From ae091d7b2da1a5b3260b1e810a73c16e0c868f17 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev <slavi@devture.com>
Date: Thu, 25 Feb 2021 13:40:35 +0200
Subject: [PATCH] Upgrade Synapse (v1.27.0 -> v1.28.0)

---
 roles/matrix-synapse/defaults/main.yml        |  2 +-
 .../templates/synapse/homeserver.yaml.j2      | 28 +++++++++++++------
 roles/matrix-synapse/vars/workers.yml         | 13 +++++++--
 3 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index 2435e9c2a..a0d2474d8 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -15,7 +15,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.27.0
+matrix_synapse_version: v1.28.0
 matrix_synapse_version_arm64: v1.26.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 99169b8a6..09e11f7ba 100644
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -141,6 +141,7 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 #  - '100.64.0.0/10'
 #  - '192.0.0.0/24'
 #  - '169.254.0.0/16'
+#  - '192.88.99.0/24'
 #  - '198.18.0.0/15'
 #  - '192.0.2.0/24'
 #  - '198.51.100.0/24'
@@ -149,6 +150,9 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 #  - '::1/128'
 #  - 'fe80::/10'
 #  - 'fc00::/7'
+#  - '2001:db8::/32'
+#  - 'ff00::/8'
+#  - 'fec0::/10'
 
 # List of IP address CIDR ranges that should be allowed for federation,
 # identity servers, push servers, and for checking key validity for
@@ -993,6 +997,7 @@ url_preview_ip_range_blacklist:
   - '100.64.0.0/10'
   - '192.0.0.0/24'
   - '169.254.0.0/16'
+  - '192.88.99.0/24'
   - '198.18.0.0/15'
   - '192.0.2.0/24'
   - '198.51.100.0/24'
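Review bot: The `192.88.99.0/24` entry added here (and the three IPv6 ranges in the next hunk) are hand-copied into a list the template renders unconditionally, so every future addition upstream makes to this default will be missing from deployed servers until someone repeats this manual sync; the `url_preview_ip_range_blacklist:` key itself begins above this hunk. Since this list is what keeps the URL preview fetcher away from private and reserved addresses, the maintenance obligation deserves to be stated next to the key, e.g. `# Mirrors Synapse's default url_preview_ip_range_blacklist (v1.28.0); re-sync on every Synapse upgrade.`. Without such a note, a future version bump like this commit's `v1.27.0 -> v1.28.0` change in defaults/main.yml can easily land without the corresponding list update.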
@@ -1001,6 +1006,9 @@ url_preview_ip_range_blacklist:
   - '::1/128'
   - 'fe80::/10'
   - 'fc00::/7'
+  - '2001:db8::/32'
+  - 'ff00::/8'
+  - 'fec0::/10'
 
 # List of IP address CIDR ranges that the URL preview spider is allowed
 # to access even if they are specified in url_preview_ip_range_blacklist.
@@ -1327,6 +1335,8 @@ account_threepid_delegates:
 # By default, any room aliases included in this list will be created
 # as a publicly joinable room when the first user registers for the
 # homeserver. This behaviour can be customised with the settings below.
+# If the room already exists, make certain it is a publicly joinable
+# room. The join rule of the room must be set to 'public'.
 #
 #auto_join_rooms:
 #  - "#example:example.com"
@@ -1869,9 +1879,9 @@ oidc_providers:
   #  user_mapping_provider:
   #    config:
   #      subject_claim: "id"
-  #      localpart_template: "{ user.login }"
-  #      display_name_template: "{ user.name }"
-  #      email_template: "{ user.email }"
+  #      localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
+  #      display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
+  #      email_template: "{% raw %}{{ user.email }}{% endraw %}"
 
   # For use with Keycloak
   #
@@ -1898,8 +1908,8 @@ oidc_providers:
   #  user_mapping_provider:
   #    config:
   #      subject_claim: "id"
-  #      localpart_template: "{ user.login }"
-  #      display_name_template: "{ user.name }"
+  #      localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
+  #      display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
 
 
 # Enable Central Authentication Service (CAS) for registration and login.
@@ -2227,11 +2237,11 @@ password_config:
       #require_uppercase: true
 
 ui_auth:
-    # The number of milliseconds to allow a user-interactive authentication
-    # session to be active.
+    # The amount of time to allow a user-interactive authentication session
+    # to be active.
     #
     # This defaults to 0, meaning the user is queried for their credentials
-    # before every action, but this can be overridden to alow a single
+    # before every action, but this can be overridden to allow a single
     # validation to be re-used.  This weakens the protections afforded by
     # the user-interactive authentication process, by allowing for multiple
     # (and potentially different) operations to use the same validation session.
@@ -2239,7 +2249,7 @@ ui_auth:
     # Uncomment below to allow for credential validation to last for 15
     # seconds.
     #
-    #session_timeout: 15000
+    #session_timeout: "15s"
 
 
 {% if matrix_synapse_email_enabled %}
diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml
index 3adfd9c3a..14b75a924 100644
--- a/roles/matrix-synapse/vars/workers.yml
+++ b/roles/matrix-synapse/vars/workers.yml
@@ -107,7 +107,8 @@ matrix_synapse_workers_generic_worker_endpoints:
 
   # Ensure that all SSO logins go to a single process.
   # For multiple workers not handling the SSO endpoints properly, see
-  # [#7530](https://github.com/matrix-org/synapse/issues/7530).
+  # [#7530](https://github.com/matrix-org/synapse/issues/7530) and 
+  # [#9427](https://github.com/matrix-org/synapse/issues/9427).
 
   # Note that a HTTP listener with `client` and `federation` resources must be
   # configured in the `worker_listeners` option in the worker config.
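Review bot: The new line `# [#7530](https://github.com/matrix-org/synapse/issues/7530) and ` ends with a trailing space, which yamllint's trailing-spaces rule flags even inside a comment; drop the space so the line reads `# [#7530](https://github.com/matrix-org/synapse/issues/7530) and`.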
@@ -203,7 +204,15 @@ matrix_synapse_workers_generic_worker_endpoints:
   # REST endpoints itself, but you should set `start_pushers: False` in the
   # shared configuration file to stop the main synapse sending push notifications.
 
-  # Note this worker cannot be load-balanced: only one instance should be active.
+  # To run multiple instances at once the `pusher_instances` option should list all
+  # pusher instances by their worker name, e.g.:
+
+  # ```yaml
+  # pusher_instances:
+  #     - pusher_worker1
+  #     - pusher_worker2
+  # ```
+
 # ]
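Review bot: The replacement text says that running several pusher workers requires `pusher_instances` in the shared configuration to list them all, but nothing in this hunk shows the role rendering that option, and the removed line was the only statement that a single instance is required; if the role lets a user define more than one pusher worker without emitting `pusher_instances` into the generated homeserver.yaml, this note now describes a setup the playbook may not actually produce (I cannot see the template from here, so please confirm). Either keep a one-line reminder such as `# This role does not set pusher_instances; run a single pusher worker unless you add it yourself.` or reference where the role populates it. Separately, the two blank lines inserted around the fenced example break the comment run that `# ]` closes; making them `#` lines keeps the block contiguous like the surrounding entries.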
 
 # appservice worker (no API endpoints) [