diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix index 277fc9a39022..4a1bea50c14e 100644 --- a/nixos/modules/services/misc/matrix-synapse.nix +++ b/nixos/modules/services/misc/matrix-synapse.nix @@ -59,7 +59,12 @@ uploads_path: "/var/lib/matrix-synapse/uploads" max_upload_size: "${cfg.max_upload_size}" max_image_pixels: "${cfg.max_image_pixels}" dynamic_thumbnails: ${fromBool cfg.dynamic_thumbnails} -url_preview_enabled: False +url_preview_enabled: ${fromBool cfg.url_preview_enabled} +${optionalString (cfg.url_preview_enabled == true) '' +url_preview_ip_range_blacklist: ${builtins.toJSON cfg.url_preview_ip_range_blacklist} +url_preview_ip_range_whitelist: ${builtins.toJSON cfg.url_preview_ip_range_whitelist} +url_preview_url_blacklist: ${builtins.toJSON cfg.url_preview_url_blacklist} +''} recaptcha_private_key: "${cfg.recaptcha_private_key}" recaptcha_public_key: "${cfg.recaptcha_public_key}" enable_registration_captcha: ${fromBool cfg.enable_registration_captcha} @@ -355,6 +360,47 @@ in { default = "10K"; description = "Number of events to cache in memory."; }; + url_preview_enabled = mkOption { + type = types.bool; + default = false; + description = '' + Is the preview URL API enabled? If enabled, you *must* specify an + explicit url_preview_ip_range_blacklist of IPs that the spider is + denied from accessing. + ''; + }; + url_preview_ip_range_blacklist = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of IP address CIDR ranges that the URL preview spider is denied + from accessing. + ''; + }; + url_preview_ip_range_whitelist = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of IP address CIDR ranges that the URL preview spider is allowed + to access even if they are specified in + url_preview_ip_range_blacklist. + ''; + }; + url_preview_url_blacklist = mkOption { + type = types.listOf types.str; + default = [ + "127.0.0.0/8" + "10.0.0.0/8" + "172.16.0.0/12" + "192.168.0.0/16" + "100.64.0.0/10" + "169.254.0.0/16" + ]; + description = '' + Optional list of URL matches that the URL preview spider is + denied from accessing. + ''; + }; recaptcha_private_key = mkOption { type = types.str; default = ""; diff --git a/pkgs/servers/matrix-synapse/default.nix b/pkgs/servers/matrix-synapse/default.nix index d290c124244f..d1301fad7abc 100644 --- a/pkgs/servers/matrix-synapse/default.nix +++ b/pkgs/servers/matrix-synapse/default.nix @@ -27,7 +27,7 @@ in pythonPackages.buildPythonApplication rec { pydenticon pymacaroons-pynacl pynacl pyopenssl pysaml2 pytz requests2 service-identity signedjson systemd twisted ujson unpaddedbase64 pyyaml matrix-angular-sdk bleach netaddr jinja2 psycopg2 - ldap3 psutil msgpack + ldap3 psutil msgpack lxml ]; # Checks fail because of Tox.