Merge branch 'master' into pub.solar

docs/maintenance-synapse.md

@@ -14,7 +14,7 @@ Table of contents:
 
 ## Purging old data with the Purge History API
 
-You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.
+You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.
 
 To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element).
 Alternatively, you can log in and obtain a new access token like this:
@@ -27,7 +27,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login
 
 Synapse's Admin API is not exposed to the internet by default. To expose it you will need to add `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` to your `vars.yml` file.
 
-Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions.
+Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md) documentation page for the actual purging instructions.
 
 After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql).
 

docs/self-building.md

@@ -26,6 +26,7 @@ List of roles where self-building the Docker image is currently possible:
 - `matrix-bridge-mautrix-hangouts`
 - `matrix-bridge-mautrix-telegram`
 - `matrix-bridge-mx-puppet-skype`
+- `matrix-bot-mjolnir`
 
 Adding self-building support to other roles is welcome. Feel free to contribute!
 

group_vars/matrix_servers

@@ -851,6 +851,8 @@ matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en
 # We don't enable bots by default.
 matrix_bot_mjolnir_enabled: false
 
+matrix_bot_mjolnir_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
+
 matrix_bot_mjolnir_systemd_required_services_list: |
   {{
     ['docker.service']
@@ -1472,7 +1474,7 @@ matrix_postgres_additional_databases: |
       'username': matrix_prometheus_postgres_exporter_database_username,
       'password': matrix_prometheus_postgres_exporter_database_password,
     }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else [])
-   
+
    }}
 
 matrix_postgres_import_roles_to_ignore: |
@@ -1669,16 +1671,23 @@ matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
 
 # Even if TURN doesn't support TLS (it does by default),
 # it doesn't hurt to try a secure connection anyway.
+#
+# When Let's Encrypt certificates are used (the default case),
+# we don't enable `turns` endpoints, because WebRTC in Element can't talk to them.
+# Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145
 matrix_synapse_turn_uris: |
   {{
+    []
+    +
     [
       'turns:' + matrix_server_fqn_matrix + '?transport=udp',
       'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
+    ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else []
+    +
+    [
       'turn:' + matrix_server_fqn_matrix + '?transport=udp',
       'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
-    ]
-    if matrix_coturn_enabled
-    else []
+    ] if matrix_coturn_enabled else []
   }}
 
 matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"

roles/matrix-awx/tasks/set_variables_synapse.yml

@@ -1,13 +1,13 @@
 
-- name: Limit max upload size to 100MB part 1
+- name: Limit max upload size to 200MB part 1
   set_fact:
-    matrix_synapse_max_upload_size_mb: "100"
-  when: matrix_synapse_max_upload_size_mb_raw|int >= 100
+    matrix_synapse_max_upload_size_mb: "200"
+  when: matrix_synapse_max_upload_size_mb_raw|int >= 200
 
-- name: Limit max upload size to 100MB part 2
+- name: Limit max upload size to 200MB part 2
   set_fact:
     matrix_synapse_max_upload_size_mb: "{{ matrix_synapse_max_upload_size_mb_raw }}"
-  when: matrix_synapse_max_upload_size_mb_raw|int < 100
+  when: matrix_synapse_max_upload_size_mb_raw|int < 200
 
 - name: Record Synapse variables locally on AWX
   delegate_to: 127.0.0.1

roles/matrix-bot-mjolnir/defaults/main.yml

@@ -2,13 +2,21 @@
 # See: https://github.com/matrix-org/mjolnir
 
 matrix_bot_mjolnir_enabled: true
-matrix_bot_mjolnir_version: "v0.1.17"
-matrix_bot_mjolnir_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}"
+
+matrix_bot_mjolnir_version: "v0.1.18"
+
+matrix_bot_mjolnir_container_image_self_build: false
+matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"
+
+matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}"
+matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}"
+
 matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}"
 
 matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir"
 matrix_bot_mjolnir_config_path: "{{ matrix_bot_mjolnir_base_path }}/config"
 matrix_bot_mjolnir_data_path: "{{ matrix_bot_mjolnir_base_path }}/data"
+matrix_bot_mjolnir_docker_src_files_path: "{{ matrix_bot_mjolnir_base_path }}/docker-src"
 
 # A list of extra arguments to pass to the container
 matrix_bot_mjolnir_container_extra_arguments: []

roles/matrix-bot-mjolnir/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Mjolnir image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_bot_mjolnir_container_image_self_build and matrix_bot_mjolnir_enabled"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-mjolnir.service'] }}"
   when: matrix_bot_mjolnir_enabled|bool

roles/matrix-bot-mjolnir/tasks/setup_install.yml

@@ -14,14 +14,36 @@
     - { path: "{{ matrix_bot_mjolnir_base_path }}", when: true }
     - { path: "{{ matrix_bot_mjolnir_config_path }}", when: true }
     - { path: "{{ matrix_bot_mjolnir_data_path }}", when: true }
+    - { path: "{{ matrix_bot_mjolnir_docker_src_files_path }}", when: "{{ matrix_bot_mjolnir_container_image_self_build }}" }
   when: "item.when|bool"
 
-- name: Ensure mjolnir image is pulled
+- name: Ensure mjolnir Docker image is pulled
   docker_image:
     name: "{{ matrix_bot_mjolnir_docker_image }}"
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_bot_mjolnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_mjolnir_docker_image_force_pull }}"
+  when: "not matrix_bot_mjolnir_container_image_self_build|bool"
+
+- name: Ensure mjolnir repository is present on self-build
+  git:
+    repo: "{{ matrix_bot_mjolnir_container_image_self_build_repo }}"
+    dest: "{{ matrix_bot_mjolnir_docker_src_files_path }}"
+    version: "{{ matrix_bot_mjolnir_docker_image.split(':')[1] }}"
+    force: "yes"
+  register: matrix_bot_mjolnir_git_pull_results
+  when: "matrix_bot_mjolnir_container_image_self_build|bool"
+
+- name: Ensure mjolnir Docker image is built
+  docker_image:
+    name: "{{ matrix_bot_mjolnir_docker_image }}"
+    source: build
+    force_source: "{{ matrix_bot_mjolnir_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_bot_mjolnir_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_bot_mjolnir_container_image_self_build|bool"
 
 - name: Ensure matrix-bot-mjolnir config installed
   copy:

roles/matrix-bridge-appservice-irc/defaults/main.yml

@@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false
 matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
 matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"
 
-matrix_appservice_irc_version: release-0.26.1
+matrix_appservice_irc_version: release-0.27.0
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
 

roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml

@@ -7,7 +7,7 @@
 
 - name: Ensure matrix-heisenbridge is stopped
   service:
-    name: heisenbridge
+    name: matrix-heisenbridge
     state: stopped
     daemon_reload: yes
   when: "matrix_heisenbridge_service_stat.stat.exists"

roles/matrix-bridge-mautrix-facebook/tasks/init.yml

@@ -21,10 +21,3 @@
       +
       {{ ["/matrix-mautrix-facebook-registration.yaml"] }}
   when: matrix_mautrix_facebook_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build"

roles/matrix-bridge-mautrix-hangouts/tasks/init.yml

@@ -67,10 +67,3 @@
       URL endpoint to the matrix-mautrix-hangouts container.
       You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable.
   when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)"
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build"

roles/matrix-bridge-mautrix-instagram/tasks/init.yml

@@ -21,10 +21,3 @@
       +
       {{ ["/matrix-mautrix-instagram-registration.yaml"] }}
   when: matrix_mautrix_instagram_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build"

roles/matrix-bridge-mx-puppet-discord/tasks/init.yml

@@ -21,10 +21,3 @@
       +
       {{ ["/matrix-mx-puppet-discord-registration.yaml"] }}
   when: matrix_mx_puppet_discord_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build"

roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml

@@ -21,10 +21,3 @@
       +
       {{ ["/matrix-mx-puppet-groupme-registration.yaml"] }}
   when: matrix_mx_puppet_groupme_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build"

roles/matrix-bridge-mx-puppet-skype/tasks/init.yml

@@ -21,10 +21,3 @@
       +
       {{ ["/matrix-mx-puppet-skype-registration.yaml"] }}
   when: matrix_mx_puppet_skype_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build"

roles/matrix-bridge-mx-puppet-slack/tasks/init.yml

@@ -68,10 +68,3 @@
       URL endpoint to the matrix-mx-puppet-slack container.
       You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable.
   when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined"
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build"

roles/matrix-bridge-mx-puppet-steam/tasks/init.yml

@@ -21,10 +21,3 @@
       +
       {{ ["/matrix-mx-puppet-steam-registration.yaml"] }}
   when: matrix_mx_puppet_steam_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build"

roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml

@@ -68,10 +68,3 @@
       URL endpoint to the matrix-mx-puppet-twitter container.
       You can expose the container's port using the `matrix_mx_puppet_twitter_container_http_host_bind_port` variable.
   when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined"
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build"

roles/matrix-coturn/defaults/main.yml

@@ -2,7 +2,7 @@ matrix_coturn_enabled: true
 
 matrix_coturn_container_image_self_build: false
 matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
-matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r2"
+matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
 
 matrix_coturn_version: 4.5.2-r2

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2

@@ -12,7 +12,7 @@
 	add_header X-Content-Type-Options nosniff;
 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
 	add_header X-Frame-Options SAMEORIGIN;
-	add_header Content-Security-Policy "frame-ancestors 'none'";
+	add_header Content-Security-Policy "frame-ancestors 'self'";
 
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;

roles/matrix-postgres/defaults/main.yml

@@ -17,11 +17,11 @@ matrix_postgres_architecture: amd64
 # > LOG:  startup process (PID 37) was terminated by signal 11: Segmentation fault
 matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}"
 
-matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}"
-matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.16{{ matrix_postgres_docker_image_suffix }}"
-matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.11{{ matrix_postgres_docker_image_suffix }}"
-matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.6{{ matrix_postgres_docker_image_suffix }}"
-matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.2{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.22{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.17{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.12{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.7{{ matrix_postgres_docker_image_suffix }}"
+matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.3{{ matrix_postgres_docker_image_suffix }}"
 matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}"
 
 # This variable is assigned at runtime. Overriding its value has no effect.

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.36.0
-matrix_synapse_version_arm64: v1.36.0
+matrix_synapse_version: v1.37.1
+matrix_synapse_version_arm64: v1.37.1
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 

roles/matrix-synapse/tasks/main.yml

@@ -3,7 +3,7 @@
     - always
 
 - import_tasks: "{{ role_path }}/tasks/validate_config.yml"
-  when: run_setup|bool
+  when: run_setup|bool and matrix_synapse_enabled|bool
   tags:
     - setup-all
     - setup-synapse

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -7,6 +7,22 @@
 #
 # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
 
+
+## Modules ##
+
+# Server admins can expand Synapse's functionality with external modules.
+#
+# See https://matrix-org.github.io/synapse/develop/modules.html for more
+# documentation on how to configure or create custom modules for Synapse.
+#
+modules:
+    # - module: my_super_module.MySuperClass
+    #   config:
+    #       do_thing: true
+    # - module: my_other_super_module.SomeClass
+    #   config: {}
+
+
 ## Server ##
 
 # The public-facing domain of the server
@@ -574,13 +590,9 @@ retention:
 # This certificate, as of Synapse 1.0, will need to be a valid and verifiable
 # certificate, signed by a recognised Certificate Authority.
 #
-# See 'ACME support' below to enable auto-provisioning this certificate via
-# Let's Encrypt.
-#
-# If supplying your own, be sure to use a `.pem` file that includes the
-# full certificate chain including any intermediate certificates (for
-# instance, if using certbot, use `fullchain.pem` as your certificate,
-# not `cert.pem`).
+# Be sure to use a `.pem` file that includes the full certificate chain including
+# any intermediate certificates (for instance, if using certbot, use
+# `fullchain.pem` as your certificate, not `cert.pem`).
 #
 tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }}
 
@@ -631,80 +643,6 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }}
 #  - myCA2.pem
 #  - myCA3.pem
 
-# ACME support: This will configure Synapse to request a valid TLS certificate
-# for your configured `server_name` via Let's Encrypt.
-#
-# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
-# ACME v2. This means that this feature currently won't work with installs set
-# up after November 2019. For more info, and alternative solutions, see
-# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
-#
-# Note that provisioning a certificate in this way requires port 80 to be
-# routed to Synapse so that it can complete the http-01 ACME challenge.
-# By default, if you enable ACME support, Synapse will attempt to listen on
-# port 80 for incoming http-01 challenges - however, this will likely fail
-# with 'Permission denied' or a similar error.
-#
-# There are a couple of potential solutions to this:
-#
-#  * If you already have an Apache, Nginx, or similar listening on port 80,
-#    you can configure Synapse to use an alternate port, and have your web
-#    server forward the requests. For example, assuming you set 'port: 8009'
-#    below, on Apache, you would write:
-#
-#    ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
-#
-#  * Alternatively, you can use something like `authbind` to give Synapse
-#    permission to listen on port 80.
-#
-acme:
-    # ACME support is disabled by default. Uncomment the following line
-    # (and tls_certificate_path and tls_private_key_path above) to enable it.
-    #
-    #enabled: true
-
-    # Endpoint to use to request certificates. If you only want to test,
-    # use Let's Encrypt's staging url:
-    #     https://acme-staging.api.letsencrypt.org/directory
-    #
-    #url: https://acme-v01.api.letsencrypt.org/directory
-
-    # Port number to listen on for the HTTP-01 challenge. Change this if
-    # you are forwarding connections through Apache/Nginx/etc.
-    #
-    #port: 80
-
-    # Local addresses to listen on for incoming connections.
-    # Again, you may want to change this if you are forwarding connections
-    # through Apache/Nginx/etc.
-    #
-    #bind_addresses: ['::', '0.0.0.0']
-
-    # How many days remaining on a certificate before it is renewed.
-    #
-    #reprovision_threshold: 30
-
-    # The domain that the certificate should be for. Normally this
-    # should be the same as your Matrix domain (i.e., 'server_name'), but,
-    # by putting a file at 'https://<server_name>/.well-known/matrix/server',
-    # you can delegate incoming traffic to another server. If you do that,
-    # you should give the target of the delegation here.
-    #
-    # For example: if your 'server_name' is 'example.com', but
-    # 'https://example.com/.well-known/matrix/server' delegates to
-    # 'matrix.example.com', you should put 'matrix.example.com' here.
-    #
-    # If not set, defaults to your 'server_name'.
-    #
-    #domain: matrix.example.com
-
-    # file to use for the account key. This will be generated if it doesn't
-    # exist.
-    #
-    # If unspecified, we will use CONFDIR/client.key.
-    #
-    #account_key_file: /data/acme_account.key
-
 
 ## Federation ##
 
@@ -957,6 +895,10 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire
 
 # The largest allowed upload size in bytes
 #
+# If you are using a reverse proxy you may also need to set this value in
+# your reverse proxy's config. Notably Nginx has a small max body size by default.
+# See https://matrix-org.github.io/synapse/develop/reverse_proxy.html.
+#
 max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M"
 
 # Maximum number of pixels that will be thumbnailed
@@ -2045,6 +1987,17 @@ sso:
     #  - https://riot.im/develop
     #  - https://my.custom.client/
 
+    # Uncomment to keep a user's profile fields in sync with information from
+    # the identity provider. Currently only syncing the displayname is
+    # supported. Fields are checked on every SSO login, and are updated
+    # if necessary.
+    #
+    # Note that enabling this option will override user profile information,
+    # regardless of whether users have opted-out of syncing that
+    # information when first signing in. Defaults to false.
+    #
+    #update_profile_information: true
+
     # Directory in which Synapse will try to find the template files below.
     # If not set, or the files named below are not found within the template
     # directory, default templates from within the Synapse package will be used.
@@ -2326,6 +2279,10 @@ ui_auth:
     # the user-interactive authentication process, by allowing for multiple
     # (and potentially different) operations to use the same validation session.
     #
+    # This is ignored for potentially "dangerous" operations (including
+    # deactivating an account, modifying an account password, and
+    # adding a 3PID).
+    #
     # Uncomment below to allow for credential validation to last for 15
     # seconds.
     #