1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/synapse_ynh.git synced 2024-09-03 20:26:38 +02:00
synapse_ynh/conf/homeserver.yaml

1007 lines
36 KiB
YAML
Raw Normal View History

#
# WARNING: Don't edit this file. All change will be removed after each upgrade
# In case of a need to edit, please edit the settings from the Yunohost admin config panel
# or create a custom file in: /etc/matrix-{{ app }}/conf.d/
# and add in this file all your custom settings
#
2022-05-28 00:17:09 +02:00
# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
2024-02-22 13:19:27 +01:00
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
2022-05-28 00:17:09 +02:00
2017-02-13 20:43:41 +01:00
## Server ##
2022-05-28 00:17:09 +02:00
# The public-facing domain of the server
#
# The server_name name will appear at the end of usernames and room addresses
# created on this server. For example if the server_name was example.com,
# usernames on this server would be in the format @user:example.com
#
# In most cases you should avoid using a matrix specific subdomain such as
# matrix.example.com or synapse.example.com as the server_name for the same
# reasons you wouldn't use user@email.example.com as your email address.
# See https://matrix-org.github.io/synapse/latest/delegate.html
# for information on how to host Synapse on a subdomain while preserving
# a clean server_name.
#
# The server_name cannot be changed later so it is important to
# configure this correctly before you start Synapse. It should be all
# lowercase and may contain an explicit port.
# Examples: matrix.org, localhost:8080
2019-11-12 21:58:10 +01:00
#
server_name: "{{ server_name }}"
2017-02-13 20:43:41 +01:00
# When running as a daemon, the file to store the pid in
2019-11-12 21:58:10 +01:00
#
pid_file: /run/matrix-{{ app }}/homeserver.pid
2017-02-13 20:43:41 +01:00
2022-05-28 00:17:09 +02:00
# The absolute URL to the web client which / will redirect to.
2018-05-06 00:49:14 +02:00
#
web_client_location: {{ web_client_location }}
2019-11-12 21:58:10 +01:00
2022-05-28 00:17:09 +02:00
# The public-facing base URL that clients use to access this Homeserver (not
# including _matrix/...). This is the same URL a user might enter into the
# 'Custom Homeserver URL' field on their client. If you use Synapse with a
# reverse proxy, this should be the URL to reach Synapse via the proxy.
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
# 'listeners' below).
#
# Defaults to 'https://<server_name>/'.
2018-05-06 00:49:14 +02:00
#
public_baseurl: https://{{ domain }}/
2019-11-12 21:58:10 +01:00
2022-05-28 00:17:09 +02:00
# If set to 'true', removes the need for authentication to access the server's
# public rooms directory through the client API, meaning that anyone can
# query the room directory. Defaults to 'false'.
2019-11-12 21:58:10 +01:00
#
allow_public_rooms_without_auth: {{ allow_public_rooms_without_auth }}
2017-02-13 20:43:41 +01:00
2022-05-28 00:17:09 +02:00
# If set to 'true', allows any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'false'.
2019-11-12 21:58:10 +01:00
#
allow_public_rooms_over_federation: {{ allow_public_rooms_over_federation }}
2019-11-12 21:58:10 +01:00
2022-05-28 00:17:09 +02:00
# Prevent outgoing requests from being sent to the following blacklisted IP address
# CIDR ranges. If this option is not specified then it defaults to private IP
# address ranges (see the example below).
2019-11-12 21:58:10 +01:00
#
2022-05-28 00:17:09 +02:00
# The blacklist applies to the outbound requests for federation, identity servers,
# push servers, and for checking key validity for third-party invite events.
2019-11-12 21:58:10 +01:00
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
2022-05-28 00:17:09 +02:00
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
#
# Note: The value is ignored when an HTTP proxy is in use
#
ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
2017-02-13 20:43:41 +01:00
# List of ports that Synapse should listen on, their purpose and their
# configuration.
2019-11-12 21:58:10 +01:00
#
# Options for each listener include:
#
# port: the TCP port to bind to
#
# bind_addresses: a list of local addresses to listen on. The default is
# 'all local interfaces'.
#
# type: the type of listener. Normally 'http', but other valid options are:
2022-05-28 00:17:09 +02:00
# 'manhole' (see https://matrix-org.github.io/synapse/latest/manhole.html),
# 'metrics' (see https://matrix-org.github.io/synapse/latest/metrics-howto.html),
# 'replication' (see https://matrix-org.github.io/synapse/latest/workers.html).
2019-11-12 21:58:10 +01:00
#
# tls: set to true to enable TLS for this listener. Will use the TLS
# key/cert specified in tls_private_key_path / tls_certificate_path.
#
# x_forwarded: Only valid for an 'http' listener. Set to true to use the
# X-Forwarded-For header as the client IP. Useful when Synapse is
# behind a reverse-proxy.
#
# resources: Only valid for an 'http' listener. A list of resources to host
# on this port. Options for each resource are:
#
# names: a list of names of HTTP resources. See below for a list of
# valid resource names.
#
2022-05-28 00:17:09 +02:00
# compress: set to true to enable HTTP compression for this resource.
2019-11-12 21:58:10 +01:00
#
# additional_resources: Only valid for an 'http' listener. A map of
# additional endpoints which should be loaded via dynamic modules.
#
# Valid resource names are:
#
# client: the client-server API (/_matrix/client), and the synapse admin
# API (/_synapse/admin). Also implies 'media' and 'static'.
#
2022-05-28 00:17:09 +02:00
# consent: user consent forms (/_matrix/consent).
# See https://matrix-org.github.io/synapse/latest/consent_tracking.html.
2019-11-12 21:58:10 +01:00
#
# federation: the server-server API (/_matrix/federation). Also implies
# 'media', 'keys', 'openid'
#
# keys: the key discovery API (/_matrix/keys).
#
# media: the media API (/_matrix/media).
#
2022-05-28 00:17:09 +02:00
# metrics: the metrics interface.
# See https://matrix-org.github.io/synapse/latest/metrics-howto.html.
2019-11-12 21:58:10 +01:00
#
# openid: OpenID authentication.
#
2022-05-28 00:17:09 +02:00
# replication: the HTTP replication API (/_synapse/replication).
# See https://matrix-org.github.io/synapse/latest/workers.html.
2019-11-12 21:58:10 +01:00
#
# static: static resources under synapse/static (/_matrix/static). (Mostly
# useful for 'fallback authentication'.)
#
2017-02-13 20:43:41 +01:00
listeners:
2019-11-12 21:58:10 +01:00
# TLS-enabled listener: for when matrix traffic is sent directly to synapse.
#
# Disabled by default. To enable it, uncomment the following. (Note that you
# will also need to give Synapse a TLS key and certificate: see the TLS section
# below.)
#
- port: {{ port_synapse_tls }}
2017-02-13 20:43:41 +01:00
type: http
tls: true
resources:
2019-11-12 21:58:10 +01:00
- names: [client, federation]
# Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
# that unwraps TLS.
#
# If you plan to use a reverse proxy, please see
2022-05-28 00:17:09 +02:00
# https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
2019-11-12 21:58:10 +01:00
#
- port: {{ port_synapse }}
2017-02-13 20:43:41 +01:00
tls: false
type: http
x_forwarded: true
2019-11-12 21:58:10 +01:00
bind_addresses: ['::1', '127.0.0.1']
2017-02-13 20:43:41 +01:00
resources:
2019-11-12 21:58:10 +01:00
- names: [client, federation]
2017-02-13 20:43:41 +01:00
compress: false
2019-11-12 21:58:10 +01:00
# example additional_resources:
#
#additional_resources:
# "/_matrix/my/custom/endpoint":
# module: my_module.CustomRequestHandler
# config: {}
2017-02-13 20:43:41 +01:00
# Turn on the twisted ssh manhole service on localhost on the given
# port.
2019-11-12 21:58:10 +01:00
#
#- port: 9000
# bind_addresses: ['::1', '127.0.0.1']
# type: manhole
## Homeserver blocking ##
# How to reach the server admin, used in ResourceLimitError
#
2022-05-28 00:17:09 +02:00
admin_contact: 'mailto:root'
2019-11-12 21:58:10 +01:00
## TLS ##
# PEM-encoded X509 certificate for TLS.
# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
# certificate, signed by a recognised Certificate Authority.
#
2022-05-28 00:17:09 +02:00
# Be sure to use a `.pem` file that includes the full certificate chain including
# any intermediate certificates (for instance, if using certbot, use
# `fullchain.pem` as your certificate, not `cert.pem`).
2019-11-12 21:58:10 +01:00
#
tls_certificate_path: "/etc/yunohost/certs/{{ domain }}/crt.pem"
2019-11-12 21:58:10 +01:00
# PEM-encoded private key for TLS
#
tls_private_key_path: "/etc/yunohost/certs/{{ domain }}/key.pem"
2019-11-12 21:58:10 +01:00
2022-05-28 00:17:09 +02:00
## Database ##
# The 'database' setting defines the database that synapse uses to store all of
# its data.
2019-11-12 21:58:10 +01:00
#
2022-05-28 00:17:09 +02:00
# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
# 'psycopg2' (for PostgreSQL).
2019-11-12 21:58:10 +01:00
#
2022-05-28 00:17:09 +02:00
# 'txn_limit' gives the maximum number of transactions to run per connection
# before reconnecting. Defaults to 0, which means no limit.
2019-11-12 21:58:10 +01:00
#
2022-05-28 00:17:09 +02:00
# 'allow_unsafe_locale' is an option specific to Postgres. Under the default behavior, Synapse will refuse to
# start if the postgres db is set to a non-C locale. You can override this behavior (which is *not* recommended)
# by setting 'allow_unsafe_locale' to true. Note that doing so may corrupt your database. You can find more information
# here: https://matrix-org.github.io/synapse/latest/postgres.html#fixing-incorrect-collate-or-ctype and here:
# https://wiki.postgresql.org/wiki/Locale_data_changes
2019-11-12 21:58:10 +01:00
#
2022-05-28 00:17:09 +02:00
# 'args' gives options which are passed through to the database engine,
# except for options starting 'cp_', which are used to configure the Twisted
# connection pool. For a reference to valid arguments, see:
# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
2019-11-12 21:58:10 +01:00
#
#
2022-05-28 00:17:09 +02:00
# Example SQLite configuration:
#
#database:
# name: sqlite3
# args:
# database: /path/to/homeserver.db
#
#
# Example Postgres configuration:
#
database:
name: psycopg2
#txn_limit: 10000
args:
user: {{ db_user }}
password: {{ db_pwd }}
database: {{ db_name }}
2022-05-28 00:17:09 +02:00
host: localhost
port: 5432
cp_min: 5
cp_max: 10
2019-11-12 21:58:10 +01:00
2017-02-13 20:43:41 +01:00
2019-11-12 21:58:10 +01:00
## Logging ##
2017-02-13 20:43:41 +01:00
2019-11-12 21:58:10 +01:00
# A yaml python logging config file as described by
# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
#
log_config: "/etc/matrix-{{ app }}/log.yaml"
2017-02-13 20:43:41 +01:00
2019-11-12 21:58:10 +01:00
## Media Store ##
2017-02-13 20:43:41 +01:00
# Directory where uploaded images and attachments are stored.
2019-11-12 21:58:10 +01:00
#
media_store_path: "{{ data_dir }}/media"
2017-02-13 20:43:41 +01:00
2018-05-06 00:49:14 +02:00
# Media storage providers allow media to be stored in different
# locations.
2019-11-12 21:58:10 +01:00
#
2018-05-06 00:49:14 +02:00
media_storage_providers:
2019-11-12 21:58:10 +01:00
- module: file_system
2022-05-28 00:17:09 +02:00
# Whether to store newly uploaded local files
2019-11-12 21:58:10 +01:00
store_local: false
2022-05-28 00:17:09 +02:00
# Whether to store newly downloaded remote files
2019-11-12 21:58:10 +01:00
store_remote: false
2022-05-28 00:17:09 +02:00
# Whether to wait for successful storage for local uploads
2019-11-12 21:58:10 +01:00
store_synchronous: false
config:
directory: "{{ data_dir }}/media_storage"
2018-05-06 00:49:14 +02:00
2017-02-13 20:43:41 +01:00
# The largest allowed upload size in bytes
2019-11-12 21:58:10 +01:00
#
2022-05-28 00:17:09 +02:00
# If you are using a reverse proxy you may also need to set this value in
# your reverse proxy's config. Notably Nginx has a small max body size by default.
# See https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
#
max_upload_size: {{ max_upload_size }}
2017-02-13 20:43:41 +01:00
2019-11-12 21:58:10 +01:00
# Is the preview URL API enabled?
#
# 'false' by default: uncomment the following to enable it (and specify a
# url_preview_ip_range_blacklist blacklist).
2022-05-28 00:17:09 +02:00
#
url_preview_enabled: true
2017-02-13 20:43:41 +01:00
# List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly
# specify a list for URL previewing to work. You should specify any
# internal services in your network that you do not want synapse to try
# to connect to, otherwise anyone in any Matrix room could cause your
# synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues.
#
2019-11-12 21:58:10 +01:00
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
2017-02-13 20:43:41 +01:00
#
2019-11-12 21:58:10 +01:00
# This must be specified if url_preview_enabled is set. It is recommended that
# you uncomment the following list as a starting point.
2022-05-28 00:17:09 +02:00
#
# Note: The value is ignored when an HTTP proxy is in use
#
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
2022-05-28 00:17:09 +02:00
- '192.0.0.0/24'
- '169.254.0.0/16'
2022-05-28 00:17:09 +02:00
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
2022-05-28 00:17:09 +02:00
- 'fe80::/10'
- 'fc00::/7'
2022-05-28 00:17:09 +02:00
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
2019-11-12 21:58:10 +01:00
2017-02-13 20:43:41 +01:00
2019-11-12 21:58:10 +01:00
## TURN ##
2017-02-13 20:43:41 +01:00
# The public URIs of the TURN server to give to clients
2019-11-12 21:58:10 +01:00
#
{%- if enable_dtls_for_audio_video_turn_call == 'true' %}
turn_uris: [ "turns:{{ domain }}:{{ port_turnserver_tls }}", "turns:{{ domain }}:{{ port_turnserver_alt_tls }}" ]
{%- else %}
turn_uris: [ "turn:{{ domain }}:{{ port_turnserver_tls }}", "turn:{{ domain }}:{{ port_turnserver_alt_tls }}" ]
{%- endif %}
2017-02-13 20:43:41 +01:00
# The shared secret used to compute passwords for the TURN server
2019-11-12 21:58:10 +01:00
#
turn_shared_secret: "{{ turnserver_pwd }}"
2017-02-13 20:43:41 +01:00
2018-05-06 00:49:14 +02:00
# The Username and password if the TURN server needs them and
# does not use a token
2019-11-12 21:58:10 +01:00
#
2018-05-06 00:49:14 +02:00
#turn_username: "TURNSERVER_USERNAME"
#turn_password: "TURNSERVER_PASSWORD"
2017-02-13 20:43:41 +01:00
# How long generated TURN credentials last
2019-11-12 21:58:10 +01:00
#
2024-02-26 22:35:05 +01:00
turn_user_lifetime: 12h
2018-05-06 00:49:14 +02:00
# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
2019-11-12 21:58:10 +01:00
#
turn_allow_guests: {{ allow_guest_access }}
2017-02-13 20:43:41 +01:00
## Registration ##
2019-11-12 21:58:10 +01:00
#
# Registration can be rate-limited using the parameters in the "Ratelimiting"
# section of this file.
2017-02-13 20:43:41 +01:00
2022-05-28 00:17:09 +02:00
# Enable registration for new users. Defaults to 'false'. It is highly recommended that if you enable registration,
# you use either captcha, email, or token-based verification to verify that new users are not bots. In order to enable registration
# without any verification, you must also set `enable_registration_without_verification`, found below.
2019-11-12 21:58:10 +01:00
#
enable_registration: {{ enable_registration }}
2017-02-13 20:43:41 +01:00
2022-05-28 00:17:09 +02:00
# Time that an access token remains valid for, if the session is NOT
# using refresh tokens.
# Please note that not all clients support refresh tokens, so setting
# this to a short value may be inconvenient for some users who will
# then be logged out frequently.
#
# Note also that this is calculated at login time: changes are not applied
# retrospectively to existing sessions for users that have already logged in.
#
# By default, this is infinite.
#
#nonrefreshable_access_token_lifetime: 24h
2018-05-06 00:49:14 +02:00
# The user must provide all of the below types of 3PID when registering.
#
{%- if registrations_require_3pid %}
registrations_require_3pid:
{%- for pid in registrations_require_3pid.split('&') %}
- {{ pid }}
{%- endfor %}
{%- endif %}
2019-11-12 21:58:10 +01:00
# Explicitly disable asking for MSISDNs from the registration
# flow (overrides registrations_require_3pid if MSISDNs are set as required)
#
disable_msisdn_registration: {{ disable_msisdn_registration }}
2018-05-06 00:49:14 +02:00
# Mandate that users are only allowed to associate certain formats of
# 3PIDs with accounts on this server.
#
2023-01-19 10:08:18 +01:00
#allowed_local_3pids:
2019-11-12 21:58:10 +01:00
# - medium: email
2022-05-28 00:17:09 +02:00
# pattern: '^[^@]+@vector\.im$'
2019-11-12 21:58:10 +01:00
# - medium: msisdn
# pattern: '\+44'
{%- if allowed_local_3pids_email or allowed_local_3pids_msisdn %}
allowed_local_3pids:
{%- for pattern in allowed_local_3pids_email.strip(',').split(',') %}
- medium: email
pattern: '{{ pattern }}'
{%- endfor %}
{%- for pattern in allowed_local_3pids_msisdn.strip(',').split(',') %}
- medium: msisdn
pattern: '{{ pattern }}'
{%- endfor %}
{%- endif %}
2019-11-12 21:58:10 +01:00
# Enable 3PIDs lookup requests to identity servers from this server.
#
enable_3pid_lookup: {{ enable_3pid_lookup }}
2018-05-06 00:49:14 +02:00
2019-11-12 21:58:10 +01:00
# If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled.
#
registration_shared_secret: "{{ registration_shared_secret }}"
2017-02-13 20:43:41 +01:00
# Set the number of bcrypt rounds used to generate password hash.
# Larger numbers increase the work factor needed to generate the hash.
2018-05-06 00:49:14 +02:00
# The default number is 12 (which equates to 2^12 rounds).
# N.B. that increasing this will exponentially increase the time required
# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
2019-11-12 21:58:10 +01:00
#
#bcrypt_rounds: 12
2017-02-13 20:43:41 +01:00
# Allows users to register as guests without a password/email/etc, and
# participate in rooms hosted on this server which have been made
# accessible to anonymous users.
2019-11-12 21:58:10 +01:00
#
allow_guest_access: {{ allow_guest_access }}
2019-11-12 21:58:10 +01:00
# The identity server which we suggest that clients should use when users log
# in on this server.
#
# (By default, no suggestion is made, so it is left up to the client.
2022-05-28 00:17:09 +02:00
# This setting is ignored unless public_baseurl is also explicitly set.)
2019-11-12 21:58:10 +01:00
#
default_identity_server: {{ default_identity_server }}
2019-11-12 21:58:10 +01:00
# Handle threepid (email/phone etc) registration and password resets through a set of
# *trusted* identity servers. Note that this allows the configured identity server to
# reset passwords for accounts!
#
# Be aware that if `email` is not set, and SMTP options have not been
# configured in the email config block, registration and user password resets via
# email will be globally disabled.
#
# Additionally, if `msisdn` is not set, registration and password resets via msisdn
2022-05-28 00:17:09 +02:00
# will be disabled regardless, and users will not be able to associate an msisdn
# identifier to their account. This is due to Synapse currently not supporting
# any method of sending SMS messages on its own.
2019-11-12 21:58:10 +01:00
#
# To enable using an identity server for operations regarding a particular third-party
# identifier type, set the value to the URL of that identity server as shown in the
# examples below.
#
# Servers handling the these requests must answer the `/requestToken` endpoints defined
# by the Matrix Identity Service API specification:
# https://matrix.org/docs/spec/identity_service/latest
#
# As email delegates is managed by the synapse server itself this email section is
2023-08-23 02:07:35 +02:00
# not necessary but msisdn format is still composed by msisdn: <value> on a new line
account_threepid_delegates:
msisdn: {{ account_threepid_delegates_msisdn }}
2022-05-28 00:17:09 +02:00
#email: https://example.com # Delegate email sending to example.com
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
2018-05-06 00:49:14 +02:00
# Users who register on this homeserver will automatically be joined
2022-05-28 00:17:09 +02:00
# to these rooms.
#
# By default, any room aliases included in this list will be created
# as a publicly joinable room when the first user registers for the
# homeserver. This behaviour can be customised with the settings below.
# If the room already exists, make certain it is a publicly joinable
# room. The join rule of the room must be set to 'public'.
2019-11-12 21:58:10 +01:00
#
{%- if auto_join_rooms %}
auto_join_rooms:
{%- for room in auto_join_rooms.split(',') %}
- '{{ room }}'
{%- endfor %}
{%- endif %}
2019-11-12 21:58:10 +01:00
# Where auto_join_rooms are specified, setting this flag ensures that the
# the rooms exist by creating them when the first user on the
# homeserver registers.
2022-05-28 00:17:09 +02:00
#
# By default the auto-created rooms are publicly joinable from any federated
# server. Use the autocreate_auto_join_rooms_federated and
# autocreate_auto_join_room_preset settings below to customise this behaviour.
#
2019-11-12 21:58:10 +01:00
# Setting to false means that if the rooms are not manually created,
# users cannot be auto-joined since they do not exist.
#
2022-05-28 00:17:09 +02:00
# Defaults to true. Uncomment the following line to disable automatically
# creating auto-join rooms.
#
autocreate_auto_join_rooms: {{ autocreate_auto_join_rooms }}
2022-05-28 00:17:09 +02:00
# When auto_join_rooms is specified, setting this flag to false prevents
# guest accounts from being automatically joined to the rooms.
2022-05-28 00:17:09 +02:00
#
# Defaults to true.
2022-05-28 00:17:09 +02:00
#
auto_join_rooms_for_guests: {{ auto_join_rooms_for_guests }}
2017-02-13 20:43:41 +01:00
## Metrics ###
2019-11-12 21:58:10 +01:00
# Flags to enable Prometheus metrics which are not suitable to be
# enabled by default, either for performance reasons or limited use.
#
metrics_flags:
2022-05-28 00:17:09 +02:00
# Publish synapse_federation_known_servers, a gauge of the number of
2019-11-12 21:58:10 +01:00
# servers this homeserver knows about, including itself. May cause
# performance problems on large homeservers.
#
#known_servers: true
# Whether or not to report anonymized homeserver usage statistics.
2022-05-28 00:17:09 +02:00
#
report_stats: {{ report_stats }}
2017-02-13 20:43:41 +01:00
2019-11-12 21:58:10 +01:00
2017-02-13 20:43:41 +01:00
## API Configuration ##
2019-11-12 21:58:10 +01:00
# a secret which is used to sign access tokens. If none is specified,
# the registration_shared_secret is used, if one is given; otherwise,
# a secret key is derived from the signing key.
#
# Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
# For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
# The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
# So for the old install we just leave this as it is. And for the new install we use a real macaroon.
{%- if macaroon_secret_key is defined %}
macaroon_secret_key: '{{ macaroon_secret_key }}'
{%- endif %}
2017-02-13 20:43:41 +01:00
2018-05-06 00:49:14 +02:00
# a secret which is used to calculate HMACs for form values, to stop
2019-11-12 21:58:10 +01:00
# falsification of values. Must be specified for the User Consent
# forms to work.
#
form_secret: "{{ form_secret }}"
2018-05-06 00:49:14 +02:00
2017-02-13 20:43:41 +01:00
## Signing Keys ##
# Path to the signing key to sign messages with
2019-11-12 21:58:10 +01:00
#
signing_key_path: "/etc/matrix-{{ app }}/homeserver.signing.key"
2017-02-13 20:43:41 +01:00
# The keys that the server used to sign messages with but won't use
2022-05-28 00:17:09 +02:00
# to sign new messages.
2019-11-12 21:58:10 +01:00
#
2022-05-28 00:17:09 +02:00
old_signing_keys:
# For each key, `key` should be the base64-encoded public key, and
# `expired_ts`should be the time (in milliseconds since the unix epoch) that
# it was last used.
#
# It is possible to build an entry from an old signing.key file using the
# `export_signing_key` script which is provided with synapse.
#
# For example:
#
#"ed25519:id": { key: "base64string", expired_ts: 123456789123 }
2017-02-13 20:43:41 +01:00
# The trusted servers to download signing keys from.
2019-11-12 21:58:10 +01:00
#
# When we need to fetch a signing key, each server is tried in parallel.
#
# Normally, the connection to the key server is validated via TLS certificates.
# Additional security can be provided by configuring a `verify key`, which
# will make synapse check that the response is signed by that key.
#
# This setting supercedes an older setting named `perspectives`. The old format
# is still supported for backwards-compatibility, but it is deprecated.
#
# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
# warning on start-up. To suppress this warning, set
# 'suppress_key_server_warning' to true.
#
# Options for each entry in the list include:
#
# server_name: the name of the server. required.
#
# verify_keys: an optional map from key id to base64-encoded public key.
# If specified, we will check that the response is signed by at least
# one of the given keys.
#
# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
# and federation_verify_certificates is not `true`, synapse will refuse
# to start, because this would allow anyone who can spoof DNS responses
# to masquerade as the trusted key server. If you know what you are doing
# and are sure that your network environment provides a secure connection
# to the key server, you can set this to `true` to override this
# behaviour.
#
# An example configuration might look like:
#
#trusted_key_servers:
# - server_name: "my_trusted_server.example.com"
# verify_keys:
# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
# - server_name: "my_other_trusted_server.example.com"
#
trusted_key_servers:
- server_name: "matrix.org"
2017-02-13 20:43:41 +01:00
2019-11-12 21:58:10 +01:00
2022-05-28 00:17:09 +02:00
## Single sign-on integration ##
# The following settings can be used to make Synapse use a single sign-on
# provider for authentication, instead of its internal password database.
2019-11-12 21:58:10 +01:00
#
2022-05-28 00:17:09 +02:00
# You will probably also want to set the following options to `false` to
2019-11-12 21:58:10 +01:00
# disable the regular login/registration flows:
# * enable_registration
# * password_config.enabled
#
2022-05-28 00:17:09 +02:00
# You will also want to investigate the settings under the "sso" configuration
# section below.
# Enable Central Authentication Service (CAS) for registration and login.
2019-11-12 21:58:10 +01:00
#
2020-02-22 00:44:30 +01:00
cas_config:
2022-05-28 00:17:09 +02:00
# Uncomment the following to enable authorization against a CAS server.
# Defaults to false.
#
2024-02-20 23:53:52 +01:00
enabled: true
2022-05-28 00:17:09 +02:00
# The URL of the CAS authorization endpoint.
#
server_url: "https://{{ domain }}/_matrix/cas_server.php"
2022-05-28 00:17:09 +02:00
# The attribute of the CAS response to use as the display name.
#
# If unset, no displayname will be set.
#
#displayname_attribute: name
# It is possible to configure Synapse to only allow logins if CAS attributes
# match particular values. All of the keys in the mapping below must exist
# and the values must match the given value. Alternately if the given value
# is None then any value is allowed (the attribute just must exist).
# All of the listed attributes must match for the login to be permitted.
#
#required_attributes:
# userGroup: "staff"
# department: None
# Additional settings to use with single-sign on systems such as OpenID Connect,
# SAML2 and CAS.
#
# Server admins can configure custom templates for pages related to SSO. See
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
#
sso:
# A list of client URLs which are whitelisted so that the user does not
# have to confirm giving access to their account to the URL. Any client
# whose URL starts with an entry in the following list will not be subject
# to an additional confirmation step after the SSO login is completed.
#
# WARNING: An entry such as "https://my.client" is insecure, because it
# will also match "https://my.client.evil.site", exposing your users to
# phishing attacks from evil.site. To avoid this, include a slash after the
# hostname: "https://my.client/".
#
# The login fallback page (used by clients that don't natively support the
# required login flows) is whitelisted in addition to any URLs in this list.
#
# By default, this list contains only the login fallback page.
#
client_whitelist:
{%- for domain in domain_whitelist_client.splitlines() %}
- {{ domain }}
{%- endfor %}
2022-05-28 00:17:09 +02:00
# Uncomment to keep a user's profile fields in sync with information from
# the identity provider. Currently only syncing the displayname is
# supported. Fields are checked on every SSO login, and are updated
# if necessary.
#
# Note that enabling this option will override user profile information,
# regardless of whether users have opted-out of syncing that
# information when first signing in. Defaults to false.
#
#update_profile_information: true
2017-02-13 20:43:41 +01:00
password_config:
2019-11-12 21:58:10 +01:00
# Uncomment to disable password login
#
enabled: {{ password_enabled }}
2019-11-12 21:58:10 +01:00
# Uncomment to disable authentication against the local password
# database. This is ignored if `enabled` is false, and is only useful
# if you have other password_providers.
#
#localdb_enabled: false
2018-05-06 00:49:14 +02:00
# Uncomment and change to a secret random string for extra security.
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
2019-11-12 21:58:10 +01:00
#
#pepper: "EVEN_MORE_SECRET"
2017-02-13 20:43:41 +01:00
2022-05-28 00:17:09 +02:00
# Define and enforce a password policy. Each parameter is optional.
# This is an implementation of MSC2000.
#
policy:
# Whether to enforce the password policy.
# Defaults to 'false'.
#
#enabled: true
# Minimum accepted length for a password.
# Defaults to 0.
#
#minimum_length: 15
# Whether a password must contain at least one digit.
# Defaults to 'false'.
#
#require_digit: true
# Whether a password must contain at least one symbol.
# A symbol is any character that's not a number or a letter.
# Defaults to 'false'.
#
#require_symbol: true
# Whether a password must contain at least one lowercase letter.
# Defaults to 'false'.
#
#require_lowercase: true
# Whether a password must contain at least one uppercase letter.
# Defaults to 'false'.
#
#require_uppercase: true
password_providers:
- module: "ldap_auth_provider.LdapAuthProvider"
config:
enabled: true
mode: "search"
uri: "ldap://localhost"
start_tls: false
base: "ou=users,dc=yunohost,dc=org"
attributes:
uid: "uid"
mail: "mail"
name: "givenName"
filter: "(&(objectClass=posixAccount)(permission=cn={{ app }}.main,ou=permission,dc=yunohost,dc=org))"
2017-02-13 20:43:41 +01:00
2022-05-28 00:17:09 +02:00
# Configuration for sending emails from Synapse.
2018-05-06 00:49:14 +02:00
#
2022-05-28 00:17:09 +02:00
# Server admins can configure custom templates for email content. See
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
2018-05-06 00:49:14 +02:00
#
email:
2022-05-28 00:17:09 +02:00
# The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
#
smtp_host: "{{ domain }}"
2022-05-28 00:17:09 +02:00
# The port on the mail server for outgoing SMTP. Defaults to 25.
#
smtp_port: 587
2022-05-28 00:17:09 +02:00
# Username/password for authentication to the SMTP server. By default, no
# authentication is attempted.
#
smtp_user: {{ app }}
smtp_pass: {{ mail_pwd }}
2022-05-28 00:17:09 +02:00
# Uncomment the following to require TLS transport security for SMTP.
# By default, Synapse will connect over plain text, and will then switch to
# TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
# Synapse will refuse to connect unless the server supports STARTTLS.
#
2022-05-28 00:17:09 +02:00
require_transport_security: true
2022-05-28 00:17:09 +02:00
# Uncomment the following to disable TLS for SMTP.
#
2022-05-28 00:17:09 +02:00
# By default, if the server supports TLS, it will be used, and the server
# must present a certificate that is valid for 'smtp_host'. If this option
# is set to false, TLS will not be used.
#
2022-05-28 00:17:09 +02:00
#enable_tls: false
2022-05-28 00:17:09 +02:00
# notif_from defines the "From" address to use when sending emails.
# It must be set if email sending is enabled.
#
2022-05-28 00:17:09 +02:00
# The placeholder '%(app)s' will be replaced by the application name,
# which is normally 'app_name' (below), but may be overridden by the
# Matrix client application.
#
2022-05-28 00:17:09 +02:00
# Note that the placeholder must be written '%(app)s', including the
# trailing 's'.
#
notif_from: "Your Friendly %(app)s Home Server <{{ app }}@{{ domain }}>"
2022-05-28 00:17:09 +02:00
# app_name defines the default value for '%(app)s' in notif_from and email
# subjects. It defaults to 'Matrix'.
#
2022-05-28 00:17:09 +02:00
app_name: Yunohost Matrix-Synapse
2022-05-28 00:17:09 +02:00
# Uncomment the following to enable sending emails for messages that the user
# has missed. Disabled by default.
#
enable_notifs: {{ enable_notifs }}
2022-05-28 00:17:09 +02:00
# Uncomment the following to disable automatic subscription to email
# notifications for new users. Enabled by default.
#
notif_for_new_users: {{ notif_for_new_users }}
2022-05-28 00:17:09 +02:00
# Custom URL for client links within the email notifications. By default
# links will be based on "https://matrix.to".
#
# (This setting used to be called riot_base_url; the old name is still
# supported for backwards-compatibility but is now deprecated.)
#
client_base_url: {{ client_base_url }}
2022-05-28 00:17:09 +02:00
# Configure the time that a validation email will expire after sending.
# Defaults to 1h.
#
2022-05-28 00:17:09 +02:00
#validation_token_lifetime: 15m
2022-05-28 00:17:09 +02:00
# The web client location to direct users to during an invite. This is passed
# to the identity server as the org.matrix.web_client_location key. Defaults
# to unset, giving no guidance to the identity server.
#
invite_client_location: {{ invite_client_location }}
2022-05-28 00:17:09 +02:00
# Subjects to use when sending emails from Synapse.
#
# The placeholder '%(app)s' will be replaced with the value of the 'app_name'
# setting above, or by a value dictated by the Matrix client application.
#
# If a subject isn't overridden in this configuration file, the value used as
# its example will be used.
#
2022-05-28 00:17:09 +02:00
#subjects:
# Subjects for notification emails.
#
# On top of the '%(app)s' placeholder, these can use the following
# placeholders:
#
# * '%(person)s', which will be replaced by the display name of the user(s)
# that sent the message(s), e.g. "Alice and Bob".
# * '%(room)s', which will be replaced by the name of the room the
# message(s) have been sent to, e.g. "My super room".
#
# See the example provided for each setting to see which placeholder can be
# used and how to use them.
#
# Subject to use to notify about one message from one or more user(s) in a
# room which has a name.
#message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
#
# Subject to use to notify about one message from one or more user(s) in a
# room which doesn't have a name.
#message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
#
# Subject to use to notify about multiple messages from one or more users in
# a room which doesn't have a name.
#messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
#
# Subject to use to notify about multiple messages in a room which has a
# name.
#messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
#
# Subject to use to notify about multiple messages in multiple rooms.
#messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
#
# Subject to use to notify about multiple messages from multiple persons in
# multiple rooms. This is similar to the setting above except it's used when
# the room in which the notification was triggered has no name.
#messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
#
# Subject to use to notify about an invite to a room which has a name.
#invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
#
# Subject to use to notify about an invite to a room which doesn't have a
# name.
#invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."
2017-02-13 20:43:41 +01:00
2022-05-28 00:17:09 +02:00
# Subject for emails related to account administration.
#
# On top of the '%(app)s' placeholder, these one can use the
# '%(server_name)s' placeholder, which will be replaced by the value of the
# 'server_name' setting in your Synapse configuration.
#
# Subject to use when sending a password reset email.
#password_reset: "[%(server_name)s] Password reset"
#
# Subject to use when sending a verification email to assert an address's
# ownership.
#email_validation: "[%(server_name)s] Validate your email"
2017-02-13 20:43:41 +01:00
2018-05-06 00:49:14 +02:00
2022-05-28 00:17:09 +02:00
## Push ##
2018-05-06 00:49:14 +02:00
2022-05-28 00:17:09 +02:00
push:
# Clients requesting push notifications can either have the body of
# the message sent in the notification poke along with other details
# like the sender, or just the event ID and room ID (`event_id_only`).
# If clients choose the former, this option controls whether the
# notification request includes the content of the event (other details
# like the sender are still included). For `event_id_only` push, it
# has no effect.
#
# For modern android devices the notification content will still appear
# because it is loaded by the app. iPhone, however will send a
# notification saying only that a message arrived and who it came from.
#
# The default value is "true" to include message details. Uncomment to only
# include the event ID and room ID in push notification payloads.
#
include_content: {{ push_include_content }}
2022-05-28 00:17:09 +02:00
# When a push notification is received, an unread count is also sent.
# This number can either be calculated as the number of unread messages
# for the user, or the number of *rooms* the user has unread messages in.
#
# The default value is "true", meaning push clients will see the number of
# rooms with unread messages in them. Uncomment to instead send the number
# of unread messages.
#
#group_unread_count_by_room: false
2018-05-06 00:49:14 +02:00
2022-05-28 00:17:09 +02:00
## Rooms ##
# Controls whether locally-created rooms should be end-to-end encrypted by
# default.
#
# Possible options are "all", "invite", and "off". They are defined as:
#
# * "all": any locally-created room
# * "invite": any room created with the "private_chat" or "trusted_private_chat"
# room creation presets
# * "off": this option will take no effect
#
# The default value is "off".
#
# Note that this option will only affect rooms created after it is set. It
# will also not affect rooms created by other servers.
#
encryption_enabled_by_default_for_room_type: {{ e2e_enabled_by_default }}
2018-05-06 00:49:14 +02:00
2019-11-12 21:58:10 +01:00
# Uncomment to allow non-server-admin users to create groups on this server
#
enable_group_creation: {{ enable_group_creation }}