1 # Configuration file for Synapse. |
|
2 # |
|
3 # This is a YAML file: see [1] for a quick introduction. Note in particular |
|
4 # that *indentation is important*: all the elements of a list or dictionary |
|
5 # should have the same indentation. |
|
6 # |
|
7 # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html |
|
8 |
|
9 ## Server ## |
|
10 |
|
11 # The domain name of the server, with optional explicit port. |
|
12 # This is used by remote servers to connect to this server, |
|
13 # e.g. matrix.org, localhost:8080, etc. |
|
14 # This is also the last part of your UserID. |
|
15 # |
|
16 server_name: "{{matrix_synapse_server_name}}" |
|
17 |
|
18 # When running as a daemon, the file to store the pid in |
|
19 # |
|
20 pid_file: "/var/run/matrix-synapse.pid" |
|
21 |
|
22 # The absolute URL to the web client which /_matrix/client will redirect |
|
23 # to if 'webclient' is configured under the 'listeners' configuration. |
|
24 # |
|
25 # This option can be also set to the filesystem path to the web client |
|
26 # which will be served at /_matrix/client/ if 'webclient' is configured |
|
27 # under the 'listeners' configuration, however this is a security risk: |
|
28 # https://github.com/matrix-org/synapse#security-note |
|
29 # |
|
30 #web_client_location: https://riot.example.com/ |
|
31 |
|
32 # The public-facing base URL that clients use to access this HS |
|
33 # (not including _matrix/...). This is the same URL a user would |
|
34 # enter into the 'custom HS URL' field on their client. If you |
|
35 # use synapse with a reverse proxy, this should be the URL to reach |
|
36 # synapse via the proxy. |
|
37 # |
|
38 #public_baseurl: https://example.com/ |
|
39 |
|
40 # Set the soft limit on the number of file descriptors synapse can use |
|
41 # Zero is used to indicate synapse should set the soft limit to the |
|
42 # hard limit. |
|
43 # |
|
44 #soft_file_limit: 0 |
|
45 |
|
46 # Set to false to disable presence tracking on this homeserver. |
|
47 # |
|
48 #use_presence: false |
|
49 |
|
50 # Whether to require authentication to retrieve profile data (avatars, |
|
51 # display names) of other users through the client API. Defaults to |
|
52 # 'false'. Note that profile data is also available via the federation |
|
53 # API, so this setting is of limited value if federation is enabled on |
|
54 # the server. |
|
55 # |
|
56 #require_auth_for_profile_requests: true |
|
57 |
|
58 # Uncomment to require a user to share a room with another user in order |
|
59 # to retrieve their profile information. Only checked on Client-Server |
|
60 # requests. Profile requests from other servers should be checked by the |
|
61 # requesting server. Defaults to 'false'. |
|
62 # |
|
63 #limit_profile_requests_to_users_who_share_rooms: true |
|
64 |
|
65 # If set to 'true', removes the need for authentication to access the server's |
|
66 # public rooms directory through the client API, meaning that anyone can |
|
67 # query the room directory. Defaults to 'false'. |
|
68 # |
|
69 #allow_public_rooms_without_auth: true |
|
70 |
|
71 # If set to 'true', allows any other homeserver to fetch the server's public |
|
72 # rooms directory via federation. Defaults to 'false'. |
|
73 # |
|
74 #allow_public_rooms_over_federation: true |
|
75 |
|
76 # The default room version for newly created rooms. |
|
77 # |
|
78 # Known room versions are listed here: |
|
79 # https://matrix.org/docs/spec/#complete-list-of-room-versions |
|
80 # |
|
81 # For example, for room version 1, default_room_version should be set |
|
82 # to "1". |
|
83 # |
|
84 #default_room_version: "5" |
|
85 |
|
86 # The GC threshold parameters to pass to `gc.set_threshold`, if defined |
|
87 # |
|
88 #gc_thresholds: [700, 10, 10] |
|
89 |
|
90 # Set the limit on the returned events in the timeline in the get |
|
91 # and sync operations. The default value is -1, which means no upper limit. |
|
92 # |
|
93 #filter_timeline_limit: 5000 |
|
94 |
|
95 # Whether room invites to users on this server should be blocked |
|
96 # (except those sent by local server admins). The default is False. |
|
97 # |
|
98 #block_non_admin_invites: true |
|
99 |
|
100 # Room searching |
|
101 # |
|
102 # If disabled, new messages will not be indexed for searching and users |
|
103 # will receive errors when searching for messages. Defaults to enabled. |
|
104 # |
|
105 #enable_search: false |
|
106 |
|
107 # Restrict federation to the following whitelist of domains. |
|
108 # N.B. we recommend also firewalling your federation listener to limit |
|
109 # inbound federation traffic as early as possible, rather than relying |
|
110 # purely on this application-layer restriction. If not specified, the |
|
111 # default is to whitelist everything. |
|
112 # |
|
113 #federation_domain_whitelist: |
|
114 # - lon.example.com |
|
115 # - nyc.example.com |
|
116 # - syd.example.com |
|
117 |
|
118 # Prevent federation requests from being sent to the following |
|
119 # blacklist IP address CIDR ranges. If this option is not specified, or |
|
120 # specified with an empty list, no ip range blacklist will be enforced. |
|
121 # |
|
122 # As of Synapse v1.4.0 this option also affects any outbound requests to identity |
|
123 # servers provided by user input. |
|
124 # |
|
125 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly |
|
126 # listed here, since they correspond to unroutable addresses.) |
|
127 # |
|
128 federation_ip_range_blacklist: |
|
129 - '127.0.0.0/8' |
|
130 - '10.0.0.0/8' |
|
131 - '172.16.0.0/12' |
|
132 - '192.168.0.0/16' |
|
133 - '100.64.0.0/10' |
|
134 - '169.254.0.0/16' |
|
135 - '::1/128' |
|
136 - 'fe80::/64' |
|
137 - 'fc00::/7' |
|
138 |
|
139 # List of ports that Synapse should listen on, their purpose and their |
|
140 # configuration. |
|
141 # |
|
142 # Options for each listener include: |
|
143 # |
|
144 # port: the TCP port to bind to |
|
145 # |
|
146 # bind_addresses: a list of local addresses to listen on. The default is |
|
147 # 'all local interfaces'. |
|
148 # |
|
149 # type: the type of listener. Normally 'http', but other valid options are: |
|
150 # 'manhole' (see docs/manhole.md), |
|
151 # 'metrics' (see docs/metrics-howto.md), |
|
152 # 'replication' (see docs/workers.md). |
|
153 # |
|
154 # tls: set to true to enable TLS for this listener. Will use the TLS |
|
155 # key/cert specified in tls_private_key_path / tls_certificate_path. |
|
156 # |
|
157 # x_forwarded: Only valid for an 'http' listener. Set to true to use the |
|
158 # X-Forwarded-For header as the client IP. Useful when Synapse is |
|
159 # behind a reverse-proxy. Only enable it on a listener that is reachable solely from that proxy, since the header is otherwise client-controlled. |
|
160 # |
|
161 # resources: Only valid for an 'http' listener. A list of resources to host |
|
162 # on this port. Options for each resource are: |
|
163 # |
|
164 # names: a list of names of HTTP resources. See below for a list of |
|
165 # valid resource names. |
|
166 # |
|
167 # compress: set to true to enable HTTP compression for this resource. |
|
168 # |
|
169 # additional_resources: Only valid for an 'http' listener. A map of |
|
170 # additional endpoints which should be loaded via dynamic modules. |
|
171 # |
|
172 # Valid resource names are: |
|
173 # |
|
174 # client: the client-server API (/_matrix/client), and the synapse admin |
|
175 # API (/_synapse/admin). Also implies 'media' and 'static'. |
|
176 # |
|
177 # consent: user consent forms (/_matrix/consent). See |
|
178 # docs/consent_tracking.md. |
|
179 # |
|
180 # federation: the server-server API (/_matrix/federation). Also implies |
|
181 # 'media', 'keys', 'openid' |
|
182 # |
|
183 # keys: the key discovery API (/_matrix/keys). |
|
184 # |
|
185 # media: the media API (/_matrix/media). |
|
186 # |
|
187 # metrics: the metrics interface. See docs/metrics-howto.md. |
|
188 # |
|
189 # openid: OpenID authentication. |
|
190 # |
|
191 # replication: the HTTP replication API (/_synapse/replication). See |
|
192 # docs/workers.md. |
|
193 # |
|
194 # static: static resources under synapse/static (/_matrix/static). (Mostly |
|
195 # useful for 'fallback authentication'.) |
|
196 # |
|
197 # webclient: A web client. Requires web_client_location to be set. |
|
198 # |
|
199 listeners: |
|
200 # TLS-enabled listener: for when matrix traffic is sent directly to synapse. |
|
201 # |
|
202 # Disabled by default. To enable it, uncomment the following. (Note that you |
|
203 # will also need to give Synapse a TLS key and certificate: see the TLS section |
|
204 # below.) |
|
205 # |
|
206 #- port: 8448 |
|
207 # type: http |
|
208 # tls: true |
|
209 # resources: |
|
210 # - names: [client, federation] |
|
211 |
|
212 # Insecure HTTP listener: for when matrix traffic passes through a reverse proxy |
|
213 # that unwraps TLS. |
|
214 # |
|
215 # If you plan to use a reverse proxy, please see |
|
216 # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. |
|
217 # |
|
218 - port: 8008 |
|
219 tls: false |
|
220 type: http |
|
221 x_forwarded: true |
|
222 bind_addresses: ['::1', '127.0.0.1'] |
|
223 |
|
224 resources: |
|
225 - names: [client, federation] |
|
226 compress: false |
|
227 |
|
228 # example additional_resources: |
|
229 # |
|
230 #additional_resources: |
|
231 # "/_matrix/my/custom/endpoint": |
|
232 # module: my_module.CustomRequestHandler |
|
233 # config: {} |
|
234 |
|
235 # Turn on the twisted ssh manhole service on localhost on the given |
|
236 # port. |
|
237 # |
|
238 #- port: 9000 |
|
239 # bind_addresses: ['::1', '127.0.0.1'] |
|
240 # type: manhole |
|
241 |
|
242 # Forward extremities can build up in a room due to networking delays between |
|
243 # homeservers. Once this happens in a large room, calculation of the state of |
|
244 # that room can become quite expensive. To mitigate this, once the number of |
|
245 # forward extremities reaches a given threshold, Synapse will send an |
|
246 # org.matrix.dummy_event event, which will reduce the forward extremities |
|
247 # in the room. |
|
248 # |
|
249 # This setting defines the threshold (i.e. number of forward extremities in the |
|
250 # room) at which dummy events are sent. The default value is 10. |
|
251 # |
|
252 #dummy_events_threshold: 5 |
|
253 |
|
254 |
|
255 ## Homeserver blocking ## |
|
256 |
|
257 # How to reach the server admin, used in ResourceLimitError |
|
258 # |
|
259 #admin_contact: 'mailto:[email protected]' |
|
260 |
|
261 # Global blocking |
|
262 # |
|
263 #hs_disabled: false |
|
264 #hs_disabled_message: 'Human readable reason for why the HS is blocked' |
|
265 |
|
266 # Monthly Active User Blocking |
|
267 # |
|
268 # Used in cases where the admin or server owner wants to limit the |
|
269 # number of monthly active users. |
|
270 # |
|
271 # 'limit_usage_by_mau' disables/enables monthly active user blocking. When |
|
272 # enabled and a limit is reached the server returns a 'ResourceLimitError' |
|
273 # with error type Codes.RESOURCE_LIMIT_EXCEEDED |
|
274 # |
|
275 # 'max_mau_value' is the hard limit of monthly active users above which |
|
276 # the server will start blocking user actions. |
|
277 # |
|
278 # 'mau_trial_days' is a means to add a grace period for active users. It |
|
279 # means that users must be active for this number of days before they |
|
280 # can be considered active and guards against the case where lots of users |
|
281 # sign up in a short space of time never to return after their initial |
|
282 # session. |
|
283 # |
|
284 # 'mau_limit_alerting' is a means of limiting client side alerting |
|
285 # should the mau limit be reached. This is useful for small instances |
|
286 # where the admin has 5 mau seats (say) for 5 specific people and no |
|
287 # interest in increasing the mau limit further. Defaults to True, which |
|
288 # means that alerting is enabled |
|
289 # |
|
290 #limit_usage_by_mau: false |
|
291 #max_mau_value: 50 |
|
292 #mau_trial_days: 2 |
|
293 #mau_limit_alerting: false |
|
294 |
|
295 # If enabled, the metrics for the number of monthly active users will |
|
296 # be populated, however no one will be limited. If limit_usage_by_mau |
|
297 # is true, this is implied to be true. |
|
298 # |
|
299 #mau_stats_only: false |
|
300 |
|
301 # Sometimes the server admin will want to ensure certain accounts are |
|
302 # never blocked by mau checking. These accounts are specified here. |
|
303 # |
|
304 #mau_limit_reserved_threepids: |
|
305 # - medium: 'email' |
|
306 # address: '[email protected]' |
|
307 |
|
308 # Used by phonehome stats to group together related servers. |
|
309 #server_context: context |
|
310 |
|
311 # Resource-constrained homeserver Settings |
|
312 # |
|
313 # If limit_remote_rooms.enabled is True, the room complexity will be |
|
314 # checked before a user joins a new remote room. If it is above |
|
315 # limit_remote_rooms.complexity, it will disallow joining or |
|
316 # instantly leave. |
|
317 # |
|
318 # limit_remote_rooms.complexity_error can be set to customise the text |
|
319 # displayed to the user when a room above the complexity threshold has |
|
320 # its join cancelled. |
|
321 # |
|
322 # Uncomment the below lines to enable: |
|
323 #limit_remote_rooms: |
|
324 # enabled: true |
|
325 # complexity: 1.0 |
|
326 # complexity_error: "This room is too complex." |
|
327 |
|
328 # Whether to require a user to be in the room to add an alias to it. |
|
329 # Defaults to 'true'. |
|
330 # |
|
331 #require_membership_for_aliases: false |
|
332 |
|
333 # Whether to allow per-room membership profiles through the sending of membership |

334 # events with profile information that differs from the target's global profile. |
|
335 # Defaults to 'true'. |
|
336 # |
|
337 #allow_per_room_profiles: false |
|
338 |
|
339 # How long to keep redacted events in unredacted form in the database. After |
|
340 # this period redacted events get replaced with their redacted form in the DB. |
|
341 # |
|
342 # Defaults to `7d`. Set to `null` to disable. |
|
343 # |
|
344 #redaction_retention_period: 28d |
|
345 |
|
346 # How long to track users' last seen time and IPs in the database. |
|
347 # |
|
348 # Defaults to `28d`. Set to `null` to disable clearing out of old rows. |
|
349 # |
|
350 #user_ips_max_age: 14d |
|
351 |
|
352 # Message retention policy at the server level. |
|
353 # |
|
354 # Room admins and mods can define a retention period for their rooms using the |
|
355 # 'm.room.retention' state event, and server admins can cap this period by setting |
|
356 # the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. |
|
357 # |
|
358 # If this feature is enabled, Synapse will regularly look for and purge events |
|
359 # which are older than the room's maximum retention period. Synapse will also |
|
360 # filter events received over federation so that events that should have been |
|
361 # purged are ignored and not stored again. |
|
362 # |
|
363 retention: |
|
364 # The message retention policies feature is disabled by default. Uncomment the |
|
365 # following line to enable it. |
|
366 # |
|
367 #enabled: true |
|
368 |
|
369 # Default retention policy. If set, Synapse will apply it to rooms that lack the |
|
370 # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't |
|
371 # matter much because Synapse doesn't take it into account yet. |
|
372 # |
|
373 #default_policy: |
|
374 # min_lifetime: 1d |
|
375 # max_lifetime: 1y |
|
376 |
|
377 # Retention policy limits. If set, a user won't be able to send a |
|
378 # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime' |
|
379 # that's not within this range. This is especially useful in closed federations, |
|
380 # in which server admins can make sure every federating server applies the same |
|
381 # rules. |
|
382 # |
|
383 #allowed_lifetime_min: 1d |
|
384 #allowed_lifetime_max: 1y |
|
385 |
|
386 # Server admins can define the settings of the background jobs purging the |
|
387 # events whose lifetime has expired under the 'purge_jobs' section. |
|
388 # |
|
389 # If no configuration is provided, a single job will be set up to delete expired |
|
390 # events in every room daily. |
|
391 # |
|
392 # Each job's configuration defines which range of message lifetimes the job |
|
393 # takes care of. For example, if 'shortest_max_lifetime' is '2d' and |
|
394 # 'longest_max_lifetime' is '3d', the job will handle purging expired events in |
|
395 # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and |
|
396 # lower than or equal to 3 days. Both the minimum and the maximum value of a |
|
397 # range are optional, e.g. a job with no 'shortest_max_lifetime' and a |
|
398 # 'longest_max_lifetime' of '3d' will handle every room with a retention policy |
|
399 # whose 'max_lifetime' is lower than or equal to three days. |
|
400 # |
|
401 # The rationale for this per-job configuration is that some rooms might have a |
|
402 # retention policy with a low 'max_lifetime', where history needs to be purged |
|
403 # of outdated messages on a more frequent basis than for the rest of the rooms |
|
404 # (e.g. every 12h), but not want that purge to be performed by a job that's |
|
405 # iterating over every room it knows, which could be heavy on the server. |
|
406 # |
|
407 #purge_jobs: |
|
408 # - shortest_max_lifetime: 1d |
|
409 # longest_max_lifetime: 3d |
|
410 # interval: 12h |
|
411 # - shortest_max_lifetime: 3d |
|
412 # longest_max_lifetime: 1y |
|
413 # interval: 1d |
|
414 |
|
415 # Inhibits the /requestToken endpoints from returning an error that might leak |
|
416 # information about whether an e-mail address is in use or not on this |
|
417 # homeserver. |
|
418 # Note that for some endpoints the error situation is the e-mail already being |
|
419 # used, and for others the error is entering the e-mail being unused. |
|
420 # If this option is enabled, instead of returning an error, these endpoints will |
|
421 # act as if no error happened and return a fake session ID ('sid') to clients. |
|
422 # |
|
423 #request_token_inhibit_3pid_errors: true |
|
424 |
|
425 |
|
426 ## TLS ## |
|
427 |
|
428 # PEM-encoded X509 certificate for TLS. |
|
429 # This certificate, as of Synapse 1.0, will need to be a valid and verifiable |
|
430 # certificate, signed by a recognised Certificate Authority. |
|
431 # |
|
432 # See 'ACME support' below to enable auto-provisioning this certificate via |
|
433 # Let's Encrypt. |
|
434 # |
|
435 # If supplying your own, be sure to use a `.pem` file that includes the |
|
436 # full certificate chain including any intermediate certificates (for |
|
437 # instance, if using certbot, use `fullchain.pem` as your certificate, |
|
438 # not `cert.pem`). |
|
439 # |
|
440 #tls_certificate_path: "path/to/homeserver.tls.crt" |
|
441 |
|
442 # PEM-encoded private key for TLS |
|
443 # |
|
444 #tls_private_key_path: "path/to/homeserver.tls.key" |
|
445 |
|
446 # Whether to verify TLS server certificates for outbound federation requests. |
|
447 # |
|
448 # Defaults to `true`. To disable certificate verification, uncomment the |
|
449 # following line. Doing so removes the protection that verification provides against impersonation of remote homeservers; for a small set of trusted hosts, prefer federation_certificate_verification_whitelist or federation_custom_ca_list below instead. |
|
450 # |
|
451 #federation_verify_certificates: false |
|
452 |
|
453 # The minimum TLS version that will be used for outbound federation requests. |
|
454 # |
|
455 # Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note |
|
456 # that setting this value higher than `1.2` will prevent federation to most |
|
457 # of the public Matrix network: only configure it to `1.3` if you have an |
|
458 # entirely private federation setup and you can ensure TLS 1.3 support. |
|
459 # |
|
460 #federation_client_minimum_tls_version: 1.2 |
|
461 |
|
462 # Skip federation certificate verification on the following whitelist |
|
463 # of domains. |
|
464 # |
|
465 # This setting should only be used in very specific cases, such as |
|
466 # federation over Tor hidden services and similar. For private networks |
|
467 # of homeservers, you likely want to use a private CA instead. |
|
468 # |
|
469 # Only effective if federation_verify_certificates is `true`. |
|
470 # |
|
471 #federation_certificate_verification_whitelist: |
|
472 # - lon.example.com |
|
473 # - *.domain.com |
|
474 # - *.onion |
|
475 |
|
476 # List of custom certificate authorities for federation traffic. |
|
477 # |
|
478 # This setting should only normally be used within a private network of |
|
479 # homeservers. |
|
480 # |
|
481 # Note that this list will replace those that are provided by your |
|
482 # operating environment. Certificates must be in PEM format. |
|
483 # |
|
484 #federation_custom_ca_list: |
|
485 # - myCA1.pem |
|
486 # - myCA2.pem |
|
487 # - myCA3.pem |
|
488 |
|
489 # ACME support: This will configure Synapse to request a valid TLS certificate |
|
490 # for your configured `server_name` via Let's Encrypt. |
|
491 # |
|
492 # Note that ACME v1 is now deprecated, and Synapse currently doesn't support |
|
493 # ACME v2. This means that this feature currently won't work with installs set |
|
494 # up after November 2019. For more info, and alternative solutions, see |
|
495 # https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 |
|
496 # |
|
497 # Note that provisioning a certificate in this way requires port 80 to be |
|
498 # routed to Synapse so that it can complete the http-01 ACME challenge. |
|
499 # By default, if you enable ACME support, Synapse will attempt to listen on |
|
500 # port 80 for incoming http-01 challenges - however, this will likely fail |
|
501 # with 'Permission denied' or a similar error. |
|
502 # |
|
503 # There are a couple of potential solutions to this: |
|
504 # |
|
505 # * If you already have an Apache, Nginx, or similar listening on port 80, |
|
506 # you can configure Synapse to use an alternate port, and have your web |
|
507 # server forward the requests. For example, assuming you set 'port: 8009' |
|
508 # below, on Apache, you would write: |
|
509 # |
|
510 # ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge |
|
511 # |
|
512 # * Alternatively, you can use something like `authbind` to give Synapse |
|
513 # permission to listen on port 80. |
|
514 # |
|
515 acme: |
|
516 # ACME support is disabled by default. Set this to `true` and uncomment |
|
517 # tls_certificate_path and tls_private_key_path above to enable it. |
|
518 # |
|
519 enabled: false |
|
520 |
|
521 # Endpoint to use to request certificates. If you only want to test, |
|
522 # use Let's Encrypt's staging url: |
|
523 # https://acme-staging.api.letsencrypt.org/directory |
|
524 # |
|
525 #url: https://acme-v01.api.letsencrypt.org/directory |
|
526 |
|
527 # Port number to listen on for the HTTP-01 challenge. Change this if |
|
528 # you are forwarding connections through Apache/Nginx/etc. |
|
529 # |
|
530 port: 80 |
|
531 |
|
532 # Local addresses to listen on for incoming connections. |
|
533 # Again, you may want to change this if you are forwarding connections |
|
534 # through Apache/Nginx/etc. |
|
535 # |
|
536 bind_addresses: ['::', '0.0.0.0'] |
|
537 |
|
538 # How many days remaining on a certificate before it is renewed. |
|
539 # |
|
540 reprovision_threshold: 30 |
|
541 |
|
542 # The domain that the certificate should be for. Normally this |
|
543 # should be the same as your Matrix domain (i.e., 'server_name'), but, |
|
544 # by putting a file at 'https://<server_name>/.well-known/matrix/server', |
|
545 # you can delegate incoming traffic to another server. If you do that, |
|
546 # you should give the target of the delegation here. |
|
547 # |
|
548 # For example: if your 'server_name' is 'example.com', but |
|
549 # 'https://example.com/.well-known/matrix/server' delegates to |
|
550 # 'matrix.example.com', you should put 'matrix.example.com' here. |
|
551 # |
|
552 # If not set, defaults to your 'server_name'. |
|
553 # |
|
554 domain: matrix.example.com |
|
555 |
|
556 # file to use for the account key. This will be generated if it doesn't |
|
557 # exist. |
|
558 # |
|
559 # If unspecified, we will use CONFDIR/client.key. |
|
560 # |
|
561 account_key_file: path/to/homeserver/acme_account.key |
|
562 |
|
563 # List of allowed TLS fingerprints for this server to publish along |
|
564 # with the signing keys for this server. Other matrix servers that |
|
565 # make HTTPS requests to this server will check that the TLS |
|
566 # certificates returned by this server match one of the fingerprints. |
|
567 # |
|
568 # Synapse automatically adds the fingerprint of its own certificate |
|
569 # to the list. So if federation traffic is handled directly by synapse |
|
570 # then no modification to the list is required. |
|
571 # |
|
572 # If synapse is run behind a load balancer that handles the TLS then it |
|
573 # will be necessary to add the fingerprints of the certificates used by |
|
574 # the load balancers to this list if they are different from the one |
|
575 # synapse is using. |
|
576 # |
|
577 # Homeservers are permitted to cache the list of TLS fingerprints |
|
578 # returned in the key responses up to the "valid_until_ts" returned in |
|
579 # the key response. It may be necessary to publish the fingerprints of a new |
|
580 # certificate and wait until the "valid_until_ts" of the previous key |
|
581 # responses have passed before deploying it. |
|
582 # |
|
583 # You can calculate a fingerprint from a given TLS listener via: |
|
584 # openssl s_client -connect $host:$port < /dev/null 2> /dev/null | |
|
585 # openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' |
|
586 # or by checking matrix.org/federationtester/api/report?server_name=$host |
|
587 # |
|
588 #tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}] |
|
589 |
|
590 |
|
591 |
|
592 ## Database ## |
|
593 |
|
594 # The 'database' setting defines the database that synapse uses to store all of |
|
595 # its data. |
|
596 # |
|
597 # 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or |
|
598 # 'psycopg2' (for PostgreSQL). |
|
599 # |
|
600 # 'args' gives options which are passed through to the database engine, |
|
601 # except for options starting 'cp_', which are used to configure the Twisted |
|
602 # connection pool. For a reference to valid arguments, see: |
|
603 # * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect |
|
604 # * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS |
|
605 # * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ |
|
606 # |
|
607 # |
|
608 # Example SQLite configuration: |
|
609 # |
|
610 #database: |
|
611 # name: sqlite3 |
|
612 # args: |
|
613 # database: /path/to/homeserver.db |
|
614 # |
|
615 # |
|
616 # Example Postgres configuration: |
|
617 # |
|
618 #database: |
|
619 # name: psycopg2 |
|
620 # args: |
|
621 # user: synapse |
|
622 # password: secretpassword |
|
623 # database: synapse |
|
624 # host: localhost |
|
625 # cp_min: 5 |
|
626 # cp_max: 10 |
|
627 # |
|
628 # For more information on using Synapse with Postgres, see `docs/postgres.md`. |
|
629 # |
|
630 # database: |
|
631 # name: sqlite3 |
|
632 # args: |
|
633 # database: "{{matrix_synapse_sqlite_db}}" |
|
634 |
|
635 database: |
|
636 name: psycopg2 |
|
637 args: |
|
638 user: "{{matrix_synapse_pgsql_user}}" |
|
639 password: "{{matrix_synapse_pgsql_pass}}" |
|
640 database: "{{matrix_synapse_pgsql_db}}" |
|
641 host: "{{matrix_synapse_pgsql_host}}" |
|
642 cp_min: 5 |
|
643 cp_max: 10 |
|
644 |
|
645 # Number of events to cache in memory. |
|
646 # |
|
647 #event_cache_size: 10K |
|
648 |
|
649 |
|
650 ## Logging ## |
|
651 |
|
652 # A yaml python logging config file as described by |
|
653 # https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema |
|
654 # |
|
655 log_config: "/etc/matrix-synapse/log.yaml" |
|
656 |
|
657 |
|
658 ## Ratelimiting ## |
|
659 |
|
660 # Ratelimiting settings for client actions (registration, login, messaging). |
|
661 # |
|
662 # Each ratelimiting configuration is made of two parameters: |
|
663 # - per_second: number of requests a client can send per second. |
|
664 # - burst_count: number of requests a client can send before being throttled. |
|
665 # |
|
666 # Synapse currently uses the following configurations: |
|
667 # - one for messages that ratelimits sending based on the account the client |
|
668 # is using |
|
669 # - one for registration that ratelimits registration requests based on the |
|
670 # client's IP address. |
|
671 # - one for login that ratelimits login requests based on the client's IP |
|
672 # address. |
|
673 # - one for login that ratelimits login requests based on the account the |
|
674 # client is attempting to log into. |
|
675 # - one for login that ratelimits login requests based on the account the |
|
676 # client is attempting to log into, based on the amount of failed login |
|
677 # attempts for this account. |
|
678 # - one for ratelimiting redactions by room admins. If this is not explicitly |
|
679 # set then it uses the same ratelimiting as per rc_message. This is useful |
|
680 # to allow room admins to deal with abuse quickly. |
|
681 # |
|
682 # The defaults are as shown below. |
|
683 # |
|
684 #rc_message: |
|
685 # per_second: 0.2 |
|
686 # burst_count: 10 |
|
687 # |
|
688 #rc_registration: |
|
689 # per_second: 0.17 |
|
690 # burst_count: 3 |
|
691 # |
|
692 #rc_login: |
|
693 # address: |
|
694 # per_second: 0.17 |
|
695 # burst_count: 3 |
|
696 # account: |
|
697 # per_second: 0.17 |
|
698 # burst_count: 3 |
|
699 # failed_attempts: |
|
700 # per_second: 0.17 |
|
701 # burst_count: 3 |
|
702 # |
|
703 #rc_admin_redaction: |
|
704 # per_second: 1 |
|
705 # burst_count: 50 |
|
706 |
|
707 |
|
708 # Ratelimiting settings for incoming federation |
|
709 # |
|
710 # The rc_federation configuration is made up of the following settings: |
|
711 # - window_size: window size in milliseconds |
|
712 # - sleep_limit: number of federation requests from a single server in |
|
713 # a window before the server will delay processing the request. |
|
714 # - sleep_delay: duration in milliseconds to delay processing events |
|
715 # from remote servers by if they go over the sleep limit. |
|
716 # - reject_limit: maximum number of concurrent federation requests |
|
717 # allowed from a single server |
|
718 # - concurrent: number of federation requests to concurrently process |
|
719 # from a single server |
|
720 # |
|
721 # The defaults are as shown below. |
|
722 # |
|
723 #rc_federation: |
|
724 # window_size: 1000 |
|
725 # sleep_limit: 10 |
|
726 # sleep_delay: 500 |
|
727 # reject_limit: 50 |
|
728 # concurrent: 3 |
|
729 |
|
730 # Target outgoing federation transaction frequency for sending read-receipts, |
|
731 # per-room. |
|
732 # |
|
733 # If we end up trying to send out more read-receipts, they will get buffered up |
|
734 # into fewer transactions. |
|
735 # |
|
736 #federation_rr_transactions_per_room_per_second: 50 |
|
737 |
|
738 |
|
739 |
|
740 ## Media Store ## |
|
741 |
|
742 # Enable the media store service in the Synapse master. Uncomment the |
|
743 # following if you are using a separate media store worker. |
|
744 # |
|
745 #enable_media_repo: false |
|
746 |
|
747 # Directory where uploaded images and attachments are stored. |
|
748 # |
|
749 media_store_path: "{{matrix_synapse_media_store}}" |
|
750 |
|
751 # Media storage providers allow media to be stored in different |
|
752 # locations. |
|
753 # |
|
754 #media_storage_providers: |
|
755 # - module: file_system |
|
756 # # Whether to store newly uploaded local files |
|
757 # store_local: false |
|
758 # # Whether to store newly downloaded remote files |
|
759 # store_remote: false |
|
760 # # Whether to wait for successful storage for local uploads |
|
761 # store_synchronous: false |
|
762 # config: |
|
763 # directory: /mnt/some/other/directory |
|
764 |
|
765 # The largest allowed upload size in bytes |
|
766 # |
|
767 #max_upload_size: 10M |
|
768 |
|
769 # Maximum number of pixels that will be thumbnailed |
|
770 # |
|
771 #max_image_pixels: 32M |
|
772 |
|
773 # Whether to generate new thumbnails on the fly to precisely match |
|
774 # the resolution requested by the client. If true then whenever |
|
775 # a new resolution is requested by the client the server will |
|
776 # generate a new thumbnail. If false the server will pick a thumbnail |
|
777 # from a precalculated list. |
|
778 # |
|
779 #dynamic_thumbnails: false |
|
780 |
|
781 # List of thumbnails to precalculate when an image is uploaded. |
|
782 # |
|
783 #thumbnail_sizes: |
|
784 # - width: 32 |
|
785 # height: 32 |
|
786 # method: crop |
|
787 # - width: 96 |
|
788 # height: 96 |
|
789 # method: crop |
|
790 # - width: 320 |
|
791 # height: 240 |
|
792 # method: scale |
|
793 # - width: 640 |
|
794 # height: 480 |
|
795 # method: scale |
|
796 # - width: 800 |
|
797 # height: 600 |
|
798 # method: scale |
|
799 |
|
800 # Is the preview URL API enabled? |
|
801 # |
|
802 # 'false' by default: uncomment the following to enable it (and specify a |
|
803 # url_preview_ip_range_blacklist blacklist). |
|
804 # |
|
805 #url_preview_enabled: true |
|
806 |
|
807 # List of IP address CIDR ranges that the URL preview spider is denied |
|
808 # from accessing. There are no defaults: you must explicitly |
|
809 # specify a list for URL previewing to work. You should specify any |
|
810 # internal services in your network that you do not want synapse to try |
|
811 # to connect to, otherwise anyone in any Matrix room could cause your |
|
812 # synapse to issue arbitrary GET requests to your internal services, |
|
813 # causing serious security issues. |
|
814 # |
|
815 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly |
|
816 # listed here, since they correspond to unroutable addresses.) |
|
817 # |
|
818 # This must be specified if url_preview_enabled is set. It is recommended that |
|
819 # you uncomment the following list as a starting point. |
|
820 # |
|
821 #url_preview_ip_range_blacklist: |
|
822 # - '127.0.0.0/8' |
|
823 # - '10.0.0.0/8' |
|
824 # - '172.16.0.0/12' |
|
825 # - '192.168.0.0/16' |
|
826 # - '100.64.0.0/10' |
|
827 # - '169.254.0.0/16' |
|
828 # - '::1/128' |
|
829 # - 'fe80::/64' |
|
830 # - 'fc00::/7' |
|
831 |
|
832 # List of IP address CIDR ranges that the URL preview spider is allowed |
|
833 # to access even if they are specified in url_preview_ip_range_blacklist. |
|
834 # This is useful for specifying exceptions to wide-ranging blacklisted |
|
835 # target IP ranges - e.g. for enabling URL previews for a specific private |
|
836 # website only visible in your network. |
|
837 # |
|
838 #url_preview_ip_range_whitelist: |
|
839 # - '192.168.1.1' |
|
840 |
|
841 # Optional list of URL matches that the URL preview spider is |
|
842 # denied from accessing. You should use url_preview_ip_range_blacklist |
|
843 # in preference to this, otherwise someone could define a public DNS |
|
844 # entry that points to a private IP address and circumvent the blacklist. |
|
845 # This is more useful if you know there is an entire shape of URL that |
|
846 # you know that will never want synapse to try to spider. |
|
847 # |
|
848 # Each list entry is a dictionary of url component attributes as returned |
|
849 # by urlparse.urlsplit as applied to the absolute form of the URL. See |
|
850 # https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit |
|
851 # The values of the dictionary are treated as a filename match pattern |
|
852 # applied to that component of URLs, unless they start with a ^ in which |
|
853 # case they are treated as a regular expression match. If all the |
|
854 # specified component matches for a given list item succeed, the URL is |
|
855 # blacklisted. |
|
856 # |
|
857 #url_preview_url_blacklist: |
|
858 # # blacklist any URL with a username in its URI |
|
859 # - username: '*' |
|
860 # |
|
861 # # blacklist all *.google.com URLs |
|
862 # - netloc: 'google.com' |
|
863 # - netloc: '*.google.com' |
|
864 # |
|
865 # # blacklist all plain HTTP URLs |
|
866 # - scheme: 'http' |
|
867 # |
|
868 # # blacklist http(s)://www.acme.com/foo |
|
869 # - netloc: 'www.acme.com' |
|
870 # path: '/foo' |
|
871 # |
|
872 # # blacklist any URL with a literal IPv4 address |
|
873 # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' |
|
874 |
|
875 # The largest allowed URL preview spidering size in bytes |
|
876 # |
|
877 #max_spider_size: 10M |
|
878 |
|
879 # A list of values for the Accept-Language HTTP header used when |
|
880 # downloading webpages during URL preview generation. This allows |
|
881 # Synapse to specify the preferred languages that URL previews should |
|
882 # be in when communicating with remote servers. |
|
883 # |
|
884 # Each value is an IETF language tag; a 2-3 letter identifier for a |
|
885 # language, optionally followed by subtags separated by '-', specifying |
|
886 # a country or region variant. |
|
887 # |
|
888 # Multiple values can be provided, and a weight can be added to each by |
|
889 # using quality value syntax (;q=). '*' translates to any language. |
|
890 # |
|
891 # Defaults to "en". |
|
892 # |
|
893 # Example: |
|
894 # |
|
895 # url_preview_accept_language: |
|
896 # - en-UK |
|
897 # - en-US;q=0.9 |
|
898 # - fr;q=0.8 |
|
899 # - *;q=0.7 |
|
900 # |
|
901 url_preview_accept_language: |
|
902 # - en |
|
903 |
|
904 |
|
905 ## Captcha ## |
|
906 # See docs/CAPTCHA_SETUP for full details of configuring this. |
|
907 |
|
908 # This homeserver's ReCAPTCHA public key. |
|
909 # |
|
910 #recaptcha_public_key: "YOUR_PUBLIC_KEY" |
|
911 |
|
912 # This homeserver's ReCAPTCHA private key. |
|
913 # |
|
914 #recaptcha_private_key: "YOUR_PRIVATE_KEY" |
|
915 |
|
916 # Enables ReCaptcha checks when registering, preventing signup |
|
917 # unless a captcha is answered. Requires a valid ReCaptcha |
|
918 # public/private key. |
|
919 # |
|
920 #enable_registration_captcha: false |
|
921 |
|
922 # The API endpoint to use for verifying m.login.recaptcha responses. |
|
923 # |
|
924 #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" |
|
925 |
|
926 |
|
927 ## TURN ## |
|
928 |
|
929 # The public URIs of the TURN server to give to clients |
|
930 # |
|
931 #turn_uris: [] |
|
932 |
|
933 # The shared secret used to compute passwords for the TURN server |
|
934 # |
|
935 #turn_shared_secret: "YOUR_SHARED_SECRET" |
|
936 |
|
937 # The Username and password if the TURN server needs them and |
|
938 # does not use a token |
|
939 # |
|
940 #turn_username: "TURNSERVER_USERNAME" |
|
941 #turn_password: "TURNSERVER_PASSWORD" |
|
942 |
|
943 # How long generated TURN credentials last |
|
944 # |
|
945 #turn_user_lifetime: 1h |
|
946 |
|
947 # Whether guests should be allowed to use the TURN server. |
|
948 # This defaults to True, otherwise VoIP will be unreliable for guests. |
|
949 # However, it does introduce a slight security risk as it allows users to |
|
950 # connect to arbitrary endpoints without having first signed up for a |
|
951 # valid account (e.g. by passing a CAPTCHA). |
|
952 # |
|
953 #turn_allow_guests: true |
|
954 |
|
955 |
|
956 ## Registration ## |
|
957 # |
|
958 # Registration can be rate-limited using the parameters in the "Ratelimiting" |
|
959 # section of this file. |
|
960 |
|
961 # Enable registration for new users. |
|
962 # |
|
963 enable_registration: {{matrix_synapse_enable_registrations}} |
|
964 |
|
965 # Optional account validity configuration. This allows for accounts to be denied |
|
966 # any request after a given period. |
|
967 # |
|
968 # Once this feature is enabled, Synapse will look for registered users without an |
|
969 # expiration date at startup and will add one to every account it found using the |
|
970 # current settings at that time. |
|
971 # This means that, if a validity period is set, and Synapse is restarted (it will |
|
972 # then derive an expiration date from the current validity period), and some time |
|
973 # after that the validity period changes and Synapse is restarted, the users' |
|
974 # expiration dates won't be updated unless their account is manually renewed. This |
|
975 # date will be randomly selected within a range [now + period - d ; now + period], |
|
976 # where d is equal to 10% of the validity period. |
|
977 # |
|
978 account_validity: |
|
979 # The account validity feature is disabled by default. Uncomment the |
|
980 # following line to enable it. |
|
981 # |
|
982 #enabled: true |
|
983 |
|
984 # The period after which an account is valid after its registration. When |
|
985 # renewing the account, its validity period will be extended by this amount |
|
986 # of time. This parameter is required when using the account validity |
|
987 # feature. |
|
988 # |
|
989 #period: 6w |
|
990 |
|
991 # The amount of time before an account's expiry date at which Synapse will |
|
992 # send an email to the account's email address with a renewal link. By |
|
993 # default, no such emails are sent. |
|
994 # |
|
995 # If you enable this setting, you will also need to fill out the 'email' and |
|
996 # 'public_baseurl' configuration sections. |
|
997 # |
|
998 #renew_at: 1w |
|
999 |
|
1000 # The subject of the email sent out with the renewal link. '%(app)s' can be |
|
1001 # used as a placeholder for the 'app_name' parameter from the 'email' |
|
1002 # section. |
|
1003 # |
|
1004 # Note that the placeholder must be written '%(app)s', including the |
|
1005 # trailing 's'. |
|
1006 # |
|
1007 # If this is not set, a default value is used. |
|
1008 # |
|
1009 #renew_email_subject: "Renew your %(app)s account" |
|
1010 |
|
1011 # Directory in which Synapse will try to find templates for the HTML files to |
|
1012 # serve to the user when trying to renew an account. If not set, default |
|
1013 # templates from within the Synapse package will be used. |
|
1014 # |
|
1015 #template_dir: "res/templates" |
|
1016 |
|
1017 # File within 'template_dir' giving the HTML to be displayed to the user after |
|
1018 # they successfully renewed their account. If not set, default text is used. |
|
1019 # |
|
1020 #account_renewed_html_path: "account_renewed.html" |
|
1021 |
|
1022 # File within 'template_dir' giving the HTML to be displayed when the user |
|
1023 # tries to renew an account with an invalid renewal token. If not set, |
|
1024 # default text is used. |
|
1025 # |
|
1026 #invalid_token_html_path: "invalid_token.html" |
|
1027 |
|
1028 # Time that a user's session remains valid for, after they log in. |
|
1029 # |
|
1030 # Note that this is not currently compatible with guest logins. |
|
1031 # |
|
1032 # Note also that this is calculated at login time: changes are not applied |
|
1033 # retrospectively to users who have already logged in. |
|
1034 # |
|
1035 # By default, this is infinite. |
|
1036 # |
|
1037 #session_lifetime: 24h |
|
1038 |
|
1039 # The user must provide all of the below types of 3PID when registering. |
|
1040 # |
|
1041 #registrations_require_3pid: |
|
1042 # - email |
|
1043 # - msisdn |
|
1044 |
|
1045 # Explicitly disable asking for MSISDNs from the registration |
|
1046 # flow (overrides registrations_require_3pid if MSISDNs are set as required) |
|
1047 # |
|
1048 #disable_msisdn_registration: true |
|
1049 |
|
1050 # Mandate that users are only allowed to associate certain formats of |
|
1051 # 3PIDs with accounts on this server. |
|
1052 # |
|
1053 #allowed_local_3pids: |
|
1054 # - medium: email |
|
1055 # pattern: '.*@matrix\.org' |
|
1056 # - medium: email |
|
1057 # pattern: '.*@vector\.im' |
|
1058 # - medium: msisdn |
|
1059 # pattern: '\+44' |
|
1060 |
|
1061 # Enable 3PIDs lookup requests to identity servers from this server. |
|
1062 # |
|
1063 #enable_3pid_lookup: true |
|
1064 |
|
1065 # If set, allows registration of standard or admin accounts by anyone who |
|
1066 # has the shared secret, even if registration is otherwise disabled. Treat the value as a credential: below it is a fixed literal rather than a per-deployment Jinja variable like server_name, so every host rendered from this template shares it and anyone who can read the template (or any repository it is committed to) holds it; generate a unique value per deployment and keep it out of the template. |
|
1067 # |
|
1068 registration_shared_secret: "UgG6FB~1cV1Z5:v+_6m*1tE4m143m6xM*fiBp:T+ZhF+sNdeH*" |
|
1069 |
|
1070 # Set the number of bcrypt rounds used to generate password hash. |
|
1071 # Larger numbers increase the work factor needed to generate the hash. |
|
1072 # The default number is 12 (which equates to 2^12 rounds). |
|
1073 # N.B. that increasing this will exponentially increase the time required |
|
1074 # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. |
|
1075 # |
|
1076 #bcrypt_rounds: 12 |
|
1077 |
|
1078 # Allows users to register as guests without a password/email/etc, and |
|
1079 # participate in rooms hosted on this server which have been made |
|
1080 # accessible to anonymous users. |
|
1081 # |
|
1082 #allow_guest_access: false |
|
1083 |
|
1084 # The identity server which we suggest that clients should use when users log |
|
1085 # in on this server. |
|
1086 # |
|
1087 # (By default, no suggestion is made, so it is left up to the client. |
|
1088 # This setting is ignored unless public_baseurl is also set.) |
|
1089 # |
|
1090 #default_identity_server: https://matrix.org |
|
1091 |
|
1092 # The list of identity servers trusted to verify third party |
|
1093 # identifiers by this server. |
|
1094 # |
|
1095 # Also defines the ID server which will be called when an account is |
|
1096 # deactivated (one will be picked arbitrarily). |
|
1097 # |
|
1098 # Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity |
|
1099 # server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a |
|
1100 # background migration script, informing itself that the identity server all of its |
|
1101 # 3PIDs have been bound to is likely one of the below. |
|
1102 # |
|
1103 # As of Synapse v1.4.0, all other functionality of this option has been deprecated, and |
|
1104 # it is now solely used for the purposes of the background migration script, and can be |
|
1105 # removed once it has run. |
|
1106 #trusted_third_party_id_servers: |
|
1107 # - matrix.org |
|
1108 # - vector.im |
|
1109 |
|
1110 # Handle threepid (email/phone etc) registration and password resets through a set of |
|
1111 # *trusted* identity servers. Note that this allows the configured identity server to |
|
1112 # reset passwords for accounts! |
|
1113 # |
|
1114 # Be aware that if `email` is not set, and SMTP options have not been |
|
1115 # configured in the email config block, registration and user password resets via |
|
1116 # email will be globally disabled. |
|
1117 # |
|
1118 # Additionally, if `msisdn` is not set, registration and password resets via msisdn |
|
1119 # will be disabled regardless. This is due to Synapse currently not supporting any |
|
1120 # method of sending SMS messages on its own. |
|
1121 # |
|
1122 # To enable using an identity server for operations regarding a particular third-party |
|
1123 # identifier type, set the value to the URL of that identity server as shown in the |
|
1124 # examples below. |
|
1125 # |
|
1126 # Servers handling these requests must answer the `/requestToken` endpoints defined |
|
1127 # by the Matrix Identity Service API specification: |
|
1128 # https://matrix.org/docs/spec/identity_service/latest |
|
1129 # |
|
1130 # If a delegate is specified, the config option public_baseurl must also be filled out. |
|
1131 # |
|
1132 account_threepid_delegates: |
|
1133 #email: https://example.com # Delegate email sending to example.com |
|
1134 #msisdn: http://localhost:8090 # Delegate SMS sending to this local process |
|
1135 |
|
1136 # Whether users are allowed to change their displayname after it has |
|
1137 # been initially set. Useful when provisioning users based on the |
|
1138 # contents of a third-party directory. |
|
1139 # |
|
1140 # Does not apply to server administrators. Defaults to 'true' |
|
1141 # |
|
1142 #enable_set_displayname: false |
|
1143 |
|
1144 # Whether users are allowed to change their avatar after it has been |
|
1145 # initially set. Useful when provisioning users based on the contents |
|
1146 # of a third-party directory. |
|
1147 # |
|
1148 # Does not apply to server administrators. Defaults to 'true' |
|
1149 # |
|
1150 #enable_set_avatar_url: false |
|
1151 |
|
1152 # Whether users can change the 3PIDs associated with their accounts |
|
1153 # (email address and msisdn). |
|
1154 # |
|
1155 # Defaults to 'true' |
|
1156 # |
|
1157 #enable_3pid_changes: false |
|
1158 |
|
1159 # Users who register on this homeserver will automatically be joined |
|
1160 # to these rooms |
|
1161 # |
|
1162 #auto_join_rooms: |
|
1163 # - "#example:example.com" |
|
1164 |
|
1165 # Where auto_join_rooms are specified, setting this flag ensures that the |
|
1166 # rooms exist by creating them when the first user on the |
|
1167 # homeserver registers. |
|
1168 # Setting to false means that if the rooms are not manually created, |
|
1169 # users cannot be auto-joined since they do not exist. |
|
1170 # |
|
1171 #autocreate_auto_join_rooms: true |
|
1172 |
|
1173 |
|
1174 ## Metrics ### |
|
1175 |
|
1176 # Enable collection and rendering of performance metrics |
|
1177 # |
|
1178 #enable_metrics: false |
|
1179 |
|
1180 # Enable sentry integration |
|
1181 # NOTE: While attempts are made to ensure that the logs don't contain |
|
1182 # any sensitive information, this cannot be guaranteed. By enabling |
|
1183 # this option the sentry server may therefore receive sensitive |
|
1184 # information, and it in turn may then disseminate sensitive information |
|
1185 # through insecure notification channels if so configured. |
|
1186 # |
|
1187 #sentry: |
|
1188 # dsn: "..." |
|
1189 |
|
1190 # Flags to enable Prometheus metrics which are not suitable to be |
|
1191 # enabled by default, either for performance reasons or limited use. |
|
1192 # |
|
1193 metrics_flags: |
|
1194 # Publish synapse_federation_known_servers, a gauge of the number of |
|
1195 # servers this homeserver knows about, including itself. May cause |
|
1196 # performance problems on large homeservers. |
|
1197 # |
|
1198 #known_servers: true |
|
1199 |
|
1200 # Whether or not to report anonymized homeserver usage statistics. |
|
1201 report_stats: false |
|
1202 |
|
1203 # The endpoint to report the anonymized homeserver usage statistics to. |
|
1204 # Defaults to https://matrix.org/report-usage-stats/push |
|
1205 # |
|
1206 #report_stats_endpoint: https://example.com/report-usage-stats/push |
|
1207 |
|
1208 |
|
1209 ## API Configuration ## |
|
1210 |
|
1211 # A list of event types that will be included in the room_invite_state |
|
1212 # |
|
1213 #room_invite_state_types: |
|
1214 # - "m.room.join_rules" |
|
1215 # - "m.room.canonical_alias" |
|
1216 # - "m.room.avatar" |
|
1217 # - "m.room.encryption" |
|
1218 # - "m.room.name" |
|
1219 |
|
1220 |
|
1221 # A list of application service config files to use |
|
1222 # |
|
1223 #app_service_config_files: |
|
1224 # - app_service_1.yaml |
|
1225 # - app_service_2.yaml |
|
1226 |
|
1227 # Uncomment to enable tracking of application service IP addresses. Implicitly |
|
1228 # enables MAU tracking for application service users. |
|
1229 # |
|
1230 #track_appservice_user_ips: true |
|
1231 |
|
1232 |
|
1233 # a secret which is used to sign access tokens. If none is specified, |
|
1234 # the registration_shared_secret is used, if one is given; otherwise, |
|
1235 # a secret key is derived from the signing key. The value below is a fixed literal in this template rather than a per-deployment Jinja variable; since it signs access tokens, anyone who can read it can produce tokens this server accepts, so treat it as a credential, generate a unique value per deployment and keep it out of the template. |
|
1236 # |
|
1237 macaroon_secret_key: "yENyX9gJV:JDVK-yH.2Dls8dLE*PfEAD6ebKlDfA;e0#CYjNE:" |
|
1238 |
|
1239 # a secret which is used to calculate HMACs for form values, to stop |
|
1240 # falsification of values. Must be specified for the User Consent |
|
1241 # forms to work. As with the other secrets in this file, the value below is a fixed literal rather than a per-deployment Jinja variable; treat it as a credential, generate a unique value per deployment and keep it out of the template. |
|
1242 # |
|
1243 form_secret: "xko,ABwYOV*SqSfu3PGyLq#ZdHe5tU9nwHE+rcKYmV0Q~@Hg#D" |
|
1244 |
|
1245 ## Signing Keys ## |
|
1246 |
|
1247 # Path to the signing key to sign messages with |
|
1248 # |
|
1249 signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" |
|
1250 |
|
1251 # The keys that the server used to sign messages with but won't use |
|
1252 # to sign new messages. |
|
1253 # |
|
1254 old_signing_keys: |
|
1255 # For each key, `key` should be the base64-encoded public key, and |
|
1256 # `expired_ts` should be the time (in milliseconds since the unix epoch) that |
|
1257 # it was last used. |
|
1258 # |
|
1259 # It is possible to build an entry from an old signing.key file using the |
|
1260 # `export_signing_key` script which is provided with synapse. |
|
1261 # |
|
1262 # For example: |
|
1263 # |
|
1264 #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } |
|
1265 |
|
1266 # How long key response published by this server is valid for. |
|
1267 # Used to set the valid_until_ts in /key/v2 APIs. |
|
1268 # Determines how quickly servers will query to check which keys |
|
1269 # are still valid. |
|
1270 # |
|
1271 #key_refresh_interval: 1d |
|
1272 |
|
1273 # The trusted servers to download signing keys from. |
|
1274 # |
|
1275 # When we need to fetch a signing key, each server is tried in parallel. |
|
1276 # |
|
1277 # Normally, the connection to the key server is validated via TLS certificates. |
|
1278 # Additional security can be provided by configuring a `verify key`, which |
|
1279 # will make synapse check that the response is signed by that key. |
|
1280 # |
|
1281 # This setting supersedes an older setting named `perspectives`. The old format |
|
1282 # is still supported for backwards-compatibility, but it is deprecated. |
|
1283 # |
|
1284 # 'trusted_key_servers' defaults to matrix.org, but using it will generate a |
|
1285 # warning on start-up. To suppress this warning, set |
|
1286 # 'suppress_key_server_warning' to true. |
|
1287 # |
|
1288 # Options for each entry in the list include: |
|
1289 # |
|
1290 # server_name: the name of the server. required. |
|
1291 # |
|
1292 # verify_keys: an optional map from key id to base64-encoded public key. |
|
1293 # If specified, we will check that the response is signed by at least |
|
1294 # one of the given keys. |
|
1295 # |
|
1296 # accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, |
|
1297 # and federation_verify_certificates is not `true`, synapse will refuse |
|
1298 # to start, because this would allow anyone who can spoof DNS responses |
|
1299 # to masquerade as the trusted key server. If you know what you are doing |
|
1300 # and are sure that your network environment provides a secure connection |
|
1301 # to the key server, you can set this to `true` to override this |
|
1302 # behaviour. |
|
1303 # |
|
1304 # An example configuration might look like: |
|
1305 # |
|
1306 #trusted_key_servers: |
|
1307 # - server_name: "my_trusted_server.example.com" |
|
1308 # verify_keys: |
|
1309 # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" |
|
1310 # - server_name: "my_other_trusted_server.example.com" |
|
1311 # |
|
1312 trusted_key_servers: |
|
1313 - server_name: "matrix.org" |
|
1314 |
|
1315 # The following disables the warning that is emitted when the |
|
1316 # trusted_key_servers include 'matrix.org'. See above. |
|
1317 # |
|
1318 suppress_key_server_warning: true |
|
1319 |
|
1320 # The signing keys to use when acting as a trusted key server. If not specified |
|
1321 # defaults to the server signing key. |
|
1322 # |
|
1323 # Can contain multiple keys, one per line. |
|
1324 # |
|
1325 #key_server_signing_keys_path: "key_server_signing_keys.key" |
|
1326 |
|
1327 |
|
1328 # Enable SAML2 for registration and login. Uses pysaml2. |
|
1329 # |
|
1330 # At least one of `sp_config` or `config_path` must be set in this section to |
|
1331 # enable SAML login. |
|
1332 # |
|
1333 # (You will probably also want to set the following options to `false` to |
|
1334 # disable the regular login/registration flows: |
|
1335 # * enable_registration |
|
1336 # * password_config.enabled |
|
1337 # |
|
1338 # Once SAML support is enabled, a metadata file will be exposed at |
|
1339 # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to |
|
1340 # use to configure your SAML IdP with. Alternatively, you can manually configure |
|
1341 # the IdP to use an ACS location of |
|
1342 # https://<server>:<port>/_matrix/saml2/authn_response. |
|
1343 # |
|
1344 saml2_config: |
|
1345 # `sp_config` is the configuration for the pysaml2 Service Provider. |
|
1346 # See pysaml2 docs for format of config. |
|
1347 # |
|
1348 # Default values will be used for the 'entityid' and 'service' settings, |
|
1349 # so it is not normally necessary to specify them unless you need to |
|
1350 # override them. |
|
1351 # |
|
1352 #sp_config: |
|
1353 # # point this to the IdP's metadata. You can use either a local file or |
|
1354 # # (preferably) a URL. |
|
1355 # metadata: |
|
1356 # #local: ["saml2/idp.xml"] |
|
1357 # remote: |
|
1358 # - url: https://our_idp/metadata.xml |
|
1359 # |
|
1360 # # By default, the user has to go to our login page first. If you'd like |
|
1361 # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a |
|
1362 # # 'service.sp' section: |
|
1363 # # |
|
1364 # #service: |
|
1365 # # sp: |
|
1366 # # allow_unsolicited: true |
|
1367 # |
|
1368 # # The examples below are just used to generate our metadata xml, and you |
|
1369 # # may well not need them, depending on your setup. Alternatively you |
|
1370 # # may need a whole lot more detail - see the pysaml2 docs! |
|
1371 # |
|
1372 # description: ["My awesome SP", "en"] |
|
1373 # name: ["Test SP", "en"] |
|
1374 # |
|
1375 # organization: |
|
1376 # name: Example com |
|
1377 # display_name: |
|
1378 # - ["Example co", "en"] |
|
1379 # url: "http://example.com" |
|
1380 # |
|
1381 # contact_person: |
|
1382 # - given_name: Bob |
|
1383 # sur_name: "the Sysadmin" |
|
1384 # email_address: ["[email protected]"] |
|
1385 # contact_type: technical |
|
1386 |
|
1387 # Instead of putting the config inline as above, you can specify a |
|
1388 # separate pysaml2 configuration file: |
|
1389 # |
|
1390 #config_path: "path/to/homeserver/sp_conf.py" |
|
1391 |
|
1392 # The lifetime of a SAML session. This defines how long a user has to |
|
1393 # complete the authentication process, if allow_unsolicited is unset. |
|
1394 # The default is 5 minutes. |
|
1395 # |
|
1396 #saml_session_lifetime: 5m |
|
1397 |
|
1398 # An external module can be provided here as a custom solution to |
|
1399 # mapping attributes returned from a saml provider onto a matrix user. |
|
1400 # |
|
1401 user_mapping_provider: |
|
1402 # The custom module's class. Uncomment to use a custom module. |
|
1403 # |
|
1404 #module: mapping_provider.SamlMappingProvider |
|
1405 |
|
1406 # Custom configuration values for the module. Below options are |
|
1407 # intended for the built-in provider, they should be changed if |
|
1408 # using a custom module. This section will be passed as a Python |
|
1409 # dictionary to the module's `parse_config` method. |
|
1410 # |
|
1411 config: |
|
1412 # The SAML attribute (after mapping via the attribute maps) to use |
|
1413 # to derive the Matrix ID from. 'uid' by default. |
|
1414 # |
|
1415 # Note: This used to be configured by the |
|
1416 # saml2_config.mxid_source_attribute option. If that is still |
|
1417 # defined, its value will be used instead. |
|
1418 # |
|
1419 #mxid_source_attribute: displayName |
|
1420 |
|
1421 # The mapping system to use for mapping the saml attribute onto a |
|
1422 # matrix ID. |
|
1423 # |
|
1424 # Options include: |
|
1425 # * 'hexencode' (which maps unpermitted characters to '=xx') |
|
1426 # * 'dotreplace' (which replaces unpermitted characters with |
|
1427 # '.'). |
|
1428 # The default is 'hexencode'. |
|
1429 # |
|
1430 # Note: This used to be configured by the |
|
1431 # saml2_config.mxid_mapping option. If that is still defined, its |
|
1432 # value will be used instead. |
|
1433 # |
|
1434 #mxid_mapping: dotreplace |
|
1435 |
|
1436 # In previous versions of synapse, the mapping from SAML attribute to |
|
1437 # MXID was always calculated dynamically rather than stored in a |
|
1438 # table. For backwards-compatibility, we will look for user_ids |
|
1439 # matching such a pattern before creating a new account. |
|
1440 # |
|
1441 # This setting controls the SAML attribute which will be used for this |
|
1442 # backwards-compatibility lookup. Typically it should be 'uid', but if |
|
1443 # the attribute maps are changed, it may be necessary to change it. |
|
1444 # |
|
1445 # The default is 'uid'. |
|
1446 # |
|
1447 #grandfathered_mxid_source_attribute: upn |
|
1448 |
|
1449 # Directory in which Synapse will try to find the template files below. |
|
1450 # If not set, default templates from within the Synapse package will be used. |
|
1451 # |
|
1452 # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. |
|
1453 # If you *do* uncomment it, you will need to make sure that all the templates |
|
1454 # below are in the directory. |
|
1455 # |
|
1456 # Synapse will look for the following templates in this directory: |
|
1457 # |
|
1458 # * HTML page to display to users if something goes wrong during the |
|
1459 # authentication process: 'saml_error.html'. |
|
1460 # |
|
1461 # This template doesn't currently need any variable to render. |
|
1462 # |
|
1463 # You can see the default templates at: |
|
1464 # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates |
|
1465 # |
|
1466 #template_dir: "res/templates" |
|
1467 |
|
1468 |
|
1469 |
|
1470 # Enable CAS for registration and login. |
|
1471 # |
|
1472 #cas_config: |
|
1473 # enabled: true |
|
1474 # server_url: "https://cas-server.com" |
|
1475 # service_url: "https://homeserver.domain.com:8448" |
|
1476 # #displayname_attribute: name |
|
1477 # #required_attributes: |
|
1478 # # name: value |
|
1479 |
|
1480 |
|
1481 # Additional settings to use with single-sign on systems such as SAML2 and CAS. |
|
1482 # |
|
1483 sso: |
|
1484 # A list of client URLs which are whitelisted so that the user does not |
|
1485 # have to confirm giving access to their account to the URL. Any client |
|
1486 # whose URL starts with an entry in the following list will not be subject |
|
1487 # to an additional confirmation step after the SSO login is completed. |
|
1488 # |
|
1489 # WARNING: An entry such as "https://my.client" is insecure, because it |
|
1490 # will also match "https://my.client.evil.site", exposing your users to |
|
1491 # phishing attacks from evil.site. To avoid this, include a slash after the |
|
1492 # hostname: "https://my.client/". |
|
1493 # |
|
1494 # If public_baseurl is set, then the login fallback page (used by clients |
|
1495 # that don't natively support the required login flows) is whitelisted in |
|
1496 # addition to any URLs in this list. |
|
1497 # |
|
1498 # By default, this list is empty. |
|
1499 # |
|
1500 #client_whitelist: |
|
1501 # - https://riot.im/develop |
|
1502 # - https://my.custom.client/ |
|
1503 |
|
1504 # Directory in which Synapse will try to find the template files below. |
|
1505 # If not set, default templates from within the Synapse package will be used. |
|
1506 # |
|
1507 # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. |
|
1508 # If you *do* uncomment it, you will need to make sure that all the templates |
|
1509 # below are in the directory. |
|
1510 # |
|
1511 # Synapse will look for the following templates in this directory: |
|
1512 # |
|
1513 # * HTML page for a confirmation step before redirecting back to the client |
|
1514 # with the login token: 'sso_redirect_confirm.html'. |
|
1515 # |
|
1516 # When rendering, this template is given three variables: |
|
1517 # * redirect_url: the URL the user is about to be redirected to. Needs |
|
1518 # manual escaping (see |
|
1519 # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). |
|
1520 # |
|
1521 # * display_url: the same as `redirect_url`, but with the query |
|
1522 # parameters stripped. The intention is to have a |
|
1523 # human-readable URL to show to users, not to use it as |
|
1524 # the final address to redirect to. Needs manual escaping |
|
1525 # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). |
|
1526 # |
|
1527 # * server_name: the homeserver's name. |
|
1528 # |
|
1529 # * HTML page which notifies the user that they are authenticating to confirm |
|
1530 # an operation on their account during the user interactive authentication |
|
1531 # process: 'sso_auth_confirm.html'. |
|
1532 # |
|
1533 # When rendering, this template is given the following variables: |
|
1534 # * redirect_url: the URL the user is about to be redirected to. Needs |
|
1535 # manual escaping (see |
|
1536 # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). |
|
1537 # |
|
1538 # * description: the operation which the user is being asked to confirm |
|
1539 # |
|
1540 # * HTML page shown after a successful user interactive authentication session: |
|
1541 # 'sso_auth_success.html'. |
|
1542 # |
|
1543 # Note that this page must include the JavaScript which notifies of a successful authentication |
|
1544 # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). |
|
1545 # |
|
1546 # This template has no additional variables. |
|
1547 # |
|
1548 # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) |
|
1549 # attempts to log in: 'sso_account_deactivated.html'. |
|
1550 # |
|
1551 # This template has no additional variables. |
|
1552 # |
|
1553 # You can see the default templates at: |
|
1554 # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates |
|
1555 # |
|
1556 #template_dir: "res/templates" |
|
1557 |
|
1558 |
|
1559 # The JWT needs to contain a globally unique "sub" (subject) claim. |
|
1560 # |
|
1561 #jwt_config: |
|
1562 # enabled: true |
|
1563 # secret: "a secret" |
|
1564 # algorithm: "HS256" |
|
1565 |
|
1566 |
|
1567 password_config: |
|
1568 # Uncomment to disable password login |
|
1569 # |
|
1570 #enabled: false |
|
1571 |
|
1572 # Uncomment to disable authentication against the local password |
|
1573 # database. This is ignored if `enabled` is false, and is only useful |
|
1574 # if you have other password_providers. |
|
1575 # |
|
1576 #localdb_enabled: false |
|
1577 |
|
1578 # Uncomment and change to a secret random string for extra security. |
|
1579 # DO NOT CHANGE THIS AFTER INITIAL SETUP! (Stored password hashes depend on it, so changing it later would invalidate every existing password.) |
|
1580 # |
|
1581 #pepper: "EVEN_MORE_SECRET" |
|
1582 |
|
1583 # Define and enforce a password policy. Each parameter is optional. |
|
1584 # This is an implementation of MSC2000. |
|
1585 # |
|
1586 policy: |
|
1587 # Whether to enforce the password policy. |
|
1588 # Defaults to 'false'. |
|
1589 # |
|
1590 #enabled: true |
|
1591 |
|
1592 # Minimum accepted length for a password. |
|
1593 # Defaults to 0. |
|
1594 # |
|
1595 #minimum_length: 15 |
|
1596 |
|
1597 # Whether a password must contain at least one digit. |
|
1598 # Defaults to 'false'. |
|
1599 # |
|
1600 #require_digit: true |
|
1601 |
|
1602 # Whether a password must contain at least one symbol. |
|
1603 # A symbol is any character that's not a number or a letter. |
|
1604 # Defaults to 'false'. |
|
1605 # |
|
1606 #require_symbol: true |
|
1607 |
|
1608 # Whether a password must contain at least one lowercase letter. |
|
1609 # Defaults to 'false'. |
|
1610 # |
|
1611 #require_lowercase: true |
|
1612 |
|
1613 # Whether a password must contain at least one uppercase letter. |
|
1614 # Defaults to 'false'. |
|
1615 # |
|
1616 #require_uppercase: true |
|
1617 |
|
1618 |
|
1619 # Configuration for sending emails from Synapse. |
|
1620 # |
|
1621 email: |
|
1622 # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. |
|
1623 # |
|
1624 #smtp_host: mail.server |
|
1625 |
|
1626 # The port on the mail server for outgoing SMTP. Defaults to 25. |
|
1627 # |
|
1628 #smtp_port: 587 |
|
1629 |
|
1630 # Username/password for authentication to the SMTP server. By default, no |
|
1631 # authentication is attempted. |
|
1632 # |
|
1633 # smtp_user: "exampleusername" |
|
1634 # smtp_pass: "examplepassword" |
|
1635 |
|
1636 # Uncomment the following to require TLS transport security for SMTP. |
|
1637 # By default, Synapse will connect over plain text, and will then switch to |
|
1638 # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, |
|
1639 # Synapse will refuse to connect unless the server supports STARTTLS. |
|
1640 # |
|
1641 #require_transport_security: true |
|
1642 |
|
1643 # notif_from defines the "From" address to use when sending emails. |
|
1644 # It must be set if email sending is enabled. |
|
1645 # |
|
1646 # The placeholder '%(app)s' will be replaced by the application name, |
|
1647 # which is normally 'app_name' (below), but may be overridden by the |
|
1648 # Matrix client application. |
|
1649 # |
|
1650 # Note that the placeholder must be written '%(app)s', including the |
|
1651 # trailing 's'. |
|
1652 # |
|
1653 #notif_from: "Your Friendly %(app)s homeserver <[email protected]>" |
|
1654 |
|
1655 # app_name defines the default value for '%(app)s' in notif_from. It |
|
1656 # defaults to 'Matrix'. |
|
1657 # |
|
1658 #app_name: my_branded_matrix_server |
|
1659 |
|
1660 # Uncomment the following to enable sending emails for messages that the user |
|
1661 # has missed. Disabled by default. |
|
1662 # |
|
1663 #enable_notifs: true |
|
1664 |
|
1665 # Uncomment the following to disable automatic subscription to email |
|
1666 # notifications for new users. Enabled by default. |
|
1667 # |
|
1668 #notif_for_new_users: false |
|
1669 |
|
1670 # Custom URL for client links within the email notifications. By default |
|
1671 # links will be based on "https://matrix.to". |
|
1672 # |
|
1673 # (This setting used to be called riot_base_url; the old name is still |
|
1674 # supported for backwards-compatibility but is now deprecated.) |
|
1675 # |
|
1676 #client_base_url: "http://localhost/riot" |
|
1677 |
|
1678 # Configure the time that a validation email will expire after sending. |
|
1679 # Defaults to 1h. |
|
1680 # |
|
1681 #validation_token_lifetime: 15m |
|
1682 |
|
1683 # Directory in which Synapse will try to find the template files below. |
|
1684 # If not set, default templates from within the Synapse package will be used. |
|
1685 # |
|
1686 # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. |
|
1687 # If you *do* uncomment it, you will need to make sure that all the templates |
|
1688 # below are in the directory. |
|
1689 # |
|
1690 # Synapse will look for the following templates in this directory: |
|
1691 # |
|
1692 # * The contents of email notifications of missed events: 'notif_mail.html' and |
|
1693 # 'notif_mail.txt'. |
|
1694 # |
|
1695 # * The contents of account expiry notice emails: 'notice_expiry.html' and |
|
1696 # 'notice_expiry.txt'. |
|
1697 # |
|
1698 # * The contents of password reset emails sent by the homeserver: |
|
1699 # 'password_reset.html' and 'password_reset.txt' |
|
1700 # |
|
1701 # * HTML pages for success and failure that a user will see when they follow |
|
1702 # the link in the password reset email: 'password_reset_success.html' and |
|
1703 # 'password_reset_failure.html' |
|
1704 # |
|
1705 # * The contents of address verification emails sent during registration: |
|
1706 # 'registration.html' and 'registration.txt' |
|
1707 # |
|
1708 # * HTML pages for success and failure that a user will see when they follow |
|
1709 # the link in an address verification email sent during registration: |
|
1710 # 'registration_success.html' and 'registration_failure.html' |
|
1711 # |
|
1712 # * The contents of address verification emails sent when an address is added |
|
1713 # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' |
|
1714 # |
|
1715 # * HTML pages for success and failure that a user will see when they follow |
|
1716 # the link in an address verification email sent when an address is added |
|
1717 # to a Matrix account: 'add_threepid_success.html' and |
|
1718 # 'add_threepid_failure.html' |
|
1719 # |
|
1720 # You can see the default templates at: |
|
1721 # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates |
|
1722 # |
|
1723 #template_dir: "res/templates" |
|
1724 |
|
1725 |
|
1726 # Password providers allow homeserver administrators to integrate |
|
1727 # their Synapse installation with existing authentication methods |
|
1728 # e.g. LDAP, external tokens, etc. |
|
1729 # |
|
1730 # For more information and known implementations, please see |
|
1731 # https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md |
|
1732 # |
|
1733 # Note: instances wishing to use SAML or CAS authentication should |
|
1734 # instead use the `saml2_config` or `cas_config` options, |
|
1735 # respectively. |
|
1736 # |
|
1737 password_providers: |
|
1738 # # Example config for an LDAP auth provider |
|
1739 # - module: "ldap_auth_provider.LdapAuthProvider" |
|
1740 # config: |
|
1741 # enabled: true |
|
1742 # uri: "ldap://ldap.example.com:389" |
|
1743 # start_tls: true |
|
1744 # base: "ou=users,dc=example,dc=com" |
|
1745 # attributes: |
|
1746 # uid: "cn" |
|
1747 # mail: "email" |
|
1748 # name: "givenName" |
|
1749 # #bind_dn: |
|
1750 # #bind_password: |
|
1751 # #filter: "(objectClass=posixAccount)" |
|
1752 |
|
1753 |
|
1754 |
|
1755 # Clients requesting push notifications can either have the body of |
|
1756 # the message sent in the notification poke along with other details |
|
1757 # like the sender, or just the event ID and room ID (`event_id_only`). |
|
1758 # If clients choose the former, this option controls whether the |
|
1759 # notification request includes the content of the event (other details |
|
1760 # like the sender are still included). For `event_id_only` push, it |
|
1761 # has no effect. |
|
1762 # |
|
1763 # For modern android devices the notification content will still appear |
|
1764 # because it is loaded by the app. iPhone, however, will send a |
|
1765 # notification saying only that a message arrived and who it came from. |
|
1766 # |
|
1767 #push: |
|
1768 # include_content: true |
|
1769 |
|
1770 |
|
1771 #spam_checker: |
|
1772 # module: "my_custom_project.SuperSpamChecker" |
|
1773 # config: |
|
1774 # example_option: 'things' |
|
1775 |
|
1776 |
|
1777 # Uncomment to allow non-server-admin users to create groups on this server |
|
1778 # |
|
1779 #enable_group_creation: true |
|
1780 |
|
1781 # If enabled, non server admins can only create groups with local parts |
|
1782 # starting with this prefix |
|
1783 # |
|
1784 #group_creation_prefix: "unofficial/" |
|
1785 |
|
1786 |
|
1787 |
|
1788 # User Directory configuration |
|
1789 # |
|
1790 # 'enabled' defines whether users can search the user directory. If |
|
1791 # false then empty responses are returned to all queries. Defaults to |
|
1792 # true. |
|
1793 # |
|
1794 # 'search_all_users' defines whether to search all users visible to your HS |
|
1795 # when searching the user directory, rather than limiting to users visible |
|
1796 # in public rooms. Defaults to false. If you set it to true, you'll have to |
|
1797 # rebuild the user_directory search indexes, see |
|
1798 # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md |
|
1799 # |
|
1800 #user_directory: |
|
1801 # enabled: true |
|
1802 # search_all_users: false |
|
1803 |
|
1804 |
|
1805 # User Consent configuration |
|
1806 # |
|
1807 # for detailed instructions, see |
|
1808 # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md |
|
1809 # |
|
1810 # Parts of this section are required if enabling the 'consent' resource under |
|
1811 # 'listeners', in particular 'template_dir' and 'version'. |
|
1812 # |
|
1813 # 'template_dir' gives the location of the templates for the HTML forms. |
|
1814 # This directory should contain one subdirectory per language (eg, 'en', 'fr'), |
|
1815 # and each language directory should contain the policy document (named as |
|
1816 # '<version>.html') and a success page (success.html). |
|
1817 # |
|
1818 # 'version' specifies the 'current' version of the policy document. It defines |
|
1819 # the version to be served by the consent resource if there is no 'v' |
|
1820 # parameter. |
|
1821 # |
|
1822 # 'server_notice_content', if enabled, will send a user a "Server Notice" |
|
1823 # asking them to consent to the privacy policy. The 'server_notices' section |
|
1824 # must also be configured for this to work. Notices will *not* be sent to |
|
1825 # guest users unless 'send_server_notice_to_guests' is set to true. |
|
1826 # |
|
1827 # 'block_events_error', if set, will block any attempts to send events |
|
1828 # until the user consents to the privacy policy. The value of the setting is |
|
1829 # used as the text of the error. |
|
1830 # |
|
1831 # 'require_at_registration', if enabled, will add a step to the registration |
|
1832 # process, similar to how captcha works. Users will be required to accept the |
|
1833 # policy before their account is created. |
|
1834 # |
|
1835 # 'policy_name' is the display name of the policy users will see when registering |
|
1836 # for an account. Has no effect unless `require_at_registration` is enabled. |
|
1837 # Defaults to "Privacy Policy". |
|
1838 # |
|
1839 #user_consent: |
|
1840 # template_dir: res/templates/privacy |
|
1841 # version: 1.0 |
|
1842 # server_notice_content: |
|
1843 # msgtype: m.text |
|
1844 # body: >- |
|
1845 # To continue using this homeserver you must review and agree to the |
|
1846 # terms and conditions at %(consent_uri)s |
|
1847 # send_server_notice_to_guests: true |
|
1848 # block_events_error: >- |
|
1849 # To continue using this homeserver you must review and agree to the |
|
1850 # terms and conditions at %(consent_uri)s |
|
1851 # require_at_registration: false |
|
1852 # policy_name: Privacy Policy |
|
1853 # |
|
1854 |
|
1855 |
|
1856 |
|
1857 # Local statistics collection. Used in populating the room directory. |
|
1858 # |
|
1859 # 'bucket_size' controls how large each statistics timeslice is. It can |
|
1860 # be defined in a human readable short form -- e.g. "1d", "1y". |
|
1861 # |
|
1862 # 'retention' controls how long historical statistics will be kept for. |
|
1863 # It can be defined in a human readable short form -- e.g. "1d", "1y". |
|
1864 # |
|
1865 # |
|
1866 #stats: |
|
1867 # enabled: true |
|
1868 # bucket_size: 1d |
|
1869 # retention: 1y |
|
1870 |
|
1871 |
|
1872 # Server Notices room configuration |
|
1873 # |
|
1874 # Uncomment this section to enable a room which can be used to send notices |
|
1875 # from the server to users. It is a special room which cannot be left; notices |
|
1876 # come from a special "notices" user id. |
|
1877 # |
|
1878 # If you uncomment this section, you *must* define the system_mxid_localpart |
|
1879 # setting, which defines the id of the user which will be used to send the |
|
1880 # notices. |
|
1881 # |
|
1882 # It's also possible to override the room name, the display name of the |
|
1883 # "notices" user, and the avatar for the user. |
|
1884 # |
|
1885 #server_notices: |
|
1886 # system_mxid_localpart: notices |
|
1887 # system_mxid_display_name: "Server Notices" |
|
1888 # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" |
|
1889 # room_name: "Server Notices" |
|
1890 |
|
1891 |
|
1892 |
|
1893 # Uncomment to disable searching the public room list. When disabled, |
|
1894 # searches of local and remote room lists by local and remote users are |
|
1895 # blocked by always returning an empty list for all queries. |
|
1896 # |
|
1897 #enable_room_list_search: false |
|
1898 |
|
1899 # The `alias_creation` option controls who's allowed to create aliases |
|
1900 # on this server. |
|
1901 # |
|
1902 # The format of this option is a list of rules that contain globs that |
|
1903 # match against user_id, room_id and the new alias (fully qualified with |
|
1904 # server name). The action in the first rule that matches is taken, |
|
1905 # which can currently either be "allow" or "deny". |
|
1906 # |
|
1907 # Missing user_id/room_id/alias fields default to "*". |
|
1908 # |
|
1909 # If no rules match the request is denied. An empty list means no one |
|
1910 # can create aliases. |
|
1911 # |
|
1912 # Options for the rules include: |
|
1913 # |
|
1914 # user_id: Matches against the creator of the alias |
|
1915 # alias: Matches against the alias being created |
|
1916 # room_id: Matches against the room ID the alias is being pointed at |
|
1917 # action: Whether to "allow" or "deny" the request if the rule matches |
|
1918 # |
|
1919 # The default is: |
|
1920 # |
|
1921 #alias_creation_rules: |
|
1922 # - user_id: "*" |
|
1923 # alias: "*" |
|
1924 # room_id: "*" |
|
1925 # action: allow |
|
1926 |
|
1927 # The `room_list_publication_rules` option controls who can publish and |
|
1928 # which rooms can be published in the public room list. |
|
1929 # |
|
1930 # The format of this option is the same as that for |
|
1931 # `alias_creation_rules`. |
|
1932 # |
|
1933 # If the room has one or more aliases associated with it, only one of |
|
1934 # the aliases needs to match the alias rule. If there are no aliases |
|
1935 # then only rules with `alias: *` match. |
|
1936 # |
|
1937 # If no rules match the request is denied. An empty list means no one |
|
1938 # can publish rooms. |
|
1939 # |
|
1940 # Options for the rules include: |
|
1941 # |
|
1942 # user_id: Matches against the creator of the alias |
|
1943 # room_id: Matches against the room ID being published |
|
1944 # alias: Matches against any current local or canonical aliases |
|
1945 # associated with the room |
|
1946 # action: Whether to "allow" or "deny" the request if the rule matches |
|
1947 # |
|
1948 # The default is: |
|
1949 # |
|
1950 #room_list_publication_rules: |
|
1951 # - user_id: "*" |
|
1952 # alias: "*" |
|
1953 # room_id: "*" |
|
1954 # action: allow |
|
1955 |
|
1956 |
|
1957 # Server admins can define a Python module that implements extra rules for |
|
1958 # allowing or denying incoming events. In order to work, this module needs to |
|
1959 # override the methods defined in synapse/events/third_party_rules.py. |
|
1960 # |
|
1961 # This feature is designed to be used in closed federations only, where each |
|
1962 # participating server enforces the same rules. |
|
1963 # |
|
1964 #third_party_event_rules: |
|
1965 # module: "my_custom_project.SuperRulesSet" |
|
1966 # config: |
|
1967 # example_option: 'things' |
|
1968 |
|
1969 |
|
1970 ## Opentracing ## |
|
1971 |
|
1972 # These settings enable opentracing, which implements distributed tracing. |
|
1973 # This allows you to observe the causal chains of events across servers |
|
1974 # including requests, key lookups etc., across any server running |
|
1975 # synapse or any other service which supports opentracing |
|
1976 # (specifically those implemented with Jaeger). |
|
1977 # |
|
1978 opentracing: |
|
1979 # Tracing is disabled by default. Uncomment the following line to enable it. |
|
1980 # |
|
1981 #enabled: true |
|
1982 |
|
1983 # The list of homeservers with which we wish to exchange span contexts and span baggage. |
|
1984 # See docs/opentracing.rst |
|
1985 # This is a list of regexes which are matched against the server_name of the |
|
1986 # homeserver. |
|
1987 # |
|
1988 # By default, it is empty, so no servers are matched. |
|
1989 # |
|
1990 #homeserver_whitelist: |
|
1991 # - ".*" |
|
1992 |
|
1993 # Jaeger can be configured to sample traces at different rates. |
|
1994 # All configuration options provided by Jaeger can be set here. |
|
1995 # Jaeger's configuration mostly relates to trace sampling, which |
|
1996 # is documented here: |
|
1997 # https://www.jaegertracing.io/docs/1.13/sampling/. |
|
1998 # |
|
1999 #jaeger_config: |
|
2000 # sampler: |
|
2001 # type: const |
|
2002 # param: 1 |
|
2003 |
|
2004 # Logging whether spans were started and reported |
|
2005 # |
|
2006 # logging: |
|
2007 # false |
|
2008 |
|
2009 |
|
2010 # vim:ft=yaml |
|