values.yaml

---
# -- override the full name of the chart
fullnameOverride: ""

# -- override the name of the chart
nameOverride: ""

# -- imagePullSecrets to use for all below images
imagePullSecrets: []

networkPolicies:
  # -- whether to enable kubernetes network policies or not
  enabled: true


# Runtime configuration for Synapse and settings related to the Matrix protocol
matrix:
  # -- Manual overrides for homeserver.yaml, the main config file for Synapse
  # Its highly recommended that you take a look at the defaults in
  # templates/synapse/_homeserver.yaml, to get a sense of the requirements and
  # default config options to use other services in this chart.
  homeserverOverride: {}

  # -- Contents will be appended to the end of the default configuration
  homeserverExtra: {}

  # -- Domain name of the server: This is not necessarily the host name where
  # the service is reachable. In fact, you may want to omit any subdomains from
  # this value as the server name set here will be the name of your homeserver
  # in the fediverse, & will be the domain name at the end of every username
  serverName: "example.com"

  # -- Enable anonymous telemetry to matrix.org
  telemetry: false

  # This is *optional* if an Ingress is configured below.
  # -- Hostname where Synapse can be reached, e.g. matrix.mydomain.com
  hostname: ""

  # -- Set to false to disable presence (online/offline indicators)
  presence: true

  # -- Set to true to block non-admins from inviting users to any rooms
  blockNonAdminInvites: false

  # -- Set to false to disable message searching
  search: true

  # -- Which types of rooms to enable end-to-end encryption on by default.
  # options: off (none), all (all rooms), or invite (private msg/room created
  # w/ private_chat or trusted_private_chat room presets)
  encryptByDefault: invite

  # -- Email address of the administrator
  adminEmail: "admin@example.com"

  # -- Settings related to image and multimedia uploads
  uploads:
    # -- Max upload size in bytes
    maxSize: 10M

    # -- Max image size in pixels
    maxPixels: 32M

  # -- extra sections for the your /.well-known/matrix/client which returns json
  # used by clients to know where your matrix sliding sync server is
  extra_well_known_client_content: {}
  # uncomment for using sliding sync. url must be your sliding sync hostname
  #  "org.matrix.msc3575.proxy":
  #    "url": "https://wherever-your-sliding-sync-proxy-is.com"

  # -- By default, other servers will try to reach our server on port 8448, which can be inconvenient in some environments. Provided https://<server_name>/ on port 443 is routed to Synapse, this option configures Synapse to serve a file at https://<server_name>/.well-known/matrix/server. This will tell other servers to send traffic to port 443 instead
  serve_server_wellknown: false

  # Settings related to federation
  federation:
    # -- Set to true to enable federation
    enabled: false

    # -- timeout for the federation requests
    client_timeout: 60s

    # -- maximum delay to be used for the short retry algo
    max_short_retry_delay: 2s

    # -- maximum delay to be used for the short retry algo
    max_long_retry_delay: 60s

    # -- maximum number of retries for the short retry algo
    max_short_retries: 3

    # -- maximum number of retries for the long retry algo
    max_long_retries: 10

    # -- the initial backoff, after the first request fails
    destination_min_retry_interval: 10m

    # -- how much we multiply the backoff by after each subsequent fail
    destination_retry_multiplier: 2

    # -- a cap on the backoff. Defaults to a week
    destination_max_retry_interval: 1w

    ingress:
      # -- enable ingress for federation
      enabled: false
      tls:
        # -- enable a TLS cert
        enabled: true
      host: matrix-fed.chart-example.local
      # -- ingressClassName for the k8s ingress
      className: "nginx"
      annotations:
        # -- required for the Nginx ingress provider. You can remove it if you
        # use a different ingress provider
        nginx.ingress.kubernetes.io/configuration-snippet: |
          proxy_intercept_errors off;
        # -- required for TLS certs issued by cert-manager
        cert-manager.io/cluster-issuer: letsencrypt-staging

  # -- Allow members of other homeservers to fetch *public* rooms
  allow_public_rooms_over_federation: false

  # -- If set to true, removes the need for authentication to access the server's public rooms directory through the client API, meaning that anyone can query the room directory
  allow_public_rooms_without_auth: false

  # -- Restrict federation to the given whitelist of domains. N.B. we recommend also firewalling your federation listener to limit inbound federation traffic as early as possible, rather than relying purely on this application-layer restriction. If not specified, the default is to whitelist everythingNote
  # Note: this does not stop a server from joining rooms that servers not on the whitelist are in. As such, this option is really only useful to establish a "private federation", where a group of servers all whitelist each other and have the same whitelist.
  federation_domain_whitelist: []

  # -- This option prevents outgoing requests from being sent to the specified blacklisted IP address CIDR ranges. If this option is not specified then it defaults to private IP address ranges (see the example below). The blacklist applies to the outbound requests for federation, identity servers, push servers, and for checking key validity for third-party invite events.
  # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly listed here, since they correspond to unroutable addresses.)
  # This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
  # Note: The value is ignored when an HTTP proxy is in use.
  ip_range_blacklist:
    - '127.0.0.0/8'
    - '10.0.0.0/8'
    - '172.16.0.0/12'
    - '192.168.0.0/16'
    - '100.64.0.0/10'
    - '192.0.0.0/24'
    - '169.254.0.0/16'
    - '192.88.99.0/24'
    - '198.18.0.0/15'
    - '192.0.2.0/24'
    - '198.51.100.0/24'
    - '203.0.113.0/24'
    - '224.0.0.0/4'
    - '::1/128'
    - 'fe80::/10'
    - 'fc00::/7'
    - '2001:db8::/32'
    - 'ff00::/8'
    - 'fec0::/10'

  # User registration settings
  registration:
    # -- Allow new users to register an account
    enabled: false

    # -- If set, allows registration of standard or admin accounts by anyone who
    # has the shared secret, even if registration is otherwise disabled.
    # ignored if existingSecret is passed in
    sharedSecret: ""

    # -- if set, allows user to generate a random shared secret in a k8s secret
    # ignored if existingSecret is passed in
    generateSharedSecret: false

    # -- if set, pull sharedSecret from an existing k8s secret
    existingSecret: ""

    # -- key in existing k8s secret for registration shared secret
    secretKey: "registrationSharedSecret"

    # -- Allow users to join rooms as a guest
    allowGuests: false

    # Required "3PIDs" - third-party identifiers such as email or msisdn (SMS)
    # required3Pids:
    #   - email
    #   - msisdn

    # -- Rooms to automatically join all new users to
    autoJoinRooms: []
    # - "#welcome:example.com"

    # -- Whether to allow token based registration
    requiresToken: false

  # see: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=password%20disable#password_config
  password_config: {}
    # -- set to true to enable password authentication
    # enabled: false
    # localdb_enabled: false

  # OpenID Connect integration. The following settings can be used to make Synapse
  # use an OpenID Connect Provider for authentication, instead of its internal
  # password database. will be considered legacy way of doing things after
  # element-x comes out of beta ref:
  # https://github.com/element-hq/synapse/blob/develop/docs/openid.md
  # https://github.com/element-hq/synapse/blob/develop/docs/openid.md
  oidc:
    # -- set to true to enable authorization against an OpenID Connect server
    # unless using OIDC on synapse AND you want to allow usage of Element-X (the
    # beta of element), then you must set experimental_feature.msc3861.enabled
    # to True to use the MAS (Matrix Authentication Service) and fill out the values there.
    enabled: false
    # -- existing secret to use for the OIDC config
    existingSecret: ""
    # keys in an existing secret to use for oidc config
    secretKeys:
      # -- key in secret with the issuer
      issuer: "issuer"
      # -- key in secret with the client_id
      client_id: "client_id"
      # -- key in secret with the client_secret
      client_secret: "client_secret"
      # -- key in secret with the authorization_endpoint if discovery is disabled
      authorization_endpoint: ""
      # -- key in secret with the token_endpoint if discovery is disabled
      token_endpoint: ""
      # -- key in secret with the userinfo_endpoint if discovery is disabled
      userinfo_endpoint: ""
    # -- each of these will be templated under oidc_providers in homeserver.yaml
    # ref: https://element-hq.github.io/synapse/latest/openid.html?search=
    providers:
      # -- id of your identity provider, e.g. dex
      - idp_id: ""
        # -- human readable comment of your identity provider, e.g. "My Dex Server"
        idp_name: ""
        # -- optional styling hint for clients
        idp_brand: ""
        # -- turn off discovery by setting this to false
        discover: true
        # set to true to skip metadata verification. Defaults to false. Use this if
        # you are connecting to a provider that is not OpenID Connect compliant.
        # Avoid this in production.
        skip_verification: false
        # -- OIDC issuer. Used to validate tokens and (if discovery is enabled) to
        # discover the provider's endpoints. Required if 'enabled' is true.
        issuer: "https://accounts.example.com/"
        # -- oauth2 client id to use. Required if 'enabled' is true.
        client_id: "provided-by-your-issuer"
        # -- oauth2 client secret to use. Required if 'enabled' is true.
        client_secret: "provided-by-your-issuer"
        # -- auth method to use when exchanging the token. Valid values are:
        # 'client_secret_basic' (default), 'client_secret_post' and 'none'.
        client_auth_method: client_secret_post
        # -- list of scopes to request. should normally include the "openid" scope.
        # Defaults to ["openid"].
        scopes:
          - "openid"
          - "profile"
        # -- oauth2 authorization endpoint. Required if provider discovery disabled.
        authorization_endpoint: "https://accounts.example.com/oauth2/auth"
        # -- the oauth2 token endpoint. Required if provider discovery is disabled.
        token_endpoint: "https://accounts.example.com/oauth2/token"
        # -- the OIDC userinfo endpoint. Required if discovery is disabled and the
        # "openid" scope is not requested.
        userinfo_endpoint: "https://accounts.example.com/userinfo"
        # An external module can be provided here as a custom solution to mapping
        # attributes returned from a OIDC provider onto a matrix user.
        user_mapping_provider:
          config:
            # -- name of the claim containing a unique identifier for user. Defaults
            # to `sub`, which OpenID Connect compliant providers should provide.
            subject_claim: ""
            # -- This must be configured if using the default mapping provider.
            localpart_template: ""
            # -- Jinja2 template for the display name to set on first login.
            # If unset, no displayname will be set.
            display_name_template: ""
            # for X (formally twitter):
            # https://element-hq.github.io/synapse/latest/openid.html?highlight=twitter#twitter
            picture_template: "{{ user.data.profile_image_url }}"
        # -- optional - maybe useful for keycloak
        backchannel_logout_enabled: true

  # -- require auth for profile requests, not useful if federation is enable
  require_auth_for_profile_requests: true

  # -- require a user to share a room with another user in order
  # to retrieve their profile information. Only checked on Client-Server
  # requests. Profile requests from other servers should be checked by the
  # requesting server.
  limit_profile_requests_to_users_who_share_rooms: true

  # -- minimum required tls version support. set to 1.3 if you know all clients implement this. may break public servers
  federation_client_minimum_tls_version: 1.2

  # Settings for the URL preview crawler
  urlPreviews:
    # -- Enable URL previews. WARN: Make sure to review default rules below to
    # ensure that users cannot crawl sensitive internal endpoints on yr cluster
    enabled: false

    # Blacklists and whitelists for the URL preview crawler
    rules:
      # -- Max size of a crawlable page. Keep this low to prevent a DOS vector
      maxSize: 10M

      # Whitelist and blacklist for crawlable IP addresses
      ip:
        whitelist: []
        blacklist:
          - '127.0.0.0/8'
          - '10.0.0.0/8'
          - '172.16.0.0/12'
          - '192.168.0.0/16'
          - '100.64.0.0/10'
          - '169.254.0.0/16'
          - '::1/128'
          - 'fe80::/64'
          - 'fc00::/7'

      # -- Whitelist and blacklist based on URL pattern matching
      url: {}
      # whitelist:
      # blacklist:
      #  # blacklist any URL with a username in its URI
      #  - username: '*'
      #
      #  # blacklist all *.google.com URLs
      #  - netloc: 'google.com'
      #  - netloc: '*.google.com'
      #
      #  # blacklist all plain HTTP URLs
      #  - scheme: 'http'
      #
      #  # blacklist http(s)://www.acme.com/foo
      #  - netloc: 'www.acme.com'
      #    path: '/foo'
      #
      #  # blacklist any URL with a literal IPv4 address
      #  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

  # -- How long to keep redacted events in unredacted form in the database
  retentionPeriod: 7d

  security:
    # a secret which is used to sign access tokens. If none is specified,
    # the registration_shared_secret is used, if one is given; otherwise,
    # a secret key is derived from the signing key.
    #
    # macaroonSecretKey: <PRIVATE STRING>

    # This disables the warning that is emitted when the
    # trustedKeyServers include 'matrix.org'. See below.
    # Set to false to re-enable the warning.
    #
    surpressKeyServerWarning: true

    # The trusted servers to download signing keys from.
    #
    # When we need to fetch a signing key, each server is tried in parallel.
    #
    # Normally, the connection to the key server is validated via TLS certs.
    # Additional security can be provided by configuring a `verify key`, which
    # will make synapse check that the response is signed by that key.
    #
    # This setting supercedes an older setting named `perspectives`. Old format
    # is still supported for backwards-compatibility, but it is deprecated.
    #
    # 'trustedKeyServers' defaults to matrix.org, but using it will generate a
    # warning on start-up. To suppress this warning, set
    # 'surpressKeyServerWarning' to true.
    #
    # Options for each entry in the list include:
    #
    #  serverName: the name of the server. required.
    #
    #  verifyKeys: an optional map from key id to base64-encoded public key.
    #     If specified, we will check that the response is signed by at least
    #     one of the given keys.
    #
    #  acceptKeysInsecurely: a boolean. Normally, if `verify_keys` is unset,
    #    and federation_verify_certificates is not `true`, synapse will refuse
    #    to start, because this would allow anyone who can spoof DNS responses
    #    to masquerade as the trusted key server. If you know what you are doing
    #    and are sure that your network environment provides a secure connection
    #    to the key server, you can set this to `true` to override this
    #    behaviour.
    #
    # An example configuration might look like:
    #
    # trustedKeyServers:
    #   - serverName: my_trusted_server.example.com
    #     verifyKeys:
    #       - id: "ed25519:auto"
    #         key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
    #     acceptKeysInsecurely: false
    #   - serverName: my_other_trusted_server.example.com
    trustedKeyServers: []

    # -- use an existing Kubernetes Secret for trusted server list instead of
    # matrix.security.trustedKeyServers
    trustedKeyServersExistingSecret: ""

    # -- key in existing Kubernetes Secret for trusted server list
    trustedKeyServersSecretKey: "trustedKeys"

  # -- Set to true to globally block access to the homeserver
  disabled: false
  # -- Human readable reason for why the homeserver is blocked
  disabledMessage: ""

  logging:
    # -- Root log level is the default log level for log outputs that don't
    # have more specific settings.
    rootLogLevel: WARNING
    # -- beware: increasing this to DEBUG will make synapse log sensitive
    # information such as access tokens.
    sqlLogLevel: WARNING
    # -- The log level for the synapse server
    synapseLogLevel: WARNING

  # -- use an existing secret for all msc3861 (matrix authentication service) related values
  # if set, all other msc3861 values are ignored (issuer, client_id,
  # client_auth_method, client_secret, admin_token, account_management_url)
  msc3861ExistingSecret: ""

  msc3861SecretKeys:
    # -- secret key to use in existing secret for msc3861 issuer
    issuer: ""
    # -- secret key to use in existing secret for msc3861 client id
    client_id: ""
    # -- secret key to use in existing secret for msc3861 client secret
    client_secret: ""
    # -- secret key to use in existing secret for msc3861 admin_token
    admin_token: ""
    # -- secret key to use in existing secret for msc3861 account_management_url
    account_management_url: ""

  experimental_features:
    msc3861:
      # -- experimental_feature msc3861 - enable this if you want to use the matrix authentication service
      # Likely needed if using OIDC on synapse and you want to allow usage of Element-X (the beta of element)
      # See: [Matrix authentication service home server docs](https://matrix-org.github.io/matrix-authentication-service/setup/homeserver.html#configure-the-homeserver-to-delegate-authentication-to-the-service), [full matrix authentication service docs](https://matrix-org.github.io/matrix-authentication-service/index.html), and [issue#1915](https://github.com/element-hq/element-meta/issues/1915#issuecomment-2119297748) where this is being discussed
      enabled: false

      # -- Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
      issuer: http://localhost:8080/

      # -- Matches the `mas.mas.clients[0].client_id` in the auth service config
      client_id: 0000000000000000000SYNAPSE

      # -- Matches the `client_auth_method` in the auth service config
      client_auth_method: client_secret_basic

      # -- Matches the `mas.mas.clients[0].client_secret` in the auth service config
      client_secret: "SomeRandomSecret"

      # -- Matches the `mas.mas.matrix.secret` in the auth service config
      admin_token: "AnotherRandomSecret"

      # -- URL to advertise to clients where users can self-manage their account
      # this is typically https://your-mas-domain.com/account
      account_management_url: ""

s3:
  # -- enable s3 storage via https://github.com/matrix-org/synapse-s3-storage-provider
  enabled: false
  # -- your s3 endpoint
  endpoint: ""
  # -- name of the bucket to use
  bucket: ""
  # -- optional region to use for s3
  region: ""
  # -- optional Server Side Encryption for Customer-provided keys
  sse_c_key: ""
  # -- optional SSE-C algorithm - very likely AES256
  sse_algorithm: "AES256"
  # -- use credentials from an existing kubernetes secret
  existingSecret: ""
  # these are the keys within the existing k8s secret to use for s3 credentials
  secretKeys:
    # -- key in existing secret fo the S3 key
    accessKey: "S3_ACCESS_KEY"
    # -- key in existing secret fo the S3 secret
    secretKey: "S3_SECRET_KEY"
  cronjob:
    # -- enable a regular cleanup k8s cronjob to automatically backup everything
    # to your s3 bucket for you and delete it from local disk ref:
    # https://github.com/matrix-org/synapse-s3-storage-provider/tree/main#regular-cleanup-job
    enabled: false
    # -- cron schedule to run the k8s cronjob. Defaults to every day at midnight
    schedule: "0 0 * * *"
    # -- this is the age of files you'd like to clean up, defaults files not used
    # within two months (2m)
    file_age: 2m

# Persistent volumes configuration
volumes:
  # Uploaded attachments/multimedia
  media:
    # -- Capacity of the media PVC - ignored if using exsitingClaim
    capacity: 10Gi
    # -- Storage class of the media PVC - ignored if using exsitingClaim
    storageClass: ""
    # -- name of an existing PVC to use for uploaded attachments and multimedia
    existingClaim: ""
  signingKey:
    # -- Capacity of the signing key PVC. Note: 1Mi is more than enough, but
    # some cloud providers set a min PVC size of 1Mi or 1Gi, adjust as necessary
    capacity: 1Mi
    # -- Storage class (optional)
    storageClass: ""
    # -- name of an existing persistent volume claim to use for signing key
    existingClaim: ""
  synapseConfig:
    # -- Capacity of the signing key PVC. Note: 1Mi is more than enough, but
    # some cloud providers set a min PVC size of 1Mi or 1Gi, adjust as necessary
    capacity: 1Mi
    # -- Storage class (optional)
    storageClass: ""
    # -- name of an existing persistent volume claim for synapse config file
    existingClaim: ""
  # optional PVC used only when s3.enabled is set to true, to install synapse-s3-storage-provider
  extraPipPackages:
    # -- Capacity of the extra pip packages PVC. Note: 1Mi is more than enough, but
    # some cloud providers set a min PVC size of 1Mi or 1Gi, adjust as necessary
    capacity: 100Mi
    # -- Storage class (optional)
    storageClass: ""
    # -- name of an existing persistent volume claim for the extra pip packages
    existingClaim: ""

externalDatabase:
  # -- enable using an external database *instead of* the Bitnami PostgreSQL sub-chart
  # if externalDatabase.enabled is set to true, postgresql.enabled must be set to false
  enabled: false
  # optional SSL parameters for postgresql, if using your own db instead of the subchart
  # ref: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
  # -- sslmode to use, example: verify-full
  sslmode: ""
  # make sure any paths here are reflected in synapse.extraVolumes and synapse.extraVolumeMounts
  # -- optional: tls/ssl root cert for postgresql connections
  sslrootcert: ""
  # -- optional: tls/ssl cert for postgresql connections
  sslcert: ""
  # -- optional: tls/ssl key for postgresql connections
  sslkey: ""
  # database credentials to use if you don't use an existingSecret
  # -- username of matrix postgres user
  username: matrix
  # -- password of matrix postgres user - ignored using exsitingSecret
  password: changeme
  # -- which port to use to connect to your database server
  port: 5432
  # -- hostname of db server. Can be left blank if using postgres subchart
  hostname: ""
  # -- name of the database to try and connect to
  database: "matrix"
  # -- Name of existing secret to use for PostgreSQL credentials
  existingSecret: ""
  # if externalDatabase.existingSecret is provided, the following are ignored
  # password, username, hostname, database
  # secretKeys to grab from existingSecret
  secretKeys:
    # -- key in existingSecret with hostname of the database
    databaseHostname: hostname
    # -- key in existingSecret with name of the database
    database: database
    # -- key in existingSecret with username for matrix to connect to db
    databaseUsername: username
    # -- key in existingSecret with password for matrix to connect to db
    userPasswordKey: password
    # -- key in existingSecret with the admin postgresql password
    adminPasswordKey: postgresPassword


# PostgreSQL Database configuration for synapse, for more options:
# https://github.com/bitnami/charts/tree/main/bitnami/postgresql
postgresql:
  # -- Whether to deploy the Bitnami Postgresql sub chart
  # If postgresql.enabled is set to true, externalDatabase.enabled must be set to false
  # else if externalDatabase.enabled is set to true, postgresql.enabled must be set to false
  enabled: true
  persistence:
    enabled: false
  volumePermissions:
    # -- Enable init container that changes the owner and group of the PVC
    enabled: true
  global:
    postgresql:
      # global.postgresql.auth overrides postgresql.auth
      auth:
        # database credentials to use if you don't use an existingSecret
        # -- username of matrix postgres user
        username: matrix
        # -- password of matrix postgres user - ignored using exsitingSecret
        password: changeme
        # -- which port to use to connect to your database server
        port: 5432
        # -- Name of existing secret to use for PostgreSQL credentials
        existingSecret: ""
        # secretKeys to grab from existingSecret
        # if postgresql.existingSecret is provided, the following are ignored
        # postgresql.password/username/hostname/database
        secretKeys:
          # -- key in existingSecret with hostname of the database
          databaseHostname: hostname
          # -- key in existingSecret with name of the database
          database: database
          # -- key in existingSecret with username for matrix to connect to db
          databaseUsername: username
          # -- key in existingSecret with password for matrix to connect to db
          userPasswordKey: password
          # -- key in existingSecret with the admin postgresql password
          adminPasswordKey: postgresPassword

  # primary database node config
  primary:
    # -- run the scripts in templates/postgresql/initdb-configmap.yaml
    # If using an external Postgres server, make sure to configure the database
    # ref: https://github.com/element-hq/synapse/blob/develop/docs/postgres.md
    initdb:
      scriptsConfigMap: "{{ .Release.Name }}-postgresql-initdb"

    podSecurityContext:
      enabled: true
      runAsUser: 1000
      fsGroup: 1000

# Synapse (home server that implements matrix) Kubernetes resource settings
synapse:
  image:
    # -- image registry and repository to use for synapse
    repository: "matrixdotorg/synapse"
    # -- tag of synapse docker image to use. change this to latest to grab the
    #    cutting-edge release of synapse
    tag: ""
    # -- pullPolicy for synapse image, Use Always if using image.tag: latest
    pullPolicy: IfNotPresent

  service:
    # -- service type for synpase
    type: ClusterIP
    # -- service port for synapse
    port: 80
    federation:
      type: ClusterIP
      port: 80

  ingress:
    # -- enable ingress for synapse, so the server is reachable outside the cluster
    enabled: true

    # -- @DEPRECATION: hostname for your synapse server, please use
    # synapse.ingress.hosts for ingress instead. This has been removed in helm
    # chart verison 13.0.0. You must also set matrix.hostname for all to work normally
    # host: ""

    # -- ingressClassName for the k8s ingress
    className: "nginx"
    annotations:
      # required for TLS certs issued by cert-manager
      # cert-manager.io/cluster-issuer: letsencrypt-staging

      # -- This annotation is required for the Nginx ingress provider. You can
      # remove it if you use a different ingress provider
      nginx.ingress.kubernetes.io/configuration-snippet: |
        proxy_intercept_errors off;

    hosts:
      - host: "matrix.chart-example.local"
        paths:
          - path: /
            pathType: ImplementationSpecific
            # if mas.enabled is set to true, you want pathType for / to be Prefix
            # pathType: Prefix

          # if mas.enabled is set to true, you want to uncomment the following:
          # - path: "/_matrix/client/(r0|v3)/(refresh|login|logout).*"
          #   pathType: ImplementationSpecific
          #   backend:
          #     service:
          #       value: release-name-mas
          #       port:
          #         name: http

          # if bridges.hookshot.generic.enabled, you want to uncomment the following:
          #  - path: /webhook
          #   pathType: ImplementationSpecific
          #   backend:
          #     service:
          #       value: release-name-bridge-hookshot
          #       port:
          #         name: http

    # -- enable tls for synapse ingress
    tls: []
    # to enable tls for synapse remove the [] on the line above and uncomment the
    # following lines, replacing matrix.chart-example.local with your synapse domain
    #  - secretName: "matrix-tls"
    #    hosts:
    #      - matrix.chart-example.local

  # -- replica count of the synapse pods
  replicaCount: 1

  # -- set the revisionHistoryLimit to decide how many replicaSets are
  # kept when you change a deployment. Explicitly setting this field to 0,
  # will result in cleaning up all the history of your Deployment thus that
  # Deployment will not be able to roll back.
  revisionHistoryLimit: 2

  # -- resource requests and limits for synapse
  resources: {}

  # Configure timings for readiness, startup, and liveness probes here
  probes:
    readiness:
      # -- readiness probe seconds before timing out
      timeoutSeconds: 5
      # -- readiness probe seconds trying again
      periodSeconds: 10
    startup:
      # -- startup probe seconds before timing out
      timeoutSeconds: 5
      # -- startup probe seconds trying again
      periodSeconds: 5
      # -- startup probe times to try and fail before giving up
      failureThreshold: 6
    liveness:
      # -- liveness probe seconds before timing out
      timeoutSeconds: 5
      # -- liveness probe seconds trying again
      periodSeconds: 10


  # -- securityContext for the synapse CONTAINER ONLY
  # Does not work by default in all cloud providers, disable by default
  securityContext:
    # -- user ID to run the synapse container as
    runAsUser: 1000
    # -- group ID to run the synapse container as
    runAsGroup: 1000
    # -- Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed.
    runAsNonRoot: true
    # -- Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
    readOnlyRootFilesystem: false
    # -- AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
    allowPrivilegeEscalation: false

  # -- securityContext for the entire synapse pod, including the all containers
  # Does not work by default in all cloud providers, disable by default
  podSecurityContext:
    # -- user ID to run the synapse POD as
    runAsUser: 1000
    # -- group ID to run the synapse POD as
    runAsGroup: 1000
    # -- A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.
    fsGroup: 1000
    # -- Indicates that the pod's containers must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed.
    runAsNonRoot: true
    # -- Enable if your k8s environment allows containers to chuser/setuid
    # https://github.com/matrix-org/synapse/blob/96cf81e312407f0caba1b45ba9899906b1dcc098/docker/start.py#L196
    env: false

  # -- Labels to be appended to all Synapse resources
  labels:
    component: synapse

  # Prometheus metrics for Synapse
  # https://github.com/element-hq/synapse/blob/develop/docs/metrics-howto.md
  metrics:
    # -- Whether Synapse should capture metrics on an additional endpoint
    enabled: true
    # -- Port to listen on for metrics scraping
    port: 9092
    annotations: true
    serviceMonitor:
      # -- enable a prometheus ServiceMonitor to send metrics to prometheus
      enabled: false

  # -- optiona: extra env variables to pass to the matrix synapse deployment
  extraEnv: []

  # -- optional: extra volumes for the matrix synapse deployment
  extraVolumes: []

  # -- optional: extra volume mounts for the matrix synapse deployment
  extraVolumeMounts: []

mas:
  # -- enable the MAS (Matrix Authentication Service) sub chart to use OIDC
  # This is the only way that's tested to use with element-x beta right now
  # You must also fill out matrix.experimental_feature.msc3861 if you use this method
  enabled: false
  replicaCount: 1

  image:
    repository: ghcr.io/matrix-org/matrix-authentication-service
    # -- image pull policy. if image.tag is set to "latest", set to "Always"
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is the chart appVersion.
    tag: ""

  imagePullSecrets: []
  nameOverride: ""
  fullnameOverride: ""

  serviceAccount:
    # -- Specifies whether a service account should be created
    create: true
    # -- Automatically mount a ServiceAccount's API credentials?
    automount: true
    # -- Annotations to add to the service account
    annotations: {}
    # -- The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: ""

  podAnnotations: {}
  podLabels: {}

  podSecurityContext: {}
    # fsGroup: 2000

  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true
    # runAsUser: 1000

  service:
    # -- annotations for your service
    annotations: {}
    # -- type of service
    type: ClusterIP
    # -- targetPort of service. should be the same as port for bindaddr
    targetPort: 8080
    # -- Port of service
    port: 80

  ingress:
    # -- enable ingress for matrix authentication service
    enabled: true
    className: ""
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    hosts:
      - host: chart-example.local
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  livenessProbe:
    # -- enable a liveness probe on the deployment
    enabled: false
    httpGet:
      path: /
      port: http

  readinessProbe:
    # -- enable a readiness probe on the deployment
    enabled: false
    httpGet:
      path: /
      port: http

  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 100
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80

  # Additional volumes on the output Deployment definition.
  extravolumes: []
  # - name: foo
  #   secret:
  #     secretName: mysecret
  #     optional: false

  # Additional volumeMounts on the output Deployment definition.
  extraVolumeMounts: []
  # - name: foo
  #   mountPath: "/etc/foo"
  #   readOnly: true

  nodeSelector: {}

  tolerations: []

  affinity: {}

  # PostgreSQL Database configuration for matrix-authentication-service, for more options:
  # https://github.com/bitnami/charts/tree/main/bitnami/postgresql
  postgresql:
    # -- Whether to deploy the Bitnami Postgresql sub chart
    # If postgresql.enabled is set to true, externalDatabase.enabled must be set to false
    # else if externalDatabase.enabled is set to true, postgresql.enabled must be set to false
    enabled: false
    # persistence:
    #   enabled: false
    volumePermissions:
      # -- Enable init container that changes the owner and group of the PVC
      enabled: true

    tls:
      # -- Enable TLS traffic support for postgresql, see [bitnami/charts/postgresql#securing-traffic-using-tls](https://github.com/bitnami/charts/tree/main/bitnami/postgresql#securing-traffic-using-tls)
      enabled: false
      # -- Generate automatically self-signed TLS certificates
      autoGenerated: false
      # -- Whether to use the server's TLS cipher preferences rather than the client's
      preferServerCiphers: true
      # -- Name of an existing secret that contains the certificates
      certificatesSecret: ""
      # -- Certificate filename
      certFilename: ""
      # -- Certificate key filename
      certKeyFilename: ""
      # -- CA Certificate filename
      certCAFilename: ""
      # -- File containing a Certificate Revocation List
      crlFilename: ""

    global:
      postgresql:
        # global.postgresql.auth overrides postgresql.auth
        auth:
          # database credentials to use if you don't use an existingSecret
          # -- username of matrix-authentication-service postgres user
          username: mas
          # -- password of matrix-authentication-service postgres user - ignored using exsitingSecret
          password: changeme
          # -- which port to use to connect to your database server
          port: '5432'
          # -- name of the database
          database: mas
          # -- Name of existing secret to use for PostgreSQL credentials
          existingSecret: ""
          # secretKeys to grab from existingSecret
          # if postgresql.existingSecret is provided, the following are ignored
          # postgresql.password/username/hostname/database
          secretKeys:
            # -- key in existingSecret with hostname of the database
            databaseHostname: hostname
            # -- key in existingSecret with name of the database
            database: database
            # -- key in existingSecret with username for matrix-authentication-service to connect to db
            databaseUsername: username
            # -- key in existingSecret with password for matrix-authentication-service to connect to db
            userPasswordKey: password
            # -- key in existingSecret with the admin postgresql password
            adminPasswordKey: postgresPassword

    # primary database node config
    primary:
      # -- run the scripts in templates/postgresql/initdb-configmap.yaml
      # If using an external Postgres server, make sure to configure the database
      # ref: https://github.com/element-hq/synapse/blob/develop/docs/postgres.md
      initdb:
        scriptsConfigMap: "{{ .Release.Name }}-postgresql-initdb"

      podSecurityContext:
        enabled: true
        runAsUser: 1000
        fsGroup: 1000

  externalDatabase:
    # -- enable using an external database *instead of* the Bitnami PostgreSQL sub-chart
    # if externalDatabase.enabled is set to true, postgresql.enabled must be set to false
    enabled: false
    # optional SSL parameters for postgresql, if using your own db instead of the subchart
    # ref: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
    # -- sslmode to use, example: verify-full
    sslmode: ""
    # make sure any paths here are reflected in extraVolumes and extraVolumeMounts
    # -- optional: tls/ssl root cert for postgresql connections
    sslrootcert: ""
    # -- optional: tls/ssl cert for postgresql connections
    sslcert: ""
    # -- optional: tls/ssl key for postgresql connections
    sslkey: ""
    # database credentials to use if you don't use an existingSecret
    # -- username of matrix-authentication-service postgres user
    username: mas
    # -- password of matrix-authentication-service postgres user - ignored using exsitingSecret
    password: changeme
    # -- which port to use to connect to your database server
    port: '5432'
    # -- hostname of db server. Can be left blank if using postgres subchart
    hostname: ""
    # -- name of the database to try and connect to
    database: "mas"
    # -- Name of existing secret to use for PostgreSQL credentials
    existingSecret: ""
    # if externalDatabase.existingSecret is provided, the following are ignored
    # password, username, hostname, database
    # secretKeys to grab from existingSecret
    secretKeys:
      # -- key in existingSecret with hostname of the database
      databaseHostname: hostname
      # -- key in existingSecret with name of the database
      database: database
      # -- key in existingSecret with username for matrix to connect to db
      databaseUsername: username
      # -- key in existingSecret with password for matrix to connect to db
      userPasswordKey: password
      # -- key in existingSecret with the admin postgresql password
      adminPasswordKey: postgresPassword

  networkPolicies:
    enabled: true

  # this is for storing your matrix authentication service config file
  configVolume:
    # -- name of an existing persistent volume claim to use for matrix-authentication-service config. If provided, ignores mas parameter map
    existingClaim: ""
    # -- name of storage class for the persistent volume
    storageClassName: "default"
    # -- storage capacity for creating a persistent volume
    storage: "500Mi"

  # -- Existing Kubernetes Secret for entire matrix authentication service `config.yaml` file.
  # If set, everything under the mas section of the values.yaml is ignored.
  existingMasConfigSecret: ""

  # this stands for Matrix Authentication Service and is for templating out the config.yaml
  # learn more about the config file here: https://matrix-org.github.io/matrix-authentication-service/reference/configuration.html
  mas:
    database:
      # -- if blank, this can be autogenerated from mas.postgres or mas.externalDatabase
      # settings, or you can set this to a valid [postgres URI](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING-URIS)
      uri: ""
      max_connections: 10
      min_connections: 0
      connect_timeout: 30
      idle_timeout: 600
      max_lifetime: 1800

    http:
      # -- Public URL base used when building absolute public URLs
      public_base: ""
      # -- OIDC issuer advertised by the service. Defaults to `public_base`
      issuer: ""
      # List of HTTP listeners, see below
      listeners:
        # The name of the listener, used in logs and metrics
        - name: web
          # List of resources to serve
          resources:
            # Serves the .well-known/openid-configuration document
            - name: discovery
            # Serves the human-facing pages, such as the login page
            - name: human
            # Serves the OAuth 2.0/OIDC endpoints
            - name: oauth
            # Serves the Matrix C-S API compatibility endpoints
            - name: compat
            # Serve the GraphQL API used by the frontend,
            # and optionally the GraphQL playground
            - name: graphql
              playground: true
            # Serve the given folder on the /assets/ path
            - name: assets
            #   path: ./share/assets/
          # List of addresses and ports to listen to
          binds:
            # First option: listen to the given address
            # - address: "[::]:8080"
            # Second option: listen on the given host and port combination
            - host: localhost
              port: 8080
            # Third option: listen on the given UNIX socket
            # - socket: /tmp/mas.sock
            # Fourth option: grab an already open file descriptor given by the parent process
            # This is useful when using systemd socket activation
            # - fd: 1
            #   # Kind of socket that was passed, defaults to tcp, but can be unix
            #   kind: tcp
          # Whether to enable the PROXY protocol on the listener
          proxy_protocol: false

          # -- If set, makes the listener use TLS with the provided certificate and key. more info: https://matrix-org.github.io/matrix-authentication-service/reference/configuration.html#httplisteners
          tls: {}
            # certificate: <inline PEM>
            # certificate_file: /path/to/cert.pem
            # key: <inline PEM>
            # key_file: /path/to/key.pem
            # password: <password to decrypt the key>
            # password_file: /path/to/password.txt

    masClientSecret:
      # -- use an existing secret for clients section of config.yaml for:
      # mas.clients[0].client_id, mas.clients[0].client_secret
      # if set, ignores mas.clients[0].client_id, mas.clients[0].client_secret
      existingSecret: ""

      secretKeys:
        # -- key in secret with the client_id
        client_id: "client_id"
        # -- key in secret with the client_secret
        client_secret: "client_secret"

    # see more info here:  https://matrix-org.github.io/matrix-authentication-service/reference/configuration.html#clients
    clients:
        # -- a unique identifier for the client. It must be a valid ULID, and it happens that 0000000000000000000SYNAPSE is a valid ULID.
      - client_id: "0000000000000000000SYNAPSE"
        # -- set to client_secret_basic. Other methods are possible, such as client_secret_post, but this is the easiest to set up.
        client_auth_method: client_secret_basic
        # -- a shared secret used for the homeserver to authenticate
        client_secret: "exampletest"

    # see more info here: https://matrix-org.github.io/matrix-authentication-service/reference/configuration.html#matrix
    matrix:
      # -- name of your matrix home server (synapse or dendrite) with port if needed
      homeserver: "localhost:8008"
      # -- a shared secret the service will use to call the homeserver admin API
      secret: "test"
      # -- endpoint of your matrix home server (synapse or dendrite) with port if needed
      endpoint: "https://localhost:8008"
      # -- grab the above secret from an existing k8s secret. if set, ignores mas.matrix.secret
      existingSecret: ""
      # -- name of the key in existing secret to grab matrix.secret from
      secretKey: "secret"

    # see more info here: https://matrix-org.github.io/matrix-authentication-service/reference/configuration.html#policy
    policy:
      data:
        # -- Users which are allowed to ask for admin access. If possible, use the
        # can_request_admin flag on users instead.
        admin_users: []
        #  - person1

        # -- Client IDs which are allowed to ask for admin access with a
        # client_credentials grant
        admin_clients: []
        #  - 01H8PKNWKKRPCBW4YGH1RWV279

        # Dynamic Client Registration
        client_registration:
          # -- don't require URIs to be on the same host. default: false
          allow_host_mismatch: true
          # -- allow non-SSL and localhost URIs. default: false
          allow_insecure_uris: true

        # Registration using passwords
        passwords: {}

    # see: https://matrix-org.github.io/matrix-authentication-service/reference/configuration.html#passwords
    passwords:
      # -- Whether to enable the password database.
      # If disabled, users will only be able to log in using upstream OIDC providers
      enabled: false

    # see: https://matrix-org.github.io/matrix-authentication-service/reference/configuration.html#email
    email:
      # -- email.from
      from: '"The almighty auth service" <auth@example.com>'
      # -- email.reply_to
      reply_to: '"No reply" <no-reply@example.com>'
      # -- Default transport: don't send any emails, options: blackhole, smtp,
      # sendmail, aws_ses (use AWS SESv2 API, via the AWS SDK, so the usual AWS
      # environment variables are supported)
      transport: blackhole
      # -- SMTP mode. options are plan, tls, or starttls. only used if transport is smtp
      mode: "plain"
      # -- SMTP hostname. only used if transport is smtp
      hostname: localhost
      # -- SMTP port. only used if transport is smtp
      port: 587
      # -- SMTP username. only used if transport is smtp
      username: username
      # -- SMTP password. only used if transport is smtp
      password: password
      # -- Send emails by calling a local sendmail binary, only used if transport is sendmail
      command: /usr/sbin/sendmail

    captcha:
      # -- Which service to use for CAPTCHA protection. Set to `null` (or `~`) to
      # disable CAPTCHA protection. options are: ~, null, recaptcha_v2 (google),
      # cloudflare_turnstile, or hcaptcha. see: https://matrix-org.github.io/matrix-authentication-service/reference/configuration.html#captcha
      service: ~
      # -- ignored if mas.captcha.service is ~ or null
      site_key: ""
      # -- ignored if mas.captcha.service is ~ or null
      secret_key: ""

    # see: https://matrix-org.github.io/matrix-authentication-service/setup/sso.html?highlight=ulid#general-configuration
    # and also see: https://matrix-org.github.io/matrix-authentication-service/setup/sso.html#keycloak
    upstream_oauth2:

      # -- use an existing k8s secret for upstream oauth2 client_id and client_secret
      existingSecret: ""
      secretKeys:
        # -- key in secret with the issuer
        issuer: "issuer"
        # -- key in secret with the client_id
        client_id: "client_id"
        # -- key in secret with the client_secret
        client_secret: "client_secret"
        # -- key in secret with the authorization_endpoint if discovery is disabled
        authorization_endpoint: ""
        # -- key in secret with the token_endpoint if discovery is disabled
        token_endpoint: ""
        # -- key in secret with the userinfo_endpoint if discovery is disabled
        userinfo_endpoint: ""

      # only one provider supported at this time, but if you want more, feel free to submit a PR
      providers:
        # -- A unique identifier for the provider
        # Must be a valid ULID, and can be generated using online tools like:
        # https://www.ulidtools.com
        - id: ""

          # -- The issuer URL, which will be used to discover the provider's configuration.
          # If discovery is enabled, this *must* exactly match the `issuer` field
          # advertised in `<issuer>/.well-known/openid-configuration`.
          issuer: https://example.com/

          # -- A human-readable name for the provider, which will be displayed on the login page
          # human_name: Example

          # -- A brand identifier for the provider, which will be used to display a logo
          # on the login page. Values supported by the default template are:
          #  - `apple`
          #  - `google`
          #  - `facebook`
          #  - `github`
          #  - `gitlab`
          #  - `twitter`
          # brand_name: zitadel

          # -- The client ID to use to authenticate to the provider
          client_id: ""

          # -- The client secret to use to authenticate to the provider
          # This is only used by the `client_secret_post`, `client_secret_basic`
          # and `client_secret_jwk` authentication methods
          client_secret: ""

          # -- Which authentication method to use to authenticate to the provider
          # Supported methods are:
          #   - `none`
          #   - `client_secret_basic`
          #   - `client_secret_post`
          #   - `client_secret_jwt`
          #   - `private_key_jwt` (using the keys defined in the `secrets.keys` section)
          token_endpoint_auth_method: client_secret_basic

          # -- Which signing algorithm to use to sign the authentication request when using
          # the `private_key_jwt` or the `client_secret_jwt` authentication methods
          # token_endpoint_auth_signing_alg: RS256

          # -- The scopes to request from the provider
          # In most cases, it should always include `openid` scope
          scope: "openid email profile"

          # Possible values are:
          #  - `oidc`: discover the provider through OIDC discovery,
          #     with strict metadata validation (default)
          #  - `insecure`: discover through OIDC discovery, but skip metadata validation
          #  - `disabled`: don't discover the provider and use the endpoints below
          # -- How the provider configuration and endpoints should be discovered
          discovery_mode: oidc

          # -- Whether PKCE should be used during the authorization code flow.
          # Possible values are:
          #  - `auto`: use PKCE if the provider supports it (default)
          #    Determined through discovery, and disabled if discovery is disabled
          #  - `always`: always use PKCE (with the S256 method)
          #  - `never`: never use PKCE
          pkce_method: auto

          # -- The provider authorization endpoint, takes precedence over the discovery mechanism
          authorization_endpoint: ""

          # -- The provider token endpoint. takes precedence over the discovery mechanism
          token_endpoint: ""

          # -- The provider JWKS URI. takes precedence over the discovery mechanism
          jwks_uri: ""

          # How user attributes should be mapped
          #
          # Most of those attributes have two main properties:
          #   - `action`: what to do with the attribute. Possible values are:
          #      - `ignore`: ignore the attribute
          #      - `suggest`: suggest the attribute to the user, but let them opt out
          #      - `force`: always import the attribute, and don't fail if it's missing
          #      - `require`: always import the attribute, and fail if it's missing
          #   - `template`: a Jinja2 template used to generate the value. In this template,
          #      the `user` variable is available, which contains the user's attributes
          #      retrieved from the `id_token` given by the upstream provider.
          #
          # Each attribute has a default template which follows the well-known OIDC claims.
          #
          claims_imports:
            # -- The subject is an internal identifier used to link the
            # user's provider identity to local accounts.
            # By default it uses the `sub` claim as per the OIDC spec,
            # which should fit most use cases.
            subject:
              template: "{{ user.sub }}"

            # -- The localpart is the local part of the user's Matrix ID.
            # For example, on the `example.com` server, if the localpart is `alice`,
            #  the user's Matrix ID will be `@alice:example.com`.
            localpart:
              action: require
              template: "{{ user.preferred_username }}"

            # -- The display name is the user's display name.
            displayname:
              action: suggest
              template: "{{ user.name }}"

            # -- An email address to import.
            email:
              action: suggest
              template: "{{ user.email }}"
              # -- Whether the email address must be marked as verified.
              # Possible values are:
              #  - `import`: mark the email address as verified if the upstream provider
              #     has marked it as verified, using the `email_verified` claim.
              #     This is the default.
              #   - `always`: mark the email address as verified
              #   - `never`: mark the email address as not verified
              set_email_verification: always
element:
  # -- Set to false to disable a deployment of Element. Users will still be able
  # to connect via any other instances of Element e.g. https://app.element.io,
  # Element Desktop, or any other Matrix clients
  enabled: true

  # -- set the revisionHistoryLimit to decide how many replicaSets are
  # kept when you change a deployment. Explicitly setting this field to 0,
  # will result in cleaning up all the history of your Deployment thus that
  # Deployment will not be able to roll back.
  revisionHistoryLimit: 2

  ingress:
    # -- ingressClassName for the k8s ingress
    className: "nginx"
    # -- enable ingress for element
    enabled: true
    tls:
      # -- enable a fairly stock ingress, open a github issue if you need more features
      enabled: true
      # -- name for the element tls secret for ingress
      secretName: "element-tls"
    # -- the hostname to use for element
    host: element.chart-example.local
    annotations:
      # This annotation is required for the Nginx ingress provider. You can
      # remove it if you use a different ingress provider
      nginx.ingress.kubernetes.io/configuration-snippet: |
        proxy_intercept_errors off;
      # -- required for TLS certs issued by cert-manager
      cert-manager.io/cluster-issuer: letsencrypt-staging

  # Organization/enterprise branding
  branding:
    # -- brand shown in email notifications
    brand: "Element"
    # -- Background of login splash screen
    welcomeBackgroundUrl: ""
    # -- Logo shown at top of login screen
    authHeaderLogoUrl: ""
    # -- Array of links to show at the bottom of the login screen
    authFooterLinks: []
    #  - text:
    #    url:

  # Element integrations configuration
  integrations:
    # -- enables the Integrations menu, including:
    #    widgets, bots, and other plugins to Element
    #    disabled by default as this is for enterprise users
    enabled: false
    # -- UI to load when a user selects the Integrations button at the top-right
    #    of a room
    ui: "https://scalar.vector.im/"
    # -- API for the integration server
    api: "https://scalar.vector.im/api"
    # -- Array of API paths providing widgets
    widgets:
      - "https://scalar.vector.im/_matrix/integrations/v1"
      - "https://scalar.vector.im/api"
      - "https://scalar-staging.vector.im/_matrix/integrations/v1"
      - "https://scalar-staging.vector.im/api"
      - "https://scalar-staging.element.im/scalar/api"

  # -- Experimental features in Element, see:
  # https://github.com/vector-im/element-web/blob/develop/docs/labs.md
  labs:
    - feature_new_spinner
    - feature_pinning
    - feature_custom_status
    - feature_custom_tags
    - feature_state_counters
    - feature_many_integration_managers
    - feature_mjolnir
    - feature_dm_verification
    - feature_bridge_state
    - feature_presence_in_room_list
    - feature_custom_themes

  # -- Servers to show in the Explore menu (the current server is always shown)
  roomDirectoryServers:
    - matrix.org

  # -- Set to the user ID (@username:domain.tld) of a bot to invite all new
  # users to a DM with the bot upon registration
  welcomeUserId: ""

  # -- Prefix before permalinks generated when users share links to rooms,
  # users, or messages. If running an unfederated Synapse, set the below to the
  # URL of your Element instance.
  permalinkPrefix: "https://matrix.to"

  # Element Kubernetes resource settings
  image:
    # -- registry and repository to use for element docker image
    repository: "vectorim/element-web"
    # -- tag to use for element docker image
    tag: v1.11.88
    # -- pullPolicy to use for element image, set to Always if using latest tag
    pullPolicy: IfNotPresent
  service:
    # -- service type for element
    type: ClusterIP
    # -- service port for element
    port: 80

  # -- replicas for element pods
  replicaCount: 1
  resources: {}
  probes:
    readiness: {}
    startup: {}
    liveness: {}

  # -- Element specific labels
  labels:
    component: element

# Settings for Coturn TURN relay, used for routing voice calls
coturn:
  # -- Set to false to disable the included deployment of Coturn
  enabled: false

  certificate:
    # -- set to true to generate a TLS certificate for encrypted comms
    enabled: false
    # -- hostname for TLS cert
    host: turn.example.com
    # -- cert-manager cert Issuer or ClusterIssuer to use
    issuerName: "letsencrypt-staging"

  # -- URIs of the Coturn servers. If deploying Coturn with this chart, include
  # the public IPs of each node in your cluster (or a DNS round-robin hostname)
  # You can also include an external Coturn instance if you'd prefer
  uris: []
  #  - "turn:turn.example.com?transport=udp"

  # -- Whether to allow guests to use the TURN server
  allowGuests: true

  # -- shared secert for comms b/w Synapse/Coturn. autogenerated if not provided
  sharedSecret: ""
  # -- Optional: name of an existingSecret with key for sharedSecret
  existingSecret: ""
  # -- key in existing secret with sharedSecret value. Required if
  # coturn.enabled=true and existingSecret not ""
  secretKey: "coturnSharedSecret"

  # -- UDP port range for TURN connections
  ports:
    from: 3478
    to: 3478

  service:
    # The type of service to deploy for routing Coturn traffic. Options:
    #   ClusterIP: Recommended for DaemonSet configurations. This will create a
    #              standard Kubernetes service for Coturn within the cluster.
    #              No external networking will be configured as the DaemonSet
    #              will handle binding to each Node's host networking
    #
    #   NodePort:  Recommended for Deployment configurations. This will open
    #              TURN ports on every node and route traffic on these ports to
    #              the Coturn pods. You will need to make sure your cloud
    #              provider supports the cluster config setting,
    #              apiserver.service-node-port-range, as this range must contain
    #              the ports defined above for the service to be created.
    type: ClusterIP
    # -- I don't actually know what this is 🤔 open a PR if you know
    externalTrafficPolicy: Local

  image:
    # -- container registry and repo for coturn docker image
    repository: "coturn/coturn"
    # -- docker tag for coturn server
    tag: ""
    # -- image pull policy, set to Always if using image.tag: latest
    pullPolicy: IfNotPresent

  # -- ref: kubernetes.io/docs/concepts/configuration/manage-resources-containers
  resources: {}

  # -- Coturn specific labels
  labels:
    component: coturn

  externalDatabase:
    # -- enables the use of postgresql instead of the default sqlite for coturn
    # to use the bundled subchart, enable this, and postgresql.enable
    enabled: false
    # -- Currently only postgresql is supported. mysql coming soon
    type: "postgresql"
    # -- required if externalDatabase.enabled: true and postgresql.enabled:false
    hostname: ""
    # -- username for database, ignored if existingSecret is passed in
    username: ""
    # -- password for database, ignored if existingSecret is passed in
    password: ""
    # -- database to create, ignored if existingSecret is passed in
    database: ""
    # -- name of existing Secret to use for postgresql credentials
    existingSecret: ""
    # Names of the keys in existing secret to use for PostgreSQL credentials
    secretKeys:
      # -- key in existing Secret to use for the db user
      username: ""
      # -- key in existing Secret to use for db user's password
      password: ""
      # -- key in existing Secret to use for the database name
      database: ""
      # -- key in existing Secret to use for the db's hostname
      hostname: ""

  # PostgreSQL chart configuration for coturn
  # see: https://github.com/bitnami/charts/tree/main/bitnami/postgresql
  postgresql:
    # -- enables bitnami postgresql subchart, you can disable to use external db
    enabled: false
    global:
      postgresql:
        # -- global.postgresql.auth overrides postgresql.auth
        auth:
          # -- username for database, ignored if existingSecret is passed in
          username: "coturn"
          # -- password for db, autogenerated if empty & existingSecret empty
          password: ""
          # -- database to create, ignored if existingSecret is passed in
          database: "coturn"
          # -- name of existing Secret to use for postgresql credentials
          existingSecret: ""
          # Names of the keys in existing secret to use for PostgreSQL creds
          # all of these are ignored if existingSecret is empty
          secretKeys:
            # -- key in existingSecret for database to create
            hostname: "hostname"
            # -- key in existingSecret for database to create
            database: "database"
            # -- key in exsiting Secret to use for the coturn user
            username: "username"
            # -- key in existing Secret to use for postgres admin user's password
            adminPasswordKey: "postgresPassword"
            # -- key in existing Secret to use for coturn user's password
            userPasswordKey: "password"

  persistence:
    # -- existing PVC to use instead of creating one on the fly
    existingClaim: ""
    # -- annotations for the PVC, ignored if persistence.existingClaim passed in
    annotations: {}
    # -- access mode for the PVC, ignored if persistence.existingClaim passed in
    accessMode: "ReadWriteOnce"
    # -- size of the PVC, ignored if persistence.existingClaim passed in
    size: "1Mi"
    # -- storageClass for the PVC, ignored if persistence.existingClaim passed in
    storageClass: ""

  # most coturn config parameters that you really need
  coturn:
    # --  hostname for the coturn server realm
    realm: "turn.example.com"

    auth:
      # -- username for the main user of the turn server
      username: "coturn"
      # -- password for the main user of the turn server
      password: ""
      # -- existing secret with keys username/password for coturn
      existingSecret: ""
      secretKeys:
        # -- key in existing secret for turn server user
        username: username
        # -- key in existing secret for turn server user's password
        password: password

    # -- coturn's listening IP address
    listeningIP: "0.0.0.0"

    ports:
      # -- minimum ephemeral port for coturn
      min: 49152
      # -- maximum ephemeral port for coturn
      max: 65535
      # -- insecure listening port
      listening: 3478
      # -- secure listening port
      tlsListening: 5349

    # -- set the logfile. Defaults to stdout for use with kubectl logs
    logFile: "stdout"

    # -- extra configuration for turnserver.conf
    extraTurnserverConfiguration: |
      verbose

  # k8s pod security context:
  # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  securityContext:
    # -- for all Containers in the Pod, all processes run w/ this userID
    runAsUser: 1000
    # -- for all Containers in the Pod, all processes run w/ this GroupID
    runAsGroup: 1000
    # -- all processes of the container are also part of the supplementary groupID
    fsGroup: 1000
    # -- allow modificatin to root filesystem
    readOnlyRootFilesystem: false
    # -- allow priviledged access
    allowPrivilegeEscalation: true
    capabilities:
      # -- linux cabilities to allow for the coturn k8s pod
      add: ["NET_BIND_SERVICE"]
      # -- linux cabilities to disallow for the coturn k8s pod
      drop: ["ALL"]


# Settings for email notifications
mail:
  # -- disabled all email notifications by default. NOTE: If enabled, either
  # enable the Exim relay or configure an external mail server below
  enabled: false
  # -- Name and email address for outgoing mail
  from: "Matrix <matrix@example.com>"
  # -- Optional: Element instance URL.
  # If ingress is enabled, this is unnecessary, else if this is empty, emails
  # will contain a link to https://app.element.io
  elementUrl: ""

  # Exim relay
  relay:
    # -- whether to enable exim relay or not
    enabled: true
    image:
      repository: "devture/exim-relay"
      tag: "4.95-r0"
      pullPolicy: IfNotPresent
    service:
      type: ClusterIP
      port: 25
    replicaCount: 1
    resources: {}
    probes:
      readiness: {}
      startup: {}
      liveness: {}
    # Mail relay specific labels
    labels:
      component: mail

  # External SMTP (mail) server
  external:
    # -- External mail server hostname - ignored if existingSecret not ""
    host: ""
    # -- External mail server port INSECURE: 25, SSL: 465, STARTTLS: 587
    port: 587
    # -- External mail server username - ignored if existingSecret not ""
    username: ""
    # -- External mail server password - ignored if existingSecret not ""
    password: ""
    # -- require TLS, I think
    requireTransportSecurity: true
    # -- use an existing k8s Secret for your host, username, and password
    existingSecret: ""
    # -- secret keys to use for your existing SMTP server
    secretKeys:
      host: "host"
      username: "username"
      password: "password"

############################################################################
#  Bridges to synapse, for services such as Discord, Webhooks, IRC, and RSS
############################################################################
bridges:
  alertmanager:
    enabled: false
    image:
      # -- alertmanager bridge docker image
      repository: "jessebot/matrix-alertmanager-bot"
      # -- alertmanager bridge docker image tag
      tag: "0.12.0"
      # -- alertmanager bridge docker image pull policy. If tag is "latest", set tag to "Always"
      pullPolicy: IfNotPresent

    service:
      # -- service type for the alertmanager bridge
      type: ClusterIP

    # -- alertmanager bridge pod replicas
    replicaCount: 1

    # -- set the revisionHistoryLimit to decide how many replicaSets are
    # kept when you change a deployment. Explicitly setting this field to 0,
    # will result in cleaning up all the history of your Deployment thus that
    # Deployment will not be able to roll back.
    revisionHistoryLimit: 2

    existingSecret:
      registration: ""

    # this section is for registering the application service with matrix
    # read more about application services here:
    # https://spec.matrix.org/v1.11/application-service-api/
    registration:
      # -- name of the application service
      id: "alertmanager"
      # -- url of the alertmanager service. if not provided, we will template it
      # for you like http://matrix-alertmanager-service:3000
      url: ""
      # -- should this bot be rate limited?
      rate_limited: false
      # -- localpart of the user associated with the application service.
      # Events will be sent to the AS if this user is the target of the event,
      # or is a joined member of the room where the event occurred.
      sender_localpart: "alertmanager"
      # A secret token that the application service will use to authenticate
      # requests to the homeserver.
      as_token: ""
      # -- Use an existing Kubernetes Secret to store your own generated appservice
      # and homeserver tokens. If this is not set, we'll generate them for you.
      # Setting this won't override the ENTIRE registration.yaml we generate for
      # the synapse pod to authenticate mautrix/discord. It will only replaces the tokens.
      # To replaces the ENTIRE registration.yaml, use
      # bridges.alertmanager.existingSecret.registration
      existingSecret: ""
      existingSecretKeys:
        # -- key in existingSecret for as_token (application service token). If
        # provided and existingSecret is set, ignores bridges.alertmanager.registration.as_token
        as_token: "as_token"
        # -- key in existingSecret for hs_token (home server token)
        hs_token: "hs_token"

    encryption: false

    config:
      # -- alertmanager's container port
      app_port: 3000
      # -- secret key for the alertmanager webhook config URL
      app_alertmanager_secret: ""
      # -- your homeserver url, e.g. https://homeserver.tld
      homeserver_url: ""

      bot:
        # -- user in matrix for the the alertmanager bot e.g. alertmanager
        # which becomes @alertmanager:homeserver.tld
        user: "alertmanager"
        # -- optional: display name to set for the bot user
        display_name: ""
        # -- optional: mxc:// avatar to set for the bot user
        avatar_url: ""
        # -- rooms to send alerts to, separated by a |
        # Each entry contains the receiver name (from alertmanager) and the
        # internal id (not the public alias) of the Matrix channel to forward to.
        rooms: ""
        # -- Set this to true to make firing alerts do a `@room` mention.
        # NOTE! Bot should also have enough power in the room for this to be useful.
        mention_room: false

      # -- set to enable Grafana links, e.g. https://grafana.example.com
      grafana_url: ""
      # -- grafana data source, e.g. default
      grafana_datasource: ""
      # -- set to enable silence link, e.g. https://alertmanager.example.com
      alertmanager_url: ""

  # see: https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html
  hookshot:
    # -- enable the [hookshot](https://matrix-org.github.io/matrix-hookshot) bridge
    enabled: false

    # -- if you'd like to enable encryption in your registration.yml
    encryption: false

    image:
      # -- hookshot bridge docker image
      repository: "halfshot/matrix-hookshot"
      # -- hookshot bridge docker image tag
      tag: "6.0.1"
      # -- hookshot bridge docker image pull policy. If tag is "latest", set tag to "Always"
      pullPolicy: IfNotPresent

    # -- hookshot bridge pod replicas
    replicaCount: 1

    # -- set the revisionHistoryLimit to decide how many replicaSets are
    # kept when you change a deployment. Explicitly setting this field to 0,
    # will result in cleaning up all the history of your Deployment thus that
    # Deployment will not be able to roll back.
    revisionHistoryLimit: 2

    # -- resources limits/requests for the hookshot bridge pod
    resources: {}

    service:
      # -- service type for the hookshot bridge
      type: ClusterIP
      webhook:
        # -- webhook service port for the hookshot bridge
        port: 9000
      metrics:
        # -- metrics service port for the hookshot bridge
        port: 9001
      appservice:
        # -- appservice service port for the hookshot bridge
        port: 9993

    # -- hookshot pod security context
    podSecurityContext: {}

    # -- hookshot container securityContext
    securityContext: {}
    #  runAsUser: 1000
    #  runAsGroup: 1000
    #  capabilities:
    #    drop:
    #      - ALL
    #  readOnlyRootFilesystem: true
    #  allowPrivilegeEscalation: false


    # -- If bridges.hookshot.passkey AND bridges.hookshot.existingSecret.passkey are
    # BOTH empty strings, we will generate a passkey for you. To Generate yourself:
    # openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
    passkey: ""

    # -- use the name of an existing ConfigMap for hookshot bridge. If set, ignores
    # entire bridges.hookshot.config section
    existingConfigMap: ""

    # optionally use existing kubernetes Secrets for passkey.pem, registration.yml, config.yml
    existingSecret:
      # -- optionally use existing kubernetes Secret for passkey.pem, ignores hookshot.passkey
      passkey: ""
      # -- optionally use existing kubernetes Secret for registration
      registration: ""
      # -- optionally use existing kubernetes Secret for config.yml, ignores hookshot.config
      config: ""

    # this file config is used to register the hookshot service with synapse
    # if you don't provide any of these parameters, we will guess them
    registration:
      # -- This should match the bridges.hookshot.config.bridge.port in your config file
      url: ""
      sender_localpart: "hookshot"
      rate_limited: false
      # To replace the ENTIRE registration.yaml, use
      # bridges.hookshot.existingSecret.registration
      existingSecret: ""
      existingSecretKeys:
        # -- key in existingSecret for as_token (application service token)
        as_token: "as_token"
        # -- key in existingSecret for hs_token (home server token)
        hs_token: "hs_token"

    config:
      bridge:
        # -- if not set, defaults to matrix.serverName
        domain: ""
        # -- url in example is http://localhost:8008, but if not set, we use matrix.baseUrl
        url: ""
        # -- example is https://example.com, but if left blank, we don't include it
        mediaUrl: ""
        # -- the port to run the application service on
        port: 9993
        # -- this probably shouldn't change since we're using docker
        bindAddress: 0.0.0.0

      # -- A passkey used to encrypt tokens stored inside the bridge.
      passFile: /data/passkey.pem

      logging:
        # -- log severity level. Options: debug, info, warn, error
        level: info
        # -- enable text colors in logging
        colorize: true
        # -- enable json formatted logging
        json: false
        # -- logging timestamp format
        timestampFormat: HH:mm:ss:SSS

      listeners:
        # HTTP Listener configuration.
        # Bind resource endpoints to ports and addresses.
        # 'port' must be specified. Each listener must listen on a unique port.
        # 'bindAddress' will default to '127.0.0.1' if not specified, which may not be suited to Docker environments.
        # 'resources' may be any of webhooks, metrics, provisioning
        - port: 9000
          bindAddress: 0.0.0.0
          resources:
            - webhooks
        - port: 9001
          bindAddress: 0.0.0.0
          resources:
            - metrics
            - provisioning
        # - port: 9002
        #   bindAddress: 0.0.0.0
        #   resources:
        #     - widgets

      # https://matrix-org.github.io/matrix-hookshot/latest/setup/github.html
      github:
        # -- enable GitHub support in the hookshot bridge
        enabled: false
        # -- grab sensitive values for github from an existing Kubernetes secret
        existingSecret: ""
        existingSecretKeys:
          # -- key in existing Kubernetes secret for GitHub auth.id which is the GitHub App ID
          auth_id: ""
          # -- key in existing Kubernetes secret for GitHub webhook secret
          webhook_secret: ""
          # -- key in existing Kubernetes secret for GitHub oauth client id
          oauth_client_id: ""
          # -- key in existing Kubernetes secret for GitHub oauth client secret
          oauth_client_secret: ""
          # -- key in existin Kubernetes secret for GitHub privatekey
          private_key: ""

        # -- If you are using an on-premise / enterprise edition of GitHub,
        # you need provide the base URL in enterpriseUrl. You do not need to
        # specify the /api/... path in the URL
        enterpriseUrl: ""
        auth:
          # -- App ID for the GitHub App, e.g. 123
          id: ""
          # -- privateKeyFile can be generated by clicking "Generate a private key"
          # under the Private keys section on the GitHub app page.
          privateKeyFile: /data/github-key.pem

        webhook:
          # -- Webhook settings for the GitHub app. example showed value secrettoken
          secret: ""

        # -- oauth section should include both the Client ID and Client Secret
        # on the GitHub App page. The redirect_uri value must be the public path
        # to /oauth on the webhooks path. E.g. if your load balancer points
        # https://example.com/hookshot to the bridge webhooks listener, you should
        # use the path https://example.com/hookshot/oauth. This value MUST exactly
        # match the Callback URL on the GitHub App page.
        oauth:
          client_id: ""
          client_secret: ""
          redirect_uri: ""

        # -- (Optional) Default options for GitHub connections. see docs for more:
        # https://matrix-org.github.io/matrix-hookshot/latest/usage/room_configuration/github_repo.html#configuration
        defaultOptions:
          showIssueRoomLink: false
          hotlinkIssues:
            prefix: "#"

        # -- (Optional) Prefix used when creating ghost users for GitHub accounts.
        userIdPrefix: _github_

      # https://matrix-org.github.io/matrix-hookshot/latest/setup/gitlab.html
      gitlab:
        # -- enable GitLab support in the hookshot bridge
        enabled: false

        # -- gitlab instances to use
        instances: {}
        # gitlab.com:
        #   url: https://gitlab.com

        webhook:
          # -- example showed value of secrettoken
          secret: ""
          # -- example showed https://example.com/hookshot/
          publicUrl: ""

        # -- (Optional) Prefix used when creating ghost users for GitLab accounts.
        # docs suggest: "_gitlab_"
        userIdPrefix: ""

        # -- (Optional) Aggregate comments by waiting this many miliseconds before posting them to Matrix. Defaults to 5000 (5 seconds)
        commentDebounceMs: 5000

      figma:
        # -- (Optional) Configure this to enable Figma support
        enabled: false
        publicUrl: https://example.com/hookshot/
        instances:
          your-instance:
            teamId: your-team-id
            accessToken: your-personal-access-token
            passcode: your-webhook-passcode

      generic:
        # -- enable support for generic webhook events via the hookshot bridge,
        # see [docs](https://matrix-org.github.io/matrix-hookshot/latest/setup/webhooks.html) for more info
        enabled: false
        # -- configure Hookshot to send outgoing requests to other services when
        # a message appears on Matrix
        outbound: false
        # -- means that webhooks can be triggered by GET requests, in addition to
        # POST and PUT. This was previously on by default, but is now disabled
        # due to concerns mentioned in docs.
        enableHttpGet: false
        # -- describes the public facing URL of your webhook handler. For instance,
        # if your load balancer redirected webhook requests from
        # https://example.com/mywebhookspath to the bridge (on /webhook), an
        # example webhook URL would look like: https://example.com/mywebhookspath/abcdef.
        urlPrefix: ""
        # -- create a specific user for each new webhook connection in a room.
        # For example, a connection with a name like example for a prefix of
        # webhook_ will create a user called @webhook_example:example.com. If you
        # enable this option, you need to configure the user to be part of your
        # registration file
        userIdPrefix: ""
        # -- will allow users to write short transformation snippets in code,
        # and thus is unsafe in untrusted environments
        allowJsTransformationFunctions: false
        # -- causes the bridge to wait until the webhook is processed before
        # sending a response. Some services prefer you always respond with a 200
        # as soon as the webhook has entered processing (false) while others
        # prefer to know if the resulting Matrix message has been sent (true)
        waitForComplete: false

      feeds:
        # -- enable RSS/Atom feed support
        enabled: false
        pollConcurrency: 4
        # -- specifies how often each feed will be checked for updates. It may be checked less often if under exceptional load, but it will never be checked more often than every pollIntervalSeconds
        pollIntervalSeconds: 600
        pollTimeoutSeconds: 30


      provisioning:
        # -- (Optional) Provisioning API for integration managers
        enabled: false
        secret: "!secretToken"

      # (Optional) Define profile information for the bot user
      bot:
        # -- Define profile display name for the bot user
        displayname: ""
        # -- optional: Define profile avatar for the bot user
        # example: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d
        avatar: ""

      # -- (Optional) Define additional bot users for specific services
      serviceBots: []
      #  - localpart: feeds
      #    displayname: Feeds
      #    avatar: ./assets/feeds_avatar.png
      #    prefix: "!feeds"
      #    service: feeds

      metrics:
        # -- enable Prometheus metrics support from hookshot to Prometheus, see
        # [docs](https://matrix-org.github.io/matrix-hookshot/latest/metrics.html)
        enabled: false

      # -- (Optional) Cache options for large scale deployments.
      cache:
        # -- For encryption to work, this must be configured.
        # example value: redis://localhost:6379
        redisUri: ""

      # -- (Optional) Message queue configuration options for large scale deployments.
      queue:
        # -- For encryption to work, this must not be configured.
        # example value: redis://localhost:6379
        redisUri: ""

      widgets:
        # -- (Optional) EXPERIMENTAL support for complimentary widgets
        enabled: false
        # -- The admin room feature is still very barebones so while it's
        # included here for completeness, most instances should leave
        # addToAdminRooms off (as it is by default). This flag will add an
        # "admin room" widget to user admin rooms.
        addToAdminRooms: false
        # -- which IP ranges should be disallowed when resolving homeserver IP
        # addresses (for security reasons). Unless you know what you are doing,
        # it is recommended to not include this key. The default blocked IPs are
        # listed below for your convenience. In addition to setting up the widgets
        # config, you must bind a listener for the widgets resource in your listeners config.
        disallowedIpRanges: []
        #  - 127.0.0.0/8
        #  - 10.0.0.0/8
        #  - 172.16.0.0/12
        #  - 192.168.0.0/16
        #  - 100.64.0.0/10
        #  - 192.0.0.0/24
        #  - 169.254.0.0/16
        #  - 192.88.99.0/24
        #  - 198.18.0.0/15
        #  - 192.0.2.0/24
        #  - 198.51.100.0/24
        #  - 203.0.113.0/24
        #  - 224.0.0.0/4
        #  - ::1/128
        #  - fe80::/10
        #  - fc00::/7
        #  - 2001:db8::/32
        #  - ff00::/8
        #  - fec0::/10

        # -- The room setup feature is more complete, supporting generic webhook
        # configuration (with more options coming soon). This can be enabled by
        # setting roomSetupWidget to an object. You can add the widget by saying
        # !hookshot setup-widget in any room. When addOnInvite is true, the bridge
        # will add a widget to rooms when the bot is invited, and the room has
        # no existing connections.
        roomSetupWidget:
          addOnInvite: false
        # -- should be set to the publicly reachable address for the widget
        # public content. By default, Hookshot hosts this content on the widgets
        # listener under /widgetapi/v1/static.
        publicUrl: https://example.com/widgetapi/v1/static/
        branding:
          # allows you to change the strings used for various bits of widget UI.
          # At the moment you can: Set widgetTitle to change the title of the
          # widget that is created.
          widgetTitle: Hookshot Configuration
        # -- allows you to configure the correct federation endpoints for a
        # given set of Matrix server names. This is useful if you are
        # testing/developing Hookshot in a local dev environment. Production
        # environments should not use this configuration (as their Matrix server
        # name should be resolvable). The config takes a mapping of Matrix server
        # name => base path for federation. E.g. if your server name was
        # my-local-server and your federation was readable via
        # http://localhost/_matrix/federation,
        # you would put configure my-local-server: "http://localhost"
        openIdOverrides: {}
        #  my-local-server: "http://localhost"

      # -- (Optional) Configure Sentry error reporting
      sentry:
        # -- example value: https://examplePublicKey@o0.ingest.sentry.io/0
        dsn: ""
        # -- example value: production
        environment: ""

      # -- (Optional) Permissions for using the bridge. See
      # [docs](https://matrix-org.github.io/matrix-hookshot/latest/setup.html#permissions)
      permissions: []
      #  - actor: example.com
      #    services:
      #      - service: "*"
      #        level: admin

  irc:
    # -- Set to true to enable the IRC bridge
    enabled: false
    # -- Whether to enable presence (online/offline indicators). If presence is
    # disabled for the homeserver (above), it should be disabled here too
    presence: false
    # -- Postgres database to store IRC bridge data in, this db will be created
    # if postgresql.enabled: true, otherwise you must create it manually
    database: "matrix_irc"
    databaseSslVerify: true

    # Object of IRC servers to connect to. Ref: https://tinyurl.com/mr2ee5ts
    servers:
      chat.freenode.net:
        # -- A human-readable short name.
        name: "Freenode"
        # -- The port to connect to. Optional.
        port: 6697
        # -- Whether to use SSL or not. Default: false.
        ssl: true

    data:
      # -- Size of the data PVC to allocate
      capacity: 1Mi

    image:
      repository: "matrixdotorg/matrix-appservice-irc"
      tag: "release-1.0.1"
      pullPolicy: IfNotPresent
    replicaCount: 1
    resources: {}
    service:
      type: ClusterIP
      port: 9006

  whatsapp:
    # -- Set to true to enable the WhatsApp bridge
    enabled: false

    bot:
      # -- Username of the WhatsApp bridge bot
      username: "whatsappbot"

      # -- display name of the WhatsApp bridge bot
      displayName: "WhatsApp bridge bot"

      # -- avatar of the WhatsApp bridge bot
      # example: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr
      avatar: ""

    # -- Permissions for using the bridge.
    # Permitted values:
    # relaybot - Talk through the relaybot (if enabled), no access otherwise
    #     user - Access to use the bridge to chat with a WhatsApp account.
    #    admin - User level and some additional administration tools
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions:
      "*": relaybot

    # WhatsApp server connection settings
    connection:
      # -- WhatsApp server connection timeout (seconds)
      timeout: 20
      # -- Number of QR codes to store, which multiplies the connection timeout
      qrRegenCount: 2
      # -- Maximum number of connection attempts before failing
      maxAttempts: 3
      # -- Retry delay. Negative numbers are exponential backoff:
      # -connection_retry_delay + 1 + 2^attempts
      retryDelay: -1
      # -- Whether or not to notify the user when attempting to reconnect. Set
      # to false to only report when maxAttempts has been reached
      reportRetry: true

    # -- Send notifications for incoming calls
    callNotices: true

    users:
      # -- Username for WhatsApp users. Evaluated as a template where {{.}} is
      # replaced with the phone number of the WhatsApp user
      username: "whatsapp_{{.}}"

      # -- Display name for WhatsApp users
      # Evaluated as a template, with variables:
      # {{.Notify}} - nickname set by the WhatsApp user
      # {{.Jid}}    - phone number (international format)
      # following vars are available, but cause issue on multi-user instances:
      # {{.Name}}   - display name from contact list
      # {{.Short}}  - short display name from contact list
      displayName: "{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)"

    # -- Display name for communities. A community will be automatically
    # generated for each user using the bridge, and can be used to group
    # WhatsApp chats together. Evaluated as a template, with variables:
    # {{.Localpart}} - MXID localpart
    # {{.Server}}    - MXID server part of the user.
    communityName: "whatsapp_{{.Localpart}}={{.Server}}"

    relaybot:
      # -- Set to true to enable the relaybot and management room
      enabled: false

      # -- Management room for the relay bot where status notifs are posted
      management: "!foo:example.com"

      # Users to invite to the management room automatically
      invites: []

    data:
      # -- Size of the PVC to allocate for the SQLite database
      capacity: 512Mi
      # -- Storage class (optional)
      storageClass: ""

    image:
      repository: "dock.mau.dev/tulir/mautrix-whatsapp"
      tag: "latest"
      pullPolicy: Always
    replicaCount: 1
    resources: {}
    service:
      type: ClusterIP
      port: 29318

  discord_mautrix:
    # -- Set to true to enable the Discord bridge. Learn more in the
    # [mautrix bridge docs](https://docs.mau.fi/bridges/go/discord/index.html).
    enabled: false

    # -- set the revisionHistoryLimit to decide how many replicaSets are
    # kept when you change a deployment. Explicitly setting this field to 0,
    # will result in cleaning up all the history of your Deployment thus that
    # Deployment will not be able to roll back.
    revisionHistoryLimit: 2

    image:
      # -- docker image repo for mautrix/discord bridge
      repository: "dock.mau.dev/mautrix/discord"
      # -- tag for mautrix/discord bridge docker image
      tag: "8d01c30014978e2360d5cb102e96542ecb2402b6-amd64"
      pullPolicy: IfNotPresent

    service:
      type: ClusterIP
      bridge:
        port: 29334

    # -- security context for the init container and main container in the discord pod
    securityContext: {}
    #  runAsUser: 1337
    #  runAsGroup: 1337

    # -- security context for the entire mautrix/discord pod
    podSecurityContext: {}
    #  runAsUser: 1337
    #  fsGroup: 1337

    registration:
      # -- I don't actually know what this does
      sender_localpart: "discord"
      # -- Use an existing Kubernetes Secret to store your own generated appservice
      # and homeserver tokens. If this is not set, we'll generate them for you.
      # Setting this won't override the ENTIRE registration.yaml we generate for
      # the synapse pod to authenticate mautrix/discord. It will only replaces the tokens.
      # To replaces the ENTIRE registration.yaml, use
      # bridges.discord_mautrix.existingSecret.registration
      existingSecret: ""
      existingSecretKeys:
        # -- key in existingSecret for as_token (appservice token)
        as_token: "as_token"
        # -- key in existingSecret for hs_token (home server token)
        hs_token: "hs_token"

    # -- use an existingSecret for mautrix/discord bridge config.yaml,
    # if set, ignores everything under bridges.discord_mautrix.config
    # Cannot be used in combination with bridges.discord_mautrix.registration.existingSecret.
    existingSecret:
      registration: ""
      config: ""

    # -- extra volumes for the mautrix/discord deployment
    extraVolumes: []

    # -- extra volumeMounts for the mautrix/discord deployment
    extraVolumeMounts: []

    # -- optional: if set and bridges.discord_mautrix.config.permissions are NOT
    # set below, we'll use this list of admin users to template an admin user
    # using your matrix host. You MUST also set the matrix.hostname parameter.
    # example value of ["admin"] would become @admin:matrix.example.com
    admin_users: []

    # templates out to config.yaml for the mautrix bridge
    config:
      # Homeserver details
      homeserver:
        # -- The address that this appservice can use to connect to the homeserver.
        # this would be something like https://matrix.example.com, but if not set,
        # we'll try to guess the correct homeserver url :)
        address: ""
        # Publicly accessible base URL for media, used for avatars in relay mode.
        # If not set, the connection address above will be used.
        public_address: null
        # -- domain of the homeserver (also known as server_name, used for MXIDs, etc).
        # if not provided, we'll try to guess the correct one, but if your server is
        # https://matrix.example.com, it's probably example.com
        domain: ""

        # -- What software is the homeserver running? Standard Matrix homeservers
        # like Synapse, Dendrite and Conduit should just use "standard" here.
        software: standard
        # -- The URL to push real-time bridge status to. If set, the bridge
        # will make POST requests to this URL whenever a user's discord connection state changes.
        # The bridge will use the appservice as_token to authorize requests.
        status_endpoint: null
        # -- Endpoint for reporting per-message status.
        message_send_checkpoint_endpoint: null
        # -- Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
        async_media: false

        # -- Should the bridge use a websocket for connecting to the homeserver?
        # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
        # mautrix-asmux (deprecated), and hungryserv (proprietary).
        websocket: false
        # -- How often should the websocket be pinged? Pinging will be disabled if this is zero.
        ping_interval_seconds: 0

      # Application service host/registration related details.
      # Changing these values requires regeneration of the registration.
      appservice:
        # -- The address that the homeserver can use to connect to this appservice.
        # example is http://localhost:29334 but if not provided, we guess :)
        address: ""
        # -- The hostname where this appservice should listen.
        hostname: 0.0.0.0
        # -- The port where this appservice should listen.
        port: 29334

        # Database config.
        database:
          # -- The database type. "sqlite3-fk-wal" and "postgres" are supported.
          type: sqlite3-fk-wal
          # -- The database URI.
          # SQLite: A raw file path is supported, but recommended way is:
          #   `file:<path>?_txlock=immediate`
          #   https://github.com/mattn/go-sqlite3#connection-string
          # Postgres: Connection string. For example,
          #   postgres://user:password@host/database?sslmode=disable
          # To connect via Unix socket, use something like,
          #   postgres:///dbname?host=/var/run/postgresql
          uri: file:/mautrixdiscord.db?_txlock=immediate
          # -- Maximum number of connections. Mostly relevant for Postgres.
          max_open_conns: 20
          max_idle_conns: 2
          # -- Maximum connection idle time before its closed. Disabled if null.
          # Parsed with https://pkg.go.dev/time#ParseDuration
          max_conn_idle_time: null
          # -- Maximum connection lifetime before its closed. Disabled if null.
          # Parsed with https://pkg.go.dev/time#ParseDuration
          max_conn_lifetime: null

        # -- The unique ID of this appservice.
        id: discord
        # Appservice bot details.
        bot:
          # -- Username of the appservice bot.
          username: discordbot
          # -- Display name for bot. Set to "remove" to remove display name.
          displayname: Discord bridge bot
          # -- Display avatar for bot. Set to "remove" to remove display avatar.
          # example: mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC
          avatar: "remove"

        # -- Whether or not to receive ephemeral events via appservice transactions.
        # Requires MSC2409 support (i.e. Synapse 1.22+).
        ephemeral_events: true

        # -- Should incoming events be handled asynchronously?
        # This may be necessary for large public instances with lots of messages going through.
        # However, messages will not be guaranteed to be bridged in the same order they were sent in.
        async_transactions: false

        ## Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
        # as_token: "This value is generated when generating the registration"
        ## Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
        # hs_token: "This value is generated when generating the registration"

      # Bridge config
      bridge:
        # -- Localpart template of MXIDs for Discord users.
        # {{.}} is replaced with the internal ID of the Discord user.
        username_template: "{{`discord_{{.}}`}}"
        # -- Displayname template for Discord users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
        # Available variables:
        #   .ID - Internal user ID
        #   .Username - Legacy display/username on Discord
        #   .GlobalName - New displayname on Discord
        #   .Discriminator - The 4 numbers after the name on Discord
        #   .Bot - Whether the user is a bot
        #   .System - Whether the user is an official system user
        #   .Webhook - Whether the user is a webhook and is not an application
        #   .Application - Whether the user is an application
        displayname_template: '{{or .GlobalName .Username}}{{if .Bot}} (bot){{end}}'
        # -- Displayname template for Discord channels (bridged as rooms, or spaces when type=4).
        # Available variables:
        #   .Name - Channel name, or user displayname (pre-formatted with displayname_template) in DMs.
        #   .ParentName - Parent channel name (used for categories).
        #   .GuildName - Guild name.
        #   .NSFW - Whether the channel is marked as NSFW.
        #   .Type - Channel type (see values at https://github.com/bwmarrin/discordgo/blob/v0.25.0/structs.go#L251-L267)
        channel_name_template: '{{if or (eq .Type 3) (eq .Type 4)}}{{.Name}}{{else}}#{{.Name}}{{end}}'
        # -- Displayname template for Discord guilds (bridged as spaces).
        # Available variables:
        #   .Name - Guild name
        guild_name_template: '{{.Name}}'
        # -- Whether to explicitly set the avatar and room name for private chat portal rooms.
        # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
        # If set to `always`, all DM rooms will have explicit names and avatars set.
        # If set to `never`, DM rooms will never have names and avatars set.
        private_chat_portal_meta: default

        portal_message_buffer: 128

        # -- Number of private channel portals to create on bridge startup.
        # Other portals will be created when receiving messages.
        startup_private_channel_create_limit: 5
        # -- Should the bridge send a read receipt from the bridge bot when a message has been sent to Discord?
        delivery_receipts: false
        # -- Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
        message_status_events: false
        # -- Whether the bridge should send error notices via m.notice events when a message fails to bridge.
        message_error_notices: true
        # -- Should the bridge use space-restricted join rules instead of invite-only for guild rooms?
        # This can avoid unnecessary invite events in guild rooms when members are synced in.
        restricted_rooms: true
        # -- Should the bridge automatically join the user to threads on Discord when the thread is opened on Matrix?
        # This only works with clients that support thread read receipts (MSC3771 added in Matrix v1.4).
        autojoin_thread_on_open: true
        # -- Should inline fields in Discord embeds be bridged as HTML tables to Matrix?
        # Tables aren't supported in all clients, but are the only way to emulate the Discord inline field UI.
        embed_fields_as_tables: true
        # -- Should guild channels be muted when the portal is created? This only meant for single-user instances,
        # it won't mute it for all users if there are multiple Matrix users in the same Discord guild.
        mute_channels_on_create: false
        # -- Should the bridge update the m.direct account data event when double puppeting is enabled.
        # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
        # and is therefore prone to race conditions.
        sync_direct_chat_list: false
        # -- Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
        # This field will automatically be changed back to false after it, except if the config file is not writable.
        resend_bridge_info: false
        # -- Should incoming custom emoji reactions be bridged as mxc:// URIs?
        # If set to false, custom emoji reactions will be bridged as the shortcode instead, and the image won't be available.
        custom_emoji_reactions: true
        # -- Should the bridge attempt to completely delete portal rooms when a channel is deleted on Discord?
        # If true, the bridge will try to kick Matrix users from the room. Otherwise, the bridge only makes ghosts leave.
        delete_portal_on_channel_delete: false
        # -- Should the bridge delete all portal rooms when you leave a guild on Discord?
        # This only applies if the guild has no other Matrix users on this bridge instance.
        delete_guild_on_leave: true
        # -- Whether or not created rooms should have federation enabled.
        # If false, created portal rooms will never be federated.
        federate_rooms: true
        # -- Prefix messages from webhooks with the profile info? This can be used along with a custom displayname_template
        # to better handle webhooks that change their name all the time (like ones used by bridges).
        prefix_webhook_messages: false
        # -- Bridge webhook avatars?
        enable_webhook_avatars: true
        # -- Should the bridge upload media to the Discord CDN directly before sending the message when using a user token,
        # like the official client does? The other option is sending the media in the message send request as a form part
        # (which is always used by bots and webhooks).
        use_discord_cdn_upload: true
        # -- Should mxc uris copied from Discord be cached?
        # This can be `never` to never cache, `unencrypted` to only cache unencrypted mxc uris, or `always` to cache everything.
        # If you have a media repo that generates non-unique mxc uris, you should set this to never.
        cache_media: unencrypted
        # -- Settings for converting Discord media to custom mxc:// URIs instead of reuploading.
        # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
        direct_media:
          # -- Should custom mxc:// URIs be used instead of reuploading media?
          enabled: false
          # -- The server name to use for the custom mxc:// URIs.
          # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
          # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
          server_name: discord-media.example.com
          # -- Optionally a custom .well-known response. This defaults to `server_name:443`
          well_known_response:
          # -- The bridge supports MSC3860 media download redirects and will use them if the requester supports it.
          # Optionally, you can force redirects and not allow proxying at all by setting this to false.
          allow_proxy: true
          # -- Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
          server_key: generate
        # Settings for converting animated stickers.
        animated_sticker:
          # -- Format to which animated stickers should be converted.
          # disable - No conversion, send as-is (lottie JSON)
          # png - converts to non-animated png (fastest)
          # gif - converts to animated gif
          # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
          # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
          target: webp
          # Arguments for converter. All converters take width and height.
          args:
            # -- width arg for converter
            width: 320
            # -- height arg for converter
            height: 320
            # -- fps, only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
            fps: 25
        # -- Servers to always allow double puppeting from
        double_puppet_server_map: {}
        #  example.com: https://example.com
        # -- Allow using double puppeting from any server with a valid client .well-known file.
        double_puppet_allow_discovery: false
        # -- Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
        #
        # If set, double puppeting will be enabled automatically for local users
        # instead of users having to find an access token and run `login-matrix`
        # manually.
        login_shared_secret_map: {}
        #  example.com: foobar

        # -- The prefix for commands. Only required in non-management rooms.
        command_prefix: '!discord'
        # Messages sent upon joining a management room.
        # Markdown is supported. The defaults are listed below.
        management_room_text:
          # -- Sent when joining a room.
          welcome: "Hello, I'm a Discord bridge bot."
          # -- Sent when joining a management room and the user is already logged in.
          welcome_connected: "Use `help` for help."
          # -- Sent when joining a management room and the user is not logged in.
          welcome_unconnected: "Use `help` for help or `login` to log in."
          # -- Optional extra text sent when joining a management room.
          additional_help: ""

        # Settings for backfilling messages.
        backfill:
          # Limits for forward backfilling.
          forward_limits:
            # Initial backfill (when creating portal). 0 means backfill is disabled.
            # A special unlimited value is not supported, you must set a limit. Initial backfill will
            # fetch all messages first before backfilling anything, so high limits can take a lot of time.
            initial:
              dm: 0
              channel: 0
              thread: 0
            # Missed message backfill (on startup).
            # 0 means backfill is disabled, -1 means fetch all messages since last bridged message.
            # When using unlimited backfill (-1), messages are backfilled as they are fetched.
            # With limits, all messages up to the limit are fetched first and backfilled afterwards.
            missed:
              dm: 0
              channel: 0
              thread: 0
          # -- Maximum members in a guild to enable backfilling. Set to -1 to disable limit.
          # This can be used as a rough heuristic to disable backfilling in channels that are too active.
          # Currently only applies to missed message backfill.
          max_guild_members: -1

        # End-to-bridge encryption support options.
        #
        # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
        encryption:
          # -- Allow encryption, work in group chat rooms with e2ee enabled
          allow: false
          # -- Default to encryption, force-enable encryption in all portals the bridge creates
          # This will cause the bridge bot to be in private chats for the encryption to work properly.
          default: false
          # -- Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
          appservice: false
          # -- Require encryption, drop any unencrypted messages.
          require: false
          # -- Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
          # You must use a client that supports requesting keys from other users to use this feature.
          allow_key_sharing: false
          # -- Should users mentions be in the event wire content to enable the server to send push notifications?
          plaintext_mentions: false
          # Options for deleting megolm sessions from the bridge.
          delete_keys:
            # -- Beeper-specific: delete outbound sessions when hungryserv confirms
            # that the user has uploaded the key to key backup.
            delete_outbound_on_ack: false
            # -- Don't store outbound sessions in the inbound table.
            dont_store_outbound: false
            # -- Ratchet megolm sessions forward after decrypting messages.
            ratchet_on_decrypt: false
            # -- Delete fully used keys (index >= max_messages) after decrypting messages.
            delete_fully_used_on_decrypt: false
            # -- Delete previous megolm sessions from same device when receiving a new one.
            delete_prev_on_new_session: false
            # -- Delete megolm sessions received from a device when the device is deleted.
            delete_on_device_delete: false
            # -- Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
            periodically_delete_expired: false
            # -- Delete inbound megolm sessions that don't have the received_at field used for
            # automatic ratcheting and expired session deletion. This is meant as a migration
            # to delete old keys prior to the bridge update.
            delete_outdated_inbound: false

          # What level of device verification should be required from users?
          #
          # Valid levels:
          #   unverified - Send keys to all device in the room.
          #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
          #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
          #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
          #                           Note that creating user signatures from the bridge bot is not currently possible.
          #   verified - Require manual per-device verification
          #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
          verification_levels:
            # -- Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
            receive: unverified
            # -- Minimum level that the bridge should accept for incoming Matrix messages.
            send: unverified
            # -- Minimum level that the bridge should require for accepting key requests.
            share: cross-signed-tofu

          # Options for Megolm room key rotation. These options allow you to
          # configure the m.room.encryption event content. See:
          # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
          # more information about that event.
          rotation:
            # -- Enable custom Megolm room key rotation settings. Note that these
            # settings will only apply to rooms created after this option is
            # set.
            enable_custom: false
            # -- The maximum number of milliseconds a session should be used
            # before changing it. The Matrix spec recommends 604800000 (a week)
            # as the default.
            milliseconds: 604800000
            # -- The maximum number of messages that should be sent with a given a
            # session before changing it. The Matrix spec recommends 100 as the
            # default.
            messages: 100

            # -- Disable rotating keys when a user's devices change?
            # You should not enable this option unless you understand all the implications.
            disable_device_change_key_rotation: false

        # Settings for provisioning API
        provisioning:
          # -- Prefix for the provisioning API paths.
          prefix: /_matrix/provision
          # -- Shared secret for authentication. If set to "generate", a random
          # secret will be generated, or if set to "disable", the provisioning
          # API will be disabled.
          shared_secret: generate
          # -- Enable debug API at /debug with provisioning authentication.
          debug_endpoints: false

        # Permissions for using the bridge.
        # Permitted values:
        #    relay - Talk through the relaybot (if enabled), no access otherwise
        #     user - Access to use the bridge to chat with a Discord account.
        #    admin - User level and some additional administration tools
        # Permitted keys:
        #        * - All Matrix users
        #   domain - All users on that homeserver
        #     mxid - Specific user
        permissions: {}
        #   "*": relay
        #   "example.com": user
        #   "@admin:example.com": admin

      # Logging config. See https://github.com/tulir/zeroconfig for details.
      logging:
        # -- min logging level
        min_level: debug
        writers:
          - type: stdout
            format: pretty-colored
          - type: file
            format: json
            filename: ./logs/mautrix-discord.log
            max_size: 100
            max_backups: 10
            compress: true


  ## DEPRECATION: This section is for the old halfshot/matrix-appservice-discord
  # docker image which is no longer maintained. Please use the bridges.discord_mautrix
  # section instead. !! We will remove this secton in the future. !!
  discord:
    # -- Set to true to enable the DEPRECATED Discord bridge. This will be
    # removed in the future in favor of discord_mautrix.enabled
    enabled: false

    # Discord bot authentication.
    # ref: github.com/Half-Shot/matrix-appservice-discord#setting-up-discord
    auth:
      # -- Discord bot clientID for authentication
      clientId: ""
      # -- Discord bot token for authentication
      botToken: ""

    # The name of bridged rooms
    # Available vars:
    #   :guild - guild/server name
    #   :name  - channel name prefixed with #
    channelName: "[Discord] :guild :name"

    users:
      # -- Nickname of bridged Discord users
      # Available vars:
      #   :nick     - user's Discord nickname
      #   :username - user's Discord username
      #   :tag      - user's 4 digit Discord tag
      #   :id       - user's Discord developer ID (long)
      nickname: ":nick"
      # -- Username of bridged Discord users
      # Available vars:
      #   :username - user's Discord username
      #   :tag      - user's 4 digit Discord tag
      #   :id       - user's Discord developer ID (long)
      username: ":username#:tag"

    # -- Set to false to disable online/offline presence for Discord users
    presence: true

    # -- Set to false to disable typing notifications (only for Discord to Matrix)
    typingNotifications: true

    # -- Set to true to allow users to bridge rooms themselves using !discord cmds
    # More info: https://t2bot.io/discord
    selfService: false

    # -- Discord bot read receipt, which advances whenever the bot bridges a msg
    readReceipt: true

    # -- Discord notifications when a user joins/leaves the Matrix channel
    joinLeaveEvents: true

    # -- Default visibility of bridged rooms (public/private)
    defaultVisibility: public

    data:
      # -- Size of the PVC to allocate for the SQLite database
      capacity: 512Mi
      # -- Storage class (optional)
      storageClass: ""

    image:
      # -- docker image repo for discord bridge
      repository: "halfshot/matrix-appservice-discord"
      # -- tag for discord brdige docker image
      tag: "latest"
      pullPolicy: Always

    # -- pod replicas for the discord bridge pod
    replicaCount: 1

    # -- resources for the discord bridge pod
    resources: {}

    service:
      # -- service type for the discord bridge
      type: ClusterIP
      port: 9005

  # -- Recommended to leave this disabled to allow bridges to be scheduled on
  # separate nodes. Set this to true to reduce latency between the homeserver
  # and bridges, or if your cloud provider does not allow the ReadWriteMany
  # access mode (see below)
  affinity: false

  volume:
    # -- Capacity of the shared volume for storing bridge/appservice
    # registration files. Note: 1Mi should be enough but some cloud providers
    # may set a minimum PVC size of 1Gi, adjust as necessary
    capacity: 1Mi
    # -- Storage class (optional)
    storageClass: ""
    # -- Access mode of the shared volume. ReadWriteMany is recommended to allow
    # bridges to be scheduled on separate nodes. Some cloud providers may not
    # allow the ReadWriteMany access mode. In that case, change this to
    # ReadWriteOnce AND set bridges.affinity (above) to true
    accessMode: ReadWriteMany
    # -- name of an existing persistent volume claim to use for bridges
    existingClaim: ""