From 6e5e9da04c6a55fe6669c15f2e46c7dbac7ea43b Mon Sep 17 00:00:00 2001 From: Kjeld Schouten-Lebbing Date: Mon, 24 Jan 2022 00:22:17 +0100 Subject: [PATCH] feat(synapse): add synapse (#1768) --- charts/incubator/synapse/.helmignore | 24 ++ charts/incubator/synapse/Chart.yaml | 32 ++ charts/incubator/synapse/ci/base-values.yaml | 5 + charts/incubator/synapse/ci/basic-values.yaml | 5 + charts/incubator/synapse/questions.yaml | 349 ++++++++++++++++++ .../synapse/templates/_configmap.tpl | 153 ++++++++ .../incubator/synapse/templates/_helpers.tpl | 20 + .../incubator/synapse/templates/_secret.tpl | 55 +++ .../incubator/synapse/templates/common.yaml | 11 + charts/incubator/synapse/values.yaml | 313 ++++++++++++++++ 10 files changed, 967 insertions(+) create mode 100644 charts/incubator/synapse/.helmignore create mode 100644 charts/incubator/synapse/Chart.yaml create mode 100644 charts/incubator/synapse/ci/base-values.yaml create mode 100644 charts/incubator/synapse/ci/basic-values.yaml create mode 100644 charts/incubator/synapse/questions.yaml create mode 100644 charts/incubator/synapse/templates/_configmap.tpl create mode 100644 charts/incubator/synapse/templates/_helpers.tpl create mode 100644 charts/incubator/synapse/templates/_secret.tpl create mode 100644 charts/incubator/synapse/templates/common.yaml create mode 100644 charts/incubator/synapse/values.yaml diff --git a/charts/incubator/synapse/.helmignore b/charts/incubator/synapse/.helmignore new file mode 100644 index 00000000000..e559de0a012 --- /dev/null +++ b/charts/incubator/synapse/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# OWNERS file for Kubernetes +OWNERS diff --git a/charts/incubator/synapse/Chart.yaml b/charts/incubator/synapse/Chart.yaml new file mode 100644 index 00000000000..7184d0a687b --- /dev/null +++ b/charts/incubator/synapse/Chart.yaml @@ -0,0 +1,32 @@ +apiVersion: v2 +appVersion: "23.0.0" +dependencies: +- name: common + repository: https://truecharts.org + version: 8.14.1 +- condition: postgresql.enabled + name: postgresql + repository: https://truecharts.org/ + version: 6.0.56 +deprecated: false +description: A Helm chart to deploy a Matrix homeserver stack into Kubernetes +home: https://github.com/truecharts/apps/charts/stable/synapse +icon: https://truecharts.org/_static/img/appicons/synapse-icon.png +keywords: +- chat +- matrix +- synapse +kubeVersion: '>=1.16.0-0' +maintainers: +- email: info@truecharts.org + name: TrueCharts + url: https://truecharts.org +name: synapse +sources: [] +type: application +version: 0.0.1 +annotations: + truecharts.org/catagories: | + - cloud + truecharts.org/SCALE-support: "true" + truecharts.org/grade: U diff --git a/charts/incubator/synapse/ci/base-values.yaml b/charts/incubator/synapse/ci/base-values.yaml new file mode 100644 index 00000000000..7e5ba36f000 --- /dev/null +++ b/charts/incubator/synapse/ci/base-values.yaml @@ -0,0 +1,5 @@ +matrix: + # Hostname where Synapse can be reached. + # This is *optional* if an Ingress is configured below. If hostname is unspecified, the Synapse hostname of the + # Ingress will be used + hostname: "matrix.example.com" diff --git a/charts/incubator/synapse/ci/basic-values.yaml b/charts/incubator/synapse/ci/basic-values.yaml new file mode 100644 index 00000000000..7e5ba36f000 --- /dev/null +++ b/charts/incubator/synapse/ci/basic-values.yaml @@ -0,0 +1,5 @@ +matrix: + # Hostname where Synapse can be reached. + # This is *optional* if an Ingress is configured below. If hostname is unspecified, the Synapse hostname of the + # Ingress will be used + hostname: "matrix.example.com" diff --git a/charts/incubator/synapse/questions.yaml b/charts/incubator/synapse/questions.yaml new file mode 100644 index 00000000000..7e11bdef241 --- /dev/null +++ b/charts/incubator/synapse/questions.yaml @@ -0,0 +1,349 @@ +# Include{groups} +portals: + web_portal: + protocols: + - "$kubernetes-resource_configmap_portal_protocol" + host: + - "$kubernetes-resource_configmap_portal_host" + ports: + - "$kubernetes-resource_configmap_portal_port" +questions: + - variable: portal + group: "Container Image" + label: "Configure Portal Button" + schema: + type: dict + hidden: true + attrs: + - variable: enabled + label: "Enable" + description: "enable the portal button" + schema: + hidden: true + editable: false + type: boolean + default: true +# Include{global} + - variable: controller + group: "Controller" + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: advanced + label: "Show Advanced Controller Settings" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: type + description: "Please specify type of workload to deploy" + label: "(Advanced) Controller Type" + schema: + type: string + default: "deployment" + required: true + enum: + - value: "deployment" + description: "Deployment" + - value: "statefulset" + description: "Statefulset" + - value: "daemonset" + description: "Daemonset" + - variable: replicas + description: "Number of desired pod replicas" + label: "Desired Replicas" + schema: + type: int + default: 1 + required: true + - variable: strategy + description: "Please specify type of workload to deploy" + label: "(Advanced) Update Strategy" + schema: + type: string + default: "Recreate" + required: true + enum: + - value: "Recreate" + description: "Recreate: Kill existing pods before creating new ones" + - value: "RollingUpdate" + description: "RollingUpdate: Create new pods and then kill old ones" + - value: "OnDelete" + description: "(Legacy) OnDelete: ignore .spec.template changes" +# Include{controllerExpert} + - variable: secret + group: "Container Configuration" + label: "Image Secrets" + schema: + additional_attrs: true + type: dict + attrs: + - variable: NEXTCLOUD_ADMIN_USER + label: "NEXTCLOUD_ADMIN_USER (First Install Only)" + description: "Sets the initial nextcloud's admin username, changing this variable after first launch will NOT change admin's username" + schema: + type: string + required: true + default: "REPLACETHIS" + - variable: NEXTCLOUD_ADMIN_PASSWORD + label: "NEXTCLOUD_ADMIN_PASSWORD (First Install Only)" + description: "Sets the initial nextcloud's admin password, changing this variable after first launch will NOT change admin's password" + schema: + type: string + private: true + required: true + default: "REPLACETHIS" + - variable: env + group: "Container Configuration" + label: "Image Environment" + schema: + additional_attrs: true + type: dict + attrs: +# Include{fixedEnv} + - variable: TRUSTED_PROXIES + label: "Trusted Proxies (Advanced)" + description: "Sets nextcloud Trusted Proxies" + schema: + type: string + default: "172.16.0.0/16" + - variable: NODE_IP + label: "NODE_IP" + description: "Sets nextcloud nodeip for nodeport connections (Ensure this is correct at first install!)" + schema: + type: string + $ref: + - "definitions/nodeIP" + +# Include{containerConfig} + + - variable: service + group: "Networking and Services" + label: "Configure Service(s)" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Service" + description: "The Primary service on which the healthcheck runs, often the webUI" + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelector} + - variable: main + label: "Main Service Port Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + default: 10020 + required: true + - variable: advanced + label: "Show Advanced settings" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: protocol + label: "Port Type" + schema: + type: string + default: "HTTP" + enum: + - value: HTTP + description: "HTTP" + - value: "HTTPS" + description: "HTTPS" + - value: TCP + description: "TCP" + - value: "UDP" + description: "UDP" + - variable: nodePort + label: "Node Port (Optional)" + description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer" + schema: + type: int + min: 9000 + max: 65535 + - variable: targetPort + label: "Target Port" + description: "The internal(!) port on the container the Application runs on" + schema: + type: int + default: 80 + + - variable: serviceexpert + group: "Networking and Services" + label: "Show Expert Config" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hostNetwork + group: "Networking and Services" + label: "Host-Networking (Complicated)" + schema: + type: boolean + default: false + +# Include{serviceExpert} + +# Include{serviceList} + + - variable: persistence + label: "Integrated Persistent Storage" + description: "Integrated Persistent Storage" + group: "Storage and Persistence" + schema: + additional_attrs: true + type: dict + attrs: + - variable: data + label: "App Data Storage" + description: "Stores the Application Data." + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: "Type of Storage" + description: "Sets the persistence type, Anything other than PVC could break rollback!" + schema: + type: string + default: "simplePVC" + enum: + - value: "simplePVC" + description: "PVC (simple)" + - value: "simpleHP" + description: "HostPath (simple)" + - value: "emptyDir" + description: "emptyDir" + - value: "pvc" + description: "pvc" + - value: "hostPath" + description: "hostPath" +# Include{persistenceBasic} + - variable: hostPath + label: "hostPath" + description: "Path inside the container the storage is mounted" + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: medium + label: "EmptyDir Medium" + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: "Default" + - value: "Memory" + description: "Memory" +# Include{persistenceAdvanced} + +# Include{persistenceList} + + - variable: ingress + label: "" + group: "Ingress" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Ingress" + schema: + additional_attrs: true + type: dict + attrs: +# Include{ingressDefault} + +# Include{ingressTLS} + +# Include{ingressTraefik} + +# Include{ingressExpert} + +# Include{ingressList} + + - variable: advancedSecurity + label: "Show Advanced Security Settings" + group: "Security and Permissions" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: securityContext + label: "Security Context" + schema: + additional_attrs: true + type: dict + attrs: + - variable: privileged + label: "Privileged mode" + schema: + type: boolean + default: false + - variable: readOnlyRootFilesystem + label: "ReadOnly Root Filesystem" + schema: + type: boolean + default: false + - variable: allowPrivilegeEscalation + label: "Allow Privilege Escalation" + schema: + type: boolean + default: false + - variable: runAsNonRoot + label: "runAsNonRoot" + schema: + type: boolean + default: false +# Include{securityContextAdvanced} + + - variable: podSecurityContext + group: "Security and Permissions" + label: "Pod Security Context" + schema: + additional_attrs: true + type: dict + attrs: + - variable: runAsUser + label: "runAsUser" + description: "The UserID of the user running the application" + schema: + type: int + default: 0 + - variable: runAsGroup + label: "runAsGroup" + description: The groupID this App of the user running the application" + schema: + type: int + default: 0 + - variable: fsGroup + label: "fsGroup" + description: "The group that should own ALL storage." + schema: + type: int + default: 33 +# Include{podSecurityContextAdvanced} + +# Include{resources} + +# Include{advanced} + +# Include{addons} diff --git a/charts/incubator/synapse/templates/_configmap.tpl b/charts/incubator/synapse/templates/_configmap.tpl new file mode 100644 index 00000000000..b9597f3dab9 --- /dev/null +++ b/charts/incubator/synapse/templates/_configmap.tpl @@ -0,0 +1,153 @@ +{{/* Define the configs */}} +{{- define "synapse.config" -}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: synapse-config + labels: + {{ include "common.labels" . | nindent 4 }} + annotations: + rollme: {{ randAlphaNum 5 | quote }} +data: + homeserver.yaml: | + server_name: {{ .Values.matrix.serverName }} + pid_file: /data/homeserver.pid + public_baseurl: {{ include "matrix.baseUrl" . | quote }} + use_presence: {{ .Values.matrix.presence }} + + allow_public_rooms_over_federation: {{ and .Values.matrix.federation.enabled .Values.matrix.federation.allowPublicRooms }} + + block_non_admin_invites: {{ .Values.matrix.blockNonAdminInvites }} + + enable_search: {{ .Values.matrix.search }} + + {{- if .Values.matrix.federation.whitelist }} + federation_domain_whitelist: + {{- range .Values.matrix.federation.whitelist }} + - {{ . }} + {{- end }} + {{- end}} + + federation_ip_range_blacklist: + {{- range .Values.matrix.federation.blacklist }} + - {{ . }} + {{- end }} + + listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + bind_addresses: ['0.0.0.0'] + resources: + - names: [client, federation] + compress: false + + {{- if .Values.synapse.metrics.enabled }} + - type: metrics + port: {{ .Values.synapse.metrics.port }} + bind_addresses: ['0.0.0.0'] + resources: + - names: [metrics] + {{- end }} + + admin_contact: 'mailto:{{ .Values.matrix.adminEmail }}' + hs_disabled: {{ .Values.matrix.disabled }} + hs_disabled_message: {{ .Values.matrix.disabledMessage }} + redaction_retention_period: {{ .Values.matrix.retentionPeriod }} + + log_config: "/data/{{ .Values.matrix.serverName }}.log.config" + media_store_path: "/data/media_store" + uploads_path: "/data/uploads" + max_upload_size: {{ .Values.matrix.uploads.maxSize }} + max_image_pixels: {{ .Values.matrix.uploads.maxPixels }} + url_preview_enabled: {{ .Values.matrix.urlPreviews.enabled }} + + {{- if .Values.coturn.enabled -}} + {{- if not (empty .Values.coturn.uris) }} + turn_uris: + {{- range .Values.coturn.uris }} + - {{ . }} + {{- end }} + {{- else }} + turn_uris: + - "turn:{{ include "matrix.hostname" . }}?transport=udp" + {{- end }} + turn_user_lifetime: 1h + turn_allow_guests: {{ .Values.coturn.allowGuests }} + {{- end }} + + enable_registration: {{ .Values.matrix.registration.enabled }} + + allow_guest_access: {{ .Values.matrix.registration.allowGuests }} + + {{- if .Values.synapse.metrics.enabled }} + enable_metrics: true + {{- end }} + + report_stats: false + + {{- if .Values.synapse.appConfig }} + app_service_config_files: + {{- range .Values.synapse.appConfig }} + - {{ . }} + {{- end }} + {{- end }} + + signing_key_path: "/data/keys/{{ .Values.matrix.serverName }}.signing.key" + + {{- if .Values.matrix.security.trustedKeyServers }} + trusted_key_servers: + {{- range .Values.matrix.security.trustedKeyServers }} + - server_name: {{ .serverName }} + {{- if .verifyKeys }} + verify_keys: + {{- range .verifyKeys }} + {{ .id | quote }}: {{ .key | quote }} + {{- end }} + {{- end }} + {{- if .acceptKeysInsecurely }} + accept_keys_insecurely: {{ .acceptKeysInsecurely }} + {{- end }} + {{- end }} + {{- end }} + + suppress_key_server_warning: {{ .Values.matrix.security.supressKeyServerWarning }} + {{- if not .Values.loadCustomConfig }} + custom.yaml: | + # PLACEHOLDER + {{- end }} + + {{ .Values.matrix.serverName }}.log.config: | + version: 1 + + formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + + filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + + handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + + loggers: + synapse: + level: {{ .Values.matrix.logging.synapseLogLevel }} + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: {{ .Values.matrix.logging.sqlLogLevel }} + + + root: + level: {{ .Values.matrix.logging.rootLogLevel }} + handlers: [console] +{{- end }} diff --git a/charts/incubator/synapse/templates/_helpers.tpl b/charts/incubator/synapse/templates/_helpers.tpl new file mode 100644 index 00000000000..21bbda61c3c --- /dev/null +++ b/charts/incubator/synapse/templates/_helpers.tpl @@ -0,0 +1,20 @@ +Synapse hostname, derived from either the Values.matrix.hostname override or the Ingress definition +*/}} +{{- define "matrix.hostname" -}} +{{- if .Values.matrix.hostname }} +{{- .Values.matrix.hostname -}} +{{- else }} +{{- .Values.ingress.hosts.synapse -}} +{{- end }} +{{- end }} + +{{/* +Synapse hostname prepended with https:// to form a complete URL +*/}} +{{- define "matrix.baseUrl" -}} +{{- if .Values.matrix.hostname }} +{{- printf "https://%s" .Values.matrix.hostname -}} +{{- else }} +{{- printf "https://%s" .Values.ingress.hosts.synapse -}} +{{- end }} +{{- end }} diff --git a/charts/incubator/synapse/templates/_secret.tpl b/charts/incubator/synapse/templates/_secret.tpl new file mode 100644 index 00000000000..f83ef68469c --- /dev/null +++ b/charts/incubator/synapse/templates/_secret.tpl @@ -0,0 +1,55 @@ +{{/* Define the configs */}} +{{- define "synapse.secret" -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: synapse-secret + labels: + {{ include "common.labels" . | nindent 4 }} + annotations: + rollme: {{ randAlphaNum 5 | quote }} +stringData: + {{- $previous := lookup "v1" "Secret" .Release.Namespace "synapse-secret" }} + {{- $msk := "" }} + secret.yaml: | + {{- if .Values.mail.enabled }} + email: + enable_notifs: {{ .Values.mail.enabled }} + notif_from: {{ .Values.mail.from }} + smtp_host: {{ .Values.mail.external.host }} + smtp_port: {{ .Values.mail.external.port }} + smtp_user: {{ .Values.mail.external.username }} + smtp_pass: {{ .Values.mail.external.password }} + require_transport_security: {{ .Values.mail.external.requireTransportSecurity }} + {{- end }} + + database: + name: "psycopg2" + args: + user: "{{ .Values.postgresql.postgresqlUsername }}" + password: {{ .Values.postgresql.postgresqlPassword }} + database: "{{ .Values.postgresql.postgresqlDatabase }}" + host: "{{ printf "%v-%v" .Release.Name "postgresql" }}" + port: "5432" + cp_min: 5 + cp_max: 10 + sslmode: "disable" + + {{- if .Values.matrix.registration.sharedSecret }} + registration_shared_secret: {{ .Values.matrix.registration.sharedSecret }} + {{- end }} + + {{- if $previous }} + {{- $msk = ( index $previous.data "macaroon_secret_key" ) | b64dec }} + macaroon_secret_key: {{ ( index $previous.data "macaroon_secret_key" ) }} + {{- else }} + {{- $msk = randAlphaNum 50 }} + macaroon_secret_key: {{ $msk | b64enc | quote }} + {{- end }} + + {{- if .Values.coturn.enabled -}} + turn_shared_secret: {{ include "matrix.coturn.sharedSecret" . }} + {{- end }} + +{{- end }} diff --git a/charts/incubator/synapse/templates/common.yaml b/charts/incubator/synapse/templates/common.yaml new file mode 100644 index 00000000000..1bac1bd32ee --- /dev/null +++ b/charts/incubator/synapse/templates/common.yaml @@ -0,0 +1,11 @@ +{{/* Make sure all variables are set properly */}} +{{- include "common.setup" . }} + +{{/* Render configmap for synapse */}} +{{- include "synapse.config" . }} + +{{/* Render secret for synapse */}} +{{- include "synapse.secret" . }} + +{{/* Render the templates */}} +{{ include "common.postSetup" . }} diff --git a/charts/incubator/synapse/values.yaml b/charts/incubator/synapse/values.yaml new file mode 100644 index 00000000000..525c2421065 --- /dev/null +++ b/charts/incubator/synapse/values.yaml @@ -0,0 +1,313 @@ +image: + repository: matrixdotorg/synapse + pullPolicy: IfNotPresent + tag: v1.50.1 + +command: + - sh + - -c + - | + exec python -B -m synapse.app.homeserver \ + -c /data/homeserver.yaml \ + -c /data/secret/secret.yaml \ + -c /data/custom.yaml + +service: + main: + ports: + main: + port: 8008 + targetPort: 8008 + replication: + enabled: true + ports: + replication: + enabled: true + port: 9092 + targetPort: 9092 + metrics: + enabled: true + ports: + metrics: + enabled: true + port: 9090 + targetPort: 9090 + +securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: true + runAsNonRoot: true + +secret: {} + +installContainers: + generate-signing-key: + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: SYNAPSE_SERVER_NAME + value: "{{ .Values.matrix.serverName }}" + - name: SYNAPSE_REPORT_STATS + value: "no" + command: ["python"] + args: + - "-m" + - "synapse.app.homeserver" + - "--config-path" + - "/data/homeserver.yaml" + - "--keys-directory" + - "/data/keys" + - "--generate-keys" + volumeMounts: + - name: config + mountPath: /data + - name: secret + mountPath: /data/secret + - name: key + mountPath: /data/keys + +env: {} + +persistence: + config: + enabled: true + type: configMap + objectName: synapse-config + mountPath: /data + readOnly: false + secret: + enabled: true + type: secret + objectName: synapse-secret + mountPath: /data/secret + readOnly: false + key: + enabled: true + mountPath: "/data/keys" + media: + enabled: true + mountPath: "/data/media_store" + uploads: + enabled: true + mountPath: "/uploads" + +probes: + liveness: + path: /health + + readiness: + path: /health + + startup: + path: /health + +# Synapse Kubernetes resource settings +synapse: + loadCustomConfig: false + # -- List of application config .yaml files to be loaded from /appConfig + appConfig: [] + # Prometheus metrics for Synapse + # https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md + metrics: + # Whether Synapse should capture metrics on an additional endpoint + enabled: true + # Port to listen on for metrics scraping + port: 9092 + annotations: true + +# Runtime configuration for Synapse and settings related to the Matrix protocol +matrix: + # Manual overrides for homeserver.yaml, the main configuration file for Synapse + # If homeserverOverride is set, the entirety of homeserver.yaml will be replaced with the contents. + # If homeserverExtra is set, the contents will be appended to the end of the default configuration. + # It is highly recommended that you take a look at the defaults in templates/synapse/_homeserver.yaml, to get a sense + # of the requirements and default configuration options to use other services in this chart. + # homeserverOverride: {} + # homeserverExtra: {} + + # Domain name of the server + # This is not necessarily the host name where the service is reachable. In fact, you may want to omit any subdomains + # from this value as the server name set here will be the name of your homeserver in the fediverse, and will be the + # domain name at the end of every user's username + serverName: "example.com" + + urlPreviews: + enabled: false + + # Hostname where Synapse can be reached. + # This is *optional* if an Ingress is configured below. If hostname is unspecified, the Synapse hostname of the + # Ingress will be used + # hostname: "matrix.example.com" + + # Set to false to disable presence (online/offline indicators) + presence: true + + # Set to true to block non-admins from inviting users to any rooms + blockNonAdminInvites: false + + # Set to false to disable message searching + search: true + + # Which types of rooms to enable end-to-end encryption on by default + # off: none + # invite: private messages, or rooms created with the private_chat or trusted_private_chat room preset + # all: all rooms + encryptByDefault: invite + + # Email address of the administrator + adminEmail: "admin@example.com" + + # Settings related to image and multimedia uploads + uploads: + # Max upload size in bytes + maxSize: 10M + + # Max image size in pixels + maxPixels: 32M + + # Settings related to federation + federation: + # Set to false to disable federation and run an isolated homeserver + enabled: true + + # Set to false to disallow members of other homeservers from fetching *public* rooms + allowPublicRooms: true + + # Whitelist of domains to federate with (comment for all domains except blacklisted) + # whitelist: [] + + # IP addresses to blacklist federation requests to + blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + + # User registration settings + registration: + # Allow new users to register an account + enabled: false + + # If set, allows registration of standard or admin accounts by anyone who + # has the shared secret, even if registration is otherwise disabled. + # + # sharedSecret: + + # Allow users to join rooms as a guest + allowGuests: false + + # Required "3PIDs" - third-party identifiers such as email or msisdn (SMS) + # required3Pids: + # - email + # - msisdn + + # Rooms to automatically join all new users to + autoJoinRooms: [] + # - "#welcome:example.com" + + # How long to keep redacted events in unredacted form in the database + retentionPeriod: 7d + + security: + # a secret which is used to sign access tokens. If none is specified, + # the registration_shared_secret is used, if one is given; otherwise, + # a secret key is derived from the signing key. + # + # macaroonSecretKey: + + # This disables the warning that is emitted when the + # trustedKeyServers include 'matrix.org'. See below. + # Set to false to re-enable the warning. + # + surpressKeyServerWarning: true + + # The trusted servers to download signing keys from. + # + # When we need to fetch a signing key, each server is tried in parallel. + # + # Normally, the connection to the key server is validated via TLS certificates. + # Additional security can be provided by configuring a `verify key`, which + # will make synapse check that the response is signed by that key. + # + # This setting supercedes an older setting named `perspectives`. The old format + # is still supported for backwards-compatibility, but it is deprecated. + # + # 'trustedKeyServers' defaults to matrix.org, but using it will generate a + # warning on start-up. To suppress this warning, set + # 'surpressKeyServerWarning' to true. + # + # Options for each entry in the list include: + # + # serverName: the name of the server. required. + # + # verifyKeys: an optional map from key id to base64-encoded public key. + # If specified, we will check that the response is signed by at least + # one of the given keys. + # + # acceptKeysInsecurely: a boolean. Normally, if `verify_keys` is unset, + # and federation_verify_certificates is not `true`, synapse will refuse + # to start, because this would allow anyone who can spoof DNS responses + # to masquerade as the trusted key server. If you know what you are doing + # and are sure that your network environment provides a secure connection + # to the key server, you can set this to `true` to override this + # behaviour. + # + # An example configuration might look like: + # + # trustedKeyServers: + # - serverName: my_trusted_server.example.com + # verifyKeys: + # - id: "ed25519:auto" + # key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" + # acceptKeysInsecurely: false + # - serverName: my_other_trusted_server.example.com + + # Set to true to globally block access to the homeserver + disabled: false + # Human readable reason for why the homeserver is blocked + disabledMessage: "" + + logging: + # Root log level is the default log level for log outputs that do not have more + # specific settings. + rootLogLevel: WARNING + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + sqlLogLevel: WARNING + # The log level for the synapse server + synapseLogLevel: WARNING + + +# Settings for email notifications +mail: + # Set to false to disable all email notifications + # NOTE: If enabled, either enable the Exim relay or configure an external mail server below + enabled: false + # Name and email address for outgoing mail + from: "Matrix " + # Optional: Element instance URL. + # If the ingress is enabled, this is unnecessary. + # If the ingress is disabled and this is left unspecified, emails will contain a link to https://app.element.io + riotUrl: "" + + host: "" + port: 25 # SSL: 465, STARTTLS: 587 + username: "" + password: "" + requireTransportSecurity: true + +coturn: + enabled: false + +# Enabled postgres +postgresql: + env: + POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C" + enabled: true + existingSecret: "dbcreds" + postgresqlUsername: synapse + postgresqlDatabase: synapse