chore: publish 3.9.0+v1.87.0 release

2023-07-18 21:33:23 +02:00
28 changed files with 984 additions and 1008 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -17,21 +17,17 @@ steps:
      DOMAIN: matrix-synapse.swarm-test.autonomic.zone
      STACK_NAME: matrix-synapse
      LETS_ENCRYPT_ENV: production
-      DISCORD_BRIDGE_YAML_VERSION: v2
+      DISCORD_BRIDGE_YAML_VERSION: v1
-      ENTRYPOINT_CONF_VERSION: v3
+      ENTRYPOINT_CONF_VERSION: v1
-      HOMESERVER_YAML_VERSION: v29
+      HOMESERVER_YAML_VERSION: v17
-      LOG_CONFIG_VERSION: v2
+      LOG_CONFIG_VERSION: v1
-      SHARED_SECRET_AUTH_VERSION: v2
+      SHARED_SECRET_AUTH_VERSION: v1
-      SIGNAL_BRIDGE_YAML_VERSION: v5
+      SIGNAL_BRIDGE_YAML_VERSION: v1
-      TELEGRAM_BRIDGE_YAML_VERSION: v6
+      TELEGRAM_BRIDGE_YAML_VERSION: v1
      PG_BACKUP_VERSION: v1
      WK_CLIENT_VERSION: v1
      WK_SERVER_VERSION: v1
      NGINX_CONFIG_VERSION: v8
      SECRET_DB_PASSWORD_VERSION: v1
      SECRET_FORM_SECRET_VERSION: v1
-      SECRET_MACAROON_VERSION: v1
+      SECRET_MACAROON_SECRET_KEY_VERSION: v1
-      SECRET_REGISTRATION_VERSION: v1
+      SECRET_REGISTRATION_SHARED_SECRET_VERSION: v1
 trigger:
  branch:
    - main
@ -47,7 +43,7 @@ steps:
        from_secret: drone_abra-bot_token
      fork: true
      repositories:
-        - toolshed/auto-recipes-catalogue-json
+        - coop-cloud/auto-recipes-catalogue-json
 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,23 +1,18 @@
 TYPE=matrix-synapse
-DOMAIN=matrix-synapse.example.com
+DOMAIN=matrix.example.com
 # SERVER_NAME=example.com
 TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
 LETS_ENCRYPT_ENV=production
 COMPOSE_FILE="compose.yml"
 # POST_DEPLOY_CMDS="db set_admin"
 ENABLE_BACKUPS=true
 ## Admin details
-ADMIN_EMAIL=admin@example.com
+SYNAPSE_ADMIN_EMAIL=admin@example.com
 ## Secrets
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_FORM_SECRET_VERSION=v1
-SECRET_MACAROON_VERSION=v1
+SECRET_MACAROON_SECRET_KEY_VERSION=v1
-SECRET_REGISTRATION_VERSION=v1
+SECRET_REGISTRATION_SHARED_SECRET_VERSION=v1
 ## Federation
@ -26,16 +21,11 @@ SECRET_REGISTRATION_VERSION=v1
 # Set "true" to enable federation endpoint on $DOMAIN/.well-known/matrix/server
 SERVE_SERVER_WELLKNOWN=false
 ALLOW_PUBLIC_ROOMS_FEDERATION=false
 ## Registration
 ENABLE_REGISTRATION=false
 PASSWORD_LOGIN_ENABLED=true
 # Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
 #REGISTRATION_REQUIRES_TOKEN=true
 ## Room auto-join
 #AUTO_JOIN_ROOM_ENABLED=1
@ -47,13 +37,6 @@ PASSWORD_LOGIN_ENABLED=true
 SQL_LOG_LEVEL=WARN
 ROOT_LOG_LEVEL=WARN
 # for nginx
 NGINX_ACCESS_LOG_LOCATION="/dev/null"
 NGINX_ERROR_LOG_LOCATION="/dev/null"
 # Comment the previous two lines and uncomment these to enable logging
 #NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
 #NGINX_ERROR_LOG_LOCATION="/dev/stderr"
 ## Privacy
 ENABLE_3PID_LOOKUP=true
@ -68,14 +51,6 @@ ENCRYPTED_BY_DEFAULT=all
 # Set these to keyservers you trust - usually the same as your federation allowlist
 #TRUSTED_KEYSERVERS="trusted_key_servers:\n  - server_name: 'example.com'\n  - server_name: 'example2.com'"
 # some optional configs to increase privacy and security
 #REQUIRE_AUTH_FOR_PROFILE_REQUESTS=true
 #LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=true
 #DELETE_STALE_DEVICES_AFTER=1y
 #SESSION_LIFETIME=60d
 #TRACK_PUPPETED_USER_IPS=true
 ## Retention
 ALLOWED_LIFETIME_MAX=4w
@ -86,18 +61,6 @@ RETENTION_MAX_LIFETIME=4w
 #MEDIA_RETENTION_LOCAL_LIFETIME=30d
 #MEDIA_RETENTION_REMOTE_LIFETIME=14d
 ## Old Signing Key
 #OLD_SIGNING_KEY_ID=a_OLDKEYID
 #OLD_SIGNING_KEY=base64string
 #OLD_SIGNING_KEY_EXPIRES=123456789123
 ## Ratelimit
 #LOGIN_LIMIT_IP_PER_SECOND=5
 #LOGIN_LIMIT_IP_BURST=15
 #LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
 #LOGIN_LIMIT_ACCOUNT_BURST=10
 ## Keycloak SSO
 #COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
@ -139,13 +102,6 @@ RETENTION_MAX_LIFETIME=4w
 #SMTP_USER=
 #SECRET_SMTP_PASSWORD_VERSION=v1
 ## USER-DIRECTORY
 #USER_DIRECTORY_ENABLED=true
 #USER_DIRECTORY_SEARCH_ALL_USERS=true
 #USER_DIRECTORY_PREFER_LOCAL_USERS=true
 #USER_DIRECTORY_SHOW_LOCKED_USERS=false
 ## App services
 #APP_SERVICES_ENABLED=1
@ -157,12 +113,12 @@ RETENTION_MAX_LIFETIME=4w
 #APP_SERVICE_BOT_USERNAME=telegrambot
 #APP_SERVICE_DISPLAY_NAME="Telegram bridge bot"
 #APP_SERVICE_ID=
-#HOMESERVER_DOMAIN=$DOMAIN
+#HOMESERVER_DOMAIN=
-#HOMESERVER_URL=https://$DOMAIN
+#HOMESERVER_URL=
 #VERIFY_SSL=false
 #ENABLE_ENCRYPTION=true
 #TELEGRAM_APP_ID=
-#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\", \"@foo:matrix.example.com\": \"admin\" }"
+#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\" }"
 #TELEGRAM_SYNC_CHANNEL_MEMBERS=true
 #SECRET_TELEGRAM_DB_PASSWORD_VERSION=v1
 #SECRET_TELEGRAM_API_HASH_VERSION=v1
@ -182,23 +138,13 @@ RETENTION_MAX_LIFETIME=4w
 #COMPOSE_FILE="$COMPOSE_FILE:compose.signal.yml"
 #SIGNAL_ENABLE_ENCRYPTION=true
 #SIGNAL_DEFAULT_ENCRYPTION=true
 #SIGNAL_BRIDGE_PERMISSIONS="{ \"*\": \"relay\" }"
 #SECRET_SIGNAL_AS_TOKEN_VERSION=v1
 #SECRET_SIGNAL_DB_PASSWORD_VERSION=v1
 #SECRET_SIGNAL_HS_TOKEN_VERSION=v1
 #SECRET_SIGNAL_PICKLE_KEY_VERSION=v1
 ## Shared auth
 #COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
 #SHARED_SECRET_AUTH_ENABLED=1
 #SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
 ## Web Client (Redirect)
 #WEB_CLIENT_LOCATION=https://element-web.example.com
 ## Admin interface at /admin
 #COMPOSE_FILE="$COMPOSE_FILE:compose.admin.yml"
 #ADMIN_INTERFACE_ENABLED=1
--- a/README.md
+++ b/README.md
@ -24,14 +24,6 @@
 ## Tips & Tricks
 ### Create User
 `register_new_matrix_user -u <username> -k $(cat /var/run/secrets/registration) -p <password>`
 ### Set Admin User
 `abra app cmd YOURAPPDOMAIN db set_admin <adminuser>`
 ### Disabling federation
 - Use `DISABLE_FEDERATION=1` to turn off federation listeners
@ -45,52 +37,38 @@ See [`#27`](https://git.coopcloud.tech/coop-cloud/matrix-synapse/pulls/27) for m
 You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa/well-known-uris). This could be implemented in this recipe but we haven't merged it in yet. Change sets are welcome.
 ## Bridges
 For all Bridges:
 - Setting it up is a bit of a chicken/egg & chasing cats moment.
 - Make sure to uncomment `APP_SERVICES_ENABLED`, `HOMESERVER_URL`, `HOMESERVER_DOMAIN`, `compose.shared_secret_auth.yml`, `SHARED_SECRET_AUTH_ENABLED` and `SECRET_SHARED_SECRET_AUTH_VERSION`
 - include the registration in synapse, e.g. `APP_SERVICE_CONFIGS="[\"/telegram-data/registration.yaml\"]"`
 - and set yourself as admin, e.g.: `TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\", \"@akadmin:example.com\": \"admin\"}"`
 ### Telegram bridging
-You need to get your bot setup on the telegram side first by creating a [telegram app](https://my.telegram.org/apps) and a [telegram bot](https://docs.mau.fi/bridges/python/telegram/relay-bot.html#setup) and have these values:
+> WIP docs
 Setting it up is a bit of a chicken/egg & chasing cats moment.
 You need to get your bot setup on the telegram side first and have these values:
 ```
 api_id: ...
 api_hash: ...
 telegram_bot_token: ...
 ```
 Experimental script for a automated token replacement:
 ```
 DOMAIN=<domain>
 abra app secret insert $DOMAIN telegram_api_hash v1 <secret>
 abra app secret insert $DOMAIN telegram_bot_token v1 <secret>
 abra app secret generate -a $DOMAIN
-abra app deploy $DOMAIN
+Here is a rough guide:
 abra app cmd -l $DOMAIN set_bridge_tokens telegram
 ```
 Alternatively a manual guide for the necessary steps:
 ```
-DOMAIN=<domain>
+abra app secret insert <domain> telegram_api_hash v1 <secret>
-abra app secret insert $DOMAIN telegram_api_hash v1 <secret>
+abra app secret insert <domain> telegram_bot_token v1 <secret>
-abra app secret insert $DOMAIN telegram_bot_token v1 <secret>
+abra app secret generate -a <domain>
 abra app secret generate -a $DOMAIN
-abra app deploy $DOMAIN
+abra app deploy <domain>
-abra app run $DOMAIN telegrambridge cat /data/registration.yaml
+abra app run matrix.fva.wtf telegram_bridge cat /data/registration.yaml
-abra app undeploy $DOMAIN
+abra app undeploy <domain>
-abra app secret rm $DOMAIN telegram_as_token
+abra app secret rm <domain> telegram_as_token
-abra app secret insert $DOMAIN telegram_as_token v1 <secret>
+abra app secret insert <domain> telegram_as_token v1 <secret>
-abra app secret rm $DOMAIN telegram_hs_token
+abra app secret rm <domain> telegram_as_token
-abra app secret insert $DOMAIN telegram_hs_token v1 <secret>
+abra app secret insert <domain> telegram_hs_token v1 <secret>
-abra app deploy $DOMAIN
+abra app deploy <domain>
 ```
 Some helpful documentation:
@ -119,29 +97,15 @@ Some helpful documentation:
 ### Signal bridging
-Experimental script for a more automated token replacement:
+> WIP docs
 ```
 DOMAIN=<domain>
 abra app secret generate -a $DOMAIN
 abra app deploy $DOMAIN
 abra app cmd -l $DOMAIN set_bridge_tokens signal
 ```
 Alternatively a manual guide for the necessary steps:
 ```
 DOMAIN=<domain>
 abra app secret insert $DOMAIN signal_hs_token v1 foo
 abra app secret insert $DOMAIN signal_as_token v1 foo
 abra app secret generate $DOMAIN -a
 abra app deploy $DOMAIN
 abra app run $DOMAIN signalbridge cat /data/registration.yaml
-abra app secret rm $DOMAIN signal_as_token
+OK, it's also awful to set this up. Do you see a pattern emerging :)
 abra app secret insert $DOMAIN signal_as_token v1 <secret>
 abra app secret rm $DOMAIN signal_hs_token
 abra app secret insert $DOMAIN signal_hs_token v1 <secret>
-abra app deploy $DOMAIN
+- fake that you have the required tokens:
-```
+  - `abra app secret insert example.com signal_hs_token v1 foo`
-
+  - `abra app secret insert example.com signal_as_token v1 foo`
- message `@signalbot:example.com` to test
+- generate the database password:
- See the [docs](https://docs.mau.fi/bridges/go/signal/authentication.html) for authentication
+  - `abra app secret generate example.com -a`
 - deploy the thing and then check the `/data/registration.yaml`
 - rm the fake `signal_hs/as_token` values and re-insert the new ones from `registration.yaml`
 - re-deploy the whole thing and then it should come up, message `@signalbot:example.com` to test
--- a/abra.sh
+++ b/abra.sh
@ -1,54 +1,7 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
-export ENTRYPOINT_CONF_VERSION=v3
+export ENTRYPOINT_CONF_VERSION=v1
-export HOMESERVER_YAML_VERSION=v32
+export HOMESERVER_YAML_VERSION=v22
 export LOG_CONFIG_VERSION=v2
-export SHARED_SECRET_AUTH_VERSION=v2
+export SHARED_SECRET_AUTH_VERSION=v1
-export SIGNAL_BRIDGE_YAML_VERSION=v6
+export SIGNAL_BRIDGE_YAML_VERSION=v4
 export TELEGRAM_BRIDGE_YAML_VERSION=v6
 export NGINX_CONFIG_VERSION=v8
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v1
 export PG_BACKUP_VERSION=v1
 export ADMIN_CONFIG_VERSION=v1
 set_admin () {
    admin=akadmin
    if [ -n "$1" ]
    then
        admin=$1
    fi
    psql -U synapse -c "UPDATE users SET admin = 1 WHERE name = '@$admin:$DOMAIN'";
 }
 set_bridge_tokens() {
    if [ -z "$1" ]; then
        echo "Error: Missing parameter. Usage: set_bridge_tokens <BRIDGETYPE>"
        return 1
    fi
    BRIDGETYPE=$1
    echo "retrieve tokens from registration.yaml..."
    output=$(abra app run $DOMAIN app cat /${BRIDGETYPE}-data/registration.yaml)
    if [ $? -ne 0 ]; then
        echo "Error: Failed to retrieve registration.yaml for ${BRIDGETYPE} bridge:"
        echo "$output"
        return 1
    fi
    hs_token=$(echo "$output" | sed -n 's/^hs_token:[[:space:]]*\(.*\)$/\1/p')
    as_token=$(echo "$output" | sed -n 's/^as_token:[[:space:]]*\(.*\)$/\1/p')
    echo "HS Token: $hs_token"
    echo "AS Token: $as_token"
    echo "UNDEPLOY $DOMAIN?"
    abra app undeploy $DOMAIN
    echo "Replacing tokens:"
    abra app secret rm $DOMAIN ${BRIDGETYPE}_as_token
    abra app secret insert $DOMAIN ${BRIDGETYPE}_as_token v1 $as_token
    abra app secret rm $DOMAIN ${BRIDGETYPE}_hs_token
    abra app secret insert $DOMAIN ${BRIDGETYPE}_hs_token v1 $hs_token
    echo "Redeploying $DOMAIN..."
    abra app deploy -n $DOMAIN
 }
--- a/admin.conf.tmpl
+++ b/admin.conf.tmpl
@ -1,3 +0,0 @@
 {
  "restrictBaseUrl": "https://{{ env "DOMAIN" }}"
 }
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -1,15 +0,0 @@
 authentik:
    env:
        KEYCLOAK_ID: authentik
        KEYCLOAK_NAME: sso
        KEYCLOAK_URL: https://authentik.example.com/application/o/matrix/
        KEYCLOAK_CLIENT_DOMAIN: https://element-web.example.com
        KEYCLOAK_ALLOW_EXISTING_USERS: "true"
        KEYCLOAK_CLIENT_ID: matrix
    uncomment:
        - compose.keycloak.yml
        - KEYCLOAK_ENABLED
        - KEYCLOAK_CLIENT_ID
        - SECRET_KEYCLOAK_CLIENT_SECRET_VERSION
    shared_secrets:
        matrix_secret: keycloak_client_secret
--- a/compose.admin.yml
+++ b/compose.admin.yml
@ -1,46 +0,0 @@
 ---
 version: "3.8"
 services:
  admin:
    image: awesometechnologies/synapse-admin:0.10.3
    networks:
      - proxy
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}_admin.loadbalancer.server.port=80"
        - "traefik.http.routers.${STACK_NAME}_admin.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})&&PathPrefix(`/admin`)"
        - "traefik.http.routers.${STACK_NAME}_admin.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}_admin.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}_admin.middlewares=admin,admin_path"
        - "traefik.http.middlewares.admin.redirectregex.regex=^(.*)/admin/?"
        - "traefik.http.middlewares.admin.redirectregex.replacement=$${1}/admin/"
        - "traefik.http.middlewares.admin_path.stripprefix.prefixes=/admin"
    environment:
      - DOMAIN
    configs:
      - source: admin_config
        target: /app/config.json
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
  web:
    environment:
      - ADMIN_INTERFACE_ENABLED
 networks:
  proxy:
    external: true
 configs:
  admin_config:
    name: ${STACK_NAME}_admin_config_${ADMIN_CONFIG_VERSION}
    file: admin.conf.tmpl
    template_driver: golang
--- a/compose.keycloak.yml
+++ b/compose.keycloak.yml
@ -7,8 +7,8 @@ services:
      - db_password
      - form_secret
      - keycloak_client_secret
-      - macaroon
+      - macaroon_secret_key
-      - registration
+      - registration_shared_secret
    environment:
      - KEYCLOAK_CLIENT_DOMAIN
      - KEYCLOAK_CLIENT_ID
--- a/compose.shared_secret_auth.yml
+++ b/compose.shared_secret_auth.yml
@ -9,7 +9,7 @@ services:
      - shared_secret_auth
    configs:
      - source: shared_secret_auth
-        target: /usr/local/lib/python3.12/site-packages/shared_secret_authenticator.py
+        target: /usr/local/lib/python3.11/site-packages/shared_secret_authenticator.py
 configs:
  shared_secret_auth:
--- a/compose.signal.yml
+++ b/compose.signal.yml
@ -9,8 +9,15 @@ services:
    volumes:
      - signal-data:/signal-data
  signald:
    image: docker.io/signald/signald:0.23.2-non-root
    networks:
      - internal
    volumes:
      - signald-data:/signald
  signalbridge:
-    image: dock.mau.dev/mautrix/signal:v0.7.5
+    image: dock.mau.dev/mautrix/signal:v0.4.3
    depends_on:
      - signaldb
    configs:
@ -21,16 +28,15 @@ services:
      - HOMESERVER_URL
      - SIGNAL_BRIDGE_PERMISSIONS
      - SIGNAL_ENABLE_ENCRYPTION
      - SIGNAL_DEFAULT_ENCRYPTION=${SIGNAL_DEFAULT_ENCRYPTION:-false}
      - VERIFY_SSL
    secrets:
      - signal_as_token
      - signal_db_password
      - signal_hs_token
      - shared_secret_auth
      - signal_pickle_key
    volumes:
      - signal-data:/data
      - signald-data:/signald
    networks:
      - internal
@ -51,15 +57,6 @@ services:
      test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
    volumes:
      - signal-postgres:/var/lib/postgresql/data
    deploy:
      labels:
        backupbot.backup.pre-hook: "/pg_backup.sh backup"
        backupbot.backup.volumes.signal-postgres.path: "backup.sql"
        backupbot.restore.post-hook: '/pg_backup.sh restore'
    configs:
        - source: pg_backup
          target: /pg_backup.sh
          mode: 0555
 configs:
  signal_bridge_yaml:
@ -68,6 +65,7 @@ configs:
    template_driver: golang
 volumes:
  signald-data:
  signal-data:
  signal-postgres:
@ -81,6 +79,3 @@ secrets:
  signal_hs_token:
    external: true
    name: ${STACK_NAME}_signal_hs_token_${SECRET_SIGNAL_HS_TOKEN_VERSION}
  signal_pickle_key:
    external: true
    name: ${STACK_NAME}_signal_pickle_key_${SECRET_SIGNAL_PICKLE_KEY_VERSION}
--- a/compose.smtp.yml
+++ b/compose.smtp.yml
@ -6,8 +6,8 @@ services:
    secrets:
      - db_password
      - form_secret
-      - macaroon
+      - macaroon_secret_key
-      - registration
+      - registration_shared_secret
      - smtp_password
    environment:
      - SMTP_APP_NAME
--- a/compose.telegram.yml
+++ b/compose.telegram.yml
@ -10,7 +10,7 @@ services:
      - telegram-data:/telegram-data
  telegrambridge:
-    image: dock.mau.dev/mautrix/telegram:v0.15.2
+    image: dock.mau.dev/mautrix/telegram:v0.14.0
    depends_on:
      - telegramdb
    configs:
@ -56,15 +56,6 @@ services:
      test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
    volumes:
      - telegram-postgres:/var/lib/postgresql/data
    deploy:
      labels:
        backupbot.backup.pre-hook: "/pg_backup.sh backup"
        backupbot.backup.volumes.telegram-postgres.path: "backup.sql"
        backupbot.restore.post-hook: '/pg_backup.sh restore'
    configs:
        - source: pg_backup
          target: /pg_backup.sh
          mode: 0555
 configs:
  telegram_bridge_yaml:
--- a/compose.turn.yml
+++ b/compose.turn.yml
@ -6,8 +6,8 @@ services:
    secrets:
      - db_password
      - form_secret
-      - macaroon
+      - macaroon_secret_key
-      - registration
+      - registration_shared_secret
      - turn_shared_secret
    environment:
      - TURN_ALLOW_GUESTS
--- a/compose.yml
+++ b/compose.yml
@ -2,50 +2,19 @@
 version: "3.8"
 services:
  web:
    image: nginx:1.27.4
    networks:
      - proxy
      - internal
    environment:
      - DOMAIN
      - STACK_NAME
      - NGINX_ACCESS_LOG_LOCATION
      - NGINX_ERROR_LOG_LOCATION
    configs:
      - source: nginx_config
        target: /etc/nginx/nginx.conf
      - source: wk_server
        target: /var/www/.well-known/matrix/server
      - source: wk_client
        target: /var/www/.well-known/matrix/client
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
    healthcheck:
      test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
      interval: 20s
      timeout: 15s
      retries: 20
  app:
-    image: "matrixdotorg/synapse:v1.124.0"
+    image: "matrixdotorg/synapse:v1.87.0"
    volumes:
      - "data:/data"
    depends_on:
      - db
    secrets:
      - db_password
-      - registration
+      - registration_shared_secret
-      - macaroon
+      - macaroon_secret_key
      - form_secret
    environment:
      - ALLOWED_LIFETIME_MAX
      - ALLOW_PUBLIC_ROOMS_FEDERATION
      - AUTO_JOIN_ROOM
      - AUTO_JOIN_ROOM_ENABLED
      - DISABLE_FEDERATION
@ -53,21 +22,8 @@ services:
      - ENABLE_3PID_LOOKUP
      - ENABLE_ALLOWLIST
      - ENABLE_REGISTRATION
      - REGISTRATION_REQUIRES_TOKEN
      - ENCRYPTED_BY_DEFAULT
      - OLD_SIGNING_KEY
      - OLD_SIGNING_KEY_ID
      - OLD_SIGNING_KEY_EXPIRES
      - USER_DIRECTORY_ENABLED=${USER_DIRECTORY_ENABLED:-true}
      - USER_DIRECTORY_SEARCH_ALL_USERS=${USER_DIRECTORY_SEARCH_ALL_USERS:-true}
      - USER_DIRECTORY_PREFER_LOCAL_USERS=${USER_DIRECTORY_PREFER_LOCAL_USERS:-true}
      - USER_DIRECTORY_SHOW_LOCKED_USERS=${USER_DIRECTORY_SHOW_LOCKED_USERS:-false}
      - FEDERATION_ALLOWLIST
      - REQUIRE_AUTH_FOR_PROFILE_REQUESTS=${REQUIRE_AUTH_FOR_PROFILE_REQUESTS:-false}
      - LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=${LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS:-false}
      - DELETE_STALE_DEVICES_AFTER
      - SESSION_LIFETIME
      - TRACK_PUPPETED_USER_IPS=${TRACK_PUPPETED_USER_IPS:-false}
      - LETSENCRYPT_HOST=${DOMAIN}
      - MEDIA_RETENTION_LOCAL_LIFETIME
      - MEDIA_RETENTION_REMOTE_LIFETIME
@ -84,12 +40,8 @@ services:
      - USER_IPS_MAX_AGE
      - VIRTUAL_HOST=${DOMAIN}
      - VIRTUAL_PORT=8008
      - LOGIN_LIMIT_IP_PER_SECOND=${LOGIN_LIMIT_IP_PER_SECOND:-0.003}
      - LOGIN_LIMIT_IP_BURST=${LOGIN_LIMIT_IP_BURST:-5}
      - LOGIN_LIMIT_ACCOUNT_PER_SECOND=${LOGIN_LIMIT_ACCOUNT_PER_SECOND:-0.003}
      - LOGIN_LIMIT_ACCOUNT_BURST=${LOGIN_LIMIT_ACCOUNT_BURST:-5}
      - WEB_CLIENT_LOCATION
    networks:
      - proxy
      - internal
    entrypoint: /docker-entrypoint.sh
    configs:
@ -104,8 +56,12 @@ services:
      restart_policy:
        condition: on-failure
      labels:
-        - "coop-cloud.${STACK_NAME}.version=6.6.3+v1.124.0"
+        - "traefik.enable=true"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "coop-cloud.${STACK_NAME}.version=3.9.0+v1.87.0"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
      interval: 30s
@ -124,7 +80,6 @@ services:
      - POSTGRES_INITDB_ARGS="-E \"UTF8\""
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
      - POSTGRES_USER=synapse
      - DOMAIN
    networks:
      - internal
    healthcheck:
@ -137,14 +92,10 @@ services:
      - postgres:/var/lib/postgresql/data
    deploy:
      labels:
-        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+          backupbot.backup: "true"
-        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
-        backupbot.backup.volumes.postgres.path: "backup.sql"
+          backupbot.backup.post-hook: "rm -rf /tmp/backup"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
+          backupbot.backup.path: "/tmp/backup/"
    configs:
        - source: pg_backup
          target: /pg_backup.sh
          mode: 0555
 volumes:
  data:
@ -168,32 +119,17 @@ configs:
    name: ${STACK_NAME}_log_config_${LOG_CONFIG_VERSION}
    file: log.config.tmpl
    template_driver: golang
  nginx_config:
    name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
    file: nginx.conf.tmpl
    template_driver: golang
  wk_server:
    name: ${STACK_NAME}_wk_server_${WK_SERVER_VERSION}
    file: well_known_server.conf.tmpl
    template_driver: golang
  wk_client:
    name: ${STACK_NAME}_wk_client_${WK_CLIENT_VERSION}
    file: well_known_client.conf.tmpl
    template_driver: golang
  pg_backup:
    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
    file: pg_backup.sh
 secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-  registration:
+  registration_shared_secret:
    external: true
-    name: ${STACK_NAME}_registration_${SECRET_REGISTRATION_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}
-  macaroon:
+  macaroon_secret_key:
    external: true
-    name: ${STACK_NAME}_macaroon_${SECRET_MACAROON_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_MACAROON_SECRET_KEY_VERSION}
  form_secret:
    external: true
-    name: ${STACK_NAME}_form_secret_${SECRET_FORM_SECRET_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_FORM_SECRET_VERSION}
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -6,11 +6,6 @@ chown 991:991 /data
 if [[ ! -f /data/{{ env "DOMAIN" }}.signing.key ]]; then
    /start.py generate
    chown -R 991:991 /data/*.config /data/*.key
 fi
 if [[ -d /signal-data ]]; then
    chown -R 991:991 /signal-data
 fi
 /start.py
--- a/homeserver.yaml.tmpl
+++ b/homeserver.yaml.tmpl
@ -1,38 +1,92 @@
-# All configuration options are documented on the following link:
+## Modules ##
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
-{{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }}
+# Server admins can expand Synapse's functionality with external modules.
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#modules-1
+#
 # See https://matrix-org.github.io/synapse/latest/modules.html for more
 # documentation on how to configure or create custom modules for Synapse.
 #
 modules:
    # - module: my_super_module.MySuperClass
    #   config:
    #       do_thing: true
    # - module: my_other_super_module.SomeClass
    #   config: {}
    {{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }}
    - module: shared_secret_authenticator.SharedSecretAuthProvider
      config:
        shared_secret: {{ secret "shared_secret_auth" }}
        m_login_password_support_enabled: true
-{{ end }}
+    {{ end }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#server_name
+## Server ##
 # The public-facing domain of the server
 #
 # The server_name name will appear at the end of usernames and room addresses
 # created on this server. For example if the server_name was example.com,
 # usernames on this server would be in the format @user:example.com
 #
 # In most cases you should avoid using a matrix specific subdomain such as
 # matrix.example.com or synapse.example.com as the server_name for the same
 # reasons you wouldn't use user@email.example.com as your email address.
 # See https://matrix-org.github.io/synapse/latest/delegate.html
 # for information on how to host Synapse on a subdomain while preserving
 # a clean server_name.
 #
 # The server_name cannot be changed later so it is important to
 # configure this correctly before you start Synapse. It should be all
 # lowercase and may contain an explicit port.
 # Examples: matrix.org, localhost:8080
 #
 server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#public_baseurl
+# The public-facing base URL that clients use to access this Homeserver (not
 # including _matrix/...). This is the same URL a user might enter into the
 # 'Custom Homeserver URL' field on their client. If you use Synapse with a
 # reverse proxy, this should be the URL to reach Synapse via the proxy.
 # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
 # 'listeners' below).
 #
 # Defaults to 'https://<server_name>/'.
 #
 public_baseurl: https://{{ env "DOMAIN" }}/
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#require_auth_for_profile_requests
+# Uncomment the following to tell other servers to send federation traffic on
-require_auth_for_profile_requests: {{ env "REQUIRE_AUTH_FOR_PROFILE_REQUESTS" }}
+# port 443.
-
+#
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_profile_requests_to_users_who_share_rooms
+# By default, other servers will try to reach our server on port 8448, which can
-limit_profile_requests_to_users_who_share_rooms: {{ env "LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS" }}
+# be inconvenient in some environments.
-
+#
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown
+# Provided 'https://<server_name>/' on port 443 is routed to Synapse, this
 # option configures Synapse to serve a file at
 # 'https://<server_name>/.well-known/matrix/server'. This will tell other
 # servers to send traffic to port 443 instead.
 #
 # See https://matrix-org.github.io/synapse/latest/delegate.html for more
 # information.
 #
 # Defaults to 'false'.
 #
 serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_without_auth
+# If set to 'true', removes the need for authentication to access the server's
 # public rooms directory through the client API, meaning that anyone can
 # query the room directory. Defaults to 'false'.
 #
 allow_public_rooms_without_auth: false
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_over_federation
+# If set to 'true', allows any other homeserver to fetch the server's public
-allow_public_rooms_over_federation: {{ or (env "ALLOW_PUBLIC_ROOMS_FEDERATION") "true" }}
+# rooms directory via federation. Defaults to 'false'.
 #
 allow_public_rooms_over_federation: false
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#listeners
 listeners:
  # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
  # that unwraps TLS.
  #
  # If you plan to use a reverse proxy, please see
  # https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
  #
  - port: 8008
    tls: false
    type: http
@ -58,56 +112,153 @@ listeners:
      {{ end }}
    {{ end }}
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#delete_stale_devices_after
+## Homeserver blocking ##
 {{ if (env "DELETE_STALE_DEVICES_AFTER") }}
 delete_stale_devices_after: {{ env "DELETE_STALE_DEVICES_AFTER" }}
 {{ end }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact
+# How to reach the server admin, used in ResourceLimitError
 #
 admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}'
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_remote_rooms
+# Resource-constrained homeserver settings
 #
 # When this is enabled, the room "complexity" will be checked before a user
 # joins a new remote room. If it is above the complexity limit, the server will
 # disallow joining, or will instantly leave.
 #
 # Room complexity is an arbitrary measure based on factors such as the number of
 # users in the room.
 #
 limit_remote_rooms:
  # Uncomment to enable room complexity checking.
  #
  enabled: true
  # the limit above which rooms cannot be joined. The default is 1.0.
  #
  complexity: 200.0
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_avatar_size
+# The largest allowed file size for a user avatar. Defaults to no restriction.
 # Note that user avatar changes will not work if this is set without
 # using Synapse's media repository.
 #
 max_avatar_size: 10M
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#forgotten_room_retention_period
+# How long to keep redacted events in unredacted form in the database. After
-forgotten_room_retention_period: 3d
+# this period redacted events get replaced with their redacted form in the DB.
-
+#
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#request_token_inhibit_3pid_errors
+# Defaults to `7d`. Set to `null` to disable.
-request_token_inhibit_3pid_errors: true
+#
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#redaction_retention_period
 redaction_retention_period: {{ env "REDACTION_RETENTION_PERIOD" }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_ips_max_age
+# How long to track users' last seen time and IPs in the database.
 #
 # Defaults to `28d`. Set to `null` to disable clearing out of old rows.
 #
 user_ips_max_age: {{ env "USER_IPS_MAX_AGE" }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#retention
+# Message retention policy at the server level.
 #
 # Room admins and mods can define a retention period for their rooms using the
 # 'm.room.retention' state event, and server admins can cap this period by setting
 # the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options.
 #
 # If this feature is enabled, Synapse will regularly look for and purge events
 # which are older than the room's maximum retention period. Synapse will also
 # filter events received over federation so that events that should have been
 # purged are ignored and not stored again.
 #
 retention:
  # The message retention policies feature is disabled by default. Uncomment the
  # following line to enable it.
  #
  enabled: true
  # Default retention policy. If set, Synapse will apply it to rooms that lack the
  # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't
  # matter much because Synapse doesn't take it into account yet.
  #
  default_policy:
    min_lifetime: 1d
    max_lifetime: {{ env "RETENTION_MAX_LIFETIME" }}
  # Retention policy limits. If set, and the state of a room contains a
  # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
  # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
  # to these limits when running purge jobs.
  #
  allowed_lifetime_min: 1d
  allowed_lifetime_max: {{ env "ALLOWED_LIFETIME_MAX" }}
  # Server admins can define the settings of the background jobs purging the
  # events which lifetime has expired under the 'purge_jobs' section.
  #
  # If no configuration is provided, a single job will be set up to delete expired
  # events in every room daily.
  #
  # Each job's configuration defines which range of message lifetimes the job
  # takes care of. For example, if 'shortest_max_lifetime' is '2d' and
  # 'longest_max_lifetime' is '3d', the job will handle purging expired events in
  # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and
  # lower than or equal to 3 days. Both the minimum and the maximum value of a
  # range are optional, e.g. a job with no 'shortest_max_lifetime' and a
  # 'longest_max_lifetime' of '3d' will handle every room with a retention policy
  # which 'max_lifetime' is lower than or equal to three days.
  #
  # The rationale for this per-job configuration is that some rooms might have a
  # retention policy with a low 'max_lifetime', where history needs to be purged
  # of outdated messages on a more frequent basis than for the rest of the rooms
  # (e.g. every 12h), but not want that purge to be performed by a job that's
  # iterating over every room it knows, which could be heavy on the server.
  #
  # If any purge job is configured, it is strongly recommended to have at least
  # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
  # set, or one job without 'shortest_max_lifetime' and one job without
  # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
  # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
  # room's policy to these values is done after the policies are retrieved from
  # Synapse's database (which is done using the range specified in a purge job's
  # configuration).
  #
  purge_jobs:
    - longest_max_lifetime: 3d
      interval: 12h
    - shortest_max_lifetime: 3d
      interval: 1d
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist
+## Federation ##
 # Restrict federation to the following whitelist of domains.
 # N.B. we recommend also firewalling your federation listener to limit
 # inbound federation traffic as early as possible, rather than relying
 # purely on this application-layer restriction.  If not specified, the
 # default is to whitelist everything.
 #
 #federation_domain_whitelist:
 #  - lon.example.com
 #  - nyc.example.com
 #  - syd.example.com
 {{ if eq (env "DISABLE_FEDERATION") "1" }}
 federation_domain_whitelist: []
 {{ else if eq (env "ENABLE_ALLOWLIST") "1" }}
 federation_domain_whitelist: {{ env "FEDERATION_ALLOWLIST" }}
 {{ end }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#database-1
+## Database ##
 # The 'database' setting defines the database that synapse uses to store all of
 # its data.
 #
 # 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
 # 'psycopg2' (for PostgreSQL).
 #
 # 'txn_limit' gives the maximum number of transactions to run per connection
 # before reconnecting. Defaults to 0, which means no limit.
 #
 # 'args' gives options which are passed through to the database engine,
 # except for options starting 'cp_', which are used to configure the Twisted
 # connection pool. For a reference to valid arguments, see:
 #   * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
 #   * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
 #   * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
 database:
  name: psycopg2
  txn_limit: 10000
@ -123,86 +274,327 @@ database:
    keepalives_interval: 10
    keepalives_count: 3
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#log_config
+## Logging ##
 # A yaml python logging config file as described by
 # https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
 #
 log_config: "/data/log.config"
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_store_path
+## Media Store ##
 # Enable the media store service in the Synapse master. Uncomment the
 # following if you are using a separate media store worker.
 #
 #enable_media_repo: false
 # Directory where uploaded images and attachments are stored.
 #
 media_store_path: "/data/media_store"
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_upload_size 
+# The largest allowed upload size in bytes
 #
 # If you are using a reverse proxy you may also need to set this value in
 # your reverse proxy's config. Notably Nginx has a small max body size by default.
 # See https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
 #
 max_upload_size: 50M
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#turn
 {{ if eq (env "TURN_ENABLED") "1" }}
 ## TURN ##
 # The public URIs of the TURN server to give to clients
 #
 turn_uris: {{ env "TURN_URIS" }}
 # The shared secret used to compute passwords for the TURN server
 #
 turn_shared_secret: "{{ secret "turn_shared_secret" }}"
 # How long generated TURN credentials last
 #
 turn_user_lifetime: 1h
 # Whether guests should be allowed to use the TURN server.
 # This defaults to True, otherwise VoIP will be unreliable for guests.
 # However, it does introduce a slight security risk as it allows users to
 # connect to arbitrary endpoints without having first signed up for a
 # valid account (e.g. by passing a CAPTCHA).
 #
 turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
 {{ end }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration
+## Registration ##
 #
 # Registration can be rate-limited using the parameters in the "Ratelimiting"
 # section of this file.
 # Enable registration for new users.
 #
 enable_registration: {{ env "ENABLE_REGISTRATION" }}
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_requires_token
+# Enable 3PIDs lookup requests to identity servers from this server.
-registration_requires_token: {{ env "REGISTRATION_REQUIRES_TOKEN" }}
+#
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup
 enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_guest_access
+# If set, allows registration of standard or admin accounts by anyone who
-allow_guest_access: false
+# has the shared secret, even if registration is otherwise disabled.
-
+#
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_shared_secret
+registration_shared_secret: {{ secret "registration_shared_secret" }}
 registration_shared_secret: {{ secret "registration" }}
 # Users who register on this homeserver will automatically be joined
 # to these rooms.
 #
 # By default, any room aliases included in this list will be created
 # as a publicly joinable room when the first user registers for the
 # homeserver. This behaviour can be customised with the settings below.
 # If the room already exists, make certain it is a publicly joinable
 # room. The join rule of the room must be set to 'public'.
 #
 {{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#auto_join_rooms
 auto_join_rooms:
  - "{{ env "AUTO_JOIN_ROOM" }}"
 {{ end }}
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#session_lifetime
+## Metrics ###
 {{ if (env "SESSION_LIFETIME") }}
 session_lifetime: {{ env "SESSION_LIFETIME" }}
 {{ end }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#report_stats
+# Whether or not to report anonymized homeserver usage statistics.
 #
 report_stats: false
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#track_puppeted_user_ips
+## API Configuration ##
 track_puppeted_user_ips: {{ env "TRACK_PUPPETED_USER_IPS" }}
 # A list of application service config files to use
 #
 {{ if eq (env "APP_SERVICES_ENABLED") "1" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files
 app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }}
 {{ end }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#macaroon_secret_key
+# a secret which is used to sign access tokens. If none is specified,
-macaroon_secret_key: "{{ secret "macaroon" }}"
+# the registration_shared_secret is used, if one is given; otherwise,
 # a secret key is derived from the signing key.
 #
 macaroon_secret_key: "{{ secret "macaroon_secret_key" }}"
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#form_secret
+# a secret which is used to calculate HMACs for form values, to stop
 # falsification of values. Must be specified for the User Consent
 # forms to work.
 #
 form_secret: "{{ secret "form_secret" }}"
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#signing_key_path
+## Signing Keys ##
 # Path to the signing key to sign messages with
 #
 signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#old_signing_keys
+# The trusted servers to download signing keys from.
-{{ if (and (env "OLD_SIGNING_KEY_ID") (env "OLD_SIGNING_KEY") (env "OLD_SIGNING_KEY_EXPIRES")) }}
+#
-old_signing_keys:
+# When we need to fetch a signing key, each server is tried in parallel.
-  "ed25519:{{ env "OLD_SIGNING_KEY_ID" }}": { key: "{{ env "OLD_SIGNING_KEY" }}", expired_ts: {{ env "OLD_SIGNING_KEY_EXPIRES" }} }
+#
-{{ end }}
+# Normally, the connection to the key server is validated via TLS certificates.
-
+# Additional security can be provided by configuring a `verify key`, which
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers
+# will make synapse check that the response is signed by that key.
 #
 # This setting supercedes an older setting named `perspectives`. The old format
 # is still supported for backwards-compatibility, but it is deprecated.
 #
 # 'trusted_key_servers' defaults to matrix.org, but using it will generate a
 # warning on start-up. To suppress this warning, set
 # 'suppress_key_server_warning' to true.
 #
 # Options for each entry in the list include:
 #
 #    server_name: the name of the server. required.
 #
 #    verify_keys: an optional map from key id to base64-encoded public key.
 #       If specified, we will check that the response is signed by at least
 #       one of the given keys.
 #
 #    accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
 #       and federation_verify_certificates is not `true`, synapse will refuse
 #       to start, because this would allow anyone who can spoof DNS responses
 #       to masquerade as the trusted key server. If you know what you are doing
 #       and are sure that your network environment provides a secure connection
 #       to the key server, you can set this to `true` to override this
 #       behaviour.
 #
 # An example configuration might look like:
 #
 #trusted_key_servers:
 #  - server_name: "my_trusted_server.example.com"
 #    verify_keys:
 #      "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
 #  - server_name: "my_other_trusted_server.example.com"
 #
 {{ if eq (env "ENABLE_ALLOWLIST") "1" }}
-trusted_key_servers: [] # NOTE(d1): defaults to requesting server directly, which matches FEDERATION_ALLOWLIST
+{{ env "TRUSTED_KEYSERVERS" }}
 {{ else }}
 trusted_key_servers:
  - server_name: "matrix.org"
 {{ end }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#oidc_providers
+## Single sign-on integration ##
-{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
+
 # List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
 # and login.
 #
 # Options for each entry include:
 #
 #   idp_id: a unique identifier for this identity provider. Used internally
 #       by Synapse; should be a single word such as 'github'.
 #
 #       Note that, if this is changed, users authenticating via that provider
 #       will no longer be recognised as the same user!
 #
 #       (Use "oidc" here if you are migrating from an old "oidc_config"
 #       configuration.)
 #
 #   idp_name: A user-facing name for this identity provider, which is used to
 #       offer the user a choice of login mechanisms.
 #
 #   idp_icon: An optional icon for this identity provider, which is presented
 #       by clients and Synapse's own IdP picker page. If given, must be an
 #       MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
 #       obtain such an MXC URI is to upload an image to an (unencrypted) room
 #       and then copy the "url" from the source of the event.)
 #
 #   idp_brand: An optional brand for this identity provider, allowing clients
 #       to style the login flow according to the identity provider in question.
 #       See the spec for possible options here.
 #
 #   discover: set to 'false' to disable the use of the OIDC discovery mechanism
 #       to discover endpoints. Defaults to true.
 #
 #   issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
 #       is enabled) to discover the provider's endpoints.
 #
 #   client_id: Required. oauth2 client id to use.
 #
 #   client_secret: oauth2 client secret to use. May be omitted if
 #        client_secret_jwt_key is given, or if client_auth_method is 'none'.
 #
 #   client_secret_jwt_key: Alternative to client_secret: details of a key used
 #      to create a JSON Web Token to be used as an OAuth2 client secret. If
 #      given, must be a dictionary with the following properties:
 #
 #          key: a pem-encoded signing key. Must be a suitable key for the
 #              algorithm specified. Required unless 'key_file' is given.
 #
 #          key_file: the path to file containing a pem-encoded signing key file.
 #              Required unless 'key' is given.
 #
 #          jwt_header: a dictionary giving properties to include in the JWT
 #              header. Must include the key 'alg', giving the algorithm used to
 #              sign the JWT, such as "ES256", using the JWA identifiers in
 #              RFC7518.
 #
 #          jwt_payload: an optional dictionary giving properties to include in
 #              the JWT payload. Normally this should include an 'iss' key.
 #
 #   client_auth_method: auth method to use when exchanging the token. Valid
 #       values are 'client_secret_basic' (default), 'client_secret_post' and
 #       'none'.
 #
 #   scopes: list of scopes to request. This should normally include the "openid"
 #       scope. Defaults to ["openid"].
 #
 #   authorization_endpoint: the oauth2 authorization endpoint. Required if
 #       provider discovery is disabled.
 #
 #   token_endpoint: the oauth2 token endpoint. Required if provider discovery is
 #       disabled.
 #
 #   userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
 #       disabled and the 'openid' scope is not requested.
 #
 #   jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
 #       the 'openid' scope is used.
 #
 #   skip_verification: set to 'true' to skip metadata verification. Use this if
 #       you are connecting to a provider that is not OpenID Connect compliant.
 #       Defaults to false. Avoid this in production.
 #
 #   user_profile_method: Whether to fetch the user profile from the userinfo
 #       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
 #
 #       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
 #       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
 #       userinfo endpoint.
 #
 #   allow_existing_users: set to 'true' to allow a user logging in via OIDC to
 #       match a pre-existing account instead of failing. This could be used if
 #       switching from password logins to OIDC. Defaults to false.
 #
 #   user_mapping_provider: Configuration for how attributes returned from a OIDC
 #       provider are mapped onto a matrix user. This setting has the following
 #       sub-properties:
 #
 #       module: The class name of a custom mapping module. Default is
 #           'synapse.handlers.oidc.JinjaOidcMappingProvider'.
 #           See https://matrix-org.github.io/synapse/latest/sso_mapping_providers.html#openid-mapping-providers
 #           for information on implementing a custom mapping provider.
 #
 #       config: Configuration for the mapping provider module. This section will
 #           be passed as a Python dictionary to the user mapping provider
 #           module's `parse_config` method.
 #
 #           For the default provider, the following settings are available:
 #
 #             subject_claim: name of the claim containing a unique identifier
 #                 for the user. Defaults to 'sub', which OpenID Connect
 #                 compliant providers should provide.
 #
 #             localpart_template: Jinja2 template for the localpart of the MXID.
 #                 If this is not set, the user will be prompted to choose their
 #                 own username (see 'sso_auth_account_details.html' in the 'sso'
 #                 section of this file).
 #
 #             display_name_template: Jinja2 template for the display name to set
 #                 on first login. If unset, no displayname will be set.
 #
 #             email_template: Jinja2 template for the email address of the user.
 #                 If unset, no email address will be added to the account.
 #
 #             extra_attributes: a map of Jinja2 templates for extra attributes
 #                 to send back to the client during login.
 #                 Note that these are non-standard and clients will ignore them
 #                 without modifications.
 #
 #           When rendering, the Jinja2 templates are given a 'user' variable,
 #           which is set to the claims returned by the UserInfo Endpoint and/or
 #           in the ID Token.
 #
 #   It is possible to configure Synapse to only allow logins if certain attributes
 #   match particular values in the OIDC userinfo. The requirements can be listed under
 #   `attribute_requirements` as shown below. All of the listed attributes must
 #   match for the login to be permitted. Additional attributes can be added to
 #   userinfo by expanding the `scopes` section of the OIDC config to retrieve
 #   additional information from the OIDC provider.
 #
 #   If the OIDC claim is a list, then the attribute must match any value in the list.
 #   Otherwise, it must exactly match the value of the claim. Using the example
 #   below, the `family_name` claim MUST be "Stephensson", but the `groups`
 #   claim MUST contain "admin".
 #
 #   attribute_requirements:
 #     - attribute: family_name
 #       value: "Stephensson"
 #     - attribute: groups
 #       value: "admin"
 #
 # See https://matrix-org.github.io/synapse/latest/openid.html
 # for information on how to configure these options.
 #
 # For backwards compatibility, it is also possible to configure a single OIDC
 # provider via an 'oidc_config' setting. This is now deprecated and admins are
 # advised to migrate to the 'oidc_providers' format. (When doing that migration,
 # use 'oidc' for the idp_id to ensure that existing users continue to be
 # recognised.)
 #
 oidc_providers:
  {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
  - idp_id: {{ env "KEYCLOAK_ID" }}
    idp_name: {{ env "KEYCLOAK_NAME" }}
    issuer: "{{ env "KEYCLOAK_URL" }}"
@ -214,6 +606,7 @@ oidc_providers:
      config:
        localpart_template: "{{ "{{ user.preferred_username }}" }}"
        display_name_template: "{{ "{{ user.name }}" }}"
  {{ end }}
  {{ if eq (env "KEYCLOAK2_ENABLED") "1" }}
  - idp_id: {{ env "KEYCLOAK2_ID" }}
@ -242,69 +635,145 @@ oidc_providers:
        localpart_template: "{{ "{{ user.preferred_username }}" }}"
        display_name_template: "{{ "{{ user.name }}" }}"
  {{ end }}
 {{ end }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#sso 
+# Additional settings to use with single-sign on systems such as OpenID Connect,
-{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
+# SAML2 and CAS.
 #
 # Server admins can configure custom templates for pages related to SSO. See
 # https://matrix-org.github.io/synapse/latest/templates.html for more information.
 #
 sso:
-  client_whitelist:
+    # A list of client URLs which are whitelisted so that the user does not
-    - https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}
+    # have to confirm giving access to their account to the URL. Any client
-{{ end }}
+    # whose URL starts with an entry in the following list will not be subject
    # to an additional confirmation step after the SSO login is completed.
    #
    # WARNING: An entry such as "https://my.client" is insecure, because it
    # will also match "https://my.client.evil.site", exposing your users to
    # phishing attacks from evil.site. To avoid this, include a slash after the
    # hostname: "https://my.client/".
    #
    # The login fallback page (used by clients that don't natively support the
    # required login flows) is whitelisted in addition to any URLs in this list.
    #
    # By default, this list contains only the login fallback page.
    #
    #client_whitelist:
    #  - https://riot.im/develop
    #  - https://my.custom.client/
    {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
    client_whitelist:
      - https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}
    {{ end }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config
 password_config:
   # Uncomment to disable password login
   #
   enabled: {{ env "PASSWORD_LOGIN_ENABLED" }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email
+# Configuration for sending emails from Synapse.
-{{ if eq (env "SMTP_ENABLED") "1" }}
+#
 # Server admins can configure custom templates for email content. See
 # https://matrix-org.github.io/synapse/latest/templates.html for more information.
 #
 email:
  {{ if eq (env "SMTP_ENABLED") "1" }}
  # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
  #
  smtp_host: {{ env "SMTP_HOST" }}
  # The port on the mail server for outgoing SMTP. Defaults to 25.
  #
  smtp_port: {{ env "SMTP_PORT" }}
  # Username/password for authentication to the SMTP server. By default, no
  # authentication is attempted.
  #
  smtp_user: {{ env "SMTP_USER" }}
  smtp_pass: "{{ secret "smtp_password" }}"
  require_transport_security: true
  notif_from: Your Friendly %(app)s homeserver <{{ env "SMTP_FROM" }}>
  app_name: {{ env "SMTP_APP_NAME" }}
  enable_notifs: true
  client_base_url: https://{{ env "DOMAIN" }}
 {{ end }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#encryption_enabled_by_default_for_room_type
+  # Uncomment the following to require TLS transport security for SMTP.
  # By default, Synapse will connect over plain text, and will then switch to
  # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
  # Synapse will refuse to connect unless the server supports STARTTLS.
  #
  require_transport_security: true
  # notif_from defines the "From" address to use when sending emails.
  # It must be set if email sending is enabled.
  #
  # The placeholder '%(app)s' will be replaced by the application name,
  # which is normally 'app_name' (below), but may be overridden by the
  # Matrix client application.
  #
  # Note that the placeholder must be written '%(app)s', including the
  # trailing 's'.
  #
  notif_from: Your Friendly %(app)s homeserver <{{ env "SMTP_FROM" }}>
  # app_name defines the default value for '%(app)s' in notif_from and email
  # subjects. It defaults to 'Matrix'.
  #
  app_name: {{ env "SMTP_APP_NAME" }}
  # Uncomment the following to enable sending emails for messages that the user
  # has missed. Disabled by default.
  #
  enable_notifs: true
  # Custom URL for client links within the email notifications. By default
  # links will be based on "https://matrix.to".
  #
  # (This setting used to be called riot_base_url; the old name is still
  # supported for backwards-compatibility but is now deprecated.)
  #
  client_base_url: https://{{ env "DOMAIN" }}
  {{ end }}
 ## Rooms ##
 # Controls whether locally-created rooms should be end-to-end encrypted by
 # default.
 #
 # Possible options are "all", "invite", and "off". They are defined as:
 #
 # * "all": any locally-created room
 # * "invite": any room created with the "private_chat" or "trusted_private_chat"
 #             room creation presets
 # * "off": this option will take no effect
 #
 # The default value is "off".
 #
 # Note that this option will only affect rooms created after it is set. It
 # will also not affect rooms created by other servers.
 #
 encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory
+# User Directory configuration
 #
 user_directory:
-  enabled: {{ env "USER_DIRECTORY_ENABLED" }}
+    # Defines whether to search all users visible to your HS when searching
-  search_all_users: {{ env "USER_DIRECTORY_SEARCH_ALL_USERS" }}
+    # the user directory. If false, search results will only contain users
-  prefer_local_users: {{ env "USER_DIRECTORY_PREFER_LOCAL_USERS" }}
+    # visible in public rooms and users sharing a room with the requester.
-  show_locked_users: {{ env "USER_DIRECTORY_SHOW_LOCKED_USERS" }}
+    # Defaults to false.
    #
    # NB. If you set this to true, and the last time the user_directory search
    # indexes were (re)built was before Synapse 1.44, you'll have to
    # rebuild the indexes in order to search through all known users.
    # These indexes are built the first time Synapse starts; admins can
    # manually trigger a rebuild via API following the instructions at
    #     https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run
    #
    # Uncomment to return search results containing all known users, even if that
    # user does not share a room with the requester.
    #
    search_all_users: true
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention
+## Media retention ##
 #
 # since https://github.com/matrix-org/synapse/releases/tag/v1.61.0
 media_retention:
  local_media_lifetime: {{ env "MEDIA_RETENTION_LOCAL_LIFETIME" }}
  remote_media_lifetime: {{ env "MEDIA_RETENTION_REMOTE_LIFETIME" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_metrics
 enable_metrics: false
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#track_appservice_user_ips
 track_appservice_user_ips: false
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#forget_rooms_on_leave
 forget_rooms_on_leave: true
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#opentracing-1
 opentracing:
  enabled: false
 # https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html#ratelimiting
 rc_login:
  address:
    per_second: {{ env "LOGIN_LIMIT_IP_PER_SECOND" }}
    burst_count: {{ env "LOGIN_LIMIT_IP_BURST" }}
  account:
    per_second: {{ env "LOGIN_LIMIT_ACCOUNT_PER_SECOND" }}
    burst_count: {{ env "LOGIN_LIMIT_ACCOUNT_BURST" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#web_client_location
 web_client_location: {{ env "WEB_CLIENT_LOCATION" }}
--- a/nginx.conf.tmpl
+++ b/nginx.conf.tmpl
@ -1,55 +0,0 @@
 user www-data;
 events {
  worker_connections 768;
 }
 http {
  server {
    listen 80;
    access_log {{ or (env "NGINX_ACCESS_LOG_LOCATION") "/dev/null" }};
    error_log {{ or (env "NGINX_ERROR_LOG_LOCATION") "/dev/null" }};
    server_name {{ env "DOMAIN" }};
    location = / {
      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $host;
      client_max_body_size 50M;
      proxy_http_version 1.1;
    }
    location ~* ^(\/_matrix|\/_synapse\/client) {
      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $host;
      client_max_body_size 50M;
      proxy_http_version 1.1;
    }
    location /.well-known/matrix/ {
      root /var/www/;
      default_type application/json;
      add_header Access-Control-Allow-Origin  *;
    }
 {{ if eq (env "ADMIN_INTERFACE_ENABLED") "1" }}
    location ^~ /_synapse/admin {
      if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
        return 403;
      }
      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $host;
      client_max_body_size 50M;
      proxy_http_version 1.1;
    }
 {{ end }}
  }
 }
--- a/pg_backup.sh
+++ b/pg_backup.sh
@ -1,34 +0,0 @@
 #!/bin/bash
 set -e
 BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
 function backup {
  export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
 }
 function restore {
    cd /var/lib/postgresql/data/
    restore_config(){
        # Restore allowed connections
        cat pg_hba.conf.bak > pg_hba.conf
        su postgres -c 'pg_ctl reload'
    }
    # Don't allow any other connections than local
    cp pg_hba.conf pg_hba.conf.bak
    echo "local all all trust" > pg_hba.conf
    su postgres -c 'pg_ctl reload'
    trap restore_config EXIT INT TERM
    # Recreate Database
    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
    trap - EXIT INT TERM
    restore_config
 }
 $@
--- a/release/4.0.0+v1.93.0
+++ b/release/4.0.0+v1.93.0
@ -1,10 +0,0 @@
 We had to rename some secrets: https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/35
 Copy the secrets:
 * `registration_shared_secret` to `registration`
 * `macaroon_secret_key` to `macaroon`
 The easiest way to do this is to run `abra app run <matrix.example.com> app bash` BEFORE this upgrade, then `cat /run/secrets/registration_shared_secret`.  If you haven't saved the secrets yet, and would like to, please Ctrl+C out of this upgrade and do that first.
 Regeneration of these secrets should also work.
--- a/release/5.0.0+v1.93.0
+++ b/release/5.0.0+v1.93.0
@ -1 +0,0 @@
 It's recommended not to upgrade / downgrade directly to this version (or other 5.y.z versions), because of service renaming which was reverted in 6.0.0+v1.100.0.
--- a/release/5.0.1+v1.93.0
+++ b/release/5.0.1+v1.93.0
@ -1,6 +0,0 @@
 Logging is now disabled by default. If you want to reënable it, set these options:
 ```
 NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
 NGINX_ERROR_LOG_LOCATION="/dev/stderr"
 ```
--- a/release/6.0.0+v1.100.0
+++ b/release/6.0.0+v1.100.0
@ -1 +0,0 @@
 If you are upgrading from verison 5.y.z of this recipe, you will need to `undeploy` then `deploy`, because of a service rename which was reverted.
--- a/release/6.6.1+v1.124.0
+++ b/release/6.6.1+v1.124.0
@ -1 +0,0 @@
 added env REGISTRATION_REQUIRES_TOKEN
--- a/release/6.6.2+v1.124.0
+++ b/release/6.6.2+v1.124.0
@ -1 +0,0 @@
 new optional env vars for user_directory and privacy options
--- a/release/6.6.3+v1.124.0
+++ b/release/6.6.3+v1.124.0
@ -1 +0,0 @@
 added env for old-signing-keys
--- a/signal_bridge.yaml.tmpl
+++ b/signal_bridge.yaml.tmpl
@ -1,411 +1,324 @@
-# Network-specific config options
+# Homeserver details
-network:
+homeserver:
-    # Displayname template for Signal users.
+    # The address that this appservice can use to connect to the homeserver.
-    # {{ "{{.ProfileName}}" }} - The Signal profile name set by the user.
+    address: {{ env "HOMESERVER_URL" }}
-    # {{ "{{.ContactName}}" }} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
+    # The domain of the homeserver (for MXIDs, etc).
-    # {{ "{{.PhoneNumber}}" }} - The phone number of the user.
+    domain: {{ env "HOMESERVER_DOMAIN" }}
-    # {{ "{{.UUID}}" }} - The UUID of the Signal user.
+    # Whether or not to verify the SSL certificate of the homeserver.
-    # {{ "{{.AboutEmoji}}" }} - The emoji set by the user in their profile.
+    # Only applies if address starts with https://
-    displayname_template: '{{ "{{or .ProfileName .PhoneNumber \"Unknown user\"}}" }}'
+    verify_ssl: {{ env "VERIFY_SSL" }}
-    # Should avatars from the user's contact list be used? This is not safe on multi-user instances.
+    # What software is the homeserver running?
-    use_contact_avatars: false
+    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
-    # Should the bridge request the user's contact list from the phone on startup?
+    software: standard
-    sync_contacts_on_startup: true
+    # Number of retries for all HTTP requests if the homeserver isn't reachable.
-    # Should the bridge sync ghost user info even if profile fetching fails? This is not safe on multi-user instances.
+    http_retry_count: 4
-    use_outdated_profiles: false
+    # The URL to push real-time bridge status to.
-    # Should the Signal user's phone number be included in the room topic in private chat portal rooms?
+    # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
-    number_in_topic: true
+    # The bridge will use the appservice as_token to authorize requests.
-    # Default device name that shows up in the Signal app.
+    status_endpoint: null
-    device_name: mautrix-signal
+    # Endpoint for reporting per-message status.
-    # Avatar image for the Note to Self room.
+    message_send_checkpoint_endpoint: null
-    note_to_self_avatar: mxc://maunium.net/REBIVrqjZwmaWpssCZpBlmlL
+    # Maximum number of simultaneous HTTP connections to the homeserver.
-    # Format for generating URLs from location messages for sending to Signal.
+    connection_limit: 100
-    # Google Maps: 'https://www.google.com/maps/place/%[1]s,%[2]s'
+    # Whether asynchronous uploads via MSC2246 should be enabled for media.
-    # OpenStreetMap: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s'
+    # Requires a media repo that supports MSC2246.
-    location_format: 'https://www.google.com/maps/place/%[1]s,%[2]s'
+    async_media: false
-# Config options that affect the central bridge module.
+# Application service host/registration related details
 # Changing these values requires regeneration of the registration.
 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: http://signalbridge:29328
    # When using https:// the TLS certificate and key files for the address.
    tls_cert: false
    tls_key: false
    # The hostname and port where this appservice should listen.
    hostname: 0.0.0.0
    port: 29328
    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 1
    # The full URI to the database. SQLite and Postgres are supported.
    # However, SQLite support is extremely experimental and should not be used.
    # Format examples:
    #   SQLite:   sqlite:///filename.db
    #   Postgres: postgres://username:password@hostname/dbname
    database: postgres://signalbridge:{{ secret "signal_db_password" }}@signaldb/signalbridge
    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
    # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
    # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs).
    database_opts:
        min_size: 1
        max_size: 10
    # The unique ID of this appservice.
    id: signal
    # Username of the appservice bot.
    bot_username: signalbot
    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
    # to leave display name/avatar as-is.
    bot_displayname: Signal bridge bot
    bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
    # Whether or not to receive ephemeral events via appservice transactions.
    # Requires MSC2409 support (i.e. Synapse 1.22+).
    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
    ephemeral_events: true
    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: "{{ secret "signal_as_token" }}"
    hs_token: "{{ secret "signal_hs_token" }}"
 # Prometheus telemetry config. Requires prometheus-client to be installed.
 metrics:
    enabled: false
    listen_port: 8000
 # Manhole config.
 manhole:
    # Whether or not opening the manhole is allowed.
    enabled: false
    # The path for the unix socket.
    path: /var/tmp/mautrix-signal.manhole
    # The list of UIDs who can be added to the whitelist.
    # If empty, any UIDs can be specified in the open-manhole command.
    whitelist:
        - 0
 signal:
    # Path to signald unix socket
    socket_path: /signald/signald.sock
    # Directory for temp files when sending files to Signal. This should be an
    # absolute path that signald can read. For attachments in the other direction,
    # make sure signald is configured to use an absolute path as the data directory.
    outgoing_attachment_dir: /signald/attachments
    # Directory where signald stores avatars for groups.
    avatar_dir: /signald/avatars
    # Directory where signald stores auth data. Used to delete data when logging out.
    data_dir: /signald/data
    # Whether or not unknown signald accounts should be deleted when the bridge is started.
    # When this is enabled, any UserInUse errors should be resolved by restarting the bridge.
    delete_unknown_accounts_on_start: false
    # Whether or not message attachments should be removed from disk after they're bridged.
    remove_file_after_handling: true
    # Whether or not users can register a primary device
    registration_enabled: true
    # Whether or not to enable disappearing messages in groups. If enabled, then the expiration
    # time of the messages will be determined by the first users to read the message, rather
    # than individually. If the bridge has a single user, this can be turned on safely.
    enable_disappearing_messages_in_groups: false
 # Bridge config
 bridge:
-    # The prefix for commands. Only required in non-management rooms.
+    # Localpart template of MXIDs for Signal users.
-    command_prefix: '!signal'
+    # {userid} is replaced with an identifier for the Signal user.
-    # Should the bridge create a space for each login containing the rooms that account is in?
+    username_template: "signal_{userid}"
-    personal_filtering_spaces: true
+    # Displayname template for Signal users.
-    # Whether the bridge should set names and avatars explicitly for DM portals.
+    # {displayname} is replaced with the displayname of the Signal user, which is the first
-    # This is only necessary when using clients that don't support MSC4171.
+    # available variable in displayname_preference. The variables in displayname_preference
    # can also be used here directly.
    displayname_template: "{displayname} (Signal)"
    # Whether or not contact list displaynames should be used.
    # Possible values: disallow, allow, prefer
    #
    # Multi-user instances are recommended to disallow contact list names, as otherwise there can
    # be conflicts between names from different users' contact lists.
    contact_list_names: disallow
    # Available variables: full_name, first_name, last_name, phone, uuid
    displayname_preference:
        - full_name
        - phone
    # Whether or not to create portals for all groups on login/connect.
    autocreate_group_portal: true
    # Whether or not to create portals for all contacts on login/connect.
    autocreate_contact_portal: false
    # Whether or not to make portals of Signal groups in which joining via invite link does
    # not need to be approved by an administrator publicly joinable on Matrix.
    public_portals: false
    # Whether or not to use /sync to get read receipts and typing notifications
    # when double puppeting is enabled
    sync_with_custom_puppets: false
    # Whether or not to update the m.direct account data event when double puppeting is enabled.
    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
    # and is therefore prone to race conditions.
    sync_direct_chat_list: false
    # Allow using double puppeting from any server with a valid client .well-known file.
    double_puppet_allow_discovery: false
    # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
    double_puppet_server_map:
        {{ env "HOMESERVER_DOMAIN" }}: {{ env "HOMESERVER_URL" }}
    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
    #
    # If set, custom puppets will be enabled automatically for local users
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    # If using this for other servers than the bridge's server,
    # you must also set the URL in the double_puppet_server_map.
    login_shared_secret_map:
        {{ env "HOMESERVER_DOMAIN" }}: {{ secret "shared_secret_auth" }}
    # Whether or not created rooms should have federation enabled.
    # If false, created portal rooms will never be federated.
    federate_rooms: true
    # End-to-bridge encryption support options.
    #
    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: {{ env "SIGNAL_ENABLE_ENCRYPTION" }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: false
        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
        appservice: false
        # Require encryption, drop any unencrypted messages.
        require: false
        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
        # You must use a client that supports requesting keys from other users to use this feature.
        allow_key_sharing: false
        # What level of device verification should be required from users?
        #
        # Valid levels:
        #   unverified - Send keys to all device in the room.
        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
        #                           Note that creating user signatures from the bridge bot is not currently possible.
        #   verified - Require manual per-device verification
        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
        verification_levels:
            # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
            receive: unverified
            # Minimum level that the bridge should accept for incoming Matrix messages.
            send: unverified
            # Minimum level that the bridge should require for accepting key requests.
            share: cross-signed-tofu
        # Options for Megolm room key rotation. These options allow you to
        # configure the m.room.encryption event content. See:
        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
        # more information about that event.
        rotation:
            # Enable custom Megolm room key rotation settings. Note that these
            # settings will only apply to rooms created after this option is
            # set.
            enable_custom: false
            # The maximum number of milliseconds a session should be used
            # before changing it. The Matrix spec recommends 604800000 (a week)
            # as the default.
            milliseconds: 604800000
            # The maximum number of messages that should be sent with a given a
            # session before changing it. The Matrix spec recommends 100 as the
            # default.
            messages: 100
    # Whether or not to explicitly set the avatar and room name for private
    # chat portal rooms. This will be implicitly enabled if encryption.default is true.
    private_chat_portal_meta: false
-
+    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
-    # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
+    # been sent to Signal. This let's you check manually whether the bridge is receiving your
-    bridge_matrix_leave: false
+    # messages.
-    # Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
+    # Note that this is not related to Signal delivery receipts.
-    # Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
+    delivery_receipts: false
-    tag_only_on_create: true
+    # Whether or not delivery errors should be reported as messages in the Matrix room.
-    # Should room mute status only be synced when creating the portal?
+    delivery_error_reports: true
-    # Like tags, mutes can't currently be synced back to the remote network.
+    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
-    mute_only_on_create: true
+    message_status_events: false
-
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
-    # What should be done to portal rooms when a user logs out or is logged out?
+    # This field will automatically be changed back to false after it,
-    # Permitted values:
+    # except if the config file is not writable.
-    #   nothing - Do nothing, let the user stay in the portals
+    resend_bridge_info: false
-    #   kick - Remove the user from the portal rooms, but don't delete them
+    # Interval at which to resync contacts (in seconds).
-    #   unbridge - Remove all ghosts in the room and disassociate it from the remote chat
+    periodic_sync: 0
-    #   delete - Remove all ghosts and users from the room (i.e. delete it)
+    # Should leaving the room on Matrix make the user leave on Signal?
-    cleanup_on_logout:
+    bridge_matrix_leave: true
-        # Should cleanup on logout be enabled at all?
+    # Provisioning API part of the web server for automated portal creation and fetching information.
-        enabled: false
+    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
-        # Settings for manual logouts (explicitly initiated by the Matrix user)
+    provisioning:
-        manual:
+        # Whether or not the provisioning API should be enabled.
            # Action for private portals which will never be shared with other Matrix users.
            private: nothing
            # Action for portals with a relay user configured.
            relayed: nothing
            # Action for portals which may be shared, but don't currently have any other Matrix users.
            shared_no_users: nothing
            # Action for portals which have other logged-in Matrix users.
            shared_has_users: nothing
        # Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
        # Keys have the same meanings as in the manual section.
        bad_credentials:
            private: nothing
            relayed: nothing
            shared_no_users: nothing
            shared_has_users: nothing
    # Settings for relay mode
    relay:
        # Whether relay mode should be allowed. If allowed, the set-relay command can be used to turn any
        # authenticated user into a relaybot for that chat.
        enabled: true
-        # Should only admins be allowed to set themselves as relay users?
+        # The prefix to use in the provisioning API endpoints.
-        # If true, non-admins can only set users listed in default_relays as relays in a room.
+        prefix: /_matrix/provision
-        admin_only: true
+        # The shared secret to authorize users of the API.
-        # List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
+        # Set to "generate" to generate and save a new token.
-        default_relays: []
+        shared_secret: generate
-        # The formats to use when sending messages via the relaybot.
+        # Segment API key to enable analytics tracking for web server
-        # Available variables:
+        # endpoints. Set to null to disable.
-        #   .Sender.UserID - The Matrix user ID of the sender.
+        # Currently the only events are login start, QR code scan, and login
-        #   .Sender.Displayname - The display name of the sender (if set).
+        # success/failure.
-        #   .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
+        segment_key: null
-        #   .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
+    # The prefix for commands. Only required in non-management rooms.
-        #                               plus the user ID in parentheses if the displayname is not unique.
+    command_prefix: "!signal"
-        #                               If the displayname is not set, this is just the user ID.
+    # Messages sent upon joining a management room.
-        #   .Message - The `formatted_body` field of the message.
+    # Markdown is supported. The defaults are listed below.
-        #   .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
+    management_room_text:
-        #   .FileName - The name of the file being sent.
+        # Sent when joining a room.
-        message_formats:
+        welcome: "Hello, I'm a Signal bridge bot."
-            m.text: "{{`{{ .Sender.DisambiguatedName }}: {{ .Message }}`}}"
+        # Sent when joining a management room and the user is already logged in.
-            m.notice: "{{`{{ .Sender.DisambiguatedName }}: {{ .Message }}`}}"
+        welcome_connected: "Use `help` for help."
-            m.emote: "{{`* {{ .Sender.DisambiguatedName }} {{ .Message }}`}}"
+        # Sent when joining a management room and the user is not logged in.
-            m.file: "{{`{{ .Sender.DisambiguatedName }} sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}`}}"
+        welcome_unconnected: "Use `help` for help or `link` to log in."
-            m.image: "{{`{{ .Sender.DisambiguatedName }} sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}`}}"
+        # Optional extra text sent when joining a management room.
-            m.audio: "{{`{{ .Sender.DisambiguatedName }} sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}`}}"
+        additional_help: ""
-            m.video: "{{`{{ .Sender.DisambiguatedName }} sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}`}}"
+    # Send each message separately (for readability in some clients)
-            m.location: "{{`{{ .Sender.DisambiguatedName }} sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}`}}"
+    management_room_multiple_messages: false
        # For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
        # This has all the Sender variables available under message_formats (but without the .Sender prefix).
        # Note that you need to manually remove the displayname from message_formats above.
        displayname_format: "{{`{{ .DisambiguatedName }}`}}"
    # Permissions for using the bridge.
    # Permitted values:
-    #    relay - Talk through the relaybot (if enabled), no access otherwise
+    #      relay - Allowed to be relayed through the bridge, no access to commands.
-    # commands - Access to use commands in the bridge, but not login.
+    #       user - Use the bridge with puppeting.
-    #     user - Access to use the bridge with puppeting.
+    #      admin - Use and administrate the bridge.
    #    admin - Full access, user level with some additional administration tools.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions: {{ env "SIGNAL_BRIDGE_PERMISSIONS" }}
-# Config for the bridge's database.
+    relay:
-database:
+        # Whether relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
-    # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+        # authenticated user into a relaybot for that chat.
    type: postgres
    # The database URI.
    #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
    #           https://github.com/mattn/go-sqlite3#connection-string
    #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
    #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
    uri:  postgres://signalbridge:{{ secret "signal_db_password" }}@signaldb/signalbridge?sslmode=disable
    # Maximum number of connections.
    max_open_conns: 5
    max_idle_conns: 1
    # Maximum connection idle time and lifetime before they're closed. Disabled if null.
    # Parsed with https://pkg.go.dev/time#ParseDuration
    max_conn_idle_time: null
    max_conn_lifetime: null
 # Homeserver details.
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
    # Local addresses without HTTPS are generally recommended when the bridge is running on the same machine,
    # but https also works if they run on different machines.
    address: {{ env "HOMESERVER_URL" }}
    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
    domain: {{ env "HOMESERVER_DOMAIN" }}
    # What software is the homeserver running?
    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
    software: standard
    # The URL to push real-time bridge status to.
    # If set, the bridge will make POST requests to this URL whenever a user's remote network connection state changes.
    # The bridge will use the appservice as_token to authorize requests.
    status_endpoint: null
    # Endpoint for reporting per-message status.
    # If set, the bridge will make POST requests to this URL when processing a message from Matrix.
    # It will make one request when receiving the message (step BRIDGE), one after decrypting if applicable
    # (step DECRYPTED) and one after sending to the remote network (step REMOTE). Errors will also be reported.
    # The bridge will use the appservice as_token to authorize requests.
    message_send_checkpoint_endpoint:
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
    async_media: false
    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
    # mautrix-asmux (deprecated), and hungryserv (proprietary).
    websocket: false
    # How often should the websocket be pinged? Pinging will be disabled if this is zero.
    ping_interval_seconds: 0
 # Application service host/registration related details.
 # Changing these values requires regeneration of the registration (except when noted otherwise)
 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: http://signalbridge:29328
    # A public address that external services can use to reach this appservice.
    # This value doesn't affect the registration file.
    public_address: https://bridge.example.com
    # The hostname and port where this appservice should listen.
    hostname: 0.0.0.0
    port: 29328
    # The unique ID of this appservice.
    id: signal
    # Appservice bot details.
    bot:
        # Username of the appservice bot.
        username: signalbot
        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
        # to leave display name/avatar as-is.
        displayname: Signal bridge bot
        avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
    # Whether to receive ephemeral events via appservice transactions.
    ephemeral_events: true
    # Should incoming events be handled asynchronously?
    # This may be necessary for large public instances with lots of messages going through.
    # However, messages will not be guaranteed to be bridged in the same order they were sent in.
    # This value doesn't affect the registration file.
    async_transactions: false
    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: "{{ secret "signal_as_token" }}"
    hs_token: "{{ secret "signal_hs_token" }}"
    # Localpart template of MXIDs for remote users.
    # {{ "{{.}}" }} is replaced with the internal ID of the user.
    username_template: signal_{{ "{{.}}" }}
 # Config options that affect the Matrix connector of the bridge.
 matrix:
    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
    message_status_events: false
    # Whether the bridge should send a read receipt after successfully bridging a message.
    delivery_receipts: false
    # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
    message_error_notices: true
    # Whether the bridge should update the m.direct account data event when double puppeting is enabled.
    sync_direct_chat_list: false
    # Whether created rooms should have federation enabled. If false, created portal rooms
    # will never be federated. Changing this option requires recreating rooms.
    federate_rooms: true
 # Settings for provisioning API
 provisioning:
    # Prefix for the provisioning API paths.
    prefix: /_matrix/provision
    # Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
    # or if set to "disable", the provisioning API will be disabled.
    shared_secret: generate
    # Whether to allow provisioning API requests to be authed using Matrix access tokens.
    # This follows the same rules as double puppeting to determine which server to contact to check the token,
    # which means that by default, it only works for users on the same server as the bridge.
    allow_matrix_auth: true
    # Enable debug API at /debug with provisioning authentication.
    debug_endpoints: false
 # Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
 # These settings control whether the bridge will provide such public media access.
 public_media:
    # Should public media be enabled at all?
    # The public_address field under the appservice section MUST be set when enabling public media.
    enabled: false
    # A key for signing public media URLs.
    # If set to "generate", a random key will be generated.
    signing_key: generate
    # Number of seconds that public media URLs are valid for.
    # If set to 0, URLs will never expire.
    expiry: 0
    # Length of hash to use for public media URLs. Must be between 0 and 32.
    hash_length: 32
 # Settings for converting remote media to custom mxc:// URIs instead of reuploading.
 # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
 direct_media:
    # Should custom mxc:// URIs be used instead of reuploading media?
    enabled: false
    # The server name to use for the custom mxc:// URIs.
    # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
    # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
    server_name: discord-media.example.com
    # Optionally a custom .well-known response. This defaults to `server_name:443`
    well_known_response:
    # Optionally specify a custom prefix for the media ID part of the MXC URI.
    media_id_prefix:
    # If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
    # media download redirects if the requester supports it. Optionally, you can force redirects
    # and not allow proxying at all by setting this to false.
    # This option does nothing if the remote network does not support media downloads over HTTP.
    allow_proxy: true
    # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
    # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
    server_key: generate
 # Settings for backfilling messages.
 # Note that the exact way settings are applied depends on the network connector.
 # See https://docs.mau.fi/bridges/general/backfill.html for more details.
 backfill:
    # Whether to do backfilling at all.
    enabled: false
    # Maximum number of messages to backfill in empty rooms.
    max_initial_messages: 50
    # Maximum number of missed messages to backfill after bridge restarts.
    max_catchup_messages: 500
    # If a backfilled chat is older than this number of hours,
    # mark it as read even if it's unread on the remote network.
    unread_hours_threshold: 720
    # Settings for backfilling threads within other backfills.
    threads:
        # Maximum number of messages to backfill in a new thread.
        max_initial_messages: 50
    # Settings for the backwards backfill queue. This only applies when connecting to
    # Beeper as standard Matrix servers don't support inserting messages into history.
    queue:
        # Should the backfill queue be enabled?
        enabled: false
-        # Number of messages to backfill in one batch.
+        # The formats to use when sending messages to Signal via a relay user.
-        batch_size: 100
+        #
-        # Delay between batches in seconds.
+        # Available variables:
-        batch_delay: 20
+        #   $sender_displayname - The display name of the sender (e.g. Example User)
-        # Maximum number of batches to backfill per portal.
+        #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
-        # If set to -1, all available messages will be backfilled.
+        #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
-        max_batches: -1
+        #   $message            - The message content
-        # Optional network-specific overrides for max batches.
+        message_formats:
-        # Interpretation of this field depends on the network connector.
+            m.text: '$sender_displayname: $message'
-        max_batches_override: {}
+            m.notice: '$sender_displayname: $message'
            m.emote: '* $sender_displayname $message'
            m.file: '$sender_displayname sent a file'
            m.image: '$sender_displayname sent an image'
            m.audio: '$sender_displayname sent an audio file'
            m.video: '$sender_displayname sent a video'
            m.location: '$sender_displayname sent a location'
        # Specify a dedicated relay account. Must be a regular matrix account logged into this bridge
        # and double puppeting working to auto-accept invites. When this user is invited to a room
        # it will automatically be set as the relay user. May be overridden with `set-relay` or `unset-relay`
        relaybot: '@relaybot:example.com'
    # Format for generting URLs from location messages for sending to Signal
    # Google Maps: 'https://www.google.com/maps/place/{lat},{long}'
    # OpenStreepMap: 'https://www.openstreetmap.org/?mlat={lat}&mlon={long}'
    location_format: 'https://www.google.com/maps/place/{lat},{long}'
-# Settings for enabling double puppeting
+# Python logging configuration.
 double_puppet:
    # Servers to always allow double puppeting from.
    # This is only for other servers and should NOT contain the server the bridge is on.
    servers:
        {{ env "HOMESERVER_DOMAIN" }}: {{ env "HOMESERVER_URL" }}
    # Whether to allow client API URL discovery for other servers. When using this option,
    # users on other servers can use double puppeting even if their server URLs aren't
    # explicitly added to the servers map above.
    allow_discovery: false
    # Shared secrets for automatic double puppeting.
    # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
    secrets:
        {{ env "HOMESERVER_DOMAIN" }}: {{ secret "shared_secret_auth" }}
 # End-to-bridge encryption support options.
 #
-# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+# See section 16.7.2 of the Python documentation for more info:
-encryption:
+# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
    # Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
    allow: {{ env "SIGNAL_ENABLE_ENCRYPTION" }}
    # Whether to force-enable encryption in all bridged rooms.
    default: {{ env "SIGNAL_DEFAULT_ENCRYPTION" }}
    # Whether to require all messages to be encrypted and drop any unencrypted messages.
    require: false
    # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
    # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
    appservice: false
    # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
    # You must use a client that supports requesting keys from other users to use this feature.
    allow_key_sharing: false
    # Pickle key for encrypting encryption keys in the bridge database.
    # If set to generate, a random key will be generated.
    pickle_key: {{ secret "signal_pickle_key" }}
    # Options for deleting megolm sessions from the bridge.
    delete_keys:
        # Beeper-specific: delete outbound sessions when hungryserv confirms
        # that the user has uploaded the key to key backup.
        delete_outbound_on_ack: false
        # Don't store outbound sessions in the inbound table.
        dont_store_outbound: false
        # Ratchet megolm sessions forward after decrypting messages.
        ratchet_on_decrypt: false
        # Delete fully used keys (index >= max_messages) after decrypting messages.
        delete_fully_used_on_decrypt: false
        # Delete previous megolm sessions from same device when receiving a new one.
        delete_prev_on_new_session: false
        # Delete megolm sessions received from a device when the device is deleted.
        delete_on_device_delete: false
        # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
        periodically_delete_expired: false
        # Delete inbound megolm sessions that don't have the received_at field used for
        # automatic ratcheting and expired session deletion. This is meant as a migration
        # to delete old keys prior to the bridge update.
        delete_outdated_inbound: false
    # What level of device verification should be required from users?
    #
    # Valid levels:
    #   unverified - Send keys to all device in the room.
    #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
    #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
    #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
    #                           Note that creating user signatures from the bridge bot is not currently possible.
    #   verified - Require manual per-device verification
    #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
    verification_levels:
        # Minimum level for which the bridge should send keys to when bridging messages from the remote network to Matrix.
        receive: unverified
        # Minimum level that the bridge should accept for incoming Matrix messages.
        send: unverified
        # Minimum level that the bridge should require for accepting key requests.
        share: cross-signed-tofu
    # Options for Megolm room key rotation. These options allow you to configure the m.room.encryption event content.
    # See https://spec.matrix.org/v1.10/client-server-api/#mroomencryption for more information about that event.
    rotation:
        # Enable custom Megolm room key rotation settings. Note that these
        # settings will only apply to rooms created after this option is set.
        enable_custom: false
        # The maximum number of milliseconds a session should be used
        # before changing it. The Matrix spec recommends 604800000 (a week)
        # as the default.
        milliseconds: 604800000
        # The maximum number of messages that should be sent with a given a
        # session before changing it. The Matrix spec recommends 100 as the
        # default.
        messages: 100
        # Disable rotating keys when a user's devices change?
        # You should not enable this option unless you understand all the implications.
        disable_device_change_key_rotation: false
 # Logging config. See https://github.com/tulir/zeroconfig for details.
 logging:
-    min_level: debug
+    version: 1
-    writers:
+    formatters:
-        - type: stdout
+        colored:
-          format: pretty-colored
+            (): mautrix_signal.util.ColorFormatter
-        - type: file
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
-          format: json
+        normal:
-          filename: ./logs/bridge.log
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
-          max_size: 100
+    handlers:
-          max_backups: 10
+        console:
-          compress: false
+            class: logging.StreamHandler
            formatter: colored
    loggers:
        mau:
            level: ERROR
        aiohttp:
            level: ERROR
    root:
        level: ERROR
        handlers: [console]
--- a/well_known_client.conf.tmpl
+++ b/well_known_client.conf.tmpl
@ -1,5 +0,0 @@
 {
  "m.homeserver": {
    "base_url": "https://{{ env "DOMAIN" }}"
  }
 }
--- a/well_known_server.conf.tmpl
+++ b/well_known_server.conf.tmpl
@ -1,3 +0,0 @@
 {
  "m.server": "{{ env "DOMAIN" }}:443"
 }
		`@ -1 +0,0 @@`
			`It's recommended not to upgrade / downgrade directly to this version (or other 5.y.z versions), because of service renaming which was reverted in 6.0.0+v1.100.0.`
		`@ -1 +0,0 @@`
			If you are upgrading from verison 5.y.z of this recipe, you will need to `undeploy` then `deploy`, because of a service rename which was reverted.
		`@ -1 +0,0 @@`
			`new optional env vars for user_directory and privacy options`