Auto-configure synapse-admin to be restricted to a single homeserver (the one managed by the playbook)

CHANGELOG.md

@@ -1,3 +1,19 @@
+# 2024-07-01
+
+## synapse-admin is now restricted to your homeserver's URL by default
+
+A new feature introduced in synapse-admin [v0.10.0](https://github.com/Awesome-Technologies/synapse-admin/releases/tag/0.10.0) (released and supported by the playbook since a a few months ago) provides the ability to [restrict its usage to a specific homeserver](https://github.com/Awesome-Technologies/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) (or multiple homeservers).
+
+The playbook has just started making use of this feature. **From now on, your synapse-admin instance will be restricted to the homeserver you're managing via the playbook**. When configured like this, the *Homeserver URL* field in synapse-admin's web UI changes from a text field to a dropdown having a single value (the URL of your homeserver). This makes usage simpler for most people, as they won't need to manually enter a *Homeserver URL* anymore.
+
+If you'd like **to go back to the old unrestricted behavior**, use the following configuration:
+
+```yml
+# Use this configuration to allow synapse-admin to manage any homeserver instance.
+matrix_synapse_admin_config_restrictBaseUrl: []
+```
+
+
 # 2024-06-25
 
 ## The URL-prefix for Hookshot generic webhooks has changed

docs/configuring-playbook-synapse-admin.md

@@ -20,14 +20,12 @@ matrix_synapse_admin_enabled: true
 - for [Synapse](./configuring-playbook-synapse.md) (our default homeserver implementation): `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true`
 - for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: true`
 
+By default, synapse-admin installation will be [restricted to only work with one homeserver](https://github.com/Awesome-Technologies/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) - the one managed by the playbook. To adjust these restrictions, tweak the `matrix_synapse_admin_config_restrictBaseUrl` variable.
+
 
 ## Installing
 
-After configuring the playbook, run the [installation](installing.md) command again:
-
-```
-ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
-```
+After configuring the playbook, run the [installation](installing.md) command again (`just install-all`).
 
 
 ## Usage
@@ -35,5 +33,3 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 After installation, Synapse Admin will be accessible at: `https://matrix.DOMAIN/synapse-admin/`
 
 To use Synapse Admin, you need to have [registered at least one administrator account](registering-users.md) on your server.
-
-The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN`

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -6,6 +6,7 @@ matrix_synapse_admin_enabled: true
 
 # A path on host where all related files will be saved
 matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin"
+matrix_synapse_admin_config_path: "{{ matrix_synapse_admin_base_path }}/config"
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src"
 
 matrix_synapse_admin_container_image_self_build: false
@@ -135,3 +136,40 @@ matrix_synapse_admin_hostname: "{{ matrix_server_fqn_matrix }}"
 # The path at which Synapse Admin is exposed.
 # This value must either be `/` or not end with a slash (e.g. `/synapse-admin`).
 matrix_synapse_admin_path_prefix: /synapse-admin
+
+# Default synapse-admin configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_synapse_admin_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_synapse_admin_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}"
+
+# Your custom JSON configuration for synapse-admin should go to `matrix_synapse_admin_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_synapse_admin_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_synapse_admin_configuration_default`.
+#
+# Example configuration extension follows:
+#
+# matrix_synapse_admin_configuration_extension_json: |
+#  {
+#  "some_setting": true,
+#  "another_setting": false
+#  }
+matrix_synapse_admin_configuration_extension_json: '{}'
+
+matrix_synapse_admin_configuration_extension: "{{ matrix_synapse_admin_configuration_extension_json | from_json if matrix_synapse_admin_configuration_extension_json | from_json is mapping else {} }}"
+
+# Holds the final synapse-admin configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_synapse_admin_configuration_default`.
+matrix_synapse_admin_configuration: "{{ matrix_synapse_admin_configuration_default | combine(matrix_synapse_admin_configuration_extension, recursive=True) }}"
+
+# Controls the restrictBaseUrl configuration setting, which, if defined,
+# restricts the homeserver(s), so that the user can no longer define a homeserver manually during login.
+matrix_synapse_admin_config_restrictBaseUrl: "{{ [matrix_homeserver_url] }}"  # noqa var-naming

roles/custom/matrix-synapse-admin/tasks/setup_install.yml

@@ -1,12 +1,17 @@
 ---
 
-- name: Ensure matrix-synapse-admin path exist
+- name: Ensure matrix-synapse-admin paths exists
   ansible.builtin.file:
-    path: "{{ matrix_synapse_admin_base_path }}"
+    path: "{{ item.path }}"
     state: directory
-    mode: 0700
+    mode: 0750
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {path: "{{ matrix_synapse_admin_base_path }}", when: true}
+    - {path: "{{ matrix_synapse_admin_config_path }}", when: true}
+    - {path: "{{ matrix_synapse_admin_docker_src_files_path }}", when: "{{ matrix_synapse_admin_container_image_self_build }}"}
+  when: "item.when | bool"
 
 - name: Ensure matrix-synapse-admin labels file is created
   ansible.builtin.template:
@@ -16,6 +21,14 @@
     group: "{{ matrix_user_groupname }}"
     mode: 0640
 
+- name: Ensure matrix-synapse-admin configuration installed
+  ansible.builtin.copy:
+    content: "{{ matrix_synapse_admin_configuration | to_nice_json }}"
+    dest: "{{ matrix_synapse_admin_config_path }}/config.json"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
 - name: Ensure matrix-synapse-admin image is pulled
   community.docker.docker_image:
     name: "{{ matrix_synapse_admin_docker_image }}"

roles/custom/matrix-synapse-admin/templates/config.json.j2

@@ -0,0 +1,3 @@
+{
+	"restrictBaseUrl": {{ matrix_synapse_admin_config_restrictBaseUrl | to_json }}
+}

roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2

@@ -30,6 +30,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			-p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \
 			{% endif %}
 			--label-file={{ matrix_synapse_admin_base_path }}/labels \
+			--mount type=bind,src={{ matrix_synapse_admin_config_path }}/config.json,dst=/app/config.json,ro \
 			{% for arg in matrix_synapse_admin_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}