Upgrade Synapse (v1.24.0 -> v1.25.0) for amd64

5年前 · d5945c6e78
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # The if statement below may look silly at times (leading to the same version being returned),
 # but ARM-compatible container images are only released 1-7 hours after a release,
 # so we may often be on different versions for different architectures when new Synapse releases come out.
 matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}"
 matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -120,6 +120,47 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 #
 #enable_search: false

 # Prevent outgoing requests from being sent to the following blacklisted IP address
 # CIDR ranges. If this option is not specified then it defaults to private IP
 # address ranges (see the example below).
 #
 # The blacklist applies to the outbound requests for federation, identity servers,
 # push servers, and for checking key validity for third-party invite events.
 #
 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
 # listed here, since they correspond to unroutable addresses.)
 #
 # This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
 #
 #ip_range_blacklist:
 #  - '127.0.0.0/8'
 #  - '10.0.0.0/8'
 #  - '172.16.0.0/12'
 #  - '192.168.0.0/16'
 #  - '100.64.0.0/10'
 #  - '192.0.0.0/24'
 #  - '169.254.0.0/16'
 #  - '198.18.0.0/15'
 #  - '192.0.2.0/24'
 #  - '198.51.100.0/24'
 #  - '203.0.113.0/24'
 #  - '224.0.0.0/4'
 #  - '::1/128'
 #  - 'fe80::/10'
 #  - 'fc00::/7'

 # List of IP address CIDR ranges that should be allowed for federation,
 # identity servers, push servers, and for checking key validity for
 # third-party invite events. This is useful for specifying exceptions to
 # wide-ranging blacklisted target IP ranges - e.g. for communication with
 # a push server only visible in your network.
 #
 # This whitelist overrides ip_range_blacklist and defaults to an empty
 # list.
 #
 #ip_range_whitelist:
 #   - '192.168.1.1'

 # List of ports that Synapse should listen on, their purpose and their
 # configuration.
 #
@@ -633,27 +674,6 @@ acme:
 federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
 {% endif %}

 # Prevent federation requests from being sent to the following
 # blacklist IP address CIDR ranges. If this option is not specified, or
 # specified with an empty list, no ip range blacklist will be enforced.
 #
 # As of Synapse v1.4.0 this option also affects any outbound requests to identity
 # servers provided by user input.
 #
 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
 # listed here, since they correspond to unroutable addresses.)
 #
 federation_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'

 # Report prometheus metrics on the age of PDUs being sent to and received from
 # the following domains. This can be used to give an idea of "delay" on inbound
 # and outbound federation, though be aware that any delay can be due to problems
@@ -919,9 +939,15 @@ url_preview_ip_range_blacklist:
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '192.0.0.0/24'
  - '169.254.0.0/16'
  - '198.18.0.0/15'
  - '192.0.2.0/24'
  - '198.51.100.0/24'
  - '203.0.113.0/24'
  - '224.0.0.0/4'
  - '::1/128'
  - 'fe80::/64'
  - 'fe80::/10'
  - 'fc00::/7'

 # List of IP address CIDR ranges that the URL preview spider is allowed
@@ -1776,7 +1802,8 @@ oidc_config:
      #   * user: The claims returned by the UserInfo Endpoint and/or in the ID
      #     Token
      #
      # This must be configured if using the default mapping provider.
      # If this is not set, the user will be prompted to choose their
      # own username.
      #
      localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"

@@ -1854,11 +1881,8 @@ sso:
    #  - https://my.custom.client/

    # Directory in which Synapse will try to find the template files below.
    # If not set, default templates from within the Synapse package will be used.
    #
    # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
    # If you *do* uncomment it, you will need to make sure that all the templates
    # below are in the directory.
    # If not set, or the files named below are not found within the template
    # directory, default templates from within the Synapse package will be used.
    #
    # Synapse will look for the following templates in this directory:
    #
@@ -1987,6 +2011,56 @@ password_config:
   #
   pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}

   # Define and enforce a password policy. Each parameter is optional.
   # This is an implementation of MSC2000.
   #
   policy:
      # Whether to enforce the password policy.
      # Defaults to 'false'.
      #
      #enabled: true

      # Minimum accepted length for a password.
      # Defaults to 0.
      #
      #minimum_length: 15

      # Whether a password must contain at least one digit.
      # Defaults to 'false'.
      #
      #require_digit: true

      # Whether a password must contain at least one symbol.
      # A symbol is any character that's not a number or a letter.
      # Defaults to 'false'.
      #
      #require_symbol: true

      # Whether a password must contain at least one lowercase letter.
      # Defaults to 'false'.
      #
      #require_lowercase: true

      # Whether a password must contain at least one lowercase letter.
      # Defaults to 'false'.
      #
      #require_uppercase: true

 ui_auth:
    # The number of milliseconds to allow a user-interactive authentication
    # session to be active.
    #
    # This defaults to 0, meaning the user is queried for their credentials
    # before every action, but this can be overridden to alow a single
    # validation to be re-used.  This weakens the protections afforded by
    # the user-interactive authentication process, by allowing for multiple
    # (and potentially different) operations to use the same validation session.
    #
    # Uncomment below to allow for credential validation to last for 15
    # seconds.
    #
    #session_timeout: 15000


 {% if matrix_synapse_email_enabled %}
 # Configuration for sending emails from Synapse.
@@ -2061,9 +2135,8 @@ email:
  #validation_token_lifetime: 15m

  # Directory in which Synapse will try to find the template files below.
  # If not set, default templates from within the Synapse package will be used.
  #
  # Do not uncomment this setting unless you want to customise the templates.
  # If not set, or the files named below are not found within the template
  # directory, default templates from within the Synapse package will be used.
  #
  # Synapse will look for the following templates in this directory:
  #
@@ -2309,7 +2382,7 @@ enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }}
 # If enabled, non server admins can only create groups with local parts
 # starting with this prefix
 #
 #group_creation_prefix: "unofficial/"
 #group_creation_prefix: "unofficial_"



@@ -2580,6 +2653,13 @@ opentracing:
 #
 #run_background_tasks_on: worker1

 # A shared secret used by the replication APIs to authenticate HTTP requests
 # from workers.
 #
 # By default this is unused and traffic is not authenticated.
 #
 #worker_replication_secret: ""


 # Configuration for Redis when using workers. This *must* be enabled when
 # using workers (unless using old style direct TCP configuration).