matrix: rebase homeserver.yml against upstream

2021-01-28 18:29:47 +01:00 · 2021-01-28 18:29:47 +01:00 · a7373f86f3
commit a7373f86f3
parent 4cc75159d2
1 changed files with 492 additions and 254 deletions
--- a/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
+++ b/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
@ -8,10 +8,23 @@
 ## Server ##
-# The domain name of the server, with optional explicit port.
+# The public-facing domain of the server
-# This is used by remote servers to connect to this server,
+#
-# e.g. matrix.org, localhost:8080, etc.
+# The server_name name will appear at the end of usernames and room addresses
-# This is also the last part of your UserID.
+# created on this server. For example if the server_name was example.com,
 # usernames on this server would be in the format @user:example.com
 #
 # In most cases you should avoid using a matrix specific subdomain such as
 # matrix.example.com or synapse.example.com as the server_name for the same
 # reasons you wouldn't use user@email.example.com as your email address.
 # See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md
 # for information on how to host Synapse on a subdomain while preserving
 # a clean server_name.
 #
 # The server_name cannot be changed later so it is important to
 # configure this correctly before you start Synapse. It should be all
 # lowercase and may contain an explicit port.
 # Examples: matrix.org, localhost:8080
 #
 #
 # This is set in /etc/matrix-synapse/conf.d/server_name.yaml for Debian installations.
@ -31,11 +44,16 @@ pid_file: "/var/run/matrix-synapse.pid"
 #
 #web_client_location: https://riot.example.com/
-# The public-facing base URL that clients use to access this HS
+# The public-facing base URL that clients use to access this Homeserver (not
-# (not including _matrix/...). This is the same URL a user would
+# including _matrix/...). This is the same URL a user might enter into the
-# enter into the 'custom HS URL' field on their client. If you
+# 'Custom Homeserver URL' field on their client. If you use Synapse with a
-# use synapse with a reverse proxy, this should be the URL to reach
+# reverse proxy, this should be the URL to reach Synapse via the proxy.
-# synapse via the proxy.
+# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
 # 'listeners' below).
 #
 # If this is left unset, it defaults to 'https://<server_name>/'. (Note that
 # that will not work unless you configure Synapse or a reverse-proxy to listen
 # on port 443.)
 #
 public_baseurl: https://{{ matrix_domain }}/
@ -83,7 +101,7 @@ public_baseurl: https://{{ matrix_domain }}/
 # For example, for room version 1, default_room_version should be set
 # to "1".
 #
-#default_room_version: "5"
+#default_room_version: "6"
 # The GC threshold parameters to pass to `gc.set_threshold`, if defined
 #
@ -108,6 +126,47 @@ public_baseurl: https://{{ matrix_domain }}/
 #
 #enable_search: false
 # Prevent outgoing requests from being sent to the following blacklisted IP address
 # CIDR ranges. If this option is not specified then it defaults to private IP
 # address ranges (see the example below).
 #
 # The blacklist applies to the outbound requests for federation, identity servers,
 # push servers, and for checking key validity for third-party invite events.
 #
 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
 # listed here, since they correspond to unroutable addresses.)
 #
 # This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
 #
 #ip_range_blacklist:
 #  - '127.0.0.0/8'
 #  - '10.0.0.0/8'
 #  - '172.16.0.0/12'
 #  - '192.168.0.0/16'
 #  - '100.64.0.0/10'
 #  - '192.0.0.0/24'
 #  - '169.254.0.0/16'
 #  - '198.18.0.0/15'
 #  - '192.0.2.0/24'
 #  - '198.51.100.0/24'
 #  - '203.0.113.0/24'
 #  - '224.0.0.0/4'
 #  - '::1/128'
 #  - 'fe80::/10'
 #  - 'fc00::/7'
 # List of IP address CIDR ranges that should be allowed for federation,
 # identity servers, push servers, and for checking key validity for
 # third-party invite events. This is useful for specifying exceptions to
 # wide-ranging blacklisted target IP ranges - e.g. for communication with
 # a push server only visible in your network.
 #
 # This whitelist overrides ip_range_blacklist and defaults to an empty
 # list.
 #
 #ip_range_whitelist:
 #   - '192.168.1.1'
 # List of ports that Synapse should listen on, their purpose and their
 # configuration.
 #
@ -355,11 +414,10 @@ retention:
  #  min_lifetime: 1d
  #  max_lifetime: 1y
-  # Retention policy limits. If set, a user won't be able to send a
+  # Retention policy limits. If set, and the state of a room contains a
-  # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime'
+  # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
-  # that's not within this range. This is especially useful in closed federations,
+  # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
-  # in which server admins can make sure every federating server applies the same
+  # to these limits when running purge jobs.
  # rules.
  #
  #allowed_lifetime_min: 1d
  #allowed_lifetime_max: 1y
@ -385,12 +443,19 @@ retention:
  # (e.g. every 12h), but not want that purge to be performed by a job that's
  # iterating over every room it knows, which could be heavy on the server.
  #
  # If any purge job is configured, it is strongly recommended to have at least
  # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
  # set, or one job without 'shortest_max_lifetime' and one job without
  # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
  # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
  # room's policy to these values is done after the policies are retrieved from
  # Synapse's database (which is done using the range specified in a purge job's
  # configuration).
  #
  #purge_jobs:
-  #  - shortest_max_lifetime: 1d
+  #  - longest_max_lifetime: 3d
  #    longest_max_lifetime: 3d
  #    interval: 12h
  #  - shortest_max_lifetime: 3d
  #    longest_max_lifetime: 1y
  #    interval: 1d
 # Inhibits the /requestToken endpoints from returning an error that might leak
@ -403,6 +468,24 @@ retention:
 #
 #request_token_inhibit_3pid_errors: true
 # A list of domains that the domain portion of 'next_link' parameters
 # must match.
 #
 # This parameter is optionally provided by clients while requesting
 # validation of an email or phone number, and maps to a link that
 # users will be automatically redirected to after validation
 # succeeds. Clients can make use this parameter to aid the validation
 # process.
 #
 # The whitelist is applied whether the homeserver or an
 # identity server is handling validation.
 #
 # The default value is no whitelist functionality; all domains are
 # allowed. Setting this value to an empty list will instead disallow
 # all domains.
 #
 #next_link_domain_whitelist: ["matrix.org"]
 ## TLS ##
@ -569,6 +652,7 @@ acme:
 #tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
 ## Federation ##
 # Restrict federation to the following whitelist of domains.
 # N.B. we recommend also firewalling your federation listener to limit
@ -581,26 +665,16 @@ acme:
 #  - nyc.example.com
 #  - syd.example.com
-# Prevent federation requests from being sent to the following
+# Report prometheus metrics on the age of PDUs being sent to and received from
-# blacklist IP address CIDR ranges. If this option is not specified, or
+# the following domains. This can be used to give an idea of "delay" on inbound
-# specified with an empty list, no ip range blacklist will be enforced.
+# and outbound federation, though be aware that any delay can be due to problems
 # at either end or with the intermediate network.
 #
-# As of Synapse v1.4.0 this option also affects any outbound requests to identity
+# By default, no domains are monitored in this way.
 # servers provided by user input.
 #
-# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
+#federation_metrics_domains:
-# listed here, since they correspond to unroutable addresses.)
+#  - matrix.org
-#
+#  - example.com
 federation_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'
 ## Caching ##
@ -890,9 +964,15 @@ max_upload_size: 25M
 #  - '172.16.0.0/12'
 #  - '192.168.0.0/16'
 #  - '100.64.0.0/10'
 #  - '192.0.0.0/24'
 #  - '169.254.0.0/16'
 #  - '198.18.0.0/15'
 #  - '192.0.2.0/24'
 #  - '198.51.100.0/24'
 #  - '203.0.113.0/24'
 #  - '224.0.0.0/4'
 #  - '::1/128'
-#  - 'fe80::/64'
+#  - 'fe80::/10'
 #  - 'fc00::/7'
 # List of IP address CIDR ranges that the URL preview spider is allowed
@ -1061,8 +1141,9 @@ account_validity:
  # send an email to the account's email address with a renewal link. By
  # default, no such emails are sent.
  #
-  # If you enable this setting, you will also need to fill out the 'email' and
+  # If you enable this setting, you will also need to fill out the 'email'
-  # 'public_baseurl' configuration sections.
+  # configuration section. You should also check that 'public_baseurl' is set
  # correctly.
  #
  #renew_at: 1w
@ -1153,8 +1234,7 @@ account_validity:
 # The identity server which we suggest that clients should use when users log
 # in on this server.
 #
-# (By default, no suggestion is made, so it is left up to the client.
+# (By default, no suggestion is made, so it is left up to the client.)
 # This setting is ignored unless public_baseurl is also set.)
 #
 #default_identity_server: https://matrix.org
@ -1167,8 +1247,9 @@ account_validity:
 # email will be globally disabled.
 #
 # Additionally, if `msisdn` is not set, registration and password resets via msisdn
-# will be disabled regardless. This is due to Synapse currently not supporting any
+# will be disabled regardless, and users will not be able to associate an msisdn
-# method of sending SMS messages on its own.
+# identifier to their account. This is due to Synapse currently not supporting
 # any method of sending SMS messages on its own.
 #
 # To enable using an identity server for operations regarding a particular third-party
 # identifier type, set the value to the URL of that identity server as shown in the
@ -1178,8 +1259,6 @@ account_validity:
 # by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
 # If a delegate is specified, the config option public_baseurl must also be filled out.
 #
 account_threepid_delegates:
    #email: https://example.com     # Delegate email sending to example.com
    #msisdn: http://localhost:8090  # Delegate SMS sending to this local process
@ -1442,16 +1521,22 @@ trusted_key_servers:
 ## Single sign-on integration ##
 # The following settings can be used to make Synapse use a single sign-on
 # provider for authentication, instead of its internal password database.
 #
 # You will probably also want to set the following options to `false` to
 # disable the regular login/registration flows:
 #   * enable_registration
 #   * password_config.enabled
 #
 # You will also want to investigate the settings under the "sso" configuration
 # section below.
 # Enable SAML2 for registration and login. Uses pysaml2.
 #
 # At least one of `sp_config` or `config_path` must be set in this section to
 # enable SAML login.
 #
 # (You will probably also want to set the following options to `false` to
 # disable the regular login/registration flows:
 #   * enable_registration
 #   * password_config.enabled
 #
 # Once SAML support is enabled, a metadata file will be exposed at
 # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
 # use to configure your SAML IdP with. Alternatively, you can manually configure
@ -1466,40 +1551,70 @@ saml2_config:
  # so it is not normally necessary to specify them unless you need to
  # override them.
  #
-  #sp_config:
+  sp_config:
-  #  # point this to the IdP's metadata. You can use either a local file or
+    # Point this to the IdP's metadata. You must provide either a local
-  #  # (preferably) a URL.
+    # file via the `local` attribute or (preferably) a URL via the
-  #  metadata:
+    # `remote` attribute.
-  #    #local: ["saml2/idp.xml"]
+    #
-  #    remote:
+    #metadata:
-  #      - url: https://our_idp/metadata.xml
+    #  local: ["saml2/idp.xml"]
-  #
+    #  remote:
-  #  # By default, the user has to go to our login page first. If you'd like
+    #    - url: https://our_idp/metadata.xml
-  #  # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
+
-  #  # 'service.sp' section:
+    # Allowed clock difference in seconds between the homeserver and IdP.
-  #  #
+    #
-  #  #service:
+    # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
-  #  #  sp:
+    #
-  #  #    allow_unsolicited: true
+    #accepted_time_diff: 3
-  #
+
-  #  # The examples below are just used to generate our metadata xml, and you
+    # By default, the user has to go to our login page first. If you'd like
-  #  # may well not need them, depending on your setup. Alternatively you
+    # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
-  #  # may need a whole lot more detail - see the pysaml2 docs!
+    # 'service.sp' section:
-  #
+    #
-  #  description: ["My awesome SP", "en"]
+    #service:
-  #  name: ["Test SP", "en"]
+    #  sp:
-  #
+    #    allow_unsolicited: true
-  #  organization:
+
-  #    name: Example com
+    # The examples below are just used to generate our metadata xml, and you
-  #    display_name:
+    # may well not need them, depending on your setup. Alternatively you
-  #      - ["Example co", "en"]
+    # may need a whole lot more detail - see the pysaml2 docs!
-  #    url: "http://example.com"
+
-  #
+    #description: ["My awesome SP", "en"]
-  #  contact_person:
+    #name: ["Test SP", "en"]
-  #    - given_name: Bob
+
-  #      sur_name: "the Sysadmin"
+    #ui_info:
-  #      email_address": ["admin@example.com"]
+    #  display_name:
-  #      contact_type": technical
+    #    - lang: en
    #      text: "Display Name is the descriptive name of your service."
    #  description:
    #    - lang: en
    #      text: "Description should be a short paragraph explaining the purpose of the service."
    #  information_url:
    #    - lang: en
    #      text: "https://example.com/terms-of-service"
    #  privacy_statement_url:
    #    - lang: en
    #      text: "https://example.com/privacy-policy"
    #  keywords:
    #    - lang: en
    #      text: ["Matrix", "Element"]
    #  logo:
    #    - lang: en
    #      text: "https://example.com/logo.svg"
    #      width: "200"
    #      height: "80"
    #organization:
    #  name: Example com
    #  display_name:
    #    - ["Example co", "en"]
    #  url: "http://example.com"
    #contact_person:
    #  - given_name: Bob
    #    sur_name: "the Sysadmin"
    #    email_address": ["admin@example.com"]
    #    contact_type": technical
  # Instead of putting the config inline as above, you can specify a
  # separate pysaml2 configuration file:
@ -1574,157 +1689,200 @@ saml2_config:
  #  - attribute: department
  #    value: "sales"
-  # Directory in which Synapse will try to find the template files below.
+  # If the metadata XML contains multiple IdP entities then the `idp_entityid`
-  # If not set, default templates from within the Synapse package will be used.
+  # option must be set to the entity to redirect users to.
  #
-  # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
+  # Most deployments only have a single IdP entity and so should omit this
-  # If you *do* uncomment it, you will need to make sure that all the templates
+  # option.
  # below are in the directory.
  #
-  # Synapse will look for the following templates in this directory:
+  #idp_entityid: 'https://our_idp/entityid'
  #
  # * HTML page to display to users if something goes wrong during the
  #   authentication process: 'saml_error.html'.
  #
  #   When rendering, this template is given the following variables:
  #     * code: an HTML error code corresponding to the error that is being
  #       returned (typically 400 or 500)
  #
  #     * msg: a textual message describing the error.
  #
  #   The variables will automatically be HTML-escaped.
  #
  # You can see the default templates at:
  # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
  #
  #template_dir: "res/templates"
-# OpenID Connect integration. The following settings can be used to make Synapse
+# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
-# use an OpenID Connect Provider for authentication, instead of its internal
+# and login.
 # password database.
 #
-# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md.
+# Options for each entry include:
 #
-oidc_config:
+#   idp_id: a unique identifier for this identity provider. Used internally
-  # Uncomment the following to enable authorization against an OpenID Connect
+#       by Synapse; should be a single word such as 'github'.
-  # server. Defaults to false.
+#
 #       Note that, if this is changed, users authenticating via that provider
 #       will no longer be recognised as the same user!
 #
 #   idp_name: A user-facing name for this identity provider, which is used to
 #       offer the user a choice of login mechanisms.
 #
 #   idp_icon: An optional icon for this identity provider, which is presented
 #       by identity picker pages. If given, must be an MXC URI of the format
 #       mxc://<server-name>/<media-id>. (An easy way to obtain such an MXC URI
 #       is to upload an image to an (unencrypted) room and then copy the "url"
 #       from the source of the event.)
 #
 #   discover: set to 'false' to disable the use of the OIDC discovery mechanism
 #       to discover endpoints. Defaults to true.
 #
 #   issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
 #       is enabled) to discover the provider's endpoints.
 #
 #   client_id: Required. oauth2 client id to use.
 #
 #   client_secret: Required. oauth2 client secret to use.
 #
 #   client_auth_method: auth method to use when exchanging the token. Valid
 #       values are 'client_secret_basic' (default), 'client_secret_post' and
 #       'none'.
 #
 #   scopes: list of scopes to request. This should normally include the "openid"
 #       scope. Defaults to ["openid"].
 #
 #   authorization_endpoint: the oauth2 authorization endpoint. Required if
 #       provider discovery is disabled.
 #
 #   token_endpoint: the oauth2 token endpoint. Required if provider discovery is
 #       disabled.
 #
 #   userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
 #       disabled and the 'openid' scope is not requested.
 #
 #   jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
 #       the 'openid' scope is used.
 #
 #   skip_verification: set to 'true' to skip metadata verification. Use this if
 #       you are connecting to a provider that is not OpenID Connect compliant.
 #       Defaults to false. Avoid this in production.
 #
 #   user_profile_method: Whether to fetch the user profile from the userinfo
 #       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
 #
 #       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
 #       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
 #       userinfo endpoint.
 #
 #   allow_existing_users: set to 'true' to allow a user logging in via OIDC to
 #       match a pre-existing account instead of failing. This could be used if
 #       switching from password logins to OIDC. Defaults to false.
 #
 #   user_mapping_provider: Configuration for how attributes returned from a OIDC
 #       provider are mapped onto a matrix user. This setting has the following
 #       sub-properties:
 #
 #       module: The class name of a custom mapping module. Default is
 #           'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
 #           See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
 #           for information on implementing a custom mapping provider.
 #
 #       config: Configuration for the mapping provider module. This section will
 #           be passed as a Python dictionary to the user mapping provider
 #           module's `parse_config` method.
 #
 #           For the default provider, the following settings are available:
 #
 #             sub: name of the claim containing a unique identifier for the
 #                 user. Defaults to 'sub', which OpenID Connect compliant
 #                 providers should provide.
 #
 #             localpart_template: Jinja2 template for the localpart of the MXID.
 #                 If this is not set, the user will be prompted to choose their
 #                 own username.
 #
 #             display_name_template: Jinja2 template for the display name to set
 #                 on first login. If unset, no displayname will be set.
 #
 #             extra_attributes: a map of Jinja2 templates for extra attributes
 #                 to send back to the client during login.
 #                 Note that these are non-standard and clients will ignore them
 #                 without modifications.
 #
 #           When rendering, the Jinja2 templates are given a 'user' variable,
 #           which is set to the claims returned by the UserInfo Endpoint and/or
 #           in the ID Token.
 #
 # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
 # for information on how to configure these options.
 #
 # For backwards compatibility, it is also possible to configure a single OIDC
 # provider via an 'oidc_config' setting. This is now deprecated and admins are
 # advised to migrate to the 'oidc_providers' format. (When doing that migration,
 # use 'oidc' for the idp_id to ensure that existing users continue to be
 # recognised.)
 #
 oidc_providers:
  # Generic example
  #
  #- idp_id: my_idp
  #  idp_name: "My OpenID provider"
  #  idp_icon: "mxc://example.com/mediaid"
  #  discover: false
  #  issuer: "https://accounts.example.com/"
  #  client_id: "provided-by-your-issuer"
  #  client_secret: "provided-by-your-issuer"
  #  client_auth_method: client_secret_post
  #  scopes: ["openid", "profile"]
  #  authorization_endpoint: "https://accounts.example.com/oauth2/auth"
  #  token_endpoint: "https://accounts.example.com/oauth2/token"
  #  userinfo_endpoint: "https://accounts.example.com/userinfo"
  #  jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
  #  skip_verification: true
  # For use with Keycloak
  #
  #- idp_id: keycloak
  #  idp_name: Keycloak
  #  issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name"
  #  client_id: "synapse"
  #  client_secret: "copy secret generated in Keycloak UI"
  #  scopes: ["openid", "profile"]
  # For use with Github
  #
  #- idp_id: github
  #  idp_name: Github
  #  discover: false
  #  issuer: "https://github.com/"
  #  client_id: "your-client-id" # TO BE FILLED
  #  client_secret: "your-client-secret" # TO BE FILLED
  #  authorization_endpoint: "https://github.com/login/oauth/authorize"
  #  token_endpoint: "https://github.com/login/oauth/access_token"
  #  userinfo_endpoint: "https://api.github.com/user"
  #  scopes: ["read:user"]
  #  user_mapping_provider:
  #    config:
  #      subject_claim: "id"
  #      localpart_template: "{ user.login }"
  #      display_name_template: "{ user.name }"
 # Enable Central Authentication Service (CAS) for registration and login.
 #
 cas_config:
  # Uncomment the following to enable authorization against a CAS server.
  # Defaults to false.
  #
  #enabled: true
-  # Uncomment the following to disable use of the OIDC discovery mechanism to
+  # The URL of the CAS authorization endpoint.
  # discover endpoints. Defaults to true.
  #
-  #discover: false
+  #server_url: "https://cas-server.com"
-  # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to
+  # The public URL of the homeserver.
  # discover the provider's endpoints.
  #
-  # Required if 'enabled' is true.
+  #service_url: "https://homeserver.domain.com:8448"
  # The attribute of the CAS response to use as the display name.
  #
-  #issuer: "https://accounts.example.com/"
+  # If unset, no displayname will be set.
  # oauth2 client id to use.
  #
-  # Required if 'enabled' is true.
+  #displayname_attribute: name
  # It is possible to configure Synapse to only allow logins if CAS attributes
  # match particular values. All of the keys in the mapping below must exist
  # and the values must match the given value. Alternately if the given value
  # is None then any value is allowed (the attribute just must exist).
  # All of the listed attributes must match for the login to be permitted.
  #
-  #client_id: "provided-by-your-issuer"
+  #required_attributes:
-
+  #  userGroup: "staff"
-  # oauth2 client secret to use.
+  #  department: None
  #
  # Required if 'enabled' is true.
  #
  #client_secret: "provided-by-your-issuer"
  # auth method to use when exchanging the token.
  # Valid values are 'client_secret_basic' (default), 'client_secret_post' and
  # 'none'.
  #
  #client_auth_method: client_secret_post
  # list of scopes to request. This should normally include the "openid" scope.
  # Defaults to ["openid"].
  #
  #scopes: ["openid", "profile"]
  # the oauth2 authorization endpoint. Required if provider discovery is disabled.
  #
  #authorization_endpoint: "https://accounts.example.com/oauth2/auth"
  # the oauth2 token endpoint. Required if provider discovery is disabled.
  #
  #token_endpoint: "https://accounts.example.com/oauth2/token"
  # the OIDC userinfo endpoint. Required if discovery is disabled and the
  # "openid" scope is not requested.
  #
  #userinfo_endpoint: "https://accounts.example.com/userinfo"
  # URI where to fetch the JWKS. Required if discovery is disabled and the
  # "openid" scope is used.
  #
  #jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
  # Uncomment to skip metadata verification. Defaults to false.
  #
  # Use this if you are connecting to a provider that is not OpenID Connect
  # compliant.
  # Avoid this in production.
  #
  #skip_verification: true
  # An external module can be provided here as a custom solution to mapping
  # attributes returned from a OIDC provider onto a matrix user.
  #
  user_mapping_provider:
    # The custom module's class. Uncomment to use a custom module.
    # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
    #
    # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
    # for information on implementing a custom mapping provider.
    #
    #module: mapping_provider.OidcMappingProvider
    # Custom configuration values for the module. This section will be passed as
    # a Python dictionary to the user mapping provider module's `parse_config`
    # method.
    #
    # The examples below are intended for the default provider: they should be
    # changed if using a custom provider.
    #
    config:
      # name of the claim containing a unique identifier for the user.
      # Defaults to `sub`, which OpenID Connect compliant providers should provide.
      #
      #subject_claim: "sub"
      # Jinja2 template for the localpart of the MXID.
      #
      # When rendering, this template is given the following variables:
      #   * user: The claims returned by the UserInfo Endpoint and/or in the ID
      #     Token
      #
      # This must be configured if using the default mapping provider.
      #
      #localpart_template: "<{ user.preferred_username }>"
      # Jinja2 template for the display name to set on first login.
      #
      # If unset, no displayname will be set.
      #
      #display_name_template: "<{ user.given_name }> <{ user.last_name }>"
 # Enable CAS for registration and login.
 #
 #cas_config:
 #   enabled: true
 #   server_url: "https://cas-server.com"
 #   service_url: "https://homeserver.domain.com:8448"
 #   #displayname_attribute: name
 #   #required_attributes:
 #   #    name: value
 # Additional settings to use with single-sign on systems such as OpenID Connect,
@ -1741,9 +1899,9 @@ sso:
    # phishing attacks from evil.site. To avoid this, include a slash after the
    # hostname: "https://my.client/".
    #
-    # If public_baseurl is set, then the login fallback page (used by clients
+    # The login fallback page (used by clients that don't natively support the
-    # that don't natively support the required login flows) is whitelisted in
+    # required login flows) is automatically whitelisted in addition to any URLs
-    # addition to any URLs in this list.
+    # in this list.
    #
    # By default, this list is empty.
    #
@ -1752,14 +1910,36 @@ sso:
    #  - https://my.custom.client/
    # Directory in which Synapse will try to find the template files below.
-    # If not set, default templates from within the Synapse package will be used.
+    # If not set, or the files named below are not found within the template
-    #
+    # directory, default templates from within the Synapse package will be used.
    # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
    # If you *do* uncomment it, you will need to make sure that all the templates
    # below are in the directory.
    #
    # Synapse will look for the following templates in this directory:
    #
    # * HTML page to prompt the user to choose an Identity Provider during
    #   login: 'sso_login_idp_picker.html'.
    #
    #   This is only used if multiple SSO Identity Providers are configured.
    #
    #   When rendering, this template is given the following variables:
    #     * redirect_url: the URL that the user will be redirected to after
    #       login. Needs manual escaping (see
    #       https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * server_name: the homeserver's name.
    #
    #     * providers: a list of available Identity Providers. Each element is
    #       an object with the following attributes:
    #         * idp_id: unique identifier for the IdP
    #         * idp_name: user-facing name for the IdP
    #
    #   The rendered HTML page should contain a form which submits its results
    #   back as a GET request, with the following query parameters:
    #
    #     * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
    #       to the template)
    #
    #     * idp: the 'idp_id' of the chosen IDP.
    #
    # * HTML page for a confirmation step before redirecting back to the client
    #   with the login token: 'sso_redirect_confirm.html'.
    #
@ -1795,6 +1975,14 @@ sso:
    #
    #   This template has no additional variables.
    #
    # * HTML page shown after a user-interactive authentication session which
    #   does not map correctly onto the expected user: 'sso_auth_bad_user.html'.
    #
    #   When rendering, this template is given the following variables:
    #     * server_name: the homeserver's name.
    #     * user_id_to_verify: the MXID of the user that we are trying to
    #       validate.
    #
    # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)
    #   attempts to login: 'sso_account_deactivated.html'.
    #
@ -1824,7 +2012,7 @@ sso:
 # and issued at ("iat") claims are validated if present.
 #
 # Note that this is a non-standard login type and client support is
-# expected to be non-existant.
+# expected to be non-existent.
 #
 # See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md.
 #
@ -1920,6 +2108,21 @@ password_config:
      #
      #require_uppercase: true
 ui_auth:
    # The number of milliseconds to allow a user-interactive authentication
    # session to be active.
    #
    # This defaults to 0, meaning the user is queried for their credentials
    # before every action, but this can be overridden to alow a single
    # validation to be re-used.  This weakens the protections afforded by
    # the user-interactive authentication process, by allowing for multiple
    # (and potentially different) operations to use the same validation session.
    #
    # Uncomment below to allow for credential validation to last for 15
    # seconds.
    #
    #session_timeout: 15000
 # Configuration for sending emails from Synapse.
 #
@ -1985,12 +2188,15 @@ email:
  #
  #validation_token_lifetime: 15m
-  # Directory in which Synapse will try to find the template files below.
+  # The web client location to direct users to during an invite. This is passed
-  # If not set, default templates from within the Synapse package will be used.
+  # to the identity server as the org.matrix.web_client_location key. Defaults
  # to unset, giving no guidance to the identity server.
  #
-  # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
+  #invite_client_location: https://app.element.io
-  # If you *do* uncomment it, you will need to make sure that all the templates
+
-  # below are in the directory.
+  # Directory in which Synapse will try to find the template files below.
  # If not set, or the files named below are not found within the template
  # directory, default templates from within the Synapse package will be used.
  #
  # Synapse will look for the following templates in this directory:
  #
@ -2003,9 +2209,13 @@ email:
  # * The contents of password reset emails sent by the homeserver:
  #   'password_reset.html' and 'password_reset.txt'
  #
-  # * HTML pages for success and failure that a user will see when they follow
+  # * An HTML page that a user will see when they follow the link in the password
-  #   the link in the password reset email: 'password_reset_success.html' and
+  #   reset email. The user will be asked to confirm the action before their
-  #   'password_reset_failure.html'
+  #   password is reset: 'password_reset_confirmation.html'
  #
  # * HTML pages for success and failure that a user will see when they confirm
  #   the password reset flow using the page above: 'password_reset_success.html'
  #   and 'password_reset_failure.html'
  #
  # * The contents of address verification emails sent during registration:
  #   'registration.html' and 'registration.txt'
@ -2107,6 +2317,7 @@ email:
 # respectively.
 #
 password_providers:
 #    # Example config for an LDAP auth provider
    - module: "ldap_auth_provider.LdapAuthProvider"
      config:
        enabled: true
@ -2123,20 +2334,35 @@ password_providers:
-# Clients requesting push notifications can either have the body of
+## Push ##
-# the message sent in the notification poke along with other details
+
-# like the sender, or just the event ID and room ID (`event_id_only`).
+push:
-# If clients choose the former, this option controls whether the
+  # Clients requesting push notifications can either have the body of
-# notification request includes the content of the event (other details
+  # the message sent in the notification poke along with other details
-# like the sender are still included). For `event_id_only` push, it
+  # like the sender, or just the event ID and room ID (`event_id_only`).
-# has no effect.
+  # If clients choose the former, this option controls whether the
-#
+  # notification request includes the content of the event (other details
-# For modern android devices the notification content will still appear
+  # like the sender are still included). For `event_id_only` push, it
-# because it is loaded by the app. iPhone, however will send a
+  # has no effect.
-# notification saying only that a message arrived and who it came from.
+  #
-#
+  # For modern android devices the notification content will still appear
-#push:
+  # because it is loaded by the app. iPhone, however will send a
-#  include_content: true
+  # notification saying only that a message arrived and who it came from.
  #
  # The default value is "true" to include message details. Uncomment to only
  # include the event ID and room ID in push notification payloads.
  #
  #include_content: false
  # When a push notification is received, an unread count is also sent.
  # This number can either be calculated as the number of unread messages
  # for the user, or the number of *rooms* the user has unread messages in.
  #
  # The default value is "true", meaning push clients will see the number of
  # rooms with unread messages in them. Uncomment to instead send the number
  # of unread messages.
  #
  #group_unread_count_by_room: false
 # Spam checkers are third-party modules that can block specific actions
@ -2179,7 +2405,7 @@ spam_checker:
 # If enabled, non server admins can only create groups with local parts
 # starting with this prefix
 #
-#group_creation_prefix: "unofficial/"
+#group_creation_prefix: "unofficial_"
@ -2337,7 +2563,7 @@ spam_checker:
 #
 # Options for the rules include:
 #
-#   user_id: Matches agaisnt the creator of the alias
+#   user_id: Matches against the creator of the alias
 #   room_id: Matches against the room ID being published
 #   alias: Matches against any current local or canonical aliases
 #            associated with the room
@ -2383,7 +2609,7 @@ opentracing:
    # This is a list of regexes which are matched against the server_name of the
    # homeserver.
    #
-    # By defult, it is empty, so no servers are matched.
+    # By default, it is empty, so no servers are matched.
    #
    #homeserver_whitelist:
    #  - ".*"
@ -2439,6 +2665,18 @@ opentracing:
 #  events: worker1
 #  typing: worker1
 # The worker that is used to run background tasks (e.g. cleaning up expired
 # data). If not provided this defaults to the main process.
 #
 #run_background_tasks_on: worker1
 # A shared secret used by the replication APIs to authenticate HTTP requests
 # from workers.
 #
 # By default this is unused and traffic is not authenticated.
 #
 #worker_replication_secret: ""
 # Configuration for Redis when using workers. This *must* be enabled when
 # using workers (unless using old style direct TCP configuration).