diff --git a/roles/custom/matrix-continuwuity/defaults/main.yml b/roles/custom/matrix-continuwuity/defaults/main.yml
index 24c3481e9..fe45f56d7 100644
--- a/roles/custom/matrix-continuwuity/defaults/main.yml
+++ b/roles/custom/matrix-continuwuity/defaults/main.yml
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2026 Catalan Lover
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@@ -190,7 +191,9 @@ matrix_continuwuity_config_turn_password: ''
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_continuwuity_self_check_validate_certificates: true
-# If set, registration will require Google ReCAPTCHA verification.
+# Configuring both of these settings makes registration require Google ReCAPTCHA verification.
+# Both must be set together (or both left empty). Setting only one of them is a configuration error.
+# When both are set, ReCAPTCHA gets enabled automatically (see `matrix_continuwuity_recaptcha_enabled` in `vars/main.yml`).
 matrix_continuwuity_config_recaptcha_site_key: ''
 matrix_continuwuity_config_recaptcha_private_site_key: ''
diff --git a/roles/custom/matrix-continuwuity/tasks/validate_config.yml b/roles/custom/matrix-continuwuity/tasks/validate_config.yml
index 44ae541d9..777f12387 100644
--- a/roles/custom/matrix-continuwuity/tasks/validate_config.yml
+++ b/roles/custom/matrix-continuwuity/tasks/validate_config.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Catalan Lover
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@@ -36,3 +37,11 @@
 - {'old': 'matrix_continuwuity_docker_image_registry_prefix_upstream', 'new': 'matrix_continuwuity_container_image_registry_prefix_upstream'}
 - {'old': 'matrix_continuwuity_docker_image_registry_prefix_upstream_default', 'new': 'matrix_continuwuity_container_image_registry_prefix_upstream_default'}
 - {'old': 'matrix_continuwuity_container_image_force_pull', 'new': ' (the new community.docker.docker_image_pull module handles this natively)'}
+
+- name: Fail if Continuwuity ReCAPTCHA is only partially configured
+ ansible.builtin.fail:
+ msg: >-
+ You have configured only one of `matrix_continuwuity_config_recaptcha_site_key` and
+ `matrix_continuwuity_config_recaptcha_private_site_key`. Configure both to enable ReCAPTCHA
+ registration, or leave both empty to disable it.
+ when: "(matrix_continuwuity_config_recaptcha_site_key | string | length > 0) != (matrix_continuwuity_config_recaptcha_private_site_key | string | length > 0)"
diff --git a/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2 b/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2
index 14cfa6981..a7ffb3821 100644
--- a/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2
+++ b/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2
@@ -2,6 +2,7 @@
 SPDX-FileCopyrightText: 2025 MDAD project contributors
 SPDX-FileCopyrightText: 2025 Slavi Pantaleev
 SPDX-FileCopyrightText: 2025 Suguru Hirahara
+SPDX-FileCopyrightText: 2026 Catalan Lover
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@@ -490,6 +491,7 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 #
 #registration_token_file =
+{% if matrix_continuwuity_recaptcha_enabled %}
 # The public site key for reCaptcha. If this is provided, reCaptcha
 # becomes required during registration. If both captcha *and*
 # registration token are enabled, both will be required during
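Review bot: The `when:` of the new fail task treats a key as set whenever `| string | length > 0` holds, so a value of YAML null (a bare `key:` or `~`) is probably stringified to a non-empty word, and a whitespace-only value also counts as configured. The same predicate is repeated in `matrix_continuwuity_recaptcha_enabled` in the `vars/main.yml` hunk, where two such values would turn the flag on and render keys that are not real keys. Normalising each operand first, for example `(matrix_continuwuity_config_recaptcha_site_key | default('', true) | string | trim | length > 0)`, in both places would keep the validation and the flag in agreement. The failure message names only the variables and does not print the private key, which is worth preserving.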
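Review bot: The `{% if matrix_continuwuity_recaptcha_enabled %}` guard added before the reCaptcha comment block drops both keys whenever the flag is false, so a host with only one key set would get a rendered config with no CAPTCHA on registration rather than an error; that is safe only as long as the check in `tasks/validate_config.yml` has run first. Nothing in this hunk shows whether validation is always executed (for example under tag-limited runs), so that is worth confirming. A short template comment at the guard would record the dependency, e.g. `{# Rendered only when both keys are set; partial configuration is rejected in tasks/validate_config.yml. #}`. The guarded block closes with `{% endif %}` in the following hunk, outside this one.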
@@ -509,6 +511,7 @@ recaptcha_site_key = {{ matrix_continuwuity_config_recaptcha_site_key | to_json
 # even if `recaptcha_site_key` is set.
 #
 recaptcha_private_site_key = {{ matrix_continuwuity_config_recaptcha_private_site_key | to_json }}
+{% endif %}
 # Controls whether encrypted rooms and events are allowed.
 #
diff --git a/roles/custom/matrix-continuwuity/vars/main.yml b/roles/custom/matrix-continuwuity/vars/main.yml
index d51a37c72..900935924 100644
--- a/roles/custom/matrix-continuwuity/vars/main.yml
+++ b/roles/custom/matrix-continuwuity/vars/main.yml
@@ -1,9 +1,15 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2026 Catalan Lover
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 ---
+# Continuwuity has no dedicated "enable ReCAPTCHA" setting. It enables ReCAPTCHA registration based on the
+# presence of a recaptcha private site key, so we only render the keys when both have been configured.
+# This avoids rendering empty keys, which would otherwise enable a broken ReCAPTCHA flow.
+matrix_continuwuity_recaptcha_enabled: "{{ matrix_continuwuity_config_recaptcha_site_key | string | length > 0 and matrix_continuwuity_config_recaptcha_private_site_key | string | length > 0 }}"
+
 matrix_continuwuity_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}/_matrix/client/versions"
 matrix_continuwuity_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"