diff --git a/CHANGELOG.md b/CHANGELOG.md index 16801d245..da757bb72 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,42 @@ +# 2019-07-04 + +## Synapse no longer logs to text files + +Following what the official Synapse Docker image is doing ([#5565](https://github.com/matrix-org/synapse/pull/5565)) and what we've been doing for mostly everything installed by this playbook, **Synapse no longer logs to text files** (`/matrix/synapse/run/homeserver.log*`). + +From now on, Synapse would only log to console, which goes to systemd's journald. +To see Synapse's logs, execute: `journalctl -fu matrix-synapse` + +Because of this, the following variables have become obsolete and were removed: + +- `matrix_synapse_max_log_file_size_mb` +- `matrix_synapse_max_log_files_count` + +To prevent confusion, it'd be better if you delete all old files manually after you've upgraded (`rm -f /matrix/synapse/run/homeserver.log*`). + +Because Synapse is incredibly chatty when it comes to logging (here's [one such issue](https://github.com/matrix-org/synapse/issues/4751) describing the problem), if you're running an ancient distribution (like CentOS 7.0), be advised that systemd's journald default logging restrictions may not be high enough to capture all log messages generated by Synapse. This is especially true if you've got a busy (Synapse) server. We advise that you manually add `RateLimitInterval=0` and `RateLimitBurst=0` under `[Storage]` in the `/etc/systemd/journald.conf` file, followed by restarting the logging service (`systemctl restart systemd-journald`). + + +# 2019-06-27 + +## (BC Break) Discord bridge configuration is now entirely managed by the playbook + +Until now, the `config.yaml` file for the [Discord bridge](docs/configuring-playbook-bridge-appservice-discord.md) was managed by the playbook, but the `registration.yaml` file was not. + +From now on, the playbook will keep both configuration files sync for you. 
+ +This means that if you were making manual changes to the `/matrix/appservice-discord/discord-registration.yaml` configuration file, those would be lost the next time you run the playbook. + +The bridge now stores configuration in a subdirectory (`/matrix/appservice-discord/config`). + +Likewise, data is now also stored in a subdirectory (`/matrix/appservice-discord/data`). When you run the playbook with an existing database file (`/matrix/appservice-discord/discord.db`), the playbook will stop the bridge and relocate the database file to the `./data` directory. There's no data-loss involved. You'll need to restart the bridge manually though (`--tags=start`). + +The main directory (`/matrix/appservice-discord`) may contain some leftover files (`user-store.db`, `room-store.db`, `config.yaml`, `discord-registration.yaml`, `invite_link`). These are no longer necessary and can be deleted manually. + +We're now following the default sample configuration for the Discord bridge. +If you need to override some values, define them in `matrix_appservice_discord_configuration_extension_yaml`. + + # 2019-06-24 ## (BC Break) WhatsApp bridge configuration is now entirely managed by the playbook @@ -15,6 +54,7 @@ Likewise, data is now also stored in a subdirectory (`/matrix/mautrix-whatsapp/d We're now following the default configuration for the WhatsApp bridge. + # 2019-06-20 ## (BC Break) IRC bridge configuration is now entirely managed by the playbook diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 967a75cf1..1db2aed66 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md 
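Review bot: in the 2019-07-04 entry, the instruction to add `RateLimitInterval=0` and `RateLimitBurst=0` "under `[Storage]`" points at a section that does not exist in `/etc/systemd/journald.conf`; that file has a single `[Journal]` section, so a reader who follows the text literally will create a new, ignored section and still lose Synapse log lines to rate limiting. Change it to `[Journal]` (the same wording is repeated in `docs/prerequisites.md`). Minor wording in the 2019-06-27 entry: "keep both configuration files sync for you" should read "in sync".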
@@ -19,8 +19,8 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" ``` 4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. -5. Retrieve Discord invitelink from the `{{ matrix_appservice_discord_base_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/invite_link`) +5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`) 6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended. -7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: discordapp.com/channels/guild_id/channel_id +7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: `discordapp.com/channels/guild_id/channel_id` Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md index 5d63cf264..5658b8a90 100644 --- a/docs/configuring-playbook-ldap-auth.md +++ b/docs/configuring-playbook-ldap-auth.md 
@@ -17,4 +17,13 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" matrix_synapse_ext_password_provider_ldap_bind_dn: "" matrix_synapse_ext_password_provider_ldap_bind_password: "" matrix_synapse_ext_password_provider_ldap_filter: "" -``` \ No newline at end of file +``` + + +## Authenticating only using a password provider + +If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it: + +```yaml +matrix_synapse_password_config_localdb_enabled: false +``` diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md index 6c3e41898..f35c0f49e 100644 --- a/docs/configuring-playbook-rest-auth.md +++ b/docs/configuring-playbook-rest-auth.md @@ -13,3 +13,12 @@ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: f matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false ``` + + +## Authenticating only using a password provider + +If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it: + +```yaml +matrix_synapse_password_config_localdb_enabled: false +``` diff --git a/docs/configuring-playbook-shared-secret-auth.md b/docs/configuring-playbook-shared-secret-auth.md index 26675f4c8..0ec60d2ea 100644 --- a/docs/configuring-playbook-shared-secret-auth.md +++ b/docs/configuring-playbook-shared-secret-auth.md 
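Review bot: the new "Authenticating only using a password provider" section (added identically to the LDAP, REST and shared-secret docs) should carry a warning next to `matrix_synapse_password_config_localdb_enabled: false`: once the local database is no longer consulted, any account whose only credential is a password stored in Synapse (including locally registered admin accounts) can no longer log in with it, so a misconfigured or unreachable provider locks the server out. Suggest advising users to confirm a provider-backed login succeeds before flipping the setting, and for the shared-secret provider to note that the shared secret then becomes the sole credential path and must be protected accordingly.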
@@ -9,4 +9,13 @@ If you decide that you'd like to let this playbook install it for you, you need ```yaml matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE -``` \ No newline at end of file +``` + + +## Authenticating only using a password provider + +If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it: + +```yaml +matrix_synapse_password_config_localdb_enabled: false +``` diff --git a/docs/prerequisites.md b/docs/prerequisites.md index b3d4cf047..a111e7bd0 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md 
@@ -2,6 +2,8 @@ - **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. + - for ancient distributions like **CentOS 7.0**, we recommend that you do a manual systemd-journald adjustment. Because the Synapse chat server is incredibly chatty when it comes to logging (here's [one such issue](https://github.com/matrix-org/synapse/issues/4751) describing the problem), be advised that systemd's journald default logging restrictions may not be high enough to capture all log messages generated by Synapse. This is especially true if you've got a busy (Synapse) server. We advise that you manually add `RateLimitInterval=0` and `RateLimitBurst=0` under `[Storage]` in the `/etc/systemd/journald.conf` file, followed by restarting the logging service (`systemctl restart systemd-journald`). + - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). - a `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates. *This can be ignored if you use your own SSL certificates.* diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 356f6cf1d..503a45beb 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
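Review bot: the journald advice in this prerequisites bullet names the wrong section: `RateLimitInterval=` and `RateLimitBurst=` belong under `[Journal]`, which is the only section in `/etc/systemd/journald.conf`; there is no `[Storage]` section, so the settings would be silently ignored. Also worth a parenthetical that on newer systemd the key is spelled `RateLimitIntervalSec=` (the old name is still accepted), since this bullet is aimed at CentOS 7 but the playbook also targets Debian 9+ and Ubuntu 16.04+.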
@@ -39,6 +39,9 @@ matrix_appservice_discord_enabled: false # matrix-appservice-discord's client-server port to the local host. matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}" +# If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. +matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}" + matrix_appservice_discord_systemd_required_services_list: | {{ ['docker.service'] @@ -46,6 +49,10 @@ matrix_appservice_discord_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) }} +matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}" + +matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}" + ###################################################################### # # /matrix-bridge-appservice-discord diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index a415d255e..61dc39bb6 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml 
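Review bot: the presence wiring is inverted. `matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}"` sets `disablePresence: true` exactly when the homeserver has presence enabled, and enables presence on the bridge when Synapse has it turned off, which is the opposite of what the comment above it intends. It should be `"{{ not matrix_synapse_use_presence }}"`. The derived `_appservice_token` / `_homeserver_token` values look fine: the salts `discord.as.token` and `discord.hs.token` are 16 characters of the crypt salt alphabet, and `to_uuid` gives distinct, non-reversible tokens per role while keeping them in the same key-derivation scheme the playbook already uses.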
@@ -7,11 +7,16 @@ matrix_appservice_discord_docker_image: "halfshot/matrix-appservice-discord:late matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}" matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" +matrix_appservice_discord_config_path: "{{ matrix_base_data_path }}/appservice-discord/config" +matrix_appservice_discord_data_path: "{{ matrix_base_data_path }}/appservice-discord/data" # Get your own keys at https://discordapp.com/developers/applications/me/create matrix_appservice_discord_client_id: '' matrix_appservice_discord_bot_token: '' +matrix_appservice_discord_appservice_token: '' +matrix_appservice_discord_homeserver_token: '' + # Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9005 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9005"), or empty string to not expose. 
@@ -26,109 +31,135 @@ matrix_appservice_discord_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-appservice-discord.service wants matrix_appservice_discord_systemd_wanted_services_list: [] +matrix_appservice_discord_appservice_url: 'http://matrix-appservice-discord:9005' + +matrix_appservice_discord_bridge_domain: "{{ matrix_domain }}" +# As of right now, the homeserver URL must be a public URL. See below. +matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}" +matrix_appservice_discord_bridge_disablePresence: false + matrix_appservice_discord_configuration_yaml: | - bridge: - domain: "{{ matrix_domain }}" - homeserverUrl: "{{ matrix_homeserver_url }}" - auth: - clientID: "{{matrix_appservice_discord_client_id}}" - botToken: "{{matrix_appservice_discord_bot_token}}" - database: - filename: "/data/discord.db" - userStorePath: "/data/user-store.db" - roomStorePath: "/data/room-store.db" + #jinja2: lstrip_blocks: "True" + bridge: + # Domain part of the bridge, e.g. matrix.org + domain: {{ matrix_appservice_discord_bridge_domain }} + # This should be your publically facing URL because Discord may use it to + # fetch media from the media store. + homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl }} + # Interval at which to process users in the 'presence queue'. If you have + # 5 users, one user will be processed every 500 milliseconds according to the + # value below. This has a minimum value of 250. + # WARNING: This has a high chance of spamming the homeserver with presence + # updates since it will send one each time somebody changes state or is online. + presenceInterval: 500 + # Disable setting presence for 'ghost users' which means Discord users on Matrix + # will not be shown as away or online. + disablePresence: {{ matrix_appservice_discord_bridge_disablePresence|to_json }} + # Disable sending typing notifications when somebody on Discord types. 
+ disableTypingNotifications: false + # Disable deleting messages on Discord if a message is redacted on Matrix. + disableDeletionForwarding: false + # Enable users to bridge rooms using !discord commands. See + # https://t2bot.io/discord for instructions. + enableSelfServiceBridging: false + # Disable sending of read receipts for Matrix events which have been + # successfully bridged to Discord. + disableReadReceipts: false + # Disable Join Leave echos from matrix + disableJoinLeaveNotifications: false + # Authentication configuration for the discord bot. + auth: + clientID: {{ matrix_appservice_discord_client_id }} + botToken: {{ matrix_appservice_discord_bot_token }} + logging: + # What level should the logger output to the console at. + console: "warn" #silly, verbose, info, http, warn, error, silent + lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format + # files: + # - file: "debug.log" + # disable: + # - "PresenceHandler" # Will not capture presence logging + # - file: "warn.log" # Will capture warnings + # level: "warn" + # - file: "botlogs.log" # Will capture logs from DiscordBot + # level: "info" + # enable: + # - "DiscordBot" + database: + # You may either use SQLite or Postgresql for the bridge database, which contains + # important mappings for events and user puppeting configurations. + # Use the filename option for SQLite, or connString for Postgresql. + # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite + # WARNING: You will almost certainly be fine with sqlite unless your bridge + # is in heavy demand and you suffer from IO slowness. + filename: "/data/discord.db" + # connString: "postgresql://user:password@localhost/database_name" + room: + # Set the default visibility of alias rooms, defaults to "public". + # One of: "public", "private" + defaultVisibility: "public" + channel: + # Pattern of the name given to bridged rooms. 
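Review bot: `clientID: {{ matrix_appservice_discord_client_id }}` and `botToken: {{ matrix_appservice_discord_bot_token }}` drop the quoting the old template had. Discord client IDs are long all-digit snowflakes, so `from_yaml` will parse the value as an integer and `to_nice_yaml` will re-emit it as one; the bridge then reads a numeric `clientID` rather than the string it expects, and an 18-digit value is above the range a JavaScript number represents exactly. Render both through the same filter used for `disablePresence`, i.e. `clientID: {{ matrix_appservice_discord_client_id|to_json }}` and `botToken: {{ matrix_appservice_discord_bot_token|to_json }}`, so the values stay strings regardless of their characters.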
+ # Can use :guild for the guild name and :name for the channel name. + namePattern: "[Discord] :guild :name" + # Changes made to rooms when a channel is deleted. + deleteOptions: + # Prefix the room name with a string. + #namePrefix: "[Deleted]" + # Prefix the room topic with a string. + #topicPrefix: "This room has been deleted" + # Disable people from talking in the room by raising the event PL to 50 + disableMessaging: false + # Remove the discord alias from the room. + unsetRoomAlias: true + # Remove the room from the directory. + unlistFromDirectory: true + # Set the room to be unavaliable for joining without an invite. + setInviteOnly: true + # Make all the discord users leave the room. + ghostsLeave: true + limits: + # Delay in milliseconds between discord users joining a room. + roomGhostJoinDelay: 6000 + # Delay in milliseconds before sending messages to discord to avoid echos. + # (Copies of a sent message may arrive from discord before we've + # fininished handling it, causing us to echo it back to the room) + discordSendDelay: 750 + ghosts: + # Pattern for the ghosts nick, available is :nick, :username, :tag and :id + nickPattern: ":nick" + # Pattern for the ghosts username, available is :username, :tag and :id + usernamePattern: ":username#:tag" matrix_appservice_discord_configuration_extension_yaml: | - # This is a sample of the config file showing all avaliable options. - # Where possible we have documented what they do, and all values are the - # default values. - # - #bridge: - # # Domain part of the bridge, e.g. matrix.org - # domain: "localhost" - # # This should be your publically facing URL because Discord may use it to - # # fetch media from the media store. - # homeserverUrl: "http://localhost:8008" - # # Interval at which to process users in the 'presence queue'. If you have - # # 5 users, one user will be processed every 500 milliseconds according to the - # # value below. This has a minimum value of 250. 
- # # WARNING: This has a high chance of spamming the homeserver with presence - # # updates since it will send one each time somebody changes state or is online. - # presenceInterval: 500 - # # Disable setting presence for 'ghost users' which means Discord users on Matrix - # # will not be shown as away or online. - # disablePresence: false - # # Disable sending typing notifications when somebody on Discord types. - # disableTypingNotifications: false - # # Disable deleting messages on Discord if a message is redacted on Matrix. - # disableDeletionForwarding: false - # # Enable users to bridge rooms using !discord commands. See - # # https://t2bot.io/discord for instructions. - # enableSelfServiceBridging: false - # # Disable sending of read receipts for Matrix events which have been - # # successfully bridged to Discord. - # disableReadReceipts: false - # Authentication configuration for the discord bot. - #auth: - # clientID: "12345" - # botToken: "foobar" - #logging: - # # What level should the logger output to the console at. - # console: "warn" #silly, verbose, info, http, warn, error, silent - # lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format - # files: - # - file: "debug.log" - # disable: - # - "PresenceHandler" # Will not capture presence logging - # - file: "warn.log" # Will capture warnings - # level: "warn" - # - file: "botlogs.log" # Will capture logs from DiscordBot - # level: "info" - # enable: - # - "DiscordBot" - #database: - # userStorePath: "user-store.db" - # roomStorePath: "room-store.db" - # # You may either use SQLite or Postgresql for the bridge database, which contains - # # important mappings for events and user puppeting configurations. - # # Use the filename option for SQLite, or connString for Postgresql. 
- # # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite - # # WARNING: You will almost certainly be fine with sqlite unless your bridge - # # is in heavy demand and you suffer from IO slowness. - # filename: "discord.db" - # # connString: "postgresql://user:password@localhost/database_name" - #room: - # # Set the default visibility of alias rooms, defaults to "public". - # # One of: "public", "private" - # defaultVisibility: "public" - #channel: - # # Pattern of the name given to bridged rooms. - # # Can use :guild for the guild name and :name for the channel name. - # namePattern: "[Discord] :guild :name" - # # Changes made to rooms when a channel is deleted. - # deleteOptions: - # # Prefix the room name with a string. - # #namePrefix: "[Deleted]" - # # Prefix the room topic with a string. - # #topicPrefix: "This room has been deleted" - # # Disable people from talking in the room by raising the event PL to 50 - # disableMessaging: false - # # Remove the discord alias from the room. - # unsetRoomAlias: true - # # Remove the room from the directory. - # unlistFromDirectory: true - # # Set the room to be unavaliable for joining without an invite. - # setInviteOnly: true - # # Make all the discord users leave the room. - # ghostsLeave: true - #limits: - # # Delay in milliseconds between discord users joining a room. - # roomGhostJoinDelay: 6000 - # # Delay in milliseconds before sending messages to discord to avoid echos. - # # (Copies of a sent message may arrive from discord before we've - # # fininished handling it, causing us to echo it back to the room) - # discordSendDelay: 750 + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_appservice_discord_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. 
+ # + # If you need something more special, you can take full control by + # completely redefining `matrix_appservice_discord_configuration_yaml`. matrix_appservice_discord_configuration_extension: "{{ matrix_appservice_discord_configuration_extension_yaml|from_yaml if matrix_appservice_discord_configuration_extension_yaml|from_yaml is mapping else {} }}" matrix_appservice_discord_configuration: "{{ matrix_appservice_discord_configuration_yaml|from_yaml|combine(matrix_appservice_discord_configuration_extension, recursive=True) }}" + +matrix_appservice_discord_registration_yaml: | + #jinja2: lstrip_blocks: "True" + id: appservice-discord + as_token: "{{ matrix_appservice_discord_appservice_token }}" + hs_token: "{{ matrix_appservice_discord_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@_discord_.*' + aliases: + - exclusive: true + regex: '^#_discord_.*' + url: {{ matrix_appservice_discord_appservice_url }} + sender_localpart: _discord_bot + rate_limited: false + protocols: + - discord + +matrix_appservice_discord_registration: "{{ matrix_appservice_discord_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-appservice-discord/tasks/init.yml b/roles/matrix-bridge-appservice-discord/tasks/init.yml index 7370b0bde..1d31bc84d 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/init.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/init.yml @@ -1,3 +1,11 @@ +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-appservice-discord role needs to execute before the matrix-synapse role. + when: "matrix_appservice_discord_enabled and matrix_synapse_role_executed|default(False)" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord'] }}" when: matrix_appservice_discord_enabled|bool 
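Review bot: the generated registration changes the bridge bot's identity on existing installs without saying so. `sender_localpart: _discord_bot` replaces the `-l discord_bot` the old `discordas.js -r` invocation used (removed in `setup_install.yml`), so after upgrading the bot is `@_discord_bot:domain` while every already-bridged room still has `@discord_bot:domain` in it. Either keep `discord_bot` for compatibility or add this to the (BC Break) changelog entry alongside the config relocation. The `exclusive: true` namespaces over `^@_discord_.*` and `^#_discord_.*` are correct and do cover the new localpart, which is the right choice for an appservice that puppets users.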
@@ -7,7 +15,7 @@ matrix_synapse_container_extra_arguments: > {{ matrix_synapse_container_extra_arguments|default([]) }} + - {{ ["--mount type=bind,src={{ matrix_appservice_discord_base_path }}/discord-registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"] }} + {{ ["--mount type=bind,src={{ matrix_appservice_discord_config_path }}/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"] }} matrix_synapse_app_service_config_files: > {{ matrix_synapse_app_service_config_files|default([]) }} diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index 3dc168391..384c1f3b7 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - fail: - msg: >- - The matrix-bridge-appservice-discord role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed|default(False)" - - name: Ensure Appservice Discord image is pulled docker_image: name: "{{ matrix_appservice_discord_docker_image }}" 
@@ -15,22 +7,66 @@ force_source: "{{ matrix_appservice_discord_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_discord_docker_image_force_pull }}" -- name: Ensure Appservice Discord base directory exists +- name: Ensure AppService Discord paths exist file: - path: "{{ matrix_appservice_discord_base_path }}" + path: "{{ item }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_appservice_discord_base_path }}" + - "{{ matrix_appservice_discord_config_path }}" + - "{{ matrix_appservice_discord_data_path }}" -- name: Ensure Matrix Appservice Discord config installed +- name: Check if an old database file already exists + stat: + path: "{{ matrix_appservice_discord_base_path }}/discord.db" + register: matrix_appservice_discord_stat_db + +- name: (Data relocation) Ensure matrix-appservice-discord.service is stopped + service: + name: matrix-appservice-discord + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_appservice_discord_stat_db.stat.exists" + +# In addition to this, there used to be some `user-store-db` and `room-store.db` files. +# They're no longer in use, so we're not relocating them in an effort to point them out as neither `./data`, nor `./config`. 
+- name: (Data relocation) Move AppService Discord discord.db file to ./data directory + command: "mv {{ matrix_appservice_discord_base_path }}/discord.db {{ matrix_appservice_discord_data_path }}/discord.db" + when: "matrix_appservice_discord_stat_db.stat.exists" + +- name: Ensure AppService Discord config.yaml installed copy: content: "{{ matrix_appservice_discord_configuration|to_nice_yaml }}" - dest: "{{ matrix_appservice_discord_base_path }}/config.yaml" + dest: "{{ matrix_appservice_discord_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" +- name: Ensure AppService Discord registration.yaml installed + copy: + content: "{{ matrix_appservice_discord_registration|to_nice_yaml }}" + dest: "{{ matrix_appservice_discord_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +# If `matrix_appservice_discord_client_id` hasn't changed, the same invite link would be generated. +# We intentionally suppress Ansible changes. +- name: Generate AppService Discord invite link + shell: >- + /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + -v {{ matrix_appservice_discord_config_path }}:/cfg + -w /cfg + {{ matrix_appservice_discord_docker_image }} + /bin/sh -c "node /build/tools/addbot.js > /cfg/invite_link" + changed_when: false + - name: Ensure matrix-appservice-discord.service installed template: src: "{{ role_path }}/templates/systemd/matrix-appservice-discord.service.j2" 
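Review bot: `registration.yaml` is written with `mode: 0644` although it carries the `as_token` and `hs_token` that let anyone holding them act as the appservice against Synapse, and `config.yaml` (same mode) carries the Discord `botToken`; the 0750 directory limits exposure to members of the matrix group, but these files should be `0640` like other secret-bearing files rather than world-readable. Two smaller points in the same hunk: the "(Data relocation)" `mv` will silently overwrite an existing `{{ matrix_appservice_discord_data_path }}/discord.db` if a previous run already relocated and the old file reappears, so guard it with a `stat` of the destination (or `creates:`); and the invite-link container mounts the config directory without the `:z` label the removed registration-generation step used, which will fail on an SELinux-enforcing CentOS host that the prerequisites explicitly support.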
@@ -42,39 +78,3 @@ service: daemon_reload: yes when: "matrix_appservice_discord_systemd_service_result.changed" - -- name: Check if a matrix-appservice-discord registration file exists - stat: - path: "{{ matrix_appservice_discord_base_path }}/discord-registration.yaml" - register: appservice_discord_registration_file - -- name: Generate matrix-appservice-discord discord-registration.yaml if it doesn't exist - shell: >- - /usr/bin/docker run --rm --name matrix-appservice-discord-gen - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - -v {{ matrix_appservice_discord_base_path }}:/data:z - {{ matrix_appservice_discord_docker_image }} - node build/src/discordas.js - -r - -u "http://matrix-appservice-discord:9005" - -c /data/config.yaml - -f /data/discord-registration.yaml - -l discord_bot - when: "not appservice_discord_registration_file.stat.exists" - -- name: Check if a matrix-appservice-discord invite_link file exists - stat: - path: "{{ matrix_appservice_discord_base_path }}/invite_link" - register: appservice_discord_link_generated - -- name: Generate your discord invite link - shell: >- - /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - -v {{ matrix_appservice_discord_base_path }}:/data - -w /data - {{ matrix_appservice_discord_docker_image }} - /bin/sh -c "node .././build/tools/addbot.js > invite_link" - when: "not appservice_discord_link_generated.stat.exists" diff --git a/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml b/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml index fc321237a..46612ba53 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml 
@@ -8,6 +8,8 @@ with_items: - "matrix_appservice_discord_client_id" - "matrix_appservice_discord_bot_token" + - "matrix_appservice_discord_appservice_token" + - "matrix_appservice_discord_homeserver_token" - name: (Deprecation) Catch and report renamed appservice-discord variables fail: diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index f82c12848..9b0ac514f 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -25,11 +25,13 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \ {% if matrix_appservice_discord_container_http_host_bind_port %} -p {{ matrix_appservice_discord_container_http_host_bind_port }}:9005 \ {% endif %} - -v {{ matrix_appservice_discord_base_path }}:/data \ + -v {{ matrix_appservice_discord_config_path }}:/cfg \ + -v {{ matrix_appservice_discord_data_path }}:/data \ {% for arg in matrix_appservice_discord_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_appservice_discord_docker_image }} + {{ matrix_appservice_discord_docker_image }} \ + node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml ExecStop=-/usr/bin/docker kill matrix-appservice-discord ExecStop=-/usr/bin/docker rm matrix-appservice-discord diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index a4601a607..059b9d36b 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml 
@@ -36,7 +36,7 @@ command: "mv {{ matrix_appservice_irc_base_path }}/passkey.pem {{ matrix_appservice_irc_data_path }}/passkey.pem" when: "matrix_appservice_irc_stat_passkey.stat.exists" -- name: (Data relocation) Move AppService database files to ./data directory +- name: (Data relocation) Move AppService IRC database files to ./data directory command: "mv {{ matrix_appservice_irc_base_path }}/{{ item }} {{ matrix_appservice_irc_data_path }}/{{ item }}" with_items: - rooms.db diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index b518e94b3..1b5b79643 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.17.0-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.17.1-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 50301d5b0..08a3e78f9 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -3,7 +3,7 @@ matrix_synapse_enabled: true -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.0.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.1.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" 
@@ -49,7 +49,7 @@ matrix_synapse_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-synapse.service wants matrix_synapse_systemd_wanted_services_list: [] -matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages" +matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.7/site-packages" # Specifies which template files to use when configuring Synapse. # If you'd like to have your own different configuration, feel free to copy and paste @@ -69,8 +69,6 @@ matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_public }}" matrix_synapse_max_upload_size_mb: 10 -matrix_synapse_max_log_file_size_mb: 100 -matrix_synapse_max_log_files_count: 10 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}" @@ -147,6 +145,11 @@ matrix_synapse_autocreate_auto_join_rooms: true # Controls password-peppering for Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" +# Controls if Synapse allows people to authenticate against its local database. +# It may be useful to disable this if you've configured additional password providers +# and only wish authentication to happen through them. +matrix_synapse_password_config_localdb_enabled: true + # Controls the number of events that Synapse caches in memory. matrix_synapse_event_cache_size: "100K" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 43ae99b6e..8100a1bb1 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 
@@ -14,29 +14,6 @@ server_name: "{{ matrix_domain }}" # pid_file: /homeserver.pid -# CPU affinity mask. Setting this restricts the CPUs on which the -# process will be scheduled. It is represented as a bitmask, with the -# lowest order bit corresponding to the first logical CPU and the -# highest order bit corresponding to the last logical CPU. Not all CPUs -# may exist on a given system but a mask may specify more CPUs than are -# present. -# -# For example: -# 0x00000001 is processor #0, -# 0x00000003 is processors #0 and #1, -# 0xFFFFFFFF is all processors (#0 through #31). -# -# Pinning a Python process to a single CPU is desirable, because Python -# is inherently single-threaded due to the GIL, and can suffer a -# 30-40% slowdown due to cache blow-out and thread context switching -# if the scheduler happens to schedule the underlying threads across -# different cores. See -# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/. -# -# This setting requires the affinity package to be installed! -# -#cpu_affinity: 0xFFFFFFFF - # The path to the web client which will be served at /_matrix/client/ # if 'webclient' is configured under the 'listeners' configuration. # 
@@ -68,11 +45,15 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # #require_auth_for_profile_requests: true -# If set to 'true', requires authentication to access the server's -# public rooms directory through the client API, and forbids any other -# homeserver to fetch it via federation. Defaults to 'false'. +# If set to 'false', requires authentication to access the server's public rooms +# directory through the client API. Defaults to 'true'. # -#restrict_public_rooms_to_local_users: true +#allow_public_rooms_without_auth: false + +# If set to 'false', forbids any other homeserver to fetch the server's public +# rooms directory via federation. Defaults to 'true'. +# +#allow_public_rooms_over_federation: false # The default room version for newly created rooms. # @@ -338,6 +319,15 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} # #federation_verify_certificates: false +# The minimum TLS version that will be used for outbound federation requests. +# +# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note +# that setting this value higher than `1.2` will prevent federation to most +# of the public Matrix network: only configure it to `1.3` if you have an +# entirely private federation setup and you can ensure TLS 1.3 support. +# +#federation_client_minimum_tls_version: 1.2 + # Skip federation certificate verification on the following whitelist # of domains. # @@ -427,6 +417,13 @@ acme: # #domain: matrix.example.com + # file to use for the account key. This will be generated if it doesn't + # exist. + # + # If unspecified, we will use CONFDIR/client.key. + # + account_key_file: /data/acme_account.key + # List of allowed TLS fingerprints for this server to publish along # with the signing keys for this server. Other matrix servers that # make HTTPS requests to this server will check that the TLS 
@@ -696,7 +693,7 @@ url_preview_ip_range_blacklist: # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' # The largest allowed URL preview spidering size in bytes - +# max_spider_size: 10M @@ -1020,6 +1017,12 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" # so it is not normally necessary to specify them unless you need to # override them. # +# Once SAML support is enabled, a metadata file will be exposed at +# https://:/_matrix/saml2/metadata.xml, which you may be able to +# use to configure your SAML IdP with. Alternatively, you can manually configure +# the IdP to use an ACS location of +# https://:/_matrix/saml2/authn_response. +# #saml2_config: # sp_config: # # point this to the IdP's metadata. You can use either a local file or @@ -1029,7 +1032,15 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" # remote: # - url: https://our_idp/metadata.xml # -# # The rest of sp_config is just used to generate our metadata xml, and you +# # By default, the user has to go to our login page first. If you'd like to +# # allow IdP-initiated login, set 'allow_unsolicited: True' in a +# # 'service.sp' section: +# # +# #service: +# # sp: +# # allow_unsolicited: True +# +# # The examples below are just used to generate our metadata xml, and you # # may well not need it, depending on your setup. Alternatively you # # may need a whole lot more detail - see the pysaml2 docs! # @@ -1052,6 +1063,12 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" # # separate pysaml2 configuration file: # # # config_path: "/data/sp_conf.py" +# +# # the lifetime of a SAML session. This defines how long a user has to +# # complete the authentication process, if allow_unsolicited is unset. +# # The default is 5 minutes. +# # +# # saml_session_lifetime: 5m 
@@ -1078,6 +1095,12 @@ password_config: # #enabled: false + # Uncomment to disable authentication against the local password + # database. This is ignored if `enabled` is false, and is only useful + # if you have other password_providers. + # + localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }} + # Uncomment and change to a secret random string for extra security. # DO NOT CHANGE THIS AFTER INITIAL SETUP! # @@ -1102,11 +1125,13 @@ password_config: # app_name: Matrix # # # Enable email notifications by default +# # # notif_for_new_users: True # # # Defining a custom URL for Riot is only needed if email notifications # # should contain links to a self-hosted installation of Riot; when set # # the "app_name" setting is ignored +# # # riot_base_url: "http://localhost/riot" # # # Enable sending password reset emails via the configured, trusted @@ -1119,16 +1144,22 @@ password_config: # # # # If this option is set to false and SMTP options have not been # # configured, resetting user passwords via email will be disabled +# # # #trust_identity_server_for_password_resets: false # # # Configure the time that a validation email or text message code # # will expire after sending # # # # This is currently used for password resets +# # # #validation_token_lifetime: 1h # # # Template directory. All template files should be stored within this -# # directory +# # directory. If not set, default templates from within the Synapse +# # package will be used +# # +# # For the list of default templates, please see +# # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates # # # #template_dir: res/templates # @@ -1325,6 +1356,7 @@ push: # + # Local statistics collection. Used in populating the room directory. # # 'bucket_size' controls how large each statistics timeslice is. It can 
@@ -1429,3 +1461,16 @@ alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} # action: allow room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }} + + +# Server admins can define a Python module that implements extra rules for +# allowing or denying incoming events. In order to work, this module needs to +# override the methods defined in synapse/events/third_party_rules.py. +# +# This feature is designed to be used in closed federations only, where each +# participating server enforces the same rules. +# +#third_party_event_rules: +# module: "my_custom_project.SuperRulesSet" +# config: +# example_option: 'things' diff --git a/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 b/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 index 732c4c1de..09f07a2ea 100644 --- a/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 +++ b/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 @@ -12,14 +12,6 @@ filters: request: "" handlers: - file: - class: logging.handlers.RotatingFileHandler - formatter: precise - filename: /matrix-run/homeserver.log - maxBytes: {{ matrix_synapse_max_log_file_size_mb * 1024 * 1024 }} - backupCount: {{ matrix_synapse_max_log_files_count }} - filters: [context] - encoding: utf8 console: class: logging.StreamHandler formatter: precise @@ -41,4 +33,4 @@ loggers: root: level: {{ matrix_synapse_root_log_level }} - handlers: [file, console] + handlers: [console]
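Review bot: in the first hunk (`roles/matrix-bridge-appservice-discord/tasks` validation loop), the two new required variables `matrix_appservice_discord_appservice_token` and `matrix_appservice_discord_homeserver_token` are the credentials that authenticate the bridge to Synapse and Synapse to the bridge, and now that the playbook renders `registration.yaml` itself they are the only source of those values. If the loop only fails on undefined values, a copied placeholder or an identical string for both will pass validation; consider checking that the two values differ and have a minimum length, and point the bridge docs at a way to generate them (for example `pwgen -s 64 1`).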
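Review bot: in the `matrix-appservice-discord.service.j2` hunk, the new `-v {{ matrix_appservice_discord_config_path }}:/cfg \` mount carries `registration.yaml` with the appservice and homeserver tokens, and the process is started read-only against it (`-c /cfg/config.yaml -f /cfg/registration.yaml`), so the mount can be `:ro` to keep a compromised bridge process from rewriting its own config or registration. Separately, the explicit command `node /build/src/discordas.js -p 9005 ...` hard-codes the image's internal layout and port; a comment noting that this must track the upstream image (and why the default entrypoint is no longer used) would save the next person a debugging session when the image changes.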
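Review bot: in the `roles/matrix-synapse/defaults/main.yml` hunk at `@@ -49,7`, `matrix_synapse_in_container_python_packages_path` is bumped to `/usr/local/lib/python3.7/site-packages` in lockstep with the image tag moving to `matrixdotorg/synapse:v1.1.0`, but nothing ties the two together. A user who pins `matrix_synapse_docker_image` to an older tag keeps the 3.6 layout and this path silently points at a directory that does not exist. Suggest a comment on the variable stating that it must match the Python version shipped in `matrix_synapse_docker_image`, and a line in the changelog for people who override the image.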
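Review bot: in the `roles/matrix-synapse/defaults/main.yml` hunk at `@@ -69,8`, `matrix_synapse_max_log_file_size_mb` and `matrix_synapse_max_log_files_count` are deleted outright, so an inventory that still sets them is silently ignored rather than failing. This patch already uses the pattern `- name: (Deprecation) Catch and report renamed appservice-discord variables` for the Discord role; the same kind of task for these two Synapse variables would tell operators that log rotation is no longer configured here and that the old `homeserver.log*` files need manual cleanup.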
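Review bot: in the `homeserver.yaml.j2` hunk at `@@ -68,11`, the removed `#restrict_public_rooms_to_local_users: true` is replaced by two options with inverted sense, `#allow_public_rooms_without_auth: false` and `#allow_public_rooms_over_federation: false`, both defaulting to `true` per their comments. Anyone who had enabled the old option through the configuration extension to keep their room directory private will, after this upgrade, have the old key ignored and the directory exposed both to unauthenticated clients and over federation. This deserves a changelog entry telling such users to set both new options to `false`.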
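Review bot: in the `homeserver.yaml.j2` hunk at `@@ -427,6`, `account_key_file: /data/acme_account.key` is the one addition in this file that is not commented out, so it changes behaviour: the ACME account private key is now written to an explicit path under the persisted data mount instead of `CONFDIR/client.key`. Persisting it is the right call (the account survives container recreation), but the commit message or changelog should say so, and it is worth confirming that the file is created with owner-only permissions under the directory the Synapse user owns, since it is a private key.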
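Review bot: in the `homeserver.yaml.j2` SAML hunk at `@@ -1029,7`, the imported comment advertises `allow_unsolicited: True` for IdP-initiated login without its trade-off, while the later addition notes that `saml_session_lifetime` only bounds the login flow "if allow_unsolicited is unset". An unsolicited response is not tied to an authentication request the server issued, so that time bound no longer applies to it. Since this is template commentary the playbook ships to every operator, a one-line caveat recommending it stay off unless the IdP requires it would be appropriate.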
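Review bot: in the `password_config` hunk at `@@ -1078,6`, the comment `# Uncomment to disable authentication against the local password` is stale: the line below it, `localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }}`, is always rendered, so there is nothing to uncomment and the setting is controlled from the playbook variable. Suggest rewording it to point at `matrix_synapse_password_config_localdb_enabled`, and stating in the variable's comment in `defaults/main.yml` that setting it to `false` without any `password_providers` configured disables password login for every account, including the admin, which is a lockout rather than a hardening.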
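Review bot: in the `synapse.log.config.j2` hunk, the removed `file` handler carried `filters: [context]` and `encoding: utf8`, and the root logger is reduced to `handlers: [console]`; the visible part of the `console` handler only shows `class: logging.StreamHandler` and `formatter: precise`. Please confirm the console handler also applies the `context` filter, otherwise the request-context fields the `precise` formatter expects disappear from what now reaches journald. With journald as the only sink, its default rate limiting can also drop lines on a busy server, so the changelog advice about `RateLimitInterval` and `RateLimitBurst` should be referenced from the role's docs, not only the changelog.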