matrix: rebase config against 1.14.0

2020-05-30 14:47:22 +02:00 · 2020-05-30 14:47:22 +02:00 · 9bb3111efc
commit 9bb3111efc
parent 8e5ccda050
1 changed files with 400 additions and 65 deletions
--- a/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
+++ b/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
@ -21,10 +21,15 @@
 #
 pid_file: "/var/run/matrix-synapse.pid"
-# The path to the web client which will be served at /_matrix/client/
+# The absolute URL to the web client which /_matrix/client will redirect
-# if 'webclient' is configured under the 'listeners' configuration.
+# to if 'webclient' is configured under the 'listeners' configuration.
 #
-#web_client_location: "/path/to/web/root"
+# This option can be also set to the filesystem path to the web client
 # which will be served at /_matrix/client/ if 'webclient' is configured
 # under the 'listeners' configuration, however this is a security risk:
 # https://github.com/matrix-org/synapse#security-note
 #
 #web_client_location: https://riot.example.com/
 # The public-facing base URL that clients use to access this HS
 # (not including _matrix/...). This is the same URL a user would
@ -236,6 +241,18 @@ listeners:
  #  bind_addresses: ['::1', '127.0.0.1']
  #  type: manhole
 # Forward extremities can build up in a room due to networking delays between
 # homeservers. Once this happens in a large room, calculation of the state of
 # that room can become quite expensive. To mitigate this, once the number of
 # forward extremities reaches a given threshold, Synapse will send an
 # org.matrix.dummy_event event, which will reduce the forward extremities
 # in the room.
 #
 # This setting defines the threshold (i.e. number of forward extremities in the
 # room) at which dummy events are sent. The default value is 10.
 #
 #dummy_events_threshold: 5
 ## Homeserver blocking ##
@ -293,22 +310,27 @@ listeners:
 # Used by phonehome stats to group together related servers.
 #server_context: context
-# Resource-constrained homeserver Settings
+# Resource-constrained homeserver settings
 #
-# If limit_remote_rooms.enabled is True, the room complexity will be
+# When this is enabled, the room "complexity" will be checked before a user
-# checked before a user joins a new remote room. If it is above
+# joins a new remote room. If it is above the complexity limit, the server will
-# limit_remote_rooms.complexity, it will disallow joining or
+# disallow joining, or will instantly leave.
 # instantly leave.
 #
-# limit_remote_rooms.complexity_error can be set to customise the text
+# Room complexity is an arbitrary measure based on factors such as the number of
-# displayed to the user when a room above the complexity threshold has
+# users in the room.
 # its join cancelled.
 #
-# Uncomment the below lines to enable:
+limit_remote_rooms:
-#limit_remote_rooms:
+  # Uncomment to enable room complexity checking.
-#  enabled: true
+  #
-#  complexity: 1.0
+  #enabled: true
-#  complexity_error: "This room is too complex."
+
  # the limit above which rooms cannot be joined. The default is 1.0.
  #
  #complexity: 0.5
  # override the error which is returned when the room is too complex.
  #
  #complexity_error: "This room is too complex."
 # Whether to require a user to be in the room to add an alias to it.
 # Defaults to 'true'.
@ -397,6 +419,16 @@ retention:
  #    longest_max_lifetime: 1y
  #    interval: 1d
 # Inhibits the /requestToken endpoints from returning an error that might leak
 # information about whether an e-mail address is in use or not on this
 # homeserver.
 # Note that for some endpoints the error situation is the e-mail already being
 # used, and for others the error is entering the e-mail being unused.
 # If this option is enabled, instead of returning an error, these endpoints will
 # act as if no error happened and return a fake session ID ('sid') to clients.
 #
 #request_token_inhibit_3pid_errors: true
 ## TLS ##
@ -564,12 +596,91 @@ acme:
 ## Caching ##
 # Caching can be configured through the following options.
 #
 # A cache 'factor' is a multiplier that can be applied to each of
 # Synapse's caches in order to increase or decrease the maximum
 # number of entries that can be stored.
 # The number of events to cache in memory. Not affected by
 # caches.global_factor.
 #
 #event_cache_size: 10K
 caches:
   # Controls the global cache factor, which is the default cache factor
   # for all caches if a specific factor for that cache is not otherwise
   # set.
   #
   # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment
   # variable. Setting by environment variable takes priority over
   # setting through the config file.
   #
   # Defaults to 0.5, which will half the size of all caches.
   #
   #global_factor: 1.0
   # A dictionary of cache name to cache factor for that individual
   # cache. Overrides the global cache factor for a given cache.
   #
   # These can also be set through environment variables comprised
   # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital
   # letters and underscores. Setting by environment variable
   # takes priority over setting through the config file.
   # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0
   #
   # Some caches have '*' and other characters that are not
   # alphanumeric or underscores. These caches can be named with or
   # without the special characters stripped. For example, to specify
   # the cache factor for `*stateGroupCache*` via an environment
   # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`.
   #
   per_cache_factors:
     #get_users_who_share_room_with_user: 2.0
 ## Database ##
 # The 'database' setting defines the database that synapse uses to store all of
 # its data.
 #
 # 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
 # 'psycopg2' (for PostgreSQL).
 #
 # 'args' gives options which are passed through to the database engine,
 # except for options starting 'cp_', which are used to configure the Twisted
 # connection pool. For a reference to valid arguments, see:
 #   * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
 #   * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
 #   * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
 #
 #
 # Example SQLite configuration:
 #
 #database:
 #  name: sqlite3
 #  args:
 #    database: /path/to/homeserver.db
 #
 #
 # Example Postgres configuration:
 #
 #database:
 #  name: psycopg2
 #  args:
 #    user: synapse
 #    password: secretpassword
 #    database: synapse
 #    host: localhost
 #    cp_min: 5
 #    cp_max: 10
 #
 # For more information on using Synapse with Postgres, see `docs/postgres.md`.
 #
 database:
  # The database engine name
  name: "psycopg2"
  # Arguments to pass to the engine
  args:
    user: {{ matrix_dbuser }}
    password: {{ matrix_dbpass }}
@ -689,12 +800,11 @@ media_store_path: "/var/lib/matrix-synapse/media"
 #
 #media_storage_providers:
 #  - module: file_system
-#    # Whether to write new local files.
+#    # Whether to store newly uploaded local files
 #    store_local: false
-#    # Whether to write new remote media
+#    # Whether to store newly downloaded remote files
 #    store_remote: false
-#    # Whether to block upload requests waiting for write to this
+#    # Whether to wait for successful storage for local uploads
 #    # provider to complete
 #    store_synchronous: false
 #    config:
 #       directory: /mnt/some/other/directory
@ -813,31 +923,55 @@ max_upload_size: 10M
 #
 #max_spider_size: 10M
 # A list of values for the Accept-Language HTTP header used when
 # downloading webpages during URL preview generation. This allows
 # Synapse to specify the preferred languages that URL previews should
 # be in when communicating with remote servers.
 #
 # Each value is a IETF language tag; a 2-3 letter identifier for a
 # language, optionally followed by subtags separated by '-', specifying
 # a country or region variant.
 #
 # Multiple values can be provided, and a weight can be added to each by
 # using quality value syntax (;q=). '*' translates to any language.
 #
 # Defaults to "en".
 #
 # Example:
 #
 # url_preview_accept_language:
 #   - en-UK
 #   - en-US;q=0.9
 #   - fr;q=0.8
 #   - *;q=0.7
 #
 url_preview_accept_language:
 #   - en
 ## Captcha ##
-# See docs/CAPTCHA_SETUP for full details of configuring this.
+# See docs/CAPTCHA_SETUP.md for full details of configuring this.
-# This homeserver's ReCAPTCHA public key.
+# This homeserver's ReCAPTCHA public key. Must be specified if
 # enable_registration_captcha is enabled.
 #
 #recaptcha_public_key: "YOUR_PUBLIC_KEY"
-# This homeserver's ReCAPTCHA private key.
+# This homeserver's ReCAPTCHA private key. Must be specified if
 # enable_registration_captcha is enabled.
 #
 #recaptcha_private_key: "YOUR_PRIVATE_KEY"
-# Enables ReCaptcha checks when registering, preventing signup
+# Uncomment to enable ReCaptcha checks when registering, preventing signup
 # unless a captcha is answered. Requires a valid ReCaptcha
-# public/private key.
+# public/private key. Defaults to 'false'.
 #
-#enable_registration_captcha: false
+#enable_registration_captcha: true
 # A secret key used to bypass the captcha test entirely.
 #
 #captcha_bypass_secret: "YOUR_SECRET_HERE"
 # The API endpoint to use for verifying m.login.recaptcha responses.
 # Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify".
 #
-#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify"
+#recaptcha_siteverify_api: "https://my.recaptcha.site"
 ## TURN ##
@ -981,7 +1115,7 @@ account_validity:
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #
-# registration_shared_secret: <PRIVATE STRING>
+#registration_shared_secret: <PRIVATE STRING>
 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
@ -1049,6 +1183,29 @@ account_threepid_delegates:
    #email: https://example.com     # Delegate email sending to example.com
    #msisdn: http://localhost:8090  # Delegate SMS sending to this local process
 # Whether users are allowed to change their displayname after it has
 # been initially set. Useful when provisioning users based on the
 # contents of a third-party directory.
 #
 # Does not apply to server administrators. Defaults to 'true'
 #
 #enable_set_displayname: false
 # Whether users are allowed to change their avatar after it has been
 # initially set. Useful when provisioning users based on the contents
 # of a third-party directory.
 #
 # Does not apply to server administrators. Defaults to 'true'
 #
 #enable_set_avatar_url: false
 # Whether users can change the 3PIDs associated with their accounts
 # (email address and msisdn).
 #
 # Defaults to 'true'
 #
 enable_3pid_changes: false
 # Users who register on this homeserver will automatically be joined
 # to these rooms
 #
@ -1084,13 +1241,15 @@ account_threepid_delegates:
 # enabled by default, either for performance reasons or limited use.
 #
 metrics_flags:
-    # Publish synapse_federation_known_servers, a g auge of the number of
+    # Publish synapse_federation_known_servers, a gauge of the number of
    # servers this homeserver knows about, including itself. May cause
    # performance problems on large homeservers.
    #
    #known_servers: true
 # Whether or not to report anonymized homeserver usage statistics.
 #
 #report_stats: true|false
 # The endpoint to report the anonymized homeserver usage statistics to.
 # Defaults to https://matrix.org/report-usage-stats/push
@ -1126,13 +1285,13 @@ metrics_flags:
 # the registration_shared_secret is used, if one is given; otherwise,
 # a secret key is derived from the signing key.
 #
-# macaroon_secret_key: <PRIVATE STRING>
+#macaroon_secret_key: <PRIVATE STRING>
 # a secret which is used to calculate HMACs for form values, to stop
 # falsification of values. Must be specified for the User Consent
 # forms to work.
 #
-# form_secret: <PRIVATE STRING>
+#form_secret: <PRIVATE STRING>
 ## Signing Keys ##
@ -1249,32 +1408,32 @@ saml2_config:
  #    remote:
  #      - url: https://our_idp/metadata.xml
  #
-  #    # By default, the user has to go to our login page first. If you'd like
+  #  # By default, the user has to go to our login page first. If you'd like
-  #    # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
+  #  # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
-  #    # 'service.sp' section:
+  #  # 'service.sp' section:
-  #    #
+  #  #
-  #    #service:
+  #  #service:
-  #    #  sp:
+  #  #  sp:
-  #    #    allow_unsolicited: true
+  #  #    allow_unsolicited: true
  #
-  #    # The examples below are just used to generate our metadata xml, and you
+  #  # The examples below are just used to generate our metadata xml, and you
-  #    # may well not need them, depending on your setup. Alternatively you
+  #  # may well not need them, depending on your setup. Alternatively you
-  #    # may need a whole lot more detail - see the pysaml2 docs!
+  #  # may need a whole lot more detail - see the pysaml2 docs!
  #
-  #    description: ["My awesome SP", "en"]
+  #  description: ["My awesome SP", "en"]
-  #    name: ["Test SP", "en"]
+  #  name: ["Test SP", "en"]
  #
-  #    organization:
+  #  organization:
-  #      name: Example com
+  #    name: Example com
-  #      display_name:
+  #    display_name:
-  #        - ["Example co", "en"]
+  #      - ["Example co", "en"]
-  #      url: "http://example.com"
+  #    url: "http://example.com"
  #
-  #    contact_person:
+  #  contact_person:
-  #      - given_name: Bob
+  #    - given_name: Bob
-  #        sur_name: "the Sysadmin"
+  #      sur_name: "the Sysadmin"
-  #        email_address": ["admin@example.com"]
+  #      email_address": ["admin@example.com"]
-  #        contact_type": technical
+  #      contact_type": technical
  # Instead of putting the config inline as above, you can specify a
  # separate pysaml2 configuration file:
@ -1358,6 +1517,94 @@ saml2_config:
  #template_dir: "res/templates"
 # Enable OpenID Connect for registration and login. Uses authlib.
 #
 oidc_config:
    # enable OpenID Connect. Defaults to false.
    #
    #enabled: true
    # use the OIDC discovery mechanism to discover endpoints. Defaults to true.
    #
    #discover: true
    # the OIDC issuer. Used to validate tokens and discover the providers endpoints. Required.
    #
    #issuer: "https://accounts.example.com/"
    # oauth2 client id to use. Required.
    #
    #client_id: "provided-by-your-issuer"
    # oauth2 client secret to use. Required.
    #
    #client_secret: "provided-by-your-issuer"
    # auth method to use when exchanging the token.
    # Valid values are "client_secret_basic" (default), "client_secret_post" and "none".
    #
    #client_auth_method: "client_secret_basic"
    # list of scopes to ask. This should include the "openid" scope. Defaults to ["openid"].
    #
    #scopes: ["openid"]
    # the oauth2 authorization endpoint. Required if provider discovery is disabled.
    #
    #authorization_endpoint: "https://accounts.example.com/oauth2/auth"
    # the oauth2 token endpoint. Required if provider discovery is disabled.
    #
    #token_endpoint: "https://accounts.example.com/oauth2/token"
    # the OIDC userinfo endpoint. Required if discovery is disabled and the "openid" scope is not asked.
    #
    #userinfo_endpoint: "https://accounts.example.com/userinfo"
    # URI where to fetch the JWKS. Required if discovery is disabled and the "openid" scope is used.
    #
    #jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
    # skip metadata verification. Defaults to false.
    # Use this if you are connecting to a provider that is not OpenID Connect compliant.
    # Avoid this in production.
    #
    #skip_verification: false
    # An external module can be provided here as a custom solution to mapping
    # attributes returned from a OIDC provider onto a matrix user.
    #
    user_mapping_provider:
      # The custom module's class. Uncomment to use a custom module.
      # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
      #
      #module: mapping_provider.OidcMappingProvider
      # Custom configuration values for the module. Below options are intended
      # for the built-in provider, they should be changed if using a custom
      # module. This section will be passed as a Python dictionary to the
      # module's `parse_config` method.
      #
      # Below is the config of the default mapping provider, based on Jinja2
      # templates. Those templates are used to render user attributes, where the
      # userinfo object is available through the `user` variable.
      #
      config:
        # name of the claim containing a unique identifier for the user.
        # Defaults to `sub`, which OpenID Connect compliant providers should provide.
        #
        #subject_claim: "sub"
        # Jinja2 template for the localpart of the MXID
        #
        localpart_template: "<{ user.preferred_username }>"
        # Jinja2 template for the display name to set on first login. Optional.
        #
        #display_name_template: "<{ user.given_name }> <{ user.last_name }>"
 # Enable CAS for registration and login.
 #
@ -1383,6 +1630,10 @@ sso:
    # phishing attacks from evil.site. To avoid this, include a slash after the
    # hostname: "https://my.client/".
    #
    # If public_baseurl is set, then the login fallback page (used by clients
    # that don't natively support the required login flows) is whitelisted in
    # addition to any URLs in this list.
    #
    # By default, this list is empty.
    #
    #client_whitelist:
@ -1414,6 +1665,37 @@ sso:
    #
    #     * server_name: the homeserver's name.
    #
    # * HTML page which notifies the user that they are authenticating to confirm
    #   an operation on their account during the user interactive authentication
    #   process: 'sso_auth_confirm.html'.
    #
    #   When rendering, this template is given the following variables:
    #     * redirect_url: the URL the user is about to be redirected to. Needs
    #                     manual escaping (see
    #                     https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * description: the operation which the user is being asked to confirm
    #
    # * HTML page shown after a successful user interactive authentication session:
    #   'sso_auth_success.html'.
    #
    #   Note that this page must include the JavaScript which notifies of a successful authentication
    #   (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback).
    #
    #   This template has no additional variables.
    #
    # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)
    #   attempts to login: 'sso_account_deactivated.html'.
    #
    #   This template has no additional variables.
    #
    # * HTML page to display to users if something goes wrong during the
    #   OpenID Connect authentication process: 'sso_error.html'.
    #
    #   When rendering, this template is given two variables:
    #     * error: the technical name of the error
    #     * error_description: a human-readable message for the error
    #
    # You can see the default templates at:
    # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
    #
@ -1444,6 +1726,41 @@ password_config:
   #
   #pepper: "EVEN_MORE_SECRET"
   # Define and enforce a password policy. Each parameter is optional.
   # This is an implementation of MSC2000.
   #
   policy:
      # Whether to enforce the password policy.
      # Defaults to 'false'.
      #
      #enabled: true
      # Minimum accepted length for a password.
      # Defaults to 0.
      #
      #minimum_length: 15
      # Whether a password must contain at least one digit.
      # Defaults to 'false'.
      #
      #require_digit: true
      # Whether a password must contain at least one symbol.
      # A symbol is any character that's not a number or a letter.
      # Defaults to 'false'.
      #
      #require_symbol: true
      # Whether a password must contain at least one lowercase letter.
      # Defaults to 'false'.
      #
      #require_lowercase: true
      # Whether a password must contain at least one lowercase letter.
      # Defaults to 'false'.
      #
      #require_uppercase: true
 # Configuration for sending emails from Synapse.
 #
@ -1459,8 +1776,8 @@ email:
  # Username/password for authentication to the SMTP server. By default, no
  # authentication is attempted.
  #
-  # smtp_user: "exampleusername"
+  #smtp_user: "exampleusername"
-  # smtp_pass: "examplepassword"
+  #smtp_pass: "examplepassword"
  # Uncomment the following to require TLS transport security for SMTP.
  # By default, Synapse will connect over plain text, and will then switch to
@ -1552,6 +1869,17 @@ email:
  #template_dir: "res/templates"
 # Password providers allow homeserver administrators to integrate
 # their Synapse installation with existing authentication methods
 # ex. LDAP, external tokens, etc.
 #
 # For more information and known implementations, please see
 # https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md
 #
 # Note: instances wishing to use SAML or CAS authentication should
 # instead use the `saml2_config` or `cas_config` options,
 # respectively.
 #
 password_providers:
    - module: "ldap_auth_provider.LdapAuthProvider"
      config:
@ -1585,10 +1913,17 @@ password_providers:
 #  include_content: true
-#spam_checker:
+# Spam checkers are third-party modules that can block specific actions
-#  module: "my_custom_project.SuperSpamChecker"
+# of local users, such as creating rooms and registering undesirable
-#  config:
+# usernames, as well as remote users by redacting incoming events.
-#    example_option: 'things'
+#
 spam_checker:
   #- module: "my_custom_project.SuperSpamChecker"
   #  config:
   #    example_option: 'things'
   #- module: "some_other_project.BadEventStopper"
   #  config:
   #    example_stop_events_from: ['@bad:example.com']
 # Uncomment to allow non-server-admin users to create groups on this server