Merge branch 'spantaleev:master' into default_room_version_9
@ -1,3 +1,4 @@
---
# Synapse is a Matrix homeserver
# See: https://github.com/matrix-org/synapse
@ -8,16 +9,8 @@ matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/s
matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}"
matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}"
# The if statement below may look silly at times (leading to the same version being returned),
# but ARM-compatible container images are only released 1-7 hours after a release,
# so we may often be on different versions for different architectures when new Synapse releases come out.
#
# amd64 gets released first.
# arm32 relies on self-building, so the same version can be built immediately.
# arm64 users need to wait for a prebuilt image to become available.
matrix_synapse_version: v1.50.1
matrix_synapse_version_arm64: v1.50.1
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
matrix_synapse_version: v1.53.0
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@ -471,7 +464,7 @@ matrix_synapse_database_database: "synapse"
matrix_synapse_turn_uris: []
matrix_synapse_turn_shared_secret: ""
matrix_synapse_turn_allow_guests: False
matrix_synapse_turn_allow_guests: false
matrix_synapse_email_enabled: false
matrix_synapse_email_smtp_host: ""
@ -496,8 +489,16 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals
# Enable this to activate the Shared Secret Auth password provider module.
# See: https://github.com/devture/matrix-synapse-shared-secret-auth
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false
matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.2/shared_secret_authenticator.py"
matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.2/shared_secret_authenticator.py"
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""
matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled: true
# We'd like to enable this, but it causes trouble for Element: https://github.com/vector-im/element-web/issues/19605
matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: false
matrix_synapse_ext_password_provider_shared_secret_config: "{{ matrix_synapse_ext_password_provider_shared_secret_config_yaml|from_yaml }}"
matrix_synapse_ext_password_provider_shared_secret_config_yaml: |
shared_secret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }}
m_login_password_support_enabled: {{ matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled|to_json }}
com_devture_shared_secret_auth_support_enabled: {{ matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled|to_json }}
# Enable this to activate LDAP password provider
matrix_synapse_ext_password_provider_ldap_enabled: false
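Review bot: The bumped `matrix_synapse_ext_password_provider_shared_secret_auth_download_url` still pins the module by release tag (`2.0.2`), whereas the new `matrix_synapse_ext_encryption_disabler_download_url` added in this same file is pinned by commit hash; a tag can be moved upstream, so what is fetched at deploy time is not fixed. Pinning the raw URL to the commit behind the release, or adding a checksum variable that the downloading `get_url` task passes as `checksum:`, would make the dependency reproducible and let a non-matching download be rejected. A comment such as `# Pinned by tag; prefer the commit hash (as for the encryption disabler below) or a get_url checksum` would at least record the trade-off. The `get_url` task that consumes this URL is in a later file section, outside this hunk.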
@ -517,7 +518,7 @@ matrix_synapse_ext_password_provider_ldap_default_domain: ""
# See: https://github.com/t2bot/synapse-simple-antispam
matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: false
matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "https://github.com/t2bot/synapse-simple-antispam"
matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5"
matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "5ab711971e3a4541a7a40310ff85e17f8262cc05"
matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: []
# Enable this to activate the Mjolnir Antispam spam-checker module.
@ -541,6 +542,30 @@ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: []
# Enable this to activate the E2EE disabling Synapse module.
# See: https://github.com/digitalentity/matrix_encryption_disabler
matrix_synapse_ext_encryption_disabler_enabled: false
matrix_synapse_ext_encryption_disabler_download_url: "https://raw.githubusercontent.com/digitalentity/matrix_encryption_disabler/1182388f7019e8ec1e28f035070c7919d0e4cc24/matrix_e2ee_filter.py"
# A list of server domain names for which to deny encryption if the event sender's domain matches the domain in the list.
# By default, with the configuration below, we prevent all homeserver users from initiating encryption in ANY room.
matrix_synapse_ext_encryption_disabler_deny_encryption_for_users_of: ["{{ matrix_domain }}"]
# A list of server domain names for which to deny encryption if the destination room id's domain matches the domain in the list.
# By default, with the configuration below, we prevent locally-created encryption events by ANY user encrypt rooms on the homeserver.
# Note: foreign users with enough room privileges will still be able to send an encryption event to your rooms and encrypt them.
matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of: ["{{ matrix_domain }}"]
# Specifies whether the power levels event (setting) provided during room creation should be patched.
# This makes it impossible for anybody (locally or over federation) from enabling room encryption
# for the lifetime of rooms created while this setting is enabled (irreversible).
# Enabling this may have incompatiblity consequences with servers / clients.
# Familiarize yourself with the caveats upstream: https://github.com/digitalentity/matrix_encryption_disabler
matrix_synapse_ext_encryption_disabler_patch_power_levels: false
matrix_synapse_ext_encryption_config: "{{ matrix_synapse_ext_encryption_config_yaml|from_yaml }}"
matrix_synapse_ext_encryption_config_yaml: |
deny_encryption_for_users_of: {{ matrix_synapse_ext_encryption_disabler_deny_encryption_for_users_of|to_json }}
deny_encryption_for_rooms_of: {{ matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of|to_json }}
patch_power_levels: {{ matrix_synapse_ext_encryption_disabler_patch_power_levels|to_json }}
matrix_s3_media_store_enabled: false
matrix_s3_media_store_custom_endpoint_enabled: false
matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
@ -580,7 +605,12 @@ matrix_synapse_default_room_version: "9"
# If not, you can also control its value manually.
matrix_synapse_spam_checker: []
matrix_synapse_encryption_enabled_by_default_for_room_type: off
# Controls the Synapse `modules` list.
# You can define your own list of modules here. See the `modules` syntax in `homeserver.yaml.j2`
# Certain Synapse extensions that you can enable below auto-inject themselves into `matrix_synapse_modules` at runtime.
matrix_synapse_modules: []
matrix_synapse_encryption_enabled_by_default_for_room_type: "off"
matrix_synapse_trusted_key_servers:
- server_name: "matrix.org"
@ -0,0 +1,7 @@
---
- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml"
when: matrix_synapse_ext_encryption_disabler_enabled|bool
- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml"
when: "not matrix_synapse_ext_encryption_disabler_enabled|bool"
@ -0,0 +1,33 @@
---
- name: Download matrix_encryption_disabler
get_url:
url: "{{ matrix_synapse_ext_encryption_disabler_download_url }}"
dest: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py"
force: true
mode: 0440
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- set_fact:
matrix_synapse_modules: |
{{
matrix_synapse_modules|default([])
+
[
{
"module": "matrix_e2ee_filter.EncryptedRoomFilter",
"config": matrix_synapse_ext_encryption_config
}
]
}}
matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_extra_arguments|default([]) }}
+
["--mount type=bind,src={{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py,dst={{ matrix_synapse_in_container_python_packages_path }}/matrix_e2ee_filter.py,ro"]
matrix_synapse_additional_loggers: >
{{ matrix_synapse_additional_loggers }}
+
{{ [{'name': 'matrix_e2ee_filter', 'level': 'INFO'}] }}
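Review bot: The `get_url` task at the top of this new file writes the module with `mode: 0440` as an unquoted octal; Ansible accepts the leading-zero form, but `mode: "0440"` removes the YAML 1.1/1.2 integer ambiguity and matches the quoting used for every other scalar in the task. The same task fetches executable Python with `force: true` and no `checksum:`, so the commit hash in the URL is the only integrity control; passing a `checksum:` would let `get_url` reject a tampered or truncated download rather than bind-mounting it into the Synapse container. Lower down, the `matrix_synapse_additional_loggers` fact reads `{{ matrix_synapse_additional_loggers }}` without the `|default([])` guard that the two sibling facts in the same `set_fact` apply to their inputs; the synapse-simple-antispam installer's new `matrix_synapse_modules` fact in a later file section has the same omission.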
@ -0,0 +1,6 @@
---
- name: Ensure matrix_encryption_disabler doesn't exist
file:
path: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py"
state: absent
@ -1,3 +1,5 @@
---
- set_fact:
matrix_synapse_password_providers_enabled: true
@ -5,7 +5,7 @@
name:
- git
state: present
update_cache: no
update_cache: false
when: "ansible_os_family == 'RedHat'"
- name: Ensure git installed (Debian)
@ -13,7 +13,7 @@
name:
- git
state: present
update_cache: no
update_cache: false
when: "ansible_os_family == 'Debian'"
- name: Ensure git installed (Archlinux)
@ -21,7 +21,7 @@
name:
- git
state: present
update_cache: no
update_cache: false
when: "ansible_distribution == 'Archlinux'"
- name: Clone mjolnir-antispam git repository
@ -1,5 +1,7 @@
---
- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup.yml"
- import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml"
- import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml"
@ -5,6 +5,11 @@
msg: "Shared Secret Auth is enabled, but no secret has been set in matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret"
when: "matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret == ''"
- name: Fail if no Shared Secret Auth login types enabled
fail:
msg: "Shared Secret Auth is enabled, but none of the login types are"
when: "not (matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled or matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled)"
- name: Download matrix-synapse-shared-secret-auth
get_url:
url: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_download_url }}"
@ -15,7 +20,17 @@
group: "{{ matrix_user_groupname }}"
- set_fact:
matrix_synapse_password_providers_enabled: true
matrix_synapse_modules: |
{{
matrix_synapse_modules|default([])
+
[
{
"module": "shared_secret_authenticator.SharedSecretAuthProvider",
"config": matrix_synapse_ext_password_provider_shared_secret_config
}
]
}}
matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_extra_arguments|default([]) }}
@ -10,7 +10,7 @@
name:
- git
state: present
update_cache: no
update_cache: false
when: "ansible_os_family == 'RedHat'"
- name: Ensure git installed (Debian)
@ -18,7 +18,7 @@
name:
- git
state: present
update_cache: no
update_cache: false
when: "ansible_os_family == 'Debian'"
- name: Ensure git installed (Archlinux)
@ -26,7 +26,7 @@
name:
- git
state: present
update_cache: no
update_cache: false
when: "ansible_distribution == 'Archlinux'"
- name: Clone synapse-simple-antispam git repository
@ -38,8 +38,8 @@
become_user: "{{ matrix_user_username }}"
- set_fact:
matrix_synapse_spam_checker: >
{{ matrix_synapse_spam_checker }}
matrix_synapse_modules: >
{{ matrix_synapse_modules }}
+
[{
"module": "synapse_simple_antispam.AntiSpamInvites",
@ -1,3 +1,5 @@
---
- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_fuse_installed.yml"
- name: Ensure Goofys Docker image is pulled
@ -12,7 +14,7 @@
stat:
path: "{{ matrix_s3_media_store_path }}"
register: local_path_matrix_s3_media_store_path_stat
ignore_errors: yes
ignore_errors: true
- name: Ensure Matrix Goofys external storage mountpoint exists
file:
@ -39,5 +41,5 @@
- name: Ensure systemd reloaded after matrix-goofys.service installation
service:
daemon_reload: yes
daemon_reload: true
when: "matrix_goofys_systemd_service_result.changed"
@ -1,3 +1,5 @@
---
- name: Check existence of matrix-goofys service
stat:
path: "{{ matrix_systemd_path }}/matrix-goofys.service"
@ -7,8 +9,8 @@
service:
name: matrix-goofys
state: stopped
enabled: no
daemon_reload: yes
enabled: false
daemon_reload: true
register: stopping_result
when: "matrix_goofys_service_stat.stat.exists"
@ -20,7 +22,7 @@
- name: Ensure systemd reloaded after matrix-goofys.service removal
service:
daemon_reload: yes
daemon_reload: true
when: "matrix_goofys_service_stat.stat.exists"
- name: Ensure goofys environment variables file doesn't exist
@ -44,8 +44,8 @@
service:
name: matrix-synapse
state: stopped
enabled: no
daemon_reload: yes
enabled: false
daemon_reload: true
register: stopping_result
# This can only work with local files, not if the media store is on Amazon S3,
@ -54,11 +54,11 @@
synchronize:
src: "{{ server_path_media_store }}/"
dest: "{{ matrix_synapse_media_store_path }}"
delete: yes
delete: true
# It's wasteful to preserve owner/group now. We chown below anyway.
owner: no
group: no
times: yes
owner: false
group: false
times: true
delegate_to: "{{ inventory_hostname }}"
# This is for the generic case and fails in other cases (remote file systems),
@ -68,7 +68,7 @@
path: "{{ matrix_synapse_media_store_path }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
recurse: yes
recurse: true
when: "not matrix_s3_media_store_enabled|bool"
# We don't chown for Goofys, because due to the way it's mounted,
@ -78,7 +78,7 @@
service:
name: "{{ item }}"
state: started
daemon_reload: yes
daemon_reload: true
when: "stopping_result.changed"
with_items:
- matrix-synapse
@ -1,8 +1,9 @@
---
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
- name: Fail if trying to self-build on Ansible < 2.8
fail:
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
msg: "To self-build the Synapse image, you should use Ansible 2.8 or higher. See docs/ansible.md"
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled"
# Unless `matrix_synapse_workers_enabled_list` is explicitly defined,
@ -1,3 +1,5 @@
---
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
@ -52,4 +54,4 @@
set_fact:
matrix_synapse_role_executed: true
tags:
- always
- always
@ -19,7 +19,7 @@
service:
name: matrix-synapse
state: started
daemon_reload: yes
daemon_reload: true
register: start_result
- name: Wait a while, so that Synapse can manage to start
@ -1,3 +1,5 @@
---
- debug:
msg: "Compressing room `{{ room_details.room_id }}` having {{ room_details.count }} state group rows"
@ -1,3 +1,4 @@
---
# Pre-checks
- name: Fail if Postgres not enabled
@ -80,12 +81,12 @@
# Row 3 contains a space when there's no result.
- block:
- debug: var="matrix_synapse_rust_synapse_compress_state_find_rooms_command_result"
- debug: var="matrix_synapse_rust_synapse_compress_state_find_rooms_command_result"
- name: Fail if room find result is not what we expect
fail:
msg: >-
Expecting 4 lines in the "find rooms" result.
- name: Fail if room find result is not what we expect
fail:
msg: >-
Expecting 4 lines in the "find rooms" result.
when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.failed or matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines|length != 4"
- block:
@ -7,7 +7,7 @@
validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
register: result_matrix_synapse_client_api
ignore_errors: true
check_mode: no
check_mode: false
when: matrix_synapse_enabled|bool
- name: Fail if Matrix Client API not working
@ -7,7 +7,7 @@
validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
register: result_matrix_synapse_federation_api
ignore_errors: true
check_mode: no
check_mode: false
when: matrix_synapse_enabled|bool
- name: Fail if Matrix Federation API not working
@ -17,7 +17,7 @@
- name: Fail if Matrix Federation API unexpectedly enabled
fail:
msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled."
msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled."
when: "matrix_synapse_enabled|bool and not matrix_synapse_federation_enabled|bool and not result_matrix_synapse_federation_api.failed"
- name: Report working Matrix Federation API
@ -8,9 +8,9 @@
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_synapse_config_dir_path }}", when: true }
- { path: "{{ matrix_synapse_ext_path }}", when: true }
- { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" }
- {path: "{{ matrix_synapse_config_dir_path }}", when: true}
- {path: "{{ matrix_synapse_ext_path }}", when: true}
- {path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}"}
# We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml),
# because if it's using Goofys and it's already mounted (from before),
# trying to chown/chmod it here will cause trouble.
@ -5,7 +5,7 @@
stat:
path: "{{ matrix_synapse_media_store_path }}"
register: local_path_media_store_stat
ignore_errors: yes
ignore_errors: true
# This is separate and conditional, to ensure we don't execute it
# if the path already exists or we failed to check, because it's mounted using fuse.
@ -18,25 +18,33 @@
group: "{{ matrix_user_groupname }}"
when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
- name: Ensure Synapse repository is present on self-build
git:
repo: "{{ matrix_synapse_container_image_self_build_repo }}"
dest: "{{ matrix_synapse_docker_src_files_path }}"
version: "{{ matrix_synapse_docker_image.split(':')[1] }}"
force: "yes"
register: matrix_synapse_git_pull_results
when: "matrix_synapse_container_image_self_build|bool"
- block:
- name: Ensure Synapse repository is present on self-build
git:
repo: "{{ matrix_synapse_container_image_self_build_repo }}"
dest: "{{ matrix_synapse_docker_src_files_path }}"
version: "{{ matrix_synapse_docker_image.split(':')[1] }}"
force: "yes"
register: matrix_synapse_git_pull_results
- name: Ensure Synapse Docker image is built
docker_image:
name: "{{ matrix_synapse_docker_image }}"
source: build
force_source: "{{ matrix_synapse_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_git_pull_results.changed }}"
build:
dockerfile: docker/Dockerfile
path: "{{ matrix_synapse_docker_src_files_path }}"
pull: yes
- name: Check if Synapse Docker image exists
command: "{{ matrix_host_command_docker }} images --quiet --filter 'reference={{ matrix_synapse_docker_image }}'"
register: matrix_synapse_docker_image_check_result
# Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module,
# because the latter does not support BuildKit.
# See: https://github.com/ansible-collections/community.general/issues/514
- name: Ensure Synapse Docker image is built
shell:
chdir: "{{ matrix_synapse_docker_src_files_path }}"
cmd: |
{{ matrix_host_command_docker }} build \
-t "{{ matrix_synapse_docker_image }}" \
-f docker/Dockerfile \
.
environment:
DOCKER_BUILDKIT: 1
when: "matrix_synapse_git_pull_results.changed|bool or matrix_synapse_docker_image_check_result.stdout == ''"
when: "matrix_synapse_container_image_self_build|bool"
- name: Ensure Synapse Docker image is pulled
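Review bot: The new `Check if Synapse Docker image exists` task runs a read-only `docker images` query but has no `changed_when: false`, so it reports a change on every run of the role and dilutes the play recap; add `changed_when: false` next to its `register:`. The rewritten build step also drops the `pull: yes` that the removed `docker_image` call had, so the base image named in `docker/Dockerfile` is no longer refreshed when the Synapse checkout changes; if that was not intended, add `--pull \` to the `docker build` invocation, and if it was, a short comment saying so would help the next reader. Lastly, `DOCKER_BUILDKIT: 1` under `environment:` is an integer; `DOCKER_BUILDKIT: "1"` is the safer spelling, since environment values are handed to the process as strings.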
@ -55,10 +63,10 @@
# We do this so that the signing key would get generated.
#
# This will also generate a default homeserver.yaml configuration file and a log configuration file.
# We don't care about those configuraiton files, as we replace them with our own anyway (see below).
# We don't care about those configuration files, as we replace them with our own anyway (see below).
#
# We don't use the `docker_container` module, because using it with `cap_drop` requires
# a very recent version, which is not available for a lot of people yet.
# a very recent docker-py version, which is not available for a lot of people yet.
- name: Generate initial Synapse config and signing key
command: |
docker run
@ -97,7 +105,7 @@
- name: Ensure systemd reloaded after matrix-synapse.service installation
service:
daemon_reload: yes
daemon_reload: true
when: "matrix_synapse_systemd_service_result.changed"
- name: Ensure matrix-synapse-register-user script created
@ -1,3 +1,5 @@
---
- name: Check existence of matrix-synapse service
stat:
path: "{{ matrix_systemd_path }}/matrix-synapse.service"
@ -7,8 +9,8 @@
service:
name: matrix-synapse
state: stopped
enabled: no
daemon_reload: yes
enabled: false
daemon_reload: true
register: stopping_result
when: "matrix_synapse_service_stat.stat.exists"
@ -20,7 +22,7 @@
- name: Ensure systemd reloaded after matrix-synapse.service removal
service:
daemon_reload: yes
daemon_reload: true
when: "matrix_synapse_service_stat.stat.exists"
- name: Ensure Synapse Docker image doesn't exist
@ -1,3 +1,4 @@
---
# Below is a huge hack for dynamically building a list of workers and finally assigning it to `matrix_synapse_workers_enabled_list`.
#
# set_fact within a loop does not work reliably in Ansible (it only executes on the first iteration for some reason),
@ -8,7 +8,7 @@
name: "{{ item.key }}"
state: stopped
with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker-.+\\.service')|list|items2dict }}"
when: "item.value['status'] != 'not-found'" # see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1461
when: "item.value['status'] != 'not-found'" # see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1461
- name: Find worker configs to be cleaned
find:
@ -1,3 +1,4 @@
---
# The tasks below run before `validate_config.yml`.
# To avoid failing with a cryptic error message, we'll do validation here.
#
@ -1,3 +1,5 @@
---
- set_fact:
matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.instanceId }}"
@ -19,14 +19,14 @@
service:
name: matrix-synapse
state: started
daemon_reload: yes
daemon_reload: true
register: start_result
- name: Ensure matrix-postgres is started
service:
name: matrix-postgres
state: started
daemon_reload: yes
daemon_reload: true
register: postgres_start_result
@ -48,6 +48,7 @@
- {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
- {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
- {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'}
- {'old': 'matrix_synapse_version_arm64', 'new': '<superseded by matrix_synapse_version - see https://github.com/matrix-org/synapse/pull/11810>'}
- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
fail:
@ -27,10 +27,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name %n \
-c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3'
TimeoutStartSec=5min
ExecStopPost=-{{ matrix_host_command_docker }} stop %n
ExecStopPost=-{{ matrix_host_command_docker }} kill %n
ExecStopPost=-{{ matrix_host_command_docker }} rm %n
ExecStopPost=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }}
ExecStop=-{{ matrix_host_command_docker }} stop %n
ExecStop=-{{ matrix_host_command_docker }} kill %n
ExecStop=-{{ matrix_host_command_docker }} rm %n
ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }}
Restart=always
RestartSec=5
SyslogIdentifier=matrix-goofys
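Review bot: Moving the four cleanup commands from `ExecStopPost=` to `ExecStop=` changes when they run: as I read systemd's service semantics, `ExecStop=` commands are skipped when start-up fails (including a `TimeoutStartSec=5min` expiry), whereas `ExecStopPost=` also runs on that path. A goofys start that fails after the container was created, or after the FUSE mount was partially established, would therefore no longer be torn down, and with `Restart=always` the next attempt may collide on the container name `%n` or a stale mount at `{{ matrix_s3_media_store_path }}`. Keeping at least the removal steps as `ExecStopPost=-{{ matrix_host_command_docker }} rm %n` and `ExecStopPost=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }}` preserves the failure-path cleanup; if the move was deliberate, a one-line comment in the unit explaining why would help. The `[Service]` section this hunk sits in starts above the visible lines.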
@ -15,12 +15,13 @@
# See https://matrix-org.github.io/synapse/latest/modules/index.html for more
# documentation on how to configure or create custom modules for Synapse.
#
modules:
# - module: my_super_module.MySuperClass
# config:
# do_thing: true
# - module: my_other_super_module.SomeClass
# config: {}
#modules:
#- module: my_super_module.MySuperClass
# config:
# do_thing: true
#- module: my_other_super_module.SomeClass
# config: {}
modules: {{ matrix_synapse_modules|to_json }}
## Server ##
@ -49,13 +50,7 @@ server_name: "{{ matrix_domain }}"
#
pid_file: /homeserver.pid
# The absolute URL to the web client which /_matrix/client will redirect
# to if 'webclient' is configured under the 'listeners' configuration.
#
# This option can be also set to the filesystem path to the web client
# which will be served at /_matrix/client/ if 'webclient' is configured
# under the 'listeners' configuration, however this is a security risk:
# https://github.com/matrix-org/synapse#security-note
# The absolute URL to the web client which / will redirect to.
#
#web_client_location: https://riot.example.com/
@ -139,7 +134,7 @@ allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_fe
# The default room version for newly created rooms.
#
# Known room versions are listed here:
# https://matrix.org/docs/spec/#complete-list-of-room-versions
# https://spec.matrix.org/latest/rooms/#complete-list-of-room-versions
#
# For example, for room version 1, default_room_version should be set
# to "1".
@ -284,8 +279,6 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
# static: static resources under synapse/static (/_matrix/static). (Mostly
# useful for 'fallback authentication'.)
#
# webclient: A web client. Requires web_client_location to be set.
#
listeners:
{% if matrix_synapse_metrics_enabled %}
- type: metrics
@ -495,6 +488,20 @@ limit_remote_rooms:
#
#allow_per_room_profiles: false
# The largest allowed file size for a user avatar. Defaults to no restriction.
#
# Note that user avatar changes will not work if this is set without
# using Synapse's media repository.
#
#max_avatar_size: 10M
# The MIME types allowed for user avatars. Defaults to no restriction.
#
# Note that user avatar changes will not work if this is set without
# using Synapse's media repository.
#
#allowed_avatar_mimetypes: ["image/png", "image/jpeg", "image/gif"]
# How long to keep redacted events in unredacted form in the database. After
# this period redacted events get replaced with their redacted form in the DB.
#
@ -769,11 +776,16 @@ caches:
|
||||
per_cache_factors:
|
||||
#get_users_who_share_room_with_user: 2.0
|
||||
|
||||
# Controls how long an entry can be in a cache without having been
|
||||
# accessed before being evicted. Defaults to None, which means
|
||||
# entries are never evicted based on time.
|
||||
# Controls whether cache entries are evicted after a specified time
|
||||
# period. Defaults to true. Uncomment to disable this feature.
|
||||
#
|
||||
#expiry_time: 30m
|
||||
#expire_caches: false
|
||||
|
||||
# If expire_caches is enabled, this flag controls how long an entry can
|
||||
# be in a cache without having been accessed before being evicted.
|
||||
# Defaults to 30m. Uncomment to set a different time to live for cache entries.
|
||||
#
|
||||
#cache_entry_ttl: 30m
|
||||
|
||||
# Controls how long the results of a /sync request are cached for after
|
||||
# a successful response is returned. A higher duration can help clients with
|
||||
@ -883,6 +895,9 @@ log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config"
|
||||
# - one for ratelimiting how often a user or IP can attempt to validate a 3PID.
|
||||
# - two for ratelimiting how often invites can be sent in a room or to a
|
||||
# specific user.
|
||||
# - one for ratelimiting 3PID invites (i.e. invites sent to a third-party ID
|
||||
# such as an email address or a phone number) based on the account that's
|
||||
# sending the invite.
|
||||
#
|
||||
# The defaults are as shown below.
|
||||
#
|
||||
@ -937,6 +952,10 @@ rc_joins: {{ matrix_synapse_rc_joins|to_json }}
|
||||
# per_user:
|
||||
# per_second: 0.003
|
||||
# burst_count: 5
|
||||
#
|
||||
#rc_third_party_invite:
|
||||
# per_second: 0.2
|
||||
# burst_count: 10
|
||||
|
||||
# Ratelimiting settings for incoming federation
|
||||
#
|
||||
@ -1465,6 +1484,16 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json
|
||||
#
|
||||
#auto_join_rooms_for_guests: false
|
||||
|
||||
# Whether to inhibit errors raised when registering a new account if the user ID
|
||||
# already exists. If turned on, that requests to /register/available will always
|
||||
# show a user ID as available, and Synapse won't raise an error when starting
|
||||
# a registration with a user ID that already exists. However, Synapse will still
|
||||
# raise an error if the registration completes and the username conflicts.
|
||||
#
|
||||
# Defaults to false.
|
||||
#
|
||||
#inhibit_user_in_use_error: true
|
||||
|
||||
|
||||
## Metrics ###
|
||||
|
||||
@ -1534,6 +1563,21 @@ room_prejoin_state:
|
||||
#additional_event_types:
|
||||
# - org.example.custom.event.type
|
||||
|
||||
# We record the IP address of clients used to access the API for various
|
||||
# reasons, including displaying it to the user in the "Where you're signed in"
|
||||
# dialog.
|
||||
#
|
||||
# By default, when puppeting another user via the admin API, the client IP
|
||||
# address is recorded against the user who created the access token (ie, the
|
||||
# admin user), and *not* the puppeted user.
|
||||
#
|
||||
# Uncomment the following to also record the IP address against the puppeted
|
||||
# user. (This also means that the puppeted user will count as an "active" user
|
||||
# for the purpose of monthly active user tracking - see 'limit_usage_by_mau' etc
|
||||
# above.)
|
||||
#
|
||||
#track_puppeted_user_ips: true
|
||||
|
||||
|
||||
# A list of application service config files to use
|
||||
#
|
||||
@ -1899,10 +1943,13 @@ saml2_config:
|
||||
# Defaults to false. Avoid this in production.
|
||||
#
|
||||
# user_profile_method: Whether to fetch the user profile from the userinfo
|
||||
# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
|
||||
# endpoint, or to rely on the data returned in the id_token from the
|
||||
# token_endpoint.
|
||||
#
|
||||
# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
|
||||
# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
|
||||
# Valid values are: 'auto' or 'userinfo_endpoint'.
|
||||
#
|
||||
# Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
|
||||
# not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
|
||||
# userinfo endpoint.
|
||||
#
|
||||
# allow_existing_users: set to 'true' to allow a user logging in via OIDC to
|
||||
@ -2551,11 +2598,6 @@ email:
|
||||
# #filter: "(objectClass=posixAccount)"
|
||||
{% if matrix_synapse_password_providers_enabled %}
|
||||
password_providers:
|
||||
{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %}
|
||||
- module: "shared_secret_authenticator.SharedSecretAuthenticator"
|
||||
config:
|
||||
sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }}
|
||||
{% endif %}
|
||||
{% if matrix_synapse_ext_password_provider_rest_auth_enabled %}
|
||||
- module: "rest_auth_provider.RestAuthProvider"
|
||||
config:
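Review bot: The new `rc_third_party_invite` limiter arrives only as the commented upstream sample (`#rc_third_party_invite:` / `# per_second: 0.2` / `# burst_count: 10`), so it stays at Synapse's built-in default and cannot be tuned through the playbook, whereas the neighbouring `rc_joins: {{ matrix_synapse_rc_joins|to_json }}` on the hunk header line is rendered from a role variable. Since this limiter governs invites sent to email addresses and phone numbers, operators of servers with open registration are likely to want it adjustable; I would render `rc_third_party_invite: {{ matrix_synapse_rc_third_party_invite|to_json }}` with a role default mirroring the sample values. The same treatment would suit the new `inhibit_user_in_use_error` knob, which per its comment makes `/register/available` always report a user ID as available and is therefore something an operator may want to switch on deliberately rather than leave as a commented example. This section spans several hunks of the template, and the surrounding `{% if %}` blocks begin and end outside the hunks shown.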
|
||||
|
@ -46,8 +46,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor
|
||||
run -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }}
|
||||
|
||||
|
||||
ExecStopPost=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }}
|
||||
ExecStopPost=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }}
|
||||
ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }}
|
||||
ExecStop=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }}
|
||||
|
||||
ExecReload={{ matrix_host_command_docker }} exec {{ matrix_synapse_worker_container_name }} /bin/sh -c 'kill -HUP 1'
|
||||
Restart=always
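Review bot: Moving `docker kill` from `ExecStopPost` to `ExecStop` changes how the worker is shut down: `ExecStop` runs before systemd delivers its own `KillSignal`, and `docker kill` without `--signal` sends SIGKILL, so as far as this hunk shows the worker no longer receives SIGTERM first and loses the graceful shutdown the previous arrangement (SIGTERM to `docker run`, post-stop kill only as a fallback) gave it. I would make the first stop step graceful, e.g. `ExecStop=-{{ matrix_host_command_docker }} stop {{ matrix_synapse_worker_container_name }}`, and keep the `kill`/`rm` pair as `ExecStopPost` fallbacks for the `--rm` container. Separately, the sibling `matrix-synapse.service` hunk in this commit wraps the same commands in `sh -c '... 2>/dev/null'` while this unit calls docker directly; the two units should settle on one form. The unit's `[Service]` section starts and ends outside the hunk.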
|
||||
|
@ -63,8 +63,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \
|
||||
{{ matrix_synapse_docker_image }} \
|
||||
run -m synapse.app.homeserver -c /data/homeserver.yaml
|
||||
|
||||
ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null'
|
||||
ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null'
|
||||
ExecReload={{ matrix_host_command_docker }} exec matrix-synapse /bin/sh -c 'kill -HUP 1'
|
||||
Restart=always
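Review bot: The new `ExecStop=` lines stop the homeserver with `docker kill`, which sends SIGKILL unless `--signal` is given, and because `ExecStop` runs before systemd's `KillSignal` the container is no longer offered SIGTERM first; under the previous `ExecStopPost` placement these commands only ran after the normal SIGTERM-driven stop. For a homeserver with in-flight client and federation requests I would replace the kill line with `ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} stop matrix-synapse 2>/dev/null'` and keep `kill`/`rm` as `ExecStopPost` fallbacks. The `2>/dev/null` wrapper is also a style difference from the worker unit changed in the same commit, which runs docker directly. The `[Service]` section of this unit starts and ends outside the hunk.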
|
||||
RestartSec=30
|
||||
|
@ -64,7 +64,7 @@ matrix_synapse_workers_generic_worker_endpoints:
|
||||
# Registration/login requests
|
||||
- ^/_matrix/client/(api/v1|r0|v3|unstable)/login$
|
||||
- ^/_matrix/client/(r0|v3|unstable)/register$
|
||||
- ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$
|
||||
- ^/_matrix/client/v1/register/m.login.registration_token/validity$
|
||||
|
||||
# Event sending requests
|
||||
- ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact
|
||||
|