Merge branch '6.8.1fix'

Reviewed-on: #52

.env.sample

@@ -33,13 +33,15 @@ ALLOW_PUBLIC_ROOMS_FEDERATION=false
 ENABLE_REGISTRATION=false
 PASSWORD_LOGIN_ENABLED=true
 
-# Token based registration. Enable ADMIN_INTERFACE_ENABLED=1 (below) to use the admin interface to generate tokens.
+# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
 #REGISTRATION_REQUIRES_TOKEN=true
 
 ## Room auto-join
 
 #AUTO_JOIN_ROOM_ENABLED=1
+#AUTO_JOIN_ROOM is deprecated, but kept for backward compatibility. Please use only one, and prefer AUTO_JOIN_ROOM_LIST.
 #AUTO_JOIN_ROOM="#example:example.com"
+#AUTO_JOIN_ROOM_LIST="[\"#room1:example.com\",\"#room2:example.com\"]"
 
 ## Logging
 
@@ -86,6 +88,13 @@ RETENTION_MAX_LIFETIME=4w
 #MEDIA_RETENTION_LOCAL_LIFETIME=30d
 #MEDIA_RETENTION_REMOTE_LIFETIME=14d
 
+MAX_UPLOAD_SIZE=50M
+
+## Old Signing Key
+#OLD_SIGNING_KEY_ID=a_OLDKEYID
+#OLD_SIGNING_KEY=base64string
+#OLD_SIGNING_KEY_EXPIRES=123456789123
+
 ## Ratelimit
 
 #LOGIN_LIMIT_IP_PER_SECOND=5

abra.sh

@@ -1,11 +1,11 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
 export ENTRYPOINT_CONF_VERSION=v3
-export HOMESERVER_YAML_VERSION=v31
+export HOMESERVER_YAML_VERSION=v34
 export LOG_CONFIG_VERSION=v2
 export SHARED_SECRET_AUTH_VERSION=v2
 export SIGNAL_BRIDGE_YAML_VERSION=v6
 export TELEGRAM_BRIDGE_YAML_VERSION=v6
-export NGINX_CONFIG_VERSION=v8
+export NGINX_CONFIG_VERSION=v11
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v1
 export PG_BACKUP_VERSION=v1

compose.admin.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   admin:
-    image: awesometechnologies/synapse-admin:0.10.3
+    image: awesometechnologies/synapse-admin:0.11.1
     networks:
       - proxy
     deploy:

compose.signal.yml

@@ -10,7 +10,7 @@ services:
       - signal-data:/signal-data
 
   signalbridge:
-    image: dock.mau.dev/mautrix/signal:v0.7.5
+    image: dock.mau.dev/mautrix/signal:v0.8.7
     depends_on:
       - signaldb
     configs:

compose.telegram.yml

@@ -10,7 +10,7 @@ services:
       - telegram-data:/telegram-data
 
   telegrambridge:
-    image: dock.mau.dev/mautrix/telegram:v0.15.2
+    image: dock.mau.dev/mautrix/telegram:v0.15.3
     depends_on:
       - telegramdb
     configs:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   web:
-    image: nginx:1.27.4
+    image: nginx:1.29.2
     networks:
       - proxy
       - internal
@@ -12,6 +12,7 @@ services:
       - STACK_NAME
       - NGINX_ACCESS_LOG_LOCATION
       - NGINX_ERROR_LOG_LOCATION
+      - MAX_UPLOAD_SIZE
     configs:
       - source: nginx_config
         target: /etc/nginx/nginx.conf
@@ -35,7 +36,7 @@ services:
       retries: 20
 
   app:
-    image: "matrixdotorg/synapse:v1.124.0"
+    image: "matrixdotorg/synapse:v1.139.2"
     volumes:
       - "data:/data"
     secrets:
@@ -47,6 +48,7 @@ services:
       - ALLOWED_LIFETIME_MAX
       - ALLOW_PUBLIC_ROOMS_FEDERATION
       - AUTO_JOIN_ROOM
+      - AUTO_JOIN_ROOM_LIST
       - AUTO_JOIN_ROOM_ENABLED
       - DISABLE_FEDERATION
       - DOMAIN
@@ -55,6 +57,9 @@ services:
       - ENABLE_REGISTRATION
       - REGISTRATION_REQUIRES_TOKEN
       - ENCRYPTED_BY_DEFAULT
+      - OLD_SIGNING_KEY
+      - OLD_SIGNING_KEY_ID
+      - OLD_SIGNING_KEY_EXPIRES
       - USER_DIRECTORY_ENABLED=${USER_DIRECTORY_ENABLED:-true}
       - USER_DIRECTORY_SEARCH_ALL_USERS=${USER_DIRECTORY_SEARCH_ALL_USERS:-true}
       - USER_DIRECTORY_PREFER_LOCAL_USERS=${USER_DIRECTORY_PREFER_LOCAL_USERS:-true}
@@ -86,6 +91,7 @@ services:
       - LOGIN_LIMIT_ACCOUNT_PER_SECOND=${LOGIN_LIMIT_ACCOUNT_PER_SECOND:-0.003}
       - LOGIN_LIMIT_ACCOUNT_BURST=${LOGIN_LIMIT_ACCOUNT_BURST:-5}
       - WEB_CLIENT_LOCATION
+      - MAX_UPLOAD_SIZE
     networks:
       - internal
     entrypoint: /docker-entrypoint.sh
@@ -101,8 +107,8 @@ services:
       restart_policy:
         condition: on-failure
       labels:
-        - "coop-cloud.${STACK_NAME}.version=6.6.2+v1.124.0"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.version=6.8.1+v1.139.2"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
       interval: 30s

homeserver.yaml.tmpl

@@ -130,7 +130,7 @@ log_config: "/data/log.config"
 media_store_path: "/data/media_store"
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_upload_size 
-max_upload_size: 50M
+max_upload_size: {{ or (env "MAX_UPLOAD_SIZE") 50M }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#turn
 {{ if eq (env "TURN_ENABLED") "1" }}
@@ -157,8 +157,15 @@ registration_shared_secret: {{ secret "registration" }}
 
 {{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#auto_join_rooms
+
+# AUTO_JOIN_ROOM only for backwards compatibility
+{{ if (env "AUTO_JOIN_ROOM") }}
 auto_join_rooms:
   - "{{ env "AUTO_JOIN_ROOM" }}"
+{{ else }}
+auto_join_rooms: {{ env "AUTO_JOIN_ROOM_LIST" }}
+{{ end }}
+
 {{ end }}
 
 # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#session_lifetime
@@ -186,6 +193,12 @@ form_secret: "{{ secret "form_secret" }}"
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#signing_key_path
 signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"
 
+# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#old_signing_keys
+{{ if (and (env "OLD_SIGNING_KEY_ID") (env "OLD_SIGNING_KEY") (env "OLD_SIGNING_KEY_EXPIRES")) }}
+old_signing_keys:
+  "ed25519:{{ env "OLD_SIGNING_KEY_ID" }}": { key: "{{ env "OLD_SIGNING_KEY" }}", expired_ts: {{ env "OLD_SIGNING_KEY_EXPIRES" }} }
+{{ end }}
+
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers
 {{ if eq (env "ENABLE_ALLOWLIST") "1" }}
 trusted_key_servers: [] # NOTE(d1): defaults to requesting server directly, which matches FEDERATION_ALLOWLIST

nginx.conf.tmpl

@@ -5,6 +5,16 @@ events {
 }
 
 http {
+
+  resolver 127.0.0.11 valid=30s ipv6=off;
+  resolver_timeout 5s;
+
+  upstream matrix_upstream {
+    zone matrix_upstream 64k;
+    server {{ env "STACK_NAME"}}_app:8008 resolve;
+    keepalive 16;
+  }
+
   server {
     listen 80;
 
@@ -14,20 +24,20 @@ http {
     server_name {{ env "DOMAIN" }};
 
     location = / {
-      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
+      proxy_pass http://matrix_upstream;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto https;
       proxy_set_header Host $host;
-      client_max_body_size 50M;
+      client_max_body_size {{ or (env "MAX_UPLOAD_SIZE") "50M" }};
       proxy_http_version 1.1;
     }
     
     location ~* ^(\/_matrix|\/_synapse\/client) {
-      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
+      proxy_pass http://matrix_upstream;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto https;
       proxy_set_header Host $host;
-      client_max_body_size 50M;
+      client_max_body_size {{ or (env "MAX_UPLOAD_SIZE") "50M" }};
       proxy_http_version 1.1;
     }
 
@@ -42,11 +52,11 @@ http {
       if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
         return 403;
       }
-      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
+      proxy_pass http://matrix_upstream;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto https;
       proxy_set_header Host $host;
-      client_max_body_size 50M;
+      client_max_body_size {{ or (env "MAX_UPLOAD_SIZE") "50M" }};
       proxy_http_version 1.1;
     }
 {{ end }}

release/6.6.3+v1.124.0

@@ -0,0 +1 @@
+added env for old-signing-keys

release/6.7.1+v1.133.0

@@ -0,0 +1 @@
+This patch contains a critical nginx fix, to allow resolving docker internal hosts.