Upgrade Synapse (v1.27.0 -> v1.28.0)

3 years ago · ae091d7b2d
parent 1ef683d366
commit ae091d7b2d
3 changed files with 31 additions and 12 deletions
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -15,7 +15,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.27.0
+matrix_synapse_version: v1.28.0
 matrix_synapse_version_arm64: v1.26.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -141,6 +141,7 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 #  - '100.64.0.0/10'
 #  - '192.0.0.0/24'
 #  - '169.254.0.0/16'
+#  - '192.88.99.0/24'
 #  - '198.18.0.0/15'
 #  - '192.0.2.0/24'
 #  - '198.51.100.0/24'
@ -149,6 +150,9 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 #  - '::1/128'
 #  - 'fe80::/10'
 #  - 'fc00::/7'
+#  - '2001:db8::/32'
+#  - 'ff00::/8'
+#  - 'fec0::/10'

 # List of IP address CIDR ranges that should be allowed for federation,
 # identity servers, push servers, and for checking key validity for
@ -993,6 +997,7 @@ url_preview_ip_range_blacklist:
  - '100.64.0.0/10'
  - '192.0.0.0/24'
  - '169.254.0.0/16'
+  - '192.88.99.0/24'
  - '198.18.0.0/15'
  - '192.0.2.0/24'
  - '198.51.100.0/24'
@ -1001,6 +1006,9 @@ url_preview_ip_range_blacklist:
  - '::1/128'
  - 'fe80::/10'
  - 'fc00::/7'
+  - '2001:db8::/32'
+  - 'ff00::/8'
+  - 'fec0::/10'

 # List of IP address CIDR ranges that the URL preview spider is allowed
 # to access even if they are specified in url_preview_ip_range_blacklist.
@ -1327,6 +1335,8 @@ account_threepid_delegates:
 # By default, any room aliases included in this list will be created
 # as a publicly joinable room when the first user registers for the
 # homeserver. This behaviour can be customised with the settings below.
+# If the room already exists, make certain it is a publicly joinable
+# room. The join rule of the room must be set to 'public'.
 #
 #auto_join_rooms:
 #  - "#example:example.com"
@ -1869,9 +1879,9 @@ oidc_providers:
  #  user_mapping_provider:
  #    config:
  #      subject_claim: "id"
-  #      localpart_template: "{ user.login }"
-  #      display_name_template: "{ user.name }"
-  #      email_template: "{ user.email }"
+  #      localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
+  #      display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
+  #      email_template: "{% raw %}{{ user.email }}{% endraw %}"

  # For use with Keycloak
  #
@ -1898,8 +1908,8 @@ oidc_providers:
  #  user_mapping_provider:
  #    config:
  #      subject_claim: "id"
-  #      localpart_template: "{ user.login }"
-  #      display_name_template: "{ user.name }"
+  #      localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
+  #      display_name_template: "{% raw %}{{ user.name }}{% endraw %}"


 # Enable Central Authentication Service (CAS) for registration and login.
@ -2227,11 +2237,11 @@ password_config:
      #require_uppercase: true

 ui_auth:
-    # The number of milliseconds to allow a user-interactive authentication
-    # session to be active.
+    # The amount of time to allow a user-interactive authentication session
+    # to be active.
    #
    # This defaults to 0, meaning the user is queried for their credentials
-    # before every action, but this can be overridden to alow a single
+    # before every action, but this can be overridden to allow a single
    # validation to be re-used.  This weakens the protections afforded by
    # the user-interactive authentication process, by allowing for multiple
    # (and potentially different) operations to use the same validation session.
@ -2239,7 +2249,7 @@ ui_auth:
    # Uncomment below to allow for credential validation to last for 15
    # seconds.
    #
-    #session_timeout: 15000
+    #session_timeout: "15s"


 {% if matrix_synapse_email_enabled %}
--- a/roles/matrix-synapse/vars/workers.yml
+++ b/roles/matrix-synapse/vars/workers.yml
@ -107,7 +107,8 @@ matrix_synapse_workers_generic_worker_endpoints:

  # Ensure that all SSO logins go to a single process.
  # For multiple workers not handling the SSO endpoints properly, see
-  # [#7530](https://github.com/matrix-org/synapse/issues/7530).
+  # [#7530](https://github.com/matrix-org/synapse/issues/7530) and 
+  # [#9427](https://github.com/matrix-org/synapse/issues/9427).

  # Note that a HTTP listener with `client` and `federation` resources must be
  # configured in the `worker_listeners` option in the worker config.
@ -203,7 +204,15 @@ matrix_synapse_workers_generic_worker_endpoints:
  # REST endpoints itself, but you should set `start_pushers: False` in the
  # shared configuration file to stop the main synapse sending push notifications.

-  # Note this worker cannot be load-balanced: only one instance should be active.
+  # To run multiple instances at once the `pusher_instances` option should list all
+  # pusher instances by their worker name, e.g.:
+
+  # ```yaml
+  # pusher_instances:
+  #     - pusher_worker1
+  #     - pusher_worker2
+  # ```
+
 # ]

 # appservice worker (no API endpoints) [