diff --git a/type/__matrix_synapse/files/environment.sh b/type/__matrix_synapse/files/environment.sh deleted file mode 100644 index 99179be..0000000 --- a/type/__matrix_synapse/files/environment.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -cat << EOF -# Specify environment variables used when running Synapse -SYNAPSE_CACHE_FACTOR=$CACHE_FACTOR -EOF diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh index 4d47ed3..e164342 100755 --- a/type/__matrix_synapse/files/homeserver.yaml.sh +++ b/type/__matrix_synapse/files/homeserver.yaml.sh @@ -1,208 +1,68 @@ #!/bin/sh -# NOTE: this template has been generated using the -# matrix-synapse-1.5.1-1.fc31.noarch Fedora package for use with CDIST. +# Note: template originally generated from synapse's 1.26.0 sample config. -generate_extra_settings () { - for line in $EXTRA_SETTINGS; do - echo "$line" - done -} - -generate_database () { - if [ "$DATABASE_ENGINE" = "sqlite3" ]; then - cat << EOF -database: - # The database engine name - name: "$DATABASE_ENGINE" - # Arguments to pass to the engine - args: - # Path to the database - database: "$DATABASE_NAME" -EOF - else cat << EOF -database: - # The database engine name - name: "$DATABASE_ENGINE" - # Arguments to pass to the engine - args: - database: "$DATABASE_NAME" - host: "$DATABASE_HOST" - user: "$DATABASE_USER" - password: "$DATABASE_PASSWORD" -EOF - fi -} +############################################################### +# THIS FILE HAS BEEN GENERATED BY CDIST. DO NOT EDIT BY HAND. # +############################################################### -generate_password_providers () { - if [ "$ENABLE_LDAP_AUTH" = "true" ]; then - cat </'. (Note that +# that will not work unless you configure Synapse or a reverse-proxy to listen +# on port 443.) +# +public_baseurl: "${BASE_URL:?}" # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the 
@@ -212,7 +72,7 @@ public_baseurl: "$BASE_URL"
 # Set to false to disable presence tracking on this homeserver.
 #
-#use_presence: false
+use_presence: ${USE_PRESENCE:?}
 # Whether to require authentication to retrieve profile data (avatars,
 # display names) of other users through the client API. Defaults to
@@ -222,15 +82,23 @@ public_baseurl: "$BASE_URL"
 #
 #require_auth_for_profile_requests: true
-# If set to 'false', requires authentication to access the server's public rooms
-# directory through the client API. Defaults to 'true'.
+# Uncomment to require a user to share a room with another user in order
+# to retrieve their profile information. Only checked on Client-Server
+# requests. Profile requests from other servers should be checked by the
+# requesting server. Defaults to 'false'.
 #
-allow_public_rooms_without_auth: $ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH
+#limit_profile_requests_to_users_who_share_rooms: true
-# If set to 'false', forbids any other homeserver to fetch the server's public
-# rooms directory via federation. Defaults to 'true'.
+# If set to 'true', removes the need for authentication to access the server's
+# public rooms directory through the client API, meaning that anyone can
+# query the room directory. Defaults to 'false'.
 #
-allow_public_rooms_over_federation: $ALLOW_PUBLIC_ROOMS_OVER_FEDERATION
+allow_public_rooms_without_auth: ${ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH}
+
+# If set to 'true', allows any other homeserver to fetch the server's public
+# rooms directory via federation. Defaults to 'false'.
+#
+allow_public_rooms_over_federation: ${ALLOW_PUBLIC_ROOMS_OVER_FEDERATION:?}
 # The default room version for newly created rooms.
 #
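Review bot: `allow_public_rooms_without_auth: ${ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH}` is the one option in this hunk without the `:?` guard that its sibling `allow_public_rooms_over_federation: ${ALLOW_PUBLIC_ROOMS_OVER_FEDERATION:?}` has, so an unset variable renders as a key with an empty value instead of failing at generation time. Synapse appears to treat the resulting null as false, which is the safe direction, but it is an inconsistency worth removing: `allow_public_rooms_without_auth: ${ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH:?}`, or `${ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH:-false}` if the cdist type wants a default. Both options decide whether the room directory is exposed to unauthenticated clients and to other homeservers, so a deliberate value is preferable to an accidental one.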
@@ -240,14 +108,16 @@ allow_public_rooms_over_federation: $ALLOW_PUBLIC_ROOMS_OVER_FEDERATION
 # For example, for room version 1, default_room_version should be set
 # to "1".
 #
-#default_room_version: "4"
+#default_room_version: "6"
 # The GC threshold parameters to pass to \`gc.set_threshold\`, if defined
 #
 #gc_thresholds: [700, 10, 10]
 # Set the limit on the returned events in the timeline in the get
-# and sync operations. The default value is -1, means no upper limit.
+# and sync operations. The default value is 100. -1 means no upper limit.
+#
+# Uncomment the following to increase the limit to 5000.
 #
 #filter_timeline_limit: 5000
@@ -263,39 +133,46 @@ allow_public_rooms_over_federation: $ALLOW_PUBLIC_ROOMS_OVER_FEDERATION # #enable_search: false -# Restrict federation to the following whitelist of domains. -# N.B. we recommend also firewalling your federation listener to limit -# inbound federation traffic as early as possible, rather than relying -# purely on this application-layer restriction. If not specified, the -# default is to whitelist everything. - -$(generate_federation_whitelist) - -#federation_domain_whitelist: -# - lon.example.com -# - nyc.example.com -# - syd.example.com - -# Prevent federation requests from being sent to the following -# blacklist IP address CIDR ranges. If this option is not specified, or -# specified with an empty list, no ip range blacklist will be enforced. +# Prevent outgoing requests from being sent to the following blacklisted IP address +# CIDR ranges. If this option is not specified then it defaults to private IP +# address ranges (see the example below). # -# As of Synapse v1.4.0 this option also affects any outbound requests to identity -# servers provided by user input. +# The blacklist applies to the outbound requests for federation, identity servers, +# push servers, and for checking key validity for third-party invite events. # # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly # listed here, since they correspond to unroutable addresses.) # -federation_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' - - '::1/128' - - 'fe80::/64' - - 'fc00::/7' +# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. 
+# +#ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '192.0.0.0/24' +# - '169.254.0.0/16' +# - '198.18.0.0/15' +# - '192.0.2.0/24' +# - '198.51.100.0/24' +# - '203.0.113.0/24' +# - '224.0.0.0/4' +# - '::1/128' +# - 'fe80::/10' +# - 'fc00::/7' + +# List of IP address CIDR ranges that should be allowed for federation, +# identity servers, push servers, and for checking key validity for +# third-party invite events. This is useful for specifying exceptions to +# wide-ranging blacklisted target IP ranges - e.g. for communication with +# a push server only visible in your network. +# +# This whitelist overrides ip_range_blacklist and defaults to an empty +# list. +# +#ip_range_whitelist: +# - '192.168.1.1' # List of ports that Synapse should listen on, their purpose and their # configuration. @@ -325,7 +202,7 @@ federation_ip_range_blacklist: # names: a list of names of HTTP resources. See below for a list of # valid resource names. # -# compress: set to true to enable HTTP comression for this resource. +# compress: set to true to enable HTTP compression for this resource. # # additional_resources: Only valid for an 'http' listener. A map of # additional endpoints which should be loaded via dynamic modules. @@ -376,16 +253,28 @@ listeners: # If you plan to use a reverse proxy, please see # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. # - - port: 8008 + - port: ${MAIN_LISTENER_PORT:?} tls: false type: http x_forwarded: true bind_addresses: ['::1', '127.0.0.1'] resources: - - names: $(generate_resources) + - names: ${MAIN_LISTENER_RESOURCES:?} compress: false +EOF +if [ -n "$ENABLE_REPLICATION" ]; then + cat << EOF + - port: 9093 + bind_addresses: ['::1', '127.0.0.1'] + type: http + resources: + - names: [replication] +EOF +fi + +cat << EOF # example additional_resources: # #additional_resources: 
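Review bot: The explicit `federation_ip_range_blacklist` list is dropped and its replacement `ip_range_blacklist` is left commented out, so the generated config now relies on Synapse's built-in default to stop outbound federation, identity-server, push and key-validity requests from reaching internal addresses. That default only exists from Synapse v1.25.0, as the hunk's own comment says; on an older package the removed explicit list was the only thing blocking requests to RFC1918 and link-local ranges. Either the cdist type should pin a minimum Synapse version or a comment next to the option should state the dependency, e.g. `# relies on the v1.25.0+ default; older synapse only honours federation_ip_range_blacklist`. If the type already enforces the version this is documentation only.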
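Review bot: The replication listener is emitted whenever `ENABLE_REPLICATION` is non-empty (`if [ -n "$ENABLE_REPLICATION" ]`), so `ENABLE_REPLICATION=false` still opens port 9093, unlike the other booleans in this file which are passed through verbatim via `${VAR:?}`; a value test, `if [ "$ENABLE_REPLICATION" = true ]; then`, keeps the knob consistent with `use_presence` and friends. The listener is bound to loopback only, which is right: the `replication` resource carries no authentication of its own, so its safety rests entirely on the bind address, and that deserves a comment such as `# replication has no auth; must stay on loopback or a private worker network`. The new `- names: ${MAIN_LISTENER_RESOURCES:?}` expects a YAML list literal such as `[client, federation]`; stating that in the header comment would prevent a bare `client` from being parsed as a string.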
@@ -400,6 +289,18 @@ listeners:
 # bind_addresses: ['::1', '127.0.0.1']
 # type: manhole
+# Forward extremities can build up in a room due to networking delays between
+# homeservers. Once this happens in a large room, calculation of the state of
+# that room can become quite expensive. To mitigate this, once the number of
+# forward extremities reaches a given threshold, Synapse will send an
+# org.matrix.dummy_event event, which will reduce the forward extremities
+# in the room.
+#
+# This setting defines the threshold (i.e. number of forward extremities in the
+# room) at which dummy events are sent. The default value is 10.
+#
+#dummy_events_threshold: 5
+
 ## Homeserver blocking ##
@@ -418,7 +319,7 @@ listeners:
 # number of monthly active users.
 #
 # 'limit_usage_by_mau' disables/enables monthly active user blocking. When
-# anabled and a limit is reached the server returns a 'ResourceLimitError'
+# enabled and a limit is reached the server returns a 'ResourceLimitError'
 # with error type Codes.RESOURCE_LIMIT_EXCEEDED
 #
 # 'max_mau_value' is the hard limit of monthly active users above which
@@ -457,22 +358,31 @@ listeners:
 # Used by phonehome stats to group together related servers.
 #server_context: context
-# Resource-constrained Homeserver Settings
+# Resource-constrained homeserver settings
 #
-# If limit_remote_rooms.enabled is True, the room complexity will be
-# checked before a user joins a new remote room. If it is above
-# limit_remote_rooms.complexity, it will disallow joining or
-# instantly leave.
+# When this is enabled, the room "complexity" will be checked before a user
+# joins a new remote room. If it is above the complexity limit, the server will
+# disallow joining, or will instantly leave.
 #
-# limit_remote_rooms.complexity_error can be set to customise the text
-# displayed to the user when a room above the complexity threshold has
-# its join cancelled.
+# Room complexity is an arbitrary measure based on factors such as the number of
+# users in the room.
 #
-# Uncomment the below lines to enable:
-#limit_remote_rooms:
-# enabled: true
-# complexity: 1.0
-# complexity_error: "This room is too complex."
+limit_remote_rooms:
+ # Uncomment to enable room complexity checking.
+ #
+ enabled: ${LIMIT_REMOTE_ROOM_COMPLEXITY:?}
+
+ # the limit above which rooms cannot be joined. The default is 1.0.
+ #
+ complexity: ${REMOTE_ROOM_COMPLEXITY_TRESHOLD:?}
+
+ # override the error which is returned when the room is too complex.
+ #
+ complexity_error: "This room is too complex."
+
+ # allow server admins to join complex rooms. Default is false.
+ #
+ #admins_can_join: true
 # Whether to require a user to be in the room to add an alias to it.
 # Defaults to 'true'.
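Review bot: `complexity: ${REMOTE_ROOM_COMPLEXITY_TRESHOLD:?}` misspells "threshold" in what is now a mandatory variable of the cdist type: every caller must reproduce the typo or generation aborts, and if the type's parameter is spelled `THRESHOLD` this line fails outright. Renaming to `${REMOTE_ROOM_COMPLEXITY_THRESHOLD:?}` before the name becomes an interface is cheaper now than later. `complexity_error: "This room is too complex."` is hard-coded while the two values around it are parameterized; keeping it fixed is fine, but a one-line comment saying so would stop the next reader from hunting for a variable.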
@@ -498,6 +408,103 @@ listeners: # #user_ips_max_age: 14d +# Message retention policy at the server level. +# +# Room admins and mods can define a retention period for their rooms using the +# 'm.room.retention' state event, and server admins can cap this period by setting +# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. +# +# If this feature is enabled, Synapse will regularly look for and purge events +# which are older than the room's maximum retention period. Synapse will also +# filter events received over federation so that events that should have been +# purged are ignored and not stored again. +# +retention: + # The message retention policies feature is disabled by default. Uncomment the + # following line to enable it. + # + enabled: ${ENABLE_MESSAGE_RETENTION_POLICY:?} + + # Default retention policy. If set, Synapse will apply it to rooms that lack the + # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't + # matter much because Synapse doesn't take it into account yet. + # + default_policy: + min_lifetime: 1d + max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?} + + # Retention policy limits. If set, and the state of a room contains a + # 'm.room.retention' event in its state which contains a 'min_lifetime' or a + # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy + # to these limits when running purge jobs. + # + #allowed_lifetime_min: 1d + #allowed_lifetime_max: 1y + + # Server admins can define the settings of the background jobs purging the + # events which lifetime has expired under the 'purge_jobs' section. + # + # If no configuration is provided, a single job will be set up to delete expired + # events in every room daily. + # + # Each job's configuration defines which range of message lifetimes the job + # takes care of. 
For example, if 'shortest_max_lifetime' is '2d' and + # 'longest_max_lifetime' is '3d', the job will handle purging expired events in + # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and + # lower than or equal to 3 days. Both the minimum and the maximum value of a + # range are optional, e.g. a job with no 'shortest_max_lifetime' and a + # 'longest_max_lifetime' of '3d' will handle every room with a retention policy + # which 'max_lifetime' is lower than or equal to three days. + # + # The rationale for this per-job configuration is that some rooms might have a + # retention policy with a low 'max_lifetime', where history needs to be purged + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. + # + # If any purge job is configured, it is strongly recommended to have at least + # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' + # set, or one job without 'shortest_max_lifetime' and one job without + # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if + # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a + # room's policy to these values is done after the policies are retrieved from + # Synapse's database (which is done using the range specified in a purge job's + # configuration). + # + #purge_jobs: + # - longest_max_lifetime: 3d + # interval: 12h + # - shortest_max_lifetime: 3d + # interval: 1d + +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. 
+# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + +# A list of domains that the domain portion of 'next_link' parameters +# must match. +# +# This parameter is optionally provided by clients while requesting +# validation of an email or phone number, and maps to a link that +# users will be automatically redirected to after validation +# succeeds. Clients can make use this parameter to aid the validation +# process. +# +# The whitelist is applied whether the homeserver or an +# identity server is handling validation. +# +# The default value is no whitelist functionality; all domains are +# allowed. Setting this value to an empty list will instead disallow +# all domains. +# +#next_link_domain_whitelist: ["matrix.org"] + ## TLS ## @@ -513,11 +520,11 @@ listeners: # instance, if using certbot, use \`fullchain.pem\` as your certificate, # not \`cert.pem\`). # -#tls_certificate_path: "CONFDIR/SERVERNAME.tls.crt" +tls_certificate_path: "${TLS_CERTIFICATE_PATH:?}" # PEM-encoded private key for TLS # -#tls_private_key_path: "CONFDIR/SERVERNAME.tls.key" +tls_private_key_path: "${TLS_PRIVATE_KEY_PATH:?}" # Whether to verify TLS server certificates for outbound federation requests. # 
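Review bot: `max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?}` aborts generation when the variable is unset even when `enabled` is false, and once the feature is on the `default_policy` applies to every room that has no m.room.retention event, i.e. history is purged server-wide and irreversibly. Unless the cdist type already defaults the variable, a fallback such as `${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:-1y}` or emitting `default_policy` only when the feature is enabled would keep a disabled feature from requiring configuration. A comment above the block, `# purges are irreversible; default_policy hits every room without its own retention event`, would make the blast radius explicit.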
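Review bot: `tls_certificate_path: "${TLS_CERTIFICATE_PATH:?}"` and `tls_private_key_path: "${TLS_PRIVATE_KEY_PATH:?}"` become mandatory, yet the only listener this template emits is `tls: false` on loopback behind a reverse proxy, so Synapse itself will probably never serve the certificate. If the cdist type always provisions these files this is harmless; otherwise consider emitting the two lines only when the paths are set, so proxy-terminated deployments do not have to invent a key pair. Whichever way it goes, the private key must be readable by the synapse user only, which is a property of the file the type manages rather than of this template; a comment such as `# key file must be mode 0600, owned by the synapse user` records the expectation.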
@@ -565,6 +572,11 @@ listeners:
 # ACME support: This will configure Synapse to request a valid TLS certificate
 # for your configured \`server_name\` via Let's Encrypt.
 #
+# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
+# ACME v2. This means that this feature currently won't work with installs set
+# up after November 2019. For more info, and alternative solutions, see
+# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
+#
 # Note that provisioning a certificate in this way requires port 80 to be
 # routed to Synapse so that it can complete the http-01 ACME challenge.
 # By default, if you enable ACME support, Synapse will attempt to listen on
@@ -629,7 +641,7 @@ acme:
 #
 # If unspecified, we will use CONFDIR/client.key.
 #
- account_key_file: "$DATA_DIR/acme_account.key"
+ account_key_file: /etc/synapse/acme_account.key
 # List of allowed TLS fingerprints for this server to publish along
 # with the signing keys for this server. Other matrix servers that
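Review bot: `account_key_file: /etc/synapse/acme_account.key` hard-codes a path under the config directory, where the previous `"$DATA_DIR/acme_account.key"` followed the data directory Synapse writes to; the ACME account key is generated by Synapse at runtime, so the service user would need write access to /etc/synapse for this to work. Given the note added in the same hunk that ACME v1 is deprecated and the feature will not work for newer installs, the value is mostly dead, but if it is kept it should be `account_key_file: "${DATA_DIR:?}/acme_account.key"` or the comment above it should say the config directory must be writable by synapse.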
@@ -659,14 +671,49 @@ acme: #tls_fingerprints: [{"sha256": ""}] +## Federation ## -## Database ## - -$(generate_database) - -# Number of events to cache in memory. +# Restrict federation to the following whitelist of domains. +# N.B. we recommend also firewalling your federation listener to limit +# inbound federation traffic as early as possible, rather than relying +# purely on this application-layer restriction. If not specified, the +# default is to whitelist everything. # -event_cache_size: $EVENT_CACHE_SIZE +#federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com +EOF + +if [ -n "$DISABLE_FEDERATION" ]; then + echo "federation_domain_whitelist: []" +fi + +cat << EOF +# Report prometheus metrics on the age of PDUs being sent to and received from +# the following domains. This can be used to give an idea of "delay" on inbound +# and outbound federation, though be aware that any delay can be due to problems +# at either end or with the intermediate network. +# +# By default, no domains are monitored in this way. +# +#federation_metrics_domains: +# - matrix.org +# - example.com + + +## Caching ## + +# Caching can be configured through the following options. +# +# A cache 'factor' is a multiplier that can be applied to each of +# Synapse's caches in order to increase or decrease the maximum +# number of entries that can be stored. + +# The number of events to cache in memory. Not affected by +# caches.global_factor. +# +event_cache_size: ${EVENT_CACHE_SIZE:?} caches: # Controls the global cache factor, which is the default cache factor @@ -679,7 +726,7 @@ caches: # # Defaults to 0.5, which will half the size of all caches. # - global_factor: $GLOBAL_CACHE_FACTOR + global_factor: ${GLOBAL_CACHE_FACTOR:?} # A dictionary of cache name to cache factor for that individual # cache. Overrides the global cache factor for a given cache. 
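Review bot: `echo "federation_domain_whitelist: []"` is emitted whenever `DISABLE_FEDERATION` is non-empty, so `DISABLE_FEDERATION=false` disables federation; a value test, `if [ "$DISABLE_FEDERATION" = true ]; then`, matches the boolean style used by `${VAR:?}` elsewhere in the file. An empty whitelist only blocks federation in the application layer: the `federation` resource may still be present in `MAIN_LISTENER_RESOURCES`, and the hunk's own comment recommends firewalling the federation listener. A comment next to the echo, `# empty whitelist = no federation; also drop 'federation' from MAIN_LISTENER_RESOURCES and firewall the port`, ties the two together for the operator.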
@@ -699,12 +746,85 @@ caches: per_cache_factors: #get_users_who_share_room_with_user: 2.0 + +## Database ## + +# The 'database' setting defines the database that synapse uses to store all of +# its data. +# +# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or +# 'psycopg2' (for PostgreSQL). +# +# 'args' gives options which are passed through to the database engine, +# except for options starting 'cp_', which are used to configure the Twisted +# connection pool. For a reference to valid arguments, see: +# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect +# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS +# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ +# +# +# Example SQLite configuration: +# +#database: +# name: sqlite3 +# args: +# database: /path/to/homeserver.db +# +# +# Example Postgres configuration: +# +#database: +# name: psycopg2 +# args: +# user: synapse_user +# password: secretpassword +# database: synapse +# host: localhost +# cp_min: 5 +# cp_max: 10 +# +# For more information on using Synapse with Postgres, see \`docs/postgres.md\`. +# +EOF + +case "${DATABASE_ENGINE:?}" in + sqlite3) + cat << EOF +database: + # The database engine name + name: "sqlite3" + # Arguments to pass to the engine + args: + # Path to the database + database: "${DATABASE_NAME:?}" +EOF + ;; + psycopg2) + cat << EOF +database: + # The database engine name + name: "psycopg2" + # Arguments to pass to the engine + args: + database: "${DATABASE_NAME:?}" + host: "${DATABASE_HOST:?}" + user: "${DATABASE_USER:?}" + password: "$DATABASE_PASSWORD" +EOF + ;; + *) + echo "Invalid database engine $DATABASE_ENGINE." 
>&2 + exit 1 + ;; +esac + +cat << EOF ## Logging ## # A yaml python logging config file as described by # https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema # -log_config: "$LOG_CONFIG_PATH" +log_config: "${LOG_CONFIG_PATH:?}" ## Ratelimiting ## @@ -730,13 +850,20 @@ log_config: "$LOG_CONFIG_PATH" # - one for ratelimiting redactions by room admins. If this is not explicitly # set then it uses the same ratelimiting as per rc_message. This is useful # to allow room admins to deal with abuse quickly. +# - two for ratelimiting number of rooms a user can join, "local" for when +# users are joining rooms the server is already in (this is cheap) vs +# "remote" for when users are trying to join rooms not on the server (which +# can be more expensive) # # The defaults are as shown below. # #rc_message: # per_second: 0.2 # burst_count: 10 -# +rc_message: + per_second: ${RC_MESSAGE_PER_SECOND:?} + burst_count: ${RC_MESSAGE_BURST:?} + #rc_registration: # per_second: 0.17 # burst_count: 3 @@ -751,25 +878,29 @@ log_config: "$LOG_CONFIG_PATH" # failed_attempts: # per_second: 0.17 # burst_count: 3 +rc_login: + address: + per_second: ${RC_LOGIN_PER_SECOND:?} + burst_count: ${RC_LOGIN_BURST:?} + account: + per_second: ${RC_LOGIN_PER_SECOND:?} + burst_count: ${RC_LOGIN_BURST:?} + failed_attempts: + per_second: ${RC_LOGIN_PER_SECOND:?} + burst_count: ${RC_LOGIN_BURST:?} # #rc_admin_redaction: # per_second: 1 # burst_count: 50 +# +#rc_joins: +# local: +# per_second: 0.1 +# burst_count: 3 +# remote: +# per_second: 0.01 +# burst_count: 3 -rc_message: - per_second: $RC_MESSAGE_PER_SECOND - burst_count: $RC_MESSAGE_BURST - -rc_login: - address: - per_second: $RC_LOGIN_PER_SECOND - burst_count: $RC_LOGIN_BURST - account: - per_second: $RC_LOGIN_PER_SECOND - burst_count: $RC_LOGIN_BURST - failed_attempts: - per_second: $RC_LOGIN_PER_SECOND - burst_count: $RC_LOGIN_BURST # Ratelimiting settings for incoming federation # 
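Review bot: `password: "$DATABASE_PASSWORD"` splices the secret into a double-quoted YAML scalar without escaping, so a password containing `"` or `\` either breaks the generated file or silently changes the value Synapse presents to PostgreSQL; the same applies to `turn_shared_secret` and `registration_shared_secret` elsewhere in this file. A single-quoted scalar with embedded quotes doubled survives arbitrary input: `password: '$(printf '%s' "$DATABASE_PASSWORD" | sed "s/'/''/g")'`. `password` is also the only psycopg2 argument without `:?`; if the type deliberately allows an empty password for peer/ident authentication, a comment saying so would stop readers from treating it as an oversight.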
@@ -808,34 +939,29 @@ rc_login:
 # Enable the media store service in the Synapse master. Uncomment the
 # following if you are using a separate media store worker.
 #
-#enable_media_repo: false
+enable_media_repo: ${ENABLE_MEDIA_REPO:?}
 # Directory where uploaded images and attachments are stored.
 #
-media_store_path: "$DATA_DIR/media_store"
+media_store_path: "${DATA_DIR:?}/media_store"
 # Media storage providers allow media to be stored in different
 # locations.
 #
 #media_storage_providers:
 # - module: file_system
-# # Whether to write new local files.
+# # Whether to store newly uploaded local files
 # store_local: false
-# # Whether to write new remote media
+# # Whether to store newly downloaded remote files
 # store_remote: false
-# # Whether to block upload requests waiting for write to this
-# # provider to complete
+# # Whether to wait for successful storage for local uploads
 # store_synchronous: false
 # config:
 # directory: /mnt/some/other/directory
-# Directory where in-progress uploads are stored.
-#
-uploads_path: "$DATA_DIR/uploads"
-
 # The largest allowed upload size in bytes
 #
-max_upload_size: "$MAX_UPLOAD_SIZE"
+max_upload_size: "${MAX_UPLOAD_SIZE:?}"
 # Maximum number of pixels that will be thumbnailed
 #
@@ -873,7 +999,7 @@ max_upload_size: "$MAX_UPLOAD_SIZE"
 # 'false' by default: uncomment the following to enable it (and specify a
 # url_preview_ip_range_blacklist blacklist).
 #
-#url_preview_enabled: true
+url_preview_enabled: ${ENABLE_URL_PREVIEW:?}
 # List of IP address CIDR ranges that the URL preview spider is denied
 # from accessing. There are no defaults: you must explicitly
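Review bot: `url_preview_enabled: ${ENABLE_URL_PREVIEW:?}` can now be set to true, but the template leaves `url_preview_ip_range_blacklist` commented out; the surrounding comment says there are no defaults and the list must be given explicitly, and that list is what stops the preview fetcher from being used as an SSRF proxy into loopback, RFC1918 and link-local ranges. As far as I can tell Synapse refuses to start with previews enabled and no blacklist, so the generated config is either rejected or, on a lenient version, unsafe. Emit the blacklist whenever previews are enabled, using the ranges the sample config lists, so turning the feature on cannot silently drop the protection.
```sh
url_preview_enabled: ${ENABLE_URL_PREVIEW:?}
EOF

# Previews are only safe (and only accepted by Synapse) with an explicit
# blacklist of internal ranges; emit it whenever the feature is on.
if [ "$ENABLE_URL_PREVIEW" = true ]; then
  cat << EOF
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '192.0.0.0/24'
  - '169.254.0.0/16'
  - '198.18.0.0/15'
  - '192.0.2.0/24'
  - '198.51.100.0/24'
  - '203.0.113.0/24'
  - '224.0.0.0/4'
  - '::1/128'
  - 'fe80::/10'
  - 'fc00::/7'
EOF
fi

cat << EOF
# … unchanged: url_preview_ip_range_blacklist commentary …
```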
@@ -895,9 +1021,15 @@ max_upload_size: "$MAX_UPLOAD_SIZE"
 # - '172.16.0.0/12'
 # - '192.168.0.0/16'
 # - '100.64.0.0/10'
+# - '192.0.0.0/24'
 # - '169.254.0.0/16'
+# - '198.18.0.0/15'
+# - '192.0.2.0/24'
+# - '198.51.100.0/24'
+# - '203.0.113.0/24'
+# - '224.0.0.0/4'
 # - '::1/128'
-# - 'fe80::/64'
+# - 'fe80::/10'
 # - 'fc00::/7'
 # List of IP address CIDR ranges that the URL preview spider is allowed
@@ -947,39 +1079,73 @@ max_upload_size: "$MAX_UPLOAD_SIZE" # #max_spider_size: 10M +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: +# - en + ## Captcha ## -# See docs/CAPTCHA_SETUP for full details of configuring this. +# See docs/CAPTCHA_SETUP.md for full details of configuring this. -# This Home Server's ReCAPTCHA public key. +# This homeserver's ReCAPTCHA public key. Must be specified if +# enable_registration_captcha is enabled. # #recaptcha_public_key: "YOUR_PUBLIC_KEY" -# This Home Server's ReCAPTCHA private key. +# This homeserver's ReCAPTCHA private key. Must be specified if +# enable_registration_captcha is enabled. # #recaptcha_private_key: "YOUR_PRIVATE_KEY" -# Enables ReCaptcha checks when registering, preventing signup +# Uncomment to enable ReCaptcha checks when registering, preventing signup # unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. +# public/private key. Defaults to 'false'. # -#enable_registration_captcha: false - -# A secret key used to bypass the captcha test entirely. -# -#captcha_bypass_secret: "YOUR_SECRET_HERE" +#enable_registration_captcha: true # The API endpoint to use for verifying m.login.recaptcha responses. +# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". 
# -#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" +#recaptcha_siteverify_api: "https://my.recaptcha.site" ## TURN ## # The public URIs of the TURN server to give to clients -# -turn_uris: $TURN_URIS +EOF + +if [ -n "$TURN_URIS" ]; then + echo "turn_uris:" + for uri in $TURN_URIS; do + echo " - '$uri'" + done +else + echo "# turn_uris: []" +fi + +cat << EOF # The shared secret used to compute passwords for the TURN server # turn_shared_secret: "$TURN_SHARED_SECRET" @@ -992,7 +1158,7 @@ turn_shared_secret: "$TURN_SHARED_SECRET" # How long generated TURN credentials last # -turn_user_lifetime: "$TURN_USER_LIFETIME" +turn_user_lifetime: ${TURN_USER_LIFETIME:?} # Whether guests should be allowed to use the TURN server. # This defaults to True, otherwise VoIP will be unreliable for guests. @@ -1002,6 +1168,7 @@ turn_user_lifetime: "$TURN_USER_LIFETIME" # #turn_allow_guests: true + ## Registration ## # # Registration can be rate-limited using the parameters in the "Ratelimiting" 
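Review bot: `turn_shared_secret: "$TURN_SHARED_SECRET"` is emitted unconditionally, without `:?` and without escaping, so when `TURN_URIS` is empty and `turn_uris` is commented out the file still carries `turn_shared_secret: ""`, and a secret containing `"` breaks the YAML. Moving the line into the `if [ -n "$TURN_URIS" ]` branch and quoting it like the URIs, with embedded `'` doubled, keeps the secret tied to the feature that uses it; note the branch's `for uri in $TURN_URIS` splits on whitespace and would also mangle a URI containing `'`. `url_preview_accept_language:` is left as an uncommented key followed by the commented `# - en`, which parses as null; Synapse seems to fall back to "en" for that, but `#url_preview_accept_language:` preserves the sample's intent without relying on it.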
@@ -1009,28 +1176,11 @@ turn_user_lifetime: "$TURN_USER_LIFETIME"
 # Enable registration for new users.
 #
-enable_registration: $ALLOW_REGISTRATION
+enable_registration: ${ENABLE_REGISTRATIONS:?}
 # Optional account validity configuration. This allows for accounts to be denied
 # any request after a given period.
 #
-# \`\`enabled\`\` defines whether the account validity feature is enabled. Defaults
-# to False.
-#
-# \`\`period\`\` allows setting the period after which an account is valid
-# after its registration. When renewing the account, its validity period
-# will be extended by this amount of time. This parameter is required when using
-# the account validity feature.
-#
-# \`\`renew_at\`\` is the amount of time before an account's expiry date at which
-# Synapse will send an email to the account's email address with a renewal link.
-# This needs the \`\`email\`\` and \`\`public_baseurl\`\` configuration sections to be
-# filled.
-#
-# \`\`renew_email_subject\`\` is the subject of the email sent out with the renewal
-# link. \`\`%(app)s\`\` can be used as a placeholder for the \`\`app_name\`\` parameter
-# from the \`\`email\`\` section.
-#
 # Once this feature is enabled, Synapse will look for registered users without an
 # expiration date at startup and will add one to every account it found using the
 # current settings at that time.
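Review bot: `enable_registration: ${ENABLE_REGISTRATIONS:?}` is the only registration control this template exposes; `enable_registration_captcha` and the `recaptcha_*` keys stay commented out earlier in the file, so a deployment that sets this to true gets open, captcha-less registration with only the `rc_registration` defaults standing between it and bulk signups. Consider exposing `enable_registration_captcha` and the recaptcha keys next to this variable, or at least adding `# open registration without a captcha invites spam signups; see enable_registration_captcha` above the line. The variable was also renamed from `ALLOW_REGISTRATION`, which every existing caller of the type will have to follow.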
@@ -1041,21 +1191,56 @@ enable_registration: $ALLOW_REGISTRATION # date will be randomly selected within a range [now + period - d ; now + period], # where d is equal to 10% of the validity period. # -#account_validity: -# enabled: true -# period: 6w -# renew_at: 1w -# renew_email_subject: "Renew your %(app)s account" -# # Directory in which Synapse will try to find the HTML files to serve to the -# # user when trying to renew an account. Optional, defaults to -# # synapse/res/templates. -# template_dir: "res/templates" -# # HTML to be displayed to the user after they successfully renewed their -# # account. Optional. -# account_renewed_html_path: "account_renewed.html" -# # HTML to be displayed when the user tries to renew an account with an invalid -# # renewal token. Optional. -# invalid_token_html_path: "invalid_token.html" +account_validity: + # The account validity feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # The period after which an account is valid after its registration. When + # renewing the account, its validity period will be extended by this amount + # of time. This parameter is required when using the account validity + # feature. + # + #period: 6w + + # The amount of time before an account's expiry date at which Synapse will + # send an email to the account's email address with a renewal link. By + # default, no such emails are sent. + # + # If you enable this setting, you will also need to fill out the 'email' + # configuration section. You should also check that 'public_baseurl' is set + # correctly. + # + #renew_at: 1w + + # The subject of the email sent out with the renewal link. '%(app)s' can be + # used as a placeholder for the 'app_name' parameter from the 'email' + # section. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + # If this is not set, a default value is used. 
+ # + #renew_email_subject: "Renew your %(app)s account" + + # Directory in which Synapse will try to find templates for the HTML files to + # serve to the user when trying to renew an account. If not set, default + # templates from within the Synapse package will be used. + # + #template_dir: "res/templates" + + # File within 'template_dir' giving the HTML to be displayed to the user after + # they successfully renewed their account. If not set, default text is used. + # + #account_renewed_html_path: "account_renewed.html" + + # File within 'template_dir' giving the HTML to be displayed when the user + # tries to renew an account with an invalid renewal token. If not set, + # default text is used. + # + #invalid_token_html_path: "invalid_token.html" # Time that a user's session remains valid for, after they log in. # 
@@ -1068,24 +1253,59 @@ enable_registration: $ALLOW_REGISTRATION # #session_lifetime: 24h -$(generate_registration_requirements) +# The user must provide all of the below types of 3PID when registering. +# +#registrations_require_3pid: +# - email +# - msisdn +EOF +if [ -n "$REGISTRATION_REQUIRES_EMAIL" ]; then + echo "registrations_require_3pid: [email]" +fi + +cat << EOF # Explicitly disable asking for MSISDNs from the registration # flow (overrides registrations_require_3pid if MSISDNs are set as required) # #disable_msisdn_registration: true -$(generate_allowed_3pid_patterns) +# Mandate that users are only allowed to associate certain formats of +# 3PIDs with accounts on this server. +# +#allowed_local_3pids: +# - medium: email +# pattern: '.*@matrix\.org' +# - medium: email +# pattern: '.*@vector\.im' +# - medium: msisdn +# pattern: '\+44' +EOF +if [ -n "$RESGISTRATION_ALLOWS_EMAIL_PATTERN" ]; then + echo "allowed_local_3pids:" + for pattern in $RESGISTRATION_ALLOWS_EMAIL_PATTERN; do + cat << EOF + - medium: email + pattern: $pattern +EOF + done +fi + +cat << EOF # Enable 3PIDs lookup requests to identity servers from this server. # #enable_3pid_lookup: true # If set, allows registration of standard or admin accounts by anyone who # has the shared secret, even if registration is otherwise disabled. -# -# registration_shared_secret: +EOF +if [ -n "$REGISTRATION_SHARED_SECRET" ]; then + echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'" +fi + +cat << EOF # Set the number of bcrypt rounds used to generate password hash. # Larger numbers increase the work factor needed to generate the hash. # The default number is 12 (which equates to 2^12 rounds). 
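Review bot: `pattern: $pattern` and `registration_shared_secret: '$REGISTRATION_SHARED_SECRET'` splice caller data into YAML unquoted or single-quoted, so a regex starting with `*`, `&` or `!` and a secret containing `'` both break the generated file; quote the pattern (`pattern: '$pattern'`) and double embedded single quotes in the secret. If Synapse matches `allowed_local_3pids` patterns with a start-anchored match, as the `.*@matrix\.org` example in the hunk suggests, a pattern without a trailing `$` also admits `alice@matrix.org.attacker.example`, and the header comment should tell operators to anchor their patterns. The variable name `RESGISTRATION_ALLOWS_EMAIL_PATTERN` carries a typo that is about to become an interface.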
@@ -1097,35 +1317,16 @@ $(generate_allowed_3pid_patterns) # Allows users to register as guests without a password/email/etc, and # participate in rooms hosted on this server which have been made # accessible to anonymous users. -# -allow_guest_access: $ALLOW_GUEST_ACCESS + +allow_guest_access: ${ALLOW_GUEST_ACCESS:?} # The identity server which we suggest that clients should use when users log # in on this server. # -# (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) +# (By default, no suggestion is made, so it is left up to the client.) # #default_identity_server: https://matrix.org -# The list of identity servers trusted to verify third party -# identifiers by this server. -# -# Also defines the ID server which will be called when an account is -# deactivated (one will be picked arbitrarily). -# -# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity -# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a -# background migration script, informing itself that the identity server all of its -# 3PIDs have been bound to is likely one of the below. -# -# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and -# it is now solely used for the purposes of the background migration script, and can be -# removed once it has run. -#trusted_third_party_id_servers: -# - matrix.org -# - vector.im - # Handle threepid (email/phone etc) registration and password resets through a set of # *trusted* identity servers. Note that this allows the configured identity server to # reset passwords for accounts! 
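Review bot: The description above `allow_guest_access` now ends with a blank line where every other description in this template ends with a bare `#` directly before its key (compare `enable_metrics`, `report_stats` and `signing_key_path` in this diff); keeping the `#` line would preserve that convention. The `${ALLOW_GUEST_ACCESS:?}` guard is a good addition, but its failure message is only the shell's generic "parameter null or not set"; a short `${ALLOW_GUEST_ACCESS:?must be true or false}` would tell the operator what is expected.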
@@ -1135,8 +1336,9 @@ allow_guest_access: $ALLOW_GUEST_ACCESS # email will be globally disabled. # # Additionally, if \`msisdn\` is not set, registration and password resets via msisdn -# will be disabled regardless. This is due to Synapse currently not supporting any -# method of sending SMS messages on its own. +# will be disabled regardless, and users will not be able to associate an msisdn +# identifier to their account. This is due to Synapse currently not supporting +# any method of sending SMS messages on its own. # # To enable using an identity server for operations regarding a particular third-party # identifier type, set the value to the URL of that identity server as shown in the 
@@ -1146,29 +1348,127 @@ allow_guest_access: $ALLOW_GUEST_ACCESS # by the Matrix Identity Service API specification: # https://matrix.org/docs/spec/identity_service/latest # -# If a delegate is specified, the config option public_baseurl must also be filled out. -# account_threepid_delegates: - #email: https://example.com # Delegate email sending to example.org + #email: https://example.com # Delegate email sending to example.com #msisdn: http://localhost:8090 # Delegate SMS sending to this local process +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false -$(generate_auto_join_rooms) +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + +# Users who register on this homeserver will automatically be joined +# to these rooms. +# +# By default, any room aliases included in this list will be created +# as a publicly joinable room when the first user registers for the +# homeserver. This behaviour can be customised with the settings below. +# +#auto_join_rooms: +# - "#example:example.com" +EOF + +if [ -n "$AUTO_JOIN_ROOMS" ]; then + echo "auto_join_rooms:" + for room in $AUTO_JOIN_ROOMS; do + cat << EOF + - "$room" +EOF + done +fi + +cat << EOF # Where auto_join_rooms are specified, setting this flag ensures that the # the rooms exist by creating them when the first user on the # homeserver registers. 
+# +# By default the auto-created rooms are publicly joinable from any federated +# server. Use the autocreate_auto_join_rooms_federated and +# autocreate_auto_join_room_preset settings below to customise this behaviour. +# # Setting to false means that if the rooms are not manually created, # users cannot be auto-joined since they do not exist. # -#autocreate_auto_join_rooms: true +# Defaults to true. Uncomment the following line to disable automatically +# creating auto-join rooms. +# +#autocreate_auto_join_rooms: false + +# Whether the auto_join_rooms that are auto-created are available via +# federation. Only has an effect if autocreate_auto_join_rooms is true. +# +# Note that whether a room is federated cannot be modified after +# creation. +# +# Defaults to true: the room will be joinable from other servers. +# Uncomment the following to prevent users from other homeservers from +# joining these rooms. +# +#autocreate_auto_join_rooms_federated: false + +# The room preset to use when auto-creating one of auto_join_rooms. Only has an +# effect if autocreate_auto_join_rooms is true. +# +# This can be one of "public_chat", "private_chat", or "trusted_private_chat". +# If a value of "private_chat" or "trusted_private_chat" is used then +# auto_join_mxid_localpart must also be configured. +# +# Defaults to "public_chat", meaning that the room is joinable by anyone, including +# federated servers if autocreate_auto_join_rooms_federated is true (the default). +# Uncomment the following to require an invitation to join these rooms. +# +#autocreate_auto_join_room_preset: private_chat + +# The local part of the user id which is used to create auto_join_rooms if +# autocreate_auto_join_rooms is true. If this is not provided then the +# initial user account that registers will be used to create the rooms. +# +# The user id is also used to invite new users to any auto-join rooms which +# are set to invite-only. 
+# +# It *must* be configured if autocreate_auto_join_room_preset is set to +# "private_chat" or "trusted_private_chat". +# +# Note that this must be specified in order for new users to be correctly +# invited to any auto-join rooms which have been set to invite-only (either +# at the time of creation or subsequently). +# +# Note that, if the room already exists, this user must be joined and +# have the appropriate permissions to invite new members. +# +#auto_join_mxid_localpart: system + +# When auto_join_rooms is specified, setting this flag to false prevents +# guest accounts from being automatically joined to the rooms. +# +# Defaults to true. +# +#auto_join_rooms_for_guests: false ## Metrics ### # Enable collection and rendering of performance metrics # -enable_metrics: $EXPOSE_METRICS +enable_metrics: ${EXPOSE_METRICS:?} # Enable sentry integration # NOTE: While attempts are made to ensure that the logs don't contain @@ -1184,14 +1484,15 @@ enable_metrics: $EXPOSE_METRICS # enabled by default, either for performance reasons or limited use. # metrics_flags: - # Publish synapse_federation_known_servers, a g auge of the number of + # Publish synapse_federation_known_servers, a gauge of the number of # servers this homeserver knows about, including itself. May cause # performance problems on large homeservers. # #known_servers: true # Whether or not to report anonymized homeserver usage statistics. -report_stats: $REPORT_STATS +# +report_stats: ${REPORT_STATS:?} # The endpoint to report the anonymized homeserver usage statistics to. # Defaults to https://matrix.org/report-usage-stats/push 
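Review bot: The `for room in $AUTO_JOIN_ROOMS` loop spawns a `cat` heredoc per room to emit `  - "$room"`, while the app-service loop later in this diff uses `echo`; `printf '  - "%s"\n' "$room"` does the same in-shell and keeps the two loops in one style. The value is placed inside a YAML double-quoted scalar without escaping, so a `"` or `\` in an alias would break the file; aliases rarely contain those, but it is worth a comment such as `# room aliases are emitted unescaped inside YAML double quotes`. The enclosing heredoc that this loop interrupts starts and ends outside the hunk.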
@@ -1210,10 +1511,22 @@ report_stats: $REPORT_STATS # - "m.room.encryption" # - "m.room.name" + # A list of application service config files to use # -$(generate_app_service_config_files) +#app_service_config_files: +# - app_service_1.yaml +# - app_service_2.yaml +EOF +if [ -n "$APP_SERVICE_CONFIG_FILES" ]; then + echo "app_service_config_files:" + for file in $APP_SERVICE_CONFIG_FILES; do + echo " - $file" + done +fi + +cat << EOF # Uncomment to enable tracking of application service IP addresses. Implicitly # enables MAU tracking for application service users. # 
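Review bot: `echo " - $file"` emits each path as an unquoted YAML scalar, so a path containing `: ` or `#` changes or breaks the parse, and the unquoted `for file in $APP_SERVICE_CONFIG_FILES` splits any path that contains whitespace; `printf '  - "%s"\n' "$file"` at least quotes the scalar, and the list separator should be documented on the variable, e.g. `# APP_SERVICE_CONFIG_FILES: whitespace-separated paths, no spaces allowed in a path`. The enclosing heredoc is closed and reopened inside the hunk, so the `EOF`/`cat << EOF` pair is complete here.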
@@ -1224,29 +1537,34 @@ $(generate_app_service_config_files) # the registration_shared_secret is used, if one is given; otherwise, # a secret key is derived from the signing key. # -# macaroon_secret_key: +# macaroon_secret_key: "JCMj1A@Me_tSnQwS@,LeInKrEPr@..w4Q6reqqeYWLC:k4tFLn" # a secret which is used to calculate HMACs for form values, to stop # falsification of values. Must be specified for the User Consent # forms to work. # -# form_secret: +# form_secret: "Hfc:voJY1;,L==VSuq^^@D8Dpa8,Lm13YVnLwLA&2wmfnPloy8" ## Signing Keys ## # Path to the signing key to sign messages with # -signing_key_path: "$SIGNING_KEY_PATH" +signing_key_path: "${SIGNING_KEY_PATH:?}" # The keys that the server used to sign messages with but won't use -# to sign new messages. E.g. it has lost its private key +# to sign new messages. # -#old_signing_keys: -# "ed25519:auto": -# # Base64 encoded public key -# key: "The public part of your old signing key." -# # Millisecond POSIX timestamp when the key expired. -# expired_ts: 123456789123 +old_signing_keys: + # For each key, \`key\` should be the base64-encoded public key, and + # \`expired_ts\` should be the time (in milliseconds since the unix epoch) that + # it was last used. + # + # It is possible to build an entry from an old signing.key file using the + # \`export_signing_key\` script which is provided with synapse. + # + # For example: + # + #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } # How long key response published by this server is valid for. # Used to set the valid_until_ts in /key/v2 APIs. 
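Review bot: The commented examples for `macaroon_secret_key` and `form_secret` now carry what look like generated secret values rather than obvious placeholders; anyone who uncomments them would deploy values that are public in this repository, so they should read e.g. `# macaroon_secret_key: "<generate-a-random-secret>"`. `old_signing_keys:` is also emitted uncommented with only comments beneath it, so it parses as YAML null rather than an empty mapping; this mirrors upstream's sample layout and synapse presumably tolerates it, but it is worth confirming against the 1.26.0 config loader rather than assuming.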
@@ -1260,7 +1578,7 @@ signing_key_path: "$SIGNING_KEY_PATH" # When we need to fetch a signing key, each server is tried in parallel. # # Normally, the connection to the key server is validated via TLS certificates. -# Additional security can be provided by configuring a \`verify key\`, which +# Additional security can be provided by configuring a \`verify key\`, which # will make synapse check that the response is signed by that key. # # This setting supercedes an older setting named \`perspectives\`. The old format @@ -1310,16 +1628,24 @@ trusted_key_servers: #key_server_signing_keys_path: "key_server_signing_keys.key" +## Single sign-on integration ## + +# The following settings can be used to make Synapse use a single sign-on +# provider for authentication, instead of its internal password database. +# +# You will probably also want to set the following options to \`false\` to +# disable the regular login/registration flows: +# * enable_registration +# * password_config.enabled +# +# You will also want to investigate the settings under the "sso" configuration +# section below. + # Enable SAML2 for registration and login. Uses pysaml2. # # At least one of \`sp_config\` or \`config_path\` must be set in this section to # enable SAML login. # -# (You will probably also want to set the following options to \`false\` to -# disable the regular login/registration flows: -# * enable_registration -# * password_config.enabled -# # Once SAML support is enabled, a metadata file will be exposed at # https://:/_matrix/saml2/metadata.xml, which you may be able to # use to configure your SAML IdP with. Alternatively, you can manually configure 
@@ -1334,97 +1660,510 @@ saml2_config: # so it is not normally necessary to specify them unless you need to # override them. # - #sp_config: - # # point this to the IdP's metadata. You can use either a local file or - # # (preferably) a URL. - # metadata: - # #local: ["saml2/idp.xml"] - # remote: - # - url: https://our_idp/metadata.xml - # - # # By default, the user has to go to our login page first. If you'd like - # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # # 'service.sp' section: - # # - # #service: - # # sp: - # # allow_unsolicited: true - # - # # The examples below are just used to generate our metadata xml, and you - # # may well not need them, depending on your setup. Alternatively you - # # may need a whole lot more detail - see the pysaml2 docs! - # - # description: ["My awesome SP", "en"] - # name: ["Test SP", "en"] - # - # organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - # - # contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical + sp_config: + # Point this to the IdP's metadata. You must provide either a local + # file via the \`local\` attribute or (preferably) a URL via the + # \`remote\` attribute. + # + #metadata: + # local: ["saml2/idp.xml"] + # remote: + # - url: https://our_idp/metadata.xml + + # Allowed clock difference in seconds between the homeserver and IdP. + # + # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. + # + #accepted_time_diff: 3 + + # By default, the user has to go to our login page first. If you'd like + # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # 'service.sp' section: + # + #service: + # sp: + # allow_unsolicited: true + + # The examples below are just used to generate our metadata xml, and you + # may well not need them, depending on your setup. 
Alternatively you + # may need a whole lot more detail - see the pysaml2 docs! + + #description: ["My awesome SP", "en"] + #name: ["Test SP", "en"] + + #ui_info: + # display_name: + # - lang: en + # text: "Display Name is the descriptive name of your service." + # description: + # - lang: en + # text: "Description should be a short paragraph explaining the purpose of the service." + # information_url: + # - lang: en + # text: "https://example.com/terms-of-service" + # privacy_statement_url: + # - lang: en + # text: "https://example.com/privacy-policy" + # keywords: + # - lang: en + # text: ["Matrix", "Element"] + # logo: + # - lang: en + # text: "https://example.com/logo.svg" + # width: "200" + # height: "80" + + #organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + + #contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical # Instead of putting the config inline as above, you can specify a # separate pysaml2 configuration file: # - #config_path: "CONFDIR/sp_conf.py" + #config_path: "/etc/synapse/sp_conf.py" - # the lifetime of a SAML session. This defines how long a user has to + # The lifetime of a SAML session. This defines how long a user has to # complete the authentication process, if allow_unsolicited is unset. - # The default is 5 minutes. + # The default is 15 minutes. # #saml_session_lifetime: 5m - # The SAML attribute (after mapping via the attribute maps) to use to derive - # the Matrix ID from. 'uid' by default. + # An external module can be provided here as a custom solution to + # mapping attributes returned from a saml provider onto a matrix user. # - #mxid_source_attribute: displayName + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # + #module: mapping_provider.SamlMappingProvider - # The mapping system to use for mapping the saml attribute onto a matrix ID. 
- # Options include: - # * 'hexencode' (which maps unpermitted characters to '=xx') - # * 'dotreplace' (which replaces unpermitted characters with '.'). - # The default is 'hexencode'. - # - #mxid_mapping: dotreplace + # Custom configuration values for the module. Below options are + # intended for the built-in provider, they should be changed if + # using a custom module. This section will be passed as a Python + # dictionary to the module's \`parse_config\` method. + # + config: + # The SAML attribute (after mapping via the attribute maps) to use + # to derive the Matrix ID from. 'uid' by default. + # + # Note: This used to be configured by the + # saml2_config.mxid_source_attribute option. If that is still + # defined, its value will be used instead. + # + #mxid_source_attribute: displayName - # In previous versions of synapse, the mapping from SAML attribute to MXID was - # always calculated dynamically rather than stored in a table. For backwards- - # compatibility, we will look for user_ids matching such a pattern before - # creating a new account. + # The mapping system to use for mapping the saml attribute onto a + # matrix ID. + # + # Options include: + # * 'hexencode' (which maps unpermitted characters to '=xx') + # * 'dotreplace' (which replaces unpermitted characters with + # '.'). + # The default is 'hexencode'. + # + # Note: This used to be configured by the + # saml2_config.mxid_mapping option. If that is still defined, its + # value will be used instead. + # + #mxid_mapping: dotreplace + + # In previous versions of synapse, the mapping from SAML attribute to + # MXID was always calculated dynamically rather than stored in a + # table. For backwards- compatibility, we will look for user_ids + # matching such a pattern before creating a new account. # # This setting controls the SAML attribute which will be used for this - # backwards-compatibility lookup. 
Typically it should be 'uid', but if the - # attribute maps are changed, it may be necessary to change it. + # backwards-compatibility lookup. Typically it should be 'uid', but if + # the attribute maps are changed, it may be necessary to change it. # # The default is 'uid'. # #grandfathered_mxid_source_attribute: upn + # It is possible to configure Synapse to only allow logins if SAML attributes + # match particular values. The requirements can be listed under + # \`attribute_requirements\` as shown below. All of the listed attributes must + # match for the login to be permitted. + # + #attribute_requirements: + # - attribute: userGroup + # value: "staff" + # - attribute: department + # value: "sales" + + # If the metadata XML contains multiple IdP entities then the \`idp_entityid\` + # option must be set to the entity to redirect users to. + # + # Most deployments only have a single IdP entity and so should omit this + # option. + # + #idp_entityid: 'https://our_idp/entityid' -# Enable CAS for registration and login. +# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration +# and login. # -#cas_config: -# enabled: true -# server_url: "https://cas-server.com" -# service_url: "https://homeserver.domain.com:8448" -# #displayname_attribute: name -# #required_attributes: -# # name: value +# Options for each entry include: +# +# idp_id: a unique identifier for this identity provider. Used internally +# by Synapse; should be a single word such as 'github'. +# +# Note that, if this is changed, users authenticating via that provider +# will no longer be recognised as the same user! +# +# idp_name: A user-facing name for this identity provider, which is used to +# offer the user a choice of login mechanisms. +# +# idp_icon: An optional icon for this identity provider, which is presented +# by identity picker pages. If given, must be an MXC URI of the format +# mxc:///. 
(An easy way to obtain such an MXC URI +# is to upload an image to an (unencrypted) room and then copy the "url" +# from the source of the event.) +# +# discover: set to 'false' to disable the use of the OIDC discovery mechanism +# to discover endpoints. Defaults to true. +# +# issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery +# is enabled) to discover the provider's endpoints. +# +# client_id: Required. oauth2 client id to use. +# +# client_secret: Required. oauth2 client secret to use. +# +# client_auth_method: auth method to use when exchanging the token. Valid +# values are 'client_secret_basic' (default), 'client_secret_post' and +# 'none'. +# +# scopes: list of scopes to request. This should normally include the "openid" +# scope. Defaults to ["openid"]. +# +# authorization_endpoint: the oauth2 authorization endpoint. Required if +# provider discovery is disabled. +# +# token_endpoint: the oauth2 token endpoint. Required if provider discovery is +# disabled. +# +# userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is +# disabled and the 'openid' scope is not requested. +# +# jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and +# the 'openid' scope is used. +# +# skip_verification: set to 'true' to skip metadata verification. Use this if +# you are connecting to a provider that is not OpenID Connect compliant. +# Defaults to false. Avoid this in production. +# +# user_profile_method: Whether to fetch the user profile from the userinfo +# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'. +# +# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is +# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the +# userinfo endpoint. +# +# allow_existing_users: set to 'true' to allow a user logging in via OIDC to +# match a pre-existing account instead of failing. This could be used if +# switching from password logins to OIDC. Defaults to false. 
+# +# user_mapping_provider: Configuration for how attributes returned from a OIDC +# provider are mapped onto a matrix user. This setting has the following +# sub-properties: +# +# module: The class name of a custom mapping module. Default is +# 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. +# See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers +# for information on implementing a custom mapping provider. +# +# config: Configuration for the mapping provider module. This section will +# be passed as a Python dictionary to the user mapping provider +# module's \`parse_config\` method. +# +# For the default provider, the following settings are available: +# +# sub: name of the claim containing a unique identifier for the +# user. Defaults to 'sub', which OpenID Connect compliant +# providers should provide. +# +# localpart_template: Jinja2 template for the localpart of the MXID. +# If this is not set, the user will be prompted to choose their +# own username. +# +# display_name_template: Jinja2 template for the display name to set +# on first login. If unset, no displayname will be set. +# +# extra_attributes: a map of Jinja2 templates for extra attributes +# to send back to the client during login. +# Note that these are non-standard and clients will ignore them +# without modifications. +# +# When rendering, the Jinja2 templates are given a 'user' variable, +# which is set to the claims returned by the UserInfo Endpoint and/or +# in the ID Token. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md +# for information on how to configure these options. +# +# For backwards compatibility, it is also possible to configure a single OIDC +# provider via an 'oidc_config' setting. This is now deprecated and admins are +# advised to migrate to the 'oidc_providers' format. 
(When doing that migration, +# use 'oidc' for the idp_id to ensure that existing users continue to be +# recognised.) +# +oidc_providers: + # Generic example + # + #- idp_id: my_idp + # idp_name: "My OpenID provider" + # idp_icon: "mxc://example.com/mediaid" + # discover: false + # issuer: "https://accounts.example.com/" + # client_id: "provided-by-your-issuer" + # client_secret: "provided-by-your-issuer" + # client_auth_method: client_secret_post + # scopes: ["openid", "profile"] + # authorization_endpoint: "https://accounts.example.com/oauth2/auth" + # token_endpoint: "https://accounts.example.com/oauth2/token" + # userinfo_endpoint: "https://accounts.example.com/userinfo" + # jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + # skip_verification: true + + # For use with Keycloak + # + #- idp_id: keycloak + # idp_name: Keycloak + # issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name" + # client_id: "synapse" + # client_secret: "copy secret generated in Keycloak UI" + # scopes: ["openid", "profile"] + + # For use with Github + # + #- idp_id: github + # idp_name: Github + # discover: false + # issuer: "https://github.com/" + # client_id: "your-client-id" # TO BE FILLED + # client_secret: "your-client-secret" # TO BE FILLED + # authorization_endpoint: "https://github.com/login/oauth/authorize" + # token_endpoint: "https://github.com/login/oauth/access_token" + # userinfo_endpoint: "https://api.github.com/user" + # scopes: ["read:user"] + # user_mapping_provider: + # config: + # subject_claim: "id" + # localpart_template: "{ user.login }" + # display_name_template: "{ user.name }" -# The JWT needs to contain a globally unique "sub" (subject) claim. +# Enable Central Authentication Service (CAS) for registration and login. +# +cas_config: + # Uncomment the following to enable authorization against a CAS server. + # Defaults to false. + # + #enabled: true + + # The URL of the CAS authorization endpoint. 
+ # + #server_url: "https://cas-server.com" + + # The public URL of the homeserver. + # + #service_url: "https://homeserver.domain.com:8448" + + # The attribute of the CAS response to use as the display name. + # + # If unset, no displayname will be set. + # + #displayname_attribute: name + + # It is possible to configure Synapse to only allow logins if CAS attributes + # match particular values. All of the keys in the mapping below must exist + # and the values must match the given value. Alternately if the given value + # is None then any value is allowed (the attribute just must exist). + # All of the listed attributes must match for the login to be permitted. + # + #required_attributes: + # userGroup: "staff" + # department: None + + +# Additional settings to use with single-sign on systems such as OpenID Connect, +# SAML2 and CAS. +# +sso: + # A list of client URLs which are whitelisted so that the user does not + # have to confirm giving access to their account to the URL. Any client + # whose URL starts with an entry in the following list will not be subject + # to an additional confirmation step after the SSO login is completed. + # + # WARNING: An entry such as "https://my.client" is insecure, because it + # will also match "https://my.client.evil.site", exposing your users to + # phishing attacks from evil.site. To avoid this, include a slash after the + # hostname: "https://my.client/". + # + # The login fallback page (used by clients that don't natively support the + # required login flows) is automatically whitelisted in addition to any URLs + # in this list. + # + # By default, this list is empty. + # + #client_whitelist: + # - https://riot.im/develop + # - https://my.custom.client/ + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. 
+ # + # Synapse will look for the following templates in this directory: + # + # * HTML page to prompt the user to choose an Identity Provider during + # login: 'sso_login_idp_picker.html'. + # + # This is only used if multiple SSO Identity Providers are configured. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL that the user will be redirected to after + # login. Needs manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * server_name: the homeserver's name. + # + # * providers: a list of available Identity Providers. Each element is + # an object with the following attributes: + # * idp_id: unique identifier for the IdP + # * idp_name: user-facing name for the IdP + # + # The rendered HTML page should contain a form which submits its results + # back as a GET request, with the following query parameters: + # + # * redirectUrl: the client redirect URI (ie, the \`redirect_url\` passed + # to the template) + # + # * idp: the 'idp_id' of the chosen IDP. + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given three variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * display_url: the same as \`redirect_url\`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. Needs manual escaping + # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * server_name: the homeserver's name. 
+ # + # * HTML page which notifies the user that they are authenticating to confirm + # an operation on their account during the user interactive authentication + # process: 'sso_auth_confirm.html'. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * description: the operation which the user is being asked to confirm + # + # * HTML page shown after a successful user interactive authentication session: + # 'sso_auth_success.html'. + # + # Note that this page must include the JavaScript which notifies of a successful authentication + # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). + # + # This template has no additional variables. + # + # * HTML page shown after a user-interactive authentication session which + # does not map correctly onto the expected user: 'sso_auth_bad_user.html'. + # + # When rendering, this template is given the following variables: + # * server_name: the homeserver's name. + # * user_id_to_verify: the MXID of the user that we are trying to + # validate. + # + # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) + # attempts to login: 'sso_account_deactivated.html'. + # + # This template has no additional variables. + # + # * HTML page to display to users if something goes wrong during the + # OpenID Connect authentication process: 'sso_error.html'. + # + # When rendering, this template is given two variables: + # * error: the technical name of the error + # * error_description: a human-readable message for the error + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + +# JSON web token integration. 
The following settings can be used to make +# Synapse JSON web tokens for authentication, instead of its internal +# password database. +# +# Each JSON Web Token needs to contain a "sub" (subject) claim, which is +# used as the localpart of the mxid. +# +# Additionally, the expiration time ("exp"), not before time ("nbf"), +# and issued at ("iat") claims are validated if present. +# +# Note that this is a non-standard login type and client support is +# expected to be non-existent. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. # #jwt_config: -# enabled: true -# secret: "a secret" -# algorithm: "HS256" + # Uncomment the following to enable authorization using JSON web + # tokens. Defaults to false. + # + #enabled: true + + # This is either the private shared secret or the public key used to + # decode the contents of the JSON web token. + # + # Required if 'enabled' is true. + # + #secret: "provided-by-your-issuer" + + # The algorithm used to sign the JSON web token. + # + # Supported algorithms are listed at + # https://pyjwt.readthedocs.io/en/latest/algorithms.html + # + # Required if 'enabled' is true. + # + #algorithm: "provided-by-your-issuer" + + # The issuer to validate the "iss" claim against. + # + # Optional, if provided the "iss" claim will be required and + # validated for all JSON web tokens. + # + #issuer: "provided-by-your-issuer" + + # A list of audiences to validate the "aud" claim against. + # + # Optional, if provided the "aud" claim will be required and + # validated for all JSON web tokens. + # + # Note that if the "aud" claim is included in a JSON web token then + # validation will fail without configuring audiences. + # + #audiences: + # - "provided-by-your-issuer" password_config: 
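Review bot: `sp_config:`, `user_mapping_provider:`, `config:`, `oidc_providers:`, `cas_config:` and `sso:` are now emitted as uncommented keys whose every child is commented, so each parses as YAML null rather than an empty mapping; this matches upstream's sample layout and synapse presumably accepts it, but since the previous version kept `#sp_config:` fully commented it is worth confirming that SAML stays disabled with `sp_config: null`. Because the enclosing heredoc (which starts outside this hunk) has an unquoted delimiter, every backtick in this block had to be escaped as `\`` and any literal `$` would be expanded at generation time; a comment above the heredoc such as `# NOTE: unquoted heredoc - escape every backtick and literal $ when syncing from the sample config` would make the next upstream sync safer. None of the SSO, OIDC, CAS or JWT settings added here are parameterised by the type, so the block is inert commentary in every generated homeserver.yaml; consider trimming it to the sections the type actually exposes.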
@@ -1443,116 +2182,352 @@ password_config: # #pepper: "EVEN_MORE_SECRET" + # Define and enforce a password policy. Each parameter is optional. + # This is an implementation of MSC2000. + # + policy: + # Whether to enforce the password policy. + # Defaults to 'false'. + # + #enabled: true + + # Minimum accepted length for a password. + # Defaults to 0. + # + #minimum_length: 15 + + # Whether a password must contain at least one digit. + # Defaults to 'false'. + # + #require_digit: true + + # Whether a password must contain at least one symbol. + # A symbol is any character that's not a number or a letter. + # Defaults to 'false'. + # + #require_symbol: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_lowercase: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_uppercase: true + +ui_auth: + # The number of milliseconds to allow a user-interactive authentication + # session to be active. + # + # This defaults to 0, meaning the user is queried for their credentials + # before every action, but this can be overridden to alow a single + # validation to be re-used. This weakens the protections afforded by + # the user-interactive authentication process, by allowing for multiple + # (and potentially different) operations to use the same validation session. + # + # Uncomment below to allow for credential validation to last for 15 + # seconds. + # + #session_timeout: 15000 -# Enable sending emails for password resets, notification events or -# account expiry notices -# -# If your SMTP server requires authentication, the optional smtp_user & -# smtp_pass variables should be used +# Configuration for sending emails from Synapse. 
# email: - enable_notifs: $ENABLE_NOTIFICATIONS - smtp_host: "$SMTP_HOST" - smtp_port: $SMTP_PORT # SSL: 465, STARTTLS: 587 - smtp_user: "$SMTP_USER" - smtp_pass: $SMTP_PASS - require_transport_security: $SMTP_TLS - notif_from: "%(app)s <$SMTP_USER>" - app_name: Matrix + # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. + # + smtp_host: "${SMTP_HOST:?}" - # Enable email notifications by default - # - notif_for_new_users: $ENABLE_NOTIFICATIONS_BY_DEFAULT + # The port on the mail server for outgoing SMTP. Defaults to 25. + # + smtp_port: ${SMTP_PORT:?} - # Defining a custom URL for Riot is only needed if email notifications - # should contain links to a self-hosted installation of Riot; when set - # the "app_name" setting is ignored - # - riot_base_url: "$RIOT_BASE_URL" + # Username/password for authentication to the SMTP server. By default, no + # authentication is attempted. + # + smtp_user: "$SMTP_USER" + smtp_pass: "$SMTP_PASS" - # Configure the time that a validation email or text message code - # will expire after sending - # - # This is currently used for password resets - # - #validation_token_lifetime: 1h + # Uncomment the following to require TLS transport security for SMTP. + # By default, Synapse will connect over plain text, and will then switch to + # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, + # Synapse will refuse to connect unless the server supports STARTTLS. + # + require_transport_security: ${SMTP_USE_STARTTLS:?} - # Template directory. All template files should be stored within this - # directory. If not set, default templates from within the Synapse - # package will be used - # - # For the list of default templates, please see - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: res/templates + # notif_from defines the "From" address to use when sending emails. + # It must be set if email sending is enabled. 
+ # + # The placeholder '%(app)s' will be replaced by the application name, + # which is normally 'app_name' (below), but may be overridden by the + # Matrix client application. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + notif_from: "${NOTIFICATION_FROM:?}" - # Templates for email notifications - # - notif_template_html: notif_mail.html - notif_template_text: notif_mail.txt + # app_name defines the default value for '%(app)s' in notif_from and email + # subjects. It defaults to 'Matrix'. + # + #app_name: my_branded_matrix_server - # Templates for account expiry notices - # - expiry_template_html: notice_expiry.html - expiry_template_text: notice_expiry.txt + # Uncomment the following to enable sending emails for messages that the user + # has missed. Disabled by default. + # + enable_notifs: ${ENABLE_NOTIFICATIONS:?} - # Templates for password reset emails sent by the homeserver - # - #password_reset_template_html: password_reset.html - #password_reset_template_text: password_reset.txt + # Uncomment the following to disable automatic subscription to email + # notifications for new users. Enabled by default. + # + #notif_for_new_users: false - # Templates for registration emails sent by the homeserver - # - #registration_template_html: registration.html - #registration_template_text: registration.txt + # Custom URL for client links within the email notifications. By default + # links will be based on "https://matrix.to". + # + # (This setting used to be called riot_base_url; the old name is still + # supported for backwards-compatibility but is now deprecated.) + # + client_base_url: "${WEB_CLIENT_URL:?}" - # Templates for validation emails sent by the homeserver when adding an email to - # your user account - # - #add_threepid_template_html: add_threepid.html - #add_threepid_template_text: add_threepid.txt + # Configure the time that a validation email will expire after sending. + # Defaults to 1h. 
+ # + #validation_token_lifetime: 15m - # Templates for password reset success and failure pages that a user - # will see after attempting to reset their password - # - #password_reset_template_success_html: password_reset_success.html - #password_reset_template_failure_html: password_reset_failure.html + # The web client location to direct users to during an invite. This is passed + # to the identity server as the org.matrix.web_client_location key. Defaults + # to unset, giving no guidance to the identity server. + # + #invite_client_location: https://app.element.io - # Templates for registration success and failure pages that a user - # will see after attempting to register using an email or phone - # - #registration_template_success_html: registration_success.html - #registration_template_failure_html: registration_failure.html + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * The contents of email notifications of missed events: 'notif_mail.html' and + # 'notif_mail.txt'. + # + # * The contents of account expiry notice emails: 'notice_expiry.html' and + # 'notice_expiry.txt'. + # + # * The contents of password reset emails sent by the homeserver: + # 'password_reset.html' and 'password_reset.txt' + # + # * An HTML page that a user will see when they follow the link in the password + # reset email. 
The user will be asked to confirm the action before their + # password is reset: 'password_reset_confirmation.html' + # + # * HTML pages for success and failure that a user will see when they confirm + # the password reset flow using the page above: 'password_reset_success.html' + # and 'password_reset_failure.html' + # + # * The contents of address verification emails sent during registration: + # 'registration.html' and 'registration.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent during registration: + # 'registration_success.html' and 'registration_failure.html' + # + # * The contents of address verification emails sent when an address is added + # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent when an address is added + # to a Matrix account: 'add_threepid_success.html' and + # 'add_threepid_failure.html' + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" - # Templates for success and failure pages that a user will see after attempting - # to add an email or phone to their account - # - #add_threepid_success_html: add_threepid_success.html - #add_threepid_failure_html: add_threepid_failure.html + # Subjects to use when sending emails from Synapse. + # + # The placeholder '%(app)s' will be replaced with the value of the 'app_name' + # setting above, or by a value dictated by the Matrix client application. + # + # If a subject isn't overridden in this configuration file, the value used as + # its example will be used. + # + #subjects: -$(generate_password_providers) + # Subjects for notification emails. 
+ #
+ # On top of the '%(app)s' placeholder, these can use the following
+ # placeholders:
+ #
+ # * '%(person)s', which will be replaced by the display name of the user(s)
+ # that sent the message(s), e.g. "Alice and Bob".
+ # * '%(room)s', which will be replaced by the name of the room the
+ # message(s) have been sent to, e.g. "My super room".
+ #
+ # See the example provided for each setting to see which placeholder can be
+ # used and how to use them.
+ #
+ # Subject to use to notify about one message from one or more user(s) in a
+ # room which has a name.
+ #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
+ #
+ # Subject to use to notify about one message from one or more user(s) in a
+ # room which doesn't have a name.
+ #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
+ #
+ # Subject to use to notify about multiple messages from one or more users in
+ # a room which doesn't have a name.
+ #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
+ #
+ # Subject to use to notify about multiple messages in a room which has a
+ # name.
+ #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
+ #
+ # Subject to use to notify about multiple messages in multiple rooms.
+ #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
+ #
+ # Subject to use to notify about multiple messages from multiple persons in
+ # multiple rooms. This is similar to the setting above except it's used when
+ # the room in which the notification was triggered has no name.
+ #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
+ #
+ # Subject to use to notify about an invite to a room which has a name.
+ #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
+ # + # Subject to use to notify about an invite to a room which doesn't have a + # name. + #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." -# Clients requesting push notifications can either have the body of -# the message sent in the notification poke along with other details -# like the sender, or just the event ID and room ID (\`event_id_only\`). -# If clients choose the former, this option controls whether the -# notification request includes the content of the event (other details -# like the sender are still included). For \`event_id_only\` push, it -# has no effect. + # Subject for emails related to account administration. + # + # On top of the '%(app)s' placeholder, these one can use the + # '%(server_name)s' placeholder, which will be replaced by the value of the + # 'server_name' setting in your Synapse configuration. + # + # Subject to use when sending a password reset email. + #password_reset: "[%(server_name)s] Password reset" + # + # Subject to use when sending a verification email to assert an address's + # ownership. + #email_validation: "[%(server_name)s] Validate your email" + + +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. # -# For modern android devices the notification content will still appear -# because it is loaded by the app. iPhone, however will send a -# notification saying only that a message arrived and who it came from. +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md # -#push: -# include_content: true +# Note: instances wishing to use SAML or CAS authentication should +# instead use the \`saml2_config\` or \`cas_config\` options, +# respectively. 
+# +password_providers: +# # Example config for an LDAP auth provider +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" +EOF + +if [ -n "$ENABLE_LDAP_AUTH" ]; then + cat <&2 + exit 1 + ;; +esac + +if grep -qE "^__file/$synapse_conf_dir" "${__messages_in}"; then + case "$init" in + systemd) + echo "systemctl try-reload-or-restart $synapse_service" + ;; + initd) + echo "service --ifstopped $synapse_service start" + echo "service --ifstarted $synapse_service restart" + ;; + *) + echo "Unknown init $init." >&2 + exit 1 + ;; + esac +fi diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest index 96795e7..1f01ca9 100755 --- a/type/__matrix_synapse/manifest +++ b/type/__matrix_synapse/manifest 
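Review bot: `smtp_pass: "$SMTP_PASS"` in the email block reads a variable the manifest never sets — the manifest hunk below computes and exports `SMTP_PASSWORD` — so the rendered homeserver.yaml always carries an empty SMTP password next to a populated `smtp_user`, and authenticated mail delivery breaks without any error at generation time; it should read `smtp_pass: "$SMTP_PASSWORD"`. The guard `if [ -n "$ENABLE_LDAP_AUTH" ]; then` at the end of the heredoc is also always true, because the manifest sets ENABLE_LDAP_AUTH through get_boolean_for, which prints the literal 'true' or 'false' for every deployment; the LDAP provider block is therefore emitted even when LDAP auth is off, and it should use the same test the manifest uses, `if [ "$ENABLE_LDAP_AUTH" = "true" ]; then`. The tail of this hunk (the LDAP heredoc and what looks like a gencode-remote file) is not readable in this view, so those lines are not reviewed here.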
@@ -23,109 +23,161 @@ os=$(cat "$__global/explorer/os") distribution=$(cat "$__global/explorer/lsb_codename") case "$os" in - debian) - synapse_user=matrix-synapse - synapse_pkg=matrix-synapse - synapse_service=matrix-synapse - ldap_auth_provider_pkg=matrix-synapse-ldap3 - psycopg2_pkg=python3-psycopg2 - synapse_conf_dir='/etc/matrix-synapse' - synapse_data_dir='/var/lib/matrix-synapse' + debian) + synapse_user=matrix-synapse + synapse_pkg=matrix-synapse + synapse_service=matrix-synapse + ldap_auth_provider_pkg=matrix-synapse-ldap3 + synapse_conf_dir='/etc/matrix-synapse' + synapse_data_dir='/var/lib/matrix-synapse' - if [ ! -f "$__global/explorer/lsb_codename" ]; then - ls "$__global/explorer" >&2 - echo "Could not determine Debian release, ensure that lsb-release is installed on the target." >&2 - exit 1 - fi - ;; - fedora) - synapse_user=synapse - synapse_pkg=matrix-synapse - synapse_service=synapse - ldap_auth_provider_pkg=python-matrix-synapse-ldap3 - synapse_conf_dir='/etc/synapse' - synapse_data_dir='/var/lib/synapse' - ;; - freebsd) - synapse_user=synapse - synapse_pkg=py36-matrix-synapse - synapse_service=synapse - ldap_auth_provider_pkg=py36-matrix-synapse-ldap3 - synapse_conf_dir='/usr/local/etc/matrix-synapse' - synapse_data_dir='/var/matrix-synapse' - ;; - alpine) - echo "As of 2019-12-19 matrix-synapse is not in alpine stable. Exiting." - exit 1 - ;; - *) - printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2 - printf "Please contribute an implementation for it if you can.\n" >&2 - exit 1 - ;; + # See https://packages.debian.org/bullseye/matrix-synapse for state of + # synapse packaging in debian. + case "$distribution" in + stretch) + echo "The matrix-synapse package in debian stretch is outdated and unusable." >&2 + exit 1 + ;; + buster) + # Enable debian-backports for debian Buster, as the 'stable' + # matrix-synapse package is ways too old (< 1.0). 
+ apt_target_release=buster-backports + __apt_source debian-backports \ + --uri http://deb.debian.org/debian/ \ + --distribution "$apt_target_release" \ + --component main + ;; + bullseye|sid) + # As of writting (2021-02), the default matrix-synapse of those + # release is perfectly usable. + : + ;; + *) + echo "Unknown debian release '$distribution'. Exiting" >&2 + exit 1 + ;; + esac + ;; + alpine) + synapse_user=synapse + synapse_pkg=synapse + synapse_service=synapse + # Note available as of writing (2021-02-15) + ldap_auth_provider_pkg= + synapse_conf_dir='/etc/synapse' + synapse_data_dir='/var/lib/synapse' + ;; + *) + printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2 + printf "Please contribute an implementation for it if you can.\n" >&2 + exit 1 + ;; esac -# Required parameters: -SERVER_NAME=$(cat "$__object/parameter/server-name") -export SERVER_NAME -BASE_URL=$(cat "$__object/parameter/base-url") -export BASE_URL +# Small helper used to get boolean values which can be used as-is in the +# configuration template. +get_boolean_for () { + if [ -f "$__object/parameter/${1:?}" ]; then + echo 'true' + else + echo 'false' + fi +} +# Small helper for erroring out on invalid combinations. +is_required_when () { + value=$1 + flag=$2 + when=$3 + + if [ -z "$value" ]; then + echo "$flag is required when $when." >&2 + exit 1 + fi +} + +# Generic configuration. export DATA_DIR=$synapse_data_dir export LOG_DIR='/var/log/matrix-synapse' export PIDFILE='/var/run/matrix/homeserver.pid' export LOG_CONFIG_PATH="$synapse_conf_dir/log.yaml" export SIGNING_KEY_PATH="$synapse_conf_dir/signin.key" -DATABASE_ENGINE=$(cat "$__object/parameter/database-engine") -export DATABASE_ENGINE -DATABASE_NAME=$(cat "$__object/parameter/database-name") -export DATABASE_NAME +# Base parameters. 
+SERVER_NAME=$(cat "$__object/parameter/server-name") +BASE_URL=$(cat "$__object/parameter/base-url") +REPORT_STATS=$(get_boolean_for 'report-stats') +MAX_UPLOAD_SIZE=$(cat "$__object/parameter/max-upload-size") +EXPOSE_METRICS=$(get_boolean_for 'expose-metrics') +WEB_CLIENT_URL=$(cat "$__object/parameter/web-client-url") +ROOM_ENCRYPTION_POLICY=$(cat "$__object/parameter/room-encryption-policy") +export SERVER_NAME BASE_URL REPORT_STATS MAX_UPLOAD_SIZE EXPOSE_METRICS \ + WEB_CLIENT_URL ROOM_ENCRYPTION_POLICY -# Optional parameters: -DATABASE_HOST=$(cat "$__object/parameter/database-host") -export DATABASE_HOST -DATABASE_USER=$(cat "$__object/parameter/database-user") -export DATABASE_USER -DATABASE_PASSWORD=$(cat "$__object/parameter/database-password") -export DATABASE_PASSWORD +if [ -f "$__object/parameter/enable-server-notices" ]; then + export ENABLE_SERVER_NOTICES=1 +fi +# Performance flags. GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global-cache-factor") -export GLOBAL_CACHE_FACTOR EVENT_CACHE_SIZE=$(cat "$__object/parameter/event-cache-size") -export EVENT_CACHE_SIZE +export GLOBAL_CACHE_FACTOR EVENT_CACHE_SIZE +if [ -f "$__object/parameter/disable-presence" ]; then + export USE_PRESENCE='false' +else + export USE_PRESENCE='true' +fi + +# Database configuration. +DATABASE_ENGINE=$(cat "$__object/parameter/database-engine") +DATABASE_NAME=$(cat "$__object/parameter/database-name") +DATABASE_HOST=$(cat "$__object/parameter/database-host") +DATABASE_USER=$(cat "$__object/parameter/database-user") +DATABASE_PASSWORD=$(cat "$__object/parameter/database-password") +export DATABASE_ENGINE DATABASE_NAME DATABASE_HOST DATABASE_USER \ + DATABASE_PASSWORD + +# LDAP-based authentication. 
+ENABLE_LDAP_AUTH=$(get_boolean_for 'enable-ldap-auth') LDAP_FILTER=$(cat "$__object/parameter/ldap-filter") -export LDAP_FILTER LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap-uid-attribute") -export LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap-mail-attribute") -export LDAP_MAIL_ATTRIBUTE LDAP_NAME_ATTRIBUTE=$(cat "$__object/parameter/ldap-name-attribute") -export LDAP_NAME_ATTRIBUTE LDAP_URI=$(cat "$__object/parameter/ldap-uri") -export LDAP_URI LDAP_BASE_DN=$(cat "$__object/parameter/ldap-base-dn") -export LDAP_BASE_DN LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn") -export LDAP_BIND_DN LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password") -export LDAP_BIND_PASSWORD +LDAP_USE_STARTTLS=$(get_boolean_for 'ldap-use-starttls') +export ENABLE_LDAP_AUTH LDAP_FILTER LDAP_UID_ATTRIBUTE LDAP_MAIL_ATTRIBUTE \ + LDAP_NAME_ATTRIBUTE LDAP_URI LDAP_BASE_DN LDAP_BIND_DN LDAP_BIND_PASSWORD \ + LDAP_USE_STARTTLS -TURN_USER_LIFETIME=$(cat "$__object/parameter/turn-user-lifetime") -export TURN_USER_LIFETIME -if [ -f "$__object/parameter/turn-shared-secret" ]; then - TURN_SHARED_SECRET=$(cat "$__object/parameter/turn-shared-secret") - export TURN_SHARED_SECRET -fi -if [ -f "$__object/parameter/turn-uri" ]; then - uris=$(tr "\n" "," < "$__object/parameter/turn-uri" | sed 's/,$//') - export TURN_URIS="[$uris]" +# Outgoing emails (= notifications). 
+ENABLE_NOTIFICATIONS=$(get_boolean_for 'enable-notifications') +SMTP_HOST=$(cat "$__object/parameter/smtp-host") +SMTP_PORT=$(cat "$__object/parameter/smtp-port") +SMTP_USE_STARTTLS=$(get_boolean_for 'smtp-use-starttls') +SMTP_USER=$(cat "$__object/parameter/smtp-user") +SMTP_PASSWORD=$(cat "$__object/parameter/smtp-password") +export SMTP_HOST SMTP_PORT SMTP_USER SMTP_PASSWORD SMTP_USE_STARTTLS \ + ENABLE_NOTIFICATIONS + +if [ -f "$__object/parameter/notification-from" ]; then + NOTIFICATION_FROM=$(cat "$__object/parameter/notification-from") + export NOTIFICATION_FROM +else + export NOTIFICATION_FROM="Matrix " fi -if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then - RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern") - export RESGISTRATION_ALLOWS_EMAIL_PATTERN +# Registrations and users. +ALLOW_GUEST_ACCESS=$(get_boolean_for 'allow-guest-access') +ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations') +USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users') +export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS + +if [ -f "$__object/parameter/registration-requires-email" ]; then + export REGISTRATION_REQUIRES_EMAIL=1 fi if [ -f "$__object/parameter/auto-join-room" ]; then 
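Review bot: The alpine arm leaves `ldap_auth_provider_pkg=` empty (its comment reads "Note available", presumably "Not available"), but nothing refuses `--enable-ldap-auth` on that platform: the install step in the next hunk would then run `__package "$ldap_auth_provider_pkg"` with an empty name, and the generated config would point Synapse at a provider module that is not installed. A fail-fast check right after ENABLE_LDAP_AUTH is computed would make the limitation explicit, e.g. `if [ "$ENABLE_LDAP_AUTH" = "true" ] && [ -z "$ldap_auth_provider_pkg" ]; then echo "LDAP auth is not supported on $os." >&2; exit 1; fi`. Separately, the fallback `export NOTIFICATION_FROM="Matrix "` appears to have lost its address part in this view (angle brackets are commonly stripped by extraction); if the committed file really has no address, `notif_from` will be rejected and a comment documenting the intended default would help.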
@@ -133,153 +185,109 @@ if [ -f "$__object/parameter/auto-join-room" ]; then export AUTO_JOIN_ROOMS fi -if [ -f "$__object/parameter/app-service-config-file" ]; then - APP_SERVICE_CONFIG_FILES=$(cat "$__object/parameter/app-service-config-file") - export APP_SERVICE_CONFIG_FILES +if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then + RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern") + export RESGISTRATION_ALLOWS_EMAIL_PATTERN fi -MAX_UPLOAD_SIZE=$(cat "$__object/parameter/max-upload-size") -export MAX_UPLOAD_SIZE -RIOT_BASE_URL=$(cat "$__object/parameter/riot-base-url") -export RIOT_BASE_URL +# Federation. +DISABLE_FEDERATION=$(get_boolean_for 'disable-federation') +ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation') +ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth') +LIMIT_REMOTE_ROOM_COMPLEXITY=$(get_boolean_for 'limit-remote-room-complexity') +REMOTE_ROOM_COMPLEXITY_TRESHOLD=$(cat "$__object/parameter/remote-room-complexity-treshold") +export DISABLE_FEDERATION ALLOW_PUBLIC_ROOMS_OVER_FEDERATION \ + ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH LIMIT_REMOTE_ROOM_COMPLEXITY \ + REMOTE_ROOM_COMPLEXITY_TRESHOLD -SMTP_HOST=$(cat "$__object/parameter/smtp-host") -export SMTP_HOST -SMTP_PORT=$(cat "$__object/parameter/smtp-port") -export SMTP_PORT -SMTP_USER=$(cat "$__object/parameter/smtp-user") -export SMTP_USER -SMTP_PASS=$(cat "$__object/parameter/smtp-pass") -export SMTP_PASS +# Message retention. 
+ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy') +MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime") +export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME +# Rate-limiting RC_MESSAGE_PER_SECOND=$(cat "$__object/parameter/rc-message-per-second") -export RC_MESSAGE_PER_SECOND -RC_MESSAGE_BURST=$(cat "$__object/parameter/rc_message_burst") -export RC_MESSAGE_BURST +RC_MESSAGE_BURST=$(cat "$__object/parameter/rc-message-burst") RC_LOGIN_PER_SECOND=$(cat "$__object/parameter/rc-login-per-second") -export RC_LOGIN_PER_SECOND RC_LOGIN_BURST=$(cat "$__object/parameter/rc-login-burst") -export RC_LOGIN_BURST +export RC_MESSAGE_PER_SECOND RC_MESSAGE_BURST RC_LOGIN_PER_SECOND \ + RC_LOGIN_BURST +# Application services. +if [ -f "$__object/parameter/app-service-config-file" ]; then + APP_SERVICE_CONFIG_FILES=$(cat "$__object/parameter/app-service-config-file") + export APP_SERVICE_CONFIG_FILES +fi + +# Anything that did not fit in this type's template. 
if [ -f "$__object/parameter/extra-setting" ]; then - EXTRA_SETTINGS=$(cat "$__object/parameter/extra-setting") - export EXTRA_SETTINGS + EXTRA_SETTINGS=$(cat "$__object/parameter/extra-setting") + export EXTRA_SETTINGS fi -# Boolean parameters: -if [ -f "$__object/parameter/report-stats" ]; then - export REPORT_STATS='true' -else - export REPORT_STATS='false' -fi -if [ -f "$__object/parameter/allow-registration" ]; then - export ALLOW_REGISTRATION='true' -else - export ALLOW_REGISTRATION='false' -fi -if [ -f "$__object/parameter/enable-ldap-auth" ]; then - export ENABLE_LDAP_AUTH='true' -else - export ENABLE_LDAP_AUTH='false' -fi -if [ -f "$__object/parameter/ldap-search-mode" ]; then - export LDAP_SEARCH_MODE=1 -fi -if [ -f "$__object/parameter/expose-metrics" ]; then - export EXPOSE_METRICS='true' -else - export EXPOSE_METRICS='false' -fi -if [ -f "$__object/parameter/enable-notifications" ]; then - export ENABLE_NOTIFICATIONS='true' -else - export ENABLE_NOTIFICATIONS='false' -fi -if [ -f "$__object/parameter/enable_notifications-by-default" ]; then - export ENABLE_NOTIFICATIONS_BY_DEFAULT='true' -else - export ENABLE_NOTIFICATIONS_BY_DEFAULT='false' -fi -if [ -f "$__object/parameter/smtp-requires-tls" ]; then - export SMTP_TLS='true' -else - export SMTP_TLS='false' -fi -if [ -f "$__object/parameter/disable-federation" ]; then - export DISABLE_FEDERATION='true' -else - export DISABLE_FEDERATION='false' -fi -if [ -f "$__object/parameter/allow-guest-access" ]; then - export ALLOW_GUEST_ACCESS='true' -else - export ALLOW_GUEST_ACCESS='false' -fi -if [ -f "$__object/parameter/registration-requires-email" ]; then - export REGISTRATION_REQUIRES_EMAIL=1 -fi -if [ -f "$__object/parameter/allow-public-rooms-over-federation" ]; then - export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION='true' -else - export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION='false' -fi -if [ -f "$__object/parameter/allow-public-rooms-without-auth" ]; then - export ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH='true' -else - 
export ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH='false' -fi -if [ -f "$__object/parameter/enable-server-notices" ]; then - export ENABLE_SERVER_NOTICES=1 +# TURN server (NAT traversal for P2P calls). +TURN_USER_LIFETIME=$(cat "$__object/parameter/turn-user-lifetime") +export TURN_USER_LIFETIME + +if [ -f "$__object/parameter/turn-shared-secret" ]; then + TURN_SHARED_SECRET=$(cat "$__object/parameter/turn-shared-secret") + export TURN_SHARED_SECRET fi -# Specific case for debian-buster, boilerplate but there's not much I can do -# about it. +if [ -f "$__object/parameter/turn-uri" ]; then + TURN_URIS=$(cat "$__object/parameter/turn-uri") + export TURN_URIS +fi -installation_reqs="" -if [ "$os" = "debian" ] && [ "$distribution" = "buster" ]; then - # Enable debian-backports for debian Buster, as the 'stable' - # matrix-synapse package is ways too old (< 1.0). - __apt_source debian-backports \ - --uri http://deb.debian.org/debian/ \ - --distribution "$distribution-backports" \ - --component main - require="__apt_source/debian-backports" __apt_update_index +# Worker-mode configuration. +export MAIN_LISTENER_PORT=8008 +export ENABLE_MEDIA_REPO='true' +export SEND_FEDERATION_FROM_MAIN_PROCESS='true' +export RUN_BACKGROUND_TASKS_ON= +export ENABLE_REPLICATION= +export ENABLE_REDIS_SUPPORT='false' +MAIN_LISTENER_RESOURCES="[federation,client]" +if [ "$EXPOSE_METRICS" = "true" ]; then + MAIN_LISTENER_RESOURCES="$(echo "$MAIN_LISTENER_RESOURCES" | tr -d ']'),metrics]" +fi +export MAIN_LISTENER_RESOURCES - # Install base matrix-synapse package. - require="__apt_update_index" __package_apt $synapse_pkg \ - --state present \ - --target-release "$distribution-backports" +# Error out on invalid parameter combination. 
+case "$DATABASE_ENGINE" in + sqlite3) + : + ;; + psycopg2) + when='database engine is psycopg2' + is_required_when "$DATABASE_HOST" '--database-host' "$when" + is_required_when "$DATABASE_USER" '--database-user' "$when" + ;; + *) + echo "Invalid database engine: $DATABASE_ENGINE." >&2 + exit 1 + ;; +esac - # Install LdapAuthProvider module if LDAP auth is enabled. - if [ "$ENABLE_LDAP_AUTH" = "true" ]; then - require="__package_apt/$synapse_pkg" __package_apt $ldap_auth_provider_pkg \ - --state present \ - --target-release "$distribution-backports" - installation_reqs="$installation_reqs __package_apt/$ldap_auth_provider_pkg" - fi - # For some reason, psycopg2 is not considered a dependency of - # matrix-synapse in matrix.org's APT repository. - if [ "$DATABASE_ENGINE" = "psycopg2" ]; then - require="__package_apt/$synapse_pkg" __package_apt $psycopg2_pkg \ - --state present - installation_reqs="$installation_reqs __package_apt/$psycopg2_pkg" - fi - - # Used for dependency order resolution. - installation_reqs="$installation_reqs __package_apt/$synapse_pkg" +# Install OS packages. We have a bit of boilerplate to handle the debian +# backports situation. +synapse_req= +if [ -n "$apt_target_release" ]; then + __package_apt "$synapse_pkg" \ + --target-release "$apt_target_release" + synapse_req="__package_apt/$synapse_pkg" else - # Install base matrix-synapse package. - __package $synapse_pkg --state present + __package "$synapse_pkg" + synapse_req="__package/$synapse_pkg" +fi - # Install LdapAuthProvider module if LDAP auth is enabled. - if [ "$ENABLE_LDAP_AUTH" = "true" ]; then - require="__package/$synapse_pkg" __package $ldap_auth_provider_pkg \ - --state present - fi - - # Used for dependency order resolution. 
- installation_reqs="__package/$synapse_pkg" +if [ "$ENABLE_LDAP_AUTH" = "true" ]; then + if [ -n "$apt_target_release" ]; then + require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \ + --target-release "$apt_target_release" + else + __package "$ldap_auth_provider_pkg" + fi fi # Generate and deploy configuration files. 
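Review bot: The backports install `__package_apt "$synapse_pkg" --target-release "$apt_target_release"` has no `require`, so nothing orders it after the `__apt_source debian-backports` declared in the earlier hunk, and the `__apt_update_index` the old code ran between the two has been dropped without replacement; on a fresh buster host the backports index may be absent when apt is asked for that target release, unless __apt_source triggers the index refresh itself. Suggest `require="__apt_source/debian-backports" __package_apt "$synapse_pkg" --target-release "$apt_target_release"`, and the same `require` on the LDAP provider install below it. The removed psycopg2 branch is also not replaced, so `--database-engine psycopg2` deployments only keep working if the distro's matrix-synapse package pulls in the driver — worth confirming for both debian and alpine. In the validation `case`, the psycopg2 arm requires host and user but not `--database-password`; if an empty password is deliberately allowed for trust/peer authentication, a comment saying so would stop the next reader from adding the check.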
@@ -287,34 +295,35 @@ mkdir -p "$__object/files"
 "$__type/files/homeserver.yaml.sh" > "$__object/files/homeserver.yaml"
 "$__type/files/log.config.sh" > "$__object/files/log.config"
-require="$installation_reqs" __file "$synapse_conf_dir/homeserver.yaml" \
- --state present \
+require="$synapse_req" __file "$synapse_conf_dir/homeserver.yaml" \
 --owner $synapse_user \
 --mode 600 \
 --source "$__object/files/homeserver.yaml"
-require="$installation_reqs" __file "$LOG_CONFIG_PATH" \
- --state present \
+require="$synapse_req" __file "$LOG_CONFIG_PATH" \
 --owner $synapse_user \
 --mode 600 \
 --source "$__object/files/log.config"
-require="$installation_reqs" __directory $DATA_DIR --state present --owner $synapse_user
-require="$installation_reqs" __directory $LOG_DIR --state present --owner $synapse_user
-# Work around dpkg-reconfigure for Debian package.
-RESTART_REQUIRES="__file/$synapse_conf_dir/homeserver.yaml"
+for directory in $DATA_DIR $LOG_DIR; do
+ require="$synapse_req" __directory $directory \
+ --state present \
+ --owner $synapse_user
+done
+
+# Make dpkg-reconfigure happy on debian systems.
if [ "$os" = "debian" ]; then
- require="$installation_reqs" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
- --state present --owner $synapse_user --source - << EOF
-server_name: "$SERVER_NAME"
-EOF
- require="$installation_reqs" __file "$synapse_conf_dir/conf.d/report_stats.yaml" \
- --state present --owner $synapse_user --source - << EOF
-report_stats: $REPORT_STATS
-EOF
+ require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
+ --owner $synapse_user \
+ --source - <<- EOF
+ server_name: "$SERVER_NAME"
+ EOF
- RESTART_REQUIRES="$RESTART_REQUIRES __file/$synapse_conf_dir/conf.d/server_name.yaml \
- __file/$synapse_conf_dir/conf.d/report_stats.yaml"
+ require="$synapse_req" __file "$synapse_conf_dir/conf.d/report_stats.yaml" \
+ --owner $synapse_user \
+ --source - <<- EOF
+ report_stats: $REPORT_STATS
+ EOF
 fi
-# Restart synapse homeserver to reload configuration.
-require="$RESTART_REQUIRES" __service $synapse_service --action restart
+# Start service at boot - started/reload in gencode-remote.
+require="$synapse_req" __start_on_boot $synapse_service
diff --git a/type/__matrix_synapse/parameter/boolean b/type/__matrix_synapse/parameter/boolean
index 62905a5..809bf63 100644
--- a/type/__matrix_synapse/parameter/boolean
+++ b/type/__matrix_synapse/parameter/boolean
@@ -1,14 +1,18 @@
 allow-registration
 enable-ldap-auth
-ldap-search-mode
 report-stats
 expose-metrics
 enable-notifications
 enable-notifications-by-default
-smtp-requires-tls
+smtp-use-starttls
 disable-federation
 registration-requires-email
 allow-public-rooms-over-federation
 enable-server-notices
 allow-guest-access
 allow-public-rooms-without-auth
+limit-remote-room-complexity
+disable-presence
+ldap-use-starttls
+user-directory-search-all-users
+enable-message-retention-policy
diff --git a/type/__matrix_synapse/parameter/default/message-max-lifetime b/type/__matrix_synapse/parameter/default/message-max-lifetime
new file mode 100644
index 0000000..4730191
--- /dev/null
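Review bot: The new `for directory in $DATA_DIR $LOG_DIR` loop depends on unquoted word splitting, so a path containing whitespace is created as several directories and an empty `DATA_DIR` is silently skipped instead of failing; write it as `for directory in "$DATA_DIR" "$LOG_DIR"; do` and quote `"$directory"` and `"$synapse_user"` in the `__directory` and `__file` calls. The two `<<- EOF` heredocs strip leading tabs only; the rendering here has lost the indentation, so if the body and the closing `EOF` are indented with spaces the terminator is never matched — worth confirming they use tabs. `homeserver.yaml` correctly gets `--mode 600`, but `DATA_DIR` is created with the default mode; if the sqlite database or media store lives under it, `--mode 700` on that directory would keep those files from being readable by other local users.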
+++ b/type/__matrix_synapse/parameter/default/message-max-lifetime
@@ -0,0 +1 @@
+1y
diff --git a/type/__matrix_synapse/parameter/default/remote-room-complexity-treshold b/type/__matrix_synapse/parameter/default/remote-room-complexity-treshold
new file mode 100644
index 0000000..d3827e7
--- /dev/null
+++ b/type/__matrix_synapse/parameter/default/remote-room-complexity-treshold
@@ -0,0 +1 @@
+1.0
diff --git a/type/__matrix_synapse/parameter/default/room-encryption-policy b/type/__matrix_synapse/parameter/default/room-encryption-policy
new file mode 100644
index 0000000..cfb931e
--- /dev/null
+++ b/type/__matrix_synapse/parameter/default/room-encryption-policy
@@ -0,0 +1 @@
+off
diff --git a/type/__matrix_synapse/parameter/default/smtp-pass b/type/__matrix_synapse/parameter/default/smtp-password
similarity index 100%
rename from type/__matrix_synapse/parameter/default/smtp-pass
rename to type/__matrix_synapse/parameter/default/smtp-password
diff --git a/type/__matrix_synapse/parameter/default/web-client-url b/type/__matrix_synapse/parameter/default/web-client-url
new file mode 100644
index 0000000..4ed1053
--- /dev/null
+++ b/type/__matrix_synapse/parameter/default/web-client-url
@@ -0,0 +1 @@
+https://app.element.io/
diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional
index 529c06a..73a7dfa 100644
--- a/type/__matrix_synapse/parameter/optional
+++ b/type/__matrix_synapse/parameter/optional
@@ -15,11 +15,15 @@ max-upload-size
 smtp-host
 smtp-port
 smtp-user
-smtp-pass
-riot-base-url
+smtp-password
+web-client-url
 rc-message-per-second
 rc-message-burst
 rc-login-per-second
 rc-login-burst
 global-cache-factor
 event-cache-size
+remote-room-complexity-treshold
+room-encryption-policy
+notification-from
+message-max-lifetime
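Review bot: The added parameter `remote-room-complexity-treshold` misspells "threshold", and the new `parameter/default/remote-room-complexity-treshold` file in this same diff carries the same spelling; since cdist parameter names are the type's command-line interface, the typo becomes a compatibility burden as soon as anyone scripts against it, so rename both to `remote-room-complexity-threshold` before this ships. The hunk also renames `smtp-pass` to `smtp-password` and `riot-base-url` to `web-client-url` with no transition, so existing invocations using the old names will presumably be rejected at parameter validation — worth a changelog line if that break is intended.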