From 11bd9019d91997639dff0f5933a38a72bba00169 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Sun, 29 Mar 2020 11:48:38 +0200
Subject: [PATCH] matrix: update config and set max_body_size

---
 .../matrix-synapse/homeserver.yaml.j2 | 95 +++++++++++++++++--
 roles/matrix/templates/vhost.j2 | 4 +
 2 files changed, 93 insertions(+), 6 deletions(-)

diff --git a/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2 b/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
index 03a6430..0bce7ef 100644
--- a/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
+++ b/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
@@ -1,3 +1,11 @@
+# Configuration file for Synapse.
+#
+# This is a YAML file: see [1] for a quick introduction. Note in particular
+# that *indentation is important*: all the elements of a list or dictionary
+# should have the same indentation.
+#
+# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+
 ## Server ##
 # The domain name of the server, with optional explicit port.
@@ -24,7 +32,7 @@ pid_file: "/var/run/matrix-synapse.pid"
 # use synapse with a reverse proxy, this should be the URL to reach
 # synapse via the proxy.
 #
-#public_baseurl: https://example.com/
+public_baseurl: https://{{ matrix_domain }}/
 # Set the soft limit on the number of file descriptors synapse can use
 # Zero is used to indicate synapse should set the soft limit to the
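Review bot: The new `public_baseurl` line leaves the Jinja-templated value unquoted; the rendered text is parsed as YAML afterwards, so write `public_baseurl: "https://{{ matrix_domain }}/"` to keep the scalar a string regardless of what `matrix_domain` expands to (an empty expansion otherwise renders as `https:///`, and nothing in the template guards that). The surrounding comment says this must be the URL at which Synapse is reached through the reverse proxy, i.e. the externally visible scheme and host rather than the backend on port 8008, and since vhost.j2 derives its certificate paths from the same `matrix_domain` I'd record that coupling in the template: `# Public origin behind nginx; must match the vhost's certificate/host name in vhost.j2`. Whether `matrix_domain` is validated anywhere is not visible from this patch.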
@@ -456,6 +464,11 @@ retention:
 # ACME support: This will configure Synapse to request a valid TLS certificate
 # for your configured `server_name` via Let's Encrypt.
 #
+# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
+# ACME v2. This means that this feature currently won't work with installs set
+# up after November 2019. For more info, and alternative solutions, see
+# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
+#
 # Note that provisioning a certificate in this way requires port 80 to be
 # routed to Synapse so that it can complete the http-01 ACME challenge.
 # By default, if you enable ACME support, Synapse will attempt to listen on
@@ -688,7 +701,7 @@ media_store_path: "/var/lib/matrix-synapse/media"
 # The largest allowed upload size in bytes
 #
-#max_upload_size: 10M
+max_upload_size: 5M
 # Maximum number of pixels that will be thumbnailed
 #
@@ -1325,6 +1338,25 @@ saml2_config:
 #
 #grandfathered_mxid_source_attribute: upn
+ # Directory in which Synapse will try to find the template files below.
+ # If not set, default templates from within the Synapse package will be used.
+ #
+ # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
+ # If you *do* uncomment it, you will need to make sure that all the templates
+ # below are in the directory.
+ #
+ # Synapse will look for the following templates in this directory:
+ #
+ # * HTML page to display to users if something goes wrong during the
+ # authentication process: 'saml_error.html'.
+ #
+ # This template doesn't currently need any variable to render.
+ #
+ # You can see the default templates at:
+ # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
+ #
+ #template_dir: "res/templates"
+
 # Enable CAS for registration and login.
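Review bot: Lowering `max_upload_size` to 5M does more than bound client uploads: as far as I recall the media repository passes this same value as the size cap when it downloads remote media from other homeservers, so users on this server will no longer be able to view attachments over 5M sent from federated rooms; if that is the intent it deserves a comment, otherwise the limit should be raised back. The value is also now coupled to `client_max_body_size` in vhost.j2 (both Synapse's size parser and nginx read `M` as 1024*1024 bytes, so the two 5M values agree today), and nothing in the template says so; I'd add `# Must not exceed client_max_body_size in roles/matrix/templates/vhost.j2` above the key, or render both from one role variable so they cannot drift apart.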
@@ -1338,6 +1370,56 @@ saml2_config:
 #
 # name: value
+# Additional settings to use with single-sign on systems such as SAML2 and CAS.
+#
+sso:
+ # A list of client URLs which are whitelisted so that the user does not
+ # have to confirm giving access to their account to the URL. Any client
+ # whose URL starts with an entry in the following list will not be subject
+ # to an additional confirmation step after the SSO login is completed.
+ #
+ # WARNING: An entry such as "https://my.client" is insecure, because it
+ # will also match "https://my.client.evil.site", exposing your users to
+ # phishing attacks from evil.site. To avoid this, include a slash after the
+ # hostname: "https://my.client/".
+ #
+ # By default, this list is empty.
+ #
+ #client_whitelist:
+ # - https://riot.im/develop
+ # - https://my.custom.client/
+ # Directory in which Synapse will try to find the template files below.
+ # If not set, default templates from within the Synapse package will be used.
+ #
+ # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
+ # If you *do* uncomment it, you will need to make sure that all the templates
+ # below are in the directory.
+ #
+ # Synapse will look for the following templates in this directory:
+ #
+ # * HTML page for a confirmation step before redirecting back to the client
+ # with the login token: 'sso_redirect_confirm.html'.
+ #
+ # When rendering, this template is given three variables:
+ # * redirect_url: the URL the user is about to be redirected to. Needs
+ # manual escaping (see
+ # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
+ #
+ # * display_url: the same as `redirect_url`, but with the query
+ # parameters stripped. The intention is to have a
+ # human-readable URL to show to users, not to use it as
+ # the final address to redirect to. Needs manual escaping
+ # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
+ #
+ # * server_name: the homeserver's name.
+ #
+ # You can see the default templates at:
+ # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
+ #
+ #template_dir: "res/templates"
+
+
 # The JWT needs to contain a globally unique "sub" (subject) claim.
 #
 #jwt_config:
@@ -1387,10 +1469,6 @@ email:
 #
 #require_transport_security: true
- # Enable sending emails for messages that the user has missed
- #
- #enable_notifs: false
-
 # notif_from defines the "From" address to use when sending emails.
 # It must be set if email sending is enabled.
 #
@@ -1408,6 +1486,11 @@ email:
 #
 #app_name: my_branded_matrix_server
+ # Uncomment the following to enable sending emails for messages that the user
+ # has missed. Disabled by default.
+ #
+ #enable_notifs: true
+
 # Uncomment the following to disable automatic subscription to email
 # notifications for new users. Enabled by default.
 #
diff --git a/roles/matrix/templates/vhost.j2 b/roles/matrix/templates/vhost.j2
index d34cb66..14037d4 100644
--- a/roles/matrix/templates/vhost.j2
+++ b/roles/matrix/templates/vhost.j2
@@ -23,6 +23,8 @@ server {
 ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
 ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
+ client_max_body_size 5M;
+
 location / {
 proxy_pass http://localhost:8008;
 proxy_set_header X-Forwarded-For $remote_addr;
@@ -38,6 +40,8 @@ server {
 ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
 ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
+ client_max_body_size 5M;
+
 location / {
 proxy_pass http://localhost:8008;
 proxy_set_header X-Forwarded-For $remote_addr;
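Review bot: With `client_max_body_size 5M` set exactly equal to Synapse's new `max_upload_size`, any upload larger than 5M is rejected by nginx itself with its plain HTML 413 before Synapse sees it, so Matrix clients never get the JSON `M_TOO_LARGE` error they know how to display and show a generic failure instead; a small margin such as `client_max_body_size 6M;` keeps nginx as the hard backstop while letting Synapse produce the proper error. The directive sits at `server` scope, so it caps every request proxied to port 8008, not only media uploads: if the second server block is the federation listener, inbound federation transactions are now limited to 5M as well, which is probably acceptable but worth a comment such as `# Backstop for Synapse's max_upload_size; also bounds federation PUTs`. Both server blocks repeat the same literal, and a third copy lives in homeserver.yaml.j2, so rendering all three from one role variable would stop them drifting. The `server {` blocks begin above the hunks.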