.drone.yml

@@ -17,21 +17,17 @@ steps:
       DOMAIN: matrix-synapse.swarm-test.autonomic.zone
       STACK_NAME: matrix-synapse
       LETS_ENCRYPT_ENV: production
-      DISCORD_BRIDGE_YAML_VERSION: v2
-      ENTRYPOINT_CONF_VERSION: v3
-      HOMESERVER_YAML_VERSION: v29
-      LOG_CONFIG_VERSION: v2
-      SHARED_SECRET_AUTH_VERSION: v2
-      SIGNAL_BRIDGE_YAML_VERSION: v5
-      TELEGRAM_BRIDGE_YAML_VERSION: v6
-      PG_BACKUP_VERSION: v1
-      WK_CLIENT_VERSION: v1
-      WK_SERVER_VERSION: v1
-      NGINX_CONFIG_VERSION: v8
+      DISCORD_BRIDGE_YAML_VERSION: v1
+      ENTRYPOINT_CONF_VERSION: v1
+      HOMESERVER_YAML_VERSION: v17
+      LOG_CONFIG_VERSION: v1
+      SHARED_SECRET_AUTH_VERSION: v1
+      SIGNAL_BRIDGE_YAML_VERSION: v1
+      TELEGRAM_BRIDGE_YAML_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_FORM_SECRET_VERSION: v1
-      SECRET_MACAROON_VERSION: v1
-      SECRET_REGISTRATION_VERSION: v1
+      SECRET_MACAROON_SECRET_KEY_VERSION: v1
+      SECRET_REGISTRATION_SHARED_SECRET_VERSION: v1
 trigger:
   branch:
     - main
@@ -47,7 +43,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - toolshed/auto-recipes-catalogue-json
+        - coop-cloud/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -6,7 +6,6 @@ ENABLE_AUTO_UPDATE=true
 LETS_ENCRYPT_ENV=production
 COMPOSE_FILE="compose.yml"
 # POST_DEPLOY_CMDS="db set_admin"
-ENABLE_BACKUPS=true
 
 ## Admin details
 
@@ -33,9 +32,6 @@ ALLOW_PUBLIC_ROOMS_FEDERATION=false
 ENABLE_REGISTRATION=false
 PASSWORD_LOGIN_ENABLED=true
 
-# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
-#REGISTRATION_REQUIRES_TOKEN=true
-
 ## Room auto-join
 
 #AUTO_JOIN_ROOM_ENABLED=1
@@ -68,14 +64,6 @@ ENCRYPTED_BY_DEFAULT=all
 # Set these to keyservers you trust - usually the same as your federation allowlist
 #TRUSTED_KEYSERVERS="trusted_key_servers:\n  - server_name: 'example.com'\n  - server_name: 'example2.com'"
 
-# some optional configs to increase privacy and security
-#REQUIRE_AUTH_FOR_PROFILE_REQUESTS=true
-#LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=true
-#DELETE_STALE_DEVICES_AFTER=1y
-#SESSION_LIFETIME=60d
-#TRACK_PUPPETED_USER_IPS=true
-
-
 ## Retention
 
 ALLOWED_LIFETIME_MAX=4w
@@ -86,11 +74,6 @@ RETENTION_MAX_LIFETIME=4w
 #MEDIA_RETENTION_LOCAL_LIFETIME=30d
 #MEDIA_RETENTION_REMOTE_LIFETIME=14d
 
-## Old Signing Key
-#OLD_SIGNING_KEY_ID=a_OLDKEYID
-#OLD_SIGNING_KEY=base64string
-#OLD_SIGNING_KEY_EXPIRES=123456789123
-
 ## Ratelimit
 
 #LOGIN_LIMIT_IP_PER_SECOND=5
@@ -139,13 +122,6 @@ RETENTION_MAX_LIFETIME=4w
 #SMTP_USER=
 #SECRET_SMTP_PASSWORD_VERSION=v1
 
-## USER-DIRECTORY
-
-#USER_DIRECTORY_ENABLED=true
-#USER_DIRECTORY_SEARCH_ALL_USERS=true
-#USER_DIRECTORY_PREFER_LOCAL_USERS=true
-#USER_DIRECTORY_SHOW_LOCKED_USERS=false
-
 ## App services
 
 #APP_SERVICES_ENABLED=1
@@ -182,7 +158,6 @@ RETENTION_MAX_LIFETIME=4w
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.signal.yml"
 #SIGNAL_ENABLE_ENCRYPTION=true
-#SIGNAL_DEFAULT_ENCRYPTION=true
 #SIGNAL_BRIDGE_PERMISSIONS="{ \"*\": \"relay\" }"
 #SECRET_SIGNAL_AS_TOKEN_VERSION=v1
 #SECRET_SIGNAL_DB_PASSWORD_VERSION=v1
@@ -197,8 +172,3 @@ RETENTION_MAX_LIFETIME=4w
 
 ## Web Client (Redirect)
 #WEB_CLIENT_LOCATION=https://element-web.example.com
-
-
-## Admin interface at /admin
-#COMPOSE_FILE="$COMPOSE_FILE:compose.admin.yml"
-#ADMIN_INTERFACE_ENABLED=1

README.md

@@ -54,6 +54,8 @@ For all Bridges:
 
 ### Telegram bridging
 
+> WIP docs
+
 You need to get your bot setup on the telegram side first by creating a [telegram app](https://my.telegram.org/apps) and a [telegram bot](https://docs.mau.fi/bridges/python/telegram/relay-bot.html#setup) and have these values:
 
 ```
@@ -61,36 +63,25 @@ api_id: ...
 api_hash: ...
 telegram_bot_token: ...
 ```
-Experimental script for a automated token replacement:
-```
-DOMAIN=<domain>
-abra app secret insert $DOMAIN telegram_api_hash v1 <secret>
-abra app secret insert $DOMAIN telegram_bot_token v1 <secret>
-abra app secret generate -a $DOMAIN
 
-abra app deploy $DOMAIN
-abra app cmd -l $DOMAIN set_bridge_tokens telegram
-```
-
-Alternatively a manual guide for the necessary steps:
+A rough guide for the following steps:
 
 ```
-DOMAIN=<domain>
-abra app secret insert $DOMAIN telegram_api_hash v1 <secret>
-abra app secret insert $DOMAIN telegram_bot_token v1 <secret>
-abra app secret generate -a $DOMAIN
+abra app secret insert <domain> telegram_api_hash v1 <secret>
+abra app secret insert <domain> telegram_bot_token v1 <secret>
+abra app secret generate -a <domain>
 
-abra app deploy $DOMAIN
-abra app run $DOMAIN telegrambridge cat /data/registration.yaml
-abra app undeploy $DOMAIN
+abra app deploy <domain>
+abra app run matrix.fva.wtf telegram_bridge cat /data/registration.yaml
+abra app undeploy <domain>
 
-abra app secret rm $DOMAIN telegram_as_token
-abra app secret insert $DOMAIN telegram_as_token v1 <secret>
+abra app secret rm <domain> telegram_as_token
+abra app secret insert <domain> telegram_as_token v1 <secret>
 
-abra app secret rm $DOMAIN telegram_hs_token
-abra app secret insert $DOMAIN telegram_hs_token v1 <secret>
+abra app secret rm <domain> telegram_as_token
+abra app secret insert <domain> telegram_hs_token v1 <secret>
 
-abra app deploy $DOMAIN
+abra app deploy <domain>
 ```
 
 Some helpful documentation:
@@ -119,29 +110,16 @@ Some helpful documentation:
 
 ### Signal bridging
 
-Experimental script for a more automated token replacement:
-```
-DOMAIN=<domain>
-abra app secret generate -a $DOMAIN
-abra app deploy $DOMAIN
-abra app cmd -l $DOMAIN set_bridge_tokens signal
-```
-Alternatively a manual guide for the necessary steps:
-```
-DOMAIN=<domain>
-abra app secret insert $DOMAIN signal_hs_token v1 foo
-abra app secret insert $DOMAIN signal_as_token v1 foo
-abra app secret generate $DOMAIN -a
-abra app deploy $DOMAIN
-abra app run $DOMAIN signalbridge cat /data/registration.yaml
+> WIP docs
 
-abra app secret rm $DOMAIN signal_as_token
-abra app secret insert $DOMAIN signal_as_token v1 <secret>
-abra app secret rm $DOMAIN signal_hs_token
-abra app secret insert $DOMAIN signal_hs_token v1 <secret>
+OK, it's also awful to set this up. Do you see a pattern emerging :)
 
-abra app deploy $DOMAIN
-```
-
-- message `@signalbot:example.com` to test
+- fake that you have the required tokens:
+  - `abra app secret insert example.com signal_hs_token v1 foo`
+  - `abra app secret insert example.com signal_as_token v1 foo`
+- generate the database password:
+  - `abra app secret generate example.com -a`
+- deploy the thing and then check the `/data/registration.yaml`
+- rm the fake `signal_hs/as_token` values and re-insert the new ones from `registration.yaml`
+- re-deploy the whole thing and then it should come up, message `@signalbot:example.com` to test
 - See the [docs](https://docs.mau.fi/bridges/go/signal/authentication.html) for authentication

abra.sh

@@ -1,15 +1,13 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
 export ENTRYPOINT_CONF_VERSION=v3
-export HOMESERVER_YAML_VERSION=v32
+export HOMESERVER_YAML_VERSION=v29
 export LOG_CONFIG_VERSION=v2
-export SHARED_SECRET_AUTH_VERSION=v2
-export SIGNAL_BRIDGE_YAML_VERSION=v6
+export SHARED_SECRET_AUTH_VERSION=v1
+export SIGNAL_BRIDGE_YAML_VERSION=v5
 export TELEGRAM_BRIDGE_YAML_VERSION=v6
-export NGINX_CONFIG_VERSION=v8
+export NGINX_CONFIG_VERSION=v7
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v1
-export PG_BACKUP_VERSION=v1
-export ADMIN_CONFIG_VERSION=v1
 
 set_admin () {
     admin=akadmin
@@ -19,36 +17,3 @@ set_admin () {
     fi
     psql -U synapse -c "UPDATE users SET admin = 1 WHERE name = '@$admin:$DOMAIN'";
 }
-
-set_bridge_tokens() {
-    if [ -z "$1" ]; then
-        echo "Error: Missing parameter. Usage: set_bridge_tokens <BRIDGETYPE>"
-        return 1
-    fi
-
-    BRIDGETYPE=$1
-    echo "retrieve tokens from registration.yaml..."
-    output=$(abra app run $DOMAIN app cat /${BRIDGETYPE}-data/registration.yaml)
-    if [ $? -ne 0 ]; then
-        echo "Error: Failed to retrieve registration.yaml for ${BRIDGETYPE} bridge:"
-        echo "$output"
-        return 1
-    fi
-
-    hs_token=$(echo "$output" | sed -n 's/^hs_token:[[:space:]]*\(.*\)$/\1/p')
-    as_token=$(echo "$output" | sed -n 's/^as_token:[[:space:]]*\(.*\)$/\1/p')
-
-    echo "HS Token: $hs_token"
-    echo "AS Token: $as_token"
-    echo "UNDEPLOY $DOMAIN?"
-    abra app undeploy $DOMAIN
-
-    echo "Replacing tokens:"
-    abra app secret rm $DOMAIN ${BRIDGETYPE}_as_token
-    abra app secret insert $DOMAIN ${BRIDGETYPE}_as_token v1 $as_token
-    abra app secret rm $DOMAIN ${BRIDGETYPE}_hs_token
-    abra app secret insert $DOMAIN ${BRIDGETYPE}_hs_token v1 $hs_token
-
-    echo "Redeploying $DOMAIN..."
-    abra app deploy -n $DOMAIN
-}

admin.conf.tmpl

@@ -1,3 +0,0 @@
-{
-  "restrictBaseUrl": "https://{{ env "DOMAIN" }}"
-}

compose.admin.yml

@@ -1,46 +0,0 @@
----
-version: "3.8"
-
-services:
-  admin:
-    image: awesometechnologies/synapse-admin:0.10.3
-    networks:
-      - proxy
-    deploy:
-      labels:
-        - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
-        - "traefik.http.services.${STACK_NAME}_admin.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}_admin.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})&&PathPrefix(`/admin`)"
-        - "traefik.http.routers.${STACK_NAME}_admin.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}_admin.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}_admin.middlewares=admin,admin_path"
-        - "traefik.http.middlewares.admin.redirectregex.regex=^(.*)/admin/?"
-        - "traefik.http.middlewares.admin.redirectregex.replacement=$${1}/admin/"
-        - "traefik.http.middlewares.admin_path.stripprefix.prefixes=/admin"
-    environment:
-      - DOMAIN
-    configs:
-      - source: admin_config
-        target: /app/config.json
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost"]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
-  web:
-    environment:
-      - ADMIN_INTERFACE_ENABLED
-
-
-networks:
-  proxy:
-    external: true
-
-configs:
-  admin_config:
-    name: ${STACK_NAME}_admin_config_${ADMIN_CONFIG_VERSION}
-    file: admin.conf.tmpl
-    template_driver: golang
-

compose.shared_secret_auth.yml

@@ -9,7 +9,7 @@ services:
       - shared_secret_auth
     configs:
       - source: shared_secret_auth
-        target: /usr/local/lib/python3.12/site-packages/shared_secret_authenticator.py
+        target: /usr/local/lib/python3.11/site-packages/shared_secret_authenticator.py
 
 configs:
   shared_secret_auth:

compose.signal.yml

@@ -10,7 +10,7 @@ services:
       - signal-data:/signal-data
 
   signalbridge:
-    image: dock.mau.dev/mautrix/signal:v0.7.5
+    image: dock.mau.dev/mautrix/signal:v0.7.1
     depends_on:
       - signaldb
     configs:
@@ -21,7 +21,6 @@ services:
       - HOMESERVER_URL
       - SIGNAL_BRIDGE_PERMISSIONS
       - SIGNAL_ENABLE_ENCRYPTION
-      - SIGNAL_DEFAULT_ENCRYPTION=${SIGNAL_DEFAULT_ENCRYPTION:-false}
       - VERIFY_SSL
     secrets:
       - signal_as_token
@@ -33,6 +32,10 @@ services:
       - signal-data:/data
     networks:
       - internal
+    deploy:
+      labels:
+          backupbot.backup: "true"
+          backupbot.backup.path: "/data"
 
   signaldb:
     image: postgres:13-alpine
@@ -53,13 +56,10 @@ services:
       - signal-postgres:/var/lib/postgresql/data
     deploy:
       labels:
-        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-        backupbot.backup.volumes.signal-postgres.path: "backup.sql"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
-    configs:
-        - source: pg_backup
-          target: /pg_backup.sh
-          mode: 0555
+          backupbot.backup: "true"
+          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.post-hook: "rm -r /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.path: "/var/lib/postgresql/data"
 
 configs:
   signal_bridge_yaml:

compose.telegram.yml

@@ -56,15 +56,6 @@ services:
       test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
     volumes:
       - telegram-postgres:/var/lib/postgresql/data
-    deploy:
-      labels:
-        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-        backupbot.backup.volumes.telegram-postgres.path: "backup.sql"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
-    configs:
-        - source: pg_backup
-          target: /pg_backup.sh
-          mode: 0555
 
 configs:
   telegram_bridge_yaml:

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   web:
-    image: nginx:1.27.4
+    image: nginx:1.27.1
     networks:
       - proxy
       - internal
@@ -30,12 +30,12 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
     healthcheck:
       test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
-      interval: 20s
-      timeout: 15s
+      interval: 5s
+      timeout: 3s
       retries: 20
 
   app:
-    image: "matrixdotorg/synapse:v1.124.0"
+    image: "matrixdotorg/synapse:v1.116.0"
     volumes:
       - "data:/data"
     secrets:
@@ -53,21 +53,8 @@ services:
       - ENABLE_3PID_LOOKUP
       - ENABLE_ALLOWLIST
       - ENABLE_REGISTRATION
-      - REGISTRATION_REQUIRES_TOKEN
       - ENCRYPTED_BY_DEFAULT
-      - OLD_SIGNING_KEY
-      - OLD_SIGNING_KEY_ID
-      - OLD_SIGNING_KEY_EXPIRES
-      - USER_DIRECTORY_ENABLED=${USER_DIRECTORY_ENABLED:-true}
-      - USER_DIRECTORY_SEARCH_ALL_USERS=${USER_DIRECTORY_SEARCH_ALL_USERS:-true}
-      - USER_DIRECTORY_PREFER_LOCAL_USERS=${USER_DIRECTORY_PREFER_LOCAL_USERS:-true}
-      - USER_DIRECTORY_SHOW_LOCKED_USERS=${USER_DIRECTORY_SHOW_LOCKED_USERS:-false}
       - FEDERATION_ALLOWLIST
-      - REQUIRE_AUTH_FOR_PROFILE_REQUESTS=${REQUIRE_AUTH_FOR_PROFILE_REQUESTS:-false}
-      - LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=${LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS:-false}
-      - DELETE_STALE_DEVICES_AFTER
-      - SESSION_LIFETIME
-      - TRACK_PUPPETED_USER_IPS=${TRACK_PUPPETED_USER_IPS:-false}
       - LETSENCRYPT_HOST=${DOMAIN}
       - MEDIA_RETENTION_LOCAL_LIFETIME
       - MEDIA_RETENTION_REMOTE_LIFETIME
@@ -104,7 +91,7 @@ services:
       restart_policy:
         condition: on-failure
       labels:
-        - "coop-cloud.${STACK_NAME}.version=6.6.3+v1.124.0"
+        - "coop-cloud.${STACK_NAME}.version=6.4.0+v1.116.0"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
@@ -137,14 +124,10 @@ services:
       - postgres:/var/lib/postgresql/data
     deploy:
       labels:
-        backupbot.backup: "${ENABLE_BACKUPS:-true}"
-        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-        backupbot.backup.volumes.postgres.path: "backup.sql"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
-    configs:
-        - source: pg_backup
-          target: /pg_backup.sh
-          mode: 0555
+          backupbot.backup: "true"
+          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.post-hook: "rm -r /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.path: "/var/lib/postgresql/data"
 
 volumes:
   data:
@@ -180,9 +163,6 @@ configs:
     name: ${STACK_NAME}_wk_client_${WK_CLIENT_VERSION}
     file: well_known_client.conf.tmpl
     template_driver: golang
-  pg_backup:
-    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
-    file: pg_backup.sh
 
 secrets:
   db_password:

homeserver.yaml.tmpl

@@ -16,12 +16,6 @@ server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#public_baseurl
 public_baseurl: https://{{ env "DOMAIN" }}/
 
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#require_auth_for_profile_requests
-require_auth_for_profile_requests: {{ env "REQUIRE_AUTH_FOR_PROFILE_REQUESTS" }}
-
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_profile_requests_to_users_who_share_rooms
-limit_profile_requests_to_users_who_share_rooms: {{ env "LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS" }}
-
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown
 serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
 
@@ -58,11 +52,6 @@ listeners:
       {{ end }}
     {{ end }}
 
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#delete_stale_devices_after
-{{ if (env "DELETE_STALE_DEVICES_AFTER") }}
-delete_stale_devices_after: {{ env "DELETE_STALE_DEVICES_AFTER" }}
-{{ end }}
-
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact
 admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}'
 
@@ -143,9 +132,6 @@ turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration
 enable_registration: {{ env "ENABLE_REGISTRATION" }}
 
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_requires_token
-registration_requires_token: {{ env "REGISTRATION_REQUIRES_TOKEN" }}
-
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup
 enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}
 
@@ -161,17 +147,9 @@ auto_join_rooms:
   - "{{ env "AUTO_JOIN_ROOM" }}"
 {{ end }}
 
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#session_lifetime
-{{ if (env "SESSION_LIFETIME") }}
-session_lifetime: {{ env "SESSION_LIFETIME" }}
-{{ end }}
-
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#report_stats
 report_stats: false
 
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#track_puppeted_user_ips
-track_puppeted_user_ips: {{ env "TRACK_PUPPETED_USER_IPS" }}
-
 {{ if eq (env "APP_SERVICES_ENABLED") "1" }}
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files
 app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }}
@@ -186,12 +164,6 @@ form_secret: "{{ secret "form_secret" }}"
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#signing_key_path
 signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"
 
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#old_signing_keys
-{{ if (and (env "OLD_SIGNING_KEY_ID") (env "OLD_SIGNING_KEY") (env "OLD_SIGNING_KEY_EXPIRES")) }}
-old_signing_keys:
-  "ed25519:{{ env "OLD_SIGNING_KEY_ID" }}": { key: "{{ env "OLD_SIGNING_KEY" }}", expired_ts: {{ env "OLD_SIGNING_KEY_EXPIRES" }} }
-{{ end }}
-
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers
 {{ if eq (env "ENABLE_ALLOWLIST") "1" }}
 trusted_key_servers: [] # NOTE(d1): defaults to requesting server directly, which matches FEDERATION_ALLOWLIST
@@ -274,10 +246,9 @@ encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory
 user_directory:
-  enabled: {{ env "USER_DIRECTORY_ENABLED" }}
-  search_all_users: {{ env "USER_DIRECTORY_SEARCH_ALL_USERS" }}
-  prefer_local_users: {{ env "USER_DIRECTORY_PREFER_LOCAL_USERS" }}
-  show_locked_users: {{ env "USER_DIRECTORY_SHOW_LOCKED_USERS" }}
+  enabled: true
+  search_all_users: true
+  prefer_local_users: true
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention
 media_retention:

nginx.conf.tmpl

@@ -36,20 +36,5 @@ http {
       default_type application/json;
       add_header Access-Control-Allow-Origin  *;
     }
-
-{{ if eq (env "ADMIN_INTERFACE_ENABLED") "1" }}
-    location ^~ /_synapse/admin {
-      if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
-        return 403;
-      }
-      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
-      proxy_set_header X-Forwarded-For $remote_addr;
-      proxy_set_header X-Forwarded-Proto https;
-      proxy_set_header Host $host;
-      client_max_body_size 50M;
-      proxy_http_version 1.1;
-    }
-{{ end }}
-
   }
 }

pg_backup.sh

@@ -1,34 +0,0 @@
-#!/bin/bash
-
-set -e
-
-BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
-
-function backup {
-  export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
-  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
-}
-
-function restore {
-    cd /var/lib/postgresql/data/
-    restore_config(){
-        # Restore allowed connections
-        cat pg_hba.conf.bak > pg_hba.conf
-        su postgres -c 'pg_ctl reload'
-    }
-    # Don't allow any other connections than local
-    cp pg_hba.conf pg_hba.conf.bak
-    echo "local all all trust" > pg_hba.conf
-    su postgres -c 'pg_ctl reload'
-    trap restore_config EXIT INT TERM
-
-    # Recreate Database
-    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
-    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
-    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
-
-    trap - EXIT INT TERM
-    restore_config
-}
-
-$@

release/6.6.1+v1.124.0

@@ -1 +0,0 @@
-added env REGISTRATION_REQUIRES_TOKEN

release/6.6.2+v1.124.0

@@ -1 +0,0 @@
-new optional env vars for user_directory and privacy options

release/6.6.3+v1.124.0

@@ -1 +0,0 @@
-added env for old-signing-keys

signal_bridge.yaml.tmpl

@@ -329,7 +329,7 @@ encryption:
     # Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
     allow: {{ env "SIGNAL_ENABLE_ENCRYPTION" }}
     # Whether to force-enable encryption in all bridged rooms.
-    default: {{ env "SIGNAL_DEFAULT_ENCRYPTION" }}
+    default: false
     # Whether to require all messages to be encrypted and drop any unencrypted messages.
     require: false
     # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.