chore: publish 6.6.3+v1.124.0 release

Reviewed-on: #50
Reviewed-by: 3wordchant <3wordchant@noreply.git.coopcloud.tech>

.drone.yml

@@ -17,17 +17,21 @@ steps:
       DOMAIN: matrix-synapse.swarm-test.autonomic.zone
       STACK_NAME: matrix-synapse
       LETS_ENCRYPT_ENV: production
-      DISCORD_BRIDGE_YAML_VERSION: v1
+      DISCORD_BRIDGE_YAML_VERSION: v2
-      ENTRYPOINT_CONF_VERSION: v1
+      ENTRYPOINT_CONF_VERSION: v3
-      HOMESERVER_YAML_VERSION: v17
+      HOMESERVER_YAML_VERSION: v29
-      LOG_CONFIG_VERSION: v1
+      LOG_CONFIG_VERSION: v2
-      SHARED_SECRET_AUTH_VERSION: v1
+      SHARED_SECRET_AUTH_VERSION: v2
-      SIGNAL_BRIDGE_YAML_VERSION: v1
+      SIGNAL_BRIDGE_YAML_VERSION: v5
-      TELEGRAM_BRIDGE_YAML_VERSION: v1
+      TELEGRAM_BRIDGE_YAML_VERSION: v6
+      PG_BACKUP_VERSION: v1
+      WK_CLIENT_VERSION: v1
+      WK_SERVER_VERSION: v1
+      NGINX_CONFIG_VERSION: v8
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_FORM_SECRET_VERSION: v1
-      SECRET_MACAROON_SECRET_KEY_VERSION: v1
+      SECRET_MACAROON_VERSION: v1
-      SECRET_REGISTRATION_SHARED_SECRET_VERSION: v1
+      SECRET_REGISTRATION_VERSION: v1
 trigger:
   branch:
     - main
@@ -43,7 +47,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -6,6 +6,7 @@ ENABLE_AUTO_UPDATE=true
 LETS_ENCRYPT_ENV=production
 COMPOSE_FILE="compose.yml"
 # POST_DEPLOY_CMDS="db set_admin"
+ENABLE_BACKUPS=true
 
 ## Admin details
 
@@ -32,6 +33,9 @@ ALLOW_PUBLIC_ROOMS_FEDERATION=false
 ENABLE_REGISTRATION=false
 PASSWORD_LOGIN_ENABLED=true
 
+# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
+#REGISTRATION_REQUIRES_TOKEN=true
+
 ## Room auto-join
 
 #AUTO_JOIN_ROOM_ENABLED=1
@@ -64,6 +68,14 @@ ENCRYPTED_BY_DEFAULT=all
 # Set these to keyservers you trust - usually the same as your federation allowlist
 #TRUSTED_KEYSERVERS="trusted_key_servers:\n  - server_name: 'example.com'\n  - server_name: 'example2.com'"
 
+# some optional configs to increase privacy and security
+#REQUIRE_AUTH_FOR_PROFILE_REQUESTS=true
+#LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=true
+#DELETE_STALE_DEVICES_AFTER=1y
+#SESSION_LIFETIME=60d
+#TRACK_PUPPETED_USER_IPS=true
+
+
 ## Retention
 
 ALLOWED_LIFETIME_MAX=4w
@@ -74,6 +86,11 @@ RETENTION_MAX_LIFETIME=4w
 #MEDIA_RETENTION_LOCAL_LIFETIME=30d
 #MEDIA_RETENTION_REMOTE_LIFETIME=14d
 
+## Old Signing Key
+#OLD_SIGNING_KEY_ID=a_OLDKEYID
+#OLD_SIGNING_KEY=base64string
+#OLD_SIGNING_KEY_EXPIRES=123456789123
+
 ## Ratelimit
 
 #LOGIN_LIMIT_IP_PER_SECOND=5
@@ -122,6 +139,13 @@ RETENTION_MAX_LIFETIME=4w
 #SMTP_USER=
 #SECRET_SMTP_PASSWORD_VERSION=v1
 
+## USER-DIRECTORY
+
+#USER_DIRECTORY_ENABLED=true
+#USER_DIRECTORY_SEARCH_ALL_USERS=true
+#USER_DIRECTORY_PREFER_LOCAL_USERS=true
+#USER_DIRECTORY_SHOW_LOCKED_USERS=false
+
 ## App services
 
 #APP_SERVICES_ENABLED=1
@@ -158,6 +182,7 @@ RETENTION_MAX_LIFETIME=4w
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.signal.yml"
 #SIGNAL_ENABLE_ENCRYPTION=true
+#SIGNAL_DEFAULT_ENCRYPTION=true
 #SIGNAL_BRIDGE_PERMISSIONS="{ \"*\": \"relay\" }"
 #SECRET_SIGNAL_AS_TOKEN_VERSION=v1
 #SECRET_SIGNAL_DB_PASSWORD_VERSION=v1
@@ -172,3 +197,8 @@ RETENTION_MAX_LIFETIME=4w
 
 ## Web Client (Redirect)
 #WEB_CLIENT_LOCATION=https://element-web.example.com
+
+
+## Admin interface at /admin
+#COMPOSE_FILE="$COMPOSE_FILE:compose.admin.yml"
+#ADMIN_INTERFACE_ENABLED=1

README.md

@@ -54,8 +54,6 @@ For all Bridges:
 
 ### Telegram bridging
 
-> WIP docs
-
 You need to get your bot setup on the telegram side first by creating a [telegram app](https://my.telegram.org/apps) and a [telegram bot](https://docs.mau.fi/bridges/python/telegram/relay-bot.html#setup) and have these values:
 
 ```
@@ -63,25 +61,36 @@ api_id: ...
 api_hash: ...
 telegram_bot_token: ...
 ```
+Experimental script for a automated token replacement:
+```
+DOMAIN=<domain>
+abra app secret insert $DOMAIN telegram_api_hash v1 <secret>
+abra app secret insert $DOMAIN telegram_bot_token v1 <secret>
+abra app secret generate -a $DOMAIN
 
-A rough guide for the following steps:
+abra app deploy $DOMAIN
+abra app cmd -l $DOMAIN set_bridge_tokens telegram
+```
+
+Alternatively a manual guide for the necessary steps:
 
 ```
-abra app secret insert <domain> telegram_api_hash v1 <secret>
+DOMAIN=<domain>
-abra app secret insert <domain> telegram_bot_token v1 <secret>
+abra app secret insert $DOMAIN telegram_api_hash v1 <secret>
-abra app secret generate -a <domain>
+abra app secret insert $DOMAIN telegram_bot_token v1 <secret>
+abra app secret generate -a $DOMAIN
 
-abra app deploy <domain>
+abra app deploy $DOMAIN
-abra app run matrix.fva.wtf telegram_bridge cat /data/registration.yaml
+abra app run $DOMAIN telegrambridge cat /data/registration.yaml
-abra app undeploy <domain>
+abra app undeploy $DOMAIN
 
-abra app secret rm <domain> telegram_as_token
+abra app secret rm $DOMAIN telegram_as_token
-abra app secret insert <domain> telegram_as_token v1 <secret>
+abra app secret insert $DOMAIN telegram_as_token v1 <secret>
 
-abra app secret rm <domain> telegram_as_token
+abra app secret rm $DOMAIN telegram_hs_token
-abra app secret insert <domain> telegram_hs_token v1 <secret>
+abra app secret insert $DOMAIN telegram_hs_token v1 <secret>
 
-abra app deploy <domain>
+abra app deploy $DOMAIN
 ```
 
 Some helpful documentation:
@@ -110,16 +119,29 @@ Some helpful documentation:
 
 ### Signal bridging
 
-> WIP docs
+Experimental script for a more automated token replacement:
+```
+DOMAIN=<domain>
+abra app secret generate -a $DOMAIN
+abra app deploy $DOMAIN
+abra app cmd -l $DOMAIN set_bridge_tokens signal
+```
+Alternatively a manual guide for the necessary steps:
+```
+DOMAIN=<domain>
+abra app secret insert $DOMAIN signal_hs_token v1 foo
+abra app secret insert $DOMAIN signal_as_token v1 foo
+abra app secret generate $DOMAIN -a
+abra app deploy $DOMAIN
+abra app run $DOMAIN signalbridge cat /data/registration.yaml
 
-OK, it's also awful to set this up. Do you see a pattern emerging :)
+abra app secret rm $DOMAIN signal_as_token
+abra app secret insert $DOMAIN signal_as_token v1 <secret>
+abra app secret rm $DOMAIN signal_hs_token
+abra app secret insert $DOMAIN signal_hs_token v1 <secret>
 
-- fake that you have the required tokens:
+abra app deploy $DOMAIN
-  - `abra app secret insert example.com signal_hs_token v1 foo`
+```
-  - `abra app secret insert example.com signal_as_token v1 foo`
+
-- generate the database password:
+- message `@signalbot:example.com` to test
-  - `abra app secret generate example.com -a`
-- deploy the thing and then check the `/data/registration.yaml`
-- rm the fake `signal_hs/as_token` values and re-insert the new ones from `registration.yaml`
-- re-deploy the whole thing and then it should come up, message `@signalbot:example.com` to test
 - See the [docs](https://docs.mau.fi/bridges/go/signal/authentication.html) for authentication

abra.sh

@@ -1,13 +1,15 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
 export ENTRYPOINT_CONF_VERSION=v3
-export HOMESERVER_YAML_VERSION=v29
+export HOMESERVER_YAML_VERSION=v32
 export LOG_CONFIG_VERSION=v2
-export SHARED_SECRET_AUTH_VERSION=v1
+export SHARED_SECRET_AUTH_VERSION=v2
-export SIGNAL_BRIDGE_YAML_VERSION=v5
+export SIGNAL_BRIDGE_YAML_VERSION=v6
 export TELEGRAM_BRIDGE_YAML_VERSION=v6
-export NGINX_CONFIG_VERSION=v7
+export NGINX_CONFIG_VERSION=v8
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v1
+export PG_BACKUP_VERSION=v1
+export ADMIN_CONFIG_VERSION=v1
 
 set_admin () {
     admin=akadmin
@@ -17,3 +19,36 @@ set_admin () {
     fi
     psql -U synapse -c "UPDATE users SET admin = 1 WHERE name = '@$admin:$DOMAIN'";
 }
+
+set_bridge_tokens() {
+    if [ -z "$1" ]; then
+        echo "Error: Missing parameter. Usage: set_bridge_tokens <BRIDGETYPE>"
+        return 1
+    fi
+
+    BRIDGETYPE=$1
+    echo "retrieve tokens from registration.yaml..."
+    output=$(abra app run $DOMAIN app cat /${BRIDGETYPE}-data/registration.yaml)
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to retrieve registration.yaml for ${BRIDGETYPE} bridge:"
+        echo "$output"
+        return 1
+    fi
+
+    hs_token=$(echo "$output" | sed -n 's/^hs_token:[[:space:]]*\(.*\)$/\1/p')
+    as_token=$(echo "$output" | sed -n 's/^as_token:[[:space:]]*\(.*\)$/\1/p')
+
+    echo "HS Token: $hs_token"
+    echo "AS Token: $as_token"
+    echo "UNDEPLOY $DOMAIN?"
+    abra app undeploy $DOMAIN
+
+    echo "Replacing tokens:"
+    abra app secret rm $DOMAIN ${BRIDGETYPE}_as_token
+    abra app secret insert $DOMAIN ${BRIDGETYPE}_as_token v1 $as_token
+    abra app secret rm $DOMAIN ${BRIDGETYPE}_hs_token
+    abra app secret insert $DOMAIN ${BRIDGETYPE}_hs_token v1 $hs_token
+
+    echo "Redeploying $DOMAIN..."
+    abra app deploy -n $DOMAIN
+}

admin.conf.tmpl

@@ -0,0 +1,3 @@
+{
+  "restrictBaseUrl": "https://{{ env "DOMAIN" }}"
+}

compose.admin.yml

@@ -0,0 +1,46 @@
+---
+version: "3.8"
+
+services:
+  admin:
+    image: awesometechnologies/synapse-admin:0.10.3
+    networks:
+      - proxy
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
+        - "traefik.http.services.${STACK_NAME}_admin.loadbalancer.server.port=80"
+        - "traefik.http.routers.${STACK_NAME}_admin.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})&&PathPrefix(`/admin`)"
+        - "traefik.http.routers.${STACK_NAME}_admin.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}_admin.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}_admin.middlewares=admin,admin_path"
+        - "traefik.http.middlewares.admin.redirectregex.regex=^(.*)/admin/?"
+        - "traefik.http.middlewares.admin.redirectregex.replacement=$${1}/admin/"
+        - "traefik.http.middlewares.admin_path.stripprefix.prefixes=/admin"
+    environment:
+      - DOMAIN
+    configs:
+      - source: admin_config
+        target: /app/config.json
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
+  web:
+    environment:
+      - ADMIN_INTERFACE_ENABLED
+
+
+networks:
+  proxy:
+    external: true
+
+configs:
+  admin_config:
+    name: ${STACK_NAME}_admin_config_${ADMIN_CONFIG_VERSION}
+    file: admin.conf.tmpl
+    template_driver: golang
+

compose.shared_secret_auth.yml

@@ -9,7 +9,7 @@ services:
       - shared_secret_auth
     configs:
       - source: shared_secret_auth
-        target: /usr/local/lib/python3.11/site-packages/shared_secret_authenticator.py
+        target: /usr/local/lib/python3.12/site-packages/shared_secret_authenticator.py
 
 configs:
   shared_secret_auth:

compose.signal.yml

@@ -10,7 +10,7 @@ services:
       - signal-data:/signal-data
 
   signalbridge:
-    image: dock.mau.dev/mautrix/signal:v0.7.1
+    image: dock.mau.dev/mautrix/signal:v0.7.5
     depends_on:
       - signaldb
     configs:
@@ -21,6 +21,7 @@ services:
       - HOMESERVER_URL
       - SIGNAL_BRIDGE_PERMISSIONS
       - SIGNAL_ENABLE_ENCRYPTION
+      - SIGNAL_DEFAULT_ENCRYPTION=${SIGNAL_DEFAULT_ENCRYPTION:-false}
       - VERIFY_SSL
     secrets:
       - signal_as_token
@@ -32,10 +33,6 @@ services:
       - signal-data:/data
     networks:
       - internal
-    deploy:
-      labels:
-          backupbot.backup: "true"
-          backupbot.backup.path: "/data"
 
   signaldb:
     image: postgres:13-alpine
@@ -56,10 +53,13 @@ services:
       - signal-postgres:/var/lib/postgresql/data
     deploy:
       labels:
-          backupbot.backup: "true"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.volumes.signal-postgres.path: "backup.sql"
-          backupbot.backup.post-hook: "rm -r /var/lib/postgresql/data/backup.sql"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
-          backupbot.backup.path: "/var/lib/postgresql/data"
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
 
 configs:
   signal_bridge_yaml:

compose.telegram.yml

@@ -56,6 +56,15 @@ services:
       test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
     volumes:
       - telegram-postgres:/var/lib/postgresql/data
+    deploy:
+      labels:
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.telegram-postgres.path: "backup.sql"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
 
 configs:
   telegram_bridge_yaml:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   web:
-    image: nginx:1.27.1
+    image: nginx:1.27.4
     networks:
       - proxy
       - internal
@@ -30,12 +30,12 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
     healthcheck:
       test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
-      interval: 5s
+      interval: 20s
-      timeout: 3s
+      timeout: 15s
       retries: 20
 
   app:
-    image: "matrixdotorg/synapse:v1.116.0"
+    image: "matrixdotorg/synapse:v1.124.0"
     volumes:
       - "data:/data"
     secrets:
@@ -53,8 +53,21 @@ services:
       - ENABLE_3PID_LOOKUP
       - ENABLE_ALLOWLIST
       - ENABLE_REGISTRATION
+      - REGISTRATION_REQUIRES_TOKEN
       - ENCRYPTED_BY_DEFAULT
+      - OLD_SIGNING_KEY
+      - OLD_SIGNING_KEY_ID
+      - OLD_SIGNING_KEY_EXPIRES
+      - USER_DIRECTORY_ENABLED=${USER_DIRECTORY_ENABLED:-true}
+      - USER_DIRECTORY_SEARCH_ALL_USERS=${USER_DIRECTORY_SEARCH_ALL_USERS:-true}
+      - USER_DIRECTORY_PREFER_LOCAL_USERS=${USER_DIRECTORY_PREFER_LOCAL_USERS:-true}
+      - USER_DIRECTORY_SHOW_LOCKED_USERS=${USER_DIRECTORY_SHOW_LOCKED_USERS:-false}
       - FEDERATION_ALLOWLIST
+      - REQUIRE_AUTH_FOR_PROFILE_REQUESTS=${REQUIRE_AUTH_FOR_PROFILE_REQUESTS:-false}
+      - LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=${LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS:-false}
+      - DELETE_STALE_DEVICES_AFTER
+      - SESSION_LIFETIME
+      - TRACK_PUPPETED_USER_IPS=${TRACK_PUPPETED_USER_IPS:-false}
       - LETSENCRYPT_HOST=${DOMAIN}
       - MEDIA_RETENTION_LOCAL_LIFETIME
       - MEDIA_RETENTION_REMOTE_LIFETIME
@@ -91,7 +104,7 @@ services:
       restart_policy:
         condition: on-failure
       labels:
-        - "coop-cloud.${STACK_NAME}.version=6.4.0+v1.116.0"
+        - "coop-cloud.${STACK_NAME}.version=6.6.3+v1.124.0"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
@@ -124,10 +137,14 @@ services:
       - postgres:/var/lib/postgresql/data
     deploy:
       labels:
-          backupbot.backup: "true"
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
-          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-          backupbot.backup.post-hook: "rm -r /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.volumes.postgres.path: "backup.sql"
-          backupbot.backup.path: "/var/lib/postgresql/data"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
 
 volumes:
   data:
@@ -163,6 +180,9 @@ configs:
     name: ${STACK_NAME}_wk_client_${WK_CLIENT_VERSION}
     file: well_known_client.conf.tmpl
     template_driver: golang
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh
 
 secrets:
   db_password:

homeserver.yaml.tmpl

@@ -16,6 +16,12 @@ server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#public_baseurl
 public_baseurl: https://{{ env "DOMAIN" }}/
 
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#require_auth_for_profile_requests
+require_auth_for_profile_requests: {{ env "REQUIRE_AUTH_FOR_PROFILE_REQUESTS" }}
+
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_profile_requests_to_users_who_share_rooms
+limit_profile_requests_to_users_who_share_rooms: {{ env "LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS" }}
+
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown
 serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
 
@@ -52,6 +58,11 @@ listeners:
       {{ end }}
     {{ end }}
 
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#delete_stale_devices_after
+{{ if (env "DELETE_STALE_DEVICES_AFTER") }}
+delete_stale_devices_after: {{ env "DELETE_STALE_DEVICES_AFTER" }}
+{{ end }}
+
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact
 admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}'
 
@@ -132,6 +143,9 @@ turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration
 enable_registration: {{ env "ENABLE_REGISTRATION" }}
 
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_requires_token
+registration_requires_token: {{ env "REGISTRATION_REQUIRES_TOKEN" }}
+
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup
 enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}
 
@@ -147,9 +161,17 @@ auto_join_rooms:
   - "{{ env "AUTO_JOIN_ROOM" }}"
 {{ end }}
 
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#session_lifetime
+{{ if (env "SESSION_LIFETIME") }}
+session_lifetime: {{ env "SESSION_LIFETIME" }}
+{{ end }}
+
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#report_stats
 report_stats: false
 
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#track_puppeted_user_ips
+track_puppeted_user_ips: {{ env "TRACK_PUPPETED_USER_IPS" }}
+
 {{ if eq (env "APP_SERVICES_ENABLED") "1" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files
 app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }}
@@ -164,6 +186,12 @@ form_secret: "{{ secret "form_secret" }}"
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#signing_key_path
 signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"
 
+# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#old_signing_keys
+{{ if (and (env "OLD_SIGNING_KEY_ID") (env "OLD_SIGNING_KEY") (env "OLD_SIGNING_KEY_EXPIRES")) }}
+old_signing_keys:
+  "ed25519:{{ env "OLD_SIGNING_KEY_ID" }}": { key: "{{ env "OLD_SIGNING_KEY" }}", expired_ts: {{ env "OLD_SIGNING_KEY_EXPIRES" }} }
+{{ end }}
+
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers
 {{ if eq (env "ENABLE_ALLOWLIST") "1" }}
 trusted_key_servers: [] # NOTE(d1): defaults to requesting server directly, which matches FEDERATION_ALLOWLIST
@@ -246,9 +274,10 @@ encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory
 user_directory:
-  enabled: true
+  enabled: {{ env "USER_DIRECTORY_ENABLED" }}
-  search_all_users: true
+  search_all_users: {{ env "USER_DIRECTORY_SEARCH_ALL_USERS" }}
-  prefer_local_users: true
+  prefer_local_users: {{ env "USER_DIRECTORY_PREFER_LOCAL_USERS" }}
+  show_locked_users: {{ env "USER_DIRECTORY_SHOW_LOCKED_USERS" }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention
 media_retention:

nginx.conf.tmpl

@@ -36,5 +36,20 @@ http {
       default_type application/json;
       add_header Access-Control-Allow-Origin  *;
     }
+
+{{ if eq (env "ADMIN_INTERFACE_ENABLED") "1" }}
+    location ^~ /_synapse/admin {
+      if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
+        return 403;
+      }
+      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_set_header Host $host;
+      client_max_body_size 50M;
+      proxy_http_version 1.1;
+    }
+{{ end }}
+
   }
 }

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

release/6.6.1+v1.124.0

@@ -0,0 +1 @@
+added env REGISTRATION_REQUIRES_TOKEN

release/6.6.2+v1.124.0

@@ -0,0 +1 @@
+new optional env vars for user_directory and privacy options

release/6.6.3+v1.124.0

@@ -0,0 +1 @@
+added env for old-signing-keys

signal_bridge.yaml.tmpl

@@ -329,7 +329,7 @@ encryption:
     # Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
     allow: {{ env "SIGNAL_ENABLE_ENCRYPTION" }}
     # Whether to force-enable encryption in all bridged rooms.
-    default: false
+    default: {{ env "SIGNAL_DEFAULT_ENCRYPTION" }}
     # Whether to require all messages to be encrypted and drop any unencrypted messages.
     require: false
     # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.