Compare commits
14 Commits
6.5.0+v1.1
...
6.6.1+v1.1
Author | SHA1 | Date | |
---|---|---|---|
61222baaa0 | |||
32721ace23 | |||
5a7b7f04ed | |||
8809f25ab1 | |||
0645a9f487
|
|||
a1d7fdad2d
|
|||
a90ccaa65b | |||
7c0e822940 | |||
d6178fd380 | |||
2a18291f48 | |||
943ed58db4 | |||
09b60947ee | |||
bff6fe9b09 | |||
6f4efd64e8 |
@ -21,13 +21,13 @@ steps:
|
||||
ENTRYPOINT_CONF_VERSION: v3
|
||||
HOMESERVER_YAML_VERSION: v29
|
||||
LOG_CONFIG_VERSION: v2
|
||||
SHARED_SECRET_AUTH_VERSION: v1
|
||||
SHARED_SECRET_AUTH_VERSION: v2
|
||||
SIGNAL_BRIDGE_YAML_VERSION: v5
|
||||
TELEGRAM_BRIDGE_YAML_VERSION: v6
|
||||
PG_BACKUP_VERSION: v1
|
||||
WK_CLIENT_VERSION: v1
|
||||
WK_SERVER_VERSION: v1
|
||||
NGINX_CONFIG_VERSION: v7
|
||||
NGINX_CONFIG_VERSION: v8
|
||||
SECRET_DB_PASSWORD_VERSION: v1
|
||||
SECRET_FORM_SECRET_VERSION: v1
|
||||
SECRET_MACAROON_VERSION: v1
|
||||
@ -47,7 +47,7 @@ steps:
|
||||
from_secret: drone_abra-bot_token
|
||||
fork: true
|
||||
repositories:
|
||||
- coop-cloud/auto-recipes-catalogue-json
|
||||
- toolshed/auto-recipes-catalogue-json
|
||||
|
||||
trigger:
|
||||
event: tag
|
||||
|
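Review bot: The config version list in this pipeline drifts from abra.sh in the same compare: `HOMESERVER_YAML_VERSION: v29` and `SIGNAL_BRIDGE_YAML_VERSION: v5` stay as unchanged context in the first hunk, while abra.sh bumps them to v30 and v6 and adds `ADMIN_CONFIG_VERSION=v1`, which does not appear here at all. If this is .drone.yml (the `steps:`/`from_secret` context suggests it, but the file header is not in view), a CI deploy would presumably render the changed homeserver.yaml.tmpl and signal-bridge.yaml.tmpl under the old config names, and compose.admin.yml would have nothing to substitute for `${ADMIN_CONFIG_VERSION}`. Change the two lines to `HOMESERVER_YAML_VERSION: v30` and `SIGNAL_BRIDGE_YAML_VERSION: v6` and add `ADMIN_CONFIG_VERSION: v1` next to them; longer term, sourcing these values from abra.sh would stop the two lists diverging.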
@ -33,6 +33,9 @@ ALLOW_PUBLIC_ROOMS_FEDERATION=false
|
||||
ENABLE_REGISTRATION=false
|
||||
PASSWORD_LOGIN_ENABLED=true
|
||||
|
||||
# Token based registration. Enable ADMIN_INTERFACE_ENABLED=1 (below) to use the admin interface to generate tokens.
|
||||
#REGISTRATION_REQUIRES_TOKEN=true
|
||||
|
||||
## Room auto-join
|
||||
|
||||
#AUTO_JOIN_ROOM_ENABLED=1
|
||||
@ -159,6 +162,7 @@ RETENTION_MAX_LIFETIME=4w
|
||||
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.signal.yml"
|
||||
#SIGNAL_ENABLE_ENCRYPTION=true
|
||||
#SIGNAL_DEFAULT_ENCRYPTION=true
|
||||
#SIGNAL_BRIDGE_PERMISSIONS="{ \"*\": \"relay\" }"
|
||||
#SECRET_SIGNAL_AS_TOKEN_VERSION=v1
|
||||
#SECRET_SIGNAL_DB_PASSWORD_VERSION=v1
|
||||
@ -173,3 +177,8 @@ RETENTION_MAX_LIFETIME=4w
|
||||
|
||||
## Web Client (Redirect)
|
||||
#WEB_CLIENT_LOCATION=https://element-web.example.com
|
||||
|
||||
|
||||
## Admin interface at /admin
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.admin.yml"
|
||||
#ADMIN_INTERFACE_ENABLED=1
|
||||
|
70
README.md
70
README.md
@ -54,8 +54,6 @@ For all Bridges:
|
||||
|
||||
### Telegram bridging
|
||||
|
||||
> WIP docs
|
||||
|
||||
You need to get your bot setup on the telegram side first by creating a [telegram app](https://my.telegram.org/apps) and a [telegram bot](https://docs.mau.fi/bridges/python/telegram/relay-bot.html#setup) and have these values:
|
||||
|
||||
```
|
||||
@ -63,25 +61,36 @@ api_id: ...
|
||||
api_hash: ...
|
||||
telegram_bot_token: ...
|
||||
```
|
||||
Experimental script for a automated token replacement:
|
||||
```
|
||||
DOMAIN=<domain>
|
||||
abra app secret insert $DOMAIN telegram_api_hash v1 <secret>
|
||||
abra app secret insert $DOMAIN telegram_bot_token v1 <secret>
|
||||
abra app secret generate -a $DOMAIN
|
||||
|
||||
A rough guide for the following steps:
|
||||
abra app deploy $DOMAIN
|
||||
abra app cmd -l $DOMAIN set_bridge_tokens telegram
|
||||
```
|
||||
|
||||
Alternatively a manual guide for the necessary steps:
|
||||
|
||||
```
|
||||
abra app secret insert <domain> telegram_api_hash v1 <secret>
|
||||
abra app secret insert <domain> telegram_bot_token v1 <secret>
|
||||
abra app secret generate -a <domain>
|
||||
DOMAIN=<domain>
|
||||
abra app secret insert $DOMAIN telegram_api_hash v1 <secret>
|
||||
abra app secret insert $DOMAIN telegram_bot_token v1 <secret>
|
||||
abra app secret generate -a $DOMAIN
|
||||
|
||||
abra app deploy <domain>
|
||||
abra app run matrix.fva.wtf telegram_bridge cat /data/registration.yaml
|
||||
abra app undeploy <domain>
|
||||
abra app deploy $DOMAIN
|
||||
abra app run $DOMAIN telegrambridge cat /data/registration.yaml
|
||||
abra app undeploy $DOMAIN
|
||||
|
||||
abra app secret rm <domain> telegram_as_token
|
||||
abra app secret insert <domain> telegram_as_token v1 <secret>
|
||||
abra app secret rm $DOMAIN telegram_as_token
|
||||
abra app secret insert $DOMAIN telegram_as_token v1 <secret>
|
||||
|
||||
abra app secret rm <domain> telegram_as_token
|
||||
abra app secret insert <domain> telegram_hs_token v1 <secret>
|
||||
abra app secret rm $DOMAIN telegram_hs_token
|
||||
abra app secret insert $DOMAIN telegram_hs_token v1 <secret>
|
||||
|
||||
abra app deploy <domain>
|
||||
abra app deploy $DOMAIN
|
||||
```
|
||||
|
||||
Some helpful documentation:
|
||||
@ -110,16 +119,29 @@ Some helpful documentation:
|
||||
|
||||
### Signal bridging
|
||||
|
||||
> WIP docs
|
||||
Experimental script for a more automated token replacement:
|
||||
```
|
||||
DOMAIN=<domain>
|
||||
abra app secret generate -a $DOMAIN
|
||||
abra app deploy $DOMAIN
|
||||
abra app cmd -l $DOMAIN set_bridge_tokens signal
|
||||
```
|
||||
Alternatively a manual guide for the necessary steps:
|
||||
```
|
||||
DOMAIN=<domain>
|
||||
abra app secret insert $DOMAIN signal_hs_token v1 foo
|
||||
abra app secret insert $DOMAIN signal_as_token v1 foo
|
||||
abra app secret generate $DOMAIN -a
|
||||
abra app deploy $DOMAIN
|
||||
abra app run $DOMAIN signalbridge cat /data/registration.yaml
|
||||
|
||||
OK, it's also awful to set this up. Do you see a pattern emerging :)
|
||||
abra app secret rm $DOMAIN signal_as_token
|
||||
abra app secret insert $DOMAIN signal_as_token v1 <secret>
|
||||
abra app secret rm $DOMAIN signal_hs_token
|
||||
abra app secret insert $DOMAIN signal_hs_token v1 <secret>
|
||||
|
||||
- fake that you have the required tokens:
|
||||
- `abra app secret insert example.com signal_hs_token v1 foo`
|
||||
- `abra app secret insert example.com signal_as_token v1 foo`
|
||||
- generate the database password:
|
||||
- `abra app secret generate example.com -a`
|
||||
- deploy the thing and then check the `/data/registration.yaml`
|
||||
- rm the fake `signal_hs/as_token` values and re-insert the new ones from `registration.yaml`
|
||||
- re-deploy the whole thing and then it should come up, message `@signalbot:example.com` to test
|
||||
abra app deploy $DOMAIN
|
||||
```
|
||||
|
||||
- message `@signalbot:example.com` to test
|
||||
- See the [docs](https://docs.mau.fi/bridges/go/signal/authentication.html) for authentication
|
||||
|
42
abra.sh
42
abra.sh
@ -1,14 +1,15 @@
|
||||
export DISCORD_BRIDGE_YAML_VERSION=v2
|
||||
export ENTRYPOINT_CONF_VERSION=v3
|
||||
export HOMESERVER_YAML_VERSION=v29
|
||||
export HOMESERVER_YAML_VERSION=v30
|
||||
export LOG_CONFIG_VERSION=v2
|
||||
export SHARED_SECRET_AUTH_VERSION=v1
|
||||
export SIGNAL_BRIDGE_YAML_VERSION=v5
|
||||
export SHARED_SECRET_AUTH_VERSION=v2
|
||||
export SIGNAL_BRIDGE_YAML_VERSION=v6
|
||||
export TELEGRAM_BRIDGE_YAML_VERSION=v6
|
||||
export NGINX_CONFIG_VERSION=v7
|
||||
export NGINX_CONFIG_VERSION=v8
|
||||
export WK_SERVER_VERSION=v1
|
||||
export WK_CLIENT_VERSION=v1
|
||||
export PG_BACKUP_VERSION=v1
|
||||
export ADMIN_CONFIG_VERSION=v1
|
||||
|
||||
set_admin () {
|
||||
admin=akadmin
|
||||
@ -18,3 +19,36 @@ set_admin () {
|
||||
fi
|
||||
psql -U synapse -c "UPDATE users SET admin = 1 WHERE name = '@$admin:$DOMAIN'";
|
||||
}
|
||||
|
||||
set_bridge_tokens() {
|
||||
if [ -z "$1" ]; then
|
||||
echo "Error: Missing parameter. Usage: set_bridge_tokens <BRIDGETYPE>"
|
||||
return 1
|
||||
fi
|
||||
|
||||
BRIDGETYPE=$1
|
||||
echo "retrieve tokens from registration.yaml..."
|
||||
output=$(abra app run $DOMAIN app cat /${BRIDGETYPE}-data/registration.yaml)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error: Failed to retrieve registration.yaml for ${BRIDGETYPE} bridge:"
|
||||
echo "$output"
|
||||
return 1
|
||||
fi
|
||||
|
||||
hs_token=$(echo "$output" | sed -n 's/^hs_token:[[:space:]]*\(.*\)$/\1/p')
|
||||
as_token=$(echo "$output" | sed -n 's/^as_token:[[:space:]]*\(.*\)$/\1/p')
|
||||
|
||||
echo "HS Token: $hs_token"
|
||||
echo "AS Token: $as_token"
|
||||
echo "UNDEPLOY $DOMAIN?"
|
||||
abra app undeploy $DOMAIN
|
||||
|
||||
echo "Replacing tokens:"
|
||||
abra app secret rm $DOMAIN ${BRIDGETYPE}_as_token
|
||||
abra app secret insert $DOMAIN ${BRIDGETYPE}_as_token v1 $as_token
|
||||
abra app secret rm $DOMAIN ${BRIDGETYPE}_hs_token
|
||||
abra app secret insert $DOMAIN ${BRIDGETYPE}_hs_token v1 $hs_token
|
||||
|
||||
echo "Redeploying $DOMAIN..."
|
||||
abra app deploy -n $DOMAIN
|
||||
}
|
||||
|
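Review bot: `set_bridge_tokens` prints both appservice tokens in clear (`echo "HS Token: $hs_token"` / `echo "AS Token: $as_token"`) and then undeploys the stack and rewrites the secrets without checking that the two `sed` extractions matched anything, so if registration.yaml formats the keys differently than `^hs_token:` expects, both variables are empty, the secrets are removed and the inserts are attempted with an empty value. `echo "UNDEPLOY $DOMAIN?"` also asks a question it never waits for. The as/hs tokens are bearer credentials shared between Synapse and the bridge and should not end up in terminal scrollback or CI logs, so the rewrite below reports only their lengths, refuses to proceed when either is empty, reads an actual confirmation (gate it behind a flag if this is expected to run non-interactively), and quotes every expansion passed to abra. The `set_admin` lines at the top of the hunk are context and that function's body begins outside the hunk.
```shell
set_bridge_tokens() {
  # … unchanged: parameter check and registration.yaml retrieval …

  hs_token=$(echo "$output" | sed -n 's/^hs_token:[[:space:]]*\(.*\)$/\1/p')
  as_token=$(echo "$output" | sed -n 's/^as_token:[[:space:]]*\(.*\)$/\1/p')

  # Never undeploy or touch secrets if either token failed to parse
  if [ -z "$hs_token" ] || [ -z "$as_token" ]; then
    echo "Error: could not parse hs_token/as_token from registration.yaml for ${BRIDGETYPE} bridge"
    return 1
  fi

  # Do not print the values: they are bearer credentials for the appservice
  echo "Parsed hs_token (${#hs_token} chars) and as_token (${#as_token} chars)"

  printf 'Undeploy %s and replace the %s bridge tokens? [y/N] ' "$DOMAIN" "$BRIDGETYPE"
  read -r answer
  case "$answer" in
    [yY]*) ;;
    *) echo "Aborted."; return 1 ;;
  esac
  abra app undeploy "$DOMAIN"

  echo "Replacing tokens:"
  abra app secret rm "$DOMAIN" "${BRIDGETYPE}_as_token"
  abra app secret insert "$DOMAIN" "${BRIDGETYPE}_as_token" v1 "$as_token"
  abra app secret rm "$DOMAIN" "${BRIDGETYPE}_hs_token"
  abra app secret insert "$DOMAIN" "${BRIDGETYPE}_hs_token" v1 "$hs_token"

  # … unchanged: redeploy …
}
```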
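--- /dev/null
+++ b/admin.conf.tmpl
@@ -0,0 +1,3 @@
+{
+"restrictBaseUrl": "https://{{ env "DOMAIN" }}"
+}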
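--- /dev/null
+++ b/compose.admin.yml
@@ -0,0 +1,46 @@
+---
+version: "3.8"
+
+services:
+admin:
+image: awesometechnologies/synapse-admin:0.10.3
+networks:
+- proxy
+deploy:
+labels:
+- "traefik.enable=true"
+- "traefik.docker.network=proxy"
+- "traefik.http.services.${STACK_NAME}_admin.loadbalancer.server.port=80"
+- "traefik.http.routers.${STACK_NAME}_admin.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})&&PathPrefix(`/admin`)"
+- "traefik.http.routers.${STACK_NAME}_admin.entrypoints=web-secure"
+- "traefik.http.routers.${STACK_NAME}_admin.tls.certresolver=${LETS_ENCRYPT_ENV}"
+- "traefik.http.routers.${STACK_NAME}_admin.middlewares=admin,admin_path"
+- "traefik.http.middlewares.admin.redirectregex.regex=^(.*)/admin/?"
+- "traefik.http.middlewares.admin.redirectregex.replacement=$${1}/admin/"
+- "traefik.http.middlewares.admin_path.stripprefix.prefixes=/admin"
+environment:
+- DOMAIN
+configs:
+- source: admin_config
+target: /app/config.json
+healthcheck:
+test: ["CMD", "curl", "-f", "http://localhost"]
+interval: 30s
+timeout: 10s
+retries: 10
+start_period: 1m
+web:
+environment:
+- ADMIN_INTERFACE_ENABLED
+
+
+networks:
+proxy:
+external: true
+
+configs:
+admin_config:
+name: ${STACK_NAME}_admin_config_${ADMIN_CONFIG_VERSION}
+file: admin.conf.tmpl
+template_driver: golang
+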
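Review bot: The two Traefik middlewares are named `admin` and `admin_path` while the router and service on the same lines are namespaced with `${STACK_NAME}`; label-defined middleware names are global per provider, so a second stack on the same proxy that defines `admin` with a different configuration would make Traefik reject the definition for both. Prefix them the same way as the router, e.g. `- "traefik.http.routers.${STACK_NAME}_admin.middlewares=${STACK_NAME}_admin,${STACK_NAME}_admin_path"` and the matching `middlewares.${STACK_NAME}_admin.*` / `middlewares.${STACK_NAME}_admin_path.*` keys. Since this router publishes the admin UI on the public vhost with no auth or IP middleware, consider also adding an `ipallowlist` middleware for operators who do not want the console reachable at all; the SPA itself presumably still requires a Synapse admin access token to do anything, so this is hardening rather than a hole. The `curl` healthcheck assumes the synapse-admin image ships curl, which I cannot confirm from here.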
@ -9,7 +9,7 @@ services:
|
||||
- shared_secret_auth
|
||||
configs:
|
||||
- source: shared_secret_auth
|
||||
target: /usr/local/lib/python3.11/site-packages/shared_secret_authenticator.py
|
||||
target: /usr/local/lib/python3.12/site-packages/shared_secret_authenticator.py
|
||||
|
||||
configs:
|
||||
shared_secret_auth:
|
||||
|
@ -10,7 +10,7 @@ services:
|
||||
- signal-data:/signal-data
|
||||
|
||||
signalbridge:
|
||||
image: dock.mau.dev/mautrix/signal:v0.7.2
|
||||
image: dock.mau.dev/mautrix/signal:v0.7.5
|
||||
depends_on:
|
||||
- signaldb
|
||||
configs:
|
||||
@ -21,6 +21,7 @@ services:
|
||||
- HOMESERVER_URL
|
||||
- SIGNAL_BRIDGE_PERMISSIONS
|
||||
- SIGNAL_ENABLE_ENCRYPTION
|
||||
- SIGNAL_DEFAULT_ENCRYPTION=${SIGNAL_DEFAULT_ENCRYPTION:-false}
|
||||
- VERIFY_SSL
|
||||
secrets:
|
||||
- signal_as_token
|
||||
|
@ -3,7 +3,7 @@ version: "3.8"
|
||||
|
||||
services:
|
||||
web:
|
||||
image: nginx:1.27.2
|
||||
image: nginx:1.27.4
|
||||
networks:
|
||||
- proxy
|
||||
- internal
|
||||
@ -35,7 +35,7 @@ services:
|
||||
retries: 20
|
||||
|
||||
app:
|
||||
image: "matrixdotorg/synapse:v1.117.0"
|
||||
image: "matrixdotorg/synapse:v1.124.0"
|
||||
volumes:
|
||||
- "data:/data"
|
||||
secrets:
|
||||
@ -53,6 +53,7 @@ services:
|
||||
- ENABLE_3PID_LOOKUP
|
||||
- ENABLE_ALLOWLIST
|
||||
- ENABLE_REGISTRATION
|
||||
- REGISTRATION_REQUIRES_TOKEN
|
||||
- ENCRYPTED_BY_DEFAULT
|
||||
- FEDERATION_ALLOWLIST
|
||||
- LETSENCRYPT_HOST=${DOMAIN}
|
||||
@ -91,7 +92,7 @@ services:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
labels:
|
||||
- "coop-cloud.${STACK_NAME}.version=6.5.0+v1.117.0"
|
||||
- "coop-cloud.${STACK_NAME}.version=6.6.1+v1.124.0"
|
||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
|
||||
|
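Review bot: `- REGISTRATION_REQUIRES_TOKEN` is passed through without a default, but .env.sample in this same compare leaves it commented out, so for most deployments the variable is unset and homeserver.yaml.tmpl renders `registration_requires_token:` with no value. The compose.signal.yml hunk in this compare already uses the safer form for its new variable; mirror it here with `- REGISTRATION_REQUIRES_TOKEN=${REGISTRATION_REQUIRES_TOKEN:-false}` so the rendered config always contains an explicit boolean. The `app:` service definition starts and ends outside this hunk.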
@ -132,6 +132,8 @@ turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration
|
||||
enable_registration: {{ env "ENABLE_REGISTRATION" }}
|
||||
|
||||
registration_requires_token: {{ env "REGISTRATION_REQUIRES_TOKEN" }}
|
||||
|
||||
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup
|
||||
enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}
|
||||
|
||||
|
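Review bot: `registration_requires_token:` is the only key in this stanza without the documentation link comment its neighbours carry; add `# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_requires_token` above it to keep the file's convention. Separately, the bare `{{ env "REGISTRATION_REQUIRES_TOKEN" }}` renders as an empty value (YAML null) whenever the variable is not exported, which is the .env.sample default in this compare, so either confirm Synapse treats null as false here or guarantee a value on the compose side. The enclosing document continues outside this hunk.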
@ -36,5 +36,20 @@ http {
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
|
||||
{{ if eq (env "ADMIN_INTERFACE_ENABLED") "1" }}
|
||||
location ^~ /_synapse/admin {
|
||||
if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
|
||||
return 403;
|
||||
}
|
||||
proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Host $host;
|
||||
client_max_body_size 50M;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
}
|
||||
}
|
||||
|
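Review bot: The new `/_synapse/admin` location uses `$http_referer` as its gate, but the Referer header is chosen by the client, so any caller bypasses the 403 by sending `Referer: https://DOMAIN/admin/`; in practice the check only breaks legitimate non-browser use of the admin API (curl, scripts) while stopping no deliberate attacker. The real authorization is Synapse's admin access token, so either label the check honestly with a comment such as `# Referer is client-controlled: this filters accidental browser requests only; Synapse's admin token is the real authz` or replace it with a source restriction (`allow <admin-cidr>; deny all;`) if the goal is to limit exposure of the admin API. Note also that `{{ env "DOMAIN" }}` is interpolated into the regex unescaped, so dots in the domain match any character. The enclosing `http {` / `server {` blocks begin outside this hunk.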
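--- /dev/null
+++ b/release/6.6.1+v1.124.0
@@ -0,0 +1 @@
+added env REGISTRATION_REQUIRES_TOKEN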
@ -329,7 +329,7 @@ encryption:
|
||||
# Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
|
||||
allow: {{ env "SIGNAL_ENABLE_ENCRYPTION" }}
|
||||
# Whether to force-enable encryption in all bridged rooms.
|
||||
default: false
|
||||
default: {{ env "SIGNAL_DEFAULT_ENCRYPTION" }}
|
||||
# Whether to require all messages to be encrypted and drop any unencrypted messages.
|
||||
require: false
|
||||
# Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
|
||||
|