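# NOTE(review): this file is a Go-template source (`env` / `secret` helpers)
# that renders to Synapse's homeserver.yaml. The template engine does not apply
# YAML quoting rules to substituted values, so review the rendered output too.
# NOTE(review): line breaks and indentation were restored from a collapsed
# copy; settings that followed a bare '#' separator line are treated as
# active. Verify against the deployed template.

## Modules ##

# Server admins can expand Synapse's functionality with external modules.
#
# See https://matrix-org.github.io/synapse/latest/modules.html for more
# documentation on how to configure or create custom modules for Synapse.
#
modules:
  # - module: my_super_module.MySuperClass
  #   config:
  #     do_thing: true
  # - module: my_other_super_module.SomeClass
  #   config: {}
  {{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }}
  - module: shared_secret_authenticator.SharedSecretAuthProvider
    config:
      # Quoted like the other secrets in this file, so that a value which
      # starts with a YAML indicator or consists only of digits is still
      # loaded as a string.
      # NOTE(review): presumably a holder of this secret can log in as any
      # local user through password login; treat it as admin-equivalent and
      # confirm against the module's documentation.
      shared_secret: "{{ secret "shared_secret_auth" }}"
      m_login_password_support_enabled: true
  {{ end }}


## Server ##

# The public-facing domain of the server
#
# The server_name name will appear at the end of usernames and room addresses
# created on this server. For example if the server_name was example.com,
# usernames on this server would be in the format @user:example.com
#
# In most cases you should avoid using a matrix specific subdomain such as
# matrix.example.com or synapse.example.com as the server_name for the same
# reasons you wouldn't use user@email.example.com as your email address.
# See https://matrix-org.github.io/synapse/latest/delegate.html
# for information on how to host Synapse on a subdomain while preserving
# a clean server_name.
#
# The server_name cannot be changed later so it is important to
# configure this correctly before you start Synapse. It should be all
# lowercase and may contain an explicit port.
# Examples: matrix.org, localhost:8080
#
server_name: {{ env "DOMAIN" }}

# The public-facing base URL that clients use to access this Homeserver (not
# including _matrix/...). This is the same URL a user might enter into the
# 'Custom Homeserver URL' field on their client. If you use Synapse with a
# reverse proxy, this should be the URL to reach Synapse via the proxy.
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
# 'listeners' below).
#
# Defaults to 'https://<server_name>/'.
#
public_baseurl: https://{{ env "DOMAIN" }}/

# Uncomment the following to tell other servers to send federation traffic on
# port 443.
#
# By default, other servers will try to reach our server on port 8448, which can
# be inconvenient in some environments.
#
# Provided 'https://<server_name>' on port 443 is routed to Synapse, this
# option configures Synapse to serve a file at
# 'https://<server_name>/.well-known/matrix/server'. This will tell other
# servers to send traffic to port 443 instead.
#
# See https://matrix-org.github.io/synapse/latest/delegate.html for more
# information.
#
# Defaults to 'false'.
#
serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}

# If set to 'true', removes the need for authentication to access the server's
# public rooms directory through the client API, meaning that anyone can
# query the room directory. Defaults to 'false'.
#
allow_public_rooms_without_auth: false

# If set to 'true', allows any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'false'.
#
allow_public_rooms_over_federation: false

listeners:
  # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
  # that unwraps TLS.
  #
  # If you plan to use a reverse proxy, please see
  # https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
  #
  # With 'x_forwarded: true' the client address is taken from the
  # X-Forwarded-For header, so this plain-HTTP port should be reachable only
  # from the reverse proxy and never published directly.
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    {{ if eq (env "DISABLE_FEDERATION") "1" }}
    resources:
      {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
      - names: [client, openid]
        compress: true
      {{ else }}
      - names: [client]
        compress: true
      {{ end }}
    {{ else }}
    resources:
      {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
      - names: [client, openid, federation]
        compress: true
      {{ else }}
      - names: [client, federation]
        compress: true
      {{ end }}
    {{ end }}


## Homeserver blocking ##

# How to reach the server admin, used in ResourceLimitError
#
admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}'

# Resource-constrained homeserver settings
#
# When this is enabled, the room "complexity" will be checked before a user
# joins a new remote room. If it is above the complexity limit, the server will
# disallow joining, or will instantly leave.
#
# Room complexity is an arbitrary measure based on factors such as the number of
# users in the room.
#
limit_remote_rooms:
  # Uncomment to enable room complexity checking.
  #
  enabled: true

  # the limit above which rooms cannot be joined. The default is 1.0.
  #
  complexity: 200.0

# The largest allowed file size for a user avatar. Defaults to no restriction.
# Note that user avatar changes will not work if this is set without
# using Synapse's media repository.
#
max_avatar_size: 10M

# How long to keep redacted events in unredacted form in the database. After
# this period redacted events get replaced with their redacted form in the DB.
#
# Defaults to `7d`. Set to `null` to disable.
#
redaction_retention_period: {{ env "REDACTION_RETENTION_PERIOD" }}

# How long to track users' last seen time and IPs in the database.
#
# Defaults to `28d`. Set to `null` to disable clearing out of old rows.
#
user_ips_max_age: {{ env "USER_IPS_MAX_AGE" }}

# Message retention policy at the server level.
#
# Room admins and mods can define a retention period for their rooms using the
# 'm.room.retention' state event, and server admins can cap this period by setting
# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options.
#
# If this feature is enabled, Synapse will regularly look for and purge events
# which are older than the room's maximum retention period. Synapse will also
# filter events received over federation so that events that should have been
# purged are ignored and not stored again.
#
retention:
  # The message retention policies feature is disabled by default. Uncomment the
  # following line to enable it.
  #
  enabled: true

  # Default retention policy. If set, Synapse will apply it to rooms that lack the
  # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't
  # matter much because Synapse doesn't take it into account yet.
  #
  default_policy:
    min_lifetime: 1d
    max_lifetime: {{ env "RETENTION_MAX_LIFETIME" }}

  # Retention policy limits. If set, and the state of a room contains a
  # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
  # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
  # to these limits when running purge jobs.
  #
  allowed_lifetime_min: 1d
  allowed_lifetime_max: {{ env "ALLOWED_LIFETIME_MAX" }}

  # Server admins can define the settings of the background jobs purging the
  # events whose lifetime has expired under the 'purge_jobs' section.
  #
  # If no configuration is provided, a single job will be set up to delete expired
  # events in every room daily.
  #
  # Each job's configuration defines which range of message lifetimes the job
  # takes care of. For example, if 'shortest_max_lifetime' is '2d' and
  # 'longest_max_lifetime' is '3d', the job will handle purging expired events in
  # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and
  # lower than or equal to 3 days. Both the minimum and the maximum value of a
  # range are optional, e.g. a job with no 'shortest_max_lifetime' and a
  # 'longest_max_lifetime' of '3d' will handle every room with a retention policy
  # whose 'max_lifetime' is lower than or equal to three days.
  #
  # The rationale for this per-job configuration is that some rooms might have a
  # retention policy with a low 'max_lifetime', where history needs to be purged
  # of outdated messages on a more frequent basis than for the rest of the rooms
  # (e.g. every 12h), but not want that purge to be performed by a job that's
  # iterating over every room it knows, which could be heavy on the server.
  #
  # If any purge job is configured, it is strongly recommended to have at least
  # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
  # set, or one job without 'shortest_max_lifetime' and one job without
  # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
  # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
  # room's policy to these values is done after the policies are retrieved from
  # Synapse's database (which is done using the range specified in a purge job's
  # configuration).
  #
  purge_jobs:
    - longest_max_lifetime: 3d
      interval: 12h
    - shortest_max_lifetime: 3d
      interval: 1d


## Federation ##

# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
#federation_domain_whitelist:
#  - lon.example.com
#  - nyc.example.com
#  - syd.example.com
{{ if eq (env "DISABLE_FEDERATION") "1" }}
federation_domain_whitelist: []
{{ else if eq (env "ENABLE_ALLOWLIST") "1" }}
federation_domain_whitelist: {{ env "FEDERATION_ALLOWLIST" }}
{{ end }}


## Database ##

# The 'database' setting defines the database that synapse uses to store all of
# its data.
#
# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
# 'psycopg2' (for PostgreSQL).
#
# 'txn_limit' gives the maximum number of transactions to run per connection
# before reconnecting. Defaults to 0, which means no limit.
#
# 'args' gives options which are passed through to the database engine,
# except for options starting 'cp_', which are used to configure the Twisted
# connection pool. For a reference to valid arguments, see:
#   * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
#   * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
#   * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
database:
  name: psycopg2
  txn_limit: 10000
  args:
    user: synapse
    password: "{{ secret "db_password" }}"
    database: synapse
    host: "{{ env "STACK_NAME" }}_db"
    port: 5432
    cp_min: 5
    cp_max: 10
    keepalives_idle: 10
    keepalives_interval: 10
    keepalives_count: 3


## Logging ##

# A yaml python logging config file as described by
# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
#
log_config: "/data/log.config"


## Media Store ##

# Enable the media store service in the Synapse master. Uncomment the
# following if you are using a separate media store worker.
#
#enable_media_repo: false

# Directory where uploaded images and attachments are stored.
#
media_store_path: "/data/media_store"

# The largest allowed upload size in bytes
#
# If you are using a reverse proxy you may also need to set this value in
# your reverse proxy's config. Notably Nginx has a small max body size by default.
# See https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
#
max_upload_size: 50M

{{ if eq (env "TURN_ENABLED") "1" }}
## TURN ##

# The public URIs of the TURN server to give to clients
#
turn_uris: {{ env "TURN_URIS" }}

# The shared secret used to compute passwords for the TURN server
#
turn_shared_secret: "{{ secret "turn_shared_secret" }}"

# How long generated TURN credentials last
#
turn_user_lifetime: 1h

# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
#
turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
{{ end }}


## Registration ##
#
# Registration can be rate-limited using the parameters in the "Ratelimiting"
# section of this file.

# Enable registration for new users.
#
enable_registration: {{ env "ENABLE_REGISTRATION" }}

# Enable 3PIDs lookup requests to identity servers from this server.
#
enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}

# If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled.
#
# Quoted like the other secrets in this file, so that a value which starts
# with a YAML indicator or consists only of digits is still loaded as a string.
registration_shared_secret: "{{ secret "registration_shared_secret" }}"

# Users who register on this homeserver will automatically be joined
# to these rooms.
#
# By default, any room aliases included in this list will be created
# as a publicly joinable room when the first user registers for the
# homeserver. This behaviour can be customised with the settings below.
# If the room already exists, make certain it is a publicly joinable
# room. The join rule of the room must be set to 'public'.
#
{{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }}
auto_join_rooms:
  - "{{ env "AUTO_JOIN_ROOM" }}"
{{ end }}


## Metrics ###

# Whether or not to report anonymized homeserver usage statistics.
#
report_stats: false


## API Configuration ##

# A list of application service config files to use
#
{{ if eq (env "APP_SERVICES_ENABLED") "1" }}
app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }}
{{ end }}

# a secret which is used to sign access tokens. If none is specified,
# the registration_shared_secret is used, if one is given; otherwise,
# a secret key is derived from the signing key.
#
macaroon_secret_key: "{{ secret "macaroon_secret_key" }}"

# a secret which is used to calculate HMACs for form values, to stop
# falsification of values. Must be specified for the User Consent
# forms to work.
#
form_secret: "{{ secret "form_secret" }}"


## Signing Keys ##

# Path to the signing key to sign messages with
#
signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"

# The trusted servers to download signing keys from.
#
# When we need to fetch a signing key, each server is tried in parallel.
#
# Normally, the connection to the key server is validated via TLS certificates.
# Additional security can be provided by configuring a `verify key`, which
# will make synapse check that the response is signed by that key.
#
# This setting supersedes an older setting named `perspectives`. The old format
# is still supported for backwards-compatibility, but it is deprecated.
#
# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
# warning on start-up. To suppress this warning, set
# 'suppress_key_server_warning' to true.
#
# Options for each entry in the list include:
#
#    server_name: the name of the server. required.
#
#    verify_keys: an optional map from key id to base64-encoded public key.
#       If specified, we will check that the response is signed by at least
#       one of the given keys.
#
#    accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
#       and federation_verify_certificates is not `true`, synapse will refuse
#       to start, because this would allow anyone who can spoof DNS responses
#       to masquerade as the trusted key server. If you know what you are doing
#       and are sure that your network environment provides a secure connection
#       to the key server, you can set this to `true` to override this
#       behaviour.
#
# An example configuration might look like:
#
#trusted_key_servers:
#  - server_name: "my_trusted_server.example.com"
#    verify_keys:
#      "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
#  - server_name: "my_other_trusted_server.example.com"
#
# No 'verify_keys' are pinned for the entry below, so key-server responses are
# validated by the TLS connection only (see 'verify_keys' above).
trusted_key_servers:
  - server_name: "matrix.org"


## Single sign-on integration ##

# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
# and login.
#
# Options for each entry include:
#
#   idp_id: a unique identifier for this identity provider. Used internally
#       by Synapse; should be a single word such as 'github'.
#
#       Note that, if this is changed, users authenticating via that provider
#       will no longer be recognised as the same user!
#
#       (Use "oidc" here if you are migrating from an old "oidc_config"
#       configuration.)
#
#   idp_name: A user-facing name for this identity provider, which is used to
#       offer the user a choice of login mechanisms.
#
#   idp_icon: An optional icon for this identity provider, which is presented
#       by clients and Synapse's own IdP picker page. If given, must be an
#       MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
#       obtain such an MXC URI is to upload an image to an (unencrypted) room
#       and then copy the "url" from the source of the event.)
#
#   idp_brand: An optional brand for this identity provider, allowing clients
#       to style the login flow according to the identity provider in question.
#       See the spec for possible options here.
#
#   discover: set to 'false' to disable the use of the OIDC discovery mechanism
#       to discover endpoints. Defaults to true.
#
#   issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
#       is enabled) to discover the provider's endpoints.
#
#   client_id: Required. oauth2 client id to use.
#
#   client_secret: oauth2 client secret to use. May be omitted if
#        client_secret_jwt_key is given, or if client_auth_method is 'none'.
#
#   client_secret_jwt_key: Alternative to client_secret: details of a key used
#      to create a JSON Web Token to be used as an OAuth2 client secret. If
#      given, must be a dictionary with the following properties:
#
#          key: a pem-encoded signing key. Must be a suitable key for the
#              algorithm specified. Required unless 'key_file' is given.
#
#          key_file: the path to file containing a pem-encoded signing key file.
#              Required unless 'key' is given.
#
#          jwt_header: a dictionary giving properties to include in the JWT
#              header. Must include the key 'alg', giving the algorithm used to
#              sign the JWT, such as "ES256", using the JWA identifiers in
#              RFC7518.
#
#          jwt_payload: an optional dictionary giving properties to include in
#              the JWT payload. Normally this should include an 'iss' key.
#
#   client_auth_method: auth method to use when exchanging the token. Valid
#       values are 'client_secret_basic' (default), 'client_secret_post' and
#       'none'.
#
#   scopes: list of scopes to request. This should normally include the "openid"
#       scope. Defaults to ["openid"].
#
#   authorization_endpoint: the oauth2 authorization endpoint. Required if
#       provider discovery is disabled.
#
#   token_endpoint: the oauth2 token endpoint. Required if provider discovery is
#       disabled.
#
#   userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
#       disabled and the 'openid' scope is not requested.
#
#   jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
#       the 'openid' scope is used.
#
#   skip_verification: set to 'true' to skip metadata verification. Use this if
#       you are connecting to a provider that is not OpenID Connect compliant.
#       Defaults to false. Avoid this in production.
#
#   user_profile_method: Whether to fetch the user profile from the userinfo
#       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
#
#       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
#       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
#       userinfo endpoint.
#
#   allow_existing_users: set to 'true' to allow a user logging in via OIDC to
#       match a pre-existing account instead of failing. This could be used if
#       switching from password logins to OIDC. Defaults to false.
#
#   user_mapping_provider: Configuration for how attributes returned from a OIDC
#       provider are mapped onto a matrix user. This setting has the following
#       sub-properties:
#
#       module: The class name of a custom mapping module. Default is
#           'synapse.handlers.oidc.JinjaOidcMappingProvider'.
#           See https://matrix-org.github.io/synapse/latest/sso_mapping_providers.html#openid-mapping-providers
#           for information on implementing a custom mapping provider.
#
#       config: Configuration for the mapping provider module. This section will
#           be passed as a Python dictionary to the user mapping provider
#           module's `parse_config` method.
#
#           For the default provider, the following settings are available:
#
#             subject_claim: name of the claim containing a unique identifier
#                 for the user. Defaults to 'sub', which OpenID Connect
#                 compliant providers should provide.
#
#             localpart_template: Jinja2 template for the localpart of the MXID.
#                 If this is not set, the user will be prompted to choose their
#                 own username (see 'sso_auth_account_details.html' in the 'sso'
#                 section of this file).
#
#             display_name_template: Jinja2 template for the display name to set
#                 on first login. If unset, no displayname will be set.
#
#             email_template: Jinja2 template for the email address of the user.
#                 If unset, no email address will be added to the account.
#
#             extra_attributes: a map of Jinja2 templates for extra attributes
#                 to send back to the client during login.
#                 Note that these are non-standard and clients will ignore them
#                 without modifications.
#
#           When rendering, the Jinja2 templates are given a 'user' variable,
#           which is set to the claims returned by the UserInfo Endpoint and/or
#           in the ID Token.
#
# It is possible to configure Synapse to only allow logins if certain attributes
# match particular values in the OIDC userinfo. The requirements can be listed under
# `attribute_requirements` as shown below. All of the listed attributes must
# match for the login to be permitted. Additional attributes can be added to
# userinfo by expanding the `scopes` section of the OIDC config to retrieve
# additional information from the OIDC provider.
#
# If the OIDC claim is a list, then the attribute must match any value in the list.
# Otherwise, it must exactly match the value of the claim. Using the example
# below, the `family_name` claim MUST be "Stephensson", but the `groups`
# claim MUST contain "admin".
#
#   attribute_requirements:
#     - attribute: family_name
#       value: "Stephensson"
#     - attribute: groups
#       value: "admin"
#
# See https://matrix-org.github.io/synapse/latest/openid.html
# for information on how to configure these options.
#
# For backwards compatibility, it is also possible to configure a single OIDC
# provider via an 'oidc_config' setting. This is now deprecated and admins are
# advised to migrate to the 'oidc_providers' format. (When doing that migration,
# use 'oidc' for the idp_id to ensure that existing users continue to be
# recognised.)
#
oidc_providers:
  {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
  - idp_id: {{ env "KEYCLOAK_ID" }}
    idp_name: {{ env "KEYCLOAK_NAME" }}
    issuer: "{{ env "KEYCLOAK_URL" }}"
    client_id: "{{ env "KEYCLOAK_CLIENT_ID" }}"
    client_secret: "{{ secret "keycloak_client_secret" }}"
    scopes: ["openid", "profile"]
    # When 'true', an OIDC login may be matched to a pre-existing local account
    # (see 'allow_existing_users' above).
    # NOTE(review): presumably the match is on the mapped localpart, so enable
    # this only for an identity provider whose usernames you control; confirm.
    allow_existing_users: {{ env "KEYCLOAK_ALLOW_EXISTING_USERS" }}
    user_mapping_provider:
      config:
        # The outer Go-template action emits the inner Jinja2 expression
        # literally, so Synapse receives it as a Jinja2 template.
        localpart_template: "{{ "{{ user.preferred_username }}" }}"
        display_name_template: "{{ "{{ user.name }}" }}"
  {{ end }}
  {{ if eq (env "KEYCLOAK2_ENABLED") "1" }}
  - idp_id: keycloak2
    idp_name: {{ env "KEYCLOAK2_NAME" }}
    issuer: "{{ env "KEYCLOAK2_URL" }}"
    client_id: "{{ env "KEYCLOAK2_CLIENT_ID" }}"
    client_secret: "{{ secret "keycloak2_client_secret" }}"
    scopes: ["openid", "profile"]
    user_mapping_provider:
      config:
        localpart_template: "{{ "{{ user.preferred_username }}" }}"
        display_name_template: "{{ "{{ user.name }}" }}"
  {{ end }}
  {{ if eq (env "KEYCLOAK3_ENABLED") "1" }}
  - idp_id: keycloak3
    idp_name: {{ env "KEYCLOAK3_NAME" }}
    issuer: "{{ env "KEYCLOAK3_URL" }}"
    client_id: "{{ env "KEYCLOAK3_CLIENT_ID" }}"
    client_secret: "{{ secret "keycloak3_client_secret" }}"
    scopes: ["openid", "profile"]
    user_mapping_provider:
      config:
        localpart_template: "{{ "{{ user.preferred_username }}" }}"
        display_name_template: "{{ "{{ user.name }}" }}"
  {{ end }}

# Additional settings to use with single-sign on systems such as OpenID Connect,
# SAML2 and CAS.
#
# Server admins can configure custom templates for pages related to SSO. See
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
#
sso:
  # A list of client URLs which are whitelisted so that the user does not
  # have to confirm giving access to their account to the URL. Any client
  # whose URL starts with an entry in the following list will not be subject
  # to an additional confirmation step after the SSO login is completed.
  #
  # WARNING: An entry such as "https://my.client" is insecure, because it
  # will also match "https://my.client.evil.site", exposing your users to
  # phishing attacks from evil.site. To avoid this, include a slash after the
  # hostname: "https://my.client/".
  #
  # The login fallback page (used by clients that don't natively support the
  # required login flows) is whitelisted in addition to any URLs in this list.
  #
  # By default, this list contains only the login fallback page.
  #
  #client_whitelist:
  #  - https://riot.im/develop
  #  - https://my.custom.client/
  {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
  # The entry ends with a slash so that the prefix match described in the
  # WARNING above cannot be satisfied by a longer hostname.
  # NOTE(review): assumes KEYCLOAK_CLIENT_DOMAIN is a bare hostname without a
  # path or trailing slash; confirm.
  client_whitelist:
    - "https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}/"
  {{ end }}

password_config:
  # Uncomment to disable password login
  #
  enabled: {{ env "PASSWORD_LOGIN_ENABLED" }}

# Configuration for sending emails from Synapse.
#
# Server admins can configure custom templates for email content. See
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
#
email:
  {{ if eq (env "SMTP_ENABLED") "1" }}
  # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
  #
  smtp_host: {{ env "SMTP_HOST" }}

  # The port on the mail server for outgoing SMTP. Defaults to 25.
  #
  smtp_port: {{ env "SMTP_PORT" }}

  # Username/password for authentication to the SMTP server. By default, no
  # authentication is attempted.
  #
  smtp_user: {{ env "SMTP_USER" }}
  smtp_pass: "{{ secret "smtp_password" }}"

  # Uncomment the following to require TLS transport security for SMTP.
  # By default, Synapse will connect over plain text, and will then switch to
  # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
  # Synapse will refuse to connect unless the server supports STARTTLS.
  #
  require_transport_security: true

  # notif_from defines the "From" address to use when sending emails.
  # It must be set if email sending is enabled.
  #
  # The placeholder '%(app)s' will be replaced by the application name,
  # which is normally 'app_name' (below), but may be overridden by the
  # Matrix client application.
  #
  # Note that the placeholder must be written '%(app)s', including the
  # trailing 's'.
  #
  notif_from: Your Friendly %(app)s homeserver <{{ env "SMTP_FROM" }}>

  # app_name defines the default value for '%(app)s' in notif_from and email
  # subjects. It defaults to 'Matrix'.
  #
  app_name: {{ env "SMTP_APP_NAME" }}

  # Uncomment the following to enable sending emails for messages that the user
  # has missed. Disabled by default.
  #
  enable_notifs: true

  # Custom URL for client links within the email notifications. By default
  # links will be based on "https://matrix.to".
  #
  # (This setting used to be called riot_base_url; the old name is still
  # supported for backwards-compatibility but is now deprecated.)
  #
  client_base_url: https://{{ env "DOMAIN" }}
  {{ end }}


## Rooms ##

# Controls whether locally-created rooms should be end-to-end encrypted by
# default.
#
# Possible options are "all", "invite", and "off". They are defined as:
#
# * "all": any locally-created room
# * "invite": any room created with the "private_chat" or "trusted_private_chat"
#             room creation presets
# * "off": this option will take no effect
#
# The default value is "off".
#
# Note that this option will only affect rooms created after it is set. It
# will also not affect rooms created by other servers.
#
encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}

# User Directory configuration
#
user_directory:
  # Defines whether to search all users visible to your HS when searching
  # the user directory. If false, search results will only contain users
  # visible in public rooms and users sharing a room with the requester.
  # Defaults to false.
  #
  # NB. If you set this to true, and the last time the user_directory search
  # indexes were (re)built was before Synapse 1.44, you'll have to
  # rebuild the indexes in order to search through all known users.
  # These indexes are built the first time Synapse starts; admins can
  # manually trigger a rebuild via API following the instructions at
  #     https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run
  #
  # Uncomment to return search results containing all known users, even if that
  # user does not share a room with the requester.
  #
  search_all_users: true


## Media retention ##
#
# since https://github.com/matrix-org/synapse/releases/tag/v1.61.0
media_retention:
  local_media_lifetime: {{ env "MEDIA_RETENTION_LOCAL_LIFETIME" }}
  remote_media_lifetime: {{ env "MEDIA_RETENTION_REMOTE_LIFETIME" }}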