Add support for controlling Matrix federation

CHANGELOG.md

@@ -1,3 +1,10 @@
+# 2018-10-25
+
+## Support for controlling Matrix federation
+
+The playbook can now help you with [Controlling Matrix federation](docs/configuration-playbook-federation.md), should you wish to run a more private (isolated) server.
+
+
 # 2018-10-24
 
 ## Disabling riot-web guests

docs/configuration-playbook-federation.md

@@ -0,0 +1,28 @@
+# Controlling Matrix federation
+
+By default, your server federates with the whole Matrix network.
+That is, people on your server can communicate with people on any other Matrix server.
+
+
+## Federating only with select servers
+
+To make your server only federate with servers of your choosing, add this to your configuration file (`inventory/matrix.<your-domain>/vars.yml`):
+
+```yaml
+matrix_synapse_federation_domain_whitelist:
+- example.com
+- another.com
+```
+
+If you wish to disable federation, you can do that with an empty list (`[]`), or better yet by completely disabling federation (see below).
+
+
+## Disabling federation
+
+To completely disable federation, isolating your server from the rest of the Matrix network, add this to your configuration file (`inventory/matrix.<your-domain>/vars.yml`):
+
+```yaml
+matrix_synapse_federation_enabled: false
+```
+
+With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server.

docs/configuring-playbook.md

@@ -23,6 +23,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 ## Other configuration options
 
+- [Controlling Matrix federation](configuration-playbook-federation.md) (optional)
+
 - [Adjusting email-sending settings](configuring-playbook-email.md) (optional)
 
 - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional)

roles/matrix-server/defaults/main.yml

@@ -86,6 +86,15 @@ matrix_synapse_event_cache_size: "100K"
 # - https://github.com/matrix-org/synapse/issues/3939
 matrix_synapse_cache_factor: 0.5
 
+# Controls whether Matrix Synapse will federate at all.
+# Disable this to completely isolate your server from the rest of the Matrix network.
+matrix_synapse_federation_enabled: true
+
+# A list of domain names that are allowed to federate with the given Matrix Synapse server.
+# An empty list value (`[]`) will also effectively stop federation, but if that's the desired
+# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
+matrix_synapse_federation_domain_whitelist: ~
+
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Synapse extensions that have been enabled.
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}

roles/matrix-server/templates/synapse/homeserver.yaml.j2

@@ -119,12 +119,16 @@ use_presence: {{ matrix_synapse_use_presence|to_json }}
 #  - lon.example.com
 #  - nyc.example.com
 #  - syd.example.com
+{% if matrix_synapse_federation_domain_whitelist is not none %}
+federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
+{% endif %}
 
 # List of ports that Synapse should listen on, their purpose and their
 # configuration.
 listeners:
   # Main HTTPS listener
   # For when matrix traffic is sent directly to synapse.
+  {% if matrix_synapse_federation_enabled %}
   -
     # The port to listen for HTTPS requests on.
     port: 8448
@@ -157,6 +161,7 @@ listeners:
     #   "/_matrix/my/custom/endpoint":
     #     module: my_module.CustomRequestHandler
     #     config: {}
+  {% endif %}
 
   # Unsecure HTTP listener,
   # For when matrix traffic passes through loadbalancer that unwraps TLS.

roles/matrix-server/templates/systemd/matrix-synapse.service.j2

@@ -29,7 +29,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			--log-driver=none \
 			--env-file={{ matrix_environment_variables_data_path }}/synapse \
 			--network={{ matrix_docker_network }} \
+			{% if matrix_synapse_federation_enabled %}
 			-p 8448:8448 \
+			{% endif %}
 			{% if not matrix_nginx_proxy_enabled %}
 			-p 127.0.0.1:8008:8008 \
 			{% endif %}