### conduwuit Configuration ### ### THIS FILE IS GENERATED. CHANGES/CONTRIBUTIONS IN THE REPO WILL ### BE OVERWRITTEN! ### ### You should rename this file before configuring your server. Changes ### to documentation and defaults can be contributed in source code at ### src/core/config/mod.rs. This file is generated when building. ### ### Any values pre-populated are the default values for said config option. ### ### At the minimum, you MUST edit all the config options to your environment ### that say "YOU NEED TO EDIT THIS". ### See https://conduwuit.puppyirl.gay/configuration.html for ways to ### configure conduwuit [global] # The server_name is the pretty name of this server. It is used as a # suffix for user and room IDs/aliases. # # See the docs for reverse proxying and delegation: https://conduwuit.puppyirl.gay/deploying/generic.html#setting-up-the-reverse-proxy # Also see the `[global.well_known]` config section at the very bottom. # # Examples of delegation: # - https://puppygock.gay/.well-known/matrix/server # - https://puppygock.gay/.well-known/matrix/client # # YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE # WIPE. # # example: "conduwuit.woof" # #server_name = # default address (IPv4 or IPv6) conduwuit will listen on. # # If you are using Docker or a container NAT networking setup, this must # be "0.0.0.0". # # To listen on multiple addresses, specify a vector e.g. ["127.0.0.1", # "::1"] # #address = ["127.0.0.1", "::1"] # The port(s) conduwuit will be running on. # # See https://conduwuit.puppyirl.gay/deploying/generic.html#setting-up-the-reverse-proxy for reverse proxying. # # Docker users: Don't change this, you'll need to map an external port to # this. # # To listen on multiple ports, specify a vector e.g. [8080, 8448] # #port = 8008 # Uncomment unix_socket_path to listen on a UNIX socket at the specified # path. If listening on a UNIX socket, you MUST remove/comment the # 'address' key if definedm AND add your reverse proxy to the 'conduwuit' # group, unless world RW permissions are specified with unix_socket_perms # (666 minimum). # # example: "/run/conduwuit/conduwuit.sock" # #unix_socket_path = # The default permissions (in octal) to create the UNIX socket with. # #unix_socket_perms = 660 # This is the only directory where conduwuit will save its data, including # media. # Note: this was previously "/var/lib/matrix-conduit" # # YOU NEED TO EDIT THIS. # # example: "/var/lib/conduwuit" # #database_path = # conduwuit supports online database backups using RocksDB's Backup engine # API. To use this, set a database backup path that conduwuit can write # to. # # See https://conduwuit.puppyirl.gay/maintenance.html#backups for more information. # # example: "/opt/conduwuit-db-backups" # #database_backup_path = # The amount of online RocksDB database backups to keep/retain, if using # "database_backup_path", before deleting the oldest one. # #database_backups_to_keep = 1 # Set this to any float value in megabytes for conduwuit to tell the # database engine that this much memory is available for database-related # caches. # # May be useful if you have significant memory to spare to increase # performance. # # Similar to the individual LRU caches, this is scaled up with your CPU # core count. # # This defaults to 128.0 + (64.0 * CPU core count) # #db_cache_capacity_mb = # Option to control adding arbitrary text to the end of the user's # displayname upon registration with a space before the text. This was the # lightning bolt emoji option, just replaced with support for adding your # own custom text or emojis. To disable, set this to "" (an empty string). # # The default is the trans pride flag. # # example: "🏳️⚧️" # #new_user_displayname_suffix = "🏳️⚧️" # If enabled, conduwuit will send a simple GET request periodically to # `https://pupbrain.dev/check-for-updates/stable` for any new # announcements made. Despite the name, this is not an update check # endpoint, it is simply an announcement check endpoint. # # This is disabled by default as this is rarely used except for security # updates or major updates. # #allow_check_for_updates = false # Set this to any float value to multiply conduwuit's in-memory LRU caches # with such as "auth_chain_cache_capacity". # # May be useful if you have significant memory to spare to increase # performance. This was previously called # `conduit_cache_capacity_modifier`. # # If you have low memory, reducing this may be viable. # # By default, the individual caches such as "auth_chain_cache_capacity" # are scaled by your CPU core count. # #cache_capacity_modifier = 1.0 # This item is undocumented. Please contribute documentation for it. # #pdu_cache_capacity = varies by system # This item is undocumented. Please contribute documentation for it. # #auth_chain_cache_capacity = varies by system # This item is undocumented. Please contribute documentation for it. # #shorteventid_cache_capacity = varies by system # This item is undocumented. Please contribute documentation for it. # #eventidshort_cache_capacity = varies by system # This item is undocumented. Please contribute documentation for it. # #eventid_pdu_cache_capacity = varies by system # This item is undocumented. Please contribute documentation for it. # #shortstatekey_cache_capacity = varies by system # This item is undocumented. Please contribute documentation for it. # #statekeyshort_cache_capacity = varies by system # This item is undocumented. Please contribute documentation for it. # #server_visibility_cache_capacity = varies by system # This item is undocumented. Please contribute documentation for it. # #user_visibility_cache_capacity = varies by system # This item is undocumented. Please contribute documentation for it. # #stateinfo_cache_capacity = varies by system # This item is undocumented. Please contribute documentation for it. # #roomid_spacehierarchy_cache_capacity = varies by system # Maximum entries stored in DNS memory-cache. The size of an entry may # vary so please take care if raising this value excessively. Only # decrease this when using an external DNS cache. Please note # that systemd-resolved does *not* count as an external cache, even when # configured to do so. # #dns_cache_entries = 32768 # Minimum time-to-live in seconds for entries in the DNS cache. The # default may appear high to most administrators; this is by design as the # majority of NXDOMAINs are correct for a long time (e.g. the server is no # longer running Matrix). Only decrease this if you are using an external # DNS cache. # # default_dns_min_ttl: 259200 # #dns_min_ttl = # Minimum time-to-live in seconds for NXDOMAIN entries in the DNS cache. # This value is critical for the server to federate efficiently. # NXDOMAIN's are assumed to not be returning to the federation # and aggressively cached rather than constantly rechecked. # # Defaults to 3 days as these are *very rarely* false negatives. # #dns_min_ttl_nxdomain = 259200 # Number of retries after a timeout. # #dns_attempts = 10 # The number of seconds to wait for a reply to a DNS query. Please note # that recursive queries can take up to several seconds for some domains, # so this value should not be too low, especially on slower hardware or # resolvers. # #dns_timeout = 10 # Fallback to TCP on DNS errors. Set this to false if unsupported by # nameserver. # #dns_tcp_fallback = true # Enable to query all nameservers until the domain is found. Referred to # as "trust_negative_responses" in hickory_resolver. This can avoid # useless DNS queries if the first nameserver responds with NXDOMAIN or # an empty NOERROR response. # #query_all_nameservers = true # Enables using *only* TCP for querying your specified nameservers instead # of UDP. # # If you are running conduwuit in a container environment, this config option may need to be enabled. See https://conduwuit.puppyirl.gay/troubleshooting.html#potential-dns-issues-when-using-docker for more details. # #query_over_tcp_only = false # DNS A/AAAA record lookup strategy # # Takes a number of one of the following options: # 1 - Ipv4Only (Only query for A records, no AAAA/IPv6) # # 2 - Ipv6Only (Only query for AAAA records, no A/IPv4) # # 3 - Ipv4AndIpv6 (Query for A and AAAA records in parallel, uses whatever # returns a successful response first) # # 4 - Ipv6thenIpv4 (Query for AAAA record, if that fails then query the A # record) # # 5 - Ipv4thenIpv6 (Query for A record, if that fails then query the AAAA # record) # # If you don't have IPv6 networking, then for better DNS performance it # may be suitable to set this to Ipv4Only (1) as you will never ever use # the AAAA record contents even if the AAAA record is successful instead # of the A record. # #ip_lookup_strategy = 5 # Max request size for file uploads in bytes. Defaults to 20MB. # #max_request_size = 20971520 # This item is undocumented. Please contribute documentation for it. # #max_fetch_prev_events = 192 # Default/base connection timeout (seconds). This is used only by URL # previews and update/news endpoint checks. # #request_conn_timeout = 10 # Default/base request timeout (seconds). The time waiting to receive more # data from another server. This is used only by URL previews, # update/news, and misc endpoint checks. # #request_timeout = 35 # Default/base request total timeout (seconds). The time limit for a whole # request. This is set very high to not cancel healthy requests while # serving as a backstop. This is used only by URL previews and # update/news endpoint checks. # #request_total_timeout = 320 # Default/base idle connection pool timeout (seconds). This is used only # by URL previews and update/news endpoint checks. # #request_idle_timeout = 5 # Default/base max idle connections per host. This is used only by URL # previews and update/news endpoint checks. Defaults to 1 as generally the # same open connection can be re-used. # #request_idle_per_host = 1 # Federation well-known resolution connection timeout (seconds) # #well_known_conn_timeout = 6 # Federation HTTP well-known resolution request timeout (seconds) # #well_known_timeout = 10 # Federation client request timeout (seconds). You most definitely want # this to be high to account for extremely large room joins, slow # homeservers, your own resources etc. # #federation_timeout = 300 # Federation client idle connection pool timeout (seconds) # #federation_idle_timeout = 25 # Federation client max idle connections per host. Defaults to 1 as # generally the same open connection can be re-used # #federation_idle_per_host = 1 # Federation sender request timeout (seconds). The time it takes for the # remote server to process sent transactions can take a while. # #sender_timeout = 180 # Federation sender idle connection pool timeout (seconds) # #sender_idle_timeout = 180 # Federation sender transaction retry backoff limit (seconds) # #sender_retry_backoff_limit = 86400 # Appservice URL request connection timeout. Defaults to 35 seconds as # generally appservices are hosted within the same network. # #appservice_timeout = 35 # Appservice URL idle connection pool timeout (seconds) # #appservice_idle_timeout = 300 # Notification gateway pusher idle connection pool timeout # #pusher_idle_timeout = 15 # Enables registration. If set to false, no users can register on this # server. # # If set to true without a token configured, users can register with no # form of 2nd-step only if you set # `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to # true in your config. # # If you would like registration only via token reg, please configure # `registration_token` or `registration_token_file`. # #allow_registration = false # This item is undocumented. Please contribute documentation for it. # #yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = false # A static registration token that new users will have to provide when # creating an account. If unset and `allow_registration` is true, # registration is open without any condition. # # YOU NEED TO EDIT THIS OR USE registration_token_file. # # example: "o&^uCtes4HPf0Vu@F20jQeeWE7" # #registration_token = # Path to a file on the system that gets read for the registration token. # this config option takes precedence/priority over "registration_token". # # conduwuit must be able to access the file, and it must not be empty # # example: "/etc/conduwuit/.reg_token" # #registration_token_file = # Controls whether encrypted rooms and events are allowed. # #allow_encryption = true # Controls whether federation is allowed or not. It is not recommended to # disable this after the fact due to potential federation breakage. # #allow_federation = true # This item is undocumented. Please contribute documentation for it. # #federation_loopback = false # Set this to true to require authentication on the normally # unauthenticated profile retrieval endpoints (GET) # "/_matrix/client/v3/profile/{userId}". # # This can prevent profile scraping. # #require_auth_for_profile_requests = false # Set this to true to allow your server's public room directory to be # federated. Set this to false to protect against /publicRooms spiders, # but will forbid external users from viewing your server's public room # directory. If federation is disabled entirely (`allow_federation`), # this is inherently false. # #allow_public_room_directory_over_federation = false # Set this to true to allow your server's public room directory to be # queried without client authentication (access token) through the Client # APIs. Set this to false to protect against /publicRooms spiders. # #allow_public_room_directory_without_auth = false # allow guests/unauthenticated users to access TURN credentials # # this is the equivalent of Synapse's `turn_allow_guests` config option. # this allows any unauthenticated user to call the endpoint # `/_matrix/client/v3/voip/turnServer`. # # It is unlikely you need to enable this as all major clients support # authentication for this endpoint and prevents misuse of your TURN server # from potential bots. # #turn_allow_guests = false # Set this to true to lock down your server's public room directory and # only allow admins to publish rooms to the room directory. Unpublishing # is still allowed by all users with this enabled. # #lockdown_public_room_directory = false # Set this to true to allow federating device display names / allow # external users to see your device display name. If federation is # disabled entirely (`allow_federation`), this is inherently false. For # privacy reasons, this is best left disabled. # #allow_device_name_federation = false # Config option to allow or disallow incoming federation requests that # obtain the profiles of our local users from # `/_matrix/federation/v1/query/profile` # # Increases privacy of your local user's such as display names, but some # remote users may get a false "this user does not exist" error when they # try to invite you to a DM or room. Also can protect against profile # spiders. # # This is inherently false if `allow_federation` is disabled # #allow_inbound_profile_lookup_federation_requests = true # controls whether standard users are allowed to create rooms. appservices # and admins are always allowed to create rooms # #allow_room_creation = true # Set to false to disable users from joining or creating room versions # that aren't 100% officially supported by conduwuit. # # conduwuit officially supports room versions 6 - 11. # # conduwuit has slightly experimental (though works fine in practice) # support for versions 3 - 5 # #allow_unstable_room_versions = true # default room version conduwuit will create rooms with. # # per spec, room version 10 is the default. # #default_room_version = 10 # This item is undocumented. Please contribute documentation for it. # #allow_jaeger = false # This item is undocumented. Please contribute documentation for it. # #jaeger_filter = "info" # If the 'perf_measurements' compile-time feature is enabled, enables # collecting folded stack trace profile of tracing spans using # tracing_flame. The resulting profile can be visualized with inferno[1], # speedscope[2], or a number of other tools. # # [1]: https://github.com/jonhoo/inferno # [2]: www.speedscope.app # #tracing_flame = false # This item is undocumented. Please contribute documentation for it. # #tracing_flame_filter = "info" # This item is undocumented. Please contribute documentation for it. # #tracing_flame_output_path = "./tracing.folded" # Examples: # - No proxy (default): # proxy ="none" # # - For global proxy, create the section at the bottom of this file: # [global.proxy] # global = { url = "socks5h://localhost:9050" } # # - To proxy some domains: # [global.proxy] # [[global.proxy.by_domain]] # url = "socks5h://localhost:9050" # include = ["*.onion", "matrix.myspecial.onion"] # exclude = ["*.myspecial.onion"] # # Include vs. Exclude: # - If include is an empty list, it is assumed to be `["*"]`. # - If a domain matches both the exclude and include list, the proxy will # only be used if it was included because of a more specific rule than # it was excluded. In the above example, the proxy would be used for # `ordinary.onion`, `matrix.myspecial.onion`, but not # `hello.myspecial.onion`. # #proxy = "none" # This item is undocumented. Please contribute documentation for it. # #jwt_secret = # Servers listed here will be used to gather public keys of other servers # (notary trusted key servers). # # Currently, conduwuit doesn't support inbound batched key requests, so # this list should only contain other Synapse servers # # example: ["matrix.org", "constellatory.net", "tchncs.de"] # #trusted_servers = ["matrix.org"] # Whether to query the servers listed in trusted_servers first or query # the origin server first. For best security, querying the origin server # first is advised to minimize the exposure to a compromised trusted # server. For maximum federation/join performance this can be set to true, # however other options exist to query trusted servers first under # specific high-load circumstances and should be evaluated before setting # this to true. # #query_trusted_key_servers_first = false # Whether to query the servers listed in trusted_servers first # specifically on room joins. This option limits the exposure to a # compromised trusted server to room joins only. The join operation # requires gathering keys from many origin servers which can cause # significant delays. Therefor this defaults to true to mitigate # unexpected delays out-of-the-box. The security-paranoid or those # willing to tolerate delays are advised to set this to false. Note that # setting query_trusted_key_servers_first to true causes this option to # be ignored. # #query_trusted_key_servers_first_on_join = true # Only query trusted servers for keys and never the origin server. This is # intended for clusters or custom deployments using their trusted_servers # as forwarding-agents to cache and deduplicate requests. Notary servers # do not act as forwarding-agents by default, therefor do not enable this # unless you know exactly what you are doing. # #only_query_trusted_key_servers = false # Maximum number of keys to request in each trusted server batch query. # #trusted_server_batch_size = 1024 # max log level for conduwuit. allows debug, info, warn, or error # see also: https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives # # **Caveat**: # For release builds, the tracing crate is configured to only implement # levels higher than error to avoid unnecessary overhead in the compiled # binary from trace macros. For debug builds, this restriction is not # applied. # #log = "info" # controls whether logs will be outputted with ANSI colours # #log_colors = true # configures the span events which will be outputted with the log # #log_span_events = "none" # OpenID token expiration/TTL in seconds # # These are the OpenID tokens that are primarily used for Matrix account # integrations (e.g. Vector Integrations in Element), *not* OIDC/OpenID # Connect/etc # #openid_token_ttl = 3600 # static TURN username to provide the client if not using a shared secret # ("turn_secret"), It is recommended to use a shared secret over static # credentials. # #turn_username = false # static TURN password to provide the client if not using a shared secret # ("turn_secret"). It is recommended to use a shared secret over static # credentials. # #turn_password = false # vector list of TURN URIs/servers to use # # replace "example.turn.uri" with your TURN domain, such as the coturn # "realm" config option. if using TURN over TLS, replace the URI prefix # "turn:" with "turns:" # # example: ["turn:example.turn.uri?transport=udp", # "turn:example.turn.uri?transport=tcp"] # #turn_uris = [] # TURN secret to use for generating the HMAC-SHA1 hash apart of username # and password generation # # this is more secure, but if needed you can use traditional # static username/password credentials. # #turn_secret = false # TURN secret to use that's read from the file path specified # # this takes priority over "turn_secret" first, and falls back to # "turn_secret" if invalid or failed to open. # # example: "/etc/conduwuit/.turn_secret" # #turn_secret_file = # TURN TTL in seconds # #turn_ttl = 86400 # List/vector of room IDs or room aliases that conduwuit will make newly # registered users join. The rooms specified must be rooms that you # have joined at least once on the server, and must be public. # # example: ["#conduwuit:puppygock.gay", # "!eoIzvAvVwY23LPDay8:puppygock.gay"] # #auto_join_rooms = [] # Config option to automatically deactivate the account of any user who # attempts to join a: # - banned room # - forbidden room alias # - room alias or ID with a forbidden server name # # This may be useful if all your banned lists consist of toxic rooms or # servers that no good faith user would ever attempt to join, and # to automatically remediate the problem without any admin user # intervention. # # This will also make the user leave all rooms. Federation (e.g. remote # room invites) are ignored here. # # Defaults to false as rooms can be banned for non-moderation-related # reasons # #auto_deactivate_banned_room_attempts = false # RocksDB log level. This is not the same as conduwuit's log level. This # is the log level for the RocksDB engine/library which show up in your # database folder/path as `LOG` files. conduwuit will log RocksDB errors # as normal through tracing. # #rocksdb_log_level = "error" # This item is undocumented. Please contribute documentation for it. # #rocksdb_log_stderr = false # Max RocksDB `LOG` file size before rotating in bytes. Defaults to 4MB in # bytes. # #rocksdb_max_log_file_size = 4194304 # Time in seconds before RocksDB will forcibly rotate logs. # #rocksdb_log_time_to_roll = 0 # Set this to true to use RocksDB config options that are tailored to HDDs # (slower device storage) # # It is worth noting that by default, conduwuit will use RocksDB with # Direct IO enabled. *Generally* speaking this improves performance as it # bypasses buffered I/O (system page cache). However there is a potential # chance that Direct IO may cause issues with database operations if your # setup is uncommon. This has been observed with FUSE filesystems, and # possibly ZFS filesystem. RocksDB generally deals/corrects these issues # but it cannot account for all setups. If you experience any weird # RocksDB issues, try enabling this option as it turns off Direct IO and # feel free to report in the conduwuit Matrix room if this option fixes # your DB issues. # # See https://github.com/facebook/rocksdb/wiki/Direct-IO for more information. # #rocksdb_optimize_for_spinning_disks = false # Enables direct-io to increase database performance via unbuffered I/O. # # See https://github.com/facebook/rocksdb/wiki/Direct-IO for more details about Direct IO and RocksDB. # # Set this option to false if the database resides on a filesystem which # does not support direct-io like FUSE, or any form of complex filesystem # setup such as possibly ZFS. # #rocksdb_direct_io = true # Amount of threads that RocksDB will use for parallelism on database # operatons such as cleanup, sync, flush, compaction, etc. Set to 0 to use # all your logical threads. Defaults to your CPU logical thread count. # #rocksdb_parallelism_threads = 0 # Maximum number of LOG files RocksDB will keep. This must *not* be set to # 0. It must be at least 1. Defaults to 3 as these are not very useful # unless troubleshooting/debugging a RocksDB bug. # #rocksdb_max_log_files = 3 # Type of RocksDB database compression to use. # # Available options are "zstd", "zlib", "bz2", "lz4", or "none" # # It is best to use ZSTD as an overall good balance between # speed/performance, storage, IO amplification, and CPU usage. # For more performance but less compression (more storage used) and less # CPU usage, use LZ4. See https://github.com/facebook/rocksdb/wiki/Compression for more details. # # "none" will disable compression. # #rocksdb_compression_algo = "zstd" # Level of compression the specified compression algorithm for RocksDB to # use. # # Default is 32767, which is internally read by RocksDB as the # default magic number and translated to the library's default # compression level as they all differ. # See their `kDefaultCompressionLevel`. # #rocksdb_compression_level = 32767 # Level of compression the specified compression algorithm for the # bottommost level/data for RocksDB to use. Default is 32767, which is # internally read by RocksDB as the default magic number and translated # to the library's default compression level as they all differ. # See their `kDefaultCompressionLevel`. # # Since this is the bottommost level (generally old and least used data), # it may be desirable to have a very high compression level here as it's # lesss likely for this data to be used. Research your chosen compression # algorithm. # #rocksdb_bottommost_compression_level = 32767 # Whether to enable RocksDB's "bottommost_compression". # # At the expense of more CPU usage, this will further compress the # database to reduce more storage. It is recommended to use ZSTD # compression with this for best compression results. This may be useful # if you're trying to reduce storage usage from the database. # # See https://github.com/facebook/rocksdb/wiki/Compression for more details. # #rocksdb_bottommost_compression = false # Database recovery mode (for RocksDB WAL corruption) # # Use this option when the server reports corruption and refuses to start. # Set mode 2 (PointInTime) to cleanly recover from this corruption. The # server will continue from the last good state, several seconds or # minutes prior to the crash. Clients may have to run "clear-cache & # reload" to account for the rollback. Upon success, you may reset the # mode back to default and restart again. Please note in some cases the # corruption error may not be cleared for at least 30 minutes of # operation in PointInTime mode. # # As a very last ditch effort, if PointInTime does not fix or resolve # anything, you can try mode 3 (SkipAnyCorruptedRecord) but this will # leave the server in a potentially inconsistent state. # # The default mode 1 (TolerateCorruptedTailRecords) will automatically # drop the last entry in the database if corrupted during shutdown, but # nothing more. It is extraordinarily unlikely this will desynchronize # clients. To disable any form of silent rollback set mode 0 # (AbsoluteConsistency). # # The options are: # 0 = AbsoluteConsistency # 1 = TolerateCorruptedTailRecords (default) # 2 = PointInTime (use me if trying to recover) # 3 = SkipAnyCorruptedRecord (you now voided your Conduwuit warranty) # # See https://github.com/facebook/rocksdb/wiki/WAL-Recovery-Modes for more information on these modes. # # See https://conduwuit.puppyirl.gay/troubleshooting.html#database-corruption for more details on recovering a corrupt database. # #rocksdb_recovery_mode = 1 # Database repair mode (for RocksDB SST corruption) # # Use this option when the server reports corruption while running or # panics. If the server refuses to start use the recovery mode options # first. Corruption errors containing the acronym 'SST' which occur after # startup will likely require this option. # # - Backing up your database directory is recommended prior to running the # repair. # - Disabling repair mode and restarting the server is recommended after # running the repair. # # See https://conduwuit.puppyirl.gay/troubleshooting.html#database-corruption for more details on recovering a corrupt database. # #rocksdb_repair = false # This item is undocumented. Please contribute documentation for it. # #rocksdb_read_only = false # This item is undocumented. Please contribute documentation for it. # #rocksdb_secondary = false # Enables idle CPU priority for compaction thread. This is not enabled by # default to prevent compaction from falling too far behind on busy # systems. # #rocksdb_compaction_prio_idle = false # Enables idle IO priority for compaction thread. This prevents any # unexpected lag in the server's operation and is usually a good idea. # Enabled by default. # #rocksdb_compaction_ioprio_idle = true # Config option to disable RocksDB compaction. You should never ever have # to disable this. If you for some reason find yourself needing to disable # this as part of troubleshooting or a bug, please reach out to us in the # conduwuit Matrix room with information and details. # # Disabling compaction will lead to a significantly bloated and # explosively large database, gradually poor performance, unnecessarily # excessive disk read/writes, and slower shutdowns and startups. # #rocksdb_compaction = true # Level of statistics collection. Some admin commands to display database # statistics may require this option to be set. Database performance may # be impacted by higher settings. # # Option is a number ranging from 0 to 6: # 0 = No statistics. # 1 = No statistics in release mode (default). # 2 to 3 = Statistics with no performance impact. # 3 to 5 = Statistics with possible performance impact. # 6 = All statistics. # #rocksdb_stats_level = 1 # This is a password that can be configured that will let you login to the # server bot account (currently `@conduit`) for emergency troubleshooting # purposes such as recovering/recreating your admin room, or inviting # yourself back. # # See https://conduwuit.puppyirl.gay/troubleshooting.html#lost-access-to-admin-room for other ways to get back into your admin room. # # Once this password is unset, all sessions will be logged out for # security purposes. # # example: "F670$2CP@Hw8mG7RY1$%!#Ic7YA" # #emergency_password = # This item is undocumented. Please contribute documentation for it. # #notification_push_path = "/_matrix/push/v1/notify" # Config option to control local (your server only) presence # updates/requests. Note that presence on conduwuit is # very fast unlike Synapse's. If using outgoing presence, this MUST be # enabled. # #allow_local_presence = true # Config option to control incoming federated presence updates/requests. # # This option receives presence updates from other # servers, but does not send any unless `allow_outgoing_presence` is true. # Note that presence on conduwuit is very fast unlike Synapse's. # #allow_incoming_presence = true # Config option to control outgoing presence updates/requests. # # This option sends presence updates to other servers, but does not # receive any unless `allow_incoming_presence` is true. # Note that presence on conduwuit is very fast unlike Synapse's. # If using outgoing presence, you MUST enable `allow_local_presence` as # well. # #allow_outgoing_presence = true # Config option to control how many seconds before presence updates that # you are idle. Defaults to 5 minutes. # #presence_idle_timeout_s = 300 # Config option to control how many seconds before presence updates that # you are offline. Defaults to 30 minutes. # #presence_offline_timeout_s = 1800 # Config option to enable the presence idle timer for remote users. # Disabling is offered as an optimization for servers participating in # many large rooms or when resources are limited. Disabling it may cause # incorrect presence states (i.e. stuck online) to be seen for some # remote users. # #presence_timeout_remote_users = true # Config option to control whether we should receive remote incoming read # receipts. # #allow_incoming_read_receipts = true # Config option to control whether we should send read receipts to remote # servers. # #allow_outgoing_read_receipts = true # Config option to control outgoing typing updates to federation. # #allow_outgoing_typing = true # Config option to control incoming typing updates from federation. # #allow_incoming_typing = true # Config option to control maximum time federation user can indicate # typing. # #typing_federation_timeout_s = 30 # Config option to control minimum time local client can indicate typing. # This does not override a client's request to stop typing. It only # enforces a minimum value in case of no stop request. # #typing_client_timeout_min_s = 15 # Config option to control maximum time local client can indicate typing. # #typing_client_timeout_max_s = 45 # Set this to true for conduwuit to compress HTTP response bodies using # zstd. This option does nothing if conduwuit was not built with # `zstd_compression` feature. Please be aware that enabling HTTP # compression may weaken TLS. Most users should not need to enable this. # See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH # before deciding to enable this. # #zstd_compression = false # Set this to true for conduwuit to compress HTTP response bodies using # gzip. This option does nothing if conduwuit was not built with # `gzip_compression` feature. Please be aware that enabling HTTP # compression may weaken TLS. Most users should not need to enable this. # See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH before # deciding to enable this. # # If you are in a large amount of rooms, you may find that enabling this # is necessary to reduce the significantly large response bodies. # #gzip_compression = false # Set this to true for conduwuit to compress HTTP response bodies using # brotli. This option does nothing if conduwuit was not built with # `brotli_compression` feature. Please be aware that enabling HTTP # compression may weaken TLS. Most users should not need to enable this. # See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH before # deciding to enable this. # #brotli_compression = false # Set to true to allow user type "guest" registrations. Some clients like # Element attempt to register guest users automatically. # #allow_guest_registration = false # Set to true to log guest registrations in the admin room. Note that # these may be noisy or unnecessary if you're a public homeserver. # #log_guest_registrations = false # Set to true to allow guest registrations/users to auto join any rooms # specified in `auto_join_rooms`. # #allow_guests_auto_join_rooms = false # Config option to control whether the legacy unauthenticated Matrix media # repository endpoints will be enabled. These endpoints consist of: # - /_matrix/media/*/config # - /_matrix/media/*/upload # - /_matrix/media/*/preview_url # - /_matrix/media/*/download/* # - /_matrix/media/*/thumbnail/* # # The authenticated equivalent endpoints are always enabled. # # Defaults to true for now, but this is highly subject to change, likely # in the next release. # #allow_legacy_media = true # This item is undocumented. Please contribute documentation for it. # #freeze_legacy_media = true # Checks consistency of the media directory at startup: # 1. When `media_compat_file_link` is enbled, this check will upgrade # media when switching back and forth between Conduit and conduwuit. # Both options must be enabled to handle this. # 2. When media is deleted from the directory, this check will also delete # its database entry. # # If none of these checks apply to your use cases, and your media # directory is significantly large setting this to false may reduce # startup time. # #media_startup_check = true # Enable backward-compatibility with Conduit's media directory by creating # symlinks of media. This option is only necessary if you plan on using # Conduit again. Otherwise setting this to false reduces filesystem # clutter and overhead for managing these symlinks in the directory. This # is now disabled by default. You may still return to upstream Conduit # but you have to run conduwuit at least once with this set to true and # allow the media_startup_check to take place before shutting # down to return to Conduit. # #media_compat_file_link = false # Prunes missing media from the database as part of the media startup # checks. This means if you delete files from the media directory the # corresponding entries will be removed from the database. This is # disabled by default because if the media directory is accidentally moved # or inaccessible, the metadata entries in the database will be lost with # sadness. # #prune_missing_media = false # Vector list of servers that conduwuit will refuse to download remote # media from. # #prevent_media_downloads_from = [] # List of forbidden server names that we will block incoming AND outgoing # federation with, and block client room joins / remote user invites. # # This check is applied on the room ID, room alias, sender server name, # sender user's server name, inbound federation X-Matrix origin, and # outbound federation handler. # # Basically "global" ACLs. # #forbidden_remote_server_names = [] # List of forbidden server names that we will block all outgoing federated # room directory requests for. Useful for preventing our users from # wandering into bad servers or spaces. # #forbidden_remote_room_directory_server_names = [] # Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you # do not want conduwuit to send outbound requests to. Defaults to # RFC1918, unroutable, loopback, multicast, and testnet addresses for # security. # # Please be aware that this is *not* a guarantee. You should be using a # firewall with zones as doing this on the application layer may have # bypasses. # # Currently this does not account for proxies in use like Synapse does. # # To disable, set this to be an empty vector (`[]`). # # "192.168.0.0/16", "100.64.0.0/10", "192.0.0.0/24", "169.254.0.0/16", # "192.88.99.0/24", "198.18.0.0/15", "192.0.2.0/24", "198.51.100.0/24", # "203.0.113.0/24", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", # "2001:db8::/32", "ff00::/8", "fec0::/10"] # #ip_range_denylist = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", # Vector list of domains allowed to send requests to for URL previews. # Defaults to none. Note: this is a *contains* match, not an explicit # match. Putting "google.com" will match "https://google.com" and # "http://mymaliciousdomainexamplegoogle.com" Setting this to "*" will # allow all URL previews. Please note that this opens up significant # attack surface to your server, you are expected to be aware of the # risks by doing so. # #url_preview_domain_contains_allowlist = [] # Vector list of explicit domains allowed to send requests to for URL # previews. Defaults to none. Note: This is an *explicit* match, not a # contains match. Putting "google.com" will match "https://google.com", # "http://google.com", but not # "https://mymaliciousdomainexamplegoogle.com". Setting this to "*" will # allow all URL previews. Please note that this opens up significant # attack surface to your server, you are expected to be aware of the # risks by doing so. # #url_preview_domain_explicit_allowlist = [] # Vector list of explicit domains not allowed to send requests to for URL # previews. Defaults to none. Note: This is an *explicit* match, not a # contains match. Putting "google.com" will match "https://google.com", # "http://google.com", but not # "https://mymaliciousdomainexamplegoogle.com". The denylist is checked # first before allowlist. Setting this to "*" will not do anything. # #url_preview_domain_explicit_denylist = [] # Vector list of URLs allowed to send requests to for URL previews. # Defaults to none. Note that this is a *contains* match, not an # explicit match. Putting "google.com" will match # "https://google.com/", # "https://google.com/url?q=https://mymaliciousdomainexample.com", and # "https://mymaliciousdomainexample.com/hi/google.com" Setting this to # "*" will allow all URL previews. Please note that this opens up # significant attack surface to your server, you are expected to be # aware of the risks by doing so. # #url_preview_url_contains_allowlist = [] # Maximum amount of bytes allowed in a URL preview body size when # spidering. Defaults to 384KB in bytes. # #url_preview_max_spider_size = 384000 # Option to decide whether you would like to run the domain allowlist # checks (contains and explicit) on the root domain or not. Does not apply # to URL contains allowlist. Defaults to false. # # Example usecase: If this is # enabled and you have "wikipedia.org" allowed in the explicit and/or # contains domain allowlist, it will allow all subdomains under # "wikipedia.org" such as "en.m.wikipedia.org" as the root domain is # checked and matched. Useful if the domain contains allowlist is still # too broad for you but you still want to allow all the subdomains under a # root domain. # #url_preview_check_root_domain = false # List of forbidden room aliases and room IDs as strings of regex # patterns. # # Regex can be used or explicit contains matches can be done by # just specifying the words (see example). # # This is checked upon room alias creation, custom room ID creation if # used, and startup as warnings if any room aliases in your database have # a forbidden room alias/ID. # # example: ["19dollarfortnitecards", "b[4a]droom"] # #forbidden_alias_names = [] # List of forbidden username patterns/strings. # # Regex can be used or explicit contains matches can be done by just # specifying the words (see example). # # This is checked upon username availability check, registration, and # startup as warnings if any local users in your database have a forbidden # username. # # example: ["administrator", "b[a4]dusernam[3e]"] # #forbidden_usernames = [] # Retry failed and incomplete messages to remote servers immediately upon # startup. This is called bursting. If this is disabled, said messages # may not be delivered until more messages are queued for that server. Do # not change this option unless server resources are extremely limited or # the scale of the server's deployment is huge. Do not disable this # unless you know what you are doing. # #startup_netburst = true # messages are dropped and not reattempted. The `startup_netburst` option # must be enabled for this value to have any effect. Do not change this # value unless you know what you are doing. Set this value to -1 to # reattempt every message without trimming the queues; this may consume # significant disk. Set this value to 0 to drop all messages without any # attempt at redelivery. # #startup_netburst_keep = 50 # controls whether non-admin local users are forbidden from sending room # invites (local and remote), and if non-admin users can receive remote # room invites. admins are always allowed to send and receive all room # invites. # #block_non_admin_invites = false # Allows admins to enter commands in rooms other than "#admins" (admin # room) by prefixing your message with "\!admin" or "\\!admin" followed # up a normal conduwuit admin command. The reply will be publicly visible # to the room, originating from the sender. # # example: \\!admin debug ping puppygock.gay # #admin_escape_commands = true # Controls whether the conduwuit admin room console / CLI will immediately # activate on startup. This option can also be enabled with `--console` # conduwuit argument. # #admin_console_automatic = false # Controls what admin commands will be executed on startup. This is a # vector list of strings of admin commands to run. # # # This option can also be configured with the `--execute` conduwuit # argument and can take standard shell commands and environment variables # # Such example could be: `./conduwuit --execute "server admin-notice # conduwuit has started up at $(date)"` # # example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]` # #admin_execute = [] # Controls whether conduwuit should error and fail to start if an admin # execute command (`--execute` / `admin_execute`) fails. # #admin_execute_errors_ignore = false # Controls the max log level for admin command log captures (logs # generated from running admin commands). Defaults to "info" on release # builds, else "debug" on debug builds. # #admin_log_capture = "info" # The default room tag to apply on the admin room. # # On some clients like Element, the room tag "m.server_notice" is a # special pinned room at the very bottom of your room list. The conduwuit # admin room can be pinned here so you always have an easy-to-access # shortcut dedicated to your admin room. # #admin_room_tag = "m.server_notice" # Sentry.io crash/panic reporting, performance monitoring/metrics, etc. # This is NOT enabled by default. conduwuit's default Sentry reporting # endpoint is o4506996327251968.ingest.us.sentry.io # #sentry = false # Sentry reporting URL if a custom one is desired # #sentry_endpoint = "https://fe2eb4536aa04949e28eff3128d64757@o4506996327251968.ingest.us.sentry.io/4506996334657536" # Report your conduwuit server_name in Sentry.io crash reports and metrics # #sentry_send_server_name = false # Performance monitoring/tracing sample rate for Sentry.io # # Note that too high values may impact performance, and can be disabled by # setting it to 0.0 (0%) This value is read as a percentage to Sentry, # represented as a decimal. Defaults to 15% of traces (0.15) # #sentry_traces_sample_rate = 0.15 # Whether to attach a stacktrace to Sentry reports. # #sentry_attach_stacktrace = false # Send panics to sentry. This is true by default, but sentry has to be # enabled. The global "sentry" config option must be enabled to send any # data. # #sentry_send_panic = true # Send errors to sentry. This is true by default, but sentry has to be # enabled. This option is only effective in release-mode; forced to false # in debug-mode. # #sentry_send_error = true # Controls the tracing log level for Sentry to send things like # breadcrumbs and transactions # #sentry_filter = "info" # Enable the tokio-console. This option is only relevant to developers. # See https://conduwuit.puppyirl.gay/development.html#debugging-with-tokio-console for more information. # #tokio_console = false # This item is undocumented. Please contribute documentation for it. # #test = false # Controls whether admin room notices like account registrations, password # changes, account deactivations, room directory publications, etc will # be sent to the admin room. Update notices and normal admin command # responses will still be sent. # #admin_room_notices = true [global.tls] # Path to a valid TLS certificate file. # # example: "/path/to/my/certificate.crt" # #certs = # Path to a valid TLS certificate private key. # # example: "/path/to/my/certificate.key" # #key = # Whether to listen and allow for HTTP and HTTPS connections (insecure!) # #dual_protocol = false [global.well_known] # The server URL that the client well-known file will serve. This should # not contain a port, and should just be a valid HTTPS URL. # # example: "https://matrix.example.com" # #client = # The server base domain of the URL with a specific port that the server # well-known file will serve. This should contain a port at the end, and # should not be a URL. # # example: "matrix.example.com:443" # #server = # This item is undocumented. Please contribute documentation for it. # #support_page = # This item is undocumented. Please contribute documentation for it. # #support_role = # This item is undocumented. Please contribute documentation for it. # #support_email = # This item is undocumented. Please contribute documentation for it. # #support_mxid =