From 9b4bc468ab087b6c8c96c925aac6c59ca9b376ee Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sat, 3 Apr 2021 16:48:40 +0200
Subject: [PATCH] cleanup ip address bindings
---
 defaults/main.yml | 5 ++---
 templates/opt/matrix/config/homeserver.yml.j2 | 4 ++++
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 28d73e9..64aa45c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -45,11 +45,10 @@ matrix_web_client_location: /path/to/web/root
 matrix_filter_timeline_limit: -1
 matrix_http_bind_ips:
- - '::'
- - '0.0.0.0'
+ - "127.0.0.1"
 matrix_http_bind_port: 8008
-matrix_https_bind_ips: "{{ matrix_http_bind_ips }}"
+matrix_https_bind_ips: []
 matrix_https_bind_port: 8448
 matrix_ldap_auth_enabled: False
diff --git a/templates/opt/matrix/config/homeserver.yml.j2 b/templates/opt/matrix/config/homeserver.yml.j2
index 20b6007..8cfe400 100644
--- a/templates/opt/matrix/config/homeserver.yml.j2
+++ b/templates/opt/matrix/config/homeserver.yml.j2
@@ -61,6 +61,7 @@ federation_ip_range_blacklist:
 # List of ports that Synapse should listen on, their purpose and their
 # configuration.
 listeners:
+ {% if matrix_https_bind_ips is defined and matrix_https_bind_ips | length > 0 %}
 # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
 - port: {{ matrix_https_bind_port }}
 bind_addresses:
@@ -74,6 +75,8 @@ listeners:
 resources:
 - names: [client, federation]
 compress: false
+ {% endif %}
+ {% if matrix_http_bind_ips is defined and matrix_http_bind_ips | length > 0 %}
 # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
 # that unwraps TLS.
@@ -87,6 +90,7 @@ listeners:
 resources:
 - names: [client, federation]
 compress: false
+ {% endif %}
 ## Homeserver blocking ##
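Review bot: The new defaults for `matrix_http_bind_ips` and `matrix_https_bind_ips` carry no comment saying that the plain-HTTP listener is now reachable on IPv4 loopback only and that an empty list switches the TLS listener off (the template change in this commit skips a listener whose list is empty). A short comment above each would record the intent, for example `# Loopback only: the plain-HTTP listener is meant to sit behind a TLS-terminating reverse proxy` and `# Empty list disables the built-in TLS listener on matrix_https_bind_port`. Because only `127.0.0.1` is listed, a reverse proxy that connects over `::1` would presumably be refused; adding `- "::1"` or stating the IPv4-only choice in the comment avoids that surprise. Hosts that relied on the previous defaults stop listening on port 8448 after the next run, so the change also deserves a changelog or README note.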
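Review bot: With both `{% if %}` guards in place, `listeners:` can render with no entries when `matrix_http_bind_ips` and `matrix_https_bind_ips` are both empty or undefined, leaving the key null in the generated homeserver config; the guards are opened and closed across this hunk and the ones at -74,6 and -87,6. Nothing visible in the commit rejects that combination, so the misconfiguration would presumably only show up when Synapse starts. A role-level check, for example an `ansible.builtin.assert` task requiring at least one of the two lists to be non-empty, or a comment above `listeners:` stating that requirement, would make the failure explicit at deploy time. The listener blocks start and end outside these hunks, so the `bind_addresses` loop and the remaining listener options are not visible here.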