[__matrix_synapse] various configuration fixes

This commit is contained in:
fnux 2021-02-18 11:27:34 +01:00
parent c84831331e
commit e8b0ced1b1
No known key found for this signature in database
GPG key ID: 4502C902C00A1E12
7 changed files with 97 additions and 82 deletions


@ -525,13 +525,19 @@ retention:
# full certificate chain including any intermediate certificates (for # full certificate chain including any intermediate certificates (for
# instance, if using certbot, use \`fullchain.pem\` as your certificate, # instance, if using certbot, use \`fullchain.pem\` as your certificate,
# not \`cert.pem\`). # not \`cert.pem\`).
# EOF
tls_certificate_path: "${TLS_CERTIFICATE_PATH:?}"
if [ -n "$TLS_CERTIFICATE_PATH" ] && [ -n "$TLS_PRIVATE_KEY_PATH" ]; then
cat << EOF
tls_certificate_path: "$TLS_CERTIFICATE_PATH}"
# PEM-encoded private key for TLS # PEM-encoded private key for TLS
# #
tls_private_key_path: "${TLS_PRIVATE_KEY_PATH:?}" tls_private_key_path: "$TLS_PRIVATE_KEY_PATH"
EOF
fi
cat << EOF
# Whether to verify TLS server certificates for outbound federation requests. # Whether to verify TLS server certificates for outbound federation requests.
# #
# Defaults to \`true\`. To disable certificate verification, uncomment the # Defaults to \`true\`. To disable certificate verification, uncomment the
@ -2495,7 +2501,7 @@ push:
# The default value is "true" to include message details. Uncomment to only # The default value is "true" to include message details. Uncomment to only
# include the event ID and room ID in push notification payloads. # include the event ID and room ID in push notification payloads.
# #
#include_content: false include_content: true
# When a push notification is received, an unread count is also sent. # When a push notification is received, an unread count is also sent.
# This number can either be calculated as the number of unread messages # This number can either be calculated as the number of unread messages
@ -2538,7 +2544,7 @@ spam_checker:
# Note that this option will only affect rooms created after it is set. It # Note that this option will only affect rooms created after it is set. It
# will also not affect rooms created by other servers. # will also not affect rooms created by other servers.
# #
encryption_enabled_by_default_for_room_type: "${ROOM_ENCRYPTION_POLICY:?}"j encryption_enabled_by_default_for_room_type: "${ROOM_ENCRYPTION_POLICY:?}"
# Uncomment to allow non-server-admin users to create groups on this server # Uncomment to allow non-server-admin users to create groups on this server
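Review bot: The new `tls_certificate_path: "$TLS_CERTIFICATE_PATH}"` line inside the `if [ -n "$TLS_CERTIFICATE_PATH" ] && [ -n "$TLS_PRIVATE_KEY_PATH" ]` guard of the first hunk carries a stray `}`, so the rendered homeserver.yaml points Synapse at a path ending in a literal `}` and the TLS listener will fail with a file-not-found instead of loading the certificate; it should read `tls_certificate_path: "$TLS_CERTIFICATE_PATH"`. The guard also silently emits no TLS stanza when only one of the two variables is set, which the manifest now permits because it exports each one independently; an `else` branch that checks for exactly one being set and fails with `echo "tls-cert and tls-private-key must be given together" >&2; exit 1` would surface that misconfiguration at generation time rather than at service start. Whether Synapse still tries to bind a TLS listener without these keys depends on listener settings outside this hunk. The surrounding heredoc begins and continues outside the hunk.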


@ -5,6 +5,7 @@ cat << EOF
# THIS FILE HAS BEEN GENERATED BY CDIST. DO NOT EDIT BY HAND. # # THIS FILE HAS BEEN GENERATED BY CDIST. DO NOT EDIT BY HAND. #
############################################################### ###############################################################
# Log configuration for Synapse. # Log configuration for Synapse.
# #
# This is a YAML file containing a standard Python logging configuration # This is a YAML file containing a standard Python logging configuration
@ -15,13 +16,18 @@ cat << EOF
# #
# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema # [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
# [2]: https://github.com/matrix-org/synapse/blob/master/docs/structured_logging.md # [2]: https://github.com/matrix-org/synapse/blob/master/docs/structured_logging.md
#
version: 1 version: 1
formatters: formatters:
precise: precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers: handlers:
file: file:
class: logging.handlers.TimedRotatingFileHandler class: logging.handlers.TimedRotatingFileHandler
@ -29,8 +35,8 @@ handlers:
filename: ${LOG_DIR:?}/homeserver.log filename: ${LOG_DIR:?}/homeserver.log
when: midnight when: midnight
backupCount: 3 # Does not include the current log file. backupCount: 3 # Does not include the current log file.
filters: [context]
encoding: utf8 encoding: utf8
# Default to buffering writes to log file for efficiency. This means that # Default to buffering writes to log file for efficiency. This means that
# will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR # will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
# logs will still be flushed immediately. # logs will still be flushed immediately.
@ -43,37 +49,22 @@ handlers:
# be written to disk. # be written to disk.
capacity: 10 capacity: 10
flushLevel: 30 # Flush for WARNING logs as well flushLevel: 30 # Flush for WARNING logs as well
# A handler that writes logs to stderr. Unused by default, but can be used
# instead of "buffer" and "file" in the logger handlers.
console: console:
class: logging.StreamHandler class: logging.StreamHandler
formatter: precise formatter: precise
level: WARN
loggers: loggers:
synapse:
level: INFO
synapse.storage.SQL: synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive # beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens. # information such as access tokens.
level: INFO level: INFO
twisted: twisted:
# We send the twisted logging directly to the file handler, level: INFO
# to work around https://github.com/matrix-org/synapse/issues/3471
# when using "buffer" logger. Use "console" to log to stderr instead.
handlers: [file]
propagate: false
root: root:
level: INFO level: INFO
handlers: [buffer, console]
# Write logs to the \`buffer\` handler, which will buffer them together in memory,
# then write them to a file.
#
# Replace "buffer" with "console" to log to stderr instead. (Note that you'll
# also need to update the configuration for the \`twisted\` logger above, in
# this case.)
#
handlers: [buffer]
disable_existing_loggers: false
EOF EOF
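Review bot: The comment kept above the `console` handler (`# A handler that writes logs to stderr. Unused by default, but can be used instead of "buffer" and "file" in the logger handlers.`) is now wrong, because the new `root: handlers: [buffer, console]` wires it in by default, so WARNING and above are written both to the buffered file and to stderr. Replace it with something like `# Writes WARNING and above to stderr (journald under systemd) in addition to the buffered file handler used by root.` Two smaller points in the same hunk: `level: WARN` is accepted by Python's logging as an alias, but the canonical level name is `WARNING`; and the filter class path `synapse.util.logcontext.LoggingContextFilter` is the older module location — the current Synapse sample log config uses `synapse.logging.context.LoggingContextFilter`, so confirm the old path still imports on the packaged version, otherwise dictConfig fails at startup and `%(request)s` is never populated.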


@ -6,11 +6,11 @@ init=$(cat "$__global/explorer/init")
case "$os" in case "$os" in
alpine) alpine)
synapse_conf_dir=/etc/synapse synapse_conf_dir=/etc/synapse
synapse_service=matrix-synapse synapse_service=synapse
;; ;;
debian) debian)
synapse_conf_dir=/etc/matrix-synapse synapse_conf_dir=/etc/matrix-synapse
synapse_service=synapse synapse_service=matrix-synapse
;; ;;
*) *)
echo "Unknown OS $os." >&2 echo "Unknown OS $os." >&2
@ -18,10 +18,10 @@ case "$os" in
;; ;;
esac esac
if grep -qE "^__file/$synapse_conf_dir" "${__messages_in}"; then if grep -qE "^__file$synapse_conf_dir" "${__messages_in}"; then
case "$init" in case "$init" in
systemd) systemd)
echo "systemctl try-reload-or-restart $synapse_service" echo "systemctl restart $synapse_service"
;; ;;
initd) initd)
echo "service --ifstopped $synapse_service start" echo "service --ifstopped $synapse_service start"


@ -28,12 +28,6 @@ database-name
Path to database file if SQLite3 is used or database name if PostgresSQL is Path to database file if SQLite3 is used or database name if PostgresSQL is
used. used.
tls-cert
Path to PEM-encoded X509 TLS certificate.
tls-private-key
Path to PEM-encoded TLS private key.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
database-host database-host
@ -69,6 +63,14 @@ ldap-bind-password
ldap-filter ldap-filter
LDAP user filter, defaulting to `(objectClass=posixAccount)`. LDAP user filter, defaulting to `(objectClass=posixAccount)`.
tls-cert
Path to PEM-encoded X509 TLS certificate. Not needed if TLS termination is
handled by a reverse Proxy such as NGINX.
tls-private-key
Path to PEM-encoded TLS private key. Not needed if TLS termination is
handled by a reverse Proxy such as NGINX.
smtp-host smtp-host
The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.


@ -119,9 +119,14 @@ if [ -f "$__object/parameter/enable-server-notices" ]; then
fi fi
# TLS. # TLS.
if [ -f "$__object/parameter/tls-cert" ]; then
TLS_CERTIFICATE_PATH=$(cat "$__object/parameter/tls-cert") TLS_CERTIFICATE_PATH=$(cat "$__object/parameter/tls-cert")
export TLS_CERTIFICATE_PATH
fi
if [ -f "$__object/parameter/tls-private-key" ]; then
TLS_PRIVATE_KEY_PATH=$(cat "$__object/parameter/tls-private-key") TLS_PRIVATE_KEY_PATH=$(cat "$__object/parameter/tls-private-key")
export TLS_PRIVATE_KEY_PATH TLS_CERTIFICATE_PATH export TLS_PRIVATE_KEY_PATH
fi
# Performance flags. # Performance flags.
GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global-cache-factor") GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global-cache-factor")
@ -144,7 +149,11 @@ export DATABASE_ENGINE DATABASE_NAME DATABASE_HOST DATABASE_USER \
DATABASE_PASSWORD DATABASE_PASSWORD
# LDAP-based authentication. # LDAP-based authentication.
if [ -f "$__object/enable-ldap-auth" ]; then
ENABLE_LDAP_AUTH=$(get_boolean_for 'enable-ldap-auth') ENABLE_LDAP_AUTH=$(get_boolean_for 'enable-ldap-auth')
export ENABLE_LDAP_AUTH
fi
LDAP_FILTER=$(cat "$__object/parameter/ldap-filter") LDAP_FILTER=$(cat "$__object/parameter/ldap-filter")
LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap-uid-attribute") LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap-uid-attribute")
LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap-mail-attribute") LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap-mail-attribute")
@ -154,9 +163,8 @@ LDAP_BASE_DN=$(cat "$__object/parameter/ldap-base-dn")
LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn") LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn")
LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password") LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
LDAP_USE_STARTTLS=$(get_boolean_for 'ldap-use-starttls') LDAP_USE_STARTTLS=$(get_boolean_for 'ldap-use-starttls')
export ENABLE_LDAP_AUTH LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE \ export LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE LDAP_NAME_ATTRIBUTE \
LDAP_NAME_ATTRIBUTE LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD \ LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD LDAP_USE_STARTTLS
LDAP_USE_STARTTLS
# Outgoing emails (= notifications). # Outgoing emails (= notifications).
ENABLE_NOTIFICATIONS=$(get_boolean_for 'enable-notifications') ENABLE_NOTIFICATIONS=$(get_boolean_for 'enable-notifications')
@ -181,6 +189,11 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users') USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
if [ -f "$__object/parameter/registration-shared-token" ]; then
REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
export REGISTRATION_SHARED_SECRET
fi
if [ -f "$__object/parameter/registration-requires-email" ]; then if [ -f "$__object/parameter/registration-requires-email" ]; then
export REGISTRATION_REQUIRES_EMAIL=1 export REGISTRATION_REQUIRES_EMAIL=1
fi fi
@ -196,14 +209,16 @@ if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
fi fi
# Federation. # Federation.
DISABLE_FEDERATION=$(get_boolean_for 'disable-federation')
ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation') ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth') ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
LIMIT_REMOTE_ROOM_COMPLEXITY=$(get_boolean_for 'limit-remote-room-complexity') LIMIT_REMOTE_ROOM_COMPLEXITY=$(get_boolean_for 'limit-remote-room-complexity')
REMOTE_ROOM_COMPLEXITY_TRESHOLD=$(cat "$__object/parameter/remote-room-complexity-treshold") REMOTE_ROOM_COMPLEXITY_TRESHOLD=$(cat "$__object/parameter/remote-room-complexity-treshold")
export DISABLE_FEDERATION ALLOW_PUBLIC_ROOMS_OVER_FEDERATION \ export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH \
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH LIMIT_REMOTE_ROOM_COMPLEXITY \ LIMIT_REMOTE_ROOM_COMPLEXITY REMOTE_ROOM_COMPLEXITY_TRESHOLD
REMOTE_ROOM_COMPLEXITY_TRESHOLD
if [ -f "$__object/parameter/disable-federation" ]; then
export DISABLE_FEDERATION=1
fi
# Message retention. # Message retention.
ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy') ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
@ -290,7 +305,7 @@ esac
# backports situation. # backports situation.
synapse_req= synapse_req=
if [ -n "$apt_target_release" ]; then if [ -n "$apt_target_release" ]; then
__package_apt "$synapse_pkg" \ require="__apt_source/debian-backports" __package_apt "$synapse_pkg" \
--target-release "$apt_target_release" --target-release "$apt_target_release"
synapse_req="__package_apt/$synapse_pkg" synapse_req="__package_apt/$synapse_pkg"
else else
@ -298,7 +313,7 @@ else
synapse_req="__package/$synapse_pkg" synapse_req="__package/$synapse_pkg"
fi fi
if [ "$ENABLE_LDAP_AUTH" = "true" ]; then if [ -n "$ENABLE_LDAP_AUTH" ]; then
if [ -n "$apt_target_release" ]; then if [ -n "$apt_target_release" ]; then
require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \ require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \
--target-release "$apt_target_release" --target-release "$apt_target_release"
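Review bot: Two of the new parameter guards test a path that can never exist, so their exports are dead code: `if [ -f "$__object/enable-ldap-auth" ]` lacks the `parameter/` component every other check in this file uses, and `if [ -f "$__object/parameter/registration-shared-token" ]` names a parameter that is not declared — the optional-parameter list and the `cat` inside the block both use `registration-shared-secret`. As written ENABLE_LDAP_AUTH is never exported, so the later `if [ -n "$ENABLE_LDAP_AUTH" ]` never installs the LDAP auth provider package, and REGISTRATION_SHARED_SECRET is never exported, so the generated homeserver.yaml presumably never receives the secret even though the parameter was given. The fixes are `if [ -f "$__object/parameter/enable-ldap-auth" ]; then` and `if [ -f "$__object/parameter/registration-shared-secret" ]; then`. The `require="__apt_source/debian-backports"` added in the package hunk assumes that object is declared elsewhere in the manifest, which is outside this view.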


@ -29,3 +29,6 @@ notification-from
message-max-lifetime message-max-lifetime
worker-replication-secret worker-replication-secret
background-tasks-worker background-tasks-worker
tls-cert
tls-private-key
registration-shared-secret


@ -2,5 +2,3 @@ server-name
base-url base-url
database-engine database-engine
database-name database-name
tls-cert
tls-private-key