Merge remote-tracking branch 'upstream/master' into gomatrixhosting-testing

docs/faq.md

@@ -121,7 +121,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM
 
 - this one **can be executed more than once** without causing trouble
 
-- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+), **Archlinux**
+- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 10/Buster+, **Ubuntu** 18.04+), **Archlinux**
 
 - this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place
 

docs/importing-postgres.md

@@ -60,7 +60,7 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user;
 It can be worked around by changing the username to `synapse`, for example by using `sed`:
 
 ```Shell
-$ sed -i "s/synapse_user/synapse/g" homeserver.sql"
+$ sed -i "s/synapse_user/synapse/g" homeserver.sql
 ```
 
 This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead.

docs/prerequisites.md

@@ -4,8 +4,8 @@ To install Matrix services using this Ansible playbook, you need:
 
 - (Recommended) An **x86** server ([What kind of server specs do I need?](faq.md#what-kind-of-server-specs-do-i-need)) running one of these operating systems:
   - **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300))
-  - **Debian** (9/Stretch or newer)
-  - **Ubuntu** (16.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions))
+  - **Debian** (10/Buster or newer)
+  - **Ubuntu** (18.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions))
   - **Archlinux**
 
 Generally, newer is better. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.

examples/vars.yml

@@ -14,7 +14,7 @@ matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE
 #
 # In case SSL renewal fails at some point, you'll also get an email notification there.
 #
-# If you decide to use another method for managing SSL certifites (different than the default Let's Encrypt),
+# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
 # you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
 #
 # Example value: someone@example.com

roles/matrix-bot-mjolnir/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_bot_mjolnir_enabled: true
 
-matrix_bot_mjolnir_version: "v0.1.19"
+matrix_bot_mjolnir_version: "v1.1.20"
 
 matrix_bot_mjolnir_container_image_self_build: false
 matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"

roles/matrix-bridge-appservice-irc/defaults/main.yml

@@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false
 matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
 matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"
 
-matrix_appservice_irc_version: release-0.30.0
+matrix_appservice_irc_version: release-0.31.0
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
 

roles/matrix-bridge-heisenbridge/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_heisenbridge_enabled: true
 
-matrix_heisenbridge_version: 1.0.1
+matrix_heisenbridge_version: 1.2.0
 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
 matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"
 

roles/matrix-client-element/defaults/main.yml

@@ -3,7 +3,7 @@ matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
 
-matrix_client_element_version: v1.8.2
+matrix_client_element_version: v1.8.5
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

roles/matrix-client-hydrogen/tasks/setup.yml

@@ -33,17 +33,6 @@
   register: matrix_client_hydrogen_git_pull_results
   when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
 
-- name: Ensure Hydrogen Docker image is built
-  docker_image:
-    name: "{{ matrix_client_hydrogen_docker_image }}"
-    source: build
-    force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_client_hydrogen_docker_src_files_path }}"
-      pull: yes
-  when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
-
 - name: Ensure Hydrogen configuration installed
   copy:
     content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}"
@@ -64,6 +53,19 @@
     - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
   when: "matrix_client_hydrogen_enabled|bool and item.src is not none"
 
+# This step MUST come after the steps to install the configuration files because the config files
+# are currently only read at build time, not at run time like most other components in the playbook
+- name: Ensure Hydrogen Docker image is built
+  docker_image:
+    name: "{{ matrix_client_hydrogen_docker_image }}"
+    source: build
+    force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_client_hydrogen_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
+
 - name: Ensure matrix-client-hydrogen.service installed
   template:
     src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"

roles/matrix-grafana/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_grafana_enabled: false
 
-matrix_grafana_version: 8.1.2
+matrix_grafana_version: 8.1.4
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
 

roles/matrix-nginx-proxy/defaults/main.yml

@@ -1,5 +1,5 @@
 matrix_nginx_proxy_enabled: true
-matrix_nginx_proxy_version: 1.21.1-alpine
+matrix_nginx_proxy_version: 1.21.3-alpine
 
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
@@ -426,7 +426,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: []
 
 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 matrix_ssl_lets_encrypt_staging: false
-matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.18.0"
+matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.19.0"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: ~

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.41.1
-matrix_synapse_version_arm64: v1.41.1
+matrix_synapse_version: v1.43.0
+matrix_synapse_version_arm64: v1.43.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -83,20 +83,6 @@ presence:
   #
   enabled: {{ matrix_synapse_presence_enabled|to_json }}
 
-  # Presence routers are third-party modules that can specify additional logic
-  # to where presence updates from users are routed.
-  #
-  presence_router:
-    # The custom module's class. Uncomment to use a custom presence router module.
-    #
-    #module: "my_custom_router.PresenceRouter"
-
-    # Configuration options of the custom module. Refer to your module's
-    # documentation for available options.
-    #
-    #config:
-    #  example_option: 'something'
-
 # Whether to require authentication to retrieve profile data (avatars,
 # display names) of other users through the client API. Defaults to
 # 'false'. Note that profile data is also available via the federation
@@ -371,6 +357,24 @@ update_user_directory: false
 daemonize: false
 {% endif %}
 
+# Connection settings for the manhole
+#
+manhole_settings:
+  # The username for the manhole. This defaults to 'matrix'.
+  #
+  #username: manhole
+
+  # The password for the manhole. This defaults to 'rabbithole'.
+  #
+  #password: mypassword
+
+  # The private and public SSH key pair used to encrypt the manhole traffic.
+  # If these are left unset, then hardcoded and non-secret keys are used,
+  # which could allow traffic to be intercepted if sent over a public network.
+  #
+  #ssh_priv_key_path: /data/id_rsa
+  #ssh_pub_key_path: /data/id_rsa.pub
+
 # Forward extremities can build up in a room due to networking delays between
 # homeservers. Once this happens in a large room, calculation of the state of
 # that room can become quite expensive. To mitigate this, once the number of
@@ -839,6 +843,8 @@ log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config"
 #     is using
 #   - one for registration that ratelimits registration requests based on the
 #     client's IP address.
+#   - one for checking the validity of registration tokens that ratelimits
+#     requests based on the client's IP address.
 #   - one for login that ratelimits login requests based on the client's IP
 #     address.
 #   - one for login that ratelimits login requests based on the account the
@@ -869,6 +875,10 @@ rc_message: {{ matrix_synapse_rc_message|to_json }}
 #  burst_count: 3
 rc_registration: {{ matrix_synapse_rc_registration|to_json }}
 #
+#rc_registration_token_validity:
+#  per_second: 0.1
+#  burst_count: 5
+#
 #rc_login:
 #  address:
 #    per_second: 0.17
@@ -1228,6 +1238,15 @@ allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }}
 #
 #enable_3pid_lookup: true
 
+# Require users to submit a token during registration.
+# Tokens can be managed using the admin API:
+# https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/registration_tokens.html
+# Note that `enable_registration` must be set to `true`.
+# Disabling this option will not delete any tokens previously generated.
+# Defaults to false. Uncomment the following to require tokens:
+#
+#registration_requires_token: true
+
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #
@@ -2257,7 +2276,7 @@ password_config:
       #
       #require_lowercase: true
 
-      # Whether a password must contain at least one lowercase letter.
+      # Whether a password must contain at least one uppercase letter.
       # Defaults to 'false'.
       #
       #require_uppercase: true

roles/matrix-synapse/vars/workers.yml

@@ -32,6 +32,8 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/federation/v1/user/devices/
   - ^/_matrix/federation/v1/get_groups_publicised$
   - ^/_matrix/key/v2/query
+  - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/
+  - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/
 
   # Inbound federation transaction request
   - ^/_matrix/federation/v1/send/
@@ -43,6 +45,9 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$
   - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$
   - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$
+  - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$
+  - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$
+  - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
   - ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$
   - ^/_matrix/client/(api/v1|r0|unstable)/devices$
   - ^/_matrix/client/(api/v1|r0|unstable)/keys/query$
@@ -59,6 +64,7 @@ matrix_synapse_workers_generic_worker_endpoints:
   # Registration/login requests
   - ^/_matrix/client/(api/v1|r0|unstable)/login$
   - ^/_matrix/client/(r0|unstable)/register$
+  - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$
 
   # Event sending requests
   - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact