Просмотр исходного кода

Upgrade Continuwuity (v0.5.10 -> v26.6.1) and re-sync its config template

This is a major upgrade which performs a one-way database migration
and removes LDAP support upstream.

The continuwuity.toml.j2 template is re-synced with the v26.6.1 example
config. Notably, registration_token is now only rendered when non-empty,
because v26+ refuses to start when it is set to an empty string.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
pull/5413/head
Slavi Pantaleev 10 часов назад
Родитель
Сommit
19a775ef7e
3 измененных файлов: 269 добавлений и 181 удалений
  1. +8
    -0
      CHANGELOG.md
  2. +1
    -1
      roles/custom/matrix-continuwuity/defaults/main.yml
  3. +260
    -180
      roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2

+ 8
- 0
CHANGELOG.md Просмотреть файл

@@ -1,3 +1,11 @@
# 2026-07-12

## Continuwuity v26 no longer supports LDAP

The playbook now installs [Continuwuity](./docs/configuring-playbook-continuwuity.md) v26, a major upgrade from the v0.5.x series which **removes LDAP authentication support** (see the [v26.6.0 release notes](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v26.6.0)).

The playbook never exposed dedicated variables for Continuwuity's LDAP support, so most people are unaffected. However, if you had enabled LDAP via `matrix_continuwuity_environment_variables_extension` or a custom configuration template, you'll need to migrate to another authentication method, such as the newly introduced [OpenID Connect support](https://continuwuity.org/guides/oidc).

# 2026-06-29

## Support for running on Synology DSM


+ 1
- 1
roles/custom/matrix-continuwuity/defaults/main.yml Просмотреть файл

@@ -14,7 +14,7 @@ matrix_continuwuity_enabled: true
matrix_continuwuity_hostname: ''

# renovate: datasource=docker depName=forgejo.ellis.link/continuwuation/continuwuity
matrix_continuwuity_version: v0.5.10
matrix_continuwuity_version: v26.6.1

matrix_continuwuity_container_image: "{{ matrix_continuwuity_container_image_registry_prefix }}/continuwuation/continuwuity:{{ matrix_continuwuity_container_image_tag }}"
matrix_continuwuity_container_image_tag: "{{ matrix_continuwuity_version }}"


+ 260
- 180
roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2 Просмотреть файл

@@ -276,13 +276,35 @@ allow_announcements_check = {{ matrix_continuwuity_config_allow_announcements_ch
#
#ip_lookup_strategy = 5

# The source to use for discovering the real connecting client IP.
#
# Takes any of the following options:
#
# "cf_connecting_ip" - `Cf-Connecting-Ip` header
# "cloudfront_viewer_address" - `CloudFront-Viewer-Address` header
# "fly_client_ip" - `Fly-Client-IP` header
# "x_forwarded_for" - rightmost value of the `X-Forwarded-For` header
# "true_client_ip" - `True-Client-Ip` header
# "x_envoy_external_address" - `X-Envoy-External-Address` header
# "x_real_ip" - `X-Real-Ip` header
#
# Only set this if you are certain only your reverse proxy
# will send the expected header. There is no "is the connecting IP allowed
# to set this header" check; if the header selected is present, it is
# used.
#
# Defaults to the IP address actually making the connection.
#
#request_ip_source = false

# Max request size for file uploads in bytes. Defaults to 20MB.
# Also limits incoming federated media.
#
max_request_size = {{ matrix_continuwuity_config_max_request_size }}

# This item is undocumented. Please contribute documentation for it.
#
#max_fetch_prev_events = 192
#max_fetch_prev_events = 1024

# How many incoming federation transactions the server is willing to be
# processing at any given time before it becomes overloaded and starts
@@ -357,21 +379,18 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
#
#federation_timeout = 60

# MSC4284 Policy server request timeout (seconds). Generally policy
# Policy server request timeout (seconds). Generally policy
# servers should respond near instantly, however may slow down under
# load. If a policy server doesn't respond in a short amount of time, the
# room it is configured in may become unusable if this limit is set too
# high. 10 seconds is a good default, however dropping this to 3-5 seconds
# can be acceptable.
# high. 30 seconds is a good default, however lower values may be
# acceptable if temporary send failures are an okay trade-off.
#
# Please be aware that policy requests are *NOT* currently re-tried, so if
# a spam check request fails, the event will be assumed to be not spam,
# which in some cases may result in spam being sent to or received from
# the room that would typically be prevented.
#
# About policy servers: https://matrix.org/blog/2025/04/introducing-policy-servers/
# (Stabilized in Matrix v1.18)
#
#policy_server_request_timeout = 10
#policy_server_request_timeout = 30

# Federation client idle connection pool timeout (seconds).
#
@@ -444,7 +463,7 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
#
# If you would like registration only via token reg, please configure
# `registration_token` or `registration_token_file`.
# `registration_token`.
#
allow_registration = {{ matrix_continuwuity_config_allow_registration | to_json }}

@@ -470,24 +489,24 @@ suspend_on_register = {{ matrix_continuwuity_config_suspend_on_register | to_jso
yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = {{ matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse | to_json }}

# A static registration token that new users will have to provide when
# creating an account. If unset and `allow_registration` is true,
# you must set
# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
# to true to allow open registration without any conditions.
#
# YOU NEED TO EDIT THIS OR USE registration_token_file.
# creating an account. This token does not supersede tokens from other
# sources, such as the `!admin token` command or the
# `registration_token_file` configuration option.
#
# example: "o&^uCtes4HPf0Vu@F20jQeeWE7"
#
{% if matrix_continuwuity_config_registration_token != '' %}
registration_token = {{ matrix_continuwuity_config_registration_token | to_json }}
{% endif %}

# Path to a file on the system that gets read for additional registration
# tokens. Multiple tokens can be added if you separate them with
# whitespace
# A path to a file containing static registration tokens, one per line.
# Tokens in this file do not supersede tokens from other sources, such as
# the `!admin token` command or the `registration_token` configuration
# option.
#
# continuwuity must be able to access the file, and it must not be empty
#
# example: "/etc/continuwuity/.reg_token"
# The file will be read once, when Continuwuity starts. It is not
# currently reread when the server configuration is reloaded. If the file
# cannot be read, Continuwuity will fail to start.
#
#registration_token_file =

@@ -513,6 +532,16 @@ recaptcha_site_key = {{ matrix_continuwuity_config_recaptcha_site_key | to_json
recaptcha_private_site_key = {{ matrix_continuwuity_config_recaptcha_private_site_key | to_json }}
{% endif %}

# Controls whether users are allowed to deactivate their own accounts
# through the account management panel or their Matrix clients. Server
# admins can always deactivate users using the relevant admin commands.
#
# Note that, in some jurisdictions, you may be legally required to honor
# users who request to deactivate their accounts if you set this option
# to `false`.
#
#allow_deactivation = true

# Controls whether encrypted rooms and events are allowed.
#
allow_encryption = {{ matrix_continuwuity_config_allow_encryption | to_json }}
@@ -551,18 +580,6 @@ forget_forced_upon_leave = {{ matrix_continuwuity_config_forget_forced_upon_leav
#
#allow_public_room_directory_over_federation = false

# Allow guests/unauthenticated users to access TURN credentials.
#
# This is the equivalent of Synapse's `turn_allow_guests` config option.
# This allows any unauthenticated user to call the endpoint
# `/_matrix/client/v3/voip/turnServer`.
#
# It is unlikely you need to enable this as all major clients support
# authentication for this endpoint and prevents misuse of your TURN server
# from potential bots.
#
#turn_allow_guests = false

# Set this to true to lock down your server's public room directory and
# only allow admins to publish rooms to the room directory. Unpublishing
# is still allowed by all users with this enabled.
@@ -597,7 +614,7 @@ allow_room_creation = {{ matrix_continuwuity_config_allow_room_creation | to_jso
# Set to false to disable users from joining or creating room versions
# that aren't officially supported by continuwuity.
#
# continuwuity officially supports room versions 6 - 11.
# continuwuity officially supports room versions 6 - 12.
#
# continuwuity has slightly experimental (though works fine in practice)
# support for versions 3 - 5.
@@ -609,10 +626,42 @@ allow_room_creation = {{ matrix_continuwuity_config_allow_room_creation | to_jso
# rather than an integer. Forgetting the quotes will make the server fail
# to start!
#
# Per spec, room version "11" is the default.
# Per spec, room version "12" is the default.
#
default_room_version = {{ matrix_continuwuity_config_default_room_version | to_json }}

# A default allow value for the Access Control List when creating a room.
#
# If a list is provided, new rooms will be created with
# a m.room.server_acl event. Only servers which match one of the patterns
# in the list will be permitted to participate in the room.
#
# ACLs in existing rooms will not be updated automatically. This is not
# a substitute for moderation bots.
#
#default_room_acl_allow =

# A default deny value for the Access Control List when creating a room.
#
# If a list is provided, new rooms will be created with
# a m.room.server_acl event. Servers which match one of the patterns
# in the list will be NOT permitted to participate in the room.
#
# This config cannot be used if the default_room_acl_allow config is used.
#
# ACLs in existing rooms will not be updated automatically. This is not
# a substitute for moderation bots.
#
#default_room_acl_deny =

# The number of forward extremities to tolerate in a room before
# attempting to manually squash them with a "dummy event". Setting this
# above 20 will hinder its efficacy, and setting it below 5 will cause
# more dummy events to be sent than necessary (which increases federation
# traffic).
#
#dummy_event_threshold = 10

# Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
# Jaeger exporter. Traces will be sent via OTLP to a collector (such as
# Jaeger) that supports the OpenTelemetry Protocol.
@@ -799,7 +848,7 @@ log = {{ matrix_continuwuity_config_log | to_json }}
# ("turn_secret"), It is recommended to use a shared secret over static
# credentials.
#
{% if matrix_continuwuity_config_turn_username != '' %}
{% if matrix_continuwuity_config_turn_username != '' %}
turn_username = {{ matrix_continuwuity_config_turn_username | to_json }}
{% endif %}

@@ -990,6 +1039,21 @@ auto_join_rooms = {{ matrix_continuwuity_config_auto_join_rooms | to_json }}
#
#rocksdb_bottommost_compression = true

# Compression algorithm for RocksDB's Write-Ahead-Log (WAL).
#
# At present, only ZSTD compression is supported by RocksDB for WAL
# compression. Enabling this can reduce WAL size at the expense of some
# CPU usage during writes.
#
# The options are:
# - "none" = No compression
# - "zstd" = ZSTD compression
#
# For more information on WAL compression, see:
# https://github.com/facebook/rocksdb/wiki/WAL-Compression
#
#rocksdb_wal_compression = "zstd"

# Database recovery mode (for RocksDB WAL corruption).
#
# Use this option when the server reports corruption and refuses to start.
@@ -1253,21 +1317,6 @@ allow_outgoing_presence = {{ matrix_continuwuity_config_allow_outgoing_presence
#
#brotli_compression = false

# Set to true to allow user type "guest" registrations. Some clients like
# Element attempt to register guest users automatically.
#
#allow_guest_registration = false

# Set to true to log guest registrations in the admin room. Note that
# these may be noisy or unnecessary if you're a public homeserver.
#
#log_guest_registrations = false

# Set to true to allow guest registrations/users to auto join any rooms
# specified in `auto_join_rooms`.
#
#allow_guests_auto_join_rooms = false

# Enable the legacy unauthenticated Matrix media repository endpoints.
# These endpoints consist of:
# - /_matrix/media/*/config
@@ -1380,6 +1429,20 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_config_for
#
ignore_messages_from_server_names = {{ matrix_continuwuity_config_ignore_messages_from_server_names | to_json }}

# List of server names that continuwuity will deprioritize (try last) when
# a client requests to join a room.
#
# This can be used to potentially speed up room join requests, by
# deprioritizing sending join requests through servers that are known to
# be large or slow.
#
# continuwuity will still send join requests to servers in this list if
# the room couldn't be joined via other servers it federates with.
#
# example: ["example.com"]
#
#deprioritize_joins_through_servers = []

# Send messages from users that the user has ignored to the client.
#
# There is no way for clients to receive messages sent while a user was
@@ -1390,6 +1453,11 @@ ignore_messages_from_server_names = {{ matrix_continuwuity_config_ignore_message
#
#send_messages_from_ignored_users_to_client = false

# Send "org.matrix.dummy_event" events to the client. This is a debugging
# option.
#
#send_dummy_events_to_clients = false

# Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
# do not want continuwuity to send outbound requests to. Defaults to
# RFC1918, unroutable, loopback, multicast, and testnet addresses for
@@ -1553,19 +1621,6 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
#
#block_non_admin_invites = false

# Enable or disable making requests to MSC4284 Policy Servers.
# It is recommended you keep this enabled unless you experience frequent
# connectivity issues, such as in a restricted networking environment.
#
#enable_msc4284_policy_servers = true

# Enable running locally generated events through configured MSC4284
# policy servers. You may wish to disable this if your server is
# single-user for a slight speed benefit in some rooms, but otherwise
# should leave it enabled.
#
#policy_server_check_own_events = true

# Allow admins to enter commands in rooms other than "#admins" (admin
# room) by prefixing your message with "\!admin" or "\\!admin" followed up
# a normal continuwuity admin command. The reply will be publicly visible
@@ -1832,6 +1887,11 @@ client = {{ matrix_continuwuity_config_well_known_client | to_json }}
#
#support_page =

# The ed25519 public key for the policy server available at this server's
# name. Must be unpadded base64.
#
#policy_server_public_key =

# Role string for server support contacts, to be served as part of the
# MSC1929 server support endpoint at /.well-known/matrix/support.
#
@@ -1852,23 +1912,10 @@ client = {{ matrix_continuwuity_config_well_known_client | to_json }}
#
#support_mxid =

[global.blurhashing]

# blurhashing x component, 4 is recommended by https://blurha.sh/
#
#components_x = 4

# blurhashing y component, 3 is recommended by https://blurha.sh/
#
#components_y = 3

# Max raw size that the server will blurhash, this is the size of the
# image after converting it to raw data, it should be higher than the
# upload limit but not too high. The higher it is the higher the
# potential load will be for clients requesting blurhashes. The default
# is 33.55MB. Setting it to 0 disables blurhashing.
# PGP key URI for server support contacts, to be served as part of the
# MSC1929 server support endpoint.
#
#blurhash_max_raw_size = 33554432
#support_pgp_key =

[global.matrix_rtc]

@@ -1891,102 +1938,6 @@ foci = [
{% endfor %}
]

[global.ldap]

# Whether to enable LDAP login.
#
# example: "true"
#
#enable = false

# Whether to force LDAP authentication or authorize classical password
# login.
#
# example: "true"
#
#ldap_only = false

# URI of the LDAP server.
#
# example: "ldap://ldap.example.com:389"
#
#uri = ""

# StartTLS for LDAP connections.
#
#use_starttls = false

# Skip TLS certificate verification, possibly dangerous.
#
#disable_tls_verification = false

# Root of the searches.
#
# example: "ou=users,dc=example,dc=org"
#
#base_dn = ""

# Bind DN if anonymous search is not enabled.
#
# You can use the variable `{username}` that will be replaced by the
# entered username. In such case, the password used to bind will be the
# one provided for the login and not the one given by
# `bind_password_file`. Beware: automatically granting admin rights will
# not work if you use this direct bind instead of a LDAP search.
#
# example: "cn=ldap-reader,dc=example,dc=org" or
# "cn={username},ou=users,dc=example,dc=org"
#
#bind_dn = ""

# Path to a file on the system that contains the password for the
# `bind_dn`.
#
# The server must be able to access the file, and it must not be empty.
#
#bind_password_file = ""

# Search filter to limit user searches.
#
# You can use the variable `{username}` that will be replaced by the
# entered username for more complex filters.
#
# example: "(&(objectClass=person)(memberOf=matrix))"
#
#filter = "(objectClass=*)"

# Attribute to use to uniquely identify the user.
#
# example: "uid" or "cn"
#
#uid_attribute = "uid"

# Attribute containing the display name of the user.
#
# example: "givenName" or "sn"
#
#name_attribute = "givenName"

# Root of the searches for admin users.
#
# Defaults to `base_dn` if empty.
#
# example: "ou=admins,dc=example,dc=org"
#
#admin_base_dn = ""

# The LDAP search filter to find administrative users for continuwuity.
#
# If left blank, administrative state must be configured manually for each
# user.
#
# You can use the variable `{username}` that will be replaced by the
# entered username for more complex filters.
#
# example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
#
#admin_filter = ""

#[global.antispam]

#[global.antispam.meowlnir]
@@ -2064,13 +2015,142 @@ sender = {{ matrix_continuwuity_config_smtp_sender | to_json }}
#sender =
{% endif %}

# Whether to require that users provide an email address when they
# register.
# Whether to allow public registration with an email address.
#
# Note that, if this option is enabled, anyone will be able to register an
# account with just an email address.
#
# If either this option or `require_email_for_token_registration` are set,
# users will not be allowed to remove their email address.
#
require_email_for_registration = {{ matrix_continuwuity_config_smtp_require_email_for_registration | to_json }}

# Whether to require that users who register with a registration token
# provide an email address.
# provide an email address. This option is independent of
# `require_email_for_registration`.
#
require_email_for_token_registration = {{ matrix_continuwuity_config_smtp_require_email_for_token_registration | to_json }}
{% endif %}

#[global.registration_terms]

# The language code to provide to clients along with the policy documents.
#
#language = "en"

# Policy documents, such as terms and conditions or a privacy policy,
# which users must agree to when registering an account.
#
# Example:
# ```ignore
# [global.registration_terms.documents]
# privacy_policy = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
# ```
#
#documents =

#[global.oauth]

# The compatibility mode to use for OAuth.
#
# - "disabled": OAuth will be unavailable. Users will only be able to log
# in using legacy authentication.
# - "hybrid": OAuth and legacy authentication will both be available. Some
# clients may only use one or the other.
# - "exclusive": Only OAuth will be available. Clients which require
# legacy authentication will be unable to log in.
#
#compatibility_mode = "hybrid"

#[global.oauth.oidc]
# Uncommenting this section will enable Continuwuity's support for
# authenticating users using an OpenID Connect-compatible identity provider.
# This is referred to as "delegated authentication".
#
# IMPORTANT NOTE: When delegated authentication is active, Continuwuity will behave as if
# the `global.oauth.compatibility_mode` setting is set to `exclusive`.
# Matrix clients which do not support OAuth login (also referred to as "next-gen auth") will NOT be able
# to log in while delegated authentication is active.


# The OIDC issuer URL. Continuwuity will use OpenID Connect Discovery to
# automatically fetch the identity provider's metadata from this URL.
# Generally you should set this to the base domain your identity provider
# runs on.
#
#discovery_url =

# The OAuth client ID for Continuwuity to use when communicating with the
# identity provider.
#
#client_id =

# The OAuth client secret for Continuwuity to use when communicating with
# the identity provider.
#
#client_secret =

# A path to a file which Continuwuity will read the client secret from.
# If this option is set, it will override `client_secret`.
#
# The server will fail to start if the file cannot be read.
#
#client_secret_file =

# Additional scopes Continuwuity should request from the IDP. This may be
# necessary to access certain claims. Continuwuity always requests the
# `openid` scope.
#
#additional_scopes = []

# Whether the user should be prompted to choose a localpart
# when signing in for the first time. If this is `false`, Continuwuity
# will attempt to use the value of the `preferred_username_claim`
# (see below) as the user's localpart. Authentication will
# fail if this claim is missing or is not a valid localpart.
#
#prompt_for_localpart = true

# The claim to use for the user's localpart, if `prompt_for_localpart` is
# false.
#
#preferred_username_claim = "preferred_username"

# The claim which will be used to set the user's email address,
# either on initial registration or on every login depending on
# the value of `profile_key_import_mode`. Continuwuity assumes that
# the IDP has taken care of verifying that the user controls the email
# address it provides.
#
# This option does nothing if SMTP is not configured.
#
# If this option is set, and `profile_key_import_mode` is `on_login`,
# users will not be able to change their email addresses themselves.
#
#email_claim = "email"

# Defines how claims returned from the IDP should be mapped to a user's
# profile data. The profile field named in each key will be set from the
# claim named in the corresponding value when the user first registers,
# and possibly on subsequent logins as well, depending on the value of
# `profile_key_import_mode` (see below).
#
# Per-room overrides to the user's display name or avatar will be
# preserved by the import process.
#
# SECURITY NOTE: If the `avatar_url` field is set, Continuwuity will
# perform a HTTP GET to the URL in the mapped claim and use the returned
# file as the user's profile picture. Make sure your users are not able
# to set the value of the mapped claim to an arbitrary URL.
#
#profile_key_map = { displayname = "name" }

# When profile keys should be imported from the IDP's claims.
#
# - "on_registration": Listed keys will be imported once, when the user
# logs in for the first time and their shadow account is created.
# - "on_login": Listed keys will be imported every time the user logs in.
# Additionally, users will not be able to manually edit any listed keys
# through their Matrix client.
#
#profile_key_import_mode = "on_registration"

Загрузка…
Отмена
Сохранить