1 # vim:ft=yaml |
1 # Configuration file for Synapse. |
2 # PEM encoded X509 certificate for TLS. |
2 # |
3 # You can replace the self-signed certificate that synapse |
3 # This is a YAML file: see [1] for a quick introduction. Note in particular |
4 # autogenerates on launch with your own SSL certificate + key pair |
4 # that *indentation is important*: all the elements of a list or dictionary |
5 # if you like. Any required intermediary certificates can be |
5 # should have the same indentation. |
6 # appended after the primary certificate in hierarchical order. |
6 # |
7 tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" |
7 # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html |
8 |
8 |
9 # PEM encoded private key for TLS |
9 ## Server ## |
10 tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" |
10 |
11 |
11 # The domain name of the server, with optional explicit port. |
12 # PEM dh parameters for ephemeral keys |
12 # This is used by remote servers to connect to this server, |
13 tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" |
13 # e.g. matrix.org, localhost:8080, etc. |
14 |
14 # This is also the last part of your UserID. |
15 # Don't bind to the https port |
15 # |
16 no_tls: True |
16 server_name: "{{nginx_server_name}}" |
|
17 |
|
18 # When running as a daemon, the file to store the pid in |
|
19 # |
|
20 pid_file: "/var/run/matrix-synapse.pid" |
|
21 |
|
22 # The absolute URL to the web client which /_matrix/client will redirect |
|
23 # to if 'webclient' is configured under the 'listeners' configuration. |
|
24 # |
|
25 # This option can be also set to the filesystem path to the web client |
|
26 # which will be served at /_matrix/client/ if 'webclient' is configured |
|
27 # under the 'listeners' configuration, however this is a security risk: |
|
28 # https://github.com/matrix-org/synapse#security-note |
|
29 # |
|
30 #web_client_location: https://riot.example.com/ |
|
31 |
|
32 # The public-facing base URL that clients use to access this HS |
|
33 # (not including _matrix/...). This is the same URL a user would |
|
34 # enter into the 'custom HS URL' field on their client. If you |
|
35 # use synapse with a reverse proxy, this should be the URL to reach |
|
36 # synapse via the proxy. |
|
37 # |
|
38 #public_baseurl: https://example.com/ |
|
39 |
|
40 # Set the soft limit on the number of file descriptors synapse can use |
|
41 # Zero is used to indicate synapse should set the soft limit to the |
|
42 # hard limit. |
|
43 # |
|
44 #soft_file_limit: 0 |
|
45 |
|
46 # Set to false to disable presence tracking on this homeserver. |
|
47 # |
|
48 #use_presence: false |
|
49 |
|
50 # Whether to require authentication to retrieve profile data (avatars, |
|
51 # display names) of other users through the client API. Defaults to |
|
52 # 'false'. Note that profile data is also available via the federation |
|
53 # API, so this setting is of limited value if federation is enabled on |
|
54 # the server. |
|
55 # |
|
56 #require_auth_for_profile_requests: true |
|
57 |
|
58 # Uncomment to require a user to share a room with another user in order |
|
59 # to retrieve their profile information. Only checked on Client-Server |
|
60 # requests. Profile requests from other servers should be checked by the |
|
61 # requesting server. Defaults to 'false'. |
|
62 # |
|
63 #limit_profile_requests_to_users_who_share_rooms: true |
|
64 |
|
65 # If set to 'true', removes the need for authentication to access the server's |
|
66 # public rooms directory through the client API, meaning that anyone can |
|
67 # query the room directory. Defaults to 'false'. |
|
68 # |
|
69 #allow_public_rooms_without_auth: true |
|
70 |
|
71 # If set to 'true', allows any other homeserver to fetch the server's public |
|
72 # rooms directory via federation. Defaults to 'false'. |
|
73 # |
|
74 #allow_public_rooms_over_federation: true |
|
75 |
|
76 # The default room version for newly created rooms. |
|
77 # |
|
78 # Known room versions are listed here: |
|
79 # https://matrix.org/docs/spec/#complete-list-of-room-versions |
|
80 # |
|
81 # For example, for room version 1, default_room_version should be set |
|
82 # to "1". |
|
83 # |
|
84 #default_room_version: "5" |
|
85 |
|
86 # The GC threshold parameters to pass to `gc.set_threshold`, if defined |
|
87 # |
|
88 #gc_thresholds: [700, 10, 10] |
|
89 |
|
90 # Set the limit on the returned events in the timeline in the get |
|
91 # and sync operations. The default value is -1, means no upper limit. |
|
92 # |
|
93 #filter_timeline_limit: 5000 |
|
94 |
|
95 # Whether room invites to users on this server should be blocked |
|
96 # (except those sent by local server admins). The default is False. |
|
97 # |
|
98 #block_non_admin_invites: true |
|
99 |
|
100 # Room searching |
|
101 # |
|
102 # If disabled, new messages will not be indexed for searching and users |
|
103 # will receive errors when searching for messages. Defaults to enabled. |
|
104 # |
|
105 #enable_search: false |
|
106 |
|
107 # Restrict federation to the following whitelist of domains. |
|
108 # N.B. we recommend also firewalling your federation listener to limit |
|
109 # inbound federation traffic as early as possible, rather than relying |
|
110 # purely on this application-layer restriction. If not specified, the |
|
111 # default is to whitelist everything. |
|
112 # |
|
113 #federation_domain_whitelist: |
|
114 # - lon.example.com |
|
115 # - nyc.example.com |
|
116 # - syd.example.com |
|
117 |
|
118 # Prevent federation requests from being sent to the following |
|
119 # blacklist IP address CIDR ranges. If this option is not specified, or |
|
120 # specified with an empty list, no ip range blacklist will be enforced. |
|
121 # |
|
122 # As of Synapse v1.4.0 this option also affects any outbound requests to identity |
|
123 # servers provided by user input. |
|
124 # |
|
125 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly |
|
126 # listed here, since they correspond to unroutable addresses.) |
|
127 # |
|
128 federation_ip_range_blacklist: |
|
129 - '127.0.0.0/8' |
|
130 - '10.0.0.0/8' |
|
131 - '172.16.0.0/12' |
|
132 - '192.168.0.0/16' |
|
133 - '100.64.0.0/10' |
|
134 - '169.254.0.0/16' |
|
135 - '::1/128' |
|
136 - 'fe80::/64' |
|
137 - 'fc00::/7' |
|
138 |
|
139 # List of ports that Synapse should listen on, their purpose and their |
|
140 # configuration. |
|
141 # |
|
142 # Options for each listener include: |
|
143 # |
|
144 # port: the TCP port to bind to |
|
145 # |
|
146 # bind_addresses: a list of local addresses to listen on. The default is |
|
147 # 'all local interfaces'. |
|
148 # |
|
149 # type: the type of listener. Normally 'http', but other valid options are: |
|
150 # 'manhole' (see docs/manhole.md), |
|
151 # 'metrics' (see docs/metrics-howto.md), |
|
152 # 'replication' (see docs/workers.md). |
|
153 # |
|
154 # tls: set to true to enable TLS for this listener. Will use the TLS |
|
155 # key/cert specified in tls_private_key_path / tls_certificate_path. |
|
156 # |
|
157 # x_forwarded: Only valid for an 'http' listener. Set to true to use the |
|
158 # X-Forwarded-For header as the client IP. Useful when Synapse is |
|
159 # behind a reverse-proxy. |
|
160 # |
|
161 # resources: Only valid for an 'http' listener. A list of resources to host |
|
162 # on this port. Options for each resource are: |
|
163 # |
|
164 # names: a list of names of HTTP resources. See below for a list of |
|
165 # valid resource names. |
|
166 # |
|
167 # compress: set to true to enable HTTP comression for this resource. |
|
168 # |
|
169 # additional_resources: Only valid for an 'http' listener. A map of |
|
170 # additional endpoints which should be loaded via dynamic modules. |
|
171 # |
|
172 # Valid resource names are: |
|
173 # |
|
174 # client: the client-server API (/_matrix/client), and the synapse admin |
|
175 # API (/_synapse/admin). Also implies 'media' and 'static'. |
|
176 # |
|
177 # consent: user consent forms (/_matrix/consent). See |
|
178 # docs/consent_tracking.md. |
|
179 # |
|
180 # federation: the server-server API (/_matrix/federation). Also implies |
|
181 # 'media', 'keys', 'openid' |
|
182 # |
|
183 # keys: the key discovery API (/_matrix/keys). |
|
184 # |
|
185 # media: the media API (/_matrix/media). |
|
186 # |
|
187 # metrics: the metrics interface. See docs/metrics-howto.md. |
|
188 # |
|
189 # openid: OpenID authentication. |
|
190 # |
|
191 # replication: the HTTP replication API (/_synapse/replication). See |
|
192 # docs/workers.md. |
|
193 # |
|
194 # static: static resources under synapse/static (/_matrix/static). (Mostly |
|
195 # useful for 'fallback authentication'.) |
|
196 # |
|
197 # webclient: A web client. Requires web_client_location to be set. |
|
198 # |
|
199 listeners: |
|
200 # TLS-enabled listener: for when matrix traffic is sent directly to synapse. |
|
201 # |
|
202 # Disabled by default. To enable it, uncomment the following. (Note that you |
|
203 # will also need to give Synapse a TLS key and certificate: see the TLS section |
|
204 # below.) |
|
205 # |
|
206 #- port: 8448 |
|
207 # type: http |
|
208 # tls: true |
|
209 # resources: |
|
210 # - names: [client, federation] |
|
211 |
|
212 # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy |
|
213 # that unwraps TLS. |
|
214 # |
|
215 # If you plan to use a reverse proxy, please see |
|
216 # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. |
|
217 # |
|
218 - port: 8008 |
|
219 tls: false |
|
220 type: http |
|
221 x_forwarded: true |
|
222 bind_addresses: ['::1', '127.0.0.1'] |
|
223 |
|
224 resources: |
|
225 - names: [client, federation] |
|
226 compress: false |
|
227 |
|
228 # example additional_resources: |
|
229 # |
|
230 #additional_resources: |
|
231 # "/_matrix/my/custom/endpoint": |
|
232 # module: my_module.CustomRequestHandler |
|
233 # config: {} |
|
234 |
|
235 # Turn on the twisted ssh manhole service on localhost on the given |
|
236 # port. |
|
237 # |
|
238 #- port: 9000 |
|
239 # bind_addresses: ['::1', '127.0.0.1'] |
|
240 # type: manhole |
|
241 |
|
242 # Forward extremities can build up in a room due to networking delays between |
|
243 # homeservers. Once this happens in a large room, calculation of the state of |
|
244 # that room can become quite expensive. To mitigate this, once the number of |
|
245 # forward extremities reaches a given threshold, Synapse will send an |
|
246 # org.matrix.dummy_event event, which will reduce the forward extremities |
|
247 # in the room. |
|
248 # |
|
249 # This setting defines the threshold (i.e. number of forward extremities in the |
|
250 # room) at which dummy events are sent. The default value is 10. |
|
251 # |
|
252 #dummy_events_threshold: 5 |
|
253 |
|
254 |
|
255 ## Homeserver blocking ## |
|
256 |
|
257 # How to reach the server admin, used in ResourceLimitError |
|
258 # |
|
259 #admin_contact: 'mailto:[email protected]' |
|
260 |
|
261 # Global blocking |
|
262 # |
|
263 #hs_disabled: false |
|
264 #hs_disabled_message: 'Human readable reason for why the HS is blocked' |
|
265 |
|
266 # Monthly Active User Blocking |
|
267 # |
|
268 # Used in cases where the admin or server owner wants to limit to the |
|
269 # number of monthly active users. |
|
270 # |
|
271 # 'limit_usage_by_mau' disables/enables monthly active user blocking. When |
|
272 # anabled and a limit is reached the server returns a 'ResourceLimitError' |
|
273 # with error type Codes.RESOURCE_LIMIT_EXCEEDED |
|
274 # |
|
275 # 'max_mau_value' is the hard limit of monthly active users above which |
|
276 # the server will start blocking user actions. |
|
277 # |
|
278 # 'mau_trial_days' is a means to add a grace period for active users. It |
|
279 # means that users must be active for this number of days before they |
|
280 # can be considered active and guards against the case where lots of users |
|
281 # sign up in a short space of time never to return after their initial |
|
282 # session. |
|
283 # |
|
284 # 'mau_limit_alerting' is a means of limiting client side alerting |
|
285 # should the mau limit be reached. This is useful for small instances |
|
286 # where the admin has 5 mau seats (say) for 5 specific people and no |
|
287 # interest increasing the mau limit further. Defaults to True, which |
|
288 # means that alerting is enabled |
|
289 # |
|
290 #limit_usage_by_mau: false |
|
291 #max_mau_value: 50 |
|
292 #mau_trial_days: 2 |
|
293 #mau_limit_alerting: false |
|
294 |
|
295 # If enabled, the metrics for the number of monthly active users will |
|
296 # be populated, however no one will be limited. If limit_usage_by_mau |
|
297 # is true, this is implied to be true. |
|
298 # |
|
299 #mau_stats_only: false |
|
300 |
|
301 # Sometimes the server admin will want to ensure certain accounts are |
|
302 # never blocked by mau checking. These accounts are specified here. |
|
303 # |
|
304 #mau_limit_reserved_threepids: |
|
305 # - medium: 'email' |
|
306 # address: '[email protected]' |
|
307 |
|
308 # Used by phonehome stats to group together related servers. |
|
309 #server_context: context |
|
310 |
|
311 # Resource-constrained homeserver Settings |
|
312 # |
|
313 # If limit_remote_rooms.enabled is True, the room complexity will be |
|
314 # checked before a user joins a new remote room. If it is above |
|
315 # limit_remote_rooms.complexity, it will disallow joining or |
|
316 # instantly leave. |
|
317 # |
|
318 # limit_remote_rooms.complexity_error can be set to customise the text |
|
319 # displayed to the user when a room above the complexity threshold has |
|
320 # its join cancelled. |
|
321 # |
|
322 # Uncomment the below lines to enable: |
|
323 #limit_remote_rooms: |
|
324 # enabled: true |
|
325 # complexity: 1.0 |
|
326 # complexity_error: "This room is too complex." |
|
327 |
|
328 # Whether to require a user to be in the room to add an alias to it. |
|
329 # Defaults to 'true'. |
|
330 # |
|
331 #require_membership_for_aliases: false |
|
332 |
|
333 # Whether to allow per-room membership profiles through the send of membership |
|
334 # events with profile information that differ from the target's global profile. |
|
335 # Defaults to 'true'. |
|
336 # |
|
337 #allow_per_room_profiles: false |
|
338 |
|
339 # How long to keep redacted events in unredacted form in the database. After |
|
340 # this period redacted events get replaced with their redacted form in the DB. |
|
341 # |
|
342 # Defaults to `7d`. Set to `null` to disable. |
|
343 # |
|
344 #redaction_retention_period: 28d |
|
345 |
|
346 # How long to track users' last seen time and IPs in the database. |
|
347 # |
|
348 # Defaults to `28d`. Set to `null` to disable clearing out of old rows. |
|
349 # |
|
350 #user_ips_max_age: 14d |
|
351 |
|
352 # Message retention policy at the server level. |
|
353 # |
|
354 # Room admins and mods can define a retention period for their rooms using the |
|
355 # 'm.room.retention' state event, and server admins can cap this period by setting |
|
356 # the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. |
|
357 # |
|
358 # If this feature is enabled, Synapse will regularly look for and purge events |
|
359 # which are older than the room's maximum retention period. Synapse will also |
|
360 # filter events received over federation so that events that should have been |
|
361 # purged are ignored and not stored again. |
|
362 # |
|
363 retention: |
|
364 # The message retention policies feature is disabled by default. Uncomment the |
|
365 # following line to enable it. |
|
366 # |
|
367 #enabled: true |
|
368 |
|
369 # Default retention policy. If set, Synapse will apply it to rooms that lack the |
|
370 # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't |
|
371 # matter much because Synapse doesn't take it into account yet. |
|
372 # |
|
373 #default_policy: |
|
374 # min_lifetime: 1d |
|
375 # max_lifetime: 1y |
|
376 |
|
377 # Retention policy limits. If set, a user won't be able to send a |
|
378 # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime' |
|
379 # that's not within this range. This is especially useful in closed federations, |
|
380 # in which server admins can make sure every federating server applies the same |
|
381 # rules. |
|
382 # |
|
383 #allowed_lifetime_min: 1d |
|
384 #allowed_lifetime_max: 1y |
|
385 |
|
386 # Server admins can define the settings of the background jobs purging the |
|
387 # events which lifetime has expired under the 'purge_jobs' section. |
|
388 # |
|
389 # If no configuration is provided, a single job will be set up to delete expired |
|
390 # events in every room daily. |
|
391 # |
|
392 # Each job's configuration defines which range of message lifetimes the job |
|
393 # takes care of. For example, if 'shortest_max_lifetime' is '2d' and |
|
394 # 'longest_max_lifetime' is '3d', the job will handle purging expired events in |
|
395 # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and |
|
396 # lower than or equal to 3 days. Both the minimum and the maximum value of a |
|
397 # range are optional, e.g. a job with no 'shortest_max_lifetime' and a |
|
398 # 'longest_max_lifetime' of '3d' will handle every room with a retention policy |
|
399 # which 'max_lifetime' is lower than or equal to three days. |
|
400 # |
|
401 # The rationale for this per-job configuration is that some rooms might have a |
|
402 # retention policy with a low 'max_lifetime', where history needs to be purged |
|
403 # of outdated messages on a more frequent basis than for the rest of the rooms |
|
404 # (e.g. every 12h), but not want that purge to be performed by a job that's |
|
405 # iterating over every room it knows, which could be heavy on the server. |
|
406 # |
|
407 #purge_jobs: |
|
408 # - shortest_max_lifetime: 1d |
|
409 # longest_max_lifetime: 3d |
|
410 # interval: 12h |
|
411 # - shortest_max_lifetime: 3d |
|
412 # longest_max_lifetime: 1y |
|
413 # interval: 1d |
|
414 |
|
415 # Inhibits the /requestToken endpoints from returning an error that might leak |
|
416 # information about whether an e-mail address is in use or not on this |
|
417 # homeserver. |
|
418 # Note that for some endpoints the error situation is the e-mail already being |
|
419 # used, and for others the error is entering the e-mail being unused. |
|
420 # If this option is enabled, instead of returning an error, these endpoints will |
|
421 # act as if no error happened and return a fake session ID ('sid') to clients. |
|
422 # |
|
423 #request_token_inhibit_3pid_errors: true |
|
424 |
|
425 |
|
426 ## TLS ## |
|
427 |
|
428 # PEM-encoded X509 certificate for TLS. |
|
429 # This certificate, as of Synapse 1.0, will need to be a valid and verifiable |
|
430 # certificate, signed by a recognised Certificate Authority. |
|
431 # |
|
432 # See 'ACME support' below to enable auto-provisioning this certificate via |
|
433 # Let's Encrypt. |
|
434 # |
|
435 # If supplying your own, be sure to use a `.pem` file that includes the |
|
436 # full certificate chain including any intermediate certificates (for |
|
437 # instance, if using certbot, use `fullchain.pem` as your certificate, |
|
438 # not `cert.pem`). |
|
439 # |
|
440 #tls_certificate_path: "/home/lhoersten/nth.io.tls.crt" |
|
441 |
|
442 # PEM-encoded private key for TLS |
|
443 # |
|
444 #tls_private_key_path: "/home/lhoersten/nth.io.tls.key" |
|
445 |
|
446 # Whether to verify TLS server certificates for outbound federation requests. |
|
447 # |
|
448 # Defaults to `true`. To disable certificate verification, uncomment the |
|
449 # following line. |
|
450 # |
|
451 #federation_verify_certificates: false |
|
452 |
|
453 # The minimum TLS version that will be used for outbound federation requests. |
|
454 # |
|
455 # Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note |
|
456 # that setting this value higher than `1.2` will prevent federation to most |
|
457 # of the public Matrix network: only configure it to `1.3` if you have an |
|
458 # entirely private federation setup and you can ensure TLS 1.3 support. |
|
459 # |
|
460 #federation_client_minimum_tls_version: 1.2 |
|
461 |
|
462 # Skip federation certificate verification on the following whitelist |
|
463 # of domains. |
|
464 # |
|
465 # This setting should only be used in very specific cases, such as |
|
466 # federation over Tor hidden services and similar. For private networks |
|
467 # of homeservers, you likely want to use a private CA instead. |
|
468 # |
|
469 # Only effective if federation_verify_certicates is `true`. |
|
470 # |
|
471 #federation_certificate_verification_whitelist: |
|
472 # - lon.example.com |
|
473 # - *.domain.com |
|
474 # - *.onion |
|
475 |
|
476 # List of custom certificate authorities for federation traffic. |
|
477 # |
|
478 # This setting should only normally be used within a private network of |
|
479 # homeservers. |
|
480 # |
|
481 # Note that this list will replace those that are provided by your |
|
482 # operating environment. Certificates must be in PEM format. |
|
483 # |
|
484 #federation_custom_ca_list: |
|
485 # - myCA1.pem |
|
486 # - myCA2.pem |
|
487 # - myCA3.pem |
|
488 |
|
489 # ACME support: This will configure Synapse to request a valid TLS certificate |
|
490 # for your configured `server_name` via Let's Encrypt. |
|
491 # |
|
492 # Note that ACME v1 is now deprecated, and Synapse currently doesn't support |
|
493 # ACME v2. This means that this feature currently won't work with installs set |
|
494 # up after November 2019. For more info, and alternative solutions, see |
|
495 # https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 |
|
496 # |
|
497 # Note that provisioning a certificate in this way requires port 80 to be |
|
498 # routed to Synapse so that it can complete the http-01 ACME challenge. |
|
499 # By default, if you enable ACME support, Synapse will attempt to listen on |
|
500 # port 80 for incoming http-01 challenges - however, this will likely fail |
|
501 # with 'Permission denied' or a similar error. |
|
502 # |
|
503 # There are a couple of potential solutions to this: |
|
504 # |
|
505 # * If you already have an Apache, Nginx, or similar listening on port 80, |
|
506 # you can configure Synapse to use an alternate port, and have your web |
|
507 # server forward the requests. For example, assuming you set 'port: 8009' |
|
508 # below, on Apache, you would write: |
|
509 # |
|
510 # ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge |
|
511 # |
|
512 # * Alternatively, you can use something like `authbind` to give Synapse |
|
513 # permission to listen on port 80. |
|
514 # |
|
515 acme: |
|
516 # ACME support is disabled by default. Set this to `true` and uncomment |
|
517 # tls_certificate_path and tls_private_key_path above to enable it. |
|
518 # |
|
519 enabled: false |
|
520 |
|
521 # Endpoint to use to request certificates. If you only want to test, |
|
522 # use Let's Encrypt's staging url: |
|
523 # https://acme-staging.api.letsencrypt.org/directory |
|
524 # |
|
525 #url: https://acme-v01.api.letsencrypt.org/directory |
|
526 |
|
527 # Port number to listen on for the HTTP-01 challenge. Change this if |
|
528 # you are forwarding connections through Apache/Nginx/etc. |
|
529 # |
|
530 port: 80 |
|
531 |
|
532 # Local addresses to listen on for incoming connections. |
|
533 # Again, you may want to change this if you are forwarding connections |
|
534 # through Apache/Nginx/etc. |
|
535 # |
|
536 bind_addresses: ['::', '0.0.0.0'] |
|
537 |
|
538 # How many days remaining on a certificate before it is renewed. |
|
539 # |
|
540 reprovision_threshold: 30 |
|
541 |
|
542 # The domain that the certificate should be for. Normally this |
|
543 # should be the same as your Matrix domain (i.e., 'server_name'), but, |
|
544 # by putting a file at 'https://<server_name>/.well-known/matrix/server', |
|
545 # you can delegate incoming traffic to another server. If you do that, |
|
546 # you should give the target of the delegation here. |
|
547 # |
|
548 # For example: if your 'server_name' is 'example.com', but |
|
549 # 'https://example.com/.well-known/matrix/server' delegates to |
|
550 # 'matrix.example.com', you should put 'matrix.example.com' here. |
|
551 # |
|
552 # If not set, defaults to your 'server_name'. |
|
553 # |
|
554 domain: matrix.example.com |
|
555 |
|
556 # file to use for the account key. This will be generated if it doesn't |
|
557 # exist. |
|
558 # |
|
559 # If unspecified, we will use CONFDIR/client.key. |
|
560 # |
|
561 account_key_file: /home/lhoersten/acme_account.key |
17 |
562 |
18 # List of allowed TLS fingerprints for this server to publish along |
563 # List of allowed TLS fingerprints for this server to publish along |
19 # with the signing keys for this server. Other matrix servers that |
564 # with the signing keys for this server. Other matrix servers that |
20 # make HTTPS requests to this server will check that the TLS |
565 # make HTTPS requests to this server will check that the TLS |
21 # certificates returned by this server match one of the fingerprints. |
566 # certificates returned by this server match one of the fingerprints. |
38 # You can calculate a fingerprint from a given TLS listener via: |
583 # You can calculate a fingerprint from a given TLS listener via: |
39 # openssl s_client -connect $host:$port < /dev/null 2> /dev/null | |
584 # openssl s_client -connect $host:$port < /dev/null 2> /dev/null | |
40 # openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' |
585 # openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' |
41 # or by checking matrix.org/federationtester/api/report?server_name=$host |
586 # or by checking matrix.org/federationtester/api/report?server_name=$host |
42 # |
587 # |
43 tls_fingerprints: [] |
588 #tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}] |
44 # tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}] |
589 |
45 |
590 |
46 |
591 |
47 ## Server ## |
592 ## Database ## |
48 |
593 |
49 # When running as a daemon, the file to store the pid in |
594 # The 'database' setting defines the database that synapse uses to store all of |
50 pid_file: "/var/run/matrix-synapse.pid" |
595 # its data. |
51 |
596 # |
52 # CPU affinity mask. Setting this restricts the CPUs on which the |
597 # 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or |
53 # process will be scheduled. It is represented as a bitmask, with the |
598 # 'psycopg2' (for PostgreSQL). |
54 # lowest order bit corresponding to the first logical CPU and the |
599 # |
55 # highest order bit corresponding to the last logical CPU. Not all CPUs |
600 # 'args' gives options which are passed through to the database engine, |
56 # may exist on a given system but a mask may specify more CPUs than are |
601 # except for options starting 'cp_', which are used to configure the Twisted |
57 # present. |
602 # connection pool. For a reference to valid arguments, see: |
58 # |
603 # * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect |
59 # For example: |
604 # * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS |
60 # 0x00000001 is processor #0, |
605 # * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ |
61 # 0x00000003 is processors #0 and #1, |
606 # |
62 # 0xFFFFFFFF is all processors (#0 through #31). |
607 # |
63 # |
608 # Example SQLite configuration: |
64 # Pinning a Python process to a single CPU is desirable, because Python |
609 # |
65 # is inherently single-threaded due to the GIL, and can suffer a |
610 #database: |
66 # 30-40% slowdown due to cache blow-out and thread context switching |
611 # name: sqlite3 |
67 # if the scheduler happens to schedule the underlying threads across |
612 # args: |
68 # different cores. See |
613 # database: /path/to/homeserver.db |
69 # https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/. |
614 # |
70 # |
615 # |
71 # cpu_affinity: 0xFFFFFFFF |
616 # Example Postgres configuration: |
72 |
617 # |
73 # The path to the web client which will be served at /_matrix/client/ |
618 #database: |
74 # if 'webclient' is configured under the 'listeners' configuration. |
619 # name: psycopg2 |
75 # |
620 # args: |
76 # web_client_location: "/path/to/web/root" |
621 # user: synapse |
77 |
622 # password: secretpassword |
78 # The public-facing base URL for the client API (not including _matrix/...) |
623 # database: synapse |
79 # public_baseurl: https://example.com:8448/ |
624 # host: localhost |
80 |
625 # cp_min: 5 |
81 # Set the soft limit on the number of file descriptors synapse can use |
626 # cp_max: 10 |
82 # Zero is used to indicate synapse should set the soft limit to the |
627 # |
83 # hard limit. |
628 # For more information on using Synapse with Postgres, see `docs/postgres.md`. |
84 soft_file_limit: 0 |
629 # |
85 |
|
86 # The GC threshold parameters to pass to `gc.set_threshold`, if defined |
|
87 # gc_thresholds: [700, 10, 10] |
|
88 |
|
89 # Set the limit on the returned events in the timeline in the get |
|
90 # and sync operations. The default value is -1, means no upper limit. |
|
91 # filter_timeline_limit: 5000 |
|
92 |
|
93 # Whether room invites to users on this server should be blocked |
|
94 # (except those sent by local server admins). The default is False. |
|
95 # block_non_admin_invites: True |
|
96 |
|
97 # Restrict federation to the following whitelist of domains. |
|
98 # N.B. we recommend also firewalling your federation listener to limit |
|
99 # inbound federation traffic as early as possible, rather than relying |
|
100 # purely on this application-layer restriction. If not specified, the |
|
101 # default is to whitelist everything. |
|
102 # |
|
103 # federation_domain_whitelist: |
|
104 # - lon.example.com |
|
105 # - nyc.example.com |
|
106 # - syd.example.com |
|
107 |
|
108 # List of ports that Synapse should listen on, their purpose and their |
|
109 # configuration. |
|
110 listeners: |
|
111 # Main HTTPS listener |
|
112 # For when matrix traffic is sent directly to synapse. |
|
113 # - |
|
114 # # The port to listen for HTTPS requests on. |
|
115 # port: 8448 |
|
116 |
|
117 # # Local addresses to listen on. |
|
118 # # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6 |
|
119 # # addresses by default. For most other OSes, this will only listen |
|
120 # # on IPv6. |
|
121 # bind_addresses: |
|
122 # - '::1' |
|
123 # - '127.0.0.1' |
|
124 # # - '::' |
|
125 # # - '0.0.0.0' |
|
126 |
|
127 # # This is a 'http' listener, allows us to specify 'resources'. |
|
128 # type: http |
|
129 |
|
130 # tls: true |
|
131 |
|
132 # # Use the X-Forwarded-For (XFF) header as the client IP and not the |
|
133 # # actual client IP. |
|
134 # x_forwarded: false |
|
135 |
|
136 # # List of HTTP resources to serve on this listener. |
|
137 # resources: |
|
138 # - |
|
139 # # List of resources to host on this listener. |
|
140 # names: |
|
141 # - client # The client-server APIs, both v1 and v2 |
|
142 |
|
143 # # Should synapse compress HTTP responses to clients that support it? |
|
144 # # This should be disabled if running synapse behind a load balancer |
|
145 # # that can do automatic compression. |
|
146 # compress: true |
|
147 |
|
148 # - names: [federation] # Federation APIs |
|
149 # compress: false |
|
150 |
|
151 # # optional list of additional endpoints which can be loaded via |
|
152 # # dynamic modules |
|
153 # # additional_resources: |
|
154 # # "/_matrix/my/custom/endpoint": |
|
155 # # module: my_module.CustomRequestHandler |
|
156 # # config: {} |
|
157 |
|
158 # Unsecure HTTP listener, |
|
159 # For when matrix traffic passes through loadbalancer that unwraps TLS. |
|
160 - port: 8008 |
|
161 tls: false |
|
162 bind_addresses: |
|
163 - '::1' |
|
164 - '127.0.0.1' |
|
165 # - '::' |
|
166 # - '0.0.0.0' |
|
167 type: http |
|
168 |
|
169 x_forwarded: true |
|
170 |
|
171 resources: |
|
172 - names: [client] |
|
173 compress: true |
|
174 - names: [federation] |
|
175 compress: false |
|
176 |
|
177 # Turn on the twisted ssh manhole service on localhost on the given |
|
178 # port. |
|
179 # - port: 9000 |
|
180 # bind_addresses: |
|
181 # - '::1' |
|
182 # - '127.0.0.1' |
|
183 # type: manhole |
|
184 |
|
185 |
|
186 # Database configuration |
|
187 database: |
630 database: |
188 # The database engine name |
631 name: sqlite3 |
189 name: "sqlite3" |
|
190 # Arguments to pass to the engine |
|
191 args: |
632 args: |
192 # Path to the database |
|
193 database: "{{matrix_synapse_db}}" |
633 database: "{{matrix_synapse_db}}" |
194 |
634 |
195 # Number of events to cache in memory. |
635 # Number of events to cache in memory. |
196 event_cache_size: "10K" |
636 # |
197 |
637 #event_cache_size: 10K |
198 |
638 |
199 # A yaml python logging config file |
639 |
|
640 ## Logging ## |
|
641 |
|
642 # A yaml python logging config file as described by |
|
643 # https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema |
|
644 # |
200 log_config: "/etc/matrix-synapse/log.yaml" |
645 log_config: "/etc/matrix-synapse/log.yaml" |
201 |
646 |
202 |
647 |
203 |
|
204 ## Ratelimiting ## |
648 ## Ratelimiting ## |
205 |
649 |
206 # Number of messages a client can send per second |
650 # Ratelimiting settings for client actions (registration, login, messaging). |
207 rc_messages_per_second: 0.2 |
651 # |
208 |
652 # Each ratelimiting configuration is made of two parameters: |
209 # Number of message a client can send before being throttled |
653 # - per_second: number of requests a client can send per second. |
210 rc_message_burst_count: 10.0 |
654 # - burst_count: number of requests a client can send before being throttled. |
211 |
655 # |
212 # The federation window size in milliseconds |
656 # Synapse currently uses the following configurations: |
213 federation_rc_window_size: 1000 |
657 # - one for messages that ratelimits sending based on the account the client |
214 |
658 # is using |
215 # The number of federation requests from a single server in a window |
659 # - one for registration that ratelimits registration requests based on the |
216 # before the server will delay processing the request. |
660 # client's IP address. |
217 federation_rc_sleep_limit: 10 |
661 # - one for login that ratelimits login requests based on the client's IP |
218 |
662 # address. |
219 # The duration in milliseconds to delay processing events from |
663 # - one for login that ratelimits login requests based on the account the |
220 # remote servers by if they go over the sleep limit. |
664 # client is attempting to log into. |
221 federation_rc_sleep_delay: 500 |
665 # - one for login that ratelimits login requests based on the account the |
222 |
666 # client is attempting to log into, based on the amount of failed login |
223 # The maximum number of concurrent federation requests allowed |
667 # attempts for this account. |
224 # from a single server |
668 # - one for ratelimiting redactions by room admins. If this is not explicitly |
225 federation_rc_reject_limit: 50 |
669 # set then it uses the same ratelimiting as per rc_message. This is useful |
226 |
670 # to allow room admins to deal with abuse quickly. |
227 # The number of federation requests to concurrently process from a |
671 # |
228 # single server |
672 # The defaults are as shown below. |
229 federation_rc_concurrent: 3 |
673 # |
230 |
674 #rc_message: |
231 |
675 # per_second: 0.2 |
|
676 # burst_count: 10 |
|
677 # |
|
678 #rc_registration: |
|
679 # per_second: 0.17 |
|
680 # burst_count: 3 |
|
681 # |
|
682 #rc_login: |
|
683 # address: |
|
684 # per_second: 0.17 |
|
685 # burst_count: 3 |
|
686 # account: |
|
687 # per_second: 0.17 |
|
688 # burst_count: 3 |
|
689 # failed_attempts: |
|
690 # per_second: 0.17 |
|
691 # burst_count: 3 |
|
692 # |
|
693 #rc_admin_redaction: |
|
694 # per_second: 1 |
|
695 # burst_count: 50 |
|
696 |
|
697 |
|
698 # Ratelimiting settings for incoming federation |
|
699 # |
|
700 # The rc_federation configuration is made up of the following settings: |
|
701 # - window_size: window size in milliseconds |
|
702 # - sleep_limit: number of federation requests from a single server in |
|
703 # a window before the server will delay processing the request. |
|
704 # - sleep_delay: duration in milliseconds to delay processing events |
|
705 # from remote servers by if they go over the sleep limit. |
|
706 # - reject_limit: maximum number of concurrent federation requests |
|
707 # allowed from a single server |
|
708 # - concurrent: number of federation requests to concurrently process |
|
709 # from a single server |
|
710 # |
|
711 # The defaults are as shown below. |
|
712 # |
|
713 #rc_federation: |
|
714 # window_size: 1000 |
|
715 # sleep_limit: 10 |
|
716 # sleep_delay: 500 |
|
717 # reject_limit: 50 |
|
718 # concurrent: 3 |
|
719 |
|
720 # Target outgoing federation transaction frequency for sending read-receipts, |
|
721 # per-room. |
|
722 # |
|
723 # If we end up trying to send out more read-receipts, they will get buffered up |
|
724 # into fewer transactions. |
|
725 # |
|
726 #federation_rr_transactions_per_room_per_second: 50 |
|
727 |
|
728 |
|
729 |
|
730 ## Media Store ## |
|
731 |
|
732 # Enable the media store service in the Synapse master. Uncomment the |
|
733 # following if you are using a separate media store worker. |
|
734 # |
|
735 #enable_media_repo: false |
232 |
736 |
233 # Directory where uploaded images and attachments are stored. |
737 # Directory where uploaded images and attachments are stored. |
|
738 # |
234 media_store_path: "{{matrix_synapse_media_store}}" |
739 media_store_path: "{{matrix_synapse_media_store}}" |
235 |
740 |
236 # Media storage providers allow media to be stored in different |
741 # Media storage providers allow media to be stored in different |
237 # locations. |
742 # locations. |
238 # media_storage_providers: |
743 # |
239 # - module: file_system |
744 #media_storage_providers: |
240 # # Whether to write new local files. |
745 # - module: file_system |
241 # store_local: false |
746 # # Whether to store newly uploaded local files |
242 # # Whether to write new remote media |
747 # store_local: false |
243 # store_remote: false |
748 # # Whether to store newly downloaded remote files |
244 # # Whether to block upload requests waiting for write to this |
749 # store_remote: false |
245 # # provider to complete |
750 # # Whether to wait for successful storage for local uploads |
246 # store_synchronous: false |
751 # store_synchronous: false |
247 # config: |
752 # config: |
248 # directory: /mnt/some/other/directory |
753 # directory: /mnt/some/other/directory |
249 |
|
250 # Directory where in-progress uploads are stored. |
|
251 uploads_path: "{{matrix_synapse_uploads}}" |
|
252 |
754 |
253 # The largest allowed upload size in bytes |
755 # The largest allowed upload size in bytes |
254 max_upload_size: "10M" |
756 # |
|
757 #max_upload_size: 10M |
255 |
758 |
256 # Maximum number of pixels that will be thumbnailed |
759 # Maximum number of pixels that will be thumbnailed |
257 max_image_pixels: "32M" |
760 # |
|
761 #max_image_pixels: 32M |
258 |
762 |
259 # Whether to generate new thumbnails on the fly to precisely match |
763 # Whether to generate new thumbnails on the fly to precisely match |
260 # the resolution requested by the client. If true then whenever |
764 # the resolution requested by the client. If true then whenever |
261 # a new resolution is requested by the client the server will |
765 # a new resolution is requested by the client the server will |
262 # generate a new thumbnail. If false the server will pick a thumbnail |
766 # generate a new thumbnail. If false the server will pick a thumbnail |
263 # from a precalculated list. |
767 # from a precalculated list. |
264 dynamic_thumbnails: false |
768 # |
265 |
769 #dynamic_thumbnails: false |
266 # List of thumbnail to precalculate when an image is uploaded. |
770 |
267 thumbnail_sizes: |
771 # List of thumbnails to precalculate when an image is uploaded. |
268 - width: 32 |
772 # |
269 height: 32 |
773 #thumbnail_sizes: |
270 method: crop |
774 # - width: 32 |
271 - width: 96 |
775 # height: 32 |
272 height: 96 |
776 # method: crop |
273 method: crop |
777 # - width: 96 |
274 - width: 320 |
778 # height: 96 |
275 height: 240 |
779 # method: crop |
276 method: scale |
780 # - width: 320 |
277 - width: 640 |
781 # height: 240 |
278 height: 480 |
782 # method: scale |
279 method: scale |
783 # - width: 640 |
280 - width: 800 |
784 # height: 480 |
281 height: 600 |
785 # method: scale |
282 method: scale |
786 # - width: 800 |
283 |
787 # height: 600 |
284 # Is the preview URL API enabled? If enabled, you *must* specify |
788 # method: scale |
285 # an explicit url_preview_ip_range_blacklist of IPs that the spider is |
789 |
286 # denied from accessing. |
790 # Is the preview URL API enabled? |
287 url_preview_enabled: False |
791 # |
|
792 # 'false' by default: uncomment the following to enable it (and specify a |
|
793 # url_preview_ip_range_blacklist blacklist). |
|
794 # |
|
795 #url_preview_enabled: true |
288 |
796 |
289 # List of IP address CIDR ranges that the URL preview spider is denied |
797 # List of IP address CIDR ranges that the URL preview spider is denied |
290 # from accessing. There are no defaults: you must explicitly |
798 # from accessing. There are no defaults: you must explicitly |
291 # specify a list for URL previewing to work. You should specify any |
799 # specify a list for URL previewing to work. You should specify any |
292 # internal services in your network that you do not want synapse to try |
800 # internal services in your network that you do not want synapse to try |
293 # to connect to, otherwise anyone in any Matrix room could cause your |
801 # to connect to, otherwise anyone in any Matrix room could cause your |
294 # synapse to issue arbitrary GET requests to your internal services, |
802 # synapse to issue arbitrary GET requests to your internal services, |
295 # causing serious security issues. |
803 # causing serious security issues. |
296 # |
804 # |
297 # url_preview_ip_range_blacklist: |
805 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly |
298 # - '127.0.0.0/8' |
806 # listed here, since they correspond to unroutable addresses.) |
299 # - '10.0.0.0/8' |
807 # |
300 # - '172.16.0.0/12' |
808 # This must be specified if url_preview_enabled is set. It is recommended that |
301 # - '192.168.0.0/16' |
809 # you uncomment the following list as a starting point. |
302 # - '100.64.0.0/10' |
810 # |
303 # - '169.254.0.0/16' |
811 #url_preview_ip_range_blacklist: |
304 # |
812 # - '127.0.0.0/8' |
|
813 # - '10.0.0.0/8' |
|
814 # - '172.16.0.0/12' |
|
815 # - '192.168.0.0/16' |
|
816 # - '100.64.0.0/10' |
|
817 # - '169.254.0.0/16' |
|
818 # - '::1/128' |
|
819 # - 'fe80::/64' |
|
820 # - 'fc00::/7' |
|
821 |
305 # List of IP address CIDR ranges that the URL preview spider is allowed |
822 # List of IP address CIDR ranges that the URL preview spider is allowed |
306 # to access even if they are specified in url_preview_ip_range_blacklist. |
823 # to access even if they are specified in url_preview_ip_range_blacklist. |
307 # This is useful for specifying exceptions to wide-ranging blacklisted |
824 # This is useful for specifying exceptions to wide-ranging blacklisted |
308 # target IP ranges - e.g. for enabling URL previews for a specific private |
825 # target IP ranges - e.g. for enabling URL previews for a specific private |
309 # website only visible in your network. |
826 # website only visible in your network. |
310 # |
827 # |
311 # url_preview_ip_range_whitelist: |
828 #url_preview_ip_range_whitelist: |
312 # - '192.168.1.1' |
829 # - '192.168.1.1' |
313 |
830 |
314 # Optional list of URL matches that the URL preview spider is |
831 # Optional list of URL matches that the URL preview spider is |
315 # denied from accessing. You should use url_preview_ip_range_blacklist |
832 # denied from accessing. You should use url_preview_ip_range_blacklist |
316 # in preference to this, otherwise someone could define a public DNS |
833 # in preference to this, otherwise someone could define a public DNS |
317 # entry that points to a private IP address and circumvent the blacklist. |
834 # entry that points to a private IP address and circumvent the blacklist. |
325 # applied to that component of URLs, unless they start with a ^ in which |
842 # applied to that component of URLs, unless they start with a ^ in which |
326 # case they are treated as a regular expression match. If all the |
843 # case they are treated as a regular expression match. If all the |
327 # specified component matches for a given list item succeed, the URL is |
844 # specified component matches for a given list item succeed, the URL is |
328 # blacklisted. |
845 # blacklisted. |
329 # |
846 # |
330 # url_preview_url_blacklist: |
847 #url_preview_url_blacklist: |
331 # # blacklist any URL with a username in its URI |
848 # # blacklist any URL with a username in its URI |
332 # - username: '*' |
849 # - username: '*' |
333 # |
850 # |
334 # # blacklist all *.google.com URLs |
851 # # blacklist all *.google.com URLs |
335 # - netloc: 'google.com' |
852 # - netloc: 'google.com' |
336 # - netloc: '*.google.com' |
853 # - netloc: '*.google.com' |
337 # |
854 # |
338 # # blacklist all plain HTTP URLs |
855 # # blacklist all plain HTTP URLs |
339 # - scheme: 'http' |
856 # - scheme: 'http' |
340 # |
857 # |
341 # # blacklist http(s)://www.acme.com/foo |
858 # # blacklist http(s)://www.acme.com/foo |
342 # - netloc: 'www.acme.com' |
859 # - netloc: 'www.acme.com' |
343 # path: '/foo' |
860 # path: '/foo' |
344 # |
861 # |
345 # # blacklist any URL with a literal IPv4 address |
862 # # blacklist any URL with a literal IPv4 address |
346 # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' |
863 # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' |
347 |
864 |
348 # The largest allowed URL preview spidering size in bytes |
865 # The largest allowed URL preview spidering size in bytes |
349 max_spider_size: "10M" |
866 # |
350 |
867 #max_spider_size: 10M |
351 |
868 |
|
869 # A list of values for the Accept-Language HTTP header used when |
|
870 # downloading webpages during URL preview generation. This allows |
|
871 # Synapse to specify the preferred languages that URL previews should |
|
872 # be in when communicating with remote servers. |
|
873 # |
|
874 # Each value is a IETF language tag; a 2-3 letter identifier for a |
|
875 # language, optionally followed by subtags separated by '-', specifying |
|
876 # a country or region variant. |
|
877 # |
|
878 # Multiple values can be provided, and a weight can be added to each by |
|
879 # using quality value syntax (;q=). '*' translates to any language. |
|
880 # |
|
881 # Defaults to "en". |
|
882 # |
|
883 # Example: |
|
884 # |
|
885 # url_preview_accept_language: |
|
886 # - en-UK |
|
887 # - en-US;q=0.9 |
|
888 # - fr;q=0.8 |
|
889 # - *;q=0.7 |
|
890 # |
|
891 url_preview_accept_language: |
|
892 # - en |
352 |
893 |
353 |
894 |
354 ## Captcha ## |
895 ## Captcha ## |
355 # See docs/CAPTCHA_SETUP for full details of configuring this. |
896 # See docs/CAPTCHA_SETUP for full details of configuring this. |
356 |
897 |
357 # This Home Server's ReCAPTCHA public key. |
898 # This homeserver's ReCAPTCHA public key. |
358 recaptcha_public_key: "YOUR_PUBLIC_KEY" |
899 # |
359 |
900 #recaptcha_public_key: "YOUR_PUBLIC_KEY" |
360 # This Home Server's ReCAPTCHA private key. |
901 |
361 recaptcha_private_key: "YOUR_PRIVATE_KEY" |
902 # This homeserver's ReCAPTCHA private key. |
|
903 # |
|
904 #recaptcha_private_key: "YOUR_PRIVATE_KEY" |
362 |
905 |
363 # Enables ReCaptcha checks when registering, preventing signup |
906 # Enables ReCaptcha checks when registering, preventing signup |
364 # unless a captcha is answered. Requires a valid ReCaptcha |
907 # unless a captcha is answered. Requires a valid ReCaptcha |
365 # public/private key. |
908 # public/private key. |
366 enable_registration_captcha: False |
909 # |
367 |
910 #enable_registration_captcha: false |
368 # A secret key used to bypass the captcha test entirely. |
|
369 #captcha_bypass_secret: "YOUR_SECRET_HERE" |
|
370 |
911 |
371 # The API endpoint to use for verifying m.login.recaptcha responses. |
912 # The API endpoint to use for verifying m.login.recaptcha responses. |
372 recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" |
913 # |
373 |
914 #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" |
374 |
915 |
375 ## Turn ## |
916 |
|
917 ## TURN ## |
376 |
918 |
377 # The public URIs of the TURN server to give to clients |
919 # The public URIs of the TURN server to give to clients |
378 turn_uris: [] |
920 # |
|
921 #turn_uris: [] |
379 |
922 |
380 # The shared secret used to compute passwords for the TURN server |
923 # The shared secret used to compute passwords for the TURN server |
381 turn_shared_secret: "YOUR_SHARED_SECRET" |
924 # |
|
925 #turn_shared_secret: "YOUR_SHARED_SECRET" |
382 |
926 |
383 # The Username and password if the TURN server needs them and |
927 # The Username and password if the TURN server needs them and |
384 # does not use a token |
928 # does not use a token |
|
929 # |
385 #turn_username: "TURNSERVER_USERNAME" |
930 #turn_username: "TURNSERVER_USERNAME" |
386 #turn_password: "TURNSERVER_PASSWORD" |
931 #turn_password: "TURNSERVER_PASSWORD" |
387 |
932 |
388 # How long generated TURN credentials last |
933 # How long generated TURN credentials last |
389 turn_user_lifetime: "1h" |
934 # |
|
935 #turn_user_lifetime: 1h |
390 |
936 |
391 # Whether guests should be allowed to use the TURN server. |
937 # Whether guests should be allowed to use the TURN server. |
392 # This defaults to True, otherwise VoIP will be unreliable for guests. |
938 # This defaults to True, otherwise VoIP will be unreliable for guests. |
393 # However, it does introduce a slight security risk as it allows users to |
939 # However, it does introduce a slight security risk as it allows users to |
394 # connect to arbitrary endpoints without having first signed up for a |
940 # connect to arbitrary endpoints without having first signed up for a |
395 # valid account (e.g. by passing a CAPTCHA). |
941 # valid account (e.g. by passing a CAPTCHA). |
396 turn_allow_guests: False |
942 # |
|
943 #turn_allow_guests: true |
397 |
944 |
398 |
945 |
399 ## Registration ## |
946 ## Registration ## |
|
947 # |
|
948 # Registration can be rate-limited using the parameters in the "Ratelimiting" |
|
949 # section of this file. |
400 |
950 |
401 # Enable registration for new users. |
951 # Enable registration for new users. |
|
952 # |
402 enable_registration: {{matrix_synapse_enable_registrations}} |
953 enable_registration: {{matrix_synapse_enable_registrations}} |
403 |
954 |
|
955 # Optional account validity configuration. This allows for accounts to be denied |
|
956 # any request after a given period. |
|
957 # |
|
958 # Once this feature is enabled, Synapse will look for registered users without an |
|
959 # expiration date at startup and will add one to every account it found using the |
|
960 # current settings at that time. |
|
961 # This means that, if a validity period is set, and Synapse is restarted (it will |
|
962 # then derive an expiration date from the current validity period), and some time |
|
963 # after that the validity period changes and Synapse is restarted, the users' |
|
964 # expiration dates won't be updated unless their account is manually renewed. This |
|
965 # date will be randomly selected within a range [now + period - d ; now + period], |
|
966 # where d is equal to 10% of the validity period. |
|
967 # |
|
968 account_validity: |
|
969 # The account validity feature is disabled by default. Uncomment the |
|
970 # following line to enable it. |
|
971 # |
|
972 #enabled: true |
|
973 |
|
974 # The period after which an account is valid after its registration. When |
|
975 # renewing the account, its validity period will be extended by this amount |
|
976 # of time. This parameter is required when using the account validity |
|
977 # feature. |
|
978 # |
|
979 #period: 6w |
|
980 |
|
981 # The amount of time before an account's expiry date at which Synapse will |
|
982 # send an email to the account's email address with a renewal link. By |
|
983 # default, no such emails are sent. |
|
984 # |
|
985 # If you enable this setting, you will also need to fill out the 'email' and |
|
986 # 'public_baseurl' configuration sections. |
|
987 # |
|
988 #renew_at: 1w |
|
989 |
|
990 # The subject of the email sent out with the renewal link. '%(app)s' can be |
|
991 # used as a placeholder for the 'app_name' parameter from the 'email' |
|
992 # section. |
|
993 # |
|
994 # Note that the placeholder must be written '%(app)s', including the |
|
995 # trailing 's'. |
|
996 # |
|
997 # If this is not set, a default value is used. |
|
998 # |
|
999 #renew_email_subject: "Renew your %(app)s account" |
|
1000 |
|
1001 # Directory in which Synapse will try to find templates for the HTML files to |
|
1002 # serve to the user when trying to renew an account. If not set, default |
|
1003 # templates from within the Synapse package will be used. |
|
1004 # |
|
1005 #template_dir: "res/templates" |
|
1006 |
|
1007 # File within 'template_dir' giving the HTML to be displayed to the user after |
|
1008 # they successfully renewed their account. If not set, default text is used. |
|
1009 # |
|
1010 #account_renewed_html_path: "account_renewed.html" |
|
1011 |
|
1012 # File within 'template_dir' giving the HTML to be displayed when the user |
|
1013 # tries to renew an account with an invalid renewal token. If not set, |
|
1014 # default text is used. |
|
1015 # |
|
1016 #invalid_token_html_path: "invalid_token.html" |
|
1017 |
|
1018 # Time that a user's session remains valid for, after they log in. |
|
1019 # |
|
1020 # Note that this is not currently compatible with guest logins. |
|
1021 # |
|
1022 # Note also that this is calculated at login time: changes are not applied |
|
1023 # retrospectively to users who have already logged in. |
|
1024 # |
|
1025 # By default, this is infinite. |
|
1026 # |
|
1027 #session_lifetime: 24h |
|
1028 |
404 # The user must provide all of the below types of 3PID when registering. |
1029 # The user must provide all of the below types of 3PID when registering. |
405 # |
1030 # |
406 # registrations_require_3pid: |
1031 #registrations_require_3pid: |
407 # - email |
1032 # - email |
408 # - msisdn |
1033 # - msisdn |
|
1034 |
|
1035 # Explicitly disable asking for MSISDNs from the registration |
|
1036 # flow (overrides registrations_require_3pid if MSISDNs are set as required) |
|
1037 # |
|
1038 #disable_msisdn_registration: true |
409 |
1039 |
410 # Mandate that users are only allowed to associate certain formats of |
1040 # Mandate that users are only allowed to associate certain formats of |
411 # 3PIDs with accounts on this server. |
1041 # 3PIDs with accounts on this server. |
412 # |
1042 # |
413 # allowed_local_3pids: |
1043 #allowed_local_3pids: |
414 # - medium: email |
1044 # - medium: email |
415 # pattern: ".*@matrix\.org" |
1045 # pattern: '.*@matrix\.org' |
416 # - medium: email |
1046 # - medium: email |
417 # pattern: ".*@vector\.im" |
1047 # pattern: '.*@vector\.im' |
418 # - medium: msisdn |
1048 # - medium: msisdn |
419 # pattern: "\+44" |
1049 # pattern: '\+44' |
420 |
1050 |
421 # If set, allows registration by anyone who also has the shared |
1051 # Enable 3PIDs lookup requests to identity servers from this server. |
422 # secret, even if registration is otherwise disabled. |
1052 # |
423 # registration_shared_secret: <PRIVATE STRING> |
1053 #enable_3pid_lookup: true |
|
1054 |
|
1055 # If set, allows registration of standard or admin accounts by anyone who |
|
1056 # has the shared secret, even if registration is otherwise disabled. |
|
1057 # |
|
1058 registration_shared_secret: "UgG6FB~1cV1Z5:v+_6m*1tE4m143m6xM*fiBp:T+ZhF+sNdeH*" |
424 |
1059 |
425 # Set the number of bcrypt rounds used to generate password hash. |
1060 # Set the number of bcrypt rounds used to generate password hash. |
426 # Larger numbers increase the work factor needed to generate the hash. |
1061 # Larger numbers increase the work factor needed to generate the hash. |
427 # The default number is 12 (which equates to 2^12 rounds). |
1062 # The default number is 12 (which equates to 2^12 rounds). |
428 # N.B. that increasing this will exponentially increase the time required |
1063 # N.B. that increasing this will exponentially increase the time required |
429 # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. |
1064 # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. |
430 bcrypt_rounds: 12 |
1065 # |
|
1066 #bcrypt_rounds: 12 |
431 |
1067 |
432 # Allows users to register as guests without a password/email/etc, and |
1068 # Allows users to register as guests without a password/email/etc, and |
433 # participate in rooms hosted on this server which have been made |
1069 # participate in rooms hosted on this server which have been made |
434 # accessible to anonymous users. |
1070 # accessible to anonymous users. |
435 allow_guest_access: False |
1071 # |
|
1072 #allow_guest_access: false |
|
1073 |
|
1074 # The identity server which we suggest that clients should use when users log |
|
1075 # in on this server. |
|
1076 # |
|
1077 # (By default, no suggestion is made, so it is left up to the client. |
|
1078 # This setting is ignored unless public_baseurl is also set.) |
|
1079 # |
|
1080 #default_identity_server: https://matrix.org |
436 |
1081 |
437 # The list of identity servers trusted to verify third party |
1082 # The list of identity servers trusted to verify third party |
438 # identifiers by this server. |
1083 # identifiers by this server. |
439 trusted_third_party_id_servers: |
1084 # |
440 - matrix.org |
1085 # Also defines the ID server which will be called when an account is |
441 - vector.im |
1086 # deactivated (one will be picked arbitrarily). |
442 - riot.im |
1087 # |
|
1088 # Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity |
|
1089 # server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a |
|
1090 # background migration script, informing itself that the identity server all of its |
|
1091 # 3PIDs have been bound to is likely one of the below. |
|
1092 # |
|
1093 # As of Synapse v1.4.0, all other functionality of this option has been deprecated, and |
|
1094 # it is now solely used for the purposes of the background migration script, and can be |
|
1095 # removed once it has run. |
|
1096 #trusted_third_party_id_servers: |
|
1097 # - matrix.org |
|
1098 # - vector.im |
|
1099 |
|
1100 # Handle threepid (email/phone etc) registration and password resets through a set of |
|
1101 # *trusted* identity servers. Note that this allows the configured identity server to |
|
1102 # reset passwords for accounts! |
|
1103 # |
|
1104 # Be aware that if `email` is not set, and SMTP options have not been |
|
1105 # configured in the email config block, registration and user password resets via |
|
1106 # email will be globally disabled. |
|
1107 # |
|
1108 # Additionally, if `msisdn` is not set, registration and password resets via msisdn |
|
1109 # will be disabled regardless. This is due to Synapse currently not supporting any |
|
1110 # method of sending SMS messages on its own. |
|
1111 # |
|
1112 # To enable using an identity server for operations regarding a particular third-party |
|
1113 # identifier type, set the value to the URL of that identity server as shown in the |
|
1114 # examples below. |
|
1115 # |
|
1116 # Servers handling the these requests must answer the `/requestToken` endpoints defined |
|
1117 # by the Matrix Identity Service API specification: |
|
1118 # https://matrix.org/docs/spec/identity_service/latest |
|
1119 # |
|
1120 # If a delegate is specified, the config option public_baseurl must also be filled out. |
|
1121 # |
|
1122 account_threepid_delegates: |
|
1123 #email: https://example.com # Delegate email sending to example.com |
|
1124 #msisdn: http://localhost:8090 # Delegate SMS sending to this local process |
|
1125 |
|
1126 # Whether users are allowed to change their displayname after it has |
|
1127 # been initially set. Useful when provisioning users based on the |
|
1128 # contents of a third-party directory. |
|
1129 # |
|
1130 # Does not apply to server administrators. Defaults to 'true' |
|
1131 # |
|
1132 #enable_set_displayname: false |
|
1133 |
|
1134 # Whether users are allowed to change their avatar after it has been |
|
1135 # initially set. Useful when provisioning users based on the contents |
|
1136 # of a third-party directory. |
|
1137 # |
|
1138 # Does not apply to server administrators. Defaults to 'true' |
|
1139 # |
|
1140 #enable_set_avatar_url: false |
|
1141 |
|
1142 # Whether users can change the 3PIDs associated with their accounts |
|
1143 # (email address and msisdn). |
|
1144 # |
|
1145 # Defaults to 'true' |
|
1146 # |
|
1147 #enable_3pid_changes: false |
443 |
1148 |
444 # Users who register on this homeserver will automatically be joined |
1149 # Users who register on this homeserver will automatically be joined |
445 # to these rooms |
1150 # to these rooms |
|
1151 # |
446 #auto_join_rooms: |
1152 #auto_join_rooms: |
447 # - "#example:example.com" |
1153 # - "#example:example.com" |
|
1154 |
|
1155 # Where auto_join_rooms are specified, setting this flag ensures that the |
|
1156 # the rooms exist by creating them when the first user on the |
|
1157 # homeserver registers. |
|
1158 # Setting to false means that if the rooms are not manually created, |
|
1159 # users cannot be auto-joined since they do not exist. |
|
1160 # |
|
1161 #autocreate_auto_join_rooms: true |
448 |
1162 |
449 |
1163 |
450 ## Metrics ### |
1164 ## Metrics ### |
451 |
1165 |
452 # Enable collection and rendering of performance metrics |
1166 # Enable collection and rendering of performance metrics |
453 enable_metrics: False |
1167 # |
|
1168 #enable_metrics: false |
|
1169 |
|
1170 # Enable sentry integration |
|
1171 # NOTE: While attempts are made to ensure that the logs don't contain |
|
1172 # any sensitive information, this cannot be guaranteed. By enabling |
|
1173 # this option the sentry server may therefore receive sensitive |
|
1174 # information, and it in turn may then diseminate sensitive information |
|
1175 # through insecure notification channels if so configured. |
|
1176 # |
|
1177 #sentry: |
|
1178 # dsn: "..." |
|
1179 |
|
1180 # Flags to enable Prometheus metrics which are not suitable to be |
|
1181 # enabled by default, either for performance reasons or limited use. |
|
1182 # |
|
1183 metrics_flags: |
|
1184 # Publish synapse_federation_known_servers, a gauge of the number of |
|
1185 # servers this homeserver knows about, including itself. May cause |
|
1186 # performance problems on large homeservers. |
|
1187 # |
|
1188 #known_servers: true |
|
1189 |
|
1190 # Whether or not to report anonymized homeserver usage statistics. |
|
1191 report_stats: false |
|
1192 |
|
1193 # The endpoint to report the anonymized homeserver usage statistics to. |
|
1194 # Defaults to https://matrix.org/report-usage-stats/push |
|
1195 # |
|
1196 #report_stats_endpoint: https://example.com/report-usage-stats/push |
|
1197 |
454 |
1198 |
455 ## API Configuration ## |
1199 ## API Configuration ## |
456 |
1200 |
457 # A list of event types that will be included in the room_invite_state |
1201 # A list of event types that will be included in the room_invite_state |
458 room_invite_state_types: |
1202 # |
459 - "m.room.join_rules" |
1203 #room_invite_state_types: |
460 - "m.room.canonical_alias" |
1204 # - "m.room.join_rules" |
461 - "m.room.avatar" |
1205 # - "m.room.canonical_alias" |
462 - "m.room.name" |
1206 # - "m.room.avatar" |
463 |
1207 # - "m.room.encryption" |
464 |
1208 # - "m.room.name" |
465 # A list of application service config file to use |
1209 |
466 app_service_config_files: [] |
1210 |
467 |
1211 # A list of application service config files to use |
468 |
1212 # |
469 # macaroon_secret_key: <PRIVATE STRING> |
1213 #app_service_config_files: |
470 |
1214 # - app_service_1.yaml |
471 # Used to enable access token expiration. |
1215 # - app_service_2.yaml |
472 expire_access_token: False |
1216 |
|
1217 # Uncomment to enable tracking of application service IP addresses. Implicitly |
|
1218 # enables MAU tracking for application service users. |
|
1219 # |
|
1220 #track_appservice_user_ips: true |
|
1221 |
|
1222 |
|
1223 # a secret which is used to sign access tokens. If none is specified, |
|
1224 # the registration_shared_secret is used, if one is given; otherwise, |
|
1225 # a secret key is derived from the signing key. |
|
1226 # |
|
1227 macaroon_secret_key: "yENyX9gJV:JDVK-yH.2Dls8dLE*PfEAD6ebKlDfA;e0#CYjNE:" |
|
1228 |
|
1229 # a secret which is used to calculate HMACs for form values, to stop |
|
1230 # falsification of values. Must be specified for the User Consent |
|
1231 # forms to work. |
|
1232 # |
|
1233 form_secret: "xko,ABwYOV*SqSfu3PGyLq#ZdHe5tU9nwHE+rcKYmV0Q~@Hg#D" |
473 |
1234 |
474 ## Signing Keys ## |
1235 ## Signing Keys ## |
475 |
1236 |
476 # Path to the signing key to sign messages with |
1237 # Path to the signing key to sign messages with |
|
1238 # |
477 signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" |
1239 signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" |
478 |
1240 |
479 # The keys that the server used to sign messages with but won't use |
1241 # The keys that the server used to sign messages with but won't use |
480 # to sign new messages. E.g. it has lost its private key |
1242 # to sign new messages. |
481 old_signing_keys: {} |
1243 # |
482 # "ed25519:auto": |
1244 old_signing_keys: |
483 # # Base64 encoded public key |
1245 # For each key, `key` should be the base64-encoded public key, and |
484 # key: "The public part of your old signing key." |
1246 # `expired_ts`should be the time (in milliseconds since the unix epoch) that |
485 # # Millisecond POSIX timestamp when the key expired. |
1247 # it was last used. |
486 # expired_ts: 123456789123 |
1248 # |
|
1249 # It is possible to build an entry from an old signing.key file using the |
|
1250 # `export_signing_key` script which is provided with synapse. |
|
1251 # |
|
1252 # For example: |
|
1253 # |
|
1254 #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } |
487 |
1255 |
488 # How long key response published by this server is valid for. |
1256 # How long key response published by this server is valid for. |
489 # Used to set the valid_until_ts in /key/v2 APIs. |
1257 # Used to set the valid_until_ts in /key/v2 APIs. |
490 # Determines how quickly servers will query to check which keys |
1258 # Determines how quickly servers will query to check which keys |
491 # are still valid. |
1259 # are still valid. |
492 key_refresh_interval: "1d" # 1 Day. |
1260 # |
|
1261 #key_refresh_interval: 1d |
493 |
1262 |
494 # The trusted servers to download signing keys from. |
1263 # The trusted servers to download signing keys from. |
495 perspectives: |
1264 # |
496 servers: |
1265 # When we need to fetch a signing key, each server is tried in parallel. |
497 "matrix.org": |
1266 # |
498 verify_keys: |
1267 # Normally, the connection to the key server is validated via TLS certificates. |
499 "ed25519:auto": |
1268 # Additional security can be provided by configuring a `verify key`, which |
500 key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" |
1269 # will make synapse check that the response is signed by that key. |
501 |
1270 # |
502 |
1271 # This setting supercedes an older setting named `perspectives`. The old format |
503 |
1272 # is still supported for backwards-compatibility, but it is deprecated. |
504 # Enable SAML2 for registration and login. Uses pysaml2 |
1273 # |
505 # config_path: Path to the sp_conf.py configuration file |
1274 # 'trusted_key_servers' defaults to matrix.org, but using it will generate a |
506 # idp_redirect_url: Identity provider URL which will redirect |
1275 # warning on start-up. To suppress this warning, set |
507 # the user back to /login/saml2 with proper info. |
1276 # 'suppress_key_server_warning' to true. |
508 # See pysaml2 docs for format of config. |
1277 # |
509 #saml2_config: |
1278 # Options for each entry in the list include: |
510 # enabled: true |
1279 # |
511 # config_path: "/home/erikj/git/synapse/sp_conf.py" |
1280 # server_name: the name of the server. required. |
512 # idp_redirect_url: "http://test/idp" |
1281 # |
|
1282 # verify_keys: an optional map from key id to base64-encoded public key. |
|
1283 # If specified, we will check that the response is signed by at least |
|
1284 # one of the given keys. |
|
1285 # |
|
1286 # accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, |
|
1287 # and federation_verify_certificates is not `true`, synapse will refuse |
|
1288 # to start, because this would allow anyone who can spoof DNS responses |
|
1289 # to masquerade as the trusted key server. If you know what you are doing |
|
1290 # and are sure that your network environment provides a secure connection |
|
1291 # to the key server, you can set this to `true` to override this |
|
1292 # behaviour. |
|
1293 # |
|
1294 # An example configuration might look like: |
|
1295 # |
|
1296 #trusted_key_servers: |
|
1297 # - server_name: "my_trusted_server.example.com" |
|
1298 # verify_keys: |
|
1299 # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" |
|
1300 # - server_name: "my_other_trusted_server.example.com" |
|
1301 # |
|
1302 trusted_key_servers: |
|
1303 - server_name: "matrix.org" |
|
1304 |
|
1305 # Uncomment the following to disable the warning that is emitted when the |
|
1306 # trusted_key_servers include 'matrix.org'. See above. |
|
1307 # |
|
1308 #suppress_key_server_warning: true |
|
1309 |
|
1310 # The signing keys to use when acting as a trusted key server. If not specified |
|
1311 # defaults to the server signing key. |
|
1312 # |
|
1313 # Can contain multiple keys, one per line. |
|
1314 # |
|
1315 #key_server_signing_keys_path: "key_server_signing_keys.key" |
|
1316 |
|
1317 |
|
1318 # Enable SAML2 for registration and login. Uses pysaml2. |
|
1319 # |
|
1320 # At least one of `sp_config` or `config_path` must be set in this section to |
|
1321 # enable SAML login. |
|
1322 # |
|
1323 # (You will probably also want to set the following options to `false` to |
|
1324 # disable the regular login/registration flows: |
|
1325 # * enable_registration |
|
1326 # * password_config.enabled |
|
1327 # |
|
1328 # Once SAML support is enabled, a metadata file will be exposed at |
|
1329 # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to |
|
1330 # use to configure your SAML IdP with. Alternatively, you can manually configure |
|
1331 # the IdP to use an ACS location of |
|
1332 # https://<server>:<port>/_matrix/saml2/authn_response. |
|
1333 # |
|
1334 saml2_config: |
|
1335 # `sp_config` is the configuration for the pysaml2 Service Provider. |
|
1336 # See pysaml2 docs for format of config. |
|
1337 # |
|
1338 # Default values will be used for the 'entityid' and 'service' settings, |
|
1339 # so it is not normally necessary to specify them unless you need to |
|
1340 # override them. |
|
1341 # |
|
1342 #sp_config: |
|
1343 # # point this to the IdP's metadata. You can use either a local file or |
|
1344 # # (preferably) a URL. |
|
1345 # metadata: |
|
1346 # #local: ["saml2/idp.xml"] |
|
1347 # remote: |
|
1348 # - url: https://our_idp/metadata.xml |
|
1349 # |
|
1350 # # By default, the user has to go to our login page first. If you'd like |
|
1351 # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a |
|
1352 # # 'service.sp' section: |
|
1353 # # |
|
1354 # #service: |
|
1355 # # sp: |
|
1356 # # allow_unsolicited: true |
|
1357 # |
|
1358 # # The examples below are just used to generate our metadata xml, and you |
|
1359 # # may well not need them, depending on your setup. Alternatively you |
|
1360 # # may need a whole lot more detail - see the pysaml2 docs! |
|
1361 # |
|
1362 # description: ["My awesome SP", "en"] |
|
1363 # name: ["Test SP", "en"] |
|
1364 # |
|
1365 # organization: |
|
1366 # name: Example com |
|
1367 # display_name: |
|
1368 # - ["Example co", "en"] |
|
1369 # url: "http://example.com" |
|
1370 # |
|
1371 # contact_person: |
|
1372 # - given_name: Bob |
|
1373 # sur_name: "the Sysadmin" |
|
1374 # email_address": ["[email protected]"] |
|
1375 # contact_type": technical |
|
1376 |
|
1377 # Instead of putting the config inline as above, you can specify a |
|
1378 # separate pysaml2 configuration file: |
|
1379 # |
|
1380 #config_path: "/home/lhoersten/sp_conf.py" |
|
1381 |
|
1382 # The lifetime of a SAML session. This defines how long a user has to |
|
1383 # complete the authentication process, if allow_unsolicited is unset. |
|
1384 # The default is 5 minutes. |
|
1385 # |
|
1386 #saml_session_lifetime: 5m |
|
1387 |
|
1388 # An external module can be provided here as a custom solution to |
|
1389 # mapping attributes returned from a saml provider onto a matrix user. |
|
1390 # |
|
1391 user_mapping_provider: |
|
1392 # The custom module's class. Uncomment to use a custom module. |
|
1393 # |
|
1394 #module: mapping_provider.SamlMappingProvider |
|
1395 |
|
1396 # Custom configuration values for the module. Below options are |
|
1397 # intended for the built-in provider, they should be changed if |
|
1398 # using a custom module. This section will be passed as a Python |
|
1399 # dictionary to the module's `parse_config` method. |
|
1400 # |
|
1401 config: |
|
1402 # The SAML attribute (after mapping via the attribute maps) to use |
|
1403 # to derive the Matrix ID from. 'uid' by default. |
|
1404 # |
|
1405 # Note: This used to be configured by the |
|
1406 # saml2_config.mxid_source_attribute option. If that is still |
|
1407 # defined, its value will be used instead. |
|
1408 # |
|
1409 #mxid_source_attribute: displayName |
|
1410 |
|
1411 # The mapping system to use for mapping the saml attribute onto a |
|
1412 # matrix ID. |
|
1413 # |
|
1414 # Options include: |
|
1415 # * 'hexencode' (which maps unpermitted characters to '=xx') |
|
1416 # * 'dotreplace' (which replaces unpermitted characters with |
|
1417 # '.'). |
|
1418 # The default is 'hexencode'. |
|
1419 # |
|
1420 # Note: This used to be configured by the |
|
1421 # saml2_config.mxid_mapping option. If that is still defined, its |
|
1422 # value will be used instead. |
|
1423 # |
|
1424 #mxid_mapping: dotreplace |
|
1425 |
|
1426 # In previous versions of synapse, the mapping from SAML attribute to |
|
1427 # MXID was always calculated dynamically rather than stored in a |
|
1428 # table. For backwards- compatibility, we will look for user_ids |
|
1429 # matching such a pattern before creating a new account. |
|
1430 # |
|
1431 # This setting controls the SAML attribute which will be used for this |
|
1432 # backwards-compatibility lookup. Typically it should be 'uid', but if |
|
1433 # the attribute maps are changed, it may be necessary to change it. |
|
1434 # |
|
1435 # The default is 'uid'. |
|
1436 # |
|
1437 #grandfathered_mxid_source_attribute: upn |
|
1438 |
|
1439 # Directory in which Synapse will try to find the template files below. |
|
1440 # If not set, default templates from within the Synapse package will be used. |
|
1441 # |
|
1442 # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. |
|
1443 # If you *do* uncomment it, you will need to make sure that all the templates |
|
1444 # below are in the directory. |
|
1445 # |
|
1446 # Synapse will look for the following templates in this directory: |
|
1447 # |
|
1448 # * HTML page to display to users if something goes wrong during the |
|
1449 # authentication process: 'saml_error.html'. |
|
1450 # |
|
1451 # This template doesn't currently need any variable to render. |
|
1452 # |
|
1453 # You can see the default templates at: |
|
1454 # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates |
|
1455 # |
|
1456 #template_dir: "res/templates" |
513 |
1457 |
514 |
1458 |
515 |
1459 |
516 # Enable CAS for registration and login. |
1460 # Enable CAS for registration and login. |
|
1461 # |
517 #cas_config: |
1462 #cas_config: |
518 # enabled: true |
1463 # enabled: true |
519 # server_url: "https://cas-server.com" |
1464 # server_url: "https://cas-server.com" |
520 # service_url: "https://homeserver.domain.com:8448" |
1465 # service_url: "https://homeserver.domain.com:8448" |
|
1466 # #displayname_attribute: name |
521 # #required_attributes: |
1467 # #required_attributes: |
522 # # name: value |
1468 # # name: value |
523 |
1469 |
524 |
1470 |
|
1471 # Additional settings to use with single-sign on systems such as SAML2 and CAS. |
|
1472 # |
|
1473 sso: |
|
1474 # A list of client URLs which are whitelisted so that the user does not |
|
1475 # have to confirm giving access to their account to the URL. Any client |
|
1476 # whose URL starts with an entry in the following list will not be subject |
|
1477 # to an additional confirmation step after the SSO login is completed. |
|
1478 # |
|
1479 # WARNING: An entry such as "https://my.client" is insecure, because it |
|
1480 # will also match "https://my.client.evil.site", exposing your users to |
|
1481 # phishing attacks from evil.site. To avoid this, include a slash after the |
|
1482 # hostname: "https://my.client/". |
|
1483 # |
|
1484 # If public_baseurl is set, then the login fallback page (used by clients |
|
1485 # that don't natively support the required login flows) is whitelisted in |
|
1486 # addition to any URLs in this list. |
|
1487 # |
|
1488 # By default, this list is empty. |
|
1489 # |
|
1490 #client_whitelist: |
|
1491 # - https://riot.im/develop |
|
1492 # - https://my.custom.client/ |
|
1493 |
|
1494 # Directory in which Synapse will try to find the template files below. |
|
1495 # If not set, default templates from within the Synapse package will be used. |
|
1496 # |
|
1497 # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. |
|
1498 # If you *do* uncomment it, you will need to make sure that all the templates |
|
1499 # below are in the directory. |
|
1500 # |
|
1501 # Synapse will look for the following templates in this directory: |
|
1502 # |
|
1503 # * HTML page for a confirmation step before redirecting back to the client |
|
1504 # with the login token: 'sso_redirect_confirm.html'. |
|
1505 # |
|
1506 # When rendering, this template is given three variables: |
|
1507 # * redirect_url: the URL the user is about to be redirected to. Needs |
|
1508 # manual escaping (see |
|
1509 # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). |
|
1510 # |
|
1511 # * display_url: the same as `redirect_url`, but with the query |
|
1512 # parameters stripped. The intention is to have a |
|
1513 # human-readable URL to show to users, not to use it as |
|
1514 # the final address to redirect to. Needs manual escaping |
|
1515 # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). |
|
1516 # |
|
1517 # * server_name: the homeserver's name. |
|
1518 # |
|
1519 # * HTML page which notifies the user that they are authenticating to confirm |
|
1520 # an operation on their account during the user interactive authentication |
|
1521 # process: 'sso_auth_confirm.html'. |
|
1522 # |
|
1523 # When rendering, this template is given the following variables: |
|
1524 # * redirect_url: the URL the user is about to be redirected to. Needs |
|
1525 # manual escaping (see |
|
1526 # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). |
|
1527 # |
|
1528 # * description: the operation which the user is being asked to confirm |
|
1529 # |
|
1530 # * HTML page shown after a successful user interactive authentication session: |
|
1531 # 'sso_auth_success.html'. |
|
1532 # |
|
1533 # Note that this page must include the JavaScript which notifies of a successful authentication |
|
1534 # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). |
|
1535 # |
|
1536 # This template has no additional variables. |
|
1537 # |
|
1538 # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) |
|
1539 # attempts to login: 'sso_account_deactivated.html'. |
|
1540 # |
|
1541 # This template has no additional variables. |
|
1542 # |
|
1543 # You can see the default templates at: |
|
1544 # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates |
|
1545 # |
|
1546 #template_dir: "res/templates" |
|
1547 |
|
1548 |
525 # The JWT needs to contain a globally unique "sub" (subject) claim. |
1549 # The JWT needs to contain a globally unique "sub" (subject) claim. |
526 # |
1550 # |
527 # jwt_config: |
1551 #jwt_config: |
528 # enabled: true |
1552 # enabled: true |
529 # secret: "a secret" |
1553 # secret: "a secret" |
530 # algorithm: "HS256" |
1554 # algorithm: "HS256" |
531 |
1555 |
532 |
1556 |
533 |
|
534 # Enable password for login. |
|
535 password_config: |
1557 password_config: |
536 enabled: true |
1558 # Uncomment to disable password login |
|
1559 # |
|
1560 #enabled: false |
|
1561 |
|
1562 # Uncomment to disable authentication against the local password |
|
1563 # database. This is ignored if `enabled` is false, and is only useful |
|
1564 # if you have other password_providers. |
|
1565 # |
|
1566 #localdb_enabled: false |
|
1567 |
537 # Uncomment and change to a secret random string for extra security. |
1568 # Uncomment and change to a secret random string for extra security. |
538 # DO NOT CHANGE THIS AFTER INITIAL SETUP! |
1569 # DO NOT CHANGE THIS AFTER INITIAL SETUP! |
539 #pepper: "" |
1570 # |
540 |
1571 #pepper: "EVEN_MORE_SECRET" |
541 |
1572 |
542 |
1573 # Define and enforce a password policy. Each parameter is optional. |
543 # Enable sending emails for notification events |
1574 # This is an implementation of MSC2000. |
544 # Defining a custom URL for Riot is only needed if email notifications |
1575 # |
545 # should contain links to a self-hosted installation of Riot; when set |
1576 policy: |
546 # the "app_name" setting is ignored. |
1577 # Whether to enforce the password policy. |
547 # |
1578 # Defaults to 'false'. |
548 # If your SMTP server requires authentication, the optional smtp_user & |
1579 # |
549 # smtp_pass variables should be used |
1580 #enabled: true |
550 # |
1581 |
551 #email: |
1582 # Minimum accepted length for a password. |
552 # enable_notifs: false |
1583 # Defaults to 0. |
553 # smtp_host: "localhost" |
1584 # |
554 # smtp_port: 25 |
1585 #minimum_length: 15 |
555 # smtp_user: "exampleusername" |
1586 |
556 # smtp_pass: "examplepassword" |
1587 # Whether a password must contain at least one digit. |
557 # require_transport_security: False |
1588 # Defaults to 'false'. |
558 # notif_from: "Your Friendly %(app)s Home Server <[email protected]>" |
1589 # |
559 # app_name: Matrix |
1590 #require_digit: true |
560 # template_dir: res/templates |
1591 |
561 # notif_template_html: notif_mail.html |
1592 # Whether a password must contain at least one symbol. |
562 # notif_template_text: notif_mail.txt |
1593 # A symbol is any character that's not a number or a letter. |
563 # notif_for_new_users: True |
1594 # Defaults to 'false'. |
564 # riot_base_url: "http://localhost/riot" |
1595 # |
565 |
1596 #require_symbol: true |
566 |
1597 |
567 # password_providers: |
1598 # Whether a password must contain at least one lowercase letter. |
568 # - module: "ldap_auth_provider.LdapAuthProvider" |
1599 # Defaults to 'false'. |
569 # config: |
1600 # |
570 # enabled: true |
1601 #require_lowercase: true |
571 # uri: "ldap://ldap.example.com:389" |
1602 |
572 # start_tls: true |
1603 # Whether a password must contain at least one lowercase letter. |
573 # base: "ou=users,dc=example,dc=com" |
1604 # Defaults to 'false'. |
574 # attributes: |
1605 # |
575 # uid: "cn" |
1606 #require_uppercase: true |
576 # mail: "email" |
1607 |
577 # name: "givenName" |
1608 |
578 # #bind_dn: |
1609 # Configuration for sending emails from Synapse. |
579 # #bind_password: |
1610 # |
580 # #filter: "(objectClass=posixAccount)" |
1611 email: |
|
1612 # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. |
|
1613 # |
|
1614 #smtp_host: mail.server |
|
1615 |
|
1616 # The port on the mail server for outgoing SMTP. Defaults to 25. |
|
1617 # |
|
1618 #smtp_port: 587 |
|
1619 |
|
1620 # Username/password for authentication to the SMTP server. By default, no |
|
1621 # authentication is attempted. |
|
1622 # |
|
1623 # smtp_user: "exampleusername" |
|
1624 # smtp_pass: "examplepassword" |
|
1625 |
|
1626 # Uncomment the following to require TLS transport security for SMTP. |
|
1627 # By default, Synapse will connect over plain text, and will then switch to |
|
1628 # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, |
|
1629 # Synapse will refuse to connect unless the server supports STARTTLS. |
|
1630 # |
|
1631 #require_transport_security: true |
|
1632 |
|
1633 # notif_from defines the "From" address to use when sending emails. |
|
1634 # It must be set if email sending is enabled. |
|
1635 # |
|
1636 # The placeholder '%(app)s' will be replaced by the application name, |
|
1637 # which is normally 'app_name' (below), but may be overridden by the |
|
1638 # Matrix client application. |
|
1639 # |
|
1640 # Note that the placeholder must be written '%(app)s', including the |
|
1641 # trailing 's'. |
|
1642 # |
|
1643 #notif_from: "Your Friendly %(app)s homeserver <[email protected]>" |
|
1644 |
|
1645 # app_name defines the default value for '%(app)s' in notif_from. It |
|
1646 # defaults to 'Matrix'. |
|
1647 # |
|
1648 #app_name: my_branded_matrix_server |
|
1649 |
|
1650 # Uncomment the following to enable sending emails for messages that the user |
|
1651 # has missed. Disabled by default. |
|
1652 # |
|
1653 #enable_notifs: true |
|
1654 |
|
1655 # Uncomment the following to disable automatic subscription to email |
|
1656 # notifications for new users. Enabled by default. |
|
1657 # |
|
1658 #notif_for_new_users: false |
|
1659 |
|
1660 # Custom URL for client links within the email notifications. By default |
|
1661 # links will be based on "https://matrix.to". |
|
1662 # |
|
1663 # (This setting used to be called riot_base_url; the old name is still |
|
1664 # supported for backwards-compatibility but is now deprecated.) |
|
1665 # |
|
1666 #client_base_url: "http://localhost/riot" |
|
1667 |
|
1668 # Configure the time that a validation email will expire after sending. |
|
1669 # Defaults to 1h. |
|
1670 # |
|
1671 #validation_token_lifetime: 15m |
|
1672 |
|
1673 # Directory in which Synapse will try to find the template files below. |
|
1674 # If not set, default templates from within the Synapse package will be used. |
|
1675 # |
|
1676 # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. |
|
1677 # If you *do* uncomment it, you will need to make sure that all the templates |
|
1678 # below are in the directory. |
|
1679 # |
|
1680 # Synapse will look for the following templates in this directory: |
|
1681 # |
|
1682 # * The contents of email notifications of missed events: 'notif_mail.html' and |
|
1683 # 'notif_mail.txt'. |
|
1684 # |
|
1685 # * The contents of account expiry notice emails: 'notice_expiry.html' and |
|
1686 # 'notice_expiry.txt'. |
|
1687 # |
|
1688 # * The contents of password reset emails sent by the homeserver: |
|
1689 # 'password_reset.html' and 'password_reset.txt' |
|
1690 # |
|
1691 # * HTML pages for success and failure that a user will see when they follow |
|
1692 # the link in the password reset email: 'password_reset_success.html' and |
|
1693 # 'password_reset_failure.html' |
|
1694 # |
|
1695 # * The contents of address verification emails sent during registration: |
|
1696 # 'registration.html' and 'registration.txt' |
|
1697 # |
|
1698 # * HTML pages for success and failure that a user will see when they follow |
|
1699 # the link in an address verification email sent during registration: |
|
1700 # 'registration_success.html' and 'registration_failure.html' |
|
1701 # |
|
1702 # * The contents of address verification emails sent when an address is added |
|
1703 # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' |
|
1704 # |
|
1705 # * HTML pages for success and failure that a user will see when they follow |
|
1706 # the link in an address verification email sent when an address is added |
|
1707 # to a Matrix account: 'add_threepid_success.html' and |
|
1708 # 'add_threepid_failure.html' |
|
1709 # |
|
1710 # You can see the default templates at: |
|
1711 # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates |
|
1712 # |
|
1713 #template_dir: "res/templates" |
|
1714 |
|
1715 |
|
1716 # Password providers allow homeserver administrators to integrate |
|
1717 # their Synapse installation with existing authentication methods |
|
1718 # ex. LDAP, external tokens, etc. |
|
1719 # |
|
1720 # For more information and known implementations, please see |
|
1721 # https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md |
|
1722 # |
|
1723 # Note: instances wishing to use SAML or CAS authentication should |
|
1724 # instead use the `saml2_config` or `cas_config` options, |
|
1725 # respectively. |
|
1726 # |
|
1727 password_providers: |
|
1728 # # Example config for an LDAP auth provider |
|
1729 # - module: "ldap_auth_provider.LdapAuthProvider" |
|
1730 # config: |
|
1731 # enabled: true |
|
1732 # uri: "ldap://ldap.example.com:389" |
|
1733 # start_tls: true |
|
1734 # base: "ou=users,dc=example,dc=com" |
|
1735 # attributes: |
|
1736 # uid: "cn" |
|
1737 # mail: "email" |
|
1738 # name: "givenName" |
|
1739 # #bind_dn: |
|
1740 # #bind_password: |
|
1741 # #filter: "(objectClass=posixAccount)" |
581 |
1742 |
582 |
1743 |
583 |
1744 |
584 # Clients requesting push notifications can either have the body of |
1745 # Clients requesting push notifications can either have the body of |
585 # the message sent in the notification poke along with other details |
1746 # the message sent in the notification poke along with other details |
586 # like the sender, or just the event ID and room ID (`event_id_only`). |
1747 # like the sender, or just the event ID and room ID (`event_id_only`). |
587 # If clients choose the former, this option controls whether the |
1748 # If clients choose the former, this option controls whether the |
588 # notification request includes the content of the event (other details |
1749 # notification request includes the content of the event (other details |
589 # like the sender are still included). For `event_id_only` push, it |
1750 # like the sender are still included). For `event_id_only` push, it |
590 # has no effect. |
1751 # has no effect. |
591 |
1752 # |
592 # For modern android devices the notification content will still appear |
1753 # For modern android devices the notification content will still appear |
593 # because it is loaded by the app. iPhone, however will send a |
1754 # because it is loaded by the app. iPhone, however will send a |
594 # notification saying only that a message arrived and who it came from. |
1755 # notification saying only that a message arrived and who it came from. |
595 # |
1756 # |
596 #push: |
1757 #push: |
597 # include_content: true |
1758 # include_content: true |
598 |
1759 |
599 |
1760 |
600 # spam_checker: |
1761 #spam_checker: |
601 # module: "my_custom_project.SuperSpamChecker" |
1762 # module: "my_custom_project.SuperSpamChecker" |
602 # config: |
1763 # config: |
603 # example_option: 'things' |
1764 # example_option: 'things' |
604 |
1765 |
605 |
1766 |
606 # Whether to allow non server admins to create groups on this server |
1767 # Uncomment to allow non-server-admin users to create groups on this server |
607 enable_group_creation: false |
1768 # |
|
1769 #enable_group_creation: true |
608 |
1770 |
609 # If enabled, non server admins can only create groups with local parts |
1771 # If enabled, non server admins can only create groups with local parts |
610 # starting with this prefix |
1772 # starting with this prefix |
611 # group_creation_prefix: "unofficial/" |
1773 # |
|
1774 #group_creation_prefix: "unofficial/" |
612 |
1775 |
613 |
1776 |
614 |
1777 |
615 # User Directory configuration |
1778 # User Directory configuration |
|
1779 # |
|
1780 # 'enabled' defines whether users can search the user directory. If |
|
1781 # false then empty responses are returned to all queries. Defaults to |
|
1782 # true. |
616 # |
1783 # |
617 # 'search_all_users' defines whether to search all users visible to your HS |
1784 # 'search_all_users' defines whether to search all users visible to your HS |
618 # when searching the user directory, rather than limiting to users visible |
1785 # when searching the user directory, rather than limiting to users visible |
619 # in public rooms. Defaults to false. If you set it True, you'll have to run |
1786 # in public rooms. Defaults to false. If you set it True, you'll have to |
620 # UPDATE user_directory_stream_pos SET stream_id = NULL; |
1787 # rebuild the user_directory search indexes, see |
621 # on your database to tell it to rebuild the user_directory search indexes. |
1788 # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md |
622 # |
1789 # |
623 #user_directory: |
1790 #user_directory: |
624 # search_all_users: false |
1791 # enabled: true |
|
1792 # search_all_users: false |
|
1793 |
|
1794 |
|
1795 # User Consent configuration |
|
1796 # |
|
1797 # for detailed instructions, see |
|
1798 # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md |
|
1799 # |
|
1800 # Parts of this section are required if enabling the 'consent' resource under |
|
1801 # 'listeners', in particular 'template_dir' and 'version'. |
|
1802 # |
|
1803 # 'template_dir' gives the location of the templates for the HTML forms. |
|
1804 # This directory should contain one subdirectory per language (eg, 'en', 'fr'), |
|
1805 # and each language directory should contain the policy document (named as |
|
1806 # '<version>.html') and a success page (success.html). |
|
1807 # |
|
1808 # 'version' specifies the 'current' version of the policy document. It defines |
|
1809 # the version to be served by the consent resource if there is no 'v' |
|
1810 # parameter. |
|
1811 # |
|
1812 # 'server_notice_content', if enabled, will send a user a "Server Notice" |
|
1813 # asking them to consent to the privacy policy. The 'server_notices' section |
|
1814 # must also be configured for this to work. Notices will *not* be sent to |
|
1815 # guest users unless 'send_server_notice_to_guests' is set to true. |
|
1816 # |
|
1817 # 'block_events_error', if set, will block any attempts to send events |
|
1818 # until the user consents to the privacy policy. The value of the setting is |
|
1819 # used as the text of the error. |
|
1820 # |
|
1821 # 'require_at_registration', if enabled, will add a step to the registration |
|
1822 # process, similar to how captcha works. Users will be required to accept the |
|
1823 # policy before their account is created. |
|
1824 # |
|
1825 # 'policy_name' is the display name of the policy users will see when registering |
|
1826 # for an account. Has no effect unless `require_at_registration` is enabled. |
|
1827 # Defaults to "Privacy Policy". |
|
1828 # |
|
1829 #user_consent: |
|
1830 # template_dir: res/templates/privacy |
|
1831 # version: 1.0 |
|
1832 # server_notice_content: |
|
1833 # msgtype: m.text |
|
1834 # body: >- |
|
1835 # To continue using this homeserver you must review and agree to the |
|
1836 # terms and conditions at %(consent_uri)s |
|
1837 # send_server_notice_to_guests: true |
|
1838 # block_events_error: >- |
|
1839 # To continue using this homeserver you must review and agree to the |
|
1840 # terms and conditions at %(consent_uri)s |
|
1841 # require_at_registration: false |
|
1842 # policy_name: Privacy Policy |
|
1843 # |
|
1844 |
|
1845 |
|
1846 |
|
1847 # Local statistics collection. Used in populating the room directory. |
|
1848 # |
|
1849 # 'bucket_size' controls how large each statistics timeslice is. It can |
|
1850 # be defined in a human readable short form -- e.g. "1d", "1y". |
|
1851 # |
|
1852 # 'retention' controls how long historical statistics will be kept for. |
|
1853 # It can be defined in a human readable short form -- e.g. "1d", "1y". |
|
1854 # |
|
1855 # |
|
1856 #stats: |
|
1857 # enabled: true |
|
1858 # bucket_size: 1d |
|
1859 # retention: 1y |
|
1860 |
|
1861 |
|
1862 # Server Notices room configuration |
|
1863 # |
|
1864 # Uncomment this section to enable a room which can be used to send notices |
|
1865 # from the server to users. It is a special room which cannot be left; notices |
|
1866 # come from a special "notices" user id. |
|
1867 # |
|
1868 # If you uncomment this section, you *must* define the system_mxid_localpart |
|
1869 # setting, which defines the id of the user which will be used to send the |
|
1870 # notices. |
|
1871 # |
|
1872 # It's also possible to override the room name, the display name of the |
|
1873 # "notices" user, and the avatar for the user. |
|
1874 # |
|
1875 #server_notices: |
|
1876 # system_mxid_localpart: notices |
|
1877 # system_mxid_display_name: "Server Notices" |
|
1878 # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" |
|
1879 # room_name: "Server Notices" |
|
1880 |
|
1881 |
|
1882 |
|
1883 # Uncomment to disable searching the public room list. When disabled |
|
1884 # blocks searching local and remote room lists for local and remote |
|
1885 # users by always returning an empty list for all queries. |
|
1886 # |
|
1887 #enable_room_list_search: false |
|
1888 |
|
1889 # The `alias_creation` option controls who's allowed to create aliases |
|
1890 # on this server. |
|
1891 # |
|
1892 # The format of this option is a list of rules that contain globs that |
|
1893 # match against user_id, room_id and the new alias (fully qualified with |
|
1894 # server name). The action in the first rule that matches is taken, |
|
1895 # which can currently either be "allow" or "deny". |
|
1896 # |
|
1897 # Missing user_id/room_id/alias fields default to "*". |
|
1898 # |
|
1899 # If no rules match the request is denied. An empty list means no one |
|
1900 # can create aliases. |
|
1901 # |
|
1902 # Options for the rules include: |
|
1903 # |
|
1904 # user_id: Matches against the creator of the alias |
|
1905 # alias: Matches against the alias being created |
|
1906 # room_id: Matches against the room ID the alias is being pointed at |
|
1907 # action: Whether to "allow" or "deny" the request if the rule matches |
|
1908 # |
|
1909 # The default is: |
|
1910 # |
|
1911 #alias_creation_rules: |
|
1912 # - user_id: "*" |
|
1913 # alias: "*" |
|
1914 # room_id: "*" |
|
1915 # action: allow |
|
1916 |
|
1917 # The `room_list_publication_rules` option controls who can publish and |
|
1918 # which rooms can be published in the public room list. |
|
1919 # |
|
1920 # The format of this option is the same as that for |
|
1921 # `alias_creation_rules`. |
|
1922 # |
|
1923 # If the room has one or more aliases associated with it, only one of |
|
1924 # the aliases needs to match the alias rule. If there are no aliases |
|
1925 # then only rules with `alias: *` match. |
|
1926 # |
|
1927 # If no rules match the request is denied. An empty list means no one |
|
1928 # can publish rooms. |
|
1929 # |
|
1930 # Options for the rules include: |
|
1931 # |
|
1932 # user_id: Matches agaisnt the creator of the alias |
|
1933 # room_id: Matches against the room ID being published |
|
1934 # alias: Matches against any current local or canonical aliases |
|
1935 # associated with the room |
|
1936 # action: Whether to "allow" or "deny" the request if the rule matches |
|
1937 # |
|
1938 # The default is: |
|
1939 # |
|
1940 #room_list_publication_rules: |
|
1941 # - user_id: "*" |
|
1942 # alias: "*" |
|
1943 # room_id: "*" |
|
1944 # action: allow |
|
1945 |
|
1946 |
|
1947 # Server admins can define a Python module that implements extra rules for |
|
1948 # allowing or denying incoming events. In order to work, this module needs to |
|
1949 # override the methods defined in synapse/events/third_party_rules.py. |
|
1950 # |
|
1951 # This feature is designed to be used in closed federations only, where each |
|
1952 # participating server enforces the same rules. |
|
1953 # |
|
1954 #third_party_event_rules: |
|
1955 # module: "my_custom_project.SuperRulesSet" |
|
1956 # config: |
|
1957 # example_option: 'things' |
|
1958 |
|
1959 |
|
1960 ## Opentracing ## |
|
1961 |
|
1962 # These settings enable opentracing, which implements distributed tracing. |
|
1963 # This allows you to observe the causal chains of events across servers |
|
1964 # including requests, key lookups etc., across any server running |
|
1965 # synapse or any other other services which supports opentracing |
|
1966 # (specifically those implemented with Jaeger). |
|
1967 # |
|
1968 opentracing: |
|
1969 # tracing is disabled by default. Uncomment the following line to enable it. |
|
1970 # |
|
1971 #enabled: true |
|
1972 |
|
1973 # The list of homeservers we wish to send and receive span contexts and span baggage. |
|
1974 # See docs/opentracing.rst |
|
1975 # This is a list of regexes which are matched against the server_name of the |
|
1976 # homeserver. |
|
1977 # |
|
1978 # By defult, it is empty, so no servers are matched. |
|
1979 # |
|
1980 #homeserver_whitelist: |
|
1981 # - ".*" |
|
1982 |
|
1983 # Jaeger can be configured to sample traces at different rates. |
|
1984 # All configuration options provided by Jaeger can be set here. |
|
1985 # Jaeger's configuration mostly related to trace sampling which |
|
1986 # is documented here: |
|
1987 # https://www.jaegertracing.io/docs/1.13/sampling/. |
|
1988 # |
|
1989 #jaeger_config: |
|
1990 # sampler: |
|
1991 # type: const |
|
1992 # param: 1 |
|
1993 |
|
1994 # Logging whether spans were started and reported |
|
1995 # |
|
1996 # logging: |
|
1997 # false |
|
1998 |
|
1999 |
|
2000 # vim:ft=yaml |