318 lines
9.1 KiB
YAML
318 lines
9.1 KiB
YAML
image:
|
|
repository: matrixdotorg/synapse
|
|
pullPolicy: IfNotPresent
|
|
tag: v1.56.0
|
|
|
|
command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
exec python -B -m synapse.app.homeserver \
|
|
-c /data/homeserver.yaml \
|
|
-c /data/secret/secret.yaml \
|
|
-c /data/custom.yaml
|
|
|
|
service:
|
|
main:
|
|
ports:
|
|
main:
|
|
port: 8008
|
|
targetPort: 8008
|
|
federation:
|
|
enabled: true
|
|
ports:
|
|
federation:
|
|
enabled: true
|
|
port: 8448
|
|
targetPort: 8008
|
|
replication:
|
|
enabled: true
|
|
ports:
|
|
replication:
|
|
enabled: true
|
|
port: 9092
|
|
targetPort: 9092
|
|
metrics:
|
|
enabled: true
|
|
ports:
|
|
metrics:
|
|
enabled: true
|
|
port: 9093
|
|
targetPort: 9090
|
|
|
|
securityContext:
|
|
allowPrivilegeEscalation: true
|
|
|
|
secret: {}
|
|
|
|
installContainers:
|
|
generate-signing-key:
|
|
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
|
env:
|
|
- name: SYNAPSE_SERVER_NAME
|
|
value: "{{ .Values.matrix.serverName }}"
|
|
- name: SYNAPSE_REPORT_STATS
|
|
value: "no"
|
|
command: ["python"]
|
|
args:
|
|
- "-m"
|
|
- "synapse.app.homeserver"
|
|
- "--config-path"
|
|
- "/data/homeserver.yaml"
|
|
- "--config-path"
|
|
- "/data/secret/secret.yaml"
|
|
- "--config-path"
|
|
- "/data/custom.yaml"
|
|
- "--keys-directory"
|
|
- "/data/keys"
|
|
- "--generate-keys"
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /data
|
|
- name: secret
|
|
mountPath: /data/secret
|
|
- name: key
|
|
mountPath: /data/keys
|
|
|
|
env: {}
|
|
|
|
persistence:
|
|
config:
|
|
enabled: true
|
|
type: configMap
|
|
objectName: synapse-config
|
|
mountPath: /data
|
|
readOnly: false
|
|
secret:
|
|
enabled: true
|
|
type: secret
|
|
objectName: synapse-secret
|
|
mountPath: /data/secret
|
|
readOnly: false
|
|
key:
|
|
enabled: true
|
|
mountPath: "/data/keys"
|
|
media:
|
|
enabled: true
|
|
mountPath: "/data/media_store"
|
|
uploads:
|
|
enabled: true
|
|
mountPath: "/uploads"
|
|
|
|
probes:
|
|
liveness:
|
|
path: /health
|
|
|
|
readiness:
|
|
path: /health
|
|
|
|
startup:
|
|
path: /health
|
|
|
|
# Synapse Kubernetes resource settings
|
|
synapse:
|
|
loadCustomConfig: false
|
|
# -- List of application config .yaml files to be loaded from /appConfig
|
|
appConfig: []
|
|
# Prometheus metrics for Synapse
|
|
# https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md
|
|
metrics:
|
|
# Whether Synapse should capture metrics on an additional endpoint
|
|
enabled: true
|
|
# Port to listen on for metrics scraping
|
|
port: 9092
|
|
annotations: true
|
|
|
|
# Runtime configuration for Synapse and settings related to the Matrix protocol
|
|
matrix:
|
|
# Manual overrides for homeserver.yaml, the main configuration file for Synapse
|
|
# If homeserverOverride is set, the entirety of homeserver.yaml will be replaced with the contents.
|
|
# If homeserverExtra is set, the contents will be appended to the end of the default configuration.
|
|
# It is highly recommended that you take a look at the defaults in templates/synapse/_homeserver.yaml, to get a sense
|
|
# of the requirements and default configuration options to use other services in this chart.
|
|
# homeserverOverride: {}
|
|
# homeserverExtra: {}
|
|
|
|
# Domain name of the server
|
|
# This is not necessarily the host name where the service is reachable. In fact, you may want to omit any subdomains
|
|
# from this value as the server name set here will be the name of your homeserver in the fediverse, and will be the
|
|
# domain name at the end of every user's username
|
|
serverName: "example.com"
|
|
|
|
urlPreviews:
|
|
enabled: false
|
|
|
|
# Hostname where Synapse can be reached.
|
|
# This is *optional* if an Ingress is configured below. If hostname is unspecified, the Synapse hostname of the
|
|
# Ingress will be used
|
|
# hostname: "matrix.example.com"
|
|
|
|
# Set to false to disable presence (online/offline indicators)
|
|
presence: true
|
|
|
|
# Set to true to block non-admins from inviting users to any rooms
|
|
blockNonAdminInvites: false
|
|
|
|
# Set to false to disable message searching
|
|
search: true
|
|
|
|
# Which types of rooms to enable end-to-end encryption on by default
|
|
# off: none
|
|
# invite: private messages, or rooms created with the private_chat or trusted_private_chat room preset
|
|
# all: all rooms
|
|
encryptByDefault: invite
|
|
|
|
# Email address of the administrator
|
|
adminEmail: "admin@example.com"
|
|
|
|
# Settings related to image and multimedia uploads
|
|
uploads:
|
|
# Max upload size in bytes
|
|
maxSize: 10M
|
|
|
|
# Max image size in pixels
|
|
maxPixels: 32M
|
|
|
|
# Settings related to federation
|
|
federation:
|
|
# Set to false to disable federation and run an isolated homeserver
|
|
enabled: true
|
|
|
|
# Set to false to disallow members of other homeservers from fetching *public* rooms
|
|
allowPublicRooms: true
|
|
|
|
# Whitelist of domains to federate with (comment for all domains except blacklisted)
|
|
# whitelist: []
|
|
|
|
# IP addresses to blacklist federation requests to
|
|
blacklist:
|
|
- '127.0.0.0/8'
|
|
- '10.0.0.0/8'
|
|
- '172.16.0.0/12'
|
|
- '192.168.0.0/16'
|
|
- '100.64.0.0/10'
|
|
- '169.254.0.0/16'
|
|
- '::1/128'
|
|
- 'fe80::/64'
|
|
- 'fc00::/7'
|
|
|
|
# User registration settings
|
|
registration:
|
|
# Allow new users to register an account
|
|
enabled: false
|
|
|
|
# If set, allows registration of standard or admin accounts by anyone who
|
|
# has the shared secret, even if registration is otherwise disabled.
|
|
#
|
|
# sharedSecret: <PRIVATE STRING>
|
|
|
|
# Allow users to join rooms as a guest
|
|
allowGuests: false
|
|
|
|
# Required "3PIDs" - third-party identifiers such as email or msisdn (SMS)
|
|
# required3Pids:
|
|
# - email
|
|
# - msisdn
|
|
|
|
# Rooms to automatically join all new users to
|
|
autoJoinRooms: []
|
|
# - "#welcome:example.com"
|
|
|
|
# How long to keep redacted events in unredacted form in the database
|
|
retentionPeriod: 7d
|
|
|
|
security:
|
|
|
|
# This disables the warning that is emitted when the
|
|
# trustedKeyServers include 'matrix.org'. See below.
|
|
# Set to false to re-enable the warning.
|
|
#
|
|
surpressKeyServerWarning: true
|
|
|
|
# The trusted servers to download signing keys from.
|
|
#
|
|
# When we need to fetch a signing key, each server is tried in parallel.
|
|
#
|
|
# Normally, the connection to the key server is validated via TLS certificates.
|
|
# Additional security can be provided by configuring a `verify key`, which
|
|
# will make synapse check that the response is signed by that key.
|
|
#
|
|
# This setting supercedes an older setting named `perspectives`. The old format
|
|
# is still supported for backwards-compatibility, but it is deprecated.
|
|
#
|
|
# 'trustedKeyServers' defaults to matrix.org, but using it will generate a
|
|
# warning on start-up. To suppress this warning, set
|
|
# 'surpressKeyServerWarning' to true.
|
|
#
|
|
# Options for each entry in the list include:
|
|
#
|
|
# serverName: the name of the server. required.
|
|
#
|
|
# verifyKeys: an optional map from key id to base64-encoded public key.
|
|
# If specified, we will check that the response is signed by at least
|
|
# one of the given keys.
|
|
#
|
|
# acceptKeysInsecurely: a boolean. Normally, if `verify_keys` is unset,
|
|
# and federation_verify_certificates is not `true`, synapse will refuse
|
|
# to start, because this would allow anyone who can spoof DNS responses
|
|
# to masquerade as the trusted key server. If you know what you are doing
|
|
# and are sure that your network environment provides a secure connection
|
|
# to the key server, you can set this to `true` to override this
|
|
# behaviour.
|
|
#
|
|
# An example configuration might look like:
|
|
#
|
|
# trustedKeyServers:
|
|
# - serverName: my_trusted_server.example.com
|
|
# verifyKeys:
|
|
# - id: "ed25519:auto"
|
|
# key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
|
|
# acceptKeysInsecurely: false
|
|
# - serverName: my_other_trusted_server.example.com
|
|
|
|
# Set to true to globally block access to the homeserver
|
|
disabled: false
|
|
# Human readable reason for why the homeserver is blocked
|
|
disabledMessage: ""
|
|
|
|
logging:
|
|
# Root log level is the default log level for log outputs that do not have more
|
|
# specific settings.
|
|
rootLogLevel: WARNING
|
|
# beware: increasing this to DEBUG will make synapse log sensitive
|
|
# information such as access tokens.
|
|
sqlLogLevel: WARNING
|
|
# The log level for the synapse server
|
|
synapseLogLevel: WARNING
|
|
|
|
|
|
# Settings for email notifications
|
|
mail:
|
|
# Set to false to disable all email notifications
|
|
# NOTE: If enabled, either enable the Exim relay or configure an external mail server below
|
|
enabled: false
|
|
# Name and email address for outgoing mail
|
|
from: "Matrix <matrix@example.com>"
|
|
# Optional: Element instance URL.
|
|
# If the ingress is enabled, this is unnecessary.
|
|
# If the ingress is disabled and this is left unspecified, emails will contain a link to https://app.element.io
|
|
riotUrl: ""
|
|
|
|
host: ""
|
|
port: 25 # SSL: 465, STARTTLS: 587
|
|
username: ""
|
|
password: ""
|
|
requireTransportSecurity: true
|
|
|
|
coturn:
|
|
enabled: false
|
|
|
|
# Enabled postgres
|
|
postgresql:
|
|
env:
|
|
POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
|
|
enabled: true
|
|
existingSecret: "dbcreds"
|
|
postgresqlUsername: synapse
|
|
postgresqlDatabase: synapse
|