Compare revisions

Jan Alexander Steffens (heftig) · Kristian Klausen · Kristian Klausen · Kristian Klausen · Kristian Klausen · 3c773eca
--- a/host_vars/gluebuddy.archlinux.org/misc
+++ b/host_vars/gluebuddy.archlinux.org/misc
 ---
 filesystem: btrfs
+wireguard_address: 10.0.0.36
+wireguard_public_key: iiwiHp6b9fmepXLNZ0xFMWIhF2u2a8oEpQI1TTDR4zI=
--- a/hosts
+++ b/hosts
@@ -140,6 +140,7 @@ md.archlinux.org
 man.archlinux.org
 dashboards.archlinux.org
 lists.archlinux.org
+gluebuddy.archlinux.org

 [wireguard]
 archlinux.org
@@ -176,6 +177,7 @@ md.archlinux.org
 man.archlinux.org
 dashboards.archlinux.org
 lists.archlinux.org
+gluebuddy.archlinux.org

 [kape_servers]
 asia.mirror.pkgbuild.com

--- a/playbooks/gluebuddy.archlinux.org.yml
+++ b/playbooks/gluebuddy.archlinux.org.yml
@@ -5,8 +5,8 @@
  remote_user: root
  roles:
    - { role: common }
-    - { role: tools }
    - { role: firewalld }
+    - { role: wireguard }
    - { role: sshd }
    - { role: root_ssh }
    - { role: gluebuddy }

--- a/playbooks/gluebuddy.yml
+++ b/playbooks/gluebuddy.yml
- name: setup gluebuddy.archlinux.org
-  hosts: gluebuddy.archlinux.org
-  remote_user: root
-  roles:
-    - { role: common }
-    - { role: sshd }
-    - { role: root_ssh }
-    - { role: borg_client, tags: ["borg"] }
-    - { role: sudo }
-    - { role: fail2ban }
-    - { role: prometheus_exporters }
-    - { role: promtail }
-    - { role: gluebuddy }
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -77,7 +77,7 @@
 - name: install synapse
  pip:
    name:
-      - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.50.1'
+      - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.51.0'
    state: latest
    extra_args: '--upgrade-strategy=eager'
    virtualenv: /var/lib/synapse/venv

--- a/roles/matrix/templates/homeserver.yaml.j2
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -74,13 +74,7 @@ server_name: "{{ matrix_server_name }}"
 #
 #pid_file: DATADIR/homeserver.pid

-# The absolute URL to the web client which /_matrix/client will redirect
-# to if 'webclient' is configured under the 'listeners' configuration.
-#
-# This option can be also set to the filesystem path to the web client
-# which will be served at /_matrix/client/ if 'webclient' is configured
-# under the 'listeners' configuration, however this is a security risk:
-# https://github.com/matrix-org/synapse#security-note
+# The absolute URL to the web client which / will redirect to.
 #
 #web_client_location: https://riot.example.com/

@@ -164,7 +158,7 @@ allow_public_rooms_over_federation: true
 # The default room version for newly created rooms.
 #
 # Known room versions are listed here:
-# https://matrix.org/docs/spec/#complete-list-of-room-versions
+# https://spec.matrix.org/latest/rooms/#complete-list-of-room-versions
 #
 # For example, for room version 1, default_room_version should be set
 # to "1".
@@ -310,8 +304,6 @@ allow_public_rooms_over_federation: true
 #   static: static resources under synapse/static (/_matrix/static). (Mostly
 #       useful for 'fallback authentication'.)
 #
-#   webclient: A web client. Requires web_client_location to be set.
-#
 listeners:
  # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
  #
@@ -1527,6 +1519,21 @@ room_prejoin_state:
   #additional_event_types:
   #  - org.example.custom.event.type

+# We record the IP address of clients used to access the API for various
+# reasons, including displaying it to the user in the "Where you're signed in"
+# dialog.
+#
+# By default, when puppeting another user via the admin API, the client IP
+# address is recorded against the user who created the access token (ie, the
+# admin user), and *not* the puppeted user.
+#
+# Uncomment the following to also record the IP address against the puppeted
+# user. (This also means that the puppeted user will count as an "active" user
+# for the purpose of monthly active user tracking - see 'limit_usage_by_mau' etc
+# above.)
+#
+#track_puppeted_user_ips: true
+

 # A list of application service config files to use
 #
@@ -1893,10 +1900,13 @@ saml2_config:
 #       Defaults to false. Avoid this in production.
 #
 #   user_profile_method: Whether to fetch the user profile from the userinfo
-#       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
+#       endpoint, or to rely on the data returned in the id_token from the
+#       token_endpoint.
+#
+#       Valid values are: 'auto' or 'userinfo_endpoint'.
 #
-#       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
-#       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
+#       Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
+#       not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
 #       userinfo endpoint.
 #
 #   allow_existing_users: set to 'true' to allow a user logging in via OIDC to
No results found