diff --git a/.env.sample b/.env.sample
index d090ff1..3887ec5 100644
--- a/.env.sample
+++ b/.env.sample
@@ -48,6 +48,9 @@ ENCRYPTED_BY_DEFAULT=all
 #ENABLE_ALLOWLIST=1
 #FEDERATION_ALLOWLIST="[]"
 
+# Set these to keyservers you trust - usually the same as your federation allowlist
+#TRUSTED_KEYSERVERS="trusted_key_servers:\n  - server_name: 'example.com'\n  - server_name: 'example2.com'"
+
 ## Retention
 
 ALLOWED_LIFETIME_MAX=4w
diff --git a/abra.sh b/abra.sh
index c1c8395..91bf8a1 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,6 +1,6 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
 export ENTRYPOINT_CONF_VERSION=v1
-export HOMESERVER_YAML_VERSION=v19
+export HOMESERVER_YAML_VERSION=v21
 export LOG_CONFIG_VERSION=v2
 export SHARED_SECRET_AUTH_VERSION=v1
 export SIGNAL_BRIDGE_YAML_VERSION=v4
diff --git a/homeserver.yaml.tmpl b/homeserver.yaml.tmpl
index 1f4ec83..522f643 100644
--- a/homeserver.yaml.tmpl
+++ b/homeserver.yaml.tmpl
@@ -427,8 +427,12 @@ signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"
 #      "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
 #  - server_name: "my_other_trusted_server.example.com"
 #
+{{ if eq (env "ENABLE_ALLOWLIST") "1" }}
+{{ env "TRUSTED_KEYSERVERS" }}
+{{ else }}
 trusted_key_servers:
   - server_name: "matrix.org"
+{{ end }}
 
 ## Single sign-on integration ##