diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md
index f391a4574..3db40efa9 100644
--- a/docs/configuring-awx-system.md
+++ b/docs/configuring-awx-system.md
@@ -34,6 +34,8 @@ Updates to this section are trailed here:
 Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository.
+For simpler installation steps you can use to get started with this system, check out our minimal installation guide at '/doc/Installation_Minimal.md'.
+
 ## Does I need a front-end WordPress site? And a DigitalOcean account?
diff --git a/roles/matrix-awx/surveys/access_export.json.j2 b/roles/matrix-awx/surveys/access_export.json.j2
new file mode 100644
index 000000000..c20a97493
--- /dev/null
+++ b/roles/matrix-awx/surveys/access_export.json.j2
@@ -0,0 +1,42 @@
+{
+ "name": "Access Export",
+ "description": "Access the services export.",
+ "spec": [
+ {
+ "question_name": "SFTP Authorisation Method",
+ "question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.",
+ "required": true,
+ "min": null,
+ "max": null,
+ "default": "{{ sftp_auth_method | string }}",
+ "choices": "Disabled\nPassword\nSSH Key",
+ "new_question": true,
+ "variable": "sftp_auth_method",
+ "type": "multiplechoice"
+ },
+ {
+ "question_name": "SFTP Password",
+ "question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.",
+ "required": false,
+ "min": 0,
+ "max": 64,
+ "default": "{{ sftp_password }}",
+ "choices": "",
+ "new_question": true,
+ "variable": "sftp_password",
+ "type": "password"
+ },
+ {
+ "question_name": "SFTP Public SSH Key (More Secure)",
+ "question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.",
+ "required": false,
+ "min": 0,
+ "max": 16384,
+ "default": "{{ sftp_public_key }}",
+ "choices": "",
+ "new_question": true,
+ "variable": "sftp_public_key",
+ "type": "text"
+ }
+ ]
+}
diff --git a/roles/matrix-awx/surveys/backup_server.json.j2 b/roles/matrix-awx/surveys/backup_server.json.j2
index 9b9cddbd6..80782b740 100644
--- a/roles/matrix-awx/surveys/backup_server.json.j2
+++ b/roles/matrix-awx/surveys/backup_server.json.j2
@@ -1,6 +1,6 @@
 {
 "name": "Backup Server",
- "description": "",
+ "description": "Performs a backup of the entire service to a remote location.",
 "spec": [
 {
 "question_name": "Enable Backup",
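Review bot: The three `default` values are dropped into JSON string literals without escaping, so an `sftp_password` containing `"` or `\` (exactly the kind of character the description's "strong and unique password" request tends to produce) renders invalid JSON, and the later `survey_spec: "{{ lookup('file', ...access_export.json) }}"` then fails to load it. Ansible's JSON filter emits the quotes and escapes itself: `"default": {{ sftp_password | to_json }},` and likewise `{{ sftp_public_key | to_json }}` and `{{ sftp_auth_method | string | to_json }}`. The rendered survey also embeds the current password in plaintext as the default, so the copies written under `/var/lib/awx/projects/clients/...` and `/matrix/awx/` are secret material and their ownership and mode deserve the same care as a vars file.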
diff --git a/roles/matrix-awx/surveys/configure_corporal.json.j2 b/roles/matrix-awx/surveys/configure_corporal.json.j2
index 4c4ead830..14e417ce2 100755
--- a/roles/matrix-awx/surveys/configure_corporal.json.j2
+++ b/roles/matrix-awx/surveys/configure_corporal.json.j2
@@ -1,6 +1,6 @@
 {
 "name": "Configure Matrix Corporal",
- "description": "",
+ "description": "Configure Matrix Corporal, a tool that manages your Matrix server according to a configuration policy.",
 "spec": [
 {
 "question_name": "Enable Corporal",
diff --git a/roles/matrix-awx/surveys/configure_dimension.json.j2 b/roles/matrix-awx/surveys/configure_dimension.json.j2
index 3acbaaaff..2f39e80e3 100644
--- a/roles/matrix-awx/surveys/configure_dimension.json.j2
+++ b/roles/matrix-awx/surveys/configure_dimension.json.j2
@@ -1,6 +1,6 @@
 {
 "name": "Configure Dimension",
- "description": "",
+ "description": "Configure Dimension, the self-hosted integrations server.",
 "spec": [
 {
 "question_name": "Enable Dimension",
diff --git a/roles/matrix-awx/surveys/configure_element.json.j2 b/roles/matrix-awx/surveys/configure_element.json.j2
index 0ff02288c..02812fbc3 100755
--- a/roles/matrix-awx/surveys/configure_element.json.j2
+++ b/roles/matrix-awx/surveys/configure_element.json.j2
@@ -1,6 +1,6 @@
 {
- "name": "",
- "description": "",
+ "name": "Configure Element",
+ "description": "Configure Element web client, Element is the most developed Matrix client software.",
 "spec": [
 {
 "question_name": "Enable Element-Web",
diff --git a/roles/matrix-awx/surveys/configure_jitsi.json.j2 b/roles/matrix-awx/surveys/configure_jitsi.json.j2
index 2eb0579b2..9cb3044d1 100755
--- a/roles/matrix-awx/surveys/configure_jitsi.json.j2
+++ b/roles/matrix-awx/surveys/configure_jitsi.json.j2
@@ -1,6 +1,6 @@
 {
- "name": "",
- "description": "",
+ "name": "Configure Jitsi",
+ "description": "Configure Jitsi conferencing settings.",
 "spec": [
 {
 "question_name": "Enable Jitsi",
diff --git a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 b/roles/matrix-awx/surveys/configure_ma1sd.json.j2
index e3c1d4487..67c2c88d7 100644
--- a/roles/matrix-awx/surveys/configure_ma1sd.json.j2
+++ b/roles/matrix-awx/surveys/configure_ma1sd.json.j2
@@ -1,6 +1,6 @@
 {
- "name": "",
- "description": "",
+ "name": "Configure ma1sd",
+ "description": "Configure ma1sd settings, ma1sd is a self-hosted identity server for Matrix.",
 "spec": [
 {
 "question_name": "Enable ma1sd",
diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2
index f8d725da8..22b80303e 100755
--- a/roles/matrix-awx/surveys/configure_synapse.json.j2
+++ b/roles/matrix-awx/surveys/configure_synapse.json.j2
@@ -1,6 +1,6 @@
 {
 "name": "Configure Synapse",
- "description": "",
+ "description": "Configure Synapse settings. Synapse is the homeserver software that powers your Matrix instance.",
 "spec": [
 {
 "question_name": "Enable Public Registration",
diff --git a/roles/matrix-awx/tasks/customise_website_access_export.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml
index 580d8bc9b..b7e27e9df 100755
--- a/roles/matrix-awx/tasks/customise_website_access_export.yml
+++ b/roles/matrix-awx/tasks/customise_website_access_export.yml
@@ -8,7 +8,7 @@
 insertafter: '# Base Domain Settings Start'
 with_dict:
 'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'
- when: customise_base_domain_website|bool == false
+ when: (customise_base_domain_website is defined) and not customise_base_domain_website|bool
 - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain
 delegate_to: 127.0.0.1
@@ -19,7 +19,19 @@
 insertafter: '# Base Domain Settings Start'
 with_dict:
 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
- when: customise_base_domain_website|bool == true
+ when: (customise_base_domain_website is defined) and customise_base_domain_website|bool
+
+- name: Record custom 'Customise Website + Access Export' variables locally on AWX
+ delegate_to: 127.0.0.1
+ lineinfile:
+ path: '{{ awx_cached_matrix_vars }}'
+ regexp: "^#? *{{ item.key | regex_escape() }}:"
+ line: "{{ item.key }}: {{ item.value }}"
+ insertafter: '# Custom Settings Start'
+ with_dict:
+ 'sftp_auth_method': '"{{ sftp_auth_method }}"'
+ 'sftp_password': '"{{ sftp_password }}"'
+ 'sftp_public_key': '"{{ sftp_public_key }}"'
 - name: Record custom 'Customise Website + Access Export' variables locally on AWX
 delegate_to: 127.0.0.1
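Review bot: The new 'Record custom ...' task writes `sftp_password` through a `with_dict` loop without `no_log`, so every loop item, plaintext password included, is printed in the job output; add `no_log: true` to the task, as the `include_vars` task further down already does. The moved quoting `'"{{ sftp_password }}"'` also produces a broken YAML line whenever the password itself contains a double quote; `'{{ sftp_password | to_json }}'` quotes and escapes the value correctly and can be applied to the other two items as well. The task additionally reuses the exact name of the task that follows it, so the two cannot be told apart in logs; `- name: Record 'Access Export' SFTP variables locally on AWX` would distinguish them.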
@@ -30,28 +42,40 @@
 insertafter: '# Custom Settings Start'
 with_dict:
 'customise_base_domain_website': '{{ customise_base_domain_website }}'
- 'sftp_auth_method': '"{{ sftp_auth_method }}"'
- 'sftp_password': '"{{ sftp_password }}"'
- 'sftp_public_key': '"{{ sftp_public_key }}"'
+ when: customise_base_domain_website is defined
 - name: Reload vars in matrix_vars.yml
 include_vars:
 file: '{{ awx_cached_matrix_vars }}'
 no_log: True
-# ^ Is this even needed?
-
 - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
 delegate_to: 127.0.0.1
 template:
 src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
 dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
+ when: customise_base_domain_website is defined
 - name: Copy new 'Customise Website + Access Export' survey.json to target machine
 copy:
 src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
 dest: '/matrix/awx/configure_website_access_export.json'
 mode: '0660'
+ when: customise_base_domain_website is defined
+
+- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
+ delegate_to: 127.0.0.1
+ template:
+ src: './roles/matrix-awx/surveys/access_export.json.j2'
+ dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'
+ when: customise_base_domain_website is undefined
+
+- name: Copy new 'Customise Website + Access Export' survey.json to target machine
+ copy:
+ src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'
+ dest: '/matrix/awx/access_export.json'
+ mode: '0660'
+ when: customise_base_domain_website is undefined
 - name: Collect AWX admin token the hard way!
 delegate_to: 127.0.0.1
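Review bot: The two tasks added at the end of the hunk render and copy `access_export.json` but keep the names "Save new 'Customise Website + Access Export' survey.json ..." and "Copy new 'Customise Website + Access Export' survey.json ...", so the website and no-website paths print identical task names and a reader of the job output cannot tell which branch ran. Name them after the survey they handle: `- name: Save new 'Access Export' survey.json to the AWX tower, template` and `- name: Copy new 'Access Export' survey.json to target machine`. The `is defined` / `is undefined` pair on the mutually exclusive tasks is otherwise consistent.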
@@ -60,7 +84,7 @@
 register: tower_token
 no_log: True
-- name: Recreate 'Customise Base Domain Export' job template
+- name: Recreate 'Configure Website + Access Export' job template
 delegate_to: 127.0.0.1
 awx.awx.tower_job_template:
 name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
@@ -80,6 +104,29 @@
 tower_host: "https://{{ tower_host }}"
 tower_oauthtoken: "{{ tower_token.stdout }}"
 validate_certs: yes
+ when: customise_base_domain_website is defined
+
+- name: Recreate 'Access Export' job template
+ delegate_to: 127.0.0.1
+ awx.awx.tower_job_template:
+ name: "{{ matrix_domain }} - 1 - Access Export"
+ description: "Access the services export."
+ extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+ job_type: run
+ job_tags: "start,setup-nginx-proxy"
+ inventory: "{{ member_id }}"
+ project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+ playbook: setup.yml
+ credential: "{{ member_id }} - AWX SSH Key"
+ survey_enabled: true
+ survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json') }}"
+ become_enabled: yes
+ state: present
+ verbosity: 1
+ tower_host: "https://{{ tower_host }}"
+ tower_oauthtoken: "{{ tower_token.stdout }}"
+ validate_certs: yes
+ when: customise_base_domain_website is undefined
 - name: Ensure group "sftp" exists
 group:
@@ -113,6 +160,7 @@
 name: sftp
 groups: matrix
 append: yes
+ when: customise_base_domain_website is defined
 - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)
 file:
@@ -129,6 +177,7 @@
 owner: matrix
 group: matrix
 mode: '0574'
+ when: customise_base_domain_website is defined
 - name: Ensure /chroot/export location exists
 file:
diff --git a/roles/matrix-awx/tasks/import_awx.yml b/roles/matrix-awx/tasks/import_awx.yml
index 0100a5d07..6017152fb 100644
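Review bot: The 'Recreate 'Access Export' job template' task duplicates the whole `awx.awx.tower_job_template` block of the 'Configure Website + Access Export' task that starts in the previous hunk, with only `name`, `description`, `survey_spec` and the `when` differing, so any later change to a shared field such as `job_tags`, `verbosity` or `validate_certs` has to be made twice and the two copies will drift. One task whose varying fields are chosen on the same condition, e.g. `name: "{{ matrix_domain }} - 1 - {{ 'Configure Website + Access Export' if customise_base_domain_website is defined else 'Access Export' }}"`, keeps a single copy of the shared parameters. `job_tags: "start,setup-nginx-proxy"` is presumably carried over from the website variant; if the access-only run does not touch the nginx proxy, that tag can be dropped from it.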
--- a/roles/matrix-awx/tasks/import_awx.yml
+++ b/roles/matrix-awx/tasks/import_awx.yml
@@ -16,8 +16,3 @@
 - name: Ensure correct ownership of /matrix/synapse
 shell: chown -R matrix:matrix /matrix/synapse
-- name: Fetch matrix_vars.yml file to AWX
- fetch:
- src: /matrix/awx/matrix_vars.yml
- dest: /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/
- flat: yes
diff --git a/roles/matrix-awx/tasks/purge_media_local.yml b/roles/matrix-awx/tasks/purge_media_local.yml
index 434c974bc..fcb4770ff 100644
--- a/roles/matrix-awx/tasks/purge_media_local.yml
+++ b/roles/matrix-awx/tasks/purge_media_local.yml
@@ -6,7 +6,12 @@
 - name: Purge local media to specific date
 shell: |
- curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout }}" 'https://matrix.{{ matrix_domain }}/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}'
+ curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}'
+ register: purge_command
+
+- name: Print output of purge command
+ debug:
+ msg: "{{ purge_command.stdout }}"
 - name: Pause for 5 seconds to let Synapse breathe
 pause:
diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml
index fba0a0009..77a8fecc4 100644
--- a/roles/matrix-awx/tasks/purge_media_main.yml
+++ b/roles/matrix-awx/tasks/purge_media_main.yml
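Review bot: The rewritten `curl` in purge_media_local.yml has no `--fail`, so a 4xx/5xx answer from the admin API (an expired janitor token, an empty `synapse_container_ip`) still exits 0 and the purge task is reported ok, with the error body only visible in the new debug output; `curl --fail -sS -X POST ...` makes the task fail on an HTTP error instead. The bearer token is also part of the `shell` command line, so it is visible in the host's process list while curl runs and in the registered result's `cmd` field, which the debug task does not print but verbose runs do; `no_log: true` on the purge task keeps it out of the job output. Both points apply equally to the identical command in purge_media_remote.yml below.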
@@ -21,6 +21,10 @@
 shell: |
 curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "https://matrix.{{ matrix_domain }}/_matrix/client/r0/login" | jq '.access_token'
 register: janitors_token
+
+- name: Collect the internal IP of the matrix-synapse container
+ shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
+ register: synapse_container_ip
 - name: Generate list of dates to purge to
 delegate_to: 127.0.0.1
diff --git a/roles/matrix-awx/tasks/purge_media_remote.yml b/roles/matrix-awx/tasks/purge_media_remote.yml
index 2a408eb96..ce0a1c96a 100644
--- a/roles/matrix-awx/tasks/purge_media_remote.yml
+++ b/roles/matrix-awx/tasks/purge_media_remote.yml
@@ -6,7 +6,12 @@
 - name: Purge local media to specific date
 shell: |
- curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout }}" 'https://matrix.{{ matrix_domain }}/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}'
+ curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}'
+ register: purge_command
+
+- name: Print output of purge command
+ debug:
+ msg: "{{ purge_command.stdout }}"
 - name: Pause for 5 seconds to let Synapse breathe
 pause:
diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml
index 2d5eb6192..53a4dbfc6 100644
--- a/roles/matrix-awx/tasks/set_variables_dimension.yml
+++ b/roles/matrix-awx/tasks/set_variables_dimension.yml
@@ -4,9 +4,11 @@
 file: '{{ awx_cached_matrix_vars }}'
 no_log: True
-- name: Install jq on remote machine
+- name: Install jq and curl on remote machine
 apt:
- name: jq
+ name:
+ - jq
+ - curl
 state: present
 - name: Collect access token of Dimension user
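Review bot: The new `docker inspect` task registers `synapse_container_ip` but nothing checks that `stdout` is non-empty, so when the container is not running or has no network the later `curl` calls target `:8008/...` (and with more than one network the `range` template would concatenate the addresses into one string); `failed_when: synapse_container_ip.rc != 0 or synapse_container_ip.stdout | length == 0` stops the run before the token is sent anywhere odd. The login in the context line above keeps `jq '.access_token'`, which is why purge_media_local.yml and purge_media_remote.yml now slice `janitors_token.stdout[1:-1]` to strip the quotes; `jq -r '.access_token'` returns the raw string, removes the slicing, and avoids turning a `null` from a failed login into the two-character "token" `ul` that the slice would silently produce.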
diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml
index 0ae0ed4d4..55f99101b 100644
--- a/roles/matrix-bridge-sms/defaults/main.yml
+++ b/roles/matrix-bridge-sms/defaults/main.yml
@@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true
-matrix_sms_bridge_version: 0.5.5
+matrix_sms_bridge_version: 0.5.7
 matrix_sms_bridge_docker_image: "{{ matrix_container_global_registry_prefix }}folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}"
 matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge"
diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml
index c14b5ecdf..8904c295a 100644
--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@@ -3,7 +3,7 @@
 matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
-matrix_client_element_version: v1.7.25
+matrix_client_element_version: v1.7.26
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml
index 568ccd23a..cf843d24b 100644
--- a/roles/matrix-common-after/tasks/awx_post.yml
+++ b/roles/matrix-common-after/tasks/awx_post.yml
@@ -35,3 +35,18 @@
 with_dict:
 'matrix_awx_dimension_user_created': 'true'
 when: not matrix_awx_dimension_user_created|bool
+
+- name: Ensure /chroot/website location has correct permissions
+ file:
+ path: /chroot/website
+ state: directory
+ owner: matrix
+ group: matrix
+ mode: '0574'
+ when: customise_base_domain_website is defined
+
+- name: Ensure errone ous /chroot/website/matrix-domain location doesn't exist
+ file:
+ path: /chroot/website/matrix-domain
+ state: absent
+ when: customise_base_domain_website is defined
diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml
index ea4786d85..624ab7d06 100644
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@@ -1,7 +1,9 @@
 matrix_coturn_enabled: true
 matrix_coturn_container_image_self_build: false
-matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git"
+matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
+matrix_coturn_container_image_self_build_repo_version: "upstream/{{ matrix_coturn_version }}"
+matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
 matrix_coturn_version: 4.5.2
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
diff --git a/roles/matrix-coturn/tasks/setup_install.yml b/roles/matrix-coturn/tasks/setup_install.yml
index 2f3664f18..24f038db6 100644
--- a/roles/matrix-coturn/tasks/setup_install.yml
+++ b/roles/matrix-coturn/tasks/setup_install.yml
@@ -30,7 +30,7 @@
 git:
 repo: "{{ matrix_coturn_container_image_self_build_repo }}"
 dest: "{{ matrix_coturn_docker_src_files_path }}"
- version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
+ version: "{{ matrix_coturn_container_image_self_build_repo_version }}"
 force: "yes"
 register: matrix_coturn_git_pull_results
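Review bot: The new 'Ensure /chroot/website location has correct permissions' task sets `mode: '0574'`, which gives the owner `matrix` only r-x while the group gets rwx and everyone else read; if that is deliberate (it appears to match the `mode: '0574'` already used in customise_website_access_export.yml, presumably so the sftp account writes through the group while the owning side stays read-only), a one-line comment such as `# 0574 on purpose: owner read-only, sftp group writes, world-readable for the webserver` would stop the next reader from "fixing" it to 0775. If it is a typo, `'0775'` or `'0750'` is the likely intent. The 'Ensure erroneous /chroot/website/matrix-domain location doesn't exist' task removes a directory tree with `state: absent`; a short comment naming the defect that created that path would make clear when this clean-up can be retired.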
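Review bot: `matrix_coturn_container_image_self_build_repo_version` is set to the git tag `upstream/{{ matrix_coturn_version }}`, and the build task in setup_install.yml checks it out with `force: "yes"` and no commit pin, so the self-built image tracks whatever that tag points to upstream rather than a fixed revision. Pinning a commit hash for the self-build path, or at least a comment stating that the upstream tag is trusted as-is, would make the supply-chain assumption explicit. The variable also references `matrix_coturn_version`, which is defined two lines further down; Ansible resolves this lazily, but placing the definition after `matrix_coturn_version` reads more naturally.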
@@ -40,7 +40,7 @@
 source: build
 force_source: "{{ matrix_coturn_git_pull_results.changed }}"
 build:
- dockerfile: Dockerfile
+ dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}"
 path: "{{ matrix_coturn_docker_src_files_path }}"
 pull: yes
 when: "matrix_coturn_container_image_self_build|bool"
diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml
index 958d8ed2c..60c9c7f23 100644
--- a/roles/matrix-grafana/defaults/main.yml
+++ b/roles/matrix-grafana/defaults/main.yml
@@ -3,7 +3,7 @@ matrix_grafana_enabled: false
-matrix_grafana_version: 7.5.4
+matrix_grafana_version: 7.5.5
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
@@ -50,5 +50,3 @@ matrix_grafana_systemd_wanted_services_list: []
 #
 # Takes an ":" or "" value (e.g. "127.0.0.1:3000"), or empty string to not expose.
 matrix_grafana_container_http_host_bind_port: ''
-
-
diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 6ba6a98af..3a6f943ac 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -1,5 +1,5 @@
 matrix_nginx_proxy_enabled: true
-matrix_nginx_proxy_version: 1.19.10-alpine
+matrix_nginx_proxy_version: 1.20.0-alpine
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
index 4a3a355d3..db111090c 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@@ -11,7 +11,7 @@ upstream generic_worker_upstream {
 # ensures that requests from the same client will always be passed
 # to the same server (except when this server is unavailable)
- ip_hash;
+ hash $http_x_forwarded_for;
 {% for worker in generic_workers %}
 {% if matrix_nginx_proxy_enabled %}
diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index d11a67355..a6b035c0b 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.32.2
-matrix_synapse_version_arm64: v1.32.2
+matrix_synapse_version: v1.33.1
+matrix_synapse_version_arm64: v1.33.1
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
index e951067af..df280dd54 100644
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
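Review bot: `hash $http_x_forwarded_for;` keys worker selection on a client-supplied header: when the proxy is reached directly the header is empty, so every such client hashes to the same worker, and a client that can set or vary `X-Forwarded-For` itself chooses, or defeats, its own stickiness. The comment above the line still promises that "requests from the same client will always be passed to the same server", which no longer holds in either case. Keying on both values, `hash $http_x_forwarded_for$remote_addr;`, keeps stickiness working without the header and still differentiates clients behind a front proxy where `$remote_addr` is constant, which is presumably the deployment this change targets. Longer term, `set_real_ip_from` for the trusted front proxy plus `real_ip_header X-Forwarded-For` would let the block key on a trusted client address again.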
@@ -1178,69 +1178,6 @@ turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }}
 #
 enable_registration: {{ matrix_synapse_enable_registration|to_json }}
-# Optional account validity configuration. This allows for accounts to be denied
-any request after a given period.
-#
-# Once this feature is enabled, Synapse will look for registered users without an
-expiration date at startup and will add one to every account it found using the
-current settings at that time.
-# This means that, if a validity period is set, and Synapse is restarted (it will
-then derive an expiration date from the current validity period), and some time
-after that the validity period changes and Synapse is restarted, the users'
-expiration dates won't be updated unless their account is manually renewed. This
-date will be randomly selected within a range [now + period - d ; now + period],
-where d is equal to 10% of the validity period.
-#
-account_validity:
- # The account validity feature is disabled by default. Uncomment the
- # following line to enable it.
- #
- #enabled: true
-
- # The period after which an account is valid after its registration. When
- # renewing the account, its validity period will be extended by this amount
- # of time. This parameter is required when using the account validity
- # feature.
- #
- #period: 6w
-
- # The amount of time before an account's expiry date at which Synapse will
- # send an email to the account's email address with a renewal link. By
- # default, no such emails are sent.
- #
- # If you enable this setting, you will also need to fill out the 'email' and
- # 'public_baseurl' configuration sections.
- #
- #renew_at: 1w
-
- # The subject of the email sent out with the renewal link. '%(app)s' can be
- # used as a placeholder for the 'app_name' parameter from the 'email'
- # section.
- #
- # Note that the placeholder must be written '%(app)s', including the
- # trailing 's'.
- #
- # If this is not set, a default value is used.
- #
- #renew_email_subject: "Renew your %(app)s account"
-
- # Directory in which Synapse will try to find templates for the HTML files to
- # serve to the user when trying to renew an account. If not set, default
- # templates from within the Synapse package will be used.
- #
- #template_dir: "res/templates"
-
- # File within 'template_dir' giving the HTML to be displayed to the user after
- # they successfully renewed their account. If not set, default text is used.
- #
- #account_renewed_html_path: "account_renewed.html"
-
- # File within 'template_dir' giving the HTML to be displayed when the user
- # tries to renew an account with an invalid renewal token. If not set,
- # default text is used.
- #
- #invalid_token_html_path: "invalid_token.html"
-
 # Time that a user's session remains valid for, after they log in.
 #
 # Note that this is not currently compatible with guest logins.
@@ -1445,13 +1382,97 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json
 #auto_join_rooms_for_guests: false
+## Account Validity ##
+
+# Optional account validity configuration. This allows for accounts to be denied
+any request after a given period.
+#
+# Once this feature is enabled, Synapse will look for registered users without an
+expiration date at startup and will add one to every account it found using the
+current settings at that time.
+# This means that, if a validity period is set, and Synapse is restarted (it will
+then derive an expiration date from the current validity period), and some time
+after that the validity period changes and Synapse is restarted, the users'
+expiration dates won't be updated unless their account is manually renewed. This
+date will be randomly selected within a range [now + period - d ; now + period],
+where d is equal to 10% of the validity period.
+#
+account_validity:
+ # The account validity feature is disabled by default. Uncomment the
+ # following line to enable it.
+ #
+ #enabled: true
+
+ # The period after which an account is valid after its registration. When
+ # renewing the account, its validity period will be extended by this amount
+ # of time. This parameter is required when using the account validity
+ # feature.
+ #
+ #period: 6w
+
+ # The amount of time before an account's expiry date at which Synapse will
+ # send an email to the account's email address with a renewal link. By
+ # default, no such emails are sent.
+ #
+ # If you enable this setting, you will also need to fill out the 'email' and
+ # 'public_baseurl' configuration sections.
+ #
+ #renew_at: 1w
+
+ # The subject of the email sent out with the renewal link. '%(app)s' can be
+ # used as a placeholder for the 'app_name' parameter from the 'email'
+ # section.
+ #
+ # Note that the placeholder must be written '%(app)s', including the
+ # trailing 's'.
+ #
+ # If this is not set, a default value is used.
+ #
+ #renew_email_subject: "Renew your %(app)s account"
+
+ # Directory in which Synapse will try to find templates for the HTML files to
+ # serve to the user when trying to renew an account. If not set, default
+ # templates from within the Synapse package will be used.
+ #
+ # The currently available templates are:
+ #
+ # * account_renewed.html: Displayed to the user after they have successfully
+ # renewed their account.
+ #
+ # * account_previously_renewed.html: Displayed to the user if they attempt to
+ # renew their account with a token that is valid, but that has already
+ # been used. In this case the account is not renewed again.
+ #
+ # * invalid_token.html: Displayed to the user when they try to renew an account
+ # with an unknown or invalid renewal token.
+ #
+ # See https://github.com/matrix-org/synapse/tree/master/synapse/res/templates for
+ # default template contents.
+ #
+ # The file name of some of these templates can be configured below for legacy
+ # reasons.
+ #
+ #template_dir: "res/templates"
+
+ # A custom file name for the 'account_renewed.html' template.
+ #
+ # If not set, the file is assumed to be named "account_renewed.html".
+ #
+ #account_renewed_html_path: "account_renewed.html"
+
+ # A custom file name for the 'invalid_token.html' template.
+ #
+ # If not set, the file is assumed to be named "invalid_token.html".
+ #
+ #invalid_token_html_path: "invalid_token.html"
+
+
 ## Metrics ###
 # Enable collection and rendering of performance metrics
 #
 enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }}
-
 # Enable sentry integration
 # NOTE: While attempts are made to ensure that the logs don't contain
 # any sensitive information, this cannot be guaranteed. By enabling
@@ -1892,7 +1913,7 @@ saml2_config:
 # sub-properties:
 #
 # module: The class name of a custom mapping module. Default is
-# 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
+# 'synapse.handlers.oidc.JinjaOidcMappingProvider'.
 # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
 # for information on implementing a custom mapping provider.
 #