matrix/variables.yml


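---
# Name of the instance. It is used as the prefix for the Vault policy, the
# database role, the database name and the data volume declared below.
instance: matrix

matrix:
  # Server name determines Matrix IDs (@user:server_name); it cannot be
  # changed later without invalidating every existing user ID.
  server_name: matrix.[[ .consul.domain ]]
  # The public URL users should go to in order to reach the web interface
  public_url: https://matrix.[[ .consul.domain ]]
  # Are guests allowed. Keep this false unless guest access is a requirement:
  # guests need no account, which makes them a common abuse vector.
  allow_guests: false

  # Consul Connect settings, to reach the postgres service through the sidecar
  consul:
    connect:
      upstreams:
        - destination_name: postgres[[ .consul.suffix ]]
          local_bind_port: 5432

  # Synapse settings
  synapse:
    # Version of synapse
    version: 1.106.0
    # The docker image to use.
    # NOTE(review): the tag is mutable; for a reproducible build consider
    # pinning the image by digest (image@sha256:...) in addition to the tag.
    image: '[[ .docker.repo ]]matrix-synapse:[[ .matrix.synapse.version ]]-1'
    # Additional env vars to set in the container
    env: {}
    # You can define a custom yaml config which will be merged over the
    # default one. Secrets must be pulled from Vault at render time, as in the
    # example, and never written here in clear.
    # Eg, to set up OIDC auth:
    # config:
    #   oidc_providers:
    #     - idp_id: oidc
    #       idp_name: ACME
    #       issuer: https://sso.example.org
    #       client_id: matrix
    #       client_secret: '{{ with secret "kv/service/matrix" }}{{ .Data.data.oidc_secret }}{{ end }}'
    #       scope:
    #         - openid
    #         - email
    #         - profile
    #       user_mapping_provider:
    #         config:
    #           # {{"{{"}} ... {{"}}"}} emits literal braces, so the template
    #           # engine leaves the Jinja expression for Synapse to evaluate
    #           display_name_template: '{{"{{"}} user.name {{"}}"}}'
    #           email_template: '{{"{{"}} user.email {{"}}"}}'
    config: {}

    # URL preview settings. Synapse fetches URLs posted by users to build
    # previews, so this is an SSRF surface: every address range the homeserver
    # must not reach on behalf of a user has to be listed here.
    url_preview:
      enabled: true
      # Ranges the previewer must never connect to. Private, link-local,
      # CGNAT, documentation and multicast ranges, plus the IPv6 counterparts:
      # an IPv4-only list leaves the internal network reachable over IPv6 as
      # soon as the host has an IPv6 route.
      ip_range_blacklist:
        - 127.0.0.0/8
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 100.64.0.0/10
        - 192.0.0.0/24
        - 169.254.0.0/16
        - 192.88.99.0/24
        - 198.18.0.0/15
        - 192.0.2.0/24
        - 198.51.100.0/24
        - 203.0.113.0/24
        - 224.0.0.0/4
        # IPv6: loopback, link-local, unique-local, documentation, multicast, site-local
        - '::1/128'
        - 'fe80::/10'
        - 'fc00::/7'
        - '2001:db8::/32'
        - 'ff00::/8'
        - 'fec0::/10'
      # Second line of defence, matched on the URL text itself: reject URLs
      # that carry credentials, and hosts given as a bare IP literal (IPv4 or
      # bracketed IPv6, with or without an explicit port) so users cannot
      # address internal services directly.
      url_blacklist:
        - username: '*'
        - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$'
        - netloc: '^\[[0-9a-fA-F:.]+\](:[0-9]+)?$'

    vault:
      # Vault policies attached to the task
      policies:
        - '[[ .instance ]]-synapse[[ .consul.suffix ]]'
      # Random secrets to generate and store in the Vault KV.
      # NOTE(review): these are signing secrets; rotating them invalidates
      # whatever Synapse has currently signed with them, so generate once and keep.
      rand_secrets:
        fields:
          - macaroon_secret_key
          - form_secret
      # Vault database role issuing the dynamic postgres credentials used below
      database:
        role: '[[ .instance ]]-synapse'
        pgrole: '[[ .instance ]]-synapse'

    # Postgres database to use. host/port are the local Connect sidecar
    # binding declared above, not the postgres server itself; user/password
    # are leased from Vault at render time instead of being static secrets.
    postgres:
      host: 127.0.0.1
      port: 5432
      database: '[[ .instance ]]-synapse'
      user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.username }}{{ end }}'
      password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.password }}{{ end }}'
    # Wait for the postgres service to be ready before starting
    wait_for:
      - service: postgres[[ .consul.suffix ]]
    # Resource allocation
    resources:
      cpu: 500
      memory: 384
    prometheus:
      # Metrics listener on loopback; keep /_synapse/metrics off any public router.
      metrics_url: http://127.0.0.1:9000/_synapse/metrics

  # Element settings.
  # Note: element is served by the nginx container, so the image, resources
  # etc. are set there
  element:
    # Map tiles for location sharing. NOTE(review): this key looks like the
    # shared default from Element's sample config; it is public and can be
    # revoked or rate-limited at any time. Use a MapTiler key owned by this
    # deployment, ideally rendered from Vault like the OIDC secret above.
    map_style_url: https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx
    version: 1.11.66

  # Synapse Admin is the admin interface for Synapse
  synapse_admin:
    version: 0.10.1

  # Nginx serves static files (well-known, element, synapse-admin) and proxies
  # requests to synapse
  nginx:
    # The image to use
    image: '[[ .docker.repo ]]matrix-element:[[ .matrix.element.version ]]-1'
    # Resource allocation
    resources:
      cpu: 20
      memory: 16
    # Traefik settings, to expose the service
    traefik:
      enabled: true
      auto_rule: false
      # Element needs a custom CSP. Every third-party origin listed here is
      # trusted to run script, be framed or be fetched inside the client
      # (scalar.vector.im / usercontent.riot.im are Element's hosted
      # integration and user-content origins, as shipped in its defaults).
      # Review before adding more; drop the integration origins if
      # integrations are not used.
      csp:
        script-src: "'self' https://usercontent.riot.im https://scalar.vector.im"
        worker-src: "'self' blob:"
        connect-src: "'self' https://scalar.vector.im https://api.maptiler.com"
        img-src: "'self' data: blob: https://img.youtube.com https://*.ytimg.com"
        frame-src: "'self' blob: https://scalar.vector.im/ https://meet.element.io"
    # Admin applies to requests directed to /_synapse/admin (admin API),
    # so you can restrict it further. auto_rule is false, presumably so the
    # 'admin' router rule is written by hand: make sure that rule carries an
    # IP allowlist or auth middleware, otherwise the admin API is guarded by
    # the Synapse admin token alone.
    admin:
      traefik:
        auto_rule: false
        router: admin
    # Synapse admin UI
    synapse_admin:
      traefik:
        auto_rule: false
        router: synapse-admin
      csp:
        # 'unsafe-inline' switches off CSP's script protection for the admin
        # UI, so this page relies entirely on the router's access restriction.
        # Drop it (or move to a nonce/hash) if the synapse-admin build runs
        # without inline scripts.
        script-src: "'self' 'unsafe-inline'"

  # Volumes used for data persistence
  volumes:
    # Synapse uses this volume to store media, signing keys etc. Because it
    # holds the server signing keys, back it up and restrict access to it.
    data:
      type: csi
      source: "[[ .instance ]]-synapse-data"

  prometheus:
    # Enable prometheus metrics if available
    enabled: '[[ .prometheus.available ]]'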