|
|
@ -120,6 +120,47 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
|
|
|
|
#
|
|
|
|
#
|
|
|
|
#enable_search: false
|
|
|
|
#enable_search: false
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Prevent outgoing requests from being sent to the following blacklisted IP address
|
|
|
|
|
|
|
|
# CIDR ranges. If this option is not specified then it defaults to private IP
|
|
|
|
|
|
|
|
# address ranges (see the example below).
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# The blacklist applies to the outbound requests for federation, identity servers,
|
|
|
|
|
|
|
|
# push servers, and for checking key validity for third-party invite events.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
|
|
|
|
|
|
|
|
# listed here, since they correspond to unroutable addresses.)
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
#ip_range_blacklist:
|
|
|
|
|
|
|
|
# - '127.0.0.0/8'
|
|
|
|
|
|
|
|
# - '10.0.0.0/8'
|
|
|
|
|
|
|
|
# - '172.16.0.0/12'
|
|
|
|
|
|
|
|
# - '192.168.0.0/16'
|
|
|
|
|
|
|
|
# - '100.64.0.0/10'
|
|
|
|
|
|
|
|
# - '192.0.0.0/24'
|
|
|
|
|
|
|
|
# - '169.254.0.0/16'
|
|
|
|
|
|
|
|
# - '198.18.0.0/15'
|
|
|
|
|
|
|
|
# - '192.0.2.0/24'
|
|
|
|
|
|
|
|
# - '198.51.100.0/24'
|
|
|
|
|
|
|
|
# - '203.0.113.0/24'
|
|
|
|
|
|
|
|
# - '224.0.0.0/4'
|
|
|
|
|
|
|
|
# - '::1/128'
|
|
|
|
|
|
|
|
# - 'fe80::/10'
|
|
|
|
|
|
|
|
# - 'fc00::/7'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# List of IP address CIDR ranges that should be allowed for federation,
|
|
|
|
|
|
|
|
# identity servers, push servers, and for checking key validity for
|
|
|
|
|
|
|
|
# third-party invite events. This is useful for specifying exceptions to
|
|
|
|
|
|
|
|
# wide-ranging blacklisted target IP ranges - e.g. for communication with
|
|
|
|
|
|
|
|
# a push server only visible in your network.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# This whitelist overrides ip_range_blacklist and defaults to an empty
|
|
|
|
|
|
|
|
# list.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
#ip_range_whitelist:
|
|
|
|
|
|
|
|
# - '192.168.1.1'
|
|
|
|
|
|
|
|
|
|
|
|
# List of ports that Synapse should listen on, their purpose and their
|
|
|
|
# List of ports that Synapse should listen on, their purpose and their
|
|
|
|
# configuration.
|
|
|
|
# configuration.
|
|
|
|
#
|
|
|
|
#
|
|
|
@ -633,27 +674,6 @@ acme:
|
|
|
|
federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
|
|
|
|
federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }}
|
|
|
|
{% endif %}
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
|
|
# Prevent federation requests from being sent to the following
|
|
|
|
|
|
|
|
# blacklist IP address CIDR ranges. If this option is not specified, or
|
|
|
|
|
|
|
|
# specified with an empty list, no ip range blacklist will be enforced.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
|
|
|
|
|
|
|
|
# servers provided by user input.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
|
|
|
|
|
|
|
|
# listed here, since they correspond to unroutable addresses.)
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
federation_ip_range_blacklist:
|
|
|
|
|
|
|
|
- '127.0.0.0/8'
|
|
|
|
|
|
|
|
- '10.0.0.0/8'
|
|
|
|
|
|
|
|
- '172.16.0.0/12'
|
|
|
|
|
|
|
|
- '192.168.0.0/16'
|
|
|
|
|
|
|
|
- '100.64.0.0/10'
|
|
|
|
|
|
|
|
- '169.254.0.0/16'
|
|
|
|
|
|
|
|
- '::1/128'
|
|
|
|
|
|
|
|
- 'fe80::/64'
|
|
|
|
|
|
|
|
- 'fc00::/7'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Report prometheus metrics on the age of PDUs being sent to and received from
|
|
|
|
# Report prometheus metrics on the age of PDUs being sent to and received from
|
|
|
|
# the following domains. This can be used to give an idea of "delay" on inbound
|
|
|
|
# the following domains. This can be used to give an idea of "delay" on inbound
|
|
|
|
# and outbound federation, though be aware that any delay can be due to problems
|
|
|
|
# and outbound federation, though be aware that any delay can be due to problems
|
|
|
@ -919,9 +939,15 @@ url_preview_ip_range_blacklist:
|
|
|
|
- '172.16.0.0/12'
|
|
|
|
- '172.16.0.0/12'
|
|
|
|
- '192.168.0.0/16'
|
|
|
|
- '192.168.0.0/16'
|
|
|
|
- '100.64.0.0/10'
|
|
|
|
- '100.64.0.0/10'
|
|
|
|
|
|
|
|
- '192.0.0.0/24'
|
|
|
|
- '169.254.0.0/16'
|
|
|
|
- '169.254.0.0/16'
|
|
|
|
|
|
|
|
- '198.18.0.0/15'
|
|
|
|
|
|
|
|
- '192.0.2.0/24'
|
|
|
|
|
|
|
|
- '198.51.100.0/24'
|
|
|
|
|
|
|
|
- '203.0.113.0/24'
|
|
|
|
|
|
|
|
- '224.0.0.0/4'
|
|
|
|
- '::1/128'
|
|
|
|
- '::1/128'
|
|
|
|
- 'fe80::/64'
|
|
|
|
- 'fe80::/10'
|
|
|
|
- 'fc00::/7'
|
|
|
|
- 'fc00::/7'
|
|
|
|
|
|
|
|
|
|
|
|
# List of IP address CIDR ranges that the URL preview spider is allowed
|
|
|
|
# List of IP address CIDR ranges that the URL preview spider is allowed
|
|
|
@ -1776,7 +1802,8 @@ oidc_config:
|
|
|
|
# * user: The claims returned by the UserInfo Endpoint and/or in the ID
|
|
|
|
# * user: The claims returned by the UserInfo Endpoint and/or in the ID
|
|
|
|
# Token
|
|
|
|
# Token
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# This must be configured if using the default mapping provider.
|
|
|
|
# If this is not set, the user will be prompted to choose their
|
|
|
|
|
|
|
|
# own username.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
|
|
|
|
localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
|
|
|
|
|
|
|
|
|
|
|
@ -1854,11 +1881,8 @@ sso:
|
|
|
|
# - https://my.custom.client/
|
|
|
|
# - https://my.custom.client/
|
|
|
|
|
|
|
|
|
|
|
|
# Directory in which Synapse will try to find the template files below.
|
|
|
|
# Directory in which Synapse will try to find the template files below.
|
|
|
|
# If not set, default templates from within the Synapse package will be used.
|
|
|
|
# If not set, or the files named below are not found within the template
|
|
|
|
#
|
|
|
|
# directory, default templates from within the Synapse package will be used.
|
|
|
|
# DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
|
|
|
|
|
|
|
|
# If you *do* uncomment it, you will need to make sure that all the templates
|
|
|
|
|
|
|
|
# below are in the directory.
|
|
|
|
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# Synapse will look for the following templates in this directory:
|
|
|
|
# Synapse will look for the following templates in this directory:
|
|
|
|
#
|
|
|
|
#
|
|
|
@ -1987,6 +2011,56 @@ password_config:
|
|
|
|
#
|
|
|
|
#
|
|
|
|
pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}
|
|
|
|
pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Define and enforce a password policy. Each parameter is optional.
|
|
|
|
|
|
|
|
# This is an implementation of MSC2000.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
policy:
|
|
|
|
|
|
|
|
# Whether to enforce the password policy.
|
|
|
|
|
|
|
|
# Defaults to 'false'.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
#enabled: true
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Minimum accepted length for a password.
|
|
|
|
|
|
|
|
# Defaults to 0.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
#minimum_length: 15
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Whether a password must contain at least one digit.
|
|
|
|
|
|
|
|
# Defaults to 'false'.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
#require_digit: true
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Whether a password must contain at least one symbol.
|
|
|
|
|
|
|
|
# A symbol is any character that's not a number or a letter.
|
|
|
|
|
|
|
|
# Defaults to 'false'.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
#require_symbol: true
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Whether a password must contain at least one lowercase letter.
|
|
|
|
|
|
|
|
# Defaults to 'false'.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
#require_lowercase: true
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Whether a password must contain at least one lowercase letter.
|
|
|
|
|
|
|
|
# Defaults to 'false'.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
#require_uppercase: true
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ui_auth:
|
|
|
|
|
|
|
|
# The number of milliseconds to allow a user-interactive authentication
|
|
|
|
|
|
|
|
# session to be active.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# This defaults to 0, meaning the user is queried for their credentials
|
|
|
|
|
|
|
|
# before every action, but this can be overridden to alow a single
|
|
|
|
|
|
|
|
# validation to be re-used. This weakens the protections afforded by
|
|
|
|
|
|
|
|
# the user-interactive authentication process, by allowing for multiple
|
|
|
|
|
|
|
|
# (and potentially different) operations to use the same validation session.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# Uncomment below to allow for credential validation to last for 15
|
|
|
|
|
|
|
|
# seconds.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
#session_timeout: 15000
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
{% if matrix_synapse_email_enabled %}
|
|
|
|
{% if matrix_synapse_email_enabled %}
|
|
|
|
# Configuration for sending emails from Synapse.
|
|
|
|
# Configuration for sending emails from Synapse.
|
|
|
@ -2061,9 +2135,8 @@ email:
|
|
|
|
#validation_token_lifetime: 15m
|
|
|
|
#validation_token_lifetime: 15m
|
|
|
|
|
|
|
|
|
|
|
|
# Directory in which Synapse will try to find the template files below.
|
|
|
|
# Directory in which Synapse will try to find the template files below.
|
|
|
|
# If not set, default templates from within the Synapse package will be used.
|
|
|
|
# If not set, or the files named below are not found within the template
|
|
|
|
#
|
|
|
|
# directory, default templates from within the Synapse package will be used.
|
|
|
|
# Do not uncomment this setting unless you want to customise the templates.
|
|
|
|
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# Synapse will look for the following templates in this directory:
|
|
|
|
# Synapse will look for the following templates in this directory:
|
|
|
|
#
|
|
|
|
#
|
|
|
@ -2309,7 +2382,7 @@ enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }}
|
|
|
|
# If enabled, non server admins can only create groups with local parts
|
|
|
|
# If enabled, non server admins can only create groups with local parts
|
|
|
|
# starting with this prefix
|
|
|
|
# starting with this prefix
|
|
|
|
#
|
|
|
|
#
|
|
|
|
#group_creation_prefix: "unofficial/"
|
|
|
|
#group_creation_prefix: "unofficial_"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -2580,6 +2653,13 @@ opentracing:
|
|
|
|
#
|
|
|
|
#
|
|
|
|
#run_background_tasks_on: worker1
|
|
|
|
#run_background_tasks_on: worker1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# A shared secret used by the replication APIs to authenticate HTTP requests
|
|
|
|
|
|
|
|
# from workers.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# By default this is unused and traffic is not authenticated.
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
#worker_replication_secret: ""
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Configuration for Redis when using workers. This *must* be enabled when
|
|
|
|
# Configuration for Redis when using workers. This *must* be enabled when
|
|
|
|
# using workers (unless using old style direct TCP configuration).
|
|
|
|
# using workers (unless using old style direct TCP configuration).
|
|
|
|