From 7bcf928e85300eee6b26be73f5e9f6cc1e344771 Mon Sep 17 00:00:00 2001
From: Kevin Mo
Date: Thu, 26 Mar 2020 21:18:27 -0700
Subject: [PATCH 01/23] Save current changes

---
 homeserver.yaml | 2 +-
 matrix-appservice-irc/config.yaml | 506 ++++++++++++++++++++++++++++++
 misc/well-known | 3 +
 3 files changed, 510 insertions(+), 1 deletion(-)
 create mode 100644 matrix-appservice-irc/config.yaml
 create mode 100644 misc/well-known

diff --git a/homeserver.yaml b/homeserver.yaml
index fc395d3..a6f4646 100644
--- a/homeserver.yaml
+++ b/homeserver.yaml
@@ -7,7 +7,7 @@
 # e.g. matrix.org, localhost:8080, etc.
 # This is also the last part of your UserID.
 #
-server_name: "matrix.ocf.berkeley.edu"
+server_name: "ocf.berkeley.edu"
 
 # When running as a daemon, the file to store the pid in
 #
diff --git a/matrix-appservice-irc/config.yaml b/matrix-appservice-irc/config.yaml
new file mode 100644
index 0000000..bcc449c
--- /dev/null
+++ b/matrix-appservice-irc/config.yaml
@@ -0,0 +1,506 @@ +# Configuration specific to AS registration. Unless other marked, all fields +# are *REQUIRED*. +homeserver: + # The URL to the home server for client-server API calls, also used to form the + # media URLs as displayed in bridged IRC channels: + url: "https://matrix.ocf.berkeley.edu" + # + # The URL of the homeserver hosting media files. This is only used to transform + # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By + # default, this is the homeserver URL, specified above. + # + # media_url: "http://media.repo:8008" + + # Drop Matrix messages which are older than this number of seconds, according to + # the event's origin_server_ts. + # If the bridge is down for a while, the homeserver will attempt to send all missed + # events on reconnection. These events may be hours old, which can be confusing to + # IRC users if they are then bridged. This option allows these old messages to be + # dropped. + # CAUTION: This is a very coarse heuristic. Federated homeservers may have different + # clock times and hence produce different origin_server_ts values, which may be old + # enough to cause *all* events from the homeserver to be dropped. + # Default: 0 (don't ever drop) + # dropMatrixMessagesAfterSecs: 300 # 5 minutes + + # The 'domain' part for user IDs on this home server. Usually (but not always) + # is the "domain name" part of the HS URL. + domain: "ocf.berkeley.edu" + + # Should presence be enabled for matrix clients on this bridge. If disabled on the + # homeserver then it should also be disabled here to avoid excess traffic. + # Default: true + enablePresence: false + + # Which port should the appservice bind to. Takes priority over the one provided in the + # command line! Optional. + # bindPort: 9999 + + # Use this option to force the appservice to listen on another hostname for transactions. + # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional. 
+ # bindHostname: 0.0.0.0 + +# Configuration specific to the IRC service +ircService: + servers: + # The address of the server to connect to. + irc.ocf.berkeley.edu: + # A human-readable short name. This is used to label IRC status rooms + # where matrix users control their connections. + # E.g. 'ExampleNet IRC Bridge status'. + # It is also used in the Third Party Lookup API as the instance `desc` + # property, where each server is an instance. + name: "OCF Matrix Bridge status" + + # additionalAddresses: [ "irc2.example.com" ] + # + # [DEPRECATED] Use `name`, above, instead. + # A human-readable description string + # description: "Example.com IRC network" + + # An ID for uniquely identifying this server amongst other servers being bridged. + # networkId: "example" + + # URL to an icon used as the network icon whenever this network appear in + # a network list. (Like in the riot room directory, for instance.) + # icon: https://example.com/images/hash.png + + # The port to connect to. Optional. + port: 6697 + # Whether to use SSL or not. Default: false. + ssl: true + # Whether or not IRC server is using a self-signed cert or not providing CA Chain + sslselfsign: false + # Should the connection attempt to identify via SASL (if a server or user password is given) + # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS. + sasl: false + # Whether to allow expired certs when connecting to the IRC server. + # Usually this should be off. Default: false. + allowExpiredCerts: false + # A specific CA to trust instead of the default CAs. Optional. + #ca: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + # + # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional. + # password: 'pa$$w0rd' + # + # Whether or not to send connection/error notices to real Matrix users. Default: true. 
+ sendConnectionMessages: true + + quitDebounce: + # Whether parts due to net-splits are debounced for delayMs, to allow + # time for the netsplit to resolve itself. A netsplit is detected as being + # a QUIT rate higher than quitsPerSecond. Default: false. + enabled: false + # The maximum number of quits per second acceptable above which a netsplit is + # considered ongoing. Default: 5. + quitsPerSecond: 5 + # The time window in which to wait before bridging a QUIT to Matrix that occurred during + # a netsplit. Debouncing is jittered randomly between delayMinMs and delayMaxMs so that the HS + # is not sent many requests to leave rooms all at once if a netsplit occurs and many + # people to not rejoin. + # If the user with the same IRC nick as the one who sent the quit rejoins a channel + # they are considered back online and the quit is not bridged, so long as the rejoin + # occurs before the randomly-jittered timeout is not reached. + # Default: 3600000, = 1h + delayMinMs: 3600000 # 1h + # Default: 7200000, = 2h + delayMaxMs: 7200000 # 2h + + # A map for conversion of IRC user modes to Matrix power levels. This enables bridging + # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has + # been given multiple modes, the one that maps to the highest power level will be used. + modePowerMap: + o: 50 + v: 1 + + botConfig: + # Enable the presence of the bot in IRC channels. The bot serves as the entity + # which maps from IRC -> Matrix. You can disable the bot entirely which + # means IRC -> Matrix chat will be shared by active "M-Nick" connections + # in the room. If there are no users in the room (or if there are users + # but their connections are not on IRC) then nothing will be bridged to + # Matrix. If you're concerned about the bot being treated as a "logger" + # entity, then you may want to disable the bot. 
If you want IRC->Matrix + # but don't want to have TCP connections to IRC unless a Matrix user speaks + # (because your client connection limit is low), then you may want to keep + # the bot enabled. Default: true. + # NB: If the bot is disabled, you SHOULD have matrix-to-IRC syncing turned + # on, else there will be no users and no bot in a channel (meaning no + # messages to Matrix!) until a Matrix user speaks which makes a client + # join the target IRC channel. + # NBB: The bridge bot IRC client will still join the target IRC network so + # it can service bridge-specific queries from the IRC-side e.g. so + # real IRC clients have a way to change their Matrix display name. + # See https://github.com/matrix-org/matrix-appservice-irc/issues/55 + enabled: true + # The nickname to give the AS bot. + nick: "ocfchan" + # The password to give to NickServ or IRC Server for this nick. Optional. + # password: "helloworld" + # + # Join channels even if there are no Matrix users on the other side of + # the bridge. Set to false to prevent the bot from joining channels which have no + # real matrix users in them, even if there is a mapping for the channel. + # Default: true + joinChannelsIfNoUsers: true + + # Configuration for PMs / private 1:1 communications between users. + privateMessages: + # Enable the ability for PMs to be sent to/from IRC/Matrix. + # Default: true. + enabled: true + # Prevent Matrix users from sending PMs to the following IRC nicks. + # Optional. Default: []. + # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED + + # Should created Matrix PM rooms be federated? If false, only users on the + # HS attached to this AS will be able to interact with this room. + # Optional. Default: true. + federate: true + + # Configuration for mappings not explicitly listed in the 'mappings' + # section. + dynamicChannels: + # Enable the ability for Matrix users to join *any* channel on this IRC + # network. + # Default: false. 
+ enabled: false + # Should the AS create a room alias for the new Matrix room? The form of + # the alias can be modified via 'aliasTemplate'. Default: true. + createAlias: true + # Should the AS publish the new Matrix room to the public room list so + # anyone can see it? Default: true. + published: true + # What should the join_rule be for the new Matrix room? If 'public', + # anyone can join the room. If 'invite', only users with an invite can + # join the room. Note that if an IRC channel has +k or +i set on it, + # join_rules will be set to 'invite' until these modes are removed. + # Default: "public". + joinRule: public + # This will set the m.room.related_groups state event in newly created rooms + # with the given groupId. This means flares will show up on IRC users in those rooms. + # This should be set to the same thing as namespaces.users.group_id in irc_registration. + # This does not alter existing rooms. + # Leaving this option empty will not set the event. + groupId: +myircnetwork:localhost + # Should created Matrix rooms be federated? If false, only users on the + # HS attached to this AS will be able to interact with this room. + # Default: true. + federate: false + # Force this room version when creating IRC channels. Beware if the homeserver doesn't + # support the room version then the request will fail. By default, no version is requested. + # roomVersion: "1" + # The room alias template to apply when creating new aliases. This only + # applies if createAlias is 'true'. The following variables are exposed: + # $SERVER => The IRC server address (e.g. "irc.example.com") + # $CHANNEL => The IRC channel (e.g. "#python") + # This MUST have $CHANNEL somewhere in it. + # Default: '#irc_$SERVER_$CHANNEL' + aliasTemplate: "#irc_$CHANNEL" + # A list of user IDs which the AS bot will send invites to in response + # to a !join. Only applies if joinRule is 'invite'. 
Default: [] + # whitelist: + # - "@foo:example.com" + # - "@bar:example.com" + # + # Prevent the given list of channels from being mapped under any + # circumstances. + # exclude: ["#foo", "#bar"] + + # excludedUsers: + # - regex: "@.*:evilcorp.com" + # kickReason: "We don't like Evilcorp" + + # Configuration for controlling how Matrix and IRC membership lists are + # synced. + membershipLists: + # Enable the syncing of membership lists between IRC and Matrix. This + # can have a significant effect on performance on startup as the lists are + # synced. This must be enabled for anything else in this section to take + # effect. Default: false. + enabled: false + + # Syncing membership lists at startup can result in hundreds of members to + # process all at once. This timer drip feeds membership entries at the + # specified rate. Default: 10000. (10s) + floodDelayMs: 10000 + + global: + ircToMatrix: + # Get a snapshot of all real IRC users on a channel (via NAMES) and + # join their virtual matrix clients to the room. + initial: false + # Make virtual matrix clients join and leave rooms as their real IRC + # counterparts join/part channels. Default: false. + incremental: false + + matrixToIrc: + # Get a snapshot of all real Matrix users in the room and join all of + # them to the mapped IRC channel on startup. Default: false. + initial: false + # Make virtual IRC clients join and leave channels as their real Matrix + # counterparts join/leave rooms. Make sure your 'maxClients' value is + # high enough! Default: false. + incremental: false + + # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. + rooms: + - room: "!fuasirouddJoxtwfge:localhost" + matrixToIrc: + initial: false + incremental: false + + # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. + channels: + - channel: "#foo" + ircToMatrix: + initial: false + incremental: false + + mappings: + # 1:many mappings from IRC channels to room IDs on this IRC server. 
+ # The matrix room must already exist. Your matrix client should expose + # the room ID in a "settings" page for the room. + "#thepub": + roomIds: ["!kieouiJuedJoxtVdaG:localhost"] + # Channel key/password to use. Optional. If provided, matrix users do + # not need to know the channel key in order to join the channel. + # key: "secret" + + # Configuration for virtual matrix users. The following variables are + # exposed: + # $NICK => The IRC nick + # $SERVER => The IRC server address (e.g. "irc.example.com") + matrixClients: + # The user ID template to use when creating virtual matrix users. This + # MUST have $NICK somewhere in it. + # Optional. Default: "@$SERVER_$NICK". + # Example: "@irc.example.com_Alice:example.com" + userTemplate: "@irc_$NICK" + # The display name to use for created matrix clients. This should have + # $NICK somewhere in it if it is specified. Can also use $SERVER to + # insert the IRC domain. + # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" + displayName: "$NICK (IRC)" + # Number of tries a client can attempt to join a room before the request + # is discarded. You can also use -1 to never retry or 0 to never give up. + # Optional. Default: -1 + joinAttempts: -1 + + # Configuration for virtual IRC users. The following variables are exposed: + # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) + # $USERID => The user ID + # $DISPLAY => The display name of this user, with excluded characters + # (e.g. space) removed. If the user has no display name, this + # falls back to $LOCALPART. + ircClients: + # The template to apply to every IRC client nick. This MUST have either + # $DISPLAY or $USERID or $LOCALPART somewhere in it. + # Optional. Default: "M-$DISPLAY". Example: "M-Alice". + nickTemplate: "$DISPLAY[m]" + # True to allow virtual IRC clients to change their nick on this server + # by issuing !nick commands to the IRC AS bot. + # This is completely freeform: it will NOT follow the nickTemplate. 
+ allowNickChanges: false + # The max number of IRC clients that will connect. If the limit is + # reached, the client that spoke the longest time ago will be + # disconnected and replaced. + # Optional. Default: 30. + maxClients: 30 + # IPv6 configuration. + ipv6: + # Optional. Set to true to force IPv6 for outgoing connections. + only: false + # Optional. The IPv6 prefix to use for generating unique addresses for each + # connected user. If not specified, all users will connect from the same + # (default) address. This may require additional OS-specific work to allow + # for the node process to bind to multiple different source addresses + # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1 + # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library + # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. + # prefix: "2001:0db8:85a3::" # modify appropriately + # + # The maximum amount of time in seconds that the client can exist + # without sending another message before being disconnected. Use 0 to + # not apply an idle timeout. This value is ignored if this IRC server is + # mirroring matrix membership lists to IRC. Default: 172800 (48 hours) + idleTimeout: 10800 + # The number of millseconds to wait between consecutive reconnections if a + # client gets disconnected. Setting to 0 will cause the scheduling to be + # disabled, i.e. it will be scheduled immediately (with jitter. + # Otherwise, the scheduling interval will be used such that one client + # reconnect for this server will be handled every reconnectIntervalMs ms using + # a FIFO queue. + # Default: 5000 (5 seconds) + reconnectIntervalMs: 5000 + # The number of concurrent reconnects if a user has been disconnected unexpectedly + # (e.g. a netsplit). You should set this to a reasonably high number so that + # bridges are not waiting an eternity to reconnect all its clients if + # we see a massive number of disconnect. 
This is unrelated to the reconnectIntervalMs + # setting above which is for connecting on restart of the bridge. Set to 0 to + # immediately try to reconnect all users. + # Default: 50 + concurrentReconnectLimit: 50 + # The number of lines to allow being sent by the IRC client that has received + # a large block of text to send from matrix. If the number of lines that would + # be sent is > lineLimit, the text will instead be uploaded to matrix and the + # resulting URI is treated as a file. As such, a link will be sent to the IRC + # side instead of potentially spamming IRC and getting the IRC client kicked. + # Default: 3. + lineLimit: 3 + # A list of user modes to set on every IRC client. For example, "RiG" would set + # +R, +i and +G on every IRC connection when they have successfully connected. + # User modes vary wildly depending on the IRC network you're connecting to, + # so check before setting this value. Some modes may not work as intended + # through the bridge e.g. caller ID as there is no way to /ACCEPT. + # Default: "" (no user modes) + # userModes: "R" + # Set information about the bridged channel in the room state, so that client's may + # present relevant UI to the user. MSC2346 + bridgeInfoState: + enabled: false + initial: false + # Configuration for an ident server. If you are running a public bridge it is + # advised you setup an ident server so IRC mods can ban specific matrix users + # rather than the application service itself. + ident: + # True to listen for Ident requests and respond with the + # matrix user's user_id (converted to ASCII, respecting RFC 1413). + # Default: false. + enabled: false + # The port to listen on for incoming ident requests. + # Ports below 1024 require root to listen on, and you may not want this to + # run as root. Instead, you can get something like an Apache to yank up + # incoming requests to 113 to a high numbered port. Set the port to listen + # on instead of 113 here. + # Default: 113. 
+ port: 1113 + # The address to listen on for incoming ident requests. + # Default: 0.0.0.0 + address: "::" + + # Configuration for logging. Optional. Default: console debug level logging + # only. + logging: + # Level to log on console/logfile. One of error|warn|info|debug + level: "debug" + # The file location to log to. This is relative to the project directory. + logfile: "debug.log" + # The file location to log errors to. This is relative to the project + # directory. + errfile: "errors.log" + # Whether to log to the console or not. + toConsole: true + # The max number of files to keep. Files will be overwritten eventually due + # to rotations. + maxFiles: 5 + + # Metrics will then be available via GET /metrics on the bridge listening port (-p). + metrics: + # Whether to actually enable the metric endpoint. Default: false + enabled: true + # When collecting remote user active times, which "buckets" should be used. Defaults are given below. + # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). + remoteUserAgeBuckets: + - "1h" + - "1d" + - "1w" + + # Configuration options for the debug HTTP API. To access this API, you must + # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests. + # + # The debug API exposes the following endpoints: + # + # GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID. + # + # POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection. + # Format: new line delimited commands as per IRC protocol. + # + debugApi: + # True to enable the HTTP API endpoint. Default: false. + enabled: false + # The port to host the HTTP API. + port: 11100 + + # Configuration for the provisioning API. + # + # GET /_matrix/provision/link + # GET /_matrix/provision/unlink + # GET /_matrix/provision/listlinks + # + provisioning: + # True to enable the provisioning HTTP endpoint. Default: false. 
+ enabled: false + # The number of seconds to wait before giving up on getting a response from + # an IRC channel operator. If the channel operator does not respond within the + # allotted time period, the provisioning request will fail. + # Default: 300 seconds (5 mins) + requestTimeoutSeconds: 300 + # A file defining the provisioning rules for rooms. Format is documented + # in rules.sample.yaml. Leave undefined to not specify any rules. + ruleFile: "./provisioning.rules.yaml" + # Watch the file for changes, and apply the rules. Default: false + enableReload: true + + # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot + # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in + # the database. + # + # To generate a .pem file: + # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + # + # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords + # for storage in the database. Passwords are stored by using the admin room command + # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of + # the Matrix user, this password will be sent as the server password (PASS command). + passwordEncryptionKeyPath: "passkey.pem" + + # Config for Matrix -> IRC bridging + matrixHandler: + # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). + eventCacheSize: 4096 + + ircHandler: + # How many /leave requests can be ongoing at a time. + # This is used to stem the flow of requests in case of a mass quit/leave, which might + # slow down the homeserver. + leaveConcurrency: 10 + # Should we attempt to match an IRC side mention (nickaname match) + # with the nickname's owner's matrixId, if we are bridging them? + # "on" - Defaults to enabled, users can choose to disable. + # "off" - Defaults to disabled, users can choose to enable. + # "force-off" - Disabled, cannot be enabled. 
+ mapIrcMentionsToMatrix: "on" # This can be "on", "off", "force-off". +# Options here are generally only applicable to large-scale bridges and may have +# consequences greater than other options in this configuration file. +advanced: + # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited + # however for large bridges it is important to rate limit the bridge to avoid + # accidentally overloading the homeserver. Defaults to 1000, which should be + # enough for the vast majority of use cases. + maxHttpSockets: 1000 + # Max size of an appservice transaction payload, in bytes. Defaults to 10Mb + maxTxnSize: 10000000 + +# Capture information to a sentry.io instance +sentry: + enabled: false + dsn: "https://@sentry.io/" + # Optional. A tag to specify the production environment. Not set by default + # environment: "" + # Optional. A tag to specify the server name. Not set by default + # serverName: "" + +# Use an external database to store bridge state. +database: + # database engine (must be 'postgres' or 'nedb'). Default: nedb + engine: "postgres" + # Either a PostgreSQL connection string, or a path to the NeDB storage directory. + # For postgres, it must start with postgres:// + # For NeDB, it must start with nedb://. The path is relative to the project directory. + connectionString: "postgres://username:password@host:port/databasename" + diff --git a/misc/well-known b/misc/well-known new file mode 100644 index 0000000..93af0a5 --- /dev/null +++ b/misc/well-known @@ -0,0 +1,3 @@ +{ + "m.server": "matrix.ocf.berkeley.edu:443" +} From ac2ae25fae22a81642d46be74984cbd7c9e03a80 Mon Sep 17 00:00:00 2001 From: Kevin Mo Date: Tue, 14 Apr 2020 20:08:39 -0700 Subject: [PATCH 02/23] Add work on Matrix app service --- Dockerfile | 1 + homeserver.yaml | 5 +++-- irc-registration.yaml | 18 ++++++++++++++++++ matrix-appservice-irc/config.yaml | 18 ++++++++++-------- 4 files changed, 32 insertions(+), 10 deletions(-) create mode 100644 irc-registration.yaml 
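Review bot: `metrics.enabled: true` exposes an unauthenticated `GET /metrics` on the same port the bridge uses for appservice transactions (the comment above it says it is served on the bridge listening port), so anything that can reach that port can read per-user activity data; leave it `false` unless that port is restricted to the scrape target. `logging.level: "debug"` with `debug.log`/`errors.log` on disk is a production footgun too — debug output from this bridge is presumably verbose enough to include message metadata, worth confirming before it ships; `info` is the usual operating level. `database.connectionString: "postgres://username:password@host:port/databasename"` and `sentry.dsn` are placeholders today, but once filled in they are credentials in a committed file, so plan to inject them from a Secret or the environment rather than editing this file. The `botConfig.password` and `servers.*.password` keys stay commented out, which is the right place for them to stay.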
diff --git a/Dockerfile b/Dockerfile
index a3b29cd..09db941 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,3 +2,4 @@ ARG synapse_version=latest
 FROM matrixdotorg/synapse:${synapse_version}
 
 COPY homeserver.yaml /etc/matrix/homeserver.yaml
+COPY irc-registration.yaml /etc/matrix/irc-registration.yaml
diff --git a/homeserver.yaml b/homeserver.yaml
index a6f4646..0f30d0d 100644
--- a/homeserver.yaml
+++ b/homeserver.yaml
@@ -7,7 +7,7 @@
 # e.g. matrix.org, localhost:8080, etc.
 # This is also the last part of your UserID.
 #
-server_name: "ocf.berkeley.edu"
+server_name: "matrix.ocf.berkeley.edu"
 
 # When running as a daemon, the file to store the pid in
 #
@@ -1095,7 +1095,8 @@ report_stats: false
 
 # A list of application service config files to use
 #
-#app_service_config_files:
+app_service_config_files:
+  - /etc/matrix/irc-registration.yaml
 # - app_service_1.yaml
 # - app_service_2.yaml
 
diff --git a/irc-registration.yaml b/irc-registration.yaml
new file mode 100644
index 0000000..6d6aec8
--- /dev/null
+++ b/irc-registration.yaml
@@ -0,0 +1,18 @@
+id: 7ead698a63c9378cf0ba8d28b610b7e1dbdbd0bc4a31d5a642339715856309f9
+hs_token: 1c98e59fc1131fb6e84c7906edee2bbc8deeed1f4a7474ce0871e1e2950b6561
+as_token: b87f533e0f273f5c62b56734a7d3ce01014345b394adba171f7953903c1fa794
+namespaces:
+  users:
+    - exclusive: true
+      regex: '@.*_irc:matrix\.ocf\.berkeley\.edu'
+  aliases: []
+  rooms:
+    - exclusive: false
+      regex: '!YAkpfBukqCvewVzbVb:matrix.ocf.berkeley.edu'
+    - exclusive: false
+      regex: '!zEhTjofIhaNlSpzxlN:matrix.ocf.berkeley.edu'
+url: 'http://bolide.ocf.berkeley.edu:9999'
+sender_localpart: ocfchan
+rate_limited: false
+protocols:
+  - irc
diff --git a/matrix-appservice-irc/config.yaml b/matrix-appservice-irc/config.yaml
index bcc449c..6ba437a 100644
--- a/matrix-appservice-irc/config.yaml
+++ b/matrix-appservice-irc/config.yaml
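Review bot: `hs_token` and `as_token` are live appservice credentials committed in plaintext: whoever holds the `as_token` can act as any user in the `@.*_irc` namespace, and whoever holds the `hs_token` can push fabricated transactions to the bridge, so they should be generated at deploy time and mounted from a secret rather than checked in (if this file has already been pushed, rotate both — a later commit in this series does regenerate them, but the old values remain in history). `url: 'http://bolide.ocf.berkeley.edu:9999'` is plain HTTP to a remote host, so every transaction, including the `hs_token` Synapse presents with it, crosses the network unencrypted; use `https://` or keep the bridge reachable only over localhost or a cluster-internal address. Minor: the `rooms` regexes leave `.` unescaped, unlike the `users` one — `regex: '!YAkpfBukqCvewVzbVb:matrix\.ocf\.berkeley\.edu'` is what was presumably intended.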
@@ -25,7 +25,7 @@ homeserver: # The 'domain' part for user IDs on this home server. Usually (but not always) # is the "domain name" part of the HS URL. - domain: "ocf.berkeley.edu" + domain: "matrix.ocf.berkeley.edu" # Should presence be enabled for matrix clients on this bridge. If disabled on the # homeserver then it should also be disabled here to avoid excess traffic. @@ -200,7 +200,7 @@ ircService: # $CHANNEL => The IRC channel (e.g. "#python") # This MUST have $CHANNEL somewhere in it. # Default: '#irc_$SERVER_$CHANNEL' - aliasTemplate: "#irc_$CHANNEL" + aliasTemplate: "#$CHANNEL" # A list of user IDs which the AS bot will send invites to in response # to a !join. Only applies if joinRule is 'invite'. Default: [] # whitelist: @@ -265,11 +265,13 @@ ircService: # 1:many mappings from IRC channels to room IDs on this IRC server. # The matrix room must already exist. Your matrix client should expose # the room ID in a "settings" page for the room. - "#thepub": - roomIds: ["!kieouiJuedJoxtVdaG:localhost"] + "#test-matrix": + roomIds: ["!YAkpfBukqCvewVzbVb:matrix.ocf.berkeley.edu"] # Channel key/password to use. Optional. If provided, matrix users do # not need to know the channel key in order to join the channel. # key: "secret" + "#matrix": + roomIds: ["!zEhTjofIhaNlSpzxlN:matrix.ocf.berkeley.edu"] # Configuration for virtual matrix users. The following variables are # exposed: @@ -280,7 +282,7 @@ ircService: # MUST have $NICK somewhere in it. # Optional. Default: "@$SERVER_$NICK". # Example: "@irc.example.com_Alice:example.com" - userTemplate: "@irc_$NICK" + userTemplate: "@$NICK_irc" # The display name to use for created matrix clients. This should have # $NICK somewhere in it if it is specified. Can also use $SERVER to # insert the IRC domain. 
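Review bot: `aliasTemplate: "#$CHANNEL"` drops the `irc_`/`$SERVER` prefix, so bridge-created aliases now share the flat `#name:matrix.ocf.berkeley.edu` space with aliases ordinary users create, and because `$CHANNEL` includes the leading `#` (the comment above this line gives the example `"#python"`) the alias for `#python` comes out as `##python`. The registration added in this same commit declares `aliases: []`, so Synapse is also likely to refuse the bridge's alias creations since they fall outside any declared namespace; a prefixed template such as `aliasTemplate: "#irc_$CHANNEL"` with a matching `#irc_.*` alias namespace keeps the two worlds apart without having to claim every alias on the server. The `userTemplate: "@$NICK_irc"` change does line up with the registration's `@.*_irc` users regex, which is fine.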
@@ -301,7 +303,7 @@ ircService: # The template to apply to every IRC client nick. This MUST have either # $DISPLAY or $USERID or $LOCALPART somewhere in it. # Optional. Default: "M-$DISPLAY". Example: "M-Alice". - nickTemplate: "$DISPLAY[m]" + nickTemplate: "$DISPLAY-matrix" # True to allow virtual IRC clients to change their nick on this server # by issuing !nick commands to the IRC AS bot. # This is completely freeform: it will NOT follow the nickTemplate. @@ -498,9 +500,9 @@ sentry: # Use an external database to store bridge state. database: # database engine (must be 'postgres' or 'nedb'). Default: nedb - engine: "postgres" + engine: "nedb" # Either a PostgreSQL connection string, or a path to the NeDB storage directory. # For postgres, it must start with postgres:// # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: "postgres://username:password@host:port/databasename" + connectionString: "nedb://storage.db" From fc5c8efaf902c2774662e937cb2204785efc4695 Mon Sep 17 00:00:00 2001 From: Kevin Mo Date: Thu, 23 Apr 2020 01:31:40 -0700 Subject: [PATCH 03/23] Add bridge (matrix-appservice-irc) to Kubernetes --- .gitignore | 1 + Dockerfile | 2 +- irc-registration.yaml | 18 -------------- kubernetes/synapse.yml.erb | 26 +++++++++++++++++++-- matrix-appservice-irc/Dockerfile | 6 +++++ matrix-appservice-irc/Makefile | 14 +++++++++++ matrix-appservice-irc/config.yaml | 14 +++++------ matrix-appservice-irc/irc-registration.yaml | 20 ++++++++++++++++ 8 files changed, 73 insertions(+), 28 deletions(-) create mode 100644 .gitignore delete mode 100644 irc-registration.yaml create mode 100644 matrix-appservice-irc/Dockerfile create mode 100644 matrix-appservice-irc/Makefile create mode 100644 matrix-appservice-irc/irc-registration.yaml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..cfaad76 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.pem 
diff --git a/Dockerfile b/Dockerfile
index 09db941..a6d55fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,4 +2,4 @@ ARG synapse_version=latest
 FROM matrixdotorg/synapse:${synapse_version}
 
 COPY homeserver.yaml /etc/matrix/homeserver.yaml
-COPY irc-registration.yaml /etc/matrix/irc-registration.yaml
+COPY matrix-appservice-irc/irc-registration.yaml /etc/matrix/irc-registration.yaml
diff --git a/irc-registration.yaml b/irc-registration.yaml
deleted file mode 100644
index 6d6aec8..0000000
--- a/irc-registration.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: 7ead698a63c9378cf0ba8d28b610b7e1dbdbd0bc4a31d5a642339715856309f9
-hs_token: 1c98e59fc1131fb6e84c7906edee2bbc8deeed1f4a7474ce0871e1e2950b6561
-as_token: b87f533e0f273f5c62b56734a7d3ce01014345b394adba171f7953903c1fa794
-namespaces:
-  users:
-    - exclusive: true
-      regex: '@.*_irc:matrix\.ocf\.berkeley\.edu'
-  aliases: []
-  rooms:
-    - exclusive: false
-      regex: '!YAkpfBukqCvewVzbVb:matrix.ocf.berkeley.edu'
-    - exclusive: false
-      regex: '!zEhTjofIhaNlSpzxlN:matrix.ocf.berkeley.edu'
-url: 'http://bolide.ocf.berkeley.edu:9999'
-sender_localpart: ocfchan
-rate_limited: false
-protocols:
-  - irc
diff --git a/kubernetes/synapse.yml.erb b/kubernetes/synapse.yml.erb
index c13b69b..26f30c8 100644
--- a/kubernetes/synapse.yml.erb
+++ b/kubernetes/synapse.yml.erb
@@ -8,6 +8,8 @@ spec:
   ports:
     - port: 80
       targetPort: 8008
+    - port: 9995
+      targetPort: 9995
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -36,11 +38,20 @@ spec:
           env:
             - name: "SYNAPSE_CONFIG_PATH"
               value: "/etc/matrix/homeserver.yaml"
+        - name: matrix-appservice-irc
+          image: "docker.ocf.berkeley.edu/matrix-appservice-irc:latest"
+          ports:
+            - containerPort: 9995
+          volumeMounts:
+            - mountPath: /data
+              name: bridge-vol
       volumes:
         - name: vol
           persistentVolumeClaim:
             claimName: matrix-vol
-
+        - name: bridge-vol
+          persistentVolumeClaim:
+            claimName: matrix-bridge-vol
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
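Review bot: Publishing `port: 9995` on the Service is unnecessary and widens the bridge's attack surface: the bridge runs as a sidecar in the same Pod as Synapse (next hunk), so Synapse can reach it on `localhost:9995`, while the Service port makes the appservice transaction endpoint and the bridge's `/metrics` page reachable from the whole cluster. Drop the `- port: 9995` entry, point the registration `url` at `http://localhost:9995`, and set `bindHostname: 127.0.0.1` in the bridge config so it does not listen on the Pod IP at all. If the Service port is kept for an external reason, a NetworkPolicy limiting who may reach it would be the minimum.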
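Review bot: The new container mounts `bridge-vol` at `mountPath: /data`, which is the same directory the bridge image built in this commit COPYs `config.yaml`, the registration and `passkey.pem` into, so the PersistentVolume will hide those image files and the bridge will start against an empty (or stale) `/data`. Keep the volume for state only — e.g. mount it at `/data/db` and set `connectionString: "nedb:///data/db/storage.db"` — and deliver config, registration and the private key as ConfigMap/Secret mounts instead of baking them in. The image tag `:latest` also means a redeploy can silently pick up a different bridge version than the Makefile's pinned `release-0.17.0-rc3`; pin the tag you built. The Ingress after this hunk is unchanged context.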
@@ -66,4 +77,15 @@ spec:
     requests:
       storage: 10Gi
   storageClassName: managed-nfs-storage
-
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: matrix-bridge-vol
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: managed-nfs-storage
diff --git a/matrix-appservice-irc/Dockerfile b/matrix-appservice-irc/Dockerfile
new file mode 100644
index 0000000..14c5308
--- /dev/null
+++ b/matrix-appservice-irc/Dockerfile
@@ -0,0 +1,6 @@
+ARG bridge_version=latest
+FROM matrixdotorg/matrix-appservice-irc:${bridge_version}
+
+COPY config.yaml /data/config.yaml
+COPY irc-registration.yaml /data/appservice-registration-irc.yaml
+COPY tempkey.pem /data/passkey.pem
diff --git a/matrix-appservice-irc/Makefile b/matrix-appservice-irc/Makefile
new file mode 100644
index 0000000..c866b73
--- /dev/null
+++ b/matrix-appservice-irc/Makefile
@@ -0,0 +1,14 @@
+DOCKER_REVISION ?= matrix-appservice-irc-testing-$(USER)
+DOCKER_TAG = docker-push.ocf.berkeley.edu/matrix-appservice-irc:$(DOCKER_REVISION)
+RANDOM_PORT := $(shell expr $$(( 8000 + (`id -u` % 1000) + 2 )))
+
+BRIDGE_VERSION := release-0.17.0-rc3
+
+.PHONY: cook-image
+cook-image:
+	docker build --build-arg bridge_version=$(BRIDGE_VERSION) --pull -t $(DOCKER_TAG) .
+
+.PHONY: push-image
+push-image:
+	docker push $(DOCKER_TAG)
+
diff --git a/matrix-appservice-irc/config.yaml b/matrix-appservice-irc/config.yaml
index 6ba437a..e933d53 100644
--- a/matrix-appservice-irc/config.yaml
+++ b/matrix-appservice-irc/config.yaml
@@ -34,7 +34,7 @@ homeserver:
 
   # Which port should the appservice bind to. Takes priority over the one provided in the
   # command line! Optional.
-  # bindPort: 9999
+  bindPort: 9995
 
   # Use this option to force the appservice to listen on another hostname for transactions.
   # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional.
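Review bot: `COPY tempkey.pem /data/passkey.pem` bakes the RSA private key that decrypts users' stored IRC passwords into an image the Makefile pushes to `docker-push.ocf.berkeley.edu`, so anyone who can pull that image (or read a build-context copy) obtains the key; the `*.pem` gitignore only keeps it out of the repository. The same concern applies to `config.yaml` and the registration file once they carry real `as_token`/`hs_token` values or a NickServ password. Remove the three COPY lines and mount those files at runtime from a Kubernetes Secret (the Deployment already mounts a volume over `/data`, which would shadow the COPYed files anyway). If the key must stay on a volume, it should be `0600`, owned by the bridge's runtime user, on a volume not shared `ReadWriteMany` with other pods.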
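Review bot: `bindPort: 9995` is set, but `bindHostname` below it stays commented out, so the bridge listens for appservice transactions on every interface of the Pod rather than on the loopback that Synapse in the same Pod actually uses. Since nothing outside the Pod needs this endpoint, add `bindHostname: 127.0.0.1` alongside `bindPort: 9995`. Note also that the registration file added in this commit advertises port 9999, not 9995, so one of the two needs correcting before Synapse can deliver anything.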
@@ -50,7 +50,7 @@ ircService: # E.g. 'ExampleNet IRC Bridge status'. # It is also used in the Third Party Lookup API as the instance `desc` # property, where each server is an instance. - name: "OCF Matrix Bridge status" + name: "OCF Matrix" # additionalAddresses: [ "irc2.example.com" ] # @@ -138,7 +138,7 @@ ircService: # See https://github.com/matrix-org/matrix-appservice-irc/issues/55 enabled: true # The nickname to give the AS bot. - nick: "ocfchan" + nick: "matrix-bridge" # The password to give to NickServ or IRC Server for this nick. Optional. # password: "helloworld" # @@ -168,7 +168,7 @@ ircService: # Enable the ability for Matrix users to join *any* channel on this IRC # network. # Default: false. - enabled: false + enabled: true # Should the AS create a room alias for the new Matrix room? The form of # the alias can be modified via 'aliasTemplate'. Default: true. createAlias: true @@ -190,7 +190,7 @@ ircService: # Should created Matrix rooms be federated? If false, only users on the # HS attached to this AS will be able to interact with this room. # Default: true. - federate: false + federate: true # Force this room version when creating IRC channels. Beware if the homeserver doesn't # support the room version then the request will fail. By default, no version is requested. # roomVersion: "1" @@ -459,7 +459,7 @@ ircService: # for storage in the database. Passwords are stored by using the admin room command # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of # the Matrix user, this password will be sent as the server password (PASS command). - passwordEncryptionKeyPath: "passkey.pem" + passwordEncryptionKeyPath: "/data/passkey.pem" # Config for Matrix -> IRC bridging matrixHandler: 
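Review bot: Turning on `dynamicChannels` (`enabled: true`) and `federate: true` in the same commit means any user on any homeserver that federates with this one can have the bridge create a room for an arbitrary channel on the IRC network, whereas the previous `federate: false` limited that to local users, as the comment above that line explains. If that is intended, say so in a comment on `enabled: true`, because the combination decides who IRC operators will see arriving through the bridge; otherwise keep `federate: false` for dynamically created rooms. `passwordEncryptionKeyPath: "/data/passkey.pem"` also assumes the key is present under `/data` at runtime, which the Deployment's volume mount at that same path may not guarantee — worth confirming against the pod spec.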
@@ -504,5 +504,5 @@ database: # Either a PostgreSQL connection string, or a path to the NeDB storage directory. # For postgres, it must start with postgres:// # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: "nedb://storage.db" + connectionString: "nedb:///data/storage.db" diff --git a/matrix-appservice-irc/irc-registration.yaml b/matrix-appservice-irc/irc-registration.yaml new file mode 100644 index 0000000..9257ddf --- /dev/null +++ b/matrix-appservice-irc/irc-registration.yaml @@ -0,0 +1,20 @@ +id: 8932b3435f0dbb697307801fbcaedad2da2d29fa71c30d70ef433a21c0585db6 +hs_token: 711663d558bd4be0d41976a89347e86b14f7addcb15b661b14101e1f83196a53 +as_token: d81e0ccf5435cca28ee0140ccef48cf935810f95836865dc7014353c15e4a0fa +namespaces: + users: + - exclusive: true + regex: '@.*_irc:matrix\.ocf\.berkeley\.edu' + aliases: + - exclusive: true + regex: '#.*:matrix\.ocf\.berkeley\.edu' + rooms: + - exclusive: false + regex: '!YAkpfBukqCvewVzbVb:matrix.ocf.berkeley.edu' + - exclusive: false + regex: '!zEhTjofIhaNlSpzxlN:matrix.ocf.berkeley.edu' +url: 'https://matrix.ocf.berkeley.edu:9999' +sender_localpart: matrix-bridge +rate_limited: false +protocols: + - irc From 3ac8c87149fddca56584a05915babd75d32e0394 Mon Sep 17 00:00:00 2001 From: encadyma Date: Thu, 23 Apr 2020 02:15:50 -0700 Subject: [PATCH 04/23] Switch to test deploys using testing versions --- kubernetes/synapse.yml.erb | 13 ++++++++----- matrix-appservice-irc/config.yaml | 2 +- matrix-appservice-irc/irc-registration.yaml | 2 +- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/kubernetes/synapse.yml.erb b/kubernetes/synapse.yml.erb index 26f30c8..1b02339 100644 --- a/kubernetes/synapse.yml.erb +++ b/kubernetes/synapse.yml.erb @@ -6,9 +6,11 @@ spec: selector: app: matrix ports: - - port: 80 + - name: matrix-port + port: 80 targetPort: 8008 - - port: 9995 + - name: bridge-port + port: 9995 targetPort: 9995 --- apiVersion: apps/v1 
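Review bot: `url: 'https://matrix.ocf.berkeley.edu:9999'` does not match the `bindPort: 9995` this same commit sets in config.yaml or the 9995 port it exposes on the Deployment and Service, so synapse will push transactions to a port nothing listens on. The new `aliases` entry `regex: '#.*:matrix\.ocf\.berkeley\.edu'` with `exclusive: true` matches every room alias on the homeserver, since all aliases begin with `#`, which will block ordinary users from creating aliases at all; narrow it to the fixed prefix the bridge's `aliasTemplate` produces. `hs_token` and `as_token` are committed here in cleartext (as the values in the file this commit deletes were); they are the shared secrets that authenticate the appservice to the homeserver, so they should be templated out of the repository and the committed values rotated.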
@@ -29,7 +31,8 @@ spec: spec: containers: - name: matrix-synapse - image: "docker.ocf.berkeley.edu/synapse:<%= version %>" + # TODO: replace with versions + image: "docker.ocf.berkeley.edu/synapse:matrix-testing-kmo" ports: - containerPort: 8008 volumeMounts: @@ -39,11 +42,11 @@ spec: - name: "SYNAPSE_CONFIG_PATH" value: "/etc/matrix/homeserver.yaml" - name: matrix-appservice-irc - image: "docker.ocf.berkeley.edu/matrix-appservice-irc:latest" + image: "docker.ocf.berkeley.edu/matrix-appservice-irc:matrix-appservice-irc-testing-kmo" ports: - containerPort: 9995 volumeMounts: - - mountPath: /data + - mountPath: /db name: bridge-vol volumes: - name: vol diff --git a/matrix-appservice-irc/config.yaml b/matrix-appservice-irc/config.yaml index e933d53..9919c4f 100644 --- a/matrix-appservice-irc/config.yaml +++ b/matrix-appservice-irc/config.yaml @@ -504,5 +504,5 @@ database: # Either a PostgreSQL connection string, or a path to the NeDB storage directory. # For postgres, it must start with postgres:// # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: "nedb:///data/storage.db" + connectionString: "nedb:///db/storage.db" diff --git a/matrix-appservice-irc/irc-registration.yaml b/matrix-appservice-irc/irc-registration.yaml index 9257ddf..d90a3b5 100644 --- a/matrix-appservice-irc/irc-registration.yaml +++ b/matrix-appservice-irc/irc-registration.yaml @@ -13,7 +13,7 @@ namespaces: regex: '!YAkpfBukqCvewVzbVb:matrix.ocf.berkeley.edu' - exclusive: false regex: '!zEhTjofIhaNlSpzxlN:matrix.ocf.berkeley.edu' -url: 'https://matrix.ocf.berkeley.edu:9999' +url: 'https://matrix.ocf.berkeley.edu:9995' sender_localpart: matrix-bridge rate_limited: false protocols: From 07e63465809c0173abaf24c2c450ae7b2e4a32e1 Mon Sep 17 00:00:00 2001 
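Review bot: `url: 'https://matrix.ocf.berkeley.edu:9995'` fixes the port number but still routes the homeserver through the public hostname with TLS to a port that, as far as this series shows, is only exposed as a plain-HTTP cluster Service on 9995 and is served by the bridge with no TLS configuration, so the connection will most likely fail at the handshake. Since the bridge runs as a sidecar in the synapse pod in this commit, the in-pod address `url: 'http://localhost:9995'` is what synapse needs, or a cluster-internal Service name once the bridge is split out.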
From: Kevin Mo Date: Thu, 23 Apr 2020 02:37:10 -0700 Subject: [PATCH 05/23] Change irc-registration to be internal --- matrix-appservice-irc/irc-registration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/matrix-appservice-irc/irc-registration.yaml b/matrix-appservice-irc/irc-registration.yaml index d90a3b5..cd8fa43 100644 --- a/matrix-appservice-irc/irc-registration.yaml +++ b/matrix-appservice-irc/irc-registration.yaml @@ -13,7 +13,7 @@ namespaces: regex: '!YAkpfBukqCvewVzbVb:matrix.ocf.berkeley.edu' - exclusive: false regex: '!zEhTjofIhaNlSpzxlN:matrix.ocf.berkeley.edu' -url: 'https://matrix.ocf.berkeley.edu:9995' +url: 'http://localhost:9995' sender_localpart: matrix-bridge rate_limited: false protocols: From 111ecc285370f3d44333562a4b86a11addf7734b Mon Sep 17 00:00:00 2001 From: Kevin Mo Date: Thu, 23 Apr 2020 12:03:18 -0700 Subject: [PATCH 06/23] Retune IRC bridge configuration --- matrix-appservice-irc/config.yaml | 53 ++++++++++--------------------- 1 file changed, 17 insertions(+), 36 deletions(-) diff --git a/matrix-appservice-irc/config.yaml b/matrix-appservice-irc/config.yaml index 9919c4f..40ad7e6 100644 --- a/matrix-appservice-irc/config.yaml +++ b/matrix-appservice-irc/config.yaml @@ -50,7 +50,7 @@ ircService: # E.g. 'ExampleNet IRC Bridge status'. # It is also used in the Third Party Lookup API as the instance `desc` # property, where each server is an instance. - name: "OCF Matrix" + name: "OCF" # additionalAddresses: [ "irc2.example.com" ] # @@ -136,7 +136,7 @@ ircService: # it can service bridge-specific queries from the IRC-side e.g. so # real IRC clients have a way to change their Matrix display name. # See https://github.com/matrix-org/matrix-appservice-irc/issues/55 - enabled: true + enabled: false # The nickname to give the AS bot. nick: "matrix-bridge" # The password to give to NickServ or IRC Server for this nick. Optional. 
@@ -181,12 +181,6 @@ ircService: # join_rules will be set to 'invite' until these modes are removed. # Default: "public". joinRule: public - # This will set the m.room.related_groups state event in newly created rooms - # with the given groupId. This means flares will show up on IRC users in those rooms. - # This should be set to the same thing as namespaces.users.group_id in irc_registration. - # This does not alter existing rooms. - # Leaving this option empty will not set the event. - groupId: +myircnetwork:localhost # Should created Matrix rooms be federated? If false, only users on the # HS attached to this AS will be able to interact with this room. # Default: true. 
@@ -222,44 +216,30 @@ ircService: # can have a significant effect on performance on startup as the lists are # synced. This must be enabled for anything else in this section to take # effect. Default: false. - enabled: false + enabled: true # Syncing membership lists at startup can result in hundreds of members to # process all at once. This timer drip feeds membership entries at the # specified rate. Default: 10000. (10s) - floodDelayMs: 10000 + floodDelayMs: 100 global: ircToMatrix: # Get a snapshot of all real IRC users on a channel (via NAMES) and # join their virtual matrix clients to the room. - initial: false + initial: true # Make virtual matrix clients join and leave rooms as their real IRC # counterparts join/part channels. Default: false. - incremental: false + incremental: true matrixToIrc: # Get a snapshot of all real Matrix users in the room and join all of # them to the mapped IRC channel on startup. Default: false. - initial: false + initial: true # Make virtual IRC clients join and leave channels as their real Matrix # counterparts join/leave rooms. Make sure your 'maxClients' value is # high enough! Default: false. - incremental: false - - # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. - rooms: - - room: "!fuasirouddJoxtwfge:localhost" - matrixToIrc: - initial: false - incremental: false - - # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. - channels: - - channel: "#foo" - ircToMatrix: - initial: false - incremental: false + incremental: true mappings: # 1:many mappings from IRC channels to room IDs on this IRC server. 
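Review bot: `floodDelayMs: 100` feeds membership changes to the IRC server a hundred times faster than the 10000 default documented just above it, while the same hunk turns on `initial: true` and `incremental: true` in both directions, so every restart will burst joins for every member of every mapped room; IRC servers commonly apply flood protection to exactly this pattern, so expect the initial sync to get throttled or disconnected. A value nearer the default (`floodDelayMs: 1000`) is a safer starting point, with a comment recording why it was lowered. The per-room and per-channel override blocks are removed rather than emptied, which is fine only if the bridge treats a missing `rooms:`/`channels:` key as "no overrides" — worth a quick check.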
@@ -287,7 +267,7 @@ ircService: # $NICK somewhere in it if it is specified. Can also use $SERVER to # insert the IRC domain. # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" - displayName: "$NICK (IRC)" + displayName: "$NICK" # Number of tries a client can attempt to join a room before the request # is discarded. You can also use -1 to never retry or 0 to never give up. # Optional. Default: -1 @@ -303,16 +283,16 @@ ircService: # The template to apply to every IRC client nick. This MUST have either # $DISPLAY or $USERID or $LOCALPART somewhere in it. # Optional. Default: "M-$DISPLAY". Example: "M-Alice". - nickTemplate: "$DISPLAY-matrix" + nickTemplate: "$LOCALPART-matrix" # True to allow virtual IRC clients to change their nick on this server # by issuing !nick commands to the IRC AS bot. # This is completely freeform: it will NOT follow the nickTemplate. - allowNickChanges: false + allowNickChanges: true # The max number of IRC clients that will connect. If the limit is # reached, the client that spoke the longest time ago will be # disconnected and replaced. # Optional. Default: 30. - maxClients: 30 + maxClients: 100 # IPv6 configuration. ipv6: # Optional. Set to true to force IPv6 for outgoing connections. @@ -329,8 +309,9 @@ ircService: # The maximum amount of time in seconds that the client can exist # without sending another message before being disconnected. Use 0 to # not apply an idle timeout. This value is ignored if this IRC server is - # mirroring matrix membership lists to IRC. Default: 172800 (48 hours) - idleTimeout: 10800 + # mirroring matrix membership lists to IRC. + # idleTimeout is set to 3 weeks (1814400) + idleTimeout: 1814400 # The number of millseconds to wait between consecutive reconnections if a # client gets disconnected. Setting to 0 will cause the scheduling to be # disabled, i.e. it will be scheduled immediately (with jitter. 
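Review bot: `displayName: "$NICK"` drops the ` (IRC)` suffix from bridged IRC users' Matrix display names, so a bridged user and a native Matrix user with the same name become indistinguishable in member lists; the suffix is a visible marker that an account is a puppet, and `displayName: "$NICK (IRC)"` keeps it at no cost. `allowNickChanges: true` in the same hunk lets Matrix users choose IRC nicks that ignore `nickTemplate`, so the `-matrix` suffix no longer reliably marks bridged clients on the IRC side either; if both are intended, a comment on each line stating the trade-off would help the next maintainer. The added comment `# idleTimeout is set to 3 weeks (1814400)` restates the value on the following line; an inline `idleTimeout: 1814400  # 3 weeks` says the same in less space.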
@@ -364,8 +345,8 @@ ircService: # Set information about the bridged channel in the room state, so that client's may # present relevant UI to the user. MSC2346 bridgeInfoState: - enabled: false - initial: false + enabled: true + initial: true # Configuration for an ident server. If you are running a public bridge it is # advised you setup an ident server so IRC mods can ban specific matrix users # rather than the application service itself. From 5127766e9da3284c7b9564437bff73c56466e3aa Mon Sep 17 00:00:00 2001 From: Kevin Mo Date: Thu, 23 Apr 2020 12:09:46 -0700 Subject: [PATCH 07/23] Bump up flood delay to 1000ms --- matrix-appservice-irc/config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/matrix-appservice-irc/config.yaml b/matrix-appservice-irc/config.yaml index 40ad7e6..618a7aa 100644 --- a/matrix-appservice-irc/config.yaml +++ b/matrix-appservice-irc/config.yaml @@ -221,7 +221,7 @@ ircService: # Syncing membership lists at startup can result in hundreds of members to # process all at once. This timer drip feeds membership entries at the # specified rate. Default: 10000. (10s) - floodDelayMs: 100 + floodDelayMs: 1000 global: ircToMatrix: From b71b4a0c07d266963d3ba55dbd5b64f5db5fdce6 Mon Sep 17 00:00:00 2001 From: Kevin Mo Date: Thu, 23 Apr 2020 12:53:59 -0700 Subject: [PATCH 08/23] Restructure repository to separate server & bridge --- Dockerfile.bridge | 6 +++ Dockerfile => Dockerfile.matrix | 0 Makefile | 10 ++-- kubernetes/bridge.yml.erb | 52 +++++++++++++++++++++ kubernetes/synapse.yml.erb | 31 ++---------- matrix-appservice-irc/Dockerfile | 6 --- matrix-appservice-irc/Makefile | 14 ------ matrix-appservice-irc/irc-registration.yaml | 2 +- 8 files changed, 69 insertions(+), 52 deletions(-) create mode 100644 Dockerfile.bridge rename Dockerfile => Dockerfile.matrix (100%) create mode 100644 kubernetes/bridge.yml.erb delete mode 100644 matrix-appservice-irc/Dockerfile delete mode 100644 matrix-appservice-irc/Makefile 
diff --git a/Dockerfile.bridge b/Dockerfile.bridge new file mode 100644 index 0000000..a313662 --- /dev/null +++ b/Dockerfile.bridge @@ -0,0 +1,6 @@ +ARG bridge_version=latest +FROM matrixdotorg/matrix-appservice-irc:${bridge_version} + +COPY matrix-appservice-irc/config.yaml /data/config.yaml +COPY matrix-appservice-irc/irc-registration.yaml /data/appservice-registration-irc.yaml +COPY matrix-appservice-irc/tempkey.pem /data/passkey.pem diff --git a/Dockerfile b/Dockerfile.matrix similarity index 100% rename from Dockerfile rename to Dockerfile.matrix diff --git a/Makefile b/Makefile index 1b6afab..0c5270c 100644 --- a/Makefile +++ b/Makefile @@ -1,18 +1,22 @@ DOCKER_REVISION ?= matrix-testing-$(USER) + SYNAPSE_DOCKER_TAG = docker-push.ocf.berkeley.edu/synapse:$(DOCKER_REVISION) +BRIDGE_DOCKER_TAG = docker-push.ocf.berkeley.edu/matrix-appservice-irc:$(DOCKER_REVISION) RIOT_DOCKER_TAG = docker-push.ocf.berkeley.edu/riot:$(DOCKER_REVISION) -RANDOM_PORT := $(shell expr $$(( 8000 + (`id -u` % 1000) + 2 ))) SYNAPSE_VERSION := v1.9.1-py3 RIOT_VERSION := v1.5.15 +BRIDGE_VERSION := release-0.17.0-rc3 .PHONY: cook-image cook-image: - docker build --build-arg synapse_version=$(SYNAPSE_VERSION) --pull -t $(SYNAPSE_DOCKER_TAG) . - docker build -f Dockerfile.riot --build-arg riot_version=$(RIOT_VERSION) --pull -t $(RIOT_DOCKER_TAG) . + docker build --build-arg synapse_version=$(SYNAPSE_VERSION) --pull -f Dockerfile.matrix -t $(SYNAPSE_DOCKER_TAG) . + docker build --build-arg bridge_version=$(BRIDGE_VERSION) --pull -f Dockerfile.bridge -t $(BRIDGE_DOCKER_TAG) . + docker build --build-arg riot_version=$(RIOT_VERSION) --pull -f Dockerfile.riot -t $(RIOT_DOCKER_TAG) . .PHONY: push-image push-image: docker push $(SYNAPSE_DOCKER_TAG) + docker push $(BRIDGE_DOCKER_TAG) docker push $(RIOT_DOCKER_TAG) diff --git a/kubernetes/bridge.yml.erb b/kubernetes/bridge.yml.erb new file mode 100644 index 0000000..89f78fe --- /dev/null +++ b/kubernetes/bridge.yml.erb 
@@ -0,0 +1,52 @@ +apiVersion: v1 +kind: Service +metadata: + name: matrix-bridge-service +spec: + selector: + app: matrix-bridge + ports: + - name: matrix-bridge-port + port: 9995 + targetPort: 9995 +-- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matrix-bridge-deployment + labels: + app: matrix-bridge +spec: + replicas: 1 + selector: + matchLabels: + app: matrix-bridge + template: + metadata: + labels: + app: matrix-bridge + spec: + containers: + - name: matrix-appservice-irc + image: "docker.ocf.berkeley.edu/matrix-appservice-irc:matrix-testing-kmo" + ports: + - containerPort: 9995 + volumeMounts: + - mountPath: /db + name: bridge-vol + volumes: + - name: bridge-vol + persistentVolumeClaim: + claimName: matrix-bridge-vol +-- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: matrix-bridge-vol +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10Gi + storageClassName: managed-nfs-storage diff --git a/kubernetes/synapse.yml.erb b/kubernetes/synapse.yml.erb index 1b02339..bd15c3b 100644 --- a/kubernetes/synapse.yml.erb +++ b/kubernetes/synapse.yml.erb @@ -9,10 +9,7 @@ spec: - name: matrix-port port: 80 targetPort: 8008 - - name: bridge-port - port: 9995 - targetPort: 9995 ---- +-- apiVersion: apps/v1 kind: Deployment metadata: @@ -41,21 +38,11 @@ spec: env: - name: "SYNAPSE_CONFIG_PATH" value: "/etc/matrix/homeserver.yaml" - - name: matrix-appservice-irc - image: "docker.ocf.berkeley.edu/matrix-appservice-irc:matrix-appservice-irc-testing-kmo" - ports: - - containerPort: 9995 - volumeMounts: - - mountPath: /db - name: bridge-vol - volumes: + volumes: - name: vol persistentVolumeClaim: claimName: matrix-vol - - name: bridge-vol - persistentVolumeClaim: - claimName: matrix-bridge-vol ---- +-- apiVersion: extensions/v1beta1 kind: Ingress metadata: 
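Review bot: The document separators in this new file are written as `--` (before the Deployment and before the PersistentVolumeClaim) instead of `---`, so the file is not three YAML documents but one document with stray `--` scalars that the parser will reject; the synapse.yml.erb hunks in this same commit also replace their existing `---` lines with `--`. Change each to `---`. The `image:` line hard-codes `matrix-testing-kmo`, a personal testing tag, where the synapse template previously used `<%= version %>`; restoring the template variable keeps the bridge deploy reproducible and independent of who last pushed that tag.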
@@ -80,15 +67,3 @@ spec: requests: storage: 10Gi storageClassName: managed-nfs-storage ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: matrix-bridge-vol -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 10Gi - storageClassName: managed-nfs-storage diff --git a/matrix-appservice-irc/Dockerfile b/matrix-appservice-irc/Dockerfile deleted file mode 100644 index 14c5308..0000000 --- a/matrix-appservice-irc/Dockerfile +++ /dev/null @@ -1,6 +0,0 @@ -ARG bridge_version=latest -FROM matrixdotorg/matrix-appservice-irc:${bridge_version} - -COPY config.yaml /data/config.yaml -COPY irc-registration.yaml /data/appservice-registration-irc.yaml -COPY tempkey.pem /data/passkey.pem diff --git a/matrix-appservice-irc/Makefile b/matrix-appservice-irc/Makefile deleted file mode 100644 index c866b73..0000000 --- a/matrix-appservice-irc/Makefile +++ /dev/null @@ -1,14 +0,0 @@ -DOCKER_REVISION ?= matrix-appservice-irc-testing-$(USER) -DOCKER_TAG = docker-push.ocf.berkeley.edu/matrix-appservice-irc:$(DOCKER_REVISION) -RANDOM_PORT := $(shell expr $$(( 8000 + (`id -u` % 1000) + 2 ))) - -BRIDGE_VERSION := release-0.17.0-rc3 - -.PHONY: cook-image -cook-image: - docker build --build-arg bridge_version=$(BRIDGE_VERSION) --pull -t $(DOCKER_TAG) . - -.PHONY: push-image -push-image: - docker push $(DOCKER_TAG) - diff --git a/matrix-appservice-irc/irc-registration.yaml b/matrix-appservice-irc/irc-registration.yaml index cd8fa43..4c8c304 100644 --- a/matrix-appservice-irc/irc-registration.yaml +++ b/matrix-appservice-irc/irc-registration.yaml @@ -13,7 +13,7 @@ namespaces: regex: '!YAkpfBukqCvewVzbVb:matrix.ocf.berkeley.edu' - exclusive: false regex: '!zEhTjofIhaNlSpzxlN:matrix.ocf.berkeley.edu' -url: 'http://localhost:9995' +url: 'http://matrix-bridge-service.app-matrix.svc.cluster.local:9995' sender_localpart: matrix-bridge rate_limited: false protocols: From 1e80bc26c9ddb84d03c941f25600384b61513adc Mon Sep 17 00:00:00 2001 
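Review bot: `url: 'http://matrix-bridge-service.app-matrix.svc.cluster.local:9995'` moves homeserver-to-bridge transaction traffic onto the cluster network in cleartext, where the `hs_token` in this file is the only authentication; that is the normal appservice model, but the Service is reachable from every pod in the cluster, so a NetworkPolicy restricting ingress on 9995 to the synapse pods would mean the token is not the sole thing between any in-cluster workload and the bridge. The namespace `app-matrix` is hard-coded in the URL while neither template shown here appears to set a namespace, so a deploy to any other namespace breaks silently; the short form `http://matrix-bridge-service:9995` resolves whenever both run in the same namespace.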
From: encadyma Date: Thu, 23 Apr 2020 13:23:57 -0700 Subject: [PATCH 09/23] Fix indentations and separations --- kubernetes/bridge.yml.erb | 8 ++++---- kubernetes/synapse.yml.erb | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/kubernetes/bridge.yml.erb b/kubernetes/bridge.yml.erb index 89f78fe..94d7631 100644 --- a/kubernetes/bridge.yml.erb +++ b/kubernetes/bridge.yml.erb @@ -9,7 +9,7 @@ spec: - name: matrix-bridge-port port: 9995 targetPort: 9995 --- +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -27,7 +27,7 @@ spec: app: matrix-bridge spec: containers: - - name: matrix-appservice-irc + - name: matrix-appservice-irc image: "docker.ocf.berkeley.edu/matrix-appservice-irc:matrix-testing-kmo" ports: - containerPort: 9995 @@ -35,10 +35,10 @@ spec: - mountPath: /db name: bridge-vol volumes: - - name: bridge-vol + - name: bridge-vol persistentVolumeClaim: claimName: matrix-bridge-vol --- +--- apiVersion: v1 kind: PersistentVolumeClaim metadata: diff --git a/kubernetes/synapse.yml.erb b/kubernetes/synapse.yml.erb index bd15c3b..5d0f345 100644 --- a/kubernetes/synapse.yml.erb +++ b/kubernetes/synapse.yml.erb @@ -9,7 +9,7 @@ spec: - name: matrix-port port: 80 targetPort: 8008 --- +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -36,13 +36,13 @@ spec: - mountPath: /data name: vol env: - - name: "SYNAPSE_CONFIG_PATH" - value: "/etc/matrix/homeserver.yaml" - volumes: + - name: "SYNAPSE_CONFIG_PATH" + value: "/etc/matrix/homeserver.yaml" + volumes: - name: vol persistentVolumeClaim: claimName: matrix-vol --- +--- apiVersion: extensions/v1beta1 kind: Ingress metadata: From 979ca4210795a05412f8ae6099404e6a28120472 Mon Sep 17 00:00:00 2001 
From: encadyma Date: Wed, 29 Apr 2020 22:08:41 -0700 Subject: [PATCH 10/23] Template out secrets in Matrix repository --- .gitignore | 2 + Dockerfile.bridge | 4 +- Dockerfile.matrix | 4 +- kubernetes/bridge.yml.erb | 17 ++- kubernetes/riot.yml.erb | 2 +- .../appservice-registration-irc.yaml.erb | 15 +++ .../secrets/bridge-config/config.yaml.erb | 108 ++++++++++++++++++ .../synapse-config/homeserver.yaml.erb | 78 +++++++++++++ kubernetes/synapse.yml.erb | 25 +++- misc/well-known | 3 - 10 files changed, 244 insertions(+), 14 deletions(-) create mode 100644 kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb create mode 100644 kubernetes/secrets/bridge-config/config.yaml.erb create mode 100644 kubernetes/secrets/synapse-config/homeserver.yaml.erb delete mode 100644 misc/well-known diff --git a/.gitignore b/.gitignore index cfaad76..1c0af2f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ *.pem +ocf-kubernetes-deploy-secret-*.erb +secret.yaml diff --git a/Dockerfile.bridge b/Dockerfile.bridge index a313662..d8fdbc7 100644 --- a/Dockerfile.bridge +++ b/Dockerfile.bridge @@ -1,6 +1,4 @@ ARG bridge_version=latest FROM matrixdotorg/matrix-appservice-irc:${bridge_version} -COPY matrix-appservice-irc/config.yaml /data/config.yaml -COPY matrix-appservice-irc/irc-registration.yaml /data/appservice-registration-irc.yaml -COPY matrix-appservice-irc/tempkey.pem /data/passkey.pem +# TODO: Deprecate this Dockerfile diff --git a/Dockerfile.matrix b/Dockerfile.matrix index a6d55fc..b761436 100644 --- a/Dockerfile.matrix +++ b/Dockerfile.matrix @@ -1,5 +1,5 @@ ARG synapse_version=latest FROM matrixdotorg/synapse:${synapse_version} -COPY homeserver.yaml /etc/matrix/homeserver.yaml -COPY matrix-appservice-irc/irc-registration.yaml /etc/matrix/irc-registration.yaml +# COPY homeserver.yaml /etc/matrix/homeserver.yaml +# COPY matrix-appservice-irc/irc-registration.yaml /etc/matrix/irc-registration.yaml 
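Review bot: The two `COPY` lines in Dockerfile.matrix are commented out rather than removed, leaving dead text that will drift from the paths the Kubernetes templates actually mount (`/etc/matrix-synapse/homeserver.yaml` per the synapse.yml.erb hunk in this commit); delete them and, if the image is meant to stay a thin wrapper over `matrixdotorg/synapse`, say so in one comment line as `Dockerfile.bridge` does with its `# TODO: Deprecate this Dockerfile`. With nothing copied in, both images are now the upstream image under a local tag, so the `cook-image` targets could pull and retag the upstream version directly instead of rebuilding.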
diff --git a/kubernetes/bridge.yml.erb b/kubernetes/bridge.yml.erb index 94d7631..396b1fd 100644 --- a/kubernetes/bridge.yml.erb +++ b/kubernetes/bridge.yml.erb @@ -32,12 +32,25 @@ spec: ports: - containerPort: 9995 volumeMounts: - - mountPath: /db - name: bridge-vol + - name: bridge-vol + mountPath: /db + - name: matrix-secrets + mountPath: /etc/matrix-shared + readOnly: true + - name: bridge-config + mountPath: /data + readOnly: true volumes: - name: bridge-vol persistentVolumeClaim: claimName: matrix-bridge-vol + - name: matrix-secrets + hostPath: + path: /opt/share/kubernetes/secrets/matrix + type: Directory + - name: bridge-config + secret: + secretName: bridge-config --- apiVersion: v1 kind: PersistentVolumeClaim diff --git a/kubernetes/riot.yml.erb b/kubernetes/riot.yml.erb index a11f81a..b9cded6 100644 --- a/kubernetes/riot.yml.erb +++ b/kubernetes/riot.yml.erb @@ -31,7 +31,7 @@ spec: app: riot spec: containers: - - image: "docker.ocf.berkeley.edu/riot:<%= version %>" + - image: "docker.ocf.berkeley.edu/riot:matrix-testing-kmo" imagePullPolicy: IfNotPresent name: riot-web readinessProbe: diff --git a/kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb b/kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb new file mode 100644 index 0000000..148211a --- /dev/null +++ b/kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb @@ -0,0 +1,15 @@ +id: <%= bridge_id %> +hs_token: <%= bridge_hs_token %> +as_token: <%= bridge_as_token %> +namespaces: + users: + - exclusive: true + regex: '@.*_irc:matrix\.ocf\.berkeley\.edu' + aliases: + - exclusive: true + regex: '#.*:matrix\.ocf\.berkeley\.edu' +url: 'http://matrix-bridge-service.app-matrix.svc.cluster.local:9995' +sender_localpart: matrix-bridge +rate_limited: false +protocols: + - irc diff --git a/kubernetes/secrets/bridge-config/config.yaml.erb b/kubernetes/secrets/bridge-config/config.yaml.erb new file mode 100644 index 0000000..9f970e6 --- /dev/null 
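Review bot: The `matrix-secrets` volume is a `hostPath` at `/opt/share/kubernetes/secrets/matrix`, which ties the pod to nodes that carry that directory, requires the pod to be permitted hostPath mounts, and exposes `bridge_passkey.pem` to any other workload that can mount the same host path or read the node filesystem; the synapse.yml.erb hunk in this commit mounts the same directory for the signing key. If distributing these files on-node is the cluster's convention, the mount should stay `readOnly: true` as it is here and the convention should be noted in a comment; otherwise a Kubernetes Secret, as already used for `bridge-config` in the same hunk, is the better home. Mounting `bridge-config` read-only at `/data` also means the relative `logfile: "debug.log"`/`errfile` paths in config.yaml.erb must not resolve under `/data`, or logging will fail on the read-only mount — confirm the bridge's working directory.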
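Review bot: `id: <%= bridge_id %>`, `hs_token: <%= bridge_hs_token %>` and `as_token: <%= bridge_as_token %>` are unquoted template expansions, so an empty or all-digit value is parsed as null or an integer rather than a string; homeserver.yaml.erb in this same commit quotes its `<%= ... %>` values, and these should match, e.g. `hs_token: "<%= bridge_hs_token %>"`. The `aliases` namespace `regex: '#.*:matrix\.ocf\.berkeley\.edu'` with `exclusive: true` still claims every alias on the homeserver, since all aliases start with `#`, which blocks alias creation by ordinary users; given `aliasTemplate: "#$CHANNEL"` in config.yaml.erb and `$CHANNEL` carrying the channel's own leading `#`, something like `'##.*:matrix\.ocf\.berkeley\.edu'` would claim only bridged aliases, if the channel prefix is always `#`. Dropping the `rooms` namespace is fine only if the two room IDs it listed are carried over as static `mappings` in the bridge config, which this commit's config.yaml.erb does not appear to include.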
+++ b/kubernetes/secrets/bridge-config/config.yaml.erb 
@@ -0,0 +1,108 @@ +homeserver: + url: "https://matrix.ocf.berkeley.edu" + domain: "matrix.ocf.berkeley.edu" + enablePresence: false + bindPort: 9995 + +ircService: + servers: + irc.ocf.berkeley.edu: + name: "OCF" + port: 6697 + ssl: true + sslselfsign: false + sasl: false + allowExpiredCerts: false + sendConnectionMessages: true + quitDebounce: + enabled: false + quitsPerSecond: 5 + delayMinMs: 3600000 # 1h + delayMaxMs: 7200000 # 2h + modePowerMap: + o: 50 + v: 1 + botConfig: + enabled: false + nick: "matrix-bridge" + joinChannelsIfNoUsers: true + privateMessages: + enabled: true + federate: true + dynamicChannels: + enabled: true + createAlias: true + published: true + joinRule: public + federate: true + aliasTemplate: "#$CHANNEL" + membershipLists: + enabled: true + floodDelayMs: 1000 + global: + ircToMatrix: + initial: true + incremental: true + matrixToIrc: + initial: true + incremental: true + matrixClients: + userTemplate: "@$NICK_irc" + displayName: "$NICK" + joinAttempts: -1 + ircClients: + nickTemplate: "$LOCALPART-matrix" + allowNickChanges: true + maxClients: 400 + ipv6: + only: false + idleTimeout: 1814400 + reconnectIntervalMs: 5000 + concurrentReconnectLimit: 50 + lineLimit: 3 + bridgeInfoState: + enabled: true + initial: true + ident: + enabled: false + port: 1113 + address: "::" + logging: + level: "debug" + logfile: "debug.log" + errfile: "errors.log" + toConsole: true + maxFiles: 5 + metrics: + enabled: true + remoteUserAgeBuckets: + - "1h" + - "1d" + - "1w" + debugApi: + enabled: false + port: 11100 + provisioning: + enabled: false + requestTimeoutSeconds: 300 + ruleFile: "./provisioning.rules.yaml" + enableReload: true + passwordEncryptionKeyPath: "/etc/matrix-shared/bridge_passkey.pem" + matrixHandler: + eventCacheSize: 4096 + ircHandler: + leaveConcurrency: 10 + mapIrcMentionsToMatrix: "on" + +advanced: + maxHttpSockets: 1000 + maxTxnSize: 10000000 + +sentry: + enabled: false + dsn: "https://@sentry.io/" + +database: + engine: "nedb" + 
connectionString: "nedb:///db/storage.db" + diff --git a/kubernetes/secrets/synapse-config/homeserver.yaml.erb b/kubernetes/secrets/synapse-config/homeserver.yaml.erb new file mode 100644 index 0000000..0120789 --- /dev/null +++ b/kubernetes/secrets/synapse-config/homeserver.yaml.erb @@ -0,0 +1,78 @@ +server_name: "matrix.ocf.berkeley.edu" +pid_file: /data/homeserver.pid +public_baseurl: https://matrix.ocf.berkeley.edu/ + +federation_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + +listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + resources: + - names: [client, federation] + compress: false + +admin_contact: 'mailto:help@ocf.berkeley.edu' + +acme: + enabled: false + port: 80 + bind_addresses: ['::', '0.0.0.0'] + reprovision_threshold: 30 + # FIXME: is this acme section necessary? + domain: matrix.example.com + account_key_file: /etc/matrix-shared/acme_account.key + +# TODO: Change to Postgres +database: + name: "sqlite3" + args: + database: "/data/homeserver.db" + +log_config: "/data/matrix.ocf.berkeley.edu.log.config" + +media_store_path: "/data/media_store" +enable_registration: false + +registration_shared_secret: "<%= registration_shared_secret %>" +enable_metrics: true +report_stats: false + +app_service_config_files: + - /etc/matrix-bridge/appservice-registration-irc.yaml + +macaroon_secret_key: "<%= macaroon_secret_key %>" + +form_secret: "<%= form_secret %>" + +signing_key_path: "/etc/matrix-shared/matrix.ocf.berkeley.edu.signing.key" +old_signing_keys: + # TODO: populate this section with the old key + +trusted_key_servers: + - server_name: "matrix.org" + +saml2_config: + sp_config: + metadata: + remote: + - url: https://auth.ocf.berkeley.edu/auth/realms/ocf/protocol/saml/descriptor + +password_config: + enabled: false + +stats: + enabled: true + bucket_size: 1d + retention: 1y + 
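Review bot: `ident: enabled: false` leaves the bridge without an ident server while the same file enables `dynamicChannels` and `federate: true`, so IRC operators who need to ban an abusive user can only ban the bridge's whole address; the bridge's own comment (`If you are running a public bridge it is advised you setup an ident server ...`, visible in the PATCH 06 hunk) recommends it for exactly this setup, so either enable it or record in a comment why not. `logging: level: "debug"` with `toConsole: true` and rotating `debug.log` files will presumably log message traffic and user identifiers in full; `"info"` is the usual production level. `sentry: dsn: "https://@sentry.io/"` is a placeholder next to `enabled: false` and the file has an `.erb` suffix with no template tags — drop the placeholder or template it so a later `enabled: true` cannot ship it.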
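Review bot: The `acme:` block keeps `domain: matrix.example.com` under `# FIXME: is this acme section necessary?` while `enabled: false`; with TLS terminated in front of the listener (`tls: false`, `x_forwarded: true`) the block is dead and should go, placeholder included. `old_signing_keys:` has only a comment beneath it, so it parses as null rather than an empty mapping; write `old_signing_keys: {}` or omit the key until there is an old key to list. `database:` remains `sqlite3` on the `/data` volume with a `# TODO: Change to Postgres`, which is fine for testing but should be tracked before the bridge and federation settings in this series are used in shared service.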
diff --git a/kubernetes/synapse.yml.erb b/kubernetes/synapse.yml.erb index 5d0f345..c266aea 100644 --- a/kubernetes/synapse.yml.erb +++ b/kubernetes/synapse.yml.erb @@ -33,15 +33,34 @@ spec: ports: - containerPort: 8008 volumeMounts: - - mountPath: /data - name: vol + - name: vol + mountPath: /data + - name: synapse-config + mountPath: /etc/matrix-synapse + readOnly: true + - name: bridge-config + mountPath: /etc/matrix-bridge + readOnly: true + - name: matrix-secrets + mountPath: /etc/matrix-shared + readOnly: true env: - name: "SYNAPSE_CONFIG_PATH" - value: "/etc/matrix/homeserver.yaml" + value: "/etc/matrix-synapse/homeserver.yaml" volumes: - name: vol persistentVolumeClaim: claimName: matrix-vol + - name: synapse-config + secret: + secretName: synapse-config + - name: bridge-config + secret: + secretName: bridge-config + - name: matrix-secrets + hostPath: + path: /opt/share/kubernetes/secrets/matrix + type: Directory --- apiVersion: extensions/v1beta1 kind: Ingress diff --git a/misc/well-known b/misc/well-known deleted file mode 100644 index 93af0a5..0000000 --- a/misc/well-known +++ /dev/null @@ -1,3 +0,0 @@ -{ - "m.server": "matrix.ocf.berkeley.edu:443" -} From 884e898aedcd415591c75dd1257ba1302e31ea65 Mon Sep 17 00:00:00 2001 From: Kevin Mo Date: Wed, 29 Apr 2020 22:21:38 -0700 Subject: [PATCH 11/23] Delete old template files --- homeserver.yaml | 1738 ------------------- matrix-appservice-irc/config.yaml | 489 ------ matrix-appservice-irc/irc-registration.yaml | 20 - 3 files changed, 2247 deletions(-) delete mode 100644 homeserver.yaml delete mode 100644 matrix-appservice-irc/config.yaml delete mode 100644 matrix-appservice-irc/irc-registration.yaml diff --git a/homeserver.yaml b/homeserver.yaml deleted file mode 100644 index 0f30d0d..0000000 --- a/homeserver.yaml +++ /dev/null 
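Review bot: The synapse pod mounts the whole `bridge-config` Secret at `/etc/matrix-bridge` but `app_service_config_files` reads only `appservice-registration-irc.yaml` from it, so the bridge's full config.yaml is also readable from the synapse container for no reason. Project just that key with `items:` on the secret volume (`- key: appservice-registration-irc.yaml` / `path: appservice-registration-irc.yaml`) so each container sees only what it consumes.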
@@ -1,1738 +0,0 @@ -# vim:ft=yaml - -## Server ## - -# The domain name of the server, with optional explicit port. -# This is used by remote servers to connect to this server, -# e.g. matrix.org, localhost:8080, etc. -# This is also the last part of your UserID. -# -server_name: "matrix.ocf.berkeley.edu" - -# When running as a daemon, the file to store the pid in -# -pid_file: /data/homeserver.pid - -# The path to the web client which will be served at /_matrix/client/ -# if 'webclient' is configured under the 'listeners' configuration. -# -#web_client_location: "/path/to/web/root" - -# The public-facing base URL that clients use to access this HS -# (not including _matrix/...). This is the same URL a user would -# enter into the 'custom HS URL' field on their client. If you -# use synapse with a reverse proxy, this should be the URL to reach -# synapse via the proxy. -# -public_baseurl: https://matrix.ocf.berkeley.edu/ - -# Set the soft limit on the number of file descriptors synapse can use -# Zero is used to indicate synapse should set the soft limit to the -# hard limit. -# -#soft_file_limit: 0 - -# Set to false to disable presence tracking on this homeserver. -# -#use_presence: false - -# Whether to require authentication to retrieve profile data (avatars, -# display names) of other users through the client API. Defaults to -# 'false'. Note that profile data is also available via the federation -# API, so this setting is of limited value if federation is enabled on -# the server. -# -#require_auth_for_profile_requests: true - -# Uncomment to require a user to share a room with another user in order -# to retrieve their profile information. Only checked on Client-Server -# requests. Profile requests from other servers should be checked by the -# requesting server. Defaults to 'false'. 
-# -#limit_profile_requests_to_users_who_share_rooms: true - -# If set to 'true', removes the need for authentication to access the server's -# public rooms directory through the client API, meaning that anyone can -# query the room directory. Defaults to 'false'. -# -#allow_public_rooms_without_auth: true - -# If set to 'true', allows any other homeserver to fetch the server's public -# rooms directory via federation. Defaults to 'false'. -# -#allow_public_rooms_over_federation: true - -# The default room version for newly created rooms. -# -# Known room versions are listed here: -# https://matrix.org/docs/spec/#complete-list-of-room-versions -# -# For example, for room version 1, default_room_version should be set -# to "1". -# -#default_room_version: "5" - -# The GC threshold parameters to pass to `gc.set_threshold`, if defined -# -#gc_thresholds: [700, 10, 10] - -# Set the limit on the returned events in the timeline in the get -# and sync operations. The default value is -1, means no upper limit. -# -#filter_timeline_limit: 5000 - -# Whether room invites to users on this server should be blocked -# (except those sent by local server admins). The default is False. -# -#block_non_admin_invites: true - -# Room searching -# -# If disabled, new messages will not be indexed for searching and users -# will receive errors when searching for messages. Defaults to enabled. -# -#enable_search: false - -# Restrict federation to the following whitelist of domains. -# N.B. we recommend also firewalling your federation listener to limit -# inbound federation traffic as early as possible, rather than relying -# purely on this application-layer restriction. If not specified, the -# default is to whitelist everything. -# -#federation_domain_whitelist: -# - lon.example.com -# - nyc.example.com -# - syd.example.com - -# Prevent federation requests from being sent to the following -# blacklist IP address CIDR ranges. 
If this option is not specified, or -# specified with an empty list, no ip range blacklist will be enforced. -# -# As of Synapse v1.4.0 this option also affects any outbound requests to identity -# servers provided by user input. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -federation_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' - - '::1/128' - - 'fe80::/64' - - 'fc00::/7' - -# List of ports that Synapse should listen on, their purpose and their -# configuration. -# -# Options for each listener include: -# -# port: the TCP port to bind to -# -# bind_addresses: a list of local addresses to listen on. The default is -# 'all local interfaces'. -# -# type: the type of listener. Normally 'http', but other valid options are: -# 'manhole' (see docs/manhole.md), -# 'metrics' (see docs/metrics-howto.md), -# 'replication' (see docs/workers.md). -# -# tls: set to true to enable TLS for this listener. Will use the TLS -# key/cert specified in tls_private_key_path / tls_certificate_path. -# -# x_forwarded: Only valid for an 'http' listener. Set to true to use the -# X-Forwarded-For header as the client IP. Useful when Synapse is -# behind a reverse-proxy. -# -# resources: Only valid for an 'http' listener. A list of resources to host -# on this port. Options for each resource are: -# -# names: a list of names of HTTP resources. See below for a list of -# valid resource names. -# -# compress: set to true to enable HTTP comression for this resource. -# -# additional_resources: Only valid for an 'http' listener. A map of -# additional endpoints which should be loaded via dynamic modules. -# -# Valid resource names are: -# -# client: the client-server API (/_matrix/client), and the synapse admin -# API (/_synapse/admin). Also implies 'media' and 'static'. 
-# -# consent: user consent forms (/_matrix/consent). See -# docs/consent_tracking.md. -# -# federation: the server-server API (/_matrix/federation). Also implies -# 'media', 'keys', 'openid' -# -# keys: the key discovery API (/_matrix/keys). -# -# media: the media API (/_matrix/media). -# -# metrics: the metrics interface. See docs/metrics-howto.md. -# -# openid: OpenID authentication. -# -# replication: the HTTP replication API (/_synapse/replication). See -# docs/workers.md. -# -# static: static resources under synapse/static (/_matrix/static). (Mostly -# useful for 'fallback authentication'.) -# -# webclient: A web client. Requires web_client_location to be set. -# -listeners: - # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - # - # Disabled by default. To enable it, uncomment the following. (Note that you - # will also need to give Synapse a TLS key and certificate: see the TLS section - # below.) - # - #- port: 8448 - # type: http - # tls: true - # resources: - # - names: [client, federation] - - # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - # - # If you plan to use a reverse proxy, please see - # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. - # - - port: 8008 - tls: false - type: http - x_forwarded: true - - resources: - - names: [client, federation] - compress: false - - # example additional_resources: - # - #additional_resources: - # "/_matrix/my/custom/endpoint": - # module: my_module.CustomRequestHandler - # config: {} - - # Turn on the twisted ssh manhole service on localhost on the given - # port. 
- # - #- port: 9000 - # bind_addresses: ['::1', '127.0.0.1'] - # type: manhole - - -## Homeserver blocking ## - -# How to reach the server admin, used in ResourceLimitError -# -admin_contact: 'mailto:help@ocf.berkeley.edu' - -# Global blocking -# -#hs_disabled: false -#hs_disabled_message: 'Human readable reason for why the HS is blocked' - -# Monthly Active User Blocking -# -# Used in cases where the admin or server owner wants to limit to the -# number of monthly active users. -# -# 'limit_usage_by_mau' disables/enables monthly active user blocking. When -# anabled and a limit is reached the server returns a 'ResourceLimitError' -# with error type Codes.RESOURCE_LIMIT_EXCEEDED -# -# 'max_mau_value' is the hard limit of monthly active users above which -# the server will start blocking user actions. -# -# 'mau_trial_days' is a means to add a grace period for active users. It -# means that users must be active for this number of days before they -# can be considered active and guards against the case where lots of users -# sign up in a short space of time never to return after their initial -# session. -# -# 'mau_limit_alerting' is a means of limiting client side alerting -# should the mau limit be reached. This is useful for small instances -# where the admin has 5 mau seats (say) for 5 specific people and no -# interest increasing the mau limit further. Defaults to True, which -# means that alerting is enabled -# -#limit_usage_by_mau: false -#max_mau_value: 50 -#mau_trial_days: 2 -#mau_limit_alerting: false - -# If enabled, the metrics for the number of monthly active users will -# be populated, however no one will be limited. If limit_usage_by_mau -# is true, this is implied to be true. -# -#mau_stats_only: false - -# Sometimes the server admin will want to ensure certain accounts are -# never blocked by mau checking. These accounts are specified here. 
-# -#mau_limit_reserved_threepids: -# - medium: 'email' -# address: 'reserved_user@example.com' - -# Used by phonehome stats to group together related servers. -#server_context: context - -# Resource-constrained homeserver Settings -# -# If limit_remote_rooms.enabled is True, the room complexity will be -# checked before a user joins a new remote room. If it is above -# limit_remote_rooms.complexity, it will disallow joining or -# instantly leave. -# -# limit_remote_rooms.complexity_error can be set to customise the text -# displayed to the user when a room above the complexity threshold has -# its join cancelled. -# -# Uncomment the below lines to enable: -#limit_remote_rooms: -# enabled: true -# complexity: 1.0 -# complexity_error: "This room is too complex." - -# Whether to require a user to be in the room to add an alias to it. -# Defaults to 'true'. -# -#require_membership_for_aliases: false - -# Whether to allow per-room membership profiles through the send of membership -# events with profile information that differ from the target's global profile. -# Defaults to 'true'. -# -#allow_per_room_profiles: false - -# How long to keep redacted events in unredacted form in the database. After -# this period redacted events get replaced with their redacted form in the DB. -# -# Defaults to `7d`. Set to `null` to disable. -# -#redaction_retention_period: 28d - -# How long to track users' last seen time and IPs in the database. -# -# Defaults to `28d`. Set to `null` to disable clearing out of old rows. -# -#user_ips_max_age: 14d - -# Message retention policy at the server level. -# -# Room admins and mods can define a retention period for their rooms using the -# 'm.room.retention' state event, and server admins can cap this period by setting -# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. -# -# If this feature is enabled, Synapse will regularly look for and purge events -# which are older than the room's maximum retention period. 
Synapse will also -# filter events received over federation so that events that should have been -# purged are ignored and not stored again. -# -retention: - # The message retention policies feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # Default retention policy. If set, Synapse will apply it to rooms that lack the - # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't - # matter much because Synapse doesn't take it into account yet. - # - #default_policy: - # min_lifetime: 1d - # max_lifetime: 1y - - # Retention policy limits. If set, a user won't be able to send a - # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime' - # that's not within this range. This is especially useful in closed federations, - # in which server admins can make sure every federating server applies the same - # rules. - # - #allowed_lifetime_min: 1d - #allowed_lifetime_max: 1y - - # Server admins can define the settings of the background jobs purging the - # events which lifetime has expired under the 'purge_jobs' section. - # - # If no configuration is provided, a single job will be set up to delete expired - # events in every room daily. - # - # Each job's configuration defines which range of message lifetimes the job - # takes care of. For example, if 'shortest_max_lifetime' is '2d' and - # 'longest_max_lifetime' is '3d', the job will handle purging expired events in - # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and - # lower than or equal to 3 days. Both the minimum and the maximum value of a - # range are optional, e.g. a job with no 'shortest_max_lifetime' and a - # 'longest_max_lifetime' of '3d' will handle every room with a retention policy - # which 'max_lifetime' is lower than or equal to three days. 
- # - # The rationale for this per-job configuration is that some rooms might have a - # retention policy with a low 'max_lifetime', where history needs to be purged - # of outdated messages on a more frequent basis than for the rest of the rooms - # (e.g. every 12h), but not want that purge to be performed by a job that's - # iterating over every room it knows, which could be heavy on the server. - # - #purge_jobs: - # - shortest_max_lifetime: 1d - # longest_max_lifetime: 3d - # interval: 12h - # - shortest_max_lifetime: 3d - # longest_max_lifetime: 1y - # interval: 1d - - -## TLS ## - -# PEM-encoded X509 certificate for TLS. -# This certificate, as of Synapse 1.0, will need to be a valid and verifiable -# certificate, signed by a recognised Certificate Authority. -# -# See 'ACME support' below to enable auto-provisioning this certificate via -# Let's Encrypt. -# -# If supplying your own, be sure to use a `.pem` file that includes the -# full certificate chain including any intermediate certificates (for -# instance, if using certbot, use `fullchain.pem` as your certificate, -# not `cert.pem`). -# -#tls_certificate_path: "/data/matrix.ocf.berkeley.edu.tls.crt" - -# PEM-encoded private key for TLS -# -#tls_private_key_path: "/data/matrix.ocf.berkeley.edu.tls.key" - -# Whether to verify TLS server certificates for outbound federation requests. -# -# Defaults to `true`. To disable certificate verification, uncomment the -# following line. -# -#federation_verify_certificates: false - -# The minimum TLS version that will be used for outbound federation requests. -# -# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note -# that setting this value higher than `1.2` will prevent federation to most -# of the public Matrix network: only configure it to `1.3` if you have an -# entirely private federation setup and you can ensure TLS 1.3 support. 
-# -#federation_client_minimum_tls_version: 1.2 - -# Skip federation certificate verification on the following whitelist -# of domains. -# -# This setting should only be used in very specific cases, such as -# federation over Tor hidden services and similar. For private networks -# of homeservers, you likely want to use a private CA instead. -# -# Only effective if federation_verify_certicates is `true`. -# -#federation_certificate_verification_whitelist: -# - lon.example.com -# - *.domain.com -# - *.onion - -# List of custom certificate authorities for federation traffic. -# -# This setting should only normally be used within a private network of -# homeservers. -# -# Note that this list will replace those that are provided by your -# operating environment. Certificates must be in PEM format. -# -#federation_custom_ca_list: -# - myCA1.pem -# - myCA2.pem -# - myCA3.pem - -# ACME support: This will configure Synapse to request a valid TLS certificate -# for your configured `server_name` via Let's Encrypt. -# -# Note that provisioning a certificate in this way requires port 80 to be -# routed to Synapse so that it can complete the http-01 ACME challenge. -# By default, if you enable ACME support, Synapse will attempt to listen on -# port 80 for incoming http-01 challenges - however, this will likely fail -# with 'Permission denied' or a similar error. -# -# There are a couple of potential solutions to this: -# -# * If you already have an Apache, Nginx, or similar listening on port 80, -# you can configure Synapse to use an alternate port, and have your web -# server forward the requests. For example, assuming you set 'port: 8009' -# below, on Apache, you would write: -# -# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge -# -# * Alternatively, you can use something like `authbind` to give Synapse -# permission to listen on port 80. -# -acme: - # ACME support is disabled by default. 
Set this to `true` and uncomment - # tls_certificate_path and tls_private_key_path above to enable it. - # - enabled: false - - # Endpoint to use to request certificates. If you only want to test, - # use Let's Encrypt's staging url: - # https://acme-staging.api.letsencrypt.org/directory - # - #url: https://acme-v01.api.letsencrypt.org/directory - - # Port number to listen on for the HTTP-01 challenge. Change this if - # you are forwarding connections through Apache/Nginx/etc. - # - port: 80 - - # Local addresses to listen on for incoming connections. - # Again, you may want to change this if you are forwarding connections - # through Apache/Nginx/etc. - # - bind_addresses: ['::', '0.0.0.0'] - - # How many days remaining on a certificate before it is renewed. - # - reprovision_threshold: 30 - - # The domain that the certificate should be for. Normally this - # should be the same as your Matrix domain (i.e., 'server_name'), but, - # by putting a file at 'https:///.well-known/matrix/server', - # you can delegate incoming traffic to another server. If you do that, - # you should give the target of the delegation here. - # - # For example: if your 'server_name' is 'example.com', but - # 'https://example.com/.well-known/matrix/server' delegates to - # 'matrix.example.com', you should put 'matrix.example.com' here. - # - # If not set, defaults to your 'server_name'. - # - domain: matrix.example.com - - # file to use for the account key. This will be generated if it doesn't - # exist. - # - # If unspecified, we will use CONFDIR/client.key. - # - account_key_file: /data/acme_account.key - -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. 
So if federation traffic is handled directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. -# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -#tls_fingerprints: [{"sha256": ""}] - - - -## Database ## - -database: - # The database engine name - name: "sqlite3" - # Arguments to pass to the engine - args: - # Path to the database - database: "/data/homeserver.db" - -# Number of events to cache in memory. -# -#event_cache_size: 10K - - -## Logging ## - -# A yaml python logging config file as described by -# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema -# -log_config: "/data/matrix.ocf.berkeley.edu.log.config" - - -## Ratelimiting ## - -# Ratelimiting settings for client actions (registration, login, messaging). -# -# Each ratelimiting configuration is made of two parameters: -# - per_second: number of requests a client can send per second. -# - burst_count: number of requests a client can send before being throttled. 
-# -# Synapse currently uses the following configurations: -# - one for messages that ratelimits sending based on the account the client -# is using -# - one for registration that ratelimits registration requests based on the -# client's IP address. -# - one for login that ratelimits login requests based on the client's IP -# address. -# - one for login that ratelimits login requests based on the account the -# client is attempting to log into. -# - one for login that ratelimits login requests based on the account the -# client is attempting to log into, based on the amount of failed login -# attempts for this account. -# - one for ratelimiting redactions by room admins. If this is not explicitly -# set then it uses the same ratelimiting as per rc_message. This is useful -# to allow room admins to deal with abuse quickly. -# -# The defaults are as shown below. -# -#rc_message: -# per_second: 0.2 -# burst_count: 10 -# -#rc_registration: -# per_second: 0.17 -# burst_count: 3 -# -#rc_login: -# address: -# per_second: 0.17 -# burst_count: 3 -# account: -# per_second: 0.17 -# burst_count: 3 -# failed_attempts: -# per_second: 0.17 -# burst_count: 3 -# -#rc_admin_redaction: -# per_second: 1 -# burst_count: 50 - - -# Ratelimiting settings for incoming federation -# -# The rc_federation configuration is made up of the following settings: -# - window_size: window size in milliseconds -# - sleep_limit: number of federation requests from a single server in -# a window before the server will delay processing the request. -# - sleep_delay: duration in milliseconds to delay processing events -# from remote servers by if they go over the sleep limit. -# - reject_limit: maximum number of concurrent federation requests -# allowed from a single server -# - concurrent: number of federation requests to concurrently process -# from a single server -# -# The defaults are as shown below. 
-# -#rc_federation: -# window_size: 1000 -# sleep_limit: 10 -# sleep_delay: 500 -# reject_limit: 50 -# concurrent: 3 - -# Target outgoing federation transaction frequency for sending read-receipts, -# per-room. -# -# If we end up trying to send out more read-receipts, they will get buffered up -# into fewer transactions. -# -#federation_rr_transactions_per_room_per_second: 50 - - - -## Media Store ## - -# Enable the media store service in the Synapse master. Uncomment the -# following if you are using a separate media store worker. -# -#enable_media_repo: false - -# Directory where uploaded images and attachments are stored. -# -media_store_path: "/data/media_store" - -# Media storage providers allow media to be stored in different -# locations. -# -#media_storage_providers: -# - module: file_system -# # Whether to write new local files. -# store_local: false -# # Whether to write new remote media -# store_remote: false -# # Whether to block upload requests waiting for write to this -# # provider to complete -# store_synchronous: false -# config: -# directory: /mnt/some/other/directory - -# The largest allowed upload size in bytes -# -#max_upload_size: 10M - -# Maximum number of pixels that will be thumbnailed -# -#max_image_pixels: 32M - -# Whether to generate new thumbnails on the fly to precisely match -# the resolution requested by the client. If true then whenever -# a new resolution is requested by the client the server will -# generate a new thumbnail. If false the server will pick a thumbnail -# from a precalculated list. -# -#dynamic_thumbnails: false - -# List of thumbnails to precalculate when an image is uploaded. -# -#thumbnail_sizes: -# - width: 32 -# height: 32 -# method: crop -# - width: 96 -# height: 96 -# method: crop -# - width: 320 -# height: 240 -# method: scale -# - width: 640 -# height: 480 -# method: scale -# - width: 800 -# height: 600 -# method: scale - -# Is the preview URL API enabled? 
-# -# 'false' by default: uncomment the following to enable it (and specify a -# url_preview_ip_range_blacklist blacklist). -# -#url_preview_enabled: true - -# List of IP address CIDR ranges that the URL preview spider is denied -# from accessing. There are no defaults: you must explicitly -# specify a list for URL previewing to work. You should specify any -# internal services in your network that you do not want synapse to try -# to connect to, otherwise anyone in any Matrix room could cause your -# synapse to issue arbitrary GET requests to your internal services, -# causing serious security issues. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -# This must be specified if url_preview_enabled is set. It is recommended that -# you uncomment the following list as a starting point. -# -#url_preview_ip_range_blacklist: -# - '127.0.0.0/8' -# - '10.0.0.0/8' -# - '172.16.0.0/12' -# - '192.168.0.0/16' -# - '100.64.0.0/10' -# - '169.254.0.0/16' -# - '::1/128' -# - 'fe80::/64' -# - 'fc00::/7' - -# List of IP address CIDR ranges that the URL preview spider is allowed -# to access even if they are specified in url_preview_ip_range_blacklist. -# This is useful for specifying exceptions to wide-ranging blacklisted -# target IP ranges - e.g. for enabling URL previews for a specific private -# website only visible in your network. -# -#url_preview_ip_range_whitelist: -# - '192.168.1.1' - -# Optional list of URL matches that the URL preview spider is -# denied from accessing. You should use url_preview_ip_range_blacklist -# in preference to this, otherwise someone could define a public DNS -# entry that points to a private IP address and circumvent the blacklist. -# This is more useful if you know there is an entire shape of URL that -# you know that will never want synapse to try to spider. 
-# -# Each list entry is a dictionary of url component attributes as returned -# by urlparse.urlsplit as applied to the absolute form of the URL. See -# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit -# The values of the dictionary are treated as an filename match pattern -# applied to that component of URLs, unless they start with a ^ in which -# case they are treated as a regular expression match. If all the -# specified component matches for a given list item succeed, the URL is -# blacklisted. -# -#url_preview_url_blacklist: -# # blacklist any URL with a username in its URI -# - username: '*' -# -# # blacklist all *.google.com URLs -# - netloc: 'google.com' -# - netloc: '*.google.com' -# -# # blacklist all plain HTTP URLs -# - scheme: 'http' -# -# # blacklist http(s)://www.acme.com/foo -# - netloc: 'www.acme.com' -# path: '/foo' -# -# # blacklist any URL with a literal IPv4 address -# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - -# The largest allowed URL preview spidering size in bytes -# -#max_spider_size: 10M - - -## Captcha ## -# See docs/CAPTCHA_SETUP for full details of configuring this. - -# This homeserver's ReCAPTCHA public key. -# -#recaptcha_public_key: "YOUR_PUBLIC_KEY" - -# This homeserver's ReCAPTCHA private key. -# -#recaptcha_private_key: "YOUR_PRIVATE_KEY" - -# Enables ReCaptcha checks when registering, preventing signup -# unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. -# -#enable_registration_captcha: false - -# A secret key used to bypass the captcha test entirely. -# -#captcha_bypass_secret: "YOUR_SECRET_HERE" - -# The API endpoint to use for verifying m.login.recaptcha responses. 
-# -#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" - - -## TURN ## - -# The public URIs of the TURN server to give to clients -# -#turn_uris: [] - -# The shared secret used to compute passwords for the TURN server -# -#turn_shared_secret: "YOUR_SHARED_SECRET" - -# The Username and password if the TURN server needs them and -# does not use a token -# -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" - -# How long generated TURN credentials last -# -#turn_user_lifetime: 1h - -# Whether guests should be allowed to use the TURN server. -# This defaults to True, otherwise VoIP will be unreliable for guests. -# However, it does introduce a slight security risk as it allows users to -# connect to arbitrary endpoints without having first signed up for a -# valid account (e.g. by passing a CAPTCHA). -# -#turn_allow_guests: true - - -## Registration ## -# -# Registration can be rate-limited using the parameters in the "Ratelimiting" -# section of this file. - -# Enable registration for new users. -# -enable_registration: false - -# Optional account validity configuration. This allows for accounts to be denied -# any request after a given period. -# -# Once this feature is enabled, Synapse will look for registered users without an -# expiration date at startup and will add one to every account it found using the -# current settings at that time. -# This means that, if a validity period is set, and Synapse is restarted (it will -# then derive an expiration date from the current validity period), and some time -# after that the validity period changes and Synapse is restarted, the users' -# expiration dates won't be updated unless their account is manually renewed. This -# date will be randomly selected within a range [now + period - d ; now + period], -# where d is equal to 10% of the validity period. -# -account_validity: - # The account validity feature is disabled by default. 
Uncomment the - # following line to enable it. - # - #enabled: true - - # The period after which an account is valid after its registration. When - # renewing the account, its validity period will be extended by this amount - # of time. This parameter is required when using the account validity - # feature. - # - #period: 6w - - # The amount of time before an account's expiry date at which Synapse will - # send an email to the account's email address with a renewal link. By - # default, no such emails are sent. - # - # If you enable this setting, you will also need to fill out the 'email' and - # 'public_baseurl' configuration sections. - # - #renew_at: 1w - - # The subject of the email sent out with the renewal link. '%(app)s' can be - # used as a placeholder for the 'app_name' parameter from the 'email' - # section. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - # If this is not set, a default value is used. - # - #renew_email_subject: "Renew your %(app)s account" - - # Directory in which Synapse will try to find templates for the HTML files to - # serve to the user when trying to renew an account. If not set, default - # templates from within the Synapse package will be used. - # - #template_dir: "res/templates" - - # File within 'template_dir' giving the HTML to be displayed to the user after - # they successfully renewed their account. If not set, default text is used. - # - #account_renewed_html_path: "account_renewed.html" - - # File within 'template_dir' giving the HTML to be displayed when the user - # tries to renew an account with an invalid renewal token. If not set, - # default text is used. - # - #invalid_token_html_path: "invalid_token.html" - -# Time that a user's session remains valid for, after they log in. -# -# Note that this is not currently compatible with guest logins. 
-# -# Note also that this is calculated at login time: changes are not applied -# retrospectively to users who have already logged in. -# -# By default, this is infinite. -# -#session_lifetime: 24h - -# The user must provide all of the below types of 3PID when registering. -# -#registrations_require_3pid: -# - email -# - msisdn - -# Explicitly disable asking for MSISDNs from the registration -# flow (overrides registrations_require_3pid if MSISDNs are set as required) -# -#disable_msisdn_registration: true - -# Mandate that users are only allowed to associate certain formats of -# 3PIDs with accounts on this server. -# -#allowed_local_3pids: -# - medium: email -# pattern: '.*@matrix\.org' -# - medium: email -# pattern: '.*@vector\.im' -# - medium: msisdn -# pattern: '\+44' - -# Enable 3PIDs lookup requests to identity servers from this server. -# -#enable_3pid_lookup: true - -# If set, allows registration of standard or admin accounts by anyone who -# has the shared secret, even if registration is otherwise disabled. -# -registration_shared_secret: "4KU_B~xFj,Xme:*nulQ4Q1Nrl1fUq=ikwxe*MN9YbM9H5~VRtE" - -# Set the number of bcrypt rounds used to generate password hash. -# Larger numbers increase the work factor needed to generate the hash. -# The default number is 12 (which equates to 2^12 rounds). -# N.B. that increasing this will exponentially increase the time required -# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. -# -#bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. -# -#allow_guest_access: false - -# The identity server which we suggest that clients should use when users log -# in on this server. -# -# (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) 
-# -#default_identity_server: https://matrix.org - -# The list of identity servers trusted to verify third party -# identifiers by this server. -# -# Also defines the ID server which will be called when an account is -# deactivated (one will be picked arbitrarily). -# -# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity -# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a -# background migration script, informing itself that the identity server all of its -# 3PIDs have been bound to is likely one of the below. -# -# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and -# it is now solely used for the purposes of the background migration script, and can be -# removed once it has run. -#trusted_third_party_id_servers: -# - matrix.org -# - vector.im - -# Handle threepid (email/phone etc) registration and password resets through a set of -# *trusted* identity servers. Note that this allows the configured identity server to -# reset passwords for accounts! -# -# Be aware that if `email` is not set, and SMTP options have not been -# configured in the email config block, registration and user password resets via -# email will be globally disabled. -# -# Additionally, if `msisdn` is not set, registration and password resets via msisdn -# will be disabled regardless. This is due to Synapse currently not supporting any -# method of sending SMS messages on its own. -# -# To enable using an identity server for operations regarding a particular third-party -# identifier type, set the value to the URL of that identity server as shown in the -# examples below. -# -# Servers handling the these requests must answer the `/requestToken` endpoints defined -# by the Matrix Identity Service API specification: -# https://matrix.org/docs/spec/identity_service/latest -# -# If a delegate is specified, the config option public_baseurl must also be filled out. 
-# -account_threepid_delegates: - #email: https://example.com # Delegate email sending to example.com - #msisdn: http://localhost:8090 # Delegate SMS sending to this local process - -# Users who register on this homeserver will automatically be joined -# to these rooms -# -#auto_join_rooms: -# - "#example:example.com" - -# Where auto_join_rooms are specified, setting this flag ensures that the -# the rooms exist by creating them when the first user on the -# homeserver registers. -# Setting to false means that if the rooms are not manually created, -# users cannot be auto-joined since they do not exist. -# -#autocreate_auto_join_rooms: true - - -## Metrics ### - -# Enable collection and rendering of performance metrics -# -enable_metrics: true - -# Enable sentry integration -# NOTE: While attempts are made to ensure that the logs don't contain -# any sensitive information, this cannot be guaranteed. By enabling -# this option the sentry server may therefore receive sensitive -# information, and it in turn may then diseminate sensitive information -# through insecure notification channels if so configured. -# -#sentry: -# dsn: "..." - -# Flags to enable Prometheus metrics which are not suitable to be -# enabled by default, either for performance reasons or limited use. -# -metrics_flags: - # Publish synapse_federation_known_servers, a g auge of the number of - # servers this homeserver knows about, including itself. May cause - # performance problems on large homeservers. - # - #known_servers: true - -# Whether or not to report anonymized homeserver usage statistics. -report_stats: false - -# The endpoint to report the anonymized homeserver usage statistics to. 
-# Defaults to https://matrix.org/report-usage-stats/push -# -#report_stats_endpoint: https://example.com/report-usage-stats/push - - -## API Configuration ## - -# A list of event types that will be included in the room_invite_state -# -#room_invite_state_types: -# - "m.room.join_rules" -# - "m.room.canonical_alias" -# - "m.room.avatar" -# - "m.room.encryption" -# - "m.room.name" - - -# A list of application service config files to use -# -app_service_config_files: - - /etc/matrix/irc-registration.yaml -# - app_service_1.yaml -# - app_service_2.yaml - -# Uncomment to enable tracking of application service IP addresses. Implicitly -# enables MAU tracking for application service users. -# -#track_appservice_user_ips: true - - -# a secret which is used to sign access tokens. If none is specified, -# the registration_shared_secret is used, if one is given; otherwise, -# a secret key is derived from the signing key. -# -macaroon_secret_key: "ZQqpgk*zu9x:CD8M5:0f_f;U9vQS^BKk8=NDHc&-cp6d0eWjZo" - -# a secret which is used to calculate HMACs for form values, to stop -# falsification of values. Must be specified for the User Consent -# forms to work. -# -form_secret: "loG32N*yCgr;Pp.Ih1l_fuw#G:0ii@D8J0cuPbed#-o25:sKLX" - -## Signing Keys ## - -# Path to the signing key to sign messages with -# -signing_key_path: "/data/matrix.ocf.berkeley.edu.signing.key" - -# The keys that the server used to sign messages with but won't use -# to sign new messages. -# -old_signing_keys: - # For each key, `key` should be the base64-encoded public key, and - # `expired_ts`should be the time (in milliseconds since the unix epoch) that - # it was last used. - # - # It is possible to build an entry from an old signing.key file using the - # `export_signing_key` script which is provided with synapse. - # - # For example: - # - #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } - -# How long key response published by this server is valid for. 
-# Used to set the valid_until_ts in /key/v2 APIs. -# Determines how quickly servers will query to check which keys -# are still valid. -# -#key_refresh_interval: 1d - -# The trusted servers to download signing keys from. -# -# When we need to fetch a signing key, each server is tried in parallel. -# -# Normally, the connection to the key server is validated via TLS certificates. -# Additional security can be provided by configuring a `verify key`, which -# will make synapse check that the response is signed by that key. -# -# This setting supercedes an older setting named `perspectives`. The old format -# is still supported for backwards-compatibility, but it is deprecated. -# -# 'trusted_key_servers' defaults to matrix.org, but using it will generate a -# warning on start-up. To suppress this warning, set -# 'suppress_key_server_warning' to true. -# -# Options for each entry in the list include: -# -# server_name: the name of the server. required. -# -# verify_keys: an optional map from key id to base64-encoded public key. -# If specified, we will check that the response is signed by at least -# one of the given keys. -# -# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, -# and federation_verify_certificates is not `true`, synapse will refuse -# to start, because this would allow anyone who can spoof DNS responses -# to masquerade as the trusted key server. If you know what you are doing -# and are sure that your network environment provides a secure connection -# to the key server, you can set this to `true` to override this -# behaviour. 
-# -# An example configuration might look like: -# -#trusted_key_servers: -# - server_name: "my_trusted_server.example.com" -# verify_keys: -# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" -# - server_name: "my_other_trusted_server.example.com" -# -trusted_key_servers: - - server_name: "matrix.org" - -# Uncomment the following to disable the warning that is emitted when the -# trusted_key_servers include 'matrix.org'. See above. -# -#suppress_key_server_warning: true - -# The signing keys to use when acting as a trusted key server. If not specified -# defaults to the server signing key. -# -# Can contain multiple keys, one per line. -# -#key_server_signing_keys_path: "key_server_signing_keys.key" - - -# Enable SAML2 for registration and login. Uses pysaml2. -# -# At least one of `sp_config` or `config_path` must be set in this section to -# enable SAML login. -# -# (You will probably also want to set the following options to `false` to -# disable the regular login/registration flows: -# * enable_registration -# * password_config.enabled -# -# Once SAML support is enabled, a metadata file will be exposed at -# https://:/_matrix/saml2/metadata.xml, which you may be able to -# use to configure your SAML IdP with. Alternatively, you can manually configure -# the IdP to use an ACS location of -# https://:/_matrix/saml2/authn_response. -# -saml2_config: - # `sp_config` is the configuration for the pysaml2 Service Provider. - # See pysaml2 docs for format of config. - # - # Default values will be used for the 'entityid' and 'service' settings, - # so it is not normally necessary to specify them unless you need to - # override them. - # - sp_config: - # # point this to the IdP's metadata. You can use either a local file or - # # (preferably) a URL. - metadata: - remote: - - url: https://auth.ocf.berkeley.edu/auth/realms/ocf/protocol/saml/descriptor - # #local: ["saml2/idp.xml"] - # - # # By default, the user has to go to our login page first. 
If you'd like - # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # # 'service.sp' section: - # # - # #service: - # # sp: - # # allow_unsolicited: true - # - # # The examples below are just used to generate our metadata xml, and you - # # may well not need them, depending on your setup. Alternatively you - # # may need a whole lot more detail - see the pysaml2 docs! - # - # description: ["My awesome SP", "en"] - # name: ["Test SP", "en"] - # - # organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - # - # contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical - - # Instead of putting the config inline as above, you can specify a - # separate pysaml2 configuration file: - # - #config_path: "/data/sp_conf.py" - - # The lifetime of a SAML session. This defines how long a user has to - # complete the authentication process, if allow_unsolicited is unset. - # The default is 5 minutes. - # - #saml_session_lifetime: 5m - - # An external module can be provided here as a custom solution to - # mapping attributes returned from a saml provider onto a matrix user. - # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # - #module: mapping_provider.SamlMappingProvider - - # Custom configuration values for the module. Below options are - # intended for the built-in provider, they should be changed if - # using a custom module. This section will be passed as a Python - # dictionary to the module's `parse_config` method. - # - config: - # The SAML attribute (after mapping via the attribute maps) to use - # to derive the Matrix ID from. 'uid' by default. - # - # Note: This used to be configured by the - # saml2_config.mxid_source_attribute option. If that is still - # defined, its value will be used instead. 
- # - #mxid_source_attribute: displayName - - # The mapping system to use for mapping the saml attribute onto a - # matrix ID. - # - # Options include: - # * 'hexencode' (which maps unpermitted characters to '=xx') - # * 'dotreplace' (which replaces unpermitted characters with - # '.'). - # The default is 'hexencode'. - # - # Note: This used to be configured by the - # saml2_config.mxid_mapping option. If that is still defined, its - # value will be used instead. - # - #mxid_mapping: dotreplace - - # In previous versions of synapse, the mapping from SAML attribute to - # MXID was always calculated dynamically rather than stored in a - # table. For backwards- compatibility, we will look for user_ids - # matching such a pattern before creating a new account. - # - # This setting controls the SAML attribute which will be used for this - # backwards-compatibility lookup. Typically it should be 'uid', but if - # the attribute maps are changed, it may be necessary to change it. - # - # The default is 'uid'. - # - #grandfathered_mxid_source_attribute: upn - - - -# Enable CAS for registration and login. -# -#cas_config: -# enabled: true -# server_url: "https://cas-server.com" -# service_url: "https://homeserver.domain.com:8448" -# #displayname_attribute: name -# #required_attributes: -# # name: value - - -# The JWT needs to contain a globally unique "sub" (subject) claim. -# -#jwt_config: -# enabled: true -# secret: "a secret" -# algorithm: "HS256" - - -password_config: - # Uncomment to disable password login - # - enabled: false - - # Uncomment to disable authentication against the local password - # database. This is ignored if `enabled` is false, and is only useful - # if you have other password_providers. - # - #localdb_enabled: false - - # Uncomment and change to a secret random string for extra security. - # DO NOT CHANGE THIS AFTER INITIAL SETUP! - # - #pepper: "EVEN_MORE_SECRET" - - -# Configuration for sending emails from Synapse. 
-# -email: - # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. - # - #smtp_host: mail.server - - # The port on the mail server for outgoing SMTP. Defaults to 25. - # - #smtp_port: 587 - - # Username/password for authentication to the SMTP server. By default, no - # authentication is attempted. - # - # smtp_user: "exampleusername" - # smtp_pass: "examplepassword" - - # Uncomment the following to require TLS transport security for SMTP. - # By default, Synapse will connect over plain text, and will then switch to - # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, - # Synapse will refuse to connect unless the server supports STARTTLS. - # - #require_transport_security: true - - # Enable sending emails for messages that the user has missed - # - #enable_notifs: false - - # notif_from defines the "From" address to use when sending emails. - # It must be set if email sending is enabled. - # - # The placeholder '%(app)s' will be replaced by the application name, - # which is normally 'app_name' (below), but may be overridden by the - # Matrix client application. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - #notif_from: "Your Friendly %(app)s homeserver " - - # app_name defines the default value for '%(app)s' in notif_from. It - # defaults to 'Matrix'. - # - #app_name: my_branded_matrix_server - - # Uncomment the following to disable automatic subscription to email - # notifications for new users. Enabled by default. - # - #notif_for_new_users: false - - # Custom URL for client links within the email notifications. By default - # links will be based on "https://matrix.to". - # - # (This setting used to be called riot_base_url; the old name is still - # supported for backwards-compatibility but is now deprecated.) - # - #client_base_url: "http://localhost/riot" - - # Configure the time that a validation email will expire after sending. - # Defaults to 1h. 
- # - #validation_token_lifetime: 15m - - # Directory in which Synapse will try to find the template files below. - # If not set, default templates from within the Synapse package will be used. - # - # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. - # If you *do* uncomment it, you will need to make sure that all the templates - # below are in the directory. - # - # Synapse will look for the following templates in this directory: - # - # * The contents of email notifications of missed events: 'notif_mail.html' and - # 'notif_mail.txt'. - # - # * The contents of account expiry notice emails: 'notice_expiry.html' and - # 'notice_expiry.txt'. - # - # * The contents of password reset emails sent by the homeserver: - # 'password_reset.html' and 'password_reset.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in the password reset email: 'password_reset_success.html' and - # 'password_reset_failure.html' - # - # * The contents of address verification emails sent during registration: - # 'registration.html' and 'registration.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent during registration: - # 'registration_success.html' and 'registration_failure.html' - # - # * The contents of address verification emails sent when an address is added - # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent when an address is added - # to a Matrix account: 'add_threepid_success.html' and - # 'add_threepid_failure.html' - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - -#password_providers: -# - module: "ldap_auth_provider.LdapAuthProvider" -# config: -# enabled: 
true -# uri: "ldap://ldap.example.com:389" -# start_tls: true -# base: "ou=users,dc=example,dc=com" -# attributes: -# uid: "cn" -# mail: "email" -# name: "givenName" -# #bind_dn: -# #bind_password: -# #filter: "(objectClass=posixAccount)" - - - -# Clients requesting push notifications can either have the body of -# the message sent in the notification poke along with other details -# like the sender, or just the event ID and room ID (`event_id_only`). -# If clients choose the former, this option controls whether the -# notification request includes the content of the event (other details -# like the sender are still included). For `event_id_only` push, it -# has no effect. -# -# For modern android devices the notification content will still appear -# because it is loaded by the app. iPhone, however will send a -# notification saying only that a message arrived and who it came from. -# -#push: -# include_content: true - - -#spam_checker: -# module: "my_custom_project.SuperSpamChecker" -# config: -# example_option: 'things' - - -# Uncomment to allow non-server-admin users to create groups on this server -# -#enable_group_creation: true - -# If enabled, non server admins can only create groups with local parts -# starting with this prefix -# -#group_creation_prefix: "unofficial/" - - - -# User Directory configuration -# -# 'enabled' defines whether users can search the user directory. If -# false then empty responses are returned to all queries. Defaults to -# true. -# -# 'search_all_users' defines whether to search all users visible to your HS -# when searching the user directory, rather than limiting to users visible -# in public rooms. Defaults to false. 
If you set it True, you'll have to -# rebuild the user_directory search indexes, see -# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md -# -#user_directory: -# enabled: true -# search_all_users: false - - -# User Consent configuration -# -# for detailed instructions, see -# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md -# -# Parts of this section are required if enabling the 'consent' resource under -# 'listeners', in particular 'template_dir' and 'version'. -# -# 'template_dir' gives the location of the templates for the HTML forms. -# This directory should contain one subdirectory per language (eg, 'en', 'fr'), -# and each language directory should contain the policy document (named as -# '.html') and a success page (success.html). -# -# 'version' specifies the 'current' version of the policy document. It defines -# the version to be served by the consent resource if there is no 'v' -# parameter. -# -# 'server_notice_content', if enabled, will send a user a "Server Notice" -# asking them to consent to the privacy policy. The 'server_notices' section -# must also be configured for this to work. Notices will *not* be sent to -# guest users unless 'send_server_notice_to_guests' is set to true. -# -# 'block_events_error', if set, will block any attempts to send events -# until the user consents to the privacy policy. The value of the setting is -# used as the text of the error. -# -# 'require_at_registration', if enabled, will add a step to the registration -# process, similar to how captcha works. Users will be required to accept the -# policy before their account is created. -# -# 'policy_name' is the display name of the policy users will see when registering -# for an account. Has no effect unless `require_at_registration` is enabled. -# Defaults to "Privacy Policy". 
-# -#user_consent: -# template_dir: res/templates/privacy -# version: 1.0 -# server_notice_content: -# msgtype: m.text -# body: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# send_server_notice_to_guests: true -# block_events_error: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# require_at_registration: false -# policy_name: Privacy Policy -# - - - -# Local statistics collection. Used in populating the room directory. -# -# 'bucket_size' controls how large each statistics timeslice is. It can -# be defined in a human readable short form -- e.g. "1d", "1y". -# -# 'retention' controls how long historical statistics will be kept for. -# It can be defined in a human readable short form -- e.g. "1d", "1y". -# -# -stats: - enabled: true - bucket_size: 1d - retention: 1y - - -# Server Notices room configuration -# -# Uncomment this section to enable a room which can be used to send notices -# from the server to users. It is a special room which cannot be left; notices -# come from a special "notices" user id. -# -# If you uncomment this section, you *must* define the system_mxid_localpart -# setting, which defines the id of the user which will be used to send the -# notices. -# -# It's also possible to override the room name, the display name of the -# "notices" user, and the avatar for the user. -# -#server_notices: -# system_mxid_localpart: notices -# system_mxid_display_name: "Server Notices" -# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" -# room_name: "Server Notices" - - - -# Uncomment to disable searching the public room list. When disabled -# blocks searching local and remote room lists for local and remote -# users by always returning an empty list for all queries. -# -#enable_room_list_search: false - -# The `alias_creation` option controls who's allowed to create aliases -# on this server. 
-# -# The format of this option is a list of rules that contain globs that -# match against user_id, room_id and the new alias (fully qualified with -# server name). The action in the first rule that matches is taken, -# which can currently either be "allow" or "deny". -# -# Missing user_id/room_id/alias fields default to "*". -# -# If no rules match the request is denied. An empty list means no one -# can create aliases. -# -# Options for the rules include: -# -# user_id: Matches against the creator of the alias -# alias: Matches against the alias being created -# room_id: Matches against the room ID the alias is being pointed at -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#alias_creation_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - -# The `room_list_publication_rules` option controls who can publish and -# which rooms can be published in the public room list. -# -# The format of this option is the same as that for -# `alias_creation_rules`. -# -# If the room has one or more aliases associated with it, only one of -# the aliases needs to match the alias rule. If there are no aliases -# then only rules with `alias: *` match. -# -# If no rules match the request is denied. An empty list means no one -# can publish rooms. -# -# Options for the rules include: -# -# user_id: Matches agaisnt the creator of the alias -# room_id: Matches against the room ID being published -# alias: Matches against any current local or canonical aliases -# associated with the room -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#room_list_publication_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - - -# Server admins can define a Python module that implements extra rules for -# allowing or denying incoming events. In order to work, this module needs to -# override the methods defined in synapse/events/third_party_rules.py. 
-# -# This feature is designed to be used in closed federations only, where each -# participating server enforces the same rules. -# -#third_party_event_rules: -# module: "my_custom_project.SuperRulesSet" -# config: -# example_option: 'things' - - -## Opentracing ## - -# These settings enable opentracing, which implements distributed tracing. -# This allows you to observe the causal chains of events across servers -# including requests, key lookups etc., across any server running -# synapse or any other other services which supports opentracing -# (specifically those implemented with Jaeger). -# -opentracing: - # tracing is disabled by default. Uncomment the following line to enable it. - # - #enabled: true - - # The list of homeservers we wish to send and receive span contexts and span baggage. - # See docs/opentracing.rst - # This is a list of regexes which are matched against the server_name of the - # homeserver. - # - # By defult, it is empty, so no servers are matched. - # - #homeserver_whitelist: - # - ".*" - - # Jaeger can be configured to sample traces at different rates. - # All configuration options provided by Jaeger can be set here. - # Jaeger's configuration mostly related to trace sampling which - # is documented here: - # https://www.jaegertracing.io/docs/1.13/sampling/. - # - #jaeger_config: - # sampler: - # type: const - # param: 1 - - # Logging whether spans were started and reported - # - # logging: - # false diff --git a/matrix-appservice-irc/config.yaml b/matrix-appservice-irc/config.yaml deleted file mode 100644 index 618a7aa..0000000 --- a/matrix-appservice-irc/config.yaml +++ /dev/null 
@@ -1,489 +0,0 @@ -# Configuration specific to AS registration. Unless other marked, all fields -# are *REQUIRED*. -homeserver: - # The URL to the home server for client-server API calls, also used to form the - # media URLs as displayed in bridged IRC channels: - url: "https://matrix.ocf.berkeley.edu" - # - # The URL of the homeserver hosting media files. This is only used to transform - # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By - # default, this is the homeserver URL, specified above. - # - # media_url: "http://media.repo:8008" - - # Drop Matrix messages which are older than this number of seconds, according to - # the event's origin_server_ts. - # If the bridge is down for a while, the homeserver will attempt to send all missed - # events on reconnection. These events may be hours old, which can be confusing to - # IRC users if they are then bridged. This option allows these old messages to be - # dropped. - # CAUTION: This is a very coarse heuristic. Federated homeservers may have different - # clock times and hence produce different origin_server_ts values, which may be old - # enough to cause *all* events from the homeserver to be dropped. - # Default: 0 (don't ever drop) - # dropMatrixMessagesAfterSecs: 300 # 5 minutes - - # The 'domain' part for user IDs on this home server. Usually (but not always) - # is the "domain name" part of the HS URL. - domain: "matrix.ocf.berkeley.edu" - - # Should presence be enabled for matrix clients on this bridge. If disabled on the - # homeserver then it should also be disabled here to avoid excess traffic. - # Default: true - enablePresence: false - - # Which port should the appservice bind to. Takes priority over the one provided in the - # command line! Optional. - bindPort: 9995 - - # Use this option to force the appservice to listen on another hostname for transactions. - # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional. 
- # bindHostname: 0.0.0.0 - -# Configuration specific to the IRC service -ircService: - servers: - # The address of the server to connect to. - irc.ocf.berkeley.edu: - # A human-readable short name. This is used to label IRC status rooms - # where matrix users control their connections. - # E.g. 'ExampleNet IRC Bridge status'. - # It is also used in the Third Party Lookup API as the instance `desc` - # property, where each server is an instance. - name: "OCF" - - # additionalAddresses: [ "irc2.example.com" ] - # - # [DEPRECATED] Use `name`, above, instead. - # A human-readable description string - # description: "Example.com IRC network" - - # An ID for uniquely identifying this server amongst other servers being bridged. - # networkId: "example" - - # URL to an icon used as the network icon whenever this network appear in - # a network list. (Like in the riot room directory, for instance.) - # icon: https://example.com/images/hash.png - - # The port to connect to. Optional. - port: 6697 - # Whether to use SSL or not. Default: false. - ssl: true - # Whether or not IRC server is using a self-signed cert or not providing CA Chain - sslselfsign: false - # Should the connection attempt to identify via SASL (if a server or user password is given) - # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS. - sasl: false - # Whether to allow expired certs when connecting to the IRC server. - # Usually this should be off. Default: false. - allowExpiredCerts: false - # A specific CA to trust instead of the default CAs. Optional. - #ca: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - - # - # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional. - # password: 'pa$$w0rd' - # - # Whether or not to send connection/error notices to real Matrix users. Default: true. 
- sendConnectionMessages: true - - quitDebounce: - # Whether parts due to net-splits are debounced for delayMs, to allow - # time for the netsplit to resolve itself. A netsplit is detected as being - # a QUIT rate higher than quitsPerSecond. Default: false. - enabled: false - # The maximum number of quits per second acceptable above which a netsplit is - # considered ongoing. Default: 5. - quitsPerSecond: 5 - # The time window in which to wait before bridging a QUIT to Matrix that occurred during - # a netsplit. Debouncing is jittered randomly between delayMinMs and delayMaxMs so that the HS - # is not sent many requests to leave rooms all at once if a netsplit occurs and many - # people to not rejoin. - # If the user with the same IRC nick as the one who sent the quit rejoins a channel - # they are considered back online and the quit is not bridged, so long as the rejoin - # occurs before the randomly-jittered timeout is not reached. - # Default: 3600000, = 1h - delayMinMs: 3600000 # 1h - # Default: 7200000, = 2h - delayMaxMs: 7200000 # 2h - - # A map for conversion of IRC user modes to Matrix power levels. This enables bridging - # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has - # been given multiple modes, the one that maps to the highest power level will be used. - modePowerMap: - o: 50 - v: 1 - - botConfig: - # Enable the presence of the bot in IRC channels. The bot serves as the entity - # which maps from IRC -> Matrix. You can disable the bot entirely which - # means IRC -> Matrix chat will be shared by active "M-Nick" connections - # in the room. If there are no users in the room (or if there are users - # but their connections are not on IRC) then nothing will be bridged to - # Matrix. If you're concerned about the bot being treated as a "logger" - # entity, then you may want to disable the bot. 
If you want IRC->Matrix - # but don't want to have TCP connections to IRC unless a Matrix user speaks - # (because your client connection limit is low), then you may want to keep - # the bot enabled. Default: true. - # NB: If the bot is disabled, you SHOULD have matrix-to-IRC syncing turned - # on, else there will be no users and no bot in a channel (meaning no - # messages to Matrix!) until a Matrix user speaks which makes a client - # join the target IRC channel. - # NBB: The bridge bot IRC client will still join the target IRC network so - # it can service bridge-specific queries from the IRC-side e.g. so - # real IRC clients have a way to change their Matrix display name. - # See https://github.com/matrix-org/matrix-appservice-irc/issues/55 - enabled: false - # The nickname to give the AS bot. - nick: "matrix-bridge" - # The password to give to NickServ or IRC Server for this nick. Optional. - # password: "helloworld" - # - # Join channels even if there are no Matrix users on the other side of - # the bridge. Set to false to prevent the bot from joining channels which have no - # real matrix users in them, even if there is a mapping for the channel. - # Default: true - joinChannelsIfNoUsers: true - - # Configuration for PMs / private 1:1 communications between users. - privateMessages: - # Enable the ability for PMs to be sent to/from IRC/Matrix. - # Default: true. - enabled: true - # Prevent Matrix users from sending PMs to the following IRC nicks. - # Optional. Default: []. - # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED - - # Should created Matrix PM rooms be federated? If false, only users on the - # HS attached to this AS will be able to interact with this room. - # Optional. Default: true. - federate: true - - # Configuration for mappings not explicitly listed in the 'mappings' - # section. - dynamicChannels: - # Enable the ability for Matrix users to join *any* channel on this IRC - # network. - # Default: false. 
- enabled: true - # Should the AS create a room alias for the new Matrix room? The form of - # the alias can be modified via 'aliasTemplate'. Default: true. - createAlias: true - # Should the AS publish the new Matrix room to the public room list so - # anyone can see it? Default: true. - published: true - # What should the join_rule be for the new Matrix room? If 'public', - # anyone can join the room. If 'invite', only users with an invite can - # join the room. Note that if an IRC channel has +k or +i set on it, - # join_rules will be set to 'invite' until these modes are removed. - # Default: "public". - joinRule: public - # Should created Matrix rooms be federated? If false, only users on the - # HS attached to this AS will be able to interact with this room. - # Default: true. - federate: true - # Force this room version when creating IRC channels. Beware if the homeserver doesn't - # support the room version then the request will fail. By default, no version is requested. - # roomVersion: "1" - # The room alias template to apply when creating new aliases. This only - # applies if createAlias is 'true'. The following variables are exposed: - # $SERVER => The IRC server address (e.g. "irc.example.com") - # $CHANNEL => The IRC channel (e.g. "#python") - # This MUST have $CHANNEL somewhere in it. - # Default: '#irc_$SERVER_$CHANNEL' - aliasTemplate: "#$CHANNEL" - # A list of user IDs which the AS bot will send invites to in response - # to a !join. Only applies if joinRule is 'invite'. Default: [] - # whitelist: - # - "@foo:example.com" - # - "@bar:example.com" - # - # Prevent the given list of channels from being mapped under any - # circumstances. - # exclude: ["#foo", "#bar"] - - # excludedUsers: - # - regex: "@.*:evilcorp.com" - # kickReason: "We don't like Evilcorp" - - # Configuration for controlling how Matrix and IRC membership lists are - # synced. - membershipLists: - # Enable the syncing of membership lists between IRC and Matrix. 
This - # can have a significant effect on performance on startup as the lists are - # synced. This must be enabled for anything else in this section to take - # effect. Default: false. - enabled: true - - # Syncing membership lists at startup can result in hundreds of members to - # process all at once. This timer drip feeds membership entries at the - # specified rate. Default: 10000. (10s) - floodDelayMs: 1000 - - global: - ircToMatrix: - # Get a snapshot of all real IRC users on a channel (via NAMES) and - # join their virtual matrix clients to the room. - initial: true - # Make virtual matrix clients join and leave rooms as their real IRC - # counterparts join/part channels. Default: false. - incremental: true - - matrixToIrc: - # Get a snapshot of all real Matrix users in the room and join all of - # them to the mapped IRC channel on startup. Default: false. - initial: true - # Make virtual IRC clients join and leave channels as their real Matrix - # counterparts join/leave rooms. Make sure your 'maxClients' value is - # high enough! Default: false. - incremental: true - - mappings: - # 1:many mappings from IRC channels to room IDs on this IRC server. - # The matrix room must already exist. Your matrix client should expose - # the room ID in a "settings" page for the room. - "#test-matrix": - roomIds: ["!YAkpfBukqCvewVzbVb:matrix.ocf.berkeley.edu"] - # Channel key/password to use. Optional. If provided, matrix users do - # not need to know the channel key in order to join the channel. - # key: "secret" - "#matrix": - roomIds: ["!zEhTjofIhaNlSpzxlN:matrix.ocf.berkeley.edu"] - - # Configuration for virtual matrix users. The following variables are - # exposed: - # $NICK => The IRC nick - # $SERVER => The IRC server address (e.g. "irc.example.com") - matrixClients: - # The user ID template to use when creating virtual matrix users. This - # MUST have $NICK somewhere in it. - # Optional. Default: "@$SERVER_$NICK". 
- # Example: "@irc.example.com_Alice:example.com" - userTemplate: "@$NICK_irc" - # The display name to use for created matrix clients. This should have - # $NICK somewhere in it if it is specified. Can also use $SERVER to - # insert the IRC domain. - # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" - displayName: "$NICK" - # Number of tries a client can attempt to join a room before the request - # is discarded. You can also use -1 to never retry or 0 to never give up. - # Optional. Default: -1 - joinAttempts: -1 - - # Configuration for virtual IRC users. The following variables are exposed: - # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) - # $USERID => The user ID - # $DISPLAY => The display name of this user, with excluded characters - # (e.g. space) removed. If the user has no display name, this - # falls back to $LOCALPART. - ircClients: - # The template to apply to every IRC client nick. This MUST have either - # $DISPLAY or $USERID or $LOCALPART somewhere in it. - # Optional. Default: "M-$DISPLAY". Example: "M-Alice". - nickTemplate: "$LOCALPART-matrix" - # True to allow virtual IRC clients to change their nick on this server - # by issuing !nick commands to the IRC AS bot. - # This is completely freeform: it will NOT follow the nickTemplate. - allowNickChanges: true - # The max number of IRC clients that will connect. If the limit is - # reached, the client that spoke the longest time ago will be - # disconnected and replaced. - # Optional. Default: 30. - maxClients: 100 - # IPv6 configuration. - ipv6: - # Optional. Set to true to force IPv6 for outgoing connections. - only: false - # Optional. The IPv6 prefix to use for generating unique addresses for each - # connected user. If not specified, all users will connect from the same - # (default) address. 
This may require additional OS-specific work to allow - # for the node process to bind to multiple different source addresses - # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1 - # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library - # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. - # prefix: "2001:0db8:85a3::" # modify appropriately - # - # The maximum amount of time in seconds that the client can exist - # without sending another message before being disconnected. Use 0 to - # not apply an idle timeout. This value is ignored if this IRC server is - # mirroring matrix membership lists to IRC. - # idleTimeout is set to 3 weeks (1814400) - idleTimeout: 1814400 - # The number of millseconds to wait between consecutive reconnections if a - # client gets disconnected. Setting to 0 will cause the scheduling to be - # disabled, i.e. it will be scheduled immediately (with jitter. - # Otherwise, the scheduling interval will be used such that one client - # reconnect for this server will be handled every reconnectIntervalMs ms using - # a FIFO queue. - # Default: 5000 (5 seconds) - reconnectIntervalMs: 5000 - # The number of concurrent reconnects if a user has been disconnected unexpectedly - # (e.g. a netsplit). You should set this to a reasonably high number so that - # bridges are not waiting an eternity to reconnect all its clients if - # we see a massive number of disconnect. This is unrelated to the reconnectIntervalMs - # setting above which is for connecting on restart of the bridge. Set to 0 to - # immediately try to reconnect all users. - # Default: 50 - concurrentReconnectLimit: 50 - # The number of lines to allow being sent by the IRC client that has received - # a large block of text to send from matrix. If the number of lines that would - # be sent is > lineLimit, the text will instead be uploaded to matrix and the - # resulting URI is treated as a file. 
As such, a link will be sent to the IRC - # side instead of potentially spamming IRC and getting the IRC client kicked. - # Default: 3. - lineLimit: 3 - # A list of user modes to set on every IRC client. For example, "RiG" would set - # +R, +i and +G on every IRC connection when they have successfully connected. - # User modes vary wildly depending on the IRC network you're connecting to, - # so check before setting this value. Some modes may not work as intended - # through the bridge e.g. caller ID as there is no way to /ACCEPT. - # Default: "" (no user modes) - # userModes: "R" - # Set information about the bridged channel in the room state, so that client's may - # present relevant UI to the user. MSC2346 - bridgeInfoState: - enabled: true - initial: true - # Configuration for an ident server. If you are running a public bridge it is - # advised you setup an ident server so IRC mods can ban specific matrix users - # rather than the application service itself. - ident: - # True to listen for Ident requests and respond with the - # matrix user's user_id (converted to ASCII, respecting RFC 1413). - # Default: false. - enabled: false - # The port to listen on for incoming ident requests. - # Ports below 1024 require root to listen on, and you may not want this to - # run as root. Instead, you can get something like an Apache to yank up - # incoming requests to 113 to a high numbered port. Set the port to listen - # on instead of 113 here. - # Default: 113. - port: 1113 - # The address to listen on for incoming ident requests. - # Default: 0.0.0.0 - address: "::" - - # Configuration for logging. Optional. Default: console debug level logging - # only. - logging: - # Level to log on console/logfile. One of error|warn|info|debug - level: "debug" - # The file location to log to. This is relative to the project directory. - logfile: "debug.log" - # The file location to log errors to. This is relative to the project - # directory. 
- errfile: "errors.log" - # Whether to log to the console or not. - toConsole: true - # The max number of files to keep. Files will be overwritten eventually due - # to rotations. - maxFiles: 5 - - # Metrics will then be available via GET /metrics on the bridge listening port (-p). - metrics: - # Whether to actually enable the metric endpoint. Default: false - enabled: true - # When collecting remote user active times, which "buckets" should be used. Defaults are given below. - # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). - remoteUserAgeBuckets: - - "1h" - - "1d" - - "1w" - - # Configuration options for the debug HTTP API. To access this API, you must - # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests. - # - # The debug API exposes the following endpoints: - # - # GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID. - # - # POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection. - # Format: new line delimited commands as per IRC protocol. - # - debugApi: - # True to enable the HTTP API endpoint. Default: false. - enabled: false - # The port to host the HTTP API. - port: 11100 - - # Configuration for the provisioning API. - # - # GET /_matrix/provision/link - # GET /_matrix/provision/unlink - # GET /_matrix/provision/listlinks - # - provisioning: - # True to enable the provisioning HTTP endpoint. Default: false. - enabled: false - # The number of seconds to wait before giving up on getting a response from - # an IRC channel operator. If the channel operator does not respond within the - # allotted time period, the provisioning request will fail. - # Default: 300 seconds (5 mins) - requestTimeoutSeconds: 300 - # A file defining the provisioning rules for rooms. Format is documented - # in rules.sample.yaml. Leave undefined to not specify any rules. 
- ruleFile: "./provisioning.rules.yaml" - # Watch the file for changes, and apply the rules. Default: false - enableReload: true - - # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot - # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in - # the database. - # - # To generate a .pem file: - # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 - # - # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords - # for storage in the database. Passwords are stored by using the admin room command - # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of - # the Matrix user, this password will be sent as the server password (PASS command). - passwordEncryptionKeyPath: "/data/passkey.pem" - - # Config for Matrix -> IRC bridging - matrixHandler: - # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). - eventCacheSize: 4096 - - ircHandler: - # How many /leave requests can be ongoing at a time. - # This is used to stem the flow of requests in case of a mass quit/leave, which might - # slow down the homeserver. - leaveConcurrency: 10 - # Should we attempt to match an IRC side mention (nickaname match) - # with the nickname's owner's matrixId, if we are bridging them? - # "on" - Defaults to enabled, users can choose to disable. - # "off" - Defaults to disabled, users can choose to enable. - # "force-off" - Disabled, cannot be enabled. - mapIrcMentionsToMatrix: "on" # This can be "on", "off", "force-off". -# Options here are generally only applicable to large-scale bridges and may have -# consequences greater than other options in this configuration file. -advanced: - # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited - # however for large bridges it is important to rate limit the bridge to avoid - # accidentally overloading the homeserver. 
Defaults to 1000, which should be - # enough for the vast majority of use cases. - maxHttpSockets: 1000 - # Max size of an appservice transaction payload, in bytes. Defaults to 10Mb - maxTxnSize: 10000000 - -# Capture information to a sentry.io instance -sentry: - enabled: false - dsn: "https://@sentry.io/" - # Optional. A tag to specify the production environment. Not set by default - # environment: "" - # Optional. A tag to specify the server name. Not set by default - # serverName: "" - -# Use an external database to store bridge state. -database: - # database engine (must be 'postgres' or 'nedb'). Default: nedb - engine: "nedb" - # Either a PostgreSQL connection string, or a path to the NeDB storage directory. - # For postgres, it must start with postgres:// - # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: "nedb:///db/storage.db" - diff --git a/matrix-appservice-irc/irc-registration.yaml b/matrix-appservice-irc/irc-registration.yaml deleted file mode 100644 index 4c8c304..0000000 --- a/matrix-appservice-irc/irc-registration.yaml +++ /dev/null @@ -1,20 +0,0 @@ -id: 8932b3435f0dbb697307801fbcaedad2da2d29fa71c30d70ef433a21c0585db6 -hs_token: 711663d558bd4be0d41976a89347e86b14f7addcb15b661b14101e1f83196a53 -as_token: d81e0ccf5435cca28ee0140ccef48cf935810f95836865dc7014353c15e4a0fa -namespaces: - users: - - exclusive: true - regex: '@.*_irc:matrix\.ocf\.berkeley\.edu' - aliases: - - exclusive: true - regex: '#.*:matrix\.ocf\.berkeley\.edu' - rooms: - - exclusive: false - regex: '!YAkpfBukqCvewVzbVb:matrix.ocf.berkeley.edu' - - exclusive: false - regex: '!zEhTjofIhaNlSpzxlN:matrix.ocf.berkeley.edu' -url: 'http://matrix-bridge-service.app-matrix.svc.cluster.local:9995' -sender_localpart: matrix-bridge -rate_limited: false -protocols: - - irc From b46b3b4684653ea302eb8e98dfd2a7e14ebf90c3 Mon Sep 17 00:00:00 2001 
From: encadyma Date: Wed, 29 Apr 2020 22:42:46 -0700 Subject: [PATCH 12/23] Clean up + template redundancies --- Dockerfile.bridge | 2 -- Dockerfile.matrix | 3 --- kubernetes/bridge.yml.erb | 2 +- kubernetes/riot.yml.erb | 2 +- kubernetes/synapse.yml.erb | 2 +- 5 files changed, 3 insertions(+), 8 deletions(-) diff --git a/Dockerfile.bridge b/Dockerfile.bridge index d8fdbc7..6c2092b 100644 --- a/Dockerfile.bridge +++ b/Dockerfile.bridge @@ -1,4 +1,2 @@ ARG bridge_version=latest FROM matrixdotorg/matrix-appservice-irc:${bridge_version} - -# TODO: Deprecate this Dockerfile diff --git a/Dockerfile.matrix b/Dockerfile.matrix index b761436..6427ebf 100644 --- a/Dockerfile.matrix +++ b/Dockerfile.matrix @@ -1,5 +1,2 @@ ARG synapse_version=latest FROM matrixdotorg/synapse:${synapse_version} - -# COPY homeserver.yaml /etc/matrix/homeserver.yaml -# COPY matrix-appservice-irc/irc-registration.yaml /etc/matrix/irc-registration.yaml diff --git a/kubernetes/bridge.yml.erb b/kubernetes/bridge.yml.erb index 396b1fd..9ebf43e 100644 --- a/kubernetes/bridge.yml.erb +++ b/kubernetes/bridge.yml.erb @@ -28,7 +28,7 @@ spec: spec: containers: - name: matrix-appservice-irc - image: "docker.ocf.berkeley.edu/matrix-appservice-irc:matrix-testing-kmo" + image: "docker.ocf.berkeley.edu/matrix-appservice-irc:<%= version %>" ports: - containerPort: 9995 volumeMounts: diff --git a/kubernetes/riot.yml.erb b/kubernetes/riot.yml.erb index b9cded6..a11f81a 100644 --- a/kubernetes/riot.yml.erb +++ b/kubernetes/riot.yml.erb @@ -31,7 +31,7 @@ spec: app: riot spec: containers: - - image: "docker.ocf.berkeley.edu/riot:matrix-testing-kmo" + - image: "docker.ocf.berkeley.edu/riot:<%= version %>" imagePullPolicy: IfNotPresent name: riot-web readinessProbe: diff --git a/kubernetes/synapse.yml.erb b/kubernetes/synapse.yml.erb index c266aea..f45a1b1 100644 --- a/kubernetes/synapse.yml.erb +++ b/kubernetes/synapse.yml.erb 
@@ -29,7 +29,7 @@ spec: containers: - name: matrix-synapse # TODO: replace with versions - image: "docker.ocf.berkeley.edu/synapse:matrix-testing-kmo" + image: "docker.ocf.berkeley.edu/synapse:<%= version %>" ports: - containerPort: 8008 volumeMounts: From 0a6da3fe43dbb56bc0e8de943a8ac16f10328dd6 Mon Sep 17 00:00:00 2001 From: encadyma Date: Thu, 30 Apr 2020 11:57:54 -0700 Subject: [PATCH 13/23] Explicitly give permissions for room publish/aliases --- kubernetes/secrets/synapse-config/homeserver.yaml.erb | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/kubernetes/secrets/synapse-config/homeserver.yaml.erb b/kubernetes/secrets/synapse-config/homeserver.yaml.erb index 0120789..15c7393 100644 --- a/kubernetes/secrets/synapse-config/homeserver.yaml.erb +++ b/kubernetes/secrets/synapse-config/homeserver.yaml.erb @@ -76,3 +76,14 @@ stats: bucket_size: 1d retention: 1y +alias_creation_rules: + - user_id: "*" + alias: "*" + room_id: "*" + action: allow + +room_list_publication_rules: + - user_id: "*" + alias: "*" + room_id: "*" + action: allow From 9da37abb479341e8ecadb3309646a7034952d6d6 Mon Sep 17 00:00:00 2001 From: encadyma Date: Thu, 30 Apr 2020 19:33:36 -0700 Subject: [PATCH 14/23] Check in log config, resolve YAML issues --- .gitignore | 4 +-- kubernetes/bridge.yml.erb | 2 +- .../synapse-config/homeserver.yaml.erb | 20 ++++--------- .../synapse-config/synapse.log.config.erb | 28 +++++++++++++++++++ kubernetes/synapse.yml.erb | 3 +- 5 files changed, 38 insertions(+), 19 deletions(-) create mode 100644 kubernetes/secrets/synapse-config/synapse.log.config.erb diff --git a/.gitignore b/.gitignore index 1c0af2f..b2ec6ce 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -*.pem -ocf-kubernetes-deploy-secret-*.erb +# Kubernetes deployment secrets +kubernetes/ocf-kubernetes-deploy-secret-*.erb secret.yaml diff --git a/kubernetes/bridge.yml.erb b/kubernetes/bridge.yml.erb index 9ebf43e..086538b 100644 --- a/kubernetes/bridge.yml.erb 
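Review bot: The `room_list_publication_rules` entry with `user_id: "*"` lets every local account publish any room to the public directory, and both stanzas appear to restate Synapse's permissive default when the sections are absent, so the hunk changes no behaviour but also records no intent. If the aim is only to let the IRC bridge publish the rooms it creates (the bridge config carried in this series has `dynamicChannels.published: true`), scoping the rule to the bridge's sender, `user_id: "@matrix-bridge:<server_name>"` where `matrix-bridge` is the registration's `sender_localpart`, is the least-privilege form. Synapse applies the first matching rule, so any narrower rule has to precede a wildcard one; a one-line comment above `alias_creation_rules` stating why publication is opened up would keep the next reader from tightening or loosening it blindly.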
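Review bot: Dropping `*.pem` from `.gitignore` removes the only guard against committing the RSA private key the bridge expects at `passwordEncryptionKeyPath: "/data/passkey.pem"` (visible in the bridge config deleted earlier in this series), and the narrowed `kubernetes/ocf-kubernetes-deploy-secret-*.erb` pattern no longer covers a rendered secret left at the repository root. Keep `*.pem` as its own line next to the new pattern unless the key is guaranteed to be generated outside the checkout, and say which in the comment.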
+++ b/kubernetes/bridge.yml.erb @@ -13,7 +13,7 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: matrix-bridge-deployment + name: matrix-bridge labels: app: matrix-bridge spec: diff --git a/kubernetes/secrets/synapse-config/homeserver.yaml.erb b/kubernetes/secrets/synapse-config/homeserver.yaml.erb index 15c7393..7b33f2f 100644 --- a/kubernetes/secrets/synapse-config/homeserver.yaml.erb +++ b/kubernetes/secrets/synapse-config/homeserver.yaml.erb @@ -25,13 +25,7 @@ listeners: admin_contact: 'mailto:help@ocf.berkeley.edu' acme: - enabled: false - port: 80 - bind_addresses: ['::', '0.0.0.0'] - reprovision_threshold: 30 - # FIXME: is this acme section necessary? - domain: matrix.example.com - account_key_file: /etc/matrix-shared/acme_account.key + enabled: false # TODO: Change to Postgres database: @@ -39,7 +33,7 @@ database: args: database: "/data/homeserver.db" -log_config: "/data/matrix.ocf.berkeley.edu.log.config" +log_config: "/etc/matrix-synapse/synapse.log.config" media_store_path: "/data/media_store" enable_registration: false @@ -49,15 +43,13 @@ enable_metrics: true report_stats: false app_service_config_files: - - /etc/matrix-bridge/appservice-registration-irc.yaml + - /etc/matrix-bridge/appservice-registration-irc.yaml macaroon_secret_key: "<%= macaroon_secret_key %>" form_secret: "<%= form_secret %>" signing_key_path: "/etc/matrix-shared/matrix.ocf.berkeley.edu.signing.key" -old_signing_keys: - # TODO: populate this section with the old key trusted_key_servers: - server_name: "matrix.org" @@ -72,9 +64,9 @@ password_config: enabled: false stats: - enabled: true - bucket_size: 1d - retention: 1y + enabled: true + bucket_size: 1d + retention: 1y alias_creation_rules: - user_id: "*" diff --git a/kubernetes/secrets/synapse-config/synapse.log.config.erb b/kubernetes/secrets/synapse-config/synapse.log.config.erb new file mode 100644 index 0000000..cbec180 --- /dev/null +++ b/kubernetes/secrets/synapse-config/synapse.log.config.erb 
@@ -0,0 +1,28 @@ +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.logging.context.LoggingContextFilter + request: "" + +handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: INFO + +root: + level: INFO + handlers: [console] + +disable_existing_loggers: false \ No newline at end of file diff --git a/kubernetes/synapse.yml.erb b/kubernetes/synapse.yml.erb index f45a1b1..165da0c 100644 --- a/kubernetes/synapse.yml.erb +++ b/kubernetes/synapse.yml.erb @@ -13,7 +13,7 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: matrix-deployment + name: matrix-synapse labels: app: matrix spec: @@ -28,7 +28,6 @@ spec: spec: containers: - name: matrix-synapse - # TODO: replace with versions image: "docker.ocf.berkeley.edu/synapse:<%= version %>" ports: - containerPort: 8008 From 0076237ec60e9edcbe6afd355fd36d620ea3f589 Mon Sep 17 00:00:00 2001 From: Kevin Mo Date: Thu, 30 Apr 2020 20:06:02 -0700 Subject: [PATCH 15/23] Patch Dockerfiles Dockerfile.bridge -> ENTRYPOINT to CMD for more flexibility with the image later. Dockerfile.matrix -> Synapse log config has been patched into the image itself. --- Dockerfile.bridge | 4 ++++ Dockerfile.matrix | 2 ++ kubernetes/secrets/synapse-config/homeserver.yaml.erb | 2 +- .../synapse.log.config.erb => synapse.log.config | 0 4 files changed, 7 insertions(+), 1 deletion(-) rename kubernetes/secrets/synapse-config/synapse.log.config.erb => synapse.log.config (100%) diff --git a/Dockerfile.bridge b/Dockerfile.bridge index 6c2092b..c11edf3 100644 --- a/Dockerfile.bridge +++ b/Dockerfile.bridge 
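Review bot: The new `synapse.log.config.erb` ends without a trailing newline (`\ No newline at end of file`) and, despite the `.erb` extension and its place under `secrets/synapse-config`, contains no ERB expressions or secret material, which is worth a one-line comment at the top so the file is not handled as sensitive. The comment on `synapse.storage.SQL` is the right kind of note; `filters.context.request: ""` looks like the upstream sample's placeholder, and a short comment saying it is intentionally empty would save a question later.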
@@ -1,2 +1,6 @@ ARG bridge_version=latest FROM matrixdotorg/matrix-appservice-irc:${bridge_version} + +# Unset ENTRYPOINT for easier operability in the image +ENTRYPOINT [] +CMD ["/app/docker/start.sh"] diff --git a/Dockerfile.matrix b/Dockerfile.matrix index 6427ebf..10f6f87 100644 --- a/Dockerfile.matrix +++ b/Dockerfile.matrix @@ -1,2 +1,4 @@ ARG synapse_version=latest FROM matrixdotorg/synapse:${synapse_version} + +COPY synapse.log.config /etc/matrix/synapse.log.config diff --git a/kubernetes/secrets/synapse-config/homeserver.yaml.erb b/kubernetes/secrets/synapse-config/homeserver.yaml.erb index 7b33f2f..2e7aa04 100644 --- a/kubernetes/secrets/synapse-config/homeserver.yaml.erb +++ b/kubernetes/secrets/synapse-config/homeserver.yaml.erb @@ -33,7 +33,7 @@ database: args: database: "/data/homeserver.db" -log_config: "/etc/matrix-synapse/synapse.log.config" +log_config: "/etc/matrix/synapse.log.config" media_store_path: "/data/media_store" enable_registration: false diff --git a/kubernetes/secrets/synapse-config/synapse.log.config.erb b/synapse.log.config similarity index 100% rename from kubernetes/secrets/synapse-config/synapse.log.config.erb rename to synapse.log.config From fa9b7bd3451f1e2fdaa2c52c61de2e6ddfaa6a46 Mon Sep 17 00:00:00 2001 From: Kevin Mo Date: Thu, 30 Apr 2020 22:47:35 -0700 Subject: [PATCH 16/23] Move appservice-registration.irc.yaml.erb -> synapse-config --- Jenkinsfile | 2 +- .../appservice-registration-irc.yaml.erb | 0 kubernetes/secrets/synapse-config/homeserver.yaml.erb | 2 +- kubernetes/synapse.yml.erb | 6 ------ 4 files changed, 2 insertions(+), 8 deletions(-) rename kubernetes/secrets/{bridge-config => synapse-config}/appservice-registration-irc.yaml.erb (100%) diff --git a/Jenkinsfile b/Jenkinsfile index 7dae52e..7b2d3f1 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,5 +1,5 @@ servicePipeline( - upstreamProjects: ['dockers/master'], + upstreamProjects: [], ) // vim: ft=groovy 
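Review bot: `ENTRYPOINT []` discards whatever entrypoint the upstream `matrixdotorg/matrix-appservice-irc` image defines, and `CMD ["/app/docker/start.sh"]` hard-codes a path inside that image, so the build now depends on that script existing at that path in every `bridge_version` used; a comment above `ENTRYPOINT []` naming the upstream entrypoint being replaced, and why an empty one is preferred, would let the next upgrader re-check it. The `ARG bridge_version=latest` default on the context line means a build run without `--build-arg` silently tracks an unpinned tag; dropping the default (`ARG bridge_version`) makes such a build fail loudly instead.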
diff --git a/kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb b/kubernetes/secrets/synapse-config/appservice-registration-irc.yaml.erb similarity index 100% rename from kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb rename to kubernetes/secrets/synapse-config/appservice-registration-irc.yaml.erb diff --git a/kubernetes/secrets/synapse-config/homeserver.yaml.erb b/kubernetes/secrets/synapse-config/homeserver.yaml.erb index 2e7aa04..98cf246 100644 --- a/kubernetes/secrets/synapse-config/homeserver.yaml.erb +++ b/kubernetes/secrets/synapse-config/homeserver.yaml.erb @@ -43,7 +43,7 @@ enable_metrics: true report_stats: false app_service_config_files: - - /etc/matrix-bridge/appservice-registration-irc.yaml + - /etc/matrix-synapse/appservice-registration-irc.yaml macaroon_secret_key: "<%= macaroon_secret_key %>" diff --git a/kubernetes/synapse.yml.erb b/kubernetes/synapse.yml.erb index 165da0c..8bfeee9 100644 --- a/kubernetes/synapse.yml.erb +++ b/kubernetes/synapse.yml.erb @@ -37,9 +37,6 @@ spec: - name: synapse-config mountPath: /etc/matrix-synapse readOnly: true - - name: bridge-config - mountPath: /etc/matrix-bridge - readOnly: true - name: matrix-secrets mountPath: /etc/matrix-shared readOnly: true @@ -53,9 +50,6 @@ spec: - name: synapse-config secret: secretName: synapse-config - - name: bridge-config - secret: - secretName: bridge-config - name: matrix-secrets hostPath: path: /opt/share/kubernetes/secrets/matrix From 8593634d7e6c455f1edba53e1d49f235d73b85e7 Mon Sep 17 00:00:00 2001 From: encadyma Date: Thu, 30 Apr 2020 23:21:01 -0700 Subject: [PATCH 17/23] Enable federation on Matrix server Co-authored-by: Nikhil Jha --- config.riot.json | 6 +++--- kubernetes/secrets/synapse-config/homeserver.yaml.erb | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/config.riot.json b/config.riot.json index bd6bd85..0ee78a5 100644 --- a/config.riot.json +++ b/config.riot.json 
@@ -2,7 +2,7 @@ "default_server_config": { "m.homeserver": { "base_url": "https://matrix.ocf.berkeley.edu", - "server_name": "matrix.ocf.berkeley.edu" + "server_name": "ocf.berkeley.edu" }, "m.identity_server": { "base_url": "https://vector.im" @@ -35,11 +35,11 @@ "default_theme": "dark", "roomDirectory": { "servers": [ - "matrix.ocf.berkeley.edu", + "ocf.berkeley.edu", "matrix.org" ] }, "enable_presence_by_hs_url": { "https://matrix.org": false } -} \ No newline at end of file +} diff --git a/kubernetes/secrets/synapse-config/homeserver.yaml.erb b/kubernetes/secrets/synapse-config/homeserver.yaml.erb index 98cf246..758be2c 100644 --- a/kubernetes/secrets/synapse-config/homeserver.yaml.erb +++ b/kubernetes/secrets/synapse-config/homeserver.yaml.erb @@ -1,4 +1,4 @@ -server_name: "matrix.ocf.berkeley.edu" +server_name: "ocf.berkeley.edu" pid_file: /data/homeserver.pid public_baseurl: https://matrix.ocf.berkeley.edu/ @@ -49,7 +49,7 @@ macaroon_secret_key: "<%= macaroon_secret_key %>" form_secret: "<%= form_secret %>" -signing_key_path: "/etc/matrix-shared/matrix.ocf.berkeley.edu.signing.key" +signing_key_path: "/etc/matrix-shared/ocf.berkeley.edu.signing.key" trusted_key_servers: - server_name: "matrix.org" From b3e56ab80f6dbdea5d9a73ee1ae9bb9e0ff4fbaf Mon Sep 17 00:00:00 2001 From: encadyma Date: Thu, 30 Apr 2020 23:58:54 -0700 Subject: [PATCH 18/23] Template in Postgres and add sample secrets file --- kubernetes/secrets/bridge-config/config.yaml.erb | 4 ++-- .../secrets/synapse-config/homeserver.yaml.erb | 11 ++++++++--- secret.sample.yaml | 14 ++++++++++++++ 3 files changed, 24 insertions(+), 5 deletions(-) create mode 100644 secret.sample.yaml diff --git a/kubernetes/secrets/bridge-config/config.yaml.erb b/kubernetes/secrets/bridge-config/config.yaml.erb index 9f970e6..48c4b0c 100644 --- a/kubernetes/secrets/bridge-config/config.yaml.erb +++ b/kubernetes/secrets/bridge-config/config.yaml.erb 
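Review bot: Changing `server_name` to `ocf.berkeley.edu` on a homeserver that has already run is not a rename: user IDs, room IDs and federation signatures are bound to the old name, so this must only be rolled out against a fresh database (the Postgres switch in the next commit may be that) and never over the existing sqlite `/data/homeserver.db`. With `public_baseurl` still `https://matrix.ocf.berkeley.edu/`, other servers will only reach this one if `ocf.berkeley.edu` delegates via `/.well-known/matrix/server` or an SRV record; the `misc/well-known` file created at the start of the series may be that, but a comment above `server_name` naming the delegation mechanism would make the dependency explicit. The `signing_key_path` change likewise requires `ocf.berkeley.edu.signing.key` to be present under the `/etc/matrix-shared` hostPath before the pod restarts, since the key under the previous name will no longer be read.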
@@ -103,6 +103,6 @@ sentry:
dsn: "https://@sentry.io/"
database:
- engine: "nedb"
- connectionString: "nedb:///db/storage.db"
+ engine: "postgres"
+ connectionString: "postgres://<%= postgres_user %>:<%= postgres_password %>@<%= postgres_host %>:<%= postgres_port %>/<%= postgres_db_bridge %>"
diff --git a/kubernetes/secrets/synapse-config/homeserver.yaml.erb b/kubernetes/secrets/synapse-config/homeserver.yaml.erb
index 758be2c..c6c34eb 100644
--- a/kubernetes/secrets/synapse-config/homeserver.yaml.erb
+++ b/kubernetes/secrets/synapse-config/homeserver.yaml.erb
@@ -27,11 +27,16 @@ admin_contact: 'mailto:help@ocf.berkeley.edu'
acme:
enabled: false
-# TODO: Change to Postgres
database:
- name: "sqlite3"
+ name: "psycopg2"
args:
- database: "/data/homeserver.db"
+ user: <%= postgres_user %>
+ password: <%= postgres_pass %>
+ database: <%= postgres_db_synapse %>
+ host: <%= postgres_host %>
+ port: <%= postgres_port %>
+ cp_min: 5
+ cp_max: 10
log_config: "/etc/matrix/synapse.log.config"
diff --git a/secret.sample.yaml b/secret.sample.yaml
new file mode 100644
index 0000000..8ee5ac9
--- /dev/null
+++ b/secret.sample.yaml
@@ -0,0 +1,14 @@
+registration_shared_secret: ""
+macaroon_secret_key: ""
+form_secret: ""
+
+bridge_id: ""
+bridge_hs_token: ""
+bridge_as_token: ""
+
+postgres_user: "ocf_matrix"
+postgres_host: "postgres.ocf.berkeley.edu"
+postgres_port: 5432
+postgres_db_synapse: "ocf_synapse"
+postgres_db_bridge: "ocf_matrix_bridge"
+postgres_pass: ""
From 4c0c9b532c319a601a97a0973c8e5997f4dababa Mon Sep 17 00:00:00 2001 From: Kevin Mo Date: Fri, 1 May 2020 00:39:03 -0700 Subject: [PATCH 19/23] Federation for bridge
--- kubernetes/secrets/bridge-config/config.yaml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/secrets/bridge-config/config.yaml.erb b/kubernetes/secrets/bridge-config/config.yaml.erb
index 48c4b0c..fe3d29c 100644
--- a/kubernetes/secrets/bridge-config/config.yaml.erb
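Review bot: The bridge `connectionString` interpolates `<%= postgres_password %>`, but the `secret.sample.yaml` added in the same commit defines `postgres_pass` (the synapse section uses that name), so the rendered URL gets an empty password or the render fails, depending on how the renderer treats unknown keys; the names need to agree, e.g. `<%= postgres_pass %>`. The password is also embedded raw in a URL, so any reserved character in it (`@`, `/`, `:`, `#`, `%`) breaks parsing; URL-encode it at render time (`ERB::Util.url_encode` if the renderer exposes Ruby's ERB utilities) or document above the line that the value must stay URL-safe.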
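Review bot: The new `database.args` values are plain templated scalars (`user: <%= postgres_user %>`, `password: <%= postgres_pass %>`), so an empty secret renders to a bare `password:` which YAML reads as null, and a password containing `: ` or ` #` or starting with a YAML indicator is mis-parsed; quote them, `password: "<%= postgres_pass %>"`, as this file already does for `macaroon_secret_key` and `form_secret`. The same applies to `user`, `database` and `host`, which can all be quoted the same way without changing what psycopg2 receives.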
+++ b/kubernetes/secrets/bridge-config/config.yaml.erb @@ -1,6 +1,6 @@ homeserver: url: "https://matrix.ocf.berkeley.edu" - domain: "matrix.ocf.berkeley.edu" + domain: "ocf.berkeley.edu" enablePresence: false bindPort: 9995 From a1643a2a7fe7a37d26ce329233e3813e886ffd0a Mon Sep 17 00:00:00 2001 From: encadyma Date: Fri, 1 May 2020 00:46:25 -0700 Subject: [PATCH 20/23] Drop bridge volume --- kubernetes/bridge.yml.erb | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/kubernetes/bridge.yml.erb b/kubernetes/bridge.yml.erb index 086538b..ad0d13e 100644 --- a/kubernetes/bridge.yml.erb +++ b/kubernetes/bridge.yml.erb @@ -32,8 +32,6 @@ spec: ports: - containerPort: 9995 volumeMounts: - - name: bridge-vol - mountPath: /db - name: matrix-secrets mountPath: /etc/matrix-shared readOnly: true @@ -41,9 +39,6 @@ spec: mountPath: /data readOnly: true volumes: - - name: bridge-vol - persistentVolumeClaim: - claimName: matrix-bridge-vol - name: matrix-secrets hostPath: path: /opt/share/kubernetes/secrets/matrix @@ -51,15 +46,3 @@ spec: - name: bridge-config secret: secretName: bridge-config ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: matrix-bridge-vol -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 10Gi - storageClassName: managed-nfs-storage From 4f96a4b734f04adcfb26b56babeaa2e06e79d5c9 Mon Sep 17 00:00:00 2001 From: encadyma Date: Fri, 1 May 2020 02:12:08 -0700 Subject: [PATCH 21/23] Largest commit for Matrix yet --- kubernetes/bridge.yml.erb | 1 + .../appservice-registration-irc.yaml.erb | 0 .../secrets/bridge-config/config.yaml.erb | 2 +- .../synapse-config/homeserver.yaml.erb | 7 ++++--- kubernetes/synapse.yml.erb | 7 +++++++ secret.sample.yaml | 19 ++++++++++++------- 6 files changed, 25 insertions(+), 11 deletions(-) rename kubernetes/secrets/{synapse-config => bridge-config}/appservice-registration-irc.yaml.erb (100%) 
diff --git a/kubernetes/bridge.yml.erb b/kubernetes/bridge.yml.erb index ad0d13e..66190df 100644 --- a/kubernetes/bridge.yml.erb +++ b/kubernetes/bridge.yml.erb @@ -29,6 +29,7 @@ spec: containers: - name: matrix-appservice-irc image: "docker.ocf.berkeley.edu/matrix-appservice-irc:<%= version %>" + imagePullPolicy: Always ports: - containerPort: 9995 volumeMounts: diff --git a/kubernetes/secrets/synapse-config/appservice-registration-irc.yaml.erb b/kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb similarity index 100% rename from kubernetes/secrets/synapse-config/appservice-registration-irc.yaml.erb rename to kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb diff --git a/kubernetes/secrets/bridge-config/config.yaml.erb b/kubernetes/secrets/bridge-config/config.yaml.erb index fe3d29c..0b0278d 100644 --- a/kubernetes/secrets/bridge-config/config.yaml.erb +++ b/kubernetes/secrets/bridge-config/config.yaml.erb @@ -104,5 +104,5 @@ sentry: database: engine: "postgres" - connectionString: "postgres://<%= postgres_user %>:<%= postgres_password %>@<%= postgres_host %>:<%= postgres_port %>/<%= postgres_db_bridge %>" + connectionString: "postgres://<%= postgres_user_bridge %>:<%= postgres_pass_bridge %>@<%= postgres_host %>:<%= postgres_port %>/<%= postgres_db_bridge %>?ssl=true" diff --git a/kubernetes/secrets/synapse-config/homeserver.yaml.erb b/kubernetes/secrets/synapse-config/homeserver.yaml.erb index c6c34eb..c9c8977 100644 --- a/kubernetes/secrets/synapse-config/homeserver.yaml.erb +++ b/kubernetes/secrets/synapse-config/homeserver.yaml.erb @@ -30,11 +30,12 @@ acme: database: name: "psycopg2" args: - user: <%= postgres_user %> - password: <%= postgres_pass %> + user: <%= postgres_user_synapse %> + password: <%= postgres_pass_synapse %> database: <%= postgres_db_synapse %> host: <%= postgres_host %> port: <%= postgres_port %> + sslmode: require cp_min: 5 cp_max: 10 
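Review bot: `sslmode: require` encrypts the Postgres connection but does not verify the server certificate, so a connection redirected away from `postgres.ocf.berkeley.edu` is still accepted; if the database host's CA is available to the pod, `sslmode: verify-full` with `sslrootcert: <PATH-TO-CA-BUNDLE>` also authenticates the peer (both are libpq parameters psycopg2 passes through). The bridge's `?ssl=true` in the same commit raises the same question — whether the bridge's `pg` driver verifies the certificate for that value depends on the driver version, so check rather than assume, and record the answer in a comment on each line. The templated `user`/`password` values here are still unquoted; `password: "<%= postgres_pass_synapse %>"` keeps an empty or special-character secret from being retyped by YAML.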
@@ -48,7 +49,7 @@ enable_metrics: true report_stats: false app_service_config_files: - - /etc/matrix-synapse/appservice-registration-irc.yaml + - /etc/matrix-bridge/appservice-registration-irc.yaml macaroon_secret_key: "<%= macaroon_secret_key %>" diff --git a/kubernetes/synapse.yml.erb b/kubernetes/synapse.yml.erb index 8bfeee9..b7426fe 100644 --- a/kubernetes/synapse.yml.erb +++ b/kubernetes/synapse.yml.erb @@ -29,6 +29,7 @@ spec: containers: - name: matrix-synapse image: "docker.ocf.berkeley.edu/synapse:<%= version %>" + imagePullPolicy: Always ports: - containerPort: 8008 volumeMounts: @@ -40,6 +41,9 @@ spec: - name: matrix-secrets mountPath: /etc/matrix-shared readOnly: true + - name: bridge-config + mountPath: /etc/matrix-bridge + readOnly: true env: - name: "SYNAPSE_CONFIG_PATH" value: "/etc/matrix-synapse/homeserver.yaml" @@ -50,6 +54,9 @@ spec: - name: synapse-config secret: secretName: synapse-config + - name: bridge-config + secret: + secretName: bridge-config - name: matrix-secrets hostPath: path: /opt/share/kubernetes/secrets/matrix diff --git a/secret.sample.yaml b/secret.sample.yaml index 8ee5ac9..7b7ac72 100644 --- a/secret.sample.yaml +++ b/secret.sample.yaml @@ -1,14 +1,19 @@ +### SYNAPSE ### + registration_shared_secret: "" macaroon_secret_key: "" form_secret: "" -bridge_id: "" -bridge_hs_token: "" -bridge_as_token: "" +### BRIDGE ### +bridge_id: "" +bridge_hs_token: "" +bridge_as_token: "" -postgres_user: "ocf_matrix" +postgres_user_synapse: "ocfmatrix" +postgres_user_bridge: "ocfmatrixbridge" postgres_host: "postgres.ocf.berkeley.edu" postgres_port: 5432 -postgres_db_synapse: "ocf_synapse" -postgres_db_bridge: "ocf_matrix_bridge" -postgres_pass: "" +postgres_db_synapse: "ocfmatrix" +postgres_db_bridge: "ocfmatrixbridge" +postgres_pass_synapse: "" +postgres_pass_bridge: "" From 97065cb3ee8b8d2638d3bdfd893f453f96f960e3 Mon Sep 17 00:00:00 2001 
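Review bot: Mounting the whole `bridge-config` Secret into the synapse pod at `/etc/matrix-bridge` hands synapse every key in that Secret, which in this series includes the bridge's config.yaml carrying the bridge database credentials (the `connectionString` with `postgres_pass_bridge`), while synapse only needs the registration file. Restrict the projection to that one key by adding under `secretName: bridge-config` the lines `items:` / `- key: appservice-registration-irc.yaml` / `path: appservice-registration-irc.yaml` (the key name is inferred from the path used in `app_service_config_files`; confirm it against how the Secret is built). `readOnly: true` on the mount is right but does not limit which keys are exposed; the `volumes:` list continues outside the hunk.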
From: encadyma Date: Fri, 1 May 2020 13:45:31 -0700 Subject: [PATCH 22/23] Update IRC bridge registration for federation --- .../bridge-config/appservice-registration-irc.yaml.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb b/kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb index 148211a..88fa1cb 100644 --- a/kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb +++ b/kubernetes/secrets/bridge-config/appservice-registration-irc.yaml.erb @@ -4,10 +4,10 @@ as_token: <%= bridge_as_token %> namespaces: users: - exclusive: true - regex: '@.*_irc:matrix\.ocf\.berkeley\.edu' + regex: '@.*_irc:ocf\.berkeley\.edu' aliases: - exclusive: true - regex: '#.*:matrix\.ocf\.berkeley\.edu' + regex: '#.*:ocf\.berkeley\.edu' url: 'http://matrix-bridge-service.app-matrix.svc.cluster.local:9995' sender_localpart: matrix-bridge rate_limited: false From 5747034d57f21347c1234c0fa23d6a607e18aea7 Mon Sep 17 00:00:00 2001 From: encadyma Date: Fri, 1 May 2020 13:59:03 -0700 Subject: [PATCH 23/23] Upgrade Synapse + IRC Bridge --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 0c5270c..3d280a0 100644 --- a/Makefile +++ b/Makefile @@ -4,9 +4,9 @@ SYNAPSE_DOCKER_TAG = docker-push.ocf.berkeley.edu/synapse:$(DOCKER_REVISION) BRIDGE_DOCKER_TAG = docker-push.ocf.berkeley.edu/matrix-appservice-irc:$(DOCKER_REVISION) RIOT_DOCKER_TAG = docker-push.ocf.berkeley.edu/riot:$(DOCKER_REVISION) -SYNAPSE_VERSION := v1.9.1-py3 +SYNAPSE_VERSION := v1.12.4-py3 RIOT_VERSION := v1.5.15 -BRIDGE_VERSION := release-0.17.0-rc3 +BRIDGE_VERSION := release-0.17.0-rc4 .PHONY: cook-image cook-image:
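Review bot: The aliases namespace `'#.*:ocf\.berkeley\.edu'` together with the `exclusive: true` context line claims every room alias on the homeserver for the bridge, so ordinary ocf.berkeley.edu users can no longer create aliases and any other appservice registering aliases will conflict; the move to the bare domain makes this apply to the whole server rather than the old matrix.* subdomain. If the bridge's alias template has a fixed prefix, narrow the regex to it, e.g. `regex: '#irc_.*:ocf\.berkeley\.edu'` (prefix is a placeholder; match it to `aliasTemplate` in the bridge config). The users regex `'@.*_irc:ocf\.berkeley\.edu'` has the same shape and, being exclusive, would also block any human account whose localpart ends in `_irc`.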
