diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index e450d617..1a854f2f 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -3,7 +3,7 @@ matrix_synapse_enabled: true
-matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.4"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.5.1"
 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
 matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
@@ -67,8 +67,9 @@ matrix_synapse_storage_sql_log_level: "INFO"
 matrix_synapse_root_log_level: "INFO"
 # Rate limits
-matrix_synapse_rc_messages_per_second: 0.2
-matrix_synapse_rc_message_burst_count: 10.0
+matrix_synapse_rc_message:
+ per_second: 0.2
+ burst_count: 10
 matrix_synapse_rc_registration:
 per_second: 0.17
@@ -85,11 +86,13 @@ matrix_synapse_rc_login:
 per_second: 0.17
 burst_count: 3
-matrix_synapse_federation_rc_window_size: 1000
-matrix_synapse_federation_rc_sleep_limit: 10
-matrix_synapse_federation_rc_sleep_delay: 500
-matrix_synapse_federation_rc_reject_limit: 50
-matrix_synapse_federation_rc_concurrent: 3
+matrix_synapse_rc_federation:
+ window_size: 1000
+ sleep_limit: 10
+ sleep_delay: 500
+ reject_limit: 50
+ concurrent: 3
+
 matrix_synapse_federation_rr_transactions_per_room_per_second: 50
 # Controls whether the TLS federation listener is enabled (tcp/8448).
diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml
index cdc649cc..d4efad9d 100644
--- a/roles/matrix-synapse/tasks/validate_config.yml
+++ b/roles/matrix-synapse/tasks/validate_config.yml
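Review bot: Overriding a single rate-limit field now means restating the whole dict: `matrix_synapse_rc_message` in the second hunk and `matrix_synapse_rc_federation` in the third are dicts, and an inventory value such as `matrix_synapse_rc_federation: {concurrent: 5}` replaces the role default outright under Ansible's default `hash_behaviour=replace`, silently dropping `window_size` and the other keys from the rendered homeserver.yaml. A short comment above each default would save operators that surprise, e.g. `# Override this as a whole dict; Ansible does not merge a partial override with these defaults.` The pre-existing `matrix_synapse_rc_registration` and `matrix_synapse_rc_login` defaults have the same shape, so the same comment fits them.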
@@ -20,3 +20,10 @@
 - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'}
 - {'old': 'matrix_alias_creation_rules', 'new': 'matrix_synapse_alias_creation_rules'}
 - {'old': 'matrix_room_list_publication_rules', 'new': 'matrix_synapse_room_list_publication_rules'}
+ - {'old': 'matrix_synapse_rc_messages_per_second', 'new': ''}
+ - {'old': 'matrix_synapse_rc_message_burst_count', 'new': ''}
+ - {'old': 'matrix_synapse_federation_rc_window_size', 'new': ''}
+ - {'old': 'matrix_synapse_federation_rc_sleep_limit', 'new': ''}
+ - {'old': 'matrix_synapse_federation_rc_sleep_delay', 'new': ''}
+ - {'old': 'matrix_synapse_federation_rc_reject_limit', 'new': ''}
+ - {'old': 'matrix_synapse_federation_rc_concurrent', 'new': ''}
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
index ce2f1677..c51a60a0 100644
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -110,6 +110,24 @@ use_presence: {{ matrix_synapse_use_presence|to_json }}
 federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
 {% endif %}
+# Prevent federation requests from being sent to the following
+# blacklist IP address CIDR ranges. If this option is not specified, or
+# specified with an empty list, no ip range blacklist will be enforced.
+#
+# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
+# listed here, since they correspond to unroutable addresses.)
+#
+federation_ip_range_blacklist:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ - '100.64.0.0/10'
+ - '169.254.0.0/16'
+ - '::1/128'
+ - 'fe80::/64'
+ - 'fc00::/7'
+
 # List of ports that Synapse should listen on, their purpose and their
 # configuration.
 #
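Review bot: The seven new entries carry `'new': ''`, so the deprecation failure raised by this task (its `fail`/`msg` lines sit before the hunk) will presumably tell the operator to rename each variable to an empty name, when in fact the settings moved under `matrix_synapse_rc_message` and `matrix_synapse_rc_federation` in defaults/main.yml. Pointing `new` at the dict key makes the failure actionable, e.g. `- {'old': 'matrix_synapse_rc_messages_per_second', 'new': 'matrix_synapse_rc_message.per_second'}` and `- {'old': 'matrix_synapse_federation_rc_concurrent', 'new': 'matrix_synapse_rc_federation.concurrent'}`. If the message template assumes `new` is a plain variable name, its wording may need a small adjustment as well.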
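Review bot: `federation_ip_range_blacklist` is hard-coded in the template, unlike `federation_domain_whitelist` two lines above and the other settings this role renders from `matrix_synapse_*` variables with `|to_json`. The shipped list is the right default — it keeps outbound federation requests away from loopback, RFC 1918, CGNAT and link-local space — but an operator who legitimately federates with a homeserver on a private range, or who wants to add ranges, currently has to edit the template. A `matrix_synapse_federation_ip_range_blacklist` default in defaults/main.yml holding this list, rendered as `federation_ip_range_blacklist: {{ matrix_synapse_federation_ip_range_blacklist|to_json }}`, would keep the safe default while making it overridable. Separately, `fe80::/64` covers only the first /64 of the IPv6 link-local block, which is `fe80::/10`; if the list is meant to track Synapse's own sample config that is an upstream choice, but `fe80::/10` is the prefix that matches every link-local address.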
@@ -260,6 +278,12 @@ listeners:
 #
 #require_membership_for_aliases: false
+# Whether to allow per-room membership profiles through the send of membership
+# events with profile information that differ from the target's global profile.
+# Defaults to 'true'.
+#
+#allow_per_room_profiles: false
+
 ## TLS ##
@@ -433,21 +457,15 @@ log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config"
 ## Ratelimiting ##
-# Number of messages a client can send per second
-#
-rc_messages_per_second: {{ matrix_synapse_rc_messages_per_second }}
-
-# Number of message a client can send before being throttled
-#
-rc_message_burst_count: {{ matrix_synapse_rc_message_burst_count }}
-
-# Ratelimiting settings for registration and login.
+# Ratelimiting settings for client actions (registration, login, messaging).
 #
 # Each ratelimiting configuration is made of two parameters:
 # - per_second: number of requests a client can send per second.
 # - burst_count: number of requests a client can send before being throttled.
 #
 # Synapse currently uses the following configurations:
+# - one for messages that ratelimits sending based on the account the client
+# is using
 # - one for registration that ratelimits registration requests based on the
 # client's IP address.
 # - one for login that ratelimits login requests based on the client's IP
@@ -460,6 +478,12 @@ rc_message_burst_count: {{ matrix_synapse_rc_message_burst_count }}
 #
 # The defaults are as shown below.
 #
+#rc_message:
+# per_second: 0.2
+# burst_count: 10
+#
+rc_message: {{ matrix_synapse_rc_message|to_json }}
+#
 #rc_registration:
 # per_second: 0.17
 # burst_count: 3
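Review bot: `rc_message` is rendered unconditionally (as is `rc_federation` in the next hunk), which ties this template to a Synapse release that understands the new keys; the same commit bumps `matrix_synapse_docker_image` to v0.99.5.1, but an operator who pins an older image keeps receiving a homeserver.yaml with `rc_message`/`rc_federation` and without the removed `rc_messages_per_second`/`federation_rc_*` lines, and I cannot confirm from here how older Synapse treats that. A one-line comment above the rendered line would record the coupling, e.g. `# rc_message and rc_federation replace rc_messages_per_second/federation_rc_*; they need the Synapse version pinned in matrix_synapse_docker_image or newer.` The role's validate_config.yml catches the renamed Ansible variables but does not appear to catch an image pin that is too old for the rendered config.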
@@ -477,34 +501,29 @@ rc_registration: {{ matrix_synapse_rc_registration|to_json }}
 # burst_count: 3
 rc_login: {{ matrix_synapse_rc_login|to_json }}
-# The federation window size in milliseconds
-#
-#federation_rc_window_size: 1000
-federation_rc_window_size: {{ matrix_synapse_federation_rc_window_size }}
-
-# The number of federation requests from a single server in a window
-# before the server will delay processing the request.
-#
-#federation_rc_sleep_limit: 10
-federation_rc_sleep_limit: {{ matrix_synapse_federation_rc_sleep_limit }}
-# The duration in milliseconds to delay processing events from
-# remote servers by if they go over the sleep limit.
+# Ratelimiting settings for incoming federation
 #
-#federation_rc_sleep_delay: 500
-federation_rc_sleep_delay: {{ matrix_synapse_federation_rc_sleep_delay }}
-
-# The maximum number of concurrent federation requests allowed
-# from a single server
+# The rc_federation configuration is made up of the following settings:
+# - window_size: window size in milliseconds
+# - sleep_limit: number of federation requests from a single server in
+# a window before the server will delay processing the request.
+# - sleep_delay: duration in milliseconds to delay processing events
+# from remote servers by if they go over the sleep limit.
+# - reject_limit: maximum number of concurrent federation requests
+# allowed from a single server
+# - concurrent: number of federation requests to concurrently process
+# from a single server
 #
-#federation_rc_reject_limit: 50
-federation_rc_reject_limit: {{ matrix_synapse_federation_rc_reject_limit }}
-
-# The number of federation requests to concurrently process from a
-# single server
+# The defaults are as shown below.
 #
-#federation_rc_concurrent: 3
-federation_rc_concurrent: {{ matrix_synapse_federation_rc_concurrent }}
+#rc_federation:
+# window_size: 1000
+# sleep_limit: 10
+# sleep_delay: 500
+# reject_limit: 50
+# concurrent: 3
+rc_federation: {{ matrix_synapse_rc_federation|to_json }}
 # Target outgoing federation transaction frequency for sending read-receipts,
 # per-room.
@@ -719,6 +738,40 @@ turn_allow_guests: False
 #
 enable_registration: {{ matrix_synapse_enable_registration|to_json }}
+# Optional account validity configuration. This allows for accounts to be denied
+# any request after a given period.
+#
+# ``enabled`` defines whether the account validity feature is enabled. Defaults
+# to False.
+#
+# ``period`` allows setting the period after which an account is valid
+# after its registration. When renewing the account, its validity period
+# will be extended by this amount of time. This parameter is required when using
+# the account validity feature.
+#
+# ``renew_at`` is the amount of time before an account's expiry date at which
+# Synapse will send an email to the account's email address with a renewal link.
+# This needs the ``email`` and ``public_baseurl`` configuration sections to be
+# filled.
+#
+# ``renew_email_subject`` is the subject of the email sent out with the renewal
+# link. ``%(app)s`` can be used as a placeholder for the ``app_name`` parameter
+# from the ``email`` section.
+#
+# Once this feature is enabled, Synapse will look for registered users without an
+# expiration date at startup and will add one to every account it found using the
+# current settings at that time.
+# This means that, if a validity period is set, and Synapse is restarted (it will
+# then derive an expiration date from the current validity period), and some time
+# after that the validity period changes and Synapse is restarted, the users'
+# expiration dates won't be updated unless their account is manually renewed.
+#
+#account_validity:
+# enabled: True
+# period: 6w
+# renew_at: 1w
+# renew_email_subject: "Renew your %(app)s account"
+
 # The user must provide all of the below types of 3PID when registering.
 #
 #registrations_require_3pid: