Merge branch 'master' into pub.solar

2020-05-23 18:48:37 +02:00 · 2020-05-23 18:48:37 +02:00 · bec0f6484a
parent 7fc6b574b4 4c4f208613
commit bec0f6484a
20 changed files with 172 additions and 66 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,16 @@
+# 2020-05-19
+
+## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server
+
+User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database.
+
+ma1sd current has [a security issue](https://github.com/ma1uta/ma1sd/issues/44), which made it leak information about all users - including users created by bridges, etc.
+
+Until the issue gets fixed, we're making User Directory search not go to ma1sd by default. You **need to re-run the playbook and restart services to apply this workaround**.
+
+*If you insist on restoring the old behavior* (**which has a security issue!**), you *might* use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"`
+
+
 # 2020-04-28

 ## Newer IRC bridge (with potential breaking change)
@ -11,6 +24,7 @@ If you did not include `mappings` in your configuration for IRC, no
 change is necessary.  `mappings` is not part of the default
 configuration.

+
 # 2020-04-23

 ## Slack bridging support
--- a/docs/configuring-playbook-email.md
+++ b/docs/configuring-playbook-email.md
@ -34,7 +34,7 @@ matrix_mailer_relay_auth_password: "some-password"


 ### Configuations for sending emails using Sendgrid
-An easy and free STMP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`.
+An easy and free SMTP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`.

 The only other thing you need to change is the `matrix_mailer_relay_auth_password`, which you can generate at https://app.sendgrid.com/settings/api_keys. The API key password looks something like `SG.955oW1mLSfwds7i9Yd6IA5Q.q8GTaB8q9kGDzasegdG6u95fQ-6zkdwrPP8bOeuI`.

--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -616,7 +616,10 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}"
 matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}"
 matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}"

-matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
+# Not proxying the user directory search to the identity server by default anymore,
+# because it currently leaks data.
+# See: https://github.com/ma1uta/ma1sd/issues/44
+matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"

--- a/roles/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_appservice_irc_enabled: true

-matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.16.0"
+matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.17.1"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"

 matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -4,7 +4,7 @@
 matrix_mautrix_telegram_enabled: true

 # See: https://mau.dev/tulir/mautrix-telegram/container_registry
-matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0"
+matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.2"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"

 matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"
--- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
@ -5,6 +5,11 @@ matrix_mx_puppet_slack_enabled: true

 matrix_mx_puppet_slack_container_image_self_build: false

+# Controls whether the mx-puppet-slack container exposes its HTTP port (tcp/8432 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
+matrix_mx_puppet_slack_container_http_host_bind_port: ''
+
 matrix_mx_puppet_slack_docker_image: "sorunome/mx-puppet-slack:latest"
 matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}"

@ -68,7 +73,7 @@ matrix_mx_puppet_slack_configuration_yaml: |

  # Slack OAuth settings. Create a slack app at https://api.slack.com/apps
  oauth:
-    enabled: false
+    enabled: true
    # Slack app credentials.
    # N.B. This must be quoted so YAML wouldn't parse it as a float.
    clientId: "{{ matrix_mx_puppet_slack_client_id }}"
--- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
@ -50,17 +50,17 @@
        }}
  tags:
   - always
-  when: matrix_appservice_slack_enabled|bool
+  when: matrix_mx_puppet_slack_enabled|bool

 - name: Warn about reverse-proxying if matrix-nginx-proxy not used
  debug:
    msg: >-
      NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy
      reverse proxy.
-      Please make sure that you're proxying the `{{ something }}`
-      URL endpoint to the matrix-appservice-slack container.
+      Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}`
+      URL endpoint to the matrix-mx-puppet-slack container.
      You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable.
-  when: "matrix_appservice_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined"
+  when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined"

 # ansible lower than 2.8, does not support docker_image build parameters
 # for self buildig it is explicitly needed, so we rather fail here
--- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
+++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
@ -22,6 +22,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
+			{% if matrix_mx_puppet_slack_container_http_host_bind_port %}
+			-p {{ matrix_mx_puppet_slack_container_http_host_bind_port }}:{{ matrix_mx_puppet_slack_appservice_port }} \
+			{% endif %}
 			-e CONFIG_PATH=/config/config.yaml \
 			-e REGISTRATION_PATH=/config/registration.yaml \
 			-v {{ matrix_mx_puppet_slack_config_path }}:/config:z \
--- a/roles/matrix-jitsi/defaults/main.yml
+++ b/roles/matrix-jitsi/defaults/main.yml
@ -50,7 +50,7 @@ matrix_jitsi_jibri_recorder_user: recorder
 matrix_jitsi_jibri_recorder_password: ''


-matrix_jitsi_web_docker_image: "jitsi/web:4416"
+matrix_jitsi_web_docker_image: "jitsi/web:stable-4548-1"
 matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"

 matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
@ -96,11 +96,12 @@ matrix_jitsi_web_interface_config_show_powered_by: false
 matrix_jitsi_web_interface_config_disable_transcription_subtitles: false
 matrix_jisti_web_interface_config_show_deep_linking_image: false

-matrix_jitsi_prosody_docker_image: "jitsi/prosody:4416"
+matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4548-1"
 matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"

 matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
 matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config"
+matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom"

 # A list of extra arguments to pass to the container
 matrix_jitsi_prosody_container_extra_arguments: []
@ -109,7 +110,7 @@ matrix_jitsi_prosody_container_extra_arguments: []
 matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']


-matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4416"
+matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:stable-4548-1"
 matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"

 matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
@ -126,7 +127,7 @@ matrix_jitsi_jicofo_auth_user: focus
 matrix_jitsi_jicofo_auth_password: ''


-matrix_jitsi_jvb_docker_image: "jitsi/jvb:4416"
+matrix_jitsi_jvb_docker_image: "jitsi/jvb:stable-4548-1"
 matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"

 matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"
--- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
+++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
@ -14,6 +14,7 @@
  with_items:
    - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true }
    - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true }
+    - { path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true }
  when: matrix_jitsi_enabled|bool and item.when

 - name: Ensure jitsi-prosody Docker image is pulled
--- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
+++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
@ -16,6 +16,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_jitsi_prosody_base_path }}/env \
 			-v {{ matrix_jitsi_prosody_config_path }}:/config \
+			-v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom \
 			{% for arg in matrix_jitsi_prosody_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-ma1sd/defaults/main.yml
+++ b/roles/matrix-ma1sd/defaults/main.yml
@ -76,6 +76,10 @@ matrix_ma1sd_self_check_validate_certificates: true
 # According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity
 matrix_ma1sd_verbose_logging: false

+# Setting up support for API prefixes
+matrix_ma1sd_v1_enabled: true
+matrix_ma1sd_v2_enabled: true
+
 # Default ma1sd configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
@ -85,8 +89,8 @@ matrix_ma1sd_configuration_yaml: |
  #jinja2: lstrip_blocks: True
  matrix:
    domain: {{ matrix_domain }}
-    v1: true
-    v2: true
+    v1: {{ matrix_ma1sd_v1_enabled|to_json }}
+    v2: {{ matrix_ma1sd_v2_enabled|to_json }}

  server:
    name: {{ matrix_server_fqn_matrix }}
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -220,7 +220,7 @@ matrix_ssl_domains_to_obtain_certificates_for: []

 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 matrix_ssl_lets_encrypt_staging: false
-matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.3.0"
+matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.4.0"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: ~
--- a/roles/matrix-postgres/defaults/main.yml
+++ b/roles/matrix-postgres/defaults/main.yml
@ -8,10 +8,10 @@ matrix_postgres_db_name: ""
 matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
 matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"

-matrix_postgres_docker_image_v9: "postgres:9.6.17-alpine"
-matrix_postgres_docker_image_v10: "postgres:10.12-alpine"
-matrix_postgres_docker_image_v11: "postgres:11.7-alpine"
-matrix_postgres_docker_image_v12: "postgres:12.2-alpine"
+matrix_postgres_docker_image_v9: "postgres:9.6.18-alpine"
+matrix_postgres_docker_image_v10: "postgres:10.13-alpine"
+matrix_postgres_docker_image_v11: "postgres:11.8-alpine"
+matrix_postgres_docker_image_v12: "postgres:12.3-alpine"
 matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}"

 # This variable is assigned at runtime. Overriding its value has no effect.
--- a/roles/matrix-postgres/tasks/import_sqlite_db.yml
+++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml
@ -79,7 +79,6 @@
    --network={{ matrix_docker_network }}
    --entrypoint=python
    -v {{ matrix_synapse_config_dir_path }}:/data
-    -v {{ matrix_synapse_run_path }}:/matrix-run
    -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro
    {{ matrix_synapse_docker_image }}
    /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml
--- a/roles/matrix-riot-web/defaults/main.yml
+++ b/roles/matrix-riot-web/defaults/main.yml
@ -2,7 +2,7 @@ matrix_riot_web_enabled: true

 matrix_riot_web_container_image_self_build: false

-matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.0"
+matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.2"
 matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"

 matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -5,13 +5,12 @@ matrix_synapse_enabled: true

 matrix_synapse_container_image_self_build: false

-matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.4"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v1.13.0"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
 matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src"
 matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
-matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run"
 matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
 matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
 matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
--- a/roles/matrix-synapse/tasks/setup_synapse.yml
+++ b/roles/matrix-synapse/tasks/setup_synapse.yml
@ -9,7 +9,6 @@
    group: "{{ matrix_user_groupname }}"
  with_items:
    - { path: "{{ matrix_synapse_config_dir_path }}", when: true }
-    - { path: "{{ matrix_synapse_run_path }}", when: true }
    - { path: "{{ matrix_synapse_ext_path }}", when: true }
    - { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" }
    # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml),
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -20,10 +20,15 @@ server_name: "{{ matrix_domain }}"
 #
 pid_file: /homeserver.pid

-# The path to the web client which will be served at /_matrix/client/
-# if 'webclient' is configured under the 'listeners' configuration.
+# The absolute URL to the web client which /_matrix/client will redirect
+# to if 'webclient' is configured under the 'listeners' configuration.
 #
-#web_client_location: "/path/to/web/root"
+# This option can be also set to the filesystem path to the web client
+# which will be served at /_matrix/client/ if 'webclient' is configured
+# under the 'listeners' configuration, however this is a security risk:
+# https://github.com/matrix-org/synapse#security-note
+#
+#web_client_location: https://riot.example.com/

 # The public-facing base URL that clients use to access this HS
 # (not including _matrix/...). This is the same URL a user would
@ -252,6 +257,19 @@ listeners:
 {% endif %}


+# Forward extremities can build up in a room due to networking delays between
+# homeservers. Once this happens in a large room, calculation of the state of
+# that room can become quite expensive. To mitigate this, once the number of
+# forward extremities reaches a given threshold, Synapse will send an
+# org.matrix.dummy_event event, which will reduce the forward extremities
+# in the room.
+#
+# This setting defines the threshold (i.e. number of forward extremities in the
+# room) at which dummy events are sent. The default value is 10.
+#
+#dummy_events_threshold: 5
+
+
 ## Homeserver blocking ##

 # How to reach the server admin, used in ResourceLimitError
@ -410,6 +428,16 @@ retention:
  #    longest_max_lifetime: 1y
  #    interval: 1d

+# Inhibits the /requestToken endpoints from returning an error that might leak
+# information about whether an e-mail address is in use or not on this
+# homeserver.
+# Note that for some endpoints the error situation is the e-mail already being
+# used, and for others the error is entering the e-mail being unused.
+# If this option is enabled, instead of returning an error, these endpoints will
+# act as if no error happened and return a fake session ID ('sid') to clients.
+#
+#request_token_inhibit_3pid_errors: true
+

 ## TLS ##

@ -706,20 +734,15 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire
 #
 #media_storage_providers:
 #  - module: file_system
-#    # Whether to write new local files.
+#    # Whether to store newly uploaded local files
 #    store_local: false
-#    # Whether to write new remote media
+#    # Whether to store newly downloaded remote files
 #    store_remote: false
-#    # Whether to block upload requests waiting for write to this
-#    # provider to complete
+#    # Whether to wait for successful storage for local uploads
 #    store_synchronous: false
 #    config:
 #       directory: /mnt/some/other/directory

-# Directory where in-progress uploads are stored.
-#
-uploads_path: "/matrix-run/uploads"
-
 # The largest allowed upload size in bytes
 #
 max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M"
@ -834,6 +857,31 @@ url_preview_ip_range_blacklist:
 #
 max_spider_size: 10M

+# A list of values for the Accept-Language HTTP header used when
+# downloading webpages during URL preview generation. This allows
+# Synapse to specify the preferred languages that URL previews should
+# be in when communicating with remote servers.
+#
+# Each value is a IETF language tag; a 2-3 letter identifier for a
+# language, optionally followed by subtags separated by '-', specifying
+# a country or region variant.
+#
+# Multiple values can be provided, and a weight can be added to each by
+# using quality value syntax (;q=). '*' translates to any language.
+#
+# Defaults to "en".
+#
+# Example:
+#
+# url_preview_accept_language:
+#   - en-UK
+#   - en-US;q=0.9
+#   - fr;q=0.8
+#   - *;q=0.7
+#
+url_preview_accept_language:
+#   - en
+

 ## Captcha ##
 # See docs/CAPTCHA_SETUP for full details of configuring this.
@ -852,10 +900,6 @@ max_spider_size: 10M
 #
 #enable_registration_captcha: false

-# A secret key used to bypass the captcha test entirely.
-#
-#captcha_bypass_secret: "YOUR_SECRET_HERE"
-
 # The API endpoint to use for verifying m.login.recaptcha responses.
 #
 #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify"
@ -1066,6 +1110,29 @@ account_threepid_delegates:
    email: {{ matrix_synapse_account_threepid_delegates_email|to_json }}
    msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }}

+# Whether users are allowed to change their displayname after it has
+# been initially set. Useful when provisioning users based on the
+# contents of a third-party directory.
+#
+# Does not apply to server administrators. Defaults to 'true'
+#
+#enable_set_displayname: false
+
+# Whether users are allowed to change their avatar after it has been
+# initially set. Useful when provisioning users based on the contents
+# of a third-party directory.
+#
+# Does not apply to server administrators. Defaults to 'true'
+#
+#enable_set_avatar_url: false
+
+# Whether users can change the 3PIDs associated with their accounts
+# (email address and msisdn).
+#
+# Defaults to 'true'
+#
+#enable_3pid_changes: false
+
 # Users who register on this homeserver will automatically be joined
 # to these rooms
 #
@ -1108,7 +1175,7 @@ sentry:
 # enabled by default, either for performance reasons or limited use.
 #
 metrics_flags:
-    # Publish synapse_federation_known_servers, a g auge of the number of
+    # Publish synapse_federation_known_servers, a gauge of the number of
    # servers this homeserver knows about, including itself. May cause
    # performance problems on large homeservers.
    #
@ -1272,32 +1339,32 @@ saml2_config:
  #    remote:
  #      - url: https://our_idp/metadata.xml
  #
-  #    # By default, the user has to go to our login page first. If you'd like
-  #    # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
-  #    # 'service.sp' section:
-  #    #
-  #    #service:
-  #    #  sp:
-  #    #    allow_unsolicited: true
+  #  # By default, the user has to go to our login page first. If you'd like
+  #  # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
+  #  # 'service.sp' section:
+  #  #
+  #  #service:
+  #  #  sp:
+  #  #    allow_unsolicited: true
  #
-  #    # The examples below are just used to generate our metadata xml, and you
-  #    # may well not need them, depending on your setup. Alternatively you
-  #    # may need a whole lot more detail - see the pysaml2 docs!
+  #  # The examples below are just used to generate our metadata xml, and you
+  #  # may well not need them, depending on your setup. Alternatively you
+  #  # may need a whole lot more detail - see the pysaml2 docs!
  #
-  #    description: ["My awesome SP", "en"]
-  #    name: ["Test SP", "en"]
+  #  description: ["My awesome SP", "en"]
+  #  name: ["Test SP", "en"]
  #
-  #    organization:
-  #      name: Example com
-  #      display_name:
-  #        - ["Example co", "en"]
-  #      url: "http://example.com"
+  #  organization:
+  #    name: Example com
+  #    display_name:
+  #      - ["Example co", "en"]
+  #    url: "http://example.com"
  #
-  #    contact_person:
-  #      - given_name: Bob
-  #        sur_name: "the Sysadmin"
-  #        email_address": ["admin@example.com"]
-  #        contact_type": technical
+  #  contact_person:
+  #    - given_name: Bob
+  #      sur_name: "the Sysadmin"
+  #      email_address": ["admin@example.com"]
+  #      contact_type": technical

  # Instead of putting the config inline as above, you can specify a
  # separate pysaml2 configuration file:
@ -1532,8 +1599,19 @@ email:
  #template_dir: "res/templates"
 {% endif %}

-
-#password_providers:
+# Password providers allow homeserver administrators to integrate
+# their Synapse installation with existing authentication methods
+# ex. LDAP, external tokens, etc.
+#
+# For more information and known implementations, please see
+# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md
+#
+# Note: instances wishing to use SAML or CAS authentication should
+# instead use the `saml2_config` or `cas_config` options,
+# respectively.
+#
+# password_providers:
+#    # Example config for an LDAP auth provider
 #    - module: "ldap_auth_provider.LdapAuthProvider"
 #      config:
 #        enabled: true
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@ -45,7 +45,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			-p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \
 			{% endif %}
 			-v {{ matrix_synapse_config_dir_path }}:/data:ro \
-			-v {{ matrix_synapse_run_path }}:/matrix-run:rw \
 			-v {{ matrix_synapse_storage_path }}:/matrix-media-store-parent:slave \
 			{% for volume in matrix_synapse_container_additional_volumes %}
 			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \