Merge branch 'master' into pub.solar
commit 8720ab02d2
23
CHANGELOG.md
|
@ -1,3 +1,25 @@
|
||||||
|
# 2021-01-08
|
||||||
|
|
||||||
|
## (Breaking Change) New SSL configuration
|
||||||
|
|
||||||
|
SSL configuration (protocols, ciphers) can now be more easily controlled thanks to us making use of configuration presets.
|
||||||
|
|
||||||
|
We define a few presets (old, intermediate, modern), following the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=nginx).
|
||||||
|
|
||||||
|
A new variable `matrix_nginx_proxy_ssl_preset` controls which preset is used (defaults to `"intermediate"`).
|
||||||
|
|
||||||
|
Compared to before, this changes nginx's `ssl_prefer_server_ciphers` to `off` (used to default to `on`). It also add some more ciphers to the list, giving better performance on mobile devices, and removes some weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md).
|
||||||
|
|
||||||
|
To revert to the old behaviour, set the following variables:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
|
||||||
|
matrix_nginx_proxy_ssl_prefer_server_ciphers: "on"
|
||||||
|
```
|
||||||
|
|
||||||
|
Just like before, you can still use your own custom protocols by specifying them in `matrix_nginx_proxy_ssl_protocols`. Doing so overrides the values coming from the preset.
|
||||||
|
|
||||||
|
|
||||||
# 2021-01-03
|
# 2021-01-03
|
||||||
|
|
||||||
## Signal bridging support via mautrix-signal
|
## Signal bridging support via mautrix-signal
|
||||||
|
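Review bot: The breaking-change entry says the new defaults "removes some weak ciphers" without saying which preset that applies to, and it never mentions the federation risk of `"modern"` that the nginx documentation in this same commit warns about. Qualify the claim as describing the default `"intermediate"` preset (the `old` preset defined in this commit still lists `DES-CBC3-SHA`), add one sentence pointing at the `"modern"` caveat, and fix "It also add some more ciphers" to "adds".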
@ -48,7 +70,6 @@ If you went with the Postgres migration and it went badly for you (some bridge n
|
||||||
- re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`)
|
- re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`)
|
||||||
- [get in touch](README.md#support) with us
|
- [get in touch](README.md#support) with us
|
||||||
|
|
||||||
|
|
||||||
# 2020-12-11
|
# 2020-12-11
|
||||||
|
|
||||||
## synapse-janitor support removed
|
## synapse-janitor support removed
|
||||||
|
|
|
@ -51,7 +51,7 @@ docker run -it --rm \
|
||||||
-v `pwd`:/work \
|
-v `pwd`:/work \
|
||||||
-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
|
-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
|
||||||
--entrypoint=/bin/sh \
|
--entrypoint=/bin/sh \
|
||||||
devture/ansible:2.9.13-r0
|
docker.io/devture/ansible:2.9.14-r0
|
||||||
```
|
```
|
||||||
|
|
||||||
The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).
|
The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).
|
||||||
|
|
|
@ -10,7 +10,7 @@ Use matrix-registration to **create unique registration links**, which people ca
|
||||||
|
|
||||||
- **an API for creating registration tokens** (unique registration links). This API can be used via `curl` or via the playbook (see [Usage](#usage) below)
|
- **an API for creating registration tokens** (unique registration links). This API can be used via `curl` or via the playbook (see [Usage](#usage) below)
|
||||||
|
|
||||||
- **a user registration page**, where people can use these registration tokens. By default, exposed at `https:///matrix.DOMAIN/matrix-registration`
|
- **a user registration page**, where people can use these registration tokens. By default, exposed at `https://matrix.DOMAIN/matrix-registration`
|
||||||
|
|
||||||
|
|
||||||
## Installing
|
## Installing
|
||||||
|
@ -33,15 +33,18 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
**matrix-registration** gets exposed at `https:///matrix.DOMAIN/matrix-registration`
|
**matrix-registration** gets exposed at `https://matrix.DOMAIN/matrix-registration`
|
||||||
|
|
||||||
It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) - for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`.
|
It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) - for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`.
|
||||||
|
|
||||||
We make the most common API (the one for creating unique registration tokens) easy to use via the playbook.
|
We make the most common APIs easy to use via the playbook (see below).
|
||||||
|
|
||||||
**To create a new user registration token (link)**, use this command:
|
|
||||||
|
|
||||||
```
|
### Creating registration tokens
|
||||||
|
|
||||||
|
To **create a new user registration token (link)**, use this command:
|
||||||
|
|
||||||
|
```bash
|
||||||
ansible-playbook -i inventory/hosts setup.yml \
|
ansible-playbook -i inventory/hosts setup.yml \
|
||||||
--tags=generate-matrix-registration-token \
|
--tags=generate-matrix-registration-token \
|
||||||
--extra-vars="one_time=yes ex_date=2021-12-31"
|
--extra-vars="one_time=yes ex_date=2021-12-31"
|
||||||
|
@ -51,3 +54,13 @@ The above command creates and returns a **one-time use** token, which **expires*
|
||||||
Adjust the `one_time` and `ex_date` variables as you see fit.
|
Adjust the `one_time` and `ex_date` variables as you see fit.
|
||||||
|
|
||||||
Share the unique registration link (generated by the command above) with users to let them register on your Matrix server.
|
Share the unique registration link (generated by the command above) with users to let them register on your Matrix server.
|
||||||
|
|
||||||
|
|
||||||
|
### Listing registration tokens
|
||||||
|
|
||||||
|
To **list the existing user registration tokens**, use this command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ansible-playbook -i inventory/hosts setup.yml \
|
||||||
|
--tags=list-matrix-registration-tokens
|
||||||
|
```
|
||||||
|
|
|
@ -24,6 +24,27 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
|
||||||
- 1.1.1.1
|
- 1.1.1.1
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Adjusting SSL in your server
|
||||||
|
|
||||||
|
You can adjust how the SSL is served by the nginx server using the `matrix_nginx_proxy_ssl_preset` variable. We support a few presets, based on the Mozilla Server Side TLS
|
||||||
|
Recommended configurations. These presets influence the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx.
|
||||||
|
Possible values are:
|
||||||
|
|
||||||
|
- `"modern"` - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||||||
|
- `"intermediate"` (**default**) - Recommended configuration for a general-purpose server
|
||||||
|
- `"old"` - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||||||
|
|
||||||
|
**Be really carefull when setting it to `"modern"`**. This could break comunication with other Matrix servers, limiting your federation posibilities. The
|
||||||
|
[Federarion tester](https://federationtester.matrix.org/) also won't work.
|
||||||
|
|
||||||
|
Besides changing the preset (`matrix_nginx_proxy_ssl_preset`), you can also directly override these 3 variables:
|
||||||
|
|
||||||
|
- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols.
|
||||||
|
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negotiating the cipher. It can set to `on` or `off`.
|
||||||
|
- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx.
|
||||||
|
|
||||||
|
For more information about these variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file.
|
||||||
|
|
||||||
## Synapse + OpenID Connect for Single-Sign-On
|
## Synapse + OpenID Connect for Single-Sign-On
|
||||||
|
|
||||||
If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse:
|
If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse:
|
||||||
|
|
|
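Review bot: The new "Adjusting SSL in your server" section has spelling and grammar errors in the warning paragraph and the override list that should be fixed before merge: "carefull", "comunication", "posibilities", "Federarion tester", and the `matrix_nginx_proxy_ssl_prefer_server_ciphers` bullet ("if the server or the client choice when negotiating the cipher. It can set to") is missing words. It would also help to state here that `"modern"` carries an empty cipher list, so the templates render no `ssl_ciphers` directive at all for that preset; the defaults file and the `{% if matrix_nginx_proxy_ssl_ciphers != '' %}` guard make that behaviour real, but the docs do not say it.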
@ -45,7 +45,7 @@ docker run \
|
||||||
--log-driver=none \
|
--log-driver=none \
|
||||||
--network=matrix \
|
--network=matrix \
|
||||||
--env-file=/matrix/postgres/env-postgres-psql \
|
--env-file=/matrix/postgres/env-postgres-psql \
|
||||||
postgres:13.0-alpine \
|
docker.io/postgres:13.1-alpine \
|
||||||
pg_dumpall -h matrix-postgres \
|
pg_dumpall -h matrix-postgres \
|
||||||
| gzip -c \
|
| gzip -c \
|
||||||
> /postgres.sql.gz
|
> /postgres.sql.gz
|
||||||
|
|
72
roles/matrix-aux/defaults/main.yml
Normal file
|
@ -0,0 +1,72 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
# matrix-aux is a role that manages auxiliary files and directories on your Matrix server.
|
||||||
|
#
|
||||||
|
# Certain components (like matrix-synapse, etc.) may sometimes require additional templates (email templates, privacy policies, etc.).
|
||||||
|
# This role allows such files to be managed by the playbook.
|
||||||
|
#
|
||||||
|
# Note that files and directories created via this role are not automatically made available for containers to use.
|
||||||
|
# If you use this role to put files in a directory that's already mounted into a container,
|
||||||
|
# you can access the files without additional work.
|
||||||
|
# Otherwise, you'd need to mount the file/directory to the container that needs it.
|
||||||
|
# Roles usually provide a `matrix_*_additional_volumes` or `matrix_*_container_extra_arguments` variable
|
||||||
|
# that you can use to mount an additional volume.
|
||||||
|
|
||||||
|
# The default permission mode when creating directories using `matrix_aux_directory_definitions`
|
||||||
|
matrix_aux_directory_default_mode: '0750'
|
||||||
|
|
||||||
|
# Holds a list of directories to create on the server.
|
||||||
|
#
|
||||||
|
# By default, directories are:
|
||||||
|
# - created with permissions as specified in `matrix_aux_directory_default_mode`
|
||||||
|
# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`)
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# matrix_aux_directory_definitions:
|
||||||
|
# - dest: /matrix/aux
|
||||||
|
#
|
||||||
|
# - dest: /matrix/another
|
||||||
|
# mode: '0700'
|
||||||
|
# owner: 'some-user'
|
||||||
|
# group: 'some-group'
|
||||||
|
matrix_aux_directory_definitions: []
|
||||||
|
|
||||||
|
# The default permission mode when creating directories using `matrix_aux_directory_definitions`
|
||||||
|
matrix_aux_file_default_mode: '0640'
|
||||||
|
|
||||||
|
# Holds a list of files to create on the server.
|
||||||
|
#
|
||||||
|
# By default, files are:
|
||||||
|
# - created with permissions as specified in `matrix_aux_file_default_mode`
|
||||||
|
# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`)
|
||||||
|
#
|
||||||
|
# You can define the file content inline (in your `vars.yml` file) or as an external file (see the example below).
|
||||||
|
# Defining the content inline in `vars.yml` has the benefit of not splitting your configuration into multiple files,
|
||||||
|
# but rather keeping everything inside `vars.yml` (which also gets backed up on the server in `/matrix/vars.yml`).
|
||||||
|
#
|
||||||
|
# Note: parent paths for files must exist.
|
||||||
|
# If you've defined a file with a destination of `/matrix/some/path/file.txt`,
|
||||||
|
# then you likely need to add `/matrix/some/path` to `matrix_aux_directory_definitions` as well.
|
||||||
|
# You don't need to do this for directories that the playbook already creates for you.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# matrix_aux_file_definitions:
|
||||||
|
# - dest: "{{ matrix_synapse_config_dir_path }}/something.html"
|
||||||
|
# content: |
|
||||||
|
# <!doctype html>
|
||||||
|
# <html><body>Something</body></html>
|
||||||
|
#
|
||||||
|
# - dest: /matrix/aux/some-other-file.txt
|
||||||
|
# content: "Something"
|
||||||
|
# mode: '0600'
|
||||||
|
# owner: 'some-user'
|
||||||
|
# group: 'some-group'
|
||||||
|
#
|
||||||
|
# - dest: /matrix/aux/yet-another-file.txt
|
||||||
|
# content: "{{ lookup('template', '/path/to/file.txt.j2') }}"
|
||||||
|
# mode: '0600'
|
||||||
|
# owner: 'some-user'
|
||||||
|
# group: 'some-group'
|
||||||
|
matrix_aux_file_definitions: []
|
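Review bot: The comment above `matrix_aux_file_default_mode: '0640'` is a copy of the one above `matrix_aux_directory_default_mode` and still reads "when creating directories using `matrix_aux_directory_definitions`". It should describe files created via `matrix_aux_file_definitions`. Since this role is likely to hold templates and policy files managed from `vars.yml`, it is also worth noting in the comments that the inline `content` of every definition ends up in the backed-up `/matrix/vars.yml` mentioned a few lines below, so secrets placed there inherit that file's exposure.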
5
roles/matrix-aux/tasks/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
- import_tasks: "{{ role_path }}/tasks/setup.yml"
|
||||||
|
when: run_stop|bool
|
||||||
|
tags:
|
||||||
|
- setup-all
|
||||||
|
- setup-aux-files
|
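Review bot: The import is gated on `when: run_stop|bool`, yet it imports `tasks/setup.yml` and is tagged `setup-all` and `setup-aux-files`. The matrix-registration imports elsewhere in this commit gate their setup-time tasks on `run_setup|bool`; if the intent is the same here, this should be `when: run_setup|bool`, otherwise the directories and files are only created when a stop is requested. The file also lacks the leading `---` that `tasks/setup.yml` in the same role has.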
19
roles/matrix-aux/tasks/setup.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Ensure AUX directories are created
|
||||||
|
file:
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ item.owner|default(matrix_user_username) }}"
|
||||||
|
group: "{{ item.group|default(matrix_user_groupname) }}"
|
||||||
|
mode: "{{ item.mode|default(matrix_aux_directory_default_mode) }}"
|
||||||
|
with_items: "{{ matrix_aux_directory_definitions }}"
|
||||||
|
|
||||||
|
- name: Ensure AUX files are created
|
||||||
|
copy:
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
content: "{{ item.content }}"
|
||||||
|
owner: "{{ item.owner|default(matrix_user_username) }}"
|
||||||
|
group: "{{ item.group|default(matrix_user_groupname) }}"
|
||||||
|
mode: "{{ item.mode|default(matrix_aux_file_default_mode) }}"
|
||||||
|
with_items: "{{ matrix_aux_file_definitions }}"
|
|
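Review bot: The "Ensure AUX files are created" task loops over `matrix_aux_file_definitions` with `with_items`, and each item carries the full `content`. Ansible prints the loop item for every iteration, so the complete file body lands in the play output and in any captured logs. Add `loop_control` with `label: "{{ item.dest }}"` to both tasks so only the destination path is shown. Minor: the `file` task uses `dest:`, which works as an alias, but `path:` is the documented name for that module.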
@ -219,8 +219,46 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
||||||
# a new SSL certificate could go into effect.
|
# a new SSL certificate could go into effect.
|
||||||
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
||||||
|
|
||||||
# Specifies which SSL protocols to use when serving all the various vhosts
|
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
||||||
matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
|
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
||||||
|
#
|
||||||
|
# The posible values are:
|
||||||
|
# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||||||
|
# - "intermediate" - Recommended configuration for a general-purpose server
|
||||||
|
# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||||||
|
#
|
||||||
|
# For more information visit:
|
||||||
|
# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||||
|
# - https://ssl-config.mozilla.org/#server=nginx
|
||||||
|
matrix_nginx_proxy_ssl_preset: "intermediate"
|
||||||
|
|
||||||
|
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
||||||
|
# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`
|
||||||
|
# if you wish to use something more custom.
|
||||||
|
matrix_nginx_proxy_ssl_presets:
|
||||||
|
modern:
|
||||||
|
protocols: TLSv1.3
|
||||||
|
ciphers: ""
|
||||||
|
prefer_server_ciphers: "off"
|
||||||
|
intermediate:
|
||||||
|
protocols: TLSv1.2 TLSv1.3
|
||||||
|
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
|
prefer_server_ciphers: "off"
|
||||||
|
old:
|
||||||
|
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
||||||
|
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
||||||
|
prefer_server_ciphers: "on"
|
||||||
|
|
||||||
|
|
||||||
|
# Specifies which *SSL protocols* to use when serving all the various vhosts.
|
||||||
|
matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"
|
||||||
|
|
||||||
|
# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers.
|
||||||
|
matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"
|
||||||
|
|
||||||
|
# Specifies which *SSL Cipher suites* to use when serving all the various vhosts.
|
||||||
|
# To see the full list for suportes ciphers run `openssl ciphers` on your server
|
||||||
|
matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"
|
||||||
|
|
||||||
# Controls whether the self-check feature should validate SSL certificates.
|
# Controls whether the self-check feature should validate SSL certificates.
|
||||||
matrix_nginx_proxy_self_check_validate_certificates: true
|
matrix_nginx_proxy_self_check_validate_certificates: true
|
||||||
|
|
|
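Review bot: The "DO NOT modify these values" comment above `matrix_nginx_proxy_ssl_presets` names `matrix_nginx_proxy_ssl_ciphers` twice and never mentions the third override. The list should read `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_prefer_server_ciphers` and `matrix_nginx_proxy_ssl_ciphers`, matching the three variables defined right below. Also fix "posible" and "suportes" in the comments, and consider a one-line comment on the `modern` entry explaining that `ciphers: ""` is intentional and causes the templates to skip the `ssl_ciphers` directive.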
@ -18,3 +18,9 @@
|
||||||
msg: >-
|
msg: >-
|
||||||
`matrix_ssl_retrieval_method` needs to be set to a known value.
|
`matrix_ssl_retrieval_method` needs to be set to a known value.
|
||||||
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
|
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
|
||||||
|
|
||||||
|
- name: Fail on unknown matrix_nginx_proxy_ssl_config
|
||||||
|
fail:
|
||||||
|
msg: >-
|
||||||
|
`matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
|
||||||
|
when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
|
||||||
|
|
|
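Review bot: The new task is named "Fail on unknown matrix_nginx_proxy_ssl_config", but the variable it checks and names in the message is `matrix_nginx_proxy_ssl_preset`; rename the task so a failure in the play output points at the right variable. The allowed values are also hard-coded as `['modern', 'intermediate', 'old']`, duplicating the keys of `matrix_nginx_proxy_ssl_presets`; testing `matrix_nginx_proxy_ssl_preset not in matrix_nginx_proxy_ssl_presets` keeps the check in step with the presets dictionary if a preset is added or renamed.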
@ -67,9 +67,12 @@ server {
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem;
|
||||||
|
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
{% if matrix_nginx_proxy_ssl_ciphers != "" %}
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||||
|
{% endif %}
|
||||||
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
|
|
|
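Review bot: The replaced line quoted its value (`ssl_ciphers "EECDH+AESGCM:...";`), while the new `ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};` is unquoted. The presets contain no whitespace, but this variable is documented as user-overridable, and a custom value containing a space would be split into several directive arguments and make nginx reject the configuration. Keeping the quotes around the rendered value avoids that. This hunk also tests `!= ""` where the same block in the other vhost templates uses `!= ''`; pick one form.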
@ -65,9 +65,12 @@ server {
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem;
|
||||||
|
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||||
|
{% endif %}
|
||||||
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,9 +58,12 @@ server {
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem;
|
||||||
|
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||||
|
{% endif %}
|
||||||
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
|
|
|
@ -86,9 +86,12 @@ server {
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem;
|
||||||
|
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||||
|
{% endif %}
|
||||||
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
|
|
|
@ -55,9 +55,12 @@ server {
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem;
|
||||||
|
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||||
|
{% endif %}
|
||||||
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
|
|
|
@ -203,9 +203,12 @@ server {
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
|
||||||
|
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||||
|
{% endif %}
|
||||||
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||||
|
|
||||||
{{ render_vhost_directives() }}
|
{{ render_vhost_directives() }}
|
||||||
}
|
}
|
||||||
|
@ -235,9 +238,13 @@ server {
|
||||||
{% if matrix_nginx_proxy_https_enabled %}
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};
|
ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};
|
||||||
ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};
|
ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||||
|
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||||
|
{% endif %}
|
||||||
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
|
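Review bot: This is the seventh copy in this commit of the same block (`ssl_protocols`, the guarded `ssl_ciphers`, `ssl_prefer_server_ciphers`), and the copies already differ slightly in quoting and blank lines. The templates already share a `render_vhost_directives()` macro for each vhost; a small shared macro or include for the SSL directives would keep the federation listener and the other vhosts from drifting apart the next time the TLS settings change.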
29
roles/matrix-registration/tasks/list_tokens.yml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
- name: Call matrix-registration list all tokens API
|
||||||
|
uri:
|
||||||
|
url: "{{ matrix_registration_api_token_endpoint }}"
|
||||||
|
follow_redirects: none
|
||||||
|
validate_certs: "{{ matrix_registration_api_validate_certs }}"
|
||||||
|
headers:
|
||||||
|
Content-Type: application/json
|
||||||
|
Authorization: "SharedSecret {{ matrix_registration_admin_secret }}"
|
||||||
|
method: GET
|
||||||
|
body_format: json
|
||||||
|
check_mode: no
|
||||||
|
register: matrix_registration_api_result
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
matrix_registration_api_result_message: >-
|
||||||
|
matrix-registration result:
|
||||||
|
|
||||||
|
{{ matrix_registration_api_result.json | to_nice_json }}
|
||||||
|
check_mode: no
|
||||||
|
|
||||||
|
- name: Inject result message into matrix_playbook_runtime_results
|
||||||
|
set_fact:
|
||||||
|
matrix_playbook_runtime_results: |
|
||||||
|
{{
|
||||||
|
matrix_playbook_runtime_results|default([])
|
||||||
|
+
|
||||||
|
[matrix_registration_api_result_message]
|
||||||
|
}}
|
||||||
|
check_mode: no
|
|
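Review bot: The `uri` task puts `matrix_registration_admin_secret` into the `Authorization` header and has no `no_log`, so the task arguments, header included, can be shown when the playbook is run with increased verbosity. Since the response is surfaced separately through `matrix_registration_api_result_message`, setting `no_log: true` on the `uri` task costs nothing for the user. Smaller points: `body_format: json` and the `Content-Type` header have no effect on a `GET` with no body, and the middle `set_fact` task has no `name`, unlike the tasks around it.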
@ -24,3 +24,8 @@
|
||||||
when: "run_setup|bool and matrix_registration_enabled|bool"
|
when: "run_setup|bool and matrix_registration_enabled|bool"
|
||||||
tags:
|
tags:
|
||||||
- generate-matrix-registration-token
|
- generate-matrix-registration-token
|
||||||
|
|
||||||
|
- import_tasks: "{{ role_path }}/tasks/list_tokens.yml"
|
||||||
|
when: "run_setup|bool and matrix_registration_enabled|bool"
|
||||||
|
tags:
|
||||||
|
- list-matrix-registration-tokens
|
||||||
|
|
|
@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
|
||||||
# The if statement below may look silly at times (leading to the same version being returned),
|
# The if statement below may look silly at times (leading to the same version being returned),
|
||||||
# but ARM-compatible container images are only released 1-7 hours after a release,
|
# but ARM-compatible container images are only released 1-7 hours after a release,
|
||||||
# so we may often be on different versions for different architectures when new Synapse releases come out.
|
# so we may often be on different versions for different architectures when new Synapse releases come out.
|
||||||
matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}"
|
matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}"
|
||||||
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
|
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
|
||||||
|
|
||||||
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
|
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
|
||||||
|
|
|
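Review bot: The tag expression now yields `v1.25.0` for `amd64` but still `v1.24.0` for every other architecture, while the homeserver template in this same commit deletes the active `federation_ip_range_blacklist:` block and adds `ip_range_blacklist` only as a commented-out example that "replaces federation_ip_range_blacklist in Synapse v1.25.0". The removed comment states that when the old option is not specified "no ip range blacklist will be enforced", so non-amd64 hosts that stay on v1.24.0 would be rendered a configuration with no outbound IP blacklist at all. Either keep emitting `federation_ip_range_blacklist` while the non-amd64 tag is below v1.25.0, or hold the template change until both branches of this expression are on v1.25.0.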
@ -33,3 +33,12 @@
|
||||||
- {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
|
- {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
|
||||||
- {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
|
- {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
|
||||||
- {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
|
- {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
|
||||||
|
|
||||||
|
- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
|
||||||
|
fail:
|
||||||
|
msg: >-
|
||||||
|
Your matrix_synapse_configuration_extension_yaml configuration contains a variable, which now has a different name.
|
||||||
|
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
|
||||||
|
when: "item.old in matrix_synapse_configuration_extension"
|
||||||
|
with_items:
|
||||||
|
- {'old': 'federation_ip_range_blacklist', 'new': 'ip_range_blacklist'}
|
||||||
|
|
|
@ -120,6 +120,47 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
|
||||||
#
|
#
|
||||||
#enable_search: false
|
#enable_search: false
|
||||||
|
|
||||||
|
# Prevent outgoing requests from being sent to the following blacklisted IP address
|
||||||
|
# CIDR ranges. If this option is not specified then it defaults to private IP
|
||||||
|
# address ranges (see the example below).
|
||||||
|
#
|
||||||
|
# The blacklist applies to the outbound requests for federation, identity servers,
|
||||||
|
# push servers, and for checking key validity for third-party invite events.
|
||||||
|
#
|
||||||
|
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
|
||||||
|
# listed here, since they correspond to unroutable addresses.)
|
||||||
|
#
|
||||||
|
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
|
||||||
|
#
|
||||||
|
#ip_range_blacklist:
|
||||||
|
# - '127.0.0.0/8'
|
||||||
|
# - '10.0.0.0/8'
|
||||||
|
# - '172.16.0.0/12'
|
||||||
|
# - '192.168.0.0/16'
|
||||||
|
# - '100.64.0.0/10'
|
||||||
|
# - '192.0.0.0/24'
|
||||||
|
# - '169.254.0.0/16'
|
||||||
|
# - '198.18.0.0/15'
|
||||||
|
# - '192.0.2.0/24'
|
||||||
|
# - '198.51.100.0/24'
|
||||||
|
# - '203.0.113.0/24'
|
||||||
|
# - '224.0.0.0/4'
|
||||||
|
# - '::1/128'
|
||||||
|
# - 'fe80::/10'
|
||||||
|
# - 'fc00::/7'
|
||||||
|
|
||||||
|
# List of IP address CIDR ranges that should be allowed for federation,
|
||||||
|
# identity servers, push servers, and for checking key validity for
|
||||||
|
# third-party invite events. This is useful for specifying exceptions to
|
||||||
|
# wide-ranging blacklisted target IP ranges - e.g. for communication with
|
||||||
|
# a push server only visible in your network.
|
||||||
|
#
|
||||||
|
# This whitelist overrides ip_range_blacklist and defaults to an empty
|
||||||
|
# list.
|
||||||
|
#
|
||||||
|
#ip_range_whitelist:
|
||||||
|
# - '192.168.1.1'
|
||||||
|
|
||||||
# List of ports that Synapse should listen on, their purpose and their
|
# List of ports that Synapse should listen on, their purpose and their
|
||||||
# configuration.
|
# configuration.
|
||||||
#
|
#
|
||||||
|
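Review bot: `#ip_range_blacklist:` and `#ip_range_whitelist:` are added here only as commented samples with no Jinja variable behind them, so the only way to set either from the playbook is `matrix_synapse_configuration_extension_yaml`. Because the comment states that the whitelist overrides `ip_range_blacklist`, and the blacklist now guards federation, identity server, push server and third-party invite key requests, any whitelist entry reopens all four paths to that target. Suggest a short playbook-level comment above `#ip_range_whitelist:` advising single hosts, as in the `'192.168.1.1'` sample, rather than whole subnets.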
@ -633,27 +674,6 @@ acme:
|
||||||
federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
|
federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# Prevent federation requests from being sent to the following
|
|
||||||
# blacklist IP address CIDR ranges. If this option is not specified, or
|
|
||||||
# specified with an empty list, no ip range blacklist will be enforced.
|
|
||||||
#
|
|
||||||
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
|
|
||||||
# servers provided by user input.
|
|
||||||
#
|
|
||||||
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
|
|
||||||
# listed here, since they correspond to unroutable addresses.)
|
|
||||||
#
|
|
||||||
federation_ip_range_blacklist:
|
|
||||||
- '127.0.0.0/8'
|
|
||||||
- '10.0.0.0/8'
|
|
||||||
- '172.16.0.0/12'
|
|
||||||
- '192.168.0.0/16'
|
|
||||||
- '100.64.0.0/10'
|
|
||||||
- '169.254.0.0/16'
|
|
||||||
- '::1/128'
|
|
||||||
- 'fe80::/64'
|
|
||||||
- 'fc00::/7'
|
|
||||||
|
|
||||||
# Report prometheus metrics on the age of PDUs being sent to and received from
|
# Report prometheus metrics on the age of PDUs being sent to and received from
|
||||||
# the following domains. This can be used to give an idea of "delay" on inbound
|
# the following domains. This can be used to give an idea of "delay" on inbound
|
||||||
# and outbound federation, though be aware that any delay can be due to problems
|
# and outbound federation, though be aware that any delay can be due to problems
|
||||||
|
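Review bot: dropping the explicit `federation_ip_range_blacklist:` list is only safe when the deployed Synapse is v1.25.0 or later, which is the version the new comment names for `ip_range_blacklist`. The removed comment says that an unspecified list means "no ip range blacklist will be enforced", so on an older Synapse this rendered config would leave outbound federation requests unfiltered. Please confirm that the Synapse version pin is raised in the same merge. On v1.25.0 and later the effective list gets wider, not narrower: `'fe80::/10'` replaces `'fe80::/64'` and the test-net, benchmark and multicast ranges are added.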
@ -919,9 +939,15 @@ url_preview_ip_range_blacklist:
|
||||||
- '172.16.0.0/12'
|
- '172.16.0.0/12'
|
||||||
- '192.168.0.0/16'
|
- '192.168.0.0/16'
|
||||||
- '100.64.0.0/10'
|
- '100.64.0.0/10'
|
||||||
|
- '192.0.0.0/24'
|
||||||
- '169.254.0.0/16'
|
- '169.254.0.0/16'
|
||||||
|
- '198.18.0.0/15'
|
||||||
|
- '192.0.2.0/24'
|
||||||
|
- '198.51.100.0/24'
|
||||||
|
- '203.0.113.0/24'
|
||||||
|
- '224.0.0.0/4'
|
||||||
- '::1/128'
|
- '::1/128'
|
||||||
- 'fe80::/64'
|
- 'fe80::/10'
|
||||||
- 'fc00::/7'
|
- 'fc00::/7'
|
||||||
|
|
||||||
# List of IP address CIDR ranges that the URL preview spider is allowed
|
# List of IP address CIDR ranges that the URL preview spider is allowed
|
||||||
|
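Review bot: the entries added under `url_preview_ip_range_blacklist:` (`'192.0.0.0/24'` through `'224.0.0.0/4'`, and `'fe80::/10'` in place of `'fe80::/64'`) now repeat, entry for entry, the commented default shown for `ip_range_blacklist` earlier in this template, and both are literals. Widening to `'fe80::/10'` is correct because it is the full link-local block. The two lists will drift the next time upstream changes one of them, so suggest a one-line comment here saying this list is kept in step with the `ip_range_blacklist` defaults.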
@ -1776,7 +1802,8 @@ oidc_config:
|
||||||
# * user: The claims returned by the UserInfo Endpoint and/or in the ID
|
# * user: The claims returned by the UserInfo Endpoint and/or in the ID
|
||||||
# Token
|
# Token
|
||||||
#
|
#
|
||||||
# This must be configured if using the default mapping provider.
|
# If this is not set, the user will be prompted to choose their
|
||||||
|
# own username.
|
||||||
#
|
#
|
||||||
localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
|
localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
|
||||||
|
|
||||||
|
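Review bot: the reworded comment above `localpart_template` says that leaving it unset makes Synapse prompt the user to choose a username, but the template still emits `localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"` unconditionally, so the documented behaviour cannot be reached from this playbook. Suggest either exposing the value as a playbook variable or adding a playbook-specific comment line saying that the localpart is always taken from the identity provider's `preferred_username` claim.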
@ -1854,11 +1881,8 @@ sso:
|
||||||
# - https://my.custom.client/
|
# - https://my.custom.client/
|
||||||
|
|
||||||
# Directory in which Synapse will try to find the template files below.
|
# Directory in which Synapse will try to find the template files below.
|
||||||
# If not set, default templates from within the Synapse package will be used.
|
# If not set, or the files named below are not found within the template
|
||||||
#
|
# directory, default templates from within the Synapse package will be used.
|
||||||
# DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
|
|
||||||
# If you *do* uncomment it, you will need to make sure that all the templates
|
|
||||||
# below are in the directory.
|
|
||||||
#
|
#
|
||||||
# Synapse will look for the following templates in this directory:
|
# Synapse will look for the following templates in this directory:
|
||||||
#
|
#
|
||||||
|
@ -1987,6 +2011,56 @@ password_config:
|
||||||
#
|
#
|
||||||
pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}
|
pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}
|
||||||
|
|
||||||
|
# Define and enforce a password policy. Each parameter is optional.
|
||||||
|
# This is an implementation of MSC2000.
|
||||||
|
#
|
||||||
|
policy:
|
||||||
|
# Whether to enforce the password policy.
|
||||||
|
# Defaults to 'false'.
|
||||||
|
#
|
||||||
|
#enabled: true
|
||||||
|
|
||||||
|
# Minimum accepted length for a password.
|
||||||
|
# Defaults to 0.
|
||||||
|
#
|
||||||
|
#minimum_length: 15
|
||||||
|
|
||||||
|
# Whether a password must contain at least one digit.
|
||||||
|
# Defaults to 'false'.
|
||||||
|
#
|
||||||
|
#require_digit: true
|
||||||
|
|
||||||
|
# Whether a password must contain at least one symbol.
|
||||||
|
# A symbol is any character that's not a number or a letter.
|
||||||
|
# Defaults to 'false'.
|
||||||
|
#
|
||||||
|
#require_symbol: true
|
||||||
|
|
||||||
|
# Whether a password must contain at least one lowercase letter.
|
||||||
|
# Defaults to 'false'.
|
||||||
|
#
|
||||||
|
#require_lowercase: true
|
||||||
|
|
||||||
|
# Whether a password must contain at least one lowercase letter.
|
||||||
|
# Defaults to 'false'.
|
||||||
|
#
|
||||||
|
#require_uppercase: true
|
||||||
|
|
||||||
|
ui_auth:
|
||||||
|
# The number of milliseconds to allow a user-interactive authentication
|
||||||
|
# session to be active.
|
||||||
|
#
|
||||||
|
# This defaults to 0, meaning the user is queried for their credentials
|
||||||
|
# before every action, but this can be overridden to alow a single
|
||||||
|
# validation to be re-used. This weakens the protections afforded by
|
||||||
|
# the user-interactive authentication process, by allowing for multiple
|
||||||
|
# (and potentially different) operations to use the same validation session.
|
||||||
|
#
|
||||||
|
# Uncomment below to allow for credential validation to last for 15
|
||||||
|
# seconds.
|
||||||
|
#
|
||||||
|
#session_timeout: 15000
|
||||||
|
|
||||||
|
|
||||||
{% if matrix_synapse_email_enabled %}
|
{% if matrix_synapse_email_enabled %}
|
||||||
# Configuration for sending emails from Synapse.
|
# Configuration for sending emails from Synapse.
|
||||||
|
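Review bot: the comment above `#require_uppercase: true` reads "Whether a password must contain at least one lowercase letter.", copied from the `require_lowercase` entry just before it; it should say uppercase. The `ui_auth` comment also has "alow" for "allow". Separately, every `policy:` child is left commented, and the comments give `enabled` a default of 'false' and `minimum_length` a default of 0, so no password policy is enforced after this change and the playbook offers no variable to turn one on. The same holds for `#session_timeout: 15000`, where the default of 0 (re-authenticate for every action) is the safer value and is fine to keep. Suggest exposing at least `enabled` and `minimum_length` as playbook variables.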
@ -2061,9 +2135,8 @@ email:
|
||||||
#validation_token_lifetime: 15m
|
#validation_token_lifetime: 15m
|
||||||
|
|
||||||
# Directory in which Synapse will try to find the template files below.
|
# Directory in which Synapse will try to find the template files below.
|
||||||
# If not set, default templates from within the Synapse package will be used.
|
# If not set, or the files named below are not found within the template
|
||||||
#
|
# directory, default templates from within the Synapse package will be used.
|
||||||
# Do not uncomment this setting unless you want to customise the templates.
|
|
||||||
#
|
#
|
||||||
# Synapse will look for the following templates in this directory:
|
# Synapse will look for the following templates in this directory:
|
||||||
#
|
#
|
||||||
|
@ -2309,7 +2382,7 @@ enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }}
|
||||||
# If enabled, non server admins can only create groups with local parts
|
# If enabled, non server admins can only create groups with local parts
|
||||||
# starting with this prefix
|
# starting with this prefix
|
||||||
#
|
#
|
||||||
#group_creation_prefix: "unofficial/"
|
#group_creation_prefix: "unofficial_"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -2580,6 +2653,13 @@ opentracing:
|
||||||
#
|
#
|
||||||
#run_background_tasks_on: worker1
|
#run_background_tasks_on: worker1
|
||||||
|
|
||||||
|
# A shared secret used by the replication APIs to authenticate HTTP requests
|
||||||
|
# from workers.
|
||||||
|
#
|
||||||
|
# By default this is unused and traffic is not authenticated.
|
||||||
|
#
|
||||||
|
#worker_replication_secret: ""
|
||||||
|
|
||||||
|
|
||||||
# Configuration for Redis when using workers. This *must* be enabled when
|
# Configuration for Redis when using workers. This *must* be enabled when
|
||||||
# using workers (unless using old style direct TCP configuration).
|
# using workers (unless using old style direct TCP configuration).
|
||||||
|
|
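Review bot: `#worker_replication_secret: ""` is added as a commented sample only, and the comment above it states that by default "traffic is not authenticated", so any deployment of this template that runs workers keeps unauthenticated replication HTTP between workers and the main process. Suggest wiring the value to a playbook variable and rendering the line whenever workers are enabled, with the same `|to_json` quoting that `pepper:` uses in this file.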