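---
# Nomad job variables for a Matrix (Synapse + Element + synapse-admin) deployment.
# `[[ ... ]]` expressions are expanded by the job templating layer at render time;
# `{{ ... }}` expressions are left in place and evaluated later by consul-template / Vault.
#
# NOTE(review): the nesting below was reconstructed from a copy of this file that had
# lost all indentation — verify the placement of the `vault`, `postgres`, `wait_for`,
# `resources`, `prometheus` and `volumes` stanzas against the templates that consume them.

# Name of the instance
instance: matrix

matrix:
  # Server name will determine your Matrix ID (@user:server_name), it cannot be changed later
  server_name: matrix.[[ .consul.domain ]]

  # The public URL where users should go to reach the web interface
  public_url: https://matrix.[[ .consul.domain ]]

  # Are guests allowed
  allow_guests: false

  # Consul settings, to connect to the postgres service
  consul:
    connect:
      upstreams:
        # Postgres is reached through the Connect sidecar; synapse.postgres.host/port
        # below point at this local bind
        - destination_name: postgres[[ .consul.suffix ]]
          local_bind_port: 5432

  # Synapse settings
  synapse:
    # Version of synapse
    version: 1.103.0

    # The docker image to use
    image: '[[ .docker.repo ]]matrix-synapse:[[ .matrix.synapse.version ]]-1'

    # Additional env vars to set in the container
    env: {}

    # You can define a custom yaml config which will be merged over the default one.
    # E.g., to set up OIDC auth:
    # config:
    #   oidc_providers:
    #     - idp_id: oidc
    #       idp_name: ACME
    #       issuer: https://sso.example.org
    #       client_id: matrix
    #       client_secret: '{{ with secret "kv/service/matrix" }}{{ .Data.data.oidc_secret }}{{ end }}'
    #       scope:
    #         - openid
    #         - email
    #         - profile
    #       user_mapping_provider:
    #         config:
    #           display_name_template: '{{"{{"}} user.name {{"}}"}}'
    #           email_template: '{{"{{"}} user.email {{"}}"}}'
    config: {}

    # URL preview settings
    url_preview:
      enabled: true
      # Address ranges the preview fetcher must never connect to (resolved addresses,
      # not just literal URLs). Keeping loopback, RFC1918, link-local and the other
      # reserved ranges here prevents URL previews from being used to probe internal
      # services from the Synapse host.
      ip_range_blacklist:
        - 127.0.0.0/8
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 100.64.0.0/10
        - 192.0.0.0/24
        - 169.254.0.0/16
        - 192.88.99.0/24
        - 198.18.0.0/15
        - 192.0.2.0/24
        - 198.51.100.0/24
        - 203.0.113.0/24
        - 224.0.0.0/4
        # IPv6 loopback, link-local, ULA, documentation and multicast ranges, as in
        # Synapse's default blacklist; without them an IPv6-reachable internal service
        # would not be covered by the IPv4 entries above. Quoted because a plain scalar
        # starting with ':' is fragile.
        - '::1/128'
        - 'fe80::/10'
        - 'fc00::/7'
        - '2001:db8::/32'
        - 'ff00::/8'
        - 'fec0::/10'
      url_blacklist:
        # Refuse URLs that carry credentials in the authority part
        - username: '*'
        # Refuse URLs whose host is a bare dotted-quad IPv4 literal (IPv6 literals are
        # not matched by this pattern and rely on ip_range_blacklist above)
        - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

    vault:
      # Vault policies
      policies:
        - '[[ .instance ]]-synapse[[ .consul.suffix ]]'
      # Random secrets to generate and store in vault KV
      rand_secrets:
        fields:
          - macaroon_secret_key
          - form_secret
      database:
        role: '[[ .instance ]]-synapse'
        pgrole: '[[ .instance ]]-synapse'

    # Postgres database to use (reached via the Consul Connect upstream defined above).
    # Credentials are short-lived ones issued by Vault's database secrets engine at
    # render time, so no static password lives in this file.
    postgres:
      host: 127.0.0.1
      port: 5432
      database: '[[ .instance ]]-synapse'
      user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.username }}{{ end }}'
      password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.password }}{{ end }}'

    # Wait for the postgres service to be ready before starting
    wait_for:
      - service: postgres[[ .consul.suffix ]]

    # Resource allocation
    resources:
      cpu: 500
      memory: 384

    prometheus:
      metrics_url: http://127.0.0.1:9000/_synapse/metrics

  # Element settings.
  # Note : element will be served by the nginx container, so all the image, resources etc. are set there
  element:
    # NOTE(review): the query string embeds a MapTiler API key that is shipped to every
    # browser loading Element — confirm it is a key you control and that it is restricted
    # to this deployment's origin, rather than a shared/default key.
    map_style_url: https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx
    version: 1.11.63

  synapse_admin:
    version: 0.9.1

  # Nginx will serve static files (well-known, element, synapse-admin), and proxy requests to synapse
  nginx:
    # The image to use
    image: '[[ .docker.repo ]]matrix-element:[[ .matrix.element.version ]]-1'

    # Resource allocation
    resources:
      cpu: 20
      memory: 16

    # Traefik settings, to expose the service
    traefik:
      enabled: true

      # Element will need some custom CSP. Each value is the directive's source list;
      # single quotes around 'self' are part of the CSP grammar, hence the double quotes.
      csp:
        script-src: "'self' https://usercontent.riot.im https://scalar.vector.im"
        worker-src: "'self' blob:"
        connect-src: "'self' https://scalar.vector.im https://api.maptiler.com"
        img-src: "'self' data: blob: https://img.youtube.com https://*.ytimg.com"
        frame-src: "'self' blob: https://scalar.vector.im/ https://meet.element.io"

      auto_rule: false

    # Admin will apply to requests directed to /_admin/ (synapse-admin) and /_synapse/admin (admin API)
    # so you can restrict it further
    admin:
      traefik:
        auto_rule: false
        router: admin

  # Volumes used for data persistence
  volumes:
    # Synapse will use this volume to store media, signing keys etc.
    data:
      type: csi
      source: "[[ .instance ]]-synapse-data"

prometheus:
  # Enable prometheus metrics if available
  enabled: '[[ .prometheus.available ]]'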