Remove matrix-synapse-admin in favor of ansible-role-synapse-admin

Signed-off-by: Suguru Hirahara <did🔑z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
4 hafta önce · 732380afc3
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -1,246 +0,0 @@
 # SPDX-FileCopyrightText: 2020 - 2021 Aaron Raimist
 # SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2020 Dennis Ciba
 # SPDX-FileCopyrightText: 2021 - 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2021 Ahmad Haghighi
 # SPDX-FileCopyrightText: 2022 - 2025 Nikita Chernyi
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 # SPDX-FileCopyrightText: 2023 Samuel Meenzen
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---
 # synapse-admin is a web UI for managing the Synapse Matrix server
 # Project source code URL: https://github.com/Awesome-Technologies/synapse-admin
 # Fork source code URL: https://github.com/etkecc/synapse-admin

 synapse_admin_enabled: true

 # A path on host where all related files will be saved
 synapse_admin_config_path: "{{ synapse_admin_base_path }}/config"
 synapse_admin_docker_src_files_path: "{{ synapse_admin_base_path }}/docker-src"

 synapse_admin_uid: ''
 synapse_admin_gid: ''

 synapse_admin_container_image_self_build: false
 synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"

 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
 synapse_admin_version: v0.11.1-etke53
 synapse_admin_container_image: "{{ synapse_admin_container_image_registry_prefix }}etkecc/synapse-admin:{{ synapse_admin_version }}"
 synapse_admin_container_image_registry_prefix_upstream_default: "ghcr.io/"
 synapse_admin_container_image_force_pull: "{{ synapse_admin_container_image.endswith(':latest') }}"

 # The base container network
 synapse_admin_container_network: synapse-admin

 # A list of additional container networks that the container would be connected to.
 # The role does not create these networks, so make sure they already exist.
 # Use this to expose this container to a reverse proxy, which runs in a different container network.
 synapse_admin_container_additional_networks: []

 # Controls whether the synapse-admin container exposes its HTTP port (tcp/8080 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8766"), or empty string to not expose.
 synapse_admin_container_http_host_bind_port: ''

 # A list of extra arguments to pass to the container
 synapse_admin_container_extra_arguments: []

 # synapse_admin_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
 # To inject your own other container labels, see `synapse_admin_container_labels_additional_labels`.
 synapse_admin_container_labels_traefik_enabled: true
 synapse_admin_container_labels_traefik_docker_network: "{{ synapse_admin_container_network }}"
 synapse_admin_container_labels_traefik_hostname: "{{ synapse_admin_hostname }}"
 # The path prefix must either be `/` or not end with a slash (e.g. `/synapse-admin`).
 synapse_admin_container_labels_traefik_path_prefix: "{{ synapse_admin_path_prefix }}"
 synapse_admin_container_labels_traefik_rule: "Host(`{{ synapse_admin_container_labels_traefik_hostname }}`){% if synapse_admin_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ synapse_admin_container_labels_traefik_path_prefix }}`){% endif %}"
 synapse_admin_container_labels_traefik_priority: 0
 synapse_admin_container_labels_traefik_entrypoints: web-secure
 synapse_admin_container_labels_traefik_tls: "{{ synapse_admin_container_labels_traefik_entrypoints != 'web' }}"
 synapse_admin_container_labels_traefik_tls_certResolver: default  # noqa var-naming
 # This setting is to define a list ip addresses to allow access to synapse-admin.
 # Each IP address should be in CIDR format, e.g. xxx.xxx.xxx.xxx/xx.
 # For more information, see: https://doc.traefik.io/traefik/middlewares/http/ipallowlist/
 # If the list is empty, all IP addresses are allowed.
 synapse_admin_container_labels_traefik_ipallowlist_sourcerange: []

 # Controls which additional headers to attach to all HTTP responses.
 # To add your own headers, use `synapse_admin_container_labels_traefik_additional_response_headers_custom`
 synapse_admin_container_labels_traefik_additional_response_headers: "{{ synapse_admin_container_labels_traefik_additional_response_headers_auto | combine(synapse_admin_container_labels_traefik_additional_response_headers_custom) }}"
 synapse_admin_container_labels_traefik_additional_response_headers_auto: |
  {{
    {}
    | combine ({'X-XSS-Protection': synapse_admin_http_header_xss_protection} if synapse_admin_http_header_xss_protection else {})
    | combine ({'X-Content-Type-Options': synapse_admin_http_header_content_type_options} if synapse_admin_http_header_content_type_options else {})
    | combine ({'Content-Security-Policy': synapse_admin_http_header_content_security_policy} if synapse_admin_http_header_content_security_policy else {})
    | combine ({'Permission-Policy': synapse_admin_http_header_content_permission_policy} if synapse_admin_http_header_content_permission_policy else {})
    | combine ({'Strict-Transport-Security': synapse_admin_http_header_strict_transport_security} if synapse_admin_http_header_strict_transport_security and synapse_admin_container_labels_traefik_tls else {})
  }}
 synapse_admin_container_labels_traefik_additional_response_headers_custom: {}

 # synapse_admin_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
 # Example:
 # synapse_admin_container_labels_additional_labels: |
 #   my.label=1
 #   another.label="here"
 synapse_admin_container_labels_additional_labels: ''

 # List of systemd services that synapse-admin.service depends on
 synapse_admin_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"

 # List of systemd services that synapse-admin.service wants
 synapse_admin_systemd_wanted_services_list: []

 # Specifies the value of the `X-XSS-Protection` header
 # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
 #
 # Learn more about it is here:
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 # - https://portswigger.net/web-security/cross-site-scripting/reflected
 synapse_admin_http_header_xss_protection: "1; mode=block"

 # Specifies the value of the `X-Content-Type-Options` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
 synapse_admin_http_header_content_type_options: nosniff

 # Specifies the value of the `Content-Security-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 synapse_admin_http_header_content_security_policy: frame-ancestors 'self'

 # Specifies the value of the `Permission-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
 synapse_admin_http_header_content_permission_policy: "{{ 'interest-cohort=()' if synapse_admin_floc_optout_enabled else '' }}"

 # Specifies the value of the `Strict-Transport-Security` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 synapse_admin_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if synapse_admin_hsts_preload_enabled else '' }}"

 # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
 #
 # Learn more about what it is here:
 # - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
 # - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
 # - https://amifloced.org/
 #
 # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
 # See: `synapse_admin_content_permission_policy`
 synapse_admin_floc_optout_enabled: true

 # Controls if HSTS preloading is enabled
 #
 # In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
 # indicates a willingness to be "preloaded" into browsers:
 # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
 # For more information visit:
 # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # - https://hstspreload.org/#opt-in
 # See: `synapse_admin_http_header_strict_transport_security`
 synapse_admin_hsts_preload_enabled: false

 # Default synapse-admin configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `synapse_admin_configuration_extension_json`)
 # or completely replace this variable with your own template.
 #
 # The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
 # This is unlike what it does when looking up YAML template files (no automatic parsing there).
 synapse_admin_configuration_default:
  restrictBaseUrl: "{{ synapse_admin_config_restrictBaseUrl }}"
  externalAuthProvider: "{{ synapse_admin_config_externalAuthProvider }}"
  corsCredentials: "{{ synapse_admin_config_corsCredentials }}"
  asManagedUsers: "{{ synapse_admin_config_asManagedUsers }}"
  menu: "{{ synapse_admin_config_menu }}"

 # Your custom JSON configuration for synapse-admin should go to `synapse_admin_configuration_extension_json`.
 # This configuration extends the default starting configuration (`synapse_admin_configuration_default`).
 #
 # You can override individual variables from the default configuration, or introduce new ones.
 #
 # If you need something more special, you can take full control by
 # completely redefining `synapse_admin_configuration_default`.
 #
 # Example configuration extension follows:
 #
 # synapse_admin_configuration_extension_json: |
 #  {
 #  "some_setting": true,
 #  "another_setting": false
 #  }
 synapse_admin_configuration_extension_json: '{}'

 # This is similar to `synapse_admin_configuration_extension_json`, but intended for use by playbook or group vars
 synapse_admin_configuration_extension_json_auto: '{}'

 synapse_admin_configuration_extension: "{{ synapse_admin_configuration_extension_json_auto | from_json | combine(synapse_admin_configuration_extension_json | from_json if synapse_admin_configuration_extension_json | from_json is mapping else {}, recursive=True) }}"

 # Holds the final synapse-admin configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `synapse_admin_configuration_default`.
 synapse_admin_configuration: "{{ synapse_admin_configuration_default | combine(synapse_admin_configuration_extension, recursive=True) }}"

 # Controls the externalAuthProvider configuration setting, which, if defined,
 # enables a special compatibility mode that works better for external auth providers like LDAP, MAS, etc.
 synapse_admin_config_externalAuthProvider: false  # noqa var-naming

 # Controls the corsCredentials configuration setting, which, if defined,
 # allows including credentials (cookies, authorization headers, or TLS client certificates) in requests
 # ref: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials
 synapse_admin_config_corsCredentials: "same-origin"  # noqa var-naming

 # Controls the menu configuration setting, which, if defined, adds new menu items to the Synapse Admin UI.
 # The format is a list of objects, where each object has the following keys:
 # - `label` (string, required): The label of the menu item.
 # - `i18n` (dict, optional): Dictionary of translations for the label. The keys should be BCP 47 language tags (e.g., en, fr, de) supported by Synapse Admin (see src/i18n).
 # - `icon` (string, optional): The icon of the menu item, one of the https://github.com/etkecc/synapse-admin/blob/main/src/components/icons.ts
 # - `url` (string, required): The URL of the menu item.
 # Example:
 # [
 #   {
 #     "label": "Contact support",
 #     "i18n": {
 #       "de": "Support kontaktieren",
 #       "fr": "Contacter le support",
 #       "zh": "联系支持"
 #     },
 #     "icon": "SupportAgent",
 #     "url": "https://github.com/etkecc/synapse-admin/issues"
 #   }
 # ]
 synapse_admin_config_menu: []

 # Controls the asManagedUsers configuration setting (managed by playbook), which, if defined,
 # restricts modifications of the specified users (e.g., bridge-managed).
 # You should use JS regex syntax to match the user IDs.
 # Example for mautrix-telegram: ["^@telegram_[a-zA-Z0-9]+:example\\.com$"]
 # WARNING: you want to use synapse_admin_config_asManagedUsers_custom instead of this variable.
 synapse_admin_config_asManagedUsers_auto: []  # noqa var-naming

 # Controls the asManagedUsers configuration setting (managed per host), which, if defined,
 # restricts modifications of the specified users (e.g., bridge-managed).
 # You should use JS regex syntax to match the user IDs.
 # Example for mautrix-telegram: ["^@telegram_[a-zA-Z0-9]+:example\\.com$"]
 synapse_admin_config_asManagedUsers_custom: []  # noqa var-naming

 # Controls the asManagedUsers configuration setting, which, if defined,
 # restricts modifications of the specified users (e.g., bridge-managed).
 # You should use JS regex syntax to match the user IDs.
 # Example for mautrix-telegram: ["^@telegram_[a-zA-Z0-9]+:example\\.com$"]
 # WARNING: you want to use synapse_admin_config_asManagedUsers_custom instead of this variable.
 synapse_admin_config_asManagedUsers: "{{ synapse_admin_config_asManagedUsers_auto + synapse_admin_config_asManagedUsers_custom }}"  # noqa var-naming

 # synapse_admin_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the
 # systemd service manager role (when conditional restart is enabled).
 #
 # This value is automatically computed during installation based on whether
 # any configuration files, the systemd service file, or the container image changed.
 # The default of `false` means "no restart needed" — appropriate when the role's
 # installation tasks haven't run (e.g., due to --tags skipping them).
 synapse_admin_restart_necessary: false
--- a/roles/custom/matrix-synapse-admin/tasks/main.yml
+++ b/roles/custom/matrix-synapse-admin/tasks/main.yml
@@ -1,25 +0,0 @@
 # SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - tags:
    - setup-all
    - setup-synapse-admin
    - install-all
    - install-synapse-admin
  block:
    - when: synapse_admin_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"

    - when: synapse_admin_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"

 - tags:
    - setup-all
    - setup-synapse-admin
  block:
    - when: not synapse_admin_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
--- a/roles/custom/matrix-synapse-admin/tasks/setup_install.yml
+++ b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml
@@ -1,102 +0,0 @@
 # SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2020 Dennis Ciba
 # SPDX-FileCopyrightText: 2021 Aaron Raimist
 # SPDX-FileCopyrightText: 2022 MDAD project contributors
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 # SPDX-FileCopyrightText: 2022 Nikita Chernyi
 # SPDX-FileCopyrightText: 2022 Sebastian Gumprich
 # SPDX-FileCopyrightText: 2024 David Mehren
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - name: Ensure synapse-admin paths exists
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  with_items:
    - {path: "{{ synapse_admin_base_path }}", when: true}
    - {path: "{{ synapse_admin_config_path }}", when: true}
    - {path: "{{ synapse_admin_docker_src_files_path }}", when: "{{ synapse_admin_container_image_self_build }}"}
  when: "item.when | bool"

 - name: Ensure synapse-admin labels file is created
  ansible.builtin.template:
    src: "{{ role_path }}/templates/labels.j2"
    dest: "{{ synapse_admin_base_path }}/labels"
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
    mode: 0640
  register: synapse_admin_support_files_result

 - name: Ensure synapse-admin configuration installed
  ansible.builtin.copy:
    content: "{{ synapse_admin_configuration | to_nice_json }}"
    dest: "{{ synapse_admin_config_path }}/config.json"
    mode: 0644
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  register: synapse_admin_config_result

 - name: Ensure synapse-admin image is pulled
  community.docker.docker_image:
    name: "{{ synapse_admin_container_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ synapse_admin_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else synapse_admin_container_image_force_pull }}"
  when: not synapse_admin_container_image_self_build | bool
  register: synapse_admin_container_image_pull_result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: synapse_admin_container_image_pull_result is not failed

 - name: Ensure synapse-admin repository is present when self-building
  ansible.builtin.git:
    repo: "{{ synapse_admin_container_image_self_build_repo }}"
    dest: "{{ synapse_admin_docker_src_files_path }}"
    version: "{{ synapse_admin_container_image.split(':')[1] }}"
    force: "yes"
  become: true
  become_user: "{{ matrix_user_name }}"
  register: synapse_admin_git_pull_results
  when: synapse_admin_container_image_self_build | bool

 - name: Ensure synapse-admin Docker image is built
  community.docker.docker_image:
    name: "{{ synapse_admin_container_image }}"
    source: build
    force_source: "{{ synapse_admin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else synapse_admin_git_pull_results.changed }}"
    build:
      dockerfile: Dockerfile
      path: "{{ synapse_admin_docker_src_files_path }}"
      pull: true
  when: synapse_admin_container_image_self_build | bool

 - name: Ensure synapse-admin container network is created
  community.general.docker_network:
    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
    name: "{{ synapse_admin_container_network }}"
    driver: bridge
    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"

 - name: Ensure synapse-admin.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/synapse-admin.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/synapse-admin.service"
    mode: 0644
  register: synapse_admin_systemd_service_result

 - name: Determine whether Synapse Admin needs a restart
  ansible.builtin.set_fact:
    synapse_admin_restart_necessary: >-
      {{
        synapse_admin_support_files_result.changed | default(false)
        or synapse_admin_config_result.changed | default(false)
        or synapse_admin_systemd_service_result.changed | default(false)
        or synapse_admin_container_image_pull_result.changed | default(false)
      }}
--- a/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml
@@ -1,29 +0,0 @@
 # SPDX-FileCopyrightText: 2022 - 2023 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - name: Check existence of synapse-admin service
  ansible.builtin.stat:
    path: "{{ devture_systemd_docker_base_systemd_path }}/synapse-admin.service"
  register: synapse_admin_service_stat

 - when: synapse_admin_service_stat.stat.exists | bool
  block:
    - name: Ensure synapse-admin is stopped
      ansible.builtin.service:
        name: synapse-admin
        state: stopped
        enabled: false
        daemon_reload: true

    - name: Ensure synapse-admin.service doesn't exist
      ansible.builtin.file:
        path: "{{ devture_systemd_docker_base_systemd_path }}/synapse-admin.service"
        state: absent

    - name: Ensure synapse-admin directory doesn't exist
      ansible.builtin.file:
        path: "{{ synapse_admin_base_path }}"
        state: absent
--- a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml
@@ -1,27 +0,0 @@
 # SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2022 MDAD project contributors
 # SPDX-FileCopyrightText: 2025 Suguru Hirahara
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - when: synapse_admin_container_labels_traefik_enabled | bool
  block:
    - name: Fail if required synapse-admin Traefik settings not defined
      ansible.builtin.fail:
        msg: >-
          You need to define a required configuration setting (`{{ item }}`).
      when: "lookup('vars', item, default='') == ''"
      with_items:
        - synapse_admin_container_labels_traefik_hostname
        - synapse_admin_container_labels_traefik_path_prefix

    # We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
    # Knowing that `synapse_admin_container_labels_traefik_path_prefix` does not end with a slash
    # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
    - name: Fail if synapse_admin_container_labels_traefik_path_prefix ends with a slash
      ansible.builtin.fail:
        msg: >-
          synapse_admin_container_labels_traefik_path_prefix (`{{ synapse_admin_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/synapse-admin`).
      when: "synapse_admin_container_labels_traefik_path_prefix != '/' and synapse_admin_container_labels_traefik_path_prefix[-1] == '/'"
--- a/roles/custom/matrix-synapse-admin/templates/labels.j2
+++ b/roles/custom/matrix-synapse-admin/templates/labels.j2
@@ -1,58 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2023 - 2024 Slavi Pantaleev
 SPDX-FileCopyrightText: 2025 MDAD project contributors

 SPDX-License-Identifier: AGPL-3.0-or-later
 #}

 {% if synapse_admin_container_labels_traefik_enabled %}
 traefik.enable=true

 {% if synapse_admin_container_labels_traefik_docker_network %}
 traefik.docker.network={{ synapse_admin_container_labels_traefik_docker_network }}
 {% endif %}

 traefik.http.services.synapse-admin.loadbalancer.server.port=8080

 {% set middlewares = [] %}

 {% if synapse_admin_container_labels_traefik_ipallowlist_sourcerange | length > 0 %}
 traefik.http.middlewares.synapse-admin-ipallowlist.ipallowlist.sourcerange={{ synapse_admin_container_labels_traefik_ipallowlist_sourcerange | join(',') }}
 {% set middlewares = middlewares + ['synapse-admin-ipallowlist'] %}
 {% endif %}

 {% if synapse_admin_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.synapse-admin-slashless-redirect.redirectregex.regex=({{ synapse_admin_container_labels_traefik_path_prefix | quote }})$
 traefik.http.middlewares.synapse-admin-slashless-redirect.redirectregex.replacement=${1}/
 {% set middlewares = middlewares + ['synapse-admin-slashless-redirect'] %}
 {% endif %}

 {% if synapse_admin_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.synapse-admin-strip-prefix.stripprefix.prefixes={{ synapse_admin_container_labels_traefik_path_prefix }}
 {% set middlewares = middlewares + ['synapse-admin-strip-prefix'] %}
 {% endif %}

 {% if synapse_admin_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
 {% for name, value in synapse_admin_container_labels_traefik_additional_response_headers.items() %}
 traefik.http.middlewares.synapse-admin-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
 {% endfor %}
 {% set middlewares = middlewares + ['synapse-admin-add-headers'] %}
 {% endif %}

 traefik.http.routers.synapse-admin.rule={{ synapse_admin_container_labels_traefik_rule }}
 {% if synapse_admin_container_labels_traefik_priority | int > 0 %}
 traefik.http.routers.synapse-admin.priority={{ synapse_admin_container_labels_traefik_priority }}
 {% endif %}
 {% if middlewares | length > 0 %}
 traefik.http.routers.synapse-admin.middlewares={{ middlewares | join(',') }}
 {% endif %}
 traefik.http.routers.synapse-admin.service=synapse-admin
 traefik.http.routers.synapse-admin.entrypoints={{ synapse_admin_container_labels_traefik_entrypoints }}
 traefik.http.routers.synapse-admin.tls={{ synapse_admin_container_labels_traefik_tls | to_json }}
 {% if synapse_admin_container_labels_traefik_tls %}
 traefik.http.routers.synapse-admin.tls.certResolver={{ synapse_admin_container_labels_traefik_tls_certResolver }}
 {% endif %}

 {% endif %}

 {{ synapse_admin_container_labels_additional_labels }}
--- a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
+++ b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
@@ -1,51 +0,0 @@
 #jinja2: lstrip_blocks: True
 [Unit]
 Description=synapse-admin
 {% for service in synapse_admin_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 {% for service in synapse_admin_systemd_wanted_services_list %}
 Wants={{ service }}
 {% endfor %}
 DefaultDependencies=no

 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} synapse-admin 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm synapse-admin 2>/dev/null || true'

 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--rm \
 			--name=synapse-admin \
 			--log-driver=none \
 			--cap-drop=ALL \
 			--read-only \
 			--user={{ synapse_admin_uid }}:{{ synapse_admin_gid }} \
 			--network={{ synapse_admin_container_network }} \
 			{% if synapse_admin_container_http_host_bind_port %}
 			-p {{ synapse_admin_container_http_host_bind_port }}:8080 \
 			{% endif %}
 			--label-file={{ synapse_admin_base_path }}/labels \
 			--mount type=bind,src={{ synapse_admin_config_path }}/config.json,dst=/var/public/config.json,ro \
 			{% for arg in synapse_admin_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ synapse_admin_container_image }}

 {% for network in synapse_admin_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} synapse-admin
 {% endfor %}

 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach synapse-admin

 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} synapse-admin 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm synapse-admin 2>/dev/null || true'

 Restart=always
 RestartSec=30
 SyslogIdentifier=synapse-admin

 [Install]
 WantedBy=multi-user.target
--- a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2.license
+++ b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2.license
@@ -1,4 +0,0 @@
 SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
 SPDX-FileCopyrightText: 2020 Dan Arnfield

 SPDX-License-Identifier: AGPL-3.0-or-later