infrastructure/roles/matrix/templates/homeserver.yaml.j2

server_name: "{{ matrix_server_name }}"
public_baseurl: https://{{ matrix_domain }}/

log_config: "/etc/synapse/log_config.yaml"

listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['::1', '127.0.0.1']
    resources:
      - names: [client, federation]
        compress: false
  - port: 9093
    type: http
    bind_addresses: ['::1', '127.0.0.1']
    resources:
      - names: [replication]
        compress: false
  - port: 8019
    type: metrics
    bind_addresses: ['127.0.0.1']

database:
  name: psycopg2
  txn_limit: 10000
  args:
    dbname: synapse
    user: synapse
    password: {{ vault_postgres_users.synapse }}
    cp_min: 1
    cp_max: 8

email:
  smtp_host: 127.0.0.1
  smtp_port: 25
  notif_from: "Arch Linux %(app)s server <noreply@{{ matrix_server_name }}>"
  enable_notifs: true

app_service_config_files:
  - /etc/synapse/appservice-registration-irc.yaml

modules:
  - module: mjolnir.Module
    config:
      block_invites: true
      block_messages: false
      block_usernames: false
      ban_lists:
        - "!WuBtumawCeOGEieRrp:matrix.org"     # #matrix-org-coc-bl:matrix.org
        - "!tUPwPPmVTaiKXMiijj:matrix.org"     # #matrix-org-hs-tos-bl:matrix.org
        - "!vmRBOqUEHGdNBeweth:archlinux.org"  # #banlist:archlinux.org

event_cache_size: 15K
caches:
  global_factor: 1.0
  per_cache_factors:
    get_users_in_room: 5.0

presence:
  enabled: false

max_event_delay_duration: 24h

# Retention
delete_stale_devices_after: 1y
media_retention:
  remote_media_lifetime: 14d
forgotten_room_retention_period: 14d

# Media repository
media_store_path: "/var/lib/synapse/media_store"
max_upload_size: {{ matrix_max_upload_size }}
url_preview_enabled: true
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '192.0.0.0/24'
  - '169.254.0.0/16'
  - '192.88.99.0/24'
  - '198.18.0.0/15'
  - '192.0.2.0/24'
  - '198.51.100.0/24'
  - '203.0.113.0/24'
  - '224.0.0.0/4'
  - '::1/128'
  - 'fe80::/10'
  - 'fc00::/7'
  - '2001:db8::/32'
  - 'ff00::/8'
  - 'fec0::/10'
url_preview_accept_language:
  - 'en'
oembed:
  disable_default_providers: true
  additional_providers:
    - "/etc/synapse/oembed-providers.json"

# WebRTC
turn_uris:
  - "turns:{{ matrix_domain }}:2420?transport=udp"
  - "turns:{{ matrix_domain }}:2420?transport=tcp"
  - "turn:{{ matrix_domain }}:2410?transport=udp"
  - "turn:{{ matrix_domain }}:2410?transport=tcp"
turn_shared_secret: "{{ vault_matrix_secrets.turn_shared_secret }}"

# Metrics
enable_metrics: true
metrics_flags:
    known_servers: true
report_stats: true
federation_metrics_domains:
  - matrix.org

# Auto-join new users to rooms
auto_join_rooms:
{% for room in vault_matrix_secrets.auto_join_rooms %}
  - {{ room | to_json }}
{% endfor %}
autocreate_auto_join_rooms: false
auto_join_mxid_localpart: mjolnir
auto_join_rooms_for_guests: false

auto_accept_invites:
  enabled: true
  only_for_direct_messages: false
  only_from_local_users: true

# Login and registration
registration_shared_secret: "{{ vault_matrix_secrets.registration_shared_secret }}"
macaroon_secret_key: "{{ vault_matrix_secrets.macaroon_secret_key }}"
form_secret: "{{ vault_matrix_secrets.form_secret }}"

password_config:
   enabled: false
   pepper: "{{ vault_matrix_secrets.pepper }}"

oidc_providers:
  - idp_id: oidc
    idp_name: "Arch Linux"
    idp_icon: "mxc://archlinux.org/iQmyhmksPLmphXWFUxiLEwVw"
    idp_brand: archlinux
    issuer: "https://accounts.archlinux.org/realms/archlinux"
    client_id: "openid_matrix"
    client_secret: "{{ vault_matrix_openid_client_secret }}"
    scopes: ["openid", "profile", "email", "roles"]
    allow_existing_users: false
    enable_registration: true
    backchannel_logout_enabled: true
    user_mapping_provider:
      config:
        localpart_template: "{{ '{{ user.preferred_username }}' }}"
        display_name_template: "{{ '{{ user.name | default(user.preferred_username, true) }}' }}"
        email_template: "{{ '{{ user.email }}' }}"
    attribute_requirements:
      - attribute: roles
        value: "Staff"

# Directories
user_directory:
    prefer_local_users: true
allow_public_rooms_without_auth: true
allow_public_rooms_over_federation: true
default_identity_server: https://matrix.org
account_threepid_delegates:
    msisdn: https://vector.im

# Federation
signing_key_path: "/etc/synapse/{{ matrix_server_name }}.signing.key"
trusted_key_servers:
  - server_name: "matrix.org"
suppress_key_server_warning: true

# Worker config
worker_app: synapse.app.homeserver
enable_media_repo: false
notify_appservices_from_worker: appservice
federation_sender_instances:
  - federation_sender
worker_replication_secret: "{{ vault_matrix_secrets.worker_replication_secret }}"
worker_log_config: "/etc/synapse/log_config.yaml"
redis:
  enabled: true
instance_map:
  main:
    host: 127.0.0.1
    port: 9093

# vim:set sw=2 sts=-1 et: