[__matrix_synapse] various configuration fixes

This commit is contained in:
fnux 2021-02-18 11:27:34 +01:00
parent c84831331e
commit e8b0ced1b1
No known key found for this signature in database
GPG key ID: 4502C902C00A1E12
7 changed files with 97 additions and 82 deletions

View file

@ -525,13 +525,19 @@ retention:
# full certificate chain including any intermediate certificates (for
# instance, if using certbot, use \`fullchain.pem\` as your certificate,
# not \`cert.pem\`).
#
tls_certificate_path: "${TLS_CERTIFICATE_PATH:?}"
EOF
if [ -n "$TLS_CERTIFICATE_PATH" ] && [ -n "$TLS_PRIVATE_KEY_PATH" ]; then
cat << EOF
tls_certificate_path: "$TLS_CERTIFICATE_PATH}"
# PEM-encoded private key for TLS
#
tls_private_key_path: "${TLS_PRIVATE_KEY_PATH:?}"
tls_private_key_path: "$TLS_PRIVATE_KEY_PATH"
EOF
fi
cat << EOF
# Whether to verify TLS server certificates for outbound federation requests.
#
# Defaults to \`true\`. To disable certificate verification, uncomment the
@ -2495,7 +2501,7 @@ push:
# The default value is "true" to include message details. Uncomment to only
# include the event ID and room ID in push notification payloads.
#
#include_content: false
include_content: true
# When a push notification is received, an unread count is also sent.
# This number can either be calculated as the number of unread messages
@ -2538,7 +2544,7 @@ spam_checker:
# Note that this option will only affect rooms created after it is set. It
# will also not affect rooms created by other servers.
#
encryption_enabled_by_default_for_room_type: "${ROOM_ENCRYPTION_POLICY:?}"j
encryption_enabled_by_default_for_room_type: "${ROOM_ENCRYPTION_POLICY:?}"
# Uncomment to allow non-server-admin users to create groups on this server

View file

@ -5,6 +5,7 @@ cat << EOF
# THIS FILE HAS BEEN GENERATED BY CDIST. DO NOT EDIT BY HAND. #
###############################################################
# Log configuration for Synapse.
#
# This is a YAML file containing a standard Python logging configuration
@ -15,13 +16,18 @@ cat << EOF
#
# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
# [2]: https://github.com/matrix-org/synapse/blob/master/docs/structured_logging.md
#
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
file:
class: logging.handlers.TimedRotatingFileHandler
@ -29,8 +35,8 @@ handlers:
filename: ${LOG_DIR:?}/homeserver.log
when: midnight
backupCount: 3 # Does not include the current log file.
filters: [context]
encoding: utf8
# Default to buffering writes to log file for efficiency. This means that
# will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
# logs will still be flushed immediately.
@ -43,37 +49,22 @@ handlers:
# be written to disk.
capacity: 10
flushLevel: 30 # Flush for WARNING logs as well
# A handler that writes logs to stderr. Unused by default, but can be used
# instead of "buffer" and "file" in the logger handlers.
console:
class: logging.StreamHandler
formatter: precise
level: WARN
loggers:
synapse:
level: INFO
synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens.
level: INFO
twisted:
# We send the twisted logging directly to the file handler,
# to work around https://github.com/matrix-org/synapse/issues/3471
# when using "buffer" logger. Use "console" to log to stderr instead.
handlers: [file]
propagate: false
level: INFO
root:
level: INFO
# Write logs to the \`buffer\` handler, which will buffer them together in memory,
# then write them to a file.
#
# Replace "buffer" with "console" to log to stderr instead. (Note that you'll
# also need to update the configuration for the \`twisted\` logger above, in
# this case.)
#
handlers: [buffer]
disable_existing_loggers: false
handlers: [buffer, console]
EOF

View file

@ -6,11 +6,11 @@ init=$(cat "$__global/explorer/init")
case "$os" in
alpine)
synapse_conf_dir=/etc/synapse
synapse_service=matrix-synapse
synapse_service=synapse
;;
debian)
synapse_conf_dir=/etc/matrix-synapse
synapse_service=synapse
synapse_service=matrix-synapse
;;
*)
echo "Unknown OS $os." >&2
@ -18,10 +18,10 @@ case "$os" in
;;
esac
if grep -qE "^__file/$synapse_conf_dir" "${__messages_in}"; then
if grep -qE "^__file$synapse_conf_dir" "${__messages_in}"; then
case "$init" in
systemd)
echo "systemctl try-reload-or-restart $synapse_service"
echo "systemctl restart $synapse_service"
;;
initd)
echo "service --ifstopped $synapse_service start"

View file

@ -28,12 +28,6 @@ database-name
Path to database file if SQLite3 is used or database name if PostgresSQL is
used.
tls-cert
Path to PEM-encoded X509 TLS certificate.
tls-private-key
Path to PEM-encoded TLS private key.
OPTIONAL PARAMETERS
-------------------
database-host
@ -69,6 +63,14 @@ ldap-bind-password
ldap-filter
LDAP user filter, defaulting to `(objectClass=posixAccount)`.
tls-cert
Path to PEM-encoded X509 TLS certificate. Not needed if TLS termination is
handled by a reverse Proxy such as NGINX.
tls-private-key
Path to PEM-encoded TLS private key. Not needed if TLS termination is
handled by a reverse Proxy such as NGINX.
smtp-host
The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.

View file

@ -119,9 +119,14 @@ if [ -f "$__object/parameter/enable-server-notices" ]; then
fi
# TLS.
if [ -f "$__object/parameter/tls-cert" ]; then
TLS_CERTIFICATE_PATH=$(cat "$__object/parameter/tls-cert")
export TLS_CERTIFICATE_PATH
fi
if [ -f "$__object/parameter/tls-private-key" ]; then
TLS_PRIVATE_KEY_PATH=$(cat "$__object/parameter/tls-private-key")
export TLS_PRIVATE_KEY_PATH TLS_CERTIFICATE_PATH
export TLS_PRIVATE_KEY_PATH
fi
# Performance flags.
GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global-cache-factor")
@ -144,7 +149,11 @@ export DATABASE_ENGINE DATABASE_NAME DATABASE_HOST DATABASE_USER \
DATABASE_PASSWORD
# LDAP-based authentication.
if [ -f "$__object/enable-ldap-auth" ]; then
ENABLE_LDAP_AUTH=$(get_boolean_for 'enable-ldap-auth')
export ENABLE_LDAP_AUTH
fi
LDAP_FILTER=$(cat "$__object/parameter/ldap-filter")
LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap-uid-attribute")
LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap-mail-attribute")
@ -154,9 +163,8 @@ LDAP_BASE_DN=$(cat "$__object/parameter/ldap-base-dn")
LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn")
LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
LDAP_USE_STARTTLS=$(get_boolean_for 'ldap-use-starttls')
export ENABLE_LDAP_AUTH LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE \
LDAP_NAME_ATTRIBUTE LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD \
LDAP_USE_STARTTLS
export LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE LDAP_NAME_ATTRIBUTE \
LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD LDAP_USE_STARTTLS
# Outgoing emails (= notifications).
ENABLE_NOTIFICATIONS=$(get_boolean_for 'enable-notifications')
@ -181,6 +189,11 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
if [ -f "$__object/parameter/registration-shared-token" ]; then
REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
export REGISTRATION_SHARED_SECRET
fi
if [ -f "$__object/parameter/registration-requires-email" ]; then
export REGISTRATION_REQUIRES_EMAIL=1
fi
@ -196,14 +209,16 @@ if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
fi
# Federation.
DISABLE_FEDERATION=$(get_boolean_for 'disable-federation')
ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
LIMIT_REMOTE_ROOM_COMPLEXITY=$(get_boolean_for 'limit-remote-room-complexity')
REMOTE_ROOM_COMPLEXITY_TRESHOLD=$(cat "$__object/parameter/remote-room-complexity-treshold")
export DISABLE_FEDERATION ALLOW_PUBLIC_ROOMS_OVER_FEDERATION \
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH LIMIT_REMOTE_ROOM_COMPLEXITY \
REMOTE_ROOM_COMPLEXITY_TRESHOLD
export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH \
LIMIT_REMOTE_ROOM_COMPLEXITY REMOTE_ROOM_COMPLEXITY_TRESHOLD
if [ -f "$__object/parameter/disable-federation" ]; then
export DISABLE_FEDERATION=1
fi
# Message retention.
ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
@ -290,7 +305,7 @@ esac
# backports situation.
synapse_req=
if [ -n "$apt_target_release" ]; then
__package_apt "$synapse_pkg" \
require="__apt_source/debian-backports" __package_apt "$synapse_pkg" \
--target-release "$apt_target_release"
synapse_req="__package_apt/$synapse_pkg"
else
@ -298,7 +313,7 @@ else
synapse_req="__package/$synapse_pkg"
fi
if [ "$ENABLE_LDAP_AUTH" = "true" ]; then
if [ -n "$ENABLE_LDAP_AUTH" ]; then
if [ -n "$apt_target_release" ]; then
require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \
--target-release "$apt_target_release"

View file

@ -29,3 +29,6 @@ notification-from
message-max-lifetime
worker-replication-secret
background-tasks-worker
tls-cert
tls-private-key
registration-shared-secret

View file

@ -2,5 +2,3 @@ server-name
base-url
database-engine
database-name
tls-cert
tls-private-key