|      1 # vim:ft=yaml |      1 # Configuration file for Synapse. | 
|      2 # PEM encoded X509 certificate for TLS. |      2 # | 
|      3 # You can replace the self-signed certificate that synapse |      3 # This is a YAML file: see [1] for a quick introduction. Note in particular | 
|      4 # autogenerates on launch with your own SSL certificate + key pair |      4 # that *indentation is important*: all the elements of a list or dictionary | 
|      5 # if you like.  Any required intermediary certificates can be |      5 # should have the same indentation. | 
|      6 # appended after the primary certificate in hierarchical order. |      6 # | 
|      7 tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" |      7 # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html | 
|      8  |      8  | 
|      9 # PEM encoded private key for TLS |      9 ## Server ## | 
|     10 tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" |     10  | 
|     11  |     11 # The domain name of the server, with optional explicit port. | 
|     12 # PEM dh parameters for ephemeral keys |     12 # This is used by remote servers to connect to this server, | 
|     13 tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" |     13 # e.g. matrix.org, localhost:8080, etc. | 
|     14  |     14 # This is also the last part of your UserID. | 
|     15 # Don't bind to the https port |     15 # | 
|     16 no_tls: True |     16 server_name: "{{nginx_server_name}}" | 
|         |     17  | 
|         |     18 # When running as a daemon, the file to store the pid in | 
|         |     19 # | 
|         |     20 pid_file: "/var/run/matrix-synapse.pid" | 
|         |     21  | 
|         |     22 # The absolute URL to the web client which /_matrix/client will redirect | 
|         |     23 # to if 'webclient' is configured under the 'listeners' configuration. | 
|         |     24 # | 
|         |     25 # This option can be also set to the filesystem path to the web client | 
|         |     26 # which will be served at /_matrix/client/ if 'webclient' is configured | 
|         |     27 # under the 'listeners' configuration, however this is a security risk: | 
|         |     28 # https://github.com/matrix-org/synapse#security-note | 
|         |     29 # | 
|         |     30 #web_client_location: https://riot.example.com/ | 
|         |     31  | 
|         |     32 # The public-facing base URL that clients use to access this HS | 
|         |     33 # (not including _matrix/...). This is the same URL a user would | 
|         |     34 # enter into the 'custom HS URL' field on their client. If you | 
|         |     35 # use synapse with a reverse proxy, this should be the URL to reach | 
|         |     36 # synapse via the proxy. | 
|         |     37 # | 
|         |     38 #public_baseurl: https://example.com/ | 
|         |     39  | 
|         |     40 # Set the soft limit on the number of file descriptors synapse can use | 
|         |     41 # Zero is used to indicate synapse should set the soft limit to the | 
|         |     42 # hard limit. | 
|         |     43 # | 
|         |     44 #soft_file_limit: 0 | 
|         |     45  | 
|         |     46 # Set to false to disable presence tracking on this homeserver. | 
|         |     47 # | 
|         |     48 #use_presence: false | 
|         |     49  | 
|         |     50 # Whether to require authentication to retrieve profile data (avatars, | 
|         |     51 # display names) of other users through the client API. Defaults to | 
|         |     52 # 'false'. Note that profile data is also available via the federation | 
|         |     53 # API, so this setting is of limited value if federation is enabled on | 
|         |     54 # the server. | 
|         |     55 # | 
|         |     56 #require_auth_for_profile_requests: true | 
|         |     57  | 
|         |     58 # Uncomment to require a user to share a room with another user in order | 
|         |     59 # to retrieve their profile information. Only checked on Client-Server | 
|         |     60 # requests. Profile requests from other servers should be checked by the | 
|         |     61 # requesting server. Defaults to 'false'. | 
|         |     62 # | 
|         |     63 #limit_profile_requests_to_users_who_share_rooms: true | 
|         |     64  | 
|         |     65 # If set to 'true', removes the need for authentication to access the server's | 
|         |     66 # public rooms directory through the client API, meaning that anyone can | 
|         |     67 # query the room directory. Defaults to 'false'. | 
|         |     68 # | 
|         |     69 #allow_public_rooms_without_auth: true | 
|         |     70  | 
|         |     71 # If set to 'true', allows any other homeserver to fetch the server's public | 
|         |     72 # rooms directory via federation. Defaults to 'false'. | 
|         |     73 # | 
|         |     74 #allow_public_rooms_over_federation: true | 
|         |     75  | 
|         |     76 # The default room version for newly created rooms. | 
|         |     77 # | 
|         |     78 # Known room versions are listed here: | 
|         |     79 # https://matrix.org/docs/spec/#complete-list-of-room-versions | 
|         |     80 # | 
|         |     81 # For example, for room version 1, default_room_version should be set | 
|         |     82 # to "1". | 
|         |     83 # | 
|         |     84 #default_room_version: "5" | 
|         |     85  | 
|         |     86 # The GC threshold parameters to pass to `gc.set_threshold`, if defined | 
|         |     87 # | 
|         |     88 #gc_thresholds: [700, 10, 10] | 
|         |     89  | 
|         |     90 # Set the limit on the returned events in the timeline in the get | 
|         |     91 # and sync operations. The default value is -1, means no upper limit. | 
|         |     92 # | 
|         |     93 #filter_timeline_limit: 5000 | 
|         |     94  | 
|         |     95 # Whether room invites to users on this server should be blocked | 
|         |     96 # (except those sent by local server admins). The default is False. | 
|         |     97 # | 
|         |     98 #block_non_admin_invites: true | 
|         |     99  | 
|         |    100 # Room searching | 
|         |    101 # | 
|         |    102 # If disabled, new messages will not be indexed for searching and users | 
|         |    103 # will receive errors when searching for messages. Defaults to enabled. | 
|         |    104 # | 
|         |    105 #enable_search: false | 
|         |    106  | 
|         |    107 # Restrict federation to the following whitelist of domains. | 
|         |    108 # N.B. we recommend also firewalling your federation listener to limit | 
|         |    109 # inbound federation traffic as early as possible, rather than relying | 
|         |    110 # purely on this application-layer restriction.  If not specified, the | 
|         |    111 # default is to whitelist everything. | 
|         |    112 # | 
|         |    113 #federation_domain_whitelist: | 
|         |    114 #  - lon.example.com | 
|         |    115 #  - nyc.example.com | 
|         |    116 #  - syd.example.com | 
|         |    117  | 
|         |    118 # Prevent federation requests from being sent to the following | 
|         |    119 # blacklist IP address CIDR ranges. If this option is not specified, or | 
|         |    120 # specified with an empty list, no ip range blacklist will be enforced. | 
|         |    121 # | 
|         |    122 # As of Synapse v1.4.0 this option also affects any outbound requests to identity | 
|         |    123 # servers provided by user input. | 
|         |    124 # | 
|         |    125 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly | 
|         |    126 # listed here, since they correspond to unroutable addresses.) | 
|         |    127 # | 
|         |    128 federation_ip_range_blacklist: | 
|         |    129   - '127.0.0.0/8' | 
|         |    130   - '10.0.0.0/8' | 
|         |    131   - '172.16.0.0/12' | 
|         |    132   - '192.168.0.0/16' | 
|         |    133   - '100.64.0.0/10' | 
|         |    134   - '169.254.0.0/16' | 
|         |    135   - '::1/128' | 
|         |    136   - 'fe80::/64' | 
|         |    137   - 'fc00::/7' | 
|         |    138  | 
|         |    139 # List of ports that Synapse should listen on, their purpose and their | 
|         |    140 # configuration. | 
|         |    141 # | 
|         |    142 # Options for each listener include: | 
|         |    143 # | 
|         |    144 #   port: the TCP port to bind to | 
|         |    145 # | 
|         |    146 #   bind_addresses: a list of local addresses to listen on. The default is | 
|         |    147 #       'all local interfaces'. | 
|         |    148 # | 
|         |    149 #   type: the type of listener. Normally 'http', but other valid options are: | 
|         |    150 #       'manhole' (see docs/manhole.md), | 
|         |    151 #       'metrics' (see docs/metrics-howto.md), | 
|         |    152 #       'replication' (see docs/workers.md). | 
|         |    153 # | 
|         |    154 #   tls: set to true to enable TLS for this listener. Will use the TLS | 
|         |    155 #       key/cert specified in tls_private_key_path / tls_certificate_path. | 
|         |    156 # | 
|         |    157 #   x_forwarded: Only valid for an 'http' listener. Set to true to use the | 
|         |    158 #       X-Forwarded-For header as the client IP. Useful when Synapse is | 
|         |    159 #       behind a reverse-proxy. | 
|         |    160 # | 
|         |    161 #   resources: Only valid for an 'http' listener. A list of resources to host | 
|         |    162 #       on this port. Options for each resource are: | 
|         |    163 # | 
|         |    164 #       names: a list of names of HTTP resources. See below for a list of | 
|         |    165 #           valid resource names. | 
|         |    166 # | 
|         |    167 #       compress: set to true to enable HTTP comression for this resource. | 
|         |    168 # | 
|         |    169 #   additional_resources: Only valid for an 'http' listener. A map of | 
|         |    170 #        additional endpoints which should be loaded via dynamic modules. | 
|         |    171 # | 
|         |    172 # Valid resource names are: | 
|         |    173 # | 
|         |    174 #   client: the client-server API (/_matrix/client), and the synapse admin | 
|         |    175 #       API (/_synapse/admin). Also implies 'media' and 'static'. | 
|         |    176 # | 
|         |    177 #   consent: user consent forms (/_matrix/consent). See | 
|         |    178 #       docs/consent_tracking.md. | 
|         |    179 # | 
|         |    180 #   federation: the server-server API (/_matrix/federation). Also implies | 
|         |    181 #       'media', 'keys', 'openid' | 
|         |    182 # | 
|         |    183 #   keys: the key discovery API (/_matrix/keys). | 
|         |    184 # | 
|         |    185 #   media: the media API (/_matrix/media). | 
|         |    186 # | 
|         |    187 #   metrics: the metrics interface. See docs/metrics-howto.md. | 
|         |    188 # | 
|         |    189 #   openid: OpenID authentication. | 
|         |    190 # | 
|         |    191 #   replication: the HTTP replication API (/_synapse/replication). See | 
|         |    192 #       docs/workers.md. | 
|         |    193 # | 
|         |    194 #   static: static resources under synapse/static (/_matrix/static). (Mostly | 
|         |    195 #       useful for 'fallback authentication'.) | 
|         |    196 # | 
|         |    197 #   webclient: A web client. Requires web_client_location to be set. | 
|         |    198 # | 
|         |    199 listeners: | 
|         |    200   # TLS-enabled listener: for when matrix traffic is sent directly to synapse. | 
|         |    201   # | 
|         |    202   # Disabled by default. To enable it, uncomment the following. (Note that you | 
|         |    203   # will also need to give Synapse a TLS key and certificate: see the TLS section | 
|         |    204   # below.) | 
|         |    205   # | 
|         |    206   #- port: 8448 | 
|         |    207   #  type: http | 
|         |    208   #  tls: true | 
|         |    209   #  resources: | 
|         |    210   #    - names: [client, federation] | 
|         |    211  | 
|         |    212   # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy | 
|         |    213   # that unwraps TLS. | 
|         |    214   # | 
|         |    215   # If you plan to use a reverse proxy, please see | 
|         |    216   # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. | 
|         |    217   # | 
|         |    218   - port: 8008 | 
|         |    219     tls: false | 
|         |    220     type: http | 
|         |    221     x_forwarded: true | 
|         |    222     bind_addresses: ['::1', '127.0.0.1'] | 
|         |    223  | 
|         |    224     resources: | 
|         |    225       - names: [client, federation] | 
|         |    226         compress: false | 
|         |    227  | 
|         |    228     # example additional_resources: | 
|         |    229     # | 
|         |    230     #additional_resources: | 
|         |    231     #  "/_matrix/my/custom/endpoint": | 
|         |    232     #    module: my_module.CustomRequestHandler | 
|         |    233     #    config: {} | 
|         |    234  | 
|         |    235   # Turn on the twisted ssh manhole service on localhost on the given | 
|         |    236   # port. | 
|         |    237   # | 
|         |    238   #- port: 9000 | 
|         |    239   #  bind_addresses: ['::1', '127.0.0.1'] | 
|         |    240   #  type: manhole | 
|         |    241  | 
|         |    242 # Forward extremities can build up in a room due to networking delays between | 
|         |    243 # homeservers. Once this happens in a large room, calculation of the state of | 
|         |    244 # that room can become quite expensive. To mitigate this, once the number of | 
|         |    245 # forward extremities reaches a given threshold, Synapse will send an | 
|         |    246 # org.matrix.dummy_event event, which will reduce the forward extremities | 
|         |    247 # in the room. | 
|         |    248 # | 
|         |    249 # This setting defines the threshold (i.e. number of forward extremities in the | 
|         |    250 # room) at which dummy events are sent. The default value is 10. | 
|         |    251 # | 
|         |    252 #dummy_events_threshold: 5 | 
|         |    253  | 
|         |    254  | 
|         |    255 ## Homeserver blocking ## | 
|         |    256  | 
|         |    257 # How to reach the server admin, used in ResourceLimitError | 
|         |    258 # | 
|         |    259 #admin_contact: 'mailto:[email protected]' | 
|         |    260  | 
|         |    261 # Global blocking | 
|         |    262 # | 
|         |    263 #hs_disabled: false | 
|         |    264 #hs_disabled_message: 'Human readable reason for why the HS is blocked' | 
|         |    265  | 
|         |    266 # Monthly Active User Blocking | 
|         |    267 # | 
|         |    268 # Used in cases where the admin or server owner wants to limit to the | 
|         |    269 # number of monthly active users. | 
|         |    270 # | 
|         |    271 # 'limit_usage_by_mau' disables/enables monthly active user blocking. When | 
|         |    272 # anabled and a limit is reached the server returns a 'ResourceLimitError' | 
|         |    273 # with error type Codes.RESOURCE_LIMIT_EXCEEDED | 
|         |    274 # | 
|         |    275 # 'max_mau_value' is the hard limit of monthly active users above which | 
|         |    276 # the server will start blocking user actions. | 
|         |    277 # | 
|         |    278 # 'mau_trial_days' is a means to add a grace period for active users. It | 
|         |    279 # means that users must be active for this number of days before they | 
|         |    280 # can be considered active and guards against the case where lots of users | 
|         |    281 # sign up in a short space of time never to return after their initial | 
|         |    282 # session. | 
|         |    283 # | 
|         |    284 # 'mau_limit_alerting' is a means of limiting client side alerting | 
|         |    285 # should the mau limit be reached. This is useful for small instances | 
|         |    286 # where the admin has 5 mau seats (say) for 5 specific people and no | 
|         |    287 # interest increasing the mau limit further. Defaults to True, which | 
|         |    288 # means that alerting is enabled | 
|         |    289 # | 
|         |    290 #limit_usage_by_mau: false | 
|         |    291 #max_mau_value: 50 | 
|         |    292 #mau_trial_days: 2 | 
|         |    293 #mau_limit_alerting: false | 
|         |    294  | 
|         |    295 # If enabled, the metrics for the number of monthly active users will | 
|         |    296 # be populated, however no one will be limited. If limit_usage_by_mau | 
|         |    297 # is true, this is implied to be true. | 
|         |    298 # | 
|         |    299 #mau_stats_only: false | 
|         |    300  | 
|         |    301 # Sometimes the server admin will want to ensure certain accounts are | 
|         |    302 # never blocked by mau checking. These accounts are specified here. | 
|         |    303 # | 
|         |    304 #mau_limit_reserved_threepids: | 
|         |    305 #  - medium: 'email' | 
|         |    306 #    address: '[email protected]' | 
|         |    307  | 
|         |    308 # Used by phonehome stats to group together related servers. | 
|         |    309 #server_context: context | 
|         |    310  | 
|         |    311 # Resource-constrained homeserver Settings | 
|         |    312 # | 
|         |    313 # If limit_remote_rooms.enabled is True, the room complexity will be | 
|         |    314 # checked before a user joins a new remote room. If it is above | 
|         |    315 # limit_remote_rooms.complexity, it will disallow joining or | 
|         |    316 # instantly leave. | 
|         |    317 # | 
|         |    318 # limit_remote_rooms.complexity_error can be set to customise the text | 
|         |    319 # displayed to the user when a room above the complexity threshold has | 
|         |    320 # its join cancelled. | 
|         |    321 # | 
|         |    322 # Uncomment the below lines to enable: | 
|         |    323 #limit_remote_rooms: | 
|         |    324 #  enabled: true | 
|         |    325 #  complexity: 1.0 | 
|         |    326 #  complexity_error: "This room is too complex." | 
|         |    327  | 
|         |    328 # Whether to require a user to be in the room to add an alias to it. | 
|         |    329 # Defaults to 'true'. | 
|         |    330 # | 
|         |    331 #require_membership_for_aliases: false | 
|         |    332  | 
|         |    333 # Whether to allow per-room membership profiles through the send of membership | 
|         |    334 # events with profile information that differ from the target's global profile. | 
|         |    335 # Defaults to 'true'. | 
|         |    336 # | 
|         |    337 #allow_per_room_profiles: false | 
|         |    338  | 
|         |    339 # How long to keep redacted events in unredacted form in the database. After | 
|         |    340 # this period redacted events get replaced with their redacted form in the DB. | 
|         |    341 # | 
|         |    342 # Defaults to `7d`. Set to `null` to disable. | 
|         |    343 # | 
|         |    344 #redaction_retention_period: 28d | 
|         |    345  | 
|         |    346 # How long to track users' last seen time and IPs in the database. | 
|         |    347 # | 
|         |    348 # Defaults to `28d`. Set to `null` to disable clearing out of old rows. | 
|         |    349 # | 
|         |    350 #user_ips_max_age: 14d | 
|         |    351  | 
|         |    352 # Message retention policy at the server level. | 
|         |    353 # | 
|         |    354 # Room admins and mods can define a retention period for their rooms using the | 
|         |    355 # 'm.room.retention' state event, and server admins can cap this period by setting | 
|         |    356 # the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. | 
|         |    357 # | 
|         |    358 # If this feature is enabled, Synapse will regularly look for and purge events | 
|         |    359 # which are older than the room's maximum retention period. Synapse will also | 
|         |    360 # filter events received over federation so that events that should have been | 
|         |    361 # purged are ignored and not stored again. | 
|         |    362 # | 
|         |    363 retention: | 
|         |    364   # The message retention policies feature is disabled by default. Uncomment the | 
|         |    365   # following line to enable it. | 
|         |    366   # | 
|         |    367   #enabled: true | 
|         |    368  | 
|         |    369   # Default retention policy. If set, Synapse will apply it to rooms that lack the | 
|         |    370   # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't | 
|         |    371   # matter much because Synapse doesn't take it into account yet. | 
|         |    372   # | 
|         |    373   #default_policy: | 
|         |    374   #  min_lifetime: 1d | 
|         |    375   #  max_lifetime: 1y | 
|         |    376  | 
|         |    377   # Retention policy limits. If set, a user won't be able to send a | 
|         |    378   # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime' | 
|         |    379   # that's not within this range. This is especially useful in closed federations, | 
|         |    380   # in which server admins can make sure every federating server applies the same | 
|         |    381   # rules. | 
|         |    382   # | 
|         |    383   #allowed_lifetime_min: 1d | 
|         |    384   #allowed_lifetime_max: 1y | 
|         |    385  | 
|         |    386   # Server admins can define the settings of the background jobs purging the | 
|         |    387   # events which lifetime has expired under the 'purge_jobs' section. | 
|         |    388   # | 
|         |    389   # If no configuration is provided, a single job will be set up to delete expired | 
|         |    390   # events in every room daily. | 
|         |    391   # | 
|         |    392   # Each job's configuration defines which range of message lifetimes the job | 
|         |    393   # takes care of. For example, if 'shortest_max_lifetime' is '2d' and | 
|         |    394   # 'longest_max_lifetime' is '3d', the job will handle purging expired events in | 
|         |    395   # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and | 
|         |    396   # lower than or equal to 3 days. Both the minimum and the maximum value of a | 
|         |    397   # range are optional, e.g. a job with no 'shortest_max_lifetime' and a | 
|         |    398   # 'longest_max_lifetime' of '3d' will handle every room with a retention policy | 
|         |    399   # which 'max_lifetime' is lower than or equal to three days. | 
|         |    400   # | 
|         |    401   # The rationale for this per-job configuration is that some rooms might have a | 
|         |    402   # retention policy with a low 'max_lifetime', where history needs to be purged | 
|         |    403   # of outdated messages on a more frequent basis than for the rest of the rooms | 
|         |    404   # (e.g. every 12h), but not want that purge to be performed by a job that's | 
|         |    405   # iterating over every room it knows, which could be heavy on the server. | 
|         |    406   # | 
|         |    407   #purge_jobs: | 
|         |    408   #  - shortest_max_lifetime: 1d | 
|         |    409   #    longest_max_lifetime: 3d | 
|         |    410   #    interval: 12h | 
|         |    411   #  - shortest_max_lifetime: 3d | 
|         |    412   #    longest_max_lifetime: 1y | 
|         |    413   #    interval: 1d | 
|         |    414  | 
|         |    415 # Inhibits the /requestToken endpoints from returning an error that might leak | 
|         |    416 # information about whether an e-mail address is in use or not on this | 
|         |    417 # homeserver. | 
|         |    418 # Note that for some endpoints the error situation is the e-mail already being | 
|         |    419 # used, and for others the error is entering the e-mail being unused. | 
|         |    420 # If this option is enabled, instead of returning an error, these endpoints will | 
|         |    421 # act as if no error happened and return a fake session ID ('sid') to clients. | 
|         |    422 # | 
|         |    423 #request_token_inhibit_3pid_errors: true | 
|         |    424  | 
|         |    425  | 
|         |    426 ## TLS ## | 
|         |    427  | 
|         |    428 # PEM-encoded X509 certificate for TLS. | 
|         |    429 # This certificate, as of Synapse 1.0, will need to be a valid and verifiable | 
|         |    430 # certificate, signed by a recognised Certificate Authority. | 
|         |    431 # | 
|         |    432 # See 'ACME support' below to enable auto-provisioning this certificate via | 
|         |    433 # Let's Encrypt. | 
|         |    434 # | 
|         |    435 # If supplying your own, be sure to use a `.pem` file that includes the | 
|         |    436 # full certificate chain including any intermediate certificates (for | 
|         |    437 # instance, if using certbot, use `fullchain.pem` as your certificate, | 
|         |    438 # not `cert.pem`). | 
|         |    439 # | 
|         |    440 #tls_certificate_path: "/home/lhoersten/nth.io.tls.crt" | 
|         |    441  | 
|         |    442 # PEM-encoded private key for TLS | 
|         |    443 # | 
|         |    444 #tls_private_key_path: "/home/lhoersten/nth.io.tls.key" | 
|         |    445  | 
|         |    446 # Whether to verify TLS server certificates for outbound federation requests. | 
|         |    447 # | 
|         |    448 # Defaults to `true`. To disable certificate verification, uncomment the | 
|         |    449 # following line. | 
|         |    450 # | 
|         |    451 #federation_verify_certificates: false | 
|         |    452  | 
|         |    453 # The minimum TLS version that will be used for outbound federation requests. | 
|         |    454 # | 
|         |    455 # Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note | 
|         |    456 # that setting this value higher than `1.2` will prevent federation to most | 
|         |    457 # of the public Matrix network: only configure it to `1.3` if you have an | 
|         |    458 # entirely private federation setup and you can ensure TLS 1.3 support. | 
|         |    459 # | 
|         |    460 #federation_client_minimum_tls_version: 1.2 | 
|         |    461  | 
|         |    462 # Skip federation certificate verification on the following whitelist | 
|         |    463 # of domains. | 
|         |    464 # | 
|         |    465 # This setting should only be used in very specific cases, such as | 
|         |    466 # federation over Tor hidden services and similar. For private networks | 
|         |    467 # of homeservers, you likely want to use a private CA instead. | 
|         |    468 # | 
|         |    469 # Only effective if federation_verify_certicates is `true`. | 
|         |    470 # | 
|         |    471 #federation_certificate_verification_whitelist: | 
|         |    472 #  - lon.example.com | 
|         |    473 #  - *.domain.com | 
|         |    474 #  - *.onion | 
|         |    475  | 
|         |    476 # List of custom certificate authorities for federation traffic. | 
|         |    477 # | 
|         |    478 # This setting should only normally be used within a private network of | 
|         |    479 # homeservers. | 
|         |    480 # | 
|         |    481 # Note that this list will replace those that are provided by your | 
|         |    482 # operating environment. Certificates must be in PEM format. | 
|         |    483 # | 
|         |    484 #federation_custom_ca_list: | 
|         |    485 #  - myCA1.pem | 
|         |    486 #  - myCA2.pem | 
|         |    487 #  - myCA3.pem | 
|         |    488  | 
|         |    489 # ACME support: This will configure Synapse to request a valid TLS certificate | 
|         |    490 # for your configured `server_name` via Let's Encrypt. | 
|         |    491 # | 
|         |    492 # Note that ACME v1 is now deprecated, and Synapse currently doesn't support | 
|         |    493 # ACME v2. This means that this feature currently won't work with installs set | 
|         |    494 # up after November 2019. For more info, and alternative solutions, see | 
|         |    495 # https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 | 
|         |    496 # | 
|         |    497 # Note that provisioning a certificate in this way requires port 80 to be | 
|         |    498 # routed to Synapse so that it can complete the http-01 ACME challenge. | 
|         |    499 # By default, if you enable ACME support, Synapse will attempt to listen on | 
|         |    500 # port 80 for incoming http-01 challenges - however, this will likely fail | 
|         |    501 # with 'Permission denied' or a similar error. | 
|         |    502 # | 
|         |    503 # There are a couple of potential solutions to this: | 
|         |    504 # | 
|         |    505 #  * If you already have an Apache, Nginx, or similar listening on port 80, | 
|         |    506 #    you can configure Synapse to use an alternate port, and have your web | 
|         |    507 #    server forward the requests. For example, assuming you set 'port: 8009' | 
|         |    508 #    below, on Apache, you would write: | 
|         |    509 # | 
|         |    510 #    ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge | 
|         |    511 # | 
|         |    512 #  * Alternatively, you can use something like `authbind` to give Synapse | 
|         |    513 #    permission to listen on port 80. | 
|         |    514 # | 
|         |    515 acme: | 
|         |    516     # ACME support is disabled by default. Set this to `true` and uncomment | 
|         |    517     # tls_certificate_path and tls_private_key_path above to enable it. | 
|         |    518     # | 
|         |    519     enabled: false | 
|         |    520  | 
|         |    521     # Endpoint to use to request certificates. If you only want to test, | 
|         |    522     # use Let's Encrypt's staging url: | 
|         |    523     #     https://acme-staging.api.letsencrypt.org/directory | 
|         |    524     # | 
|         |    525     #url: https://acme-v01.api.letsencrypt.org/directory | 
|         |    526  | 
|         |    527     # Port number to listen on for the HTTP-01 challenge. Change this if | 
|         |    528     # you are forwarding connections through Apache/Nginx/etc. | 
|         |    529     # | 
|         |    530     port: 80 | 
|         |    531  | 
|         |    532     # Local addresses to listen on for incoming connections. | 
|         |    533     # Again, you may want to change this if you are forwarding connections | 
|         |    534     # through Apache/Nginx/etc. | 
|         |    535     # | 
|         |    536     bind_addresses: ['::', '0.0.0.0'] | 
|         |    537  | 
|         |    538     # How many days remaining on a certificate before it is renewed. | 
|         |    539     # | 
|         |    540     reprovision_threshold: 30 | 
|         |    541  | 
|         |    542     # The domain that the certificate should be for. Normally this | 
|         |    543     # should be the same as your Matrix domain (i.e., 'server_name'), but, | 
|         |    544     # by putting a file at 'https://<server_name>/.well-known/matrix/server', | 
|         |    545     # you can delegate incoming traffic to another server. If you do that, | 
|         |    546     # you should give the target of the delegation here. | 
|         |    547     # | 
|         |    548     # For example: if your 'server_name' is 'example.com', but | 
|         |    549     # 'https://example.com/.well-known/matrix/server' delegates to | 
|         |    550     # 'matrix.example.com', you should put 'matrix.example.com' here. | 
|         |    551     # | 
|         |    552     # If not set, defaults to your 'server_name'. | 
|         |    553     # | 
|         |    554     domain: matrix.example.com | 
|         |    555  | 
|         |    556     # file to use for the account key. This will be generated if it doesn't | 
|         |    557     # exist. | 
|         |    558     # | 
|         |    559     # If unspecified, we will use CONFDIR/client.key. | 
|         |    560     # | 
|         |    561     account_key_file: /home/lhoersten/acme_account.key | 
|     17  |    562  | 
|     18 # List of allowed TLS fingerprints for this server to publish along |    563 # List of allowed TLS fingerprints for this server to publish along | 
|     19 # with the signing keys for this server. Other matrix servers that |    564 # with the signing keys for this server. Other matrix servers that | 
|     20 # make HTTPS requests to this server will check that the TLS |    565 # make HTTPS requests to this server will check that the TLS | 
|     21 # certificates returned by this server match one of the fingerprints. |    566 # certificates returned by this server match one of the fingerprints. | 
|     38 # You can calculate a fingerprint from a given TLS listener via: |    583 # You can calculate a fingerprint from a given TLS listener via: | 
|     39 # openssl s_client -connect $host:$port < /dev/null 2> /dev/null | |    584 # openssl s_client -connect $host:$port < /dev/null 2> /dev/null | | 
|     40 #   openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' |    585 #   openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' | 
|     41 # or by checking matrix.org/federationtester/api/report?server_name=$host |    586 # or by checking matrix.org/federationtester/api/report?server_name=$host | 
|     42 # |    587 # | 
|     43 tls_fingerprints: [] |    588 #tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}] | 
|     44 # tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}] |    589  | 
|     45  |    590  | 
|     46  |    591  | 
|     47 ## Server ## |    592 ## Database ## | 
|     48  |    593  | 
|     49 # When running as a daemon, the file to store the pid in |    594 # The 'database' setting defines the database that synapse uses to store all of | 
|     50 pid_file: "/var/run/matrix-synapse.pid" |    595 # its data. | 
|     51  |    596 # | 
|     52 # CPU affinity mask. Setting this restricts the CPUs on which the |    597 # 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or | 
|     53 # process will be scheduled. It is represented as a bitmask, with the |    598 # 'psycopg2' (for PostgreSQL). | 
|     54 # lowest order bit corresponding to the first logical CPU and the |    599 # | 
|     55 # highest order bit corresponding to the last logical CPU. Not all CPUs |    600 # 'args' gives options which are passed through to the database engine, | 
|     56 # may exist on a given system but a mask may specify more CPUs than are |    601 # except for options starting 'cp_', which are used to configure the Twisted | 
|     57 # present. |    602 # connection pool. For a reference to valid arguments, see: | 
|     58 # |    603 #   * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect | 
|     59 # For example: |    604 #   * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS | 
|     60 #    0x00000001  is processor #0, |    605 #   * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ | 
|     61 #    0x00000003  is processors #0 and #1, |    606 # | 
|     62 #    0xFFFFFFFF  is all processors (#0 through #31). |    607 # | 
|     63 # |    608 # Example SQLite configuration: | 
|     64 # Pinning a Python process to a single CPU is desirable, because Python |    609 # | 
|     65 # is inherently single-threaded due to the GIL, and can suffer a |    610 #database: | 
|     66 # 30-40% slowdown due to cache blow-out and thread context switching |    611 #  name: sqlite3 | 
|     67 # if the scheduler happens to schedule the underlying threads across |    612 #  args: | 
|     68 # different cores. See |    613 #    database: /path/to/homeserver.db | 
|     69 # https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/. |    614 # | 
|     70 # |    615 # | 
|     71 # cpu_affinity: 0xFFFFFFFF |    616 # Example Postgres configuration: | 
|     72  |    617 # | 
|     73 # The path to the web client which will be served at /_matrix/client/ |    618 #database: | 
|     74 # if 'webclient' is configured under the 'listeners' configuration. |    619 #  name: psycopg2 | 
|     75 # |    620 #  args: | 
|     76 # web_client_location: "/path/to/web/root" |    621 #    user: synapse | 
|     77  |    622 #    password: secretpassword | 
|     78 # The public-facing base URL for the client API (not including _matrix/...) |    623 #    database: synapse | 
|     79 # public_baseurl: https://example.com:8448/ |    624 #    host: localhost | 
|     80  |    625 #    cp_min: 5 | 
|     81 # Set the soft limit on the number of file descriptors synapse can use |    626 #    cp_max: 10 | 
|     82 # Zero is used to indicate synapse should set the soft limit to the |    627 # | 
|     83 # hard limit. |    628 # For more information on using Synapse with Postgres, see `docs/postgres.md`. | 
|     84 soft_file_limit: 0 |    629 # | 
|     85  |         | 
|     86 # The GC threshold parameters to pass to `gc.set_threshold`, if defined |         | 
|     87 # gc_thresholds: [700, 10, 10] |         | 
|     88  |         | 
|     89 # Set the limit on the returned events in the timeline in the get |         | 
|     90 # and sync operations. The default value is -1, means no upper limit. |         | 
|     91 # filter_timeline_limit: 5000 |         | 
|     92  |         | 
|     93 # Whether room invites to users on this server should be blocked |         | 
|     94 # (except those sent by local server admins). The default is False. |         | 
|     95 # block_non_admin_invites: True |         | 
|     96  |         | 
|     97 # Restrict federation to the following whitelist of domains. |         | 
|     98 # N.B. we recommend also firewalling your federation listener to limit |         | 
|     99 # inbound federation traffic as early as possible, rather than relying |         | 
|    100 # purely on this application-layer restriction.  If not specified, the |         | 
|    101 # default is to whitelist everything. |         | 
|    102 # |         | 
|    103 # federation_domain_whitelist: |         | 
|    104 #  - lon.example.com |         | 
|    105 #  - nyc.example.com |         | 
|    106 #  - syd.example.com |         | 
|    107  |         | 
|    108 # List of ports that Synapse should listen on, their purpose and their |         | 
|    109 # configuration. |         | 
|    110 listeners: |         | 
|    111   # Main HTTPS listener |         | 
|    112   # For when matrix traffic is sent directly to synapse. |         | 
|    113   # - |         | 
|    114   #   # The port to listen for HTTPS requests on. |         | 
|    115   #   port: 8448 |         | 
|    116  |         | 
|    117   #   # Local addresses to listen on. |         | 
|    118   #   # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6 |         | 
|    119   #   # addresses by default. For most other OSes, this will only listen |         | 
|    120   #   # on IPv6. |         | 
|    121   #   bind_addresses: |         | 
|    122   #     - '::1' |         | 
|    123   #     - '127.0.0.1' |         | 
|    124   #     # - '::' |         | 
|    125   #     # - '0.0.0.0' |         | 
|    126  |         | 
|    127   #   # This is a 'http' listener, allows us to specify 'resources'. |         | 
|    128   #   type: http |         | 
|    129  |         | 
|    130   #   tls: true |         | 
|    131  |         | 
|    132   #   # Use the X-Forwarded-For (XFF) header as the client IP and not the |         | 
|    133   #   # actual client IP. |         | 
|    134   #   x_forwarded: false |         | 
|    135  |         | 
|    136   #   # List of HTTP resources to serve on this listener. |         | 
|    137   #   resources: |         | 
|    138   #     - |         | 
|    139   #       # List of resources to host on this listener. |         | 
|    140   #       names: |         | 
|    141   #         - client     # The client-server APIs, both v1 and v2 |         | 
|    142  |         | 
|    143   #       # Should synapse compress HTTP responses to clients that support it? |         | 
|    144   #       # This should be disabled if running synapse behind a load balancer |         | 
|    145   #       # that can do automatic compression. |         | 
|    146   #       compress: true |         | 
|    147  |         | 
|    148   #     - names: [federation]  # Federation APIs |         | 
|    149   #       compress: false |         | 
|    150  |         | 
|    151   #   # optional list of additional endpoints which can be loaded via |         | 
|    152   #   # dynamic modules |         | 
|    153   #   # additional_resources: |         | 
|    154   #   #   "/_matrix/my/custom/endpoint": |         | 
|    155   #   #     module: my_module.CustomRequestHandler |         | 
|    156   #   #     config: {} |         | 
|    157  |         | 
|    158   # Unsecure HTTP listener, |         | 
|    159   # For when matrix traffic passes through loadbalancer that unwraps TLS. |         | 
|    160   - port: 8008 |         | 
|    161     tls: false |         | 
|    162     bind_addresses: |         | 
|    163       - '::1' |         | 
|    164       - '127.0.0.1' |         | 
|    165       # - '::' |         | 
|    166       # - '0.0.0.0' |         | 
|    167     type: http |         | 
|    168  |         | 
|    169     x_forwarded: true |         | 
|    170  |         | 
|    171     resources: |         | 
|    172       - names: [client] |         | 
|    173         compress: true |         | 
|    174       - names: [federation] |         | 
|    175         compress: false |         | 
|    176  |         | 
|    177   # Turn on the twisted ssh manhole service on localhost on the given |         | 
|    178   # port. |         | 
|    179   # - port: 9000 |         | 
|    180   #   bind_addresses: |         | 
|    181   #     - '::1' |         | 
|    182   #     - '127.0.0.1' |         | 
|    183   #   type: manhole |         | 
|    184  |         | 
|    185  |         | 
|    186 # Database configuration |         | 
|    187 database: |    630 database: | 
|    188   # The database engine name |    631   name: sqlite3 | 
|    189   name: "sqlite3" |         | 
|    190   # Arguments to pass to the engine |         | 
|    191   args: |    632   args: | 
|    192     # Path to the database |         | 
|    193     database: "{{matrix_synapse_db}}" |    633     database: "{{matrix_synapse_db}}" | 
|    194  |    634  | 
|    195 # Number of events to cache in memory. |    635 # Number of events to cache in memory. | 
|    196 event_cache_size: "10K" |    636 # | 
|    197  |    637 #event_cache_size: 10K | 
|    198  |    638  | 
|    199 # A yaml python logging config file |    639  | 
|         |    640 ## Logging ## | 
|         |    641  | 
|         |    642 # A yaml python logging config file as described by | 
|         |    643 # https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema | 
|         |    644 # | 
|    200 log_config: "/etc/matrix-synapse/log.yaml" |    645 log_config: "/etc/matrix-synapse/log.yaml" | 
|    201  |    646  | 
|    202  |    647  | 
|    203  |         | 
|    204 ## Ratelimiting ## |    648 ## Ratelimiting ## | 
|    205  |    649  | 
|    206 # Number of messages a client can send per second |    650 # Ratelimiting settings for client actions (registration, login, messaging). | 
|    207 rc_messages_per_second: 0.2 |    651 # | 
|    208  |    652 # Each ratelimiting configuration is made of two parameters: | 
|    209 # Number of message a client can send before being throttled |    653 #   - per_second: number of requests a client can send per second. | 
|    210 rc_message_burst_count: 10.0 |    654 #   - burst_count: number of requests a client can send before being throttled. | 
|    211  |    655 # | 
|    212 # The federation window size in milliseconds |    656 # Synapse currently uses the following configurations: | 
|    213 federation_rc_window_size: 1000 |    657 #   - one for messages that ratelimits sending based on the account the client | 
|    214  |    658 #     is using | 
|    215 # The number of federation requests from a single server in a window |    659 #   - one for registration that ratelimits registration requests based on the | 
|    216 # before the server will delay processing the request. |    660 #     client's IP address. | 
|    217 federation_rc_sleep_limit: 10 |    661 #   - one for login that ratelimits login requests based on the client's IP | 
|    218  |    662 #     address. | 
|    219 # The duration in milliseconds to delay processing events from |    663 #   - one for login that ratelimits login requests based on the account the | 
|    220 # remote servers by if they go over the sleep limit. |    664 #     client is attempting to log into. | 
|    221 federation_rc_sleep_delay: 500 |    665 #   - one for login that ratelimits login requests based on the account the | 
|    222  |    666 #     client is attempting to log into, based on the amount of failed login | 
|    223 # The maximum number of concurrent federation requests allowed |    667 #     attempts for this account. | 
|    224 # from a single server |    668 #   - one for ratelimiting redactions by room admins. If this is not explicitly | 
|    225 federation_rc_reject_limit: 50 |    669 #     set then it uses the same ratelimiting as per rc_message. This is useful | 
|    226  |    670 #     to allow room admins to deal with abuse quickly. | 
|    227 # The number of federation requests to concurrently process from a |    671 # | 
|    228 # single server |    672 # The defaults are as shown below. | 
|    229 federation_rc_concurrent: 3 |    673 # | 
|    230  |    674 #rc_message: | 
|    231  |    675 #  per_second: 0.2 | 
|         |    676 #  burst_count: 10 | 
|         |    677 # | 
|         |    678 #rc_registration: | 
|         |    679 #  per_second: 0.17 | 
|         |    680 #  burst_count: 3 | 
|         |    681 # | 
|         |    682 #rc_login: | 
|         |    683 #  address: | 
|         |    684 #    per_second: 0.17 | 
|         |    685 #    burst_count: 3 | 
|         |    686 #  account: | 
|         |    687 #    per_second: 0.17 | 
|         |    688 #    burst_count: 3 | 
|         |    689 #  failed_attempts: | 
|         |    690 #    per_second: 0.17 | 
|         |    691 #    burst_count: 3 | 
|         |    692 # | 
|         |    693 #rc_admin_redaction: | 
|         |    694 #  per_second: 1 | 
|         |    695 #  burst_count: 50 | 
|         |    696  | 
|         |    697  | 
|         |    698 # Ratelimiting settings for incoming federation | 
|         |    699 # | 
|         |    700 # The rc_federation configuration is made up of the following settings: | 
|         |    701 #   - window_size: window size in milliseconds | 
|         |    702 #   - sleep_limit: number of federation requests from a single server in | 
|         |    703 #     a window before the server will delay processing the request. | 
|         |    704 #   - sleep_delay: duration in milliseconds to delay processing events | 
|         |    705 #     from remote servers by if they go over the sleep limit. | 
|         |    706 #   - reject_limit: maximum number of concurrent federation requests | 
|         |    707 #     allowed from a single server | 
|         |    708 #   - concurrent: number of federation requests to concurrently process | 
|         |    709 #     from a single server | 
|         |    710 # | 
|         |    711 # The defaults are as shown below. | 
|         |    712 # | 
|         |    713 #rc_federation: | 
|         |    714 #  window_size: 1000 | 
|         |    715 #  sleep_limit: 10 | 
|         |    716 #  sleep_delay: 500 | 
|         |    717 #  reject_limit: 50 | 
|         |    718 #  concurrent: 3 | 
|         |    719  | 
|         |    720 # Target outgoing federation transaction frequency for sending read-receipts, | 
|         |    721 # per-room. | 
|         |    722 # | 
|         |    723 # If we end up trying to send out more read-receipts, they will get buffered up | 
|         |    724 # into fewer transactions. | 
|         |    725 # | 
|         |    726 #federation_rr_transactions_per_room_per_second: 50 | 
|         |    727  | 
|         |    728  | 
|         |    729  | 
|         |    730 ## Media Store ## | 
|         |    731  | 
|         |    732 # Enable the media store service in the Synapse master. Uncomment the | 
|         |    733 # following if you are using a separate media store worker. | 
|         |    734 # | 
|         |    735 #enable_media_repo: false | 
|    232  |    736  | 
|    233 # Directory where uploaded images and attachments are stored. |    737 # Directory where uploaded images and attachments are stored. | 
|         |    738 # | 
|    234 media_store_path: "{{matrix_synapse_media_store}}" |    739 media_store_path: "{{matrix_synapse_media_store}}" | 
|    235  |    740  | 
|    236 # Media storage providers allow media to be stored in different |    741 # Media storage providers allow media to be stored in different | 
|    237 # locations. |    742 # locations. | 
|    238 # media_storage_providers: |    743 # | 
|    239 # - module: file_system |    744 #media_storage_providers: | 
|    240 #   # Whether to write new local files. |    745 #  - module: file_system | 
|    241 #   store_local: false |    746 #    # Whether to store newly uploaded local files | 
|    242 #   # Whether to write new remote media |    747 #    store_local: false | 
|    243 #   store_remote: false |    748 #    # Whether to store newly downloaded remote files | 
|    244 #   # Whether to block upload requests waiting for write to this |    749 #    store_remote: false | 
|    245 #   # provider to complete |    750 #    # Whether to wait for successful storage for local uploads | 
|    246 #   store_synchronous: false |    751 #    store_synchronous: false | 
|    247 #   config: |    752 #    config: | 
|    248 #     directory: /mnt/some/other/directory |    753 #       directory: /mnt/some/other/directory | 
|    249  |         | 
|    250 # Directory where in-progress uploads are stored. |         | 
|    251 uploads_path: "{{matrix_synapse_uploads}}" |         | 
|    252  |    754  | 
|    253 # The largest allowed upload size in bytes |    755 # The largest allowed upload size in bytes | 
|    254 max_upload_size: "10M" |    756 # | 
|         |    757 #max_upload_size: 10M | 
|    255  |    758  | 
|    256 # Maximum number of pixels that will be thumbnailed |    759 # Maximum number of pixels that will be thumbnailed | 
|    257 max_image_pixels: "32M" |    760 # | 
|         |    761 #max_image_pixels: 32M | 
|    258  |    762  | 
|    259 # Whether to generate new thumbnails on the fly to precisely match |    763 # Whether to generate new thumbnails on the fly to precisely match | 
|    260 # the resolution requested by the client. If true then whenever |    764 # the resolution requested by the client. If true then whenever | 
|    261 # a new resolution is requested by the client the server will |    765 # a new resolution is requested by the client the server will | 
|    262 # generate a new thumbnail. If false the server will pick a thumbnail |    766 # generate a new thumbnail. If false the server will pick a thumbnail | 
|    263 # from a precalculated list. |    767 # from a precalculated list. | 
|    264 dynamic_thumbnails: false |    768 # | 
|    265  |    769 #dynamic_thumbnails: false | 
|    266 # List of thumbnail to precalculate when an image is uploaded. |    770  | 
|    267 thumbnail_sizes: |    771 # List of thumbnails to precalculate when an image is uploaded. | 
|    268 - width: 32 |    772 # | 
|    269   height: 32 |    773 #thumbnail_sizes: | 
|    270   method: crop |    774 #  - width: 32 | 
|    271 - width: 96 |    775 #    height: 32 | 
|    272   height: 96 |    776 #    method: crop | 
|    273   method: crop |    777 #  - width: 96 | 
|    274 - width: 320 |    778 #    height: 96 | 
|    275   height: 240 |    779 #    method: crop | 
|    276   method: scale |    780 #  - width: 320 | 
|    277 - width: 640 |    781 #    height: 240 | 
|    278   height: 480 |    782 #    method: scale | 
|    279   method: scale |    783 #  - width: 640 | 
|    280 - width: 800 |    784 #    height: 480 | 
|    281   height: 600 |    785 #    method: scale | 
|    282   method: scale |    786 #  - width: 800 | 
|    283  |    787 #    height: 600 | 
|    284 # Is the preview URL API enabled?  If enabled, you *must* specify |    788 #    method: scale | 
|    285 # an explicit url_preview_ip_range_blacklist of IPs that the spider is |    789  | 
|    286 # denied from accessing. |    790 # Is the preview URL API enabled? | 
|    287 url_preview_enabled: False |    791 # | 
|         |    792 # 'false' by default: uncomment the following to enable it (and specify a | 
|         |    793 # url_preview_ip_range_blacklist blacklist). | 
|         |    794 # | 
|         |    795 #url_preview_enabled: true | 
|    288  |    796  | 
|    289 # List of IP address CIDR ranges that the URL preview spider is denied |    797 # List of IP address CIDR ranges that the URL preview spider is denied | 
|    290 # from accessing.  There are no defaults: you must explicitly |    798 # from accessing.  There are no defaults: you must explicitly | 
|    291 # specify a list for URL previewing to work.  You should specify any |    799 # specify a list for URL previewing to work.  You should specify any | 
|    292 # internal services in your network that you do not want synapse to try |    800 # internal services in your network that you do not want synapse to try | 
|    293 # to connect to, otherwise anyone in any Matrix room could cause your |    801 # to connect to, otherwise anyone in any Matrix room could cause your | 
|    294 # synapse to issue arbitrary GET requests to your internal services, |    802 # synapse to issue arbitrary GET requests to your internal services, | 
|    295 # causing serious security issues. |    803 # causing serious security issues. | 
|    296 # |    804 # | 
|    297 # url_preview_ip_range_blacklist: |    805 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly | 
|    298 # - '127.0.0.0/8' |    806 # listed here, since they correspond to unroutable addresses.) | 
|    299 # - '10.0.0.0/8' |    807 # | 
|    300 # - '172.16.0.0/12' |    808 # This must be specified if url_preview_enabled is set. It is recommended that | 
|    301 # - '192.168.0.0/16' |    809 # you uncomment the following list as a starting point. | 
|    302 # - '100.64.0.0/10' |    810 # | 
|    303 # - '169.254.0.0/16' |    811 #url_preview_ip_range_blacklist: | 
|    304 # |    812 #  - '127.0.0.0/8' | 
|         |    813 #  - '10.0.0.0/8' | 
|         |    814 #  - '172.16.0.0/12' | 
|         |    815 #  - '192.168.0.0/16' | 
|         |    816 #  - '100.64.0.0/10' | 
|         |    817 #  - '169.254.0.0/16' | 
|         |    818 #  - '::1/128' | 
|         |    819 #  - 'fe80::/64' | 
|         |    820 #  - 'fc00::/7' | 
|         |    821  | 
|    305 # List of IP address CIDR ranges that the URL preview spider is allowed |    822 # List of IP address CIDR ranges that the URL preview spider is allowed | 
|    306 # to access even if they are specified in url_preview_ip_range_blacklist. |    823 # to access even if they are specified in url_preview_ip_range_blacklist. | 
|    307 # This is useful for specifying exceptions to wide-ranging blacklisted |    824 # This is useful for specifying exceptions to wide-ranging blacklisted | 
|    308 # target IP ranges - e.g. for enabling URL previews for a specific private |    825 # target IP ranges - e.g. for enabling URL previews for a specific private | 
|    309 # website only visible in your network. |    826 # website only visible in your network. | 
|    310 # |    827 # | 
|    311 # url_preview_ip_range_whitelist: |    828 #url_preview_ip_range_whitelist: | 
|    312 # - '192.168.1.1' |    829 #   - '192.168.1.1' | 
|    313  |    830  | 
|    314 # Optional list of URL matches that the URL preview spider is |    831 # Optional list of URL matches that the URL preview spider is | 
|    315 # denied from accessing.  You should use url_preview_ip_range_blacklist |    832 # denied from accessing.  You should use url_preview_ip_range_blacklist | 
|    316 # in preference to this, otherwise someone could define a public DNS |    833 # in preference to this, otherwise someone could define a public DNS | 
|    317 # entry that points to a private IP address and circumvent the blacklist. |    834 # entry that points to a private IP address and circumvent the blacklist. | 
|    325 # applied to that component of URLs, unless they start with a ^ in which |    842 # applied to that component of URLs, unless they start with a ^ in which | 
|    326 # case they are treated as a regular expression match.  If all the |    843 # case they are treated as a regular expression match.  If all the | 
|    327 # specified component matches for a given list item succeed, the URL is |    844 # specified component matches for a given list item succeed, the URL is | 
|    328 # blacklisted. |    845 # blacklisted. | 
|    329 # |    846 # | 
|    330 # url_preview_url_blacklist: |    847 #url_preview_url_blacklist: | 
|    331 # # blacklist any URL with a username in its URI |    848 #  # blacklist any URL with a username in its URI | 
|    332 # - username: '*' |    849 #  - username: '*' | 
|    333 # |    850 # | 
|    334 # # blacklist all *.google.com URLs |    851 #  # blacklist all *.google.com URLs | 
|    335 # - netloc: 'google.com' |    852 #  - netloc: 'google.com' | 
|    336 # - netloc: '*.google.com' |    853 #  - netloc: '*.google.com' | 
|    337 # |    854 # | 
|    338 # # blacklist all plain HTTP URLs |    855 #  # blacklist all plain HTTP URLs | 
|    339 # - scheme: 'http' |    856 #  - scheme: 'http' | 
|    340 # |    857 # | 
|    341 # # blacklist http(s)://www.acme.com/foo |    858 #  # blacklist http(s)://www.acme.com/foo | 
|    342 # - netloc: 'www.acme.com' |    859 #  - netloc: 'www.acme.com' | 
|    343 #   path: '/foo' |    860 #    path: '/foo' | 
|    344 # |    861 # | 
|    345 # # blacklist any URL with a literal IPv4 address |    862 #  # blacklist any URL with a literal IPv4 address | 
|    346 # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' |    863 #  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | 
|    347  |    864  | 
|    348 # The largest allowed URL preview spidering size in bytes |    865 # The largest allowed URL preview spidering size in bytes | 
|    349 max_spider_size: "10M" |    866 # | 
|    350  |    867 #max_spider_size: 10M | 
|    351  |    868  | 
|         |    869 # A list of values for the Accept-Language HTTP header used when | 
|         |    870 # downloading webpages during URL preview generation. This allows | 
|         |    871 # Synapse to specify the preferred languages that URL previews should | 
|         |    872 # be in when communicating with remote servers. | 
|         |    873 # | 
|         |    874 # Each value is a IETF language tag; a 2-3 letter identifier for a | 
|         |    875 # language, optionally followed by subtags separated by '-', specifying | 
|         |    876 # a country or region variant. | 
|         |    877 # | 
|         |    878 # Multiple values can be provided, and a weight can be added to each by | 
|         |    879 # using quality value syntax (;q=). '*' translates to any language. | 
|         |    880 # | 
|         |    881 # Defaults to "en". | 
|         |    882 # | 
|         |    883 # Example: | 
|         |    884 # | 
|         |    885 # url_preview_accept_language: | 
|         |    886 #   - en-UK | 
|         |    887 #   - en-US;q=0.9 | 
|         |    888 #   - fr;q=0.8 | 
|         |    889 #   - *;q=0.7 | 
|         |    890 # | 
|         |    891 url_preview_accept_language: | 
|         |    892 #   - en | 
|    352  |    893  | 
|    353  |    894  | 
|    354 ## Captcha ## |    895 ## Captcha ## | 
|    355 # See docs/CAPTCHA_SETUP for full details of configuring this. |    896 # See docs/CAPTCHA_SETUP for full details of configuring this. | 
|    356  |    897  | 
|    357 # This Home Server's ReCAPTCHA public key. |    898 # This homeserver's ReCAPTCHA public key. | 
|    358 recaptcha_public_key: "YOUR_PUBLIC_KEY" |    899 # | 
|    359  |    900 #recaptcha_public_key: "YOUR_PUBLIC_KEY" | 
|    360 # This Home Server's ReCAPTCHA private key. |    901  | 
|    361 recaptcha_private_key: "YOUR_PRIVATE_KEY" |    902 # This homeserver's ReCAPTCHA private key. | 
|         |    903 # | 
|         |    904 #recaptcha_private_key: "YOUR_PRIVATE_KEY" | 
|    362  |    905  | 
|    363 # Enables ReCaptcha checks when registering, preventing signup |    906 # Enables ReCaptcha checks when registering, preventing signup | 
|    364 # unless a captcha is answered. Requires a valid ReCaptcha |    907 # unless a captcha is answered. Requires a valid ReCaptcha | 
|    365 # public/private key. |    908 # public/private key. | 
|    366 enable_registration_captcha: False |    909 # | 
|    367  |    910 #enable_registration_captcha: false | 
|    368 # A secret key used to bypass the captcha test entirely. |         | 
|    369 #captcha_bypass_secret: "YOUR_SECRET_HERE" |         | 
|    370  |    911  | 
|    371 # The API endpoint to use for verifying m.login.recaptcha responses. |    912 # The API endpoint to use for verifying m.login.recaptcha responses. | 
|    372 recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" |    913 # | 
|    373  |    914 #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" | 
|    374  |    915  | 
|    375 ## Turn ## |    916  | 
|         |    917 ## TURN ## | 
|    376  |    918  | 
|    377 # The public URIs of the TURN server to give to clients |    919 # The public URIs of the TURN server to give to clients | 
|    378 turn_uris: [] |    920 # | 
|         |    921 #turn_uris: [] | 
|    379  |    922  | 
|    380 # The shared secret used to compute passwords for the TURN server |    923 # The shared secret used to compute passwords for the TURN server | 
|    381 turn_shared_secret: "YOUR_SHARED_SECRET" |    924 # | 
|         |    925 #turn_shared_secret: "YOUR_SHARED_SECRET" | 
|    382  |    926  | 
|    383 # The Username and password if the TURN server needs them and |    927 # The Username and password if the TURN server needs them and | 
|    384 # does not use a token |    928 # does not use a token | 
|         |    929 # | 
|    385 #turn_username: "TURNSERVER_USERNAME" |    930 #turn_username: "TURNSERVER_USERNAME" | 
|    386 #turn_password: "TURNSERVER_PASSWORD" |    931 #turn_password: "TURNSERVER_PASSWORD" | 
|    387  |    932  | 
|    388 # How long generated TURN credentials last |    933 # How long generated TURN credentials last | 
|    389 turn_user_lifetime: "1h" |    934 # | 
|         |    935 #turn_user_lifetime: 1h | 
|    390  |    936  | 
|    391 # Whether guests should be allowed to use the TURN server. |    937 # Whether guests should be allowed to use the TURN server. | 
|    392 # This defaults to True, otherwise VoIP will be unreliable for guests. |    938 # This defaults to True, otherwise VoIP will be unreliable for guests. | 
|    393 # However, it does introduce a slight security risk as it allows users to |    939 # However, it does introduce a slight security risk as it allows users to | 
|    394 # connect to arbitrary endpoints without having first signed up for a |    940 # connect to arbitrary endpoints without having first signed up for a | 
|    395 # valid account (e.g. by passing a CAPTCHA). |    941 # valid account (e.g. by passing a CAPTCHA). | 
|    396 turn_allow_guests: False |    942 # | 
|         |    943 #turn_allow_guests: true | 
|    397  |    944  | 
|    398  |    945  | 
|    399 ## Registration ## |    946 ## Registration ## | 
|         |    947 # | 
|         |    948 # Registration can be rate-limited using the parameters in the "Ratelimiting" | 
|         |    949 # section of this file. | 
|    400  |    950  | 
|    401 # Enable registration for new users. |    951 # Enable registration for new users. | 
|         |    952 # | 
|    402 enable_registration: {{matrix_synapse_enable_registrations}} |    953 enable_registration: {{matrix_synapse_enable_registrations}} | 
|    403  |    954  | 
|         |    955 # Optional account validity configuration. This allows for accounts to be denied | 
|         |    956 # any request after a given period. | 
|         |    957 # | 
|         |    958 # Once this feature is enabled, Synapse will look for registered users without an | 
|         |    959 # expiration date at startup and will add one to every account it found using the | 
|         |    960 # current settings at that time. | 
|         |    961 # This means that, if a validity period is set, and Synapse is restarted (it will | 
|         |    962 # then derive an expiration date from the current validity period), and some time | 
|         |    963 # after that the validity period changes and Synapse is restarted, the users' | 
|         |    964 # expiration dates won't be updated unless their account is manually renewed. This | 
|         |    965 # date will be randomly selected within a range [now + period - d ; now + period], | 
|         |    966 # where d is equal to 10% of the validity period. | 
|         |    967 # | 
|         |    968 account_validity: | 
|         |    969   # The account validity feature is disabled by default. Uncomment the | 
|         |    970   # following line to enable it. | 
|         |    971   # | 
|         |    972   #enabled: true | 
|         |    973  | 
|         |    974   # The period after which an account is valid after its registration. When | 
|         |    975   # renewing the account, its validity period will be extended by this amount | 
|         |    976   # of time. This parameter is required when using the account validity | 
|         |    977   # feature. | 
|         |    978   # | 
|         |    979   #period: 6w | 
|         |    980  | 
|         |    981   # The amount of time before an account's expiry date at which Synapse will | 
|         |    982   # send an email to the account's email address with a renewal link. By | 
|         |    983   # default, no such emails are sent. | 
|         |    984   # | 
|         |    985   # If you enable this setting, you will also need to fill out the 'email' and | 
|         |    986   # 'public_baseurl' configuration sections. | 
|         |    987   # | 
|         |    988   #renew_at: 1w | 
|         |    989  | 
|         |    990   # The subject of the email sent out with the renewal link. '%(app)s' can be | 
|         |    991   # used as a placeholder for the 'app_name' parameter from the 'email' | 
|         |    992   # section. | 
|         |    993   # | 
|         |    994   # Note that the placeholder must be written '%(app)s', including the | 
|         |    995   # trailing 's'. | 
|         |    996   # | 
|         |    997   # If this is not set, a default value is used. | 
|         |    998   # | 
|         |    999   #renew_email_subject: "Renew your %(app)s account" | 
|         |   1000  | 
|         |   1001   # Directory in which Synapse will try to find templates for the HTML files to | 
|         |   1002   # serve to the user when trying to renew an account. If not set, default | 
|         |   1003   # templates from within the Synapse package will be used. | 
|         |   1004   # | 
|         |   1005   #template_dir: "res/templates" | 
|         |   1006  | 
|         |   1007   # File within 'template_dir' giving the HTML to be displayed to the user after | 
|         |   1008   # they successfully renewed their account. If not set, default text is used. | 
|         |   1009   # | 
|         |   1010   #account_renewed_html_path: "account_renewed.html" | 
|         |   1011  | 
|         |   1012   # File within 'template_dir' giving the HTML to be displayed when the user | 
|         |   1013   # tries to renew an account with an invalid renewal token. If not set, | 
|         |   1014   # default text is used. | 
|         |   1015   # | 
|         |   1016   #invalid_token_html_path: "invalid_token.html" | 
|         |   1017  | 
|         |   1018 # Time that a user's session remains valid for, after they log in. | 
|         |   1019 # | 
|         |   1020 # Note that this is not currently compatible with guest logins. | 
|         |   1021 # | 
|         |   1022 # Note also that this is calculated at login time: changes are not applied | 
|         |   1023 # retrospectively to users who have already logged in. | 
|         |   1024 # | 
|         |   1025 # By default, this is infinite. | 
|         |   1026 # | 
|         |   1027 #session_lifetime: 24h | 
|         |   1028  | 
|    404 # The user must provide all of the below types of 3PID when registering. |   1029 # The user must provide all of the below types of 3PID when registering. | 
|    405 # |   1030 # | 
|    406 # registrations_require_3pid: |   1031 #registrations_require_3pid: | 
|    407 #     - email |   1032 #  - email | 
|    408 #     - msisdn |   1033 #  - msisdn | 
|         |   1034  | 
|         |   1035 # Explicitly disable asking for MSISDNs from the registration | 
|         |   1036 # flow (overrides registrations_require_3pid if MSISDNs are set as required) | 
|         |   1037 # | 
|         |   1038 #disable_msisdn_registration: true | 
|    409  |   1039  | 
|    410 # Mandate that users are only allowed to associate certain formats of |   1040 # Mandate that users are only allowed to associate certain formats of | 
|    411 # 3PIDs with accounts on this server. |   1041 # 3PIDs with accounts on this server. | 
|    412 # |   1042 # | 
|    413 # allowed_local_3pids: |   1043 #allowed_local_3pids: | 
|    414 #     - medium: email |   1044 #  - medium: email | 
|    415 #       pattern: ".*@matrix\.org" |   1045 #    pattern: '.*@matrix\.org' | 
|    416 #     - medium: email |   1046 #  - medium: email | 
|    417 #       pattern: ".*@vector\.im" |   1047 #    pattern: '.*@vector\.im' | 
|    418 #     - medium: msisdn |   1048 #  - medium: msisdn | 
|    419 #       pattern: "\+44" |   1049 #    pattern: '\+44' | 
|    420  |   1050  | 
|    421 # If set, allows registration by anyone who also has the shared |   1051 # Enable 3PIDs lookup requests to identity servers from this server. | 
|    422 # secret, even if registration is otherwise disabled. |   1052 # | 
|    423 # registration_shared_secret: <PRIVATE STRING> |   1053 #enable_3pid_lookup: true | 
|         |   1054  | 
|         |   1055 # If set, allows registration of standard or admin accounts by anyone who | 
|         |   1056 # has the shared secret, even if registration is otherwise disabled. | 
|         |   1057 # | 
|         |   1058 registration_shared_secret: "UgG6FB~1cV1Z5:v+_6m*1tE4m143m6xM*fiBp:T+ZhF+sNdeH*" | 
|    424  |   1059  | 
|    425 # Set the number of bcrypt rounds used to generate password hash. |   1060 # Set the number of bcrypt rounds used to generate password hash. | 
|    426 # Larger numbers increase the work factor needed to generate the hash. |   1061 # Larger numbers increase the work factor needed to generate the hash. | 
|    427 # The default number is 12 (which equates to 2^12 rounds). |   1062 # The default number is 12 (which equates to 2^12 rounds). | 
|    428 # N.B. that increasing this will exponentially increase the time required |   1063 # N.B. that increasing this will exponentially increase the time required | 
|    429 # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. |   1064 # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. | 
|    430 bcrypt_rounds: 12 |   1065 # | 
|         |   1066 #bcrypt_rounds: 12 | 
|    431  |   1067  | 
|    432 # Allows users to register as guests without a password/email/etc, and |   1068 # Allows users to register as guests without a password/email/etc, and | 
|    433 # participate in rooms hosted on this server which have been made |   1069 # participate in rooms hosted on this server which have been made | 
|    434 # accessible to anonymous users. |   1070 # accessible to anonymous users. | 
|    435 allow_guest_access: False |   1071 # | 
|         |   1072 #allow_guest_access: false | 
|         |   1073  | 
|         |   1074 # The identity server which we suggest that clients should use when users log | 
|         |   1075 # in on this server. | 
|         |   1076 # | 
|         |   1077 # (By default, no suggestion is made, so it is left up to the client. | 
|         |   1078 # This setting is ignored unless public_baseurl is also set.) | 
|         |   1079 # | 
|         |   1080 #default_identity_server: https://matrix.org | 
|    436  |   1081  | 
|    437 # The list of identity servers trusted to verify third party |   1082 # The list of identity servers trusted to verify third party | 
|    438 # identifiers by this server. |   1083 # identifiers by this server. | 
|    439 trusted_third_party_id_servers: |   1084 # | 
|    440     - matrix.org |   1085 # Also defines the ID server which will be called when an account is | 
|    441     - vector.im |   1086 # deactivated (one will be picked arbitrarily). | 
|    442     - riot.im |   1087 # | 
|         |   1088 # Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity | 
|         |   1089 # server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a | 
|         |   1090 # background migration script, informing itself that the identity server all of its | 
|         |   1091 # 3PIDs have been bound to is likely one of the below. | 
|         |   1092 # | 
|         |   1093 # As of Synapse v1.4.0, all other functionality of this option has been deprecated, and | 
|         |   1094 # it is now solely used for the purposes of the background migration script, and can be | 
|         |   1095 # removed once it has run. | 
|         |   1096 #trusted_third_party_id_servers: | 
|         |   1097 #  - matrix.org | 
|         |   1098 #  - vector.im | 
|         |   1099  | 
|         |   1100 # Handle threepid (email/phone etc) registration and password resets through a set of | 
|         |   1101 # *trusted* identity servers. Note that this allows the configured identity server to | 
|         |   1102 # reset passwords for accounts! | 
|         |   1103 # | 
|         |   1104 # Be aware that if `email` is not set, and SMTP options have not been | 
|         |   1105 # configured in the email config block, registration and user password resets via | 
|         |   1106 # email will be globally disabled. | 
|         |   1107 # | 
|         |   1108 # Additionally, if `msisdn` is not set, registration and password resets via msisdn | 
|         |   1109 # will be disabled regardless. This is due to Synapse currently not supporting any | 
|         |   1110 # method of sending SMS messages on its own. | 
|         |   1111 # | 
|         |   1112 # To enable using an identity server for operations regarding a particular third-party | 
|         |   1113 # identifier type, set the value to the URL of that identity server as shown in the | 
|         |   1114 # examples below. | 
|         |   1115 # | 
|         |   1116 # Servers handling the these requests must answer the `/requestToken` endpoints defined | 
|         |   1117 # by the Matrix Identity Service API specification: | 
|         |   1118 # https://matrix.org/docs/spec/identity_service/latest | 
|         |   1119 # | 
|         |   1120 # If a delegate is specified, the config option public_baseurl must also be filled out. | 
|         |   1121 # | 
|         |   1122 account_threepid_delegates: | 
|         |   1123     #email: https://example.com     # Delegate email sending to example.com | 
|         |   1124     #msisdn: http://localhost:8090  # Delegate SMS sending to this local process | 
|         |   1125  | 
|         |   1126 # Whether users are allowed to change their displayname after it has | 
|         |   1127 # been initially set. Useful when provisioning users based on the | 
|         |   1128 # contents of a third-party directory. | 
|         |   1129 # | 
|         |   1130 # Does not apply to server administrators. Defaults to 'true' | 
|         |   1131 # | 
|         |   1132 #enable_set_displayname: false | 
|         |   1133  | 
|         |   1134 # Whether users are allowed to change their avatar after it has been | 
|         |   1135 # initially set. Useful when provisioning users based on the contents | 
|         |   1136 # of a third-party directory. | 
|         |   1137 # | 
|         |   1138 # Does not apply to server administrators. Defaults to 'true' | 
|         |   1139 # | 
|         |   1140 #enable_set_avatar_url: false | 
|         |   1141  | 
|         |   1142 # Whether users can change the 3PIDs associated with their accounts | 
|         |   1143 # (email address and msisdn). | 
|         |   1144 # | 
|         |   1145 # Defaults to 'true' | 
|         |   1146 # | 
|         |   1147 #enable_3pid_changes: false | 
|    443  |   1148  | 
|    444 # Users who register on this homeserver will automatically be joined |   1149 # Users who register on this homeserver will automatically be joined | 
|    445 # to these rooms |   1150 # to these rooms | 
|         |   1151 # | 
|    446 #auto_join_rooms: |   1152 #auto_join_rooms: | 
|    447 #    - "#example:example.com" |   1153 #  - "#example:example.com" | 
|         |   1154  | 
|         |   1155 # Where auto_join_rooms are specified, setting this flag ensures that the | 
|         |   1156 # the rooms exist by creating them when the first user on the | 
|         |   1157 # homeserver registers. | 
|         |   1158 # Setting to false means that if the rooms are not manually created, | 
|         |   1159 # users cannot be auto-joined since they do not exist. | 
|         |   1160 # | 
|         |   1161 #autocreate_auto_join_rooms: true | 
|    448  |   1162  | 
|    449  |   1163  | 
|    450 ## Metrics ### |   1164 ## Metrics ### | 
|    451  |   1165  | 
|    452 # Enable collection and rendering of performance metrics |   1166 # Enable collection and rendering of performance metrics | 
|    453 enable_metrics: False |   1167 # | 
|         |   1168 #enable_metrics: false | 
|         |   1169  | 
|         |   1170 # Enable sentry integration | 
|         |   1171 # NOTE: While attempts are made to ensure that the logs don't contain | 
|         |   1172 # any sensitive information, this cannot be guaranteed. By enabling | 
|         |   1173 # this option the sentry server may therefore receive sensitive | 
|         |   1174 # information, and it in turn may then diseminate sensitive information | 
|         |   1175 # through insecure notification channels if so configured. | 
|         |   1176 # | 
|         |   1177 #sentry: | 
|         |   1178 #    dsn: "..." | 
|         |   1179  | 
|         |   1180 # Flags to enable Prometheus metrics which are not suitable to be | 
|         |   1181 # enabled by default, either for performance reasons or limited use. | 
|         |   1182 # | 
|         |   1183 metrics_flags: | 
|         |   1184     # Publish synapse_federation_known_servers, a gauge of the number of | 
|         |   1185     # servers this homeserver knows about, including itself. May cause | 
|         |   1186     # performance problems on large homeservers. | 
|         |   1187     # | 
|         |   1188     #known_servers: true | 
|         |   1189  | 
|         |   1190 # Whether or not to report anonymized homeserver usage statistics. | 
|         |   1191 report_stats: false | 
|         |   1192  | 
|         |   1193 # The endpoint to report the anonymized homeserver usage statistics to. | 
|         |   1194 # Defaults to https://matrix.org/report-usage-stats/push | 
|         |   1195 # | 
|         |   1196 #report_stats_endpoint: https://example.com/report-usage-stats/push | 
|         |   1197  | 
|    454  |   1198  | 
|    455 ## API Configuration ## |   1199 ## API Configuration ## | 
|    456  |   1200  | 
|    457 # A list of event types that will be included in the room_invite_state |   1201 # A list of event types that will be included in the room_invite_state | 
|    458 room_invite_state_types: |   1202 # | 
|    459     - "m.room.join_rules" |   1203 #room_invite_state_types: | 
|    460     - "m.room.canonical_alias" |   1204 #  - "m.room.join_rules" | 
|    461     - "m.room.avatar" |   1205 #  - "m.room.canonical_alias" | 
|    462     - "m.room.name" |   1206 #  - "m.room.avatar" | 
|    463  |   1207 #  - "m.room.encryption" | 
|    464  |   1208 #  - "m.room.name" | 
|    465 # A list of application service config file to use |   1209  | 
|    466 app_service_config_files: [] |   1210  | 
|    467  |   1211 # A list of application service config files to use | 
|    468  |   1212 # | 
|    469 # macaroon_secret_key: <PRIVATE STRING> |   1213 #app_service_config_files: | 
|    470  |   1214 #  - app_service_1.yaml | 
|    471 # Used to enable access token expiration. |   1215 #  - app_service_2.yaml | 
|    472 expire_access_token: False |   1216  | 
|         |   1217 # Uncomment to enable tracking of application service IP addresses. Implicitly | 
|         |   1218 # enables MAU tracking for application service users. | 
|         |   1219 # | 
|         |   1220 #track_appservice_user_ips: true | 
|         |   1221  | 
|         |   1222  | 
|         |   1223 # a secret which is used to sign access tokens. If none is specified, | 
|         |   1224 # the registration_shared_secret is used, if one is given; otherwise, | 
|         |   1225 # a secret key is derived from the signing key. | 
|         |   1226 # | 
|         |   1227 macaroon_secret_key: "yENyX9gJV:JDVK-yH.2Dls8dLE*PfEAD6ebKlDfA;e0#CYjNE:" | 
|         |   1228  | 
|         |   1229 # a secret which is used to calculate HMACs for form values, to stop | 
|         |   1230 # falsification of values. Must be specified for the User Consent | 
|         |   1231 # forms to work. | 
|         |   1232 # | 
|         |   1233 form_secret: "xko,ABwYOV*SqSfu3PGyLq#ZdHe5tU9nwHE+rcKYmV0Q~@Hg#D" | 
|    473  |   1234  | 
|    474 ## Signing Keys ## |   1235 ## Signing Keys ## | 
|    475  |   1236  | 
|    476 # Path to the signing key to sign messages with |   1237 # Path to the signing key to sign messages with | 
|         |   1238 # | 
|    477 signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" |   1239 signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" | 
|    478  |   1240  | 
|    479 # The keys that the server used to sign messages with but won't use |   1241 # The keys that the server used to sign messages with but won't use | 
|    480 # to sign new messages. E.g. it has lost its private key |   1242 # to sign new messages. | 
|    481 old_signing_keys: {} |   1243 # | 
|    482 #  "ed25519:auto": |   1244 old_signing_keys: | 
|    483 #    # Base64 encoded public key |   1245   # For each key, `key` should be the base64-encoded public key, and | 
|    484 #    key: "The public part of your old signing key." |   1246   # `expired_ts`should be the time (in milliseconds since the unix epoch) that | 
|    485 #    # Millisecond POSIX timestamp when the key expired. |   1247   # it was last used. | 
|    486 #    expired_ts: 123456789123 |   1248   # | 
|         |   1249   # It is possible to build an entry from an old signing.key file using the | 
|         |   1250   # `export_signing_key` script which is provided with synapse. | 
|         |   1251   # | 
|         |   1252   # For example: | 
|         |   1253   # | 
|         |   1254   #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } | 
|    487  |   1255  | 
|    488 # How long key response published by this server is valid for. |   1256 # How long key response published by this server is valid for. | 
|    489 # Used to set the valid_until_ts in /key/v2 APIs. |   1257 # Used to set the valid_until_ts in /key/v2 APIs. | 
|    490 # Determines how quickly servers will query to check which keys |   1258 # Determines how quickly servers will query to check which keys | 
|    491 # are still valid. |   1259 # are still valid. | 
|    492 key_refresh_interval: "1d" # 1 Day. |   1260 # | 
|         |   1261 #key_refresh_interval: 1d | 
|    493  |   1262  | 
|    494 # The trusted servers to download signing keys from. |   1263 # The trusted servers to download signing keys from. | 
|    495 perspectives: |   1264 # | 
|    496   servers: |   1265 # When we need to fetch a signing key, each server is tried in parallel. | 
|    497     "matrix.org": |   1266 # | 
|    498       verify_keys: |   1267 # Normally, the connection to the key server is validated via TLS certificates. | 
|    499         "ed25519:auto": |   1268 # Additional security can be provided by configuring a `verify key`, which | 
|    500           key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" |   1269 # will make synapse check that the response is signed by that key. | 
|    501  |   1270 # | 
|    502  |   1271 # This setting supercedes an older setting named `perspectives`. The old format | 
|    503  |   1272 # is still supported for backwards-compatibility, but it is deprecated. | 
|    504 # Enable SAML2 for registration and login. Uses pysaml2 |   1273 # | 
|    505 # config_path:      Path to the sp_conf.py configuration file |   1274 # 'trusted_key_servers' defaults to matrix.org, but using it will generate a | 
|    506 # idp_redirect_url: Identity provider URL which will redirect |   1275 # warning on start-up. To suppress this warning, set | 
|    507 #                   the user back to /login/saml2 with proper info. |   1276 # 'suppress_key_server_warning' to true. | 
|    508 # See pysaml2 docs for format of config. |   1277 # | 
|    509 #saml2_config: |   1278 # Options for each entry in the list include: | 
|    510 #   enabled: true |   1279 # | 
|    511 #   config_path: "/home/erikj/git/synapse/sp_conf.py" |   1280 #    server_name: the name of the server. required. | 
|    512 #   idp_redirect_url: "http://test/idp" |   1281 # | 
|         |   1282 #    verify_keys: an optional map from key id to base64-encoded public key. | 
|         |   1283 #       If specified, we will check that the response is signed by at least | 
|         |   1284 #       one of the given keys. | 
|         |   1285 # | 
|         |   1286 #    accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, | 
|         |   1287 #       and federation_verify_certificates is not `true`, synapse will refuse | 
|         |   1288 #       to start, because this would allow anyone who can spoof DNS responses | 
|         |   1289 #       to masquerade as the trusted key server. If you know what you are doing | 
|         |   1290 #       and are sure that your network environment provides a secure connection | 
|         |   1291 #       to the key server, you can set this to `true` to override this | 
|         |   1292 #       behaviour. | 
|         |   1293 # | 
|         |   1294 # An example configuration might look like: | 
|         |   1295 # | 
|         |   1296 #trusted_key_servers: | 
|         |   1297 #  - server_name: "my_trusted_server.example.com" | 
|         |   1298 #    verify_keys: | 
|         |   1299 #      "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" | 
|         |   1300 #  - server_name: "my_other_trusted_server.example.com" | 
|         |   1301 # | 
|         |   1302 trusted_key_servers: | 
|         |   1303   - server_name: "matrix.org" | 
|         |   1304  | 
|         |   1305 # Uncomment the following to disable the warning that is emitted when the | 
|         |   1306 # trusted_key_servers include 'matrix.org'. See above. | 
|         |   1307 # | 
|         |   1308 #suppress_key_server_warning: true | 
|         |   1309  | 
|         |   1310 # The signing keys to use when acting as a trusted key server. If not specified | 
|         |   1311 # defaults to the server signing key. | 
|         |   1312 # | 
|         |   1313 # Can contain multiple keys, one per line. | 
|         |   1314 # | 
|         |   1315 #key_server_signing_keys_path: "key_server_signing_keys.key" | 
|         |   1316  | 
|         |   1317  | 
|         |   1318 # Enable SAML2 for registration and login. Uses pysaml2. | 
|         |   1319 # | 
|         |   1320 # At least one of `sp_config` or `config_path` must be set in this section to | 
|         |   1321 # enable SAML login. | 
|         |   1322 # | 
|         |   1323 # (You will probably also want to set the following options to `false` to | 
|         |   1324 # disable the regular login/registration flows: | 
|         |   1325 #   * enable_registration | 
|         |   1326 #   * password_config.enabled | 
|         |   1327 # | 
|         |   1328 # Once SAML support is enabled, a metadata file will be exposed at | 
|         |   1329 # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to | 
|         |   1330 # use to configure your SAML IdP with. Alternatively, you can manually configure | 
|         |   1331 # the IdP to use an ACS location of | 
|         |   1332 # https://<server>:<port>/_matrix/saml2/authn_response. | 
|         |   1333 # | 
|         |   1334 saml2_config: | 
|         |   1335   # `sp_config` is the configuration for the pysaml2 Service Provider. | 
|         |   1336   # See pysaml2 docs for format of config. | 
|         |   1337   # | 
|         |   1338   # Default values will be used for the 'entityid' and 'service' settings, | 
|         |   1339   # so it is not normally necessary to specify them unless you need to | 
|         |   1340   # override them. | 
|         |   1341   # | 
|         |   1342   #sp_config: | 
|         |   1343   #  # point this to the IdP's metadata. You can use either a local file or | 
|         |   1344   #  # (preferably) a URL. | 
|         |   1345   #  metadata: | 
|         |   1346   #    #local: ["saml2/idp.xml"] | 
|         |   1347   #    remote: | 
|         |   1348   #      - url: https://our_idp/metadata.xml | 
|         |   1349   # | 
|         |   1350   #  # By default, the user has to go to our login page first. If you'd like | 
|         |   1351   #  # to allow IdP-initiated login, set 'allow_unsolicited: true' in a | 
|         |   1352   #  # 'service.sp' section: | 
|         |   1353   #  # | 
|         |   1354   #  #service: | 
|         |   1355   #  #  sp: | 
|         |   1356   #  #    allow_unsolicited: true | 
|         |   1357   # | 
|         |   1358   #  # The examples below are just used to generate our metadata xml, and you | 
|         |   1359   #  # may well not need them, depending on your setup. Alternatively you | 
|         |   1360   #  # may need a whole lot more detail - see the pysaml2 docs! | 
|         |   1361   # | 
|         |   1362   #  description: ["My awesome SP", "en"] | 
|         |   1363   #  name: ["Test SP", "en"] | 
|         |   1364   # | 
|         |   1365   #  organization: | 
|         |   1366   #    name: Example com | 
|         |   1367   #    display_name: | 
|         |   1368   #      - ["Example co", "en"] | 
|         |   1369   #    url: "http://example.com" | 
|         |   1370   # | 
|         |   1371   #  contact_person: | 
|         |   1372   #    - given_name: Bob | 
|         |   1373   #      sur_name: "the Sysadmin" | 
|         |   1374   #      email_address": ["[email protected]"] | 
|         |   1375   #      contact_type": technical | 
|         |   1376  | 
|         |   1377   # Instead of putting the config inline as above, you can specify a | 
|         |   1378   # separate pysaml2 configuration file: | 
|         |   1379   # | 
|         |   1380   #config_path: "/home/lhoersten/sp_conf.py" | 
|         |   1381  | 
|         |   1382   # The lifetime of a SAML session. This defines how long a user has to | 
|         |   1383   # complete the authentication process, if allow_unsolicited is unset. | 
|         |   1384   # The default is 5 minutes. | 
|         |   1385   # | 
|         |   1386   #saml_session_lifetime: 5m | 
|         |   1387  | 
|         |   1388   # An external module can be provided here as a custom solution to | 
|         |   1389   # mapping attributes returned from a saml provider onto a matrix user. | 
|         |   1390   # | 
|         |   1391   user_mapping_provider: | 
|         |   1392     # The custom module's class. Uncomment to use a custom module. | 
|         |   1393     # | 
|         |   1394     #module: mapping_provider.SamlMappingProvider | 
|         |   1395  | 
|         |   1396     # Custom configuration values for the module. Below options are | 
|         |   1397     # intended for the built-in provider, they should be changed if | 
|         |   1398     # using a custom module. This section will be passed as a Python | 
|         |   1399     # dictionary to the module's `parse_config` method. | 
|         |   1400     # | 
|         |   1401     config: | 
|         |   1402       # The SAML attribute (after mapping via the attribute maps) to use | 
|         |   1403       # to derive the Matrix ID from. 'uid' by default. | 
|         |   1404       # | 
|         |   1405       # Note: This used to be configured by the | 
|         |   1406       # saml2_config.mxid_source_attribute option. If that is still | 
|         |   1407       # defined, its value will be used instead. | 
|         |   1408       # | 
|         |   1409       #mxid_source_attribute: displayName | 
|         |   1410  | 
|         |   1411       # The mapping system to use for mapping the saml attribute onto a | 
|         |   1412       # matrix ID. | 
|         |   1413       # | 
|         |   1414       # Options include: | 
|         |   1415       #  * 'hexencode' (which maps unpermitted characters to '=xx') | 
|         |   1416       #  * 'dotreplace' (which replaces unpermitted characters with | 
|         |   1417       #     '.'). | 
|         |   1418       # The default is 'hexencode'. | 
|         |   1419       # | 
|         |   1420       # Note: This used to be configured by the | 
|         |   1421       # saml2_config.mxid_mapping option. If that is still defined, its | 
|         |   1422       # value will be used instead. | 
|         |   1423       # | 
|         |   1424       #mxid_mapping: dotreplace | 
|         |   1425  | 
|         |   1426   # In previous versions of synapse, the mapping from SAML attribute to | 
|         |   1427   # MXID was always calculated dynamically rather than stored in a | 
|         |   1428   # table. For backwards- compatibility, we will look for user_ids | 
|         |   1429   # matching such a pattern before creating a new account. | 
|         |   1430   # | 
|         |   1431   # This setting controls the SAML attribute which will be used for this | 
|         |   1432   # backwards-compatibility lookup. Typically it should be 'uid', but if | 
|         |   1433   # the attribute maps are changed, it may be necessary to change it. | 
|         |   1434   # | 
|         |   1435   # The default is 'uid'. | 
|         |   1436   # | 
|         |   1437   #grandfathered_mxid_source_attribute: upn | 
|         |   1438  | 
|         |   1439   # Directory in which Synapse will try to find the template files below. | 
|         |   1440   # If not set, default templates from within the Synapse package will be used. | 
|         |   1441   # | 
|         |   1442   # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. | 
|         |   1443   # If you *do* uncomment it, you will need to make sure that all the templates | 
|         |   1444   # below are in the directory. | 
|         |   1445   # | 
|         |   1446   # Synapse will look for the following templates in this directory: | 
|         |   1447   # | 
|         |   1448   # * HTML page to display to users if something goes wrong during the | 
|         |   1449   #   authentication process: 'saml_error.html'. | 
|         |   1450   # | 
|         |   1451   #   This template doesn't currently need any variable to render. | 
|         |   1452   # | 
|         |   1453   # You can see the default templates at: | 
|         |   1454   # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates | 
|         |   1455   # | 
|         |   1456   #template_dir: "res/templates" | 
|    513  |   1457  | 
|    514  |   1458  | 
|    515  |   1459  | 
|    516 # Enable CAS for registration and login. |   1460 # Enable CAS for registration and login. | 
|         |   1461 # | 
|    517 #cas_config: |   1462 #cas_config: | 
|    518 #   enabled: true |   1463 #   enabled: true | 
|    519 #   server_url: "https://cas-server.com" |   1464 #   server_url: "https://cas-server.com" | 
|    520 #   service_url: "https://homeserver.domain.com:8448" |   1465 #   service_url: "https://homeserver.domain.com:8448" | 
|         |   1466 #   #displayname_attribute: name | 
|    521 #   #required_attributes: |   1467 #   #required_attributes: | 
|    522 #   #    name: value |   1468 #   #    name: value | 
|    523  |   1469  | 
|    524  |   1470  | 
|         |   1471 # Additional settings to use with single-sign on systems such as SAML2 and CAS. | 
|         |   1472 # | 
|         |   1473 sso: | 
|         |   1474     # A list of client URLs which are whitelisted so that the user does not | 
|         |   1475     # have to confirm giving access to their account to the URL. Any client | 
|         |   1476     # whose URL starts with an entry in the following list will not be subject | 
|         |   1477     # to an additional confirmation step after the SSO login is completed. | 
|         |   1478     # | 
|         |   1479     # WARNING: An entry such as "https://my.client" is insecure, because it | 
|         |   1480     # will also match "https://my.client.evil.site", exposing your users to | 
|         |   1481     # phishing attacks from evil.site. To avoid this, include a slash after the | 
|         |   1482     # hostname: "https://my.client/". | 
|         |   1483     # | 
|         |   1484     # If public_baseurl is set, then the login fallback page (used by clients | 
|         |   1485     # that don't natively support the required login flows) is whitelisted in | 
|         |   1486     # addition to any URLs in this list. | 
|         |   1487     # | 
|         |   1488     # By default, this list is empty. | 
|         |   1489     # | 
|         |   1490     #client_whitelist: | 
|         |   1491     #  - https://riot.im/develop | 
|         |   1492     #  - https://my.custom.client/ | 
|         |   1493  | 
|         |   1494     # Directory in which Synapse will try to find the template files below. | 
|         |   1495     # If not set, default templates from within the Synapse package will be used. | 
|         |   1496     # | 
|         |   1497     # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. | 
|         |   1498     # If you *do* uncomment it, you will need to make sure that all the templates | 
|         |   1499     # below are in the directory. | 
|         |   1500     # | 
|         |   1501     # Synapse will look for the following templates in this directory: | 
|         |   1502     # | 
|         |   1503     # * HTML page for a confirmation step before redirecting back to the client | 
|         |   1504     #   with the login token: 'sso_redirect_confirm.html'. | 
|         |   1505     # | 
|         |   1506     #   When rendering, this template is given three variables: | 
|         |   1507     #     * redirect_url: the URL the user is about to be redirected to. Needs | 
|         |   1508     #                     manual escaping (see | 
|         |   1509     #                     https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). | 
|         |   1510     # | 
|         |   1511     #     * display_url: the same as `redirect_url`, but with the query | 
|         |   1512     #                    parameters stripped. The intention is to have a | 
|         |   1513     #                    human-readable URL to show to users, not to use it as | 
|         |   1514     #                    the final address to redirect to. Needs manual escaping | 
|         |   1515     #                    (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). | 
|         |   1516     # | 
|         |   1517     #     * server_name: the homeserver's name. | 
|         |   1518     # | 
|         |   1519     # * HTML page which notifies the user that they are authenticating to confirm | 
|         |   1520     #   an operation on their account during the user interactive authentication | 
|         |   1521     #   process: 'sso_auth_confirm.html'. | 
|         |   1522     # | 
|         |   1523     #   When rendering, this template is given the following variables: | 
|         |   1524     #     * redirect_url: the URL the user is about to be redirected to. Needs | 
|         |   1525     #                     manual escaping (see | 
|         |   1526     #                     https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). | 
|         |   1527     # | 
|         |   1528     #     * description: the operation which the user is being asked to confirm | 
|         |   1529     # | 
|         |   1530     # * HTML page shown after a successful user interactive authentication session: | 
|         |   1531     #   'sso_auth_success.html'. | 
|         |   1532     # | 
|         |   1533     #   Note that this page must include the JavaScript which notifies of a successful authentication | 
|         |   1534     #   (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). | 
|         |   1535     # | 
|         |   1536     #   This template has no additional variables. | 
|         |   1537     # | 
|         |   1538     # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) | 
|         |   1539     #   attempts to login: 'sso_account_deactivated.html'. | 
|         |   1540     # | 
|         |   1541     #   This template has no additional variables. | 
|         |   1542     # | 
|         |   1543     # You can see the default templates at: | 
|         |   1544     # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates | 
|         |   1545     # | 
|         |   1546     #template_dir: "res/templates" | 
|         |   1547  | 
|         |   1548  | 
|    525 # The JWT needs to contain a globally unique "sub" (subject) claim. |   1549 # The JWT needs to contain a globally unique "sub" (subject) claim. | 
|    526 # |   1550 # | 
|    527 # jwt_config: |   1551 #jwt_config: | 
|    528 #    enabled: true |   1552 #   enabled: true | 
|    529 #    secret: "a secret" |   1553 #   secret: "a secret" | 
|    530 #    algorithm: "HS256" |   1554 #   algorithm: "HS256" | 
|    531  |   1555  | 
|    532  |   1556  | 
|    533  |         | 
|    534 # Enable password for login. |         | 
|    535 password_config: |   1557 password_config: | 
|    536    enabled: true |   1558    # Uncomment to disable password login | 
|         |   1559    # | 
|         |   1560    #enabled: false | 
|         |   1561  | 
|         |   1562    # Uncomment to disable authentication against the local password | 
|         |   1563    # database. This is ignored if `enabled` is false, and is only useful | 
|         |   1564    # if you have other password_providers. | 
|         |   1565    # | 
|         |   1566    #localdb_enabled: false | 
|         |   1567  | 
|    537    # Uncomment and change to a secret random string for extra security. |   1568    # Uncomment and change to a secret random string for extra security. | 
|    538    # DO NOT CHANGE THIS AFTER INITIAL SETUP! |   1569    # DO NOT CHANGE THIS AFTER INITIAL SETUP! | 
|    539    #pepper: "" |   1570    # | 
|    540  |   1571    #pepper: "EVEN_MORE_SECRET" | 
|    541  |   1572  | 
|    542  |   1573    # Define and enforce a password policy. Each parameter is optional. | 
|    543 # Enable sending emails for notification events |   1574    # This is an implementation of MSC2000. | 
|    544 # Defining a custom URL for Riot is only needed if email notifications |   1575    # | 
|    545 # should contain links to a self-hosted installation of Riot; when set |   1576    policy: | 
|    546 # the "app_name" setting is ignored. |   1577       # Whether to enforce the password policy. | 
|    547 # |   1578       # Defaults to 'false'. | 
|    548 # If your SMTP server requires authentication, the optional smtp_user & |   1579       # | 
|    549 # smtp_pass variables should be used |   1580       #enabled: true | 
|    550 # |   1581  | 
|    551 #email: |   1582       # Minimum accepted length for a password. | 
|    552 #   enable_notifs: false |   1583       # Defaults to 0. | 
|    553 #   smtp_host: "localhost" |   1584       # | 
|    554 #   smtp_port: 25 |   1585       #minimum_length: 15 | 
|    555 #   smtp_user: "exampleusername" |   1586  | 
|    556 #   smtp_pass: "examplepassword" |   1587       # Whether a password must contain at least one digit. | 
|    557 #   require_transport_security: False |   1588       # Defaults to 'false'. | 
|    558 #   notif_from: "Your Friendly %(app)s Home Server <[email protected]>" |   1589       # | 
|    559 #   app_name: Matrix |   1590       #require_digit: true | 
|    560 #   template_dir: res/templates |   1591  | 
|    561 #   notif_template_html: notif_mail.html |   1592       # Whether a password must contain at least one symbol. | 
|    562 #   notif_template_text: notif_mail.txt |   1593       # A symbol is any character that's not a number or a letter. | 
|    563 #   notif_for_new_users: True |   1594       # Defaults to 'false'. | 
|    564 #   riot_base_url: "http://localhost/riot" |   1595       # | 
|    565  |   1596       #require_symbol: true | 
|    566  |   1597  | 
|    567 # password_providers: |   1598       # Whether a password must contain at least one lowercase letter. | 
|    568 #     - module: "ldap_auth_provider.LdapAuthProvider" |   1599       # Defaults to 'false'. | 
|    569 #       config: |   1600       # | 
|    570 #         enabled: true |   1601       #require_lowercase: true | 
|    571 #         uri: "ldap://ldap.example.com:389" |   1602  | 
|    572 #         start_tls: true |   1603       # Whether a password must contain at least one lowercase letter. | 
|    573 #         base: "ou=users,dc=example,dc=com" |   1604       # Defaults to 'false'. | 
|    574 #         attributes: |   1605       # | 
|    575 #            uid: "cn" |   1606       #require_uppercase: true | 
|    576 #            mail: "email" |   1607  | 
|    577 #            name: "givenName" |   1608  | 
|    578 #         #bind_dn: |   1609 # Configuration for sending emails from Synapse. | 
|    579 #         #bind_password: |   1610 # | 
|    580 #         #filter: "(objectClass=posixAccount)" |   1611 email: | 
|         |   1612   # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. | 
|         |   1613   # | 
|         |   1614   #smtp_host: mail.server | 
|         |   1615  | 
|         |   1616   # The port on the mail server for outgoing SMTP. Defaults to 25. | 
|         |   1617   # | 
|         |   1618   #smtp_port: 587 | 
|         |   1619  | 
|         |   1620   # Username/password for authentication to the SMTP server. By default, no | 
|         |   1621   # authentication is attempted. | 
|         |   1622   # | 
|         |   1623   # smtp_user: "exampleusername" | 
|         |   1624   # smtp_pass: "examplepassword" | 
|         |   1625  | 
|         |   1626   # Uncomment the following to require TLS transport security for SMTP. | 
|         |   1627   # By default, Synapse will connect over plain text, and will then switch to | 
|         |   1628   # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, | 
|         |   1629   # Synapse will refuse to connect unless the server supports STARTTLS. | 
|         |   1630   # | 
|         |   1631   #require_transport_security: true | 
|         |   1632  | 
|         |   1633   # notif_from defines the "From" address to use when sending emails. | 
|         |   1634   # It must be set if email sending is enabled. | 
|         |   1635   # | 
|         |   1636   # The placeholder '%(app)s' will be replaced by the application name, | 
|         |   1637   # which is normally 'app_name' (below), but may be overridden by the | 
|         |   1638   # Matrix client application. | 
|         |   1639   # | 
|         |   1640   # Note that the placeholder must be written '%(app)s', including the | 
|         |   1641   # trailing 's'. | 
|         |   1642   # | 
|         |   1643   #notif_from: "Your Friendly %(app)s homeserver <[email protected]>" | 
|         |   1644  | 
|         |   1645   # app_name defines the default value for '%(app)s' in notif_from. It | 
|         |   1646   # defaults to 'Matrix'. | 
|         |   1647   # | 
|         |   1648   #app_name: my_branded_matrix_server | 
|         |   1649  | 
|         |   1650   # Uncomment the following to enable sending emails for messages that the user | 
|         |   1651   # has missed. Disabled by default. | 
|         |   1652   # | 
|         |   1653   #enable_notifs: true | 
|         |   1654  | 
|         |   1655   # Uncomment the following to disable automatic subscription to email | 
|         |   1656   # notifications for new users. Enabled by default. | 
|         |   1657   # | 
|         |   1658   #notif_for_new_users: false | 
|         |   1659  | 
|         |   1660   # Custom URL for client links within the email notifications. By default | 
|         |   1661   # links will be based on "https://matrix.to". | 
|         |   1662   # | 
|         |   1663   # (This setting used to be called riot_base_url; the old name is still | 
|         |   1664   # supported for backwards-compatibility but is now deprecated.) | 
|         |   1665   # | 
|         |   1666   #client_base_url: "http://localhost/riot" | 
|         |   1667  | 
|         |   1668   # Configure the time that a validation email will expire after sending. | 
|         |   1669   # Defaults to 1h. | 
|         |   1670   # | 
|         |   1671   #validation_token_lifetime: 15m | 
|         |   1672  | 
|         |   1673   # Directory in which Synapse will try to find the template files below. | 
|         |   1674   # If not set, default templates from within the Synapse package will be used. | 
|         |   1675   # | 
|         |   1676   # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. | 
|         |   1677   # If you *do* uncomment it, you will need to make sure that all the templates | 
|         |   1678   # below are in the directory. | 
|         |   1679   # | 
|         |   1680   # Synapse will look for the following templates in this directory: | 
|         |   1681   # | 
|         |   1682   # * The contents of email notifications of missed events: 'notif_mail.html' and | 
|         |   1683   #   'notif_mail.txt'. | 
|         |   1684   # | 
|         |   1685   # * The contents of account expiry notice emails: 'notice_expiry.html' and | 
|         |   1686   #   'notice_expiry.txt'. | 
|         |   1687   # | 
|         |   1688   # * The contents of password reset emails sent by the homeserver: | 
|         |   1689   #   'password_reset.html' and 'password_reset.txt' | 
|         |   1690   # | 
|         |   1691   # * HTML pages for success and failure that a user will see when they follow | 
|         |   1692   #   the link in the password reset email: 'password_reset_success.html' and | 
|         |   1693   #   'password_reset_failure.html' | 
|         |   1694   # | 
|         |   1695   # * The contents of address verification emails sent during registration: | 
|         |   1696   #   'registration.html' and 'registration.txt' | 
|         |   1697   # | 
|         |   1698   # * HTML pages for success and failure that a user will see when they follow | 
|         |   1699   #   the link in an address verification email sent during registration: | 
|         |   1700   #   'registration_success.html' and 'registration_failure.html' | 
|         |   1701   # | 
|         |   1702   # * The contents of address verification emails sent when an address is added | 
|         |   1703   #   to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' | 
|         |   1704   # | 
|         |   1705   # * HTML pages for success and failure that a user will see when they follow | 
|         |   1706   #   the link in an address verification email sent when an address is added | 
|         |   1707   #   to a Matrix account: 'add_threepid_success.html' and | 
|         |   1708   #   'add_threepid_failure.html' | 
|         |   1709   # | 
|         |   1710   # You can see the default templates at: | 
|         |   1711   # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates | 
|         |   1712   # | 
|         |   1713   #template_dir: "res/templates" | 
|         |   1714  | 
|         |   1715  | 
|         |   1716 # Password providers allow homeserver administrators to integrate | 
|         |   1717 # their Synapse installation with existing authentication methods | 
|         |   1718 # ex. LDAP, external tokens, etc. | 
|         |   1719 # | 
|         |   1720 # For more information and known implementations, please see | 
|         |   1721 # https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md | 
|         |   1722 # | 
|         |   1723 # Note: instances wishing to use SAML or CAS authentication should | 
|         |   1724 # instead use the `saml2_config` or `cas_config` options, | 
|         |   1725 # respectively. | 
|         |   1726 # | 
|         |   1727 password_providers: | 
|         |   1728 #    # Example config for an LDAP auth provider | 
|         |   1729 #    - module: "ldap_auth_provider.LdapAuthProvider" | 
|         |   1730 #      config: | 
|         |   1731 #        enabled: true | 
|         |   1732 #        uri: "ldap://ldap.example.com:389" | 
|         |   1733 #        start_tls: true | 
|         |   1734 #        base: "ou=users,dc=example,dc=com" | 
|         |   1735 #        attributes: | 
|         |   1736 #           uid: "cn" | 
|         |   1737 #           mail: "email" | 
|         |   1738 #           name: "givenName" | 
|         |   1739 #        #bind_dn: | 
|         |   1740 #        #bind_password: | 
|         |   1741 #        #filter: "(objectClass=posixAccount)" | 
|    581  |   1742  | 
|    582  |   1743  | 
|    583  |   1744  | 
|    584 # Clients requesting push notifications can either have the body of |   1745 # Clients requesting push notifications can either have the body of | 
|    585 # the message sent in the notification poke along with other details |   1746 # the message sent in the notification poke along with other details | 
|    586 # like the sender, or just the event ID and room ID (`event_id_only`). |   1747 # like the sender, or just the event ID and room ID (`event_id_only`). | 
|    587 # If clients choose the former, this option controls whether the |   1748 # If clients choose the former, this option controls whether the | 
|    588 # notification request includes the content of the event (other details |   1749 # notification request includes the content of the event (other details | 
|    589 # like the sender are still included). For `event_id_only` push, it |   1750 # like the sender are still included). For `event_id_only` push, it | 
|    590 # has no effect. |   1751 # has no effect. | 
|    591  |   1752 # | 
|    592 # For modern android devices the notification content will still appear |   1753 # For modern android devices the notification content will still appear | 
|    593 # because it is loaded by the app. iPhone, however will send a |   1754 # because it is loaded by the app. iPhone, however will send a | 
|    594 # notification saying only that a message arrived and who it came from. |   1755 # notification saying only that a message arrived and who it came from. | 
|    595 # |   1756 # | 
|    596 #push: |   1757 #push: | 
|    597 #   include_content: true |   1758 #  include_content: true | 
|    598  |   1759  | 
|    599  |   1760  | 
|    600 # spam_checker: |   1761 #spam_checker: | 
|    601 #     module: "my_custom_project.SuperSpamChecker" |   1762 #  module: "my_custom_project.SuperSpamChecker" | 
|    602 #     config: |   1763 #  config: | 
|    603 #         example_option: 'things' |   1764 #    example_option: 'things' | 
|    604  |   1765  | 
|    605  |   1766  | 
|    606 # Whether to allow non server admins to create groups on this server |   1767 # Uncomment to allow non-server-admin users to create groups on this server | 
|    607 enable_group_creation: false |   1768 # | 
|         |   1769 #enable_group_creation: true | 
|    608  |   1770  | 
|    609 # If enabled, non server admins can only create groups with local parts |   1771 # If enabled, non server admins can only create groups with local parts | 
|    610 # starting with this prefix |   1772 # starting with this prefix | 
|    611 # group_creation_prefix: "unofficial/" |   1773 # | 
|         |   1774 #group_creation_prefix: "unofficial/" | 
|    612  |   1775  | 
|    613  |   1776  | 
|    614  |   1777  | 
|    615 # User Directory configuration |   1778 # User Directory configuration | 
|         |   1779 # | 
|         |   1780 # 'enabled' defines whether users can search the user directory. If | 
|         |   1781 # false then empty responses are returned to all queries. Defaults to | 
|         |   1782 # true. | 
|    616 # |   1783 # | 
|    617 # 'search_all_users' defines whether to search all users visible to your HS |   1784 # 'search_all_users' defines whether to search all users visible to your HS | 
|    618 # when searching the user directory, rather than limiting to users visible |   1785 # when searching the user directory, rather than limiting to users visible | 
|    619 # in public rooms.  Defaults to false.  If you set it True, you'll have to run |   1786 # in public rooms.  Defaults to false.  If you set it True, you'll have to | 
|    620 # UPDATE user_directory_stream_pos SET stream_id = NULL; |   1787 # rebuild the user_directory search indexes, see | 
|    621 # on your database to tell it to rebuild the user_directory search indexes. |   1788 # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md | 
|    622 # |   1789 # | 
|    623 #user_directory: |   1790 #user_directory: | 
|    624 #   search_all_users: false |   1791 #  enabled: true | 
|         |   1792 #  search_all_users: false | 
|         |   1793  | 
|         |   1794  | 
|         |   1795 # User Consent configuration | 
|         |   1796 # | 
|         |   1797 # for detailed instructions, see | 
|         |   1798 # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md | 
|         |   1799 # | 
|         |   1800 # Parts of this section are required if enabling the 'consent' resource under | 
|         |   1801 # 'listeners', in particular 'template_dir' and 'version'. | 
|         |   1802 # | 
|         |   1803 # 'template_dir' gives the location of the templates for the HTML forms. | 
|         |   1804 # This directory should contain one subdirectory per language (eg, 'en', 'fr'), | 
|         |   1805 # and each language directory should contain the policy document (named as | 
|         |   1806 # '<version>.html') and a success page (success.html). | 
|         |   1807 # | 
|         |   1808 # 'version' specifies the 'current' version of the policy document. It defines | 
|         |   1809 # the version to be served by the consent resource if there is no 'v' | 
|         |   1810 # parameter. | 
|         |   1811 # | 
|         |   1812 # 'server_notice_content', if enabled, will send a user a "Server Notice" | 
|         |   1813 # asking them to consent to the privacy policy. The 'server_notices' section | 
|         |   1814 # must also be configured for this to work. Notices will *not* be sent to | 
|         |   1815 # guest users unless 'send_server_notice_to_guests' is set to true. | 
|         |   1816 # | 
|         |   1817 # 'block_events_error', if set, will block any attempts to send events | 
|         |   1818 # until the user consents to the privacy policy. The value of the setting is | 
|         |   1819 # used as the text of the error. | 
|         |   1820 # | 
|         |   1821 # 'require_at_registration', if enabled, will add a step to the registration | 
|         |   1822 # process, similar to how captcha works. Users will be required to accept the | 
|         |   1823 # policy before their account is created. | 
|         |   1824 # | 
|         |   1825 # 'policy_name' is the display name of the policy users will see when registering | 
|         |   1826 # for an account. Has no effect unless `require_at_registration` is enabled. | 
|         |   1827 # Defaults to "Privacy Policy". | 
|         |   1828 # | 
|         |   1829 #user_consent: | 
|         |   1830 #  template_dir: res/templates/privacy | 
|         |   1831 #  version: 1.0 | 
|         |   1832 #  server_notice_content: | 
|         |   1833 #    msgtype: m.text | 
|         |   1834 #    body: >- | 
|         |   1835 #      To continue using this homeserver you must review and agree to the | 
|         |   1836 #      terms and conditions at %(consent_uri)s | 
|         |   1837 #  send_server_notice_to_guests: true | 
|         |   1838 #  block_events_error: >- | 
|         |   1839 #    To continue using this homeserver you must review and agree to the | 
|         |   1840 #    terms and conditions at %(consent_uri)s | 
|         |   1841 #  require_at_registration: false | 
|         |   1842 #  policy_name: Privacy Policy | 
|         |   1843 # | 
|         |   1844  | 
|         |   1845  | 
|         |   1846  | 
|         |   1847 # Local statistics collection. Used in populating the room directory. | 
|         |   1848 # | 
|         |   1849 # 'bucket_size' controls how large each statistics timeslice is. It can | 
|         |   1850 # be defined in a human readable short form -- e.g. "1d", "1y". | 
|         |   1851 # | 
|         |   1852 # 'retention' controls how long historical statistics will be kept for. | 
|         |   1853 # It can be defined in a human readable short form -- e.g. "1d", "1y". | 
|         |   1854 # | 
|         |   1855 # | 
|         |   1856 #stats: | 
|         |   1857 #   enabled: true | 
|         |   1858 #   bucket_size: 1d | 
|         |   1859 #   retention: 1y | 
|         |   1860  | 
|         |   1861  | 
|         |   1862 # Server Notices room configuration | 
|         |   1863 # | 
|         |   1864 # Uncomment this section to enable a room which can be used to send notices | 
|         |   1865 # from the server to users. It is a special room which cannot be left; notices | 
|         |   1866 # come from a special "notices" user id. | 
|         |   1867 # | 
|         |   1868 # If you uncomment this section, you *must* define the system_mxid_localpart | 
|         |   1869 # setting, which defines the id of the user which will be used to send the | 
|         |   1870 # notices. | 
|         |   1871 # | 
|         |   1872 # It's also possible to override the room name, the display name of the | 
|         |   1873 # "notices" user, and the avatar for the user. | 
|         |   1874 # | 
|         |   1875 #server_notices: | 
|         |   1876 #  system_mxid_localpart: notices | 
|         |   1877 #  system_mxid_display_name: "Server Notices" | 
|         |   1878 #  system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" | 
|         |   1879 #  room_name: "Server Notices" | 
|         |   1880  | 
|         |   1881  | 
|         |   1882  | 
|         |   1883 # Uncomment to disable searching the public room list. When disabled | 
|         |   1884 # blocks searching local and remote room lists for local and remote | 
|         |   1885 # users by always returning an empty list for all queries. | 
|         |   1886 # | 
|         |   1887 #enable_room_list_search: false | 
|         |   1888  | 
|         |   1889 # The `alias_creation` option controls who's allowed to create aliases | 
|         |   1890 # on this server. | 
|         |   1891 # | 
|         |   1892 # The format of this option is a list of rules that contain globs that | 
|         |   1893 # match against user_id, room_id and the new alias (fully qualified with | 
|         |   1894 # server name). The action in the first rule that matches is taken, | 
|         |   1895 # which can currently either be "allow" or "deny". | 
|         |   1896 # | 
|         |   1897 # Missing user_id/room_id/alias fields default to "*". | 
|         |   1898 # | 
|         |   1899 # If no rules match the request is denied. An empty list means no one | 
|         |   1900 # can create aliases. | 
|         |   1901 # | 
|         |   1902 # Options for the rules include: | 
|         |   1903 # | 
|         |   1904 #   user_id: Matches against the creator of the alias | 
|         |   1905 #   alias: Matches against the alias being created | 
|         |   1906 #   room_id: Matches against the room ID the alias is being pointed at | 
|         |   1907 #   action: Whether to "allow" or "deny" the request if the rule matches | 
|         |   1908 # | 
|         |   1909 # The default is: | 
|         |   1910 # | 
|         |   1911 #alias_creation_rules: | 
|         |   1912 #  - user_id: "*" | 
|         |   1913 #    alias: "*" | 
|         |   1914 #    room_id: "*" | 
|         |   1915 #    action: allow | 
|         |   1916  | 
|         |   1917 # The `room_list_publication_rules` option controls who can publish and | 
|         |   1918 # which rooms can be published in the public room list. | 
|         |   1919 # | 
|         |   1920 # The format of this option is the same as that for | 
|         |   1921 # `alias_creation_rules`. | 
|         |   1922 # | 
|         |   1923 # If the room has one or more aliases associated with it, only one of | 
|         |   1924 # the aliases needs to match the alias rule. If there are no aliases | 
|         |   1925 # then only rules with `alias: *` match. | 
|         |   1926 # | 
|         |   1927 # If no rules match the request is denied. An empty list means no one | 
|         |   1928 # can publish rooms. | 
|         |   1929 # | 
|         |   1930 # Options for the rules include: | 
|         |   1931 # | 
|         |   1932 #   user_id: Matches agaisnt the creator of the alias | 
|         |   1933 #   room_id: Matches against the room ID being published | 
|         |   1934 #   alias: Matches against any current local or canonical aliases | 
|         |   1935 #            associated with the room | 
|         |   1936 #   action: Whether to "allow" or "deny" the request if the rule matches | 
|         |   1937 # | 
|         |   1938 # The default is: | 
|         |   1939 # | 
|         |   1940 #room_list_publication_rules: | 
|         |   1941 #  - user_id: "*" | 
|         |   1942 #    alias: "*" | 
|         |   1943 #    room_id: "*" | 
|         |   1944 #    action: allow | 
|         |   1945  | 
|         |   1946  | 
|         |   1947 # Server admins can define a Python module that implements extra rules for | 
|         |   1948 # allowing or denying incoming events. In order to work, this module needs to | 
|         |   1949 # override the methods defined in synapse/events/third_party_rules.py. | 
|         |   1950 # | 
|         |   1951 # This feature is designed to be used in closed federations only, where each | 
|         |   1952 # participating server enforces the same rules. | 
|         |   1953 # | 
|         |   1954 #third_party_event_rules: | 
|         |   1955 #  module: "my_custom_project.SuperRulesSet" | 
|         |   1956 #  config: | 
|         |   1957 #    example_option: 'things' | 
|         |   1958  | 
|         |   1959  | 
|         |   1960 ## Opentracing ## | 
|         |   1961  | 
|         |   1962 # These settings enable opentracing, which implements distributed tracing. | 
|         |   1963 # This allows you to observe the causal chains of events across servers | 
|         |   1964 # including requests, key lookups etc., across any server running | 
|         |   1965 # synapse or any other other services which supports opentracing | 
|         |   1966 # (specifically those implemented with Jaeger). | 
|         |   1967 # | 
|         |   1968 opentracing: | 
|         |   1969     # tracing is disabled by default. Uncomment the following line to enable it. | 
|         |   1970     # | 
|         |   1971     #enabled: true | 
|         |   1972  | 
|         |   1973     # The list of homeservers we wish to send and receive span contexts and span baggage. | 
|         |   1974     # See docs/opentracing.rst | 
|         |   1975     # This is a list of regexes which are matched against the server_name of the | 
|         |   1976     # homeserver. | 
|         |   1977     # | 
|         |   1978     # By defult, it is empty, so no servers are matched. | 
|         |   1979     # | 
|         |   1980     #homeserver_whitelist: | 
|         |   1981     #  - ".*" | 
|         |   1982  | 
|         |   1983     # Jaeger can be configured to sample traces at different rates. | 
|         |   1984     # All configuration options provided by Jaeger can be set here. | 
|         |   1985     # Jaeger's configuration mostly related to trace sampling which | 
|         |   1986     # is documented here: | 
|         |   1987     # https://www.jaegertracing.io/docs/1.13/sampling/. | 
|         |   1988     # | 
|         |   1989     #jaeger_config: | 
|         |   1990     #  sampler: | 
|         |   1991     #    type: const | 
|         |   1992     #    param: 1 | 
|         |   1993  | 
|         |   1994     #  Logging whether spans were started and reported | 
|         |   1995     # | 
|         |   1996     #  logging: | 
|         |   1997     #    false | 
|         |   1998  | 
|         |   1999  | 
|         |   2000 # vim:ft=yaml |