Fix typo again

Specify MSC name; fix typo
one day I'll learn how to spell hierarchy
2025-12-17 02:10:27 +00:00 · 2021-09-21 12:24:47 +01:00 · 2021-09-21 12:10:50 +01:00 · 2021-09-21 12:01:54 +01:00 · 2021-09-21 11:52:37 +01:00 · 2021-09-21 11:49:15 +01:00
688 changed files with 48365 additions and 20985 deletions
--- a/.buildkite/.env
+++ b/.buildkite/.env
@@ -1,13 +0,0 @@
 CI
 BUILDKITE
 BUILDKITE_BUILD_NUMBER
 BUILDKITE_BRANCH
 BUILDKITE_BUILD_NUMBER
 BUILDKITE_JOB_ID
 BUILDKITE_BUILD_URL
 BUILDKITE_PROJECT_SLUG
 BUILDKITE_COMMIT
 BUILDKITE_PULL_REQUEST
 BUILDKITE_TAG
 CODECOV_TOKEN
 TRIAL_FLAGS
--- a/.buildkite/merge_base_branch.sh
+++ b/.buildkite/merge_base_branch.sh
@@ -1,35 +0,0 @@
 #!/usr/bin/env bash
 set -e
 if [[ "$BUILDKITE_BRANCH" =~ ^(develop|master|dinsic|shhs|release-.*)$ ]]; then
    echo "Not merging forward, as this is a release branch"
    exit 0
 fi
 if [[ -z $BUILDKITE_PULL_REQUEST_BASE_BRANCH ]]; then
    echo "Not a pull request, or hasn't had a PR opened yet..."
    # It probably hasn't had a PR opened yet. Since all PRs land on develop, we
    # can probably assume it's based on it and will be merged into it.
    GITBASE="develop"
 else
    # Get the reference, using the GitHub API
    GITBASE=$BUILDKITE_PULL_REQUEST_BASE_BRANCH
 fi
 echo "--- merge_base_branch $GITBASE"
 # Show what we are before
 git --no-pager show -s
 # Set up username so it can do a merge
 git config --global user.email bot@matrix.org
 git config --global user.name "A robot"
 # Fetch and merge. If it doesn't work, it will raise due to set -e.
 git fetch -u origin $GITBASE
 git merge --no-edit --no-commit origin/$GITBASE
 # Show what we are after.
 git --no-pager show -s
--- a/.buildkite/worker-blacklist
+++ b/.buildkite/worker-blacklist
@@ -1,10 +0,0 @@
 # This file serves as a blacklist for SyTest tests that we expect will fail in
 # Synapse when run under worker mode. For more details, see sytest-blacklist.
 Can re-join room if re-invited
 # new failures as of https://github.com/matrix-org/sytest/pull/732
 Device list doesn't change if remote server is down
 # https://buildkite.com/matrix-dot-org/synapse/builds/6134#6f67bf47-e234-474d-80e8-c6e1868b15c5
 Server correctly handles incoming m.device_list_update
--- a/.ci/patch_for_twisted_trunk.sh
+++ b/.ci/patch_for_twisted_trunk.sh
@@ -0,0 +1,8 @@
 #!/bin/sh
 # replaces the dependency on Twisted in `python_dependencies` with trunk.
 set -e
 cd "$(dirname "$0")"/..
 sed -i -e 's#"Twisted.*"#"Twisted @ git+https://github.com/twisted/twisted"#' synapse/python_dependencies.py
--- a/.buildkite/postgres-config.yaml
+++ b/.buildkite/postgres-config.yaml
@@ -3,7 +3,7 @@
 # CI's Docker setup at the point where this file is considered.
 server_name: "localhost:8800"
-signing_key_path: "/src/.buildkite/test.signing.key"
+signing_key_path: ".ci/test.signing.key"
 report_stats: false
@@ -11,11 +11,9 @@ database:
  name: "psycopg2"
  args:
    user: postgres
-    host: postgres
+    host: localhost
    password: postgres
    database: synapse
 # Suppress the key server warning.
-trusted_key_servers:
+trusted_key_servers: []
  - server_name: "matrix.org"
 suppress_key_server_warning: true
--- a/.buildkite/scripts/postgres_exec.py
+++ b/.buildkite/scripts/postgres_exec.py
@@ -23,7 +23,7 @@ import psycopg2
 # We use "postgres" as a database because it's bound to exist and the "synapse" one
 # doesn't exist yet.
 db_conn = psycopg2.connect(
-    user="postgres", host="postgres", password="postgres", dbname="postgres"
+    user="postgres", host="localhost", password="postgres", dbname="postgres"
 )
 db_conn.autocommit = True
 cur = db_conn.cursor()
--- a/.buildkite/scripts/test_old_deps.sh
+++ b/.buildkite/scripts/test_old_deps.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# this script is run by buildkite in a plain `bionic` container; it installs the
+# this script is run by GitHub Actions in a plain `bionic` container; it installs the
 # minimal requirements for tox and hands over to the py3-old tox environment.
 set -ex
--- a/.buildkite/scripts/test_synapse_port_db.sh
+++ b/.buildkite/scripts/test_synapse_port_db.sh
@@ -20,18 +20,22 @@ pip install -e .
 echo "--- Generate the signing key"
 # Generate the server's signing key.
-python -m synapse.app.homeserver --generate-keys -c .buildkite/sqlite-config.yaml
+python -m synapse.app.homeserver --generate-keys -c .ci/sqlite-config.yaml
 echo "--- Prepare test database"
 # Make sure the SQLite3 database is using the latest schema and has no pending background update.
-scripts-dev/update_database --database-config .buildkite/sqlite-config.yaml
+scripts-dev/update_database --database-config .ci/sqlite-config.yaml
 # Create the PostgreSQL database.
-./.buildkite/scripts/postgres_exec.py "CREATE DATABASE synapse"
+.ci/scripts/postgres_exec.py "CREATE DATABASE synapse"
 echo "+++ Run synapse_port_db against test database"
-coverage run scripts/synapse_port_db --sqlite-database .buildkite/test_db.db --postgres-config .buildkite/postgres-config.yaml
+coverage run scripts/synapse_port_db --sqlite-database .ci/test_db.db --postgres-config .ci/postgres-config.yaml
 # We should be able to run twice against the same database.
 echo "+++ Run synapse_port_db a second time"
 coverage run scripts/synapse_port_db --sqlite-database .ci/test_db.db --postgres-config .ci/postgres-config.yaml
 #####
@@ -40,14 +44,14 @@ coverage run scripts/synapse_port_db --sqlite-database .buildkite/test_db.db --p
 echo "--- Prepare empty SQLite database"
 # we do this by deleting the sqlite db, and then doing the same again.
-rm .buildkite/test_db.db
+rm .ci/test_db.db
-scripts-dev/update_database --database-config .buildkite/sqlite-config.yaml
+scripts-dev/update_database --database-config .ci/sqlite-config.yaml
 # re-create the PostgreSQL database.
-./.buildkite/scripts/postgres_exec.py \
+.ci/scripts/postgres_exec.py \
  "DROP DATABASE synapse" \
  "CREATE DATABASE synapse"
 echo "+++ Run synapse_port_db against empty database"
-coverage run scripts/synapse_port_db --sqlite-database .buildkite/test_db.db --postgres-config .buildkite/postgres-config.yaml
+coverage run scripts/synapse_port_db --sqlite-database .ci/test_db.db --postgres-config .ci/postgres-config.yaml
--- a/.buildkite/sqlite-config.yaml
+++ b/.buildkite/sqlite-config.yaml
@@ -3,16 +3,14 @@
 # schema and run background updates on it.
 server_name: "localhost:8800"
-signing_key_path: "/src/.buildkite/test.signing.key"
+signing_key_path: ".ci/test.signing.key"
 report_stats: false
 database:
  name: "sqlite3"
  args:
-    database: ".buildkite/test_db.db"
+    database: ".ci/test_db.db"
 # Suppress the key server warning.
-trusted_key_servers:
+trusted_key_servers: []
  - server_name: "matrix.org"
 suppress_key_server_warning: true
--- a/.buildkite/test_db.db
+++ b/.buildkite/test_db.db
--- a/.ci/twisted_trunk_build_failed_issue_template.md
+++ b/.ci/twisted_trunk_build_failed_issue_template.md
@@ -0,0 +1,4 @@
 ---
 title: CI run against Twisted trunk is failing
 ---
 See https://github.com/{{env.GITHUB_REPOSITORY}}/actions/runs/{{env.GITHUB_RUN_ID}}
--- a/.ci/worker-blacklist
+++ b/.ci/worker-blacklist
@@ -0,0 +1,2 @@
 # This file serves as a blacklist for SyTest tests that we expect will fail in
 # Synapse when run under worker mode. For more details, see sytest-blacklist.
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,78 +0,0 @@
 version: 2.1
 jobs:
  dockerhubuploadrelease:
    docker:
      - image: docker:git
    steps:
      - checkout
      - docker_prepare
      - run: docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
      # for release builds, we want to get the amd64 image out asap, so first
      # we do an amd64-only build, before following up with a multiarch build.
      - docker_build:
          tag: -t matrixdotorg/synapse:${CIRCLE_TAG}
          platforms: linux/amd64
      - docker_build:
          tag: -t matrixdotorg/synapse:${CIRCLE_TAG}
          platforms: linux/amd64,linux/arm64
  dockerhubuploadlatest:
    docker:
      - image: docker:git
    steps:
      - checkout
      - docker_prepare
      - run: docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
      # for `latest`, we don't want the arm images to disappear, so don't update the tag
      # until all of the platforms are built.
      - docker_build:
          tag: -t matrixdotorg/synapse:latest
          platforms: linux/amd64,linux/arm64
 workflows:
  build:
    jobs:
      - dockerhubuploadrelease:
          filters:
            tags:
              only: /v[0-9].[0-9]+.[0-9]+.*/
            branches:
              ignore: /.*/
      - dockerhubuploadlatest:
          filters:
            branches:
              only: master
 commands:
  docker_prepare:
    description: Sets up a remote docker server, downloads the buildx cli plugin, and enables multiarch images
    parameters:
      buildx_version:
        type: string
        default: "v0.4.1"
    steps:
      - setup_remote_docker:
          # 19.03.13 was the most recent available on circleci at the time of
          # writing.
          version: 19.03.13
      - run: apk add --no-cache curl
      - run: mkdir -vp ~/.docker/cli-plugins/ ~/dockercache
      - run: curl --silent -L "https://github.com/docker/buildx/releases/download/<< parameters.buildx_version >>/buildx-<< parameters.buildx_version >>.linux-amd64" > ~/.docker/cli-plugins/docker-buildx
      - run: chmod a+x ~/.docker/cli-plugins/docker-buildx
      # install qemu links in /proc/sys/fs/binfmt_misc on the docker instance running the circleci job
      - run: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
      # create a context named `builder` for the builds
      - run: docker context create builder
      # create a buildx builder using the new context, and set it as the default
      - run: docker buildx create builder --use
  docker_build:
    description: Builds and pushed images to dockerhub using buildx
    parameters:
      platforms:
        type: string
        default: linux/amd64
      tag:
        type: string
    steps:
      - run: docker buildx build -f docker/Dockerfile --push --platform << parameters.platforms >> --label gitsha1=${CIRCLE_SHA1} << parameters.tag >> --progress=plain .
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,72 @@
 # GitHub actions workflow which builds and publishes the docker images.
 name: Build docker images
 on:
  push:
    tags: ["v*"]
    branches: [ master, main ]
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Set up QEMU
        id: qemu
        uses: docker/setup-qemu-action@v1
        with:
          platforms: arm64
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1
      - name: Inspect builder
        run: docker buildx inspect
      - name: Log in to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Calculate docker image tag
        id: set-tag
        run: |
          case "${GITHUB_REF}" in
              refs/heads/master|refs/heads/main)
                  tag=latest
                  ;;
              refs/tags/*)
                  tag=${GITHUB_REF#refs/tags/}
                  ;;
              *)
                  tag=${GITHUB_SHA}
                  ;;
          esac
          echo "::set-output name=tag::$tag"
        # for release builds, we want to get the amd64 image out asap, so first
        # we do an amd64-only build, before following up with a multiarch build.
      - name: Build and push amd64
        uses: docker/build-push-action@v2
        if: "${{ startsWith(github.ref, 'refs/tags/v') }}"
        with:
          push: true
          labels: "gitsha1=${{ github.sha }}"
          tags: "matrixdotorg/synapse:${{ steps.set-tag.outputs.tag }}"
          file: "docker/Dockerfile"
          platforms: linux/amd64
      - name: Build and push all platforms
        uses: docker/build-push-action@v2
        with:
          push: true
          labels: "gitsha1=${{ github.sha }}"
          tags: "matrixdotorg/synapse:${{ steps.set-tag.outputs.tag }}"
          file: "docker/Dockerfile"
          platforms: linux/amd64,linux/arm64
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -0,0 +1,66 @@
 name: Deploy the documentation
 on:
  push:
    branches:
      # For bleeding-edge documentation
      - develop
      # For documentation specific to a release
      - 'release-v*'
      # stable docs
      - master
  workflow_dispatch:
 jobs:
  pages:
    name: GitHub Pages
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup mdbook
        uses: peaceiris/actions-mdbook@4b5ef36b314c2599664ca107bb8c02412548d79d # v1.1.14
        with:
          mdbook-version: '0.4.9'
      - name: Build the documentation
        # mdbook will only create an index.html if we're including docs/README.md in SUMMARY.md.
        # However, we're using docs/README.md for other purposes and need to pick a new page
        # as the default. Let's opt for the welcome page instead.
        run: |
          mdbook build
          cp book/welcome_and_overview.html book/index.html
      # Figure out the target directory.
      #
      # The target directory depends on the name of the branch
      #
      - name: Get the target directory name
        id: vars
        run: |
          # first strip the 'refs/heads/' prefix with some shell foo
          branch="${GITHUB_REF#refs/heads/}"
          case $branch in
              release-*)
                  # strip 'release-' from the name for release branches.
                  branch="${branch#release-}"
                  ;;
              master)
                  # deploy to "latest" for the master branch.
                  branch="latest"
                  ;;
          esac
          # finally, set the 'branch-version' var.
          echo "::set-output name=branch-version::$branch"
      # Deploy to the target directory.
      - name: Deploy to gh pages
        uses: peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305 # v3.8.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          keep_files: true
          publish_dir: ./book
          destination_dir: ./${{ steps.vars.outputs.branch-version }}
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
@@ -0,0 +1,130 @@
 # GitHub actions workflow which builds the release artifacts.
 name: Build release artifacts
 on:
  # we build on PRs and develop to (hopefully) get early warning
  # of things breaking (but only build one set of debs)
  pull_request:
  push:
    branches: ["develop"]
    # we do the full build on tags.
    tags: ["v*"]
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 permissions:
  contents: write
 jobs:
  get-distros:
    name: "Calculate list of debian distros"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
      - id: set-distros
        run: |
          # if we're running from a tag, get the full list of distros; otherwise just use debian:sid
          dists='["debian:sid"]'
          if [[ $GITHUB_REF == refs/tags/* ]]; then
              dists=$(scripts-dev/build_debian_packages --show-dists-json)
          fi
          echo "::set-output name=distros::$dists"
    # map the step outputs to job outputs
    outputs:
      distros: ${{ steps.set-distros.outputs.distros }}
  # now build the packages with a matrix build.
  build-debs:
    needs: get-distros
    name: "Build .deb packages"
    runs-on: ubuntu-latest
    strategy:
      matrix:
        distro: ${{ fromJson(needs.get-distros.outputs.distros) }}
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          path: src
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1
        with:
          install: true
      - name: Set up docker layer caching
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-
      - name: Set up python
        uses: actions/setup-python@v2
      - name: Build the packages
        # see https://github.com/docker/build-push-action/issues/252
        # for the cache magic here
        run: |
          ./src/scripts-dev/build_debian_packages \
            --docker-build-arg=--cache-from=type=local,src=/tmp/.buildx-cache \
            --docker-build-arg=--cache-to=type=local,mode=max,dest=/tmp/.buildx-cache-new \
            --docker-build-arg=--progress=plain \
            --docker-build-arg=--load \
            "${{ matrix.distro }}"
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
      - name: Upload debs as artifacts
        uses: actions/upload-artifact@v2
        with:
          name: debs
          path: debs/*
  build-sdist:
    name: "Build pypi distribution files"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
      - run: pip install wheel
      - run: |
          python setup.py sdist bdist_wheel
      - uses: actions/upload-artifact@v2
        with:
          name: python-dist
          path: dist/*
  # if it's a tag, create a release and attach the artifacts to it
  attach-assets:
    name: "Attach assets to release"
    if: ${{ !failure() && !cancelled() && startsWith(github.ref, 'refs/tags/') }}
    needs:
      - build-debs
      - build-sdist
    runs-on: ubuntu-latest
    steps:
      - name: Download all workflow run artifacts
        uses: actions/download-artifact@v2
      - name: Build a tarball for the debs
        run: tar -cvJf debs.tar.xz debs
      - name: Attach to release
        uses: softprops/action-gh-release@a929a66f232c1b11af63782948aa2210f981808a  # PR#109
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          files: |
            python-dist/*
            debs.tar.xz
          # if it's not already published, keep the release as a draft.
          draft: true
          # mark it as a prerelease if the tag contains 'rc'.
          prerelease: ${{ contains(github.ref, 'rc') }}
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -5,6 +5,10 @@ on:
    branches: ["develop", "release-*"]
  pull_request:
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  lint:
    runs-on: ubuntu-latest
@@ -35,13 +39,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
      - uses: actions/setup-python@v2
      - run: pip install tox
      - name: Patch Buildkite-specific test script
        run: |
          sed -i -e 's/\$BUILDKITE_PULL_REQUEST/${{ github.event.number }}/' \
            scripts-dev/check-newsfragment
      - run: scripts-dev/check-newsfragment
        env:
          PULL_REQUEST_NUMBER: ${{ github.event.number }}
  lint-sdist:
    runs-on: ubuntu-latest
@@ -59,14 +64,14 @@ jobs:
  # Dummy step to gate other tests on without repeating the whole list
  linting-done:
-    if: ${{ always() }} # Run this even if prior jobs were skipped
+    if: ${{ !cancelled() }} # Run this even if prior jobs were skipped
    needs: [lint, lint-crlf, lint-newsfile, lint-sdist]
    runs-on: ubuntu-latest
    steps:
      - run: "true"
  trial:
-    if: ${{ !failure() }} # Allow previous steps to be skipped, but not fail
+    if: ${{ !cancelled() && !failure() }} # Allow previous steps to be skipped, but not fail
    needs: linting-done
    runs-on: ubuntu-latest
    strategy:
@@ -125,7 +130,7 @@ jobs:
          || true
  trial-olddeps:
-    if: ${{ !failure() }} # Allow previous steps to be skipped, but not fail
+    if: ${{ !cancelled() && !failure() }} # Allow previous steps to be skipped, but not fail
    needs: linting-done
    runs-on: ubuntu-latest
    steps:
@@ -134,7 +139,7 @@ jobs:
        uses: docker://ubuntu:bionic # For old python and sqlite
        with:
          workdir: /github/workspace
-          entrypoint: .buildkite/scripts/test_old_deps.sh
+          entrypoint: .ci/scripts/test_old_deps.sh
        env:
          TRIAL_FLAGS: "--jobs=2"
      - name: Dump logs
@@ -150,7 +155,7 @@ jobs:
  trial-pypy:
    # Very slow; only run if the branch name includes 'pypy'
-    if: ${{ contains(github.ref, 'pypy') && !failure() }}
+    if: ${{ contains(github.ref, 'pypy') && !failure() && !cancelled() }}
    needs: linting-done
    runs-on: ubuntu-latest
    strategy:
@@ -179,7 +184,7 @@ jobs:
          || true
  sytest:
-    if: ${{ !failure() }}
+    if: ${{ !failure() && !cancelled() }}
    needs: linting-done
    runs-on: ubuntu-latest
    container:
@@ -187,12 +192,12 @@ jobs:
      volumes:
        - ${{ github.workspace }}:/src
      env:
        BUILDKITE_BRANCH: ${{ github.head_ref }}
        POSTGRES: ${{ matrix.postgres && 1}}
        MULTI_POSTGRES: ${{ (matrix.postgres == 'multi-postgres') && 1}}
        WORKERS: ${{ matrix.workers && 1 }}
        REDIS: ${{ matrix.redis && 1 }}
        BLACKLIST: ${{ matrix.workers && 'synapse-blacklist-with-workers' }}
        TOP: ${{ github.workspace }}
    strategy:
      fail-fast: false
@@ -222,13 +227,13 @@ jobs:
    steps:
      - uses: actions/checkout@v2
      - name: Prepare test blacklist
-        run: cat sytest-blacklist .buildkite/worker-blacklist > synapse-blacklist-with-workers
+        run: cat sytest-blacklist .ci/worker-blacklist > synapse-blacklist-with-workers
      - name: Run SyTest
        run: /bootstrap.sh synapse
        working-directory: /src
-      - name: Dump results.tap
+      - name: Summarise results.tap
        if: ${{ always() }}
-        run: cat /logs/results.tap
+        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
        uses: actions/upload-artifact@v2
        if: ${{ always() }}
@@ -239,9 +244,11 @@ jobs:
            /logs/**/*.log*
  portdb:
-    if: ${{ !failure() }} # Allow previous steps to be skipped, but not fail
+    if: ${{ !failure() && !cancelled() }} # Allow previous steps to be skipped, but not fail
    needs: linting-done
    runs-on: ubuntu-latest
    env:
      TOP: ${{ github.workspace }}
    strategy:
      matrix:
        include:
@@ -271,16 +278,10 @@ jobs:
      - uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.python-version }}
-      - name: Patch Buildkite-specific test scripts
+      - run: .ci/scripts/test_synapse_port_db.sh
        run: |
          sed -i -e 's/host="postgres"/host="localhost"/' .buildkite/scripts/postgres_exec.py
          sed -i -e 's/host: postgres/host: localhost/' .buildkite/postgres-config.yaml
          sed -i -e 's|/src/||' .buildkite/{sqlite,postgres}-config.yaml
          sed -i -e 's/\$TOP/\$GITHUB_WORKSPACE/' .coveragerc
      - run: .buildkite/scripts/test_synapse_port_db.sh
  complement:
-    if: ${{ !failure() }}
+    if: ${{ !failure() && !cancelled() }}
    needs: linting-done
    runs-on: ubuntu-latest
    container:
@@ -299,11 +300,29 @@ jobs:
        with:
          path: synapse
-      - name: Run actions/checkout@v2 for complement
+      # Attempt to check out the same branch of Complement as the PR. If it
-        uses: actions/checkout@v2
+      # doesn't exist, fallback to master.
-        with:
+      - name: Checkout complement
-          repository: "matrix-org/complement"
+        shell: bash
-          path: complement
+        run: |
          mkdir -p complement
          # Attempt to use the version of complement which best matches the current
          # build. Depending on whether this is a PR or release, etc. we need to
          # use different fallbacks.
          #
          # 1. First check if there's a similarly named branch (GITHUB_HEAD_REF
          #    for pull requests, otherwise GITHUB_REF).
          # 2. Attempt to use the base branch, e.g. when merging into release-vX.Y
          #    (GITHUB_BASE_REF for pull requests).
          # 3. Use the default complement branch ("master").
          for BRANCH_NAME in "$GITHUB_HEAD_REF" "$GITHUB_BASE_REF" "${GITHUB_REF#refs/heads/}" "master"; do
            # Skip empty branch names and merge commits.
            if [[ -z "$BRANCH_NAME" || $BRANCH_NAME =~ ^refs/pull/.* ]]; then
              continue
            fi
            (wget -O - "https://github.com/matrix-org/complement/archive/$BRANCH_NAME.tar.gz" | tar -xz --strip-components=1 -C complement) && break
          done
      # Build initial Synapse image
      - run: docker build -t matrixdotorg/synapse:latest -f docker/Dockerfile .
@@ -316,7 +335,44 @@ jobs:
        working-directory: complement/dockerfiles
      # Run Complement
-      - run: go test -v -tags synapse_blacklist ./tests
+      - run: go test -v -tags synapse_blacklist,msc2403,msc2946,msc3083 ./tests/...
        env:
          COMPLEMENT_BASE_IMAGE: complement-synapse:latest
        working-directory: complement
  # a job which marks all the other jobs as complete, thus allowing PRs to be merged.
  tests-done:
    if: ${{ always() }}
    needs:
      - lint
      - lint-crlf
      - lint-newsfile
      - lint-sdist
      - trial
      - trial-olddeps
      - sytest
      - portdb
      - complement
    runs-on: ubuntu-latest
    steps:
      - name: Set build result
        env:
          NEEDS_CONTEXT: ${{ toJSON(needs) }}
        # the `jq` incantation dumps out a series of "<job> <result>" lines.
        # we set it to an intermediate variable to avoid a pipe, which makes it
        # hard to set $rc.
        run: |
          rc=0
          results=$(jq -r 'to_entries[] | [.key,.value.result] | join(" ")' <<< $NEEDS_CONTEXT)
          while read job result ; do
              # The newsfile lint may be skipped on non PR builds
              if [ $result == "skipped" ] && [ $job == "lint-newsfile" ]; then
                continue
              fi
              if [ "$result" != "success" ]; then
                  echo "::set-failed ::Job $job returned $result"
                  rc=1
              fi
          done <<< $results
          exit $rc
--- a/.github/workflows/twisted_trunk.yml
+++ b/.github/workflows/twisted_trunk.yml
@@ -0,0 +1,90 @@
 name: Twisted Trunk
 on:
  schedule:
    - cron: 0 8 * * *
  workflow_dispatch:
 jobs:
  mypy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
      - run: .ci/patch_for_twisted_trunk.sh
      - run: pip install tox
      - run: tox -e mypy
  trial:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: sudo apt-get -qq install xmlsec1
      - uses: actions/setup-python@v2
        with:
          python-version: 3.6
      - run: .ci/patch_for_twisted_trunk.sh
      - run: pip install tox
      - run: tox -e py
        env:
          TRIAL_FLAGS: "--jobs=2"
      - name: Dump logs
        # Note: Dumps to workflow logs instead of using actions/upload-artifact
        #       This keeps logs colocated with failing jobs
        #       It also ignores find's exit code; this is a best effort affair
        run: >-
          find _trial_temp -name '*.log'
          -exec echo "::group::{}" \;
          -exec cat {} \;
          -exec echo "::endgroup::" \;
          || true
  sytest:
    runs-on: ubuntu-latest
    container:
      image: matrixdotorg/sytest-synapse:buster
      volumes:
        - ${{ github.workspace }}:/src
    steps:
      - uses: actions/checkout@v2
      - name: Patch dependencies
        run: .ci/patch_for_twisted_trunk.sh
        working-directory: /src
      - name: Run SyTest
        run: /bootstrap.sh synapse
        working-directory: /src
      - name: Summarise results.tap
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
        uses: actions/upload-artifact@v2
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.*, ', ') }})
          path: |
            /logs/results.tap
            /logs/**/*.log*
  # open an issue if the build fails, so we know about it.
  open-issue:
    if: failure()
    needs:
      - mypy
      - trial
      - sytest
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: JasonEtco/create-an-issue@5d9504915f79f9cc6d791934b8ef34f2353dd74d # v2.5.0, 2020-12-06
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          update_existing: true
          filename: .ci/twisted_trunk_build_failed_issue_template.md
--- a/.gitignore
+++ b/.gitignore
@@ -46,3 +46,6 @@ __pycache__/
 /docs/build/
 /htmlcov
 /pip-wheel-metadata/
 # docs
 book/
--- a/CHANGES.md
+++ b/CHANGES.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,397 +1,3 @@
-Welcome to Synapse
+# Welcome to Synapse
-This document aims to get you started with contributing to this repo! 
+Please see the [contributors' guide](https://matrix-org.github.io/synapse/latest/development/contributing_guide.html) in our rendered documentation.
 - [1. Who can contribute to Synapse?](#1-who-can-contribute-to-synapse)
 - [2. What do I need?](#2-what-do-i-need)
 - [3. Get the source.](#3-get-the-source)
 - [4. Install the dependencies](#4-install-the-dependencies)
  * [Under Unix (macOS, Linux, BSD, ...)](#under-unix-macos-linux-bsd-)
  * [Under Windows](#under-windows)
 - [5. Get in touch.](#5-get-in-touch)
 - [6. Pick an issue.](#6-pick-an-issue)
 - [7. Turn coffee and documentation into code and documentation!](#7-turn-coffee-and-documentation-into-code-and-documentation)
 - [8. Test, test, test!](#8-test-test-test)
  * [Run the linters.](#run-the-linters)
  * [Run the unit tests.](#run-the-unit-tests)
  * [Run the integration tests.](#run-the-integration-tests)
 - [9. Submit your patch.](#9-submit-your-patch)
  * [Changelog](#changelog)
    + [How do I know what to call the changelog file before I create the PR?](#how-do-i-know-what-to-call-the-changelog-file-before-i-create-the-pr)
    + [Debian changelog](#debian-changelog)
  * [Sign off](#sign-off)
 - [10. Turn feedback into better code.](#10-turn-feedback-into-better-code)
 - [11. Find a new issue.](#11-find-a-new-issue)
 - [Notes for maintainers on merging PRs etc](#notes-for-maintainers-on-merging-prs-etc)
 - [Conclusion](#conclusion)
 # 1. Who can contribute to Synapse?
 Everyone is welcome to contribute code to [matrix.org
 projects](https://github.com/matrix-org), provided that they are willing to
 license their contributions under the same license as the project itself. We
 follow a simple 'inbound=outbound' model for contributions: the act of
 submitting an 'inbound' contribution means that the contributor agrees to
 license the code under the same terms as the project's overall 'outbound'
 license - in our case, this is almost always Apache Software License v2 (see
 [LICENSE](LICENSE)).
 # 2. What do I need?
 The code of Synapse is written in Python 3. To do pretty much anything, you'll need [a recent version of Python 3](https://wiki.python.org/moin/BeginnersGuide/Download).
 The source code of Synapse is hosted on GitHub. You will also need [a recent version of git](https://github.com/git-guides/install-git).
 For some tests, you will need [a recent version of Docker](https://docs.docker.com/get-docker/).
 # 3. Get the source.
 The preferred and easiest way to contribute changes is to fork the relevant
 project on GitHub, and then [create a pull request](
 https://help.github.com/articles/using-pull-requests/) to ask us to pull your
 changes into our repo.
 Please base your changes on the `develop` branch.
 ```sh
 git clone git@github.com:YOUR_GITHUB_USER_NAME/synapse.git
 git checkout develop
 ```
 If you need help getting started with git, this is beyond the scope of the document, but you
 can find many good git tutorials on the web.
 # 4. Install the dependencies
 ## Under Unix (macOS, Linux, BSD, ...)
 Once you have installed Python 3 and added the source, please open a terminal and
 setup a *virtualenv*, as follows:
 ```sh
 cd path/where/you/have/cloned/the/repository
 python3 -m venv ./env
 source ./env/bin/activate
 pip install -e ".[all,lint,mypy,test]"
 pip install tox
 ```
 This will install the developer dependencies for the project.
 ## Under Windows
 TBD
 # 5. Get in touch.
 Join our developer community on Matrix: #synapse-dev:matrix.org !
 # 6. Pick an issue.
 Fix your favorite problem or perhaps find a [Good First Issue](https://github.com/matrix-org/synapse/issues?q=is%3Aopen+is%3Aissue+label%3A%22Good+First+Issue%22)
 to work on.
 # 7. Turn coffee and documentation into code and documentation!
 Synapse's code style is documented [here](docs/code_style.md). Please follow
 it, including the conventions for the [sample configuration
 file](docs/code_style.md#configuration-file-format).
 There is a growing amount of documentation located in the [docs](docs)
 directory. This documentation is intended primarily for sysadmins running their
 own Synapse instance, as well as developers interacting externally with
 Synapse. [docs/dev](docs/dev) exists primarily to house documentation for
 Synapse developers. [docs/admin_api](docs/admin_api) houses documentation
 regarding Synapse's Admin API, which is used mostly by sysadmins and external
 service developers.
 If you add new files added to either of these folders, please use [GitHub-Flavoured
 Markdown](https://guides.github.com/features/mastering-markdown/).
 Some documentation also exists in [Synapse's GitHub
 Wiki](https://github.com/matrix-org/synapse/wiki), although this is primarily
 contributed to by community authors.
 # 8. Test, test, test!
 <a name="test-test-test"></a>
 While you're developing and before submitting a patch, you'll
 want to test your code.
 ## Run the linters.
 The linters look at your code and do two things:
 - ensure that your code follows the coding style adopted by the project;
 - catch a number of errors in your code.
 They're pretty fast, don't hesitate!
 ```sh
 source ./env/bin/activate
 ./scripts-dev/lint.sh
 ```
 Note that this script *will modify your files* to fix styling errors.
 Make sure that you have saved all your files.
 If you wish to restrict the linters to only the files changed since the last commit
 (much faster!), you can instead run:
 ```sh
 source ./env/bin/activate
 ./scripts-dev/lint.sh -d
 ```
 Or if you know exactly which files you wish to lint, you can instead run:
 ```sh
 source ./env/bin/activate
 ./scripts-dev/lint.sh path/to/file1.py path/to/file2.py path/to/folder
 ```
 ## Run the unit tests.
 The unit tests run parts of Synapse, including your changes, to see if anything
 was broken. They are slower than the linters but will typically catch more errors.
 ```sh
 source ./env/bin/activate
 trial tests
 ```
 If you wish to only run *some* unit tests, you may specify
 another module instead of `tests` - or a test class or a method:
 ```sh
 source ./env/bin/activate
 trial tests.rest.admin.test_room tests.handlers.test_admin.ExfiltrateData.test_invite
 ```
 If your tests fail, you may wish to look at the logs:
 ```sh
 less _trial_temp/test.log
 ```
 ## Run the integration tests.
 The integration tests are a more comprehensive suite of tests. They
 run a full version of Synapse, including your changes, to check if
 anything was broken. They are slower than the unit tests but will
 typically catch more errors.
 The following command will let you run the integration test with the most common
 configuration:
 ```sh
 $ docker run --rm -it -v /path/where/you/have/cloned/the/repository\:/src:ro -v /path/to/where/you/want/logs\:/logs matrixdotorg/sytest-synapse:py37
 ```
 This configuration should generally cover  your needs. For more details about other configurations, see [documentation in the SyTest repo](https://github.com/matrix-org/sytest/blob/develop/docker/README.md).
 # 9. Submit your patch.
 Once you're happy with your patch, it's time to prepare a Pull Request.
 To prepare a Pull Request, please:
 1. verify that [all the tests pass](#test-test-test), including the coding style;
 2. [sign off](#sign-off) your contribution;
 3. `git push` your commit to your fork of Synapse;
 4. on GitHub, [create the Pull Request](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request);
 5. add a [changelog entry](#changelog) and push it to your Pull Request;
 6. for most contributors, that's all - however, if you are a member of the organization `matrix-org`, on GitHub, please request a review from `matrix.org / Synapse Core`.
 ## Changelog
 All changes, even minor ones, need a corresponding changelog / newsfragment
 entry. These are managed by [Towncrier](https://github.com/hawkowl/towncrier).
 To create a changelog entry, make a new file in the `changelog.d` directory named
 in the format of `PRnumber.type`. The type can be one of the following:
 * `feature`
 * `bugfix`
 * `docker` (for updates to the Docker image)
 * `doc` (for updates to the documentation)
 * `removal` (also used for deprecations)
 * `misc` (for internal-only changes)
 This file will become part of our [changelog](
 https://github.com/matrix-org/synapse/blob/master/CHANGES.md) at the next
 release, so the content of the file should be a short description of your
 change in the same style as the rest of the changelog. The file can contain Markdown
 formatting, and should end with a full stop (.) or an exclamation mark (!) for
 consistency.
 Adding credits to the changelog is encouraged, we value your
 contributions and would like to have you shouted out in the release notes!
 For example, a fix in PR #1234 would have its changelog entry in
 `changelog.d/1234.bugfix`, and contain content like:
 > The security levels of Florbs are now validated when received
 > via the `/federation/florb` endpoint. Contributed by Jane Matrix.
 If there are multiple pull requests involved in a single bugfix/feature/etc,
 then the content for each `changelog.d` file should be the same. Towncrier will
 merge the matching files together into a single changelog entry when we come to
 release.
 ### How do I know what to call the changelog file before I create the PR?
 Obviously, you don't know if you should call your newsfile
 `1234.bugfix` or `5678.bugfix` until you create the PR, which leads to a
 chicken-and-egg problem.
 There are two options for solving this:
 1. Open the PR without a changelog file, see what number you got, and *then*
    add the changelog file to your branch (see [Updating your pull
    request](#updating-your-pull-request)), or:
 1. Look at the [list of all
    issues/PRs](https://github.com/matrix-org/synapse/issues?q=), add one to the
    highest number you see, and quickly open the PR before somebody else claims
    your number.
    [This
    script](https://github.com/richvdh/scripts/blob/master/next_github_number.sh)
    might be helpful if you find yourself doing this a lot.
 Sorry, we know it's a bit fiddly, but it's *really* helpful for us when we come
 to put together a release!
 ### Debian changelog
 Changes which affect the debian packaging files (in `debian`) are an
 exception to the rule that all changes require a `changelog.d` file.
 In this case, you will need to add an entry to the debian changelog for the
 next release. For this, run the following command:
 ```
 dch
 ```
 This will make up a new version number (if there isn't already an unreleased
 version in flight), and open an editor where you can add a new changelog entry.
 (Our release process will ensure that the version number and maintainer name is
 corrected for the release.)
 If your change affects both the debian packaging *and* files outside the debian
 directory, you will need both a regular newsfragment *and* an entry in the
 debian changelog. (Though typically such changes should be submitted as two
 separate pull requests.)
 ## Sign off
 In order to have a concrete record that your contribution is intentional
 and you agree to license it under the same terms as the project's license, we've adopted the
 same lightweight approach that the Linux Kernel
 [submitting patches process](
 https://www.kernel.org/doc/html/latest/process/submitting-patches.html#sign-your-work-the-developer-s-certificate-of-origin>),
 [Docker](https://github.com/docker/docker/blob/master/CONTRIBUTING.md), and many other
 projects use: the DCO (Developer Certificate of Origin:
 http://developercertificate.org/). This is a simple declaration that you wrote
 the contribution or otherwise have the right to contribute it to Matrix:
 ```
 Developer Certificate of Origin
 Version 1.1
 Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
 660 York Street, Suite 102,
 San Francisco, CA 94110 USA
 Everyone is permitted to copy and distribute verbatim copies of this
 license document, but changing it is not allowed.
 Developer's Certificate of Origin 1.1
 By making a contribution to this project, I certify that:
 (a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or
 (b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or
 (c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.
 (d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.
 ```
 If you agree to this for your contribution, then all that's needed is to
 include the line in your commit or pull request comment:
 ```
 Signed-off-by: Your Name <your@email.example.org>
 ```
 We accept contributions under a legally identifiable name, such as
 your name on government documentation or common-law names (names
 claimed by legitimate usage or repute). Unfortunately, we cannot
 accept anonymous contributions at this time.
 Git allows you to add this signoff automatically when using the `-s`
 flag to `git commit`, which uses the name and email set in your
 `user.name` and `user.email` git configs.
 # 10. Turn feedback into better code.
 Once the Pull Request is opened, you will see a few things:
 1. our automated CI (Continuous Integration) pipeline will run (again) the linters, the unit tests, the integration tests and more;
 2. one or more of the developers will take a look at your Pull Request and offer feedback.
 From this point, you should:
 1. Look at the results of the CI pipeline.
   - If there is any error, fix the error.
 2. If a developer has requested changes, make these changes and let us know if it is ready for a developer to review again.
 3. Create a new commit with the changes.
   - Please do NOT overwrite the history. New commits make the reviewer's life easier.
   - Push this commits to your Pull Request.
 4. Back to 1.
 Once both the CI and the developers are happy, the patch will be merged into Synapse and released shortly!
 # 11. Find a new issue.
 By now, you know the drill!
 # Notes for maintainers on merging PRs etc
 There are some notes for those with commit access to the project on how we
 manage git [here](docs/dev/git.md).
 # Conclusion
 That's it! Matrix is a very open and collaborative project as you might expect
 given our obsession with open communication. If we're going to successfully
 matrix together all the fragmented communication technologies out there we are
 reliant on contributions and collaboration from the community to do so. So
 please get involved - and we hope you have as much fun hacking on Matrix as we
 do!
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1,594 +1,7 @@
 # Installation Instructions
-There are 3 steps to follow under **Installation Instructions**.
+This document has moved to the
 [Synapse documentation website](https://matrix-org.github.io/synapse/latest/setup/installation.html).
 Please update your links.
- [Installation Instructions](#installation-instructions)
+The markdown source is available in [docs/setup/installation.md](docs/setup/installation.md).
  - [Choosing your server name](#choosing-your-server-name)
  - [Installing Synapse](#installing-synapse)
    - [Installing from source](#installing-from-source)
      - [Platform-specific prerequisites](#platform-specific-prerequisites)
        - [Debian/Ubuntu/Raspbian](#debianubunturaspbian)
        - [ArchLinux](#archlinux)
        - [CentOS/Fedora](#centosfedora)
        - [macOS](#macos)
        - [OpenSUSE](#opensuse)
        - [OpenBSD](#openbsd)
        - [Windows](#windows)
    - [Prebuilt packages](#prebuilt-packages)
      - [Docker images and Ansible playbooks](#docker-images-and-ansible-playbooks)
      - [Debian/Ubuntu](#debianubuntu)
        - [Matrix.org packages](#matrixorg-packages)
        - [Downstream Debian packages](#downstream-debian-packages)
        - [Downstream Ubuntu packages](#downstream-ubuntu-packages)
      - [Fedora](#fedora)
      - [OpenSUSE](#opensuse-1)
      - [SUSE Linux Enterprise Server](#suse-linux-enterprise-server)
      - [ArchLinux](#archlinux-1)
      - [Void Linux](#void-linux)
      - [FreeBSD](#freebsd)
      - [OpenBSD](#openbsd-1)
      - [NixOS](#nixos)
  - [Setting up Synapse](#setting-up-synapse)
    - [Using PostgreSQL](#using-postgresql)
    - [TLS certificates](#tls-certificates)
    - [Client Well-Known URI](#client-well-known-uri)
    - [Email](#email)
    - [Registering a user](#registering-a-user)
    - [Setting up a TURN server](#setting-up-a-turn-server)
    - [URL previews](#url-previews)
    - [Troubleshooting Installation](#troubleshooting-installation)
 ## Choosing your server name
 It is important to choose the name for your server before you install Synapse,
 because it cannot be changed later.
 The server name determines the "domain" part of user-ids for users on your
 server: these will all be of the format `@user:my.domain.name`. It also
 determines how other matrix servers will reach yours for federation.
 For a test configuration, set this to the hostname of your server. For a more
 production-ready setup, you will probably want to specify your domain
 (`example.com`) rather than a matrix-specific hostname here (in the same way
 that your email address is probably `user@example.com` rather than
 `user@email.example.com`) - but doing so may require more advanced setup: see
 [Setting up Federation](docs/federate.md).
 ## Installing Synapse
 ### Installing from source
 (Prebuilt packages are available for some platforms - see [Prebuilt packages](#prebuilt-packages).)
 When installing from source please make sure that the [Platform-specific prerequisites](#platform-specific-prerequisites) are already installed.
 System requirements:
 - POSIX-compliant system (tested on Linux & OS X)
 - Python 3.5.2 or later, up to Python 3.9.
 - At least 1GB of free RAM if you want to join large public rooms like #matrix:matrix.org
 To install the Synapse homeserver run:
 ```sh
 mkdir -p ~/synapse
 virtualenv -p python3 ~/synapse/env
 source ~/synapse/env/bin/activate
 pip install --upgrade pip
 pip install --upgrade setuptools
 pip install matrix-synapse
 ```
 This will download Synapse from [PyPI](https://pypi.org/project/matrix-synapse)
 and install it, along with the python libraries it uses, into a virtual environment
 under `~/synapse/env`.  Feel free to pick a different directory if you
 prefer.
 This Synapse installation can then be later upgraded by using pip again with the
 update flag:
 ```sh
 source ~/synapse/env/bin/activate
 pip install -U matrix-synapse
 ```
 Before you can start Synapse, you will need to generate a configuration
 file. To do this, run (in your virtualenv, as before):
 ```sh
 cd ~/synapse
 python -m synapse.app.homeserver \
    --server-name my.domain.name \
    --config-path homeserver.yaml \
    --generate-config \
    --report-stats=[yes|no]
 ```
 ... substituting an appropriate value for `--server-name`.
 This command will generate you a config file that you can then customise, but it will
 also generate a set of keys for you. These keys will allow your homeserver to
 identify itself to other homeserver, so don't lose or delete them. It would be
 wise to back them up somewhere safe. (If, for whatever reason, you do need to
 change your homeserver's keys, you may find that other homeserver have the
 old key cached. If you update the signing key, you should change the name of the
 key in the `<server name>.signing.key` file (the second word) to something
 different. See the [spec](https://matrix.org/docs/spec/server_server/latest.html#retrieving-server-keys) for more information on key management).
 To actually run your new homeserver, pick a working directory for Synapse to
 run (e.g. `~/synapse`), and:
 ```sh
 cd ~/synapse
 source env/bin/activate
 synctl start
 ```
 #### Platform-specific prerequisites
 Synapse is written in Python but some of the libraries it uses are written in
 C. So before we can install Synapse itself we need a working C compiler and the
 header files for Python C extensions.
 ##### Debian/Ubuntu/Raspbian
 Installing prerequisites on Ubuntu or Debian:
 ```sh
 sudo apt install build-essential python3-dev libffi-dev \
                     python3-pip python3-setuptools sqlite3 \
                     libssl-dev virtualenv libjpeg-dev libxslt1-dev
 ```
 ##### ArchLinux
 Installing prerequisites on ArchLinux:
 ```sh
 sudo pacman -S base-devel python python-pip \
               python-setuptools python-virtualenv sqlite3
 ```
 ##### CentOS/Fedora
 Installing prerequisites on CentOS or Fedora Linux:
 ```sh
 sudo dnf install libtiff-devel libjpeg-devel libzip-devel freetype-devel \
                 libwebp-devel libxml2-devel libxslt-devel libpq-devel \
                 python3-virtualenv libffi-devel openssl-devel python3-devel
 sudo dnf groupinstall "Development Tools"
 ```
 ##### macOS
 Installing prerequisites on macOS:
 ```sh
 xcode-select --install
 sudo easy_install pip
 sudo pip install virtualenv
 brew install pkg-config libffi
 ```
 On macOS Catalina (10.15) you may need to explicitly install OpenSSL
 via brew and inform `pip` about it so that `psycopg2` builds:
 ```sh
 brew install openssl@1.1
 export LDFLAGS="-L/usr/local/opt/openssl/lib"
 export CPPFLAGS="-I/usr/local/opt/openssl/include"
 ```
 ##### OpenSUSE
 Installing prerequisites on openSUSE:
 ```sh
 sudo zypper in -t pattern devel_basis
 sudo zypper in python-pip python-setuptools sqlite3 python-virtualenv \
               python-devel libffi-devel libopenssl-devel libjpeg62-devel
 ```
 ##### OpenBSD
 A port of Synapse is available under `net/synapse`. The filesystem
 underlying the homeserver directory (defaults to `/var/synapse`) has to be
 mounted with `wxallowed` (cf. `mount(8)`), so creating a separate filesystem
 and mounting it to `/var/synapse` should be taken into consideration.
 To be able to build Synapse's dependency on python the `WRKOBJDIR`
 (cf. `bsd.port.mk(5)`) for building python, too, needs to be on a filesystem
 mounted with `wxallowed` (cf. `mount(8)`).
 Creating a `WRKOBJDIR` for building python under `/usr/local` (which on a
 default OpenBSD installation is mounted with `wxallowed`):
 ```sh
 doas mkdir /usr/local/pobj_wxallowed
 ```
 Assuming `PORTS_PRIVSEP=Yes` (cf. `bsd.port.mk(5)`) and `SUDO=doas` are
 configured in `/etc/mk.conf`:
 ```sh
 doas chown _pbuild:_pbuild /usr/local/pobj_wxallowed
 ```
 Setting the `WRKOBJDIR` for building python:
 ```sh
 echo WRKOBJDIR_lang/python/3.7=/usr/local/pobj_wxallowed  \\nWRKOBJDIR_lang/python/2.7=/usr/local/pobj_wxallowed >> /etc/mk.conf
 ```
 Building Synapse:
 ```sh
 cd /usr/ports/net/synapse
 make install
 ```
 ##### Windows
 If you wish to run or develop Synapse on Windows, the Windows Subsystem For
 Linux provides a Linux environment on Windows 10 which is capable of using the
 Debian, Fedora, or source installation methods. More information about WSL can
 be found at <https://docs.microsoft.com/en-us/windows/wsl/install-win10> for
 Windows 10 and <https://docs.microsoft.com/en-us/windows/wsl/install-on-server>
 for Windows Server.
 ### Prebuilt packages
 As an alternative to installing from source, prebuilt packages are available
 for a number of platforms.
 #### Docker images and Ansible playbooks
 There is an official synapse image available at
 <https://hub.docker.com/r/matrixdotorg/synapse> which can be used with
 the docker-compose file available at [contrib/docker](contrib/docker). Further
 information on this including configuration options is available in the README
 on hub.docker.com.
 Alternatively, Andreas Peters (previously Silvio Fricke) has contributed a
 Dockerfile to automate a synapse server in a single Docker image, at
 <https://hub.docker.com/r/avhost/docker-matrix/tags/>
 Slavi Pantaleev has created an Ansible playbook,
 which installs the offical Docker image of Matrix Synapse
 along with many other Matrix-related services (Postgres database, Element, coturn,
 ma1sd, SSL support, etc.).
 For more details, see
 <https://github.com/spantaleev/matrix-docker-ansible-deploy>
 #### Debian/Ubuntu
 ##### Matrix.org packages
 Matrix.org provides Debian/Ubuntu packages of the latest stable version of
 Synapse via <https://packages.matrix.org/debian/>. They are available for Debian
 9 (Stretch), Ubuntu 16.04 (Xenial), and later. To use them:
 ```sh
 sudo apt install -y lsb-release wget apt-transport-https
 sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" |
    sudo tee /etc/apt/sources.list.d/matrix-org.list
 sudo apt update
 sudo apt install matrix-synapse-py3
 ```
 **Note**: if you followed a previous version of these instructions which
 recommended using `apt-key add` to add an old key from
 `https://matrix.org/packages/debian/`, you should note that this key has been
 revoked. You should remove the old key with `sudo apt-key remove
 C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61`, and follow the above instructions to
 update your configuration.
 The fingerprint of the repository signing key (as shown by `gpg
 /usr/share/keyrings/matrix-org-archive-keyring.gpg`) is
 `AAF9AE843A7584B5A3E4CD2BCF45A512DE2DA058`.
 ##### Downstream Debian packages
 We do not recommend using the packages from the default Debian `buster`
 repository at this time, as they are old and suffer from known security
 vulnerabilities. You can install the latest version of Synapse from
 [our repository](#matrixorg-packages) or from `buster-backports`. Please
 see the [Debian documentation](https://backports.debian.org/Instructions/)
 for information on how to use backports.
 If you are using Debian `sid` or testing, Synapse is available in the default
 repositories and it should be possible to install it simply with:
 ```sh
 sudo apt install matrix-synapse
 ```
 ##### Downstream Ubuntu packages
 We do not recommend using the packages in the default Ubuntu repository
 at this time, as they are old and suffer from known security vulnerabilities.
 The latest version of Synapse can be installed from [our repository](#matrixorg-packages).
 #### Fedora
 Synapse is in the Fedora repositories as `matrix-synapse`:
 ```sh
 sudo dnf install matrix-synapse
 ```
 Oleg Girko provides Fedora RPMs at
 <https://obs.infoserver.lv/project/monitor/matrix-synapse>
 #### OpenSUSE
 Synapse is in the OpenSUSE repositories as `matrix-synapse`:
 ```sh
 sudo zypper install matrix-synapse
 ```
 #### SUSE Linux Enterprise Server
 Unofficial package are built for SLES 15 in the openSUSE:Backports:SLE-15 repository at
 <https://download.opensuse.org/repositories/openSUSE:/Backports:/SLE-15/standard/>
 #### ArchLinux
 The quickest way to get up and running with ArchLinux is probably with the community package
 <https://www.archlinux.org/packages/community/any/matrix-synapse/>, which should pull in most of
 the necessary dependencies.
 pip may be outdated (6.0.7-1 and needs to be upgraded to 6.0.8-1 ):
 ```sh
 sudo pip install --upgrade pip
 ```
 If you encounter an error with lib bcrypt causing an Wrong ELF Class:
 ELFCLASS32 (x64 Systems), you may need to reinstall py-bcrypt to correctly
 compile it under the right architecture. (This should not be needed if
 installing under virtualenv):
 ```sh
 sudo pip uninstall py-bcrypt
 sudo pip install py-bcrypt
 ```
 #### Void Linux
 Synapse can be found in the void repositories as 'synapse':
 ```sh
 xbps-install -Su
 xbps-install -S synapse
 ```
 #### FreeBSD
 Synapse can be installed via FreeBSD Ports or Packages contributed by Brendan Molloy from:
 - Ports: `cd /usr/ports/net-im/py-matrix-synapse && make install clean`
 - Packages: `pkg install py37-matrix-synapse`
 #### OpenBSD
 As of OpenBSD 6.7 Synapse is available as a pre-compiled binary. The filesystem
 underlying the homeserver directory (defaults to `/var/synapse`) has to be
 mounted with `wxallowed` (cf. `mount(8)`), so creating a separate filesystem
 and mounting it to `/var/synapse` should be taken into consideration.
 Installing Synapse:
 ```sh
 doas pkg_add synapse
 ```
 #### NixOS
 Robin Lambertz has packaged Synapse for NixOS at:
 <https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/matrix-synapse.nix>
 ## Setting up Synapse
 Once you have installed synapse as above, you will need to configure it.
 ### Using PostgreSQL
 By default Synapse uses [SQLite](https://sqlite.org/) and in doing so trades performance for convenience.
 SQLite is only recommended in Synapse for testing purposes or for servers with
 very light workloads.
 Almost all installations should opt to use [PostgreSQL](https://www.postgresql.org). Advantages include:
 - significant performance improvements due to the superior threading and
  caching model, smarter query optimiser
 - allowing the DB to be run on separate hardware
 For information on how to install and use PostgreSQL in Synapse, please see
 [docs/postgres.md](docs/postgres.md)
 ### TLS certificates
 The default configuration exposes a single HTTP port on the local
 interface: `http://localhost:8008`. It is suitable for local testing,
 but for any practical use, you will need Synapse's APIs to be served
 over HTTPS.
 The recommended way to do so is to set up a reverse proxy on port
 `8448`. You can find documentation on doing so in
 [docs/reverse_proxy.md](docs/reverse_proxy.md).
 Alternatively, you can configure Synapse to expose an HTTPS port. To do
 so, you will need to edit `homeserver.yaml`, as follows:
 - First, under the `listeners` section, uncomment the configuration for the
  TLS-enabled listener. (Remove the hash sign (`#`) at the start of
  each line). The relevant lines are like this:
 ```yaml
  - port: 8448
    type: http
    tls: true
    resources:
      - names: [client, federation]
  ```
 - You will also need to uncomment the `tls_certificate_path` and
  `tls_private_key_path` lines under the `TLS` section. You will need to manage
  provisioning of these certificates yourself — Synapse had built-in ACME
  support, but the ACMEv1 protocol Synapse implements is deprecated, not
  allowed by LetsEncrypt for new sites, and will break for existing sites in
  late 2020. See [ACME.md](docs/ACME.md).
  If you are using your own certificate, be sure to use a `.pem` file that
  includes the full certificate chain including any intermediate certificates
  (for instance, if using certbot, use `fullchain.pem` as your certificate, not
  `cert.pem`).
 For a more detailed guide to configuring your server for federation, see
 [federate.md](docs/federate.md).
 ### Client Well-Known URI
 Setting up the client Well-Known URI is optional but if you set it up, it will
 allow users to enter their full username (e.g. `@user:<server_name>`) into clients
 which support well-known lookup to automatically configure the homeserver and
 identity server URLs. This is useful so that users don't have to memorize or think
 about the actual homeserver URL you are using.
 The URL `https://<server_name>/.well-known/matrix/client` should return JSON in
 the following format.
 ```json
 {
  "m.homeserver": {
    "base_url": "https://<matrix.example.com>"
  }
 }
 ```
 It can optionally contain identity server information as well.
 ```json
 {
  "m.homeserver": {
    "base_url": "https://<matrix.example.com>"
  },
  "m.identity_server": {
    "base_url": "https://<identity.example.com>"
  }
 }
 ```
 To work in browser based clients, the file must be served with the appropriate
 Cross-Origin Resource Sharing (CORS) headers. A recommended value would be
 `Access-Control-Allow-Origin: *` which would allow all browser based clients to
 view it.
 In nginx this would be something like:
 ```nginx
 location /.well-known/matrix/client {
    return 200 '{"m.homeserver": {"base_url": "https://<matrix.example.com>"}}';
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
 }
 ```
 You should also ensure the `public_baseurl` option in `homeserver.yaml` is set
 correctly. `public_baseurl` should be set to the URL that clients will use to
 connect to your server. This is the same URL you put for the `m.homeserver`
 `base_url` above.
 ```yaml
 public_baseurl: "https://<matrix.example.com>"
 ```
 ### Email
 It is desirable for Synapse to have the capability to send email. This allows
 Synapse to send password reset emails, send verifications when an email address
 is added to a user's account, and send email notifications to users when they
 receive new messages.
 To configure an SMTP server for Synapse, modify the configuration section
 headed `email`, and be sure to have at least the `smtp_host`, `smtp_port`
 and `notif_from` fields filled out.  You may also need to set `smtp_user`,
 `smtp_pass`, and `require_transport_security`.
 If email is not configured, password reset, registration and notifications via
 email will be disabled.
 ### Registering a user
 The easiest way to create a new user is to do so from a client like [Element](https://element.io/).
 Alternatively, you can do so from the command line. This can be done as follows:
 1. If synapse was installed via pip, activate the virtualenv as follows (if Synapse was
    installed via a prebuilt package, `register_new_matrix_user` should already be
    on the search path):
    ```sh
    cd ~/synapse
    source env/bin/activate
    synctl start # if not already running
    ```
 2. Run the following command:
    ```sh
    register_new_matrix_user -c homeserver.yaml http://localhost:8008
    ```
 This will prompt you to add details for the new user, and will then connect to
 the running Synapse to create the new user. For example:
 ```
 New user localpart: erikj
 Password:
 Confirm password:
 Make admin [no]:
 Success!
 ```
 This process uses a setting `registration_shared_secret` in
 `homeserver.yaml`, which is shared between Synapse itself and the
 `register_new_matrix_user` script. It doesn't matter what it is (a random
 value is generated by `--generate-config`), but it should be kept secret, as
 anyone with knowledge of it can register users, including admin accounts,
 on your server even if `enable_registration` is `false`.
 ### Setting up a TURN server
 For reliable VoIP calls to be routed via this homeserver, you MUST configure
 a TURN server. See [docs/turn-howto.md](docs/turn-howto.md) for details.
 ### URL previews
 Synapse includes support for previewing URLs, which is disabled by default.  To
 turn it on you must enable the `url_preview_enabled: True` config parameter
 and explicitly specify the IP ranges that Synapse is not allowed to spider for
 previewing in the `url_preview_ip_range_blacklist` configuration parameter.
 This is critical from a security perspective to stop arbitrary Matrix users
 spidering 'internal' URLs on your network. At the very least we recommend that
 your loopback and RFC1918 IP addresses are blacklisted.
 This also requires the optional `lxml` python dependency to be  installed. This
 in turn requires the `libxml2` library to be available - on  Debian/Ubuntu this
 means `apt-get install libxml2-dev`, or equivalent for your OS.
 ### Troubleshooting Installation
 `pip` seems to leak *lots* of memory during installation. For instance, a Linux
 host with 512MB of RAM may run out of memory whilst installing Twisted. If this
 happens, you will have to individually install the dependencies which are
 failing, e.g.:
 ```sh
 pip install twisted
 ```
 If you have any other problems, feel free to ask in
 [#synapse:matrix.org](https://matrix.to/#/#synapse:matrix.org).
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -40,12 +40,13 @@ exclude mypy.ini
 exclude sytest-blacklist
 exclude test_postgresql.sh
 include book.toml
 include pyproject.toml
 recursive-include changelog.d *
 prune .buildkite
 prune .circleci
 prune .github
 prune .ci
 prune contrib
 prune debian
 prune demo/etc
--- a/README.rst
+++ b/README.rst
@@ -1,6 +1,6 @@
-=========================================================
+=========================================================================
-Synapse |support| |development| |license| |pypi| |python|
+Synapse |support| |development| |documentation| |license| |pypi| |python|
-=========================================================
+=========================================================================
 .. contents::
@@ -25,7 +25,7 @@ The overall architecture is::
 ``#matrix:matrix.org`` is the official support room for Matrix, and can be
 accessed by any client from https://matrix.org/docs/projects/try-matrix-now.html or
-via IRC bridge at irc://irc.freenode.net/matrix.
+via IRC bridge at irc://irc.libera.chat/matrix.
 Synapse is currently in rapid development, but as of version 0.5 we believe it
 is sufficiently stable to be run as an internet-facing service for real usage!
@@ -85,16 +85,22 @@ For support installing or managing Synapse, please join |room|_ (from a matrix.o
 account if necessary) and ask questions there. We do not use GitHub issues for
 support requests, only for bug reports and feature requests.
 Synapse's documentation is `nicely rendered on GitHub Pages <https://matrix-org.github.io/synapse>`_,
 with its source available in |docs|_.
 .. |room| replace:: ``#synapse:matrix.org``
 .. _room: https://matrix.to/#/#synapse:matrix.org
 .. |docs| replace:: ``docs``
 .. _docs: docs
 Synapse Installation
 ====================
 .. _federation:
-* For details on how to install synapse, see `<INSTALL.md>`_.
+* For details on how to install synapse, see
  `Installation Instructions <https://matrix-org.github.io/synapse/latest/setup/installation.html>`_.
 * For specific details on how to configure Synapse for federation see `docs/federate.md <docs/federate.md>`_
@@ -106,7 +112,8 @@ from a web client.
 Unless you are running a test instance of Synapse on your local machine, in
 general, you will need to enable TLS support before you can successfully
-connect from a client: see `<INSTALL.md#tls-certificates>`_.
+connect from a client: see
 `TLS certificates <https://matrix-org.github.io/synapse/latest/setup/installation.html#tls-certificates>`_.
 An easy way to get started is to login or register via Element at
 https://app.element.io/#/login or https://app.element.io/#/register respectively.
@@ -142,38 +149,55 @@ the form of::
 As when logging in, you will need to specify a "Custom server".  Specify your
 desired ``localpart`` in the 'User name' box.
-ACME setup
+Security note
 ==========
 For details on having Synapse manage your federation TLS certificates
 automatically, please see `<docs/ACME.md>`_.
 Security Note
 =============
-Matrix serves raw user generated data in some APIs - specifically the `content
+Matrix serves raw, user-supplied data in some APIs -- specifically the `content
-repository endpoints <https://matrix.org/docs/spec/client_server/latest.html#get-matrix-media-r0-download-servername-mediaid>`_.
+repository endpoints`_.
-Whilst we have tried to mitigate against possible XSS attacks (e.g.
+.. _content repository endpoints: https://matrix.org/docs/spec/client_server/latest.html#get-matrix-media-r0-download-servername-mediaid
 https://github.com/matrix-org/synapse/pull/1021) we recommend running
 matrix homeservers on a dedicated domain name, to limit any malicious user generated
 content served to web browsers a matrix API from being able to attack webapps hosted
 on the same domain.  This is particularly true of sharing a matrix webclient and
 server on the same domain.
-See https://github.com/vector-im/riot-web/issues/1977 and
+Whilst we make a reasonable effort to mitigate against XSS attacks (for
-https://developer.github.com/changes/2014-04-25-user-content-security for more details.
+instance, by using `CSP`_), a Matrix homeserver should not be hosted on a
 domain hosting other web applications. This especially applies to sharing
 the domain with Matrix web clients and other sensitive applications like
 webmail. See
 https://developer.github.com/changes/2014-04-25-user-content-security for more
 information.
 .. _CSP: https://github.com/matrix-org/synapse/pull/1021
 Ideally, the homeserver should not simply be on a different subdomain, but on
 a completely different `registered domain`_ (also known as top-level site or
 eTLD+1). This is because `some attacks`_ are still possible as long as the two
 applications share the same registered domain.
 .. _registered domain: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-2.3
 .. _some attacks: https://en.wikipedia.org/wiki/Session_fixation#Attacks_using_cross-subdomain_cookie
 To illustrate this with an example, if your Element Web or other sensitive web
 application is hosted on ``A.example1.com``, you should ideally host Synapse on
 ``example2.com``. Some amount of protection is offered by hosting on
 ``B.example1.com`` instead, so this is also acceptable in some scenarios.
 However, you should *not* host your Synapse on ``A.example1.com``.
 Note that all of the above refers exclusively to the domain used in Synapse's
 ``public_baseurl`` setting. In particular, it has no bearing on the domain
 mentioned in MXIDs hosted on that server.
 Following this advice ensures that even if an XSS is found in Synapse, the
 impact to other applications will be minimal.
 Upgrading an existing Synapse
 =============================
-The instructions for upgrading synapse are in `UPGRADE.rst`_.
+The instructions for upgrading synapse are in `the upgrade notes`_.
 Please check these instructions as upgrading may require extra steps for some
 versions of synapse.
-.. _UPGRADE.rst: UPGRADE.rst
+.. _the upgrade notes: https://matrix-org.github.io/synapse/develop/upgrade.html
 .. _reverse-proxy:
@@ -244,11 +268,27 @@ Then update the ``users`` table in the database::
 Synapse Development
 ===================
-Join our developer community on Matrix: `#synapse-dev:matrix.org <https://matrix.to/#/#synapse-dev:matrix.org>`_
+The best place to get started is our
 `guide for contributors <https://matrix-org.github.io/synapse/latest/development/contributing_guide.html>`_.
 This is part of our larger `documentation <https://matrix-org.github.io/synapse/latest>`_, which includes
 information for synapse developers as well as synapse administrators.
 Developers might be particularly interested in:
 * `Synapse's database schema <https://matrix-org.github.io/synapse/latest/development/database_schema.html>`_,
 * `notes on Synapse's implementation details <https://matrix-org.github.io/synapse/latest/development/internal_documentation/index.html>`_, and
 * `how we use git <https://matrix-org.github.io/synapse/latest/development/git.html>`_.
 Alongside all that, join our developer community on Matrix:
 `#synapse-dev:matrix.org <https://matrix.to/#/#synapse-dev:matrix.org>`_, featuring real humans!
 Quick start
 -----------
 Before setting up a development environment for synapse, make sure you have the
 system dependencies (such as the python header files) installed - see
-`Installing from source <INSTALL.md#installing-from-source>`_.
+`Installing from source <https://matrix-org.github.io/synapse/latest/setup/installation.html#installing-from-source>`_.
 To check out a synapse for development, clone the git repo into a working
 directory of your choice::
@@ -269,18 +309,6 @@ try installing the failing modules individually::
    pip install -e "module-name"
 Once this is done, you may wish to run Synapse's unit tests to
 check that everything is installed correctly::
    python -m twisted.trial tests
 This should end with a 'PASSED' result (note that exact numbers will
 differ)::
    Ran 1337 tests in 716.064s
    PASSED (skips=15, successes=1322)
 We recommend using the demo which starts 3 federated instances running on ports `8080` - `8082`
    ./demo/start.sh
@@ -300,10 +328,27 @@ If you just want to start a single instance of the app and run it directly::
    python -m synapse.app.homeserver --config-path homeserver.yaml
 Running the unit tests
 ----------------------
 After getting up and running, you may wish to run Synapse's unit tests to
 check that everything is installed correctly::
    trial tests
 This should end with a 'PASSED' result (note that exact numbers will
 differ)::
    Ran 1337 tests in 716.064s
    PASSED (skips=15, successes=1322)
 For more tips on running the unit tests, like running a specific test or
 to see the logging output, see the `CONTRIBUTING doc <CONTRIBUTING.md#run-the-unit-tests>`_.
 Running the Integration Tests
-=============================
+-----------------------------
 Synapse is accompanied by `SyTest <https://github.com/matrix-org/sytest>`_,
 a Matrix homeserver integration testing suite, which uses HTTP requests to
@@ -311,8 +356,8 @@ access the API as a Matrix client would. It is able to run Synapse directly from
 the source tree, so installation of the server is not required.
 Testing with SyTest is recommended for verifying that changes related to the
-Client-Server API are functioning correctly. See the `installation instructions
+Client-Server API are functioning correctly. See the `SyTest installation
-<https://github.com/matrix-org/sytest#installing>`_ for details.
+instructions <https://github.com/matrix-org/sytest#installing>`_ for details.
 Platform dependencies
@@ -421,6 +466,10 @@ This is normally caused by a misconfiguration in your reverse-proxy. See
  :alt: (discuss development on #synapse-dev:matrix.org)
  :target: https://matrix.to/#/#synapse-dev:matrix.org
 .. |documentation| image:: https://img.shields.io/badge/documentation-%E2%9C%93-success
  :alt: (Rendered documentation on GitHub Pages)
  :target: https://matrix-org.github.io/synapse/latest/
 .. |license| image:: https://img.shields.io/github/license/matrix-org/synapse
  :alt: (check license in LICENSE file)
  :target: LICENSE
--- a/UPGRADE.rst
+++ b/UPGRADE.rst
--- a/book.toml
+++ b/book.toml
@@ -0,0 +1,39 @@
 # Documentation for possible options in this file is at
 # https://rust-lang.github.io/mdBook/format/config.html
 [book]
 title = "Synapse"
 authors = ["The Matrix.org Foundation C.I.C."]
 language = "en"
 multilingual = false
 # The directory that documentation files are stored in
 src = "docs"
 [build]
 # Prevent markdown pages from being automatically generated when they're
 # linked to in SUMMARY.md
 create-missing = false
 [output.html]
 # The URL visitors will be directed to when they try to edit a page
 edit-url-template = "https://github.com/matrix-org/synapse/edit/develop/{path}"
 # Remove the numbers that appear before each item in the sidebar, as they can
 # get quite messy as we nest deeper
 no-section-label = true
 # The source code URL of the repository
 git-repository-url = "https://github.com/matrix-org/synapse"
 # The path that the docs are hosted on
 site-url = "/synapse/"
 # Additional HTML, JS, CSS that's injected into each page of the book.
 # More information available in docs/website_files/README.md
 additional-css = [
    "docs/website_files/table-of-contents.css",
    "docs/website_files/remove-nav-buttons.css",
    "docs/website_files/indent-section-headers.css",
 ]
 additional-js = ["docs/website_files/table-of-contents.js"]
 theme = "docs/website_files/theme"
--- a/contrib/docker/docker-compose.yml
+++ b/contrib/docker/docker-compose.yml
@@ -56,7 +56,7 @@ services:
      - POSTGRES_USER=synapse
      - POSTGRES_PASSWORD=changeme
      # ensure the database gets created correctly
-      # https://github.com/matrix-org/synapse/blob/master/docs/postgres.md#set-up-database
+      # https://matrix-org.github.io/synapse/latest/postgres.html#set-up-database
      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
    volumes:
      # You may store the database tables in a local folder..
--- a/contrib/experiments/cursesio.py
+++ b/contrib/experiments/cursesio.py
@@ -46,14 +46,14 @@ class CursesStdIO:
        self.callback = callback
    def fileno(self):
-        """ We want to select on FD 0 """
+        """We want to select on FD 0"""
        return 0
    def connectionLost(self, reason):
        self.close()
    def print_line(self, text):
-        """ add a line to the internal list of lines"""
+        """add a line to the internal list of lines"""
        self.lines.append(text)
        self.redraw()
@@ -92,7 +92,7 @@ class CursesStdIO:
        )
    def doRead(self):
-        """ Input is ready! """
+        """Input is ready!"""
        curses.noecho()
        c = self.stdscr.getch()  # read a character
@@ -132,7 +132,7 @@ class CursesStdIO:
        return "CursesStdIO"
    def close(self):
-        """ clean up """
+        """clean up"""
        curses.nocbreak()
        self.stdscr.keypad(0)
--- a/contrib/grafana/README.md
+++ b/contrib/grafana/README.md
@@ -1,6 +1,6 @@
 # Using the Synapse Grafana dashboard
 0. Set up Prometheus and Grafana. Out of scope for this readme. Useful documentation about using Grafana with Prometheus: http://docs.grafana.org/features/datasources/prometheus/
-1. Have your Prometheus scrape your Synapse. https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md
+1. Have your Prometheus scrape your Synapse. https://matrix-org.github.io/synapse/latest/metrics-howto.html
 2. Import dashboard into Grafana. Download `synapse.json`. Import it to Grafana and select the correct Prometheus datasource. http://docs.grafana.org/reference/export_import/
-3. Set up required recording rules. https://github.com/matrix-org/synapse/tree/master/contrib/prometheus
+3. Set up required recording rules. [contrib/prometheus](../prometheus)
--- a/contrib/grafana/synapse.json
+++ b/contrib/grafana/synapse.json
--- a/contrib/prometheus/README.md
+++ b/contrib/prometheus/README.md
@@ -34,7 +34,7 @@ Add a new job to the main prometheus.yml file:
 ```
 An example of a Prometheus configuration with workers can be found in
-[metrics-howto.md](https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md).
+[metrics-howto.md](https://matrix-org.github.io/synapse/latest/metrics-howto.html).
 To use `synapse.rules` add
--- a/contrib/purge_api/README.md
+++ b/contrib/purge_api/README.md
@@ -3,8 +3,9 @@ Purge history API examples
 # `purge_history.sh`
-A bash file, that uses the [purge history API](/docs/admin_api/purge_history_api.rst) to 
+A bash file, that uses the
-purge all messages in a list of rooms up to a certain event. You can select a 
+[purge history API](https://matrix-org.github.io/synapse/latest/admin_api/purge_history_api.html)
 to purge all messages in a list of rooms up to a certain event. You can select a 
 timeframe or a number of messages that you want to keep in the room.
 Just configure the variables DOMAIN, ADMIN, ROOMS_ARRAY and TIME at the top of
@@ -12,5 +13,6 @@ the script.
 # `purge_remote_media.sh`
-A bash file, that uses the [purge history API](/docs/admin_api/purge_history_api.rst) to 
+A bash file, that uses the
-purge all old cached remote media.
+[purge history API](https://matrix-org.github.io/synapse/latest/admin_api/purge_history_api.html)
 to purge all old cached remote media.
--- a/contrib/purge_api/purge_history.sh
+++ b/contrib/purge_api/purge_history.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # this script will use the api:
-#    https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst
+#    https://matrix-org.github.io/synapse/latest/admin_api/purge_history_api.html
 # 
 # It will purge all messages in a list of rooms up to a cetrain event
--- a/contrib/systemd-with-workers/README.md
+++ b/contrib/systemd-with-workers/README.md
@@ -1,2 +1,3 @@
 The documentation for using systemd to manage synapse workers is now part of
-the main synapse distribution. See [docs/systemd-with-workers](../../docs/systemd-with-workers).
+the main synapse distribution. See
 [docs/systemd-with-workers](https://matrix-org.github.io/synapse/latest/systemd-with-workers/index.html).
--- a/contrib/systemd/README.md
+++ b/contrib/systemd/README.md
@@ -2,7 +2,8 @@
 This is a setup for managing synapse with a user contributed systemd unit 
 file. It provides a `matrix-synapse` systemd unit file that should be tailored 
 to accommodate your installation in accordance with the installation 
-instructions provided in [installation instructions](../../INSTALL.md).
+instructions provided in
 [installation instructions](https://matrix-org.github.io/synapse/latest/setup/installation.html).
 ## Setup
 1. Under the service section, ensure the `User` variable matches which user
--- a/contrib/systemd/override-hardened.conf
+++ b/contrib/systemd/override-hardened.conf
@@ -0,0 +1,71 @@
 [Service]
 # The following directives give the synapse service R/W access to:
 # - /run/matrix-synapse
 # - /var/lib/matrix-synapse
 # - /var/log/matrix-synapse
 RuntimeDirectory=matrix-synapse
 StateDirectory=matrix-synapse
 LogsDirectory=matrix-synapse
 ######################
 ## Security Sandbox ##
 ######################
 # Make sure that the service has its own unshared tmpfs at /tmp and that it
 # cannot see or change any real devices
 PrivateTmp=true
 PrivateDevices=true
 # We give no capabilities to a service by default
 CapabilityBoundingSet=
 AmbientCapabilities=
 # Protect the following from modification:
 # - The entire filesystem
 # - sysctl settings and loaded kernel modules
 # - No modifications allowed to Control Groups
 # - Hostname
 # - System Clock
 ProtectSystem=strict
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectControlGroups=true
 ProtectClock=true
 ProtectHostname=true
 # Prevent access to the following:
 # - /home directory
 # - Kernel logs
 ProtectHome=tmpfs
 ProtectKernelLogs=true
 # Make sure that the process can only see PIDs and process details of itself,
 # and the second option disables seeing details of things like system load and
 # I/O etc
 ProtectProc=invisible
 ProcSubset=pid
 # While not needed, we set these options explicitly
 # - This process has been given access to the host network
 # - It can also communicate with any IP Address
 PrivateNetwork=false
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 IPAddressAllow=any
 # Restrict system calls to a sane bunch
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@privileged @resources @obsolete
 # Misc restrictions
 # - Since the process is a python process it needs to be able to write and
 #   execute memory regions, so we set MemoryDenyWriteExecute to false
 RestrictSUIDSGID=true
 RemoveIPC=true
 NoNewPrivileges=true
 RestrictRealtime=true
 RestrictNamespaces=true
 LockPersonality=true
 PrivateUsers=true
 MemoryDenyWriteExecute=false
--- a/debian/build_virtualenv
+++ b/debian/build_virtualenv
@@ -33,13 +33,11 @@ esac
 # Use --builtin-venv to use the better `venv` module from CPython 3.4+ rather
 # than the 2/3 compatible `virtualenv`.
 # Pin pip to 20.3.4 to fix breakage in 21.0 on py3.5 (xenial)
 dh_virtualenv \
    --install-suffix "matrix-synapse" \
    --builtin-venv \
    --python "$SNAKE" \
-    --upgrade-pip-to="20.3.4" \
+    --upgrade-pip \
    --preinstall="lxml" \
    --preinstall="mock" \
    --extra-pip-arg="--no-cache-dir" \
@@ -102,3 +100,18 @@ esac
 # add a dependency on the right version of python to substvars.
 PYPKG=`basename $SNAKE`
 echo "synapse:pydepends=$PYPKG" >> debian/matrix-synapse-py3.substvars
 # add a couple of triggers.  This is needed so that dh-virtualenv can rebuild
 # the venv when the system python changes (see
 # https://dh-virtualenv.readthedocs.io/en/latest/tutorial.html#step-2-set-up-packaging-for-your-project)
 #
 # we do it here rather than the more conventional way of just adding it to
 # debian/matrix-synapse-py3.triggers, because we need to add a trigger on the
 # right version of python.
 cat >>"debian/.debhelper/generated/matrix-synapse-py3/triggers" <<EOF
 # triggers for dh-virtualenv
 interest-noawait $SNAKE
 interest dh-virtualenv-interpreter-update
 EOF
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,163 @@
 matrix-synapse-py3 (1.43.0) stable; urgency=medium
  * New synapse release 1.43.0.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 21 Sep 2021 11:49:05 +0100
 matrix-synapse-py3 (1.43.0~rc2) stable; urgency=medium
  * New synapse release 1.43.0~rc2.
 -- Synapse Packaging team <packages@matrix.org>  Fri, 17 Sep 2021 10:43:21 +0100
 matrix-synapse-py3 (1.43.0~rc1) stable; urgency=medium
  * New synapse release 1.43.0~rc1.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 14 Sep 2021 11:39:46 +0100
 matrix-synapse-py3 (1.42.0) stable; urgency=medium
  * New synapse release 1.42.0.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Sep 2021 16:19:09 +0100
 matrix-synapse-py3 (1.42.0~rc2) stable; urgency=medium
  * New synapse release 1.42.0~rc2.
 -- Synapse Packaging team <packages@matrix.org>  Mon, 06 Sep 2021 15:25:13 +0100
 matrix-synapse-py3 (1.42.0~rc1) stable; urgency=medium
  * New synapse release 1.42.0rc1.
 -- Synapse Packaging team <packages@matrix.org>  Wed, 01 Sep 2021 11:37:48 +0100
 matrix-synapse-py3 (1.41.1) stable; urgency=high
  * New synapse release 1.41.1.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 31 Aug 2021 12:59:10 +0100
 matrix-synapse-py3 (1.41.0) stable; urgency=medium
  * New synapse release 1.41.0.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 24 Aug 2021 15:31:45 +0100
 matrix-synapse-py3 (1.41.0~rc1) stable; urgency=medium
  * New synapse release 1.41.0~rc1.
 -- Synapse Packaging team <packages@matrix.org>  Wed, 18 Aug 2021 15:52:00 +0100
 matrix-synapse-py3 (1.40.0) stable; urgency=medium
  * New synapse release 1.40.0.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 10 Aug 2021 13:50:48 +0100
 matrix-synapse-py3 (1.40.0~rc3) stable; urgency=medium
  * New synapse release 1.40.0~rc3.
 -- Synapse Packaging team <packages@matrix.org>  Mon, 09 Aug 2021 13:41:08 +0100
 matrix-synapse-py3 (1.40.0~rc2) stable; urgency=medium
  * New synapse release 1.40.0~rc2.
 -- Synapse Packaging team <packages@matrix.org>  Wed, 04 Aug 2021 17:08:55 +0100
 matrix-synapse-py3 (1.40.0~rc1) stable; urgency=medium
  [ Richard van der Hoff ]
  * Drop backwards-compatibility code that was required to support Ubuntu Xenial.
  * Update package triggers so that the virtualenv is correctly rebuilt
    when the system python is rebuilt, on recent Python versions.
  [ Synapse Packaging team ]
  * New synapse release 1.40.0~rc1.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 03 Aug 2021 11:31:49 +0100
 matrix-synapse-py3 (1.39.0) stable; urgency=medium
  * New synapse release 1.39.0.
 -- Synapse Packaging team <packages@matrix.org>  Thu, 29 Jul 2021 09:59:00 +0100
 matrix-synapse-py3 (1.39.0~rc3) stable; urgency=medium
  * New synapse release 1.39.0~rc3.
 -- Synapse Packaging team <packages@matrix.org>  Wed, 28 Jul 2021 13:30:58 +0100
 matrix-synapse-py3 (1.38.1) stable; urgency=medium
  * New synapse release 1.38.1.
 -- Synapse Packaging team <packages@matrix.org>  Thu, 22 Jul 2021 15:37:06 +0100
 matrix-synapse-py3 (1.39.0~rc1) stable; urgency=medium
  * New synapse release 1.39.0rc1.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 20 Jul 2021 14:28:34 +0100
 matrix-synapse-py3 (1.38.0) stable; urgency=medium
  * New synapse release 1.38.0.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 13 Jul 2021 13:20:56 +0100
 matrix-synapse-py3 (1.38.0rc3) prerelease; urgency=medium
  [ Erik Johnston ]
  * Add synapse_review_recent_signups script
  [ Synapse Packaging team ]
  * New synapse release 1.38.0rc3.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 13 Jul 2021 11:53:56 +0100
 matrix-synapse-py3 (1.37.1) stable; urgency=medium
  * New synapse release 1.37.1.
 -- Synapse Packaging team <packages@matrix.org>  Wed, 30 Jun 2021 12:24:06 +0100
 matrix-synapse-py3 (1.37.0) stable; urgency=medium
  * New synapse release 1.37.0.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 29 Jun 2021 10:15:25 +0100
 matrix-synapse-py3 (1.36.0) stable; urgency=medium
  * New synapse release 1.36.0.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 15 Jun 2021 15:41:53 +0100
 matrix-synapse-py3 (1.35.1) stable; urgency=medium
  * New synapse release 1.35.1.
 -- Synapse Packaging team <packages@matrix.org>  Thu, 03 Jun 2021 08:11:29 -0400
 matrix-synapse-py3 (1.35.0) stable; urgency=medium
  * New synapse release 1.35.0.
 -- Synapse Packaging team <packages@matrix.org>  Tue, 01 Jun 2021 13:23:35 +0100
 matrix-synapse-py3 (1.34.0) stable; urgency=medium
  * New synapse release 1.34.0.
 -- Synapse Packaging team <packages@matrix.org>  Mon, 17 May 2021 11:34:18 +0100
 matrix-synapse-py3 (1.33.2) stable; urgency=medium
  * New synapse release 1.33.2.
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-9
+10
--- a/debian/control
+++ b/debian/control
@@ -3,11 +3,8 @@ Section: contrib/python
 Priority: extra
 Maintainer: Synapse Packaging team <packages@matrix.org>
 # keep this list in sync with the build dependencies in docker/Dockerfile-dhvirtualenv.
 # TODO: Remove the dependency on dh-systemd after dropping support for Ubuntu xenial
 #       On all other supported releases, it's merely a transitional package which
 #       does nothing but depends on debhelper (> 9.20160709)
 Build-Depends:
- debhelper (>= 9.20160709) | dh-systemd,
+ debhelper (>= 10),
 dh-virtualenv (>= 1.1),
 libsystemd-dev,
 libpq-dev,
--- a/debian/hash_password.1
+++ b/debian/hash_password.1
@@ -1,90 +1,58 @@
-.\" generated with Ronn/v0.7.3
+.\" generated with Ronn-NG/v0.8.0
-.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.\" http://github.com/apjanke/ronn-ng/tree/0.8.0
-.
+.TH "HASH_PASSWORD" "1" "July 2021" "" ""
 .TH "HASH_PASSWORD" "1" "February 2017" "" ""
 .
 .SH "NAME"
 \fBhash_password\fR \- Calculate the hash of a new password, so that passwords can be reset
 .
 .SH "SYNOPSIS"
 \fBhash_password\fR [\fB\-p\fR|\fB\-\-password\fR [password]] [\fB\-c\fR|\fB\-\-config\fR \fIfile\fR]
 .
 .SH "DESCRIPTION"
 \fBhash_password\fR calculates the hash of a supplied password using bcrypt\.
 .
 .P
 \fBhash_password\fR takes a password as an parameter either on the command line or the \fBSTDIN\fR if not supplied\.
 .
 .P
 It accepts an YAML file which can be used to specify parameters like the number of rounds for bcrypt and password_config section having the pepper value used for the hashing\. By default \fBbcrypt_rounds\fR is set to \fB10\fR\.
 .
 .P
 The hashed password is written on the \fBSTDOUT\fR\.
 .
 .SH "FILES"
 A sample YAML file accepted by \fBhash_password\fR is described below:
 .
 .P
 bcrypt_rounds: 17 password_config: pepper: "random hashing pepper"
 .
 .SH "OPTIONS"
 .
 .TP
 \fB\-p\fR, \fB\-\-password\fR
 Read the password form the command line if [password] is supplied\. If not, prompt the user and read the password form the \fBSTDIN\fR\. It is not recommended to type the password on the command line directly\. Use the STDIN instead\.
 .
 .TP
 \fB\-c\fR, \fB\-\-config\fR
 Read the supplied YAML \fIfile\fR containing the options \fBbcrypt_rounds\fR and the \fBpassword_config\fR section containing the \fBpepper\fR value\.
 .
 .SH "EXAMPLES"
 Hash from the command line:
 .
 .IP "" 4
 .
 .nf
 $ hash_password \-p "p@ssw0rd"
 $2b$12$VJNqWQYfsWTEwcELfoSi4Oa8eA17movHqqi8\.X8fWFpum7SxZ9MFe
 .
 .fi
 .
 .IP "" 0
 .
 .P
 Hash from the STDIN:
 .
 .IP "" 4
 .
 .nf
 $ hash_password
 Password:
 Confirm password:
 $2b$12$AszlvfmJl2esnyhmn8m/kuR2tdXgROWtWxnX\.rcuAbM8ErLoUhybG
 .
 .fi
 .
 .IP "" 0
 .
 .P
 Using a config file:
 .
 .IP "" 4
 .
 .nf
 $ hash_password \-c config\.yml
 Password:
 Confirm password:
 $2b$12$CwI\.wBNr\.w3kmiUlV3T5s\.GT2wH7uebDCovDrCOh18dFedlANK99O
 .
 .fi
 .
 .IP "" 0
 .
 .SH "COPYRIGHT"
-This man page was written by Rahul De <\fIrahulde@swecha\.net\fR> for Debian GNU/Linux distribution\.
+This man page was written by Rahul De <\fI\%mailto:rahulde@swecha\.net\fR> for Debian GNU/Linux distribution\.
 .
 .SH "SEE ALSO"
-synctl(1), synapse_port_db(1), register_new_matrix_user(1)
+synctl(1), synapse_port_db(1), register_new_matrix_user(1), synapse_review_recent_signups(1)
--- a/debian/hash_password.ronn
+++ b/debian/hash_password.ronn
@@ -66,4 +66,4 @@ for Debian GNU/Linux distribution.
 ## SEE ALSO
-synctl(1), synapse_port_db(1), register_new_matrix_user(1)
+synctl(1), synapse_port_db(1), register_new_matrix_user(1), synapse_review_recent_signups(1)
--- a/debian/manpages
+++ b/debian/manpages
@@ -1,4 +1,5 @@
 debian/hash_password.1
 debian/register_new_matrix_user.1
 debian/synapse_port_db.1
 debian/synapse_review_recent_signups.1
 debian/synctl.1
--- a/debian/matrix-synapse-py3.links
+++ b/debian/matrix-synapse-py3.links
@@ -1,4 +1,5 @@
 opt/venvs/matrix-synapse/bin/hash_password usr/bin/hash_password
 opt/venvs/matrix-synapse/bin/register_new_matrix_user usr/bin/register_new_matrix_user
 opt/venvs/matrix-synapse/bin/synapse_port_db usr/bin/synapse_port_db
 opt/venvs/matrix-synapse/bin/synapse_review_recent_signups usr/bin/synapse_review_recent_signups
 opt/venvs/matrix-synapse/bin/synctl usr/bin/synctl
--- a/debian/matrix-synapse-py3.triggers
+++ b/debian/matrix-synapse-py3.triggers
@@ -1,9 +0,0 @@
 # Register interest in Python interpreter changes and
 # don't make the Python package dependent on the virtualenv package
 # processing (noawait)
 interest-noawait /usr/bin/python3.5
 interest-noawait /usr/bin/python3.6
 interest-noawait /usr/bin/python3.7
 # Also provide a symbolic trigger for all dh-virtualenv packages
 interest dh-virtualenv-interpreter-update
--- a/debian/register_new_matrix_user.1
+++ b/debian/register_new_matrix_user.1
@@ -1,72 +1,47 @@
-.\" generated with Ronn/v0.7.3
+.\" generated with Ronn-NG/v0.8.0
-.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.\" http://github.com/apjanke/ronn-ng/tree/0.8.0
-.
+.TH "REGISTER_NEW_MATRIX_USER" "1" "July 2021" "" ""
 .TH "REGISTER_NEW_MATRIX_USER" "1" "February 2017" "" ""
 .
 .SH "NAME"
 \fBregister_new_matrix_user\fR \- Used to register new users with a given home server when registration has been disabled
 .
 .SH "SYNOPSIS"
-\fBregister_new_matrix_user\fR options\.\.\.
+\fBregister_new_matrix_user\fR options\|\.\|\.\|\.
 .
 .SH "DESCRIPTION"
 \fBregister_new_matrix_user\fR registers new users with a given home server when registration has been disabled\. For this to work, the home server must be configured with the \'registration_shared_secret\' option set\.
 .
 .P
 This accepts the user credentials like the username, password, is user an admin or not and registers the user onto the homeserver database\. Also, a YAML file containing the shared secret can be provided\. If not, the shared secret can be provided via the command line\.
 .
 .P
 By default it assumes the home server URL to be \fBhttps://localhost:8448\fR\. This can be changed via the \fBserver_url\fR command line option\.
 .
 .SH "FILES"
 A sample YAML file accepted by \fBregister_new_matrix_user\fR is described below:
 .
 .IP "" 4
 .
 .nf
 registration_shared_secret: "s3cr3t"
 .
 .fi
 .
 .IP "" 0
 .
 .SH "OPTIONS"
 .
 .TP
 \fB\-u\fR, \fB\-\-user\fR
 Local part of the new user\. Will prompt if omitted\.
 .
 .TP
 \fB\-p\fR, \fB\-\-password\fR
 New password for user\. Will prompt if omitted\. Supplying the password on the command line is not recommended\. Use the STDIN instead\.
 .
 .TP
 \fB\-a\fR, \fB\-\-admin\fR
 Register new user as an admin\. Will prompt if omitted\.
 .
 .TP
 \fB\-c\fR, \fB\-\-config\fR
 Path to server config file containing the shared secret\.
 .
 .TP
 \fB\-k\fR, \fB\-\-shared\-secret\fR
 Shared secret as defined in server config file\. This is an optional parameter as it can be also supplied via the YAML file\.
 .
 .TP
 \fBserver_url\fR
 URL of the home server\. Defaults to \'https://localhost:8448\'\.
 .
 .SH "EXAMPLES"
 .
 .nf
 $ register_new_matrix_user \-u user1 \-p p@ssword \-a \-c config\.yaml
 .
 .fi
 .
 .SH "COPYRIGHT"
-This man page was written by Rahul De <\fIrahulde@swecha\.net\fR> for Debian GNU/Linux distribution\.
+This man page was written by Rahul De <\fI\%mailto:rahulde@swecha\.net\fR> for Debian GNU/Linux distribution\.
 .
 .SH "SEE ALSO"
-synctl(1), synapse_port_db(1), hash_password(1)
+synctl(1), synapse_port_db(1), hash_password(1), synapse_review_recent_signups(1)
--- a/debian/register_new_matrix_user.ronn
+++ b/debian/register_new_matrix_user.ronn
@@ -58,4 +58,4 @@ for Debian GNU/Linux distribution.
 ## SEE ALSO
-synctl(1), synapse_port_db(1), hash_password(1)
+synctl(1), synapse_port_db(1), hash_password(1), synapse_review_recent_signups(1)
--- a/debian/rules
+++ b/debian/rules
@@ -51,7 +51,5 @@ override_dh_shlibdeps:
 override_dh_virtualenv:
 	./debian/build_virtualenv
 # We are restricted to compat level 9 (because xenial), so have to
 # enable the systemd bits manually.
 %:
-	dh $@ --with python-virtualenv --with systemd
+	dh $@ --with python-virtualenv
--- a/debian/synapse_port_db.1
+++ b/debian/synapse_port_db.1
@@ -1,83 +1,56 @@
-.\" generated with Ronn/v0.7.3
+.\" generated with Ronn-NG/v0.8.0
-.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.\" http://github.com/apjanke/ronn-ng/tree/0.8.0
-.
+.TH "SYNAPSE_PORT_DB" "1" "July 2021" "" ""
 .TH "SYNAPSE_PORT_DB" "1" "February 2017" "" ""
 .
 .SH "NAME"
 \fBsynapse_port_db\fR \- A script to port an existing synapse SQLite database to a new PostgreSQL database\.
 .
 .SH "SYNOPSIS"
 \fBsynapse_port_db\fR [\-v] \-\-sqlite\-database=\fIdbfile\fR \-\-postgres\-config=\fIyamlconfig\fR [\-\-curses] [\-\-batch\-size=\fIbatch\-size\fR]
 .
 .SH "DESCRIPTION"
 \fBsynapse_port_db\fR ports an existing synapse SQLite database to a new PostgreSQL database\.
 .
 .P
 SQLite database is specified with \fB\-\-sqlite\-database\fR option and PostgreSQL configuration required to connect to PostgreSQL database is provided using \fB\-\-postgres\-config\fR configuration\. The configuration is specified in YAML format\.
 .
 .SH "OPTIONS"
 .
 .TP
 \fB\-v\fR
 Print log messages in \fBdebug\fR level instead of \fBinfo\fR level\.
 .
 .TP
 \fB\-\-sqlite\-database\fR
 The snapshot of the SQLite database file\. This must not be currently used by a running synapse server\.
 .
 .TP
 \fB\-\-postgres\-config\fR
 The database config file for the PostgreSQL database\.
 .
 .TP
 \fB\-\-curses\fR
 Display a curses based progress UI\.
 .
 .SH "CONFIG FILE"
 The postgres configuration file must be a valid YAML file with the following options\.
-.
+.IP "\[ci]" 4
 .IP "\(bu" 4
 \fBdatabase\fR: Database configuration section\. This section header can be ignored and the options below may be specified as top level keys\.
-.
+.IP "\[ci]" 4
 .IP "\(bu" 4
 \fBname\fR: Connector to use when connecting to the database\. This value must be \fBpsycopg2\fR\.
-.
+.IP "\[ci]" 4
 .IP "\(bu" 4
 \fBargs\fR: DB API 2\.0 compatible arguments to send to the \fBpsycopg2\fR module\.
-.
+.IP "\[ci]" 4
 .IP "\(bu" 4
 \fBdbname\fR \- the database name
-.
+.IP "\[ci]" 4
 .IP "\(bu" 4
 \fBuser\fR \- user name used to authenticate
-.
+.IP "\[ci]" 4
 .IP "\(bu" 4
 \fBpassword\fR \- password used to authenticate
-.
+.IP "\[ci]" 4
 .IP "\(bu" 4
 \fBhost\fR \- database host address (defaults to UNIX socket if not provided)
-.
+.IP "\[ci]" 4
 .IP "\(bu" 4
 \fBport\fR \- connection port number (defaults to 5432 if not provided)
 .
 .IP "" 0
-.
+.IP "\[ci]" 4
 .IP "\(bu" 4
 \fBsynchronous_commit\fR: Optional\. Default is True\. If the value is \fBFalse\fR, enable asynchronous commit and don\'t wait for the server to call fsync before ending the transaction\. See: https://www\.postgresql\.org/docs/current/static/wal\-async\-commit\.html
 .
 .IP "" 0
 .
 .IP "" 0
 .
 .P
 Following example illustrates the configuration file format\.
 .
 .IP "" 4
 .
 .nf
 database:
  name: psycopg2
  args:
@@ -86,13 +59,9 @@ database:
    password: ORohmi9Eet=ohphi
    host: localhost
  synchronous_commit: false
 .
 .fi
 .
 .IP "" 0
 .
 .SH "COPYRIGHT"
-This man page was written by Sunil Mohan Adapa <\fIsunil@medhas\.org\fR> for Debian GNU/Linux distribution\.
+This man page was written by Sunil Mohan Adapa <\fI\%mailto:sunil@medhas\.org\fR> for Debian GNU/Linux distribution\.
 .
 .SH "SEE ALSO"
-synctl(1), hash_password(1), register_new_matrix_user(1)
+synctl(1), hash_password(1), register_new_matrix_user(1), synapse_review_recent_signups(1)
--- a/debian/synapse_port_db.ronn
+++ b/debian/synapse_port_db.ronn
@@ -84,4 +84,4 @@ Debian GNU/Linux distribution.
 ## SEE ALSO
-synctl(1), hash_password(1), register_new_matrix_user(1)
+synctl(1), hash_password(1), register_new_matrix_user(1), synapse_review_recent_signups(1)
--- a/debian/synapse_review_recent_signups.1
+++ b/debian/synapse_review_recent_signups.1
@@ -0,0 +1,26 @@
 .\" generated with Ronn-NG/v0.8.0
 .\" http://github.com/apjanke/ronn-ng/tree/0.8.0
 .TH "SYNAPSE_REVIEW_RECENT_SIGNUPS" "1" "July 2021" "" ""
 .SH "NAME"
 \fBsynapse_review_recent_signups\fR \- Print users that have recently registered on Synapse
 .SH "SYNOPSIS"
 \fBsynapse_review_recent_signups\fR \fB\-c\fR|\fB\-\-config\fR \fIfile\fR [\fB\-s\fR|\fB\-\-since\fR \fIperiod\fR] [\fB\-e\fR|\fB\-\-exclude\-emails\fR] [\fB\-u\fR|\fB\-\-only\-users\fR]
 .SH "DESCRIPTION"
 \fBsynapse_review_recent_signups\fR prints out recently registered users on a Synapse server, as well as some basic information about the user\.
 .P
 \fBsynapse_review_recent_signups\fR must be supplied with the config of the Synapse server, so that it can fetch the database config and connect to the database\.
 .SH "OPTIONS"
 .TP
 \fB\-c\fR, \fB\-\-config\fR
 The config file(s) used by the Synapse server\.
 .TP
 \fB\-s\fR, \fB\-\-since\fR
 How far back to search for newly registered users\. Defaults to 7d, i\.e\. up to seven days in the past\. Valid units are \'s\', \'m\', \'h\', \'d\', \'w\', or \'y\'\.
 .TP
 \fB\-e\fR, \fB\-\-exclude\-emails\fR
 Do not print out users that have validated emails associated with their account\.
 .TP
 \fB\-u\fR, \fB\-\-only\-users\fR
 Only print out the user IDs of recently registered users, without any additional information
 .SH "SEE ALSO"
 synctl(1), synapse_port_db(1), register_new_matrix_user(1), hash_password(1)
--- a/debian/synapse_review_recent_signups.ronn
+++ b/debian/synapse_review_recent_signups.ronn
@@ -0,0 +1,37 @@
 synapse_review_recent_signups(1) -- Print users that have recently registered on Synapse
 ========================================================================================
 ## SYNOPSIS
 `synapse_review_recent_signups` `-c`|`--config` <file> [`-s`|`--since` <period>] [`-e`|`--exclude-emails`] [`-u`|`--only-users`]
 ## DESCRIPTION
 **synapse_review_recent_signups** prints out recently registered users on a
 Synapse server, as well as some basic information about the user.
 `synapse_review_recent_signups` must be supplied with the config of the Synapse
 server, so that it can fetch the database config and connect to the database.
 ## OPTIONS
  * `-c`, `--config`:
    The config file(s) used by the Synapse server.
  * `-s`, `--since`:
    How far back to search for newly registered users. Defaults to 7d, i.e. up
    to seven days in the past. Valid units are 's', 'm', 'h', 'd', 'w', or 'y'.
  * `-e`, `--exclude-emails`:
    Do not print out users that have validated emails associated with their
    account.
  * `-u`, `--only-users`:
    Only print out the user IDs of recently registered users, without any
    additional information
 ## SEE ALSO
 synctl(1), synapse_port_db(1), register_new_matrix_user(1), hash_password(1)
--- a/debian/synctl.1
+++ b/debian/synctl.1
@@ -1,63 +1,41 @@
-.\" generated with Ronn/v0.7.3
+.\" generated with Ronn-NG/v0.8.0
-.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.\" http://github.com/apjanke/ronn-ng/tree/0.8.0
-.
+.TH "SYNCTL" "1" "July 2021" "" ""
 .TH "SYNCTL" "1" "February 2017" "" ""
 .
 .SH "NAME"
 \fBsynctl\fR \- Synapse server control interface
 .
 .SH "SYNOPSIS"
 Start, stop or restart synapse server\.
 .
 .P
 \fBsynctl\fR {start|stop|restart} [configfile] [\-w|\-\-worker=\fIWORKERCONFIG\fR] [\-a|\-\-all\-processes=\fIWORKERCONFIGDIR\fR]
 .
 .SH "DESCRIPTION"
 \fBsynctl\fR can be used to start, stop or restart Synapse server\. The control operation can be done on all processes or a single worker process\.
 .
 .SH "OPTIONS"
 .
 .TP
 \fBaction\fR
 The value of action should be one of \fBstart\fR, \fBstop\fR or \fBrestart\fR\.
 .
 .TP
 \fBconfigfile\fR
 Optional path of the configuration file to use\. Default value is \fBhomeserver\.yaml\fR\. The configuration file must exist for the operation to succeed\.
 .
 .TP
 \fB\-w\fR, \fB\-\-worker\fR:
-.
+
 .IP
 Perform start, stop or restart operations on a single worker\. Incompatible with \fB\-a\fR|\fB\-\-all\-processes\fR\. Value passed must be a valid worker\'s configuration file\.
 .
 .TP
 \fB\-a\fR, \fB\-\-all\-processes\fR:
-.
+
 .IP
 Perform start, stop or restart operations on all the workers in the given directory and the main synapse process\. Incompatible with \fB\-w\fR|\fB\-\-worker\fR\. Value passed must be a directory containing valid work configuration files\. All files ending with \fB\.yaml\fR extension shall be considered as configuration files and all other files in the directory are ignored\.
 .
 .SH "CONFIGURATION FILE"
 Configuration file may be generated as follows:
 .
 .IP "" 4
 .
 .nf
 $ python \-m synapse\.app\.homeserver \-c config\.yaml \-\-generate\-config \-\-server\-name=<server name>
 .
 .fi
 .
 .IP "" 0
 .
 .SH "ENVIRONMENT"
 .
 .TP
 \fBSYNAPSE_CACHE_FACTOR\fR
-Synapse\'s architecture is quite RAM hungry currently \- a lot of recent room data and metadata is deliberately cached in RAM in order to speed up common requests\. This will be improved in future, but for now the easiest way to either reduce the RAM usage (at the risk of slowing things down) is to set the SYNAPSE_CACHE_FACTOR environment variable\. Roughly speaking, a SYNAPSE_CACHE_FACTOR of 1\.0 will max out at around 3\-4GB of resident memory \- this is what we currently run the matrix\.org on\. The default setting is currently 0\.1, which is probably around a ~700MB footprint\. You can dial it down further to 0\.02 if desired, which targets roughly ~512MB\. Conversely you can dial it up if you need performance for lots of users and have a box with a lot of RAM\.
+Synapse\'s architecture is quite RAM hungry currently \- we deliberately cache a lot of recent room data and metadata in RAM in order to speed up common requests\. We\'ll improve this in the future, but for now the easiest way to either reduce the RAM usage (at the risk of slowing things down) is to set the almost\-undocumented \fBSYNAPSE_CACHE_FACTOR\fR environment variable\. The default is 0\.5, which can be decreased to reduce RAM usage in memory constrained enviroments, or increased if performance starts to degrade\.
-.
+.IP
 However, degraded performance due to a low cache factor, common on machines with slow disks, often leads to explosions in memory use due backlogged requests\. In this case, reducing the cache factor will make things worse\. Instead, try increasing it drastically\. 2\.0 is a good starting value\.
 .SH "COPYRIGHT"
-This man page was written by Sunil Mohan Adapa <\fIsunil@medhas\.org\fR> for Debian GNU/Linux distribution\.
+This man page was written by Sunil Mohan Adapa <\fI\%mailto:sunil@medhas\.org\fR> for Debian GNU/Linux distribution\.
 .
 .SH "SEE ALSO"
-synapse_port_db(1), hash_password(1), register_new_matrix_user(1)
+synapse_port_db(1), hash_password(1), register_new_matrix_user(1), synapse_review_recent_signups(1)
--- a/debian/synctl.ronn
+++ b/debian/synctl.ronn
@@ -68,4 +68,4 @@ Debian GNU/Linux distribution.
 ## SEE ALSO
-synapse_port_db(1), hash_password(1), register_new_matrix_user(1)
+synapse_port_db(1), hash_password(1), register_new_matrix_user(1), synapse_review_recent_signups(1)
--- a/docker/Dockerfile-dhvirtualenv
+++ b/docker/Dockerfile-dhvirtualenv
@@ -15,6 +15,15 @@ ARG distro=""
 ###
 ### Stage 0: build a dh-virtualenv
 ###
 # This is only really needed on bionic and focal, since other distributions we
 # care about have a recent version of dh-virtualenv by default. Unfortunately,
 # it looks like focal is going to be with us for a while.
 #
 # (focal doesn't have a dh-virtualenv package at all. There is a PPA at
 # https://launchpad.net/~jyrki-pulliainen/+archive/ubuntu/dh-virtualenv, but
 # it's not obviously easier to use that than to build our own.)
 FROM ${distro} as builder
 RUN apt-get update -qq -o Acquire::Languages=none
@@ -27,7 +36,7 @@ RUN env DEBIAN_FRONTEND=noninteractive apt-get install \
        wget
 # fetch and unpack the package
-# TODO: Upgrade to 1.2.2 once xenial is dropped
+# TODO: Upgrade to 1.2.2 once bionic is dropped (1.2.2 requires debhelper 12; bionic has only 11)
 RUN mkdir /dh-virtualenv
 RUN wget -q -O /dh-virtualenv.tar.gz https://github.com/spotify/dh-virtualenv/archive/ac6e1b1.tar.gz
 RUN tar -xv --strip-components=1 -C /dh-virtualenv -f /dh-virtualenv.tar.gz
@@ -59,8 +68,6 @@ ENV LANG C.UTF-8
 #
 # NB: keep this list in sync with the list of build-deps in debian/control
 # TODO: it would be nice to do that automatically.
 # TODO: Remove the dh-systemd stanza after dropping support for Ubuntu xenial
 #       it's a transitional package on all other, more recent releases
 RUN apt-get update -qq -o Acquire::Languages=none \
    && env DEBIAN_FRONTEND=noninteractive apt-get install \
        -yqq --no-install-recommends -o Dpkg::Options::=--force-unsafe-io \
@@ -76,10 +83,7 @@ RUN apt-get update -qq -o Acquire::Languages=none \
        python3-venv \
        sqlite3 \
        libpq-dev \
-        xmlsec1 \
+        xmlsec1
    && ( env DEBIAN_FRONTEND=noninteractive apt-get install \
         -yqq --no-install-recommends -o Dpkg::Options::=--force-unsafe-io \
         dh-systemd || true )
 COPY --from=builder /dh-virtualenv_1.2~dev-1_all.deb /
--- a/docker/README.md
+++ b/docker/README.md
@@ -45,7 +45,7 @@ docker run -it --rm \
 ```
 For information on picking a suitable server name, see
-https://github.com/matrix-org/synapse/blob/master/INSTALL.md.
+https://matrix-org.github.io/synapse/latest/setup/installation.html.
 The above command will generate a `homeserver.yaml` in (typically)
 `/var/lib/docker/volumes/synapse-data/_data`. You should check this file, and
@@ -139,7 +139,7 @@ For documentation on using a reverse proxy, see
 https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md.
 For more information on enabling TLS support in synapse itself, see
-https://github.com/matrix-org/synapse/blob/master/INSTALL.md#tls-certificates. Of
+https://matrix-org.github.io/synapse/latest/setup/installation.html#tls-certificates. Of
 course, you will need to expose the TLS port from the container with a `-p`
 argument to `docker run`.
@@ -226,4 +226,4 @@ healthcheck:
 ## Using jemalloc
 Jemalloc is embedded in the image and will be used instead of the default allocator.
-You can read about jemalloc by reading the Synapse [README](../README.md).
+You can read about jemalloc by reading the Synapse [README](../README.rst).
--- a/docker/build_debian.sh
+++ b/docker/build_debian.sh
@@ -11,6 +11,19 @@ DIST=`cut -d ':' -f2 <<< $distro`
 cp -aT /synapse/source /synapse/build
 cd /synapse/build
 # if this is a prerelease, set the Section accordingly.
 #
 # When the package is later added to the package repo, reprepro will use the
 # Section to determine which "component" it should go into (see
 # https://manpages.debian.org/stretch/reprepro/reprepro.1.en.html#GUESSING)
 DEB_VERSION=`dpkg-parsechangelog -SVersion`
 case $DEB_VERSION in
    *~rc*|*~a*|*~b*|*~c*)
        sed -ie '/^Section:/c\Section: prerelease' debian/control
        ;;
 esac
 # add an entry to the changelog for this distribution
 dch -M -l "+$DIST" "build for $DIST"
 dch -M -r "" --force-distribution --distribution "$DIST"
--- a/docker/conf/homeserver.yaml
+++ b/docker/conf/homeserver.yaml
@@ -7,12 +7,6 @@
 tls_certificate_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.crt"
 tls_private_key_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.key"
 {% if SYNAPSE_ACME %}
 acme:
    enabled: true
    port: 8009
 {% endif %}
 {% endif %}
 ## Server ##
--- a/docker/conf/log.config
+++ b/docker/conf/log.config
@@ -9,26 +9,41 @@ formatters:
 {% endif %}
 handlers:
 {% if LOG_FILE_PATH %}
  file:
    class: logging.handlers.TimedRotatingFileHandler
    formatter: precise
-    filename: {{ LOG_FILE_PATH or "homeserver.log" }}
+    filename: {{ LOG_FILE_PATH }}
    when: "midnight"
    backupCount: 6  # Does not include the current log file.
    encoding: utf8
-  # Default to buffering writes to log file for efficiency. This means that
+  # Default to buffering writes to log file for efficiency.
-  # there will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
+  # WARNING/ERROR logs will still be flushed immediately, but there will be a
-  # logs will still be flushed immediately.
+  # delay (of up to `period` seconds, or until the buffer is full with
  # `capacity` messages) before INFO/DEBUG logs get written.
  buffer:
-    class: logging.handlers.MemoryHandler
+    class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
    target: file
-    # The capacity is the number of log lines that are buffered before
+
-    # being written to disk. Increasing this will lead to better
+    # The capacity is the maximum number of log lines that are buffered
    # before being written to disk. Increasing this will lead to better
    # performance, at the expensive of it taking longer for log lines to
    # be written to disk.
    # This parameter is required.
    capacity: 10
-    flushLevel: 30  # Flush for WARNING logs as well
+
    # Logs with a level at or above the flush level will cause the buffer to
    # be flushed immediately.
    # Default value: 40 (ERROR)
    # Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
    flushLevel: 30  # Flush immediately for WARNING logs and higher
    # The period of time, in seconds, between forced flushes.
    # Messages will not be delayed for longer than this time.
    # Default value: 5 seconds
    period: 5
 {% endif %}
  console:
    class: logging.StreamHandler
--- a/docker/configure_workers_and_start.py
+++ b/docker/configure_workers_and_start.py
@@ -162,7 +162,7 @@ WORKERS_CONFIG = {
        "shared_extra_conf": {},
        "worker_extra_conf": (
            "worker_main_http_uri: http://127.0.0.1:%d"
-            % (MAIN_PROCESS_HTTP_LISTENER_PORT,),
+            % (MAIN_PROCESS_HTTP_LISTENER_PORT,)
        ),
    },
 }
@@ -184,18 +184,18 @@ stderr_logfile_maxbytes=0
 """
 NGINX_LOCATION_CONFIG_BLOCK = """
-    location ~* {endpoint} {
+    location ~* {endpoint} {{
        proxy_pass {upstream};
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
-    }
+    }}
 """
 NGINX_UPSTREAM_CONFIG_BLOCK = """
-upstream {upstream_worker_type} {
+upstream {upstream_worker_type} {{
 {body}
-}
+}}
 """
--- a/docs/.sample_config_header.yaml
+++ b/docs/.sample_config_header.yaml
@@ -8,7 +8,8 @@
 #
 # It is *not* intended to be copied and used as the basis for a real
 # homeserver.yaml. Instead, if you are starting from scratch, please generate
-# a fresh config using Synapse by following the instructions in INSTALL.md.
+# a fresh config using Synapse by following the instructions in
 # https://matrix-org.github.io/synapse/latest/setup/installation.html.
 # Configuration options that take a time period can be set using a number
 # followed by a letter. Letters have the following meanings:
--- a/docs/ACME.md
+++ b/docs/ACME.md
@@ -1,161 +0,0 @@
 # ACME
 From version 1.0 (June 2019) onwards, Synapse requires valid TLS
 certificates for communication between servers (by default on port
 `8448`) in addition to those that are client-facing (port `443`). To
 help homeserver admins fulfil this new requirement, Synapse v0.99.0
 introduced support for automatically provisioning certificates through 
 [Let's Encrypt](https://letsencrypt.org/) using the ACME protocol.
 ## Deprecation of ACME v1
 In [March 2019](https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430),
 Let's Encrypt announced that they were deprecating version 1 of the ACME
 protocol, with the plan to disable the use of it for new accounts in
 November 2019, for new domains in June 2020, and for existing accounts and
 domains in June 2021.
 Synapse doesn't currently support version 2 of the ACME protocol, which
 means that:
 * for existing installs, Synapse's built-in ACME support will continue
  to work until June 2021.
 * for new installs, this feature will not work at all.
 Either way, it is recommended to move from Synapse's ACME support
 feature to an external automated tool such as [certbot](https://github.com/certbot/certbot)
 (or browse [this list](https://letsencrypt.org/fr/docs/client-options/)
 for an alternative ACME client).
 It's also recommended to use a reverse proxy for the server-facing
 communications (more documentation about this can be found
 [here](/docs/reverse_proxy.md)) as well as the client-facing ones and
 have it serve the certificates.
 In case you can't do that and need Synapse to serve them itself, make
 sure to set the `tls_certificate_path` configuration setting to the path
 of the certificate (make sure to use the certificate containing the full
 certification chain, e.g. `fullchain.pem` if using certbot) and
 `tls_private_key_path` to the path of the matching private key. Note
 that in this case you will need to restart Synapse after each
 certificate renewal so that Synapse stops using the old certificate.
 If you still want to use Synapse's built-in ACME support, the rest of
 this document explains how to set it up. 
 ## Initial setup 
 In the case that your `server_name` config variable is the same as
 the hostname that the client connects to, then the same certificate can be
 used between client and federation ports without issue.
 If your configuration file does not already have an `acme` section, you can
 generate an example config by running the `generate_config` executable. For
 example:
 ```
 ~/synapse/env3/bin/generate_config
 ```
 You will need to provide Let's Encrypt (or another ACME provider) access to
 your Synapse ACME challenge responder on port 80, at the domain of your
 homeserver. This requires you to either change the port of the ACME listener
 provided by Synapse to a high port and reverse proxy to it, or use a tool
 like `authbind` to allow Synapse to listen on port 80 without root access.
 (Do not run Synapse with root permissions!) Detailed instructions are
 available under "ACME setup" below.
 If you already have certificates, you will need to back up or delete them
 (files `example.com.tls.crt` and `example.com.tls.key` in Synapse's root
 directory), Synapse's ACME implementation will not overwrite them.
 ## ACME setup
 The main steps for enabling ACME support in short summary are:
 1. Allow Synapse to listen for incoming ACME challenges.
 1. Enable ACME support in `homeserver.yaml`.
 1. Move your old certificates (files `example.com.tls.crt` and `example.com.tls.key` out of the way if they currently exist at the paths specified in `homeserver.yaml`.
 1. Restart Synapse.
 Detailed instructions for each step are provided below.
 ### Listening on port 80
 In order for Synapse to complete the ACME challenge to provision a
 certificate, it needs access to port 80. Typically listening on port 80 is
 only granted to applications running as root. There are thus two solutions to
 this problem.
 #### Using a reverse proxy
 A reverse proxy such as Apache or nginx allows a single process (the web
 server) to listen on port 80 and proxy traffic to the appropriate program
 running on your server. It is the recommended method for setting up ACME as
 it allows you to use your existing webserver while also allowing Synapse to
 provision certificates as needed.
 For nginx users, add the following line to your existing `server` block:
 ```
 location /.well-known/acme-challenge {
    proxy_pass http://localhost:8009;
 }
 ```
 For Apache, add the following to your existing webserver config:
 ```
 ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
 ```
 Make sure to restart/reload your webserver after making changes.
 Now make the relevant changes in `homeserver.yaml` to enable ACME support:
 ```
 acme:
    enabled: true
    port: 8009
 ```
 #### Authbind
 `authbind` allows a program which does not run as root to bind to
 low-numbered ports in a controlled way. The setup is simpler, but requires a
 webserver not to already be running on port 80. **This includes every time
 Synapse renews a certificate**, which may be cumbersome if you usually run a
 web server on port 80. Nevertheless, if you're sure port 80 is not being used
 for any other purpose then all that is necessary is the following:
 Install `authbind`. For example, on Debian/Ubuntu:
 ```
 sudo apt-get install authbind
 ```
 Allow `authbind` to bind port 80:
 ```
 sudo touch /etc/authbind/byport/80
 sudo chmod 777 /etc/authbind/byport/80
 ```
 When Synapse is started, use the following syntax:
 ```
 authbind --deep <synapse start command>
 ```
 Make the relevant changes in `homeserver.yaml` to enable ACME support:
 ```
 acme:
    enabled: true
 ```
 ### (Re)starting synapse
 Ensure that the certificate paths specified in `homeserver.yaml` (`tls_certificate_path` and `tls_private_key_path`) do not currently point to any files. Synapse will not provision certificates if files exist, as it does not want to overwrite existing certificates.
 Finally, start/restart Synapse.
--- a/docs/CAPTCHA_SETUP.md
+++ b/docs/CAPTCHA_SETUP.md
@@ -1,31 +1,37 @@
 # Overview
-Captcha can be enabled for this home server. This file explains how to do that.
+A captcha can be enabled on your homeserver to help prevent bots from registering
-The captcha mechanism used is Google's ReCaptcha. This requires API keys from Google.
+accounts. Synapse currently uses Google's reCAPTCHA service which requires API keys
 from Google.
-## Getting keys
+## Getting API keys
 Requires a site/secret key pair from:
 <https://developers.google.com/recaptcha/>
 Must be a reCAPTCHA v2 key using the "I'm not a robot" Checkbox option
 ## Setting ReCaptcha Keys
 The keys are a config option on the home server config. If they are not
 visible, you can generate them via `--generate-config`. Set the following value:
 1. Create a new site at <https://www.google.com/recaptcha/admin/create>
 1. Set the label to anything you want
 1. Set the type to reCAPTCHA v2 using the "I'm not a robot" Checkbox option.
 This is the only type of captcha that works with Synapse.
 1. Add the public hostname for your server, as set in `public_baseurl`
 in `homeserver.yaml`, to the list of authorized domains. If you have not set
 `public_baseurl`, use `server_name`.
 1. Agree to the terms of service and submit.
 1. Copy your site key and secret key and add them to your `homeserver.yaml`
 configuration file
    ```
    recaptcha_public_key: YOUR_SITE_KEY
    recaptcha_private_key: YOUR_SECRET_KEY
-
+    ```
-In addition, you MUST enable captchas via:
+1. Enable the CAPTCHA for new registrations
-
+    ```
    enable_registration_captcha: true
    ```
 1. Go to the settings page for the CAPTCHA you just created
 1. Uncheck the "Verify the origin of reCAPTCHA solutions" checkbox so that the
 captcha can be displayed in any client. If you do not disable this option then you
 must specify the domains of every client that is allowed to display the CAPTCHA.
 ## Configuring IP used for auth
-The ReCaptcha API requires that the IP address of the user who solved the
+The reCAPTCHA API requires that the IP address of the user who solved the
-captcha is sent. If the client is connecting through a proxy or load balancer,
+CAPTCHA is sent. If the client is connecting through a proxy or load balancer,
 it may be required to use the `X-Forwarded-For` (XFF) header instead of the origin
 IP address. This can be configured using the `x_forwarded` directive in the
-listeners section of the homeserver.yaml configuration file.
+listeners section of the `homeserver.yaml` configuration file.
--- a/docs/MSC1711_certificates_FAQ.md
+++ b/docs/MSC1711_certificates_FAQ.md
@@ -14,7 +14,7 @@ upgraded, however it may be of use to those with old installs returning to the
 project.
 If you are setting up a server from scratch you almost certainly should look at
-the [installation guide](../INSTALL.md) instead.
+the [installation guide](setup/installation.md) instead.
 ## Introduction
 The goal of Synapse 0.99.0 is to act as a stepping stone to Synapse 1.0.0. It
@@ -101,15 +101,6 @@ In this case, your `server_name` points to the host where your Synapse is
 running. There is no need to create a `.well-known` URI or an SRV record, but
 you will need to give Synapse a valid, signed, certificate.
 The easiest way to do that is with Synapse's built-in ACME (Let's Encrypt)
 support. Full details are in [ACME.md](./ACME.md) but, in a nutshell:
 1. Allow Synapse to listen on port 80 with `authbind`, or forward it from a
    reverse proxy.
 2. Enable acme support in `homeserver.yaml`.
 3. Move your old certificates out of the way.
 4. Restart Synapse.
 ### If you do have an SRV record currently
 If you are using an SRV record, your matrix domain (`server_name`) may not
@@ -130,15 +121,9 @@ In this situation, you have three choices for how to proceed:
 #### Option 1: give Synapse a certificate for your matrix domain
 Synapse 1.0 will expect your server to present a TLS certificate for your
-`server_name` (`example.com` in the above example). You can achieve this by
+`server_name` (`example.com` in the above example). You can achieve this by acquiring a
-doing one of the following:
+certificate for the `server_name` yourself (for example, using `certbot`), and giving it
-
+and the key to Synapse via `tls_certificate_path` and `tls_private_key_path`.
 * Acquire a certificate for the `server_name` yourself (for example, using
   `certbot`), and give it and the key to Synapse via `tls_certificate_path`
   and `tls_private_key_path`, or:
 * Use Synapse's [ACME support](./ACME.md), and forward port 80 on the
   `server_name` domain to your Synapse instance.
 #### Option 2: run Synapse behind a reverse proxy
@@ -147,7 +132,7 @@ your domain, you can simply route all traffic through the reverse proxy by
 updating the SRV record appropriately (or removing it, if the proxy listens on
 8448).
-See [reverse_proxy.md](reverse_proxy.md) for information on setting up a
+See [the reverse proxy documentation](reverse_proxy.md) for information on setting up a
 reverse proxy.
 #### Option 3: add a .well-known file to delegate your matrix traffic
@@ -161,10 +146,9 @@ You can do this with a `.well-known` file as follows:
    with Synapse 0.34 and earlier.
  2. Give Synapse a certificate corresponding to the target domain
-    (`customer.example.net` in the above example). You can either use Synapse's
+    (`customer.example.net` in the above example). You can do this by acquire a 
-    built-in [ACME support](./ACME.md) for this (via the `domain` parameter in
+    certificate for the target domain and giving it to Synapse via `tls_certificate_path`
-    the `acme` section), or acquire a certificate yourself and give it to
+    and `tls_private_key_path`.
    Synapse via `tls_certificate_path` and `tls_private_key_path`.
 3. Restart Synapse to ensure the new certificate is loaded.
@@ -319,7 +303,7 @@ We no longer actively recommend against using a reverse proxy. Many admins will
 find it easier to direct federation traffic to a reverse proxy and manage their
 own TLS certificates, and this is a supported configuration.
-See [reverse_proxy.md](reverse_proxy.md) for information on setting up a
+See [the reverse proxy documentation](reverse_proxy.md) for information on setting up a
 reverse proxy.
 ### Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy?
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,7 +1,72 @@
 # Synapse Documentation
-This directory contains documentation specific to the `synapse` homeserver.
+**The documentation is currently hosted [here](https://matrix-org.github.io/synapse).**
 Please update any links to point to the new website instead.
-All matrix-generic documentation now lives in its own project, located at [matrix-org/matrix-doc](https://github.com/matrix-org/matrix-doc)
+## About
-(Note:  some items here may be moved to [matrix-org/matrix-doc](https://github.com/matrix-org/matrix-doc) at some point in the future.)
+This directory currently holds a series of markdown files documenting how to install, use
 and develop Synapse, the reference Matrix homeserver. The documentation is readable directly
 from this repository, but it is recommended to instead browse through the
 [website](https://matrix-org.github.io/synapse) for easier discoverability.
 ## Adding to the documentation
 Most of the documentation currently exists as top-level files, as when organising them into
 a structured website, these files were kept in place so that existing links would not break.
 The rest of the documentation is stored in folders, such as `setup`, `usage`, and `development`
 etc. **All new documentation files should be placed in structured folders.** For example:
 To create a new user-facing documentation page about a new Single Sign-On protocol named
 "MyCoolProtocol", one should create a new file with a relevant name, such as "my_cool_protocol.md".
 This file might fit into the documentation structure at:
 - Usage
  - Configuration
    - User Authentication
      - Single Sign-On
        - **My Cool Protocol**
 Given that, one would place the new file under
 `usage/configuration/user_authentication/single_sign_on/my_cool_protocol.md`.
 Note that the structure of the documentation (and thus the left sidebar on the website) is determined
 by the list in [SUMMARY.md](SUMMARY.md). The final thing to do when adding a new page is to add a new
 line linking to the new documentation file:
 ```markdown
 - [My Cool Protocol](usage/configuration/user_authentication/single_sign_on/my_cool_protocol.md)
 ```
 ## Building the documentation
 The documentation is built with [mdbook](https://rust-lang.github.io/mdBook/), and the outline of the
 documentation is determined by the structure of [SUMMARY.md](SUMMARY.md).
 First, [get mdbook](https://github.com/rust-lang/mdBook#installation). Then, **from the root of the repository**,
 build the documentation with:
 ```sh
 mdbook build
 ```
 The rendered contents will be outputted to a new `book/` directory at the root of the repository. You can
 browse the book by opening `book/index.html` in a web browser.
 You can also have mdbook host the docs on a local webserver with hot-reload functionality via:
 ```sh
 mdbook serve
 ```
 The URL at which the docs can be viewed at will be logged.
 ## Configuration and theming
 The look and behaviour of the website is configured by the [book.toml](../book.toml) file
 at the root of the repository. See
 [mdbook's documentation on configuration](https://rust-lang.github.io/mdBook/format/config.html)
 for available options.
 The site can be themed and additionally extended with extra UI and features. See
 [website_files/README.md](website_files/README.md) for details.
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -0,0 +1,93 @@
 # Summary
 # Introduction
 - [Welcome and Overview](welcome_and_overview.md)
 # Setup
  - [Installation](setup/installation.md)
  - [Using Postgres](postgres.md)
  - [Configuring a Reverse Proxy](reverse_proxy.md)
  - [Configuring a Forward/Outbound Proxy](setup/forward_proxy.md)
  - [Configuring a Turn Server](turn-howto.md)
  - [Delegation](delegate.md)
 # Upgrading
  - [Upgrading between Synapse Versions](upgrade.md)
  - [Upgrading from pre-Synapse 1.0](MSC1711_certificates_FAQ.md)
 # Usage
  - [Federation](federate.md)
  - [Configuration](usage/configuration/README.md)
    - [Homeserver Sample Config File](usage/configuration/homeserver_sample_config.md)
    - [Logging Sample Config File](usage/configuration/logging_sample_config.md)
    - [Structured Logging](structured_logging.md)
    - [Templates](templates.md)
    - [User Authentication](usage/configuration/user_authentication/README.md)
      - [Single-Sign On]()
        - [OpenID Connect](openid.md)
        - [SAML]()
        - [CAS]()
        - [SSO Mapping Providers](sso_mapping_providers.md)
      - [Password Auth Providers](password_auth_providers.md)
      - [JSON Web Tokens](jwt.md)
    - [Registration Captcha](CAPTCHA_SETUP.md)
    - [Application Services](application_services.md)
    - [Server Notices](server_notices.md)
    - [Consent Tracking](consent_tracking.md)
    - [URL Previews](development/url_previews.md)
    - [User Directory](user_directory.md)
    - [Message Retention Policies](message_retention_policies.md)
    - [Pluggable Modules](modules/index.md)
      - [Writing a module](modules/writing_a_module.md)
        - [Spam checker callbacks](modules/spam_checker_callbacks.md)
        - [Third-party rules callbacks](modules/third_party_rules_callbacks.md)
        - [Presence router callbacks](modules/presence_router_callbacks.md)
        - [Account validity callbacks](modules/account_validity_callbacks.md)
        - [Porting a legacy module to the new interface](modules/porting_legacy_module.md)
    - [Workers](workers.md)
      - [Using `synctl` with Workers](synctl_workers.md)
      - [Systemd](systemd-with-workers/README.md)
  - [Administration](usage/administration/README.md)
    - [Admin API](usage/administration/admin_api/README.md)
      - [Account Validity](admin_api/account_validity.md)
      - [Delete Group](admin_api/delete_group.md)
      - [Event Reports](admin_api/event_reports.md)
      - [Media](admin_api/media_admin_api.md)
      - [Purge History](admin_api/purge_history_api.md)
      - [Register Users](admin_api/register_api.md)
      - [Registration Tokens](usage/administration/admin_api/registration_tokens.md)
      - [Manipulate Room Membership](admin_api/room_membership.md)
      - [Rooms](admin_api/rooms.md)
      - [Server Notices](admin_api/server_notices.md)
      - [Statistics](admin_api/statistics.md)
      - [Users](admin_api/user_admin_api.md)
      - [Server Version](admin_api/version_api.md)
    - [Manhole](manhole.md)
    - [Monitoring](metrics-howto.md)
    - [Request log format](usage/administration/request_log.md)
    - [Scripts]()
 # Development
  - [Contributing Guide](development/contributing_guide.md)
  - [Code Style](code_style.md)
  - [Git Usage](development/git.md)
  - [Testing]()
  - [OpenTracing](opentracing.md)
  - [Database Schemas](development/database_schema.md)
  - [Synapse Architecture]()
    - [Log Contexts](log_contexts.md)
    - [Replication](replication.md)
    - [TCP Replication](tcp_replication.md)
  - [Internal Documentation](development/internal_documentation/README.md)
    - [Single Sign-On]()
      - [SAML](development/saml.md)
      - [CAS](development/cas.md)
    - [Room DAG concepts](development/room-dag-concepts.md)
    - [State Resolution]()
      - [The Auth Chain Difference Algorithm](auth_chain_difference_algorithm.md)
    - [Media Repository](media_repository.md)
    - [Room and User Statistics](room_and_user_statistics.md)
  - [Scripts]()
 # Other
  - [Dependency Deprecation Policy](deprecation_policy.md)
--- a/docs/admin_api/README.rst
+++ b/docs/admin_api/README.rst
@@ -1,28 +1,14 @@
 Admin APIs
 ==========
 **Note**: The latest documentation can be viewed `here <https://matrix-org.github.io/synapse>`_.
 See `docs/README.md <../README.md>`_ for more information.
 **Please update links to point to the website instead.** Existing files in this directory
 are preserved to maintain historical links, but may be moved in the future.
 This directory includes documentation for the various synapse specific admin
-APIs available.
+APIs available. Updates to the existing Admin API documentation should still
 be made to these files, but any new documentation files should instead be placed under
 `docs/usage/administration/admin_api <../usage/administration/admin_api>`_.
 Authenticating as a server admin
 --------------------------------
 Many of the API calls in the admin api will require an `access_token` for a
 server admin. (Note that a server admin is distinct from a room admin.)
 A user can be marked as a server admin by updating the database directly, e.g.:
 .. code-block:: sql
    UPDATE users SET admin = 1 WHERE name = '@foo:bar.com';
 A new server admin user can also be created using the
 ``register_new_matrix_user`` script.
 Finding your user's `access_token` is client-dependent, but will usually be shown in the client's settings.
 Once you have your `access_token`, to include it in a request, the best option is to add the token to a request header:
 ``curl --header "Authorization: Bearer <access_token>" <the_rest_of_your_API_request>``
 Fore more details, please refer to the complete `matrix spec documentation <https://matrix.org/docs/spec/client_server/r0.5.0#using-access-tokens>`_.
--- a/docs/admin_api/account_validity.md
+++ b/docs/admin_api/account_validity.md
@@ -0,0 +1,42 @@
 # Account validity API
 This API allows a server administrator to manage the validity of an account. To
 use it, you must enable the account validity feature (under
 `account_validity`) in Synapse's configuration.
 ## Renew account
 This API extends the validity of an account by as much time as configured in the
 `period` parameter from the `account_validity` configuration.
 The API is:
 ```
 POST /_synapse/admin/v1/account_validity/validity
 ```
 with the following body:
 ```json
 {
    "user_id": "<user ID for the account to renew>",
    "expiration_ts": 0,
    "enable_renewal_emails": true
 }
 ```
 `expiration_ts` is an optional parameter and overrides the expiration date,
 which otherwise defaults to now + validity period.
 `enable_renewal_emails` is also an optional parameter and enables/disables
 sending renewal emails to the user. Defaults to true.
 The API returns with the new expiration date for this account, as a timestamp in
 milliseconds since epoch:
 ```json
 {
    "expiration_ts": 0
 }
 ```
--- a/docs/admin_api/account_validity.rst
+++ b/docs/admin_api/account_validity.rst
@@ -1,42 +0,0 @@
 Account validity API
 ====================
 This API allows a server administrator to manage the validity of an account. To
 use it, you must enable the account validity feature (under
 ``account_validity``) in Synapse's configuration.
 Renew account
 -------------
 This API extends the validity of an account by as much time as configured in the
 ``period`` parameter from the ``account_validity`` configuration.
 The API is::
    POST /_synapse/admin/v1/account_validity/validity
 with the following body:
 .. code:: json
    {
        "user_id": "<user ID for the account to renew>",
        "expiration_ts": 0,
        "enable_renewal_emails": true
    }
 ``expiration_ts`` is an optional parameter and overrides the expiration date,
 which otherwise defaults to now + validity period.
 ``enable_renewal_emails`` is also an optional parameter and enables/disables
 sending renewal emails to the user. Defaults to true.
 The API returns with the new expiration date for this account, as a timestamp in
 milliseconds since epoch:
 .. code:: json
    {
        "expiration_ts": 0
    }
--- a/docs/admin_api/delete_group.md
+++ b/docs/admin_api/delete_group.md
@@ -11,4 +11,4 @@ POST /_synapse/admin/v1/delete_group/<group_id>
 ```
 To use it, you will need to authenticate by providing an `access_token` for a
-server admin: see [README.rst](README.rst).
+server admin: see [Admin API](../usage/administration/admin_api).
--- a/docs/admin_api/event_reports.md
+++ b/docs/admin_api/event_reports.md
@@ -7,7 +7,7 @@ The api is:
 GET /_synapse/admin/v1/event_reports?from=0&limit=10
 ```
 To use it, you will need to authenticate by providing an `access_token` for a
-server admin: see [README.rst](README.rst).
+server admin: see [Admin API](../usage/administration/admin_api).
 It returns a JSON body like the following:
@@ -75,9 +75,9 @@ The following fields are returned in the JSON response body:
 * `name`: string - The name of the room.
 * `event_id`: string - The ID of the reported event.
 * `user_id`: string - This is the user who reported the event and wrote the reason.
-* `reason`: string - Comment made by the `user_id` in this report. May be blank.
+* `reason`: string - Comment made by the `user_id` in this report. May be blank or `null`.
 * `score`: integer - Content is reported based upon a negative score, where -100 is
-  "most offensive" and 0 is "inoffensive".
+  "most offensive" and 0 is "inoffensive". May be `null`.
 * `sender`: string - This is the ID of the user who sent the original message/event that
  was reported.
 * `canonical_alias`: string - The canonical alias of the room. `null` if the room does not
@@ -95,7 +95,7 @@ The api is:
 GET /_synapse/admin/v1/event_reports/<report_id>
 ```
 To use it, you will need to authenticate by providing an `access_token` for a
-server admin: see [README.rst](README.rst).
+server admin: see [Admin API](../usage/administration/admin_api).
 It returns a JSON body like the following:
--- a/docs/admin_api/media_admin_api.md
+++ b/docs/admin_api/media_admin_api.md
@@ -4,12 +4,15 @@
  * [List all media uploaded by a user](#list-all-media-uploaded-by-a-user)
 - [Quarantine media](#quarantine-media)
  * [Quarantining media by ID](#quarantining-media-by-id)
  * [Remove media from quarantine by ID](#remove-media-from-quarantine-by-id)
  * [Quarantining media in a room](#quarantining-media-in-a-room)
  * [Quarantining all media of a user](#quarantining-all-media-of-a-user)
  * [Protecting media from being quarantined](#protecting-media-from-being-quarantined)
  * [Unprotecting media from being quarantined](#unprotecting-media-from-being-quarantined)
 - [Delete local media](#delete-local-media)
  * [Delete a specific local media](#delete-a-specific-local-media)
  * [Delete local media by date or size](#delete-local-media-by-date-or-size)
  * [Delete media uploaded by a user](#delete-media-uploaded-by-a-user)
 - [Purge Remote Media API](#purge-remote-media-api)
 # Querying media
@@ -26,7 +29,7 @@ The API is:
 GET /_synapse/admin/v1/room/<room_id>/media
 ```
 To use it, you will need to authenticate by providing an `access_token` for a
-server admin: see [README.rst](README.rst).
+server admin: see [Admin API](../usage/administration/admin_api).
 The API returns a JSON body like the following:
 ```json
@@ -45,7 +48,8 @@ The API returns a JSON body like the following:
 ## List all media uploaded by a user
 Listing all media that has been uploaded by a local user can be achieved through
-the use of the [List media of a user](user_admin_api.rst#list-media-of-a-user)
+the use of the
 [List media uploaded by a user](user_admin_api.md#list-media-uploaded-by-a-user)
 Admin API.
 # Quarantine media
@@ -76,6 +80,27 @@ Response:
 {}
 ```
 ## Remove media from quarantine by ID
 This API removes a single piece of local or remote media from quarantine.
 Request:
 ```
 POST /_synapse/admin/v1/media/unquarantine/<server_name>/<media_id>
 {}
 ```
 Where `server_name` is in the form of `example.org`, and `media_id` is in the
 form of `abcdefg12345...`.
 Response:
 ```json
 {}
 ```
 ## Quarantining media in a room
 This API quarantines all local and remote media in a room.
@@ -159,6 +184,26 @@ Response:
 {}
 ```
 ## Unprotecting media from being quarantined
 This API reverts the protection of a media.
 Request:
 ```
 POST /_synapse/admin/v1/media/unprotect/<media_id>
 {}
 ```
 Where `media_id` is in the  form of `abcdefg12345...`.
 Response:
 ```json
 {}
 ```
 # Delete local media
 This API deletes the *local* media from the disk of your own server.
 This includes any local thumbnails and copies of media downloaded from
@@ -238,6 +283,11 @@ The following fields are returned in the JSON response body:
 * `deleted_media`: an array of strings - List of deleted `media_id`
 * `total`: integer - Total number of deleted `media_id`
 ## Delete media uploaded by a user
 You can find details of how to delete multiple media uploaded by a user in
 [User Admin API](user_admin_api.md#delete-media-uploaded-by-a-user).
 # Purge Remote Media API
 The purge remote media API allows server admins to purge old cached remote media.
@@ -268,7 +318,7 @@ The following fields are returned in the JSON response body:
 * `deleted`: integer - The number of media items successfully deleted
 To use it, you will need to authenticate by providing an `access_token` for a
-server admin: see [README.rst](README.rst).
+server admin: see [Admin API](../usage/administration/admin_api).
 If the user re-requests purged remote media, synapse will re-request the media
 from the originating server.
--- a/docs/admin_api/purge_history_api.rst
+++ b/docs/admin_api/purge_history_api.rst
@@ -1,5 +1,4 @@
-Purge History API
+# Purge History API
 =================
 The purge history API allows server admins to purge historic events from their
 database, reclaiming disk space.
@@ -13,10 +12,12 @@ delete the last message in a room.
 The API is:
-``POST /_synapse/admin/v1/purge_history/<room_id>[/<event_id>]``
+```
 POST /_synapse/admin/v1/purge_history/<room_id>[/<event_id>]
 ```
-To use it, you will need to authenticate by providing an ``access_token`` for a
+To use it, you will need to authenticate by providing an `access_token` for a
-server admin: see `README.rst <README.rst>`_.
+server admin: [Admin API](../usage/administration/admin_api)
 By default, events sent by local users are not deleted, as they may represent
 the only copies of this content in existence. (Events sent by remote users are
@@ -24,54 +25,54 @@ deleted.)
 Room state data (such as joins, leaves, topic) is always preserved.
-To delete local message events as well, set ``delete_local_events`` in the body:
+To delete local message events as well, set `delete_local_events` in the body:
-.. code:: json
+```
-
+{
   {
   "delete_local_events": true
-   }
+}
 ```
 The caller must specify the point in the room to purge up to. This can be
 specified by including an event_id in the URI, or by setting a
-``purge_up_to_event_id`` or ``purge_up_to_ts`` in the request body. If an event
+`purge_up_to_event_id` or `purge_up_to_ts` in the request body. If an event
 id is given, that event (and others at the same graph depth) will be retained.
-If ``purge_up_to_ts`` is given, it should be a timestamp since the unix epoch,
+If `purge_up_to_ts` is given, it should be a timestamp since the unix epoch,
 in milliseconds.
 The API starts the purge running, and returns immediately with a JSON body with
 a purge id:
-.. code:: json
+```json
-
+{
    {
    "purge_id": "<opaque id>"
-    }
+}
 ```
-Purge status query
+## Purge status query
 ------------------
 It is possible to poll for updates on recent purges with a second API;
-``GET /_synapse/admin/v1/purge_history_status/<purge_id>``
+```
 GET /_synapse/admin/v1/purge_history_status/<purge_id>
 ```
-Again, you will need to authenticate by providing an ``access_token`` for a
+Again, you will need to authenticate by providing an `access_token` for a
 server admin.
 This API returns a JSON body like the following:
-.. code:: json
+```json
-
+{
    {
    "status": "active"
-    }
+}
 ```
-The status will be one of ``active``, ``complete``, or ``failed``.
+The status will be one of `active`, `complete`, or `failed`.
-Reclaim disk space (Postgres)
+## Reclaim disk space (Postgres)
 -----------------------------
 To reclaim the disk space and return it to the operating system, you need to run
 `VACUUM FULL;` on the database.
-https://www.postgresql.org/docs/current/sql-vacuum.html
+<https://www.postgresql.org/docs/current/sql-vacuum.html>
--- a/docs/admin_api/purge_room.md
+++ b/docs/admin_api/purge_room.md
@@ -1,21 +0,0 @@
 Deprecated: Purge room API
 ==========================
 **The old Purge room API is deprecated and will be removed in a future release.
 See the new [Delete Room API](rooms.md#delete-room-api) for more details.**
 This API will remove all trace of a room from your database.
 All local users must have left the room before it can be removed.
 The API is:
 ```
 POST /_synapse/admin/v1/purge_room
 {
    "room_id": "!room:id"
 }
 ```
 You must authenticate using the access token of an admin user.
--- a/docs/admin_api/register_api.md
+++ b/docs/admin_api/register_api.md
@@ -0,0 +1,73 @@
 # Shared-Secret Registration
 This API allows for the creation of users in an administrative and
 non-interactive way. This is generally used for bootstrapping a Synapse
 instance with administrator accounts.
 To authenticate yourself to the server, you will need both the shared secret
 (`registration_shared_secret` in the homeserver configuration), and a
 one-time nonce. If the registration shared secret is not configured, this API
 is not enabled.
 To fetch the nonce, you need to request one from the API:
 ```
 > GET /_synapse/admin/v1/register
 < {"nonce": "thisisanonce"}
 ```
 Once you have the nonce, you can make a `POST` to the same URL with a JSON
 body containing the nonce, username, password, whether they are an admin
 (optional, False by default), and a HMAC digest of the content. Also you can
 set the displayname (optional, `username` by default).
 As an example:
 ```
 > POST /_synapse/admin/v1/register
 > {
   "nonce": "thisisanonce",
   "username": "pepper_roni",
   "displayname": "Pepper Roni",
   "password": "pizza",
   "admin": true,
   "mac": "mac_digest_here"
  }
 < {
   "access_token": "token_here",
   "user_id": "@pepper_roni:localhost",
   "home_server": "test",
   "device_id": "device_id_here"
  }
 ```
 The MAC is the hex digest output of the HMAC-SHA1 algorithm, with the key being
 the shared secret and the content being the nonce, user, password, either the
 string "admin" or "notadmin", and optionally the user_type
 each separated by NULs. For an example of generation in Python:
 ```python
 import hmac, hashlib
 def generate_mac(nonce, user, password, admin=False, user_type=None):
    mac = hmac.new(
      key=shared_secret,
      digestmod=hashlib.sha1,
    )
    mac.update(nonce.encode('utf8'))
    mac.update(b"\x00")
    mac.update(user.encode('utf8'))
    mac.update(b"\x00")
    mac.update(password.encode('utf8'))
    mac.update(b"\x00")
    mac.update(b"admin" if admin else b"notadmin")
    if user_type:
        mac.update(b"\x00")
        mac.update(user_type.encode('utf8'))
    return mac.hexdigest()
 ```
--- a/docs/admin_api/register_api.rst
+++ b/docs/admin_api/register_api.rst
@@ -1,68 +0,0 @@
 Shared-Secret Registration
 ==========================
 This API allows for the creation of users in an administrative and
 non-interactive way. This is generally used for bootstrapping a Synapse
 instance with administrator accounts.
 To authenticate yourself to the server, you will need both the shared secret
 (``registration_shared_secret`` in the homeserver configuration), and a
 one-time nonce. If the registration shared secret is not configured, this API
 is not enabled.
 To fetch the nonce, you need to request one from the API::
  > GET /_synapse/admin/v1/register
  < {"nonce": "thisisanonce"}
 Once you have the nonce, you can make a ``POST`` to the same URL with a JSON
 body containing the nonce, username, password, whether they are an admin
 (optional, False by default), and a HMAC digest of the content. Also you can
 set the displayname (optional, ``username`` by default).
 As an example::
  > POST /_synapse/admin/v1/register
  > {
     "nonce": "thisisanonce",
     "username": "pepper_roni",
     "displayname": "Pepper Roni",
     "password": "pizza",
     "admin": true,
     "mac": "mac_digest_here"
    }
  < {
     "access_token": "token_here",
     "user_id": "@pepper_roni:localhost",
     "home_server": "test",
     "device_id": "device_id_here"
    }
 The MAC is the hex digest output of the HMAC-SHA1 algorithm, with the key being
 the shared secret and the content being the nonce, user, password, either the
 string "admin" or "notadmin", and optionally the user_type
 each separated by NULs. For an example of generation in Python::
  import hmac, hashlib
  def generate_mac(nonce, user, password, admin=False, user_type=None):
      mac = hmac.new(
        key=shared_secret,
        digestmod=hashlib.sha1,
      )
      mac.update(nonce.encode('utf8'))
      mac.update(b"\x00")
      mac.update(user.encode('utf8'))
      mac.update(b"\x00")
      mac.update(password.encode('utf8'))
      mac.update(b"\x00")
      mac.update(b"admin" if admin else b"notadmin")
      if user_type:
          mac.update(b"\x00")
          mac.update(user_type.encode('utf8'))
      return mac.hexdigest()
--- a/docs/admin_api/room_membership.md
+++ b/docs/admin_api/room_membership.md
@@ -24,7 +24,7 @@ POST /_synapse/admin/v1/join/<room_id_or_alias>
 ```
 To use it, you will need to authenticate by providing an `access_token` for a
-server admin: see [README.rst](README.rst).
+server admin: see [Admin API](../usage/administration/admin_api).
 Response:
--- a/docs/admin_api/rooms.md
+++ b/docs/admin_api/rooms.md
@@ -1,12 +1,9 @@
 # Contents
 - [List Room API](#list-room-api)
  * [Parameters](#parameters)
  * [Usage](#usage)
 - [Room Details API](#room-details-api)
 - [Room Members API](#room-members-api)
 - [Room State API](#room-state-api)
 - [Delete Room API](#delete-room-api)
  * [Parameters](#parameters-1)
  * [Response](#response)
  * [Undoing room shutdowns](#undoing-room-shutdowns)
 - [Make Room Admin API](#make-room-admin-api)
 - [Forward Extremities Admin API](#forward-extremities-admin-api)
@@ -18,7 +15,7 @@ The List Room admin API allows server admins to get a list of rooms on their
 server. There are various parameters available that allow for filtering and
 sorting the returned list. This API supports pagination.
-## Parameters
+**Parameters**
 The following query parameters are available:
@@ -45,6 +42,8 @@ The following query parameters are available:
 * `search_term` - Filter rooms by their room name. Search term can be contained in any
                  part of the room name. Defaults to no filtering.
 **Response**
 The following fields are possible in the JSON response body:
 * `rooms` - An array of objects, each containing information about a room.
@@ -78,17 +77,15 @@ The following fields are possible in the JSON response body:
                 Use `prev_batch` for the `from` value in the next request to
                 get the "previous page" of results.
-## Usage
+The API is:
 A standard request with no filtering:
 ```
 GET /_synapse/admin/v1/rooms
 {}
 ```
-Response:
+A response body like the following is returned:
 ```jsonc
 {
@@ -136,11 +133,9 @@ Filtering by room name:
 ```
 GET /_synapse/admin/v1/rooms?search_term=TWIM
 {}
 ```
-Response:
+A response body like the following is returned:
 ```json
 {
@@ -171,11 +166,9 @@ Paginating through a list of rooms:
 ```
 GET /_synapse/admin/v1/rooms?order_by=size
 {}
 ```
-Response:
+A response body like the following is returned:
 ```jsonc
 {
@@ -227,11 +220,9 @@ parameter to the value of `next_token`.
 ```
 GET /_synapse/admin/v1/rooms?order_by=size&from=100
 {}
 ```
-Response:
+A response body like the following is returned:
 ```jsonc
 {
@@ -303,17 +294,13 @@ The following fields are possible in the JSON response body:
 * `history_visibility` - Who can see the room history. One of: ["invited", "joined", "shared", "world_readable"].
 * `state_events` - Total number of state_events of a room. Complexity of the room.
-## Usage
+The API is:
 A standard request:
 ```
 GET /_synapse/admin/v1/rooms/<room_id>
 {}
 ```
-Response:
+A response body like the following is returned:
 ```json
 {
@@ -346,17 +333,13 @@ The response includes the following fields:
 * `members` - A list of all the members that are present in the room, represented by their ids.
 * `total` - Total number of members in the room.
-## Usage
+The API is:
 A standard request:
 ```
 GET /_synapse/admin/v1/rooms/<room_id>/members
 {}
 ```
-Response:
+A response body like the following is returned:
 ```json
 {
@@ -377,17 +360,13 @@ The response includes the following fields:
 * `state` - The current state of the room at the time of request.
-## Usage
+The API is:
 A standard request:
 ```
 GET /_synapse/admin/v1/rooms/<room_id>/state
 {}
 ```
-Response:
+A response body like the following is returned:
 ```json
 {
@@ -431,6 +410,7 @@ DELETE /_synapse/admin/v1/rooms/<room_id>
 ```
 with a body of:
 ```json
 {
    "new_room_user_id": "@someuser:example.com",
@@ -442,7 +422,7 @@ with a body of:
 ```
 To use it, you will need to authenticate by providing an ``access_token`` for a
-server admin: see [README.rst](README.rst).
+server admin: see [Admin API](../usage/administration/admin_api).
 A response body like the following is returned:
@@ -460,7 +440,7 @@ A response body like the following is returned:
 }
 ```
-## Parameters
+**Parameters**
 The following parameters should be set in the URL:
@@ -490,7 +470,7 @@ The following JSON body parameters are available:
 The JSON body must not be empty. The body must be at least `{}`.
-## Response
+**Response**
 The following fields are returned in the JSON response body:
@@ -501,32 +481,44 @@ The following fields are returned in the JSON response body:
 * `new_room_id` - A string representing the room ID of the new room.
-## Undoing room shutdowns
+## Undoing room deletions
-*Note*: This guide may be outdated by the time you read it. By nature of room shutdowns being performed at the database level,
+*Note*: This guide may be outdated by the time you read it. By nature of room deletions being performed at the database level,
 the structure can and does change without notice.
-First, it's important to understand that a room shutdown is very destructive. Undoing a shutdown is not as simple as pretending it
+First, it's important to understand that a room deletion is very destructive. Undoing a deletion is not as simple as pretending it
 never happened - work has to be done to move forward instead of resetting the past. In fact, in some cases it might not be possible
 to recover at all:
 * If the room was invite-only, your users will need to be re-invited.
 * If the room no longer has any members at all, it'll be impossible to rejoin.
-* The first user to rejoin will have to do so via an alias on a different server.
+* The first user to rejoin will have to do so via an alias on a different
  server (or receive an invite from a user on a different server).
 With all that being said, if you still want to try and recover the room:
-1. For safety reasons, shut down Synapse.
+1. If the room was `block`ed, you must unblock it on your server. This can be
-2. In the database, run `DELETE FROM blocked_rooms WHERE room_id = '!example:example.org';`
+   accomplished as follows:
   1. For safety reasons, shut down Synapse.
   2. In the database, run `DELETE FROM blocked_rooms WHERE room_id = '!example:example.org';`
      * For caution: it's recommended to run this in a transaction: `BEGIN; DELETE ...;`, verify you got 1 result, then `COMMIT;`.
-   * The room ID is the same one supplied to the shutdown room API, not the Content Violation room.
+      * The room ID is the same one supplied to the delete room API, not the Content Violation room.
-3. Restart Synapse.
+   3. Restart Synapse.
-You will have to manually handle, if you so choose, the following:
+   This step is unnecessary if `block` was not set.
-* Aliases that would have been redirected to the Content Violation room.
+2. Any room aliases on your server that pointed to the deleted room may have
-* Users that would have been booted from the room (and will have been force-joined to the Content Violation room).
+   been deleted, or redirected to the Content Violation room. These will need
-* Removal of the Content Violation room if desired.
+   to be restored manually.
 3. Users on your server that were in the deleted room will have been kicked
   from the room. Consider whether you want to update their membership
   (possibly via the [Edit Room Membership API](room_membership.md)) or let
   them handle rejoining themselves.
 4. If `new_room_user_id` was given, a 'Content Violation' will have been
   created. Consider whether you want to delete that roomm.
 ## Deprecated endpoint
@@ -547,10 +539,10 @@ By default the server admin (the caller) is granted power, but another user can
 optionally be specified, e.g.:
 ```
-    POST /_synapse/admin/v1/rooms/<room_id_or_alias>/make_room_admin
+POST /_synapse/admin/v1/rooms/<room_id_or_alias>/make_room_admin
-    {
+{
    "user_id": "@foo:example.com"
-    }
+}
 ```
 # Forward Extremities Admin API
@@ -564,7 +556,7 @@ extremities accumulate in a room, performance can become degraded. For details,
 To check the status of forward extremities for a room:
 ```
-    GET /_synapse/admin/v1/rooms/<room_id_or_alias>/forward_extremities
+GET /_synapse/admin/v1/rooms/<room_id_or_alias>/forward_extremities
 ```
 A response as follows will be returned:
@@ -593,7 +585,7 @@ If a room has lots of forward extremities, the extra can be
 deleted as follows:
 ```
-    DELETE /_synapse/admin/v1/rooms/<room_id_or_alias>/forward_extremities
+DELETE /_synapse/admin/v1/rooms/<room_id_or_alias>/forward_extremities
 ```
 A response as follows will be returned, indicating the amount of forward extremities
--- a/docs/admin_api/server_notices.md
+++ b/docs/admin_api/server_notices.md
@@ -45,4 +45,4 @@ Once the notice has been sent, the API will return the following response:
 ```
 Note that server notices must be enabled in `homeserver.yaml` before this API
-can be used. See [server_notices.md](../server_notices.md) for more information.
+can be used. See [the server notices documentation](../server_notices.md) for more information.
--- a/docs/admin_api/shutdown_room.md
+++ b/docs/admin_api/shutdown_room.md
@@ -1,102 +0,0 @@
 # Deprecated: Shutdown room API
 **The old Shutdown room API is deprecated and will be removed in a future release.
 See the new [Delete Room API](rooms.md#delete-room-api) for more details.**
 Shuts down a room, preventing new joins and moves local users and room aliases automatically
 to a new room. The new room will be created with the user specified by the
 `new_room_user_id` parameter as room administrator and will contain a message
 explaining what happened. Users invited to the new room will have power level
 -10 by default, and thus be unable to speak. The old room's power levels will be changed to
 disallow any further invites or joins.
 The local server will only have the power to move local user and room aliases to
 the new room. Users on other servers will be unaffected.
 ## API
 You will need to authenticate with an access token for an admin user.
 ### URL
 `POST /_synapse/admin/v1/shutdown_room/{room_id}`
 ### URL Parameters
 * `room_id` - The ID of the room (e.g `!someroom:example.com`)
 ### JSON Body Parameters
 * `new_room_user_id` - Required. A string representing the user ID of the user that will admin
                       the new room that all users in the old room will be moved to.
 * `room_name` - Optional. A string representing the name of the room that new users will be
                invited to.
 * `message` - Optional. A string containing the first message that will be sent as
              `new_room_user_id` in the new room. Ideally this will clearly convey why the
               original room was shut down.
 If not specified, the default value of `room_name` is "Content Violation
 Notification". The default value of `message` is "Sharing illegal content on
 othis server is not permitted and rooms in violation will be blocked."
 ### Response Parameters
 * `kicked_users` - An integer number representing the number of users that
                   were kicked.
 * `failed_to_kick_users` - An integer number representing the number of users
                           that were not kicked.
 * `local_aliases` - An array of strings representing the local aliases that were migrated from
                    the old room to the new.
 * `new_room_id` - A string representing the room ID of the new room.
 ## Example
 Request:
 ```
 POST /_synapse/admin/v1/shutdown_room/!somebadroom%3Aexample.com
 {
    "new_room_user_id": "@someuser:example.com",
    "room_name": "Content Violation Notification",
    "message": "Bad Room has been shutdown due to content violations on this server. Please review our Terms of Service."
 }
 ```
 Response:
 ```
 {
    "kicked_users": 5,
    "failed_to_kick_users": 0,
    "local_aliases": ["#badroom:example.com", "#evilsaloon:example.com],
    "new_room_id": "!newroomid:example.com",
 },
 ```
 ## Undoing room shutdowns
 *Note*: This guide may be outdated by the time you read it. By nature of room shutdowns being performed at the database level,
 the structure can and does change without notice.
 First, it's important to understand that a room shutdown is very destructive. Undoing a shutdown is not as simple as pretending it
 never happened - work has to be done to move forward instead of resetting the past. In fact, in some cases it might not be possible
 to recover at all:
 * If the room was invite-only, your users will need to be re-invited.
 * If the room no longer has any members at all, it'll be impossible to rejoin.
 * The first user to rejoin will have to do so via an alias on a different server.
 With all that being said, if you still want to try and recover the room:
 1. For safety reasons, shut down Synapse.
 2. In the database, run `DELETE FROM blocked_rooms WHERE room_id = '!example:example.org';`
   * For caution: it's recommended to run this in a transaction: `BEGIN; DELETE ...;`, verify you got 1 result, then `COMMIT;`.
   * The room ID is the same one supplied to the shutdown room API, not the Content Violation room.
 3. Restart Synapse.
 You will have to manually handle, if you so choose, the following:
 * Aliases that would have been redirected to the Content Violation room.
 * Users that would have been booted from the room (and will have been force-joined to the Content Violation room).
 * Removal of the Content Violation room if desired.
--- a/docs/admin_api/statistics.md
+++ b/docs/admin_api/statistics.md
@@ -10,7 +10,7 @@ GET /_synapse/admin/v1/statistics/users/media
 ```
 To use it, you will need to authenticate by providing an `access_token`
-for a server admin: see [README.rst](README.rst).
+for a server admin: see [Admin API](../usage/administration/admin_api).
 A response body like the following is returned:
--- a/docs/admin_api/user_admin_api.md
+++ b/docs/admin_api/user_admin_api.md
--- a/docs/admin_api/user_admin_api.rst
+++ b/docs/admin_api/user_admin_api.rst
@@ -1,981 +0,0 @@
 .. contents::
 Query User Account
 ==================
 This API returns information about a specific user account.
 The api is::
    GET /_synapse/admin/v2/users/<user_id>
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 It returns a JSON body like the following:
 .. code:: json
    {
        "displayname": "User",
        "threepids": [
            {
                "medium": "email",
                "address": "<user_mail_1>"
            },
            {
                "medium": "email",
                "address": "<user_mail_2>"
            }
        ],
        "avatar_url": "<avatar_url>",
        "admin": 0,
        "deactivated": 0,
        "shadow_banned": 0,
        "password_hash": "$2b$12$p9B4GkqYdRTPGD",
        "creation_ts": 1560432506,
        "appservice_id": null,
        "consent_server_notice_sent": null,
        "consent_version": null
    }
 URL parameters:
 - ``user_id``: fully-qualified user id: for example, ``@user:server.com``.
 Create or modify Account
 ========================
 This API allows an administrator to create or modify a user account with a
 specific ``user_id``.
 This api is::
    PUT /_synapse/admin/v2/users/<user_id>
 with a body of:
 .. code:: json
    {
        "password": "user_password",
        "displayname": "User",
        "threepids": [
            {
                "medium": "email",
                "address": "<user_mail_1>"
            },
            {
                "medium": "email",
                "address": "<user_mail_2>"
            }
        ],
        "avatar_url": "<avatar_url>",
        "admin": false,
        "deactivated": false
    }
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 URL parameters:
 - ``user_id``: fully-qualified user id: for example, ``@user:server.com``.
 Body parameters:
 - ``password``, optional. If provided, the user's password is updated and all
  devices are logged out.
 - ``displayname``, optional, defaults to the value of ``user_id``.
 - ``threepids``, optional, allows setting the third-party IDs (email, msisdn)
  belonging to a user.
 - ``avatar_url``, optional, must be a
  `MXC URI <https://matrix.org/docs/spec/client_server/r0.6.0#matrix-content-mxc-uris>`_.
 - ``admin``, optional, defaults to ``false``.
 - ``deactivated``, optional. If unspecified, deactivation state will be left
  unchanged on existing accounts and set to ``false`` for new accounts.
  A user cannot be erased by deactivating with this API. For details on deactivating users see
  `Deactivate Account <#deactivate-account>`_.
 If the user already exists then optional parameters default to the current value.
 In order to re-activate an account ``deactivated`` must be set to ``false``. If
 users do not login via single-sign-on, a new ``password`` must be provided.
 List Accounts
 =============
 This API returns all local user accounts.
 By default, the response is ordered by ascending user ID.
 The API is::
    GET /_synapse/admin/v2/users?from=0&limit=10&guests=false
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 A response body like the following is returned:
 .. code:: json
    {
        "users": [
            {
                "name": "<user_id1>",
                "is_guest": 0,
                "admin": 0,
                "user_type": null,
                "deactivated": 0,
                "shadow_banned": 0,
                "displayname": "<User One>",
                "avatar_url": null
            }, {
                "name": "<user_id2>",
                "is_guest": 0,
                "admin": 1,
                "user_type": null,
                "deactivated": 0,
                "shadow_banned": 0,
                "displayname": "<User Two>",
                "avatar_url": "<avatar_url>"
            }
        ],
        "next_token": "100",
        "total": 200
    }
 To paginate, check for ``next_token`` and if present, call the endpoint again
 with ``from`` set to the value of ``next_token``. This will return a new page.
 If the endpoint does not return a ``next_token`` then there are no more users
 to paginate through.
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - Is optional and filters to only return users with user IDs
  that contain this value. This parameter is ignored when using the ``name`` parameter.
 - ``name`` - Is optional and filters to only return users with user ID localparts
  **or** displaynames that contain this value.
 - ``guests`` - string representing a bool - Is optional and if ``false`` will **exclude** guest users.
  Defaults to ``true`` to include guest users.
 - ``deactivated`` - string representing a bool - Is optional and if ``true`` will **include** deactivated users.
  Defaults to ``false`` to exclude deactivated users.
 - ``limit`` - string representing a positive integer - Is optional but is used for pagination,
  denoting the maximum number of items to return in this call. Defaults to ``100``.
 - ``from`` - string representing a positive integer - Is optional but used for pagination,
  denoting the offset in the returned results. This should be treated as an opaque value and
  not explicitly set to anything other than the return value of ``next_token`` from a previous call.
  Defaults to ``0``.
 - ``order_by`` - The method by which to sort the returned list of users.
  If the ordered field has duplicates, the second order is always by ascending ``name``,
  which guarantees a stable ordering. Valid values are:
  - ``name`` - Users are ordered alphabetically by ``name``. This is the default.
  - ``is_guest`` - Users are ordered by ``is_guest`` status.
  - ``admin`` - Users are ordered by ``admin`` status.
  - ``user_type`` - Users are ordered alphabetically by ``user_type``.
  - ``deactivated`` - Users are ordered by ``deactivated`` status.
  - ``shadow_banned`` - Users are ordered by ``shadow_banned`` status.
  - ``displayname`` - Users are ordered alphabetically by ``displayname``.
  - ``avatar_url`` - Users are ordered alphabetically by avatar URL.
 - ``dir`` - Direction of media order. Either ``f`` for forwards or ``b`` for backwards.
  Setting this value to ``b`` will reverse the above sort order. Defaults to ``f``.
 Caution. The database only has indexes on the columns ``name`` and ``created_ts``.
 This means that if a different sort order is used (``is_guest``, ``admin``,
 ``user_type``, ``deactivated``, ``shadow_banned``, ``avatar_url`` or ``displayname``),
 this can cause a large load on the database, especially for large environments.
 **Response**
 The following fields are returned in the JSON response body:
 - ``users`` - An array of objects, each containing information about an user.
  User objects contain the following fields:
  - ``name`` - string - Fully-qualified user ID (ex. ``@user:server.com``).
  - ``is_guest`` - bool - Status if that user is a guest account.
  - ``admin`` - bool - Status if that user is a server administrator.
  - ``user_type`` - string - Type of the user. Normal users are type ``None``.
    This allows user type specific behaviour. There are also types ``support`` and ``bot``. 
  - ``deactivated`` - bool - Status if that user has been marked as deactivated.
  - ``shadow_banned`` - bool - Status if that user has been marked as shadow banned.
  - ``displayname`` - string - The user's display name if they have set one.
  - ``avatar_url`` - string -  The user's avatar URL if they have set one.
 - ``next_token``: string representing a positive integer - Indication for pagination. See above.
 - ``total`` - integer - Total number of media.
 Query current sessions for a user
 =================================
 This API returns information about the active sessions for a specific user.
 The api is::
    GET /_synapse/admin/v1/whois/<user_id>
 and::
    GET /_matrix/client/r0/admin/whois/<userId>
 See also: `Client Server API Whois
 <https://matrix.org/docs/spec/client_server/r0.6.1#get-matrix-client-r0-admin-whois-userid>`_
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 It returns a JSON body like the following:
 .. code:: json
    {
        "user_id": "<user_id>",
        "devices": {
            "": {
                "sessions": [
                    {
                        "connections": [
                            {
                                "ip": "1.2.3.4",
                                "last_seen": 1417222374433,
                                "user_agent": "Mozilla/5.0 ..."
                            },
                            {
                                "ip": "1.2.3.10",
                                "last_seen": 1417222374500,
                                "user_agent": "Dalvik/2.1.0 ..."
                            }
                        ]
                    }
                ]
            }
        }
    }
 ``last_seen`` is measured in milliseconds since the Unix epoch.
 Deactivate Account
 ==================
 This API deactivates an account. It removes active access tokens, resets the
 password, and deletes third-party IDs (to prevent the user requesting a
 password reset).
 It can also mark the user as GDPR-erased. This means messages sent by the
 user will still be visible by anyone that was in the room when these messages
 were sent, but hidden from users joining the room afterwards.
 The api is::
    POST /_synapse/admin/v1/deactivate/<user_id>
 with a body of:
 .. code:: json
    {
        "erase": true
    }
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 The erase parameter is optional and defaults to ``false``.
 An empty body may be passed for backwards compatibility.
 The following actions are performed when deactivating an user:
 - Try to unpind 3PIDs from the identity server
 - Remove all 3PIDs from the homeserver
 - Delete all devices and E2EE keys
 - Delete all access tokens
 - Delete the password hash
 - Removal from all rooms the user is a member of
 - Remove the user from the user directory
 - Reject all pending invites
 - Remove all account validity information related to the user
 The following additional actions are performed during deactivation if ``erase``
 is set to ``true``:
 - Remove the user's display name
 - Remove the user's avatar URL
 - Mark the user as erased
 Reset password
 ==============
 Changes the password of another user. This will automatically log the user out of all their devices.
 The api is::
    POST /_synapse/admin/v1/reset_password/<user_id>
 with a body of:
 .. code:: json
   {
       "new_password": "<secret>",
       "logout_devices": true
   }
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 The parameter ``new_password`` is required.
 The parameter ``logout_devices`` is optional and defaults to ``true``.
 Get whether a user is a server administrator or not
 ===================================================
 The api is::
    GET /_synapse/admin/v1/users/<user_id>/admin
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 A response body like the following is returned:
 .. code:: json
    {
        "admin": true
    }
 Change whether a user is a server administrator or not
 ======================================================
 Note that you cannot demote yourself.
 The api is::
    PUT /_synapse/admin/v1/users/<user_id>/admin
 with a body of:
 .. code:: json
    {
        "admin": true
    }
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 List room memberships of an user
 ================================
 Gets a list of all ``room_id`` that a specific ``user_id`` is member.
 The API is::
  GET /_synapse/admin/v1/users/<user_id>/joined_rooms
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 A response body like the following is returned:
 .. code:: json
    {
        "joined_rooms": [
            "!DuGcnbhHGaSZQoNQR:matrix.org",
            "!ZtSaPCawyWtxfWiIy:matrix.org"
        ],
        "total": 2
    }
 The server returns the list of rooms of which the user and the server
 are member. If the user is local, all the rooms of which the user is
 member are returned.
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - fully qualified: for example, ``@user:server.com``.
 **Response**
 The following fields are returned in the JSON response body:
 - ``joined_rooms`` - An array of ``room_id``.
 - ``total`` - Number of rooms.
 List media of a user
 ====================
 Gets a list of all local media that a specific ``user_id`` has created.
 By default, the response is ordered by descending creation date and ascending media ID.
 The newest media is on top. You can change the order with parameters
 ``order_by`` and ``dir``.
 The API is::
  GET /_synapse/admin/v1/users/<user_id>/media
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 A response body like the following is returned:
 .. code:: json
    {
      "media": [
        {
          "created_ts": 100400,
          "last_access_ts": null,
          "media_id": "qXhyRzulkwLsNHTbpHreuEgo",
          "media_length": 67,
          "media_type": "image/png",
          "quarantined_by": null,
          "safe_from_quarantine": false,
          "upload_name": "test1.png"
        },
        {
          "created_ts": 200400,
          "last_access_ts": null,
          "media_id": "FHfiSnzoINDatrXHQIXBtahw",
          "media_length": 67,
          "media_type": "image/png",
          "quarantined_by": null,
          "safe_from_quarantine": false,
          "upload_name": "test2.png"
        }
      ],
      "next_token": 3,
      "total": 2
    }
 To paginate, check for ``next_token`` and if present, call the endpoint again
 with ``from`` set to the value of ``next_token``. This will return a new page.
 If the endpoint does not return a ``next_token`` then there are no more
 reports to paginate through.
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - string - fully qualified: for example, ``@user:server.com``.
 - ``limit``: string representing a positive integer - Is optional but is used for pagination,
  denoting the maximum number of items to return in this call. Defaults to ``100``.
 - ``from``: string representing a positive integer - Is optional but used for pagination,
  denoting the offset in the returned results. This should be treated as an opaque value and
  not explicitly set to anything other than the return value of ``next_token`` from a previous call.
  Defaults to ``0``.
 - ``order_by`` - The method by which to sort the returned list of media.
  If the ordered field has duplicates, the second order is always by ascending ``media_id``,
  which guarantees a stable ordering. Valid values are:
  - ``media_id`` - Media are ordered alphabetically by ``media_id``.
  - ``upload_name`` - Media are ordered alphabetically by name the media was uploaded with.
  - ``created_ts`` - Media are ordered by when the content was uploaded in ms.
    Smallest to largest. This is the default.
  - ``last_access_ts`` - Media are ordered by when the content was last accessed in ms.
    Smallest to largest.
  - ``media_length`` - Media are ordered by length of the media in bytes.
    Smallest to largest.
  - ``media_type`` - Media are ordered alphabetically by MIME-type.
  - ``quarantined_by`` - Media are ordered alphabetically by the user ID that
    initiated the quarantine request for this media.
  - ``safe_from_quarantine`` - Media are ordered by the status if this media is safe
    from quarantining.
 - ``dir`` - Direction of media order. Either ``f`` for forwards or ``b`` for backwards.
  Setting this value to ``b`` will reverse the above sort order. Defaults to ``f``.
 If neither ``order_by`` nor ``dir`` is set, the default order is newest media on top
 (corresponds to ``order_by`` = ``created_ts`` and ``dir`` = ``b``).
 Caution. The database only has indexes on the columns ``media_id``,
 ``user_id`` and ``created_ts``. This means that if a different sort order is used
 (``upload_name``, ``last_access_ts``, ``media_length``, ``media_type``,
 ``quarantined_by`` or ``safe_from_quarantine``), this can cause a large load on the
 database, especially for large environments.
 **Response**
 The following fields are returned in the JSON response body:
 - ``media`` - An array of objects, each containing information about a media.
  Media objects contain the following fields:
  - ``created_ts`` - integer - Timestamp when the content was uploaded in ms.
  - ``last_access_ts`` - integer - Timestamp when the content was last accessed in ms.
  - ``media_id`` - string - The id used to refer to the media.
  - ``media_length`` - integer - Length of the media in bytes.
  - ``media_type`` - string - The MIME-type of the media.
  - ``quarantined_by`` - string - The user ID that initiated the quarantine request
    for this media.
  - ``safe_from_quarantine`` - bool - Status if this media is safe from quarantining.
  - ``upload_name`` - string - The name the media was uploaded with.
 - ``next_token``: integer - Indication for pagination. See above.
 - ``total`` - integer - Total number of media.
 Login as a user
 ===============
 Get an access token that can be used to authenticate as that user. Useful for
 when admins wish to do actions on behalf of a user.
 The API is::
    POST /_synapse/admin/v1/users/<user_id>/login
    {}
 An optional ``valid_until_ms`` field can be specified in the request body as an
 integer timestamp that specifies when the token should expire. By default tokens
 do not expire.
 A response body like the following is returned:
 .. code:: json
    {
        "access_token": "<opaque_access_token_string>"
    }
 This API does *not* generate a new device for the user, and so will not appear
 their ``/devices`` list, and in general the target user should not be able to
 tell they have been logged in as.
 To expire the token call the standard ``/logout`` API with the token.
 Note: The token will expire if the *admin* user calls ``/logout/all`` from any
 of their devices, but the token will *not* expire if the target user does the
 same.
 User devices
 ============
 List all devices
 ----------------
 Gets information about all devices for a specific ``user_id``.
 The API is::
  GET /_synapse/admin/v2/users/<user_id>/devices
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 A response body like the following is returned:
 .. code:: json
    {
      "devices": [
        {
          "device_id": "QBUAZIFURK",
          "display_name": "android",
          "last_seen_ip": "1.2.3.4",
          "last_seen_ts": 1474491775024,
          "user_id": "<user_id>"
        },
        {
          "device_id": "AUIECTSRND",
          "display_name": "ios",
          "last_seen_ip": "1.2.3.5",
          "last_seen_ts": 1474491775025,
          "user_id": "<user_id>"
        }
      ],
      "total": 2
    }
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - fully qualified: for example, ``@user:server.com``.
 **Response**
 The following fields are returned in the JSON response body:
 - ``devices`` - An array of objects, each containing information about a device.
  Device objects contain the following fields:
  - ``device_id`` - Identifier of device.
  - ``display_name`` - Display name set by the user for this device.
    Absent if no name has been set.
  - ``last_seen_ip`` - The IP address where this device was last seen.
    (May be a few minutes out of date, for efficiency reasons).
  - ``last_seen_ts`` - The timestamp (in milliseconds since the unix epoch) when this
    devices was last seen. (May be a few minutes out of date, for efficiency reasons).
  - ``user_id`` - Owner of  device.
 - ``total`` - Total number of user's devices.
 Delete multiple devices
 ------------------
 Deletes the given devices for a specific ``user_id``, and invalidates
 any access token associated with them.
 The API is::
    POST /_synapse/admin/v2/users/<user_id>/delete_devices
    {
      "devices": [
        "QBUAZIFURK",
        "AUIECTSRND"
      ],
    }
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 An empty JSON dict is returned.
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - fully qualified: for example, ``@user:server.com``.
 The following fields are required in the JSON request body:
 - ``devices`` - The list of device IDs to delete.
 Show a device
 ---------------
 Gets information on a single device, by ``device_id`` for a specific ``user_id``.
 The API is::
    GET /_synapse/admin/v2/users/<user_id>/devices/<device_id>
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 A response body like the following is returned:
 .. code:: json
    {
      "device_id": "<device_id>",
      "display_name": "android",
      "last_seen_ip": "1.2.3.4",
      "last_seen_ts": 1474491775024,
      "user_id": "<user_id>"
    }
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - fully qualified: for example, ``@user:server.com``.
 - ``device_id`` - The device to retrieve.
 **Response**
 The following fields are returned in the JSON response body:
 - ``device_id`` - Identifier of device.
 - ``display_name`` - Display name set by the user for this device.
  Absent if no name has been set.
 - ``last_seen_ip`` - The IP address where this device was last seen.
  (May be a few minutes out of date, for efficiency reasons).
 - ``last_seen_ts`` - The timestamp (in milliseconds since the unix epoch) when this
  devices was last seen. (May be a few minutes out of date, for efficiency reasons).
 - ``user_id`` - Owner of  device.
 Update a device
 ---------------
 Updates the metadata on the given ``device_id`` for a specific ``user_id``.
 The API is::
    PUT /_synapse/admin/v2/users/<user_id>/devices/<device_id>
    {
      "display_name": "My other phone"
    }
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 An empty JSON dict is returned.
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - fully qualified: for example, ``@user:server.com``.
 - ``device_id`` - The device to update.
 The following fields are required in the JSON request body:
 - ``display_name`` - The new display name for this device. If not given,
  the display name is unchanged.
 Delete a device
 ---------------
 Deletes the given ``device_id`` for a specific ``user_id``,
 and invalidates any access token associated with it.
 The API is::
    DELETE /_synapse/admin/v2/users/<user_id>/devices/<device_id>
    {}
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 An empty JSON dict is returned.
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - fully qualified: for example, ``@user:server.com``.
 - ``device_id`` - The device to delete.
 List all pushers
 ================
 Gets information about all pushers for a specific ``user_id``.
 The API is::
  GET /_synapse/admin/v1/users/<user_id>/pushers
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 A response body like the following is returned:
 .. code:: json
    {
      "pushers": [
        {
          "app_display_name":"HTTP Push Notifications",
          "app_id":"m.http",
          "data": {
            "url":"example.com"
          },
          "device_display_name":"pushy push",
          "kind":"http",
          "lang":"None",
          "profile_tag":"",
          "pushkey":"a@example.com"
        }
      ],
      "total": 1
    }
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - fully qualified: for example, ``@user:server.com``.
 **Response**
 The following fields are returned in the JSON response body:
 - ``pushers`` - An array containing the current pushers for the user
  - ``app_display_name`` - string - A string that will allow the user to identify
    what application owns this pusher.
  - ``app_id`` - string - This is a reverse-DNS style identifier for the application.
    Max length, 64 chars.
  - ``data`` - A dictionary of information for the pusher implementation itself.
    - ``url`` - string - Required if ``kind`` is ``http``. The URL to use to send
      notifications to.
    - ``format`` - string - The format to use when sending notifications to the
      Push Gateway.
  - ``device_display_name`` - string -  A string that will allow the user to identify
    what device owns this pusher.
  - ``profile_tag`` - string - This string determines which set of device specific rules
    this pusher executes.
  - ``kind`` - string -  The kind of pusher. "http" is a pusher that sends HTTP pokes.
  - ``lang`` - string - The preferred language for receiving notifications
    (e.g. 'en' or 'en-US')
  - ``profile_tag`` - string - This string determines which set of device specific rules
    this pusher executes.
  - ``pushkey`` - string - This is a unique identifier for this pusher.
    Max length, 512 bytes.
 - ``total`` - integer - Number of pushers.
 See also `Client-Server API Spec <https://matrix.org/docs/spec/client_server/latest#get-matrix-client-r0-pushers>`_
 Shadow-banning users
 ====================
 Shadow-banning is a useful tool for moderating malicious or egregiously abusive users.
 A shadow-banned users receives successful responses to their client-server API requests,
 but the events are not propagated into rooms. This can be an effective tool as it
 (hopefully) takes longer for the user to realise they are being moderated before
 pivoting to another account.
 Shadow-banning a user should be used as a tool of last resort and may lead to confusing
 or broken behaviour for the client. A shadow-banned user will not receive any
 notification and it is generally more appropriate to ban or kick abusive users.
 A shadow-banned user will be unable to contact anyone on the server.
 The API is::
  POST /_synapse/admin/v1/users/<user_id>/shadow_ban
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 An empty JSON dict is returned.
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - The fully qualified MXID: for example, ``@user:server.com``. The user must
  be local.
 Override ratelimiting for users
 ===============================
 This API allows to override or disable ratelimiting for a specific user.
 There are specific APIs to set, get and delete a ratelimit.
 Get status of ratelimit
 -----------------------
 The API is::
  GET /_synapse/admin/v1/users/<user_id>/override_ratelimit
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 A response body like the following is returned:
 .. code:: json
    {
      "messages_per_second": 0,
      "burst_count": 0
    }
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - The fully qualified MXID: for example, ``@user:server.com``. The user must
  be local.
 **Response**
 The following fields are returned in the JSON response body:
 - ``messages_per_second`` - integer - The number of actions that can
  be performed in a second. `0` mean that ratelimiting is disabled for this user.
 - ``burst_count`` - integer - How many actions that can be performed before
  being limited.
 If **no** custom ratelimit is set, an empty JSON dict is returned.
 .. code:: json
    {}
 Set ratelimit
 -------------
 The API is::
  POST /_synapse/admin/v1/users/<user_id>/override_ratelimit
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 A response body like the following is returned:
 .. code:: json
    {
      "messages_per_second": 0,
      "burst_count": 0
    }
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - The fully qualified MXID: for example, ``@user:server.com``. The user must
  be local.
 Body parameters:
 - ``messages_per_second`` - positive integer, optional. The number of actions that can
  be performed in a second. Defaults to ``0``.
 - ``burst_count`` - positive integer, optional. How many actions that can be performed
  before being limited. Defaults to ``0``.
 To disable users' ratelimit set both values to ``0``.
 **Response**
 The following fields are returned in the JSON response body:
 - ``messages_per_second`` - integer - The number of actions that can
  be performed in a second.
 - ``burst_count`` - integer - How many actions that can be performed before
  being limited.
 Delete ratelimit
 ----------------
 The API is::
  DELETE /_synapse/admin/v1/users/<user_id>/override_ratelimit
 To use it, you will need to authenticate by providing an ``access_token`` for a
 server admin: see `README.rst <README.rst>`_.
 An empty JSON dict is returned.
 .. code:: json
    {}
 **Parameters**
 The following parameters should be set in the URL:
 - ``user_id`` - The fully qualified MXID: for example, ``@user:server.com``. The user must
  be local.
--- a/docs/admin_api/version_api.rst
+++ b/docs/admin_api/version_api.rst
@@ -1,20 +1,21 @@
-Version API
+# Version API
 ===========
 This API returns the running Synapse version and the Python version
 on which Synapse is being run. This is useful when a Synapse instance
 is behind a proxy that does not forward the 'Server' header (which also
 contains Synapse version information).
-The api is::
+The api is:
-    GET /_synapse/admin/v1/server_version
+```
 GET /_synapse/admin/v1/server_version
 ```
 It returns a JSON body like the following:
-.. code:: json
+```json
-
+{
    {
    "server_version": "0.99.2rc1 (b=develop, abcdef123)",
    "python_version": "3.6.8"
-    }
+}
 ```
--- a/docs/consent_tracking.md
+++ b/docs/consent_tracking.md
@@ -24,8 +24,8 @@ To enable this, first create templates for the policy and success pages.
 These should be stored on the local filesystem.
 These templates use the [Jinja2](http://jinja.pocoo.org) templating language,
-and [docs/privacy_policy_templates](privacy_policy_templates) gives
+and [docs/privacy_policy_templates](https://github.com/matrix-org/synapse/tree/develop/docs/privacy_policy_templates/)
-examples of the sort of thing that can be done.
+gives examples of the sort of thing that can be done.
 Note that the templates must be stored under a name giving the language of the
 template - currently this must always be `en` (for "English");
@@ -152,7 +152,7 @@ version of the policy. To do so:
 * ensure that the consent resource is configured, as in the previous section
- * ensure that server notices are configured, as in [server_notices.md](server_notices.md).
+ * ensure that server notices are configured, as in [the server notice documentation](server_notices.md).
 * Add `server_notice_content` under `user_consent` in `homeserver.yaml`. For
   example:
--- a/docs/delegate.md
+++ b/docs/delegate.md
@@ -74,7 +74,7 @@ We no longer actively recommend against using a reverse proxy. Many admins will
 find it easier to direct federation traffic to a reverse proxy and manage their
 own TLS certificates, and this is a supported configuration.
-See [reverse_proxy.md](reverse_proxy.md) for information on setting up a
+See [the reverse proxy documentation](reverse_proxy.md) for information on setting up a
 reverse proxy.
 ### Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy?
--- a/docs/development/cas.md
+++ b/docs/development/cas.md
--- a/docs/development/contributing_guide.md
+++ b/docs/development/contributing_guide.md
@@ -0,0 +1,427 @@
 # Contributing
 This document aims to get you started with contributing to Synapse!
 # 1. Who can contribute to Synapse?
 Everyone is welcome to contribute code to [matrix.org
 projects](https://github.com/matrix-org), provided that they are willing to
 license their contributions under the same license as the project itself. We
 follow a simple 'inbound=outbound' model for contributions: the act of
 submitting an 'inbound' contribution means that the contributor agrees to
 license the code under the same terms as the project's overall 'outbound'
 license - in our case, this is almost always Apache Software License v2 (see
 [LICENSE](https://github.com/matrix-org/synapse/blob/develop/LICENSE)).
 # 2. What do I need?
 The code of Synapse is written in Python 3. To do pretty much anything, you'll need [a recent version of Python 3](https://wiki.python.org/moin/BeginnersGuide/Download).
 The source code of Synapse is hosted on GitHub. You will also need [a recent version of git](https://github.com/git-guides/install-git).
 For some tests, you will need [a recent version of Docker](https://docs.docker.com/get-docker/).
 # 3. Get the source.
 The preferred and easiest way to contribute changes is to fork the relevant
 project on GitHub, and then [create a pull request](
 https://help.github.com/articles/using-pull-requests/) to ask us to pull your
 changes into our repo.
 Please base your changes on the `develop` branch.
 ```sh
 git clone git@github.com:YOUR_GITHUB_USER_NAME/synapse.git
 git checkout develop
 ```
 If you need help getting started with git, this is beyond the scope of the document, but you
 can find many good git tutorials on the web.
 # 4. Install the dependencies
 ## Under Unix (macOS, Linux, BSD, ...)
 Once you have installed Python 3 and added the source, please open a terminal and
 setup a *virtualenv*, as follows:
 ```sh
 cd path/where/you/have/cloned/the/repository
 python3 -m venv ./env
 source ./env/bin/activate
 pip install -e ".[all,lint,mypy,test]"
 pip install tox
 ```
 This will install the developer dependencies for the project.
 ## Under Windows
 TBD
 # 5. Get in touch.
 Join our developer community on Matrix: #synapse-dev:matrix.org !
 # 6. Pick an issue.
 Fix your favorite problem or perhaps find a [Good First Issue](https://github.com/matrix-org/synapse/issues?q=is%3Aopen+is%3Aissue+label%3A%22Good+First+Issue%22)
 to work on.
 # 7. Turn coffee into code and documentation!
 There is a growing amount of documentation located in the
 [`docs`](https://github.com/matrix-org/synapse/tree/develop/docs)
 directory, with a rendered version [available online](https://matrix-org.github.io/synapse).
 This documentation is intended primarily for sysadmins running their
 own Synapse instance, as well as developers interacting externally with
 Synapse.
 [`docs/development`](https://github.com/matrix-org/synapse/tree/develop/docs/development)
 exists primarily to house documentation for
 Synapse developers.
 [`docs/admin_api`](https://github.com/matrix-org/synapse/tree/develop/docs/admin_api) houses documentation
 regarding Synapse's Admin API, which is used mostly by sysadmins and external
 service developers.
 Synapse's code style is documented [here](../code_style.md). Please follow
 it, including the conventions for the [sample configuration
 file](../code_style.md#configuration-file-format).
 We welcome improvements and additions to our documentation itself! When
 writing new pages, please
 [build `docs` to a book](https://github.com/matrix-org/synapse/tree/develop/docs#adding-to-the-documentation)
 to check that your contributions render correctly. The docs are written in
 [GitHub-Flavoured Markdown](https://guides.github.com/features/mastering-markdown/).
 Some documentation also exists in [Synapse's GitHub
 Wiki](https://github.com/matrix-org/synapse/wiki), although this is primarily
 contributed to by community authors.
 # 8. Test, test, test!
 <a name="test-test-test"></a>
 While you're developing and before submitting a patch, you'll
 want to test your code.
 ## Run the linters.
 The linters look at your code and do two things:
 - ensure that your code follows the coding style adopted by the project;
 - catch a number of errors in your code.
 They're pretty fast, don't hesitate!
 ```sh
 source ./env/bin/activate
 ./scripts-dev/lint.sh
 ```
 Note that this script *will modify your files* to fix styling errors.
 Make sure that you have saved all your files.
 If you wish to restrict the linters to only the files changed since the last commit
 (much faster!), you can instead run:
 ```sh
 source ./env/bin/activate
 ./scripts-dev/lint.sh -d
 ```
 Or if you know exactly which files you wish to lint, you can instead run:
 ```sh
 source ./env/bin/activate
 ./scripts-dev/lint.sh path/to/file1.py path/to/file2.py path/to/folder
 ```
 ## Run the unit tests (Twisted trial).
 The unit tests run parts of Synapse, including your changes, to see if anything
 was broken. They are slower than the linters but will typically catch more errors.
 ```sh
 source ./env/bin/activate
 trial tests
 ```
 If you wish to only run *some* unit tests, you may specify
 another module instead of `tests` - or a test class or a method:
 ```sh
 source ./env/bin/activate
 trial tests.rest.admin.test_room tests.handlers.test_admin.ExfiltrateData.test_invite
 ```
 If your tests fail, you may wish to look at the logs (the default log level is `ERROR`):
 ```sh
 less _trial_temp/test.log
 ```
 To increase the log level for the tests, set `SYNAPSE_TEST_LOG_LEVEL`:
 ```sh
 SYNAPSE_TEST_LOG_LEVEL=DEBUG trial tests
 ```
 ## Run the integration tests ([Sytest](https://github.com/matrix-org/sytest)).
 The integration tests are a more comprehensive suite of tests. They
 run a full version of Synapse, including your changes, to check if
 anything was broken. They are slower than the unit tests but will
 typically catch more errors.
 The following command will let you run the integration test with the most common
 configuration:
 ```sh
 $ docker run --rm -it -v /path/where/you/have/cloned/the/repository\:/src:ro -v /path/to/where/you/want/logs\:/logs matrixdotorg/sytest-synapse:buster
 ```
 This configuration should generally cover  your needs. For more details about other configurations, see [documentation in the SyTest repo](https://github.com/matrix-org/sytest/blob/develop/docker/README.md).
 ## Run the integration tests ([Complement](https://github.com/matrix-org/complement)).
 [Complement](https://github.com/matrix-org/complement) is a suite of black box tests that can be run on any homeserver implementation. It can also be thought of as end-to-end (e2e) tests.
 It's often nice to develop on Synapse and write Complement tests at the same time.
 Here is how to run your local Synapse checkout against your local Complement checkout.
 (checkout [`complement`](https://github.com/matrix-org/complement) alongside your `synapse` checkout)
 ```sh
 COMPLEMENT_DIR=../complement ./scripts-dev/complement.sh
 ```
 To run a specific test file, you can pass the test name at the end of the command. The name passed comes from the naming structure in your Complement tests. If you're unsure of the name, you can do a full run and copy it from the test output:
 ```sh
 COMPLEMENT_DIR=../complement ./scripts-dev/complement.sh TestBackfillingHistory
 ```
 To run a specific test, you can specify the whole name structure:
 ```sh
 COMPLEMENT_DIR=../complement ./scripts-dev/complement.sh TestBackfillingHistory/parallel/Backfilled_historical_events_resolve_with_proper_state_in_correct_order
 ```
 ### Access database for homeserver after Complement test runs.
 If you're curious what the database looks like after you run some tests, here are some steps to get you going in Synapse:
 1. In your Complement test comment out `defer deployment.Destroy(t)` and replace with `defer time.Sleep(2 * time.Hour)` to keep the homeserver running after the tests complete
 1. Start the Complement tests
 1. Find the name of the container, `docker ps -f name=complement_` (this will filter for just the Compelement related Docker containers)
 1. Access the container replacing the name with what you found in the previous step: `docker exec -it complement_1_hs_with_application_service.hs1_2 /bin/bash`
 1. Install sqlite (database driver), `apt-get update && apt-get install -y sqlite3`
 1. Then run `sqlite3` and open the database `.open /conf/homeserver.db` (this db path comes from the Synapse homeserver.yaml)
 # 9. Submit your patch.
 Once you're happy with your patch, it's time to prepare a Pull Request.
 To prepare a Pull Request, please:
 1. verify that [all the tests pass](#test-test-test), including the coding style;
 2. [sign off](#sign-off) your contribution;
 3. `git push` your commit to your fork of Synapse;
 4. on GitHub, [create the Pull Request](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request);
 5. add a [changelog entry](#changelog) and push it to your Pull Request;
 6. for most contributors, that's all - however, if you are a member of the organization `matrix-org`, on GitHub, please request a review from `matrix.org / Synapse Core`.
 7. if you need to update your PR, please avoid rebasing and just add new commits to your branch.
 ## Changelog
 All changes, even minor ones, need a corresponding changelog / newsfragment
 entry. These are managed by [Towncrier](https://github.com/hawkowl/towncrier).
 To create a changelog entry, make a new file in the `changelog.d` directory named
 in the format of `PRnumber.type`. The type can be one of the following:
 * `feature`
 * `bugfix`
 * `docker` (for updates to the Docker image)
 * `doc` (for updates to the documentation)
 * `removal` (also used for deprecations)
 * `misc` (for internal-only changes)
 This file will become part of our [changelog](
 https://github.com/matrix-org/synapse/blob/master/CHANGES.md) at the next
 release, so the content of the file should be a short description of your
 change in the same style as the rest of the changelog. The file can contain Markdown
 formatting, and should end with a full stop (.) or an exclamation mark (!) for
 consistency.
 Adding credits to the changelog is encouraged, we value your
 contributions and would like to have you shouted out in the release notes!
 For example, a fix in PR #1234 would have its changelog entry in
 `changelog.d/1234.bugfix`, and contain content like:
 > The security levels of Florbs are now validated when received
 > via the `/federation/florb` endpoint. Contributed by Jane Matrix.
 If there are multiple pull requests involved in a single bugfix/feature/etc,
 then the content for each `changelog.d` file should be the same. Towncrier will
 merge the matching files together into a single changelog entry when we come to
 release.
 ### How do I know what to call the changelog file before I create the PR?
 Obviously, you don't know if you should call your newsfile
 `1234.bugfix` or `5678.bugfix` until you create the PR, which leads to a
 chicken-and-egg problem.
 There are two options for solving this:
 1. Open the PR without a changelog file, see what number you got, and *then*
   add the changelog file to your branch (see [Updating your pull
   request](#updating-your-pull-request)), or:
 1. Look at the [list of all
   issues/PRs](https://github.com/matrix-org/synapse/issues?q=), add one to the
   highest number you see, and quickly open the PR before somebody else claims
   your number.
   [This
   script](https://github.com/richvdh/scripts/blob/master/next_github_number.sh)
   might be helpful if you find yourself doing this a lot.
 Sorry, we know it's a bit fiddly, but it's *really* helpful for us when we come
 to put together a release!
 ### Debian changelog
 Changes which affect the debian packaging files (in `debian`) are an
 exception to the rule that all changes require a `changelog.d` file.
 In this case, you will need to add an entry to the debian changelog for the
 next release. For this, run the following command:
 ```
 dch
 ```
 This will make up a new version number (if there isn't already an unreleased
 version in flight), and open an editor where you can add a new changelog entry.
 (Our release process will ensure that the version number and maintainer name is
 corrected for the release.)
 If your change affects both the debian packaging *and* files outside the debian
 directory, you will need both a regular newsfragment *and* an entry in the
 debian changelog. (Though typically such changes should be submitted as two
 separate pull requests.)
 ## Sign off
 In order to have a concrete record that your contribution is intentional
 and you agree to license it under the same terms as the project's license, we've adopted the
 same lightweight approach that the Linux Kernel
 [submitting patches process](
 https://www.kernel.org/doc/html/latest/process/submitting-patches.html#sign-your-work-the-developer-s-certificate-of-origin>),
 [Docker](https://github.com/docker/docker/blob/master/CONTRIBUTING.md), and many other
 projects use: the DCO (Developer Certificate of Origin:
 http://developercertificate.org/). This is a simple declaration that you wrote
 the contribution or otherwise have the right to contribute it to Matrix:
 ```
 Developer Certificate of Origin
 Version 1.1
 Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
 660 York Street, Suite 102,
 San Francisco, CA 94110 USA
 Everyone is permitted to copy and distribute verbatim copies of this
 license document, but changing it is not allowed.
 Developer's Certificate of Origin 1.1
 By making a contribution to this project, I certify that:
 (a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or
 (b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or
 (c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.
 (d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.
 ```
 If you agree to this for your contribution, then all that's needed is to
 include the line in your commit or pull request comment:
 ```
 Signed-off-by: Your Name <your@email.example.org>
 ```
 We accept contributions under a legally identifiable name, such as
 your name on government documentation or common-law names (names
 claimed by legitimate usage or repute). Unfortunately, we cannot
 accept anonymous contributions at this time.
 Git allows you to add this signoff automatically when using the `-s`
 flag to `git commit`, which uses the name and email set in your
 `user.name` and `user.email` git configs.
 # 10. Turn feedback into better code.
 Once the Pull Request is opened, you will see a few things:
 1. our automated CI (Continuous Integration) pipeline will run (again) the linters, the unit tests, the integration tests and more;
 2. one or more of the developers will take a look at your Pull Request and offer feedback.
 From this point, you should:
 1. Look at the results of the CI pipeline.
    - If there is any error, fix the error.
 2. If a developer has requested changes, make these changes and let us know if it is ready for a developer to review again.
 3. Create a new commit with the changes.
    - Please do NOT overwrite the history. New commits make the reviewer's life easier.
    - Push this commits to your Pull Request.
 4. Back to 1.
 Once both the CI and the developers are happy, the patch will be merged into Synapse and released shortly!
 # 11. Find a new issue.
 By now, you know the drill!
 # Notes for maintainers on merging PRs etc
 There are some notes for those with commit access to the project on how we
 manage git [here](git.md).
 # Conclusion
 That's it! Matrix is a very open and collaborative project as you might expect
 given our obsession with open communication. If we're going to successfully
 matrix together all the fragmented communication technologies out there we are
 reliant on contributions and collaboration from the community to do so. So
 please get involved - and we hope you have as much fun hacking on Matrix as we
 do!
--- a/docs/development/database_schema.md
+++ b/docs/development/database_schema.md
@@ -0,0 +1,137 @@
 # Synapse database schema files
 Synapse's database schema is stored in the `synapse.storage.schema` module.
 ## Logical databases
 Synapse supports splitting its datastore across multiple physical databases (which can
 be useful for large installations), and the schema files are therefore split according
 to the logical database they apply to.
 At the time of writing, the following "logical" databases are supported:
 * `state` - used to store Matrix room state (more specifically, `state_groups`,
  their relationships and contents).
 * `main` - stores everything else.
 Additionally, the `common` directory contains schema files for tables which must be
 present on *all* physical databases.
 ## Synapse schema versions
 Synapse manages its database schema via "schema versions". These are mainly used to
 help avoid confusion if the Synapse codebase is rolled back after the database is
 updated. They work as follows:
 * The Synapse codebase defines a constant `synapse.storage.schema.SCHEMA_VERSION`
   which represents the expectations made about the database by that version. For
   example, as of Synapse v1.36, this is `59`.
 * The database stores a "compatibility version" in
   `schema_compat_version.compat_version` which defines the `SCHEMA_VERSION` of the
   oldest version of Synapse which will work with the database. On startup, if
   `compat_version` is found to be newer than `SCHEMA_VERSION`, Synapse will refuse to
   start.
   Synapse automatically updates this field from
   `synapse.storage.schema.SCHEMA_COMPAT_VERSION`.
 * Whenever a backwards-incompatible change is made to the database format (normally
   via a `delta` file), `synapse.storage.schema.SCHEMA_COMPAT_VERSION` is also updated
   so that administrators can not accidentally roll back to a too-old version of Synapse.
 Generally, the goal is to maintain compatibility with at least one or two previous
 releases of Synapse, so any substantial change tends to require multiple releases and a
 bit of forward-planning to get right.
 As a worked example: we want to remove the `room_stats_historical` table. Here is how it
 might pan out.
 1. Replace any code that *reads* from `room_stats_historical` with alternative
    implementations, but keep writing to it in case of rollback to an earlier version.
    Also, increase `synapse.storage.schema.SCHEMA_VERSION`.  In this
    instance, there is no existing code which reads from `room_stats_historical`, so
    our starting point is:
    v1.36.0: `SCHEMA_VERSION=59`, `SCHEMA_COMPAT_VERSION=59`
 2. Next (say in Synapse v1.37.0): remove the code that *writes* to
    `room_stats_historical`, but don’t yet remove the table in case of rollback to
    v1.36.0. Again, we increase `synapse.storage.schema.SCHEMA_VERSION`, but
    because we have not broken compatibility with v1.36, we do not yet update
    `SCHEMA_COMPAT_VERSION`. We now have:
    v1.37.0: `SCHEMA_VERSION=60`, `SCHEMA_COMPAT_VERSION=59`.
 3. Later (say in Synapse v1.38.0): we can remove the table altogether. This will
    break compatibility with v1.36.0, so we must update `SCHEMA_COMPAT_VERSION` accordingly.
    There is no need to update `synapse.storage.schema.SCHEMA_VERSION`, since there is no
    change to the Synapse codebase here. So we end up with:
    v1.38.0: `SCHEMA_VERSION=60`, `SCHEMA_COMPAT_VERSION=60`.
 If in doubt about whether to update `SCHEMA_VERSION` or not, it is generally best to
 lean towards doing so.
 ## Full schema dumps
 In the `full_schemas` directories, only the most recently-numbered snapshot is used
 (`54` at the time of writing). Older snapshots (eg, `16`) are present for historical
 reference only.
 ### Building full schema dumps
 If you want to recreate these schemas, they need to be made from a database that
 has had all background updates run.
 To do so, use `scripts-dev/make_full_schema.sh`. This will produce new
 `full.sql.postgres` and `full.sql.sqlite` files.
 Ensure postgres is installed, then run:
    ./scripts-dev/make_full_schema.sh -p postgres_username -o output_dir/
 NB at the time of writing, this script predates the split into separate `state`/`main`
 databases so will require updates to handle that correctly.
 ## Boolean columns
 Boolean columns require special treatment, since SQLite treats booleans the
 same as integers.
 There are three separate aspects to this:
 * Any new boolean column must be added to the `BOOLEAN_COLUMNS` list in
   `scripts/synapse_port_db`. This tells the port script to cast the integer
   value from SQLite to a boolean before writing the value to the postgres
   database.
 * Before SQLite 3.23, `TRUE` and `FALSE` were not recognised as constants by
   SQLite, and the `IS [NOT] TRUE`/`IS [NOT] FALSE` operators were not
   supported. This makes it necessary to avoid using `TRUE` and `FALSE`
   constants in SQL commands.
   For example, to insert a `TRUE` value into the database, write:
   ```python
   txn.execute("INSERT INTO tbl(col) VALUES (?)", (True, ))
   ```
 * Default values for new boolean columns present a particular
   difficulty. Generally it is best to create separate schema files for
   Postgres and SQLite. For example:
   ```sql
   # in 00delta.sql.postgres:
   ALTER TABLE tbl ADD COLUMN col BOOLEAN DEFAULT FALSE;
   ```
   ```sql
   # in 00delta.sql.sqlite:
   ALTER TABLE tbl ADD COLUMN col BOOLEAN DEFAULT 0;
   ```
   Note that there is a particularly insidious failure mode here: the Postgres
   flavour will be accepted by SQLite 3.22, but will give a column whose
   default value is the **string** `"FALSE"` - which, when cast back to a boolean
   in Python, evaluates to `True`.
--- a/docs/development/git.md
+++ b/docs/development/git.md
@@ -9,7 +9,7 @@ commits each of which contains a single change building on what came
 before. Here, by way of an arbitrary example, is the top of `git log --graph
 b2dba0607`:
-<img src="git/clean.png" alt="clean git graph" width="500px">
+<img src="img/git/clean.png" alt="clean git graph" width="500px">
 Note how the commit comment explains clearly what is changing and why. Also
 note the *absence* of merge commits, as well as the absence of commits called
@@ -61,7 +61,7 @@ Ok, so that's what we'd like to achieve. How do we achieve it?
 The TL;DR is: when you come to merge a pull request, you *probably* want to
 “squash and merge”:
-![squash and merge](git/squash.png).
+![squash and merge](img/git/squash.png).
 (This applies whether you are merging your own PR, or that of another
 contributor.)
@@ -105,7 +105,7 @@ complicated. Here's how we do it.
 Let's start with a picture:
-![branching model](git/branches.jpg)
+![branching model](img/git/branches.jpg)
 It looks complicated, but it's really not. There's one basic rule: *anyone* is
 free to merge from *any* more-stable branch to *any* less-stable branch at
@@ -122,15 +122,15 @@ So, what counts as a more- or less-stable branch? A little reflection will show
 that our active branches are ordered thus, from more-stable to less-stable:
 * `master` (tracks our last release).
- * `release-vX.Y.Z` (the branch where we prepare the next release)<sup
+ * `release-vX.Y` (the branch where we prepare the next release)<sup
   id="a3">[3](#f3)</sup>.
 * PR branches which are targeting the release.
 * `develop` (our "mainline" branch containing our bleeding-edge).
 * regular PR branches.
 The corollary is: if you have a bugfix that needs to land in both
-`release-vX.Y.Z` *and* `develop`, then you should base your PR on
+`release-vX.Y` *and* `develop`, then you should base your PR on
-`release-vX.Y.Z`, get it merged there, and then merge from `release-vX.Y.Z` to
+`release-vX.Y`, get it merged there, and then merge from `release-vX.Y` to
 `develop`. (If a fix lands in `develop` and we later need it in a
 release-branch, we can of course cherry-pick it, but landing it in the release
 branch first helps reduce the chance of annoying conflicts.)
@@ -145,4 +145,4 @@ most intuitive name. [^](#a1)
 <b id="f3">[3]</b>: Very, very occasionally (I think this has happened once in
 the history of Synapse), we've had two releases in flight at once. Obviously,
-`release-v1.2.3` is more-stable than `release-v1.3.0`. [^](#a3)
+`release-v1.2` is more-stable than `release-v1.3`. [^](#a3)
--- a/docs/development/img/git/branches.jpg
+++ b/docs/development/img/git/branches.jpg
--- a/docs/development/img/git/clean.png
+++ b/docs/development/img/git/clean.png
--- a/docs/development/img/git/squash.png
+++ b/docs/development/img/git/squash.png
--- a/docs/development/internal_documentation/README.md
+++ b/docs/development/internal_documentation/README.md
@@ -0,0 +1,12 @@
 # Internal Documentation
 This section covers implementation documentation for various parts of Synapse.
 If a developer is planning to make a change to a feature of Synapse, it can be useful for
 general documentation of how that feature is implemented to be available. This saves the
 developer time in place of needing to understand how the feature works by reading the
 code.
 Documentation that would be more useful for the perspective of a system administrator,
 rather than a developer who's intending to change to code, should instead be placed
 under the Usage section of the documentation.
--- a/docs/development/room-dag-concepts.md
+++ b/docs/development/room-dag-concepts.md
@@ -0,0 +1,79 @@
 # Room DAG concepts
 ## Edges
 The word "edge" comes from graph theory lingo. An edge is just a connection
 between two events. In Synapse, we connect events by specifying their
 `prev_events`. A subsequent event points back at a previous event.
 ```
 A (oldest) <---- B <---- C (most recent)
 ```
 ## Depth and stream ordering
 Events are normally sorted by `(topological_ordering, stream_ordering)` where
 `topological_ordering` is just `depth`. In other words, we first sort by `depth`
 and then tie-break based on `stream_ordering`. `depth` is incremented as new
 messages are added to the DAG. Normally, `stream_ordering` is an auto
 incrementing integer, but backfilled events start with `stream_ordering=-1` and decrement.
 ---
 - `/sync` returns things in the order they arrive at the server (`stream_ordering`).
 - `/messages` (and `/backfill` in the federation API) return them in the order determined by the event graph `(topological_ordering, stream_ordering)`.
 The general idea is that, if you're following a room in real-time (i.e.
 `/sync`), you probably want to see the messages as they arrive at your server,
 rather than skipping any that arrived late; whereas if you're looking at a
 historical section of timeline (i.e. `/messages`), you want to see the best
 representation of the state of the room as others were seeing it at the time.
 ## Forward extremity
 Most-recent-in-time events in the DAG which are not referenced by any other events' `prev_events` yet.
 The forward extremities of a room are used as the `prev_events` when the next event is sent.
 ## Backwards extremity
 The current marker of where we have backfilled up to and will generally be the
 oldest-in-time events we know of in the DAG.
 This is an event where we haven't fetched all of the `prev_events` for.
 Once we have fetched all of its `prev_events`, it's unmarked as a backwards
 extremity (although we may have formed new backwards extremities from the prev
 events during the backfilling process).
 ## Outliers
 We mark an event as an `outlier` when we haven't figured out the state for the
 room at that point in the DAG yet.
 We won't *necessarily* have the `prev_events` of an `outlier` in the database,
 but it's entirely possible that we *might*. The status of whether we have all of
 the `prev_events` is marked as a [backwards extremity](#backwards-extremity).
 For example, when we fetch the event auth chain or state for a given event, we
 mark all of those claimed auth events as outliers because we haven't done the
 state calculation ourself.
 ## State groups
 For every non-outlier event we need to know the state at that event. Instead of
 storing the full state for each event in the DB (i.e. a `event_id -> state`
 mapping), which is *very* space inefficient when state doesn't change, we
 instead assign each different set of state a "state group" and then have
 mappings of `event_id -> state_group` and `state_group -> state`.
 ### Stage group edges
 TODO: `state_group_edges` is a further optimization...
      notes from @Azrenbeth, https://pastebin.com/seUGVGeT
--- a/docs/development/saml.md
+++ b/docs/development/saml.md
--- a/docs/development/url_previews.md
+++ b/docs/development/url_previews.md
@@ -0,0 +1,51 @@
 URL Previews
 ============
 The `GET /_matrix/media/r0/preview_url` endpoint provides a generic preview API
 for URLs which outputs [Open Graph](https://ogp.me/) responses (with some Matrix
 specific additions).
 This does have trade-offs compared to other designs:
 * Pros:
  * Simple and flexible; can be used by any clients at any point
 * Cons:
  * If each homeserver provides one of these independently, all the HSes in a
    room may needlessly DoS the target URI
  * The URL metadata must be stored somewhere, rather than just using Matrix
    itself to store the media.
  * Matrix cannot be used to distribute the metadata between homeservers.
 When Synapse is asked to preview a URL it does the following:
 1. Checks against a URL blacklist (defined as `url_preview_url_blacklist` in the
   config).
 2. Checks the in-memory cache by URLs and returns the result if it exists. (This
   is also used to de-duplicate processing of multiple in-flight requests at once.)
 3. Kicks off a background process to generate a preview:
   1. Checks the database cache by URL and timestamp and returns the result if it
      has not expired and was successful (a 2xx return code).
   2. Checks if the URL matches an oEmbed pattern. If it does, fetch the oEmbed
      response. If this is an image, replace the URL to fetch and continue. If
      if it is HTML content, use the HTML as the document and continue.
   3. If it doesn't match an oEmbed pattern, downloads the URL and stores it
      into a file via the media storage provider and saves the local media
      metadata.
   5. If the media is an image:
      1. Generates thumbnails.
      2. Generates an Open Graph response based on image properties.
   6. If the media is HTML:
      1. Decodes the HTML via the stored file.
      2. Generates an Open Graph response from the HTML.
      3. If an image exists in the Open Graph response:
         1. Downloads the URL and stores it into a file via the media storage
            provider and saves the local media metadata.
         2. Generates thumbnails.
         3. Updates the Open Graph response based on image properties.
   7. Stores the result in the database cache.
 4. Returns the result.
 The in-memory cache expires after 1 hour.
 Expired entries in the database cache (and their associated media files) are
 deleted every 10 seconds. The default expiration time is 1 hour from download.
--- a/docs/favicon.png
+++ b/docs/favicon.png
--- a/docs/favicon.svg
+++ b/docs/favicon.svg
@@ -0,0 +1,58 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <svg
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   viewBox="0 0 199.7 184.2"
   version="1.1"
   id="svg62"
   sodipodi:docname="mdbook-favicon.svg"
   inkscape:version="1.0.2 (e86c870879, 2021-01-15, custom)">
  <metadata
     id="metadata68">
    <rdf:RDF>
      <cc:Work
         rdf:about="">
        <dc:format>image/svg+xml</dc:format>
        <dc:type
           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
      </cc:Work>
    </rdf:RDF>
  </metadata>
  <defs
     id="defs66" />
  <sodipodi:namedview
     pagecolor="#ffffff"
     bordercolor="#666666"
     borderopacity="1"
     objecttolerance="10"
     gridtolerance="10"
     guidetolerance="10"
     inkscape:pageopacity="0"
     inkscape:pageshadow="2"
     inkscape:window-width="1920"
     inkscape:window-height="1026"
     id="namedview64"
     showgrid="false"
     inkscape:zoom="3.2245912"
     inkscape:cx="84.790185"
     inkscape:cy="117.96478"
     inkscape:window-x="0"
     inkscape:window-y="0"
     inkscape:window-maximized="1"
     inkscape:current-layer="svg62" />
  <style
     id="style58">
    @media (prefers-color-scheme: dark) {
      svg { fill: white; }
    }
  </style>
  <path
     d="m 189.5,36.8 c 0.2,2.8 0,5.1 -0.6,6.8 L 153,162 c -0.6,2.1 -2,3.7 -4.2,5 -2.2,1.2 -4.4,1.9 -6.7,1.9 H 31.4 c -9.6,0 -15.3,-2.8 -17.3,-8.4 -0.8,-2.2 -0.8,-3.9 0.1,-5.2 0.9,-1.2 2.4,-1.8 4.6,-1.8 H 123 c 7.4,0 12.6,-1.4 15.4,-4.1 2.8,-2.7 5.7,-8.9 8.6,-18.4 L 179.9,22.4 c 1.8,-5.9 1,-11.1 -2.2,-15.6 C 174.5,2.3 169.9,0 164,0 H 72.7 c -1,0 -3.1,0.4 -6.1,1.1 L 66.7,0.7 C 64.5,0.2 62.6,0 61,0.1 c -1.6,0.1 -3,0.5 -4.3,1.4 -1.3,0.9 -2.4,1.8 -3.2,2.8 -0.8,1 -1.5,2.2 -2.3,3.8 -0.8,1.6 -1.4,3 -1.9,4.3 -0.5,1.3 -1.1,2.7 -1.8,4.2 -0.7,1.5 -1.3,2.7 -2,3.7 -0.5,0.6 -1.2,1.5 -2,2.5 -0.8,1 -1.6,2 -2.2,2.8 -0.6,0.8 -0.9,1.5 -1.1,2.2 -0.2,0.7 -0.1,1.8 0.2,3.2 0.3,1.4 0.4,2.4 0.4,3.1 -0.3,3 -1.4,6.9 -3.3,11.6 -1.9,4.7 -3.6,8.1 -5.1,10.1 -0.3,0.4 -1.2,1.3 -2.6,2.7 -1.4,1.4 -2.3,2.6 -2.6,3.7 -0.3,0.4 -0.3,1.5 -0.1,3.4 0.3,1.8 0.4,3.1 0.3,3.8 -0.3,2.7 -1.3,6.3 -3,10.8 -2.406801,6.370944 -3.4,8.2 -5,11 -0.2,0.5 -0.9,1.4 -2,2.8 -1.1,1.4 -1.8,2.5 -2,3.4 -0.2,0.6 -0.1,1.8 0.1,3.4 0.2,1.6 0.2,2.8 -0.1,3.6 -0.6,3 -1.8,6.7 -3.6,11 -1.8,4.3 -3.6,7.9 -5.4,11 -0.5,0.8 -1.1,1.7 -2,2.8 -0.8,1.1 -1.5,2 -2,2.8 -0.5,0.8 -0.8,1.6 -1,2.5 -0.1,0.5 0,1.3 0.4,2.3 0.3,1.1 0.4,1.9 0.4,2.6 -0.1,1.1 -0.2,2.6 -0.5,4.4 -0.2,1.8 -0.4,2.9 -0.4,3.2 -1.8,4.8 -1.7,9.9 0.2,15.2 2.2,6.2 6.2,11.5 11.9,15.8 5.7,4.3 11.7,6.4 17.8,6.4 h 110.7 c 5.2,0 10.1,-1.7 14.7,-5.2 4.6,-3.5 7.7,-7.8 9.2,-12.9 l 33,-108.6 c 1.8,-5.8 1,-10.9 -2.2,-15.5 -1.7,-2.5 -4,-4.2 -7.1,-5.4 z M 38.14858,105.59813 60.882735,41.992545 h 10.8 c 6.340631,0 33.351895,0.778957 70.804135,0.970479 -18.18245,63.254766 0,0 -18.18245,63.254766 -23.00947,-0.10382 -63.362955,-0.6218 -72.55584,-0.51966 -18,0.2 -13.6,-0.1 -13.6,-0.1 z m 80.621,-5.891206 c 15.19043,-50.034423 0,1e-5 15.19043,-50.034423 l -11.90624,-0.13228 2.73304,-9.302941 -44.32863,0.07339 -2.532953,8.036036 -11.321128,-0.18864 -17.955519,51.440073 c 0.02698,0.027 4.954586,0.0514 12.187488,0.0717 l -2.997994,9.804886 c 11.36463,0.0271 1.219679,-0.0736 46.117666,-0.31499 l 2.65246,-9.571696 c 7.08021,0.14819 11.59705,0.13117 12.16138,0.1189 z m -56.149615,-3.855606 13.7,-42.5 h 9.8 l 1.194896,32.99936 23.205109,-32.99936 h 9.9 l -13.6,42.5 h -7.099996 l 12.499996,-35.4 -24.50001,35.4 h -6.799995 l -0.8,-35 -10.8,35 z"
     id="path60"
     sodipodi:nodetypes="ccccssccsssccsssccsssssscsssscssscccscscscsccsccccccssssccccccsccsccccccccccccccccccccccccccccc" />
 </svg>
--- a/docs/federate.md
+++ b/docs/federate.md
@@ -14,7 +14,7 @@ you set the `server_name` to match your machine's public DNS hostname.
 For this default configuration to work, you will need to listen for TLS
 connections on port 8448. The preferred way to do that is by using a
-reverse proxy: see [reverse_proxy.md](<reverse_proxy.md>) for instructions
+reverse proxy: see [the reverse proxy documentation](reverse_proxy.md) for instructions
 on how to correctly set one up.
 In some cases you might not want to run Synapse on the machine that has
@@ -23,7 +23,7 @@ traffic to use a different port than 8448. For example, you might want to
 have your user names look like `@user:example.com`, but you want to run
 Synapse on `synapse.example.com` on port 443. This can be done using
 delegation, which allows an admin to control where federation traffic should
-be sent. See [delegate.md](delegate.md) for instructions on how to set this up.
+be sent. See [the delegation documentation](delegate.md) for instructions on how to set this up.
 Once federation has been configured, you should be able to join a room over
 federation. A good place to start is `#synapse:matrix.org` - a room for
@@ -44,8 +44,8 @@ a complicated dance which requires connections in both directions).
 Another common problem is that people on other servers can't join rooms that
 you invite them to. This can be caused by an incorrectly-configured reverse
-proxy: see [reverse_proxy.md](<reverse_proxy.md>) for instructions on how to correctly
+proxy: see [the reverse proxy documentation](reverse_proxy.md) for instructions on how
-configure a reverse proxy.
+to correctly configure a reverse proxy.
 ### Known issues
@@ -63,4 +63,4 @@ release of Synapse.
 If you want to get up and running quickly with a trio of homeservers in a
 private federation, there is a script in the `demo` directory. This is mainly
-useful just for development purposes. See [demo/README](<../demo/README>).
+useful just for development purposes. See [demo/README](https://github.com/matrix-org/synapse/tree/develop/demo/).
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`# This file serves as a blacklist for SyTest tests that we expect will fail in`
							`# Synapse when run under worker mode. For more details, see sytest-blacklist.`
`@@ -66,4 +66,4 @@ for Debian GNU/Linux distribution.`

	`## SEE ALSO`	`## SEE ALSO`

	`synctl(1), synapse_port_db(1), register_new_matrix_user(1)`	`synctl(1), synapse_port_db(1), register_new_matrix_user(1), synapse_review_recent_signups(1)`
`@@ -58,4 +58,4 @@ for Debian GNU/Linux distribution.`

	`## SEE ALSO`	`## SEE ALSO`

	`synctl(1), synapse_port_db(1), hash_password(1)`	`synctl(1), synapse_port_db(1), hash_password(1), synapse_review_recent_signups(1)`
`@@ -84,4 +84,4 @@ Debian GNU/Linux distribution.`

	`## SEE ALSO`	`## SEE ALSO`

	`synctl(1), hash_password(1), register_new_matrix_user(1)`	`synctl(1), hash_password(1), register_new_matrix_user(1), synapse_review_recent_signups(1)`
`@@ -68,4 +68,4 @@ Debian GNU/Linux distribution.`

	`## SEE ALSO`	`## SEE ALSO`

	`synapse_port_db(1), hash_password(1), register_new_matrix_user(1)`	`synapse_port_db(1), hash_password(1), register_new_matrix_user(1), synapse_review_recent_signups(1)`