diff --git a/matrix/synapse/README.md b/matrix/synapse/README.md index c52cb0a..fa8482b 100644 --- a/matrix/synapse/README.md +++ b/matrix/synapse/README.md @@ -183,40 +183,6 @@ and/or AAAA records in DNS, not CNAME. See [nginx](../nginx) for details about how to publish this data. -# Blacklists - -You don't want Synapse to try to contact certain IP-addresses, especially not -those that are unroutable or for special uses. Add these addresses to `ip_range_blacklist`, -in `conf.d/ip_range_blacklist.yaml`: - -``` -ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '192.0.0.0/24' - - '169.254.0.0/16' - - '192.88.99.0/24' - - '198.18.0.0/15' - - '192.0.2.0/24' - - '198.51.100.0/24' - - '203.0.113.0/24' - - '224.0.0.0/4' - - '::1/128' - - 'fe80::/10' - - 'fc00::/7' - - '2001:db8::/32' - - 'ff00::/8' - - 'fec0::/10' -``` - -You want to add addresses of malicious or otherwise unwanted machines to this -list too. See [Synapse's documentation](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=ip_range_blacklist#ip_range_blacklist) -for more information. - - # E-mail {#Email} Synapse should probably be able to send out e-mails; notifications for those @@ -307,7 +273,7 @@ Logging in can be done in basically two ways: an internal or external database. Let's start with the first: users and their passwords are stored in Synapse's database. -We use `conf.d/signon.yaml` to configure this stuff. +We use `conf.d/authentication.yaml` to configure this stuff. ``` password_config: 
@@ -358,5 +324,48 @@ live under `ou=users,o=Example,dc=example,dc=com` and that are active Posix accounts. Users will not be able to change their passwords via Matrix, they have to do that in LDAP. -(this setup has not been tested, although it borrows heavily from the current -ProcoliX setup). + +# Server configuration {#serverconfig} + +See [Define your homeserver name and other base options](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=require_auth_for_profile_requests#server) +in the Synapse documentation. + +It would be logical to put the next options under `conf.d/server.yaml`, but +Debian insists on `conf.d/server_name.yaml` existing and containing the name +of the domain. So we'll use that file for the next options as well. Add these +options: + +``` +presence: + enabled: true + include_offline_users_on_sync: false + +require_auth_for_profile_requests: true +allow_public_rooms_over_federation: true + +ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '192.0.0.0/24' + - '169.254.0.0/16' + - '192.88.99.0/24' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' + - '::1/128' + - 'fe80::/10' + - 'fc00::/7' + - '2001:db8::/32' + - 'ff00::/8' + - 'fec0::/10' + +filter_timeline_limit: 500 +``` + +These should be reasonable defaults, but do check the [Server block](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#server) +in Synapse's documentation for more options and information.
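Review bot: In the first hunk (`@@ -183,40 +183,6 @@`), deleting the Blacklists section also drops the only explanation of why `ip_range_blacklist` is set, along with the advice to add malicious or unwanted machines to it and the link to that option's documentation. The list comes back in the last hunk with no rationale at all. Carry those two explanatory sentences and the link over to the new Server configuration section. Also tell readers who already created `conf.d/ip_range_blacklist.yaml` from the old text to remove it, so the list is maintained in one file only.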
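Review bot: In the second hunk (`@@ -307,7 +273,7 @@`), the rename from `conf.d/signon.yaml` to `conf.d/authentication.yaml` has no migration hint, so anyone who followed the earlier README keeps the old file and may end up with `password_config` defined in both. Add a sentence saying the file was renamed and the existing one should be moved. Also check the rest of the README for remaining references to `signon.yaml`, since only this one occurrence is visible in the diff.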
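Review bot: In the last hunk (`@@ -358,5 +324,48 @@`), `allow_public_rooms_over_federation: true` is presented under "reasonable defaults" without comment, but it lets any other homeserver fetch this server's public room directory, and Synapse's own default for it is false. Either state that this is a deliberate choice and what it exposes, or leave the option out, especially as it sits right next to the restrictive `require_auth_for_profile_requests: true`. The same hunk also deletes the "(this setup has not been tested ...)" caveat from the LDAP section, which is unrelated to the new section: keep the caveat unless the LDAP setup has since been tested, and if it has, say so in the commit message.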