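# ManaCore Matrix Synapse Configuration
# Documentation: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
#
# NOTE(review): several values below use shell-style "${VAR:-default}"
# placeholders. Synapse reads homeserver.yaml as plain YAML and does not expand
# them itself, so a render step (envsubst or similar in the container
# entrypoint) must run before Synapse starts; otherwise the literal "${...}"
# text becomes the secret, and every deployment that forgets to set a variable
# silently shares the "change-me-*" fallback. Confirm the render step exists
# and fails hard on an unset variable.

server_name: "mana.how"
pid_file: /data/homeserver.pid
public_baseurl: https://matrix.mana.how/

# ============================================
# Listeners
# ============================================
# Plain HTTP behind a TLS-terminating reverse proxy. x_forwarded makes Synapse
# trust X-Forwarded-For for the client address (used by rc_login.address and
# in logs), so port 8008 must be reachable only from the proxy, never directly.
listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    resources:
      - names: [client, federation]
        compress: false

# ============================================
# Database (PostgreSQL)
# ============================================
database:
  name: psycopg2
  txn_limit: 10000
  args:
    user: synapse
    # NOTE(review): literal credential committed with the config. Prefer the
    # same externalised-secret mechanism used for the Synapse secrets below.
    password: "synapse-secure-password"
    database: matrix
    host: postgres
    port: 5432
    cp_min: 5
    cp_max: 10

# ============================================
# Logging
# ============================================
log_config: "/config/log.config.yaml"

# ============================================
# Media Storage
# ============================================
media_store_path: /data/media_store
max_upload_size: 50M
# URL previews make the homeserver fetch arbitrary URLs on users' behalf. The
# blacklist keeps those fetches off loopback, RFC 1918, link-local, CGNAT,
# benchmarking, documentation and multicast ranges (SSRF protection); Synapse
# requires this list whenever previews are enabled.
url_preview_enabled: true
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '192.0.0.0/24'
  - '169.254.0.0/16'
  - '198.18.0.0/15'
  - '192.0.2.0/24'
  - '198.51.100.0/24'
  - '203.0.113.0/24'
  - '224.0.0.0/4'
  - '::1/128'
  - 'fe80::/10'
  - 'fc00::/7'
  - '2001:db8::/32'
  - 'ff00::/8'
  - 'fec0::/10'

# ============================================
# Registration & Authentication
# ============================================
enable_registration: false
enable_registration_without_verification: false

# Password config (disabled - all users authenticate via OIDC/SSO)
password_config:
  enabled: false
  localdb_enabled: false
  pepper: "${SYNAPSE_PASSWORD_PEPPER:-change-me-pepper}"

# Session lifetime (must be >= refresh_token_lifetime)
# Set to 10 years for bot tokens to avoid frequent expiration
# NOTE(review): session_lifetime is global. Every user's login, not only the
# bots', stays valid for 10 years unless the device is logged out explicitly,
# which weakens the value of the OIDC session policy upstream. Application
# services (see below) give bots permanent tokens without this side effect.
session_lifetime: 87600h
refresh_token_lifetime: 87600h

# ============================================
# Rate Limiting
# ============================================
rc_message:
  per_second: 5
  burst_count: 20

rc_registration:
  per_second: 0.5
  burst_count: 5

rc_login:
  address:
    per_second: 0.5
    burst_count: 5
  account:
    per_second: 0.5
    burst_count: 5
  failed_attempts:
    per_second: 0.5
    burst_count: 5

# ============================================
# Federation
# ============================================
# Allow federation with other Matrix servers
# NOTE(review): this setting does not do what the comment says. In Synapse,
# leaving federation_domain_whitelist unset allows all federation, but once the
# key is set the server federates only with the listed domains, so an empty
# list denies every remote server. Remove the key (or comment it out) to allow
# federation, or list the permitted domains if the restriction is intended.
federation_domain_whitelist: []
trusted_key_servers:
  - server_name: "matrix.org"

# ============================================
# DSGVO / Data Retention
# ============================================
retention:
  enabled: true
  default_policy:
    min_lifetime: 1d
    max_lifetime: 365d
  allowed_lifetime_min: 1d
  allowed_lifetime_max: 365d
  # Each purge job handles rooms whose max_lifetime falls in its range; the
  # ranges must be contiguous. The second job previously started at 365d,
  # leaving rooms with a max_lifetime between 3d and 365d (most rooms under the
  # default policy) covered by no job and therefore never purged, which defeats
  # the retention guarantee. It now starts where the first job ends.
  purge_jobs:
    - longest_max_lifetime: 3d
      interval: 12h
    - shortest_max_lifetime: 3d
      interval: 1d

# Forgotten room retention
forgotten_room_retention_period: 7d

# ============================================
# Security
# ============================================
signing_key_path: "/data/signing.key"
# See the note at the top of the file: these "${VAR:-default}" values are only
# secrets if something renders them before Synapse reads this file.
form_secret: "${SYNAPSE_FORM_SECRET:-change-me-form-secret}"
macaroon_secret_key: "${SYNAPSE_MACAROON_SECRET:-change-me-macaroon-secret}"
registration_shared_secret: "${SYNAPSE_REGISTRATION_SECRET:-change-me-registration-secret}"

# ============================================
# Application Services (for Bots)
# Currently disabled - using long-lived user tokens instead
# TODO: Migrate bots to AS for truly permanent tokens
# ============================================
app_service_config_files: []

# ============================================
# Metrics & Telemetry
# ============================================
report_stats: false
enable_metrics: true
# NOTE(review): current Synapse documents metrics via a listener of
# type "metrics"; confirm the installed version still honours a top-level
# metrics_port. Either way the metrics endpoint is unauthenticated and must
# stay unreachable from outside the monitoring network.
metrics_port: 9002

# ============================================
# Caching
# ============================================
caches:
  global_factor: 0.5
  per_cache_factors: {}
  expire_caches: true
  cache_entry_ttl: 30m

# ============================================
# Background Tasks
# ============================================
# NOTE(review): the main Synapse process has the instance name "master". With
# this set to "synapse", background tasks (including the retention purge jobs
# above) run only on a worker whose worker_name is "synapse"; if no such worker
# is deployed, they run nowhere. Confirm the worker exists or drop this key.
run_background_tasks_on: synapse

# ============================================
# Email (optional, for password reset)
# ============================================
# email:
#   smtp_host: smtp-relay.brevo.com
#   smtp_port: 587
#   smtp_user: "${SMTP_USER}"
#   smtp_pass: "${SMTP_PASSWORD}"
#   require_transport_security: true
#   notif_from: "ManaCore Matrix "   # NOTE(review): sender address appears truncated

# ============================================
# OIDC / SSO Configuration (Mana Core Auth)
# ============================================
# Enable SSO via Mana Core Auth OIDC Provider
oidc_providers:
  - idp_id: manacore
    idp_name: "Mana Core"
    idp_brand: "org.matrix.custom"
    discover: true
    issuer: "https://auth.mana.how"
    client_id: "matrix-synapse"
    # NOTE(review): literal client secret committed with the config. Rotate it
    # at the IdP and load the replacement through the same externalised-secret
    # mechanism as the other secrets (newer Synapse versions also accept
    # client_secret_path for a file-based secret).
    client_secret: "6dc67d2dbea5c19409d21cbaec5ba77265b0296796d4ebb015d70209c68f3fd5"
    scopes: ["openid", "profile", "email"]
    user_mapping_provider:
      config:
        subject_claim: "sub"
        # NOTE(review): the localpart is the part of the email before "@", so
        # alice@a.example and alice@b.example map to the same Matrix user.
        # Together with allow_existing_users: true, the second identity would
        # be linked to the first user's account. This is safe only if the IdP
        # guarantees a single email domain; otherwise derive the localpart from
        # a unique claim.
        localpart_template: "{{ user.email.split('@')[0] }}"
        display_name_template: "{{ user.name }}"
        email_template: "{{ user.email }}"
    # Link an SSO identity to an existing account with the same localpart.
    allow_existing_users: true
    # Provider-level registration: accounts are created on first SSO login even
    # though the global enable_registration is false, so everyone the IdP
    # authenticates gets an account on this homeserver.
    enable_registration: true

# SSO UI Settings
# Synapse matches these entries as URL prefixes; the trailing slash keeps a
# lookalike host such as "https://element.mana.how.<other-domain>" from
# matching and skipping the confirmation page.
sso:
  client_whitelist:
    - "https://element.mana.how/"
    - "https://matrix.mana.how/"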