From 9d3c0310315e9b9b29bdca8821db84ecdd4e2d4e Mon Sep 17 00:00:00 2001
From: Catalan Lover
Date: Fri, 28 Jun 2024 23:34:36 +0200
Subject: [PATCH 1/3] Enable Internal Admin API Access separately from Public access.

---
 group_vars/matrix_servers | 2 +
 .../templates/labels.j2 | 38 +++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index f84bf4e55..0d14b36e7 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -4307,6 +4307,7 @@ matrix_synapse_container_labels_public_client_root_redirection_enabled: "{{ matr
 matrix_synapse_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
 matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}"
+matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled: "{{ matrix_bot_draupnir_admin_api_enabled }}"
 matrix_synapse_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}"
 matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
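Review bot: The added `matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled` line reads `matrix_bot_draupnir_admin_api_enabled`, which this commit does not define — it first appears in PATCH 2/3 (the `@@ -2747` hunk of group_vars/matrix_servers), so on this commit alone the playbook would presumably fail with an undefined variable wherever the Synapse labels are rendered; squashing or reordering the series avoids a broken bisect point. Separately, the internal routers this flag switches on (PATCH 1/3, labels.j2) expose `/_synapse/admin` on the internal entrypoint to every container attached to it, not only Draupnir, yet nothing ties the flag to the bot actually being deployed, so a leftover `matrix_bot_draupnir_room_hijack_enabled: true` keeps the Admin API exposed after the bot is switched off. Consider gating the derivation in the `@@ -2747` hunk on the bot's own enable flag, e.g. `matrix_bot_draupnir_admin_api_enabled: "{{ matrix_bot_draupnir_enabled and matrix_bot_draupnir_room_hijack_enabled }}"`, assuming that variable is already defined at that point of group_vars.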
@@ -4466,6 +4467,7 @@ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: "{{ ma
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_public_federation_api_traefik_tls }}"
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
index 44c7e7a82..bf9645870 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
@@ -119,6 +119,44 @@ traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synaps
 ############################################################
 {% endif %}
+{% if matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_enabled %}
+############################################################
+# #
+# Internal Synapse Admin API (/_synapse/client) #
+# #
+############################################################
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.rule=PathPrefix(`/_synapse/client`)
+
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.entrypoints=matrix-internal-matrix-client-api
+
+############################################################
+# #
+# /Internal Synapse Admin API (/_synapse/client) #
+# #
+############################################################
+
+
+############################################################
+# #
+# Internal Synapse Admin API (/_synapse/admin) #
+# #
+############################################################
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.rule=PathPrefix(`/_synapse/admin`)
+
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.service=matrix-synapse-reverse-proxy-companion-client-api
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.entrypoints=matrix-internal-matrix-client-api
+
+############################################################
+# #
+# /Internal Synapse Admin API (/_synapse/admin) #
+# #
+############################################################
+{% endif %}
 {% if matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled %}
 ############################################################

From 3a92b63f9806c0e5a2f0f3248e8f8fc681c9b5e1 Mon Sep 17 00:00:00 2001
From: Catalan Lover
Date: Fri, 28 Jun 2024 23:38:43 +0200
Subject: [PATCH 2/3] Add Config variable for Draupnir Hijack command

And also make the internal admin API be automatically activated when this capability is used.
---
 group_vars/matrix_servers | 2 ++
 roles/custom/matrix-bot-draupnir/defaults/main.yml | 7 +++++++
 .../matrix-bot-draupnir/templates/production.yaml.j2 | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 0d14b36e7..92ab2f90b 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -2747,6 +2747,8 @@ matrix_bot_draupnir_container_image_self_build: "{{ matrix_architecture not in [
 matrix_bot_draupnir_container_network: "{{ matrix_addons_container_network }}"
+matrix_bot_draupnir_admin_api_enabled: "{{ matrix_bot_draupnir_room_hijack_enabled }}"
+
 matrix_bot_draupnir_container_additional_networks_auto: |-
 {{ ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml
index 53dd53e43..0dea1ef64 100644
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
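Review bot: The first banner pair in the new block is mislabeled: it reads "Internal Synapse Admin API (/_synapse/client)" while the router it wraps (`...-internal-client-synapse-client-api`) matches `PathPrefix(`/_synapse/client`)`, which is Synapse's non-admin client-server extension namespace, not the Admin API. Because one flag (`..._internal_client_synapse_admin_api_enabled`) now opens both prefixes on the internal entrypoint, a reader cannot tell whether the `/_synapse/client` router is deliberate; rename those banners to `# Internal Synapse Client API (/_synapse/client) #` and add a `#` comment above the rule stating which Draupnir feature needs that prefix internally, or put it under its own flag. The entrypoint `matrix-internal-matrix-client-api` is hard-coded in both routers, whereas the other sections of this playbook appear to take entrypoints from `*_traefik_entrypoints` variables (see the federation variables in group_vars), so a variable would keep the sections consistent and overridable. The enclosing template continues on both sides of this hunk.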
@@ -75,6 +75,13 @@ matrix_bot_draupnir_raw_homeserver_url: ""
 # Its Exposed here because its common enough to be valid to expose.
 matrix_bot_draupnir_disable_server_acl: "false"
+# Used to control if the Synapse Admin API is exposed internally to the containers and therefore giving Draupnir Access.
+matrix_bot_draupnir_admin_api_enabled: ""
+
+# Controls if the draupnir room hijack command is activated or not. This also automatically enables the internal admin API
+# in the process of activation.
+matrix_bot_draupnir_room_hijack_enabled: "false"
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
index b4d3a0bcc..fc0d1fbc6 100644
--- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
+++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
@@ -138,7 +138,7 @@ admin:
 # (with enough permissions) to "make" a user an admin.
 #
 # This only works if a local user with enough admin permissions is present in the room.
- enableMakeRoomAdminCommand: false
+ enableMakeRoomAdminCommand: {{ matrix_bot_draupnir_room_hijack_enabled | to_json }}
 # Misc options for command handling and commands
 commands:

From 9d24643a8f3b77ee5f4c8f8915b0889e0c84f19f Mon Sep 17 00:00:00 2001
From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com>
Date: Tue, 2 Jul 2024 20:55:21 +0200
Subject: [PATCH 3/3] Apply suggestions from code review

Co-authored-by: Slavi Pantaleev
---
 roles/custom/matrix-bot-draupnir/defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml
index 0dea1ef64..45bc37a15 100644
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
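Review bot: The comment on `matrix_bot_draupnir_admin_api_enabled` understates what the flag does: the labels it turns on (PATCH 1/3, labels.j2) route `/_synapse/admin` and `/_synapse/client` on the internal Traefik entrypoint, so those endpoints become reachable from any container attached to that network, not only Draupnir, and the variable is derived in group_vars rather than set directly. Make both points explicit so an operator can weigh the exposure, e.g. `# Exposes the Synapse Admin API (/_synapse/admin, plus /_synapse/client) on the internal Traefik entrypoint, reachable by every container on that network, not just Draupnir.` followed by `# group_vars derives this from matrix_bot_draupnir_room_hijack_enabled; set it explicitly only if another Draupnir feature needs the Admin API.`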
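Review bot: `enableMakeRoomAdminCommand: {{ matrix_bot_draupnir_room_hijack_enabled | to_json }}` serialises whatever type the variable holds, so an override written as a string (`"true"`, `"yes"`) renders as a quoted string in production.yaml and Draupnir receives a string where it expects a boolean; at this commit the role default itself is the string `"false"`. Coerce before serialising so the emitted value is always a real boolean: `enableMakeRoomAdminCommand: {{ matrix_bot_draupnir_room_hijack_enabled | bool | to_json }}`. The `admin:` mapping this line belongs to starts outside the hunk.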
@@ -76,11 +76,11 @@ matrix_bot_draupnir_raw_homeserver_url: ""
 matrix_bot_draupnir_disable_server_acl: "false"
 # Used to control if the Synapse Admin API is exposed internally to the containers and therefore giving Draupnir Access.
-matrix_bot_draupnir_admin_api_enabled: ""
+matrix_bot_draupnir_admin_api_enabled: false
 # Controls if the draupnir room hijack command is activated or not. This also automatically enables the internal admin API
 # in the process of activation.
-matrix_bot_draupnir_room_hijack_enabled: "false"
+matrix_bot_draupnir_room_hijack_enabled: false
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.