coop-cloud/matrix-synapse
coop-cloud
/
matrix-synapse
4
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Compare commits

base: coop-cloud:main
Branches Tags
coop-cloud:main
coop-cloud:homeserver-config-updates
coop-cloud:backupbot
coop-cloud:serve_server_wellknown
coop-cloud:coturn
coop-cloud:5.0.6+v1.100.0
coop-cloud:6.0.2+v1.100.0
coop-cloud:6.0.1+v1.100.0
coop-cloud:6.0.0+v1.100.0
coop-cloud:5.0.5+v1.100.0
coop-cloud:5.0.4+v1.100.0
coop-cloud:5.0.3+v1.100.0
coop-cloud:5.0.2+v1.93.0
coop-cloud:5.0.1+v1.93.0
coop-cloud:5.0.0+v1.93.0
coop-cloud:4.0.0+v1.93.0
coop-cloud:3.9.1+v1.87.0
coop-cloud:3.9.0+v1.87.0
coop-cloud:3.8.0+v1.84.1
coop-cloud:3.7.0+v1.82.0
coop-cloud:3.6.0+v1.81.0
coop-cloud:3.5.0+v1.81.0
coop-cloud:3.4.0+v1.80.0
coop-cloud:3.3.0+v1.78.0
coop-cloud:3.2.0+v1.77.0
coop-cloud:3.1.0+v1.76.0
coop-cloud:3.0.0+v1.74.0
coop-cloud:2.6.0+v1.74.0
coop-cloud:2.5.0+v1.73.0
coop-cloud:2.4.0+v1.72.0
coop-cloud:2.3.0+v1.71.0
coop-cloud:2.2.0+v1.68.0
coop-cloud:2.1.0+v1.62.0
coop-cloud:2.0.0+v1.58.1
coop-cloud:1.3.0+v1.55.2
coop-cloud:1.2.0+v1.52.0
coop-cloud:1.1.0+v1.51.0
coop-cloud:1.0.1+1.48.0
..
compare: coop-cloud:coturn
Branches Tags
coop-cloud:main
coop-cloud:homeserver-config-updates
coop-cloud:backupbot
coop-cloud:serve_server_wellknown
coop-cloud:coturn
coop-cloud:5.0.6+v1.100.0
coop-cloud:6.0.2+v1.100.0
coop-cloud:6.0.1+v1.100.0
coop-cloud:6.0.0+v1.100.0
coop-cloud:5.0.5+v1.100.0
coop-cloud:5.0.4+v1.100.0
coop-cloud:5.0.3+v1.100.0
coop-cloud:5.0.2+v1.93.0
coop-cloud:5.0.1+v1.93.0
coop-cloud:5.0.0+v1.93.0
coop-cloud:4.0.0+v1.93.0
coop-cloud:3.9.1+v1.87.0
coop-cloud:3.9.0+v1.87.0
coop-cloud:3.8.0+v1.84.1
coop-cloud:3.7.0+v1.82.0
coop-cloud:3.6.0+v1.81.0
coop-cloud:3.5.0+v1.81.0
coop-cloud:3.4.0+v1.80.0
coop-cloud:3.3.0+v1.78.0
coop-cloud:3.2.0+v1.77.0
coop-cloud:3.1.0+v1.76.0
coop-cloud:3.0.0+v1.74.0
coop-cloud:2.6.0+v1.74.0
coop-cloud:2.5.0+v1.73.0
coop-cloud:2.4.0+v1.72.0
coop-cloud:2.3.0+v1.71.0
coop-cloud:2.2.0+v1.68.0
coop-cloud:2.1.0+v1.62.0
coop-cloud:2.0.0+v1.58.1
coop-cloud:1.3.0+v1.55.2
coop-cloud:1.2.0+v1.52.0
coop-cloud:1.1.0+v1.51.0
coop-cloud:1.0.1+1.48.0

7 Commits
main ... coturn

Author SHA1 Message Date
3wc e9f84f8fd8 Pin docker image tag 2021-04-03 14:38:46 +02:00
3wc ef719bcee4 Update for COTURN 2020-10-29 19:45:42 +02:00
3wc 309122240a SERVICE -> APP 2020-10-29 19:42:05 +02:00
3wc fd3c7a606a Rejig .envrc.sample 
[ci skip]
 2020-10-06 01:52:00 +02:00
3wc ad6a1c87dd Simplify set-up using custom abra command 2020-09-11 18:14:16 +02:00
3wc cfbd809761 Working(?) TURN server 2020-09-11 18:14:02 +02:00
3wc 2d78fff08f Add initial coturn server 2020-09-11 00:10:21 +02:00
38 changed files with 119 additions and 2380 deletions
Show Stats Expand all files Collapse all files

49
.drone.yml
View File

@ -1,49 +0,0 @@
---
kind: pipeline
name: deploy to swarm-test.autonomic.zone
steps:
- name: deployment
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
settings:
host: swarm-test.autonomic.zone
stack: matrix-synapse
generate_secrets: true
purge: true
deploy_key:
from_secret: drone_ssh_swarm_test
networks:
- proxy
environment:
DOMAIN: matrix-synapse.swarm-test.autonomic.zone
STACK_NAME: matrix-synapse
LETS_ENCRYPT_ENV: production
DISCORD_BRIDGE_YAML_VERSION: v1
ENTRYPOINT_CONF_VERSION: v1
HOMESERVER_YAML_VERSION: v17
LOG_CONFIG_VERSION: v1
SHARED_SECRET_AUTH_VERSION: v1
SIGNAL_BRIDGE_YAML_VERSION: v1
TELEGRAM_BRIDGE_YAML_VERSION: v1
SECRET_DB_PASSWORD_VERSION: v1
SECRET_FORM_SECRET_VERSION: v1
SECRET_MACAROON_SECRET_KEY_VERSION: v1
SECRET_REGISTRATION_SHARED_SECRET_VERSION: v1
trigger:
branch:
- main
---
kind: pipeline
name: generate recipe catalogue
steps:
- name: release a new version
image: plugins/downstream
settings:
server: https://build.coopcloud.tech
token:
from_secret: drone_abra-bot_token
fork: true
repositories:
- coop-cloud/auto-recipes-catalogue-json
trigger:
event: tag

169
.env.sample
View File

@ -1,169 +0,0 @@
TYPE=matrix-synapse
DOMAIN=matrix-synapse.example.com
TIMEOUT=300
ENABLE_AUTO_UPDATE=true
LETS_ENCRYPT_ENV=production
COMPOSE_FILE="compose.yml"
# POST_DEPLOY_CMDS="db set_admin"
## Admin details
ADMIN_EMAIL=admin@example.com
## Secrets
SECRET_DB_PASSWORD_VERSION=v1
SECRET_FORM_SECRET_VERSION=v1
SECRET_MACAROON_VERSION=v1
SECRET_REGISTRATION_VERSION=v1
## Federation
#DISABLE_FEDERATION=1
# Set "true" to enable federation endpoint on $DOMAIN/.well-known/matrix/server
SERVE_SERVER_WELLKNOWN=false
ALLOW_PUBLIC_ROOMS_FEDERATION=false
## Registration
ENABLE_REGISTRATION=false
PASSWORD_LOGIN_ENABLED=true
## Room auto-join
#AUTO_JOIN_ROOM_ENABLED=1
#AUTO_JOIN_ROOM="#example:example.com"
## Logging
# for the homserver
SQL_LOG_LEVEL=WARN
ROOT_LOG_LEVEL=WARN
# for nginx
NGINX_ACCESS_LOG_LOCATION="/dev/null"
NGINX_ERROR_LOG_LOCATION="/dev/null"
# Comment the previous two lines and uncomment these to enable logging
#NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
#NGINX_ERROR_LOG_LOCATION="/dev/stderr"
## Privacy
ENABLE_3PID_LOOKUP=true
USER_IPS_MAX_AGE=1d
ENCRYPTED_BY_DEFAULT=all
#ENABLE_ALLOWLIST=1
#FEDERATION_ALLOWLIST="[]"
# Set these to keyservers you trust - usually the same as your federation allowlist
#TRUSTED_KEYSERVERS="trusted_key_servers:\n - server_name: 'example.com'\n - server_name: 'example2.com'"
## Retention
ALLOWED_LIFETIME_MAX=4w
REDACTION_RETENTION_PERIOD=7d
RETENTION_MAX_LIFETIME=4w
#MEDIA_RETENTION_LOCAL_LIFETIME=30d
#MEDIA_RETENTION_REMOTE_LIFETIME=14d
## Ratelimit
#LOGIN_LIMIT_IP_PER_SECOND=5
#LOGIN_LIMIT_IP_BURST=15
#LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
#LOGIN_LIMIT_ACCOUNT_BURST=10
## Keycloak SSO
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
#KEYCLOAK_ENABLED=1
#KEYCLOAK_ID=keycloak
#KEYCLOAK_NAME=
#KEYCLOAK_URL=
#KEYCLOAK_CLIENT_ID=
#KEYCLOAK_CLIENT_DOMAIN=
#KEYCLOAK_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
## TURN
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
#KEYCLOAK3_ENABLED=1
#KEYCLOAK3_ID=keycloak3
#KEYCLOAK3_NAME=
#KEYCLOAK3_URL=
#KEYCLOAK3_CLIENT_ID=
#KEYCLOAK3_CLIENT_DOMAIN=
#KEYCLOAK3_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
#COMPOSE_FILE="$COMPOSE_FILE:compose.turn.yml"
#TURN_ENABLED=1
#TURN_URIS="[\"turns:coturn.foo.zone?transport=udp\", \"turns:coturn.foo.zone?transport=tcp\"]"
#TURN_ALLOW_GUESTS=true
#SECRET_TURN_SHARED_SECRET_VERSION=v1
## SMTP
#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
#SMTP_ENABLED=1
#SMTP_APP_NAME=
#SMTP_FROM=
#SMTP_HOST=
#SMTP_PORT=
#SMTP_USER=
#SECRET_SMTP_PASSWORD_VERSION=v1
## App services
#APP_SERVICES_ENABLED=1
#APP_SERVICE_CONFIGS="[\"...\"]"
## Telegram bridge
#COMPOSE_FILE="$COMPOSE_FILE:compose.telegram.yml"
#APP_SERVICE_BOT_USERNAME=telegrambot
#APP_SERVICE_DISPLAY_NAME="Telegram bridge bot"
#APP_SERVICE_ID=
#HOMESERVER_DOMAIN=$DOMAIN
#HOMESERVER_URL=https://$DOMAIN
#VERIFY_SSL=false
#ENABLE_ENCRYPTION=true
#TELEGRAM_APP_ID=
#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\", \"@foo:matrix.example.com\": \"admin\" }"
#TELEGRAM_SYNC_CHANNEL_MEMBERS=true
#SECRET_TELEGRAM_DB_PASSWORD_VERSION=v1
#SECRET_TELEGRAM_API_HASH_VERSION=v1
#SECRET_TELEGRAM_BOT_TOKEN_VERSION=v1
#SECRET_TELEGRAM_AS_TOKEN_VERSION=v1
#SECRET_TELEGRAM_HS_TOKEN_VERSION=v1
## Discord bridge
#COMPOSE_FILE="$COMPOSE_FILE:compose.discord.yml"
#DISCORD_CLIENT_ID=
#DISCORD_BRIDGE_ADMIN=
#SECRET_DISCORD_BOT_TOKEN_VERSION=v1
#SECRET_DISCORD_DB_PASSWORD_VERSION=v1
## Signal bridge
#COMPOSE_FILE="$COMPOSE_FILE:compose.signal.yml"
#SIGNAL_ENABLE_ENCRYPTION=true
#SIGNAL_BRIDGE_PERMISSIONS="{ \"*\": \"relay\" }"
#SECRET_SIGNAL_AS_TOKEN_VERSION=v1
#SECRET_SIGNAL_DB_PASSWORD_VERSION=v1
#SECRET_SIGNAL_HS_TOKEN_VERSION=v1
## Shared auth
#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
#SHARED_SECRET_AUTH_ENABLED=1
#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128

11
.envrc.sample Normal file
View File

@ -0,0 +1,11 @@
export STACK_NAME=matrix
export APP=matrix
export DOMAIN=matrix.example.com
export LETS_ENCRYPT_ENV=production
export ENTRYPOINT_CONF_VERSION=v1
## TURN server
#export TURNSERVER_CONF_VERSION=v1
#export COTURN_SHARED_SECRET_VERSION=v1

3
.gitignore vendored
View File

@ -1,2 +1 @@
.envrc
synapse
/.envrc

133
README.md
View File

@ -1,120 +1,19 @@
# Matrix (Synapse)
# Matrix Synapse
<!-- metadata -->
Matrix Synapse, based on the [official `matrixdotorg/synapse`
image][synapse-docker].
* **Category**: Apps
* **Status**: 0, work-in-progress
* **Image**: [`matrixdotorg/synapse`](https://hub.docker.com/r/matrixdotorg/synapse), 4, upstream
* **Healthcheck**: Yes
* **Backups**: No
* **Email**: Yes
* **Tests**: No
* **SSO**: Yes
1. Set up Docker Swarm and [`abra`][abra]
2. Deploy [`compose-stacks/traefik`][compose-traefik]
2. `cp .envrc.sample .envrc`
3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
your Docker swarm box
4. `direnv allow` (or `. .envrc`)
4. `abra secret_generate coturn_shared_secret`
5. `abra deploy`
6. `abra service_run synapse` to open a shell
7. `abra register_new_matrix_user`
<!-- endmetadata -->
## Basic usage
1. Set up Docker Swarm and [`abra`](https://docs.coopcloud.tech/abra/)
2. Deploy [`coop-cloud/traefik`](https://git.coopcloud.tech/coop-cloud/traefik)
3. `abra app new matrix-synapse --secrets` (optionally with `--pass` if you'd like to save secrets in `pass`)
4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to your Docker swarm box
5. `abra app deploy YOURAPPDOMAIN`
6. Create an initial user: `abra app run YOURAPPDOMAIN app register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
## Tips & Tricks
### Set Admin User
`abra app cmd YOURAPPDOMAIN db set_admin <adminuser>`
### Disabling federation
- Use `DISABLE_FEDERATION=1` to turn off federation listeners
- Don't use [`compose.matrix.yml`](https://git.coopcloud.tech/coop-cloud/traefik/src/branch/master/compose.matrix.yml) in your traefik config to keep the federation ports closed
### Enabling federation
See [`#27`](https://git.coopcloud.tech/coop-cloud/matrix-synapse/pulls/27) for more. Depending on your setup, using `SERVE_SERVER_WELLKNOWN=true` might work to start federating. Make sure you don't leave `DISABLE_FEDERATION=1` set!
### Getting client discovery on a custom domain
You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa/well-known-uris). This could be implemented in this recipe but we haven't merged it in yet. Change sets are welcome.
### Telegram bridging
> WIP docs
Setting it up is a bit of a chicken/egg & chasing cats moment.
You need to get your bot setup on the telegram side first by creating a [telegram app](https://my.telegram.org/apps) and a [telegram bot](https://docs.mau.fi/bridges/python/telegram/relay-bot.html#setup) and have these values:
```
api_id: ...
api_hash: ...
telegram_bot_token: ...
```
Also:
- Make sure to uncomment `APP_SERVICES_ENABLED`
- include the registration in synapse: `APP_SERVICE_CONFIGS="[\"/telegram-data/registration.yaml\"]"`
- and set yourself as admin under `TELEGRAM_BRIDGE_PERMISSIONS`
A rough guide for the following steps:
```
abra app secret insert <domain> telegram_api_hash v1 <secret>
abra app secret insert <domain> telegram_bot_token v1 <secret>
abra app secret generate -a <domain>
abra app deploy <domain>
abra app run matrix.fva.wtf telegram_bridge cat /data/registration.yaml
abra app undeploy <domain>
abra app secret rm <domain> telegram_as_token
abra app secret insert <domain> telegram_as_token v1 <secret>
abra app secret rm <domain> telegram_as_token
abra app secret insert <domain> telegram_hs_token v1 <secret>
abra app deploy <domain>
```
Some helpful documentation:
- [`docs.mau.fi`](https://docs.mau.fi/bridges/python/setup/docker.html?bridge=telegram)
- [`example-config.yaml`](https://mau.dev/mautrix/telegram/-/blob/master/mautrix_telegram/example-config.yaml)
### Discord bridging
> WIP docs
Just as messy as the Telegram bridging above! Rough guide:
- get a local copy of [`config.yaml`](https://github.com/matrix-org/matrix-appservice-discord/blob/develop/config/config.sample.yaml)
- fill it out with the values you need, all the discord token stuff, etc.
- run `mkdir -p data && cp config.yaml data/` then `docker run --rm -v data:/data halfshot/matrix-appservice-discord:v1.0.0 sh -c "cd /data && node /build/src/discordas.js -r -u "http://discordbridge:9005" -c config.yaml"`
- this generates the app service registration configuration you need to feed to the homeserver
- run secret generation for the `discord_db_password`, insert your `discord_bot_token`
- run `abra app cp <domain> discord-registration.yaml app:/discord-data` (it has to be called `discord-registration.yaml`)
- deploy the bridge & happy hacking
Some helpful documentation:
- [`matrix-org/matrix-appservice-discord` docs](https://github.com/matrix-org/matrix-appservice-discord#bridging-a-room)
- [`t2bot.io/discord`](https://t2bot.io/discord/)
### Signal bridging
> WIP docs
OK, it's also awful to set this up. Do you see a pattern emerging :)
- fake that you have the required tokens:
- `abra app secret insert example.com signal_hs_token v1 foo`
- `abra app secret insert example.com signal_as_token v1 foo`
- generate the database password:
- `abra app secret generate example.com -a`
- deploy the thing and then check the `/data/registration.yaml`
- rm the fake `signal_hs/as_token` values and re-insert the new ones from `registration.yaml`
- re-deploy the whole thing and then it should come up, message `@signalbot:example.com` to test
[synapse-docker]: https://hub.docker.com/r/matrixdotorg/synapse
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik

3
abra-commands.sh Normal file
View File

@ -0,0 +1,3 @@
sub_register_new_matrix_user() {
abra run synapse register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008
}

19
abra.sh
View File

@ -1,19 +0,0 @@
export DISCORD_BRIDGE_YAML_VERSION=v2
export ENTRYPOINT_CONF_VERSION=v2
export HOMESERVER_YAML_VERSION=v28
export LOG_CONFIG_VERSION=v2
export SHARED_SECRET_AUTH_VERSION=v1
export SIGNAL_BRIDGE_YAML_VERSION=v4
export TELEGRAM_BRIDGE_YAML_VERSION=v6
export NGINX_CONFIG_VERSION=v6
export WK_SERVER_VERSION=v1
export WK_CLIENT_VERSION=v1
set_admin () {
admin=akadmin
if [ -n "$1" ]
then
admin=$1
fi
psql -U synapse -c "UPDATE users SET admin = 1 WHERE name = '@$admin:$DOMAIN'";
}

35
compose.coturn.yml Normal file
View File

@ -0,0 +1,35 @@
services:
app:
environment:
- TURN_SERVER=${DOMAIN}
- TURN_PORT=3478
secrets:
- coturn_shared_secret
coturn:
image: instrumentisto/coturn:latest
networks:
- swarm_host
secrets:
- coturn_shared_secret
configs:
- source: turnserver_conf
target: /etc/coturn/turnserver.conf
configs:
turnserver_conf:
name: ${STACK_NAME}_turnserver_conf_${TURNSERVER_CONF_VERSION}
file: turnserver.conf.tmpl
template_driver: golang
secrets:
coturn_shared_secret:
external: true
name: ${STACK_NAME}_coturn_shared_secret_${COTURN_SHARED_SECRET_VERSION}
networks:
# use host-mode networking until Docker can handle mass port-forwards:
# https://github.com/moby/moby/issues/11185
swarm_host:
external:
name: 'host'

66
compose.discord.yml
View File

@ -1,66 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- APP_SERVICES_ENABLED
- APP_SERVICE_CONFIGS
volumes:
- discord-data:/discord-data
discordbridge:
image: halfshot/matrix-appservice-discord:v1.0.0
depends_on:
- discorddb
configs:
- source: discord_bridge_yaml
target: /data/config.yaml
environment:
- DISCORD_CLIENT_ID
- DISCORD_BRIDGE_ADMIN
- HOMESERVER_DOMAIN
- HOMESERVER_URL
secrets:
- discord_bot_token
- discord_db_password
volumes:
- discord-data:/data
networks:
- internal
discorddb:
image: postgres:13-alpine
secrets:
- discord_db_password
environment:
- LC_COLLATE=C
- LC_CTYPE=C
- POSTGRES_DB=discordbridge
- POSTGRES_INITDB_ARGS="-E \"UTF8\""
- POSTGRES_PASSWORD_FILE=/run/secrets/discord_db_password
- POSTGRES_USER=discordbridge
networks:
- internal
healthcheck:
test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
volumes:
- discord-postgres:/var/lib/postgresql/data
configs:
discord_bridge_yaml:
name: ${STACK_NAME}_discord_bridge_yaml_${DISCORD_BRIDGE_YAML_VERSION}
file: discord_bridge.yaml.tmpl
template_driver: golang
volumes:
discord-data:
discord-postgres:
secrets:
discord_db_password:
external: true
name: ${STACK_NAME}_discord_db_password_${SECRET_DISCORD_DB_PASSWORD_VERSION}
discord_bot_token:
external: true
name: ${STACK_NAME}_discord_bot_token_${SECRET_DISCORD_BOT_TOKEN_VERSION}

24
compose.keycloak.yml
View File

@ -1,24 +0,0 @@
---
version: "3.8"
services:
app:
secrets:
- db_password
- form_secret
- keycloak_client_secret
- macaroon
- registration
environment:
- KEYCLOAK_CLIENT_DOMAIN
- KEYCLOAK_CLIENT_ID
- KEYCLOAK_ENABLED
- KEYCLOAK_NAME
- KEYCLOAK_ID
- KEYCLOAK_URL
- KEYCLOAK_ALLOW_EXISTING_USERS
secrets:
keycloak_client_secret:
external: true
name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET_VERSION}

19
compose.keycloak2.yml
View File

@ -1,19 +0,0 @@
---
version: "3.8"
services:
app:
secrets:
- keycloak2_client_secret
environment:
- KEYCLOAK2_ALLOW_EXISTING_USERS
- KEYCLOAK2_CLIENT_ID
- KEYCLOAK2_ENABLED
- KEYCLOAK2_ID
- KEYCLOAK2_NAME
- KEYCLOAK2_URL
secrets:
keycloak2_client_secret:
external: true
name: ${STACK_NAME}_keycloak2_client_secret_${SECRET_KEYCLOAK2_CLIENT_SECRET_VERSION}

19
compose.keycloak3.yml
View File

@ -1,19 +0,0 @@
---
version: "3.8"
services:
app:
secrets:
- keycloak3_client_secret
environment:
- KEYCLOAK3_ALLOW_EXISTING_USERS
- KEYCLOAK3_CLIENT_ID
- KEYCLOAK3_ENABLED
- KEYCLOAK3_ID
- KEYCLOAK3_NAME
- KEYCLOAK3_URL
secrets:
keycloak3_client_secret:
external: true
name: ${STACK_NAME}_keycloak3_client_secret_${SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION}

22
compose.shared_secret_auth.yml
View File

@ -1,22 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- SHARED_SECRET_AUTH_ENABLED
secrets:
- shared_secret_auth
configs:
- source: shared_secret_auth
target: /usr/local/lib/python3.11/site-packages/shared_secret_authenticator.py
configs:
shared_secret_auth:
name: ${STACK_NAME}_shared_secret_auth_${SHARED_SECRET_AUTH_VERSION}
file: shared_secret_authenticator.py
secrets:
shared_secret_auth:
external: true
name: ${STACK_NAME}_shared_secret_auth_${SECRET_SHARED_SECRET_AUTH_VERSION}

81
compose.signal.yml
View File

@ -1,81 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- APP_SERVICES_ENABLED
- APP_SERVICE_CONFIGS
volumes:
- signal-data:/signal-data
signald:
image: docker.io/signald/signald:0.23.2-non-root
networks:
- internal
volumes:
- signald-data:/signald
signalbridge:
image: dock.mau.dev/mautrix/signal:v0.4.3
depends_on:
- signaldb
configs:
- source: signal_bridge_yaml
target: /data/config.yaml
environment:
- HOMESERVER_DOMAIN
- HOMESERVER_URL
- SIGNAL_BRIDGE_PERMISSIONS
- SIGNAL_ENABLE_ENCRYPTION
- VERIFY_SSL
secrets:
- signal_as_token
- signal_db_password
- signal_hs_token
- shared_secret_auth
volumes:
- signal-data:/data
- signald-data:/signald
networks:
- internal
signaldb:
image: postgres:13-alpine
secrets:
- signal_db_password
environment:
- LC_COLLATE=C
- LC_CTYPE=C
- POSTGRES_DB=signalbridge
- POSTGRES_INITDB_ARGS="-E \"UTF8\""
- POSTGRES_PASSWORD_FILE=/run/secrets/signal_db_password
- POSTGRES_USER=signalbridge
networks:
- internal
healthcheck:
test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
volumes:
- signal-postgres:/var/lib/postgresql/data
configs:
signal_bridge_yaml:
name: ${STACK_NAME}_signal_bridge_yaml_${SIGNAL_BRIDGE_YAML_VERSION}
file: signal_bridge.yaml.tmpl
template_driver: golang
volumes:
signald-data:
signal-data:
signal-postgres:
secrets:
signal_db_password:
external: true
name: ${STACK_NAME}_signal_db_password_${SECRET_SIGNAL_DB_PASSWORD_VERSION}
signal_as_token:
external: true
name: ${STACK_NAME}_signal_as_token_${SECRET_SIGNAL_AS_TOKEN_VERSION}
signal_hs_token:
external: true
name: ${STACK_NAME}_signal_hs_token_${SECRET_SIGNAL_HS_TOKEN_VERSION}

23
compose.smtp.yml
View File

@ -1,23 +0,0 @@
---
version: "3.8"
services:
app:
secrets:
- db_password
- form_secret
- macaroon
- registration
- smtp_password
environment:
- SMTP_APP_NAME
- SMTP_ENABLED
- SMTP_FROM
- SMTP_HOST
- SMTP_PORT
- SMTP_USER
secrets:
smtp_password:
external: true
name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}

85
compose.telegram.yml
View File

@ -1,85 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- APP_SERVICES_ENABLED
- APP_SERVICE_CONFIGS
volumes:
- telegram-data:/telegram-data
telegrambridge:
image: dock.mau.dev/mautrix/telegram:v0.15.1
depends_on:
- telegramdb
configs:
- source: telegram_bridge_yaml
target: /data/config.yaml
environment:
- APP_SERVICE_BOT_USERNAME
- APP_SERVICE_DISPLAY_NAME
- APP_SERVICE_ID
- ENABLE_ENCRYPTION
- HOMESERVER_DOMAIN
- HOMESERVER_URL
- TELEGRAM_APP_ID
- TELEGRAM_BRIDGE_PERMISSIONS
- TELEGRAM_SYNC_CHANNEL_MEMBERS
- VERIFY_SSL
secrets:
- telegram_api_hash
- telegram_as_token
- telegram_bot_token
- telegram_db_password
- telegram_hs_token
- shared_secret_auth
volumes:
- telegram-data:/data
networks:
- internal
telegramdb:
image: postgres:13-alpine
secrets:
- telegram_db_password
environment:
- LC_COLLATE=C
- LC_CTYPE=C
- POSTGRES_DB=telegrambridge
- POSTGRES_INITDB_ARGS="-E \"UTF8\""
- POSTGRES_PASSWORD_FILE=/run/secrets/telegram_db_password
- POSTGRES_USER=telegrambridge
networks:
- internal
healthcheck:
test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
volumes:
- telegram-postgres:/var/lib/postgresql/data
configs:
telegram_bridge_yaml:
name: ${STACK_NAME}_telegram_bridge_yaml_${TELEGRAM_BRIDGE_YAML_VERSION}
file: telegram_bridge.yaml.tmpl
template_driver: golang
volumes:
telegram-data:
telegram-postgres:
secrets:
telegram_db_password:
external: true
name: ${STACK_NAME}_telegram_db_password_${SECRET_TELEGRAM_DB_PASSWORD_VERSION}
telegram_api_hash:
external: true
name: ${STACK_NAME}_telegram_api_hash_${SECRET_TELEGRAM_API_HASH_VERSION}
telegram_bot_token:
external: true
name: ${STACK_NAME}_telegram_bot_token_${SECRET_TELEGRAM_BOT_TOKEN_VERSION}
telegram_as_token:
external: true
name: ${STACK_NAME}_telegram_as_token_${SECRET_TELEGRAM_AS_TOKEN_VERSION}
telegram_hs_token:
external: true
name: ${STACK_NAME}_telegram_hs_token_${SECRET_TELEGRAM_HS_TOKEN_VERSION}

20
compose.turn.yml
View File

@ -1,20 +0,0 @@
---
version: "3.8"
services:
app:
secrets:
- db_password
- form_secret
- macaroon
- registration
- turn_shared_secret
environment:
- TURN_ALLOW_GUESTS
- TURN_ENABLED
- TURN_URIS
secrets:
turn_shared_secret:
external: true
name: ${STACK_NAME}_turn_shared_secret_${SECRET_TURN_SHARED_SECRET_VERSION}

169
compose.yml
View File

@ -2,177 +2,48 @@
version: "3.8"
services:
web:
image: nginx:1.25.3
networks:
- proxy
- internal
environment:
- DOMAIN
- STACK_NAME
- NGINX_ACCESS_LOG_LOCATION
- NGINX_ERROR_LOG_LOCATION
configs:
- source: nginx_config
target: /etc/nginx/nginx.conf
- source: wk_server
target: /var/www/.well-known/matrix/server
- source: wk_client
target: /var/www/.well-known/matrix/client
deploy:
restart_policy:
condition: on-failure
labels:
- "traefik.enable=true"
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
healthcheck:
test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
interval: 5s
timeout: 3s
retries: 20
app:
image: "matrixdotorg/synapse:v1.100.0"
image: "matrixdotorg/synapse:v1.9.1"
volumes:
- "data:/data"
secrets:
- db_password
- registration
- macaroon
- form_secret
- "synapse:/data"
environment:
- ALLOWED_LIFETIME_MAX
- ALLOW_PUBLIC_ROOMS_FEDERATION
- AUTO_JOIN_ROOM
- AUTO_JOIN_ROOM_ENABLED
- DISABLE_FEDERATION
- DOMAIN
- ENABLE_3PID_LOOKUP
- ENABLE_ALLOWLIST
- ENABLE_REGISTRATION
- ENCRYPTED_BY_DEFAULT
- FEDERATION_ALLOWLIST
- LETSENCRYPT_HOST=${DOMAIN}
- MEDIA_RETENTION_LOCAL_LIFETIME
- MEDIA_RETENTION_REMOTE_LIFETIME
- PASSWORD_LOGIN_ENABLED
- REDACTION_RETENTION_PERIOD
- RETENTION_MAX_LIFETIME
- ROOT_LOG_LEVEL
- SERVE_SERVER_WELLKNOWN
- SQL_LOG_LEVEL
- STACK_NAME
- SYNAPSE_ADMIN_EMAIL
- SYNAPSE_REPORT_STATS=no
- SYNAPSE_SERVER_NAME=${DOMAIN}
- USER_IPS_MAX_AGE
- VIRTUAL_HOST=${DOMAIN}
- VIRTUAL_PORT=8008
- LOGIN_LIMIT_IP_PER_SECOND=${LOGIN_LIMIT_IP_PER_SECOND:-0.003}
- LOGIN_LIMIT_IP_BURST=${LOGIN_LIMIT_IP_BURST:-5}
- LOGIN_LIMIT_ACCOUNT_PER_SECOND=${LOGIN_LIMIT_ACCOUNT_PER_SECOND:-0.003}
- LOGIN_LIMIT_ACCOUNT_BURST=${LOGIN_LIMIT_ACCOUNT_BURST:-5}
networks:
- internal
entrypoint: /docker-entrypoint.sh
- LETSENCRYPT_HOST=${DOMAIN}
- SYNAPSE_SERVER_NAME=${DOMAIN}
- SYNAPSE_REPORT_STATS=no
networks:
- proxy
configs:
- source: homeserver_yaml
target: /data/homeserver.yaml
- source: log_config
target: /data/log.config
- source: entrypoint_conf
target: /docker-entrypoint.sh
mode: 0555
entrypoint: /docker-entrypoint.sh
deploy:
restart_policy:
condition: on-failure
delay: "60s"
max_attempts: 3
window: 120s
labels:
- "coop-cloud.${STACK_NAME}.version=6.0.2+v1.100.0"
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
interval: 30s
timeout: 10s
retries: 10
start_period: 1m
db:
image: postgres:13-alpine
secrets:
- db_password
environment:
- LC_COLLATE=C
- LC_CTYPE=C
- POSTGRES_DB=synapse
- POSTGRES_INITDB_ARGS="-E \"UTF8\""
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- POSTGRES_USER=synapse
- DOMAIN
networks:
- internal
healthcheck:
test: ["CMD", "pg_isready", "-U", "synapse"]
interval: 30s
timeout: 10s
retries: 10
start_period: 1m
volumes:
- postgres:/var/lib/postgresql/data
deploy:
labels:
backupbot.backup: "true"
backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
backupbot.backup.post-hook: "rm -r /var/lib/postgresql/data/backup.sql"
backupbot.backup.path: "/var/lib/postgresql/data"
- "traefik.enable=true"
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008"
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
volumes:
data:
postgres:
synapse:
networks:
proxy:
external: true
internal:
configs:
entrypoint_conf:
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang
homeserver_yaml:
name: ${STACK_NAME}_homeserver_yaml_${HOMESERVER_YAML_VERSION}
file: homeserver.yaml.tmpl
template_driver: golang
log_config:
name: ${STACK_NAME}_log_config_${LOG_CONFIG_VERSION}
file: log.config.tmpl
template_driver: golang
nginx_config:
name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
file: nginx.conf.tmpl
template_driver: golang
wk_server:
name: ${STACK_NAME}_wk_server_${WK_SERVER_VERSION}
file: well_known_server.conf.tmpl
template_driver: golang
wk_client:
name: ${STACK_NAME}_wk_client_${WK_CLIENT_VERSION}
file: well_known_client.conf.tmpl
template_driver: golang
secrets:
db_password:
external: true
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
registration:
external: true
name: ${STACK_NAME}_registration_${SECRET_REGISTRATION_VERSION}
macaroon:
external: true
name: ${STACK_NAME}_macaroon_${SECRET_MACAROON_VERSION}
form_secret:
external: true
name: ${STACK_NAME}_form_secret_${SECRET_FORM_SECRET_VERSION}

123
discord_bridge.yaml.tmpl
View File

@ -1,123 +0,0 @@
bridge:
# Domain part of the bridge, e.g. matrix.org
domain: "{{ env "HOMESERVER_DOMAIN" }}"
# This should be your publicly-facing URL because Discord may use it to
# fetch media from the media store.
homeserverUrl: "{{ env "HOMESERVER_URL" }}"
# The TCP port on which the appservice runs on.
port: 9005
# Interval at which to process users in the 'presence queue'. If you have
# 5 users, one user will be processed every 500 milliseconds according to the
# value below. This has a minimum value of 250.
# WARNING: This has a high chance of spamming the homeserver with presence
# updates since it will send one each time somebody changes state or is online.
presenceInterval: 500
# Disable setting presence for 'ghost users' which means Discord users on Matrix
# will not be shown as away or online.
disablePresence: false
# Disable sending typing notifications when somebody on Discord types.
disableTypingNotifications: false
# Disable deleting messages on Discord if a message is redacted on Matrix.
disableDeletionForwarding: false
# Disable portal bridging, where Matrix users can search for unbridged Discord
# rooms on their Matrix server.
disablePortalBridging: false
# Enable users to bridge rooms using !discord commands. See
# https://t2bot.io/discord for instructions.
enableSelfServiceBridging: true
# Disable sending of read receipts for Matrix events which have been
# successfully bridged to Discord.
disableReadReceipts: false
# Disable Join Leave echos from matrix
disableJoinLeaveNotifications: false
# Disable Invite echos from matrix
disableInviteNotifications: false
# Auto-determine the language of code blocks (this can be CPU-intensive)
determineCodeLanguage: false
# MXID of an admin user that will be PMd if the bridge experiences problems. Optional
adminMxid: '{{ env "DISCORD_BRIDGE_ADMIN" }}'
# The message to send to the bridge admin if the Discord token is not valid
invalidTokenMessage: 'Your Discord bot token seems to be invalid, and the bridge cannot function. Please update it in your bridge settings and restart the bridge'
# Authentication configuration for the discord bot.
auth:
# This MUST be a string (wrapped in quotes)
clientID: "{{ env "DISCORD_CLIENT_ID" }}"
botToken: "{{ secret "discord_bot_token" }}"
# You must enable "Privileged Gateway Intents" in your bot settings on discord.com (e.g. https://discord.com/developers/applications/12345/bot)
# for this to work
usePrivilegedIntents: false
logging:
# What level should the logger output to the console at.
console: "error" #silly, verbose, info, http, warn, error, silent
lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format
files:
- file: "debug.log"
disable:
- "PresenceHandler" # Will not capture presence logging
- file: "warn.log" # Will capture warnings
level: "warn"
- file: "botlogs.log" # Will capture logs from DiscordBot
level: "info"
enable:
- "DiscordBot"
database:
# You may either use SQLite or Postgresql for the bridge database, which contains
# important mappings for events and user puppeting configurations.
# Use the filename option for SQLite, or connString for Postgresql.
# If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite
# WARNING: You will almost certainly be fine with sqlite unless your bridge
# is in heavy demand and you suffer from IO slowness.
connString: "postgres://discordbridge:{{ secret "discord_db_password" }}@discorddb/discordbridge"
room:
# Set the default visibility of alias rooms, defaults to "public".
# One of: "public", "private"
defaultVisibility: "public"
channel:
# Pattern of the name given to bridged rooms.
# Can use :guild for the guild name and :name for the channel name.
namePattern: "[Discord] :guild :name"
# Changes made to rooms when a channel is deleted.
deleteOptions:
# Prefix the room name with a string.
#namePrefix: "[Deleted]"
# Prefix the room topic with a string.
#topicPrefix: "This room has been deleted"
# Disable people from talking in the room by raising the event PL to 50
disableMessaging: false
# Remove the discord alias from the room.
unsetRoomAlias: true
# Remove the room from the directory.
unlistFromDirectory: true
# Set the room to be unavailable for joining without an invite.
setInviteOnly: true
# Make all the discord users leave the room.
ghostsLeave: true
limits:
# Delay in milliseconds between discord users joining a room.
roomGhostJoinDelay: 6000
# Lock timeout in milliseconds before sending messages to discord to avoid
# echos. Default is rather high as the lock will most likely time out
# before anyways.
# echos = (Copies of a sent message may arrive from discord before we've
# fininished handling it, causing us to echo it back to the room)
discordSendDelay: 1500
# Set a maximum of rooms to be bridged.
# roomCount: 20
ghosts:
# Pattern for the ghosts nick, available is :nick, :username, :tag and :id
nickPattern: ":nick"
# Pattern for the ghosts username, available is :username, :tag and :id
usernamePattern: ":username#:tag"
# Prometheus-compatible metrics endpoint
metrics:
enable: false
port: 9001
host: "127.0.0.1"

18
entrypoint.sh.tmpl
View File

@ -1,12 +1,18 @@
#!/bin/bash
# https://github.com/matrix-org/synapse/tree/develop/docker#running-synapse
# default user permissions for the synapse user
chown 991:991 /data
if [[ ! -f /data/homeserver.yaml ]]; then
/start.py generate
if [[ ! -f /data/{{ env "DOMAIN" }}.signing.key ]]; then
/start.py generate
chown -R 991:991 /data/*.config /data/*.key
apt update && apt install -y wget
wget https://github.com/mikefarah/yq/releases/download/3.3.2/yq_linux_amd64 && \
chmod +x yq_linux_amd64 && \
mv yq_linux_amd64 /bin/yq
# turn (https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md#synapse-setup)
yq w -i /data/homeserver.yaml turn_uris "[]"
yq w -i /data/homeserver.yaml turn_uris\[0\] "turn:${TURN_SERVER}:${TURN_PORT}?transport=udp"
yq w -i /data/homeserver.yaml turn_uris\[1\] "turn:${TURN_SERVER}:${TURN_PORT}?transport=tcp"
yq w -i /data/homeserver.yaml coturn_shared_secret "$(tr -d \"\n\" < /run/secrets/coturn_shared_secret)"
fi
/start.py

6
gen.sh Executable file
View File

@ -0,0 +1,6 @@
secret="screw\$naval5seem!herb" && \
time=$(date +%s) && \
expiry=8400 && \
username=$(( $time + $expiry )) &&\
echo username:$username && \
echo password : $(echo -n $username | openssl dgst -binary -sha1 -hmac $secret | openssl base64)

278
homeserver.yaml.tmpl
View File

@ -1,278 +0,0 @@
# All configuration options are documented on the following link:
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
{{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#modules-1
modules:
- module: shared_secret_authenticator.SharedSecretAuthProvider
config:
shared_secret: {{ secret "shared_secret_auth" }}
m_login_password_support_enabled: true
{{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#server_name
server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#public_baseurl
public_baseurl: https://{{ env "DOMAIN" }}/
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown
serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_without_auth
allow_public_rooms_without_auth: false
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_over_federation
allow_public_rooms_over_federation: {{ or (env "ALLOW_PUBLIC_ROOMS_FEDERATION") "true" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#listeners
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
{{ if eq (env "DISABLE_FEDERATION") "1" }}
resources:
{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
- names: [client, openid]
compress: true
{{ else }}
- names: [client]
compress: true
{{ end }}
{{ else }}
resources:
{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
- names: [client, openid, federation]
compress: true
{{ else }}
- names: [client, federation]
compress: true
{{ end }}
{{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact
admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}'
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_remote_rooms
limit_remote_rooms:
enabled: true
complexity: 200.0
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_avatar_size
max_avatar_size: 10M
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#forgotten_room_retention_period
forgotten_room_retention_period: 3d
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#request_token_inhibit_3pid_errors
request_token_inhibit_3pid_errors: true
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#redaction_retention_period
redaction_retention_period: {{ env "REDACTION_RETENTION_PERIOD" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_ips_max_age
user_ips_max_age: {{ env "USER_IPS_MAX_AGE" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#retention
retention:
enabled: true
default_policy:
min_lifetime: 1d
max_lifetime: {{ env "RETENTION_MAX_LIFETIME" }}
allowed_lifetime_min: 1d
allowed_lifetime_max: {{ env "ALLOWED_LIFETIME_MAX" }}
purge_jobs:
- longest_max_lifetime: 3d
interval: 12h
- shortest_max_lifetime: 3d
interval: 1d
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist
{{ if eq (env "DISABLE_FEDERATION") "1" }}
federation_domain_whitelist: []
{{ else if eq (env "ENABLE_ALLOWLIST") "1" }}
federation_domain_whitelist: {{ env "FEDERATION_ALLOWLIST" }}
{{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#database-1
database:
name: psycopg2
txn_limit: 10000
args:
user: synapse
password: "{{ secret "db_password" }}"
database: synapse
host: "{{ env "STACK_NAME" }}_db"
port: 5432
cp_min: 5
cp_max: 10
keepalives_idle: 10
keepalives_interval: 10
keepalives_count: 3
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#log_config
log_config: "/data/log.config"
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_store_path
media_store_path: "/data/media_store"
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_upload_size
max_upload_size: 50M
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#turn
{{ if eq (env "TURN_ENABLED") "1" }}
turn_uris: {{ env "TURN_URIS" }}
turn_shared_secret: "{{ secret "turn_shared_secret" }}"
turn_user_lifetime: 1h
turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
{{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration
enable_registration: {{ env "ENABLE_REGISTRATION" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup
enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_guest_access
allow_guest_access: false
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_shared_secret
registration_shared_secret: {{ secret "registration" }}
{{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#auto_join_rooms
auto_join_rooms:
- "{{ env "AUTO_JOIN_ROOM" }}"
{{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#report_stats
report_stats: false
{{ if eq (env "APP_SERVICES_ENABLED") "1" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files
app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }}
{{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#macaroon_secret_key
macaroon_secret_key: "{{ secret "macaroon" }}"
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#form_secret
form_secret: "{{ secret "form_secret" }}"
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#signing_key_path
signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers
{{ if eq (env "ENABLE_ALLOWLIST") "1" }}
trusted_key_servers: [] # NOTE(d1): defaults to requesting server directly, which matches FEDERATION_ALLOWLIST
{{ else }}
trusted_key_servers:
- server_name: "matrix.org"
{{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#oidc_providers
{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
oidc_providers:
- idp_id: {{ env "KEYCLOAK_ID" }}
idp_name: {{ env "KEYCLOAK_NAME" }}
issuer: "{{ env "KEYCLOAK_URL" }}"
client_id: "{{ env "KEYCLOAK_CLIENT_ID" }}"
client_secret: "{{ secret "keycloak_client_secret" }}"
scopes: ["openid", "profile"]
allow_existing_users: {{ env "KEYCLOAK_ALLOW_EXISTING_USERS" }}
user_mapping_provider:
config:
localpart_template: "{{ "{{ user.preferred_username }}" }}"
display_name_template: "{{ "{{ user.name }}" }}"
{{ if eq (env "KEYCLOAK2_ENABLED") "1" }}
- idp_id: {{ env "KEYCLOAK2_ID" }}
idp_name: {{ env "KEYCLOAK2_NAME" }}
issuer: "{{ env "KEYCLOAK2_URL" }}"
client_id: "{{ env "KEYCLOAK2_CLIENT_ID" }}"
client_secret: "{{ secret "keycloak2_client_secret" }}"
scopes: ["openid", "profile"]
allow_existing_users: {{ env "KEYCLOAK2_ALLOW_EXISTING_USERS" }}
user_mapping_provider:
config:
localpart_template: "{{ "{{ user.preferred_username }}" }}"
display_name_template: "{{ "{{ user.name }}" }}"
{{ end }}
{{ if eq (env "KEYCLOAK3_ENABLED") "1" }}
- idp_id: {{ env "KEYCLOAK3_ID" }}
idp_name: {{ env "KEYCLOAK3_NAME" }}
issuer: "{{ env "KEYCLOAK3_URL" }}"
client_id: "{{ env "KEYCLOAK3_CLIENT_ID" }}"
client_secret: "{{ secret "keycloak3_client_secret" }}"
scopes: ["openid", "profile"]
allow_existing_users: {{ env "KEYCLOAK3_ALLOW_EXISTING_USERS" }}
user_mapping_provider:
config:
localpart_template: "{{ "{{ user.preferred_username }}" }}"
display_name_template: "{{ "{{ user.name }}" }}"
{{ end }}
{{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#sso
{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
sso:
client_whitelist:
- https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}
{{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config
password_config:
enabled: {{ env "PASSWORD_LOGIN_ENABLED" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email
{{ if eq (env "SMTP_ENABLED") "1" }}
email:
smtp_host: {{ env "SMTP_HOST" }}
smtp_port: {{ env "SMTP_PORT" }}
smtp_user: {{ env "SMTP_USER" }}
smtp_pass: "{{ secret "smtp_password" }}"
require_transport_security: true
notif_from: Your Friendly %(app)s homeserver <{{ env "SMTP_FROM" }}>
app_name: {{ env "SMTP_APP_NAME" }}
enable_notifs: true
client_base_url: https://{{ env "DOMAIN" }}
{{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#encryption_enabled_by_default_for_room_type
encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory
user_directory:
enabled: true
search_all_users: true
prefer_local_users: true
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention
media_retention:
local_media_lifetime: {{ env "MEDIA_RETENTION_LOCAL_LIFETIME" }}
remote_media_lifetime: {{ env "MEDIA_RETENTION_REMOTE_LIFETIME" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_metrics
enable_metrics: false
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#track_appservice_user_ips
track_appservice_user_ips: false
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#forget_rooms_on_leave
forget_rooms_on_leave: true
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#opentracing-1
opentracing:
enabled: false
# https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html#ratelimiting
rc_login:
address:
per_second: {{ env "LOGIN_LIMIT_IP_PER_SECOND" }}
burst_count: {{ env "LOGIN_LIMIT_IP_BURST" }}
account:
per_second: {{ env "LOGIN_LIMIT_ACCOUNT_PER_SECOND" }}
burst_count: {{ env "LOGIN_LIMIT_ACCOUNT_BURST" }}

20
log.config.tmpl
View File

@ -1,20 +0,0 @@
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
handlers:
console:
class: logging.StreamHandler
formatter: precise
loggers:
synapse.storage.SQL:
level: {{ env "SQL_LOG_LEVEL" }}
root:
level: {{ env "ROOT_LOG_LEVEL" }}
handlers: [console]
disable_existing_loggers: false

31
nginx.conf.tmpl
View File

@ -1,31 +0,0 @@
user www-data;
events {
worker_connections 768;
}
http {
server {
listen 80;
access_log {{ or (env "NGINX_ACCESS_LOG_LOCATION") "/dev/null" }};
error_log {{ or (env "NGINX_ERROR_LOG_LOCATION") "/dev/null" }};
server_name {{ env "DOMAIN" }};
location ~* ^(\/_matrix|\/_synapse\/client) {
proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
location /.well-known/matrix/ {
root /var/www/;
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
}
}

6
release/1.3.0+v1.55.2
View File

@ -1,6 +0,0 @@
The deployment failed due to the app/db getting confused. I think this is just
due to the recipe not having good healthcheck config. After the app container
flapped a bit, everything came up nicely. d1 @ autonomic co-op.
Same thing happened to me when deploying this for another instance. Also d1 @
autonomic co-op.

9
release/2.0.0+v1.58.1
View File

@ -1,9 +0,0 @@
This upgrade adds new env variables for homeserver.yml, please add them to your .env file:
```
ENCRYPTED_BY_DEFAULT=all
SERVE_SERVER_WELLKNOWN=false
#KEYCLOAK_ID=keycloak
#KEYCLOAK_ALLOW_EXISTING_USERS=false
```

9
release/2.1.0+v1.62.0
View File

@ -1,9 +0,0 @@
If you're using the horrendous `compose.keycloak2.yml` (as creator of this
horrible hack, I am allowed to call it horrendous ;)), you will need to
re-check the new ~/.abra/recipes/matrix-synapse/.env.sample, there are some new
default env vars which you'll have to add in (e.g. KEYCLOAK2_ID=...).
You'll also need to add `KEYCLOAK_ID=keycloak` if using `compose.keycloak.yml`,
it isn't vendored any more.
@decentral1se

17
release/3.0.0+v1.74.0
View File

@ -1,17 +0,0 @@
WARNING: There are a lot of config breaking changes in this one, watch out!
* KEYCLOAK2* env vars have gone away, they were experimental.
* TELEGRAM_BRIDGE_ADMIN* is replaced by TELEGRAM_BRIDGE_PERMISSIONS.
* SIGNAL_BRIDGE_ADMIN* is replaced by SIGNAL_BRIDGE_PERMISSIONS.
* The homeserver config has been trimmed, see coop-cloud/matrix-synapse#33 for more.
* Bridge logging is only ERROR level now to minimise leaking plaintext.
* It is possible to use SSO & federation env vars in combination now.
* Media retention is now configurable with #MEDIA_RETENTION_* env vars.
@decentral1se

10
release/4.0.0+v1.93.0
View File

@ -1,10 +0,0 @@
We had to rename some secrets: https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/35
Copy the secrets:
* `registration_shared_secret` to `registration`
* `macaroon_secret_key` to `macaroon`
The easiest way to do this is to run `abra app run <matrix.example.com> app bash` BEFORE this upgrade, then `cat /run/secrets/registration_shared_secret`. If you haven't saved the secrets yet, and would like to, please Ctrl+C out of this upgrade and do that first.
Regeneration of these secrets should also work.

1
release/5.0.0+v1.93.0
View File

@ -1 +0,0 @@
It's recommended not to upgrade / downgrade directly to this version (or other 5.y.z versions), because of service renaming which was reverted in 6.0.0+v1.100.0.

6
release/5.0.1+v1.93.0
View File

@ -1,6 +0,0 @@
Logging is now disabled by default. If you want to reënable it, set these options:
```
NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
NGINX_ERROR_LOG_LOCATION="/dev/stderr"
```

1
release/6.0.0+v1.100.0
View File

@ -1 +0,0 @@
If you are upgrading from verison 5.y.z of this recipe, you will need to `undeploy` then `deploy`, because of a service rename which was reverted.

123
shared_secret_authenticator.py
View File

@ -1,123 +0,0 @@
# -*- coding: utf-8 -*-
#
# Shared Secret Authenticator module for Matrix Synapse
# Copyright (C) 2018 Slavi Pantaleev
#
# https://devture.com/
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
from typing import Awaitable, Callable, Optional, Tuple
import hashlib
import hmac
import logging
import synapse
from synapse import module_api
logger = logging.getLogger(__name__)
class SharedSecretAuthProvider:
def __init__(self, config: dict, api: module_api):
for k in ('shared_secret',):
if k not in config:
raise KeyError('Required `{0}` configuration key not found'.format(k))
m_login_password_support_enabled = bool(config['m_login_password_support_enabled']) if 'm_login_password_support_enabled' in config else False
com_devture_shared_secret_auth_support_enabled = bool(config['com_devture_shared_secret_auth_support_enabled']) if 'com_devture_shared_secret_auth_support_enabled' in config else True
self.api = api
self.shared_secret = config['shared_secret']
auth_checkers: Optional[Dict[Tuple[str, Tuple], CHECK_AUTH_CALLBACK]] = {}
if com_devture_shared_secret_auth_support_enabled:
auth_checkers[("com.devture.shared_secret_auth", ("token",))] = self.check_com_devture_shared_secret_auth
if m_login_password_support_enabled:
auth_checkers[("m.login.password", ("password",))] = self.check_m_login_password
enabled_login_types = [k[0] for k in auth_checkers]
if len(enabled_login_types) == 0:
raise RuntimeError('At least one login type must be enabled')
logger.info('Enabled login types: %s', enabled_login_types)
api.register_password_auth_provider_callbacks(
auth_checkers=auth_checkers,
)
async def check_com_devture_shared_secret_auth(
self,
username: str,
login_type: str,
login_dict: "synapse.module_api.JsonDict",
) -> Optional[
Tuple[
str,
Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
]
]:
if login_type != "com.devture.shared_secret_auth":
return None
return await self._log_in_username_with_token("com.devture.shared_secret_auth", username, login_dict.get("token"))
async def check_m_login_password(
self,
username: str,
login_type: str,
login_dict: "synapse.module_api.JsonDict",
) -> Optional[
Tuple[
str,
Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
]
]:
if login_type != "m.login.password":
return None
return await self._log_in_username_with_token("m.login.password", username, login_dict.get("password"))
async def _log_in_username_with_token(
self,
login_type: str,
username: str,
token: str,
) -> Optional[
Tuple[
str,
Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
]
]:
logger.info('Authenticating user `%s` with login type `%s`', username, login_type)
full_user_id = self.api.get_qualified_user_id(username)
# The password (token) is supposed to be an HMAC of the full user id, keyed with the shared secret.
given_hmac = token.encode('utf-8')
h = hmac.new(self.shared_secret.encode('utf-8'), full_user_id.encode('utf-8'), hashlib.sha512)
computed_hmac = h.hexdigest().encode('utf-8')
if not hmac.compare_digest(computed_hmac, given_hmac):
logger.info('Bad hmac value for user: %s', full_user_id)
return None
user_info = await self.api.get_userinfo_by_id(full_user_id)
if user_info is None:
logger.info('Refusing to authenticate missing user: %s', full_user_id)
return None
logger.info('Authenticated user: %s', full_user_id)
return full_user_id, None

324
signal_bridge.yaml.tmpl
View File

@ -1,324 +0,0 @@
# Homeserver details
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: {{ env "HOMESERVER_URL" }}
# The domain of the homeserver (for MXIDs, etc).
domain: {{ env "HOMESERVER_DOMAIN" }}
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: {{ env "VERIFY_SSL" }}
# What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# Number of retries for all HTTP requests if the homeserver isn't reachable.
http_retry_count: 4
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# Maximum number of simultaneous HTTP connections to the homeserver.
connection_limit: 100
# Whether asynchronous uploads via MSC2246 should be enabled for media.
# Requires a media repo that supports MSC2246.
async_media: false
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://signalbridge:29328
# When using https:// the TLS certificate and key files for the address.
tls_cert: false
tls_key: false
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29328
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are supported.
# However, SQLite support is extremely experimental and should not be used.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgres://username:password@hostname/dbname
database: postgres://signalbridge:{{ secret "signal_db_password" }}@signaldb/signalbridge
# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
# Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs).
database_opts:
min_size: 1
max_size: 10
# The unique ID of this appservice.
id: signal
# Username of the appservice bot.
bot_username: signalbot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: Signal bridge bot
bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: true
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: "{{ secret "signal_as_token" }}"
hs_token: "{{ secret "signal_hs_token" }}"
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
listen_port: 8000
# Manhole config.
manhole:
# Whether or not opening the manhole is allowed.
enabled: false
# The path for the unix socket.
path: /var/tmp/mautrix-signal.manhole
# The list of UIDs who can be added to the whitelist.
# If empty, any UIDs can be specified in the open-manhole command.
whitelist:
- 0
signal:
# Path to signald unix socket
socket_path: /signald/signald.sock
# Directory for temp files when sending files to Signal. This should be an
# absolute path that signald can read. For attachments in the other direction,
# make sure signald is configured to use an absolute path as the data directory.
outgoing_attachment_dir: /signald/attachments
# Directory where signald stores avatars for groups.
avatar_dir: /signald/avatars
# Directory where signald stores auth data. Used to delete data when logging out.
data_dir: /signald/data
# Whether or not unknown signald accounts should be deleted when the bridge is started.
# When this is enabled, any UserInUse errors should be resolved by restarting the bridge.
delete_unknown_accounts_on_start: false
# Whether or not message attachments should be removed from disk after they're bridged.
remove_file_after_handling: true
# Whether or not users can register a primary device
registration_enabled: true
# Whether or not to enable disappearing messages in groups. If enabled, then the expiration
# time of the messages will be determined by the first users to read the message, rather
# than individually. If the bridge has a single user, this can be turned on safely.
enable_disappearing_messages_in_groups: false
# Bridge config
bridge:
# Localpart template of MXIDs for Signal users.
# {userid} is replaced with an identifier for the Signal user.
username_template: "signal_{userid}"
# Displayname template for Signal users.
# {displayname} is replaced with the displayname of the Signal user, which is the first
# available variable in displayname_preference. The variables in displayname_preference
# can also be used here directly.
displayname_template: "{displayname} (Signal)"
# Whether or not contact list displaynames should be used.
# Possible values: disallow, allow, prefer
#
# Multi-user instances are recommended to disallow contact list names, as otherwise there can
# be conflicts between names from different users' contact lists.
contact_list_names: disallow
# Available variables: full_name, first_name, last_name, phone, uuid
displayname_preference:
- full_name
- phone
# Whether or not to create portals for all groups on login/connect.
autocreate_group_portal: true
# Whether or not to create portals for all contacts on login/connect.
autocreate_contact_portal: false
# Whether or not to make portals of Signal groups in which joining via invite link does
# not need to be approved by an administrator publicly joinable on Matrix.
public_portals: false
# Whether or not to use /sync to get read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: false
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
double_puppet_server_map:
{{ env "HOMESERVER_DOMAIN" }}: {{ env "HOMESERVER_URL" }}
# Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, custom puppets will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
# If using this for other servers than the bridge's server,
# you must also set the URL in the double_puppet_server_map.
login_shared_secret_map:
{{ env "HOMESERVER_DOMAIN" }}: {{ secret "shared_secret_auth" }}
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: true
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: {{ env "SIGNAL_ENABLE_ENCRYPTION" }}
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
appservice: false
# Require encryption, drop any unencrypted messages.
require: false
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: false
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
receive: unverified
# Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# Options for Megolm room key rotation. These options allow you to
# configure the m.room.encryption event content. See:
# https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# more information about that event.
rotation:
# Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is
# set.
enable_custom: false
# The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# Whether or not to explicitly set the avatar and room name for private
# chat portal rooms. This will be implicitly enabled if encryption.default is true.
private_chat_portal_meta: false
# Whether or not the bridge should send a read receipt from the bridge bot when a message has
# been sent to Signal. This let's you check manually whether the bridge is receiving your
# messages.
# Note that this is not related to Signal delivery receipts.
delivery_receipts: false
# Whether or not delivery errors should be reported as messages in the Matrix room.
delivery_error_reports: true
# Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it,
# except if the config file is not writable.
resend_bridge_info: false
# Interval at which to resync contacts (in seconds).
periodic_sync: 0
# Should leaving the room on Matrix make the user leave on Signal?
bridge_matrix_leave: true
# Provisioning API part of the web server for automated portal creation and fetching information.
# Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
provisioning:
# Whether or not the provisioning API should be enabled.
enabled: true
# The prefix to use in the provisioning API endpoints.
prefix: /_matrix/provision
# The shared secret to authorize users of the API.
# Set to "generate" to generate and save a new token.
shared_secret: generate
# Segment API key to enable analytics tracking for web server
# endpoints. Set to null to disable.
# Currently the only events are login start, QR code scan, and login
# success/failure.
segment_key: null
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!signal"
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: "Hello, I'm a Signal bridge bot."
# Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help or `link` to log in."
# Optional extra text sent when joining a management room.
additional_help: ""
# Send each message separately (for readability in some clients)
management_room_multiple_messages: false
# Permissions for using the bridge.
# Permitted values:
# relay - Allowed to be relayed through the bridge, no access to commands.
# user - Use the bridge with puppeting.
# admin - Use and administrate the bridge.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions: {{ env "SIGNAL_BRIDGE_PERMISSIONS" }}
relay:
# Whether relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
# authenticated user into a relaybot for that chat.
enabled: false
# The formats to use when sending messages to Signal via a relay user.
#
# Available variables:
# $sender_displayname - The display name of the sender (e.g. Example User)
# $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
# $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
# $message - The message content
message_formats:
m.text: '$sender_displayname: $message'
m.notice: '$sender_displayname: $message'
m.emote: '* $sender_displayname $message'
m.file: '$sender_displayname sent a file'
m.image: '$sender_displayname sent an image'
m.audio: '$sender_displayname sent an audio file'
m.video: '$sender_displayname sent a video'
m.location: '$sender_displayname sent a location'
# Specify a dedicated relay account. Must be a regular matrix account logged into this bridge
# and double puppeting working to auto-accept invites. When this user is invited to a room
# it will automatically be set as the relay user. May be overridden with `set-relay` or `unset-relay`
relaybot: '@relaybot:example.com'
# Format for generting URLs from location messages for sending to Signal
# Google Maps: 'https://www.google.com/maps/place/{lat},{long}'
# OpenStreepMap: 'https://www.openstreetmap.org/?mlat={lat}&mlon={long}'
location_format: 'https://www.google.com/maps/place/{lat},{long}'
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): mautrix_signal.util.ColorFormatter
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
normal:
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
handlers:
console:
class: logging.StreamHandler
formatter: colored
loggers:
mau:
level: ERROR
aiohttp:
level: ERROR
root:
level: ERROR
handlers: [console]

544
telegram_bridge.yaml.tmpl
View File

@ -1,544 +0,0 @@
# Homeserver details
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: {{ env "HOMESERVER_URL" }}
# The domain of the homeserver (for MXIDs, etc).
domain: {{ env "HOMESERVER_DOMAIN" }}
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: {{ env "VERIFY_SSL" }}
asmux: false
# Number of retries for all HTTP requests if the homeserver isn't reachable.
http_retry_count: 4
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# Whether asynchronous uploads via MSC2246 should be enabled for media.
# Requires a media repo that supports MSC2246.
async_media: false
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://telegrambridge:29317
# When using https:// the TLS certificate and key files for the address.
tls_cert: false
tls_key: false
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29317
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are supported.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgres://username:password@hostname/dbname
database: postgres://telegrambridge:{{ secret "telegram_db_password" }}@telegramdb/telegrambridge
# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
database_opts:
min_size: 1
max_size: 10
# Public part of web server for out-of-Matrix interaction with the bridge.
# Used for things like login if the user wants to make sure the 2FA password isn't stored in
# the HS database.
public:
# Whether or not the public-facing endpoints should be enabled.
enabled: false
# The prefix to use in the public-facing endpoints.
prefix: /public
# The base URL where the public-facing endpoints are available. The prefix is not added
# implicitly.
external: https://example.com/public
# Provisioning API part of the web server for automated portal creation and fetching information.
# Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
provisioning:
# Whether or not the provisioning API should be enabled.
enabled: false
# The prefix to use in the provisioning API endpoints.
prefix: /_matrix/provision
# The shared secret to authorize users of the API.
# Set to "generate" to generate and save a new token.
shared_secret: generate
# The unique ID of this appservice.
id: {{ env "APP_SERVICE_ID" }}
# Username of the appservice bot.
bot_username: {{ env "APP_SERVICE_BOT_USERNAME" }}
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: {{ env "APP_SERVICE_DISPLAY_NAME" }}
bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: false
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: "{{ secret "telegram_as_token" }}"
hs_token: "{{ secret "telegram_hs_token" }}"
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
listen_port: 8000
# Manhole config.
manhole:
# Whether or not opening the manhole is allowed.
enabled: false
# The path for the unix socket.
path: /var/tmp/mautrix-telegram.manhole
# The list of UIDs who can be added to the whitelist.
# If empty, any UIDs can be specified in the open-manhole command.
whitelist:
- 0
# Bridge config
bridge:
# Localpart template of MXIDs for Telegram users.
# {userid} is replaced with the user ID of the Telegram user.
username_template: "telegram_{userid}"
# Localpart template of room aliases for Telegram portal rooms.
# {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
alias_template: "telegram_{groupname}"
# Displayname template for Telegram users.
# {displayname} is replaced with the display name of the Telegram user.
displayname_template: "{displayname} (Telegram)"
# Set the preferred order of user identifiers which to use in the Matrix puppet display name.
# In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
# ID is used.
#
# If the bridge is working properly, a phone number or an username should always be known, but
# the other one can very well be empty.
#
# Valid keys:
# "full name" (First and/or last name)
# "full name reversed" (Last and/or first name)
# "first name"
# "last name"
# "username"
# "phone number"
displayname_preference:
- full name
- username
- phone number
# Maximum length of displayname
displayname_max_length: 100
# Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
# as there's no way to determine whether an avatar is removed or just hidden from some users. If
# you're on a single-user instance, this should be safe to enable.
allow_avatar_remove: false
# Maximum number of members to sync per portal when starting up. Other members will be
# synced when they send messages. The maximum is 10000, after which the Telegram server
# will not send any more members.
# -1 means no limit (which means it's limited to 10000 by the server)
max_initial_member_sync: 100
# Whether or not to sync the member list in channels.
# If no channel admins have logged into the bridge, the bridge won't be able to sync the member
# list regardless of this setting.
sync_channel_members: {{ env "TELEGRAM_SYNC_CHANNEL_MEMBERS" }}
# Whether or not to skip deleted members when syncing members.
skip_deleted_members: true
# Whether or not to automatically synchronize contacts and chats of Matrix users logged into
# their Telegram account at startup.
startup_sync: true
# Number of most recently active dialogs to check when syncing chats.
# Set to 0 to remove limit.
sync_update_limit: 0
# Number of most recently active dialogs to create portals for when syncing chats.
# Set to 0 to remove limit.
sync_create_limit: 30
# Whether or not to sync and create portals for direct chats at startup.
sync_direct_chats: false
# The maximum number of simultaneous Telegram deletions to handle.
# A large number of simultaneous redactions could put strain on your homeserver.
max_telegram_delete: 10
# Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
# at startup and when creating a bridge.
sync_matrix_state: true
# Allow logging in within Matrix. If false, users can only log in using login-qr or the
# out-of-Matrix login website (see appservice.public config section)
allow_matrix_login: true
# Whether or not to bridge plaintext highlights.
# Only enable this if your displayname_template has some static part that the bridge can use to
# reliably identify what is a plaintext highlight.
plaintext_highlights: false
# Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
public_portals: true
# Whether or not to use /sync to get presence, read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: true
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Servers to always allow double puppeting from
double_puppet_server_map:
{{ env "HOMESERVER_DOMAIN" }}: {{ env "HOMESERVER_URL" }}
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, custom puppets will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
# If using this for other servers than the bridge's server,
# you must also set the URL in the double_puppet_server_map.
login_shared_secret_map:
{{ env "HOMESERVER_DOMAIN" }}: {{ secret "shared_secret_auth" }}
# Set to false to disable link previews in messages sent to Telegram.
telegram_link_preview: true
# Whether or not the !tg join command should do a HTTP request
# to resolve redirects in invite links.
invite_link_resolve: false
# Use inline images instead of a separate message for the caption.
# N.B. Inline images are not supported on all clients (e.g. Element iOS/Android).
inline_images: false
# Maximum size of image in megabytes before sending to Telegram as a document.
image_as_file_size: 10
# Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 1280x1280 = 1638400.
image_as_file_pixels: 1638400
# Enable experimental parallel file transfer, which makes uploads/downloads much faster by
# streaming from/to Matrix and using many connections for Telegram.
# Note that generating HQ thumbnails for videos is not possible with streamed transfers.
# This option uses internal Telethon implementation details and may break with minor updates.
parallel_file_transfer: false
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: true
# Settings for converting animated stickers.
animated_sticker:
# Format to which animated stickers should be converted.
# disable - No conversion, send as-is (gzipped lottie)
# png - converts to non-animated png (fastest),
# gif - converts to animated gif
# webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
target: gif
# Arguments for converter. All converters take width and height.
args:
width: 256
height: 256
fps: 25 # only for webm and gif (2, 5, 10, 20 or 25 recommended)
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: {{ env "ENABLE_ENCRYPTION" }}
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# Database for the encryption data. If set to `default`, will use the appservice database.
database: default
# Options for automatic key sharing.
key_sharing:
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow: false
# Require the requesting device to have a valid cross-signing signature?
# This doesn't require that the bridge has verified the device, only that the user has verified it.
# Not yet implemented.
require_cross_signing: false
# Require devices to be verified by the bridge?
# Verification by the bridge is not yet implemented.
require_verification: false
# Whether or not to explicitly set the avatar and room name for private
# chat portal rooms. This will be implicitly enabled if encryption.default is true.
private_chat_portal_meta: false
# Whether or not the bridge should send a read receipt from the bridge bot when a message has
# been sent to Telegram.
delivery_receipts: false
# Whether or not delivery errors should be reported as messages in the Matrix room.
delivery_error_reports: false
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it,
# except if the config file is not writable.
resend_bridge_info: false
# When using double puppeting, should muted chats be muted in Matrix?
mute_bridging: false
# When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
# The favorites tag is `m.favourite`.
pinned_tag: null
# Same as above for archived chats, the low priority tag is `m.lowpriority`.
archive_tag: null
# Whether or not mute status and tags should only be bridged when the portal room is created.
tag_only_on_create: true
# Should leaving the room on Matrix make the user leave on Telegram?
bridge_matrix_leave: true
# Should the user be kicked out of all portals when logging out of the bridge?
kick_on_logout: true
# Should the "* user joined Telegram" notice always be marked as read automatically?
always_read_joined_telegram_notice: true
# Settings for backfilling messages from Telegram.
backfill:
# Whether or not the Telegram ghosts of logged in Matrix users should be
# invited to private chats when backfilling history from Telegram. This is
# usually needed to prevent rate limits and to allow timestamp massaging.
invite_own_puppet: true
# Maximum number of messages to backfill without using a takeout.
# The first time a takeout is used, the user has to manually approve it from a different
# device. If initial_limit or missed_limit are higher than this value, the bridge will ask
# the user to accept the takeout after logging in before syncing any chats.
takeout_limit: 100
# Maximum number of messages to backfill initially.
# Set to 0 to disable backfilling when creating portal, or -1 to disable the limit.
#
# N.B. Initial backfill will only start after member sync. Make sure your
# max_initial_member_sync is set to a low enough value so it doesn't take forever.
initial_limit: 0
# Maximum number of messages to backfill if messages were missed while the bridge was
# disconnected. Note that this only works for logged in users and only if the chat isn't
# older than sync_update_limit
# Set to 0 to disable backfilling missed messages.
missed_limit: 50
# If using double puppeting, should notifications be disabled
# while the initial backfill is in progress?
disable_notifications: false
# Whether or not to enable backfilling in normal groups.
# Normal groups have numerous technical problems in Telegram, and backfilling normal groups
# will likely cause problems if there are multiple Matrix users in the group.
normal_groups: false
# Overrides for base power levels.
initial_power_level_overrides:
user: {}
group: {}
# Whether to bridge Telegram bot messages as m.notices or m.texts.
bot_messages_as_notices: true
bridge_notices:
# Whether or not Matrix bot messages (type m.notice) should be bridged.
default: false
# List of user IDs for whom the previous flag is flipped.
# e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
# notices from users listed here will be bridged.
exceptions: []
# An array of possible values for the $distinguisher variable in message formats.
# Each user gets one of the values here, based on a hash of their user ID.
# If the array is empty, the $distinguisher variable will also be empty.
relay_user_distinguishers: ["🟦", "🟣", "🟩", "⭕️", "🔶", "⬛️", "🔵", "🟢"]
# The formats to use when sending messages to Telegram via the relay bot.
# Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
#
# Available variables:
# $sender_displayname - The display name of the sender (e.g. Example User)
# $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
# $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
# $distinguisher - A random string from the options in the relay_user_distinguishers array.
# $message - The message content
message_formats:
m.text: "$distinguisher <b>$sender_displayname</b>: $message"
m.notice: "$distinguisher <b>$sender_displayname</b>: $message"
m.emote: "* $distinguisher <b>$sender_displayname</b> $message"
m.file: "$distinguisher <b>$sender_displayname</b> sent a file: $message"
m.image: "$distinguisher <b>$sender_displayname</b> sent an image: $message"
m.audio: "$distinguisher <b>$sender_displayname</b> sent an audio file: $message"
m.video: "$distinguisher <b>$sender_displayname</b> sent a video: $message"
m.location: "$distinguisher <b>$sender_displayname</b> sent a location: $message"
# Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
# users are sent to telegram. All fields in message_formats are supported. Additionally, the
# Telegram user info is available in the following variables:
# $displayname - Telegram displayname
# $username - Telegram username (may not exist)
# $mention - Telegram @username or displayname mention (depending on which exists)
emote_format: "* $mention $formatted_body"
# The formats to use when sending state events to Telegram via the relay bot.
#
# Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
# In name_change events, `$prev_displayname` is the previous displayname.
#
# Set format to an empty string to disable the messages for that event.
state_event_formats:
join: "$distinguisher <b>$displayname</b> joined the room."
leave: "$distinguisher <b>$displayname</b> left the room."
name_change: "$distinguisher <b>$prev_displayname</b> changed their name to $distinguisher <b>$displayname</b>"
# Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
# `filter-mode` management commands.
#
# Filters do not affect direct chats.
# An empty blacklist will essentially disable the filter.
filter:
# Filter mode to use. Either "blacklist" or "whitelist".
# If the mode is "blacklist", the listed chats will never be bridged.
# If the mode is "whitelist", only the listed chats can be bridged.
mode: blacklist
# The list of group/channel IDs to filter.
list: []
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!tg"
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: "Hello, I'm a Telegram bridge bot."
# Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help or `login` to log in."
# Optional extra text sent when joining a management room.
additional_help: ""
# Send each message separately (for readability in some clients)
management_room_multiple_messages: false
# Permissions for using the bridge.
# Permitted values:
# relaybot - Only use the bridge via the relaybot, no access to commands.
# user - Relaybot level + access to commands to create bridges.
# puppeting - User level + logging in with a Telegram account.
# full - Full access to use the bridge, i.e. previous levels + Matrix login.
# admin - Full access to use the bridge and some extra administration commands.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions: {{ env "TELEGRAM_BRIDGE_PERMISSIONS" }}
# Options related to the message relay Telegram bot.
relaybot:
private_chat:
# List of users to invite to the portal when someone starts a private chat with the bot.
# If empty, private chats with the bot won't create a portal.
invite: []
# Whether or not to bridge state change messages in relaybot private chats.
state_changes: true
# When private_chat_invite is empty, this message is sent to users /starting the
# relaybot. Telegram's "markdown" is supported.
message: This is a Matrix bridge relaybot and does not support direct chats
# List of users to invite to all group chat portals created by the bridge.
group_chat_invite: []
# Whether or not the relaybot should not bridge events in unbridged group chats.
# If false, portals will be created when the relaybot receives messages, just like normal
# users. This behavior is usually not desirable, as it interferes with manually bridging
# the chat to another room.
ignore_unbridged_group_chat: true
# Whether or not to allow creating portals from Telegram.
authless_portals: true
# Whether or not to allow Telegram group admins to use the bot commands.
whitelist_group_admins: true
# Whether or not to ignore incoming events sent by the relay bot.
ignore_own_incoming_events: true
# List of usernames/user IDs who are also allowed to use the bot commands.
whitelist:
- myusername
- 12345678
# Telegram config
telegram:
# Get your own API keys at https://my.telegram.org/apps
api_id: {{ env "TELEGRAM_APP_ID" }}
api_hash: {{ secret "telegram_api_hash" }}
# (Optional) Create your own bot at https://t.me/BotFather
bot_token: {{ secret "telegram_bot_token" }}
# Telethon connection options.
connection:
# The timeout in seconds to be used when connecting.
timeout: 120
# How many times the reconnection should retry, either on the initial connection or when
# Telegram disconnects us. May be set to a negative or null value for infinite retries, but
# this is not recommended, since the program can get stuck in an infinite loop.
retries: 5
# The delay in seconds to sleep between automatic reconnections.
retry_delay: 1
# The threshold below which the library should automatically sleep on flood wait errors
# (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
# is 20s, the library will sleep automatically. If the error was for 21s, it would raise
# the error instead. Values larger than a day (86400) will be changed to a day.
flood_sleep_threshold: 60
# How many times a request should be retried. Request are retried when Telegram is having
# internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
# there's a migrate error. May take a negative or null value for infinite retries, but this
# is not recommended, since some requests can always trigger a call fail (such as searching
# for messages).
request_retries: 5
# Device info sent to Telegram.
device_info:
# "auto" = OS name+version.
device_model: auto
# "auto" = Telethon version.
system_version: auto
# "auto" = mautrix-telegram version.
app_version: auto
lang_code: en
system_lang_code: en
# Custom server to connect to.
server:
# Set to true to use these server settings. If false, will automatically
# use production server assigned by Telegram. Set to false in production.
enabled: false
# The DC ID to connect to.
dc: 2
# The IP to connect to.
ip: 149.154.167.40
# The port to connect to. 443 may not work, 80 is better and both are equally secure.
port: 80
# Telethon proxy configuration.
# You must install PySocks from pip for proxies to work.
proxy:
# Allowed types: disabled, socks4, socks5, http, mtproxy
type: disabled
# Proxy IP address and port.
address: 127.0.0.1
port: 1080
# Whether or not to perform DNS resolving remotely. Only for socks/http proxies.
rdns: true
# Proxy authentication (optional). Put MTProxy secret in password field.
username: ""
password: ""
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): mautrix_telegram.util.ColorFormatter
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
normal:
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: normal
filename: /data/mautrix-telegram.log
maxBytes: 10485760
backupCount: 10
console:
class: logging.StreamHandler
formatter: colored
loggers:
mau:
level: ERROR
telethon:
level: ERROR
aiohttp:
level: ERROR
root:
level: ERROR
handlers: [file, console]

15
turnserver.conf.tmpl Normal file
View File

@ -0,0 +1,15 @@
use-auth-secret
static-auth-secret={{ secret "coturn_shared_secret" }}
realm=turn.{{ env "DOMAIN" }}
log-file=stdout
pidfile=/var/tmp/turnserver.pid
userdb=/var/tmp/turnserver.db
no-cli
no-tls
no-dtls
prod
no-tcp-relay

5
well_known_client.conf.tmpl
View File

@ -1,5 +0,0 @@
{
"m.homeserver": {
"base_url": "https://{{ env "DOMAIN" }}"
}
}

3
well_known_server.conf.tmpl
View File

@ -1,3 +0,0 @@
{
"m.server": "{{ env "DOMAIN" }}:443"
}