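---
## Docker image configuration, used for Synapse and workers.
##
## Supply-chain note: prefer pinning `tag` to a specific release rather than
## relying on the chart's default, so that an upgrade is an explicit, reviewed
## change and the same image is deployed to every pod.
##
image:
  repository: ananace/matrix-synapse
  ## Tag to override with, will default to the application version.
  ##
  # tag: ''
  pullPolicy: IfNotPresent

  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  # pullSecrets:
  #   - myRegistryKeySecretName

## Override part of the installed name, will still keep release name.
##
# nameOverride: ""

## Override the full name of the installed chart.
##
# fullnameOverride: ""

## The source of the signing key used by Synapse in federation.
##
## This key is the server's federation identity: anyone holding it can sign
## events as this homeserver, and losing it breaks federation until it is
## rotated. Back the resulting Secret up and restrict RBAC access to Secrets
## in this namespace accordingly.
##
signingkey:
  ## Enable a Kubernetes job to generate and store a signing key if one does not
  ## exist.
  ##
  job:
    enabled: true

  ## Specify an existing signing key secret, will need to be created in advance.
  ##
  # existingSecret:
  # existingSecretKey: signing.key

## Common Matrix configuration values, for any value not handled by this block,
## you will want to instead set it in extraConfig.
##
## Several values in this block are secrets (recaptcha privateKey, turnSecret,
## registrationSharedSecret). A values file that sets them must be treated as
## secret material and kept out of version control.
##
config:
  ## The Matrix domain name, this is what will be used for the domain part in
  ## your MXIDs.
  ##
  # serverName: 'example.com'

  ## The publicly accessible URL for the Synapse instance, will default to
  ## https://<serverName>.
  ##
  # publicBaseurl: 'https://example.com'

  ## The size of the event cache.
  ##
  # eventCacheSize: 10K

  ## The maximum allowed size of uploaded media.
  ## This is also the main knob bounding how much storage an unauthenticated
  ## (if registration is open) or federated upload can consume per request.
  ##
  # maxUploadSize: 10M

  ## The log level for Synapse and all modules.
  ## DEBUG is verbose and may write request details into the logs; keep it at
  ## INFO or higher on production systems.
  ##
  # logLevel: INFO

  ## The recaptcha configuration for registering. (optional)
  ## privateKey is a secret.
  ##
  # recaptcha:
  #   publicKey:
  #   privateKey:

  ## URIs and secret key for TURN servers to use to help establish 1:1 WebRTC
  ## calls. turnSecret is a shared secret with the TURN server.
  ##
  # turnUris: []
  # turnSecret: ''

  ## Registration configuration, note that registration with the
  ## container-internal register_new_matrix_user tool is always possible.
  ## Leave enableRegistration false unless you intend to run a public server;
  ## if you do enable it, configure recaptcha above to limit abuse.
  ##
  # enableRegistration: false

  ## Note; this value will default to a random string if not specified.
  ## Anyone who knows it can register accounts regardless of enableRegistration.
  # registrationSharedSecret: ''
  # allowGuests: false

  ## Should the Synapse instance report stats.
  ##
  # reportStats: false

  ## Servers to contact when doing 3PID lookups - for example when searching for
  ## Matrix users by email/phone number.
  ##
  ## Privacy note: the email addresses / phone numbers being looked up are sent
  ## to these third-party servers. Clear the list if that is not acceptable.
  ##
  thirdPartyIDServers:
    - matrix.org
    - vector.im

  ## A set of fallback servers - and their key fingerprint - to contact if a
  ## server doesn't respond to a signing key request.
  ##
  ## These are trust anchors for federation key lookups: only add or change an
  ## entry with a fingerprint you have verified out of band.
  ##
  perspectiveServers:
    matrix.org:
      verify_keys:
        "ed25519:auto":
          key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"

  ## Extra listeners to configure.
  ##
  ## WARNING: the manhole listener in the example below is an interactive
  ## Python shell with full access to the running server. Never bind it to a
  ## non-loopback address ('::' or '0.0.0.0' as shown) on a pod that is
  ## reachable from outside; use '127.0.0.1' and port-forward into the pod
  ## when you need it.
  ##
  extraListeners: []
  # - port: 9000
  #   bind_addresses: ['::']
  #   type: manhole

  ## Specify arbitrary Synapse configuration here;
  ##
  extraConfig: {}
  # use_presence: false
  # enable_search: false
  # federation_domain_whitelist:
  #   - lon.example.com
  #   - nyc.example.com
  #   - syd.example.com

## Configuration to apply to the main Synapse pod.
##
synapse:
  ## Annotations to apply to the main Synapse pod.
  ## Annotation values must be strings, hence the quoted port.
  ##
  annotations: {}
  # prometheus.io/scrape: "true"
  # prometheus.io/port: "9090"

  ## Labels to apply to the main Synapse pod.
  ##
  labels: {}

  ## Additional environment variables to apply to the main Synapse pod
  ##
  extraEnv: {}
  # - name: USE_JEMALLOC
  #   value: "1"
  # - name: SYNAPSE_CACHE_FACTOR
  #   value: "2"

  ## Configuration for the pod security policy, Synapse will by default run as its
  ## own user, even if not set.
  ## Note that changing this may also require you to use the volumePermission
  ## helper depending on your storage.
  ##
  ## NB; The synapse install is currently unable to run as anything but UID:GID
  ## 666:666.
  ##
  podSecurityContext: {}
  # fsGroup: 666
  # runAsGroup: 666
  # runAsUser: 666

  ## Configuration for the container security policy, refer to the above
  ## podSecurityContext for more relevant information.
  ##
  ## The default is empty (no hardening). The commented example below is the
  ## recommended baseline: drop all capabilities, refuse to start as root and
  ## keep the root filesystem read-only. Enable it, and verify your storage
  ## permissions with the volumePermissions helper if media writes fail.
  ##
  securityContext: {}
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 666

  ## Resources to apply to the main Synapse pod.
  ##
  resources: {}
  # limits:
  #   cpu: 1000m
  #   memory: 2500Mi
  # requests:
  #   cpu: 1000m
  #   memory: 2500Mi

  ## Node selectors to set for the main Synapse pod.
  ##
  nodeSelector: {}

  ## Tolerations to set for the main Synapse pod.
  ##
  tolerations: []

  ## Affinity to set for the main Synapse pod.
  ##
  affinity: {}

## Configuration for handling Synapse workers, which are useful for handling
## high-load deployments.
##
## More information is available at;
## https://github.com/matrix-org/synapse/blob/master/docs/workers.md
##
workers:
  ## Default configuration, this is inherited into all workers, and can also be
  ## overridden on each worker type.
  ##
  default:
    ## The number of worker replicas, note that some workers require special
    ## handling. Refer to the information URL above.
    ##
    replicaCount: 1

    ## Annotations to apply to the worker.
    ## Annotation values must be strings, hence the quoted port.
    ##
    annotations: {}
    # prometheus.io/scrape: "true"
    # prometheus.io/port: "9090"

    ## Additional environment variables to add to the worker.
    ##
    extraEnv: {}
    # - name: USE_JEMALLOC
    #   value: "1"
    # - name: SYNAPSE_CACHE_FACTOR
    #   value: "2"

    ## Additional volume mounts to add to the worker.
    ## Useful for the media repo.
    ##
    volumeMounts: {}

    ## Additional volumes to add to the worker.
    ## Useful for the media repo.
    ##
    volumes: {}

    ## Security context information to set to the worker.
    ##
    podSecurityContext: {}
    # fsGroup: 666
    # runAsGroup: 666
    # runAsUser: 666

    ## Container security context information to set to the worker.
    ## As with the main pod, the commented example is the recommended
    ## hardening baseline; the default applies none.
    ##
    securityContext: {}
    # capabilities:
    #   drop:
    #     - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 666

    ## Resources to apply to the worker.
    ##
    resources: {}
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

    ## Node selector configuration to set on the worker.
    ##
    nodeSelector: {}

    ## Toleration configuration to set on the worker.
    ##
    tolerations: []

    ## Affinity configuration to set on the worker.
    ##
    affinity: {}

  ## The generic worker can be used to handle most endpoints.
  ## Be careful when enabling the sync endpoints as they can eat large amounts of
  ## resources. Refer to the information URL above for more info.
  ## Proper load balancing with the K8s Ingress resource may not be possible.
  ##
  generic_worker:
    enabled: false
    listeners: [client, federation]
    csPaths:
      # - "/_matrix/client/(v2_alpha|r0)/sync"
      - "/_matrix/client/(api/v1|v2_alpha|r0)/events"
      # - "/_matrix/client/(api/v1|r0)/initialSync"
      # - "/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync"
      - "/_matrix/client/(api/v1|r0|unstable)/publicRooms"
      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members"
      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*"
      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members"
      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state"
      - "/_matrix/client/(api/v1|r0|unstable)/account/3pid"
      - "/_matrix/client/(api/v1|r0|unstable)/keys/query"
      - "/_matrix/client/(api/v1|r0|unstable)/keys/changes"
      - "/_matrix/client/versions"
      - "/_matrix/client/(api/v1|r0|unstable)/voip/turnServer"
      - "/_matrix/client/(api/v1|r0|unstable)/joined_groups"
      - "/_matrix/client/(api/v1|r0|unstable)/publicised_groups"
      - "/_matrix/client/(api/v1|r0|unstable)/publicised_groups/"
      - "/_matrix/client/(api/v1|r0|unstable)/login"
      - "/_matrix/client/(r0|unstable)/register"
      - "/_matrix/client/(r0|unstable)/auth/.*/fallback/web"
      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send"
      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/"
      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)"
      - "/_matrix/client/(api/v1|r0|unstable)/join/"
      - "/_matrix/client/(api/v1|r0|unstable)/profile/"
    paths:
      - "/_matrix/federation/v1/event/"
      - "/_matrix/federation/v1/state/"
      - "/_matrix/federation/v1/state_ids/"
      - "/_matrix/federation/v1/backfill/"
      - "/_matrix/federation/v1/get_missing_events/"
      - "/_matrix/federation/v1/publicRooms"
      - "/_matrix/federation/v1/query/"
      - "/_matrix/federation/v1/make_join/"
      - "/_matrix/federation/v1/make_leave/"
      - "/_matrix/federation/v1/send_join/"
      - "/_matrix/federation/v2/send_join/"
      - "/_matrix/federation/v1/send_leave/"
      - "/_matrix/federation/v2/send_leave/"
      - "/_matrix/federation/v1/invite/"
      - "/_matrix/federation/v2/invite/"
      - "/_matrix/federation/v1/query_auth/"
      - "/_matrix/federation/v1/event_auth/"
      - "/_matrix/federation/v1/exchange_third_party_invite/"
      - "/_matrix/federation/v1/user/devices/"
      - "/_matrix/federation/v1/get_groups_publicised"
      - "/_matrix/key/v2/query"
      - "/_matrix/federation/v1/send/"

  ## This worker deals with pushing notifications.
  ## NB; Only one instance of this worker can be run at a time, refer to the
  ## information URL above.
  ##
  pusher:
    enabled: false

  ## This worker handles sending data to registered appservices.
  ## NB; Only one instance of this worker can be run at a time, refer to the
  ## information URL above.
  ##
  appservice:
    enabled: false

  ## This worker handles sending federation traffic to other Synapse servers.
  ##
  federation_sender:
    enabled: false

  ## This worker deals with serving and storing media.
  ## NB; Running multiple instances will conflict with background jobs.
  ##
  ## Note that the csPaths below route several /_synapse/admin/ media endpoints
  ## to this worker; they are reachable through the ingress whenever
  ## ingress.includeUnderscoreSynapse is true.
  ##
  media_repository:
    enabled: false
    listeners: [media]
    csPaths:
      - "/_matrix/media/"
      - "/_synapse/admin/v1/purge_media_cache"
      - "/_synapse/admin/v1/room/.*/media.*"
      - "/_synapse/admin/v1/user/.*/media.*"
      - "/_synapse/admin/v1/media/.*"
      - "/_synapse/admin/v1/quarantine_media/.*"
    paths:
      - "/_matrix/media/"

  ## This worker deals with user directory searches.
  ##
  user_dir:
    enabled: false
    listeners: [client]
    csPaths:
      - "/_matrix/client/(api/v1|r0|unstable)/user_directory/search"

  ## This worker handles key uploads, and may also stub out presence if that is
  ## disabled. If you set extraConfig.use_presence=false then you may want to
  ## uncomment the second path.
  ##
  frontend_proxy:
    enabled: false
    listeners: [client]
    csPaths:
      - "/_matrix/client/(api/v1|r0|unstable)/keys/upload"
      # - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status"

## This will set up a Lighttpd server to respond to any
## /.well-known/matrix/server requests, to make federation possible without
## adding SRV-records to DNS.
##
wellknown:
  enabled: false
  replicaCount: 1

  ## The host and port combo to serve on .well-known/matrix/server.
  ##
  # host: matrix.example.com
  # port: 443

  ## A custom htdocs path, useful when running another image.
  ##
  htdocsPath: /var/www/localhost/htdocs

  ## The lighttpd image to run.
  ##
  ## Supply-chain note: `latest` with pullPolicy Always means every pod restart
  ## may pull a different, unreviewed image. Pin a specific tag for production.
  ##
  image:
    repository: m4rcu5/lighttpd
    tag: latest
    pullPolicy: Always

    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ##
    # pullSecrets:
    #   - myRegistryKeySecretName

  ## Configuration for the pod security policy.
  ##
  podSecurityContext: {}
  # fsGroup: 101
  # runAsGroup: 101
  # runAsUser: 100

  ## Configuration for the container security policy.
  ## This container only serves a static file; the commented hardening below
  ## should be safe to enable as-is.
  ##
  securityContext: {}
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 100

  ## Resource configuration to apply to the well-known server.
  ##
  resources: {}
  # limits:
  #   cpu: 5m
  #   memory: 15Mi
  # requests:
  #   cpu: 5m
  #   memory: 15Mi

  ## Node selectors to set for the well-known server.
  ##
  nodeSelector: {}

  ## Tolerations to set for the well-known server.
  ##
  tolerations: []

  ## Affinity to set for the well-known server.
  ##
  affinity: {}

## This configuration is for setting up the internally provided Postgres server,
## if you instead want to use an existing server, then you may want to set
## enabled to false and configure the externalPostgresql block.
##
postgresql:
  enabled: true
  postgresqlUsername: synapse
  postgresqlDatabase: synapse
  postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C"
  persistence:
    size: 16G

## An externally configured Postgres server to use for Synapse's database, note
## that the database needs to have both COLLATE and CTYPE set to "C".
##
## The password set here is a secret; keep the values file out of version
## control or supply it through your secret-management tooling.
## sslMode `require` encrypts the connection but does not verify the server's
## identity; if the chart passes this through to libpq unchanged, prefer
## `verify-full` with a trusted CA where your database supports it.
##
externalPostgresql:
  # host: postgres
  port: 5432
  username: synapse
  # password: synapse
  database: synapse
  # sslMode: require

## This configuration is for the internal Redis that's deployed for use with
## workers/sharding, for an external Redis server you want to set enabled to
## false and configure the externalRedis block.
##
## The bundled Redis runs without authentication unless usePassword is set;
## make sure it is not reachable from outside the namespace (e.g. with a
## NetworkPolicy) or enable a password.
##
redis:
  enabled: true
  # usePassword: false
  # password: synapse
  cluster:
    enabled: false
  master:
    persistence:
      ## Note that Synapse only uses redis as a synchronization utility, so no
      ## data will ever need to be persisted.
      ##
      enabled: false
    statefulset:
      updateStrategy: RollingUpdate

## An externally configured Redis server to use for workers/sharding.
## The password set here is a secret; handle it like the Postgres one above.
##
externalRedis:
  # host: redis
  port: 6379
  # password: synapse

## Persistence configuration for the media repository function.
## This PVC will be mounted in either Synapse or a media_repo worker.
##
## NB; If you want to be able to scale this, you will have to set the
## accessMode to RWX/ReadWriteMany.
##
persistence:
  enabled: true
  # existingClaim: synapse-data
  # storageClass: "-"
  accessMode: ReadWriteOnce
  size: 10Gi

## Set up an init container to chown the mounted media if necessary.
##
## Supply-chain note: as with the well-known image, `latest` + Always is a
## mutable reference; pin a tag for production. The init container presumably
## needs to run as root to chown the volume, so keep it disabled unless your
## storage actually requires it.
##
volumePermissions:
  enabled: false
  image:
    repository: alpine
    tag: latest
    pullPolicy: Always

    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ##
    # pullSecrets:
    #   - myRegistryKeySecretName

  resources: {}
  # resources:
  #   requests:
  #     memory: 128Mi
  #     cpu: 100m

## The K8s ingress configuration, this will be quite heavily used in order to set
## up all routing necessary for use with a sharded Synapse instance.
## If you're not using an Ingress compatible K8s ingress, you will need to set up
## your own routing instead.
##
ingress:
  enabled: true

  ## Generate traefik-compatible regex paths instead of nginx-compatible ones.
  ##
  traefikPaths: false

  ## Annotations to apply to the created ingress resource.
  ##
  annotations: {}
  # nginx.ingress.kubernetes.io/use-regex: "true"
  # kubernetes.io/ingress.class: nginx
  # kubernetes.io/tls-acme: "true"

  ## Hosts to add to the ingress configuration for handling Client-to-Server
  ## API request paths.
  ##
  ## NB; config.serverName is included if includeServerName is set. (default)
  ##
  csHosts: []
  # - matrix.example.com

  ## Additional hosts to add to the ingress configuration for handling
  ## Server-to-Server API requests.
  ##
  ## NB; config.serverName is included if includeServerName is set. (default)
  ##
  hosts: []
  # - example.com

  ## Additional hosts to add to the ingress configuration for handling
  ## well-known requests.
  ##
  ## NB; config.serverName is included if includeServerName is set. (default)
  ##
  wkHosts: []
  # - example.com

  ## Additional paths to add to the Server-to-Server ingress blocks, will be
  ## inserted before the /_matrix catch-all path.
  ##
  paths: []
  # - path: /_matrix/media
  #   backend:
  #     serviceName: matrix-media-repo
  #     servicePort: 8000

  ## Additional paths to add to the Client-to-Server ingress blocks, will be
  ## inserted before the /_matrix and /_synapse catch-all paths.
  ##
  csPaths: []
  # - path: /_matrix/media
  #   backend:
  #     serviceName: matrix-media-repo
  #     servicePort: 8000

  ## Should the /_synapse path be included in the ingress, admin APIs are
  ## provided under this path.
  ##
  ## Security note: with this enabled (the default) the Synapse admin API is
  ## exposed on the public ingress, protected only by the admin user's access
  ## token. Set it to false and reach the admin API via port-forward or an
  ## internal service, or restrict /_synapse/admin at the ingress controller
  ## (IP allow-list / auth), unless you need it public.
  ##
  includeUnderscoreSynapse: true

  ## Should config.serverName be included in the list of ingress paths, can be
  ## set to false if the main domain is managed in some external way.
  ##
  includeServerName: true

  ## TLS configuration to include in the ingress configuration
  ##
  ## The default is no TLS. Without it, client access tokens and federation
  ## traffic cross the network in cleartext, and other homeservers will refuse
  ## to federate with a server that is not reachable over valid HTTPS.
  ##
  tls: []
  # - secretName: chart-example-tls
  #   hosts:
  #     - example.com
  #     - matrix.example.com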