add alakazam integration file alaconnect.yml

[ci skip]

.env.sample

@@ -1,7 +1,7 @@
 TYPE=matrix-synapse
 DOMAIN=matrix-synapse.example.com
-#TIMEOUT=300
-#ENABLE_AUTO_UPDATE=true
+TIMEOUT=300
+ENABLE_AUTO_UPDATE=true
 LETS_ENCRYPT_ENV=production
 COMPOSE_FILE="compose.yml"
 # POST_DEPLOY_CMDS="db set_admin"
@@ -42,6 +42,13 @@ PASSWORD_LOGIN_ENABLED=true
 SQL_LOG_LEVEL=WARN
 ROOT_LOG_LEVEL=WARN
 
+# for nginx
+NGINX_ACCESS_LOG_LOCATION="/dev/null"
+NGINX_ERROR_LOG_LOCATION="/dev/null"
+# Comment the previous two lines and uncomment these to enable logging
+#NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
+#NGINX_ERROR_LOG_LOCATION="/dev/stderr"
+
 ## Privacy
 
 ENABLE_3PID_LOOKUP=true
@@ -66,6 +73,13 @@ RETENTION_MAX_LIFETIME=4w
 #MEDIA_RETENTION_LOCAL_LIFETIME=30d
 #MEDIA_RETENTION_REMOTE_LIFETIME=14d
 
+## Ratelimit
+
+#LOGIN_LIMIT_IP_PER_SECOND=5
+#LOGIN_LIMIT_IP_BURST=15
+#LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
+#LOGIN_LIMIT_ACCOUNT_BURST=10
+
 ## Keycloak SSO
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
@@ -118,12 +132,12 @@ RETENTION_MAX_LIFETIME=4w
 #APP_SERVICE_BOT_USERNAME=telegrambot
 #APP_SERVICE_DISPLAY_NAME="Telegram bridge bot"
 #APP_SERVICE_ID=
-#HOMESERVER_DOMAIN=
-#HOMESERVER_URL=
+#HOMESERVER_DOMAIN=$DOMAIN
+#HOMESERVER_URL=https://$DOMAIN
 #VERIFY_SSL=false
 #ENABLE_ENCRYPTION=true
 #TELEGRAM_APP_ID=
-#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\" }"
+#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\", \"@foo:matrix.example.com\": \"admin\" }"
 #TELEGRAM_SYNC_CHANNEL_MEMBERS=true
 #SECRET_TELEGRAM_DB_PASSWORD_VERSION=v1
 #SECRET_TELEGRAM_API_HASH_VERSION=v1

README.md

@@ -47,7 +47,7 @@ You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa
 
 Setting it up is a bit of a chicken/egg & chasing cats moment.
 
-You need to get your bot setup on the telegram side first and have these values:
+You need to get your bot setup on the telegram side first by creating a [telegram app](https://my.telegram.org/apps) and a [telegram bot](https://docs.mau.fi/bridges/python/telegram/relay-bot.html#setup) and have these values:
 
 ```
 api_id: ...
@@ -55,7 +55,12 @@ api_hash: ...
 telegram_bot_token: ...
 ```
 
-Here is a rough guide:
+Also: 
+- Make sure to uncomment `APP_SERVICES_ENABLED`
+- include the registration in synapse: `APP_SERVICE_CONFIGS="[\"/telegram-data/registration.yaml\"]"`
+- and set yourself as admin under `TELEGRAM_BRIDGE_PERMISSIONS`
+
+A rough guide for the following steps:
 
 ```
 abra app secret insert <domain> telegram_api_hash v1 <secret>

abra.sh

@@ -1,11 +1,11 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
-export ENTRYPOINT_CONF_VERSION=v1
-export HOMESERVER_YAML_VERSION=v25
+export ENTRYPOINT_CONF_VERSION=v2
+export HOMESERVER_YAML_VERSION=v28
 export LOG_CONFIG_VERSION=v2
 export SHARED_SECRET_AUTH_VERSION=v1
 export SIGNAL_BRIDGE_YAML_VERSION=v4
 export TELEGRAM_BRIDGE_YAML_VERSION=v6
-export NGINX_CONFIG_VERSION=v4
+export NGINX_CONFIG_VERSION=v6
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v1
 
@@ -13,7 +13,7 @@ set_admin () {
     admin=akadmin
     if [ -n "$1" ]
     then
-        admin=$1 
+        admin=$1
     fi
     psql -U synapse -c "UPDATE users SET admin = 1 WHERE name = '@$admin:$DOMAIN'";
 }

alaconnect.yml

@@ -0,0 +1,15 @@
+authentik:
+    env:
+        KEYCLOAK_ID: authentik
+        KEYCLOAK_NAME: sso
+        KEYCLOAK_URL: https://authentik.example.com/application/o/matrix/
+        KEYCLOAK_CLIENT_DOMAIN: https://element-web.example.com
+        KEYCLOAK_ALLOW_EXISTING_USERS: "true"
+        KEYCLOAK_CLIENT_ID: matrix
+    uncomment:
+        - compose.keycloak.yml
+        - KEYCLOAK_ENABLED
+        - KEYCLOAK_CLIENT_ID
+        - SECRET_KEYCLOAK_CLIENT_SECRET_VERSION
+    shared_secrets:
+        matrix_secret: keycloak_client_secret

compose.discord.yml

@@ -2,7 +2,7 @@
 version: "3.8"
 
 services:
-  synapse:
+  app:
     environment:
       - APP_SERVICES_ENABLED
       - APP_SERVICE_CONFIGS

compose.keycloak.yml

@@ -2,13 +2,13 @@
 version: "3.8"
 
 services:
-  synapse:
+  app:
     secrets:
       - db_password
       - form_secret
       - keycloak_client_secret
-      - macaroon_secret_key
-      - registration_shared_secret
+      - macaroon
+      - registration
     environment:
       - KEYCLOAK_CLIENT_DOMAIN
       - KEYCLOAK_CLIENT_ID

compose.keycloak2.yml

@@ -2,7 +2,7 @@
 version: "3.8"
 
 services:
-  synapse:
+  app:
     secrets:
       - keycloak2_client_secret
     environment:

compose.keycloak3.yml

@@ -2,7 +2,7 @@
 version: "3.8"
 
 services:
-  synapse:
+  app:
     secrets:
       - keycloak3_client_secret
     environment:

compose.shared_secret_auth.yml

@@ -2,7 +2,7 @@
 version: "3.8"
 
 services:
-  synapse:
+  app:
     environment:
       - SHARED_SECRET_AUTH_ENABLED
     secrets:

compose.signal.yml

@@ -2,7 +2,7 @@
 version: "3.8"
 
 services:
-  synapse:
+  app:
     environment:
       - APP_SERVICES_ENABLED
       - APP_SERVICE_CONFIGS

compose.smtp.yml

@@ -2,12 +2,12 @@
 version: "3.8"
 
 services:
-  synapse:
+  app:
     secrets:
       - db_password
       - form_secret
-      - macaroon_secret_key
-      - registration_shared_secret
+      - macaroon
+      - registration
       - smtp_password
     environment:
       - SMTP_APP_NAME

compose.telegram.yml

@@ -2,7 +2,7 @@
 version: "3.8"
 
 services:
-  synapse:
+  app:
     environment:
       - APP_SERVICES_ENABLED
       - APP_SERVICE_CONFIGS
@@ -10,7 +10,7 @@ services:
       - telegram-data:/telegram-data
 
   telegrambridge:
-    image: dock.mau.dev/mautrix/telegram:v0.14.2
+    image: dock.mau.dev/mautrix/telegram:v0.15.1
     depends_on:
       - telegramdb
     configs:

compose.turn.yml

@@ -2,12 +2,12 @@
 version: "3.8"
 
 services:
-  synapse:
+  app:
     secrets:
       - db_password
       - form_secret
-      - macaroon_secret_key
-      - registration_shared_secret
+      - macaroon
+      - registration
       - turn_shared_secret
     environment:
       - TURN_ALLOW_GUESTS

compose.yml

@@ -2,13 +2,16 @@
 version: "3.8"
 
 services:
-  app:
-    image: nginx:1.23.3
+  web:
+    image: nginx:1.25.3
     networks:
       - proxy
       - internal
     environment:
+      - DOMAIN
       - STACK_NAME
+      - NGINX_ACCESS_LOG_LOCATION
+      - NGINX_ERROR_LOG_LOCATION
     configs:
       - source: nginx_config
         target: /etc/nginx/nginx.conf
@@ -25,22 +28,20 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=5.0.0+v1.93.0"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
     healthcheck:
-      test: curl -f http://synapse:8008/health || exit 1
+      test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
       interval: 5s
       timeout: 3s
       retries: 20
 
-  synapse:
-    image: "matrixdotorg/synapse:v1.93.0"
+  app:
+    image: "matrixdotorg/synapse:v1.100.0"
     volumes:
       - "data:/data"
     secrets:
       - db_password
-      - registration_shared_secret
-      - macaroon_secret_key
+      - registration
+      - macaroon
       - form_secret
     environment:
       - ALLOWED_LIFETIME_MAX
@@ -70,6 +71,10 @@ services:
       - USER_IPS_MAX_AGE
       - VIRTUAL_HOST=${DOMAIN}
       - VIRTUAL_PORT=8008
+      - LOGIN_LIMIT_IP_PER_SECOND=${LOGIN_LIMIT_IP_PER_SECOND:-0.003}
+      - LOGIN_LIMIT_IP_BURST=${LOGIN_LIMIT_IP_BURST:-5}
+      - LOGIN_LIMIT_ACCOUNT_PER_SECOND=${LOGIN_LIMIT_ACCOUNT_PER_SECOND:-0.003}
+      - LOGIN_LIMIT_ACCOUNT_BURST=${LOGIN_LIMIT_ACCOUNT_BURST:-5}
     networks:
       - internal
     entrypoint: /docker-entrypoint.sh
@@ -81,6 +86,12 @@ services:
       - source: entrypoint_conf
         target: /docker-entrypoint.sh
         mode: 0555
+    deploy:
+      restart_policy:
+        condition: on-failure
+      labels:
+        - "coop-cloud.${STACK_NAME}.version=6.0.2+v1.100.0"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
       interval: 30s
@@ -113,9 +124,9 @@ services:
     deploy:
       labels:
           backupbot.backup: "true"
-          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
-          backupbot.backup.post-hook: "rm -rf /tmp/backup"
-          backupbot.backup.path: "/tmp/backup/"
+          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.post-hook: "rm -r /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.path: "/var/lib/postgresql/data"
 
 volumes:
   data:
@@ -156,10 +167,10 @@ secrets:
   db_password:
     external: true
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-  registration_shared_secret:
+  registration:
     external: true
     name: ${STACK_NAME}_registration_${SECRET_REGISTRATION_VERSION}
-  macaroon_secret_key:
+  macaroon:
     external: true
     name: ${STACK_NAME}_macaroon_${SECRET_MACAROON_VERSION}
   form_secret:

entrypoint.sh.tmpl

@@ -6,6 +6,7 @@ chown 991:991 /data
 
 if [[ ! -f /data/{{ env "DOMAIN" }}.signing.key ]]; then
     /start.py generate
+    chown -R 991:991 /data/*.config /data/*.key
 fi
 
 /start.py

homeserver.yaml.tmpl

@@ -23,7 +23,7 @@ serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
 allow_public_rooms_without_auth: false
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_over_federation
-allow_public_rooms_over_federation: {{ env "ALLOW_PUBLIC_ROOMS_FEDERATION" }}
+allow_public_rooms_over_federation: {{ or (env "ALLOW_PUBLIC_ROOMS_FEDERATION") "true" }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#listeners
 listeners:
@@ -139,7 +139,7 @@ enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}
 allow_guest_access: false
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_shared_secret
-registration_shared_secret: {{ secret "registration_shared_secret" }}
+registration_shared_secret: {{ secret "registration" }}
 
 {{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#auto_join_rooms
@@ -156,7 +156,7 @@ app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }}
 {{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#macaroon_secret_key
-macaroon_secret_key: "{{ secret "macaroon_secret_key" }}"
+macaroon_secret_key: "{{ secret "macaroon" }}"
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#form_secret
 form_secret: "{{ secret "form_secret" }}"
@@ -173,8 +173,8 @@ trusted_key_servers:
 {{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#oidc_providers
+{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
 oidc_providers:
-  {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
   - idp_id: {{ env "KEYCLOAK_ID" }}
     idp_name: {{ env "KEYCLOAK_NAME" }}
     issuer: "{{ env "KEYCLOAK_URL" }}"
@@ -186,7 +186,6 @@ oidc_providers:
       config:
         localpart_template: "{{ "{{ user.preferred_username }}" }}"
         display_name_template: "{{ "{{ user.name }}" }}"
-  {{ end }}
 
   {{ if eq (env "KEYCLOAK2_ENABLED") "1" }}
   - idp_id: {{ env "KEYCLOAK2_ID" }}
@@ -215,22 +214,22 @@ oidc_providers:
         localpart_template: "{{ "{{ user.preferred_username }}" }}"
         display_name_template: "{{ "{{ user.name }}" }}"
   {{ end }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#sso 
+{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
 sso:
-    {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
-    client_whitelist:
-      - https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}
-    {{ end }}
-
+  client_whitelist:
+    - https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config
 password_config:
    enabled: {{ env "PASSWORD_LOGIN_ENABLED" }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email
+{{ if eq (env "SMTP_ENABLED") "1" }}
 email:
-  {{ if eq (env "SMTP_ENABLED") "1" }}
   smtp_host: {{ env "SMTP_HOST" }}
   smtp_port: {{ env "SMTP_PORT" }}
   smtp_user: {{ env "SMTP_USER" }}
@@ -240,7 +239,7 @@ email:
   app_name: {{ env "SMTP_APP_NAME" }}
   enable_notifs: true
   client_base_url: https://{{ env "DOMAIN" }}
-  {{ end }}
+{{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#encryption_enabled_by_default_for_room_type
 encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}
@@ -268,3 +267,12 @@ forget_rooms_on_leave: true
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#opentracing-1
 opentracing:
   enabled: false
+
+# https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html#ratelimiting
+rc_login:
+  address:
+    per_second: {{ env "LOGIN_LIMIT_IP_PER_SECOND" }}
+    burst_count: {{ env "LOGIN_LIMIT_IP_BURST" }}
+  account:
+    per_second: {{ env "LOGIN_LIMIT_ACCOUNT_PER_SECOND" }}
+    burst_count: {{ env "LOGIN_LIMIT_ACCOUNT_BURST" }}

nginx.conf.tmpl

@@ -8,15 +8,15 @@ http {
   server {
     listen 80;
 
-    access_log off;
-    error_log /dev/null;
+    access_log {{ or (env "NGINX_ACCESS_LOG_LOCATION") "/dev/null" }};
+    error_log {{ or (env "NGINX_ERROR_LOG_LOCATION") "/dev/null" }};
 
     server_name {{ env "DOMAIN" }};
 
     location ~* ^(\/_matrix|\/_synapse\/client) {
-      proxy_pass http://{{ env "STACK_NAME"}}_synapse:8008;
+      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
       proxy_set_header X-Forwarded-For $remote_addr;
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto https;
       proxy_set_header Host $host;
       client_max_body_size 50M;
       proxy_http_version 1.1;

release/4.0.0+v1.93.0

@@ -5,4 +5,6 @@ Copy the secrets:
 * `registration_shared_secret` to `registration`
 * `macaroon_secret_key` to `macaroon`
 
+The easiest way to do this is to run `abra app run <matrix.example.com> app bash` BEFORE this upgrade, then `cat /run/secrets/registration_shared_secret`.  If you haven't saved the secrets yet, and would like to, please Ctrl+C out of this upgrade and do that first.
+
 Regeneration of these secrets should also work.

release/5.0.0+v1.93.0

@@ -1,17 +1 @@
-An Nginx proxy has been configured as the entrypoint for Synapse. This is not
-optional. This is done to counteract IP collection in Synapse itself. See more:
-
-!!! You MUST undeploy your Synapse install before upgrading to this version !!!
-
-This is because there have been a service rename in the recipe configuration:
-
-* `app` -> `synapse`
-
-This could break stuff in the recipe, so please report issues if you run into
-anything!
-
-    https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/38
-
-Thanks!
-
--- d1
+It's recommended not to upgrade / downgrade directly to this version (or other 5.y.z versions), because of service renaming which was reverted in 6.0.0+v1.100.0.

release/5.0.1+v1.93.0

@@ -0,0 +1,6 @@
+Logging is now disabled by default. If you want to reënable it, set these options:
+
+```
+NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
+NGINX_ERROR_LOG_LOCATION="/dev/stderr"
+```

release/6.0.0+v1.100.0

@@ -0,0 +1 @@
+If you are upgrading from verison 5.y.z of this recipe, you will need to `undeploy` then `deploy`, because of a service rename which was reverted.