From ae912c4529cab0790e951fb55c3d205760edb377 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 16 Mar 2019 15:51:41 -0500 Subject: [PATCH] Update homeserver.yaml with some new options we could enable --- .../templates/synapse/homeserver.yaml.j2 | 148 ++++++++++++------ 1 file changed, 102 insertions(+), 46 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 36333788..9d663118 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -33,11 +33,6 @@ pid_file: /homeserver.pid # # cpu_affinity: 0xFFFFFFFF -# The path to the web client which will be served at /_matrix/client/ -# if 'webclient' is configured under the 'listeners' configuration. -# -# web_client_location: "/path/to/web/root" - # The public-facing base URL that clients use to access this HS # (not including _matrix/...). This is the same URL a user would # enter into the 'custom HS URL' field on their client. If you @@ -64,6 +59,13 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # (except those sent by local server admins). The default is False. # block_non_admin_invites: True +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# +# enable_search: false + # Restrict federation to the following whitelist of domains. # N.B. we recommend also firewalling your federation listener to limit # inbound federation traffic as early as possible, rather than relying @@ -137,8 +139,6 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # static: static resources under synapse/static (/_matrix/static). (Mostly # useful for 'fallback authentication'.) # -# webclient: A web client. Requires web_client_location to be set. -# listeners: {% if matrix_synapse_metrics_enabled %} - type: metrics @@ -192,41 +192,33 @@ listeners: # bind_addresses: ['::1', '127.0.0.1'] # type: manhole -# Homeserver blocking -# + +## Homeserver blocking ## + # How to reach the server admin, used in ResourceLimitError # admin_contact: 'mailto:admin@server.com' -# -# Global block config -# + +# Global blocking # hs_disabled: False # hs_disabled_message: 'Human readable reason for why the HS is blocked' # hs_disabled_limit_type: 'error code(str), to help clients decode reason' -# + # Monthly Active User Blocking -# -# Enables monthly active user checking # limit_usage_by_mau: False # max_mau_value: 50 # mau_trial_days: 2 -# + # If enabled, the metrics for the number of monthly active users will # be populated, however no one will be limited. If limit_usage_by_mau # is true, this is implied to be true. # mau_stats_only: False -# + # Sometimes the server admin will want to ensure certain accounts are # never blocked by mau checking. These accounts are specified here. # # mau_limit_reserved_threepids: # - medium: 'email' # address: 'reserved_user@example.com' -# -# Room searching -# -# If disabled, new messages will not be indexed for searching and users -# will receive errors when searching for messages. Defaults to enabled. -# enable_search: true ## TLS ## @@ -321,7 +313,8 @@ tls_fingerprints: [] -# Database configuration +## Database ## + database: # The database engine name name: "psycopg2" @@ -337,6 +330,7 @@ database: event_cache_size: "{{ matrix_synapse_event_cache_size }}" +## Logging ## # A yaml python logging config file log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" @@ -369,6 +363,15 @@ federation_rc_reject_limit: 50 # single server federation_rc_concurrent: 3 +# Number of registration requests a client can send per second. +# Defaults to 1/minute (0.17). +# rc_registration_requests_per_second: 0.17 + +# Number of registration requests a client can send before being +# throttled. +# Defaults to 3. +# rc_registration_request_burst_count: 3.0 + # Directory where uploaded images and attachments are stored. @@ -404,7 +407,7 @@ max_image_pixels: "32M" # from a precalculated list. dynamic_thumbnails: false -# List of thumbnail to precalculate when an image is uploaded. +# List of thumbnails to precalculate when an image is uploaded. thumbnail_sizes: - width: 32 height: 32 @@ -494,7 +497,6 @@ max_spider_size: "10M" - ## Captcha ## # See docs/CAPTCHA_SETUP for full details of configuring this. @@ -510,13 +512,13 @@ recaptcha_private_key: "YOUR_PRIVATE_KEY" enable_registration_captcha: False # A secret key used to bypass the captcha test entirely. -#captcha_bypass_secret: "YOUR_SECRET_HERE" +# captcha_bypass_secret: "YOUR_SECRET_HERE" # The API endpoint to use for verifying m.login.recaptcha responses. -recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" +recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" -## Turn ## +## TURN ## # The public URIs of the TURN server to give to clients turn_uris: {{ matrix_synapse_turn_uris|to_json }} @@ -526,8 +528,8 @@ turn_shared_secret: {{ matrix_synapse_turn_shared_secret|to_json }} # The Username and password if the TURN server needs them and # does not use a token -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" +# turn_username: "TURNSERVER_USERNAME" +# turn_password: "TURNSERVER_PASSWORD" # How long generated TURN credentials last turn_user_lifetime: "1h" @@ -541,6 +543,8 @@ turn_allow_guests: False ## Registration ## +# Registration can be rate-limited using the parameters in the "Ratelimiting" +# section of this file. # Enable registration for new users. enable_registration: {{ matrix_synapse_enable_registration|to_json }} @@ -603,8 +607,6 @@ trusted_third_party_id_servers: # Users who register on this homeserver will automatically be joined # to these rooms -#auto_join_rooms: -# - "#example:example.com" {% if matrix_synapse_auto_join_rooms|length > 0 %} auto_join_rooms: {{ matrix_synapse_auto_join_rooms|to_nice_yaml }} @@ -624,6 +626,16 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms }} enable_metrics: {{ matrix_synapse_metrics_enabled }} report_stats: {{ matrix_synapse_report_stats|to_json }} +# Enable sentry integration +# NOTE: While attempts are made to ensure that the logs don't contain +# any sensitive information, this cannot be guaranteed. By enabling +# this option the sentry server may therefore receive sensitive +# information, and it in turn may then diseminate sensitive information +# through insecure notification channels if so configured. +# +# sentry: +# dsn: "..." + ## API Configuration ## @@ -689,7 +701,8 @@ perspectives: # Enable SAML2 for registration and login. Uses pysaml2. # -# saml2_config: +# `sp_config` is the configuration for the pysaml2 Service Provider. +# See pysaml2 docs for format of config. # # # The following is the configuration for the pysaml2 Service Provider. # # See pysaml2 docs for format of config. @@ -848,8 +861,8 @@ password_providers: # because it is loaded by the app. iPhone, however will send a # notification saying only that a message arrived and who it came from. # -#push: -# include_content: true +# push: +# include_content: true # spam_checker: @@ -875,8 +888,8 @@ enable_group_creation: false # UPDATE user_directory_stream_pos SET stream_id = NULL; # on your database to tell it to rebuild the user_directory search indexes. # -#user_directory: -# search_all_users: false +# user_directory: +# search_all_users: false # User Consent configuration @@ -955,12 +968,55 @@ enable_group_creation: false # on this server. # # The format of this option is a list of rules that contain globs that -# match against user_id and the new alias (fully qualified with server -# name). The action in the first rule that matches is taken, which can -# currently either be "allow" or "deny". +# match against user_id, room_id and the new alias (fully qualified with +# server name). The action in the first rule that matches is taken, +# which can currently either be "allow" or "deny". # -# If no rules match the request is denied. -alias_creation_rules: - - user_id: "*" - alias: "*" - action: allow +# Missing user_id/room_id/alias fields default to "*". +# +# If no rules match the request is denied. An empty list means no one +# can create aliases. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# alias: Matches against the alias being created +# room_id: Matches against the room ID the alias is being pointed at +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +# alias_creation_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +# The `room_list_publication_rules` option controls who can publish and +# which rooms can be published in the public room list. +# +# The format of this option is the same as that for +# `alias_creation_rules`. +# +# If the room has one or more aliases associated with it, only one of +# the aliases needs to match the alias rule. If there are no aliases +# then only rules with `alias: *` match. +# +# If no rules match the request is denied. An empty list means no one +# can publish rooms. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# room_id: Matches against the room ID being published +# alias: Matches against any current local or canonical aliases +# associated with the room +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +# room_list_publication_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow