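# vim:ft=yaml
# PEM encoded X509 certificate for TLS.
# You can replace the self-signed certificate that synapse
# autogenerates on launch with your own SSL certificate + key pair
# if you like. Any required intermediary certificates can be
# appended after the primary certificate in hierarchical order.
#
# NOTE(review): other comments in this file reference Synapse v1.4.0.
# Releases since 1.0 are understood to require a CA-issued certificate
# for federation, so a self-signed certificate here is only suitable when
# a TLS-terminating proxy presents the public certificate - confirm
# against the deployed version.
tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"

# PEM encoded private key for TLS
# NOTE(review): keep this file readable only by the account synapse runs
# as; it should not be group- or world-readable.
tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"

# PEM dh parameters for ephemeral keys
tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"

# Don't bind to the https port
no_tls: false

# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
# certificates returned by this server match one of the fingerprints.
#
# Synapse automatically adds the fingerprint of its own certificate
# to the list. So if federation traffic is handled directly by synapse
# then no modification to the list is required.
#
# If synapse is run behind a load balancer that handles the TLS then it
# will be necessary to add the fingerprints of the certificates used by
# the loadbalancers to this list if they are different to the one
# synapse is using.
#
# Homeservers are permitted to cache the list of TLS fingerprints
# returned in the key responses up to the "valid_until_ts" returned in
# key. It may be necessary to publish the fingerprints of a new
# certificate and wait until the "valid_until_ts" of the previous key
# responses have passed before deploying it.
#
# You can calculate a fingerprint from a given TLS listener via:
#    openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
#      openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
# or by checking matrix.org/federationtester/api/report?server_name=$host
#
tls_fingerprints: []
# tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]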
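## Server ##

# When running as a daemon, the file to store the pid in
pid_file: "/var/run/matrix-synapse.pid"

# CPU affinity mask. Setting this restricts the CPUs on which the
# process will be scheduled. It is represented as a bitmask, with the
# lowest order bit corresponding to the first logical CPU and the
# highest order bit corresponding to the last logical CPU. Not all CPUs
# may exist on a given system but a mask may specify more CPUs than are
# present.
#
# For example:
#    0x00000001  is processor #0,
#    0x00000003  is processors #0 and #1,
#    0xFFFFFFFF  is all processors (#0 through #31).
#
# Pinning a Python process to a single CPU is desirable, because Python
# is inherently single-threaded due to the GIL, and can suffer a
# 30-40% slowdown due to cache blow-out and thread context switching
# if the scheduler happens to schedule the underlying threads across
# different cores. See
# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/.
#
# cpu_affinity: 0xFFFFFFFF

# The path to the web client which will be served at /_matrix/client/
# if 'webclient' is configured under the 'listeners' configuration.
#
# web_client_location: "/path/to/web/root"

# The public-facing base URL for the client API (not including _matrix/...)
# public_baseurl: https://example.com:8448/

# Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the
# hard limit.
soft_file_limit: 0

# Set to false to disable presence tracking on this homeserver.
#
#use_presence: false

# Whether to require authentication to retrieve profile data (avatars,
# display names) of other users through the client API. Defaults to
# 'false'. Note that profile data is also available via the federation
# API, so this setting is of limited value if federation is enabled on
# the server.
#
# NOTE(review): this and the three options below are left commented out,
# so the documented defaults apply: profile lookups need no
# authentication, while the public rooms directory requires it on the
# client API and is not served over federation.
#
#require_auth_for_profile_requests: true

# Uncomment to require a user to share a room with another user in order
# to retrieve their profile information. Only checked on Client-Server
# requests. Profile requests from other servers should be checked by the
# requesting server. Defaults to 'false'.
#
#limit_profile_requests_to_users_who_share_rooms: true

# If set to 'true', removes the need for authentication to access the server's
# public rooms directory through the client API, meaning that anyone can
# query the room directory. Defaults to 'false'.
#
#allow_public_rooms_without_auth: true

# If set to 'true', allows any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'false'.
#
#allow_public_rooms_over_federation: true

# The default room version for newly created rooms.
#
# Known room versions are listed here:
# https://matrix.org/docs/spec/#complete-list-of-room-versions
#
# For example, for room version 1, default_room_version should be set
# to "1".
#
#default_room_version: "5"

# The GC threshold parameters to pass to `gc.set_threshold`, if defined
# gc_thresholds: [700, 10, 10]

# Set the limit on the returned events in the timeline in the get
# and sync operations. The default value is -1, which means no upper limit.
# filter_timeline_limit: 5000

# Whether room invites to users on this server should be blocked
# (except those sent by local server admins). The default is False.
# block_non_admin_invites: true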
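# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
# federation_domain_whitelist:
#   - lon.example.com
#   - nyc.example.com
#   - syd.example.com

# Prevent federation requests from being sent to the following
# blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced.
#
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
# servers provided by user input.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
# NOTE(review): this list is what stops remote-supplied server names from
# steering outbound requests at loopback and internal hosts, so it should
# cover every non-public range reachable from this machine. Add any
# further internal or cloud-metadata ranges specific to the deployment.
#
federation_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  # The IPv6 link-local block is fe80::/10; the previous 'fe80::/64'
  # entry covered only part of it.
  - 'fe80::/10'
  - 'fc00::/7'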
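# List of ports that Synapse should listen on, their purpose and their
# configuration.
#
# NOTE(review): both listeners below bind to loopback only, so nothing
# outside this host reaches them unless a reverse proxy forwards to them.
# In that layout set 'x_forwarded: true' on the proxied listener, or
# rate limiting and logs will see the proxy's address for every client.
# Only enable it on listeners that cannot be reached directly, since the
# header is otherwise client-controlled.
listeners:
  # Main HTTPS listener
  # For when matrix traffic is sent directly to synapse.
  -
    # The port to listen for HTTPS requests on.
    port: 8448

    # Local addresses to listen on.
    # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6
    # addresses by default. For most other OSes, this will only listen
    # on IPv6.
    bind_addresses:
      - '::1'
      - '127.0.0.1'
      # - '::'
      # - '0.0.0.0'

    # This is a 'http' listener, allows us to specify 'resources'.
    type: http

    tls: true

    # Use the X-Forwarded-For (XFF) header as the client IP and not the
    # actual client IP.
    x_forwarded: false

    # List of HTTP resources to serve on this listener.
    resources:
      -
        # List of resources to host on this listener.
        names:
          - client  # The client-server APIs, both v1 and v2

        # Should synapse compress HTTP responses to clients that support it?
        # This should be disabled if running synapse behind a load balancer
        # that can do automatic compression.
        compress: true

      - names: [federation]  # Federation APIs
        compress: false

    # optional list of additional endpoints which can be loaded via
    # dynamic modules
    # additional_resources:
    #   "/_matrix/my/custom/endpoint":
    #     module: my_module.CustomRequestHandler
    #     config: {}

  # Unsecure HTTP listener,
  # For when matrix traffic passes through loadbalancer that unwraps TLS.
  # NOTE(review): traffic on this port is cleartext; keep it on loopback
  # or on a network segment shared only with the load balancer.
  - port: 8008
    tls: false
    bind_addresses:
      - '::1'
      - '127.0.0.1'
      # - '::'
      # - '0.0.0.0'
    type: http

    x_forwarded: false

    resources:
      - names: [client]
        compress: true
      - names: [federation]
        compress: false

  # Turn on the twisted ssh manhole service on localhost on the given
  # port.
  # NOTE(review): the manhole gives interactive access to the running
  # process; if it is enabled, keep it bound to loopback as shown.
  # - port: 9000
  #   bind_addresses:
  #     - '::1'
  #     - '127.0.0.1'
  #   type: manhole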
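# Database configuration
database:
  # The database engine name
  name: "sqlite3"
  # Arguments to pass to the engine
  args:
    # Path to the database
    # NOTE(review): the database holds account data for every local
    # user; restrict this file and its directory to the account synapse
    # runs as.
    database: "/var/lib/matrix-synapse/homeserver.db"

# Number of events to cache in memory.
event_cache_size: "10K"


# A yaml python logging config file
log_config: "/etc/matrix-synapse/log.yaml"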
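## Ratelimiting ##

# Number of messages a client can send per second
rc_messages_per_second: 0.2

# Number of messages a client can send before being throttled
rc_message_burst_count: 10.0

# The federation window size in milliseconds
federation_rc_window_size: 1000

# The number of federation requests from a single server in a window
# before the server will delay processing the request.
federation_rc_sleep_limit: 10

# The duration in milliseconds to delay processing events from
# remote servers by if they go over the sleep limit.
federation_rc_sleep_delay: 500

# The maximum number of concurrent federation requests allowed
# from a single server
federation_rc_reject_limit: 50

# The number of federation requests to concurrently process from a
# single server
federation_rc_concurrent: 3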
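# Directory where uploaded images and attachments are stored.
media_store_path: "/var/lib/matrix-synapse/media"

# Media storage providers allow media to be stored in different
# locations.
# media_storage_providers:
#   - module: file_system
#     # Whether to write new local files.
#     store_local: false
#     # Whether to write new remote media
#     store_remote: false
#     # Whether to block upload requests waiting for write to this
#     # provider to complete
#     store_synchronous: false
#     config:
#       directory: /mnt/some/other/directory

# Directory where in-progress uploads are stored.
uploads_path: "/var/lib/matrix-synapse/uploads"

# The largest allowed upload size in bytes
max_upload_size: "10M"

# Maximum number of pixels that will be thumbnailed
# NOTE(review): this cap and max_upload_size bound the work done on
# user-supplied images; raise them only with the host's memory in mind.
max_image_pixels: "32M"

# Whether to generate new thumbnails on the fly to precisely match
# the resolution requested by the client. If true then whenever
# a new resolution is requested by the client the server will
# generate a new thumbnail. If false the server will pick a thumbnail
# from a precalculated list.
dynamic_thumbnails: false

# List of thumbnails to precalculate when an image is uploaded.
thumbnail_sizes:
  - width: 32
    height: 32
    method: crop
  - width: 96
    height: 96
    method: crop
  - width: 320
    height: 240
    method: scale
  - width: 640
    height: 480
    method: scale
  - width: 800
    height: 600
    method: scale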
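# Is the preview URL API enabled? If enabled, you *must* specify
# an explicit url_preview_ip_range_blacklist of IPs that the spider is
# denied from accessing.
url_preview_enabled: false

# List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly
# specify a list for URL previewing to work. You should specify any
# internal services in your network that you do not want synapse to try
# to connect to, otherwise anyone in any Matrix room could cause your
# synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues.
#
# NOTE(review): the example below lists IPv4 ranges only. On a host with
# IPv6 connectivity, also list the IPv6 loopback, link-local and
# unique-local ranges that federation_ip_range_blacklist in this file
# already covers, so both lists deny the same internal targets.
#
# url_preview_ip_range_blacklist:
#   - '127.0.0.0/8'
#   - '10.0.0.0/8'
#   - '172.16.0.0/12'
#   - '192.168.0.0/16'
#   - '100.64.0.0/10'
#   - '169.254.0.0/16'
#
# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted
# target IP ranges - e.g. for enabling URL previews for a specific private
# website only visible in your network.
#
# url_preview_ip_range_whitelist:
#   - '192.168.1.1'

# Optional list of URL matches that the URL preview spider is
# denied from accessing. You should use url_preview_ip_range_blacklist
# in preference to this, otherwise someone could define a public DNS
# entry that points to a private IP address and circumvent the blacklist.
# This is more useful if you know there is an entire shape of URL that
# you will never want synapse to try to spider.
#
# Each list entry is a dictionary of url component attributes as returned
# by urlparse.urlsplit as applied to the absolute form of the URL. See
# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
# The values of the dictionary are treated as a filename match pattern
# applied to that component of URLs, unless they start with a ^ in which
# case they are treated as a regular expression match. If all the
# specified component matches for a given list item succeed, the URL is
# blacklisted.
#
# url_preview_url_blacklist:
#   # blacklist any URL with a username in its URI
#   - username: '*'
#
#   # blacklist all *.google.com URLs
#   - netloc: 'google.com'
#   - netloc: '*.google.com'
#
#   # blacklist all plain HTTP URLs
#   - scheme: 'http'
#
#   # blacklist http(s)://www.acme.com/foo
#   - netloc: 'www.acme.com'
#     path: '/foo'
#
#   # blacklist any URL with a literal IPv4 address
#   - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

# The largest allowed URL preview spidering size in bytes
max_spider_size: "10M"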
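## Captcha ##
# See docs/CAPTCHA_SETUP for full details of configuring this.

# This Home Server's ReCAPTCHA public key.
recaptcha_public_key: "YOUR_PUBLIC_KEY"

# This Home Server's ReCAPTCHA private key.
# NOTE(review): placeholder value. Once a real key is configured, keep it
# out of any copy of this file that is shared or committed.
recaptcha_private_key: "YOUR_PRIVATE_KEY"

# Enables ReCaptcha checks when registering, preventing signup
# unless a captcha is answered. Requires a valid ReCaptcha
# public/private key.
enable_registration_captcha: false

# A secret key used to bypass the captcha test entirely.
# NOTE(review): if this is ever enabled, generate a long random value;
# the placeholder below is not a secret.
#captcha_bypass_secret: "YOUR_SECRET_HERE"

# The API endpoint to use for verifying m.login.recaptcha responses.
recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"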
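## Turn ##

# The public URIs of the TURN server to give to clients
turn_uris: []

# The shared secret used to compute passwords for the TURN server
# NOTE(review): placeholder value, harmless only while turn_uris is
# empty. Replace it with the TURN server's real random secret before
# adding any URI above.
turn_shared_secret: "YOUR_SHARED_SECRET"

# The Username and password if the TURN server needs them and
# does not use a token
#turn_username: "TURNSERVER_USERNAME"
#turn_password: "TURNSERVER_PASSWORD"

# How long generated TURN credentials last
turn_user_lifetime: "1h"

# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
turn_allow_guests: false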
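## Registration ##

# Enable registration for new users.
enable_registration: false

# The user must provide all of the below types of 3PID when registering.
#
# registrations_require_3pid:
#   - email
#   - msisdn

# Mandate that users are only allowed to associate certain formats of
# 3PIDs with accounts on this server.
#
# NOTE(review): the patterns are single-quoted here because '\.' and
# '\+' are not valid escapes inside a double-quoted YAML string. They
# also have no end anchor; if the server matches only from the start of
# the address, append '$' so that a longer domain beginning with the
# allowed one does not pass - confirm against the deployed version.
#
# allowed_local_3pids:
#   - medium: email
#     pattern: '.*@matrix\.org'
#   - medium: email
#     pattern: '.*@vector\.im'
#   - medium: msisdn
#     pattern: '\+44'

# If set, allows registration by anyone who also has the shared
# secret, even if registration is otherwise disabled.
#
# NOTE(review): this is a live-looking secret stored inline, and this
# copy of the file has been published. Treat the value as exposed:
# generate a new random secret, and keep it in a file readable only by
# the account synapse runs as rather than in a config that gets shared.
# Remove the option entirely if shared-secret registration is not used.
registration_shared_secret: "Flje46rktDhmwaXbuRepMBhL5VPOmX91"


# Set the number of bcrypt rounds used to generate password hash.
# Larger numbers increase the work factor needed to generate the hash.
# The default number is 12 (which equates to 2^12 rounds).
# N.B. that increasing this will exponentially increase the time required
# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
bcrypt_rounds: 12

# Allows users to register as guests without a password/email/etc, and
# participate in rooms hosted on this server which have been made
# accessible to anonymous users.
allow_guest_access: false

# The list of identity servers trusted to verify third party
# identifiers by this server.
#
# Also defines the ID server which will be called when an account is
# deactivated (one will be picked arbitrarily).
#
# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity
# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a
# background migration script, informing itself that the identity server all of its
# 3PIDs have been bound to is likely one of the below.
#
# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and
# it is now solely used for the purposes of the background migration script, and can be
# removed once it has run.
trusted_third_party_id_servers:
  - matrix.org
  - vector.im
  - riot.im

# Users who register on this homeserver will automatically be joined
# to these rooms
#auto_join_rooms:
#  - "#example:example.com"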
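## Metrics ###

# Enable collection and rendering of performance metrics
enable_metrics: false

## API Configuration ##

# A list of event types that will be included in the room_invite_state
room_invite_state_types:
  - "m.room.join_rules"
  - "m.room.canonical_alias"
  - "m.room.avatar"
  - "m.room.name"


# A list of application service config file to use
app_service_config_files: []


# NOTE(review): Synapse releases of this era are understood to fall back
# to registration_shared_secret, when one is set, if macaroon_secret_key
# is left unset - confirm for the deployed version. Set an independent
# random value here so the two secrets can be rotated separately.
# macaroon_secret_key: <PRIVATE STRING>

# Used to enable access token expiration.
expire_access_token: false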
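## Signing Keys ##

# Path to the signing key to sign messages with
# NOTE(review): this key is the server's federation identity. Restrict
# the file to the account synapse runs as and include it in backups; a
# key that is replaced should be listed under old_signing_keys below.
signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"

# The keys that the server used to sign messages with but won't use
# to sign new messages. E.g. it has lost its private key
old_signing_keys: {}
#  "ed25519:auto":
#    # Base64 encoded public key
#    key: "The public part of your old signing key."
#    # Millisecond POSIX timestamp when the key expired.
#    expired_ts: 123456789123

# How long key response published by this server is valid for.
# Used to set the valid_until_ts in /key/v2 APIs.
# Determines how quickly servers will query to check which keys
# are still valid.
key_refresh_interval: "1d"  # 1 Day.

# The trusted servers to download signing keys from.
#
# When we need to fetch a signing key, each server is tried in parallel.
#
# Normally, the connection to the key server is validated via TLS certificates.
# Additional security can be provided by configuring a `verify key`, which
# will make synapse check that the response is signed by that key.
#
# This setting supersedes an older setting named `perspectives`. The old format
# is still supported for backwards-compatibility, but it is deprecated.
#
# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
# warning on start-up. To suppress this warning, set
# 'suppress_key_server_warning' to true.
#
# Options for each entry in the list include:
#
#    server_name: the name of the server. required.
#
#    verify_keys: an optional map from key id to base64-encoded public key.
#       If specified, we will check that the response is signed by at least
#       one of the given keys.
#
#    accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
#       and federation_verify_certificates is not `true`, synapse will refuse
#       to start, because this would allow anyone who can spoof DNS responses
#       to masquerade as the trusted key server. If you know what you are doing
#       and are sure that your network environment provides a secure connection
#       to the key server, you can set this to `true` to override this
#       behaviour.
#
# An example configuration might look like:
#
#trusted_key_servers:
#  - server_name: "my_trusted_server.example.com"
#    verify_keys:
#      "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
#  - server_name: "my_other_trusted_server.example.com"
#
# NOTE(review): no verify_keys are configured for this entry, so trust in
# key responses rests on TLS certificate validation alone, as described
# above.
trusted_key_servers:
  - server_name: "matrix.org"

# Uncomment the following to disable the warning that is emitted when the
# trusted_key_servers include 'matrix.org'. See above.
#
#suppress_key_server_warning: true

# The signing keys to use when acting as a trusted key server. If not specified
# defaults to the server signing key.
#
# Can contain multiple keys, one per line.
#
#key_server_signing_keys_path: "key_server_signing_keys.key"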
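# Enable SAML2 for registration and login. Uses pysaml2.
#
# At least one of `sp_config` or `config_path` must be set in this section to
# enable SAML login.
#
# (You will probably also want to set the following options to `false` to
# disable the regular login/registration flows:
#   * enable_registration
#   * password_config.enabled
# )
#
# Once SAML support is enabled, a metadata file will be exposed at
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
# use to configure your SAML IdP with. Alternatively, you can manually configure
# the IdP to use an ACS location of
# https://<server>:<port>/_matrix/saml2/authn_response.
#
saml2_config:
  # `sp_config` is the configuration for the pysaml2 Service Provider.
  # See pysaml2 docs for format of config.
  #
  # Default values will be used for the 'entityid' and 'service' settings,
  # so it is not normally necessary to specify them unless you need to
  # override them.
  #
  #sp_config:
  #  # point this to the IdP's metadata. You can use either a local file or
  #  # (preferably) a URL.
  #  # NOTE(review): the metadata carries the IdP's signing certificate,
  #  # so fetch it over HTTPS from a host you control or trust.
  #  metadata:
  #    #local: ["saml2/idp.xml"]
  #    remote:
  #      - url: https://our_idp/metadata.xml
  #
  #  # By default, the user has to go to our login page first. If you'd like
  #  # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
  #  # 'service.sp' section:
  #  # NOTE(review): unsolicited responses are not tied to a login request
  #  # issued by this server; leave this unset unless IdP-initiated login
  #  # is actually required.
  #  #
  #  #service:
  #  #  sp:
  #  #    allow_unsolicited: true
  #
  #  # The examples below are just used to generate our metadata xml, and you
  #  # may well not need them, depending on your setup. Alternatively you
  #  # may need a whole lot more detail - see the pysaml2 docs!
  #
  #  description: ["My awesome SP", "en"]
  #  name: ["Test SP", "en"]
  #
  #  organization:
  #    name: Example com
  #    display_name:
  #      - ["Example co", "en"]
  #    url: "http://example.com"
  #
  #  contact_person:
  #    - given_name: Bob
  #      sur_name: "the Sysadmin"
  #      email_address: ["admin@example.com"]
  #      contact_type: technical

  # Instead of putting the config inline as above, you can specify a
  # separate pysaml2 configuration file:
  #
  #config_path: "CONFDIR/sp_conf.py"

  # the lifetime of a SAML session. This defines how long a user has to
  # complete the authentication process, if allow_unsolicited is unset.
  # The default is 5 minutes.
  #
  #saml_session_lifetime: 5m

  # The SAML attribute (after mapping via the attribute maps) to use to derive
  # the Matrix ID from. 'uid' by default.
  #
  # NOTE(review): whichever attribute is chosen becomes the account
  # identifier, so it should be unique per user and not editable by the
  # user at the IdP.
  #
  #mxid_source_attribute: displayName

  # The mapping system to use for mapping the saml attribute onto a matrix ID.
  # Options include:
  #  * 'hexencode' (which maps unpermitted characters to '=xx')
  #  * 'dotreplace' (which replaces unpermitted characters with '.').
  # The default is 'hexencode'.
  #
  #mxid_mapping: dotreplace

  # In previous versions of synapse, the mapping from SAML attribute to MXID was
  # always calculated dynamically rather than stored in a table. For backwards-
  # compatibility, we will look for user_ids matching such a pattern before
  # creating a new account.
  #
  # This setting controls the SAML attribute which will be used for this
  # backwards-compatibility lookup. Typically it should be 'uid', but if the
  # attribute maps are changed, it may be necessary to change it.
  #
  # The default is 'uid'.
  #
  #grandfathered_mxid_source_attribute: upn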
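# Enable CAS for registration and login.
#cas_config:
#  enabled: true
#  server_url: "https://cas-server.com"
#  service_url: "https://homeserver.domain.com:8448"
#  #required_attributes:
#  #  name: value


# The JWT needs to contain a globally unique "sub" (subject) claim.
#
# NOTE(review): with HS256 the 'secret' below is the only thing that
# authenticates a token, so anyone holding it can mint a login for any
# user. Use a long random value in place of the example string and keep
# it out of shared copies of this file.
#
# jwt_config:
#   enabled: true
#   secret: "a secret"
#   algorithm: "HS256"


# Enable password for login.
password_config:
  enabled: true
  # Uncomment and change to a secret random string for extra security.
  # DO NOT CHANGE THIS AFTER INITIAL SETUP!
  #pepper: ""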
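# Enable sending emails for notification events
# Defining a custom URL for Riot is only needed if email notifications
# should contain links to a self-hosted installation of Riot; when set
# the "app_name" setting is ignored.
#
# If your SMTP server requires authentication, the optional smtp_user &
# smtp_pass variables should be used
#
# NOTE(review): when smtp_user/smtp_pass are set and smtp_host is not
# local, set require_transport_security to true so the credentials are
# not sent over an unencrypted connection.
#
#email:
#  enable_notifs: false
#  smtp_host: "localhost"
#  smtp_port: 25
#  smtp_user: "exampleusername"
#  smtp_pass: "examplepassword"
#  require_transport_security: false
#  notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
#  app_name: Matrix
#  template_dir: res/templates
#  notif_template_html: notif_mail.html
#  notif_template_text: notif_mail.txt
#  notif_for_new_users: true
#  riot_base_url: "http://localhost/riot"


# NOTE(review): the example uses ldap:// on port 389 with start_tls
# enabled; keep start_tls on (or use an LDAPS URI) so user passwords and
# any bind_password are not sent to the directory in cleartext.
# password_providers:
#   - module: "ldap_auth_provider.LdapAuthProvider"
#     config:
#       enabled: true
#       uri: "ldap://ldap.example.com:389"
#       start_tls: true
#       base: "ou=users,dc=example,dc=com"
#       attributes:
#         uid: "cn"
#         mail: "email"
#         name: "givenName"
#       #bind_dn:
#       #bind_password:
#       #filter: "(objectClass=posixAccount)"


# Clients requesting push notifications can either have the body of
# the message sent in the notification poke along with other details
# like the sender, or just the event ID and room ID (`event_id_only`).
# If clients choose the former, this option controls whether the
# notification request includes the content of the event (other details
# like the sender are still included). For `event_id_only` push, it
# has no effect.
#
# For modern android devices the notification content will still appear
# because it is loaded by the app. iPhone, however will send a
# notification saying only that a message arrived and who it came from.
#
#push:
#  include_content: true


# spam_checker:
#   module: "my_custom_project.SuperSpamChecker"
#   config:
#     example_option: 'things'


# Whether to allow non server admins to create groups on this server
enable_group_creation: false

# If enabled, non server admins can only create groups with local parts
# starting with this prefix
# group_creation_prefix: "unofficial/"


# User Directory configuration
#
# 'search_all_users' defines whether to search all users visible to your HS
# when searching the user directory, rather than limiting to users visible
# in public rooms. Defaults to false. If you set it True, you'll have to run
# UPDATE user_directory_stream_pos SET stream_id = NULL;
# on your database to tell it to rebuild the user_directory search indexes.
#
#user_directory:
#  search_all_users: false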