Merge branch 'master' into pub.solar

pub.solar
teutat3s 2021-01-13 16:20:56 +01:00
commit 8720ab02d2
Signed by: teutat3s
GPG Key ID: 18DAE600A6BBE705
22 changed files with 400 additions and 59 deletions

View File

@ -1,3 +1,25 @@
# 2021-01-08
## (Breaking Change) New SSL configuration
SSL configuration (protocols, ciphers) can now be more easily controlled thanks to us making use of configuration presets.
We define a few presets (old, intermediate, modern), following the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=nginx).
A new variable `matrix_nginx_proxy_ssl_preset` controls which preset is used (defaults to `"intermediate"`).
Compared to before, this changes nginx's `ssl_prefer_server_ciphers` to `off` (used to default to `on`). It also add some more ciphers to the list, giving better performance on mobile devices, and removes some weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md).
To revert to the old behaviour, set the following variables:
```yaml
matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
matrix_nginx_proxy_ssl_prefer_server_ciphers: "on"
```
Just like before, you can still use your own custom protocols by specifying them in `matrix_nginx_proxy_ssl_protocols`. Doing so overrides the values coming from the preset.
# 2021-01-03
## Signal bridging support via mautrix-signal
@ -48,7 +70,6 @@ If you went with the Postgres migration and it went badly for you (some bridge n
- re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`)
- [get in touch](README.md#support) with us
# 2020-12-11
## synapse-janitor support removed

View File

@ -51,7 +51,7 @@ docker run -it --rm \
-v `pwd`:/work \
-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
--entrypoint=/bin/sh \
devture/ansible:2.9.13-r0
docker.io/devture/ansible:2.9.14-r0
```
The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).

View File

@ -10,7 +10,7 @@ Use matrix-registration to **create unique registration links**, which people ca
- **an API for creating registration tokens** (unique registration links). This API can be used via `curl` or via the playbook (see [Usage](#usage) below)
- **a user registration page**, where people can use these registration tokens. By default, exposed at `https:///matrix.DOMAIN/matrix-registration`
- **a user registration page**, where people can use these registration tokens. By default, exposed at `https://matrix.DOMAIN/matrix-registration`
## Installing
@ -33,15 +33,18 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
## Usage
**matrix-registration** gets exposed at `https:///matrix.DOMAIN/matrix-registration`
**matrix-registration** gets exposed at `https://matrix.DOMAIN/matrix-registration`
It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) - for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`.
We make the most common API (the one for creating unique registration tokens) easy to use via the playbook.
We make the most common APIs easy to use via the playbook (see below).
**To create a new user registration token (link)**, use this command:
```
### Creating registration tokens
To **create a new user registration token (link)**, use this command:
```bash
ansible-playbook -i inventory/hosts setup.yml \
--tags=generate-matrix-registration-token \
--extra-vars="one_time=yes ex_date=2021-12-31"
@ -51,3 +54,13 @@ The above command creates and returns a **one-time use** token, which **expires*
Adjust the `one_time` and `ex_date` variables as you see fit.
Share the unique registration link (generated by the command above) with users to let them register on your Matrix server.
### Listing registration tokens
To **list the existing user registration tokens**, use this command:
```bash
ansible-playbook -i inventory/hosts setup.yml \
--tags=list-matrix-registration-tokens
```

View File

@ -24,6 +24,27 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
- 1.1.1.1
```
## Adjusting SSL in your server
You can adjust how the SSL is served by the nginx server using the `matrix_nginx_proxy_ssl_preset` variable. We support a few presets, based on the Mozilla Server Side TLS
Recommended configurations. These presets influence the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx.
Possible values are:
- `"modern"` - For Modern clients that support TLS 1.3, with no need for backwards compatibility
- `"intermediate"` (**default**) - Recommended configuration for a general-purpose server
- `"old"` - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
**Be really carefull when setting it to `"modern"`**. This could break comunication with other Matrix servers, limiting your federation posibilities. The
[Federarion tester](https://federationtester.matrix.org/) also won't work.
Besides changing the preset (`matrix_nginx_proxy_ssl_preset`), you can also directly override these 3 variables:
- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols.
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negotiating the cipher. It can set to `on` or `off`.
- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx.
For more information about these variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file.
## Synapse + OpenID Connect for Single-Sign-On
If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse:

View File

@ -45,7 +45,7 @@ docker run \
--log-driver=none \
--network=matrix \
--env-file=/matrix/postgres/env-postgres-psql \
postgres:13.0-alpine \
docker.io/postgres:13.1-alpine \
pg_dumpall -h matrix-postgres \
| gzip -c \
> /postgres.sql.gz

View File

@ -0,0 +1,72 @@
---
# matrix-aux is a role that manages auxiliary files and directories on your Matrix server.
#
# Certain components (like matrix-synapse, etc.) may sometimes require additional templates (email templates, privacy policies, etc.).
# This role allows such files to be managed by the playbook.
#
# Note that files and directories created via this role are not automatically made available for containers to use.
# If you use this role to put files in a directory that's already mounted into a container,
# you can access the files without additional work.
# Otherwise, you'd need to mount the file/directory to the container that needs it.
# Roles usually provide a `matrix_*_additional_volumes` or `matrix_*_container_extra_arguments` variable
# that you can use to mount an additional volume.
# The default permission mode when creating directories using `matrix_aux_directory_definitions`
matrix_aux_directory_default_mode: '0750'
# Holds a list of directories to create on the server.
#
# By default, directories are:
# - created with permissions as specified in `matrix_aux_directory_default_mode`
# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`)
#
# Example:
#
# matrix_aux_directory_definitions:
# - dest: /matrix/aux
#
# - dest: /matrix/another
# mode: '0700'
# owner: 'some-user'
# group: 'some-group'
matrix_aux_directory_definitions: []
# The default permission mode when creating directories using `matrix_aux_directory_definitions`
matrix_aux_file_default_mode: '0640'
# Holds a list of files to create on the server.
#
# By default, files are:
# - created with permissions as specified in `matrix_aux_file_default_mode`
# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`)
#
# You can define the file content inline (in your `vars.yml` file) or as an external file (see the example below).
# Defining the content inline in `vars.yml` has the benefit of not splitting your configuration into multiple files,
# but rather keeping everything inside `vars.yml` (which also gets backed up on the server in `/matrix/vars.yml`).
#
# Note: parent paths for files must exist.
# If you've defined a file with a destination of `/matrix/some/path/file.txt`,
# then you likely need to add `/matrix/some/path` to `matrix_aux_directory_definitions` as well.
# You don't need to do this for directories that the playbook already creates for you.
#
# Example:
#
# matrix_aux_file_definitions:
# - dest: "{{ matrix_synapse_config_dir_path }}/something.html"
# content: |
# <!doctype html>
# <html><body>Something</body></html>
#
# - dest: /matrix/aux/some-other-file.txt
# content: "Something"
# mode: '0600'
# owner: 'some-user'
# group: 'some-group'
#
# - dest: /matrix/aux/yet-another-file.txt
# content: "{{ lookup('template', '/path/to/file.txt.j2') }}"
# mode: '0600'
# owner: 'some-user'
# group: 'some-group'
matrix_aux_file_definitions: []

View File

@ -0,0 +1,5 @@
- import_tasks: "{{ role_path }}/tasks/setup.yml"
when: run_stop|bool
tags:
- setup-all
- setup-aux-files

View File

@ -0,0 +1,19 @@
---
- name: Ensure AUX directories are created
file:
dest: "{{ item.dest }}"
state: directory
owner: "{{ item.owner|default(matrix_user_username) }}"
group: "{{ item.group|default(matrix_user_groupname) }}"
mode: "{{ item.mode|default(matrix_aux_directory_default_mode) }}"
with_items: "{{ matrix_aux_directory_definitions }}"
- name: Ensure AUX files are created
copy:
dest: "{{ item.dest }}"
content: "{{ item.content }}"
owner: "{{ item.owner|default(matrix_user_username) }}"
group: "{{ item.group|default(matrix_user_groupname) }}"
mode: "{{ item.mode|default(matrix_aux_file_default_mode) }}"
with_items: "{{ matrix_aux_file_definitions }}"

View File

@ -219,8 +219,46 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
# a new SSL certificate could go into effect.
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
# Specifies which SSL protocols to use when serving all the various vhosts
matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
# This is based on the Mozilla Server Side TLS Recommended configurations.
#
# The posible values are:
# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
# - "intermediate" - Recommended configuration for a general-purpose server
# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
#
# For more information visit:
# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# - https://ssl-config.mozilla.org/#server=nginx
matrix_nginx_proxy_ssl_preset: "intermediate"
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`
# if you wish to use something more custom.
matrix_nginx_proxy_ssl_presets:
modern:
protocols: TLSv1.3
ciphers: ""
prefer_server_ciphers: "off"
intermediate:
protocols: TLSv1.2 TLSv1.3
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
prefer_server_ciphers: "off"
old:
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
prefer_server_ciphers: "on"
# Specifies which *SSL protocols* to use when serving all the various vhosts.
matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"
# Specifies whether to prefer *the clients choice or the servers choice* when negotiating ciphers.
matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"
# Specifies which *SSL Cipher suites* to use when serving all the various vhosts.
# To see the full list for suportes ciphers run `openssl ciphers` on your server
matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"
# Controls whether the self-check feature should validate SSL certificates.
matrix_nginx_proxy_self_check_validate_certificates: true

View File

@ -18,3 +18,9 @@
msg: >-
`matrix_ssl_retrieval_method` needs to be set to a known value.
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
- name: Fail on unknown matrix_nginx_proxy_ssl_config
fail:
msg: >-
`matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"

View File

@ -5,7 +5,7 @@
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Frame-Options SAMEORIGIN;
{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
@ -67,9 +67,12 @@ server {
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
{% if matrix_nginx_proxy_ssl_ciphers != "" %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{{ render_vhost_directives() }}
}

View File

@ -65,9 +65,12 @@ server {
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{{ render_vhost_directives() }}
}

View File

@ -58,9 +58,12 @@ server {
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{{ render_vhost_directives() }}
}

View File

@ -86,9 +86,12 @@ server {
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{{ render_vhost_directives() }}
}

View File

@ -55,9 +55,12 @@ server {
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{{ render_vhost_directives() }}
}

View File

@ -203,9 +203,12 @@ server {
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{{ render_vhost_directives() }}
}
@ -235,9 +238,13 @@ server {
{% if matrix_nginx_proxy_https_enabled %}
ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};
ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{% endif %}
location / {

View File

@ -0,0 +1,29 @@
- name: Call matrix-registration list all tokens API
uri:
url: "{{ matrix_registration_api_token_endpoint }}"
follow_redirects: none
validate_certs: "{{ matrix_registration_api_validate_certs }}"
headers:
Content-Type: application/json
Authorization: "SharedSecret {{ matrix_registration_admin_secret }}"
method: GET
body_format: json
check_mode: no
register: matrix_registration_api_result
- set_fact:
matrix_registration_api_result_message: >-
matrix-registration result:
{{ matrix_registration_api_result.json | to_nice_json }}
check_mode: no
- name: Inject result message into matrix_playbook_runtime_results
set_fact:
matrix_playbook_runtime_results: |
{{
matrix_playbook_runtime_results|default([])
+
[matrix_registration_api_result_message]
}}
check_mode: no

View File

@ -24,3 +24,8 @@
when: "run_setup|bool and matrix_registration_enabled|bool"
tags:
- generate-matrix-registration-token
- import_tasks: "{{ role_path }}/tasks/list_tokens.yml"
when: "run_setup|bool and matrix_registration_enabled|bool"
tags:
- list-matrix-registration-tokens

View File

@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# The if statement below may look silly at times (leading to the same version being returned),
# but ARM-compatible container images are only released 1-7 hours after a release,
# so we may often be on different versions for different architectures when new Synapse releases come out.
matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}"
matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"

View File

@ -33,3 +33,12 @@
- {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
- {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
- {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
fail:
msg: >-
Your matrix_synapse_configuration_extension_yaml configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in matrix_synapse_configuration_extension"
with_items:
- {'old': 'federation_ip_range_blacklist', 'new': 'ip_range_blacklist'}

View File

@ -120,6 +120,47 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
#
#enable_search: false
# Prevent outgoing requests from being sent to the following blacklisted IP address
# CIDR ranges. If this option is not specified then it defaults to private IP
# address ranges (see the example below).
#
# The blacklist applies to the outbound requests for federation, identity servers,
# push servers, and for checking key validity for third-party invite events.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
#
#ip_range_blacklist:
# - '127.0.0.0/8'
# - '10.0.0.0/8'
# - '172.16.0.0/12'
# - '192.168.0.0/16'
# - '100.64.0.0/10'
# - '192.0.0.0/24'
# - '169.254.0.0/16'
# - '198.18.0.0/15'
# - '192.0.2.0/24'
# - '198.51.100.0/24'
# - '203.0.113.0/24'
# - '224.0.0.0/4'
# - '::1/128'
# - 'fe80::/10'
# - 'fc00::/7'
# List of IP address CIDR ranges that should be allowed for federation,
# identity servers, push servers, and for checking key validity for
# third-party invite events. This is useful for specifying exceptions to
# wide-ranging blacklisted target IP ranges - e.g. for communication with
# a push server only visible in your network.
#
# This whitelist overrides ip_range_blacklist and defaults to an empty
# list.
#
#ip_range_whitelist:
# - '192.168.1.1'
# List of ports that Synapse should listen on, their purpose and their
# configuration.
#
@ -633,27 +674,6 @@ acme:
federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
{% endif %}
# Prevent federation requests from being sent to the following
# blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced.
#
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
# servers provided by user input.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
federation_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
# Report prometheus metrics on the age of PDUs being sent to and received from
# the following domains. This can be used to give an idea of "delay" on inbound
# and outbound federation, though be aware that any delay can be due to problems
@ -919,9 +939,15 @@ url_preview_ip_range_blacklist:
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/64'
- 'fe80::/10'
- 'fc00::/7'
# List of IP address CIDR ranges that the URL preview spider is allowed
@ -1776,7 +1802,8 @@ oidc_config:
# * user: The claims returned by the UserInfo Endpoint and/or in the ID
# Token
#
# This must be configured if using the default mapping provider.
# If this is not set, the user will be prompted to choose their
# own username.
#
localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
@ -1854,11 +1881,8 @@ sso:
# - https://my.custom.client/
# Directory in which Synapse will try to find the template files below.
# If not set, default templates from within the Synapse package will be used.
#
# DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
# If you *do* uncomment it, you will need to make sure that all the templates
# below are in the directory.
# If not set, or the files named below are not found within the template
# directory, default templates from within the Synapse package will be used.
#
# Synapse will look for the following templates in this directory:
#
@ -1987,6 +2011,56 @@ password_config:
#
pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}
# Define and enforce a password policy. Each parameter is optional.
# This is an implementation of MSC2000.
#
policy:
# Whether to enforce the password policy.
# Defaults to 'false'.
#
#enabled: true
# Minimum accepted length for a password.
# Defaults to 0.
#
#minimum_length: 15
# Whether a password must contain at least one digit.
# Defaults to 'false'.
#
#require_digit: true
# Whether a password must contain at least one symbol.
# A symbol is any character that's not a number or a letter.
# Defaults to 'false'.
#
#require_symbol: true
# Whether a password must contain at least one lowercase letter.
# Defaults to 'false'.
#
#require_lowercase: true
# Whether a password must contain at least one lowercase letter.
# Defaults to 'false'.
#
#require_uppercase: true
ui_auth:
# The number of milliseconds to allow a user-interactive authentication
# session to be active.
#
# This defaults to 0, meaning the user is queried for their credentials
# before every action, but this can be overridden to alow a single
# validation to be re-used. This weakens the protections afforded by
# the user-interactive authentication process, by allowing for multiple
# (and potentially different) operations to use the same validation session.
#
# Uncomment below to allow for credential validation to last for 15
# seconds.
#
#session_timeout: 15000
{% if matrix_synapse_email_enabled %}
# Configuration for sending emails from Synapse.
@ -2061,9 +2135,8 @@ email:
#validation_token_lifetime: 15m
# Directory in which Synapse will try to find the template files below.
# If not set, default templates from within the Synapse package will be used.
#
# Do not uncomment this setting unless you want to customise the templates.
# If not set, or the files named below are not found within the template
# directory, default templates from within the Synapse package will be used.
#
# Synapse will look for the following templates in this directory:
#
@ -2309,7 +2382,7 @@ enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }}
# If enabled, non server admins can only create groups with local parts
# starting with this prefix
#
#group_creation_prefix: "unofficial/"
#group_creation_prefix: "unofficial_"
@ -2580,6 +2653,13 @@ opentracing:
#
#run_background_tasks_on: worker1
# A shared secret used by the replication APIs to authenticate HTTP requests
# from workers.
#
# By default this is unused and traffic is not authenticated.
#
#worker_replication_secret: ""
# Configuration for Redis when using workers. This *must* be enabled when
# using workers (unless using old style direct TCP configuration).

View File

@ -36,4 +36,5 @@
- matrix-email2matrix
- matrix-nginx-proxy
- matrix-coturn
- matrix-aux
- matrix-common-after