refactor: point to config manual
This commit is contained in:
parent
08b49c14d9
commit
43a3502fad
2
abra.sh
2
abra.sh
|
@ -1,6 +1,6 @@
|
|||
export DISCORD_BRIDGE_YAML_VERSION=v2
|
||||
export ENTRYPOINT_CONF_VERSION=v1
|
||||
export HOMESERVER_YAML_VERSION=v24
|
||||
export HOMESERVER_YAML_VERSION=v25
|
||||
export LOG_CONFIG_VERSION=v2
|
||||
export SHARED_SECRET_AUTH_VERSION=v1
|
||||
export SIGNAL_BRIDGE_YAML_VERSION=v4
|
||||
|
|
|
@ -1,92 +1,32 @@
|
|||
## Modules ##
|
||||
# All configuration options are documented on the following link:
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
|
||||
|
||||
# Server admins can expand Synapse's functionality with external modules.
|
||||
#
|
||||
# See https://matrix-org.github.io/synapse/latest/modules.html for more
|
||||
# documentation on how to configure or create custom modules for Synapse.
|
||||
#
|
||||
{{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }}
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#modules-1
|
||||
modules:
|
||||
# - module: my_super_module.MySuperClass
|
||||
# config:
|
||||
# do_thing: true
|
||||
# - module: my_other_super_module.SomeClass
|
||||
# config: {}
|
||||
{{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }}
|
||||
- module: shared_secret_authenticator.SharedSecretAuthProvider
|
||||
config:
|
||||
shared_secret: {{ secret "shared_secret_auth" }}
|
||||
m_login_password_support_enabled: true
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
|
||||
## Server ##
|
||||
|
||||
# The public-facing domain of the server
|
||||
#
|
||||
# The server_name name will appear at the end of usernames and room addresses
|
||||
# created on this server. For example if the server_name was example.com,
|
||||
# usernames on this server would be in the format @user:example.com
|
||||
#
|
||||
# In most cases you should avoid using a matrix specific subdomain such as
|
||||
# matrix.example.com or synapse.example.com as the server_name for the same
|
||||
# reasons you wouldn't use user@email.example.com as your email address.
|
||||
# See https://matrix-org.github.io/synapse/latest/delegate.html
|
||||
# for information on how to host Synapse on a subdomain while preserving
|
||||
# a clean server_name.
|
||||
#
|
||||
# The server_name cannot be changed later so it is important to
|
||||
# configure this correctly before you start Synapse. It should be all
|
||||
# lowercase and may contain an explicit port.
|
||||
# Examples: matrix.org, localhost:8080
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#server_name
|
||||
server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
|
||||
|
||||
# The public-facing base URL that clients use to access this Homeserver (not
|
||||
# including _matrix/...). This is the same URL a user might enter into the
|
||||
# 'Custom Homeserver URL' field on their client. If you use Synapse with a
|
||||
# reverse proxy, this should be the URL to reach Synapse via the proxy.
|
||||
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
|
||||
# 'listeners' below).
|
||||
#
|
||||
# Defaults to 'https://<server_name>/'.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#public_baseurl
|
||||
public_baseurl: https://{{ env "DOMAIN" }}/
|
||||
|
||||
# Uncomment the following to tell other servers to send federation traffic on
|
||||
# port 443.
|
||||
#
|
||||
# By default, other servers will try to reach our server on port 8448, which can
|
||||
# be inconvenient in some environments.
|
||||
#
|
||||
# Provided 'https://<server_name>/' on port 443 is routed to Synapse, this
|
||||
# option configures Synapse to serve a file at
|
||||
# 'https://<server_name>/.well-known/matrix/server'. This will tell other
|
||||
# servers to send traffic to port 443 instead.
|
||||
#
|
||||
# See https://matrix-org.github.io/synapse/latest/delegate.html for more
|
||||
# information.
|
||||
#
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown
|
||||
serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
|
||||
|
||||
# If set to 'true', removes the need for authentication to access the server's
|
||||
# public rooms directory through the client API, meaning that anyone can
|
||||
# query the room directory. Defaults to 'false'.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_without_auth
|
||||
allow_public_rooms_without_auth: false
|
||||
|
||||
# If set to 'true', allows any other homeserver to fetch the server's public
|
||||
# rooms directory via federation. Defaults to 'false'.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_over_federation
|
||||
allow_public_rooms_over_federation: {{ env "ALLOW_PUBLIC_ROOMS_FEDERATION" }}
|
||||
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#listeners
|
||||
listeners:
|
||||
# Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
|
||||
# that unwraps TLS.
|
||||
#
|
||||
# If you plan to use a reverse proxy, please see
|
||||
# https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
|
||||
#
|
||||
- port: 8008
|
||||
tls: false
|
||||
type: http
|
||||
|
@ -112,153 +52,45 @@ listeners:
|
|||
{{ end }}
|
||||
{{ end }}
|
||||
|
||||
## Homeserver blocking ##
|
||||
|
||||
# How to reach the server admin, used in ResourceLimitError
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact
|
||||
admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}'
|
||||
|
||||
# Resource-constrained homeserver settings
|
||||
#
|
||||
# When this is enabled, the room "complexity" will be checked before a user
|
||||
# joins a new remote room. If it is above the complexity limit, the server will
|
||||
# disallow joining, or will instantly leave.
|
||||
#
|
||||
# Room complexity is an arbitrary measure based on factors such as the number of
|
||||
# users in the room.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_remote_rooms
|
||||
limit_remote_rooms:
|
||||
# Uncomment to enable room complexity checking.
|
||||
#
|
||||
enabled: true
|
||||
|
||||
# the limit above which rooms cannot be joined. The default is 1.0.
|
||||
#
|
||||
complexity: 200.0
|
||||
|
||||
# The largest allowed file size for a user avatar. Defaults to no restriction.
|
||||
# Note that user avatar changes will not work if this is set without
|
||||
# using Synapse's media repository.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_avatar_size
|
||||
max_avatar_size: 10M
|
||||
|
||||
# How long to keep redacted events in unredacted form in the database. After
|
||||
# this period redacted events get replaced with their redacted form in the DB.
|
||||
#
|
||||
# Defaults to `7d`. Set to `null` to disable.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#redaction_retention_period
|
||||
redaction_retention_period: {{ env "REDACTION_RETENTION_PERIOD" }}
|
||||
|
||||
# How long to track users' last seen time and IPs in the database.
|
||||
#
|
||||
# Defaults to `28d`. Set to `null` to disable clearing out of old rows.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_ips_max_age
|
||||
user_ips_max_age: {{ env "USER_IPS_MAX_AGE" }}
|
||||
|
||||
# Message retention policy at the server level.
|
||||
#
|
||||
# Room admins and mods can define a retention period for their rooms using the
|
||||
# 'm.room.retention' state event, and server admins can cap this period by setting
|
||||
# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options.
|
||||
#
|
||||
# If this feature is enabled, Synapse will regularly look for and purge events
|
||||
# which are older than the room's maximum retention period. Synapse will also
|
||||
# filter events received over federation so that events that should have been
|
||||
# purged are ignored and not stored again.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#retention
|
||||
retention:
|
||||
# The message retention policies feature is disabled by default. Uncomment the
|
||||
# following line to enable it.
|
||||
#
|
||||
enabled: true
|
||||
|
||||
# Default retention policy. If set, Synapse will apply it to rooms that lack the
|
||||
# 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't
|
||||
# matter much because Synapse doesn't take it into account yet.
|
||||
#
|
||||
default_policy:
|
||||
min_lifetime: 1d
|
||||
max_lifetime: {{ env "RETENTION_MAX_LIFETIME" }}
|
||||
|
||||
# Retention policy limits. If set, and the state of a room contains a
|
||||
# 'm.room.retention' event in its state which contains a 'min_lifetime' or a
|
||||
# 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
|
||||
# to these limits when running purge jobs.
|
||||
#
|
||||
allowed_lifetime_min: 1d
|
||||
allowed_lifetime_max: {{ env "ALLOWED_LIFETIME_MAX" }}
|
||||
|
||||
# Server admins can define the settings of the background jobs purging the
|
||||
# events which lifetime has expired under the 'purge_jobs' section.
|
||||
#
|
||||
# If no configuration is provided, a single job will be set up to delete expired
|
||||
# events in every room daily.
|
||||
#
|
||||
# Each job's configuration defines which range of message lifetimes the job
|
||||
# takes care of. For example, if 'shortest_max_lifetime' is '2d' and
|
||||
# 'longest_max_lifetime' is '3d', the job will handle purging expired events in
|
||||
# rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and
|
||||
# lower than or equal to 3 days. Both the minimum and the maximum value of a
|
||||
# range are optional, e.g. a job with no 'shortest_max_lifetime' and a
|
||||
# 'longest_max_lifetime' of '3d' will handle every room with a retention policy
|
||||
# which 'max_lifetime' is lower than or equal to three days.
|
||||
#
|
||||
# The rationale for this per-job configuration is that some rooms might have a
|
||||
# retention policy with a low 'max_lifetime', where history needs to be purged
|
||||
# of outdated messages on a more frequent basis than for the rest of the rooms
|
||||
# (e.g. every 12h), but not want that purge to be performed by a job that's
|
||||
# iterating over every room it knows, which could be heavy on the server.
|
||||
#
|
||||
# If any purge job is configured, it is strongly recommended to have at least
|
||||
# a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
|
||||
# set, or one job without 'shortest_max_lifetime' and one job without
|
||||
# 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
|
||||
# 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
|
||||
# room's policy to these values is done after the policies are retrieved from
|
||||
# Synapse's database (which is done using the range specified in a purge job's
|
||||
# configuration).
|
||||
#
|
||||
purge_jobs:
|
||||
- longest_max_lifetime: 3d
|
||||
interval: 12h
|
||||
- shortest_max_lifetime: 3d
|
||||
interval: 1d
|
||||
|
||||
## Federation ##
|
||||
|
||||
# Restrict federation to the following whitelist of domains.
|
||||
# N.B. we recommend also firewalling your federation listener to limit
|
||||
# inbound federation traffic as early as possible, rather than relying
|
||||
# purely on this application-layer restriction. If not specified, the
|
||||
# default is to whitelist everything.
|
||||
#
|
||||
#federation_domain_whitelist:
|
||||
# - lon.example.com
|
||||
# - nyc.example.com
|
||||
# - syd.example.com
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist
|
||||
{{ if eq (env "DISABLE_FEDERATION") "1" }}
|
||||
federation_domain_whitelist: []
|
||||
{{ else if eq (env "ENABLE_ALLOWLIST") "1" }}
|
||||
federation_domain_whitelist: {{ env "FEDERATION_ALLOWLIST" }}
|
||||
{{ end }}
|
||||
|
||||
## Database ##
|
||||
|
||||
# The 'database' setting defines the database that synapse uses to store all of
|
||||
# its data.
|
||||
#
|
||||
# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
|
||||
# 'psycopg2' (for PostgreSQL).
|
||||
#
|
||||
# 'txn_limit' gives the maximum number of transactions to run per connection
|
||||
# before reconnecting. Defaults to 0, which means no limit.
|
||||
#
|
||||
# 'args' gives options which are passed through to the database engine,
|
||||
# except for options starting 'cp_', which are used to configure the Twisted
|
||||
# connection pool. For a reference to valid arguments, see:
|
||||
# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
|
||||
# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
|
||||
# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#database-1
|
||||
database:
|
||||
name: psycopg2
|
||||
txn_limit: 10000
|
||||
|
@ -274,326 +106,65 @@ database:
|
|||
keepalives_interval: 10
|
||||
keepalives_count: 3
|
||||
|
||||
## Logging ##
|
||||
|
||||
# A yaml python logging config file as described by
|
||||
# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#log_config
|
||||
log_config: "/data/log.config"
|
||||
|
||||
## Media Store ##
|
||||
|
||||
# Enable the media store service in the Synapse master. Uncomment the
|
||||
# following if you are using a separate media store worker.
|
||||
#
|
||||
#enable_media_repo: false
|
||||
|
||||
# Directory where uploaded images and attachments are stored.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_store_path
|
||||
media_store_path: "/data/media_store"
|
||||
|
||||
# The largest allowed upload size in bytes
|
||||
#
|
||||
# If you are using a reverse proxy you may also need to set this value in
|
||||
# your reverse proxy's config. Notably Nginx has a small max body size by default.
|
||||
# See https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_upload_size
|
||||
max_upload_size: 50M
|
||||
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#turn
|
||||
{{ if eq (env "TURN_ENABLED") "1" }}
|
||||
## TURN ##
|
||||
|
||||
# The public URIs of the TURN server to give to clients
|
||||
#
|
||||
turn_uris: {{ env "TURN_URIS" }}
|
||||
|
||||
# The shared secret used to compute passwords for the TURN server
|
||||
#
|
||||
turn_shared_secret: "{{ secret "turn_shared_secret" }}"
|
||||
|
||||
# How long generated TURN credentials last
|
||||
#
|
||||
turn_user_lifetime: 1h
|
||||
|
||||
# Whether guests should be allowed to use the TURN server.
|
||||
# This defaults to True, otherwise VoIP will be unreliable for guests.
|
||||
# However, it does introduce a slight security risk as it allows users to
|
||||
# connect to arbitrary endpoints without having first signed up for a
|
||||
# valid account (e.g. by passing a CAPTCHA).
|
||||
#
|
||||
turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
|
||||
{{ end }}
|
||||
|
||||
## Registration ##
|
||||
#
|
||||
# Registration can be rate-limited using the parameters in the "Ratelimiting"
|
||||
# section of this file.
|
||||
|
||||
# Enable registration for new users.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration
|
||||
enable_registration: {{ env "ENABLE_REGISTRATION" }}
|
||||
|
||||
# Enable 3PIDs lookup requests to identity servers from this server.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup
|
||||
enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}
|
||||
|
||||
# If set, allows registration of standard or admin accounts by anyone who
|
||||
# has the shared secret, even if registration is otherwise disabled.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_shared_secret
|
||||
registration_shared_secret: {{ secret "registration_shared_secret" }}
|
||||
|
||||
# Users who register on this homeserver will automatically be joined
|
||||
# to these rooms.
|
||||
#
|
||||
# By default, any room aliases included in this list will be created
|
||||
# as a publicly joinable room when the first user registers for the
|
||||
# homeserver. This behaviour can be customised with the settings below.
|
||||
# If the room already exists, make certain it is a publicly joinable
|
||||
# room. The join rule of the room must be set to 'public'.
|
||||
#
|
||||
{{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }}
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#auto_join_rooms
|
||||
auto_join_rooms:
|
||||
- "{{ env "AUTO_JOIN_ROOM" }}"
|
||||
{{ end }}
|
||||
|
||||
## Metrics ###
|
||||
|
||||
# Whether or not to report anonymized homeserver usage statistics.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#report_stats
|
||||
report_stats: false
|
||||
|
||||
## API Configuration ##
|
||||
|
||||
# A list of application service config files to use
|
||||
#
|
||||
{{ if eq (env "APP_SERVICES_ENABLED") "1" }}
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files
|
||||
app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }}
|
||||
{{ end }}
|
||||
|
||||
# a secret which is used to sign access tokens. If none is specified,
|
||||
# the registration_shared_secret is used, if one is given; otherwise,
|
||||
# a secret key is derived from the signing key.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#macaroon_secret_key
|
||||
macaroon_secret_key: "{{ secret "macaroon_secret_key" }}"
|
||||
|
||||
# a secret which is used to calculate HMACs for form values, to stop
|
||||
# falsification of values. Must be specified for the User Consent
|
||||
# forms to work.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#form_secret
|
||||
form_secret: "{{ secret "form_secret" }}"
|
||||
|
||||
## Signing Keys ##
|
||||
|
||||
# Path to the signing key to sign messages with
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#signing_key_path
|
||||
signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"
|
||||
|
||||
# The trusted servers to download signing keys from.
|
||||
#
|
||||
# When we need to fetch a signing key, each server is tried in parallel.
|
||||
#
|
||||
# Normally, the connection to the key server is validated via TLS certificates.
|
||||
# Additional security can be provided by configuring a `verify key`, which
|
||||
# will make synapse check that the response is signed by that key.
|
||||
#
|
||||
# This setting supercedes an older setting named `perspectives`. The old format
|
||||
# is still supported for backwards-compatibility, but it is deprecated.
|
||||
#
|
||||
# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
|
||||
# warning on start-up. To suppress this warning, set
|
||||
# 'suppress_key_server_warning' to true.
|
||||
#
|
||||
# Options for each entry in the list include:
|
||||
#
|
||||
# server_name: the name of the server. required.
|
||||
#
|
||||
# verify_keys: an optional map from key id to base64-encoded public key.
|
||||
# If specified, we will check that the response is signed by at least
|
||||
# one of the given keys.
|
||||
#
|
||||
# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
|
||||
# and federation_verify_certificates is not `true`, synapse will refuse
|
||||
# to start, because this would allow anyone who can spoof DNS responses
|
||||
# to masquerade as the trusted key server. If you know what you are doing
|
||||
# and are sure that your network environment provides a secure connection
|
||||
# to the key server, you can set this to `true` to override this
|
||||
# behaviour.
|
||||
#
|
||||
# An example configuration might look like:
|
||||
#
|
||||
#trusted_key_servers:
|
||||
# - server_name: "my_trusted_server.example.com"
|
||||
# verify_keys:
|
||||
# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
|
||||
# - server_name: "my_other_trusted_server.example.com"
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers
|
||||
{{ if eq (env "ENABLE_ALLOWLIST") "1" }}
|
||||
{{ env "TRUSTED_KEYSERVERS" }}
|
||||
trusted_key_servers: [] # NOTE(d1): defaults to requesting server directly, which matches FEDERATION_ALLOWLIST
|
||||
{{ else }}
|
||||
trusted_key_servers:
|
||||
- server_name: "matrix.org"
|
||||
{{ end }}
|
||||
|
||||
## Single sign-on integration ##
|
||||
|
||||
# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
|
||||
# and login.
|
||||
#
|
||||
# Options for each entry include:
|
||||
#
|
||||
# idp_id: a unique identifier for this identity provider. Used internally
|
||||
# by Synapse; should be a single word such as 'github'.
|
||||
#
|
||||
# Note that, if this is changed, users authenticating via that provider
|
||||
# will no longer be recognised as the same user!
|
||||
#
|
||||
# (Use "oidc" here if you are migrating from an old "oidc_config"
|
||||
# configuration.)
|
||||
#
|
||||
# idp_name: A user-facing name for this identity provider, which is used to
|
||||
# offer the user a choice of login mechanisms.
|
||||
#
|
||||
# idp_icon: An optional icon for this identity provider, which is presented
|
||||
# by clients and Synapse's own IdP picker page. If given, must be an
|
||||
# MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
|
||||
# obtain such an MXC URI is to upload an image to an (unencrypted) room
|
||||
# and then copy the "url" from the source of the event.)
|
||||
#
|
||||
# idp_brand: An optional brand for this identity provider, allowing clients
|
||||
# to style the login flow according to the identity provider in question.
|
||||
# See the spec for possible options here.
|
||||
#
|
||||
# discover: set to 'false' to disable the use of the OIDC discovery mechanism
|
||||
# to discover endpoints. Defaults to true.
|
||||
#
|
||||
# issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
|
||||
# is enabled) to discover the provider's endpoints.
|
||||
#
|
||||
# client_id: Required. oauth2 client id to use.
|
||||
#
|
||||
# client_secret: oauth2 client secret to use. May be omitted if
|
||||
# client_secret_jwt_key is given, or if client_auth_method is 'none'.
|
||||
#
|
||||
# client_secret_jwt_key: Alternative to client_secret: details of a key used
|
||||
# to create a JSON Web Token to be used as an OAuth2 client secret. If
|
||||
# given, must be a dictionary with the following properties:
|
||||
#
|
||||
# key: a pem-encoded signing key. Must be a suitable key for the
|
||||
# algorithm specified. Required unless 'key_file' is given.
|
||||
#
|
||||
# key_file: the path to file containing a pem-encoded signing key file.
|
||||
# Required unless 'key' is given.
|
||||
#
|
||||
# jwt_header: a dictionary giving properties to include in the JWT
|
||||
# header. Must include the key 'alg', giving the algorithm used to
|
||||
# sign the JWT, such as "ES256", using the JWA identifiers in
|
||||
# RFC7518.
|
||||
#
|
||||
# jwt_payload: an optional dictionary giving properties to include in
|
||||
# the JWT payload. Normally this should include an 'iss' key.
|
||||
#
|
||||
# client_auth_method: auth method to use when exchanging the token. Valid
|
||||
# values are 'client_secret_basic' (default), 'client_secret_post' and
|
||||
# 'none'.
|
||||
#
|
||||
# scopes: list of scopes to request. This should normally include the "openid"
|
||||
# scope. Defaults to ["openid"].
|
||||
#
|
||||
# authorization_endpoint: the oauth2 authorization endpoint. Required if
|
||||
# provider discovery is disabled.
|
||||
#
|
||||
# token_endpoint: the oauth2 token endpoint. Required if provider discovery is
|
||||
# disabled.
|
||||
#
|
||||
# userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
|
||||
# disabled and the 'openid' scope is not requested.
|
||||
#
|
||||
# jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
|
||||
# the 'openid' scope is used.
|
||||
#
|
||||
# skip_verification: set to 'true' to skip metadata verification. Use this if
|
||||
# you are connecting to a provider that is not OpenID Connect compliant.
|
||||
# Defaults to false. Avoid this in production.
|
||||
#
|
||||
# user_profile_method: Whether to fetch the user profile from the userinfo
|
||||
# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
|
||||
#
|
||||
# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
|
||||
# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
|
||||
# userinfo endpoint.
|
||||
#
|
||||
# allow_existing_users: set to 'true' to allow a user logging in via OIDC to
|
||||
# match a pre-existing account instead of failing. This could be used if
|
||||
# switching from password logins to OIDC. Defaults to false.
|
||||
#
|
||||
# user_mapping_provider: Configuration for how attributes returned from a OIDC
|
||||
# provider are mapped onto a matrix user. This setting has the following
|
||||
# sub-properties:
|
||||
#
|
||||
# module: The class name of a custom mapping module. Default is
|
||||
# 'synapse.handlers.oidc.JinjaOidcMappingProvider'.
|
||||
# See https://matrix-org.github.io/synapse/latest/sso_mapping_providers.html#openid-mapping-providers
|
||||
# for information on implementing a custom mapping provider.
|
||||
#
|
||||
# config: Configuration for the mapping provider module. This section will
|
||||
# be passed as a Python dictionary to the user mapping provider
|
||||
# module's `parse_config` method.
|
||||
#
|
||||
# For the default provider, the following settings are available:
|
||||
#
|
||||
# subject_claim: name of the claim containing a unique identifier
|
||||
# for the user. Defaults to 'sub', which OpenID Connect
|
||||
# compliant providers should provide.
|
||||
#
|
||||
# localpart_template: Jinja2 template for the localpart of the MXID.
|
||||
# If this is not set, the user will be prompted to choose their
|
||||
# own username (see 'sso_auth_account_details.html' in the 'sso'
|
||||
# section of this file).
|
||||
#
|
||||
# display_name_template: Jinja2 template for the display name to set
|
||||
# on first login. If unset, no displayname will be set.
|
||||
#
|
||||
# email_template: Jinja2 template for the email address of the user.
|
||||
# If unset, no email address will be added to the account.
|
||||
#
|
||||
# extra_attributes: a map of Jinja2 templates for extra attributes
|
||||
# to send back to the client during login.
|
||||
# Note that these are non-standard and clients will ignore them
|
||||
# without modifications.
|
||||
#
|
||||
# When rendering, the Jinja2 templates are given a 'user' variable,
|
||||
# which is set to the claims returned by the UserInfo Endpoint and/or
|
||||
# in the ID Token.
|
||||
#
|
||||
# It is possible to configure Synapse to only allow logins if certain attributes
|
||||
# match particular values in the OIDC userinfo. The requirements can be listed under
|
||||
# `attribute_requirements` as shown below. All of the listed attributes must
|
||||
# match for the login to be permitted. Additional attributes can be added to
|
||||
# userinfo by expanding the `scopes` section of the OIDC config to retrieve
|
||||
# additional information from the OIDC provider.
|
||||
#
|
||||
# If the OIDC claim is a list, then the attribute must match any value in the list.
|
||||
# Otherwise, it must exactly match the value of the claim. Using the example
|
||||
# below, the `family_name` claim MUST be "Stephensson", but the `groups`
|
||||
# claim MUST contain "admin".
|
||||
#
|
||||
# attribute_requirements:
|
||||
# - attribute: family_name
|
||||
# value: "Stephensson"
|
||||
# - attribute: groups
|
||||
# value: "admin"
|
||||
#
|
||||
# See https://matrix-org.github.io/synapse/latest/openid.html
|
||||
# for information on how to configure these options.
|
||||
#
|
||||
# For backwards compatibility, it is also possible to configure a single OIDC
|
||||
# provider via an 'oidc_config' setting. This is now deprecated and admins are
|
||||
# advised to migrate to the 'oidc_providers' format. (When doing that migration,
|
||||
# use 'oidc' for the idp_id to ensure that existing users continue to be
|
||||
# recognised.)
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#oidc_providers
|
||||
oidc_providers:
|
||||
|
||||
{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
|
||||
- idp_id: {{ env "KEYCLOAK_ID" }}
|
||||
idp_name: {{ env "KEYCLOAK_NAME" }}
|
||||
|
@ -636,144 +207,40 @@ oidc_providers:
|
|||
display_name_template: "{{ "{{ user.name }}" }}"
|
||||
{{ end }}
|
||||
|
||||
# Additional settings to use with single-sign on systems such as OpenID Connect,
|
||||
# SAML2 and CAS.
|
||||
#
|
||||
# Server admins can configure custom templates for pages related to SSO. See
|
||||
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#sso
|
||||
sso:
|
||||
# A list of client URLs which are whitelisted so that the user does not
|
||||
# have to confirm giving access to their account to the URL. Any client
|
||||
# whose URL starts with an entry in the following list will not be subject
|
||||
# to an additional confirmation step after the SSO login is completed.
|
||||
#
|
||||
# WARNING: An entry such as "https://my.client" is insecure, because it
|
||||
# will also match "https://my.client.evil.site", exposing your users to
|
||||
# phishing attacks from evil.site. To avoid this, include a slash after the
|
||||
# hostname: "https://my.client/".
|
||||
#
|
||||
# The login fallback page (used by clients that don't natively support the
|
||||
# required login flows) is whitelisted in addition to any URLs in this list.
|
||||
#
|
||||
# By default, this list contains only the login fallback page.
|
||||
#
|
||||
#client_whitelist:
|
||||
# - https://riot.im/develop
|
||||
# - https://my.custom.client/
|
||||
{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
|
||||
client_whitelist:
|
||||
- https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}
|
||||
{{ end }}
|
||||
|
||||
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config
|
||||
password_config:
|
||||
# Uncomment to disable password login
|
||||
#
|
||||
enabled: {{ env "PASSWORD_LOGIN_ENABLED" }}
|
||||
|
||||
# Configuration for sending emails from Synapse.
|
||||
#
|
||||
# Server admins can configure custom templates for email content. See
|
||||
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email
|
||||
email:
|
||||
{{ if eq (env "SMTP_ENABLED") "1" }}
|
||||
# The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
|
||||
#
|
||||
smtp_host: {{ env "SMTP_HOST" }}
|
||||
|
||||
# The port on the mail server for outgoing SMTP. Defaults to 25.
|
||||
#
|
||||
smtp_port: {{ env "SMTP_PORT" }}
|
||||
|
||||
# Username/password for authentication to the SMTP server. By default, no
|
||||
# authentication is attempted.
|
||||
#
|
||||
smtp_user: {{ env "SMTP_USER" }}
|
||||
smtp_pass: "{{ secret "smtp_password" }}"
|
||||
|
||||
# Uncomment the following to require TLS transport security for SMTP.
|
||||
# By default, Synapse will connect over plain text, and will then switch to
|
||||
# TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
|
||||
# Synapse will refuse to connect unless the server supports STARTTLS.
|
||||
#
|
||||
require_transport_security: true
|
||||
|
||||
# notif_from defines the "From" address to use when sending emails.
|
||||
# It must be set if email sending is enabled.
|
||||
#
|
||||
# The placeholder '%(app)s' will be replaced by the application name,
|
||||
# which is normally 'app_name' (below), but may be overridden by the
|
||||
# Matrix client application.
|
||||
#
|
||||
# Note that the placeholder must be written '%(app)s', including the
|
||||
# trailing 's'.
|
||||
#
|
||||
notif_from: Your Friendly %(app)s homeserver <{{ env "SMTP_FROM" }}>
|
||||
|
||||
# app_name defines the default value for '%(app)s' in notif_from and email
|
||||
# subjects. It defaults to 'Matrix'.
|
||||
#
|
||||
app_name: {{ env "SMTP_APP_NAME" }}
|
||||
|
||||
# Uncomment the following to enable sending emails for messages that the user
|
||||
# has missed. Disabled by default.
|
||||
#
|
||||
enable_notifs: true
|
||||
|
||||
# Custom URL for client links within the email notifications. By default
|
||||
# links will be based on "https://matrix.to".
|
||||
#
|
||||
# (This setting used to be called riot_base_url; the old name is still
|
||||
# supported for backwards-compatibility but is now deprecated.)
|
||||
#
|
||||
client_base_url: https://{{ env "DOMAIN" }}
|
||||
{{ end }}
|
||||
|
||||
## Rooms ##
|
||||
|
||||
# Controls whether locally-created rooms should be end-to-end encrypted by
|
||||
# default.
|
||||
#
|
||||
# Possible options are "all", "invite", and "off". They are defined as:
|
||||
#
|
||||
# * "all": any locally-created room
|
||||
# * "invite": any room created with the "private_chat" or "trusted_private_chat"
|
||||
# room creation presets
|
||||
# * "off": this option will take no effect
|
||||
#
|
||||
# The default value is "off".
|
||||
#
|
||||
# Note that this option will only affect rooms created after it is set. It
|
||||
# will also not affect rooms created by other servers.
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#encryption_enabled_by_default_for_room_type
|
||||
encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}
|
||||
|
||||
# User Directory configuration
|
||||
#
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory
|
||||
user_directory:
|
||||
# Defines whether to search all users visible to your HS when searching
|
||||
# the user directory. If false, search results will only contain users
|
||||
# visible in public rooms and users sharing a room with the requester.
|
||||
# Defaults to false.
|
||||
#
|
||||
# NB. If you set this to true, and the last time the user_directory search
|
||||
# indexes were (re)built was before Synapse 1.44, you'll have to
|
||||
# rebuild the indexes in order to search through all known users.
|
||||
# These indexes are built the first time Synapse starts; admins can
|
||||
# manually trigger a rebuild via API following the instructions at
|
||||
# https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run
|
||||
#
|
||||
# Uncomment to return search results containing all known users, even if that
|
||||
# user does not share a room with the requester.
|
||||
#
|
||||
search_all_users: true
|
||||
search_all_users: true
|
||||
|
||||
## Media retention ##
|
||||
#
|
||||
|
||||
# since https://github.com/matrix-org/synapse/releases/tag/v1.61.0
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention
|
||||
media_retention:
|
||||
local_media_lifetime: {{ env "MEDIA_RETENTION_LOCAL_LIFETIME" }}
|
||||
remote_media_lifetime: {{ env "MEDIA_RETENTION_REMOTE_LIFETIME" }}
|
||||
|
|
Loading…
Reference in New Issue