diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 00000000..6313b56c --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +* text=auto eol=lf diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index d10ebec5..8e7df118 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -13,7 +13,7 @@ jobs: - name: Check out uses: actions/checkout@v4 - name: Run yamllint - uses: frenck/action-yamllint@v1.4.1 + uses: frenck/action-yamllint@v1.4.2 ansible-lint: name: ansible-lint runs-on: ubuntu-latest diff --git a/CHANGELOG.md b/CHANGELOG.md index ef60d027..8fcf0eb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,35 @@ +# 2023-10-23 + +## Enabling `allow_public_rooms_over_federation` by default for Synapse + +**TDLR**: if your Matrix server is federating (which it mostly likely is, unless you've [disabled federation](docs/configuring-playbook-federation.md#disabling-federation)), your public rooms will not only be joinable across federation (as they've always been), but from now on will be discoverable (made available as a list across federation). We're changing this by flipping the value for Synapse's `allow_public_rooms_over_federation` setting to `true`, going against the upstream default. Servers that disable federation are not affected. Servers that have public rooms which are not published to the room directory are also not affected. + +We generally try to stick to the default configuration for Synapse (and all other components), unless these defaults seem wrong or harmful. One such previous case from a few months ago was us [Enabling `forget_rooms_on_leave` by default for Synapse](#enabling-forget_rooms_on_leave-by-default-for-synapse) - the default value was making Synapse more wasteful of resources by default. + +Today, we're going against upstream defaults again and flipping the `allow_public_rooms_over_federation` configuration option to `true`. +This way, public rooms on your server will be made discoverable by others via federation, using the [`GET /_matrix/federation/v1/publicRooms` of the Server-Server API](https://spec.matrix.org/v1.8/server-server-api/#get_matrixfederationv1publicrooms). + +The upstream Synapse default is `false` (disabled), so that public rooms are not exposed for other servers to discover (learn about their existence). Nevertheless, even if these rooms are not exposed (listed) for discovery, they are **still joinable** by anyone who knows their address or is invited to the room by an existing member. + +**We go against the upstream default** in an effort to make Matrix federation more useful - a public room should be globally public - not only joinable, but also discoverable across federation. + +The **historical reasoning** behind this change is as follows: + +- `allow_public_rooms_over_federation` seems to have been enabled by default for Synapse until v1.7.0 (~2019), just like we believe it should be for a globally-federating network - rooms should be joinable and discoverable across federation. + +- In Synapse v1.7.0 (~2019), `allow_public_rooms_over_federation` [got disabled](https://github.com/matrix-org/synapse/blob/e9069c9f919685606506f04527332e83fbfa44d9/docs/upgrade.md?plain=1#L1877-L1891) by default in a [security-by-obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity) workaround for misconfigured servers. See the [Avoiding unwelcome visitors on private Matrix servers](https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers/) `matrix.org` blog article. We believe that people wishing for a truly private server, should [disable federation](docs/configuring-playbook-federation.md#disabling-federation), instead of having a fully-federating server and trying to hide its public rooms. We also provide other workarounds below. We (and the Synapse team, obviously) believe that Matrix should federate by default, so federating the public room list seems to make sense. + +- [etke.cc](https://etke.cc/) has been developing the free-software [Matrix Rooms Search](https://gitlab.com/etke.cc/mrs) project for a while now. One public (demo) instance of it is hosted at [matrixrooms.info](https://matrixrooms.info/). This search engine tries to go through the Matrix federation and discover & index public rooms to allow people to find them. We believe it's vital for Matrix (and any chat or social network for that matter) to be more discoverable, so that people can find communities and others to talk to. Today (on 23rd of October 2023), `matrixrooms.info` is indexing `23066` Matrix servers. Of these, only `1567` servers (7%) are making their public rooms discoverable. Who knows what wonderful communities and rooms are available on these 93% other Matrix servers that are supposedly federating, but are still gate-keeping their public room list. Indubitably, many of these servers are hosted via matrix-docker-ansible-deploy, so we feel partially responsible for making Matrix federation less useful. + +Here are **actions you may wish to take** as a result of this change: + +- (recommended) embrace the new default. If your Matrix server is federating, your public rooms have always been joinable across federation anyway. Exposing the list of public rooms does no harm and more-so does good by contributing to the usefulness of the Matrix network by facilitating room discovery. + +- (switch to a better way of doings things on your semi-private server) The problem that the Synapse team appears to have solved by flipping the `allow_public_rooms_over_federation` default in Synapse v1.7.0 seems to for "mostly private" servers, which federate and have a bunch of rooms made public (and published in their room directory) in an effort to allow people on the same homeserver to easily find and join them (self-onboarding). With the introduction of Matrix Spaces, you can reorganize your flow around spaces - you can auto-join your users to a Matrix Space (via Synapse's `auto_join_rooms` setting - controlled by our `matrix_synapse_auto_join_rooms` variable), then add a bunch of rooms to the space and make them joinable by people belonging to the space. That is to say, do not make rooms public and do not publish them to the room directory unless they are really public. Instead, use other mechanisms for semi-public rooms or private rooms. One alternative is to stick to what you're doing (public rooms published to your rooms directory) but having a `m.federate: true` flag set during creation (clients like Element have a nice UI checkbox for this) to explicitly disable federation for them. + +- (keeping the old behavior) if you wish to keep doing what you're doing (keeping your Matrix server federating, but hiding its public rooms list), add `matrix_synapse_allow_public_rooms_over_federation: false` to your `vars.yml` configuration. This restores the old behavior. You may also consider [disabling federation](docs/configuring-playbook-federation.md#disabling-federation) completely instead of relying on security-by-obscurity measures. + + # 2023-10-18 ## Postgres parameters are automatically tuned now diff --git a/docs/configuring-playbook-bridge-beeper-linkedin.md b/docs/configuring-playbook-bridge-beeper-linkedin.md index 6ec294fb..a51b2781 100644 --- a/docs/configuring-playbook-bridge-beeper-linkedin.md +++ b/docs/configuring-playbook-bridge-beeper-linkedin.md @@ -32,14 +32,10 @@ You may wish to look at `roles/custom/matrix-bridge-beeper-linkedin/templates/co ## Set up Double Puppeting -If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. - -### Method 1: automatically, by enabling Shared Secret Auth +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have to enable Shared Secred Auth. The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. -This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. - ## Usage diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md index a7aab981..f5bc6f76 100644 --- a/docs/configuring-playbook-sliding-sync-proxy.md +++ b/docs/configuring-playbook-sliding-sync-proxy.md @@ -8,7 +8,7 @@ See the project's [documentation](https://github.com/matrix-org/sliding-sync) to Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi). -Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version. +Element X Android is [available on the Github Releases page](https://github.com/vector-im/element-x-android/releases). **NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync. diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index 2c7b3dde..17c6b6ea 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf @@ -37,6 +37,7 @@ # Keep some URIs free for different proxy/location ProxyPassMatch ^/.well-known/matrix/client ! ProxyPassMatch ^/.well-known/matrix/server ! + ProxyPassMatch ^/.well-known/matrix/support ! ProxyPassMatch ^/_matrix/identity ! ProxyPassMatch ^/_matrix/client/r0/user_directory/search ! @@ -46,11 +47,11 @@ ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client - + # Proxy Admin API (necessary for Synapse-Admin) # ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon # ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin - + # Proxy Synapse-Admin # ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon # ProxyPassReverse /synapse-admin http://127.0.0.1:8766 @@ -64,6 +65,7 @@ Header always set Content-Type "application/json" Header always set Access-Control-Allow-Origin "*" + # Map /.well-known/matrix/server for server discovery Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server @@ -72,6 +74,16 @@ Header always set Content-Type "application/json" + + # Map /.well-known/matrix/support for support discovery + Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support + + Require all granted + + + Header always set Content-Type "application/json" + + AllowOverride All # Apache 2.4: diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2ca07dce..9b27fcb4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2491,6 +2491,8 @@ jitsi_base_path: "{{ matrix_base_data_path }}/jitsi" jitsi_uid: "{{ matrix_user_uid }}" jitsi_gid: "{{ matrix_user_gid }}" +jitsi_user_username: "{{ matrix_user_username }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Jitsi HTTP port to the local host. @@ -2551,6 +2553,7 @@ jitsi_etherpad_enabled: "{{ etherpad_enabled }}" jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" # Allow verification using JWT and matrix-UVS +jitsi_prosody_auth_matrix_uvs_sync_power_levels: "{{ matrix_user_verification_service_enabled }}" jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}" @@ -4300,9 +4303,6 @@ matrix_user_creator_users_auto: | # ###################################################################### -## FIXME: Needs to be updated when there is a proper release by upstream. -matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270" - matrix_user_verification_service_enabled: false matrix_user_verification_service_systemd_required_services_list: | {{ diff --git a/requirements.yml b/requirements.yml index 2b0ccc8d..cbda8ec8 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-1 name: auxiliary - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.6-1.8.3-0 + version: v1.2.6-1.8.4-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git @@ -18,7 +18,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git version: v16.0-8 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git - version: a0cc7c1c696872ba8880d9c5e5a54098de825030 + version: d2c2585fe3f5ebf39045bc90c97ee160e1341594 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.5-0 + version: v2.10.5-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git @@ -35,9 +35,9 @@ version: 7.0.1 name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v10.1.5-0 + version: v10.2.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v8960-1 + version: v8960-3 name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.7.0-2 diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index efd39620..4e8f709f 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -5,7 +5,7 @@ matrix_bot_chatgpt_enabled: true # renovate: datasource=docker depName=ghcr.io/matrixgpt/matrix-chatgpt-bot -matrix_bot_chatgpt_version: 3.1.2 +matrix_bot_chatgpt_version: 3.1.4 matrix_bot_chatgpt_container_image_self_build: false matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot" diff --git a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml index 0bd59951..c8d1bf94 100644 --- a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml @@ -5,7 +5,7 @@ matrix_heisenbridge_enabled: true # renovate: datasource=docker depName=hif1/heisenbridge -matrix_heisenbridge_version: 1.14.5 +matrix_heisenbridge_version: 1.14.6 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index 518c021c..5ab1bd38 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_cinny_container_image_self_build: false matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" # renovate: datasource=docker depName=ajbura/cinny -matrix_client_cinny_version: v2.2.6 +matrix_client_cinny_version: v3.2.0 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 484881f7..63b95db9 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -11,7 +11,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" # renovate: datasource=docker depName=vectorim/element-web -matrix_client_element_version: v1.11.46 +matrix_client_element_version: v1.11.48 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index f63030ee..9830021b 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -11,7 +11,7 @@ matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith" matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}" # renovate: datasource=docker depName=matrixdotorg/dendrite-monolith -matrix_dendrite_docker_image_tag: "v0.13.3" +matrix_dendrite_docker_image_tag: "v0.13.4" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 996597f9..5a990dbb 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,8 +7,8 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -# renovate: datasource=docker depName=linuxserver/ddclient -matrix_dynamic_dns_version: v3.10.0-ls136 +# renovate: datasource=docker depName=linuxserver/ddclient versioning=semver +matrix_dynamic_dns_version: 3.11.1 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 36eb7aa4..36064480 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -2,7 +2,7 @@ # Project source code URL: https://github.com/nginx/nginx matrix_nginx_proxy_enabled: true # renovate: datasource=docker depName=nginx -matrix_nginx_proxy_version: 1.25.2-alpine +matrix_nginx_proxy_version: 1.25.3-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but @@ -331,6 +331,12 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/user_directory/search -> /_matrix/client/r0/user_directory/search). +# This is to assist identity servers which only handle the r0 endpoints. +# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides. +# If this is disabled, API requests will be forwarded as-is, without any URL rewriting. +matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled: true + # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). # This allows another service to control registrations involving 3PIDs. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md @@ -338,6 +344,12 @@ matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken). +# This is to assist identity servers which only handle the r0 endpoints. +# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides. +# If this is disabled, API requests will be forwarded as-is, without any URL rewriting. +matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled: true + # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 8ecaf64e..d28cbf15 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -119,7 +119,7 @@ # Redirect other endpoints registered by the media-repo to its container # /_matrix/client/r0/logout # /_matrix/client/r0/logout/all - location ^~ /_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) { + location ~ ^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; @@ -142,7 +142,7 @@ # Redirect other endpoints registered by the media-repo to its container # /_matrix/client/r0/admin/purge_media_cache # /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} - location ^~ /_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) { + location ~ ^/_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; @@ -185,13 +185,19 @@ {% endif %} {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} - location ^~ /_matrix/client/r0/user_directory/search { + location ~ ^/_matrix/client/(r0|v3)/user_directory/search { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}"; + {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %} + rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; + {% endif %} proxy_pass http://$backend; {% else %} + {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %} + rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; + {% endif %} {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }}; {% endif %} @@ -202,13 +208,19 @@ {% endif %} {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %} - location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ { + location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; + {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %} + rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; + {% endif %} proxy_pass http://$backend; {% else %} + {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %} + rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break; + {% endif %} {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}; {% endif %} diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml index aaa257ff..f7ebdee8 100644 --- a/roles/custom/matrix-sliding-sync/defaults/main.yml +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml @@ -6,7 +6,7 @@ matrix_sliding_sync_enabled: true # renovate: datasource=docker depName=ghcr.io/matrix-org/sliding-sync -matrix_sliding_sync_version: v0.99.11 +matrix_sliding_sync_version: v0.99.12 matrix_sliding_sync_scheme: https diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index 28a2dae6..5cd68f2a 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml @@ -26,7 +26,7 @@ matrix_synapse_reverse_proxy_companion_enabled: true # renovate: datasource=docker depName=nginx -matrix_synapse_reverse_proxy_companion_version: 1.25.2-alpine +matrix_synapse_reverse_proxy_companion_version: 1.25.3-alpine matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion" matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d" diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 3ad23058..2dda2cf3 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true # renovate: datasource=docker depName=matrixdotorg/synapse -matrix_synapse_version: v1.94.0 +matrix_synapse_version: v1.95.1 matrix_synapse_username: '' matrix_synapse_uid: '' @@ -312,8 +312,13 @@ matrix_synapse_presence_enabled: true matrix_synapse_allow_public_rooms_without_auth: false # Controls whether remote servers can fetch this server's public rooms directory via federation. -# For private servers, you most likely wish to forbid it. -matrix_synapse_allow_public_rooms_over_federation: false +# The upstream default is `false`, but we try to make Matrix federation more useful. +# +# For private servers, you may wish to forbid it to align yourself with upstream defaults. +# However, disabling federation completely (see `matrix_synapse_federation_enabled`) is a better way to make your server private, +# instead of relying on security-by-obscurity -- federating with others, having your public rooms joinable by anyone, +# but hiding them and thinking you've secured them. +matrix_synapse_allow_public_rooms_over_federation: true # Whether to require authentication to retrieve profile data (avatars, # display names) of other users through the client API. Defaults to diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index 068ef2af..46ae72db 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -5,6 +5,10 @@ matrix_user_verification_service_ansible_name: "Matrix User Verification Service # Enable by default. This is overwritten in provided group vars. matrix_user_verification_service_enabled: true +matrix_user_verification_service_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service" +matrix_user_verification_service_container_image_self_build_branch: "{{ 'master' if matrix_registration_version == 'latest' else matrix_user_verification_service_version }}" + # Fix version tag # renovate: datasource=docker depName=matrixdotorg/matrix-user-verification-service matrix_user_verification_service_version: "v3.0.0" @@ -13,6 +17,7 @@ matrix_user_verification_service_version: "v3.0.0" matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service" matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config" matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env" +matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src" # Docker matrix_user_verification_service_docker_image_name_prefix: "{{ matrix_container_global_registry_prefix }}" diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml index 54d5d979..700614cb 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml @@ -9,6 +9,7 @@ group: "{{ matrix_user_groupname }}" with_items: - {path: "{{ matrix_user_verification_service_config_path }}", when: true} + - {path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}"} when: item.when | bool - name: Ensure Matrix User Verification Service image is pulled @@ -21,6 +22,30 @@ retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed + when: "not matrix_user_verification_service_container_image_self_build | bool" + +- name: Ensure Matrix User Verification Service repository is present when self-building + ansible.builtin.git: + repo: "{{ matrix_user_verification_service_container_image_self_build_repo }}" + dest: "{{ matrix_user_verification_service_docker_src_files_path }}" + version: "{{ matrix_user_verification_service_container_image_self_build_branch }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_user_verification_service_git_pull_results + when: "matrix_user_verification_service_container_image_self_build | bool" + +- name: Ensure Matrix User Verification Service image is built + community.docker.docker_image: + name: "{{ matrix_user_verification_service_docker_image }}" + source: build + force_source: "{{ matrix_user_verification_service_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_user_verification_service_docker_src_files_path }}" + pull: true + when: "matrix_user_verification_service_container_image_self_build | bool" - name: Ensure Matrix User Verification Service env file installed ansible.builtin.template: diff --git a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 index 68398263..268e4298 100644 --- a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 +++ b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 @@ -17,13 +17,14 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --rm \ --name={{ matrix_user_verification_service_container_name }} \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ + --tmpfs /.npm \ --network={{ matrix_user_verification_service_container_network }} \ {% if matrix_user_verification_service_container_http_host_bind_port %} -p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \ @@ -37,6 +38,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \ {% for network in matrix_user_verification_service_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_user_verification_service_container_name }} {% endfor %} +ExecStart=/usr/bin/env docker start --attach matrix-user-verification-service ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'