homeserver.yaml 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614
  1. # vim:ft=yaml
  2. # PEM encoded X509 certificate for TLS.
  3. # You can replace the self-signed certificate that synapse
  4. # autogenerates on launch with your own SSL certificate + key pair
  5. # if you like. Any required intermediary certificates can be
  6. # appended after the primary certificate in hierarchical order.
  7. tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
  8. # PEM encoded private key for TLS
  9. tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
  10. # Don't bind to the https port
  11. no_tls: False
  12. # List of allowed TLS fingerprints for this server to publish along
  13. # with the signing keys for this server. Other matrix servers that
  14. # make HTTPS requests to this server will check that the TLS
  15. # certificates returned by this server match one of the fingerprints.
  16. #
  17. # Synapse automatically adds the fingerprint of its own certificate
  18. # to the list. So if federation traffic is handled directly by synapse
  19. # then no modification to the list is required.
  20. #
  21. # If synapse is run behind a load balancer that handles the TLS then it
  22. # will be necessary to add the fingerprints of the certificates used by
  23. # the loadbalancers to this list if they are different to the one
  24. # synapse is using.
  25. #
  26. # Homeservers are permitted to cache the list of TLS fingerprints
  27. # returned in the key responses up to the "valid_until_ts" returned in
  28. # key. It may be necessary to publish the fingerprints of a new
  29. # certificate and wait until the "valid_until_ts" of the previous key
  30. # responses have passed before deploying it.
  31. #
  32. # You can calculate a fingerprint from a given TLS listener via:
  33. # openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
  34. # openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
  35. # or by checking matrix.org/federationtester/api/report?server_name=$host
  36. #
  37. tls_fingerprints: []
  38. # tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
  39. ## Server ##
  40. # When running as a daemon, the file to store the pid in
  41. pid_file: "/var/run/matrix-synapse.pid"
  42. # CPU affinity mask. Setting this restricts the CPUs on which the
  43. # process will be scheduled. It is represented as a bitmask, with the
  44. # lowest order bit corresponding to the first logical CPU and the
  45. # highest order bit corresponding to the last logical CPU. Not all CPUs
  46. # may exist on a given system but a mask may specify more CPUs than are
  47. # present.
  48. #
  49. # For example:
  50. # 0x00000001 is processor #0,
  51. # 0x00000003 is processors #0 and #1,
  52. # 0xFFFFFFFF is all processors (#0 through #31).
  53. #
  54. # Pinning a Python process to a single CPU is desirable, because Python
  55. # is inherently single-threaded due to the GIL, and can suffer a
  56. # 30-40% slowdown due to cache blow-out and thread context switching
  57. # if the scheduler happens to schedule the underlying threads across
  58. # different cores. See
  59. # https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/.
  60. #
  61. # cpu_affinity: 0xFFFFFFFF
  62. # The path to the web client which will be served at /_matrix/client/
  63. # if 'webclient' is configured under the 'listeners' configuration.
  64. #
  65. # web_client_location: "/path/to/web/root"
  66. # The public-facing base URL for the client API (not including _matrix/...)
  67. # public_baseurl: https://example.com:8448/
  68. # Set the soft limit on the number of file descriptors synapse can use
  69. # Zero is used to indicate synapse should set the soft limit to the
  70. # hard limit.
  71. soft_file_limit: 0
  72. # The GC threshold parameters to pass to `gc.set_threshold`, if defined
  73. # gc_thresholds: [700, 10, 10]
  74. # Set the limit on the returned events in the timeline in the get
  75. # and sync operations. The default value is -1, means no upper limit.
  76. # filter_timeline_limit: 5000
  77. # Whether room invites to users on this server should be blocked
  78. # (except those sent by local server admins). The default is False.
  79. # block_non_admin_invites: True
  80. # Restrict federation to the following whitelist of domains.
  81. # N.B. we recommend also firewalling your federation listener to limit
  82. # inbound federation traffic as early as possible, rather than relying
  83. # purely on this application-layer restriction. If not specified, the
  84. # default is to whitelist everything.
  85. #
  86. # federation_domain_whitelist:
  87. # - lon.example.com
  88. # - nyc.example.com
  89. # - syd.example.com
  90. # List of ports that Synapse should listen on, their purpose and their
  91. # configuration.
  92. listeners:
  93. # Main HTTPS listener
  94. # For when matrix traffic is sent directly to synapse.
  95. -
  96. # The port to listen for HTTPS requests on.
  97. port: 8448
  98. # Local addresses to listen on.
  99. # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6
  100. # addresses by default. For most other OSes, this will only listen
  101. # on IPv6.
  102. bind_addresses:
  103. - '::'
  104. - '0.0.0.0'
  105. # This is a 'http' listener, allows us to specify 'resources'.
  106. type: http
  107. tls: true
  108. # Use the X-Forwarded-For (XFF) header as the client IP and not the
  109. # actual client IP.
  110. x_forwarded: false
  111. # List of HTTP resources to serve on this listener.
  112. resources:
  113. -
  114. # List of resources to host on this listener.
  115. names:
  116. - client # The client-server APIs, both v1 and v2
  117. - webclient # The bundled webclient.
  118. # Should synapse compress HTTP responses to clients that support it?
  119. # This should be disabled if running synapse behind a load balancer
  120. # that can do automatic compression.
  121. compress: true
  122. - names: [federation] # Federation APIs
  123. compress: false
  124. # optional list of additional endpoints which can be loaded via
  125. # dynamic modules
  126. # additional_resources:
  127. # "/_matrix/my/custom/endpoint":
  128. # module: my_module.CustomRequestHandler
  129. # config: {}
  130. # Unsecure HTTP listener,
  131. # For when matrix traffic passes through loadbalancer that unwraps TLS.
  132. - port: 8008
  133. tls: false
  134. bind_addresses: ['::', '0.0.0.0']
  135. type: http
  136. x_forwarded: false
  137. resources:
  138. - names: [client, webclient]
  139. compress: true
  140. - names: [federation]
  141. compress: false
  142. # Turn on the twisted ssh manhole service on localhost on the given
  143. # port.
  144. # - port: 9000
  145. # bind_addresses: ['::1', '127.0.0.1']
  146. # type: manhole
  147. # Database configuration
  148. database:
  149. # The database engine name
  150. name: "sqlite3"
  151. # Arguments to pass to the engine
  152. args:
  153. # Path to the database
  154. database: "/var/lib/matrix-synapse/homeserver.db"
  155. # Number of events to cache in memory.
  156. event_cache_size: "10K"
  157. # A yaml python logging config file
  158. log_config: "/etc/matrix-synapse/log.yaml"
  159. ## Ratelimiting ##
  160. # Number of messages a client can send per second
  161. rc_messages_per_second: 0.2
  162. # Number of message a client can send before being throttled
  163. rc_message_burst_count: 10.0
  164. # The federation window size in milliseconds
  165. federation_rc_window_size: 1000
  166. # The number of federation requests from a single server in a window
  167. # before the server will delay processing the request.
  168. federation_rc_sleep_limit: 10
  169. # The duration in milliseconds to delay processing events from
  170. # remote servers by if they go over the sleep limit.
  171. federation_rc_sleep_delay: 500
  172. # The maximum number of concurrent federation requests allowed
  173. # from a single server
  174. federation_rc_reject_limit: 50
  175. # The number of federation requests to concurrently process from a
  176. # single server
  177. federation_rc_concurrent: 3
  178. # Directory where uploaded images and attachments are stored.
  179. media_store_path: "/var/lib/matrix-synapse/media"
  180. # Media storage providers allow media to be stored in different
  181. # locations.
  182. # media_storage_providers:
  183. # - module: file_system
  184. # # Whether to write new local files.
  185. # store_local: false
  186. # # Whether to write new remote media
  187. # store_remote: false
  188. # # Whether to block upload requests waiting for write to this
  189. # # provider to complete
  190. # store_synchronous: false
  191. # config:
  192. # directory: /mnt/some/other/directory
  193. # Directory where in-progress uploads are stored.
  194. uploads_path: "/var/lib/matrix-synapse/uploads"
  195. # The largest allowed upload size in bytes
  196. max_upload_size: "10M"
  197. # Maximum number of pixels that will be thumbnailed
  198. max_image_pixels: "32M"
  199. # Whether to generate new thumbnails on the fly to precisely match
  200. # the resolution requested by the client. If true then whenever
  201. # a new resolution is requested by the client the server will
  202. # generate a new thumbnail. If false the server will pick a thumbnail
  203. # from a precalculated list.
  204. dynamic_thumbnails: false
  205. # List of thumbnail to precalculate when an image is uploaded.
  206. thumbnail_sizes:
  207. - width: 32
  208. height: 32
  209. method: crop
  210. - width: 96
  211. height: 96
  212. method: crop
  213. - width: 320
  214. height: 240
  215. method: scale
  216. - width: 640
  217. height: 480
  218. method: scale
  219. - width: 800
  220. height: 600
  221. method: scale
  222. # Is the preview URL API enabled? If enabled, you *must* specify
  223. # an explicit url_preview_ip_range_blacklist of IPs that the spider is
  224. # denied from accessing.
  225. url_preview_enabled: False
  226. # List of IP address CIDR ranges that the URL preview spider is denied
  227. # from accessing. There are no defaults: you must explicitly
  228. # specify a list for URL previewing to work. You should specify any
  229. # internal services in your network that you do not want synapse to try
  230. # to connect to, otherwise anyone in any Matrix room could cause your
  231. # synapse to issue arbitrary GET requests to your internal services,
  232. # causing serious security issues.
  233. #
  234. # url_preview_ip_range_blacklist:
  235. # - '127.0.0.0/8'
  236. # - '10.0.0.0/8'
  237. # - '172.16.0.0/12'
  238. # - '192.168.0.0/16'
  239. # - '100.64.0.0/10'
  240. # - '169.254.0.0/16'
  241. #
  242. # List of IP address CIDR ranges that the URL preview spider is allowed
  243. # to access even if they are specified in url_preview_ip_range_blacklist.
  244. # This is useful for specifying exceptions to wide-ranging blacklisted
  245. # target IP ranges - e.g. for enabling URL previews for a specific private
  246. # website only visible in your network.
  247. #
  248. # url_preview_ip_range_whitelist:
  249. # - '192.168.1.1'
  250. # Optional list of URL matches that the URL preview spider is
  251. # denied from accessing. You should use url_preview_ip_range_blacklist
  252. # in preference to this, otherwise someone could define a public DNS
  253. # entry that points to a private IP address and circumvent the blacklist.
  254. # This is more useful if you know there is an entire shape of URL that
  255. # you know that will never want synapse to try to spider.
  256. #
  257. # Each list entry is a dictionary of url component attributes as returned
  258. # by urlparse.urlsplit as applied to the absolute form of the URL. See
  259. # https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
  260. # The values of the dictionary are treated as an filename match pattern
  261. # applied to that component of URLs, unless they start with a ^ in which
  262. # case they are treated as a regular expression match. If all the
  263. # specified component matches for a given list item succeed, the URL is
  264. # blacklisted.
  265. #
  266. # url_preview_url_blacklist:
  267. # # blacklist any URL with a username in its URI
  268. # - username: '*'
  269. #
  270. # # blacklist all *.google.com URLs
  271. # - netloc: 'google.com'
  272. # - netloc: '*.google.com'
  273. #
  274. # # blacklist all plain HTTP URLs
  275. # - scheme: 'http'
  276. #
  277. # # blacklist http(s)://www.acme.com/foo
  278. # - netloc: 'www.acme.com'
  279. # path: '/foo'
  280. #
  281. # # blacklist any URL with a literal IPv4 address
  282. # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
  283. # The largest allowed URL preview spidering size in bytes
  284. max_spider_size: "10M"
  285. ## Captcha ##
  286. # See docs/CAPTCHA_SETUP for full details of configuring this.
  287. # This Home Server's ReCAPTCHA public key.
  288. recaptcha_public_key: "YOUR_PUBLIC_KEY"
  289. # This Home Server's ReCAPTCHA private key.
  290. recaptcha_private_key: "YOUR_PRIVATE_KEY"
  291. # Enables ReCaptcha checks when registering, preventing signup
  292. # unless a captcha is answered. Requires a valid ReCaptcha
  293. # public/private key.
  294. enable_registration_captcha: False
  295. # A secret key used to bypass the captcha test entirely.
  296. #captcha_bypass_secret: "YOUR_SECRET_HERE"
  297. # The API endpoint to use for verifying m.login.recaptcha responses.
  298. recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
  299. ## Turn ##
  300. # The public URIs of the TURN server to give to clients
  301. turn_uris: []
  302. # The shared secret used to compute passwords for the TURN server
  303. turn_shared_secret: "YOUR_SHARED_SECRET"
  304. # The Username and password if the TURN server needs them and
  305. # does not use a token
  306. #turn_username: "TURNSERVER_USERNAME"
  307. #turn_password: "TURNSERVER_PASSWORD"
  308. # How long generated TURN credentials last
  309. turn_user_lifetime: "1h"
  310. # Whether guests should be allowed to use the TURN server.
  311. # This defaults to True, otherwise VoIP will be unreliable for guests.
  312. # However, it does introduce a slight security risk as it allows users to
  313. # connect to arbitrary endpoints without having first signed up for a
  314. # valid account (e.g. by passing a CAPTCHA).
  315. turn_allow_guests: False
  316. ## Registration ##
  317. # Enable registration for new users.
  318. enable_registration: False
  319. # The user must provide all of the below types of 3PID when registering.
  320. #
  321. # registrations_require_3pid:
  322. # - email
  323. # - msisdn
  324. # Mandate that users are only allowed to associate certain formats of
  325. # 3PIDs with accounts on this server.
  326. #
  327. # allowed_local_3pids:
  328. # - medium: email
  329. # pattern: ".*@matrix\.org"
  330. # - medium: email
  331. # pattern: ".*@vector\.im"
  332. # - medium: msisdn
  333. # pattern: "\+44"
  334. # If set, allows registration by anyone who also has the shared
  335. # secret, even if registration is otherwise disabled.
  336. # registration_shared_secret: <PRIVATE STRING>
  337. # Set the number of bcrypt rounds used to generate password hash.
  338. # Larger numbers increase the work factor needed to generate the hash.
  339. # The default number is 12 (which equates to 2^12 rounds).
  340. # N.B. that increasing this will exponentially increase the time required
  341. # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
  342. bcrypt_rounds: 12
  343. # Allows users to register as guests without a password/email/etc, and
  344. # participate in rooms hosted on this server which have been made
  345. # accessible to anonymous users.
  346. allow_guest_access: False
  347. # The list of identity servers trusted to verify third party
  348. # identifiers by this server.
  349. trusted_third_party_id_servers:
  350. - matrix.org
  351. - vector.im
  352. - riot.im
  353. # Users who register on this homeserver will automatically be joined
  354. # to these rooms
  355. #auto_join_rooms:
  356. # - "#example:example.com"
  357. ## Metrics ###
  358. # Enable collection and rendering of performance metrics
  359. enable_metrics: False
  360. ## API Configuration ##
  361. # A list of event types that will be included in the room_invite_state
  362. room_invite_state_types:
  363. - "m.room.join_rules"
  364. - "m.room.canonical_alias"
  365. - "m.room.avatar"
  366. - "m.room.name"
  367. # A list of application service config file to use
  368. app_service_config_files: []
  369. # macaroon_secret_key: <PRIVATE STRING>
  370. # Used to enable access token expiration.
  371. expire_access_token: False
  372. ## Signing Keys ##
  373. # Path to the signing key to sign messages with
  374. signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
  375. # The keys that the server used to sign messages with but won't use
  376. # to sign new messages. E.g. it has lost its private key
  377. old_signing_keys: {}
  378. # "ed25519:auto":
  379. # # Base64 encoded public key
  380. # key: "The public part of your old signing key."
  381. # # Millisecond POSIX timestamp when the key expired.
  382. # expired_ts: 123456789123
  383. # How long key response published by this server is valid for.
  384. # Used to set the valid_until_ts in /key/v2 APIs.
  385. # Determines how quickly servers will query to check which keys
  386. # are still valid.
  387. key_refresh_interval: "1d" # 1 Day.
  388. # The trusted servers to download signing keys from.
  389. perspectives:
  390. servers:
  391. "matrix.org":
  392. verify_keys:
  393. "ed25519:auto":
  394. key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
  395. # Enable SAML2 for registration and login. Uses pysaml2
  396. # config_path: Path to the sp_conf.py configuration file
  397. # idp_redirect_url: Identity provider URL which will redirect
  398. # the user back to /login/saml2 with proper info.
  399. # See pysaml2 docs for format of config.
  400. #saml2_config:
  401. # enabled: true
  402. # config_path: "/home/erikj/git/synapse/sp_conf.py"
  403. # idp_redirect_url: "http://test/idp"
  404. # Enable CAS for registration and login.
  405. #cas_config:
  406. # enabled: true
  407. # server_url: "https://cas-server.com"
  408. # service_url: "https://homeserver.domain.com:8448"
  409. # #required_attributes:
  410. # # name: value
  411. # The JWT needs to contain a globally unique "sub" (subject) claim.
  412. #
  413. # jwt_config:
  414. # enabled: true
  415. # secret: "a secret"
  416. # algorithm: "HS256"
  417. # Enable password for login.
  418. password_config:
  419. enabled: true
  420. # Uncomment and change to a secret random string for extra security.
  421. # DO NOT CHANGE THIS AFTER INITIAL SETUP!
  422. #pepper: ""
  423. # Enable sending emails for notification events
  424. # Defining a custom URL for Riot is only needed if email notifications
  425. # should contain links to a self-hosted installation of Riot; when set
  426. # the "app_name" setting is ignored.
  427. #
  428. # If your SMTP server requires authentication, the optional smtp_user &
  429. # smtp_pass variables should be used
  430. #
  431. #email:
  432. # enable_notifs: false
  433. # smtp_host: "localhost"
  434. # smtp_port: 25
  435. # smtp_user: "exampleusername"
  436. # smtp_pass: "examplepassword"
  437. # require_transport_security: False
  438. # notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
  439. # app_name: Matrix
  440. # template_dir: res/templates
  441. # notif_template_html: notif_mail.html
  442. # notif_template_text: notif_mail.txt
  443. # notif_for_new_users: True
  444. # riot_base_url: "http://localhost/riot"
  445. # password_providers:
  446. # - module: "ldap_auth_provider.LdapAuthProvider"
  447. # config:
  448. # enabled: true
  449. # uri: "ldap://ldap.example.com:389"
  450. # start_tls: true
  451. # base: "ou=users,dc=example,dc=com"
  452. # attributes:
  453. # uid: "cn"
  454. # mail: "email"
  455. # name: "givenName"
  456. # #bind_dn:
  457. # #bind_password:
  458. # #filter: "(objectClass=posixAccount)"
  459. # Clients requesting push notifications can either have the body of
  460. # the message sent in the notification poke along with other details
  461. # like the sender, or just the event ID and room ID (`event_id_only`).
  462. # If clients choose the former, this option controls whether the
  463. # notification request includes the content of the event (other details
  464. # like the sender are still included). For `event_id_only` push, it
  465. # has no effect.
  466. # For modern android devices the notification content will still appear
  467. # because it is loaded by the app. iPhone, however will send a
  468. # notification saying only that a message arrived and who it came from.
  469. #
  470. #push:
  471. # include_content: true
  472. # spam_checker:
  473. # module: "my_custom_project.SuperSpamChecker"
  474. # config:
  475. # example_option: 'things'
  476. # Whether to allow non server admins to create groups on this server
  477. enable_group_creation: false
  478. # If enabled, non server admins can only create groups with local parts
  479. # starting with this prefix
  480. # group_creation_prefix: "unofficial/"
  481. # User Directory configuration
  482. #
  483. # 'search_all_users' defines whether to search all users visible to your HS
  484. # when searching the user directory, rather than limiting to users visible
  485. # in public rooms. Defaults to false. If you set it True, you'll have to run
  486. # UPDATE user_directory_stream_pos SET stream_id = NULL;
  487. # on your database to tell it to rebuild the user_directory search indexes.
  488. #
  489. #user_directory:
  490. # search_all_users: false