Merge pull request #4678 from matrix-org/rav/tls_install_instructions

Attempt to clarify installation/config instructions
Richard van der Hoff 2019-02-20 11:10:33 +00:00 committed by GitHub
commit 86920ac266
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
26 changed files with 266 additions and 214 deletions


@ -358,26 +358,25 @@ For information on using a reverse proxy, see
[docs/reverse_proxy.rst](docs/reverse_proxy.rst). [docs/reverse_proxy.rst](docs/reverse_proxy.rst).
To configure Synapse to expose an HTTPS port, you will need to edit To configure Synapse to expose an HTTPS port, you will need to edit
`homeserver.yaml`. `homeserver.yaml`, as follows:
First, under the `listeners` section, uncomment the configuration for the * First, under the `listeners` section, uncomment the configuration for the
TLS-enabled listener. (Remove the hash sign (`#`) and space at the start of TLS-enabled listener. (Remove the hash sign (`#`) at the start of
each line). The relevant lines are like this: each line). The relevant lines are like this:
``` ```
- port: 8448 - port: 8448
type: http type: http
tls: true tls: true
resources: resources:
- names: [client, federation] - names: [client, federation]
``` ```
* You will also need to uncomment the `tls_certificate_path` and
You will also need to uncomment the `tls_certificate_path` and `tls_private_key_path` lines under the `TLS` section. You can either
`tls_private_key_path` lines under the `TLS` section. You can either point point these settings at an existing certificate and key, or you can
these settings at an existing certificate and key, or you can enable Synapse's enable Synapse's built-in ACME (Let's Encrypt) support. Instructions
built-in ACME (Let's Encrypt) support. Instructions for having Synapse for having Synapse automatically provision and renew federation
automatically provision and renew federation certificates through ACME can be certificates through ACME can be found at [ACME.md](docs/ACME.md).
found at [ACME.md](docs/ACME.md).
## Registering a user ## Registering a user

1
changelog.d/4681.misc Normal file

@ -0,0 +1 @@
Attempt to clarify installation instructions/config


@ -33,6 +33,7 @@ class ApiConfig(Config):
## API Configuration ## ## API Configuration ##
# A list of event types that will be included in the room_invite_state # A list of event types that will be included in the room_invite_state
#
room_invite_state_types: room_invite_state_types:
- "{JoinRules}" - "{JoinRules}"
- "{CanonicalAlias}" - "{CanonicalAlias}"


@ -38,10 +38,12 @@ class AppServiceConfig(Config):
def default_config(cls, **kwargs): def default_config(cls, **kwargs):
return """\ return """\
# A list of application service config file to use # A list of application service config file to use
#
app_service_config_files: [] app_service_config_files: []
# Whether or not to track application service IP addresses. Implicitly # Whether or not to track application service IP addresses. Implicitly
# enables MAU tracking for application service users. # enables MAU tracking for application service users.
#
track_appservice_user_ips: False track_appservice_user_ips: False
""" """


@ -30,14 +30,17 @@ class CaptchaConfig(Config):
# See docs/CAPTCHA_SETUP for full details of configuring this. # See docs/CAPTCHA_SETUP for full details of configuring this.
# This Home Server's ReCAPTCHA public key. # This Home Server's ReCAPTCHA public key.
#
recaptcha_public_key: "YOUR_PUBLIC_KEY" recaptcha_public_key: "YOUR_PUBLIC_KEY"
# This Home Server's ReCAPTCHA private key. # This Home Server's ReCAPTCHA private key.
#
recaptcha_private_key: "YOUR_PRIVATE_KEY" recaptcha_private_key: "YOUR_PRIVATE_KEY"
# Enables ReCaptcha checks when registering, preventing signup # Enables ReCaptcha checks when registering, preventing signup
# unless a captcha is answered. Requires a valid ReCaptcha # unless a captcha is answered. Requires a valid ReCaptcha
# public/private key. # public/private key.
#
enable_registration_captcha: False enable_registration_captcha: False
# A secret key used to bypass the captcha test entirely. # A secret key used to bypass the captcha test entirely.


@ -38,6 +38,7 @@ class CasConfig(Config):
def default_config(self, config_dir_path, server_name, **kwargs): def default_config(self, config_dir_path, server_name, **kwargs):
return """ return """
# Enable CAS for registration and login. # Enable CAS for registration and login.
#
#cas_config: #cas_config:
# enabled: true # enabled: true
# server_url: "https://cas-server.com" # server_url: "https://cas-server.com"


@ -54,20 +54,20 @@ DEFAULT_CONFIG = """\
# for an account. Has no effect unless `require_at_registration` is enabled. # for an account. Has no effect unless `require_at_registration` is enabled.
# Defaults to "Privacy Policy". # Defaults to "Privacy Policy".
# #
# user_consent: #user_consent:
# template_dir: res/templates/privacy # template_dir: res/templates/privacy
# version: 1.0 # version: 1.0
# server_notice_content: # server_notice_content:
# msgtype: m.text # msgtype: m.text
# body: >- # body: >-
# To continue using this homeserver you must review and agree to the # To continue using this homeserver you must review and agree to the
# terms and conditions at %(consent_uri)s # terms and conditions at %(consent_uri)s
# send_server_notice_to_guests: True # send_server_notice_to_guests: True
# block_events_error: >- # block_events_error: >-
# To continue using this homeserver you must review and agree to the # To continue using this homeserver you must review and agree to the
# terms and conditions at %(consent_uri)s # terms and conditions at %(consent_uri)s
# require_at_registration: False # require_at_registration: False
# policy_name: Privacy Policy # policy_name: Privacy Policy
# #
""" """


@ -24,9 +24,11 @@ class GroupsConfig(Config):
def default_config(self, **kwargs): def default_config(self, **kwargs):
return """\ return """\
# Whether to allow non server admins to create groups on this server # Whether to allow non server admins to create groups on this server
#
enable_group_creation: false enable_group_creation: false
# If enabled, non server admins can only create groups with local parts # If enabled, non server admins can only create groups with local parts
# starting with this prefix # starting with this prefix
# group_creation_prefix: "unofficial/" #
#group_creation_prefix: "unofficial/"
""" """


@ -46,8 +46,8 @@ class JWTConfig(Config):
return """\ return """\
# The JWT needs to contain a globally unique "sub" (subject) claim. # The JWT needs to contain a globally unique "sub" (subject) claim.
# #
# jwt_config: #jwt_config:
# enabled: true # enabled: true
# secret: "a secret" # secret: "a secret"
# algorithm: "HS256" # algorithm: "HS256"
""" """


@ -40,7 +40,7 @@ class KeyConfig(Config):
def read_config(self, config): def read_config(self, config):
self.signing_key = self.read_signing_key(config["signing_key_path"]) self.signing_key = self.read_signing_key(config["signing_key_path"])
self.old_signing_keys = self.read_old_signing_keys( self.old_signing_keys = self.read_old_signing_keys(
config["old_signing_keys"] config.get("old_signing_keys", {})
) )
self.key_refresh_interval = self.parse_duration( self.key_refresh_interval = self.parse_duration(
config["key_refresh_interval"] config["key_refresh_interval"]
@ -83,24 +83,29 @@ class KeyConfig(Config):
# a secret which is used to sign access tokens. If none is specified, # a secret which is used to sign access tokens. If none is specified,
# the registration_shared_secret is used, if one is given; otherwise, # the registration_shared_secret is used, if one is given; otherwise,
# a secret key is derived from the signing key. # a secret key is derived from the signing key.
#
%(macaroon_secret_key)s %(macaroon_secret_key)s
# Used to enable access token expiration. # Used to enable access token expiration.
#
expire_access_token: False expire_access_token: False
# a secret which is used to calculate HMACs for form values, to stop # a secret which is used to calculate HMACs for form values, to stop
# falsification of values. Must be specified for the User Consent # falsification of values. Must be specified for the User Consent
# forms to work. # forms to work.
#
%(form_secret)s %(form_secret)s
## Signing Keys ## ## Signing Keys ##
# Path to the signing key to sign messages with # Path to the signing key to sign messages with
#
signing_key_path: "%(base_key_name)s.signing.key" signing_key_path: "%(base_key_name)s.signing.key"
# The keys that the server used to sign messages with but won't use # The keys that the server used to sign messages with but won't use
# to sign new messages. E.g. it has lost its private key # to sign new messages. E.g. it has lost its private key
old_signing_keys: {} #
#old_signing_keys:
# "ed25519:auto": # "ed25519:auto":
# # Base64 encoded public key # # Base64 encoded public key
# key: "The public part of your old signing key." # key: "The public part of your old signing key."
@ -111,9 +116,11 @@ class KeyConfig(Config):
# Used to set the valid_until_ts in /key/v2 APIs. # Used to set the valid_until_ts in /key/v2 APIs.
# Determines how quickly servers will query to check which keys # Determines how quickly servers will query to check which keys
# are still valid. # are still valid.
#
key_refresh_interval: "1d" # 1 Day. key_refresh_interval: "1d" # 1 Day.
# The trusted servers to download signing keys from. # The trusted servers to download signing keys from.
#
perspectives: perspectives:
servers: servers:
"matrix.org": "matrix.org":
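Review bot: `config.get("old_signing_keys", {})` only covers the case where the key is absent; now that the generated template ships the option as a bare commented-out mapping header (`#old_signing_keys:`), an admin who uncomments just that line gets YAML null, and `read_old_signing_keys(None)` will presumably fail rather than fall back to an empty mapping. `config.get("old_signing_keys") or {}` handles both the missing and the empty case on the same line. The existing comment only says these are keys the server no longer signs with; since listing them is presumably what keeps previously-signed messages verifiable after a rotation, the option comment could add `# Keys you have rotated away from must stay listed here, otherwise messages signed with them can no longer be verified.` read_config continues past the end of the first hunk, and the example entry under old_signing_keys is cut off at the end of the second.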


@ -83,6 +83,7 @@ class LoggingConfig(Config):
log_config = os.path.join(config_dir_path, server_name + ".log.config") log_config = os.path.join(config_dir_path, server_name + ".log.config")
return """ return """
# A yaml python logging config file # A yaml python logging config file
#
log_config: "%(log_config)s" log_config: "%(log_config)s"
""" % locals() """ % locals()


@ -47,6 +47,7 @@ class MetricsConfig(Config):
## Metrics ### ## Metrics ###
# Enable collection and rendering of performance metrics # Enable collection and rendering of performance metrics
#
enable_metrics: False enable_metrics: False
# Enable sentry integration # Enable sentry integration
@ -55,6 +56,7 @@ class MetricsConfig(Config):
# this option the sentry server may therefore receive sensitive # this option the sentry server may therefore receive sensitive
# information, and it in turn may then diseminate sensitive information # information, and it in turn may then diseminate sensitive information
# through insecure notification channels if so configured. # through insecure notification channels if so configured.
#
#sentry: #sentry:
# dsn: "..." # dsn: "..."
""" """


@ -28,6 +28,7 @@ class PasswordConfig(Config):
def default_config(self, config_dir_path, server_name, **kwargs): def default_config(self, config_dir_path, server_name, **kwargs):
return """ return """
# Enable password for login. # Enable password for login.
#
password_config: password_config:
enabled: true enabled: true
# Uncomment and change to a secret random string for extra security. # Uncomment and change to a secret random string for extra security.


@ -52,18 +52,18 @@ class PasswordAuthProviderConfig(Config):
def default_config(self, **kwargs): def default_config(self, **kwargs):
return """\ return """\
# password_providers: #password_providers:
# - module: "ldap_auth_provider.LdapAuthProvider" # - module: "ldap_auth_provider.LdapAuthProvider"
# config: # config:
# enabled: true # enabled: true
# uri: "ldap://ldap.example.com:389" # uri: "ldap://ldap.example.com:389"
# start_tls: true # start_tls: true
# base: "ou=users,dc=example,dc=com" # base: "ou=users,dc=example,dc=com"
# attributes: # attributes:
# uid: "cn" # uid: "cn"
# mail: "email" # mail: "email"
# name: "givenName" # name: "givenName"
# #bind_dn: # #bind_dn:
# #bind_password: # #bind_password:
# #filter: "(objectClass=posixAccount)" # #filter: "(objectClass=posixAccount)"
""" """


@ -51,11 +51,11 @@ class PushConfig(Config):
# notification request includes the content of the event (other details # notification request includes the content of the event (other details
# like the sender are still included). For `event_id_only` push, it # like the sender are still included). For `event_id_only` push, it
# has no effect. # has no effect.
#
# For modern android devices the notification content will still appear # For modern android devices the notification content will still appear
# because it is loaded by the app. iPhone, however will send a # because it is loaded by the app. iPhone, however will send a
# notification saying only that a message arrived and who it came from. # notification saying only that a message arrived and who it came from.
# #
#push: #push:
# include_content: true # include_content: true
""" """


@ -32,27 +32,34 @@ class RatelimitConfig(Config):
## Ratelimiting ## ## Ratelimiting ##
# Number of messages a client can send per second # Number of messages a client can send per second
#
rc_messages_per_second: 0.2 rc_messages_per_second: 0.2
# Number of message a client can send before being throttled # Number of message a client can send before being throttled
#
rc_message_burst_count: 10.0 rc_message_burst_count: 10.0
# The federation window size in milliseconds # The federation window size in milliseconds
#
federation_rc_window_size: 1000 federation_rc_window_size: 1000
# The number of federation requests from a single server in a window # The number of federation requests from a single server in a window
# before the server will delay processing the request. # before the server will delay processing the request.
#
federation_rc_sleep_limit: 10 federation_rc_sleep_limit: 10
# The duration in milliseconds to delay processing events from # The duration in milliseconds to delay processing events from
# remote servers by if they go over the sleep limit. # remote servers by if they go over the sleep limit.
#
federation_rc_sleep_delay: 500 federation_rc_sleep_delay: 500
# The maximum number of concurrent federation requests allowed # The maximum number of concurrent federation requests allowed
# from a single server # from a single server
#
federation_rc_reject_limit: 50 federation_rc_reject_limit: 50
# The number of federation requests to concurrently process from a # The number of federation requests to concurrently process from a
# single server # single server
#
federation_rc_concurrent: 3 federation_rc_concurrent: 3
""" """


@ -70,28 +70,29 @@ class RegistrationConfig(Config):
# The user must provide all of the below types of 3PID when registering. # The user must provide all of the below types of 3PID when registering.
# #
# registrations_require_3pid: #registrations_require_3pid:
# - email # - email
# - msisdn # - msisdn
# Explicitly disable asking for MSISDNs from the registration # Explicitly disable asking for MSISDNs from the registration
# flow (overrides registrations_require_3pid if MSISDNs are set as required) # flow (overrides registrations_require_3pid if MSISDNs are set as required)
# #
# disable_msisdn_registration = True #disable_msisdn_registration: True
# Mandate that users are only allowed to associate certain formats of # Mandate that users are only allowed to associate certain formats of
# 3PIDs with accounts on this server. # 3PIDs with accounts on this server.
# #
# allowed_local_3pids: #allowed_local_3pids:
# - medium: email # - medium: email
# pattern: '.*@matrix\\.org' # pattern: '.*@matrix\\.org'
# - medium: email # - medium: email
# pattern: '.*@vector\\.im' # pattern: '.*@vector\\.im'
# - medium: msisdn # - medium: msisdn
# pattern: '\\+44' # pattern: '\\+44'
# If set, allows registration by anyone who also has the shared # If set, allows registration by anyone who also has the shared
# secret, even if registration is otherwise disabled. # secret, even if registration is otherwise disabled.
#
%(registration_shared_secret)s %(registration_shared_secret)s
# Set the number of bcrypt rounds used to generate password hash. # Set the number of bcrypt rounds used to generate password hash.
@ -99,11 +100,13 @@ class RegistrationConfig(Config):
# The default number is 12 (which equates to 2^12 rounds). # The default number is 12 (which equates to 2^12 rounds).
# N.B. that increasing this will exponentially increase the time required # N.B. that increasing this will exponentially increase the time required
# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
#
bcrypt_rounds: 12 bcrypt_rounds: 12
# Allows users to register as guests without a password/email/etc, and # Allows users to register as guests without a password/email/etc, and
# participate in rooms hosted on this server which have been made # participate in rooms hosted on this server which have been made
# accessible to anonymous users. # accessible to anonymous users.
#
allow_guest_access: False allow_guest_access: False
# The identity server which we suggest that clients should use when users log # The identity server which we suggest that clients should use when users log
@ -112,27 +115,30 @@ class RegistrationConfig(Config):
# (By default, no suggestion is made, so it is left up to the client. # (By default, no suggestion is made, so it is left up to the client.
# This setting is ignored unless public_baseurl is also set.) # This setting is ignored unless public_baseurl is also set.)
# #
# default_identity_server: https://matrix.org #default_identity_server: https://matrix.org
# The list of identity servers trusted to verify third party # The list of identity servers trusted to verify third party
# identifiers by this server. # identifiers by this server.
# #
# Also defines the ID server which will be called when an account is # Also defines the ID server which will be called when an account is
# deactivated (one will be picked arbitrarily). # deactivated (one will be picked arbitrarily).
#
trusted_third_party_id_servers: trusted_third_party_id_servers:
- matrix.org - matrix.org
- vector.im - vector.im
# Users who register on this homeserver will automatically be joined # Users who register on this homeserver will automatically be joined
# to these rooms # to these rooms
#
#auto_join_rooms: #auto_join_rooms:
# - "#example:example.com" # - "#example:example.com"
# Where auto_join_rooms are specified, setting this flag ensures that the # Where auto_join_rooms are specified, setting this flag ensures that the
# the rooms exist by creating them when the first user on the # the rooms exist by creating them when the first user on the
# homeserver registers. # homeserver registers.
# Setting to false means that if the rooms are not manually created, # Setting to false means that if the rooms are not manually created,
# users cannot be auto-joined since they do not exist. # users cannot be auto-joined since they do not exist.
#
autocreate_auto_join_rooms: true autocreate_auto_join_rooms: true
""" % locals() """ % locals()


@ -180,29 +180,34 @@ class ContentRepositoryConfig(Config):
uploads_path = os.path.join(data_dir_path, "uploads") uploads_path = os.path.join(data_dir_path, "uploads")
return r""" return r"""
# Directory where uploaded images and attachments are stored. # Directory where uploaded images and attachments are stored.
#
media_store_path: "%(media_store)s" media_store_path: "%(media_store)s"
# Media storage providers allow media to be stored in different # Media storage providers allow media to be stored in different
# locations. # locations.
# media_storage_providers: #
# - module: file_system #media_storage_providers:
# # Whether to write new local files. # - module: file_system
# store_local: false # # Whether to write new local files.
# # Whether to write new remote media # store_local: false
# store_remote: false # # Whether to write new remote media
# # Whether to block upload requests waiting for write to this # store_remote: false
# # provider to complete # # Whether to block upload requests waiting for write to this
# store_synchronous: false # # provider to complete
# config: # store_synchronous: false
# directory: /mnt/some/other/directory # config:
# directory: /mnt/some/other/directory
# Directory where in-progress uploads are stored. # Directory where in-progress uploads are stored.
#
uploads_path: "%(uploads_path)s" uploads_path: "%(uploads_path)s"
# The largest allowed upload size in bytes # The largest allowed upload size in bytes
#
max_upload_size: "10M" max_upload_size: "10M"
# Maximum number of pixels that will be thumbnailed # Maximum number of pixels that will be thumbnailed
#
max_image_pixels: "32M" max_image_pixels: "32M"
# Whether to generate new thumbnails on the fly to precisely match # Whether to generate new thumbnails on the fly to precisely match
@ -210,9 +215,11 @@ class ContentRepositoryConfig(Config):
# a new resolution is requested by the client the server will # a new resolution is requested by the client the server will
# generate a new thumbnail. If false the server will pick a thumbnail # generate a new thumbnail. If false the server will pick a thumbnail
# from a precalculated list. # from a precalculated list.
#
dynamic_thumbnails: false dynamic_thumbnails: false
# List of thumbnail to precalculate when an image is uploaded. # List of thumbnails to precalculate when an image is uploaded.
#
thumbnail_sizes: thumbnail_sizes:
- width: 32 - width: 32
height: 32 height: 32
@ -233,6 +240,7 @@ class ContentRepositoryConfig(Config):
# Is the preview URL API enabled? If enabled, you *must* specify # Is the preview URL API enabled? If enabled, you *must* specify
# an explicit url_preview_ip_range_blacklist of IPs that the spider is # an explicit url_preview_ip_range_blacklist of IPs that the spider is
# denied from accessing. # denied from accessing.
#
url_preview_enabled: False url_preview_enabled: False
# List of IP address CIDR ranges that the URL preview spider is denied # List of IP address CIDR ranges that the URL preview spider is denied
@ -243,16 +251,16 @@ class ContentRepositoryConfig(Config):
# synapse to issue arbitrary GET requests to your internal services, # synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues. # causing serious security issues.
# #
# url_preview_ip_range_blacklist: #url_preview_ip_range_blacklist:
# - '127.0.0.0/8' # - '127.0.0.0/8'
# - '10.0.0.0/8' # - '10.0.0.0/8'
# - '172.16.0.0/12' # - '172.16.0.0/12'
# - '192.168.0.0/16' # - '192.168.0.0/16'
# - '100.64.0.0/10' # - '100.64.0.0/10'
# - '169.254.0.0/16' # - '169.254.0.0/16'
# - '::1/128' # - '::1/128'
# - 'fe80::/64' # - 'fe80::/64'
# - 'fc00::/7' # - 'fc00::/7'
# #
# List of IP address CIDR ranges that the URL preview spider is allowed # List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist. # to access even if they are specified in url_preview_ip_range_blacklist.
@ -260,8 +268,8 @@ class ContentRepositoryConfig(Config):
# target IP ranges - e.g. for enabling URL previews for a specific private # target IP ranges - e.g. for enabling URL previews for a specific private
# website only visible in your network. # website only visible in your network.
# #
# url_preview_ip_range_whitelist: #url_preview_ip_range_whitelist:
# - '192.168.1.1' # - '192.168.1.1'
# Optional list of URL matches that the URL preview spider is # Optional list of URL matches that the URL preview spider is
# denied from accessing. You should use url_preview_ip_range_blacklist # denied from accessing. You should use url_preview_ip_range_blacklist
@ -279,26 +287,25 @@ class ContentRepositoryConfig(Config):
# specified component matches for a given list item succeed, the URL is # specified component matches for a given list item succeed, the URL is
# blacklisted. # blacklisted.
# #
# url_preview_url_blacklist: #url_preview_url_blacklist:
# # blacklist any URL with a username in its URI # # blacklist any URL with a username in its URI
# - username: '*' # - username: '*'
# #
# # blacklist all *.google.com URLs # # blacklist all *.google.com URLs
# - netloc: 'google.com' # - netloc: 'google.com'
# - netloc: '*.google.com' # - netloc: '*.google.com'
# #
# # blacklist all plain HTTP URLs # # blacklist all plain HTTP URLs
# - scheme: 'http' # - scheme: 'http'
# #
# # blacklist http(s)://www.acme.com/foo # # blacklist http(s)://www.acme.com/foo
# - netloc: 'www.acme.com' # - netloc: 'www.acme.com'
# path: '/foo' # path: '/foo'
# #
# # blacklist any URL with a literal IPv4 address # # blacklist any URL with a literal IPv4 address
# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
# The largest allowed URL preview spidering size in bytes # The largest allowed URL preview spidering size in bytes
max_spider_size: "10M" max_spider_size: "10M"
""" % locals() """ % locals()


@ -76,11 +76,11 @@ class RoomDirectoryConfig(Config):
# #
# The default is: # The default is:
# #
# alias_creation_rules: #alias_creation_rules:
# - user_id: "*" # - user_id: "*"
# alias: "*" # alias: "*"
# room_id: "*" # room_id: "*"
# action: allow # action: allow
# The `room_list_publication_rules` option controls who can publish and # The `room_list_publication_rules` option controls who can publish and
# which rooms can be published in the public room list. # which rooms can be published in the public room list.
@ -105,11 +105,11 @@ class RoomDirectoryConfig(Config):
# #
# The default is: # The default is:
# #
# room_list_publication_rules: #room_list_publication_rules:
# - user_id: "*" # - user_id: "*"
# alias: "*" # alias: "*"
# room_id: "*" # room_id: "*"
# action: allow # action: allow
""" """
def is_alias_creation_allowed(self, user_id, room_id, alias): def is_alias_creation_allowed(self, user_id, room_id, alias):


@ -67,44 +67,43 @@ class SAML2Config(Config):
return """ return """
# Enable SAML2 for registration and login. Uses pysaml2. # Enable SAML2 for registration and login. Uses pysaml2.
# #
# saml2_config: # `sp_config` is the configuration for the pysaml2 Service Provider.
# See pysaml2 docs for format of config.
# #
# # The following is the configuration for the pysaml2 Service Provider. # Default values will be used for the 'entityid' and 'service' settings,
# # See pysaml2 docs for format of config. # so it is not normally necessary to specify them unless you need to
# # # override them.
# # Default values will be used for the 'entityid' and 'service' settings,
# # so it is not normally necessary to specify them unless you need to
# # override them.
# #
# sp_config: #saml2_config:
# # point this to the IdP's metadata. You can use either a local file or # sp_config:
# # (preferably) a URL. # # point this to the IdP's metadata. You can use either a local file or
# metadata: # # (preferably) a URL.
# # local: ["saml2/idp.xml"] # metadata:
# remote: # #local: ["saml2/idp.xml"]
# - url: https://our_idp/metadata.xml # remote:
# - url: https://our_idp/metadata.xml
# #
# # The following is just used to generate our metadata xml, and you # # The rest of sp_config is just used to generate our metadata xml, and you
# # may well not need it, depending on your setup. Alternatively you # # may well not need it, depending on your setup. Alternatively you
# # may need a whole lot more detail - see the pysaml2 docs! # # may need a whole lot more detail - see the pysaml2 docs!
# #
# description: ["My awesome SP", "en"] # description: ["My awesome SP", "en"]
# name: ["Test SP", "en"] # name: ["Test SP", "en"]
# #
# organization: # organization:
# name: Example com # name: Example com
# display_name: # display_name:
# - ["Example co", "en"] # - ["Example co", "en"]
# url: "http://example.com" # url: "http://example.com"
# #
# contact_person: # contact_person:
# - given_name: Bob # - given_name: Bob
# sur_name: "the Sysadmin" # sur_name: "the Sysadmin"
# email_address": ["admin@example.com"] # email_address": ["admin@example.com"]
# contact_type": technical # contact_type": technical
# #
# # Instead of putting the config inline as above, you can specify a # # Instead of putting the config inline as above, you can specify a
# # separate pysaml2 configuration file: # # separate pysaml2 configuration file:
# # # #
# # config_path: "%(config_dir_path)s/sp_conf.py" # config_path: "%(config_dir_path)s/sp_conf.py"
""" % {"config_dir_path": config_dir_path} """ % {"config_dir_path": config_dir_path}


@ -286,19 +286,20 @@ class ServerConfig(Config):
# #
# This setting requires the affinity package to be installed! # This setting requires the affinity package to be installed!
# #
# cpu_affinity: 0xFFFFFFFF #cpu_affinity: 0xFFFFFFFF
# The path to the web client which will be served at /_matrix/client/ # The path to the web client which will be served at /_matrix/client/
# if 'webclient' is configured under the 'listeners' configuration. # if 'webclient' is configured under the 'listeners' configuration.
# #
# web_client_location: "/path/to/web/root" #web_client_location: "/path/to/web/root"
# The public-facing base URL that clients use to access this HS # The public-facing base URL that clients use to access this HS
# (not including _matrix/...). This is the same URL a user would # (not including _matrix/...). This is the same URL a user would
# enter into the 'custom HS URL' field on their client. If you # enter into the 'custom HS URL' field on their client. If you
# use synapse with a reverse proxy, this should be the URL to reach # use synapse with a reverse proxy, this should be the URL to reach
# synapse via the proxy. # synapse via the proxy.
# public_baseurl: https://example.com/ #
#public_baseurl: https://example.com/
# Set the soft limit on the number of file descriptors synapse can use # Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the # Zero is used to indicate synapse should set the soft limit to the
@ -309,15 +310,25 @@ class ServerConfig(Config):
use_presence: true use_presence: true
# The GC threshold parameters to pass to `gc.set_threshold`, if defined # The GC threshold parameters to pass to `gc.set_threshold`, if defined
# gc_thresholds: [700, 10, 10] #
#gc_thresholds: [700, 10, 10]
# Set the limit on the returned events in the timeline in the get # Set the limit on the returned events in the timeline in the get
# and sync operations. The default value is -1, means no upper limit. # and sync operations. The default value is -1, means no upper limit.
# filter_timeline_limit: 5000 #
#filter_timeline_limit: 5000
# Whether room invites to users on this server should be blocked # Whether room invites to users on this server should be blocked
# (except those sent by local server admins). The default is False. # (except those sent by local server admins). The default is False.
# block_non_admin_invites: True #
#block_non_admin_invites: True
# Room searching
#
# If disabled, new messages will not be indexed for searching and users
# will receive errors when searching for messages. Defaults to enabled.
#
#enable_search: false
# Restrict federation to the following whitelist of domains. # Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit # N.B. we recommend also firewalling your federation listener to limit
@ -325,7 +336,7 @@ class ServerConfig(Config):
# purely on this application-layer restriction. If not specified, the # purely on this application-layer restriction. If not specified, the
# default is to whitelist everything. # default is to whitelist everything.
# #
# federation_domain_whitelist: #federation_domain_whitelist:
# - lon.example.com # - lon.example.com
# - nyc.example.com # - nyc.example.com
# - syd.example.com # - syd.example.com
@ -397,11 +408,11 @@ class ServerConfig(Config):
# will also need to give Synapse a TLS key and certificate: see the TLS section # will also need to give Synapse a TLS key and certificate: see the TLS section
# below.) # below.)
# #
# - port: %(bind_port)s #- port: %(bind_port)s
# type: http # type: http
# tls: true # tls: true
# resources: # resources:
# - names: [client, federation] # - names: [client, federation]
# Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
# that unwraps TLS. # that unwraps TLS.
@ -421,52 +432,49 @@ class ServerConfig(Config):
# example additonal_resources: # example additonal_resources:
# #
# additional_resources: #additional_resources:
# "/_matrix/my/custom/endpoint": # "/_matrix/my/custom/endpoint":
# module: my_module.CustomRequestHandler # module: my_module.CustomRequestHandler
# config: {} # config: {}
# Turn on the twisted ssh manhole service on localhost on the given # Turn on the twisted ssh manhole service on localhost on the given
# port. # port.
# - port: 9000 #
# bind_addresses: ['::1', '127.0.0.1'] #- port: 9000
# type: manhole # bind_addresses: ['::1', '127.0.0.1']
# type: manhole
## Homeserver blocking ##
# Homeserver blocking
#
# How to reach the server admin, used in ResourceLimitError # How to reach the server admin, used in ResourceLimitError
# admin_contact: 'mailto:admin@server.com'
# #
# Global block config #admin_contact: 'mailto:admin@server.com'
#
# hs_disabled: False # Global blocking
# hs_disabled_message: 'Human readable reason for why the HS is blocked'
# hs_disabled_limit_type: 'error code(str), to help clients decode reason'
# #
#hs_disabled: False
#hs_disabled_message: 'Human readable reason for why the HS is blocked'
#hs_disabled_limit_type: 'error code(str), to help clients decode reason'
# Monthly Active User Blocking # Monthly Active User Blocking
# #
# Enables monthly active user checking #limit_usage_by_mau: False
# limit_usage_by_mau: False #max_mau_value: 50
# max_mau_value: 50 #mau_trial_days: 2
# mau_trial_days: 2
#
# If enabled, the metrics for the number of monthly active users will # If enabled, the metrics for the number of monthly active users will
# be populated, however no one will be limited. If limit_usage_by_mau # be populated, however no one will be limited. If limit_usage_by_mau
# is true, this is implied to be true. # is true, this is implied to be true.
# mau_stats_only: False
# #
#mau_stats_only: False
# Sometimes the server admin will want to ensure certain accounts are # Sometimes the server admin will want to ensure certain accounts are
# never blocked by mau checking. These accounts are specified here. # never blocked by mau checking. These accounts are specified here.
# #
# mau_limit_reserved_threepids: #mau_limit_reserved_threepids:
# - medium: 'email' # - medium: 'email'
# address: 'reserved_user@example.com' # address: 'reserved_user@example.com'
#
# Room searching
#
# If disabled, new messages will not be indexed for searching and users
# will receive errors when searching for messages. Defaults to enabled.
# enable_search: true
""" % locals() """ % locals()
def read_arguments(self, args): def read_arguments(self, args):


@ -30,11 +30,11 @@ DEFAULT_CONFIG = """\
# It's also possible to override the room name, the display name of the # It's also possible to override the room name, the display name of the
# "notices" user, and the avatar for the user. # "notices" user, and the avatar for the user.
# #
# server_notices: #server_notices:
# system_mxid_localpart: notices # system_mxid_localpart: notices
# system_mxid_display_name: "Server Notices" # system_mxid_display_name: "Server Notices"
# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
# room_name: "Server Notices" # room_name: "Server Notices"
""" """


@ -28,8 +28,8 @@ class SpamCheckerConfig(Config):
def default_config(self, **kwargs): def default_config(self, **kwargs):
return """\ return """\
# spam_checker: #spam_checker:
# module: "my_custom_project.SuperSpamChecker" # module: "my_custom_project.SuperSpamChecker"
# config: # config:
# example_option: 'things' # example_option: 'things'
""" """


@ -177,10 +177,11 @@ class TlsConfig(Config):
# See 'ACME support' below to enable auto-provisioning this certificate via # See 'ACME support' below to enable auto-provisioning this certificate via
# Let's Encrypt. # Let's Encrypt.
# #
# tls_certificate_path: "%(tls_certificate_path)s" #tls_certificate_path: "%(tls_certificate_path)s"
# PEM-encoded private key for TLS # PEM-encoded private key for TLS
# tls_private_key_path: "%(tls_private_key_path)s" #
#tls_private_key_path: "%(tls_private_key_path)s"
# ACME support: This will configure Synapse to request a valid TLS certificate # ACME support: This will configure Synapse to request a valid TLS certificate
# for your configured `server_name` via Let's Encrypt. # for your configured `server_name` via Let's Encrypt.
@ -207,28 +208,28 @@ class TlsConfig(Config):
# ACME support is disabled by default. Uncomment the following line # ACME support is disabled by default. Uncomment the following line
# (and tls_certificate_path and tls_private_key_path above) to enable it. # (and tls_certificate_path and tls_private_key_path above) to enable it.
# #
# enabled: true #enabled: true
# Endpoint to use to request certificates. If you only want to test, # Endpoint to use to request certificates. If you only want to test,
# use Let's Encrypt's staging url: # use Let's Encrypt's staging url:
# https://acme-staging.api.letsencrypt.org/directory # https://acme-staging.api.letsencrypt.org/directory
# #
# url: https://acme-v01.api.letsencrypt.org/directory #url: https://acme-v01.api.letsencrypt.org/directory
# Port number to listen on for the HTTP-01 challenge. Change this if # Port number to listen on for the HTTP-01 challenge. Change this if
# you are forwarding connections through Apache/Nginx/etc. # you are forwarding connections through Apache/Nginx/etc.
# #
# port: 80 #port: 80
# Local addresses to listen on for incoming connections. # Local addresses to listen on for incoming connections.
# Again, you may want to change this if you are forwarding connections # Again, you may want to change this if you are forwarding connections
# through Apache/Nginx/etc. # through Apache/Nginx/etc.
# #
# bind_addresses: ['::', '0.0.0.0'] #bind_addresses: ['::', '0.0.0.0']
# How many days remaining on a certificate before it is renewed. # How many days remaining on a certificate before it is renewed.
# #
# reprovision_threshold: 30 #reprovision_threshold: 30
# The domain that the certificate should be for. Normally this # The domain that the certificate should be for. Normally this
# should be the same as your Matrix domain (i.e., 'server_name'), but, # should be the same as your Matrix domain (i.e., 'server_name'), but,
@ -242,7 +243,7 @@ class TlsConfig(Config):
# #
# If not set, defaults to your 'server_name'. # If not set, defaults to your 'server_name'.
# #
# domain: matrix.example.com #domain: matrix.example.com
# List of allowed TLS fingerprints for this server to publish along # List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that # with the signing keys for this server. Other matrix servers that
@ -269,8 +270,7 @@ class TlsConfig(Config):
# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' # openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
# or by checking matrix.org/federationtester/api/report?server_name=$host # or by checking matrix.org/federationtester/api/report?server_name=$host
# #
tls_fingerprints: [] #tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
# tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
""" """
% locals() % locals()
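Review bot: Commenting out `tls_fingerprints: []` in the last hunk (now `#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]`) is the one change here that alters behaviour rather than formatting: a freshly generated homeserver.yaml goes from carrying an explicit empty list to having no `tls_fingerprints` key at all. The reader in TlsConfig is outside this hunk, so please confirm it tolerates the missing key (e.g. `config.get("tls_fingerprints", [])` rather than `config["tls_fingerprints"]`); otherwise new installs would fail to load while existing configs, which still have the explicit key, would not, and the regression would be easy to miss in testing. It would help the next reader to state the default next to the commented example, e.g. `# If not set, no additional fingerprints are published.` (wording to be checked against what the reader actually does). The enclosing default_config string starts outside this hunk.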


@ -40,5 +40,5 @@ class UserDirectoryConfig(Config):
# on your database to tell it to rebuild the user_directory search indexes. # on your database to tell it to rebuild the user_directory search indexes.
# #
#user_directory: #user_directory:
# search_all_users: false # search_all_users: false
""" """


@ -27,20 +27,24 @@ class VoipConfig(Config):
def default_config(self, **kwargs): def default_config(self, **kwargs):
return """\ return """\
## Turn ## ## TURN ##
# The public URIs of the TURN server to give to clients # The public URIs of the TURN server to give to clients
#
#turn_uris: [] #turn_uris: []
# The shared secret used to compute passwords for the TURN server # The shared secret used to compute passwords for the TURN server
#
#turn_shared_secret: "YOUR_SHARED_SECRET" #turn_shared_secret: "YOUR_SHARED_SECRET"
# The Username and password if the TURN server needs them and # The Username and password if the TURN server needs them and
# does not use a token # does not use a token
#
#turn_username: "TURNSERVER_USERNAME" #turn_username: "TURNSERVER_USERNAME"
#turn_password: "TURNSERVER_PASSWORD" #turn_password: "TURNSERVER_PASSWORD"
# How long generated TURN credentials last # How long generated TURN credentials last
#
turn_user_lifetime: "1h" turn_user_lifetime: "1h"
# Whether guests should be allowed to use the TURN server. # Whether guests should be allowed to use the TURN server.
@ -48,5 +52,6 @@ class VoipConfig(Config):
# However, it does introduce a slight security risk as it allows users to # However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a # connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA). # valid account (e.g. by passing a CAPTCHA).
#
turn_allow_guests: True turn_allow_guests: True
""" """