diff --git a/roles/matrix/templates/homeserver.yaml.j2 b/roles/matrix/templates/homeserver.yaml.j2
index f6168583a1085810e2d0cb64d1deae0efeb7b833..ce9384a6109e23a59f8d5acddf9ce27ac6c24fb5 100644
--- a/roles/matrix/templates/homeserver.yaml.j2
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -5,9 +5,11 @@
# This is used by remote servers to connect to this server,
# e.g. matrix.org, localhost:8080, etc.
# This is also the last part of your UserID.
+#
server_name: "{{ matrix_server_name }}"
# When running as a daemon, the file to store the pid in
+#
#pid_file: /var/lib/synapse/homeserver.pid
# CPU affinity mask. Setting this restricts the CPUs on which the
@@ -31,38 +33,51 @@ server_name: "{{ matrix_server_name }}"
#
# This setting requires the affinity package to be installed!
#
-# cpu_affinity: 0xFFFFFFFF
+#cpu_affinity: 0xFFFFFFFF
# The path to the web client which will be served at /_matrix/client/
# if 'webclient' is configured under the 'listeners' configuration.
#
-# web_client_location: "/path/to/web/root"
+#web_client_location: "/path/to/web/root"
# The public-facing base URL that clients use to access this HS
# (not including _matrix/...). This is the same URL a user would
# enter into the 'custom HS URL' field on their client. If you
# use synapse with a reverse proxy, this should be the URL to reach
# synapse via the proxy.
+#
public_baseurl: https://{{ matrix_domain }}/
# Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the
# hard limit.
-soft_file_limit: 0
+#
+#soft_file_limit: 0
# Set to false to disable presence tracking on this homeserver.
+#
use_presence: true
# The GC threshold parameters to pass to `gc.set_threshold`, if defined
-# gc_thresholds: [700, 10, 10]
+#
+#gc_thresholds: [700, 10, 10]
# Set the limit on the returned events in the timeline in the get
# and sync operations. The default value is -1, means no upper limit.
-# filter_timeline_limit: 5000
+#
+#filter_timeline_limit: 5000
# Whether room invites to users on this server should be blocked
# (except those sent by local server admins). The default is False.
-# block_non_admin_invites: True
+#
+#block_non_admin_invites: True
+
+# Room searching
+#
+# If disabled, new messages will not be indexed for searching and users
+# will receive errors when searching for messages. Defaults to enabled.
+#
+#enable_search: false
# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
@@ -70,7 +85,7 @@ use_presence: true
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
-# federation_domain_whitelist:
+#federation_domain_whitelist:
# - lon.example.com
# - nyc.example.com
# - syd.example.com
@@ -166,52 +181,49 @@ listeners:
# example additonal_resources:
#
- # additional_resources:
- # "/_matrix/my/custom/endpoint":
- # module: my_module.CustomRequestHandler
- # config: {}
+ #additional_resources:
+ # "/_matrix/my/custom/endpoint":
+ # module: my_module.CustomRequestHandler
+ # config: {}
# Turn on the twisted ssh manhole service on localhost on the given
# port.
- # - port: 9000
- # bind_addresses: ['::1', '127.0.0.1']
- # type: manhole
+ #
+ #- port: 9000
+ # bind_addresses: ['::1', '127.0.0.1']
+ # type: manhole
+
+
+## Homeserver blocking ##
-# Homeserver blocking
-#
# How to reach the server admin, used in ResourceLimitError
-# admin_contact: 'mailto:admin@server.com'
#
-# Global block config
-#
-# hs_disabled: False
-# hs_disabled_message: 'Human readable reason for why the HS is blocked'
-# hs_disabled_limit_type: 'error code(str), to help clients decode reason'
+#admin_contact: 'mailto:admin@server.com'
+
+# Global blocking
#
+#hs_disabled: False
+#hs_disabled_message: 'Human readable reason for why the HS is blocked'
+#hs_disabled_limit_type: 'error code(str), to help clients decode reason'
+
# Monthly Active User Blocking
#
-# Enables monthly active user checking
-# limit_usage_by_mau: False
-# max_mau_value: 50
-# mau_trial_days: 2
-#
+#limit_usage_by_mau: False
+#max_mau_value: 50
+#mau_trial_days: 2
+
# If enabled, the metrics for the number of monthly active users will
# be populated, however no one will be limited. If limit_usage_by_mau
# is true, this is implied to be true.
-# mau_stats_only: False
#
+#mau_stats_only: False
+
# Sometimes the server admin will want to ensure certain accounts are
# never blocked by mau checking. These accounts are specified here.
#
-# mau_limit_reserved_threepids:
-# - medium: 'email'
-# address: 'reserved_user@example.com'
-#
-# Room searching
-#
-# If disabled, new messages will not be indexed for searching and users
-# will receive errors when searching for messages. Defaults to enabled.
-# enable_search: true
+#mau_limit_reserved_threepids:
+# - medium: 'email'
+# address: 'reserved_user@example.com'
## TLS ##
@@ -223,9 +235,15 @@ listeners:
# See 'ACME support' below to enable auto-provisioning this certificate via
# Let's Encrypt.
#
+# If supplying your own, be sure to use a `.pem` file that includes the
+# full certificate chain including any intermediate certificates (for
+# instance, if using certbot, use `fullchain.pem` as your certificate,
+# not `cert.pem`).
+#
tls_certificate_path: "/etc/synapse/{{ matrix_server_name }}.tls.crt"
# PEM-encoded private key for TLS
+#
tls_private_key_path: "/etc/synapse/{{ matrix_server_name }}.tls.key"
# ACME support: This will configure Synapse to request a valid TLS certificate
@@ -253,28 +271,42 @@ acme:
# ACME support is disabled by default. Uncomment the following line
# (and tls_certificate_path and tls_private_key_path above) to enable it.
#
- # enabled: true
+ #enabled: true
# Endpoint to use to request certificates. If you only want to test,
# use Let's Encrypt's staging url:
# https://acme-staging.api.letsencrypt.org/directory
#
- # url: https://acme-v01.api.letsencrypt.org/directory
+ #url: https://acme-v01.api.letsencrypt.org/directory
# Port number to listen on for the HTTP-01 challenge. Change this if
# you are forwarding connections through Apache/Nginx/etc.
#
- # port: 80
+ #port: 80
# Local addresses to listen on for incoming connections.
# Again, you may want to change this if you are forwarding connections
# through Apache/Nginx/etc.
#
- # bind_addresses: ['::', '0.0.0.0']
+ #bind_addresses: ['::', '0.0.0.0']
# How many days remaining on a certificate before it is renewed.
#
- # reprovision_threshold: 30
+ #reprovision_threshold: 30
+
+ # The domain that the certificate should be for. Normally this
+ # should be the same as your Matrix domain (i.e., 'server_name'), but,
+ # by putting a file at 'https://<server_name>/.well-known/matrix/server',
+ # you can delegate incoming traffic to another server. If you do that,
+ # you should give the target of the delegation here.
+ #
+ # For example: if your 'server_name' is 'example.com', but
+ # 'https://example.com/.well-known/matrix/server' delegates to
+ # 'matrix.example.com', you should put 'matrix.example.com' here.
+ #
+ # If not set, defaults to your 'server_name'.
+ #
+ domain: {{ matrix_domain }}
# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
@@ -301,12 +333,12 @@ acme:
# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
# or by checking matrix.org/federationtester/api/report?server_name=$host
#
-tls_fingerprints: []
-# tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
+#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
-# Database configuration
+## Database ##
+
database:
# The database engine name
name: "psycopg2"
@@ -319,98 +351,159 @@ database:
cp_max: 10
# Number of events to cache in memory.
-event_cache_size: "10K"
+#
+#event_cache_size: 10K
+## Logging ##
# A yaml python logging config file
+#
log_config: "/etc/synapse/log_config.yaml"
## Ratelimiting ##
# Number of messages a client can send per second
-rc_messages_per_second: 0.2
+#
+#rc_messages_per_second: 0.2
# Number of message a client can send before being throttled
-rc_message_burst_count: 10.0
+#
+#rc_message_burst_count: 10.0
+
+# Ratelimiting settings for registration and login.
+#
+# Each ratelimiting configuration is made of two parameters:
+# - per_second: number of requests a client can send per second.
+# - burst_count: number of requests a client can send before being throttled.
+#
+# Synapse currently uses the following configurations:
+# - one for registration that ratelimits registration requests based on the
+# client's IP address.
+# - one for login that ratelimits login requests based on the client's IP
+# address.
+# - one for login that ratelimits login requests based on the account the
+# client is attempting to log into.
+# - one for login that ratelimits login requests based on the account the
+# client is attempting to log into, based on the amount of failed login
+# attempts for this account.
+#
+# The defaults are as shown below.
+#
+#rc_registration:
+# per_second: 0.17
+# burst_count: 3
+#
+#rc_login:
+# address:
+# per_second: 0.17
+# burst_count: 3
+# account:
+# per_second: 0.17
+# burst_count: 3
+# failed_attempts:
+# per_second: 0.17
+# burst_count: 3
# The federation window size in milliseconds
-federation_rc_window_size: 1000
+#
+#federation_rc_window_size: 1000
# The number of federation requests from a single server in a window
# before the server will delay processing the request.
-federation_rc_sleep_limit: 10
+#
+#federation_rc_sleep_limit: 10
# The duration in milliseconds to delay processing events from
# remote servers by if they go over the sleep limit.
-federation_rc_sleep_delay: 500
+#
+#federation_rc_sleep_delay: 500
# The maximum number of concurrent federation requests allowed
# from a single server
-federation_rc_reject_limit: 50
+#
+#federation_rc_reject_limit: 50
# The number of federation requests to concurrently process from a
# single server
-federation_rc_concurrent: 3
+#
+#federation_rc_concurrent: 3
+
+# Target outgoing federation transaction frequency for sending read-receipts,
+# per-room.
+#
+# If we end up trying to send out more read-receipts, they will get buffered up
+# into fewer transactions.
+#
+#federation_rr_transactions_per_room_per_second: 50
# Directory where uploaded images and attachments are stored.
+#
media_store_path: "/var/lib/synapse/media_store"
# Media storage providers allow media to be stored in different
# locations.
-# media_storage_providers:
-# - module: file_system
-# # Whether to write new local files.
-# store_local: false
-# # Whether to write new remote media
-# store_remote: false
-# # Whether to block upload requests waiting for write to this
-# # provider to complete
-# store_synchronous: false
-# config:
-# directory: /mnt/some/other/directory
+#
+#media_storage_providers:
+# - module: file_system
+# # Whether to write new local files.
+# store_local: false
+# # Whether to write new remote media
+# store_remote: false
+# # Whether to block upload requests waiting for write to this
+# # provider to complete
+# store_synchronous: false
+# config:
+# directory: /mnt/some/other/directory
# Directory where in-progress uploads are stored.
+#
uploads_path: "/var/lib/synapse/uploads"
# The largest allowed upload size in bytes
-max_upload_size: "10M"
+#
+#max_upload_size: 10M
# Maximum number of pixels that will be thumbnailed
-max_image_pixels: "32M"
+#
+#max_image_pixels: 32M
# Whether to generate new thumbnails on the fly to precisely match
# the resolution requested by the client. If true then whenever
# a new resolution is requested by the client the server will
# generate a new thumbnail. If false the server will pick a thumbnail
# from a precalculated list.
-dynamic_thumbnails: false
-
-# List of thumbnail to precalculate when an image is uploaded.
-thumbnail_sizes:
-- width: 32
- height: 32
- method: crop
-- width: 96
- height: 96
- method: crop
-- width: 320
- height: 240
- method: scale
-- width: 640
- height: 480
- method: scale
-- width: 800
- height: 600
- method: scale
-
-# Is the preview URL API enabled? If enabled, you *must* specify
-# an explicit url_preview_ip_range_blacklist of IPs that the spider is
-# denied from accessing.
-url_preview_enabled: True
+#
+#dynamic_thumbnails: false
+
+# List of thumbnails to precalculate when an image is uploaded.
+#
+#thumbnail_sizes:
+# - width: 32
+# height: 32
+# method: crop
+# - width: 96
+# height: 96
+# method: crop
+# - width: 320
+# height: 240
+# method: scale
+# - width: 640
+# height: 480
+# method: scale
+# - width: 800
+# height: 600
+# method: scale
+
+# Is the preview URL API enabled?
+#
+# 'false' by default: uncomment the following to enable it (and specify a
+# url_preview_ip_range_blacklist blacklist).
+#
+url_preview_enabled: true
# List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly
@@ -420,25 +513,31 @@ url_preview_enabled: True
# synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues.
#
-url_preview_ip_range_blacklist:
-- '127.0.0.0/8'
-- '10.0.0.0/8'
-- '172.16.0.0/12'
-- '192.168.0.0/16'
-- '100.64.0.0/10'
-- '169.254.0.0/16'
-- '::1/128'
-- 'fe80::/64'
-- 'fc00::/7'
+# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
+# listed here, since they correspond to unroutable addresses.)
+#
+# This must be specified if url_preview_enabled is set. It is recommended that
+# you uncomment the following list as a starting point.
#
+url_preview_ip_range_blacklist:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ - '100.64.0.0/10'
+ - '169.254.0.0/16'
+ - '::1/128'
+ - 'fe80::/64'
+ - 'fc00::/7'
+
# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted
# target IP ranges - e.g. for enabling URL previews for a specific private
# website only visible in your network.
#
-# url_preview_ip_range_whitelist:
-# - '192.168.1.1'
+#url_preview_ip_range_whitelist:
+# - '192.168.1.1'
# Optional list of URL matches that the URL preview spider is
# denied from accessing. You should use url_preview_ip_range_blacklist
@@ -456,104 +555,118 @@ url_preview_ip_range_blacklist:
# specified component matches for a given list item succeed, the URL is
# blacklisted.
#
-# url_preview_url_blacklist:
-# # blacklist any URL with a username in its URI
-# - username: '*'
+#url_preview_url_blacklist:
+# # blacklist any URL with a username in its URI
+# - username: '*'
#
-# # blacklist all *.google.com URLs
-# - netloc: 'google.com'
-# - netloc: '*.google.com'
+# # blacklist all *.google.com URLs
+# - netloc: 'google.com'
+# - netloc: '*.google.com'
#
-# # blacklist all plain HTTP URLs
-# - scheme: 'http'
+# # blacklist all plain HTTP URLs
+# - scheme: 'http'
#
-# # blacklist http(s)://www.acme.com/foo
-# - netloc: 'www.acme.com'
-# path: '/foo'
+# # blacklist http(s)://www.acme.com/foo
+# - netloc: 'www.acme.com'
+# path: '/foo'
#
-# # blacklist any URL with a literal IPv4 address
-# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
+# # blacklist any URL with a literal IPv4 address
+# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
# The largest allowed URL preview spidering size in bytes
-max_spider_size: "10M"
-
-
+#
+#max_spider_size: 10M
## Captcha ##
# See docs/CAPTCHA_SETUP for full details of configuring this.
# This Home Server's ReCAPTCHA public key.
-recaptcha_public_key: "YOUR_PUBLIC_KEY"
+#
+#recaptcha_public_key: "YOUR_PUBLIC_KEY"
# This Home Server's ReCAPTCHA private key.
-recaptcha_private_key: "YOUR_PRIVATE_KEY"
+#
+#recaptcha_private_key: "YOUR_PRIVATE_KEY"
# Enables ReCaptcha checks when registering, preventing signup
# unless a captcha is answered. Requires a valid ReCaptcha
# public/private key.
-enable_registration_captcha: False
+#
+#enable_registration_captcha: false
# A secret key used to bypass the captcha test entirely.
+#
#captcha_bypass_secret: "YOUR_SECRET_HERE"
# The API endpoint to use for verifying m.login.recaptcha responses.
-recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+#
+#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify"
-## Turn ##
+## TURN ##
# The public URIs of the TURN server to give to clients
+#
#turn_uris: []
# The shared secret used to compute passwords for the TURN server
+#
#turn_shared_secret: "YOUR_SHARED_SECRET"
# The Username and password if the TURN server needs them and
# does not use a token
+#
#turn_username: "TURNSERVER_USERNAME"
#turn_password: "TURNSERVER_PASSWORD"
# How long generated TURN credentials last
-turn_user_lifetime: "1h"
+#
+#turn_user_lifetime: 1h
# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
-turn_allow_guests: True
+#
+#turn_allow_guests: True
## Registration ##
+#
+# Registration can be rate-limited using the parameters in the "Ratelimiting"
+# section of this file.
# Enable registration for new users.
-enable_registration: False
+#
+#enable_registration: false
# The user must provide all of the below types of 3PID when registering.
#
-# registrations_require_3pid:
-# - email
-# - msisdn
+#registrations_require_3pid:
+# - email
+# - msisdn
# Explicitly disable asking for MSISDNs from the registration
# flow (overrides registrations_require_3pid if MSISDNs are set as required)
#
-# disable_msisdn_registration = True
+#disable_msisdn_registration: true
# Mandate that users are only allowed to associate certain formats of
# 3PIDs with accounts on this server.
#
-# allowed_local_3pids:
-# - medium: email
-# pattern: '.*@matrix\.org'
-# - medium: email
-# pattern: '.*@vector\.im'
-# - medium: msisdn
-# pattern: '\+44'
+#allowed_local_3pids:
+# - medium: email
+# pattern: '.*@matrix\.org'
+# - medium: email
+# pattern: '.*@vector\.im'
+# - medium: msisdn
+# pattern: '\+44'
-# If set, allows registration by anyone who also has the shared
-# secret, even if registration is otherwise disabled.
+# If set, allows registration of standard or admin accounts by anyone who
+# has the shared secret, even if registration is otherwise disabled.
+#
registration_shared_secret: "{{ vault_matrix_secrets[matrix_server_name].registration_shared_secret }}"
# Set the number of bcrypt rounds used to generate password hash.
@@ -561,12 +674,14 @@ registration_shared_secret: "{{ vault_matrix_secrets[matrix_server_name].registr
# The default number is 12 (which equates to 2^12 rounds).
# N.B. that increasing this will exponentially increase the time required
# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
-bcrypt_rounds: 12
+#
+#bcrypt_rounds: 12
# Allows users to register as guests without a password/email/etc, and
# participate in rooms hosted on this server which have been made
# accessible to anonymous users.
-allow_guest_access: False
+#
+#allow_guest_access: false
# The identity server which we suggest that clients should use when users log
# in on this server.
@@ -581,70 +696,95 @@ default_identity_server: https://matrix.org
#
# Also defines the ID server which will be called when an account is
# deactivated (one will be picked arbitrarily).
-trusted_third_party_id_servers:
- - matrix.org
- - vector.im
+#
+#trusted_third_party_id_servers:
+# - matrix.org
+# - vector.im
# Users who register on this homeserver will automatically be joined
# to these rooms
+#
#auto_join_rooms:
-# - "#example:example.com"
+# - "#example:example.com"
# Where auto_join_rooms are specified, setting this flag ensures that the
# the rooms exist by creating them when the first user on the
# homeserver registers.
# Setting to false means that if the rooms are not manually created,
# users cannot be auto-joined since they do not exist.
-autocreate_auto_join_rooms: true
+#
+#autocreate_auto_join_rooms: true
## Metrics ###
# Enable collection and rendering of performance metrics
-enable_metrics: False
-report_stats: false
+#
+#enable_metrics: False
+
+# Enable sentry integration
+# NOTE: While attempts are made to ensure that the logs don't contain
+# any sensitive information, this cannot be guaranteed. By enabling
+# this option the sentry server may therefore receive sensitive
+# information, and it in turn may then diseminate sensitive information
+# through insecure notification channels if so configured.
+#
+#sentry:
+# dsn: "..."
+
+# Whether or not to report anonymized homeserver usage statistics.
+# report_stats: true|false
## API Configuration ##
# A list of event types that will be included in the room_invite_state
-room_invite_state_types:
- - "m.room.join_rules"
- - "m.room.canonical_alias"
- - "m.room.avatar"
- - "m.room.encryption"
- - "m.room.name"
+#
+#room_invite_state_types:
+# - "m.room.join_rules"
+# - "m.room.canonical_alias"
+# - "m.room.avatar"
+# - "m.room.encryption"
+# - "m.room.name"
-# A list of application service config file to use
-app_service_config_files: ["/etc/synapse/appservice-registration-irc.yaml"]
+# A list of application service config files to use
+#
+app_service_config_files:
+ - "/etc/synapse/appservice-registration-irc.yaml"
-# Whether or not to track application service IP addresses. Implicitly
+# Uncomment to enable tracking of application service IP addresses. Implicitly
# enables MAU tracking for application service users.
-track_appservice_user_ips: False
+#
+#track_appservice_user_ips: True
# a secret which is used to sign access tokens. If none is specified,
# the registration_shared_secret is used, if one is given; otherwise,
# a secret key is derived from the signing key.
+#
macaroon_secret_key: "{{ vault_matrix_secrets[matrix_server_name].macaroon_secret_key }}"
# Used to enable access token expiration.
-expire_access_token: False
+#
+#expire_access_token: False
# a secret which is used to calculate HMACs for form values, to stop
# falsification of values. Must be specified for the User Consent
# forms to work.
+#
form_secret: "{{ vault_matrix_secrets[matrix_server_name].form_secret }}"
## Signing Keys ##
# Path to the signing key to sign messages with
+#
signing_key_path: "/etc/synapse/{{ matrix_server_name }}.signing.key"
# The keys that the server used to sign messages with but won't use
# to sign new messages. E.g. it has lost its private key
-old_signing_keys: {}
+#
+#old_signing_keys:
# "ed25519:auto":
# # Base64 encoded public key
# key: "The public part of your old signing key."
@@ -655,64 +795,65 @@ old_signing_keys: {}
# Used to set the valid_until_ts in /key/v2 APIs.
# Determines how quickly servers will query to check which keys
# are still valid.
-key_refresh_interval: "1d" # 1 Day.
+#
+#key_refresh_interval: 1d
# The trusted servers to download signing keys from.
-perspectives:
- servers:
- "matrix.org":
- verify_keys:
- "ed25519:auto":
- key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
-
+#
+#perspectives:
+# servers:
+# "matrix.org":
+# verify_keys:
+# "ed25519:auto":
+# key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
# Enable SAML2 for registration and login. Uses pysaml2.
#
-# saml2_config:
+# `sp_config` is the configuration for the pysaml2 Service Provider.
+# See pysaml2 docs for format of config.
#
-# # The following is the configuration for the pysaml2 Service Provider.
-# # See pysaml2 docs for format of config.
-# #
-# # Default values will be used for the 'entityid' and 'service' settings,
-# # so it is not normally necessary to specify them unless you need to
-# # override them.
+# Default values will be used for the 'entityid' and 'service' settings,
+# so it is not normally necessary to specify them unless you need to
+# override them.
#
-# sp_config:
-# # point this to the IdP's metadata. You can use either a local file or
-# # (preferably) a URL.
-# metadata:
-# # local: ["saml2/idp.xml"]
-# remote:
-# - url: https://our_idp/metadata.xml
+#saml2_config:
+# sp_config:
+# # point this to the IdP's metadata. You can use either a local file or
+# # (preferably) a URL.
+# metadata:
+# #local: ["saml2/idp.xml"]
+# remote:
+# - url: https://our_idp/metadata.xml
#
-# # The following is just used to generate our metadata xml, and you
-# # may well not need it, depending on your setup. Alternatively you
-# # may need a whole lot more detail - see the pysaml2 docs!
+# # The rest of sp_config is just used to generate our metadata xml, and you
+# # may well not need it, depending on your setup. Alternatively you
+# # may need a whole lot more detail - see the pysaml2 docs!
#
-# description: ["My awesome SP", "en"]
-# name: ["Test SP", "en"]
+# description: ["My awesome SP", "en"]
+# name: ["Test SP", "en"]
#
-# organization:
-# name: Example com
-# display_name:
-# - ["Example co", "en"]
-# url: "http://example.com"
+# organization:
+# name: Example com
+# display_name:
+# - ["Example co", "en"]
+# url: "http://example.com"
#
-# contact_person:
-# - given_name: Bob
-# sur_name: "the Sysadmin"
-# email_address": ["admin@example.com"]
-# contact_type": technical
+# contact_person:
+# - given_name: Bob
+# sur_name: "the Sysadmin"
+# email_address": ["admin@example.com"]
+# contact_type": technical
#
-# # Instead of putting the config inline as above, you can specify a
-# # separate pysaml2 configuration file:
-# #
-# # config_path: "/var/lib/synapse/testconf/sp_conf.py"
+# # Instead of putting the config inline as above, you can specify a
+# # separate pysaml2 configuration file:
+# #
+# config_path: "CONFDIR/sp_conf.py"
# Enable CAS for registration and login.
+#
#cas_config:
# enabled: true
# server_url: "https://cas-server.com"
@@ -723,18 +864,20 @@ perspectives:
# The JWT needs to contain a globally unique "sub" (subject) claim.
#
-# jwt_config:
-# enabled: true
-# secret: "a secret"
-# algorithm: "HS256"
-
+#jwt_config:
+# enabled: true
+# secret: "a secret"
+# algorithm: "HS256"
-# Enable password for login.
password_config:
- enabled: true
+ # Uncomment to disable password login
+ #
+ #enabled: false
+
# Uncomment and change to a secret random string for extra security.
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
+ #
pepper: "{{ vault_matrix_secrets[matrix_server_name].pepper }}"
@@ -765,20 +908,20 @@ password_config:
# riot_base_url: "http://localhost/riot"
-# password_providers:
-# - module: "ldap_auth_provider.LdapAuthProvider"
-# config:
-# enabled: true
-# uri: "ldap://ldap.example.com:389"
-# start_tls: true
-# base: "ou=users,dc=example,dc=com"
-# attributes:
-# uid: "cn"
-# mail: "email"
-# name: "givenName"
-# #bind_dn:
-# #bind_password:
-# #filter: "(objectClass=posixAccount)"
+#password_providers:
+# - module: "ldap_auth_provider.LdapAuthProvider"
+# config:
+# enabled: true
+# uri: "ldap://ldap.example.com:389"
+# start_tls: true
+# base: "ou=users,dc=example,dc=com"
+# attributes:
+# uid: "cn"
+# mail: "email"
+# name: "givenName"
+# #bind_dn:
+# #bind_password:
+# #filter: "(objectClass=posixAccount)"
@@ -789,32 +932,38 @@ password_config:
# notification request includes the content of the event (other details
# like the sender are still included). For `event_id_only` push, it
# has no effect.
-
+#
# For modern android devices the notification content will still appear
# because it is loaded by the app. iPhone, however will send a
# notification saying only that a message arrived and who it came from.
#
#push:
-# include_content: true
+# include_content: true
-# spam_checker:
-# module: "my_custom_project.SuperSpamChecker"
-# config:
-# example_option: 'things'
+#spam_checker:
+# module: "my_custom_project.SuperSpamChecker"
+# config:
+# example_option: 'things'
-# Whether to allow non server admins to create groups on this server
-enable_group_creation: false
+# Uncomment to allow non-server-admin users to create groups on this server
+#
+#enable_group_creation: true
# If enabled, non server admins can only create groups with local parts
# starting with this prefix
-# group_creation_prefix: "unofficial/"
+#
+#group_creation_prefix: "unofficial/"
# User Directory configuration
#
+# 'enabled' defines whether users can search the user directory. If
+# false then empty responses are returned to all queries. Defaults to
+# true.
+#
# 'search_all_users' defines whether to search all users visible to your HS
# when searching the user directory, rather than limiting to users visible
# in public rooms. Defaults to false. If you set it True, you'll have to run
@@ -822,7 +971,8 @@ enable_group_creation: false
# on your database to tell it to rebuild the user_directory search indexes.
#
#user_directory:
-# search_all_users: false
+# enabled: true
+# search_all_users: false
# User Consent configuration
@@ -859,20 +1009,20 @@ enable_group_creation: false
# for an account. Has no effect unless `require_at_registration` is enabled.
# Defaults to "Privacy Policy".
#
-# user_consent:
-# template_dir: res/templates/privacy
-# version: 1.0
-# server_notice_content:
-# msgtype: m.text
-# body: >-
-# To continue using this homeserver you must review and agree to the
-# terms and conditions at %(consent_uri)s
-# send_server_notice_to_guests: True
-# block_events_error: >-
-# To continue using this homeserver you must review and agree to the
-# terms and conditions at %(consent_uri)s
-# require_at_registration: False
-# policy_name: Privacy Policy
+#user_consent:
+# template_dir: res/templates/privacy
+# version: 1.0
+# server_notice_content:
+# msgtype: m.text
+# body: >-
+# To continue using this homeserver you must review and agree to the
+# terms and conditions at %(consent_uri)s
+# send_server_notice_to_guests: True
+# block_events_error: >-
+# To continue using this homeserver you must review and agree to the
+# terms and conditions at %(consent_uri)s
+# require_at_registration: False
+# policy_name: Privacy Policy
#
@@ -889,24 +1039,73 @@ enable_group_creation: false
# It's also possible to override the room name, the display name of the
# "notices" user, and the avatar for the user.
#
-# server_notices:
-# system_mxid_localpart: notices
-# system_mxid_display_name: "Server Notices"
-# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
-# room_name: "Server Notices"
+#server_notices:
+# system_mxid_localpart: notices
+# system_mxid_display_name: "Server Notices"
+# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
+# room_name: "Server Notices"
+# Uncomment to disable searching the public room list. When disabled
+# blocks searching local and remote room lists for local and remote
+# users by always returning an empty list for all queries.
+#
+#enable_room_list_search: false
+
# The `alias_creation` option controls who's allowed to create aliases
# on this server.
#
# The format of this option is a list of rules that contain globs that
-# match against user_id and the new alias (fully qualified with server
-# name). The action in the first rule that matches is taken, which can
-# currently either be "allow" or "deny".
-#
-# If no rules match the request is denied.
-alias_creation_rules:
- - user_id: "*"
- alias: "*"
- action: allow
+# match against user_id, room_id and the new alias (fully qualified with
+# server name). The action in the first rule that matches is taken,
+# which can currently either be "allow" or "deny".
+#
+# Missing user_id/room_id/alias fields default to "*".
+#
+# If no rules match the request is denied. An empty list means no one
+# can create aliases.
+#
+# Options for the rules include:
+#
+# user_id: Matches against the creator of the alias
+# alias: Matches against the alias being created
+# room_id: Matches against the room ID the alias is being pointed at
+# action: Whether to "allow" or "deny" the request if the rule matches
+#
+# The default is:
+#
+#alias_creation_rules:
+# - user_id: "*"
+# alias: "*"
+# room_id: "*"
+# action: allow
+
+# The `room_list_publication_rules` option controls who can publish and
+# which rooms can be published in the public room list.
+#
+# The format of this option is the same as that for
+# `alias_creation_rules`.
+#
+# If the room has one or more aliases associated with it, only one of
+# the aliases needs to match the alias rule. If there are no aliases
+# then only rules with `alias: *` match.
+#
+# If no rules match the request is denied. An empty list means no one
+# can publish rooms.
+#
+# Options for the rules include:
+#
+# user_id: Matches agaisnt the creator of the alias
+# room_id: Matches against the room ID being published
+# alias: Matches against any current local or canonical aliases
+# associated with the room
+# action: Whether to "allow" or "deny" the request if the rule matches
+#
+# The default is:
+#
+#room_list_publication_rules:
+# - user_id: "*"
+# alias: "*"
+# room_id: "*"
+# action: allow