From 8624cf4a57be11acd0d9803844dd57ea65c2257f Mon Sep 17 00:00:00 2001
From: Ciaran Ainsworth
Date: Fri, 26 Apr 2019 14:11:40 +0100
Subject: [PATCH 01/12] Fixed default url preview settings

---
 .../templates/synapse/homeserver.yaml.j2 | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 41649e5c..4c8b9654 100644
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -525,7 +525,7 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M"
 # an explicit url_preview_ip_range_blacklist of IPs that the spider is
 # denied from accessing.
 #
-#url_preview_enabled: false
+url_preview_enabled: true
 # List of IP address CIDR ranges that the URL preview spider is denied
 # from accessing. There are no defaults: you must explicitly
@@ -534,18 +534,18 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M"
 # to connect to, otherwise anyone in any Matrix room could cause your
 # synapse to issue arbitrary GET requests to your internal services,
 # causing serious security issues.
-#
-#url_preview_ip_range_blacklist:
-# - '127.0.0.0/8'
-# - '10.0.0.0/8'
-# - '172.16.0.0/12'
-# - '192.168.0.0/16'
-# - '100.64.0.0/10'
-# - '169.254.0.0/16'
-# - '::1/128'
-# - 'fe80::/64'
-# - 'fc00::/7'
-#
+
+url_preview_ip_range_blacklist: - '127.0.0.0/8' - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' - '100.64.0.0/10' - '169.254.0.0/16' - '::1/128' - 'fe80::/64' - 'fc00::/7'
+
 # List of IP address CIDR ranges that the URL preview spider is allowed
 # to access even if they are specified in url_preview_ip_range_blacklist.
 # This is useful for specifying exceptions to wide-ranging blacklisted
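Review bot: The url_preview_ip_range_blacklist added in the second hunk is hard-coded in the template, so a deployer whose services live in an internal range not on this list has no role variable to extend it, while the first hunk's `url_preview_enabled: true` makes the spider fetch whatever URLs room members post; as the surrounding comment says, this list is what keeps those fetches away from internal services. Consider driving it from a defaults variable that carries this list as its default, rendered as `url_preview_ip_range_blacklist: {{ matrix_synapse_url_preview_ip_range_blacklist|to_json }}` (proposed name). The same hard-coding applies to `max_spider_size: 10M` in the next hunk. Leaving url_preview_ip_range_whitelist commented out keeps the blacklist unconditional, which is the safe default.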
@@ -590,8 +590,8 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M"
 # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
 # The largest allowed URL preview spidering size in bytes
-#
-#max_spider_size: 10M
+
+max_spider_size: 10M
 ## Captcha ##

From 6aa6633ee7052010d7f087488584bf9ea50115a2 Mon Sep 17 00:00:00 2001
From: Hugues De Keyzer
Date: Sat, 27 Apr 2019 21:54:21 +0200
Subject: [PATCH 02/12] Fix value of nginx-proxy tmpfs size

Use an int conversion in the computation of the value of matrix_nginx_proxy_tmp_directory_size_mb, to have the integer value multiplied by 50 instead of having the string repeated 50 times.
---
 roles/matrix-nginx-proxy/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 674757f9..beb0850e 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -92,7 +92,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_c
 matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
-matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb * 50 }}"
+matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
 # A list of strings containing additional configuration blocks to add to the matrix domain's server configuration.
 matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []

From 1e344d5a7ab382b9cfbe67ce78523deb1f5c9495 Mon Sep 17 00:00:00 2001
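Review bot: The `| int` cast on the new matrix_nginx_proxy_tmp_directory_size_mb line fixes the string repetition, but Jinja's `int` filter returns 0 for a value it cannot parse, so a mistyped override of the max-body-size variable now silently yields a tmpfs size of `0` instead of an error; an `assert` task checking that the variable is numeric before the role mounts the tmpfs would surface that. The same pattern is introduced for matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb in patch 12/12 of this series. The rendered result is still a quoted string, so any consumer that compares it numerically has to cast again.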
From: Hugues De Keyzer
Date: Sat, 27 Apr 2019 22:12:05 +0200
Subject: [PATCH 03/12] Remove hardcoded values in matrix-remove-all

Use matrix_docker_network and matrix_base_data_path in matrix-remove-all instead of hardcoded default values.
---
 .../templates/usr-local-bin/matrix-remove-all.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2
index fc1ab5ba..9fad37d9 100644
--- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2
+++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2
@@ -26,9 +26,9 @@ else
 echo "Remove every docker images"
 docker rmi $(docker images -aq)
 echo "Remove docker matrix network"
- docker network rm matrix
- echo "Remove /matrix directory"
- rm -fr /matrix
+ docker network rm {{ matrix_docker_network }}
+ echo "Remove {{ matrix_base_data_path }} directory"
+ rm -fr "{{ matrix_base_data_path }}"
 exit 0
 fi

From ed442af96f354713696e10804cb20998a555ee1d Mon Sep 17 00:00:00 2001
From: Aaron Raimist
Date: Sat, 27 Apr 2019 16:28:40 -0500
Subject: [PATCH 04/12] Update mxisd (1.3.1 -> 1.4.1)

---
 roles/matrix-mxisd/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml
index cb83674c..441a49cc 100644
--- a/roles/matrix-mxisd/defaults/main.yml
+++ b/roles/matrix-mxisd/defaults/main.yml
@@ -1,6 +1,6 @@
 matrix_mxisd_enabled: true
-matrix_mxisd_docker_image: "kamax/mxisd:1.3.1"
+matrix_mxisd_docker_image: "kamax/mxisd:1.4.1"
 matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
 matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
 matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"

From 5586eaddefca72cf73425d6d8867e2f8686ef322 Mon Sep 17 00:00:00 2001
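Review bot: `docker network rm {{ matrix_docker_network }}` leaves the templated network name unquoted while the path two lines below is quoted; for consistency, and so that a name containing whitespace or glob characters cannot be word-split by the shell, quote it as `docker network rm "{{ matrix_docker_network }}"`. The `if`/`else` block these lines sit in starts outside the hunk.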
From: Aaron Raimist
Date: Thu, 25 Apr 2019 16:27:45 -0500
Subject: [PATCH 05/12] Set Riot's enable_presence_by_hs_url to false if presence is disabled

---
 roles/matrix-riot-web/templates/config.json.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2
index 9477e53c..207b58fd 100644
--- a/roles/matrix-riot-web/templates/config.json.j2
+++ b/roles/matrix-riot-web/templates/config.json.j2
@@ -14,6 +14,11 @@
 "servers": {{ matrix_riot_web_roomdir_servers|to_json }}
 },
 "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }},
+ {% if matrix_synapse_use_presence|to_json %}
+ "enable_presence_by_hs_url": {
+ {{ matrix_riot_web_default_hs_url|to_json }}: false
+ },
+ {% endif %}
 "embeddedPages": {
 "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|to_json }}
 }

From e42fe4b18c81f891c56eb5257f60dc95c36e9166 Mon Sep 17 00:00:00 2001
From: Aaron Raimist
Date: Sat, 27 Apr 2019 17:09:21 -0500
Subject: [PATCH 06/12] Include Slavi's improvements to keep roles independent

---
 group_vars/matrix-servers | 7 +++++++
 roles/matrix-riot-web/defaults/main.yml | 3 +++
 roles/matrix-riot-web/templates/config.json.j2 | 6 ++----
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers
index facf1b84..6f104892 100755
--- a/group_vars/matrix-servers
+++ b/group_vars/matrix-servers
@@ -321,6 +321,13 @@ matrix_riot_web_self_check_validate_certificates: "{{ false if matrix_ssl_retrie
 matrix_riot_web_registration_enabled: "{{ matrix_synapse_enable_registration }}"
+matrix_riot_web_enable_presence_by_hs_url: |
+ {{
+ none
+ if matrix_synapse_use_presence
+ else {matrix_riot_web_default_hs_url: false}
+ }}
+
 ######################################################################
 #
 # /matrix-riot-web
diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml
index b1112eee..e17663b0 100644
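Review bot: `{% if matrix_synapse_use_presence|to_json %}` on the first added line is always true, because `to_json` turns a false value into the non-empty string `false`, which Jinja treats as truthy, so enable_presence_by_hs_url is emitted (set to false) whether presence is enabled or not. Dropping the filter and negating, `{% if not matrix_synapse_use_presence %}`, matches the commit subject, which says the key is set when presence is disabled. The condition also makes the riot-web role read a matrix-synapse variable; patch 06/12 in this series replaces it with a role-local variable.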
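Review bot: The block scalar for matrix_riot_web_enable_presence_by_hs_url renders to the text `None` or a Python dict literal, so the template's later `is not none` test only works if Ansible converts that rendered text back into a native value, which this hunk cannot show; a comment above the key such as `# Rendered text is re-evaluated by Ansible into None or a dict; see #151` would record that reliance for the next reader. The `|` header also keeps a trailing newline in the rendered text, so `|-` would avoid depending on it being stripped before that conversion.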
--- a/roles/matrix-riot-web/defaults/main.yml
+++ b/roles/matrix-riot-web/defaults/main.yml
@@ -31,3 +31,6 @@ matrix_riot_web_self_check_validate_certificates: true
 # don't show the registration button on welcome page
 matrix_riot_web_registration_enabled: false
+
+# Controls whether Riot shows the presence features
+matrix_riot_web_enable_presence_by_hs_url: ~
diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2
index 207b58fd..477fe4da 100644
--- a/roles/matrix-riot-web/templates/config.json.j2
+++ b/roles/matrix-riot-web/templates/config.json.j2
@@ -14,10 +14,8 @@
 "servers": {{ matrix_riot_web_roomdir_servers|to_json }}
 },
 "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }},
- {% if matrix_synapse_use_presence|to_json %}
- "enable_presence_by_hs_url": {
- {{ matrix_riot_web_default_hs_url|to_json }}: false
- },
+ {% if matrix_riot_web_enable_presence_by_hs_url is not none %}
+ "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|to_json }},
 {% endif %}
 "embeddedPages": {
 "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|to_json }}

From 00ec22688aee5840bfdfa96348a9de402433c3b7 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 28 Apr 2019 10:15:46 +0300
Subject: [PATCH 07/12] Upgrade mxisd (1.4.1 -> 1.4.2)

Looks like we may not have to do this, since 1.4.2 fixes edge cases for people who used the broken 1.4.0 release. We jumped straight to 1.4.1, so maybe we're okay. Still, upgrading anyway, just in case.
---
 roles/matrix-mxisd/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml
index 441a49cc..caaccfd0 100644
--- a/roles/matrix-mxisd/defaults/main.yml
+++ b/roles/matrix-mxisd/defaults/main.yml
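Review bot: `matrix_riot_web_enable_presence_by_hs_url: ~` spells the null with a tilde; `null` is the clearer form and reads unambiguously next to the comment, `matrix_riot_web_enable_presence_by_hs_url: null`. The comment could also state the shape of a non-null value, since the template emits it verbatim through `to_json` and the group_vars override in this commit builds a mapping of homeserver URL to boolean: `# null leaves Riot's default; otherwise a mapping of homeserver URL to a boolean (false hides presence)`.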
@@ -1,6 +1,6 @@
 matrix_mxisd_enabled: true
-matrix_mxisd_docker_image: "kamax/mxisd:1.4.1"
+matrix_mxisd_docker_image: "kamax/mxisd:1.4.2"
 matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
 matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
 matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"

From 7c246b4a99c4c9e748476ce478149a88e3e70eef Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 28 Apr 2019 11:02:13 +0300
Subject: [PATCH 08/12] Make error about unset matrix_ssl_lets_encrypt_support_email more descriptive

Previously, we'd show an error like this: {"changed": false, "item": null, "msg": "Detected an undefined required variable"} .. which didn't mention the variable name (`matrix_ssl_lets_encrypt_support_email`).
---
 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
index 771081b1..629f24c7 100644
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
@@ -30,8 +30,8 @@
 fail:
 msg: "Detected an undefined required variable"
 with_items:
- - "{{ matrix_ssl_lets_encrypt_support_email }}"
- when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item is none"
+ - "matrix_ssl_lets_encrypt_support_email"
+ when: "matrix_ssl_retrieval_method == 'lets-encrypt' and vars[item] is none"
 - name: Ensure certbot Docker image is pulled
 docker_image:

From 3387035400ab7cc2f588fb096cfac446f2b25d10 Mon Sep 17 00:00:00 2001
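Review bot: The `fail` message on the unchanged context line `msg: "Detected an undefined required variable"` still does not name the variable; the name is now available as `item`, so `msg: "Detected an undefined required variable: {{ item }}"` puts it in the message itself rather than only in the `item` field of the task output. Note that `vars[item]` raises rather than reporting `none` if the variable is not defined at all, which is fine here as long as the role declares it with a null default (not visible in this hunk), but worth a comment if further names are added to the list.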
From: Slavi Pantaleev
Date: Mon, 29 Apr 2019 08:51:03 +0300
Subject: [PATCH 09/12] Enable Native Python Types for Jinja2

Helps with #151 (Github Pull Request), but only for Ansible >= 2.7 and when Jinja >= 2.10 is in use. For other version combinations we still need the workaround proposed in the pull rqeuest.
---
 ansible.cfg | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ansible.cfg b/ansible.cfg
index 48bc18c4..4f7b0e99 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,2 +1,4 @@
 [defaults]
 retry_files_enabled = False
+# jinja2_native helps with problems like https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/151
+jinja2_native = True

From 5be1d50b3ad1f51ed523a1224c8c9ab128aae034 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 29 Apr 2019 09:07:05 +0300
Subject: [PATCH 10/12] Revert "Enable Native Python Types for Jinja2"

This reverts commit 3387035400ab7cc2f588fb096cfac446f2b25d10.

Enabling `jinja2_native` does help with the issue it is trying to address - #151 (Github Pull Request), but it introduces a regression when generating templates.

An example is `roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2`, which yields a strange resulting value of:

```
location /.well-known/acme-challenge {
 resolver 127.0.0.11 valid=5s;
 set $backend "matrix-certbot:8080";
 proxy_pass http://$backend;
 resolver 127.0.0.11 valid=5s;
 set $backend "matrix-certbot:8080";
 proxy_pass http://$backend;
}
```

For whatever reason (still to be investigated), the `if` block's contents seem to have been outputted twice.

Reverting until this is resolved. Until then, #151 would rely on the workaround and not on `jinja2_native`.
---
 ansible.cfg | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ansible.cfg b/ansible.cfg
index 4f7b0e99..48bc18c4 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,4 +1,2 @@
 [defaults]
 retry_files_enabled = False
-# jinja2_native helps with problems like https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/151
-jinja2_native = True

From bf77f776a2f9578eeac6b81b159ba5959718c9ac Mon Sep 17 00:00:00 2001
From: Sylvia van Os
Date: Tue, 30 Apr 2019 11:55:31 +0200
Subject: [PATCH 11/12] Add variable to disable homeserver url preview

---
 roles/matrix-synapse/defaults/main.yml | 4 ++++
 roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index 8edc6b62..ee454b5a 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -167,6 +167,10 @@ matrix_synapse_password_providers_enabled: false
 # to load message content directly from the homeserver.
 matrix_synapse_push_include_content: true
+# If url previews should be generated. This will cause a request from Synapse to
+# URLs shared by users.
+matrix_synapse_url_preview_enabled: true
+
 # Enable exposure of metrics to Prometheus
 # See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.rst
 matrix_synapse_metrics_enabled: false
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 4c8b9654..c5edf9b1 100644
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -525,7 +525,7 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M"
 # an explicit url_preview_ip_range_blacklist of IPs that the spider is
 # denied from accessing.
 #
-url_preview_enabled: true
+url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }}
 # List of IP address CIDR ranges that the URL preview spider is denied
 # from accessing. There are no defaults: you must explicitly
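Review bot: The new comment on matrix_synapse_url_preview_enabled describes the request but not the exposure the template's own text warns about: with previews on, Synapse fetches URLs posted by any room member, and the url_preview_ip_range_blacklist in homeserver.yaml.j2 is what keeps those fetches away from internal addresses. Suggest `# Whether Synapse should generate URL previews. When enabled, Synapse fetches URLs posted by users;` followed by `# url_preview_ip_range_blacklist in homeserver.yaml.j2 limits which addresses the spider may reach.` Rendering the value through `to_json` in the second hunk yields a proper YAML boolean, so no quoting is needed there.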
@@ -1169,4 +1169,4 @@ alias_creation_rules: {{ matrix_alias_creation_rules|to_json }}
 # room_id: "*"
 # action: allow
-room_list_publication_rules: {{ matrix_room_list_publication_rules|to_json }}
\ No newline at end of file
+room_list_publication_rules: {{ matrix_room_list_publication_rules|to_json }}

From 0e391b5870e4f6d4b88b7076ab2577f3e0f4e9b6 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 30 Apr 2019 18:25:57 +0300
Subject: [PATCH 12/12] Add explicit |int casting for more variables

As discussed in #151 (Github Pull Request), it's a good idea to not selectively apply casting, but to do it in all cases involving arithmetic operations.
---
 roles/matrix-nginx-proxy/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index beb0850e..2c99c84f 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -87,7 +87,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
 matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
 matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048"
-matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 3 }}"
+matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
 matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
 matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"