diff --git a/abra.sh b/abra.sh
index 0565de1..8a8b452 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,6 +1,6 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
 export ENTRYPOINT_CONF_VERSION=v1
-export HOMESERVER_YAML_VERSION=v24
+export HOMESERVER_YAML_VERSION=v25
 export LOG_CONFIG_VERSION=v2
 export SHARED_SECRET_AUTH_VERSION=v1
 export SIGNAL_BRIDGE_YAML_VERSION=v4
diff --git a/homeserver.yaml.tmpl b/homeserver.yaml.tmpl
index 53a435b..bfaee90 100644
--- a/homeserver.yaml.tmpl
+++ b/homeserver.yaml.tmpl
@@ -1,92 +1,32 @@ -## Modules ## +# All configuration options are documented on the following link: +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html -# Server admins can expand Synapse's functionality with external modules. -# -# See https://matrix-org.github.io/synapse/latest/modules.html for more -# documentation on how to configure or create custom modules for Synapse. -# +{{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }} +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#modules-1 modules: - # - module: my_super_module.MySuperClass - # config: - # do_thing: true - # - module: my_other_super_module.SomeClass - # config: {} - {{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }} - module: shared_secret_authenticator.SharedSecretAuthProvider config: shared_secret: {{ secret "shared_secret_auth" }} m_login_password_support_enabled: true - {{ end }} +{{ end }} -## Server ## - -# The public-facing domain of the server -# -# The server_name name will appear at the end of usernames and room addresses -# created on this server. For example if the server_name was example.com, -# usernames on this server would be in the format @user:example.com -# -# In most cases you should avoid using a matrix specific subdomain such as -# matrix.example.com or synapse.example.com as the server_name for the same -# reasons you wouldn't use user@email.example.com as your email address. -# See https://matrix-org.github.io/synapse/latest/delegate.html -# for information on how to host Synapse on a subdomain while preserving -# a clean server_name. -# -# The server_name cannot be changed later so it is important to -# configure this correctly before you start Synapse. It should be all -# lowercase and may contain an explicit port. 
-# Examples: matrix.org, localhost:8080 -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#server_name server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }} -# The public-facing base URL that clients use to access this Homeserver (not -# including _matrix/...). This is the same URL a user might enter into the -# 'Custom Homeserver URL' field on their client. If you use Synapse with a -# reverse proxy, this should be the URL to reach Synapse via the proxy. -# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see -# 'listeners' below). -# -# Defaults to 'https:///'. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#public_baseurl public_baseurl: https://{{ env "DOMAIN" }}/ -# Uncomment the following to tell other servers to send federation traffic on -# port 443. -# -# By default, other servers will try to reach our server on port 8448, which can -# be inconvenient in some environments. -# -# Provided 'https:///' on port 443 is routed to Synapse, this -# option configures Synapse to serve a file at -# 'https:///.well-known/matrix/server'. This will tell other -# servers to send traffic to port 443 instead. -# -# See https://matrix-org.github.io/synapse/latest/delegate.html for more -# information. -# -# Defaults to 'false'. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }} -# If set to 'true', removes the need for authentication to access the server's -# public rooms directory through the client API, meaning that anyone can -# query the room directory. Defaults to 'false'. 
-# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_without_auth allow_public_rooms_without_auth: false -# If set to 'true', allows any other homeserver to fetch the server's public -# rooms directory via federation. Defaults to 'false'. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_over_federation allow_public_rooms_over_federation: {{ env "ALLOW_PUBLIC_ROOMS_FEDERATION" }} +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#listeners listeners: - # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - # - # If you plan to use a reverse proxy, please see - # https://matrix-org.github.io/synapse/latest/reverse_proxy.html. - # - port: 8008 tls: false type: http 
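Review bot: `shared_secret: {{ secret "shared_secret_auth" }}` under `modules:` is written into the YAML unquoted, while `turn_shared_secret`, `macaroon_secret_key` and `form_secret` later in this file are wrapped in double quotes; `registration_shared_secret` in the third hunk has the same inconsistency. A generated secret that happens to look like a number, begin with `*` or `&`, or contain `: ` or ` #` would be parsed as something other than the intended string, most likely breaking password login through the provider in a way that is hard to diagnose. The line is unchanged by this commit, but since the whole block is being restructured, `shared_secret: "{{ secret "shared_secret_auth" }}"` would be a small addition here. If the secret generator only ever emits plain alphanumerics this is harmless, but the quoting is cheap insurance.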
@@ -112,153 +52,45 @@ listeners: {{ end }} {{ end }} -## Homeserver blocking ## - -# How to reach the server admin, used in ResourceLimitError -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}' -# Resource-constrained homeserver settings -# -# When this is enabled, the room "complexity" will be checked before a user -# joins a new remote room. If it is above the complexity limit, the server will -# disallow joining, or will instantly leave. -# -# Room complexity is an arbitrary measure based on factors such as the number of -# users in the room. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_remote_rooms limit_remote_rooms: - # Uncomment to enable room complexity checking. - # enabled: true - - # the limit above which rooms cannot be joined. The default is 1.0. - # complexity: 200.0 -# The largest allowed file size for a user avatar. Defaults to no restriction. -# Note that user avatar changes will not work if this is set without -# using Synapse's media repository. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_avatar_size max_avatar_size: 10M -# How long to keep redacted events in unredacted form in the database. After -# this period redacted events get replaced with their redacted form in the DB. -# -# Defaults to `7d`. Set to `null` to disable. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#redaction_retention_period redaction_retention_period: {{ env "REDACTION_RETENTION_PERIOD" }} -# How long to track users' last seen time and IPs in the database. -# -# Defaults to `28d`. Set to `null` to disable clearing out of old rows. 
-# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_ips_max_age user_ips_max_age: {{ env "USER_IPS_MAX_AGE" }} -# Message retention policy at the server level. -# -# Room admins and mods can define a retention period for their rooms using the -# 'm.room.retention' state event, and server admins can cap this period by setting -# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. -# -# If this feature is enabled, Synapse will regularly look for and purge events -# which are older than the room's maximum retention period. Synapse will also -# filter events received over federation so that events that should have been -# purged are ignored and not stored again. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#retention retention: - # The message retention policies feature is disabled by default. Uncomment the - # following line to enable it. - # enabled: true - - # Default retention policy. If set, Synapse will apply it to rooms that lack the - # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't - # matter much because Synapse doesn't take it into account yet. - # default_policy: min_lifetime: 1d max_lifetime: {{ env "RETENTION_MAX_LIFETIME" }} - - # Retention policy limits. If set, and the state of a room contains a - # 'm.room.retention' event in its state which contains a 'min_lifetime' or a - # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy - # to these limits when running purge jobs. - # allowed_lifetime_min: 1d allowed_lifetime_max: {{ env "ALLOWED_LIFETIME_MAX" }} - - # Server admins can define the settings of the background jobs purging the - # events which lifetime has expired under the 'purge_jobs' section. - # - # If no configuration is provided, a single job will be set up to delete expired - # events in every room daily. 
- # - # Each job's configuration defines which range of message lifetimes the job - # takes care of. For example, if 'shortest_max_lifetime' is '2d' and - # 'longest_max_lifetime' is '3d', the job will handle purging expired events in - # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and - # lower than or equal to 3 days. Both the minimum and the maximum value of a - # range are optional, e.g. a job with no 'shortest_max_lifetime' and a - # 'longest_max_lifetime' of '3d' will handle every room with a retention policy - # which 'max_lifetime' is lower than or equal to three days. - # - # The rationale for this per-job configuration is that some rooms might have a - # retention policy with a low 'max_lifetime', where history needs to be purged - # of outdated messages on a more frequent basis than for the rest of the rooms - # (e.g. every 12h), but not want that purge to be performed by a job that's - # iterating over every room it knows, which could be heavy on the server. - # - # If any purge job is configured, it is strongly recommended to have at least - # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' - # set, or one job without 'shortest_max_lifetime' and one job without - # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if - # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a - # room's policy to these values is done after the policies are retrieved from - # Synapse's database (which is done using the range specified in a purge job's - # configuration). - # purge_jobs: - longest_max_lifetime: 3d interval: 12h - shortest_max_lifetime: 3d interval: 1d -## Federation ## - -# Restrict federation to the following whitelist of domains. -# N.B. we recommend also firewalling your federation listener to limit -# inbound federation traffic as early as possible, rather than relying -# purely on this application-layer restriction. 
If not specified, the -# default is to whitelist everything. -# -#federation_domain_whitelist: -# - lon.example.com -# - nyc.example.com -# - syd.example.com +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist {{ if eq (env "DISABLE_FEDERATION") "1" }} federation_domain_whitelist: [] {{ else if eq (env "ENABLE_ALLOWLIST") "1" }} federation_domain_whitelist: {{ env "FEDERATION_ALLOWLIST" }} {{ end }} -## Database ## - -# The 'database' setting defines the database that synapse uses to store all of -# its data. -# -# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or -# 'psycopg2' (for PostgreSQL). -# -# 'txn_limit' gives the maximum number of transactions to run per connection -# before reconnecting. Defaults to 0, which means no limit. -# -# 'args' gives options which are passed through to the database engine, -# except for options starting 'cp_', which are used to configure the Twisted -# connection pool. For a reference to valid arguments, see: -# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect -# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS -# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#database-1 database: name: psycopg2 txn_limit: 10000 
@@ -274,326 +106,65 @@ database: keepalives_interval: 10 keepalives_count: 3 -## Logging ## - -# A yaml python logging config file as described by -# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#log_config log_config: "/data/log.config" -## Media Store ## - -# Enable the media store service in the Synapse master. Uncomment the -# following if you are using a separate media store worker. -# -#enable_media_repo: false - -# Directory where uploaded images and attachments are stored. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_store_path media_store_path: "/data/media_store" -# The largest allowed upload size in bytes -# -# If you are using a reverse proxy you may also need to set this value in -# your reverse proxy's config. Notably Nginx has a small max body size by default. -# See https://matrix-org.github.io/synapse/latest/reverse_proxy.html. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_upload_size max_upload_size: 50M +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#turn {{ if eq (env "TURN_ENABLED") "1" }} -## TURN ## - -# The public URIs of the TURN server to give to clients -# turn_uris: {{ env "TURN_URIS" }} - -# The shared secret used to compute passwords for the TURN server -# turn_shared_secret: "{{ secret "turn_shared_secret" }}" - -# How long generated TURN credentials last -# turn_user_lifetime: 1h - -# Whether guests should be allowed to use the TURN server. -# This defaults to True, otherwise VoIP will be unreliable for guests. -# However, it does introduce a slight security risk as it allows users to -# connect to arbitrary endpoints without having first signed up for a -# valid account (e.g. by passing a CAPTCHA). 
-# turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }} {{ end }} -## Registration ## -# -# Registration can be rate-limited using the parameters in the "Ratelimiting" -# section of this file. - -# Enable registration for new users. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration enable_registration: {{ env "ENABLE_REGISTRATION" }} -# Enable 3PIDs lookup requests to identity servers from this server. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }} -# If set, allows registration of standard or admin accounts by anyone who -# has the shared secret, even if registration is otherwise disabled. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_shared_secret registration_shared_secret: {{ secret "registration_shared_secret" }} -# Users who register on this homeserver will automatically be joined -# to these rooms. -# -# By default, any room aliases included in this list will be created -# as a publicly joinable room when the first user registers for the -# homeserver. This behaviour can be customised with the settings below. -# If the room already exists, make certain it is a publicly joinable -# room. The join rule of the room must be set to 'public'. -# {{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }} +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#auto_join_rooms auto_join_rooms: - "{{ env "AUTO_JOIN_ROOM" }}" {{ end }} -## Metrics ### - -# Whether or not to report anonymized homeserver usage statistics. 
-# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#report_stats report_stats: false -## API Configuration ## - -# A list of application service config files to use -# {{ if eq (env "APP_SERVICES_ENABLED") "1" }} +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }} {{ end }} -# a secret which is used to sign access tokens. If none is specified, -# the registration_shared_secret is used, if one is given; otherwise, -# a secret key is derived from the signing key. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#macaroon_secret_key macaroon_secret_key: "{{ secret "macaroon_secret_key" }}" -# a secret which is used to calculate HMACs for form values, to stop -# falsification of values. Must be specified for the User Consent -# forms to work. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#form_secret form_secret: "{{ secret "form_secret" }}" -## Signing Keys ## - -# Path to the signing key to sign messages with -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#signing_key_path signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key" -# The trusted servers to download signing keys from. -# -# When we need to fetch a signing key, each server is tried in parallel. -# -# Normally, the connection to the key server is validated via TLS certificates. -# Additional security can be provided by configuring a `verify key`, which -# will make synapse check that the response is signed by that key. -# -# This setting supercedes an older setting named `perspectives`. The old format -# is still supported for backwards-compatibility, but it is deprecated. -# -# 'trusted_key_servers' defaults to matrix.org, but using it will generate a -# warning on start-up. 
To suppress this warning, set -# 'suppress_key_server_warning' to true. -# -# Options for each entry in the list include: -# -# server_name: the name of the server. required. -# -# verify_keys: an optional map from key id to base64-encoded public key. -# If specified, we will check that the response is signed by at least -# one of the given keys. -# -# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, -# and federation_verify_certificates is not `true`, synapse will refuse -# to start, because this would allow anyone who can spoof DNS responses -# to masquerade as the trusted key server. If you know what you are doing -# and are sure that your network environment provides a secure connection -# to the key server, you can set this to `true` to override this -# behaviour. -# -# An example configuration might look like: -# -#trusted_key_servers: -# - server_name: "my_trusted_server.example.com" -# verify_keys: -# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" -# - server_name: "my_other_trusted_server.example.com" -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers {{ if eq (env "ENABLE_ALLOWLIST") "1" }} -{{ env "TRUSTED_KEYSERVERS" }} +trusted_key_servers: [] # NOTE(d1): defaults to requesting server directly, which matches FEDERATION_ALLOWLIST {{ else }} trusted_key_servers: - server_name: "matrix.org" {{ end }} -## Single sign-on integration ## - -# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration -# and login. -# -# Options for each entry include: -# -# idp_id: a unique identifier for this identity provider. Used internally -# by Synapse; should be a single word such as 'github'. -# -# Note that, if this is changed, users authenticating via that provider -# will no longer be recognised as the same user! -# -# (Use "oidc" here if you are migrating from an old "oidc_config" -# configuration.) 
-# -# idp_name: A user-facing name for this identity provider, which is used to -# offer the user a choice of login mechanisms. -# -# idp_icon: An optional icon for this identity provider, which is presented -# by clients and Synapse's own IdP picker page. If given, must be an -# MXC URI of the format mxc:///. (An easy way to -# obtain such an MXC URI is to upload an image to an (unencrypted) room -# and then copy the "url" from the source of the event.) -# -# idp_brand: An optional brand for this identity provider, allowing clients -# to style the login flow according to the identity provider in question. -# See the spec for possible options here. -# -# discover: set to 'false' to disable the use of the OIDC discovery mechanism -# to discover endpoints. Defaults to true. -# -# issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery -# is enabled) to discover the provider's endpoints. -# -# client_id: Required. oauth2 client id to use. -# -# client_secret: oauth2 client secret to use. May be omitted if -# client_secret_jwt_key is given, or if client_auth_method is 'none'. -# -# client_secret_jwt_key: Alternative to client_secret: details of a key used -# to create a JSON Web Token to be used as an OAuth2 client secret. If -# given, must be a dictionary with the following properties: -# -# key: a pem-encoded signing key. Must be a suitable key for the -# algorithm specified. Required unless 'key_file' is given. -# -# key_file: the path to file containing a pem-encoded signing key file. -# Required unless 'key' is given. -# -# jwt_header: a dictionary giving properties to include in the JWT -# header. Must include the key 'alg', giving the algorithm used to -# sign the JWT, such as "ES256", using the JWA identifiers in -# RFC7518. -# -# jwt_payload: an optional dictionary giving properties to include in -# the JWT payload. Normally this should include an 'iss' key. -# -# client_auth_method: auth method to use when exchanging the token. 
Valid -# values are 'client_secret_basic' (default), 'client_secret_post' and -# 'none'. -# -# scopes: list of scopes to request. This should normally include the "openid" -# scope. Defaults to ["openid"]. -# -# authorization_endpoint: the oauth2 authorization endpoint. Required if -# provider discovery is disabled. -# -# token_endpoint: the oauth2 token endpoint. Required if provider discovery is -# disabled. -# -# userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is -# disabled and the 'openid' scope is not requested. -# -# jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and -# the 'openid' scope is used. -# -# skip_verification: set to 'true' to skip metadata verification. Use this if -# you are connecting to a provider that is not OpenID Connect compliant. -# Defaults to false. Avoid this in production. -# -# user_profile_method: Whether to fetch the user profile from the userinfo -# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'. -# -# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is -# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the -# userinfo endpoint. -# -# allow_existing_users: set to 'true' to allow a user logging in via OIDC to -# match a pre-existing account instead of failing. This could be used if -# switching from password logins to OIDC. Defaults to false. -# -# user_mapping_provider: Configuration for how attributes returned from a OIDC -# provider are mapped onto a matrix user. This setting has the following -# sub-properties: -# -# module: The class name of a custom mapping module. Default is -# 'synapse.handlers.oidc.JinjaOidcMappingProvider'. -# See https://matrix-org.github.io/synapse/latest/sso_mapping_providers.html#openid-mapping-providers -# for information on implementing a custom mapping provider. -# -# config: Configuration for the mapping provider module. 
This section will -# be passed as a Python dictionary to the user mapping provider -# module's `parse_config` method. -# -# For the default provider, the following settings are available: -# -# subject_claim: name of the claim containing a unique identifier -# for the user. Defaults to 'sub', which OpenID Connect -# compliant providers should provide. -# -# localpart_template: Jinja2 template for the localpart of the MXID. -# If this is not set, the user will be prompted to choose their -# own username (see 'sso_auth_account_details.html' in the 'sso' -# section of this file). -# -# display_name_template: Jinja2 template for the display name to set -# on first login. If unset, no displayname will be set. -# -# email_template: Jinja2 template for the email address of the user. -# If unset, no email address will be added to the account. -# -# extra_attributes: a map of Jinja2 templates for extra attributes -# to send back to the client during login. -# Note that these are non-standard and clients will ignore them -# without modifications. -# -# When rendering, the Jinja2 templates are given a 'user' variable, -# which is set to the claims returned by the UserInfo Endpoint and/or -# in the ID Token. -# -# It is possible to configure Synapse to only allow logins if certain attributes -# match particular values in the OIDC userinfo. The requirements can be listed under -# `attribute_requirements` as shown below. All of the listed attributes must -# match for the login to be permitted. Additional attributes can be added to -# userinfo by expanding the `scopes` section of the OIDC config to retrieve -# additional information from the OIDC provider. -# -# If the OIDC claim is a list, then the attribute must match any value in the list. -# Otherwise, it must exactly match the value of the claim. Using the example -# below, the `family_name` claim MUST be "Stephensson", but the `groups` -# claim MUST contain "admin". 
-# -# attribute_requirements: -# - attribute: family_name -# value: "Stephensson" -# - attribute: groups -# value: "admin" -# -# See https://matrix-org.github.io/synapse/latest/openid.html -# for information on how to configure these options. -# -# For backwards compatibility, it is also possible to configure a single OIDC -# provider via an 'oidc_config' setting. This is now deprecated and admins are -# advised to migrate to the 'oidc_providers' format. (When doing that migration, -# use 'oidc' for the idp_id to ensure that existing users continue to be -# recognised.) -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#oidc_providers oidc_providers: - {{ if eq (env "KEYCLOAK_ENABLED") "1" }} - idp_id: {{ env "KEYCLOAK_ID" }} idp_name: {{ env "KEYCLOAK_NAME" }} 
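Review bot: `trusted_key_servers: []` hard-codes the allowlist case where the template previously emitted `{{ env "TRUSTED_KEYSERVERS" }}`, so an operator who had populated `TRUSTED_KEYSERVERS` now loses that setting silently; the abra.sh hunk above does not remove the variable, so check whether it is still exported or documented elsewhere. With an empty list Synapse can obtain a remote server's signing keys only from that server itself, so events from an allowlisted peer that is unreachable cannot be verified via a notary; that is probably an acceptable trade-off when every peer is in `FEDERATION_ALLOWLIST`, but the inline note should state the consequence rather than only the rationale, e.g. `# NOTE(d1): no notary; signing keys are fetched only from the origin server, acceptable while every peer is in FEDERATION_ALLOWLIST`. The `{{ else }}` branch keeps `matrix.org` as the notary, so the two branches now differ in more than just the list contents, which is worth a line in the commit message.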
@@ -636,144 +207,40 @@ oidc_providers: display_name_template: "{{ "{{ user.name }}" }}" {{ end }} -# Additional settings to use with single-sign on systems such as OpenID Connect, -# SAML2 and CAS. -# -# Server admins can configure custom templates for pages related to SSO. See -# https://matrix-org.github.io/synapse/latest/templates.html for more information. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#sso sso: - # A list of client URLs which are whitelisted so that the user does not - # have to confirm giving access to their account to the URL. Any client - # whose URL starts with an entry in the following list will not be subject - # to an additional confirmation step after the SSO login is completed. - # - # WARNING: An entry such as "https://my.client" is insecure, because it - # will also match "https://my.client.evil.site", exposing your users to - # phishing attacks from evil.site. To avoid this, include a slash after the - # hostname: "https://my.client/". - # - # The login fallback page (used by clients that don't natively support the - # required login flows) is whitelisted in addition to any URLs in this list. - # - # By default, this list contains only the login fallback page. - # - #client_whitelist: - # - https://riot.im/develop - # - https://my.custom.client/ {{ if eq (env "KEYCLOAK_ENABLED") "1" }} client_whitelist: - https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }} {{ end }} +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config password_config: - # Uncomment to disable password login - # enabled: {{ env "PASSWORD_LOGIN_ENABLED" }} -# Configuration for sending emails from Synapse. -# -# Server admins can configure custom templates for email content. See -# https://matrix-org.github.io/synapse/latest/templates.html for more information. 
-# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email email: {{ if eq (env "SMTP_ENABLED") "1" }} - # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. - # smtp_host: {{ env "SMTP_HOST" }} - - # The port on the mail server for outgoing SMTP. Defaults to 25. - # smtp_port: {{ env "SMTP_PORT" }} - - # Username/password for authentication to the SMTP server. By default, no - # authentication is attempted. - # smtp_user: {{ env "SMTP_USER" }} smtp_pass: "{{ secret "smtp_password" }}" - - # Uncomment the following to require TLS transport security for SMTP. - # By default, Synapse will connect over plain text, and will then switch to - # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, - # Synapse will refuse to connect unless the server supports STARTTLS. - # require_transport_security: true - - # notif_from defines the "From" address to use when sending emails. - # It must be set if email sending is enabled. - # - # The placeholder '%(app)s' will be replaced by the application name, - # which is normally 'app_name' (below), but may be overridden by the - # Matrix client application. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # notif_from: Your Friendly %(app)s homeserver <{{ env "SMTP_FROM" }}> - - # app_name defines the default value for '%(app)s' in notif_from and email - # subjects. It defaults to 'Matrix'. - # app_name: {{ env "SMTP_APP_NAME" }} - - # Uncomment the following to enable sending emails for messages that the user - # has missed. Disabled by default. - # enable_notifs: true - - # Custom URL for client links within the email notifications. By default - # links will be based on "https://matrix.to". - # - # (This setting used to be called riot_base_url; the old name is still - # supported for backwards-compatibility but is now deprecated.) 
- # client_base_url: https://{{ env "DOMAIN" }} {{ end }} -## Rooms ## - -# Controls whether locally-created rooms should be end-to-end encrypted by -# default. -# -# Possible options are "all", "invite", and "off". They are defined as: -# -# * "all": any locally-created room -# * "invite": any room created with the "private_chat" or "trusted_private_chat" -# room creation presets -# * "off": this option will take no effect -# -# The default value is "off". -# -# Note that this option will only affect rooms created after it is set. It -# will also not affect rooms created by other servers. -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#encryption_enabled_by_default_for_room_type encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }} -# User Directory configuration -# +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory user_directory: - # Defines whether to search all users visible to your HS when searching - # the user directory. If false, search results will only contain users - # visible in public rooms and users sharing a room with the requester. - # Defaults to false. - # - # NB. If you set this to true, and the last time the user_directory search - # indexes were (re)built was before Synapse 1.44, you'll have to - # rebuild the indexes in order to search through all known users. - # These indexes are built the first time Synapse starts; admins can - # manually trigger a rebuild via API following the instructions at - # https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run - # - # Uncomment to return search results containing all known users, even if that - # user does not share a room with the requester. 
- # - search_all_users: true + search_all_users: true -## Media retention ## -# - -# since https://github.com/matrix-org/synapse/releases/tag/v1.61.0 +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention media_retention: local_media_lifetime: {{ env "MEDIA_RETENTION_LOCAL_LIFETIME" }} remote_media_lifetime: {{ env "MEDIA_RETENTION_REMOTE_LIFETIME" }}
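Review bot: The `client_whitelist` entry `- https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}` under `sso:` has no trailing slash, and this commit deletes the comment that explained why that matters: whitelist entries are matched as URL prefixes, so an entry such as "https://my.client" also matches "https://my.client.evil.site", letting a lookalike host skip the post-SSO confirmation page. The line itself is unchanged, but with the warning gone the template should carry the safe form, `- https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}/`, or at least a one-line comment restating the prefix-match rule next to the entry. The `search_all_users` re-indentation is fine; both forms parse as a child of `user_directory`.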