WIP: Upgrade Synapse (1.3.1 -> 1.4.0rc2)

Aaron Raimist 2019-10-02 21:35:44 -05:00
parent 1dd1f9602f
commit 413d9ec143
No known key found for this signature in database
GPG key ID: 37419210002890EF
2 changed files with 216 additions and 75 deletions


@ -3,7 +3,7 @@
matrix_synapse_enabled: true matrix_synapse_enabled: true
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.3.1" matrix_synapse_docker_image: "matrixdotorg/synapse:v1.4.0rc2"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@ -308,6 +308,13 @@ matrix_synapse_default_room_version: "4"
# If not, you can also control its value manually. # If not, you can also control its value manually.
matrix_synapse_spam_checker: ~ matrix_synapse_spam_checker: ~
matrix_synapse_trusted_key_servers:
- server_name: "matrix.org"
matrix_synapse_redaction_retention_period: 7d
matrix_synapse_user_ips_max_age: 28d
# Default Synapse configuration template which covers the generic use case. # Default Synapse configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it. # You can customize it by controlling the various variables inside it.
# #
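Review bot: The four new defaults added after `matrix_synapse_spam_checker` (`matrix_synapse_trusted_key_servers`, `matrix_synapse_redaction_retention_period`, `matrix_synapse_user_ips_max_age`) carry no comment, while every neighbouring variable in this file is documented. Since the template text being added in the same commit says these two retention values accept `null` to disable the clean-up, the vars file should say so; something like `# Retention of redacted events / user last-seen IPs in the database. Set to ~ (null) to keep rows forever.` above them, plus a note that the default key-server list (matrix.org) makes Synapse emit a start-up warning unless `suppress_key_server_warning` is also set. I would also quote the durations as `"7d"` and `"28d"` to match the quoting style of the other scalar defaults in this hunk's context (e.g. `matrix_synapse_default_room_version: "4"`).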


@ -105,6 +105,9 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js
# blacklist IP address CIDR ranges. If this option is not specified, or # blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced. # specified with an empty list, no ip range blacklist will be enforced.
# #
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
# servers provided by user input.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.) # listed here, since they correspond to unroutable addresses.)
# #
@ -131,8 +134,8 @@ federation_ip_range_blacklist:
# #
# type: the type of listener. Normally 'http', but other valid options are: # type: the type of listener. Normally 'http', but other valid options are:
# 'manhole' (see docs/manhole.md), # 'manhole' (see docs/manhole.md),
# 'metrics' (see docs/metrics-howto.rst), # 'metrics' (see docs/metrics-howto.md),
# 'replication' (see docs/workers.rst). # 'replication' (see docs/workers.md).
# #
# tls: set to true to enable TLS for this listener. Will use the TLS # tls: set to true to enable TLS for this listener. Will use the TLS
# key/cert specified in tls_private_key_path / tls_certificate_path. # key/cert specified in tls_private_key_path / tls_certificate_path.
@ -167,12 +170,12 @@ federation_ip_range_blacklist:
# #
# media: the media API (/_matrix/media). # media: the media API (/_matrix/media).
# #
# metrics: the metrics interface. See docs/metrics-howto.rst. # metrics: the metrics interface. See docs/metrics-howto.md.
# #
# openid: OpenID authentication. # openid: OpenID authentication.
# #
# replication: the HTTP replication API (/_synapse/replication). See # replication: the HTTP replication API (/_synapse/replication). See
# docs/workers.rst. # docs/workers.md.
# #
# static: static resources under synapse/static (/_matrix/static). (Mostly # static: static resources under synapse/static (/_matrix/static). (Mostly
# useful for 'fallback authentication'.) # useful for 'fallback authentication'.)
@ -311,6 +314,23 @@ listeners:
# #
#allow_per_room_profiles: false #allow_per_room_profiles: false
# How long to keep redacted events in unredacted form in the database. After
# this period redacted events get replaced with their redacted form in the DB.
#
# Defaults to `7d`. Set to `null` to disable.
#
#redaction_retention_period: 28d
redaction_retention_period: {{ matrix_synapse_redaction_retention_period }}
# How long to track users' last seen time and IPs in the database.
#
# Defaults to `28d`. Set to `null` to disable clearing out of old rows.
#
#user_ips_max_age: 14d
user_ips_max_age: {{ matrix_synapse_user_ips_max_age }}
## TLS ## ## TLS ##
@ -442,7 +462,7 @@ acme:
# #
# If unspecified, we will use CONFDIR/client.key. # If unspecified, we will use CONFDIR/client.key.
# #
account_key_file: /data/acme_account.key #account_key_file: /data/acme_account.key
# List of allowed TLS fingerprints for this server to publish along # List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that # with the signing keys for this server. Other matrix servers that
@ -493,7 +513,8 @@ event_cache_size: "{{ matrix_synapse_event_cache_size }}"
## Logging ## ## Logging ##
# A yaml python logging config file # A yaml python logging config file as described by
# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
# #
log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config"
@ -518,13 +539,15 @@ log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config"
# - one for login that ratelimits login requests based on the account the # - one for login that ratelimits login requests based on the account the
# client is attempting to log into, based on the amount of failed login # client is attempting to log into, based on the amount of failed login
# attempts for this account. # attempts for this account.
# - one for ratelimiting redactions by room admins. If this is not explicitly
# set then it uses the same ratelimiting as per rc_message. This is useful
# to allow room admins to deal with abuse quickly.
# #
# The defaults are as shown below. # The defaults are as shown below.
# #
#rc_message: #rc_message:
# per_second: 0.2 # per_second: 0.2
# burst_count: 10 # burst_count: 10
#
rc_message: {{ matrix_synapse_rc_message|to_json }} rc_message: {{ matrix_synapse_rc_message|to_json }}
# #
#rc_registration: #rc_registration:
@ -543,6 +566,10 @@ rc_registration: {{ matrix_synapse_rc_registration|to_json }}
# per_second: 0.17 # per_second: 0.17
# burst_count: 3 # burst_count: 3
rc_login: {{ matrix_synapse_rc_login|to_json }} rc_login: {{ matrix_synapse_rc_login|to_json }}
#
#rc_admin_redaction:
# per_second: 1
# burst_count: 50
# Ratelimiting settings for incoming federation # Ratelimiting settings for incoming federation
@ -907,11 +934,45 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
# Also defines the ID server which will be called when an account is # Also defines the ID server which will be called when an account is
# deactivated (one will be picked arbitrarily). # deactivated (one will be picked arbitrarily).
# #
# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity
# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a
# background migration script, informing itself that the identity server all of its
# 3PIDs have been bound to is likely one of the below.
#
# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and
# it is now solely used for the purposes of the background migration script, and can be
# removed once it has run.
{% if matrix_synapse_trusted_third_party_id_servers|length > 0 %} {% if matrix_synapse_trusted_third_party_id_servers|length > 0 %}
trusted_third_party_id_servers: trusted_third_party_id_servers:
{{ matrix_synapse_trusted_third_party_id_servers|to_nice_yaml }} {{ matrix_synapse_trusted_third_party_id_servers|to_nice_yaml }}
{% endif %} {% endif %}
# Handle threepid (email/phone etc) registration and password resets through a set of
# *trusted* identity servers. Note that this allows the configured identity server to
# reset passwords for accounts!
#
# Be aware that if `email` is not set, and SMTP options have not been
# configured in the email config block, registration and user password resets via
# email will be globally disabled.
#
# Additionally, if `msisdn` is not set, registration and password resets via msisdn
# will be disabled regardless. This is due to Synapse currently not supporting any
# method of sending SMS messages on its own.
#
# To enable using an identity server for operations regarding a particular third-party
# identifier type, set the value to the URL of that identity server as shown in the
# examples below.
#
# Servers handling the these requests must answer the `/requestToken` endpoints defined
# by the Matrix Identity Service API specification:
# https://matrix.org/docs/spec/identity_service/latest
#
# If a delegate is specified, the config option public_baseurl must also be filled out.
#
account_threepid_delegates:
#email: https://example.com # Delegate email sending to example.org
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
# Users who register on this homeserver will automatically be joined # Users who register on this homeserver will automatically be joined
# to these rooms # to these rooms
# #
@ -950,9 +1011,24 @@ sentry:
dsn: {{ matrix_synapse_sentry_dsn|to_json }} dsn: {{ matrix_synapse_sentry_dsn|to_json }}
{% endif %} {% endif %}
# Flags to enable Prometheus metrics which are not suitable to be
# enabled by default, either for performance reasons or limited use.
#
metrics_flags:
# Publish synapse_federation_known_servers, a g auge of the number of
# servers this homeserver knows about, including itself. May cause
# performance problems on large homeservers.
#
#known_servers: true
# Whether or not to report anonymized homeserver usage statistics. # Whether or not to report anonymized homeserver usage statistics.
report_stats: {{ matrix_synapse_report_stats|to_json }} report_stats: {{ matrix_synapse_report_stats|to_json }}
# The endpoint to report the anonymized homeserver usage statistics to.
# Defaults to https://matrix.org/report-usage-stats/push
#
#report_stats_endpoint: https://example.com/report-usage-stats/push
## API Configuration ## ## API Configuration ##
@ -1022,6 +1098,10 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key"
# This setting supercedes an older setting named `perspectives`. The old format # This setting supercedes an older setting named `perspectives`. The old format
# is still supported for backwards-compatibility, but it is deprecated. # is still supported for backwards-compatibility, but it is deprecated.
# #
# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
# warning on start-up. To suppress this warning, set
# 'suppress_key_server_warning' to true.
#
# Options for each entry in the list include: # Options for each entry in the list include:
# #
# server_name: the name of the server. required. # server_name: the name of the server. required.
@ -1046,20 +1126,31 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key"
# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
# - server_name: "my_other_trusted_server.example.com" # - server_name: "my_other_trusted_server.example.com"
# #
# The default configuration is: trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }}
# Uncomment the following to disable the warning that is emitted when the
# trusted_key_servers include 'matrix.org'. See above.
# #
#trusted_key_servers: #suppress_key_server_warning: true
# - server_name: "matrix.org"
# The signing keys to use when acting as a trusted key server. If not specified
# defaults to the server signing key.
#
# Can contain multiple keys, one per line.
#
#key_server_signing_keys_path: "key_server_signing_keys.key"
# Enable SAML2 for registration and login. Uses pysaml2. # Enable SAML2 for registration and login. Uses pysaml2.
# #
# `sp_config` is the configuration for the pysaml2 Service Provider. # At least one of `sp_config` or `config_path` must be set in this section to
# See pysaml2 docs for format of config. # enable SAML login.
# #
# Default values will be used for the 'entityid' and 'service' settings, # (You will probably also want to set the following options to `false` to
# so it is not normally necessary to specify them unless you need to # disable the regular login/registration flows:
# override them. # * enable_registration
# * password_config.enabled
# #
# Once SAML support is enabled, a metadata file will be exposed at # Once SAML support is enabled, a metadata file will be exposed at
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
@ -1067,52 +1158,85 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key"
# the IdP to use an ACS location of # the IdP to use an ACS location of
# https://<server>:<port>/_matrix/saml2/authn_response. # https://<server>:<port>/_matrix/saml2/authn_response.
# #
#saml2_config: saml2_config:
# sp_config: # `sp_config` is the configuration for the pysaml2 Service Provider.
# # point this to the IdP's metadata. You can use either a local file or # See pysaml2 docs for format of config.
# # (preferably) a URL. #
# metadata: # Default values will be used for the 'entityid' and 'service' settings,
# #local: ["saml2/idp.xml"] # so it is not normally necessary to specify them unless you need to
# remote: # override them.
# - url: https://our_idp/metadata.xml #
# #sp_config:
# # By default, the user has to go to our login page first. If you'd like to # # point this to the IdP's metadata. You can use either a local file or
# # allow IdP-initiated login, set 'allow_unsolicited: True' in a # # (preferably) a URL.
# # 'service.sp' section: # metadata:
# # # #local: ["saml2/idp.xml"]
# #service: # remote:
# # sp: # - url: https://our_idp/metadata.xml
# # allow_unsolicited: True #
# # # By default, the user has to go to our login page first. If you'd like
# # The examples below are just used to generate our metadata xml, and you # # to allow IdP-initiated login, set 'allow_unsolicited: True' in a
# # may well not need it, depending on your setup. Alternatively you # # 'service.sp' section:
# # may need a whole lot more detail - see the pysaml2 docs! # #
# # #service:
# description: ["My awesome SP", "en"] # # sp:
# name: ["Test SP", "en"] # # allow_unsolicited: true
# #
# organization: # # The examples below are just used to generate our metadata xml, and you
# name: Example com # # may well not need them, depending on your setup. Alternatively you
# display_name: # # may need a whole lot more detail - see the pysaml2 docs!
# - ["Example co", "en"] #
# url: "http://example.com" # description: ["My awesome SP", "en"]
# # name: ["Test SP", "en"]
# contact_person: #
# - given_name: Bob # organization:
# sur_name: "the Sysadmin" # name: Example com
# email_address": ["admin@example.com"] # display_name:
# contact_type": technical # - ["Example co", "en"]
# # url: "http://example.com"
# # Instead of putting the config inline as above, you can specify a #
# # separate pysaml2 configuration file: # contact_person:
# # # - given_name: Bob
# config_path: "/data/sp_conf.py" # sur_name: "the Sysadmin"
# # email_address": ["admin@example.com"]
# # the lifetime of a SAML session. This defines how long a user has to # contact_type": technical
# # complete the authentication process, if allow_unsolicited is unset.
# # The default is 5 minutes. # Instead of putting the config inline as above, you can specify a
# # # separate pysaml2 configuration file:
# # saml_session_lifetime: 5m #
#config_path: "CONFDIR/sp_conf.py"
# the lifetime of a SAML session. This defines how long a user has to
# complete the authentication process, if allow_unsolicited is unset.
# The default is 5 minutes.
#
#saml_session_lifetime: 5m
# The SAML attribute (after mapping via the attribute maps) to use to derive
# the Matrix ID from. 'uid' by default.
#
#mxid_source_attribute: displayName
# The mapping system to use for mapping the saml attribute onto a matrix ID.
# Options include:
# * 'hexencode' (which maps unpermitted characters to '=xx')
# * 'dotreplace' (which replaces unpermitted characters with '.').
# The default is 'hexencode'.
#
#mxid_mapping: dotreplace
# In previous versions of synapse, the mapping from SAML attribute to MXID was
# always calculated dynamically rather than stored in a table. For backwards-
# compatibility, we will look for user_ids matching such a pattern before
# creating a new account.
#
# This setting controls the SAML attribute which will be used for this
# backwards-compatibility lookup. Typically it should be 'uid', but if the
# attribute maps are changed, it may be necessary to change it.
#
# The default is 'uid'.
#
#grandfathered_mxid_source_attribute: upn
@ -1178,19 +1302,6 @@ password_config:
# # # #
# riot_base_url: "http://localhost/riot" # riot_base_url: "http://localhost/riot"
# #
# # Enable sending password reset emails via the configured, trusted
# # identity servers
# #
# # IMPORTANT! This will give a malicious or overtaken identity server
# # the ability to reset passwords for your users! Make absolutely sure
# # that you want to do this! It is strongly recommended that password
# # reset emails be sent by the homeserver instead
# #
# # If this option is set to false and SMTP options have not been
# # configured, resetting user passwords via email will be disabled
# #
# #trust_identity_server_for_password_resets: false
#
# # Configure the time that a validation email or text message code # # Configure the time that a validation email or text message code
# # will expire after sending # # will expire after sending
# # # #
@ -1222,11 +1333,34 @@ password_config:
# #password_reset_template_html: password_reset.html # #password_reset_template_html: password_reset.html
# #password_reset_template_text: password_reset.txt # #password_reset_template_text: password_reset.txt
# #
# # Templates for registration emails sent by the homeserver
# #
# #registration_template_html: registration.html
# #registration_template_text: registration.txt
#
# # Templates for validation emails sent by the homeserver when adding an email to
# # your user account
# #
# #add_threepid_template_html: add_threepid.html
# #add_threepid_template_text: add_threepid.txt
#
# # Templates for password reset success and failure pages that a user # # Templates for password reset success and failure pages that a user
# # will see after attempting to reset their password # # will see after attempting to reset their password
# # # #
# #password_reset_template_success_html: password_reset_success.html # #password_reset_template_success_html: password_reset_success.html
# #password_reset_template_failure_html: password_reset_failure.html # #password_reset_template_failure_html: password_reset_failure.html
#
# # Templates for registration success and failure pages that a user
# # will see after attempting to register using an email or phone
# #
# #registration_template_success_html: registration_success.html
# #registration_template_failure_html: registration_failure.html
#
# # Templates for success and failure pages that a user will see after attempting
# # to add an email or phone to their account
# #
# #add_threepid_success_html: add_threepid_success.html
# #add_threepid_failure_html: add_threepid_failure.html
{% if matrix_synapse_email_enabled %} {% if matrix_synapse_email_enabled %}
email: email:
enable_notifs: true enable_notifs: true
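Review bot: In the hunk at `@ -311,6 +314,23 @@`, the two new template lines interpolate the variables bare (`redaction_retention_period: {{ matrix_synapse_redaction_retention_period }}` and `user_ips_max_age: {{ matrix_synapse_user_ips_max_age }}`), whereas the rest of this template uses `|to_json`; with the variable set to `null` — which the adjacent comment documents as the way to disable the clean-up — Jinja renders the literal text `None`, which Synapse would presumably try to parse as a duration rather than treat as disabled. Appending `|to_json` on both lines renders `null` correctly and keeps the style consistent with `rc_message`, `report_stats` and the other keys in this file. In the `@ -907,11 +934,45 @@` hunk, `account_threepid_delegates:` is emitted with both children commented out, so the key is rendered as a bare null rather than an empty mapping; it may be worth exposing it as a variable defaulting to `{}` and documenting, as the surrounding comment already does, that a delegated identity server can reset passwords for accounts, so the value should be set deliberately. Finally, with `trusted_key_servers` now defaulting to matrix.org and `#suppress_key_server_warning: true` left commented, every start-up will log the warning described in the comment above it; either document that in the vars file or make the suppression a variable.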