image: repository: matrixdotorg/synapse pullPolicy: IfNotPresent tag: v1.52.0 command: - sh - -c - | exec python -B -m synapse.app.homeserver \ -c /data/homeserver.yaml \ -c /data/secret/secret.yaml \ -c /data/custom.yaml service: main: ports: main: port: 8008 targetPort: 8008 federation: enabled: true ports: federation: enabled: true port: 8448 targetPort: 8008 replication: enabled: true ports: replication: enabled: true port: 9092 targetPort: 9092 metrics: enabled: true ports: metrics: enabled: true port: 9093 targetPort: 9090 securityContext: allowPrivilegeEscalation: true secret: {} installContainers: generate-signing-key: image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" env: - name: SYNAPSE_SERVER_NAME value: "{{ .Values.matrix.serverName }}" - name: SYNAPSE_REPORT_STATS value: "no" command: ["python"] args: - "-m" - "synapse.app.homeserver" - "--config-path" - "/data/homeserver.yaml" - "--config-path" - "/data/secret/secret.yaml" - "--config-path" - "/data/custom.yaml" - "--keys-directory" - "/data/keys" - "--generate-keys" volumeMounts: - name: config mountPath: /data - name: secret mountPath: /data/secret - name: key mountPath: /data/keys env: {} persistence: config: enabled: true type: configMap objectName: synapse-config mountPath: /data readOnly: false secret: enabled: true type: secret objectName: synapse-secret mountPath: /data/secret readOnly: false key: enabled: true mountPath: "/data/keys" media: enabled: true mountPath: "/data/media_store" uploads: enabled: true mountPath: "/uploads" probes: liveness: path: /health readiness: path: /health startup: path: /health # Synapse Kubernetes resource settings synapse: loadCustomConfig: false # -- List of application config .yaml files to be loaded from /appConfig appConfig: [] # Prometheus metrics for Synapse # https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md metrics: # Whether Synapse should capture metrics on an additional endpoint enabled: true # Port to listen on for metrics scraping port: 9092 annotations: true # Runtime configuration for Synapse and settings related to the Matrix protocol matrix: # Manual overrides for homeserver.yaml, the main configuration file for Synapse # If homeserverOverride is set, the entirety of homeserver.yaml will be replaced with the contents. # If homeserverExtra is set, the contents will be appended to the end of the default configuration. # It is highly recommended that you take a look at the defaults in templates/synapse/_homeserver.yaml, to get a sense # of the requirements and default configuration options to use other services in this chart. # homeserverOverride: {} # homeserverExtra: {} # Domain name of the server # This is not necessarily the host name where the service is reachable. In fact, you may want to omit any subdomains # from this value as the server name set here will be the name of your homeserver in the fediverse, and will be the # domain name at the end of every user's username serverName: "example.com" urlPreviews: enabled: false # Hostname where Synapse can be reached. # This is *optional* if an Ingress is configured below. If hostname is unspecified, the Synapse hostname of the # Ingress will be used # hostname: "matrix.example.com" # Set to false to disable presence (online/offline indicators) presence: true # Set to true to block non-admins from inviting users to any rooms blockNonAdminInvites: false # Set to false to disable message searching search: true # Which types of rooms to enable end-to-end encryption on by default # off: none # invite: private messages, or rooms created with the private_chat or trusted_private_chat room preset # all: all rooms encryptByDefault: invite # Email address of the administrator adminEmail: "admin@example.com" # Settings related to image and multimedia uploads uploads: # Max upload size in bytes maxSize: 10M # Max image size in pixels maxPixels: 32M # Settings related to federation federation: # Set to false to disable federation and run an isolated homeserver enabled: true # Set to false to disallow members of other homeservers from fetching *public* rooms allowPublicRooms: true # Whitelist of domains to federate with (comment for all domains except blacklisted) # whitelist: [] # IP addresses to blacklist federation requests to blacklist: - '127.0.0.0/8' - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' - '100.64.0.0/10' - '169.254.0.0/16' - '::1/128' - 'fe80::/64' - 'fc00::/7' # User registration settings registration: # Allow new users to register an account enabled: false # If set, allows registration of standard or admin accounts by anyone who # has the shared secret, even if registration is otherwise disabled. # # sharedSecret: # Allow users to join rooms as a guest allowGuests: false # Required "3PIDs" - third-party identifiers such as email or msisdn (SMS) # required3Pids: # - email # - msisdn # Rooms to automatically join all new users to autoJoinRooms: [] # - "#welcome:example.com" # How long to keep redacted events in unredacted form in the database retentionPeriod: 7d security: # This disables the warning that is emitted when the # trustedKeyServers include 'matrix.org'. See below. # Set to false to re-enable the warning. # surpressKeyServerWarning: true # The trusted servers to download signing keys from. # # When we need to fetch a signing key, each server is tried in parallel. # # Normally, the connection to the key server is validated via TLS certificates. # Additional security can be provided by configuring a `verify key`, which # will make synapse check that the response is signed by that key. # # This setting supercedes an older setting named `perspectives`. The old format # is still supported for backwards-compatibility, but it is deprecated. # # 'trustedKeyServers' defaults to matrix.org, but using it will generate a # warning on start-up. To suppress this warning, set # 'surpressKeyServerWarning' to true. # # Options for each entry in the list include: # # serverName: the name of the server. required. # # verifyKeys: an optional map from key id to base64-encoded public key. # If specified, we will check that the response is signed by at least # one of the given keys. # # acceptKeysInsecurely: a boolean. Normally, if `verify_keys` is unset, # and federation_verify_certificates is not `true`, synapse will refuse # to start, because this would allow anyone who can spoof DNS responses # to masquerade as the trusted key server. If you know what you are doing # and are sure that your network environment provides a secure connection # to the key server, you can set this to `true` to override this # behaviour. # # An example configuration might look like: # # trustedKeyServers: # - serverName: my_trusted_server.example.com # verifyKeys: # - id: "ed25519:auto" # key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" # acceptKeysInsecurely: false # - serverName: my_other_trusted_server.example.com # Set to true to globally block access to the homeserver disabled: false # Human readable reason for why the homeserver is blocked disabledMessage: "" logging: # Root log level is the default log level for log outputs that do not have more # specific settings. rootLogLevel: WARNING # beware: increasing this to DEBUG will make synapse log sensitive # information such as access tokens. sqlLogLevel: WARNING # The log level for the synapse server synapseLogLevel: WARNING # Settings for email notifications mail: # Set to false to disable all email notifications # NOTE: If enabled, either enable the Exim relay or configure an external mail server below enabled: false # Name and email address for outgoing mail from: "Matrix " # Optional: Element instance URL. # If the ingress is enabled, this is unnecessary. # If the ingress is disabled and this is left unspecified, emails will contain a link to https://app.element.io riotUrl: "" host: "" port: 25 # SSL: 465, STARTTLS: 587 username: "" password: "" requireTransportSecurity: true coturn: enabled: false # Enabled postgres postgresql: env: POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C" enabled: true existingSecret: "dbcreds" postgresqlUsername: synapse postgresqlDatabase: synapse