diff --git a/CHANGELOG.md b/CHANGELOG.md
index 14e45a155..b23ed359f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
 # 2018-09-07
-## Statistics-reporting support
+## Password-peppering support for Matrix Synapse
+
+The playbook now supports enabling password-peppering for increased security in Matrix Synapse via the `matrix_synapse_password_config_pepper` playbook variable. Using a password pepper is disabled by default (just like it used to be before this playbook variable got introduced) and is not to be enabled/disabled after initial setup, as that would invalidate all existing passwords.
+
+
+## Statistics-reporting support for Matrix Synapse
 There's now a new `matrix_synapse_report_stats` playbook variable, which controls the `report_stats` configuration option for Matrix Synapse. It defaults to `false`, so no change is required to retain your privacy.
diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index 57a9ebb19..5143d5c13 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -68,6 +68,9 @@ matrix_synapse_rc_message_burst_count: 10.0
 # (things like number of users, number of messages sent, uptime, load, etc.)
 matrix_synapse_report_stats: false
+# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup.
+matrix_synapse_password_config_pepper: ""
+
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Synapse extensions that have been enabled.
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
index 5f100e7d8..9ee67f1ec 100644
--- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
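Review bot: In roles/matrix-server/defaults/main.yml the comment added above `matrix_synapse_password_config_pepper` does not say that the value is a secret, nor that the empty default leaves peppering off, which is what the CHANGELOG entry in the same commit states. I would extend it to two comment lines: `# Password pepper for Matrix Synapse: a long random secret string. "" (the default) leaves peppering disabled.` and `# Set it at initial setup only; enabling, disabling or changing it later invalidates all existing passwords.` Since the value lands in inventory vars, a third line recommending an encrypted vars file (for example ansible-vault) rather than plain text in version control would also help operators.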
@@ -538,7 +538,7 @@ password_config:
 enabled: true
 # Uncomment and change to a secret random string for extra security.
 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
- #pepper: ""
+ pepper: "{{ matrix_synapse_password_config_pepper }}"
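Review bot: The new `pepper:` line interpolates the variable inside a hand-written double-quoted YAML scalar, so a pepper containing `"` or `\` would either break parsing of the rendered homeserver.yaml or be read by Synapse as a different string than the operator configured. Letting Ansible produce the quoting avoids both: `pepper: {{ matrix_synapse_password_config_pepper | to_json }}`. The key is also now rendered unconditionally, so the empty default yields `pepper: ""`; that is presumably equivalent to the old commented-out line, but it is worth confirming against Synapse. The "Uncomment and change…" comment kept above it no longer describes the template and could instead point to the playbook variable. The `password_config:` mapping begins above this hunk.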