mirror of
https://github.com/girlbossceo/conduwuit.git
synced 2024-12-04 20:08:10 +00:00
1c751168c6
Signed-off-by: Jason Volk <jason@zemos.net>
### conduwuit Configuration
|
|
###
|
|
### THIS FILE IS GENERATED. CHANGES/CONTRIBUTIONS IN THE REPO WILL
|
|
### BE OVERWRITTEN!
|
|
###
|
|
### You should rename this file before configuring your server. Changes
|
|
### to documentation and defaults can be contributed in source code at
|
|
### src/core/config/mod.rs. This file is generated when building.
|
|
###
|
|
### Any values pre-populated are the default values for said config option.
|
|
###
|
|
### At the minimum, you MUST edit all the config options to your environment
|
|
### that say "YOU NEED TO EDIT THIS".
|
|
### See https://conduwuit.puppyirl.gay/configuration.html for ways to
|
|
### configure conduwuit
|
|
|
|
[global]
|
|
|
|
# The server_name is the pretty name of this server. It is used as a
|
|
# suffix for user and room IDs/aliases.
|
|
#
|
|
# See the docs for reverse proxying and delegation: https://conduwuit.puppyirl.gay/deploying/generic.html#setting-up-the-reverse-proxy
|
|
# Also see the `[global.well_known]` config section at the very bottom.
|
|
#
|
|
# Examples of delegation:
|
|
# - https://puppygock.gay/.well-known/matrix/server
|
|
# - https://puppygock.gay/.well-known/matrix/client
|
|
#
|
|
# YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE
|
|
# WIPE.
|
|
#
|
|
# example: "conduwuit.woof"
|
|
#
|
|
#server_name =
|
|
|
|
# default address (IPv4 or IPv6) conduwuit will listen on.
|
|
#
|
|
# If you are using Docker or a container NAT networking setup, this must
|
|
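# be "0.0.0.0". Note that "0.0.0.0" listens on all IPv4 interfaces; outside
# of such setups keep the loopback default and expose conduwuit through
# your reverse proxy.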
|
|
#
|
|
# To listen on multiple addresses, specify a vector e.g. ["127.0.0.1",
|
|
# "::1"]
|
|
#
|
|
#address = ["127.0.0.1", "::1"]
|
|
|
|
# The port(s) conduwuit will be running on.
|
|
#
|
|
# See https://conduwuit.puppyirl.gay/deploying/generic.html#setting-up-the-reverse-proxy for reverse proxying.
|
|
#
|
|
# Docker users: Don't change this, you'll need to map an external port to
|
|
# this.
|
|
#
|
|
# To listen on multiple ports, specify a vector e.g. [8080, 8448]
|
|
#
|
|
#port = 8008
|
|
|
|
# Uncomment unix_socket_path to listen on a UNIX socket at the specified
|
|
# path. If listening on a UNIX socket, you MUST remove/comment the
|
|
# 'address' key if defined, AND add your reverse proxy to the 'conduwuit'
|
|
# group, unless world RW permissions are specified with unix_socket_perms
|
|
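# (666 minimum). Prefer the group approach: a world-writable socket can be
# connected to by any local account that can reach its path.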
|
|
#
|
|
# example: "/run/conduwuit/conduwuit.sock"
|
|
#
|
|
#unix_socket_path =
|
|
|
|
# The default permissions (in octal) to create the UNIX socket with.
|
|
#
|
|
#unix_socket_perms = 660
|
|
|
|
# This is the only directory where conduwuit will save its data, including
|
|
# media.
|
|
# Note: this was previously "/var/lib/matrix-conduit"
|
|
#
|
|
# YOU NEED TO EDIT THIS.
|
|
#
|
|
# example: "/var/lib/conduwuit"
|
|
#
|
|
#database_path =
|
|
|
|
# conduwuit supports online database backups using RocksDB's Backup engine
|
|
# API. To use this, set a database backup path that conduwuit can write
|
|
# to.
|
|
#
|
|
# See https://conduwuit.puppyirl.gay/maintenance.html#backups for more information.
|
|
#
|
|
# example: "/opt/conduwuit-db-backups"
|
|
#
|
|
#database_backup_path =
|
|
|
|
# The amount of online RocksDB database backups to keep/retain, if using
|
|
# "database_backup_path", before deleting the oldest one.
|
|
#
|
|
#database_backups_to_keep = 1
|
|
|
|
# Set this to any float value in megabytes for conduwuit to tell the
|
|
# database engine that this much memory is available for database-related
|
|
# caches.
|
|
#
|
|
# May be useful if you have significant memory to spare to increase
|
|
# performance.
|
|
#
|
|
# Similar to the individual LRU caches, this is scaled up with your CPU
|
|
# core count.
|
|
#
|
|
# This defaults to 128.0 + (64.0 * CPU core count)
|
|
#
|
|
#db_cache_capacity_mb =
|
|
|
|
# Option to control adding arbitrary text to the end of the user's
|
|
# displayname upon registration with a space before the text. This was the
|
|
# lightning bolt emoji option, just replaced with support for adding your
|
|
# own custom text or emojis. To disable, set this to "" (an empty string).
|
|
#
|
|
# The default is the trans pride flag.
|
|
#
|
|
# example: "🏳️⚧️"
|
|
#
|
|
#new_user_displayname_suffix = "🏳️⚧️"
|
|
|
|
# If enabled, conduwuit will send a simple GET request periodically to
|
|
# `https://pupbrain.dev/check-for-updates/stable` for any new
|
|
# announcements made. Despite the name, this is not an update check
|
|
# endpoint, it is simply an announcement check endpoint.
|
|
#
|
|
# This is disabled by default as this is rarely used except for security
|
|
# updates or major updates.
|
|
#
|
|
#allow_check_for_updates = false
|
|
|
|
# Set this to any float value to multiply conduwuit's in-memory LRU caches
|
|
# with such as "auth_chain_cache_capacity".
|
|
#
|
|
# May be useful if you have significant memory to spare to increase
|
|
# performance. This was previously called
|
|
# `conduit_cache_capacity_modifier`.
|
|
#
|
|
# If you have low memory, reducing this may be viable.
|
|
#
|
|
# By default, the individual caches such as "auth_chain_cache_capacity"
|
|
# are scaled by your CPU core count.
|
|
#
|
|
#cache_capacity_modifier = 1.0
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#pdu_cache_capacity = varies by system
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#auth_chain_cache_capacity = varies by system
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#shorteventid_cache_capacity = varies by system
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#eventidshort_cache_capacity = varies by system
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#eventid_pdu_cache_capacity = varies by system
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#shortstatekey_cache_capacity = varies by system
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#statekeyshort_cache_capacity = varies by system
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#server_visibility_cache_capacity = varies by system
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#user_visibility_cache_capacity = varies by system
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#stateinfo_cache_capacity = varies by system
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#roomid_spacehierarchy_cache_capacity = varies by system
|
|
|
|
# Maximum entries stored in DNS memory-cache. The size of an entry may
|
|
# vary so please take care if raising this value excessively. Only
|
|
# decrease this when using an external DNS cache. Please note
|
|
# that systemd-resolved does *not* count as an external cache, even when
|
|
# configured to do so.
|
|
#
|
|
#dns_cache_entries = 32768
|
|
|
|
# Minimum time-to-live in seconds for entries in the DNS cache. The
|
|
# default may appear high to most administrators; this is by design as the
|
|
# majority of NXDOMAINs are correct for a long time (e.g. the server is no
|
|
# longer running Matrix). Only decrease this if you are using an external
|
|
# DNS cache.
|
|
#
|
|
# default_dns_min_ttl: 259200
|
|
#
|
|
#dns_min_ttl =
|
|
|
|
# Minimum time-to-live in seconds for NXDOMAIN entries in the DNS cache.
|
|
# This value is critical for the server to federate efficiently.
|
|
# NXDOMAINs are assumed to not be returning to the federation
|
|
# and aggressively cached rather than constantly rechecked.
|
|
#
|
|
# Defaults to 3 days as these are *very rarely* false negatives.
|
|
#
|
|
#dns_min_ttl_nxdomain = 259200
|
|
|
|
# Number of retries after a timeout.
|
|
#
|
|
#dns_attempts = 10
|
|
|
|
# The number of seconds to wait for a reply to a DNS query. Please note
|
|
# that recursive queries can take up to several seconds for some domains,
|
|
# so this value should not be too low, especially on slower hardware or
|
|
# resolvers.
|
|
#
|
|
#dns_timeout = 10
|
|
|
|
# Fallback to TCP on DNS errors. Set this to false if unsupported by
|
|
# nameserver.
|
|
#
|
|
#dns_tcp_fallback = true
|
|
|
|
# Enable to query all nameservers until the domain is found. Referred to
|
|
# as "trust_negative_responses" in hickory_resolver. This can avoid
|
|
# useless DNS queries if the first nameserver responds with NXDOMAIN or
|
|
# an empty NOERROR response.
|
|
#
|
|
#query_all_nameservers = true
|
|
|
|
# Enables using *only* TCP for querying your specified nameservers instead
|
|
# of UDP.
|
|
#
|
|
# If you are running conduwuit in a container environment, this config option may need to be enabled. See https://conduwuit.puppyirl.gay/troubleshooting.html#potential-dns-issues-when-using-docker for more details.
|
|
#
|
|
#query_over_tcp_only = false
|
|
|
|
# DNS A/AAAA record lookup strategy
|
|
#
|
|
# Takes a number of one of the following options:
|
|
# 1 - Ipv4Only (Only query for A records, no AAAA/IPv6)
|
|
#
|
|
# 2 - Ipv6Only (Only query for AAAA records, no A/IPv4)
|
|
#
|
|
# 3 - Ipv4AndIpv6 (Query for A and AAAA records in parallel, uses whatever
|
|
# returns a successful response first)
|
|
#
|
|
# 4 - Ipv6thenIpv4 (Query for AAAA record, if that fails then query the A
|
|
# record)
|
|
#
|
|
# 5 - Ipv4thenIpv6 (Query for A record, if that fails then query the AAAA
|
|
# record)
|
|
#
|
|
# If you don't have IPv6 networking, then for better DNS performance it
|
|
# may be suitable to set this to Ipv4Only (1) as you will never ever use
|
|
# the AAAA record contents even if the AAAA record is successful instead
|
|
# of the A record.
|
|
#
|
|
#ip_lookup_strategy = 5
|
|
|
|
# Max request size for file uploads in bytes. Defaults to 20MB.
|
|
#
|
|
#max_request_size = 20971520
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#max_fetch_prev_events = 192
|
|
|
|
# Default/base connection timeout (seconds). This is used only by URL
|
|
# previews and update/news endpoint checks.
|
|
#
|
|
#request_conn_timeout = 10
|
|
|
|
# Default/base request timeout (seconds). The time waiting to receive more
|
|
# data from another server. This is used only by URL previews,
|
|
# update/news, and misc endpoint checks.
|
|
#
|
|
#request_timeout = 35
|
|
|
|
# Default/base request total timeout (seconds). The time limit for a whole
|
|
# request. This is set very high to not cancel healthy requests while
|
|
# serving as a backstop. This is used only by URL previews and
|
|
# update/news endpoint checks.
|
|
#
|
|
#request_total_timeout = 320
|
|
|
|
# Default/base idle connection pool timeout (seconds). This is used only
|
|
# by URL previews and update/news endpoint checks.
|
|
#
|
|
#request_idle_timeout = 5
|
|
|
|
# Default/base max idle connections per host. This is used only by URL
|
|
# previews and update/news endpoint checks. Defaults to 1 as generally the
|
|
# same open connection can be re-used.
|
|
#
|
|
#request_idle_per_host = 1
|
|
|
|
# Federation well-known resolution connection timeout (seconds)
|
|
#
|
|
#well_known_conn_timeout = 6
|
|
|
|
# Federation HTTP well-known resolution request timeout (seconds)
|
|
#
|
|
#well_known_timeout = 10
|
|
|
|
# Federation client request timeout (seconds). You most definitely want
|
|
# this to be high to account for extremely large room joins, slow
|
|
# homeservers, your own resources etc.
|
|
#
|
|
#federation_timeout = 300
|
|
|
|
# Federation client idle connection pool timeout (seconds)
|
|
#
|
|
#federation_idle_timeout = 25
|
|
|
|
# Federation client max idle connections per host. Defaults to 1 as
|
|
# generally the same open connection can be re-used
|
|
#
|
|
#federation_idle_per_host = 1
|
|
|
|
# Federation sender request timeout (seconds). The time it takes for the
|
|
# remote server to process sent transactions can take a while.
|
|
#
|
|
#sender_timeout = 180
|
|
|
|
# Federation sender idle connection pool timeout (seconds)
|
|
#
|
|
#sender_idle_timeout = 180
|
|
|
|
# Federation sender transaction retry backoff limit (seconds)
|
|
#
|
|
#sender_retry_backoff_limit = 86400
|
|
|
|
# Appservice URL request connection timeout. Defaults to 35 seconds as
|
|
# generally appservices are hosted within the same network.
|
|
#
|
|
#appservice_timeout = 35
|
|
|
|
# Appservice URL idle connection pool timeout (seconds)
|
|
#
|
|
#appservice_idle_timeout = 300
|
|
|
|
# Notification gateway pusher idle connection pool timeout
|
|
#
|
|
#pusher_idle_timeout = 15
|
|
|
|
# Enables registration. If set to false, no users can register on this
|
|
# server.
|
|
#
|
|
# If set to true without a token configured, users can register with no
|
|
# form of second step (such as a token), but only if you also set
|
|
# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to
|
|
# true in your config.
|
|
#
|
|
# If you would like registration only via token reg, please configure
|
|
# `registration_token` or `registration_token_file`.
|
|
#
|
|
#allow_registration = false
|
|
|
|
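# Explicit confirmation for open registration: as described for
# `allow_registration`, registration without a token only works when this
# is also set to true. Leave it false unless that is what you intend.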
|
|
#
|
|
#yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = false
|
|
|
|
# A static registration token that new users will have to provide when
|
|
# creating an account. If unset and `allow_registration` is true,
|
|
# registration is open without any condition.
|
|
#
|
|
# YOU NEED TO EDIT THIS OR USE registration_token_file. Generate your own
# random value; the example below is public and must not be reused.
|
|
#
|
|
# example: "o&^uCtes4HPf0Vu@F20jQeeWE7"
|
|
#
|
|
#registration_token =
|
|
|
|
# Path to a file on the system that gets read for the registration token.
|
|
# this config option takes precedence/priority over "registration_token".
|
|
#
|
|
# conduwuit must be able to access the file, and it must not be empty.
# Restrict read access to the account conduwuit runs as, since the file
# holds a credential.
|
|
#
|
|
# example: "/etc/conduwuit/.reg_token"
|
|
#
|
|
#registration_token_file =
|
|
|
|
# Controls whether encrypted rooms and events are allowed.
|
|
#
|
|
#allow_encryption = true
|
|
|
|
# Controls whether federation is allowed or not. It is not recommended to
|
|
# disable this after the fact due to potential federation breakage.
|
|
#
|
|
#allow_federation = true
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#federation_loopback = false
|
|
|
|
# Set this to true to require authentication on the normally
|
|
# unauthenticated profile retrieval endpoints (GET)
|
|
# "/_matrix/client/v3/profile/{userId}".
|
|
#
|
|
# This can prevent profile scraping.
|
|
#
|
|
#require_auth_for_profile_requests = false
|
|
|
|
# Set this to true to allow your server's public room directory to be
|
|
# federated. Set this to false to protect against /publicRooms spiders,
|
|
# but will forbid external users from viewing your server's public room
|
|
# directory. If federation is disabled entirely (`allow_federation`),
|
|
# this is inherently false.
|
|
#
|
|
#allow_public_room_directory_over_federation = false
|
|
|
|
# Set this to true to allow your server's public room directory to be
|
|
# queried without client authentication (access token) through the Client
|
|
# APIs. Set this to false to protect against /publicRooms spiders.
|
|
#
|
|
#allow_public_room_directory_without_auth = false
|
|
|
|
# allow guests/unauthenticated users to access TURN credentials
|
|
#
|
|
# this is the equivalent of Synapse's `turn_allow_guests` config option.
|
|
# this allows any unauthenticated user to call the endpoint
|
|
# `/_matrix/client/v3/voip/turnServer`.
|
|
#
|
|
# It is unlikely you need to enable this as all major clients support
|
|
# authentication for this endpoint, and requiring it prevents misuse of your TURN server
|
|
# from potential bots.
|
|
#
|
|
#turn_allow_guests = false
|
|
|
|
# Set this to true to lock down your server's public room directory and
|
|
# only allow admins to publish rooms to the room directory. Unpublishing
|
|
# is still allowed by all users with this enabled.
|
|
#
|
|
#lockdown_public_room_directory = false
|
|
|
|
# Set this to true to allow federating device display names / allow
|
|
# external users to see your device display name. If federation is
|
|
# disabled entirely (`allow_federation`), this is inherently false. For
|
|
# privacy reasons, this is best left disabled.
|
|
#
|
|
#allow_device_name_federation = false
|
|
|
|
# Config option to allow or disallow incoming federation requests that
|
|
# obtain the profiles of our local users from
|
|
# `/_matrix/federation/v1/query/profile`
|
|
#
|
|
# Increases privacy of your local users' data such as display names, but some
|
|
# remote users may get a false "this user does not exist" error when they
|
|
# try to invite you to a DM or room. Also can protect against profile
|
|
# spiders.
|
|
#
|
|
# This is inherently false if `allow_federation` is disabled
|
|
#
|
|
#allow_inbound_profile_lookup_federation_requests = true
|
|
|
|
# controls whether standard users are allowed to create rooms. appservices
|
|
# and admins are always allowed to create rooms
|
|
#
|
|
#allow_room_creation = true
|
|
|
|
# Set to false to disable users from joining or creating room versions
|
|
# that aren't 100% officially supported by conduwuit.
|
|
#
|
|
# conduwuit officially supports room versions 6 - 11.
|
|
#
|
|
# conduwuit has slightly experimental (though works fine in practice)
|
|
# support for versions 3 - 5
|
|
#
|
|
#allow_unstable_room_versions = true
|
|
|
|
# default room version conduwuit will create rooms with.
|
|
#
|
|
# per spec, room version 10 is the default.
|
|
#
|
|
#default_room_version = 10
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#allow_jaeger = false
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#jaeger_filter = "info"
|
|
|
|
# If the 'perf_measurements' compile-time feature is enabled, enables
|
|
# collecting folded stack trace profile of tracing spans using
|
|
# tracing_flame. The resulting profile can be visualized with inferno[1],
|
|
# speedscope[2], or a number of other tools.
|
|
#
|
|
# [1]: https://github.com/jonhoo/inferno
|
|
# [2]: www.speedscope.app
|
|
#
|
|
#tracing_flame = false
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#tracing_flame_filter = "info"
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#tracing_flame_output_path = "./tracing.folded"
|
|
|
|
# Examples:
|
|
# - No proxy (default):
|
|
# proxy ="none"
|
|
#
|
|
# - For global proxy, create the section at the bottom of this file:
|
|
# [global.proxy]
|
|
# global = { url = "socks5h://localhost:9050" }
|
|
#
|
|
# - To proxy some domains:
|
|
# [global.proxy]
|
|
# [[global.proxy.by_domain]]
|
|
# url = "socks5h://localhost:9050"
|
|
# include = ["*.onion", "matrix.myspecial.onion"]
|
|
# exclude = ["*.myspecial.onion"]
|
|
#
|
|
# Include vs. Exclude:
|
|
# - If include is an empty list, it is assumed to be `["*"]`.
|
|
# - If a domain matches both the exclude and include list, the proxy will
|
|
# only be used if it was included because of a more specific rule than
|
|
# it was excluded. In the above example, the proxy would be used for
|
|
# `ordinary.onion`, `matrix.myspecial.onion`, but not
|
|
# `hello.myspecial.onion`.
|
|
#
|
|
#proxy = "none"
|
|
|
|
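# This item is undocumented. Please contribute documentation for it.
# Judging by the name, the value is a secret: if you set it, keep this
# file readable only by the account conduwuit runs as.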
|
|
#
|
|
#jwt_secret =
|
|
|
|
# Servers listed here will be used to gather public keys of other servers
|
|
# (notary trusted key servers).
|
|
#
|
|
# Currently, conduwuit doesn't support inbound batched key requests, so
|
|
# this list should only contain Synapse servers.
|
|
#
|
|
# example: ["matrix.org", "constellatory.net", "tchncs.de"]
|
|
#
|
|
#trusted_servers = ["matrix.org"]
|
|
|
|
# Whether to query the servers listed in trusted_servers first or query
|
|
# the origin server first. For best security, querying the origin server
|
|
# first is advised to minimize the exposure to a compromised trusted
|
|
# server. For maximum federation/join performance this can be set to true,
|
|
# however other options exist to query trusted servers first under
|
|
# specific high-load circumstances and should be evaluated before setting
|
|
# this to true.
|
|
#
|
|
#query_trusted_key_servers_first = false
|
|
|
|
# Whether to query the servers listed in trusted_servers first
|
|
# specifically on room joins. This option limits the exposure to a
|
|
# compromised trusted server to room joins only. The join operation
|
|
# requires gathering keys from many origin servers which can cause
|
|
# significant delays. Therefore this defaults to true to mitigate
|
|
# unexpected delays out-of-the-box. The security-paranoid or those
|
|
# willing to tolerate delays are advised to set this to false. Note that
|
|
# setting query_trusted_key_servers_first to true causes this option to
|
|
# be ignored.
|
|
#
|
|
#query_trusted_key_servers_first_on_join = true
|
|
|
|
# Only query trusted servers for keys and never the origin server. This is
|
|
# intended for clusters or custom deployments using their trusted_servers
|
|
# as forwarding-agents to cache and deduplicate requests. Notary servers
|
|
# do not act as forwarding-agents by default, therefore do not enable this
|
|
# unless you know exactly what you are doing.
|
|
#
|
|
#only_query_trusted_key_servers = false
|
|
|
|
# Maximum number of keys to request in each trusted server batch query.
|
|
#
|
|
#trusted_server_batch_size = 1024
|
|
|
|
# max log level for conduwuit. allows debug, info, warn, or error
|
|
# see also: https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives
|
|
#
|
|
# **Caveat**:
|
|
# For release builds, the tracing crate is configured to only implement
|
|
# levels higher than error to avoid unnecessary overhead in the compiled
|
|
# binary from trace macros. For debug builds, this restriction is not
|
|
# applied.
|
|
#
|
|
#log = "info"
|
|
|
|
# controls whether logs will be outputted with ANSI colours
|
|
#
|
|
#log_colors = true
|
|
|
|
# configures the span events which will be outputted with the log
|
|
#
|
|
#log_span_events = "none"
|
|
|
|
# OpenID token expiration/TTL in seconds
|
|
#
|
|
# These are the OpenID tokens that are primarily used for Matrix account
|
|
# integrations (e.g. Vector Integrations in Element), *not* OIDC/OpenID
|
|
# Connect/etc
|
|
#
|
|
#openid_token_ttl = 3600
|
|
|
|
# static TURN username to provide the client if not using a shared secret
|
|
# ("turn_secret"). It is recommended to use a shared secret over static
|
|
# credentials.
|
|
#
|
|
#turn_username = false
|
|
|
|
# static TURN password to provide the client if not using a shared secret
|
|
# ("turn_secret"). It is recommended to use a shared secret over static
|
|
# credentials.
|
|
#
|
|
#turn_password = false
|
|
|
|
# vector list of TURN URIs/servers to use
|
|
#
|
|
# replace "example.turn.uri" with your TURN domain, such as the coturn
|
|
# "realm" config option. if using TURN over TLS, replace the URI prefix
|
|
# "turn:" with "turns:"
|
|
#
|
|
# example: ["turn:example.turn.uri?transport=udp",
|
|
# "turn:example.turn.uri?transport=tcp"]
|
|
#
|
|
#turn_uris = []
|
|
|
|
# TURN secret to use for generating the HMAC-SHA1 hash as part of username
|
|
# and password generation
|
|
#
|
|
# this is more secure, but if needed you can use traditional
|
|
# static username/password credentials.
|
|
#
|
|
#turn_secret = false
|
|
|
|
# TURN secret to use that's read from the file path specified
|
|
#
|
|
# this takes priority over "turn_secret" first, and falls back to
|
|
# "turn_secret" if invalid or failed to open.
|
|
#
|
|
# example: "/etc/conduwuit/.turn_secret"
|
|
#
|
|
#turn_secret_file =
|
|
|
|
# TURN TTL in seconds
|
|
#
|
|
#turn_ttl = 86400
|
|
|
|
# List/vector of room IDs or room aliases that conduwuit will make newly
|
|
# registered users join. The rooms specified must be rooms that you
|
|
# have joined at least once on the server, and must be public.
|
|
#
|
|
# example: ["#conduwuit:puppygock.gay",
|
|
# "!eoIzvAvVwY23LPDay8:puppygock.gay"]
|
|
#
|
|
#auto_join_rooms = []
|
|
|
|
# Config option to automatically deactivate the account of any user who
|
|
# attempts to join a:
|
|
# - banned room
|
|
# - forbidden room alias
|
|
# - room alias or ID with a forbidden server name
|
|
#
|
|
# This may be useful if all your banned lists consist of toxic rooms or
|
|
# servers that no good faith user would ever attempt to join, and
|
|
# to automatically remediate the problem without any admin user
|
|
# intervention.
|
|
#
|
|
# This will also make the user leave all rooms. Federation (e.g. remote
|
|
# room invites) are ignored here.
|
|
#
|
|
# Defaults to false as rooms can be banned for non-moderation-related
|
|
# reasons
|
|
#
|
|
#auto_deactivate_banned_room_attempts = false
|
|
|
|
# RocksDB log level. This is not the same as conduwuit's log level. This
|
|
# is the log level for the RocksDB engine/library which show up in your
|
|
# database folder/path as `LOG` files. conduwuit will log RocksDB errors
|
|
# as normal through tracing.
|
|
#
|
|
#rocksdb_log_level = "error"
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#rocksdb_log_stderr = false
|
|
|
|
# Max RocksDB `LOG` file size before rotating in bytes. Defaults to 4MB in
|
|
# bytes.
|
|
#
|
|
#rocksdb_max_log_file_size = 4194304
|
|
|
|
# Time in seconds before RocksDB will forcibly rotate logs.
|
|
#
|
|
#rocksdb_log_time_to_roll = 0
|
|
|
|
# Set this to true to use RocksDB config options that are tailored to HDDs
|
|
# (slower device storage)
|
|
#
|
|
# It is worth noting that by default, conduwuit will use RocksDB with
|
|
# Direct IO enabled. *Generally* speaking this improves performance as it
|
|
# bypasses buffered I/O (system page cache). However there is a potential
|
|
# chance that Direct IO may cause issues with database operations if your
|
|
# setup is uncommon. This has been observed with FUSE filesystems, and
|
|
# possibly ZFS filesystem. RocksDB generally deals/corrects these issues
|
|
# but it cannot account for all setups. If you experience any weird
|
|
# RocksDB issues, try enabling this option as it turns off Direct IO and
|
|
# feel free to report in the conduwuit Matrix room if this option fixes
|
|
# your DB issues.
|
|
#
|
|
# See https://github.com/facebook/rocksdb/wiki/Direct-IO for more information.
|
|
#
|
|
#rocksdb_optimize_for_spinning_disks = false
|
|
|
|
# Enables direct-io to increase database performance via unbuffered I/O.
|
|
#
|
|
# See https://github.com/facebook/rocksdb/wiki/Direct-IO for more details about Direct IO and RocksDB.
|
|
#
|
|
# Set this option to false if the database resides on a filesystem which
|
|
# does not support direct-io like FUSE, or any form of complex filesystem
|
|
# setup such as possibly ZFS.
|
|
#
|
|
#rocksdb_direct_io = true
|
|
|
|
# Amount of threads that RocksDB will use for parallelism on database
|
|
# operations such as cleanup, sync, flush, compaction, etc. Set to 0 to use
|
|
# all your logical threads. Defaults to your CPU logical thread count.
|
|
#
|
|
#rocksdb_parallelism_threads = 0
|
|
|
|
# Maximum number of LOG files RocksDB will keep. This must *not* be set to
|
|
# 0. It must be at least 1. Defaults to 3 as these are not very useful
|
|
# unless troubleshooting/debugging a RocksDB bug.
|
|
#
|
|
#rocksdb_max_log_files = 3
|
|
|
|
# Type of RocksDB database compression to use.
|
|
#
|
|
# Available options are "zstd", "zlib", "bz2", "lz4", or "none"
|
|
#
|
|
# It is best to use ZSTD as an overall good balance between
|
|
# speed/performance, storage, IO amplification, and CPU usage.
|
|
# For more performance but less compression (more storage used) and less
|
|
# CPU usage, use LZ4. See https://github.com/facebook/rocksdb/wiki/Compression for more details.
|
|
#
|
|
# "none" will disable compression.
|
|
#
|
|
#rocksdb_compression_algo = "zstd"
|
|
|
|
# Level of compression for the specified compression algorithm for RocksDB to
|
|
# use.
|
|
#
|
|
# Default is 32767, which is internally read by RocksDB as the
|
|
# default magic number and translated to the library's default
|
|
# compression level as they all differ.
|
|
# See their `kDefaultCompressionLevel`.
|
|
#
|
|
#rocksdb_compression_level = 32767
|
|
|
|
# Level of compression for the specified compression algorithm for the
|
|
# bottommost level/data for RocksDB to use. Default is 32767, which is
|
|
# internally read by RocksDB as the default magic number and translated
|
|
# to the library's default compression level as they all differ.
|
|
# See their `kDefaultCompressionLevel`.
|
|
#
|
|
# Since this is the bottommost level (generally old and least used data),
|
|
# it may be desirable to have a very high compression level here as it's
|
|
# less likely for this data to be used. Research your chosen compression
|
|
# algorithm.
|
|
#
|
|
#rocksdb_bottommost_compression_level = 32767
|
|
|
|
# Whether to enable RocksDB's "bottommost_compression".
|
|
#
|
|
# At the expense of more CPU usage, this will further compress the
|
|
# database to reduce more storage. It is recommended to use ZSTD
|
|
# compression with this for best compression results. This may be useful
|
|
# if you're trying to reduce storage usage from the database.
|
|
#
|
|
# See https://github.com/facebook/rocksdb/wiki/Compression for more details.
|
|
#
|
|
#rocksdb_bottommost_compression = false
|
|
|
|
# Database recovery mode (for RocksDB WAL corruption)
|
|
#
|
|
# Use this option when the server reports corruption and refuses to start.
|
|
# Set mode 2 (PointInTime) to cleanly recover from this corruption. The
|
|
# server will continue from the last good state, several seconds or
|
|
# minutes prior to the crash. Clients may have to run "clear-cache &
|
|
# reload" to account for the rollback. Upon success, you may reset the
|
|
# mode back to default and restart again. Please note in some cases the
|
|
# corruption error may not be cleared for at least 30 minutes of
|
|
# operation in PointInTime mode.
|
|
#
|
|
# As a very last ditch effort, if PointInTime does not fix or resolve
|
|
# anything, you can try mode 3 (SkipAnyCorruptedRecord) but this will
|
|
# leave the server in a potentially inconsistent state.
|
|
#
|
|
# The default mode 1 (TolerateCorruptedTailRecords) will automatically
|
|
# drop the last entry in the database if corrupted during shutdown, but
|
|
# nothing more. It is extraordinarily unlikely this will desynchronize
|
|
# clients. To disable any form of silent rollback set mode 0
|
|
# (AbsoluteConsistency).
|
|
#
|
|
# The options are:
|
|
# 0 = AbsoluteConsistency
|
|
# 1 = TolerateCorruptedTailRecords (default)
|
|
# 2 = PointInTime (use me if trying to recover)
|
|
# 3 = SkipAnyCorruptedRecord (you now voided your Conduwuit warranty)
|
|
#
|
|
# See https://github.com/facebook/rocksdb/wiki/WAL-Recovery-Modes for more information on these modes.
|
|
#
|
|
# See https://conduwuit.puppyirl.gay/troubleshooting.html#database-corruption for more details on recovering a corrupt database.
|
|
#
|
|
#rocksdb_recovery_mode = 1
|
|
|
|
# Database repair mode (for RocksDB SST corruption)
|
|
#
|
|
# Use this option when the server reports corruption while running or
|
|
# panics. If the server refuses to start use the recovery mode options
|
|
# first. Corruption errors containing the acronym 'SST' which occur after
|
|
# startup will likely require this option.
|
|
#
|
|
# - Backing up your database directory is recommended prior to running the
|
|
# repair.
|
|
# - Disabling repair mode and restarting the server is recommended after
|
|
# running the repair.
|
|
#
|
|
# See https://conduwuit.puppyirl.gay/troubleshooting.html#database-corruption for more details on recovering a corrupt database.
|
|
#
|
|
#rocksdb_repair = false
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#rocksdb_read_only = false
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#rocksdb_secondary = false
|
|
|
|
# Enables idle CPU priority for compaction thread. This is not enabled by
|
|
# default to prevent compaction from falling too far behind on busy
|
|
# systems.
|
|
#
|
|
#rocksdb_compaction_prio_idle = false
|
|
|
|
# Enables idle IO priority for compaction thread. This prevents any
|
|
# unexpected lag in the server's operation and is usually a good idea.
|
|
# Enabled by default.
|
|
#
|
|
#rocksdb_compaction_ioprio_idle = true
|
|
|
|
# Config option to disable RocksDB compaction. You should never ever have
|
|
# to disable this. If you for some reason find yourself needing to disable
|
|
# this as part of troubleshooting or a bug, please reach out to us in the
|
|
# conduwuit Matrix room with information and details.
|
|
#
|
|
# Disabling compaction will lead to a significantly bloated and
|
|
# explosively large database, gradually poor performance, unnecessarily
|
|
# excessive disk read/writes, and slower shutdowns and startups.
|
|
#
|
|
#rocksdb_compaction = true
|
|
|
|
# Level of statistics collection. Some admin commands to display database
|
|
# statistics may require this option to be set. Database performance may
|
|
# be impacted by higher settings.
|
|
#
|
|
# Option is a number ranging from 0 to 6:
|
|
# 0 = No statistics.
|
|
# 1 = No statistics in release mode (default).
|
|
# 2 to 3 = Statistics with no performance impact.
|
|
# 3 to 5 = Statistics with possible performance impact.
|
|
# 6 = All statistics.
|
|
#
|
|
#rocksdb_stats_level = 1
|
|
|
|
# This is a password that can be configured that will let you login to the
|
|
# server bot account (currently `@conduit`) for emergency troubleshooting
|
|
# purposes such as recovering/recreating your admin room, or inviting
|
|
# yourself back.
|
|
#
|
|
# See https://conduwuit.puppyirl.gay/troubleshooting.html#lost-access-to-admin-room for other ways to get back into your admin room.
|
|
#
|
|
# Once this password is unset, all sessions will be logged out for
|
|
# security purposes.
|
|
#
|
|
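# example: "F670$2CP@Hw8mG7RY1$%!#Ic7YA"
# (This example value is published in this file; generate your own unique
# password rather than reusing it.)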
|
|
#
|
|
#emergency_password =
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#notification_push_path = "/_matrix/push/v1/notify"
|
|
|
|
# Config option to control local (your server only) presence
|
|
# updates/requests. Note that presence on conduwuit is
|
|
# very fast unlike Synapse's. If using outgoing presence, this MUST be
|
|
# enabled.
|
|
#
|
|
#allow_local_presence = true
|
|
|
|
# Config option to control incoming federated presence updates/requests.
|
|
#
|
|
# This option receives presence updates from other
|
|
# servers, but does not send any unless `allow_outgoing_presence` is true.
|
|
# Note that presence on conduwuit is very fast unlike Synapse's.
|
|
#
|
|
#allow_incoming_presence = true
|
|
|
|
# Config option to control outgoing presence updates/requests.
|
|
#
|
|
# This option sends presence updates to other servers, but does not
|
|
# receive any unless `allow_incoming_presence` is true.
|
|
# Note that presence on conduwuit is very fast unlike Synapse's.
|
|
# If using outgoing presence, you MUST enable `allow_local_presence` as
|
|
# well.
|
|
#
|
|
#allow_outgoing_presence = true
|
|
|
|
# Config option to control how many seconds must pass before your presence
# is updated to show that you are idle. Defaults to 5 minutes.
|
|
#
|
|
#presence_idle_timeout_s = 300
|
|
|
|
# Config option to control how many seconds must pass before your presence
# is updated to show that you are offline. Defaults to 30 minutes.
|
|
#
|
|
#presence_offline_timeout_s = 1800
|
|
|
|
# Config option to enable the presence idle timer for remote users.
|
|
# Disabling is offered as an optimization for servers participating in
|
|
# many large rooms or when resources are limited. Disabling it may cause
|
|
# incorrect presence states (i.e. stuck online) to be seen for some
|
|
# remote users.
|
|
#
|
|
#presence_timeout_remote_users = true
|
|
|
|
# Config option to control whether we should receive remote incoming read
|
|
# receipts.
|
|
#
|
|
#allow_incoming_read_receipts = true
|
|
|
|
# Config option to control whether we should send read receipts to remote
|
|
# servers.
|
|
#
|
|
#allow_outgoing_read_receipts = true
|
|
|
|
# Config option to control outgoing typing updates to federation.
|
|
#
|
|
#allow_outgoing_typing = true
|
|
|
|
# Config option to control incoming typing updates from federation.
|
|
#
|
|
#allow_incoming_typing = true
|
|
|
|
# Config option to control maximum time federation user can indicate
|
|
# typing.
|
|
#
|
|
#typing_federation_timeout_s = 30
|
|
|
|
# Config option to control minimum time local client can indicate typing.
|
|
# This does not override a client's request to stop typing. It only
|
|
# enforces a minimum value in case of no stop request.
|
|
#
|
|
#typing_client_timeout_min_s = 15
|
|
|
|
# Config option to control maximum time local client can indicate typing.
|
|
#
|
|
#typing_client_timeout_max_s = 45
|
|
|
|
# Set this to true for conduwuit to compress HTTP response bodies using
|
|
# zstd. This option does nothing if conduwuit was not built with
|
|
# `zstd_compression` feature. Please be aware that enabling HTTP
|
|
# compression may weaken TLS. Most users should not need to enable this.
|
|
# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH
|
|
# before deciding to enable this.
|
|
#
|
|
#zstd_compression = false
|
|
|
|
# Set this to true for conduwuit to compress HTTP response bodies using
|
|
# gzip. This option does nothing if conduwuit was not built with
|
|
# `gzip_compression` feature. Please be aware that enabling HTTP
|
|
# compression may weaken TLS. Most users should not need to enable this.
|
|
# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH before
|
|
# deciding to enable this.
|
|
#
|
|
# If you are in a large number of rooms, you may find that enabling this
# is necessary to reduce the significantly large response bodies.
|
|
#
|
|
#gzip_compression = false
|
|
|
|
# Set this to true for conduwuit to compress HTTP response bodies using
|
|
# brotli. This option does nothing if conduwuit was not built with
|
|
# `brotli_compression` feature. Please be aware that enabling HTTP
|
|
# compression may weaken TLS. Most users should not need to enable this.
|
|
# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH before
|
|
# deciding to enable this.
|
|
#
|
|
#brotli_compression = false
|
|
|
|
# Set to true to allow user type "guest" registrations. Some clients like
|
|
# Element attempt to register guest users automatically.
|
|
#
|
|
#allow_guest_registration = false
|
|
|
|
# Set to true to log guest registrations in the admin room. Note that
|
|
# these may be noisy or unnecessary if you're a public homeserver.
|
|
#
|
|
#log_guest_registrations = false
|
|
|
|
# Set to true to allow guest registrations/users to auto join any rooms
|
|
# specified in `auto_join_rooms`.
|
|
#
|
|
#allow_guests_auto_join_rooms = false
|
|
|
|
# Config option to control whether the legacy unauthenticated Matrix media
|
|
# repository endpoints will be enabled. These endpoints consist of:
|
|
# - /_matrix/media/*/config
|
|
# - /_matrix/media/*/upload
|
|
# - /_matrix/media/*/preview_url
|
|
# - /_matrix/media/*/download/*
|
|
# - /_matrix/media/*/thumbnail/*
|
|
#
|
|
# The authenticated equivalent endpoints are always enabled.
|
|
#
|
|
# Defaults to true for now, but this is highly subject to change, likely
|
|
# in the next release.
|
|
#
|
|
#allow_legacy_media = true
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#freeze_legacy_media = true
|
|
|
|
# Checks consistency of the media directory at startup:
|
|
# 1. When `media_compat_file_link` is enabled, this check will upgrade
|
|
# media when switching back and forth between Conduit and conduwuit.
|
|
# Both options must be enabled to handle this.
|
|
# 2. When media is deleted from the directory, this check will also delete
|
|
# its database entry.
|
|
#
|
|
# If none of these checks apply to your use cases, and your media
# directory is significantly large, setting this to false may reduce
# startup time.
|
|
#
|
|
#media_startup_check = true
|
|
|
|
# Enable backward-compatibility with Conduit's media directory by creating
|
|
# symlinks of media. This option is only necessary if you plan on using
|
|
# Conduit again. Otherwise setting this to false reduces filesystem
|
|
# clutter and overhead for managing these symlinks in the directory. This
|
|
# is now disabled by default. You may still return to upstream Conduit
|
|
# but you have to run conduwuit at least once with this set to true and
|
|
# allow the media_startup_check to take place before shutting
|
|
# down to return to Conduit.
|
|
#
|
|
#media_compat_file_link = false
|
|
|
|
# Prunes missing media from the database as part of the media startup
|
|
# checks. This means if you delete files from the media directory the
|
|
# corresponding entries will be removed from the database. This is
|
|
# disabled by default because if the media directory is accidentally moved
|
|
# or inaccessible, the metadata entries in the database will be lost with
|
|
# sadness.
|
|
#
|
|
#prune_missing_media = false
|
|
|
|
# Vector list of servers that conduwuit will refuse to download remote
|
|
# media from.
|
|
#
|
|
#prevent_media_downloads_from = []
|
|
|
|
# List of forbidden server names that we will block incoming AND outgoing
|
|
# federation with, and block client room joins / remote user invites.
|
|
#
|
|
# This check is applied on the room ID, room alias, sender server name,
|
|
# sender user's server name, inbound federation X-Matrix origin, and
|
|
# outbound federation handler.
|
|
#
|
|
# Basically "global" ACLs.
|
|
#
|
|
#forbidden_remote_server_names = []
|
|
|
|
# List of forbidden server names that we will block all outgoing federated
|
|
# room directory requests for. Useful for preventing our users from
|
|
# wandering into bad servers or spaces.
|
|
#
|
|
#forbidden_remote_room_directory_server_names = []
|
|
|
|
# Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
|
|
# do not want conduwuit to send outbound requests to. Defaults to
|
|
# RFC1918, unroutable, loopback, multicast, and testnet addresses for
|
|
# security.
|
|
#
|
|
# Please be aware that this is *not* a guarantee. You should be using a
|
|
# firewall with zones as doing this on the application layer may have
|
|
# bypasses.
|
|
#
|
|
# Currently this does not account for proxies in use like Synapse does.
|
|
#
|
|
# To disable, set this to be an empty vector (`[]`).
|
|
#
|
|
# Default value (the array spans five lines; uncomment all of them together):
#
#ip_range_denylist = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
# "192.168.0.0/16", "100.64.0.0/10", "192.0.0.0/24", "169.254.0.0/16",
# "192.88.99.0/24", "198.18.0.0/15", "192.0.2.0/24", "198.51.100.0/24",
# "203.0.113.0/24", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7",
# "2001:db8::/32", "ff00::/8", "fec0::/10"]
|
|
|
|
# Vector list of domains allowed to send requests to for URL previews.
|
|
# Defaults to none. Note: this is a *contains* match, not an explicit
|
|
# match. Putting "google.com" will match "https://google.com" and
|
|
# "http://mymaliciousdomainexamplegoogle.com". Setting this to "*" will
|
|
# allow all URL previews. Please note that this opens up significant
|
|
# attack surface to your server, you are expected to be aware of the
|
|
# risks by doing so.
|
|
#
|
|
#url_preview_domain_contains_allowlist = []
|
|
|
|
# Vector list of explicit domains allowed to send requests to for URL
|
|
# previews. Defaults to none. Note: This is an *explicit* match, not a
|
|
# contains match. Putting "google.com" will match "https://google.com",
|
|
# "http://google.com", but not
|
|
# "https://mymaliciousdomainexamplegoogle.com". Setting this to "*" will
|
|
# allow all URL previews. Please note that this opens up significant
|
|
# attack surface to your server, you are expected to be aware of the
|
|
# risks by doing so.
|
|
#
|
|
#url_preview_domain_explicit_allowlist = []
|
|
|
|
# Vector list of explicit domains not allowed to send requests to for URL
|
|
# previews. Defaults to none. Note: This is an *explicit* match, not a
|
|
# contains match. Putting "google.com" will match "https://google.com",
|
|
# "http://google.com", but not
|
|
# "https://mymaliciousdomainexamplegoogle.com". The denylist is checked
|
|
# first before allowlist. Setting this to "*" will not do anything.
|
|
#
|
|
#url_preview_domain_explicit_denylist = []
|
|
|
|
# Vector list of URLs allowed to send requests to for URL previews.
|
|
# Defaults to none. Note that this is a *contains* match, not an
|
|
# explicit match. Putting "google.com" will match
|
|
# "https://google.com/",
|
|
# "https://google.com/url?q=https://mymaliciousdomainexample.com", and
|
|
# "https://mymaliciousdomainexample.com/hi/google.com". Setting this to
|
|
# "*" will allow all URL previews. Please note that this opens up
|
|
# significant attack surface to your server, you are expected to be
|
|
# aware of the risks by doing so.
|
|
#
|
|
#url_preview_url_contains_allowlist = []
|
|
|
|
# Maximum amount of bytes allowed in a URL preview body size when
|
|
# spidering. Defaults to 384KB in bytes.
|
|
#
|
|
#url_preview_max_spider_size = 384000
|
|
|
|
# Option to decide whether you would like to run the domain allowlist
|
|
# checks (contains and explicit) on the root domain or not. Does not apply
|
|
# to URL contains allowlist. Defaults to false.
|
|
#
|
|
# Example usecase: If this is
|
|
# enabled and you have "wikipedia.org" allowed in the explicit and/or
|
|
# contains domain allowlist, it will allow all subdomains under
|
|
# "wikipedia.org" such as "en.m.wikipedia.org" as the root domain is
|
|
# checked and matched. Useful if the domain contains allowlist is still
|
|
# too broad for you but you still want to allow all the subdomains under a
|
|
# root domain.
|
|
#
|
|
#url_preview_check_root_domain = false
|
|
|
|
# List of forbidden room aliases and room IDs as strings of regex
|
|
# patterns.
|
|
#
|
|
# Regex can be used or explicit contains matches can be done by
|
|
# just specifying the words (see example).
|
|
#
|
|
# This is checked upon room alias creation, custom room ID creation if
|
|
# used, and startup as warnings if any room aliases in your database have
|
|
# a forbidden room alias/ID.
|
|
#
|
|
# example: ["19dollarfortnitecards", "b[4a]droom"]
|
|
#
|
|
#forbidden_alias_names = []
|
|
|
|
# List of forbidden username patterns/strings.
|
|
#
|
|
# Regex can be used or explicit contains matches can be done by just
|
|
# specifying the words (see example).
|
|
#
|
|
# This is checked upon username availability check, registration, and
|
|
# startup as warnings if any local users in your database have a forbidden
|
|
# username.
|
|
#
|
|
# example: ["administrator", "b[a4]dusernam[3e]"]
|
|
#
|
|
#forbidden_usernames = []
|
|
|
|
# Retry failed and incomplete messages to remote servers immediately upon
|
|
# startup. This is called bursting. If this is disabled, said messages
|
|
# may not be delivered until more messages are queued for that server. Do
|
|
# not change this option unless server resources are extremely limited or
|
|
# the scale of the server's deployment is huge. Do not disable this
|
|
# unless you know what you are doing.
|
|
#
|
|
#startup_netburst = true
|
|
|
|
# Limits how many queued messages are kept for the startup netburst; other
# messages are dropped and not reattempted. The `startup_netburst` option
|
|
# must be enabled for this value to have any effect. Do not change this
|
|
# value unless you know what you are doing. Set this value to -1 to
|
|
# reattempt every message without trimming the queues; this may consume
|
|
# significant disk. Set this value to 0 to drop all messages without any
|
|
# attempt at redelivery.
|
|
#
|
|
#startup_netburst_keep = 50
|
|
|
|
# Controls whether non-admin local users are forbidden from sending room
|
|
# invites (local and remote), and if non-admin users can receive remote
|
|
# room invites. Admins are always allowed to send and receive all room
|
|
# invites.
|
|
#
|
|
#block_non_admin_invites = false
|
|
|
|
# Allows admins to enter commands in rooms other than "#admins" (admin
|
|
# room) by prefixing your message with "\!admin" or "\\!admin" followed
# by a normal conduwuit admin command. The reply will be publicly visible
|
|
# to the room, originating from the sender.
|
|
#
|
|
# example: \\!admin debug ping puppygock.gay
|
|
#
|
|
#admin_escape_commands = true
|
|
|
|
# Controls whether the conduwuit admin room console / CLI will immediately
|
|
# activate on startup. This option can also be enabled with `--console`
|
|
# conduwuit argument.
|
|
#
|
|
#admin_console_automatic = false
|
|
|
|
# Controls what admin commands will be executed on startup. This is a
|
|
# vector list of strings of admin commands to run.
|
|
#
|
|
#
|
|
# This option can also be configured with the `--execute` conduwuit
|
|
# argument and can take standard shell commands and environment variables.
|
|
#
|
|
# Such example could be: `./conduwuit --execute "server admin-notice
|
|
# conduwuit has started up at $(date)"`
|
|
#
|
|
# example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]
|
|
#
|
|
#admin_execute = []
|
|
|
|
# Controls whether conduwuit should error and fail to start if an admin
|
|
# execute command (`--execute` / `admin_execute`) fails.
|
|
#
|
|
#admin_execute_errors_ignore = false
|
|
|
|
# Controls the max log level for admin command log captures (logs
|
|
# generated from running admin commands). Defaults to "info" on release
|
|
# builds, else "debug" on debug builds.
|
|
#
|
|
#admin_log_capture = "info"
|
|
|
|
# The default room tag to apply on the admin room.
|
|
#
|
|
# On some clients like Element, the room tag "m.server_notice" is a
|
|
# special pinned room at the very bottom of your room list. The conduwuit
|
|
# admin room can be pinned here so you always have an easy-to-access
|
|
# shortcut dedicated to your admin room.
|
|
#
|
|
#admin_room_tag = "m.server_notice"
|
|
|
|
# Sentry.io crash/panic reporting, performance monitoring/metrics, etc.
|
|
# This is NOT enabled by default. conduwuit's default Sentry reporting
|
|
# endpoint is o4506996327251968.ingest.us.sentry.io
|
|
#
|
|
#sentry = false
|
|
|
|
# Sentry reporting URL if a custom one is desired
|
|
#
|
|
#sentry_endpoint = "https://fe2eb4536aa04949e28eff3128d64757@o4506996327251968.ingest.us.sentry.io/4506996334657536"
|
|
|
|
# Report your conduwuit server_name in Sentry.io crash reports and metrics
|
|
#
|
|
#sentry_send_server_name = false
|
|
|
|
# Performance monitoring/tracing sample rate for Sentry.io
|
|
#
|
|
# Note that too high values may impact performance, and can be disabled by
|
|
# setting it to 0.0 (0%). This value is read as a percentage to Sentry,
|
|
# represented as a decimal. Defaults to 15% of traces (0.15)
|
|
#
|
|
#sentry_traces_sample_rate = 0.15
|
|
|
|
# Whether to attach a stacktrace to Sentry reports.
|
|
#
|
|
#sentry_attach_stacktrace = false
|
|
|
|
# Send panics to sentry. This is true by default, but sentry has to be
|
|
# enabled. The global "sentry" config option must be enabled to send any
|
|
# data.
|
|
#
|
|
#sentry_send_panic = true
|
|
|
|
# Send errors to sentry. This is true by default, but sentry has to be
|
|
# enabled. This option is only effective in release-mode; forced to false
|
|
# in debug-mode.
|
|
#
|
|
#sentry_send_error = true
|
|
|
|
# Controls the tracing log level for Sentry to send things like
|
|
# breadcrumbs and transactions
|
|
#
|
|
#sentry_filter = "info"
|
|
|
|
# Enable the tokio-console. This option is only relevant to developers.
|
|
# See https://conduwuit.puppyirl.gay/development.html#debugging-with-tokio-console for more information.
|
|
#
|
|
#tokio_console = false
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#test = false
|
|
|
|
# Controls whether admin room notices like account registrations, password
|
|
# changes, account deactivations, room directory publications, etc will
|
|
# be sent to the admin room. Update notices and normal admin command
|
|
# responses will still be sent.
|
|
#
|
|
#admin_room_notices = true
|
|
|
|
[global.tls]
|
|
|
|
# Path to a valid TLS certificate file.
|
|
#
|
|
# example: "/path/to/my/certificate.crt"
|
|
#
|
|
#certs =
|
|
|
|
# Path to a valid TLS certificate private key.
|
|
#
|
|
# example: "/path/to/my/certificate.key"
|
|
#
|
|
#key =
|
|
|
|
# Whether to listen for and allow both HTTP and HTTPS connections (insecure:
# anything sent over plain HTTP is unencrypted)
|
|
#
|
|
#dual_protocol = false
|
|
|
|
[global.well_known]
|
|
|
|
# The server URL that the client well-known file will serve. This should
|
|
# not contain a port, and should just be a valid HTTPS URL.
|
|
#
|
|
# example: "https://matrix.example.com"
|
|
#
|
|
#client =
|
|
|
|
# The server base domain of the URL with a specific port that the server
|
|
# well-known file will serve. This should contain a port at the end, and
|
|
# should not be a URL.
|
|
#
|
|
# example: "matrix.example.com:443"
|
|
#
|
|
#server =
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#support_page =
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#support_role =
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#support_email =
|
|
|
|
# This item is undocumented. Please contribute documentation for it.
|
|
#
|
|
#support_mxid =
|