Deploy Synapse on Ezra VPS with PostgreSQL backend, bot registration, and management tooling. Closes #272 Components: - docker-compose.yml: Synapse + PostgreSQL 16 stack - homeserver.yaml: Production config (registration disabled, rate limits, retention) - setup.sh: One-shot deploy (generates secrets, starts stack, registers accounts, gets bot token) - manage.sh: Day-to-day ops (status, restart, logs, backup, update, create-user, teardown) - docs/synapse-deployment.md: Full deployment guide with Nginx TLS, DNS, troubleshooting Security: - Registration disabled by default - Rate limiting on login/registration/messages - Client API bound to localhost (Nginx proxy for public access) - Secrets chmod 600, .gitignore'd - Federation certificate verification enabled Bot account auto-registered and access token acquired — credentials written to synapse-credentials.env for hermes-agent integration.
# Synapse Homeserver Configuration
|
|
# Generated by setup.sh — edit with care.
|
|
#
|
|
# Docs: https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
|
|
|
|
# Server name — your Matrix domain (e.g. matrix.example.com)
|
|
server_name: "SERVER_NAME_PLACEHOLDER"
|
|
|
|
# Signing key — generated by setup.sh
|
|
signing_key_path: "/data/signing.key"
|
|
|
|
# Trusted key servers (empty = trust only ourselves for our own keys)
|
|
trusted_key_servers: []
|
|
|
|
# Report stats to matrix.org (no for sovereignty)
|
|
report_stats: false
|
|
|
|
# Listeners
|
|
listeners:
|
|
- port: 8008
|
|
tls: false
|
|
type: http
|
|
x_forwarded: true
|
|
resources:
|
|
- names: [client, federation]
|
|
compress: false
|
|
|
|
# Database — PostgreSQL
|
|
database:
|
|
name: psycopg2
|
|
args:
|
|
user: synapse
|
|
password: "${POSTGRES_PASSWORD}"
|
|
database: synapse
|
|
host: synapse-db
|
|
cp_min: 5
|
|
cp_max: 10
|
|
|
|
# Media store
|
|
media_store_path: "/data/media_store"
|
|
|
|
# Upload limits
|
|
max_upload_size: "50M"
|
|
|
|
# URL previews (disable to reduce attack surface)
|
|
url_preview_enabled: false
|
|
|
|
# Enable room list publishing
|
|
enable_room_list_search: true
|
|
|
|
# Turn off public registration by default (create users via admin API)
|
|
enable_registration: false
|
|
enable_registration_without_verification: false
|
|
|
|
# Rate limiting
|
|
rc_message:
|
|
per_second: 0.2
|
|
burst_count: 10
|
|
|
|
rc_registration:
|
|
per_second: 0.1
|
|
burst_count: 3
|
|
|
|
rc_login:
|
|
address:
|
|
per_second: 0.05
|
|
burst_count: 2
|
|
account:
|
|
per_second: 0.05
|
|
burst_count: 2
|
|
failed_attempts:
|
|
per_second: 0.15
|
|
burst_count: 3
|
|
|
|
# Retention — keep messages for 90 days by default
|
|
retention:
|
|
enabled: true
|
|
default_policy:
|
|
min_lifetime: 1d
|
|
max_lifetime: 90d
|
|
|
|
# Logging
|
|
log_config: "/data/log.config"
|
|
|
|
# Metrics (optional — enable if running Prometheus)
|
|
enable_metrics: false
|
|
|
|
# Presence
|
|
use_presence: true
|
|
|
|
# Federation
|
|
federation_verify_certificates: true
|
|
federation_sender_instances: 1
|
|
|
|
# Appservice config directory
|
|
app_service_config_files: []
|
|
|
|
# Experimental features
|
|
experimental_features:
|
|
# MSC3440: Threading support
|
|
msc3440_enabled: true
|
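Review bot: The listener at `- port: 8008` sets `x_forwarded: true` but declares no `bind_addresses`, so inside the container Synapse listens on every interface and takes the client IP from the X-Forwarded-For header; the "client API bound to localhost" property claimed in the description therefore rests on the compose port mapping, which is not in this file, and if the port were reachable without passing through Nginx the per-address `rc_login` limits would be keyed on a header the caller controls. A comment above the listener such as `# Must only be reachable via the Nginx proxy — localhost binding is enforced by the port mapping in docker-compose.yml` would make that dependency visible to whoever edits either file. `federation_sender_instances: 1` does not match the documented form of that option, which is a list of federation-sender worker names; on a single-process deployment it is better omitted. `password: "${POSTGRES_PASSWORD}"` is only a real secret if setup.sh substitutes it before Synapse reads the file, since Synapse does not expand shell variables in homeserver.yaml, and it uses a different placeholder convention from `SERVER_NAME_PLACEHOLDER`, so a comment naming the script that fills it in would help.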