matrix: rebase homeserver.yaml.j2 on upstream 1.34.0

2021-05-20 18:36:05 +02:00 · 2021-05-20 18:36:05 +02:00 · 3e1cdb6bf5
commit 3e1cdb6bf5
parent e8dcf169e2
1 changed files with 392 additions and 166 deletions
--- a/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
+++ b/roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
@ -51,10 +51,6 @@ pid_file: "/var/run/matrix-synapse.pid"
 # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
 # 'listeners' below).
 #
 # If this is left unset, it defaults to 'https://<server_name>/'. (Note that
 # that will not work unless you configure Synapse or a reverse-proxy to listen
 # on port 443.)
 #
 public_baseurl: https://{{ matrix_domain }}/
 # Set the soft limit on the number of file descriptors synapse can use
@ -63,15 +59,33 @@ public_baseurl: https://{{ matrix_domain }}/
 #
 #soft_file_limit: 0
-# Set to false to disable presence tracking on this homeserver.
+# Presence tracking allows users to see the state (e.g online/offline)
 # of other local and remote users.
 #
-#use_presence: false
+presence:
  # Uncomment to disable presence tracking on this homeserver. This option
  # replaces the previous top-level 'use_presence' option.
  #
  #enabled: false
  # Presence routers are third-party modules that can specify additional logic
  # to where presence updates from users are routed.
  #
  presence_router:
    # The custom module's class. Uncomment to use a custom presence router module.
    #
    #module: "my_custom_router.PresenceRouter"
    # Configuration options of the custom module. Refer to your module's
    # documentation for available options.
    #
    #config:
    #  example_option: 'something'
 # Whether to require authentication to retrieve profile data (avatars,
 # display names) of other users through the client API. Defaults to
 # 'false'. Note that profile data is also available via the federation
-# API, so this setting is of limited value if federation is enabled on
+# API, unless allow_profile_lookup_over_federation is set to false.
 # the server.
 #
 #require_auth_for_profile_requests: true
@ -82,6 +96,14 @@ public_baseurl: https://{{ matrix_domain }}/
 #
 #limit_profile_requests_to_users_who_share_rooms: true
 # Uncomment to prevent a user's profile data from being retrieved and
 # displayed in a room until they have joined it. By default, a user's
 # profile data is included in an invite event, regardless of the values
 # of the above two settings, and whether or not the users share a server.
 # Defaults to 'true'.
 #
 #include_profile_data_on_invite: false
 # If set to 'true', removes the need for authentication to access the server's
 # public rooms directory through the client API, meaning that anyone can
 # query the room directory. Defaults to 'false'.
@ -107,6 +129,16 @@ public_baseurl: https://{{ matrix_domain }}/
 #
 #gc_thresholds: [700, 10, 10]
 # The minimum time in seconds between each GC for a generation, regardless of
 # the GC thresholds. This ensures that we don't do GC too frequently.
 #
 # A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive
 # generation 0 GCs, etc.
 #
 # Defaults to `[1s, 10s, 30s]`.
 #
 #gc_min_interval: [0.5s, 30s, 1m]
 # Set the limit on the returned events in the timeline in the get
 # and sync operations. The default value is 100. -1 means no upper limit.
 #
@ -146,6 +178,7 @@ public_baseurl: https://{{ matrix_domain }}/
 #  - '100.64.0.0/10'
 #  - '192.0.0.0/24'
 #  - '169.254.0.0/16'
 #  - '192.88.99.0/24'
 #  - '198.18.0.0/15'
 #  - '192.0.2.0/24'
 #  - '198.51.100.0/24'
@ -154,6 +187,9 @@ public_baseurl: https://{{ matrix_domain }}/
 #  - '::1/128'
 #  - 'fe80::/10'
 #  - 'fc00::/7'
 #  - '2001:db8::/32'
 #  - 'ff00::/8'
 #  - 'fec0::/10'
 # List of IP address CIDR ranges that should be allowed for federation,
 # identity servers, push servers, and for checking key validity for
@ -676,6 +712,18 @@ acme:
 #  - matrix.org
 #  - example.com
 # Uncomment to disable profile lookup over federation. By default, the
 # Federation API allows other homeservers to obtain profile data of any user
 # on this homeserver. Defaults to 'true'.
 #
 #allow_profile_lookup_over_federation: false
 # Uncomment to disable device display name lookup over federation. By default, the
 # Federation API allows other homeservers to obtain device display names of any user
 # on this homeserver. Defaults to 'true'.
 #
 #allow_device_name_lookup_over_federation: false
 ## Caching ##
@ -755,6 +803,7 @@ caches:
 #    password: secretpassword
 #    database: synapse
 #    host: localhost
 #    port: 5432
 #    cp_min: 5
 #    cp_max: 10
 #
@ -810,6 +859,9 @@ log_config: "/etc/matrix-synapse/log.yaml"
 #     users are joining rooms the server is already in (this is cheap) vs
 #     "remote" for when users are trying to join rooms not on the server (which
 #     can be more expensive)
 #   - one for ratelimiting how often a user or IP can attempt to validate a 3PID.
 #   - two for ratelimiting how often invites can be sent in a room or to a
 #     specific user.
 #
 # The defaults are as shown below.
 #
@ -839,11 +891,22 @@ log_config: "/etc/matrix-synapse/log.yaml"
 #rc_joins:
 #  local:
 #    per_second: 0.1
-#    burst_count: 3
+#    burst_count: 10
 #  remote:
 #    per_second: 0.01
-#    burst_count: 3
+#    burst_count: 10
-
+#
 #rc_3pid_validation:
 #  per_second: 0.003
 #  burst_count: 5
 #
 #rc_invites:
 #  per_room:
 #    per_second: 0.3
 #    burst_count: 10
 #  per_user:
 #    per_second: 0.003
 #    burst_count: 5
 # Ratelimiting settings for incoming federation
 #
@ -966,6 +1029,7 @@ max_upload_size: 25M
 #  - '100.64.0.0/10'
 #  - '192.0.0.0/24'
 #  - '169.254.0.0/16'
 #  - '192.88.99.0/24'
 #  - '198.18.0.0/15'
 #  - '192.0.2.0/24'
 #  - '198.51.100.0/24'
@ -974,6 +1038,9 @@ max_upload_size: 25M
 #  - '::1/128'
 #  - 'fe80::/10'
 #  - 'fc00::/7'
 #  - '2001:db8::/32'
 #  - 'ff00::/8'
 #  - 'fec0::/10'
 # List of IP address CIDR ranges that the URL preview spider is allowed
 # to access even if they are specified in url_preview_ip_range_blacklist.
@ -1111,70 +1178,6 @@ turn_allow_guests: true
 #
 enable_registration: false
 # Optional account validity configuration. This allows for accounts to be denied
 # any request after a given period.
 #
 # Once this feature is enabled, Synapse will look for registered users without an
 # expiration date at startup and will add one to every account it found using the
 # current settings at that time.
 # This means that, if a validity period is set, and Synapse is restarted (it will
 # then derive an expiration date from the current validity period), and some time
 # after that the validity period changes and Synapse is restarted, the users'
 # expiration dates won't be updated unless their account is manually renewed. This
 # date will be randomly selected within a range [now + period - d ; now + period],
 # where d is equal to 10% of the validity period.
 #
 account_validity:
  # The account validity feature is disabled by default. Uncomment the
  # following line to enable it.
  #
  #enabled: true
  # The period after which an account is valid after its registration. When
  # renewing the account, its validity period will be extended by this amount
  # of time. This parameter is required when using the account validity
  # feature.
  #
  #period: 6w
  # The amount of time before an account's expiry date at which Synapse will
  # send an email to the account's email address with a renewal link. By
  # default, no such emails are sent.
  #
  # If you enable this setting, you will also need to fill out the 'email'
  # configuration section. You should also check that 'public_baseurl' is set
  # correctly.
  #
  #renew_at: 1w
  # The subject of the email sent out with the renewal link. '%(app)s' can be
  # used as a placeholder for the 'app_name' parameter from the 'email'
  # section.
  #
  # Note that the placeholder must be written '%(app)s', including the
  # trailing 's'.
  #
  # If this is not set, a default value is used.
  #
  #renew_email_subject: "Renew your %(app)s account"
  # Directory in which Synapse will try to find templates for the HTML files to
  # serve to the user when trying to renew an account. If not set, default
  # templates from within the Synapse package will be used.
  #
  #template_dir: "res/templates"
  # File within 'template_dir' giving the HTML to be displayed to the user after
  # they successfully renewed their account. If not set, default text is used.
  #
  #account_renewed_html_path: "account_renewed.html"
  # File within 'template_dir' giving the HTML to be displayed when the user
  # tries to renew an account with an invalid renewal token. If not set,
  # default text is used.
  #
  #invalid_token_html_path: "invalid_token.html"
 # Time that a user's session remains valid for, after they log in.
 #
 # Note that this is not currently compatible with guest logins.
@ -1202,9 +1205,9 @@ account_validity:
 #
 #allowed_local_3pids:
 #  - medium: email
-#    pattern: '.*@matrix\.org'
+#    pattern: '^[^@]+@matrix\.org$'
 #  - medium: email
-#    pattern: '.*@vector\.im'
+#    pattern: '^[^@]+@vector\.im$'
 #  - medium: msisdn
 #    pattern: '\+44'
@ -1234,7 +1237,8 @@ account_validity:
 # The identity server which we suggest that clients should use when users log
 # in on this server.
 #
-# (By default, no suggestion is made, so it is left up to the client.)
+# (By default, no suggestion is made, so it is left up to the client.
 # This setting is ignored unless public_baseurl is also set.)
 #
 #default_identity_server: https://matrix.org
@ -1259,6 +1263,8 @@ account_validity:
 # by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
 # If a delegate is specified, the config option public_baseurl must also be filled out.
 #
 account_threepid_delegates:
    #email: https://example.com     # Delegate email sending to example.com
    #msisdn: http://localhost:8090  # Delegate SMS sending to this local process
@ -1292,6 +1298,8 @@ enable_3pid_changes: false
 # By default, any room aliases included in this list will be created
 # as a publicly joinable room when the first user registers for the
 # homeserver. This behaviour can be customised with the settings below.
 # If the room already exists, make certain it is a publicly joinable
 # room. The join rule of the room must be set to 'public'.
 #
 #auto_join_rooms:
 #  - "#example:example.com"
@ -1364,6 +1372,91 @@ enable_3pid_changes: false
 #auto_join_rooms_for_guests: false
 ## Account Validity ##
 # Optional account validity configuration. This allows for accounts to be denied
 # any request after a given period.
 #
 # Once this feature is enabled, Synapse will look for registered users without an
 # expiration date at startup and will add one to every account it found using the
 # current settings at that time.
 # This means that, if a validity period is set, and Synapse is restarted (it will
 # then derive an expiration date from the current validity period), and some time
 # after that the validity period changes and Synapse is restarted, the users'
 # expiration dates won't be updated unless their account is manually renewed. This
 # date will be randomly selected within a range [now + period - d ; now + period],
 # where d is equal to 10% of the validity period.
 #
 account_validity:
  # The account validity feature is disabled by default. Uncomment the
  # following line to enable it.
  #
  #enabled: true
  # The period after which an account is valid after its registration. When
  # renewing the account, its validity period will be extended by this amount
  # of time. This parameter is required when using the account validity
  # feature.
  #
  #period: 6w
  # The amount of time before an account's expiry date at which Synapse will
  # send an email to the account's email address with a renewal link. By
  # default, no such emails are sent.
  #
  # If you enable this setting, you will also need to fill out the 'email' and
  # 'public_baseurl' configuration sections.
  #
  #renew_at: 1w
  # The subject of the email sent out with the renewal link. '%(app)s' can be
  # used as a placeholder for the 'app_name' parameter from the 'email'
  # section.
  #
  # Note that the placeholder must be written '%(app)s', including the
  # trailing 's'.
  #
  # If this is not set, a default value is used.
  #
  #renew_email_subject: "Renew your %(app)s account"
  # Directory in which Synapse will try to find templates for the HTML files to
  # serve to the user when trying to renew an account. If not set, default
  # templates from within the Synapse package will be used.
  #
  # The currently available templates are:
  #
  # * account_renewed.html: Displayed to the user after they have successfully
  #       renewed their account.
  #
  # * account_previously_renewed.html: Displayed to the user if they attempt to
  #       renew their account with a token that is valid, but that has already
  #       been used. In this case the account is not renewed again.
  #
  # * invalid_token.html: Displayed to the user when they try to renew an account
  #       with an unknown or invalid renewal token.
  #
  # See https://github.com/matrix-org/synapse/tree/master/synapse/res/templates for
  # default template contents.
  #
  # The file name of some of these templates can be configured below for legacy
  # reasons.
  #
  #template_dir: "res/templates"
  # A custom file name for the 'account_renewed.html' template.
  #
  # If not set, the file is assumed to be named "account_renewed.html".
  #
  #account_renewed_html_path: "account_renewed.html"
  # A custom file name for the 'invalid_token.html' template.
  #
  # If not set, the file is assumed to be named "invalid_token.html".
  #
  #invalid_token_html_path: "invalid_token.html"
 ## Metrics ###
 # Enable collection and rendering of performance metrics
@ -1402,14 +1495,32 @@ metrics_flags:
 ## API Configuration ##
-# A list of event types that will be included in the room_invite_state
+# Controls for the state that is shared with users who receive an invite
 # to a room
 #
-#room_invite_state_types:
+room_prejoin_state:
-#  - "m.room.join_rules"
+   # By default, the following state event types are shared with users who
-#  - "m.room.canonical_alias"
+   # receive invites to the room:
-#  - "m.room.avatar"
+   #
-#  - "m.room.encryption"
+   # - m.room.join_rules
-#  - "m.room.name"
+   # - m.room.canonical_alias
   # - m.room.avatar
   # - m.room.encryption
   # - m.room.name
   # - m.room.create
   #
   # Uncomment the following to disable these defaults (so that only the event
   # types listed in 'additional_event_types' are shared). Defaults to 'false'.
   #
   #disable_default_event_types: true
   # Additional state event types to share with users when they are invited
   # to a room.
   #
   # By default, this list is empty (so only the default event types are shared).
   #
   #additional_event_types:
   #  - org.example.custom.event.type
 # A list of application service config files to use
@ -1538,10 +1649,10 @@ trusted_key_servers:
 # enable SAML login.
 #
 # Once SAML support is enabled, a metadata file will be exposed at
-# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
+# https://<server>:<port>/_synapse/client/saml2/metadata.xml, which you may be able to
 # use to configure your SAML IdP with. Alternatively, you can manually configure
 # the IdP to use an ACS location of
-# https://<server>:<port>/_matrix/saml2/authn_response.
+# https://<server>:<port>/_synapse/client/saml2/authn_response.
 #
 saml2_config:
  # `sp_config` is the configuration for the pysaml2 Service Provider.
@ -1709,14 +1820,21 @@ saml2_config:
 #       Note that, if this is changed, users authenticating via that provider
 #       will no longer be recognised as the same user!
 #
 #       (Use "oidc" here if you are migrating from an old "oidc_config"
 #       configuration.)
 #
 #   idp_name: A user-facing name for this identity provider, which is used to
 #       offer the user a choice of login mechanisms.
 #
 #   idp_icon: An optional icon for this identity provider, which is presented
-#       by identity picker pages. If given, must be an MXC URI of the format
+#       by clients and Synapse's own IdP picker page. If given, must be an
-#       mxc://<server-name>/<media-id>. (An easy way to obtain such an MXC URI
+#       MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
-#       is to upload an image to an (unencrypted) room and then copy the "url"
+#       obtain such an MXC URI is to upload an image to an (unencrypted) room
-#       from the source of the event.)
+#       and then copy the "url" from the source of the event.)
 #
 #   idp_brand: An optional brand for this identity provider, allowing clients
 #       to style the login flow according to the identity provider in question.
 #       See the spec for possible options here.
 #
 #   discover: set to 'false' to disable the use of the OIDC discovery mechanism
 #       to discover endpoints. Defaults to true.
@ -1726,7 +1844,26 @@ saml2_config:
 #
 #   client_id: Required. oauth2 client id to use.
 #
-#   client_secret: Required. oauth2 client secret to use.
+#   client_secret: oauth2 client secret to use. May be omitted if
 #        client_secret_jwt_key is given, or if client_auth_method is 'none'.
 #
 #   client_secret_jwt_key: Alternative to client_secret: details of a key used
 #      to create a JSON Web Token to be used as an OAuth2 client secret. If
 #      given, must be a dictionary with the following properties:
 #
 #          key: a pem-encoded signing key. Must be a suitable key for the
 #              algorithm specified. Required unless 'key_file' is given.
 #
 #          key_file: the path to file containing a pem-encoded signing key file.
 #              Required unless 'key' is given.
 #
 #          jwt_header: a dictionary giving properties to include in the JWT
 #              header. Must include the key 'alg', giving the algorithm used to
 #              sign the JWT, such as "ES256", using the JWA identifiers in
 #              RFC7518.
 #
 #          jwt_payload: an optional dictionary giving properties to include in
 #              the JWT payload. Normally this should include an 'iss' key.
 #
 #   client_auth_method: auth method to use when exchanging the token. Valid
 #       values are 'client_secret_basic' (default), 'client_secret_post' and
@ -1767,7 +1904,7 @@ saml2_config:
 #       sub-properties:
 #
 #       module: The class name of a custom mapping module. Default is
-#           'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
+#           'synapse.handlers.oidc.JinjaOidcMappingProvider'.
 #           See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
 #           for information on implementing a custom mapping provider.
 #
@ -1777,17 +1914,21 @@ saml2_config:
 #
 #           For the default provider, the following settings are available:
 #
-#             sub: name of the claim containing a unique identifier for the
+#             subject_claim: name of the claim containing a unique identifier
-#                 user. Defaults to 'sub', which OpenID Connect compliant
+#                 for the user. Defaults to 'sub', which OpenID Connect
-#                 providers should provide.
+#                 compliant providers should provide.
 #
 #             localpart_template: Jinja2 template for the localpart of the MXID.
 #                 If this is not set, the user will be prompted to choose their
-#                 own username.
+#                 own username (see 'sso_auth_account_details.html' in the 'sso'
 #                 section of this file).
 #
 #             display_name_template: Jinja2 template for the display name to set
 #                 on first login. If unset, no displayname will be set.
 #
 #             email_template: Jinja2 template for the email address of the user.
 #                 If unset, no email address will be added to the account.
 #
 #             extra_attributes: a map of Jinja2 templates for extra attributes
 #                 to send back to the client during login.
 #                 Note that these are non-standard and clients will ignore them
@ -1797,6 +1938,24 @@ saml2_config:
 #           which is set to the claims returned by the UserInfo Endpoint and/or
 #           in the ID Token.
 #
 #   It is possible to configure Synapse to only allow logins if certain attributes
 #   match particular values in the OIDC userinfo. The requirements can be listed under
 #   `attribute_requirements` as shown below. All of the listed attributes must
 #   match for the login to be permitted. Additional attributes can be added to
 #   userinfo by expanding the `scopes` section of the OIDC config to retrieve
 #   additional information from the OIDC provider.
 #
 #   If the OIDC claim is a list, then the attribute must match any value in the list.
 #   Otherwise, it must exactly match the value of the claim. Using the example
 #   below, the `family_name` claim MUST be "Stephensson", but the `groups`
 #   claim MUST contain "admin".
 #
 #   attribute_requirements:
 #     - attribute: family_name
 #       value: "Stephensson"
 #     - attribute: groups
 #       value: "admin"
 #
 # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
 # for information on how to configure these options.
 #
@ -1823,33 +1982,15 @@ oidc_providers:
  #  userinfo_endpoint: "https://accounts.example.com/userinfo"
  #  jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
  #  skip_verification: true
  # For use with Keycloak
  #
  #- idp_id: keycloak
  #  idp_name: Keycloak
  #  issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name"
  #  client_id: "synapse"
  #  client_secret: "copy secret generated in Keycloak UI"
  #  scopes: ["openid", "profile"]
  # For use with Github
  #
  #- idp_id: github
  #  idp_name: Github
  #  discover: false
  #  issuer: "https://github.com/"
  #  client_id: "your-client-id" # TO BE FILLED
  #  client_secret: "your-client-secret" # TO BE FILLED
  #  authorization_endpoint: "https://github.com/login/oauth/authorize"
  #  token_endpoint: "https://github.com/login/oauth/access_token"
  #  userinfo_endpoint: "https://api.github.com/user"
  #  scopes: ["read:user"]
  #  user_mapping_provider:
  #    config:
  #      subject_claim: "id"
  #      localpart_template: "{ user.login }"
  #      display_name_template: "{ user.name }"
  #      email_template: "{ user.email }"
  #  attribute_requirements:
  #    - attribute: userGroup
  #      value: "synapseUsers"
 # Enable Central Authentication Service (CAS) for registration and login.
@ -1864,10 +2005,6 @@ cas_config:
  #
  #server_url: "https://cas-server.com"
  # The public URL of the homeserver.
  #
  #service_url: "https://homeserver.domain.com:8448"
  # The attribute of the CAS response to use as the display name.
  #
  # If unset, no displayname will be set.
@ -1899,9 +2036,9 @@ sso:
    # phishing attacks from evil.site. To avoid this, include a slash after the
    # hostname: "https://my.client/".
    #
-    # The login fallback page (used by clients that don't natively support the
+    # If public_baseurl is set, then the login fallback page (used by clients
-    # required login flows) is automatically whitelisted in addition to any URLs
+    # that don't natively support the required login flows) is whitelisted in
-    # in this list.
+    # addition to any URLs in this list.
    #
    # By default, this list is empty.
    #
@ -1922,15 +2059,19 @@ sso:
    #
    #   When rendering, this template is given the following variables:
    #     * redirect_url: the URL that the user will be redirected to after
-    #       login. Needs manual escaping (see
+    #       login.
    #       https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * server_name: the homeserver's name.
    #
    #     * providers: a list of available Identity Providers. Each element is
    #       an object with the following attributes:
    #
    #         * idp_id: unique identifier for the IdP
    #         * idp_name: user-facing name for the IdP
    #         * idp_icon: if specified in the IdP config, an MXC URI for an icon
    #              for the IdP
    #         * idp_brand: if specified in the IdP config, a textual identifier
    #              for the brand of the IdP
    #
    #   The rendered HTML page should contain a form which submits its results
    #   back as a GET request, with the following query parameters:
@ -1940,33 +2081,101 @@ sso:
    #
    #     * idp: the 'idp_id' of the chosen IDP.
    #
    # * HTML page to prompt new users to enter a userid and confirm other
    #   details: 'sso_auth_account_details.html'. This is only shown if the
    #   SSO implementation (with any user_mapping_provider) does not return
    #   a localpart.
    #
    #   When rendering, this template is given the following variables:
    #
    #     * server_name: the homeserver's name.
    #
    #     * idp: details of the SSO Identity Provider that the user logged in
    #       with: an object with the following attributes:
    #
    #         * idp_id: unique identifier for the IdP
    #         * idp_name: user-facing name for the IdP
    #         * idp_icon: if specified in the IdP config, an MXC URI for an icon
    #              for the IdP
    #         * idp_brand: if specified in the IdP config, a textual identifier
    #              for the brand of the IdP
    #
    #     * user_attributes: an object containing details about the user that
    #       we received from the IdP. May have the following attributes:
    #
    #         * display_name: the user's display_name
    #         * emails: a list of email addresses
    #
    #   The template should render a form which submits the following fields:
    #
    #     * username: the localpart of the user's chosen user id
    #
    # * HTML page allowing the user to consent to the server's terms and
    #   conditions. This is only shown for new users, and only if
    #   `user_consent.require_at_registration` is set.
    #
    #   When rendering, this template is given the following variables:
    #
    #     * server_name: the homeserver's name.
    #
    #     * user_id: the user's matrix proposed ID.
    #
    #     * user_profile.display_name: the user's proposed display name, if any.
    #
    #     * consent_version: the version of the terms that the user will be
    #       shown
    #
    #     * terms_url: a link to the page showing the terms.
    #
    #   The template should render a form which submits the following fields:
    #
    #     * accepted_version: the version of the terms accepted by the user
    #       (ie, 'consent_version' from the input variables).
    #
    # * HTML page for a confirmation step before redirecting back to the client
    #   with the login token: 'sso_redirect_confirm.html'.
    #
-    #   When rendering, this template is given three variables:
+    #   When rendering, this template is given the following variables:
-    #     * redirect_url: the URL the user is about to be redirected to. Needs
+    #
-    #                     manual escaping (see
+    #     * redirect_url: the URL the user is about to be redirected to.
    #                     https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * display_url: the same as `redirect_url`, but with the query
    #                    parameters stripped. The intention is to have a
    #                    human-readable URL to show to users, not to use it as
-    #                    the final address to redirect to. Needs manual escaping
+    #                    the final address to redirect to.
    #                    (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * server_name: the homeserver's name.
    #
    #     * new_user: a boolean indicating whether this is the user's first time
    #          logging in.
    #
    #     * user_id: the user's matrix ID.
    #
    #     * user_profile.avatar_url: an MXC URI for the user's avatar, if any.
    #           None if the user has not set an avatar.
    #
    #     * user_profile.display_name: the user's display name. None if the user
    #           has not set a display name.
    #
    # * HTML page which notifies the user that they are authenticating to confirm
    #   an operation on their account during the user interactive authentication
    #   process: 'sso_auth_confirm.html'.
    #
    #   When rendering, this template is given the following variables:
-    #     * redirect_url: the URL the user is about to be redirected to. Needs
+    #     * redirect_url: the URL the user is about to be redirected to.
    #                     manual escaping (see
    #                     https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * description: the operation which the user is being asked to confirm
    #
    #     * idp: details of the Identity Provider that we will use to confirm
    #       the user's identity: an object with the following attributes:
    #
    #         * idp_id: unique identifier for the IdP
    #         * idp_name: user-facing name for the IdP
    #         * idp_icon: if specified in the IdP config, an MXC URI for an icon
    #              for the IdP
    #         * idp_brand: if specified in the IdP config, a textual identifier
    #              for the brand of the IdP
    #
    # * HTML page shown after a successful user interactive authentication session:
    #   'sso_auth_success.html'.
    #
@ -2109,11 +2318,11 @@ password_config:
      #require_uppercase: true
 ui_auth:
-    # The number of milliseconds to allow a user-interactive authentication
+    # The amount of time to allow a user-interactive authentication session
-    # session to be active.
+    # to be active.
    #
    # This defaults to 0, meaning the user is queried for their credentials
-    # before every action, but this can be overridden to alow a single
+    # before every action, but this can be overridden to allow a single
    # validation to be re-used.  This weakens the protections afforded by
    # the user-interactive authentication process, by allowing for multiple
    # (and potentially different) operations to use the same validation session.
@ -2121,7 +2330,7 @@ ui_auth:
    # Uncomment below to allow for credential validation to last for 15
    # seconds.
    #
-    #session_timeout: 15000
+    #session_timeout: "15s"
 # Configuration for sending emails from Synapse.
@ -2411,19 +2620,35 @@ spam_checker:
 # User Directory configuration
 #
-# 'enabled' defines whether users can search the user directory. If
+user_directory:
-# false then empty responses are returned to all queries. Defaults to
+    # Defines whether users can search the user directory. If false then
-# true.
+    # empty responses are returned to all queries. Defaults to true.
    #
-# 'search_all_users' defines whether to search all users visible to your HS
+    # Uncomment to disable the user directory.
-# when searching the user directory, rather than limiting to users visible
+    #
-# in public rooms.  Defaults to false.  If you set it True, you'll have to
+    #enabled: false
-# rebuild the user_directory search indexes, see
+
    # Defines whether to search all users visible to your HS when searching
    # the user directory, rather than limiting to users visible in public
    # rooms. Defaults to false.
    #
    # If you set it true, you'll have to rebuild the user_directory search
    # indexes, see:
    # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md
    #
-#user_directory:
+    # Uncomment to return search results containing all known users, even if that
-#  enabled: true
+    # user does not share a room with the requester.
-#  search_all_users: false
+    #
    #search_all_users: true
    # Defines whether to prefer local users in search query results.
    # If True, local users are more likely to appear above remote users
    # when searching the user directory. Defaults to false.
    #
    # Uncomment to prefer local over remote users in user directory search
    # results.
    #
    #prefer_local_users: true
 # User Consent configuration
@ -2478,19 +2703,20 @@ spam_checker:
-# Local statistics collection. Used in populating the room directory.
+# Settings for local room and user statistics collection. See
 # docs/room_and_user_statistics.md.
 #
-# 'bucket_size' controls how large each statistics timeslice is. It can
+stats:
-# be defined in a human readable short form -- e.g. "1d", "1y".
+  # Uncomment the following to disable room and user statistics. Note that doing
  # so may cause certain features (such as the room directory) not to work
  # correctly.
  #
-# 'retention' controls how long historical statistics will be kept for.
+  #enabled: false
-# It can be defined in a human readable short form -- e.g. "1d", "1y".
+
  # The size of each timeslice in the room_stats_historical and
  # user_stats_historical tables, as a time period. Defaults to "1d".
  #
-#
+  #bucket_size: 1h
 #stats:
 #   enabled: true
 #   bucket_size: 1d
 #   retention: 1y
 # Server Notices room configuration