From 65e551b74b9bddbeb0475297f2ae1e6b4a09d003 Mon Sep 17 00:00:00 2001
From: Hans van Zijst <hans@procolix.com>
Date: Wed, 4 Dec 2024 10:00:45 +0100
Subject: [PATCH] Added to and polished Synapse configuration.

---
 matrix/synapse/README.md | 45 +++++++++++++++++++++++++++++++---------
 1 file changed, 35 insertions(+), 10 deletions(-)

diff --git a/matrix/synapse/README.md b/matrix/synapse/README.md
index 816908b..c93f3fe 100644
--- a/matrix/synapse/README.md
+++ b/matrix/synapse/README.md
@@ -146,7 +146,8 @@ This will ask for a password, choose a safe one.
 Logging is configured in `log.yaml`. Some logging should go to systemd, the
 more specific logging to Synapse's own logfile(s).
 
-This part is yet to be completed.
+This part is yet to be completed, the default configuration is adequate for
+most cases.
 
 # Delegation and DNS {#Delegation}
 
@@ -163,8 +164,7 @@ JSON-code under `https://example.com/.well-known/matrix/server`:
 
 ```
 {
-  "m.homeserver": {"base_url": "https://matrix.example.com"},
-  "org.matrix.msc3575.proxy": {"url": "https://matrix.example.com"}
+  "m.homeserver": {"base_url": "https://matrix.example.com"}
 }
 ```
 
@@ -280,7 +280,7 @@ password_config:
   policy:
     enabled: true
     localdb_enabled: true
-    pepper: CxDC6jU5FAxAcvD
+    pepper: <random string>
     minimum_length: 8
     require_digit: true
     require_symbol: true
@@ -311,7 +311,7 @@ password_providers:
       enabled: true
       uri: "ldap://ldap.example.com:389"
       start_tls: true
-      base: "ou=users,o=Example,dc=example,dc=com"
+      base: "ou=users,dc=example,dc=com"
       attributes:
          uid: "uid"
          mail: "mail"
@@ -319,12 +319,12 @@ password_providers:
       filter: "(&(objectClass=posixAccount)(accountStatus=active))"
 
       mode: "search"
-      bind_dn: "cn=matrix,ou=service,o=Example,dc=example,dc=com"
+      bind_dn: "cn=matrix,ou=service,dc=example,dc=com"
       bind_password: "<very secure password>"
 ```
 
 This would connect to ldap.example.com over TLS, and authenticate users that
-live under `ou=users,o=Example,dc=example,dc=com` and that are active Posix
+live under `ou=users,dc=example,dc=com` and that are active Posix
 accounts. Users will not be able to change their passwords via Matrix, they
 have to do that in LDAP.
 
@@ -411,6 +411,10 @@ Check for more information about [how to configure the TURN
 server](../coturn) or [LiveKit](../element-call#livekit). You probably want
 LiveKit, but read on if you choose coturn.
 
+It might be useful to use both coturn and LiveKit, so as to support both
+legacy and EC calls, but you'd need to tweak the configurations so that they
+don't bite each other.
+
 Once you've set up your TURN server, configure it in
 Synapse, in `conf.d/turn.yaml`:
 
@@ -446,9 +450,9 @@ Add this bit of info to `conf.d/server_notices.yaml`:
 server_notices:
   system_mxid_localpart: server
   system_mxid_display_name: "Server Notices"
-# system_mxid_avatar_url: "mxc://matrixdev.example.com/QBBZcaxfrrpvreGeNhqRaCjG"
+# system_mxid_avatar_url: "mxc://example.com/QBBZcaxfrrpvreGeNhqRaCjG"
   room_name: "Server Notices"
-# room_avatar_url: "mxc://matrixdev.example.com/QBBZcaxfrrpvreGeNhqRaCjG"
+# room_avatar_url: "mxc://example.com/QBBZcaxfrrpvreGeNhqRaCjG"
   room_topic: "Room used by your server admin to notice you of important
 information"
   auto_join: true
@@ -464,7 +468,7 @@ Every user gets his own room, so if you send a server notice to 100 users,
 there will be (at least) 100 rooms by that name, all containing 1 user.
 
 The option `auto_join` means that users will automatically join the room as
-soon as it's created. They can leave afterwards, but they'll put into it again
+soon as it's created. They can leave afterwards, but they'll be put into it again
 as soon as they receive another server message.
 
 The two commented out options are the avatars for user and room. This is a bit
@@ -480,6 +484,9 @@ the thumbnailer. Pictures in encrypted rooms are stored as MIME type
 [Homeserver Blocking](#blocking). Or, if you haven't defined a whitelist, at
 least an image mimetype...
 
+Apparently this was a bug that's supposed to be fixed in Synapse 1.20, but we
+haven't tested that yet.
+
 You can find the ID of the picture in the database (table `local_media_repository`)
 or, more conveniently, in [Synapse-Admin](../synapse-admin), which is also
 where you'll want to go if you want to send a server notice.
@@ -606,6 +613,24 @@ user_consent:
     messages yet. Please read and accept the policy at %(consent_uri)s.
 ```
 
+Last bit it to enable the consent tracking on all listeners where `client` is
+active. We have only one listener, so we add `consent` to that:
+
+```
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names:
+        - client
+        - consent
+        - federation
+        compress: false
+```
+
 Restart Synapse for these changes to take effect.
 
 If you update your policy, you'll have to copy the current one to a new