Upgrade LiveKit JWT Service (lk-jwt-service) to v0.5.0

v0.5.0 makes LIVEKIT_FULL_ACCESS_HOMESERVERS a required setting and
drops the implicit `*` wildcard default upstream.

Split the full-access-homeservers list into _default/_auto/_custom
parts (following the convention used for other variables in this role),
with a sane _default of the homeserver's own domain. This also lets
group_vars/matrix_servers drop its now-redundant override.

Add a validate_config.yml check requiring the setting to be defined.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

group_vars/matrix_servers

@@ -6235,8 +6235,6 @@ matrix_livekit_jwt_service_environment_variable_livekit_key: "{{ (matrix_homeser
 
 matrix_livekit_jwt_service_environment_variable_livekit_secret: "{{ (matrix_homeserver_generic_secret_key + ':lk.secret') | hash('sha512') | to_uuid }}"
 
-matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list: ["{{ matrix_domain }}"]
-
 ########################################################################
 #                                                                      #
 # /matrix-livekit-jwt-service                                          #

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -1,6 +1,6 @@
 # SPDX-FileCopyrightText: 2022 MDAD project contributors
 # SPDX-FileCopyrightText: 2024 wjbeckett
-# SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2024 - 2026 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: []
 matrix_livekit_jwt_service_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
-matrix_livekit_jwt_service_version: 0.4.4
+matrix_livekit_jwt_service_version: 0.5.0
 
 matrix_livekit_jwt_service_container_image_self_build: false
 matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"
@@ -86,12 +86,20 @@ matrix_livekit_jwt_service_environment_variable_livekit_url: ""
 # Controls the LIVEKIT_SECRET environment variable
 matrix_livekit_jwt_service_environment_variable_livekit_secret: ""
 
-# Controls the LIVEKIT_FULL_ACCESS_HOMESERVERS environment variable
+# Controls the LIVEKIT_FULL_ACCESS_HOMESERVERS environment variable.
 # Comma-separated list of Matrix homeservers whose users are authorized with full access to LiveKit SFU features
-# (supports * as a wildcard to allow all homeservers).
+# (like creating rooms on the SFU).
+#
+# This is a required setting and the service refuses to start without it.
+# Setting it to `*` grants full access to any federated Matrix user, but listing only the homeserver(s)
+# you intend to serve is strongly recommended.
+#
+# To add additional homeservers, use `matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list_custom`.
 matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers: "{{ matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list | join(',') }}"
-
-matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list: ["*"]
+matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list: "{{ matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list_default + matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list_auto + matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list_custom }}"
+matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list_default: ["{{ matrix_domain }}"]
+matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list_auto: []
+matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list_custom: []
 
 # Additional environment variables to pass to the container.
 #

roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml

@@ -1,6 +1,6 @@
 # SPDX-FileCopyrightText: 2022 MDAD project contributors
 # SPDX-FileCopyrightText: 2024 wjbeckett
-# SPDX-FileCopyrightText: 2024 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2024 - 2026 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -27,3 +27,4 @@
     - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_key', when: true}
     - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_url', when: true}
     - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_secret', when: true}
+    - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers', when: true}