image:
  repository: tccr.io/truecharts/synapse
  pullPolicy: IfNotPresent
  tag: 1.82.0@sha256:ed16bd72a84769040c24c49311a587e1cbb066b49a141126b5e377e84552c0c4

command:
  - sh
  - -c
  - |
    exec python -B -m synapse.app.homeserver \
                -c /data/homeserver.yaml \
                -c /data/secret/secret.yaml \
                -c /data/custom.yaml

service:
  main:
    ports:
      main:
        port: 8008
        targetPort: 8008
  federation:
    enabled: true
    ports:
      federation:
        enabled: true
        port: 8448
        targetPort: 8008
  replication:
    enabled: true
    ports:
      replication:
        enabled: true
        port: 9092
        targetPort: 9092
  metrics:
    enabled: true
    ports:
      metrics:
        enabled: true
        port: 9093
        targetPort: 9090

securityContext:
  allowPrivilegeEscalation: true

secretEnv: {}

installContainers:
  generate-signing-key:
    image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
    env:
      - name: SYNAPSE_SERVER_NAME
        value: "{{ .Values.matrix.serverName }}"
      - name: SYNAPSE_REPORT_STATS
        value: "no"
    command: ["python"]
    args:
      - "-m"
      - "synapse.app.homeserver"
      - "--config-path"
      - "/data/homeserver.yaml"
      - "--config-path"
      - "/data/secret/secret.yaml"
      - "--config-path"
      - "/data/custom.yaml"
      - "--keys-directory"
      - "/data/keys"
      - "--generate-keys"
    volumeMounts:
      - name: config
        mountPath: /data
      - name: secret
        mountPath: /data/secret
      - name: key
        mountPath: /data/keys

env: {}

persistence:
  config:
    enabled: true
    type: configMap
    objectName: synapse-config
    mountPath: /data
    readOnly: false
  secret:
    enabled: true
    type: secret
    objectName: synapse-secret
    mountPath: /data/secret
    readOnly: false
  key:
    enabled: true
    mountPath: "/data/keys"
  media:
    enabled: true
    mountPath: "/data/media_store"
  uploads:
    enabled: true
    mountPath: "/uploads"

probes:
  liveness:
    path: /health

  readiness:
    path: /health

  startup:
    path: /health

# Synapse Kubernetes resource settings
synapse:
  loadCustomConfig: false
  # -- List of application config .yaml files to be loaded from /appConfig
  appConfig: []
  # Prometheus metrics for Synapse
  # https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md
  metrics:
    # Whether Synapse should capture metrics on an additional endpoint
    enabled: true
    # Port to listen on for metrics scraping
    port: 9092
    annotations: true

# Runtime configuration for Synapse and settings related to the Matrix protocol
matrix:
  # Manual overrides for homeserver.yaml, the main configuration file for Synapse
  # If homeserverOverride is set, the entirety of homeserver.yaml will be replaced with the contents.
  # If homeserverExtra is set, the contents will be appended to the end of the default configuration.
  # It is highly recommended that you take a look at the defaults in templates/synapse/_homeserver.yaml, to get a sense
  # of the requirements and default configuration options to use other services in this chart.
  # homeserverOverride: {}
  # homeserverExtra: {}

  # Domain name of the server
  # This is not necessarily the host name where the service is reachable. In fact, you may want to omit any subdomains
  # from this value as the server name set here will be the name of your homeserver in the fediverse, and will be the
  # domain name at the end of every user's username
  serverName: "example.com"

  urlPreviews:
    enabled: false

  # Hostname where Synapse can be reached.
  # This is *optional* if an Ingress is configured below. If hostname is unspecified, the Synapse hostname of the
  # Ingress will be used
  # hostname: "matrix.example.com"

  # Set to false to disable presence (online/offline indicators)
  presence: true

  # Set to true to block non-admins from inviting users to any rooms
  blockNonAdminInvites: false

  # Set to false to disable message searching
  search: true

  # Which types of rooms to enable end-to-end encryption on by default
  # off: none
  # invite: private messages, or rooms created with the private_chat or trusted_private_chat room preset
  # all: all rooms
  encryptByDefault: invite

  # Email address of the administrator
  adminEmail: "admin@example.com"

  # Settings related to image and multimedia uploads
  uploads:
    # Max upload size in bytes
    maxSize: 10M

    # Max image size in pixels
    maxPixels: 32M

  # Settings related to federation
  federation:
    # Set to false to disable federation and run an isolated homeserver
    enabled: true

    # Set to false to disallow members of other homeservers from fetching *public* rooms
    allowPublicRooms: true

    # Whitelist of domains to federate with (comment for all domains except blacklisted)
    # whitelist: []

    # IP addresses to blacklist federation requests to
    blacklist:
      - "127.0.0.0/8"
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
      - "100.64.0.0/10"
      - "169.254.0.0/16"
      - "::1/128"
      - "fe80::/64"
      - "fc00::/7"

  # User registration settings
  registration:
    # Allow new users to register an account
    enabled: false

    # If set, allows registration of standard or admin accounts by anyone who
    # has the shared secret, even if registration is otherwise disabled.
    #
    # sharedSecret: <PRIVATE STRING>

    # Allow users to join rooms as a guest
    allowGuests: false

    # Required "3PIDs" - third-party identifiers such as email or msisdn (SMS)
    # required3Pids:
    #   - email
    #   - msisdn

    # Rooms to automatically join all new users to
    autoJoinRooms: []
    # - "#welcome:example.com"

  # How long to keep redacted events in unredacted form in the database
  retentionPeriod: 7d

  security:
    # This disables the warning that is emitted when the
    # trustedKeyServers include 'matrix.org'. See below.
    # Set to false to re-enable the warning.
    #
    surpressKeyServerWarning: true

    # The trusted servers to download signing keys from.
    #
    # When we need to fetch a signing key, each server is tried in parallel.
    #
    # Normally, the connection to the key server is validated via TLS certificates.
    # Additional security can be provided by configuring a `verify key`, which
    # will make synapse check that the response is signed by that key.
    #
    # This setting supercedes an older setting named `perspectives`. The old format
    # is still supported for backwards-compatibility, but it is deprecated.
    #
    # 'trustedKeyServers' defaults to matrix.org, but using it will generate a
    # warning on start-up. To suppress this warning, set
    # 'surpressKeyServerWarning' to true.
    #
    # Options for each entry in the list include:
    #
    #    serverName: the name of the server. required.
    #
    #    verifyKeys: an optional map from key id to base64-encoded public key.
    #       If specified, we will check that the response is signed by at least
    #       one of the given keys.
    #
    #    acceptKeysInsecurely: a boolean. Normally, if `verify_keys` is unset,
    #       and federation_verify_certificates is not `true`, synapse will refuse
    #       to start, because this would allow anyone who can spoof DNS responses
    #       to masquerade as the trusted key server. If you know what you are doing
    #       and are sure that your network environment provides a secure connection
    #       to the key server, you can set this to `true` to override this
    #       behaviour.
    #
    # An example configuration might look like:
    #
    # trustedKeyServers:
    #   - serverName: my_trusted_server.example.com
    #     verifyKeys:
    #       - id: "ed25519:auto"
    #         key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
    #     acceptKeysInsecurely: false
    #   - serverName: my_other_trusted_server.example.com

  # Set to true to globally block access to the homeserver
  disabled: false
  # Human readable reason for why the homeserver is blocked
  disabledMessage: ""

  logging:
    # Root log level is the default log level for log outputs that do not have more
    # specific settings.
    rootLogLevel: WARNING
    # beware: increasing this to DEBUG will make synapse log sensitive
    # information such as access tokens.
    sqlLogLevel: WARNING
    # The log level for the synapse server
    synapseLogLevel: WARNING

# Settings for email notifications
mail:
  # Set to false to disable all email notifications
  # NOTE: If enabled, either enable the Exim relay or configure an external mail server below
  enabled: false
  # Name and email address for outgoing mail
  from: "Matrix <matrix@example.com>"
  # Optional: Element instance URL.
  # If the ingress is enabled, this is unnecessary.
  # If the ingress is disabled and this is left unspecified, emails will contain a link to https://app.element.io
  riotUrl: ""

  host: ""
  # -- Sets the smtp port
  # SSL: 465, STARTTLS: 587
  port: 25
  username: ""
  password: ""
  requireTransportSecurity: true

coturn:
  enabled: false

# Enabled postgres
postgresql:
  env:
    POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
  enabled: true
  existingSecret: "dbcreds"
  postgresqlUsername: synapse
  postgresqlDatabase: synapse

portal:
  enabled: true