-rw-r--r-- | CHANGES.md | 6 | ||||
-rw-r--r-- | INSTALL.md | 31 | ||||
-rw-r--r-- | changelog.d/5313.misc | 1 | ||||
-rw-r--r-- | changelog.d/5545.misc | 1 | ||||
-rw-r--r-- | changelog.d/5548.misc | 1 | ||||
-rw-r--r-- | changelog.d/5558.misc | 1 | ||||
-rw-r--r-- | changelog.d/5562.feature | 1 | ||||
-rw-r--r-- | changelog.d/5570.misc | 1 | ||||
-rw-r--r-- | contrib/purge_api/README.md | 4 | ||||
-rwxr-xr-x | docker/start.py | 31 | ||||
-rw-r--r-- | docs/MSC1711_certificates_FAQ.md | 2 | ||||
-rw-r--r-- | docs/reverse_proxy.rst | 6 | ||||
-rw-r--r-- | scripts-dev/check_event_hash.py | 54 |
13 files changed, 59 insertions, 81 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 1b827c8079..284e89b266 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -52,7 +52,11 @@ Features
 - Add a script to generate new signing-key files. ([\#5361](https://github.com/matrix-org/synapse/issues/5361))
 - Update upgrade and installation guides ahead of 1.0. ([\#5371](https://github.com/matrix-org/synapse/issues/5371))
 - Replace the `perspectives` configuration section with `trusted_key_servers`, and make validating the signatures on responses optional (since TLS will do this job for us). ([\#5374](https://github.com/matrix-org/synapse/issues/5374))
-- Add ability to perform password reset via email without trusting the identity server. ([\#5377](https://github.com/matrix-org/synapse/issues/5377))
+- Add ability to perform password reset via email without trusting the identity server. **As a result of this PR, password resets will now be disabled on the default configuration.**
+
+ Password reset emails are now sent from the homeserver by default, instead of the identity server. To enable this functionality, ensure `email` and `public_baseurl` config options are filled out.
+
+ If you would like to re-enable password resets being sent from the identity server (warning: this is dangerous! See [#5345](https://github.com/matrix-org/synapse/pull/5345)), set `email.trust_identity_server_for_password_resets` to true. ([\#5377](https://github.com/matrix-org/synapse/issues/5377))
 - Set default room version to v4. ([\#5379](https://github.com/matrix-org/synapse/issues/5379))
diff --git a/INSTALL.md b/INSTALL.md
index 2df686b19b..25343593d5 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1,3 +1,4 @@
+- [Choosing your server name](#choosing-your-server-name)
 - [Installing Synapse](#installing-synapse)
 - [Installing from source](#installing-from-source)
 - [Platform-Specific Instructions](#platform-specific-instructions)
@@ -10,6 +11,22 @@
 - [Setting up a TURN server](#setting-up-a-turn-server)
 - [URL previews](#url-previews)
+# Choosing your server name
+
+It is important to choose the name for your server before you install Synapse,
+because it cannot be changed later.
+
+The server name determines the "domain" part of user-ids for users on your
+server: these will all be of the format `@user:my.domain.name`. It also
+determines how other matrix servers will reach yours for federation.
+
+For a test configuration, set this to the hostname of your server. For a more
+production-ready setup, you will probably want to specify your domain
+(`example.com`) rather than a matrix-specific hostname here (in the same way
+that your email address is probably `user@example.com` rather than
+`user@email.example.com`) - but doing so may require more advanced setup: see
+[Setting up Federation](docs/federate.md).
+
 # Installing Synapse
 ## Installing from source
@@ -64,16 +81,7 @@ python -m synapse.app.homeserver \
 --report-stats=[yes|no]
 ```
-... substituting an appropriate value for `--server-name`. The server name
-determines the "domain" part of user-ids for users on your server: these will
-all be of the format `@user:my.domain.name`. It also determines how other
-matrix servers will reach yours for Federation. For a test configuration,
-set this to the hostname of your server. For a more production-ready setup, you
-will probably want to specify your domain (`example.com`) rather than a
-matrix-specific hostname here (in the same way that your email address is
-probably `user@example.com` rather than `user@email.example.com`) - but
-doing so may require more advanced setup: see [Setting up Federation](docs/federate.md).
-Beware that the server name cannot be changed later.
+... substituting an appropriate value for `--server-name`.
 This command will generate you a config file that you can then customise, but it will also generate a set of keys for you. These keys will allow your Home Server to
@@ -86,9 +94,6 @@ different. See the [spec](https://matrix.org/docs/spec/server_server/latest.html#retrieving-server-keys) for more information on key management.)
-You will need to give Synapse a TLS certficate before it will start - see [TLS
-certificates](#tls-certificates).
-
 To actually run your new homeserver, pick a working directory for Synapse to run (e.g. `~/synapse`), and::
diff --git a/changelog.d/5313.misc b/changelog.d/5313.misc
new file mode 100644
index 0000000000..2ea01cb9d3
--- /dev/null
+++ b/changelog.d/5313.misc
@@ -0,0 +1 @@
+Update example haproxy config to a more compatible setup.
diff --git a/changelog.d/5545.misc b/changelog.d/5545.misc
new file mode 100644
index 0000000000..b738eef4bd
--- /dev/null
+++ b/changelog.d/5545.misc
@@ -0,0 +1 @@
+Update v1.0.0 release changelog to include more information about changes to password resets.
diff --git a/changelog.d/5548.misc b/changelog.d/5548.misc
new file mode 100644
index 0000000000..f35939cfe9
--- /dev/null
+++ b/changelog.d/5548.misc
@@ -0,0 +1 @@
+Remove non-functioning check_event_hash.py dev script.
diff --git a/changelog.d/5558.misc b/changelog.d/5558.misc
new file mode 100644
index 0000000000..9ce3555d45
--- /dev/null
+++ b/changelog.d/5558.misc
@@ -0,0 +1 @@
+Improve install docs on choosing server_name.
diff --git a/changelog.d/5562.feature b/changelog.d/5562.feature
new file mode 100644
index 0000000000..85380bc517
--- /dev/null
+++ b/changelog.d/5562.feature
@@ -0,0 +1 @@
+Update Docker image to deprecate the use of environment variables for configuration, and make the use of a static configuration the default.
diff --git a/changelog.d/5570.misc b/changelog.d/5570.misc
new file mode 100644
index 0000000000..dfb1d7e58b
--- /dev/null
+++ b/changelog.d/5570.misc
@@ -0,0 +1 @@
+Point the reverse links in the Purge History contrib scripts at the intended location.
diff --git a/contrib/purge_api/README.md b/contrib/purge_api/README.md
index 000bf35ca7..06b4cdb9f7 100644
--- a/contrib/purge_api/README.md
+++ b/contrib/purge_api/README.md
@@ -3,7 +3,7 @@ Purge history API examples
 # `purge_history.sh`
-A bash file, that uses the [purge history API](/docs/admin_api/README.rst) to
+A bash file, that uses the [purge history API](/docs/admin_api/purge_history_api.rst) to
 purge all messages in a list of rooms up to a certain event. You can select a timeframe or a number of messages that you want to keep in the room.
@@ -12,5 +12,5 @@ the script.
 # `purge_remote_media.sh`
-A bash file, that uses the [purge history API](/docs/admin_api/README.rst) to
+A bash file, that uses the [purge history API](/docs/admin_api/purge_history_api.rst) to
 purge all old cached remote media.
diff --git a/docker/start.py b/docker/start.py
index ad968b2a67..1e6acb464c 100755
--- a/docker/start.py
+++ b/docker/start.py
@@ -67,10 +67,11 @@ def generate_config_from_template(environ, ownership):
 # generate a new secret and write it to a file
 if os.path.exists(filename):
+ log("Reading %s from %s" % (secret, filename))
 with open(filename) as handle:
 value = handle.read()
 else:
- log("Generating a random secret for {}".format(name))
+ log("Generating a random secret for {}".format(secret))
 value = codecs.encode(os.urandom(32), "hex").decode()
 with open(filename, "w") as handle:
 handle.write(value)
@@ -100,6 +101,24 @@ def generate_config_from_template(environ, ownership):
 convert("/conf/homeserver.yaml", config_path, environ)
 convert("/conf/log.config", "/compiled/log.config", environ)
 subprocess.check_output(["chown", "-R", ownership, "/data"])
+
+ # Hopefully we already have a signing key, but generate one if not.
+ subprocess.check_output(
+ [
+ "su-exec",
+ ownership,
+ "python",
+ "-m",
+ "synapse.app.homeserver",
+ "--config-path",
+ config_path,
+ # tell synapse to put generated keys in /data rather than /compiled
+ "--keys-directory",
+ "/data",
+ "--generate-keys",
+ ]
+ )
+
 return config_path
@@ -154,19 +173,15 @@ def main(args, environ):
 config_path = generate_config_from_template(environ, ownership)
 args = [
+ "su-exec",
+ ownership,
 "python",
 "-m",
 "synapse.app.homeserver",
 "--config-path",
 config_path,
- # tell synapse to put any generated keys in /data rather than /compiled
- "--keys-directory",
- "/data",
 ]
-
- # Generate missing keys and start synapse
- subprocess.check_output(args + ["--generate-keys"])
- os.execv("/sbin/su-exec", ["su-exec", ownership] + args)
+ os.execv("/sbin/su-exec", args)
 if __name__ == "__main__":
diff --git a/docs/MSC1711_certificates_FAQ.md b/docs/MSC1711_certificates_FAQ.md
index 7f9a23ff31..83497380df 100644
--- a/docs/MSC1711_certificates_FAQ.md
+++ b/docs/MSC1711_certificates_FAQ.md
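Review bot: The new key-generation call in generate_config_from_template resolves `su-exec` through PATH (`"su-exec"` is the first element of the `subprocess.check_output` argv) while main execs the absolute `/sbin/su-exec`; since this step still runs as root before privileges are dropped, pin the same absolute path here, `["/sbin/su-exec", ownership, "python", ...]`, so the two invocations resolve the helper identically. `check_output` also discards synapse's stdout, so any message naming a freshly generated signing key never reaches the container log; as the captured output is unused, `subprocess.check_call(...)` would keep it visible and still raise on a non-zero exit. The `"python", "-m", "synapse.app.homeserver", "--config-path", config_path` argv is now spelled out twice, in this hunk and in main, so a small helper returning that list would keep the two from drifting apart. Both enclosing functions, generate_config_from_template and main, start outside the hunks.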
@@ -14,7 +14,7 @@ upgraded, however it may be of use to those with old installs returning to the project. If you are setting up a server from scratch you almost certainly should look at
-the [installation guide](INSTALL.md) instead.
+the [installation guide](../INSTALL.md) instead.
 ## Introduction
 The goal of Synapse 0.99.0 is to act as a stepping stone to Synapse 1.0.0. It
diff --git a/docs/reverse_proxy.rst b/docs/reverse_proxy.rst
index 7619b1097b..e4b870411c 100644
--- a/docs/reverse_proxy.rst
+++ b/docs/reverse_proxy.rst
@@ -89,8 +89,10 @@ Let's assume that we expect clients to connect to our server at
 bind :::443 v4v6 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1
 # Matrix client traffic
- acl matrix hdr(host) -i matrix.example.com
- use_backend matrix if matrix
+ acl matrix-host hdr(host) -i matrix.example.com
+ acl matrix-path path_beg /_matrix
+
+ use_backend matrix if matrix-host matrix-path
 frontend matrix-federation
 bind :::8448 v4v6 ssl crt /etc/ssl/haproxy/synapse.pem alpn h2,http/1.1
diff --git a/scripts-dev/check_event_hash.py b/scripts-dev/check_event_hash.py
deleted file mode 100644
index cd5599e9a1..0000000000
--- a/scripts-dev/check_event_hash.py
+++ /dev/null
@@ -1,54 +0,0 @@
-import argparse
-import hashlib
-import json
-import logging
-import sys
-
-from unpaddedbase64 import encode_base64
-
-from synapse.crypto.event_signing import (
- check_event_content_hash,
- compute_event_reference_hash,
-)
-
-
-class dictobj(dict):
- def __init__(self, *args, **kargs):
- dict.__init__(self, *args, **kargs)
- self.__dict__ = self
-
- def get_dict(self):
- return dict(self)
-
- def get_full_dict(self):
- return dict(self)
-
- def get_pdu_json(self):
- return dict(self)
-
-
-def main():
- parser = argparse.ArgumentParser()
- parser.add_argument(
- "input_json", nargs="?", type=argparse.FileType("r"), default=sys.stdin
- )
- args = parser.parse_args()
- logging.basicConfig()
-
- event_json = dictobj(json.load(args.input_json))
-
- algorithms = {"sha256": hashlib.sha256}
-
- for alg_name in event_json.hashes:
- if check_event_content_hash(event_json, algorithms[alg_name]):
- print("PASS content hash %s" % (alg_name,))
- else:
- print("FAIL content hash %s" % (alg_name,))
-
- for algorithm in algorithms.values():
- name, h_bytes = compute_event_reference_hash(event_json, algorithm)
- print("Reference hash %s: %s" % (name, encode_base64(h_bytes)))
-
-
-if __name__ == "__main__":
- main() |