working version with secrets
This commit is contained in:
vdietrich
parent
9f5c0ee085
commit
12b9404360
10
.env.sample
10
.env.sample
@ -6,3 +6,13 @@ DOMAIN=maubot.example.com
|
||||
#EXTRA_DOMAINS=', `www.maubot.example.com`'
|
||||
|
||||
LETS_ENCRYPT_ENV=production
|
||||
|
||||
HOMESERVER_HOST=matrix.org
|
||||
# Client-server API URL
|
||||
HOMESERVER_URL=https://matrix-client.matrix.org
|
||||
|
||||
ADMIN_USER_NAME=admin
|
||||
|
||||
## Secrets
|
||||
SECRET_ADMIN_PASSWORD_VERSION=v1
|
||||
SECRET_HOMESERVER_REGISTRATION_VERSION=v1
|
||||
44
README.md
44
README.md
@ -1,12 +1,12 @@
|
||||
# maubot
|
||||
|
||||
> One line description of the recipe
|
||||
> deploy's an instance of the maubot-plugin-system for a matrix home server
|
||||
|
||||
<!-- metadata -->
|
||||
|
||||
* **Category**: Apps
|
||||
* **Status**: 0
|
||||
* **Image**: [`maubot`](https://hub.docker.com/r/maubot), 4, upstream
|
||||
* **Image**: [`maubot`](https://mau.dev/maubot/maubot/container_registry), 4, upstream
|
||||
* **Healthcheck**: No
|
||||
* **Backups**: No
|
||||
* **Email**: No
|
||||
@ -17,8 +17,42 @@
|
||||
|
||||
## Quick start
|
||||
|
||||
* `abra app new maubot --secrets`
|
||||
* `abra app config <app-name>`
|
||||
* `abra app new maubot`
|
||||
* `abra app config maubot`
|
||||
* `abra app secret insert <app-name> homeserver_registration v1 "your-homeserver-shared-registration-secret"`
|
||||
* `abra app secret generate <app-name> -a`
|
||||
* `abra app deploy <app-name>`
|
||||
|
||||
For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
|
||||
## Usage
|
||||
You can use maubot...
|
||||
|
||||
### via the web interface
|
||||
After deployment head to: `$DOMAIN/_matrix/maubot/` and login with your admin-user and password
|
||||
|
||||
### via the cli
|
||||
Bot users and plugins can be most easily be uploaded via cli.
|
||||
|
||||
General info on the cli: https://docs.mau.fi/maubot/usage/cli/index.html
|
||||
|
||||
You can install the cli locally or access it in the container:
|
||||
|
||||
`abra app run $DOMAIN app sh`
|
||||
|
||||
### Deploy a plugin and create a bot user via abra scripts
|
||||
Furthermore there are two useful scripts:
|
||||
|
||||
### 1. deploy plugin from git repro
|
||||
Most existing plugins are on github. Here you find links to the repos: https://plugins.mau.bot/ .
|
||||
To deploy it simply copy the URL to the ZIP of the repo (e.g. `https://github.com/maubot/reminder/archive/refs/heads/master.zip`) and then:
|
||||
|
||||
`abra app cmd maubot.dev.local-it.cloud app deploy_plugin <DOMAIN_OF_REPO_ZIP>`
|
||||
|
||||
### 2. assign an (existing) user as bot user via ssh
|
||||
`abra app cmd -C maubot.dev.local-it.cloud app assign_bot_user_via_sso`
|
||||
|
||||
This will show an url to sign in via ssh. After sso-login the user will be a bot user in maubot.
|
||||
|
||||
Now you are ready to go to create an instance (i.e. a plugin connected to a bot user) via web interface.
|
||||
|
||||
## More
|
||||
For more, see official documentation of maubot [`docs.mau.fi/maubot`](https://docs.mau.fi/maubot/).
|
||||
|
||||
16
abra.sh
Normal file
16
abra.sh
Normal file
@ -0,0 +1,16 @@
|
||||
export MAUBOT_CONFIG_VERSION=v4
|
||||
|
||||
# takes an url to the ZIP of a GITHUB-repo as (e.g. https://github.com/maubot/reminder/archive/refs/heads/master.zip)
|
||||
deploy_plugin () {
|
||||
rm -rf /tmp/maubot-plugin*
|
||||
wget -O /tmp/maubot-plugin.zip "$1" && unzip /tmp/maubot-plugin.zip -d /tmp/maubot-plugin
|
||||
mbc login -u $ADMIN_USER_NAME -p $(cat /run/secrets/admin_password) -s https://$DOMAIN -a $DOMAIN
|
||||
cd /tmp/maubot-plugin
|
||||
mv -- "$(ls -A | head -n1)" extracted
|
||||
mbc build -u /tmp/maubot-plugin/extracted
|
||||
}
|
||||
|
||||
assign_bot_user_via_sso () {
|
||||
mbc login -u $ADMIN_USER_NAME -p $(cat /run/secrets/admin_password) -s https://$DOMAIN -a $DOMAIN
|
||||
mbc auth -h $HOMESERVER_HOST --update-client --sso
|
||||
}
|
||||
47
compose.yml
47
compose.yml
@ -2,18 +2,30 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
maubot:
|
||||
app:
|
||||
image: dock.mau.dev/maubot/maubot:latest
|
||||
environment:
|
||||
- HOMESERVER_HOST
|
||||
- HOMESERVER_URL
|
||||
- ADMIN_USER_NAME
|
||||
|
||||
secrets:
|
||||
- admin_password
|
||||
- homeserver_registration
|
||||
|
||||
volumes:
|
||||
- ./data:/data:z
|
||||
- maubot_data:/data:rw
|
||||
networks:
|
||||
- proxy
|
||||
configs:
|
||||
- source: maubot_config
|
||||
target: /data/config.yaml
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
|
||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=29316"
|
||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
|
||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
@ -22,13 +34,30 @@ services:
|
||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
- "coop-cloud.${STACK_NAME}.version="
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-f", "http://localhost"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 10
|
||||
start_period: 1m
|
||||
#healthcheck:
|
||||
#test: ["CMD", "curl", "-f", "http://localhost"]
|
||||
#interval: 30s
|
||||
#timeout: 10s
|
||||
#retries: 10
|
||||
#start_period: 1m
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
external: true
|
||||
|
||||
configs:
|
||||
maubot_config:
|
||||
name: ${STACK_NAME}_config_yaml_${MAUBOT_CONFIG_VERSION}
|
||||
file: config.yaml.tmpl
|
||||
template_driver: golang
|
||||
|
||||
volumes:
|
||||
maubot_data:
|
||||
|
||||
secrets:
|
||||
admin_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
|
||||
homeserver_registration:
|
||||
external: true
|
||||
name: ${STACK_NAME}_homeserver_registration_${SECRET_HOMESERVER_REGISTRATION_VERSION}
|
||||
123
config.yaml.tmpl
Normal file
123
config.yaml.tmpl
Normal file
@ -0,0 +1,123 @@
|
||||
# The full URI to the database. SQLite and Postgres are fully supported.
|
||||
# Other DBMSes supported by SQLAlchemy may or may not work.
|
||||
# Format examples:
|
||||
# SQLite: sqlite:filename.db
|
||||
# Postgres: postgresql://username:password@hostname/dbname
|
||||
database: sqlite:/data/maubot.db
|
||||
# Separate database URL for the crypto database. "default" means use the same database as above.
|
||||
crypto_database: default
|
||||
# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
|
||||
# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
|
||||
# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
|
||||
# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
|
||||
database_opts:
|
||||
min_size: 1
|
||||
max_size: 10
|
||||
# Configuration for storing plugin .mbp files
|
||||
plugin_directories:
|
||||
# The directory where uploaded new plugins should be stored.
|
||||
upload: /data/plugins
|
||||
# The directories from which plugins should be loaded.
|
||||
# Duplicate plugin IDs will be moved to the trash.
|
||||
load:
|
||||
- /data/plugins
|
||||
# The directory where old plugin versions and conflicting plugins should be moved.
|
||||
# Set to "delete" to delete files immediately.
|
||||
trash: /data/trash
|
||||
# Configuration for storing plugin databases
|
||||
plugin_databases:
|
||||
# The directory where SQLite plugin databases should be stored.
|
||||
sqlite: /data/dbs
|
||||
# The connection URL for plugin databases. If null, all plugins will get SQLite databases.
|
||||
# If set, plugins using the new asyncpg interface will get a Postgres connection instead.
|
||||
# Plugins using the legacy SQLAlchemy interface will always get a SQLite connection.
|
||||
#
|
||||
# To use the same connection pool as the default database, set to "default"
|
||||
# (the default database above must be postgres to do this).
|
||||
#
|
||||
# When enabled, maubot will create separate Postgres schemas in the database for each plugin.
|
||||
# To view schemas in psql, use `\dn`. To view enter and interact with a specific schema,
|
||||
# use `SET search_path = name` (where `name` is the name found with `\dn`) and then use normal
|
||||
# SQL queries/psql commands.
|
||||
postgres: null
|
||||
# Maximum number of connections per plugin instance.
|
||||
postgres_max_conns_per_plugin: 3
|
||||
# Overrides for the default database_opts when using a non-"default" postgres connection string.
|
||||
postgres_opts: {}
|
||||
server:
|
||||
# The IP and port to listen to.
|
||||
hostname: 0.0.0.0
|
||||
port: 29316
|
||||
# Public base URL where the server is visible.
|
||||
public_url: https://{{ env "DOMAIN" }}
|
||||
# The base path for the UI.
|
||||
ui_base_path: /_matrix/maubot
|
||||
# The base path for plugin endpoints. The instance ID will be appended directly.
|
||||
plugin_base_path: /_matrix/maubot/plugin/
|
||||
# Override path from where to load UI resources.
|
||||
# Set to false to using pkg_resources to find the path.
|
||||
override_resource_path: /opt/maubot/frontend
|
||||
# The shared secret to sign API access tokens.
|
||||
# Set to "generate" to generate and save a new token at startup.
|
||||
unshared_secret: generate
|
||||
# Known homeservers. This is required for the `mbc auth` command and also allows
|
||||
# more convenient access from the management UI. This is not required to create
|
||||
# clients in the management UI, since you can also just type the homeserver URL
|
||||
# into the box there.
|
||||
homeservers:
|
||||
{{ env "HOMESERVER_HOST" }}:
|
||||
# Client-server API URL
|
||||
url: {{ env "HOMESERVER_URL" }}
|
||||
# registration_shared_secret from synapse config
|
||||
# You can leave this empty if you don't have access to the homeserver.
|
||||
# When this is empty, `mbc auth --register` won't work, but `mbc auth` (login) will.
|
||||
secret: {{ secret "homeserver_registration" }}
|
||||
# List of administrator users. Plaintext passwords will be bcrypted on startup. Set empty password
|
||||
# to prevent normal login. Root is a special user that can't have a password and will always exist.
|
||||
admins:
|
||||
root: ""
|
||||
{{ env "ADMIN_USER_NAME" }}: {{ secret "admin_password" }}
|
||||
# API feature switches.
|
||||
api_features:
|
||||
login: true
|
||||
plugin: true
|
||||
plugin_upload: true
|
||||
instance: true
|
||||
instance_database: true
|
||||
client: true
|
||||
client_proxy: true
|
||||
client_auth: true
|
||||
dev_open: true
|
||||
log: true
|
||||
# Python logging configuration.
|
||||
#
|
||||
# See section 16.7.2 of the Python documentation for more info:
|
||||
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
|
||||
logging:
|
||||
version: 1
|
||||
formatters:
|
||||
colored:
|
||||
(): maubot.lib.color_log.ColorFormatter
|
||||
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
|
||||
normal:
|
||||
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
|
||||
handlers:
|
||||
file:
|
||||
class: logging.handlers.RotatingFileHandler
|
||||
formatter: normal
|
||||
filename: /var/log/maubot.log
|
||||
maxBytes: 10485760
|
||||
backupCount: 10
|
||||
console:
|
||||
class: logging.StreamHandler
|
||||
formatter: colored
|
||||
loggers:
|
||||
maubot:
|
||||
level: DEBUG
|
||||
mau:
|
||||
level: DEBUG
|
||||
aiohttp:
|
||||
level: INFO
|
||||
root:
|
||||
level: DEBUG
|
||||
handlers: [file, console]
|
||||
Loading…
x
Reference in New Issue
Block a user