From e000cbf0f42874bec05611d57a2922259da292bc Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 1 Jul 2024 16:01:31 +0300
Subject: [PATCH] Auto-configure synapse-admin to be restricted to a single homeserver (the one managed by the playbook)
---
 CHANGELOG.md | 16 ++++++++
 docs/configuring-playbook-synapse-admin.md | 10 ++---
 .../matrix-synapse-admin/defaults/main.yml | 38 +++++++++++++++++++
 .../tasks/setup_install.yml | 19 ++++++++--
 .../templates/config.json.j2 | 3 ++
 .../systemd/matrix-synapse-admin.service.j2 | 1 +
 6 files changed, 77 insertions(+), 10 deletions(-)
 create mode 100644 roles/custom/matrix-synapse-admin/templates/config.json.j2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34397944577..367b3a2bcaa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,19 @@
+# 2024-07-01
+
+## synapse-admin is now restricted to your homeserver's URL by default
+
+A new feature introduced in synapse-admin [v0.10.0](https://github.com/Awesome-Technologies/synapse-admin/releases/tag/0.10.0) (released and supported by the playbook since a a few months ago) provides the ability to [restrict its usage to a specific homeserver](https://github.com/Awesome-Technologies/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) (or multiple homeservers).
+
+The playbook has just started making use of this feature. **From now on, your synapse-admin instance will be restricted to the homeserver you're managing via the playbook**. When configured like this, the *Homeserver URL* field in synapse-admin's web UI changes from a text field to a dropdown having a single value (the URL of your homeserver). This makes usage simpler for most people, as they won't need to manually enter a *Homeserver URL* anymore.
+
+If you'd like **to go back to the old unrestricted behavior**, use the following configuration:
+
+```yml
+# Use this configuration to allow synapse-admin to manage any homeserver instance.
+matrix_synapse_admin_config_restrictBaseUrl: []
+```
+
+
 # 2024-06-25
 ## The URL-prefix for Hookshot generic webhooks has changed
diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md
index 1e3e8980e22..0b80f27ba9b 100644
--- a/docs/configuring-playbook-synapse-admin.md
+++ b/docs/configuring-playbook-synapse-admin.md
@@ -20,14 +20,12 @@ matrix_synapse_admin_enabled: true
 - for [Synapse](./configuring-playbook-synapse.md) (our default homeserver implementation): `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true`
 - for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: true`
+By default, synapse-admin installation will be [restricted to only work with one homeserver](https://github.com/Awesome-Technologies/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) - the one managed by the playbook. To adjust these restrictions, tweak the `matrix_synapse_admin_config_restrictBaseUrl` variable.
+
 ## Installing
-After configuring the playbook, run the [installation](installing.md) command again:
-
-```
-ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
-```
+After configuring the playbook, run the [installation](installing.md) command again (`just install-all`).
 ## Usage
@@ -35,5 +33,3 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 After installation, Synapse Admin will be accessible at: `https://matrix.DOMAIN/synapse-admin/`
 To use Synapse Admin, you need to have [registered at least one administrator account](registering-users.md) on your server.
-
-The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN`
diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml
index c439c913365..e4697425675 100644
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -6,6 +6,7 @@ matrix_synapse_admin_enabled: true
 # A path on host where all related files will be saved
 matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin"
+matrix_synapse_admin_config_path: "{{ matrix_synapse_admin_base_path }}/config"
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src"
 matrix_synapse_admin_container_image_self_build: false
@@ -135,3 +136,40 @@ matrix_synapse_admin_hostname: "{{ matrix_server_fqn_matrix }}"
 # The path at which Synapse Admin is exposed.
 # This value must either be `/` or not end with a slash (e.g. `/synapse-admin`).
 matrix_synapse_admin_path_prefix: /synapse-admin
+
+# Default synapse-admin configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_synapse_admin_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_synapse_admin_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}"
+
+# Your custom JSON configuration for synapse-admin should go to `matrix_synapse_admin_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_synapse_admin_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_synapse_admin_configuration_default`.
+#
+# Example configuration extension follows:
+#
+# matrix_synapse_admin_configuration_extension_json: |
+# {
+# "some_setting": true,
+# "another_setting": false
+# }
+matrix_synapse_admin_configuration_extension_json: '{}'
+
+matrix_synapse_admin_configuration_extension: "{{ matrix_synapse_admin_configuration_extension_json | from_json if matrix_synapse_admin_configuration_extension_json | from_json is mapping else {} }}"
+
+# Holds the final synapse-admin configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable.
Instead, see `matrix_synapse_admin_configuration_default`.
+matrix_synapse_admin_configuration: "{{ matrix_synapse_admin_configuration_default | combine(matrix_synapse_admin_configuration_extension, recursive=True) }}"
+
+# Controls the restrictBaseUrl configuration setting, which, if defined,
+# restricts the homeserver(s), so that the user can no longer define a homeserver manually during login.
+matrix_synapse_admin_config_restrictBaseUrl: "{{ [matrix_homeserver_url] }}" # noqa var-naming
diff --git a/roles/custom/matrix-synapse-admin/tasks/setup_install.yml b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml
index d8819524fe2..6e7b8160be6 100644
--- a/roles/custom/matrix-synapse-admin/tasks/setup_install.yml
+++ b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml
@@ -1,12 +1,17 @@
 ---
-- name: Ensure matrix-synapse-admin path exist
+- name: Ensure matrix-synapse-admin paths exists
 ansible.builtin.file:
- path: "{{ matrix_synapse_admin_base_path }}"
+ path: "{{ item.path }}"
 state: directory
- mode: 0700
+ mode: 0750
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_user_groupname }}"
+ with_items:
+ - {path: "{{ matrix_synapse_admin_base_path }}", when: true}
+ - {path: "{{ matrix_synapse_admin_config_path }}", when: true}
+ - {path: "{{ matrix_synapse_admin_docker_src_files_path }}", when: "{{ matrix_synapse_admin_container_image_self_build }}"}
+ when: "item.when | bool"
 - name: Ensure matrix-synapse-admin labels file is created
 ansible.builtin.template:
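Review bot: The comment on `matrix_synapse_admin_config_restrictBaseUrl` (last lines of the hunk) says the restriction applies "if defined", but the variable always has a value and the `config.json.j2` template always emits the key, so the real opt-out is the empty list the CHANGELOG documents and the comment should say so, e.g. `# Set to [] to let synapse-admin manage any homeserver (the behaviour before this change).` The extension mechanism (`matrix_synapse_admin_configuration_extension_json`) ends up in a file that is bind-mounted into the synapse-admin container; since synapse-admin is a browser-side application, that file is presumably fetched by every visitor's browser, so the extension's comment block should state that it must not carry secrets — confirm against how the image serves `/app/config.json`. The `# noqa var-naming` suppression would read better with a short reason, e.g. `# camelCase mirrors the upstream setting name`.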
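Review bot: `mode: 0750` is an unquoted leading-zero literal, which YAML 1.1 parsers hand to Ansible as the integer 488; Ansible's own guidance is to quote octal modes because the integer form can fail in loops, and this task is now under `with_items`, so write `mode: "0750"`. The same applies to `mode: 0644` in the new configuration-installation task in the next hunk. The change from 0700 to 0750 also relaxes the base path from owner-only to group-readable; if that widening is intentional, a one-line comment on the task stating why would help reviewers, since the surrounding file keeps the old `0640` for the labels file.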
@@ -16,6 +21,14 @@
 group: "{{ matrix_user_groupname }}"
 mode: 0640
+- name: Ensure matrix-synapse-admin configuration installed
+ ansible.builtin.copy:
+ content: "{{ matrix_synapse_admin_configuration | to_nice_json }}"
+ dest: "{{ matrix_synapse_admin_config_path }}/config.json"
+ mode: 0644
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
 - name: Ensure matrix-synapse-admin image is pulled
 community.docker.docker_image:
 name: "{{ matrix_synapse_admin_docker_image }}"
diff --git a/roles/custom/matrix-synapse-admin/templates/config.json.j2 b/roles/custom/matrix-synapse-admin/templates/config.json.j2
new file mode 100644
index 00000000000..dbd32d6d4ed
--- /dev/null
+++ b/roles/custom/matrix-synapse-admin/templates/config.json.j2
@@ -0,0 +1,3 @@
+{
+ "restrictBaseUrl": {{ matrix_synapse_admin_config_restrictBaseUrl | to_json }}
+}
diff --git a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
index aa305718e6a..ed72bef7c6d 100644
--- a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
+++ b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
@@ -30,6 +30,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 -p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \
 {% endif %}
 --label-file={{ matrix_synapse_admin_base_path }}/labels \
+ --mount type=bind,src={{ matrix_synapse_admin_config_path }}/config.json,dst=/app/config.json,ro \
 {% for arg in matrix_synapse_admin_container_extra_arguments %}
 {{ arg }} \
 {% endfor %}
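Review bot: The new copy task neither registers its result nor notifies a restart, and because `config.json` is mounted into the container as a single file (`--mount type=bind,src=…/config.json` in the service hunk below), an atomic replacement by `copy` leaves an already-running container holding the old inode; a changed configuration only takes effect once the container is recreated. If the playbook's start tasks always recreate `matrix-synapse-admin.service` this is fine but worth stating on the task, e.g. `# Picked up on the next service restart (the file is bind-mounted into the container).`; otherwise add `register:` and trigger a restart when the task reports changed. The `mode: 0644` here should be quoted as `"0644"` for the same octal-literal reason as in the previous hunk.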
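Review bot: The `restrictBaseUrl` key is emitted unconditionally, so the `[]` opt-out described in the CHANGELOG produces `"restrictBaseUrl": []` rather than an absent key, and whether synapse-admin treats an empty array as "no restriction" cannot be verified from this page. If it does not, guard the line with `{% if matrix_synapse_admin_config_restrictBaseUrl | length > 0 %}` / `{% endif %}` (the object stays valid JSON with no members). Either way a Jinja comment above the line, e.g. `{# An empty list is the documented way to lift the restriction #}`, would record the intended meaning without reaching the rendered file.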