diff --git a/etc/matrix-synapse/homeserver.yaml b/etc/matrix-synapse/homeserver.yaml
index ebdbd63..5be0f76 100644
--- a/etc/matrix-synapse/homeserver.yaml
+++ b/etc/matrix-synapse/homeserver.yaml
@@ -327,7 +327,7 @@ allow_public_rooms_over_federation: true
 # federation: the server-server API (/_matrix/federation). Also implies
 # 'media', 'keys', 'openid'
 #
-# keys: the key discovery API (/_matrix/keys).
+# keys: the key discovery API (/_matrix/key).
 #
 # media: the media API (/_matrix/media).
 #
@@ -602,6 +602,15 @@ templates:
 #
 #custom_template_directory: /var/lib/matrix-synapse/res/templates/
+# List of rooms to exclude from sync responses. This is useful for server
+# administrators wishing to group users into a room without these users being able
+# to see it from their client.
+#
+# By default, no room is excluded.
+#
+#exclude_rooms_from_sync:
+# - !foo:example.com
+
 # Message retention policy at the server level.
 #
@@ -625,8 +634,8 @@ retention:
 # matter much because Synapse doesn't take it into account yet.
 #
 #default_policy:
- # min_lifetime: 30d
- # max_lifetime: 3y
+ # min_lifetime: 30m
+ # max_lifetime: 10y
 # Retention policy limits. If set, and the state of a room contains a
 # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
@@ -683,7 +692,7 @@ retention:
 longest_max_lifetime: 1d interval: 12h - shortest_max_lifetime: 1d - longest_max_lifetime: 3y + longest_max_lifetime: 10y interval: 24h
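Review bot: The example under `#exclude_rooms_from_sync` is unquoted, and a Matrix room ID begins with `!`, which YAML treats as a tag indicator rather than as part of a string; the moment an admin uncomments `- !foo:example.com` as written, the parser sees a tagged empty scalar, not the string `!foo:example.com`. The example should quote the value, `#    - "!foo:example.com"`, so that copying it into the live config yields a string. As committed the block is comment-only, so nothing breaks yet, but sample lines are exactly what gets pasted into production. The retention purge job in the last hunk of this line is also a live value change (`longest_max_lifetime` 3y → 10y), not just a comment, and worth calling out in the commit message.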
@@ -795,6 +804,12 @@ retention:
 # A cache 'factor' is a multiplier that can be applied to each of
 # Synapse's caches in order to increase or decrease the maximum
 # number of entries that can be stored.
+#
+# The configuration for cache factors (caches.global_factor and
+# caches.per_cache_factors) can be reloaded while the application is running,
+# by sending a SIGHUP signal to the Synapse process. Changes to other parts of
+# the caching config will NOT be applied after a SIGHUP is received; a restart
+# is necessary.
 # The number of events to cache in memory. Not affected by
 # caches.global_factor.
@@ -845,6 +860,24 @@ caches:
 #
 #cache_entry_ttl: 30m
+ # This flag enables cache autotuning, and is further specified by the sub-options `max_cache_memory_usage`,
+ # `target_cache_memory_usage`, `min_cache_ttl`. These flags work in conjunction with each other to maintain
+ # a balance between cache memory usage and cache entry availability. You must be using jemalloc to utilize
+ # this option, and all three of the options must be specified for this feature to work.
+ #cache_autotuning:
+ # This flag sets a ceiling on much memory the cache can use before caches begin to be continuously evicted.
+ # They will continue to be evicted until the memory usage drops below the `target_memory_usage`, set in
+ # the flag below, or until the `min_cache_ttl` is hit.
+ #max_cache_memory_usage: 1024M
+
+ # This flag sets a rough target for the desired memory usage of the caches.
+ #target_cache_memory_usage: 758M
+
+ # 'min_cache_ttl` sets a limit under which newer cache entries are not evicted and is only applied when
+ # caches are actively being evicted/`max_cache_memory_usage` has been exceeded. This is to protect hot caches
+ # from being emptied while Synapse is evicting due to memory.
+ #min_cache_ttl: 5m
+
 # Controls how long the results of a /sync request are cached for after
 # a successful response is returned. A higher duration can help clients with
 # intermittent connections, at the cost of higher memory usage.
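Review bot: The comment above `#max_cache_memory_usage` tells the reader evictions continue until usage drops below `target_memory_usage`, but no option of that name exists in this block; the key defined two lines later is `target_cache_memory_usage`, so an admin following the text will search for the wrong setting. Replace `target_memory_usage` with `target_cache_memory_usage` in that sentence. The `min_cache_ttl` comment also opens with a straight quote and closes with a backtick (`'min_cache_ttl\``); use backticks on both sides like the neighbouring comments. Since `#cache_autotuning:` and all three sub-options stay commented out, nothing changes at runtime here.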
@@ -866,6 +899,12 @@ caches:
 # 'txn_limit' gives the maximum number of transactions to run per connection
 # before reconnecting. Defaults to 0, which means no limit.
 #
+# 'allow_unsafe_locale' is an option specific to Postgres. Under the default behavior, Synapse will refuse to
+# start if the postgres db is set to a non-C locale. You can override this behavior (which is *not* recommended)
+# by setting 'allow_unsafe_locale' to true. Note that doing so may corrupt your database. You can find more information
+# here: https://matrix-org.github.io/synapse/latest/postgres.html#fixing-incorrect-collate-or-ctype and here:
+# https://wiki.postgresql.org/wiki/Locale_data_changes
+#
 # 'args' gives options which are passed through to the database engine,
 # except for options starting 'cp_', which are used to configure the Twisted
 # connection pool. For a reference to valid arguments, see:
@@ -1227,7 +1266,7 @@ oembed:
 # This homeserver's ReCAPTCHA public key. Must be specified if
 # enable_registration_captcha is enabled.
 #
-recaptcha_public_key: "xxx"
+recaptcha_public_key: "6Ld8CXQeAAAAAFDdclTQL43Ox4BvrUKkH56Y_zWQ"
 # This homeserver's ReCAPTCHA private key. Must be specified if
 # enable_registration_captcha is enabled.
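Review bot: `recaptcha_public_key` now holds a real-looking site key in place of the `xxx` placeholder; a reCAPTCHA site key is sent to every browser by design, so committing it is not a leak in itself, but it shows this file is tracking live instance values. The `recaptcha_private_key` setting whose comment immediately follows this hunk is not visible here — confirm it stays out of the committed file (placeholder only, with the real value supplied outside the repository), since that one is the server-side secret. A one-line comment above the key, e.g. `# site (public) key only; the private key is provisioned out of band`, would make that intent explicit for the next reader.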
@@ -1285,10 +1324,18 @@ turn_allow_guests: true
 # Registration can be rate-limited using the parameters in the "Ratelimiting"
 # section of this file.
-# Enable registration for new users.
+# Enable registration for new users. Defaults to 'false'. It is highly recommended that if you enable registration,
+# you use either captcha, email, or token-based verification to verify that new users are not bots. In order to enable registration
+# without any verification, you must also set `enable_registration_without_verification`, found below.
 #
 enable_registration: true
+# Enable registration without email or captcha verification. Note: this option is *not* recommended,
+# as registration without verification is a known vector for spam and abuse. Defaults to false. Has no effect
+# unless `enable_registration` is also enabled.
+#
+#enable_registration_without_verification: true
+
 # Time that a user's session remains valid for, after they log in.
 #
 # Note that this is not currently compatible with guest logins.
@@ -1373,6 +1420,12 @@ registrations_require_3pid:
 #
 #registration_requires_token: true
+# Allow users to submit a token during registration to bypass any required 3pid
+# steps configured in `registrations_require_3pid`.
+# Defaults to false, requiring that registration tokens (if enabled) complete a 3pid flow.
+#
+#enable_registration_token_3pid_bypass: false
+
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #
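Review bot: `enable_registration: true` stays live while `#enable_registration_without_verification` is added only as a commented example, and the new comment directly above states that registration with no captcha, email or token verification additionally requires that option. Whether `enable_registration_captcha`, `registrations_require_3pid` or `registration_requires_token` is actually enabled is outside this hunk, so confirm one of them is; otherwise, per the comment's own wording, the server is expected to refuse the configuration. Leaving `enable_registration_without_verification` unset is the right choice, as the comment says open unverified registration is a spam and abuse vector. A short comment next to the live line naming the method this deployment relies on, e.g. `# open registration; bots are filtered by enable_registration_captcha`, would let the next reader verify that pairing at a glance.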
@@ -2020,8 +2073,14 @@ saml2_config:
 #
 # localpart_template: Jinja2 template for the localpart of the MXID.
 # If this is not set, the user will be prompted to choose their
-# own username (see 'sso_auth_account_details.html' in the 'sso'
-# section of this file).
+# own username (see the documentation for the
+# 'sso_auth_account_details.html' template). This template can
+# use the 'localpart_from_email' filter.
+#
+# confirm_localpart: Whether to prompt the user to validate (or
+# change) the generated localpart (see the documentation for the
+# 'sso_auth_account_details.html' template), instead of
+# registering the account right away.
 #
 # display_name_template: Jinja2 template for the display name to set
 # on first login. If unset, no displayname will be set.
@@ -2223,7 +2282,9 @@ sso:
 password_config:
- # Uncomment to disable password login
+ # Uncomment to disable password login.
+ # Set to `only_for_reauth` to permit reauthentication for users that
+ # have passwords and are already logged in.
 #
 #enabled: false
@@ -2492,15 +2553,39 @@ push:
 #
 #encryption_enabled_by_default_for_room_type: invite
-
-# Uncomment to allow non-server-admin users to create groups on this server
+# Override the default power levels for rooms created on this server, per
+# room creation preset.
 #
-enable_group_creation: true
-
-# If enabled, non server admins can only create groups with local parts
+# The appropriate dictionary for the room preset will be applied on top
+# of the existing power levels content.
 #
-#group_creation_prefix: "unofficial_"
+# Useful if you know that your users need special permissions in rooms
+# that they create (e.g. to send particular types of state events without
+# needing an elevated power level). This takes the same shape as the
+# `power_level_content_override` parameter in the /createRoom API, but
+# is applied before that parameter.
+#
+# Valid keys are some or all of `private_chat`, `trusted_private_chat`
+# and `public_chat`. Inside each of those should be any of the
+# properties allowed in `power_level_content_override` in the
+# /createRoom API. If any property is missing, its default value will
+# continue to be used. If any property is present, it will overwrite
+# the existing default completely (so if the `events` property exists,
+# the default event power levels will be ignored).
+#
+#default_power_level_content_override:
+# private_chat:
+# "events":
+# "com.example.myeventtype" : 0
+# "m.room.avatar": 50
+# "m.room.canonical_alias": 50
+# "m.room.encryption": 100
+# "m.room.history_visibility": 100
+# "m.room.name": 50
+# "m.room.power_levels": 100
+# "m.room.server_acl": 100
+# "m.room.tombstone": 100
+# "events_default": 1
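Review bot: In the `#default_power_level_content_override` example the first `events` entry is written `"com.example.myeventtype" : 0` with a space before the colon, unlike every other entry in the block; YAML accepts it, but this is the line an admin will copy as the template for their own event types, so write it as `"com.example.myeventtype": 0`. The comment block also says that a present `events` property replaces the default event power levels completely, which is why the example spells out all the `m.room.*` entries — worth keeping that sentence adjacent to the example rather than ten lines above it. Note that this hunk also deletes the live `enable_group_creation: true` line, not only sample comments, so the commit changes runtime configuration here as well.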
@@ -2847,5 +2932,37 @@ redis:
 #password:
+## Background Updates ##
+
+# Background updates are database updates that are run in the background in batches.
+# The duration, minimum batch size, default batch size, whether to sleep between batches and if so, how long to
+# sleep can all be configured. This is helpful to speed up or slow down the updates.
+#
+background_updates:
+ # How long in milliseconds to run a batch of background updates for. Defaults to 100. Uncomment and set
+ # a time to change the default.
+ #
+ #background_update_duration_ms: 500
+
+ # Whether to sleep between updates. Defaults to True. Uncomment to change the default.
+ #
+ #sleep_enabled: false
+
+ # If sleeping between updates, how long in milliseconds to sleep for. Defaults to 1000. Uncomment
+ # and set a duration to change the default.
+ #
+ #sleep_duration_ms: 300
+
+ # Minimum size a batch of background updates can be. Must be greater than 0. Defaults to 1. Uncomment and
+ # set a size to change the default.
+ #
+ #min_batch_size: 10
+
+ # The batch size to use for the first iteration of a new background update. The default is 100.
+ # Uncomment and set a size to change the default.
+ #
+ #default_batch_size: 50
+
+
 experimental_features:
 msc2285_enabled: true
diff --git a/etc/matrix-synapse/log.yaml b/etc/matrix-synapse/log.yaml
index ad75541..657e65c 100644
--- a/etc/matrix-synapse/log.yaml
+++ b/etc/matrix-synapse/log.yaml
@@ -21,7 +21,7 @@ handlers:
 formatter: precise
 filename: /var/log/matrix-synapse/homeserver.log
 when: midnight
- backupCount: 3 # Does not include the current log file.
+ backupCount: 2 # Does not include the current log file.
 encoding: utf8
 # Default to buffering writes to log file for efficiency.
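Review bot: `background_updates:` is added as a live key while every option beneath it stays commented out, so YAML parses it as `background_updates: null`, not as an empty mapping; whether Synapse treats a null section the same as an absent one is not visible here. Either keep the key commented like the rest of the example (`#background_updates:`) or write `background_updates: {}` so the value is unambiguously an empty mapping. The comment `Defaults to True` describes a YAML boolean; spelling it `true` matches how the value must be written on the `#sleep_enabled` line below it.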
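Review bot: With `when: midnight`, lowering `backupCount` from 3 to 2 keeps two rotated daily files plus the current one, i.e. roughly three days of homeserver log history on disk. That is a short window for looking into an abuse report or an incident that is noticed late; if disk space is the motivation, record it in the inline comment, e.g. `# Does not include the current log file. Kept at 2 to limit disk use; ~3 days of history.`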
@@ -65,13 +65,6 @@ loggers:
 synapse.state.metrics:
 level: DEBUG
- twisted:
- # We send the twisted logging directly to the file handler,
- # to work around https://github.com/matrix-org/synapse/issues/3471
- # when using "buffer" logger. Use "console" to log to stderr instead.
- handlers: [file]
- propagate: false
-
 root:
 level: WARN
diff --git a/etc/nginx/include.d/generic_worker.conf b/etc/nginx/include.d/generic_worker.conf
index 474e67d..cf752f1 100644
--- a/etc/nginx/include.d/generic_worker.conf
+++ b/etc/nginx/include.d/generic_worker.conf
@@ -104,17 +104,12 @@ location ~ ^/_matrix/federation/v1/user/devices/ {
 proxy_pass http://generic_worker_lc;
 }
-location ~ ^/_matrix/federation/v1/get_groups_publicised$ {
- include include.d/synapse-proxy.conf;
- proxy_pass http://generic_worker_lc;
-}
-
 location ~ ^/_matrix/key/v2/query {
 include include.d/synapse-proxy.conf;
 proxy_pass http://generic_worker_lc;
 }
-location ~ ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/ {
+location ~ ^/_matrix/federation/v1/hierarchy/ {
 include include.d/synapse-proxy.conf;
 proxy_pass http://generic_worker_lc;
 }
@@ -158,7 +153,12 @@ location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ {
 proxy_pass http://generic_worker_lc;
 }
-location ~ ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$ {
+location ~ ^/_matrix/client/v1/rooms/.*/hierarchy$ {
+ include include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ {
 include include.d/synapse-proxy.conf;
 proxy_pass http://generic_worker_lc;
 }
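Review bot: The new `batch_send` route forwards the unstable `org.matrix.msc2716` endpoint to the generic worker, but nothing in this diff shows that feature enabled on the homeserver — the `experimental_features` stanza visible in the homeserver.yaml hunk only sets `msc2285_enabled` — so if msc2716 is off this block is dead configuration, and if it is meant to be on, a comment should say so, e.g. `# msc2716 batch_send; only reachable when the homeserver enables the msc2716 experimental feature`. Both this hunk and the preceding federation hunk also narrow the hierarchy regexes from `(v1|unstable/org.matrix.msc2946)` to `v1` alone, so requests on the unstable path now fall through to whatever default location handles unmatched `/_matrix` traffic, which is outside this file; confirm that is intended rather than a silent move of that traffic to the main process.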
@@ -173,6 +173,11 @@ location ~ ^/_matrix/client/(r0|v3|unstable)/account/3pid$ {
 proxy_pass http://generic_worker_lc;
 }
+location ~ ^/_matrix/client/(r0|v3|unstable)/account/whoami$ {
+ include include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
 location ~ ^/_matrix/client/(r0|v3|unstable)/devices$ {
 include include.d/synapse-proxy.conf;
 proxy_pass http://generic_worker_lc;
@@ -188,21 +193,6 @@ location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ {
 proxy_pass http://generic_worker_lc;
 }
-location ~ ^/_matrix/client/(r0|v3|unstable)/joined_groups$ {
- include include.d/synapse-proxy.conf;
- proxy_pass http://generic_worker_lc;
-}
-
-location ~ ^/_matrix/client/(r0|v3|unstable)/publicised_groups$ {
- include include.d/synapse-proxy.conf;
- proxy_pass http://generic_worker_lc;
-}
-
-location ~ ^/_matrix/client/(r0|v3|unstable)/publicised_groups/ {
- include include.d/synapse-proxy.conf;
- proxy_pass http://generic_worker_lc;
-}
-
 location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ {
 include include.d/synapse-proxy.conf;
 proxy_pass http://generic_worker_lc;
diff --git a/etc/nginx/include.d/mjolnir-report.conf b/etc/nginx/include.d/mjolnir-report.conf
index 8a54d97..62cee22 100644
--- a/etc/nginx/include.d/mjolnir-report.conf
+++ b/etc/nginx/include.d/mjolnir-report.conf
@@ -1,7 +1,6 @@
-# Abuse reports should be sent to Mjölnir.
-
+# Abuse reports should be sent to Mjolnir.
 location ~ ^/_matrix/client/r0/rooms/([^/]*)/report/(.*)$ {
- add_header 'Access-Control-Allow-Origin' '*' always;
+# add_header 'Access-Control-Allow-Origin' '*' always;
 add_header 'Access-Control-Allow-Credentials' 'true' always;
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
 add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since' always;
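Review bot: Commenting out `add_header 'Access-Control-Allow-Origin' '*' always;` while keeping `Access-Control-Allow-Credentials 'true'` leaves an inconsistent CORS policy on the report endpoint: a wildcard origin can never be combined with credentials, and with no origin header emitted by nginx at all, browser-side report calls now only work if the upstream response already carries its own `Access-Control-Allow-Origin`. If that is the reason (avoiding a duplicated header from the proxied service), say so instead of leaving a commented-out directive, e.g. `# Access-Control-Allow-Origin is set by the upstream; adding it here would duplicate the header.`, and consider dropping the credentials header as well. Note that `add_header` directives inside a `location` replace rather than extend any set at the `server` level, so the headers remaining in this block are the only ones this location sends. The `location` block continues past the end of the hunk.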
diff --git a/etc/nginx/sites-available/element.envs.net.conf b/etc/nginx/sites-available/element.envs.net.conf
index d00834d..40fd2a4 100644
--- a/etc/nginx/sites-available/element.envs.net.conf
+++ b/etc/nginx/sites-available/element.envs.net.conf
@@ -25,6 +25,16 @@ server {
 location = /index.html {
 add_header Cache-Control "no-cache";
 }
+
+ location = /version {
+ add_header Cache-Control "no-cache";
+ add_header Content-Type text/plain;
+ }
+ # covers config.json and config.hostname.json requests as it is prefix.
+ location /config {
+ add_header Cache-Control "no-cache";
+ add_header Content-Type application/json;
+ }
 }
 #ALIAS
diff --git a/etc/nginx/sites-available/matrix.envs.net.conf b/etc/nginx/sites-available/matrix.envs.net.conf
index 5c878ff..648adc4 100644
--- a/etc/nginx/sites-available/matrix.envs.net.conf
+++ b/etc/nginx/sites-available/matrix.envs.net.conf
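Review bot: `add_header Content-Type text/plain;` and `add_header Content-Type application/json;` append a second `Content-Type` header rather than replacing the one nginx derives from the file extension (or from `default_type`), so `/version` and `/config*` responses go out with two `Content-Type` headers and clients may honour either. The directive that sets the MIME type is `default_type`: for `/version`, which has no extension, use `default_type text/plain;` in place of the `add_header` line; for `/config`, `config.json` already maps to `application/json` through the standard mime types, so that `add_header` can simply be removed. As with any `add_header` inside a `location`, these two blocks also stop inheriting whatever headers the enclosing `server` sets, which is outside this hunk.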
@@ -25,19 +25,19 @@ server {
 ## well-known
 location /.well-known/matrix/support {
- add_header Access-Control-Allow-Origin '*' always;
+ add_header Access-Control-Allow-Origin '*';
 add_header Content-Type application/json;
 return 200 '{"admins": [{"matrix_id": "@creme:envs.net", "email_address": "hostmaster@envs.net", "role": "admin"}], "support_page": "https://matrix.to/#/#envs:envs.net"}';
 }
 location /.well-known/matrix/server {
- add_header Access-Control-Allow-Origin '*' always;
+ add_header Access-Control-Allow-Origin '*';
 add_header Content-Type application/json;
 return 200 '{"m.server": "matrix.envs.net:443"}';
 }
 location /.well-known/matrix/client {
- add_header Access-Control-Allow-Origin '*' always;
+ add_header Access-Control-Allow-Origin '*';
 add_header Content-Type application/json;
 return 200 '{"m.homeserver": {"base_url": "https://matrix.envs.net"}, "m.integrations": {"managers": [{"ui_url": "https://dimension.envs.net/riot", "api_url": "https://dimension.envs.net/api/v1/scalar"}, {"ui_url": "https://scalar.vector.im/", "api_url": "https://scalar.vector.im/api"}]}, "m.integrations_widget": {"url": "https://dimension.envs.net/riot", "data": {"api_url": "https://dimension.envs.net/api/v1/scalar"}}, "m.tile_server": {"map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=jrKVgM1ozvdgREfvtZ8X"}}';
 }
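Review bot: Dropping `always` from the three `Access-Control-Allow-Origin` lines changes nothing observable, because each of these locations ends in `return 200`, so the status is always one that `add_header` covers by default; if the goal was to stop sending CORS headers on error responses, there is no error path in these blocks to affect. The unchanged `add_header Content-Type application/json;` lines next to them have a real problem worth fixing in the same pass: with `return`, nginx takes the `Content-Type` from the location's `default_type`, so as far as I can tell these JSON bodies are sent with two `Content-Type` headers unless the `add_header` is replaced by `default_type application/json;` inside each location. The `.well-known/matrix/client` body is intentionally public, so the tile-server URL it contains should be treated as a client-visible value, not a secret.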