From 35d31c4b9aeea76f7b567f2ee3fc3e9857a029bd Mon Sep 17 00:00:00 2001
From: AkDk7 <joerg@pannbacker.email>
Date: Wed, 12 Feb 2025 19:25:08 +0100
Subject: [PATCH] This push request is about handling Traefik ipallowlist to
 synapse-admin application.

It's my first push request. If I forgot something please let me know. :-)
---
 roles/custom/matrix-synapse-admin/defaults/main.yml   | 6 ++++++
 roles/custom/matrix-synapse-admin/templates/labels.j2 | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml
index 9fcf9532e..44c661a7e 100644
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -215,3 +215,9 @@ matrix_synapse_admin_config_asManagedUsers_custom: []  # noqa var-naming
 # Example for mautrix-telegram: ["^@telegram_[a-zA-Z0-9]+:example\\.com$"]
 # WARNING: you want to use matrix_synapse_admin_config_asManagedUsers_custom instead of this variable.
 matrix_synapse_admin_config_asManagedUsers: "{{ matrix_synapse_admin_config_asManagedUsers_auto + matrix_synapse_admin_config_asManagedUsers_custom }}"  # noqa var-naming
+
+# This setting is to define a list ip addresses to allow access to synapse-admin.
+# Each IP address should be in CIDR format, e.g. xxx.xxx.xxx.xxx/xx.
+# For more information, see: https://doc.traefik.io/traefik/middlewares/http/ipallowlist/
+# If the list is empty, all IP addresses are allowed.
+matrix_synapse_admin_container_labels_traefik_ipallowlist: []
diff --git a/roles/custom/matrix-synapse-admin/templates/labels.j2 b/roles/custom/matrix-synapse-admin/templates/labels.j2
index b4e973e00..1c665cfc8 100644
--- a/roles/custom/matrix-synapse-admin/templates/labels.j2
+++ b/roles/custom/matrix-synapse-admin/templates/labels.j2
@@ -9,6 +9,11 @@ traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80
 
 {% set middlewares = [] %}
 
+{% if matrix_synapse_admin_container_labels_traefik_ipallowlist is defined and matrix_synapse_admin_container_labels_traefik_ipallowlist | length > 0 %}
+traefik.http.middlewares.matrix-synapse-admin-ipallowlist.ipallowlist.sourcerange={{ matrix_synapse_admin_container_labels_traefik_ipallowlist | join(',') }}
+{% set middlewares = middlewares + ['matrix-synapse-admin-ipallowlist'] %}
+{% endif %}
+
 {% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-synapse-admin-slashless-redirect.redirectregex.regex=({{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }})$
 traefik.http.middlewares.matrix-synapse-admin-slashless-redirect.redirectregex.replacement=${1}/