From e8b0ced1b1d5eb6e444df95bea78f3230fdfe8f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Thu, 18 Feb 2021 11:27:34 +0100
Subject: [PATCH] [__matrix_synapse] various configuration fixes

---
 .../__matrix_synapse/files/homeserver.yaml.sh | 16 +++-
 type/__matrix_synapse/files/log.config.sh | 95 +++++++++----------
 type/__matrix_synapse/gencode-remote | 8 +-
 type/__matrix_synapse/man.rst | 14 +--
 type/__matrix_synapse/manifest | 41 +++++---
 type/__matrix_synapse/parameter/optional | 3 +
 type/__matrix_synapse/parameter/required | 2 -
 7 files changed, 97 insertions(+), 82 deletions(-)

diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh
index ad81569..6ee035c 100755
--- a/type/__matrix_synapse/files/homeserver.yaml.sh
+++ b/type/__matrix_synapse/files/homeserver.yaml.sh
@@ -525,13 +525,19 @@ retention:
 # full certificate chain including any intermediate certificates (for
 # instance, if using certbot, use \`fullchain.pem\` as your certificate,
 # not \`cert.pem\`).
-#
-tls_certificate_path: "${TLS_CERTIFICATE_PATH:?}"
+EOF
+
+if [ -n "$TLS_CERTIFICATE_PATH" ] && [ -n "$TLS_PRIVATE_KEY_PATH" ]; then
+ cat << EOF
+tls_certificate_path: "$TLS_CERTIFICATE_PATH}"
 
 # PEM-encoded private key for TLS
 #
-tls_private_key_path: "${TLS_PRIVATE_KEY_PATH:?}"
+tls_private_key_path: "$TLS_PRIVATE_KEY_PATH"
+EOF
+fi
 
+cat << EOF
 # Whether to verify TLS server certificates for outbound federation requests.
 #
 # Defaults to \`true\`. To disable certificate verification, uncomment the
@@ -2495,7 +2501,7 @@ push:
 # The default value is "true" to include message details. Uncomment to only
 # include the event ID and room ID in push notification payloads.
 #
-#include_content: false
+include_content: true
 
 # When a push notification is received, an unread count is also sent.
 # This number can either be calculated as the number of unread messages
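Review bot: The new `tls_certificate_path` line is malformed: `"$TLS_CERTIFICATE_PATH}"` drops the `${` but keeps the closing brace, so the generated homeserver.yaml points Synapse at `<path>}`, a file that does not exist, and TLS-enabled deployments will fail to start; it should be `tls_certificate_path: "$TLS_CERTIFICATE_PATH"`, matching the `tls_private_key_path` line below it. The `&&` guard also means that when only one of the two variables is exported the whole TLS stanza is silently omitted instead of failing, which is exactly the situation the relaxed manifest now allows; a loud failure is preferable, e.g. `elif [ -n "$TLS_CERTIFICATE_PATH$TLS_PRIVATE_KEY_PATH" ]; then echo "tls-cert and tls-private-key must be given together" >&2; exit 1`. Note that the `cat << EOF` the first added `EOF` closes is opened before this hunk, outside the visible lines.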
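Review bot: `include_content: true` is now written unconditionally, which means the push gateway receives message bodies rather than just event and room IDs, as the comment two lines above explains; in a generated config that operators cannot edit by hand, that privacy choice deserves to be stated. The value reproduces the upstream default described in the same comment, so behaviour does not change, but a one-line comment such as `# Kept at the upstream default: push payloads include message content.` would make the decision explicit, and exposing it as a boolean parameter of the type would let deployments opt out.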
@@ -2538,7 +2544,7 @@ spam_checker:
 # Note that this option will only affect rooms created after it is set. It
 # will also not affect rooms created by other servers.
 #
-encryption_enabled_by_default_for_room_type: "${ROOM_ENCRYPTION_POLICY:?}"j
+encryption_enabled_by_default_for_room_type: "${ROOM_ENCRYPTION_POLICY:?}"
 
 
 # Uncomment to allow non-server-admin users to create groups on this server
diff --git a/type/__matrix_synapse/files/log.config.sh b/type/__matrix_synapse/files/log.config.sh
index 5eaf594..42502ec 100755
--- a/type/__matrix_synapse/files/log.config.sh
+++ b/type/__matrix_synapse/files/log.config.sh
@@ -5,6 +5,7 @@ cat << EOF
 # THIS FILE HAS BEEN GENERATED BY CDIST. DO NOT EDIT BY HAND.
 #
 ###############################################################
+
 # Log configuration for Synapse.
 #
 # This is a YAML file containing a standard Python logging configuration
@@ -15,65 +16,55 @@ cat << EOF
 #
 # [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
 # [2]: https://github.com/matrix-org/synapse/blob/master/docs/structured_logging.md
-
+#
 version: 1
 
 formatters:
- precise:
- format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
+
+filters:
+ context:
+ (): synapse.util.logcontext.LoggingContextFilter
+ request: ""
 
 handlers:
- file:
- class: logging.handlers.TimedRotatingFileHandler
- formatter: precise
- filename: ${LOG_DIR:?}/homeserver.log
- when: midnight
- backupCount: 3 # Does not include the current log file.
- encoding: utf8
-
- # Default to buffering writes to log file for efficiency. This means that
- # will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
- # logs will still be flushed immediately.
- buffer:
- class: logging.handlers.MemoryHandler
- target: file
- # The capacity is the number of log lines that are buffered before
- # being written to disk. Increasing this will lead to better
- # performance, at the expensive of it taking longer for log lines to
- # be written to disk.
- capacity: 10
- flushLevel: 30 # Flush for WARNING logs as well
-
- # A handler that writes logs to stderr. Unused by default, but can be used
- # instead of "buffer" and "file" in the logger handlers.
- console:
- class: logging.StreamHandler
- formatter: precise
+ file:
+ class: logging.handlers.TimedRotatingFileHandler
+ formatter: precise
+ filename: ${LOG_DIR:?}/homeserver.log
+ when: midnight
+ backupCount: 3 # Does not include the current log file.
+ filters: [context]
+ encoding: utf8
+ # Default to buffering writes to log file for efficiency. This means that
+ # will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
+ # logs will still be flushed immediately.
+ buffer:
+ class: logging.handlers.MemoryHandler
+ target: file
+ # The capacity is the number of log lines that are buffered before
+ # being written to disk. Increasing this will lead to better
+ # performance, at the expensive of it taking longer for log lines to
+ # be written to disk.
+ capacity: 10
+ flushLevel: 30 # Flush for WARNING logs as well
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+ level: WARN
 
 loggers:
- synapse.storage.SQL:
- # beware: increasing this to DEBUG will make synapse log sensitive
- # information such as access tokens.
- level: INFO
-
- twisted:
- # We send the twisted logging directly to the file handler,
- # to work around https://github.com/matrix-org/synapse/issues/3471
- # when using "buffer" logger. Use "console" to log to stderr instead.
- handlers: [file]
- propagate: false
-
-root:
+ synapse:
+ level: INFO
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
+ twisted:
 level: INFO
 
- # Write logs to the \`buffer\` handler, which will buffer them together in memory,
- # then write them to a file.
- #
- # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
- # also need to update the configuration for the \`twisted\` logger above, in
- # this case.)
- #
- handlers: [buffer]
-
-disable_existing_loggers: false
+root:
+ level: INFO
+ handlers: [buffer, console]
 EOF
diff --git a/type/__matrix_synapse/gencode-remote b/type/__matrix_synapse/gencode-remote
index 65ff56c..cf7c648 100755
--- a/type/__matrix_synapse/gencode-remote
+++ b/type/__matrix_synapse/gencode-remote
@@ -6,11 +6,11 @@ init=$(cat "$__global/explorer/init")
 case "$os" in
 alpine)
 synapse_conf_dir=/etc/synapse
- synapse_service=matrix-synapse
+ synapse_service=synapse
 ;;
 debian)
 synapse_conf_dir=/etc/matrix-synapse
- synapse_service=synapse
+ synapse_service=matrix-synapse
 ;;
 *)
 echo "Unknown OS $os." >&2
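Review bot: The rewritten file no longer ends with `disable_existing_loggers: false`; `logging.config.dictConfig` defaults that key to true, so any logger created before this config is applied and not named here (or a child of a named logger) is disabled, silently losing its output. Add `disable_existing_loggers: false` back after the new `root:` block. Two smaller things in the same hunk: the `precise` format lost the space before the last dash (`%(request)s- %(message)s`), and the `console` handler has no `filters: [context]` while its formatter references `%(request)s` — whether that breaks depends on whether the Synapse version in use installs LoggingContextFilter itself, which is worth confirming. The removed `twisted` logger comment documented a deliberate workaround (synapse issue 3471) for the buffer handler; the new `twisted` logger now propagates to root's `buffer` handler, so either the workaround is obsolete for the targeted version or the comment should be restored along with `handlers: [file]` and `propagate: false`.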
@@ -18,10 +18,10 @@ case "$os" in ;; esac -if grep -qE "^__file/$synapse_conf_dir" "${__messages_in}"; then +if grep -qE "^__file$synapse_conf_dir" "${__messages_in}"; then case "$init" in systemd) - echo "systemctl try-reload-or-restart $synapse_service" + echo "systemctl restart $synapse_service" ;; initd) echo "service --ifstopped $synapse_service start" diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst index a0e9b03..81b07c7 100644 --- a/type/__matrix_synapse/man.rst +++ b/type/__matrix_synapse/man.rst @@ -28,12 +28,6 @@ database-name Path to database file if SQLite3 is used or database name if PostgresSQL is used. -tls-cert - Path to PEM-encoded X509 TLS certificate. - -tls-private-key - Path to PEM-encoded TLS private key. - OPTIONAL PARAMETERS ------------------- database-host @@ -69,6 +63,14 @@ ldap-bind-password ldap-filter LDAP user filter, defaulting to `(objectClass=posixAccount)`. +tls-cert + Path to PEM-encoded X509 TLS certificate. Not needed if TLS termination is + handled by a reverse Proxy such as NGINX. + +tls-private-key + Path to PEM-encoded TLS private key. Not needed if TLS termination is + handled by a reverse Proxy such as NGINX. + smtp-host The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 1795b76..84592cd 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
@@ -119,9 +119,14 @@ if [ -f "$__object/parameter/enable-server-notices" ]; then
 fi
 
 # TLS.
-TLS_CERTIFICATE_PATH=$(cat "$__object/parameter/tls-cert")
-TLS_PRIVATE_KEY_PATH=$(cat "$__object/parameter/tls-private-key")
-export TLS_PRIVATE_KEY_PATH TLS_CERTIFICATE_PATH
+if [ -f "$__object/parameter/tls-cert" ]; then
+ TLS_CERTIFICATE_PATH=$(cat "$__object/parameter/tls-cert")
+ export TLS_CERTIFICATE_PATH
+fi
+if [ -f "$__object/parameter/tls-private-key" ]; then
+ TLS_PRIVATE_KEY_PATH=$(cat "$__object/parameter/tls-private-key")
+ export TLS_PRIVATE_KEY_PATH
+fi
 
 # Performance flags.
 GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global-cache-factor")
@@ -144,7 +149,11 @@ export DATABASE_ENGINE DATABASE_NAME DATABASE_HOST DATABASE_USER \
 DATABASE_PASSWORD
 
 # LDAP-based authentication.
-ENABLE_LDAP_AUTH=$(get_boolean_for 'enable-ldap-auth')
+if [ -f "$__object/enable-ldap-auth" ]; then
+ ENABLE_LDAP_AUTH=$(get_boolean_for 'enable-ldap-auth')
+ export ENABLE_LDAP_AUTH
+fi
+
 LDAP_FILTER=$(cat "$__object/parameter/ldap-filter")
 LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap-uid-attribute")
 LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap-mail-attribute")
@@ -154,9 +163,8 @@ LDAP_BASE_DN=$(cat "$__object/parameter/ldap-base-dn")
 LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn")
 LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
 LDAP_USE_STARTTLS=$(get_boolean_for 'ldap-use-starttls')
-export ENABLE_LDAP_AUTH LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE \
- LDAP_NAME_ATTRIBUTE LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD \
- LDAP_USE_STARTTLS
+export LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE LDAP_NAME_ATTRIBUTE \
+ LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD LDAP_USE_STARTTLS
 
 # Outgoing emails (= notifications).
 ENABLE_NOTIFICATIONS=$(get_boolean_for 'enable-notifications')
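Review bot: `tls-cert` and `tls-private-key` are accepted independently here, but nothing checks that they arrive as a pair; a certificate without a key (or the reverse) passes the manifest and is then dropped by the template's `&&` guard, so the homeserver comes up without the TLS listener the operator configured and no error is ever printed. Reject the half-configured case right after the two `if` blocks, before anything is rendered. A short comment above the block, `# Both are optional (TLS may be terminated by a reverse proxy), but they must be given together.`, would document the intent.
```shell
# … unchanged: per-parameter TLS_CERTIFICATE_PATH / TLS_PRIVATE_KEY_PATH exports …
if { [ -n "$TLS_CERTIFICATE_PATH" ] && [ -z "$TLS_PRIVATE_KEY_PATH" ]; } \
   || { [ -z "$TLS_CERTIFICATE_PATH" ] && [ -n "$TLS_PRIVATE_KEY_PATH" ]; }; then
    echo "tls-cert and tls-private-key must be given together." >&2
    exit 1
fi
```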
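Review bot: The guard tests `$__object/enable-ldap-auth`, but cdist places parameters under `$__object/parameter/`, as every other check in this manifest does (`$__object/parameter/tls-cert`, `$__object/parameter/registration-requires-email`); this condition is therefore never true, `ENABLE_LDAP_AUTH` is never exported, and the later `[ -n "$ENABLE_LDAP_AUTH" ]` test that installs the LDAP auth provider package can never fire. It should read `if [ -f "$__object/parameter/enable-ldap-auth" ]; then`. With the path fixed, `get_boolean_for` is only consulted when the flag file exists, so exporting a fixed `ENABLE_LDAP_AUTH=1`, as the `disable-federation` hunk does, would keep the two presence-style flags consistent.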
@@ -181,6 +189,11 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
 USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
 export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
 
+if [ -f "$__object/parameter/registration-shared-token" ]; then
+ REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
+ export REGISTRATION_SHARED_SECRET
+fi
+
 if [ -f "$__object/parameter/registration-requires-email" ]; then
 export REGISTRATION_REQUIRES_EMAIL=1
 fi
@@ -196,14 +209,16 @@ if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
 fi
 
 # Federation.
-DISABLE_FEDERATION=$(get_boolean_for 'disable-federation')
 ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
 ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
 LIMIT_REMOTE_ROOM_COMPLEXITY=$(get_boolean_for 'limit-remote-room-complexity')
 REMOTE_ROOM_COMPLEXITY_TRESHOLD=$(cat "$__object/parameter/remote-room-complexity-treshold")
-export DISABLE_FEDERATION ALLOW_PUBLIC_ROOMS_OVER_FEDERATION \
- ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH LIMIT_REMOTE_ROOM_COMPLEXITY \
- REMOTE_ROOM_COMPLEXITY_TRESHOLD
+export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH \
+ LIMIT_REMOTE_ROOM_COMPLEXITY REMOTE_ROOM_COMPLEXITY_TRESHOLD
+
+if [ -f "$__object/parameter/disable-federation" ]; then
+ export DISABLE_FEDERATION=1
+fi
 
 # Message retention.
 ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
@@ -290,7 +305,7 @@ esac
 # backports situation.
 synapse_req=
 if [ -n "$apt_target_release" ]; then
- __package_apt "$synapse_pkg" \
+ require="__apt_source/debian-backports" __package_apt "$synapse_pkg" \
 --target-release "$apt_target_release"
 synapse_req="__package_apt/$synapse_pkg"
 else
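Review bot: The test looks for a parameter file named `registration-shared-token` while the body reads `registration-shared-secret`, and only the latter is declared in `parameter/optional` in this patch, so the condition is never true and `REGISTRATION_SHARED_SECRET` is never exported to the template. The test should be `if [ -f "$__object/parameter/registration-shared-secret" ]; then`. Presumably this feeds Synapse's `registration_shared_secret`, which lets anyone holding it create accounts regardless of the registration settings exported just above; once the guard works, the value travels through the environment like `LDAP_BIND_PASSWORD`, so keep it out of any debugging output added to these scripts.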
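Review bot: `DISABLE_FEDERATION` switches from a `get_boolean_for` string to `1` exported only when the parameter is present, but the consumer in homeserver.yaml.sh is outside this patch; if the template still compares the variable against `"true"`, federation can no longer be disabled at all. Confirm that the template's test became a presence check (`[ -n "$DISABLE_FEDERATION" ]`) in the same change, and record the convention here with `# Exported only when the flag is given; the template tests for presence, not for "true".` The manifest now mixes both boolean conventions (`ALLOW_PUBLIC_ROOMS_OVER_FEDERATION` a few lines up is still a `get_boolean_for` value), which is worth a sentence near `get_boolean_for` explaining which style applies to which flag.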
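Review bot: The new `require="__apt_source/debian-backports"` makes the Synapse package install depend on a cdist object this patch does not create; unless `__apt_source debian-backports` is declared elsewhere in the manifest (the code that sets `apt_target_release` is above the hunk and not visible), cdist will abort on Debian targets with an unresolved dependency. If it is declared elsewhere, a comment on this line naming where, e.g. `# __apt_source/debian-backports is created above when a backports target release is selected`, would help the next reader; the `else` branch of this `if` continues beyond the hunk.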
@@ -298,7 +313,7 @@ else
 synapse_req="__package/$synapse_pkg"
 fi
 
-if [ "$ENABLE_LDAP_AUTH" = "true" ]; then
+if [ -n "$ENABLE_LDAP_AUTH" ]; then
 if [ -n "$apt_target_release" ]; then
 require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \
 --target-release "$apt_target_release"
diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional
index 16d1dd4..2f0bce4 100644
--- a/type/__matrix_synapse/parameter/optional
+++ b/type/__matrix_synapse/parameter/optional
@@ -29,3 +29,6 @@ notification-from
 message-max-lifetime
 worker-replication-secret
 background-tasks-worker
+tls-cert
+tls-private-key
+registration-shared-secret
diff --git a/type/__matrix_synapse/parameter/required b/type/__matrix_synapse/parameter/required
index 344ae4c..f9ebcb3 100644
--- a/type/__matrix_synapse/parameter/required
+++ b/type/__matrix_synapse/parameter/required
@@ -2,5 +2,3 @@ server-name
 base-url
 database-engine
 database-name
-tls-cert
-tls-private-key
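Review bot: `[ -n "$ENABLE_LDAP_AUTH" ]` treats any non-empty value as enabled, including a literal `false` if `get_boolean_for` ever returns one; that is only safe because the variable is now exported solely inside the manifest's `enable-ldap-auth` guard, and as written that guard tests `$__object/enable-ldap-auth` (missing `parameter/`), so in practice this branch never runs and the LDAP auth provider package is never installed. Either keep the `= "true"` comparison here, or fix the guard's path and export a fixed `ENABLE_LDAP_AUTH=1` so that presence is the only signal, matching `DISABLE_FEDERATION=1` elsewhere in this patch. The `if` body continues past the end of the hunk.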