|
|
|
@@ -320,22 +320,27 @@ listeners: |
|
|
|
# Used by phonehome stats to group together related servers. |
|
|
|
#server_context: context |
|
|
|
|
|
|
|
# Resource-constrained homeserver Settings |
|
|
|
# Resource-constrained homeserver settings |
|
|
|
# |
|
|
|
# If limit_remote_rooms.enabled is True, the room complexity will be |
|
|
|
# checked before a user joins a new remote room. If it is above |
|
|
|
# limit_remote_rooms.complexity, it will disallow joining or |
|
|
|
# instantly leave. |
|
|
|
# When this is enabled, the room "complexity" will be checked before a user |
|
|
|
# joins a new remote room. If it is above the complexity limit, the server will |
|
|
|
# disallow joining, or will instantly leave. |
|
|
|
# |
|
|
|
# limit_remote_rooms.complexity_error can be set to customise the text |
|
|
|
# displayed to the user when a room above the complexity threshold has |
|
|
|
# its join cancelled. |
|
|
|
# Room complexity is an arbitrary measure based on factors such as the number of |
|
|
|
# users in the room. |
|
|
|
# |
|
|
|
# Uncomment the below lines to enable: |
|
|
|
#limit_remote_rooms: |
|
|
|
# enabled: True |
|
|
|
# complexity: 1.0 |
|
|
|
# complexity_error: "This room is too complex." |
|
|
|
limit_remote_rooms: |
|
|
|
# Uncomment to enable room complexity checking. |
|
|
|
# |
|
|
|
#enabled: true |
|
|
|
|
|
|
|
# the limit above which rooms cannot be joined. The default is 1.0. |
|
|
|
# |
|
|
|
#complexity: 0.5 |
|
|
|
|
|
|
|
# override the error which is returned when the room is too complex. |
|
|
|
# |
|
|
|
#complexity_error: "This room is too complex." |
|
|
|
|
|
|
|
# Whether to require a user to be in the room to add an alias to it. |
|
|
|
# Defaults to 'true'. |
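Review bot: `limit_remote_rooms:` at the top of this hunk has every sub-key commented out, so the rendered file parses that section as `null` rather than as an empty mapping (yamllint's empty-values rule flags exactly this shape). That is harmless only if Synapse's config loader treats a null section like a missing one — I believe it does, but it is worth confirming against the Synapse version the role targets, since a loader that iterates the section would fail on `None`. The same pattern appears in later hunks for `per_cache_factors:` and `sso:`. If the intent is to mirror upstream's sample config verbatim, a one-line comment above the key, `# NOTE: parses as null until a sub-key below is uncommented; relies on Synapse accepting a null section`, would spare the next reader the surprise.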
|
|
|
@@ -605,6 +610,50 @@ acme: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Caching ## |
|
|
|
|
|
|
|
# Caching can be configured through the following options. |
|
|
|
# |
|
|
|
# A cache 'factor' is a multiplier that can be applied to each of |
|
|
|
# Synapse's caches in order to increase or decrease the maximum |
|
|
|
# number of entries that can be stored. |
|
|
|
|
|
|
|
# The number of events to cache in memory. Not affected by |
|
|
|
# caches.global_factor. |
|
|
|
# |
|
|
|
event_cache_size: "{{ matrix_synapse_event_cache_size }}" |
|
|
|
|
|
|
|
caches: |
|
|
|
# Controls the global cache factor, which is the default cache factor |
|
|
|
# for all caches if a specific factor for that cache is not otherwise |
|
|
|
# set. |
|
|
|
# |
|
|
|
# This can also be set by the "SYNAPSE_CACHE_FACTOR" environment |
|
|
|
# variable. Setting by environment variable takes priority over |
|
|
|
# setting through the config file. |
|
|
|
# |
|
|
|
# Defaults to 0.5, which will half the size of all caches. |
|
|
|
# |
|
|
|
global_factor: {{ matrix_synapse_caches_global_factor }} |
|
|
|
|
|
|
|
# A dictionary of cache name to cache factor for that individual |
|
|
|
# cache. Overrides the global cache factor for a given cache. |
|
|
|
# |
|
|
|
# These can also be set through environment variables comprised |
|
|
|
# of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital |
|
|
|
# letters and underscores. Setting by environment variable |
|
|
|
# takes priority over setting through the config file. |
|
|
|
# Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 |
|
|
|
# |
|
|
|
# Some caches have '*' and other characters that are not |
|
|
|
# alphanumeric or underscores. These caches can be named with or |
|
|
|
# without the special characters stripped. For example, to specify |
|
|
|
# the cache factor for `*stateGroupCache*` via an environment |
|
|
|
# variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. |
|
|
|
# |
|
|
|
per_cache_factors: |
|
|
|
#get_users_who_share_room_with_user: 2.0 |
|
|
|
|
|
|
|
## Database ## |
|
|
|
|
|
|
|
database: |
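Review bot: `global_factor: {{ matrix_synapse_caches_global_factor }}` is the only templated scalar in this diff rendered bare, while `report_stats` and `spam_checker` elsewhere in the same change go through `|to_json`. A bare render means an empty or undefined variable yields `global_factor:` (null), and a string value becomes an unquoted scalar whose type is decided by the YAML parser's implicit typing rather than by the role; `global_factor: {{ matrix_synapse_caches_global_factor|to_json }}` renders a numeric value identically and renders a string quoted, so the consumer's own type check (presumably Synapse rejects a non-numeric factor) sees the real value. Whether the role's defaults can ever leave the variable empty I cannot tell from this hunk. `per_cache_factors:` below it is likewise a null mapping until one of its commented entries is enabled.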
|
|
|
@@ -618,10 +667,6 @@ database: |
|
|
|
cp_min: 5 |
|
|
|
cp_max: 10 |
|
|
|
|
|
|
|
# Number of events to cache in memory. |
|
|
|
# |
|
|
|
event_cache_size: "{{ matrix_synapse_event_cache_size }}" |
|
|
|
|
|
|
|
|
|
|
|
## Logging ## |
|
|
|
|
|
|
|
@@ -884,25 +929,28 @@ url_preview_accept_language: |
|
|
|
|
|
|
|
|
|
|
|
## Captcha ## |
|
|
|
# See docs/CAPTCHA_SETUP for full details of configuring this. |
|
|
|
# See docs/CAPTCHA_SETUP.md for full details of configuring this. |
|
|
|
|
|
|
|
# This homeserver's ReCAPTCHA public key. |
|
|
|
# This homeserver's ReCAPTCHA public key. Must be specified if |
|
|
|
# enable_registration_captcha is enabled. |
|
|
|
# |
|
|
|
#recaptcha_public_key: "YOUR_PUBLIC_KEY" |
|
|
|
|
|
|
|
# This homeserver's ReCAPTCHA private key. |
|
|
|
# This homeserver's ReCAPTCHA private key. Must be specified if |
|
|
|
# enable_registration_captcha is enabled. |
|
|
|
# |
|
|
|
#recaptcha_private_key: "YOUR_PRIVATE_KEY" |
|
|
|
|
|
|
|
# Enables ReCaptcha checks when registering, preventing signup |
|
|
|
# Uncomment to enable ReCaptcha checks when registering, preventing signup |
|
|
|
# unless a captcha is answered. Requires a valid ReCaptcha |
|
|
|
# public/private key. |
|
|
|
# public/private key. Defaults to 'false'. |
|
|
|
# |
|
|
|
#enable_registration_captcha: false |
|
|
|
#enable_registration_captcha: true |
|
|
|
|
|
|
|
# The API endpoint to use for verifying m.login.recaptcha responses. |
|
|
|
# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". |
|
|
|
# |
|
|
|
#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" |
|
|
|
#recaptcha_siteverify_api: "https://my.recaptcha.site" |
|
|
|
|
|
|
|
|
|
|
|
## TURN ## |
|
|
|
@@ -1182,6 +1230,7 @@ metrics_flags: |
|
|
|
#known_servers: true |
|
|
|
|
|
|
|
# Whether or not to report anonymized homeserver usage statistics. |
|
|
|
# |
|
|
|
report_stats: {{ matrix_synapse_report_stats|to_json }} |
|
|
|
|
|
|
|
# The endpoint to report the anonymized homeserver usage statistics to. |
|
|
|
@@ -1448,6 +1497,94 @@ saml2_config: |
|
|
|
#template_dir: "res/templates" |
|
|
|
|
|
|
|
|
|
|
|
# Enable OpenID Connect for registration and login. Uses authlib. |
|
|
|
# |
|
|
|
oidc_config: |
|
|
|
# enable OpenID Connect. Defaults to false. |
|
|
|
# |
|
|
|
#enabled: true |
|
|
|
|
|
|
|
# use the OIDC discovery mechanism to discover endpoints. Defaults to true. |
|
|
|
# |
|
|
|
#discover: true |
|
|
|
|
|
|
|
# the OIDC issuer. Used to validate tokens and discover the providers endpoints. Required. |
|
|
|
# |
|
|
|
#issuer: "https://accounts.example.com/" |
|
|
|
|
|
|
|
# oauth2 client id to use. Required. |
|
|
|
# |
|
|
|
#client_id: "provided-by-your-issuer" |
|
|
|
|
|
|
|
# oauth2 client secret to use. Required. |
|
|
|
# |
|
|
|
#client_secret: "provided-by-your-issuer" |
|
|
|
|
|
|
|
# auth method to use when exchanging the token. |
|
|
|
# Valid values are "client_secret_basic" (default), "client_secret_post" and "none". |
|
|
|
# |
|
|
|
#client_auth_method: "client_secret_basic" |
|
|
|
|
|
|
|
# list of scopes to ask. This should include the "openid" scope. Defaults to ["openid"]. |
|
|
|
# |
|
|
|
#scopes: ["openid"] |
|
|
|
|
|
|
|
# the oauth2 authorization endpoint. Required if provider discovery is disabled. |
|
|
|
# |
|
|
|
#authorization_endpoint: "https://accounts.example.com/oauth2/auth" |
|
|
|
|
|
|
|
# the oauth2 token endpoint. Required if provider discovery is disabled. |
|
|
|
# |
|
|
|
#token_endpoint: "https://accounts.example.com/oauth2/token" |
|
|
|
|
|
|
|
# the OIDC userinfo endpoint. Required if discovery is disabled and the "openid" scope is not asked. |
|
|
|
# |
|
|
|
#userinfo_endpoint: "https://accounts.example.com/userinfo" |
|
|
|
|
|
|
|
# URI where to fetch the JWKS. Required if discovery is disabled and the "openid" scope is used. |
|
|
|
# |
|
|
|
#jwks_uri: "https://accounts.example.com/.well-known/jwks.json" |
|
|
|
|
|
|
|
# skip metadata verification. Defaults to false. |
|
|
|
# Use this if you are connecting to a provider that is not OpenID Connect compliant. |
|
|
|
# Avoid this in production. |
|
|
|
# |
|
|
|
#skip_verification: false |
|
|
|
|
|
|
|
|
|
|
|
# An external module can be provided here as a custom solution to mapping |
|
|
|
# attributes returned from a OIDC provider onto a matrix user. |
|
|
|
# |
|
|
|
user_mapping_provider: |
|
|
|
# The custom module's class. Uncomment to use a custom module. |
|
|
|
# Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. |
|
|
|
# |
|
|
|
#module: mapping_provider.OidcMappingProvider |
|
|
|
|
|
|
|
# Custom configuration values for the module. Below options are intended |
|
|
|
# for the built-in provider, they should be changed if using a custom |
|
|
|
# module. This section will be passed as a Python dictionary to the |
|
|
|
# module's `parse_config` method. |
|
|
|
# |
|
|
|
# Below is the config of the default mapping provider, based on Jinja2 |
|
|
|
# templates. Those templates are used to render user attributes, where the |
|
|
|
# userinfo object is available through the `user` variable. |
|
|
|
# |
|
|
|
config: |
|
|
|
# name of the claim containing a unique identifier for the user. |
|
|
|
# Defaults to `sub`, which OpenID Connect compliant providers should provide. |
|
|
|
# |
|
|
|
#subject_claim: "sub" |
|
|
|
|
|
|
|
# Jinja2 template for the localpart of the MXID |
|
|
|
# |
|
|
|
localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" |
|
|
|
|
|
|
|
# Jinja2 template for the display name to set on first login. Optional. |
|
|
|
# |
|
|
|
#display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Enable CAS for registration and login. |
|
|
|
# |
|
|
|
@@ -1455,10 +1592,96 @@ saml2_config: |
|
|
|
# enabled: true |
|
|
|
# server_url: "https://cas-server.com" |
|
|
|
# service_url: "https://homeserver.domain.com:8448" |
|
|
|
# #displayname_attribute: name |
|
|
|
# #required_attributes: |
|
|
|
# # name: value |
|
|
|
|
|
|
|
|
|
|
|
# Additional settings to use with single-sign on systems such as SAML2 and CAS. |
|
|
|
# |
|
|
|
sso: |
|
|
|
# A list of client URLs which are whitelisted so that the user does not |
|
|
|
# have to confirm giving access to their account to the URL. Any client |
|
|
|
# whose URL starts with an entry in the following list will not be subject |
|
|
|
# to an additional confirmation step after the SSO login is completed. |
|
|
|
# |
|
|
|
# WARNING: An entry such as "https://my.client" is insecure, because it |
|
|
|
# will also match "https://my.client.evil.site", exposing your users to |
|
|
|
# phishing attacks from evil.site. To avoid this, include a slash after the |
|
|
|
# hostname: "https://my.client/". |
|
|
|
# |
|
|
|
# If public_baseurl is set, then the login fallback page (used by clients |
|
|
|
# that don't natively support the required login flows) is whitelisted in |
|
|
|
# addition to any URLs in this list. |
|
|
|
# |
|
|
|
# By default, this list is empty. |
|
|
|
# |
|
|
|
#client_whitelist: |
|
|
|
# - https://riot.im/develop |
|
|
|
# - https://my.custom.client/ |
|
|
|
|
|
|
|
# Directory in which Synapse will try to find the template files below. |
|
|
|
# If not set, default templates from within the Synapse package will be used. |
|
|
|
# |
|
|
|
# DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. |
|
|
|
# If you *do* uncomment it, you will need to make sure that all the templates |
|
|
|
# below are in the directory. |
|
|
|
# |
|
|
|
# Synapse will look for the following templates in this directory: |
|
|
|
# |
|
|
|
# * HTML page for a confirmation step before redirecting back to the client |
|
|
|
# with the login token: 'sso_redirect_confirm.html'. |
|
|
|
# |
|
|
|
# When rendering, this template is given three variables: |
|
|
|
# * redirect_url: the URL the user is about to be redirected to. Needs |
|
|
|
# manual escaping (see |
|
|
|
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). |
|
|
|
# |
|
|
|
# * display_url: the same as `redirect_url`, but with the query |
|
|
|
# parameters stripped. The intention is to have a |
|
|
|
# human-readable URL to show to users, not to use it as |
|
|
|
# the final address to redirect to. Needs manual escaping |
|
|
|
# (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). |
|
|
|
# |
|
|
|
# * server_name: the homeserver's name. |
|
|
|
# |
|
|
|
# * HTML page which notifies the user that they are authenticating to confirm |
|
|
|
# an operation on their account during the user interactive authentication |
|
|
|
# process: 'sso_auth_confirm.html'. |
|
|
|
# |
|
|
|
# When rendering, this template is given the following variables: |
|
|
|
# * redirect_url: the URL the user is about to be redirected to. Needs |
|
|
|
# manual escaping (see |
|
|
|
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). |
|
|
|
# |
|
|
|
# * description: the operation which the user is being asked to confirm |
|
|
|
# |
|
|
|
# * HTML page shown after a successful user interactive authentication session: |
|
|
|
# 'sso_auth_success.html'. |
|
|
|
# |
|
|
|
# Note that this page must include the JavaScript which notifies of a successful authentication |
|
|
|
# (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). |
|
|
|
# |
|
|
|
# This template has no additional variables. |
|
|
|
# |
|
|
|
# * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) |
|
|
|
# attempts to login: 'sso_account_deactivated.html'. |
|
|
|
# |
|
|
|
# This template has no additional variables. |
|
|
|
# |
|
|
|
# * HTML page to display to users if something goes wrong during the |
|
|
|
# OpenID Connect authentication process: 'sso_error.html'. |
|
|
|
# |
|
|
|
# When rendering, this template is given two variables: |
|
|
|
# * error: the technical name of the error |
|
|
|
# * error_description: a human-readable message for the error |
|
|
|
# |
|
|
|
# You can see the default templates at: |
|
|
|
# https://github.com/matrix-org/synapse/tree/master/synapse/res/templates |
|
|
|
# |
|
|
|
#template_dir: "res/templates" |
|
|
|
|
|
|
|
|
|
|
|
# The JWT needs to contain a globally unique "sub" (subject) claim. |
|
|
|
# |
|
|
|
#jwt_config: |
|
|
|
@@ -1501,8 +1724,8 @@ email: |
|
|
|
# Username/password for authentication to the SMTP server. By default, no |
|
|
|
# authentication is attempted. |
|
|
|
# |
|
|
|
# smtp_user: "exampleusername" |
|
|
|
# smtp_pass: "examplepassword" |
|
|
|
#smtp_user: "exampleusername" |
|
|
|
#smtp_pass: "examplepassword" |
|
|
|
|
|
|
|
# Uncomment the following to require TLS transport security for SMTP. |
|
|
|
# By default, Synapse will connect over plain text, and will then switch to |
|
|
|
@@ -1681,10 +1904,17 @@ push: |
|
|
|
include_content: {{ matrix_synapse_push_include_content|to_json }} |
|
|
|
|
|
|
|
|
|
|
|
#spam_checker: |
|
|
|
# module: "my_custom_project.SuperSpamChecker" |
|
|
|
# config: |
|
|
|
# example_option: 'things' |
|
|
|
# Spam checkers are third-party modules that can block specific actions |
|
|
|
# of local users, such as creating rooms and registering undesirable |
|
|
|
# usernames, as well as remote users by redacting incoming events. |
|
|
|
# |
|
|
|
# spam_checker: |
|
|
|
#- module: "my_custom_project.SuperSpamChecker" |
|
|
|
# config: |
|
|
|
# example_option: 'things' |
|
|
|
#- module: "some_other_project.BadEventStopper" |
|
|
|
# config: |
|
|
|
# example_stop_events_from: ['@bad:example.com'] |
|
|
|
spam_checker: {{ matrix_synapse_spam_checker|to_json }} |
|
|
|
|
|
|
|
# Uncomment to allow non-server-admin users to create groups on this server |
|
|
|
|