till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-15 01:41:08 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
managarten/docker/matrix/homeserver.yaml
Till-JS d81b8aebf2 🔒 refactor(bots): remove !login command and enforce OIDC-only auth 
- Remove !login and !logout commands from all 16+ Matrix bots
- Remove login/logout references from all help/welcome messages
- Disable password login in Synapse (password_config.enabled: false)
- System is now OIDC-only via Mana Core authentication

Users must authenticate via "Sign in with Mana Core" in Element.
Existing bot access tokens remain valid.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-14 11:26:58 +01:00

222 lines
5.4 KiB
YAML
Raw Blame History

# ManaCore Matrix Synapse Configuration
# Documentation: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
server_name: "mana.how"
pid_file: /data/homeserver.pid
public_baseurl: https://matrix.mana.how/
# ============================================
# Listeners
# ============================================
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
resources:
- names: [client, federation]
compress: false
# ============================================
# Database (PostgreSQL)
# ============================================
database:
name: psycopg2
txn_limit: 10000
args:
user: synapse
password: "synapse-secure-password"
database: matrix
host: postgres
port: 5432
cp_min: 5
cp_max: 10
# ============================================
# Logging
# ============================================
log_config: "/config/log.config.yaml"
# ============================================
# Media Storage
# ============================================
media_store_path: /data/media_store
max_upload_size: 50M
url_preview_enabled: true
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
# ============================================
# Registration & Authentication
# ============================================
enable_registration: false
enable_registration_without_verification: false
# Password config (disabled - all users authenticate via OIDC/SSO)
password_config:
enabled: false
localdb_enabled: false
pepper: "${SYNAPSE_PASSWORD_PEPPER:-change-me-pepper}"
# Session lifetime (must be >= refresh_token_lifetime)
# Set to 10 years for bot tokens to avoid frequent expiration
session_lifetime: 87600h
refresh_token_lifetime: 87600h
# ============================================
# Rate Limiting
# ============================================
rc_message:
per_second: 5
burst_count: 20
rc_registration:
per_second: 0.5
burst_count: 5
rc_login:
address:
per_second: 0.5
burst_count: 5
account:
per_second: 0.5
burst_count: 5
failed_attempts:
per_second: 0.5
burst_count: 5
# ============================================
# Federation
# ============================================
# Allow federation with other Matrix servers
federation_domain_whitelist: []
trusted_key_servers:
- server_name: "matrix.org"
# ============================================
# DSGVO / Data Retention
# ============================================
retention:
enabled: true
default_policy:
min_lifetime: 1d
max_lifetime: 365d
allowed_lifetime_min: 1d
allowed_lifetime_max: 365d
purge_jobs:
- longest_max_lifetime: 3d
interval: 12h
- shortest_max_lifetime: 365d
interval: 1d
# Forgotten room retention
forgotten_room_retention_period: 7d
# ============================================
# Security
# ============================================
signing_key_path: "/data/signing.key"
form_secret: "${SYNAPSE_FORM_SECRET:-change-me-form-secret}"
macaroon_secret_key: "${SYNAPSE_MACAROON_SECRET:-change-me-macaroon-secret}"
registration_shared_secret: "${SYNAPSE_REGISTRATION_SECRET:-change-me-registration-secret}"
# ============================================
# Application Services (for Bots)
# Currently disabled - using long-lived user tokens instead
# TODO: Migrate bots to AS for truly permanent tokens
# ============================================
app_service_config_files: []
# ============================================
# Metrics & Telemetry
# ============================================
report_stats: false
enable_metrics: true
metrics_port: 9002
# ============================================
# Caching
# ============================================
caches:
global_factor: 0.5
per_cache_factors: {}
expire_caches: true
cache_entry_ttl: 30m
# ============================================
# Background Tasks
# ============================================
run_background_tasks_on: synapse
# ============================================
# Email (optional, for password reset)
# ============================================
# email:
# smtp_host: smtp-relay.brevo.com
# smtp_port: 587
# smtp_user: "${SMTP_USER}"
# smtp_pass: "${SMTP_PASSWORD}"
# require_transport_security: true
# notif_from: "ManaCore Matrix <noreply@mana.how>"
# ============================================
# OIDC / SSO Configuration (Mana Core Auth)
# ============================================
# Enable SSO via Mana Core Auth OIDC Provider
oidc_providers:
- idp_id: manacore
idp_name: "Mana Core"
idp_brand: "org.matrix.custom"
discover: true
issuer: "https://auth.mana.how"
client_id: "matrix-synapse"
client_secret: "6dc67d2dbea5c19409d21cbaec5ba77265b0296796d4ebb015d70209c68f3fd5"
scopes: ["openid", "profile", "email"]
user_mapping_provider:
config:
subject_claim: "sub"
localpart_template: "{{ user.email.split('@')[0] }}"
display_name_template: "{{ user.name }}"
email_template: "{{ user.email }}"
allow_existing_users: true
enable_registration: true
# SSO UI Settings
sso:
client_whitelist:
- "https://element.mana.how"
- "https://matrix.mana.how"
Reference in a new issue View git blame Copy permalink