matrix-synapse/homeserver.yaml.tmpl

## Modules ##

# Server admins can expand Synapse's functionality with external modules.
#
# See https://matrix-org.github.io/synapse/latest/modules.html for more
# documentation on how to configure or create custom modules for Synapse.
#
modules:
    # - module: my_super_module.MySuperClass
    #   config:
    #       do_thing: true
    # - module: my_other_super_module.SomeClass
    #   config: {}
    {{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }}
    - module: shared_secret_authenticator.SharedSecretAuthProvider
      config:
        shared_secret: {{ secret "shared_secret_auth" }}
        m_login_password_support_enabled: true
    {{ end }}

## Server ##

# The public-facing domain of the server
#
# The server_name name will appear at the end of usernames and room addresses
# created on this server. For example if the server_name was example.com,
# usernames on this server would be in the format @user:example.com
#
# In most cases you should avoid using a matrix specific subdomain such as
# matrix.example.com or synapse.example.com as the server_name for the same
# reasons you wouldn't use user@email.example.com as your email address.
# See https://matrix-org.github.io/synapse/latest/delegate.html
# for information on how to host Synapse on a subdomain while preserving
# a clean server_name.
#
# The server_name cannot be changed later so it is important to
# configure this correctly before you start Synapse. It should be all
# lowercase and may contain an explicit port.
# Examples: matrix.org, localhost:8080
#
server_name: {{ env "DOMAIN" }}

# The public-facing base URL that clients use to access this Homeserver (not
# including _matrix/...). This is the same URL a user might enter into the
# 'Custom Homeserver URL' field on their client. If you use Synapse with a
# reverse proxy, this should be the URL to reach Synapse via the proxy.
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
# 'listeners' below).
#
# Defaults to 'https://<server_name>/'.
#
public_baseurl: https://{{ env "DOMAIN" }}/

# Uncomment the following to tell other servers to send federation traffic on
# port 443.
#
# By default, other servers will try to reach our server on port 8448, which can
# be inconvenient in some environments.
#
# Provided 'https://<server_name>/' on port 443 is routed to Synapse, this
# option configures Synapse to serve a file at
# 'https://<server_name>/.well-known/matrix/server'. This will tell other
# servers to send traffic to port 443 instead.
#
# See https://matrix-org.github.io/synapse/latest/delegate.html for more
# information.
#
# Defaults to 'false'.
#
serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}

# If set to 'true', removes the need for authentication to access the server's
# public rooms directory through the client API, meaning that anyone can
# query the room directory. Defaults to 'false'.
#
allow_public_rooms_without_auth: false

# If set to 'true', allows any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'false'.
#
allow_public_rooms_over_federation: false

listeners:
  # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
  # that unwraps TLS.
  #
  # If you plan to use a reverse proxy, please see
  # https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
  #
  - port: 8008
    tls: false
    type: http
    x_forwarded: true

    {{ if eq (env "DISABLE_FEDERATION") "1" }}
    resources:
      {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
      - names: [client, openid]
        compress: true
      {{ else }}
      - names: [client]
        compress: true
      {{ end }}
    {{ else }}
    resources:
      {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
      - names: [client, openid, federation]
        compress: true
      {{ else }}
      - names: [client, federation]
        compress: true
      {{ end }}
    {{ end }}

## Homeserver blocking ##

# How to reach the server admin, used in ResourceLimitError
#
admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}'

# Resource-constrained homeserver settings
#
# When this is enabled, the room "complexity" will be checked before a user
# joins a new remote room. If it is above the complexity limit, the server will
# disallow joining, or will instantly leave.
#
# Room complexity is an arbitrary measure based on factors such as the number of
# users in the room.
#
limit_remote_rooms:
  # Uncomment to enable room complexity checking.
  #
  enabled: true

  # the limit above which rooms cannot be joined. The default is 1.0.
  #
  complexity: 200.0

# The largest allowed file size for a user avatar. Defaults to no restriction.
# Note that user avatar changes will not work if this is set without
# using Synapse's media repository.
#
max_avatar_size: 10M

# How long to keep redacted events in unredacted form in the database. After
# this period redacted events get replaced with their redacted form in the DB.
#
# Defaults to `7d`. Set to `null` to disable.
#
redaction_retention_period: {{ env "REDACTION_RETENTION_PERIOD" }}

# How long to track users' last seen time and IPs in the database.
#
# Defaults to `28d`. Set to `null` to disable clearing out of old rows.
#
user_ips_max_age: {{ env "USER_IPS_MAX_AGE" }}

# Message retention policy at the server level.
#
# Room admins and mods can define a retention period for their rooms using the
# 'm.room.retention' state event, and server admins can cap this period by setting
# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options.
#
# If this feature is enabled, Synapse will regularly look for and purge events
# which are older than the room's maximum retention period. Synapse will also
# filter events received over federation so that events that should have been
# purged are ignored and not stored again.
#
retention:
  # The message retention policies feature is disabled by default. Uncomment the
  # following line to enable it.
  #
  enabled: true

  # Default retention policy. If set, Synapse will apply it to rooms that lack the
  # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't
  # matter much because Synapse doesn't take it into account yet.
  #
  default_policy:
    min_lifetime: 1d
    max_lifetime: {{ env "RETENTION_MAX_LIFETIME" }}

  # Retention policy limits. If set, and the state of a room contains a
  # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
  # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
  # to these limits when running purge jobs.
  #
  allowed_lifetime_min: 1d
  allowed_lifetime_max: {{ env "ALLOWED_LIFETIME_MAX" }}

  # Server admins can define the settings of the background jobs purging the
  # events which lifetime has expired under the 'purge_jobs' section.
  #
  # If no configuration is provided, a single job will be set up to delete expired
  # events in every room daily.
  #
  # Each job's configuration defines which range of message lifetimes the job
  # takes care of. For example, if 'shortest_max_lifetime' is '2d' and
  # 'longest_max_lifetime' is '3d', the job will handle purging expired events in
  # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and
  # lower than or equal to 3 days. Both the minimum and the maximum value of a
  # range are optional, e.g. a job with no 'shortest_max_lifetime' and a
  # 'longest_max_lifetime' of '3d' will handle every room with a retention policy
  # which 'max_lifetime' is lower than or equal to three days.
  #
  # The rationale for this per-job configuration is that some rooms might have a
  # retention policy with a low 'max_lifetime', where history needs to be purged
  # of outdated messages on a more frequent basis than for the rest of the rooms
  # (e.g. every 12h), but not want that purge to be performed by a job that's
  # iterating over every room it knows, which could be heavy on the server.
  #
  # If any purge job is configured, it is strongly recommended to have at least
  # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
  # set, or one job without 'shortest_max_lifetime' and one job without
  # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
  # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
  # room's policy to these values is done after the policies are retrieved from
  # Synapse's database (which is done using the range specified in a purge job's
  # configuration).
  #
  purge_jobs:
    - longest_max_lifetime: 3d
      interval: 12h
    - shortest_max_lifetime: 3d
      interval: 1d

## Federation ##

# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction.  If not specified, the
# default is to whitelist everything.
#
#federation_domain_whitelist:
#  - lon.example.com
#  - nyc.example.com
#  - syd.example.com
{{ if eq (env "DISABLE_FEDERATION") "1" }}
federation_domain_whitelist: []
{{ else if eq (env "ENABLE_ALLOWLIST") "1" }}
federation_domain_whitelist: {{ env "FEDERATION_ALLOWLIST" }}
{{ end }}

## Database ##

# The 'database' setting defines the database that synapse uses to store all of
# its data.
#
# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
# 'psycopg2' (for PostgreSQL).
#
# 'txn_limit' gives the maximum number of transactions to run per connection
# before reconnecting. Defaults to 0, which means no limit.
#
# 'args' gives options which are passed through to the database engine,
# except for options starting 'cp_', which are used to configure the Twisted
# connection pool. For a reference to valid arguments, see:
#   * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
#   * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
#   * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
database:
  name: psycopg2
  txn_limit: 10000
  args:
    user: synapse
    password: "{{ secret "db_password" }}"
    database: synapse
    host: "{{ env "STACK_NAME" }}_db"
    port: 5432
    cp_min: 5
    cp_max: 10
    keepalives_idle: 10
    keepalives_interval: 10
    keepalives_count: 3

## Logging ##

# A yaml python logging config file as described by
# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
#
log_config: "/data/log.config"

## Media Store ##

# Enable the media store service in the Synapse master. Uncomment the
# following if you are using a separate media store worker.
#
#enable_media_repo: false

# Directory where uploaded images and attachments are stored.
#
media_store_path: "/data/media_store"

# The largest allowed upload size in bytes
#
# If you are using a reverse proxy you may also need to set this value in
# your reverse proxy's config. Notably Nginx has a small max body size by default.
# See https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
#
max_upload_size: 50M

{{ if eq (env "TURN_ENABLED") "1" }}
## TURN ##

# The public URIs of the TURN server to give to clients
#
turn_uris: {{ env "TURN_URIS" }}

# The shared secret used to compute passwords for the TURN server
#
turn_shared_secret: "{{ secret "turn_shared_secret" }}"

# How long generated TURN credentials last
#
turn_user_lifetime: 1h

# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
#
turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
{{ end }}

## Registration ##
#
# Registration can be rate-limited using the parameters in the "Ratelimiting"
# section of this file.

# Enable registration for new users.
#
enable_registration: {{ env "ENABLE_REGISTRATION" }}

# Enable 3PIDs lookup requests to identity servers from this server.
#
enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}

# If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled.
#
registration_shared_secret: {{ secret "registration_shared_secret" }}

# Users who register on this homeserver will automatically be joined
# to these rooms.
#
# By default, any room aliases included in this list will be created
# as a publicly joinable room when the first user registers for the
# homeserver. This behaviour can be customised with the settings below.
# If the room already exists, make certain it is a publicly joinable
# room. The join rule of the room must be set to 'public'.
#
{{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }}
auto_join_rooms:
  - "{{ env "AUTO_JOIN_ROOM" }}"
{{ end }}

## Metrics ###

# Whether or not to report anonymized homeserver usage statistics.
#
report_stats: false

## API Configuration ##

# A list of application service config files to use
#
{{ if eq (env "APP_SERVICES_ENABLED") "1" }}
app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }}
{{ end }}

# a secret which is used to sign access tokens. If none is specified,
# the registration_shared_secret is used, if one is given; otherwise,
# a secret key is derived from the signing key.
#
macaroon_secret_key: "{{ secret "macaroon_secret_key" }}"

# a secret which is used to calculate HMACs for form values, to stop
# falsification of values. Must be specified for the User Consent
# forms to work.
#
form_secret: "{{ secret "form_secret" }}"

## Signing Keys ##

# Path to the signing key to sign messages with
#
signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"

# The trusted servers to download signing keys from.
#
# When we need to fetch a signing key, each server is tried in parallel.
#
# Normally, the connection to the key server is validated via TLS certificates.
# Additional security can be provided by configuring a `verify key`, which
# will make synapse check that the response is signed by that key.
#
# This setting supercedes an older setting named `perspectives`. The old format
# is still supported for backwards-compatibility, but it is deprecated.
#
# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
# warning on start-up. To suppress this warning, set
# 'suppress_key_server_warning' to true.
#
# Options for each entry in the list include:
#
#    server_name: the name of the server. required.
#
#    verify_keys: an optional map from key id to base64-encoded public key.
#       If specified, we will check that the response is signed by at least
#       one of the given keys.
#
#    accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
#       and federation_verify_certificates is not `true`, synapse will refuse
#       to start, because this would allow anyone who can spoof DNS responses
#       to masquerade as the trusted key server. If you know what you are doing
#       and are sure that your network environment provides a secure connection
#       to the key server, you can set this to `true` to override this
#       behaviour.
#
# An example configuration might look like:
#
#trusted_key_servers:
#  - server_name: "my_trusted_server.example.com"
#    verify_keys:
#      "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
#  - server_name: "my_other_trusted_server.example.com"
#
trusted_key_servers:
  - server_name: "matrix.org"

## Single sign-on integration ##

# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
# and login.
#
# Options for each entry include:
#
#   idp_id: a unique identifier for this identity provider. Used internally
#       by Synapse; should be a single word such as 'github'.
#
#       Note that, if this is changed, users authenticating via that provider
#       will no longer be recognised as the same user!
#
#       (Use "oidc" here if you are migrating from an old "oidc_config"
#       configuration.)
#
#   idp_name: A user-facing name for this identity provider, which is used to
#       offer the user a choice of login mechanisms.
#
#   idp_icon: An optional icon for this identity provider, which is presented
#       by clients and Synapse's own IdP picker page. If given, must be an
#       MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
#       obtain such an MXC URI is to upload an image to an (unencrypted) room
#       and then copy the "url" from the source of the event.)
#
#   idp_brand: An optional brand for this identity provider, allowing clients
#       to style the login flow according to the identity provider in question.
#       See the spec for possible options here.
#
#   discover: set to 'false' to disable the use of the OIDC discovery mechanism
#       to discover endpoints. Defaults to true.
#
#   issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
#       is enabled) to discover the provider's endpoints.
#
#   client_id: Required. oauth2 client id to use.
#
#   client_secret: oauth2 client secret to use. May be omitted if
#        client_secret_jwt_key is given, or if client_auth_method is 'none'.
#
#   client_secret_jwt_key: Alternative to client_secret: details of a key used
#      to create a JSON Web Token to be used as an OAuth2 client secret. If
#      given, must be a dictionary with the following properties:
#
#          key: a pem-encoded signing key. Must be a suitable key for the
#              algorithm specified. Required unless 'key_file' is given.
#
#          key_file: the path to file containing a pem-encoded signing key file.
#              Required unless 'key' is given.
#
#          jwt_header: a dictionary giving properties to include in the JWT
#              header. Must include the key 'alg', giving the algorithm used to
#              sign the JWT, such as "ES256", using the JWA identifiers in
#              RFC7518.
#
#          jwt_payload: an optional dictionary giving properties to include in
#              the JWT payload. Normally this should include an 'iss' key.
#
#   client_auth_method: auth method to use when exchanging the token. Valid
#       values are 'client_secret_basic' (default), 'client_secret_post' and
#       'none'.
#
#   scopes: list of scopes to request. This should normally include the "openid"
#       scope. Defaults to ["openid"].
#
#   authorization_endpoint: the oauth2 authorization endpoint. Required if
#       provider discovery is disabled.
#
#   token_endpoint: the oauth2 token endpoint. Required if provider discovery is
#       disabled.
#
#   userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
#       disabled and the 'openid' scope is not requested.
#
#   jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
#       the 'openid' scope is used.
#
#   skip_verification: set to 'true' to skip metadata verification. Use this if
#       you are connecting to a provider that is not OpenID Connect compliant.
#       Defaults to false. Avoid this in production.
#
#   user_profile_method: Whether to fetch the user profile from the userinfo
#       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
#
#       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
#       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
#       userinfo endpoint.
#
#   allow_existing_users: set to 'true' to allow a user logging in via OIDC to
#       match a pre-existing account instead of failing. This could be used if
#       switching from password logins to OIDC. Defaults to false.
#
#   user_mapping_provider: Configuration for how attributes returned from a OIDC
#       provider are mapped onto a matrix user. This setting has the following
#       sub-properties:
#
#       module: The class name of a custom mapping module. Default is
#           'synapse.handlers.oidc.JinjaOidcMappingProvider'.
#           See https://matrix-org.github.io/synapse/latest/sso_mapping_providers.html#openid-mapping-providers
#           for information on implementing a custom mapping provider.
#
#       config: Configuration for the mapping provider module. This section will
#           be passed as a Python dictionary to the user mapping provider
#           module's `parse_config` method.
#
#           For the default provider, the following settings are available:
#
#             subject_claim: name of the claim containing a unique identifier
#                 for the user. Defaults to 'sub', which OpenID Connect
#                 compliant providers should provide.
#
#             localpart_template: Jinja2 template for the localpart of the MXID.
#                 If this is not set, the user will be prompted to choose their
#                 own username (see 'sso_auth_account_details.html' in the 'sso'
#                 section of this file).
#
#             display_name_template: Jinja2 template for the display name to set
#                 on first login. If unset, no displayname will be set.
#
#             email_template: Jinja2 template for the email address of the user.
#                 If unset, no email address will be added to the account.
#
#             extra_attributes: a map of Jinja2 templates for extra attributes
#                 to send back to the client during login.
#                 Note that these are non-standard and clients will ignore them
#                 without modifications.
#
#           When rendering, the Jinja2 templates are given a 'user' variable,
#           which is set to the claims returned by the UserInfo Endpoint and/or
#           in the ID Token.
#
#   It is possible to configure Synapse to only allow logins if certain attributes
#   match particular values in the OIDC userinfo. The requirements can be listed under
#   `attribute_requirements` as shown below. All of the listed attributes must
#   match for the login to be permitted. Additional attributes can be added to
#   userinfo by expanding the `scopes` section of the OIDC config to retrieve
#   additional information from the OIDC provider.
#
#   If the OIDC claim is a list, then the attribute must match any value in the list.
#   Otherwise, it must exactly match the value of the claim. Using the example
#   below, the `family_name` claim MUST be "Stephensson", but the `groups`
#   claim MUST contain "admin".
#
#   attribute_requirements:
#     - attribute: family_name
#       value: "Stephensson"
#     - attribute: groups
#       value: "admin"
#
# See https://matrix-org.github.io/synapse/latest/openid.html
# for information on how to configure these options.
#
# For backwards compatibility, it is also possible to configure a single OIDC
# provider via an 'oidc_config' setting. This is now deprecated and admins are
# advised to migrate to the 'oidc_providers' format. (When doing that migration,
# use 'oidc' for the idp_id to ensure that existing users continue to be
# recognised.)
#
oidc_providers:

  {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
  - idp_id: {{ env "KEYCLOAK_ID" }}
    idp_name: {{ env "KEYCLOAK_NAME" }}
    issuer: "{{ env "KEYCLOAK_URL" }}"
    client_id: "{{ env "KEYCLOAK_CLIENT_ID" }}"
    client_secret: "{{ secret "keycloak_client_secret" }}"
    scopes: ["openid", "profile"]
    allow_existing_users: {{ env "KEYCLOAK_ALLOW_EXISTING_USERS" }}
    user_mapping_provider:
      config:
        localpart_template: "{{ "{{ user.preferred_username }}" }}"
        display_name_template: "{{ "{{ user.name }}" }}"
  {{ end }}

  {{ if eq (env "KEYCLOAK2_ENABLED") "1" }}
  - idp_id: keycloak2
    idp_name: {{ env "KEYCLOAK2_NAME" }}
    issuer: "{{ env "KEYCLOAK2_URL" }}"
    client_id: "{{ env "KEYCLOAK2_CLIENT_ID" }}"
    client_secret: "{{ secret "keycloak2_client_secret" }}"
    scopes: ["openid", "profile"]
    user_mapping_provider:
      config:
        localpart_template: "{{ "{{ user.preferred_username }}" }}"
        display_name_template: "{{ "{{ user.name }}" }}"
  {{ end }}

  {{ if eq (env "KEYCLOAK3_ENABLED") "1" }}
  - idp_id: keycloak3
    idp_name: {{ env "KEYCLOAK3_NAME" }}
    issuer: "{{ env "KEYCLOAK3_URL" }}"
    client_id: "{{ env "KEYCLOAK3_CLIENT_ID" }}"
    client_secret: "{{ secret "keycloak3_client_secret" }}"
    scopes: ["openid", "profile"]
    user_mapping_provider:
      config:
        localpart_template: "{{ "{{ user.preferred_username }}" }}"
        display_name_template: "{{ "{{ user.name }}" }}"
  {{ end }}

# Additional settings to use with single-sign on systems such as OpenID Connect,
# SAML2 and CAS.
#
# Server admins can configure custom templates for pages related to SSO. See
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
#
sso:
    # A list of client URLs which are whitelisted so that the user does not
    # have to confirm giving access to their account to the URL. Any client
    # whose URL starts with an entry in the following list will not be subject
    # to an additional confirmation step after the SSO login is completed.
    #
    # WARNING: An entry such as "https://my.client" is insecure, because it
    # will also match "https://my.client.evil.site", exposing your users to
    # phishing attacks from evil.site. To avoid this, include a slash after the
    # hostname: "https://my.client/".
    #
    # The login fallback page (used by clients that don't natively support the
    # required login flows) is whitelisted in addition to any URLs in this list.
    #
    # By default, this list contains only the login fallback page.
    #
    #client_whitelist:
    #  - https://riot.im/develop
    #  - https://my.custom.client/
    {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
    client_whitelist:
      - https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}
    {{ end }}


password_config:
   # Uncomment to disable password login
   #
   enabled: {{ env "PASSWORD_LOGIN_ENABLED" }}

# Configuration for sending emails from Synapse.
#
# Server admins can configure custom templates for email content. See
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
#
email:
  {{ if eq (env "SMTP_ENABLED") "1" }}
  # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
  #
  smtp_host: {{ env "SMTP_HOST" }}

  # The port on the mail server for outgoing SMTP. Defaults to 25.
  #
  smtp_port: {{ env "SMTP_PORT" }}

  # Username/password for authentication to the SMTP server. By default, no
  # authentication is attempted.
  #
  smtp_user: {{ env "SMTP_USER" }}
  smtp_pass: {{ secret "smtp_password" }}

  # Uncomment the following to require TLS transport security for SMTP.
  # By default, Synapse will connect over plain text, and will then switch to
  # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
  # Synapse will refuse to connect unless the server supports STARTTLS.
  #
  require_transport_security: true

  # notif_from defines the "From" address to use when sending emails.
  # It must be set if email sending is enabled.
  #
  # The placeholder '%(app)s' will be replaced by the application name,
  # which is normally 'app_name' (below), but may be overridden by the
  # Matrix client application.
  #
  # Note that the placeholder must be written '%(app)s', including the
  # trailing 's'.
  #
  notif_from: Your Friendly %(app)s homeserver <{{ env "SMTP_FROM" }}>

  # app_name defines the default value for '%(app)s' in notif_from and email
  # subjects. It defaults to 'Matrix'.
  #
  app_name: {{ env "SMTP_APP_NAME" }}

  # Uncomment the following to enable sending emails for messages that the user
  # has missed. Disabled by default.
  #
  enable_notifs: true

  # Custom URL for client links within the email notifications. By default
  # links will be based on "https://matrix.to".
  #
  # (This setting used to be called riot_base_url; the old name is still
  # supported for backwards-compatibility but is now deprecated.)
  #
  client_base_url: https://{{ env "DOMAIN" }}
  {{ end }}

## Rooms ##

# Controls whether locally-created rooms should be end-to-end encrypted by
# default.
#
# Possible options are "all", "invite", and "off". They are defined as:
#
# * "all": any locally-created room
# * "invite": any room created with the "private_chat" or "trusted_private_chat"
#             room creation presets
# * "off": this option will take no effect
#
# The default value is "off".
#
# Note that this option will only affect rooms created after it is set. It
# will also not affect rooms created by other servers.
#
encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}

# User Directory configuration
#
user_directory:
    # Defines whether to search all users visible to your HS when searching
    # the user directory. If false, search results will only contain users
    # visible in public rooms and users sharing a room with the requester.
    # Defaults to false.
    #
    # NB. If you set this to true, and the last time the user_directory search
    # indexes were (re)built was before Synapse 1.44, you'll have to
    # rebuild the indexes in order to search through all known users.
    # These indexes are built the first time Synapse starts; admins can
    # manually trigger a rebuild via API following the instructions at
    #     https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run
    #
    # Uncomment to return search results containing all known users, even if that
    # user does not share a room with the requester.
    #
    search_all_users: true

## Media retention ##
#

# since https://github.com/matrix-org/synapse/releases/tag/v1.61.0
media_retention:
  local_media_lifetime: {{ env "MEDIA_RETENTION_LOCAL_LIFETIME" }}
  remote_media_lifetime: {{ env "MEDIA_RETENTION_REMOTE_LIFETIME" }}