matrix: rebase homeserver.yml against upstream
parent
4cc75159d2
commit
a7373f86f3
@ -8,10 +8,23 @@
|
|||||||
|
|
||||||
## Server ##
|
## Server ##
|
||||||
|
|
||||||
# The domain name of the server, with optional explicit port.
|
# The public-facing domain of the server
|
||||||
# This is used by remote servers to connect to this server,
|
#
|
||||||
# e.g. matrix.org, localhost:8080, etc.
|
# The server_name name will appear at the end of usernames and room addresses
|
||||||
# This is also the last part of your UserID.
|
# created on this server. For example if the server_name was example.com,
|
||||||
|
# usernames on this server would be in the format @user:example.com
|
||||||
|
#
|
||||||
|
# In most cases you should avoid using a matrix specific subdomain such as
|
||||||
|
# matrix.example.com or synapse.example.com as the server_name for the same
|
||||||
|
# reasons you wouldn't use user@email.example.com as your email address.
|
||||||
|
# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md
|
||||||
|
# for information on how to host Synapse on a subdomain while preserving
|
||||||
|
# a clean server_name.
|
||||||
|
#
|
||||||
|
# The server_name cannot be changed later so it is important to
|
||||||
|
# configure this correctly before you start Synapse. It should be all
|
||||||
|
# lowercase and may contain an explicit port.
|
||||||
|
# Examples: matrix.org, localhost:8080
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
# This is set in /etc/matrix-synapse/conf.d/server_name.yaml for Debian installations.
|
# This is set in /etc/matrix-synapse/conf.d/server_name.yaml for Debian installations.
|
||||||
@ -31,11 +44,16 @@ pid_file: "/var/run/matrix-synapse.pid"
|
|||||||
#
|
#
|
||||||
#web_client_location: https://riot.example.com/
|
#web_client_location: https://riot.example.com/
|
||||||
|
|
||||||
# The public-facing base URL that clients use to access this HS
|
# The public-facing base URL that clients use to access this Homeserver (not
|
||||||
# (not including _matrix/...). This is the same URL a user would
|
# including _matrix/...). This is the same URL a user might enter into the
|
||||||
# enter into the 'custom HS URL' field on their client. If you
|
# 'Custom Homeserver URL' field on their client. If you use Synapse with a
|
||||||
# use synapse with a reverse proxy, this should be the URL to reach
|
# reverse proxy, this should be the URL to reach Synapse via the proxy.
|
||||||
# synapse via the proxy.
|
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
|
||||||
|
# 'listeners' below).
|
||||||
|
#
|
||||||
|
# If this is left unset, it defaults to 'https://<server_name>/'. (Note that
|
||||||
|
# that will not work unless you configure Synapse or a reverse-proxy to listen
|
||||||
|
# on port 443.)
|
||||||
#
|
#
|
||||||
public_baseurl: https://{{ matrix_domain }}/
|
public_baseurl: https://{{ matrix_domain }}/
|
||||||
|
|
||||||
@ -83,7 +101,7 @@ public_baseurl: https://{{ matrix_domain }}/
|
|||||||
# For example, for room version 1, default_room_version should be set
|
# For example, for room version 1, default_room_version should be set
|
||||||
# to "1".
|
# to "1".
|
||||||
#
|
#
|
||||||
#default_room_version: "5"
|
#default_room_version: "6"
|
||||||
|
|
||||||
# The GC threshold parameters to pass to `gc.set_threshold`, if defined
|
# The GC threshold parameters to pass to `gc.set_threshold`, if defined
|
||||||
#
|
#
|
||||||
@ -108,6 +126,47 @@ public_baseurl: https://{{ matrix_domain }}/
|
|||||||
#
|
#
|
||||||
#enable_search: false
|
#enable_search: false
|
||||||
|
|
||||||
|
# Prevent outgoing requests from being sent to the following blacklisted IP address
|
||||||
|
# CIDR ranges. If this option is not specified then it defaults to private IP
|
||||||
|
# address ranges (see the example below).
|
||||||
|
#
|
||||||
|
# The blacklist applies to the outbound requests for federation, identity servers,
|
||||||
|
# push servers, and for checking key validity for third-party invite events.
|
||||||
|
#
|
||||||
|
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
|
||||||
|
# listed here, since they correspond to unroutable addresses.)
|
||||||
|
#
|
||||||
|
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
|
||||||
|
#
|
||||||
|
#ip_range_blacklist:
|
||||||
|
# - '127.0.0.0/8'
|
||||||
|
# - '10.0.0.0/8'
|
||||||
|
# - '172.16.0.0/12'
|
||||||
|
# - '192.168.0.0/16'
|
||||||
|
# - '100.64.0.0/10'
|
||||||
|
# - '192.0.0.0/24'
|
||||||
|
# - '169.254.0.0/16'
|
||||||
|
# - '198.18.0.0/15'
|
||||||
|
# - '192.0.2.0/24'
|
||||||
|
# - '198.51.100.0/24'
|
||||||
|
# - '203.0.113.0/24'
|
||||||
|
# - '224.0.0.0/4'
|
||||||
|
# - '::1/128'
|
||||||
|
# - 'fe80::/10'
|
||||||
|
# - 'fc00::/7'
|
||||||
|
|
||||||
|
# List of IP address CIDR ranges that should be allowed for federation,
|
||||||
|
# identity servers, push servers, and for checking key validity for
|
||||||
|
# third-party invite events. This is useful for specifying exceptions to
|
||||||
|
# wide-ranging blacklisted target IP ranges - e.g. for communication with
|
||||||
|
# a push server only visible in your network.
|
||||||
|
#
|
||||||
|
# This whitelist overrides ip_range_blacklist and defaults to an empty
|
||||||
|
# list.
|
||||||
|
#
|
||||||
|
#ip_range_whitelist:
|
||||||
|
# - '192.168.1.1'
|
||||||
|
|
||||||
# List of ports that Synapse should listen on, their purpose and their
|
# List of ports that Synapse should listen on, their purpose and their
|
||||||
# configuration.
|
# configuration.
|
||||||
#
|
#
|
||||||
@ -355,11 +414,10 @@ retention:
|
|||||||
# min_lifetime: 1d
|
# min_lifetime: 1d
|
||||||
# max_lifetime: 1y
|
# max_lifetime: 1y
|
||||||
|
|
||||||
# Retention policy limits. If set, a user won't be able to send a
|
# Retention policy limits. If set, and the state of a room contains a
|
||||||
# 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime'
|
# 'm.room.retention' event in its state which contains a 'min_lifetime' or a
|
||||||
# that's not within this range. This is especially useful in closed federations,
|
# 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
|
||||||
# in which server admins can make sure every federating server applies the same
|
# to these limits when running purge jobs.
|
||||||
# rules.
|
|
||||||
#
|
#
|
||||||
#allowed_lifetime_min: 1d
|
#allowed_lifetime_min: 1d
|
||||||
#allowed_lifetime_max: 1y
|
#allowed_lifetime_max: 1y
|
||||||
@ -385,12 +443,19 @@ retention:
|
|||||||
# (e.g. every 12h), but not want that purge to be performed by a job that's
|
# (e.g. every 12h), but not want that purge to be performed by a job that's
|
||||||
# iterating over every room it knows, which could be heavy on the server.
|
# iterating over every room it knows, which could be heavy on the server.
|
||||||
#
|
#
|
||||||
|
# If any purge job is configured, it is strongly recommended to have at least
|
||||||
|
# a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
|
||||||
|
# set, or one job without 'shortest_max_lifetime' and one job without
|
||||||
|
# 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
|
||||||
|
# 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
|
||||||
|
# room's policy to these values is done after the policies are retrieved from
|
||||||
|
# Synapse's database (which is done using the range specified in a purge job's
|
||||||
|
# configuration).
|
||||||
|
#
|
||||||
#purge_jobs:
|
#purge_jobs:
|
||||||
# - shortest_max_lifetime: 1d
|
# - longest_max_lifetime: 3d
|
||||||
# longest_max_lifetime: 3d
|
|
||||||
# interval: 12h
|
# interval: 12h
|
||||||
# - shortest_max_lifetime: 3d
|
# - shortest_max_lifetime: 3d
|
||||||
# longest_max_lifetime: 1y
|
|
||||||
# interval: 1d
|
# interval: 1d
|
||||||
|
|
||||||
# Inhibits the /requestToken endpoints from returning an error that might leak
|
# Inhibits the /requestToken endpoints from returning an error that might leak
|
||||||
@ -403,6 +468,24 @@ retention:
|
|||||||
#
|
#
|
||||||
#request_token_inhibit_3pid_errors: true
|
#request_token_inhibit_3pid_errors: true
|
||||||
|
|
||||||
|
# A list of domains that the domain portion of 'next_link' parameters
|
||||||
|
# must match.
|
||||||
|
#
|
||||||
|
# This parameter is optionally provided by clients while requesting
|
||||||
|
# validation of an email or phone number, and maps to a link that
|
||||||
|
# users will be automatically redirected to after validation
|
||||||
|
# succeeds. Clients can make use this parameter to aid the validation
|
||||||
|
# process.
|
||||||
|
#
|
||||||
|
# The whitelist is applied whether the homeserver or an
|
||||||
|
# identity server is handling validation.
|
||||||
|
#
|
||||||
|
# The default value is no whitelist functionality; all domains are
|
||||||
|
# allowed. Setting this value to an empty list will instead disallow
|
||||||
|
# all domains.
|
||||||
|
#
|
||||||
|
#next_link_domain_whitelist: ["matrix.org"]
|
||||||
|
|
||||||
|
|
||||||
## TLS ##
|
## TLS ##
|
||||||
|
|
||||||
@ -569,6 +652,7 @@ acme:
|
|||||||
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
|
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
|
||||||
|
|
||||||
|
|
||||||
|
## Federation ##
|
||||||
|
|
||||||
# Restrict federation to the following whitelist of domains.
|
# Restrict federation to the following whitelist of domains.
|
||||||
# N.B. we recommend also firewalling your federation listener to limit
|
# N.B. we recommend also firewalling your federation listener to limit
|
||||||
@ -581,26 +665,16 @@ acme:
|
|||||||
# - nyc.example.com
|
# - nyc.example.com
|
||||||
# - syd.example.com
|
# - syd.example.com
|
||||||
|
|
||||||
# Prevent federation requests from being sent to the following
|
# Report prometheus metrics on the age of PDUs being sent to and received from
|
||||||
# blacklist IP address CIDR ranges. If this option is not specified, or
|
# the following domains. This can be used to give an idea of "delay" on inbound
|
||||||
# specified with an empty list, no ip range blacklist will be enforced.
|
# and outbound federation, though be aware that any delay can be due to problems
|
||||||
|
# at either end or with the intermediate network.
|
||||||
#
|
#
|
||||||
# As of Synapse v1.4.0 this option also affects any outbound requests to identity
|
# By default, no domains are monitored in this way.
|
||||||
# servers provided by user input.
|
|
||||||
#
|
#
|
||||||
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
|
#federation_metrics_domains:
|
||||||
# listed here, since they correspond to unroutable addresses.)
|
# - matrix.org
|
||||||
#
|
# - example.com
|
||||||
federation_ip_range_blacklist:
|
|
||||||
- '127.0.0.0/8'
|
|
||||||
- '10.0.0.0/8'
|
|
||||||
- '172.16.0.0/12'
|
|
||||||
- '192.168.0.0/16'
|
|
||||||
- '100.64.0.0/10'
|
|
||||||
- '169.254.0.0/16'
|
|
||||||
- '::1/128'
|
|
||||||
- 'fe80::/64'
|
|
||||||
- 'fc00::/7'
|
|
||||||
|
|
||||||
|
|
||||||
## Caching ##
|
## Caching ##
|
||||||
@ -890,9 +964,15 @@ max_upload_size: 25M
|
|||||||
# - '172.16.0.0/12'
|
# - '172.16.0.0/12'
|
||||||
# - '192.168.0.0/16'
|
# - '192.168.0.0/16'
|
||||||
# - '100.64.0.0/10'
|
# - '100.64.0.0/10'
|
||||||
|
# - '192.0.0.0/24'
|
||||||
# - '169.254.0.0/16'
|
# - '169.254.0.0/16'
|
||||||
|
# - '198.18.0.0/15'
|
||||||
|
# - '192.0.2.0/24'
|
||||||
|
# - '198.51.100.0/24'
|
||||||
|
# - '203.0.113.0/24'
|
||||||
|
# - '224.0.0.0/4'
|
||||||
# - '::1/128'
|
# - '::1/128'
|
||||||
# - 'fe80::/64'
|
# - 'fe80::/10'
|
||||||
# - 'fc00::/7'
|
# - 'fc00::/7'
|
||||||
|
|
||||||
# List of IP address CIDR ranges that the URL preview spider is allowed
|
# List of IP address CIDR ranges that the URL preview spider is allowed
|
||||||
@ -1061,8 +1141,9 @@ account_validity:
|
|||||||
# send an email to the account's email address with a renewal link. By
|
# send an email to the account's email address with a renewal link. By
|
||||||
# default, no such emails are sent.
|
# default, no such emails are sent.
|
||||||
#
|
#
|
||||||
# If you enable this setting, you will also need to fill out the 'email' and
|
# If you enable this setting, you will also need to fill out the 'email'
|
||||||
# 'public_baseurl' configuration sections.
|
# configuration section. You should also check that 'public_baseurl' is set
|
||||||
|
# correctly.
|
||||||
#
|
#
|
||||||
#renew_at: 1w
|
#renew_at: 1w
|
||||||
|
|
||||||
@ -1153,8 +1234,7 @@ account_validity:
|
|||||||
# The identity server which we suggest that clients should use when users log
|
# The identity server which we suggest that clients should use when users log
|
||||||
# in on this server.
|
# in on this server.
|
||||||
#
|
#
|
||||||
# (By default, no suggestion is made, so it is left up to the client.
|
# (By default, no suggestion is made, so it is left up to the client.)
|
||||||
# This setting is ignored unless public_baseurl is also set.)
|
|
||||||
#
|
#
|
||||||
#default_identity_server: https://matrix.org
|
#default_identity_server: https://matrix.org
|
||||||
|
|
||||||
@ -1167,8 +1247,9 @@ account_validity:
|
|||||||
# email will be globally disabled.
|
# email will be globally disabled.
|
||||||
#
|
#
|
||||||
# Additionally, if `msisdn` is not set, registration and password resets via msisdn
|
# Additionally, if `msisdn` is not set, registration and password resets via msisdn
|
||||||
# will be disabled regardless. This is due to Synapse currently not supporting any
|
# will be disabled regardless, and users will not be able to associate an msisdn
|
||||||
# method of sending SMS messages on its own.
|
# identifier to their account. This is due to Synapse currently not supporting
|
||||||
|
# any method of sending SMS messages on its own.
|
||||||
#
|
#
|
||||||
# To enable using an identity server for operations regarding a particular third-party
|
# To enable using an identity server for operations regarding a particular third-party
|
||||||
# identifier type, set the value to the URL of that identity server as shown in the
|
# identifier type, set the value to the URL of that identity server as shown in the
|
||||||
@ -1178,8 +1259,6 @@ account_validity:
|
|||||||
# by the Matrix Identity Service API specification:
|
# by the Matrix Identity Service API specification:
|
||||||
# https://matrix.org/docs/spec/identity_service/latest
|
# https://matrix.org/docs/spec/identity_service/latest
|
||||||
#
|
#
|
||||||
# If a delegate is specified, the config option public_baseurl must also be filled out.
|
|
||||||
#
|
|
||||||
account_threepid_delegates:
|
account_threepid_delegates:
|
||||||
#email: https://example.com # Delegate email sending to example.com
|
#email: https://example.com # Delegate email sending to example.com
|
||||||
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
|
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
|
||||||
@ -1442,16 +1521,22 @@ trusted_key_servers:
|
|||||||
|
|
||||||
## Single sign-on integration ##
|
## Single sign-on integration ##
|
||||||
|
|
||||||
|
# The following settings can be used to make Synapse use a single sign-on
|
||||||
|
# provider for authentication, instead of its internal password database.
|
||||||
|
#
|
||||||
|
# You will probably also want to set the following options to `false` to
|
||||||
|
# disable the regular login/registration flows:
|
||||||
|
# * enable_registration
|
||||||
|
# * password_config.enabled
|
||||||
|
#
|
||||||
|
# You will also want to investigate the settings under the "sso" configuration
|
||||||
|
# section below.
|
||||||
|
|
||||||
# Enable SAML2 for registration and login. Uses pysaml2.
|
# Enable SAML2 for registration and login. Uses pysaml2.
|
||||||
#
|
#
|
||||||
# At least one of `sp_config` or `config_path` must be set in this section to
|
# At least one of `sp_config` or `config_path` must be set in this section to
|
||||||
# enable SAML login.
|
# enable SAML login.
|
||||||
#
|
#
|
||||||
# (You will probably also want to set the following options to `false` to
|
|
||||||
# disable the regular login/registration flows:
|
|
||||||
# * enable_registration
|
|
||||||
# * password_config.enabled
|
|
||||||
#
|
|
||||||
# Once SAML support is enabled, a metadata file will be exposed at
|
# Once SAML support is enabled, a metadata file will be exposed at
|
||||||
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
|
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
|
||||||
# use to configure your SAML IdP with. Alternatively, you can manually configure
|
# use to configure your SAML IdP with. Alternatively, you can manually configure
|
||||||
@ -1466,36 +1551,66 @@ saml2_config:
|
|||||||
# so it is not normally necessary to specify them unless you need to
|
# so it is not normally necessary to specify them unless you need to
|
||||||
# override them.
|
# override them.
|
||||||
#
|
#
|
||||||
#sp_config:
|
sp_config:
|
||||||
# # point this to the IdP's metadata. You can use either a local file or
|
# Point this to the IdP's metadata. You must provide either a local
|
||||||
# # (preferably) a URL.
|
# file via the `local` attribute or (preferably) a URL via the
|
||||||
# metadata:
|
# `remote` attribute.
|
||||||
# #local: ["saml2/idp.xml"]
|
#
|
||||||
|
#metadata:
|
||||||
|
# local: ["saml2/idp.xml"]
|
||||||
# remote:
|
# remote:
|
||||||
# - url: https://our_idp/metadata.xml
|
# - url: https://our_idp/metadata.xml
|
||||||
|
|
||||||
|
# Allowed clock difference in seconds between the homeserver and IdP.
|
||||||
#
|
#
|
||||||
# # By default, the user has to go to our login page first. If you'd like
|
# Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
|
||||||
# # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
|
|
||||||
# # 'service.sp' section:
|
|
||||||
# #
|
|
||||||
# #service:
|
|
||||||
# # sp:
|
|
||||||
# # allow_unsolicited: true
|
|
||||||
#
|
#
|
||||||
# # The examples below are just used to generate our metadata xml, and you
|
#accepted_time_diff: 3
|
||||||
# # may well not need them, depending on your setup. Alternatively you
|
|
||||||
# # may need a whole lot more detail - see the pysaml2 docs!
|
# By default, the user has to go to our login page first. If you'd like
|
||||||
|
# to allow IdP-initiated login, set 'allow_unsolicited: true' in a
|
||||||
|
# 'service.sp' section:
|
||||||
#
|
#
|
||||||
# description: ["My awesome SP", "en"]
|
#service:
|
||||||
# name: ["Test SP", "en"]
|
# sp:
|
||||||
#
|
# allow_unsolicited: true
|
||||||
# organization:
|
|
||||||
|
# The examples below are just used to generate our metadata xml, and you
|
||||||
|
# may well not need them, depending on your setup. Alternatively you
|
||||||
|
# may need a whole lot more detail - see the pysaml2 docs!
|
||||||
|
|
||||||
|
#description: ["My awesome SP", "en"]
|
||||||
|
#name: ["Test SP", "en"]
|
||||||
|
|
||||||
|
#ui_info:
|
||||||
|
# display_name:
|
||||||
|
# - lang: en
|
||||||
|
# text: "Display Name is the descriptive name of your service."
|
||||||
|
# description:
|
||||||
|
# - lang: en
|
||||||
|
# text: "Description should be a short paragraph explaining the purpose of the service."
|
||||||
|
# information_url:
|
||||||
|
# - lang: en
|
||||||
|
# text: "https://example.com/terms-of-service"
|
||||||
|
# privacy_statement_url:
|
||||||
|
# - lang: en
|
||||||
|
# text: "https://example.com/privacy-policy"
|
||||||
|
# keywords:
|
||||||
|
# - lang: en
|
||||||
|
# text: ["Matrix", "Element"]
|
||||||
|
# logo:
|
||||||
|
# - lang: en
|
||||||
|
# text: "https://example.com/logo.svg"
|
||||||
|
# width: "200"
|
||||||
|
# height: "80"
|
||||||
|
|
||||||
|
#organization:
|
||||||
# name: Example com
|
# name: Example com
|
||||||
# display_name:
|
# display_name:
|
||||||
# - ["Example co", "en"]
|
# - ["Example co", "en"]
|
||||||
# url: "http://example.com"
|
# url: "http://example.com"
|
||||||
#
|
|
||||||
# contact_person:
|
#contact_person:
|
||||||
# - given_name: Bob
|
# - given_name: Bob
|
||||||
# sur_name: "the Sysadmin"
|
# sur_name: "the Sysadmin"
|
||||||
# email_address": ["admin@example.com"]
|
# email_address": ["admin@example.com"]
|
||||||
@ -1574,157 +1689,200 @@ saml2_config:
|
|||||||
# - attribute: department
|
# - attribute: department
|
||||||
# value: "sales"
|
# value: "sales"
|
||||||
|
|
||||||
# Directory in which Synapse will try to find the template files below.
|
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
|
||||||
# If not set, default templates from within the Synapse package will be used.
|
# option must be set to the entity to redirect users to.
|
||||||
#
|
#
|
||||||
# DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
|
# Most deployments only have a single IdP entity and so should omit this
|
||||||
# If you *do* uncomment it, you will need to make sure that all the templates
|
# option.
|
||||||
# below are in the directory.
|
|
||||||
#
|
#
|
||||||
# Synapse will look for the following templates in this directory:
|
#idp_entityid: 'https://our_idp/entityid'
|
||||||
#
|
|
||||||
# * HTML page to display to users if something goes wrong during the
|
|
||||||
# authentication process: 'saml_error.html'.
|
|
||||||
#
|
|
||||||
# When rendering, this template is given the following variables:
|
|
||||||
# * code: an HTML error code corresponding to the error that is being
|
|
||||||
# returned (typically 400 or 500)
|
|
||||||
#
|
|
||||||
# * msg: a textual message describing the error.
|
|
||||||
#
|
|
||||||
# The variables will automatically be HTML-escaped.
|
|
||||||
#
|
|
||||||
# You can see the default templates at:
|
|
||||||
# https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
|
|
||||||
#
|
|
||||||
#template_dir: "res/templates"
|
|
||||||
|
|
||||||
|
|
||||||
# OpenID Connect integration. The following settings can be used to make Synapse
|
# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
|
||||||
# use an OpenID Connect Provider for authentication, instead of its internal
|
# and login.
|
||||||
# password database.
|
|
||||||
#
|
#
|
||||||
# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md.
|
# Options for each entry include:
|
||||||
#
|
#
|
||||||
oidc_config:
|
# idp_id: a unique identifier for this identity provider. Used internally
|
||||||
# Uncomment the following to enable authorization against an OpenID Connect
|
# by Synapse; should be a single word such as 'github'.
|
||||||
# server. Defaults to false.
|
#
|
||||||
|
# Note that, if this is changed, users authenticating via that provider
|
||||||
|
# will no longer be recognised as the same user!
|
||||||
|
#
|
||||||
|
# idp_name: A user-facing name for this identity provider, which is used to
|
||||||
|
# offer the user a choice of login mechanisms.
|
||||||
|
#
|
||||||
|
# idp_icon: An optional icon for this identity provider, which is presented
|
||||||
|
# by identity picker pages. If given, must be an MXC URI of the format
|
||||||
|
# mxc://<server-name>/<media-id>. (An easy way to obtain such an MXC URI
|
||||||
|
# is to upload an image to an (unencrypted) room and then copy the "url"
|
||||||
|
# from the source of the event.)
|
||||||
|
#
|
||||||
|
# discover: set to 'false' to disable the use of the OIDC discovery mechanism
|
||||||
|
# to discover endpoints. Defaults to true.
|
||||||
|
#
|
||||||
|
# issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
|
||||||
|
# is enabled) to discover the provider's endpoints.
|
||||||
|
#
|
||||||
|
# client_id: Required. oauth2 client id to use.
|
||||||
|
#
|
||||||
|
# client_secret: Required. oauth2 client secret to use.
|
||||||
|
#
|
||||||
|
# client_auth_method: auth method to use when exchanging the token. Valid
|
||||||
|
# values are 'client_secret_basic' (default), 'client_secret_post' and
|
||||||
|
# 'none'.
|
||||||
|
#
|
||||||
|
# scopes: list of scopes to request. This should normally include the "openid"
|
||||||
|
# scope. Defaults to ["openid"].
|
||||||
|
#
|
||||||
|
# authorization_endpoint: the oauth2 authorization endpoint. Required if
|
||||||
|
# provider discovery is disabled.
|
||||||
|
#
|
||||||
|
# token_endpoint: the oauth2 token endpoint. Required if provider discovery is
|
||||||
|
# disabled.
|
||||||
|
#
|
||||||
|
# userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
|
||||||
|
# disabled and the 'openid' scope is not requested.
|
||||||
|
#
|
||||||
|
# jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
|
||||||
|
# the 'openid' scope is used.
|
||||||
|
#
|
||||||
|
# skip_verification: set to 'true' to skip metadata verification. Use this if
|
||||||
|
# you are connecting to a provider that is not OpenID Connect compliant.
|
||||||
|
# Defaults to false. Avoid this in production.
|
||||||
|
#
|
||||||
|
# user_profile_method: Whether to fetch the user profile from the userinfo
|
||||||
|
# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
|
||||||
|
#
|
||||||
|
# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
|
||||||
|
# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
|
||||||
|
# userinfo endpoint.
|
||||||
|
#
|
||||||
|
# allow_existing_users: set to 'true' to allow a user logging in via OIDC to
|
||||||
|
# match a pre-existing account instead of failing. This could be used if
|
||||||
|
# switching from password logins to OIDC. Defaults to false.
|
||||||
|
#
|
||||||
|
# user_mapping_provider: Configuration for how attributes returned from a OIDC
|
||||||
|
# provider are mapped onto a matrix user. This setting has the following
|
||||||
|
# sub-properties:
|
||||||
|
#
|
||||||
|
# module: The class name of a custom mapping module. Default is
|
||||||
|
# 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
|
||||||
|
# See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
|
||||||
|
# for information on implementing a custom mapping provider.
|
||||||
|
#
|
||||||
|
# config: Configuration for the mapping provider module. This section will
|
||||||
|
# be passed as a Python dictionary to the user mapping provider
|
||||||
|
# module's `parse_config` method.
|
||||||
|
#
|
||||||
|
# For the default provider, the following settings are available:
|
||||||
|
#
|
||||||
|
# sub: name of the claim containing a unique identifier for the
|
||||||
|
# user. Defaults to 'sub', which OpenID Connect compliant
|
||||||
|
# providers should provide.
|
||||||
|
#
|
||||||
|
# localpart_template: Jinja2 template for the localpart of the MXID.
|
||||||
|
# If this is not set, the user will be prompted to choose their
|
||||||
|
# own username.
|
||||||
|
#
|
||||||
|
# display_name_template: Jinja2 template for the display name to set
|
||||||
|
# on first login. If unset, no displayname will be set.
|
||||||
|
#
|
||||||
|
# extra_attributes: a map of Jinja2 templates for extra attributes
|
||||||
|
# to send back to the client during login.
|
||||||
|
# Note that these are non-standard and clients will ignore them
|
||||||
|
# without modifications.
|
||||||
|
#
|
||||||
|
# When rendering, the Jinja2 templates are given a 'user' variable,
|
||||||
|
# which is set to the claims returned by the UserInfo Endpoint and/or
|
||||||
|
# in the ID Token.
|
||||||
|
#
|
||||||
|
# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
|
||||||
|
# for information on how to configure these options.
|
||||||
|
#
|
||||||
|
# For backwards compatibility, it is also possible to configure a single OIDC
|
||||||
|
# provider via an 'oidc_config' setting. This is now deprecated and admins are
|
||||||
|
# advised to migrate to the 'oidc_providers' format. (When doing that migration,
|
||||||
|
# use 'oidc' for the idp_id to ensure that existing users continue to be
|
||||||
|
# recognised.)
|
||||||
|
#
|
||||||
|
oidc_providers:
|
||||||
|
# Generic example
|
||||||
|
#
|
||||||
|
#- idp_id: my_idp
|
||||||
|
# idp_name: "My OpenID provider"
|
||||||
|
# idp_icon: "mxc://example.com/mediaid"
|
||||||
|
# discover: false
|
||||||
|
# issuer: "https://accounts.example.com/"
|
||||||
|
# client_id: "provided-by-your-issuer"
|
||||||
|
# client_secret: "provided-by-your-issuer"
|
||||||
|
# client_auth_method: client_secret_post
|
||||||
|
# scopes: ["openid", "profile"]
|
||||||
|
# authorization_endpoint: "https://accounts.example.com/oauth2/auth"
|
||||||
|
# token_endpoint: "https://accounts.example.com/oauth2/token"
|
||||||
|
# userinfo_endpoint: "https://accounts.example.com/userinfo"
|
||||||
|
# jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
|
||||||
|
# skip_verification: true
|
||||||
|
|
||||||
|
# For use with Keycloak
|
||||||
|
#
|
||||||
|
#- idp_id: keycloak
|
||||||
|
# idp_name: Keycloak
|
||||||
|
# issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name"
|
||||||
|
# client_id: "synapse"
|
||||||
|
# client_secret: "copy secret generated in Keycloak UI"
|
||||||
|
# scopes: ["openid", "profile"]
|
||||||
|
|
||||||
|
# For use with Github
|
||||||
|
#
|
||||||
|
#- idp_id: github
|
||||||
|
# idp_name: Github
|
||||||
|
# discover: false
|
||||||
|
# issuer: "https://github.com/"
|
||||||
|
# client_id: "your-client-id" # TO BE FILLED
|
||||||
|
# client_secret: "your-client-secret" # TO BE FILLED
|
||||||
|
# authorization_endpoint: "https://github.com/login/oauth/authorize"
|
||||||
|
# token_endpoint: "https://github.com/login/oauth/access_token"
|
||||||
|
# userinfo_endpoint: "https://api.github.com/user"
|
||||||
|
# scopes: ["read:user"]
|
||||||
|
# user_mapping_provider:
|
||||||
|
# config:
|
||||||
|
# subject_claim: "id"
|
||||||
|
# localpart_template: "{ user.login }"
|
||||||
|
# display_name_template: "{ user.name }"
|
||||||
|
|
||||||
|
|
||||||
|
# Enable Central Authentication Service (CAS) for registration and login.
|
||||||
|
#
|
||||||
|
cas_config:
|
||||||
|
# Uncomment the following to enable authorization against a CAS server.
|
||||||
|
# Defaults to false.
|
||||||
#
|
#
|
||||||
#enabled: true
|
#enabled: true
|
||||||
|
|
||||||
# Uncomment the following to disable use of the OIDC discovery mechanism to
|
# The URL of the CAS authorization endpoint.
|
||||||
# discover endpoints. Defaults to true.
|
|
||||||
#
|
#
|
||||||
#discover: false
|
#server_url: "https://cas-server.com"
|
||||||
|
|
||||||
# the OIDC issuer. Used to validate tokens and (if discovery is enabled) to
|
# The public URL of the homeserver.
|
||||||
# discover the provider's endpoints.
|
|
||||||
#
|
#
|
||||||
# Required if 'enabled' is true.
|
#service_url: "https://homeserver.domain.com:8448"
|
||||||
#
|
|
||||||
#issuer: "https://accounts.example.com/"
|
|
||||||
|
|
||||||
# oauth2 client id to use.
|
# The attribute of the CAS response to use as the display name.
|
||||||
#
|
|
||||||
# Required if 'enabled' is true.
|
|
||||||
#
|
|
||||||
#client_id: "provided-by-your-issuer"
|
|
||||||
|
|
||||||
# oauth2 client secret to use.
|
|
||||||
#
|
|
||||||
# Required if 'enabled' is true.
|
|
||||||
#
|
|
||||||
#client_secret: "provided-by-your-issuer"
|
|
||||||
|
|
||||||
# auth method to use when exchanging the token.
|
|
||||||
# Valid values are 'client_secret_basic' (default), 'client_secret_post' and
|
|
||||||
# 'none'.
|
|
||||||
#
|
|
||||||
#client_auth_method: client_secret_post
|
|
||||||
|
|
||||||
# list of scopes to request. This should normally include the "openid" scope.
|
|
||||||
# Defaults to ["openid"].
|
|
||||||
#
|
|
||||||
#scopes: ["openid", "profile"]
|
|
||||||
|
|
||||||
# the oauth2 authorization endpoint. Required if provider discovery is disabled.
|
|
||||||
#
|
|
||||||
#authorization_endpoint: "https://accounts.example.com/oauth2/auth"
|
|
||||||
|
|
||||||
# the oauth2 token endpoint. Required if provider discovery is disabled.
|
|
||||||
#
|
|
||||||
#token_endpoint: "https://accounts.example.com/oauth2/token"
|
|
||||||
|
|
||||||
# the OIDC userinfo endpoint. Required if discovery is disabled and the
|
|
||||||
# "openid" scope is not requested.
|
|
||||||
#
|
|
||||||
#userinfo_endpoint: "https://accounts.example.com/userinfo"
|
|
||||||
|
|
||||||
# URI where to fetch the JWKS. Required if discovery is disabled and the
|
|
||||||
# "openid" scope is used.
|
|
||||||
#
|
|
||||||
#jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
|
|
||||||
|
|
||||||
# Uncomment to skip metadata verification. Defaults to false.
|
|
||||||
#
|
|
||||||
# Use this if you are connecting to a provider that is not OpenID Connect
|
|
||||||
# compliant.
|
|
||||||
# Avoid this in production.
|
|
||||||
#
|
|
||||||
#skip_verification: true
|
|
||||||
|
|
||||||
# An external module can be provided here as a custom solution to mapping
|
|
||||||
# attributes returned from a OIDC provider onto a matrix user.
|
|
||||||
#
|
|
||||||
user_mapping_provider:
|
|
||||||
# The custom module's class. Uncomment to use a custom module.
|
|
||||||
# Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
|
|
||||||
#
|
|
||||||
# See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
|
|
||||||
# for information on implementing a custom mapping provider.
|
|
||||||
#
|
|
||||||
#module: mapping_provider.OidcMappingProvider
|
|
||||||
|
|
||||||
# Custom configuration values for the module. This section will be passed as
|
|
||||||
# a Python dictionary to the user mapping provider module's `parse_config`
|
|
||||||
# method.
|
|
||||||
#
|
|
||||||
# The examples below are intended for the default provider: they should be
|
|
||||||
# changed if using a custom provider.
|
|
||||||
#
|
|
||||||
config:
|
|
||||||
# name of the claim containing a unique identifier for the user.
|
|
||||||
# Defaults to `sub`, which OpenID Connect compliant providers should provide.
|
|
||||||
#
|
|
||||||
#subject_claim: "sub"
|
|
||||||
|
|
||||||
# Jinja2 template for the localpart of the MXID.
|
|
||||||
#
|
|
||||||
# When rendering, this template is given the following variables:
|
|
||||||
# * user: The claims returned by the UserInfo Endpoint and/or in the ID
|
|
||||||
# Token
|
|
||||||
#
|
|
||||||
# This must be configured if using the default mapping provider.
|
|
||||||
#
|
|
||||||
#localpart_template: "<{ user.preferred_username }>"
|
|
||||||
|
|
||||||
# Jinja2 template for the display name to set on first login.
|
|
||||||
#
|
#
|
||||||
# If unset, no displayname will be set.
|
# If unset, no displayname will be set.
|
||||||
#
|
#
|
||||||
#display_name_template: "<{ user.given_name }> <{ user.last_name }>"
|
#displayname_attribute: name
|
||||||
|
|
||||||
|
# It is possible to configure Synapse to only allow logins if CAS attributes
|
||||||
|
# match particular values. All of the keys in the mapping below must exist
|
||||||
# Enable CAS for registration and login.
|
# and the values must match the given value. Alternately if the given value
|
||||||
#
|
# is None then any value is allowed (the attribute just must exist).
|
||||||
#cas_config:
|
# All of the listed attributes must match for the login to be permitted.
|
||||||
# enabled: true
|
#
|
||||||
# server_url: "https://cas-server.com"
|
#required_attributes:
|
||||||
# service_url: "https://homeserver.domain.com:8448"
|
# userGroup: "staff"
|
||||||
# #displayname_attribute: name
|
# department: None
|
||||||
# #required_attributes:
|
|
||||||
# # name: value
|
|
||||||
|
|
||||||
|
|
||||||
# Additional settings to use with single-sign on systems such as OpenID Connect,
|
# Additional settings to use with single-sign on systems such as OpenID Connect,
|
||||||
@ -1741,9 +1899,9 @@ sso:
|
|||||||
# phishing attacks from evil.site. To avoid this, include a slash after the
|
# phishing attacks from evil.site. To avoid this, include a slash after the
|
||||||
# hostname: "https://my.client/".
|
# hostname: "https://my.client/".
|
||||||
#
|
#
|
||||||
# If public_baseurl is set, then the login fallback page (used by clients
|
# The login fallback page (used by clients that don't natively support the
|
||||||
# that don't natively support the required login flows) is whitelisted in
|
# required login flows) is automatically whitelisted in addition to any URLs
|
||||||
# addition to any URLs in this list.
|
# in this list.
|
||||||
#
|
#
|
||||||
# By default, this list is empty.
|
# By default, this list is empty.
|
||||||
#
|
#
|
||||||
@ -1752,14 +1910,36 @@ sso:
|
|||||||
# - https://my.custom.client/
|
# - https://my.custom.client/
|
||||||
|
|
||||||
# Directory in which Synapse will try to find the template files below.
|
# Directory in which Synapse will try to find the template files below.
|
||||||
# If not set, default templates from within the Synapse package will be used.
|
# If not set, or the files named below are not found within the template
|
||||||
#
|
# directory, default templates from within the Synapse package will be used.
|
||||||
# DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
|
|
||||||
# If you *do* uncomment it, you will need to make sure that all the templates
|
|
||||||
# below are in the directory.
|
|
||||||
#
|
#
|
||||||
# Synapse will look for the following templates in this directory:
|
# Synapse will look for the following templates in this directory:
|
||||||
#
|
#
|
||||||
|
# * HTML page to prompt the user to choose an Identity Provider during
|
||||||
|
# login: 'sso_login_idp_picker.html'.
|
||||||
|
#
|
||||||
|
# This is only used if multiple SSO Identity Providers are configured.
|
||||||
|
#
|
||||||
|
# When rendering, this template is given the following variables:
|
||||||
|
# * redirect_url: the URL that the user will be redirected to after
|
||||||
|
# login. Needs manual escaping (see
|
||||||
|
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
|
||||||
|
#
|
||||||
|
# * server_name: the homeserver's name.
|
||||||
|
#
|
||||||
|
# * providers: a list of available Identity Providers. Each element is
|
||||||
|
# an object with the following attributes:
|
||||||
|
# * idp_id: unique identifier for the IdP
|
||||||
|
# * idp_name: user-facing name for the IdP
|
||||||
|
#
|
||||||
|
# The rendered HTML page should contain a form which submits its results
|
||||||
|
# back as a GET request, with the following query parameters:
|
||||||
|
#
|
||||||
|
# * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
|
||||||
|
# to the template)
|
||||||
|
#
|
||||||
|
# * idp: the 'idp_id' of the chosen IDP.
|
||||||
|
#
|
||||||
# * HTML page for a confirmation step before redirecting back to the client
|
# * HTML page for a confirmation step before redirecting back to the client
|
||||||
# with the login token: 'sso_redirect_confirm.html'.
|
# with the login token: 'sso_redirect_confirm.html'.
|
||||||
#
|
#
|
||||||
@ -1795,6 +1975,14 @@ sso:
|
|||||||
#
|
#
|
||||||
# This template has no additional variables.
|
# This template has no additional variables.
|
||||||
#
|
#
|
||||||
|
# * HTML page shown after a user-interactive authentication session which
|
||||||
|
# does not map correctly onto the expected user: 'sso_auth_bad_user.html'.
|
||||||
|
#
|
||||||
|
# When rendering, this template is given the following variables:
|
||||||
|
# * server_name: the homeserver's name.
|
||||||
|
# * user_id_to_verify: the MXID of the user that we are trying to
|
||||||
|
# validate.
|
||||||
|
#
|
||||||
# * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)
|
# * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)
|
||||||
# attempts to login: 'sso_account_deactivated.html'.
|
# attempts to login: 'sso_account_deactivated.html'.
|
||||||
#
|
#
|
||||||
@ -1824,7 +2012,7 @@ sso:
|
|||||||
# and issued at ("iat") claims are validated if present.
|
# and issued at ("iat") claims are validated if present.
|
||||||
#
|
#
|
||||||
# Note that this is a non-standard login type and client support is
|
# Note that this is a non-standard login type and client support is
|
||||||
# expected to be non-existant.
|
# expected to be non-existent.
|
||||||
#
|
#
|
||||||
# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md.
|
# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md.
|
||||||
#
|
#
|
||||||
@ -1920,6 +2108,21 @@ password_config:
|
|||||||
#
|
#
|
||||||
#require_uppercase: true
|
#require_uppercase: true
|
||||||
|
|
||||||
|
ui_auth:
|
||||||
|
# The number of milliseconds to allow a user-interactive authentication
|
||||||
|
# session to be active.
|
||||||
|
#
|
||||||
|
# This defaults to 0, meaning the user is queried for their credentials
|
||||||
|
# before every action, but this can be overridden to alow a single
|
||||||
|
# validation to be re-used. This weakens the protections afforded by
|
||||||
|
# the user-interactive authentication process, by allowing for multiple
|
||||||
|
# (and potentially different) operations to use the same validation session.
|
||||||
|
#
|
||||||
|
# Uncomment below to allow for credential validation to last for 15
|
||||||
|
# seconds.
|
||||||
|
#
|
||||||
|
#session_timeout: 15000
|
||||||
|
|
||||||
|
|
||||||
# Configuration for sending emails from Synapse.
|
# Configuration for sending emails from Synapse.
|
||||||
#
|
#
|
||||||
@ -1985,12 +2188,15 @@ email:
|
|||||||
#
|
#
|
||||||
#validation_token_lifetime: 15m
|
#validation_token_lifetime: 15m
|
||||||
|
|
||||||
# Directory in which Synapse will try to find the template files below.
|
# The web client location to direct users to during an invite. This is passed
|
||||||
# If not set, default templates from within the Synapse package will be used.
|
# to the identity server as the org.matrix.web_client_location key. Defaults
|
||||||
|
# to unset, giving no guidance to the identity server.
|
||||||
#
|
#
|
||||||
# DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
|
#invite_client_location: https://app.element.io
|
||||||
# If you *do* uncomment it, you will need to make sure that all the templates
|
|
||||||
# below are in the directory.
|
# Directory in which Synapse will try to find the template files below.
|
||||||
|
# If not set, or the files named below are not found within the template
|
||||||
|
# directory, default templates from within the Synapse package will be used.
|
||||||
#
|
#
|
||||||
# Synapse will look for the following templates in this directory:
|
# Synapse will look for the following templates in this directory:
|
||||||
#
|
#
|
||||||
@ -2003,9 +2209,13 @@ email:
|
|||||||
# * The contents of password reset emails sent by the homeserver:
|
# * The contents of password reset emails sent by the homeserver:
|
||||||
# 'password_reset.html' and 'password_reset.txt'
|
# 'password_reset.html' and 'password_reset.txt'
|
||||||
#
|
#
|
||||||
# * HTML pages for success and failure that a user will see when they follow
|
# * An HTML page that a user will see when they follow the link in the password
|
||||||
# the link in the password reset email: 'password_reset_success.html' and
|
# reset email. The user will be asked to confirm the action before their
|
||||||
# 'password_reset_failure.html'
|
# password is reset: 'password_reset_confirmation.html'
|
||||||
|
#
|
||||||
|
# * HTML pages for success and failure that a user will see when they confirm
|
||||||
|
# the password reset flow using the page above: 'password_reset_success.html'
|
||||||
|
# and 'password_reset_failure.html'
|
||||||
#
|
#
|
||||||
# * The contents of address verification emails sent during registration:
|
# * The contents of address verification emails sent during registration:
|
||||||
# 'registration.html' and 'registration.txt'
|
# 'registration.html' and 'registration.txt'
|
||||||
@ -2107,6 +2317,7 @@ email:
|
|||||||
# respectively.
|
# respectively.
|
||||||
#
|
#
|
||||||
password_providers:
|
password_providers:
|
||||||
|
# # Example config for an LDAP auth provider
|
||||||
- module: "ldap_auth_provider.LdapAuthProvider"
|
- module: "ldap_auth_provider.LdapAuthProvider"
|
||||||
config:
|
config:
|
||||||
enabled: true
|
enabled: true
|
||||||
@ -2123,20 +2334,35 @@ password_providers:
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Clients requesting push notifications can either have the body of
|
## Push ##
|
||||||
# the message sent in the notification poke along with other details
|
|
||||||
# like the sender, or just the event ID and room ID (`event_id_only`).
|
push:
|
||||||
# If clients choose the former, this option controls whether the
|
# Clients requesting push notifications can either have the body of
|
||||||
# notification request includes the content of the event (other details
|
# the message sent in the notification poke along with other details
|
||||||
# like the sender are still included). For `event_id_only` push, it
|
# like the sender, or just the event ID and room ID (`event_id_only`).
|
||||||
# has no effect.
|
# If clients choose the former, this option controls whether the
|
||||||
#
|
# notification request includes the content of the event (other details
|
||||||
# For modern android devices the notification content will still appear
|
# like the sender are still included). For `event_id_only` push, it
|
||||||
# because it is loaded by the app. iPhone, however will send a
|
# has no effect.
|
||||||
# notification saying only that a message arrived and who it came from.
|
#
|
||||||
#
|
# For modern android devices the notification content will still appear
|
||||||
#push:
|
# because it is loaded by the app. iPhone, however will send a
|
||||||
# include_content: true
|
# notification saying only that a message arrived and who it came from.
|
||||||
|
#
|
||||||
|
# The default value is "true" to include message details. Uncomment to only
|
||||||
|
# include the event ID and room ID in push notification payloads.
|
||||||
|
#
|
||||||
|
#include_content: false
|
||||||
|
|
||||||
|
# When a push notification is received, an unread count is also sent.
|
||||||
|
# This number can either be calculated as the number of unread messages
|
||||||
|
# for the user, or the number of *rooms* the user has unread messages in.
|
||||||
|
#
|
||||||
|
# The default value is "true", meaning push clients will see the number of
|
||||||
|
# rooms with unread messages in them. Uncomment to instead send the number
|
||||||
|
# of unread messages.
|
||||||
|
#
|
||||||
|
#group_unread_count_by_room: false
|
||||||
|
|
||||||
|
|
||||||
# Spam checkers are third-party modules that can block specific actions
|
# Spam checkers are third-party modules that can block specific actions
|
||||||
@ -2179,7 +2405,7 @@ spam_checker:
|
|||||||
# If enabled, non server admins can only create groups with local parts
|
# If enabled, non server admins can only create groups with local parts
|
||||||
# starting with this prefix
|
# starting with this prefix
|
||||||
#
|
#
|
||||||
#group_creation_prefix: "unofficial/"
|
#group_creation_prefix: "unofficial_"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -2337,7 +2563,7 @@ spam_checker:
|
|||||||
#
|
#
|
||||||
# Options for the rules include:
|
# Options for the rules include:
|
||||||
#
|
#
|
||||||
# user_id: Matches agaisnt the creator of the alias
|
# user_id: Matches against the creator of the alias
|
||||||
# room_id: Matches against the room ID being published
|
# room_id: Matches against the room ID being published
|
||||||
# alias: Matches against any current local or canonical aliases
|
# alias: Matches against any current local or canonical aliases
|
||||||
# associated with the room
|
# associated with the room
|
||||||
@ -2383,7 +2609,7 @@ opentracing:
|
|||||||
# This is a list of regexes which are matched against the server_name of the
|
# This is a list of regexes which are matched against the server_name of the
|
||||||
# homeserver.
|
# homeserver.
|
||||||
#
|
#
|
||||||
# By defult, it is empty, so no servers are matched.
|
# By default, it is empty, so no servers are matched.
|
||||||
#
|
#
|
||||||
#homeserver_whitelist:
|
#homeserver_whitelist:
|
||||||
# - ".*"
|
# - ".*"
|
||||||
@ -2439,6 +2665,18 @@ opentracing:
|
|||||||
# events: worker1
|
# events: worker1
|
||||||
# typing: worker1
|
# typing: worker1
|
||||||
|
|
||||||
|
# The worker that is used to run background tasks (e.g. cleaning up expired
|
||||||
|
# data). If not provided this defaults to the main process.
|
||||||
|
#
|
||||||
|
#run_background_tasks_on: worker1
|
||||||
|
|
||||||
|
# A shared secret used by the replication APIs to authenticate HTTP requests
|
||||||
|
# from workers.
|
||||||
|
#
|
||||||
|
# By default this is unused and traffic is not authenticated.
|
||||||
|
#
|
||||||
|
#worker_replication_secret: ""
|
||||||
|
|
||||||
|
|
||||||
# Configuration for Redis when using workers. This *must* be enabled when
|
# Configuration for Redis when using workers. This *must* be enabled when
|
||||||
# using workers (unless using old style direct TCP configuration).
|
# using workers (unless using old style direct TCP configuration).
|
||||||
|