magic_rb/dotfiles
1
0
Fork 0
mirror of https://git.sr.ht/~magic_rb/dotfiles synced 2024-11-21 23:54:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add the Matrix containers

Browse source 
Signed-off-by: Magic_RB <magic_rb@redalder.org>
This commit is contained in:
Magic_RB 2023-06-13 23:05:35 +02:00
parent b513a10c77
commit c1a727a699
16 changed files with 3899 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
flake.nix
View file

@ -47,6 +47,11 @@
nixos/systems/liveusb
nixos/systems/blowhole
nixng/containers/matrix/mautrix-signal
nixng/containers/matrix/mautrix-discord
nixng/containers/matrix/mautrix-facebook
nixng/containers/matrix/heisenbridge
nixng/containers/matrix/synapse
nixng/containers/website
nixng/containers/ds3os
overlays/udp-over-tcp.nix

36
nixng/containers/matrix/heisenbridge/default.nix Normal file
View file

@ -0,0 +1,36 @@
{ inputs, ... }:
{
flake.nixngConfigurations.heisenbridge = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "heisenbridge";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
getExe;
in
{
dumb-init = {
enable = true;
type.services = { };
};
init.services.heisenbridge = {
enabled = true;
# heisenbridge needs to retry the connection and task restarting does not work currently
shutdownOnExit = false;
script = pkgs.writeShellScript "heisenbridge" ''
REGISTRATION_FILE="/var/lib/registrations/heisenbridge.yaml"
${getExe pkgs.heisenbridge} 'https://matrix.redalder.org/' \
-c "$REGISTRATION_FILE" \
$([ -e "$REGISTRATION_FILE" ] || echo "--generate") \
-l 127.0.0.1 \
-p 9898 \
-o @magic_rb:matrix.redalder.org
'';
};
};
};
}

41
nixng/containers/matrix/mautrix-discord/default.nix Normal file
View file

@ -0,0 +1,41 @@
{ inputs, config, ... }:
{
flake.nixngConfigurations.mautrixDiscord = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-discord";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
dumb-init = {
enable = true;
type.services = { };
};
init.services.mautrix-discord = {
enabled = true;
shutdownOnExit = true;
script =
let
inherit (lib)
getExe;
mautrix-discord = (pkgs.appendOverlays [ config.flake.overlays.mautrix-discord ]).mautrix-discord;
in
pkgs.writeShellScript "mautrix-discord"
''
DATA_DIR="/var/lib/mautrix-discord"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-discord.yaml"
DB_FILE="$DATA_DIR/sqlite.db"
${getExe pkgs.envsubst} < ${./mautrix-discord.yaml} > "$CONFIG_FILE"
chmod 755 "$CONFIG_FILE"
[ -e "$REGISTRATION_FILE" ] || \
${getExe mautrix-discord} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
${getExe mautrix-discord} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
};
};
}

319
nixng/containers/matrix/mautrix-discord/mautrix-discord.yaml Normal file
View file

@ -0,0 +1,319 @@
# Homeserver details.
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://matrix.redalder.org
# Publicly accessible base URL for media, used for avatars in relay mode.
# If not set, the connection address above will be used.
public_address: null
# The domain of the homeserver (also known as server_name, used for MXIDs, etc).
domain: matrix.redalder.org
# What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's discord connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
async_media: false
# Application service host/registration related details.
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://localhost:29334
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29334
# Database config.
database:
# The database type. "sqlite3-fk-wal" and "postgres" are supported.
type: postgres
# The database URI.
# SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
# https://github.com/mattn/go-sqlite3#connection-string
# Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
# To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
uri: postgres://mautrix-discord:${MAUTRIX_DISCORD_APPSERVICE_DATABASE_PASSWORD}@127.0.0.1/mautrix-discord?sslmode=disable
# Maximum number of connections. Mostly relevant for Postgres.
max_open_conns: 20
max_idle_conns: 2
# Maximum connection idle time and lifetime before they're closed. Disabled if null.
# Parsed with https://pkg.go.dev/time#ParseDuration
max_conn_idle_time: null
max_conn_lifetime: null
# The unique ID of this appservice.
id: mudiscord
# Appservice bot details.
bot:
# Username of the appservice bot.
username: mudiscordbot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
displayname: Mautrix Discord bridge bot
avatar: mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
ephemeral_events: true
# Should incoming events be handled asynchronously?
# This may be necessary for large public instances with lots of messages going through.
# However, messages will not be guaranteed to be bridged in the same order they were sent in.
async_transactions: false
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: "${MAUTRIX_DISCORD_APPSERVICE_AS_TOKEN}"
hs_token: "${MAUTRIX_DISCORD_APPSERVICE_HS_TOKEN}"
# Bridge config
bridge:
# Localpart template of MXIDs for Discord users.
# {{.}} is replaced with the internal ID of the Discord user.
username_template: discord_{{.}}
# Displayname template for Discord users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
# Available variables:
# .ID - Internal user ID
# .Username - User's displayname on Discord
# .Discriminator - The 4 numbers after the name on Discord
# .Bot - Whether the user is a bot
# .System - Whether the user is an official system user
displayname_template: '{{.Username}}#{{.Discriminator}}{{if .Bot}} (bot){{end}}'
# Displayname template for Discord channels (bridged as rooms, or spaces when type=4).
# Available variables:
# .Name - Channel name, or user displayname (pre-formatted with displayname_template) in DMs.
# .ParentName - Parent channel name (used for categories).
# .GuildName - Guild name.
# .NSFW - Whether the channel is marked as NSFW.
# .Type - Channel type (see values at https://github.com/bwmarrin/discordgo/blob/v0.25.0/structs.go#L251-L267)
channel_name_template: '
{{- if or (eq .Type 3) (eq .Type 4) -}}
{{.Name -}}
{{- else if or (eq .Type 0) (eq .Type 2) -}}
{{ .Name}} - {{.ParentName}} - {{.GuildName}}
{{- else -}}
#{{.Name}}
{{- end -}}'
# Displayname template for Discord guilds (bridged as spaces).
# Available variables:
# .Name - Guild name
guild_name_template: '{{.Name}}'
# Whether to explicitly set the avatar and room name for private chat portal rooms.
# If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
# If set to `always`, all DM rooms will have explicit names and avatars set.
# If set to `never`, DM rooms will never have names and avatars set.
private_chat_portal_meta: default
portal_message_buffer: 128
# Number of private channel portals to create on bridge startup.
# Other portals will be created when receiving messages.
startup_private_channel_create_limit: 5
# Should the bridge send a read receipt from the bridge bot when a message has been sent to Discord?
delivery_receipts: false
# Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# Whether the bridge should send error notices via m.notice events when a message fails to bridge.
message_error_notices: true
# Should the bridge use space-restricted join rules instead of invite-only for guild rooms?
# This can avoid unnecessary invite events in guild rooms when members are synced in.
restricted_rooms: true
# Should the bridge automatically join the user to threads on Discord when the thread is opened on Matrix?
# This only works with clients that support thread read receipts (MSC3771 added in Matrix v1.4).
autojoin_thread_on_open: true
# Should inline fields in Discord embeds be bridged as HTML tables to Matrix?
# Tables aren't supported in all clients, but are the only way to emulate the Discord inline field UI.
embed_fields_as_tables: true
# Should guild channels be muted when the portal is created? This only meant for single-user instances,
# it won't mute it for all users if there are multiple Matrix users in the same Discord guild.
mute_channels_on_create: false
# Should the bridge update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it, except if the config file is not writable.
resend_bridge_info: false
# Should incoming custom emoji reactions be bridged as mxc:// URIs?
# If set to false, custom emoji reactions will be bridged as the shortcode instead, and the image won't be available.
custom_emoji_reactions: true
# Should the bridge attempt to completely delete portal rooms when a channel is deleted on Discord?
# If true, the bridge will try to kick Matrix users from the room. Otherwise, the bridge only makes ghosts leave.
delete_portal_on_channel_delete: false
# Should the bridge delete all portal rooms when you leave a guild on Discord?
# This only applies if the guild has no other Matrix users on this bridge instance.
delete_guild_on_leave: true
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: false
# Settings for converting animated stickers.
animated_sticker:
# Format to which animated stickers should be converted.
# disable - No conversion, send as-is (lottie JSON)
# png - converts to non-animated png (fastest)
# gif - converts to animated gif
# webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
# webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
target: webp
# Arguments for converter. All converters take width and height.
args:
width: 320
height: 320
fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
# Servers to always allow double puppeting from
double_puppet_server_map: {}
# example.com: https://example.com
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, double puppeting will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
login_shared_secret_map: {}
# example.com: foobar
# The prefix for commands. Only required in non-management rooms.
command_prefix: '!discord'
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: "Hello, I'm a Discord bridge bot."
# Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help or `login` to log in."
# Optional extra text sent when joining a management room.
additional_help: ""
# Settings for backfilling messages.
backfill:
# Limits for forward backfilling.
forward_limits:
# Initial backfill (when creating portal). 0 means backfill is disabled.
# A special unlimited value is not supported, you must set a limit. Initial backfill will
# fetch all messages first before backfilling anything, so high limits can take a lot of time.
initial:
dm: 0
channel: 0
# Missed message backfill (on startup).
# 0 means backfill is disabled, -1 means fetch all messages since last bridged message.
# When using unlimited backfill (-1), messages are backfilled as they are fetched.
# With limits, all messages up to the limit are fetched first and backfilled afterwards.
missed:
dm: 0
channel: 0
# Maximum members in a guild to enable backfilling. Set to -1 to disable limit.
# This can be used as a rough heuristic to disable backfilling in channels that are too active.
# Currently only applies to missed message backfill.
max_guild_members: -1
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
appservice: false
# Require encryption, drop any unencrypted messages.
require: false
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: false
# Options for deleting megolm sessions from the bridge.
delete_keys:
# Beeper-specific: delete outbound sessions when hungryserv confirms
# that the user has uploaded the key to key backup.
delete_outbound_on_ack: false
# Don't store outbound sessions in the inbound table.
dont_store_outbound: false
# Ratchet megolm sessions forward after decrypting messages.
ratchet_on_decrypt: false
# Delete fully used keys (index >= max_messages) after decrypting messages.
delete_fully_used_on_decrypt: false
# Delete previous megolm sessions from same device when receiving a new one.
delete_prev_on_new_session: false
# Delete megolm sessions received from a device when the device is deleted.
delete_on_device_delete: false
# Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
periodically_delete_expired: false
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
receive: unverified
# Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# Options for Megolm room key rotation. These options allow you to
# configure the m.room.encryption event content. See:
# https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# more information about that event.
rotation:
# Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is
# set.
enable_custom: false
# The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# Settings for provisioning API
provisioning:
# Prefix for the provisioning API paths.
prefix: /_matrix/provision
# Shared secret for authentication. If set to "generate", a random secret will be generated,
# or if set to "disable", the provisioning API will be disabled.
shared_secret: generate
# Permissions for using the bridge.
# Permitted values:
# relay - Talk through the relaybot (if enabled), no access otherwise
# user - Access to use the bridge to chat with a Discord account.
# admin - User level and some additional administration tools
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
"*": relay
"matrix.redalder.org": user
"@magic_rb:matrix.redalder.org": admin
# Logging config. See https://github.com/tulir/zeroconfig for details.
logging:
min_level: debug
writers:
- type: stdout
format: pretty-colored
- type: file
format: json
filename: ./logs/mautrix-discord.log
max_size: 100
max_backups: 10
compress: true

45
nixng/containers/matrix/mautrix-facebook/default.nix Normal file
View file

@ -0,0 +1,45 @@
{ inputs, ... }:
{
flake.nixngConfigurations.mautrixFacebook = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-facebook";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
dumb-init = {
enable = true;
type.services = { };
};
init.services.mautrix-facebook = {
enabled = true;
shutdownOnExit = true;
script =
let
mautrix-facebook = pkgs.mautrix-facebook.overridePythonAttrs (old: {
propagatedBuildInputs = singleton pkgs.python3.pkgs.aiosqlite ++ old.propagatedBuildInputs;
});
in
pkgs.writeShellScript "mautrix-facebook"
''
DATA_DIR="/var/lib/mautrix-facebook"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-facebook.yaml"
DB_FILE="$DATA_DIR/sqlite.db"
cp ${./mautrix-facebook.yaml} "$CONFIG_FILE" ; chmod 755 "$CONFIG_FILE"
${pkgs.sqlite}/bin/sqlite3 $DB_FILE '.databases ; .quit'
[ -e "$REGISTRATION_FILE" ] || \
${mautrix-facebook}/bin/mautrix-facebook -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
${mautrix-facebook}/bin/mautrix-facebook -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
};
};
}

433
nixng/containers/matrix/mautrix-facebook/mautrix-facebook.yaml Normal file
View file

@ -0,0 +1,433 @@
# Homeserver details
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://matrix.redalder.org
# The domain of the homeserver (for MXIDs, etc).
domain: matrix.redalder.org
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: true
# What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# Number of retries for all HTTP requests if the homeserver isn't reachable.
http_retry_count: 4
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Facebook MQTT connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# Whether asynchronous uploads via MSC2246 should be enabled for media.
# Requires a media repo that supports MSC2246.
async_media: false
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://localhost:29319
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29319
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are supported.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgres://username:password@hostname/dbname
database: sqlite:////var/lib/mautrix-facebook/sqlite.db
# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
# Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs).
database_opts:
min_size: 1
max_size: 10
# Public part of web server for out-of-Matrix interaction with the bridge.
public:
# Whether or not the public-facing endpoints should be enabled.
enabled: true
# The prefix to use in the public-facing endpoints.
prefix: /mufb
# The base URL where the public-facing endpoints are available. The prefix is not added
# implicitly.
external: https://matrix.redalder.org/mufb
# Shared secret for integration managers such as mautrix-manager.
# If set to "generate", a random string will be generated on the next startup.
# If null, integration manager access to the API will not be possible.
shared_secret: generate
# Allow logging in within Matrix. If false, users can only log in using the web interface.
allow_matrix_login: true
# Segment API key to enable analytics tracking for web server endpoints. Set to null to disable.
# Currently the only events are login start, success and fail.
segment_key: null
# Optional user_id to use when sending Segment events. If null, defaults to using mxID.
segment_user_id: null
# The unique ID of this appservice.
id: mufacebook
# Username of the appservice bot.
bot_username: mufacebookbot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: Mautrix Facebook bridge bot
bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: true
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
# as_token: "This value is generated when generating the registration"
# hs_token: "This value is generated when generating the registration"
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
listen_port: 8000
# Manhole config.
manhole:
# Whether or not opening the manhole is allowed.
enabled: false
# The path for the unix socket.
path: /var/tmp/mautrix-facebook.manhole
# The list of UIDs who can be added to the whitelist.
# If empty, any UIDs can be specified in the open-manhole command.
whitelist:
- 0
# Bridge config
bridge:
# Localpart template of MXIDs for Facebook users.
# {userid} is replaced with the user ID of the Facebook user.
username_template: "facebook_{userid}"
# Displayname template for Facebook users.
# {displayname} is replaced with the display name of the Facebook user
# as defined below in displayname_preference.
# Keys available for displayname_preference are also available here.
displayname_template: "{displayname} (FB)"
# Available keys:
# "name" (full name)
# "first_name"
# "last_name"
# "nickname"
# "own_nickname" (user-specific!)
displayname_preference:
- name
- first_name
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!fb"
# Whether or not the Facebook users of logged in Matrix users should be
# invited to private chats when the user sends a message from another client.
invite_own_puppet_to_pm: false
# Whether or not to use /sync to get presence, read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: false
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Servers to always allow double puppeting from
double_puppet_server_map: {}
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, custom puppets will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
# If using this for other servers than the bridge's server,
# you must also set the URL in the double_puppet_server_map.
login_shared_secret_map: {}
# Should presence from Facebook be bridged? This doesn't use the same API as the Android app,
# so it might be more suspicious to Facebook.
presence_from_facebook: false
# Whether or not to update avatars when syncing all contacts at startup.
update_avatar_initial_sync: true
# Whether or not the bridge should send a read receipt from the bridge bot when a message has
# been sent to Facebook.
delivery_receipts: false
# Whether or not delivery errors should be reported as messages in the Matrix room.
delivery_error_reports: true
# Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# Whether to allow inviting arbitrary mxids to portal rooms
allow_invites: false
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: true
# Settings for backfilling messages from Facebook.
backfill:
# Allow backfilling at all?
enable: true
# Use MSC2716 for backfilling? If this is disabled, backfilling only happens when syncing threads,
# and the incremental settings below don't apply.
#
# This requires a server with MSC2716 support, which is currently an experimental feature in Synapse.
# It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml.
msc2716: false
# Use double puppets for backfilling?
#
# If using MSC2716, the double puppets must be in the appservice's user ID namespace
# (because the bridge can't use the double puppet access token with batch sending).
#
# Even without MSC2716, bridging old messages with correct timestamps requires the double
# puppets to be in an appservice namespace, or the server to be modified to allow
# overriding timestamps anyway.
double_puppet_backfill: false
# The maximum number of conversations that should be synced.
# Other conversations will be backfilled on demand when the start PM
# provisioning endpoint is used or when a message comes in from that
# chat.
# If set to -1, all conversations will by synced.
max_conversations: 20
# The minimum amount of time to wait between syncing each thread. This
# helps avoid situations where you sync too quickly.
min_sync_thread_delay: 5
# If this value is greater than 0, then if the conversation's last
# message was more than this number of hours ago, then the conversation
# will automatically be marked it as read.
# Conversations that have a last message that is less than this number
# of hours ago will have their unread status synced from Facebook.
unread_hours_threshold: 0
# Settings for how quickly to backoff when rate-limits are encountered
# while backfilling.
backoff:
# How many seconds to wait after getting rate limited during a
# thread list fetch.
thread_list: 300
# How many seconds to wait after getting rate limited during a
# message history fetch.
message_history: 300
# Settings for backfills.
#
# During initial/incremental sync, the entirety of the thread that is
# available will be backfilled. For example, on initial sync, about 20
# messages are included for each thread in the thread list returned by
# the server. After that, incremental backfills will be run for each of
# the portals in a round-robin fashion until all portals have been
# backfilled as configured below.
incremental:
# The maximum number of pages to backfill per batch.
max_pages: 10
# The maximum number of total pages to backfill per portal.
# If set to -1, infinite pages will be synced.
max_total_pages: -1
# The number of seconds to wait between backfilling each page.
page_delay: 5
# The number of seconds to wait after backfilling the batch of
# messages.
post_batch_delay: 20
periodic_reconnect:
# Interval in seconds in which to automatically reconnect all users.
# This can be used to automatically mitigate the bug where Facebook stops sending messages.
# Set to -1 to disable periodic reconnections entirely.
# Set to a list of two items to randomize the interval (min, max).
interval: -1
# What to do in periodic reconnects. Either "refresh" or "reconnect"
mode: refresh
# Should even disconnected users be reconnected?
always: false
# Only reconnect if the user has been connected for longer than this value
min_connected_time: 0
# The number of seconds that a disconnection can last without triggering an automatic re-sync
# and missed message backfilling when reconnecting.
# Set to 0 to always re-sync, or -1 to never re-sync automatically.
resync_max_disconnected_time: 5
# The maximum number of conversations that should be synced when we get a
# message sync error. In general, 1 page (20) is sufficient.
max_startup_thread_sync_count: 20
# Whether or not temporary disconnections should send notices to the notice room.
# If this is false, disconnections will never send messages and connections will only send
# messages if it was disconnected for more than resync_max_disconnected_time seconds.
temporary_disconnect_notices: false
# Disable bridge notices entirely
disable_bridge_notices: false
# Should Matrix m.notice-type messages be bridged to Facebook?
bridge_matrix_notices: true
on_reconnection_fail:
# What to do if a reconnection attempt fails? Options: reconnect, refresh, null
action: reconnect
# Seconds to wait before attempting to refresh the connection, set a list of two items to
# to randomize the interval (min, max).
wait_for: 0
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it,
# except if the config file is not writable.
resend_bridge_info: false
# When using double puppeting, should muted chats be muted in Matrix?
mute_bridging: false
# Whether or not mute status and tags should only be bridged when the portal room is created.
tag_only_on_create: true
# If set to true, downloading media from the CDN will use a plain aiohttp client without the usual headers or
# other configuration. This may be useful if you don't want to use the default proxy for large files.
sandbox_media_download: false
# URL to call to retrieve a proxy URL from (defaults to the http_proxy environment variable).
get_proxy_api_url: null
# Whether to explicitly set the avatar and room name for private chat portal rooms.
# If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
# If set to `always`, all DM rooms will have explicit names and avatars set.
# If set to `never`, DM rooms will never have names and avatars set.
private_chat_portal_meta: default
# Disable generating reply fallbacks? Some extremely bad clients still rely on them,
# but they're being phased out and will be completely removed in the future.
disable_reply_fallbacks: false
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
appservice: false
# Require encryption, drop any unencrypted messages.
require: false
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: false
# Options for deleting megolm sessions from the bridge.
delete_keys:
# Beeper-specific: delete outbound sessions when hungryserv confirms
# that the user has uploaded the key to key backup.
delete_outbound_on_ack: false
# Don't store outbound sessions in the inbound table.
dont_store_outbound: false
# Ratchet megolm sessions forward after decrypting messages.
ratchet_on_decrypt: false
# Delete fully used keys (index >= max_messages) after decrypting messages.
delete_fully_used_on_decrypt: false
# Delete previous megolm sessions from same device when receiving a new one.
delete_prev_on_new_session: false
# Delete megolm sessions received from a device when the device is deleted.
delete_on_device_delete: false
# Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
periodically_delete_expired: false
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
receive: unverified
# Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# Options for Megolm room key rotation. These options allow you to
# configure the m.room.encryption event content. See:
# https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# more information about that event.
rotation:
# Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is
# set.
enable_custom: false
# The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# Permissions for using the bridge.
# Permitted values:
# relay - Allowed to be relayed through the bridge, no access to commands.
# user - Use the bridge with puppeting.
# admin - Use and administrate the bridge.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
"*": "relay"
"matrix.redalder.org": "user"
"@magic_rb:matrix.redalder.org": "admin"
relay:
# Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any
# authenticated user into a relaybot for that chat.
enabled: false
# The formats to use when sending messages to Messenger via a relay user.
#
# Available variables:
# $sender_displayname - The display name of the sender (e.g. Example User)
# $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
# $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
# $message - The message content
message_formats:
m.text: '<b>$sender_displayname</b>: $message'
m.notice: '<b>$sender_displayname</b>: $message'
m.emote: '* <b>$sender_displayname</b> $message'
m.file: '<b>$sender_displayname</b> sent a file'
m.image: '<b>$sender_displayname</b> sent an image'
m.audio: '<b>$sender_displayname</b> sent an audio file'
m.video: '<b>$sender_displayname</b> sent a video'
m.location: '<b>$sender_displayname</b> sent a location'
facebook:
device_seed: generate
default_region_hint: ODN
connection_type: WIFI
carrier: Verizon
hni: 311390
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): mautrix_facebook.util.ColorFormatter
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
normal:
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: normal
filename: ./mautrix-facebook.log
maxBytes: 10485760
backupCount: 10
console:
class: logging.StreamHandler
formatter: colored
loggers:
mau:
level: DEBUG
maufbapi:
level: DEBUG
paho:
level: INFO
aiohttp:
level: INFO
root:
level: DEBUG
handlers: [file, console]

46
nixng/containers/matrix/mautrix-signal/default.nix Normal file
View file

@ -0,0 +1,46 @@
{ inputs, ... }:
{
flake.nixngConfigurations.mautrixSignal = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-signal";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
dumb-init = {
enable = true;
type.services = { };
};
init.services.mautrix-signal = {
enabled = true;
shutdownOnExit = true;
script = pkgs.writeShellScript "mautrix-signal" ''
DATA_DIR="/var/lib/mautrix-signal"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-signal.yaml"
DB_FILE="$DATA_DIR/sqlite.db"
cp ${./mautrix-signal.yaml} "$CONFIG_FILE" ; chmod 755 "$CONFIG_FILE"
[ -e "$REGISTRATION_FILE" ] || \
${lib.getExe pkgs.mautrix-signal} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
${lib.getExe pkgs.mautrix-signal} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
init.services.signald = {
enabled = true;
shutdownOnExit = true;
script = pkgs.writeShellScript "signald" ''
DATA_DIR="/var/lib/signald"
SOCKET_PATH="/var/run/signald/signald.sock"
mkdir -p $(dirname $SOCKET_PATH)
export LANG=en_US.UTF-8
${lib.getExe pkgs.signald} -d $DATA_DIR -s $SOCKET_PATH
'';
};
};
};
}

372
nixng/containers/matrix/mautrix-signal/mautrix-signal.yaml Normal file
View file

@ -0,0 +1,372 @@
# Homeserver details
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://matrix.redalder.org
# The domain of the homeserver (also known as server_name, used for MXIDs, etc).
domain: matrix.redalder.org
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: true
# What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# Number of retries for all HTTP requests if the homeserver isn't reachable.
http_retry_count: 4
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# Maximum number of simultaneous HTTP connections to the homeserver.
connection_limit: 100
# Whether asynchronous uploads via MSC2246 should be enabled for media.
# Requires a media repo that supports MSC2246.
async_media: false
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://localhost:29328
# When using https:// the TLS certificate and key files for the address.
tls_cert: false
tls_key: false
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29328
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are supported.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgres://username:password@hostname/dbname
database: postgres://mautrix-signal@127.0.0.1/mautrix-signal
# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
# Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs).
database_opts:
min_size: 1
max_size: 10
# The unique ID of this appservice.
id: musignal
# Username of the appservice bot.
bot_username: musignalbot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: Mautrix Signal bridge bot
bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: true
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
# as_token: "This value is generated when generating the registration"
# hs_token: "This value is generated when generating the registration"
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
listen_port: 8000
# Manhole config.
manhole:
# Whether or not opening the manhole is allowed.
enabled: false
# The path for the unix socket.
path: /var/tmp/mautrix-signal.manhole
# The list of UIDs who can be added to the whitelist.
# If empty, any UIDs can be specified in the open-manhole command.
whitelist:
- 0
signal:
# Path to signald unix socket
socket_path: /var/run/signald/signald.sock
# Directory for temp files when sending files to Signal. This should be an
# absolute path that signald can read. For attachments in the other direction,
# make sure signald is configured to use an absolute path as the data directory.
outgoing_attachment_dir: /tmp
# Directory where signald stores avatars for groups.
avatar_dir: /var/lib/signald/avatars
# Directory where signald stores auth data. Used to delete data when logging out.
data_dir: /var/lib/signald/data
# Whether or not unknown signald accounts should be deleted when the bridge is started.
# When this is enabled, any UserInUse errors should be resolved by restarting the bridge.
delete_unknown_accounts_on_start: false
# Whether or not message attachments should be removed from disk after they're bridged.
remove_file_after_handling: true
# Whether or not users can register a primary device
registration_enabled: false
# Whether or not to enable disappearing messages in groups. If enabled, then the expiration
# time of the messages will be determined by the first users to read the message, rather
# than individually. If the bridge has a single user, this can be turned on safely.
enable_disappearing_messages_in_groups: false
# Bridge config
bridge:
# Localpart template of MXIDs for Signal users.
# {userid} is replaced with the UUID of the Signal user.
username_template: "signal_{userid}"
# Displayname template for Signal users.
# {displayname} is replaced with the displayname of the Signal user, which is the first
# available variable in displayname_preference. The variables in displayname_preference
# can also be used here directly.
displayname_template: "{displayname} (Signal)"
# Whether or not contact list displaynames should be used.
# Possible values: disallow, allow, prefer
#
# Multi-user instances are recommended to disallow contact list names, as otherwise there can
# be conflicts between names from different users' contact lists.
contact_list_names: disallow
# Available variables: full_name, first_name, last_name, phone, uuid
displayname_preference:
- full_name
- phone
# Whether or not to create portals for all groups on login/connect.
autocreate_group_portal: true
# Whether or not to create portals for all contacts on login/connect.
autocreate_contact_portal: false
# Whether or not to make portals of Signal groups in which joining via invite link does
# not need to be approved by an administrator publicly joinable on Matrix.
public_portals: false
# Whether or not to use /sync to get read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: false
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
double_puppet_server_map: {}
# example.com: https://example.com
# Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, custom puppets will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
# If using this for other servers than the bridge's server,
# you must also set the URL in the double_puppet_server_map.
login_shared_secret_map: {}
# example.com: foo
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: false
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
appservice: false
# Require encryption, drop any unencrypted messages.
require: false
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: false
# Options for deleting megolm sessions from the bridge.
delete_keys:
# Beeper-specific: delete outbound sessions when hungryserv confirms
# that the user has uploaded the key to key backup.
delete_outbound_on_ack: false
# Don't store outbound sessions in the inbound table.
dont_store_outbound: false
# Ratchet megolm sessions forward after decrypting messages.
ratchet_on_decrypt: false
# Delete fully used keys (index >= max_messages) after decrypting messages.
delete_fully_used_on_decrypt: false
# Delete previous megolm sessions from same device when receiving a new one.
delete_prev_on_new_session: false
# Delete megolm sessions received from a device when the device is deleted.
delete_on_device_delete: false
# Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
periodically_delete_expired: false
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix.
receive: unverified
# Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# Options for Megolm room key rotation. These options allow you to
# configure the m.room.encryption event content. See:
# https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# more information about that event.
rotation:
# Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is
# set.
enable_custom: false
# The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# Whether to explicitly set the avatar and room name for private chat portal rooms.
# If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
# If set to `always`, all DM rooms will have explicit names and avatars set.
# If set to `never`, DM rooms will never have names and avatars set.
private_chat_portal_meta: default
# Whether or not the bridge should send a read receipt from the bridge bot when a message has
# been sent to Signal. This let's you check manually whether the bridge is receiving your
# messages.
# Note that this is not related to Signal delivery receipts.
delivery_receipts: false
# Whether or not delivery errors should be reported as messages in the Matrix room.
delivery_error_reports: true
# Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it,
# except if the config file is not writable.
resend_bridge_info: false
# Interval at which to resync contacts (in seconds).
periodic_sync: 0
# Should leaving the room on Matrix make the user leave on Signal?
bridge_matrix_leave: true
# Should the bridge auto-create a group chat on Signal when a ghost is invited to a room?
# Requires the user to have sufficient power level and double puppeting enabled.
create_group_on_invite: true
hacky_contact_name_mixup_detection: false
# Provisioning API part of the web server for automated portal creation and fetching information.
# Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
provisioning:
# Whether or not the provisioning API should be enabled.
enabled: true
# The prefix to use in the provisioning API endpoints.
prefix: /_matrix/provision
# The shared secret to authorize users of the API.
# Set to "generate" to generate and save a new token.
shared_secret: generate
# Segment API key to enable analytics tracking for web server
# endpoints. Set to null to disable.
# Currently the only events are login start, QR code scan, and login
# success/failure.
segment_key: null
# Optional user_id to use when sending Segment events. If null, defaults to using mxID.
segment_user_id: null
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!signal"
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: "Hello, I'm a Signal bridge bot."
# Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help or `link` to log in."
# Optional extra text sent when joining a management room.
additional_help: ""
# Send each message separately (for readability in some clients)
management_room_multiple_messages: false
# Permissions for using the bridge.
# Permitted values:
# relay - Allowed to be relayed through the bridge, no access to commands.
# user - Use the bridge with puppeting.
# admin - Use and administrate the bridge.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
"*": "relay"
"matrix.redalder.org": "user"
"@magic_rb:matrix.redalder.org": "admin"
relay:
# Whether relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
# authenticated user into a relaybot for that chat.
enabled: false
# The formats to use when sending messages to Signal via a relay user.
#
# Available variables:
# $sender_displayname - The display name of the sender (e.g. Example User)
# $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
# $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
# $message - The message content
message_formats:
m.text: '$sender_displayname: $message'
m.notice: '$sender_displayname: $message'
m.emote: '* $sender_displayname $message'
m.file: '$sender_displayname sent a file'
m.image: '$sender_displayname sent an image'
m.audio: '$sender_displayname sent an audio file'
m.video: '$sender_displayname sent a video'
m.location: '$sender_displayname sent a location'
# Specify a dedicated relay account. Must be a regular matrix account logged into this bridge
# and double puppeting working to auto-accept invites. When this user is invited to a room
# it will automatically be set as the relay user. May be overridden with `set-relay` or `unset-relay`
relaybot: '@relaybot:example.com'
# Whether or not invites from non-logged-in users should be relayed
invite: true
# Format for generating URLs from location messages for sending to Signal
# Google Maps: 'https://www.google.com/maps/place/{lat},{long}'
# OpenStreetMap: 'https://www.openstreetmap.org/?mlat={lat}&mlon={long}'
location_format: 'https://www.google.com/maps/place/{lat},{long}'
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): mautrix_signal.util.ColorFormatter
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
normal:
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: normal
filename: ./mautrix-signal.log
maxBytes: 10485760
backupCount: 10
console:
class: logging.StreamHandler
formatter: colored
loggers:
mau:
level: DEBUG
aiohttp:
level: INFO
root:
level: DEBUG
handlers: [file, console]

21
nixng/containers/matrix/synapse/common_config.nix Normal file
View file

@ -0,0 +1,21 @@
{ logConfig }:
{
server_name = "matrix.redalder.org";
report_stats = "yes";
pid_file = "/homeserver.pid";
log_config = logConfig;
trusted_key_servers = [ {
server_name = "matrix.org";
} ];
media_store_path = "/var/lib/synapse/media_store";
signing_key_path = "/var/lib/synapse/signing.key";
enable_registration = false;
enable_registration_without_verification = false;
federation_sender_instances = [
"worker-federation-sender-0"
];
}

52
nixng/containers/matrix/synapse/default.nix Normal file
View file

@ -0,0 +1,52 @@
{ inputs, lib, ... }:
let
inherit (lib)
singleton;
commonConfig = pkgs:
(pkgs.formats.yaml {}).generate "common.yaml"
(import ./common_config.nix { logConfig = logConfig pkgs; });
logConfig = pkgs:
(pkgs.formats.yaml {}).generate "log.yaml"
(import ./log_config.nix {});
callPackage = lib.callPackageWith {
inherit (inputs)
nixpkgs;
inherit (inputs.nixng.nglib)
makeSystem;
inherit
commonConfig
logConfig;
};
in
{
flake.nixngConfigurations.synapseFederationSender = callPackage ./generic_worker.nix {
name = "generic";
listener_resources = singleton "health";
};
flake.nixngConfigurations.synapseFederationReceiver = callPackage ./generic_worker.nix {
name = "generic";
listener_resources = [
"health"
"federation"
];
};
flake.nixngConfigurations.synapseClient = callPackage ./generic_worker.nix {
name = "generic";
listener_resources = [
"client"
"health"
];
};
flake.nixngConfigurations.synapseSync = callPackage ./generic_worker.nix {
name = "generic";
listener_resources = [
"client"
"health"
];
};
flake.nixngConfigurations.synapseRedis = callPackage ./redis.nix {};
flake.nixngConfigurations.synapsePostgreSQL = callPackage ./postgresql.nix {};
flake.nixngConfigurations.synapse = callPackage ./synapse.nix {};
}

59
nixng/containers/matrix/synapse/generic_worker.nix Normal file
View file

@ -0,0 +1,59 @@
{ makeSystem
, nixpkgs
, listener_resources
, name
, logConfig
, commonConfig
}:
makeSystem {
system = "x86_64-linux";
name = "synapse-worker-${name}";
inherit nixpkgs;
config = ({ pkgs, ... }:
{
dumb-init = {
enable = true;
type.services = { };
};
services.synapse.workers.${name} = {
settings = {
worker_app = "synapse.app.generic_worker";
# The replication listener on the main synapse process.
worker_replication_host = "127.0.0.1";
worker_replication_http_port = 9093;
worker_listeners = [
{
port = 6167;
tls = false;
type = "http";
x_forwarded = true;
bind_adrresses = [ "0.0.0.0" ];
resources =
[
{
names = listener_resources;
compress = false;
}
];
}
];
worker_log_config = logConfig pkgs;
};
arguments = {
config-path = [
(commonConfig pkgs)
"/secrets/extra.yaml"
"/var/lib/registrations/extra.yaml"
];
keys-directory = [
"/var/lib/synapse/keys"
];
};
};
});
}

18
nixng/containers/matrix/synapse/log_config.nix Normal file
View file

@ -0,0 +1,18 @@
{ }:
{
version = 1;
formatters.precise.format = "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
handlers.console = {
class = "logging.StreamHandler";
formatter = "precise";
};
loggers."synapse.storage.SQL".level = "INFO";
root = {
level = "INFO";
handlers = [ "console" ];
};
disable_existing_loggers = false;
}

58
nixng/containers/matrix/synapse/postgresql.nix Normal file
View file

@ -0,0 +1,58 @@
{ makeSystem
, nixpkgs
}:
makeSystem {
system = "x86_64-linux";
name = "nixng-synapse-postgresql";
inherit nixpkgs;
config =
{ pkgs, config, ... }:
{
config = {
dumb-init = {
enable = true;
type.services = {};
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_12;
initialScript = "/secrets/init.sql";
enableTCPIP = true;
authentication = "host all all all md5";
ensureDatabases = {
"synapse" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-facebook" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-signal" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-whatsapp" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-discord" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
};
ensureExtensions = {};
ensureUsers = [
{
name = "synapse";
ensurePermissions."DATABASE \"synapse\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-facebook";
ensurePermissions."DATABASE \"mautrix-facebook\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-signal";
ensurePermissions."DATABASE \"mautrix-signal\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-whatsapp";
ensurePermissions."DATABASE \"mautrix-whatsapp\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-discord";
ensurePermissions."DATABASE \"mautrix-discord\"" = "ALL PRIVILEGES";
}
];
};
};
};
}

2276
nixng/containers/matrix/synapse/redis.conf Normal file
View file

File diff suppressed because it is too large Load diff

46
nixng/containers/matrix/synapse/redis.nix Normal file
View file

@ -0,0 +1,46 @@
{ makeSystem
, nixpkgs
}:
makeSystem {
system = "x86_64-linux";
name = "redis";
inherit nixpkgs;
config =
{ pkgs, ... }:
{
dumb-init = {
enable = true;
type.services = { };
};
users.users."redis" = {
home = "/var/empty";
uid = 9001;
group = "redis";
};
users.groups."redis" = {
gid = 9001;
};
init.services.redis = {
enabled = true;
shutdownOnExit = true;
script = pkgs.writeShellScript "redis-run" ''
cd /var/lib/redis
chpst -U redis:redis ${pkgs.redis}/bin/redis-server ${./redis.conf}
'';
};
init.services.redis-setup = {
enabled = true;
script = pkgs.writeShellScript "redis-run" ''
export PATH="${pkgs.redis}/bin:$PATH"
nc -z 127.0.0.1 6379 -w 10 -v || exit 1
redis-cli acl setuser default on '>'"$(cat /secrets/redis_password)" allcommands allkeys
sleep 86400
'';
};
};
}

72
nixng/containers/matrix/synapse/synapse.nix Normal file
View file

@ -0,0 +1,72 @@
{ makeSystem
, nixpkgs
, commonConfig
}:
makeSystem {
system = "x86_64-linux";
name = "synapse";
inherit nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
dumb-init = {
enable = true;
type.services = { };
};
init.services.synapse = {
enabled = true;
shutdownOnExit = true;
script =
let
synapseConfig = (pkgs.formats.yaml {}).generate "synapse.yaml"
{
listeners =
[
# The HTTP replication port
{
port = 9093;
bind_addresses = [ "0.0.0.0" ];
type = "http";
resources = [
{
names = [ "replication" ];
}
];
}
{
port = 6167;
tls = false;
type = "http";
x_forwarded = true;
bind_adrresses = [ "0.0.0.0" ];
resources = singleton {
names = [ "client" "federation" ];
compress = false;
};
}
];
public_baseurl = "https://matrix.redalder.org/";
# Add a random shared secret to authenticate traffic.
worker_replication_secret = "";
};
in
pkgs.writeShellScript "synapse" ''
${pkgs.matrix-synapse}/bin/synapse_homeserver \
--config-path ${synapseConfig} \
--config-path ${commonConfig pkgs} \
--config-path /secrets/extra.yaml \
--config-path /var/lib/registrations/extra.yaml \
--keys-directory /var/lib/synapse/keys \
$([ -e /var/lib/synapse/signing.key ] || echo --generate-keys)
'';
};
};
}