From 490b2ecba7f8e027af068f64d8f63f764266861c Mon Sep 17 00:00:00 2001 From: creme Date: Sun, 1 Aug 2021 14:34:00 +0200 Subject: [PATCH] init --- README.md | 5 + etc/defaults/matrix-synapse | 5 + etc/matrix-media-repo/media-repo.yaml | 571 ++++ etc/matrix-synapse/conf.d/report_stats.yaml | 5 + etc/matrix-synapse/conf.d/server_name.yaml | 9 + etc/matrix-synapse/homeserver.yaml | 2824 +++++++++++++++++ etc/matrix-synapse/log.yaml | 74 + etc/matrix-synapse/workers/appservice.yaml | 13 + .../workers/appservice_log_config.yaml | 42 + .../workers/federation_sender1.yaml | 13 + .../federation_sender1_log_config.yaml | 42 + .../workers/federation_sender2.yaml | 13 + .../federation_sender2_log_config.yaml | 42 + .../workers/federation_sender3.yaml | 13 + .../federation_sender3_log_config.yaml | 42 + .../workers/generic_worker1.yaml | 28 + .../workers/generic_worker1_log_config.yaml | 42 + .../workers/generic_worker2.yaml | 28 + .../workers/generic_worker2_log_config.yaml | 42 + .../workers/generic_worker3.yaml | 28 + .../workers/generic_worker3_log_config.yaml | 42 + etc/matrix-synapse/workers/pusher.yaml | 13 + .../workers/pusher_log_config.yaml | 42 + etc/matrix-synchrotron-balancer/config.yaml | 11 + etc/nginx/include.d/generic_worker.conf | 272 ++ etc/nginx/include.d/synapse-proxy.conf | 14 + etc/nginx/include.d/synapse_admin.conf | 19 + .../sites-available/matrix.envs.net.conf | 141 + etc/postgresql/11/main/postgresql.conf | 690 ++++ etc/systemd/system/matrix-media.service | 13 + .../system/matrix-synapse-worker@.service | 27 + etc/systemd/system/matrix-synapse.service | 22 + etc/systemd/system/matrix-synapse.target | 8 + .../matrix-synchrotron-balancer.service | 13 + usr/local/bin/matrix-get-obsolet-rooms.sh | 58 + usr/local/bin/matrix-remove-empty-rooms.sh | 47 + usr/local/bin/synapse-clear-state.sh | 76 + usr/local/bin/update_matrix-media.sh | 17 + usr/local/bin/update_riot.sh | 45 + 39 files changed, 5451 insertions(+) create mode 100644 README.md create mode 100644 etc/defaults/matrix-synapse create mode 100644 etc/matrix-media-repo/media-repo.yaml create mode 100644 etc/matrix-synapse/conf.d/report_stats.yaml create mode 100644 etc/matrix-synapse/conf.d/server_name.yaml create mode 100644 etc/matrix-synapse/homeserver.yaml create mode 100644 etc/matrix-synapse/log.yaml create mode 100644 etc/matrix-synapse/workers/appservice.yaml create mode 100644 etc/matrix-synapse/workers/appservice_log_config.yaml create mode 100644 etc/matrix-synapse/workers/federation_sender1.yaml create mode 100644 etc/matrix-synapse/workers/federation_sender1_log_config.yaml create mode 100644 etc/matrix-synapse/workers/federation_sender2.yaml create mode 100644 etc/matrix-synapse/workers/federation_sender2_log_config.yaml create mode 100644 etc/matrix-synapse/workers/federation_sender3.yaml create mode 100644 etc/matrix-synapse/workers/federation_sender3_log_config.yaml create mode 100644 etc/matrix-synapse/workers/generic_worker1.yaml create mode 100644 etc/matrix-synapse/workers/generic_worker1_log_config.yaml create mode 100644 etc/matrix-synapse/workers/generic_worker2.yaml create mode 100644 etc/matrix-synapse/workers/generic_worker2_log_config.yaml create mode 100644 etc/matrix-synapse/workers/generic_worker3.yaml create mode 100644 etc/matrix-synapse/workers/generic_worker3_log_config.yaml create mode 100644 etc/matrix-synapse/workers/pusher.yaml create mode 100644 etc/matrix-synapse/workers/pusher_log_config.yaml create mode 100644 etc/matrix-synchrotron-balancer/config.yaml create mode 100644 etc/nginx/include.d/generic_worker.conf create mode 100644 etc/nginx/include.d/synapse-proxy.conf create mode 100644 etc/nginx/include.d/synapse_admin.conf create mode 100644 etc/nginx/sites-available/matrix.envs.net.conf create mode 100644 etc/postgresql/11/main/postgresql.conf create mode 100644 etc/systemd/system/matrix-media.service create mode 100644 etc/systemd/system/matrix-synapse-worker@.service create mode 100644 etc/systemd/system/matrix-synapse.service create mode 100644 etc/systemd/system/matrix-synapse.target create mode 100644 etc/systemd/system/matrix-synchrotron-balancer.service create mode 100755 usr/local/bin/matrix-get-obsolet-rooms.sh create mode 100755 usr/local/bin/matrix-remove-empty-rooms.sh create mode 100755 usr/local/bin/synapse-clear-state.sh create mode 100755 usr/local/bin/update_matrix-media.sh create mode 100755 usr/local/bin/update_riot.sh diff --git a/README.md b/README.md new file mode 100644 index 0000000..e095d8c --- /dev/null +++ b/README.md @@ -0,0 +1,5 @@ +# envs.net matrix instance config's & tools + +**HS instance: envs.net** + +more informations on https://envs.net/chat/matrix/ diff --git a/etc/defaults/matrix-synapse b/etc/defaults/matrix-synapse new file mode 100644 index 0000000..e897ad9 --- /dev/null +++ b/etc/defaults/matrix-synapse @@ -0,0 +1,5 @@ +# Specify environment variables used when running Synapse +# SYNAPSE_CACHE_FACTOR=0.5 (default) +SYNAPSE_CACHE_FACTOR=2.0 +#LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so +#LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2 diff --git a/etc/matrix-media-repo/media-repo.yaml b/etc/matrix-media-repo/media-repo.yaml new file mode 100644 index 0000000..0545869 --- /dev/null +++ b/etc/matrix-media-repo/media-repo.yaml @@ -0,0 +1,571 @@ +# General repo configuration +repo: + bindAddress: '127.0.0.1' + port: 8000 + + # Where to store the logs, relative to where the repo is started from. Logs will be automatically + # rotated every day and held for 14 days. To disable the repo logging to files, set this to + # "-" (including quotation marks). + # + # Note: to change the log directory you'll have to restart the repository. This setting cannot be + # live reloaded. + logDirectory: /var/log/matrix-media + + # Set to true to enable color coding in your logs. Note that this may cause escape sequences to + # appear in logs which render them unreadable, which is why colors are disabled by default. + logColors: false + + # Set to true to enable JSON logging for consumption by things like logstash. Note that this is + # incompatible with the log color option and will always render without colors. + jsonLogs: false + + # If true, the media repo will accept any X-Forwarded-For header without validation. In most cases + # this option should be left as "false". Note that the media repo already expects an X-Forwarded-For + # header, but validates it to ensure the IP being given makes sense. + trustAnyForwardedAddress: false + + # If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies. + # Typically this should remain as true, though in some circumstances it may need to be disabled. + # See https://github.com/turt2live/matrix-media-repo/issues/202 for more information. + useForwardedHost: true + +# Options for dealing with federation +federation: + # On a per-host basis, the number of consecutive failures in calling the host before the + # media repo will back off. This defaults to 20 if not given. Note that 404 errors from + # the remote server do not count towards this. + backoffAt: 20 + +# The database configuration for the media repository +# Do NOT put your homeserver's existing database credentials here. Create a new database and +# user instead. Using the same server is fine, just not the same username and database. +database: + # Currently only "postgres" is supported. + postgres: "postgres://matrix:password@localhost/matrixmedia?sslmode=disable" + + # The database pooling options + pool: + # The maximum number of connects to hold open. More of these allow for more concurrent + # processes to happen. + maxConnections: 25 + + # The maximum number of connects to leave idle. More of these reduces the time it takes + # to serve requests in low-traffic scenarios. + maxIdleConnections: 5 + +# The configuration for the homeservers this media repository is known to control. Servers +# not listed here will not be able to upload media. +homeservers: + - name: envs.net # This should match the server_name of your homeserver, and the Host header + # provided to the media repo. + csApi: "https://matrix.envs.net/" # The base URL to where the homeserver can actually be reached + backoffAt: 10 # The number of consecutive failures in calling this homeserver before the + # media repository will start backing off. This defaults to 10 if not given. + adminApiKind: "matrix" # The kind of admin API the homeserver supports. If set to "matrix", + # the media repo will use the Synapse-defined endpoints under the + # unstable client-server API. When this is "synapse", the new /_synapse + # endpoints will be used instead. Unknown values are treated as the + # default, "matrix". + +# Options for controlling how access tokens work with the media repo. It is recommended that if +# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints +# be proxied through this process. They will also be called on the homeserver, and the response +# sent straight through the client - they are simply used to invalidate the cache faster for +# a particular user. Without these, the access tokens might still work for a short period of time +# after the user has already invalidated them. +# +# This will also cache errors from the homeserver. +# +# Note that when this config block is used outside of a per-domain config, all hosts will be +# subject to the same cache. This also means that application services on limited homeservers +# could be authorized on the wrong domain. +# +# *************************************************************************** +# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. * +# *************************************************************************** +accessTokens: + # The maximum time a cached access token will be considered valid. Set to zero (the default) + # to disable the cache and constantly hit the homeserver. This is recommended to be set to + # 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and + # zero for servers who do not proxy the endpoints through. + maxCacheTimeSeconds: 0 + + # Whether or not to use the `appservices` config option below. If disabled (the default), + # the regular access token cache will be used for each user, potentially leading to high + # memory usage. + useLocalAppserviceConfig: false + + # The application services (and their namespaces) registered on the homeserver. Only used + # if `useLocalAppserviceConfig` is enabled (recommended). + # + # Usually the appservice will provide you with these config details - they'll just need + # translating from the appservice registration to here. Note that this does not require + # all options from the registration, and only requires the bare minimum required to run + # the media repo. + appservices: + - id: Name_of_appservice_for_your_reference + asToken: Secret_token_for_appservices_to_use + senderUserId: "@_example_bridge:envs.net" + userNamespaces: + - regex: "@_example_bridge_.+:envs.net" + # A note about regexes: it is best to suffix *all* namespaces with the homeserver + # domain users are valid for, as otherwise the appservice can use any user with + # any domain name it feels like, even if that domain is not configured with the + # media repo. This will lead to inaccurate reporting in the case of the media + # repo, and potentially leading to media being considered "remote". + +# These users have full access to the administrative functions of the media repository. +# See docs/admin.md for information on what these people can do. They must belong to one of the +# configured homeservers above. +admins: + - "@creme:envs.net" + +# Shared secret auth is useful for applications building on top of the media repository, such +# as a management interface. The `token` provided here is treated as a repository administrator +# when shared secret auth is enabled: if the `token` is used in place of an access token, the' +# request will be authorized. This is not limited to any particular domain, giving applications +# the ability to use it on any configured hostname. +sharedSecretAuth: + # Set this to true to enable shared secret auth. + enabled: false + + # Use a secure value here to prevent unauthorized access to the media repository. + token: "PutSomeRandomSecureValueHere" + +# Datastores are places where media should be persisted. This isn't dedicated for just uploads: +# thumbnails and other misc data is also stored in these places. The media repo, when looking +# for a datastore to use, will always use the smallest datastore first. +datastores: + - type: file + enabled: true + # Datastores can be split into many areas when handling uploads. Media is still de-duplicated + # across all datastores (local content which duplicates remote content will re-use the remote + # content's location). This option is useful if your datastore is becoming very large, or if + # you want faster storage for a particular kind of media. + # + # The kinds available are: + # thumbnails - Used to store thumbnails of media (local and remote). + # remote_media - Original copies of remote media (servers not configured by this repo). + # local_media - Original uploads for local media. + # archives - Archives of content (GDPR and similar requests). + forKinds: ["all"] + opts: + path: /var/matrix-media +# - type: file +# enabled: true + #forKinds: ["all"] +# opts: +# path: /var/matrix/media + + - type: s3 + enabled: false # Enable this to set up s3 uploads + forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + # The s3 uploader needs a temporary location to buffer files to reduce memory usage on + # small file uploads. If the file size is unknown, the file is written to this location + # before being uploaded to s3 (then the file is deleted). If you aren't concerned about + # memory usage, set this to an empty string. + tempPath: "/tmp/mediarepo_s3_upload" + endpoint: sfo2.digitaloceanspaces.com + accessKeyId: "" + accessSecret: "" + ssl: true + bucketName: "your-media-bucket" + # An optional region for where this S3 endpoint is located. Typically not needed, though + # some providers will need this (like Scaleway). Uncomment to use. + #region: "sfo2" + + # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If + # the feature is not enabled, this will not work. Note that IPFS support is experimental at + # the moment and not recommended for general use. + # + # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo + # puts authentication on the download endpoints. Only use this option for cases where you + # expect your media to be publicly accessible. + - type: ipfs + enabled: false + forKinds: ["local_media"] + # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured + # in the IPFS section of your main config. + opts: {} + +# Options for controlling archives. Archives are exports of a particular user's content for +# the purpose of GDPR or moving media to a different server. +archiving: + # Whether archiving is enabled or not. Default enabled. + enabled: true + # If true, users can request a copy of their own data. By default, only repository administrators + # can request a copy. + # This includes the ability for homeserver admins to request a copy of their own server's + # data, as known to the repo. + selfService: false + # The number of bytes to target per archive before breaking up the files. This is independent + # of any file upload limits and will require a similar amount of memory when performing an export. + # The file size is also a target, not a guarantee - it is possible to have files that are smaller + # or larger than the target. This is recommended to be approximately double the size of your + # file upload limit, provided there is enough memory available for the demand of exporting. + targetBytesPerPart: 209715200 # 200mb default + +# The file upload settings for the media repository +uploads: + # The maximum individual file size a user can upload. + maxBytes: 104857600 # 100MB default, 0 to disable + + # The minimum number of bytes to let people upload. This is recommended to be non-zero to + # ensure that the "cost" of running the media repo is worthwhile - small file uploads tend + # to waste more CPU and database resources than small files, thus a default of 100 bytes + # is applied here as an approximate break-even point. + minBytes: 100 # 100 bytes by default + + # The number of bytes to claim as the maximum size for uploads for the limits API. If this + # is not provided then the maxBytes setting will be used instead. This is useful to provide + # if the media repo's settings and the reverse proxy do not match for maximum request size. + # This is purely for informational reasons and does not actually limit any functionality. + # Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes. + #reportedMaxBytes: 104857600 + + # Options for limiting how much content a user can upload. Quotas are applied to content + # associated with a user regardless of de-duplication. Quotas which affect remote servers + # or users will not take effect. When a user exceeds their quota they will be unable to + # upload any more media. + quotas: + # Whether or not quotas are enabled/enforced. Note that even when disabled the media repo + # will track how much media a user has uploaded. This is disabled by default. + enabled: false + + # The quota rules that affect users. The first rule to match the uploader will take effect. + # An implied rule which matches all users and has no quota is always last in this list, + # meaning that if no rules are supplied then users will be able to upload anything. Similarly, + # if no rules match a user then the implied rule will match, allowing the user to have no + # quota. The quota will let the user upload to 1 media past their quota, meaning that from + # a statistics perspective the user might exceed their quota however only by a small amount. + users: + - glob: "@*:*" # Affect all users. Use asterisks (*) to match any character. + maxBytes: 53687063712 # 50GB default, 0 to disable + +# Settings related to downloading files from the media repository +downloads: + # The maximum number of bytes to download from other servers + maxBytes: 104857600 # 100MB default, 0 to disable + + # The number of workers to use when downloading remote media. Raise this number if remote + # media is downloading slowly or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum download size + # Average memory usage is dependent on how many concurrent downloads your users are doing. + numWorkers: 10 + + # How long, in minutes, to cache errors related to downloading remote media. Once this time + # has passed, the media is able to be re-requested. + failureCacheMinutes: 5 + + # The cache control settings for downloads. This can help speed up downloads for users by + # keeping popular media in the cache. This cache is also used for thumbnails. + cache: + enabled: true + + # The maximum size of cache to have. Higher numbers are better. + maxSizeBytes: 1048576000 # 1GB default + + # The maximum file size to cache. This should normally be the same size as your maximum + # upload size. + maxFileSizeBytes: 104857600 # 100MB default + + # The number of minutes to track how many downloads a file gets + trackedMinutes: 30 + + # The number of downloads a file must receive in the window above (trackedMinutes) in + # order to be cached. + minDownloads: 5 + + # The minimum amount of time an item should remain in the cache. This prevents the cache + # from cycling out the file if it needs more room during this time. Note that the media + # repo regularly cleans out media which is past this point from the cache, so this number + # may need increasing depending on your use case. If the maxSizeBytes is reached for the + # media repo, and some cached items are still under this timer, new items will not be able + # to enter the cache. When this happens, consider raising maxSizeBytes or lowering this + # timer. + minCacheTimeSeconds: 300 + + # The minimum amount of time an item should remain outside the cache once it is removed. + minEvictedTimeSeconds: 60 + + # How many days after a piece of remote content is downloaded before it expires. It can be + # re-downloaded on demand, this just helps free up space in your datastore. Set to zero or + # negative to disable. Defaults to disabled. + expireAfterDays: 90 + + +# URL Preview settings +urlPreviews: + enabled: true # If enabled, the preview_url routes will be accessible + maxPageSizeBytes: 10485760 # 10MB default, 0 to disable + + # If true, the media repository will try to provide previews for URLs with invalid or unsafe + # certificates. If false (the default), the media repo will fail requests to said URLs. + previewUnsafeCertificates: false + + # Note: URL previews are limited to a given number of words, which are then limited to a number + # of characters, taking off the last word if it needs to. This also applies for the title. + + numWords: 50 # The number of words to include in a preview (maximum) + maxLength: 200 # The maximum number of characters for a description + + numTitleWords: 30 # The maximum number of words to include in a preview's title + maxTitleLength: 150 # The maximum number of characters for a title + + # The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are + # calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be + # an image and the image's type must be allowed by the thumbnailer. + filePreviewTypes: + - "image/*" + + # The number of workers to use when generating url previews. Raise this number if url + # previews are slow or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum page size + # Average memory usage is dependent on how many concurrent urls your users are previewing. + numWorkers: 10 + + # Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they + # will be merged. URL previews will be disabled if neither is supplied. Each entry must be + # a CIDR range. + disallowedNetworks: + - "127.0.0.1/8" + - "10.0.0.0/8" + - "172.16.0.0/12" + - "192.168.0.0/16" + - "100.64.0.0/10" + - "169.254.0.0/16" + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + allowedNetworks: + - "0.0.0.0/0" # "Everything". The blacklist will help limit this. + # This is the default value for this field. + + # How many days after a preview is generated before it expires and is deleted. The preview + # can be regenerated safely - this just helps free up some space in your database. Set to + # zero or negative to disable. Defaults to disabled. + expireAfterDays: 90 + + # The default Accept-Language header to supply when generating URL previews when one isn't + # supplied by the client. + # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language + defaultLanguage: "en-US,en" + + # When true, oEmbed previews will be enabled. Typically these kinds of previews are used for + # sites that do not support OpenGraph or page scraping, such as Twitter. For information on + # specifying providers for oEmbed, including your own, see the following documentation: + # https://docs.t2bot.io/matrix-media-repo/url-previews/oembed.html + # Defaults to disabled. + oEmbed: true + +# The thumbnail configuration for the media repository. +thumbnails: + # The maximum number of bytes an image can be before the thumbnailer refuses. + maxSourceBytes: 10485760 # 10MB default, 0 to disable + + # The maximum number of pixels an image can have before the thumbnailer refuses. Note that + # this only applies to image types: file types like audio and video are affected solely by + # the maxSourceBytes. + maxPixels: 96000000 # 32M default + #maxPixels: 0 + + # The number of workers to use when generating thumbnails. Raise this number if thumbnails + # are slow to generate or timing out. + # + # Maximum memory usage = numWorkers multiplied by the maximum image source size + # Average memory usage is dependent on how many thumbnails are being generated by your users + numWorkers: 100 + + # All thumbnails are generated into one of the sizes listed here. The first size is used as + # the default for when no width or height is requested. The media repository will return + # either an exact match or the next largest size of thumbnail. + sizes: + - width: 32 + height: 32 + - width: 96 + height: 96 + - width: 320 + height: 240 + - width: 640 + height: 480 + - width: 768 # This size is primarily used for audio thumbnailing. + height: 240 + - width: 800 + height: 600 + + # To allow for thumbnails to be any size, not just in the sizes specified above, set this to + # true (default false). When enabled, whatever size requested by the client will be generated + # up to a maximum of the largest possible dimensions in the `sizes` list. For best results, + # specify only one size in the `sizes` list when this option is enabled. + dynamicSizing: false + + # The content types to thumbnail when requested. Types that are not supported by the media repo + # will not be thumbnailed (adding application/json here won't work). Clients may still not request + # thumbnails for these types - this won't make clients automatically thumbnail these file types. + types: + - "image/jpeg" + - "image/jpg" + - "image/png" + - "image/apng" + - "image/gif" + - "image/heif" + - "image/webp" + - "image/svg+xml" # Be sure to have ImageMagick installed to thumbnail SVG files + - "audio/mpeg" + - "audio/ogg" + - "audio/wav" + - "audio/flac" + - "video/mp4" # Be sure to have ffmpeg installed to thumbnail video files + + # Animated thumbnails can be CPU intensive to generate. To disable the generation of animated + # thumbnails, set this to false. If disabled, regular thumbnails will be returned. + allowAnimated: true + + # Default to animated thumbnails, if available + defaultAnimated: false + + # The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image + # is larger than this, the thumbnail will be generated as a static image. + maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable + + # On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try + # and thumbnail animated content? Defaults to 0.5 (middle of animation). + stillFrame: 0.5 + + # How many days after a thumbnail is generated before it expires and is deleted. The thumbnail + # can be regenerated safely - this just helps free up some space in your datastores. Set to + # zero or negative to disable. Defaults to disabled. + expireAfterDays: 90 + + +# Controls for the rate limit functionality +rateLimit: + # Set this to false if rate limiting is handled at a higher level or you don't want it enabled. + enabled: true + + # The number of requests per second before an IP will be rate limited. Must be a whole number. + requestsPerSecond: 1 + + # The number of requests an IP can send at once before the rate limit is actually considered. + burst: 10 + +# Identicons are generated avatars for a given username. Some clients use these to give users a +# default avatar after signing up. Identicons are not part of the official matrix spec, therefore +# this feature is completely optional. +identicons: + enabled: true + +# The quarantine media settings. +quarantine: + # If true, when a thumbnail of quarantined media is requested an image will be returned. If no + # image is given in the thumbnailPath below then a generated image will be provided. This does + # not affect regular downloads of files. + replaceThumbnails: true + + # If true, when media which has been quarantined is requested an image will be returned. If + # no image is given in the thumbnailPath below then a generated image will be provided. This + # will replace media which is not an image (ie: quarantining a PDF will replace the PDF with + # an image). + replaceDownloads: false + + # If provided, the given image will be returned as a thumbnail for media that is quarantined. + #thumbnailPath: "/path/to/thumbnail.png" + + # If true, administrators of the configured homeservers may quarantine media for their server + # only. Global administrators can quarantine any media (local or remote) regardless of this + # flag. + allowLocalAdmins: true + +# The various timeouts that the media repo will use. +timeouts: + # The maximum amount of time the media repo should spend trying to fetch a resource that is + # being previewed. + urlPreviewTimeoutSeconds: 10 + + # The maximum amount of time the media repo will spend making remote requests to other repos + # or homeservers. This is primarily used to download media. + federationTimeoutSeconds: 120 + + # The maximum amount of time the media repo will spend talking to your configured homeservers. + # This is usually used to verify a user's identity. + clientServerTimeoutSeconds: 30 + +# Prometheus metrics configuration +# For an example Grafana dashboard, import the following JSON: +# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json +metrics: + # If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape. + enabled: true + + # The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces. + bindAddress: "0.0.0.0" + + # The port to listen on. Cannot be the same as the general web server port. + port: 9001 + +# Options for controlling various MSCs/unstable features of the media repo +# Sections of this config might disappear or be added over time. By default all +# features are disabled in here and must be explicitly enabled to be used. +featureSupport: + # MSC2248 - Blurhash + MSC2448: + # Whether or not this MSC is enabled for use in the media repo + enabled: false + + # Maximum dimensions for converting a blurhash to an image. When no width and + # height options are supplied, the default will be half these values. + maxWidth: 1024 + maxHeight: 1024 + + # Thumbnail size in pixels to use to generate the blurhash string + thumbWidth: 64 + thumbHeight: 64 + + # The X and Y components to use. Higher numbers blur less, lower numbers blur more. + xComponents: 4 + yComponents: 3 + + # The amount of contrast to apply when converting a blurhash to an image. Lower values + # make the effect more subtle, larger values make it stronger. + punch: 1 + + # IPFS Support + # This is currently experimental and might not work at all. + IPFS: + # Whether or not IPFS support is enabled for use in the media repo. + enabled: false + + # Options for the built in IPFS daemon + builtInDaemon: + # Enable this to spawn an in-process IPFS node to use instead of a localhost + # HTTP agent. If this is disabled, the media repo will assume you have an HTTP + # IPFS agent running and accessible. Defaults to using a daemon (true). + enabled: true + + # If the Daemon is enabled, set this to the location where the IPFS files should + # be stored. If you're using Docker, this should be something like "/data/ipfs" + # so it can be mapped to a volume. + repoPath: "./ipfs" + + # Support for redis as a cache mechanism + # + # Note: Enabling Redis support will mean that the existing cache mechanism will do nothing. + # It can be safely disabled once Redis support is enabled. + # + # See docs/redis.md for more information on how this works and how to set it up. + redis: + # Whether or not use Redis instead of in-process caching. + enabled: false + + # The Redis shards that should be used by the media repo in the ring. The names of the + # shards are for your reference and have no bearing on the connection, but must be unique. + shards: + - name: "server1" + addr: ":7000" + - name: "server2" + addr: ":7001" + - name: "server3" + addr: ":7002" diff --git a/etc/matrix-synapse/conf.d/report_stats.yaml b/etc/matrix-synapse/conf.d/report_stats.yaml new file mode 100644 index 0000000..8f048e5 --- /dev/null +++ b/etc/matrix-synapse/conf.d/report_stats.yaml @@ -0,0 +1,5 @@ +# This file is autogenerated, and will be recreated on upgrade if it is deleted. +# Any changes you make will be preserved. + +# Whether to report anonymized homeserver usage statistics. +report_stats: true diff --git a/etc/matrix-synapse/conf.d/server_name.yaml b/etc/matrix-synapse/conf.d/server_name.yaml new file mode 100644 index 0000000..7cb564d --- /dev/null +++ b/etc/matrix-synapse/conf.d/server_name.yaml @@ -0,0 +1,9 @@ +# This file is autogenerated, and will be recreated on upgrade if it is deleted. +# Any changes you make will be preserved. + +# The domain name of the server, with optional explicit port. +# This is used by remote servers to connect to this server, +# e.g. matrix.org, localhost:8080, etc. +# This is also the last part of your UserID. +# +server_name: envs.net diff --git a/etc/matrix-synapse/homeserver.yaml b/etc/matrix-synapse/homeserver.yaml new file mode 100644 index 0000000..1a83e9f --- /dev/null +++ b/etc/matrix-synapse/homeserver.yaml @@ -0,0 +1,2824 @@ +# This file is maintained as an up-to-date snapshot of the default +# homeserver.yaml configuration generated by Synapse. +# +# It is intended to act as a reference for the default configuration, +# helping admins keep track of new options and other changes, and compare +# their configs with the current default. As such, many of the actual +# config values shown are placeholders. +# +# It is *not* intended to be copied and used as the basis for a real +# homeserver.yaml. Instead, if you are starting from scratch, please generate +# a fresh config using Synapse by following the instructions in +# https://matrix-org.github.io/synapse/latest/setup/installation.html. + +# Configuration options that take a time period can be set using a number +# followed by a letter. Letters have the following meanings: +# s = second +# m = minute +# h = hour +# d = day +# w = week +# y = year +# For example, setting redaction_retention_period: 5m would remove redacted +# messages from the database after 5 minutes, rather than 5 months. + +################################################################################ + +# Configuration file for Synapse. +# +# This is a YAML file: see [1] for a quick introduction. Note in particular +# that *indentation is important*: all the elements of a list or dictionary +# should have the same indentation. +# +# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html + + +## Modules ## + +# Server admins can expand Synapse's functionality with external modules. +# +# See https://matrix-org.github.io/synapse/latest/modules.html for more +# documentation on how to configure or create custom modules for Synapse. +# +modules: + # - module: my_super_module.MySuperClass + # config: + # do_thing: true + # - module: my_other_super_module.SomeClass + # config: {} + + +## Server ## + +# The public-facing domain of the server +# +# The server_name name will appear at the end of usernames and room addresses +# created on this server. For example if the server_name was example.com, +# usernames on this server would be in the format @user:example.com +# +# In most cases you should avoid using a matrix specific subdomain such as +# matrix.example.com or synapse.example.com as the server_name for the same +# reasons you wouldn't use user@email.example.com as your email address. +# See https://matrix-org.github.io/synapse/latest/delegate.html +# for information on how to host Synapse on a subdomain while preserving +# a clean server_name. +# +# The server_name cannot be changed later so it is important to +# configure this correctly before you start Synapse. It should be all +# lowercase and may contain an explicit port. +# Examples: matrix.org, localhost:8080 +# +# This is set in /etc/matrix-synapse/conf.d/server_name.yaml for Debian installations. +server_name: envs.net + +# When running as a daemon, the file to store the pid in +# +pid_file: "/etc/matrix-synapse/matrix-synapse.pid" + +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. +# +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +web_client_location: "https://element.envs.net/" + +# The public-facing base URL that clients use to access this Homeserver (not +# including _matrix/...). This is the same URL a user might enter into the +# 'Custom Homeserver URL' field on their client. If you use Synapse with a +# reverse proxy, this should be the URL to reach Synapse via the proxy. +# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see +# 'listeners' below). +# +public_baseurl: "https://matrix.envs.net/" + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +# +#soft_file_limit: 0 + +# Presence tracking allows users to see the state (e.g online/offline) +# of other local and remote users. +# +presence: + # Uncomment to disable presence tracking on this homeserver. This option + # replaces the previous top-level 'use_presence' option. + # + enabled: true + + # Presence routers are third-party modules that can specify additional logic + # to where presence updates from users are routed. + # + presence_router: + # The custom module's class. Uncomment to use a custom presence router module. + # + #module: "my_custom_router.PresenceRouter" + + # Configuration options of the custom module. Refer to your module's + # documentation for available options. + # + #config: + # example_option: 'something' + +# Whether to require authentication to retrieve profile data (avatars, +# display names) of other users through the client API. Defaults to +# 'false'. Note that profile data is also available via the federation +# API, unless allow_profile_lookup_over_federation is set to false. +# +#require_auth_for_profile_requests: true + +# Uncomment to require a user to share a room with another user in order +# to retrieve their profile information. Only checked on Client-Server +# requests. Profile requests from other servers should be checked by the +# requesting server. Defaults to 'false'. +# +#limit_profile_requests_to_users_who_share_rooms: true + +# Uncomment to prevent a user's profile data from being retrieved and +# displayed in a room until they have joined it. By default, a user's +# profile data is included in an invite event, regardless of the values +# of the above two settings, and whether or not the users share a server. +# Defaults to 'true'. +# +#include_profile_data_on_invite: false + +# If set to 'true', removes the need for authentication to access the server's +# public rooms directory through the client API, meaning that anyone can +# query the room directory. Defaults to 'false'. +# +allow_public_rooms_without_auth: true + +# If set to 'true', allows any other homeserver to fetch the server's public +# rooms directory via federation. Defaults to 'false'. +# +allow_public_rooms_over_federation: true + +# The default room version for newly created rooms. +# +# Known room versions are listed here: +# https://matrix.org/docs/spec/#complete-list-of-room-versions +# +# For example, for room version 1, default_room_version should be set +# to "1". +# +#default_room_version: "6" + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# +#gc_thresholds: [700, 10, 10] + +# The minimum time in seconds between each GC for a generation, regardless of +# the GC thresholds. This ensures that we don't do GC too frequently. +# +# A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive +# generation 0 GCs, etc. +# +# Defaults to `[1s, 10s, 30s]`. +# +#gc_min_interval: [0.5s, 30s, 1m] + +# Set the limit on the returned events in the timeline in the get +# and sync operations. The default value is 100. -1 means no upper limit. +# +# Uncomment the following to increase the limit to 5000. +# +#filter_timeline_limit: 5000 + +# Whether room invites to users on this server should be blocked +# (except those sent by local server admins). The default is False. +# +#block_non_admin_invites: true + +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# +#enable_search: false + +# Prevent outgoing requests from being sent to the following blacklisted IP address +# CIDR ranges. If this option is not specified then it defaults to private IP +# address ranges (see the example below). +# +# The blacklist applies to the outbound requests for federation, identity servers, +# push servers, and for checking key validity for third-party invite events. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. +# +#ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '192.0.0.0/24' +# - '169.254.0.0/16' +# - '192.88.99.0/24' +# - '198.18.0.0/15' +# - '192.0.2.0/24' +# - '198.51.100.0/24' +# - '203.0.113.0/24' +# - '224.0.0.0/4' +# - '::1/128' +# - 'fe80::/10' +# - 'fc00::/7' +# - '2001:db8::/32' +# - 'ff00::/8' +# - 'fec0::/10' + +# List of IP address CIDR ranges that should be allowed for federation, +# identity servers, push servers, and for checking key validity for +# third-party invite events. This is useful for specifying exceptions to +# wide-ranging blacklisted target IP ranges - e.g. for communication with +# a push server only visible in your network. +# +# This whitelist overrides ip_range_blacklist and defaults to an empty +# list. +# +#ip_range_whitelist: +# - '192.168.1.1' + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +# +# Options for each listener include: +# +# port: the TCP port to bind to +# +# bind_addresses: a list of local addresses to listen on. The default is +# 'all local interfaces'. +# +# type: the type of listener. Normally 'http', but other valid options are: +# 'manhole' (see https://matrix-org.github.io/synapse/latest/manhole.html), +# 'metrics' (see https://matrix-org.github.io/synapse/latest/metrics-howto.html), +# 'replication' (see https://matrix-org.github.io/synapse/latest/workers.html). +# +# tls: set to true to enable TLS for this listener. Will use the TLS +# key/cert specified in tls_private_key_path / tls_certificate_path. +# +# x_forwarded: Only valid for an 'http' listener. Set to true to use the +# X-Forwarded-For header as the client IP. Useful when Synapse is +# behind a reverse-proxy. +# +# resources: Only valid for an 'http' listener. A list of resources to host +# on this port. Options for each resource are: +# +# names: a list of names of HTTP resources. See below for a list of +# valid resource names. +# +# compress: set to true to enable HTTP compression for this resource. +# +# additional_resources: Only valid for an 'http' listener. A map of +# additional endpoints which should be loaded via dynamic modules. +# +# Valid resource names are: +# +# client: the client-server API (/_matrix/client), and the synapse admin +# API (/_synapse/admin). Also implies 'media' and 'static'. +# +# consent: user consent forms (/_matrix/consent). +# See https://matrix-org.github.io/synapse/latest/consent_tracking.html. +# +# federation: the server-server API (/_matrix/federation). Also implies +# 'media', 'keys', 'openid' +# +# keys: the key discovery API (/_matrix/keys). +# +# media: the media API (/_matrix/media). +# +# metrics: the metrics interface. +# See https://matrix-org.github.io/synapse/latest/metrics-howto.html. +# +# openid: OpenID authentication. +# +# replication: the HTTP replication API (/_synapse/replication). +# See https://matrix-org.github.io/synapse/latest/workers.html. +# +# static: static resources under synapse/static (/_matrix/static). (Mostly +# useful for 'fallback authentication'.) +# +# webclient: A web client. Requires web_client_location to be set. +# +listeners: + # TLS-enabled listener: for when matrix traffic is sent directly to synapse. + # + # Disabled by default. To enable it, uncomment the following. (Note that you + # will also need to give Synapse a TLS key and certificate: see the TLS section + # below.) + # + #- port: 8448 + # type: http + # tls: true + # x_forwarded: false + # bind_addresses: ['0.0.0.0'] + + # resources: + # - names: [client, webclient] + # compress: true + # - names: [federation] + # compress: false + + # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + # + # If you plan to use a reverse proxy, please see + # https://matrix-org.github.io/synapse/latest/reverse_proxy.html. + # + - type: http + port: 8008 + bind_addresses: ['127.0.0.1'] + tls: false + x_forwarded: true + resources: + - names: [federation, client, webclient, consent] + compress: false + + # example additional_resources: + # + #additional_resources: + # "/_matrix/my/custom/endpoint": + # module: my_module.CustomRequestHandler + # config: {} + + # Replication Endpoints + # The HTTP replication port + - type: http + port: 9093 + bind_addresses: ['127.0.0.1'] + resources: + - names: [replication] + + # Metrics Endpoint + - type: metrics + port: 9000 + bind_addresses: ['0.0.0.0'] + + # Turn on the twisted ssh manhole service on localhost on the given + # port. + # + #- port: 9000 + # bind_addresses: ['127.0.0.1'] + # type: manhole + + +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 + + +## Homeserver blocking ## + +# How to reach the server admin, used in ResourceLimitError +# +admin_contact: 'mailto:hostmaster@envs.net' + +# Global blocking +# +#hs_disabled: false +#hs_disabled_message: 'Human readable reason for why the HS is blocked' + +# Monthly Active User Blocking +# +# Used in cases where the admin or server owner wants to limit to the +# number of monthly active users. +# +# 'limit_usage_by_mau' disables/enables monthly active user blocking. When +# enabled and a limit is reached the server returns a 'ResourceLimitError' +# with error type Codes.RESOURCE_LIMIT_EXCEEDED +# +# 'max_mau_value' is the hard limit of monthly active users above which +# the server will start blocking user actions. +# +# 'mau_trial_days' is a means to add a grace period for active users. It +# means that users must be active for this number of days before they +# can be considered active and guards against the case where lots of users +# sign up in a short space of time never to return after their initial +# session. +# +# 'mau_limit_alerting' is a means of limiting client side alerting +# should the mau limit be reached. This is useful for small instances +# where the admin has 5 mau seats (say) for 5 specific people and no +# interest increasing the mau limit further. Defaults to True, which +# means that alerting is enabled +# +#limit_usage_by_mau: false +#max_mau_value: 50 +#mau_trial_days: 2 +#mau_limit_alerting: false + +# If enabled, the metrics for the number of monthly active users will +# be populated, however no one will be limited. If limit_usage_by_mau +# is true, this is implied to be true. +# +#mau_stats_only: false + +# Sometimes the server admin will want to ensure certain accounts are +# never blocked by mau checking. These accounts are specified here. +# +#mau_limit_reserved_threepids: +# - medium: 'email' +# address: 'reserved_user@example.com' + +# Used by phonehome stats to group together related servers. +#server_context: context + +# Resource-constrained homeserver settings +# +# When this is enabled, the room "complexity" will be checked before a user +# joins a new remote room. If it is above the complexity limit, the server will +# disallow joining, or will instantly leave. +# +# Room complexity is an arbitrary measure based on factors such as the number of +# users in the room. +# +limit_remote_rooms: + # Uncomment to enable room complexity checking. + # + #enabled: true + + # the limit above which rooms cannot be joined. The default is 1.0. + # + #complexity: 0.5 + + # override the error which is returned when the room is too complex. + # + #complexity_error: "This room is too complex." + + # allow server admins to join complex rooms. Default is false. + # + #admins_can_join: true + +# Whether to require a user to be in the room to add an alias to it. +# Defaults to 'true'. +# +#require_membership_for_aliases: false + +# Whether to allow per-room membership profiles through the send of membership +# events with profile information that differ from the target's global profile. +# Defaults to 'true'. +# +#allow_per_room_profiles: false + +# How long to keep redacted events in unredacted form in the database. After +# this period redacted events get replaced with their redacted form in the DB. +# +# Defaults to `7d`. Set to `null` to disable. +# +redaction_retention_period: 7d + +# How long to track users' last seen time and IPs in the database. +# +# Defaults to `28d`. Set to `null` to disable clearing out of old rows. +# +user_ips_max_age: 7d + +# Message retention policy at the server level. +# +# Room admins and mods can define a retention period for their rooms using the +# 'm.room.retention' state event, and server admins can cap this period by setting +# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. +# +# If this feature is enabled, Synapse will regularly look for and purge events +# which are older than the room's maximum retention period. Synapse will also +# filter events received over federation so that events that should have been +# purged are ignored and not stored again. +# +retention: + # The message retention policies feature is disabled by default. Uncomment the + # following line to enable it. + # + enabled: true + + # Default retention policy. If set, Synapse will apply it to rooms that lack the + # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't + # matter much because Synapse doesn't take it into account yet. + # + #default_policy: + # min_lifetime: 30d + # max_lifetime: 1y + + # Retention policy limits. If set, and the state of a room contains a + # 'm.room.retention' event in its state which contains a 'min_lifetime' or a + # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy + # to these limits when running purge jobs. + # + allowed_lifetime_min: 30m + allowed_lifetime_max: 3y + + # Server admins can define the settings of the background jobs purging the + # events which lifetime has expired under the 'purge_jobs' section. + # + # If no configuration is provided, a single job will be set up to delete expired + # events in every room daily. + # + # Each job's configuration defines which range of message lifetimes the job + # takes care of. For example, if 'shortest_max_lifetime' is '2d' and + # 'longest_max_lifetime' is '3d', the job will handle purging expired events in + # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and + # lower than or equal to 3 days. Both the minimum and the maximum value of a + # range are optional, e.g. a job with no 'shortest_max_lifetime' and a + # 'longest_max_lifetime' of '3d' will handle every room with a retention policy + # which 'max_lifetime' is lower than or equal to three days. + # + # The rationale for this per-job configuration is that some rooms might have a + # retention policy with a low 'max_lifetime', where history needs to be purged + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. + # + # If any purge job is configured, it is strongly recommended to have at least + # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' + # set, or one job without 'shortest_max_lifetime' and one job without + # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if + # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a + # room's policy to these values is done after the policies are retrieved from + # Synapse's database (which is done using the range specified in a purge job's + # configuration). + # + #purge_jobs: + # - shortest_max_lifetime: 1d + # longest_max_lifetime: 3d + # interval: 12h + # - shortest_max_lifetime: 3d + # longest_max_lifetime: 1y + # interval: 24h + purge_jobs: + - longest_max_lifetime: 1h + interval: 30m + - longest_max_lifetime: 12h + interval: 1h + - shortest_max_lifetime: 1h + longest_max_lifetime: 1d + interval: 12h + - shortest_max_lifetime: 1d + longest_max_lifetime: 3y + interval: 24h + +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + +# A list of domains that the domain portion of 'next_link' parameters +# must match. +# +# This parameter is optionally provided by clients while requesting +# validation of an email or phone number, and maps to a link that +# users will be automatically redirected to after validation +# succeeds. Clients can make use this parameter to aid the validation +# process. +# +# The whitelist is applied whether the homeserver or an +# identity server is handling validation. +# +# The default value is no whitelist functionality; all domains are +# allowed. Setting this value to an empty list will instead disallow +# all domains. +# +#next_link_domain_whitelist: ["matrix.org"] + + +## TLS ## + +# PEM-encoded X509 certificate for TLS. +# This certificate, as of Synapse 1.0, will need to be a valid and verifiable +# certificate, signed by a recognised Certificate Authority. +# +# Be sure to use a `.pem` file that includes the full certificate chain including +# any intermediate certificates (for instance, if using certbot, use +# `fullchain.pem` as your certificate, not `cert.pem`). +# +#tls_certificate_path: "/etc/matrix-synapse/fullchain.pem" + +# PEM-encoded private key for TLS +# +#tls_private_key_path: "/etc/matrix-synapse/privkey.pem" + +#tls_dh_params_path: "/etc/ssl/certs/envs_dhparam.pem" + +#no_tls: false + +# Whether to verify TLS server certificates for outbound federation requests. +# +# Defaults to `true`. To disable certificate verification, uncomment the +# following line. +# +#federation_verify_certificates: false + +# The minimum TLS version that will be used for outbound federation requests. +# +# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note +# that setting this value higher than `1.2` will prevent federation to most +# of the public Matrix network: only configure it to `1.3` if you have an +# entirely private federation setup and you can ensure TLS 1.3 support. +# +#federation_client_minimum_tls_version: 1.2 + +# Skip federation certificate verification on the following whitelist +# of domains. +# +# This setting should only be used in very specific cases, such as +# federation over Tor hidden services and similar. For private networks +# of homeservers, you likely want to use a private CA instead. +# +# Only effective if federation_verify_certicates is `true`. +# +#federation_certificate_verification_whitelist: +# - lon.example.com +# - *.domain.com +# - *.onion + +# List of custom certificate authorities for federation traffic. +# +# This setting should only normally be used within a private network of +# homeservers. +# +# Note that this list will replace those that are provided by your +# operating environment. Certificates must be in PEM format. +# +#federation_custom_ca_list: +# - myCA1.pem +# - myCA2.pem +# - myCA3.pem + + +## Federation ## + +# Restrict federation to the following whitelist of domains. +# N.B. we recommend also firewalling your federation listener to limit +# inbound federation traffic as early as possible, rather than relying +# purely on this application-layer restriction. If not specified, the +# default is to whitelist everything. +# +#federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com + +# Report prometheus metrics on the age of PDUs being sent to and received from +# the following domains. This can be used to give an idea of "delay" on inbound +# and outbound federation, though be aware that any delay can be due to problems +# at either end or with the intermediate network. +# +# By default, no domains are monitored in this way. +# +#federation_metrics_domains: +# - matrix.org +# - example.com + +# Uncomment to disable profile lookup over federation. By default, the +# Federation API allows other homeservers to obtain profile data of any user +# on this homeserver. Defaults to 'true'. +# +#allow_profile_lookup_over_federation: false + +# Uncomment to disable device display name lookup over federation. By default, the +# Federation API allows other homeservers to obtain device display names of any user +# on this homeserver. Defaults to 'true'. +# +#allow_device_name_lookup_over_federation: false + + +## Caching ## + +# Caching can be configured through the following options. +# +# A cache 'factor' is a multiplier that can be applied to each of +# Synapse's caches in order to increase or decrease the maximum +# number of entries that can be stored. + +# The number of events to cache in memory. Not affected by +# caches.global_factor. +# +#event_cache_size: 10K + +caches: + # Controls the global cache factor, which is the default cache factor + # for all caches if a specific factor for that cache is not otherwise + # set. + # + # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment + # variable. Setting by environment variable takes priority over + # setting through the config file. + # + # Defaults to 0.5, which will half the size of all caches. + # + global_factor: 2.0 + + # A dictionary of cache name to cache factor for that individual + # cache. Overrides the global cache factor for a given cache. + # + # These can also be set through environment variables comprised + # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital + # letters and underscores. Setting by environment variable + # takes priority over setting through the config file. + # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 + # + # Some caches have '*' and other characters that are not + # alphanumeric or underscores. These caches can be named with or + # without the special characters stripped. For example, to specify + # the cache factor for `*stateGroupCache*` via an environment + # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. + # + per_cache_factors: + #get_users_who_share_room_with_user: 2.0 + + # Controls how long an entry can be in a cache without having been + # accessed before being evicted. Defaults to None, which means + # entries are never evicted based on time. + # + expiry_time: 24h + + +## Database ## + +# The 'database' setting defines the database that synapse uses to store all of +# its data. +# +# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or +# 'psycopg2' (for PostgreSQL). +# +# 'args' gives options which are passed through to the database engine, +# except for options starting 'cp_', which are used to configure the Twisted +# connection pool. For a reference to valid arguments, see: +# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect +# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS +# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ +# +database: + # The database engine name + #name: "sqlite3" + # Arguments to pass to the engine + #args: + # # Path to the database + # database: "/var/lib/matrix-synapse/homeserver.db" + name: "psycopg2" + args: + user: matrix + password: password + database: matrix + host: localhost + cp_min: 5 + cp_max: 10 + + +## Logging ## + +# A yaml python logging config file as described by +# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema +# +log_config: "/etc/matrix-synapse/log.yaml" + + +## Ratelimiting ## + +# Ratelimiting settings for client actions (registration, login, messaging). +# +# Each ratelimiting configuration is made of two parameters: +# - per_second: number of requests a client can send per second. +# - burst_count: number of requests a client can send before being throttled. +# +# Synapse currently uses the following configurations: +# - one for messages that ratelimits sending based on the account the client +# is using +# - one for registration that ratelimits registration requests based on the +# client's IP address. +# - one for login that ratelimits login requests based on the client's IP +# address. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into, based on the amount of failed login +# attempts for this account. +# - one for ratelimiting redactions by room admins. If this is not explicitly +# set then it uses the same ratelimiting as per rc_message. This is useful +# to allow room admins to deal with abuse quickly. +# - two for ratelimiting number of rooms a user can join, "local" for when +# users are joining rooms the server is already in (this is cheap) vs +# "remote" for when users are trying to join rooms not on the server (which +# can be more expensive) +# - one for ratelimiting how often a user or IP can attempt to validate a 3PID. +# - two for ratelimiting how often invites can be sent in a room or to a +# specific user. +# +# The defaults are as shown below. +# +#rc_message: +# per_second: 0.2 +# burst_count: 10 +# +#rc_registration: +# per_second: 0.17 +# burst_count: 3 +# +#rc_login: +# address: +# per_second: 0.17 +# burst_count: 3 +# account: +# per_second: 0.17 +# burst_count: 3 +# failed_attempts: +# per_second: 0.17 +# burst_count: 3 +# +#rc_admin_redaction: +# per_second: 1 +# burst_count: 50 +# +#rc_joins: +# local: +# per_second: 0.1 +# burst_count: 10 +# remote: +# per_second: 0.01 +# burst_count: 10 +# +#rc_3pid_validation: +# per_second: 0.003 +# burst_count: 5 +# +#rc_invites: +# per_room: +# per_second: 0.3 +# burst_count: 10 +# per_user: +# per_second: 0.003 +# burst_count: 5 + +# Ratelimiting settings for incoming federation +# +# The rc_federation configuration is made up of the following settings: +# - window_size: window size in milliseconds +# - sleep_limit: number of federation requests from a single server in +# a window before the server will delay processing the request. +# - sleep_delay: duration in milliseconds to delay processing events +# from remote servers by if they go over the sleep limit. +# - reject_limit: maximum number of concurrent federation requests +# allowed from a single server +# - concurrent: number of federation requests to concurrently process +# from a single server +# +# The defaults are as shown below. +# +#rc_federation: +# window_size: 1000 +# sleep_limit: 10 +# sleep_delay: 500 +# reject_limit: 50 +# concurrent: 3 + +# Target outgoing federation transaction frequency for sending read-receipts, +# per-room. +# +# If we end up trying to send out more read-receipts, they will get buffered up +# into fewer transactions. +# +#federation_rr_transactions_per_room_per_second: 50 + + + +## Media Store ## + +# Enable the media store service in the Synapse master. Uncomment the +# following if you are using a separate media store worker. +# +enable_media_repo: false + +# Directory where uploaded images and attachments are stored. +# +media_store_path: "/var/lib/matrix-synapse/media" + +# Media storage providers allow media to be stored in different +# locations. +# +#media_storage_providers: +# - module: file_system +# # Whether to store newly uploaded local files +# store_local: false +# # Whether to store newly downloaded remote files +# store_remote: false +# # Whether to wait for successful storage for local uploads +# store_synchronous: false +# config: +# directory: /mnt/some/other/directory + +# The largest allowed upload size in bytes +# +# If you are using a reverse proxy you may also need to set this value in +# your reverse proxy's config. Notably Nginx has a small max body size by default. +# See https://matrix-org.github.io/synapse/latest/reverse_proxy.html. +# +#max_upload_size: 100M + +# Maximum number of pixels that will be thumbnailed +# +#max_image_pixels: 32M + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +# +#dynamic_thumbnails: false + +# List of thumbnails to precalculate when an image is uploaded. +# +#thumbnail_sizes: +# - width: 32 +# height: 32 +# method: crop +# - width: 96 +# height: 96 +# method: crop +# - width: 320 +# height: 240 +# method: scale +# - width: 640 +# height: 480 +# method: scale +# - width: 800 +# height: 600 +# method: scale + +# Is the preview URL API enabled? +# +# 'false' by default: uncomment the following to enable it (and specify a +# url_preview_ip_range_blacklist blacklist). +# +#url_preview_enabled: true + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This must be specified if url_preview_enabled is set. It is recommended that +# you uncomment the following list as a starting point. +# +#url_preview_ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '192.0.0.0/24' +# - '169.254.0.0/16' +# - '192.88.99.0/24' +# - '198.18.0.0/15' +# - '192.0.2.0/24' +# - '198.51.100.0/24' +# - '203.0.113.0/24' +# - '224.0.0.0/4' +# - '::1/128' +# - 'fe80::/10' +# - 'fc00::/7' +# - '2001:db8::/32' +# - 'ff00::/8' +# - 'fec0::/10' + +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +#url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +#url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +# +#max_spider_size: 10M + +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: +# - en + + +## Captcha ## +# See docs/CAPTCHA_SETUP.md for full details of configuring this. + +# This homeserver's ReCAPTCHA public key. Must be specified if +# enable_registration_captcha is enabled. +# +#recaptcha_public_key: "YOUR_PUBLIC_KEY" + +# This homeserver's ReCAPTCHA private key. Must be specified if +# enable_registration_captcha is enabled. +# +#recaptcha_private_key: "YOUR_PRIVATE_KEY" + +# Uncomment to enable ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. Defaults to 'false'. +# +#enable_registration_captcha: true + +# The API endpoint to use for verifying m.login.recaptcha responses. +# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". +# +#recaptcha_siteverify_api: "https://my.recaptcha.site" + + +## TURN ## + +# The public URIs of the TURN server to give to clients +# +turn_uris: [ + "turn:turn.envs.net:3478?transport=udp", + "turn:turn.envs.net:3478?transport=tcp", + "turns:turn.envs.net:5349?transport=udp", + "turns:turn.envs.net:5349?transport=tcp" + ] + +# The shared secret used to compute passwords for the TURN server +# +turn_shared_secret: "mysecret" + +# The Username and password if the TURN server needs them and +# does not use a token +# +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" + +# How long generated TURN credentials last +# +turn_user_lifetime: 1h + +# Whether guests should be allowed to use the TURN server. +# This defaults to True, otherwise VoIP will be unreliable for guests. +# However, it does introduce a slight security risk as it allows users to +# connect to arbitrary endpoints without having first signed up for a +# valid account (e.g. by passing a CAPTCHA). +# +turn_allow_guests: true + + +## Registration ## +# +# Registration can be rate-limited using the parameters in the "Ratelimiting" +# section of this file. + +# Enable registration for new users. +# +enable_registration: true + +# Time that a user's session remains valid for, after they log in. +# +# Note that this is not currently compatible with guest logins. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to users who have already logged in. +# +# By default, this is infinite. +# +#session_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. +# +registrations_require_3pid: + - email +# - msisdn + +# Explicitly disable asking for MSISDNs from the registration +# flow (overrides registrations_require_3pid if MSISDNs are set as required) +# +#disable_msisdn_registration: true + +# Mandate that users are only allowed to associate certain formats of +# 3PIDs with accounts on this server. +# +#allowed_local_3pids: +# - medium: email +# pattern: '^[^@]+@matrix\.org$' +# - medium: email +# pattern: '^[^@]+@vector\.im$' +# - medium: msisdn +# pattern: '\+44' + +# Enable 3PIDs lookup requests to identity servers from this server. +# +#enable_3pid_lookup: true + +# If set, allows registration of standard or admin accounts by anyone who +# has the shared secret, even if registration is otherwise disabled. +# +registration_shared_secret: asecret + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number is 12 (which equates to 2^12 rounds). +# N.B. that increasing this will exponentially increase the time required +# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. +# +bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +# +allow_guest_access: false + +# The identity server which we suggest that clients should use when users log +# in on this server. +# +# (By default, no suggestion is made, so it is left up to the client. +# This setting is ignored unless public_baseurl is also set.) +# +#default_identity_server: https://matrix.org + +# Handle threepid (email/phone etc) registration and password resets through a set of +# *trusted* identity servers. Note that this allows the configured identity server to +# reset passwords for accounts! +# +# Be aware that if `email` is not set, and SMTP options have not been +# configured in the email config block, registration and user password resets via +# email will be globally disabled. +# +# Additionally, if `msisdn` is not set, registration and password resets via msisdn +# will be disabled regardless, and users will not be able to associate an msisdn +# identifier to their account. This is due to Synapse currently not supporting +# any method of sending SMS messages on its own. +# +# To enable using an identity server for operations regarding a particular third-party +# identifier type, set the value to the URL of that identity server as shown in the +# examples below. +# +# Servers handling the these requests must answer the `/requestToken` endpoints defined +# by the Matrix Identity Service API specification: +# https://matrix.org/docs/spec/identity_service/latest +# +# If a delegate is specified, the config option public_baseurl must also be filled out. +# +account_threepid_delegates: + #email: https://example.com # Delegate email sending to example.com + #msisdn: http://localhost:8090 # Delegate SMS sending to this local process + +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + +# Users who register on this homeserver will automatically be joined +# to these rooms. +# +# By default, any room aliases included in this list will be created +# as a publicly joinable room when the first user registers for the +# homeserver. This behaviour can be customised with the settings below. +# If the room already exists, make certain it is a publicly joinable +# room. The join rule of the room must be set to 'public'. +# +auto_join_rooms: + - "#home:envs.net" + - "#lounge:envs.net" + +# Where auto_join_rooms are specified, setting this flag ensures that the +# the rooms exist by creating them when the first user on the +# homeserver registers. +# +# By default the auto-created rooms are publicly joinable from any federated +# server. Use the autocreate_auto_join_rooms_federated and +# autocreate_auto_join_room_preset settings below to customise this behaviour. +# +# Setting to false means that if the rooms are not manually created, +# users cannot be auto-joined since they do not exist. +# +# Defaults to true. Uncomment the following line to disable automatically +# creating auto-join rooms. +# +autocreate_auto_join_rooms: true + +# Whether the auto_join_rooms that are auto-created are available via +# federation. Only has an effect if autocreate_auto_join_rooms is true. +# +# Note that whether a room is federated cannot be modified after +# creation. +# +# Defaults to true: the room will be joinable from other servers. +# Uncomment the following to prevent users from other homeservers from +# joining these rooms. +# +#autocreate_auto_join_rooms_federated: false + +# The room preset to use when auto-creating one of auto_join_rooms. Only has an +# effect if autocreate_auto_join_rooms is true. +# +# This can be one of "public_chat", "private_chat", or "trusted_private_chat". +# If a value of "private_chat" or "trusted_private_chat" is used then +# auto_join_mxid_localpart must also be configured. +# +# Defaults to "public_chat", meaning that the room is joinable by anyone, including +# federated servers if autocreate_auto_join_rooms_federated is true (the default). +# Uncomment the following to require an invitation to join these rooms. +# +#autocreate_auto_join_room_preset: private_chat + +# The local part of the user id which is used to create auto_join_rooms if +# autocreate_auto_join_rooms is true. If this is not provided then the +# initial user account that registers will be used to create the rooms. +# +# The user id is also used to invite new users to any auto-join rooms which +# are set to invite-only. +# +# It *must* be configured if autocreate_auto_join_room_preset is set to +# "private_chat" or "trusted_private_chat". +# +# Note that this must be specified in order for new users to be correctly +# invited to any auto-join rooms which have been set to invite-only (either +# at the time of creation or subsequently). +# +# Note that, if the room already exists, this user must be joined and +# have the appropriate permissions to invite new members. +# +#auto_join_mxid_localpart: system + +# When auto_join_rooms is specified, setting this flag to false prevents +# guest accounts from being automatically joined to the rooms. +# +# Defaults to true. +# +#auto_join_rooms_for_guests: false + + +## Metrics ### + +# Enable collection and rendering of performance metrics +# +enable_metrics: true + +# Enable sentry integration +# NOTE: While attempts are made to ensure that the logs don't contain +# any sensitive information, this cannot be guaranteed. By enabling +# this option the sentry server may therefore receive sensitive +# information, and it in turn may then diseminate sensitive information +# through insecure notification channels if so configured. +# +#sentry: +# dsn: "..." + +# Flags to enable Prometheus metrics which are not suitable to be +# enabled by default, either for performance reasons or limited use. +# +metrics_flags: + # Publish synapse_federation_known_servers, a gauge of the number of + # servers this homeserver knows about, including itself. May cause + # performance problems on large homeservers. + # + #known_servers: true + +# Whether or not to report anonymized homeserver usage statistics. +# +report_stats: true + +# The endpoint to report the anonymized homeserver usage statistics to. +# Defaults to https://matrix.org/report-usage-stats/push +# +#report_stats_endpoint: https://example.com/report-usage-stats/push + + +## API Configuration ## + +# Controls for the state that is shared with users who receive an invite +# to a room +# +room_prejoin_state: + # By default, the following state event types are shared with users who + # receive invites to the room: + # + # - m.room.join_rules + # - m.room.canonical_alias + # - m.room.avatar + # - m.room.encryption + # - m.room.name + # - m.room.create + # + # Uncomment the following to disable these defaults (so that only the event + # types listed in 'additional_event_types' are shared). Defaults to 'false'. + # + #disable_default_event_types: true + + # Additional state event types to share with users when they are invited + # to a room. + # + # By default, this list is empty (so only the default event types are shared). + # + #additional_event_types: + # - org.example.custom.event.type + + +# A list of application service config files to use +# +app_service_config_files: + - "/opt/matrix-appservice-irc/appservice-registration-irc.yaml" + +# Uncomment to enable tracking of application service IP addresses. Implicitly +# enables MAU tracking for application service users. +# +#track_appservice_user_ips: true + + +# a secret which is used to sign access tokens. If none is specified, +# the registration_shared_secret is used, if one is given; otherwise, +# a secret key is derived from the signing key. +# +macaroon_secret_key: "secret" + +# a secret which is used to calculate HMACs for form values, to stop +# falsification of values. Must be specified for the User Consent +# forms to work. +# +form_secret: "secret" + +## Signing Keys ## + +# Path to the signing key to sign messages with +# +signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. +# +old_signing_keys: + # For each key, `key` should be the base64-encoded public key, and + # `expired_ts`should be the time (in milliseconds since the unix epoch) that + # it was last used. + # + # It is possible to build an entry from an old signing.key file using the + # `export_signing_key` script which is provided with synapse. + # + # For example: + # + #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +# +key_refresh_interval: 1d + +# The trusted servers to download signing keys from. +# +# When we need to fetch a signing key, each server is tried in parallel. +# +# Normally, the connection to the key server is validated via TLS certificates. +# Additional security can be provided by configuring a `verify key`, which +# will make synapse check that the response is signed by that key. +# +# This setting supercedes an older setting named `perspectives`. The old format +# is still supported for backwards-compatibility, but it is deprecated. +# +# 'trusted_key_servers' defaults to matrix.org, but using it will generate a +# warning on start-up. To suppress this warning, set +# 'suppress_key_server_warning' to true. +# +# Options for each entry in the list include: +# +# server_name: the name of the server. required. +# +# verify_keys: an optional map from key id to base64-encoded public key. +# If specified, we will check that the response is signed by at least +# one of the given keys. +# +# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, +# and federation_verify_certificates is not `true`, synapse will refuse +# to start, because this would allow anyone who can spoof DNS responses +# to masquerade as the trusted key server. If you know what you are doing +# and are sure that your network environment provides a secure connection +# to the key server, you can set this to `true` to override this +# behaviour. +# +# An example configuration might look like: +# +#trusted_key_servers: +# - server_name: "my_trusted_server.example.com" +# verify_keys: +# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" +# - server_name: "my_other_trusted_server.example.com" +# +trusted_key_servers: + - server_name: "matrix.org" + +# Uncomment the following to disable the warning that is emitted when the +# trusted_key_servers include 'matrix.org'. See above. +# +#suppress_key_server_warning: true + +# The signing keys to use when acting as a trusted key server. If not specified +# defaults to the server signing key. +# +# Can contain multiple keys, one per line. +# +#key_server_signing_keys_path: "key_server_signing_keys.key" + + +## Single sign-on integration ## + +# The following settings can be used to make Synapse use a single sign-on +# provider for authentication, instead of its internal password database. +# +# You will probably also want to set the following options to `false` to +# disable the regular login/registration flows: +# * enable_registration +# * password_config.enabled +# +# You will also want to investigate the settings under the "sso" configuration +# section below. + +# Enable SAML2 for registration and login. Uses pysaml2. +# +# At least one of `sp_config` or `config_path` must be set in this section to +# enable SAML login. +# +# Once SAML support is enabled, a metadata file will be exposed at +# https://:/_synapse/client/saml2/metadata.xml, which you may be able to +# use to configure your SAML IdP with. Alternatively, you can manually configure +# the IdP to use an ACS location of +# https://:/_synapse/client/saml2/authn_response. +# +saml2_config: + # `sp_config` is the configuration for the pysaml2 Service Provider. + # See pysaml2 docs for format of config. + # + # Default values will be used for the 'entityid' and 'service' settings, + # so it is not normally necessary to specify them unless you need to + # override them. + # + sp_config: + # Point this to the IdP's metadata. You must provide either a local + # file via the `local` attribute or (preferably) a URL via the + # `remote` attribute. + # + #metadata: + # local: ["saml2/idp.xml"] + # remote: + # - url: https://our_idp/metadata.xml + + # Allowed clock difference in seconds between the homeserver and IdP. + # + # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. + # + #accepted_time_diff: 3 + + # By default, the user has to go to our login page first. If you'd like + # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # 'service.sp' section: + # + #service: + # sp: + # allow_unsolicited: true + + # The examples below are just used to generate our metadata xml, and you + # may well not need them, depending on your setup. Alternatively you + # may need a whole lot more detail - see the pysaml2 docs! + + #description: ["My awesome SP", "en"] + #name: ["Test SP", "en"] + + #ui_info: + # display_name: + # - lang: en + # text: "Display Name is the descriptive name of your service." + # description: + # - lang: en + # text: "Description should be a short paragraph explaining the purpose of the service." + # information_url: + # - lang: en + # text: "https://example.com/terms-of-service" + # privacy_statement_url: + # - lang: en + # text: "https://example.com/privacy-policy" + # keywords: + # - lang: en + # text: ["Matrix", "Element"] + # logo: + # - lang: en + # text: "https://example.com/logo.svg" + # width: "200" + # height: "80" + + #organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + + #contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical + + # Instead of putting the config inline as above, you can specify a + # separate pysaml2 configuration file: + # + #config_path: "/etc/matrix-synapse/sp_conf.py" + + # The lifetime of a SAML session. This defines how long a user has to + # complete the authentication process, if allow_unsolicited is unset. + # The default is 15 minutes. + # + #saml_session_lifetime: 5m + + # An external module can be provided here as a custom solution to + # mapping attributes returned from a saml provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # + #module: mapping_provider.SamlMappingProvider + + # Custom configuration values for the module. Below options are + # intended for the built-in provider, they should be changed if + # using a custom module. This section will be passed as a Python + # dictionary to the module's `parse_config` method. + # + config: + # The SAML attribute (after mapping via the attribute maps) to use + # to derive the Matrix ID from. 'uid' by default. + # + # Note: This used to be configured by the + # saml2_config.mxid_source_attribute option. If that is still + # defined, its value will be used instead. + # + #mxid_source_attribute: displayName + + # The mapping system to use for mapping the saml attribute onto a + # matrix ID. + # + # Options include: + # * 'hexencode' (which maps unpermitted characters to '=xx') + # * 'dotreplace' (which replaces unpermitted characters with + # '.'). + # The default is 'hexencode'. + # + # Note: This used to be configured by the + # saml2_config.mxid_mapping option. If that is still defined, its + # value will be used instead. + # + #mxid_mapping: dotreplace + + # In previous versions of synapse, the mapping from SAML attribute to + # MXID was always calculated dynamically rather than stored in a + # table. For backwards- compatibility, we will look for user_ids + # matching such a pattern before creating a new account. + # + # This setting controls the SAML attribute which will be used for this + # backwards-compatibility lookup. Typically it should be 'uid', but if + # the attribute maps are changed, it may be necessary to change it. + # + # The default is 'uid'. + # + #grandfathered_mxid_source_attribute: upn + + # It is possible to configure Synapse to only allow logins if SAML attributes + # match particular values. The requirements can be listed under + # `attribute_requirements` as shown below. All of the listed attributes must + # match for the login to be permitted. + # + #attribute_requirements: + # - attribute: userGroup + # value: "staff" + # - attribute: department + # value: "sales" + + # If the metadata XML contains multiple IdP entities then the `idp_entityid` + # option must be set to the entity to redirect users to. + # + # Most deployments only have a single IdP entity and so should omit this + # option. + # + #idp_entityid: 'https://our_idp/entityid' + + +# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration +# and login. +# +# Options for each entry include: +# +# idp_id: a unique identifier for this identity provider. Used internally +# by Synapse; should be a single word such as 'github'. +# +# Note that, if this is changed, users authenticating via that provider +# will no longer be recognised as the same user! +# +# (Use "oidc" here if you are migrating from an old "oidc_config" +# configuration.) +# +# idp_name: A user-facing name for this identity provider, which is used to +# offer the user a choice of login mechanisms. +# +# idp_icon: An optional icon for this identity provider, which is presented +# by clients and Synapse's own IdP picker page. If given, must be an +# MXC URI of the format mxc:///. (An easy way to +# obtain such an MXC URI is to upload an image to an (unencrypted) room +# and then copy the "url" from the source of the event.) +# +# idp_brand: An optional brand for this identity provider, allowing clients +# to style the login flow according to the identity provider in question. +# See the spec for possible options here. +# +# discover: set to 'false' to disable the use of the OIDC discovery mechanism +# to discover endpoints. Defaults to true. +# +# issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery +# is enabled) to discover the provider's endpoints. +# +# client_id: Required. oauth2 client id to use. +# +# client_secret: oauth2 client secret to use. May be omitted if +# client_secret_jwt_key is given, or if client_auth_method is 'none'. +# +# client_secret_jwt_key: Alternative to client_secret: details of a key used +# to create a JSON Web Token to be used as an OAuth2 client secret. If +# given, must be a dictionary with the following properties: +# +# key: a pem-encoded signing key. Must be a suitable key for the +# algorithm specified. Required unless 'key_file' is given. +# +# key_file: the path to file containing a pem-encoded signing key file. +# Required unless 'key' is given. +# +# jwt_header: a dictionary giving properties to include in the JWT +# header. Must include the key 'alg', giving the algorithm used to +# sign the JWT, such as "ES256", using the JWA identifiers in +# RFC7518. +# +# jwt_payload: an optional dictionary giving properties to include in +# the JWT payload. Normally this should include an 'iss' key. +# +# client_auth_method: auth method to use when exchanging the token. Valid +# values are 'client_secret_basic' (default), 'client_secret_post' and +# 'none'. +# +# scopes: list of scopes to request. This should normally include the "openid" +# scope. Defaults to ["openid"]. +# +# authorization_endpoint: the oauth2 authorization endpoint. Required if +# provider discovery is disabled. +# +# token_endpoint: the oauth2 token endpoint. Required if provider discovery is +# disabled. +# +# userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is +# disabled and the 'openid' scope is not requested. +# +# jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and +# the 'openid' scope is used. +# +# skip_verification: set to 'true' to skip metadata verification. Use this if +# you are connecting to a provider that is not OpenID Connect compliant. +# Defaults to false. Avoid this in production. +# +# user_profile_method: Whether to fetch the user profile from the userinfo +# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'. +# +# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is +# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the +# userinfo endpoint. +# +# allow_existing_users: set to 'true' to allow a user logging in via OIDC to +# match a pre-existing account instead of failing. This could be used if +# switching from password logins to OIDC. Defaults to false. +# +# user_mapping_provider: Configuration for how attributes returned from a OIDC +# provider are mapped onto a matrix user. This setting has the following +# sub-properties: +# +# module: The class name of a custom mapping module. Default is +# 'synapse.handlers.oidc.JinjaOidcMappingProvider'. +# See https://matrix-org.github.io/synapse/latest/sso_mapping_providers.html#openid-mapping-providers +# for information on implementing a custom mapping provider. +# +# config: Configuration for the mapping provider module. This section will +# be passed as a Python dictionary to the user mapping provider +# module's `parse_config` method. +# +# For the default provider, the following settings are available: +# +# subject_claim: name of the claim containing a unique identifier +# for the user. Defaults to 'sub', which OpenID Connect +# compliant providers should provide. +# +# localpart_template: Jinja2 template for the localpart of the MXID. +# If this is not set, the user will be prompted to choose their +# own username (see 'sso_auth_account_details.html' in the 'sso' +# section of this file). +# +# display_name_template: Jinja2 template for the display name to set +# on first login. If unset, no displayname will be set. +# +# email_template: Jinja2 template for the email address of the user. +# If unset, no email address will be added to the account. +# +# extra_attributes: a map of Jinja2 templates for extra attributes +# to send back to the client during login. +# Note that these are non-standard and clients will ignore them +# without modifications. +# +# When rendering, the Jinja2 templates are given a 'user' variable, +# which is set to the claims returned by the UserInfo Endpoint and/or +# in the ID Token. +# +# It is possible to configure Synapse to only allow logins if certain attributes +# match particular values in the OIDC userinfo. The requirements can be listed under +# `attribute_requirements` as shown below. All of the listed attributes must +# match for the login to be permitted. Additional attributes can be added to +# userinfo by expanding the `scopes` section of the OIDC config to retrieve +# additional information from the OIDC provider. +# +# If the OIDC claim is a list, then the attribute must match any value in the list. +# Otherwise, it must exactly match the value of the claim. Using the example +# below, the `family_name` claim MUST be "Stephensson", but the `groups` +# claim MUST contain "admin". +# +# attribute_requirements: +# - attribute: family_name +# value: "Stephensson" +# - attribute: groups +# value: "admin" +# +# See https://matrix-org.github.io/synapse/latest/openid.html +# for information on how to configure these options. +# +# For backwards compatibility, it is also possible to configure a single OIDC +# provider via an 'oidc_config' setting. This is now deprecated and admins are +# advised to migrate to the 'oidc_providers' format. (When doing that migration, +# use 'oidc' for the idp_id to ensure that existing users continue to be +# recognised.) +# +oidc_providers: + # Generic example + # + #- idp_id: my_idp + # idp_name: "My OpenID provider" + # idp_icon: "mxc://example.com/mediaid" + # discover: false + # issuer: "https://accounts.example.com/" + # client_id: "provided-by-your-issuer" + # client_secret: "provided-by-your-issuer" + # client_auth_method: client_secret_post + # scopes: ["openid", "profile"] + # authorization_endpoint: "https://accounts.example.com/oauth2/auth" + # token_endpoint: "https://accounts.example.com/oauth2/token" + # userinfo_endpoint: "https://accounts.example.com/userinfo" + # jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + # skip_verification: true + # user_mapping_provider: + # config: + # subject_claim: "id" + # localpart_template: "{{ user.login }}" + # display_name_template: "{{ user.name }}" + # email_template: "{{ user.email }}" + # attribute_requirements: + # - attribute: userGroup + # value: "synapseUsers" + + +# Enable Central Authentication Service (CAS) for registration and login. +# +cas_config: + # Uncomment the following to enable authorization against a CAS server. + # Defaults to false. + # + #enabled: true + + # The URL of the CAS authorization endpoint. + # + #server_url: "https://cas-server.com" + + # The attribute of the CAS response to use as the display name. + # + # If unset, no displayname will be set. + # + #displayname_attribute: name + + # It is possible to configure Synapse to only allow logins if CAS attributes + # match particular values. All of the keys in the mapping below must exist + # and the values must match the given value. Alternately if the given value + # is None then any value is allowed (the attribute just must exist). + # All of the listed attributes must match for the login to be permitted. + # + #required_attributes: + # userGroup: "staff" + # department: None + + +# Additional settings to use with single-sign on systems such as OpenID Connect, +# SAML2 and CAS. +# +sso: + # A list of client URLs which are whitelisted so that the user does not + # have to confirm giving access to their account to the URL. Any client + # whose URL starts with an entry in the following list will not be subject + # to an additional confirmation step after the SSO login is completed. + # + # WARNING: An entry such as "https://my.client" is insecure, because it + # will also match "https://my.client.evil.site", exposing your users to + # phishing attacks from evil.site. To avoid this, include a slash after the + # hostname: "https://my.client/". + # + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. + # + # By default, this list is empty. + # + #client_whitelist: + # - https://riot.im/develop + # - https://my.custom.client/ + + # Uncomment to keep a user's profile fields in sync with information from + # the identity provider. Currently only syncing the displayname is + # supported. Fields are checked on every SSO login, and are updated + # if necessary. + # + # Note that enabling this option will override user profile information, + # regardless of whether users have opted-out of syncing that + # information when first signing in. Defaults to false. + # + #update_profile_information: true + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page to prompt the user to choose an Identity Provider during + # login: 'sso_login_idp_picker.html'. + # + # This is only used if multiple SSO Identity Providers are configured. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL that the user will be redirected to after + # login. + # + # * server_name: the homeserver's name. + # + # * providers: a list of available Identity Providers. Each element is + # an object with the following attributes: + # + # * idp_id: unique identifier for the IdP + # * idp_name: user-facing name for the IdP + # * idp_icon: if specified in the IdP config, an MXC URI for an icon + # for the IdP + # * idp_brand: if specified in the IdP config, a textual identifier + # for the brand of the IdP + # + # The rendered HTML page should contain a form which submits its results + # back as a GET request, with the following query parameters: + # + # * redirectUrl: the client redirect URI (ie, the `redirect_url` passed + # to the template) + # + # * idp: the 'idp_id' of the chosen IDP. + # + # * HTML page to prompt new users to enter a userid and confirm other + # details: 'sso_auth_account_details.html'. This is only shown if the + # SSO implementation (with any user_mapping_provider) does not return + # a localpart. + # + # When rendering, this template is given the following variables: + # + # * server_name: the homeserver's name. + # + # * idp: details of the SSO Identity Provider that the user logged in + # with: an object with the following attributes: + # + # * idp_id: unique identifier for the IdP + # * idp_name: user-facing name for the IdP + # * idp_icon: if specified in the IdP config, an MXC URI for an icon + # for the IdP + # * idp_brand: if specified in the IdP config, a textual identifier + # for the brand of the IdP + # + # * user_attributes: an object containing details about the user that + # we received from the IdP. May have the following attributes: + # + # * display_name: the user's display_name + # * emails: a list of email addresses + # + # The template should render a form which submits the following fields: + # + # * username: the localpart of the user's chosen user id + # + # * HTML page allowing the user to consent to the server's terms and + # conditions. This is only shown for new users, and only if + # `user_consent.require_at_registration` is set. + # + # When rendering, this template is given the following variables: + # + # * server_name: the homeserver's name. + # + # * user_id: the user's matrix proposed ID. + # + # * user_profile.display_name: the user's proposed display name, if any. + # + # * consent_version: the version of the terms that the user will be + # shown + # + # * terms_url: a link to the page showing the terms. + # + # The template should render a form which submits the following fields: + # + # * accepted_version: the version of the terms accepted by the user + # (ie, 'consent_version' from the input variables). + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given the following variables: + # + # * redirect_url: the URL the user is about to be redirected to. + # + # * display_url: the same as `redirect_url`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. + # + # * server_name: the homeserver's name. + # + # * new_user: a boolean indicating whether this is the user's first time + # logging in. + # + # * user_id: the user's matrix ID. + # + # * user_profile.avatar_url: an MXC URI for the user's avatar, if any. + # None if the user has not set an avatar. + # + # * user_profile.display_name: the user's display name. None if the user + # has not set a display name. + # + # * HTML page which notifies the user that they are authenticating to confirm + # an operation on their account during the user interactive authentication + # process: 'sso_auth_confirm.html'. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL the user is about to be redirected to. + # + # * description: the operation which the user is being asked to confirm + # + # * idp: details of the Identity Provider that we will use to confirm + # the user's identity: an object with the following attributes: + # + # * idp_id: unique identifier for the IdP + # * idp_name: user-facing name for the IdP + # * idp_icon: if specified in the IdP config, an MXC URI for an icon + # for the IdP + # * idp_brand: if specified in the IdP config, a textual identifier + # for the brand of the IdP + # + # * HTML page shown after a successful user interactive authentication session: + # 'sso_auth_success.html'. + # + # Note that this page must include the JavaScript which notifies of a successful authentication + # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). + # + # This template has no additional variables. + # + # * HTML page shown after a user-interactive authentication session which + # does not map correctly onto the expected user: 'sso_auth_bad_user.html'. + # + # When rendering, this template is given the following variables: + # * server_name: the homeserver's name. + # * user_id_to_verify: the MXID of the user that we are trying to + # validate. + # + # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) + # attempts to login: 'sso_account_deactivated.html'. + # + # This template has no additional variables. + # + # * HTML page to display to users if something goes wrong during the + # OpenID Connect authentication process: 'sso_error.html'. + # + # When rendering, this template is given two variables: + # * error: the technical name of the error + # * error_description: a human-readable message for the error + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + +# JSON web token integration. The following settings can be used to make +# Synapse JSON web tokens for authentication, instead of its internal +# password database. +# +# Each JSON Web Token needs to contain a "sub" (subject) claim, which is +# used as the localpart of the mxid. +# +# Additionally, the expiration time ("exp"), not before time ("nbf"), +# and issued at ("iat") claims are validated if present. +# +# Note that this is a non-standard login type and client support is +# expected to be non-existent. +# +# See https://matrix-org.github.io/synapse/latest/jwt.html. +# +#jwt_config: + # Uncomment the following to enable authorization using JSON web + # tokens. Defaults to false. + # + #enabled: true + + # This is either the private shared secret or the public key used to + # decode the contents of the JSON web token. + # + # Required if 'enabled' is true. + # + #secret: "provided-by-your-issuer" + + # The algorithm used to sign the JSON web token. + # + # Supported algorithms are listed at + # https://pyjwt.readthedocs.io/en/latest/algorithms.html + # + # Required if 'enabled' is true. + # + #algorithm: "provided-by-your-issuer" + + # The issuer to validate the "iss" claim against. + # + # Optional, if provided the "iss" claim will be required and + # validated for all JSON web tokens. + # + #issuer: "provided-by-your-issuer" + + # A list of audiences to validate the "aud" claim against. + # + # Optional, if provided the "aud" claim will be required and + # validated for all JSON web tokens. + # + # Note that if the "aud" claim is included in a JSON web token then + # validation will fail without configuring audiences. + # + #audiences: + # - "provided-by-your-issuer" + + +password_config: + # Uncomment to disable password login + # + #enabled: false + + # Uncomment to disable authentication against the local password + # database. This is ignored if `enabled` is false, and is only useful + # if you have other password_providers. + # + #localdb_enabled: false + + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + # + #pepper: "EVEN_MORE_SECRET" + + # Define and enforce a password policy. Each parameter is optional. + # This is an implementation of MSC2000. + # + policy: + # Whether to enforce the password policy. + # Defaults to 'false'. + # + #enabled: true + + # Minimum accepted length for a password. + # Defaults to 0. + # + #minimum_length: 8 + + # Whether a password must contain at least one digit. + # Defaults to 'false'. + # + #require_digit: true + + # Whether a password must contain at least one symbol. + # A symbol is any character that's not a number or a letter. + # Defaults to 'false'. + # + #require_symbol: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_lowercase: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_uppercase: true + +ui_auth: + # The amount of time to allow a user-interactive authentication session + # to be active. + # + # This defaults to 0, meaning the user is queried for their credentials + # before every action, but this can be overridden to allow a single + # validation to be re-used. This weakens the protections afforded by + # the user-interactive authentication process, by allowing for multiple + # (and potentially different) operations to use the same validation session. + # + # This is ignored for potentially "dangerous" operations (including + # deactivating an account, modifying an account password, and + # adding a 3PID). + # + # Uncomment below to allow for credential validation to last for 15 + # seconds. + # + #session_timeout: "15s" + + +# Configuration for sending emails from Synapse. +# +email: + # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. + # + smtp_host: mail.envs.net + + # The port on the mail server for outgoing SMTP. Defaults to 25. + # + smtp_port: 25 + + # Username/password for authentication to the SMTP server. By default, no + # authentication is attempted. + # + # smtp_user: "exampleusername" + # smtp_pass: "examplepassword" + + # Uncomment the following to require TLS transport security for SMTP. + # By default, Synapse will connect over plain text, and will then switch to + # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, + # Synapse will refuse to connect unless the server supports STARTTLS. + # + require_transport_security: true + + # notif_from defines the "From" address to use when sending emails. + # It must be set if email sending is enabled. + # + # The placeholder '%(app)s' will be replaced by the application name, + # which is normally 'app_name' (below), but may be overridden by the + # Matrix client application. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + notif_from: "Your Friendly envs.net %(app)s Server " + + # app_name defines the default value for '%(app)s' in notif_from and email + # subjects. It defaults to 'Matrix'. + # + app_name: Matrix + + # Uncomment the following to enable sending emails for messages that the user + # has missed. Disabled by default. + # + enable_notifs: true + + # Uncomment the following to disable automatic subscription to email + # notifications for new users. Enabled by default. + # + notif_for_new_users: true + + # Custom URL for client links within the email notifications. By default + # links will be based on "https://matrix.to". + # + # (This setting used to be called riot_base_url; the old name is still + # supported for backwards-compatibility but is now deprecated.) + # + client_base_url: "https://matrix.envs.net/" + + # Configure the time that a validation email will expire after sending. + # Defaults to 1h. + # + validation_token_lifetime: 1h + + # The web client location to direct users to during an invite. This is passed + # to the identity server as the org.matrix.web_client_location key. Defaults + # to unset, giving no guidance to the identity server. + # + #invite_client_location: https://app.element.io + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * The contents of email notifications of missed events: 'notif_mail.html' and + # 'notif_mail.txt'. + # + # * The contents of account expiry notice emails: 'notice_expiry.html' and + # 'notice_expiry.txt'. + # + # * The contents of password reset emails sent by the homeserver: + # 'password_reset.html' and 'password_reset.txt' + # + # * An HTML page that a user will see when they follow the link in the password + # reset email. The user will be asked to confirm the action before their + # password is reset: 'password_reset_confirmation.html' + # + # * HTML pages for success and failure that a user will see when they confirm + # the password reset flow using the page above: 'password_reset_success.html' + # and 'password_reset_failure.html' + # + # * The contents of address verification emails sent during registration: + # 'registration.html' and 'registration.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent during registration: + # 'registration_success.html' and 'registration_failure.html' + # + # * The contents of address verification emails sent when an address is added + # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent when an address is added + # to a Matrix account: 'add_threepid_success.html' and + # 'add_threepid_failure.html' + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + notif_template_html: notif_mail.html + notif_template_text: notif_mail.txt + + # Subjects to use when sending emails from Synapse. + # + # The placeholder '%(app)s' will be replaced with the value of the 'app_name' + # setting above, or by a value dictated by the Matrix client application. + # + # If a subject isn't overridden in this configuration file, the value used as + # its example will be used. + # + #subjects: + + # Subjects for notification emails. + # + # On top of the '%(app)s' placeholder, these can use the following + # placeholders: + # + # * '%(person)s', which will be replaced by the display name of the user(s) + # that sent the message(s), e.g. "Alice and Bob". + # * '%(room)s', which will be replaced by the name of the room the + # message(s) have been sent to, e.g. "My super room". + # + # See the example provided for each setting to see which placeholder can be + # used and how to use them. + # + # Subject to use to notify about one message from one or more user(s) in a + # room which has a name. + #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..." + # + # Subject to use to notify about one message from one or more user(s) in a + # room which doesn't have a name. + #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages from one or more users in + # a room which doesn't have a name. + #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages in a room which has a + # name. + #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..." + # + # Subject to use to notify about multiple messages in multiple rooms. + #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..." + # + # Subject to use to notify about multiple messages from multiple persons in + # multiple rooms. This is similar to the setting above except it's used when + # the room in which the notification was triggered has no name. + #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..." + # + # Subject to use to notify about an invite to a room which has a name. + #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..." + # + # Subject to use to notify about an invite to a room which doesn't have a + # name. + #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." + + # Subject for emails related to account administration. + # + # On top of the '%(app)s' placeholder, these one can use the + # '%(server_name)s' placeholder, which will be replaced by the value of the + # 'server_name' setting in your Synapse configuration. + # + # Subject to use when sending a password reset email. + #password_reset: "[%(server_name)s] Password reset" + # + # Subject to use when sending a verification email to assert an address's + # ownership. + #email_validation: "[%(server_name)s] Validate your email" + + +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://matrix-org.github.io/synapse/latest/password_auth_providers.html +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +password_providers: +# # Example config for an LDAP auth provider +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" + + + +## Push ## + +push: + # Clients requesting push notifications can either have the body of + # the message sent in the notification poke along with other details + # like the sender, or just the event ID and room ID (`event_id_only`). + # If clients choose the former, this option controls whether the + # notification request includes the content of the event (other details + # like the sender are still included). For `event_id_only` push, it + # has no effect. + # + # For modern android devices the notification content will still appear + # because it is loaded by the app. iPhone, however will send a + # notification saying only that a message arrived and who it came from. + # + # The default value is "true" to include message details. Uncomment to only + # include the event ID and room ID in push notification payloads. + # + #include_content: false + + # When a push notification is received, an unread count is also sent. + # This number can either be calculated as the number of unread messages + # for the user, or the number of *rooms* the user has unread messages in. + # + # The default value is "true", meaning push clients will see the number of + # rooms with unread messages in them. Uncomment to instead send the number + # of unread messages. + # + #group_unread_count_by_room: false + + +## Rooms ## + +# Controls whether locally-created rooms should be end-to-end encrypted by +# default. +# +# Possible options are "all", "invite", and "off". They are defined as: +# +# * "all": any locally-created room +# * "invite": any room created with the "private_chat" or "trusted_private_chat" +# room creation presets +# * "off": this option will take no effect +# +# The default value is "off". +# +# Note that this option will only affect rooms created after it is set. It +# will also not affect rooms created by other servers. +# +#encryption_enabled_by_default_for_room_type: invite + + +# Uncomment to allow non-server-admin users to create groups on this server +# +enable_group_creation: true + +# If enabled, non server admins can only create groups with local parts +# starting with this prefix +# +#group_creation_prefix: "unofficial_" + +# User Directory configuration +# +user_directory: + # Defines whether users can search the user directory. If false then + # empty responses are returned to all queries. Defaults to true. + # + # Uncomment to disable the user directory. + # + enabled: true + + # Defines whether to search all users visible to your HS when searching + # the user directory, rather than limiting to users visible in public + # rooms. Defaults to false. + # + # If you set it true, you'll have to rebuild the user_directory search + # indexes, see: + # https://matrix-org.github.io/synapse/latest/user_directory.html + # + # Uncomment to return search results containing all known users, even if that + # user does not share a room with the requester. + # + search_all_users: true + + # Defines whether to prefer local users in search query results. + # If True, local users are more likely to appear above remote users + # when searching the user directory. Defaults to false. + # + # Uncomment to prefer local over remote users in user directory search + # results. + # + prefer_local_users: true + + +# User Consent configuration +# +# for detailed instructions, see +# https://matrix-org.github.io/synapse/latest/consent_tracking.html +# +# Parts of this section are required if enabling the 'consent' resource under +# 'listeners', in particular 'template_dir' and 'version'. +# +# 'template_dir' gives the location of the templates for the HTML forms. +# This directory should contain one subdirectory per language (eg, 'en', 'fr'), +# and each language directory should contain the policy document (named as +# '.html') and a success page (success.html). +# +# 'version' specifies the 'current' version of the policy document. It defines +# the version to be served by the consent resource if there is no 'v' +# parameter. +# +# 'server_notice_content', if enabled, will send a user a "Server Notice" +# asking them to consent to the privacy policy. The 'server_notices' section +# must also be configured for this to work. Notices will *not* be sent to +# guest users unless 'send_server_notice_to_guests' is set to true. +# +# 'block_events_error', if set, will block any attempts to send events +# until the user consents to the privacy policy. The value of the setting is +# used as the text of the error. +# +# 'require_at_registration', if enabled, will add a step to the registration +# process, similar to how captcha works. Users will be required to accept the +# policy before their account is created. +# +# 'policy_name' is the display name of the policy users will see when registering +# for an account. Has no effect unless `require_at_registration` is enabled. +# Defaults to "Privacy Policy". +# +user_consent: + template_dir: res/templates/privacy + version: 1.0 + server_notice_content: + msgtype: m.text + body: >- + Hello and welcome to the envs.net Matrix-homeserver! + This is the System Alerts room. We'll use it to send you important notices about maintenance or new features landing on the envs.net homeserver. + To continue using this homeserver you must review and agree to the + terms and conditions at %(consent_uri)s + send_server_notice_to_guests: true + block_events_error: >- + To continue using this homeserver you must review and agree to the + terms and conditions at %(consent_uri)s + require_at_registration: true + policy_name: Privacy Policy + + +# +# Settings for local room and user statistics collection. See +# https://matrix-org.github.io/synapse/latest/room_and_user_statistics.html. +# +stats: + # Uncomment the following to disable room and user statistics. Note that doing + # so may cause certain features (such as the room directory) not to work + # correctly. + # + enabled: true + + # The size of each timeslice in the room_stats_historical and + # user_stats_historical tables, as a time period. Defaults to "1d". + # + bucket_size: 1d + + +# Server Notices room configuration +# +# Uncomment this section to enable a room which can be used to send notices +# from the server to users. It is a special room which cannot be left; notices +# come from a special "notices" user id. +# +# If you uncomment this section, you *must* define the system_mxid_localpart +# setting, which defines the id of the user which will be used to send the +# notices. +# +# It's also possible to override the room name, the display name of the +# "notices" user, and the avatar for the user. +# +server_notices: + system_mxid_localpart: notices + system_mxid_display_name: "Server Notices" + system_mxid_avatar_url: "mxc://envs.net/83c0eed9ea5cf72417cc20b5e3b5fb01aa0c3967" + room_name: "Server Notices" + + + +# Uncomment to disable searching the public room list. When disabled +# blocks searching local and remote room lists for local and remote +# users by always returning an empty list for all queries. +# +#enable_room_list_search: false + +# The `alias_creation` option controls who's allowed to create aliases +# on this server. +# +# The format of this option is a list of rules that contain globs that +# match against user_id, room_id and the new alias (fully qualified with +# server name). The action in the first rule that matches is taken, +# which can currently either be "allow" or "deny". +# +# Missing user_id/room_id/alias fields default to "*". +# +# If no rules match the request is denied. An empty list means no one +# can create aliases. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# alias: Matches against the alias being created +# room_id: Matches against the room ID the alias is being pointed at +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#alias_creation_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +# The `room_list_publication_rules` option controls who can publish and +# which rooms can be published in the public room list. +# +# The format of this option is the same as that for +# `alias_creation_rules`. +# +# If the room has one or more aliases associated with it, only one of +# the aliases needs to match the alias rule. If there are no aliases +# then only rules with `alias: *` match. +# +# If no rules match the request is denied. An empty list means no one +# can publish rooms. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# room_id: Matches against the room ID being published +# alias: Matches against any current local or canonical aliases +# associated with the room +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#room_list_publication_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + + +## Opentracing ## + +# These settings enable opentracing, which implements distributed tracing. +# This allows you to observe the causal chains of events across servers +# including requests, key lookups etc., across any server running +# synapse or any other other services which supports opentracing +# (specifically those implemented with Jaeger). +# +opentracing: + # tracing is disabled by default. Uncomment the following line to enable it. + # + #enabled: true + + # The list of homeservers we wish to send and receive span contexts and span baggage. + # See https://matrix-org.github.io/synapse/latest/opentracing.html. + # + # This is a list of regexes which are matched against the server_name of the + # homeserver. + # + # By default, it is empty, so no servers are matched. + # + #homeserver_whitelist: + # - ".*" + + # A list of the matrix IDs of users whose requests will always be traced, + # even if the tracing system would otherwise drop the traces due to + # probabilistic sampling. + # + # By default, the list is empty. + # + #force_tracing_for_users: + # - "@user1:server_name" + # - "@user2:server_name" + + # Jaeger can be configured to sample traces at different rates. + # All configuration options provided by Jaeger can be set here. + # Jaeger's configuration is mostly related to trace sampling which + # is documented here: + # https://www.jaegertracing.io/docs/latest/sampling/. + # + #jaeger_config: + # sampler: + # type: const + # param: 1 + + # logging: + # false + + +## Workers ## + +worker_app: synapse.app.homeserver +#worker_name: homeserver + +notify_appservices: false +start_pushers: false +#update_user_directory: false + +# Disables sending of outbound federation transactions on the main process. +# Uncomment if using a federation sender worker. +# +send_federation: false + +# It is possible to run multiple federation sender workers, in which case the +# work is balanced across them. +# +# This configuration must be shared between all federation sender workers, and if +# changed all federation sender workers must be stopped at the same time and then +# started, to ensure that all instances are running with the same config (otherwise +# events may be dropped). +# +federation_sender_instances: + - federation_sender1 + - federation_sender2 + - federation_sender3 + +# When using workers this should be a map from `worker_name` to the +# HTTP replication listener of the worker, if configured. +# +#instance_map: +# worker1: +# host: localhost +# port: 8034 +instance_map: + generic_worker1: + host: localhost + port: 9094 + generic_worker2: + host: localhost + port: 9095 + +# Experimental: When using workers you can define which workers should +# handle event persistence and typing notifications. Any worker +# specified here must also be in the `instance_map`. +# +#stream_writers: +# events: worker1 +# typing: worker1 +stream_writers: + events: + - generic_worker1 + - generic_worker2 +# typing: worker1 + +# The worker that is used to run background tasks (e.g. cleaning up expired +# data). If not provided this defaults to the main process. +# +#run_background_tasks_on: background_worker + +# A shared secret used by the replication APIs to authenticate HTTP requests +# from workers. +# +# By default this is unused and traffic is not authenticated. +# +#worker_replication_secret: "" + + +# Configuration for Redis when using workers. This *must* be enabled when +# using workers (unless using old style direct TCP configuration). +# +redis: + # Uncomment the below to enable Redis support. + # + enabled: true + + # Optional host and port to use to connect to redis. Defaults to + # localhost and 6379 + # + #host: localhost + #port: 6379 + + # Optional password if configured on the Redis instance + # + #password: diff --git a/etc/matrix-synapse/log.yaml b/etc/matrix-synapse/log.yaml new file mode 100644 index 0000000..f046a15 --- /dev/null +++ b/etc/matrix-synapse/log.yaml @@ -0,0 +1,74 @@ +# Log configuration for Synapse. +# +# This is a YAML file containing a standard Python logging configuration +# dictionary. See [1] for details on the valid settings. +# +# Synapse also supports structured logging for machine readable logs which can +# be ingested by ELK stacks. See [2] for details. +# +# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema +# [2]: https://github.com/matrix-org/synapse/blob/master/docs/structured_logging.md + +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +handlers: + file: + class: logging.handlers.TimedRotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/homeserver.log + when: midnight + backupCount: 3 # Does not include the current log file. + encoding: utf8 + + # Default to buffering writes to log file for efficiency. This means that + # will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR + # logs will still be flushed immediately. + buffer: + class: logging.handlers.MemoryHandler + target: file + # The capacity is the number of log lines that are buffered before + # being written to disk. Increasing this will lead to better + # performance, at the expensive of it taking longer for log lines to + # be written to disk. + capacity: 10 + flushLevel: 30 # Flush for WARNING logs as well + + # A handler that writes logs to stderr. Unused by default, but can be used + # instead of "buffer" and "file" in the logger handlers. + console: + class: logging.StreamHandler + formatter: precise + +loggers: + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + + synapse.state.metrics: + level: DEBUG + + twisted: + # We send the twisted logging directly to the file handler, + # to work around https://github.com/matrix-org/synapse/issues/3471 + # when using "buffer" logger. Use "console" to log to stderr instead. + handlers: [file] + propagate: false + +root: + level: WARN + + # Write logs to the `buffer` handler, which will buffer them together in memory, + # then write them to a file. + # + # Replace "buffer" with "console" to log to stderr instead. (Note that you'll + # also need to update the configuration for the `twisted` logger above, in + # this case.) + # + handlers: [buffer] + +disable_existing_loggers: false diff --git a/etc/matrix-synapse/workers/appservice.yaml b/etc/matrix-synapse/workers/appservice.yaml new file mode 100644 index 0000000..92d4119 --- /dev/null +++ b/etc/matrix-synapse/workers/appservice.yaml @@ -0,0 +1,13 @@ +worker_app: synapse.app.appservice +worker_name: appservice + +# The replication listener on the synapse to talk to. +worker_replication_host: 127.0.0.1 +worker_replication_http_port: 9093 + +worker_log_config: /etc/matrix-synapse/workers/appservice_log_config.yaml + +worker_listeners: + - type: metrics + bind_addresses: ['0.0.0.0'] + port: 9121 diff --git a/etc/matrix-synapse/workers/appservice_log_config.yaml b/etc/matrix-synapse/workers/appservice_log_config.yaml new file mode 100644 index 0000000..b572305 --- /dev/null +++ b/etc/matrix-synapse/workers/appservice_log_config.yaml @@ -0,0 +1,42 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/worker_appservice.log + maxBytes: 104857600 + backupCount: 5 + filters: [context] + encoding: utf8 + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: WARN + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + +root: + level: WARN + handlers: [file, console] + + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +disable_existing_loggers: false diff --git a/etc/matrix-synapse/workers/federation_sender1.yaml b/etc/matrix-synapse/workers/federation_sender1.yaml new file mode 100644 index 0000000..7254aca --- /dev/null +++ b/etc/matrix-synapse/workers/federation_sender1.yaml @@ -0,0 +1,13 @@ +worker_app: synapse.app.federation_sender +worker_name: federation_sender1 + +# The replication listener on the synapse to talk to. +worker_replication_host: 127.0.0.1 +worker_replication_http_port: 9093 + +worker_log_config: /etc/matrix-synapse/workers/federation_sender1_log_config.yaml + +worker_listeners: + - type: metrics + bind_addresses: ['0.0.0.0'] + port: 9101 diff --git a/etc/matrix-synapse/workers/federation_sender1_log_config.yaml b/etc/matrix-synapse/workers/federation_sender1_log_config.yaml new file mode 100644 index 0000000..0483936 --- /dev/null +++ b/etc/matrix-synapse/workers/federation_sender1_log_config.yaml @@ -0,0 +1,42 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/worker_federation_sender1.log + maxBytes: 104857600 + backupCount: 5 + filters: [context] + encoding: utf8 + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: WARN + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + +root: + level: WARN + handlers: [file, console] + + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +disable_existing_loggers: false diff --git a/etc/matrix-synapse/workers/federation_sender2.yaml b/etc/matrix-synapse/workers/federation_sender2.yaml new file mode 100644 index 0000000..fd9d4e7 --- /dev/null +++ b/etc/matrix-synapse/workers/federation_sender2.yaml @@ -0,0 +1,13 @@ +worker_app: synapse.app.federation_sender +worker_name: federation_sender2 + +# The replication listener on the synapse to talk to. +worker_replication_host: 127.0.0.1 +worker_replication_http_port: 9093 + +worker_log_config: /etc/matrix-synapse/workers/federation_sender2_log_config.yaml + +worker_listeners: + - type: metrics + bind_addresses: ['0.0.0.0'] + port: 9102 diff --git a/etc/matrix-synapse/workers/federation_sender2_log_config.yaml b/etc/matrix-synapse/workers/federation_sender2_log_config.yaml new file mode 100644 index 0000000..080ae2e --- /dev/null +++ b/etc/matrix-synapse/workers/federation_sender2_log_config.yaml @@ -0,0 +1,42 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/worker_federation_sender2.log + maxBytes: 104857600 + backupCount: 5 + filters: [context] + encoding: utf8 + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: WARN + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + +root: + level: WARN + handlers: [file, console] + + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +disable_existing_loggers: false diff --git a/etc/matrix-synapse/workers/federation_sender3.yaml b/etc/matrix-synapse/workers/federation_sender3.yaml new file mode 100644 index 0000000..08a5427 --- /dev/null +++ b/etc/matrix-synapse/workers/federation_sender3.yaml @@ -0,0 +1,13 @@ +worker_app: synapse.app.federation_sender +worker_name: federation_sender3 + +# The replication listener on the synapse to talk to. +worker_replication_host: 127.0.0.1 +worker_replication_http_port: 9093 + +worker_log_config: /etc/matrix-synapse/workers/federation_sender3_log_config.yaml + +worker_listeners: + - type: metrics + bind_addresses: ['0.0.0.0'] + port: 9103 diff --git a/etc/matrix-synapse/workers/federation_sender3_log_config.yaml b/etc/matrix-synapse/workers/federation_sender3_log_config.yaml new file mode 100644 index 0000000..1b6e6ce --- /dev/null +++ b/etc/matrix-synapse/workers/federation_sender3_log_config.yaml @@ -0,0 +1,42 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/worker_federation_sender3.log + maxBytes: 104857600 + backupCount: 5 + filters: [context] + encoding: utf8 + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: WARN + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + +root: + level: WARN + handlers: [file, console] + + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +disable_existing_loggers: false diff --git a/etc/matrix-synapse/workers/generic_worker1.yaml b/etc/matrix-synapse/workers/generic_worker1.yaml new file mode 100644 index 0000000..8ae8266 --- /dev/null +++ b/etc/matrix-synapse/workers/generic_worker1.yaml @@ -0,0 +1,28 @@ +worker_app: synapse.app.generic_worker +worker_name: generic_worker1 + +# The replication listener on the synapse to talk to. +worker_replication_host: 127.0.0.1 +worker_replication_http_port: 9093 + +worker_log_config: /etc/matrix-synapse/workers/generic_worker1_log_config.yaml + +worker_listeners: + - type: http + bind_addresses: ['127.0.0.1'] + port: 8510 + tls: false + x_forwarded: true + resources: + - names: [client, federation] + compress: false + + - type: http + bind_addresses: ['127.0.0.1'] + port: 9094 + resources: + - names: [replication] + + - type: metrics + bind_addresses: ['0.0.0.0'] + port: 9131 diff --git a/etc/matrix-synapse/workers/generic_worker1_log_config.yaml b/etc/matrix-synapse/workers/generic_worker1_log_config.yaml new file mode 100644 index 0000000..4e6642b --- /dev/null +++ b/etc/matrix-synapse/workers/generic_worker1_log_config.yaml @@ -0,0 +1,42 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/worker_generic_worker1.log + maxBytes: 104857600 + backupCount: 5 + filters: [context] + encoding: utf8 + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: WARN + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + +root: + level: WARN + handlers: [file, console] + + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +disable_existing_loggers: false diff --git a/etc/matrix-synapse/workers/generic_worker2.yaml b/etc/matrix-synapse/workers/generic_worker2.yaml new file mode 100644 index 0000000..ae56696 --- /dev/null +++ b/etc/matrix-synapse/workers/generic_worker2.yaml @@ -0,0 +1,28 @@ +worker_app: synapse.app.generic_worker +worker_name: generic_worker2 + +# The replication listener on the synapse to talk to. +worker_replication_host: 127.0.0.1 +worker_replication_http_port: 9093 + +worker_log_config: /etc/matrix-synapse/workers/generic_worker2_log_config.yaml + +worker_listeners: + - type: http + bind_addresses: ['127.0.0.1'] + port: 8511 + tls: false + x_forwarded: true + resources: + - names: [client, federation] + compress: false + + - type: http + bind_addresses: ['127.0.0.1'] + port: 9095 + resources: + - names: [replication] + + - type: metrics + bind_addresses: ['0.0.0.0'] + port: 9132 diff --git a/etc/matrix-synapse/workers/generic_worker2_log_config.yaml b/etc/matrix-synapse/workers/generic_worker2_log_config.yaml new file mode 100644 index 0000000..b3a6914 --- /dev/null +++ b/etc/matrix-synapse/workers/generic_worker2_log_config.yaml @@ -0,0 +1,42 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/worker_generic_worker2.log + maxBytes: 104857600 + backupCount: 5 + filters: [context] + encoding: utf8 + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: WARN + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + +root: + level: WARN + handlers: [file, console] + + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +disable_existing_loggers: false diff --git a/etc/matrix-synapse/workers/generic_worker3.yaml b/etc/matrix-synapse/workers/generic_worker3.yaml new file mode 100644 index 0000000..8da8ed2 --- /dev/null +++ b/etc/matrix-synapse/workers/generic_worker3.yaml @@ -0,0 +1,28 @@ +worker_app: synapse.app.generic_worker +worker_name: generic_worker3 + +# The replication listener on the synapse to talk to. +worker_replication_host: 127.0.0.1 +worker_replication_http_port: 9093 + +worker_log_config: /etc/matrix-synapse/workers/generic_worker3_log_config.yaml + +worker_listeners: + - type: http + bind_addresses: ['127.0.0.1'] + port: 8512 + tls: false + x_forwarded: true + resources: + - names: [client, federation] + compress: false + + - type: http + bind_addresses: ['127.0.0.1'] + port: 9096 + resources: + - names: [replication] + + - type: metrics + bind_addresses: ['0.0.0.0'] + port: 9133 diff --git a/etc/matrix-synapse/workers/generic_worker3_log_config.yaml b/etc/matrix-synapse/workers/generic_worker3_log_config.yaml new file mode 100644 index 0000000..231f992 --- /dev/null +++ b/etc/matrix-synapse/workers/generic_worker3_log_config.yaml @@ -0,0 +1,42 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/worker_generic_worker3.log + maxBytes: 104857600 + backupCount: 5 + filters: [context] + encoding: utf8 + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: WARN + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + +root: + level: WARN + handlers: [file, console] + + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +disable_existing_loggers: false diff --git a/etc/matrix-synapse/workers/pusher.yaml b/etc/matrix-synapse/workers/pusher.yaml new file mode 100644 index 0000000..c51b464 --- /dev/null +++ b/etc/matrix-synapse/workers/pusher.yaml @@ -0,0 +1,13 @@ +worker_app: synapse.app.pusher +worker_name: pusher + +# The replication listener on the synapse to talk to. +worker_replication_host: 127.0.0.1 +worker_replication_http_port: 9093 + +worker_log_config: /etc/matrix-synapse/workers/pusher_log_config.yaml + +worker_listeners: + - type: metrics + bind_addresses: ['0.0.0.0'] + port: 9111 diff --git a/etc/matrix-synapse/workers/pusher_log_config.yaml b/etc/matrix-synapse/workers/pusher_log_config.yaml new file mode 100644 index 0000000..f1a68aa --- /dev/null +++ b/etc/matrix-synapse/workers/pusher_log_config.yaml @@ -0,0 +1,42 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/worker_pusher.log + maxBytes: 104857600 + backupCount: 5 + filters: [context] + encoding: utf8 + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: WARN + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARN + +root: + level: WARN + handlers: [file, console] + + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +disable_existing_loggers: false diff --git a/etc/matrix-synchrotron-balancer/config.yaml b/etc/matrix-synchrotron-balancer/config.yaml new file mode 100644 index 0000000..0773897 --- /dev/null +++ b/etc/matrix-synchrotron-balancer/config.yaml @@ -0,0 +1,11 @@ +homeserver_url: http://localhost:8008 +listener: localhost:8083 +synchrotrons: + - address: localhost:8510 + pid_file: /etc/matrix-synapse/workers/generic_worker1.pid + - address: localhost:8511 + pid_file: /etc/matrix-synapse/workers/generic_worker2.pid + - address: localhost:8512 + pid_file: /etc/matrix-synapse/workers/generic_worker3.pid +balancer: + interval: 2 diff --git a/etc/nginx/include.d/generic_worker.conf b/etc/nginx/include.d/generic_worker.conf new file mode 100644 index 0000000..9c698c7 --- /dev/null +++ b/etc/nginx/include.d/generic_worker.conf @@ -0,0 +1,272 @@ +# Generic Worker + +## Sync requests +location ~* ^/_matrix/client/(v2_alpha|r0)/sync$ { + proxy_pass http://localhost:8083; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0)/initialSync$ { + proxy_pass http://localhost:8083; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ { + proxy_pass http://localhost:8083; + include include.d/synapse-proxy.conf; +} + + +## Federation requests +location ~* ^/_matrix/federation/v1/event/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/state/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/state_ids/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/backfill/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/get_missing_events/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/publicRooms { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/query/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/make_join/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/make_leave/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/send_join/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v2/send_join/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/send_leave/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v2/send_leave/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/invite/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v2/invite/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/query_auth/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/event_auth/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/exchange_third_party_invite/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/user/devices/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/federation/v1/get_groups_publicised$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/key/v2/query { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + + +## Inbound federation transaction request +location ~* ^/_matrix/federation/v1/send/ { + proxy_pass http://generic_worker_ih; + include include.d/synapse-proxy.conf; +} + + +## Client API requests +location ~* ^/_matrix/client/(api/v1|r0|unstable)/publicRooms$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/devices$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/keys/query$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/keys/changes$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/versions$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/event/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/joined_rooms$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/search$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + + +## Registration/login requests +location ~* ^/_matrix/client/(api/v1|r0|unstable)/login$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(r0|unstable)/register$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + + +## Event sending requests +location ~* ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/join/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} + +location ~* ^/_matrix/client/(api/v1|r0|unstable)/profile/ { + proxy_pass http://generic_worker_lc; + include include.d/synapse-proxy.conf; +} diff --git a/etc/nginx/include.d/synapse-proxy.conf b/etc/nginx/include.d/synapse-proxy.conf new file mode 100644 index 0000000..a4cd331 --- /dev/null +++ b/etc/nginx/include.d/synapse-proxy.conf @@ -0,0 +1,14 @@ +proxy_set_header Host $http_host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $remote_addr; +proxy_set_header X-Forwarded-Proto $scheme; + +port_in_redirect off; +proxy_redirect off; +proxy_connect_timeout 360; +proxy_read_timeout 600; +proxy_send_timeout 600; + +#proxy_buffering off; +proxy_buffers 8 16k; +proxy_buffer_size 32k; diff --git a/etc/nginx/include.d/synapse_admin.conf b/etc/nginx/include.d/synapse_admin.conf new file mode 100644 index 0000000..49791a3 --- /dev/null +++ b/etc/nginx/include.d/synapse_admin.conf @@ -0,0 +1,19 @@ +location ^~ /_synapse/admin/v1/users/@creme:envs.net/admin { + proxy_pass http://localhost:8008; + include include.d/synapse-proxy.conf; +} +location ^~ /_synapse/admin/v1/whois/@creme:envs.net { + proxy_pass http://localhost:8008; + include include.d/synapse-proxy.conf; +} +location ^~ /_synapse/admin/v1/deactivate { + proxy_pass http://localhost:8008; + include include.d/synapse-proxy.conf; +} + +location ^~ /_synapse/admin { + allow 127.0.0.1; + deny all; + proxy_pass http://localhost:8008; + include include.d/synapse-proxy.conf; +} diff --git a/etc/nginx/sites-available/matrix.envs.net.conf b/etc/nginx/sites-available/matrix.envs.net.conf new file mode 100644 index 0000000..8dd77e1 --- /dev/null +++ b/etc/nginx/sites-available/matrix.envs.net.conf @@ -0,0 +1,141 @@ +server { + listen 80 default_server; + #listen [::]:80; + server_name matrix.envs.net; + + location / { + return 307 https://$host$request_uri; + } + + location /.well-known/acme-challenge/ { + alias /var/lib/letsencrypt/.well-known/acme-challenge/; + } +} +server { + listen 80; + #listen [::]:80; + server_name turn.envs.net; + + location / { + return 307 https://matrix.envs.net$request_uri; + } + + location /.well-known/acme-challenge/ { + alias /var/lib/letsencrypt/.well-known/acme-challenge/; + } +} + + +map $http_origin $DO_CORS { + # indicates all map values are hostnames and should be parsed as such + hostnames; + # default value + default 'true'; + # blocked domains + renaissance.eu.org 'false'; + element.renaissance.eu.org 'false'; +} + + +upstream generic_worker_rr { + server localhost:8510; + server localhost:8511; + server localhost:8512; +} +upstream generic_worker_ih { + ip_hash; + server localhost:8510; + server localhost:8511; + server localhost:8512; +} +upstream generic_worker_lc { + least_conn; + server localhost:8510; + server localhost:8511; + server localhost:8512; +} + + +server { + listen 443 ssl http2 default_server; + #listen [::]:443 ssl; + server_name matrix.envs.net; + + include snippets/ssl.conf; + + ## well-known + location /.well-known/matrix/support { + add_header Access-Control-Allow-Origin "$DO_CORS"; + add_header Content-Type application/json; + return 200 '{"admins": [{"matrix_id": "@creme:envs.net", "email_address": "hostmaster@envs.net", "role": "admin"}]}'; + } + + location /.well-known/matrix/ { + add_header Access-Control-Allow-Origin "$DO_CORS"; + add_header Content-Type application/json; + return 200 '{"m.server": "matrix.envs.net:443", "m.homeserver": {"base_url": "https://matrix.envs.net"}, "m.integrations": {"managers": [{"ui_url": "https://dimension.envs.net/riot", "api_url": "https://dimension.envs.net/api/v1/scalar"}, {"ui_url": "https://scalar.vector.im/", "api_url": "https://scalar.vector.im/api"}]}, "m.integrations_widget": {"url": "https://dimension.envs.net/riot", "data": {"api_url": "https://dimension.envs.net/api/v1/scalar"}}}'; + } + + ## workers + include include.d/generic_worker.conf; + + ## + location ~* ^(\/_matrix|\/_synapse\/client) { + proxy_pass http://localhost:8008; + include include.d/synapse-proxy.conf; + } + # /synapse/admin + include include.d/synapse_admin.conf; + + ## media-repo + location ^~ /_matrix/media { + proxy_pass http://localhost:8000; + + client_max_body_size 100M; + + proxy_set_header Host envs.net; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_read_timeout 3600; + } + + ## appservice-irc + location ^~ /_matrix/provision { + allow 127.0.0.1; + deny all; + proxy_pass http://localhost:9999/_matrix/provision; + include include.d/synapse-proxy.conf; + } + + ## MAUBOT + location ^~ /_matrix/maubot { + proxy_pass http://localhost:29316/_matrix/maubot; + include include.d/synapse-proxy.conf; + } + # log + location ^~ /_matrix/maubot/v1/logs { + proxy_pass http://localhost:29316/_matrix/maubot/v1/logs; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + include include.d/synapse-proxy.conf; + } + + ## + location / { + proxy_pass http://localhost:8008; + include include.d/synapse-proxy.conf; + } +} + +server { + listen 8448 ssl http2; + server_name matrix.envs.net; + + include snippets/ssl.conf; + + location / { + proxy_pass http://localhost:8008; + include include.d/synapse-proxy.conf; + } +} diff --git a/etc/postgresql/11/main/postgresql.conf b/etc/postgresql/11/main/postgresql.conf new file mode 100644 index 0000000..5950727 --- /dev/null +++ b/etc/postgresql/11/main/postgresql.conf @@ -0,0 +1,690 @@ +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, run "pg_ctl reload", or execute +# "SELECT pg_reload_conf()". Some parameters, which are marked below, +# require a server shutdown and restart to take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: kB = kilobytes Time units: ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. + +data_directory = '/var/lib/postgresql/11/main' # use data in another directory + # (change requires restart) +hba_file = '/etc/postgresql/11/main/pg_hba.conf' # host-based authentication file + # (change requires restart) +ident_file = '/etc/postgresql/11/main/pg_ident.conf' # ident configuration file + # (change requires restart) + +# If external_pid_file is not explicitly set, no extra PID file is written. +external_pid_file = '/var/run/postgresql/11-main.pid' # write an extra PID file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +listen_addresses = '127.0.0.1' # what IP address(es) to listen on; + # comma-separated list of addresses; + # defaults to 'localhost'; use '*' for all + # (change requires restart) +port = 5432 # (change requires restart) +max_connections = 200 # (change requires restart) +#superuser_reserved_connections = 3 # (change requires restart) +unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories + # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - TCP Keepalives - +# see "man 7 tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default + +# - Authentication - + +#authentication_timeout = 1min # 1s-600s +password_encryption = 'scram-sha-256' # md5 or scram-sha-256 +#db_user_namespace = off + +# GSSAPI using Kerberos +#krb_server_keyfile = '' +#krb_caseins_users = off + +# - SSL - + +ssl = on +#ssl_ca_file = '' +ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' +#ssl_crl_file = '' +ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_dh_params_file = '' +#ssl_passphrase_command = '' +#ssl_passphrase_command_supports_reload = off + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = 6GB # min 128kB + # (change requires restart) +#huge_pages = try # on, off, or try + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Caution: it is not advisable to set max_prepared_transactions nonzero unless +# you actively intend to use prepared transactions. +work_mem = 15728kB # min 64kB +maintenance_work_mem = 1536MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#max_stack_depth = 2MB # min 100kB +dynamic_shared_memory_type = posix # the default is the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # use none to disable dynamic shared memory + # (change requires restart) + +# - Disk - + +#temp_file_limit = -1 # limits per-process temp file space + # in kB, or -1 for no limit + +# - Kernel Resources - + +#max_files_per_process = 1000 # min 25 + # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round +#bgwriter_flush_after = 512kB # measured in pages, 0 disables + +# - Asynchronous Behavior - + +effective_io_concurrency = 200 # 1-1000; 0 disables prefetching +#max_worker_processes = 4 # (change requires restart) +#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers +#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers +#parallel_leader_participation = on +#max_parallel_workers = 4 # maximum number of max_worker_processes that + # can be used in parallel operations +#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate + # (change requires restart) +#backend_flush_after = 0 # measured in pages, 0 disables + + +#------------------------------------------------------------------------------ +# WRITE-AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = replica # minimal, replica, or logical + # (change requires restart) +#fsync = on # flush data to disk for crash safety + # (turning this off can cause + # unrecoverable data corruption) +synchronous_commit = off # synchronization level; + # off, local, remote_write, remote_apply, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux) + # fsync + # fsync_writethrough + # open_sync +#full_page_writes = on # recover from partial page writes +#wal_compression = off # enable compression of full-page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +wal_buffers = 16MB # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds +#wal_writer_flush_after = 1MB # measured in pages, 0 disables + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1d +max_wal_size = 4GB +min_wal_size = 1GB +checkpoint_completion_target = 0.8 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_flush_after = 256kB # measured in pages, 0 disables +#checkpoint_warning = 30s # 0 disables + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Servers - + +# Set these on the master and on any standby that will send replication data. + +#max_wal_senders = 10 # max number of walsender processes + # (change requires restart) +#wal_keep_segments = 0 # in logfile segments; 0 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables + +#max_replication_slots = 10 # max number of replication slots + # (change requires restart) +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Master Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # method to choose sync standbys, number of sync standbys, + # and comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a master server. + +#hot_standby = on # "off" disallows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from master + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt + +# - Subscribers - + +# These settings are ignored on a publisher. + +#max_logical_replication_workers = 4 # taken from max_worker_processes + # (change requires restart) +#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_bitmapscan = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_parallel_append = on +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on +#enable_partitionwise_join = off +#enable_partitionwise_aggregate = off +#enable_parallel_hash = on +#enable_partition_pruning = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +random_page_cost = 1.1 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#parallel_tuple_cost = 0.1 # same scale as above +#parallel_setup_cost = 1000.0 # same scale as above + +#jit_above_cost = 100000 # perform JIT compilation if available + # and query more expensive than this; + # -1 disables +#jit_inline_above_cost = 500000 # inline small functions if query is + # more expensive than this; -1 disables +#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if + # query is more expensive than this; + # -1 disables + +#min_parallel_table_scan_size = 8MB +#min_parallel_index_scan_size = 512kB +effective_cache_size = 14GB + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses +#force_parallel_mode = off +#jit = off # allow JIT compilation + + +#------------------------------------------------------------------------------ +# REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, syslog, and eventlog, + # depending on platform. csvlog + # requires logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr and csvlog + # into log files. Required to be on for + # csvlogs. + # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. + +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' +#syslog_sequence_numbers = on +#syslog_split_messages = on + +# This is only relevant when logging to eventlog (win32): +# (change requires restart) +#event_source = 'PostgreSQL' + +# - When to Log - + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_checkpoints = off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +log_line_prefix = '%m [%p] %q%u@%d ' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %p = process ID + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %n = timestamp with milliseconds (as a Unix epoch) + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. '<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'Etc/UTC' + +#------------------------------------------------------------------------------ +# PROCESS TITLE +#------------------------------------------------------------------------------ + +cluster_name = '11/main' # added to process titles if nonempty + # (change requires restart) +#update_process_title = on + + +#------------------------------------------------------------------------------ +# STATISTICS +#------------------------------------------------------------------------------ + +# - Query and Index Statistics Collector - + +#track_activities = on +#track_counts = on +#track_io_timing = off +#track_functions = none # none, pl, all +#track_activity_query_size = 1024 # (change requires restart) +stats_temp_directory = '/var/run/postgresql/11-main.pg_stat_tmp' + + +# - Monitoring - + +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off +#log_statement_stats = off + + +#------------------------------------------------------------------------------ +# AUTOVACUUM +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. +#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error +#search_path = '"$user", public' # schema names +#row_security = on +#default_tablespace = '' # a tablespace name, '' uses the default +#temp_tablespaces = '' # a list of tablespace names, '' uses + # only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_min_age = 50000000 +#vacuum_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_freeze_table_age = 150000000 +#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples + # before index cleanup, 0 always performs + # index cleanup +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_fuzzy_search_limit = 0 +#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +datestyle = 'iso, mdy' +#intervalstyle = 'postgres' +timezone = 'Etc/UTC' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. Currently, there are + # Default + # Australia (historical usage) + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 0 # min -15, max 3 +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. +lc_messages = 'en_US.UTF-8' # locale for system error message + # strings +lc_monetary = 'en_US.UTF-8' # locale for monetary formatting +lc_numeric = 'en_US.UTF-8' # locale for number formatting +lc_time = 'en_US.UTF-8' # locale for time formatting + +# default configuration for text search +default_text_search_config = 'pg_catalog.english' + +# - Shared Library Preloading - + +#shared_preload_libraries = '' # (change requires restart) +#local_preload_libraries = '' +#session_preload_libraries = '' +#jit_provider = 'llvmjit' # JIT library to use + +# - Other Defaults - + +#dynamic_library_path = '$libdir' + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_relation = -2 # negative values mean + # (max_pred_locks_per_transaction + # / -max_pred_locks_per_relation) - 1 +#max_pred_locks_per_page = 2 # min 0 + + +#------------------------------------------------------------------------------ +# VERSION AND PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#default_with_oids = off +#escape_string_warning = on +#lo_compat_privileges = off +#operator_precedence_warning = off +#quote_all_identifiers = off +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + +#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? +#restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync + # data? + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONFIG FILE INCLUDES +#------------------------------------------------------------------------------ + +# These options allow settings to be loaded from files other than the +# default postgresql.conf. + +include_dir = 'conf.d' # include files ending in '.conf' from + # a directory, e.g., 'conf.d' +#include_if_exists = '' # include file only if it exists +#include = '' # include file + + +#------------------------------------------------------------------------------ +# CUSTOMIZED OPTIONS +#------------------------------------------------------------------------------ + +# Add settings for extensions here diff --git a/etc/systemd/system/matrix-media.service b/etc/systemd/system/matrix-media.service new file mode 100644 index 0000000..8a97c59 --- /dev/null +++ b/etc/systemd/system/matrix-media.service @@ -0,0 +1,13 @@ +[Unit] +Description=matrix-media-repo +After=network.target postgresql@11-main.service matrix-synapse.service + +[Service] +Type=simple +User=matrix-media +WorkingDirectory=/opt/matrix-media-repo +ExecStart=/opt/matrix-media-repo/media_repo --config /etc/matrix-media-repo/media-repo.yaml +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/etc/systemd/system/matrix-synapse-worker@.service b/etc/systemd/system/matrix-synapse-worker@.service new file mode 100644 index 0000000..ae4f158 --- /dev/null +++ b/etc/systemd/system/matrix-synapse-worker@.service @@ -0,0 +1,27 @@ +[Unit] +Description=Synapse %i +AssertPathExists=/etc/matrix-synapse/workers/%i.yaml + +# This service should be restarted when the synapse target is restarted. +PartOf=matrix-synapse.target +ReloadPropagatedFrom=matrix-synapse.target + +# if this is started at the same time as the main, let the main process start +# first, to initialise the database schema. +After=matrix-synapse.service + +[Service] +Type=notify +NotifyAccess=main +User=matrix-synapse +WorkingDirectory=/var/lib/matrix-synapse +EnvironmentFile=/etc/default/matrix-synapse +ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml +ExecStartPost=/bin/sh -c "echo $MAINPID > /etc/matrix-synapse/workers/%i.pid" +ExecReload=/bin/kill -HUP $MAINPID +Restart=always +RestartSec=3 +SyslogIdentifier=matrix-synapse-%i + +[Install] +WantedBy=matrix-synapse.target diff --git a/etc/systemd/system/matrix-synapse.service b/etc/systemd/system/matrix-synapse.service new file mode 100644 index 0000000..f6b6dfd --- /dev/null +++ b/etc/systemd/system/matrix-synapse.service @@ -0,0 +1,22 @@ +[Unit] +Description=Synapse master + +# This service should be restarted when the synapse target is restarted. +PartOf=matrix-synapse.target +ReloadPropagatedFrom=matrix-synapse.target + +[Service] +Type=notify +NotifyAccess=main +User=matrix-synapse +WorkingDirectory=/var/lib/matrix-synapse +EnvironmentFile=/etc/default/matrix-synapse +ExecStartPre=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys +ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ +ExecReload=/bin/kill -HUP $MAINPID +Restart=always +RestartSec=3 +SyslogIdentifier=matrix-synapse + +[Install] +WantedBy=matrix-synapse.target diff --git a/etc/systemd/system/matrix-synapse.target b/etc/systemd/system/matrix-synapse.target new file mode 100644 index 0000000..02aa3e5 --- /dev/null +++ b/etc/systemd/system/matrix-synapse.target @@ -0,0 +1,8 @@ +[Unit] +Description=Synapse parent target +After=network.target +Requires=postgresql@11-main.service +Requires=redis-server.service + +[Install] +WantedBy=multi-user.target diff --git a/etc/systemd/system/matrix-synchrotron-balancer.service b/etc/systemd/system/matrix-synchrotron-balancer.service new file mode 100644 index 0000000..82167ff --- /dev/null +++ b/etc/systemd/system/matrix-synchrotron-balancer.service @@ -0,0 +1,13 @@ +[Unit] +Description=matrix-synchrotron-balancer +After=network.target matrix-synapse.service + +[Service] +Type=simple +User=synchrotron +WorkingDirectory=/opt/matrix-synchrotron-balancer +ExecStart=/opt/matrix-synchrotron-balancer/matrix-synchrotron-balancer +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/usr/local/bin/matrix-get-obsolet-rooms.sh b/usr/local/bin/matrix-get-obsolet-rooms.sh new file mode 100755 index 0000000..77ec860 --- /dev/null +++ b/usr/local/bin/matrix-get-obsolet-rooms.sh @@ -0,0 +1,58 @@ +#!/usr/bin/env bash +# +# you dont need to stop synapse. +# + +DOMAIN='' +TOKEN='' +file_rooms='/tmp/matrix_rooms.txt' +file_obsolet_rooms='/tmp/matrix_obsolet_rooms.txt' + +print_usage() { + printf '%s\n\n' "${0##*/}" + printf 'usage:\n' + printf ' -h print this help\n' + printf ' -d domain\n' + printf ' -t token\n' + printf 'example:\n' + printf ' %s -d "domain.com" -t "token"\n' "${0##*/}" + exit 1 +} + +while getopts ":d:t:h" opt "${@}"; do + case $opt in + d) DOMAIN="$OPTARG" ;; + t) TOKEN="$OPTARG" ;; + \?) printf 'Invalid option: -%s\n\n' "$OPTARG" ; print_usage ;; + h|*) print_usage ;; + esac +done + +if [ -z "$DOMAIN" ] || [ "$DOMAIN" == '-t' ]; then print_usage; fi +if [ -z "$TOKEN" ] || [ "$TOKEN" == '-d' ]; then print_usage; fi + +curl -s -X GET -H "Authorization: Bearer $TOKEN" "https://$DOMAIN/_synapse/admin/v1/rooms?limit=10000" | \ +jq -M '.rooms[] | .room_id' > $file_rooms +sed -i 's/"//g' $file_rooms + +while IFS= read -r room_id +do + curl -s -X GET -H "Authorization: Bearer $TOKEN" "https://$DOMAIN/_synapse/admin/v1/rooms/$room_id/state" | \ + jq -M '.state[] | select(.type == "m.room.tombstone") | .room_id' >> $file_obsolet_rooms +done < $file_rooms +sed -i 's/"//g' $file_obsolet_rooms + +printf '\nobsolet rooms:\n' +cat $file_obsolet_rooms + +#while IFS= read -r room_id +#do +# printf 'remove room %s\n' "$room_id" +# curl -s -X POST -H "Authorization: Bearer $TOKEN" "https://$DOMAIN/_synapse/admin/v1/rooms/$room_id/delete" \ +# -d "{ \"new_room_user_id\": \"@notices:$DOMAIN\", \"room_name\": \"Content Notification\", \"message\": \"remove obsolet room $room_id.\", \"block\": false, \"purge\": true, \"force-purge\": true }" +# printf 'done.\n' +#done < $file_obsolet_rooms + +rm $file_rooms $file_obsolet_rooms +# +exit 0 diff --git a/usr/local/bin/matrix-remove-empty-rooms.sh b/usr/local/bin/matrix-remove-empty-rooms.sh new file mode 100755 index 0000000..e2a38c7 --- /dev/null +++ b/usr/local/bin/matrix-remove-empty-rooms.sh @@ -0,0 +1,47 @@ +#!/usr/bin/env bash +# +# you dont need to stop synapse. +# + +DOMAIN='' +TOKEN='' +tmp_file='/tmp/matrix_rooms_to_purge.txt' + +print_usage() { + printf '%s\n\n' "${0##*/}" + printf 'usage:\n' + printf ' -h print this help\n' + printf ' -d domain\n' + printf ' -t token\n' + printf 'example:\n' + printf ' %s -d "domain.com" -t "token"\n' "${0##*/}" + exit 1 +} + +while getopts ":d:t:h" opt "${@}"; do + case $opt in + d) DOMAIN="$OPTARG" ;; + t) TOKEN="$OPTARG" ;; + \?) printf 'Invalid option: -%s\n\n' "$OPTARG" ; print_usage ;; + h|*) print_usage ;; + esac +done + +if [ -z "$DOMAIN" ] || [ "$DOMAIN" == '-t' ]; then print_usage; fi +if [ -z "$TOKEN" ] || [ "$TOKEN" == '-d' ]; then print_usage; fi + +curl -s -X GET -H "Authorization: Bearer $TOKEN" "https://$DOMAIN/_synapse/admin/v1/rooms?limit=10000" | \ +jq -M '.rooms[] | select(.joined_local_members == 0) | .room_id' > $tmp_file +sed -i 's/"//g' $tmp_file + +while IFS= read -r room_id +do + printf 'remove room %s ' "$room_id" + curl -s -X POST -H "Authorization: Bearer $TOKEN" "https://$DOMAIN/_synapse/admin/v1/purge_room" \ + -H "Content-Type: application/json" -d "{ \"room_id\": \"$room_id\" }" + printf ' done.\n' +done < $tmp_file + +rm $tmp_file +# +exit 0 diff --git a/usr/local/bin/synapse-clear-state.sh b/usr/local/bin/synapse-clear-state.sh new file mode 100755 index 0000000..5e83083 --- /dev/null +++ b/usr/local/bin/synapse-clear-state.sh @@ -0,0 +1,76 @@ +#!/bin/sh +# +# you dont need to stop synapse. +# +# from: https://jo-so.de/2018-03/Matrix.html#state_groups_stateaufrumen +# +# this script used: +# https://github.com/matrix-org/rust-synapse-compress-state +# +## start task via: +# $ sudo systemd-run --nice=4 -pCPUSchedulingPolicy=batch \ +# -pIOSchedulingClass=idle --uid=matrix-synapse --collect \ +# --unit=synapse-clear-state ~/bin/synapse-clear-state +# +## watch task-log via: +# $ journalctl -Stoday -u synapse-clear-state -f +# + +set -e -u + +username='matrix' +db='matrix' + +conn_str="host=localhost user=$username dbname=$db application_name=state_compress" + +### + +export RUST_BACKTRACE=short LC_ALL=C.UTF-8 + +if which time >/dev/null +then + export TIME='%E elapsed %M rss' + time=time +else + time= +fi + +cd "$(mktemp -d)" +echo "Writing SQL files to $PWD" + +if [ $# -eq 0 ] +then + set -- $(psql -X -t -A -U "$username" -c 'SELECT room_id FROM state_groups + GROUP BY room_id ORDER BY count(*)' $db) +fi + +echo 'Disabling autovacuum on state_groups_state' +psql -X -q -b -U "$username" -c 'alter table state_groups_state set (autovacuum_enabled = false);' $db + +no=0 +for room in $* +do + echo '--------------------' + echo + + sql_file=state-compress-$((no += 1)).sql + echo "Writing SQL commands to $sql_file" + + $time synapse-compress-state -t -p "$conn_str" -o "$sql_file" -r "$room" -m 1000 + if test -s "$sql_file" + then + $time psql -X -q -b -U "$username" -c '\set ON_ERROR_STOP on' -f "$sql_file" $db + else + rm "$sql_file" + fi +done + +echo 'Enabling autovacuum on state_groups_state' +psql -X -q -b -U "$username" -c 'alter table state_groups_state set (autovacuum_enabled = true);' $db + +echo 'Running VACUUM and ANALYZE for state_groups_state ...' +$time psql -X -q -b -U "$username" -c 'VACUUM FULL ANALYZE state_groups_state' $db + +echo "All SQL scripts are in $PWD" + +exit 0 diff --git a/usr/local/bin/update_matrix-media.sh b/usr/local/bin/update_matrix-media.sh new file mode 100755 index 0000000..d1f81b1 --- /dev/null +++ b/usr/local/bin/update_matrix-media.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +[ "$(id -u)" -ne 0 ] && printf 'Please run as root!\n' && exit 1 + +ver="$1" +[ -z "$ver" ] && printf 'use: %s \n' "${0##*/}" && exit 1 + +systemctl stop matrix-media.service + +wget -O /opt/matrix-media-repo/media_repo-linux-x64 https://github.com/turt2live/matrix-media-repo/releases/download/v"$ver"/media_repo-linux-x64 +chmod +x /opt/matrix-media-repo/media_repo-linux-x64 + +wget -O /opt/matrix-media-repo/config.sample.yaml https://raw.githubusercontent.com/turt2live/matrix-media-repo/master/config.sample.yaml + +systemctl start matrix-media.service + +exit 0 diff --git a/usr/local/bin/update_riot.sh b/usr/local/bin/update_riot.sh new file mode 100755 index 0000000..24f59d4 --- /dev/null +++ b/usr/local/bin/update_riot.sh @@ -0,0 +1,45 @@ +#!/usr/bin/env bash +[[ ! -d /opt/Riot/resources ]] && mkdir -p /opt/Riot/resources +cd /opt/Riot/resources + +old_version="v$(cat webapp/version)" + +version="latest" +if [[ ! -z "$1" ]]; then + version="tags/$1" +fi + +echo "Fetching latest release info from GitHub" +version_info=$(curl -s "https://api.github.com/repositories/39487546/releases/$version") +new_version=$(echo "$version_info" | jq -r '.name') +URL=$(echo "$version_info" | jq -r '.assets[0].browser_download_url') + +if [[ "$new_version" == "$old_version" ]]; then + echo "No updates found" + exit +fi + +# Remove previous backup riot +rm -rf riot.bak + +# Create temp directory for new riot +mkdir riot.new +cd riot.new + +echo "Downloading Riot $new_version" +curl -L "$URL" -o riot-tmp.tar.gz + +echo "Unpacking archive" +tar -xzf riot-tmp.tar.gz --strip-components=1 +rm -f riot-tmp.tar.gz + +echo "Replacing files" +cd .. +cp -f webapp/config.json riot.new/config.json +# Back up old version and activate new version +mv webapp webapp.bak +mv riot.new webapp + +echo "Updated to Riot from $old_version to $new_version" + +exit 0