
matrix-tuwunel: update to v1.6.2

This release adds opt-in server-level enforcement of MSC4284 policy
servers via two new `[global]` keys: `enable_policy_servers` and
`policy_server_request_timeout`. Surface both as Ansible variables
matching tuwunel's upstream defaults (off, 5s timeout) and refresh the
docs section that previously claimed MSC4284 needed no playbook
configuration.

Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5213.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
create-pull-request/i18n
Slavi Pantaleev 6 hours ago
parent
commit
53ad97417d
3 changed files with 24 additions and 2 deletions
  1. +8
    -1
      docs/configuring-playbook-tuwunel.md
  2. +13
    -1
      roles/custom/matrix-tuwunel/defaults/main.yml
  3. +3
    -0
      roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2

+ 8
- 1
docs/configuring-playbook-tuwunel.md View file

@@ -166,7 +166,14 @@ matrix_tuwunel_config_prevent_media_downloads_from:
- 'heavy\.example\.com$'
```

Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating; that lives in room state and needs no playbook configuration.
Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level:

```yaml
matrix_tuwunel_config_enable_policy_servers: true
matrix_tuwunel_config_policy_server_request_timeout: 5
```

When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline.

### Default room version
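Review bot: the rewritten docs paragraph describes only the fail-open path and drops the refusal case that the matching comment in roles/custom/matrix-tuwunel/defaults/main.yml spells out ("Refusal aborts the local request"); without it, a reader can take "fail open" to mean the policy server can never block a send. Suggest adding that sentence before the fail-open one, and noting that `matrix_tuwunel_config_policy_server_request_timeout: 5` in the snippet is the upstream default, so only the `matrix_tuwunel_config_enable_policy_servers: true` line actually changes behaviour.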



+ 13
- 1
roles/custom/matrix-tuwunel/defaults/main.yml View file

@@ -13,7 +13,7 @@ matrix_tuwunel_enabled: true
matrix_tuwunel_hostname: ''

# renovate: datasource=docker depName=ghcr.io/matrix-construct/tuwunel
matrix_tuwunel_version: v1.6.1
matrix_tuwunel_version: v1.6.2

matrix_tuwunel_container_image: "{{ matrix_tuwunel_container_image_registry_prefix }}matrix-construct/tuwunel:{{ matrix_tuwunel_container_image_tag }}"
matrix_tuwunel_container_image_tag: "{{ matrix_tuwunel_version }}"
@@ -177,6 +177,18 @@ matrix_tuwunel_config_forbidden_remote_server_names: []
matrix_tuwunel_config_forbidden_remote_room_directory_server_names: []
matrix_tuwunel_config_prevent_media_downloads_from: []

# MSC4284 policy server enforcement.
# When enabled, rooms with a valid `m.room.policy` state event will have
# outgoing events signed by the configured policy server before federation.
# Refusal aborts the local request; transient network or timeout failures
# fail open with a warn log so a policy-server outage does not silently
# take the room offline.
matrix_tuwunel_config_enable_policy_servers: false

# Timeout (in seconds) for outbound `/sign` calls and inbound
# signature-fetches against a room's policy server.
matrix_tuwunel_config_policy_server_request_timeout: 5

# Outgoing presence is heavy on CPU and network and almost no clients use it. Off by default.
matrix_tuwunel_config_allow_outgoing_presence: false
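Review bot: `matrix_tuwunel_config_policy_server_request_timeout` is documented as seconds but nothing states the accepted range; since the comment above says timeout failures fail open with a warning, an accidentally tiny value would leave enforcement nominally enabled while every check is skipped. Suggest the comment say the value must be a positive integer, or add a validation step for it.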



+ 3
- 0
roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2 View file

@@ -57,6 +57,9 @@ forbidden_remote_room_directory_server_names = {{ matrix_tuwunel_config_forbidde
prevent_media_downloads_from = {{ matrix_tuwunel_config_prevent_media_downloads_from | to_json }}
{% endif %}

enable_policy_servers = {{ matrix_tuwunel_config_enable_policy_servers | to_json }}
policy_server_request_timeout = {{ matrix_tuwunel_config_policy_server_request_timeout }}

allow_outgoing_presence = {{ matrix_tuwunel_config_allow_outgoing_presence | to_json }}

{% if matrix_tuwunel_config_url_preview_domain_contains_allowlist | length > 0 %}
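Review bot: `policy_server_request_timeout` is rendered with a bare `{{ ... }}` while the neighbouring keys go through `| to_json`; a quoted or non-numeric value in an operator's vars would render as invalid TOML, so `{{ matrix_tuwunel_config_policy_server_request_timeout | int }}` would make the type explicit. Both new keys are also emitted unconditionally, unlike the `prevent_media_downloads_from` block just above, so anyone pinning `matrix_tuwunel_version` to a release older than v1.6.2 gets keys that release does not define; worth confirming how tuwunel treats unknown keys, or guarding the two lines on the enable flag.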

