sample_config.yaml

  # If unset, no displayname will be set.
  #
  #displayname_attribute: name

  # It is possible to configure Synapse to only allow logins if CAS attributes
  # match particular values. All of the keys in the mapping below must exist
  # and the values must match the given value. Alternately if the given value
  # is None then any value is allowed (the attribute just must exist).
  # All of the listed attributes must match for the login to be permitted.
  #
  #required_attributes:
  #  userGroup: "staff"
  #  department: None


# Additional settings to use with single-sign on systems such as OpenID Connect,
# SAML2 and CAS.
#
# Server admins can configure custom templates for pages related to SSO. See
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
#
sso:
    # A list of client URLs which are whitelisted so that the user does not
    # have to confirm giving access to their account to the URL. Any client
    # whose URL starts with an entry in the following list will not be subject
    # to an additional confirmation step after the SSO login is completed.
    #
    # WARNING: An entry such as "https://my.client" is insecure, because it
    # will also match "https://my.client.evil.site", exposing your users to
    # phishing attacks from evil.site. To avoid this, include a slash after the
    # hostname: "https://my.client/".
    #
    # The login fallback page (used by clients that don't natively support the
    # required login flows) is whitelisted in addition to any URLs in this list.
    #
    # By default, this list contains only the login fallback page.
    #
    #client_whitelist:
    #  - https://riot.im/develop
    #  - https://my.custom.client/

    # Uncomment to keep a user's profile fields in sync with information from
    # the identity provider. Currently only syncing the displayname is
    # supported. Fields are checked on every SSO login, and are updated
    # if necessary.
    #
    # Note that enabling this option will override user profile information,
    # regardless of whether users have opted-out of syncing that
    # information when first signing in. Defaults to false.
    #
    #update_profile_information: true


# JSON web token integration. The following settings can be used to make
# Synapse JSON web tokens for authentication, instead of its internal
# password database.
#
# Each JSON Web Token needs to contain a "sub" (subject) claim, which is
# used as the localpart of the mxid.
#
# Additionally, the expiration time ("exp"), not before time ("nbf"),
# and issued at ("iat") claims are validated if present.
#
# Note that this is a non-standard login type and client support is
# expected to be non-existent.
#
# See https://matrix-org.github.io/synapse/latest/jwt.html.
#
#jwt_config:
    # Uncomment the following to enable authorization using JSON web
    # tokens. Defaults to false.
    #
    #enabled: true

    # This is either the private shared secret or the public key used to
    # decode the contents of the JSON web token.
    #
    # Required if 'enabled' is true.
    #
    #secret: "provided-by-your-issuer"

    # The algorithm used to sign the JSON web token.
    #
    # Supported algorithms are listed at
    # https://pyjwt.readthedocs.io/en/latest/algorithms.html
    #
    # Required if 'enabled' is true.
    #
    #algorithm: "provided-by-your-issuer"

    # Name of the claim containing a unique identifier for the user.
    #
    # Optional, defaults to `sub`.
    #
    #subject_claim: "sub"

    # The issuer to validate the "iss" claim against.
    #
    # Optional, if provided the "iss" claim will be required and
    # validated for all JSON web tokens.
    #
    #issuer: "provided-by-your-issuer"

    # A list of audiences to validate the "aud" claim against.
    #
    # Optional, if provided the "aud" claim will be required and
    # validated for all JSON web tokens.
    #
    # Note that if the "aud" claim is included in a JSON web token then
    # validation will fail without configuring audiences.
    #
    #audiences:
    #    - "provided-by-your-issuer"


password_config:
   # Uncomment to disable password login
   #
   #enabled: false

   # Uncomment to disable authentication against the local password
   # database. This is ignored if `enabled` is false, and is only useful
   # if you have other password_providers.
   #
   #localdb_enabled: false

   # Uncomment and change to a secret random string for extra security.
   # DO NOT CHANGE THIS AFTER INITIAL SETUP!
   #
   #pepper: "EVEN_MORE_SECRET"

   # Define and enforce a password policy. Each parameter is optional.
   # This is an implementation of MSC2000.
   #
   policy:
      # Whether to enforce the password policy.
      # Defaults to 'false'.
      #
      #enabled: true

      # Minimum accepted length for a password.
      # Defaults to 0.
      #
      #minimum_length: 15

      # Whether a password must contain at least one digit.
      # Defaults to 'false'.
      #
      #require_digit: true

      # Whether a password must contain at least one symbol.
      # A symbol is any character that's not a number or a letter.
      # Defaults to 'false'.
      #
      #require_symbol: true

      # Whether a password must contain at least one lowercase letter.
      # Defaults to 'false'.
      #
      #require_lowercase: true

      # Whether a password must contain at least one uppercase letter.
      # Defaults to 'false'.
      #
      #require_uppercase: true

ui_auth:
    # The amount of time to allow a user-interactive authentication session
    # to be active.
    #
    # This defaults to 0, meaning the user is queried for their credentials
    # before every action, but this can be overridden to allow a single
    # validation to be re-used.  This weakens the protections afforded by
    # the user-interactive authentication process, by allowing for multiple
    # (and potentially different) operations to use the same validation session.
    #
    # This is ignored for potentially "dangerous" operations (including
    # deactivating an account, modifying an account password, and
    # adding a 3PID).
    #
    # Uncomment below to allow for credential validation to last for 15
    # seconds.
    #
    #session_timeout: "15s"


# Configuration for sending emails from Synapse.
#
# Server admins can configure custom templates for email content. See
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
#
email:
  # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
  #
  #smtp_host: mail.server

  # The port on the mail server for outgoing SMTP. Defaults to 25.
  #
  #smtp_port: 587

  # Username/password for authentication to the SMTP server. By default, no
  # authentication is attempted.
  #
  #smtp_user: "exampleusername"
  #smtp_pass: "examplepassword"

  # Uncomment the following to require TLS transport security for SMTP.
  # By default, Synapse will connect over plain text, and will then switch to
  # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
  # Synapse will refuse to connect unless the server supports STARTTLS.
  #
  #require_transport_security: true

  # Uncomment the following to disable TLS for SMTP.
  #
  # By default, if the server supports TLS, it will be used, and the server
  # must present a certificate that is valid for 'smtp_host'. If this option
  # is set to false, TLS will not be used.
  #
  #enable_tls: false

  # notif_from defines the "From" address to use when sending emails.
  # It must be set if email sending is enabled.
  #
  # The placeholder '%(app)s' will be replaced by the application name,
  # which is normally 'app_name' (below), but may be overridden by the
  # Matrix client application.
  #
  # Note that the placeholder must be written '%(app)s', including the
  # trailing 's'.
  #
  #notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"

  # app_name defines the default value for '%(app)s' in notif_from and email
  # subjects. It defaults to 'Matrix'.
  #
  #app_name: my_branded_matrix_server

  # Uncomment the following to enable sending emails for messages that the user
  # has missed. Disabled by default.
  #
  #enable_notifs: true

  # Uncomment the following to disable automatic subscription to email
  # notifications for new users. Enabled by default.
  #
  #notif_for_new_users: false

  # Custom URL for client links within the email notifications. By default
  # links will be based on "https://matrix.to".
  #
  # (This setting used to be called riot_base_url; the old name is still
  # supported for backwards-compatibility but is now deprecated.)
  #
  #client_base_url: "http://localhost/riot"

  # Configure the time that a validation email will expire after sending.
  # Defaults to 1h.
  #
  #validation_token_lifetime: 15m

  # The web client location to direct users to during an invite. This is passed
  # to the identity server as the org.matrix.web_client_location key. Defaults
  # to unset, giving no guidance to the identity server.
  #
  #invite_client_location: https://app.element.io

  # Subjects to use when sending emails from Synapse.
  #
  # The placeholder '%(app)s' will be replaced with the value of the 'app_name'
  # setting above, or by a value dictated by the Matrix client application.
  #
  # If a subject isn't overridden in this configuration file, the value used as
  # its example will be used.
  #
  #subjects:

    # Subjects for notification emails.
    #
    # On top of the '%(app)s' placeholder, these can use the following
    # placeholders:
    #
    #   * '%(person)s', which will be replaced by the display name of the user(s)
    #      that sent the message(s), e.g. "Alice and Bob".
    #   * '%(room)s', which will be replaced by the name of the room the
    #      message(s) have been sent to, e.g. "My super room".
    #
    # See the example provided for each setting to see which placeholder can be
    # used and how to use them.
    #
    # Subject to use to notify about one message from one or more user(s) in a
    # room which has a name.
    #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
    #
    # Subject to use to notify about one message from one or more user(s) in a
    # room which doesn't have a name.
    #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
    #
    # Subject to use to notify about multiple messages from one or more users in
    # a room which doesn't have a name.
    #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
    #
    # Subject to use to notify about multiple messages in a room which has a
    # name.
    #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
    #
    # Subject to use to notify about multiple messages in multiple rooms.
    #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
    #
    # Subject to use to notify about multiple messages from multiple persons in
    # multiple rooms. This is similar to the setting above except it's used when
    # the room in which the notification was triggered has no name.
    #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
    #
    # Subject to use to notify about an invite to a room which has a name.
    #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
    #
    # Subject to use to notify about an invite to a room which doesn't have a
    # name.
    #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."

    # Subject for emails related to account administration.
    #
    # On top of the '%(app)s' placeholder, these one can use the
    # '%(server_name)s' placeholder, which will be replaced by the value of the
    # 'server_name' setting in your Synapse configuration.
    #
    # Subject to use when sending a password reset email.
    #password_reset: "[%(server_name)s] Password reset"
    #
    # Subject to use when sending a verification email to assert an address's
    # ownership.
    #email_validation: "[%(server_name)s] Validate your email"



## Push ##

push:
  # Clients requesting push notifications can either have the body of
  # the message sent in the notification poke along with other details
  # like the sender, or just the event ID and room ID (`event_id_only`).
  # If clients choose the former, this option controls whether the
  # notification request includes the content of the event (other details
  # like the sender are still included). For `event_id_only` push, it
  # has no effect.
  #
  # For modern android devices the notification content will still appear
  # because it is loaded by the app. iPhone, however will send a
  # notification saying only that a message arrived and who it came from.
  #
  # The default value is "true" to include message details. Uncomment to only
  # include the event ID and room ID in push notification payloads.
  #
  #include_content: false

  # When a push notification is received, an unread count is also sent.
  # This number can either be calculated as the number of unread messages
  # for the user, or the number of *rooms* the user has unread messages in.
  #
  # The default value is "true", meaning push clients will see the number of
  # rooms with unread messages in them. Uncomment to instead send the number
  # of unread messages.
  #
  #group_unread_count_by_room: false


## Rooms ##

# Controls whether locally-created rooms should be end-to-end encrypted by
# default.
#
# Possible options are "all", "invite", and "off". They are defined as:
#
# * "all": any locally-created room
# * "invite": any room created with the "private_chat" or "trusted_private_chat"
#             room creation presets
# * "off": this option will take no effect
#
# The default value is "off".
#
# Note that this option will only affect rooms created after it is set. It
# will also not affect rooms created by other servers.
#
#encryption_enabled_by_default_for_room_type: invite


# Uncomment to allow non-server-admin users to create groups on this server
#
#enable_group_creation: true

# If enabled, non server admins can only create groups with local parts
# starting with this prefix
#
#group_creation_prefix: "unofficial_"



# User Directory configuration
#
user_directory:
    # Defines whether users can search the user directory. If false then
    # empty responses are returned to all queries. Defaults to true.
    #
    # Uncomment to disable the user directory.
    #
    #enabled: false

    # Defines whether to search all users visible to your HS when searching
    # the user directory. If false, search results will only contain users
    # visible in public rooms and users sharing a room with the requester.
    # Defaults to false.
    #
    # NB. If you set this to true, and the last time the user_directory search
    # indexes were (re)built was before Synapse 1.44, you'll have to
    # rebuild the indexes in order to search through all known users.
    # These indexes are built the first time Synapse starts; admins can
    # manually trigger a rebuild via API following the instructions at
    #     https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run
    #
    # Uncomment to return search results containing all known users, even if that
    # user does not share a room with the requester.
    #
    #search_all_users: true

    # Defines whether to prefer local users in search query results.
    # If True, local users are more likely to appear above remote users
    # when searching the user directory. Defaults to false.
    #
    # Uncomment to prefer local over remote users in user directory search
    # results.
    #
    #prefer_local_users: true


# User Consent configuration
#
# for detailed instructions, see
# https://matrix-org.github.io/synapse/latest/consent_tracking.html
#
# Parts of this section are required if enabling the 'consent' resource under
# 'listeners', in particular 'template_dir' and 'version'.
#
# 'template_dir' gives the location of the templates for the HTML forms.
# This directory should contain one subdirectory per language (eg, 'en', 'fr'),
# and each language directory should contain the policy document (named as
# '<version>.html') and a success page (success.html).
#
# 'version' specifies the 'current' version of the policy document. It defines
# the version to be served by the consent resource if there is no 'v'
# parameter.
#
# 'server_notice_content', if enabled, will send a user a "Server Notice"
# asking them to consent to the privacy policy. The 'server_notices' section
# must also be configured for this to work. Notices will *not* be sent to
# guest users unless 'send_server_notice_to_guests' is set to true.
#
# 'block_events_error', if set, will block any attempts to send events
# until the user consents to the privacy policy. The value of the setting is
# used as the text of the error.
#
# 'require_at_registration', if enabled, will add a step to the registration
# process, similar to how captcha works. Users will be required to accept the
# policy before their account is created.
#
# 'policy_name' is the display name of the policy users will see when registering
# for an account. Has no effect unless `require_at_registration` is enabled.
# Defaults to "Privacy Policy".
#
#user_consent:
#  template_dir: res/templates/privacy
#  version: 1.0
#  server_notice_content:
#    msgtype: m.text
#    body: >-
#      To continue using this homeserver you must review and agree to the
#      terms and conditions at %(consent_uri)s
#  send_server_notice_to_guests: true
#  block_events_error: >-
#    To continue using this homeserver you must review and agree to the
#    terms and conditions at %(consent_uri)s
#  require_at_registration: false
#  policy_name: Privacy Policy
#



# Settings for local room and user statistics collection. See
# https://matrix-org.github.io/synapse/latest/room_and_user_statistics.html.
#
stats:
  # Uncomment the following to disable room and user statistics. Note that doing
  # so may cause certain features (such as the room directory) not to work
  # correctly.
  #
  #enabled: false


# Server Notices room configuration
#
# Uncomment this section to enable a room which can be used to send notices
# from the server to users. It is a special room which cannot be left; notices
# come from a special "notices" user id.
#
# If you uncomment this section, you *must* define the system_mxid_localpart
# setting, which defines the id of the user which will be used to send the
# notices.
#
# It's also possible to override the room name, the display name of the
# "notices" user, and the avatar for the user.
#
#server_notices:
#  system_mxid_localpart: notices
#  system_mxid_display_name: "Server Notices"
#  system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
#  room_name: "Server Notices"



# Uncomment to disable searching the public room list. When disabled
# blocks searching local and remote room lists for local and remote
# users by always returning an empty list for all queries.
#
#enable_room_list_search: false

# The `alias_creation` option controls who's allowed to create aliases
# on this server.
#
# The format of this option is a list of rules that contain globs that
# match against user_id, room_id and the new alias (fully qualified with
# server name). The action in the first rule that matches is taken,
# which can currently either be "allow" or "deny".
#
# Missing user_id/room_id/alias fields default to "*".
#
# If no rules match the request is denied. An empty list means no one
# can create aliases.
#
# Options for the rules include:
#
#   user_id: Matches against the creator of the alias
#   alias: Matches against the alias being created
#   room_id: Matches against the room ID the alias is being pointed at
#   action: Whether to "allow" or "deny" the request if the rule matches
#
# The default is:
#
#alias_creation_rules:
#  - user_id: "*"
#    alias: "*"
#    room_id: "*"
#    action: allow

# The `room_list_publication_rules` option controls who can publish and
# which rooms can be published in the public room list.
#
# The format of this option is the same as that for
# `alias_creation_rules`.
#
# If the room has one or more aliases associated with it, only one of
# the aliases needs to match the alias rule. If there are no aliases
# then only rules with `alias: *` match.
#
# If no rules match the request is denied. An empty list means no one
# can publish rooms.
#
# Options for the rules include:
#
#   user_id: Matches against the creator of the alias
#   room_id: Matches against the room ID being published
#   alias: Matches against any current local or canonical aliases
#            associated with the room
#   action: Whether to "allow" or "deny" the request if the rule matches
#
# The default is:
#
#room_list_publication_rules:
#  - user_id: "*"
#    alias: "*"
#    room_id: "*"
#    action: allow


## Opentracing ##

# These settings enable opentracing, which implements distributed tracing.
# This allows you to observe the causal chains of events across servers
# including requests, key lookups etc., across any server running
# synapse or any other other services which supports opentracing
# (specifically those implemented with Jaeger).
#
opentracing:
    # tracing is disabled by default. Uncomment the following line to enable it.
    #
    #enabled: true

    # The list of homeservers we wish to send and receive span contexts and span baggage.
    # See https://matrix-org.github.io/synapse/latest/opentracing.html.
    #
    # This is a list of regexes which are matched against the server_name of the
    # homeserver.
    #
    # By default, it is empty, so no servers are matched.
    #
    #homeserver_whitelist:
    #  - ".*"

    # A list of the matrix IDs of users whose requests will always be traced,
    # even if the tracing system would otherwise drop the traces due to
    # probabilistic sampling.
    #
    # By default, the list is empty.
    #
    #force_tracing_for_users:
    #  - "@user1:server_name"
    #  - "@user2:server_name"

    # Jaeger can be configured to sample traces at different rates.
    # All configuration options provided by Jaeger can be set here.
    # Jaeger's configuration is mostly related to trace sampling which
    # is documented here:
    # https://www.jaegertracing.io/docs/latest/sampling/.
    #
    #jaeger_config:
    #  sampler:
    #    type: const
    #    param: 1
    #  logging:
    #    false


## Workers ##

# Disables sending of outbound federation transactions on the main process.
# Uncomment if using a federation sender worker.
#
#send_federation: false

# It is possible to run multiple federation sender workers, in which case the
# work is balanced across them.
#
# This configuration must be shared between all federation sender workers, and if
# changed all federation sender workers must be stopped at the same time and then
# started, to ensure that all instances are running with the same config (otherwise
# events may be dropped).
#
#federation_sender_instances:
#  - federation_sender1

# When using workers this should be a map from `worker_name` to the
# HTTP replication listener of the worker, if configured.
#
#instance_map:
#  worker1:
#    host: localhost
#    port: 8034

# Experimental: When using workers you can define which workers should
# handle event persistence and typing notifications. Any worker
# specified here must also be in the `instance_map`.
#
#stream_writers:
#  events: worker1
#  typing: worker1

# The worker that is used to run background tasks (e.g. cleaning up expired
# data). If not provided this defaults to the main process.
#
#run_background_tasks_on: worker1

# A shared secret used by the replication APIs to authenticate HTTP requests
# from workers.
#
# By default this is unused and traffic is not authenticated.
#
#worker_replication_secret: ""


# Configuration for Redis when using workers. This *must* be enabled when
# using workers (unless using old style direct TCP configuration).
#
redis:
  # Uncomment the below to enable Redis support.
  #
  #enabled: true

  # Optional host and port to use to connect to redis. Defaults to
  # localhost and 6379
  #
  #host: localhost
  #port: 6379

  # Optional password if configured on the Redis instance
  #
  #password: <secret_password>