Merge branch 'master' into pub.solar

This commit is contained in:
teutat3s 2020-08-30 18:39:04 +02:00
commit 2ebf62a771
Signed by: teutat3s
GPG key ID: 18DAE600A6BBE705
53 changed files with 1227 additions and 145 deletions

View file

@ -1,3 +1,30 @@
# 2020-08-21
## rust-synapse-compress-state support
The playbook can now help you use [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) to compress the state groups in your Synapse database.
See our [Compressing state with rust-synapse-compress-state](docs/maintenance-synapse.md#compressing-state-with-rust-synapse-compress-state) documentation page to get started.
# 2020-07-22
## Synapse Admin support
The playbook can now help you set up [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin).
See our [Setting up Synapse Admin](docs/configuring-playbook-synapse-admin.md) documentation to get started.
# 2020-07-20
## matrix-reminder-bot support
The playbook can now help you set up [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot).
See our [Setting up matrix-reminder-bot](docs/configuring-playbook-bot-matrix-reminder-bot.md) documentation to get started.
# 2020-07-17
## (Compatibility Break) Riot is now Element

View file

@ -68,6 +68,10 @@ Using this playbook, you can get the following services configured on your serve
- (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform
- (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms
- (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server
Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.
**Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.
@ -83,7 +87,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM
- this one installs and hooks together **a lot more Matrix-related services** for you (see above)
- this one **can be re-ran many times** without causing trouble
- this one **can be executed more than once** without causing trouble
- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+), **Archlinux**
@ -158,15 +162,15 @@ This playbook sets up your server using the following Docker images:
- [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) - the [matrix-sms-brdige](https://github.com/benkuly/matrix-sms-bridge) (optional)
- [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional)
- [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https://www.skype.com) (optional)
- [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https:/slack.com) (optional)
- [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https://slack.com) (optional)
- [sorunome/mx-puppet-instagram](https://hub.docker.com/r/sorunome/mx-puppet-instagram) - the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge to [Instagram](https://www.instagram.com) (optional)
- [sorunome/mx-puppet-twitter](https://hub.docker.com/r/sorunome/mx-puppet-twitter) - the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge to [Twitter](https://twitter.com) (optional)
- [sorunome/mx-puppet-discord](https://hub.docker.com/r/sorunome/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Discord](https:/discordapp.com) (optional)
- [sorunome/mx-puppet-discord](https://hub.docker.com/r/sorunome/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Discord](https://discordapp.com) (optional)
- [icewind1991/mx-puppet-steam](https://hub.docker.com/r/icewind1991/mx-puppet-steam) - the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge to [Steam](https://steampowered.com) (optional)
@ -180,6 +184,10 @@ This playbook sets up your server using the following Docker images:
- [jitsi/jvb](https://hub.docker.com/r/jitsi/jvb) - the [Jitsi](https://jitsi.org/) Video Bridge component (optional)
- [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional)
- [awesometechnologies/synapse-admin](https://hub.docker.com/r/awesometechnologies/synapse-admin) - the [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) web UI tool for administrating users and rooms on your Matrix server (optional)
## Deficiencies

View file

@ -14,7 +14,7 @@ Usually, there are 2 options:
This documentation page tells you how to do the latter. With some easy changes, we make it possible to serve the base domain from the Matrix server via the integrated webserver (`matrix-nginx-proxy`).
Just **adjust your DNS records**, so that your base domain is pointed to the Matrix server's IP address **and use the following configuration**:
Just **adjust your DNS records**, so that your base domain is pointed to the Matrix server's IP address (using a DNS `A` record) **and then use the following configuration**:
```yaml
matrix_nginx_proxy_base_domain_serving_enabled: true

View file

@ -0,0 +1,59 @@
# Setting up matrix-reminder-bot (optional)
The playbook can install and configure [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for you.
It's a bot you can use to **schedule one-off & recurring reminders and alarms**.
See the project's [documentation](https://github.com/anoadragon453/matrix-reminder-bot#usage) to learn what it does and why it might be useful to you.
## Registering the bot user
By default, the playbook will set up the bot with a username like this: `@bot.matrix-reminder-bot:DOMAIN`.
(to use a different username, adjust the `matrix_bot_matrix_reminder_bot_matrix_user_id_localpart` variable).
You **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md):
```
ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.matrix-reminder-bot password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
```
Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
```yaml
matrix_bot_matrix_reminder_bot_enabled: true
# Adjust this to whatever password you chose when registering the bot user
matrix_bot_matrix_reminder_bot_matrix_user_password: PASSWORD_FOR_THE_BOT
# Adjust this to your timezone
matrix_bot_matrix_reminder_bot_reminders_timezone: Europe/London
```
## Installing
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
To use the bot, start a chat with `@bot.matrix-reminder-bot:DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
You can also add the bot to any existing Matrix room (`/invite @bot.matrix-reminder-bot:DOMAIN`).
Basic usage is like this: `!remindme in 2 minutes; This is a test`
Send `!help commands` to the room to see the bot's help menu for additional commands.
You can also refer to the upstream [Usage documentation](https://github.com/anoadragon453/matrix-reminder-bot#usage).

View file

@ -6,7 +6,7 @@ If that's okay, you can skip this document.
## Disabling Element
If you'd like for the playbook to not install (or to uninstall the previously installed Element), you can disable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
If you'd like for the playbook to not install Element (or to uninstall it if it was previously installed), you can disable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_client_element_enabled: false

View file

@ -37,7 +37,8 @@ We recommend that you create a dedicated Matrix user for Dimension (`dimension`
Follow our [Registering users](registering-users.md) guide to learn how to register **a regular (non-admin) user**.
You are required to specify an access token (belonging to this new user) for Dimension to work.
To get an access token for the Dimension user, follow these steps:
To get an access token for the Dimension user, you can follow one of two options:
*Through an interactive login*:
1. In a private browsing session (incognito window), open Element.
2. Log in with the `dimension` user and its password.
@ -46,6 +47,17 @@ To get an access token for the Dimension user, follow these steps:
3. Copy the highlighted text to your configuration.
4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.
*With CURL*
```
curl -X POST --header 'Content-Type: application/json' -d '{
"identifier": { "type": "m.id.user", "user": "YourDimensionUsername" },
"password": "YourDimensionPassword",
"type": "m.login.password"
}' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login'
```
*Change the "YourDimensionUser/Pass" URL accordigly*
**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**
Add access token to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):

View file

@ -6,6 +6,17 @@ This server is private by default, potentially at the expense of user discoverab
ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.
## Disabling ma1sd
ma1sd, being an Identity Server, is not strictly needed. It is only used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features).
If you'd like for the playbook to not install ma1sd (or to uninstall it if it was previously installed), you can disable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_ma1sd_enabled: false
```
## Matrix.org lookup forwarding
To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information).
@ -90,6 +101,22 @@ matrix_ma1sd_configuration_extension_yaml: |
number: '+<msisdn-number>'
```
## Example: Open Registration for every Domain
If you want to open registration for any domain, you have to setup the allowed domains with ma1sd's `blacklist` and `whitelist`. The default behavior when neither the `blacklist`, nor the `whitelist` match, is to allow registration. Beware: you can't block toplevel domains (aka `.xy`) because the internal architecture of ma1sd doesn't allow that.
```yaml
matrix_ma1sd_configuration_extension_yaml: |
register:
policy:
allowed: true
threepid:
email:
domain:
blacklist: ~
whitelist: ~
```
## Troubleshooting
If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md).

View file

@ -15,9 +15,15 @@ If you decide that you'd like to let this playbook install it for you, you'd nee
## Playbook configuration
You would then need some configuration like this:
```yaml
# The Shared Secret Auth password provider module is required for Corporal to work.
# See configuring-playbook-shared-secret-auth.md
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
matrix_corporal_enabled: true
matrix_corporal_policy_provider_config: |

View file

@ -25,7 +25,7 @@ There are a few options for handling this:
- (**avoiding changes** - using the old `riot.DOMAIN` domain and avoiding DNS changes) -- to keep using `riot.DOMAIN` instead of `element.DOMAIN`, override the domain at which the playbook serves Element: `matrix_server_fqn_element: "riot.{{ matrix_domain }}"`
- (**embracing changes** - using only `element.DOMAIN`) - set up the `element.DOMAIN` DNS record (see [Configuring DNS](configuring-dns.md)). You can drop the `riot.DOMAIN` in this case. If so, you may also wish to remove old SSL certificates (`rm -rf /matrix/ssl/config/live/riot.DOMAIN`), so that `certbot` would stop trying to renew them.
- (**embracing changes** - using only `element.DOMAIN`) - set up the `element.DOMAIN` DNS record (see [Configuring DNS](configuring-dns.md)). You can drop the `riot.DOMAIN` in this case. If so, you may also wish to remove old SSL certificates (`rm -rf /matrix/ssl/config/live/riot.DOMAIN`) and renewal configuration (`rm -f /matrix/ssl/config/renewal/riot.DOMAIN.conf`), so that `certbot` would stop trying to renew them.
- (**embracing changes and transitioning smoothly** - using both `element.DOMAIN` and `riot.DOMAIN`) - to serve Element at the new domain (`element.DOMAIN`) and to also have `riot.DOMAIN` redirect there - set up the `element.DOMAIN` DNS record (see [Configuring DNS](configuring-dns.md)) and enable Riot to Element redirection (`matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true`).

View file

@ -28,6 +28,8 @@ If self-signed certificates are alright with you, you can ask the playbook to ge
matrix_ssl_retrieval_method: self-signed
```
If you get a `Cannot reach homeserver` error in Element, you will have to visit `https://matrix.<your-domain>` in your browser and agree to the certificate exception before you can login.
## Using your own SSL certificates

View file

@ -0,0 +1,62 @@
# Setting up Synapse Admin (optional)
The playbook can install and configure [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) for you.
It's a web UI tool you can use to **administrate users and rooms on your Matrix server**.
See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
```yaml
matrix_synapse_admin_enabled: true
```
## Installing
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
After installation, Synapse Admin will be accessible at: `https://matrix.DOMAIN/synapse-admin/`
To use Synapse Admin, you need to have [registered at least one administrator account](registering-users.md) on your server.
The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN`
### Sample configuration for running behind Traefik 2.0
Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy.
This an extension to Traefik config sample in [own-webserver-documentation](./configuring-playbook-own-webserver.md).
```yaml
# Don't bind any HTTP or federation port to the host
# (Traefik will proxy directly into the containers)
matrix_synapse_admin_container_http_host_bind_port: ""
matrix_synapse_admin_container_extra_arguments:
# May be unnecessary depending on Traefik config, but can't hurt
- '--label "traefik.enable=true"'
# The Synapse Admin container will only receive traffic from this subdomain and path
- '--label "traefik.http.routers.matrix-synapse-admin.rule=(Host(`{{ matrix_server_fqn_matrix }}`) && Path(`{{matrix_synapse_admin_public_endpoint}}`))"'
# (Define your entrypoint)
- '--label "traefik.http.routers.matrix-synapse-admin.entrypoints=web-secure"'
# (The 'default' certificate resolver must be defined in Traefik config)
- '--label "traefik.http.routers.matrix-synapse-admin.tls.certResolver=default"'
# The Synapse Admin container uses port 80 by default
- '--label "traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80"'
```

View file

@ -16,3 +16,8 @@ Alternatively, **if there is no pre-defined variable** for a Synapse setting you
- or, you can **extend and override the default configuration** ([`homeserver.yaml.j2`](../roles/matrix-synapse/templates/synapse/homeserver.yaml.j2)) by making use of the `matrix_synapse_configuration_extension_yaml` variable. You can find information about this in [`roles/matrix-synapse/defaults/main.yml`](../roles/matrix-synapse/defaults/main.yml).
- or, if extending the configuration is still not powerful enough for your needs, you can **override the configuration completely** using `matrix_synapse_configuration` (or `matrix_synapse_configuration_yaml`). You can find information about this in [`roles/matrix-synapse/defaults/main.yml`](../roles/matrix-synapse/defaults/main.yml).
## Synapse Admin
Certain Synapse administration tasks (managing users and rooms, etc.) can be performed via a web user-interace, if you install [Synapse Admin](configuring-playbook-synapse-admin.md).

View file

@ -68,6 +68,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
### Authentication and user-related
- [Setting up Synapse Admin](configuring-playbook-synapse-admin.md) (optional)
- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional, advanced)
- [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional, advanced)
@ -112,3 +114,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional)
- [Setting up Matrix SMS bridging](configuring-playbook-matrix-bridge-sms.md) (optional)
### Bots
- [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) (optional)

View file

@ -22,6 +22,8 @@ If you are using an [external Postgres server](configuring-playbook-external-pos
## Vacuuming PostgreSQL
Deleting lots data from Postgres does not make it release disk space, until you perform a `VACUUM` operation.
To perform a `FULL` Postgres [VACUUM](https://www.postgresql.org/docs/current/sql-vacuum.html), run the playbook with `--tags=run-postgres-vacuum`.
Example:
@ -42,7 +44,7 @@ docker run \
--rm \
--network=matrix \
--env-file=/matrix/postgres/env-postgres-psql \
postgres:12.1-alpine \
postgres:12.4-alpine \
pg_dumpall -h matrix-postgres \
| gzip -c \
> /postgres.sql.gz

View file

@ -9,14 +9,54 @@ Table of contents:
- [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api), for when you wish to delete in-use (but old) data from the Synapse database
- [Synapse maintenance](#synapse-maintenance)
- [Purging unused data with synapse-janitor](#purging-unused-data-with-synapse-janitor)
- [Vacuuming Postgres](#vacuuming-postgres)
- [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api)
- [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state)
- [Purging unused data with synapse-janitor](#purging-unused-data-with-synapse-janitor)
- [Browse and manipulate the database](#browse-and-manipulate-the-database)
- [Browse and manipulate the database](#browse-and-manipulate-the-database), for when you really need to take matters into your own hands
## Purging old data with the Purge History API
You can use the **Purge History API** to delete in-use (but old) data.
**This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.
Synapse's [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) can be used to purge on a per-room basis.
To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element).
Alternatively, you can log in and obtain a new access token like this:
```
curl \
--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Synapse-Purge-History-API"}' \
https://matrix.DOMAIN/_matrix/client/r0/login
```
Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions.
After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql).
## Compressing state with rust-synapse-compress-state
[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse.
This tool should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first.
To ask the playbook to run rust-synapse-compress-state, execute:
```
ansible-playbook -i inventory/hosts setup.yml --tags=rust-synapse-compress-state
```
By default, all rooms with more than `100000` state group rows will be compressed.
If you need to adjust this, pass: `--extra-vars='matrix_synapse_rust_synapse_compress_state_min_state_groups_required=SOME_NUMBER_HERE'` to the command above.
After state compression, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql).
## Purging unused data with synapse-janitor
**NOTE**: There are [reports](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465) that **synapse-janitor is dangerous to use and causes database corruption**. You may wish to refrain from using it.
@ -34,50 +74,9 @@ ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-synapse-janito
**Note**: this will automatically stop Synapse temporarily and restart it later.
### Vacuuming Postgres
Running synapse-janitor potentially deletes a lot of data from the Postgres database.
However, disk space only ever gets released after a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql).
You may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql) after that.
It's easiest if you ask the playbook to run both synapse-janitor and a `VACUUM FULL` in one call:
```bash
ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-synapse-janitor,run-postgres-vacuum,start
```
**Note**: this will automatically stop Synapse temporarily and restart it later. You'll also need plenty of available disk space in your Postgres data directory (usually `/matrix/postgres/data`).
## Purging old data with the Purge History API
If [purging unused and unreachable data](#purging-unused-data-with-synapse-janitor) is not enough for you, you can start deleting in-use (but old) data.
**This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.
Synapse provides a [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) that you can use to purge on a per-room basis.
To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element).
Alternatively, you can log in and obtain a new access token like this:
```
curl \
--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Synapse-Purge-History-API"}' \
https://matrix.DOMAIN/_matrix/client/r0/login
```
Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions.
Don't forget that disk space only ever gets released after a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql) - something the playbook can help you with.
## Compressing state with rust-synapse-compress-state
[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse.
Unfortunately, at this time the playbook can't help you run this **experimental tool**.
Since it's also experimental, you may wish to stay away from it, or at least [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first.
## Browse and manipulate the database

View file

@ -35,3 +35,8 @@ The script `/usr/local/bin/matrix-change-user-admin-status` may be used to chang
```
/usr/local/bin/matrix-change-user-admin-status <username> <0/1>
```
## Managing users via a Web UI
To manage users more easily (via a web user-interace), you can install [Synapse Admin](configuring-playbook-synapse-admin.md).

View file

@ -11,6 +11,7 @@ To make use of self-building, you don't need to do anything besides change your
Note that **not all components support self-building yet**.
List of roles where self-building the Docker image is currently possible:
- `matrix-synapse`
- `matrix-synapse-admin`
- `matrix-client-element`
- `matrix-coturn`
- `matrix-ma1sd`

View file

@ -16,7 +16,7 @@
#
######################################################################
matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}"
matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}"
matrix_riot_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"
@ -516,6 +516,23 @@ matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_prov
#
######################################################################
######################################################################
#
# matrix-bot-matrix-reminder-bot
#
######################################################################
# We don't enable bots by default.
matrix_bot_matrix_reminder_bot_enabled: false
######################################################################
#
# /matrix-bot-matrix-reminder-bot
#
######################################################################
######################################################################
#
# matrix-corporal
@ -904,9 +921,6 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr
matrix_synapse_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
# When ma1sd is enabled, we can use it instead of the default public Identity servers.
matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}"
# When ma1sd is enabled, we can use it to validate email addresses and phone numbers.
# Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server.
matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}"
@ -994,3 +1008,24 @@ matrix_synapse_systemd_wanted_services_list: |
# /matrix-synapse
#
######################################################################
######################################################################
#
# matrix-synapse-admin
#
######################################################################
matrix_synapse_admin_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse Admin over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# Synapse Admin's HTTP port to the local host.
matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}"
######################################################################
#
# /matrix-synapse-admin
#
######################################################################

View file

@ -85,7 +85,7 @@ matrix_vars_yml_snapshotting_src: "{{ inventory_dir }}/host_vars/{{ inventory_ho
matrix_well_known_matrix_server_enabled: true
# Controls whether Docker is automatically installed.
# If you change this to false you must install and update Docker manually.
# If you change this to false you must install and update Docker manually. You also need to install the docker (https://pypi.org/project/docker/) Python package.
matrix_docker_installation_enabled: true
# Controls the Docker package that is installed.
@ -101,6 +101,7 @@ run_postgres_vacuum: true
run_synapse_register_user: true
run_synapse_update_user_password: true
run_synapse_import_media_store: true
run_synapse_rust_synapse_compress_state: true
run_setup: true
run_self_check: true
run_start: true

View file

@ -3,11 +3,26 @@
- include_tasks: "{{ role_path }}/tasks/server_base/setup_centos.yml"
when: ansible_distribution == 'CentOS'
- include_tasks: "{{ role_path }}/tasks/server_base/setup_debian.yml"
when: (ansible_os_family == 'Debian') and (ansible_lsb.id != 'Raspbian')
- block:
# ansible_lsb is only available if lsb-release is installed.
- name: Ensure lsb-release installed
apt:
name:
- lsb-release
state: present
update_cache: yes
register: lsb_release_installation_result
- include_tasks: "{{ role_path }}/tasks/server_base/setup_raspbian.yml"
when: (ansible_os_family == 'Debian') and (ansible_lsb.id == 'Raspbian')
- name: Reread ansible_lsb facts if lsb-release got installed
setup: filter=ansible_lsb*
when: lsb_release_installation_result.changed
- include_tasks: "{{ role_path }}/tasks/server_base/setup_debian.yml"
when: (ansible_os_family == 'Debian') and (ansible_lsb.id != 'Raspbian')
- include_tasks: "{{ role_path }}/tasks/server_base/setup_raspbian.yml"
when: (ansible_os_family == 'Debian') and (ansible_lsb.id == 'Raspbian')
when: ansible_os_family == 'Debian'
- include_tasks: "{{ role_path }}/tasks/server_base/setup_archlinux.yml"
when: ansible_distribution == 'Archlinux'

View file

@ -5,7 +5,7 @@
name:
- apt-transport-https
- ca-certificates
- gpg
- gnupg
state: present
update_cache: yes

View file

@ -0,0 +1,64 @@
# matrix-reminder-bot is a bot for one-off and recurring reminders
# See: https://github.com/anoadragon453/matrix-reminder-bot
matrix_bot_matrix_reminder_bot_enabled: true
matrix_bot_matrix_reminder_bot_docker_image: "anoa/matrix-reminder-bot:release-0.1.0"
matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"
matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"
matrix_bot_matrix_reminder_bot_config_path: "{{ matrix_bot_matrix_reminder_bot_base_path }}/config"
matrix_bot_matrix_reminder_bot_data_path: "{{ matrix_bot_matrix_reminder_bot_base_path }}/data"
matrix_bot_matrix_reminder_bot_data_store_path: "{{ matrix_bot_matrix_reminder_bot_data_path }}/store"
# A list of extra arguments to pass to the container
matrix_bot_matrix_reminder_bot_container_extra_arguments: []
# List of systemd services that matrix-bot-matrix-reminder-bot.service depends on
matrix_bot_matrix_reminder_bot_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-bot-matrix-reminder-bot.service wants
matrix_bot_matrix_reminder_bot_systemd_wanted_services_list: []
# The bot's username. This user needs to be created manually beforehand.
# Also see `matrix_bot_matrix_reminder_bot_user_password`.
matrix_bot_matrix_reminder_bot_matrix_user_id_localpart: "bot.matrix-reminder-bot"
matrix_bot_matrix_reminder_bot_matrix_user_id: '@{{ matrix_bot_matrix_reminder_bot_matrix_user_id_localpart }}:{{ matrix_domain }}'
# The password that the bot uses to authenticate.
matrix_bot_matrix_reminder_bot_matrix_user_password: ''
matrix_bot_matrix_reminder_bot_matrix_homeserver_url: 'http://matrix-synapse:8008'
# The timezone to use when creating reminders.
# Examples: 'Europe/London', 'Etc/UTC'
matrix_bot_matrix_reminder_bot_reminders_timezone: ''
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_bot_matrix_reminder_bot_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_bot_matrix_reminder_bot_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
matrix_bot_matrix_reminder_bot_configuration_extension_yaml: |
# Your custom YAML configuration goes here.
# This configuration extends the default starting configuration (`matrix_bot_matrix_reminder_bot_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_bot_matrix_reminder_bot_configuration_yaml`.
#
# Example configuration extension follows:
#
# matrix:
# device_name: My-Reminder-Bot
matrix_bot_matrix_reminder_bot_configuration_extension: "{{ matrix_bot_matrix_reminder_bot_configuration_extension_yaml|from_yaml if matrix_bot_matrix_reminder_bot_configuration_extension_yaml|from_yaml is mapping else {} }}"
# Holds the final configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_bot_matrix_reminder_bot_configuration_yaml`.
matrix_bot_matrix_reminder_bot_configuration: "{{ matrix_bot_matrix_reminder_bot_configuration_yaml|from_yaml|combine(matrix_bot_matrix_reminder_bot_configuration_extension, recursive=True) }}"

View file

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot'] }}"
when: matrix_bot_matrix_reminder_bot_enabled|bool

View file

@ -0,0 +1,14 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool and matrix_bot_matrix_reminder_bot_enabled|bool"
tags:
- setup-all
- setup-bot-matrix-reminder-bot
- import_tasks: "{{ role_path }}/tasks/setup.yml"
tags:
- setup-all
- setup-bot-matrix-reminder-bot

View file

@ -0,0 +1,88 @@
---
#
# Tasks related to setting up matrix-reminder-bot
#
- name: Ensure matrix-reminder-bot paths exist
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_bot_matrix_reminder_bot_config_path }}", when: true }
- { path: "{{ matrix_bot_matrix_reminder_bot_data_path }}", when: true }
- { path: "{{ matrix_bot_matrix_reminder_bot_data_store_path }}", when: true }
when: matrix_bot_matrix_reminder_bot_enabled|bool and item.when
- name: Ensure matrix-reminder-bot image is pulled
docker_image:
name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}"
when: matrix_bot_matrix_reminder_bot_enabled|bool
- name: Ensure matrix-reminder-bot config installed
copy:
content: "{{ matrix_bot_matrix_reminder_bot_configuration|to_nice_yaml }}"
dest: "{{ matrix_bot_matrix_reminder_bot_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_bot_matrix_reminder_bot_enabled|bool
- name: Ensure matrix-matrix-reminder-bot.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-bot-matrix-reminder-bot.service"
mode: 0644
register: matrix_bot_matrix_reminder_bot_systemd_service_result
when: matrix_bot_matrix_reminder_bot_enabled|bool
- name: Ensure systemd reloaded after matrix-matrix-reminder-bot.service installation
service:
daemon_reload: yes
when: "matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_systemd_service_result.changed"
#
# Tasks related to getting rid of matrix-reminder-bot (if it was previously enabled)
#
- name: Check existence of matrix-matrix-reminder-bot service
stat:
path: "{{ matrix_systemd_path }}/matrix-matrix-reminder-bot.service"
register: matrix_bot_matrix_reminder_bot_service_stat
- name: Ensure matrix-matrix-reminder-bot is stopped
service:
name: matrix-matrix-reminder-bot
state: stopped
daemon_reload: yes
register: stopping_result
when: "not matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_service_stat.stat.exists"
- name: Ensure matrix-matrix-reminder-bot.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-matrix-reminder-bot.service"
state: absent
when: "not matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-matrix-reminder-bot.service removal
service:
daemon_reload: yes
when: "not matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_service_stat.stat.exists"
- name: Ensure Matrix matrix-reminder-bot paths don't exist
file:
path: "{{ matrix_bot_matrix_reminder_bot_base_path }}"
state: absent
when: "not matrix_bot_matrix_reminder_bot_enabled|bool"
- name: Ensure matrix-reminder-bot Docker image doesn't exist
docker_image:
name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}"
state: absent
when: "not matrix_bot_matrix_reminder_bot_enabled|bool"

View file

@ -0,0 +1,10 @@
---
- name: Fail if required settings not defined
fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`).
when: "vars[item] == ''"
with_items:
- "matrix_bot_matrix_reminder_bot_matrix_user_password"
- "matrix_bot_matrix_reminder_bot_reminders_timezone"

View file

@ -0,0 +1,50 @@
# The string to prefix bot commands with
command_prefix: "!"
# Options for connecting to the bot's Matrix account
matrix:
# The Matrix User ID of the bot account
user_id: {{ matrix_bot_matrix_reminder_bot_matrix_user_id|to_json }}
# Matrix account password
user_password: {{ matrix_bot_matrix_reminder_bot_matrix_user_password|to_json }}
# The public URL at which the homeserver's Client-Server API can be accessed
homeserver_url: {{ matrix_bot_matrix_reminder_bot_matrix_homeserver_url }}
# The device ID that is a **non pre-existing** device
# If this device ID already exists, messages will be dropped silently in
# encrypted rooms
device_id: REMINDER
# What to name the logged in device
device_name: Reminder Bot
storage:
# The database connection string
# For SQLite3, this would look like:
# database: "sqlite://bot.db"
# For Postgres, this would look like:
# database: "postgres://username:password@localhost/dbname?sslmode=disable"
#database: "postgres://matrix-reminder-bot:remindme@localhost/matrix-reminder-bot?sslmode=disable"
database: "sqlite:///data/bot.db"
# The path to a directory for internal bot storage
# containing encryption keys, sync tokens, etc.
store_path: "/data/store"
reminders:
# Uncomment to set a default timezone that will be used when creating reminders.
# If not set, UTC will be used
timezone: {{ matrix_bot_matrix_reminder_bot_reminders_timezone }}
# Logging setup
logging:
# Logging level
# Allowed levels are 'INFO', 'WARNING', 'ERROR', 'DEBUG' where DEBUG is most verbose
level: INFO
# Configure logging to a file
file_logging:
# Whether logging to a file is enabled
enabled: false
# The path to the file to log to. May be relative or absolute
filepath: /data/bot.log
# Configure logging to the console (stdout/stderr)
console_logging:
# Whether console logging is enabled
enabled: true

View file

@ -0,0 +1,40 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=matrix-reminder-bot
{% for service in matrix_bot_matrix_reminder_bot_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_bot_matrix_reminder_bot_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
[Service]
Type=simple
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-matrix-reminder-bot \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--network={{ matrix_docker_network }} \
-e 'TZ={{ matrix_bot_matrix_reminder_bot_reminders_timezone }}' \
-v {{ matrix_bot_matrix_reminder_bot_config_path }}:/config:ro \
-v {{ matrix_bot_matrix_reminder_bot_data_path }}:/data:rw \
--entrypoint=/bin/sh \
{% for arg in matrix_bot_matrix_reminder_bot_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_bot_matrix_reminder_bot_docker_image }} \
-c "matrix-reminder-bot /config/config.yaml"
ExecStop=-{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot
ExecStop=-{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot
Restart=always
RestartSec=30
SyslogIdentifier=matrix-bot-matrix-reminder-bot
[Install]
WantedBy=multi-user.target

View file

@ -4,7 +4,7 @@
matrix_mautrix_telegram_enabled: true
# See: https://mau.dev/tulir/mautrix-telegram/container_registry
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.8.1"
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.8.2"
matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"

View file

@ -3,7 +3,7 @@
matrix_sms_bridge_enabled: true
matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.3.1.RELEASE"
matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.3.2.RELEASE"
matrix_sms_bridge_database_docker_image: "neo4j:latest"
matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}"

View file

@ -2,7 +2,7 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false
matrix_client_element_docker_image: "vectorim/riot-web:v1.7.1"
matrix_client_element_docker_image: "vectorim/riot-web:v1.7.4"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element"

View file

@ -1,21 +1,23 @@
---
- name: Ensure systemd reloaded
- name: Ensure systemd is reloaded
service:
daemon_reload: yes
- name: Ensure Matrix services stopped
- name: Ensure Matrix services are stopped
service:
name: "{{ item }}"
state: stopped
with_items: "{{ matrix_systemd_services_list }}"
when: not ansible_check_mode
- name: Ensure Matrix services started
- name: Ensure Matrix services are started
service:
name: "{{ item }}"
enabled: yes
state: started
with_items: "{{ matrix_systemd_services_list }}"
when: not ansible_check_mode
# If we check service state immediately, we may succeed,
# because it takes some time for the service to attempt to start and actually fail.

View file

@ -49,7 +49,7 @@ matrix_jitsi_jibri_xmpp_password: ''
matrix_jitsi_jibri_recorder_user: recorder
matrix_jitsi_jibri_recorder_password: ''
matrix_jitsi_container_image_tag: "stable-4627-1"
matrix_jitsi_container_image_tag: "stable-4857"
matrix_jitsi_web_docker_image: "jitsi/web:{{ matrix_jitsi_container_image_tag }}"
matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"

View file

@ -83,6 +83,9 @@ matrix_ma1sd_verbose_logging: false
matrix_ma1sd_v1_enabled: true
matrix_ma1sd_v2_enabled: true
# Fix for missing 3PIDS bug
matrix_ma1sd_hashing_enabled: true
# Default ma1sd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

View file

@ -72,6 +72,19 @@ threepid:
{% endif %}
{% endif %}
{% if matrix_ma1sd_hashing_enabled %}
hashing:
enabled: true # enable or disable the hash lookup MSC2140 (default is false)
pepperLength: 20 # length of the pepper value (default is 20)
rotationPolicy: per_requests # or `per_seconds` how often the hashes will be updating
hashStorageType: sql # or `in_memory` where the hashes will be stored
algorithms:
- none # the same as v1 bulk lookup
- sha256 # hash the 3PID and pepper.
delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s)
requests: 10
{% endif %}
synapseSql:
enabled: {{ matrix_ma1sd_synapsesql_enabled }}
type: {{ matrix_ma1sd_synapsesql_type }}

View file

@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date.
matrix_nginx_proxy_docker_image: "nginx:1.19.1-alpine"
matrix_nginx_proxy_docker_image: "nginx:1.19.2-alpine"
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
@ -227,7 +227,7 @@ matrix_ssl_domains_to_obtain_certificates_for: []
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.6.0"
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.7.0"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: ~

View file

@ -3,6 +3,9 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}

View file

@ -3,6 +3,8 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}

View file

@ -3,6 +3,8 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}

View file

@ -8,10 +8,10 @@ matrix_postgres_db_name: ""
matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"
matrix_postgres_docker_image_v9: "postgres:9.6.18-alpine"
matrix_postgres_docker_image_v10: "postgres:10.13-alpine"
matrix_postgres_docker_image_v11: "postgres:11.8-alpine"
matrix_postgres_docker_image_v12: "postgres:12.3-alpine"
matrix_postgres_docker_image_v9: "postgres:9.6.19-alpine"
matrix_postgres_docker_image_v10: "postgres:10.14-alpine"
matrix_postgres_docker_image_v11: "postgres:11.9-alpine"
matrix_postgres_docker_image_v12: "postgres:12.4-alpine"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}"
# This variable is assigned at runtime. Overriding its value has no effect.

View file

@ -0,0 +1,29 @@
# matrix-synapse-admin is a web UI for mananging the Synapse Matrix server
# See: https://github.com/Awesome-Technologies/synapse-admin
matrix_synapse_admin_enabled: true
matrix_synapse_admin_container_self_build: false
matrix_synapse_admin_docker_repo: "https://github.com/Awesome-Technologies/synapse-admin.git"
matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
matrix_synapse_admin_docker_image: "awesometechnologies/synapse-admin:0.4.1"
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"
# A list of extra arguments to pass to the container
matrix_synapse_admin_container_extra_arguments: []
# List of systemd services that matrix-synapse-admin.service depends on
matrix_synapse_admin_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-synapse-admin.service wants
matrix_synapse_admin_systemd_wanted_services_list: []
# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/80 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8766"), or empty string to not expose.
matrix_synapse_admin_container_http_host_bind_port: ''
# The path at which Synapse Admin will be exposed on `matrix.DOMAIN`
# (only applies when matrix-nginx-proxy is used).
matrix_synapse_admin_public_endpoint: /synapse-admin

View file

@ -0,0 +1,52 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin'] }}"
when: matrix_synapse_admin_enabled|bool
- block:
- name: Fail if matrix-nginx-proxy role already executed
fail:
msg: >-
Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your plabook,
so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role.
when: matrix_nginx_proxy_role_executed|default(False)|bool
- name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy
set_fact:
matrix_synapse_admin_matrix_nginx_proxy_configuration: |
rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ $scheme://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;
location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-synapse-admin:80";
proxy_pass http://$backend/$1;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:8766/$1;
{% endif %}
}
- name: Register Synapse Admin proxying configuration with matrix-nginx-proxy
set_fact:
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
+
[matrix_synapse_admin_matrix_nginx_proxy_configuration]
}}
tags:
- always
when: matrix_synapse_admin_enabled|bool
- name: Warn about reverse-proxying if matrix-nginx-proxy not used
debug:
msg: >-
NOTE: You've enabled the Synapse Admin tool but are not using the matrix-nginx-proxy
reverse proxy.
Please make sure that you're proxying the `{{ matrix_synapse_admin_public_endpoint }}`
URL endpoint to the matrix-synapse-admin container.
You can expose the container's port using the `matrix_synapse_admin_container_http_host_bind_port` variable.
when: "matrix_synapse_admin_enabled|bool and matrix_nginx_proxy_enabled is not defined"

View file

@ -0,0 +1,8 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup.yml"
tags:
- setup-all
- setup-synapse-admin

View file

@ -0,0 +1,79 @@
---
#
# Tasks related to setting up matrix-synapse-admin
#
- name: Ensure matrix-synapse-admin image is pulled
docker_image:
name: "{{ matrix_synapse_admin_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}"
when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_self_build|bool"
- name: Ensure matrix-synapse-admin repository is present when self-building
git:
repo: "{{ matrix_synapse_admin_docker_repo }}"
dest: "{{ matrix_synapse_admin_docker_src_files_path }}"
force: "yes"
register: matrix_synapse_admin_git_pull_results
when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool"
- name: Ensure matrix-synapse-admin Docker image is build
docker_image:
name: "{{ matrix_synapse_admin_docker_image }}"
source: build
force_source: yes
build:
dockerfile: Dockerfile
path: "{{ matrix_synapse_admin_docker_src_files_path }}"
pull: yes
when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool and matrix_synapse_admin_git_pull_results.changed"
- name: Ensure matrix-synapse-admin.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-synapse-admin.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-synapse-admin.service"
mode: 0644
register: matrix_synapse_admin_systemd_service_result
when: matrix_synapse_admin_enabled|bool
- name: Ensure systemd reloaded after matrix-synapse-admin.service installation
service:
daemon_reload: yes
when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_systemd_service_result.changed"
#
# Tasks related to getting rid of matrix-synapse-admin (if it was previously enabled)
#
- name: Check existence of matrix-synapse-admin service
stat:
path: "{{ matrix_systemd_path }}/matrix-synapse-admin.service"
register: matrix_synapse_admin_service_stat
- name: Ensure matrix-synapse-admin is stopped
service:
name: matrix-synapse-admin
state: stopped
daemon_reload: yes
register: stopping_result
when: "not matrix_synapse_admin_enabled|bool and matrix_synapse_admin_service_stat.stat.exists"
- name: Ensure matrix-synapse-admin.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-synapse-admin.service"
state: absent
when: "not matrix_synapse_admin_enabled|bool and matrix_synapse_admin_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-synapse-admin.service removal
service:
daemon_reload: yes
when: "not matrix_synapse_admin_enabled|bool and matrix_synapse_admin_service_stat.stat.exists"
- name: Ensure matrix-synapse-admin Docker image doesn't exist
docker_image:
name: "{{ matrix_synapse_admin_docker_image }}"
state: absent
when: "not matrix_synapse_admin_enabled|bool"

View file

@ -0,0 +1,40 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=matrix-synapse-admin
{% for service in matrix_synapse_admin_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_synapse_admin_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
[Service]
Type=simple
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-synapse-admin
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-synapse-admin
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse-admin \
--log-driver=none \
--cap-drop=ALL \
--cap-add=CHOWN \
--cap-add=NET_BIND_SERVICE \
--cap-add=SETUID \
--cap-add=SETGID \
--network={{ matrix_docker_network }} \
{% if matrix_synapse_admin_container_http_host_bind_port %}
-p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \
{% endif %}
{% for arg in matrix_synapse_admin_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_synapse_admin_docker_image }}
ExecStop=-{{ matrix_host_command_docker }} kill matrix-synapse-admin
ExecStop=-{{ matrix_host_command_docker }} rm matrix-synapse-admin
Restart=always
RestartSec=30
SyslogIdentifier=matrix-synapse-admin
[Install]
WantedBy=multi-user.target

View file

@ -5,7 +5,7 @@ matrix_synapse_enabled: true
matrix_synapse_container_image_self_build: false
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.17.0"
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.19.1"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@ -73,13 +73,6 @@ matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_ke
matrix_synapse_allow_guest_access: false
matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
matrix_synapse_id_servers_public: ['matrix.org', 'vector.im']
# The list of identity servers to use for Synapse.
# We assume this role runs standalone without a local Identity server, so we point Synapse to public ones.
# This most likely gets overwritten later, so that a local Identity server is used.
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_public }}"
matrix_synapse_max_upload_size_mb: 10
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
@ -371,6 +364,13 @@ matrix_synapse_redaction_retention_period: 7d
matrix_synapse_user_ips_max_age: 28d
matrix_synapse_rust_synapse_compress_state_docker_image: "devture/rust-synapse-compress-state:v0.1.0"
matrix_synapse_rust_synapse_compress_state_docker_image_force_pull: "{{ matrix_synapse_rust_synapse_compress_state_docker_image.endswith(':latest') }}"
matrix_synapse_rust_synapse_compress_state_base_path: "{{ matrix_base_data_path }}/rust-synapse-compress-state"
# Default Synapse configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

View file

@ -43,6 +43,11 @@
tags:
- update-user-password
- import_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml"
when: run_synapse_rust_synapse_compress_state|bool
tags:
- rust-synapse-compress-state
- name: Mark matrix-synapse role as executed
set_fact:
matrix_synapse_role_executed: true

View file

@ -0,0 +1,48 @@
- debug:
msg: "Compressing room `{{ room_details.room_id }}` having {{ room_details.count }} state group rows"
- name: Generate rust-synapse-compress-state room compression command
set_fact:
matrix_synapse_rust_synapse_compress_state_compress_room_command: >-
{{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-compress-room
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network={{ matrix_docker_network }}
-v {{ matrix_synapse_rust_synapse_compress_state_base_path }}:/work
{{ matrix_synapse_rust_synapse_compress_state_docker_image }}
/synapse-compress-state -t -o /work/state-compressor.sql
-p "host={{ matrix_synapse_database_host }} user={{ matrix_synapse_database_user }} password={{ matrix_synapse_database_password }} dbname={{ matrix_synapse_database_database }}"
-r '{{ room_details.room_id }}'
- name: Run rust-synapse-compress-state room compression command (SQL generation)
command: "{{ matrix_synapse_rust_synapse_compress_state_compress_room_command }}"
async: "{{ matrix_synapse_rust_synapse_compress_state_compress_room_time }}"
poll: 10
register: matrix_synapse_rust_synapse_compress_state_compress_room_command_result
- debug: var="matrix_synapse_rust_synapse_compress_state_compress_room_command_result"
- name: Generate Postgres compression SQL import command
set_fact:
matrix_synapse_rust_synapse_compress_state_psql_import_command: >-
{{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-psql-import
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network={{ matrix_docker_network }}
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql
-v {{ matrix_synapse_rust_synapse_compress_state_base_path }}:/work:ro
--entrypoint=/bin/sh
{{ matrix_postgres_docker_image_latest }}
-c "cat /work/state-compressor.sql |
psql -v ON_ERROR_STOP=1 -h matrix-postgres"
- name: Import compression SQL into Postgres
command: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_command }}"
async: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_time }}"
poll: 10
register: matrix_synapse_rust_synapse_compress_state_psql_import_command_result
- name: Clean up
file:
path: "{{ matrix_synapse_rust_synapse_compress_state_base_path }}/state-compressor.sql"
state: absent

View file

@ -0,0 +1,118 @@
# Pre-checks
- name: Fail if Postgres not enabled
fail:
msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot use rust-synapse-compress-state."
when: "not matrix_postgres_enabled|bool"
# Defaults
- name: Set matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time, if not provided
set_fact:
matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 15
when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time|default('') == ''"
- name: Set matrix_synapse_rust_synapse_compress_state_compress_room_time, if not provided
set_fact:
matrix_synapse_rust_synapse_compress_state_compress_room_time: 1800
when: "matrix_synapse_rust_synapse_compress_state_compress_room_time|default('') == ''"
- name: Set matrix_synapse_rust_synapse_compress_state_psql_import_time, if not provided
set_fact:
matrix_synapse_rust_synapse_compress_state_psql_import_time: 1800
when: "matrix_synapse_rust_synapse_compress_state_psql_import_time|default('') == ''"
- name: Set matrix_synapse_rust_synapse_compress_state_min_state_groups_required, if not provided
set_fact:
# The minimum number of state groups we're looking for before we consider a room eligible for compression.
# Rooms with a smaller state groups count will not be compressed.
matrix_synapse_rust_synapse_compress_state_min_state_groups_required: 100000
when: "matrix_synapse_rust_synapse_compress_state_min_state_groups_required|default('') == ''"
# Actual compression work
- name: Ensure rust-synapse-compress-state paths exist
file:
path: "{{ matrix_synapse_rust_synapse_compress_state_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure rust-synapse-compress-state image is pulled
docker_image:
name: "{{ matrix_synapse_rust_synapse_compress_state_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_rust_synapse_compress_state_docker_image_force_pull }}"
- name: Generate rust-synapse-compress-state room find command
set_fact:
matrix_synapse_rust_synapse_compress_state_find_rooms_command: >-
{{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-find-rooms
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network={{ matrix_docker_network }}
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql
{{ matrix_postgres_docker_image_latest }}
psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -c
'SELECT array_to_json(array_agg(row_to_json (r))) FROM (SELECT room_id, count(*) AS count FROM state_groups_state GROUP BY room_id HAVING count(*) > {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} ORDER BY count DESC) r;'
- name: Find rooms eligible for compression with rust-synapse-compress-state
command: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command }}"
async: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time }}"
poll: 10
register: matrix_synapse_rust_synapse_compress_state_find_rooms_command_result
# We expect the output to be like this:
#
# "stdout_lines": [
# " array_to_json ",
# "----------------------------------------------------------------------------------------------------------------------------",
# " [{\"room_id\":\"!some-id\",\"count\":2461329},{\"room_id\":\"!another-id\",\"count\":512017}]",
# "(1 row)"
# ]
#
# Row 3 (out of 4) contains the actual result.
#
# Row 3 contains a space when there's no result.
- block:
- debug: var="matrix_synapse_rust_synapse_compress_state_find_rooms_command_result"
- name: Fail if room find result is not what we expect
fail:
msg: >-
Expecting 4 lines in the "find rooms" result.
when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.failed or matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines|length != 4"
- block:
# matrix_synapse_rust_synapse_compress_state_eligible_rooms is a list
# of dictionaries like this: {'room_id': '!some-id', 'count': 2461329}
- set_fact:
matrix_synapse_rust_synapse_compress_state_eligible_rooms: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] | from_json }}"
- name: Display rooms that will be compressed
debug:
msg: >-
The following rooms contain more than {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} state group rows
(configurable via `matrix_synapse_rust_synapse_compress_state_min_state_groups_required`)
and will be compressed:
{{ matrix_synapse_rust_synapse_compress_state_eligible_rooms }}
- name: Compress room state
include_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/compress_room.yml"
with_items: "{{ matrix_synapse_rust_synapse_compress_state_eligible_rooms }}"
loop_control:
loop_var: room_details
when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] != ' '"
- name: Show notice about lack of rooms to compress
debug:
msg: >-
No rooms were found to contain more than {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} state group rows
(configurable via `matrix_synapse_rust_synapse_compress_state_min_state_groups_required`),
so there's nothing to compress.
when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] == ' '"

View file

@ -32,3 +32,4 @@
- {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
- {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
- {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
- {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}

View file

@ -89,7 +89,9 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
#gc_thresholds: [700, 10, 10]
# Set the limit on the returned events in the timeline in the get
# and sync operations. The default value is -1, means no upper limit.
# and sync operations. The default value is 100. -1 means no upper limit.
#
# Uncomment the following to increase the limit to 5000.
#
#filter_timeline_limit: 5000
@ -105,41 +107,6 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
#
#enable_search: false
# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
#federation_domain_whitelist:
# - lon.example.com
# - nyc.example.com
# - syd.example.com
{% if matrix_synapse_federation_domain_whitelist is not none %}
{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #}
federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
{% endif %}
# Prevent federation requests from being sent to the following
# blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced.
#
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
# servers provided by user input.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
federation_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
# List of ports that Synapse should listen on, their purpose and their
# configuration.
@ -169,7 +136,7 @@ federation_ip_range_blacklist:
# names: a list of names of HTTP resources. See below for a list of
# valid resource names.
#
# compress: set to true to enable HTTP comression for this resource.
# compress: set to true to enable HTTP compression for this resource.
#
# additional_resources: Only valid for an 'http' listener. A map of
# additional endpoints which should be loaded via dynamic modules.
@ -342,6 +309,10 @@ limit_remote_rooms:
#
#complexity_error: "This room is too complex."
# allow server admins to join complex rooms. Default is false.
#
#admins_can_join: true
# Whether to require a user to be in the room to add an alias to it.
# Defaults to 'true'.
#
@ -610,6 +581,43 @@ acme:
# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
#federation_domain_whitelist:
# - lon.example.com
# - nyc.example.com
# - syd.example.com
{% if matrix_synapse_federation_domain_whitelist is not none %}
{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #}
federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
{% endif %}
# Prevent federation requests from being sent to the following
# blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced.
#
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
# servers provided by user input.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
federation_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
## Caching ##
# Caching can be configured through the following options.
@ -699,6 +707,10 @@ log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config"
# - one for ratelimiting redactions by room admins. If this is not explicitly
# set then it uses the same ratelimiting as per rc_message. This is useful
# to allow room admins to deal with abuse quickly.
# - two for ratelimiting number of rooms a user can join, "local" for when
# users are joining rooms the server is already in (this is cheap) vs
# "remote" for when users are trying to join rooms not on the server (which
# can be more expensive)
#
# The defaults are as shown below.
#
@ -727,6 +739,14 @@ rc_login: {{ matrix_synapse_rc_login|to_json }}
#rc_admin_redaction:
# per_second: 1
# burst_count: 50
#
#rc_joins:
# local:
# per_second: 0.1
# burst_count: 3
# remote:
# per_second: 0.01
# burst_count: 3
# Ratelimiting settings for incoming federation
@ -1113,25 +1133,6 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
#
#default_identity_server: https://matrix.org
# The list of identity servers trusted to verify third party
# identifiers by this server.
#
# Also defines the ID server which will be called when an account is
# deactivated (one will be picked arbitrarily).
#
# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity
# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a
# background migration script, informing itself that the identity server all of its
# 3PIDs have been bound to is likely one of the below.
#
# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and
# it is now solely used for the purposes of the background migration script, and can be
# removed once it has run.
{% if matrix_synapse_trusted_third_party_id_servers|length > 0 %}
trusted_third_party_id_servers:
{{ matrix_synapse_trusted_third_party_id_servers|to_nice_yaml }}
{% endif %}
# Handle threepid (email/phone etc) registration and password resets through a set of
# *trusted* identity servers. Note that this allows the configured identity server to
# reset passwords for accounts!
@ -1542,6 +1543,17 @@ saml2_config:
#
#grandfathered_mxid_source_attribute: upn
# It is possible to configure Synapse to only allow logins if SAML attributes
# match particular values. The requirements can be listed under
# `attribute_requirements` as shown below. All of the listed attributes must
# match for the login to be permitted.
#
#attribute_requirements:
# - attribute: userGroup
# value: "staff"
# - attribute: department
# value: "sales"
# Directory in which Synapse will try to find the template files below.
# If not set, default templates from within the Synapse package will be used.
#
@ -1788,6 +1800,9 @@ sso:
# Each JSON Web Token needs to contain a "sub" (subject) claim, which is
# used as the localpart of the mxid.
#
# Additionally, the expiration time ("exp"), not before time ("nbf"),
# and issued at ("iat") claims are validated if present.
#
# Note that this is a non-standard login type and client support is
# expected to be non-existant.
#
@ -1879,8 +1894,8 @@ email:
#notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
notif_from: {{ matrix_synapse_email_notif_from|string|to_json }}
# app_name defines the default value for '%(app)s' in notif_from. It
# defaults to 'Matrix'.
# app_name defines the default value for '%(app)s' in notif_from and email
# subjects. It defaults to 'Matrix'.
#
#app_name: my_branded_matrix_server
app_name: Matrix
@ -1946,6 +1961,73 @@ email:
# https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
#
#template_dir: "res/templates"
# Subjects to use when sending emails from Synapse.
#
# The placeholder '%(app)s' will be replaced with the value of the 'app_name'
# setting above, or by a value dictated by the Matrix client application.
#
# If a subject isn't overridden in this configuration file, the value used as
# its example will be used.
#
#subjects:
# Subjects for notification emails.
#
# On top of the '%(app)s' placeholder, these can use the following
# placeholders:
#
# * '%(person)s', which will be replaced by the display name of the user(s)
# that sent the message(s), e.g. "Alice and Bob".
# * '%(room)s', which will be replaced by the name of the room the
# message(s) have been sent to, e.g. "My super room".
#
# See the example provided for each setting to see which placeholder can be
# used and how to use them.
#
# Subject to use to notify about one message from one or more user(s) in a
# room which has a name.
#message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
#
# Subject to use to notify about one message from one or more user(s) in a
# room which doesn't have a name.
#message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
#
# Subject to use to notify about multiple messages from one or more users in
# a room which doesn't have a name.
#messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
#
# Subject to use to notify about multiple messages in a room which has a
# name.
#messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
#
# Subject to use to notify about multiple messages in multiple rooms.
#messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
#
# Subject to use to notify about multiple messages from multiple persons in
# multiple rooms. This is similar to the setting above except it's used when
# the room in which the notification was triggered has no name.
#messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
#
# Subject to use to notify about an invite to a room which has a name.
#invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
#
# Subject to use to notify about an invite to a room which doesn't have a
# name.
#invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."
# Subject for emails related to account administration.
#
# On top of the '%(app)s' placeholder, these one can use the
# '%(server_name)s' placeholder, which will be replaced by the value of the
# 'server_name' setting in your Synapse configuration.
#
# Subject to use when sending a password reset email.
#password_reset: "[%(server_name)s] Password reset"
#
# Subject to use when sending a verification email to assert an address's
# ownership.
#email_validation: "[%(server_name)s] Validate your email"
{% endif %}
# Password providers allow homeserver administrators to integrate
@ -2303,4 +2385,57 @@ opentracing:
# false
## Workers ##
# Disables sending of outbound federation transactions on the main process.
# Uncomment if using a federation sender worker.
#
#send_federation: false
# It is possible to run multiple federation sender workers, in which case the
# work is balanced across them.
#
# This configuration must be shared between all federation sender workers, and if
# changed all federation sender workers must be stopped at the same time and then
# started, to ensure that all instances are running with the same config (otherwise
# events may be dropped).
#
#federation_sender_instances:
# - federation_sender1
# When using workers this should be a map from `worker_name` to the
# HTTP replication listener of the worker, if configured.
#
#instance_map:
# worker1:
# host: localhost
# port: 8034
# Experimental: When using workers you can define which workers should
# handle event persistence and typing notifications. Any worker
# specified here must also be in the `instance_map`.
#
#stream_writers:
# events: worker1
# typing: worker1
# Configuration for Redis when using workers. This *must* be enabled when
# using workers (unless using old style direct TCP configuration).
#
redis:
# Uncomment the below to enable Redis support.
#
#enabled: true
# Optional host and port to use to connect to redis. Defaults to
# localhost and 6379
#
#host: localhost
#port: 6379
# Optional password if configured on the Redis instance
#
#password: <secret_password>
# vim:ft=yaml

View file

@ -1,7 +1,5 @@
---
matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
matrix_synapse_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions"
matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"

View file

@ -23,7 +23,9 @@
- matrix-bridge-mx-puppet-twitter
- matrix-bridge-mx-puppet-instagram
- matrix-bridge-sms
- matrix-bot-matrix-reminder-bot
- matrix-synapse
- matrix-synapse-admin
- matrix-client-element
- matrix-jitsi
- matrix-ma1sd