Merge branch 'spantaleev:master' into master

2021-05-07 23:03:55 +05:30 · 2021-05-07 23:03:55 +05:30 · bb0810302d
commit bb0810302d
parent 40fe6bd5c1 61220ea487
25 changed files with 244 additions and 104 deletions
--- a/docs/configuring-awx-system.md
+++ b/docs/configuring-awx-system.md
@ -34,6 +34,8 @@ Updates to this section are trailed here:

 Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository.

+For simpler installation steps you can use to get started with this system, check out our minimal installation guide at '/doc/Installation_Minimal.md'.
+

 ## Does I need a front-end WordPress site? And a DigitalOcean account? 

--- a/roles/matrix-awx/surveys/access_export.json.j2
+++ b/roles/matrix-awx/surveys/access_export.json.j2
@ -0,0 +1,42 @@
+{
+  "name": "Access Export",
+  "description": "Access the services export.",
+  "spec": [
+    {
+      "question_name": "SFTP Authorisation Method",
+      "question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.",
+      "required": true,
+      "min": null,
+      "max": null,
+      "default": "{{ sftp_auth_method | string }}",
+      "choices": "Disabled\nPassword\nSSH Key",
+      "new_question": true,
+      "variable": "sftp_auth_method",
+      "type": "multiplechoice"
+    },
+    {
+      "question_name": "SFTP Password",
+      "question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.",
+      "required": false,
+      "min": 0,
+      "max": 64,
+      "default": "{{ sftp_password }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "sftp_password",
+      "type": "password"
+    },
+    {
+      "question_name": "SFTP Public SSH Key (More Secure)",
+      "question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.",
+      "required": false,
+      "min": 0,
+      "max": 16384,
+      "default": "{{ sftp_public_key }}",
+      "choices": "",
+      "new_question": true,
+      "variable": "sftp_public_key",
+      "type": "text"
+    }
+  ]
+}
--- a/roles/matrix-awx/surveys/backup_server.json.j2
+++ b/roles/matrix-awx/surveys/backup_server.json.j2
@ -1,6 +1,6 @@
 {
  "name": "Backup Server",
-  "description": "",
+  "description": "Performs a backup of the entire service to a remote location.",
  "spec": [
    {
      "question_name": "Enable Backup",
--- a/roles/matrix-awx/surveys/configure_corporal.json.j2
+++ b/roles/matrix-awx/surveys/configure_corporal.json.j2
@ -1,6 +1,6 @@
 {
  "name": "Configure Matrix Corporal",
-  "description": "",
+  "description": "Configure Matrix Corporal, a tool that manages your Matrix server according to a configuration policy.",
  "spec": [
    {
      "question_name": "Enable Corporal",
--- a/roles/matrix-awx/surveys/configure_dimension.json.j2
+++ b/roles/matrix-awx/surveys/configure_dimension.json.j2
@ -1,6 +1,6 @@
 {
  "name": "Configure Dimension",
-  "description": "",
+  "description": "Configure Dimension, the self-hosted integrations server.",
  "spec": [
    {
      "question_name": "Enable Dimension",
--- a/roles/matrix-awx/surveys/configure_element.json.j2
+++ b/roles/matrix-awx/surveys/configure_element.json.j2
@ -1,6 +1,6 @@
 {
-  "name": "",
-  "description": "",
+  "name": "Configure Element",
+  "description": "Configure Element web client, Element is the most developed Matrix client software.",
  "spec": [
    {
      "question_name": "Enable Element-Web",
--- a/roles/matrix-awx/surveys/configure_jitsi.json.j2
+++ b/roles/matrix-awx/surveys/configure_jitsi.json.j2
@ -1,6 +1,6 @@
 {
-  "name": "",
-  "description": "",
+  "name": "Configure Jitsi",
+  "description": "Configure Jitsi conferencing settings.",
  "spec": [
    {
      "question_name": "Enable Jitsi",
--- a/roles/matrix-awx/surveys/configure_ma1sd.json.j2
+++ b/roles/matrix-awx/surveys/configure_ma1sd.json.j2
@ -1,6 +1,6 @@
 {
-  "name": "",
-  "description": "",
+  "name": "Configure ma1sd",
+  "description": "Configure ma1sd settings, ma1sd is a self-hosted identity server for Matrix.",
  "spec": [
    {
      "question_name": "Enable ma1sd",
--- a/roles/matrix-awx/surveys/configure_synapse.json.j2
+++ b/roles/matrix-awx/surveys/configure_synapse.json.j2
@ -1,6 +1,6 @@
 {
  "name": "Configure Synapse",
-  "description": "",
+  "description": "Configure Synapse settings. Synapse is the homeserver software that powers your Matrix instance.",
  "spec": [
    {
      "question_name": "Enable Public Registration",
--- a/roles/matrix-awx/tasks/customise_website_access_export.yml
+++ b/roles/matrix-awx/tasks/customise_website_access_export.yml
@ -8,7 +8,7 @@
    insertafter: '# Base Domain Settings Start'
  with_dict:
    'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'
-  when: customise_base_domain_website|bool == false
+  when: (customise_base_domain_website is defined) and not customise_base_domain_website|bool

 - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain
  delegate_to: 127.0.0.1
@ -19,7 +19,19 @@
    insertafter: '# Base Domain Settings Start'
  with_dict:
    'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
-  when: customise_base_domain_website|bool == true
+  when: (customise_base_domain_website is defined) and customise_base_domain_website|bool
+
+- name: Record custom 'Customise Website + Access Export' variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '{{ awx_cached_matrix_vars }}'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Custom Settings Start'
+  with_dict:
+    'sftp_auth_method': '"{{ sftp_auth_method }}"'
+    'sftp_password': '"{{ sftp_password }}"'
+    'sftp_public_key': '"{{ sftp_public_key }}"'

 - name: Record custom 'Customise Website + Access Export' variables locally on AWX
  delegate_to: 127.0.0.1
@ -30,28 +42,40 @@
    insertafter: '# Custom Settings Start'
  with_dict:
    'customise_base_domain_website': '{{ customise_base_domain_website }}'
-    'sftp_auth_method': '"{{ sftp_auth_method }}"'
-    'sftp_password': '"{{ sftp_password }}"'
-    'sftp_public_key': '"{{ sftp_public_key }}"'
+  when: customise_base_domain_website is defined

 - name: Reload vars in matrix_vars.yml
  include_vars:
    file: '{{ awx_cached_matrix_vars }}'
  no_log: True

-# ^ Is this even needed?
-
 - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
  delegate_to: 127.0.0.1
  template:
    src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
+  when: customise_base_domain_website is defined

 - name: Copy new 'Customise Website + Access Export' survey.json to target machine
  copy:
    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
    dest:  '/matrix/awx/configure_website_access_export.json'
    mode: '0660'
+  when: customise_base_domain_website is defined
+
+- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
+  delegate_to: 127.0.0.1
+  template:
+    src: './roles/matrix-awx/surveys/access_export.json.j2'
+    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'
+  when: customise_base_domain_website is undefined
+
+- name: Copy new 'Customise Website + Access Export' survey.json to target machine
+  copy:
+    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'
+    dest:  '/matrix/awx/access_export.json'
+    mode: '0660'
+  when: customise_base_domain_website is undefined

 - name: Collect AWX admin token the hard way!
  delegate_to: 127.0.0.1
@ -60,7 +84,7 @@
  register: tower_token
  no_log: True

- name: Recreate 'Customise Base Domain Export' job template
+- name: Recreate 'Configure Website + Access Export' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
    name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
@ -80,6 +104,29 @@
    tower_host: "https://{{ tower_host }}"
    tower_oauthtoken: "{{ tower_token.stdout }}"
    validate_certs: yes
+  when: customise_base_domain_website is defined
+
+- name: Recreate 'Access Export' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 1 - Access Export"
+    description: "Access the services export."
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "start,setup-nginx-proxy"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    survey_enabled: true
+    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json') }}"
+    become_enabled: yes
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+  when: customise_base_domain_website is undefined

 - name: Ensure group "sftp" exists
  group:
@ -113,6 +160,7 @@
    name: sftp
    groups: matrix
    append: yes
+  when: customise_base_domain_website is defined

 - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)
  file:
@ -129,6 +177,7 @@
    owner: matrix
    group: matrix
    mode: '0574'
+  when: customise_base_domain_website is defined

 - name: Ensure /chroot/export location exists
  file:
--- a/roles/matrix-awx/tasks/import_awx.yml
+++ b/roles/matrix-awx/tasks/import_awx.yml
@ -16,8 +16,3 @@
 - name: Ensure correct ownership of /matrix/synapse
  shell: chown -R matrix:matrix /matrix/synapse

- name: Fetch matrix_vars.yml file to AWX
-  fetch:
-    src: /matrix/awx/matrix_vars.yml
-    dest: /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/
-    flat: yes
--- a/roles/matrix-awx/tasks/purge_media_local.yml
+++ b/roles/matrix-awx/tasks/purge_media_local.yml
@ -6,7 +6,12 @@

 - name: Purge local media to specific date
  shell: |
-    curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout }}" 'https://matrix.{{ matrix_domain }}/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}'
+    curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}'
+  register: purge_command
+  
+- name: Print output of purge command
+  debug: 
+    msg: "{{ purge_command.stdout }}"

 - name: Pause for 5 seconds to let Synapse breathe
  pause:
--- a/roles/matrix-awx/tasks/purge_media_main.yml
+++ b/roles/matrix-awx/tasks/purge_media_main.yml
@ -21,6 +21,10 @@
  shell: |
    curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "https://matrix.{{ matrix_domain }}/_matrix/client/r0/login" | jq '.access_token'
  register: janitors_token
+  
+- name: Collect the internal IP of the matrix-synapse container
+  shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
+  register: synapse_container_ip
    
 - name: Generate list of dates to purge to
  delegate_to: 127.0.0.1
--- a/roles/matrix-awx/tasks/purge_media_remote.yml
+++ b/roles/matrix-awx/tasks/purge_media_remote.yml
@ -6,7 +6,12 @@

 - name: Purge local media to specific date
  shell: |
-    curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout }}" 'https://matrix.{{ matrix_domain }}/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}'
+    curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}'
+  register: purge_command
+  
+- name: Print output of purge command
+  debug: 
+    msg: "{{ purge_command.stdout }}"

 - name: Pause for 5 seconds to let Synapse breathe
  pause:
--- a/roles/matrix-awx/tasks/set_variables_dimension.yml
+++ b/roles/matrix-awx/tasks/set_variables_dimension.yml
@ -4,9 +4,11 @@
    file: '{{ awx_cached_matrix_vars }}'
  no_log: True

- name: Install jq on remote machine
+- name: Install jq and curl on remote machine
  apt:
-    name: jq
+    name: 
+      - jq
+      - curl
    state: present

 - name: Collect access token of Dimension user
--- a/roles/matrix-bridge-sms/defaults/main.yml
+++ b/roles/matrix-bridge-sms/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_sms_bridge_enabled: true

-matrix_sms_bridge_version: 0.5.5
+matrix_sms_bridge_version: 0.5.7
 matrix_sms_bridge_docker_image: "{{ matrix_container_global_registry_prefix }}folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}"

 matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge"
--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@ -3,7 +3,7 @@ matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"

-matrix_client_element_version: v1.7.25
+matrix_client_element_version: v1.7.26
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
--- a/roles/matrix-common-after/tasks/awx_post.yml
+++ b/roles/matrix-common-after/tasks/awx_post.yml
@ -35,3 +35,18 @@
  with_dict:
    'matrix_awx_dimension_user_created': 'true'
  when: not matrix_awx_dimension_user_created|bool
+  
+- name: Ensure /chroot/website location has correct permissions
+  file:
+    path: /chroot/website
+    state: directory
+    owner: matrix
+    group: matrix
+    mode: '0574'
+  when: customise_base_domain_website is defined
+
+- name: Ensure erroneous /chroot/website/matrix-domain location doesn't exist
+  file:
+    path: /chroot/website/matrix-domain
+    state: absent
+  when: customise_base_domain_website is defined
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@ -1,7 +1,9 @@
 matrix_coturn_enabled: true

 matrix_coturn_container_image_self_build: false
-matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git"
+matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
+matrix_coturn_container_image_self_build_repo_version: "upstream/{{ matrix_coturn_version }}"
+matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"

 matrix_coturn_version: 4.5.2
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
--- a/roles/matrix-coturn/tasks/setup_install.yml
+++ b/roles/matrix-coturn/tasks/setup_install.yml
@ -30,7 +30,7 @@
      git:
        repo: "{{ matrix_coturn_container_image_self_build_repo }}"
        dest: "{{ matrix_coturn_docker_src_files_path }}"
-        version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
+        version: "{{ matrix_coturn_container_image_self_build_repo_version }}"
        force: "yes"
      register: matrix_coturn_git_pull_results

@ -40,7 +40,7 @@
        source: build
        force_source: "{{ matrix_coturn_git_pull_results.changed }}"
        build:
-          dockerfile: Dockerfile
+          dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}"
          path: "{{ matrix_coturn_docker_src_files_path }}"
          pull: yes
  when: "matrix_coturn_container_image_self_build|bool"
--- a/roles/matrix-grafana/defaults/main.yml
+++ b/roles/matrix-grafana/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_grafana_enabled: false

-matrix_grafana_version: 7.5.4
+matrix_grafana_version: 7.5.5
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"

@ -50,5 +50,3 @@ matrix_grafana_systemd_wanted_services_list: []
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3000"), or empty string to not expose.
 matrix_grafana_container_http_host_bind_port: ''
-
-
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -1,5 +1,5 @@
 matrix_nginx_proxy_enabled: true
-matrix_nginx_proxy_version: 1.19.10-alpine
+matrix_nginx_proxy_version: 1.20.0-alpine

 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@ -11,7 +11,7 @@
 	upstream generic_worker_upstream {
 		# ensures that requests from the same client will always be passed
 		# to the same server (except when this server is unavailable)
-		ip_hash;
+		hash $http_x_forwarded_for;

 		{% for worker in generic_workers %}
 			{% if matrix_nginx_proxy_enabled %}
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.32.2
-matrix_synapse_version_arm64: v1.32.2
+matrix_synapse_version: v1.33.1
+matrix_synapse_version_arm64: v1.33.1
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -1178,69 +1178,6 @@ turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }}
 #
 enable_registration: {{ matrix_synapse_enable_registration|to_json }}

-# Optional account validity configuration. This allows for accounts to be denied
-# any request after a given period.
-#
-# Once this feature is enabled, Synapse will look for registered users without an
-# expiration date at startup and will add one to every account it found using the
-# current settings at that time.
-# This means that, if a validity period is set, and Synapse is restarted (it will
-# then derive an expiration date from the current validity period), and some time
-# after that the validity period changes and Synapse is restarted, the users'
-# expiration dates won't be updated unless their account is manually renewed. This
-# date will be randomly selected within a range [now + period - d ; now + period],
-# where d is equal to 10% of the validity period.
-#
-account_validity:
-  # The account validity feature is disabled by default. Uncomment the
-  # following line to enable it.
-  #
-  #enabled: true
-
-  # The period after which an account is valid after its registration. When
-  # renewing the account, its validity period will be extended by this amount
-  # of time. This parameter is required when using the account validity
-  # feature.
-  #
-  #period: 6w
-
-  # The amount of time before an account's expiry date at which Synapse will
-  # send an email to the account's email address with a renewal link. By
-  # default, no such emails are sent.
-  #
-  # If you enable this setting, you will also need to fill out the 'email' and
-  # 'public_baseurl' configuration sections.
-  #
-  #renew_at: 1w
-
-  # The subject of the email sent out with the renewal link. '%(app)s' can be
-  # used as a placeholder for the 'app_name' parameter from the 'email'
-  # section.
-  #
-  # Note that the placeholder must be written '%(app)s', including the
-  # trailing 's'.
-  #
-  # If this is not set, a default value is used.
-  #
-  #renew_email_subject: "Renew your %(app)s account"
-
-  # Directory in which Synapse will try to find templates for the HTML files to
-  # serve to the user when trying to renew an account. If not set, default
-  # templates from within the Synapse package will be used.
-  #
-  #template_dir: "res/templates"
-
-  # File within 'template_dir' giving the HTML to be displayed to the user after
-  # they successfully renewed their account. If not set, default text is used.
-  #
-  #account_renewed_html_path: "account_renewed.html"
-
-  # File within 'template_dir' giving the HTML to be displayed when the user
-  # tries to renew an account with an invalid renewal token. If not set,
-  # default text is used.
-  #
-  #invalid_token_html_path: "invalid_token.html"
-
 # Time that a user's session remains valid for, after they log in.
 #
 # Note that this is not currently compatible with guest logins.
@ -1445,13 +1382,97 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json
 #auto_join_rooms_for_guests: false


+## Account Validity ##
+
+# Optional account validity configuration. This allows for accounts to be denied
+# any request after a given period.
+#
+# Once this feature is enabled, Synapse will look for registered users without an
+# expiration date at startup and will add one to every account it found using the
+# current settings at that time.
+# This means that, if a validity period is set, and Synapse is restarted (it will
+# then derive an expiration date from the current validity period), and some time
+# after that the validity period changes and Synapse is restarted, the users'
+# expiration dates won't be updated unless their account is manually renewed. This
+# date will be randomly selected within a range [now + period - d ; now + period],
+# where d is equal to 10% of the validity period.
+#
+account_validity:
+  # The account validity feature is disabled by default. Uncomment the
+  # following line to enable it.
+  #
+  #enabled: true
+
+  # The period after which an account is valid after its registration. When
+  # renewing the account, its validity period will be extended by this amount
+  # of time. This parameter is required when using the account validity
+  # feature.
+  #
+  #period: 6w
+
+  # The amount of time before an account's expiry date at which Synapse will
+  # send an email to the account's email address with a renewal link. By
+  # default, no such emails are sent.
+  #
+  # If you enable this setting, you will also need to fill out the 'email' and
+  # 'public_baseurl' configuration sections.
+  #
+  #renew_at: 1w
+
+  # The subject of the email sent out with the renewal link. '%(app)s' can be
+  # used as a placeholder for the 'app_name' parameter from the 'email'
+  # section.
+  #
+  # Note that the placeholder must be written '%(app)s', including the
+  # trailing 's'.
+  #
+  # If this is not set, a default value is used.
+  #
+  #renew_email_subject: "Renew your %(app)s account"
+
+  # Directory in which Synapse will try to find templates for the HTML files to
+  # serve to the user when trying to renew an account. If not set, default
+  # templates from within the Synapse package will be used.
+  #
+  # The currently available templates are:
+  #
+  # * account_renewed.html: Displayed to the user after they have successfully
+  #       renewed their account.
+  #
+  # * account_previously_renewed.html: Displayed to the user if they attempt to
+  #       renew their account with a token that is valid, but that has already
+  #       been used. In this case the account is not renewed again.
+  #
+  # * invalid_token.html: Displayed to the user when they try to renew an account
+  #       with an unknown or invalid renewal token.
+  #
+  # See https://github.com/matrix-org/synapse/tree/master/synapse/res/templates for
+  # default template contents.
+  #
+  # The file name of some of these templates can be configured below for legacy
+  # reasons.
+  #
+  #template_dir: "res/templates"
+
+  # A custom file name for the 'account_renewed.html' template.
+  #
+  # If not set, the file is assumed to be named "account_renewed.html".
+  #
+  #account_renewed_html_path: "account_renewed.html"
+
+  # A custom file name for the 'invalid_token.html' template.
+  #
+  # If not set, the file is assumed to be named "invalid_token.html".
+  #
+  #invalid_token_html_path: "invalid_token.html"
+
+
 ## Metrics ###

 # Enable collection and rendering of performance metrics
 #
 enable_metrics: {{ matrix_synapse_metrics_enabled|to_json  }}

-
 # Enable sentry integration
 # NOTE: While attempts are made to ensure that the logs don't contain
 # any sensitive information, this cannot be guaranteed. By enabling
@ -1892,7 +1913,7 @@ saml2_config:
 #       sub-properties:
 #
 #       module: The class name of a custom mapping module. Default is
-#           'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
+#           'synapse.handlers.oidc.JinjaOidcMappingProvider'.
 #           See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
 #           for information on implementing a custom mapping provider.
 #