
Resubmission of the Synapse Template #20

Open
palmcoasty wants to merge 6 commits into bunkerity:main from palmcoasty:synapse

Conversation

@palmcoasty

Summary

Testing

  • jq . templates/<template-name>/template.json
  • Validated template or docs using the listed commands
  • Other (add details below)
Validation details

Checklist

  • I installed the pre-commit hooks and ran pre-commit run --all-files.
  • I described the service or scenario this change targets.
  • template.json references only files shipped in the same template directory.
  • Template docs note how to import it (plugin bundle and/or web UI upload).
  • I updated configs, screenshots, or notes impacted by this change.
  • I linked related issues or discussions and added context for reviewers.

After thorough research and testing, the Synapse template is now complete and allows full use of the Synapse Matrix server.
The TURN server for calls should be set up through the firewall for best performance and reliability, and not be directed through bunker, since that can cause call interruptions, failed calls and more.

@TheophileDiot
Member

@coderabbitai full review

@coderabbitai
Contributor

coderabbitai Bot commented Apr 13, 2026

✅ Actions performed

Full review triggered.

@coderabbitai
Contributor

coderabbitai Bot commented Apr 13, 2026

Synapse Matrix Server Template (Resubmission)

Critical Issues Identified:

template.json Schema

  • Syntax error: Trailing comma at line 47 (after "USE_BROTLI": "yes",) breaks JSON validation; template will not parse
  • Typo in settings: "USE_CLIENT_CACHE": "n0" should be "no"
  • Template ID: synapse-no-turn; reverse proxy path: /_matrix/ routing to http://mysynapse-server:8008

Security Configuration

  • Rate limiting: LIMIT_REQ_RATE: 10r/s applied globally to /
  • Client payload limit: MAX_CLIENT_SIZE: 50m (generous for Matrix media server)
  • HTTP/3 disabled, HTTPS-only enforced (LISTEN_HTTP: no)
  • Auto TLS via Let's Encrypt enabled with HTTP challenge (no DNS provider specified)
  • IP/RDNS whitelisting enabled with hardcoded search engine bot domains (Google, Yandex, Baidu, LinkedIn, Yahoo)
  • No ModSecurity or CRS rule exclusions present
  • No specific rate-limit relaxations for Matrix federation endpoints

NGINX Configuration (well-known.conf)

  • Serves Matrix client/server discovery via /.well-known/matrix/ endpoints
  • Critical flaw: Hardcoded domain references (matrix.palmcoasty.com) embedded in return statements; these are NOT templated and will not adapt to user's SERVER_NAME configuration. Should use variable substitution (e.g., $server_name or template variables)
  • CORS header Access-Control-Allow-Origin: * is permissive but appropriate for federation discovery

Repository Metadata

  • CHANGELOG.md not updated: No entry added to ## Unreleased section despite PR status. Must be added before merge.
  • No service-specific README in templates/synapse/
  • Only two files added: template.json and well-known.conf; no additional ModSecurity or request filtering configs

Recommendations

  • Fix JSON syntax error (remove trailing comma on line 46)
  • Fix USE_CLIENT_CACHE typo
  • Template the hardcoded domain strings in well-known.conf to use dynamic values (SERVER_NAME or REVERSE_PROXY_HOST)
  • Add entry to CHANGELOG.md ## Unreleased section
  • Consider service-specific README documenting Matrix federation, TURN server setup (noted as firewall-only in PR description), and any CRS rule exclusions if needed
  • Validate template.json with jq . templates/synapse/template.json before merge

Walkthrough

Added a new Synapse Matrix server template comprising three components: a README entry, an Nginx configuration file for Matrix well-known endpoints with CORS headers and hardcoded homeserver references, and a comprehensive template.json file defining server identity, TLS provisioning, security rules, and operational parameters.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Documentation: `README.md` | Added single row to "Available Templates" table referencing templates/synapse/ with template description. |
| Nginx Configuration: `templates/synapse/configs/server-http/well-known.conf` | New Nginx configuration file with two location blocks serving Matrix well-known endpoints (/.well-known/matrix/client and /.well-known/matrix/server) with hardcoded homeserver references and CORS headers set to Access-Control-Allow-Origin: *. |
| Template Configuration: `templates/synapse/template.json` | New template configuration file (ID: synapse-no-turn) defining comprehensive Synapse server settings including server identity, Let's Encrypt TLS provisioning, reverse proxy configuration, client request limits, rate limiting thresholds, IP/rDNS allowlisting rules, and runtime performance parameters (caching, compression). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

Synapse arrives with well-known grace,
Nginx routes the Matrix space,
Templates bloom in ordered code,
A homeserver template on the road! 🏠✨

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title 'Resubmission of the Synapse Template' describes the action but lacks imperative mood and specificity; it reads as a statement rather than a directive like 'Add Synapse template'. | Revise to imperative mood following the style guide: 'Add Synapse template' or 'feat: add Synapse template' (under 70 characters, matching existing history). |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description check | ✅ Passed | The description is related to the changeset, detailing TURN server setup recommendations and referencing Synapse Matrix server functionality, though most checklist items remain unchecked and validation details are absent. |


Warning

⚠️ This pull request might be slop. It has been flagged by CodeRabbit slop detection and should be reviewed carefully.
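A worked check for the hard-coded domain finding in the summary above, added here as an example and not part of the PR, of BunkerWeb or of CodeRabbit: it renders the two `location` blocks from a `SERVER_NAME` instead of a fixed host, and lints the JSON bodies the proxy returns against that name. The `default_type` and CORS lines in the rendered snippet, the hostname guard, and the constructed bodies `PR_CLIENT_BODY` / `PR_SERVER_BODY` are this example's own assumptions; the PR only shows the two `return` lines.

```python
import json
import re
from urllib.parse import urlsplit

# Plain DNS name only: nothing nginx would interpolate ($var) and nothing that
# could break out of the single-quoted return body. (example's own guard)
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)

# Constructed sample: the bodies the PR's well-known.conf returns on lines 4
# and 10, with the submitter's real domain baked in.
PR_CLIENT_BODY = '{"m.homeserver":{"base_url":"https://matrix.palmcoasty.com"}}'
PR_SERVER_BODY = '{"m.server":"matrix.palmcoasty.com:443"}'


def is_safe_hostname(name: str) -> bool:
    return HOSTNAME.match(name) is not None


def well_known_bodies(server_name: str) -> tuple[str, str]:
    """JSON bodies for /.well-known/matrix/client and /server, derived from SERVER_NAME."""
    if not is_safe_hostname(server_name):
        raise ValueError(f"refusing to template unsafe host name {server_name!r}")
    client = json.dumps({"m.homeserver": {"base_url": f"https://{server_name}"}},
                        separators=(",", ":"))
    # m.server carries the port explicitly: this template only exposes the 443 vhost.
    server = json.dumps({"m.server": f"{server_name}:443"}, separators=(",", ":"))
    return client, server


def render_well_known(server_name: str) -> str:
    """Render the nginx snippet. default_type and the CORS header are assumptions
    about what a complete snippet needs; the PR only shows the return lines."""
    client, server = well_known_bodies(server_name)
    blocks = []
    for path, body in (("client", client), ("server", server)):
        blocks.append(
            f"location /.well-known/matrix/{path} {{\n"
            "    default_type application/json;\n"
            "    add_header Access-Control-Allow-Origin *;\n"
            f"    return 200 '{body}';\n"
            "}\n")
    return "\n".join(blocks)


def check_well_known(server_name: str, client_body: str, server_body: str) -> list[str]:
    """Flag discovery bodies that do not match the vhost BunkerWeb is configured for."""
    findings: list[str] = []
    try:
        client = json.loads(client_body)
        server = json.loads(server_body)
    except json.JSONDecodeError as exc:
        return [f"well-known body is not valid JSON: {exc.msg}"]

    base_url = client.get("m.homeserver", {}).get("base_url")
    if not isinstance(base_url, str):
        findings.append("client: m.homeserver.base_url is missing")
    else:
        url = urlsplit(base_url)
        if url.scheme != "https":
            findings.append(f"client: base_url {base_url!r} is not https")
        if url.hostname != server_name:
            findings.append(f"client: base_url host {url.hostname!r} != SERVER_NAME {server_name!r}")

    m_server = server.get("m.server")
    if not isinstance(m_server, str):
        findings.append("server: m.server is missing")
    else:
        host, sep, port = m_server.rpartition(":")
        if not sep:
            # Without a port, federation falls back to SRV lookup / 8448,
            # which this template does not proxy.
            host = m_server
            findings.append(f"server: m.server {m_server!r} has no port")
        elif not port.isdigit():
            findings.append(f"server: m.server port {port!r} is not numeric")
        if host != server_name:
            findings.append(f"server: m.server host {host!r} != SERVER_NAME {server_name!r}")
    return findings
```

Run `check_well_known("example.com", PR_CLIENT_BODY, PR_SERVER_BODY)` to reproduce the finding against the submitted file (both bodies point at the wrong host), and `render_well_known("example.com")` to get a snippet whose bodies pass the same check with the template's own `SERVER_NAME`.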


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Line 69: The table row for the Synapse template has awkward wording; update
the summary cell for the "Synapse" entry (the row referencing "Synapse" and
`templates/synapse/`) to a concise, British-English phrase such as "Secure
template with Matrix Synapse-aware defaults" and ensure the wording is tightened
and punctuation/capitalisation follow the repository's style.

In `@templates/synapse/configs/server-http/well-known.conf`:
- Line 1: Add a short top-of-file comment header above the "location
/.well-known/matrix/client" block that states this snippet belongs to the
Synapse template (Synapse HTTP well-known config) and include the upstream
Synapse version it was validated against (e.g., "Validated against Synapse
vX.Y.Z") plus an owner/maintainer identifier; place the header as plain comment
lines at the very top of the file so it is clearly visible for future
maintainers.

In `@templates/synapse/template.json`:
- Around line 3-47: The template.json currently contains only generic "settings"
and lacks app-specific guided steps for Synapse; update the template to be
Synapse-focused by adding a top-level "steps" array that walks the user through
Synapse-specific setup: domain and TLS configuration (use/validate SERVER_NAME,
AUTO_LETS_ENCRYPT, LETS_ENCRYPT_*), upstream/Reverse Proxy setup
(REVERSE_PROXY_URL, REVERSE_PROXY_HOST, REVERSE_PROXY_INTERCEPT_ERRORS), Matrix
well-known and federation checks, and runtime limits/tuning (MAX_CLIENT_SIZE,
LIMIT_REQ_RATE, BAD_BEHAVIOR_*); keep the existing "settings" keys but replace
the generic description ("name") and include step ids/titles that reference
these setting keys so the UI can prompt users for domain, TLS credentials,
reverse-proxy endpoint, and rate-limit thresholds.
- Line 3: The template's top-level "name" field is too long and descriptive for
UI display; change the "name" value to a concise user-facing label (e.g.,
"Synapse Matrix") by editing the "name" key in templates/synapse/template.json,
and relocate the TURN caveat and hardening details into the template's longer
description or the documentation/steps section so the top-level name remains
short and UI-friendly.
- Line 2: The template "id" value currently set to "synapse-no-turn" must be
changed to match the template directory name by using a stable
lowercase-kebab-case id (e.g., "synapse"); update the "id" property in the
template.json where it currently reads "synapse-no-turn" so it exactly matches
the directory name "synapse" and ensure the id remains immutable once published.
- Line 44: The template value for the configuration key USE_CLIENT_CACHE is a
typo: it uses the string "n0" (zero) instead of the intended "no", which can
break downstream parsing/validation; update the template so the value for
USE_CLIENT_CACHE is the correct string "no" (fix the token for USE_CLIENT_CACHE
in the template.json so it matches documented allowed values and types).
- Around line 1-47: The template.json is missing a top-level "configs" array so
the snippet templates/synapse/configs/server-http/well-known.conf is never
wired; add a "configs" array entry in templates/synapse/template.json that
includes the relative path to "configs/server-http/well-known.conf" (and any
other owned config snippets), ensuring each path matches the file names under
the template directory and follows the existing template schema so the
well-known.conf is loaded.
- Around line 46-47: Fix the JSON syntax and structural template issues: remove
the trailing comma after "USE_BROTLI" and close the root object, validate with
jq; change "id" from "synapse-no-turn" to "synapse" to match the directory name,
shorten the "name" value to a concise label (e.g., "Synapse (no TURN)"), correct
"USE_CLIENT_CACHE" from "n0" to "no", add a top-level "configs" array that
references the existing server-http well-known config (e.g., include its
filename/key in the array), and add a top-level "steps" array with the required
guided import workflow entries so the template passes structural validation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d867131f-2a68-47a3-a72f-1d696e9c12da

📥 Commits

Reviewing files that changed from the base of the PR and between ab602a3 and b45bd30.

📒 Files selected for processing (3)
  • README.md
  • templates/synapse/configs/server-http/well-known.conf
  • templates/synapse/template.json
📜 Review details
🧰 Additional context used
📓 Path-based instructions (3)
**/*.md

⚙️ CodeRabbit configuration file

**/*.md: Documentation should be concise, accurate, and written in British English:

  • Keep a sensible heading hierarchy and prefer concrete instructions over narrative.
  • Commands go in backticks or fenced code blocks; keep lines under roughly 100 characters.
  • Check that referenced paths, settings, workflows, and external links still match the current repository.
  • When a PR changes behaviour, defaults, or packaging, require the matching doc update in the same PR.

Files:

  • README.md
templates/**/configs/**/*.conf

⚙️ CodeRabbit configuration file

templates/**/configs/**/*.conf: These are NGINX and ModSecurity snippets loaded by BunkerWeb at runtime. They must be safe and minimal:

  • ModSecurity / CRS tuning files (*_false_positives.conf): prefer targeted ctl:ruleRemoveTargetById= / ctl:ruleRemoveById= over SecRuleRemoveById with broad ranges. Every exclusion must have a short comment explaining the specific legitimate traffic it unblocks (endpoint, parameter, rule ID, reason). Do not disable whole paranoia levels or broad rule families.
  • Rule IDs authored here must live in the user range (>= 9,000,000 for SecAction markers used by CRS plugins, or the custom range documented by the upstream CRS plugin being enabled).
  • Do not set SecRuleEngine Off or SecRequestBodyAccess Off in a template config.
  • NGINX fragments: avoid if inside location where a prefix match would do; never proxy_pass to an upstream constructed from a request variable (SSRF); do not strip security headers added by BunkerWeb core; do not lower TLS/SSL protocol or cipher strength.
  • Every file referenced here must also be listed in the owning template.json configs array, and vice versa. Flag orphans in either direction.
  • Add a short top-of-file comment describing the template the snippet belongs to and the upstream service version it was validated against.

Files:

  • templates/synapse/configs/server-http/well-known.conf
templates/**/template.json

⚙️ CodeRabbit configuration file

templates/**/template.json: template.json is the BunkerWeb template definition consumed by the configurator and the guided-import UI. Apply these rules:

  • Required top-level fields: id (lowercase-kebab-case, matching the template directory name, treated as immutable once published), name (concise user-facing label). Optional: settings (object of BunkerWeb multisite settings), configs (array of relative paths), steps (ordered guided-import workflow).
  • Two-space indentation, double-quoted keys and strings, no trailing commas. The file must parse with jq . templates/<name>/template.json.
  • Setting keys must match BunkerWeb multisite setting names exactly (e.g. SERVER_NAME, USE_REVERSE_PROXY, REVERSE_PROXY_HOST, MODSECURITY_CRS_PLUGINS, USE_LIMIT_REQ, LIMIT_REQ_RATE, WHITELIST_RDNS). Flag typos, unknown keys, and values that violate documented types or ranges.
  • Every path referenced from configs (top-level or inside a step) must resolve to a file that exists under the template directory. Flag missing files, paths that escape the template directory, or duplicate entries. Templates must be self-contained: never reference files outside their own templates/<name>/ directory.
  • Each steps[].settings entry must refer to a key that also exists in the top-level settings object — the UI surfaces the step by reading those keys. Flag orphan references.
  • Templates must stay integration-agnostic. They work identically across Docker, Kubernetes, and Linux, so never introduce environment-specific assets (Dockerfiles, docker-compose.yml, Kubernetes manifests, Helm charts, systemd units) inside templates/<name>/, and never condition settings on the host integration.
  • Templates must be app-specific, not generic hardening. BunkerWeb already ships built-in low/medium/high presets for generic defaults; a template in this repo should target a named upstream service and ship app-aware configs and guided steps. Push back on PR...

Files:

  • templates/synapse/template.json
🔇 Additional comments (1)
templates/synapse/configs/server-http/well-known.conf (1)

4-10: ⚠️ Potential issue | 🟠 Major

Hard-coded real domain makes the template non-reusable and leaks environment details.

Lines 4 and 10 embed matrix.palmcoasty.com. Replace with an obvious placeholder (or a configurable value) so users do not deploy someone else’s domain by default.

💡 Example safer default
-    return 200 '{"m.homeserver":{"base_url":"https://matrix.palmcoasty.com"}}';
+    return 200 '{"m.homeserver":{"base_url":"https://www.example.com"}}';
@@
-    return 200 '{"m.server":"matrix.palmcoasty.com:443"}';
+    return 200 '{"m.server":"www.example.com:443"}';
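Review bot: the placeholder this hunk introduces, www.example.com, does not match the `"SERVER_NAME": "example.com"` the template ships, so importing both files unchanged leaves client discovery pointing at a host the vhost is not configured for; use the same placeholder in both files, or better, derive both return bodies from SERVER_NAME. Keep the explicit `:443` on m.server as the hunk does: without a port, Matrix federation falls back to SRV lookup and 8448, and nothing in this template's settings proxies that.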

As per coding guidelines, “Never commit real domains … Use obvious placeholders (www.example.com, http://myservice).”

> Likely an incorrect or invalid review comment.

Comment thread README.md
| [NetBird](templates/netbird/) | Self-hosted template with gRPC and websocket routing | `templates/netbird/` |
| [Tomcat](templates/tomcat/) | Reverse proxy template with servlet-friendly defaults | `templates/tomcat/` |
| [WordPress](templates/wordpress/) | Secure template with essential hardening defaults | `templates/wordpress/` |
| [Synapse](templates/synapse/) | Secure template with essential hardening defaults for the matrix server synapse | `templates/synapse/` |

⚠️ Potential issue | 🟡 Minor

Template summary text is awkward and should be tightened.

Line 69 reads unnaturally (“matrix server synapse”). Use concise wording, e.g. “Secure template with Matrix Synapse-aware defaults”.

As per coding guidelines, documentation should be “concise, accurate, and written in British English”.


@@ -0,0 +1,11 @@
location /.well-known/matrix/client {

🧹 Nitpick | 🔵 Trivial

Add a short file header describing ownership and tested upstream version.

Please add a top-of-file comment stating this snippet belongs to the Synapse template and which Synapse version it was validated against.

As per coding guidelines, “Add a short top-of-file comment describing the template the snippet belongs to and the upstream service version it was validated against.”


Comment on lines +1 to +47
{
"id": "synapse-no-turn",
"name": "Synapse Matrix server without Turn, secure template with essential hardening defaults",
"settings": {
"SERVER_NAME": "example.com",
"AUTO_LETS_ENCRYPT": "yes",
"USE_LETS_ENCRYPT_STAGING": "no",
"USE_LETS_ENCRYPT_WILDCARD": "no",
"LETS_ENCRYPT_CHALLENGE": "http",
"LETS_ENCRYPT_DNS_PROVIDER": "",
"LETS_ENCRYPT_DNS_PROPAGATION": "default",
"LETS_ENCRYPT_DNS_CREDENTIAL_ITEM": "",
"USE_CUSTOM_SSL": "no",
"CUSTOM_SSL_CERT_PRIORITY": "file",
"CUSTOM_SSL_CERT": "",
"CUSTOM_SSL_KEY": "",
"CUSTOM_SSL_CERT_DATA": "",
"CUSTOM_SSL_KEY_DATA": "",
"USE_REVERSE_PROXY": "yes",
"REVERSE_PROXY_URL": "/_matrix/",
"REVERSE_PROXY_HOST": "http://mysynapse-server:8008",
"REVERSE_PROXY_INTERCEPT_ERRORS": "no",
"REVERSE_PROXY_KEEPALIVE": "yes",
"REVERSE_PROXY_HIDE_HEADERS": "",
"REVERSE_PROXY_CONNECT_TIMEOUT": "30s",
"REVERSE_PROXY_READ_TIMEOUT": "300s",
"REVERSE_PROXY_SEND_TIMEOUT": "60s",
"HTTP3": "no",
"LISTEN_HTTP": "no",
"MAX_CLIENT_SIZE": "50m",
"ALLOWED_METHODS": "GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH",
"USE_LIMIT_REQ": "yes",
"LIMIT_REQ_URL": "/",
"LIMIT_REQ_RATE": "10r/s",
"INTERCEPTED_ERROR_CODES": "400 401 403 404 405 413 429 501 502 503 504",
"USE_WHITELIST": "yes",
"BAD_BEHAVIOR_STATUS_CODES": "405",
"BAD_BEHAVIOR_THRESHOLD": "100",
"WHITELIST_IP": "",
"WHITELIST_RDNS": ".google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com",
"WHITELIST_RDNS_GLOBAL": "yes",
"WHITELIST_ASN": "",
"SERVE_FILES": "no",
"USE_CLIENT_CACHE": "n0",
"USE_GZIP": "yes",
"USE_BROTLI": "yes",
}

⚠️ Potential issue | 🟠 Major

Missing configs entry leaves well-known.conf unused.

There is no top-level configs array, so templates/synapse/configs/server-http/well-known.conf will not be loaded by the template.

💡 Minimal fix
 {
   "id": "synapse",
   "name": "Synapse Matrix",
   "settings": {
@@
-    "USE_BROTLI": "yes"
-  }
+    "USE_BROTLI": "yes"
+  },
+  "configs": [
+    "server-http/well-known.conf"
+  ]
 }
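Review bot: this hunk will not apply to the file under review: its context lines show `"id": "synapse"` and `"name": "Synapse Matrix"` where the file still has `synapse-no-turn` and the long name, and the removed line `"USE_BROTLI": "yes"` has no trailing comma although the submitted line 46 does, so the patch rejects on both counts. The configs path also disagrees with the agent prompt earlier in this review (`server-http/well-known.conf` here, `configs/server-http/well-known.conf` there); check how an existing template such as templates/wordpress/ lists its snippets before committing either form.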

As per coding guidelines, “Every path referenced from configs … must resolve to a file that exists under the template directory” and templates are expected to wire owned config snippets through template.json.

Suggested change
{
"id": "synapse-no-turn",
"name": "Synapse Matrix server without Turn, secure template with essential hardening defaults",
"settings": {
"SERVER_NAME": "example.com",
"AUTO_LETS_ENCRYPT": "yes",
"USE_LETS_ENCRYPT_STAGING": "no",
"USE_LETS_ENCRYPT_WILDCARD": "no",
"LETS_ENCRYPT_CHALLENGE": "http",
"LETS_ENCRYPT_DNS_PROVIDER": "",
"LETS_ENCRYPT_DNS_PROPAGATION": "default",
"LETS_ENCRYPT_DNS_CREDENTIAL_ITEM": "",
"USE_CUSTOM_SSL": "no",
"CUSTOM_SSL_CERT_PRIORITY": "file",
"CUSTOM_SSL_CERT": "",
"CUSTOM_SSL_KEY": "",
"CUSTOM_SSL_CERT_DATA": "",
"CUSTOM_SSL_KEY_DATA": "",
"USE_REVERSE_PROXY": "yes",
"REVERSE_PROXY_URL": "/_matrix/",
"REVERSE_PROXY_HOST": "http://mysynapse-server:8008",
"REVERSE_PROXY_INTERCEPT_ERRORS": "no",
"REVERSE_PROXY_KEEPALIVE": "yes",
"REVERSE_PROXY_HIDE_HEADERS": "",
"REVERSE_PROXY_CONNECT_TIMEOUT": "30s",
"REVERSE_PROXY_READ_TIMEOUT": "300s",
"REVERSE_PROXY_SEND_TIMEOUT": "60s",
"HTTP3": "no",
"LISTEN_HTTP": "no",
"MAX_CLIENT_SIZE": "50m",
"ALLOWED_METHODS": "GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH",
"USE_LIMIT_REQ": "yes",
"LIMIT_REQ_URL": "/",
"LIMIT_REQ_RATE": "10r/s",
"INTERCEPTED_ERROR_CODES": "400 401 403 404 405 413 429 501 502 503 504",
"USE_WHITELIST": "yes",
"BAD_BEHAVIOR_STATUS_CODES": "405",
"BAD_BEHAVIOR_THRESHOLD": "100",
"WHITELIST_IP": "",
"WHITELIST_RDNS": ".google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com",
"WHITELIST_RDNS_GLOBAL": "yes",
"WHITELIST_ASN": "",
"SERVE_FILES": "no",
"USE_CLIENT_CACHE": "n0",
"USE_GZIP": "yes",
"USE_BROTLI": "yes"
},
"configs": [
"server-http/well-known.conf"
]
}

@@ -0,0 +1,47 @@
{
"id": "synapse-no-turn",

⚠️ Potential issue | 🟠 Major

Template id does not match the directory name.

Line 2 uses synapse-no-turn, but the template lives under templates/synapse/. Use a stable id aligned with the directory name to avoid lookup/migration issues.

As per coding guidelines, id must be “lowercase-kebab-case, matching the template directory name, treated as immutable once published”.


Comment on lines +3 to +47
"name": "Synapse Matrix server without Turn, secure template with essential hardening defaults",
"settings": {
"SERVER_NAME": "example.com",
"AUTO_LETS_ENCRYPT": "yes",
"USE_LETS_ENCRYPT_STAGING": "no",
"USE_LETS_ENCRYPT_WILDCARD": "no",
"LETS_ENCRYPT_CHALLENGE": "http",
"LETS_ENCRYPT_DNS_PROVIDER": "",
"LETS_ENCRYPT_DNS_PROPAGATION": "default",
"LETS_ENCRYPT_DNS_CREDENTIAL_ITEM": "",
"USE_CUSTOM_SSL": "no",
"CUSTOM_SSL_CERT_PRIORITY": "file",
"CUSTOM_SSL_CERT": "",
"CUSTOM_SSL_KEY": "",
"CUSTOM_SSL_CERT_DATA": "",
"CUSTOM_SSL_KEY_DATA": "",
"USE_REVERSE_PROXY": "yes",
"REVERSE_PROXY_URL": "/_matrix/",
"REVERSE_PROXY_HOST": "http://mysynapse-server:8008",
"REVERSE_PROXY_INTERCEPT_ERRORS": "no",
"REVERSE_PROXY_KEEPALIVE": "yes",
"REVERSE_PROXY_HIDE_HEADERS": "",
"REVERSE_PROXY_CONNECT_TIMEOUT": "30s",
"REVERSE_PROXY_READ_TIMEOUT": "300s",
"REVERSE_PROXY_SEND_TIMEOUT": "60s",
"HTTP3": "no",
"LISTEN_HTTP": "no",
"MAX_CLIENT_SIZE": "50m",
"ALLOWED_METHODS": "GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH",
"USE_LIMIT_REQ": "yes",
"LIMIT_REQ_URL": "/",
"LIMIT_REQ_RATE": "10r/s",
"INTERCEPTED_ERROR_CODES": "400 401 403 404 405 413 429 501 502 503 504",
"USE_WHITELIST": "yes",
"BAD_BEHAVIOR_STATUS_CODES": "405",
"BAD_BEHAVIOR_THRESHOLD": "100",
"WHITELIST_IP": "",
"WHITELIST_RDNS": ".google.com .googlebot.com .yandex.ru .yandex.net .yandex.com .search.msn.com .baidu.com .baidu.jp .crawl.yahoo.net .fwd.linkedin.com",
"WHITELIST_RDNS_GLOBAL": "yes",
"WHITELIST_ASN": "",
"SERVE_FILES": "no",
"USE_CLIENT_CACHE": "n0",
"USE_GZIP": "yes",
"USE_BROTLI": "yes",
}

⚠️ Potential issue | 🟠 Major

This reads as a generic hardening profile, not a guided Synapse template.

The template has no steps and is framed around generic hardening defaults rather than a clear Synapse workflow (domain/TLS, upstream, Matrix well-known, limits). Please add app-aware guided steps.

As per coding guidelines, “Templates must be app-specific, not generic hardening … and ship app-aware configs and guided steps”.


@@ -0,0 +1,47 @@
{
"id": "synapse-no-turn",
"name": "Synapse Matrix server without Turn, secure template with essential hardening defaults",

⚠️ Potential issue | 🟡 Minor

Template name is not concise for UI display.

Line 3 is overly long and mixes product name, TURN caveat, and hardening description. Keep name short (e.g., Synapse Matrix), and move caveats to docs/steps.

As per coding guidelines, required top-level name is a “concise user-facing label”.


"WHITELIST_RDNS_GLOBAL": "yes",
"WHITELIST_ASN": "",
"SERVE_FILES": "no",
"USE_CLIENT_CACHE": "n0",

⚠️ Potential issue | 🟠 Major

USE_CLIENT_CACHE has a typo likely causing invalid behaviour.

Line 44 uses "n0" (zero) instead of "no".

💡 Proposed fix
-    "USE_CLIENT_CACHE": "n0",
+    "USE_CLIENT_CACHE": "no",
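Review bot: correct as far as it goes, but on its own this hunk leaves the file unparseable: the trailing comma after `"USE_BROTLI": "yes"` two lines below still fails `jq .`, so land the typo fix and the syntax fix in the same commit and re-run the jq check from the PR checklist.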

As per coding guidelines, setting values must not “violate documented types or ranges”.


Comment on lines +46 to +47
"USE_BROTLI": "yes",
}

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
jq . templates/synapse/template.json >/dev/null

Repository: bunkerity/bunkerweb-templates

Length of output: 138


🏁 Script executed:

cat templates/synapse/template.json

Repository: bunkerity/bunkerweb-templates

Length of output: 1842


🏁 Script executed:

find templates/synapse -type f | head -20

Repository: bunkerity/bunkerweb-templates

Length of output: 158


template.json fails JSON validation and contains multiple structural violations.

Line 46 has a trailing comma and the root object is not closed—line 47 ends the file prematurely. This fails jq validation and blocks template import.

Additionally:

  • Line 2: id is "synapse-no-turn" but must match the template directory name synapse (immutable once published, per guidelines).
  • Line 44: "USE_CLIENT_CACHE": "n0" is invalid; must be "no" (all other boolean settings use yes or no).
  • Missing top-level configs array: File templates/synapse/configs/server-http/well-known.conf exists but is unreferenced and orphaned; add a configs array to include it.
  • Missing steps array: Templates must include guided steps for the import workflow per guidelines; currently absent.
  • Line 3: name is excessively verbose ("Synapse Matrix server without Turn, secure template with essential hardening defaults"); use a concise label.

Fix the JSON syntax first, then resolve structural issues. The template is app-specific (targets Synapse with service-aware configs) but incomplete without guided steps and proper configs references.

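The rules quoted in the templates/**/template.json guideline and the structural findings in this review, turned into a linter, as an added example that is not part of the repository's tooling or of BunkerWeb: it parses the file the way `jq .` would, then checks id, name, yes/no values, `configs` paths in both directions and `steps` references. The abridged sample `PR_TEMPLATE`, the 40-character name limit, the yes/no key heuristic, the assumed `steps` shape (a title plus a list of setting keys), and accepting both the `server-http/...` and `configs/server-http/...` path forms (the review suggests each once) are this example's assumptions.

```python
import json
import posixpath
import re
from typing import Iterable

KEBAB_CASE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")
MAX_NAME_LEN = 40   # assumption: the guideline says "concise" without a number
# Assumption: yes/no settings are recognised by prefix plus this short list;
# the authoritative types live in BunkerWeb's settings schema, not consulted here.
BOOL_KEYS = {"HTTP3", "LISTEN_HTTP", "SERVE_FILES", "WHITELIST_RDNS_GLOBAL",
             "REVERSE_PROXY_KEEPALIVE", "REVERSE_PROXY_INTERCEPT_ERRORS"}

# Constructed sample: an abridged copy of the PR's template.json, keeping the
# trailing comma after USE_BROTLI and the "n0" typo that the review flagged.
PR_SETTINGS_HEAD = """{
  "id": "synapse-no-turn",
  "name": "Synapse Matrix server without Turn, secure template with essential hardening defaults",
  "settings": {
    "SERVER_NAME": "example.com",
    "AUTO_LETS_ENCRYPT": "yes",
    "USE_REVERSE_PROXY": "yes",
    "REVERSE_PROXY_URL": "/_matrix/",
    "USE_CLIENT_CACHE": "n0",
"""
PR_TEMPLATE = PR_SETTINGS_HEAD + '    "USE_BROTLI": "yes",\n  }\n'
PR_TEMPLATE_PARSEABLE = PR_SETTINGS_HEAD + '    "USE_BROTLI": "yes"\n  }\n}\n'
PR_FILES = ["configs/server-http/well-known.conf"]   # what exists under templates/synapse/

# Same template with every finding resolved; the steps shape is assumed.
FIXED_TEMPLATE = json.dumps({
    "id": "synapse",
    "name": "Synapse Matrix",
    "settings": {"SERVER_NAME": "example.com", "AUTO_LETS_ENCRYPT": "yes",
                 "USE_REVERSE_PROXY": "yes", "REVERSE_PROXY_URL": "/_matrix/",
                 "USE_CLIENT_CACHE": "no", "USE_BROTLI": "yes"},
    "configs": ["configs/server-http/well-known.conf"],
    "steps": [{"title": "Domain and TLS", "settings": ["SERVER_NAME", "AUTO_LETS_ENCRYPT"]},
              {"title": "Synapse upstream", "settings": ["REVERSE_PROXY_URL"]}],
}, indent=2)


def is_bool_key(key: str) -> bool:
    return key.startswith(("USE_", "AUTO_")) or key in BOOL_KEYS


def lint_template(dir_name: str, raw: str, files: Iterable[str]) -> list[str]:
    """Findings for templates/<dir_name>/template.json; `files` are the snippet
    paths that exist under that directory, relative to it."""
    findings: list[str] = []
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:   # a trailing comma lands here, as with jq .
        return [f"template.json does not parse: {exc.msg} (line {exc.lineno})"]

    tid = doc.get("id")
    if not isinstance(tid, str) or not KEBAB_CASE.match(tid):
        findings.append(f"id {tid!r} is not lowercase-kebab-case")
    elif tid != dir_name:
        findings.append(f"id {tid!r} does not match directory {dir_name!r}")
    name = doc.get("name")
    if not isinstance(name, str) or not name.strip():
        findings.append("name is missing")
    elif len(name) > MAX_NAME_LEN:
        findings.append(f"name is {len(name)} characters; keep it a short label")

    settings = doc.get("settings", {})
    for key, value in settings.items():
        if not isinstance(value, str):
            findings.append(f"{key}: value must be a string")
        elif is_bool_key(key) and value not in ("yes", "no"):
            findings.append(f"{key}: {value!r} is not yes/no")

    referenced = list(doc.get("configs", []))
    for step in doc.get("steps", []):
        referenced.extend(step.get("configs", []))
        for key in step.get("settings", []):
            if key not in settings:     # the UI surfaces a step by reading these keys
                findings.append(f"step {step.get('title')!r} references unknown setting {key}")

    existing = set(files)
    seen: set[str] = set()
    for entry in referenced:
        norm = posixpath.normpath(entry)
        if norm.startswith(("../", "/")) or norm == "..":
            findings.append(f"configs entry {entry!r} escapes the template directory")
            continue
        if not norm.startswith("configs/"):   # both forms appear in the review; accept either
            norm = "configs/" + norm
        if norm in seen:
            findings.append(f"configs entry {entry!r} is listed twice")
        seen.add(norm)
        if norm not in existing:
            findings.append(f"configs entry {entry!r} has no file under templates/{dir_name}/")
    for path in sorted(existing - seen):
        findings.append(f"{path} is not wired through configs (orphan snippet)")
    return findings
```

Against `PR_TEMPLATE` the only finding is the parse failure, which is why the review says to fix the syntax first: the id, name, `n0` and orphan-snippet findings only surface once the file parses, as running the linter on `PR_TEMPLATE_PARSEABLE` shows. `FIXED_TEMPLATE` yields no findings.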
