Merge branch 'master' into pub.solar
commit 8720ab02d2
22 changed files with 400 additions and 59 deletions
23
CHANGELOG.md
|
@ -1,3 +1,25 @@
|
|||
# 2021-01-08
|
||||
|
||||
## (Breaking Change) New SSL configuration
|
||||
|
||||
SSL configuration (protocols, ciphers) can now be more easily controlled thanks to us making use of configuration presets.
|
||||
|
||||
We define a few presets (old, intermediate, modern), following the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=nginx).
|
||||
|
||||
A new variable `matrix_nginx_proxy_ssl_preset` controls which preset is used (defaults to `"intermediate"`).
|
||||
|
||||
Compared to before, this changes nginx's `ssl_prefer_server_ciphers` to `off` (used to default to `on`). It also add some more ciphers to the list, giving better performance on mobile devices, and removes some weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md).
|
||||
|
||||
To revert to the old behaviour, set the following variables:
|
||||
|
||||
```yaml
|
||||
matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
|
||||
matrix_nginx_proxy_ssl_prefer_server_ciphers: "on"
|
||||
```
|
||||
|
||||
Just like before, you can still use your own custom protocols by specifying them in `matrix_nginx_proxy_ssl_protocols`. Doing so overrides the values coming from the preset.
|
||||
|
||||
|
||||
# 2021-01-03
|
||||
|
||||
## Signal bridging support via mautrix-signal
|
||||
|
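Review bot: "It also add some more ciphers to the list" in the new 2021-01-08 entry should read "It also adds". More substantively, this breaking-change note introduces `matrix_nginx_proxy_ssl_preset` without the federation caveat that docs/configuring-playbook-nginx.md gains in this same commit: the `"modern"` preset applies to every vhost, including the federation listener, and restricts it to TLSv1.3, which breaks federation with homeservers that do not speak TLS 1.3. A one-line warning here would reach exactly the readers most likely to change the preset after reading a changelog entry about it.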
@ -48,7 +70,6 @@ If you went with the Postgres migration and it went badly for you (some bridge n
|
|||
- re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`)
|
||||
- [get in touch](README.md#support) with us
|
||||
|
||||
|
||||
# 2020-12-11
|
||||
|
||||
## synapse-janitor support removed
|
||||
|
|
|
@ -51,7 +51,7 @@ docker run -it --rm \
|
|||
-v `pwd`:/work \
|
||||
-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
|
||||
--entrypoint=/bin/sh \
|
||||
devture/ansible:2.9.13-r0
|
||||
docker.io/devture/ansible:2.9.14-r0
|
||||
```
|
||||
|
||||
The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).
|
||||
|
|
|
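Review bot: the image is still referenced by a mutable tag (`docker.io/devture/ansible:2.9.14-r0`) while the same command bind-mounts `$HOME/.ssh/id_rsa` into the container; because that key grants access to the Matrix host, the docs could recommend pinning by digest (`docker.io/devture/ansible@sha256:<digest>`, digest to be filled in) or at least say that the reader should trust the image before mounting a private key into it. Adding the explicit `docker.io/` registry prefix is a good change in itself, since it stops the short name from resolving against whatever unqualified-search registries the local Docker or Podman happens to be configured with.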
@ -10,7 +10,7 @@ Use matrix-registration to **create unique registration links**, which people ca
|
|||
|
||||
- **an API for creating registration tokens** (unique registration links). This API can be used via `curl` or via the playbook (see [Usage](#usage) below)
|
||||
|
||||
- **a user registration page**, where people can use these registration tokens. By default, exposed at `https:///matrix.DOMAIN/matrix-registration`
|
||||
- **a user registration page**, where people can use these registration tokens. By default, exposed at `https://matrix.DOMAIN/matrix-registration`
|
||||
|
||||
|
||||
## Installing
|
||||
|
@ -33,15 +33,18 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
|
|||
|
||||
## Usage
|
||||
|
||||
**matrix-registration** gets exposed at `https:///matrix.DOMAIN/matrix-registration`
|
||||
**matrix-registration** gets exposed at `https://matrix.DOMAIN/matrix-registration`
|
||||
|
||||
It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) - for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`.
|
||||
|
||||
We make the most common API (the one for creating unique registration tokens) easy to use via the playbook.
|
||||
We make the most common APIs easy to use via the playbook (see below).
|
||||
|
||||
**To create a new user registration token (link)**, use this command:
|
||||
|
||||
```
|
||||
### Creating registration tokens
|
||||
|
||||
To **create a new user registration token (link)**, use this command:
|
||||
|
||||
```bash
|
||||
ansible-playbook -i inventory/hosts setup.yml \
|
||||
--tags=generate-matrix-registration-token \
|
||||
--extra-vars="one_time=yes ex_date=2021-12-31"
|
||||
|
@ -51,3 +54,13 @@ The above command creates and returns a **one-time use** token, which **expires*
|
|||
Adjust the `one_time` and `ex_date` variables as you see fit.
|
||||
|
||||
Share the unique registration link (generated by the command above) with users to let them register on your Matrix server.
|
||||
|
||||
|
||||
### Listing registration tokens
|
||||
|
||||
To **list the existing user registration tokens**, use this command:
|
||||
|
||||
```bash
|
||||
ansible-playbook -i inventory/hosts setup.yml \
|
||||
--tags=list-matrix-registration-tokens
|
||||
```
|
||||
|
|
|
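Review bot: the new "Listing registration tokens" section should say what the command prints. Per the list_tokens.yml task added in this commit, the full JSON returned by the token API, i.e. every token including unused and still-valid ones, is injected into the playbook's runtime results, so the output contains live registration links and should not be pasted into tickets, chat or CI logs. One sentence after the code block would cover it.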
@ -24,6 +24,27 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
|
|||
- 1.1.1.1
|
||||
```
|
||||
|
||||
## Adjusting SSL in your server
|
||||
|
||||
You can adjust how the SSL is served by the nginx server using the `matrix_nginx_proxy_ssl_preset` variable. We support a few presets, based on the Mozilla Server Side TLS
|
||||
Recommended configurations. These presets influence the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx.
|
||||
Possible values are:
|
||||
|
||||
- `"modern"` - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||||
- `"intermediate"` (**default**) - Recommended configuration for a general-purpose server
|
||||
- `"old"` - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||||
|
||||
**Be really carefull when setting it to `"modern"`**. This could break comunication with other Matrix servers, limiting your federation posibilities. The
|
||||
[Federarion tester](https://federationtester.matrix.org/) also won't work.
|
||||
|
||||
Besides changing the preset (`matrix_nginx_proxy_ssl_preset`), you can also directly override these 3 variables:
|
||||
|
||||
- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols.
|
||||
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negotiating the cipher. It can set to `on` or `off`.
|
||||
- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx.
|
||||
|
||||
For more information about these variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file.
|
||||
|
||||
## Synapse + OpenID Connect for Single-Sign-On
|
||||
|
||||
If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse:
|
||||
|
|
|
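Review bot: spelling in the new "Adjusting SSL in your server" section: "carefull" should be "careful", "comunication" "communication", "posibilities" "possibilities", "Federarion tester" "Federation tester", and "It can set to `on` or `off`" should read "It can be set to". On substance, the `"old"` bullet should say what it actually enables: per `matrix_nginx_proxy_ssl_presets` in roles/matrix-nginx-proxy/defaults/main.yml in this same commit it turns on TLSv1 and TLSv1.1, sets `ssl_prefer_server_ciphers` to `on` and includes `DES-CBC3-SHA` (3DES), so it should be described as a compatibility-only choice rather than listed neutrally beside the other two.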
@ -45,7 +45,7 @@ docker run \
|
|||
--log-driver=none \
|
||||
--network=matrix \
|
||||
--env-file=/matrix/postgres/env-postgres-psql \
|
||||
postgres:13.0-alpine \
|
||||
docker.io/postgres:13.1-alpine \
|
||||
pg_dumpall -h matrix-postgres \
|
||||
| gzip -c \
|
||||
> /postgres.sql.gz
|
||||
|
|
72
roles/matrix-aux/defaults/main.yml
Normal file
|
@ -0,0 +1,72 @@
|
|||
---
|
||||
|
||||
# matrix-aux is a role that manages auxiliary files and directories on your Matrix server.
|
||||
#
|
||||
# Certain components (like matrix-synapse, etc.) may sometimes require additional templates (email templates, privacy policies, etc.).
|
||||
# This role allows such files to be managed by the playbook.
|
||||
#
|
||||
# Note that files and directories created via this role are not automatically made available for containers to use.
|
||||
# If you use this role to put files in a directory that's already mounted into a container,
|
||||
# you can access the files without additional work.
|
||||
# Otherwise, you'd need to mount the file/directory to the container that needs it.
|
||||
# Roles usually provide a `matrix_*_additional_volumes` or `matrix_*_container_extra_arguments` variable
|
||||
# that you can use to mount an additional volume.
|
||||
|
||||
# The default permission mode when creating directories using `matrix_aux_directory_definitions`
|
||||
matrix_aux_directory_default_mode: '0750'
|
||||
|
||||
# Holds a list of directories to create on the server.
|
||||
#
|
||||
# By default, directories are:
|
||||
# - created with permissions as specified in `matrix_aux_directory_default_mode`
|
||||
# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`)
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# matrix_aux_directory_definitions:
|
||||
# - dest: /matrix/aux
|
||||
#
|
||||
# - dest: /matrix/another
|
||||
# mode: '0700'
|
||||
# owner: 'some-user'
|
||||
# group: 'some-group'
|
||||
matrix_aux_directory_definitions: []
|
||||
|
||||
# The default permission mode when creating directories using `matrix_aux_directory_definitions`
|
||||
matrix_aux_file_default_mode: '0640'
|
||||
|
||||
# Holds a list of files to create on the server.
|
||||
#
|
||||
# By default, files are:
|
||||
# - created with permissions as specified in `matrix_aux_file_default_mode`
|
||||
# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`)
|
||||
#
|
||||
# You can define the file content inline (in your `vars.yml` file) or as an external file (see the example below).
|
||||
# Defining the content inline in `vars.yml` has the benefit of not splitting your configuration into multiple files,
|
||||
# but rather keeping everything inside `vars.yml` (which also gets backed up on the server in `/matrix/vars.yml`).
|
||||
#
|
||||
# Note: parent paths for files must exist.
|
||||
# If you've defined a file with a destination of `/matrix/some/path/file.txt`,
|
||||
# then you likely need to add `/matrix/some/path` to `matrix_aux_directory_definitions` as well.
|
||||
# You don't need to do this for directories that the playbook already creates for you.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# matrix_aux_file_definitions:
|
||||
# - dest: "{{ matrix_synapse_config_dir_path }}/something.html"
|
||||
# content: |
|
||||
# <!doctype html>
|
||||
# <html><body>Something</body></html>
|
||||
#
|
||||
# - dest: /matrix/aux/some-other-file.txt
|
||||
# content: "Something"
|
||||
# mode: '0600'
|
||||
# owner: 'some-user'
|
||||
# group: 'some-group'
|
||||
#
|
||||
# - dest: /matrix/aux/yet-another-file.txt
|
||||
# content: "{{ lookup('template', '/path/to/file.txt.j2') }}"
|
||||
# mode: '0600'
|
||||
# owner: 'some-user'
|
||||
# group: 'some-group'
|
||||
matrix_aux_file_definitions: []
|
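Review bot: the comment above `matrix_aux_file_default_mode` is a copy of the directory one ("The default permission mode when creating directories using `matrix_aux_directory_definitions`"); it should read "The default permission mode when creating files using `matrix_aux_file_definitions`". The defaults themselves (`'0750'` for directories, `'0640'` for files, owned by `matrix_user_username`/`matrix_user_groupname`) are reasonable for templates and policy text; a short comment that anything sensitive placed through this role should set `mode: '0600'`, as the examples already do, would make the intent explicit.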
5
roles/matrix-aux/tasks/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/setup.yml"
|
||||
when: run_stop|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-aux-files
|
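Review bot: `when: run_stop|bool` on the `import_tasks` of `setup.yml` looks like the wrong flag: that task file creates directories and files, so it should be gated on `run_setup|bool`, as the equivalent imports in roles/matrix-registration/tasks/main.yml in this same commit are (`when: "run_setup|bool and matrix_registration_enabled|bool"`). As written, the aux files are only created on runs where `run_stop` is true, which is presumably not the case for the documented `--tags=setup-all,start` invocation, and they would be created on a stop-only run.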
19
roles/matrix-aux/tasks/setup.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
|
||||
- name: Ensure AUX directories are created
|
||||
file:
|
||||
dest: "{{ item.dest }}"
|
||||
state: directory
|
||||
owner: "{{ item.owner|default(matrix_user_username) }}"
|
||||
group: "{{ item.group|default(matrix_user_groupname) }}"
|
||||
mode: "{{ item.mode|default(matrix_aux_directory_default_mode) }}"
|
||||
with_items: "{{ matrix_aux_directory_definitions }}"
|
||||
|
||||
- name: Ensure AUX files are created
|
||||
copy:
|
||||
dest: "{{ item.dest }}"
|
||||
content: "{{ item.content }}"
|
||||
owner: "{{ item.owner|default(matrix_user_username) }}"
|
||||
group: "{{ item.group|default(matrix_user_groupname) }}"
|
||||
mode: "{{ item.mode|default(matrix_aux_file_default_mode) }}"
|
||||
with_items: "{{ matrix_aux_file_definitions }}"
|
|
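Review bot: both loops print each `item` in full, so for the "Ensure AUX files are created" task the entire `content` (which, per the defaults, may be rendered from a template with access to every playbook variable) ends up in the Ansible output on every run; add `loop_control: { label: "{{ item.dest }}" }` to both tasks so only the destination path is logged. Smaller point: `file` with `state: directory` creates missing parent directories, so the "parent paths must exist" caveat in the defaults applies to file definitions only, which the comment there could state.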
@ -219,8 +219,46 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
|||
# a new SSL certificate could go into effect.
|
||||
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
||||
|
||||
# Specifies which SSL protocols to use when serving all the various vhosts
|
||||
matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
|
||||
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
||||
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
||||
#
|
||||
# The posible values are:
|
||||
# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||||
# - "intermediate" - Recommended configuration for a general-purpose server
|
||||
# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||||
#
|
||||
# For more information visit:
|
||||
# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||
# - https://ssl-config.mozilla.org/#server=nginx
|
||||
matrix_nginx_proxy_ssl_preset: "intermediate"
|
||||
|
||||
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
||||
# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`
|
||||
# if you wish to use something more custom.
|
||||
matrix_nginx_proxy_ssl_presets:
|
||||
modern:
|
||||
protocols: TLSv1.3
|
||||
ciphers: ""
|
||||
prefer_server_ciphers: "off"
|
||||
intermediate:
|
||||
protocols: TLSv1.2 TLSv1.3
|
||||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
prefer_server_ciphers: "off"
|
||||
old:
|
||||
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
||||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
||||
prefer_server_ciphers: "on"
|
||||
|
||||
|
||||
# Specifies which *SSL protocols* to use when serving all the various vhosts.
|
||||
matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"
|
||||
|
||||
# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers.
|
||||
matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"
|
||||
|
||||
# Specifies which *SSL Cipher suites* to use when serving all the various vhosts.
|
||||
# To see the full list for suportes ciphers run `openssl ciphers` on your server
|
||||
matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_nginx_proxy_self_check_validate_certificates: true
|
||||
|
|
|
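Review bot: the comment above `matrix_nginx_proxy_ssl_presets` lists `matrix_nginx_proxy_ssl_ciphers` twice and omits `matrix_nginx_proxy_ssl_prefer_server_ciphers`, the third variable the presets feed; also "posible" should be "possible" and "suportes" "supported". Two comments would help readers of this file: the `modern` preset's `ciphers: ""` is correct because TLS 1.3 suites are not selected through `ssl_ciphers` (the templates skip the directive when it is empty, and nginx's built-in default is irrelevant when only TLSv1.3 is offered), and the `old` preset enables TLSv1, TLSv1.1 and `DES-CBC3-SHA`, so it should be marked as a compatibility-only choice rather than described the same way as the other two.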
@ -18,3 +18,9 @@
|
|||
msg: >-
|
||||
`matrix_ssl_retrieval_method` needs to be set to a known value.
|
||||
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
|
||||
|
||||
- name: Fail on unknown matrix_nginx_proxy_ssl_config
|
||||
fail:
|
||||
msg: >-
|
||||
`matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
|
||||
when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
|
||||
|
|
|
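Review bot: the task name says `matrix_nginx_proxy_ssl_config` but the variable being checked is `matrix_nginx_proxy_ssl_preset`; rename the task to match so a failure is easy to search for. The hard-coded list `['modern', 'intermediate', 'old']` duplicates the keys of `matrix_nginx_proxy_ssl_presets`; `when: "matrix_nginx_proxy_ssl_preset not in matrix_nginx_proxy_ssl_presets"` would keep validation and presets in sync if one is ever added.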
@ -5,7 +5,7 @@
|
|||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
@ -67,9 +67,12 @@ server {
|
|||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != "" %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
|
|
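Review bot: this block tests `matrix_nginx_proxy_ssl_ciphers != ""` with double quotes while the identical blocks in the other vhost templates in this commit use `''`; harmless in Jinja, but it shows that the same six lines now live in seven templates and already drifted in the commit that introduced them. Consider moving the `ssl_protocols`/`ssl_ciphers`/`ssl_prefer_server_ciphers` trio into a shared macro (for example alongside the existing `render_vhost_directives()` call) so a future preset change is made in one place.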
@ -65,9 +65,12 @@ server {
|
|||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
|
|
@ -58,9 +58,12 @@ server {
|
|||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
|
|
@ -86,9 +86,12 @@ server {
|
|||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
|
|
@ -55,9 +55,12 @@ server {
|
|||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
|
|
@ -203,9 +203,12 @@ server {
|
|||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
@ -235,9 +238,13 @@ server {
|
|||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};
|
||||
ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
|
|
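Review bot: the federation listener now takes `ssl_protocols` and ciphers from the same preset as the client-facing vhosts, so `matrix_nginx_proxy_ssl_preset: "modern"` restricts federation to TLSv1.3 and, as docs/configuring-playbook-nginx.md in this commit warns, breaks federation with homeservers (and the federation tester) that do not speak TLS 1.3. Since that warning lives only in the docs, consider either a separate preset variable for the federation vhost (hypothetical name `matrix_nginx_proxy_ssl_federation_preset`, defaulting to the main one) or a validation-time warning when `modern` is selected with federation enabled, so the failure mode surfaces in the playbook rather than as silently missing federation traffic.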
29
roles/matrix-registration/tasks/list_tokens.yml
Normal file
|
@ -0,0 +1,29 @@
|
|||
- name: Call matrix-registration list all tokens API
|
||||
uri:
|
||||
url: "{{ matrix_registration_api_token_endpoint }}"
|
||||
follow_redirects: none
|
||||
validate_certs: "{{ matrix_registration_api_validate_certs }}"
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
Authorization: "SharedSecret {{ matrix_registration_admin_secret }}"
|
||||
method: GET
|
||||
body_format: json
|
||||
check_mode: no
|
||||
register: matrix_registration_api_result
|
||||
|
||||
- set_fact:
|
||||
matrix_registration_api_result_message: >-
|
||||
matrix-registration result:
|
||||
|
||||
{{ matrix_registration_api_result.json | to_nice_json }}
|
||||
check_mode: no
|
||||
|
||||
- name: Inject result message into matrix_playbook_runtime_results
|
||||
set_fact:
|
||||
matrix_playbook_runtime_results: |
|
||||
{{
|
||||
matrix_playbook_runtime_results|default([])
|
||||
+
|
||||
[matrix_registration_api_result_message]
|
||||
}}
|
||||
check_mode: no
|
|
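Review bot: the `Authorization: SharedSecret {{ matrix_registration_admin_secret }}` header is part of the module invocation, so a failed call run with `-v` prints the admin secret next to the error; consider `no_log: true` (or a hypothetical `matrix_registration_api_no_log` default) on the `uri` task, keeping the registered result for the `set_fact` message, which is where the operator needs the output. Minor: `body_format: json` is unnecessary on a `GET` with no body, since it only sets a `Content-Type` the explicit header already provides.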
@ -24,3 +24,8 @@
|
|||
when: "run_setup|bool and matrix_registration_enabled|bool"
|
||||
tags:
|
||||
- generate-matrix-registration-token
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/list_tokens.yml"
|
||||
when: "run_setup|bool and matrix_registration_enabled|bool"
|
||||
tags:
|
||||
- list-matrix-registration-tokens
|
||||
|
|
|
@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
|
|||
# The if statement below may look silly at times (leading to the same version being returned),
|
||||
# but ARM-compatible container images are only released 1-7 hours after a release,
|
||||
# so we may often be on different versions for different architectures when new Synapse releases come out.
|
||||
matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}"
|
||||
matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}"
|
||||
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
|
||||
|
|
|
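Review bot: amd64 moves to `v1.25.0` while the other architectures stay on `v1.24.0`, but the homeserver.yaml.j2 changes in this same commit are written against v1.25.0 (the active `federation_ip_range_blacklist` list is removed in favour of the new `ip_range_blacklist`, which is left commented out). A v1.24.0 host rendered with that template no longer has any federation IP range blacklist, so the two halves of this `if` need to be kept consistent with the template, or the template made conditional on the version, until all architectures are on v1.25.0.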
@ -33,3 +33,12 @@
|
|||
- {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
|
||||
- {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
|
||||
- {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
|
||||
|
||||
- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
|
||||
fail:
|
||||
msg: >-
|
||||
Your matrix_synapse_configuration_extension_yaml configuration contains a variable, which now has a different name.
|
||||
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
|
||||
when: "item.old in matrix_synapse_configuration_extension"
|
||||
with_items:
|
||||
- {'old': 'federation_ip_range_blacklist', 'new': 'ip_range_blacklist'}
|
||||
|
|
|
@ -120,6 +120,47 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
|
|||
#
|
||||
#enable_search: false
|
||||
|
||||
# Prevent outgoing requests from being sent to the following blacklisted IP address
|
||||
# CIDR ranges. If this option is not specified then it defaults to private IP
|
||||
# address ranges (see the example below).
|
||||
#
|
||||
# The blacklist applies to the outbound requests for federation, identity servers,
|
||||
# push servers, and for checking key validity for third-party invite events.
|
||||
#
|
||||
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
|
||||
# listed here, since they correspond to unroutable addresses.)
|
||||
#
|
||||
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
|
||||
#
|
||||
#ip_range_blacklist:
|
||||
# - '127.0.0.0/8'
|
||||
# - '10.0.0.0/8'
|
||||
# - '172.16.0.0/12'
|
||||
# - '192.168.0.0/16'
|
||||
# - '100.64.0.0/10'
|
||||
# - '192.0.0.0/24'
|
||||
# - '169.254.0.0/16'
|
||||
# - '198.18.0.0/15'
|
||||
# - '192.0.2.0/24'
|
||||
# - '198.51.100.0/24'
|
||||
# - '203.0.113.0/24'
|
||||
# - '224.0.0.0/4'
|
||||
# - '::1/128'
|
||||
# - 'fe80::/10'
|
||||
# - 'fc00::/7'
|
||||
|
||||
# List of IP address CIDR ranges that should be allowed for federation,
|
||||
# identity servers, push servers, and for checking key validity for
|
||||
# third-party invite events. This is useful for specifying exceptions to
|
||||
# wide-ranging blacklisted target IP ranges - e.g. for communication with
|
||||
# a push server only visible in your network.
|
||||
#
|
||||
# This whitelist overrides ip_range_blacklist and defaults to an empty
|
||||
# list.
|
||||
#
|
||||
#ip_range_whitelist:
|
||||
# - '192.168.1.1'
|
||||
|
||||
# List of ports that Synapse should listen on, their purpose and their
|
||||
# configuration.
|
||||
#
|
||||
|
@ -633,27 +674,6 @@ acme:
|
|||
federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
|
||||
{% endif %}
|
||||
|
||||
# Prevent federation requests from being sent to the following
|
||||
# blacklist IP address CIDR ranges. If this option is not specified, or
|
||||
# specified with an empty list, no ip range blacklist will be enforced.
|
||||
#
|
||||
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
|
||||
# servers provided by user input.
|
||||
#
|
||||
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
|
||||
# listed here, since they correspond to unroutable addresses.)
|
||||
#
|
||||
federation_ip_range_blacklist:
|
||||
- '127.0.0.0/8'
|
||||
- '10.0.0.0/8'
|
||||
- '172.16.0.0/12'
|
||||
- '192.168.0.0/16'
|
||||
- '100.64.0.0/10'
|
||||
- '169.254.0.0/16'
|
||||
- '::1/128'
|
||||
- 'fe80::/64'
|
||||
- 'fc00::/7'
|
||||
|
||||
# Report prometheus metrics on the age of PDUs being sent to and received from
|
||||
# the following domains. This can be used to give an idea of "delay" on inbound
|
||||
# and outbound federation, though be aware that any delay can be due to problems
|
||||
|
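Review bot: removing the active `federation_ip_range_blacklist` list without rendering `ip_range_blacklist` changes behaviour depending on which Synapse is running. On v1.25.0 the new option defaults to the private ranges shown in the commented sample above, but on v1.24.0, which this commit still pins for non-amd64 hosts via `matrix_synapse_docker_image_tag`, the removed comment is explicit that an unspecified `federation_ip_range_blacklist` means no blacklist at all, so outbound federation, identity-server and push requests to loopback, link-local and RFC 1918 addresses would no longer be blocked there. Safer to render `ip_range_blacklist:` explicitly with the full list (it is a superset of the old one, e.g. `fe80::/10` instead of `fe80::/64`) and to keep `federation_ip_range_blacklist:` in the template, gated on the image version, while v1.24.0 is still shipped.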
@ -919,9 +939,15 @@ url_preview_ip_range_blacklist:
|
|||
- '172.16.0.0/12'
|
||||
- '192.168.0.0/16'
|
||||
- '100.64.0.0/10'
|
||||
- '192.0.0.0/24'
|
||||
- '169.254.0.0/16'
|
||||
- '198.18.0.0/15'
|
||||
- '192.0.2.0/24'
|
||||
- '198.51.100.0/24'
|
||||
- '203.0.113.0/24'
|
||||
- '224.0.0.0/4'
|
||||
- '::1/128'
|
||||
- 'fe80::/64'
|
||||
- 'fe80::/10'
|
||||
- 'fc00::/7'
|
||||
|
||||
# List of IP address CIDR ranges that the URL preview spider is allowed
|
||||
|
@ -1776,7 +1802,8 @@ oidc_config:
|
|||
# * user: The claims returned by the UserInfo Endpoint and/or in the ID
|
||||
# Token
|
||||
#
|
||||
# This must be configured if using the default mapping provider.
|
||||
# If this is not set, the user will be prompted to choose their
|
||||
# own username.
|
||||
#
|
||||
localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
|
||||
|
||||
|
@ -1854,11 +1881,8 @@ sso:
|
|||
# - https://my.custom.client/
|
||||
|
||||
# Directory in which Synapse will try to find the template files below.
|
||||
# If not set, default templates from within the Synapse package will be used.
|
||||
#
|
||||
# DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
|
||||
# If you *do* uncomment it, you will need to make sure that all the templates
|
||||
# below are in the directory.
|
||||
# If not set, or the files named below are not found within the template
|
||||
# directory, default templates from within the Synapse package will be used.
|
||||
#
|
||||
# Synapse will look for the following templates in this directory:
|
||||
#
|
||||
|
@ -1987,6 +2011,56 @@ password_config:
|
|||
#
|
||||
pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}
|
||||
|
||||
# Define and enforce a password policy. Each parameter is optional.
|
||||
# This is an implementation of MSC2000.
|
||||
#
|
||||
policy:
|
||||
# Whether to enforce the password policy.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#enabled: true
|
||||
|
||||
# Minimum accepted length for a password.
|
||||
# Defaults to 0.
|
||||
#
|
||||
#minimum_length: 15
|
||||
|
||||
# Whether a password must contain at least one digit.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_digit: true
|
||||
|
||||
# Whether a password must contain at least one symbol.
|
||||
# A symbol is any character that's not a number or a letter.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_symbol: true
|
||||
|
||||
# Whether a password must contain at least one lowercase letter.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_lowercase: true
|
||||
|
||||
# Whether a password must contain at least one lowercase letter.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_uppercase: true
|
||||
|
||||
ui_auth:
|
||||
# The number of milliseconds to allow a user-interactive authentication
|
||||
# session to be active.
|
||||
#
|
||||
# This defaults to 0, meaning the user is queried for their credentials
|
||||
# before every action, but this can be overridden to alow a single
|
||||
# validation to be re-used. This weakens the protections afforded by
|
||||
# the user-interactive authentication process, by allowing for multiple
|
||||
# (and potentially different) operations to use the same validation session.
|
||||
#
|
||||
# Uncomment below to allow for credential validation to last for 15
|
||||
# seconds.
|
||||
#
|
||||
#session_timeout: 15000
|
||||
|
||||
|
||||
{% if matrix_synapse_email_enabled %}
|
||||
# Configuration for sending emails from Synapse.
|
||||
|
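Review bot: the comment for `#require_uppercase` repeats the `require_lowercase` text ("Whether a password must contain at least one lowercase letter"); it should say "uppercase". Also "alow" should be "allow" in the `ui_auth` comment. Since this is the playbook's rendered template rather than the upstream sample, the MSC2000 policy block could be driven by playbook variables (hypothetical `matrix_synapse_password_policy_*` defaults) instead of shipping fully commented out; as it stands, enabling password policy enforcement requires `matrix_synapse_configuration_extension_yaml`, which the docs would need to mention.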
@ -2061,9 +2135,8 @@ email:
|
|||
#validation_token_lifetime: 15m
|
||||
|
||||
# Directory in which Synapse will try to find the template files below.
|
||||
# If not set, default templates from within the Synapse package will be used.
|
||||
#
|
||||
# Do not uncomment this setting unless you want to customise the templates.
|
||||
# If not set, or the files named below are not found within the template
|
||||
# directory, default templates from within the Synapse package will be used.
|
||||
#
|
||||
# Synapse will look for the following templates in this directory:
|
||||
#
|
||||
|
@ -2309,7 +2382,7 @@ enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }}
|
|||
# If enabled, non server admins can only create groups with local parts
|
||||
# starting with this prefix
|
||||
#
|
||||
#group_creation_prefix: "unofficial/"
|
||||
#group_creation_prefix: "unofficial_"
|
||||
|
||||
|
||||
|
||||
|
@ -2580,6 +2653,13 @@ opentracing:
|
|||
#
|
||||
#run_background_tasks_on: worker1
|
||||
|
||||
# A shared secret used by the replication APIs to authenticate HTTP requests
|
||||
# from workers.
|
||||
#
|
||||
# By default this is unused and traffic is not authenticated.
|
||||
#
|
||||
#worker_replication_secret: ""
|
||||
|
||||
|
||||
# Configuration for Redis when using workers. This *must* be enabled when
|
||||
# using workers (unless using old style direct TCP configuration).
|
||||
|
|
|
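Review bot: the new `worker_replication_secret` is shipped commented out with the upstream note "By default this is unused and traffic is not authenticated". If the playbook ever renders worker configuration, the secret should be generated and set by the playbook (a hypothetical `matrix_synapse_worker_replication_secret` default) rather than left to the operator, because the replication endpoints accept state-changing requests from anything that can reach them on the container network; as a documented knob it is fine for now.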
@ -36,4 +36,5 @@
|
|||
- matrix-email2matrix
|
||||
- matrix-nginx-proxy
|
||||
- matrix-coturn
|
||||
- matrix-aux
|
||||
- matrix-common-after
|
||||
|
|
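Review bot: `matrix-aux` is appended after `matrix-coturn`, i.e. after every component role whose directories the aux files are meant to land in, so the defaults example that writes `{{ matrix_synapse_config_dir_path }}/something.html` only exists once matrix-synapse has already rendered its configuration. That ordering is the right one for dropping files into directories that earlier roles create, but any earlier role that validates the presence of a referenced file would fail on a first run; the role's defaults comment should state that it runs after all component roles so operators know which side of that trade-off they are on.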