diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f7d45997..66c7ca73a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+# 2018-10-25
+
+## Support for controlling Matrix federation
+
+The playbook can now help you with [Controlling Matrix federation](docs/configuration-playbook-federation.md), should you wish to run a more private (isolated) server.
+
+
 # 2018-10-24
 
 ## Disabling riot-web guests
diff --git a/docs/configuration-playbook-federation.md b/docs/configuration-playbook-federation.md
new file mode 100644
index 000000000..02e69600f
--- /dev/null
+++ b/docs/configuration-playbook-federation.md
@@ -0,0 +1,28 @@
+# Controlling Matrix federation
+
+By default, your server federates with the whole Matrix network.
+That is, people on your server can communicate with people on any other Matrix server.
+
+
+## Federating only with select servers
+
+To make your server only federate with servers of your choosing, add this to your configuration file (`inventory/matrix./vars.yml`):
+
+```yaml
+matrix_synapse_federation_domain_whitelist:
+- example.com
+- another.com
+```
+
+If you wish to disable federation, you can do that with an empty list (`[]`), or better yet by completely disabling federation (see below).
+
+
+## Disabling federation
+
+To completely disable federation, isolating your server from the rest of the Matrix network, add this to your configuration file (`inventory/matrix./vars.yml`):
+
+```yaml
+matrix_synapse_federation_enabled: false
+```
+
+With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server.
\ No newline at end of file
diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md
index 19dab5c15..af9bef61d 100644
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -23,6 +23,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 ## Other configuration options
 
+- [Controlling Matrix federation](configuration-playbook-federation.md) (optional)
+
 - [Adjusting email-sending settings](configuring-playbook-email.md) (optional)
 
 - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional)
diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index 9551893d1..38d9b0f8b 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -86,6 +86,15 @@ matrix_synapse_event_cache_size: "100K"
 # - https://github.com/matrix-org/synapse/issues/3939
 matrix_synapse_cache_factor: 0.5
 
+# Controls whether Matrix Synapse will federate at all.
+# Disable this to completely isolate your server from the rest of the Matrix network.
+matrix_synapse_federation_enabled: true
+
+# A list of domain names that are allowed to federate with the given Matrix Synapse server.
+# An empty list value (`[]`) will also effectively stop federation, but if that's the desired
+# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
+matrix_synapse_federation_domain_whitelist: ~
+
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Synapse extensions that have been enabled.
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
index e70b30465..2b914e5e0 100644
--- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
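Review bot: The new comment on `matrix_synapse_federation_domain_whitelist` should make clear that this is an application-layer check performed inside Synapse and does not change network exposure: port 8448 stays published whenever `matrix_synapse_federation_enabled` is true (see the systemd template in this commit), so the federation listener still accepts connections from any server and only Synapse decides which origins to refuse, which is why Synapse's own sample config recommends firewalling the federation listener alongside this option. It would also help to state that the default `~` (YAML null) means the key is left out of homeserver.yaml entirely, which is what the template's `is not none` check relies on, whereas `[]` is emitted and blocks every remote server. Suggested addition after the existing comment: `# This is enforced by Synapse itself; port 8448 remains exposed, so also restrict it at the network level if you need isolation.`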
@@ -119,12 +119,16 @@ use_presence: {{ matrix_synapse_use_presence|to_json }}
 # - lon.example.com
 # - nyc.example.com
 # - syd.example.com
+{% if matrix_synapse_federation_domain_whitelist is not none %}
+federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
+{% endif %}
 
 # List of ports that Synapse should listen on, their purpose and their
 # configuration.
 listeners:
 # Main HTTPS listener
 # For when matrix traffic is sent directly to synapse.
+ {% if matrix_synapse_federation_enabled %}
 -
 # The port to listen for HTTPS requests on.
 port: 8448
@@ -157,6 +161,7 @@ listeners:
 # "/_matrix/my/custom/endpoint":
 # module: my_module.CustomRequestHandler
 # config: {}
+ {% endif %}
 
 # Unsecure HTTP listener,
 # For when matrix traffic passes through loadbalancer that unwraps TLS.
diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
index 829f73727..9940fd301 100644
--- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
@@ -29,7 +29,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 --log-driver=none \
 --env-file={{ matrix_environment_variables_data_path }}/synapse \
 --network={{ matrix_docker_network }} \
+ {% if matrix_synapse_federation_enabled %}
 -p 8448:8448 \
+ {% endif %}
 {% if not matrix_nginx_proxy_enabled %}
 -p 127.0.0.1:8008:8008 \
 {% endif %}
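Review bot: Wrapping the 8448 listener in `{% if matrix_synapse_federation_enabled %}` removes the federation listener (and, in the systemd hunk, its port mapping) but does not tell Synapse itself to stop federating: outbound federation attempts triggered by local users are still made, and any remaining listener that still carries the `federation` resource would keep answering federation requests — the other listeners are outside this hunk, so that needs checking. Synapse applies `federation_domain_whitelist` to both inbound and outbound requests, and the defaults file in this commit already relies on the empty-list behaviour, so the disabled case is more robust if the template also emits it: replace the first added `{% if %}` line with `{% if not matrix_synapse_federation_enabled %}` / `federation_domain_whitelist: []` / `{% elif matrix_synapse_federation_domain_whitelist is not none %}`, keeping the existing whitelist line and `{% endif %}`. The same reasoning applies to the `{% endif %}` hunk at line 157 and to the systemd template hunk, which complete this change. The `listeners:` block this hunk edits continues past the end of the hunk.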