matrix-docker-ansible-deploy/roles/custom/matrix-synapse/tasks/validate_config.yml

# SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2024 Charles Wright
# SPDX-FileCopyrightText: 2024 MDAD project contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later

---

- name: (Deprecation) Catch and report renamed settings
  ansible.builtin.fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
  with_items:
    - {'old': 'matrix_synapse_email_riot_base_url', 'new': '<superseded by client_base_url>'}
    - {'old': 'matrix_synapse_container_expose_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
    - {'old': 'matrix_synapse_no_tls', 'new': '<removed>'}
    - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'}
    - {'old': 'matrix_alias_creation_rules', 'new': 'matrix_synapse_alias_creation_rules'}
    - {'old': 'matrix_room_list_publication_rules', 'new': 'matrix_synapse_room_list_publication_rules'}
    - {'old': 'matrix_synapse_rc_messages_per_second', 'new': '<per_second subkey of matrix_synapse_rc_message>'}
    - {'old': 'matrix_synapse_rc_message_burst_count', 'new': '<burst_count subkey of matrix_synapse_rc_message>'}
    - {'old': 'matrix_synapse_federation_rc_window_size', 'new': '<window_size subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_federation_rc_sleep_limit', 'new': '<sleep_limit subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_federation_rc_sleep_delay', 'new': '<sleep_delay subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_federation_rc_reject_limit', 'new': '<reject_limit subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_federation_rc_concurrent', 'new': '<concurrent subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_container_expose_client_api_port', 'new': '<superseded by matrix_synapse_container_client_api_host_bind_port>'}
    - {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
    - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
    - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
    - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
    - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'}
    - {'old': 'matrix_synapse_version_arm64', 'new': '<superseded by matrix_synapse_version - see https://github.com/matrix-org/synapse/pull/11810>'}
    - {'old': 'matrix_synapse_enable_group_creation', 'new': '<removed in Synapse v1.61.0 - use the new Spaces feature instead>'}
    - {'old': 'matrix_synapse_account_threepid_delegates_email', 'new': '<removed in Synapse v1.66.0 - make sure to configure email settings for Synapse - see https://matrix-org.github.io/synapse/v1.66/upgrade.html#delegation-of-email-validation-no-longer-supported>'}
    - {'old': 'matrix_synapse_workers_frontend_proxy_workers_count', 'new': '<removed in favor of generic workers - see https://github.com/matrix-org/synapse/pull/13645>'}
    - {'old': 'matrix_synapse_workers_frontend_proxy_workers_port_range_start', 'new': '<removed in favor of generic workers - see https://github.com/matrix-org/synapse/pull/13645>'}
    - {'old': 'matrix_synapse_workers_frontend_proxy_workers_metrics_range_start', 'new': '<removed in favor of generic workers - see https://github.com/matrix-org/synapse/pull/13645>'}
    - {'old': 'matrix_synapse_ext_s3_storage_provider_path', 'new': 'matrix_synapse_ext_s3_storage_provider_base_path'}
    - {'old': 'matrix_synapse_send_federation', 'new': '<unnecessary - Synapse relies on federation_sender_instances now>'}
    - {'old': 'matrix_synapse_start_pushers', 'new': '<unnecessary - Synapse relies on pusher_instances now>'}
    - {'old': 'matrix_synapse_spam_checker', 'new': '<superseded by matrix_synapse_modules>'}
    - {'old': 'matrix_synapse_caches_autotuning_max_cache_memory_usage', 'new': 'matrix_synapse_cache_autotuning_max_cache_memory_usage'}
    - {'old': 'matrix_synapse_caches_autotuning_target_cache_memory_usage', 'new': 'matrix_synapse_cache_autotuning_target_cache_memory_usage'}
    - {'old': 'matrix_synapse_caches_autotuning_min_cache_ttl', 'new': 'matrix_synapse_cache_autotuning_min_cache_ttl'}
    - {'old': 'matrix_synapse_memtotal_kb', 'new': '<superseded by matrix_synapse_cache_size_calculations_memtotal_bytes>'}
    - {'old': 'matrix_synapse_docker_image_name_prefix', 'new': 'matrix_synapse_container_image_registry_prefix'}
    - {'old': 'matrix_s3_goofys_docker_image_name_prefix', 'new': 'matrix_s3_goofys_container_image_registry_prefix'}
    - {'old': 'matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix', 'new': 'matrix_synapse_rust_synapse_compress_state_container_image_registry_prefix'}
    - {'old': 'matrix_s3_goofys_docker_image', 'new': 'matrix_s3_goofys_container_image'}
    - {'old': 'matrix_s3_goofys_docker_image_force_pull', 'new': 'matrix_s3_goofys_container_image_force_pull'}
    - {'old': 'matrix_s3_goofys_docker_image_registry_prefix', 'new': 'matrix_s3_goofys_container_image_registry_prefix'}
    - {'old': 'matrix_s3_goofys_docker_image_registry_prefix_upstream', 'new': 'matrix_s3_goofys_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_s3_goofys_docker_image_registry_prefix_upstream_default', 'new': 'matrix_s3_goofys_container_image_registry_prefix_upstream_default'}
    - {'old': 'matrix_synapse_docker_image', 'new': 'matrix_synapse_container_image'}
    - {'old': 'matrix_synapse_docker_image_name', 'new': 'matrix_synapse_container_image_name'}
    - {'old': 'matrix_synapse_docker_image_tag', 'new': 'matrix_synapse_container_image_tag'}
    - {'old': 'matrix_synapse_docker_image_force_pull', 'new': 'matrix_synapse_container_image_force_pull'}
    - {'old': 'matrix_synapse_docker_image_registry_prefix', 'new': 'matrix_synapse_container_image_registry_prefix'}
    - {'old': 'matrix_synapse_docker_image_registry_prefix_upstream', 'new': 'matrix_synapse_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_synapse_docker_image_registry_prefix_upstream_default', 'new': 'matrix_synapse_container_image_registry_prefix_upstream_default'}
    - {'old': 'matrix_synapse_docker_src_files_path', 'new': 'matrix_synapse_container_src_files_path'}
    - {'old': 'matrix_synapse_docker_image_customized', 'new': 'matrix_synapse_container_image_customized'}
    - {'old': 'matrix_synapse_docker_image_customized_build_nocache', 'new': 'matrix_synapse_container_image_customized_build_nocache'}
    - {'old': 'matrix_synapse_docker_image_customized_force_source', 'new': 'matrix_synapse_container_image_customized_force_source'}
    - {'old': 'matrix_synapse_docker_image_final', 'new': 'matrix_synapse_container_image_final'}
    - {'old': 'matrix_synapse_customized_docker_src_files_path', 'new': 'matrix_synapse_customized_container_src_files_path'}
    - {'old': 'matrix_synapse_rust_synapse_compress_state_docker_image', 'new': 'matrix_synapse_rust_synapse_compress_state_container_image'}
    - {'old': 'matrix_synapse_rust_synapse_compress_state_docker_image_version', 'new': 'matrix_synapse_rust_synapse_compress_state_container_image_version'}
    - {'old': 'matrix_synapse_rust_synapse_compress_state_docker_image_force_pull', 'new': 'matrix_synapse_rust_synapse_compress_state_container_image_force_pull'}
    - {'old': 'matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix', 'new': 'matrix_synapse_rust_synapse_compress_state_container_image_registry_prefix'}
    - {'old': 'matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix_upstream', 'new': 'matrix_synapse_rust_synapse_compress_state_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix_upstream_default', 'new': 'matrix_synapse_rust_synapse_compress_state_container_image_registry_prefix_upstream_default'}

    - {'old': 'matrix_synapse_experimental_features_msc3202_device_masquerading_enabled', 'new': '<removed - this feature is enabled by default now'}

    - {'old': 'matrix_synapse_experimental_features_msc3861_enabled', 'new': 'matrix_synapse_matrix_authentication_service_enabled'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_issuer', 'new': '<superseded by matrix_synapse_matrix_authentication_service_endpoint>'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_client_id', 'new': '<removed>'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_client_auth_method', 'new': '<removed>'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_client_secret', 'new': '<removed>'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_admin_token', 'new': '<removed>'}
    - {'old': 'matrix_synapse_experimental_features_msc3861_account_management_url', 'new': '<removed>'}

    - {'old': 'matrix_synapse_experimental_features_msc4133_enabled', 'new': '<removed - this feature is enabled by default now>'}

    - {'old': 'matrix_synapse_container_image_customizations_s3_storage_provider_installation_old_boto_workaround_enabled', 'new': '<removed; see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4637>'}

    - {'old': 'matrix_synapse_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
    - {'old': 'matrix_s3_goofys_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
    - {'old': 'matrix_synapse_rust_synapse_compress_state_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
    - {'old': 'matrix_synapse_reverse_proxy_companion_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}

- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
  ansible.builtin.fail:
    msg: >-
      Your matrix_synapse_configuration_extension_yaml configuration contains a variable, which now has a different name.
      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
  when: "item.old in matrix_synapse_configuration_extension"
  with_items:
    - {'old': 'federation_ip_range_blacklist', 'new': 'ip_range_blacklist'}

- name: Fail if required Synapse settings not defined
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item.name }}`).
  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
  with_items:
    - {'name': 'matrix_synapse_username', when: true}
    - {'name': 'matrix_synapse_uid', when: true}
    - {'name': 'matrix_synapse_gid', when: true}
    - {'name': 'matrix_synapse_container_network', when: true}
    - {'name': 'matrix_synapse_macaroon_secret_key', when: true}
    - {'name': 'matrix_synapse_database_host', when: true}
    - {'name': 'matrix_synapse_database_user', when: true}
    - {'name': 'matrix_synapse_database_password', when: true}
    - {'name': 'matrix_synapse_database_database', when: true}

    - {'name': 'matrix_synapse_container_labels_public_client_root_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_root_enabled }}"}
    - {'name': 'matrix_synapse_container_labels_public_client_root_redirection_url', when: "{{ matrix_synapse_container_labels_public_client_root_redirection_enabled }}"}

    - {'name': 'matrix_synapse_container_labels_public_client_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_api_enabled }}"}

    - {'name': 'matrix_synapse_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_internal_client_api_enabled }}"}
    - {'name': 'matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled }}"}

    - {'name': 'matrix_synapse_container_labels_public_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"}
    - {'name': 'matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"}

    - {'name': 'matrix_synapse_container_labels_public_federation_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_federation_api_enabled }}"}
    - {'name': 'matrix_synapse_container_labels_public_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_public_federation_api_enabled }}"}

    - {'name': 'matrix_synapse_metrics_proxying_hostname', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
    - {'name': 'matrix_synapse_metrics_proxying_path_prefix', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}

    - {'name': 'matrix_synapse_matrix_authentication_service_endpoint', when: "{{ matrix_synapse_matrix_authentication_service_enabled }}"}
    - {'name': 'matrix_synapse_matrix_authentication_service_secret', when: "{{ matrix_synapse_matrix_authentication_service_enabled }}"}

    - {'name': 'matrix_synapse_container_labels_traefik_compression_middleware_name', when: "{{ matrix_synapse_container_labels_traefik_compression_middleware_enabled }}"}

- name: Fail if asking for more than 1 instance of single-instance workers
  ansible.builtin.fail:
    msg: >-
      `{{ item }}` cannot be more than 1. This is a single-instance worker.
  when: "lookup('vars', item, default='') | int > 1"
  with_items:
    - "matrix_synapse_workers_appservice_workers_count"
    - "matrix_synapse_workers_user_dir_workers_count"
    - "matrix_synapse_workers_background_workers_count"
    - "matrix_synapse_workers_stream_writer_typing_stream_workers_count"
    - "matrix_synapse_workers_stream_writer_to_device_stream_workers_count"
    - "matrix_synapse_workers_stream_writer_account_data_stream_workers_count"
    - "matrix_synapse_workers_stream_writer_receipts_stream_workers_count"
    - "matrix_synapse_workers_stream_writer_presence_stream_workers_count"
    - "matrix_synapse_workers_stream_writer_push_rules_stream_workers_count"

- name: Fail if matrix-synapse-reverse-proxy-companion access log format is invalid
  ansible.builtin.fail:
    msg: >-
      `matrix_synapse_reverse_proxy_companion_access_log_format` must be one of:
      {{ matrix_synapse_reverse_proxy_companion_access_log_format_presets.keys() | sort | join(', ') }}
  when: "matrix_synapse_reverse_proxy_companion_access_log_format not in matrix_synapse_reverse_proxy_companion_access_log_format_presets"

- name: Fail when mixing generic workers with new specialized workers
  ansible.builtin.fail:
    msg: >-
      Generic workers should not be mixed with the new specialized worker types (room workers, sync workers, client readers, and federation readers)
  when: matrix_synapse_workers_generic_workers_count | int > 0 and ((matrix_synapse_workers_room_workers_count | int + matrix_synapse_workers_sync_workers_count | int + matrix_synapse_workers_client_reader_workers_count | int + matrix_synapse_workers_federation_reader_workers_count | int) > 0)

- when: matrix_synapse_container_image_customizations_templates_enabled | bool
  block:
    - name: Fail if required `matrix_synapse_container_image_customizations_templates_*` settings not defined
      ansible.builtin.fail:
        msg: >-
          You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_enabled`.
      when: "lookup('vars', item, default='') == ''"
      with_items:
        - matrix_synapse_container_image_customizations_templates_git_repository_url
        - matrix_synapse_container_image_customizations_templates_git_repository_branch

    - name: Fail if required `matrix_synapse_container_image_customizations_templates_git_repository_keyscan_*` settings not defined
      ansible.builtin.fail:
        msg: >-
          You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_git_repository_keyscan`.
      when: "matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled | bool and lookup('vars', item, default='') == ''"
      with_items:
        - matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname

- name: Fail if known Synapse password provider modules are enabled when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it does not make sense to enable password provider modules, because it is not Synapse that is handling authentication. Please disable {{ item }} before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
  when: matrix_synapse_matrix_authentication_service_enabled and lookup('vars', item, default='') | bool
  with_items:
    - matrix_synapse_ext_password_provider_rest_auth_enabled
    - matrix_synapse_ext_password_provider_shared_secret_auth_enabled
    - matrix_synapse_ext_password_provider_ldap_enabled

- name: Fail if password config is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable the password config (`matrix_synapse_password_config_enabled: true`), because it is not Synapse that is handling authentication. Please remove your `matrix_synapse_password_config_enabled: true` setting before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_password_config_enabled

- name: Fail if registration is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable registration (`matrix_synapse_enable_registration: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_enable_registration

- name: Fail if registration CAPTCHA is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable registration CAPTCHA (`matrix_synapse_enable_registration_captcha: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_enable_registration_captcha

- name: Fail if OpenID Connect is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable OpenID Connect (`matrix_synapse_oidc_enabled: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_oidc_enabled and not matrix_authentication_service_migration_in_progress

- name: Fail if CAS config is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable CAS config (`matrix_synapse_cas_config_enabled: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_cas_config_enabled

- name: Fail if QR code login (MSC4108) is enabled while Matrix Authentication Service is not
  ansible.builtin.fail:
    msg: "When Synapse QR code login is enabled (MSC4108 via `matrix_synapse_experimental_features_msc4108_enabled`), Matrix Authentication Service integration (`matrix_synapse_matrix_authentication_service_enabled`) must also be enabled."
  when: matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_matrix_authentication_service_enabled