Make bridge permissions more easily configurable

Not doing {% if matrix_admin %} checks in the YAML also fixes some issues
with indentation being incorrect sometimes.

This should be backward compatible, except for mautrix-signal's case
where `matrix_mautrix_signal_bridge_permissions` previously existed
as a string, not a dictionary. `tasks/validate_config.yml` will catch
the problem an even provide a quick fix.

roles/matrix-bridge-beeper-linkedin/defaults/main.yml

@@ -29,6 +29,12 @@ matrix_beeper_linkedin_bridge_presence: true
 
 matrix_beeper_linkedin_command_prefix: "!li"
 
+matrix_beeper_linkedin_bridge_permissions: |
+  {{
+    {matrix_beeper_linkedin_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # A list of extra arguments to pass to the container
 matrix_beeper_linkedin_container_extra_arguments: []
 

roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2

@@ -56,7 +56,7 @@ appservice:
         # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
         # to leave display name/avatar as-is.
         displayname: LinkedIn bridge bot
-        avatar: mxc://sumnerevans.com/XMtwdeUBnxYvWNFFrfeTSHqB 
+        avatar: mxc://sumnerevans.com/XMtwdeUBnxYvWNFFrfeTSHqB
 
     # Whether or not to receive ephemeral events via appservice transactions.
     # Requires MSC2409 support (i.e. Synapse 1.22+).
@@ -236,11 +236,7 @@ bridge:
     #        * - All Matrix users
     #   domain - All users on that homeserver
     #     mxid - Specific user
-    permissions:
-        "{{ matrix_beeper_linkedin_homeserver_domain }}": user
-        {% if matrix_admin %}
-        "{{ matrix_admin }}": admin
-        {% endif %}
+    permissions: {{ matrix_beeper_linkedin_bridge_permissions|to_json }}
 
 
 

roles/matrix-bridge-go-skype-bridge/defaults/main.yml

@@ -85,6 +85,20 @@ matrix_go_skype_bridge_bridge_login_shared_secret_map:
 matrix_go_skype_bridge_bridge_double_puppet_server_map:
   "{{ matrix_go_skype_bridge_homeserver_domain :  matrix_go_skype_bridge_homeserver_address }}"
 
+# Enable End-to-bridge encryption
+matrix_go_skype_bridge_bridge_encryption_allow: false
+matrix_go_skype_bridge_bridge_encryption_default: "{{ matrix_go_skype_bridge_bridge_encryption_allow }}"
+
+# Minimum severity of journal log messages.
+# Options: debug, info, warn, error, fatal
+matrix_go_skype_bridge_log_level: 'warn'
+
+matrix_go_skype_bridge_bridge_permissions: |
+  {{
+    {matrix_go_skype_bridge_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Default go-skype-bridge configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
@@ -124,11 +138,3 @@ matrix_go_skype_bridge_registration_yaml: |
   de.sorunome.msc2409.push_ephemeral: true
 
 matrix_go_skype_bridge_registration: "{{ matrix_go_skype_bridge_registration_yaml | from_yaml }}"
-
-# Enable End-to-bridge encryption
-matrix_go_skype_bridge_bridge_encryption_allow: false
-matrix_go_skype_bridge_bridge_encryption_default: "{{ matrix_go_skype_bridge_bridge_encryption_allow }}"
-
-# Minimum severity of journal log messages.
-# Options: debug, info, warn, error, fatal
-matrix_go_skype_bridge_log_level: 'warn'

roles/matrix-bridge-go-skype-bridge/templates/config.yaml.j2

@@ -197,11 +197,7 @@ bridge:
     #        * - All Matrix users
     #   domain - All users on that homeserver
     #     mxid - Specific user
-    permissions:
-        "{{ matrix_go_skype_bridge_homeserver_domain }}": user
-        {% if matrix_admin %}
-        "{{ matrix_admin }}": admin
-        {% endif %}
+    permissions: {{ matrix_go_skype_bridge_bridge_permissions|to_json }}
 
     relaybot:
         # Whether or not relaybot support is enabled.

roles/matrix-bridge-mautrix-facebook/defaults/main.yml

@@ -46,6 +46,12 @@ matrix_mautrix_facebook_homeserver_token: ''
 # If false, created portal rooms will never be federated.
 matrix_mautrix_facebook_federate_rooms: true
 
+matrix_mautrix_facebook_bridge_permissions: |
+  {{
+    {matrix_mautrix_facebook_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Controls whether the matrix-mautrix-facebook container exposes its HTTP port.
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9008"), or empty string to not expose.

roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2

@@ -201,11 +201,7 @@ bridge:
     #        * - All Matrix users
     #   domain - All users on that homeserver
     #     mxid - Specific user
-    permissions:
-      '{{ matrix_mautrix_facebook_homeserver_domain }}': user
-      {% if matrix_admin %}
-      '{{ matrix_admin }}': admin
-      {% endif %}
+    permissions: {{ matrix_mautrix_facebook_bridge_permissions|to_json }}
 
     relay:
         # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any

roles/matrix-bridge-mautrix-googlechat/defaults/main.yml

@@ -48,6 +48,12 @@ matrix_mautrix_googlechat_homeserver_token: ''
 # If false, created portal rooms will never be federated.
 matrix_mautrix_googlechat_federate_rooms: true
 
+matrix_mautrix_googlechat_bridge_permissions: |
+  {{
+    {matrix_mautrix_googlechat_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.

roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2

@@ -117,11 +117,7 @@ bridge:
     #        * - All Matrix users
     #   domain - All users on that homeserver
     #     mxid - Specific user
-    permissions:
-      '{{ matrix_mautrix_googlechat_homeserver_domain }}': user
-      {% if matrix_admin %}
-      '{{ matrix_admin }}': admin
-      {% endif %}
+    permissions: {{ matrix_mautrix_googlechat_bridge_permissions|to_json }}
 
 # Python logging configuration.
 #

roles/matrix-bridge-mautrix-hangouts/defaults/main.yml

@@ -27,6 +27,12 @@ matrix_mautrix_hangouts_appservice_address: 'http://matrix-mautrix-hangouts:8080
 
 matrix_mautrix_hangouts_command_prefix: "!HO"
 
+matrix_mautrix_hangouts_bridge_permissions: |
+  {{
+    {matrix_mautrix_hangouts_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Controls whether the matrix-mautrix-hangouts container exposes its HTTP port (tcp/8080 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9007"), or empty string to not expose.

roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2

@@ -114,11 +114,7 @@ bridge:
     #        * - All Matrix users
     #   domain - All users on that homeserver
     #     mxid - Specific user
-    permissions:
-      '{{ matrix_mautrix_hangouts_homeserver_domain }}': user
-      {% if matrix_admin %}
-      '{{ matrix_admin }}': admin
-      {% endif %}
+    permissions: {{ matrix_mautrix_hangouts_bridge_permissions|to_json }}
 
 # Python logging configuration.
 #

roles/matrix-bridge-mautrix-instagram/defaults/main.yml

@@ -25,6 +25,12 @@ matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29
 
 matrix_mautrix_instagram_command_prefix: "!ig"
 
+matrix_mautrix_instagram_bridge_permissions: |
+  {{
+    {matrix_mautrix_instagram_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # A list of extra arguments to pass to the container
 matrix_mautrix_instagram_container_extra_arguments: []
 

roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2

@@ -185,11 +185,7 @@ bridge:
   #        * - All Matrix users
   #   domain - All users on that homeserver
   #     mxid - Specific user
-  permissions:
-    "{{ matrix_mautrix_instagram_homeserver_domain }}": user
-    {% if matrix_admin %}
-    "{{ matrix_admin }}": admin
-    {% endif %}
+  permissions: {{ matrix_mautrix_instagram_bridge_permissions|to_json }}
   # Provisioning API part of the web server for automated portal creation and fetching information.
   # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
   provisioning:

roles/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -103,12 +103,14 @@ matrix_mautrix_signal_relaybot_enabled: false
 #        * - All Matrix users
 #   domain - All users on that homeserver
 #     mxid - Specific user
+#
+# This variable used to contain a YAML string, but now needs to contain a hashmap/dictionary.
 matrix_mautrix_signal_bridge_permissions: |
-  '*': relay
-  '{{ matrix_mautrix_signal_homeserver_domain }}': user
-  {% if matrix_admin %}
-  "{{ matrix_admin }}": admin
-  {% endif %}
+  {{
+    {'*': 'relay'}
+    | combine({matrix_mautrix_signal_homeserver_domain: 'user'})
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.

roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml

@@ -11,6 +11,15 @@
     - "matrix_mautrix_signal_homeserver_token"
     - "matrix_mautrix_signal_appservice_token"
 
+- name: (Deprecation) Fail if matrix_mautrix_signal_bridge_permissions specified as YAML string, instead of a dictionary
+  ansible.builtin.fail:
+    msg: >-
+      The `matrix_mautrix_signal_bridge_permissions` variable in your configuration is specified as a YAML string.
+      The playbook now expects a hashmap/dictionary in this variable.
+      Change your configuration like this:
+      matrix_mautrix_signal_bridge_permissions: {{ matrix_mautrix_signal_bridge_permissions | from_yaml | to_json }}
+  when: "matrix_mautrix_signal_bridge_permissions is string"
+
 - name: (Deprecation) Catch and report renamed Signal variables
   ansible.builtin.fail:
     msg: >-

roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2

@@ -223,8 +223,7 @@ bridge:
     #        * - All Matrix users
     #   domain - All users on that homeserver
     #     mxid - Specific user
-    permissions:
-        {{ matrix_mautrix_signal_bridge_permissions|from_yaml }}
+    permissions: {{ matrix_mautrix_signal_bridge_permissions|to_json }}
 
     relay:
         # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any

roles/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -27,6 +27,12 @@ matrix_mautrix_telegram_data_path: "{{ matrix_mautrix_telegram_base_path }}/data
 
 matrix_mautrix_telegram_command_prefix: "!tg"
 
+matrix_mautrix_telegram_bridge_permissions: |
+  {{
+    {matrix_mautrix_telegram_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Get your own API keys at https://my.telegram.org/apps
 matrix_mautrix_telegram_api_id: ''
 matrix_mautrix_telegram_api_hash: ''

roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2

@@ -289,11 +289,7 @@ bridge:
     #        * - All Matrix users
     #   domain - All users on that homeserver
     #     mxid - Specific user
-    permissions:
-      '{{ matrix_mautrix_telegram_homeserver_domain }}': full
-      {% if matrix_admin %}
-      '{{ matrix_admin }}': admin
-      {% endif %}
+    permissions: {{ matrix_mautrix_telegram_bridge_permissions|to_json }}
 
     # Options related to the message relay Telegram bot.
     relaybot:

roles/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -25,6 +25,12 @@ matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327'
 
 matrix_mautrix_twitter_command_prefix: "!tw"
 
+matrix_mautrix_twitter_bridge_permissions: |
+  {{
+    {matrix_mautrix_twitter_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # A list of extra arguments to pass to the container
 matrix_mautrix_twitter_container_extra_arguments: []
 

roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2

@@ -173,11 +173,7 @@ bridge:
     #        * - All Matrix users
     #   domain - All users on that homeserver
     #     mxid - Specific user
-    permissions:
-      '{{ matrix_mautrix_twitter_homeserver_domain }}': user
-      {% if matrix_admin %}
-      '{{ matrix_admin }}': admin
-      {% endif %}
+    permissions: {{ matrix_mautrix_twitter_bridge_permissions|to_json }}
 
 
 # Python logging configuration.

roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -90,6 +90,17 @@ matrix_mautrix_whatsapp_bridge_login_shared_secret_map:
 matrix_mautrix_whatsapp_bridge_double_puppet_server_map:
   "{{ matrix_mautrix_whatsapp_homeserver_domain :  matrix_mautrix_whatsapp_homeserver_address }}"
 
+# Enable End-to-bridge encryption
+matrix_mautrix_whatsapp_bridge_encryption_allow: false
+matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
+matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
+
+matrix_mautrix_whatsapp_bridge_permissions: |
+  {{
+    {matrix_mautrix_whatsapp_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Default mautrix-whatsapp configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
@@ -130,7 +141,3 @@ matrix_mautrix_whatsapp_registration_yaml: |
 
 matrix_mautrix_whatsapp_registration: "{{ matrix_mautrix_whatsapp_registration_yaml | from_yaml }}"
 
-# Enable End-to-bridge encryption
-matrix_mautrix_whatsapp_bridge_encryption_allow: false
-matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
-matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"

roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2

@@ -368,11 +368,7 @@ bridge:
     #        * - All Matrix users
     #   domain - All users on that homeserver
     #     mxid - Specific user
-    permissions:
-        "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user
-        {% if matrix_admin %}
-        "{{ matrix_admin }}": admin
-        {% endif %}
+    permissions: {{ matrix_mautrix_whatsapp_bridge_permissions|to_json }}
 
     # Settings for relay mode
     relay: