diff --git a/.env.example b/.env.example new file mode 100644 index 0000000..e98cc4a --- /dev/null +++ b/.env.example @@ -0,0 +1,3 @@ +TUNNEL_TOKEN= +PG_PASSWORD=_PG_PASSWORD_ +DOMAIN_NAME=example.org diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3cc6302 --- /dev/null +++ b/.gitignore @@ -0,0 +1,21 @@ +/pantalaimon +/.env +/data/pantalaimon/pan.db +/data/postgres +/data/synapse/media_store +/data/synapse/signing.key +/data/synapse/media_store +/data/signald/** +/data/bridges/**/*-mautrix.db* +/data/bridges/steam/database.db +/data/bridges/discord/registration.yaml +/data/bridges/facebook/registration.yaml +/data/bridges/gmessages/registration.yaml +/data/bridges/googlechat/registration.yaml +/data/bridges/instagram/registration.yaml +/data/bridges/linkedin/registration.yaml +/data/bridges/signal/registration.yaml +/data/bridges/slack/registration.yaml +/data/bridges/telegram/registration.yaml +/data/bridges/twitter/registration.yaml +/data/bridges/whatsapp/registration.yaml diff --git a/README.md b/README.md index 6c974bd..1d0cfdc 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,199 @@ -# matrix-compose \ No newline at end of file +# matrix-compose + +## What is it? + +matrix-compose is a collection of scripts and config files intended to make setting up and configuring a small/personal [Matrix](https://matrix.org/) homeserver easier. + + +Included in the docker-compose services are, along with a working homeserver (Synapse) setup, various social media bridges (Discord, Facebook, Google Messages, Google Chat, Instagram, LinkedIn, Signal, Slack, Steam, Telegram, Twitter, WhatsApp), as well as utilitarian bots such as [Hookshot](https://github.com/matrix-org/matrix-hookshot) and [Draupnir](https://github.com/the-draupnir-project/Draupnir) + +## Motivation and goals of this project + +As someone with very basic docker-compose experience who wanted to get into the matrix "ecosystem", I found it difficult to find such easy setups such as this available. + +For this reason (and because constructing my own docker-compose with ~35 services for my own HS took weeks), I wanted to provide a slightly easier way to selfhost your own Matrix HS without needing a sysadmin bachelor's degree. + + +The goals of matrix-compose are not to be a full-fledged and perfect production HS, but more-so a personal, small HS that people can experiment with, and learn about the matrix ecosystem with. + +**If you are trying to host a production-grade large matrix HS, this is the wrong place!** + + + +# Setup Guide + +## Pre-requisites + +* A Linux Server with at least 10Gb free disk space and ~2Gb RAM +> Resource usage will mostly depend on your usage + +* A available domain behind a reverse proxy such as Cloudflare + +* Linux, Docker, Docker-Compose and Git experience or willingless to google issues that arise + + + +## Getting everything ready + + +### Dependencies + +You need to install all the relevant tooling for the setup process, though the bulk of the services run on Docker, your host requires some setup. 
+ +install git, openssl, dig, curl +```sh +sudo apt-get update +sudo apt-get install -y openssl dig curl git +``` + +### Setup DNS and Routing + +Before you proceed, it's best to decide how your DNS/Reverse Proxying will connect to your matrix HS. + +matrix-compose was designed to be put behind a reverse proxy and will NOT be secure at all if not behind one. + +[Cloudflare Tunnels](https://www.cloudflare.com/products/tunnel/) are recommended and supported for high flexibility and security environments. + +#### Cloudflare Tunnels + +If using Cloudflare Tunnels, simply create a new tunnel, copy the token shown on the "Install Connector" page and save it for later. + +Add a single public hostname of `HTTPS://` `nginx:443` for the URL you are configuring your matrix HS to be available at. + +__**Make sure to enable "No TLS Verify" on the tunnel settings**__ (or replace the self-signed generated certs at the end of the setup with Cloudflare Certs), otherwise the tunnel will refuse to connect to your Nginx backend. + +#### DNS Records + +Set the following DNS records on your domain's DNS management dashboard: + +* **A** `example.org.` - ipv4 (if not using tunnels) + +* **A** `turn.example.org.` - your server's IPv4 address (for VoIP) + +* **AAAA** `turn.example.org.` - your server's IPv6 address (for VoIP) + + + + +## Installation + +### Clone the repo + +```sh +git clone https://github.com/metal0/matrix-compose.git +``` + +### Install Docker Engine (and Docker Compose) + + +Refer to the following guide on how to install these for your OS/Distro: +[https://docs.docker.com/engine/install/#server] + +__Make sure to test your docker installation as mentioned in the guides before proceeding!__ + +### Setup Env Variables + +Copy the `.env` file +```sh +cp .env.example .env +``` + + +Then edit it with your favorite text editor, making sure to ONLY filling in `DOMAIN_NAME` (and `TUNNEL_TOKEN` if using Cloudflare Tunnels). 
+```bash +nano .env +``` + +### Run the Initialization Script + +Finally, you need to run the initialization script `init.sh` which will setup everything else for you automatically. + + +```bash +chmod +x init.sh && ./init.sh +``` + +This will take several minutes to run and fully setup all services, don't panic. + +> [!INFO] +> Some bridges and bots require additional setup post-install, refer to the guides below after everything is functional + + + +## Firewalling + +> Ports: +### Nginx + +Nginx needs only port `443` allowed (if not using cloudflare tunnels) + +### Eturnal (VoIP) + +If you wish to use VoIP with Eturnal, you will need to allow the following ports: +> `3478` +> `5349` +> `49152-65535` +In addition, you should add your server's IPv6 address to `/data/eturnal/eturnal.yml`, and verify that VoIP is working using a tool such as [https://test.voip.librepush.net/] + + +## Customizing the Web Client + +In order to customize the web-client to your liking, please refer to [Element Web's Documentation](https://github.com/vector-im/element-web/blob/develop/docs/config.md). +(Relevant config file is @ `/data/web-client/web-client.config.json`) + +## Synapse Configuration + +Synapse's config is found @ `/data/synapse/config.yaml` + +### Enabling Public Registration + +In order to safely enable public registration you will likely want to add either recaptcha or email verification (to prevent abuse). + +> [!WARN] +> The Mautrix bridges are not configured for a multi-user setup (though they will allow anyone registered on your HS to use them) +> For this reason it's highly recommended to review your Mautrix bridge bots' configuration before enabling public registration + + +## Bot Setup + +### Draupnir + + +Create a management room for Draupnir, make sure it's set to invite-only. 
(As anyone who joins the room can use the bot) +Give it the local alias `#draupnir` +Invite the bot to the room (`@draupnir:example.org`) +Restart the draupnir docker container `docker restart draupnir` +You should see it join the room! +[Quick-start guide](https://github.com/the-draupnir-project/Draupnir#quickstart-guide) + + +### Hookshot + + +Only Generic Webhooks and RSS/Atom feeds are configured and enabled by default +Bot: `@hookshot:example.org` + +Check [hookshot documentation](https://matrix-org.github.io/matrix-hookshot/latest/hookshot.html) for usage/configuration guides. + + +### Bridges + +Check the [mautrix bridge docs](https://docs.mau.fi/bridges/) to learn how to use & configure each mautrix bridge + + +#### Telegram Bridge + +Create API keys at https://my.telegram.org/apps and optionally create a bot account for relaying at https://t.me/BotFather +Input the respective values @ `data/bridges/telegram/config.yaml` (`telegram.api_id`, `telegram.api_hash`, `telegram.bot_token`) + +If using the bot relay, also add yourself to the `relaybot.whitelist` array in the config file. + +After configuring, uncomment the line on synapse's config `app_service_config_files` relevant to the telegram registration file. + + + + + +#### Guide TBD + +increase unix file handles diff --git a/data/bridges/discord/config.yaml b/data/bridges/discord/config.yaml new file mode 100644 index 0000000..7716c3e --- /dev/null +++ b/data/bridges/discord/config.yaml 
@@ -0,0 +1,349 @@ +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # Publicly accessible base URL for media, used for avatars in relay mode. + # If not set, the connection address above will be used. + public_address: https://example.org + # The domain of the homeserver (also known as server_name, used for MXIDs, etc). + domain: example.org + + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's discord connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246? + async_media: false + # Should the bridge use a websocket for connecting to the homeserver? + # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy, + # mautrix-asmux (deprecated), and hungryserv (proprietary). + websocket: false + # How often should the websocket be pinged? Pinging will be disabled if this is zero. + ping_interval_seconds: 0 + +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://mautrix-discord:80 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + + # Database config. + database: + # The database type. "sqlite3-fk-wal" and "postgres" are supported. + type: sqlite3-fk-wal + # The database URI. 
+ # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended. + # https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable + # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql + uri: file:discord-mautrix.db?_txlock=immediate + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + # Maximum connection idle time and lifetime before they're closed. Disabled if null. + # Parsed with https://pkg.go.dev/time#ParseDuration + max_conn_idle_time: null + max_conn_lifetime: null + + # The unique ID of this appservice. + id: discord + # Appservice bot details. + bot: + # Username of the appservice bot. + username: mautrix-discordbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: Discord + avatar: mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + ephemeral_events: true + # Should incoming events be handled asynchronously? + # This may be necessary for large public instances with lots of messages going through. + # However, messages will not be guaranteed to be bridged in the same order they were sent in. + async_transactions: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + +# Bridge config +bridge: + # Localpart template of MXIDs for Discord users. + # {{.}} is replaced with the internal ID of the Discord user. + username_template: discord_{{.}} + # Displayname template for Discord users. 
This is also used as the room name in DMs if private_chat_portal_meta is enabled. + # Available variables: + # .ID - Internal user ID + # .Username - Legacy display/username on Discord + # .GlobalName - New displayname on Discord + # .Discriminator - The 4 numbers after the name on Discord + # .Bot - Whether the user is a bot + # .System - Whether the user is an official system user + # .Webhook - Whether the user is a webhook and is not an application + # .Application - Whether the user is an application + displayname_template: '{{or .GlobalName .Username}}{{if .Webhook}} (webhook){{end}}{{if .Bot}} (bot){{else}} (Disc){{end}}' + # Displayname template for Discord channels (bridged as rooms, or spaces when type=4). + # Available variables: + # .Name - Channel name, or user displayname (pre-formatted with displayname_template) in DMs. + # .ParentName - Parent channel name (used for categories). + # .GuildName - Guild name. + # .NSFW - Whether the channel is marked as NSFW. + # .Type - Channel type (see values at https://github.com/bwmarrin/discordgo/blob/v0.25.0/structs.go#L251-L267) + channel_name_template: '{{if or (eq .Type 3) (eq .Type 4)}}{{.Name}}{{else}}#{{.Name}}{{end}}{{if or eq (eq .Type 3) (eq .Type 1)}} (Disc){{end}}' + # Displayname template for Discord guilds (bridged as spaces). + # Available variables: + # .Name - Guild name + guild_name_template: '{{.Name}}' + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + portal_message_buffer: 128 + # Number of private channel portals to create on bridge startup. + # Other portals will be created when receiving messages. 
+ startup_private_channel_create_limit: 5 + # Should the bridge send a read receipt from the bridge bot when a message has been sent to Discord? + delivery_receipts: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether the bridge should send error notices via m.notice events when a message fails to bridge. + message_error_notices: true + # Should the bridge use space-restricted join rules instead of invite-only for guild rooms? + # This can avoid unnecessary invite events in guild rooms when members are synced in. + restricted_rooms: true + # Should the bridge automatically join the user to threads on Discord when the thread is opened on Matrix? + # This only works with clients that support thread read receipts (MSC3771 added in Matrix v1.4). + autojoin_thread_on_open: true + # Should inline fields in Discord embeds be bridged as HTML tables to Matrix? + # Tables aren't supported in all clients, but are the only way to emulate the Discord inline field UI. + embed_fields_as_tables: true + # Should guild channels be muted when the portal is created? This only meant for single-user instances, + # it won't mute it for all users if there are multiple Matrix users in the same Discord guild. + mute_channels_on_create: true + # Should the bridge update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: true + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, except if the config file is not writable. + resend_bridge_info: false + # Should incoming custom emoji reactions be bridged as mxc:// URIs? 
+ # If set to false, custom emoji reactions will be bridged as the shortcode instead, and the image won't be available. + custom_emoji_reactions: true + # Should the bridge attempt to completely delete portal rooms when a channel is deleted on Discord? + # If true, the bridge will try to kick Matrix users from the room. Otherwise, the bridge only makes ghosts leave. + delete_portal_on_channel_delete: true + # Should the bridge delete all portal rooms when you leave a guild on Discord? + # This only applies if the guild has no other Matrix users on this bridge instance. + delete_guild_on_leave: true + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Prefix messages from webhooks with the profile info? This can be used along with a custom displayname_template + # to better handle webhooks that change their name all the time (like ones used by bridges). + prefix_webhook_messages: true + # Bridge webhook avatars? + enable_webhook_avatars: true + # Should the bridge upload media to the Discord CDN directly before sending the message when using a user token, + # like the official client does? The other option is sending the media in the message send request as a form part + # (which is always used by bots and webhooks). + use_discord_cdn_upload: true + # Should mxc uris copied from Discord be cached? + # This can be `never` to never cache, `unencrypted` to only cache unencrypted mxc uris, or `always` to cache everything. + # If you have a media repo that generates non-unique mxc uris, you should set this to never. + cache_media: unencrypted + # Patterns for converting Discord media to custom mxc:// URIs instead of reuploading. + # Each of the patterns can be set to null to disable custom URIs for that type of media. 
+ # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html + media_patterns: + # Should custom mxc:// URIs be used instead of reuploading media? + enabled: false + # Pattern for normal message attachments. + attachments: mxc://discord-media.mau.dev/attachments|{{.ChannelID}}|{{.AttachmentID}}|{{.FileName}} + # Pattern for custom emojis. + emojis: mxc://discord-media.mau.dev/emojis|{{.ID}}.{{.Ext}} + # Pattern for stickers. Note that animated lottie stickers will not be converted if this is enabled. + stickers: mxc://discord-media.mau.dev/stickers|{{.ID}}.{{.Ext}} + # Pattern for static user avatars. + avatars: mxc://discord-media.mau.dev/avatars|{{.UserID}}|{{.AvatarID}}.{{.Ext}} + # Settings for converting animated stickers. + animated_sticker: + # Format to which animated stickers should be converted. + # disable - No conversion, send as-is (lottie JSON) + # png - converts to non-animated png (fastest) + # gif - converts to animated gif + # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support + # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support + target: webp + # Arguments for converter. All converters take width and height. + args: + width: 320 + height: 320 + fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended) + # Servers to always allow double puppeting from + double_puppet_server_map: + example.org: https://example.org + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: true + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, double puppeting will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. +# login_shared_secret_map: +# example.org: foobar + + # The prefix for commands. Only required in non-management rooms. 
+ command_prefix: '!discord' + + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Discord bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `login` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + # Settings for backfilling messages. + backfill: + # Limits for forward backfilling. + forward_limits: + # Initial backfill (when creating portal). 0 means backfill is disabled. + # A special unlimited value is not supported, you must set a limit. Initial backfill will + # fetch all messages first before backfilling anything, so high limits can take a lot of time. + initial: + dm: 100 + channel: 100 + thread: 100 + # Missed message backfill (on startup). + # 0 means backfill is disabled, -1 means fetch all messages since last bridged message. + # When using unlimited backfill (-1), messages are backfilled as they are fetched. + # With limits, all messages up to the limit are fetched first and backfilled afterwards. + missed: + dm: 2000 + channel: 1000 + thread: 10 + # Maximum members in a guild to enable backfilling. Set to -1 to disable limit. + # This can be used as a rough heuristic to disable backfilling in channels that are too active. + # Currently only applies to missed message backfill. + max_guild_members: 1000 + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. 
+ encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: true + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: true + # Should users mentions be in the event wire content to enable the server to send push notifications? + plaintext_mentions: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: true + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: true + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: true + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: false + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. 
+ delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix. + receive: cross-signed-untrusted + # Minimum level that the bridge should accept for incoming Matrix messages. + send: cross-signed-untrusted + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + # Disable rotating keys when a user's devices change? 
+ # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Settings for provisioning API + provisioning: + # Prefix for the provisioning API paths. + prefix: /_matrix/provision + # Shared secret for authentication. If set to "generate", a random secret will be generated, + # or if set to "disable", the provisioning API will be disabled. + shared_secret: generate + + # Permissions for using the bridge. + # Permitted values: + # relay - Talk through the relaybot (if enabled), no access otherwise + # user - Access to use the bridge to chat with a Discord account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": relay + "example.org": user + "@admin:example.org": admin + +# Logging config. See https://github.com/tulir/zeroconfig for details. +logging: + min_level: info + writers: + - type: stdout + format: pretty-colored diff --git a/data/bridges/facebook/config.yaml b/data/bridges/facebook/config.yaml new file mode 100644 index 0000000..97cd5fb --- /dev/null +++ b/data/bridges/facebook/config.yaml 
@@ -0,0 +1,433 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # The domain of the homeserver (for MXIDs, etc). + domain: example.org + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Facebook MQTT connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: + # Whether asynchronous uploads via MSC2246 should be enabled for media. + # Requires a media repo that supports MSC2246. + async_media: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://mautrix-facebook:80 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are supported. 
+ # Format examples: + # SQLite: sqlite:filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:gmessages-mautrix.db + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. + # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs). + database_opts: + min_size: 1 + max_size: 10 + public: + # Whether or not the public-facing endpoints should be enabled. + enabled: false + # The prefix to use in the public-facing endpoints. + prefix: /public + # The base URL where the public-facing endpoints are available. The prefix is not added + # implicitly. + external: https://example.org/public + # Shared secret for integration managers such as mautrix-manager. + # If set to "generate", a random string will be generated on the next startup. + # If null, integration manager access to the API will not be possible. + shared_secret: generate + # Allow logging in within Matrix. If false, users can only log in using the web interface. + allow_matrix_login: true + + # The unique ID of this appservice. + id: mautrix-facebook + # Username of the appservice bot. + bot_username: mautrix-facebookbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Facebook + bot_avatar: mxc://i0.tf/QZKSDNRXdjUXkczSoKdNJsyR + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: true + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. 
+ as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + +# Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors. +analytics: + # Hostname of the tracking server. The path is hardcoded to /v1/track + host: api.segment.io + # API key to send with tracking requests. Tracking is disabled if this is null. + token: + # Optional user ID for tracking events. If null, defaults to using Matrix user ID. + user_id: + +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-facebook.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 +bridge: + # Localpart template of MXIDs for Facebook users. + # {userid} is replaced with the user ID of the Facebook user. + username_template: facebook_{userid} + # Displayname template for Facebook users. + # {displayname} is replaced with the display name of the Facebook user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{displayname} (FB)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + - first_name + command_prefix: '!fb' + + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. 
+ invite_own_puppet_to_pm: true + # Whether or not to use /sync to get presence, read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: false + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: true + # Servers to always allow double puppeting from + double_puppet_server_map: + example.org: https://example.org + double_puppet_allow_discovery: true + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + #login_shared_secret_map: + # example.org: foobar + presence_from_facebook: true + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Facebook. + delivery_receipts: true + # Whether or not delivery errors should be reported as messages in the Matrix room. + delivery_error_reports: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether to allow inviting arbitrary mxids to portal rooms + allow_invites: false + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Settings for backfilling messages from Facebook. + backfill: + # Allow backfilling at all? + enable: true + # Use MSC2716 for backfilling? 
If this is disabled, backfilling only happens when syncing threads, + # and the incremental settings below don't apply. + # + # This requires a server with MSC2716 support, which is currently an experimental feature in Synapse. + # It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml. + msc2716: false + # Use double puppets for backfilling? + # + # If using MSC2716, the double puppets must be in the appservice's user ID namespace + # (because the bridge can't use the double puppet access token with batch sending). + # + # Even without MSC2716, bridging old messages with correct timestamps requires the double + # puppets to be in an appservice namespace, or the server to be modified to allow + # overriding timestamps anyway. + double_puppet_backfill: false + # The maximum number of conversations that should be synced. + # Other conversations will be backfilled on demand when the start PM + # provisioning endpoint is used or when a message comes in from that + # chat. + # If set to -1, all conversations will by synced. + max_conversations: 10 + # The minimum amount of time to wait between syncing each thread. This + # helps avoid situations where you sync too quickly. + min_sync_thread_delay: 5 + # If this value is greater than 0, then if the conversation's last + # message was more than this number of hours ago, then the conversation + # will automatically be marked it as read. + # Conversations that have a last message that is less than this number + # of hours ago will have their unread status synced from Facebook. + unread_hours_threshold: 0 + + # Settings for how quickly to backoff when rate-limits are encountered + # while backfilling. + backoff: + # How many seconds to wait after getting rate limited during a + # thread list fetch. + thread_list: 300 + # How many seconds to wait after getting rate limited during a + # message history fetch. + message_history: 300 + + # Settings for backfills. 
+ # + # During initial/incremental sync, the entirety of the thread that is + # available will be backfilled. For example, on initial sync, about 20 + # messages are included for each thread in the thread list returned by + # the server. After that, incremental backfills will be run for each of + # the portals in a round-robin fashion until all portals have been + # backfilled as configured below. + incremental: + # The maximum number of pages to backfill per batch. + max_pages: 10 + # The maximum number of total pages to backfill per portal. + # If set to -1, infinite pages will be synced. + max_total_pages: -1 + # The number of seconds to wait between backfilling each page. + page_delay: 5 + # The number of seconds to wait after backfilling the batch of + # messages. + post_batch_delay: 20 + + periodic_reconnect: + # Interval in seconds in which to automatically reconnect all users. + # This can be used to automatically mitigate the bug where Facebook stops sending messages. + # Set to -1 to disable periodic reconnections entirely. + # Set to a list of two items to randomize the interval (min, max). + interval: -1 + # What to do in periodic reconnects. Either "refresh" or "reconnect" + mode: refresh + # Should even disconnected users be reconnected? + always: false + # Only reconnect if the user has been connected for longer than this value + min_connected_time: 0 + # The number of seconds that a disconnection can last without triggering an automatic re-sync + # and missed message backfilling when reconnecting. + # Set to 0 to always re-sync, or -1 to never re-sync automatically. + resync_max_disconnected_time: 5 + # The maximum number of conversations that should be synced when we get a + # message sync error. In general, 1 page (20) is sufficient. + max_startup_thread_sync_count: 20 + # Whether or not temporary disconnections should send notices to the notice room. 
+ # If this is false, disconnections will never send messages and connections will only send + # messages if it was disconnected for more than resync_max_disconnected_time seconds. + temporary_disconnect_notices: true + # Disable bridge notices entirely + disable_bridge_notices: false + # Should Matrix m.notice-type messages be bridged to Facebook? + bridge_matrix_notices: false + on_reconnection_fail: + # What to do if a reconnection attempt fails? Options: reconnect, refresh, null + action: reconnect + # Seconds to wait before attempting to refresh the connection, set a list of two items to + # to randomize the interval (min, max). + wait_for: 0 + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + # When using double puppeting, should muted chats be muted in Matrix? + mute_bridging: true + # Whether or not mute status and tags should only be bridged when the portal room is created. + tag_only_on_create: true + # If set to true, downloading media from the CDN will use a plain aiohttp client without the usual headers or + # other configuration. This may be useful if you don't want to use the default proxy for large files. + sandbox_media_download: false + # URL to call to retrieve a proxy URL from (defaults to the http_proxy environment variable). + get_proxy_api_url: + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Disable generating reply fallbacks? 
Some extremely bad clients still rely on them, + # but they're being phased out and will be completely removed in the future. + disable_reply_fallbacks: false + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: true + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: true + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: true + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: true + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. 
+ periodically_delete_expired: true + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix. + receive: cross-signed-untrusted + # Minimum level that the bridge should accept for incoming Matrix messages. + send: cross-signed-untrusted + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. 
+ milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Permissions for using the bridge. + # Permitted values: + # relay - Allowed to be relayed through the bridge, no access to commands. + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": relay + "example.org": user + "@admin:example.org": admin + relay: + # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any + # authenticated user into a relaybot for that chat. + enabled: true + # The formats to use when sending messages to Messenger via a relay user. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.org) + # $message - The message content + message_formats: + m.text: '$sender_displayname: $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' + m.file: $sender_displayname sent a file + m.image: $sender_displayname sent an image + m.audio: $sender_displayname sent an audio file + m.video: $sender_displayname sent a video + m.location: $sender_displayname sent a location + +facebook: + device_seed: generate + default_region_hint: ODN + connection_type: WIFI + carrier: Verizon + hni: 311390 + + mqtt_keepalive: 60 + +# Python logging configuration. 
+# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_facebook.util.ColorFormatter + format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s' + normal: + format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s' + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + maufbapi: + level: DEBUG + paho: + level: INFO + aiohttp: + level: INFO + root: + level: WARN + handlers: [console] diff --git a/data/bridges/gmessages/config.yaml b/data/bridges/gmessages/config.yaml new file mode 100644 index 0000000..6ba555d --- /dev/null +++ b/data/bridges/gmessages/config.yaml 
@@ -0,0 +1,289 @@ +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # The domain of the homeserver (also known as server_name, used for MXIDs, etc). + domain: example.org + + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's google messages connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246? + async_media: false + # Should the bridge use a websocket for connecting to the homeserver? + # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy, + # mautrix-asmux (deprecated), and hungryserv (proprietary). + websocket: false + # How often should the websocket be pinged? Pinging will be disabled if this is zero. + ping_interval_seconds: 0 + +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://mautrix-gmessages:80 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + + # Database config. + database: + # The database type. "sqlite3-fk-wal" and "postgres" are supported. + type: sqlite3-fk-wal + # The database URI. + # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended. + # https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. 
For example, postgres://user:password@host/database?sslmode=disable + # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql + uri: file:gmessages-mautrix.db?_txlock=immediate + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + # Maximum connection idle time and lifetime before they're closed. Disabled if null. + # Parsed with https://pkg.go.dev/time#ParseDuration + max_conn_idle_time: null + max_conn_lifetime: null + + # The unique ID of this appservice. + id: gmessages + # Appservice bot details. + bot: + # Username of the appservice bot. + username: mautrix-gmessagesbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: Google Messages + avatar: mxc://maunium.net/yGOdcrJcwqARZqdzbfuxfhzb + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + ephemeral_events: true + # Should incoming events be handled asynchronously? + # This may be necessary for large public instances with lots of messages going through. + # However, messages will not be guaranteed to be bridged in the same order they were sent in. + async_transactions: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + +# Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors. +analytics: + # Hostname of the tracking server. The path is hardcoded to /v1/track + host: api.segment.io + # API key to send with tracking requests. Tracking is disabled if this is null. + token: null + # Optional user ID for tracking events. If null, defaults to using Matrix user ID. 
+ user_id: null + +google_messages: + # OS name to tell the phone. This is the name that shows up in the paired devices list. + os: mautrix-gmessages + # Browser type to tell the phone. This decides which icon is shown. + # Valid types: OTHER, CHROME, FIREFOX, SAFARI, OPERA, IE, EDGE + browser: OTHER + # Device type to tell the phone. This also affects the icon, as well as how many sessions are allowed simultaneously. + # One web, two tablets and one PWA should be able to connect at the same time. + # Valid types: WEB, TABLET, PWA + device: TABLET + # Should the bridge aggressively set itself as the active device if the user opens Google Messages in a browser? + # If this is disabled, the user must manually use the `set-active` command to reactivate the bridge. + aggressive_reconnect: false + +# Bridge config +bridge: + # Localpart template of MXIDs for SMS users. + # {{.}} is replaced with an identifier of the recipient. + username_template: gmessages_{{.}} + # Displayname template for SMS users. + # {{.FullName}} - Full name provided by the phone + # {{.FirstName}} - First name provided by the phone + # {{.PhoneNumber}} - Formatted phone number provided by the phone + displayname_template: "{{or .FullName .PhoneNumber}}" + # Should the bridge create a space for each logged-in user and add bridged rooms to it? + personal_filtering_spaces: true + # Should the bridge send a read receipt from the bridge bot when a message has been sent to the phone? + delivery_receipts: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether the bridge should send error notices via m.notice events when a message fails to bridge. + message_error_notices: true + portal_message_buffer: 128 + # Should the bridge update the m.direct account data event when double puppeting is enabled. 
+ # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: true + # Number of chats to sync when connecting to Google Messages. + initial_chat_sync_count: 5 + # Backfill settings + backfill: + # Number of messages to backfill in new chats. + initial_limit: 50 + # Number of messages to backfill on startup if the last message ID in the chat sync doesn't match the last bridged message. + missed_limit: 100 + # Servers to always allow double puppeting from + double_puppet_server_map: + example.org: https://example.org + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: true + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, double puppeting will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + #login_shared_secret_map: + # example.org: foobar + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Should Matrix m.notice-type messages be bridged? + bridge_notices: true + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, except if the config file is not writable. + resend_bridge_info: false + # When using double puppeting, should muted chats be muted in Matrix? + mute_bridging: true + # When using double puppeting, should archived chats be moved to a specific tag in Matrix? + # This can be set to a tag (e.g. m.lowpriority), or null to disable. 
+ archive_tag: m.lowpriority + # Same as above, but for pinned chats. The favorite tag is called m.favourite + pinned_tag: m.favourite + # Should mute status and tags only be bridged when the portal room is created? + tag_only_on_create: true + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Should the bridge never send alerts to the bridge management room? + # These are mostly things like the user being logged out. + disable_bridge_alerts: false + # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. + # This is currently not supported in most clients. + caption_in_message: false + # Send galleries as a single event? This is not an MSC (yet). + beeper_galleries: false + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!gm" + + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Google Messages bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `login` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: true + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. 
+ default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: true + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: true + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: true + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). 
+ # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from SMS to Matrix. + receive: cross-signed-untrusted + # Minimum level that the bridge should accept for incoming Matrix messages. + send: cross-signed-untrusted + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Settings for provisioning API + provisioning: + # Prefix for the provisioning API paths. + prefix: /_matrix/provision + # Shared secret for authentication. If set to "generate", a random secret will be generated, + # or if set to "disable", the provisioning API will be disabled. 
+ shared_secret: generate + + # Permissions for using the bridge. + # Permitted values: + # user - Access to use the bridge to link their own Google Messages on android. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": relay + "example.org": user + "@admin:example.org": admin + +# Logging config. See https://github.com/tulir/zeroconfig for details. +logging: + min_level: debug + writers: + - type: stdout + format: pretty-colored diff --git a/data/bridges/googlechat/config.yaml b/data/bridges/googlechat/config.yaml new file mode 100644 index 0000000..0ab6ef5 --- /dev/null +++ b/data/bridges/googlechat/config.yaml 
@@ -0,0 +1,281 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # The domain of the homeserver (for MXIDs, etc). + domain: example.org + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Google Chat connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: + # Whether asynchronous uploads via MSC2246 should be enabled for media. + # Requires a media repo that supports MSC2246. + async_media: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://mautrix-googlechat:80 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are supported. 
+ # Format examples: + # SQLite: sqlite:filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:googlechat-mautrix.db + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. + # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs). + database_opts: + min_size: 1 + max_size: 10 + id: googlechat + # Username of the appservice bot. + bot_username: mautrix-googlechatbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Google Chat + bot_avatar: mxc://maunium.net/BDIWAQcbpPGASPUUBuEGWXnQ + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: true + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: This value is generated when generating the registration + hs_token: This value is generated when generating the registration + +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-googlechat.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 +bridge: + # Localpart template of MXIDs for Google Chat users. + # {userid} is replaced with the user ID of the Google Chat user. 
+ username_template: googlechat_{userid} + # Displayname template for Google Chat users. + # {full_name}, {first_name}, {last_name} and {email} are replaced with names. + displayname_template: '{full_name} (Google Chat)' + + # The prefix for commands. Only required in non-management rooms. + command_prefix: '!gc' + + # Number of chats to sync (and create portals for) on startup/login. + # Set 0 to disable automatic syncing. + initial_chat_sync: 10 + # Whether or not the Google Chat users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: true + # Whether or not to use /sync to get presence, read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: true + # Servers to always allow double puppeting from + double_puppet_server_map: + example.org: https://example.org + double_puppet_allow_discovery: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + #login_shared_secret_map: + # example.org: foobar + update_avatar_initial_sync: true + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. 
+ encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: true + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: true + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: true + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: true + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. 
+ # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix. + receive: cross-signed-untrusted + # Minimum level that the bridge should accept for incoming Matrix messages. + send: cross-signed-untrusted + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. 
+ disable_device_change_key_rotation: false + + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Google Chat. + delivery_receipts: true + # Whether or not delivery errors should be reported as messages in the Matrix room. + delivery_error_reports: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Settings for backfilling messages from Google Chat. + backfill: + # Whether or not the Google Chat users of logged in Matrix users should be + # invited to private chats when backfilling history from Google Chat. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Number of threads to backfill in threaded spaces in initial backfill. + initial_thread_limit: 10 + # Number of replies to backfill in each thread in initial backfill. + initial_thread_reply_limit: 500 + # Number of messages to backfill in non-threaded spaces and DMs in initial backfill. + initial_nonthread_limit: 100 + # Number of events to backfill in catchup backfill. + missed_event_limit: 5000 + # How many events to request from Google Chat at once in catchup backfill? + missed_event_page_size: 100 + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: false + + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + # Whether or not unimportant bridge notices should be sent to the bridge notice room. 
+ unimportant_bridge_notices: false + # Whether or not bridge notices should be disabled entirely. + disable_bridge_notices: false + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + + provisioning: + # Internal prefix in the appservice web server for the login endpoints. + prefix: /_matrix/provision + # Shared secret for integration managers such as mautrix-manager. + # If set to "generate", a random string will be generated on the next startup. + # If null, integration manager access to the API will not be possible. + shared_secret: generate + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + example.org: user + '@admin:example.org': admin +logging: + version: 1 + formatters: + colored: + (): mautrix_googlechat.util.ColorFormatter + format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s' + normal: + format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s' + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + maugclib: + level: INFO + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/data/bridges/instagram/config.yaml b/data/bridges/instagram/config.yaml new file mode 100644 index 0000000..6047354 --- /dev/null +++ b/data/bridges/instagram/config.yaml 
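Review bot: after its first start this tracked config.yaml stops being a template and becomes a secret store. The `as_token` / `hs_token` lines are placeholders that registration generation overwrites with the real appservice tokens (the comment itself says "Autogenerated; do not modify"), and `provisioning.shared_secret: generate` is replaced by a random secret on the next startup, so the copy in the repo and the copy on disk diverge and the on-disk copy must not be committed back; either document that in the setup steps or ship this file under a template name and have the setup script copy it into place. Two smaller points: `logging.root.level: DEBUG` (and `mau: DEBUG`) is a noisy default for a long-running bridge and puts message metadata into the container logs, so INFO is the safer default to commit; and the `manhole.whitelist` entry `0` lets UID 0 open the manhole whenever it is enabled, which is only acceptable as long as `enabled: false` stays.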
@@ -0,0 +1,410 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # The domain of the homeserver (for MXIDs, etc). + domain: example.org + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Instagram MQTT connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Whether asynchronous uploads via MSC2246 should be enabled for media. + # Requires a media repo that supports MSC2246. + async_media: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://mautrix-instagram:29330 + # When using https:// the TLS certificate and key files for the address. + tls_cert: false + tls_key: false + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are supported. 
+ # Format examples: + # SQLite: sqlite:filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:instagram-mautrix.db + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. + # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs). + database_opts: + min_size: 1 + max_size: 10 + + # The unique ID of this appservice. + id: instagram + # Username of the appservice bot. + bot_username: mautrix-instagrambot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Instagram + bot_avatar: mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: true + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + +# Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors. +analytics: + # Hostname of the tracking server. The path is hardcoded to /v1/track + host: api.segment.io + # API key to send with tracking requests. Tracking is disabled if this is null. + token: null + # Optional user ID for tracking events. If null, defaults to using Matrix user ID. + user_id: null + +# Prometheus telemetry config. Requires prometheus-client to be installed. 
+metrics: + enabled: false + listen_port: 8000 + +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-instagram.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 + +instagram: + # Seed for generating devices. This is secret because the seed is used to generate + # device IDs, which can apparently be used to bypass two-factor authentication after + # logging out, because Instagram is insecure. + device_seed: generate + + mqtt_keepalive: 60 + +# Bridge config +bridge: + # Localpart template of MXIDs for Instagram users. + # {userid} is replaced with the user ID of the Instagram user. + username_template: "instagram_{userid}" + # Displayname template for Instagram users. + # {displayname} is replaced with the display name of the Instagram user. + # {username} is replaced with the username of the Instagram user. + displayname_template: "{displayname} (Instagram)" + # Displayname template for 1:1 chat portals. Same variables as displayname_template. + private_chat_name_template: "{displayname}" + # Displayname template for group chat portals. Only {name} is available. + group_chat_name_template: "{name}" + + # Maximum length of displayname + displayname_max_length: 100 + + # The maximum number of conversations that should be synced when we get a + # message sync error. In general, 1 page (20) is sufficient. + max_startup_thread_sync_count: 20 + # Whether or not to use /sync to get read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. 
+ sync_direct_chat_list: true + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: true + # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. + double_puppet_server_map: + example.org: https://example.org + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + #login_shared_secret_map: + # example.org: foo + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Settings for backfilling messages from Instagram. + backfill: + # Enable initial backfill (~10 messages after creating portal)? + enable_initial: true + # Enable backfill queue? This is used for backfilling additional threads after the initial sync, + # and when MSC2716 is enabled, to backfill message history going backwards. + enable: false + # Use MSC2716 for backfilling? If this is disabled, backfilling only happens when syncing threads, + # and the incremental settings below don't apply. + # + # This requires a server with MSC2716 support, which is currently an experimental feature in Synapse. + # It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml. + msc2716: false + # Use double puppets for backfilling? + # In order to use this, the double puppets must be in the appservice's user ID namespace + # (because the bridge can't use the double puppet access token with batch sending). + # This only affects double puppets on the local server, double puppets on other servers will never be used. 
+ double_puppet_backfill: false + # The maximum number of conversations that should be synced. + # Other conversations will be backfilled on demand when the start PM + # provisioning endpoint is used or when a message comes in from that + # chat. + # If set to -1, all conversations will by synced. + max_conversations: 20 + # The minimum amount of time to wait between syncing each thread. This + # helps avoid situations where you sync too quickly. + min_sync_thread_delay: 5 + # If this value is greater than 0, then if the conversation's last + # message was more than this number of hours ago, then the conversation + # will automatically be marked it as read. + # Conversations that have a last message that is less than this number + # of hours ago will have their unread status synced from Instagram. + unread_hours_threshold: 0 + + # Settings for how quickly to backoff when rate-limits are encountered + # while backfilling. + backoff: + # How many seconds to wait after getting rate limited during a + # thread list fetch. + thread_list: 300 + # How many seconds to wait after getting rate limited during a + # message history fetch. + message_history: 300 + + # Settings for backfills. + # + # During initial/incremental sync, the entirety of the thread that is + # available will be backfilled. For example, on initial sync, about 20 + # messages are included for each thread in the thread list returned by + # the server. After that, incremental backfills will be run for each of + # the portals in a round-robin fashion until all portals have been + # backfilled as configured below. + incremental: + # The maximum number of pages to backfill per batch. + max_pages: 10 + # The maximum number of total pages to backfill per portal. + # If set to -1, infinite pages will be synced. + max_total_pages: -1 + # The number of seconds to wait between backfilling each page. + page_delay: 5 + # The number of seconds to wait after backfilling the batch of + # messages. 
+ post_batch_delay: 20 + + periodic_reconnect: + # Interval in seconds in which to automatically reconnect all users. + # This can be used to automatically mitigate the bug where Instagram stops sending messages. + # Set to -1 to disable periodic reconnections entirely. + interval: -1 + # Whether or not the bridge should backfill chats when reconnecting. + resync: true + # Should even disconnected users be reconnected? + always: false + + # URL to call to retrieve a proxy URL from (defaults to the http_proxy environment variable). + get_proxy_api_url: null + # Whether to use proxy for downloading media from Instagram. + use_proxy_for_media: true + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: true + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: true + # Delete fully used keys (index >= max_messages) after decrypting messages. 
+ delete_fully_used_on_decrypt: true + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: true + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix. + receive: cross-signed-untrusted + # Minimum level that the bridge should accept for incoming Matrix messages. + send: cross-signed-untrusted + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. 
+ rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Instagram. + delivery_receipts: true + # Whether or not delivery errors should be reported as messages in the Matrix room. + delivery_error_reports: false + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + # Whether or not unimportant bridge notices should be sent to the user. + # (e.g. 
connected, disconnected but will retry) + unimportant_bridge_notices: true + # Disable bridge notices entirely + disable_bridge_notices: false + # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. + # This is currently not supported in most clients. + caption_in_message: false + + # Should Matrix m.notice-type messages be bridged? + bridge_notices: true + + # Should Matrix typing notices be sent to Instagram? Typing notifications + # from Instagram will still be bridged. + bridge_matrix_typing: true + + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: false + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!ig" + + # Permissions for using the bridge. + # Permitted values: + # relay - Allowed to be relayed through the bridge, no access to commands. + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": "relay" + "example.org": "user" + "@admin:example.org": "admin" + + relay: + # Whether relay mode should be allowed. If allowed, `!ig set-relay` can be used to turn any + # authenticated user into a relaybot for that chat. + enabled: false + # The formats to use when sending messages to Instagram via a relay user. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. 
Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.org) + # $message - The message content + # + # Note that Instagram doesn't support captions for images, so images won't include any indication of being relayed. + message_formats: + m.text: '$sender_displayname: $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_instagram.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + mauigpapi: + level: DEBUG + aiohttp: + level: INFO + paho.mqtt: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/data/bridges/linkedin/config.yaml b/data/bridges/linkedin/config.yaml new file mode 100644 index 0000000..103717a --- /dev/null +++ b/data/bridges/linkedin/config.yaml 
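Review bot: `appservice.address` and `appservice.port` disagree in this file: the homeserver is told to reach the bridge at `http://mautrix-instagram:29330`, but the bridge is configured to listen on `port: 80` (`hostname: 0.0.0.0`), so appservice transactions from Synapse will not connect unless the compose service remaps that port (not visible here). The other bridge configs in this patch (googlechat, linkedin) use `:80` in both places, so change the address to `http://mautrix-instagram:80` (or set `port: 29330`) and keep the two in sync, since the address is also baked into the generated registration. Second, `permissions` grants `"*": "relay"`, i.e. every Matrix user on every federated server; `relay.enabled: false` makes it inert today, but whoever later turns on `!ig set-relay` inherits a federation-wide grant, so either drop the `*` entry or document that combination next to `relay.enabled`. The same secrets-in-config concern as for the other bridges applies here too: `device_seed: generate` (which the comment flags as secret because of the 2FA-bypass behaviour it describes) and `provisioning.shared_secret: generate` are written back into this tracked file on first run.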
@@ -0,0 +1,329 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # The domain of the homeserver (for MXIDs, etc). + domain: example.org + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: + # Whether asynchronous uploads via MSC2246 should be enabled for media. + # Requires a media repo that supports MSC2246. + async_media: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://beeper-linkedin:80 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are supported. 
+ # Format examples: + # SQLite: sqlite:filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:linkedin-mautrix.db + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. + # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs). + database_opts: + min_size: 1 + max_size: 10 + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: false + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + + # The unique ID of this appservice. + id: linkedin + # Username of the appservice bot. + bot_username: beeper-linkedinbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: LinkedIn + bot_avatar: mxc://nevarro.space/cwsWnmeMpWSMZLUNblJHaIvP + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: This value is generated when generating the registration + hs_token: This value is generated when generating the registration + +# Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors. +analytics: + # Hostname of the tracking server. 
The path is hardcoded to /v1/track + host: api.segment.io + # API key to send with tracking requests. Tracking is disabled if this is null. + token: + # Optional user ID for tracking events. If null, defaults to using Matrix user ID. + user_id: + +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/linkedin-matrix.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 +bridge: + # Localpart template of MXIDs for LinkedIn users. + # {userid} is replaced with the user ID of the LinkedIn user. + username_template: linkedin_{userid} + # Settings for creating a space for every user. + space_support: + # Whether or not to enable creating a space per user and inviting the + # user (as well as all of the puppets) to that space. + enable: false + # The name of the space + name: LinkedIn + # Displayname template for LinkedIn users. + # {displayname} is replaced with the display name of the LinkedIn user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{displayname} (LinkedIn)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + displayname_preference: + - name + - first_name + set_topic_on_dms: true + + # The prefix for commands. Only required in non-management rooms. + command_prefix: '!li' + + # Number of chats to sync (and create portals for) on startup/login. + # Set 0 to disable automatic syncing. + initial_chat_sync: 20 + # Whether or not the LinkedIn users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. 
+ invite_own_puppet_to_pm: true + # Whether or not to use /sync to get presence, read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: true + # Servers to always allow double puppeting from + double_puppet_server_map: + example.org: https://example.org + double_puppet_allow_discovery: true + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + #login_shared_secret_map: + # example.org: foobar + presence: true + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. 
+ encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: true + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: true + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: true + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: true + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. 
+ # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix. + receive: cross-signed-untrusted + # Minimum level that the bridge should accept for incoming Matrix messages. + send: cross-signed-untrusted + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. 
+ disable_device_change_key_rotation: false + + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to LinkedIn. + delivery_receipts: true + # Whether to allow inviting arbitrary mxids to portal rooms + allow_invites: false + # Settings for backfilling messages from LinkedIn. + backfill: + # Whether or not the LinkedIn users of logged in Matrix users should be + # invited to private chats when backfilling history from LinkedIn. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Maximum number of messages to backfill initially. + # Set to 0 to disable backfilling when creating portal. + initial_limit: 0 + # Maximum number of messages to backfill if messages were missed while + # the bridge was disconnected. + # Set to 0 to disable backfilling missed messages. + missed_limit: 1000 + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: true + # If this value is greater than 0, then (on backfill) if the + # conversation's last message was more than this number of hours ago, + # then the conversation will automatically be marked it as read. + unread_hours_threshold: 0 + periodic_reconnect: + # TODO needed? + # Interval in seconds in which to automatically reconnect all users. + # This can be used to automatically mitigate the bug where Linkedin stops sending messages. + # Set to -1 to disable periodic reconnections entirely. + interval: -1 + # What to do in periodic reconnects. Either "refresh" or "reconnect" + mode: refresh + # Should even disconnected users be reconnected? + always: false + # The number of seconds that a disconnection can last without triggering an automatic re-sync + # and missed message backfilling when reconnecting. + # Set to 0 to always re-sync, or -1 to never re-sync automatically. 
+ resync_max_disconnected_time: 5 + # Whether or not temporary disconnections should send notices to the notice room. + # If this is false, disconnections will never send messages and connections will only send + # messages if it was disconnected for more than resync_max_disconnected_time seconds. + temporary_disconnect_notices: true + # Whether or not the bridge should try to "refresh" the connection if a normal reconnection + # attempt fails. + refresh_on_reconnection_fail: true + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + # When using double puppeting, should muted chats be muted in Matrix? + mute_bridging: true + # Whether or not mute status and tags should only be bridged when the portal room is created. + tag_only_on_create: true + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + example.org: user + '@admin:example.org': admin +logging: + version: 1 + formatters: + colored: + (): mautrix.util.logging.color.ColorFormatter + format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s' + normal: + format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s' + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/data/bridges/signal/config.yaml b/data/bridges/signal/config.yaml new file mode 100644 index 0000000..c2ecb78 --- /dev/null +++ b/data/bridges/signal/config.yaml 
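Review bot: the `example.org` placeholders in `double_puppet_server_map` (`example.org: https://example.org`) and `permissions` (`example.org: user`, `'@admin:example.org': admin`) are committed verbatim in data/bridges/linkedin/config.yaml; unless the setup step rewrites them to the real homeserver domain, the permissions block grants `user` to nobody on the actual server and the server is missing from the double-puppet map, so please either template them or document the substitution. Two upstream leftovers also need cleaning: the `verification_levels.receive` comment says "from Telegram to Matrix" in a LinkedIn bridge file, and `periodic_reconnect` still carries a `# TODO needed?` marker. Lastly, `logging.root.level: DEBUG` is a noisy default for a committed config of a bridge that relays private conversations; `INFO` is the safer default, with `DEBUG` left for troubleshooting.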
@@ -0,0 +1,352 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # The domain of the homeserver (also known as server_name, used for MXIDs, etc). + domain: example.org + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: + # Maximum number of simultaneous HTTP connections to the homeserver. + connection_limit: 100 + # Whether asynchronous uploads via MSC2246 should be enabled for media. + # Requires a media repo that supports MSC2246. + async_media: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://localhost:80 + # When using https:// the TLS certificate and key files for the address. + tls_cert: false + tls_key: false + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # Database config. + database: + # The database type. "sqlite3-fk-wal" and "postgres" are supported. 
+ type: sqlite3-fk-wal + # The database URI. + # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended. + # https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable + # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql + uri: file:signal-mautrix.db?_txlock=immediate + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 5 + max_idle_conns: 2 + # Maximum connection idle time and lifetime before they're closed. Disabled if null. + # Parsed with https://pkg.go.dev/time#ParseDuration + max_conn_idle_time: null + max_conn_lifetime: null + id: signal + # Username of the appservice bot. + bot_username: mautrix-signalbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Signal + bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: true + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: This value is generated when generating the registration + hs_token: This value is generated when generating the registration + +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-signal.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. 
+ whitelist: + - 0 +signal: + # Path to signald unix socket + socket_path: /signald/signald.sock + # Directory for temp files when sending files to Signal. This should be an + # absolute path that signald can read. For attachments in the other direction, + # make sure signald is configured to use an absolute path as the data directory. + outgoing_attachment_dir: /signald/attachments + # Directory where signald stores avatars for groups. + avatar_dir: /signald/avatars + # Directory where signald stores auth data. Used to delete data when logging out. + data_dir: /signald/data + # Whether or not unknown signald accounts should be deleted when the bridge is started. + # When this is enabled, any UserInUse errors should be resolved by restarting the bridge. + delete_unknown_accounts_on_start: false + # Whether or not message attachments should be removed from disk after they're bridged. + remove_file_after_handling: true + # Whether or not users can register a primary device + registration_enabled: true + # Whether or not to enable disappearing messages in groups. If enabled, then the expiration + # time of the messages will be determined by the first users to read the message, rather + # than individually. If the bridge has a single user, this can be turned on safely. + enable_disappearing_messages_in_groups: true + +# Bridge config +bridge: + # Localpart template of MXIDs for Signal users. + # {userid} is replaced with the UUID of the Signal user. + username_template: signal_{userid} + # Displayname template for Signal users. + # {displayname} is replaced with the displayname of the Signal user, which is the first + # available variable in displayname_preference. The variables in displayname_preference + # can also be used here directly. + displayname_template: '{displayname} (Signal)' + # Whether or not contact list displaynames should be used. 
+ # Possible values: disallow, allow, prefer + # + # Multi-user instances are recommended to disallow contact list names, as otherwise there can + # be conflicts between names from different users' contact lists. + contact_list_names: prefer + # Available variables: full_name, first_name, last_name, phone, uuid + displayname_preference: + - full_name + - phone + autocreate_group_portal: true + # Whether or not to create portals for all contacts on login/connect. + autocreate_contact_portal: true + # Whether or not to make portals of Signal groups in which joining via invite link does + # not need to be approved by an administrator publicly joinable on Matrix. + public_portals: false + # Whether or not to use /sync to get read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: true + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: true + # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. + double_puppet_server_map: + example.org: https://example.org + #login_shared_secret_map: + # example.org: foo + federate_rooms: true + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: true + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. 
+ appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: true + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: true + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). 
+ verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix. + receive: cross-signed-untrusted + # Minimum level that the bridge should accept for incoming Matrix messages. + send: cross-signed-untrusted + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Signal. This let's you check manually whether the bridge is receiving your + # messages. + # Note that this is not related to Signal delivery receipts. + delivery_receipts: true + # Whether or not delivery errors should be reported as messages in the Matrix room. 
+ delivery_error_reports: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + # Interval at which to resync contacts (in seconds). + periodic_sync: 0 + # Should leaving the room on Matrix make the user leave on Signal? + bridge_matrix_leave: true + # Should the bridge auto-create a group chat on Signal when a ghost is invited to a room? + # Requires the user to have sufficient power level and double puppeting enabled. + create_group_on_invite: true + hacky_contact_name_mixup_detection: false + + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: false + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + # Segment API key to enable analytics tracking for web server + # endpoints. Set to null to disable. + # Currently the only events are login start, QR code scan, and login + # success/failure. + segment_key: + # Optional user_id to use when sending Segment events. If null, defaults to using mxID. + segment_user_id: + + # The prefix for commands. Only required in non-management rooms. + command_prefix: '!signal' + + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: Hello, I'm a Signal bridge bot. 
+ # Sent when joining a management room and the user is already logged in. + welcome_connected: Use `help` for help. + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: Use `help` for help or `link` to log in. + # Optional extra text sent when joining a management room. + additional_help: '' + + # Send each message separately (for readability in some clients) + management_room_multiple_messages: true + + # Permissions for using the bridge. + # Permitted values: + # relay - Allowed to be relayed through the bridge, no access to commands. + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '*': relay + example.org: user + '@admin:example.org': admin + relay: + # Whether relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any + # authenticated user into a relaybot for that chat. + enabled: false + # The formats to use when sending messages to Signal via a relay user. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. 
@exampleuser:example.org) + # $message - The message content + message_formats: + m.text: '$sender_displayname: $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' + m.file: $sender_displayname sent a file + m.image: $sender_displayname sent an image + m.audio: $sender_displayname sent an audio file + m.video: $sender_displayname sent a video + m.location: $sender_displayname sent a location + relaybot: '@relaybot:example.org' + # Whether or not invites from non-logged-in users should be relayed + invite: true + + # Format for generating URLs from location messages for sending to Signal + # Google Maps: 'https://www.google.com/maps/place/{lat},{long}' + # OpenStreetMap: 'https://www.openstreetmap.org/?mlat={lat}&mlon={long}' + location_format: https://www.google.com/maps/place/{lat},{long} + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_signal.util.ColorFormatter + format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s' + normal: + format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s' + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/data/bridges/slack/config.yaml b/data/bridges/slack/config.yaml new file mode 100644 index 0000000..c44b188 --- /dev/null +++ b/data/bridges/slack/config.yaml 
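Review bot: `appservice.address: http://localhost:80` in data/bridges/signal/config.yaml looks wrong for this deployment: `homeserver.address` is `http://synapse:80`, so Synapse runs in its own container and `localhost:80` from its point of view is not this bridge, meaning appservice transactions will never arrive. The Slack config in the same commit uses the compose service name (`http://mautrix-slack:80`), so this should be the Signal service's name (e.g. `http://mautrix-signal:80`, assuming that is what the compose file calls it). Also, `ephemeral_events: true` is set together with `sync_with_custom_puppets: true`, which contradicts the inline comment "You should disable bridge -> sync_with_custom_puppets when this is enabled"; one of the two should change. Minor: the `verification_levels.receive` comment again says "from Telegram to Matrix" in a Signal bridge file.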
@@ -0,0 +1,288 @@ +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # The domain of the homeserver (for MXIDs, etc). + domain: example.org + + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's slack connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246? + async_media: false + + # Should the bridge use a websocket for connecting to the homeserver? + # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy, + # mautrix-asmux (deprecated), and hungryserv (proprietary). + websocket: false + # How often should the websocket be pinged? Pinging will be disabled if this is zero. + ping_interval_seconds: 0 + +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://mautrix-slack:80 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + + # Database config. + database: + # The database type. "sqlite3-fk-wal" and "postgres" are supported. + type: sqlite3-fk-wal + # The database URI. + # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended. + # https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. 
For example, postgres://user:password@host/database?sslmode=disable + # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql + uri: file:slack-mautrix.db?_txlock=immediate + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + # Maximum connection idle time and lifetime before they're closed. Disabled if null. + # Parsed with https://pkg.go.dev/time#ParseDuration + max_conn_idle_time: null + max_conn_lifetime: null + + # The unique ID of this appservice. + id: slack + # Appservice bot details. + bot: + # Username of the appservice bot. + username: mautrix-slackbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: Slack + avatar: mxc://maunium.net/pVtzLmChZejGxLqmXtQjFxem + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: true + + # Should incoming events be handled asynchronously? + # This may be necessary for large public instances with lots of messages going through. + # However, messages will not be guaranteed to be bridged in the same order they were sent in. + async_transactions: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + +# Bridge config +bridge: + # Localpart template of MXIDs for Slack users. + # {{.}} is replaced with the internal ID of the Slack user. + username_template: slack_{{.}} + # Displayname template for Slack users. 
+ # TODO: document variables + displayname_template: '{{.RealName}} (S)' + bot_displayname_template: '{{.Name}} (bot)' + channel_name_template: '#{{.Name}}' + + portal_message_buffer: 128 + + # Should the bridge send a read receipt from the bridge bot when a message has been sent to Slack? + delivery_receipts: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether the bridge should send error notices via m.notice events when a message fails to bridge. + message_error_notices: true + # Should incoming custom emoji reactions be bridged as mxc:// URIs? + # If set to false, custom emoji reactions will be bridged as the shortcode instead, and the image won't be available. + custom_emoji_reactions: true + + # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices. + sync_with_custom_puppets: true + # Should the bridge update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: true + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + + # Servers to always allow double puppeting from + double_puppet_server_map: + example.org: https://example.org + # Allow using double puppeting from any server with a valid client .well-known file. 
+ double_puppet_allow_discovery: true + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, double puppeting will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + #login_shared_secret_map: + # example.org: foobar + + message_handling_timeout: + # Send an error message after this timeout, but keep waiting for the response until the deadline. + # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay. + # If the message is older than this when it reaches the bridge, the message won't be handled at all. + error_after: 10s + # Drop messages after this timeout. They may still go through if the message got sent to the servers. + # This is counted from the time the bridge starts handling the message. + deadline: 60s + + # The prefix for commands. Only required in non-management rooms. + command_prefix: '!slack' + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Slack bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help, or `login-token` or `login-password` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + backfill: + # Allow backfilling at all? Requires MSC2716 support on homeserver. + enable: true + + # Maximum number of conversations to fetch from Slack when syncing team from Slack. + # Must be 0-999 + conversations_count: 200 + + # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Slack. + # Set to -1 to let any chat be unread. 
+ unread_hours_threshold: 720 + + # Number of messages to immediately backfill when creating a portal. + immediate_messages: 10 + + # Settings for incremental backfill of history. + incremental: + # Maximum number of messages to backfill per batch. + messages_per_batch: 100 + # The number of seconds to wait after backfilling the batch of messages. + post_batch_delay: 20 + # The maximum number of messages to backfill per portal, split by the chat type. + # If set to -1, all messages in the chat will eventually be backfilled. + max_messages: + # Channels + channel: 200 + # Group direct messages + group_dm: 500 + # 1:1 direct messages + dm: 500 + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: true + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: true + # Delete fully used keys (index >= max_messages) after decrypting messages. 
+ delete_fully_used_on_decrypt: true + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: true + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix. + receive: cross-signed-untrusted + # Minimum level that the bridge should accept for incoming Matrix messages. + send: cross-signed-untrusted + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. 
+ rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Settings for provisioning API + provisioning: + # Prefix for the provisioning API paths. + prefix: /_matrix/provision + # Shared secret for authentication. If set to "generate", a random secret will be generated, + # or if set to "disable", the provisioning API will be disabled. + shared_secret: generate + + # Permissions for using the bridge. + # Permitted values: + # relay - Talk through the relaybot (if enabled), no access otherwise + # user - Access to use the bridge to chat with a Slack account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": relay + "example.org": user + "@admin:example.org": admin + +# Logging config. See https://github.com/tulir/zeroconfig for details. +logging: + min_level: debug + writers: + - type: stdout + format: pretty-colored diff --git a/data/bridges/steam/config.yaml b/data/bridges/steam/config.yaml new file mode 100644 index 0000000..fad037d --- /dev/null +++ b/data/bridges/steam/config.yaml 
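Review bot: `logging.min_level: debug` at the end of this Slack config is too verbose for a committed default; the bridge will write debug-level output to container stdout on every run, so `min_level: info` is the better checked-in value, raised to `debug` only while troubleshooting. Two documentation nits in the same hunk: the comment above `verification_levels.receive` still says "bridging messages from WhatsApp to Matrix" in a Slack config and should say Slack, and the commented `#login_shared_secret_map` example (`example.org: foobar`) should be accompanied by a README line saying that a real shared secret belongs in the `_PLACEHOLDER_` / `.env` convention the rest of the patch uses, not in this file.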
@@ -0,0 +1,31 @@ +bridge: + # Port to host the bridge on which your homeserver will connect to + port: 80 + # Address for the bridge to bind to; if running as a Docker container, you + # probably want 0.0.0.0 here + bindAddress: 0.0.0.0 + # Name of your homeserver + domain: example.org + # URL where the bridge can connect to your homeserver + homeserverUrl: http://synapse:80 + +provisioning: + # Which users are allowed to issue commands to @_steampuppet_bot + whitelist: + - "@*:example.org" + # A blacklist can be used instead: + # blacklist: + # - "@username:matrix\\.myhomeserver\\.com" + + # Shared secret for the provisioning API for use by integration managers. + # If this is not set, the provisioning API will not be enabled. + #sharedSecret: random string + # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically. + apiPrefix: /_matrix/provision + +presence: + # Bridge Steam online/offline status + enabled: false + + # How often to send status to the homeserver in milliseconds + interval: 5000 diff --git a/data/bridges/steam/registration.yaml b/data/bridges/steam/registration.yaml new file mode 100644 index 0000000..e492f50 --- /dev/null +++ b/data/bridges/steam/registration.yaml @@ -0,0 +1,16 @@ +as_token: _STEAM_AS_TOKEN_ +hs_token: _STEAM_HS_TOKEN_ +id: steam-puppet +namespaces: + users: + - exclusive: true + regex: '@_steampuppet_.*' + rooms: [] + aliases: + - exclusive: true + regex: '#_steampuppet_.*' +protocols: [] +rate_limited: false +sender_localpart: _steampuppet_bot +url: 'http://mx-puppet-steam:80' +de.sorunome.msc2409.push_ephemeral: true diff --git a/data/bridges/telegram/config.yaml b/data/bridges/telegram/config.yaml new file mode 100644 index 0000000..79dd164 --- /dev/null +++ b/data/bridges/telegram/config.yaml 
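Review bot: the `provisioning.whitelist` entry `"@*:example.org"` is not the pattern it intends. The commented `blacklist` example directly below it (`"@username:matrix\\.myhomeserver\\.com"`) shows these entries are regular expressions with escaped dots, so the homeserver-wide entry should read `"@.*:example\\.org"`; as written, `@*` means "zero or more `@` characters" rather than "any localpart", and the unescaped `.` matches any character, so which MXIDs it admits depends on how the pattern is matched rather than on what the author meant. Please correct it and note in the README that this list is regex-based, since the Slack and Telegram configs in this patch use plain `example.org` keys for the equivalent permission.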
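Review bot: the steam `registration.yaml` ships with `as_token: _STEAM_AS_TOKEN_` and `hs_token: _STEAM_HS_TOKEN_` but nothing in the patch documents how those are filled in. The README should state that both are long random secrets generated by the user, that the file with real values is what Synapse loads as an appservice registration (so it must be kept out of version control), and that the `url: 'http://mx-puppet-steam:80'` must match the `port: 80` in the bridge's own `config.yaml` above, which it currently does.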
@@ -0,0 +1,665 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # The domain of the homeserver (for MXIDs, etc). + domain: example.org + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Whether asynchronous uploads via MSC2246 should be enabled for media. + # Requires a media repo that supports MSC2246. + async_media: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://mautrix-telegram:80 + # When using https:// the TLS certificate and key files for the address. + tls_cert: false + tls_key: false + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 5 + + # The full URI to the database. SQLite and Postgres are supported. 
+ # Format examples: + # SQLite: sqlite:filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:telegram-mautrix.db + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. + # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs). + database_opts: + min_size: 1 + max_size: 10 + + # Public part of web server for out-of-Matrix interaction with the bridge. + # Used for things like login if the user wants to make sure the 2FA password isn't stored in + # the HS database. + public: + # Whether or not the public-facing endpoints should be enabled. + enabled: false + # The prefix to use in the public-facing endpoints. + prefix: /public + # The base URL where the public-facing endpoints are available. The prefix is not added + # implicitly. + external: https://example.org/public + + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: false + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + + # The unique ID of this appservice. + id: telegram + # Username of the appservice bot. + bot_username: mautrix-telegrambot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. 
+ bot_displayname: Telegram + bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: true + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-telegram.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 + +# Bridge config +bridge: + # Localpart template of MXIDs for Telegram users. + # {userid} is replaced with the user ID of the Telegram user. + username_template: "telegram_{userid}" + # Localpart template of room aliases for Telegram portal rooms. + # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} ) + alias_template: "telegram_{groupname}" + # Displayname template for Telegram users. + # {displayname} is replaced with the display name of the Telegram user. + displayname_template: "{displayname} (Telegram)" + + # Set the preferred order of user identifiers which to use in the Matrix puppet display name. + # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user + # ID is used. + # + # If the bridge is working properly, a phone number or an username should always be known, but + # the other one can very well be empty. 
+ # + # Valid keys: + # "full name" (First and/or last name) + # "full name reversed" (Last and/or first name) + # "first name" + # "last name" + # "username" + # "phone number" + displayname_preference: + - full name + - username + - phone number + # Maximum length of displayname + displayname_max_length: 100 + # Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default + # as there's no way to determine whether an avatar is removed or just hidden from some users. If + # you're on a single-user instance, this should be safe to enable. + allow_avatar_remove: false + # Should contact names and profile pictures be allowed? + # This is only safe to enable on single-user instances. + allow_contact_info: true + + # Maximum number of members to sync per portal when starting up. Other members will be + # synced when they send messages. The maximum is 10000, after which the Telegram server + # will not send any more members. + # -1 means no limit (which means it's limited to 10000 by the server) + max_initial_member_sync: 15 + # Maximum number of participants in chats to bridge. Only applies when the portal is being created. + # If there are more members when trying to create a room, the room creation will be cancelled. + # -1 means no limit (which means all chats can be bridged) + max_member_count: 100 + # Whether or not to sync the member list in channels. + # If no channel admins have logged into the bridge, the bridge won't be able to sync the member + # list regardless of this setting. + sync_channel_members: true + # Whether or not to skip deleted members when syncing members. + skip_deleted_members: true + # Whether or not to automatically synchronize contacts and chats of Matrix users logged into + # their Telegram account at startup. + startup_sync: true + # Number of most recently active dialogs to check when syncing chats. + # Set to 0 to remove limit. 
+ sync_update_limit: 0 + # Number of most recently active dialogs to create portals for when syncing chats. + # Set to 0 to remove limit. + sync_create_limit: 5 + # Should all chats be scheduled to be created later? + # This is best used in combination with MSC2716 infinite backfill. + sync_deferred_create_all: false + # Whether or not to sync and create portals for direct chats at startup. + sync_direct_chats: true + # The maximum number of simultaneous Telegram deletions to handle. + # A large number of simultaneous redactions could put strain on your homeserver. + max_telegram_delete: 10 + # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames) + # at startup and when creating a bridge. + sync_matrix_state: true + # Allow logging in within Matrix. If false, users can only log in using login-qr or the + # out-of-Matrix login website (see appservice.public config section) + allow_matrix_login: true + # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix. + public_portals: true + # Whether or not to use /sync to get presence, read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: true + # Servers to always allow double puppeting from + double_puppet_server_map: + example.org: https://example.org + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: true + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. 
+ # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + #login_shared_secret_map: + # example.org: foobar + # Set to false to disable link previews in messages sent to Telegram. + telegram_link_preview: true + # Whether or not the !tg join command should do a HTTP request + # to resolve redirects in invite links. + invite_link_resolve: true + # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. + # This is currently not supported in most clients. + caption_in_message: false + # Maximum size of image in megabytes before sending to Telegram as a document. + image_as_file_size: 10 + # Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 4096x4096 = 16777216. + image_as_file_pixels: 16777216 + # Enable experimental parallel file transfer, which makes uploads/downloads much faster by + # streaming from/to Matrix and using many connections for Telegram. + # Note that generating HQ thumbnails for videos is not possible with streamed transfers. + # This option uses internal Telethon implementation details and may break with minor updates. + parallel_file_transfer: false + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Should the bridge send all unicode reactions as custom emoji reactions to Telegram? + # By default, the bridge only uses custom emojis for unicode emojis that aren't allowed in reactions. + always_custom_emoji_reaction: false + # Settings for converting animated stickers. + animated_sticker: + # Format to which animated stickers should be converted. 
+ # disable - No conversion, send as-is (gzipped lottie) + # png - converts to non-animated png (fastest), + # gif - converts to animated gif + # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support + # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support + target: gif + # Should video stickers be converted to the specified format as well? + convert_from_webm: false + # Arguments for converter. All converters take width and height. + args: + width: 256 + height: 256 + fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended) + # Settings for converting animated emoji. + # Same as animated_sticker, but webm is not supported as the target + # (because inline images can only contain images, not videos). + animated_emoji: + target: webp + args: + width: 64 + height: 64 + fps: 25 + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: true + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. 
+ delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: true + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: true + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: true + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix. + receive: cross-signed-untrusted + # Minimum level that the bridge should accept for incoming Matrix messages. + send: cross-signed-untrusted + # Minimum level that the bridge should require for accepting key requests. 
+ share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Disable generating reply fallbacks? Some extremely bad clients still rely on them, + # but they're being phased out and will be completely removed in the future. + disable_reply_fallbacks: false + # Should cross-chat replies from Telegram be bridged? Most servers and clients don't support this. + cross_room_replies: true + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Telegram. + delivery_receipts: true + # Whether or not delivery errors should be reported as messages in the Matrix room. 
+ delivery_error_reports: false + # Should errors in incoming message handling send a message to the Matrix room? + incoming_bridge_error_reports: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + # When using double puppeting, should muted chats be muted in Matrix? + mute_bridging: false + # When using double puppeting, should pinned chats be moved to a specific tag in Matrix? + # The favorites tag is `m.favourite`. + pinned_tag: m.favourite + # Same as above for archived chats, the low priority tag is `m.lowpriority`. + archive_tag: m.lowpriority + # Whether or not mute status and tags should only be bridged when the portal room is created. + tag_only_on_create: true + # Should leaving the room on Matrix make the user leave on Telegram? + bridge_matrix_leave: true + # Should the user be kicked out of all portals when logging out of the bridge? + kick_on_logout: true + # Should the "* user joined Telegram" notice always be marked as read automatically? + always_read_joined_telegram_notice: true + # Should the bridge auto-create a group chat on Telegram when a ghost is invited to a room? + # Requires the user to have sufficient power level and double puppeting enabled. + create_group_on_invite: true + # Settings for backfilling messages from Telegram. + backfill: + # Allow backfilling at all? + enable: true + # Whether or not to enable backfilling in normal groups. + # Normal groups have numerous technical problems in Telegram, and backfilling normal groups + # will likely cause problems if there are multiple Matrix users in the group. 
+ normal_groups: false + + # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Telegram. + # Set to -1 to let any chat be unread. + unread_hours_threshold: 720 + + # Forward backfilling limits. + # + # Using a negative initial limit is not recommended, as it would try to backfill everything in a single batch. + forward_limits: + # Number of messages to backfill immediately after creating a portal. + initial: + user: 50 + normal_group: 100 + supergroup: 10 + channel: 10 + # Number of messages to backfill when syncing chats. + sync: + user: 100 + normal_group: 100 + supergroup: 100 + channel: 100 + # Timeout for forward backfills in seconds. If you have a high limit, you'll have to increase this too. + forward_timeout: 900 + + # Settings for incremental backfill of history. These only apply to Beeper, as upstream abandoned MSC2716. + incremental: + # Maximum number of messages to backfill per batch. + messages_per_batch: 100 + # The number of seconds to wait after backfilling the batch of messages. + post_batch_delay: 20 + # The maximum number of batches to backfill per portal, split by the chat type. + # If set to -1, all messages in the chat will eventually be backfilled. + max_batches: + # Direct chats + user: -1 + # Normal groups. Note that the normal_groups option above must be enabled + # for these to be backfilled. + normal_group: -1 + # Supergroups + supergroup: 10 + # Broadcast channels + channel: -1 + + # Overrides for base power levels. + initial_power_level_overrides: + user: {} + group: {} + + # Whether to bridge Telegram bot messages as m.notices or m.texts. + bot_messages_as_notices: true + bridge_notices: + # Whether or not Matrix bot messages (type m.notice) should be bridged. + default: false + # List of user IDs for whom the previous flag is flipped. + # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but + # notices from users listed here will be bridged. 
+ exceptions: [] + + # An array of possible values for the $distinguisher variable in message formats. + # Each user gets one of the values here, based on a hash of their user ID. + # If the array is empty, the $distinguisher variable will also be empty. + relay_user_distinguishers: ["🟦", "🟣", "🟩", "⭕️", "🔶", "⬛️", "🔵", "🟢"] + # The formats to use when sending messages to Telegram via the relay bot. + # Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.org) + # $distinguisher - A random string from the options in the relay_user_distinguishers array. + # $message - The message content + message_formats: + m.text: "$distinguisher $sender_displayname: $message" + m.notice: "$distinguisher $sender_displayname: $message" + m.emote: "* $distinguisher $sender_displayname $message" + m.file: "$distinguisher $sender_displayname sent a file: $message" + m.image: "$distinguisher $sender_displayname sent an image: $message" + m.audio: "$distinguisher $sender_displayname sent an audio file: $message" + m.video: "$distinguisher $sender_displayname sent a video: $message" + m.location: "$distinguisher $sender_displayname sent a location: $message" + # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated + # users are sent to telegram. All fields in message_formats are supported. 
Additionally, the + # Telegram user info is available in the following variables: + # $displayname - Telegram displayname + # $username - Telegram username (may not exist) + # $mention - Telegram @username or displayname mention (depending on which exists) + emote_format: "* $mention $formatted_body" + + # The formats to use when sending state events to Telegram via the relay bot. + # + # Variables from `message_formats` that have the `sender_` prefix are available without the prefix. + # In name_change events, `$prev_displayname` is the previous displayname. + # + # Set format to an empty string to disable the messages for that event. + state_event_formats: + join: "$distinguisher $displayname joined the room." + leave: "$distinguisher $displayname left the room." + name_change: "$distinguisher $prev_displayname changed their name to $distinguisher $displayname" + + # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and + # `filter-mode` management commands. + # + # An empty blacklist will essentially disable the filter. + filter: + # Filter mode to use. Either "blacklist" or "whitelist". + # If the mode is "blacklist", the listed chats will never be bridged. + # If the mode is "whitelist", only the listed chats can be bridged. + mode: blacklist + # The list of group/channel IDs to filter. + list: [] + # How to handle direct chats: + # If users is "null", direct chats will follow the previous settings. + # If users is "true", direct chats will always be bridged. + # If users is "false", direct chats will never be bridged. + users: true + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!tg" + + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Telegram bridge bot." + # Sent when joining a management room and the user is already logged in. 
+ welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `login` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # Send each message separately (for readability in some clients) + management_room_multiple_messages: true + + # Permissions for using the bridge. + # Permitted values: + # relaybot - Only use the bridge via the relaybot, no access to commands. + # user - Relaybot level + access to commands to create bridges. + # puppeting - User level + logging in with a Telegram account. + # full - Full access to use the bridge, i.e. previous levels + Matrix login. + # admin - Full access to use the bridge and some extra administration commands. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": "relaybot" + "example.org": "full" + "@admin:example.org": "admin" + + # Options related to the message relay Telegram bot. + relaybot: + private_chat: + # List of users to invite to the portal when someone starts a private chat with the bot. + # If empty, private chats with the bot won't create a portal. + invite: [] + # Whether or not to bridge state change messages in relaybot private chats. + state_changes: true + # When private_chat_invite is empty, this message is sent to users /starting the + # relaybot. Telegram's "markdown" is supported. + message: This is a Matrix bridge relaybot and does not support direct chats + # List of users to invite to all group chat portals created by the bridge. + group_chat_invite: [] + # Whether or not the relaybot should not bridge events in unbridged group chats. + # If false, portals will be created when the relaybot receives messages, just like normal + # users. This behavior is usually not desirable, as it interferes with manually bridging + # the chat to another room. 
+ ignore_unbridged_group_chat: true + # Whether or not to allow creating portals from Telegram. + authless_portals: true + # Whether or not to allow Telegram group admins to use the bot commands. + whitelist_group_admins: true + # Whether or not to ignore incoming events sent by the relay bot. + ignore_own_incoming_events: true + # List of usernames/user IDs who are also allowed to use the bot commands. + whitelist: + - myusername + - 12345678 + +# Telegram config +telegram: + # Get your own API keys at https://my.telegram.org/apps + api_id: 12345 + api_hash: tjyd5yge35lbodk1xwzw2jstp90k55qz + # (Optional) Create your own bot at https://t.me/BotFather + bot_token: disabled + + # Should the bridge request missed updates from Telegram when restarting? + catch_up: true + # Should incoming updates be handled sequentially to make sure order is preserved on Matrix? + sequential_updates: true + exit_on_update_error: false + + # Telethon connection options. + connection: + # The timeout in seconds to be used when connecting. + timeout: 120 + # How many times the reconnection should retry, either on the initial connection or when + # Telegram disconnects us. May be set to a negative or null value for infinite retries, but + # this is not recommended, since the program can get stuck in an infinite loop. + retries: 5 + # The delay in seconds to sleep between automatic reconnections. + retry_delay: 1 + # The threshold below which the library should automatically sleep on flood wait errors + # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold + # is 20s, the library will sleep automatically. If the error was for 21s, it would raise + # the error instead. Values larger than a day (86400) will be changed to a day. + flood_sleep_threshold: 60 + # How many times a request should be retried. 
Request are retried when Telegram is having + # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when + # there's a migrate error. May take a negative or null value for infinite retries, but this + # is not recommended, since some requests can always trigger a call fail (such as searching + # for messages). + request_retries: 5 + # Use IPv6 for Telethon connection + use_ipv6: false + + # Device info sent to Telegram. + device_info: + # "auto" = OS name+version. + device_model: mautrix-telegram + # "auto" = Telethon version. + system_version: auto + # "auto" = mautrix-telegram version. + app_version: auto + lang_code: en + system_lang_code: en + + # Custom server to connect to. + server: + # Set to true to use these server settings. If false, will automatically + # use production server assigned by Telegram. Set to false in production. + enabled: false + # The DC ID to connect to. + dc: 2 + # The IP to connect to. + ip: 149.154.167.40 + # The port to connect to. 443 may not work, 80 is better and both are equally secure. + port: 80 + + # Telethon proxy configuration. + # You must install PySocks from pip for proxies to work. + proxy: + # Allowed types: disabled, socks4, socks5, http, mtproxy + type: disabled + # Proxy IP address and port. + address: 127.0.0.1 + port: 1080 + # Whether or not to perform DNS resolving remotely. Only for socks/http proxies. + rdns: true + # Proxy authentication (optional). Put MTProxy secret in password field. + username: "" + password: "" + +# Python logging configuration. 
+# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_telegram.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + telethon: + level: INFO + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/data/bridges/twitter/config.yaml b/data/bridges/twitter/config.yaml new file mode 100644 index 0000000..71489c8 --- /dev/null +++ b/data/bridges/twitter/config.yaml 
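Review bot: the `permissions` block in this hunk grants `"*": "relaybot"`, which lets every Matrix user, local or federated, relay through the bot, and `"example.org": "full"`, which gives every account on the homeserver Matrix-login level access; for a personal homeserver narrow `"*"` (or drop it) and reserve `full` for the specific MXIDs that need it. The `telegram:` section also ships `api_id: 12345` and `api_hash: tjyd5yge35lbodk1xwzw2jstp90k55qz` as placeholders in a file that is being added to version control and will hold the real values once filled in; either template them in from the environment or state in the setup guide that `data/bridges/telegram/config.yaml` must not be committed after setup. Two more values to call out as examples to replace or review: `relaybot.whitelist` lists `myusername` and `12345678`, and `authless_portals: true` lets portals be created from the Telegram side without a logged-in Matrix user. Minor: the `mau` and `root` loggers are at `DEBUG`, which is verbose for a long-running bridge; `INFO` is a better default once setup is done.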
@@ -0,0 +1,307 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # The domain of the homeserver (for MXIDs, etc). + domain: example.org + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Twitter connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Whether asynchronous uploads via MSC2246 should be enabled for media. + # Requires a media repo that supports MSC2246. + async_media: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://mautrix-twitter:80 + # When using https:// the TLS certificate and key files for the address. + tls_cert: false + tls_key: false + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are supported. 
+ # Format examples: + # SQLite: sqlite:filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:twitter-mautrix.db + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. + # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs). + database_opts: + min_size: 1 + max_size: 10 + + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: false + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + + # The unique ID of this appservice. + id: twitter + # Username of the appservice bot. + bot_username: mautrix-twitterbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Twitter + bot_avatar: mxc://maunium.net/HVHcnusJkQcpVcsVGZRELLCn + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: true + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + +# Prometheus telemetry config. 
Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-twitter.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 + +# Bridge config +bridge: + # Localpart template of MXIDs for Twitter users. + # {userid} is replaced with the user ID of the Twitter user. + username_template: "twitter_{userid}" + # Displayname template for Twitter users. + # {displayname} is replaced with the display name of the Twitter user. + # {username} is replaced with the username of the Twitter user. + displayname_template: "{displayname} (Twitter)" + + # Maximum length of displayname + displayname_max_length: 100 + + # Number of conversations to sync (and create portals for) on login. + # Set 0 to disable automatic syncing. + initial_conversation_sync: 10 + # Whether or not to use /sync to get read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: true + # When using double puppeting, should low quality DMs be moved to a specific tag in Matrix? + # The low priority tag is `m.lowpriority`. + low_quality_tag: m.lowpriority + # When using double puppeting, mute low quality DMs (by changing the user's push rules)? + low_quality_mute: true + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: true + # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. 
+ double_puppet_server_map: + example.org: https://example.org + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + #login_shared_secret_map: + # example.org: foo + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Settings for backfilling messages from Twitter. + # + # Missed message backfilling is currently based on receiving them from the Twitter polling API, + # rather than manually asking for messages in each conversation. Due to this, there's no way to + # set a limit for missed message backfilling. + backfill: + # Whether or not the Twitter users of logged in Matrix users should be + # invited to private chats when backfilling history from Twitter. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Maximum number of messages to backfill initially. + # Set to 0 to disable backfilling when creating portal. + initial_limit: 0 + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: false + # Backfill backwards after the initial batch (requires MSC2716 support on homeserver) + backwards: false + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. 
+ default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: false + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: false + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: false + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: false + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). 
+ # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix. + receive: unverified + # Minimum level that the bridge should accept for incoming Matrix messages. + send: unverified + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. 
+ private_chat_portal_meta: default + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Twitter. + delivery_receipts: false + # Whether or not delivery errors should be reported as messages in the Matrix room. + delivery_error_reports: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether or not non-fatal polling errors should send notices to the notice room. + temporary_disconnect_notices: true + # Disable bridge notices entirely + disable_bridge_notices: false + # Number of seconds to sleep more than the previous error when a polling error occurs. + # Growth is capped at 15 minutes. + error_sleep: 5 + # Maximum number of polling errors before giving up. Set to -1 to retry forever. + max_poll_errors: 12 + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + # Send captions in the same message as images. This will send data compatible with MSC2530. + # This is currently not supported in most clients. + caption_in_message: false + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!tw" + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "example.org": "user" + "@admin:example.org": "admin" + + +# Python logging configuration. 
+# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_twitter.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/data/bridges/whatsapp/config.yaml b/data/bridges/whatsapp/config.yaml new file mode 100644 index 0000000..f70965b --- /dev/null +++ b/data/bridges/whatsapp/config.yaml 
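Review bot: the comment above `verification_levels.receive` in this hunk says "bridging messages from Telegram to Matrix" but this file is the Twitter bridge config; fix it to Twitter so it does not read as pasted from the wrong bridge. More important for a tracked file: `as_token` and `hs_token` are marked "Autogenerated; do not modify" and `provisioning.shared_secret: generate` says the bridge will "generate and save a new token", so this `config.yaml` is rewritten with live appservice credentials on first run; treat it like the registration file and keep it out of version control once the bridge has started, or template the secret fields from the environment. Also, `permissions` grants `"example.org": "user"` to every account on the homeserver while `double_puppet_allow_discovery: true` and `federate_rooms: true` are on; for a personal instance consider listing the specific MXIDs allowed to log in to Twitter instead of the whole domain, and note that `@admin:example.org` is a placeholder that must change together with `homeserver.domain`. Minor: the logging comment links the Python 3.6 docs; point it at a current version.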
@@ -0,0 +1,465 @@ +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://synapse:80 + # The domain of the homeserver (also known as server_name, used for MXIDs, etc). + domain: example.org + + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246? + async_media: false + + # Should the bridge use a websocket for connecting to the homeserver? + # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy, + # mautrix-asmux (deprecated), and hungryserv (proprietary). + websocket: false + # How often should the websocket be pinged? Pinging will be disabled if this is zero. + ping_interval_seconds: 0 + +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://mautrix-whatsapp:80 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 80 + + # Database config. + database: + # The database type. "sqlite3-fk-wal" and "postgres" are supported. + type: sqlite3-fk-wal + # The database URI. + # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended. + # https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. 
For example, postgres://user:password@host/database?sslmode=disable + # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql + uri: file:whatsapp-mautrix.db?_txlock=immediate + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + # Maximum connection idle time and lifetime before they're closed. Disabled if null. + # Parsed with https://pkg.go.dev/time#ParseDuration + max_conn_idle_time: null + max_conn_lifetime: null + + # The unique ID of this appservice. + id: whatsapp + # Appservice bot details. + bot: + # Username of the appservice bot. + username: mautrix-whatsappbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: WhatsApp + avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + ephemeral_events: true + + # Should incoming events be handled asynchronously? + # This may be necessary for large public instances with lots of messages going through. + # However, messages will not be guaranteed to be bridged in the same order they were sent in. + async_transactions: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + +# Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors. +analytics: + # Hostname of the tracking server. The path is hardcoded to /v1/track + host: api.segment.io + # API key to send with tracking requests. Tracking is disabled if this is null. + token: null + # Optional user ID for tracking events. If null, defaults to using Matrix user ID. + user_id: null + +# Prometheus config. 
+metrics: + # Enable prometheus metrics? + enabled: false + # IP and port where the metrics listener should be. The path is always /metrics + listen: 127.0.0.1:8001 + +# Config for things that are directly sent to WhatsApp. +whatsapp: + # Device name that's shown in the "WhatsApp Web" section in the mobile app. + os_name: Mautrix-WhatsApp bridge + # Browser name that determines the logo shown in the mobile app. + # Must be "unknown" for a generic icon or a valid browser name if you want a specific icon. + # List of valid browser names: https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 + browser_name: unknown + +# Bridge config +bridge: + # Localpart template of MXIDs for WhatsApp users. + # {{.}} is replaced with the phone number of the WhatsApp user. + username_template: whatsapp_{{.}} + # Displayname template for WhatsApp users. + # {{.PushName}} - nickname set by the WhatsApp user + # {{.BusinessName}} - validated WhatsApp business name + # {{.Phone}} - phone number (international format) + # The following variables are also available, but will cause problems on multi-user instances: + # {{.FullName}} - full name from contact list + # {{.FirstName}} - first name from contact list + displayname_template: "{{or .FullName .BusinessName .PushName .JID}} (WA)" + # Should the bridge create a space for each logged-in user and add bridged rooms to it? + # Users who logged in before turning this on should run `!wa sync space` to create and fill the space for the first time. + personal_filtering_spaces: true + # Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp? + delivery_receipts: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether the bridge should send error notices via m.notice events when a message fails to bridge. 
+ message_error_notices: true + # Should incoming calls send a message to the Matrix room? + call_start_notices: true + # Should another user's cryptographic identity changing send a message to Matrix? + identity_change_notices: true + portal_message_buffer: 128 + # Settings for handling history sync payloads. + history_sync: + # Enable backfilling history sync payloads from WhatsApp? + backfill: true + # The maximum number of initial conversations that should be synced. + # Other conversations will be backfilled on demand when receiving a message or when initiating a direct chat. + max_initial_conversations: 10 + # Maximum number of messages to backfill in each conversation. + # Set to -1 to disable limit. + message_count: 250 + # Should the bridge request a full sync from the phone when logging in? + # This bumps the size of history syncs from 3 months to 1 year. + request_full_sync: true + # Configuration parameters that are sent to the phone along with the request full sync flag. + # By default (when the values are null or 0), the config isn't sent at all. + full_sync_config: + # Number of days of history to request. + # The limit seems to be around 3 years, but using higher values doesn't break. + days_limit: 365 + # This is presumably the maximum size of the transferred history sync blob, which may affect what the phone includes in the blob. + size_mb_limit: 1500 + # This is presumably the local storage quota, which may affect what the phone includes in the history sync blob. + storage_quota_mb: 5000 + # If this value is greater than 0, then if the conversation's last message was more than + # this number of hours ago, then the conversation will automatically be marked it as read. + # Conversations that have a last message that is less than this number of hours ago will + # have their unread status synced from WhatsApp. 
+ unread_hours_threshold: 0 + + ############################################################################### + # The settings below are only applicable for backfilling using batch sending, # + # which is no longer supported in Synapse. # + ############################################################################### + + # Settings for media requests. If the media expired, then it will not be on the WA servers. + # Media can always be requested by reacting with the ♻️ (recycle) emoji. + # These settings determine if the media requests should be done automatically during or after backfill. + media_requests: + # Should expired media be automatically requested from the server as part of the backfill process? + auto_request_media: true + # Whether to request the media immediately after the media message is backfilled ("immediate") + # or at a specific time of the day ("local_time"). + request_method: immediate + # If request_method is "local_time", what time should the requests be sent (in minutes after midnight)? + request_local_time: 120 + # Settings for immediate backfills. These backfills should generally be small and their main purpose is + # to populate each of the initial chats (as configured by max_initial_conversations) with a few messages + # so that you can continue conversations without losing context. + immediate: + # The number of concurrent backfill workers to create for immediate backfills. + # Note that using more than one worker could cause the room list to jump around + # since there are no guarantees about the order in which the backfills will complete. + worker_count: 1 + # The maximum number of events to backfill initially. + max_events: 10 + # Settings for deferred backfills. The purpose of these backfills are to fill in the rest of + # the chat history that was not covered by the immediate backfills. + # These backfills generally should happen at a slower pace so as not to overload the homeserver. 
+ # Each deferred backfill config should define a "stage" of backfill (i.e. the last week of messages). + # The fields are as follows: + # - start_days_ago: the number of days ago to start backfilling from. + # To indicate the start of time, use -1. For example, for a week ago, use 7. + # - max_batch_events: the number of events to send per batch. + # - batch_delay: the number of seconds to wait before backfilling each batch. + deferred: + # Last Week + - start_days_ago: 7 + max_batch_events: 20 + batch_delay: 5 + # Last Month + - start_days_ago: 30 + max_batch_events: 50 + batch_delay: 10 + # Last 3 months + - start_days_ago: 90 + max_batch_events: 100 + batch_delay: 10 + # The start of time + - start_days_ago: -1 + max_batch_events: 500 + batch_delay: 10 + + # Should puppet avatars be fetched from the server even if an avatar is already set? + user_avatar_sync: true + # Should Matrix users leaving groups be bridged to WhatsApp? + bridge_matrix_leave: true + # Should the bridge update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: true + # Should the bridge use MSC2867 to bridge manual "mark as unread"s from + # WhatsApp and set the unread status on initial backfill? + # This will only work on clients that support the m.marked_unread or + # com.famedly.marked_unread room account data. + sync_manual_marked_unread: true + # When double puppeting is enabled, users can use `!wa toggle` to change whether + # presence is bridged. This setting sets the default value. + # Existing users won't be affected when these are changed. + default_bridge_presence: true + # Send the presence as "available" to whatsapp when users start typing on a portal. 
+ # This works as a workaround for homeservers that do not support presence, and allows + # users to see when the whatsapp user on the other side is typing during a conversation. + send_presence_on_typing: true + # Should the bridge always send "active" delivery receipts (two gray ticks on WhatsApp) + # even if the user isn't marked as online (e.g. when presence bridging isn't enabled)? + # + # By default, the bridge acts like WhatsApp web, which only sends active delivery + # receipts when it's in the foreground. + force_active_delivery_receipts: false + # Servers to always allow double puppeting from + double_puppet_server_map: + example.org: https://example.org + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: true + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, double puppeting will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + #login_shared_secret_map: + # example.org: foobar + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Should group members be synced in parallel? This makes member sync faster + parallel_member_sync: true + # Should Matrix m.notice-type messages be bridged? + bridge_notices: true + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, except if the config file is not writable. + resend_bridge_info: false + # When using double puppeting, should muted chats be muted in Matrix? 
+ mute_bridging: true + # When using double puppeting, should archived chats be moved to a specific tag in Matrix? + # Note that WhatsApp unarchives chats when a message is received, which will also be mirrored to Matrix. + # This can be set to a tag (e.g. m.lowpriority), or null to disable. + archive_tag: m.lowpriority + # Same as above, but for pinned chats. The favorite tag is called m.favourite + pinned_tag: m.favourite + # Should mute status and tags only be bridged when the portal room is created? + tag_only_on_create: true + # Should WhatsApp status messages be bridged into a Matrix room? + # Disabling this won't affect already created status broadcast rooms. + enable_status_broadcast: true + # Should sending WhatsApp status messages be allowed? + # This can cause issues if the user has lots of contacts, so it's disabled by default. + disable_status_broadcast_send: true + # Should the status broadcast room be muted and moved into low priority by default? + # This is only applied when creating the room, the user can unmute it later. + mute_status_broadcast: true + # Tag to apply to the status broadcast room. + status_broadcast_tag: m.lowpriority + # Should the bridge use thumbnails from WhatsApp? + # They're disabled by default due to very low resolution. + whatsapp_thumbnail: true + # Allow invite permission for user. User can invite any bots to room with whatsapp + # users (private chat and groups) + allow_user_invite: true + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Should the bridge never send alerts to the bridge management room? + # These are mostly things like the user being logged out. + disable_bridge_alerts: false + # Should the bridge stop if the WhatsApp server says another user connected with the same session? + # This is only safe on single-user bridges. 
+ crash_on_stream_replaced: true + # Should the bridge detect URLs in outgoing messages, ask the homeserver to generate a preview, + # and send it to WhatsApp? URL previews can always be sent using the `com.beeper.linkpreviews` + # key in the event content even if this is disabled. + url_previews: true + # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. + # This is currently not supported in most clients. + caption_in_message: false + # Send galleries as a single event? This is not an MSC (yet). + beeper_galleries: false + # Should polls be sent using MSC3381 event types? + extev_polls: false + # Should cross-chat replies from WhatsApp be bridged? Most servers and clients don't support this. + cross_room_replies: true + # Disable generating reply fallbacks? Some extremely bad clients still rely on them, + # but they're being phased out and will be completely removed in the future. + disable_reply_fallbacks: false + # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration + # Null means there's no enforced timeout. + message_handling_timeout: + # Send an error message after this timeout, but keep waiting for the response until the deadline. + # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay. + # If the message is older than this when it reaches the bridge, the message won't be handled at all. + error_after: null + # Drop messages after this timeout. They may still go through if the message got sent to the servers. + # This is counted from the time the bridge starts handling the message. + deadline: 120s + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!wa" + + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. 
+ welcome: "Hello, I'm a WhatsApp bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `login` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: true + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: true + # Should users mentions be in the event wire content to enable the server to send push notifications? + plaintext_mentions: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: true + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: true + # Delete previous megolm sessions from same device when receiving a new one. 
+ delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: true + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix. + receive: cross-signed-untrusted + # Minimum level that the bridge should accept for incoming Matrix messages. + send: cross-signed-untrusted + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. 
+ enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Settings for provisioning API + provisioning: + # Prefix for the provisioning API paths. + prefix: /_matrix/provision + # Shared secret for authentication. If set to "generate", a random secret will be generated, + # or if set to "disable", the provisioning API will be disabled. + shared_secret: generate + + # Permissions for using the bridge. + # Permitted values: + # relay - Talk through the relaybot (if enabled), no access otherwise + # user - Access to use the bridge to chat with a WhatsApp account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": relay + "example.org": user + "@admin:example.org": admin + + # Settings for relay mode + relay: + # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any + # authenticated user into a relaybot for that chat. + enabled: false + # Should only admins be allowed to set themselves as relay users? + admin_only: true + # The formats to use when sending messages to WhatsApp via the relaybot. 
+ message_formats: + m.text: "{{ .Sender.Displayname }}: {{ .Message }}" + m.notice: "{{ .Sender.Displayname }}: {{ .Message }}" + m.emote: "* {{ .Sender.Displayname }} {{ .Message }}" + m.file: "{{ .Sender.Displayname }} sent a file" + m.image: "{{ .Sender.Displayname }} sent an image" + m.audio: "{{ .Sender.Displayname }} sent an audio file" + m.video: "{{ .Sender.Displayname }} sent a video" + m.location: "{{ .Sender.Displayname }} sent a location" + +# Logging config. See https://github.com/tulir/zeroconfig for details. +logging: + min_level: debug + writers: + - type: stdout + format: pretty-colored diff --git a/data/draupnir/config/production.yaml b/data/draupnir/config/production.yaml new file mode 100644 index 0000000..d5ed4c6 --- /dev/null +++ b/data/draupnir/config/production.yaml 
@@ -0,0 +1,267 @@ +# Endpoint URL that Draupnir uses to interact with the matrix homeserver (client-server API), +# set this to the pantalaimon URL if you're using that. +homeserverUrl: "http://pantalaimon:80" + +# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/), +# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL. +rawHomeserverUrl: "https://example.org" + +# Matrix Access Token to use, Draupnir will only use this if pantalaimon.use is false. +#accessToken: "YOUR_TOKEN_HERE" + +# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon) +pantalaimon: + # Whether or not Draupnir will use pantalaimon to access the matrix homeserver, + # set to `true` if you're using pantalaimon. + # + # Be sure to point homeserverUrl to the pantalaimon instance. + # + # Draupnir will log in using the given username and password once, + # then store the resulting access token in a file under dataPath. + use: true + + # The username to login with. + username: draupnir + + # The password Draupnir will login with. + # + # After successfully logging in once, this will be ignored, so this value can be blanked after first startup. + password: "_DRAUPNIR_PASSWORD_" + +# The path Draupnir will store its state/data in, leave default ("/data/storage") when using containers. +dataPath: "/data/storage" + +# If true (the default), Draupnir will only accept invites from users present in managementRoom. +autojoinOnlyIfManager: true + +# If `autojoinOnlyIfManager` is false, only the members in this space can invite +# the bot to new rooms. +#acceptInvitesFromSpace: "!admin:example.org" + +# Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). +recordIgnoredInvites: true + +# The room ID (or room alias) of the management room, anyone in this room can issue commands to Draupnir. 
+# +# Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it! +# +# This should be a room alias or room ID - not a matrix.to URL. +# +# Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room. +# (see verboseLogging to adjust this a bit.) +managementRoom: "#draupnir:example.org" + +# Whether Draupnir should log a lot more messages in the room, +# mainly involves "all-OK" messages, and debugging messages for when draupnir checks bans in a room. +verboseLogging: false + +# The log level of terminal (or container) output, +# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. +# +# This should be at INFO or DEBUG in order to get support for Draupnir problems. +logLevel: "INFO" + +# Whether or not Draupnir should synchronize policy lists immediately after startup. +# Equivalent to running '!draupnir sync'. +syncOnStartup: true + +# Whether or not Draupnir should check moderation permissions in all protected rooms on startup. +# Equivalent to running `!draupnir verify`. +verifyPermissionsOnStartup: true + +# Whether or not Draupnir should actually apply bans and policy lists, +# turn on to trial some untrusted configuration or lists. +noop: false + +# Whether Draupnir should check member lists quicker (by using a different endpoint), +# keep in mind that enabling this will miss invited (but not joined) users. +# +# Turn on if your bot is in (very) large rooms, or in large amounts of rooms. +fasterMembershipChecks: false + +# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for. +# +# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list, +# it will also remove the user's messages automatically. +# +# Typically this is useful to avoid having to give two commands to the bot. +# Advanced: Use asterisks to have the reason match using "globs" +# (f.e. 
"spam*testing" would match "spam for testing" as well as "spamtesting"). +# +# See here for more info: https://www.digitalocean.com/community/tools/glob +# Note: Keep in mind that glob is NOT regex! +automaticallyRedactForReasons: + - "spam" + - "advertising" + +# A list of rooms to protect. Draupnir will add this to the list it knows from its account data. +# +# It won't, however, add it to the account data. +# Manually add the room via '!draupnir rooms add' to have it stay protected regardless if this config value changes. +# +# Note: These must be matrix.to URLs +#protectedRooms: + +# Whether or not to add all joined rooms to the "protected rooms" list +# (excluding the management room and watched policy list rooms, see below). +# +# Note that this effectively makes the protectedRooms and associated commands useless +# for regular rooms. +# +# Note: the management room is *excluded* from this condition. +# Explicitly add it as a protected room to protect it. +# +# Note: Ban list rooms the bot is watching but didn't create will not be protected. +# Explicitly add these rooms as a protected room list if you want them protected. +protectAllJoinedRooms: true + +# Increase this delay to have Draupnir wait longer between two consecutive backgrounded +# operations. The total duration of operations will be longer, but the homeserver won't +# be affected as much. Conversely, decrease this delay to have Draupnir chain operations +# faster. The total duration of operations will generally be shorter, but the performance +# of the homeserver may be more impacted. +backgroundDelayMS: 500 + +# Server administration commands, these commands will only work if Draupnir is +# a global server administrator, and the bot's server is a Synapse instance. +admin: + # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room + # (with enough permissions) to "make" a user an admin. 
+ # + # This only works if a local user with enough admin permissions is present in the room. + enableMakeRoomAdminCommand: true + +# Misc options for command handling and commands +commands: + # Whether or not the `!draupnir` prefix is necessary to submit commands. + # + # If `true`, will allow commands like `!ban`, `!help`, etc. + # + # Note: Draupnir can also be pinged by display name instead of having to use + # the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org" + # will address only my_moderator_bot. + allowNoPrefix: true + + # Any additional bot prefixes that Draupnir will listen to. i.e. adding `mod` will allow `!mod help`. + additionalPrefixes: + - "draupnir" + + # Whether or not commands with a wildcard (*) will require an additional `--force` argument + # in the command to be able to be submitted. + confirmWildcardBan: true + + # The default reasons to be prompted with if the reason is missing from a ban command. + ban: + defaultReasons: + - "spam" + - "brigading" + - "harassment" + - "disagreement" + +# Configuration specific to certain toggle-able protections +protections: + # Configuration for the wordlist plugin, which can ban users based if they say certain + # blocked words shortly after joining. + wordlist: + # A list of case-insensitive keywords that the WordList protection will watch for from new users. + # + # WordList will ban users who use these words when first joining a room, so take caution when selecting them. + # + # For advanced usage, regex can also be used, see the following links for more information; + # - https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions + # - https://regexr.com/ + # - https://regexone.com/ + words: + - "LoReM" + - "IpSuM" + - "DoLoR" + - "aMeT" + + # For how long (in minutes) the user is "new" to the WordList plugin. + # + # After this time, the user will no longer be banned for using a word in the above wordlist. 
+ # + # Set to zero to disable the timeout and make users *always* appear "new". + # (users will always be banned if they say a bad word) + minutesBeforeTrusting: 20 + +# Options for advanced monitoring of the health of the bot. +health: + # healthz options. These options are best for use in container environments + # like Kubernetes to detect how healthy the service is. The bot will report + # that it is unhealthy until it is able to process user requests. Typically + # this means that it'll flag itself as unhealthy for a number of minutes + # before saying "Now monitoring rooms" and flagging itself healthy. + # + # Health is flagged through HTTP status codes, defined below. + healthz: + # Whether the healthz integration should be enabled (default false) + enabled: true + + # The port to expose the webserver on. Defaults to 8080. + port: 80 + + # The address to listen for requests on. Defaults to all addresses. + address: "0.0.0.0" + + # The path to expose the monitoring endpoint at. Defaults to `/healthz` + endpoint: "/health" + + # The HTTP status code which reports that the bot is healthy/ready to + # process requests. Typically this should not be changed. Defaults to + # 200. + healthyStatus: 200 + + # The HTTP status code which reports that the bot is not healthy/ready. + # Defaults to 418. + unhealthyStatus: 418 + + # Sentry options. Sentry is a tool used to receive/collate/triage runtime + # errors and performance issues. Skip this section if you do not wish to use + # Sentry. + sentry: + # The key used to upload Sentry data to the server. + # dsn: "https://XXXXXXXXX@example.org/YYY + + # Frequency of performance monitoring. + # A number in [0.0, 1.0], where 0.0 means "don't bother with tracing" + # and 1.0 means "trace performance at every opportunity". + # tracesSampleRate: 0.5 + + + +# Options for exposing web APIs. +web: + # Whether to enable web APIs. + enabled: false + + # The port to expose the webserver on. Defaults to 8080. 
+ port: 8080 + + # The address to listen for requests on. Defaults to only the current + # computer. + address: localhost + + # Alternative setting to open to the entire web. Be careful, + # as this will increase your security perimeter: + # + # address: "0.0.0.0" + + # A web API designed to intercept Matrix API + # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId} + # and display readable abuse reports in the moderation room. + # + # If you wish to take advantage of this feature, you will need + # to configure a reverse proxy, see e.g. test/nginx.conf + abuseReporting: + # Whether to enable this feature. + enabled: false + +# Whether or not to actively poll synapse for abuse reports, to be used +# instead of intercepting client calls to synapse's abuse endpoint, when that +# isn't possible/practical. +pollReports: false + +# Whether or not new reports, received either by webapi or polling, +# should be printed to our managementRoom. +displayReports: false diff --git a/data/eturnal/eturnal.yml b/data/eturnal/eturnal.yml new file mode 100644 index 0000000..97b2e3b --- /dev/null +++ b/data/eturnal/eturnal.yml @@ -0,0 +1,27 @@ +eturnal: + listen: + - ip: "::" + port: 3478 + transport: udp + - ip: "::" + port: 3478 + transport: tcp + - ip: "::" + port: 5349 + transport: tls + relay_min_port: 49152 # This is the default. + relay_max_port: 65535 # This is the default. + strict_expiry: false # This is the default. + log_dir: "stdout" + log_level: info # critical | error | warning | notice | info | debug + log_rotate_size: 10485760 # 10 MiB (default: unlimited, i.e., no rotation). + log_rotate_count: 1 # Keep 10 rotated log files. + secret: "_ETURNAL_SECRET_" + relay_ipv4_addr: "_IPV4_" + relay_ipv6_addr: "100::" # CHANGE_ME + blacklist: # This is the default blacklist. + - "127.0.0.0/8" # IPv4 loopback. + - "::1" # IPv6 loopback. + - recommended +# whitelist: +# - "172.19.0.0/16" 
diff --git a/data/hookshot/config.yml b/data/hookshot/config.yml new file mode 100644 index 0000000..7c21fd1 --- /dev/null +++ b/data/hookshot/config.yml 
@@ -0,0 +1,175 @@ +# This is an example configuration file + +bridge: + # Basic homeserver configuration + domain: example.org + url: http://synapse:80 + mediaUrl: https://example.org + port: 9993 + bindAddress: 0.0.0.0 +passFile: /data/passkey.pem +logging: + # Logging settings. You can have a severity debug,info,warn,error + level: info + colorize: true + json: false + timestampFormat: HH:mm:ss:SSS +listeners: + # HTTP Listener configuration. + # Bind resource endpoints to ports and addresses. + # 'port' must be specified. Each listener must listen on a unique port. + # 'bindAddress' will default to '127.0.0.1' if not specified, which may not be suited to Docker environments. + # 'resources' may be any of webhooks, widgets, metrics, provisioning + - port: 9000 + bindAddress: 0.0.0.0 + resources: + - webhooks + - widgets + +#github: +# # (Optional) Configure this to enable GitHub support +# auth: +# # Authentication for the GitHub App. +# id: 123 +# privateKeyFile: github-key.pem +# webhook: +# # Webhook settings for the GitHub app. +# secret: secrettoken +# oauth: +# # (Optional) Settings for allowing users to sign in via OAuth. +# client_id: foo +# client_secret: bar +# redirect_uri: https://example.org/bridge_oauth/ +# defaultOptions: +# # (Optional) Default options for GitHub connections. +# showIssueRoomLink: false +# hotlinkIssues: +# prefix: "#" +# userIdPrefix: +# # (Optional) Prefix used when creating ghost users for GitHub accounts. +# _github_ + +#gitlab: +# # (Optional) Configure this to enable GitLab support +# instances: +# gitlab.com: +# url: https://gitlab.com +# webhook: +# secret: secrettoken +# publicUrl: https://example.org/hookshot/ +# userIdPrefix: +# # (Optional) Prefix used when creating ghost users for GitLab accounts. +# _gitlab_ +# commentDebounceMs: +# # (Optional) Aggregate comments by waiting this many miliseconds before posting them to Matrix. 
Defaults to 5000 (5 seconds) +# 5000 + +#figma: +# # (Optional) Configure this to enable Figma support +# publicUrl: https://example.org/hookshot/ +# instances: +# your-instance: +# teamId: your-team-id +# accessToken: your-personal-access-token +# passcode: your-webhook-passcode + +#jira: +# # (Optional) Configure this to enable Jira support. Only specify `url` if you are using a On Premise install (i.e. not atlassian.com) +# webhook: +# # Webhook settings for JIRA +# secret: secrettoken +# oauth: +# # (Optional) OAuth settings for connecting users to JIRA. See documentation for more information +# client_id: foo +# client_secret: bar +# redirect_uri: https://example.org/bridge_oauth/ + +generic: +# # (Optional) Support for generic webhook events. +# #'allowJsTransformationFunctions' will allow users to write short transformation snippets in code, and thus is unsafe in untrusted environments + + enabled: true + enableHttpGet: true + urlPrefix: https://example.org/hookshot/webhook/ + userIdPrefix: _webhooks_ + allowJsTransformationFunctions: false + waitForComplete: true + +feeds: + # (Optional) Configure this to enable RSS/Atom feed support + enabled: true + pollConcurrency: 4 + pollIntervalSeconds: 600 + pollTimeoutSeconds: 30 + +#provisioning: +# # (Optional) Provisioning API for integration managers +# secret: "!secretToken" + +bot: +# # (Optional) Define profile information for the bot user + displayname: Hookshot +# avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d + +#serviceBots: +# # (Optional) Define additional bot users for specific services +# - localpart: feeds +# displayname: Feeds +# avatar: ./assets/feeds_avatar.png +# prefix: "!feeds" +# service: feeds + +metrics: +# # (Optional) Prometheus metrics support + enabled: false + +queue: +# # (Optional) Message queue / cache configuration options for large scale deployments. +# # For encryption to work, must be set to monolithic mode and have a host & port specified. 
+ monolithic: true + port: 6379 + host: redis + +widgets: + # (Optional) EXPERIMENTAL support for complimentary widgets + addToAdminRooms: false + disallowedIpRanges: + - 127.0.0.0/8 + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 100.64.0.0/10 + - 192.0.0.0/24 + - 169.254.0.0/16 + - 192.88.99.0/24 + - 198.18.0.0/15 + - 192.0.2.0/24 + - 198.51.100.0/24 + - 203.0.113.0/24 + - 224.0.0.0/4 + - ::1/128 + - fe80::/10 + - fc00::/7 + - 2001:db8::/32 + - ff00::/8 + - fec0::/10 + roomSetupWidget: + addOnInvite: true + publicUrl: https://example.org/hookshot/widgetapi/v1/static/ + branding: + widgetTitle: Hookshot Configuration + +#sentry: +# # (Optional) Configure Sentry error reporting +# dsn: https://examplePublicKey@o0.ingest.sentry.io/0 +# environment: production + +permissions: + # (Optional) Permissions for using the bridge. See docs/setup.md#permissions for help + - actor: example.org + services: + - service: "*" + level: admin + + + diff --git a/data/hookshot/registration.yml b/data/hookshot/registration.yml new file mode 100644 index 0000000..d5bf03a --- /dev/null +++ b/data/hookshot/registration.yml 
@@ -0,0 +1,28 @@ +id: matrix-hookshot # This can be anything, but must be unique within your homeserver +as_token: _HOOKSHOT_AS_TOKEN_ # This again can be a random string +hs_token: _HOOKSHOT_HS_TOKEN_ # ..as can this +namespaces: + rooms: [] + users: # In the following, foobar is your homeserver's domain + - regex: "@_github_.*:example.org" + exclusive: true + - regex: "@_gitlab_.*:example.org" + exclusive: true + - regex: "@_jira_.*:example.org" + exclusive: true + - regex: "@_webhooks_.*:example.org" # Where _webhooks_ is set by userIdPrefix in config.yml + exclusive: true + - regex: "@feeds:example.org" # Matches the localpart of all serviceBots in config.yml + exclusive: true + aliases: + - regex: "#github_.+:example.org" # Where foobar is your homeserver's domain + exclusive: true + +sender_localpart: hookshot +url: "http://hookshot:9993" # This should match the bridge.port in your config file +rate_limited: false + +# If enabling encryption +de.sorunome.msc2409.push_ephemeral: true +push_ephemeral: true +org.matrix.msc3202: true diff --git a/data/nginx/nginx.conf b/data/nginx/nginx.conf new file mode 100644 index 0000000..474402c --- /dev/null +++ b/data/nginx/nginx.conf 
@@ -0,0 +1,90 @@ +events { + worker_connections 1024; +} + + + +http { + resolver 127.0.0.11 ipv6=off valid=60s; + + upstream web-client { + server web-client:80; + } + + + upstream synapse { + server synapse:80; + } + + upstream hookshot { + server hookshot:9000; + } + + + map $remote_addr $proxy_forwarded_elem { + # IPv4 addresses can be sent as-is + ~^[0-9.]+$ "for=$remote_addr"; + + # IPv6 addresses need to be bracketed and quoted + ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\""; + + # Unix domain socket names cannot be represented in RFC 7239 syntax + default "for=unknown"; + } + + map $http_forwarded $proxy_add_forwarded { + # If the incoming Forwarded header is syntactically valid, append to it + "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; + + # Otherwise, replace it + default "$proxy_forwarded_elem"; + } + + map $request_uri $backend { + # Defaults + "~^/(_matrix|_synapse)" synapse; + "~^/.well-known" synapse; + default web-client; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name example.org; + client_max_body_size 150M; + + proxy_redirect off; + port_in_redirect off; + proxy_set_header Host $host; + + # If not running this behind a reverse proxy, yeet these lines: + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + 
proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme"; + proxy_set_header Range $http_range; + proxy_set_header If-Range $http_if_range; + + + # Hookshot + location ^~ /hookshot { + rewrite ^/hookshot(/.*)$ $1 break; + proxy_pass http://hookshot; + } + + ssl_certificate /etc/ssl/certs/cert.pem; + ssl_certificate_key /etc/ssl/private/cert.key; + + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + location / { + add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src https: blob: data:; manifest-src 'self'; media-src *; script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'"; + proxy_pass http://$backend; + } + } +} diff --git a/data/pantalaimon/pantalaimon.conf b/data/pantalaimon/pantalaimon.conf new file mode 100644 index 0000000..fe1770f --- /dev/null +++ b/data/pantalaimon/pantalaimon.conf @@ -0,0 +1,11 @@ +[Default] +LogLevel = Debug +SSL = True + +[local-matrix] +Homeserver = http://synapse:80 +ListenAddress = 0.0.0.0 +ListenPort = 80 +SSL = False +UseKeyring = False +IgnoreVerification = True \ No newline at end of file diff --git a/data/synapse/config.yaml b/data/synapse/config.yaml new file mode 100644 index 0000000..f33a10f --- /dev/null +++ b/data/synapse/config.yaml 
@@ -0,0 +1,334 @@ +#################################################### +# # +# MAIN # +# # +# # +#################################################### + +# CHANGE_ME +# Copy these values from config.yaml.example +registration_shared_secret: _REGISTRATION_SECRET_ +macaroon_secret_key: _MACAROON_SECRET_ +form_secret: _FORM_SECRET_ +server_name: "example.org" + + +web_client_location: "https://example.org" # Web client location +public_baseurl: "https://example.org" +admin_contact: 'mailto:admin@example.org' + + +pid_file: /data/homeserver.pid +signing_key_path: /data/signing.key +serve_server_wellknown: true +report_stats: false + +key_refresh_interval: 1d +trusted_key_servers: + - server_name: "matrix.org" +suppress_key_server_warning: true +enable_metrics: true +log_config: "/data/log.config" +server_notices: + system_mxid_localpart: server + system_mxid_display_name: "Server Notices" + room_name: "Server Notices" + + + +app_service_config_files: +- /opt/appsvc/hookshot.registration.yml +- /data/appsvc/bridges/discord.registration.yaml +# - /data/appsvc/bridges/telegram.registration.yaml +- /data/appsvc/bridges/signal.registration.yaml +- /data/appsvc/bridges/instagram.registration.yaml +- /data/appsvc/bridges/twitter.registration.yaml +- /data/appsvc/bridges/googlechat.registration.yaml +- /data/appsvc/bridges/gmessages.registration.yaml +- /data/appsvc/bridges/linkedin.registration.yaml +- /data/appsvc/bridges/slack.registration.yaml +- /data/appsvc/bridges/whatsapp.registration.yaml +- /data/appsvc/bridges/facebook.registration.yaml +- /data/appsvc/bridges/steam.registration.yaml + +listeners: + - port: 80 + tls: false + type: http + x_forwarded: true + resources: + - names: [client] + compress: true + - names: [federation] + compress: true +# - names: [consent] +# compress: false + - port: 8009 + type: metrics + resources: + - names: [metrics] + compress: false + - port: 8011 + tls: false + type: http + resources: + - names: [health] + compress: false 
+database: + name: psycopg2 + args: + user: postgres + password: _PG_PASSWORD_ + database: synapse + host: postgres + port: 5432 + cp_min: 5 + cp_max: 10 + + +turn_uris: [ "turn:turn.example.org?transport=udp", "turn:turn.example.org?transport=tcp" ] +turn_shared_secret: "_ETURNAL_SECRET_" +turn_user_lifetime: 86400000 +turn_allow_guests: false + +# CHANGE_ME: if you have a SMTP sender server +email: + smtp_host: "smtp.example.org" + smtp_port: 587 + smtp_user: "admin@example.org" + smtp_pass: "12345" + force_tls: false + require_transport_security: false + enable_tls: true + notif_from: "example.org " + app_name: example.org + enable_notifs: true + notif_for_new_users: false + validation_token_lifetime: 1h + invite_client_location: https://example.org # Web-client location + + + +#################################################### +# # +# MEDIA # +# # +# # +#################################################### +media_store_path: /data/media_store +media_retention: + local_media_lifetime: 60d + remote_media_lifetime: 7d +dynamic_thumbnails: true +max_avatar_size: 15M +max_upload_size: 40M +max_image_pixels: 8M +allowed_avatar_mimetypes: ["image/png", "image/jpeg", "image/gif"] +url_preview_enabled: true +max_spider_size: 15M +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '192.0.0.0/24' + - '169.254.0.0/16' + - '192.88.99.0/24' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' + - '::1/128' + - 'fe80::/10' + - 'fc00::/7' + - '2001:db8::/32' + - 'ff00::/8' + - 'fec0::/10' + +url_preview_url_blacklist: + # blacklist any URL with a username in its URI + - username: '*' + + # blacklist all *.google.com URLs + - netloc: 'google.com' + - netloc: '*.google.com' + + # blacklist all plain HTTP URLs + - scheme: 'http' + + # blacklist http(s)://www.acme.com/foo + - netloc: 'www.acme.com' + path: '/foo' + + # blacklist any URL with a literal 
IPv4 address + - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +url_preview_accept_language: + - 'en-UK' + - 'en-US;q=0.9' + - 'fr;q=0.8' + - '*;q=0.7' + +#registration_shared_secret: "w4KM1-xy8.-YhVF3.uYDxiA8+Yv*x-2bsH*r&.EXVSkV=E_l@b" + + + + + + + + +#################################################### +# # +# USER SETTINGS # +# # +# # +#################################################### +# Sessions +session_lifetime: 14d +refresh_token_lifetime: 12h +nonrefreshable_access_token_lifetime: 7d +ui_auth: + session_timeout: "1m" +delete_stale_devices_after: 30d +login_via_existing_session: + enabled: true + require_ui_auth: true + token_timeout: "5m" +user_ips_max_age: 30d +default_identity_server: https://vector.im + +# Push Notifs +push: + enabled: true + include_content: true + group_unread_count_by_room: true + jitter_delay: "2s" + +# Registration requirements + +# CHANGE_ME: Captchas +# https://matrix-org.github.io/synapse/latest/CAPTCHA_SETUP.html +#recaptcha_public_key: +#recaptcha_private_key: +#enable_registration_captcha: true + +enable_registration: false # CHANGE_ME: If you want to enable public registration for your server +registration_requires_token: false # CHANGE_ME: If you want registration to require a admin-provisioned token +disable_msisdn_registration: true # Allows users to set an 3pid later after registering +allow_guest_access: false +#registrations_require_3pid: # CHANGE_ME +# - email +password_config: + enabled: true + localdb_enabled: true + pepper: "_PASSWORD_SALT_" + policy: + enabled: true + minimum_length: 10 + require_digit: true + require_symbol: true + require_lowercase: true + require_uppercase: true + +# Perms +enable_set_displayname: true +require_auth_for_profile_requests: true +allow_public_rooms_without_auth: false +allow_public_rooms_over_federation: false +require_membership_for_aliases: true +limit_profile_requests_to_users_who_share_rooms: false +allow_per_room_profiles: true +enable_search: true +user_directory: + 
enabled: true + search_all_users: true + prefer_local_users: true +enable_room_list_search: true + +# Limit complexity +limit_remote_rooms: + enabled: true + complexity: 40.0 + complexity_error: "This room is a bit too complex for this homeserver to handle, sorry." + admins_can_join: false + +# Auto Join Rooms +autocreate_auto_join_room_preset: public_chat +autocreate_auto_join_rooms: true +auto_join_rooms: + - "#general:example.org" +autocreate_auto_join_rooms_federated: false +auto_join_mxid_localpart: system +auto_join_rooms_for_guests: false + +# Retention policies +retention: + enabled: true + default_policy: + min_lifetime: 1d + max_lifetime: 1y + allowed_lifetime_min: 1d + allowed_lifetime_max: 1y + purge_jobs: + - longest_max_lifetime: 3d + interval: 12h + - shortest_max_lifetime: 3d + interval: 1d + +# Consent +#user_consent: +# block_events_error: >- +# You can't send any messages until you consent to the privacy policy at +# %(consent_uri)s. +# server_notice_content: +# msgtype: m.text +# body: >- +# Please give your consent to the privacy policy at %(consent_uri)s. 
+# require_at_registration: true +# template_dir: /data/privacy_policy_templates +# version: 1.0 + + +#################################################### +# # +# NETWORKING # +# # +# # +#################################################### + +presence: + enabled: false # CHANGE_ME: Higher resource usage if enabled, recommended to keep disabled +filter_timeline_limit: 5000 +event_cache_size: 10K +caches: + global_factor: 2.0 +# per_cache_factors: +# get_users_who_share_room_with_user: 1.5 + sync_response_cache_duration: 4m +# cache_autotuning: +# max_cache_memory_usage: 512M +# target_cache_memory_usage: 210M +# min_cache_ttl: 5m + +# Federation +federation: + client_timeout: 60s + max_short_retry_delay: 6s + max_long_retry_delay: 40s + max_short_retries: 10 + max_long_retries: 20 +federation_metrics_domains: + - matrix.org +rc_federation: + window_size: 700 + sleep_limit: 15 + sleep_delay: 400 + reject_limit: 30 + concurrent: 6 +federation_rr_transactions_per_room_per_second: 35 +allow_public_rooms_over_federation: true +allow_profile_lookup_over_federation: true +allow_device_name_lookup_over_federation: false diff --git a/data/synapse/log.config b/data/synapse/log.config new file mode 100644 index 0000000..46665ee --- /dev/null +++ b/data/synapse/log.config @@ -0,0 +1,38 @@ +version: 1 + +formatters: + precise: + + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + + +handlers: + + console: + class: logging.StreamHandler + formatter: precise + +loggers: + # This is just here so we can leave `loggers` in the config regardless of whether + # we configure other loggers below (avoid empty yaml dict error). + _placeholder: + level: "INFO" + + + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: INFO + + + + +root: + level: WARN + + + handlers: [console] + + +disable_existing_loggers: false \ No newline at end of file 
diff --git a/data/synapse/privacy_policy_templates/en/1.0.html b/data/synapse/privacy_policy_templates/en/1.0.html new file mode 100644 index 0000000..321c7e4 --- /dev/null +++ b/data/synapse/privacy_policy_templates/en/1.0.html @@ -0,0 +1,26 @@ + + + + Matrix.org Privacy policy + + + {% if has_consented %} +

+ Your base already belong to us. +

+ {% else %} +

+ All your base are belong to us. +

+ {% if not public_version %} + +
+ + + + +
+ {% endif %} + {% endif %} + + diff --git a/data/synapse/privacy_policy_templates/en/success.html b/data/synapse/privacy_policy_templates/en/success.html new file mode 100644 index 0000000..d55e90c --- /dev/null +++ b/data/synapse/privacy_policy_templates/en/success.html @@ -0,0 +1,11 @@ + + + + Matrix.org Privacy policy + + +

+ Sweet. +

+ + diff --git a/data/web-client/web-client.config.json b/data/web-client/web-client.config.json new file mode 100644 index 0000000..0d82f9b --- /dev/null +++ b/data/web-client/web-client.config.json @@ -0,0 +1,55 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "https://example.org", + "server_name": "example.org" + }, + "m.identity_server": { + "base_url": "https://vector.im" + } + }, + "disable_custom_urls": true, + "disable_guests": true, + "disable_login_language_selector": false, + "disable_3pid_login": true, + "brand": "Schildi", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_widgets_urls": [ + "https://scalar.vector.im/_matrix/integrations/v1", + "https://scalar.vector.im/api", + "https://scalar-staging.vector.im/_matrix/integrations/v1", + "https://scalar-staging.vector.im/api", + "https://scalar-staging.riot.im/scalar/api" + ], + "bug_report_endpoint_url": "https://element.io/bugreports/submit", + "uisi_autorageshake_app": "element-auto-uisi", + "default_country_code": "GB", + "show_labs_settings": true, + "features": { + "feature_report_to_moderators": true, + "feature_pinning": true, + "feature_bridge_state": true + }, + "default_federate": true, + "default_theme": "dark", + "room_directory": { + "servers": ["matrix.org", "libera.chat", "gitter.im"] + }, + "enable_presence_by_hs_url": { + "https://matrix.org": true + }, + "setting_defaults": { + "breadcrumbs": true, + "UIFeature.registration": false + }, + "jitsi": { + "preferred_domain": "meet.jit.si" + }, + "element_call": { + "url": "https://call.element.io", + "participant_limit": 8, + "brand": "Element Call" + }, + "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx" +} diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..b15df95 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,446 @@ +version: '3' +services: + nginx: + container_name: nginx + image: nginx:stable-alpine + restart: unless-stopped + logging: + options: + max-size: "10m" + max-file: "3" + volumes: + - ./data/nginx/nginx.conf:/etc/nginx/nginx.conf:ro + - ./cert.key:/etc/ssl/private/cert.key:ro + - ./cert.pem:/etc/ssl/certs/cert.pem:ro + ports: + - 443:443 + networks: + - matrix + - client + depends_on: + web-client: + condition: service_started + cloudflared: + condition: service_started + synapse: + condition: service_healthy + hookshot: + condition: service_started + + web-client: + image: tcpipuk/schildichat-web:latest #@sha256:313cbb80d1fa394d595ccdd79be78db4ab97ab341897eb48acb0e818c9fff024 + # This is a community image, take note. + # Alternatively, use element, > vectorim/element-web:latest + container_name: web-client + restart: unless-stopped + logging: + options: + max-size: "10m" + max-file: "3" + volumes: +# - ./data/web-client/web-client.config.json:/app/config.json:Z # ELEMENT + - ./data/web-client/web-client.config.json:/usr/share/nginx/html/config.json:Z # SCHILDI + networks: + - client + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID + - CAP_NET_BIND_SERVICE + tmpfs: + - /var/run:size=50M,mode=0770,noexec,nosuid,nodev + - /var/cache/nginx:size=50M,mode=0770,noexec,nosuid,nodev + + postgres: + container_name: postgres + image: postgres:15-alpine + restart: unless-stopped + logging: + options: + max-size: "10m" + max-file: "3" + networks: + - matrix + healthcheck: + test: ["CMD", "pg_isready", "-U", "postgres"] + interval: 5s + timeout: 2s + environment: + - POSTGRES_PASSWORD=${PG_PASSWORD} + - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C + - POSTGRES_USER=postgres + - POSTGRES_DB=synapse + shm_size: 1g + runtime: runc + volumes: + - ./data/postgres:/var/lib/postgresql/data + + redis: + container_name: redis + image: redis:latest + restart: unless-stopped + 
logging: + options: + max-size: "10m" + max-file: "3" + healthcheck: + test: ["CMD", "redis-cli","ping"] + interval: 3s + timeout: 3s + networks: + - matrix + + synapse: + container_name: synapse + runtime: runc + image: matrixdotorg/synapse:latest + # Community image (https://mau.dev/maunium/synapse) + # Official image: matrixdotorg/synapse:latest + user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + environment: + - SYNAPSE_REPORT_STATS=no + - SYNAPSE_CONFIG_PATH=/data/config.yaml + - TZ=Lisbon/Europe + healthcheck: + test: ["CMD", "curl", "-fSs", "http://localhost:8011/health"] + interval: 2s + timeout: 3s + retries: 15 + start_period: 5s + networks: + - matrix + volumes: + - ./data/synapse:/data + - ./data/hookshot/registration.yml:/opt/appsvc/hookshot.registration.yml:ro + - ./data/bridges/discord/registration.yaml:/opt/appsvc/bridges/discord.registration.yaml:ro + - ./data/bridges/telegram/registration.yaml:/opt/appsvc/bridges/telegram.registration.yaml:ro + - ./data/bridges/signal/registration.yaml:/opt/appsvc/bridges/signal.registration.yaml:ro + - ./data/bridges/instagram/registration.yaml:/opt/appsvc/bridges/instagram.registration.yaml:ro + - ./data/bridges/twitter/registration.yaml:/opt/appsvc/bridges/twitter.registration.yaml:ro + - ./data/bridges/googlechat/registration.yaml:/opt/appsvc/bridges/googlechat.registration.yaml:ro + - ./data/bridges/gmessages/registration.yaml:/opt/appsvc/bridges/gmessages.registration.yaml:ro + - ./data/bridges/linkedin/registration.yaml:/opt/appsvc/bridges/linkedin.registration.yaml:ro + - ./data/bridges/slack/registration.yaml:/opt/appsvc/bridges/slack.registration.yaml:ro + - ./data/bridges/whatsapp/registration.yaml:/opt/appsvc/bridges/whatsapp.registration.yaml:ro + - ./data/bridges/facebook/registration.yaml:/opt/appsvc/bridges/facebook.registration.yaml:ro + - ./data/bridges/steam/registration.yaml:/opt/appsvc/bridges/steam.registration.yaml:ro + + depends_on: + 
postgres: + condition: service_healthy + redis: + condition: service_healthy + + draupnir: + container_name: draupnir + image: gnuxie/draupnir:latest + restart: unless-stopped + user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + privileged: true + healthcheck: + test: ["CMD", "curl", "-fSs", "http://localhost:80/health"] + interval: 2s + timeout: 3s + retries: 15 + start_period: 5s + networks: + - matrix + volumes: + - ./data/draupnir:/data + depends_on: + synapse: + condition: service_healthy + pantalaimon: + condition: service_started + + hookshot: + container_name: hookshot + image: halfshot/matrix-hookshot:latest + restart: unless-stopped + user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + networks: + - matrix + volumes: + - ./data/hookshot:/data + depends_on: + synapse: + condition: service_healthy + redis: + condition: service_healthy + + pantalaimon: + container_name: pantalaimon + build: ./pantalaimon + restart: unless-stopped + user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + networks: + - matrix + volumes: + - ./data/pantalaimon:/data + depends_on: + synapse: + condition: service_healthy + + eturnal: + container_name: eturnal + image: ghcr.io/processone/eturnal:latest + restart: unless-stopped + volumes: + - ./data/eturnal/eturnal.yml:/etc/eturnal.yml:ro + user: 9000:9000 + logging: + options: + max-size: "10m" + max-file: "3" + read_only: true + cap_drop: + - ALL + cap_add: + - NET_BIND_SERVICE + security_opt: + - no-new-privileges:true + network_mode: "host" + depends_on: + synapse: + condition: service_healthy + + signald: + container_name: signald + image: docker.io/signald/signald + user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + networks: + - matrix + volumes: + - ./data/signald:/signald + + mautrix-discord: + container_name: mautrix-discord + image: dock.mau.dev/mautrix/discord:latest + privileged: true # /shrug + #user: 991:991 + 
logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + volumes: + - ./data/bridges/discord:/data + networks: + - matrix + + mautrix-facebook: + container_name: mautrix-facebook + image: dock.mau.dev/mautrix/facebook:latest + privileged: true # /shrug + #user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + volumes: + - ./data/bridges/facebook:/data + networks: + - matrix + + mautrix-gmessages: + container_name: mautrix-gmessages + image: dock.mau.dev/mautrix/gmessages:latest + privileged: true # /shrug + #user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + volumes: + - ./data/bridges/gmessages:/data + networks: + - matrix + + mautrix-googlechat: + container_name: mautrix-googlechat + image: dock.mau.dev/mautrix/googlechat:latest + privileged: true # /shrug + #user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + volumes: + - ./data/bridges/googlechat:/data + networks: + - matrix + + mautrix-instagram: + container_name: mautrix-instagram + image: dock.mau.dev/mautrix/instagram:latest + privileged: true # /shrug + #user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + volumes: + - ./data/bridges/instagram:/data + networks: + - matrix + + beeper-linkedin: + container_name: beeper-linkedin + image: ghcr.io/beeper/linkedin:latest + privileged: true # /shrug + #user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + volumes: + - ./data/bridges/linkedin:/data + networks: + - matrix + + mautrix-signal: + container_name: mautrix-signal + image: dock.mau.dev/mautrix/signal:latest + restart: unless-stopped + privileged: true # /shrug + #user: 991:991 + volumes: + - ./data/bridges/signal:/data + - ./data/signald:/signald + logging: + options: + max-size: "10m" + max-file: "3" + networks: + - matrix + depends_on: + signald: + 
condition: service_started + + mautrix-slack: + container_name: mautrix-slack + image: dock.mau.dev/mautrix/slack:latest + privileged: true # /shrug + #user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + volumes: + - ./data/bridges/slack:/data + networks: + - matrix + + mx-puppet-steam: + container_name: mx-puppet-steam + image: ghcr.io/icewind1991/mx-puppet-steam:master + restart: unless-stopped + user: 991:991 + volumes: + - ./data/bridges/steam:/data + logging: + options: + max-size: "10m" + max-file: "3" + networks: + - matrix + + mautrix-telegram: + container_name: mautrix-telegram + image: dock.mau.dev/mautrix/telegram:latest + privileged: true # /shrug + #user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + volumes: + - ./data/bridges/telegram:/data + networks: + - matrix + + mautrix-twitter: + container_name: mautrix-twitter + image: dock.mau.dev/mautrix/twitter:latest + privileged: true # /shrug + #user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + volumes: + - ./data/bridges/twitter:/data + networks: + - matrix + + mautrix-whatsapp: + container_name: mautrix-whatsapp + image: dock.mau.dev/mautrix/whatsapp:latest + privileged: true # /shrug + #user: 991:991 + logging: + options: + max-size: "10m" + max-file: "3" + restart: unless-stopped + volumes: + - ./data/bridges/whatsapp:/data + networks: + - matrix + + cloudflared: + container_name: cloudflared + image: erisamoe/cloudflared + restart: always + command: tunnel run + logging: + options: + max-size: "10m" + max-file: "3" + networks: + - matrix + environment: + - TUNNEL_TOKEN=${TUNNEL_TOKEN} + +networks: + client: + name: client + driver: bridge + matrix: + name: matrix + driver: bridge diff --git a/init.sh b/init.sh new file mode 100755 index 0000000..8c93137 --- /dev/null +++ b/init.sh 
@@ -0,0 +1,95 @@ +#/bin/bash +set -x + +export $(cat .env | xargs) + +sudo apt-get update && apt-get install -y openssl dig +openssl req -x509 -newkey rsa:4096 -keyout ./cert.key -out ./cert.pem -days 3650 -subj "/CN=${DOMAIN_NAME}" -nodes + +git clone https://github.com/matrix-org/pantalaimon.git pantalaimon + +docker compose pull + +docker compose build + +docker run --rm --name synapse-generate -v ./data/synapse:/data -e SYNAPSE_REPORT_STATS=no -e SYNAPSE_CONFIG_PATH=/data/config.yaml.example -e SYNAPSE_SERVER_NAME=google.com matrixdotorg/synapse:latest generate + +SALT=$(openssl rand -hex 512) +PG_PASSWORD=$(openssl rand -hex 32) +ETURNAL_SECRET=$(openssl rand -hex 512) +IPV4=$(dig @1.1.1.1 ch txt whoami.Cloudflare +short) +DRAUPNIR_PW=$(openssl rand -hex 64) +REGISTRATION_SECRET=$(awk '/registration_shared_secret:/{gsub(/"/,""); print $2}' ./data/synapse/config.yaml.example) +MACAROON_SECRET=$(awk '/macaroon_secret_key:/{gsub(/"/,""); print $2}' ./data/synapse/config.yaml.example) +FORM_SECRET=$(awk '/form_secret:/{gsub(/"/,""); print $2}' ./data/synapse/config.yaml.example) +ESCAPED_REGISTRATION_SECRET=$(printf '%s\n' "$REGISTRATION_SECRET" | sed -e 's/[]\/$*.^[]/\\&/g'); +ESCAPED_FORM_SECRET=$(printf '%s\n' "$FORM_SECRET" | sed -e 's/[]\/$*.^[]/\\&/g'); +ESCAPED_MACAROON_SECRET=$(printf '%s\n' "$MACAROON_SECRET" | sed -e 's/[]\/$*.^[]/\\&/g'); + +find ./ -type f -exec sed -i -e "s|example.org|${DOMAIN_NAME}|g" {} \; +find ./ -type f -exec sed -i -e "s|_PASSWORD_SALT_|${SALT}|g" {} \; +find ./ -type f -exec sed -i -e "s|_ETURNAL_SECRET_|${ETURNAL_SECRET}|g" {} \; +find ./ -type f -exec sed -i -e "s|_PG_PASSWORD_|${PG_PASSWORD}|g" {} \; +find ./ -type f -exec sed -i -e "s|\"_IPV4_\"|${IPV4}|g" {} \; +find ./ -type f -exec sed -i -e "s|_DRAUPNIR_PASSWORD_|${DRAUPNIR_PW}|g" {} \; +find ./ -type f -exec sed -i -e "s|_REGISTRATION_SECRET_|\"${ESCAPED_REGISTRATION_SECRET}\"|g" {} \; +find ./ -type f -exec sed -i -e 
"s|_MACAROON_SECRET_|\"${ESCAPED_MACAROON_SECRET}\"|g" {} \; +find ./ -type f -exec sed -i -e "s|_FORM_SECRET_|\"${ESCAPED_FORM_SECRET}\"|g" {} \; + +# Cleanup Synapse files +mv ./data/synapse/*.signing.key ./data/synapse/signing.key +mv ./data/synapse/log.config ./data/synapse/log +rm ./data/synapse/*.log.config +mv ./data/synapse/log ./data/synapse/log.config +rm ./data/synapse/config.yaml.example + + +# Bridges +openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 +chmod 0770 passkey.pem +mv passkey.pem ./data/hookshot/passkey.pem +HOOKSHOT_AS_TOKEN=$(openssl rand -hex 32) +find ./ -type f -exec sed -i -e "s|_HOOKSHOT_AS_TOKEN_|${HOOKSHOT_AS_TOKEN}|g" {} \; +HOOKSHOT_HS_TOKEN=$(openssl rand -hex 32) +find ./ -type f -exec sed -i -e "s|_HOOKSHOT_HS_TOKEN_|${HOOKSHOT_HS_TOKEN}|g" {} \; +STEAM_AS_TOKEN=$(openssl rand -hex 32) +find ./ -type f -exec sed -i -e "s|_STEAM_AS_TOKEN_|${STEAM_AS_TOKEN}|g" {} \; +STEAM_HS_TOKEN=$(openssl rand -hex 32) +find ./ -type f -exec sed -i -e "s|_STEAM_HS_TOKEN_|${STEAM_HS_TOKEN}|g" {} \; +chown -R 991:991 ./data +chown -R 991:1337 ./data/bridges # why is this required :joy: +chmod -R 0770 ./data + +# Create registration files for mautrix bridges +docker compose up mautrix-discord -d +docker compose up mautrix-facebook -d +docker compose up mautrix-gmessages -d +docker compose up mautrix-googlechat -d +docker compose up mautrix-instagram -d +docker compose up beeper-linkedin -d +docker compose up mautrix-signal -d +docker compose up mautrix-slack -d +docker compose up mautrix-telegram -d +docker compose up mautrix-twitter -d +docker compose up mautrix-whatsapp # hacky + +sleep 5 + +docker compose down + +# Start everything up +docker compose up -d + + + +# After init stuff +docker exec -it synapse register_new_matrix_user http://localhost:80 -c /data/config.yaml -u draupnir -p ${DRAUPNIR_PW} -t bot --no-admin + +ADMIN_PW=$(openssl rand -hex 16) +docker exec -it synapse register_new_matrix_user 
http://localhost:80 -c /data/config.yaml -u admin -p ${ADMIN_PW} -t support -a + +echo "Done! Feel free to login with username \"admin\" and password \"${ADMIN_PW}\"" +echo "Please copy your admin password now as it won't be visible again, and change it on first login." + +# Prevent re-running this, lol +chmod -x ./init.sh diff --git a/todo.md b/todo.md new file mode 100644 index 0000000..a6cc5b9 --- /dev/null +++ b/todo.md @@ -0,0 +1,5 @@ +#### Guide TBD + +increase unix file handles +add swap ram space (maybe) +
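Review bot: In data/nginx/nginx.conf, `proxy_pass http://$backend;` and `proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";` depend on variables that nginx does not define on its own; confirm that `map` blocks for `$backend` and `$proxy_add_forwarded` exist in the part of the file outside this hunk, otherwise nginx rejects the config at startup. `ssl_protocols TLSv1.3;` with `ssl_session_tickets off;` is a reasonable choice for a personal server, but a one-line comment that TLS 1.2 clients are deliberately excluded would save the next maintainer a debugging session. In data/pantalaimon/pantalaimon.conf, `IgnoreVerification = True` makes the proxy encrypt to every device in a room, verified or not, which is what lets Draupnir run unattended; that trade-off deserves a comment next to the setting, and `LogLevel = Debug` in `[Default]` should be `Info` for a shipped config, since debug output from an E2EE proxy is verbose and is retained by the compose logging settings.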
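Review bot: In data/synapse/config.yaml, `app_service_config_files` lists the bridge registrations under `/data/appsvc/bridges/`, but docker-compose.yml mounts them at `/opt/appsvc/bridges/` (only the hookshot entry, `/opt/appsvc/hookshot.registration.yml`, matches); Synapse fails at startup when a listed registration file cannot be read, so one of the two path sets must change. `allow_public_rooms_over_federation` is set twice, `false` under the permissions block and `true` under the Federation block; YAML keeps the last value, so the room directory is in fact federated and the first entry should be removed or the two reconciled. The commented-out `#registration_shared_secret:` line just after `url_preview_accept_language` carries what looks like a real generated secret; delete the line rather than leaving it commented, and check the rest of the tree for copies. The `email` block ships `smtp_pass: "12345"` and `notif_from: "example.org "` (not a valid From address) while `enable_notifs: true`; either gate those values behind placeholders like the other CHANGE_ME settings or set `enable_notifs: false` until an SMTP relay is configured.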
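Review bot: The consent templates under data/synapse/privacy_policy_templates/en/ still contain the sample text from Synapse's documentation ("All your base are belong to us"), and `user_consent` is commented out in config.yaml, so they are dead weight in this commit; either drop them or replace the body of 1.0.html with a real policy before the consent block is enabled, since whatever that file contains is what users are recorded as having agreed to.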
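Review bot: In data/web-client/web-client.config.json, `bug_report_endpoint_url` points at `https://element.io/bugreports/submit` and `uisi_autorageshake_app` is set, so client logs (rageshakes) from this self-hosted deployment, including the automatic ones sent on decryption failures, go to Element's servers; for a personal homeserver that should be a deliberate choice, so either remove both keys or state in the README that they are intentionally left on.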
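Review bot: In docker-compose.yml, `privileged: true # /shrug` on draupnir and on every mautrix/beeper bridge grants those containers every capability and every host device; on the bridges `user: 991:991` is commented out next to it, and init.sh later does `chown -R 991:1337 ./data/bridges` because the mautrix images run as uid 1337, so the problem being papered over is volume ownership, and the fix is to set `user: 1337:1337` on the bridges, chown the volumes to match, and drop `privileged`. `TZ=Lisbon/Europe` on the synapse service is not a valid zoneinfo name; it should be `Europe/Lisbon`. The synapse service comments describe the mau.dev community image while `image:` is `matrixdotorg/synapse:latest`, so the comment is stale. Every image is pulled by a floating tag (`:latest`, `:master`, `:stable-alpine`) and the one digest pin, on web-client, is commented out; for a stack that holds session keys, bridge credentials and a tunnel token, pin at least synapse, postgres and cloudflared by digest, and prefer the vendor's own `cloudflare/cloudflared` image over `erisamoe/cloudflared`, which is the container that receives `TUNNEL_TOKEN`.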
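Review bot: In init.sh, `set -x` echoes every expanded command, so `SALT`, `PG_PASSWORD`, `ETURNAL_SECRET`, `DRAUPNIR_PW`, `ADMIN_PW` and the three Synapse secrets are all printed in clear to the terminal and to any log of the session; replace it with `set -euo pipefail` so a failed step stops the script instead. The escaping applied to the Synapse secrets (`sed -e 's/[]\/$*.^[]/\\&/g'`) covers pattern-side metacharacters, but the secrets are used on the replacement side of `s|...|...|`, where only `\`, `&` and the delimiter `|` matter; Synapse's generated secrets can contain `&` (the commented-out one in config.yaml does), and an unescaped `&` in the replacement expands to the matched placeholder text, yielding a corrupted secret. The shebang `#/bin/bash` is missing the `!`, so the script runs under whatever shell invokes it. `sudo apt-get update && apt-get install -y openssl dig` runs the install without sudo, and on Debian/Ubuntu `dig` comes from the `dnsutils` package, not a package named `dig`. `find ./ -type f -exec sed -i ...` rewrites every file under the checkout, including `.git/` and the freshly cloned `pantalaimon` tree; limit it to `.env` and `./data`. `chmod 0770 passkey.pem` leaves the hookshot private key group-writable; 0600, or 0640 with the bridge's group, is enough.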