diff --git a/defaults/main.yml b/defaults/main.yml index 9097ead..3f15289 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -matrix_version: "1.26.0" +matrix_version: "1.52.0" matrix_virtualenv_command: /usr/bin/python3 -m venv matrix_virtualenv: "{{ matrix_base_dir }}/env" @@ -31,8 +31,7 @@ matrix_conf_dir: "{{ matrix_base_dir }}/config" matrix_data_dir: "{{ matrix_base_dir }}/data" matrix_log_dir: "{{ matrix_base_dir }}/log" -matrix_log_file_level: INFO -matrix_log_console_level: ERROR +matrix_log_root_level: INFO matrix_log_synapse_level: INFO matrix_log_synapse_sql_level: INFO matrix_log_ldap_level: INFO @@ -46,11 +45,11 @@ matrix_client_url: https://matrix.example.com matrix_web_client_location: /path/to/web/root matrix_filter_timeline_limit: -1 -matrix_http_bind_ips: +matrix_http_bind_addresses: - "127.0.0.1" matrix_http_bind_port: 8008 -matrix_https_bind_ips: [] +matrix_https_bind_addresses: [] matrix_https_bind_port: 8448 matrix_ldap_auth_enabled: False @@ -66,6 +65,7 @@ matrix_ldap_auth_name_attr: "cn" # @var matrix_db_type:description: Sopported values are `pgsql` and `sqlite`. matrix_db_type: pgsql +matrix_db_txn_limit: 0 matrix_db_server: localhost matrix_db_port: 5432 matrix_db_name: matrix @@ -74,6 +74,14 @@ matrix_db_password: secure matrix_db_ssl_mode: disable matrix_db_ssl_root_cert: /etc/pki/tls/certs/ca-bundle.trust.crt +matrix_presence_enabled: False +matrix_default_room_version: "6" + +matrix_event_cache_size: "100K" +matrix_caches_global_factor: 0.5 + +matrix_suppress_key_server_warning: False + matrix_url_preview_enabled: False # List of IP address CIDR ranges that the URL preview spider is denied 
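Review bot: Renaming `matrix_http_bind_ips`/`matrix_https_bind_ips` to `matrix_http_bind_addresses`/`matrix_https_bind_addresses` in the `@@ -46,11` hunk adds no guard for inventories that still set the old names; the homeserver template now reads only the new names, so such a deployment silently falls back to the defaults here (HTTP on `127.0.0.1` only, no HTTPS listener) with no error at all. The same silent fallback applies to `matrix_log_file_level`/`matrix_log_console_level` replaced by `matrix_log_root_level` in the `@@ -31,8` hunk. Consider an `assert` task early in the role with `that: matrix_http_bind_ips is not defined and matrix_https_bind_ips is not defined` (and the two old log variables) plus a `fail_msg` naming the new variables, or at least a changelog entry describing the rename.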
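Review bot: The new variables `matrix_presence_enabled`, `matrix_default_room_version`, `matrix_event_cache_size`, `matrix_caches_global_factor` and `matrix_suppress_key_server_warning` carry none of the `# @var …:description:` lines this file uses (see `matrix_db_type` just above), and the last one silences a warning that matters for key verification: as far as I recall Synapse prints it when `trusted_key_servers` relies on matrix.org without pinned `verify_keys`, which is how the template configures it. Suggest `# @var matrix_suppress_key_server_warning:description: Set to True to silence Synapse's warning about matrix.org being the only, unpinned, trusted key server; review trusted_key_servers before doing so.` Likewise `matrix_db_txn_limit: 0` in the `@@ -66,6` hunk would benefit from `# @var matrix_db_txn_limit:description: Transactions per database connection before reconnecting; 0 means no limit (Synapse default).`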
@@ -125,8 +133,6 @@ matrix_form_secret: "oFP3m&,r^wJ=Tr#=Ruww5+h0e;-DZqcuVGXV4XgRZIAt~Gv2YF" # @var matrix_signing_key: $ "_unset_" matrix_tls_enabled: False -matrix_tls_dhparam_path: "{{ matrix_base_dir }}/tls/dhparam.pem" -matrix_tls_dhparam_size: 2048 matrix_tls_cert_path: "{{ matrix_base_dir }}/tls/certs/mycert.pem" matrix_tls_key_path: "{{ matrix_base_dir }}/tls/private/mykey.pem" matrix_tls_cert_source: mycert.pem diff --git a/tasks/tls.yml b/tasks/tls.yml index d638dca..200fcbb 100644 --- a/tasks/tls.yml +++ b/tasks/tls.yml @@ -8,7 +8,6 @@ group: "{{ matrix_group }}" recurse: True loop: - - "{{ matrix_tls_dhparam_path | dirname }}" - "{{ matrix_tls_cert_path | dirname }}" - "{{ matrix_tls_key_path | dirname }}" become: True @@ -21,17 +20,14 @@ dest: "{{ item.dest }}" mode: "{{ item.mode }}" loop: - - { src: "{{ matrix_tls_key_source }}", dest: '{{ matrix_tls_key_path }}', mode: '0600' } - - { src: "{{ matrix_tls_cert_source }}", dest: '{{ matrix_tls_cert_path }}', mode: '0650' } + - src: "{{ matrix_tls_key_source }}" + dest: "{{ matrix_tls_key_path }}" + mode: "0600" + - src: "{{ matrix_tls_cert_source }}" + dest: "{{ matrix_tls_cert_path }}" + mode: "0650" loop_control: label: "{{ item.dest }}" notify: __matrix_restart - - - name: Create Diffie-Hellman Parameter - openssl_dhparam: - path: "{{ matrix_tls_dhparam_path }}" - size: "{{ matrix_tls_dhparam_size }}" - when: matrix_tls_dhparam_path is defined - notify: __matrix_restart become: True become_user: "{{ matrix_user }}" diff --git a/templates/opt/matrix/config/homeserver.yml.j2 b/templates/opt/matrix/config/homeserver.yml.j2 index 8cfe400..079d4df 100644 --- a/templates/opt/matrix/config/homeserver.yml.j2 +++ b/templates/opt/matrix/config/homeserver.yml.j2 
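Review bot: In the `@@ -21,17 +20,14` hunk of tasks/tls.yml the context lines `become: True` / `become_user: "{{ matrix_user }}"` belonged to the removed Diffie-Hellman task, and after the deletion they sit directly under the copy task's `notify:`, so they now appear to attach to the copy task; that makes the certificate and key copy run as `matrix_user` (changing the owner of the written files unless `owner:` is set) and, if the copy task already declares `become` above the hunk, produces a duplicate key. Either delete the two lines along with the task or confirm the new ownership is intended. Also, the rewritten loop item gives the certificate `mode: "0650"`, which sets the group execute bit on a PEM data file; that looks like a typo for `mode: "0640"`, while the key's `"0600"` is right. The copy task's `name:` and `copy:` lines are outside the hunk.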
@@ -1,72 +1,28 @@ #jinja2: lstrip_blocks: True {{ ansible_managed | comment }} + ## Server ## -# The domain name of the server, with optional explicit port server_name: "{{ matrix_server_url }}" - -# When running as a daemon, the file to store the pid in pid_file: /var/run/homeserver.pid - -# The path to the web client which will be served at /_matrix/client/ -# if 'webclient' is configured under the 'listeners' configuration. -# web_client_location: "{{ matrix_web_client_location }}" - -# The public-facing base URL that clients use to access this HS public_baseurl: "{{ matrix_client_url }}" -# Set to false to disable presence tracking on this homeserver. -use_presence: false +presence: + enabled: {{ matrix_presence_enabled | bool | lower }} -# Whether to require authentication to retrieve profile data (avatars, -# display names) of other users through the client API. require_auth_for_profile_requests: false - -# If set to 'false', requires authentication to access the server's public rooms -# directory through the client API. allow_public_rooms_without_auth: true - -# If set to 'false', forbids any other homeserver to fetch the server's public -# rooms directory via federation. Defaults to 'true'. allow_public_rooms_over_federation: true - -# The default room version for newly created rooms. -# https://matrix.org/docs/spec/#complete-list-of-room-versions -default_room_version: "4" - -# Set the limit on the returned events in the timeline in the get -# and sync operations. +matrix_default_room_version: "{{ matrix_default_room_version }}" filter_timeline_limit: {{ matrix_filter_timeline_limit }} - -# Whether room invites to users on this server should be blocked -# (except those sent by local server admins). block_non_admin_invites: false - -# Room searching enable_search: true -# Restrict federation to the following whitelist of domains. 
-# federation_domain_whitelist: [] - -federation_ip_range_blacklist: - - "127.0.0.0/8" - - "10.0.0.0/8" - - "172.16.0.0/12" - - "192.168.0.0/16" - - "100.64.0.0/10" - - "169.254.0.0/16" - - "::1/128" - - "fe80::/64" - - "fc00::/7" - -# List of ports that Synapse should listen on, their purpose and their -# configuration. listeners: - {% if matrix_https_bind_ips is defined and matrix_https_bind_ips | length > 0 %} - # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - - port: {{ matrix_https_bind_port }} + {% if matrix_https_bind_addresses is defined and matrix_https_bind_addresses | length > 0 %} + - type: http + port: {{ matrix_https_bind_port }} bind_addresses: - {{ matrix_https_bind_ips | to_nice_yaml | indent(6) }} - type: http + {{ matrix_https_bind_addresses | to_nice_yaml | indent(6) }} {% if matrix_tls_enabled %} tls: true {% endif %} 
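Review bot: The added line `matrix_default_room_version: "{{ matrix_default_room_version }}"` uses the Ansible variable name as the Synapse config key; the key Synapse reads is `default_room_version` (the line being removed), so the new `matrix_default_room_version: "6"` default is never applied and Synapse falls back to its built-in default. The line should read `default_room_version: "{{ matrix_default_room_version }}"`. Separately, the hunk drops the entire `federation_ip_range_blacklist` list of private and link-local ranges without a replacement; newer Synapse releases superseded it with `ip_range_blacklist`, which as far as I recall ships with a built-in private-range default, but the template should make that explicit (a comment stating the reliance on the built-in default, or an `ip_range_blacklist:` rendered from a role variable) so the protection against federation, push and URL-preview requests reaching internal addresses stays visible and reviewable rather than implicit.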
@@ -76,104 +32,40 @@ listeners: - names: [client, federation] compress: false {% endif %} - {% if matrix_http_bind_ips is defined and matrix_http_bind_ips | length > 0 %} + {% if matrix_http_bind_addresses is defined and matrix_http_bind_addresses | length > 0 %} - # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - - port: {{ matrix_http_bind_port }} + - type: http + port: {{ matrix_http_bind_port }} tls: false bind_addresses: - {{ matrix_http_bind_ips | to_nice_yaml | indent(6) }} - type: http + {{ matrix_http_bind_addresses | to_nice_yaml | indent(6) }} x_forwarded: true resources: - names: [client, federation] compress: false {% endif %} - -## Homeserver blocking ## - -# How to reach the server admin, used in ResourceLimitError -# -#admin_contact: 'mailto:admin@server.com' - -# Global blocking -# -#hs_disabled: False -#hs_disabled_message: 'Human readable reason for why the HS is blocked' -#hs_disabled_limit_type: 'error code(str), to help clients decode reason' - -# Monthly Active User Blocking -# -# Used in cases where the admin or server owner wants to limit to the -# number of monthly active users. -# -# 'limit_usage_by_mau' disables/enables monthly active user blocking. When -# anabled and a limit is reached the server returns a 'ResourceLimitError' -# with error type Codes.RESOURCE_LIMIT_EXCEEDED -# -# 'max_mau_value' is the hard limit of monthly active users above which -# the server will start blocking user actions. -# -# 'mau_trial_days' is a means to add a grace period for active users. It -# means that users must be active for this number of days before they -# can be considered active and guards against the case where lots of users -# sign up in a short space of time never to return after their initial -# session. 
-# -#limit_usage_by_mau: False -#max_mau_value: 50 -#mau_trial_days: 2 - -# If enabled, the metrics for the number of monthly active users will -# be populated, however no one will be limited. If limit_usage_by_mau -# is true, this is implied to be true. -# -#mau_stats_only: False - -# Sometimes the server admin will want to ensure certain accounts are -# never blocked by mau checking. These accounts are specified here. -# -#mau_limit_reserved_threepids: -# - medium: 'email' -# address: 'reserved_user@example.com' - -# Used by phonehome stats to group together related servers. -#server_context: context - -# Whether to require a user to be in the room to add an alias to it. -# Defaults to 'true'. -# -#require_membership_for_aliases: false - -# Whether to allow per-room membership profiles through the send of membership -# events with profile information that differ from the target's global profile. -# Defaults to 'true'. -# -#allow_per_room_profiles: false {% if matrix_tls_enabled %} ## TLS ## tls_certificate_path: "{{ matrix_tls_cert_path }}" tls_private_key_path: "{{ matrix_tls_key_path }}" -tls_dh_params_path: "{{ matrix_tls_dhparam_path }}" -# Whether to verify TLS server certificates for outbound federation requests. federation_verify_certificates: true - -# The minimum TLS version that will be used for outbound federation requests. federation_client_minimum_tls_version: 1.2 - -# Skip federation certificate verification on the following whitelist -# of domains. -# federation_certificate_verification_whitelist: [] +federation_certificate_verification_whitelist: [] {% endif %} +## Caching ## +event_cache_size: "{{ matrix_event_cache_size }}" +caches: + global_factor: {{ matrix_caches_global_factor }} + ## Database ## database: {% if matrix_db_type == "pgsql" %} name: psycopg2 + txn_limit: {{ matrix_db_txn_limit }} args: user: {{ matrix_db_user }} password: {{ matrix_db_password }} 
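Review bot: In the `database:` block this hunk edits (adding `txn_limit`), `password: {{ matrix_db_password }}` and `user: {{ matrix_db_user }}` are still rendered unquoted, so a password containing ` #`, `: `, a leading `*`/`&`/`[`, or a purely numeric or `yes`/`no`-like value either breaks the rendered YAML or is re-typed before Synapse sees it. Not introduced by this commit, but since the block is being touched: `password: {{ matrix_db_password | to_json }}` (and the same for `user`) yields a correctly escaped YAML string regardless of the secret's content, which plain double quotes do not for values containing `"` or `\`. The `args:` mapping continues past the end of the hunk.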
@@ -190,17 +82,12 @@ database: database: "{{ matrix_data_dir }}/homeserver.db" {% endif %} -# Number of events to cache in memory. -event_cache_size: "10K" - ## Logging ## # A yaml python logging config file log_config: "{{ matrix_conf_dir }}/logging.config" ## Ratelimiting ## - -# Ratelimiting settings for client actions (registration, login, messaging). rc_message: per_second: 0.2 burst_count: 10 @@ -220,8 +107,6 @@ rc_login: per_second: 0.17 burst_count: 3 - -# Ratelimiting settings for incoming federation rc_federation: window_size: 1000 sleep_limit: 10 @@ -229,26 +114,11 @@ rc_federation: reject_limit: 50 concurrent: 3 -# Directory where uploaded images and attachments are stored. +## Media Store ## media_store_path: "{{ matrix_data_dir }}/media_store" - -# Directory where in-progress uploads are stored. -uploads_path: "{{ matrix_data_dir }}/uploads" - -# The largest allowed upload size in bytes max_upload_size: 10M - -# Maximum number of pixels that will be thumbnailed max_image_pixels: 32M - -# Whether to generate new thumbnails on the fly to precisely match -# the resolution requested by the client. If true then whenever -# a new resolution is requested by the client the server will -# generate a new thumbnail. If false the server will pick a thumbnail -# from a precalculated list. dynamic_thumbnails: false - -# List of thumbnails to precalculate when an image is uploaded. thumbnail_sizes: - width: 32 height: 32 
@@ -266,118 +136,42 @@ thumbnail_sizes: height: 600 method: scale -# Is the preview URL API enabled? url_preview_enabled: {{ 'true' if matrix_url_preview_enabled else 'false' }} -# List of IP address CIDR ranges that the URL preview spider is denied -# from accessing. {% if matrix_url_preview_ip_blacklist is defined %} url_preview_ip_range_blacklist: {{ matrix_url_preview_ip_blacklist | to_nice_yaml | indent(2) }} {% endif %} -# List of IP address CIDR ranges that the URL preview spider is allowed -# to access even if they are specified in url_preview_ip_range_blacklist. -# url_preview_ip_range_whitelist: [] - -# Optional list of URL matches that the URL preview spider is -# denied from accessing. {% if matrix_url_preview_url_blacklist is defined %} url_preview_url_blacklist: {{ matrix_url_preview_url_blacklist | to_nice_yaml | indent(2) }} {% endif %} -# The largest allowed URL preview spidering size in bytes max_spider_size: "{{ matrix_url_preview_max_spider_size }}" ## Captcha ## enable_registration_captcha: false -## TURN ## -# The public URIs of the TURN server to give to clients -# -#turn_uris: [] - -# The shared secret used to compute passwords for the TURN server -# -#turn_shared_secret: "YOUR_SHARED_SECRET" - -# The Username and password if the TURN server needs them and -# does not use a token -# -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" - -# How long generated TURN credentials last -# -#turn_user_lifetime: 1h - -# Whether guests should be allowed to use the TURN server. -# This defaults to True, otherwise VoIP will be unreliable for guests. -# However, it does introduce a slight security risk as it allows users to -# connect to arbitrary endpoints without having first signed up for a -# valid account (e.g. by passing a CAPTCHA). -# -#turn_allow_guests: True - - ## Registration ## -# Enable registration for new users. enable_registration: false - -# Set the number of bcrypt rounds used to generate password hash. 
-# Larger numbers increase the work factor needed to generate the hash. bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. allow_guest_access: false - -# The identity server which we suggest that clients should use when users log -# in on this server. default_identity_server: https://matrix.org ## Metrics ### -# Enable collection and rendering of performance metrics -enable_metrics: False - -# Whether or not to report anonymized homeserver usage statistics. +enable_metrics: false report_stats: false ## API Configuration ## -# A secret which is used to sign access tokens. If none is specified, -# the registration_shared_secret is used, if one is given; otherwise, -# a secret key is derived from the signing key. macaroon_secret_key: "{{ matrix_macaroon_secret_key }}" - -# Used to enable access token expiration. -#expire_access_token: False - -# A secret which is used to calculate HMACs for form values, to stop -# falsification of values. Must be specified for the User Consent -# forms to work. form_secret: "{{ matrix_form_secret }}" ## Signing Keys ## - -# Path to the signing key to sign messages with signing_key_path: "{{ matrix_conf_dir }}/{{ matrix_server_url }}.signing.key" - -# The keys that the server used to sign messages with but won't use -# to sign new messages. E.g. it has lost its private key -# -#old_signing_keys: -# "ed25519:auto": -# # Base64 encoded public key -# key: "The public part of your old signing key." -# # Millisecond POSIX timestamp when the key expired. -# expired_ts: 123456789123 - -# How long key response published by this server is valid for. key_refresh_interval: 1d -# The trusted servers to download signing keys from. +suppress_key_server_warning: {{ matrix_suppress_key_server_warning | bool | lower }} trusted_key_servers: - server_name: "matrix.org" 
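Review bot: The new boolean rendering `suppress_key_server_warning: {{ matrix_suppress_key_server_warning | bool | lower }}` (and `presence.enabled` in the first hunk) uses one idiom while the neighbouring `url_preview_enabled: {{ 'true' if matrix_url_preview_enabled else 'false' }}` in the same hunk uses another; the two behave differently for string values such as `"no"` or `"0"`, which `| bool` normalises and the ternary treats as truthy. Pick one form, preferably `{{ matrix_url_preview_enabled | bool | lower }}`, so every boolean in the template is normalised the same way.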
@@ -407,120 +201,16 @@ password_providers: {% endif %} {% endif %} -# Enable sending emails for password resets, notification events or -# account expiry notices -# -# If your SMTP server requires authentication, the optional smtp_user & -# smtp_pass variables should be used -# -#email: -# enable_notifs: false -# smtp_host: "localhost" -# smtp_port: 25 # SSL: 465, STARTTLS: 587 -# smtp_user: "exampleusername" -# smtp_pass: "examplepassword" -# require_transport_security: False -# notif_from: "Your Friendly %(app)s Home Server " -# app_name: Matrix -# -# # Enable email notifications by default -# # -# notif_for_new_users: True -# -# # Defining a custom URL for Riot is only needed if email notifications -# # should contain links to a self-hosted installation of Riot; when set -# # the "app_name" setting is ignored -# # -# riot_base_url: "http://localhost/riot" -# -# # Enable sending password reset emails via the configured, trusted -# # identity servers -# # -# # IMPORTANT! This will give a malicious or overtaken identity server -# # the ability to reset passwords for your users! Make absolutely sure -# # that you want to do this! It is strongly recommended that password -# # reset emails be sent by the homeserver instead -# # -# # If this option is set to false and SMTP options have not been -# # configured, resetting user passwords via email will be disabled -# # -# #trust_identity_server_for_password_resets: false -# -# # Configure the time that a validation email or text message code -# # will expire after sending -# # -# # This is currently used for password resets -# # -# #validation_token_lifetime: 1h -# -# # Template directory. All template files should be stored within this -# # directory. 
If not set, default templates from within the Synapse -# # package will be used -# # -# # For the list of default templates, please see -# # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates -# # -# #template_dir: res/templates -# -# # Templates for email notifications -# # -# notif_template_html: notif_mail.html -# notif_template_text: notif_mail.txt -# -# # Templates for account expiry notices -# # -# expiry_template_html: notice_expiry.html -# expiry_template_text: notice_expiry.txt -# -# # Templates for password reset emails sent by the homeserver -# # -# #password_reset_template_html: password_reset.html -# #password_reset_template_text: password_reset.txt -# -# # Templates for password reset success and failure pages that a user -# # will see after attempting to reset their password -# # -# #password_reset_template_success_html: password_reset_success.html -# #password_reset_template_failure_html: password_reset_failure.html - -# Clients requesting push notifications can either have the body of -# the message sent in the notification poke along with other details -# like the sender, or just the event ID and room ID (`event_id_only`). -# If clients choose the former, this option controls whether the -# notification request includes the content of the event (other details -# like the sender are still included). For `event_id_only` push, it -# has no effect. -# -# For modern android devices the notification content will still appear -# because it is loaded by the app. iPhone, however will send a -# notification saying only that a message arrived and who it came from. -# -#push: -# include_content: true - -#spam_checker: -# module: "my_custom_project.SuperSpamChecker" -# config: -# example_option: 'things' - -# Uncomment to allow non-server-admin users to create groups on this server +## Rooms ## enable_group_creation: false - -# Uncomment to disable searching the public room list. 
When disabled -# blocks searching local and remote room lists for local and remote -# users by always returning an empty list for all queries. enable_room_list_search: true -# The `alias_creation` option controls who's allowed to create aliases -# on this server. alias_creation_rules: - user_id: "*" alias: "*" room_id: "*" action: allow -# The `room_list_publication_rules` option controls who can publish and -# which rooms can be published in the public room list. room_list_publication_rules: - user_id: "*" alias: "*" @@ -529,6 +219,5 @@ room_list_publication_rules: ## Opentracing ## -# These settings enable opentracing, which implements distributed tracing. opentracing: enabled: false diff --git a/templates/opt/matrix/config/logging.config.j2 b/templates/opt/matrix/config/logging.config.j2 index dc49968..1e30475 100644 --- a/templates/opt/matrix/config/logging.config.j2 +++ b/templates/opt/matrix/config/logging.config.j2 @@ -20,12 +20,10 @@ handlers: backupCount: 10 filters: [context] encoding: utf8 - level: {{ matrix_log_file_level }} console: class: logging.StreamHandler formatter: precise filters: [context] - level: {{ matrix_log_console_level }} loggers: synapse: @@ -45,4 +43,5 @@ loggers: {% endif %} root: + level: {{ matrix_log_root_level }} handlers: [file, console]
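Review bot: Removing `level:` from the `console` handler in the `@@ -20,12` hunk of logging.config.j2 while adding `level: {{ matrix_log_root_level }}` only on `root` in the `@@ -45,4` hunk changes what reaches the console: it was gated by `matrix_log_console_level` (ERROR by default) and now emits everything the root logger passes, INFO by default, so the console and file handlers duplicate each other and stdout/journal volume grows accordingly. If that is intended, a changelog line should say so; otherwise keep a console-specific level, e.g. `level: {{ matrix_log_console_level | default(matrix_log_root_level) }}` on the console handler, so an operator can still keep the console quiet while the file keeps the full log.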