[__matrix_synapse] various configuration fixes
This commit is contained in:
parent
c84831331e
commit
e8b0ced1b1
7 changed files with 97 additions and 82 deletions
|
@ -525,13 +525,19 @@ retention:
|
||||||
# full certificate chain including any intermediate certificates (for
|
# full certificate chain including any intermediate certificates (for
|
||||||
# instance, if using certbot, use \`fullchain.pem\` as your certificate,
|
# instance, if using certbot, use \`fullchain.pem\` as your certificate,
|
||||||
# not \`cert.pem\`).
|
# not \`cert.pem\`).
|
||||||
#
|
EOF
|
||||||
tls_certificate_path: "${TLS_CERTIFICATE_PATH:?}"
|
|
||||||
|
if [ -n "$TLS_CERTIFICATE_PATH" ] && [ -n "$TLS_PRIVATE_KEY_PATH" ]; then
|
||||||
|
cat << EOF
|
||||||
|
tls_certificate_path: "$TLS_CERTIFICATE_PATH}"
|
||||||
|
|
||||||
# PEM-encoded private key for TLS
|
# PEM-encoded private key for TLS
|
||||||
#
|
#
|
||||||
tls_private_key_path: "${TLS_PRIVATE_KEY_PATH:?}"
|
tls_private_key_path: "$TLS_PRIVATE_KEY_PATH"
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat << EOF
|
||||||
# Whether to verify TLS server certificates for outbound federation requests.
|
# Whether to verify TLS server certificates for outbound federation requests.
|
||||||
#
|
#
|
||||||
# Defaults to \`true\`. To disable certificate verification, uncomment the
|
# Defaults to \`true\`. To disable certificate verification, uncomment the
|
||||||
|
@ -2495,7 +2501,7 @@ push:
|
||||||
# The default value is "true" to include message details. Uncomment to only
|
# The default value is "true" to include message details. Uncomment to only
|
||||||
# include the event ID and room ID in push notification payloads.
|
# include the event ID and room ID in push notification payloads.
|
||||||
#
|
#
|
||||||
#include_content: false
|
include_content: true
|
||||||
|
|
||||||
# When a push notification is received, an unread count is also sent.
|
# When a push notification is received, an unread count is also sent.
|
||||||
# This number can either be calculated as the number of unread messages
|
# This number can either be calculated as the number of unread messages
|
||||||
|
@ -2538,7 +2544,7 @@ spam_checker:
|
||||||
# Note that this option will only affect rooms created after it is set. It
|
# Note that this option will only affect rooms created after it is set. It
|
||||||
# will also not affect rooms created by other servers.
|
# will also not affect rooms created by other servers.
|
||||||
#
|
#
|
||||||
encryption_enabled_by_default_for_room_type: "${ROOM_ENCRYPTION_POLICY:?}"j
|
encryption_enabled_by_default_for_room_type: "${ROOM_ENCRYPTION_POLICY:?}"
|
||||||
|
|
||||||
|
|
||||||
# Uncomment to allow non-server-admin users to create groups on this server
|
# Uncomment to allow non-server-admin users to create groups on this server
|
||||||
|
|
|
@ -5,6 +5,7 @@ cat << EOF
|
||||||
# THIS FILE HAS BEEN GENERATED BY CDIST. DO NOT EDIT BY HAND. #
|
# THIS FILE HAS BEEN GENERATED BY CDIST. DO NOT EDIT BY HAND. #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
|
|
||||||
# Log configuration for Synapse.
|
# Log configuration for Synapse.
|
||||||
#
|
#
|
||||||
# This is a YAML file containing a standard Python logging configuration
|
# This is a YAML file containing a standard Python logging configuration
|
||||||
|
@ -15,13 +16,18 @@ cat << EOF
|
||||||
#
|
#
|
||||||
# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
|
# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
|
||||||
# [2]: https://github.com/matrix-org/synapse/blob/master/docs/structured_logging.md
|
# [2]: https://github.com/matrix-org/synapse/blob/master/docs/structured_logging.md
|
||||||
|
#
|
||||||
version: 1
|
version: 1
|
||||||
|
|
||||||
formatters:
|
formatters:
|
||||||
precise:
|
precise:
|
||||||
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
|
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
|
||||||
|
|
||||||
|
filters:
|
||||||
|
context:
|
||||||
|
(): synapse.util.logcontext.LoggingContextFilter
|
||||||
|
request: ""
|
||||||
|
|
||||||
handlers:
|
handlers:
|
||||||
file:
|
file:
|
||||||
class: logging.handlers.TimedRotatingFileHandler
|
class: logging.handlers.TimedRotatingFileHandler
|
||||||
|
@ -29,8 +35,8 @@ handlers:
|
||||||
filename: ${LOG_DIR:?}/homeserver.log
|
filename: ${LOG_DIR:?}/homeserver.log
|
||||||
when: midnight
|
when: midnight
|
||||||
backupCount: 3 # Does not include the current log file.
|
backupCount: 3 # Does not include the current log file.
|
||||||
|
filters: [context]
|
||||||
encoding: utf8
|
encoding: utf8
|
||||||
|
|
||||||
# Default to buffering writes to log file for efficiency. This means that
|
# Default to buffering writes to log file for efficiency. This means that
|
||||||
# will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
|
# will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
|
||||||
# logs will still be flushed immediately.
|
# logs will still be flushed immediately.
|
||||||
|
@ -43,37 +49,22 @@ handlers:
|
||||||
# be written to disk.
|
# be written to disk.
|
||||||
capacity: 10
|
capacity: 10
|
||||||
flushLevel: 30 # Flush for WARNING logs as well
|
flushLevel: 30 # Flush for WARNING logs as well
|
||||||
|
|
||||||
# A handler that writes logs to stderr. Unused by default, but can be used
|
|
||||||
# instead of "buffer" and "file" in the logger handlers.
|
|
||||||
console:
|
console:
|
||||||
class: logging.StreamHandler
|
class: logging.StreamHandler
|
||||||
formatter: precise
|
formatter: precise
|
||||||
|
level: WARN
|
||||||
|
|
||||||
loggers:
|
loggers:
|
||||||
|
synapse:
|
||||||
|
level: INFO
|
||||||
synapse.storage.SQL:
|
synapse.storage.SQL:
|
||||||
# beware: increasing this to DEBUG will make synapse log sensitive
|
# beware: increasing this to DEBUG will make synapse log sensitive
|
||||||
# information such as access tokens.
|
# information such as access tokens.
|
||||||
level: INFO
|
level: INFO
|
||||||
|
|
||||||
twisted:
|
twisted:
|
||||||
# We send the twisted logging directly to the file handler,
|
level: INFO
|
||||||
# to work around https://github.com/matrix-org/synapse/issues/3471
|
|
||||||
# when using "buffer" logger. Use "console" to log to stderr instead.
|
|
||||||
handlers: [file]
|
|
||||||
propagate: false
|
|
||||||
|
|
||||||
root:
|
root:
|
||||||
level: INFO
|
level: INFO
|
||||||
|
handlers: [buffer, console]
|
||||||
# Write logs to the \`buffer\` handler, which will buffer them together in memory,
|
|
||||||
# then write them to a file.
|
|
||||||
#
|
|
||||||
# Replace "buffer" with "console" to log to stderr instead. (Note that you'll
|
|
||||||
# also need to update the configuration for the \`twisted\` logger above, in
|
|
||||||
# this case.)
|
|
||||||
#
|
|
||||||
handlers: [buffer]
|
|
||||||
|
|
||||||
disable_existing_loggers: false
|
|
||||||
EOF
|
EOF
|
||||||
|
|
|
@ -6,11 +6,11 @@ init=$(cat "$__global/explorer/init")
|
||||||
case "$os" in
|
case "$os" in
|
||||||
alpine)
|
alpine)
|
||||||
synapse_conf_dir=/etc/synapse
|
synapse_conf_dir=/etc/synapse
|
||||||
synapse_service=matrix-synapse
|
synapse_service=synapse
|
||||||
;;
|
;;
|
||||||
debian)
|
debian)
|
||||||
synapse_conf_dir=/etc/matrix-synapse
|
synapse_conf_dir=/etc/matrix-synapse
|
||||||
synapse_service=synapse
|
synapse_service=matrix-synapse
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
echo "Unknown OS $os." >&2
|
echo "Unknown OS $os." >&2
|
||||||
|
@ -18,10 +18,10 @@ case "$os" in
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
if grep -qE "^__file/$synapse_conf_dir" "${__messages_in}"; then
|
if grep -qE "^__file$synapse_conf_dir" "${__messages_in}"; then
|
||||||
case "$init" in
|
case "$init" in
|
||||||
systemd)
|
systemd)
|
||||||
echo "systemctl try-reload-or-restart $synapse_service"
|
echo "systemctl restart $synapse_service"
|
||||||
;;
|
;;
|
||||||
initd)
|
initd)
|
||||||
echo "service --ifstopped $synapse_service start"
|
echo "service --ifstopped $synapse_service start"
|
||||||
|
|
|
@ -28,12 +28,6 @@ database-name
|
||||||
Path to database file if SQLite3 is used or database name if PostgresSQL is
|
Path to database file if SQLite3 is used or database name if PostgresSQL is
|
||||||
used.
|
used.
|
||||||
|
|
||||||
tls-cert
|
|
||||||
Path to PEM-encoded X509 TLS certificate.
|
|
||||||
|
|
||||||
tls-private-key
|
|
||||||
Path to PEM-encoded TLS private key.
|
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
OPTIONAL PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
database-host
|
database-host
|
||||||
|
@ -69,6 +63,14 @@ ldap-bind-password
|
||||||
ldap-filter
|
ldap-filter
|
||||||
LDAP user filter, defaulting to `(objectClass=posixAccount)`.
|
LDAP user filter, defaulting to `(objectClass=posixAccount)`.
|
||||||
|
|
||||||
|
tls-cert
|
||||||
|
Path to PEM-encoded X509 TLS certificate. Not needed if TLS termination is
|
||||||
|
handled by a reverse Proxy such as NGINX.
|
||||||
|
|
||||||
|
tls-private-key
|
||||||
|
Path to PEM-encoded TLS private key. Not needed if TLS termination is
|
||||||
|
handled by a reverse Proxy such as NGINX.
|
||||||
|
|
||||||
smtp-host
|
smtp-host
|
||||||
The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
|
The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
|
||||||
|
|
||||||
|
|
|
@ -119,9 +119,14 @@ if [ -f "$__object/parameter/enable-server-notices" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# TLS.
|
# TLS.
|
||||||
|
if [ -f "$__object/parameter/tls-cert" ]; then
|
||||||
TLS_CERTIFICATE_PATH=$(cat "$__object/parameter/tls-cert")
|
TLS_CERTIFICATE_PATH=$(cat "$__object/parameter/tls-cert")
|
||||||
|
export TLS_CERTIFICATE_PATH
|
||||||
|
fi
|
||||||
|
if [ -f "$__object/parameter/tls-private-key" ]; then
|
||||||
TLS_PRIVATE_KEY_PATH=$(cat "$__object/parameter/tls-private-key")
|
TLS_PRIVATE_KEY_PATH=$(cat "$__object/parameter/tls-private-key")
|
||||||
export TLS_PRIVATE_KEY_PATH TLS_CERTIFICATE_PATH
|
export TLS_PRIVATE_KEY_PATH
|
||||||
|
fi
|
||||||
|
|
||||||
# Performance flags.
|
# Performance flags.
|
||||||
GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global-cache-factor")
|
GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global-cache-factor")
|
||||||
|
@ -144,7 +149,11 @@ export DATABASE_ENGINE DATABASE_NAME DATABASE_HOST DATABASE_USER \
|
||||||
DATABASE_PASSWORD
|
DATABASE_PASSWORD
|
||||||
|
|
||||||
# LDAP-based authentication.
|
# LDAP-based authentication.
|
||||||
|
if [ -f "$__object/enable-ldap-auth" ]; then
|
||||||
ENABLE_LDAP_AUTH=$(get_boolean_for 'enable-ldap-auth')
|
ENABLE_LDAP_AUTH=$(get_boolean_for 'enable-ldap-auth')
|
||||||
|
export ENABLE_LDAP_AUTH
|
||||||
|
fi
|
||||||
|
|
||||||
LDAP_FILTER=$(cat "$__object/parameter/ldap-filter")
|
LDAP_FILTER=$(cat "$__object/parameter/ldap-filter")
|
||||||
LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap-uid-attribute")
|
LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap-uid-attribute")
|
||||||
LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap-mail-attribute")
|
LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap-mail-attribute")
|
||||||
|
@ -154,9 +163,8 @@ LDAP_BASE_DN=$(cat "$__object/parameter/ldap-base-dn")
|
||||||
LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn")
|
LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn")
|
||||||
LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
|
LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
|
||||||
LDAP_USE_STARTTLS=$(get_boolean_for 'ldap-use-starttls')
|
LDAP_USE_STARTTLS=$(get_boolean_for 'ldap-use-starttls')
|
||||||
export ENABLE_LDAP_AUTH LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE \
|
export LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE LDAP_NAME_ATTRIBUTE \
|
||||||
LDAP_NAME_ATTRIBUTE LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD \
|
LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD LDAP_USE_STARTTLS
|
||||||
LDAP_USE_STARTTLS
|
|
||||||
|
|
||||||
# Outgoing emails (= notifications).
|
# Outgoing emails (= notifications).
|
||||||
ENABLE_NOTIFICATIONS=$(get_boolean_for 'enable-notifications')
|
ENABLE_NOTIFICATIONS=$(get_boolean_for 'enable-notifications')
|
||||||
|
@ -181,6 +189,11 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
|
||||||
USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
|
USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
|
||||||
export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
|
export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/registration-shared-token" ]; then
|
||||||
|
REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
|
||||||
|
export REGISTRATION_SHARED_SECRET
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/registration-requires-email" ]; then
|
if [ -f "$__object/parameter/registration-requires-email" ]; then
|
||||||
export REGISTRATION_REQUIRES_EMAIL=1
|
export REGISTRATION_REQUIRES_EMAIL=1
|
||||||
fi
|
fi
|
||||||
|
@ -196,14 +209,16 @@ if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Federation.
|
# Federation.
|
||||||
DISABLE_FEDERATION=$(get_boolean_for 'disable-federation')
|
|
||||||
ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
|
ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
|
||||||
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
|
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
|
||||||
LIMIT_REMOTE_ROOM_COMPLEXITY=$(get_boolean_for 'limit-remote-room-complexity')
|
LIMIT_REMOTE_ROOM_COMPLEXITY=$(get_boolean_for 'limit-remote-room-complexity')
|
||||||
REMOTE_ROOM_COMPLEXITY_TRESHOLD=$(cat "$__object/parameter/remote-room-complexity-treshold")
|
REMOTE_ROOM_COMPLEXITY_TRESHOLD=$(cat "$__object/parameter/remote-room-complexity-treshold")
|
||||||
export DISABLE_FEDERATION ALLOW_PUBLIC_ROOMS_OVER_FEDERATION \
|
export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH \
|
||||||
ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH LIMIT_REMOTE_ROOM_COMPLEXITY \
|
LIMIT_REMOTE_ROOM_COMPLEXITY REMOTE_ROOM_COMPLEXITY_TRESHOLD
|
||||||
REMOTE_ROOM_COMPLEXITY_TRESHOLD
|
|
||||||
|
if [ -f "$__object/parameter/disable-federation" ]; then
|
||||||
|
export DISABLE_FEDERATION=1
|
||||||
|
fi
|
||||||
|
|
||||||
# Message retention.
|
# Message retention.
|
||||||
ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
|
ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
|
||||||
|
@ -290,7 +305,7 @@ esac
|
||||||
# backports situation.
|
# backports situation.
|
||||||
synapse_req=
|
synapse_req=
|
||||||
if [ -n "$apt_target_release" ]; then
|
if [ -n "$apt_target_release" ]; then
|
||||||
__package_apt "$synapse_pkg" \
|
require="__apt_source/debian-backports" __package_apt "$synapse_pkg" \
|
||||||
--target-release "$apt_target_release"
|
--target-release "$apt_target_release"
|
||||||
synapse_req="__package_apt/$synapse_pkg"
|
synapse_req="__package_apt/$synapse_pkg"
|
||||||
else
|
else
|
||||||
|
@ -298,7 +313,7 @@ else
|
||||||
synapse_req="__package/$synapse_pkg"
|
synapse_req="__package/$synapse_pkg"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$ENABLE_LDAP_AUTH" = "true" ]; then
|
if [ -n "$ENABLE_LDAP_AUTH" ]; then
|
||||||
if [ -n "$apt_target_release" ]; then
|
if [ -n "$apt_target_release" ]; then
|
||||||
require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \
|
require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \
|
||||||
--target-release "$apt_target_release"
|
--target-release "$apt_target_release"
|
||||||
|
|
|
@ -29,3 +29,6 @@ notification-from
|
||||||
message-max-lifetime
|
message-max-lifetime
|
||||||
worker-replication-secret
|
worker-replication-secret
|
||||||
background-tasks-worker
|
background-tasks-worker
|
||||||
|
tls-cert
|
||||||
|
tls-private-key
|
||||||
|
registration-shared-secret
|
||||||
|
|
|
@ -2,5 +2,3 @@ server-name
|
||||||
base-url
|
base-url
|
||||||
database-engine
|
database-engine
|
||||||
database-name
|
database-name
|
||||||
tls-cert
|
|
||||||
tls-private-key
|
|
||||||
|
|
Loading…
Reference in a new issue