· 4 years ago · Jun 23, 2021, 01:14 PM
1# Configuration file for Synapse.
2#
3# This is a YAML file: see [1] for a quick introduction. Note in particular
4# that *indentation is important*: all the elements of a list or dictionary
5# should have the same indentation.
6#
7# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
8
9## Server ##
10
11# The public-facing domain of the server
12#
13# The server_name name will appear at the end of usernames and room addresses
14# created on this server. For example if the server_name was example.com,
15# usernames on this server would be in the format @user:example.com
16#
17# In most cases you should avoid using a matrix specific subdomain such as
18# matrix.example.com or synapse.example.com as the server_name for the same
19# reasons you wouldn't use user@email.example.com as your email address.
20# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md
21# for information on how to host Synapse on a subdomain while preserving
22# a clean server_name.
23#
24# The server_name cannot be changed later so it is important to
25# configure this correctly before you start Synapse. It should be all
26# lowercase and may contain an explicit port.
27# Examples: matrix.org, localhost:8080
28#
29#
30# This is set in /etc/matrix-synapse/conf.d/server_name.yaml for Debian installations.
31# server_name: "SERVERNAME"
32
33# When running as a daemon, the file to store the pid in
34#
35pid_file: "/var/run/matrix-synapse.pid"
36
37# The absolute URL to the web client which /_matrix/client will redirect
38# to if 'webclient' is configured under the 'listeners' configuration.
39#
40# This option can be also set to the filesystem path to the web client
41# which will be served at /_matrix/client/ if 'webclient' is configured
42# under the 'listeners' configuration, however this is a security risk:
43# https://github.com/matrix-org/synapse#security-note
44#
45web_client_location: https://element.nutclough.space
46
47# The public-facing base URL that clients use to access this Homeserver (not
48# including _matrix/...). This is the same URL a user might enter into the
49# 'Custom Homeserver URL' field on their client. If you use Synapse with a
50# reverse proxy, this should be the URL to reach Synapse via the proxy.
51# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
52# 'listeners' below).
53#
54public_baseurl: https://nutlcough.space
55
56# Set the soft limit on the number of file descriptors synapse can use
57# Zero is used to indicate synapse should set the soft limit to the
58# hard limit.
59#
60#soft_file_limit: 0
61
62# Presence tracking allows users to see the state (e.g online/offline)
63# of other local and remote users.
64#
65presence:
66 # Uncomment to disable presence tracking on this homeserver. This option
67 # replaces the previous top-level 'use_presence' option.
68 #
69 #enabled: false
70
71 # Presence routers are third-party modules that can specify additional logic
72 # to where presence updates from users are routed.
73 #
74 presence_router:
75 # The custom module's class. Uncomment to use a custom presence router module.
76 #
77 #module: "my_custom_router.PresenceRouter"
78
79 # Configuration options of the custom module. Refer to your module's
80 # documentation for available options.
81 #
82 #config:
83 # example_option: 'something'
84
85# Whether to require authentication to retrieve profile data (avatars,
86# display names) of other users through the client API. Defaults to
87# 'false'. Note that profile data is also available via the federation
88# API, unless allow_profile_lookup_over_federation is set to false.
89#
90#require_auth_for_profile_requests: true
91
92# Uncomment to require a user to share a room with another user in order
93# to retrieve their profile information. Only checked on Client-Server
94# requests. Profile requests from other servers should be checked by the
95# requesting server. Defaults to 'false'.
96#
97#limit_profile_requests_to_users_who_share_rooms: true
98
99# Uncomment to prevent a user's profile data from being retrieved and
100# displayed in a room until they have joined it. By default, a user's
101# profile data is included in an invite event, regardless of the values
102# of the above two settings, and whether or not the users share a server.
103# Defaults to 'true'.
104#
105#include_profile_data_on_invite: false
106
107# If set to 'true', removes the need for authentication to access the server's
108# public rooms directory through the client API, meaning that anyone can
109# query the room directory. Defaults to 'false'.
110#
111#allow_public_rooms_without_auth: true
112
113# If set to 'true', allows any other homeserver to fetch the server's public
114# rooms directory via federation. Defaults to 'false'.
115#
116#allow_public_rooms_over_federation: true
117
118# The default room version for newly created rooms.
119#
120# Known room versions are listed here:
121# https://matrix.org/docs/spec/#complete-list-of-room-versions
122#
123# For example, for room version 1, default_room_version should be set
124# to "1".
125#
126#default_room_version: "6"
127
128# The GC threshold parameters to pass to `gc.set_threshold`, if defined
129#
130#gc_thresholds: [700, 10, 10]
131
132# The minimum time in seconds between each GC for a generation, regardless of
133# the GC thresholds. This ensures that we don't do GC too frequently.
134#
135# A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive
136# generation 0 GCs, etc.
137#
138# Defaults to `[1s, 10s, 30s]`.
139#
140#gc_min_interval: [0.5s, 30s, 1m]
141
142# Set the limit on the returned events in the timeline in the get
143# and sync operations. The default value is 100. -1 means no upper limit.
144#
145# Uncomment the following to increase the limit to 5000.
146#
147#filter_timeline_limit: 5000
148
149# Whether room invites to users on this server should be blocked
150# (except those sent by local server admins). The default is False.
151#
152#block_non_admin_invites: true
153
154# Room searching
155#
156# If disabled, new messages will not be indexed for searching and users
157# will receive errors when searching for messages. Defaults to enabled.
158#
159#enable_search: false
160
161# Prevent outgoing requests from being sent to the following blacklisted IP address
162# CIDR ranges. If this option is not specified then it defaults to private IP
163# address ranges (see the example below).
164#
165# The blacklist applies to the outbound requests for federation, identity servers,
166# push servers, and for checking key validity for third-party invite events.
167#
168# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
169# listed here, since they correspond to unroutable addresses.)
170#
171# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
172#
173#ip_range_blacklist:
174# - '127.0.0.0/8'
175# - '10.0.0.0/8'
176# - '172.16.0.0/12'
177# - '192.168.0.0/16'
178# - '100.64.0.0/10'
179# - '192.0.0.0/24'
180# - '169.254.0.0/16'
181# - '192.88.99.0/24'
182# - '198.18.0.0/15'
183# - '192.0.2.0/24'
184# - '198.51.100.0/24'
185# - '203.0.113.0/24'
186# - '224.0.0.0/4'
187# - '::1/128'
188# - 'fe80::/10'
189# - 'fc00::/7'
190# - '2001:db8::/32'
191# - 'ff00::/8'
192# - 'fec0::/10'
193
194# List of IP address CIDR ranges that should be allowed for federation,
195# identity servers, push servers, and for checking key validity for
196# third-party invite events. This is useful for specifying exceptions to
197# wide-ranging blacklisted target IP ranges - e.g. for communication with
198# a push server only visible in your network.
199#
200# This whitelist overrides ip_range_blacklist and defaults to an empty
201# list.
202#
203#ip_range_whitelist:
204# - '192.168.1.1'
205
206# List of ports that Synapse should listen on, their purpose and their
207# configuration.
208#
209# Options for each listener include:
210#
211# port: the TCP port to bind to
212#
213# bind_addresses: a list of local addresses to listen on. The default is
214# 'all local interfaces'.
215#
216# type: the type of listener. Normally 'http', but other valid options are:
217# 'manhole' (see docs/manhole.md),
218# 'metrics' (see docs/metrics-howto.md),
219# 'replication' (see docs/workers.md).
220#
221# tls: set to true to enable TLS for this listener. Will use the TLS
222# key/cert specified in tls_private_key_path / tls_certificate_path.
223#
224# x_forwarded: Only valid for an 'http' listener. Set to true to use the
225# X-Forwarded-For header as the client IP. Useful when Synapse is
226# behind a reverse-proxy.
227#
228# resources: Only valid for an 'http' listener. A list of resources to host
229# on this port. Options for each resource are:
230#
231# names: a list of names of HTTP resources. See below for a list of
232# valid resource names.
233#
234# compress: set to true to enable HTTP compression for this resource.
235#
236# additional_resources: Only valid for an 'http' listener. A map of
237# additional endpoints which should be loaded via dynamic modules.
238#
239# Valid resource names are:
240#
241# client: the client-server API (/_matrix/client), and the synapse admin
242# API (/_synapse/admin). Also implies 'media' and 'static'.
243#
244# consent: user consent forms (/_matrix/consent). See
245# docs/consent_tracking.md.
246#
247# federation: the server-server API (/_matrix/federation). Also implies
248# 'media', 'keys', 'openid'
249#
250# keys: the key discovery API (/_matrix/keys).
251#
252# media: the media API (/_matrix/media).
253#
254# metrics: the metrics interface. See docs/metrics-howto.md.
255#
256# openid: OpenID authentication.
257#
258# replication: the HTTP replication API (/_synapse/replication). See
259# docs/workers.md.
260#
261# static: static resources under synapse/static (/_matrix/static). (Mostly
262# useful for 'fallback authentication'.)
263#
264# webclient: A web client. Requires web_client_location to be set.
265#
266listeners:
267 # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
268 #
269 # Disabled by default. To enable it, uncomment the following. (Note that you
270 # will also need to give Synapse a TLS key and certificate: see the TLS section
271 # below.)
272
273 - port: 8448
274 type: http
275 tls: true
276 resources:
277 - names: [client, federation]
278
279 # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
280 # that unwraps TLS.
281 #
282 # If you plan to use a reverse proxy, please see
283 # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md.
284 #
285 - port: 8008
286 tls: false
287 type: http
288 x_forwarded: true
289 bind_addresses: ['::1', '127.0.0.1']
290
291 resources:
292 - names: [client, federation]
293 compress: false
294
295 # example additional_resources:
296 #
297 #additional_resources:
298 # "/_matrix/my/custom/endpoint":
299 # module: my_module.CustomRequestHandler
300 # config: {}
301
302 # Turn on the twisted ssh manhole service on localhost on the given
303 # port.
304 #
305 #- port: 9000
306 # bind_addresses: ['::1', '127.0.0.1']
307 # type: manhole
308
309# Forward extremities can build up in a room due to networking delays between
310# homeservers. Once this happens in a large room, calculation of the state of
311# that room can become quite expensive. To mitigate this, once the number of
312# forward extremities reaches a given threshold, Synapse will send an
313# org.matrix.dummy_event event, which will reduce the forward extremities
314# in the room.
315#
316# This setting defines the threshold (i.e. number of forward extremities in the
317# room) at which dummy events are sent. The default value is 10.
318#
319#dummy_events_threshold: 5
320
321
322## Homeserver blocking ##
323
324# How to reach the server admin, used in ResourceLimitError
325#
326#admin_contact: 'mailto:admin@server.com'
327
328# Global blocking
329#
330#hs_disabled: false
331#hs_disabled_message: 'Human readable reason for why the HS is blocked'
332
333# Monthly Active User Blocking
334#
335# Used in cases where the admin or server owner wants to limit to the
336# number of monthly active users.
337#
338# 'limit_usage_by_mau' disables/enables monthly active user blocking. When
339# enabled and a limit is reached the server returns a 'ResourceLimitError'
340# with error type Codes.RESOURCE_LIMIT_EXCEEDED
341#
342# 'max_mau_value' is the hard limit of monthly active users above which
343# the server will start blocking user actions.
344#
345# 'mau_trial_days' is a means to add a grace period for active users. It
346# means that users must be active for this number of days before they
347# can be considered active and guards against the case where lots of users
348# sign up in a short space of time never to return after their initial
349# session.
350#
351# 'mau_limit_alerting' is a means of limiting client side alerting
352# should the mau limit be reached. This is useful for small instances
353# where the admin has 5 mau seats (say) for 5 specific people and no
354# interest increasing the mau limit further. Defaults to True, which
355# means that alerting is enabled
356#
357#limit_usage_by_mau: false
358#max_mau_value: 50
359#mau_trial_days: 2
360#mau_limit_alerting: false
361
362# If enabled, the metrics for the number of monthly active users will
363# be populated, however no one will be limited. If limit_usage_by_mau
364# is true, this is implied to be true.
365#
366#mau_stats_only: false
367
368# Sometimes the server admin will want to ensure certain accounts are
369# never blocked by mau checking. These accounts are specified here.
370#
371#mau_limit_reserved_threepids:
372# - medium: 'email'
373# address: 'reserved_user@example.com'
374
375# Used by phonehome stats to group together related servers.
376#server_context: context
377
378# Resource-constrained homeserver settings
379#
380# When this is enabled, the room "complexity" will be checked before a user
381# joins a new remote room. If it is above the complexity limit, the server will
382# disallow joining, or will instantly leave.
383#
384# Room complexity is an arbitrary measure based on factors such as the number of
385# users in the room.
386#
387limit_remote_rooms:
388 # Uncomment to enable room complexity checking.
389 #
390 #enabled: true
391
392 # the limit above which rooms cannot be joined. The default is 1.0.
393 #
394 #complexity: 0.5
395
396 # override the error which is returned when the room is too complex.
397 #
398 #complexity_error: "This room is too complex."
399
400 # allow server admins to join complex rooms. Default is false.
401 #
402 #admins_can_join: true
403
404# Whether to require a user to be in the room to add an alias to it.
405# Defaults to 'true'.
406#
407#require_membership_for_aliases: false
408
409# Whether to allow per-room membership profiles through the send of membership
410# events with profile information that differ from the target's global profile.
411# Defaults to 'true'.
412#
413#allow_per_room_profiles: false
414
415# How long to keep redacted events in unredacted form in the database. After
416# this period redacted events get replaced with their redacted form in the DB.
417#
418# Defaults to `7d`. Set to `null` to disable.
419#
420#redaction_retention_period: 28d
421
422# How long to track users' last seen time and IPs in the database.
423#
424# Defaults to `28d`. Set to `null` to disable clearing out of old rows.
425#
426#user_ips_max_age: 14d
427
428# Message retention policy at the server level.
429#
430# Room admins and mods can define a retention period for their rooms using the
431# 'm.room.retention' state event, and server admins can cap this period by setting
432# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options.
433#
434# If this feature is enabled, Synapse will regularly look for and purge events
435# which are older than the room's maximum retention period. Synapse will also
436# filter events received over federation so that events that should have been
437# purged are ignored and not stored again.
438#
439retention:
440 # The message retention policies feature is disabled by default. Uncomment the
441 # following line to enable it.
442 #
443 #enabled: true
444
445 # Default retention policy. If set, Synapse will apply it to rooms that lack the
446 # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't
447 # matter much because Synapse doesn't take it into account yet.
448 #
449 #default_policy:
450 # min_lifetime: 1d
451 # max_lifetime: 1y
452
453 # Retention policy limits. If set, and the state of a room contains a
454 # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
455 # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
456 # to these limits when running purge jobs.
457 #
458 #allowed_lifetime_min: 1d
459 #allowed_lifetime_max: 1y
460
461 # Server admins can define the settings of the background jobs purging the
462 # events which lifetime has expired under the 'purge_jobs' section.
463 #
464 # If no configuration is provided, a single job will be set up to delete expired
465 # events in every room daily.
466 #
467 # Each job's configuration defines which range of message lifetimes the job
468 # takes care of. For example, if 'shortest_max_lifetime' is '2d' and
469 # 'longest_max_lifetime' is '3d', the job will handle purging expired events in
470 # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and
471 # lower than or equal to 3 days. Both the minimum and the maximum value of a
472 # range are optional, e.g. a job with no 'shortest_max_lifetime' and a
473 # 'longest_max_lifetime' of '3d' will handle every room with a retention policy
474 # which 'max_lifetime' is lower than or equal to three days.
475 #
476 # The rationale for this per-job configuration is that some rooms might have a
477 # retention policy with a low 'max_lifetime', where history needs to be purged
478 # of outdated messages on a more frequent basis than for the rest of the rooms
479 # (e.g. every 12h), but not want that purge to be performed by a job that's
480 # iterating over every room it knows, which could be heavy on the server.
481 #
482 # If any purge job is configured, it is strongly recommended to have at least
483 # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
484 # set, or one job without 'shortest_max_lifetime' and one job without
485 # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
486 # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
487 # room's policy to these values is done after the policies are retrieved from
488 # Synapse's database (which is done using the range specified in a purge job's
489 # configuration).
490 #
491 #purge_jobs:
492 # - longest_max_lifetime: 3d
493 # interval: 12h
494 # - shortest_max_lifetime: 3d
495 # interval: 1d
496
497# Inhibits the /requestToken endpoints from returning an error that might leak
498# information about whether an e-mail address is in use or not on this
499# homeserver.
500# Note that for some endpoints the error situation is the e-mail already being
501# used, and for others the error is entering the e-mail being unused.
502# If this option is enabled, instead of returning an error, these endpoints will
503# act as if no error happened and return a fake session ID ('sid') to clients.
504#
505#request_token_inhibit_3pid_errors: true
506
507# A list of domains that the domain portion of 'next_link' parameters
508# must match.
509#
510# This parameter is optionally provided by clients while requesting
511# validation of an email or phone number, and maps to a link that
512# users will be automatically redirected to after validation
513# succeeds. Clients can make use this parameter to aid the validation
514# process.
515#
516# The whitelist is applied whether the homeserver or an
517# identity server is handling validation.
518#
519# The default value is no whitelist functionality; all domains are
520# allowed. Setting this value to an empty list will instead disallow
521# all domains.
522#
523#next_link_domain_whitelist: ["matrix.org"]
524
525
526## TLS ##
527
528# PEM-encoded X509 certificate for TLS.
529# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
530# certificate, signed by a recognised Certificate Authority.
531#
532# See 'ACME support' below to enable auto-provisioning this certificate via
533# Let's Encrypt.
534#
535# If supplying your own, be sure to use a `.pem` file that includes the
536# full certificate chain including any intermediate certificates (for
537# instance, if using certbot, use `fullchain.pem` as your certificate,
538# not `cert.pem`).
539#
540tls_certificate_path: "/etc/matrix-synapse/SERVERNAME.tls.crt"
541
542# PEM-encoded private key for TLS
543#
544tls_private_key_path: "/etc/matrix-synapse/SERVERNAME.tls.key"
545
546# Whether to verify TLS server certificates for outbound federation requests.
547#
548# Defaults to `true`. To disable certificate verification, uncomment the
549# following line.
550#
551#federation_verify_certificates: false
552
553# The minimum TLS version that will be used for outbound federation requests.
554#
555# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
556# that setting this value higher than `1.2` will prevent federation to most
557# of the public Matrix network: only configure it to `1.3` if you have an
558# entirely private federation setup and you can ensure TLS 1.3 support.
559#
560#federation_client_minimum_tls_version: 1.2
561
562# Skip federation certificate verification on the following whitelist
563# of domains.
564#
565# This setting should only be used in very specific cases, such as
566# federation over Tor hidden services and similar. For private networks
567# of homeservers, you likely want to use a private CA instead.
568#
569# Only effective if federation_verify_certicates is `true`.
570#
571#federation_certificate_verification_whitelist:
572# - lon.example.com
573# - *.domain.com
574# - *.onion
575
576# List of custom certificate authorities for federation traffic.
577#
578# This setting should only normally be used within a private network of
579# homeservers.
580#
581# Note that this list will replace those that are provided by your
582# operating environment. Certificates must be in PEM format.
583#
584#federation_custom_ca_list:
585# - myCA1.pem
586# - myCA2.pem
587# - myCA3.pem
588
589# ACME support: This will configure Synapse to request a valid TLS certificate
590# for your configured `server_name` via Let's Encrypt.
591#
592# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
593# ACME v2. This means that this feature currently won't work with installs set
594# up after November 2019. For more info, and alternative solutions, see
595# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
596#
597# Note that provisioning a certificate in this way requires port 80 to be
598# routed to Synapse so that it can complete the http-01 ACME challenge.
599# By default, if you enable ACME support, Synapse will attempt to listen on
600# port 80 for incoming http-01 challenges - however, this will likely fail
601# with 'Permission denied' or a similar error.
602#
603# There are a couple of potential solutions to this:
604#
605# * If you already have an Apache, Nginx, or similar listening on port 80,
606# you can configure Synapse to use an alternate port, and have your web
607# server forward the requests. For example, assuming you set 'port: 8009'
608# below, on Apache, you would write:
609#
610# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
611#
612# * Alternatively, you can use something like `authbind` to give Synapse
613# permission to listen on port 80.
614#
615acme:
616 # ACME support is disabled by default. Set this to `true` and uncomment
617 # tls_certificate_path and tls_private_key_path above to enable it.
618 #
619 enabled: false
620
621 # Endpoint to use to request certificates. If you only want to test,
622 # use Let's Encrypt's staging url:
623 # https://acme-staging.api.letsencrypt.org/directory
624 #
625 #url: https://acme-v01.api.letsencrypt.org/directory
626
627 # Port number to listen on for the HTTP-01 challenge. Change this if
628 # you are forwarding connections through Apache/Nginx/etc.
629 #
630 port: 80
631
632 # Local addresses to listen on for incoming connections.
633 # Again, you may want to change this if you are forwarding connections
634 # through Apache/Nginx/etc.
635 #
636 bind_addresses: ['::', '0.0.0.0']
637
638 # How many days remaining on a certificate before it is renewed.
639 #
640 reprovision_threshold: 30
641
642 # The domain that the certificate should be for. Normally this
643 # should be the same as your Matrix domain (i.e., 'server_name'), but,
644 # by putting a file at 'https://<server_name>/.well-known/matrix/server',
645 # you can delegate incoming traffic to another server. If you do that,
646 # you should give the target of the delegation here.
647 #
648 # For example: if your 'server_name' is 'example.com', but
649 # 'https://example.com/.well-known/matrix/server' delegates to
650 # 'matrix.example.com', you should put 'matrix.example.com' here.
651 #
652 # If not set, defaults to your 'server_name'.
653 #
654 domain: matrix.example.com
655
656 # file to use for the account key. This will be generated if it doesn't
657 # exist.
658 #
659 # If unspecified, we will use CONFDIR/client.key.
660 #
661 account_key_file: /var/lib/matrix-synapse/acme_account.key
662
663
664## Federation ##
665
666# Restrict federation to the following whitelist of domains.
667# N.B. we recommend also firewalling your federation listener to limit
668# inbound federation traffic as early as possible, rather than relying
669# purely on this application-layer restriction. If not specified, the
670# default is to whitelist everything.
671#
672#federation_domain_whitelist:
673# - lon.example.com
674# - nyc.example.com
675# - syd.example.com
676
677# Report prometheus metrics on the age of PDUs being sent to and received from
678# the following domains. This can be used to give an idea of "delay" on inbound
679# and outbound federation, though be aware that any delay can be due to problems
680# at either end or with the intermediate network.
681#
682# By default, no domains are monitored in this way.
683#
684#federation_metrics_domains:
685# - matrix.org
686# - example.com
687
688# Uncomment to disable profile lookup over federation. By default, the
689# Federation API allows other homeservers to obtain profile data of any user
690# on this homeserver. Defaults to 'true'.
691#
692#allow_profile_lookup_over_federation: false
693
694# Uncomment to disable device display name lookup over federation. By default, the
695# Federation API allows other homeservers to obtain device display names of any user
696# on this homeserver. Defaults to 'true'.
697#
698#allow_device_name_lookup_over_federation: false
699
700
701## Caching ##
702
703# Caching can be configured through the following options.
704#
705# A cache 'factor' is a multiplier that can be applied to each of
706# Synapse's caches in order to increase or decrease the maximum
707# number of entries that can be stored.
708
709# The number of events to cache in memory. Not affected by
710# caches.global_factor.
711#
712#event_cache_size: 10K
713
714caches:
715 # Controls the global cache factor, which is the default cache factor
716 # for all caches if a specific factor for that cache is not otherwise
717 # set.
718 #
719 # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment
720 # variable. Setting by environment variable takes priority over
721 # setting through the config file.
722 #
723 # Defaults to 0.5, which will half the size of all caches.
724 #
725 #global_factor: 1.0
726
727 # A dictionary of cache name to cache factor for that individual
728 # cache. Overrides the global cache factor for a given cache.
729 #
730 # These can also be set through environment variables comprised
731 # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital
732 # letters and underscores. Setting by environment variable
733 # takes priority over setting through the config file.
734 # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0
735 #
736 # Some caches have '*' and other characters that are not
737 # alphanumeric or underscores. These caches can be named with or
738 # without the special characters stripped. For example, to specify
739 # the cache factor for `*stateGroupCache*` via an environment
740 # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`.
741 #
742 per_cache_factors:
743 #get_users_who_share_room_with_user: 2.0
744
745
746## Database ##
747
748# The 'database' setting defines the database that synapse uses to store all of
749# its data.
750#
751# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
752# 'psycopg2' (for PostgreSQL).
753#
754# 'args' gives options which are passed through to the database engine,
755# except for options starting 'cp_', which are used to configure the Twisted
756# connection pool. For a reference to valid arguments, see:
757# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
758# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
759# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
760#
761#
762# Example SQLite configuration:
763#
764#database:
765# name: sqlite3
766# args:
767# database: /path/to/homeserver.db
768#
769#
770# Example Postgres configuration:
771#
772#database:
773# name: psycopg2
774# args:
775# user: synapse_user
776# password: secretpassword
777# database: synapse
778# host: localhost
779# port: 5432
780# cp_min: 5
781# cp_max: 10
782#
783# For more information on using Synapse with Postgres, see `docs/postgres.md`.
784#
785database:
786 name: sqlite3
787 args:
788 database: /var/lib/matrix-synapse/homeserver.db
789
790
791## Logging ##
792
793# A yaml python logging config file as described by
794# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
795#
796log_config: "/etc/matrix-synapse/log.yaml"
797
798
799## Ratelimiting ##
800
801# Ratelimiting settings for client actions (registration, login, messaging).
802#
803# Each ratelimiting configuration is made of two parameters:
804# - per_second: number of requests a client can send per second.
805# - burst_count: number of requests a client can send before being throttled.
806#
807# Synapse currently uses the following configurations:
808# - one for messages that ratelimits sending based on the account the client
809# is using
810# - one for registration that ratelimits registration requests based on the
811# client's IP address.
812# - one for login that ratelimits login requests based on the client's IP
813# address.
814# - one for login that ratelimits login requests based on the account the
815# client is attempting to log into.
816# - one for login that ratelimits login requests based on the account the
817# client is attempting to log into, based on the amount of failed login
818# attempts for this account.
819# - one for ratelimiting redactions by room admins. If this is not explicitly
820# set then it uses the same ratelimiting as per rc_message. This is useful
821# to allow room admins to deal with abuse quickly.
822# - two for ratelimiting number of rooms a user can join, "local" for when
823# users are joining rooms the server is already in (this is cheap) vs
824# "remote" for when users are trying to join rooms not on the server (which
825# can be more expensive)
826# - one for ratelimiting how often a user or IP can attempt to validate a 3PID.
827# - two for ratelimiting how often invites can be sent in a room or to a
828# specific user.
829#
830# The defaults are as shown below.
831#
832#rc_message:
833# per_second: 0.2
834# burst_count: 10
835#
836#rc_registration:
837# per_second: 0.17
838# burst_count: 3
839#
840#rc_login:
841# address:
842# per_second: 0.17
843# burst_count: 3
844# account:
845# per_second: 0.17
846# burst_count: 3
847# failed_attempts:
848# per_second: 0.17
849# burst_count: 3
850#
851#rc_admin_redaction:
852# per_second: 1
853# burst_count: 50
854#
855#rc_joins:
856# local:
857# per_second: 0.1
858# burst_count: 10
859# remote:
860# per_second: 0.01
861# burst_count: 10
862#
863#rc_3pid_validation:
864# per_second: 0.003
865# burst_count: 5
866#
867#rc_invites:
868# per_room:
869# per_second: 0.3
870# burst_count: 10
871# per_user:
872# per_second: 0.003
873# burst_count: 5
874
875# Ratelimiting settings for incoming federation
876#
877# The rc_federation configuration is made up of the following settings:
878# - window_size: window size in milliseconds
879# - sleep_limit: number of federation requests from a single server in
880# a window before the server will delay processing the request.
881# - sleep_delay: duration in milliseconds to delay processing events
882# from remote servers by if they go over the sleep limit.
883# - reject_limit: maximum number of concurrent federation requests
884# allowed from a single server
885# - concurrent: number of federation requests to concurrently process
886# from a single server
887#
888# The defaults are as shown below.
889#
890#rc_federation:
891# window_size: 1000
892# sleep_limit: 10
893# sleep_delay: 500
894# reject_limit: 50
895# concurrent: 3
896
897# Target outgoing federation transaction frequency for sending read-receipts,
898# per-room.
899#
900# If we end up trying to send out more read-receipts, they will get buffered up
901# into fewer transactions.
902#
903#federation_rr_transactions_per_room_per_second: 50
904
905
906
907## Media Store ##
908
909# Enable the media store service in the Synapse master. Uncomment the
910# following if you are using a separate media store worker.
911#
912#enable_media_repo: false
913
914# Directory where uploaded images and attachments are stored.
915#
916media_store_path: "/var/lib/matrix-synapse/media"
917
918# Media storage providers allow media to be stored in different
919# locations.
920#
921#media_storage_providers:
922# - module: file_system
923# # Whether to store newly uploaded local files
924# store_local: false
925# # Whether to store newly downloaded remote files
926# store_remote: false
927# # Whether to wait for successful storage for local uploads
928# store_synchronous: false
929# config:
930# directory: /mnt/some/other/directory
931
932# The largest allowed upload size in bytes
933#
934#max_upload_size: 50M
935
936# Maximum number of pixels that will be thumbnailed
937#
938#max_image_pixels: 32M
939
940# Whether to generate new thumbnails on the fly to precisely match
941# the resolution requested by the client. If true then whenever
942# a new resolution is requested by the client the server will
943# generate a new thumbnail. If false the server will pick a thumbnail
944# from a precalculated list.
945#
946#dynamic_thumbnails: false
947
948# List of thumbnails to precalculate when an image is uploaded.
949#
950#thumbnail_sizes:
951# - width: 32
952# height: 32
953# method: crop
954# - width: 96
955# height: 96
956# method: crop
957# - width: 320
958# height: 240
959# method: scale
960# - width: 640
961# height: 480
962# method: scale
963# - width: 800
964# height: 600
965# method: scale
966
967# Is the preview URL API enabled?
968#
969# 'false' by default: uncomment the following to enable it (and specify a
970# url_preview_ip_range_blacklist blacklist).
971#
972#url_preview_enabled: true
973
974# List of IP address CIDR ranges that the URL preview spider is denied
975# from accessing. There are no defaults: you must explicitly
976# specify a list for URL previewing to work. You should specify any
977# internal services in your network that you do not want synapse to try
978# to connect to, otherwise anyone in any Matrix room could cause your
979# synapse to issue arbitrary GET requests to your internal services,
980# causing serious security issues.
981#
982# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
983# listed here, since they correspond to unroutable addresses.)
984#
985# This must be specified if url_preview_enabled is set. It is recommended that
986# you uncomment the following list as a starting point.
987#
988#url_preview_ip_range_blacklist:
989# - '127.0.0.0/8'
990# - '10.0.0.0/8'
991# - '172.16.0.0/12'
992# - '192.168.0.0/16'
993# - '100.64.0.0/10'
994# - '192.0.0.0/24'
995# - '169.254.0.0/16'
996# - '192.88.99.0/24'
997# - '198.18.0.0/15'
998# - '192.0.2.0/24'
999# - '198.51.100.0/24'
1000# - '203.0.113.0/24'
1001# - '224.0.0.0/4'
1002# - '::1/128'
1003# - 'fe80::/10'
1004# - 'fc00::/7'
1005# - '2001:db8::/32'
1006# - 'ff00::/8'
1007# - 'fec0::/10'
1008
1009# List of IP address CIDR ranges that the URL preview spider is allowed
1010# to access even if they are specified in url_preview_ip_range_blacklist.
1011# This is useful for specifying exceptions to wide-ranging blacklisted
1012# target IP ranges - e.g. for enabling URL previews for a specific private
1013# website only visible in your network.
1014#
1015#url_preview_ip_range_whitelist:
1016# - '192.168.1.1'
1017
1018# Optional list of URL matches that the URL preview spider is
1019# denied from accessing. You should use url_preview_ip_range_blacklist
1020# in preference to this, otherwise someone could define a public DNS
1021# entry that points to a private IP address and circumvent the blacklist.
1022# This is more useful if you know there is an entire shape of URL that
1023# you know that will never want synapse to try to spider.
1024#
1025# Each list entry is a dictionary of url component attributes as returned
1026# by urlparse.urlsplit as applied to the absolute form of the URL. See
1027# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
1028# The values of the dictionary are treated as an filename match pattern
1029# applied to that component of URLs, unless they start with a ^ in which
1030# case they are treated as a regular expression match. If all the
1031# specified component matches for a given list item succeed, the URL is
1032# blacklisted.
1033#
1034#url_preview_url_blacklist:
1035# # blacklist any URL with a username in its URI
1036# - username: '*'
1037#
1038# # blacklist all *.google.com URLs
1039# - netloc: 'google.com'
1040# - netloc: '*.google.com'
1041#
1042# # blacklist all plain HTTP URLs
1043# - scheme: 'http'
1044#
1045# # blacklist http(s)://www.acme.com/foo
1046# - netloc: 'www.acme.com'
1047# path: '/foo'
1048#
1049# # blacklist any URL with a literal IPv4 address
1050# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
1051
1052# The largest allowed URL preview spidering size in bytes
1053#
1054#max_spider_size: 10M
1055
1056# A list of values for the Accept-Language HTTP header used when
1057# downloading webpages during URL preview generation. This allows
1058# Synapse to specify the preferred languages that URL previews should
1059# be in when communicating with remote servers.
1060#
1061# Each value is a IETF language tag; a 2-3 letter identifier for a
1062# language, optionally followed by subtags separated by '-', specifying
1063# a country or region variant.
1064#
1065# Multiple values can be provided, and a weight can be added to each by
1066# using quality value syntax (;q=). '*' translates to any language.
1067#
1068# Defaults to "en".
1069#
1070# Example:
1071#
1072# url_preview_accept_language:
1073# - en-UK
1074# - en-US;q=0.9
1075# - fr;q=0.8
1076# - *;q=0.7
1077#
1078url_preview_accept_language:
1079# - en
1080
1081
1082## Captcha ##
1083# See docs/CAPTCHA_SETUP.md for full details of configuring this.
1084
1085# This homeserver's ReCAPTCHA public key. Must be specified if
1086# enable_registration_captcha is enabled.
1087#
1088#recaptcha_public_key: "YOUR_PUBLIC_KEY"
1089
1090# This homeserver's ReCAPTCHA private key. Must be specified if
1091# enable_registration_captcha is enabled.
1092#
1093#recaptcha_private_key: "YOUR_PRIVATE_KEY"
1094
1095# Uncomment to enable ReCaptcha checks when registering, preventing signup
1096# unless a captcha is answered. Requires a valid ReCaptcha
1097# public/private key. Defaults to 'false'.
1098#
1099#enable_registration_captcha: true
1100
1101# The API endpoint to use for verifying m.login.recaptcha responses.
1102# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify".
1103#
1104#recaptcha_siteverify_api: "https://my.recaptcha.site"
1105
1106
1107## TURN ##
1108
1109# The public URIs of the TURN server to give to clients
1110#
1111#turn_uris: []
1112
1113# The shared secret used to compute passwords for the TURN server
1114#
1115#turn_shared_secret: "YOUR_SHARED_SECRET"
1116
1117# The Username and password if the TURN server needs them and
1118# does not use a token
1119#
1120#turn_username: "TURNSERVER_USERNAME"
1121#turn_password: "TURNSERVER_PASSWORD"
1122
1123# How long generated TURN credentials last
1124#
1125#turn_user_lifetime: 1h
1126
1127# Whether guests should be allowed to use the TURN server.
1128# This defaults to True, otherwise VoIP will be unreliable for guests.
1129# However, it does introduce a slight security risk as it allows users to
1130# connect to arbitrary endpoints without having first signed up for a
1131# valid account (e.g. by passing a CAPTCHA).
1132#
1133#turn_allow_guests: true
1134
1135
1136## Registration ##
1137#
1138# Registration can be rate-limited using the parameters in the "Ratelimiting"
1139# section of this file.
1140
1141# Enable registration for new users.
1142#
1143enable_registration: true
1144
1145# Time that a user's session remains valid for, after they log in.
1146#
1147# Note that this is not currently compatible with guest logins.
1148#
1149# Note also that this is calculated at login time: changes are not applied
1150# retrospectively to users who have already logged in.
1151#
1152# By default, this is infinite.
1153#
1154#session_lifetime: 24h
1155
1156# The user must provide all of the below types of 3PID when registering.
1157#
1158#registrations_require_3pid:
1159# - email
1160# - msisdn
1161
1162# Explicitly disable asking for MSISDNs from the registration
1163# flow (overrides registrations_require_3pid if MSISDNs are set as required)
1164#
1165#disable_msisdn_registration: true
1166
1167# Mandate that users are only allowed to associate certain formats of
1168# 3PIDs with accounts on this server.
1169#
1170#allowed_local_3pids:
1171# - medium: email
1172# pattern: '^[^@]+@matrix\.org$'
1173# - medium: email
1174# pattern: '^[^@]+@vector\.im$'
1175# - medium: msisdn
1176# pattern: '\+44'
1177
1178# Enable 3PIDs lookup requests to identity servers from this server.
1179#
1180#enable_3pid_lookup: true
1181
1182# If set, allows registration of standard or admin accounts by anyone who
1183# has the shared secret, even if registration is otherwise disabled.
1184#
1185#registration_shared_secret: <PRIVATE STRING>
1186
1187# Set the number of bcrypt rounds used to generate password hash.
1188# Larger numbers increase the work factor needed to generate the hash.
1189# The default number is 12 (which equates to 2^12 rounds).
1190# N.B. that increasing this will exponentially increase the time required
1191# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
1192#
1193#bcrypt_rounds: 12
1194
1195# Allows users to register as guests without a password/email/etc, and
1196# participate in rooms hosted on this server which have been made
1197# accessible to anonymous users.
1198#
1199#allow_guest_access: false
1200
1201# The identity server which we suggest that clients should use when users log
1202# in on this server.
1203#
1204# (By default, no suggestion is made, so it is left up to the client.
1205# This setting is ignored unless public_baseurl is also set.)
1206#
1207#default_identity_server: https://matrix.org
1208
1209# Handle threepid (email/phone etc) registration and password resets through a set of
1210# *trusted* identity servers. Note that this allows the configured identity server to
1211# reset passwords for accounts!
1212#
1213# Be aware that if `email` is not set, and SMTP options have not been
1214# configured in the email config block, registration and user password resets via
1215# email will be globally disabled.
1216#
1217# Additionally, if `msisdn` is not set, registration and password resets via msisdn
1218# will be disabled regardless, and users will not be able to associate an msisdn
1219# identifier to their account. This is due to Synapse currently not supporting
1220# any method of sending SMS messages on its own.
1221#
1222# To enable using an identity server for operations regarding a particular third-party
1223# identifier type, set the value to the URL of that identity server as shown in the
1224# examples below.
1225#
1226# Servers handling the these requests must answer the `/requestToken` endpoints defined
1227# by the Matrix Identity Service API specification:
1228# https://matrix.org/docs/spec/identity_service/latest
1229#
1230# If a delegate is specified, the config option public_baseurl must also be filled out.
1231#
1232account_threepid_delegates:
1233 #email: https://example.com # Delegate email sending to example.com
1234 #msisdn: http://localhost:8090 # Delegate SMS sending to this local process
1235
1236# Whether users are allowed to change their displayname after it has
1237# been initially set. Useful when provisioning users based on the
1238# contents of a third-party directory.
1239#
1240# Does not apply to server administrators. Defaults to 'true'
1241#
1242#enable_set_displayname: false
1243
1244# Whether users are allowed to change their avatar after it has been
1245# initially set. Useful when provisioning users based on the contents
1246# of a third-party directory.
1247#
1248# Does not apply to server administrators. Defaults to 'true'
1249#
1250#enable_set_avatar_url: false
1251
1252# Whether users can change the 3PIDs associated with their accounts
1253# (email address and msisdn).
1254#
1255# Defaults to 'true'
1256#
1257#enable_3pid_changes: false
1258
1259# Users who register on this homeserver will automatically be joined
1260# to these rooms.
1261#
1262# By default, any room aliases included in this list will be created
1263# as a publicly joinable room when the first user registers for the
1264# homeserver. This behaviour can be customised with the settings below.
1265# If the room already exists, make certain it is a publicly joinable
1266# room. The join rule of the room must be set to 'public'.
1267#
1268#auto_join_rooms:
1269# - "#example:example.com"
1270
1271# Where auto_join_rooms are specified, setting this flag ensures that the
1272# the rooms exist by creating them when the first user on the
1273# homeserver registers.
1274#
1275# By default the auto-created rooms are publicly joinable from any federated
1276# server. Use the autocreate_auto_join_rooms_federated and
1277# autocreate_auto_join_room_preset settings below to customise this behaviour.
1278#
1279# Setting to false means that if the rooms are not manually created,
1280# users cannot be auto-joined since they do not exist.
1281#
1282# Defaults to true. Uncomment the following line to disable automatically
1283# creating auto-join rooms.
1284#
1285#autocreate_auto_join_rooms: false
1286
1287# Whether the auto_join_rooms that are auto-created are available via
1288# federation. Only has an effect if autocreate_auto_join_rooms is true.
1289#
1290# Note that whether a room is federated cannot be modified after
1291# creation.
1292#
1293# Defaults to true: the room will be joinable from other servers.
1294# Uncomment the following to prevent users from other homeservers from
1295# joining these rooms.
1296#
1297#autocreate_auto_join_rooms_federated: false
1298
1299# The room preset to use when auto-creating one of auto_join_rooms. Only has an
1300# effect if autocreate_auto_join_rooms is true.
1301#
1302# This can be one of "public_chat", "private_chat", or "trusted_private_chat".
1303# If a value of "private_chat" or "trusted_private_chat" is used then
1304# auto_join_mxid_localpart must also be configured.
1305#
1306# Defaults to "public_chat", meaning that the room is joinable by anyone, including
1307# federated servers if autocreate_auto_join_rooms_federated is true (the default).
1308# Uncomment the following to require an invitation to join these rooms.
1309#
1310#autocreate_auto_join_room_preset: private_chat
1311
1312# The local part of the user id which is used to create auto_join_rooms if
1313# autocreate_auto_join_rooms is true. If this is not provided then the
1314# initial user account that registers will be used to create the rooms.
1315#
1316# The user id is also used to invite new users to any auto-join rooms which
1317# are set to invite-only.
1318#
1319# It *must* be configured if autocreate_auto_join_room_preset is set to
1320# "private_chat" or "trusted_private_chat".
1321#
1322# Note that this must be specified in order for new users to be correctly
1323# invited to any auto-join rooms which have been set to invite-only (either
1324# at the time of creation or subsequently).
1325#
1326# Note that, if the room already exists, this user must be joined and
1327# have the appropriate permissions to invite new members.
1328#
1329#auto_join_mxid_localpart: system
1330
1331# When auto_join_rooms is specified, setting this flag to false prevents
1332# guest accounts from being automatically joined to the rooms.
1333#
1334# Defaults to true.
1335#
1336#auto_join_rooms_for_guests: false
1337
1338
1339## Account Validity ##
1340
1341# Optional account validity configuration. This allows for accounts to be denied
1342# any request after a given period.
1343#
1344# Once this feature is enabled, Synapse will look for registered users without an
1345# expiration date at startup and will add one to every account it found using the
1346# current settings at that time.
1347# This means that, if a validity period is set, and Synapse is restarted (it will
1348# then derive an expiration date from the current validity period), and some time
1349# after that the validity period changes and Synapse is restarted, the users'
1350# expiration dates won't be updated unless their account is manually renewed. This
1351# date will be randomly selected within a range [now + period - d ; now + period],
1352# where d is equal to 10% of the validity period.
1353#
1354account_validity:
1355 # The account validity feature is disabled by default. Uncomment the
1356 # following line to enable it.
1357 #
1358 #enabled: true
1359
1360 # The period after which an account is valid after its registration. When
1361 # renewing the account, its validity period will be extended by this amount
1362 # of time. This parameter is required when using the account validity
1363 # feature.
1364 #
1365 #period: 6w
1366
1367 # The amount of time before an account's expiry date at which Synapse will
1368 # send an email to the account's email address with a renewal link. By
1369 # default, no such emails are sent.
1370 #
1371 # If you enable this setting, you will also need to fill out the 'email' and
1372 # 'public_baseurl' configuration sections.
1373 #
1374 #renew_at: 1w
1375
1376 # The subject of the email sent out with the renewal link. '%(app)s' can be
1377 # used as a placeholder for the 'app_name' parameter from the 'email'
1378 # section.
1379 #
1380 # Note that the placeholder must be written '%(app)s', including the
1381 # trailing 's'.
1382 #
1383 # If this is not set, a default value is used.
1384 #
1385 #renew_email_subject: "Renew your %(app)s account"
1386
1387 # Directory in which Synapse will try to find templates for the HTML files to
1388 # serve to the user when trying to renew an account. If not set, default
1389 # templates from within the Synapse package will be used.
1390 #
1391 # The currently available templates are:
1392 #
1393 # * account_renewed.html: Displayed to the user after they have successfully
1394 # renewed their account.
1395 #
1396 # * account_previously_renewed.html: Displayed to the user if they attempt to
1397 # renew their account with a token that is valid, but that has already
1398 # been used. In this case the account is not renewed again.
1399 #
1400 # * invalid_token.html: Displayed to the user when they try to renew an account
1401 # with an unknown or invalid renewal token.
1402 #
1403 # See https://github.com/matrix-org/synapse/tree/master/synapse/res/templates for
1404 # default template contents.
1405 #
1406 # The file name of some of these templates can be configured below for legacy
1407 # reasons.
1408 #
1409 #template_dir: "res/templates"
1410
1411 # A custom file name for the 'account_renewed.html' template.
1412 #
1413 # If not set, the file is assumed to be named "account_renewed.html".
1414 #
1415 #account_renewed_html_path: "account_renewed.html"
1416
1417 # A custom file name for the 'invalid_token.html' template.
1418 #
1419 # If not set, the file is assumed to be named "invalid_token.html".
1420 #
1421 #invalid_token_html_path: "invalid_token.html"
1422
1423
1424## Metrics ###
1425
1426# Enable collection and rendering of performance metrics
1427#
1428#enable_metrics: false
1429
1430# Enable sentry integration
1431# NOTE: While attempts are made to ensure that the logs don't contain
1432# any sensitive information, this cannot be guaranteed. By enabling
1433# this option the sentry server may therefore receive sensitive
1434# information, and it in turn may then diseminate sensitive information
1435# through insecure notification channels if so configured.
1436#
1437#sentry:
1438# dsn: "..."
1439
1440# Flags to enable Prometheus metrics which are not suitable to be
1441# enabled by default, either for performance reasons or limited use.
1442#
1443metrics_flags:
1444 # Publish synapse_federation_known_servers, a gauge of the number of
1445 # servers this homeserver knows about, including itself. May cause
1446 # performance problems on large homeservers.
1447 #
1448 #known_servers: true
1449
1450# Whether or not to report anonymized homeserver usage statistics.
1451#
1452#report_stats: true|false
1453
1454# The endpoint to report the anonymized homeserver usage statistics to.
1455# Defaults to https://matrix.org/report-usage-stats/push
1456#
1457#report_stats_endpoint: https://example.com/report-usage-stats/push
1458
1459
1460## API Configuration ##
1461
1462# Controls for the state that is shared with users who receive an invite
1463# to a room
1464#
1465room_prejoin_state:
1466 # By default, the following state event types are shared with users who
1467 # receive invites to the room:
1468 #
1469 # - m.room.join_rules
1470 # - m.room.canonical_alias
1471 # - m.room.avatar
1472 # - m.room.encryption
1473 # - m.room.name
1474 # - m.room.create
1475 #
1476 # Uncomment the following to disable these defaults (so that only the event
1477 # types listed in 'additional_event_types' are shared). Defaults to 'false'.
1478 #
1479 #disable_default_event_types: true
1480
1481 # Additional state event types to share with users when they are invited
1482 # to a room.
1483 #
1484 # By default, this list is empty (so only the default event types are shared).
1485 #
1486 #additional_event_types:
1487 # - org.example.custom.event.type
1488
1489
1490# A list of application service config files to use
1491#
1492#app_service_config_files:
1493# - app_service_1.yaml
1494# - app_service_2.yaml
1495
1496# Uncomment to enable tracking of application service IP addresses. Implicitly
1497# enables MAU tracking for application service users.
1498#
1499#track_appservice_user_ips: true
1500
1501
1502# a secret which is used to sign access tokens. If none is specified,
1503# the registration_shared_secret is used, if one is given; otherwise,
1504# a secret key is derived from the signing key.
1505#
1506#macaroon_secret_key: <PRIVATE STRING>
1507
1508# a secret which is used to calculate HMACs for form values, to stop
1509# falsification of values. Must be specified for the User Consent
1510# forms to work.
1511#
1512#form_secret: <PRIVATE STRING>
1513
1514## Signing Keys ##
1515
1516# Path to the signing key to sign messages with
1517#
1518signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
1519
1520# The keys that the server used to sign messages with but won't use
1521# to sign new messages.
1522#
1523old_signing_keys:
1524 # For each key, `key` should be the base64-encoded public key, and
1525 # `expired_ts`should be the time (in milliseconds since the unix epoch) that
1526 # it was last used.
1527 #
1528 # It is possible to build an entry from an old signing.key file using the
1529 # `export_signing_key` script which is provided with synapse.
1530 #
1531 # For example:
1532 #
1533 #"ed25519:id": { key: "base64string", expired_ts: 123456789123 }
1534
1535# How long key response published by this server is valid for.
1536# Used to set the valid_until_ts in /key/v2 APIs.
1537# Determines how quickly servers will query to check which keys
1538# are still valid.
1539#
1540#key_refresh_interval: 1d
1541
1542# The trusted servers to download signing keys from.
1543#
1544# When we need to fetch a signing key, each server is tried in parallel.
1545#
1546# Normally, the connection to the key server is validated via TLS certificates.
1547# Additional security can be provided by configuring a `verify key`, which
1548# will make synapse check that the response is signed by that key.
1549#
1550# This setting supercedes an older setting named `perspectives`. The old format
1551# is still supported for backwards-compatibility, but it is deprecated.
1552#
1553# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
1554# warning on start-up. To suppress this warning, set
1555# 'suppress_key_server_warning' to true.
1556#
1557# Options for each entry in the list include:
1558#
1559# server_name: the name of the server. required.
1560#
1561# verify_keys: an optional map from key id to base64-encoded public key.
1562# If specified, we will check that the response is signed by at least
1563# one of the given keys.
1564#
1565# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
1566# and federation_verify_certificates is not `true`, synapse will refuse
1567# to start, because this would allow anyone who can spoof DNS responses
1568# to masquerade as the trusted key server. If you know what you are doing
1569# and are sure that your network environment provides a secure connection
1570# to the key server, you can set this to `true` to override this
1571# behaviour.
1572#
1573# An example configuration might look like:
1574#
1575#trusted_key_servers:
1576# - server_name: "my_trusted_server.example.com"
1577# verify_keys:
1578# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
1579# - server_name: "my_other_trusted_server.example.com"
1580#
1581trusted_key_servers:
1582 - server_name: "matrix.org"
1583
1584# Uncomment the following to disable the warning that is emitted when the
1585# trusted_key_servers include 'matrix.org'. See above.
1586#
1587#suppress_key_server_warning: true
1588
1589# The signing keys to use when acting as a trusted key server. If not specified
1590# defaults to the server signing key.
1591#
1592# Can contain multiple keys, one per line.
1593#
1594#key_server_signing_keys_path: "key_server_signing_keys.key"
1595
1596
1597## Single sign-on integration ##
1598
1599# The following settings can be used to make Synapse use a single sign-on
1600# provider for authentication, instead of its internal password database.
1601#
1602# You will probably also want to set the following options to `false` to
1603# disable the regular login/registration flows:
1604# * enable_registration
1605# * password_config.enabled
1606#
1607# You will also want to investigate the settings under the "sso" configuration
1608# section below.
1609
1610# Enable SAML2 for registration and login. Uses pysaml2.
1611#
1612# At least one of `sp_config` or `config_path` must be set in this section to
1613# enable SAML login.
1614#
1615# Once SAML support is enabled, a metadata file will be exposed at
1616# https://<server>:<port>/_synapse/client/saml2/metadata.xml, which you may be able to
1617# use to configure your SAML IdP with. Alternatively, you can manually configure
1618# the IdP to use an ACS location of
1619# https://<server>:<port>/_synapse/client/saml2/authn_response.
1620#
1621saml2_config:
1622 # `sp_config` is the configuration for the pysaml2 Service Provider.
1623 # See pysaml2 docs for format of config.
1624 #
1625 # Default values will be used for the 'entityid' and 'service' settings,
1626 # so it is not normally necessary to specify them unless you need to
1627 # override them.
1628 #
1629 sp_config:
1630 # Point this to the IdP's metadata. You must provide either a local
1631 # file via the `local` attribute or (preferably) a URL via the
1632 # `remote` attribute.
1633 #
1634 #metadata:
1635 # local: ["saml2/idp.xml"]
1636 # remote:
1637 # - url: https://our_idp/metadata.xml
1638
1639 # Allowed clock difference in seconds between the homeserver and IdP.
1640 #
1641 # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
1642 #
1643 #accepted_time_diff: 3
1644
1645 # By default, the user has to go to our login page first. If you'd like
1646 # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
1647 # 'service.sp' section:
1648 #
1649 #service:
1650 # sp:
1651 # allow_unsolicited: true
1652
1653 # The examples below are just used to generate our metadata xml, and you
1654 # may well not need them, depending on your setup. Alternatively you
1655 # may need a whole lot more detail - see the pysaml2 docs!
1656
1657 #description: ["My awesome SP", "en"]
1658 #name: ["Test SP", "en"]
1659
1660 #ui_info:
1661 # display_name:
1662 # - lang: en
1663 # text: "Display Name is the descriptive name of your service."
1664 # description:
1665 # - lang: en
1666 # text: "Description should be a short paragraph explaining the purpose of the service."
1667 # information_url:
1668 # - lang: en
1669 # text: "https://example.com/terms-of-service"
1670 # privacy_statement_url:
1671 # - lang: en
1672 # text: "https://example.com/privacy-policy"
1673 # keywords:
1674 # - lang: en
1675 # text: ["Matrix", "Element"]
1676 # logo:
1677 # - lang: en
1678 # text: "https://example.com/logo.svg"
1679 # width: "200"
1680 # height: "80"
1681
1682 #organization:
1683 # name: Example com
1684 # display_name:
1685 # - ["Example co", "en"]
1686 # url: "http://example.com"
1687
1688 #contact_person:
1689 # - given_name: Bob
1690 # sur_name: "the Sysadmin"
1691 # email_address": ["admin@example.com"]
1692 # contact_type": technical
1693
1694 # Instead of putting the config inline as above, you can specify a
1695 # separate pysaml2 configuration file:
1696 #
1697 #config_path: "/etc/matrix-synapse/sp_conf.py"
1698
1699 # The lifetime of a SAML session. This defines how long a user has to
1700 # complete the authentication process, if allow_unsolicited is unset.
1701 # The default is 15 minutes.
1702 #
1703 #saml_session_lifetime: 5m
1704
1705 # An external module can be provided here as a custom solution to
1706 # mapping attributes returned from a saml provider onto a matrix user.
1707 #
1708 user_mapping_provider:
1709 # The custom module's class. Uncomment to use a custom module.
1710 #
1711 #module: mapping_provider.SamlMappingProvider
1712
1713 # Custom configuration values for the module. Below options are
1714 # intended for the built-in provider, they should be changed if
1715 # using a custom module. This section will be passed as a Python
1716 # dictionary to the module's `parse_config` method.
1717 #
1718 config:
1719 # The SAML attribute (after mapping via the attribute maps) to use
1720 # to derive the Matrix ID from. 'uid' by default.
1721 #
1722 # Note: This used to be configured by the
1723 # saml2_config.mxid_source_attribute option. If that is still
1724 # defined, its value will be used instead.
1725 #
1726 #mxid_source_attribute: displayName
1727
1728 # The mapping system to use for mapping the saml attribute onto a
1729 # matrix ID.
1730 #
1731 # Options include:
1732 # * 'hexencode' (which maps unpermitted characters to '=xx')
1733 # * 'dotreplace' (which replaces unpermitted characters with
1734 # '.').
1735 # The default is 'hexencode'.
1736 #
1737 # Note: This used to be configured by the
1738 # saml2_config.mxid_mapping option. If that is still defined, its
1739 # value will be used instead.
1740 #
1741 #mxid_mapping: dotreplace
1742
1743 # In previous versions of synapse, the mapping from SAML attribute to
1744 # MXID was always calculated dynamically rather than stored in a
1745 # table. For backwards- compatibility, we will look for user_ids
1746 # matching such a pattern before creating a new account.
1747 #
1748 # This setting controls the SAML attribute which will be used for this
1749 # backwards-compatibility lookup. Typically it should be 'uid', but if
1750 # the attribute maps are changed, it may be necessary to change it.
1751 #
1752 # The default is 'uid'.
1753 #
1754 #grandfathered_mxid_source_attribute: upn
1755
1756 # It is possible to configure Synapse to only allow logins if SAML attributes
1757 # match particular values. The requirements can be listed under
1758 # `attribute_requirements` as shown below. All of the listed attributes must
1759 # match for the login to be permitted.
1760 #
1761 #attribute_requirements:
1762 # - attribute: userGroup
1763 # value: "staff"
1764 # - attribute: department
1765 # value: "sales"
1766
1767 # If the metadata XML contains multiple IdP entities then the `idp_entityid`
1768 # option must be set to the entity to redirect users to.
1769 #
1770 # Most deployments only have a single IdP entity and so should omit this
1771 # option.
1772 #
1773 #idp_entityid: 'https://our_idp/entityid'
1774
1775
1776# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
1777# and login.
1778#
1779# Options for each entry include:
1780#
1781# idp_id: a unique identifier for this identity provider. Used internally
1782# by Synapse; should be a single word such as 'github'.
1783#
1784# Note that, if this is changed, users authenticating via that provider
1785# will no longer be recognised as the same user!
1786#
1787# (Use "oidc" here if you are migrating from an old "oidc_config"
1788# configuration.)
1789#
1790# idp_name: A user-facing name for this identity provider, which is used to
1791# offer the user a choice of login mechanisms.
1792#
1793# idp_icon: An optional icon for this identity provider, which is presented
1794# by clients and Synapse's own IdP picker page. If given, must be an
1795# MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
1796# obtain such an MXC URI is to upload an image to an (unencrypted) room
1797# and then copy the "url" from the source of the event.)
1798#
1799# idp_brand: An optional brand for this identity provider, allowing clients
1800# to style the login flow according to the identity provider in question.
1801# See the spec for possible options here.
1802#
1803# discover: set to 'false' to disable the use of the OIDC discovery mechanism
1804# to discover endpoints. Defaults to true.
1805#
1806# issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
1807# is enabled) to discover the provider's endpoints.
1808#
1809# client_id: Required. oauth2 client id to use.
1810#
1811# client_secret: oauth2 client secret to use. May be omitted if
1812# client_secret_jwt_key is given, or if client_auth_method is 'none'.
1813#
1814# client_secret_jwt_key: Alternative to client_secret: details of a key used
1815# to create a JSON Web Token to be used as an OAuth2 client secret. If
1816# given, must be a dictionary with the following properties:
1817#
1818# key: a pem-encoded signing key. Must be a suitable key for the
1819# algorithm specified. Required unless 'key_file' is given.
1820#
1821# key_file: the path to file containing a pem-encoded signing key file.
1822# Required unless 'key' is given.
1823#
1824# jwt_header: a dictionary giving properties to include in the JWT
1825# header. Must include the key 'alg', giving the algorithm used to
1826# sign the JWT, such as "ES256", using the JWA identifiers in
1827# RFC7518.
1828#
1829# jwt_payload: an optional dictionary giving properties to include in
1830# the JWT payload. Normally this should include an 'iss' key.
1831#
1832# client_auth_method: auth method to use when exchanging the token. Valid
1833# values are 'client_secret_basic' (default), 'client_secret_post' and
1834# 'none'.
1835#
1836# scopes: list of scopes to request. This should normally include the "openid"
1837# scope. Defaults to ["openid"].
1838#
1839# authorization_endpoint: the oauth2 authorization endpoint. Required if
1840# provider discovery is disabled.
1841#
1842# token_endpoint: the oauth2 token endpoint. Required if provider discovery is
1843# disabled.
1844#
1845# userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
1846# disabled and the 'openid' scope is not requested.
1847#
1848# jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
1849# the 'openid' scope is used.
1850#
1851# skip_verification: set to 'true' to skip metadata verification. Use this if
1852# you are connecting to a provider that is not OpenID Connect compliant.
1853# Defaults to false. Avoid this in production.
1854#
1855# user_profile_method: Whether to fetch the user profile from the userinfo
1856# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
1857#
1858# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
1859# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
1860# userinfo endpoint.
1861#
1862# allow_existing_users: set to 'true' to allow a user logging in via OIDC to
1863# match a pre-existing account instead of failing. This could be used if
1864# switching from password logins to OIDC. Defaults to false.
1865#
1866# user_mapping_provider: Configuration for how attributes returned from a OIDC
1867# provider are mapped onto a matrix user. This setting has the following
1868# sub-properties:
1869#
1870# module: The class name of a custom mapping module. Default is
1871# 'synapse.handlers.oidc.JinjaOidcMappingProvider'.
1872# See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
1873# for information on implementing a custom mapping provider.
1874#
1875# config: Configuration for the mapping provider module. This section will
1876# be passed as a Python dictionary to the user mapping provider
1877# module's `parse_config` method.
1878#
1879# For the default provider, the following settings are available:
1880#
1881# subject_claim: name of the claim containing a unique identifier
1882# for the user. Defaults to 'sub', which OpenID Connect
1883# compliant providers should provide.
1884#
1885# localpart_template: Jinja2 template for the localpart of the MXID.
1886# If this is not set, the user will be prompted to choose their
1887# own username (see 'sso_auth_account_details.html' in the 'sso'
1888# section of this file).
1889#
1890# display_name_template: Jinja2 template for the display name to set
1891# on first login. If unset, no displayname will be set.
1892#
1893# email_template: Jinja2 template for the email address of the user.
1894# If unset, no email address will be added to the account.
1895#
1896# extra_attributes: a map of Jinja2 templates for extra attributes
1897# to send back to the client during login.
1898# Note that these are non-standard and clients will ignore them
1899# without modifications.
1900#
1901# When rendering, the Jinja2 templates are given a 'user' variable,
1902# which is set to the claims returned by the UserInfo Endpoint and/or
1903# in the ID Token.
1904#
1905# It is possible to configure Synapse to only allow logins if certain attributes
1906# match particular values in the OIDC userinfo. The requirements can be listed under
1907# `attribute_requirements` as shown below. All of the listed attributes must
1908# match for the login to be permitted. Additional attributes can be added to
1909# userinfo by expanding the `scopes` section of the OIDC config to retrieve
1910# additional information from the OIDC provider.
1911#
1912# If the OIDC claim is a list, then the attribute must match any value in the list.
1913# Otherwise, it must exactly match the value of the claim. Using the example
1914# below, the `family_name` claim MUST be "Stephensson", but the `groups`
1915# claim MUST contain "admin".
1916#
1917# attribute_requirements:
1918# - attribute: family_name
1919# value: "Stephensson"
1920# - attribute: groups
1921# value: "admin"
1922#
1923# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
1924# for information on how to configure these options.
1925#
1926# For backwards compatibility, it is also possible to configure a single OIDC
1927# provider via an 'oidc_config' setting. This is now deprecated and admins are
1928# advised to migrate to the 'oidc_providers' format. (When doing that migration,
1929# use 'oidc' for the idp_id to ensure that existing users continue to be
1930# recognised.)
1931#
1932oidc_providers:
1933 # Generic example
1934 #
1935 #- idp_id: my_idp
1936 # idp_name: "My OpenID provider"
1937 # idp_icon: "mxc://example.com/mediaid"
1938 # discover: false
1939 # issuer: "https://accounts.example.com/"
1940 # client_id: "provided-by-your-issuer"
1941 # client_secret: "provided-by-your-issuer"
1942 # client_auth_method: client_secret_post
1943 # scopes: ["openid", "profile"]
1944 # authorization_endpoint: "https://accounts.example.com/oauth2/auth"
1945 # token_endpoint: "https://accounts.example.com/oauth2/token"
1946 # userinfo_endpoint: "https://accounts.example.com/userinfo"
1947 # jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
1948 # skip_verification: true
1949 # user_mapping_provider:
1950 # config:
1951 # subject_claim: "id"
1952 # localpart_template: "{{ user.login }}"
1953 # display_name_template: "{{ user.name }}"
1954 # email_template: "{{ user.email }}"
1955 # attribute_requirements:
1956 # - attribute: userGroup
1957 # value: "synapseUsers"
1958
1959
1960# Enable Central Authentication Service (CAS) for registration and login.
1961#
1962cas_config:
1963 # Uncomment the following to enable authorization against a CAS server.
1964 # Defaults to false.
1965 #
1966 #enabled: true
1967
1968 # The URL of the CAS authorization endpoint.
1969 #
1970 #server_url: "https://cas-server.com"
1971
1972 # The attribute of the CAS response to use as the display name.
1973 #
1974 # If unset, no displayname will be set.
1975 #
1976 #displayname_attribute: name
1977
1978 # It is possible to configure Synapse to only allow logins if CAS attributes
1979 # match particular values. All of the keys in the mapping below must exist
1980 # and the values must match the given value. Alternately if the given value
1981 # is None then any value is allowed (the attribute just must exist).
1982 # All of the listed attributes must match for the login to be permitted.
1983 #
1984 #required_attributes:
1985 # userGroup: "staff"
1986 # department: None
1987
1988
1989# Additional settings to use with single-sign on systems such as OpenID Connect,
1990# SAML2 and CAS.
1991#
1992sso:
1993 # A list of client URLs which are whitelisted so that the user does not
1994 # have to confirm giving access to their account to the URL. Any client
1995 # whose URL starts with an entry in the following list will not be subject
1996 # to an additional confirmation step after the SSO login is completed.
1997 #
1998 # WARNING: An entry such as "https://my.client" is insecure, because it
1999 # will also match "https://my.client.evil.site", exposing your users to
2000 # phishing attacks from evil.site. To avoid this, include a slash after the
2001 # hostname: "https://my.client/".
2002 #
2003 # If public_baseurl is set, then the login fallback page (used by clients
2004 # that don't natively support the required login flows) is whitelisted in
2005 # addition to any URLs in this list.
2006 #
2007 # By default, this list is empty.
2008 #
2009 #client_whitelist:
2010 # - https://riot.im/develop
2011 # - https://my.custom.client/
2012
2013 # Directory in which Synapse will try to find the template files below.
2014 # If not set, or the files named below are not found within the template
2015 # directory, default templates from within the Synapse package will be used.
2016 #
2017 # Synapse will look for the following templates in this directory:
2018 #
2019 # * HTML page to prompt the user to choose an Identity Provider during
2020 # login: 'sso_login_idp_picker.html'.
2021 #
2022 # This is only used if multiple SSO Identity Providers are configured.
2023 #
2024 # When rendering, this template is given the following variables:
2025 # * redirect_url: the URL that the user will be redirected to after
2026 # login.
2027 #
2028 # * server_name: the homeserver's name.
2029 #
2030 # * providers: a list of available Identity Providers. Each element is
2031 # an object with the following attributes:
2032 #
2033 # * idp_id: unique identifier for the IdP
2034 # * idp_name: user-facing name for the IdP
2035 # * idp_icon: if specified in the IdP config, an MXC URI for an icon
2036 # for the IdP
2037 # * idp_brand: if specified in the IdP config, a textual identifier
2038 # for the brand of the IdP
2039 #
2040 # The rendered HTML page should contain a form which submits its results
2041 # back as a GET request, with the following query parameters:
2042 #
2043 # * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
2044 # to the template)
2045 #
2046 # * idp: the 'idp_id' of the chosen IDP.
2047 #
2048 # * HTML page to prompt new users to enter a userid and confirm other
2049 # details: 'sso_auth_account_details.html'. This is only shown if the
2050 # SSO implementation (with any user_mapping_provider) does not return
2051 # a localpart.
2052 #
2053 # When rendering, this template is given the following variables:
2054 #
2055 # * server_name: the homeserver's name.
2056 #
2057 # * idp: details of the SSO Identity Provider that the user logged in
2058 # with: an object with the following attributes:
2059 #
2060 # * idp_id: unique identifier for the IdP
2061 # * idp_name: user-facing name for the IdP
2062 # * idp_icon: if specified in the IdP config, an MXC URI for an icon
2063 # for the IdP
2064 # * idp_brand: if specified in the IdP config, a textual identifier
2065 # for the brand of the IdP
2066 #
2067 # * user_attributes: an object containing details about the user that
2068 # we received from the IdP. May have the following attributes:
2069 #
2070 # * display_name: the user's display_name
2071 # * emails: a list of email addresses
2072 #
2073 # The template should render a form which submits the following fields:
2074 #
2075 # * username: the localpart of the user's chosen user id
2076 #
2077 # * HTML page allowing the user to consent to the server's terms and
2078 # conditions. This is only shown for new users, and only if
2079 # `user_consent.require_at_registration` is set.
2080 #
2081 # When rendering, this template is given the following variables:
2082 #
2083 # * server_name: the homeserver's name.
2084 #
2085 # * user_id: the user's matrix proposed ID.
2086 #
2087 # * user_profile.display_name: the user's proposed display name, if any.
2088 #
2089 # * consent_version: the version of the terms that the user will be
2090 # shown
2091 #
2092 # * terms_url: a link to the page showing the terms.
2093 #
2094 # The template should render a form which submits the following fields:
2095 #
2096 # * accepted_version: the version of the terms accepted by the user
2097 # (ie, 'consent_version' from the input variables).
2098 #
2099 # * HTML page for a confirmation step before redirecting back to the client
2100 # with the login token: 'sso_redirect_confirm.html'.
2101 #
2102 # When rendering, this template is given the following variables:
2103 #
2104 # * redirect_url: the URL the user is about to be redirected to.
2105 #
2106 # * display_url: the same as `redirect_url`, but with the query
2107 # parameters stripped. The intention is to have a
2108 # human-readable URL to show to users, not to use it as
2109 # the final address to redirect to.
2110 #
2111 # * server_name: the homeserver's name.
2112 #
2113 # * new_user: a boolean indicating whether this is the user's first time
2114 # logging in.
2115 #
2116 # * user_id: the user's matrix ID.
2117 #
2118 # * user_profile.avatar_url: an MXC URI for the user's avatar, if any.
2119 # None if the user has not set an avatar.
2120 #
2121 # * user_profile.display_name: the user's display name. None if the user
2122 # has not set a display name.
2123 #
2124 # * HTML page which notifies the user that they are authenticating to confirm
2125 # an operation on their account during the user interactive authentication
2126 # process: 'sso_auth_confirm.html'.
2127 #
2128 # When rendering, this template is given the following variables:
2129 # * redirect_url: the URL the user is about to be redirected to.
2130 #
2131 # * description: the operation which the user is being asked to confirm
2132 #
2133 # * idp: details of the Identity Provider that we will use to confirm
2134 # the user's identity: an object with the following attributes:
2135 #
2136 # * idp_id: unique identifier for the IdP
2137 # * idp_name: user-facing name for the IdP
2138 # * idp_icon: if specified in the IdP config, an MXC URI for an icon
2139 # for the IdP
2140 # * idp_brand: if specified in the IdP config, a textual identifier
2141 # for the brand of the IdP
2142 #
2143 # * HTML page shown after a successful user interactive authentication session:
2144 # 'sso_auth_success.html'.
2145 #
2146 # Note that this page must include the JavaScript which notifies of a successful authentication
2147 # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback).
2148 #
2149 # This template has no additional variables.
2150 #
2151 # * HTML page shown after a user-interactive authentication session which
2152 # does not map correctly onto the expected user: 'sso_auth_bad_user.html'.
2153 #
2154 # When rendering, this template is given the following variables:
2155 # * server_name: the homeserver's name.
2156 # * user_id_to_verify: the MXID of the user that we are trying to
2157 # validate.
2158 #
2159 # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)
2160 # attempts to login: 'sso_account_deactivated.html'.
2161 #
2162 # This template has no additional variables.
2163 #
2164 # * HTML page to display to users if something goes wrong during the
2165 # OpenID Connect authentication process: 'sso_error.html'.
2166 #
2167 # When rendering, this template is given two variables:
2168 # * error: the technical name of the error
2169 # * error_description: a human-readable message for the error
2170 #
2171 # You can see the default templates at:
2172 # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
2173 #
2174 #template_dir: "res/templates"
2175
2176
2177# JSON web token integration. The following settings can be used to make
2178# Synapse JSON web tokens for authentication, instead of its internal
2179# password database.
2180#
2181# Each JSON Web Token needs to contain a "sub" (subject) claim, which is
2182# used as the localpart of the mxid.
2183#
2184# Additionally, the expiration time ("exp"), not before time ("nbf"),
2185# and issued at ("iat") claims are validated if present.
2186#
2187# Note that this is a non-standard login type and client support is
2188# expected to be non-existent.
2189#
2190# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md.
2191#
2192#jwt_config:
2193 # Uncomment the following to enable authorization using JSON web
2194 # tokens. Defaults to false.
2195 #
2196 #enabled: true
2197
2198 # This is either the private shared secret or the public key used to
2199 # decode the contents of the JSON web token.
2200 #
2201 # Required if 'enabled' is true.
2202 #
2203 #secret: "provided-by-your-issuer"
2204
2205 # The algorithm used to sign the JSON web token.
2206 #
2207 # Supported algorithms are listed at
2208 # https://pyjwt.readthedocs.io/en/latest/algorithms.html
2209 #
2210 # Required if 'enabled' is true.
2211 #
2212 #algorithm: "provided-by-your-issuer"
2213
2214 # The issuer to validate the "iss" claim against.
2215 #
2216 # Optional, if provided the "iss" claim will be required and
2217 # validated for all JSON web tokens.
2218 #
2219 #issuer: "provided-by-your-issuer"
2220
2221 # A list of audiences to validate the "aud" claim against.
2222 #
2223 # Optional, if provided the "aud" claim will be required and
2224 # validated for all JSON web tokens.
2225 #
2226 # Note that if the "aud" claim is included in a JSON web token then
2227 # validation will fail without configuring audiences.
2228 #
2229 #audiences:
2230 # - "provided-by-your-issuer"
2231
2232
2233password_config:
2234 # Uncomment to disable password login
2235 #
2236 #enabled: false
2237
2238 # Uncomment to disable authentication against the local password
2239 # database. This is ignored if `enabled` is false, and is only useful
2240 # if you have other password_providers.
2241 #
2242 #localdb_enabled: false
2243
2244 # Uncomment and change to a secret random string for extra security.
2245 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
2246 #
2247 #pepper: "EVEN_MORE_SECRET"
2248
2249 # Define and enforce a password policy. Each parameter is optional.
2250 # This is an implementation of MSC2000.
2251 #
2252 policy:
2253 # Whether to enforce the password policy.
2254 # Defaults to 'false'.
2255 #
2256 #enabled: true
2257
2258 # Minimum accepted length for a password.
2259 # Defaults to 0.
2260 #
2261 #minimum_length: 15
2262
2263 # Whether a password must contain at least one digit.
2264 # Defaults to 'false'.
2265 #
2266 #require_digit: true
2267
2268 # Whether a password must contain at least one symbol.
2269 # A symbol is any character that's not a number or a letter.
2270 # Defaults to 'false'.
2271 #
2272 #require_symbol: true
2273
2274 # Whether a password must contain at least one lowercase letter.
2275 # Defaults to 'false'.
2276 #
2277 #require_lowercase: true
2278
2279 # Whether a password must contain at least one lowercase letter.
2280 # Defaults to 'false'.
2281 #
2282 #require_uppercase: true
2283
2284ui_auth:
2285 # The amount of time to allow a user-interactive authentication session
2286 # to be active.
2287 #
2288 # This defaults to 0, meaning the user is queried for their credentials
2289 # before every action, but this can be overridden to allow a single
2290 # validation to be re-used. This weakens the protections afforded by
2291 # the user-interactive authentication process, by allowing for multiple
2292 # (and potentially different) operations to use the same validation session.
2293 #
2294 # Uncomment below to allow for credential validation to last for 15
2295 # seconds.
2296 #
2297 #session_timeout: "15s"
2298
2299
2300# Configuration for sending emails from Synapse.
2301#
2302email:
2303 # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
2304 #
2305 #smtp_host: mail.server
2306
2307 # The port on the mail server for outgoing SMTP. Defaults to 25.
2308 #
2309 #smtp_port: 587
2310
2311 # Username/password for authentication to the SMTP server. By default, no
2312 # authentication is attempted.
2313 #
2314 #smtp_user: "exampleusername"
2315 #smtp_pass: "examplepassword"
2316
2317 # Uncomment the following to require TLS transport security for SMTP.
2318 # By default, Synapse will connect over plain text, and will then switch to
2319 # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
2320 # Synapse will refuse to connect unless the server supports STARTTLS.
2321 #
2322 #require_transport_security: true
2323
2324 # notif_from defines the "From" address to use when sending emails.
2325 # It must be set if email sending is enabled.
2326 #
2327 # The placeholder '%(app)s' will be replaced by the application name,
2328 # which is normally 'app_name' (below), but may be overridden by the
2329 # Matrix client application.
2330 #
2331 # Note that the placeholder must be written '%(app)s', including the
2332 # trailing 's'.
2333 #
2334 #notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
2335
2336 # app_name defines the default value for '%(app)s' in notif_from and email
2337 # subjects. It defaults to 'Matrix'.
2338 #
2339 #app_name: my_branded_matrix_server
2340
2341 # Uncomment the following to enable sending emails for messages that the user
2342 # has missed. Disabled by default.
2343 #
2344 #enable_notifs: true
2345
2346 # Uncomment the following to disable automatic subscription to email
2347 # notifications for new users. Enabled by default.
2348 #
2349 #notif_for_new_users: false
2350
2351 # Custom URL for client links within the email notifications. By default
2352 # links will be based on "https://matrix.to".
2353 #
2354 # (This setting used to be called riot_base_url; the old name is still
2355 # supported for backwards-compatibility but is now deprecated.)
2356 #
2357 #client_base_url: "http://localhost/riot"
2358
2359 # Configure the time that a validation email will expire after sending.
2360 # Defaults to 1h.
2361 #
2362 #validation_token_lifetime: 15m
2363
2364 # The web client location to direct users to during an invite. This is passed
2365 # to the identity server as the org.matrix.web_client_location key. Defaults
2366 # to unset, giving no guidance to the identity server.
2367 #
2368 #invite_client_location: https://app.element.io
2369
2370 # Directory in which Synapse will try to find the template files below.
2371 # If not set, or the files named below are not found within the template
2372 # directory, default templates from within the Synapse package will be used.
2373 #
2374 # Synapse will look for the following templates in this directory:
2375 #
2376 # * The contents of email notifications of missed events: 'notif_mail.html' and
2377 # 'notif_mail.txt'.
2378 #
2379 # * The contents of account expiry notice emails: 'notice_expiry.html' and
2380 # 'notice_expiry.txt'.
2381 #
2382 # * The contents of password reset emails sent by the homeserver:
2383 # 'password_reset.html' and 'password_reset.txt'
2384 #
2385 # * An HTML page that a user will see when they follow the link in the password
2386 # reset email. The user will be asked to confirm the action before their
2387 # password is reset: 'password_reset_confirmation.html'
2388 #
2389 # * HTML pages for success and failure that a user will see when they confirm
2390 # the password reset flow using the page above: 'password_reset_success.html'
2391 # and 'password_reset_failure.html'
2392 #
2393 # * The contents of address verification emails sent during registration:
2394 # 'registration.html' and 'registration.txt'
2395 #
2396 # * HTML pages for success and failure that a user will see when they follow
2397 # the link in an address verification email sent during registration:
2398 # 'registration_success.html' and 'registration_failure.html'
2399 #
2400 # * The contents of address verification emails sent when an address is added
2401 # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt'
2402 #
2403 # * HTML pages for success and failure that a user will see when they follow
2404 # the link in an address verification email sent when an address is added
2405 # to a Matrix account: 'add_threepid_success.html' and
2406 # 'add_threepid_failure.html'
2407 #
2408 # You can see the default templates at:
2409 # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
2410 #
2411 #template_dir: "res/templates"
2412
2413 # Subjects to use when sending emails from Synapse.
2414 #
2415 # The placeholder '%(app)s' will be replaced with the value of the 'app_name'
2416 # setting above, or by a value dictated by the Matrix client application.
2417 #
2418 # If a subject isn't overridden in this configuration file, the value used as
2419 # its example will be used.
2420 #
2421 #subjects:
2422
2423 # Subjects for notification emails.
2424 #
2425 # On top of the '%(app)s' placeholder, these can use the following
2426 # placeholders:
2427 #
2428 # * '%(person)s', which will be replaced by the display name of the user(s)
2429 # that sent the message(s), e.g. "Alice and Bob".
2430 # * '%(room)s', which will be replaced by the name of the room the
2431 # message(s) have been sent to, e.g. "My super room".
2432 #
2433 # See the example provided for each setting to see which placeholder can be
2434 # used and how to use them.
2435 #
2436 # Subject to use to notify about one message from one or more user(s) in a
2437 # room which has a name.
2438 #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
2439 #
2440 # Subject to use to notify about one message from one or more user(s) in a
2441 # room which doesn't have a name.
2442 #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
2443 #
2444 # Subject to use to notify about multiple messages from one or more users in
2445 # a room which doesn't have a name.
2446 #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
2447 #
2448 # Subject to use to notify about multiple messages in a room which has a
2449 # name.
2450 #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
2451 #
2452 # Subject to use to notify about multiple messages in multiple rooms.
2453 #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
2454 #
2455 # Subject to use to notify about multiple messages from multiple persons in
2456 # multiple rooms. This is similar to the setting above except it's used when
2457 # the room in which the notification was triggered has no name.
2458 #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
2459 #
2460 # Subject to use to notify about an invite to a room which has a name.
2461 #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
2462 #
2463 # Subject to use to notify about an invite to a room which doesn't have a
2464 # name.
2465 #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."
2466
2467 # Subject for emails related to account administration.
2468 #
2469 # On top of the '%(app)s' placeholder, these one can use the
2470 # '%(server_name)s' placeholder, which will be replaced by the value of the
2471 # 'server_name' setting in your Synapse configuration.
2472 #
2473 # Subject to use when sending a password reset email.
2474 #password_reset: "[%(server_name)s] Password reset"
2475 #
2476 # Subject to use when sending a verification email to assert an address's
2477 # ownership.
2478 #email_validation: "[%(server_name)s] Validate your email"
2479
2480
2481# Password providers allow homeserver administrators to integrate
2482# their Synapse installation with existing authentication methods
2483# ex. LDAP, external tokens, etc.
2484#
2485# For more information and known implementations, please see
2486# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md
2487#
2488# Note: instances wishing to use SAML or CAS authentication should
2489# instead use the `saml2_config` or `cas_config` options,
2490# respectively.
2491#
2492password_providers:
2493# # Example config for an LDAP auth provider
2494# - module: "ldap_auth_provider.LdapAuthProvider"
2495# config:
2496# enabled: true
2497# uri: "ldap://ldap.example.com:389"
2498# start_tls: true
2499# base: "ou=users,dc=example,dc=com"
2500# attributes:
2501# uid: "cn"
2502# mail: "email"
2503# name: "givenName"
2504# #bind_dn:
2505# #bind_password:
2506# #filter: "(objectClass=posixAccount)"
2507
2508
2509
2510## Push ##
2511
2512push:
2513 # Clients requesting push notifications can either have the body of
2514 # the message sent in the notification poke along with other details
2515 # like the sender, or just the event ID and room ID (`event_id_only`).
2516 # If clients choose the former, this option controls whether the
2517 # notification request includes the content of the event (other details
2518 # like the sender are still included). For `event_id_only` push, it
2519 # has no effect.
2520 #
2521 # For modern android devices the notification content will still appear
2522 # because it is loaded by the app. iPhone, however will send a
2523 # notification saying only that a message arrived and who it came from.
2524 #
2525 # The default value is "true" to include message details. Uncomment to only
2526 # include the event ID and room ID in push notification payloads.
2527 #
2528 #include_content: false
2529
2530 # When a push notification is received, an unread count is also sent.
2531 # This number can either be calculated as the number of unread messages
2532 # for the user, or the number of *rooms* the user has unread messages in.
2533 #
2534 # The default value is "true", meaning push clients will see the number of
2535 # rooms with unread messages in them. Uncomment to instead send the number
2536 # of unread messages.
2537 #
2538 #group_unread_count_by_room: false
2539
2540
2541# Spam checkers are third-party modules that can block specific actions
2542# of local users, such as creating rooms and registering undesirable
2543# usernames, as well as remote users by redacting incoming events.
2544#
2545spam_checker:
2546 #- module: "my_custom_project.SuperSpamChecker"
2547 # config:
2548 # example_option: 'things'
2549 #- module: "some_other_project.BadEventStopper"
2550 # config:
2551 # example_stop_events_from: ['@bad:example.com']
2552
2553
2554## Rooms ##
2555
2556# Controls whether locally-created rooms should be end-to-end encrypted by
2557# default.
2558#
2559# Possible options are "all", "invite", and "off". They are defined as:
2560#
2561# * "all": any locally-created room
2562# * "invite": any room created with the "private_chat" or "trusted_private_chat"
2563# room creation presets
2564# * "off": this option will take no effect
2565#
2566# The default value is "off".
2567#
2568# Note that this option will only affect rooms created after it is set. It
2569# will also not affect rooms created by other servers.
2570#
2571#encryption_enabled_by_default_for_room_type: invite
2572
2573
2574# Uncomment to allow non-server-admin users to create groups on this server
2575#
2576#enable_group_creation: true
2577
2578# If enabled, non server admins can only create groups with local parts
2579# starting with this prefix
2580#
2581#group_creation_prefix: "unofficial_"
2582
2583
2584
2585# User Directory configuration
2586#
2587user_directory:
2588 # Defines whether users can search the user directory. If false then
2589 # empty responses are returned to all queries. Defaults to true.
2590 #
2591 # Uncomment to disable the user directory.
2592 #
2593 #enabled: false
2594
2595 # Defines whether to search all users visible to your HS when searching
2596 # the user directory, rather than limiting to users visible in public
2597 # rooms. Defaults to false.
2598 #
2599 # If you set it true, you'll have to rebuild the user_directory search
2600 # indexes, see:
2601 # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md
2602 #
2603 # Uncomment to return search results containing all known users, even if that
2604 # user does not share a room with the requester.
2605 #
2606 #search_all_users: true
2607
2608 # Defines whether to prefer local users in search query results.
2609 # If True, local users are more likely to appear above remote users
2610 # when searching the user directory. Defaults to false.
2611 #
2612 # Uncomment to prefer local over remote users in user directory search
2613 # results.
2614 #
2615 #prefer_local_users: true
2616
2617
2618# User Consent configuration
2619#
2620# for detailed instructions, see
2621# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
2622#
2623# Parts of this section are required if enabling the 'consent' resource under
2624# 'listeners', in particular 'template_dir' and 'version'.
2625#
2626# 'template_dir' gives the location of the templates for the HTML forms.
2627# This directory should contain one subdirectory per language (eg, 'en', 'fr'),
2628# and each language directory should contain the policy document (named as
2629# '<version>.html') and a success page (success.html).
2630#
2631# 'version' specifies the 'current' version of the policy document. It defines
2632# the version to be served by the consent resource if there is no 'v'
2633# parameter.
2634#
2635# 'server_notice_content', if enabled, will send a user a "Server Notice"
2636# asking them to consent to the privacy policy. The 'server_notices' section
2637# must also be configured for this to work. Notices will *not* be sent to
2638# guest users unless 'send_server_notice_to_guests' is set to true.
2639#
2640# 'block_events_error', if set, will block any attempts to send events
2641# until the user consents to the privacy policy. The value of the setting is
2642# used as the text of the error.
2643#
2644# 'require_at_registration', if enabled, will add a step to the registration
2645# process, similar to how captcha works. Users will be required to accept the
2646# policy before their account is created.
2647#
2648# 'policy_name' is the display name of the policy users will see when registering
2649# for an account. Has no effect unless `require_at_registration` is enabled.
2650# Defaults to "Privacy Policy".
2651#
2652#user_consent:
2653# template_dir: res/templates/privacy
2654# version: 1.0
2655# server_notice_content:
2656# msgtype: m.text
2657# body: >-
2658# To continue using this homeserver you must review and agree to the
2659# terms and conditions at %(consent_uri)s
2660# send_server_notice_to_guests: true
2661# block_events_error: >-
2662# To continue using this homeserver you must review and agree to the
2663# terms and conditions at %(consent_uri)s
2664# require_at_registration: false
2665# policy_name: Privacy Policy
2666#
2667
2668
2669
2670# Settings for local room and user statistics collection. See
2671# docs/room_and_user_statistics.md.
2672#
2673stats:
2674 # Uncomment the following to disable room and user statistics. Note that doing
2675 # so may cause certain features (such as the room directory) not to work
2676 # correctly.
2677 #
2678 #enabled: false
2679
2680 # The size of each timeslice in the room_stats_historical and
2681 # user_stats_historical tables, as a time period. Defaults to "1d".
2682 #
2683 #bucket_size: 1h
2684
2685
2686# Server Notices room configuration
2687#
2688# Uncomment this section to enable a room which can be used to send notices
2689# from the server to users. It is a special room which cannot be left; notices
2690# come from a special "notices" user id.
2691#
2692# If you uncomment this section, you *must* define the system_mxid_localpart
2693# setting, which defines the id of the user which will be used to send the
2694# notices.
2695#
2696# It's also possible to override the room name, the display name of the
2697# "notices" user, and the avatar for the user.
2698#
2699#server_notices:
2700# system_mxid_localpart: notices
2701# system_mxid_display_name: "Server Notices"
2702# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
2703# room_name: "Server Notices"
2704
2705
2706
2707# Uncomment to disable searching the public room list. When disabled
2708# blocks searching local and remote room lists for local and remote
2709# users by always returning an empty list for all queries.
2710#
2711#enable_room_list_search: false
2712
2713# The `alias_creation` option controls who's allowed to create aliases
2714# on this server.
2715#
2716# The format of this option is a list of rules that contain globs that
2717# match against user_id, room_id and the new alias (fully qualified with
2718# server name). The action in the first rule that matches is taken,
2719# which can currently either be "allow" or "deny".
2720#
2721# Missing user_id/room_id/alias fields default to "*".
2722#
2723# If no rules match the request is denied. An empty list means no one
2724# can create aliases.
2725#
2726# Options for the rules include:
2727#
2728# user_id: Matches against the creator of the alias
2729# alias: Matches against the alias being created
2730# room_id: Matches against the room ID the alias is being pointed at
2731# action: Whether to "allow" or "deny" the request if the rule matches
2732#
2733# The default is:
2734#
2735#alias_creation_rules:
2736# - user_id: "*"
2737# alias: "*"
2738# room_id: "*"
2739# action: allow
2740
2741# The `room_list_publication_rules` option controls who can publish and
2742# which rooms can be published in the public room list.
2743#
2744# The format of this option is the same as that for
2745# `alias_creation_rules`.
2746#
2747# If the room has one or more aliases associated with it, only one of
2748# the aliases needs to match the alias rule. If there are no aliases
2749# then only rules with `alias: *` match.
2750#
2751# If no rules match the request is denied. An empty list means no one
2752# can publish rooms.
2753#
2754# Options for the rules include:
2755#
2756# user_id: Matches against the creator of the alias
2757# room_id: Matches against the room ID being published
2758# alias: Matches against any current local or canonical aliases
2759# associated with the room
2760# action: Whether to "allow" or "deny" the request if the rule matches
2761#
2762# The default is:
2763#
2764#room_list_publication_rules:
2765# - user_id: "*"
2766# alias: "*"
2767# room_id: "*"
2768# action: allow
2769
2770
2771# Server admins can define a Python module that implements extra rules for
2772# allowing or denying incoming events. In order to work, this module needs to
2773# override the methods defined in synapse/events/third_party_rules.py.
2774#
2775# This feature is designed to be used in closed federations only, where each
2776# participating server enforces the same rules.
2777#
2778#third_party_event_rules:
2779# module: "my_custom_project.SuperRulesSet"
2780# config:
2781# example_option: 'things'
2782
2783
2784## Opentracing ##
2785
2786# These settings enable opentracing, which implements distributed tracing.
2787# This allows you to observe the causal chains of events across servers
2788# including requests, key lookups etc., across any server running
2789# synapse or any other other services which supports opentracing
2790# (specifically those implemented with Jaeger).
2791#
2792opentracing:
2793 # tracing is disabled by default. Uncomment the following line to enable it.
2794 #
2795 #enabled: true
2796
2797 # The list of homeservers we wish to send and receive span contexts and span baggage.
2798 # See docs/opentracing.rst.
2799 #
2800 # This is a list of regexes which are matched against the server_name of the
2801 # homeserver.
2802 #
2803 # By default, it is empty, so no servers are matched.
2804 #
2805 #homeserver_whitelist:
2806 # - ".*"
2807
2808 # A list of the matrix IDs of users whose requests will always be traced,
2809 # even if the tracing system would otherwise drop the traces due to
2810 # probabilistic sampling.
2811 #
2812 # By default, the list is empty.
2813 #
2814 #force_tracing_for_users:
2815 # - "@user1:server_name"
2816 # - "@user2:server_name"
2817
2818 # Jaeger can be configured to sample traces at different rates.
2819 # All configuration options provided by Jaeger can be set here.
2820 # Jaeger's configuration is mostly related to trace sampling which
2821 # is documented here:
2822 # https://www.jaegertracing.io/docs/latest/sampling/.
2823 #
2824 #jaeger_config:
2825 # sampler:
2826 # type: const
2827 # param: 1
2828 # logging:
2829 # false
2830
2831
2832## Workers ##
2833
2834# Disables sending of outbound federation transactions on the main process.
2835# Uncomment if using a federation sender worker.
2836#
2837#send_federation: false
2838
2839# It is possible to run multiple federation sender workers, in which case the
2840# work is balanced across them.
2841#
2842# This configuration must be shared between all federation sender workers, and if
2843# changed all federation sender workers must be stopped at the same time and then
2844# started, to ensure that all instances are running with the same config (otherwise
2845# events may be dropped).
2846#
2847#federation_sender_instances:
2848# - federation_sender1
2849
2850# When using workers this should be a map from `worker_name` to the
2851# HTTP replication listener of the worker, if configured.
2852#
2853#instance_map:
2854# worker1:
2855# host: localhost
2856# port: 8034
2857
2858# Experimental: When using workers you can define which workers should
2859# handle event persistence and typing notifications. Any worker
2860# specified here must also be in the `instance_map`.
2861#
2862#stream_writers:
2863# events: worker1
2864# typing: worker1
2865
2866# The worker that is used to run background tasks (e.g. cleaning up expired
2867# data). If not provided this defaults to the main process.
2868#
2869#run_background_tasks_on: worker1
2870
2871# A shared secret used by the replication APIs to authenticate HTTP requests
2872# from workers.
2873#
2874# By default this is unused and traffic is not authenticated.
2875#
2876#worker_replication_secret: ""
2877
2878
2879# Configuration for Redis when using workers. This *must* be enabled when
2880# using workers (unless using old style direct TCP configuration).
2881#
2882redis:
2883 # Uncomment the below to enable Redis support.
2884 #
2885 #enabled: true
2886
2887 # Optional host and port to use to connect to redis. Defaults to
2888 # localhost and 6379
2889 #
2890 #host: localhost
2891 #port: 6379
2892
2893 # Optional password if configured on the Redis instance
2894 #
2895 #password: <secret_password>
2896