Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy

roles/matrix-bridge-appservice-discord/defaults/main.yml

@@ -7,11 +7,16 @@ matrix_appservice_discord_docker_image: "halfshot/matrix-appservice-discord:late
 matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}"
 
 matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord"
+matrix_appservice_discord_config_path: "{{ matrix_base_data_path }}/appservice-discord/config"
+matrix_appservice_discord_data_path: "{{ matrix_base_data_path }}/appservice-discord/data"
 
 # Get your own keys at https://discordapp.com/developers/applications/me/create
 matrix_appservice_discord_client_id: ''
 matrix_appservice_discord_bot_token: ''
 
+matrix_appservice_discord_appservice_token: ''
+matrix_appservice_discord_homeserver_token: ''
+
 # Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9005 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9005"), or empty string to not expose.
@@ -26,109 +31,135 @@ matrix_appservice_discord_systemd_required_services_list: ['docker.service']
 # List of systemd services that matrix-appservice-discord.service wants
 matrix_appservice_discord_systemd_wanted_services_list: []
 
+matrix_appservice_discord_appservice_url: 'http://matrix-appservice-discord:9005'
+
+matrix_appservice_discord_bridge_domain: "{{ matrix_domain }}"
+# As of right now, the homeserver URL must be a public URL. See below.
+matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}"
+matrix_appservice_discord_bridge_disablePresence: false
+
 matrix_appservice_discord_configuration_yaml: |
-    bridge:
-        domain: "{{ matrix_domain }}"
-        homeserverUrl: "{{ matrix_homeserver_url }}"
-    auth:
-        clientID: "{{matrix_appservice_discord_client_id}}"
-        botToken: "{{matrix_appservice_discord_bot_token}}"
-    database:
-        filename: "/data/discord.db"
-        userStorePath: "/data/user-store.db"
-        roomStorePath: "/data/room-store.db"
+  #jinja2: lstrip_blocks: "True"
+  bridge:
+    # Domain part of the bridge, e.g. matrix.org
+    domain: {{ matrix_appservice_discord_bridge_domain }}
+    # This should be your publically facing URL because Discord may use it to
+    # fetch media from the media store.
+    homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl }}
+    # Interval at which to process users in the 'presence queue'. If you have
+    # 5 users, one user will be processed every 500 milliseconds according to the
+    # value below. This has a minimum value of 250.
+    # WARNING: This has a high chance of spamming the homeserver with presence
+    # updates since it will send one each time somebody changes state or is online.
+    presenceInterval: 500
+    # Disable setting presence for 'ghost users' which means Discord users on Matrix
+    # will not be shown as away or online.
+    disablePresence: {{ matrix_appservice_discord_bridge_disablePresence|to_json }}
+    # Disable sending typing notifications when somebody on Discord types.
+    disableTypingNotifications: false
+    # Disable deleting messages on Discord if a message is redacted on Matrix.
+    disableDeletionForwarding: false
+    # Enable users to bridge rooms using !discord commands. See
+    # https://t2bot.io/discord for instructions.
+    enableSelfServiceBridging: false
+    # Disable sending of read receipts for Matrix events which have been
+    # successfully bridged to Discord.
+    disableReadReceipts: false
+    # Disable Join Leave echos from matrix
+    disableJoinLeaveNotifications: false
+  # Authentication configuration for the discord bot.
+  auth:
+    clientID: {{ matrix_appservice_discord_client_id }}
+    botToken: {{ matrix_appservice_discord_bot_token }}
+  logging:
+    # What level should the logger output to the console at.
+    console: "warn" #silly, verbose, info, http, warn, error, silent
+    lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format
+    # files:
+    #   - file: "debug.log"
+    #     disable:
+    #       - "PresenceHandler" # Will not capture presence logging
+    #   - file: "warn.log" # Will capture warnings
+    #     level: "warn"
+    #   - file: "botlogs.log" # Will capture logs from DiscordBot
+    #     level: "info"
+    #     enable:
+    #       - "DiscordBot"
+  database:
+    # You may either use SQLite or Postgresql for the bridge database, which contains
+    # important mappings for events and user puppeting configurations.
+    # Use the filename option for SQLite, or connString for Postgresql.
+    # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite
+    # WARNING: You will almost certainly be fine with sqlite unless your bridge
+    # is in heavy demand and you suffer from IO slowness.
+    filename: "/data/discord.db"
+    # connString: "postgresql://user:password@localhost/database_name"
+  room:
+    # Set the default visibility of alias rooms, defaults to "public".
+    # One of: "public", "private"
+    defaultVisibility: "public"
+  channel:
+      # Pattern of the name given to bridged rooms.
+      # Can use :guild for the guild name and :name for the channel name.
+      namePattern: "[Discord] :guild :name"
+      # Changes made to rooms when a channel is deleted.
+      deleteOptions:
+        # Prefix the room name with a string.
+        #namePrefix: "[Deleted]"
+        # Prefix the room topic with a string.
+        #topicPrefix: "This room has been deleted"
+        # Disable people from talking in the room by raising the event PL to 50
+        disableMessaging: false
+        # Remove the discord alias from the room.
+        unsetRoomAlias: true
+        # Remove the room from the directory.
+        unlistFromDirectory: true
+        # Set the room to be unavaliable for joining without an invite.
+        setInviteOnly: true
+        # Make all the discord users leave the room.
+        ghostsLeave: true
+  limits:
+      # Delay in milliseconds between discord users joining a room.
+      roomGhostJoinDelay: 6000
+      # Delay in milliseconds before sending messages to discord to avoid echos.
+      # (Copies of a sent message may arrive from discord before we've
+      # fininished handling it, causing us to echo it back to the room)
+      discordSendDelay: 750
+  ghosts:
+      # Pattern for the ghosts nick, available is :nick, :username, :tag and :id
+      nickPattern: ":nick"
+      # Pattern for the ghosts username, available is :username, :tag and :id
+      usernamePattern: ":username#:tag"
 
 matrix_appservice_discord_configuration_extension_yaml: |
-    # This is a sample of the config file showing all avaliable options.
-    # Where possible we have documented what they do, and all values are the
-    # default values.
-    #
-    #bridge:
-    #  # Domain part of the bridge, e.g. matrix.org
-    #  domain: "localhost"
-    #  # This should be your publically facing URL because Discord may use it to
-    #  # fetch media from the media store.
-    #  homeserverUrl: "http://localhost:8008"
-    #  # Interval at which to process users in the 'presence queue'. If you have
-    #  # 5 users, one user will be processed every 500 milliseconds according to the
-    #  # value below. This has a minimum value of 250.
-    #  # WARNING: This has a high chance of spamming the homeserver with presence
-    #  # updates since it will send one each time somebody changes state or is online.
-    #  presenceInterval: 500
-    #  # Disable setting presence for 'ghost users' which means Discord users on Matrix
-    #  # will not be shown as away or online.
-    #  disablePresence: false
-    #  # Disable sending typing notifications when somebody on Discord types.
-    #  disableTypingNotifications: false
-    #  # Disable deleting messages on Discord if a message is redacted on Matrix.
-    #  disableDeletionForwarding: false
-    #  # Enable users to bridge rooms using !discord commands. See
-    #  # https://t2bot.io/discord for instructions.
-    #  enableSelfServiceBridging: false
-    #  # Disable sending of read receipts for Matrix events which have been
-    #  # successfully bridged to Discord.
-    #  disableReadReceipts: false
-    # Authentication configuration for the discord bot.
-    #auth:
-    #  clientID: "12345"
-    #  botToken: "foobar"
-    #logging:
-    #  # What level should the logger output to the console at.
-    #  console: "warn" #silly, verbose, info, http, warn, error, silent
-    #  lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format
-    #  files:
-    #    - file: "debug.log"
-    #      disable:
-    #        - "PresenceHandler" # Will not capture presence logging
-    #    - file: "warn.log" # Will capture warnings
-    #      level: "warn"
-    #    - file: "botlogs.log" # Will capture logs from DiscordBot
-    #      level: "info"
-    #      enable:
-    #        - "DiscordBot"
-    #database:
-    #  userStorePath: "user-store.db"
-    #  roomStorePath: "room-store.db"
-    #  # You may either use SQLite or Postgresql for the bridge database, which contains
-    #  # important mappings for events and user puppeting configurations.
-    #  # Use the filename option for SQLite, or connString for Postgresql.
-    #  # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite
-    #  # WARNING: You will almost certainly be fine with sqlite unless your bridge
-    #  # is in heavy demand and you suffer from IO slowness.
-    #  filename: "discord.db"
-    #  # connString: "postgresql://user:password@localhost/database_name"
-    #room:
-    #  # Set the default visibility of alias rooms, defaults to "public".
-    #  # One of: "public", "private"
-    #  defaultVisibility: "public"
-    #channel:
-    #    # Pattern of the name given to bridged rooms.
-    #    # Can use :guild for the guild name and :name for the channel name.
-    #    namePattern: "[Discord] :guild :name"
-    #    # Changes made to rooms when a channel is deleted.
-    #    deleteOptions:
-    #       # Prefix the room name with a string.
-    #       #namePrefix: "[Deleted]"
-    #       # Prefix the room topic with a string.
-    #       #topicPrefix: "This room has been deleted"
-    #       # Disable people from talking in the room by raising the event PL to 50
-    #       disableMessaging: false
-    #       # Remove the discord alias from the room.
-    #       unsetRoomAlias: true
-    #       # Remove the room from the directory.
-    #       unlistFromDirectory: true
-    #       # Set the room to be unavaliable for joining without an invite.
-    #       setInviteOnly: true
-    #       # Make all the discord users leave the room.
-    #       ghostsLeave: true
-    #limits:
-    #    # Delay in milliseconds between discord users joining a room.
-    #    roomGhostJoinDelay: 6000
-    #    # Delay in milliseconds before sending messages to discord to avoid echos.
-    #    # (Copies of a sent message may arrive from discord before we've
-    #    # fininished handling it, causing us to echo it back to the room)
-    #    discordSendDelay: 750
+  # Your custom YAML configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_appservice_discord_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_appservice_discord_configuration_yaml`.
 
 matrix_appservice_discord_configuration_extension: "{{ matrix_appservice_discord_configuration_extension_yaml|from_yaml if matrix_appservice_discord_configuration_extension_yaml|from_yaml is mapping else {} }}"
 
 matrix_appservice_discord_configuration: "{{ matrix_appservice_discord_configuration_yaml|from_yaml|combine(matrix_appservice_discord_configuration_extension, recursive=True) }}"
+
+matrix_appservice_discord_registration_yaml: |
+  #jinja2: lstrip_blocks: "True"
+  id: appservice-discord
+  as_token: "{{ matrix_appservice_discord_appservice_token }}"
+  hs_token: "{{ matrix_appservice_discord_homeserver_token }}"
+  namespaces:
+    users:
+    - exclusive: true
+      regex: '^@_discord_.*'
+    aliases:
+    - exclusive: true
+      regex: '^#_discord_.*'
+  url: {{ matrix_appservice_discord_appservice_url }}
+  sender_localpart: _discord_bot
+  rate_limited: false
+  protocols:
+    - discord
+
+matrix_appservice_discord_registration: "{{ matrix_appservice_discord_registration_yaml|from_yaml }}"

roles/matrix-bridge-appservice-discord/tasks/init.yml

@@ -1,3 +1,11 @@
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  fail:
+    msg: >-
+      The matrix-bridge-appservice-discord role needs to execute before the matrix-synapse role.
+  when: "matrix_appservice_discord_enabled and matrix_synapse_role_executed|default(False)"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord'] }}"
   when: matrix_appservice_discord_enabled|bool
@@ -7,7 +15,7 @@
     matrix_synapse_container_extra_arguments: >
       {{ matrix_synapse_container_extra_arguments|default([]) }}
       +
-      {{ ["--mount type=bind,src={{ matrix_appservice_discord_base_path }}/discord-registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"] }}
+      {{ ["--mount type=bind,src={{ matrix_appservice_discord_config_path }}/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"] }}
 
     matrix_synapse_app_service_config_files: >
       {{ matrix_synapse_app_service_config_files|default([]) }}

roles/matrix-bridge-appservice-discord/tasks/setup_install.yml

@@ -1,13 +1,5 @@
 ---
 
-# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
-# We don't want to fail in such cases.
-- name: Fail if matrix-synapse role already executed
-  fail:
-    msg: >-
-      The matrix-bridge-appservice-discord role needs to execute before the matrix-synapse role.
-  when: "matrix_synapse_role_executed|default(False)"
-
 - name: Ensure Appservice Discord image is pulled
   docker_image:
     name: "{{ matrix_appservice_discord_docker_image }}"
@@ -15,22 +7,66 @@
     force_source: "{{ matrix_appservice_discord_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_discord_docker_image_force_pull }}"
 
-- name: Ensure Appservice Discord base directory exists
+- name: Ensure AppService Discord paths exist
   file:
-    path: "{{ matrix_appservice_discord_base_path }}"
+    path: "{{ item }}"
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_appservice_discord_base_path }}"
+    - "{{ matrix_appservice_discord_config_path }}"
+    - "{{ matrix_appservice_discord_data_path }}"
 
-- name: Ensure Matrix Appservice Discord config installed
+- name: Check if an old database file already exists
+  stat:
+    path: "{{ matrix_appservice_discord_base_path }}/discord.db"
+  register: matrix_appservice_discord_stat_db
+
+- name: (Data relocation) Ensure matrix-appservice-discord.service is stopped
+  service:
+    name: matrix-appservice-discord
+    state: stopped
+    daemon_reload: yes
+  failed_when: false
+  when: "matrix_appservice_discord_stat_db.stat.exists"
+
+# In addition to this, there used to be some `user-store-db` and `room-store.db` files.
+# They're no longer in use, so we're not relocating them in an effort to point them out as neither `./data`, nor `./config`.
+- name: (Data relocation) Move AppService Discord discord.db file to ./data directory
+  command: "mv {{ matrix_appservice_discord_base_path }}/discord.db {{ matrix_appservice_discord_data_path }}/discord.db"
+  when: "matrix_appservice_discord_stat_db.stat.exists"
+
+- name: Ensure AppService Discord config.yaml installed
   copy:
     content: "{{ matrix_appservice_discord_configuration|to_nice_yaml }}"
-    dest: "{{ matrix_appservice_discord_base_path }}/config.yaml"
+    dest: "{{ matrix_appservice_discord_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
 
+- name: Ensure AppService Discord registration.yaml installed
+  copy:
+    content: "{{ matrix_appservice_discord_registration|to_nice_yaml }}"
+    dest: "{{ matrix_appservice_discord_config_path }}/registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+# If `matrix_appservice_discord_client_id` hasn't changed, the same invite link would be generated.
+# We intentionally suppress Ansible changes.
+- name: Generate AppService Discord invite link
+  shell: >-
+    /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+    --cap-drop=ALL
+    -v {{ matrix_appservice_discord_config_path }}:/cfg
+    -w /cfg
+    {{ matrix_appservice_discord_docker_image }}
+    /bin/sh -c "node /build/tools/addbot.js > /cfg/invite_link"
+  changed_when: false
+
 - name: Ensure matrix-appservice-discord.service installed
   template:
     src: "{{ role_path }}/templates/systemd/matrix-appservice-discord.service.j2"
@@ -42,39 +78,3 @@
   service:
     daemon_reload: yes
   when: "matrix_appservice_discord_systemd_service_result.changed"
-
-- name: Check if a matrix-appservice-discord registration file exists
-  stat:
-    path: "{{ matrix_appservice_discord_base_path }}/discord-registration.yaml"
-  register: appservice_discord_registration_file
-
-- name: Generate matrix-appservice-discord discord-registration.yaml if it doesn't exist
-  shell: >-
-    /usr/bin/docker run --rm --name matrix-appservice-discord-gen
-    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
-    --cap-drop=ALL
-    -v {{ matrix_appservice_discord_base_path }}:/data:z
-    {{ matrix_appservice_discord_docker_image }}
-    node build/src/discordas.js
-    -r
-    -u "http://matrix-appservice-discord:9005"
-    -c /data/config.yaml
-    -f /data/discord-registration.yaml
-    -l discord_bot
-  when: "not appservice_discord_registration_file.stat.exists"
-
-- name: Check if a matrix-appservice-discord invite_link file exists
-  stat:
-    path: "{{ matrix_appservice_discord_base_path }}/invite_link"
-  register: appservice_discord_link_generated
-
-- name: Generate your discord invite link
-  shell: >-
-    /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen
-    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
-    --cap-drop=ALL
-    -v {{ matrix_appservice_discord_base_path }}:/data
-    -w /data
-    {{ matrix_appservice_discord_docker_image }}
-    /bin/sh -c "node .././build/tools/addbot.js > invite_link"
-  when: "not appservice_discord_link_generated.stat.exists"

roles/matrix-bridge-appservice-discord/tasks/validate_config.yml

@@ -8,6 +8,8 @@
   with_items:
     - "matrix_appservice_discord_client_id"
     - "matrix_appservice_discord_bot_token"
+    - "matrix_appservice_discord_appservice_token"
+    - "matrix_appservice_discord_homeserver_token"
 
 - name: (Deprecation) Catch and report renamed appservice-discord variables
   fail:

roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2

@@ -25,11 +25,13 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \
 			{% if matrix_appservice_discord_container_http_host_bind_port %}
 			-p {{ matrix_appservice_discord_container_http_host_bind_port }}:9005 \
 			{% endif %}
-			-v {{ matrix_appservice_discord_base_path }}:/data \
+			-v {{ matrix_appservice_discord_config_path }}:/cfg \
+			-v {{ matrix_appservice_discord_data_path }}:/data \
 			{% for arg in matrix_appservice_discord_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
-			{{ matrix_appservice_discord_docker_image }}
+			{{ matrix_appservice_discord_docker_image }} \
+			node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml
 
 ExecStop=-/usr/bin/docker kill matrix-appservice-discord
 ExecStop=-/usr/bin/docker rm matrix-appservice-discord

roles/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -36,7 +36,7 @@
   command: "mv {{ matrix_appservice_irc_base_path }}/passkey.pem {{ matrix_appservice_irc_data_path }}/passkey.pem"
   when: "matrix_appservice_irc_stat_passkey.stat.exists"
 
-- name: (Data relocation) Move AppService database files to ./data directory
+- name: (Data relocation) Move AppService IRC database files to ./data directory
   command: "mv {{ matrix_appservice_irc_base_path }}/{{ item }} {{ matrix_appservice_irc_data_path }}/{{ item }}"
   with_items:
     - rooms.db

roles/matrix-nginx-proxy/defaults/main.yml

@@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # that is frequently out of date.
-matrix_nginx_proxy_docker_image: "nginx:1.17.0-alpine"
+matrix_nginx_proxy_docker_image: "nginx:1.17.1-alpine"
 matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
 
 matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"

roles/matrix-synapse/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_synapse_enabled: true
 
-matrix_synapse_docker_image: "matrixdotorg/synapse:v1.0.0"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v1.1.0"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 
 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@@ -49,7 +49,7 @@ matrix_synapse_systemd_required_services_list: ['docker.service']
 # List of systemd services that matrix-synapse.service wants
 matrix_synapse_systemd_wanted_services_list: []
 
-matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages"
+matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.7/site-packages"
 
 # Specifies which template files to use when configuring Synapse.
 # If you'd like to have your own different configuration, feel free to copy and paste
@@ -69,8 +69,6 @@ matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
 matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_public }}"
 
 matrix_synapse_max_upload_size_mb: 10
-matrix_synapse_max_log_file_size_mb: 100
-matrix_synapse_max_log_files_count: 10
 
 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
 matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}"
@@ -147,6 +145,11 @@ matrix_synapse_autocreate_auto_join_rooms: true
 # Controls password-peppering for Synapse. Not to be changed after initial setup.
 matrix_synapse_password_config_pepper: ""
 
+# Controls if Synapse allows people to authenticate against its local database.
+# It may be useful to disable this if you've configured additional password providers
+# and only wish authentication to happen through them.
+matrix_synapse_password_config_localdb_enabled: true
+
 # Controls the number of events that Synapse caches in memory.
 matrix_synapse_event_cache_size: "100K"
 

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -14,29 +14,6 @@ server_name: "{{ matrix_domain }}"
 #
 pid_file: /homeserver.pid
 
-# CPU affinity mask. Setting this restricts the CPUs on which the
-# process will be scheduled. It is represented as a bitmask, with the
-# lowest order bit corresponding to the first logical CPU and the
-# highest order bit corresponding to the last logical CPU. Not all CPUs
-# may exist on a given system but a mask may specify more CPUs than are
-# present.
-#
-# For example:
-#    0x00000001  is processor #0,
-#    0x00000003  is processors #0 and #1,
-#    0xFFFFFFFF  is all processors (#0 through #31).
-#
-# Pinning a Python process to a single CPU is desirable, because Python
-# is inherently single-threaded due to the GIL, and can suffer a
-# 30-40% slowdown due to cache blow-out and thread context switching
-# if the scheduler happens to schedule the underlying threads across
-# different cores. See
-# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/.
-#
-# This setting requires the affinity package to be installed!
-#
-#cpu_affinity: 0xFFFFFFFF
-
 # The path to the web client which will be served at /_matrix/client/
 # if 'webclient' is configured under the 'listeners' configuration.
 #
@@ -68,11 +45,15 @@ use_presence: {{ matrix_synapse_use_presence|to_json }}
 #
 #require_auth_for_profile_requests: true
 
-# If set to 'true', requires authentication to access the server's
-# public rooms directory through the client API, and forbids any other
-# homeserver to fetch it via federation. Defaults to 'false'.
+# If set to 'false', requires authentication to access the server's public rooms
+# directory through the client API. Defaults to 'true'.
 #
-#restrict_public_rooms_to_local_users: true
+#allow_public_rooms_without_auth: false
+
+# If set to 'false', forbids any other homeserver to fetch the server's public
+# rooms directory via federation. Defaults to 'true'.
+#
+#allow_public_rooms_over_federation: false
 
 # The default room version for newly created rooms.
 #
@@ -338,6 +319,15 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }}
 #
 #federation_verify_certificates: false
 
+# The minimum TLS version that will be used for outbound federation requests.
+#
+# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
+# that setting this value higher than `1.2` will prevent federation to most
+# of the public Matrix network: only configure it to `1.3` if you have an
+# entirely private federation setup and you can ensure TLS 1.3 support.
+#
+#federation_client_minimum_tls_version: 1.2
+
 # Skip federation certificate verification on the following whitelist
 # of domains.
 #
@@ -427,6 +417,13 @@ acme:
     #
     #domain: matrix.example.com
 
+    # file to use for the account key. This will be generated if it doesn't
+    # exist.
+    #
+    # If unspecified, we will use CONFDIR/client.key.
+    #
+    account_key_file: /data/acme_account.key
+
 # List of allowed TLS fingerprints for this server to publish along
 # with the signing keys for this server. Other matrix servers that
 # make HTTPS requests to this server will check that the TLS
@@ -696,7 +693,7 @@ url_preview_ip_range_blacklist:
 #  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
 
 # The largest allowed URL preview spidering size in bytes
-
+#
 max_spider_size: 10M
 
 
@@ -1020,6 +1017,12 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key"
 # so it is not normally necessary to specify them unless you need to
 # override them.
 #
+# Once SAML support is enabled, a metadata file will be exposed at
+# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
+# use to configure your SAML IdP with. Alternatively, you can manually configure
+# the IdP to use an ACS location of
+# https://<server>:<port>/_matrix/saml2/authn_response.
+#
 #saml2_config:
 #  sp_config:
 #    # point this to the IdP's metadata. You can use either a local file or
@@ -1029,7 +1032,15 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key"
 #      remote:
 #        - url: https://our_idp/metadata.xml
 #
-#    # The rest of sp_config is just used to generate our metadata xml, and you
+#    # By default, the user has to go to our login page first. If you'd like to
+#    # allow IdP-initiated login, set 'allow_unsolicited: True' in a
+#    # 'service.sp' section:
+#    #
+#    #service:
+#    #  sp:
+#    #    allow_unsolicited: True
+#
+#    # The examples below are just used to generate our metadata xml, and you
 #    # may well not need it, depending on your setup. Alternatively you
 #    # may need a whole lot more detail - see the pysaml2 docs!
 #
@@ -1052,6 +1063,12 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key"
 #  # separate pysaml2 configuration file:
 #  #
 #  config_path: "/data/sp_conf.py"
+#
+#  # the lifetime of a SAML session. This defines how long a user has to
+#  # complete the authentication process, if allow_unsolicited is unset.
+#  # The default is 5 minutes.
+#  #
+#  # saml_session_lifetime: 5m
 
 
 
@@ -1078,6 +1095,12 @@ password_config:
    #
    #enabled: false
 
+   # Uncomment to disable authentication against the local password
+   # database. This is ignored if `enabled` is false, and is only useful
+   # if you have other password_providers.
+   #
+   localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }}
+
    # Uncomment and change to a secret random string for extra security.
    # DO NOT CHANGE THIS AFTER INITIAL SETUP!
    #
@@ -1102,11 +1125,13 @@ password_config:
 #   app_name: Matrix
 #
 #   # Enable email notifications by default
+#   #
 #   notif_for_new_users: True
 #
 #   # Defining a custom URL for Riot is only needed if email notifications
 #   # should contain links to a self-hosted installation of Riot; when set
 #   # the "app_name" setting is ignored
+#   #
 #   riot_base_url: "http://localhost/riot"
 #
 #   # Enable sending password reset emails via the configured, trusted
@@ -1119,16 +1144,22 @@ password_config:
 #   #
 #   # If this option is set to false and SMTP options have not been
 #   # configured, resetting user passwords via email will be disabled
+#   #
 #   #trust_identity_server_for_password_resets: false
 #
 #   # Configure the time that a validation email or text message code
 #   # will expire after sending
 #   #
 #   # This is currently used for password resets
+#   #
 #   #validation_token_lifetime: 1h
 #
 #   # Template directory. All template files should be stored within this
-#   # directory
+#   # directory. If not set, default templates from within the Synapse
+#   # package will be used
+#   #
+#   # For the list of default templates, please see
+#   # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
 #   #
 #   #template_dir: res/templates
 #
@@ -1325,6 +1356,7 @@ push:
 #
 
 
+
 # Local statistics collection. Used in populating the room directory.
 #
 # 'bucket_size' controls how large each statistics timeslice is. It can
@@ -1429,3 +1461,16 @@ alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }}
 #    action: allow
 
 room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }}
+
+
+# Server admins can define a Python module that implements extra rules for
+# allowing or denying incoming events. In order to work, this module needs to
+# override the methods defined in synapse/events/third_party_rules.py.
+#
+# This feature is designed to be used in closed federations only, where each
+# participating server enforces the same rules.
+#
+#third_party_event_rules:
+#  module: "my_custom_project.SuperRulesSet"
+#  config:
+#    example_option: 'things'

roles/matrix-synapse/templates/synapse/synapse.log.config.j2

@@ -12,14 +12,6 @@ filters:
         request: ""
 
 handlers:
-    file:
-        class: logging.handlers.RotatingFileHandler
-        formatter: precise
-        filename: /matrix-run/homeserver.log
-        maxBytes: {{ matrix_synapse_max_log_file_size_mb * 1024 * 1024 }}
-        backupCount: {{ matrix_synapse_max_log_files_count }}
-        filters: [context]
-        encoding: utf8
     console:
         class: logging.StreamHandler
         formatter: precise
@@ -41,4 +33,4 @@ loggers:
 
 root:
     level: {{ matrix_synapse_root_log_level }}
-    handlers: [file, console]
+    handlers: [console]