Move dendrite configuration again

2026-01-19 20:13:09 -06:00 · 2023-01-06 10:24:31 +01:00 · 2023-01-06 10:24:31 +01:00 · 37fa1fcde3
parent 37b251dd99
commit 37fa1fcde3
6 changed files with 298 additions and 328 deletions
--- a/helm/dendrite/README.md
+++ b/helm/dendrite/README.md
@ -41,54 +41,64 @@ Create a folder `appservices` and place your configurations in there.  The confi
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| clientapi.enable_registration_captcha | bool | `false` | enable reCAPTCHA registration |
+| dendrite_config.app_service_api.disable_tls_validation | bool | `false` | Disable the validation of TLS certificates of appservices. This is not recommended in production since it may allow appservice traffic to be sent to an insecure endpoint. |
-| clientapi.guests_disabled | bool | `true` |  |
+| dendrite_config.clientapi.enable_registration_captcha | bool | `false` | enable reCAPTCHA registration |
-| clientapi.rate_limiting.cooloff_ms | int | `500` | Cooloff time in milliseconds |
+| dendrite_config.clientapi.guests_disabled | bool | `true` |  |
-| clientapi.rate_limiting.enabled | bool | `true` | Enable rate limiting |
+| dendrite_config.clientapi.rate_limiting.cooloff_ms | int | `500` | Cooloff time in milliseconds |
-| clientapi.rate_limiting.exempt_user_ids | string | `nil` | Users which should be exempt from rate limiting |
+| dendrite_config.clientapi.rate_limiting.enabled | bool | `true` | Enable rate limiting |
-| clientapi.rate_limiting.threshold | int | `20` | After how many requests a rate limit should be activated |
+| dendrite_config.clientapi.rate_limiting.exempt_user_ids | string | `nil` | Users which should be exempt from rate limiting |
-| clientapi.recaptcha_bypass_secret | string | `""` | reCAPTCHA bypass secret |
+| dendrite_config.clientapi.rate_limiting.threshold | int | `20` | After how many requests a rate limit should be activated |
-| clientapi.recaptcha_private_key | string | `""` | reCAPTCHA private key |
+| dendrite_config.clientapi.recaptcha_bypass_secret | string | `""` | reCAPTCHA bypass secret |
-| clientapi.recaptcha_public_key | string | `""` | reCAPTCHA public key |
+| dendrite_config.clientapi.recaptcha_private_key | string | `""` | reCAPTCHA private key |
-| clientapi.recaptcha_siteverify_api | string | `""` |  |
+| dendrite_config.clientapi.recaptcha_public_key | string | `""` | reCAPTCHA public key |
-| clientapi.registration_disabled | bool | `true` | Prevents new users from being able to register on this homeserver, except when using the registration shared secret below. |
+| dendrite_config.clientapi.recaptcha_siteverify_api | string | `""` |  |
-| clientapi.shared_secret | string | `""` | If set, allows registration by anyone who knows the shared secret, regardless of whether registration is otherwise disabled. |
+| dendrite_config.clientapi.registration_disabled | bool | `true` | Prevents new users from being able to register on this homeserver, except when using the registration shared secret below. |
-| clientapi.turn.turn_password | string | `""` | The TURN password |
+| dendrite_config.clientapi.shared_secret | string | `""` | If set, allows registration by anyone who knows the shared secret, regardless of whether registration is otherwise disabled. |
-| clientapi.turn.turn_shared_secret | string | `""` |  |
+| dendrite_config.clientapi.turn.turn_password | string | `""` | The TURN password |
-| clientapi.turn.turn_uris | list | `[]` |  |
+| dendrite_config.clientapi.turn.turn_shared_secret | string | `""` |  |
-| clientapi.turn.turn_user_lifetime | string | `"24h"` | Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
+| dendrite_config.clientapi.turn.turn_uris | list | `[]` |  |
-| clientapi.turn.turn_username | string | `""` | The TURN username |
+| dendrite_config.clientapi.turn.turn_user_lifetime | string | `"24h"` | Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
-| federationapi.disable_tls_validation | bool | `false` | Disable TLS validation |
+| dendrite_config.clientapi.turn.turn_username | string | `""` | The TURN username |
-| federationapi.prefer_direct_fetch | bool | `false` |  |
+| dendrite_config.federation_api.disable_http_keepalives | bool | `false` | Prevents Dendrite from keeping HTTP connections open for reuse for future requests. Connections will be closed quicker but we may spend more time on TLS handshakes instead. |
-| federationapi.send_max_retries | int | `16` |  |
+| dendrite_config.federation_api.disable_tls_validation | bool | `false` | Disable TLS validation. This is not recommended in production! |
-| global.cache.max_age | string | `"1h"` | The maximum amount of time that a cache entry can live for in memory before it will be evicted and/or refreshed from the database. Lower values result in easier admission of new cache entries but may also increase database load in comparison to higher values, so adjust conservatively. Higher values may make it harder for new items to make it into the cache, e.g. if new rooms suddenly become popular. |
+| dendrite_config.federation_api.key_perspectives | list | `[{"keys":[{"key_id":"ed25519:auto","public_key":"Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"},{"key_id":"ed25519:a_RXGa","public_key":"l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"}],"server_name":"matrix.org"}]` | Perspective keyservers, to use as a backup when direct key fetch requests don't succeed. |
-| global.cache.max_size_estimated | string | `"1gb"` | The estimated maximum size for the global cache in bytes, or in terabytes, gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or 'kb' suffix is specified. Note that this is not a hard limit, nor is it a memory limit for the entire process. A cache that is too small may ultimately provide little or no benefit. |
+| dendrite_config.federation_api.prefer_direct_fetch | bool | `false` |  |
-| global.database.conn_max_lifetime | int | `-1` | Default database maximum lifetime |
+| dendrite_config.federation_api.send_max_retries | int | `16` | Federation failure threshold. How many consecutive failures that we should tolerate when sending federation requests to a specific server. The backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc. The default value is 16 if not specified, which is circa 18 hours. |
-| global.database.host | string | `""` | Default database host |
+| dendrite_config.global.cache.max_age | string | `"1h"` | The maximum amount of time that a cache entry can live for in memory before it will be evicted and/or refreshed from the database. Lower values result in easier admission of new cache entries but may also increase database load in comparison to higher values, so adjust conservatively. Higher values may make it harder for new items to make it into the cache, e.g. if new rooms suddenly become popular. |
-| global.database.max_idle_conns | int | `5` | Default database maximum idle connections |
+| dendrite_config.global.cache.max_size_estimated | string | `"1gb"` | The estimated maximum size for the global cache in bytes, or in terabytes, gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or 'kb' suffix is specified. Note that this is not a hard limit, nor is it a memory limit for the entire process. A cache that is too small may ultimately provide little or no benefit. |
-| global.database.max_open_conns | int | `90` | Default database maximum open connections |
+| dendrite_config.global.database.conn_max_lifetime | int | `-1` | Default database maximum lifetime |
-| global.database.password | string | `""` | Default database password |
+| dendrite_config.global.database.host | string | `""` | Default database host |
-| global.database.user | string | `""` | Default database user |
+| dendrite_config.global.database.max_idle_conns | int | `5` | Default database maximum idle connections |
-| global.disable_federation | bool | `false` | Disable federation. Dendrite will not be able to make any outbound HTTP requests to other servers and the federation API will not be exposed. |
+| dendrite_config.global.database.max_open_conns | int | `90` | Default database maximum open connections |
-| global.dns_cache.cache_lifetime | string | `"10m"` | Duration for how long DNS cache items should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
+| dendrite_config.global.database.password | string | `""` | Default database password |
-| global.dns_cache.cache_size | int | `256` | Maximum number of entries to hold in the DNS cache |
+| dendrite_config.global.database.user | string | `""` | Default database user |
-| global.dns_cache.enabled | bool | `false` | Whether or not the DNS cache is enabled. |
+| dendrite_config.global.disable_federation | bool | `false` | Disable federation. Dendrite will not be able to make any outbound HTTP requests to other servers and the federation API will not be exposed. |
-| global.key_validity_period | string | `"168h0m0s"` |  |
+| dendrite_config.global.dns_cache.cache_lifetime | string | `"10m"` | Duration for how long DNS cache items should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
-| global.logging | list | [default dendrite config values](https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml) | Default logging configuration |
+| dendrite_config.global.dns_cache.cache_size | int | `256` | Maximum number of entries to hold in the DNS cache |
-| global.metrics.basic_auth.password | string | `"metrics"` | HTTP basic authentication password |
+| dendrite_config.global.dns_cache.enabled | bool | `false` | Whether or not the DNS cache is enabled. |
-| global.metrics.basic_auth.user | string | `"metrics"` | HTTP basic authentication username |
+| dendrite_config.global.key_validity_period | string | `"168h0m0s"` |  |
-| global.metrics.enabled | bool | `false` | Whether or not Prometheus metrics are enabled. |
+| dendrite_config.global.metrics.basic_auth.password | string | `"metrics"` | HTTP basic authentication password |
-| global.mscs | list | `["msc2946"]` | Configuration for experimental MSC's. (Valid values are: msc2836 and msc2946) |
+| dendrite_config.global.metrics.basic_auth.user | string | `"metrics"` | HTTP basic authentication username |
-| global.presence | object | `{"enable_inbound":false,"enable_outbound":false}` | Configures the handling of presence events. Inbound controls whether we receive presence events from other servers, outbound controls whether we send presence events for our local users to other servers. |
+| dendrite_config.global.metrics.enabled | bool | `false` | Whether or not Prometheus metrics are enabled. |
-| global.profiling.enabled | bool | `false` | Enable pprof. You will need to manually create a port forwarding to the deployment to access PPROF, as it will only listen on localhost and the defined port. e.g. `kubectl port-forward deployments/dendrite 65432:65432` |
+| dendrite_config.global.presence | object | `{"enable_inbound":false,"enable_outbound":false}` | Configures the handling of presence events. Inbound controls whether we receive presence events from other servers, outbound controls whether we send presence events for our local users to other servers. |
-| global.profiling.port | int | `65432` | pprof port, if enabled |
+| dendrite_config.global.profiling.enabled | bool | `false` | Enable pprof. You will need to manually create a port forwarding to the deployment to access PPROF, as it will only listen on localhost and the defined port. e.g. `kubectl port-forward deployments/dendrite 65432:65432` |
-| global.report_stats | object | `{"enabled":false,"endpoint":"https://matrix.org/report-usage-stats/push"}` | Configures phone-home statistics reporting. These statistics contain the server name, number of active users and some information on your deployment config. We use this information to understand how Dendrite is being used in the wild. |
+| dendrite_config.global.profiling.port | int | `65432` | pprof port, if enabled |
-| global.server_name | string | `""` | Servername for this Dendrite deployment |
+| dendrite_config.global.report_stats | object | `{"enabled":false,"endpoint":"https://matrix.org/report-usage-stats/push"}` | Configures phone-home statistics reporting. These statistics contain the server name, number of active users and some information on your deployment config. We use this information to understand how Dendrite is being used in the wild. |
-| global.server_notices | object | `{"avatar_url":"","display_name":"Server Alerts","enabled":false,"local_part":"_server","room_name":"Server Alerts"}` | Server notices allows server admins to send messages to all users on the server. |
+| dendrite_config.global.server_name | string | `""` | Servername for this Dendrite deployment |
-| global.tracing | object | disabled | Default tracing configuration |
+| dendrite_config.global.server_notices | object | `{"avatar_url":"","display_name":"Server Alerts","enabled":false,"local_part":"_server","room_name":"Server Alerts"}` | Server notices allows server admins to send messages to all users on the server. |
-| global.trusted_third_party_id_servers | list | `["matrix.org","vector.im"]` | Lists of domains that the server will trust as identity servers to verify third party identifiers such as phone numbers and email addresses. |
+| dendrite_config.global.trusted_third_party_id_servers | list | `["matrix.org","vector.im"]` | Lists of domains that the server will trust as identity servers to verify third party identifiers such as phone numbers and email addresses. |
-| global.well_known_client_name | string | `""` | The server name to delegate client-server communications to, with optional port e.g. localhost:443 |
+| dendrite_config.global.well_known_client_name | string | `""` | The server name to delegate client-server communications to, with optional port e.g. localhost:443 |
-| global.well_known_server_name | string | `""` | The server name to delegate server-server communications to, with optional port e.g. localhost:443 |
+| dendrite_config.global.well_known_server_name | string | `""` | The server name to delegate server-server communications to, with optional port e.g. localhost:443 |
 | dendrite_config.logging | list | `[{"level":"info","type":"std"}]` | Default logging configuration |
 | dendrite_config.mediaapi.dynamic_thumbnails | bool | `false` |  |
 | dendrite_config.mediaapi.max_file_size_bytes | string | `"10485760"` | The max file size for uploaded media files |
 | dendrite_config.mediaapi.max_thumbnail_generators | int | `10` | The maximum number of simultaneous thumbnail generators to run. |
 | dendrite_config.mediaapi.thumbnail_sizes | list | `[{"height":32,"method":"crop","width":32},{"height":96,"method":"crop","width":96},{"height":480,"method":"scale","width":640}]` | A list of thumbnail sizes to be generated for media content. |
 | dendrite_config.mscs | object | `{"mscs":["msc2946"]}` | Configuration for experimental MSC's. (Valid values are: msc2836 and msc2946) |
 | dendrite_config.sync_api.real_ip_header | string | `"X-Real-IP"` | This option controls which HTTP header to inspect to find the real remote IP address of the client. This is likely required if Dendrite is running behind a reverse proxy server. |
 | dendrite_config.sync_api.search | object | `{"enabled":true,"language":"en"}` | Configuration for the full-text search engine. |
 | dendrite_config.sync_api.search.enabled | bool | `true` | Whether or not search is enabled. |
 | dendrite_config.sync_api.search.language | string | `"en"` | The language most likely to be used on the server - used when indexing, to ensure the returned results match expectations. A full list of possible languages can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46) |
 | image.name | string | `"ghcr.io/matrix-org/dendrite-monolith:v0.10.8"` | Docker repository/image to use |
 | image.pullPolicy | string | `"IfNotPresent"` | Kubernetes pullPolicy |
 | ingress.annotations | object | `{}` | Extra, custom annotations |
@ -97,10 +107,6 @@ Create a folder `appservices` and place your configurations in there.  The confi
 | ingress.hostName | string | `""` |  |
 | ingress.hosts | list | `[]` |  |
 | ingress.tls | list | `[]` |  |
 | mediaapi.dynamic_thumbnails | bool | `false` |  |
 | mediaapi.max_file_size_bytes | string | `"10485760"` | The max file size for uploaded media files |
 | mediaapi.max_thumbnail_generators | int | `10` | The maximum number of simultaneous thumbnail generators to run. |
 | mediaapi.thumbnail_sizes | list | [default dendrite config values](https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml) | A list of thumbnail sizes to be generated for media content. |
 | persistence.jetstream.capacity | string | `"1Gi"` |  |
 | persistence.jetstream.existingClaim | string | `""` | Use an existing volume claim for jetstream |
 | persistence.media.capacity | string | `"1Gi"` |  |
@ -120,7 +126,3 @@ Create a folder `appservices` and place your configurations in there.  The confi
 | service.type | string | `"ClusterIP"` |  |
 | signing_key.create | bool | `true` | Create a new signing key, if not exists |
 | signing_key.existingSecret | string | `""` | Use an existing secret |
 | syncapi.real_ip_header | string | `"X-Real-IP"` | This option controls which HTTP header to inspect to find the real remote IP address of the client. This is likely required if Dendrite is running behind a reverse proxy server. |
 | syncapi.search | object | `{"enabled":false,"language":"en"}` | Configuration for the full-text search engine. |
 | syncapi.search.enabled | bool | `false` | Whether or not search is enabled. |
 | syncapi.search.language | string | `"en"` | The language most likely to be used on the server - used when indexing, to ensure the returned results match expectations. A full list of possible languages can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46) |
--- a/helm/dendrite/ci/ct-postgres-values.yaml
+++ b/helm/dendrite/ci/ct-postgres-values.yaml
@ -1,9 +0,0 @@
 ---
 postgresql:
  enabled: true
  primary:
    persistence:
      size: 1Gi
 global:
  server_name: "localhost"
--- a/helm/dendrite/templates/_helpers.tpl
+++ b/helm/dendrite/templates/_helpers.tpl
@ -2,13 +2,13 @@
 {{- if not .Values.signing_key.create -}}
 {{-  fail "You must create a signing key for configuration.signing_key. (see https://github.com/matrix-org/dendrite/blob/master/docs/INSTALL.md#server-key-generation)" -}}
 {{- end -}}
-{{- if not (or .Values.global.database.host .Values.postgresql.enabled) -}}
+{{- if not (or .Values.dendrite_config.global.database.host .Values.postgresql.enabled) -}}
 {{-  fail "Database server must be set." -}}
 {{- end -}}
-{{- if not (or .Values.global.database.user .Values.postgresql.enabled) -}}
+{{- if not (or .Values.dendrite_config.global.database.user .Values.postgresql.enabled) -}}
 {{-  fail "Database user must be set." -}}
 {{- end -}}
-{{- if not (or .Values.global.database.password .Values.postgresql.enabled) -}}
+{{- if not (or .Values.dendrite_config.global.database.password .Values.postgresql.enabled) -}}
 {{-  fail "Database password must be set." -}}
 {{- end -}}
 {{- end -}}
--- a/helm/dendrite/templates/deployment.yaml
+++ b/helm/dendrite/templates/deployment.yaml
@ -54,7 +54,7 @@ spec:
          - name: http
            containerPort: 8008
            protocol: TCP
-        {{- if $.Values.global.profiling.enabled }}
+        {{- if $.Values.dendrite_config.global.profiling.enabled }}
        env:
          - name: PPROFLISTEN
            value: "localhost:{{- $.Values.global.profiling.port -}}"
--- a/helm/dendrite/templates/secrets.yaml
+++ b/helm/dendrite/templates/secrets.yaml
@ -21,7 +21,7 @@ metadata:
 type: Opaque
 {{ end }}
-{{- $connectionString := print "postgresql://" .Values.global.database.user ":" .Values.global.database.password "@" .Values.global.database.host }}
+{{- $connectionString := print "postgresql://" .Values.dendrite_config.global.database.user ":" .Values.dendrite_config.global.database.password "@" .Values.dendrite_config.global.database.host }}
 {{- if .Values.postgresql.enabled }}
 {{- $connectionString = print "postgresql://" .Values.postgresql.auth.username ":" .Values.postgresql.auth.password "@" .Release.Name "-postgresql/dendrite" -}}
 {{ end }}
@ -36,88 +36,57 @@ stringData:
  dendrite.yaml: |
    version: 2
    global:
-      server_name: {{ .Values.global.server_name }}
+      server_name: {{ .Values.dendrite_config.global.server_name }}
      private_key: /etc/dendrite/secrets/signing.key
      key_id: ed25519:auto
-      key_validity_period: {{ .Values.global.key_validity_period | quote }}
+      key_validity_period: {{ .Values.dendrite_config.global.key_validity_period | quote }}
      database:
        connection_string: {{ $connectionString }}?sslmode=disable
-        max_open_conns: {{ .Values.global.database.max_open_conns }}
+        max_open_conns: {{ .Values.dendrite_config.global.database.max_open_conns }}
-        max_idle_conns: {{ .Values.global.database.max_idle_conns }}
+        max_idle_conns: {{ .Values.dendrite_config.global.database.max_idle_conns }}
-        conn_max_lifetime: {{ .Values.global.database.conn_max_lifetime }}
+        conn_max_lifetime: {{ .Values.dendrite_config.global.database.conn_max_lifetime }}
      cache:
-        max_size_estimated: {{ .Values.global.cache.max_size_estimated | quote }}
+        max_size_estimated: {{ .Values.dendrite_config.global.cache.max_size_estimated | quote }}
-        max_age: {{ .Values.global.cache.max_age }}
+        max_age: {{ .Values.dendrite_config.global.cache.max_age }}
-      well_known_server_name: {{ .Values.global.well_known_server_name | quote }}
+      well_known_server_name: {{ .Values.dendrite_config.global.well_known_server_name | quote }}
-      well_known_client_name: {{ .Values.global.well_known_client_name | quote }}
+      well_known_client_name: {{ .Values.dendrite_config.global.well_known_client_name | quote }}
      trusted_third_party_id_servers:
-      {{- toYaml .Values.global.trusted_third_party_id_servers | nindent 8 }}
+      {{- toYaml .Values.dendrite_config.global.trusted_third_party_id_servers | nindent 8 }}
-      disable_federation: {{ .Values.global.disable_federation }}
+      disable_federation: {{ .Values.dendrite_config.global.disable_federation }}
      report_stats:
-        {{- toYaml .Values.global.report_stats | nindent 8 }}
+        {{- toYaml .Values.dendrite_config.global.report_stats | nindent 8 }}
      presence:
-        {{- toYaml .Values.global.presence | nindent 8 }}
+        {{- toYaml .Values.dendrite_config.global.presence | nindent 8 }}
      server_notices:
-        {{- toYaml .Values.global.server_notices | nindent 8 }}
+        {{- toYaml .Values.dendrite_config.global.server_notices | nindent 8 }}
      jetstream:
        in_memory: false
        storage_path: /data/jetstream
      metrics:
-        {{- toYaml .Values.global.metrics | nindent 8 }}
+        {{- toYaml .Values.dendrite_config.global.metrics | nindent 8 }}
      dns_cache:
-        {{- toYaml .Values.global.dns_cache | nindent 8 }}
+        {{- toYaml .Values.dendrite_config.global.dns_cache | nindent 8 }}
    mscs:
      mscs:
-        {{- toYaml .Values.global.mscs | nindent 8 }}
+        {{- toYaml .Values.dendrite_config.mscs.mscs | nindent 8 }}
    app_service_api:
      disable_tls_validation: {{ .Values.dendrite_config.app_service_api.disable_tls_validation }} 
      config_files:
        {{- range $x, $y := .Files.Glob "appservices/*" }}
          - /etc/dendrite/appservices/{{ base $x }}
        {{ end }}
    client_api:
-    {{- with .Values.clientapi }}
+      {{- toYaml .Values.dendrite_config.clientapi | nindent 6 }}
      registration_disabled: {{ .registration_disabled }}
      guests_disabled: {{ .guests_disabled }}
      registration_shared_secret: {{ .shared_secret | quote }}
      enable_registration_captcha:  {{ .enable_registration_captcha }}
      recaptcha_public_key: {{ .recaptcha_public_key | quote }}
      recaptcha_private_key: {{ .recaptcha_private_key | quote}}
      recaptcha_bypass_secret: {{ .recaptcha_bypass_secret | quote}}
      recaptcha_siteverify_api: {{ .recaptcha_siteverify_api | quote}}
      turn:
        {{- toYaml .turn | nindent 8 }}
      rate_limiting:
        {{- toYaml .rate_limiting | nindent 8 }}
    {{ end }}
    federation_api:
-      #federation_certificates: []
+      {{- toYaml .Values.dendrite_config.federation_api | nindent 6 }}
      send_max_retries: {{ .Values.federationapi.send_max_retries }}
      disable_tls_validation: {{ .Values.federationapi.disable_tls_validation }}
      key_perspectives:
      - server_name: matrix.org
        keys:
        - key_id: ed25519:auto
          public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
        - key_id: ed25519:a_RXGa
          public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ 
      prefer_direct_fetch: {{ .Values.federationapi.prefer_direct_fetch }}
    media_api:
      base_path: /data/media_store
-      max_file_size_bytes: {{ int .Values.mediaapi.max_file_size_bytes }}
+      max_file_size_bytes: {{ int .Values.dendrite_config.mediaapi.max_file_size_bytes }}
-      dynamic_thumbnails: {{ .Values.mediaapi.dynamic_thumbnails }}
+      dynamic_thumbnails: {{ .Values.dendrite_config.mediaapi.dynamic_thumbnails }}
-      max_thumbnail_generators: {{ .Values.mediaapi.max_thumbnail_generators }}
+      max_thumbnail_generators: {{ .Values.dendrite_config.mediaapi.max_thumbnail_generators }}
      thumbnail_sizes:
-        {{- toYaml .Values.mediaapi.thumbnail_sizes | nindent 8 }}
+        {{- toYaml .Values.dendrite_config.mediaapi.thumbnail_sizes | nindent 8 }}
    room_server:
    sync_api:
-      real_ip_header: {{ .Values.syncapi.real_ip_header }}
+      {{- toYaml .Values.dendrite_config.sync_api | nindent 6 }}
      search:
        enabled: {{ .Values.syncapi.search.enabled }}
        index_path: /data/search
        language: {{ .Values.syncapi.search.language }}
    tracing:
      {{- toYaml .Values.global.tracing | nindent 6 }}
    logging:
-    {{- if .Values.global.logging }}
+      {{- toYaml .Values.dendrite_config.logging | nindent 6 }}
    {{- toYaml .Values.global.logging | nindent 4 }}
    {{ end }}
--- a/helm/dendrite/values.yaml
+++ b/helm/dendrite/values.yaml
@ -36,227 +36,235 @@ persistence:
    existingClaim: ""
    capacity: "1Gi"
 dendrite_config:
  global:
    # -- Servername for this Dendrite deployment
    server_name: ""
-global:
+    # -- The server name to delegate server-server communications to, with optional port
-  # -- Servername for this Dendrite deployment
+    # e.g. localhost:443
-  server_name: ""
+    well_known_server_name: ""
-  # -- The server name to delegate server-server communications to, with optional port
+    # -- The server name to delegate client-server communications to, with optional port
-  # e.g. localhost:443
+    # e.g. localhost:443
-  well_known_server_name: ""
+    well_known_client_name: ""
-  # -- The server name to delegate client-server communications to, with optional port
+    # -- Lists of domains that the server will trust as identity servers to verify third
-  # e.g. localhost:443
+    # party identifiers such as phone numbers and email addresses.
-  well_known_client_name: ""
+    trusted_third_party_id_servers:
      - matrix.org
      - vector.im
-  # -- Lists of domains that the server will trust as identity servers to verify third
+    # -- Disable federation. Dendrite will not be able to make any outbound HTTP requests
-  # party identifiers such as phone numbers and email addresses.
+    # to other servers and the federation API will not be exposed.
-  trusted_third_party_id_servers:
+    disable_federation: false
    - matrix.org
    - vector.im
-  # -- Disable federation. Dendrite will not be able to make any outbound HTTP requests
+    key_validity_period: 168h0m0s
  # to other servers and the federation API will not be exposed.
  disable_federation: false
-  key_validity_period: 168h0m0s
+    database:
      # -- Default database host
      host: ""
      # -- Default database user
      user: ""
      # -- Default database password
      password: ""
-  database:
+      # -- Default database maximum open connections
-    # -- Default database host
+      max_open_conns: 90
-    host: ""
+      # -- Default database maximum idle connections
-    # -- Default database user
+      max_idle_conns: 5
-    user: ""
+      # -- Default database maximum lifetime
-    # -- Default database password
+      conn_max_lifetime: -1
    password: ""
-    # -- Default database maximum open connections
+    cache:
-    max_open_conns: 90
+      # -- The estimated maximum size for the global cache in bytes, or in terabytes,
-    # -- Default database maximum idle connections
+      # gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
-    max_idle_conns: 5
+      # 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
-    # -- Default database maximum lifetime
+      # memory limit for the entire process. A cache that is too small may ultimately
-    conn_max_lifetime: -1
+      # provide little or no benefit.
      max_size_estimated: 1gb
      # -- The maximum amount of time that a cache entry can live for in memory before
      # it will be evicted and/or refreshed from the database. Lower values result in
      # easier admission of new cache entries but may also increase database load in
      # comparison to higher values, so adjust conservatively. Higher values may make
      # it harder for new items to make it into the cache, e.g. if new rooms suddenly
      # become popular.
      max_age: 1h
-  cache:
+    # -- Configures phone-home statistics reporting. These statistics contain the server
-    # -- The estimated maximum size for the global cache in bytes, or in terabytes,
+    # name, number of active users and some information on your deployment config.
-    # gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
+    # We use this information to understand how Dendrite is being used in the wild.
-    # 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
+    report_stats:
-    # memory limit for the entire process. A cache that is too small may ultimately
+      enabled: false
-    # provide little or no benefit.
+      endpoint: https://matrix.org/report-usage-stats/push
    max_size_estimated: 1gb
    # -- The maximum amount of time that a cache entry can live for in memory before
    # it will be evicted and/or refreshed from the database. Lower values result in
    # easier admission of new cache entries but may also increase database load in
    # comparison to higher values, so adjust conservatively. Higher values may make
    # it harder for new items to make it into the cache, e.g. if new rooms suddenly
    # become popular.
    max_age: 1h
-  # -- Configures phone-home statistics reporting. These statistics contain the server
+    # -- Configures the handling of presence events. Inbound controls whether we receive
-  # name, number of active users and some information on your deployment config.
+    # presence events from other servers, outbound controls whether we send presence
-  # We use this information to understand how Dendrite is being used in the wild.
+    # events for our local users to other servers.
-  report_stats:
+    presence:
-    enabled: false
+      enable_inbound: false
-    endpoint: https://matrix.org/report-usage-stats/push
+      enable_outbound: false
-  # -- Configures the handling of presence events. Inbound controls whether we receive
+    # -- Server notices allows server admins to send messages to all users on the server.
-  # presence events from other servers, outbound controls whether we send presence
+    server_notices:
-  # events for our local users to other servers.
+      enabled: false
-  presence:
+      # The local part, display name and avatar URL (as a mxc:// URL) for the user that
-    enable_inbound: false
+      # will send the server notices. These are visible to all users on the deployment.
-    enable_outbound: false
+      local_part: "_server"
      display_name: "Server Alerts"
      avatar_url: ""
      # The room name to be used when sending server notices. This room name will
      # appear in user clients.
      room_name: "Server Alerts"
-  # -- Server notices allows server admins to send messages to all users on the server.
+    # prometheus metrics
-  server_notices:
+    metrics:
-    enabled: false
+      # -- Whether or not Prometheus metrics are enabled.
-    # The local part, display name and avatar URL (as a mxc:// URL) for the user that
+      enabled: false
-    # will send the server notices. These are visible to all users on the deployment.
+      # HTTP basic authentication to protect access to monitoring.
-    local_part: "_server"
+      basic_auth:
-    display_name: "Server Alerts"
+        # -- HTTP basic authentication username
-    avatar_url: ""
+        user: "metrics"
-    # The room name to be used when sending server notices. This room name will
+        # -- HTTP basic authentication password
-    # appear in user clients.
+        password: metrics
    room_name: "Server Alerts"
-  # prometheus metrics
+    dns_cache:
-  metrics:
+      # -- Whether or not the DNS cache is enabled.
-    # -- Whether or not Prometheus metrics are enabled.
+      enabled: false
-    enabled: false
+      # -- Maximum number of entries to hold in the DNS cache
-    # HTTP basic authentication to protect access to monitoring.
+      cache_size: 256
-    basic_auth:
+      # -- Duration for how long DNS cache items should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
-      # -- HTTP basic authentication username
+      cache_lifetime: "10m"
      user: "metrics"
      # -- HTTP basic authentication password
      password: metrics
-  dns_cache:
+    profiling:
-    # -- Whether or not the DNS cache is enabled.
+      # -- Enable pprof. You will need to manually create a port forwarding to the deployment to access PPROF,
-    enabled: false
+      # as it will only listen on localhost and the defined port.
-    # -- Maximum number of entries to hold in the DNS cache
+      # e.g. `kubectl port-forward deployments/dendrite 65432:65432`
-    cache_size: 256
+      enabled: false
-    # -- Duration for how long DNS cache items should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
+      # -- pprof port, if enabled
-    cache_lifetime: "10m"
+      port: 65432
  # -- Default logging configuration
  # @default -- [default dendrite config values](https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml)
  logging:
    - type: std
      level: info
  # -- Default tracing configuration
  # @default -- disabled
  tracing:
    enabled: false
    jaeger:
      serviceName: ""
      disabled: false
      rpc_metrics: false
      tags: []
      sampler: null
      reporter: null
      headers: null
      baggage_restrictions: null
      throttler: null
  profiling:
    # -- Enable pprof. You will need to manually create a port forwarding to the deployment to access PPROF,
    # as it will only listen on localhost and the defined port.
    # e.g. `kubectl port-forward deployments/dendrite 65432:65432`
    enabled: false
    # -- pprof port, if enabled
    port: 65432
  # -- Configuration for experimental MSC's. (Valid values are: msc2836 and msc2946)
  mscs:
-    - msc2946
+    mscs:
-    # A list of enabled MSC's
+      - msc2946
-    # Currently valid values are:
+      # A list of enabled MSC's
-    # - msc2836    (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
+      # Currently valid values are:
-    # - msc2946    (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946)
+      # - msc2836    (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
-
+      # - msc2946    (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946)
 clientapi:
  # -- Prevents new users from being able to register on this homeserver, except when
  # using the registration shared secret below.
  registration_disabled: true
  # Prevents new guest accounts from being created. Guest registration is also
  # disabled implicitly by setting 'registration_disabled' above.
  guests_disabled: true
  # -- If set, allows registration by anyone who knows the shared secret, regardless of
  # whether registration is otherwise disabled.
  shared_secret: ""
  # -- enable reCAPTCHA registration
  enable_registration_captcha: false
  # -- reCAPTCHA public key
  recaptcha_public_key: ""
  # -- reCAPTCHA private key
  recaptcha_private_key: ""
  # -- reCAPTCHA bypass secret
  recaptcha_bypass_secret: ""
  recaptcha_siteverify_api: ""
  # TURN server information that this homeserver should send to clients.
  turn:
    # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
    turn_user_lifetime: "24h"
    turn_uris: []
    turn_shared_secret: ""
    # -- The TURN username
    turn_username: ""
    # -- The TURN password
    turn_password: ""
  rate_limiting:
    # -- Enable rate limiting
    enabled: true
    # -- After how many requests a rate limit should be activated
    threshold: 20
    # -- Cooloff time in milliseconds
    cooloff_ms: 500
    # -- Users which should be exempt from rate limiting
    exempt_user_ids:
 federationapi:
  send_max_retries: 16
  # -- Disable TLS validation
  disable_tls_validation: false
  prefer_direct_fetch: false
-mediaapi:
+  app_service_api:
-  # -- The max file size for uploaded media files
+    # -- Disable the validation of TLS certificates of appservices. This is
-  max_file_size_bytes: "10485760"
+    # not recommended in production since it may allow appservice traffic
-  # Whether to dynamically generate thumbnails if needed.
+    # to be sent to an insecure endpoint.
-  dynamic_thumbnails: false
+    disable_tls_validation: false
  # -- The maximum number of simultaneous thumbnail generators to run.
  max_thumbnail_generators: 10
  # -- A list of thumbnail sizes to be generated for media content.
  # @default -- [default dendrite config values](https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml)
  thumbnail_sizes:
  - width: 32
    height: 32
    method: crop
  - width: 96
    height: 96
    method: crop
  - width: 640
    height: 480
    method: scale
-syncapi:
+
-  # -- This option controls which HTTP header to inspect to find the real remote IP
+  clientapi:
-  # address of the client. This is likely required if Dendrite is running behind
+    # -- Prevents new users from being able to register on this homeserver, except when
-  # a reverse proxy server.
+    # using the registration shared secret below.
-  real_ip_header: X-Real-IP
+    registration_disabled: true
-  # -- Configuration for the full-text search engine.
+
-  search:
+    # Prevents new guest accounts from being created. Guest registration is also
-    # -- Whether or not search is enabled.
+    # disabled implicitly by setting 'registration_disabled' above.
-    enabled: false
+    guests_disabled: true
-    # -- The language most likely to be used on the server - used when indexing, to
+
-    # ensure the returned results match expectations. A full list of possible languages
+    # -- If set, allows registration by anyone who knows the shared secret, regardless of
-    # can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46)
+    # whether registration is otherwise disabled.
-    language: "en"
+    shared_secret: ""
    # -- enable reCAPTCHA registration
    enable_registration_captcha: false
    # -- reCAPTCHA public key
    recaptcha_public_key: ""
    # -- reCAPTCHA private key
    recaptcha_private_key: ""
    # -- reCAPTCHA bypass secret
    recaptcha_bypass_secret: ""
    recaptcha_siteverify_api: ""
    # TURN server information that this homeserver should send to clients.
    turn:
      # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
      turn_user_lifetime: "24h"
      turn_uris: []
      turn_shared_secret: ""
      # -- The TURN username
      turn_username: ""
      # -- The TURN password
      turn_password: ""
    rate_limiting:
      # -- Enable rate limiting
      enabled: true
      # -- After how many requests a rate limit should be activated
      threshold: 20
      # -- Cooloff time in milliseconds
      cooloff_ms: 500
      # -- Users which should be exempt from rate limiting
      exempt_user_ids:
  federation_api:
    # -- Federation failure threshold. How many consecutive failures that we should
    # tolerate when sending federation requests to a specific server. The backoff
    # is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc.
    # The default value is 16 if not specified, which is circa 18 hours.
    send_max_retries: 16
    # -- Disable TLS validation. This is not recommended in production!
    disable_tls_validation: false
    prefer_direct_fetch: false
    # -- Prevents Dendrite from keeping HTTP connections
    # open for reuse for future requests. Connections will be closed quicker
    # but we may spend more time on TLS handshakes instead.
    disable_http_keepalives: false
    # -- Perspective keyservers, to use as a backup when direct key fetch
    # requests don't succeed.
    key_perspectives:
      - server_name: matrix.org
        keys:
          - key_id: ed25519:auto
            public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
          - key_id: ed25519:a_RXGa
            public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
  mediaapi:
    # -- The max file size for uploaded media files
    max_file_size_bytes: "10485760"
    # Whether to dynamically generate thumbnails if needed.
    dynamic_thumbnails: false
    # -- The maximum number of simultaneous thumbnail generators to run.
    max_thumbnail_generators: 10
    # -- A list of thumbnail sizes to be generated for media content.
    thumbnail_sizes:
      - width: 32
        height: 32
        method: crop
      - width: 96
        height: 96
        method: crop
      - width: 640
        height: 480
        method: scale
  sync_api:
    # -- This option controls which HTTP header to inspect to find the real remote IP
    # address of the client. This is likely required if Dendrite is running behind
    # a reverse proxy server.
    real_ip_header: X-Real-IP
    # -- Configuration for the full-text search engine.
    search:
      # -- Whether or not search is enabled.
      enabled: true
      # -- The language most likely to be used on the server - used when indexing, to
      # ensure the returned results match expectations. A full list of possible languages
      # can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46)
      language: "en"
  # -- Default logging configuration
  logging:
  - type: std
    level: info
 postgresql:
  # -- Enable and configure postgres as the database for dendrite.