From 53ad97417d0c37e4e60e9f959a71cbc2a3453aa7 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 9 May 2026 09:27:07 +0300
Subject: [PATCH] matrix-tuwunel: update to v1.6.2
This release adds opt-in server-level enforcement of MSC4284 policy servers via two new `[global]` keys: `enable_policy_servers` and `policy_server_request_timeout`. Surface both as Ansible variables matching tuwunel's upstream defaults (off, 5s timeout) and refresh the docs section that previously claimed MSC4284 needed no playbook configuration.
Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5213.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 docs/configuring-playbook-tuwunel.md | 9 ++++++++-
 roles/custom/matrix-tuwunel/defaults/main.yml | 14 +++++++++++++-
 .../matrix-tuwunel/templates/tuwunel.toml.j2 | 3 +++
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/docs/configuring-playbook-tuwunel.md b/docs/configuring-playbook-tuwunel.md
index 0932f552b..250f50fda 100644
--- a/docs/configuring-playbook-tuwunel.md
+++ b/docs/configuring-playbook-tuwunel.md
@@ -166,7 +166,14 @@ matrix_tuwunel_config_prevent_media_downloads_from: - 'heavy\.example\.com$' ``` -Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating; that lives in room state and needs no playbook configuration. +Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level: + +```yaml +matrix_tuwunel_config_enable_policy_servers: true +matrix_tuwunel_config_policy_server_request_timeout: 5 +``` + +When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline. ### Default room version diff --git a/roles/custom/matrix-tuwunel/defaults/main.yml b/roles/custom/matrix-tuwunel/defaults/main.yml index f1f22571c..43923f473 100644 --- a/roles/custom/matrix-tuwunel/defaults/main.yml +++ b/roles/custom/matrix-tuwunel/defaults/main.yml @@ -13,7 +13,7 @@ matrix_tuwunel_enabled: true matrix_tuwunel_hostname: '' # renovate: datasource=docker depName=ghcr.io/matrix-construct/tuwunel -matrix_tuwunel_version: v1.6.1 +matrix_tuwunel_version: v1.6.2 matrix_tuwunel_container_image: "{{ matrix_tuwunel_container_image_registry_prefix }}matrix-construct/tuwunel:{{ matrix_tuwunel_container_image_tag }}" matrix_tuwunel_container_image_tag: "{{ matrix_tuwunel_version }}" 
@@ -177,6 +177,18 @@ matrix_tuwunel_config_forbidden_remote_server_names: [] matrix_tuwunel_config_forbidden_remote_room_directory_server_names: [] matrix_tuwunel_config_prevent_media_downloads_from: [] +# MSC4284 policy server enforcement. +# When enabled, rooms with a valid `m.room.policy` state event will have +# outgoing events signed by the configured policy server before federation. +# Refusal aborts the local request; transient network or timeout failures +# fail open with a warn log so a policy-server outage does not silently +# take the room offline. +matrix_tuwunel_config_enable_policy_servers: false + +# Timeout (in seconds) for outbound `/sign` calls and inbound +# signature-fetches against a room's policy server. +matrix_tuwunel_config_policy_server_request_timeout: 5 + # Outgoing presence is heavy on CPU and network and almost no clients use it. Off by default. matrix_tuwunel_config_allow_outgoing_presence: false diff --git a/roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2 b/roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2 index 07ad0b5f2..9c64718fe 100644 --- a/roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2 +++ b/roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2 @@ -57,6 +57,9 @@ forbidden_remote_room_directory_server_names = {{ matrix_tuwunel_config_forbidde prevent_media_downloads_from = {{ matrix_tuwunel_config_prevent_media_downloads_from | to_json }} {% endif %} +enable_policy_servers = {{ matrix_tuwunel_config_enable_policy_servers | to_json }} +policy_server_request_timeout = {{ matrix_tuwunel_config_policy_server_request_timeout }} + allow_outgoing_presence = {{ matrix_tuwunel_config_allow_outgoing_presence | to_json }} {% if matrix_tuwunel_config_url_preview_domain_contains_allowlist | length > 0 %}
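Review bot: The comment block above `matrix_tuwunel_config_enable_policy_servers` says transient failures "fail open with a warn log" but stops short of what that means for an operator who turns the feature on for moderation: a policy server that is down, or slower than `matrix_tuwunel_config_policy_server_request_timeout`, presumably lets the room's events proceed unsigned, and that warn log is the only signal it happened. I would add one line to that comment, `# The warn log is the only indication that enforcement was skipped; alert on it if you rely on policy servers for moderation.`, and one line under the timeout variable, `# Lowering this widens the fail-open window; raising it delays event sending when the policy server is slow.`. Whether upstream fails open on anything other than network and timeout errors is not visible here and the comment should not claim more than it does now.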
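Review bot: In the tuwunel.toml.j2 hunk, `policy_server_request_timeout = {{ matrix_tuwunel_config_policy_server_request_timeout }}` is the only new line rendered bare, while `enable_policy_servers` on the line above and the other keys visible in this hunk go through `| to_json`. Rendering it as `policy_server_request_timeout = {{ matrix_tuwunel_config_policy_server_request_timeout | to_json }}` keeps the pair consistent and makes the rendered TOML reflect the variable's actual type, so an inventory that accidentally sets a quoted string is rejected at config load instead of being passed through as a bare token; that matters slightly more here than for other keys because the feature fails open on timeouts, so a mis-read timeout would weaken enforcement rather than break anything visibly. If the rest of this template renders integer keys bare by convention, following that convention is fine too, but the two adjacent lines should at least match each other.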