Upgrade Synapse (1.46.0 -> 1.47.0)

We had to remove UID/GID environment variables that we used to pass
to the Synapse container, because it was causing a problem after
https://github.com/matrix-org/synapse/pull/11209

We were using both `--user` and UID/GID environment variables until now.

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.46.0
-matrix_synapse_version_arm64: v1.46.0
+matrix_synapse_version: v1.47.0
+matrix_synapse_version_arm64: v1.47.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 

roles/matrix-synapse/tasks/synapse/setup_install.yml

@@ -67,8 +67,6 @@
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
     --cap-drop=ALL
     --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data
-    -e UID={{ matrix_user_uid }}
-    -e GID={{ matrix_user_gid }}
     -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
     -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }}
     -e SYNAPSE_REPORT_STATS=no

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -66,8 +66,28 @@ pid_file: /homeserver.pid
 # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
 # 'listeners' below).
 #
+# Defaults to 'https://<server_name>/'.
+#
 public_baseurl: https://{{ matrix_server_fqn_matrix }}/
 
+# Uncomment the following to tell other servers to send federation traffic on
+# port 443.
+#
+# By default, other servers will try to reach our server on port 8448, which can
+# be inconvenient in some environments.
+#
+# Provided 'https://<server_name>/' on port 443 is routed to Synapse, this
+# option configures Synapse to serve a file at
+# 'https://<server_name>/.well-known/matrix/server'. This will tell other
+# servers to send traffic to port 443 instead.
+#
+# See https://matrix-org.github.io/synapse/latest/delegate.html for more
+# information.
+#
+# Defaults to 'false'.
+#
+#serve_server_wellknown: true
+
 # Set the soft limit on the number of file descriptors synapse can use
 # Zero is used to indicate synapse should set the soft limit to the
 # hard limit.
@@ -1271,7 +1291,7 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
 # in on this server.
 #
 # (By default, no suggestion is made, so it is left up to the client.
-# This setting is ignored unless public_baseurl is also set.)
+# This setting is ignored unless public_baseurl is also explicitly set.)
 #
 #default_identity_server: https://matrix.org
 
@@ -1296,8 +1316,6 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
 # by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
-# If a delegate is specified, the config option public_baseurl must also be filled out.
-#
 account_threepid_delegates:
     email: {{ matrix_synapse_account_threepid_delegates_email|to_json }}
     msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }}
@@ -1990,11 +2008,10 @@ sso:
     # phishing attacks from evil.site. To avoid this, include a slash after the
     # hostname: "https://my.client/".
     #
-    # If public_baseurl is set, then the login fallback page (used by clients
-    # that don't natively support the required login flows) is whitelisted in
-    # addition to any URLs in this list.
+    # The login fallback page (used by clients that don't natively support the
+    # required login flows) is whitelisted in addition to any URLs in this list.
     #
-    # By default, this list is empty.
+    # By default, this list contains only the login fallback page.
     #
     #client_whitelist:
     #  - https://riot.im/develop

roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2

@@ -17,8 +17,6 @@ ExecStartPre={{ matrix_host_command_sleep }} 5
 ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-			-e UID={{ matrix_user_uid }} \
-			-e GID={{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \

roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2

@@ -33,8 +33,6 @@ ExecStartPre={{ matrix_host_command_sleep }} 3
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-			--env=UID={{ matrix_user_uid }} \
-			--env=GID={{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \

roles/matrix-synapse/vars/workers.yml

@@ -271,19 +271,19 @@ matrix_synapse_workers_media_repository_endpoints:
   # expose the `media` resource. For example:
 
   # ```yaml
-  #     worker_listeners:
-  #      - type: http
-  #        port: 8085
-  #        resources:
-  #          - names:
-  #            - media
+  # worker_listeners:
+  #  - type: http
+  #    port: 8085
+  #    resources:
+  #      - names:
+  #        - media
   # ```
 
   # Note that if running multiple media repositories they must be on the same server
   # and you must configure a single instance to run the background tasks, e.g.:
 
   # ```yaml
-  #     media_instance_running_background_jobs: "media-repository-1"
+  # media_instance_running_background_jobs: "media-repository-1"
   # ```
 
   # Note that if a reverse proxy is used , then `/_matrix/media/` must be routed for both inbound client and federation requests (if they are handled separately).
@@ -319,7 +319,9 @@ matrix_synapse_workers_frontend_proxy_endpoints:
   # the `worker_main_http_uri` setting in the `frontend_proxy` worker configuration
   # file. For example:
 
-  #     worker_main_http_uri: http://127.0.0.1:{{ matrix_synapse_container_client_api_port }}
+  # ```yaml
+  # worker_main_http_uri: http://127.0.0.1:8008
+  # ```
 
 matrix_synapse_workers_avail_list:
   - appservice