Draupnir Zero Touch Deployment Stage 1 support

roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml

@@ -58,14 +58,33 @@ matrix_appservice_draupnir_for_all_force_restart: "{{
   matrix_appservice_draupnir_for_all_rolling_tag | bool
 }}"
 
+# This controls whether Zero Touch Deployment is enabled.
+# When enabled, the playbook validates the related settings and only renders
+# the configuration values Draupnir expects for this mode.
+# This prevents invalid manual combinations from being passed through, since
+# Draupnir requires `matrix_appservice_draupnir_for_all_config_adminRoom` to be
+# unset and `matrix_appservice_draupnir_for_all_initialManager` to be a valid
+# user ID.
+# Zero Touch Deployment is recomended for all new deployments.
+# New deployments that are exempt from this recomendation are assumed to be advanced users. 
+# Who know what they are doing and have specific needs that require the flexibility of non-zero-touch-deployment mode. 
+# Note that enabling this on an existing deployment will cause the bot to recreate the admin room.
+# Manual policy migration has to be done in that case as to not break when access controls return to working order.
+matrix_appservice_draupnir_for_all_zero_touch_deploy: false
+
 # The room ID where people can use the bot. The bot has no access controls, so
 # anyone in this room can use the bot - secure your room!
 # This should be a room alias - not a matrix.to URL.
-# Note: Draupnir is fairly verbose - expect a lot of messages from it.
+# Appservice mode unlike bot mode is not verbose in the admin room.
 # This room is different for Appservice Mode compared to normal mode.
 # In Appservice mode it provides functions like user management.
 matrix_appservice_draupnir_for_all_config_adminRoom: ""  # noqa var-naming
 
+# This controls the mxid of who is invited to the admin room on its creation when using Zero Touch Deployment.
+# The this value is mutually exclusive with matrix_appservice_draupnir_for_all_config_adminRoom 
+# and the bot will crash if you attempt to set both at the same time.
+matrix_appservice_draupnir_for_all_config_initialManager: ""  # noqa var-naming
+
 # Controls if the room state backing store is activated.
 # Room state backing store makes restarts of the bot lightning fast as the bot does not suffer from amnesia.
 # This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.

roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml

@@ -25,10 +25,19 @@
     - {'old': 'matrix_appservice_draupnir_for_all_docker_src_files_path', 'new': 'matrix_appservice_draupnir_for_all_container_src_files_path'}
     - {'old': 'matrix_appservice_draupnir_for_all_container_image_force_pull', 'new': '<removed> (No longer needed due to new docker module doing this natively only if needed.)'}
 
-- name: Fail if required matrix-bot-draupnir variables are undefined
+- name: Fail if required matrix-appservice-draupnir-for-all variables are undefined
   ansible.builtin.fail:
-    msg: "The `{{ item }}` variable must be defined and have a non-null value."
+    msg: "The `{{ item.name }}` variable must be defined and have a non-null value."
   with_items:
-    - "matrix_appservice_draupnir_for_all_config_adminRoom"
-    - "matrix_bot_draupnir_container_network"
-  when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none"
+    - {'name': 'matrix_appservice_draupnir_for_all_config_adminRoom', when: "{{ not matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
+    - {'name': 'matrix_appservice_draupnir_for_all_config_initialManager', when: "{{ matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
+    - {'name': 'matrix_appservice_draupnir_for_all_container_network', when: true}
+  when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
+
+- name: Fail if inappropriate variables are defined
+  ansible.builtin.fail:
+    msg: "The `{{ item.name }}` variable must be undefined or have a null value."
+  with_items:
+    - {'name': 'matrix_appservice_draupnir_for_all_config_adminRoom', when: "{{ matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
+    - {'name': 'matrix_appservice_draupnir_for_all_config_initialManager', when: "{{ not matrix_appservice_draupnir_for_all_zero_touch_deploy }}"}
+  when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"

roles/custom/matrix-appservice-draupnir-for-all/templates/production-appservice.yaml.j2

@@ -17,9 +17,17 @@ db:
   engine: "postgres"
   connectionString: "{{ matrix_appservice_draupnir_for_all_database_connection_string }}"
 
+{% if not matrix_appservice_draupnir_for_all_zero_touch_deploy %}
 # A room you have created that scopes who can access the appservice.
 # See docs/access_control.md
 adminRoom: {{ matrix_appservice_draupnir_for_all_config_adminRoom | to_json }}
+{% endif %}
+
+{% if matrix_appservice_draupnir_for_all_zero_touch_deploy %}
+# The initial manager to invite if the admin room has to be created.
+initialManager: {{ matrix_appservice_draupnir_for_all_config_initialManager | to_json }}
+{% endif %}
+
 
 # This is a web api that the widget connects to in order to interact with the appservice.
 webAPI:
@@ -37,6 +45,5 @@ maxDraupnirsPerUser: 1
 # Defaults to false when omitted.
 allowSelfServiceProvisioning: false
 
-
 roomStateBackingStore:
   enabled: {{ matrix_appservice_draupnir_for_all_config_roomStateBackingStore_enabled | to_json }}

roles/custom/matrix-bot-draupnir/defaults/main.yml

@@ -115,12 +115,36 @@ matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}"
 # This configuration option does not follow the common naming schema as its not controlling a config key directly.
 matrix_bot_draupnir_login_native: false
 
-# The room ID where people can use the bot. The bot has no access controls, so
-# anyone in this room can use the bot - secure your room!
+# This controls whether Zero Touch Deployment is enabled.
+# When enabled, the playbook validates the settings and only
+# renders the configuration values Draupnir expects.
+# This prevents invalid manual combinations from being passed through, since
+# Draupnir requires `matrix_bot_draupnir_config_managementRoom` to be unset and
+# `matrix_bot_draupnir_initialManager` to be a valid MXID.
+# Zero Touch Deployment is recommended for all new deployments.
+# Deployments that are exempt from this recommendation are assumed to be
+# advanced setups with specific needs for non-zero-touch mode.
+# Note that enabling this on an existing deployment will cause the bot to
+# recreate the management room.
+# Recreating the management room will cause all protections to reset their settings to defaults
+# and cause the re creation of secondary rooms like notification rooms. News memory will also be wiped.
+matrix_bot_draupnir_zero_touch_deploy: false
+
+# The management room used for administration when Zero Touch
+# Deployment is disabled.
+# The bot has no access controls, so anyone in this room can use it - secure
+# your room!
 # This should be a room alias or room ID - not a matrix.to URL.
 # Note: Draupnir is fairly verbose - expect a lot of messages from it.
 matrix_bot_draupnir_config_managementRoom: ""  # noqa var-naming
 
+# The MXID invited as the initial manager when Zero Touch Deployment creates the
+# management room.
+# This value is mutually exclusive with
+# `matrix_bot_draupnir_config_managementRoom`, and the bot will crash if you
+# attempt to set both at the same time.
+matrix_bot_draupnir_config_initialManager: ""  # noqa var-naming
+
 # Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API).
 # Set this to the Pantalaimon URL if you're using that.
 matrix_bot_draupnir_config_homeserverUrl: ""  # noqa var-naming

roles/custom/matrix-bot-draupnir/tasks/validate_config.yml

@@ -1,5 +1,5 @@
 # SPDX-FileCopyrightText: 2023 - 2025 MDAD project contributors
-# SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
+# SPDX-FileCopyrightText: 2023 - 2026 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@@ -45,7 +45,8 @@
   with_items:
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ not matrix_bot_draupnir_pantalaimon_use and not matrix_bot_draupnir_login_native }}"}
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_config_experimentalRustCrypto }}"}
-    - {'name': 'matrix_bot_draupnir_config_managementRoom', when: true}
+    - {'name': 'matrix_bot_draupnir_config_managementRoom', when: "{{ not matrix_bot_draupnir_zero_touch_deploy }}"}
+    - {'name': 'matrix_bot_draupnir_config_initialManager', when: "{{ matrix_bot_draupnir_zero_touch_deploy }}"}
     - {'name': 'matrix_bot_draupnir_container_network', when: true}
     - {'name': 'matrix_bot_draupnir_config_homeserverUrl', when: true}
     - {'name': 'matrix_bot_draupnir_config_rawHomeserverUrl', when: true}
@@ -64,6 +65,8 @@
   with_items:
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_login_native }}"}
+    - {'name': 'matrix_bot_draupnir_config_managementRoom', when: "{{ matrix_bot_draupnir_zero_touch_deploy }}"}
+    - {'name': 'matrix_bot_draupnir_config_initialManager', when: "{{ not matrix_bot_draupnir_zero_touch_deploy }}"}
   when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
 
 - name: Fail when matrix_bot_draupnir_config_experimentalRustCrypto is enabled together with matrix_bot_draupnir_pantalaimon_use

roles/custom/matrix-bot-draupnir/templates/production.yaml.j2

@@ -63,6 +63,7 @@ autojoinOnlyIfManager: true
 # Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
 recordIgnoredInvites: false
 
+{% if not matrix_bot_draupnir_zero_touch_deploy %}
 # The room ID (or room alias) of the management room, anyone in this room can issue commands to Draupnir.
 #
 # Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
@@ -72,6 +73,13 @@ recordIgnoredInvites: false
 # Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
 # (see verboseLogging to adjust this a bit.)
 managementRoom: {{ matrix_bot_draupnir_config_managementRoom | to_json }}
+{% endif %}
+
+{% if matrix_bot_draupnir_zero_touch_deploy %}
+# The initial manager to invite if the management room has to be created.
+# Leave this commented out when using a pre-existing management room.
+initialManager: {{ matrix_bot_draupnir_config_initialManager | to_json }}
+{% endif %}
 
 # The log level of terminal (or container) output,
 # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.