# This is the Dendrite configuration file.
#
# The configuration is split up into sections - each Dendrite component has a
# configuration section, in addition to the "global" section which applies to
# all components.
#
# At a minimum, to get started, you will need to update the settings in the
# "global" section for your deployment, and you will need to check that the
# database "connection_string" line in each component section is correct.
#
# Each component with a "database" section can accept the following formats
# for "connection_string":
#   SQLite:     file:filename.db
#               file:///path/to/filename.db
#   PostgreSQL: postgresql://user:pass@hostname/database?params=...
#
# SQLite is embedded into Dendrite and therefore no further prerequisites are
# needed for the database when using SQLite mode. However, performance with
# PostgreSQL is significantly better and is recommended for multi-user deployments.
# SQLite is typically around 20-30% slower than PostgreSQL when tested with a
# small number of users and will likely perform worse still with a higher volume
# of users.
#
# The "max_open_conns" and "max_idle_conns" settings configure the maximum
# number of open/idle database connections. The value 0 will use the database
# engine default, and a negative value will use unlimited connections. The
# "conn_max_lifetime" option controls the maximum length of time a database
# connection can be idle in seconds - a negative value is unlimited.
29
# The version of the configuration file format (not the Dendrite release).
version: 1
32
# Global Matrix configuration. This configuration applies to all components.
global:
  # The domain name of this homeserver.
  server_name: my_site.com

  # The path to the signing private key file, used to sign requests and events.
  # Note that this is NOT the same private key as used for TLS! To generate a
  # signing key, use "./bin/generate-keys --private-key matrix_key.pem".
  # NOTE(review): other homeservers verify this server's events against the
  # public half of this key, so keep the file readable only by the user
  # Dendrite runs as.
  private_key: matrix_key.pem

  # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
  # to old signing private keys that were formerly in use on this domain. These
  # keys will not be used for federation request or event signing, but will be
  # provided to any other homeserver that asks when trying to verify old events.
  # old_private_keys:
  #   - private_key: old_matrix_key.pem
  #     expired_at: 1601024554498

  # How long a remote server can cache our server signing key before requesting it
  # again. Increasing this number will reduce the number of requests made by other
  # servers for our key but increases the period that a compromised key will be
  # considered valid by other homeservers. Written in Go duration syntax
  # (168h = 7 days).
  key_validity_period: 168h0m0s

  # Lists of domains that the server will trust as identity servers to verify third
  # party identifiers such as phone numbers and email addresses.
  trusted_third_party_id_servers:
    - matrix.org
    - vector.im

  # Disables federation. Dendrite will not be able to make any outbound HTTP requests
  # to other servers and the federation API will not be exposed.
  disable_federation: true

  # Configuration for Kafka/Naffka.
  kafka:
    # List of Kafka broker addresses to connect to. This is not needed if using
    # Naffka in monolith mode (which is the case below, "use_naffka: true").
    addresses:
      - localhost:2181

    # The prefix to use for Kafka topic names for this homeserver. Change this only if
    # you are running more than one Dendrite homeserver on the same Kafka deployment.
    topic_prefix: Dendrite

    # Whether to use Naffka instead of Kafka. This is only available in monolith
    # mode, but means that you can run a single-process server without requiring
    # Kafka.
    use_naffka: true

    # The max size a Kafka message is allowed to use.
    # You only need to change this value if you encounter issues with too large messages.
    # Must be less than/equal to "max.message.bytes" configured in Kafka.
    # Defaults to 8388608 bytes.
    # max_message_bytes: 8388608

    # Naffka database options. Not required when using Kafka.
    naffka_database:
      connection_string: file:naffka.db
      max_open_conns: 10
      max_idle_conns: 2
      conn_max_lifetime: -1

  # Configuration for Prometheus metric collection.
  metrics:
    # Whether or not Prometheus metrics are enabled.
    enabled: false

    # HTTP basic authentication to protect access to monitoring.
    # NOTE(review): these are placeholder credentials (username == password).
    # Replace the password with a long random value before switching
    # "enabled" to true; metrics are currently off, so nothing is exposed yet.
    basic_auth:
      username: metrics
      password: metrics

  # DNS cache options. The DNS cache may reduce the load on DNS servers
  # if there is no local caching resolver available for use.
  dns_cache:
    # Whether or not the DNS cache is enabled.
    enabled: false

    # Maximum number of entries to hold in the DNS cache, and for how long
    # those items should be considered valid. The lifetime is a Go duration
    # string rather than a bare number of seconds; see
    # https://pkg.go.dev/time@master#ParseDuration for the accepted syntax.
    cache_size: 256
    cache_lifetime: "5m"  # 5 minutes
116
# Configuration for the Appservice API.
app_service_api:
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7777
    connect: http://localhost:7777
  database:
    connection_string: file:appservice.db
    max_open_conns: 10
    max_idle_conns: 2
    conn_max_lifetime: -1

  # Disable the validation of TLS certificates of appservices. This is
  # not recommended in production since it may allow appservice traffic
  # to be sent to an unverified endpoint. Leave this at false.
  disable_tls_validation: false

  # Appservice configuration files to load into this homeserver.
  # Empty list: no appservices are registered.
  config_files: []
135
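# Configuration for the Client API.
client_api:
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7771
    connect: http://localhost:7771
  # Client-facing endpoint. It is bound to all interfaces over plain HTTP, so
  # it is expected to sit behind a TLS-terminating reverse proxy.
  external_api:
    listen: http://[::]:8071

  # Prevents new users from being able to register on this homeserver, except when
  # using the registration shared secret below.
  # NOTE(review): with this at false and "enable_registration_captcha" also
  # false, anyone who can reach the external listener can create accounts.
  # Confirm that open registration is intended for this deployment.
  registration_disabled: false

  # If set, allows registration by anyone who knows the shared secret, regardless of
  # whether registration is otherwise disabled. Because it bypasses
  # "registration_disabled", treat it like an admin credential: generate a long
  # random value and supply it out of band rather than committing it here. The
  # value has been cleared (disabled) because the previous one was a short,
  # guessable phrase.
  registration_shared_secret: ""

  # Whether to require reCAPTCHA for registration.
  enable_registration_captcha: false

  # Settings for ReCAPTCHA. All empty: reCAPTCHA is not configured.
  recaptcha_public_key: ""
  recaptcha_private_key: ""
  recaptcha_bypass_secret: ""
  recaptcha_siteverify_api: ""

  # TURN server information that this homeserver should send to clients.
  # All empty: no TURN server is advertised.
  turn:
    turn_user_lifetime: ""
    turn_uris: []
    turn_shared_secret: ""
    turn_username: ""
    turn_password: ""

  # Settings for rate-limited endpoints. Rate limiting will kick in after the
  # threshold number of "slots" have been taken by requests from a specific
  # host. Each "slot" will be released after the cooloff time in milliseconds.
  rate_limiting:
    enabled: true
    threshold: 5
    cooloff_ms: 500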
176
# Configuration for the EDU server.
edu_server:
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7778
    connect: http://localhost:7778
182
# Configuration for the Federation API.
federation_api:
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7772
    connect: http://localhost:7772
  # Server-to-server endpoint. With "global.disable_federation: true" above,
  # this listener is not exposed.
  external_api:
    listen: http://[::]:8072

  # List of paths to X.509 certificates to be used by the external federation listeners.
  # These certificates will be used to calculate the TLS fingerprints and other servers
  # will expect the certificate to match these fingerprints. Certificates must be in PEM
  # format.
  federation_certificates: []
196
# Configuration for the Federation Sender.
federation_sender:
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7775
    connect: http://localhost:7775
  database:
    connection_string: file:federationsender.db
    max_open_conns: 10
    max_idle_conns: 2
    conn_max_lifetime: -1

  # How many times we will try to resend a failed transaction to a specific server. The
  # backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc.
  # At 16 the final retry interval is 2**16 seconds (roughly 18 hours).
  send_max_retries: 16

  # Disable the validation of TLS certificates of remote federated homeservers. Do not
  # enable this option in production as it presents a security risk!
  disable_tls_validation: false

  # Use the following proxy server for outbound federation traffic.
  # Disabled here; the remaining fields are only used when "enabled" is true.
  proxy_outbound:
    enabled: false
    protocol: http
    host: localhost
    port: 8080
222
# Configuration for the Key Server (for end-to-end encryption).
key_server:
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7779
    connect: http://localhost:7779
  database:
    connection_string: file:keyserver.db
    max_open_conns: 10
    max_idle_conns: 2
    conn_max_lifetime: -1
233
# Configuration for the Media API.
media_api:
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7774
    connect: http://localhost:7774
  # Client-facing media endpoint, bound to all interfaces over plain HTTP.
  external_api:
    listen: http://[::]:8074
  database:
    connection_string: file:mediaapi.db
    max_open_conns: 5
    max_idle_conns: 2
    conn_max_lifetime: -1

  # Storage path for uploaded media. May be relative or absolute.
  # NOTE(review): relative paths are presumably resolved against Dendrite's
  # working directory — confirm before relying on a relative value in production.
  base_path: ./media_store

  # The maximum allowed file size (in bytes) for media uploads to this homeserver
  # (0 = unlimited). If using a reverse proxy, ensure it allows requests at
  # least this large (e.g. client_max_body_size in nginx.)
  # 10485760 bytes = 10 MiB.
  max_file_size_bytes: 10485760

  # Whether to dynamically generate thumbnails if needed.
  dynamic_thumbnails: false

  # The maximum number of simultaneous thumbnail generators to run.
  max_thumbnail_generators: 10

  # A list of thumbnail sizes to be generated for media content.
  thumbnail_sizes:
    - width: 32
      height: 32
      method: crop
    - width: 96
      height: 96
      method: crop
    - width: 640
      height: 480
      method: scale
272
# Configuration for experimental MSCs.
mscs:
  # A list of enabled MSCs.
  # Currently valid values are:
  #   - msc2836 (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
  #   - msc2946 (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946)
  # Empty list: no experimental features are enabled.
  mscs: []
  database:
    connection_string: file:mscs.db
    max_open_conns: 5
    max_idle_conns: 2
    conn_max_lifetime: -1
285
# Configuration for the Room Server.
room_server:
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7770
    connect: http://localhost:7770
  database:
    connection_string: file:roomserver.db
    max_open_conns: 10
    max_idle_conns: 2
    conn_max_lifetime: -1
296
# Configuration for the Signing Key Server (for server signing keys).
signing_key_server:
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7780
    connect: http://localhost:7780
  database:
    connection_string: file:signingkeyserver.db
    max_open_conns: 10
    max_idle_conns: 2
    conn_max_lifetime: -1

  # Perspective keyservers to use as a backup when direct key fetches fail. This may
  # be required to satisfy key requests for servers that are no longer online when
  # joining some rooms.
  # The "keys" entries pin the perspective server's own public signing keys;
  # NOTE(review): confirm them against the key list matrix.org currently
  # publishes before trusting answers relayed through it.
  key_perspectives:
    - server_name: matrix.org
      keys:
        - key_id: ed25519:auto
          public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
        - key_id: ed25519:a_RXGa
          public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ

  # This option will control whether Dendrite will prefer to look up keys directly
  # or whether it should try perspective servers first, using direct fetches as a
  # last resort.
  prefer_direct_fetch: false
323
# Configuration for the Sync API.
sync_api:
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7773
    connect: http://localhost:7773
  # Client-facing sync endpoint, bound to all interfaces over plain HTTP.
  external_api:
    listen: http://[::]:8073
  database:
    connection_string: file:syncapi.db
    max_open_conns: 10
    max_idle_conns: 2
    conn_max_lifetime: -1

  # This option controls which HTTP header to inspect to find the real remote IP
  # address of the client. This is likely required if Dendrite is running behind
  # a reverse proxy server.
  # NOTE(review): only set this when every request to the external listener
  # passes through a proxy that overwrites (not merely appends to) this header;
  # if clients can reach the listener directly, a client-supplied value would
  # presumably be accepted as the client's address.
  real_ip_header: X-Real-IP
341
# Configuration for the User API.
user_api:
  # The cost when hashing passwords on registration/login. Default: 10. Min: 4, Max: 31
  # See https://pkg.go.dev/golang.org/x/crypto/bcrypt for more information.
  # Setting this lower makes registration/login consume less CPU resources at the cost of security
  # should the database be compromised. Setting this higher makes registration/login consume more
  # CPU resources but makes it harder to brute force password hashes.
  # This value can be low if performing tests or on embedded Dendrite instances (e.g WASM builds)
  # Commented out here, so the default of 10 applies.
  # bcrypt_cost: 10
  # Component-to-component endpoint; bound to loopback only here.
  internal_api:
    listen: http://localhost:7781
    connect: http://localhost:7781
  # Holds account records, including the password hashes the cost above applies to.
  account_database:
    connection_string: file:userapi_accounts.db
    max_open_conns: 10
    max_idle_conns: 2
    conn_max_lifetime: -1
  device_database:
    connection_string: file:userapi_devices.db
    max_open_conns: 10
    max_idle_conns: 2
    conn_max_lifetime: -1
  # The length of time that a token issued for a relying party from
  # /_matrix/client/r0/user/{userId}/openid/request_token endpoint
  # is considered to be valid in milliseconds.
  # The default lifetime is 3600000ms (60 minutes). Commented out here, so the
  # default applies.
  # openid_token_lifetime_ms: 3600000
369
# Configuration for Opentracing.
# See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on
# how this works and how to set it up.
tracing:
  # Tracing is off; the Jaeger settings below are inert until this is true.
  enabled: false
  # Jaeger client configuration (key names follow the Jaeger config schema,
  # hence the camelCase "serviceName"). "null" means the Jaeger default.
  jaeger:
    serviceName: ""
    disabled: false
    rpc_metrics: false
    tags: []
    sampler: null
    reporter: null
    headers: null
    baggage_restrictions: null
    throttler: null
385
# Logging configuration, in addition to the standard logging that is sent to
# stdout by Dendrite.
# One entry per log sink; this deployment writes "info"-level logs to files
# under ./logs. NOTE(review): logs presumably include user IDs and client
# addresses — restrict the directory's permissions accordingly.
logging:
  - type: file
    level: info
    params:
      path: ./logs