diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml index 4033106afd3d3b60ebddfdca0268e6357b82db7a..4eee5e151eac188a980e7a03a891ae825697fd2a 100644 --- a/roles/matrix/tasks/main.yml +++ b/roles/matrix/tasks/main.yml @@ -78,7 +78,7 @@ - name: install synapse pip: name: - - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.36.0' + - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.37.1' state: latest extra_args: '--upgrade-strategy=eager' virtualenv: /var/lib/synapse/venv diff --git a/roles/matrix/templates/homeserver.yaml.j2 b/roles/matrix/templates/homeserver.yaml.j2 index c7e659902a9666383b5cf6f374cd217251782419..01a4198041134228997cdd1380ddf575343e94e3 100644 --- a/roles/matrix/templates/homeserver.yaml.j2 +++ b/roles/matrix/templates/homeserver.yaml.j2 @@ -21,6 +21,33 @@ # # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html + +## Modules ## + +# Server admins can expand Synapse's functionality with external modules. +# +# See https://matrix-org.github.io/synapse/develop/modules.html for more +# documentation on how to configure or create custom modules for Synapse. +# +modules: + # - module: my_super_module.MySuperClass + # config: + # do_thing: true + # - module: my_other_super_module.SomeClass + # config: {} + +spam_checker: + - module: mjolnir.AntiSpam + config: + block_invites: true + block_messages: false + block_usernames: false + ban_lists: + - "!WuBtumawCeOGEieRrp:matrix.org" # #matrix-org-coc-bl:matrix.org + - "!tUPwPPmVTaiKXMiijj:matrix.org" # #matrix-org-hs-tos-bl:matrix.org + - "!vmRBOqUEHGdNBeweth:archlinux.org" # #banlist:archlinux.org + + ## Server ## # The public-facing domain of the server 
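Review bot: The relocated `spam_checker` block drops every per-option comment that the removed copy (the -2591 hunk later in this diff) carried, so a reader of the new top-of-file section no longer learns what `block_invites`/`block_messages`/`block_usernames` do or that the server must already be joined to the `ban_lists` rooms; consider restoring them, e.g. `# The room IDs of the ban lists to honour. This server is expected to already be joined to the room - Mjolnir will not automatically join these rooms.` above `ban_lists:`. Separately, `modules:` followed only by commented-out entries parses as YAML null rather than an empty list; the upstream sample config presumably uses the same form and Synapse tolerates it, but `modules: []` states the intent without relying on the consumer treating null as empty. Since this file is a Jinja template, the three ban-list room IDs are hard-coded where the rest of the file uses role variables such as `{{ matrix_domain }}` — acceptable if intentional, but a one-line comment saying so would help.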
@@ -553,13 +580,9 @@ retention: # This certificate, as of Synapse 1.0, will need to be a valid and verifiable # certificate, signed by a recognised Certificate Authority. # -# See 'ACME support' below to enable auto-provisioning this certificate via -# Let's Encrypt. -# -# If supplying your own, be sure to use a `.pem` file that includes the -# full certificate chain including any intermediate certificates (for -# instance, if using certbot, use `fullchain.pem` as your certificate, -# not `cert.pem`). +# Be sure to use a `.pem` file that includes the full certificate chain including +# any intermediate certificates (for instance, if using certbot, use +# `fullchain.pem` as your certificate, not `cert.pem`). # #tls_certificate_path: "CONFDIR/SERVERNAME.tls.crt" 
@@ -610,80 +633,6 @@ retention: # - myCA2.pem # - myCA3.pem -# ACME support: This will configure Synapse to request a valid TLS certificate -# for your configured `server_name` via Let's Encrypt. -# -# Note that ACME v1 is now deprecated, and Synapse currently doesn't support -# ACME v2. This means that this feature currently won't work with installs set -# up after November 2019. For more info, and alternative solutions, see -# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 -# -# Note that provisioning a certificate in this way requires port 80 to be -# routed to Synapse so that it can complete the http-01 ACME challenge. -# By default, if you enable ACME support, Synapse will attempt to listen on -# port 80 for incoming http-01 challenges - however, this will likely fail -# with 'Permission denied' or a similar error. -# -# There are a couple of potential solutions to this: -# -# * If you already have an Apache, Nginx, or similar listening on port 80, -# you can configure Synapse to use an alternate port, and have your web -# server forward the requests. For example, assuming you set 'port: 8009' -# below, on Apache, you would write: -# -# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge -# -# * Alternatively, you can use something like `authbind` to give Synapse -# permission to listen on port 80. -# -acme: - # ACME support is disabled by default. Set this to `true` and uncomment - # tls_certificate_path and tls_private_key_path above to enable it. - # - enabled: false - - # Endpoint to use to request certificates. If you only want to test, - # use Let's Encrypt's staging url: - # https://acme-staging.api.letsencrypt.org/directory - # - #url: https://acme-v01.api.letsencrypt.org/directory - - # Port number to listen on for the HTTP-01 challenge. Change this if - # you are forwarding connections through Apache/Nginx/etc. 
- # - port: 80 - - # Local addresses to listen on for incoming connections. - # Again, you may want to change this if you are forwarding connections - # through Apache/Nginx/etc. - # - bind_addresses: ['::', '0.0.0.0'] - - # How many days remaining on a certificate before it is renewed. - # - reprovision_threshold: 30 - - # The domain that the certificate should be for. Normally this - # should be the same as your Matrix domain (i.e., 'server_name'), but, - # by putting a file at 'https://<server_name>/.well-known/matrix/server', - # you can delegate incoming traffic to another server. If you do that, - # you should give the target of the delegation here. - # - # For example: if your 'server_name' is 'example.com', but - # 'https://example.com/.well-known/matrix/server' delegates to - # 'matrix.example.com', you should put 'matrix.example.com' here. - # - # If not set, defaults to your 'server_name'. - # - domain: {{ matrix_domain }} - - # file to use for the account key. This will be generated if it doesn't - # exist. - # - # If unspecified, we will use CONFDIR/client.key. - # - account_key_file: DATADIR/acme_account.key - ## Federation ## @@ -2063,6 +2012,17 @@ sso: # - https://riot.im/develop # - https://my.custom.client/ + # Uncomment to keep a user's profile fields in sync with information from + # the identity provider. Currently only syncing the displayname is + # supported. Fields are checked on every SSO login, and are updated + # if necessary. + # + # Note that enabling this option will override user profile information, + # regardless of whether users have opted-out of syncing that + # information when first signing in. Defaults to false. + # + #update_profile_information: true + # Directory in which Synapse will try to find the template files below. # If not set, or the files named below are not found within the template # directory, default templates from within the Synapse package will be used. 
@@ -2344,6 +2304,10 @@ ui_auth: # the user-interactive authentication process, by allowing for multiple # (and potentially different) operations to use the same validation session. # + # This is ignored for potentially "dangerous" operations (including + # deactivating an account, modifying an account password, and + # adding a 3PID). + # # Uncomment below to allow for credential validation to last for 15 # seconds. # @@ -2591,33 +2555,6 @@ push: #group_unread_count_by_room: false -# Spam checkers are third-party modules that can block specific actions -# of local users, such as creating rooms and registering undesirable -# usernames, as well as remote users by redacting incoming events. -# -spam_checker: - - module: mjolnir.AntiSpam - config: - # Prevent servers/users in the ban lists from inviting users on this - # server to rooms. Default true. - block_invites: true - # Flag messages sent by servers/users in the ban lists as spam. Currently - # this means that spammy messages will appear as empty to users. Default - # false. - block_messages: false - # Remove users from the user directory search by filtering matrix IDs and - # display names by the entries in the user ban list. Default false. - block_usernames: false - # The room IDs of the ban lists to honour. Unlike other parts of Mjolnir, - # this list cannot be room aliases or permalinks. This server is expected - # to already be joined to the room - Mjolnir will not automatically join - # these rooms. - ban_lists: - - "!WuBtumawCeOGEieRrp:matrix.org" # #matrix-org-coc-bl:matrix.org - - "!tUPwPPmVTaiKXMiijj:matrix.org" # #matrix-org-hs-tos-bl:matrix.org - - "!vmRBOqUEHGdNBeweth:archlinux.org" # #banlist:archlinux.org - - ## Rooms ## # Controls whether locally-created rooms should be end-to-end encrypted by