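---
# Values for a Matrix deployment (Synapse, Element web, Synapse Admin, nginx).
# Structure reconstructed from a whitespace-mangled paste; nesting of the
# traefik/admin/synapse_admin routers under nginx is inferred — confirm against
# the consuming templates.
# `[[ ... ]]` are template placeholders expanded at render time;
# `{{ ... }}` are consul-template/Vault expressions expanded at runtime.

# Name of the instance
instance: matrix

matrix:
  # Server name will determine your Matrix ID (@user:server_name), it cannot be changed later
  server_name: matrix.[[ .consul.domain ]]
  # The public URL where users should go to reach the web interface
  public_url: https://matrix.[[ .consul.domain ]]
  # Are guests allowed
  allow_guests: false

  # Consul settings, to connect to the postgres service
  consul:
    connect:
      upstreams:
        - destination_name: postgres[[ .consul.suffix ]]
          local_bind_port: 5432

  # Synapse settings
  synapse:
    # Version of synapse
    version: 1.107.0
    # The docker image to use
    image: '[[ .docker.repo ]]matrix-synapse:[[ .matrix.synapse.version ]]-1'
    # Additional env vars to set in the container
    env: {}
    # You can define a custom yaml config which will be merged over the default one.
    # Eg, to setup OIDC auth
    # config:
    #   oidc_providers:
    #     - idp_id: oidc
    #       idp_name: ACME
    #       issuer: https://sso.example.org
    #       client_id: matrix
    #       client_secret: '{{ with secret "kv/service/matrix" }}{{ .Data.data.oidc_secret }}{{ end }}'
    #       scope:
    #         - openid
    #         - email
    #         - profile
    #       user_mapping_provider:
    #         config:
    #           display_name_template: '{{"{{"}} user.name {{"}}"}}'
    #           email_template: '{{"{{"}} user.email {{"}}"}}'
    config: {}

    # URL preview settings
    url_preview:
      enabled: true
      # Address ranges the URL previewer must never fetch from. Previews are
      # generated for user-supplied URLs, so this list is the guard against
      # reaching internal services (SSRF). Setting it here replaces Synapse's
      # built-in default rather than extending it, so the IPv6 loopback,
      # link-local, ULA and multicast ranges are listed explicitly too.
      ip_range_blacklist:
        - 127.0.0.0/8
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 100.64.0.0/10
        - 192.0.0.0/24
        - 169.254.0.0/16
        - 192.88.99.0/24
        - 198.18.0.0/15
        - 192.0.2.0/24
        - 198.51.100.0/24
        - 203.0.113.0/24
        - 224.0.0.0/4
        - '::1/128'
        - 'fe80::/10'
        - 'fc00::/7'
        - '2001:db8::/32'
        - 'ff00::/8'
        - 'fec0::/10'
      # Never preview URLs carrying a username, or whose host is a bare IPv4 address
      url_blacklist:
        - username: '*'
        - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

    vault:
      # Vault policies
      policies:
        - '[[ .instance ]]-synapse[[ .consul.suffix ]]'
      # Random secrets to generate and store in vault KV
      rand_secrets:
        fields:
          - macaroon_secret_key
          - form_secret
      database:
        role: '[[ .instance ]]-synapse'
        pgrole: '[[ .instance ]]-synapse'

    # Postgres database to use (reached through the Consul Connect upstream above)
    postgres:
      host: 127.0.0.1
      port: 5432
      database: '[[ .instance ]]-synapse'
      # Credentials are dynamic, issued by Vault's database secrets engine at render time
      user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.username }}{{ end }}'
      password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.password }}{{ end }}'

    # Wait for the postgres service to be ready before starting
    wait_for:
      - service: postgres[[ .consul.suffix ]]

    # Resource allocation
    resources:
      cpu: 500
      memory: 384

    prometheus:
      metrics_url: http://127.0.0.1:9000/_synapse/metrics

  # Element settings.
  # Note: element will be served by the nginx container, so all the image, resources etc. are set there
  element:
    # NOTE(review): this key is embedded in the client config served to every
    # browser, so it must be a public, rate-limited key and not an account
    # secret — confirm before deploying.
    map_style_url: https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx
    version: 1.11.66

  # Synapse Admin is the admin interface for Synapse
  synapse_admin:
    version: 0.10.1

  # Nginx will serve static files (well-known, element, synapse-admin), and proxy requests to synapse
  nginx:
    # The image to use
    image: '[[ .docker.repo ]]matrix-element:[[ .matrix.element.version ]]-1'
    # Resource allocation
    resources:
      cpu: 20
      memory: 16

    # Traefik settings, to expose the service
    traefik:
      enabled: true
      auto_rule: false
      # Element will need some custom CSP
      csp:
        script-src: "'self' 'unsafe-eval' https://usercontent.riot.im https://scalar.vector.im"
        worker-src: "'self' blob:"
        connect-src: "'self' https://scalar.vector.im https://vector.im https://api.maptiler.com"
        img-src: "'self' data: blob: https://img.youtube.com https://*.ytimg.com"
        frame-src: "'self' blob: https://scalar.vector.im/ https://meet.element.io"

    # Admin will apply to requests directed to /_synapse/admin (admin API)
    # so you can restrict it further
    admin:
      traefik:
        auto_rule: false
        router: admin

    # Synapse admin
    synapse_admin:
      traefik:
        auto_rule: false
        router: synapse-admin
        csp:
          script-src: "'self' 'unsafe-inline'"

  # Volumes used for data persistence
  volumes:
    # Synapse will use this volume to store media, signing keys etc.
    data:
      type: csi
      source: "[[ .instance ]]-synapse-data"

  prometheus:
    # Enable prometheus metrics if available
    enabled: '[[ .prometheus.available ]]'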