[__matrix_synapse] various configuration fixes
This commit is contained in:
parent
c84831331e
commit
e8b0ced1b1
7 changed files with 97 additions and 82 deletions
|
@ -525,13 +525,19 @@ retention:
|
|||
# full certificate chain including any intermediate certificates (for
|
||||
# instance, if using certbot, use \`fullchain.pem\` as your certificate,
|
||||
# not \`cert.pem\`).
|
||||
#
|
||||
tls_certificate_path: "${TLS_CERTIFICATE_PATH:?}"
|
||||
EOF
|
||||
|
||||
if [ -n "$TLS_CERTIFICATE_PATH" ] && [ -n "$TLS_PRIVATE_KEY_PATH" ]; then
|
||||
cat << EOF
|
||||
tls_certificate_path: "$TLS_CERTIFICATE_PATH}"
|
||||
|
||||
# PEM-encoded private key for TLS
|
||||
#
|
||||
tls_private_key_path: "${TLS_PRIVATE_KEY_PATH:?}"
|
||||
tls_private_key_path: "$TLS_PRIVATE_KEY_PATH"
|
||||
EOF
|
||||
fi
|
||||
|
||||
cat << EOF
|
||||
# Whether to verify TLS server certificates for outbound federation requests.
|
||||
#
|
||||
# Defaults to \`true\`. To disable certificate verification, uncomment the
|
||||
|
@ -2495,7 +2501,7 @@ push:
|
|||
# The default value is "true" to include message details. Uncomment to only
|
||||
# include the event ID and room ID in push notification payloads.
|
||||
#
|
||||
#include_content: false
|
||||
include_content: true
|
||||
|
||||
# When a push notification is received, an unread count is also sent.
|
||||
# This number can either be calculated as the number of unread messages
|
||||
|
@ -2538,7 +2544,7 @@ spam_checker:
|
|||
# Note that this option will only affect rooms created after it is set. It
|
||||
# will also not affect rooms created by other servers.
|
||||
#
|
||||
encryption_enabled_by_default_for_room_type: "${ROOM_ENCRYPTION_POLICY:?}"j
|
||||
encryption_enabled_by_default_for_room_type: "${ROOM_ENCRYPTION_POLICY:?}"
|
||||
|
||||
|
||||
# Uncomment to allow non-server-admin users to create groups on this server
|
||||
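Review bot: `tls_certificate_path: "$TLS_CERTIFICATE_PATH}"` inside the new `if` block carries a stray closing brace, so the rendered homeserver.yaml points Synapse at a path ending in `}` and any TLS listener will fail to load its certificate; it should read `tls_certificate_path: "$TLS_CERTIFICATE_PATH"`, matching the `tls_private_key_path` line a few lines below. Wrapping both settings in `[ -n "$TLS_CERTIFICATE_PATH" ] && [ -n "$TLS_PRIVATE_KEY_PATH" ]` also trades the previous `${…:?}` hard failure for silence when exactly one of the two is supplied: the whole stanza is dropped and Synapse comes up without the TLS configuration the operator intended. A guard before the heredoc that exits with an error when only one of the two variables is set would keep the old fail-fast behaviour. The heredoc script this hunk edits begins and ends outside the hunk.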
|
|
|
@ -5,6 +5,7 @@ cat << EOF
|
|||
# THIS FILE HAS BEEN GENERATED BY CDIST. DO NOT EDIT BY HAND. #
|
||||
###############################################################
|
||||
|
||||
|
||||
# Log configuration for Synapse.
|
||||
#
|
||||
# This is a YAML file containing a standard Python logging configuration
|
||||
|
@ -15,13 +16,18 @@ cat << EOF
|
|||
#
|
||||
# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
|
||||
# [2]: https://github.com/matrix-org/synapse/blob/master/docs/structured_logging.md
|
||||
|
||||
#
|
||||
version: 1
|
||||
|
||||
formatters:
|
||||
precise:
|
||||
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
|
||||
|
||||
filters:
|
||||
context:
|
||||
(): synapse.util.logcontext.LoggingContextFilter
|
||||
request: ""
|
||||
|
||||
handlers:
|
||||
file:
|
||||
class: logging.handlers.TimedRotatingFileHandler
|
||||
|
@ -29,8 +35,8 @@ handlers:
|
|||
filename: ${LOG_DIR:?}/homeserver.log
|
||||
when: midnight
|
||||
backupCount: 3 # Does not include the current log file.
|
||||
filters: [context]
|
||||
encoding: utf8
|
||||
|
||||
# Default to buffering writes to log file for efficiency. This means that
|
||||
# will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
|
||||
# logs will still be flushed immediately.
|
||||
|
@ -43,37 +49,22 @@ handlers:
|
|||
# be written to disk.
|
||||
capacity: 10
|
||||
flushLevel: 30 # Flush for WARNING logs as well
|
||||
|
||||
# A handler that writes logs to stderr. Unused by default, but can be used
|
||||
# instead of "buffer" and "file" in the logger handlers.
|
||||
console:
|
||||
class: logging.StreamHandler
|
||||
formatter: precise
|
||||
level: WARN
|
||||
|
||||
loggers:
|
||||
synapse:
|
||||
level: INFO
|
||||
synapse.storage.SQL:
|
||||
# beware: increasing this to DEBUG will make synapse log sensitive
|
||||
# information such as access tokens.
|
||||
level: INFO
|
||||
|
||||
twisted:
|
||||
# We send the twisted logging directly to the file handler,
|
||||
# to work around https://github.com/matrix-org/synapse/issues/3471
|
||||
# when using "buffer" logger. Use "console" to log to stderr instead.
|
||||
handlers: [file]
|
||||
propagate: false
|
||||
level: INFO
|
||||
|
||||
root:
|
||||
level: INFO
|
||||
|
||||
# Write logs to the \`buffer\` handler, which will buffer them together in memory,
|
||||
# then write them to a file.
|
||||
#
|
||||
# Replace "buffer" with "console" to log to stderr instead. (Note that you'll
|
||||
# also need to update the configuration for the \`twisted\` logger above, in
|
||||
# this case.)
|
||||
#
|
||||
handlers: [buffer]
|
||||
|
||||
disable_existing_loggers: false
|
||||
handlers: [buffer, console]
|
||||
EOF
|
||||
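Review bot: The new `handlers: [buffer, console]` line appears after `disable_existing_loggers: false` on the new side, and the rendered view drops indentation, so it is not clear where it lands in the YAML tree; if it is a top-level key it duplicates the `handlers:` mapping defined earlier (PyYAML keeps the last value, so the handler definitions become a list and dictConfig fails), and if it is nested under `root:` together with `disable_existing_loggers`, that flag is only honoured at top level, is silently ignored and defaults to true. Please check the generated file: the intended shape is `root:` holding `level: INFO` and `handlers: [buffer, console]`, with `disable_existing_loggers: false` as a top-level key. With the console handler now attached to the root logger, its comment `# A handler that writes logs to stderr. Unused by default, but can be used` is stale and could say `# Attached to the root logger below, so WARNING and above are also mirrored to stderr (the journal under systemd).` The `handlers:` mapping edited here starts in the previous hunk.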
|
|
|
@ -6,11 +6,11 @@ init=$(cat "$__global/explorer/init")
|
|||
case "$os" in
|
||||
alpine)
|
||||
synapse_conf_dir=/etc/synapse
|
||||
synapse_service=matrix-synapse
|
||||
synapse_service=synapse
|
||||
;;
|
||||
debian)
|
||||
synapse_conf_dir=/etc/matrix-synapse
|
||||
synapse_service=synapse
|
||||
synapse_service=matrix-synapse
|
||||
;;
|
||||
*)
|
||||
echo "Unknown OS $os." >&2
|
||||
|
@ -18,10 +18,10 @@ case "$os" in
|
|||
;;
|
||||
esac
|
||||
|
||||
if grep -qE "^__file/$synapse_conf_dir" "${__messages_in}"; then
|
||||
if grep -qE "^__file$synapse_conf_dir" "${__messages_in}"; then
|
||||
case "$init" in
|
||||
systemd)
|
||||
echo "systemctl try-reload-or-restart $synapse_service"
|
||||
echo "systemctl restart $synapse_service"
|
||||
;;
|
||||
initd)
|
||||
echo "service --ifstopped $synapse_service start"
|
||||
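Review bot: On the `initd` branch `service --ifstopped $synapse_service start` only starts a stopped service and never restarts a running one, so on initd hosts a changed homeserver.yaml or TLS certificate under `$synapse_conf_dir` is detected by the grep but never applied, whereas the systemd branch restarts unconditionally; `service $synapse_service restart` would make the two branches behave the same. The pattern `^__file$synapse_conf_dir` is also not delimited after the directory, so a `__file` object whose path merely shares the prefix (for instance `/etc/synapse-other`) would trigger a restart; `^__file$synapse_conf_dir/` avoids that. The `case "$init"` statement continues past the end of this hunk.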
|
|
|
@ -28,12 +28,6 @@ database-name
|
|||
Path to database file if SQLite3 is used or database name if PostgresSQL is
|
||||
used.
|
||||
|
||||
tls-cert
|
||||
Path to PEM-encoded X509 TLS certificate.
|
||||
|
||||
tls-private-key
|
||||
Path to PEM-encoded TLS private key.
|
||||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
database-host
|
||||
|
@ -69,6 +63,14 @@ ldap-bind-password
|
|||
ldap-filter
|
||||
LDAP user filter, defaulting to `(objectClass=posixAccount)`.
|
||||
|
||||
tls-cert
|
||||
Path to PEM-encoded X509 TLS certificate. Not needed if TLS termination is
|
||||
handled by a reverse Proxy such as NGINX.
|
||||
|
||||
tls-private-key
|
||||
Path to PEM-encoded TLS private key. Not needed if TLS termination is
|
||||
handled by a reverse Proxy such as NGINX.
|
||||
|
||||
smtp-host
|
||||
The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
|
||||
|
||||
|
|
|
@ -119,9 +119,14 @@ if [ -f "$__object/parameter/enable-server-notices" ]; then
|
|||
fi
|
||||
|
||||
# TLS.
|
||||
if [ -f "$__object/parameter/tls-cert" ]; then
|
||||
TLS_CERTIFICATE_PATH=$(cat "$__object/parameter/tls-cert")
|
||||
export TLS_CERTIFICATE_PATH
|
||||
fi
|
||||
if [ -f "$__object/parameter/tls-private-key" ]; then
|
||||
TLS_PRIVATE_KEY_PATH=$(cat "$__object/parameter/tls-private-key")
|
||||
export TLS_PRIVATE_KEY_PATH TLS_CERTIFICATE_PATH
|
||||
export TLS_PRIVATE_KEY_PATH
|
||||
fi
|
||||
|
||||
# Performance flags.
|
||||
GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global-cache-factor")
|
||||
|
@ -144,7 +149,11 @@ export DATABASE_ENGINE DATABASE_NAME DATABASE_HOST DATABASE_USER \
|
|||
DATABASE_PASSWORD
|
||||
|
||||
# LDAP-based authentication.
|
||||
if [ -f "$__object/enable-ldap-auth" ]; then
|
||||
ENABLE_LDAP_AUTH=$(get_boolean_for 'enable-ldap-auth')
|
||||
export ENABLE_LDAP_AUTH
|
||||
fi
|
||||
|
||||
LDAP_FILTER=$(cat "$__object/parameter/ldap-filter")
|
||||
LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap-uid-attribute")
|
||||
LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap-mail-attribute")
|
||||
|
@ -154,9 +163,8 @@ LDAP_BASE_DN=$(cat "$__object/parameter/ldap-base-dn")
|
|||
LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn")
|
||||
LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
|
||||
LDAP_USE_STARTTLS=$(get_boolean_for 'ldap-use-starttls')
|
||||
export ENABLE_LDAP_AUTH LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE \
|
||||
LDAP_NAME_ATTRIBUTE LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD \
|
||||
LDAP_USE_STARTTLS
|
||||
export LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE LDAP_NAME_ATTRIBUTE \
|
||||
LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD LDAP_USE_STARTTLS
|
||||
|
||||
# Outgoing emails (= notifications).
|
||||
ENABLE_NOTIFICATIONS=$(get_boolean_for 'enable-notifications')
|
||||
|
@ -181,6 +189,11 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
|
|||
USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
|
||||
export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
|
||||
|
||||
if [ -f "$__object/parameter/registration-shared-token" ]; then
|
||||
REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
|
||||
export REGISTRATION_SHARED_SECRET
|
||||
fi
|
||||
|
||||
if [ -f "$__object/parameter/registration-requires-email" ]; then
|
||||
export REGISTRATION_REQUIRES_EMAIL=1
|
||||
fi
|
||||
|
@ -196,14 +209,16 @@ if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
|
|||
fi
|
||||
|
||||
# Federation.
|
||||
DISABLE_FEDERATION=$(get_boolean_for 'disable-federation')
|
||||
ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
|
||||
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
|
||||
LIMIT_REMOTE_ROOM_COMPLEXITY=$(get_boolean_for 'limit-remote-room-complexity')
|
||||
REMOTE_ROOM_COMPLEXITY_TRESHOLD=$(cat "$__object/parameter/remote-room-complexity-treshold")
|
||||
export DISABLE_FEDERATION ALLOW_PUBLIC_ROOMS_OVER_FEDERATION \
|
||||
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH LIMIT_REMOTE_ROOM_COMPLEXITY \
|
||||
REMOTE_ROOM_COMPLEXITY_TRESHOLD
|
||||
export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH \
|
||||
LIMIT_REMOTE_ROOM_COMPLEXITY REMOTE_ROOM_COMPLEXITY_TRESHOLD
|
||||
|
||||
if [ -f "$__object/parameter/disable-federation" ]; then
|
||||
export DISABLE_FEDERATION=1
|
||||
fi
|
||||
|
||||
# Message retention.
|
||||
ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
|
||||
|
@ -290,7 +305,7 @@ esac
|
|||
# backports situation.
|
||||
synapse_req=
|
||||
if [ -n "$apt_target_release" ]; then
|
||||
__package_apt "$synapse_pkg" \
|
||||
require="__apt_source/debian-backports" __package_apt "$synapse_pkg" \
|
||||
--target-release "$apt_target_release"
|
||||
synapse_req="__package_apt/$synapse_pkg"
|
||||
else
|
||||
|
@ -298,7 +313,7 @@ else
|
|||
synapse_req="__package/$synapse_pkg"
|
||||
fi
|
||||
|
||||
if [ "$ENABLE_LDAP_AUTH" = "true" ]; then
|
||||
if [ -n "$ENABLE_LDAP_AUTH" ]; then
|
||||
if [ -n "$apt_target_release" ]; then
|
||||
require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \
|
||||
--target-release "$apt_target_release"
|
||||
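Review bot: The new block tests `$__object/parameter/registration-shared-token` but reads `$__object/parameter/registration-shared-secret`; the parameter this commit registers is `registration-shared-secret`, so the condition is never true and `REGISTRATION_SHARED_SECRET` is never exported. Depending on how the template references it, that either aborts config generation or silently leaves `registration_shared_secret` out of homeserver.yaml, so the shared-secret registration path the operator configured is not actually enabled. The fix is `if [ -f "$__object/parameter/registration-shared-secret" ]; then`. The earlier `if [ -f "$__object/enable-ldap-auth" ]` in the LDAP hunk looks like the same class of slip: it lacks the `parameter/` path component every other parameter test visible in this file uses, so `ENABLE_LDAP_AUTH` would never be set and the later `-n "$ENABLE_LDAP_AUTH"` branch that installs the LDAP auth provider would never run.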
|
|
|
@ -29,3 +29,6 @@ notification-from
|
|||
message-max-lifetime
|
||||
worker-replication-secret
|
||||
background-tasks-worker
|
||||
tls-cert
|
||||
tls-private-key
|
||||
registration-shared-secret
|
||||
|
|
|
@ -2,5 +2,3 @@ server-name
|
|||
base-url
|
||||
database-engine
|
||||
database-name
|
||||
tls-cert
|
||||
tls-private-key
|
||||
|
|