Merge branch 'master' into pub.solar

2021-07-03 16:06:42 +02:00 · 2021-07-03 16:06:42 +02:00 · 67b1b33d39
commit 67b1b33d39
parent 02d578bfa9 b6d71b9da1
24 changed files with 111 additions and 170 deletions
--- a/docs/maintenance-synapse.md
+++ b/docs/maintenance-synapse.md
@ -14,7 +14,7 @@ Table of contents:

 ## Purging old data with the Purge History API

-You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.
+You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.

 To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element).
 Alternatively, you can log in and obtain a new access token like this:
@ -27,7 +27,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login

 Synapse's Admin API is not exposed to the internet by default. To expose it you will need to add `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` to your `vars.yml` file.

-Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions.
+Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md) documentation page for the actual purging instructions.

 After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql).

--- a/docs/self-building.md
+++ b/docs/self-building.md
@ -26,6 +26,7 @@ List of roles where self-building the Docker image is currently possible:
 - `matrix-bridge-mautrix-hangouts`
 - `matrix-bridge-mautrix-telegram`
 - `matrix-bridge-mx-puppet-skype`
+- `matrix-bot-mjolnir`

 Adding self-building support to other roles is welcome. Feel free to contribute!

--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -851,6 +851,8 @@ matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en
 # We don't enable bots by default.
 matrix_bot_mjolnir_enabled: false

+matrix_bot_mjolnir_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
+
 matrix_bot_mjolnir_systemd_required_services_list: |
  {{
    ['docker.service']
@ -1472,7 +1474,7 @@ matrix_postgres_additional_databases: |
      'username': matrix_prometheus_postgres_exporter_database_username,
      'password': matrix_prometheus_postgres_exporter_database_password,
    }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else [])
-   
+
   }}

 matrix_postgres_import_roles_to_ignore: |
@ -1669,16 +1671,23 @@ matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"

 # Even if TURN doesn't support TLS (it does by default),
 # it doesn't hurt to try a secure connection anyway.
+#
+# When Let's Encrypt certificates are used (the default case),
+# we don't enable `turns` endpoints, because WebRTC in Element can't talk to them.
+# Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145
 matrix_synapse_turn_uris: |
  {{
+    []
+    +
    [
      'turns:' + matrix_server_fqn_matrix + '?transport=udp',
      'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
+    ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else []
+    +
+    [
      'turn:' + matrix_server_fqn_matrix + '?transport=udp',
      'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
-    ]
-    if matrix_coturn_enabled
-    else []
+    ] if matrix_coturn_enabled else []
  }}

 matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
--- a/roles/matrix-awx/tasks/set_variables_synapse.yml
+++ b/roles/matrix-awx/tasks/set_variables_synapse.yml
@ -1,13 +1,13 @@

- name: Limit max upload size to 100MB part 1
+- name: Limit max upload size to 200MB part 1
  set_fact:
-    matrix_synapse_max_upload_size_mb: "100"
-  when: matrix_synapse_max_upload_size_mb_raw|int >= 100
+    matrix_synapse_max_upload_size_mb: "200"
+  when: matrix_synapse_max_upload_size_mb_raw|int >= 200

- name: Limit max upload size to 100MB part 2
+- name: Limit max upload size to 200MB part 2
  set_fact:
    matrix_synapse_max_upload_size_mb: "{{ matrix_synapse_max_upload_size_mb_raw }}"
-  when: matrix_synapse_max_upload_size_mb_raw|int < 100
+  when: matrix_synapse_max_upload_size_mb_raw|int < 200

 - name: Record Synapse variables locally on AWX
  delegate_to: 127.0.0.1
--- a/roles/matrix-bot-mjolnir/defaults/main.yml
+++ b/roles/matrix-bot-mjolnir/defaults/main.yml
@ -2,13 +2,21 @@
 # See: https://github.com/matrix-org/mjolnir

 matrix_bot_mjolnir_enabled: true
-matrix_bot_mjolnir_version: "v0.1.17"
-matrix_bot_mjolnir_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}"
+
+matrix_bot_mjolnir_version: "v0.1.18"
+
+matrix_bot_mjolnir_container_image_self_build: false
+matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"
+
+matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}"
+matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}"
+
 matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}"

 matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir"
 matrix_bot_mjolnir_config_path: "{{ matrix_bot_mjolnir_base_path }}/config"
 matrix_bot_mjolnir_data_path: "{{ matrix_bot_mjolnir_base_path }}/data"
+matrix_bot_mjolnir_docker_src_files_path: "{{ matrix_bot_mjolnir_base_path }}/docker-src"

 # A list of extra arguments to pass to the container
 matrix_bot_mjolnir_container_extra_arguments: []
--- a/roles/matrix-bot-mjolnir/tasks/init.yml
+++ b/roles/matrix-bot-mjolnir/tasks/init.yml
@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Mjolnir image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_bot_mjolnir_container_image_self_build and matrix_bot_mjolnir_enabled"
+
 - set_fact:
    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-mjolnir.service'] }}"
  when: matrix_bot_mjolnir_enabled|bool
--- a/roles/matrix-bot-mjolnir/tasks/setup_install.yml
+++ b/roles/matrix-bot-mjolnir/tasks/setup_install.yml
@ -14,14 +14,36 @@
    - { path: "{{ matrix_bot_mjolnir_base_path }}", when: true }
    - { path: "{{ matrix_bot_mjolnir_config_path }}", when: true }
    - { path: "{{ matrix_bot_mjolnir_data_path }}", when: true }
+    - { path: "{{ matrix_bot_mjolnir_docker_src_files_path }}", when: "{{ matrix_bot_mjolnir_container_image_self_build }}" }
  when: "item.when|bool"

- name: Ensure mjolnir image is pulled
+- name: Ensure mjolnir Docker image is pulled
  docker_image:
    name: "{{ matrix_bot_mjolnir_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_bot_mjolnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_mjolnir_docker_image_force_pull }}"
+  when: "not matrix_bot_mjolnir_container_image_self_build|bool"
+
+- name: Ensure mjolnir repository is present on self-build
+  git:
+    repo: "{{ matrix_bot_mjolnir_container_image_self_build_repo }}"
+    dest: "{{ matrix_bot_mjolnir_docker_src_files_path }}"
+    version: "{{ matrix_bot_mjolnir_docker_image.split(':')[1] }}"
+    force: "yes"
+  register: matrix_bot_mjolnir_git_pull_results
+  when: "matrix_bot_mjolnir_container_image_self_build|bool"
+
+- name: Ensure mjolnir Docker image is built
+  docker_image:
+    name: "{{ matrix_bot_mjolnir_docker_image }}"
+    source: build
+    force_source: "{{ matrix_bot_mjolnir_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_bot_mjolnir_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_bot_mjolnir_container_image_self_build|bool"

 - name: Ensure matrix-bot-mjolnir config installed
  copy:
--- a/roles/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml
@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false
 matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
 matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"

-matrix_appservice_irc_version: release-0.26.1
+matrix_appservice_irc_version: release-0.27.0
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"

--- a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml
@ -7,7 +7,7 @@

 - name: Ensure matrix-heisenbridge is stopped
  service:
-    name: heisenbridge
+    name: matrix-heisenbridge
    state: stopped
    daemon_reload: yes
  when: "matrix_heisenbridge_service_stat.stat.exists"
--- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml
@ -21,10 +21,3 @@
      +
      {{ ["/matrix-mautrix-facebook-registration.yaml"] }}
  when: matrix_mautrix_facebook_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build"
--- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml
@ -67,10 +67,3 @@
      URL endpoint to the matrix-mautrix-hangouts container.
      You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable.
  when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)"
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build"
--- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml
@ -21,10 +21,3 @@
      +
      {{ ["/matrix-mautrix-instagram-registration.yaml"] }}
  when: matrix_mautrix_instagram_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build"
--- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml
@ -21,10 +21,3 @@
      +
      {{ ["/matrix-mx-puppet-discord-registration.yaml"] }}
  when: matrix_mx_puppet_discord_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build"
--- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml
@ -21,10 +21,3 @@
      +
      {{ ["/matrix-mx-puppet-groupme-registration.yaml"] }}
  when: matrix_mx_puppet_groupme_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build"
--- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
@ -21,10 +21,3 @@
      +
      {{ ["/matrix-mx-puppet-skype-registration.yaml"] }}
  when: matrix_mx_puppet_skype_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build"
--- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
@ -68,10 +68,3 @@
      URL endpoint to the matrix-mx-puppet-slack container.
      You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable.
  when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined"
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build"
--- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml
@ -21,10 +21,3 @@
      +
      {{ ["/matrix-mx-puppet-steam-registration.yaml"] }}
  when: matrix_mx_puppet_steam_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build"
--- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml
@ -68,10 +68,3 @@
      URL endpoint to the matrix-mx-puppet-twitter container.
      You can expose the container's port using the `matrix_mx_puppet_twitter_container_http_host_bind_port` variable.
  when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined"
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build"
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@ -2,7 +2,7 @@ matrix_coturn_enabled: true

 matrix_coturn_container_image_self_build: false
 matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
-matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r2"
+matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"

 matrix_coturn_version: 4.5.2-r2
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
@ -12,7 +12,7 @@
 	add_header X-Content-Type-Options nosniff;
 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
 	add_header X-Frame-Options SAMEORIGIN;
-	add_header Content-Security-Policy "frame-ancestors 'none'";
+	add_header Content-Security-Policy "frame-ancestors 'self'";

 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
--- a/roles/matrix-postgres/defaults/main.yml
+++ b/roles/matrix-postgres/defaults/main.yml
@ -17,11 +17,11 @@ matrix_postgres_architecture: amd64
 # > LOG:  startup process (PID 37) was terminated by signal 11: Segmentation fault
 matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}"

-matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}"
-matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.16{{ matrix_postgres_docker_image_suffix }}"
-matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.11{{ matrix_postgres_docker_image_suffix }}"
-matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.6{{ matrix_postgres_docker_image_suffix }}"
-matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.2{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.22{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.17{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.12{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.7{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.3{{ matrix_postgres_docker_image_suffix }}"
 matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}"

 # This variable is assigned at runtime. Overriding its value has no effect.
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.36.0
-matrix_synapse_version_arm64: v1.36.0
+matrix_synapse_version: v1.37.1
+matrix_synapse_version_arm64: v1.37.1
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

--- a/roles/matrix-synapse/tasks/main.yml
+++ b/roles/matrix-synapse/tasks/main.yml
@ -3,7 +3,7 @@
    - always

 - import_tasks: "{{ role_path }}/tasks/validate_config.yml"
-  when: run_setup|bool
+  when: run_setup|bool and matrix_synapse_enabled|bool
  tags:
    - setup-all
    - setup-synapse
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -7,6 +7,22 @@
 #
 # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html

+
+## Modules ##
+
+# Server admins can expand Synapse's functionality with external modules.
+#
+# See https://matrix-org.github.io/synapse/develop/modules.html for more
+# documentation on how to configure or create custom modules for Synapse.
+#
+modules:
+    # - module: my_super_module.MySuperClass
+    #   config:
+    #       do_thing: true
+    # - module: my_other_super_module.SomeClass
+    #   config: {}
+
+
 ## Server ##

 # The public-facing domain of the server
@ -574,13 +590,9 @@ retention:
 # This certificate, as of Synapse 1.0, will need to be a valid and verifiable
 # certificate, signed by a recognised Certificate Authority.
 #
-# See 'ACME support' below to enable auto-provisioning this certificate via
-# Let's Encrypt.
-#
-# If supplying your own, be sure to use a `.pem` file that includes the
-# full certificate chain including any intermediate certificates (for
-# instance, if using certbot, use `fullchain.pem` as your certificate,
-# not `cert.pem`).
+# Be sure to use a `.pem` file that includes the full certificate chain including
+# any intermediate certificates (for instance, if using certbot, use
+# `fullchain.pem` as your certificate, not `cert.pem`).
 #
 tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }}

@ -631,80 +643,6 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }}
 #  - myCA2.pem
 #  - myCA3.pem

-# ACME support: This will configure Synapse to request a valid TLS certificate
-# for your configured `server_name` via Let's Encrypt.
-#
-# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
-# ACME v2. This means that this feature currently won't work with installs set
-# up after November 2019. For more info, and alternative solutions, see
-# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
-#
-# Note that provisioning a certificate in this way requires port 80 to be
-# routed to Synapse so that it can complete the http-01 ACME challenge.
-# By default, if you enable ACME support, Synapse will attempt to listen on
-# port 80 for incoming http-01 challenges - however, this will likely fail
-# with 'Permission denied' or a similar error.
-#
-# There are a couple of potential solutions to this:
-#
-#  * If you already have an Apache, Nginx, or similar listening on port 80,
-#    you can configure Synapse to use an alternate port, and have your web
-#    server forward the requests. For example, assuming you set 'port: 8009'
-#    below, on Apache, you would write:
-#
-#    ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
-#
-#  * Alternatively, you can use something like `authbind` to give Synapse
-#    permission to listen on port 80.
-#
-acme:
-    # ACME support is disabled by default. Uncomment the following line
-    # (and tls_certificate_path and tls_private_key_path above) to enable it.
-    #
-    #enabled: true
-
-    # Endpoint to use to request certificates. If you only want to test,
-    # use Let's Encrypt's staging url:
-    #     https://acme-staging.api.letsencrypt.org/directory
-    #
-    #url: https://acme-v01.api.letsencrypt.org/directory
-
-    # Port number to listen on for the HTTP-01 challenge. Change this if
-    # you are forwarding connections through Apache/Nginx/etc.
-    #
-    #port: 80
-
-    # Local addresses to listen on for incoming connections.
-    # Again, you may want to change this if you are forwarding connections
-    # through Apache/Nginx/etc.
-    #
-    #bind_addresses: ['::', '0.0.0.0']
-
-    # How many days remaining on a certificate before it is renewed.
-    #
-    #reprovision_threshold: 30
-
-    # The domain that the certificate should be for. Normally this
-    # should be the same as your Matrix domain (i.e., 'server_name'), but,
-    # by putting a file at 'https://<server_name>/.well-known/matrix/server',
-    # you can delegate incoming traffic to another server. If you do that,
-    # you should give the target of the delegation here.
-    #
-    # For example: if your 'server_name' is 'example.com', but
-    # 'https://example.com/.well-known/matrix/server' delegates to
-    # 'matrix.example.com', you should put 'matrix.example.com' here.
-    #
-    # If not set, defaults to your 'server_name'.
-    #
-    #domain: matrix.example.com
-
-    # file to use for the account key. This will be generated if it doesn't
-    # exist.
-    #
-    # If unspecified, we will use CONFDIR/client.key.
-    #
-    #account_key_file: /data/acme_account.key
-

 ## Federation ##

@ -957,6 +895,10 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire

 # The largest allowed upload size in bytes
 #
+# If you are using a reverse proxy you may also need to set this value in
+# your reverse proxy's config. Notably Nginx has a small max body size by default.
+# See https://matrix-org.github.io/synapse/develop/reverse_proxy.html.
+#
 max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M"

 # Maximum number of pixels that will be thumbnailed
@ -2045,6 +1987,17 @@ sso:
    #  - https://riot.im/develop
    #  - https://my.custom.client/

+    # Uncomment to keep a user's profile fields in sync with information from
+    # the identity provider. Currently only syncing the displayname is
+    # supported. Fields are checked on every SSO login, and are updated
+    # if necessary.
+    #
+    # Note that enabling this option will override user profile information,
+    # regardless of whether users have opted-out of syncing that
+    # information when first signing in. Defaults to false.
+    #
+    #update_profile_information: true
+
    # Directory in which Synapse will try to find the template files below.
    # If not set, or the files named below are not found within the template
    # directory, default templates from within the Synapse package will be used.
@ -2326,6 +2279,10 @@ ui_auth:
    # the user-interactive authentication process, by allowing for multiple
    # (and potentially different) operations to use the same validation session.
    #
+    # This is ignored for potentially "dangerous" operations (including
+    # deactivating an account, modifying an account password, and
+    # adding a 3PID).
+    #
    # Uncomment below to allow for credential validation to last for 15
    # seconds.
    #