
Draupnir Zero Touch Deployment Stage 1 support

pull/5205/head
Catalan Lover 1 місяць тому
джерело
коміт
9ed2c7a2cd
Не вдалося знайти GPG ключ що відповідає даному підпису Ідентифікатор GPG ключа: 649BCCF930C07F70
6 змінених файлів з 81 додано та 11 видалено
  1. +20
    -1
      roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
  2. +14
    -5
      roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
  3. +8
    -1
      roles/custom/matrix-appservice-draupnir-for-all/templates/production-appservice.yaml.j2
  4. +26
    -2
      roles/custom/matrix-bot-draupnir/defaults/main.yml
  5. +5
    -2
      roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
  6. +8
    -0
      roles/custom/matrix-bot-draupnir/templates/production.yaml.j2

+ 20
- 1
roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml Переглянути файл

@@ -58,14 +58,33 @@ matrix_appservice_draupnir_for_all_force_restart: "{{
matrix_appservice_draupnir_for_all_rolling_tag | bool
}}"

# This controls whether Zero Touch Deployment is enabled.
# When enabled, the playbook validates the related settings and only renders
# the configuration values Draupnir expects for this mode.
# This prevents invalid manual combinations from being passed through, since
# Draupnir requires `matrix_appservice_draupnir_for_all_config_adminRoom` to be
# unset and `matrix_appservice_draupnir_for_all_initialManager` to be a valid
# user ID.
# Zero Touch Deployment is recomended for all new deployments.
# New deployments that are exempt from this recomendation are assumed to be advanced users.
# Who know what they are doing and have specific needs that require the flexibility of non-zero-touch-deployment mode.
# Note that enabling this on an existing deployment will cause the bot to recreate the admin room.
# Manual policy migration has to be done in that case as to not break when access controls return to working order.
matrix_appservice_draupnir_for_all_zero_touch_deploy: false

# The room ID where people can use the bot. The bot has no access controls, so
# anyone in this room can use the bot - secure your room!
# This should be a room alias - not a matrix.to URL.
# Note: Draupnir is fairly verbose - expect a lot of messages from it.
# Appservice mode unlike bot mode is not verbose in the admin room.
# This room is different for Appservice Mode compared to normal mode.
# In Appservice mode it provides functions like user management.
matrix_appservice_draupnir_for_all_config_adminRoom: "" # noqa var-naming

# This controls the mxid of who is invited to the admin room on its creation when using Zero Touch Deployment.
# The this value is mutually exclusive with matrix_appservice_draupnir_for_all_config_adminRoom
# and the bot will crash if you attempt to set both at the same time.
matrix_appservice_draupnir_for_all_config_initialManager: "" # noqa var-naming

# Controls if the room state backing store is activated.
# Room state backing store makes restarts of the bot lightning fast as the bot does not suffer from amnesia.
# This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.
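Review bot: The new comment block for `matrix_appservice_draupnir_for_all_zero_touch_deploy` has spelling and grammar slips that every operator consulting the defaults will read: `recomended` and `recomendation` on the lines about new deployments, a sentence fragment beginning `Who know what they are doing`, and `The this value` in the `initialManager` comment. Suggested wording: `# Zero Touch Deployment is recommended for all new deployments.`, `# New deployments exempt from this recommendation are assumed to belong to advanced users who know what they are doing and need the flexibility of non-zero-touch-deployment mode.`, and `# This value is mutually exclusive with matrix_appservice_draupnir_for_all_config_adminRoom`. The `initialManager` comment still presents a bot crash as the only guard against setting both values; since this commit's validate_config change rejects the conflicting pair before the container starts, the comment could say that the playbook now catches it first.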


+ 14
- 5
roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml Переглянути файл

@@ -25,10 +25,19 @@
- {'old': 'matrix_appservice_draupnir_for_all_docker_src_files_path', 'new': 'matrix_appservice_draupnir_for_all_container_src_files_path'}
- {'old': 'matrix_appservice_draupnir_for_all_container_image_force_pull', 'new': '<removed> (No longer needed due to new docker module doing this natively only if needed.)'}

- name: Fail if required matrix-bot-draupnir variables are undefined
- name: Fail if required matrix-appservice-draupnir-for-all variables are undefined
ansible.builtin.fail:
msg: "The `{{ item }}` variable must be defined and have a non-null value."
msg: "The `{{ item.name }}` variable must be defined and have a non-null value."
with_items:
- "matrix_appservice_draupnir_for_all_config_adminRoom"
- "matrix_bot_draupnir_container_network"
when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none"
- {'name': 'matrix_appservice_draupnir_for_all_config_adminRoom', when: "{{ not matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
- {'name': 'matrix_appservice_draupnir_for_all_config_initialManager', when: "{{ matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
- {'name': 'matrix_appservice_draupnir_for_all_container_network', when: true}
when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"

- name: Fail if inappropriate variables are defined
ansible.builtin.fail:
msg: "The `{{ item.name }}` variable must be undefined or have a null value."
with_items:
- {'name': 'matrix_appservice_draupnir_for_all_config_adminRoom', when: "{{ matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
- {'name': 'matrix_appservice_draupnir_for_all_config_initialManager', when: "{{ not matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
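Review bot: The new `matrix_appservice_draupnir_for_all_config_initialManager` entry in the first fail task only checks that the value is non-empty, while the defaults file documents that Draupnir needs a valid user ID here and this is the account that will be invited into, and given control of, the freshly created admin room. A malformed or mistyped value is only discovered after the room has been created, which the defaults warn is disruptive to undo, so a cheap format guard up front is worthwhile, for example a dedicated fail task with `when: "matrix_appservice_draupnir_for_all_zero_touch_deploy | bool and not (matrix_appservice_draupnir_for_all_config_initialManager | string is match('^@[^:]+:.+'))"`. The same applies to the `matrix_bot_draupnir_config_initialManager` entry added in roles/custom/matrix-bot-draupnir/tasks/validate_config.yml. Separately, the second task's message `must be undefined or have a null value` does not match its condition, which also accepts the empty-string default, and it does not say why the value is rejected; the message should state "empty or null" and name `matrix_appservice_draupnir_for_all_zero_touch_deploy` as the reason.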

+ 8
- 1
roles/custom/matrix-appservice-draupnir-for-all/templates/production-appservice.yaml.j2 Переглянути файл

@@ -17,9 +17,17 @@ db:
engine: "postgres"
connectionString: "{{ matrix_appservice_draupnir_for_all_database_connection_string }}"

{% if not matrix_appservice_draupnir_for_all_zero_touch_deploy %}
# A room you have created that scopes who can access the appservice.
# See docs/access_control.md
adminRoom: {{ matrix_appservice_draupnir_for_all_config_adminRoom | to_json }}
{% endif %}

{% if matrix_appservice_draupnir_for_all_zero_touch_deploy %}
# The initial manager to invite if the admin room has to be created.
initialManager: {{ matrix_appservice_draupnir_for_all_config_initialManager | to_json }}
{% endif %}


# This is a web api that the widget connects to in order to interact with the appservice.
webAPI:
@@ -37,6 +45,5 @@ maxDraupnirsPerUser: 1
# Defaults to false when omitted.
allowSelfServiceProvisioning: false


roomStateBackingStore:
enabled: {{ matrix_appservice_draupnir_for_all_config_roomStateBackingStore_enabled | to_json }}
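Review bot: The two new guarded blocks are complementary conditions on the same flag written as separate `{% if not … %}` and `{% if … %}` stanzas, which leaves the reader to confirm they are exclusive and also produces the doubled blank line before the `webAPI` comment. A single `{% if matrix_appservice_draupnir_for_all_zero_touch_deploy %}` … `{% else %}` … `{% endif %}` makes the either/or explicit and guarantees that exactly one of `adminRoom` and `initialManager` is rendered. The `# See docs/access_control.md` pointer now appears only in the non-zero-touch branch; the zero-touch branch could carry the same pointer so the rendered file still tells operators where access control is documented.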

+ 26
- 2
roles/custom/matrix-bot-draupnir/defaults/main.yml Переглянути файл

@@ -115,12 +115,36 @@ matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}"
# This configuration option does not follow the common naming schema as its not controlling a config key directly.
matrix_bot_draupnir_login_native: false

# The room ID where people can use the bot. The bot has no access controls, so
# anyone in this room can use the bot - secure your room!
# This controls whether Zero Touch Deployment is enabled.
# When enabled, the playbook validates the settings and only
# renders the configuration values Draupnir expects.
# This prevents invalid manual combinations from being passed through, since
# Draupnir requires `matrix_bot_draupnir_config_managementRoom` to be unset and
# `matrix_bot_draupnir_initialManager` to be a valid MXID.
# Zero Touch Deployment is recommended for all new deployments.
# Deployments that are exempt from this recommendation are assumed to be
# advanced setups with specific needs for non-zero-touch mode.
# Note that enabling this on an existing deployment will cause the bot to
# recreate the management room.
# Recreating the management room will cause all protections to reset their settings to defaults
# and cause the re creation of secondary rooms like notification rooms. News memory will also be wiped.
matrix_bot_draupnir_zero_touch_deploy: false

# The management room used for administration when Zero Touch
# Deployment is disabled.
# The bot has no access controls, so anyone in this room can use it - secure
# your room!
# This should be a room alias or room ID - not a matrix.to URL.
# Note: Draupnir is fairly verbose - expect a lot of messages from it.
matrix_bot_draupnir_config_managementRoom: "" # noqa var-naming

# The MXID invited as the initial manager when Zero Touch Deployment creates the
# management room.
# This value is mutually exclusive with
# `matrix_bot_draupnir_config_managementRoom`, and the bot will crash if you
# attempt to set both at the same time.
matrix_bot_draupnir_config_initialManager: "" # noqa var-naming

# Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API).
# Set this to the Pantalaimon URL if you're using that.
matrix_bot_draupnir_config_homeserverUrl: "" # noqa var-naming
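Review bot: The warning comment above `matrix_bot_draupnir_zero_touch_deploy` has wording slips on its last two lines: `re creation` should be `re-creation`, and `News memory will also be wiped.` is unclear to a reader who does not know Draupnir internals — if it refers to Draupnir's record of which news items it has already shown, say so, otherwise drop it. Suggested line: `# and cause the re-creation of secondary rooms like notification rooms.` The comment for `matrix_bot_draupnir_config_managementRoom` is where operators with an existing deployment will look first, so a one-line pointer there — `# Enabling matrix_bot_draupnir_zero_touch_deploy on an existing deployment recreates this room; see the warning above.` — makes the migration caveat harder to miss.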


+ 5
- 2
roles/custom/matrix-bot-draupnir/tasks/validate_config.yml Переглянути файл

@@ -1,5 +1,5 @@
# SPDX-FileCopyrightText: 2023 - 2025 MDAD project contributors
# SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
# SPDX-FileCopyrightText: 2023 - 2026 Catalan Lover <catalanlover@protonmail.com>
# SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -45,7 +45,8 @@
with_items:
- {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ not matrix_bot_draupnir_pantalaimon_use and not matrix_bot_draupnir_login_native }}"}
- {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_config_experimentalRustCrypto }}"}
- {'name': 'matrix_bot_draupnir_config_managementRoom', when: true}
- {'name': 'matrix_bot_draupnir_config_managementRoom', when: "{{ not matrix_bot_draupnir_zero_touch_deploy }}"}
- {'name': 'matrix_bot_draupnir_config_initialManager', when: "{{ matrix_bot_draupnir_zero_touch_deploy }}"}
- {'name': 'matrix_bot_draupnir_container_network', when: true}
- {'name': 'matrix_bot_draupnir_config_homeserverUrl', when: true}
- {'name': 'matrix_bot_draupnir_config_rawHomeserverUrl', when: true}
@@ -64,6 +65,8 @@
with_items:
- {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
- {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_login_native }}"}
- {'name': 'matrix_bot_draupnir_config_managementRoom', when: "{{ matrix_bot_draupnir_zero_touch_deploy }}"}
- {'name': 'matrix_bot_draupnir_config_initialManager', when: "{{ not matrix_bot_draupnir_zero_touch_deploy }}"}
when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"

- name: Fail when matrix_bot_draupnir_config_experimentalRustCrypto is enabled together with matrix_bot_draupnir_pantalaimon_use


+ 8
- 0
roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 Переглянути файл

@@ -63,6 +63,7 @@ autojoinOnlyIfManager: true
# Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
recordIgnoredInvites: false

{% if not matrix_bot_draupnir_zero_touch_deploy %}
# The room ID (or room alias) of the management room, anyone in this room can issue commands to Draupnir.
#
# Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
@@ -72,6 +73,13 @@ recordIgnoredInvites: false
# Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
# (see verboseLogging to adjust this a bit.)
managementRoom: {{ matrix_bot_draupnir_config_managementRoom | to_json }}
{% endif %}

{% if matrix_bot_draupnir_zero_touch_deploy %}
# The initial manager to invite if the management room has to be created.
# Leave this commented out when using a pre-existing management room.
initialManager: {{ matrix_bot_draupnir_config_initialManager | to_json }}
{% endif %}

# The log level of terminal (or container) output,
# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
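Review bot: The comment `# Leave this commented out when using a pre-existing management room.` above `initialManager` reads as advice to someone hand-editing the rendered file, but in this template the key is emitted only when `matrix_bot_draupnir_zero_touch_deploy` is true and operators have nothing to comment out; replace it with `# Rendered only when matrix_bot_draupnir_zero_touch_deploy is enabled; with a pre-existing management room, set managementRoom instead.` The `{% if not matrix_bot_draupnir_zero_touch_deploy %}` opened in the previous hunk is closed here, so the two stanzas could be one `{% if %}` / `{% else %}` / `{% endif %}` block, which makes it explicit that exactly one of `managementRoom` and `initialManager` is written.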

