├── .env
├── README.md
├── db.env
├── docker-compose.yml
├── proxy.env
├── sample_configs
│   ├── facebook-bridge
│   │   └── config.yaml
│   ├── homeserver
│   │   └── homeserver.yaml
│   ├── maubot
│   │   └── config.yaml
│   ├── proxy
│   │   └── traefik-ssl.toml
│   ├── telegram-bridge
│   │   └── config.yaml
│   └── webhook-service
│       ├── appservice-registration-webhooks.yaml
│       ├── config.yaml
│       ├── database.json
│       ├── production.db
│       ├── room-store.db
│       └── user-store.db
└── synapse.env
/.env:
--------------------------------------------------------------------------------
1 | DOMAIN=ms.local
2 | CONF_PATH=/mnt/configs
3 | DATA_PATH=/mnt/data
4 | CERT_PATH=/mnt/certs
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # A Matrix (Synapse) Stack with Traefik, bots, bridges and more
2 |
3 | This is a stack defined in a single `docker-compose.yml` file. The guide first preconfigures the various services and then brings the stack up.
4 |
5 | The stack follows some specific logic concerning the file organization, plus a couple of "bad practices" (exposing ports and folders) that should not be a problem for a non-production environment.
6 |
7 | # Components (and images used)
8 | - Postgres - `postgres:latest`
9 | - Synapse homeserver - `matrixdotorg/synapse:latest`
10 | - Element Web Client - `vectorim/element-web`
11 | - Synapse Admin - `awesometechnologies/synapse-admin`
12 | - Telegram Bridge - `dock.mau.dev/tulir/mautrix-telegram:latest`
13 | - Facebook Bridge - `dock.mau.dev/tulir/mautrix-facebook:latest`
14 | - Maubot bot manager - `dock.mau.dev/maubot/maubot:latest`
15 | - Webhook Appservice - `turt2live/matrix-appservice-webhooks`
16 |
17 |
18 | # Assumptions
19 |
20 |
21 |
22 | ## Domain and subdomains
23 |
24 | You should have a domain that resolves at least locally (throughout these instructions we use `ms.local`). We also use the following subdomains at various points (`docker-compose.yml` additionally routes `webchat.ms.local` and `admin.ms.local`):
25 | - matrix.ms.local
26 | - turn.ms.local
27 | - webhooks.ms.local
28 | - proxy.ms.local
29 | - maubot.ms.local
30 |
31 |
32 |
33 |
34 |
35 | ## Certificates
36 |
37 | The guide assumes you have a wildcard certificate for your domain name (`WILDCARD.ms.local`) in the `CERT_PATH` folder.
38 | ```
39 | /${CERT_PATH}/
40 |     WILDCARD.ms.local.crt
41 |     WILDCARD.ms.local.key
42 | ```
43 |
44 | You can generate a self-signed certificate by following the guide from @cecilemuller:
45 | https://gist.github.com/cecilemuller/9492b848eb8fe46d462abeb26656c4f8
46 |
47 | You can of course use different certificates for every service.
48 |
49 |
50 |
51 | ## Folder hierarchy
52 |
53 | The `docker-compose.yml` file assumes the following hierarchy:
54 | ```
55 | ${CONF_PATH}/
56 |     db/
57 |     homeserver/
58 |     webchat/
59 |     telegram-bridge/
60 |     facebook-bridge/
61 |     webhooks/
62 |     maubot/
63 | ${DATA_PATH}/
64 |     homeserver-media_store/
65 |     turn/
66 | ${CERT_PATH}/
67 | ```
68 | - `/configs/` : configuration persistent data
69 |
70 | - `/certs/` : certificates
71 |
72 | - `/data/` : other kind of persistent data (like synapse media store etc.)
73 |
74 |
75 |
76 |
77 |
78 |
79 | # Initialization and preconfigurations
80 |
81 | ## Export ENV
82 |
83 | Edit the `.env` file to your liking, then export each variable with `export VAR=VAL` (the `docker run` commands below expand them). You will need:
84 | ```
85 | export DOMAIN=ms.local
86 | export CONF_PATH=/mnt/configs
87 | ```
88 |
89 | Some of the services need their config files initialized before they can be started.
90 |
91 |
92 |
93 | ## Proxy
94 | 1. Create file `traefik-ssl.toml` in `${CONF_PATH}/proxy/` and paste the following:
95 | ```
96 | [tls]
97 | [tls.stores]
98 | [tls.stores.default]
99 | [tls.stores.default.defaultCertificate]
100 | certFile = "/certs/WILDCARD.ms.local.crt"
101 | keyFile = "/certs/WILDCARD.ms.local.key"
102 | ```
103 | Change the file name of the certificate if you have to.
104 |
105 |
106 |
107 | ## Postgres
108 |
109 | - Create a docker volume: `sudo docker volume create db-data`
110 | - Change the values in `db.env` to your liking. You should at least change `POSTGRES_PASSWORD=`
111 |
112 |
113 |
114 | ## Synapse
115 | Generate a `homeserver.yaml` file in `${CONF_PATH}/homeserver/`. You can find a sample config at `sample_configs/homeserver/homeserver.yaml`.
116 |
117 |
118 | __IMPORTANT: the subdomain (`matrix.${DOMAIN}`) CANNOT be changed later. Make sure you have decided correctly.__
119 |
120 | ```
121 | sudo docker run -it --rm \
122 | -v=${CONF_PATH}/homeserver:/data \
123 | -e SYNAPSE_SERVER_NAME=matrix.${DOMAIN} \
124 | -e SYNAPSE_REPORT_STATS=yes \
125 | matrixdotorg/synapse:latest generate
126 | ```
127 | Edit/Uncomment some important fields:
128 | - `server_name` will be autofilled
129 | ```
130 | server_name: "matrix.ms.local"
131 | ```
132 |
133 | - Add an HTTPS listener for secure connections, bind it to all addresses and enable federation.
134 | ```
135 | listeners:
136 |   - port: 8448
137 |     type: http
138 |     tls: true
139 |     bind_addresses: ['0.0.0.0']
140 |     x_forwarded: true
141 |
142 |     resources:
143 |       - names: [client]
144 |         compress: true
145 |       - names: [federation]
146 |         compress: false
147 |
148 |
149 |   - port: 8008
150 |     tls: false
151 |     type: http
152 |     x_forwarded: true
153 |     bind_addresses: ['0.0.0.0']
154 |     resources:
155 |       - names: [client]
156 |         compress: true
157 |
158 | ```
159 |
160 | - Add the Postgres info to connect to the `db` container
161 | ```
162 | database:
163 |   name: psycopg2
164 |   args:
165 |     user: synapse          # must match POSTGRES_USER in db.env
166 |     password:              # must match POSTGRES_PASSWORD in db.env
167 |     database: synapse_db   # must match POSTGRES_DB in db.env
168 |     host: db               # the compose service name of the database container
169 |     cp_min: 5
170 |     cp_max: 10
171 | ```
172 |
173 | - Change the default `media_store_path` to the one that is mounted in `docker-compose.yml`
174 | ```
175 | media_store_path: "/media_store"
176 | ```
177 |
178 | - Specify the paths to our certificate and key
179 | ```
180 | tls_certificate_path: "/certs/WILDCARD.ms.local.crt"
181 | tls_private_key_path: "/certs/WILDCARD.ms.local.key"
182 | ```
183 |
184 | - Enable registrations
185 | ```
186 | enable_registration: true
187 | ```
188 | - Enable user directory search. (This will help us find the bot accounts later)
189 | ```
190 | user_directory:
191 | enabled: true
192 | search_all_users: true
193 | prefer_local_users: true
194 | ```
195 | - Save the file (_We will edit more while configuring Turn, Bridges and Bots_)
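The `database` block has to agree with `db.env`, otherwise Synapse cannot log in to Postgres when the stack comes up. The following Python script is an added example, not part of this repository: it cross-checks the two files with a minimal `key: value` parser that is enough for the block shown above; the helper names are mine and the sample texts are constructed from the values in this guide.

```python
"""Cross-check Synapse's database settings against db.env.

Added example for this guide, not part of the original repository.
Parses only the simple 'key: value' shape of the database block shown in
this section (no YAML library needed); helper names are mine.
"""
from typing import Dict, List

# homeserver.yaml key under database.args -> variable in db.env
FIELD_MAP = {"user": "POSTGRES_USER", "password": "POSTGRES_PASSWORD",
             "database": "POSTGRES_DB"}


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines as used by db.env (comments and blanks skipped)."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def parse_database_args(text: str) -> Dict[str, str]:
    """Return the key/value pairs nested under 'database:' -> 'args:'."""
    args: Dict[str, str] = {}
    in_db = in_args = False
    db_indent = args_indent = 0
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.split("#", 1)[0].strip().strip("'\"")
        if in_args:
            if indent > args_indent:
                args[key] = value
                continue
            break  # left the args block
        if in_db and indent > db_indent and key == "args":
            in_args, args_indent = True, indent
            continue
        if in_db and indent <= db_indent:
            break  # another top-level key before any args
        if indent == 0 and key == "database":
            in_db, db_indent = True, indent
    return args


def check_db_credentials(homeserver_yaml: str, db_env: str,
                         compose_db_service: str = "db") -> List[str]:
    """Return human-readable mismatches; an empty list means consistent."""
    args = parse_database_args(homeserver_yaml)
    env = parse_env(db_env)
    problems = []
    for yaml_key, env_key in FIELD_MAP.items():
        if args.get(yaml_key, "") != env.get(env_key, ""):
            problems.append(f"database.args.{yaml_key}={args.get(yaml_key, '')!r} "
                            f"but {env_key}={env.get(env_key, '')!r}")
    if args.get("host") != compose_db_service:
        problems.append(f"database.args.host should be the compose service "
                        f"name {compose_db_service!r}")
    return problems


# Constructed from the values in this guide: the README block leaves the
# password empty while db.env sets it, so the check must flag that.
HOMESERVER_YAML = """\
server_name: "matrix.ms.local"
database:
  name: psycopg2
  args:
    user: synapse
    password:
    database: synapse_db
    host: db
    cp_min: 5
    cp_max: 10
media_store_path: "/media_store"
"""
DB_ENV = "POSTGRES_PASSWORD=12345\nPOSTGRES_USER=synapse\nPOSTGRES_DB=synapse_db\n"

if __name__ == "__main__":
    for problem in check_db_credentials(HOMESERVER_YAML, DB_ENV):
        print("MISMATCH:", problem)
```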
196 |
197 |
198 |
199 |
200 |
201 |
202 | ## Bridges and Bots
203 |
204 |
205 |
206 | ### Telegram Bridge
207 | _Source_: https://docs.mau.fi/bridges/python/setup/docker.html?bridge=telegram
208 |
209 | 1. Run the command to generate a `config.yaml`:
210 | ```
211 | sudo docker run --rm -v ${CONF_PATH}/telegram-bridge:/data:z dock.mau.dev/mautrix/telegram:latest
212 | ```
213 |
214 |
215 | 2. Edit the file (reference `sample_configs/telegram-bridge/config.yaml`):
216 | - Main connection configuration (_Since this is a dev/testing server we use HTTPS but do not verify any certificates between the bridge and the homeserver. The same goes for the other bridges and services._)
217 | ```
218 | homeserver:
219 |     # The address that this appservice can use to connect to the homeserver.
220 |     address: https://homeserver:8448
221 |     # The domain of the homeserver (for MXIDs, etc).
222 |     domain: matrix.ms.local
223 |     # Whether or not to verify the SSL certificate of the homeserver.
224 |     # Only applies if address starts with https://
225 |     verify_ssl: false
226 |
227 | appservice:
228 |     # The address that the homeserver can use to connect to this appservice.
229 |     address: http://telegram-bridge:29317
230 |     database: sqlite:////data/telegram-bridge.db
231 | ```
232 | - Bridge permissions
233 |
234 | We should also give some users permission to use the bridge. Since we do not even have a homeserver yet, we give admin permissions to all users that share the domain `matrix.ms.local`. Edit the following:
235 | ```
236 | permissions:
237 |     "*": relaybot
238 |     "matrix.ms.local": admin
239 | ```
240 | - Telegram API key
241 | ```
242 | telegram:
243 |     # Get your own API keys at https://my.telegram.org/apps
244 |     api_id: 12345
245 |     api_hash: tjyd5yge35lbodk1xwzw2jstp90k55qz
246 |
247 | ```
248 |
249 | 3. Run the docker command again to generate a `registration.yaml`
250 | ```
251 | sudo docker run --rm -v ${CONF_PATH}/telegram-bridge:/data:z dock.mau.dev/mautrix/telegram:latest
252 | ```
253 | The `registration.yaml` file is mounted into the `homeserver` container.
254 |
255 |
256 |
257 |
258 | ### Facebook Bridge (Almost identical to Telegram bridge)
259 | _Source_: https://docs.mau.fi/bridges/python/setup/docker.html?bridge=facebook
260 |
261 | 1. Run the command to generate a `config.yaml`:
262 | ```
263 | sudo docker run --rm -v ${CONF_PATH}/facebook-bridge:/data:z dock.mau.dev/mautrix/facebook:latest
264 | ```
265 |
266 |
267 | 2. Edit the file (reference `sample_configs/facebook-bridge/config.yaml`):
268 | - Main connection configuration (_Since this is a dev/testing server we use HTTPS but do not verify any certificates between the bridge and the homeserver. The same goes for the other bridges and services._)
269 | ```
270 | homeserver:
271 |     # The address that this appservice can use to connect to the homeserver.
272 |     address: https://homeserver:8448
273 |     # The domain of the homeserver (for MXIDs, etc).
274 |     domain: matrix.ms.local
275 |     # Whether or not to verify the SSL certificate of the homeserver.
276 |     # Only applies if address starts with https://
277 |     verify_ssl: false
278 |
279 | appservice:
280 |     # The address that the homeserver can use to connect to this appservice.
281 |     address: http://facebook-bridge:29319  # matches "port:" in sample_configs/facebook-bridge/config.yaml
282 |     database: sqlite:////data/facebook-bridge.db
283 | ```
284 | - Bridge permissions
285 |
286 | We should also give some users permission to use the bridge. Since we do not even have a homeserver yet, we give admin permissions to all users that share the domain `matrix.ms.local`. Edit the following:
287 | ```
288 | permissions:
289 |     "*": "relay"
290 |     "matrix.ms.local": "admin"
291 | ```
292 |
293 | 3. Run the docker command again to generate a `registration.yaml`
294 | ```
295 | sudo docker run --rm -v ${CONF_PATH}/facebook-bridge:/data:z dock.mau.dev/mautrix/facebook:latest
296 | ```
297 | The `registration.yaml` file is mounted into the `homeserver` container.
298 |
299 |
300 |
301 |
302 |
303 | ### Webhook App Service
304 | Source: https://github.com/turt2live/matrix-appservice-webhooks#docker
305 |
306 | 1. Create an `appservice-registration-webhooks.yaml` file in `${CONF_PATH}/webhooks` and copy the following (make sure you generate `hs_token` and `as_token`):
307 |
308 | ```
309 | id: webhooks
310 | hs_token: A_RANDOM_ALPHANUMERIC_STRING # CHANGE THIS
311 | as_token: ANOTHER_RANDOM_ALPHANUMERIC_STRING # CHANGE THIS
312 | namespaces:
313 |   users:
314 |     - exclusive: true
315 |       regex: '@_webhook.*'
316 | url: 'http://webhook-service:9000'
317 | sender_localpart: webhooks
318 | rate_limited: false
319 | ```
320 |
321 | 2. Create a `config.yaml` file in `${CONF_PATH}/webhooks` and copy/edit the following:
322 | ```
323 | homeserver:
324 |   url: "http://homeserver:8008"
325 |   domain: "matrix.ms.local"
326 |
327 | webhookBot:
328 |   localpart: "webhooks"
329 |   appearance:
330 |     displayName: "Webhook Bridge"
331 |     avatarUrl: "http://i.imgur.com/IDOBtEJ.png"
332 |
333 | provisioning:
334 |   secret: 'CHANGE_ME'
335 |
336 | web:
337 |   hookUrlBase: 'https://webhooks.ms.local'
338 |
339 | logging:
340 |   file: logs/webhook.log
341 |   console: true
342 |   consoleLevel: debug
343 |   fileLevel: verbose
344 |   writeFiles: true
345 |   rotate:
346 |     size: 52428800 # bytes, default is 50mb
347 |     count: 5
348 | ```
349 |
350 | 3. Create a `database.json` file in `${CONF_PATH}/webhooks` and copy the following:
351 | ```
352 | {
353 |   "defaultEnv": {
354 |     "ENV": "NODE_ENV"
355 |   },
356 |   "development": {
357 |     "driver": "sqlite3",
358 |     "filename": "/data/development.db"
359 |   },
360 |   "production": {
361 |     "driver": "sqlite3",
362 |     "filename": "/data/production.db"
363 |   }
364 | }
365 | ```
366 |
367 | 4. Run the command to check for errors:
368 | ```
369 | sudo docker run --rm -v ${CONF_PATH}/webhooks:/data turt2live/matrix-appservice-webhooks
370 | ```
371 | _If you get an `[ERROR] ConnectionError: request failed: getaddrinfo ENOTFOUND homeserver homeserver:8008`, this is normal since we don't have a working homeserver yet._
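The registration template in step 1 still carries placeholder tokens. As an added example that is not part of this repository or of matrix-appservice-webhooks, the following Python writes the same registration with two independent tokens drawn from the OS CSPRNG and rejects a file whose tokens are missing, identical, short or still placeholders; the helper names are mine.

```python
"""Write an appservice registration with freshly generated tokens.

Added example for this guide, not part of the original repository or of
matrix-appservice-webhooks. Field layout follows the registration shown
above; helper names are mine and the file is emitted as plain text so no
YAML library is needed.
"""
import secrets
from typing import Dict, List, Optional

MIN_TOKEN_LEN = 32
PLACEHOLDERS = ("A_RANDOM_ALPHANUMERIC_STRING",
                "ANOTHER_RANDOM_ALPHANUMERIC_STRING", "CHANGE_ME")


def new_token(nbytes: int = 48) -> str:
    # token_urlsafe draws from the OS CSPRNG; 48 bytes -> 64 characters.
    return secrets.token_urlsafe(nbytes)


def make_registration(as_id: str, url: str, sender_localpart: str,
                      user_regex: str, hs_token: Optional[str] = None,
                      as_token: Optional[str] = None) -> str:
    """Return the registration YAML; tokens are generated unless supplied."""
    hs_token = hs_token or new_token()  # homeserver -> appservice auth
    as_token = as_token or new_token()  # appservice -> homeserver auth
    return (
        f"id: {as_id}\n"
        f"hs_token: {hs_token}\n"
        f"as_token: {as_token}\n"
        "namespaces:\n"
        "  users:\n"
        "    - exclusive: true\n"
        f"      regex: '{user_regex}'\n"
        f"url: '{url}'\n"
        f"sender_localpart: {sender_localpart}\n"
        "rate_limited: false\n"
    )


def top_level_scalars(text: str) -> Dict[str, str]:
    """Collect unindented 'key: value' lines (enough for the fields checked)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.split("#", 1)[0].strip().strip("'\"")
    return fields


def validate_registration(text: str) -> List[str]:
    """Return problems found; an empty list means the file is usable."""
    fields = top_level_scalars(text)
    problems = []
    for key in ("hs_token", "as_token"):
        tok = fields.get(key, "")
        if not tok:
            problems.append(f"{key} missing")
        elif tok in PLACEHOLDERS:
            problems.append(f"{key} still has its placeholder value")
        elif len(tok) < MIN_TOKEN_LEN:
            problems.append(f"{key} too short ({len(tok)} chars)")
    if fields.get("hs_token") and fields.get("hs_token") == fields.get("as_token"):
        problems.append("hs_token and as_token must differ")
    if not fields.get("url"):
        problems.append("url missing")
    return problems


# Constructed copy of the template in step 1, still carrying its placeholders.
TEMPLATE = make_registration("webhooks", "http://webhook-service:9000", "webhooks",
                             "@_webhook.*",
                             hs_token="A_RANDOM_ALPHANUMERIC_STRING",
                             as_token="ANOTHER_RANDOM_ALPHANUMERIC_STRING")

if __name__ == "__main__":
    print("template problems:", validate_registration(TEMPLATE))
    print(make_registration("webhooks", "http://webhook-service:9000",
                            "webhooks", "@_webhook.*"))
```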
372 |
373 |
374 |
375 | ### Maubot Manager
376 | _Source_: https://docs.mau.fi/maubot/usage/setup/docker.html
377 |
378 | 1. Run the command to generate a `config.yaml`:
379 | ```
380 | sudo docker run --rm -v ${CONF_PATH}/maubot:/data:z dock.mau.dev/maubot/maubot:latest
381 | ```
382 |
383 |
384 | 2. Update the file to add your homeserver (note the colon after the homeserver name, it is a mapping key):
385 | ```
386 | homeservers:
387 |     matrix.ms.local:
388 |         url: https://homeserver:8448
389 |         secret:
390 | ```
391 |
392 | 3. Create an admin user
393 | ```
394 | admins:
395 |     root: ''
396 |     admin: '12345' # use a password you like
397 | ```
398 | 4. Save the file
399 |
400 |
401 |
402 |
403 | ### Registering the new services with the homeserver
404 |
405 | Edit `homeserver.yaml` and add the following:
406 | ```
407 | app_service_config_files:
408 |   - /app_services/telegram-registration.yaml
409 |   - /app_services/facebook-registration.yaml
410 |   - /app_services/webhooks-registration.yaml
411 | ```
412 | (the docker-compose file mounts each registration file into the `homeserver` container)
413 |
414 |
415 |
416 |
417 |
418 |
419 |
420 |
421 | # Bringing up the Chat Server
422 |
423 | If everything is correctly initialized we can bring up the stack with `sudo docker-compose up`.
424 | After a while we should be able to visit the Element web UI at `https://webchat.${DOMAIN}` and register a new user.
425 |
426 |
427 |
428 |
429 |
430 | # Final Notes
431 |
432 | - This is by __no means__ a production-ready setup. Some of the things that should be changed are:
433 |   - Different certificates for every service (plus for the bots)
434 |   - Postgres for the bridges' databases
435 |   - No `--serverstransport.insecureskipverify=true` in the Traefik commands
436 |   - Use `secrets` for sensitive information
437 | - There are some more things to set up for the homeserver, bots and bridges. Please refer to their respective documentation.
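The dev-only settings listed above can be found mechanically before the stack is shared beyond a lab. The following Python audit is an added example, not part of this repository: it scans compose, env and bridge configuration text for those settings (plus the default database password, the mounted Docker socket and placeholder secrets) and reports file and line; the rule names are mine and the sample inputs are short excerpts constructed from this guide's files.

```python
"""Audit the stack's configuration text for the dev-only settings in Final Notes.

Added example for this guide, not part of the original repository.
Rule names and the Finding type are mine; SAMPLES below are short excerpts
constructed from this guide's docker-compose.yml, db.env, homeserver.yaml
and bridge configs.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    source: str   # which file the line came from
    line: int     # 1-based line number within that file
    rule: str     # short rule id
    detail: str   # what a reviewer should know about it


# (rule id, pattern matched against one line, explanation)
RULES = [
    ("traefik-skip-verify", re.compile(r"--serverstransport\.insecureskipverify=true"),
     "Traefik does not verify upstream TLS certificates"),
    ("traefik-insecure-api", re.compile(r"--api\.insecure=true"),
     "Traefik API/dashboard reachable without authentication"),
    ("docker-socket", re.compile(r"/var/run/docker\.sock:/var/run/docker\.sock"),
     "container can control the Docker daemon through the mounted socket"),
    ("bridge-no-verify", re.compile(r"^\s*verify_ssl:\s*false\b"),
     "bridge accepts any certificate from the homeserver"),
    ("open-registration", re.compile(r"^\s*enable_registration:\s*true\b"),
     "anyone who can reach the homeserver may register an account"),
    ("sqlite-bridge-db", re.compile(r"^\s*database:\s*sqlite:"),
     "bridge state kept in SQLite; Final Notes recommend Postgres"),
    ("weak-db-password", re.compile(r"^POSTGRES_PASSWORD=(12345|postgres|password)?\s*$"),
     "database password is empty or a well-known default"),
    ("placeholder-secret", re.compile(
        r"^\s*(hs_token|as_token|secret|api_hash):\s*['\"]?"
        r"(CHANGE_ME|A_RANDOM\w*|ANOTHER_RANDOM\w*)"),
     "secret still has its placeholder value"),
]


def audit(source: str, text: str) -> List[Finding]:
    """Apply every rule to every line of one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, detail in RULES:
            if pattern.search(line):
                findings.append(Finding(source, lineno, rule, detail))
    return findings


def audit_many(files: Dict[str, str]) -> List[Finding]:
    """Audit a mapping of file name -> file contents."""
    out: List[Finding] = []
    for name, text in files.items():
        out.extend(audit(name, text))
    return out


# Constructed excerpts mirroring this guide's files.
SAMPLES = {
    "docker-compose.yml": """\
services:
  proxy:
    image: traefik:v2.4
    command:
      - --providers.docker=true
      - --api.insecure=true
      - --serverstransport.insecureskipverify=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
""",
    "db.env": "POSTGRES_PASSWORD=12345\nPOSTGRES_USER=synapse\n",
    "homeserver.yaml": 'server_name: "matrix.ms.local"\nenable_registration: true\n',
    "telegram-bridge/config.yaml": """\
homeserver:
    address: https://homeserver:8448
    verify_ssl: false
appservice:
    database: sqlite:////data/telegram-bridge.db
""",
    "webhooks/config.yaml": "provisioning:\n  secret: 'CHANGE_ME'\n",
}

if __name__ == "__main__":
    for f in audit_many(SAMPLES):
        print(f"{f.source}:{f.line}: [{f.rule}] {f.detail}")
```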
438 |
439 |
440 | # Disclaimer
441 |
442 | It goes without saying that I'm not responsible for anything that might go wrong. __BUT__ I will be more than happy to help in any situation. If you have any suggestions on how this guide can be better (I'm sure there are a lot), please feel free to contact me!
443 |
444 | # Sources and links
445 |
446 | - Synapse
447 |   - Github: @matrix-org | https://github.com/matrix-org/synapse
448 |   - Documentation: https://matrix-org.github.io/synapse/latest/
449 |   - Docker image: https://hub.docker.com/r/matrixdotorg/synapse/
450 | - Postgres
451 |   - Github: @postgres | https://github.com/postgres/postgres
452 |   - Documentation: https://www.postgresql.org/docs/current/
453 |   - Docker image: https://hub.docker.com/_/postgres/
454 | - Element.io Web
455 |   - Github: @vector-im
456 |   - Docker image: https://hub.docker.com/r/vectorim/element-web/
457 | - Synapse Admin
458 |   - Github: @Awesome-Technologies | https://github.com/Awesome-Technologies/synapse-admin
459 |   - Docker image: https://hub.docker.com/r/awesometechnologies/synapse-admin
460 | - Telegram Bridge
461 |   - Github: @mautrix | https://github.com/mautrix/telegram
462 |   - Documentation: https://docs.mau.fi/bridges/python/setup/docker.html?bridge=telegram
463 | - Facebook Bridge
464 |   - Github: @mautrix | https://github.com/mautrix/facebook
465 |   - Documentation: https://docs.mau.fi/bridges/python/setup/docker.html?bridge=facebook
466 | - Maubot Manager
467 |   - Github: @maubot | https://github.com/maubot/maubot
468 |   - Documentation: https://docs.mau.fi/maubot/usage/setup/docker.html
469 | - Webhook Appservice
470 |   - Github: @turt2live | https://github.com/turt2live/matrix-appservice-webhooks
471 |
--------------------------------------------------------------------------------
/db.env:
--------------------------------------------------------------------------------
1 | POSTGRES_PASSWORD=12345
2 | POSTGRES_USER=synapse
3 | POSTGRES_DB=synapse_db
4 | PGDATA=/var/lib/postgresql/data/synapse
5 | TZ=Europe/Athens
6 | POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
1 | version: "3"
2 |
3 | networks:
4 |   db:
5 |   proxy:
6 |   bots:
7 | volumes:
8 |   db-data:
9 |     external: true
10 |
11 | services:
12 |
13 |   ## PROXY
14 |   proxy:
15 |     image: traefik:v2.4
16 |     container_name: proxy
17 |     restart: unless-stopped
18 |     command:
19 |       - --providers.docker=true
20 |       - --api.insecure=true
21 |       - --entrypoints.web.address=:80
22 |       - --entrypoints.websecure.address=:443
23 |       - --entrypoints.web.http.redirections.entryPoint.to=websecure
24 |       - --providers.file.filename=/root/.config/ssl.toml
25 |       - --entrypoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
26 |       - --serverstransport.insecureskipverify=true
27 |     volumes:
28 |       - ${CONF_PATH}/proxy/traefik-ssl.toml:/root/.config/ssl.toml
29 |       - ${CERT_PATH}:/certs
30 |       - /var/run/docker.sock:/var/run/docker.sock
31 |     ports:
32 |       - "80:80"
33 |       - "443:443"
34 |       - "8080:8080"
35 |     networks:
36 |       - proxy
37 |     labels:
38 |       - traefik.docker.network=proxy
39 |       - traefik.http.routers.proxy.middlewares=proxy-https
40 |       - traefik.http.middlewares.proxy-https.redirectscheme.scheme=https
41 |       - traefik.http.routers.proxy.rule=Host(`proxy.${DOMAIN}`)
42 |       - traefik.http.services.proxy.loadbalancer.server.port=8080
43 |       - traefik.http.routers.proxy.tls=true
44 |
45 |   ## DATABASE
46 |   db:
47 |     image: postgres:latest
48 |     container_name: db
49 |     restart: always
50 |     env_file:
51 |       - db.env
52 |     volumes:
53 |       - db-data:/var/lib/postgresql/data/synapse
54 |     networks:
55 |       - db
56 |     labels:
57 |       - traefik.enable=false
58 |
59 |   ## HOMESERVER
60 |   homeserver:
61 |     image: matrixdotorg/synapse:latest
62 |     container_name: homeserver
63 |     restart: always
64 |     depends_on:
65 |       - db
66 |     env_file:
67 |       - synapse.env
68 |     volumes:
69 |       - ${CONF_PATH}/homeserver:/data
70 |       - ${DATA_PATH}/homeserver-media_store:/media_store
71 |       - ${CERT_PATH}:/certs
72 |       - ${CONF_PATH}/telegram-bridge/registration.yaml:/app_services/telegram-registration.yaml
73 |       - ${CONF_PATH}/facebook-bridge/registration.yaml:/app_services/facebook-registration.yaml
74 |       - ${CONF_PATH}/webhooks/appservice-registration-webhooks.yaml:/app_services/webhooks-registration.yaml
75 |     networks:
76 |       - db
77 |       - proxy
78 |       - bots
79 |     labels:
80 |       - traefik.docker.network=proxy
81 |       - traefik.http.routers.homeserver.rule=Host(`matrix.${DOMAIN}`)
82 |       - traefik.http.services.homeserver.loadbalancer.server.port=8448
83 |       - traefik.http.services.homeserver.loadbalancer.server.scheme=https
84 |       - traefik.http.middlewares.homeserver.headers.customrequestheaders.X-Forwarded-Proto=https
85 |       - traefik.http.routers.homeserver.middlewares=homeserver
86 |       - traefik.http.routers.homeserver.tls=true
87 |
88 |   ## ELEMENT WEB CLIENT
89 |   webchat:
90 |     image: vectorim/element-web
91 |     container_name: webchat
92 |     restart: always
93 |     depends_on:
94 |       - homeserver
95 |     networks:
96 |       - proxy
97 |     labels:
98 |       - traefik.docker.network=proxy
99 |       - traefik.http.routers.webchat.rule=Host(`webchat.${DOMAIN}`)
100 |       - traefik.http.services.webchat.loadbalancer.server.port=80
101 |       - traefik.http.middlewares.webchat.headers.customrequestheaders.X-Forwarded-Proto=https
102 |       - traefik.http.routers.webchat.middlewares=webchat
103 |       - traefik.http.routers.webchat.tls=true
104 |
105 |   ## SYNAPSE ADMIN
106 |   admin:
107 |     image: awesometechnologies/synapse-admin
108 |     container_name: admin
109 |     restart: always
110 |     networks:
111 |       - proxy
112 |     labels:
113 |       - traefik.docker.network=proxy
114 |       - traefik.http.routers.admin.rule=Host(`admin.${DOMAIN}`)
115 |       - traefik.http.services.admin.loadbalancer.server.port=80
116 |       - traefik.http.middlewares.admin.headers.customrequestheaders.X-Forwarded-Proto=https
117 |       - traefik.http.routers.admin.middlewares=admin
118 |       - traefik.http.routers.admin.tls=true
119 |
120 |
121 |   ## BRIDGES
122 |   telegram-bridge:
123 |     container_name: telegram-bridge
124 |     image: dock.mau.dev/mautrix/telegram:latest
125 |     restart: always
126 |     depends_on:
127 |       - homeserver
128 |     volumes:
129 |       - ${CONF_PATH}/telegram-bridge:/data
130 |     networks:
131 |       - bots
132 |     labels:
133 |       - traefik.enable=false
134 |
135 |   facebook-bridge:
136 |     container_name: facebook-bridge
137 |     image: dock.mau.dev/mautrix/facebook:latest
138 |     restart: always
139 |     depends_on:
140 |       - homeserver
141 |     volumes:
142 |       - ${CONF_PATH}/facebook-bridge:/data
143 |     networks:
144 |       - bots
145 |     labels:
146 |       - traefik.enable=false
147 |
148 |   ## WEBHOOKS
149 |   webhook-service:
150 |     container_name: webhook-service
151 |     image: turt2live/matrix-appservice-webhooks
152 |     restart: always
153 |     depends_on:
154 |       - homeserver
155 |     volumes:
156 |       - ${CONF_PATH}/webhooks:/data
157 |     networks:
158 |       - bots
159 |       - proxy
160 |     labels:
161 |       - traefik.docker.network=proxy
162 |       - traefik.http.routers.webhook-service.rule=Host(`webhooks.${DOMAIN}`)
163 |       - traefik.http.services.webhook-service.loadbalancer.server.port=29316
164 |       - traefik.http.middlewares.webhook-service.headers.customrequestheaders.X-Forwarded-Proto=https
165 |       - traefik.http.routers.webhook-service.middlewares=webhook-service
166 |       - traefik.http.routers.webhook-service.tls=true
167 |
168 |   ## BOTS
169 |   maubot:
170 |     image: dock.mau.dev/maubot/maubot:latest
171 |     container_name: maubot
172 |     restart: always
173 |     depends_on:
174 |       - homeserver
175 |     volumes:
176 |       - ${CONF_PATH}/maubot:/data
177 |     networks:
178 |       - bots
179 |       - proxy
180 |     labels:
181 |       - traefik.docker.network=proxy
182 |       - traefik.http.routers.maubot.rule=Host(`maubot.${DOMAIN}`)
183 |       - traefik.http.services.maubot.loadbalancer.server.port=29316
184 |       - traefik.http.middlewares.maubot.headers.customrequestheaders.X-Forwarded-Proto=https
185 |       - traefik.http.routers.maubot.middlewares=maubot
186 |       - traefik.http.routers.maubot.tls=true
187 |
--------------------------------------------------------------------------------
/proxy.env:
--------------------------------------------------------------------------------
1 | TRAEFIK_ENTRYPOINTS_WEB=true
2 | TRAEFIK_ENTRYPOINTS_WEB_ADDRESS=:80
3 | TRAEFIK_ENTRYPOINTS_WEBSEC=true
4 | TRAEFIK_ENTRYPOINTS_WEBSEC_ADDRESS=:443
5 | TRAEFIK_PROVIDERS_DOCKER=true
6 | TRAEFIK_API=true
7 | TRAEFIK_API_DASHBOARD=true
8 | TRAEFIK_API_INSECURE=true
9 |
--------------------------------------------------------------------------------
/sample_configs/facebook-bridge/config.yaml:
--------------------------------------------------------------------------------
1 | # Homeserver details
2 | homeserver:
3 |     # The address that this appservice can use to connect to the homeserver.
4 |     address: https://homeserver:8448
5 |     # The domain of the homeserver (for MXIDs, etc).
6 |     domain: matrix.ms.local
7 |     # Whether or not to verify the SSL certificate of the homeserver.
8 |     # Only applies if address starts with https://
9 |     verify_ssl: false
10 |     # Whether or not the homeserver supports asmux-specific endpoints,
11 |     # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically
12 |     # updating m.direct.
13 |     asmux: false
14 |     # Number of retries for all HTTP requests if the homeserver isn't reachable.
15 |     http_retry_count: 4
16 |     # The URL to push real-time bridge status to.
17 |     # If set, the bridge will make POST requests to this URL whenever a user's Facebook MQTT connection state changes.
18 |     # The bridge will use the appservice as_token to authorize requests.
19 |     status_endpoint:
20 |     # Endpoint for reporting per-message status.
21 |     message_send_checkpoint_endpoint:
22 |
23 | # Application service host/registration related details
24 | # Changing these values requires regeneration of the registration.
25 | appservice:
26 |     # The address that the homeserver can use to connect to this appservice.
27 |     address: http://facebook-bridge:29319
28 |
29 |     # The hostname and port where this appservice should listen.
30 |     hostname: 0.0.0.0
31 |     port: 29319
32 |     # The maximum body size of appservice API requests (from the homeserver) in mebibytes
33 |     # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
34 |     max_body_size: 1
35 |
36 |     # The full URI to the database. SQLite and Postgres are supported.
37 |     # Format examples:
38 |     #   SQLite:   sqlite:///filename.db
39 |     #   Postgres: postgres://username:password@hostname/dbname
40 |     database: sqlite:////data/facebook-bridge.db
41 |     # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
42 |     # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
43 |     # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
44 |     # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
45 |     database_opts:
46 |         min_size: 5
47 |         max_size: 10
48 |     public:
49 |         # Whether or not the public-facing endpoints should be enabled.
50 |         enabled: false
51 |         # The prefix to use in the public-facing endpoints.
52 |         prefix: /public
53 |         # The base URL where the public-facing endpoints are available. The prefix is not added
54 |         # implicitly.
55 |         external: https://example.com/public
56 |         # Shared secret for integration managers such as mautrix-manager.
57 |         # If set to "generate", a random string will be generated on the next startup.
58 |         # If null, integration manager access to the API will not be possible.
59 |         shared_secret: miGugZSRxldY1l35HEOGKmqV7EfpAIszy7_xn1iaKe6wzFsiXlE4uJ_4kyegV8PJ
60 |         # Allow logging in within Matrix. If false, users can only log in using the web interface.
61 |         allow_matrix_login: true
62 |         # Segment API key to enable analytics tracking for web server endpoints. Set to null to disable.
63 |         # Currently the only events are login start, success and fail.
64 |         segment_key:
65 |
66 |     # The unique ID of this appservice.
67 |     id: facebook
68 |     # Username of the appservice bot.
69 |     bot_username: facebookbot
70 |     # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
71 |     # to leave display name/avatar as-is.
72 |     bot_displayname: Facebook bridge bot
73 |     bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak
74 |
75 |     # Whether or not to receive ephemeral events via appservice transactions.
76 |     # Requires MSC2409 support (i.e. Synapse 1.22+).
77 |     # You should disable bridge -> sync_with_custom_puppets when this is enabled.
78 |     ephemeral_events: false
79 |
80 |     # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
81 |     as_token: G5yTjMjB9WzAAy9QxpaQvr5kikAV2yybkUbB0Wfi0l0Pq62W_xopdp-GRX_Ysgfv
82 |     hs_token: NzUfinOQ0V9hNjNG11OH_K5ZmAg3nqfeFSORwgYgeCCgRDb_GWRtmA3MqlBCDaHZ
83 |
84 | # Prometheus telemetry config. Requires prometheus-client to be installed.
85 | metrics:
86 |     enabled: false
87 |     listen_port: 8000
88 |
89 | # Manhole config.
90 | manhole:
91 |     # Whether or not opening the manhole is allowed.
92 |     enabled: false
93 |     # The path for the unix socket.
94 |     path: /var/tmp/mautrix-facebook.manhole
95 |     # The list of UIDs who can be added to the whitelist.
96 |     # If empty, any UIDs can be specified in the open-manhole command.
97 |     whitelist:
98 |     - 0
99 | bridge:
100 |     # Localpart template of MXIDs for Facebook users.
101 |     # {userid} is replaced with the user ID of the Facebook user.
102 |     username_template: facebook_{userid}
103 |     # Displayname template for Facebook users.
104 |     # {displayname} is replaced with the display name of the Facebook user
105 |     # as defined below in displayname_preference.
106 |     # Keys available for displayname_preference are also available here.
107 |     displayname_template: '{displayname} (FB)'
108 |     # Available keys:
109 |     # "name" (full name)
110 |     # "first_name"
111 |     # "last_name"
112 |     # "nickname"
113 |     # "own_nickname" (user-specific!)
114 |     displayname_preference:
115 |     - name
116 |     - first_name
117 |     command_prefix: '!fb'
118 |
119 |     # Number of chats to sync (and create portals for) on startup/login.
120 |     # Set 0 to disable automatic syncing.
121 |     initial_chat_sync: 20
122 |     # Whether or not the Facebook users of logged in Matrix users should be
123 |     # invited to private chats when the user sends a message from another client.
124 |     invite_own_puppet_to_pm: false
125 |     # Whether or not to use /sync to get presence, read receipts and typing notifications
126 |     # when double puppeting is enabled
127 |     sync_with_custom_puppets: true
128 |     # Whether or not to update the m.direct account data event when double puppeting is enabled.
129 |     # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
130 |     # and is therefore prone to race conditions.
131 |     sync_direct_chat_list: false
132 |     # Servers to always allow double puppeting from
133 |     double_puppet_server_map:
134 |         example.com: https://example.com
135 |     double_puppet_allow_discovery: false
136 |     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
137 |     #
138 |     # If set, custom puppets will be enabled automatically for local users
139 |     # instead of users having to find an access token and run `login-matrix`
140 |     # manually.
141 |     # If using this for other servers than the bridge's server,
142 |     # you must also set the URL in the double_puppet_server_map.
143 |     login_shared_secret_map:
144 |         example.com: foobar
145 |     presence_from_facebook: false
146 |     # Whether or not to update avatars when syncing all contacts at startup.
147 |     update_avatar_initial_sync: true
148 |     # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
149 |     # and login_shared_secret to be configured in order to get a device for the bridge bot.
150 |     #
151 |     # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
152 |     # application service.
153 |     encryption:
154 |         # Allow encryption, work in group chat rooms with e2ee enabled
155 |         allow: false
156 |         # Default to encryption, force-enable encryption in all portals the bridge creates
157 |         # This will cause the bridge bot to be in private chats for the encryption to work properly.
158 |         default: false
159 |         # Options for automatic key sharing.
160 |         key_sharing:
161 |             # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
162 |             # You must use a client that supports requesting keys from other users to use this feature.
163 |             allow: false
164 |             # Require the requesting device to have a valid cross-signing signature?
165 |             # This doesn't require that the bridge has verified the device, only that the user has verified it.
166 |             # Not yet implemented.
167 |             require_cross_signing: false
168 |             # Require devices to be verified by the bridge?
169 |             # Verification by the bridge is not yet implemented.
170 |             require_verification: true
171 |     # Whether or not the bridge should send a read receipt from the bridge bot when a message has
172 |     # been sent to Facebook.
173 |     delivery_receipts: false
174 |     # Whether to allow inviting arbitrary mxids to portal rooms
175 |     allow_invites: false
176 |     # Whether or not created rooms should have federation enabled.
177 |     # If false, created portal rooms will never be federated.
178 |     federate_rooms: true
179 |     # Settings for backfilling messages from Facebook.
180 |     backfill:
181 |         # Whether or not the Facebook users of logged in Matrix users should be
182 |         # invited to private chats when backfilling history from Facebook. This is
183 |         # usually needed to prevent rate limits and to allow timestamp massaging.
184 |         invite_own_puppet: true
185 |         # Maximum number of messages to backfill initially.
186 |         # Set to 0 to disable backfilling when creating portal.
187 |         initial_limit: 0
188 |         # Maximum number of messages to backfill if messages were missed while
189 |         # the bridge was disconnected.
190 |         # Set to 0 to disable backfilling missed messages.
191 |         missed_limit: 1000
192 |         # If using double puppeting, should notifications be disabled
193 |         # while the initial backfill is in progress?
194 |         disable_notifications: false
195 |     periodic_reconnect:
196 |         # Interval in seconds in which to automatically reconnect all users.
197 |         # This can be used to automatically mitigate the bug where Facebook stops sending messages.
198 |         # Set to -1 to disable periodic reconnections entirely.
199 |         # Set to a list of two items to randomize the interval (min, max).
200 |         interval: -1
201 |         # What to do in periodic reconnects. Either "refresh" or "reconnect"
202 |         mode: refresh
203 |         # Should even disconnected users be reconnected?
204 |         always: false
205 |         # Only reconnect if the user has been connected for longer than this value
206 |         min_connected_time: 0
207 |     # The number of seconds that a disconnection can last without triggering an automatic re-sync
208 |     # and missed message backfilling when reconnecting.
209 |     # Set to 0 to always re-sync, or -1 to never re-sync automatically.
210 |     resync_max_disconnected_time: 5
211 |     # Should the bridge do a resync on startup?
212 |     sync_on_startup: true
213 |     # Whether or not temporary disconnections should send notices to the notice room.
214 |     # If this is false, disconnections will never send messages and connections will only send
215 |     # messages if it was disconnected for more than resync_max_disconnected_time seconds.
216 |     temporary_disconnect_notices: false
217 |     # Disable bridge notices entirely
218 |     disable_bridge_notices: false
219 |     on_reconnection_fail:
220 |         # What to do if a reconnection attempt fails? Options: reconnect, refresh, null
221 |         action: reconnect
222 |         # Seconds to wait before attempting to refresh the connection, set a list of two items to
223 | # to randomize the interval (min, max).
224 | wait_for: 0
225 | # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
226 | # This field will automatically be changed back to false after it,
227 | # except if the config file is not writable.
228 | resend_bridge_info: false
229 | # When using double puppeting, should muted chats be muted in Matrix?
230 | mute_bridging: false
231 | # Whether or not mute status and tags should only be bridged when the portal room is created.
232 | tag_only_on_create: true
233 | # If set to true, downloading media from the CDN will use a plain aiohttp client without the usual headers or
234 | # other configuration. This may be useful if you don't want to use the default proxy for large files.
235 | sandbox_media_download: false
236 |
237 | # Permissions for using the bridge.
238 | # Permitted values:
239 | # relay - Allowed to be relayed through the bridge, no access to commands.
240 | # user - Use the bridge with puppeting.
241 | # admin - Use and administrate the bridge.
242 | # Permitted keys:
243 | # * - All Matrix users
244 | # domain - All users on that homeserver
245 | # mxid - Specific user
246 | permissions:
247 | '*': relay
248 | matrix.ms.local: admin
249 | relay:
250 | # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any
251 | # authenticated user into a relaybot for that chat.
252 | enabled: false
253 | # The formats to use when sending messages to Messenger via a relay user.
254 | #
255 | # Available variables:
256 | # $sender_displayname - The display name of the sender (e.g. Example User)
257 | # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
258 | # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
259 | # $message - The message content
260 | message_formats:
261 | m.text: '$sender_displayname: $message'
262 | m.notice: '$sender_displayname: $message'
263 | m.emote: '* $sender_displayname $message'
264 | m.file: $sender_displayname sent a file
265 | m.image: $sender_displayname sent an image
266 | m.audio: $sender_displayname sent an audio file
267 | m.video: $sender_displayname sent a video
268 | m.location: $sender_displayname sent a location
269 |
270 | facebook:
271 | device_seed: -Z_CWn7ssS67iEADiyECe0fLQvs1jLKd5sQEKA9WnOmWevwQm8a0UiURU3BdjLRQ
272 | default_region_hint: ODN
273 | connection_type: WIFI
274 | carrier: Verizon
275 | hni: 311390
276 |
277 | # Python logging configuration.
278 | #
279 | # See section 16.7.2 of the Python documentation for more info:
280 | # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
281 | logging:
282 | version: 1
283 | formatters:
284 | colored:
285 | (): mautrix_facebook.util.ColorFormatter
286 | format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
287 | normal:
288 | format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
289 | handlers:
290 | file:
291 | class: logging.handlers.RotatingFileHandler
292 | formatter: normal
293 | filename: ./mautrix-facebook.log
294 | maxBytes: 10485760
295 | backupCount: 10
296 | console:
297 | class: logging.StreamHandler
298 | formatter: colored
299 | loggers:
300 | mau:
301 | level: DEBUG
302 | paho:
303 | level: INFO
304 | aiohttp:
305 | level: INFO
306 | root:
307 | level: DEBUG
308 | handlers: [file, console]
309 |
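An added helper for the `permissions` block of the bridge config above (example code, not part of this repository or of mautrix-facebook): it re-implements the lookup order the config comments describe (specific mxid, then the user's homeserver domain, then `*`) and lints the map for domain-wide grants. `SAMPLE_PERMISSIONS` is constructed to mirror the block above; the finding about `relay` entries being inert while `relay.enabled` is false is my reading of the config's own comments.

```python
"""Resolve and lint mautrix-style bridge permissions (added example)."""
from typing import Dict, List, Optional, Tuple

# Least to most privileged, as listed under "Permitted values" in the config.
LEVELS = ("relay", "user", "admin")

# Constructed to mirror bridge.permissions and bridge.relay.enabled in
# sample_configs/facebook-bridge/config.yaml above.
SAMPLE_PERMISSIONS: Dict[str, str] = {
    "*": "relay",
    "matrix.ms.local": "admin",
}
SAMPLE_RELAY_ENABLED = False


def split_mxid(mxid: str) -> Tuple[str, str]:
    """Split '@localpart:server' into its two parts; reject anything else."""
    if not mxid.startswith("@") or ":" not in mxid:
        raise ValueError(f"not a Matrix user ID: {mxid!r}")
    localpart, server = mxid[1:].split(":", 1)
    if not localpart or not server:
        raise ValueError(f"not a Matrix user ID: {mxid!r}")
    return localpart, server


def resolve_level(mxid: str, permissions: Dict[str, str]) -> Optional[str]:
    """Return the effective level for mxid, or None when no key matches.

    The first matching key wins, so an entry for a specific mxid can lower
    (or raise) what its whole homeserver domain was granted.
    """
    _, server = split_mxid(mxid)
    for key in (mxid, server, "*"):
        level = permissions.get(key)
        if level is None:
            continue
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r} for key {key!r}")
        return level
    return None


def lint_permissions(permissions: Dict[str, str], relay_enabled: bool) -> List[str]:
    """Return one finding per broad grant or inert entry in the map."""
    findings: List[str] = []
    for key, level in permissions.items():
        if key.startswith("@"):
            continue  # a specific user is as narrow as a grant gets
        scope = "every Matrix user anywhere" if key == "*" else f"every account on {key}"
        if level == "admin":
            findings.append(f"{key!r}: admin lets {scope} administrate the bridge")
        elif level == "user":
            findings.append(f"{key!r}: user lets {scope} log in with a Facebook account")
        elif level == "relay" and not relay_enabled:
            findings.append(f"{key!r}: relay has no effect while bridge.relay.enabled is false")
    return findings


def report(permissions: Dict[str, str], relay_enabled: bool,
           users: List[str]) -> Dict[str, Optional[str]]:
    """Resolve each user, print a summary, and return the resolved mapping."""
    resolved = {user: resolve_level(user, permissions) for user in users}
    for user, level in resolved.items():
        print(f"{user:35} -> {level or 'no access'}")
    for finding in lint_permissions(permissions, relay_enabled):
        print("WARNING:", finding)
    return resolved


if __name__ == "__main__":
    report(SAMPLE_PERMISSIONS, SAMPLE_RELAY_ENABLED,
           ["@alice:matrix.ms.local", "@mallory:example.org"])
```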
--------------------------------------------------------------------------------
/sample_configs/homeserver/homeserver.yaml:
--------------------------------------------------------------------------------
# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html


## Modules ##

# Server admins can expand Synapse's functionality with external modules.
#
# See https://matrix-org.github.io/synapse/latest/modules/index.html for more
# documentation on how to configure or create custom modules for Synapse.
#
modules:
  #- module: my_super_module.MySuperClass
  #  config:
  #    do_thing: true
  #- module: my_other_super_module.SomeClass
  #  config: {}


## Server ##

# The public-facing domain of the server
#
# The server_name will appear at the end of usernames and room addresses
# created on this server. For example if the server_name was example.com,
# usernames on this server would be in the format @user:example.com
#
# In most cases you should avoid using a matrix specific subdomain such as
# matrix.example.com or synapse.example.com as the server_name for the same
# reasons you wouldn't use user@email.example.com as your email address.
# See https://matrix-org.github.io/synapse/latest/delegate.html
# for information on how to host Synapse on a subdomain while preserving
# a clean server_name.
#
# The server_name cannot be changed later so it is important to
# configure this correctly before you start Synapse. It should be all
# lowercase and may contain an explicit port.
# Examples: matrix.org, localhost:8080
#
server_name: "matrix.ms.local"

# When running as a daemon, the file to store the pid in
#
pid_file: /data/homeserver.pid

# The absolute URL to the web client which / will redirect to.
#
#web_client_location: https://riot.example.com/

# The public-facing base URL that clients use to access this Homeserver (not
# including _matrix/...). This is the same URL a user might enter into the
# 'Custom Homeserver URL' field on their client. If you use Synapse with a
# reverse proxy, this should be the URL to reach Synapse via the proxy.
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
# 'listeners' below).
#
# Defaults to 'https://<server_name>/'.
#
#public_baseurl: https://example.com/

# Uncomment the following to tell other servers to send federation traffic on
# port 443.
#
# By default, other servers will try to reach our server on port 8448, which can
# be inconvenient in some environments.
#
# Provided 'https://<server_name>/' on port 443 is routed to Synapse, this
# option configures Synapse to serve a file at
# 'https://<server_name>/.well-known/matrix/server'. This will tell other
# servers to send traffic to port 443 instead.
#
# See https://matrix-org.github.io/synapse/latest/delegate.html for more
# information.
#
# Defaults to 'false'.
#
#serve_server_wellknown: true

# Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the
# hard limit.
#
#soft_file_limit: 0

# Presence tracking allows users to see the state (e.g online/offline)
# of other local and remote users.
#
presence:
  # Uncomment to disable presence tracking on this homeserver. This option
  # replaces the previous top-level 'use_presence' option.
  #
  #enabled: false

# Whether to require authentication to retrieve profile data (avatars,
# display names) of other users through the client API. Defaults to
# 'false'. Note that profile data is also available via the federation
# API, unless allow_profile_lookup_over_federation is set to false.
#
#require_auth_for_profile_requests: true

# Uncomment to require a user to share a room with another user in order
# to retrieve their profile information. Only checked on Client-Server
# requests. Profile requests from other servers should be checked by the
# requesting server. Defaults to 'false'.
#
#limit_profile_requests_to_users_who_share_rooms: true

# Uncomment to prevent a user's profile data from being retrieved and
# displayed in a room until they have joined it. By default, a user's
# profile data is included in an invite event, regardless of the values
# of the above two settings, and whether or not the users share a server.
# Defaults to 'true'.
#
#include_profile_data_on_invite: false

# If set to 'true', removes the need for authentication to access the server's
# public rooms directory through the client API, meaning that anyone can
# query the room directory. Defaults to 'false'.
#
#allow_public_rooms_without_auth: true

# If set to 'true', allows any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'false'.
#
#allow_public_rooms_over_federation: true

# The default room version for newly created rooms.
#
# Known room versions are listed here:
# https://spec.matrix.org/latest/rooms/#complete-list-of-room-versions
#
# For example, for room version 1, default_room_version should be set
# to "1".
#
#default_room_version: "6"

# The GC threshold parameters to pass to `gc.set_threshold`, if defined
#
#gc_thresholds: [700, 10, 10]

# The minimum time in seconds between each GC for a generation, regardless of
# the GC thresholds. This ensures that we don't do GC too frequently.
#
# A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive
# generation 0 GCs, etc.
#
# Defaults to `[1s, 10s, 30s]`.
#
#gc_min_interval: [0.5s, 30s, 1m]

# Set the limit on the returned events in the timeline in the get
# and sync operations. The default value is 100. -1 means no upper limit.
#
# Uncomment the following to increase the limit to 5000.
#
#filter_timeline_limit: 5000

# Whether room invites to users on this server should be blocked
# (except those sent by local server admins). The default is False.
#
#block_non_admin_invites: true

# Room searching
#
# If disabled, new messages will not be indexed for searching and users
# will receive errors when searching for messages. Defaults to enabled.
#
#enable_search: false

# Prevent outgoing requests from being sent to the following blacklisted IP address
# CIDR ranges. If this option is not specified then it defaults to private IP
# address ranges (see the example below).
#
# The blacklist applies to the outbound requests for federation, identity servers,
# push servers, and for checking key validity for third-party invite events.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
#
# Note: The value is ignored when an HTTP proxy is in use
#
#ip_range_blacklist:
#  - '127.0.0.0/8'
#  - '10.0.0.0/8'
#  - '172.16.0.0/12'
#  - '192.168.0.0/16'
#  - '100.64.0.0/10'
#  - '192.0.0.0/24'
#  - '169.254.0.0/16'
#  - '192.88.99.0/24'
#  - '198.18.0.0/15'
#  - '192.0.2.0/24'
#  - '198.51.100.0/24'
#  - '203.0.113.0/24'
#  - '224.0.0.0/4'
#  - '::1/128'
#  - 'fe80::/10'
#  - 'fc00::/7'
#  - '2001:db8::/32'
#  - 'ff00::/8'
#  - 'fec0::/10'

# List of IP address CIDR ranges that should be allowed for federation,
# identity servers, push servers, and for checking key validity for
# third-party invite events. This is useful for specifying exceptions to
# wide-ranging blacklisted target IP ranges - e.g. for communication with
# a push server only visible in your network.
#
# This whitelist overrides ip_range_blacklist and defaults to an empty
# list.
#
#ip_range_whitelist:
#  - '192.168.1.1'

# List of ports that Synapse should listen on, their purpose and their
# configuration.
#
# Options for each listener include:
#
#   port: the TCP port to bind to
#
#   bind_addresses: a list of local addresses to listen on. The default is
#       'all local interfaces'.
#
#   type: the type of listener. Normally 'http', but other valid options are:
#       'manhole' (see https://matrix-org.github.io/synapse/latest/manhole.html),
#       'metrics' (see https://matrix-org.github.io/synapse/latest/metrics-howto.html),
#       'replication' (see https://matrix-org.github.io/synapse/latest/workers.html).
#
#   tls: set to true to enable TLS for this listener. Will use the TLS
#       key/cert specified in tls_private_key_path / tls_certificate_path.
#
#   x_forwarded: Only valid for an 'http' listener. Set to true to use the
#       X-Forwarded-For header as the client IP. Useful when Synapse is
#       behind a reverse-proxy.
#
#   resources: Only valid for an 'http' listener. A list of resources to host
#       on this port. Options for each resource are:
#
#       names: a list of names of HTTP resources. See below for a list of
#           valid resource names.
#
#       compress: set to true to enable HTTP compression for this resource.
#
#   additional_resources: Only valid for an 'http' listener. A map of
#        additional endpoints which should be loaded via dynamic modules.
#
# Valid resource names are:
#
#   client: the client-server API (/_matrix/client), and the synapse admin
#       API (/_synapse/admin). Also implies 'media' and 'static'.
#
#   consent: user consent forms (/_matrix/consent).
#       See https://matrix-org.github.io/synapse/latest/consent_tracking.html.
#
#   federation: the server-server API (/_matrix/federation). Also implies
#       'media', 'keys', 'openid'
#
#   keys: the key discovery API (/_matrix/keys).
#
#   media: the media API (/_matrix/media).
#
#   metrics: the metrics interface.
#       See https://matrix-org.github.io/synapse/latest/metrics-howto.html.
#
#   openid: OpenID authentication.
#
#   replication: the HTTP replication API (/_synapse/replication).
#       See https://matrix-org.github.io/synapse/latest/workers.html.
#
#   static: static resources under synapse/static (/_matrix/static). (Mostly
#       useful for 'fallback authentication'.)
#
listeners:
  # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
  #
  # Disabled by default. To enable it, uncomment the following. (Note that you
  # will also need to give Synapse a TLS key and certificate: see the TLS section
  # below.)
  #
  #- port: 8448
  #  type: http
  #  tls: true
  #  resources:
  #    - names: [client, federation]

  # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
  # that unwraps TLS.
  #
  # If you plan to use a reverse proxy, please see
  # https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
  #
  - port: 8448
    type: http
    tls: true
    bind_addresses: ['0.0.0.0']
    x_forwarded: true

    resources:
      - names: [client]
        compress: true
      - names: [federation]
        compress: false


  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['0.0.0.0']
    resources:
      - names: [client]
        compress: true



  # example additional_resources:
  #
  #additional_resources:
  #  "/_matrix/my/custom/endpoint":
  #    module: my_module.CustomRequestHandler
  #    config: {}

  # Turn on the twisted ssh manhole service on localhost on the given
  # port.
  #
  #- port: 9000
  #  bind_addresses: ['::1', '127.0.0.1']
  #  type: manhole

# Connection settings for the manhole
#
manhole_settings:
  # The username for the manhole. This defaults to 'matrix'.
  #
  #username: manhole

  # The password for the manhole. This defaults to 'rabbithole'.
  #
  #password: mypassword

  # The private and public SSH key pair used to encrypt the manhole traffic.
  # If these are left unset, then hardcoded and non-secret keys are used,
  # which could allow traffic to be intercepted if sent over a public network.
  #
  #ssh_priv_key_path: /data/id_rsa
  #ssh_pub_key_path: /data/id_rsa.pub

# Forward extremities can build up in a room due to networking delays between
# homeservers. Once this happens in a large room, calculation of the state of
# that room can become quite expensive. To mitigate this, once the number of
# forward extremities reaches a given threshold, Synapse will send an
# org.matrix.dummy_event event, which will reduce the forward extremities
# in the room.
#
# This setting defines the threshold (i.e. number of forward extremities in the
# room) at which dummy events are sent. The default value is 10.
#
#dummy_events_threshold: 5


## Homeserver blocking ##

# How to reach the server admin, used in ResourceLimitError
#
#admin_contact: 'mailto:admin@server.com'

# Global blocking
#
#hs_disabled: false
#hs_disabled_message: 'Human readable reason for why the HS is blocked'

# Monthly Active User Blocking
#
# Used in cases where the admin or server owner wants to limit to the
# number of monthly active users.
#
# 'limit_usage_by_mau' disables/enables monthly active user blocking. When
# enabled and a limit is reached the server returns a 'ResourceLimitError'
# with error type Codes.RESOURCE_LIMIT_EXCEEDED
#
# 'max_mau_value' is the hard limit of monthly active users above which
# the server will start blocking user actions.
#
# 'mau_trial_days' is a means to add a grace period for active users. It
# means that users must be active for this number of days before they
# can be considered active and guards against the case where lots of users
# sign up in a short space of time never to return after their initial
# session.
#
# 'mau_limit_alerting' is a means of limiting client side alerting
# should the mau limit be reached. This is useful for small instances
# where the admin has 5 mau seats (say) for 5 specific people and no
# interest increasing the mau limit further. Defaults to True, which
# means that alerting is enabled
#
#limit_usage_by_mau: false
#max_mau_value: 50
#mau_trial_days: 2
#mau_limit_alerting: false

# If enabled, the metrics for the number of monthly active users will
# be populated, however no one will be limited. If limit_usage_by_mau
# is true, this is implied to be true.
#
#mau_stats_only: false

# Sometimes the server admin will want to ensure certain accounts are
# never blocked by mau checking. These accounts are specified here.
#
#mau_limit_reserved_threepids:
#  - medium: 'email'
#    address: 'reserved_user@example.com'

# Used by phonehome stats to group together related servers.
#server_context: context

# Resource-constrained homeserver settings
#
# When this is enabled, the room "complexity" will be checked before a user
# joins a new remote room. If it is above the complexity limit, the server will
# disallow joining, or will instantly leave.
#
# Room complexity is an arbitrary measure based on factors such as the number of
# users in the room.
#
limit_remote_rooms:
  # Uncomment to enable room complexity checking.
  #
  #enabled: true

  # the limit above which rooms cannot be joined. The default is 1.0.
  #
  #complexity: 0.5

  # override the error which is returned when the room is too complex.
  #
  #complexity_error: "This room is too complex."

  # allow server admins to join complex rooms. Default is false.
  #
  #admins_can_join: true

# Whether to require a user to be in the room to add an alias to it.
# Defaults to 'true'.
#
#require_membership_for_aliases: false

# Whether to allow per-room membership profiles through the send of membership
# events with profile information that differ from the target's global profile.
# Defaults to 'true'.
#
#allow_per_room_profiles: false

# The largest allowed file size for a user avatar. Defaults to no restriction.
#
# Note that user avatar changes will not work if this is set without
# using Synapse's media repository.
#
#max_avatar_size: 10M

# The MIME types allowed for user avatars. Defaults to no restriction.
#
# Note that user avatar changes will not work if this is set without
# using Synapse's media repository.
#
#allowed_avatar_mimetypes: ["image/png", "image/jpeg", "image/gif"]

# How long to keep redacted events in unredacted form in the database. After
# this period redacted events get replaced with their redacted form in the DB.
#
# Defaults to `7d`. Set to `null` to disable.
#
#redaction_retention_period: 28d

# How long to track users' last seen time and IPs in the database.
#
# Defaults to `28d`. Set to `null` to disable clearing out of old rows.
#
#user_ips_max_age: 14d

# Inhibits the /requestToken endpoints from returning an error that might leak
# information about whether an e-mail address is in use or not on this
# homeserver.
# Note that for some endpoints the error situation is the e-mail already being
# used, and for others the error is entering the e-mail being unused.
# If this option is enabled, instead of returning an error, these endpoints will
# act as if no error happened and return a fake session ID ('sid') to clients.
#
#request_token_inhibit_3pid_errors: true

# A list of domains that the domain portion of 'next_link' parameters
# must match.
#
# This parameter is optionally provided by clients while requesting
# validation of an email or phone number, and maps to a link that
# users will be automatically redirected to after validation
# succeeds. Clients can make use this parameter to aid the validation
# process.
#
# The whitelist is applied whether the homeserver or an
# identity server is handling validation.
#
# The default value is no whitelist functionality; all domains are
# allowed. Setting this value to an empty list will instead disallow
# all domains.
#
#next_link_domain_whitelist: ["matrix.org"]

# Templates to use when generating email or HTML page contents.
#
templates:
  # Directory in which Synapse will try to find template files to use to generate
  # email or HTML page contents.
  # If not set, or a file is not found within the template directory, a default
  # template from within the Synapse package will be used.
  #
  # See https://matrix-org.github.io/synapse/latest/templates.html for more
  # information about using custom templates.
  #
  #custom_template_directory: /path/to/custom/templates/


# Message retention policy at the server level.
#
# Room admins and mods can define a retention period for their rooms using the
# 'm.room.retention' state event, and server admins can cap this period by setting
# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options.
#
# If this feature is enabled, Synapse will regularly look for and purge events
# which are older than the room's maximum retention period. Synapse will also
# filter events received over federation so that events that should have been
# purged are ignored and not stored again.
#
retention:
  # The message retention policies feature is disabled by default. Uncomment the
  # following line to enable it.
  #
  #enabled: true

  # Default retention policy. If set, Synapse will apply it to rooms that lack the
  # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't
  # matter much because Synapse doesn't take it into account yet.
  #
  #default_policy:
  #  min_lifetime: 1d
  #  max_lifetime: 1y

  # Retention policy limits. If set, and the state of a room contains a
  # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
  # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
  # to these limits when running purge jobs.
  #
  #allowed_lifetime_min: 1d
  #allowed_lifetime_max: 1y

  # Server admins can define the settings of the background jobs purging the
  # events which lifetime has expired under the 'purge_jobs' section.
  #
  # If no configuration is provided, a single job will be set up to delete expired
  # events in every room daily.
  #
  # Each job's configuration defines which range of message lifetimes the job
  # takes care of. For example, if 'shortest_max_lifetime' is '2d' and
  # 'longest_max_lifetime' is '3d', the job will handle purging expired events in
  # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and
  # lower than or equal to 3 days. Both the minimum and the maximum value of a
  # range are optional, e.g. a job with no 'shortest_max_lifetime' and a
  # 'longest_max_lifetime' of '3d' will handle every room with a retention policy
  # which 'max_lifetime' is lower than or equal to three days.
  #
  # The rationale for this per-job configuration is that some rooms might have a
  # retention policy with a low 'max_lifetime', where history needs to be purged
  # of outdated messages on a more frequent basis than for the rest of the rooms
  # (e.g. every 12h), but not want that purge to be performed by a job that's
  # iterating over every room it knows, which could be heavy on the server.
  #
  # If any purge job is configured, it is strongly recommended to have at least
  # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
  # set, or one job without 'shortest_max_lifetime' and one job without
  # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
  # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
  # room's policy to these values is done after the policies are retrieved from
  # Synapse's database (which is done using the range specified in a purge job's
  # configuration).
  #
  #purge_jobs:
  #  - longest_max_lifetime: 3d
  #    interval: 12h
  #  - shortest_max_lifetime: 3d
  #    interval: 1d


## TLS ##

# PEM-encoded X509 certificate for TLS.
# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
# certificate, signed by a recognised Certificate Authority.
#
# Be sure to use a `.pem` file that includes the full certificate chain including
# any intermediate certificates (for instance, if using certbot, use
# `fullchain.pem` as your certificate, not `cert.pem`).
#
tls_certificate_path: "/certs/WILDCARD.ms.local.crt"

# PEM-encoded private key for TLS
#
tls_private_key_path: "/certs/WILDCARD.ms.local.key"

# Whether to verify TLS server certificates for outbound federation requests.
#
# Defaults to `true`. To disable certificate verification, uncomment the
# following line.
#
#federation_verify_certificates: false

# The minimum TLS version that will be used for outbound federation requests.
#
# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
# that setting this value higher than `1.2` will prevent federation to most
# of the public Matrix network: only configure it to `1.3` if you have an
# entirely private federation setup and you can ensure TLS 1.3 support.
#
#federation_client_minimum_tls_version: 1.2

# Skip federation certificate verification on the following whitelist
# of domains.
#
# This setting should only be used in very specific cases, such as
# federation over Tor hidden services and similar. For private networks
# of homeservers, you likely want to use a private CA instead.
#
# Only effective if federation_verify_certificates is `true`.
#
#federation_certificate_verification_whitelist:
#  - lon.example.com
#  - "*.domain.com"
#  - "*.onion"

# List of custom certificate authorities for federation traffic.
#
# This setting should only normally be used within a private network of
# homeservers.
#
# Note that this list will replace those that are provided by your
# operating environment. Certificates must be in PEM format.
#
#federation_custom_ca_list:
#  - myCA1.pem
#  - myCA2.pem
#  - myCA3.pem


## Federation ##

# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
#federation_domain_whitelist:
#  - lon.example.com
#  - nyc.example.com
#  - syd.example.com

# Report prometheus metrics on the age of PDUs being sent to and received from
# the following domains. This can be used to give an idea of "delay" on inbound
# and outbound federation, though be aware that any delay can be due to problems
# at either end or with the intermediate network.
#
# By default, no domains are monitored in this way.
#
#federation_metrics_domains:
#  - matrix.org
#  - example.com

# Uncomment to disable profile lookup over federation. By default, the
# Federation API allows other homeservers to obtain profile data of any user
# on this homeserver. Defaults to 'true'.
#
#allow_profile_lookup_over_federation: false

# Uncomment to disable device display name lookup over federation. By default, the
# Federation API allows other homeservers to obtain device display names of any user
# on this homeserver. Defaults to 'true'.
#
#allow_device_name_lookup_over_federation: false


## Caching ##

# Caching can be configured through the following options.
#
# A cache 'factor' is a multiplier that can be applied to each of
# Synapse's caches in order to increase or decrease the maximum
# number of entries that can be stored.

# The number of events to cache in memory. Not affected by
707 | # caches.global_factor.
708 | #
709 | #event_cache_size: 10K
710 |
711 | caches:
712 | # Controls the global cache factor, which is the default cache factor
713 | # for all caches if a specific factor for that cache is not otherwise
714 | # set.
715 | #
716 | # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment
717 | # variable. Setting by environment variable takes priority over
718 | # setting through the config file.
719 | #
720 | # Defaults to 0.5, which will halve the size of all caches.
721 | #
722 | #global_factor: 1.0
723 |
724 | # A dictionary of cache name to cache factor for that individual
725 | # cache. Overrides the global cache factor for a given cache.
726 | #
727 | # These can also be set through environment variables comprised
728 | # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital
729 | # letters and underscores. Setting by environment variable
730 | # takes priority over setting through the config file.
731 | # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0
732 | #
733 | # Some caches have '*' and other characters that are not
734 | # alphanumeric or underscores. These caches can be named with or
735 | # without the special characters stripped. For example, to specify
736 | # the cache factor for `*stateGroupCache*` via an environment
737 | # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`.
738 | #
739 | per_cache_factors:
740 | #get_users_who_share_room_with_user: 2.0
741 |
742 | # Controls how long an entry can be in a cache without having been
743 | # accessed before being evicted. Defaults to None, which means
744 | # entries are never evicted based on time.
745 | #
746 | #expiry_time: 30m
747 |
748 | # Controls how long the results of a /sync request are cached for after
749 | # a successful response is returned. A higher duration can help clients with
750 | # intermittent connections, at the cost of higher memory usage.
751 | #
752 | # By default, this is zero, which means that sync responses are not cached
753 | # at all.
754 | #
755 | #sync_response_cache_duration: 2m
756 |
757 |
758 | ## Database ##
759 |
760 | # The 'database' setting defines the database that synapse uses to store all of
761 | # its data.
762 | #
763 | # 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
764 | # 'psycopg2' (for PostgreSQL).
765 | #
766 | # 'txn_limit' gives the maximum number of transactions to run per connection
767 | # before reconnecting. Defaults to 0, which means no limit.
768 | #
769 | # 'args' gives options which are passed through to the database engine,
770 | # except for options starting 'cp_', which are used to configure the Twisted
771 | # connection pool. For a reference to valid arguments, see:
772 | # * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
773 | # * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
774 | # * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
775 | #
776 | #
777 | # Example SQLite configuration:
778 | #
779 | #database:
780 | # name: sqlite3
781 | # args:
782 | # database: /path/to/homeserver.db
783 | #
784 | #
785 | # Example Postgres configuration:
786 | #
787 | #database:
788 | # name: psycopg2
789 | # txn_limit: 10000
790 | # args:
791 | # user: synapse_user
792 | # password: secretpassword
793 | # database: synapse
794 | # host: localhost
795 | # port: 5432
796 | # cp_min: 5
797 | # cp_max: 10
798 | #
799 | # For more information on using Synapse with Postgres,
800 | # see https://matrix-org.github.io/synapse/latest/postgres.html.
801 | #
802 | database:
803 | # name: sqlite3
804 | # args:
805 | # database: /data/homeserver.db
806 |
807 | name: psycopg2
808 | args:
809 | user: synapse
810 | password: 12345
811 | database: synapse_db
812 | host: db
813 | cp_min: 5
814 | cp_max: 10
815 |
816 | ## Logging ##
817 |
818 | # A yaml python logging config file as described by
819 | # https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
820 | #
821 | log_config: "/data/matrix.ms.local.log.config"
822 |
823 |
824 | ## Ratelimiting ##
825 |
826 | # Ratelimiting settings for client actions (registration, login, messaging).
827 | #
828 | # Each ratelimiting configuration is made of two parameters:
829 | # - per_second: number of requests a client can send per second.
830 | # - burst_count: number of requests a client can send before being throttled.
831 | #
832 | # Synapse currently uses the following configurations:
833 | # - one for messages that ratelimits sending based on the account the client
834 | # is using
835 | # - one for registration that ratelimits registration requests based on the
836 | # client's IP address.
837 | # - one for checking the validity of registration tokens that ratelimits
838 | # requests based on the client's IP address.
839 | # - one for login that ratelimits login requests based on the client's IP
840 | # address.
841 | # - one for login that ratelimits login requests based on the account the
842 | # client is attempting to log into.
843 | # - one for login that ratelimits login requests based on the account the
844 | # client is attempting to log into, based on the amount of failed login
845 | # attempts for this account.
846 | # - one for ratelimiting redactions by room admins. If this is not explicitly
847 | # set then it uses the same ratelimiting as per rc_message. This is useful
848 | # to allow room admins to deal with abuse quickly.
849 | # - two for ratelimiting number of rooms a user can join, "local" for when
850 | # users are joining rooms the server is already in (this is cheap) vs
851 | # "remote" for when users are trying to join rooms not on the server (which
852 | # can be more expensive)
853 | # - one for ratelimiting how often a user or IP can attempt to validate a 3PID.
854 | # - two for ratelimiting how often invites can be sent in a room or to a
855 | # specific user.
856 | #
857 | # The defaults are as shown below.
858 | #
859 | #rc_message:
860 | # per_second: 0.2
861 | # burst_count: 10
862 | #
863 | #rc_registration:
864 | # per_second: 0.17
865 | # burst_count: 3
866 | #
867 | #rc_registration_token_validity:
868 | # per_second: 0.1
869 | # burst_count: 5
870 | #
871 | #rc_login:
872 | # address:
873 | # per_second: 0.17
874 | # burst_count: 3
875 | # account:
876 | # per_second: 0.17
877 | # burst_count: 3
878 | # failed_attempts:
879 | # per_second: 0.17
880 | # burst_count: 3
881 | #
882 | #rc_admin_redaction:
883 | # per_second: 1
884 | # burst_count: 50
885 | #
886 | #rc_joins:
887 | # local:
888 | # per_second: 0.1
889 | # burst_count: 10
890 | # remote:
891 | # per_second: 0.01
892 | # burst_count: 10
893 | #
894 | #rc_3pid_validation:
895 | # per_second: 0.003
896 | # burst_count: 5
897 | #
898 | #rc_invites:
899 | # per_room:
900 | # per_second: 0.3
901 | # burst_count: 10
902 | # per_user:
903 | # per_second: 0.003
904 | # burst_count: 5
905 |
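The per_second / burst_count pairs above describe a token bucket: a client starts with burst_count requests of credit, spends one per request, and earns credit back at per_second. The following is an added illustration of those semantics (not Synapse's own Ratelimiter class), keyed per client IP or per account the way rc_login.address and rc_login.account are; the IP used in the simulation is a constructed documentation address.

```python
"""Token-bucket model of Synapse's per_second / burst_count ratelimit
parameters. Illustration added here, not Synapse's own Ratelimiter class;
the numbers in __main__ are the rc_login.address defaults from the config."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    per_second: float          # refill rate: requests earned back per second
    burst_count: int           # capacity: requests allowed back-to-back
    tokens: float = field(init=False)
    last_seen: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # A client that has never been seen starts with a full bucket.
        self.tokens = float(self.burst_count)

    def allow(self, now: float) -> bool:
        """Spend one token for a request at time `now`; False means throttled."""
        elapsed = max(0.0, now - self.last_seen)
        self.tokens = min(float(self.burst_count),
                          self.tokens + elapsed * self.per_second)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class KeyedRatelimiter:
    """One bucket per key (client IP for rc_login.address, account for
    rc_login.account); different keys never share budget."""

    def __init__(self, per_second: float, burst_count: int) -> None:
        self.per_second = per_second
        self.burst_count = burst_count
        self.buckets: dict = {}

    def allow(self, key: str, now: float) -> bool:
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.per_second, self.burst_count)
        return bucket.allow(now)


def simulate(per_second: float, burst_count: int, timestamps, key: str = "203.0.113.7"):
    """Allow/deny decision for each request timestamp (seconds) of one key.
    The default key is a constructed documentation-range IP, not real traffic."""
    limiter = KeyedRatelimiter(per_second, burst_count)
    return [limiter.allow(key, t) for t in timestamps]


if __name__ == "__main__":
    # rc_login.address defaults: 0.17/s with a burst of 3. Three login attempts
    # at once are accepted, the fourth is throttled, and one more attempt is
    # earned back roughly every 6 seconds (1 / 0.17).
    print(simulate(0.17, 3, [0.0, 0.0, 0.0, 0.0, 6.0, 12.0]))
```

With the rc_login.address defaults, the fourth immediate login attempt from one address is refused while a different address is unaffected, which is the property that makes the per-IP limiter useful against password guessing without locking out other users.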
906 | # Ratelimiting settings for incoming federation
907 | #
908 | # The rc_federation configuration is made up of the following settings:
909 | # - window_size: window size in milliseconds
910 | # - sleep_limit: number of federation requests from a single server in
911 | # a window before the server will delay processing the request.
912 | # - sleep_delay: duration in milliseconds to delay processing events
913 | # from remote servers by if they go over the sleep limit.
914 | # - reject_limit: maximum number of concurrent federation requests
915 | # allowed from a single server
916 | # - concurrent: number of federation requests to concurrently process
917 | # from a single server
918 | #
919 | # The defaults are as shown below.
920 | #
921 | #rc_federation:
922 | # window_size: 1000
923 | # sleep_limit: 10
924 | # sleep_delay: 500
925 | # reject_limit: 50
926 | # concurrent: 3
927 |
928 | # Target outgoing federation transaction frequency for sending read-receipts,
929 | # per-room.
930 | #
931 | # If we end up trying to send out more read-receipts, they will get buffered up
932 | # into fewer transactions.
933 | #
934 | #federation_rr_transactions_per_room_per_second: 50
935 |
936 |
937 |
938 | ## Media Store ##
939 |
940 | # Enable the media store service in the Synapse master. Uncomment the
941 | # following if you are using a separate media store worker.
942 | #
943 | #enable_media_repo: false
944 |
945 | # Directory where uploaded images and attachments are stored.
946 | #
947 | media_store_path: "/media_store"
948 |
949 | # Media storage providers allow media to be stored in different
950 | # locations.
951 | #
952 | #media_storage_providers:
953 | # - module: file_system
954 | # # Whether to store newly uploaded local files
955 | # store_local: false
956 | # # Whether to store newly downloaded remote files
957 | # store_remote: false
958 | # # Whether to wait for successful storage for local uploads
959 | # store_synchronous: false
960 | # config:
961 | # directory: /mnt/some/other/directory
962 |
963 | # The largest allowed upload size in bytes
964 | #
965 | # If you are using a reverse proxy you may also need to set this value in
966 | # your reverse proxy's config. Notably Nginx has a small max body size by default.
967 | # See https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
968 | #
969 | #max_upload_size: 50M
970 |
971 | # Maximum number of pixels that will be thumbnailed
972 | #
973 | #max_image_pixels: 32M
974 |
975 | # Whether to generate new thumbnails on the fly to precisely match
976 | # the resolution requested by the client. If true then whenever
977 | # a new resolution is requested by the client the server will
978 | # generate a new thumbnail. If false the server will pick a thumbnail
979 | # from a precalculated list.
980 | #
981 | #dynamic_thumbnails: false
982 |
983 | # List of thumbnails to precalculate when an image is uploaded.
984 | #
985 | #thumbnail_sizes:
986 | # - width: 32
987 | # height: 32
988 | # method: crop
989 | # - width: 96
990 | # height: 96
991 | # method: crop
992 | # - width: 320
993 | # height: 240
994 | # method: scale
995 | # - width: 640
996 | # height: 480
997 | # method: scale
998 | # - width: 800
999 | # height: 600
1000 | # method: scale
1001 |
1002 | # Is the preview URL API enabled?
1003 | #
1004 | # 'false' by default: uncomment the following to enable it (and specify a
1005 | # url_preview_ip_range_blacklist blacklist).
1006 | #
1007 | #url_preview_enabled: true
1008 |
1009 | # List of IP address CIDR ranges that the URL preview spider is denied
1010 | # from accessing. There are no defaults: you must explicitly
1011 | # specify a list for URL previewing to work. You should specify any
1012 | # internal services in your network that you do not want synapse to try
1013 | # to connect to, otherwise anyone in any Matrix room could cause your
1014 | # synapse to issue arbitrary GET requests to your internal services,
1015 | # causing serious security issues.
1016 | #
1017 | # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
1018 | # listed here, since they correspond to unroutable addresses.)
1019 | #
1020 | # This must be specified if url_preview_enabled is set. It is recommended that
1021 | # you uncomment the following list as a starting point.
1022 | #
1023 | # Note: The value is ignored when an HTTP proxy is in use
1024 | #
1025 | #url_preview_ip_range_blacklist:
1026 | # - '127.0.0.0/8'
1027 | # - '10.0.0.0/8'
1028 | # - '172.16.0.0/12'
1029 | # - '192.168.0.0/16'
1030 | # - '100.64.0.0/10'
1031 | # - '192.0.0.0/24'
1032 | # - '169.254.0.0/16'
1033 | # - '192.88.99.0/24'
1034 | # - '198.18.0.0/15'
1035 | # - '192.0.2.0/24'
1036 | # - '198.51.100.0/24'
1037 | # - '203.0.113.0/24'
1038 | # - '224.0.0.0/4'
1039 | # - '::1/128'
1040 | # - 'fe80::/10'
1041 | # - 'fc00::/7'
1042 | # - '2001:db8::/32'
1043 | # - 'ff00::/8'
1044 | # - 'fec0::/10'
1045 |
1046 | # List of IP address CIDR ranges that the URL preview spider is allowed
1047 | # to access even if they are specified in url_preview_ip_range_blacklist.
1048 | # This is useful for specifying exceptions to wide-ranging blacklisted
1049 | # target IP ranges - e.g. for enabling URL previews for a specific private
1050 | # website only visible in your network.
1051 | #
1052 | #url_preview_ip_range_whitelist:
1053 | # - '192.168.1.1'
1054 |
1055 | # Optional list of URL matches that the URL preview spider is
1056 | # denied from accessing. You should use url_preview_ip_range_blacklist
1057 | # in preference to this, otherwise someone could define a public DNS
1058 | # entry that points to a private IP address and circumvent the blacklist.
1059 | # This is more useful if you know there is an entire shape of URL that
1060 | # you will never want synapse to try to spider.
1061 | #
1062 | # Each list entry is a dictionary of url component attributes as returned
1063 | # by urlparse.urlsplit as applied to the absolute form of the URL. See
1064 | # https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
1065 | # The values of the dictionary are treated as a filename match pattern
1066 | # applied to that component of URLs, unless they start with a ^ in which
1067 | # case they are treated as a regular expression match. If all the
1068 | # specified component matches for a given list item succeed, the URL is
1069 | # blacklisted.
1070 | #
1071 | #url_preview_url_blacklist:
1072 | # # blacklist any URL with a username in its URI
1073 | # - username: '*'
1074 | #
1075 | # # blacklist all *.google.com URLs
1076 | # - netloc: 'google.com'
1077 | # - netloc: '*.google.com'
1078 | #
1079 | # # blacklist all plain HTTP URLs
1080 | # - scheme: 'http'
1081 | #
1082 | # # blacklist http(s)://www.acme.com/foo
1083 | # - netloc: 'www.acme.com'
1084 | # path: '/foo'
1085 | #
1086 | # # blacklist any URL with a literal IPv4 address
1087 | # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
1088 |
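The two preview deny lists above work at different layers: url_preview_ip_range_blacklist is applied to the address the spider would actually connect to, while url_preview_url_blacklist matches urlsplit components with fnmatch globs (or a regex when the pattern starts with "^"). The block below is an added illustration of both checks, not Synapse's own preview resource; the deny list and URL rules are the examples from the comments above, and the name-to-address map standing in for DNS is constructed so the block runs offline. It also shows why the IP check has to run on the resolved address: a public hostname that resolves to a private IP passes every URL pattern.

```python
"""URL-preview policy checks modelling url_preview_ip_range_blacklist,
url_preview_ip_range_whitelist and url_preview_url_blacklist semantics.
Added illustration, not Synapse's own preview code; FAKE_DNS is constructed."""
import fnmatch
import ipaddress
import re
from urllib.parse import urlsplit

# Starting-point deny list and example rules from the config comments above.
IP_RANGE_BLACKLIST = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "192.0.0.0/24", "169.254.0.0/16", "192.88.99.0/24",
    "198.18.0.0/15", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "2001:db8::/32",
    "ff00::/8", "fec0::/10",
]
IP_RANGE_WHITELIST = ["192.168.1.1"]
URL_BLACKLIST = [
    {"username": "*"},                                  # any URL carrying credentials
    {"netloc": "google.com"}, {"netloc": "*.google.com"},
    {"scheme": "http"},                                 # plain HTTP
    {"netloc": "www.acme.com", "path": "/foo"},
    {"netloc": r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$"},    # literal IPv4 host
]


def ip_blocked(ip, blacklist=IP_RANGE_BLACKLIST, whitelist=IP_RANGE_WHITELIST):
    """True if the spider must not connect to this *resolved* address."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:            # 0.0.0.0 and :: are always refused
        return True
    if any(addr in ipaddress.ip_network(w, strict=False) for w in whitelist):
        return False                   # explicit exception wins over the deny list
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blacklist)


def url_blacklisted(url, rules=URL_BLACKLIST):
    """True if every component pattern of some rule matches the split URL.
    '^...' patterns are regexes, anything else is an fnmatch glob; a component
    the URL does not have (e.g. no username) never matches."""
    parts = urlsplit(url)
    for rule in rules:
        for attrib, pattern in rule.items():
            value = getattr(parts, attrib, None)
            if value is None:
                break
            value = str(value)
            if pattern.startswith("^"):
                hit = re.match(pattern, value) is not None
            else:
                hit = fnmatch.fnmatch(value, pattern)
            if not hit:
                break
        else:
            return True                # all components of this rule matched
    return False


# Constructed name->address map standing in for the resolver (not real DNS).
FAKE_DNS = {
    "public.example.test": "93.184.216.34",
    "intranet.example.test": "10.0.0.5",     # public name, private address
    "wiki.example.test": "192.168.1.1",      # the whitelisted host
}


def preview_decision(url, resolver=FAKE_DNS):
    """Full decision: URL pattern first, then the IP check on the resolved
    address, which is the only place a name-to-private-IP mapping is visible."""
    if url_blacklisted(url):
        return "deny:url-pattern"
    ip = resolver.get(urlsplit(url).hostname)
    if ip is None:
        return "deny:unresolved"
    if ip_blocked(ip):
        return "deny:ip-range"
    return "allow"
```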
1089 | # The largest allowed URL preview spidering size in bytes
1090 | #
1091 | #max_spider_size: 10M
1092 |
1093 | # A list of values for the Accept-Language HTTP header used when
1094 | # downloading webpages during URL preview generation. This allows
1095 | # Synapse to specify the preferred languages that URL previews should
1096 | # be in when communicating with remote servers.
1097 | #
1098 | # Each value is an IETF language tag; a 2-3 letter identifier for a
1099 | # language, optionally followed by subtags separated by '-', specifying
1100 | # a country or region variant.
1101 | #
1102 | # Multiple values can be provided, and a weight can be added to each by
1103 | # using quality value syntax (;q=). '*' translates to any language.
1104 | #
1105 | # Defaults to "en".
1106 | #
1107 | # Example:
1108 | #
1109 | # url_preview_accept_language:
1110 | # - en-UK
1111 | # - en-US;q=0.9
1112 | # - fr;q=0.8
1113 | # - *;q=0.7
1114 | #
1115 | url_preview_accept_language:
1116 | # - en
1117 |
1118 |
1119 | # oEmbed allows for easier embedding content from a website. It can be
1120 | # used for generating URL previews of services which support it.
1121 | #
1122 | oembed:
1123 | # A default list of oEmbed providers is included with Synapse.
1124 | #
1125 | # Uncomment the following to disable using these default oEmbed URLs.
1126 | # Defaults to 'false'.
1127 | #
1128 | #disable_default_providers: true
1129 |
1130 | # Additional files with oEmbed configuration (each should be in the
1131 | # form of providers.json).
1132 | #
1133 | # By default, this list is empty (so only the default providers.json
1134 | # is used).
1135 | #
1136 | #additional_providers:
1137 | # - oembed/my_providers.json
1138 |
1139 |
1140 | ## Captcha ##
1141 | # See docs/CAPTCHA_SETUP.md for full details of configuring this.
1142 |
1143 | # This homeserver's ReCAPTCHA public key. Must be specified if
1144 | # enable_registration_captcha is enabled.
1145 | #
1146 | #recaptcha_public_key: "YOUR_PUBLIC_KEY"
1147 |
1148 | # This homeserver's ReCAPTCHA private key. Must be specified if
1149 | # enable_registration_captcha is enabled.
1150 | #
1151 | #recaptcha_private_key: "YOUR_PRIVATE_KEY"
1152 |
1153 | # Uncomment to enable ReCaptcha checks when registering, preventing signup
1154 | # unless a captcha is answered. Requires a valid ReCaptcha
1155 | # public/private key. Defaults to 'false'.
1156 | #
1157 | #enable_registration_captcha: true
1158 |
1159 | # The API endpoint to use for verifying m.login.recaptcha responses.
1160 | # Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify".
1161 | #
1162 | #recaptcha_siteverify_api: "https://my.recaptcha.site"
1163 |
1164 |
1165 | ## TURN ##
1166 |
1167 | # The public URIs of the TURN server to give to clients
1168 | #
1169 | #turn_uris:
1170 |
1171 |
1172 | # The shared secret used to compute passwords for the TURN server
1173 | #
1174 | #turn_shared_secret:
1175 |
1176 | # The username and password if the TURN server needs them and
1177 | # does not use a token
1178 | #
1179 | #turn_username: "TURNSERVER_USERNAME"
1180 | #turn_password: "TURNSERVER_PASSWORD"
1181 |
1182 | # How long generated TURN credentials last
1183 | #
1184 | #turn_user_lifetime: 1h
1185 |
1186 | # Whether guests should be allowed to use the TURN server.
1187 | # This defaults to True, otherwise VoIP will be unreliable for guests.
1188 | # However, it does introduce a slight security risk as it allows users to
1189 | # connect to arbitrary endpoints without having first signed up for a
1190 | # valid account (e.g. by passing a CAPTCHA).
1191 | #
1192 | #turn_allow_guests: true
1193 |
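turn_shared_secret and turn_user_lifetime above work together: the homeserver never hands the secret to clients, it derives short-lived credentials from it in the TURN REST API form (username "<expiry>:<user>", password = base64 of HMAC-SHA1 over that username), and the TURN server recomputes the same value with its copy of the secret. The block below is an added illustration of that exchange, not Synapse's or coturn's code; the secret, user id and clock values are constructed.

```python
"""Ephemeral TURN credentials derived from turn_shared_secret, in the TURN
REST API form. Added illustration, not Synapse's or coturn's code; the
secret and timestamps used in __main__ are constructed."""
import base64
import hashlib
import hmac
import time

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_lifetime(value: str) -> int:
    """Turn a duration written like the config's "1h" into seconds.
    A unit suffix is required here (assumption of this helper)."""
    unit = value[-1]
    if unit not in _UNITS:
        raise ValueError(f"lifetime needs a unit suffix: {value!r}")
    return int(value[:-1]) * _UNITS[unit]


def _password_for(username: str, shared_secret: str) -> str:
    digest = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def issue_turn_credentials(user_id: str, shared_secret: str,
                           lifetime: str = "1h", now=None):
    """Homeserver side: credentials that expire `lifetime` after `now`."""
    now = int(time.time()) if now is None else int(now)
    username = f"{now + parse_lifetime(lifetime)}:{user_id}"
    return username, _password_for(username, shared_secret)


def turn_server_accepts(username: str, password: str, shared_secret: str, now) -> bool:
    """TURN server side: refuse malformed or expired usernames, then compare
    the recomputed password in constant time."""
    expiry_text, sep, _user = username.partition(":")
    if not sep or not expiry_text.isdigit():
        return False
    if int(expiry_text) <= int(now):
        return False
    return hmac.compare_digest(_password_for(username, shared_secret), password)


if __name__ == "__main__":
    secret = "constructed-turn-secret"          # constructed, not a real secret
    user, pw = issue_turn_credentials("@alice:ms.local", secret, "1h", now=1700000000)
    print(user, turn_server_accepts(user, pw, secret, now=1700000000))
```

Because the expiry is part of the signed username, a client cannot extend its own credential, and a leaked credential is only useful until turn_user_lifetime runs out.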
1194 |
1195 | ## Registration ##
1196 | #
1197 | # Registration can be rate-limited using the parameters in the "Ratelimiting"
1198 | # section of this file.
1199 |
1200 | # Enable registration for new users.
1201 | #
1202 | enable_registration: true
1203 |
1204 | # Time that a user's session remains valid for, after they log in.
1205 | #
1206 | # Note that this is not currently compatible with guest logins.
1207 | #
1208 | # Note also that this is calculated at login time: changes are not applied
1209 | # retrospectively to users who have already logged in.
1210 | #
1211 | # By default, this is infinite.
1212 | #
1213 | #session_lifetime: 24h
1214 |
1215 | # Time that an access token remains valid for, if the session is
1216 | # using refresh tokens.
1217 | # For more information about refresh tokens, please see the manual.
1218 | # Note that this only applies to clients which advertise support for
1219 | # refresh tokens.
1220 | #
1221 | # Note also that this is calculated at login time and refresh time:
1222 | # changes are not applied to existing sessions until they are refreshed.
1223 | #
1224 | # By default, this is 5 minutes.
1225 | #
1226 | #refreshable_access_token_lifetime: 5m
1227 |
1228 | # Time that a refresh token remains valid for (provided that it is not
1229 | # exchanged for another one first).
1230 | # This option can be used to automatically log-out inactive sessions.
1231 | # Please see the manual for more information.
1232 | #
1233 | # Note also that this is calculated at login time and refresh time:
1234 | # changes are not applied to existing sessions until they are refreshed.
1235 | #
1236 | # By default, this is infinite.
1237 | #
1238 | #refresh_token_lifetime: 24h
1239 |
1240 | # Time that an access token remains valid for, if the session is NOT
1241 | # using refresh tokens.
1242 | # Please note that not all clients support refresh tokens, so setting
1243 | # this to a short value may be inconvenient for some users who will
1244 | # then be logged out frequently.
1245 | #
1246 | # Note also that this is calculated at login time: changes are not applied
1247 | # retrospectively to existing sessions for users that have already logged in.
1248 | #
1249 | # By default, this is infinite.
1250 | #
1251 | #nonrefreshable_access_token_lifetime: 24h
1252 |
1253 | # The user must provide all of the below types of 3PID when registering.
1254 | #
1255 | #registrations_require_3pid:
1256 | # - email
1257 | # - msisdn
1258 |
1259 | # Explicitly disable asking for MSISDNs from the registration
1260 | # flow (overrides registrations_require_3pid if MSISDNs are set as required)
1261 | #
1262 | #disable_msisdn_registration: true
1263 |
1264 | # Mandate that users are only allowed to associate certain formats of
1265 | # 3PIDs with accounts on this server.
1266 | #
1267 | #allowed_local_3pids:
1268 | # - medium: email
1269 | # pattern: '^[^@]+@matrix\.org$'
1270 | # - medium: email
1271 | # pattern: '^[^@]+@vector\.im$'
1272 | # - medium: msisdn
1273 | # pattern: '\+44'
1274 |
1275 | # Enable 3PIDs lookup requests to identity servers from this server.
1276 | #
1277 | #enable_3pid_lookup: true
1278 |
1279 | # Require users to submit a token during registration.
1280 | # Tokens can be managed using the admin API:
1281 | # https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/registration_tokens.html
1282 | # Note that `enable_registration` must be set to `true`.
1283 | # Disabling this option will not delete any tokens previously generated.
1284 | # Defaults to false. Uncomment the following to require tokens:
1285 | #
1286 | #registration_requires_token: true
1287 |
1288 | # If set, allows registration of standard or admin accounts by anyone who
1289 | # has the shared secret, even if registration is otherwise disabled.
1290 | #
1291 | registration_shared_secret: "TT09R*PTB*oScj^XnSm=g,OtQ3R@.kVT&CCyNA2Cj8jt=5cEhe"
1292 |
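registration_shared_secret is consumed by the shared-secret registration admin API: the caller fetches a nonce, then sends a HMAC-SHA1 over nonce, username, password and the admin flag (NUL-separated, keyed with the secret), as Synapse's admin API documentation describes. The block below is an added illustration with the server-side check beside the client-side computation; it is not Synapse's code, and the secret, nonces and passwords are constructed. It shows why the value is an admin credential in its own right: nothing but the secret authenticates the request, and the admin flag is bound into the MAC.

```python
"""Shared-secret registration MAC and its verification. Added illustration,
not Synapse's code; secret and credentials used in __main__ are constructed."""
import hashlib
import hmac
import secrets


def registration_mac(nonce, username, password, admin, shared_secret, user_type=None):
    """Client side: HMAC-SHA1(secret, nonce \\0 username \\0 password \\0 admin|notadmin
    [\\0 user_type]), hex-encoded."""
    mac = hmac.new(shared_secret.encode("utf8"), digestmod=hashlib.sha1)
    for part in (nonce, username, password):
        mac.update(part.encode("utf8"))
        mac.update(b"\x00")
    mac.update(b"admin" if admin else b"notadmin")
    if user_type:
        mac.update(b"\x00")
        mac.update(user_type.encode("utf8"))
    return mac.hexdigest()


class SharedSecretRegistrar:
    """Server side: hands out single-use nonces and validates MACs."""

    def __init__(self, shared_secret):
        self._secret = shared_secret
        self._nonces = set()

    def issue_nonce(self):
        nonce = secrets.token_hex(32)
        self._nonces.add(nonce)
        return nonce

    def verify(self, nonce, username, password, admin, mac, user_type=None):
        # The nonce is consumed on its first use, valid or not, so a captured
        # request cannot be replayed and a MAC cannot be guessed offline and
        # then submitted later.
        if nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)
        expected = registration_mac(nonce, username, password, admin,
                                    self._secret, user_type)
        return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    registrar = SharedSecretRegistrar("constructed-shared-secret")
    nonce = registrar.issue_nonce()
    mac = registration_mac(nonce, "alice", "constructed-pw", True,
                           "constructed-shared-secret")
    print(registrar.verify(nonce, "alice", "constructed-pw", True, mac))
```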
1293 | # Set the number of bcrypt rounds used to generate password hash.
1294 | # Larger numbers increase the work factor needed to generate the hash.
1295 | # The default number is 12 (which equates to 2^12 rounds).
1296 | # N.B. that increasing this will exponentially increase the time required
1297 | # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
1298 | #
1299 | #bcrypt_rounds: 12
1300 |
1301 | # Allows users to register as guests without a password/email/etc, and
1302 | # participate in rooms hosted on this server which have been made
1303 | # accessible to anonymous users.
1304 | #
1305 | #allow_guest_access: false
1306 |
1307 | # The identity server which we suggest that clients should use when users log
1308 | # in on this server.
1309 | #
1310 | # (By default, no suggestion is made, so it is left up to the client.
1311 | # This setting is ignored unless public_baseurl is also explicitly set.)
1312 | #
1313 | #default_identity_server: https://matrix.org
1314 |
1315 | # Handle threepid (email/phone etc) registration and password resets through a set of
1316 | # *trusted* identity servers. Note that this allows the configured identity server to
1317 | # reset passwords for accounts!
1318 | #
1319 | # Be aware that if `email` is not set, and SMTP options have not been
1320 | # configured in the email config block, registration and user password resets via
1321 | # email will be globally disabled.
1322 | #
1323 | # Additionally, if `msisdn` is not set, registration and password resets via msisdn
1324 | # will be disabled regardless, and users will not be able to associate an msisdn
1325 | # identifier to their account. This is due to Synapse currently not supporting
1326 | # any method of sending SMS messages on its own.
1327 | #
1328 | # To enable using an identity server for operations regarding a particular third-party
1329 | # identifier type, set the value to the URL of that identity server as shown in the
1330 | # examples below.
1331 | #
1332 | # Servers handling these requests must answer the `/requestToken` endpoints defined
1333 | # by the Matrix Identity Service API specification:
1334 | # https://matrix.org/docs/spec/identity_service/latest
1335 | #
1336 | account_threepid_delegates:
1337 | #email: https://example.com # Delegate email sending to example.com
1338 | #msisdn: http://localhost:8090 # Delegate SMS sending to this local process
1339 |
1340 | # Whether users are allowed to change their displayname after it has
1341 | # been initially set. Useful when provisioning users based on the
1342 | # contents of a third-party directory.
1343 | #
1344 | # Does not apply to server administrators. Defaults to 'true'
1345 | #
1346 | #enable_set_displayname: false
1347 |
1348 | # Whether users are allowed to change their avatar after it has been
1349 | # initially set. Useful when provisioning users based on the contents
1350 | # of a third-party directory.
1351 | #
1352 | # Does not apply to server administrators. Defaults to 'true'
1353 | #
1354 | #enable_set_avatar_url: false
1355 |
1356 | # Whether users can change the 3PIDs associated with their accounts
1357 | # (email address and msisdn).
1358 | #
1359 | # Defaults to 'true'
1360 | #
1361 | #enable_3pid_changes: false
1362 |
1363 | # Users who register on this homeserver will automatically be joined
1364 | # to these rooms.
1365 | #
1366 | # By default, any room aliases included in this list will be created
1367 | # as a publicly joinable room when the first user registers for the
1368 | # homeserver. This behaviour can be customised with the settings below.
1369 | # If the room already exists, make certain it is a publicly joinable
1370 | # room. The join rule of the room must be set to 'public'.
1371 | #
1372 | #auto_join_rooms:
1373 | # - "#example:example.com"
1374 |
1375 | # Where auto_join_rooms are specified, setting this flag ensures that the
1376 | # rooms exist by creating them when the first user on the
1377 | # homeserver registers.
1378 | #
1379 | # By default the auto-created rooms are publicly joinable from any federated
1380 | # server. Use the autocreate_auto_join_rooms_federated and
1381 | # autocreate_auto_join_room_preset settings below to customise this behaviour.
1382 | #
1383 | # Setting to false means that if the rooms are not manually created,
1384 | # users cannot be auto-joined since they do not exist.
1385 | #
1386 | # Defaults to true. Uncomment the following line to disable automatically
1387 | # creating auto-join rooms.
1388 | #
1389 | #autocreate_auto_join_rooms: false
1390 |
1391 | # Whether the auto_join_rooms that are auto-created are available via
1392 | # federation. Only has an effect if autocreate_auto_join_rooms is true.
1393 | #
1394 | # Note that whether a room is federated cannot be modified after
1395 | # creation.
1396 | #
1397 | # Defaults to true: the room will be joinable from other servers.
1398 | # Uncomment the following to prevent users from other homeservers from
1399 | # joining these rooms.
1400 | #
1401 | #autocreate_auto_join_rooms_federated: false
1402 |
1403 | # The room preset to use when auto-creating one of auto_join_rooms. Only has an
1404 | # effect if autocreate_auto_join_rooms is true.
1405 | #
1406 | # This can be one of "public_chat", "private_chat", or "trusted_private_chat".
1407 | # If a value of "private_chat" or "trusted_private_chat" is used then
1408 | # auto_join_mxid_localpart must also be configured.
1409 | #
1410 | # Defaults to "public_chat", meaning that the room is joinable by anyone, including
1411 | # federated servers if autocreate_auto_join_rooms_federated is true (the default).
1412 | # Uncomment the following to require an invitation to join these rooms.
1413 | #
1414 | #autocreate_auto_join_room_preset: private_chat
1415 |
1416 | # The local part of the user id which is used to create auto_join_rooms if
1417 | # autocreate_auto_join_rooms is true. If this is not provided then the
1418 | # initial user account that registers will be used to create the rooms.
1419 | #
1420 | # The user id is also used to invite new users to any auto-join rooms which
1421 | # are set to invite-only.
1422 | #
1423 | # It *must* be configured if autocreate_auto_join_room_preset is set to
1424 | # "private_chat" or "trusted_private_chat".
1425 | #
1426 | # Note that this must be specified in order for new users to be correctly
1427 | # invited to any auto-join rooms which have been set to invite-only (either
1428 | # at the time of creation or subsequently).
1429 | #
1430 | # Note that, if the room already exists, this user must be joined and
1431 | # have the appropriate permissions to invite new members.
1432 | #
1433 | #auto_join_mxid_localpart: system
1434 |
1435 | # When auto_join_rooms is specified, setting this flag to false prevents
1436 | # guest accounts from being automatically joined to the rooms.
1437 | #
1438 | # Defaults to true.
1439 | #
1440 | #auto_join_rooms_for_guests: false
1441 |
1442 | # Whether to inhibit errors raised when registering a new account if the user ID
1443 | # already exists. If turned on, requests to /register/available will always
1444 | # show a user ID as available, and Synapse won't raise an error when starting
1445 | # a registration with a user ID that already exists. However, Synapse will still
1446 | # raise an error if the registration completes and the username conflicts.
1447 | #
1448 | # Defaults to false.
1449 | #
1450 | #inhibit_user_in_use_error: true
1451 |
1452 |
1453 | ## Metrics ##
1454 |
1455 | # Enable collection and rendering of performance metrics
1456 | #
1457 | #enable_metrics: false
1458 |
1459 | # Enable sentry integration
1460 | # NOTE: While attempts are made to ensure that the logs don't contain
1461 | # any sensitive information, this cannot be guaranteed. By enabling
1462 | # this option the sentry server may therefore receive sensitive
1463 | # information, and it in turn may then disseminate sensitive information
1464 | # through insecure notification channels if so configured.
1465 | #
1466 | #sentry:
1467 | # dsn: "..."
1468 |
1469 | # Flags to enable Prometheus metrics which are not suitable to be
1470 | # enabled by default, either for performance reasons or limited use.
1471 | #
1472 | metrics_flags:
1473 | # Publish synapse_federation_known_servers, a gauge of the number of
1474 | # servers this homeserver knows about, including itself. May cause
1475 | # performance problems on large homeservers.
1476 | #
1477 | #known_servers: true
1478 |
1479 | # Whether or not to report anonymized homeserver usage statistics.
1480 | #
1481 | report_stats: true
1482 |
1483 | # The endpoint to report the anonymized homeserver usage statistics to.
1484 | # Defaults to https://matrix.org/report-usage-stats/push
1485 | #
1486 | #report_stats_endpoint: https://example.com/report-usage-stats/push
1487 |
1488 |
1489 | ## API Configuration ##
1490 |
1491 | # Controls for the state that is shared with users who receive an invite
1492 | # to a room
1493 | #
1494 | room_prejoin_state:
1495 | # By default, the following state event types are shared with users who
1496 | # receive invites to the room:
1497 | #
1498 | # - m.room.join_rules
1499 | # - m.room.canonical_alias
1500 | # - m.room.avatar
1501 | # - m.room.encryption
1502 | # - m.room.name
1503 | # - m.room.create
1504 | # - m.room.topic
1505 | #
1506 | # Uncomment the following to disable these defaults (so that only the event
1507 | # types listed in 'additional_event_types' are shared). Defaults to 'false'.
1508 | #
1509 | #disable_default_event_types: true
1510 |
1511 | # Additional state event types to share with users when they are invited
1512 | # to a room.
1513 | #
1514 | # By default, this list is empty (so only the default event types are shared).
1515 | #
1516 | #additional_event_types:
1517 | # - org.example.custom.event.type
1518 |
1519 | # We record the IP address of clients used to access the API for various
1520 | # reasons, including displaying it to the user in the "Where you're signed in"
1521 | # dialog.
1522 | #
1523 | # By default, when puppeting another user via the admin API, the client IP
1524 | # address is recorded against the user who created the access token (ie, the
1525 | # admin user), and *not* the puppeted user.
1526 | #
1527 | # Uncomment the following to also record the IP address against the puppeted
1528 | # user. (This also means that the puppeted user will count as an "active" user
1529 | # for the purpose of monthly active user tracking - see 'limit_usage_by_mau' etc
1530 | # above.)
1531 | #
1532 | #track_puppeted_user_ips: true
1533 |
1534 |
1535 | # A list of application service config files to use
1536 | #
1537 | app_service_config_files:
1538 | - /app_services/telegram-registration.yaml
1539 | - /app_services/facebook-registration.yaml
1540 | - /app_services/webhooks-registration.yaml
1541 |
1542 |
1543 | # Uncomment to enable tracking of application service IP addresses. Implicitly
1544 | # enables MAU tracking for application service users.
1545 | #
1546 | #track_appservice_user_ips: true
1547 |
1548 |
1549 | # a secret which is used to sign access tokens. If none is specified,
1550 | # the registration_shared_secret is used, if one is given; otherwise,
1551 | # a secret key is derived from the signing key.
1552 | #
1553 | macaroon_secret_key: "7X#uIKZ@h*dYOq^E+aOj,:q;sXqes+7s_mLP@h.YOY=pn^DvAu"
1554 |
1555 | # a secret which is used to calculate HMACs for form values, to stop
1556 | # falsification of values. Must be specified for the User Consent
1557 | # forms to work.
1558 | #
1559 | form_secret: "UUwP-~IWZ27&Hp9N~t^xKfeXj-HchW:d#fwLWq~pWKP:S3H1kN"
1560 |
1561 | ## Signing Keys ##
1562 |
1563 | # Path to the signing key to sign messages with
1564 | #
1565 | signing_key_path: "/data/matrix.ms.local.signing.key"
1566 |
1567 | # The keys that the server used to sign messages with but won't use
1568 | # to sign new messages.
1569 | #
1570 | old_signing_keys:
1571 | # For each key, `key` should be the base64-encoded public key, and
1572 | # `expired_ts` should be the time (in milliseconds since the unix epoch) that
1573 | # it was last used.
1574 | #
1575 | # It is possible to build an entry from an old signing.key file using the
1576 | # `export_signing_key` script which is provided with synapse.
1577 | #
1578 | # For example:
1579 | #
1580 | #"ed25519:id": { key: "base64string", expired_ts: 123456789123 }
1581 |
1582 | # How long key response published by this server is valid for.
1583 | # Used to set the valid_until_ts in /key/v2 APIs.
1584 | # Determines how quickly servers will query to check which keys
1585 | # are still valid.
1586 | #
1587 | #key_refresh_interval: 1d
1588 |
1589 | # The trusted servers to download signing keys from.
1590 | #
1591 | # When we need to fetch a signing key, each server is tried in parallel.
1592 | #
1593 | # Normally, the connection to the key server is validated via TLS certificates.
1594 | # Additional security can be provided by configuring a `verify key`, which
1595 | # will make synapse check that the response is signed by that key.
1596 | #
1597 | # This setting supersedes an older setting named `perspectives`. The old format
1598 | # is still supported for backwards-compatibility, but it is deprecated.
1599 | #
1600 | # 'trusted_key_servers' defaults to matrix.org, but using it will generate a
1601 | # warning on start-up. To suppress this warning, set
1602 | # 'suppress_key_server_warning' to true.
1603 | #
1604 | # Options for each entry in the list include:
1605 | #
1606 | # server_name: the name of the server. required.
1607 | #
1608 | # verify_keys: an optional map from key id to base64-encoded public key.
1609 | # If specified, we will check that the response is signed by at least
1610 | # one of the given keys.
1611 | #
1612 | # accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
1613 | # and federation_verify_certificates is not `true`, synapse will refuse
1614 | # to start, because this would allow anyone who can spoof DNS responses
1615 | # to masquerade as the trusted key server. If you know what you are doing
1616 | # and are sure that your network environment provides a secure connection
1617 | # to the key server, you can set this to `true` to override this
1618 | # behaviour.
1619 | #
1620 | # An example configuration might look like:
1621 | #
1622 | #trusted_key_servers:
1623 | # - server_name: "my_trusted_server.example.com"
1624 | # verify_keys:
1625 | # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
1626 | # - server_name: "my_other_trusted_server.example.com"
1627 | #
1628 | trusted_key_servers:
1629 | - server_name: "matrix.org"
1630 |
1631 | # Uncomment the following to disable the warning that is emitted when the
1632 | # trusted_key_servers include 'matrix.org'. See above.
1633 | #
1634 | #suppress_key_server_warning: true
1635 |
1636 | # The signing keys to use when acting as a trusted key server. If not specified
1637 | # defaults to the server signing key.
1638 | #
1639 | # Can contain multiple keys, one per line.
1640 | #
1641 | #key_server_signing_keys_path: "key_server_signing_keys.key"
1642 |
1643 |
1644 | ## Single sign-on integration ##
1645 |
1646 | # The following settings can be used to make Synapse use a single sign-on
1647 | # provider for authentication, instead of its internal password database.
1648 | #
1649 | # You will probably also want to set the following options to `false` to
1650 | # disable the regular login/registration flows:
1651 | # * enable_registration
1652 | # * password_config.enabled
1653 | #
1654 | # You will also want to investigate the settings under the "sso" configuration
1655 | # section below.
1656 |
1657 | # Enable SAML2 for registration and login. Uses pysaml2.
1658 | #
1659 | # At least one of `sp_config` or `config_path` must be set in this section to
1660 | # enable SAML login.
1661 | #
1662 | # Once SAML support is enabled, a metadata file will be exposed at
1663 | # https://<server>:<port>/_synapse/client/saml2/metadata.xml, which you may be able to
1664 | # use to configure your SAML IdP with. Alternatively, you can manually configure
1665 | # the IdP to use an ACS location of
1666 | # https://<server>:<port>/_synapse/client/saml2/authn_response.
1667 | #
1668 | saml2_config:
1669 | # `sp_config` is the configuration for the pysaml2 Service Provider.
1670 | # See pysaml2 docs for format of config.
1671 | #
1672 | # Default values will be used for the 'entityid' and 'service' settings,
1673 | # so it is not normally necessary to specify them unless you need to
1674 | # override them.
1675 | #
1676 |   sp_config:
1677 | # Point this to the IdP's metadata. You must provide either a local
1678 | # file via the `local` attribute or (preferably) a URL via the
1679 | # `remote` attribute.
1680 | #
1681 | #metadata:
1682 | # local: ["saml2/idp.xml"]
1683 | # remote:
1684 | # - url: https://our_idp/metadata.xml
1685 |
1686 | # Allowed clock difference in seconds between the homeserver and IdP.
1687 | #
1688 | # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
1689 | #
1690 | #accepted_time_diff: 3
1691 |
1692 | # By default, the user has to go to our login page first. If you'd like
1693 | # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
1694 | # 'service.sp' section:
1695 | #
1696 | #service:
1697 | # sp:
1698 | # allow_unsolicited: true
1699 |
1700 | # The examples below are just used to generate our metadata xml, and you
1701 | # may well not need them, depending on your setup. Alternatively you
1702 | # may need a whole lot more detail - see the pysaml2 docs!
1703 |
1704 | #description: ["My awesome SP", "en"]
1705 | #name: ["Test SP", "en"]
1706 |
1707 | #ui_info:
1708 | # display_name:
1709 | # - lang: en
1710 | # text: "Display Name is the descriptive name of your service."
1711 | # description:
1712 | # - lang: en
1713 | # text: "Description should be a short paragraph explaining the purpose of the service."
1714 | # information_url:
1715 | # - lang: en
1716 | # text: "https://example.com/terms-of-service"
1717 | # privacy_statement_url:
1718 | # - lang: en
1719 | # text: "https://example.com/privacy-policy"
1720 | # keywords:
1721 | # - lang: en
1722 | # text: ["Matrix", "Element"]
1723 | # logo:
1724 | # - lang: en
1725 | # text: "https://example.com/logo.svg"
1726 | # width: "200"
1727 | # height: "80"
1728 |
1729 | #organization:
1730 | # name: Example com
1731 | # display_name:
1732 | # - ["Example co", "en"]
1733 | # url: "http://example.com"
1734 |
1735 | #contact_person:
1736 | # - given_name: Bob
1737 | # sur_name: "the Sysadmin"
1738 | # email_address: ["admin@example.com"]
1739 | # contact_type: technical
1740 |
1741 | # Instead of putting the config inline as above, you can specify a
1742 | # separate pysaml2 configuration file:
1743 | #
1744 | #config_path: "/data/sp_conf.py"
1745 |
1746 | # The lifetime of a SAML session. This defines how long a user has to
1747 | # complete the authentication process, if allow_unsolicited is unset.
1748 | # The default is 15 minutes.
1749 | #
1750 | #saml_session_lifetime: 5m
1751 |
1752 | # An external module can be provided here as a custom solution to
1753 | # mapping attributes returned from a saml provider onto a matrix user.
1754 | #
1755 |   user_mapping_provider:
1756 | # The custom module's class. Uncomment to use a custom module.
1757 | #
1758 | #module: mapping_provider.SamlMappingProvider
1759 |
1760 | # Custom configuration values for the module. Below options are
1761 | # intended for the built-in provider, they should be changed if
1762 | # using a custom module. This section will be passed as a Python
1763 | # dictionary to the module's `parse_config` method.
1764 | #
1765 |     config:
1766 | # The SAML attribute (after mapping via the attribute maps) to use
1767 | # to derive the Matrix ID from. 'uid' by default.
1768 | #
1769 | # Note: This used to be configured by the
1770 | # saml2_config.mxid_source_attribute option. If that is still
1771 | # defined, its value will be used instead.
1772 | #
1773 | #mxid_source_attribute: displayName
1774 |
1775 | # The mapping system to use for mapping the saml attribute onto a
1776 | # matrix ID.
1777 | #
1778 | # Options include:
1779 | # * 'hexencode' (which maps unpermitted characters to '=xx')
1780 | # * 'dotreplace' (which replaces unpermitted characters with
1781 | # '.').
1782 | # The default is 'hexencode'.
1783 | #
1784 | # Note: This used to be configured by the
1785 | # saml2_config.mxid_mapping option. If that is still defined, its
1786 | # value will be used instead.
1787 | #
1788 | #mxid_mapping: dotreplace
1789 |
1790 | # In previous versions of synapse, the mapping from SAML attribute to
1791 | # MXID was always calculated dynamically rather than stored in a
1792 | # table. For backwards-compatibility, we will look for user_ids
1793 | # matching such a pattern before creating a new account.
1794 | #
1795 | # This setting controls the SAML attribute which will be used for this
1796 | # backwards-compatibility lookup. Typically it should be 'uid', but if
1797 | # the attribute maps are changed, it may be necessary to change it.
1798 | #
1799 | # The default is 'uid'.
1800 | #
1801 | #grandfathered_mxid_source_attribute: upn
1802 |
1803 | # It is possible to configure Synapse to only allow logins if SAML attributes
1804 | # match particular values. The requirements can be listed under
1805 | # `attribute_requirements` as shown below. All of the listed attributes must
1806 | # match for the login to be permitted.
1807 | #
1808 | #attribute_requirements:
1809 | # - attribute: userGroup
1810 | # value: "staff"
1811 | # - attribute: department
1812 | # value: "sales"
1813 |
1814 | # If the metadata XML contains multiple IdP entities then the `idp_entityid`
1815 | # option must be set to the entity to redirect users to.
1816 | #
1817 | # Most deployments only have a single IdP entity and so should omit this
1818 | # option.
1819 | #
1820 | #idp_entityid: 'https://our_idp/entityid'
1821 |
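The two mapping systems listed above, 'hexencode' and 'dotreplace', as an added example (not Synapse's own code) applied to constructed SAML 'uid' values. It assumes the historical localpart alphabet `a-z 0-9 . _ = - /` with `=` as the escape character, and shows why the choice matters: 'dotreplace' can give two distinct attribute values the same MXID, whereas 'hexencode' is reversible (apart from the case folding both apply).

```python
import string

# Localpart alphabet assumed for this example: the historical Matrix user ID
# grammar (a-z, 0-9 and the characters . _ = - /). '=' doubles as the escape
# character for 'hexencode', so it is always escaped itself.
LOCALPART_ALLOWED = set(string.ascii_lowercase + string.digits + "._=-/")


def hexencode_localpart(attribute_value: str) -> str:
    """'hexencode' mapping: lower-case the value, keep permitted characters
    and escape every other UTF-8 byte as '=xx' (two lower-case hex digits)."""
    out = []
    for byte in attribute_value.lower().encode("utf-8"):
        ch = chr(byte)
        if ch in LOCALPART_ALLOWED and ch != "=":
            out.append(ch)
        else:
            out.append("=%02x" % byte)
    return "".join(out)


def hexdecode_localpart(localpart: str) -> str:
    """Inverse of hexencode_localpart: the '=xx' escapes make the mapping
    reversible, so the (lower-cased) attribute value is recoverable."""
    raw = bytearray()
    i = 0
    while i < len(localpart):
        if localpart[i] == "=":
            raw.append(int(localpart[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(localpart[i]))
            i += 1
    return raw.decode("utf-8")


def dotreplace_localpart(attribute_value: str) -> str:
    """'dotreplace' mapping: lower-case the value and replace every character
    outside the permitted alphabet with '.'. This is lossy."""
    return "".join(
        ch if ch in LOCALPART_ALLOWED else "." for ch in attribute_value.lower()
    )


def find_collisions(attribute_values, mapper):
    """Group attribute values by the localpart the mapper gives them and
    return only the localparts claimed by more than one distinct value."""
    by_localpart = {}
    for value in attribute_values:
        by_localpart.setdefault(mapper(value), []).append(value)
    return {lp: vals for lp, vals in by_localpart.items() if len(vals) > 1}


# Constructed sample of SAML 'uid' values, not taken from any real directory.
SAMPLE_UIDS = ["alice", "bob!", "bob?", "Carol Smith", "dave=admin", "erin@corp.example"]

if __name__ == "__main__":
    for uid in SAMPLE_UIDS:
        print(f"{uid!r:22} hexencode={hexencode_localpart(uid):22} "
              f"dotreplace={dotreplace_localpart(uid)}")
    print("dotreplace collisions:", find_collisions(SAMPLE_UIDS, dotreplace_localpart))
    print("hexencode collisions: ", find_collisions(SAMPLE_UIDS, hexencode_localpart))
```

A collision under 'dotreplace' means a second IdP account would be mapped onto an existing Matrix account, so keep the default 'hexencode' unless the attribute values are known to stay within the permitted alphabet.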
1822 |
1823 | # List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
1824 | # and login.
1825 | #
1826 | # Options for each entry include:
1827 | #
1828 | # idp_id: a unique identifier for this identity provider. Used internally
1829 | # by Synapse; should be a single word such as 'github'.
1830 | #
1831 | # Note that, if this is changed, users authenticating via that provider
1832 | # will no longer be recognised as the same user!
1833 | #
1834 | # (Use "oidc" here if you are migrating from an old "oidc_config"
1835 | # configuration.)
1836 | #
1837 | # idp_name: A user-facing name for this identity provider, which is used to
1838 | # offer the user a choice of login mechanisms.
1839 | #
1840 | # idp_icon: An optional icon for this identity provider, which is presented
1841 | # by clients and Synapse's own IdP picker page. If given, must be an
1842 | # MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
1843 | # obtain such an MXC URI is to upload an image to an (unencrypted) room
1844 | # and then copy the "url" from the source of the event.)
1845 | #
1846 | # idp_brand: An optional brand for this identity provider, allowing clients
1847 | # to style the login flow according to the identity provider in question.
1848 | # See the spec for possible options here.
1849 | #
1850 | # discover: set to 'false' to disable the use of the OIDC discovery mechanism
1851 | # to discover endpoints. Defaults to true.
1852 | #
1853 | # issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
1854 | # is enabled) to discover the provider's endpoints.
1855 | #
1856 | # client_id: Required. oauth2 client id to use.
1857 | #
1858 | # client_secret: oauth2 client secret to use. May be omitted if
1859 | # client_secret_jwt_key is given, or if client_auth_method is 'none'.
1860 | #
1861 | # client_secret_jwt_key: Alternative to client_secret: details of a key used
1862 | # to create a JSON Web Token to be used as an OAuth2 client secret. If
1863 | # given, must be a dictionary with the following properties:
1864 | #
1865 | # key: a pem-encoded signing key. Must be a suitable key for the
1866 | # algorithm specified. Required unless 'key_file' is given.
1867 | #
1868 | # key_file: the path to file containing a pem-encoded signing key file.
1869 | # Required unless 'key' is given.
1870 | #
1871 | # jwt_header: a dictionary giving properties to include in the JWT
1872 | # header. Must include the key 'alg', giving the algorithm used to
1873 | # sign the JWT, such as "ES256", using the JWA identifiers in
1874 | # RFC7518.
1875 | #
1876 | # jwt_payload: an optional dictionary giving properties to include in
1877 | # the JWT payload. Normally this should include an 'iss' key.
1878 | #
1879 | # client_auth_method: auth method to use when exchanging the token. Valid
1880 | # values are 'client_secret_basic' (default), 'client_secret_post' and
1881 | # 'none'.
1882 | #
1883 | # scopes: list of scopes to request. This should normally include the "openid"
1884 | # scope. Defaults to ["openid"].
1885 | #
1886 | # authorization_endpoint: the oauth2 authorization endpoint. Required if
1887 | # provider discovery is disabled.
1888 | #
1889 | # token_endpoint: the oauth2 token endpoint. Required if provider discovery is
1890 | # disabled.
1891 | #
1892 | # userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
1893 | # disabled and the 'openid' scope is not requested.
1894 | #
1895 | # jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
1896 | # the 'openid' scope is used.
1897 | #
1898 | # skip_verification: set to 'true' to skip metadata verification. Use this if
1899 | # you are connecting to a provider that is not OpenID Connect compliant.
1900 | # Defaults to false. Avoid this in production.
1901 | #
1902 | # user_profile_method: Whether to fetch the user profile from the userinfo
1903 | # endpoint, or to rely on the data returned in the id_token from the
1904 | # token_endpoint.
1905 | #
1906 | # Valid values are: 'auto' or 'userinfo_endpoint'.
1907 | #
1908 | # Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
1909 | # not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
1910 | # userinfo endpoint.
1911 | #
1912 | # allow_existing_users: set to 'true' to allow a user logging in via OIDC to
1913 | # match a pre-existing account instead of failing. This could be used if
1914 | # switching from password logins to OIDC. Defaults to false.
1915 | #
1916 | # user_mapping_provider: Configuration for how attributes returned from a OIDC
1917 | # provider are mapped onto a matrix user. This setting has the following
1918 | # sub-properties:
1919 | #
1920 | # module: The class name of a custom mapping module. Default is
1921 | # 'synapse.handlers.oidc.JinjaOidcMappingProvider'.
1922 | # See https://matrix-org.github.io/synapse/latest/sso_mapping_providers.html#openid-mapping-providers
1923 | # for information on implementing a custom mapping provider.
1924 | #
1925 | # config: Configuration for the mapping provider module. This section will
1926 | # be passed as a Python dictionary to the user mapping provider
1927 | # module's `parse_config` method.
1928 | #
1929 | # For the default provider, the following settings are available:
1930 | #
1931 | # subject_claim: name of the claim containing a unique identifier
1932 | # for the user. Defaults to 'sub', which OpenID Connect
1933 | # compliant providers should provide.
1934 | #
1935 | # localpart_template: Jinja2 template for the localpart of the MXID.
1936 | # If this is not set, the user will be prompted to choose their
1937 | # own username (see 'sso_auth_account_details.html' in the 'sso'
1938 | # section of this file).
1939 | #
1940 | # display_name_template: Jinja2 template for the display name to set
1941 | # on first login. If unset, no displayname will be set.
1942 | #
1943 | # email_template: Jinja2 template for the email address of the user.
1944 | # If unset, no email address will be added to the account.
1945 | #
1946 | # extra_attributes: a map of Jinja2 templates for extra attributes
1947 | # to send back to the client during login.
1948 | # Note that these are non-standard and clients will ignore them
1949 | # without modifications.
1950 | #
1951 | # When rendering, the Jinja2 templates are given a 'user' variable,
1952 | # which is set to the claims returned by the UserInfo Endpoint and/or
1953 | # in the ID Token.
1954 | #
1955 | # It is possible to configure Synapse to only allow logins if certain attributes
1956 | # match particular values in the OIDC userinfo. The requirements can be listed under
1957 | # `attribute_requirements` as shown below. All of the listed attributes must
1958 | # match for the login to be permitted. Additional attributes can be added to
1959 | # userinfo by expanding the `scopes` section of the OIDC config to retrieve
1960 | # additional information from the OIDC provider.
1961 | #
1962 | # If the OIDC claim is a list, then the attribute must match any value in the list.
1963 | # Otherwise, it must exactly match the value of the claim. Using the example
1964 | # below, the `family_name` claim MUST be "Stephensson", but the `groups`
1965 | # claim MUST contain "admin".
1966 | #
1967 | # attribute_requirements:
1968 | # - attribute: family_name
1969 | # value: "Stephensson"
1970 | # - attribute: groups
1971 | # value: "admin"
1972 | #
1973 | # See https://matrix-org.github.io/synapse/latest/openid.html
1974 | # for information on how to configure these options.
1975 | #
1976 | # For backwards compatibility, it is also possible to configure a single OIDC
1977 | # provider via an 'oidc_config' setting. This is now deprecated and admins are
1978 | # advised to migrate to the 'oidc_providers' format. (When doing that migration,
1979 | # use 'oidc' for the idp_id to ensure that existing users continue to be
1980 | # recognised.)
1981 | #
1982 | oidc_providers:
1983 | # Generic example
1984 | #
1985 | #- idp_id: my_idp
1986 | # idp_name: "My OpenID provider"
1987 | # idp_icon: "mxc://example.com/mediaid"
1988 | # discover: false
1989 | # issuer: "https://accounts.example.com/"
1990 | # client_id: "provided-by-your-issuer"
1991 | # client_secret: "provided-by-your-issuer"
1992 | # client_auth_method: client_secret_post
1993 | # scopes: ["openid", "profile"]
1994 | # authorization_endpoint: "https://accounts.example.com/oauth2/auth"
1995 | # token_endpoint: "https://accounts.example.com/oauth2/token"
1996 | # userinfo_endpoint: "https://accounts.example.com/userinfo"
1997 | # jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
1998 | # skip_verification: true
1999 | # user_mapping_provider:
2000 | # config:
2001 | # subject_claim: "id"
2002 | # localpart_template: "{{ user.login }}"
2003 | # display_name_template: "{{ user.name }}"
2004 | # email_template: "{{ user.email }}"
2005 | # attribute_requirements:
2006 | # - attribute: userGroup
2007 | # value: "synapseUsers"
2008 |
2009 |
2010 | # Enable Central Authentication Service (CAS) for registration and login.
2011 | #
2012 | cas_config:
2013 | # Uncomment the following to enable authorization against a CAS server.
2014 | # Defaults to false.
2015 | #
2016 | #enabled: true
2017 |
2018 | # The URL of the CAS authorization endpoint.
2019 | #
2020 | #server_url: "https://cas-server.com"
2021 |
2022 | # The attribute of the CAS response to use as the display name.
2023 | #
2024 | # If unset, no displayname will be set.
2025 | #
2026 | #displayname_attribute: name
2027 |
2028 | # It is possible to configure Synapse to only allow logins if CAS attributes
2029 | # match particular values. All of the keys in the mapping below must exist
2030 | # and the values must match the given value. Alternatively, if the given value
2031 | # is None then any value is allowed (the attribute just must exist).
2032 | # All of the listed attributes must match for the login to be permitted.
2033 | #
2034 | #required_attributes:
2035 | # userGroup: "staff"
2036 | # department: None
2037 |
2038 |
2039 | # Additional settings to use with single-sign on systems such as OpenID Connect,
2040 | # SAML2 and CAS.
2041 | #
2042 | # Server admins can configure custom templates for pages related to SSO. See
2043 | # https://matrix-org.github.io/synapse/latest/templates.html for more information.
2044 | #
2045 | sso:
2046 | # A list of client URLs which are whitelisted so that the user does not
2047 | # have to confirm giving access to their account to the URL. Any client
2048 | # whose URL starts with an entry in the following list will not be subject
2049 | # to an additional confirmation step after the SSO login is completed.
2050 | #
2051 | # WARNING: An entry such as "https://my.client" is insecure, because it
2052 | # will also match "https://my.client.evil.site", exposing your users to
2053 | # phishing attacks from evil.site. To avoid this, include a slash after the
2054 | # hostname: "https://my.client/".
2055 | #
2056 | # The login fallback page (used by clients that don't natively support the
2057 | # required login flows) is whitelisted in addition to any URLs in this list.
2058 | #
2059 | # By default, this list contains only the login fallback page.
2060 | #
2061 | #client_whitelist:
2062 | # - https://riot.im/develop
2063 | # - https://my.custom.client/
2064 |
2065 | # Uncomment to keep a user's profile fields in sync with information from
2066 | # the identity provider. Currently only syncing the displayname is
2067 | # supported. Fields are checked on every SSO login, and are updated
2068 | # if necessary.
2069 | #
2070 | # Note that enabling this option will override user profile information,
2071 | # regardless of whether users have opted-out of syncing that
2072 | # information when first signing in. Defaults to false.
2073 | #
2074 | #update_profile_information: true
2075 |
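The prefix match behind 'client_whitelist' and the phishing caveat above, as an added example (not Synapse's code): a startswith check as the comment describes, plus a small constructed check that flags bare-host entries and appends the missing slash. Function names and the sample list are this example's own.

```python
from urllib.parse import urlsplit


def is_whitelisted(client_url: str, client_whitelist) -> bool:
    """Prefix match as described for sso.client_whitelist: the confirmation
    step is skipped when the client URL starts with any listed entry."""
    return any(client_url.startswith(entry) for entry in client_whitelist)


def insecure_whitelist_entries(client_whitelist):
    """Return entries that stop right after the hostname (empty path, hence no
    trailing slash); such an entry also prefixes longer hostnames like
    'https://my.client.evil.site'. Constructed check, not part of Synapse."""
    flagged = []
    for entry in client_whitelist:
        parts = urlsplit(entry)
        if parts.scheme in ("http", "https") and parts.netloc and parts.path == "":
            flagged.append(entry)
    return flagged


def harden_whitelist(client_whitelist):
    """Return a copy of the list with '/' appended to every bare-host entry."""
    bare = set(insecure_whitelist_entries(client_whitelist))
    return [entry + "/" if entry in bare else entry for entry in client_whitelist]


# Constructed sample: the first entry is the insecure form from the comment above.
WEAK_WHITELIST = ["https://my.client", "https://riot.im/develop"]
HARDENED_WHITELIST = harden_whitelist(WEAK_WHITELIST)

# A lookalike host that a phishing page could be served from (constructed).
LOOKALIKE_URL = "https://my.client.evil.site/login"

if __name__ == "__main__":
    print("flagged entries:", insecure_whitelist_entries(WEAK_WHITELIST))
    print("lookalike skips confirmation (weak list):    ",
          is_whitelisted(LOOKALIKE_URL, WEAK_WHITELIST))
    print("lookalike skips confirmation (hardened list):",
          is_whitelisted(LOOKALIKE_URL, HARDENED_WHITELIST))
    print("hardened list:", HARDENED_WHITELIST)
```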
2076 |
2077 | # JSON web token integration. The following settings can be used to make
2078 | # Synapse use JSON web tokens for authentication, instead of its internal
2079 | # password database.
2080 | #
2081 | # Each JSON Web Token needs to contain a "sub" (subject) claim, which is
2082 | # used as the localpart of the mxid.
2083 | #
2084 | # Additionally, the expiration time ("exp"), not before time ("nbf"),
2085 | # and issued at ("iat") claims are validated if present.
2086 | #
2087 | # Note that this is a non-standard login type and client support is
2088 | # expected to be non-existent.
2089 | #
2090 | # See https://matrix-org.github.io/synapse/latest/jwt.html.
2091 | #
2092 | #jwt_config:
2093 | # Uncomment the following to enable authorization using JSON web
2094 | # tokens. Defaults to false.
2095 | #
2096 | #enabled: true
2097 |
2098 | # This is either the private shared secret or the public key used to
2099 | # decode the contents of the JSON web token.
2100 | #
2101 | # Required if 'enabled' is true.
2102 | #
2103 | #secret: "provided-by-your-issuer"
2104 |
2105 | # The algorithm used to sign the JSON web token.
2106 | #
2107 | # Supported algorithms are listed at
2108 | # https://pyjwt.readthedocs.io/en/latest/algorithms.html
2109 | #
2110 | # Required if 'enabled' is true.
2111 | #
2112 | #algorithm: "provided-by-your-issuer"
2113 |
2114 | # Name of the claim containing a unique identifier for the user.
2115 | #
2116 | # Optional, defaults to `sub`.
2117 | #
2118 | #subject_claim: "sub"
2119 |
2120 | # The issuer to validate the "iss" claim against.
2121 | #
2122 | # Optional, if provided the "iss" claim will be required and
2123 | # validated for all JSON web tokens.
2124 | #
2125 | #issuer: "provided-by-your-issuer"
2126 |
2127 | # A list of audiences to validate the "aud" claim against.
2128 | #
2129 | # Optional, if provided the "aud" claim will be required and
2130 | # validated for all JSON web tokens.
2131 | #
2132 | # Note that if the "aud" claim is included in a JSON web token then
2133 | # validation will fail without configuring audiences.
2134 | #
2135 | #audiences:
2136 | # - "provided-by-your-issuer"
2137 |
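The claim rules listed for 'jwt_config', as an added example (not Synapse's implementation, which uses PyJWT): a standard-library HS256 verifier that requires the subject claim, validates "exp", "nbf" and "iat" when present, checks "iss" only when an issuer is configured, and fails on an "aud" claim when no audiences are configured. The helper names and the shared secret are this example's own placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

ALGORITHM = "HS256"  # the only algorithm this example implements
SHARED_SECRET = "placeholder-shared-secret"  # constructed; use a real random value


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: dict, secret: str) -> str:
    """Mint a token the way an issuer would; used here only to build inputs."""
    header = _b64url_encode(json.dumps({"alg": ALGORITHM, "typ": "JWT"},
                                       separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class JwtLoginError(Exception):
    pass


def validate_jwt_login(token, secret, issuer=None, audiences=None,
                       subject_claim="sub", now=None):
    """Return the localpart taken from the subject claim, or raise JwtLoginError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise JwtLoginError("malformed token") from exc
    # Only accept the configured algorithm; never let the token pick one.
    if header.get("alg") != ALGORITHM:
        raise JwtLoginError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtLoginError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Time-based claims are validated only if present.
    if "exp" in claims and now >= claims["exp"]:
        raise JwtLoginError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise JwtLoginError("token not yet valid")
    if "iat" in claims and claims["iat"] > now:
        raise JwtLoginError("token issued in the future")
    # "iss" is required and checked only when an issuer is configured.
    if issuer is not None and claims.get("iss") != issuer:
        raise JwtLoginError("issuer mismatch")
    # "aud": required when audiences are configured; a token carrying "aud"
    # fails when no audiences are configured, as the comment above states.
    if "aud" in claims:
        if not audiences:
            raise JwtLoginError("aud claim present but no audiences configured")
        token_aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if not set(token_aud) & set(audiences):
            raise JwtLoginError("audience mismatch")
    elif audiences:
        raise JwtLoginError("aud claim required")
    subject = claims.get(subject_claim)
    if not isinstance(subject, str) or not subject:
        raise JwtLoginError("missing subject claim")
    return subject


def login_outcome(token, secret, **settings):
    """Wrap validate_jwt_login so callers get 'ok:<localpart>' or 'error:<reason>'."""
    try:
        return "ok:" + validate_jwt_login(token, secret, **settings)
    except JwtLoginError as exc:
        return "error:" + str(exc)


if __name__ == "__main__":
    now = int(time.time())
    good = make_hs256_jwt({"sub": "alice", "iat": now, "exp": now + 300}, SHARED_SECRET)
    with_aud = make_hs256_jwt({"sub": "alice", "aud": "synapse"}, SHARED_SECRET)
    print(login_outcome(good, SHARED_SECRET))
    print(login_outcome(with_aud, SHARED_SECRET))
    print(login_outcome(with_aud, SHARED_SECRET, audiences=["synapse"]))
```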
2138 |
2139 | password_config:
2140 | # Uncomment to disable password login
2141 | #
2142 | #enabled: false
2143 |
2144 | # Uncomment to disable authentication against the local password
2145 | # database. This is ignored if `enabled` is false, and is only useful
2146 | # if you have other password_providers.
2147 | #
2148 | #localdb_enabled: false
2149 |
2150 | # Uncomment and change to a secret random string for extra security.
2151 | # DO NOT CHANGE THIS AFTER INITIAL SETUP!
2152 | #
2153 | #pepper: "EVEN_MORE_SECRET"
2154 |
2155 | # Define and enforce a password policy. Each parameter is optional.
2156 | # This is an implementation of MSC2000.
2157 | #
2158 |   policy:
2159 | # Whether to enforce the password policy.
2160 | # Defaults to 'false'.
2161 | #
2162 | #enabled: true
2163 |
2164 | # Minimum accepted length for a password.
2165 | # Defaults to 0.
2166 | #
2167 | #minimum_length: 15
2168 |
2169 | # Whether a password must contain at least one digit.
2170 | # Defaults to 'false'.
2171 | #
2172 | #require_digit: true
2173 |
2174 | # Whether a password must contain at least one symbol.
2175 | # A symbol is any character that's not a number or a letter.
2176 | # Defaults to 'false'.
2177 | #
2178 | #require_symbol: true
2179 |
2180 | # Whether a password must contain at least one lowercase letter.
2181 | # Defaults to 'false'.
2182 | #
2183 | #require_lowercase: true
2184 |
2185 | # Whether a password must contain at least one uppercase letter.
2186 | # Defaults to 'false'.
2187 | #
2188 | #require_uppercase: true
2189 |
2190 | ui_auth:
2191 | # The amount of time to allow a user-interactive authentication session
2192 | # to be active.
2193 | #
2194 | # This defaults to 0, meaning the user is queried for their credentials
2195 | # before every action, but this can be overridden to allow a single
2196 | # validation to be re-used. This weakens the protections afforded by
2197 | # the user-interactive authentication process, by allowing for multiple
2198 | # (and potentially different) operations to use the same validation session.
2199 | #
2200 | # This is ignored for potentially "dangerous" operations (including
2201 | # deactivating an account, modifying an account password, and
2202 | # adding a 3PID).
2203 | #
2204 | # Uncomment below to allow for credential validation to last for 15
2205 | # seconds.
2206 | #
2207 | #session_timeout: "15s"
2208 |
2209 |
2210 | # Configuration for sending emails from Synapse.
2211 | #
2212 | # Server admins can configure custom templates for email content. See
2213 | # https://matrix-org.github.io/synapse/latest/templates.html for more information.
2214 | #
2215 | email:
2216 | # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
2217 | #
2218 | #smtp_host: mail.server
2219 |
2220 | # The port on the mail server for outgoing SMTP. Defaults to 25.
2221 | #
2222 | #smtp_port: 587
2223 |
2224 | # Username/password for authentication to the SMTP server. By default, no
2225 | # authentication is attempted.
2226 | #
2227 | #smtp_user: "exampleusername"
2228 | #smtp_pass: "examplepassword"
2229 |
2230 | # Uncomment the following to require TLS transport security for SMTP.
2231 | # By default, Synapse will connect over plain text, and will then switch to
2232 | # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
2233 | # Synapse will refuse to connect unless the server supports STARTTLS.
2234 | #
2235 | #require_transport_security: true
2236 |
2237 | # Uncomment the following to disable TLS for SMTP.
2238 | #
2239 | # By default, if the server supports TLS, it will be used, and the server
2240 | # must present a certificate that is valid for 'smtp_host'. If this option
2241 | # is set to false, TLS will not be used.
2242 | #
2243 | #enable_tls: false
2244 |
2245 | # notif_from defines the "From" address to use when sending emails.
2246 | # It must be set if email sending is enabled.
2247 | #
2248 | # The placeholder '%(app)s' will be replaced by the application name,
2249 | # which is normally 'app_name' (below), but may be overridden by the
2250 | # Matrix client application.
2251 | #
2252 | # Note that the placeholder must be written '%(app)s', including the
2253 | # trailing 's'.
2254 | #
2255 | #notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
2256 |
2257 | # app_name defines the default value for '%(app)s' in notif_from and email
2258 | # subjects. It defaults to 'Matrix'.
2259 | #
2260 | #app_name: my_branded_matrix_server
2261 |
2262 | # Uncomment the following to enable sending emails for messages that the user
2263 | # has missed. Disabled by default.
2264 | #
2265 | #enable_notifs: true
2266 |
2267 | # Uncomment the following to disable automatic subscription to email
2268 | # notifications for new users. Enabled by default.
2269 | #
2270 | #notif_for_new_users: false
2271 |
2272 | # Custom URL for client links within the email notifications. By default
2273 | # links will be based on "https://matrix.to".
2274 | #
2275 | # (This setting used to be called riot_base_url; the old name is still
2276 | # supported for backwards-compatibility but is now deprecated.)
2277 | #
2278 | #client_base_url: "http://localhost/riot"
2279 |
2280 | # Configure the time that a validation email will expire after sending.
2281 | # Defaults to 1h.
2282 | #
2283 | #validation_token_lifetime: 15m
2284 |
2285 | # The web client location to direct users to during an invite. This is passed
2286 | # to the identity server as the org.matrix.web_client_location key. Defaults
2287 | # to unset, giving no guidance to the identity server.
2288 | #
2289 | #invite_client_location: https://app.element.io
2290 |
2291 | # Subjects to use when sending emails from Synapse.
2292 | #
2293 | # The placeholder '%(app)s' will be replaced with the value of the 'app_name'
2294 | # setting above, or by a value dictated by the Matrix client application.
2295 | #
2296 | # If a subject isn't overridden in this configuration file, the value used as
2297 | # its example will be used.
2298 | #
2299 | #subjects:
2300 |
2301 | # Subjects for notification emails.
2302 | #
2303 | # On top of the '%(app)s' placeholder, these can use the following
2304 | # placeholders:
2305 | #
2306 | # * '%(person)s', which will be replaced by the display name of the user(s)
2307 | # that sent the message(s), e.g. "Alice and Bob".
2308 | # * '%(room)s', which will be replaced by the name of the room the
2309 | # message(s) have been sent to, e.g. "My super room".
2310 | #
2311 | # See the example provided for each setting to see which placeholder can be
2312 | # used and how to use them.
2313 | #
2314 | # Subject to use to notify about one message from one or more user(s) in a
2315 | # room which has a name.
2316 | #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
2317 | #
2318 | # Subject to use to notify about one message from one or more user(s) in a
2319 | # room which doesn't have a name.
2320 | #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
2321 | #
2322 | # Subject to use to notify about multiple messages from one or more users in
2323 | # a room which doesn't have a name.
2324 | #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
2325 | #
2326 | # Subject to use to notify about multiple messages in a room which has a
2327 | # name.
2328 | #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
2329 | #
2330 | # Subject to use to notify about multiple messages in multiple rooms.
2331 | #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
2332 | #
2333 | # Subject to use to notify about multiple messages from multiple persons in
2334 | # multiple rooms. This is similar to the setting above except it's used when
2335 | # the room in which the notification was triggered has no name.
2336 | #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
2337 | #
2338 | # Subject to use to notify about an invite to a room which has a name.
2339 | #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
2340 | #
2341 | # Subject to use to notify about an invite to a room which doesn't have a
2342 | # name.
2343 | #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."
2344 |
2345 | # Subject for emails related to account administration.
2346 | #
2347 | # On top of the '%(app)s' placeholder, these one can use the
2348 | # '%(server_name)s' placeholder, which will be replaced by the value of the
2349 | # 'server_name' setting in your Synapse configuration.
2350 | #
2351 | # Subject to use when sending a password reset email.
2352 | #password_reset: "[%(server_name)s] Password reset"
2353 | #
2354 | # Subject to use when sending a verification email to assert an address's
2355 | # ownership.
2356 | #email_validation: "[%(server_name)s] Validate your email"
2357 |
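The STARTTLS negotiation that the `require_transport_security` and `enable_tls` comments above describe, written out as an added Python example (this is not Synapse's own mail code): `decide_transport` encodes the outcome for each combination of the two settings, and `connect_smtp` applies it with `smtplib`, verifying the server certificate against `smtp_host` as the `enable_tls` comment requires. The function names, the constructed host name and the handling of the contradictory combination (TLS required but disabled, rejected here as a configuration error) are assumptions of this example.

```python
import smtplib
import ssl
from dataclasses import dataclass


@dataclass
class EmailTransportConfig:
    """The subset of the Synapse `email:` block that decides transport security."""
    smtp_host: str
    smtp_port: int = 25
    enable_tls: bool = True                   # Synapse default
    require_transport_security: bool = False  # Synapse default


def decide_transport(cfg: EmailTransportConfig, server_offers_starttls: bool) -> str:
    """Return "starttls", "plaintext" or "refuse".

    Mirrors the homeserver.yaml comments: TLS is opportunistic by default,
    mandatory with require_transport_security, never used with enable_tls: false.
    Requiring transport security while disabling TLS is contradictory; this
    example fails closed on it (an assumption of the example).
    """
    if cfg.require_transport_security and not cfg.enable_tls:
        return "refuse"
    if not cfg.enable_tls:
        return "plaintext"
    if server_offers_starttls:
        return "starttls"
    return "refuse" if cfg.require_transport_security else "plaintext"


def connect_smtp(cfg: EmailTransportConfig, timeout: float = 10.0) -> smtplib.SMTP:
    """Open the SMTP session the way the policy dictates.

    Every STARTTLS session begins in plain text; the EHLO response is what
    tells us whether the server advertises the STARTTLS extension.
    """
    if cfg.require_transport_security and not cfg.enable_tls:
        raise ValueError("require_transport_security needs enable_tls: true")
    conn = smtplib.SMTP(cfg.smtp_host, cfg.smtp_port, timeout=timeout)
    try:
        conn.ehlo()
        decision = decide_transport(cfg, conn.has_extn("starttls"))
        if decision == "refuse":
            raise RuntimeError(
                f"{cfg.smtp_host}:{cfg.smtp_port} does not offer STARTTLS "
                "but require_transport_security is set"
            )
        if decision == "starttls":
            # The default context verifies the chain and checks the
            # certificate against smtp_host, as the enable_tls comment states.
            conn.starttls(context=ssl.create_default_context())
            conn.ehlo()  # capabilities must be re-read after the TLS upgrade
        return conn
    except Exception:
        conn.close()
        raise


if __name__ == "__main__":
    # Constructed host; with the defaults this would use STARTTLS only if offered.
    cfg = EmailTransportConfig("smtp.ms.local", 587, require_transport_security=True)
    print(decide_transport(cfg, server_offers_starttls=False))
```

With `require_transport_security: true` the refusal happens before any credentials (`smtp_user`/`smtp_pass`) are sent, which is the property worth having: a downgraded or intercepted SMTP hop never sees the password.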
2358 |
2359 |
2360 | ## Push ##
2361 |
2362 | push:
2363 |   # Clients requesting push notifications can either have the body of
2364 |   # the message sent in the notification poke along with other details
2365 |   # like the sender, or just the event ID and room ID (`event_id_only`).
2366 |   # If clients choose the former, this option controls whether the
2367 |   # notification request includes the content of the event (other details
2368 |   # like the sender are still included). For `event_id_only` push, it
2369 |   # has no effect.
2370 |   #
2371 |   # For modern Android devices the notification content will still appear
2372 |   # because it is loaded by the app. iPhone, however, will send a
2373 |   # notification saying only that a message arrived and who it came from.
2374 |   #
2375 |   # The default value is "true" to include message details. Uncomment to only
2376 |   # include the event ID and room ID in push notification payloads.
2377 |   #
2378 |   #include_content: false
2379 |
2380 |   # When a push notification is received, an unread count is also sent.
2381 |   # This number can either be calculated as the number of unread messages
2382 |   # for the user, or the number of *rooms* the user has unread messages in.
2383 |   #
2384 |   # The default value is "true", meaning push clients will see the number of
2385 |   # rooms with unread messages in them. Uncomment to instead send the number
2386 |   # of unread messages.
2387 |   #
2388 |   #group_unread_count_by_room: false
2389 |
2390 |
2391 | ## Rooms ##
2392 |
2393 | # Controls whether locally-created rooms should be end-to-end encrypted by
2394 | # default.
2395 | #
2396 | # Possible options are "all", "invite", and "off". They are defined as:
2397 | #
2398 | # * "all": any locally-created room
2399 | # * "invite": any room created with the "private_chat" or "trusted_private_chat"
2400 | # room creation presets
2401 | # * "off": this option will take no effect
2402 | #
2403 | # The default value is "off".
2404 | #
2405 | # Note that this option will only affect rooms created after it is set. It
2406 | # will also not affect rooms created by other servers.
2407 | #
2408 | #encryption_enabled_by_default_for_room_type: invite
2409 |
2410 |
2411 | # Uncomment to allow non-server-admin users to create groups on this server
2412 | #
2413 | #enable_group_creation: true
2414 |
2415 | # If enabled, non server admins can only create groups with local parts
2416 | # starting with this prefix
2417 | #
2418 | #group_creation_prefix: "unofficial_"
2419 |
2420 |
2421 |
2422 | # User Directory configuration
2423 | #
2424 | user_directory:
2425 |   # Defines whether users can search the user directory. If false then
2426 |   # empty responses are returned to all queries. Defaults to true.
2427 |   #
2428 |   # Set to false to disable the user directory.
2429 |   #
2430 |   enabled: true
2431 |
2432 |   # Defines whether to search all users visible to your HS when searching
2433 |   # the user directory. If false, search results will only contain users
2434 |   # visible in public rooms and users sharing a room with the requester.
2435 |   # Defaults to false.
2436 |   #
2437 |   # NB. If you set this to true, and the last time the user_directory search
2438 |   # indexes were (re)built was before Synapse 1.44, you'll have to
2439 |   # rebuild the indexes in order to search through all known users.
2440 |   # These indexes are built the first time Synapse starts; admins can
2441 |   # manually trigger a rebuild via API following the instructions at
2442 |   # https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run
2443 |   #
2444 |   # Set to true (as here) to return search results containing all known users,
2445 |   # even if that user does not share a room with the requester.
2446 |   #
2447 |   search_all_users: true
2448 |
2449 |   # Defines whether to prefer local users in search query results.
2450 |   # If true, local users are more likely to appear above remote users
2451 |   # when searching the user directory. Defaults to false.
2452 |   #
2453 |   # Set to true (as here) to prefer local over remote users in user directory
2454 |   # search results.
2455 |   #
2456 |   prefer_local_users: true
2457 |
2458 |
2459 | # User Consent configuration
2460 | #
2461 | # for detailed instructions, see
2462 | # https://matrix-org.github.io/synapse/latest/consent_tracking.html
2463 | #
2464 | # Parts of this section are required if enabling the 'consent' resource under
2465 | # 'listeners', in particular 'template_dir' and 'version'.
2466 | #
2467 | # 'template_dir' gives the location of the templates for the HTML forms.
2468 | # This directory should contain one subdirectory per language (eg, 'en', 'fr'),
2469 | # and each language directory should contain the policy document (named as
2470 | # '<version>.html') and a success page (success.html).
2471 | #
2472 | # 'version' specifies the 'current' version of the policy document. It defines
2473 | # the version to be served by the consent resource if there is no 'v'
2474 | # parameter.
2475 | #
2476 | # 'server_notice_content', if enabled, will send a user a "Server Notice"
2477 | # asking them to consent to the privacy policy. The 'server_notices' section
2478 | # must also be configured for this to work. Notices will *not* be sent to
2479 | # guest users unless 'send_server_notice_to_guests' is set to true.
2480 | #
2481 | # 'block_events_error', if set, will block any attempts to send events
2482 | # until the user consents to the privacy policy. The value of the setting is
2483 | # used as the text of the error.
2484 | #
2485 | # 'require_at_registration', if enabled, will add a step to the registration
2486 | # process, similar to how captcha works. Users will be required to accept the
2487 | # policy before their account is created.
2488 | #
2489 | # 'policy_name' is the display name of the policy users will see when registering
2490 | # for an account. Has no effect unless `require_at_registration` is enabled.
2491 | # Defaults to "Privacy Policy".
2492 | #
2493 | #user_consent:
2494 | #  template_dir: res/templates/privacy
2495 | #  version: 1.0
2496 | #  server_notice_content:
2497 | #    msgtype: m.text
2498 | #    body: >-
2499 | #      To continue using this homeserver you must review and agree to the
2500 | #      terms and conditions at %(consent_uri)s
2501 | #  send_server_notice_to_guests: true
2502 | #  block_events_error: >-
2503 | #    To continue using this homeserver you must review and agree to the
2504 | #    terms and conditions at %(consent_uri)s
2505 | #  require_at_registration: false
2506 | #  policy_name: Privacy Policy
2507 | #
2508 |
2509 |
2510 |
2511 | # Settings for local room and user statistics collection. See
2512 | # https://matrix-org.github.io/synapse/latest/room_and_user_statistics.html.
2513 | #
2514 | stats:
2515 |   # Uncomment the following to disable room and user statistics. Note that doing
2516 |   # so may cause certain features (such as the room directory) not to work
2517 |   # correctly.
2518 |   #
2519 |   #enabled: false
2520 |
2521 |
2522 | # Server Notices room configuration
2523 | #
2524 | # Uncomment this section to enable a room which can be used to send notices
2525 | # from the server to users. It is a special room which cannot be left; notices
2526 | # come from a special "notices" user id.
2527 | #
2528 | # If you uncomment this section, you *must* define the system_mxid_localpart
2529 | # setting, which defines the id of the user which will be used to send the
2530 | # notices.
2531 | #
2532 | # It's also possible to override the room name, the display name of the
2533 | # "notices" user, and the avatar for the user.
2534 | #
2535 | #server_notices:
2536 | #  system_mxid_localpart: notices
2537 | #  system_mxid_display_name: "Server Notices"
2538 | #  system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
2539 | #  room_name: "Server Notices"
2540 |
2541 |
2542 |
2543 | # Uncomment to disable searching the public room list. When disabled
2544 | # blocks searching local and remote room lists for local and remote
2545 | # users by always returning an empty list for all queries.
2546 | #
2547 | #enable_room_list_search: false
2548 |
2549 | # The `alias_creation` option controls who's allowed to create aliases
2550 | # on this server.
2551 | #
2552 | # The format of this option is a list of rules that contain globs that
2553 | # match against user_id, room_id and the new alias (fully qualified with
2554 | # server name). The action in the first rule that matches is taken,
2555 | # which can currently either be "allow" or "deny".
2556 | #
2557 | # Missing user_id/room_id/alias fields default to "*".
2558 | #
2559 | # If no rules match the request is denied. An empty list means no one
2560 | # can create aliases.
2561 | #
2562 | # Options for the rules include:
2563 | #
2564 | #  user_id: Matches against the creator of the alias
2565 | #  alias: Matches against the alias being created
2566 | #  room_id: Matches against the room ID the alias is being pointed at
2567 | #  action: Whether to "allow" or "deny" the request if the rule matches
2568 | #
2569 | # The default is:
2570 | #
2571 | #alias_creation_rules:
2572 | #  - user_id: "*"
2573 | #    alias: "*"
2574 | #    room_id: "*"
2575 | #    action: allow
2576 |
2577 | # The `room_list_publication_rules` option controls who can publish and
2578 | # which rooms can be published in the public room list.
2579 | #
2580 | # The format of this option is the same as that for
2581 | # `alias_creation_rules`.
2582 | #
2583 | # If the room has one or more aliases associated with it, only one of
2584 | # the aliases needs to match the alias rule. If there are no aliases
2585 | # then only rules with `alias: *` match.
2586 | #
2587 | # If no rules match the request is denied. An empty list means no one
2588 | # can publish rooms.
2589 | #
2590 | # Options for the rules include:
2591 | #
2592 | #  user_id: Matches against the creator of the alias
2593 | #  room_id: Matches against the room ID being published
2594 | #  alias: Matches against any current local or canonical aliases
2595 | #    associated with the room
2596 | #  action: Whether to "allow" or "deny" the request if the rule matches
2597 | #
2598 | # The default is:
2599 | #
2600 | #room_list_publication_rules:
2601 | #  - user_id: "*"
2602 | #    alias: "*"
2603 | #    room_id: "*"
2604 | #    action: allow
2605 |
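The rule evaluation that both `alias_creation_rules` and `room_list_publication_rules` describe (first matching rule wins, missing `user_id`/`room_id`/`alias` fields default to `"*"`, no match means deny, and for publication only one of the room's aliases has to match while alias-less rooms match only `alias: "*"`), as an added Python example rather than Synapse's own implementation. It goes beyond the two all-allow defaults above by evaluating a constructed rule set for the `ms.local` domain used throughout this stack; the rule sets, the user and room IDs, and the use of `fnmatch` for the globs are assumptions of this example (Synapse has its own glob matcher, but `*` and `?` behave the same).

```python
import fnmatch
from typing import Dict, List, Sequence

Rule = Dict[str, str]


def _matches(pattern: str, value: str) -> bool:
    # Synapse rules are globs; fnmatchcase gives '*' and '?' the same meaning.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate_rules(rules: Sequence[Rule], user_id: str, room_id: str,
                   aliases: Sequence[str]) -> bool:
    """Apply alias_creation_rules / room_list_publication_rules semantics.

    aliases: for alias creation, the single new alias (fully qualified);
    for publication, all current local/canonical aliases (may be empty).
    """
    for rule in rules:
        # Missing user_id / room_id / alias fields default to "*".
        if not _matches(rule.get("user_id", "*"), user_id):
            continue
        if not _matches(rule.get("room_id", "*"), room_id):
            continue
        alias_pattern = rule.get("alias", "*")
        if aliases:
            # Only one of the aliases needs to match the alias rule.
            if not _matches_any(alias_pattern, aliases):
                continue
        elif alias_pattern != "*":
            # No aliases at all: only rules with alias: "*" can match.
            continue
        # The action of the first matching rule is taken.
        return rule.get("action") == "allow"
    # No rule matched (including an empty list): the request is denied.
    return False


def _matches_any(pattern: str, values: Sequence[str]) -> bool:
    return any(_matches(pattern, v) for v in values)


def may_create_alias(rules: Sequence[Rule], user_id: str, room_id: str,
                     new_alias: str) -> bool:
    return evaluate_rules(rules, user_id, room_id, [new_alias])


def may_publish_room(rules: Sequence[Rule], user_id: str, room_id: str,
                     room_aliases: Sequence[str]) -> bool:
    return evaluate_rules(rules, user_id, room_id, room_aliases)


# Constructed rule sets for the ms.local homeserver (not from the page).
# Admins may create any alias; other local users only "#unofficial_..." ones;
# remote users never match a rule and fall through to the implicit deny.
ALIAS_RULES: List[Rule] = [
    {"user_id": "@admin:ms.local", "action": "allow"},
    {"user_id": "@*:ms.local", "alias": "#unofficial_*:ms.local", "action": "allow"},
]

# Rooms carrying an "#official_..." alias may be published by anyone; admins
# may publish anything, including rooms that have no alias at all.
PUBLICATION_RULES: List[Rule] = [
    {"alias": "#official_*:ms.local", "action": "allow"},
    {"user_id": "@admin:ms.local", "action": "allow"},
]


if __name__ == "__main__":
    print(may_create_alias(ALIAS_RULES, "@bob:ms.local", "!abc:ms.local",
                           "#unofficial_chat:ms.local"))
    print(may_publish_room(PUBLICATION_RULES, "@bob:ms.local", "!abc:ms.local", []))
```

The order of the rules matters: putting a broad `deny` rule first would shadow the admin allowance, which is the usual mistake with first-match policies and the reason the default "allow everything" rule is listed alone.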
2606 |
2607 | ## Opentracing ##
2608 |
2609 | # These settings enable opentracing, which implements distributed tracing.
2610 | # This allows you to observe the causal chains of events across servers
2611 | # including requests, key lookups etc., across any server running
2612 | # synapse or any other services which support opentracing
2613 | # (specifically those implemented with Jaeger).
2614 | #
2615 | opentracing:
2616 |   # tracing is disabled by default. Uncomment the following line to enable it.
2617 |   #
2618 |   #enabled: true
2619 |
2620 |   # The list of homeservers we wish to send and receive span contexts and span baggage.
2621 |   # See https://matrix-org.github.io/synapse/latest/opentracing.html.
2622 |   #
2623 |   # This is a list of regexes which are matched against the server_name of the
2624 |   # homeserver.
2625 |   #
2626 |   # By default, it is empty, so no servers are matched.
2627 |   #
2628 |   #homeserver_whitelist:
2629 |   #  - ".*"
2630 |
2631 |   # A list of the matrix IDs of users whose requests will always be traced,
2632 |   # even if the tracing system would otherwise drop the traces due to
2633 |   # probabilistic sampling.
2634 |   #
2635 |   # By default, the list is empty.
2636 |   #
2637 |   #force_tracing_for_users:
2638 |   #  - "@user1:server_name"
2639 |   #  - "@user2:server_name"
2640 |
2641 |   # Jaeger can be configured to sample traces at different rates.
2642 |   # All configuration options provided by Jaeger can be set here.
2643 |   # Jaeger's configuration is mostly related to trace sampling which
2644 |   # is documented here:
2645 |   # https://www.jaegertracing.io/docs/latest/sampling/.
2646 |   #
2647 |   #jaeger_config:
2648 |   #  sampler:
2649 |   #    type: const
2650 |   #    param: 1
2651 |   #  logging:
2652 |   #    false
2653 |
2654 |
2655 | ## Workers ##
2656 |
2657 | # Disables sending of outbound federation transactions on the main process.
2658 | # Uncomment if using a federation sender worker.
2659 | #
2660 | #send_federation: false
2661 |
2662 | # It is possible to run multiple federation sender workers, in which case the
2663 | # work is balanced across them.
2664 | #
2665 | # This configuration must be shared between all federation sender workers, and if
2666 | # changed all federation sender workers must be stopped at the same time and then
2667 | # started, to ensure that all instances are running with the same config (otherwise
2668 | # events may be dropped).
2669 | #
2670 | #federation_sender_instances:
2671 | #  - federation_sender1
2672 |
2673 | # When using workers this should be a map from `worker_name` to the
2674 | # HTTP replication listener of the worker, if configured.
2675 | #
2676 | #instance_map:
2677 | #  worker1:
2678 | #    host: localhost
2679 | #    port: 8034
2680 |
2681 | # Experimental: When using workers you can define which workers should
2682 | # handle event persistence and typing notifications. Any worker
2683 | # specified here must also be in the `instance_map`.
2684 | #
2685 | #stream_writers:
2686 | #  events: worker1
2687 | #  typing: worker1
2688 |
2689 | # The worker that is used to run background tasks (e.g. cleaning up expired
2690 | # data). If not provided this defaults to the main process.
2691 | #
2692 | #run_background_tasks_on: worker1
2693 |
2694 | # A shared secret used by the replication APIs to authenticate HTTP requests
2695 | # from workers.
2696 | #
2697 | # By default this is unused and traffic is not authenticated.
2698 | #
2699 | #worker_replication_secret: ""
2700 |
2701 |
2702 | # Configuration for Redis when using workers. This *must* be enabled when
2703 | # using workers (unless using old style direct TCP configuration).
2704 | #
2705 | redis:
2706 |   # Uncomment the below to enable Redis support.
2707 |   #
2708 |   #enabled: true
2709 |
2710 |   # Optional host and port to use to connect to redis. Defaults to
2711 |   # localhost and 6379
2712 |   #
2713 |   #host: localhost
2714 |   #port: 6379
2715 |
2716 |   # Optional password if configured on the Redis instance
2717 |   #
2718 |   #password:
2719 |
2720 |
2721 | # vim:ft=yaml
2722 |
--------------------------------------------------------------------------------
/sample_configs/maubot/config.yaml:
--------------------------------------------------------------------------------
1 | # The full URI to the database. SQLite and Postgres are fully supported.
2 | # Other DBMSes supported by SQLAlchemy may or may not work.
3 | # Format examples:
4 | #   SQLite:   sqlite:///filename.db
5 | #   Postgres: postgresql://username:password@hostname/dbname
6 | database: sqlite:////data/maubot.db
7 |
8 | # Separate database URL for the crypto database. "default" means use the same database as above.
9 | crypto_database: default
10 |
11 | plugin_directories:
12 |     # The directory where uploaded new plugins should be stored.
13 |     upload: /data/plugins
14 |     # The directories from which plugins should be loaded.
15 |     # Duplicate plugin IDs will be moved to the trash.
16 |     load:
17 |     - /data/plugins
18 |     # The directory where old plugin versions and conflicting plugins should be moved.
19 |     # Set to "delete" to delete files immediately.
20 |     trash: /data/trash
21 |     # The directory where plugin databases should be stored.
22 |     db: /data/dbs
23 |
24 | server:
25 |     # The IP and port to listen to.
26 |     hostname: 0.0.0.0
27 |     port: 29316
28 |     # Public base URL where the server is visible.
29 |     public_url: https://maubot.ms.local
30 |     # The base management API path.
31 |     base_path: /_matrix/maubot/v1
32 |     # The base path for the UI.
33 |     ui_base_path: /_matrix/maubot
34 |     # The base path for plugin endpoints. The instance ID will be appended directly.
35 |     plugin_base_path: /_matrix/maubot/plugin/
36 |     # Override path from where to load UI resources.
37 |     # Set to false to use pkg_resources to find the path.
38 |     override_resource_path: /opt/maubot/frontend
39 |     # The base appservice API path. Use / for legacy appservice API and /_matrix/app/v1 for v1.
40 |     appservice_base_path: /_matrix/app/v1
41 |     # The shared secret to sign API access tokens.
42 |     # Set to "generate" to generate and save a new token at startup.
43 |     unshared_secret: ep01teidiaesdwvk4ybuew2ytwlmicnvbe9gnubigh4yettvhmkp6c4ep3pvils9
44 |
45 | # Known homeservers. This is required for the `mbc auth` command and also allows
46 | # more convenient access from the management UI. This is not required to create
47 | # clients in the management UI, since you can also just type the homeserver URL
48 | # into the box there.
49 | homeservers:
50 |     matrix.ms.local:
51 |         # Client-server API URL
52 |         url: https://homeserver:8448
53 |         # registration_shared_secret from synapse config
54 |         # You can leave this empty if you don't have access to the homeserver.
55 |         # When this is empty, `mbc auth --register` won't work, but `mbc auth` (login) will.
56 |         secret: TT09R*PTB*oScj^XnSm=g,OtQ3R@.kVT&CCyNA2Cj8jt=5cEhe
57 | # List of administrator users. Plaintext passwords will be bcrypted on startup. Set empty password
58 | # to prevent normal login. Root is a special user that can't have a password and will always exist.
59 | admins:
60 |     root: ''
61 |     admin: $2b$12$TVJXArqxcL6/1v.X5BHD3.sB0VbGtHjuH/dBQOdbFkEzXEynU7Uoi
62 | # API feature switches.
63 | api_features:
64 |     login: true
65 |     plugin: true
66 |     plugin_upload: true
67 |     instance: true
68 |     instance_database: true
69 |     client: true
70 |     client_proxy: true
71 |     client_auth: true
72 |     dev_open: true
73 |     log: true
74 |
75 | # Python logging configuration.
76 | #
77 | # See section 16.7.2 of the Python documentation for more info:
78 | # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
79 | logging:
80 |     version: 1
81 |     formatters:
82 |         colored:
83 |             (): maubot.lib.color_log.ColorFormatter
84 |             format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
85 |         normal:
86 |             format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
87 |     handlers:
88 |         file:
89 |             class: logging.handlers.RotatingFileHandler
90 |             formatter: normal
91 |             filename: /var/log/maubot.log
92 |             maxBytes: 10485760
93 |             backupCount: 10
94 |         console:
95 |             class: logging.StreamHandler
96 |             formatter: colored
97 |     loggers:
98 |         maubot:
99 |             level: DEBUG
100 |         mau:
101 |             level: DEBUG
102 |         aiohttp:
103 |             level: INFO
104 |     root:
105 |         level: DEBUG
106 |         handlers: [file, console]
107 |
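Several fields in this sample config carry populated credential values (`unshared_secret`, the Synapse `registration_shared_secret` under `homeservers`, and the bcrypt hash of the `admin` password), and the bridge configs later in this repository have the same shape (`as_token`, `hs_token`, `shared_secret`). A pre-commit check that flags such fields before a sample config is published, as an added Python example that is not part of this repository: it is line-oriented rather than a YAML parser, so it also works on indentation-stripped dumps, treats the upstream placeholders (`generate`, empty, `null`, `default`) as clean, and additionally catches credentials embedded in database URLs and bcrypt hashes. The key patterns, the placeholder list and `SAMPLE_CONFIG` are constructed assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Keys whose values are credentials in the configs of this stack (assumption).
SECRET_KEY_RE = re.compile(r"(secret|token|password|passwd|pass)$", re.IGNORECASE)
# Values the upstream projects use to mean "not set yet".
PLACEHOLDERS = {"", "generate", "null", "~", "default"}
# bcrypt hashes; maubot stores admin passwords this way.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$")
# user:password@host inside a URL, e.g. postgresql://u:p@db/name
URL_CRED_RE = re.compile(r"://[^/\s:@]+:[^@\s]+@")
KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):\s*(.*?)\s*$")


def classify(key: str, value: str) -> Optional[str]:
    """Return why a key/value pair looks like a committed credential, or None."""
    if BCRYPT_RE.match(value):
        return "bcrypt password hash"
    if URL_CRED_RE.search(value):
        return "credentials embedded in URL"
    if SECRET_KEY_RE.search(key) and value.strip("'\"").lower() not in PLACEHOLDERS:
        return "credential value"
    return None


def find_committed_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Scan YAML-like text line by line; returns (line_no, key, reason) hits."""
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out setting, never loaded
        m = KEY_VALUE_RE.match(line)
        if not m:
            continue  # list items, block scalars, blank lines
        key = m.group(1)
        value = m.group(2).split(" #", 1)[0].strip()  # drop trailing comment
        reason = classify(key, value)
        if reason:
            hits.append((line_no, key, reason))
    return hits


# Constructed sample in the shape of the maubot config above; none of these
# values are real.
SAMPLE_CONFIG = """\
server:
    unshared_secret: generate
homeservers:
    matrix.ms.local:
        url: https://homeserver:8448
        secret: ''
appservice:
    as_token: CONSTRUCTED_TOKEN_VALUE_0123456789
    hs_token: generate
admins:
    root: ''
    admin: $2b$12$CONSTRUCTEDbcryptHASHvalueXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
database: postgresql://maubot:hunter2@db/maubot
"""


if __name__ == "__main__":
    for line_no, key, reason in find_committed_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {key}: {reason}")
```

Run it over `sample_configs/**/*.yaml` as a pre-commit hook; a non-empty result is the signal to replace the value with `generate` (where the project supports it) or to move it into an `.env` file that is not committed.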
--------------------------------------------------------------------------------
/sample_configs/proxy/traefik-ssl.toml:
--------------------------------------------------------------------------------
1 | [tls]
2 | [tls.stores]
3 | [tls.stores.default]
4 | [tls.stores.default.defaultCertificate]
5 | certFile = "/certs/WILDCARD.ms.local.crt"
6 | keyFile = "/certs/WILDCARD.ms.local.key"
7 |
--------------------------------------------------------------------------------
/sample_configs/telegram-bridge/config.yaml:
--------------------------------------------------------------------------------
1 | # Homeserver details
2 | homeserver:
3 |     # The address that this appservice can use to connect to the homeserver.
4 |     address: https://homeserver:8448
5 |     # The domain of the homeserver (for MXIDs, etc).
6 |     domain: matrix.ms.local
7 |     # Whether or not to verify the SSL certificate of the homeserver.
8 |     # Only applies if address starts with https://
9 |     verify_ssl: false
10 |     asmux: false
11 |     # Number of retries for all HTTP requests if the homeserver isn't reachable.
12 |     http_retry_count: 4
13 |     # The URL to push real-time bridge status to.
14 |     # If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
15 |     # The bridge will use the appservice as_token to authorize requests.
16 |     status_endpoint:
17 |     # Endpoint for reporting per-message status.
18 |     message_send_checkpoint_endpoint:
19 |
20 | # Application service host/registration related details
21 | # Changing these values requires regeneration of the registration.
22 | appservice:
23 |     # The address that the homeserver can use to connect to this appservice.
24 |     address: http://telegram-bridge:29317
25 |     # When using https:// the TLS certificate and key files for the address.
26 |     tls_cert: false
27 |     tls_key: false
28 |
29 |     # The hostname and port where this appservice should listen.
30 |     hostname: 0.0.0.0
31 |     port: 29317
32 |     # The maximum body size of appservice API requests (from the homeserver) in mebibytes
33 |     # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
34 |     max_body_size: 1
35 |
36 |     # The full URI to the database. SQLite and Postgres are supported.
37 |     # Format examples:
38 |     #   SQLite:   sqlite:///filename.db
39 |     #   Postgres: postgres://username:password@hostname/dbname
40 |     database: sqlite:////data/telegram-bridge.db
41 |     # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
42 |     # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
43 |     # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
44 |     # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
45 |     database_opts:
46 |         min_size: 1
47 |         max_size: 10
48 |     public:
49 |         # Whether or not the public-facing endpoints should be enabled.
50 |         enabled: false
51 |         # The prefix to use in the public-facing endpoints.
52 |         prefix: /public
53 |         # The base URL where the public-facing endpoints are available. The prefix is not added
54 |         # implicitly.
55 |         external: https://example.com/public
56 |
57 |     # Provisioning API part of the web server for automated portal creation and fetching information.
58 |     # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
59 |     provisioning:
60 |         # Whether or not the provisioning API should be enabled.
61 |         enabled: true
62 |         # The prefix to use in the provisioning API endpoints.
63 |         prefix: /_matrix/provision/v1
64 |         # The shared secret to authorize users of the API.
65 |         # Set to "generate" to generate and save a new token.
66 |         shared_secret: 7GZB-OeVY8kbmq10e6WdGnZsTmAIABre_YdLFRITIbQDRVgkdLnuLklqMdS9hfWY
67 |
68 |     # The unique ID of this appservice.
69 |     id: telegram
70 |     # Username of the appservice bot.
71 |     bot_username: telegrambot
72 |     # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
73 |     # to leave display name/avatar as-is.
74 |     bot_displayname: Telegram bridge bot
75 |     bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
76 |
77 |     # Whether or not to receive ephemeral events via appservice transactions.
78 |     # Requires MSC2409 support (i.e. Synapse 1.22+).
79 |     # You should disable bridge -> sync_with_custom_puppets when this is enabled.
80 |     ephemeral_events: false
81 |
82 |     # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
83 |     as_token: zksgVW2K5BiOsV_4INuC9qhYR6-wUmv4YbycjDzEfrbZiRvfDSBnAE6KZYklusLp
84 |     hs_token: q9zI3F4z8Jr7mG2IN7g4-2jkgaeczYNScHlXgAXwlbrZw5VEgNtXRCQf1jk0Xe9S
85 |
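What the `hs_token` above is for, as an added Python example that is not mautrix-telegram's code: the homeserver presents `hs_token` on every request it makes to the appservice, as `Authorization: Bearer <hs_token>` in the current Application Service API or as the legacy `access_token` query parameter, and the appservice must reject a transaction with a missing or mismatching token before it touches the body (`as_token` goes the other way, from bridge to homeserver). The function names and the sample token are constructed for this example; the status codes (401 when no credential is supplied, 403 when it is rejected) are the ones the transaction endpoint documents.

```python
import hmac
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed value for this example; the real token is the appservice.hs_token
# above and the matching entry in the generated registration file.
HS_TOKEN = "constructed-hs-token-0123456789abcdef"


def presented_hs_token(headers: Mapping[str, str], url: str) -> Optional[str]:
    """Pull the homeserver's credential from a request, preferring the bearer header."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    # Legacy transport: PUT /_matrix/app/v1/transactions/{txnId}?access_token=<hs_token>
    values = parse_qs(urlsplit(url).query).get("access_token")
    return values[0] if values else None


def authorize_transaction(headers: Mapping[str, str], url: str,
                          expected: str = HS_TOKEN) -> int:
    """Return the HTTP status the appservice should answer with.

    401: the homeserver sent no credential at all.
    403: it sent one, but it is not our hs_token.
    200: token matches; the transaction body may now be processed.
    """
    token = presented_hs_token(headers, url)
    if token is None:
        return 401
    # Constant-time comparison, so the response time does not leak how many
    # leading bytes of a guessed token were correct.
    if not hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8")):
        return 403
    return 200


if __name__ == "__main__":
    url = "http://telegram-bridge:29317/_matrix/app/v1/transactions/1"
    print(authorize_transaction({"Authorization": "Bearer " + HS_TOKEN}, url))
    print(authorize_transaction({}, url))
```

Because the check happens before any event in the transaction is handled, a request from anything other than the configured homeserver is dropped without creating puppets or portals; with `appservice.address` bound on `0.0.0.0` as above, this token is the only thing standing between the bridge and whatever else can reach port 29317.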
86 | # Prometheus telemetry config. Requires prometheus-client to be installed.
87 | metrics:
88 |     enabled: false
89 |     listen_port: 8000
90 |
91 | # Manhole config.
92 | manhole:
93 |     # Whether or not opening the manhole is allowed.
94 |     enabled: false
95 |     # The path for the unix socket.
96 |     path: /var/tmp/mautrix-telegram.manhole
97 |     # The list of UIDs who can be added to the whitelist.
98 |     # If empty, any UIDs can be specified in the open-manhole command.
99 |     whitelist:
100 |     - 0
101 | bridge:
102 | # Localpart template of MXIDs for Telegram users.
103 | # {userid} is replaced with the user ID of the Telegram user.
104 | username_template: telegram_{userid}
105 | # Localpart template of room aliases for Telegram portal rooms.
106 | # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
107 | alias_template: telegram_{groupname}
108 | # Displayname template for Telegram users.
109 | # {displayname} is replaced with the display name of the Telegram user.
110 | displayname_template: '{displayname} (Telegram)'
111 |
112 | # Set the preferred order of user identifiers which to use in the Matrix puppet display name.
113 | # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
114 | # ID is used.
115 | #
116 | # If the bridge is working properly, a phone number or a username should always be known, but
117 | # the other one can very well be empty.
118 | #
119 | # Valid keys:
120 | # "full name" (First and/or last name)
121 | # "full name reversed" (Last and/or first name)
122 | # "first name"
123 | # "last name"
124 | # "username"
125 | # "phone number"
126 | displayname_preference:
127 | - full name
128 | - username
129 | - phone number
130 | displayname_max_length: 100
131 | # Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
132 | # as there's no way to determine whether an avatar is removed or just hidden from some users. If
133 | # you're on a single-user instance, this should be safe to enable.
134 |     allow_avatar_remove: false
135 |
136 |     # Maximum number of members to sync per portal when starting up. Other members will be
137 |     # synced when they send messages. The maximum is 10000, after which the Telegram server
138 |     # will not send any more members.
139 |     # -1 means no limit (which means it's limited to 10000 by the server)
140 |     max_initial_member_sync: 100
141 |     # Whether or not to sync the member list in channels.
142 |     # If no channel admins have logged into the bridge, the bridge won't be able to sync the member
143 |     # list regardless of this setting.
144 |     sync_channel_members: true
145 |     # Whether or not to skip deleted members when syncing members.
146 |     skip_deleted_members: true
147 |     # Whether or not to automatically synchronize contacts and chats of Matrix users logged into
148 |     # their Telegram account at startup.
149 |     startup_sync: true
150 |     # Number of most recently active dialogs to check when syncing chats.
151 |     # Set to 0 to remove limit.
152 |     sync_update_limit: 0
153 |     # Number of most recently active dialogs to create portals for when syncing chats.
154 |     # Set to 0 to remove limit.
155 |     sync_create_limit: 30
156 |     # Whether or not to sync and create portals for direct chats at startup.
157 |     sync_direct_chats: false
158 |     # The maximum number of simultaneous Telegram deletions to handle.
159 |     # A large number of simultaneous redactions could put strain on your homeserver.
160 |     max_telegram_delete: 10
161 |     # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
162 |     # at startup and when creating a bridge.
163 |     sync_matrix_state: true
164 |     # Allow logging in within Matrix. If false, users can only log in using login-qr or the
165 |     # out-of-Matrix login website (see appservice.public config section)
166 |     allow_matrix_login: true
167 |     # Whether or not to bridge plaintext highlights.
168 |     # Only enable this if your displayname_template has some static part that the bridge can use to
169 |     # reliably identify what is a plaintext highlight.
170 |     plaintext_highlights: false
171 |     # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
172 |     public_portals: true
173 |     # Whether or not to use /sync to get presence, read receipts and typing notifications
174 |     # when double puppeting is enabled
175 |     sync_with_custom_puppets: true
176 |     # Whether or not to update the m.direct account data event when double puppeting is enabled.
177 |     # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
178 |     # and is therefore prone to race conditions.
179 |     sync_direct_chat_list: false
180 |     # Servers to always allow double puppeting from
181 |     double_puppet_server_map:
182 |         example.com: https://example.com
183 |     double_puppet_allow_discovery: false
184 |     # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
185 |     #
186 |     # If set, custom puppets will be enabled automatically for local users
187 |     # instead of users having to find an access token and run `login-matrix`
188 |     # manually.
189 |     # If using this for other servers than the bridge's server,
190 |     # you must also set the URL in the double_puppet_server_map.
191 |     login_shared_secret_map:
192 |         example.com: foobar
193 |     telegram_link_preview: true
194 |     # Whether or not the !tg join command should do a HTTP request
195 |     # to resolve redirects in invite links.
196 |     invite_link_resolve: false
197 |     # Use inline images instead of a separate message for the caption.
198 |     # N.B. Inline images are not supported on all clients (e.g. Element iOS/Android).
199 |     inline_images: false
200 |     # Maximum size of image in megabytes before sending to Telegram as a document.
201 |     image_as_file_size: 10
202 |     # Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 1280x1280 = 1638400.
203 |     image_as_file_pixels: 1638400
204 |     # Maximum size of Telegram documents in megabytes to bridge.
205 |     max_document_size: 100
206 |     # Enable experimental parallel file transfer, which makes uploads/downloads much faster by
207 |     # streaming from/to Matrix and using many connections for Telegram.
208 |     # Note that generating HQ thumbnails for videos is not possible with streamed transfers.
209 |     # This option uses internal Telethon implementation details and may break with minor updates.
210 |     parallel_file_transfer: false
211 |     # Whether or not created rooms should have federation enabled.
212 |     # If false, created portal rooms will never be federated.
213 |     federate_rooms: true
214 |     # Settings for converting animated stickers.
215 |     animated_sticker:
216 |         # Format to which animated stickers should be converted.
217 |         # disable - No conversion, send as-is (gzipped lottie)
218 |         # png - converts to non-animated png (fastest),
219 |         # gif - converts to animated gif
220 |         # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
221 |         target: gif
222 |         # Arguments for converter. All converters take width and height.
223 |         args:
224 |             width: 256
225 |             height: 256
226 |             fps: 25 # only for webm and gif (2, 5, 10, 20 or 25 recommended)
227 |     # End-to-bridge encryption support options.
228 |     #
229 |     # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
230 |     encryption:
231 |         # Allow encryption, work in group chat rooms with e2ee enabled
232 |         allow: false
233 |         # Default to encryption, force-enable encryption in all portals the bridge creates
234 |         # This will cause the bridge bot to be in private chats for the encryption to work properly.
235 |         default: false
236 |         # Database for the encryption data. If set to `default`, will use the appservice database.
237 |         database: default
238 |         # Options for automatic key sharing.
239 |         key_sharing:
240 |             # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
241 |             # You must use a client that supports requesting keys from other users to use this feature.
242 |             allow: false
243 |             # Require the requesting device to have a valid cross-signing signature?
244 |             # This doesn't require that the bridge has verified the device, only that the user has verified it.
245 |             # Not yet implemented.
246 |             require_cross_signing: false
247 |             # Require devices to be verified by the bridge?
248 |             # Verification by the bridge is not yet implemented.
249 |             require_verification: true
250 |     # Whether or not to explicitly set the avatar and room name for private
251 |     # chat portal rooms. This will be implicitly enabled if encryption.default is true.
252 |     private_chat_portal_meta: false
253 |     # Whether or not the bridge should send a read receipt from the bridge bot when a message has
254 |     # been sent to Telegram.
255 |     delivery_receipts: false
256 |     # Whether or not delivery errors should be reported as messages in the Matrix room.
257 |     delivery_error_reports: false
258 |     # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
259 |     # This field will automatically be changed back to false after it,
260 |     # except if the config file is not writable.
261 |     resend_bridge_info: false
262 |     # When using double puppeting, should muted chats be muted in Matrix?
263 |     mute_bridging: false
264 |     # When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
265 |     # The favorites tag is `m.favourite`.
266 |     pinned_tag:
267 |     # Same as above for archived chats, the low priority tag is `m.lowpriority`.
268 |     archive_tag:
269 |     # Whether or not mute status and tags should only be bridged when the portal room is created.
270 |     tag_only_on_create: true
271 |     # Should leaving the room on Matrix make the user leave on Telegram?
272 |     bridge_matrix_leave: true
273 |     # Should the user be kicked out of all portals when logging out of the bridge?
274 |     kick_on_logout: true
275 |     # Settings for backfilling messages from Telegram.
276 |     backfill:
277 |         # Whether or not the Telegram ghosts of logged in Matrix users should be
278 |         # invited to private chats when backfilling history from Telegram. This is
279 |         # usually needed to prevent rate limits and to allow timestamp massaging.
280 |         invite_own_puppet: true
281 |         # Maximum number of messages to backfill without using a takeout.
282 |         # The first time a takeout is used, the user has to manually approve it from a different
283 |         # device. If initial_limit or missed_limit are higher than this value, the bridge will ask
284 |         # the user to accept the takeout after logging in before syncing any chats.
285 |         takeout_limit: 100
286 |         # Maximum number of messages to backfill initially.
287 |         # Set to 0 to disable backfilling when creating portal, or -1 to disable the limit.
288 |         #
289 |         # N.B. Initial backfill will only start after member sync. Make sure your
290 |         # max_initial_member_sync is set to a low enough value so it doesn't take forever.
291 |         initial_limit: 0
292 |         # Maximum number of messages to backfill if messages were missed while the bridge was
293 |         # disconnected. Note that this only works for logged in users and only if the chat isn't
294 |         # older than sync_update_limit
295 |         # Set to 0 to disable backfilling missed messages.
296 |         missed_limit: 50
297 |         # If using double puppeting, should notifications be disabled
298 |         # while the initial backfill is in progress?
299 |         disable_notifications: false
300 |         # Whether or not to enable backfilling in normal groups.
301 |         # Normal groups have numerous technical problems in Telegram, and backfilling normal groups
302 |         # will likely cause problems if there are multiple Matrix users in the group.
303 |         normal_groups: false
304 |
305 |     # Overrides for base power levels.
306 |     initial_power_level_overrides:
307 |         user: {}
308 |         group: {}
309 |
310 |     # Whether to bridge Telegram bot messages as m.notices or m.texts.
311 |     bot_messages_as_notices: true
312 |     bridge_notices:
313 |         # Whether or not Matrix bot messages (type m.notice) should be bridged.
314 |         default: false
315 |         # List of user IDs for whom the previous flag is flipped.
316 |         # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
317 |         # notices from users listed here will be bridged.
318 |         exceptions: []
319 |
320 |     # An array of possible values for the $distinguisher variable in message formats.
321 |     # Each user gets one of the values here, based on a hash of their user ID.
322 |     # If the array is empty, the $distinguisher variable will also be empty.
323 |     relay_user_distinguishers: [🟦, 🟣, 🟩, ⭕️, 🔶, ⬛️, 🔵, 🟢]
324 |     # The formats to use when sending messages to Telegram via the relay bot.
325 |     # Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
326 |     #
327 |     # Available variables:
328 |     #   $sender_displayname - The display name of the sender (e.g. Example User)
329 |     #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
330 |     #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
331 |     #   $distinguisher      - A random string from the options in the relay_user_distinguishers array.
332 |     #   $message            - The message content
333 |     message_formats:
334 |         m.text: '$distinguisher $sender_displayname: $message'
335 |         m.notice: '$distinguisher $sender_displayname: $message'
336 |         m.emote: '* $distinguisher $sender_displayname $message'
337 |         m.file: '$distinguisher $sender_displayname sent a file: $message'
338 |         m.image: '$distinguisher $sender_displayname sent an image: $message'
339 |         m.audio: '$distinguisher $sender_displayname sent an audio file: $message'
340 |         m.video: '$distinguisher $sender_displayname sent a video: $message'
341 |         m.location: '$distinguisher $sender_displayname sent a location: $message'
342 |     # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
343 |     # users are sent to telegram. All fields in message_formats are supported. Additionally, the
344 |     # Telegram user info is available in the following variables:
345 |     #   $displayname - Telegram displayname
346 |     #   $username    - Telegram username (may not exist)
347 |     #   $mention     - Telegram @username or displayname mention (depending on which exists)
348 |     emote_format: '* $mention $formatted_body'
349 |
350 |     # The formats to use when sending state events to Telegram via the relay bot.
351 |     #
352 |     # Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
353 |     # In name_change events, `$prev_displayname` is the previous displayname.
354 |     #
355 |     # Set format to an empty string to disable the messages for that event.
356 |     state_event_formats:
357 |         join: $distinguisher $displayname joined the room.
358 |         leave: $distinguisher $displayname left the room.
359 |         name_change: $distinguisher $prev_displayname changed their name to $distinguisher $displayname
360 |
361 |     # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
362 |     # `filter-mode` management commands.
363 |     #
364 |     # Filters do not affect direct chats.
365 |     # An empty blacklist will essentially disable the filter.
366 |     filter:
367 |         # Filter mode to use. Either "blacklist" or "whitelist".
368 |         # If the mode is "blacklist", the listed chats will never be bridged.
369 |         # If the mode is "whitelist", only the listed chats can be bridged.
370 |         mode: blacklist
371 |         # The list of group/channel IDs to filter.
372 |         list: []
373 |
374 |     # The prefix for commands. Only required in non-management rooms.
375 |     command_prefix: '!tg'
376 |
377 |     # Messages sent upon joining a management room.
378 |     # Markdown is supported. The defaults are listed below.
379 |     management_room_text:
380 |         # Sent when joining a room.
381 |         welcome: Hello, I'm a Telegram bridge bot.
382 |         # Sent when joining a management room and the user is already logged in.
383 |         welcome_connected: Use `help` for help.
384 |         # Sent when joining a management room and the user is not logged in.
385 |         welcome_unconnected: Use `help` for help or `login` to log in.
386 |         # Optional extra text sent when joining a management room.
387 |         additional_help: ''
388 |
389 |     # Send each message separately (for readability in some clients)
390 |     management_room_multiple_messages: false
391 |
392 |     # Permissions for using the bridge.
393 |     # Permitted values:
394 |     #   relaybot  - Only use the bridge via the relaybot, no access to commands.
395 |     #   user      - Relaybot level + access to commands to create bridges.
396 |     #   puppeting - User level + logging in with a Telegram account.
397 |     #   full      - Full access to use the bridge, i.e. previous levels + Matrix login.
398 |     #   admin     - Full access to use the bridge and some extra administration commands.
399 |     # Permitted keys:
400 |     #   *      - All Matrix users
401 |     #   domain - All users on that homeserver
402 |     #   mxid   - Specific user
403 |     permissions:
404 |         '*': relaybot
405 |         matrix.ms.local: admin
406 |     relaybot:
407 |         private_chat:
408 |             # List of users to invite to the portal when someone starts a private chat with the bot.
409 |             # If empty, private chats with the bot won't create a portal.
410 |             invite: []
411 |             # Whether or not to bridge state change messages in relaybot private chats.
412 |             state_changes: true
413 |             # When private_chat_invite is empty, this message is sent to users /starting the
414 |             # relaybot. Telegram's "markdown" is supported.
415 |             message: This is a Matrix bridge relaybot and does not support direct chats
416 |         # List of users to invite to all group chat portals created by the bridge.
417 |         group_chat_invite: []
418 |         # Whether or not the relaybot should not bridge events in unbridged group chats.
419 |         # If false, portals will be created when the relaybot receives messages, just like normal
420 |         # users. This behavior is usually not desirable, as it interferes with manually bridging
421 |         # the chat to another room.
422 |         ignore_unbridged_group_chat: true
423 |         # Whether or not to allow creating portals from Telegram.
424 |         authless_portals: true
425 |         # Whether or not to allow Telegram group admins to use the bot commands.
426 |         whitelist_group_admins: true
427 |         # Whether or not to ignore incoming events sent by the relay bot.
428 |         ignore_own_incoming_events: true
429 |         # List of usernames/user IDs who are also allowed to use the bot commands.
430 |         whitelist:
431 |             - myusername
432 |             - 12345678
433 | telegram:
434 |     # Get your own API keys at https://my.telegram.org/apps
435 |     api_id: 1921940
436 |     api_hash: f2d1cc19e30ec195165b4f5f6b27ae15
437 |     # (Optional) Create your own bot at https://t.me/BotFather
438 |     bot_token: disabled
439 |
440 |     # Telethon connection options.
441 |     connection:
442 |         # The timeout in seconds to be used when connecting.
443 |         timeout: 120
444 |         # How many times the reconnection should retry, either on the initial connection or when
445 |         # Telegram disconnects us. May be set to a negative or null value for infinite retries, but
446 |         # this is not recommended, since the program can get stuck in an infinite loop.
447 |         retries: 5
448 |         # The delay in seconds to sleep between automatic reconnections.
449 |         retry_delay: 1
450 |         # The threshold below which the library should automatically sleep on flood wait errors
451 |         # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
452 |         # is 20s, the library will sleep automatically. If the error was for 21s, it would raise
453 |         # the error instead. Values larger than a day (86400) will be changed to a day.
454 |         flood_sleep_threshold: 60
455 |         # How many times a request should be retried. Requests are retried when Telegram is having
456 |         # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
457 |         # there's a migrate error. May take a negative or null value for infinite retries, but this
458 |         # is not recommended, since some requests can always trigger a call fail (such as searching
459 |         # for messages).
460 |         request_retries: 5
461 |
462 |     # Device info sent to Telegram.
463 |     device_info:
464 |         # "auto" = OS name+version.
465 |         device_model: auto
466 |         # "auto" = Telethon version.
467 |         system_version: auto
468 |         # "auto" = mautrix-telegram version.
469 |         app_version: auto
470 |         lang_code: en
471 |         system_lang_code: en
472 |
473 |     # Custom server to connect to.
474 |     server:
475 |         # Set to true to use these server settings. If false, will automatically
476 |         # use production server assigned by Telegram. Set to false in production.
477 |         enabled: false
478 |         # The DC ID to connect to.
479 |         dc: 2
480 |         # The IP to connect to.
481 |         ip: 149.154.167.40
482 |         # The port to connect to. 443 may not work, 80 is better and both are equally secure.
483 |         port: 80
484 |
485 |     # Telethon proxy configuration.
486 |     # You must install PySocks from pip for proxies to work.
487 |     proxy:
488 |         # Allowed types: disabled, socks4, socks5, http, mtproxy
489 |         type: disabled
490 |         # Proxy IP address and port.
491 |         address: 127.0.0.1
492 |         port: 1080
493 |         # Whether or not to perform DNS resolving remotely. Only for socks/http proxies.
494 |         rdns: true
495 |         # Proxy authentication (optional). Put MTProxy secret in password field.
496 |         username: ''
497 |         password: ''
498 |
499 | # Python logging configuration.
500 | #
501 | # See section 16.7.2 of the Python documentation for more info:
502 | # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
503 | logging:
504 |     version: 1
505 |     formatters:
506 |         colored:
507 |             (): mautrix_telegram.util.ColorFormatter
508 |             format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
509 |         normal:
510 |             format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
511 |     handlers:
512 |         file:
513 |             class: logging.handlers.RotatingFileHandler
514 |             formatter: normal
515 |             filename: ./mautrix-telegram.log
516 |             maxBytes: 10485760
517 |             backupCount: 10
518 |         console:
519 |             class: logging.StreamHandler
520 |             formatter: colored
521 |     loggers:
522 |         mau:
523 |             level: DEBUG
524 |         telethon:
525 |             level: INFO
526 |         aiohttp:
527 |             level: INFO
528 |     root:
529 |         level: DEBUG
530 |         handlers: [file, console]
531 |
--------------------------------------------------------------------------------
/sample_configs/webhook-service/appservice-registration-webhooks.yaml:
--------------------------------------------------------------------------------
1 | id: webhooks
2 | hs_token: oWZdX2TBb3z8t9TGAtG28aUFAXCW8p4X9U2ovuFXAQuDitx5dd8d8tPWiqkZrca8
3 | as_token: tfBQmLm5UUas2wxNiLR6Z7vBSf9vdKCq9eTjZ6noAHB9gstiwWFzdsdfMW3UvjZ3
4 | namespaces:
5 |   users:
6 |     - exclusive: true
7 |       regex: '@_webhook.*'
8 | url: 'http://webhook-service:9000'
9 | sender_localpart: webhooks
10 | rate_limited: false
11 |
--------------------------------------------------------------------------------
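What the two tokens and the user namespace in the registration file above mean on the wire, as an added Python example that is not part of this repo or of matrix-appservice-webhooks: the homeserver proves itself on every pushed transaction with `hs_token` (the appservice uses `as_token` only when it calls the homeserver), and `users.regex` decides which Matrix IDs the service may claim. The registration dict below is modelled on the file with constructed placeholder tokens; the HTTP handling is reduced to a headers dict and a query string.

```python
import hmac
import re
from urllib.parse import parse_qs

# Modelled on appservice-registration-webhooks.yaml; the token values are
# constructed placeholders, not the ones committed in the file.
REGISTRATION = {
    "id": "webhooks",
    "hs_token": "constructed-hs-token-value",
    "as_token": "constructed-as-token-value",
    "namespaces": {
        # exclusive: true reserves this ID range for this appservice alone.
        "users": [{"exclusive": True, "regex": "@_webhook.*"}],
    },
    "sender_localpart": "webhooks",
}


def transaction_token(headers, query_string):
    """Pull the homeserver's credential from an inbound transaction request.

    The current form is `Authorization: Bearer <hs_token>`; the legacy form is
    the `access_token` query parameter, which is also accepted here.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    return parse_qs(query_string).get("access_token", [None])[0]


def authorize_transaction(registration, headers, query_string):
    """Decide whether a transaction pushed to this appservice may be processed.

    Returns (status, errcode): 200 when the presented token equals hs_token,
    401 when no token was sent, 403 when it was sent but is wrong. The check
    is against hs_token, never as_token: as_token is what *we* send out, so
    accepting it inbound would let anyone who learned it feed us events.
    """
    presented = transaction_token(headers, query_string)
    if presented is None:
        return 401, "M_UNAUTHORIZED"
    # Constant-time comparison so a wrong guess does not leak through timing.
    if not hmac.compare_digest(presented, registration["hs_token"]):
        return 403, "M_FORBIDDEN"
    return 200, None


def in_user_namespace(registration, mxid):
    """True if `mxid` falls under one of the registration's user namespaces.

    The file's regex '@_webhook.*' has no domain anchor, so it claims every
    ID that starts with '@_webhook', whatever the server part after the colon.
    """
    return any(
        re.fullmatch(ns["regex"], mxid) is not None
        for ns in registration["namespaces"]["users"]
    )
```

The homeserver side of the matching is simplified to `re.fullmatch`; the exact anchoring rules applied by Synapse are outside this example.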
/sample_configs/webhook-service/config.yaml:
--------------------------------------------------------------------------------
1 | # Configuration specific to the application service. All fields (unless otherwise marked) are required.
2 | homeserver:
3 |   # The domain for the client-server API calls.
4 |   url: "http://homeserver:8008"
5 |
6 |   # The domain part for user IDs on this home server. Usually, but not always, this is the same as the
7 |   # home server's URL.
8 |   domain: "matrix.ms.local"
9 |
10 | # Configuration specific to the bridge. All fields (unless otherwise marked) are required.
11 | webhookBot:
12 |   # The localpart to use for the bot. May require re-registering the application service.
13 |   localpart: "webhooks"
14 |
15 |   # Appearance options for the Matrix bot
16 |   appearance:
17 |     displayName: "Webhook Bridge"
18 |     avatarUrl: "http://i.imgur.com/IDOBtEJ.png" # webhook icon
19 |
20 | # Provisioning API options
21 | provisioning:
22 |   # Your secret for the API. Required for all provisioning API requests.
23 |   secret: 8sRqS76LUNRM6W6Z8p5syJMqdBUajcxM2wTC9hpZXh3N8ZKh8Es3oGoGHbPM853j
24 |
25 | # Configuration related to the web portion of the bridge. Handles the inbound webhooks
26 | web:
27 |   hookUrlBase: 'https://webhooks.ms.local'
28 |
29 | logging:
30 |   file: logs/webhook.log
31 |   console: true
32 |   consoleLevel: debug
33 |   fileLevel: verbose
34 |   writeFiles: true
35 |   rotate:
36 |     size: 52428800 # bytes, default is 50mb
37 |     count: 5
38 |
--------------------------------------------------------------------------------
/sample_configs/webhook-service/database.json:
--------------------------------------------------------------------------------
1 | {
2 |   "defaultEnv": {
3 |     "ENV": "NODE_ENV"
4 |   },
5 |   "development": {
6 |     "driver": "sqlite3",
7 |     "filename": "/data/development.db"
8 |   },
9 |   "production": {
10 |     "driver": "sqlite3",
11 |     "filename": "/data/production.db"
12 |   }
13 | }
14 |
--------------------------------------------------------------------------------
/sample_configs/webhook-service/production.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/twicechild/matrix-synapse-stack/3784ba79a72e919228c4c0f77935d587c92bd7c2/sample_configs/webhook-service/production.db
--------------------------------------------------------------------------------
/sample_configs/webhook-service/room-store.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/twicechild/matrix-synapse-stack/3784ba79a72e919228c4c0f77935d587c92bd7c2/sample_configs/webhook-service/room-store.db
--------------------------------------------------------------------------------
/sample_configs/webhook-service/user-store.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/twicechild/matrix-synapse-stack/3784ba79a72e919228c4c0f77935d587c92bd7c2/sample_configs/webhook-service/user-store.db
--------------------------------------------------------------------------------
/synapse.env:
--------------------------------------------------------------------------------
1 | SYNAPSE_SERVER_NAME=matrix.ms.local
2 | TZ=Europe/Athens
--------------------------------------------------------------------------------