chore: publish 7.0.2+v1.149.1 release

Reviewed-on: https://git.coopcloud.tech/coop-cloud/matrix-synapse/pulls/55

.env.sample

@@ -33,7 +33,7 @@ ALLOW_PUBLIC_ROOMS_FEDERATION=false
 ENABLE_REGISTRATION=false
 PASSWORD_LOGIN_ENABLED=true
 
-# Token based registration. Enable ADMIN_INTERFACE_ENABLED=1 (below) to use the admin interface to generate tokens.
+# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
 #REGISTRATION_REQUIRES_TOKEN=true
 
 ## Room auto-join
@@ -68,6 +68,14 @@ ENCRYPTED_BY_DEFAULT=all
 # Set these to keyservers you trust - usually the same as your federation allowlist
 #TRUSTED_KEYSERVERS="trusted_key_servers:\n  - server_name: 'example.com'\n  - server_name: 'example2.com'"
 
+# some optional configs to increase privacy and security
+#REQUIRE_AUTH_FOR_PROFILE_REQUESTS=true
+#LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=true
+#DELETE_STALE_DEVICES_AFTER=1y
+#SESSION_LIFETIME=60d
+#TRACK_PUPPETED_USER_IPS=true
+
+
 ## Retention
 
 ALLOWED_LIFETIME_MAX=4w
@@ -78,6 +86,11 @@ RETENTION_MAX_LIFETIME=4w
 #MEDIA_RETENTION_LOCAL_LIFETIME=30d
 #MEDIA_RETENTION_REMOTE_LIFETIME=14d
 
+## Old Signing Key
+#OLD_SIGNING_KEY_ID=a_OLDKEYID
+#OLD_SIGNING_KEY=base64string
+#OLD_SIGNING_KEY_EXPIRES=123456789123
+
 ## Ratelimit
 
 #LOGIN_LIMIT_IP_PER_SECOND=5
@@ -126,6 +139,13 @@ RETENTION_MAX_LIFETIME=4w
 #SMTP_USER=
 #SECRET_SMTP_PASSWORD_VERSION=v1
 
+## USER-DIRECTORY
+
+#USER_DIRECTORY_ENABLED=true
+#USER_DIRECTORY_SEARCH_ALL_USERS=true
+#USER_DIRECTORY_PREFER_LOCAL_USERS=true
+#USER_DIRECTORY_SHOW_LOCKED_USERS=false
+
 ## App services
 
 #APP_SERVICES_ENABLED=1

abra.sh

@@ -1,14 +1,14 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
 export ENTRYPOINT_CONF_VERSION=v3
-export HOMESERVER_YAML_VERSION=v30
+export HOMESERVER_YAML_VERSION=v35
 export LOG_CONFIG_VERSION=v2
 export SHARED_SECRET_AUTH_VERSION=v2
 export SIGNAL_BRIDGE_YAML_VERSION=v6
 export TELEGRAM_BRIDGE_YAML_VERSION=v6
-export NGINX_CONFIG_VERSION=v8
+export NGINX_CONFIG_VERSION=v12
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v1
-export PG_BACKUP_VERSION=v1
+export PG_BACKUP_VERSION=v2
 export ADMIN_CONFIG_VERSION=v1
 
 set_admin () {

compose.admin.yml

@@ -3,13 +3,13 @@ version: "3.8"
 
 services:
   admin:
-    image: awesometechnologies/synapse-admin:0.10.3
+    image: awesometechnologies/synapse-admin:0.11.4
     networks:
       - proxy
     deploy:
       labels:
         - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
+        - "traefik.swarm.network=proxy"
         - "traefik.http.services.${STACK_NAME}_admin.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}_admin.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})&&PathPrefix(`/admin`)"
         - "traefik.http.routers.${STACK_NAME}_admin.entrypoints=web-secure"

compose.shared_secret_auth.yml

@@ -9,7 +9,7 @@ services:
       - shared_secret_auth
     configs:
       - source: shared_secret_auth
-        target: /usr/local/lib/python3.12/site-packages/shared_secret_authenticator.py
+        target: /usr/local/lib/python3.13/site-packages/shared_secret_authenticator.py
 
 configs:
   shared_secret_auth:

compose.signal.yml

@@ -10,7 +10,7 @@ services:
       - signal-data:/signal-data
 
   signalbridge:
-    image: dock.mau.dev/mautrix/signal:v0.7.5
+    image: dock.mau.dev/mautrix/signal:v0.8.7
     depends_on:
       - signaldb
     configs:

compose.telegram.yml

@@ -10,7 +10,7 @@ services:
       - telegram-data:/telegram-data
 
   telegrambridge:
-    image: dock.mau.dev/mautrix/telegram:v0.15.2
+    image: dock.mau.dev/mautrix/telegram:v0.15.3
     depends_on:
       - telegramdb
     configs:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   web:
-    image: nginx:1.27.4
+    image: nginx:1.29.6
     networks:
       - proxy
       - internal
@@ -12,6 +12,7 @@ services:
       - STACK_NAME
       - NGINX_ACCESS_LOG_LOCATION
       - NGINX_ERROR_LOG_LOCATION
+      - MAX_UPLOAD_SIZE
     configs:
       - source: nginx_config
         target: /etc/nginx/nginx.conf
@@ -21,7 +22,7 @@ services:
         target: /var/www/.well-known/matrix/client
     deploy:
       restart_policy:
-        condition: on-failure
+        condition: any
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
@@ -30,12 +31,13 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
     healthcheck:
       test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
-      interval: 5s
+      interval: 30s
-      timeout: 3s
+      timeout: 15s
-      retries: 20
+      retries: 90
+      start_period: 2m
 
   app:
-    image: "matrixdotorg/synapse:v1.124.0"
+    image: "matrixdotorg/synapse:v1.149.1"
     volumes:
       - "data:/data"
     secrets:
@@ -55,7 +57,19 @@ services:
       - ENABLE_REGISTRATION
       - REGISTRATION_REQUIRES_TOKEN
       - ENCRYPTED_BY_DEFAULT
+      - OLD_SIGNING_KEY
+      - OLD_SIGNING_KEY_ID
+      - OLD_SIGNING_KEY_EXPIRES
+      - USER_DIRECTORY_ENABLED=${USER_DIRECTORY_ENABLED:-true}
+      - USER_DIRECTORY_SEARCH_ALL_USERS=${USER_DIRECTORY_SEARCH_ALL_USERS:-true}
+      - USER_DIRECTORY_PREFER_LOCAL_USERS=${USER_DIRECTORY_PREFER_LOCAL_USERS:-true}
+      - USER_DIRECTORY_SHOW_LOCKED_USERS=${USER_DIRECTORY_SHOW_LOCKED_USERS:-false}
       - FEDERATION_ALLOWLIST
+      - REQUIRE_AUTH_FOR_PROFILE_REQUESTS=${REQUIRE_AUTH_FOR_PROFILE_REQUESTS:-false}
+      - LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=${LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS:-false}
+      - DELETE_STALE_DEVICES_AFTER
+      - SESSION_LIFETIME
+      - TRACK_PUPPETED_USER_IPS=${TRACK_PUPPETED_USER_IPS:-false}
       - LETSENCRYPT_HOST=${DOMAIN}
       - MEDIA_RETENTION_LOCAL_LIFETIME
       - MEDIA_RETENTION_REMOTE_LIFETIME
@@ -92,34 +106,33 @@ services:
       restart_policy:
         condition: on-failure
       labels:
-        - "coop-cloud.${STACK_NAME}.version=6.6.1+v1.124.0"
+        - "coop-cloud.${STACK_NAME}.version=7.0.2+v1.149.1"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
       interval: 30s
       timeout: 10s
-      retries: 10
+      retries: 30
       start_period: 1m
 
   db:
-    image: postgres:13-alpine
+    image: pgautoupgrade/pgautoupgrade:17-alpine
     secrets:
       - db_password
     environment:
       - LC_COLLATE=C
       - LC_CTYPE=C
       - POSTGRES_DB=synapse
-      - POSTGRES_INITDB_ARGS="-E \"UTF8\""
+      - POSTGRES_INITDB_ARGS=-E UTF8
       - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
       - POSTGRES_USER=synapse
       - DOMAIN
     networks:
       - internal
     healthcheck:
-      test: ["CMD", "pg_isready", "-U", "synapse"]
       interval: 30s
       timeout: 10s
-      retries: 10
+      retries: 20
       start_period: 1m
     volumes:
       - postgres:/var/lib/postgresql/data
@@ -128,11 +141,11 @@ services:
         backupbot.backup: "${ENABLE_BACKUPS:-true}"
         backupbot.backup.pre-hook: "/pg_backup.sh backup"
         backupbot.backup.volumes.postgres.path: "backup.sql"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
+        backupbot.restore.post-hook: "/pg_backup.sh restore"
     configs:
-        - source: pg_backup
+      - source: pg_backup
-          target: /pg_backup.sh
+        target: /pg_backup.sh
-          mode: 0555
+        mode: 0555
 
 volumes:
   data:

homeserver.yaml.tmpl

@@ -16,6 +16,12 @@ server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#public_baseurl
 public_baseurl: https://{{ env "DOMAIN" }}/
 
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#require_auth_for_profile_requests
+require_auth_for_profile_requests: {{ env "REQUIRE_AUTH_FOR_PROFILE_REQUESTS" }}
+
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_profile_requests_to_users_who_share_rooms
+limit_profile_requests_to_users_who_share_rooms: {{ env "LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS" }}
+
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown
 serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
 
@@ -52,6 +58,11 @@ listeners:
       {{ end }}
     {{ end }}
 
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#delete_stale_devices_after
+{{ if (env "DELETE_STALE_DEVICES_AFTER") }}
+delete_stale_devices_after: {{ env "DELETE_STALE_DEVICES_AFTER" }}
+{{ end }}
+
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact
 admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}'
 
@@ -132,6 +143,7 @@ turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration
 enable_registration: {{ env "ENABLE_REGISTRATION" }}
 
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_requires_token
 registration_requires_token: {{ env "REGISTRATION_REQUIRES_TOKEN" }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup
@@ -145,13 +157,28 @@ registration_shared_secret: {{ secret "registration" }}
 
 {{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#auto_join_rooms
+
+# AUTO_JOIN_ROOM only for backwards compatibility
+{{ if (env "AUTO_JOIN_ROOM") }}
 auto_join_rooms:
   - "{{ env "AUTO_JOIN_ROOM" }}"
+{{ else }}
+auto_join_rooms: {{ env "AUTO_JOIN_ROOM_LIST" }}
+{{ end }}
+
+{{ end }}
+
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#session_lifetime
+{{ if (env "SESSION_LIFETIME") }}
+session_lifetime: {{ env "SESSION_LIFETIME" }}
 {{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#report_stats
 report_stats: false
 
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#track_puppeted_user_ips
+track_puppeted_user_ips: {{ env "TRACK_PUPPETED_USER_IPS" }}
+
 {{ if eq (env "APP_SERVICES_ENABLED") "1" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files
 app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }}
@@ -166,6 +193,12 @@ form_secret: "{{ secret "form_secret" }}"
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#signing_key_path
 signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"
 
+# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#old_signing_keys
+{{ if (and (env "OLD_SIGNING_KEY_ID") (env "OLD_SIGNING_KEY") (env "OLD_SIGNING_KEY_EXPIRES")) }}
+old_signing_keys:
+  "ed25519:{{ env "OLD_SIGNING_KEY_ID" }}": { key: "{{ env "OLD_SIGNING_KEY" }}", expired_ts: {{ env "OLD_SIGNING_KEY_EXPIRES" }} }
+{{ end }}
+
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers
 {{ if eq (env "ENABLE_ALLOWLIST") "1" }}
 trusted_key_servers: [] # NOTE(d1): defaults to requesting server directly, which matches FEDERATION_ALLOWLIST
@@ -248,9 +281,10 @@ encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory
 user_directory:
-  enabled: true
+  enabled: {{ env "USER_DIRECTORY_ENABLED" }}
-  search_all_users: true
+  search_all_users: {{ env "USER_DIRECTORY_SEARCH_ALL_USERS" }}
-  prefer_local_users: true
+  prefer_local_users: {{ env "USER_DIRECTORY_PREFER_LOCAL_USERS" }}
+  show_locked_users: {{ env "USER_DIRECTORY_SHOW_LOCKED_USERS" }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention
 media_retention:

nginx.conf.tmpl

@@ -5,6 +5,16 @@ events {
 }
 
 http {
+
+  resolver 127.0.0.11 valid=30s ipv6=off;
+  resolver_timeout 5s;
+
+  upstream matrix_upstream {
+    zone matrix_upstream 64k;
+    server {{ env "STACK_NAME"}}_app:8008 resolve;
+    keepalive 16;
+  }
+
   server {
     listen 80;
 
@@ -14,7 +24,7 @@ http {
     server_name {{ env "DOMAIN" }};
 
     location = / {
-      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
+      proxy_pass http://matrix_upstream;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto https;
       proxy_set_header Host $host;
@@ -23,7 +33,7 @@ http {
     }
     
     location ~* ^(\/_matrix|\/_synapse\/client) {
-      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
+      proxy_pass http://matrix_upstream;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto https;
       proxy_set_header Host $host;
@@ -42,7 +52,7 @@ http {
       if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
         return 403;
       }
-      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
+      proxy_pass http://matrix_upstream;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto https;
       proxy_set_header Host $host;

pg_backup.sh

@@ -6,7 +6,7 @@ BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
 
 function backup {
   export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
-  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} | gzip > $BACKUP_FILE
 }
 
 function restore {
@@ -25,7 +25,7 @@ function restore {
     # Recreate Database
     psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
     createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
-    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+    gunzip -c $BACKUP_FILE | psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f -
 
     trap - EXIT INT TERM
     restore_config

release/6.6.2+v1.124.0

@@ -0,0 +1 @@
+new optional env vars for user_directory and privacy options

release/6.6.3+v1.124.0

@@ -0,0 +1 @@
+added env for old-signing-keys

release/6.7.1+v1.133.0

@@ -0,0 +1 @@
+This patch contains a critical nginx fix, to allow resolving docker internal hosts.

release/6.8.2+v1.139.2

@@ -0,0 +1 @@
+this patch is a reset to the state of the last known deploying version 6.8.0 – so better skip 6.8.1

release/7.0.0+v1.149.1

@@ -0,0 +1,2 @@
+WARNING: Backup your database!
+This upgrade switches the database image from postgres to pgautoupgrade and performs an in-place database upgrades from version 13 to 17.