Merge branch 'master' into synapse-workers

Slavi Pantaleev 2021-02-16 17:31:40 +02:00
commit daae74b074
6 changed files with 146 additions and 32 deletions


@ -89,4 +89,4 @@ The following local filesystem paths are mounted in the `matrix-corporal` contai
- `/matrix/corporal/cache` is mounted at `/var/cache/matrix-corporal` (read and write) - `/matrix/corporal/cache` is mounted at `/var/cache/matrix-corporal` (read and write)
As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container path `/etc/matrix-corporal` As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container paths - `/etc/matrix-corporal` (read-only), `/var/matrix-corporal` (read and write), `/var/cache/matrix-corporal` (read and write).


@ -770,6 +770,8 @@ matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | pas
matrix_etherpad_enabled: false matrix_etherpad_enabled: false
matrix_etherpad_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9001' }}"
matrix_etherpad_systemd_required_services_list: | matrix_etherpad_systemd_required_services_list: |
{{ {{
['docker.service'] ['docker.service']


@ -3,7 +3,7 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build: false
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.20" matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"


@ -19,10 +19,15 @@ matrix_etherpad_user_gid: '5001'
# Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container). # Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container).
# #
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9001"), or empty string to not expose. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9001"), or empty string to not expose.
matrix_etherpad_container_http_host_bind_port: '9001' matrix_etherpad_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container # A list of extra arguments to pass to the container
matrix_etherpad_container_extra_arguments: [] #
# We assume that a reverse proxy is used and tell the container to trust it
# Details: https://github.com/ether/etherpad-lite/blob/develop/doc/docker.md
matrix_etherpad_container_extra_arguments: [
'--env TRUST_PROXY=true'
]
matrix_etherpad_public_endpoint: '/etherpad' matrix_etherpad_public_endpoint: '/etherpad'
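Review bot: The `--env TRUST_PROXY=true` argument added to `matrix_etherpad_container_extra_arguments` is unconditional, while only the bind-port default on the line above (now `''`) reflects the "a reverse proxy is used" assumption stated in the new comment; a deployment that sets `matrix_etherpad_container_http_host_bind_port` back to a non-empty value and points clients straight at the container keeps the trust-proxy setting, which the linked Etherpad docs say affects security and logging, since proxy-style forwarded headers are then accepted from whoever connects. The group_vars hunk (@ -770,6 +770,8) already switches the bind port on `matrix_nginx_proxy_enabled`, so the argument list could be wired the same way there, e.g. `matrix_etherpad_container_extra_arguments: "{{ ['--env TRUST_PROXY=true'] if matrix_nginx_proxy_enabled else [] }}"`. Independently of that, the comment here should tell overriders what to do, e.g. `# Remove this argument if you expose the HTTP port directly, without a reverse proxy in front of it.`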


@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# The if statement below may look silly at times (leading to the same version being returned), # The if statement below may look silly at times (leading to the same version being returned),
# but ARM-compatible container images are only released 1-7 hours after a release, # but ARM-compatible container images are only released 1-7 hours after a release,
# so we may often be on different versions for different architectures when new Synapse releases come out. # so we may often be on different versions for different architectures when new Synapse releases come out.
matrix_synapse_docker_image_tag: "{{ 'v1.26.0' if matrix_architecture == 'amd64' else 'v1.26.0' }}" matrix_synapse_docker_image_tag: "{{ 'v1.27.0' if matrix_architecture == 'amd64' else 'v1.26.0' }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"

View file

@ -50,10 +50,6 @@ pid_file: /homeserver.pid
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
# 'listeners' below). # 'listeners' below).
# #
# If this is left unset, it defaults to 'https://<server_name>/'. (Note that
# that will not work unless you configure Synapse or a reverse-proxy to listen
# on port 443.)
#
public_baseurl: https://{{ matrix_server_fqn_matrix }}/ public_baseurl: https://{{ matrix_server_fqn_matrix }}/
# Set the soft limit on the number of file descriptors synapse can use # Set the soft limit on the number of file descriptors synapse can use
@ -820,6 +816,9 @@ log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config"
# users are joining rooms the server is already in (this is cheap) vs # users are joining rooms the server is already in (this is cheap) vs
# "remote" for when users are trying to join rooms not on the server (which # "remote" for when users are trying to join rooms not on the server (which
# can be more expensive) # can be more expensive)
# - one for ratelimiting how often a user or IP can attempt to validate a 3PID.
# - two for ratelimiting how often invites can be sent in a room or to a
# specific user.
# #
# The defaults are as shown below. # The defaults are as shown below.
# #
@ -858,6 +857,18 @@ rc_admin_redaction: {{ matrix_synapse_rc_admin_redaction|to_json }}
# per_second: 0.01 # per_second: 0.01
# burst_count: 3 # burst_count: 3
rc_joins: {{ matrix_synapse_rc_joins|to_json }} rc_joins: {{ matrix_synapse_rc_joins|to_json }}
#
#rc_3pid_validation:
# per_second: 0.003
# burst_count: 5
#
#rc_invites:
# per_room:
# per_second: 0.3
# burst_count: 10
# per_user:
# per_second: 0.003
# burst_count: 5
# Ratelimiting settings for incoming federation # Ratelimiting settings for incoming federation
# #
@ -1157,9 +1168,8 @@ account_validity:
# send an email to the account's email address with a renewal link. By # send an email to the account's email address with a renewal link. By
# default, no such emails are sent. # default, no such emails are sent.
# #
# If you enable this setting, you will also need to fill out the 'email' # If you enable this setting, you will also need to fill out the 'email' and
# configuration section. You should also check that 'public_baseurl' is set # 'public_baseurl' configuration sections.
# correctly.
# #
#renew_at: 1w #renew_at: 1w
@ -1256,7 +1266,8 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
# The identity server which we suggest that clients should use when users log # The identity server which we suggest that clients should use when users log
# in on this server. # in on this server.
# #
# (By default, no suggestion is made, so it is left up to the client.) # (By default, no suggestion is made, so it is left up to the client.
# This setting is ignored unless public_baseurl is also set.)
# #
#default_identity_server: https://matrix.org #default_identity_server: https://matrix.org
@ -1281,6 +1292,8 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
# by the Matrix Identity Service API specification: # by the Matrix Identity Service API specification:
# https://matrix.org/docs/spec/identity_service/latest # https://matrix.org/docs/spec/identity_service/latest
# #
# If a delegate is specified, the config option public_baseurl must also be filled out.
#
account_threepid_delegates: account_threepid_delegates:
email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} email: {{ matrix_synapse_account_threepid_delegates_email|to_json }}
msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }}
@ -1565,10 +1578,10 @@ trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }}
# enable SAML login. # enable SAML login.
# #
# Once SAML support is enabled, a metadata file will be exposed at # Once SAML support is enabled, a metadata file will be exposed at
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to # https://<server>:<port>/_synapse/client/saml2/metadata.xml, which you may be able to
# use to configure your SAML IdP with. Alternatively, you can manually configure # use to configure your SAML IdP with. Alternatively, you can manually configure
# the IdP to use an ACS location of # the IdP to use an ACS location of
# https://<server>:<port>/_matrix/saml2/authn_response. # https://<server>:<port>/_synapse/client/saml2/authn_response.
# #
saml2_config: saml2_config:
# `sp_config` is the configuration for the pysaml2 Service Provider. # `sp_config` is the configuration for the pysaml2 Service Provider.
@ -1804,17 +1817,21 @@ saml2_config:
# #
# For the default provider, the following settings are available: # For the default provider, the following settings are available:
# #
# sub: name of the claim containing a unique identifier for the # subject_claim: name of the claim containing a unique identifier
# user. Defaults to 'sub', which OpenID Connect compliant # for the user. Defaults to 'sub', which OpenID Connect
# providers should provide. # compliant providers should provide.
# #
# localpart_template: Jinja2 template for the localpart of the MXID. # localpart_template: Jinja2 template for the localpart of the MXID.
# If this is not set, the user will be prompted to choose their # If this is not set, the user will be prompted to choose their
# own username. # own username (see 'sso_auth_account_details.html' in the 'sso'
# section of this file).
# #
# display_name_template: Jinja2 template for the display name to set # display_name_template: Jinja2 template for the display name to set
# on first login. If unset, no displayname will be set. # on first login. If unset, no displayname will be set.
# #
# email_template: Jinja2 template for the email address of the user.
# If unset, no email address will be added to the account.
#
# extra_attributes: a map of Jinja2 templates for extra attributes # extra_attributes: a map of Jinja2 templates for extra attributes
# to send back to the client during login. # to send back to the client during login.
# Note that these are non-standard and clients will ignore them # Note that these are non-standard and clients will ignore them
@ -1849,7 +1866,12 @@ oidc_providers:
# token_endpoint: "https://accounts.example.com/oauth2/token" # token_endpoint: "https://accounts.example.com/oauth2/token"
# userinfo_endpoint: "https://accounts.example.com/userinfo" # userinfo_endpoint: "https://accounts.example.com/userinfo"
# jwks_uri: "https://accounts.example.com/.well-known/jwks.json" # jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
# skip_verification: true # user_mapping_provider:
# config:
# subject_claim: "id"
# localpart_template: "{ user.login }"
# display_name_template: "{ user.name }"
# email_template: "{ user.email }"
# For use with Keycloak # For use with Keycloak
# #
@ -1864,6 +1886,7 @@ oidc_providers:
# #
#- idp_id: github #- idp_id: github
# idp_name: Github # idp_name: Github
# idp_brand: org.matrix.github
# discover: false # discover: false
# issuer: "https://github.com/" # issuer: "https://github.com/"
# client_id: "your-client-id" # TO BE FILLED # client_id: "your-client-id" # TO BE FILLED
@ -1891,10 +1914,6 @@ cas_config:
# #
#server_url: "https://cas-server.com" #server_url: "https://cas-server.com"
# The public URL of the homeserver.
#
#service_url: "https://homeserver.domain.com:8448"
# The attribute of the CAS response to use as the display name. # The attribute of the CAS response to use as the display name.
# #
# If unset, no displayname will be set. # If unset, no displayname will be set.
@ -1926,9 +1945,9 @@ sso:
# phishing attacks from evil.site. To avoid this, include a slash after the # phishing attacks from evil.site. To avoid this, include a slash after the
# hostname: "https://my.client/". # hostname: "https://my.client/".
# #
# The login fallback page (used by clients that don't natively support the # If public_baseurl is set, then the login fallback page (used by clients
# required login flows) is automatically whitelisted in addition to any URLs # that don't natively support the required login flows) is whitelisted in
# in this list. # addition to any URLs in this list.
# #
# By default, this list is empty. # By default, this list is empty.
# #
@ -1949,15 +1968,19 @@ sso:
# #
# When rendering, this template is given the following variables: # When rendering, this template is given the following variables:
# * redirect_url: the URL that the user will be redirected to after # * redirect_url: the URL that the user will be redirected to after
# login. Needs manual escaping (see # login.
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
# #
# * server_name: the homeserver's name. # * server_name: the homeserver's name.
# #
# * providers: a list of available Identity Providers. Each element is # * providers: a list of available Identity Providers. Each element is
# an object with the following attributes: # an object with the following attributes:
#
# * idp_id: unique identifier for the IdP # * idp_id: unique identifier for the IdP
# * idp_name: user-facing name for the IdP # * idp_name: user-facing name for the IdP
# * idp_icon: if specified in the IdP config, an MXC URI for an icon
# for the IdP
# * idp_brand: if specified in the IdP config, a textual identifier
# for the brand of the IdP
# #
# The rendered HTML page should contain a form which submits its results # The rendered HTML page should contain a form which submits its results
# back as a GET request, with the following query parameters: # back as a GET request, with the following query parameters:
@ -1967,17 +1990,101 @@ sso:
# #
# * idp: the 'idp_id' of the chosen IDP. # * idp: the 'idp_id' of the chosen IDP.
# #
# * HTML page to prompt new users to enter a userid and confirm other
# details: 'sso_auth_account_details.html'. This is only shown if the
# SSO implementation (with any user_mapping_provider) does not return
# a localpart.
#
# When rendering, this template is given the following variables:
#
# * server_name: the homeserver's name.
#
# * idp: details of the SSO Identity Provider that the user logged in
# with: an object with the following attributes:
#
# * idp_id: unique identifier for the IdP
# * idp_name: user-facing name for the IdP
# * idp_icon: if specified in the IdP config, an MXC URI for an icon
# for the IdP
# * idp_brand: if specified in the IdP config, a textual identifier
# for the brand of the IdP
#
# * user_attributes: an object containing details about the user that
# we received from the IdP. May have the following attributes:
#
# * display_name: the user's display_name
# * emails: a list of email addresses
#
# The template should render a form which submits the following fields:
#
# * username: the localpart of the user's chosen user id
#
# * HTML page allowing the user to consent to the server's terms and
# conditions. This is only shown for new users, and only if
# `user_consent.require_at_registration` is set.
#
# When rendering, this template is given the following variables:
#
# * server_name: the homeserver's name.
#
# * user_id: the user's matrix proposed ID.
#
# * user_profile.display_name: the user's proposed display name, if any.
#
# * consent_version: the version of the terms that the user will be
# shown
#
# * terms_url: a link to the page showing the terms.
#
# The template should render a form which submits the following fields:
#
# * accepted_version: the version of the terms accepted by the user
# (ie, 'consent_version' from the input variables).
#
# * HTML page for a confirmation step before redirecting back to the client
# with the login token: 'sso_redirect_confirm.html'.
#
# When rendering, this template is given the following variables:
#
# * redirect_url: the URL the user is about to be redirected to.
#
# * display_url: the same as `redirect_url`, but with the query
# parameters stripped. The intention is to have a
# human-readable URL to show to users, not to use it as
# the final address to redirect to.
#
# * server_name: the homeserver's name.
#
# * new_user: a boolean indicating whether this is the user's first time
# logging in.
#
# * user_id: the user's matrix ID.
#
# * user_profile.avatar_url: an MXC URI for the user's avatar, if any.
# None if the user has not set an avatar.
#
# * user_profile.display_name: the user's display name. None if the user
# has not set a display name.
#
# * HTML page which notifies the user that they are authenticating to confirm # * HTML page which notifies the user that they are authenticating to confirm
# an operation on their account during the user interactive authentication # an operation on their account during the user interactive authentication
# process: 'sso_auth_confirm.html'. # process: 'sso_auth_confirm.html'.
# #
# When rendering, this template is given the following variables: # When rendering, this template is given the following variables:
# * redirect_url: the URL the user is about to be redirected to. Needs # * redirect_url: the URL the user is about to be redirected to.
# manual escaping (see
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
# #
# * description: the operation which the user is being asked to confirm # * description: the operation which the user is being asked to confirm
# #
# * idp: details of the Identity Provider that we will use to confirm
# the user's identity: an object with the following attributes:
#
# * idp_id: unique identifier for the IdP
# * idp_name: user-facing name for the IdP
# * idp_icon: if specified in the IdP config, an MXC URI for an icon
# for the IdP
# * idp_brand: if specified in the IdP config, a textual identifier
# for the brand of the IdP
#
# * HTML page shown after a successful user interactive authentication session: # * HTML page shown after a successful user interactive authentication session:
# 'sso_auth_success.html'. # 'sso_auth_success.html'.
# #
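Review bot: The user_mapping_provider example added in the oidc_providers hunk (@ -1849,7 +1866,12) writes its templates with single braces, `localpart_template: "{ user.login }"`, `display_name_template: "{ user.name }"` and `email_template: "{ user.email }"`, whereas Synapse's own sample config gives these as Jinja2 double-brace templates such as `{{ user.login }}`; presumably the braces were halved so that Ansible's templating of this .j2 file would not try to evaluate them. As written, anyone copying the commented example into their own provider config gets a literal string rather than a template and the mapping silently yields the wrong localpart. Wrapping the example lines in `{% raw %}` … `{% endraw %}` lets the upstream double-brace form be kept verbatim in the rendered homeserver.yaml. The commented example sits inside the oidc_providers list, which begins outside the hunk.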