From 42c173c0b372ea62b2f94a1de391d5c24a988929 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 28 Jun 2026 20:17:47 +0300
Subject: [PATCH] mautrix-meta-messenger: expose bridge HTTP API (for mautrix-manager and similar)
Auto-generate the provisioning shared secret (to enable the provisioning API), route the whole bridge HTTP port via Traefik under `/bridges/meta-messenger`, and populate appservice.public_address, reusing the matrix_bridges_exposure_* mechanism. The labels template gate is widened so the exposure router is emitted even when metrics are disabled (the exposure router reuses the existing appservice Traefik service on port 29319).
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 group_vars/matrix_servers | 6 +++
 .../defaults/main.yml | 21 +++++++++++
 .../templates/config.yaml.j2 | 2 +-
 .../templates/labels.j2 | 37 ++++++++++++++++++-
 4 files changed, 64 insertions(+), 2 deletions(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 82591bc4c..5f5137547 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1899,6 +1899,7 @@ matrix_mautrix_meta_messenger_appservice_token: "{{ (matrix_homeserver_generic_s
 matrix_mautrix_meta_messenger_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_meta_messenger_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':mau.meta.fb.hs') | hash('sha512') | to_uuid }}"
+matrix_mautrix_meta_messenger_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.meta.fb.prov') | hash('sha512') | to_uuid }}"
 matrix_mautrix_meta_messenger_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
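Review bot: The new `matrix_mautrix_meta_messenger_provisioning_shared_secret` is derived from the same `matrix_homeserver_generic_secret_key` as the `hs` token on the line above it, with only the `:mau.meta.fb.prov` suffix providing domain separation, so that suffix has to stay unique across all derived secrets in the playbook — a copy-pasted suffix in a sibling bridge role would silently yield the same secret for two services. Per the commit message this value is what turns the provisioning API on, and the labels.j2 hunk in this patch routes that API to a public entrypoint, so a one-line comment above it would make the consequence visible, e.g. `# Enables the provisioning API (bridge logins); reachable publicly once matrix_mautrix_meta_messenger_exposure_enabled is set.`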
@@ -1917,6 +1918,11 @@ matrix_mautrix_meta_messenger_metrics_proxying_enabled: "{{ matrix_mautrix_meta_
 matrix_mautrix_meta_messenger_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_meta_messenger_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-meta-messenger"
+matrix_mautrix_meta_messenger_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_mautrix_meta_messenger_exposure_enabled: "{{ matrix_bridges_exposure_enabled }}"
+matrix_mautrix_meta_messenger_exposure_hostname: "{{ matrix_bridges_exposure_hostname }}"
+matrix_mautrix_meta_messenger_exposure_path_prefix: "{{ matrix_bridges_exposure_path_prefix }}/meta-messenger"
+
 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
 matrix_mautrix_meta_messenger_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite3-fk-wal' }}"
diff --git a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
index 8e8a454a5..d212f0241 100644
--- a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
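Review bot: The exposure path `{{ matrix_bridges_exposure_path_prefix }}/meta-messenger` drops the `mautrix-` part that the metrics path two lines above (`.../mautrix-meta-messenger`) keeps, so the same bridge is published under two differently spelled names. If the short form is deliberate (the commit message names `/bridges/meta-messenger` explicitly), a comment on that line would keep the next bridge role from choosing either form at random, e.g. `# Deliberately shorter than the metrics path; keep the naming in sync with the other bridge roles.`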
@@ -63,6 +63,15 @@ matrix_mautrix_meta_messenger_container_labels_metrics_middleware_basic_auth_ena
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_meta_messenger_container_labels_metrics_middleware_basic_auth_users: ''
+# Controls whether labels will be added that expose mautrix-meta-messenger's HTTP API
+# (used by tools like mautrix-manager for bridge login) at `https://`.
+matrix_mautrix_meta_messenger_container_labels_exposure_enabled: "{{ matrix_mautrix_meta_messenger_exposure_enabled }}"
+matrix_mautrix_meta_messenger_container_labels_exposure_traefik_rule: "Host(`{{ matrix_mautrix_meta_messenger_exposure_hostname }}`) && PathPrefix(`{{ matrix_mautrix_meta_messenger_exposure_path_prefix }}`)"
+matrix_mautrix_meta_messenger_container_labels_exposure_traefik_priority: 0
+matrix_mautrix_meta_messenger_container_labels_exposure_traefik_entrypoints: "{{ matrix_mautrix_meta_messenger_container_labels_traefik_entrypoints }}"
+matrix_mautrix_meta_messenger_container_labels_exposure_traefik_tls: "{{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_entrypoints != 'web' }}"
+matrix_mautrix_meta_messenger_container_labels_exposure_traefik_tls_certResolver: "{{ matrix_mautrix_meta_messenger_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+
 # matrix_mautrix_meta_messenger_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
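Review bot: The second comment line ends in an incomplete URL (`at `https://`.`), which reads as if text was lost; it should say where the API is published, e.g. `# (used by tools like mautrix-manager for bridge login) at https://<matrix_mautrix_meta_messenger_exposure_hostname><matrix_mautrix_meta_messenger_exposure_path_prefix>.` The comment should also state that `matrix_mautrix_meta_messenger_container_labels_exposure_traefik_rule` matches the entire bridge HTTP port under that prefix rather than only the provisioning endpoints, since that is what the labels.j2 hunk of this patch routes to port 29319 — operators enabling this are publishing more than a login API. Note that the rule is rendered with `matrix_mautrix_meta_messenger_exposure_hostname`, which defaults to `''` later in this file, so there is nothing here that rejects an empty host when exposure is enabled.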
@@ -123,6 +132,13 @@ matrix_mautrix_meta_messenger_homeserver_token: ''
 matrix_mautrix_meta_messenger_appservice_address: "http://{{ matrix_mautrix_meta_messenger_identifier }}:29319"
+# Scheme of the bridge's public address (see `matrix_mautrix_meta_messenger_bridge_public_address`).
+matrix_mautrix_meta_messenger_scheme: https
+
+# The public base URL at which this bridge's HTTP API is reachable from outside (when exposed).
+# Used for the provisioning API's external-server (OpenID) flow and for public media links.
+matrix_mautrix_meta_messenger_bridge_public_address: "{{ (matrix_mautrix_meta_messenger_scheme + '://' + matrix_mautrix_meta_messenger_exposure_hostname + matrix_mautrix_meta_messenger_exposure_path_prefix) if matrix_mautrix_meta_messenger_exposure_enabled else '' }}"
+
 matrix_mautrix_meta_messenger_appservice_id: "{{ matrix_mautrix_meta_messenger_meta_mode }}"
 matrix_mautrix_meta_messenger_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
@@ -182,6 +198,11 @@ matrix_mautrix_meta_messenger_metrics_proxying_enabled: false
 matrix_mautrix_meta_messenger_metrics_proxying_hostname: ''
 matrix_mautrix_meta_messenger_metrics_proxying_path_prefix: ''
+# Controls whether mautrix-meta-messenger's HTTP API is exposed publicly (used by tools like mautrix-manager for bridge login).
+matrix_mautrix_meta_messenger_exposure_enabled: false
+matrix_mautrix_meta_messenger_exposure_hostname: ''
+matrix_mautrix_meta_messenger_exposure_path_prefix: ''
+
 matrix_mautrix_meta_messenger_bridge_username_prefix: |-
 {{ ({
diff --git a/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2
index 2af47d5f8..dd870af45 100644
--- a/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2
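Review bot: `matrix_mautrix_meta_messenger_bridge_public_address` is plain string concatenation, so with `matrix_mautrix_meta_messenger_exposure_enabled: true` and the hostname left at the `''` default introduced in the second hunk of this file it renders as `https://`, while the Traefik rule in the earlier hunk renders as `Host(``)` — neither is caught here. If the role has a validate_config task, a check that `matrix_mautrix_meta_messenger_exposure_hostname` is non-empty whenever exposure is enabled would fail the run early; otherwise the comment on `matrix_mautrix_meta_messenger_exposure_enabled` should say that hostname and path prefix must be set together with it. The same applies to `matrix_mautrix_meta_messenger_exposure_path_prefix`, which is also used as the stripprefix value in labels.j2 and becomes an empty prefix when unset.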
@@ -197,7 +197,7 @@ appservice:
 address: {{ matrix_mautrix_meta_messenger_appservice_address | to_json }}
 # A public address that external services can use to reach this appservice.
 # This value doesn't affect the registration file.
- public_address: https://bridge.example.com
+ public_address: {{ matrix_mautrix_meta_messenger_bridge_public_address | to_json }}
 # The hostname and port where this appservice should listen.
 # For Docker, you generally have to change the hostname to 0.0.0.0.
diff --git a/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/labels.j2
index 21946df81..722729732 100644
--- a/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/labels.j2
+++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/labels.j2
@@ -4,15 +4,19 @@ SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
-{% if matrix_mautrix_meta_messenger_container_labels_traefik_enabled and matrix_mautrix_meta_messenger_container_labels_metrics_enabled %}
+{% if matrix_mautrix_meta_messenger_container_labels_traefik_enabled and (matrix_mautrix_meta_messenger_container_labels_metrics_enabled or matrix_mautrix_meta_messenger_container_labels_exposure_enabled) %}
 traefik.enable=true
 {% if matrix_mautrix_meta_messenger_container_labels_traefik_docker_network %}
 traefik.docker.network={{ matrix_mautrix_meta_messenger_container_labels_traefik_docker_network }}
 {% endif %}
+{% if matrix_mautrix_meta_messenger_container_labels_exposure_enabled %}
 traefik.http.services.{{ matrix_mautrix_meta_messenger_identifier }}-appservice.loadbalancer.server.port=29319
+{% endif %}
+{% if matrix_mautrix_meta_messenger_container_labels_metrics_enabled %}
 traefik.http.services.{{ matrix_mautrix_meta_messenger_identifier }}-metrics.loadbalancer.server.port=8000
+{% endif %}
 {% if matrix_mautrix_meta_messenger_container_labels_metrics_enabled %}
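Review bot: With exposure disabled, `public_address` now renders as `""` (the `| to_json` of the empty-string fallback in `matrix_mautrix_meta_messenger_bridge_public_address`), where the example config previously carried a placeholder URL; whether the bridge tolerates an empty `appservice.public_address` for the features that read it cannot be verified from this diff. A comment above the line would make the conditional emptiness explicit for whoever next reads the rendered config, e.g. `# Empty unless matrix_mautrix_meta_messenger_exposure_enabled is set.`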
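Review bot: The new `{% if matrix_mautrix_meta_messenger_container_labels_metrics_enabled %}` / `{% endif %}` around the `-metrics` service line is immediately followed by the pre-existing `{% if matrix_mautrix_meta_messenger_container_labels_metrics_enabled %}` that opens the metrics router section, so the same condition is tested twice back to back. Moving the `traefik.http.services.{{ matrix_mautrix_meta_messenger_identifier }}-metrics.loadbalancer.server.port=8000` line into that existing block and dropping the added pair keeps service and router definitions for metrics together and avoids the duplicated gate. The widened outer condition itself looks right, since the exposure router later in this file uses the `-appservice` service that is now emitted under the exposure gate.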
@@ -48,6 +52,37 @@ traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-metrics.tls.
 ############################################################
 {% endif %}
+{% if matrix_mautrix_meta_messenger_container_labels_exposure_enabled %}
+############################################################
+# #
+# Bridge API exposure #
+# #
+############################################################
+
+traefik.http.middlewares.{{ matrix_mautrix_meta_messenger_identifier }}-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_meta_messenger_exposure_path_prefix }}
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.middlewares={{ matrix_mautrix_meta_messenger_identifier }}-exposure-strip-prefix
+
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.rule={{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_meta_messenger_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.priority={{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.service={{ matrix_mautrix_meta_messenger_identifier }}-appservice
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.entrypoints={{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.tls={{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_meta_messenger_container_labels_exposure_traefik_tls %}
+traefik.http.routers.{{ matrix_mautrix_meta_messenger_identifier }}-exposure.tls.certResolver={{ matrix_mautrix_meta_messenger_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+# #
+# /Bridge API exposure #
+# #
+############################################################
+{% endif %}
+
 {% endif %}
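Review bot: The `-exposure` router's rule plus the stripprefix middleware forward every path under `matrix_mautrix_meta_messenger_exposure_path_prefix` to the `-appservice` service on port 29319, so the bridge's appservice-side endpoints (the transaction API the homeserver pushes events to) become reachable from the public entrypoint alongside the provisioning API, protected only by the bridge's own bearer-token checks. If mautrix-manager only needs the provisioning API, the default rule in `defaults/main.yml` could be narrowed by appending the provisioning prefix (`/_matrix/provision`) to the path inside the `PathPrefix(...)` matcher, which the stripprefix here would still handle; if whole-port exposure is intended, the comment on `matrix_mautrix_meta_messenger_container_labels_exposure_enabled` should say so, so operators know what they are publishing. The final `{% endif %}` closes the outer `{% if %}` opened in the earlier hunk of this file.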