coop-cloud/matrix-synapse
coop-cloud/matrix-synapse
4
0
Fork 2
Code Issues 4 Pull Requests 1 Releases Wiki Activity

Compare commits

base: coop-cloud:main
Branches Tags
coop-cloud:main
coop-cloud:old-signing-key
coop-cloud:added-env-vars
coop-cloud:addtional-env-vars
coop-cloud:homeserver-config-updates
coop-cloud:backupbot
coop-cloud:serve_server_wellknown
coop-cloud:coturn
coop-cloud:6.6.3+v1.124.0
coop-cloud:6.6.2+v1.124.0
coop-cloud:6.6.1+v1.124.0
coop-cloud:6.6.0+v1.124.0
coop-cloud:6.5.0+v1.117.0
coop-cloud:6.4.0+v1.116.0
coop-cloud:6.3.0+v1.113.0
coop-cloud:6.2.0+v1.113.0
coop-cloud:6.1.4+v1.112.0
coop-cloud:6.1.3+v1.111.1
coop-cloud:6.1.2+v1.111.0
coop-cloud:6.1.1+v1.110.0
coop-cloud:6.1.0+v1.110.0
coop-cloud:5.0.6+v1.100.0
coop-cloud:6.0.2+v1.100.0
coop-cloud:6.0.1+v1.100.0
coop-cloud:6.0.0+v1.100.0
coop-cloud:5.0.5+v1.100.0
coop-cloud:5.0.5+1.25.3
coop-cloud:5.0.4+v1.100.0
coop-cloud:5.0.3+v1.100.0
coop-cloud:5.0.2+v1.93.0
coop-cloud:5.0.1+v1.93.0
coop-cloud:5.0.0+v1.93.0
coop-cloud:4.0.0+v1.93.0
coop-cloud:3.9.1+v1.87.0
coop-cloud:3.9.0+v1.87.0
coop-cloud:3.8.0+v1.84.1
coop-cloud:3.7.0+v1.82.0
coop-cloud:3.6.0+v1.81.0
coop-cloud:3.5.0+v1.81.0
coop-cloud:3.4.0+v1.80.0
coop-cloud:3.3.0+v1.78.0
coop-cloud:3.2.0+v1.77.0
coop-cloud:3.1.0+v1.76.0
coop-cloud:3.0.0+v1.74.0
coop-cloud:2.6.0+v1.74.0
coop-cloud:2.5.0+v1.73.0
coop-cloud:2.4.0+v1.72.0
coop-cloud:2.3.0+v1.71.0
coop-cloud:2.2.0+v1.68.0
coop-cloud:2.1.0+v1.62.0
coop-cloud:2.0.0+v1.58.1
coop-cloud:1.3.0+v1.55.2
coop-cloud:1.2.0+v1.52.0
coop-cloud:1.1.0+v1.51.0
coop-cloud:1.0.1+1.48.0
..
compare: coop-cloud:serve_server_wellknown
Branches Tags
coop-cloud:main
coop-cloud:old-signing-key
coop-cloud:added-env-vars
coop-cloud:addtional-env-vars
coop-cloud:homeserver-config-updates
coop-cloud:backupbot
coop-cloud:serve_server_wellknown
coop-cloud:coturn
coop-cloud:6.6.3+v1.124.0
coop-cloud:6.6.2+v1.124.0
coop-cloud:6.6.1+v1.124.0
coop-cloud:6.6.0+v1.124.0
coop-cloud:6.5.0+v1.117.0
coop-cloud:6.4.0+v1.116.0
coop-cloud:6.3.0+v1.113.0
coop-cloud:6.2.0+v1.113.0
coop-cloud:6.1.4+v1.112.0
coop-cloud:6.1.3+v1.111.1
coop-cloud:6.1.2+v1.111.0
coop-cloud:6.1.1+v1.110.0
coop-cloud:6.1.0+v1.110.0
coop-cloud:5.0.6+v1.100.0
coop-cloud:6.0.2+v1.100.0
coop-cloud:6.0.1+v1.100.0
coop-cloud:6.0.0+v1.100.0
coop-cloud:5.0.5+v1.100.0
coop-cloud:5.0.5+1.25.3
coop-cloud:5.0.4+v1.100.0
coop-cloud:5.0.3+v1.100.0
coop-cloud:5.0.2+v1.93.0
coop-cloud:5.0.1+v1.93.0
coop-cloud:5.0.0+v1.93.0
coop-cloud:4.0.0+v1.93.0
coop-cloud:3.9.1+v1.87.0
coop-cloud:3.9.0+v1.87.0
coop-cloud:3.8.0+v1.84.1
coop-cloud:3.7.0+v1.82.0
coop-cloud:3.6.0+v1.81.0
coop-cloud:3.5.0+v1.81.0
coop-cloud:3.4.0+v1.80.0
coop-cloud:3.3.0+v1.78.0
coop-cloud:3.2.0+v1.77.0
coop-cloud:3.1.0+v1.76.0
coop-cloud:3.0.0+v1.74.0
coop-cloud:2.6.0+v1.74.0
coop-cloud:2.5.0+v1.73.0
coop-cloud:2.4.0+v1.72.0
coop-cloud:2.3.0+v1.71.0
coop-cloud:2.2.0+v1.68.0
coop-cloud:2.1.0+v1.62.0
coop-cloud:2.0.0+v1.58.1
coop-cloud:1.3.0+v1.55.2
coop-cloud:1.2.0+v1.52.0
coop-cloud:1.1.0+v1.51.0
coop-cloud:1.0.1+1.48.0

No commits in common. "main" and "serve_server_wellknown" have entirely different histories.
main ... serve_serv

37 changed files with 2555 additions and 2349 deletions
Show Stats Expand all files Collapse all files

53
.drone.yml
View File

@ -1,53 +0,0 @@
---
kind: pipeline
name: deploy to swarm-test.autonomic.zone
steps:
- name: deployment
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
settings:
host: swarm-test.autonomic.zone
stack: matrix-synapse
generate_secrets: true
purge: true
deploy_key:
from_secret: drone_ssh_swarm_test
networks:
- proxy
environment:
DOMAIN: matrix-synapse.swarm-test.autonomic.zone
STACK_NAME: matrix-synapse
LETS_ENCRYPT_ENV: production
DISCORD_BRIDGE_YAML_VERSION: v2
ENTRYPOINT_CONF_VERSION: v3
HOMESERVER_YAML_VERSION: v29
LOG_CONFIG_VERSION: v2
SHARED_SECRET_AUTH_VERSION: v2
SIGNAL_BRIDGE_YAML_VERSION: v5
TELEGRAM_BRIDGE_YAML_VERSION: v6
PG_BACKUP_VERSION: v1
WK_CLIENT_VERSION: v1
WK_SERVER_VERSION: v1
NGINX_CONFIG_VERSION: v8
SECRET_DB_PASSWORD_VERSION: v1
SECRET_FORM_SECRET_VERSION: v1
SECRET_MACAROON_VERSION: v1
SECRET_REGISTRATION_VERSION: v1
trigger:
branch:
- main
---
kind: pipeline
name: generate recipe catalogue
steps:
- name: release a new version
image: plugins/downstream
settings:
server: https://build.coopcloud.tech
token:
from_secret: drone_abra-bot_token
fork: true
repositories:
- toolshed/auto-recipes-catalogue-json
trigger:
event: tag

170
.env.sample
View File

@ -1,60 +1,35 @@
TYPE=matrix-synapse
DOMAIN=matrix-synapse.example.com
# SERVER_NAME=example.com
TIMEOUT=300
ENABLE_AUTO_UPDATE=true
DOMAIN=matrix.example.com
LETS_ENCRYPT_ENV=production
COMPOSE_FILE="compose.yml"
# POST_DEPLOY_CMDS="db set_admin"
ENABLE_BACKUPS=true
## Admin details
ADMIN_EMAIL=admin@example.com
## Secrets
SECRET_DB_PASSWORD_VERSION=v1
SECRET_FORM_SECRET_VERSION=v1
SECRET_MACAROON_VERSION=v1
SECRET_REGISTRATION_VERSION=v1
## Federation
SYNAPSE_ADMIN_EMAIL=admin@example.com
SECRET_REGISTRATION_SHARED_SECRET_VERSION=v1
SECRET_MACAROON_SECRET_KEY_VERSION=v1
SECRET_FORM_SECRET_VERSION=v1
COMPOSE_FILE="compose.yml"
#DISABLE_FEDERATION=1
# Set "true" to enable federation endpoint on $DOMAIN/.well-known/matrix/server
SERVE_SERVER_WELLKNOWN=false
ALLOW_PUBLIC_ROOMS_FEDERATION=false
## Registration
SERVE_SERVER_WELLKNOWN=false
ENABLE_REGISTRATION=false
PASSWORD_LOGIN_ENABLED=true
# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
#REGISTRATION_REQUIRES_TOKEN=true
## Room auto-join
#AUTO_JOIN_ROOM_ENABLED=1
#AUTO_JOIN_ROOM="#example:example.com"
## Logging
# for the homserver
SQL_LOG_LEVEL=WARN
ROOT_LOG_LEVEL=WARN
# for nginx
NGINX_ACCESS_LOG_LOCATION="/dev/null"
NGINX_ERROR_LOG_LOCATION="/dev/null"
# Comment the previous two lines and uncomment these to enable logging
#NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
#NGINX_ERROR_LOG_LOCATION="/dev/stderr"
REDACTION_RETENTION_PERIOD=7d
## Privacy
RETENTION_MAX_LIFETIME=1m
ENABLE_3PID_LOOKUP=true
@ -65,72 +40,21 @@ ENCRYPTED_BY_DEFAULT=all
#ENABLE_ALLOWLIST=1
#FEDERATION_ALLOWLIST="[]"
# Set these to keyservers you trust - usually the same as your federation allowlist
#TRUSTED_KEYSERVERS="trusted_key_servers:\n - server_name: 'example.com'\n - server_name: 'example2.com'"
# some optional configs to increase privacy and security
#REQUIRE_AUTH_FOR_PROFILE_REQUESTS=true
#LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=true
#DELETE_STALE_DEVICES_AFTER=1y
#SESSION_LIFETIME=60d
#TRACK_PUPPETED_USER_IPS=true
## Retention
ALLOWED_LIFETIME_MAX=4w
REDACTION_RETENTION_PERIOD=7d
RETENTION_MAX_LIFETIME=4w
#MEDIA_RETENTION_LOCAL_LIFETIME=30d
#MEDIA_RETENTION_REMOTE_LIFETIME=14d
## Old Signing Key
#OLD_SIGNING_KEY_ID=a_OLDKEYID
#OLD_SIGNING_KEY=base64string
#OLD_SIGNING_KEY_EXPIRES=123456789123
## Ratelimit
#LOGIN_LIMIT_IP_PER_SECOND=5
#LOGIN_LIMIT_IP_BURST=15
#LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
#LOGIN_LIMIT_ACCOUNT_BURST=10
## Keycloak SSO
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
#COMPOSE_FILE="compose.yml:compose.keycloak.yml"
#KEYCLOAK_ENABLED=1
#KEYCLOAK_ID=keycloak
#KEYCLOAK_NAME=
#KEYCLOAK_URL=
#KEYCLOAK_CLIENT_ID=
#KEYCLOAK_CLIENT_DOMAIN=
#KEYCLOAK_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
## TURN
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
#KEYCLOAK3_ENABLED=1
#KEYCLOAK3_ID=keycloak3
#KEYCLOAK3_NAME=
#KEYCLOAK3_URL=
#KEYCLOAK3_CLIENT_ID=
#KEYCLOAK3_CLIENT_DOMAIN=
#KEYCLOAK3_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
#COMPOSE_FILE="$COMPOSE_FILE:compose.turn.yml"
#COMPOSE_FILE="compose.yml:compose.turn.yml"
#TURN_ENABLED=1
#TURN_URIS="[\"turns:coturn.foo.zone?transport=udp\", \"turns:coturn.foo.zone?transport=tcp\"]"
#TURN_ALLOW_GUESTS=true
#SECRET_TURN_SHARED_SECRET_VERSION=v1
## SMTP
#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
#COMPOSE_FILE="compose.yml:compose.smtp.yml"
#SMTP_ENABLED=1
#SMTP_APP_NAME=
#SMTP_FROM=
@ -138,67 +62,3 @@ RETENTION_MAX_LIFETIME=4w
#SMTP_PORT=
#SMTP_USER=
#SECRET_SMTP_PASSWORD_VERSION=v1
## USER-DIRECTORY
#USER_DIRECTORY_ENABLED=true
#USER_DIRECTORY_SEARCH_ALL_USERS=true
#USER_DIRECTORY_PREFER_LOCAL_USERS=true
#USER_DIRECTORY_SHOW_LOCKED_USERS=false
## App services
#APP_SERVICES_ENABLED=1
#APP_SERVICE_CONFIGS="[\"...\"]"
## Telegram bridge
#COMPOSE_FILE="$COMPOSE_FILE:compose.telegram.yml"
#APP_SERVICE_BOT_USERNAME=telegrambot
#APP_SERVICE_DISPLAY_NAME="Telegram bridge bot"
#APP_SERVICE_ID=
#HOMESERVER_DOMAIN=$DOMAIN
#HOMESERVER_URL=https://$DOMAIN
#VERIFY_SSL=false
#ENABLE_ENCRYPTION=true
#TELEGRAM_APP_ID=
#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\", \"@foo:matrix.example.com\": \"admin\" }"
#TELEGRAM_SYNC_CHANNEL_MEMBERS=true
#SECRET_TELEGRAM_DB_PASSWORD_VERSION=v1
#SECRET_TELEGRAM_API_HASH_VERSION=v1
#SECRET_TELEGRAM_BOT_TOKEN_VERSION=v1
#SECRET_TELEGRAM_AS_TOKEN_VERSION=v1
#SECRET_TELEGRAM_HS_TOKEN_VERSION=v1
## Discord bridge
#COMPOSE_FILE="$COMPOSE_FILE:compose.discord.yml"
#DISCORD_CLIENT_ID=
#DISCORD_BRIDGE_ADMIN=
#SECRET_DISCORD_BOT_TOKEN_VERSION=v1
#SECRET_DISCORD_DB_PASSWORD_VERSION=v1
## Signal bridge
#COMPOSE_FILE="$COMPOSE_FILE:compose.signal.yml"
#SIGNAL_ENABLE_ENCRYPTION=true
#SIGNAL_DEFAULT_ENCRYPTION=true
#SIGNAL_BRIDGE_PERMISSIONS="{ \"*\": \"relay\" }"
#SECRET_SIGNAL_AS_TOKEN_VERSION=v1
#SECRET_SIGNAL_DB_PASSWORD_VERSION=v1
#SECRET_SIGNAL_HS_TOKEN_VERSION=v1
#SECRET_SIGNAL_PICKLE_KEY_VERSION=v1
## Shared auth
#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
#SHARED_SECRET_AUTH_ENABLED=1
#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
## Web Client (Redirect)
#WEB_CLIENT_LOCATION=https://element-web.example.com
## Admin interface at /admin
#COMPOSE_FILE="$COMPOSE_FILE:compose.admin.yml"
#ADMIN_INTERFACE_ENABLED=1

160
README.md
View File

@ -18,130 +18,58 @@
1. Set up Docker Swarm and [`abra`](https://docs.coopcloud.tech/abra/)
2. Deploy [`coop-cloud/traefik`](https://git.coopcloud.tech/coop-cloud/traefik)
3. `abra app new matrix-synapse --secrets` (optionally with `--pass` if you'd like to save secrets in `pass`)
4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to your Docker swarm box
5. `abra app deploy YOURAPPDOMAIN`
6. Create an initial user: `abra app run YOURAPPDOMAIN app register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to your Docker swarm box
5. `abra app YOURAPPDOMAIN deploy`
6. Create an initial user: `abra app YOURAPPDOMAIN run app register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
## Tips & Tricks
### Create User
`register_new_matrix_user -u <username> -k $(cat /var/run/secrets/registration) -p <password>`
### Set Admin User
`abra app cmd YOURAPPDOMAIN db set_admin <adminuser>`
### Disabling federation
- Use `DISABLE_FEDERATION=1` to turn off federation listeners
- Don't use [`compose.matrix.yml`](https://git.coopcloud.tech/coop-cloud/traefik/src/branch/master/compose.matrix.yml) in your traefik config to keep the federation ports closed
> We're not sure this does it exactly and there is still a discussion running
> upstrem about whether this is the right way to do it & whether it could be
> more convenient. We welcome issues / change sets to close up more federation
> functionality.
### Enabling federation
- use `DISABLE_FEDERATION=1` to turn off federation listeners
- don't use [`compose.matrix.yml`](https://git.coopcloud.tech/coop-cloud/traefik/src/branch/master/compose.matrix.yml) in your traefik config to keep the federation ports closed
See [`#27`](https://git.coopcloud.tech/coop-cloud/matrix-synapse/pulls/27) for more. Depending on your setup, using `SERVE_SERVER_WELLKNOWN=true` might work to start federating. Make sure you don't leave `DISABLE_FEDERATION=1` set!
### Seeing what changed in `homeserver.yaml` between versions
Change the version range to suit your needs.
```
git clone https://github.com/matrix-org/synapse
cd synapse/docs
git log --follow -p v1.48.0..v1.51.0 sample_config.yaml
```
### Generating a new `homeserver.yaml`
The default is also available to see [here](https://matrix-org.github.io/synapse/latest/usage/configuration/homeserver_sample_config.html).
```
docker run -it \
--entrypoint="" \
-e SYNAPSE_SERVER_NAME=foo.com \
-e SYNAPSE_REPORT_STATS=no \
matrixdotorg/synapse:v1.48.0 \
sh -c '/start.py generate; cat /data/homeserver.yaml' > homeserver.yaml.tmpl`
```
### Generating a new `<server>.log.config`
```
docker run -it \
--entrypoint="" \
-e SYNAPSE_SERVER_NAME=foo.com \
-e SYNAPSE_REPORT_STATS=no \
matrixdotorg/synapse:v1.48.0 \
sh -c '/start.py generate; cat /data/foo.com.log.config' > log.config
```
### Getting client discovery on a custom domain
You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa/well-known-uris). This could be implemented in this recipe but we haven't merged it in yet. Change sets are welcome.
You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa/well-known-uris).
## Bridges
For all Bridges:
- Setting it up is a bit of a chicken/egg & chasing cats moment.
- Make sure to uncomment `APP_SERVICES_ENABLED`, `HOMESERVER_URL`, `HOMESERVER_DOMAIN`, `compose.shared_secret_auth.yml`, `SHARED_SECRET_AUTH_ENABLED` and `SECRET_SHARED_SECRET_AUTH_VERSION`
- include the registration in synapse, e.g. `APP_SERVICE_CONFIGS="[\"/telegram-data/registration.yaml\"]"`
- and set yourself as admin, e.g.: `TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\", \"@akadmin:example.com\": \"admin\"}"`
### Telegram bridging
You need to get your bot setup on the telegram side first by creating a [telegram app](https://my.telegram.org/apps) and a [telegram bot](https://docs.mau.fi/bridges/python/telegram/relay-bot.html#setup) and have these values:
```
api_id: ...
api_hash: ...
telegram_bot_token: ...
```
Experimental script for a automated token replacement:
```
DOMAIN=<domain>
abra app secret insert $DOMAIN telegram_api_hash v1 <secret>
abra app secret insert $DOMAIN telegram_bot_token v1 <secret>
abra app secret generate -a $DOMAIN
abra app deploy $DOMAIN
abra app cmd -l $DOMAIN set_bridge_tokens telegram
```
Alternatively a manual guide for the necessary steps:
```
DOMAIN=<domain>
abra app secret insert $DOMAIN telegram_api_hash v1 <secret>
abra app secret insert $DOMAIN telegram_bot_token v1 <secret>
abra app secret generate -a $DOMAIN
abra app deploy $DOMAIN
abra app run $DOMAIN telegrambridge cat /data/registration.yaml
abra app undeploy $DOMAIN
abra app secret rm $DOMAIN telegram_as_token
abra app secret insert $DOMAIN telegram_as_token v1 <secret>
abra app secret rm $DOMAIN telegram_hs_token
abra app secret insert $DOMAIN telegram_hs_token v1 <secret>
abra app deploy $DOMAIN
```
Some helpful documentation:
- [`docs.mau.fi`](https://docs.mau.fi/bridges/python/setup/docker.html?bridge=telegram)
- [`example-config.yaml`](https://mau.dev/mautrix/telegram/-/blob/master/mautrix_telegram/example-config.yaml)
### Discord bridging
> WIP docs
Just as messy as the Telegram bridging above! Rough guide:
- get a local copy of [`config.yaml`](https://github.com/matrix-org/matrix-appservice-discord/blob/develop/config/config.sample.yaml)
- fill it out with the values you need, all the discord token stuff, etc.
- run `mkdir -p data && cp config.yaml data/` then `docker run --rm -v data:/data halfshot/matrix-appservice-discord:v1.0.0 sh -c "cd /data && node /build/src/discordas.js -r -u "http://discordbridge:9005" -c config.yaml"`
- this generates the app service registration configuration you need to feed to the homeserver
- run secret generation for the `discord_db_password`, insert your `discord_bot_token`
- run `abra app cp <domain> discord-registration.yaml app:/discord-data` (it has to be called `discord-registration.yaml`)
- deploy the bridge & happy hacking
Some helpful documentation:
- [`matrix-org/matrix-appservice-discord` docs](https://github.com/matrix-org/matrix-appservice-discord#bridging-a-room)
- [`t2bot.io/discord`](https://t2bot.io/discord/)
### Signal bridging
Experimental script for a more automated token replacement:
```
DOMAIN=<domain>
abra app secret generate -a $DOMAIN
abra app deploy $DOMAIN
abra app cmd -l $DOMAIN set_bridge_tokens signal
```
Alternatively a manual guide for the necessary steps:
```
DOMAIN=<domain>
abra app secret insert $DOMAIN signal_hs_token v1 foo
abra app secret insert $DOMAIN signal_as_token v1 foo
abra app secret generate $DOMAIN -a
abra app deploy $DOMAIN
abra app run $DOMAIN signalbridge cat /data/registration.yaml
abra app secret rm $DOMAIN signal_as_token
abra app secret insert $DOMAIN signal_as_token v1 <secret>
abra app secret rm $DOMAIN signal_hs_token
abra app secret insert $DOMAIN signal_hs_token v1 <secret>
abra app deploy $DOMAIN
```
- message `@signalbot:example.com` to test
- See the [docs](https://docs.mau.fi/bridges/go/signal/authentication.html) for authentication
This could be implemented in this recipe but we haven't merged it in yet. Chang sets are welcome.

55
abra.sh
View File

@ -1,54 +1,3 @@
export DISCORD_BRIDGE_YAML_VERSION=v2
export ENTRYPOINT_CONF_VERSION=v3
export HOMESERVER_YAML_VERSION=v32
export ENTRYPOINT_CONF_VERSION=v1
export HOMESERVER_YAML_VERSION=v8
export LOG_CONFIG_VERSION=v2
export SHARED_SECRET_AUTH_VERSION=v2
export SIGNAL_BRIDGE_YAML_VERSION=v6
export TELEGRAM_BRIDGE_YAML_VERSION=v6
export NGINX_CONFIG_VERSION=v8
export WK_SERVER_VERSION=v1
export WK_CLIENT_VERSION=v1
export PG_BACKUP_VERSION=v1
export ADMIN_CONFIG_VERSION=v1
set_admin () {
admin=akadmin
if [ -n "$1" ]
then
admin=$1
fi
psql -U synapse -c "UPDATE users SET admin = 1 WHERE name = '@$admin:$DOMAIN'";
}
set_bridge_tokens() {
if [ -z "$1" ]; then
echo "Error: Missing parameter. Usage: set_bridge_tokens <BRIDGETYPE>"
return 1
fi
BRIDGETYPE=$1
echo "retrieve tokens from registration.yaml..."
output=$(abra app run $DOMAIN app cat /${BRIDGETYPE}-data/registration.yaml)
if [ $? -ne 0 ]; then
echo "Error: Failed to retrieve registration.yaml for ${BRIDGETYPE} bridge:"
echo "$output"
return 1
fi
hs_token=$(echo "$output" | sed -n 's/^hs_token:[[:space:]]*\(.*\)$/\1/p')
as_token=$(echo "$output" | sed -n 's/^as_token:[[:space:]]*\(.*\)$/\1/p')
echo "HS Token: $hs_token"
echo "AS Token: $as_token"
echo "UNDEPLOY $DOMAIN?"
abra app undeploy $DOMAIN
echo "Replacing tokens:"
abra app secret rm $DOMAIN ${BRIDGETYPE}_as_token
abra app secret insert $DOMAIN ${BRIDGETYPE}_as_token v1 $as_token
abra app secret rm $DOMAIN ${BRIDGETYPE}_hs_token
abra app secret insert $DOMAIN ${BRIDGETYPE}_hs_token v1 $hs_token
echo "Redeploying $DOMAIN..."
abra app deploy -n $DOMAIN
}

3
admin.conf.tmpl
View File

@ -1,3 +0,0 @@
{
"restrictBaseUrl": "https://{{ env "DOMAIN" }}"
}

15
alaconnect.yml
View File

@ -1,15 +0,0 @@
authentik:
env:
KEYCLOAK_ID: authentik
KEYCLOAK_NAME: sso
KEYCLOAK_URL: https://authentik.example.com/application/o/matrix/
KEYCLOAK_CLIENT_DOMAIN: https://element-web.example.com
KEYCLOAK_ALLOW_EXISTING_USERS: "true"
KEYCLOAK_CLIENT_ID: matrix
uncomment:
- compose.keycloak.yml
- KEYCLOAK_ENABLED
- KEYCLOAK_CLIENT_ID
- SECRET_KEYCLOAK_CLIENT_SECRET_VERSION
shared_secrets:
matrix_secret: keycloak_client_secret

46
compose.admin.yml
View File

@ -1,46 +0,0 @@
---
version: "3.8"
services:
admin:
image: awesometechnologies/synapse-admin:0.10.3
networks:
- proxy
deploy:
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
- "traefik.http.services.${STACK_NAME}_admin.loadbalancer.server.port=80"
- "traefik.http.routers.${STACK_NAME}_admin.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})&&PathPrefix(`/admin`)"
- "traefik.http.routers.${STACK_NAME}_admin.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}_admin.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "traefik.http.routers.${STACK_NAME}_admin.middlewares=admin,admin_path"
- "traefik.http.middlewares.admin.redirectregex.regex=^(.*)/admin/?"
- "traefik.http.middlewares.admin.redirectregex.replacement=$${1}/admin/"
- "traefik.http.middlewares.admin_path.stripprefix.prefixes=/admin"
environment:
- DOMAIN
configs:
- source: admin_config
target: /app/config.json
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost"]
interval: 30s
timeout: 10s
retries: 10
start_period: 1m
web:
environment:
- ADMIN_INTERFACE_ENABLED
networks:
proxy:
external: true
configs:
admin_config:
name: ${STACK_NAME}_admin_config_${ADMIN_CONFIG_VERSION}
file: admin.conf.tmpl
template_driver: golang

66
compose.discord.yml
View File

@ -1,66 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- APP_SERVICES_ENABLED
- APP_SERVICE_CONFIGS
volumes:
- discord-data:/discord-data
discordbridge:
image: halfshot/matrix-appservice-discord:v1.0.0
depends_on:
- discorddb
configs:
- source: discord_bridge_yaml
target: /data/config.yaml
environment:
- DISCORD_CLIENT_ID
- DISCORD_BRIDGE_ADMIN
- HOMESERVER_DOMAIN
- HOMESERVER_URL
secrets:
- discord_bot_token
- discord_db_password
volumes:
- discord-data:/data
networks:
- internal
discorddb:
image: postgres:13-alpine
secrets:
- discord_db_password
environment:
- LC_COLLATE=C
- LC_CTYPE=C
- POSTGRES_DB=discordbridge
- POSTGRES_INITDB_ARGS="-E \"UTF8\""
- POSTGRES_PASSWORD_FILE=/run/secrets/discord_db_password
- POSTGRES_USER=discordbridge
networks:
- internal
healthcheck:
test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
volumes:
- discord-postgres:/var/lib/postgresql/data
configs:
discord_bridge_yaml:
name: ${STACK_NAME}_discord_bridge_yaml_${DISCORD_BRIDGE_YAML_VERSION}
file: discord_bridge.yaml.tmpl
template_driver: golang
volumes:
discord-data:
discord-postgres:
secrets:
discord_db_password:
external: true
name: ${STACK_NAME}_discord_db_password_${SECRET_DISCORD_DB_PASSWORD_VERSION}
discord_bot_token:
external: true
name: ${STACK_NAME}_discord_bot_token_${SECRET_DISCORD_BOT_TOKEN_VERSION}

6
compose.keycloak.yml
View File

@ -7,16 +7,14 @@ services:
- db_password
- form_secret
- keycloak_client_secret
- macaroon
- registration
- macaroon_secret_key
- registration_shared_secret
environment:
- KEYCLOAK_CLIENT_DOMAIN
- KEYCLOAK_CLIENT_ID
- KEYCLOAK_ENABLED
- KEYCLOAK_NAME
- KEYCLOAK_ID
- KEYCLOAK_URL
- KEYCLOAK_ALLOW_EXISTING_USERS
secrets:
keycloak_client_secret:

2
compose.keycloak2.yml
View File

@ -6,10 +6,8 @@ services:
secrets:
- keycloak2_client_secret
environment:
- KEYCLOAK2_ALLOW_EXISTING_USERS
- KEYCLOAK2_CLIENT_ID
- KEYCLOAK2_ENABLED
- KEYCLOAK2_ID
- KEYCLOAK2_NAME
- KEYCLOAK2_URL

19
compose.keycloak3.yml
View File

@ -1,19 +0,0 @@
---
version: "3.8"
services:
app:
secrets:
- keycloak3_client_secret
environment:
- KEYCLOAK3_ALLOW_EXISTING_USERS
- KEYCLOAK3_CLIENT_ID
- KEYCLOAK3_ENABLED
- KEYCLOAK3_ID
- KEYCLOAK3_NAME
- KEYCLOAK3_URL
secrets:
keycloak3_client_secret:
external: true
name: ${STACK_NAME}_keycloak3_client_secret_${SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION}

22
compose.shared_secret_auth.yml
View File

@ -1,22 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- SHARED_SECRET_AUTH_ENABLED
secrets:
- shared_secret_auth
configs:
- source: shared_secret_auth
target: /usr/local/lib/python3.12/site-packages/shared_secret_authenticator.py
configs:
shared_secret_auth:
name: ${STACK_NAME}_shared_secret_auth_${SHARED_SECRET_AUTH_VERSION}
file: shared_secret_authenticator.py
secrets:
shared_secret_auth:
external: true
name: ${STACK_NAME}_shared_secret_auth_${SECRET_SHARED_SECRET_AUTH_VERSION}

86
compose.signal.yml
View File

@ -1,86 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- APP_SERVICES_ENABLED
- APP_SERVICE_CONFIGS
volumes:
- signal-data:/signal-data
signalbridge:
image: dock.mau.dev/mautrix/signal:v0.7.5
depends_on:
- signaldb
configs:
- source: signal_bridge_yaml
target: /data/config.yaml
environment:
- HOMESERVER_DOMAIN
- HOMESERVER_URL
- SIGNAL_BRIDGE_PERMISSIONS
- SIGNAL_ENABLE_ENCRYPTION
- SIGNAL_DEFAULT_ENCRYPTION=${SIGNAL_DEFAULT_ENCRYPTION:-false}
- VERIFY_SSL
secrets:
- signal_as_token
- signal_db_password
- signal_hs_token
- shared_secret_auth
- signal_pickle_key
volumes:
- signal-data:/data
networks:
- internal
signaldb:
image: postgres:13-alpine
secrets:
- signal_db_password
environment:
- LC_COLLATE=C
- LC_CTYPE=C
- POSTGRES_DB=signalbridge
- POSTGRES_INITDB_ARGS="-E \"UTF8\""
- POSTGRES_PASSWORD_FILE=/run/secrets/signal_db_password
- POSTGRES_USER=signalbridge
networks:
- internal
healthcheck:
test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
volumes:
- signal-postgres:/var/lib/postgresql/data
deploy:
labels:
backupbot.backup.pre-hook: "/pg_backup.sh backup"
backupbot.backup.volumes.signal-postgres.path: "backup.sql"
backupbot.restore.post-hook: '/pg_backup.sh restore'
configs:
- source: pg_backup
target: /pg_backup.sh
mode: 0555
configs:
signal_bridge_yaml:
name: ${STACK_NAME}_signal_bridge_yaml_${SIGNAL_BRIDGE_YAML_VERSION}
file: signal_bridge.yaml.tmpl
template_driver: golang
volumes:
signal-data:
signal-postgres:
secrets:
signal_db_password:
external: true
name: ${STACK_NAME}_signal_db_password_${SECRET_SIGNAL_DB_PASSWORD_VERSION}
signal_as_token:
external: true
name: ${STACK_NAME}_signal_as_token_${SECRET_SIGNAL_AS_TOKEN_VERSION}
signal_hs_token:
external: true
name: ${STACK_NAME}_signal_hs_token_${SECRET_SIGNAL_HS_TOKEN_VERSION}
signal_pickle_key:
external: true
name: ${STACK_NAME}_signal_pickle_key_${SECRET_SIGNAL_PICKLE_KEY_VERSION}

4
compose.smtp.yml
View File

@ -6,8 +6,8 @@ services:
secrets:
- db_password
- form_secret
- macaroon
- registration
- macaroon_secret_key
- registration_shared_secret
- smtp_password
environment:
- SMTP_APP_NAME

94
compose.telegram.yml
View File

@ -1,94 +0,0 @@
---
version: "3.8"
services:
app:
environment:
- APP_SERVICES_ENABLED
- APP_SERVICE_CONFIGS
volumes:
- telegram-data:/telegram-data
telegrambridge:
image: dock.mau.dev/mautrix/telegram:v0.15.2
depends_on:
- telegramdb
configs:
- source: telegram_bridge_yaml
target: /data/config.yaml
environment:
- APP_SERVICE_BOT_USERNAME
- APP_SERVICE_DISPLAY_NAME
- APP_SERVICE_ID
- ENABLE_ENCRYPTION
- HOMESERVER_DOMAIN
- HOMESERVER_URL
- TELEGRAM_APP_ID
- TELEGRAM_BRIDGE_PERMISSIONS
- TELEGRAM_SYNC_CHANNEL_MEMBERS
- VERIFY_SSL
secrets:
- telegram_api_hash
- telegram_as_token
- telegram_bot_token
- telegram_db_password
- telegram_hs_token
- shared_secret_auth
volumes:
- telegram-data:/data
networks:
- internal
telegramdb:
image: postgres:13-alpine
secrets:
- telegram_db_password
environment:
- LC_COLLATE=C
- LC_CTYPE=C
- POSTGRES_DB=telegrambridge
- POSTGRES_INITDB_ARGS="-E \"UTF8\""
- POSTGRES_PASSWORD_FILE=/run/secrets/telegram_db_password
- POSTGRES_USER=telegrambridge
networks:
- internal
healthcheck:
test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
volumes:
- telegram-postgres:/var/lib/postgresql/data
deploy:
labels:
backupbot.backup.pre-hook: "/pg_backup.sh backup"
backupbot.backup.volumes.telegram-postgres.path: "backup.sql"
backupbot.restore.post-hook: '/pg_backup.sh restore'
configs:
- source: pg_backup
target: /pg_backup.sh
mode: 0555
configs:
telegram_bridge_yaml:
name: ${STACK_NAME}_telegram_bridge_yaml_${TELEGRAM_BRIDGE_YAML_VERSION}
file: telegram_bridge.yaml.tmpl
template_driver: golang
volumes:
telegram-data:
telegram-postgres:
secrets:
telegram_db_password:
external: true
name: ${STACK_NAME}_telegram_db_password_${SECRET_TELEGRAM_DB_PASSWORD_VERSION}
telegram_api_hash:
external: true
name: ${STACK_NAME}_telegram_api_hash_${SECRET_TELEGRAM_API_HASH_VERSION}
telegram_bot_token:
external: true
name: ${STACK_NAME}_telegram_bot_token_${SECRET_TELEGRAM_BOT_TOKEN_VERSION}
telegram_as_token:
external: true
name: ${STACK_NAME}_telegram_as_token_${SECRET_TELEGRAM_AS_TOKEN_VERSION}
telegram_hs_token:
external: true
name: ${STACK_NAME}_telegram_hs_token_${SECRET_TELEGRAM_HS_TOKEN_VERSION}

4
compose.turn.yml
View File

@ -6,8 +6,8 @@ services:
secrets:
- db_password
- form_secret
- macaroon
- registration
- macaroon_secret_key
- registration_shared_secret
- turn_shared_secret
environment:
- TURN_ALLOW_GUESTS

120
compose.yml
View File

@ -2,50 +2,17 @@
version: "3.8"
services:
web:
image: nginx:1.27.4
networks:
- proxy
- internal
environment:
- DOMAIN
- STACK_NAME
- NGINX_ACCESS_LOG_LOCATION
- NGINX_ERROR_LOG_LOCATION
configs:
- source: nginx_config
target: /etc/nginx/nginx.conf
- source: wk_server
target: /var/www/.well-known/matrix/server
- source: wk_client
target: /var/www/.well-known/matrix/client
deploy:
restart_policy:
condition: on-failure
labels:
- "traefik.enable=true"
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
healthcheck:
test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
interval: 20s
timeout: 15s
retries: 20
app:
image: "matrixdotorg/synapse:v1.124.0"
image: "matrixdotorg/synapse:v1.55.2"
volumes:
- "data:/data"
secrets:
- db_password
- registration
- macaroon
- registration_shared_secret
- macaroon_secret_key
- form_secret
environment:
- ALLOWED_LIFETIME_MAX
- ALLOW_PUBLIC_ROOMS_FEDERATION
- ENCRYPTED_BY_DEFAULT
- AUTO_JOIN_ROOM
- AUTO_JOIN_ROOM_ENABLED
- DISABLE_FEDERATION
@ -53,27 +20,10 @@ services:
- ENABLE_3PID_LOOKUP
- ENABLE_ALLOWLIST
- ENABLE_REGISTRATION
- REGISTRATION_REQUIRES_TOKEN
- ENCRYPTED_BY_DEFAULT
- OLD_SIGNING_KEY
- OLD_SIGNING_KEY_ID
- OLD_SIGNING_KEY_EXPIRES
- USER_DIRECTORY_ENABLED=${USER_DIRECTORY_ENABLED:-true}
- USER_DIRECTORY_SEARCH_ALL_USERS=${USER_DIRECTORY_SEARCH_ALL_USERS:-true}
- USER_DIRECTORY_PREFER_LOCAL_USERS=${USER_DIRECTORY_PREFER_LOCAL_USERS:-true}
- USER_DIRECTORY_SHOW_LOCKED_USERS=${USER_DIRECTORY_SHOW_LOCKED_USERS:-false}
- FEDERATION_ALLOWLIST
- REQUIRE_AUTH_FOR_PROFILE_REQUESTS=${REQUIRE_AUTH_FOR_PROFILE_REQUESTS:-false}
- LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS=${LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS:-false}
- DELETE_STALE_DEVICES_AFTER
- SESSION_LIFETIME
- TRACK_PUPPETED_USER_IPS=${TRACK_PUPPETED_USER_IPS:-false}
- LETSENCRYPT_HOST=${DOMAIN}
- MEDIA_RETENTION_LOCAL_LIFETIME
- MEDIA_RETENTION_REMOTE_LIFETIME
- PASSWORD_LOGIN_ENABLED
- REDACTION_RETENTION_PERIOD
- RETENTION_MAX_LIFETIME
- ROOT_LOG_LEVEL
- SERVE_SERVER_WELLKNOWN
- SQL_LOG_LEVEL
@ -84,12 +34,8 @@ services:
- USER_IPS_MAX_AGE
- VIRTUAL_HOST=${DOMAIN}
- VIRTUAL_PORT=8008
- LOGIN_LIMIT_IP_PER_SECOND=${LOGIN_LIMIT_IP_PER_SECOND:-0.003}
- LOGIN_LIMIT_IP_BURST=${LOGIN_LIMIT_IP_BURST:-5}
- LOGIN_LIMIT_ACCOUNT_PER_SECOND=${LOGIN_LIMIT_ACCOUNT_PER_SECOND:-0.003}
- LOGIN_LIMIT_ACCOUNT_BURST=${LOGIN_LIMIT_ACCOUNT_BURST:-5}
- WEB_CLIENT_LOCATION
networks:
- proxy
- internal
entrypoint: /docker-entrypoint.sh
configs:
@ -104,14 +50,12 @@ services:
restart_policy:
condition: on-failure
labels:
- "coop-cloud.${STACK_NAME}.version=6.6.3+v1.124.0"
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
interval: 30s
timeout: 10s
retries: 10
start_period: 1m
- "traefik.enable=true"
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008"
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "coop-cloud.${STACK_NAME}.version=1.3.0+v1.55.2"
db:
image: postgres:13-alpine
@ -124,27 +68,12 @@ services:
- POSTGRES_INITDB_ARGS="-E \"UTF8\""
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- POSTGRES_USER=synapse
- DOMAIN
networks:
- internal
healthcheck:
test: ["CMD", "pg_isready", "-U", "synapse"]
interval: 30s
timeout: 10s
retries: 10
start_period: 1m
volumes:
- postgres:/var/lib/postgresql/data
deploy:
labels:
backupbot.backup: "${ENABLE_BACKUPS:-true}"
backupbot.backup.pre-hook: "/pg_backup.sh backup"
backupbot.backup.volumes.postgres.path: "backup.sql"
backupbot.restore.post-hook: '/pg_backup.sh restore'
configs:
- source: pg_backup
target: /pg_backup.sh
mode: 0555
volumes:
data:
@ -161,39 +90,24 @@ configs:
file: entrypoint.sh.tmpl
template_driver: golang
homeserver_yaml:
name: ${STACK_NAME}_homeserver_yaml_${HOMESERVER_YAML_VERSION}
name: ${STACK_NAME}_homserver_yaml_${HOMESERVER_YAML_VERSION}
file: homeserver.yaml.tmpl
template_driver: golang
log_config:
name: ${STACK_NAME}_log_config_${LOG_CONFIG_VERSION}
file: log.config.tmpl
template_driver: golang
nginx_config:
name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
file: nginx.conf.tmpl
template_driver: golang
wk_server:
name: ${STACK_NAME}_wk_server_${WK_SERVER_VERSION}
file: well_known_server.conf.tmpl
template_driver: golang
wk_client:
name: ${STACK_NAME}_wk_client_${WK_CLIENT_VERSION}
file: well_known_client.conf.tmpl
template_driver: golang
pg_backup:
name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
file: pg_backup.sh
secrets:
db_password:
external: true
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
registration:
registration_shared_secret:
external: true
name: ${STACK_NAME}_registration_${SECRET_REGISTRATION_VERSION}
macaroon:
name: ${STACK_NAME}_db_password_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}
macaroon_secret_key:
external: true
name: ${STACK_NAME}_macaroon_${SECRET_MACAROON_VERSION}
name: ${STACK_NAME}_db_password_${SECRET_MACAROON_SECRET_KEY_VERSION}
form_secret:
external: true
name: ${STACK_NAME}_form_secret_${SECRET_FORM_SECRET_VERSION}
name: ${STACK_NAME}_db_password_${SECRET_FORM_SECRET_VERSION}

123
discord_bridge.yaml.tmpl
View File

@ -1,123 +0,0 @@
bridge:
# Domain part of the bridge, e.g. matrix.org
domain: "{{ env "HOMESERVER_DOMAIN" }}"
# This should be your publicly-facing URL because Discord may use it to
# fetch media from the media store.
homeserverUrl: "{{ env "HOMESERVER_URL" }}"
# The TCP port on which the appservice runs on.
port: 9005
# Interval at which to process users in the 'presence queue'. If you have
# 5 users, one user will be processed every 500 milliseconds according to the
# value below. This has a minimum value of 250.
# WARNING: This has a high chance of spamming the homeserver with presence
# updates since it will send one each time somebody changes state or is online.
presenceInterval: 500
# Disable setting presence for 'ghost users' which means Discord users on Matrix
# will not be shown as away or online.
disablePresence: false
# Disable sending typing notifications when somebody on Discord types.
disableTypingNotifications: false
# Disable deleting messages on Discord if a message is redacted on Matrix.
disableDeletionForwarding: false
# Disable portal bridging, where Matrix users can search for unbridged Discord
# rooms on their Matrix server.
disablePortalBridging: false
# Enable users to bridge rooms using !discord commands. See
# https://t2bot.io/discord for instructions.
enableSelfServiceBridging: true
# Disable sending of read receipts for Matrix events which have been
# successfully bridged to Discord.
disableReadReceipts: false
# Disable Join Leave echos from matrix
disableJoinLeaveNotifications: false
# Disable Invite echos from matrix
disableInviteNotifications: false
# Auto-determine the language of code blocks (this can be CPU-intensive)
determineCodeLanguage: false
# MXID of an admin user that will be PMd if the bridge experiences problems. Optional
adminMxid: '{{ env "DISCORD_BRIDGE_ADMIN" }}'
# The message to send to the bridge admin if the Discord token is not valid
invalidTokenMessage: 'Your Discord bot token seems to be invalid, and the bridge cannot function. Please update it in your bridge settings and restart the bridge'
# Authentication configuration for the discord bot.
auth:
# This MUST be a string (wrapped in quotes)
clientID: "{{ env "DISCORD_CLIENT_ID" }}"
botToken: "{{ secret "discord_bot_token" }}"
# You must enable "Privileged Gateway Intents" in your bot settings on discord.com (e.g. https://discord.com/developers/applications/12345/bot)
# for this to work
usePrivilegedIntents: false
logging:
# What level should the logger output to the console at.
console: "error" #silly, verbose, info, http, warn, error, silent
lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format
files:
- file: "debug.log"
disable:
- "PresenceHandler" # Will not capture presence logging
- file: "warn.log" # Will capture warnings
level: "warn"
- file: "botlogs.log" # Will capture logs from DiscordBot
level: "info"
enable:
- "DiscordBot"
database:
# You may either use SQLite or Postgresql for the bridge database, which contains
# important mappings for events and user puppeting configurations.
# Use the filename option for SQLite, or connString for Postgresql.
# If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite
# WARNING: You will almost certainly be fine with sqlite unless your bridge
# is in heavy demand and you suffer from IO slowness.
connString: "postgres://discordbridge:{{ secret "discord_db_password" }}@discorddb/discordbridge"
room:
# Set the default visibility of alias rooms, defaults to "public".
# One of: "public", "private"
defaultVisibility: "public"
channel:
# Pattern of the name given to bridged rooms.
# Can use :guild for the guild name and :name for the channel name.
namePattern: "[Discord] :guild :name"
# Changes made to rooms when a channel is deleted.
deleteOptions:
# Prefix the room name with a string.
#namePrefix: "[Deleted]"
# Prefix the room topic with a string.
#topicPrefix: "This room has been deleted"
# Disable people from talking in the room by raising the event PL to 50
disableMessaging: false
# Remove the discord alias from the room.
unsetRoomAlias: true
# Remove the room from the directory.
unlistFromDirectory: true
# Set the room to be unavailable for joining without an invite.
setInviteOnly: true
# Make all the discord users leave the room.
ghostsLeave: true
limits:
# Delay in milliseconds between discord users joining a room.
roomGhostJoinDelay: 6000
# Lock timeout in milliseconds before sending messages to discord to avoid
# echos. Default is rather high as the lock will most likely time out
# before anyways.
# echos = (Copies of a sent message may arrive from discord before we've
# fininished handling it, causing us to echo it back to the room)
discordSendDelay: 1500
# Set a maximum of rooms to be bridged.
# roomCount: 20
ghosts:
# Pattern for the ghosts nick, available is :nick, :username, :tag and :id
nickPattern: ":nick"
# Pattern for the ghosts username, available is :username, :tag and :id
usernamePattern: ":username#:tag"
# Prometheus-compatible metrics endpoint
metrics:
enable: false
port: 9001
host: "127.0.0.1"

5
entrypoint.sh.tmpl
View File

@ -6,11 +6,6 @@ chown 991:991 /data
if [[ ! -f /data/{{ env "DOMAIN" }}.signing.key ]]; then
/start.py generate
chown -R 991:991 /data/*.config /data/*.key
fi
if [[ -d /signal-data ]]; then
chown -R 991:991 /signal-data
fi
/start.py

2620
homeserver.yaml.tmpl
View File

File diff suppressed because it is too large Load Diff

55
nginx.conf.tmpl
View File

@ -1,55 +0,0 @@
user www-data;
events {
worker_connections 768;
}
http {
server {
listen 80;
access_log {{ or (env "NGINX_ACCESS_LOG_LOCATION") "/dev/null" }};
error_log {{ or (env "NGINX_ERROR_LOG_LOCATION") "/dev/null" }};
server_name {{ env "DOMAIN" }};
location = / {
proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
location ~* ^(\/_matrix|\/_synapse\/client) {
proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
location /.well-known/matrix/ {
root /var/www/;
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
{{ if eq (env "ADMIN_INTERFACE_ENABLED") "1" }}
location ^~ /_synapse/admin {
if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
return 403;
}
proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
{{ end }}
}
}

34
pg_backup.sh
View File

@ -1,34 +0,0 @@
#!/bin/bash
set -e
BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
function backup {
export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
}
function restore {
cd /var/lib/postgresql/data/
restore_config(){
# Restore allowed connections
cat pg_hba.conf.bak > pg_hba.conf
su postgres -c 'pg_ctl reload'
}
# Don't allow any other connections than local
cp pg_hba.conf pg_hba.conf.bak
echo "local all all trust" > pg_hba.conf
su postgres -c 'pg_ctl reload'
trap restore_config EXIT INT TERM
# Recreate Database
psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);"
createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
trap - EXIT INT TERM
restore_config
}
$@

9
release/2.0.0+v1.58.1
View File

@ -1,9 +0,0 @@
This upgrade adds new env variables for homeserver.yml, please add them to your .env file:
```
ENCRYPTED_BY_DEFAULT=all
SERVE_SERVER_WELLKNOWN=false
#KEYCLOAK_ID=keycloak
#KEYCLOAK_ALLOW_EXISTING_USERS=false
```

9
release/2.1.0+v1.62.0
View File

@ -1,9 +0,0 @@
If you're using the horrendous `compose.keycloak2.yml` (as creator of this
horrible hack, I am allowed to call it horrendous ;)), you will need to
re-check the new ~/.abra/recipes/matrix-synapse/.env.sample, there are some new
default env vars which you'll have to add in (e.g. KEYCLOAK2_ID=...).
You'll also need to add `KEYCLOAK_ID=keycloak` if using `compose.keycloak.yml`,
it isn't vendored any more.
@decentral1se

17
release/3.0.0+v1.74.0
View File

@ -1,17 +0,0 @@
WARNING: There are a lot of config breaking changes in this one, watch out!
* KEYCLOAK2* env vars have gone away, they were experimental.
* TELEGRAM_BRIDGE_ADMIN* is replaced by TELEGRAM_BRIDGE_PERMISSIONS.
* SIGNAL_BRIDGE_ADMIN* is replaced by SIGNAL_BRIDGE_PERMISSIONS.
* The homeserver config has been trimmed, see coop-cloud/matrix-synapse#33 for more.
* Bridge logging is only ERROR level now to minimise leaking plaintext.
* It is possible to use SSO & federation env vars in combination now.
* Media retention is now configurable with #MEDIA_RETENTION_* env vars.
@decentral1se

10
release/4.0.0+v1.93.0
View File

@ -1,10 +0,0 @@
We had to rename some secrets: https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/35
Copy the secrets:
* `registration_shared_secret` to `registration`
* `macaroon_secret_key` to `macaroon`
The easiest way to do this is to run `abra app run <matrix.example.com> app bash` BEFORE this upgrade, then `cat /run/secrets/registration_shared_secret`. If you haven't saved the secrets yet, and would like to, please Ctrl+C out of this upgrade and do that first.
Regeneration of these secrets should also work.

1
release/5.0.0+v1.93.0
View File

@ -1 +0,0 @@
It's recommended not to upgrade / downgrade directly to this version (or other 5.y.z versions), because of service renaming which was reverted in 6.0.0+v1.100.0.

6
release/5.0.1+v1.93.0
View File

@ -1,6 +0,0 @@
Logging is now disabled by default. If you want to reënable it, set these options:
```
NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
NGINX_ERROR_LOG_LOCATION="/dev/stderr"
```

1
release/6.0.0+v1.100.0
View File

@ -1 +0,0 @@
If you are upgrading from verison 5.y.z of this recipe, you will need to `undeploy` then `deploy`, because of a service rename which was reverted.

1
release/6.6.1+v1.124.0
View File

@ -1 +0,0 @@
added env REGISTRATION_REQUIRES_TOKEN

1
release/6.6.2+v1.124.0
View File

@ -1 +0,0 @@
new optional env vars for user_directory and privacy options

1
release/6.6.3+v1.124.0
View File

@ -1 +0,0 @@
added env for old-signing-keys

123
shared_secret_authenticator.py
View File

@ -1,123 +0,0 @@
# -*- coding: utf-8 -*-
#
# Shared Secret Authenticator module for Matrix Synapse
# Copyright (C) 2018 Slavi Pantaleev
#
# https://devture.com/
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
from typing import Awaitable, Callable, Optional, Tuple
import hashlib
import hmac
import logging
import synapse
from synapse import module_api
logger = logging.getLogger(__name__)
class SharedSecretAuthProvider:
def __init__(self, config: dict, api: module_api):
for k in ('shared_secret',):
if k not in config:
raise KeyError('Required `{0}` configuration key not found'.format(k))
m_login_password_support_enabled = bool(config['m_login_password_support_enabled']) if 'm_login_password_support_enabled' in config else False
com_devture_shared_secret_auth_support_enabled = bool(config['com_devture_shared_secret_auth_support_enabled']) if 'com_devture_shared_secret_auth_support_enabled' in config else True
self.api = api
self.shared_secret = config['shared_secret']
auth_checkers: Optional[Dict[Tuple[str, Tuple], CHECK_AUTH_CALLBACK]] = {}
if com_devture_shared_secret_auth_support_enabled:
auth_checkers[("com.devture.shared_secret_auth", ("token",))] = self.check_com_devture_shared_secret_auth
if m_login_password_support_enabled:
auth_checkers[("m.login.password", ("password",))] = self.check_m_login_password
enabled_login_types = [k[0] for k in auth_checkers]
if len(enabled_login_types) == 0:
raise RuntimeError('At least one login type must be enabled')
logger.info('Enabled login types: %s', enabled_login_types)
api.register_password_auth_provider_callbacks(
auth_checkers=auth_checkers,
)
async def check_com_devture_shared_secret_auth(
self,
username: str,
login_type: str,
login_dict: "synapse.module_api.JsonDict",
) -> Optional[
Tuple[
str,
Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
]
]:
if login_type != "com.devture.shared_secret_auth":
return None
return await self._log_in_username_with_token("com.devture.shared_secret_auth", username, login_dict.get("token"))
async def check_m_login_password(
self,
username: str,
login_type: str,
login_dict: "synapse.module_api.JsonDict",
) -> Optional[
Tuple[
str,
Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
]
]:
if login_type != "m.login.password":
return None
return await self._log_in_username_with_token("m.login.password", username, login_dict.get("password"))
async def _log_in_username_with_token(
self,
login_type: str,
username: str,
token: str,
) -> Optional[
Tuple[
str,
Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
]
]:
logger.info('Authenticating user `%s` with login type `%s`', username, login_type)
full_user_id = self.api.get_qualified_user_id(username)
# The password (token) is supposed to be an HMAC of the full user id, keyed with the shared secret.
given_hmac = token.encode('utf-8')
h = hmac.new(self.shared_secret.encode('utf-8'), full_user_id.encode('utf-8'), hashlib.sha512)
computed_hmac = h.hexdigest().encode('utf-8')
if not hmac.compare_digest(computed_hmac, given_hmac):
logger.info('Bad hmac value for user: %s', full_user_id)
return None
user_info = await self.api.get_userinfo_by_id(full_user_id)
if user_info is None:
logger.info('Refusing to authenticate missing user: %s', full_user_id)
return None
logger.info('Authenticated user: %s', full_user_id)
return full_user_id, None

411
signal_bridge.yaml.tmpl
View File

@ -1,411 +0,0 @@
# Network-specific config options
network:
# Displayname template for Signal users.
# {{ "{{.ProfileName}}" }} - The Signal profile name set by the user.
# {{ "{{.ContactName}}" }} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
# {{ "{{.PhoneNumber}}" }} - The phone number of the user.
# {{ "{{.UUID}}" }} - The UUID of the Signal user.
# {{ "{{.AboutEmoji}}" }} - The emoji set by the user in their profile.
displayname_template: '{{ "{{or .ProfileName .PhoneNumber \"Unknown user\"}}" }}'
# Should avatars from the user's contact list be used? This is not safe on multi-user instances.
use_contact_avatars: false
# Should the bridge request the user's contact list from the phone on startup?
sync_contacts_on_startup: true
# Should the bridge sync ghost user info even if profile fetching fails? This is not safe on multi-user instances.
use_outdated_profiles: false
# Should the Signal user's phone number be included in the room topic in private chat portal rooms?
number_in_topic: true
# Default device name that shows up in the Signal app.
device_name: mautrix-signal
# Avatar image for the Note to Self room.
note_to_self_avatar: mxc://maunium.net/REBIVrqjZwmaWpssCZpBlmlL
# Format for generating URLs from location messages for sending to Signal.
# Google Maps: 'https://www.google.com/maps/place/%[1]s,%[2]s'
# OpenStreetMap: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s'
location_format: 'https://www.google.com/maps/place/%[1]s,%[2]s'
# Config options that affect the central bridge module.
bridge:
# The prefix for commands. Only required in non-management rooms.
command_prefix: '!signal'
# Should the bridge create a space for each login containing the rooms that account is in?
personal_filtering_spaces: true
# Whether the bridge should set names and avatars explicitly for DM portals.
# This is only necessary when using clients that don't support MSC4171.
private_chat_portal_meta: false
# Should leaving Matrix rooms be bridged as leaving groups on the remote network?
bridge_matrix_leave: false
# Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
# Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
tag_only_on_create: true
# Should room mute status only be synced when creating the portal?
# Like tags, mutes can't currently be synced back to the remote network.
mute_only_on_create: true
# What should be done to portal rooms when a user logs out or is logged out?
# Permitted values:
# nothing - Do nothing, let the user stay in the portals
# kick - Remove the user from the portal rooms, but don't delete them
# unbridge - Remove all ghosts in the room and disassociate it from the remote chat
# delete - Remove all ghosts and users from the room (i.e. delete it)
cleanup_on_logout:
# Should cleanup on logout be enabled at all?
enabled: false
# Settings for manual logouts (explicitly initiated by the Matrix user)
manual:
# Action for private portals which will never be shared with other Matrix users.
private: nothing
# Action for portals with a relay user configured.
relayed: nothing
# Action for portals which may be shared, but don't currently have any other Matrix users.
shared_no_users: nothing
# Action for portals which have other logged-in Matrix users.
shared_has_users: nothing
# Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
# Keys have the same meanings as in the manual section.
bad_credentials:
private: nothing
relayed: nothing
shared_no_users: nothing
shared_has_users: nothing
# Settings for relay mode
relay:
# Whether relay mode should be allowed. If allowed, the set-relay command can be used to turn any
# authenticated user into a relaybot for that chat.
enabled: true
# Should only admins be allowed to set themselves as relay users?
# If true, non-admins can only set users listed in default_relays as relays in a room.
admin_only: true
# List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
default_relays: []
# The formats to use when sending messages via the relaybot.
# Available variables:
# .Sender.UserID - The Matrix user ID of the sender.
# .Sender.Displayname - The display name of the sender (if set).
# .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
# .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
# plus the user ID in parentheses if the displayname is not unique.
# If the displayname is not set, this is just the user ID.
# .Message - The `formatted_body` field of the message.
# .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
# .FileName - The name of the file being sent.
message_formats:
m.text: "{{`{{ .Sender.DisambiguatedName }}: {{ .Message }}`}}"
m.notice: "{{`{{ .Sender.DisambiguatedName }}: {{ .Message }}`}}"
m.emote: "{{`* {{ .Sender.DisambiguatedName }} {{ .Message }}`}}"
m.file: "{{`{{ .Sender.DisambiguatedName }} sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}`}}"
m.image: "{{`{{ .Sender.DisambiguatedName }} sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}`}}"
m.audio: "{{`{{ .Sender.DisambiguatedName }} sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}`}}"
m.video: "{{`{{ .Sender.DisambiguatedName }} sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}`}}"
m.location: "{{`{{ .Sender.DisambiguatedName }} sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}`}}"
# For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
# This has all the Sender variables available under message_formats (but without the .Sender prefix).
# Note that you need to manually remove the displayname from message_formats above.
displayname_format: "{{`{{ .DisambiguatedName }}`}}"
# Permissions for using the bridge.
# Permitted values:
# relay - Talk through the relaybot (if enabled), no access otherwise
# commands - Access to use commands in the bridge, but not login.
# user - Access to use the bridge with puppeting.
# admin - Full access, user level with some additional administration tools.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions: {{ env "SIGNAL_BRIDGE_PERMISSIONS" }}
# Config for the bridge's database.
database:
# The database type. "sqlite3-fk-wal" and "postgres" are supported.
type: postgres
# The database URI.
# SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
# https://github.com/mattn/go-sqlite3#connection-string
# Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
# To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
uri: postgres://signalbridge:{{ secret "signal_db_password" }}@signaldb/signalbridge?sslmode=disable
# Maximum number of connections.
max_open_conns: 5
max_idle_conns: 1
# Maximum connection idle time and lifetime before they're closed. Disabled if null.
# Parsed with https://pkg.go.dev/time#ParseDuration
max_conn_idle_time: null
max_conn_lifetime: null
# Homeserver details.
homeserver:
# The address that this appservice can use to connect to the homeserver.
# Local addresses without HTTPS are generally recommended when the bridge is running on the same machine,
# but https also works if they run on different machines.
address: {{ env "HOMESERVER_URL" }}
# The domain of the homeserver (also known as server_name, used for MXIDs, etc).
domain: {{ env "HOMESERVER_DOMAIN" }}
# What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's remote network connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
# If set, the bridge will make POST requests to this URL when processing a message from Matrix.
# It will make one request when receiving the message (step BRIDGE), one after decrypting if applicable
# (step DECRYPTED) and one after sending to the remote network (step REMOTE). Errors will also be reported.
# The bridge will use the appservice as_token to authorize requests.
message_send_checkpoint_endpoint:
# Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
async_media: false
# Should the bridge use a websocket for connecting to the homeserver?
# The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
# mautrix-asmux (deprecated), and hungryserv (proprietary).
websocket: false
# How often should the websocket be pinged? Pinging will be disabled if this is zero.
ping_interval_seconds: 0
# Application service host/registration related details.
# Changing these values requires regeneration of the registration (except when noted otherwise)
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://signalbridge:29328
# A public address that external services can use to reach this appservice.
# This value doesn't affect the registration file.
public_address: https://bridge.example.com
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29328
# The unique ID of this appservice.
id: signal
# Appservice bot details.
bot:
# Username of the appservice bot.
username: signalbot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
displayname: Signal bridge bot
avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
# Whether to receive ephemeral events via appservice transactions.
ephemeral_events: true
# Should incoming events be handled asynchronously?
# This may be necessary for large public instances with lots of messages going through.
# However, messages will not be guaranteed to be bridged in the same order they were sent in.
# This value doesn't affect the registration file.
async_transactions: false
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: "{{ secret "signal_as_token" }}"
hs_token: "{{ secret "signal_hs_token" }}"
# Localpart template of MXIDs for remote users.
# {{ "{{.}}" }} is replaced with the internal ID of the user.
username_template: signal_{{ "{{.}}" }}
# Config options that affect the Matrix connector of the bridge.
matrix:
# Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# Whether the bridge should send a read receipt after successfully bridging a message.
delivery_receipts: false
# Whether the bridge should send error notices via m.notice events when a message fails to bridge.
message_error_notices: true
# Whether the bridge should update the m.direct account data event when double puppeting is enabled.
sync_direct_chat_list: false
# Whether created rooms should have federation enabled. If false, created portal rooms
# will never be federated. Changing this option requires recreating rooms.
federate_rooms: true
# Settings for provisioning API
provisioning:
# Prefix for the provisioning API paths.
prefix: /_matrix/provision
# Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
# or if set to "disable", the provisioning API will be disabled.
shared_secret: generate
# Whether to allow provisioning API requests to be authed using Matrix access tokens.
# This follows the same rules as double puppeting to determine which server to contact to check the token,
# which means that by default, it only works for users on the same server as the bridge.
allow_matrix_auth: true
# Enable debug API at /debug with provisioning authentication.
debug_endpoints: false
# Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
# These settings control whether the bridge will provide such public media access.
public_media:
# Should public media be enabled at all?
# The public_address field under the appservice section MUST be set when enabling public media.
enabled: false
# A key for signing public media URLs.
# If set to "generate", a random key will be generated.
signing_key: generate
# Number of seconds that public media URLs are valid for.
# If set to 0, URLs will never expire.
expiry: 0
# Length of hash to use for public media URLs. Must be between 0 and 32.
hash_length: 32
# Settings for converting remote media to custom mxc:// URIs instead of reuploading.
# More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
direct_media:
# Should custom mxc:// URIs be used instead of reuploading media?
enabled: false
# The server name to use for the custom mxc:// URIs.
# This server name will effectively be a real Matrix server, it just won't implement anything other than media.
# You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
server_name: discord-media.example.com
# Optionally a custom .well-known response. This defaults to `server_name:443`
well_known_response:
# Optionally specify a custom prefix for the media ID part of the MXC URI.
media_id_prefix:
# If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
# media download redirects if the requester supports it. Optionally, you can force redirects
# and not allow proxying at all by setting this to false.
# This option does nothing if the remote network does not support media downloads over HTTP.
allow_proxy: true
# Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
# This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
server_key: generate
# Settings for backfilling messages.
# Note that the exact way settings are applied depends on the network connector.
# See https://docs.mau.fi/bridges/general/backfill.html for more details.
backfill:
# Whether to do backfilling at all.
enabled: false
# Maximum number of messages to backfill in empty rooms.
max_initial_messages: 50
# Maximum number of missed messages to backfill after bridge restarts.
max_catchup_messages: 500
# If a backfilled chat is older than this number of hours,
# mark it as read even if it's unread on the remote network.
unread_hours_threshold: 720
# Settings for backfilling threads within other backfills.
threads:
# Maximum number of messages to backfill in a new thread.
max_initial_messages: 50
# Settings for the backwards backfill queue. This only applies when connecting to
# Beeper as standard Matrix servers don't support inserting messages into history.
queue:
# Should the backfill queue be enabled?
enabled: false
# Number of messages to backfill in one batch.
batch_size: 100
# Delay between batches in seconds.
batch_delay: 20
# Maximum number of batches to backfill per portal.
# If set to -1, all available messages will be backfilled.
max_batches: -1
# Optional network-specific overrides for max batches.
# Interpretation of this field depends on the network connector.
max_batches_override: {}
# Settings for enabling double puppeting
double_puppet:
# Servers to always allow double puppeting from.
# This is only for other servers and should NOT contain the server the bridge is on.
servers:
{{ env "HOMESERVER_DOMAIN" }}: {{ env "HOMESERVER_URL" }}
# Whether to allow client API URL discovery for other servers. When using this option,
# users on other servers can use double puppeting even if their server URLs aren't
# explicitly added to the servers map above.
allow_discovery: false
# Shared secrets for automatic double puppeting.
# See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
secrets:
{{ env "HOMESERVER_DOMAIN" }}: {{ secret "shared_secret_auth" }}
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
allow: {{ env "SIGNAL_ENABLE_ENCRYPTION" }}
# Whether to force-enable encryption in all bridged rooms.
default: {{ env "SIGNAL_DEFAULT_ENCRYPTION" }}
# Whether to require all messages to be encrypted and drop any unencrypted messages.
require: false
# Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
# This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
appservice: false
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: false
# Pickle key for encrypting encryption keys in the bridge database.
# If set to generate, a random key will be generated.
pickle_key: {{ secret "signal_pickle_key" }}
# Options for deleting megolm sessions from the bridge.
delete_keys:
# Beeper-specific: delete outbound sessions when hungryserv confirms
# that the user has uploaded the key to key backup.
delete_outbound_on_ack: false
# Don't store outbound sessions in the inbound table.
dont_store_outbound: false
# Ratchet megolm sessions forward after decrypting messages.
ratchet_on_decrypt: false
# Delete fully used keys (index >= max_messages) after decrypting messages.
delete_fully_used_on_decrypt: false
# Delete previous megolm sessions from same device when receiving a new one.
delete_prev_on_new_session: false
# Delete megolm sessions received from a device when the device is deleted.
delete_on_device_delete: false
# Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
periodically_delete_expired: false
# Delete inbound megolm sessions that don't have the received_at field used for
# automatic ratcheting and expired session deletion. This is meant as a migration
# to delete old keys prior to the bridge update.
delete_outdated_inbound: false
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# Minimum level for which the bridge should send keys to when bridging messages from the remote network to Matrix.
receive: unverified
# Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# Options for Megolm room key rotation. These options allow you to configure the m.room.encryption event content.
# See https://spec.matrix.org/v1.10/client-server-api/#mroomencryption for more information about that event.
rotation:
# Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is set.
enable_custom: false
# The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# Disable rotating keys when a user's devices change?
# You should not enable this option unless you understand all the implications.
disable_device_change_key_rotation: false
# Logging config. See https://github.com/tulir/zeroconfig for details.
logging:
min_level: debug
writers:
- type: stdout
format: pretty-colored
- type: file
format: json
filename: ./logs/bridge.log
max_size: 100
max_backups: 10
compress: false

544
telegram_bridge.yaml.tmpl
View File

@ -1,544 +0,0 @@
# Homeserver details
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: {{ env "HOMESERVER_URL" }}
# The domain of the homeserver (for MXIDs, etc).
domain: {{ env "HOMESERVER_DOMAIN" }}
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: {{ env "VERIFY_SSL" }}
asmux: false
# Number of retries for all HTTP requests if the homeserver isn't reachable.
http_retry_count: 4
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# Whether asynchronous uploads via MSC2246 should be enabled for media.
# Requires a media repo that supports MSC2246.
async_media: false
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://telegrambridge:29317
# When using https:// the TLS certificate and key files for the address.
tls_cert: false
tls_key: false
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29317
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are supported.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgres://username:password@hostname/dbname
database: postgres://telegrambridge:{{ secret "telegram_db_password" }}@telegramdb/telegrambridge
# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
database_opts:
min_size: 1
max_size: 10
# Public part of web server for out-of-Matrix interaction with the bridge.
# Used for things like login if the user wants to make sure the 2FA password isn't stored in
# the HS database.
public:
# Whether or not the public-facing endpoints should be enabled.
enabled: false
# The prefix to use in the public-facing endpoints.
prefix: /public
# The base URL where the public-facing endpoints are available. The prefix is not added
# implicitly.
external: https://example.com/public
# Provisioning API part of the web server for automated portal creation and fetching information.
# Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
provisioning:
# Whether or not the provisioning API should be enabled.
enabled: false
# The prefix to use in the provisioning API endpoints.
prefix: /_matrix/provision
# The shared secret to authorize users of the API.
# Set to "generate" to generate and save a new token.
shared_secret: generate
# The unique ID of this appservice.
id: {{ env "APP_SERVICE_ID" }}
# Username of the appservice bot.
bot_username: {{ env "APP_SERVICE_BOT_USERNAME" }}
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: {{ env "APP_SERVICE_DISPLAY_NAME" }}
bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: false
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: "{{ secret "telegram_as_token" }}"
hs_token: "{{ secret "telegram_hs_token" }}"
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
listen_port: 8000
# Manhole config.
manhole:
# Whether or not opening the manhole is allowed.
enabled: false
# The path for the unix socket.
path: /var/tmp/mautrix-telegram.manhole
# The list of UIDs who can be added to the whitelist.
# If empty, any UIDs can be specified in the open-manhole command.
whitelist:
- 0
# Bridge config
bridge:
# Localpart template of MXIDs for Telegram users.
# {userid} is replaced with the user ID of the Telegram user.
username_template: "telegram_{userid}"
# Localpart template of room aliases for Telegram portal rooms.
# {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
alias_template: "telegram_{groupname}"
# Displayname template for Telegram users.
# {displayname} is replaced with the display name of the Telegram user.
displayname_template: "{displayname} (Telegram)"
# Set the preferred order of user identifiers which to use in the Matrix puppet display name.
# In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
# ID is used.
#
# If the bridge is working properly, a phone number or an username should always be known, but
# the other one can very well be empty.
#
# Valid keys:
# "full name" (First and/or last name)
# "full name reversed" (Last and/or first name)
# "first name"
# "last name"
# "username"
# "phone number"
displayname_preference:
- full name
- username
- phone number
# Maximum length of displayname
displayname_max_length: 100
# Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
# as there's no way to determine whether an avatar is removed or just hidden from some users. If
# you're on a single-user instance, this should be safe to enable.
allow_avatar_remove: false
# Maximum number of members to sync per portal when starting up. Other members will be
# synced when they send messages. The maximum is 10000, after which the Telegram server
# will not send any more members.
# -1 means no limit (which means it's limited to 10000 by the server)
max_initial_member_sync: 100
# Whether or not to sync the member list in channels.
# If no channel admins have logged into the bridge, the bridge won't be able to sync the member
# list regardless of this setting.
sync_channel_members: {{ env "TELEGRAM_SYNC_CHANNEL_MEMBERS" }}
# Whether or not to skip deleted members when syncing members.
skip_deleted_members: true
# Whether or not to automatically synchronize contacts and chats of Matrix users logged into
# their Telegram account at startup.
startup_sync: true
# Number of most recently active dialogs to check when syncing chats.
# Set to 0 to remove limit.
sync_update_limit: 0
# Number of most recently active dialogs to create portals for when syncing chats.
# Set to 0 to remove limit.
sync_create_limit: 30
# Whether or not to sync and create portals for direct chats at startup.
sync_direct_chats: false
# The maximum number of simultaneous Telegram deletions to handle.
# A large number of simultaneous redactions could put strain on your homeserver.
max_telegram_delete: 10
# Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
# at startup and when creating a bridge.
sync_matrix_state: true
# Allow logging in within Matrix. If false, users can only log in using login-qr or the
# out-of-Matrix login website (see appservice.public config section)
allow_matrix_login: true
# Whether or not to bridge plaintext highlights.
# Only enable this if your displayname_template has some static part that the bridge can use to
# reliably identify what is a plaintext highlight.
plaintext_highlights: false
# Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
public_portals: true
# Whether or not to use /sync to get presence, read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: true
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Servers to always allow double puppeting from
double_puppet_server_map:
{{ env "HOMESERVER_DOMAIN" }}: {{ env "HOMESERVER_URL" }}
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, custom puppets will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
# If using this for other servers than the bridge's server,
# you must also set the URL in the double_puppet_server_map.
login_shared_secret_map:
{{ env "HOMESERVER_DOMAIN" }}: {{ secret "shared_secret_auth" }}
# Set to false to disable link previews in messages sent to Telegram.
telegram_link_preview: true
# Whether or not the !tg join command should do a HTTP request
# to resolve redirects in invite links.
invite_link_resolve: false
# Use inline images instead of a separate message for the caption.
# N.B. Inline images are not supported on all clients (e.g. Element iOS/Android).
inline_images: false
# Maximum size of image in megabytes before sending to Telegram as a document.
image_as_file_size: 10
# Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 1280x1280 = 1638400.
image_as_file_pixels: 1638400
# Enable experimental parallel file transfer, which makes uploads/downloads much faster by
# streaming from/to Matrix and using many connections for Telegram.
# Note that generating HQ thumbnails for videos is not possible with streamed transfers.
# This option uses internal Telethon implementation details and may break with minor updates.
parallel_file_transfer: false
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: true
# Settings for converting animated stickers.
animated_sticker:
# Format to which animated stickers should be converted.
# disable - No conversion, send as-is (gzipped lottie)
# png - converts to non-animated png (fastest),
# gif - converts to animated gif
# webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
target: gif
# Arguments for converter. All converters take width and height.
args:
width: 256
height: 256
fps: 25 # only for webm and gif (2, 5, 10, 20 or 25 recommended)
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: {{ env "ENABLE_ENCRYPTION" }}
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# Database for the encryption data. If set to `default`, will use the appservice database.
database: default
# Options for automatic key sharing.
key_sharing:
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow: false
# Require the requesting device to have a valid cross-signing signature?
# This doesn't require that the bridge has verified the device, only that the user has verified it.
# Not yet implemented.
require_cross_signing: false
# Require devices to be verified by the bridge?
# Verification by the bridge is not yet implemented.
require_verification: false
# Whether or not to explicitly set the avatar and room name for private
# chat portal rooms. This will be implicitly enabled if encryption.default is true.
private_chat_portal_meta: false
# Whether or not the bridge should send a read receipt from the bridge bot when a message has
# been sent to Telegram.
delivery_receipts: false
# Whether or not delivery errors should be reported as messages in the Matrix room.
delivery_error_reports: false
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it,
# except if the config file is not writable.
resend_bridge_info: false
# When using double puppeting, should muted chats be muted in Matrix?
mute_bridging: false
# When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
# The favorites tag is `m.favourite`.
pinned_tag: null
# Same as above for archived chats, the low priority tag is `m.lowpriority`.
archive_tag: null
# Whether or not mute status and tags should only be bridged when the portal room is created.
tag_only_on_create: true
# Should leaving the room on Matrix make the user leave on Telegram?
bridge_matrix_leave: true
# Should the user be kicked out of all portals when logging out of the bridge?
kick_on_logout: true
# Should the "* user joined Telegram" notice always be marked as read automatically?
always_read_joined_telegram_notice: true
# Settings for backfilling messages from Telegram.
backfill:
# Whether or not the Telegram ghosts of logged in Matrix users should be
# invited to private chats when backfilling history from Telegram. This is
# usually needed to prevent rate limits and to allow timestamp massaging.
invite_own_puppet: true
# Maximum number of messages to backfill without using a takeout.
# The first time a takeout is used, the user has to manually approve it from a different
# device. If initial_limit or missed_limit are higher than this value, the bridge will ask
# the user to accept the takeout after logging in before syncing any chats.
takeout_limit: 100
# Maximum number of messages to backfill initially.
# Set to 0 to disable backfilling when creating portal, or -1 to disable the limit.
#
# N.B. Initial backfill will only start after member sync. Make sure your
# max_initial_member_sync is set to a low enough value so it doesn't take forever.
initial_limit: 0
# Maximum number of messages to backfill if messages were missed while the bridge was
# disconnected. Note that this only works for logged in users and only if the chat isn't
# older than sync_update_limit
# Set to 0 to disable backfilling missed messages.
missed_limit: 50
# If using double puppeting, should notifications be disabled
# while the initial backfill is in progress?
disable_notifications: false
# Whether or not to enable backfilling in normal groups.
# Normal groups have numerous technical problems in Telegram, and backfilling normal groups
# will likely cause problems if there are multiple Matrix users in the group.
normal_groups: false
# Overrides for base power levels.
initial_power_level_overrides:
user: {}
group: {}
# Whether to bridge Telegram bot messages as m.notices or m.texts.
bot_messages_as_notices: true
bridge_notices:
# Whether or not Matrix bot messages (type m.notice) should be bridged.
default: false
# List of user IDs for whom the previous flag is flipped.
# e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
# notices from users listed here will be bridged.
exceptions: []
# An array of possible values for the $distinguisher variable in message formats.
# Each user gets one of the values here, based on a hash of their user ID.
# If the array is empty, the $distinguisher variable will also be empty.
relay_user_distinguishers: ["🟦", "🟣", "🟩", "⭕️", "🔶", "⬛️", "🔵", "🟢"]
# The formats to use when sending messages to Telegram via the relay bot.
# Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
#
# Available variables:
# $sender_displayname - The display name of the sender (e.g. Example User)
# $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
# $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
# $distinguisher - A random string from the options in the relay_user_distinguishers array.
# $message - The message content
message_formats:
m.text: "$distinguisher <b>$sender_displayname</b>: $message"
m.notice: "$distinguisher <b>$sender_displayname</b>: $message"
m.emote: "* $distinguisher <b>$sender_displayname</b> $message"
m.file: "$distinguisher <b>$sender_displayname</b> sent a file: $message"
m.image: "$distinguisher <b>$sender_displayname</b> sent an image: $message"
m.audio: "$distinguisher <b>$sender_displayname</b> sent an audio file: $message"
m.video: "$distinguisher <b>$sender_displayname</b> sent a video: $message"
m.location: "$distinguisher <b>$sender_displayname</b> sent a location: $message"
# Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
# users are sent to telegram. All fields in message_formats are supported. Additionally, the
# Telegram user info is available in the following variables:
# $displayname - Telegram displayname
# $username - Telegram username (may not exist)
# $mention - Telegram @username or displayname mention (depending on which exists)
emote_format: "* $mention $formatted_body"
# The formats to use when sending state events to Telegram via the relay bot.
#
# Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
# In name_change events, `$prev_displayname` is the previous displayname.
#
# Set format to an empty string to disable the messages for that event.
state_event_formats:
join: "$distinguisher <b>$displayname</b> joined the room."
leave: "$distinguisher <b>$displayname</b> left the room."
name_change: "$distinguisher <b>$prev_displayname</b> changed their name to $distinguisher <b>$displayname</b>"
# Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
# `filter-mode` management commands.
#
# Filters do not affect direct chats.
# An empty blacklist will essentially disable the filter.
filter:
# Filter mode to use. Either "blacklist" or "whitelist".
# If the mode is "blacklist", the listed chats will never be bridged.
# If the mode is "whitelist", only the listed chats can be bridged.
mode: blacklist
# The list of group/channel IDs to filter.
list: []
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!tg"
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: "Hello, I'm a Telegram bridge bot."
# Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help or `login` to log in."
# Optional extra text sent when joining a management room.
additional_help: ""
# Send each message separately (for readability in some clients)
management_room_multiple_messages: false
# Permissions for using the bridge.
# Permitted values:
# relaybot - Only use the bridge via the relaybot, no access to commands.
# user - Relaybot level + access to commands to create bridges.
# puppeting - User level + logging in with a Telegram account.
# full - Full access to use the bridge, i.e. previous levels + Matrix login.
# admin - Full access to use the bridge and some extra administration commands.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions: {{ env "TELEGRAM_BRIDGE_PERMISSIONS" }}
# Options related to the message relay Telegram bot.
relaybot:
private_chat:
# List of users to invite to the portal when someone starts a private chat with the bot.
# If empty, private chats with the bot won't create a portal.
invite: []
# Whether or not to bridge state change messages in relaybot private chats.
state_changes: true
# When private_chat_invite is empty, this message is sent to users /starting the
# relaybot. Telegram's "markdown" is supported.
message: This is a Matrix bridge relaybot and does not support direct chats
# List of users to invite to all group chat portals created by the bridge.
group_chat_invite: []
# Whether or not the relaybot should not bridge events in unbridged group chats.
# If false, portals will be created when the relaybot receives messages, just like normal
# users. This behavior is usually not desirable, as it interferes with manually bridging
# the chat to another room.
ignore_unbridged_group_chat: true
# Whether or not to allow creating portals from Telegram.
authless_portals: true
# Whether or not to allow Telegram group admins to use the bot commands.
whitelist_group_admins: true
# Whether or not to ignore incoming events sent by the relay bot.
ignore_own_incoming_events: true
# List of usernames/user IDs who are also allowed to use the bot commands.
whitelist:
- myusername
- 12345678
# Telegram config
telegram:
# Get your own API keys at https://my.telegram.org/apps
api_id: {{ env "TELEGRAM_APP_ID" }}
api_hash: {{ secret "telegram_api_hash" }}
# (Optional) Create your own bot at https://t.me/BotFather
bot_token: {{ secret "telegram_bot_token" }}
# Telethon connection options.
connection:
# The timeout in seconds to be used when connecting.
timeout: 120
# How many times the reconnection should retry, either on the initial connection or when
# Telegram disconnects us. May be set to a negative or null value for infinite retries, but
# this is not recommended, since the program can get stuck in an infinite loop.
retries: 5
# The delay in seconds to sleep between automatic reconnections.
retry_delay: 1
# The threshold below which the library should automatically sleep on flood wait errors
# (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
# is 20s, the library will sleep automatically. If the error was for 21s, it would raise
# the error instead. Values larger than a day (86400) will be changed to a day.
flood_sleep_threshold: 60
# How many times a request should be retried. Request are retried when Telegram is having
# internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
# there's a migrate error. May take a negative or null value for infinite retries, but this
# is not recommended, since some requests can always trigger a call fail (such as searching
# for messages).
request_retries: 5
# Device info sent to Telegram.
device_info:
# "auto" = OS name+version.
device_model: auto
# "auto" = Telethon version.
system_version: auto
# "auto" = mautrix-telegram version.
app_version: auto
lang_code: en
system_lang_code: en
# Custom server to connect to.
server:
# Set to true to use these server settings. If false, will automatically
# use production server assigned by Telegram. Set to false in production.
enabled: false
# The DC ID to connect to.
dc: 2
# The IP to connect to.
ip: 149.154.167.40
# The port to connect to. 443 may not work, 80 is better and both are equally secure.
port: 80
# Telethon proxy configuration.
# You must install PySocks from pip for proxies to work.
proxy:
# Allowed types: disabled, socks4, socks5, http, mtproxy
type: disabled
# Proxy IP address and port.
address: 127.0.0.1
port: 1080
# Whether or not to perform DNS resolving remotely. Only for socks/http proxies.
rdns: true
# Proxy authentication (optional). Put MTProxy secret in password field.
username: ""
password: ""
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): mautrix_telegram.util.ColorFormatter
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
normal:
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: normal
filename: /data/mautrix-telegram.log
maxBytes: 10485760
backupCount: 10
console:
class: logging.StreamHandler
formatter: colored
loggers:
mau:
level: ERROR
telethon:
level: ERROR
aiohttp:
level: ERROR
root:
level: ERROR
handlers: [file, console]

5
well_known_client.conf.tmpl
View File

@ -1,5 +0,0 @@
{
"m.homeserver": {
"base_url": "https://{{ env "DOMAIN" }}"
}
}

3
well_known_server.conf.tmpl
View File

@ -1,3 +0,0 @@
{
"m.server": "{{ env "DOMAIN" }}:443"
}