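# .env for the matrix-synapse recipe (abra / Co-op Cloud style env file).
# One KEY=VALUE per line; '#' starts a comment. Lines beginning with '#KEY=' are
# optional settings left disabled. Trailing '# length=.. # charset=..' annotations
# on SECRET_* lines are abra secret-generation hints, not shell comments to remove.
TYPE=matrix-synapse
DOMAIN=matrix-synapse.example.com
# SERVER_NAME=example.com
TIMEOUT=300
# NOTE(review): auto-update presumably pulls new images on its own schedule —
# pair it with pinned image digests or review of upstream changes if you need to
# control when new code reaches this host.
ENABLE_AUTO_UPDATE=true
LETS_ENCRYPT_ENV=production
COMPOSE_FILE="compose.yml"
# POST_DEPLOY_CMDS="db set_admin"
ENABLE_BACKUPS=true

## Admin details
ADMIN_EMAIL=admin@example.com

## Secrets
# Values here are secret *version* labels, not the secrets themselves; the
# secret material lives in Docker secrets managed by abra. Bumping a version
# (v1 -> v2) is presumably how a secret is rotated — confirm with abra docs.
SECRET_DB_PASSWORD_VERSION=v1
SECRET_FORM_SECRET_VERSION=v1
SECRET_MACAROON_VERSION=v1
SECRET_REGISTRATION_VERSION=v1

## Authentication
# All login / SSO / MAS-related toggles in one place.

### Local password & registration (Synapse native)
# With MAS_ENABLED=1 you must set PASSWORD_LOGIN_ENABLED=false — Synapse forbids legacy password DB alongside matrix_authentication_service.
PASSWORD_LOGIN_ENABLED=true
# Open registration stays off; enable it only together with a token or
# other gate, otherwise anyone who can reach $DOMAIN can create accounts.
ENABLE_REGISTRATION=false
# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
#REGISTRATION_REQUIRES_TOKEN=true

### OIDC via Keycloak-shaped API (e.g. Authentik)
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
#KEYCLOAK_ENABLED=1
#KEYCLOAK_ID=keycloak
#KEYCLOAK_NAME=
#KEYCLOAK_URL=
#KEYCLOAK_CLIENT_ID=
#KEYCLOAK_CLIENT_DOMAIN=
# NOTE(review): ALLOW_EXISTING_USERS presumably lets an OIDC login attach to a
# pre-existing local account with the same localpart; leave false unless the
# IdP's identity claims are fully trusted, since true makes account takeover
# depend on the IdP rather than on Synapse.
#KEYCLOAK_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1

### Second OIDC provider (compose.keycloak2.yml)
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak2.yml"
#KEYCLOAK2_ENABLED=1
#KEYCLOAK2_ID=keycloak2
#KEYCLOAK2_NAME=
#KEYCLOAK2_URL=
#KEYCLOAK2_CLIENT_ID=
#KEYCLOAK2_CLIENT_DOMAIN=
#KEYCLOAK2_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK2_CLIENT_SECRET_VERSION=v1

### Third OIDC provider (compose.keycloak3.yml)
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
#KEYCLOAK3_ENABLED=1
#KEYCLOAK3_ID=keycloak3
#KEYCLOAK3_NAME=
#KEYCLOAK3_URL=
#KEYCLOAK3_CLIENT_ID=
#KEYCLOAK3_CLIENT_DOMAIN=
#KEYCLOAK3_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1

### Matrix Authentication Service (MAS) — Element X / OIDC-native auth
#COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml"
#MAS_ENABLED=1
#PASSWORD_LOGIN_ENABLED=false
#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 # charset=hex
#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 # charset=hex
# PEM private key: abra cannot generate this format — insert only (e.g. openssl genrsa 2048 | abra app secret insert …)
# Treat the signing key like any other long-lived private key: back it up with
# the other secrets and rotate it via a new *_VERSION rather than overwriting.
#SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false

#### MAS upstream OIDC provider (e.g. Authentik)
# See mas-authentik-and-roadmap.md for migration procedure.
# Create a new OAuth2 app in your IdP with redirect URI:
#   https://<MAS host>/upstream/callback/<MAS_UPSTREAM_PROVIDER_ID>
# (angle-bracket parts are placeholders — fill in your MAS hostname and the ULID set below)
#COMPOSE_FILE="$COMPOSE_FILE:compose.mas-upstream.yml"
#MAS_UPSTREAM_PROVIDER_ID= # ULID, e.g. 01JSHPZHAXC50QBKH67MH33TNF — generate at https://www.ulidtools.com
#MAS_UPSTREAM_ISSUER= # e.g. https://auth.example.com/application/o/matrix-mas/
#MAS_UPSTREAM_CLIENT_ID=
#MAS_UPSTREAM_HUMAN_NAME=Authentik
# For migration from a previous direct Keycloak-style config: set to oidc-<previous KEYCLOAK_ID>
# (placeholder — confirm the exact idp id against the migration doc) so syn2mas maps users correctly.
#MAS_UPSTREAM_SYNAPSE_IDP_ID=
#SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION=v1

### Shared secret auth (bridges / automation)
# NOTE(review): a shared-secret login bypasses the interactive auth flow, so the
# secret is effectively a master credential — scope who can read it accordingly.
#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
#SHARED_SECRET_AUTH_ENABLED=1
#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128

## Federation
#DISABLE_FEDERATION=1
# Set "true" to enable federation endpoint on $DOMAIN/.well-known/matrix/server
SERVE_SERVER_WELLKNOWN=false
ALLOW_PUBLIC_ROOMS_FEDERATION=false

## Room auto-join
#AUTO_JOIN_ROOM_ENABLED=1
#AUTO_JOIN_ROOM="#example:example.com"

## Logging
# for the homeserver
SQL_LOG_LEVEL=WARN
ROOT_LOG_LEVEL=WARN
# for nginx
# NOTE(review): /dev/null discards access and error logs entirely, which leaves
# no request trail for incident investigation; consider the stdout/stderr
# variant below (or another sink) if you need an audit record.
NGINX_ACCESS_LOG_LOCATION="/dev/null"
NGINX_ERROR_LOG_LOCATION="/dev/null"
# Comment the previous two lines and uncomment these to enable logging
#NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
#NGINX_ERROR_LOG_LOCATION="/dev/stderr"

## Privacy
# 3PID lookup presumably lets clients query identity servers for email/phone
# mappings; set false if users' contact details must not leave this deployment.
ENABLE_3PID_LOOKUP=true
# How long per-user client IP records are kept (presumably; confirm in Synapse docs).
USER_IPS_MAX_AGE=1d
ENCRYPTED_BY_DEFAULT=all
#ENABLE_ALLOWLIST=1
#FEDERATION_ALLOWLIST="[]"
# Set these to keyservers you trust - usually the same as your federation allowlist
#TRUSTED_KEYSERVERS="trusted_key_servers:\n - server_name: 'example.com'\n - server_name: 'example2.com'"
# some optional configs to increase privacy and security
#REQUIRE_AUTH_FOR_PROFILE_REQUESTS=true
#LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=true
#DELETE_STALE_DEVICES_AFTER=1y
#SESSION_LIFETIME=60d
#TRACK_PUPPETED_USER_IPS=true

## Retention
ALLOWED_LIFETIME_MAX=4w
REDACTION_RETENTION_PERIOD=7d
RETENTION_MAX_LIFETIME=4w
#MEDIA_RETENTION_LOCAL_LIFETIME=30d
#MEDIA_RETENTION_REMOTE_LIFETIME=14d

## Old Signing Key
# Keep the previous server signing key published (with its expiry) after a key
# rotation so other servers can still verify events signed with it.
#OLD_SIGNING_KEY_ID=a_OLDKEYID
#OLD_SIGNING_KEY=base64string
#OLD_SIGNING_KEY_EXPIRES=123456789123

## Ratelimit
# Login rate limits per source IP and per account; enabling these is the
# first-line mitigation against credential stuffing and password spraying.
#LOGIN_LIMIT_IP_PER_SECOND=5
#LOGIN_LIMIT_IP_BURST=15
#LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
#LOGIN_LIMIT_ACCOUNT_BURST=10

## TURN
#COMPOSE_FILE="$COMPOSE_FILE:compose.turn.yml"
#TURN_ENABLED=1
#TURN_URIS="[\"turns:coturn.foo.zone?transport=udp\", \"turns:coturn.foo.zone?transport=tcp\"]"
# NOTE(review): allowing guests presumably hands TURN credentials to
# unauthenticated users, i.e. lets strangers relay traffic through your coturn.
#TURN_ALLOW_GUESTS=true
#SECRET_TURN_SHARED_SECRET_VERSION=v1

## SMTP
#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
#SMTP_ENABLED=1
#SMTP_APP_NAME=
#SMTP_FROM=
#SMTP_HOST=
#SMTP_PORT=
#SMTP_USER=
#SECRET_SMTP_PASSWORD_VERSION=v1

## USER-DIRECTORY
#USER_DIRECTORY_ENABLED=true
#USER_DIRECTORY_SEARCH_ALL_USERS=true
#USER_DIRECTORY_PREFER_LOCAL_USERS=true
#USER_DIRECTORY_SHOW_LOCKED_USERS=false

## App services
#APP_SERVICES_ENABLED=1
#APP_SERVICE_CONFIGS="[\"...\"]"

## Telegram bridge
#COMPOSE_FILE="$COMPOSE_FILE:compose.telegram.yml"
#APP_SERVICE_BOT_USERNAME=telegrambot
#APP_SERVICE_DISPLAY_NAME="Telegram bridge bot"
#APP_SERVICE_ID=
#HOMESERVER_DOMAIN=$DOMAIN
#HOMESERVER_URL=https://$DOMAIN
# NOTE(review): VERIFY_SSL=false presumably disables TLS certificate checks on
# the bridge's connection to HOMESERVER_URL; keep it true unless that URL is an
# internal endpoint with a certificate the bridge cannot validate.
#VERIFY_SSL=false
#ENABLE_ENCRYPTION=true
#TELEGRAM_APP_ID=
# Bridge permission map: "*" sets the default level for everyone; grant "admin"
# only to specific MXIDs.
#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\", \"@foo:matrix.example.com\": \"admin\" }"
#TELEGRAM_SYNC_CHANNEL_MEMBERS=true
#SECRET_TELEGRAM_DB_PASSWORD_VERSION=v1
#SECRET_TELEGRAM_API_HASH_VERSION=v1
#SECRET_TELEGRAM_BOT_TOKEN_VERSION=v1
#SECRET_TELEGRAM_AS_TOKEN_VERSION=v1
#SECRET_TELEGRAM_HS_TOKEN_VERSION=v1

## Discord bridge
#COMPOSE_FILE="$COMPOSE_FILE:compose.discord.yml"
#DISCORD_CLIENT_ID=
#DISCORD_BRIDGE_ADMIN=
#SECRET_DISCORD_BOT_TOKEN_VERSION=v1
#SECRET_DISCORD_DB_PASSWORD_VERSION=v1

## Signal bridge
#COMPOSE_FILE="$COMPOSE_FILE:compose.signal.yml"
#SIGNAL_ENABLE_ENCRYPTION=true
#SIGNAL_DEFAULT_ENCRYPTION=true
#SIGNAL_BRIDGE_PERMISSIONS="{ \"*\": \"relay\" }"
#SECRET_SIGNAL_AS_TOKEN_VERSION=v1
#SECRET_SIGNAL_DB_PASSWORD_VERSION=v1
#SECRET_SIGNAL_HS_TOKEN_VERSION=v1
#SECRET_SIGNAL_PICKLE_KEY_VERSION=v1

## Web Client (Redirect)
#WEB_CLIENT_LOCATION=https://element-web.example.com

## Admin interface at /admin
# The admin UI exposes account and token management on the public hostname;
# restrict who can reach /admin (network policy or auth in front) when enabling it.
#COMPOSE_FILE="$COMPOSE_FILE:compose.admin.yml"
#ADMIN_INTERFACE_ENABLED=1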