From b52d91e180e4cce41a1c6455ac4cd7f4df889339 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 7 Sep 2018 15:01:38 +0300
Subject: [PATCH] Add the ability to controll password-peppering for Synapse

Closes Github issue #5
---
 CHANGELOG.md | 7 ++++++-
 roles/matrix-server/defaults/main.yml | 3 +++
 roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 14e45a15..b23ed359 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
 # 2018-09-07
-## Statistics-reporting support
+## Password-peppering support for Matrix Synapse
+
+The playbook now supports enabling password-peppering for increased security in Matrix Synapse via the `matrix_synapse_password_config_pepper` playbook variable. Using a password pepper is disabled by default (just like it used to be before this playbook variable got introduced) and is not to be enabled/disabled after initial setup, as that would invalidate all existing passwords.
+
+
+## Statistics-reporting support for Matrix Synapse
 There's now a new `matrix_synapse_report_stats` playbook variable, which controls the `report_stats` configuration option for Matrix Synapse. It defaults to `false`, so no change is required to retain your privacy.
diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index 57a9ebb1..5143d5c1 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -68,6 +68,9 @@ matrix_synapse_rc_message_burst_count: 10.0
 # (things like number of users, number of messages sent, uptime, load, etc.)
 matrix_synapse_report_stats: false
+# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup.
+matrix_synapse_password_config_pepper: ""
+
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Synapse extensions that have been enabled.
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
index 5f100e7d..9ee67f1e 100644
--- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
@@ -538,7 +538,7 @@ password_config:
 enabled: true
 # Uncomment and change to a secret random string for extra security.
 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
- #pepper: ""
+ pepper: "{{ matrix_synapse_password_config_pepper }}"
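Review bot: The comment added above `matrix_synapse_password_config_pepper` does not say that the value is a secret, nor what the empty default means. Going by the changelog entry in this same commit, `""` leaves peppering off and switching it later invalidates all existing passwords, so I would state that at the variable: `# Secret random string used as the Synapse password pepper; "" (the default) leaves peppering disabled.` followed by `# Set it before the first user is created and keep it out of plain-text vars (e.g. Ansible Vault); changing it later invalidates all existing passwords.`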
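Review bot: The new `pepper:` line interpolates the variable raw inside a double-quoted YAML scalar, so a pepper containing `"` or `\` would either break the rendered homeserver.yaml or reach Synapse as a different string than the operator configured. Letting a filter produce the quoted scalar avoids that: `pepper: {{ matrix_synapse_password_config_pepper|to_json }}`. The two context comments above it still say "Uncomment and change", which no longer matches a line that is always rendered from the playbook variable; something like `# Managed via matrix_synapse_password_config_pepper. DO NOT CHANGE THIS AFTER INITIAL SETUP!` would fit (the `password_config:` block itself starts above the hunk). Since the rendered file now holds a secret, it is also worth confirming that the task writing it, which is outside this diff, restricts the file's owner and mode.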