# ============================================================================= # This is the official example config for conduwuit. # If you use it for your server, you will need to adjust it to your own needs. # At the very least, change the server_name field! # ============================================================================= [global] # The server_name is the pretty name of this server. It is used as a suffix for user # and room ids. Examples: matrix.org, conduit.rs # The Conduit server needs all /_matrix/ requests to be reachable at # https://your.server.name/ on port 443 (client-server) and 8448 (federation). # If that's not possible for you, you can create /.well-known files to redirect # requests (delegation). See # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient # and # https://spec.matrix.org/v1.9/server-server-api/#getwell-knownmatrixserver # for more information # YOU NEED TO EDIT THIS #server_name = "your.server.name" # Servers listed here will be used to gather public keys of other servers. # Generally, copying this exactly should be enough. (Currently, conduwuit doesn't # support batched key requests, so this list should only contain Synapse # servers.) Defaults to `matrix.org` # trusted_servers = ["matrix.org"] ### Database configuration # This is the only directory where conduwuit will save its data, including media database_path = "/var/lib/conduwuit/" # Database backend: Only rocksdb and sqlite are supported. Please note that sqlite # will perform significantly worse than rocksdb as it is not intended to be used the # way it is by conduwuit. sqlite only exists for historical reasons. database_backend = "rocksdb" ### Network # The port conduwuit will be running on. You need to set up a reverse proxy such as # Caddy or Nginx so all requests to /_matrix on port 443 and 8448 will be # forwarded to the conduwuit instance running on this port # Docker users: Don't change this, you'll need to map an external port to this. port = 6167 # default address (IPv4 or IPv6) conduwuit will listen on. Generally you want this to be # localhost (127.0.0.1 / ::1). If you are using Docker or a container NAT networking setup, you # likely need this to be 0.0.0.0. address = "127.0.0.1" # How many requests conduwuit sends to other servers at the same time concurrently. Default is 500 # Note that because conduwuit is very fast unlike other homeserver implementations, setting this too # high could inadvertently result in ratelimits kicking in, or overloading lower-end homeservers out there. # # A valid use-case for enabling this is if you have a significant amount of overall federation activity # such as many rooms joined/tracked, and many servers in the true destination cache caused by that. Upon # rebooting conduwuit, depending on how fast your resources are, client and incoming federation requests # may timeout or be "stalled" for a period of time due to hitting the max concurrent requests limit from # refreshing federation/destination caches and such. # # If you have a lot of active users on your homeserver, you will definitely need to raise this. # # No this will not speed up room joins. #max_concurrent_requests = 500 # Max request size for file uploads max_request_size = 20_000_000 # in bytes # Uncomment unix_socket_path to listen on a UNIX socket at the specified path. # If listening on a UNIX socket, you must remove/comment the 'address' key if defined and add your # reverse proxy to the 'conduwuit' group, unless world RW permissions are specified with unix_socket_perms (666 minimum). #unix_socket_path = "/run/conduwuit/conduwuit.sock" #unix_socket_perms = 660 # Set this to true for conduwuit to compress HTTP response bodies using zstd. # Please be aware that enabling HTTP compression may weaken or even defeat TLS. # Most users should not need to enable this. # See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH before deciding to enable this. zstd_compression = false # Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you do not want conduwuit to send outbound requests to. # Defaults to RFC1918, unroutable, loopback, multicast, and testnet addresses for security. # # To disable, set this to be an empty vector (`[]`). # # Currently this does not account for proxies in use like Synapse does. ip_range_denylist = [ "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "192.0.0.0/24", "169.254.0.0/16", "192.88.99.0/24", "198.18.0.0/15", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "2001:db8::/32", "ff00::/8", "fec0::/10", ] ### Moderation / Privacy / Security # Set to true to allow user type "guest" registrations. Element attempts to register guest users automatically. # For private homeservers, this is best at false. allow_guest_registration = false # Vector list of servers that conduwuit will refuse to download remote media from. # No default. # prevent_media_downloads_from = ["example.com", "example.local"] # Enables open registration. If set to false, no users can register on this # server. # If set to true without a token configured, users can register with no form of 2nd- # step only if you set # `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to # true in your config. If you would like # registration only via token reg, please configure the `registration_token` key. allow_registration = false # Please note that an open registration homeserver with no second-step verification # is highly prone to abuse and potential defederation by homeservers, including # matrix.org. # A static registration token that new users will have to provide when creating # an account. If unset and `allow_registration` is true, registration is open # without any condition. YOU NEED TO EDIT THIS. registration_token = "change this token for something specific to your server" # controls whether federation is allowed or not # defaults to true # allow_federation = true # controls whether users are allowed to create rooms. # appservices and admins are always allowed to create rooms # defaults to true # allow_room_creation = true # Set this to true to allow your server's public room directory to be federated. # Set this to false to protect against /publicRooms spiders, but will forbid external users # from viewing your server's public room directory. If federation is disabled entirely # (`allow_federation`), this is inherently false. allow_public_room_directory_over_federation = false # Set this to true to allow your server's public room directory to be queried without client # authentication (access token) through the Client APIs. Set this to false to protect against /publicRooms spiders. allow_public_room_directory_without_auth = false # Set this to true to allow federating device display names / allow external users to see your device display name. # If federation is disabled entirely (`allow_federation`), this is inherently false. For privacy, this is best disabled. allow_device_name_federation = false # Vector list of domains allowed to send requests to for URL previews. Defaults to none. # Note: this is a *contains* match, not an explicit match. Putting "google.com" will match "https://google.com" and "http://mymaliciousdomainexamplegoogle.com" # Setting this to "*" will allow all URL previews. Please note that this opens up significant attack surface to your server, you are expected to be aware of the risks by doing so. url_preview_domain_contains_allowlist = [] # Vector list of explicit domains allowed to send requests to for URL previews. Defaults to none. # Note: This is an *explicit* match, not a ccontains match. Putting "google.com" will match "https://google.com", "http://google.com", but not "https://mymaliciousdomainexamplegoogle.com" # Setting this to "*" will allow all URL previews. Please note that this opens up significant attack surface to your server, you are expected to be aware of the risks by doing so. url_preview_domain_explicit_allowlist = [] # Vector list of URLs allowed to send requests to for URL previews. Defaults to none. # Note that this is a *contains* match, not an explicit match. Putting "https://google.com" will match "https://google.com/" and "https://google.com/url?q=https://mymaliciousdomainexample.com" # Setting this to "*" will allow all URL previews. Please note that this opens up significant attack surface to your server, you are expected to be aware of the risks by doing so. url_preview_url_contains_allowlist = [] ### Misc # max log level for conduwuit. allows debug, info, warn, or error #log = "warn" # controls whether encrypted rooms and events are allowed (default true) #allow_encryption = false # conduwuit will send a simple GET request periodically to `https://pupbrain.dev/check-for-updates/stable` # for any new announcements made. Despite the name, this is not an update check # endpoint, it is simply an announcement check endpoint. I don't plan on using # this so feel free to disable it. allow_check_for_updates = true # Enables adding the lightning bolt emoji (⚡️) to all newly registered users' # initial display names. enable_lightning_bolt = false # If you are using delegation via well-known files and you cannot serve them from your reverse proxy, you can # uncomment these to serve them directly from conduwuit. This requires proxying all requests to conduwuit, not just `/_matrix` to work. #well_known_server = "matrix.example.com:443" #well_known_client = "https://matrix.example.com" # Note that whatever you put will show up in the well-known JSON values. # Set to false to disable users from joining or creating room versions that aren't 100% officially supported by conduwuit. # conduwuit officially supports room versions 6 - 10. conduwuit has experimental/unstable support for 1 - 5, and 11. # Defaults to true. #allow_unstable_room_versions = true # Set this to any float value to multiply conduwuit's in-memory LRU caches with. # May be useful if you have significant memory to spare to increase performance. # Defaults to 1.0. #conduit_cache_capacity_modifier = 1.0 # Set this to any float value in megabytes for conduwuit to tell the database engine that this much memory is available for database-related caches. # May be useful if you have significant memory to spare to increase performance. # Defaults to 900.0 #db_cache_capacity_mb = 900.0 ### RocksDB options # Set this to true to use RocksDB config options that are tailored to HDDs (slower device storage) #rocksdb_optimize_for_spinning_disks = false # RocksDB log level. This is not the same as conduwuit's log level. This is the log level for RocksDB itself # which show up in your database folder/path as `LOG` files. Defaults to warn. conduwuit will typically log RocksDB errors. #rocksdb_log_level = "warn" # Max RocksDB `LOG` file size before rotating in bytes. Defaults to 4MB. #rocksdb_max_log_file_size = 4194304 # Time in seconds before RocksDB will forcibly rotate logs. Defaults to 0. #rocksdb_log_time_to_roll = 0 ### Presence # Config option to control local (your server only) presence updates/requests. Defaults to false. # Note that presence on conduwuit is very fast unlike Synapse's. #allow_local_presence = false # Config option to control incoming federated presence updates/requests. Defaults to false. # This option receives presence updates from other servers, but does not send any unless `allow_outgoing_presence` is true. # Note that presence on conduwuit is very fast unlike Synapse's. #allow_incoming_presence = false # Config option to control outgoing presence updates/requests. Defaults to false. # This option sends presence updates to other servers, but does not receive any unless `allow_incoming_presence` is true. # Note that presence on conduwuit is very fast unlike Synapse's. # # Warning: Outgoing federated presence is not spec compliant due to relying on PDUs and EDUs combined. # Outgoing presence will not be very reliable due to this and any issues with federated outgoing presence are very likely attributed to this issue. # Incoming presence and local presence are unaffected. #allow_outgoing_presence = false # Config option to control how many seconds before presence updates that you are idle. Defaults to 5 minutes. #presence_idle_timeout_s = 300 # Config option to control how many seconds before presence updates that you are offline. Defaults to 30 minutes. #presence_offline_timeout_s = 1800