diff --git a/matrix/synapse/README.md b/matrix/synapse/README.md index 816908b..c93f3fe 100644 --- a/matrix/synapse/README.md +++ b/matrix/synapse/README.md @@ -146,7 +146,8 @@ This will ask for a password, choose a safe one. Logging is configured in `log.yaml`. Some logging should go to systemd, the more specific logging to Synapse's own logfile(s). -This part is yet to be completed. +This part is yet to be completed, the default configuration is adequate for +most cases. # Delegation and DNS {#Delegation} @@ -163,8 +164,7 @@ JSON-code under `https://example.com/.well-known/matrix/server`: ``` { - "m.homeserver": {"base_url": "https://matrix.example.com"}, - "org.matrix.msc3575.proxy": {"url": "https://matrix.example.com"} + "m.homeserver": {"base_url": "https://matrix.example.com"} } ``` @@ -280,7 +280,7 @@ password_config: policy: enabled: true localdb_enabled: true - pepper: CxDC6jU5FAxAcvD + pepper: minimum_length: 8 require_digit: true require_symbol: true @@ -311,7 +311,7 @@ password_providers: enabled: true uri: "ldap://ldap.example.com:389" start_tls: true - base: "ou=users,o=Example,dc=example,dc=com" + base: "ou=users,dc=example,dc=com" attributes: uid: "uid" mail: "mail" @@ -319,12 +319,12 @@ password_providers: filter: "(&(objectClass=posixAccount)(accountStatus=active))" mode: "search" - bind_dn: "cn=matrix,ou=service,o=Example,dc=example,dc=com" + bind_dn: "cn=matrix,ou=service,dc=example,dc=com" bind_password: "" ``` This would connect to ldap.example.com over TLS, and authenticate users that -live under `ou=users,o=Example,dc=example,dc=com` and that are active Posix +live under `ou=users,dc=example,dc=com` and that are active Posix accounts. Users will not be able to change their passwords via Matrix, they have to do that in LDAP. @@ -411,6 +411,10 @@ Check for more information about [how to configure the TURN server](../coturn) or [LiveKit](../element-call#livekit). You probably want LiveKit, but read on if you choose coturn. +It might be useful to use both coturn and LiveKit, so as to support both +legacy and EC calls, but you'd need to tweak the configurations so that they +don't bite each other. + Once you've set up your TURN server, configure it in Synapse, in `conf.d/turn.yaml`: @@ -446,9 +450,9 @@ Add this bit of info to `conf.d/server_notices.yaml`: server_notices: system_mxid_localpart: server system_mxid_display_name: "Server Notices" -# system_mxid_avatar_url: "mxc://matrixdev.example.com/QBBZcaxfrrpvreGeNhqRaCjG" +# system_mxid_avatar_url: "mxc://example.com/QBBZcaxfrrpvreGeNhqRaCjG" room_name: "Server Notices" -# room_avatar_url: "mxc://matrixdev.example.com/QBBZcaxfrrpvreGeNhqRaCjG" +# room_avatar_url: "mxc://example.com/QBBZcaxfrrpvreGeNhqRaCjG" room_topic: "Room used by your server admin to notice you of important information" auto_join: true @@ -464,7 +468,7 @@ Every user gets his own room, so if you send a server notice to 100 users, there will be (at least) 100 rooms by that name, all containing 1 user. The option `auto_join` means that users will automatically join the room as -soon as it's created. They can leave afterwards, but they'll put into it again +soon as it's created. They can leave afterwards, but they'll be put into it again as soon as they receive another server message. The two commented out options are the avatars for user and room. This is a bit @@ -480,6 +484,9 @@ the thumbnailer. Pictures in encrypted rooms are stored as MIME type [Homeserver Blocking](#blocking). Or, if you haven't defined a whitelist, at least an image mimetype... +Apparently this was a bug that's supposed to be fixed in Synapse 1.20, but we +haven't tested that yet. + You can find the ID of the picture in the database (table `local_media_repository`) or, more conveniently, in [Synapse-Admin](../synapse-admin), which is also where you'll want to go if you want to send a server notice. @@ -606,6 +613,24 @@ user_consent: messages yet. Please read and accept the policy at %(consent_uri)s. ``` +Last bit it to enable the consent tracking on all listeners where `client` is +active. We have only one listener, so we add `consent` to that: + +``` +listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + bind_addresses: ['::1', '127.0.0.1'] + resources: + - names: + - client + - consent + - federation + compress: false +``` + Restart Synapse for these changes to take effect. If you update your policy, you'll have to copy the current one to a new