Merge branch 'master' into pub.solar

docs/configuring-playbook-bot-mjolnir.md

@@ -29,7 +29,7 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t
 
 ## 3. Make sure the account is free from rate limiting
 
-You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. [Currently there is no Synapse config option for this](https://github.com/matrix-org/synapse/issues/6286) so you have to manually edit the Synapse database. Manually editing the Synapse database is rarely a good idea but in this case it is required. Please ask for help if you are uncomfortable with these steps.
+You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps.
 
 1. Copy the statement below into a text editor. 
 

group_vars/matrix_servers

@@ -1837,10 +1837,6 @@ matrix_postgres_additional_databases: |
     }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else [])
     +
     ([{
-      'name': matrix_dendrite_appservice_database,
-      'username': matrix_dendrite_database_user,
-      'password': matrix_dendrite_database_password,
-    },{
       'name': matrix_dendrite_federationapi_database,
       'username': matrix_dendrite_database_user,
       'password': matrix_dendrite_database_password,
@@ -2237,9 +2233,7 @@ matrix_synapse_enabled: "{{ matrix_homeserver_implementation == 'synapse' }}"
 
 matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 
-# When ma1sd is enabled, we can use it to validate email addresses and phone numbers.
-# Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server.
-matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port | string if matrix_ma1sd_enabled else '' }}"
+# When ma1sd is enabled, we can use it to validate phone numbers. It's something that the homeserver cannot do by itself.
 matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port | string if matrix_ma1sd_enabled else '' }}"
 
 # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.

roles/matrix-backup-borg/defaults/main.yml

@@ -26,8 +26,11 @@ matrix_backup_borg_systemd_required_services_list: ['docker.service']
 # List of systemd services that matrix-backup-borg.service wants
 matrix_backup_borg_systemd_wanted_services_list: []
 
-# systemd calendar configuration for backup job
+# systemd calendar configuration for the backup job
+# the actual job may run with a delay (see matrix_backup_borg_schedule_randomized_delay_sec)
 matrix_backup_borg_schedule: "*-*-* 04:00:00"
+# the delay with which the systemd timer may run in relation to the `matrix_backup_borg_schedule` schedule
+matrix_backup_borg_schedule_randomized_delay_sec: 2h
 
 # what directories should be added to backup
 matrix_backup_borg_location_source_directories: []

roles/matrix-backup-borg/templates/systemd/matrix-backup-borg.timer.j2

@@ -4,7 +4,7 @@ Description=Matrix Borg Backup timer
 [Timer]
 Unit=matrix-backup-borg.service
 OnCalendar={{ matrix_backup_borg_schedule }}
-RandomizedDelaySec=2h
+RandomizedDelaySec={{ matrix_backup_borg_schedule_randomized_delay_sec }}
 
 [Install]
 WantedBy=timers.target

roles/matrix-bot-postmoogle/defaults/main.yml

@@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git"
 matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}"
 matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src"
 
-matrix_bot_postmoogle_version: latest
+matrix_bot_postmoogle_version: v0.9.0
 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}postmoogle:{{ matrix_bot_postmoogle_version }}"
 matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}"
 matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}"
@@ -78,11 +78,26 @@ matrix_bot_postmoogle_prefix: '!pm'
 # Max email size in megabytes, including attachments
 matrix_bot_postmoogle_maxsize: '1024'
 
-# Allow room settings changes by any room participant
-matrix_bot_postmoogle_noowner: false
+# DEPRECATED, use !pm users instead
+# A list of whitelisted users allowed to use the bridge.
+# If not defined, everyone is allowed.
+# Example set of rules:
+# matrix_bot_postmoogle_users:
+# - @someone:example.com
+# - @another:example.com
+# - @bot.*:example.com
+# - @*:another.com
+matrix_bot_postmoogle_users:
+  - "@*:{{ matrix_domain }}"
 
-# Allow Postmoogle use by users over federation
-matrix_bot_postmoogle_federation: false
+# A list of admins
+# Example set of rules:
+# matrix_bot_postmoogle_admins:
+# - @someone:example.com
+# - @another:example.com
+# - @bot.*:example.com
+# - @*:another.com
+matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}"
 
 # Sentry DSN
 matrix_bot_postmoogle_sentry: ''

roles/matrix-bot-postmoogle/templates/env.j2

@@ -10,7 +10,7 @@ POSTMOOGLE_MAXSIZE={{ matrix_bot_postmoogle_maxsize }}
 POSTMOOGLE_SENTRY={{ matrix_bot_postmoogle_sentry }}
 POSTMOOGLE_LOGLEVEL={{ matrix_bot_postmoogle_loglevel }}
 POSTMOOGLE_NOENCRYPTION={{ matrix_bot_postmoogle_noencryption }}
-POSTMOOGLE_NOOWNER={{ matrix_bot_postmoogle_noowner }}
-POSTMOOGLE_FEDERATION={{ matrix_bot_postmoogle_federation }}
+POSTMOOGLE_USERS={{ matrix_bot_postmoogle_users | join(' ') }}
+POSTMOOGLE_ADMINS={{ matrix_bot_postmoogle_admins | join(' ') }}
 
 {{ matrix_bot_postmoogle_environment_variables_extension }}

roles/matrix-bridge-hookshot/defaults/main.yml

@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
 
-matrix_hookshot_version: 2.0.1
+matrix_hookshot_version: 2.1.2
 
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"

roles/matrix-client-cinny/defaults/main.yml

@@ -6,7 +6,7 @@ matrix_client_cinny_enabled: true
 matrix_client_cinny_container_image_self_build: false
 matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
 
-matrix_client_cinny_version: v2.1.2
+matrix_client_cinny_version: v2.1.3
 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
 matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}"

roles/matrix-client-element/defaults/main.yml

@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
-matrix_client_element_version: v1.11.3
+matrix_client_element_version: v1.11.4
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

roles/matrix-conduit/defaults/main.yml

@@ -36,8 +36,13 @@ matrix_conduit_template_conduit_config: "{{ role_path }}/templates/conduit/condu
 # Max size for uploads, in bytes
 matrix_conduit_max_request_size: 20_000_000
 
+# Maximum number of open files for Conduit's embedded RocksDB database
+# See https://github.com/facebook/rocksdb/wiki/RocksDB-Tuning-Guide#tuning-other-options
+# If not specified, Conduit defaults to a relatively low value of 20
+matrix_conduit_rocksdb_max_open_files: 64
+
 # Enables registration. If set to false, no users can register on this server.
-matrix_conduit_allow_registration: true
+matrix_conduit_allow_registration: false
 
 matrix_conduit_allow_federation: true
 

roles/matrix-conduit/templates/conduit/conduit.toml.j2

@@ -34,6 +34,9 @@ port = {{ matrix_conduit_port_number }}
 # Max size for uploads
 max_request_size = {{ matrix_conduit_max_request_size }}
 
+# Max number of open files for the RocksDB database
+rocksdb_max_open_files = {{ matrix_conduit_rocksdb_max_open_files }}
+
 # Enables registration. If set to false, no users can register on this server.
 allow_registration = {{ matrix_conduit_allow_registration | to_json }}
 

roles/matrix-dendrite/defaults/main.yml

@@ -6,7 +6,7 @@ matrix_dendrite_enabled: true
 
 matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}"
 matrix_dendrite_docker_image_name_prefix: "docker.io/"
-matrix_dendrite_docker_image_tag: "v0.9.5"
+matrix_dendrite_docker_image_tag: "v0.9.6"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
 
 matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
@@ -138,7 +138,6 @@ matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:
 matrix_dendrite_database_hostname: "matrix-postgres"
 matrix_dendrite_database_user: "dendrite"
 matrix_dendrite_database_password: "itsasecret"
-matrix_dendrite_appservice_database: "dendrite_appservice"
 matrix_dendrite_federationapi_database: "dendrite_federationapi"
 matrix_dendrite_keyserver_database: "dendrite_keyserver"
 matrix_dendrite_mediaapi_database: "dendrite_mediaapi"

roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2

@@ -133,11 +133,6 @@ app_service_api:
   internal_api:
     listen: http://0.0.0.0:7777
     connect: http://appservice_api:7777
-  database:
-    connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_appservice_database }}?sslmode=disable
-    max_open_conns: 10
-    max_idle_conns: 2
-    conn_max_lifetime: -1
 
   # Disable the validation of TLS certificates of appservices. This is
   # not recommended in production since it may allow appservice traffic

roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2

@@ -1,7 +1,7 @@
 #jinja2: lstrip_blocks: "True"
 #!/bin/bash
 
-if [ $# -ne 2 ]; then
+if [ $# -ne 3 ]; then
 	echo "Usage: "$0" <username> <password> <admin access: 0 or 1>"
 	exit 1
 fi

roles/matrix-dynamic-dns/defaults/main.yml

@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true
 # The dynamic dns daemon interval
 matrix_dynamic_dns_daemon_interval: '300'
 
-matrix_dynamic_dns_version: v3.9.1-ls96
+matrix_dynamic_dns_version: v3.9.1-ls97
 
 # The docker container to use when in mode
 matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"

roles/matrix-grafana/defaults/main.yml

@@ -5,7 +5,7 @@
 
 matrix_grafana_enabled: false
 
-matrix_grafana_version: 9.1.1
+matrix_grafana_version: 9.1.2
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
 

roles/matrix-synapse/defaults/main.yml

@@ -9,7 +9,7 @@ matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/s
 
 matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}"
 matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}"
-matrix_synapse_version: v1.65.0
+matrix_synapse_version: v1.66.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 
@@ -257,10 +257,6 @@ matrix_synapse_registrations_require_3pid: []
 #    pattern: '\+44'
 matrix_synapse_allowed_local_3pids: []
 
-# The server to use for email threepid validation. When empty, Synapse does it by itself.
-# Otherwise, this should be pointed to an identity server.
-matrix_synapse_account_threepid_delegates_email: ''
-
 # The server to use for phone number threepid validation. When empty, validation cannot happen, as Synapse doesn't support it.
 # To make it work, this should be pointed to an identity server.
 matrix_synapse_account_threepid_delegates_msisdn: ''

roles/matrix-synapse/tasks/validate_config.yml

@@ -61,6 +61,7 @@
     - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'}
     - {'old': 'matrix_synapse_version_arm64', 'new': '<superseded by matrix_synapse_version - see https://github.com/matrix-org/synapse/pull/11810>'}
     - {'old': 'matrix_synapse_enable_group_creation', 'new': '<removed in Synapse v1.61.0 - use the new Spaces feature instead>'}
+    - {'old': 'matrix_synapse_account_threepid_delegates_email', 'new': '<removed in Synapse v1.66.0 - make sure to configure email settings for Synapse - see https://matrix-org.github.io/synapse/v1.66/upgrade.html#delegation-of-email-validation-no-longer-supported>'}
 
 - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
   ansible.builtin.fail:

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -1420,14 +1420,10 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
 #
 #default_identity_server: https://matrix.org
 
-# Handle threepid (email/phone etc) registration and password resets through a set of
+# Handle threepid (phone etc) registration and password resets through a set of
 # *trusted* identity servers. Note that this allows the configured identity server to
 # reset passwords for accounts!
 #
-# Be aware that if `email` is not set, and SMTP options have not been
-# configured in the email config block, registration and user password resets via
-# email will be globally disabled.
-#
 # Additionally, if `msisdn` is not set, registration and password resets via msisdn
 # will be disabled regardless, and users will not be able to associate an msisdn
 # identifier to their account. This is due to Synapse currently not supporting
@@ -1442,7 +1438,6 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
 # https://matrix.org/docs/spec/identity_service/latest
 #
 account_threepid_delegates:
-    email: {{ matrix_synapse_account_threepid_delegates_email|to_json }}
     msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }}
 
 # Whether users are allowed to change their displayname after it has