chore: publish 5.0.5+v1.100.0 release

This reverts commit bdf8e11dc5.

.env.sample

@@ -42,6 +42,13 @@ PASSWORD_LOGIN_ENABLED=true
 SQL_LOG_LEVEL=WARN
 ROOT_LOG_LEVEL=WARN
 
+# for nginx
+NGINX_ACCESS_LOG_LOCATION="/dev/null"
+NGINX_ERROR_LOG_LOCATION="/dev/null"
+# Comment the previous two lines and uncomment these to enable logging
+#NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
+#NGINX_ERROR_LOG_LOCATION="/dev/stderr"
+
 ## Privacy
 
 ENABLE_3PID_LOOKUP=true
@@ -66,6 +73,13 @@ RETENTION_MAX_LIFETIME=4w
 #MEDIA_RETENTION_LOCAL_LIFETIME=30d
 #MEDIA_RETENTION_REMOTE_LIFETIME=14d
 
+## Ratelimit
+
+#LOGIN_LIMIT_IP_PER_SECOND=5
+#LOGIN_LIMIT_IP_BURST=15
+#LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
+#LOGIN_LIMIT_ACCOUNT_BURST=10
+
 ## Keycloak SSO
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
@@ -118,12 +132,12 @@ RETENTION_MAX_LIFETIME=4w
 #APP_SERVICE_BOT_USERNAME=telegrambot
 #APP_SERVICE_DISPLAY_NAME="Telegram bridge bot"
 #APP_SERVICE_ID=
-#HOMESERVER_DOMAIN=
+#HOMESERVER_DOMAIN=$DOMAIN
-#HOMESERVER_URL=
+#HOMESERVER_URL=https://$DOMAIN
 #VERIFY_SSL=false
 #ENABLE_ENCRYPTION=true
 #TELEGRAM_APP_ID=
-#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\" }"
+#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\", \"@foo:matrix.example.com\": \"admin\" }"
 #TELEGRAM_SYNC_CHANNEL_MEMBERS=true
 #SECRET_TELEGRAM_DB_PASSWORD_VERSION=v1
 #SECRET_TELEGRAM_API_HASH_VERSION=v1

README.md

@@ -47,7 +47,7 @@ You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa
 
 Setting it up is a bit of a chicken/egg & chasing cats moment.
 
-You need to get your bot setup on the telegram side first and have these values:
+You need to get your bot setup on the telegram side first by creating a [telegram app](https://my.telegram.org/apps) and a [telegram bot](https://docs.mau.fi/bridges/python/telegram/relay-bot.html#setup) and have these values:
 
 ```
 api_id: ...
@@ -55,7 +55,12 @@ api_hash: ...
 telegram_bot_token: ...
 ```
 
-Here is a rough guide:
+Also: 
+- Make sure to uncomment `APP_SERVICES_ENABLED`
+- include the registration in synapse: `APP_SERVICE_CONFIGS="[\"/telegram-data/registration.yaml\"]"`
+- and set yourself as admin under `TELEGRAM_BRIDGE_PERMISSIONS`
+
+A rough guide for the following steps:
 
 ```
 abra app secret insert <domain> telegram_api_hash v1 <secret>

abra.sh

@@ -1,11 +1,11 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
-export ENTRYPOINT_CONF_VERSION=v1
+export ENTRYPOINT_CONF_VERSION=v2
-export HOMESERVER_YAML_VERSION=v26
+export HOMESERVER_YAML_VERSION=v27
 export LOG_CONFIG_VERSION=v2
 export SHARED_SECRET_AUTH_VERSION=v1
 export SIGNAL_BRIDGE_YAML_VERSION=v4
 export TELEGRAM_BRIDGE_YAML_VERSION=v6
-export NGINX_CONFIG_VERSION=v4
+export NGINX_CONFIG_VERSION=v5
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v1
 

compose.telegram.yml

@@ -10,7 +10,7 @@ services:
       - telegram-data:/telegram-data
 
   telegrambridge:
-    image: dock.mau.dev/mautrix/telegram:v0.14.2
+    image: dock.mau.dev/mautrix/telegram:v0.15.1
     depends_on:
       - telegramdb
     configs:

compose.yml

@@ -3,12 +3,14 @@ version: "3.8"
 
 services:
   app:
-    image: nginx:1.23.3
+    image: nginx:1.25.3
     networks:
       - proxy
       - internal
     environment:
       - STACK_NAME
+      - NGINX_ACCESS_LOG_LOCATION
+      - NGINX_ERROR_LOG_LOCATION
     configs:
       - source: nginx_config
         target: /etc/nginx/nginx.conf
@@ -25,7 +27,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=5.0.0+v1.93.0"
+        - "coop-cloud.${STACK_NAME}.version=5.0.5+v1.100.0"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
     healthcheck:
       test: curl -f http://synapse:8008/health || exit 1
@@ -34,7 +36,7 @@ services:
       retries: 20
 
   synapse:
-    image: "matrixdotorg/synapse:v1.93.0"
+    image: "matrixdotorg/synapse:v1.100.0"
     volumes:
       - "data:/data"
     secrets:
@@ -70,6 +72,10 @@ services:
       - USER_IPS_MAX_AGE
       - VIRTUAL_HOST=${DOMAIN}
       - VIRTUAL_PORT=8008
+      - LOGIN_LIMIT_IP_PER_SECOND=${LOGIN_LIMIT_IP_PER_SECOND:-0.003}
+      - LOGIN_LIMIT_IP_BURST=${LOGIN_LIMIT_IP_BURST:-5}
+      - LOGIN_LIMIT_ACCOUNT_PER_SECOND=${LOGIN_LIMIT_ACCOUNT_PER_SECOND:-0.003}
+      - LOGIN_LIMIT_ACCOUNT_BURST=${LOGIN_LIMIT_ACCOUNT_BURST:-5}
     networks:
       - internal
     entrypoint: /docker-entrypoint.sh

entrypoint.sh.tmpl

@@ -6,6 +6,7 @@ chown 991:991 /data
 
 if [[ ! -f /data/{{ env "DOMAIN" }}.signing.key ]]; then
     /start.py generate
+    chown -R 991:991 /data/*.config /data/*.key
 fi
 
 /start.py

homeserver.yaml.tmpl

@@ -267,3 +267,12 @@ forget_rooms_on_leave: true
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#opentracing-1
 opentracing:
   enabled: false
+
+# https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html#ratelimiting
+rc_login:
+  address:
+    per_second: {{ env "LOGIN_LIMIT_IP_PER_SECOND" }}
+    burst_count: {{ env "LOGIN_LIMIT_IP_BURST" }}
+  account:
+    per_second: {{ env "LOGIN_LIMIT_ACCOUNT_PER_SECOND" }}
+    burst_count: {{ env "LOGIN_LIMIT_ACCOUNT_BURST" }}

nginx.conf.tmpl

@@ -8,15 +8,15 @@ http {
   server {
     listen 80;
 
-    access_log off;
+    access_log {{ env "NGINX_ACCESS_LOG_LOCATION" }};
-    error_log /dev/null;
+    error_log {{ env "NGINX_ERROR_LOG_LOCATION" }};
 
     server_name {{ env "DOMAIN" }};
 
     location ~* ^(\/_matrix|\/_synapse\/client) {
       proxy_pass http://{{ env "STACK_NAME"}}_synapse:8008;
       proxy_set_header X-Forwarded-For $remote_addr;
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto https;
       proxy_set_header Host $host;
       client_max_body_size 50M;
       proxy_http_version 1.1;

release/5.0.1+v1.93.0

@@ -0,0 +1,8 @@
+take care when upgrading! You need to add two variables to your .env file:
+use the following if you don't want any access logs (including users' IP addresses):
+NGINX_ACCESS_LOG_LOCATION="/dev/null"
+NGINX_ERROR_LOG_LOCATION="/dev/null"
+
+use the following if you want logs:
+NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
+NGINX_ERROR_LOG_LOCATION="/dev/stderr"