Initial commit

This commit is contained in:
twicechild 2022-02-17 13:30:15 +00:00
commit 2d8028161a
19 changed files with 6018 additions and 0 deletions

4
.env Normal file

@ -0,0 +1,4 @@
DOMAIN=ms.local
CONF_PATH=/mnt/configs
DATA_PATH=/mnt/data
CERT_PATH=/mnt/certs
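Review bot: `.env` is committed with host-specific values (`DOMAIN=ms.local` and the three `/mnt` paths) that every deployment must change, while the README's "Expose ENV" step tells the reader to `export` the same variables by hand. Consider committing this as `.env.example` and documenting that docker-compose reads `.env` for variable substitution on its own, so the manual exports are only needed for the one-off `docker run` initialization commands that use `${CONF_PATH}`.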

419
README.md Normal file

@ -0,0 +1,419 @@
# A Matrix (Synapse) Stack with coturn, bots, bridges and more
A docker-compose stack with Synapse, Postgres, Element-Web, Turn and more
This is how I was "serving" a small chat server on an Ubuntu virtual machine.
The stack follows some specific logic concerning the file organization and a couple "bad practices" (exposing ports and folders) that should not be a problem for a non production environment.
# Compoments (and images used)
- Postgres - `postgres:latest`
- Synapse homeserver - `matrixdotorg/synapse:latest`
- Element Web Client - `vectorim/element-web`
- Synapse Admin - `awesometechnologies/synapse-admin`
- Turn Server - `instrumentisto/coturn`
- Telegram Bridge - `dock.mau.dev/tulir/mautrix-telegram:latest`
- Facebook Bridge - `dock.mau.dev/tulir/mautrix-facebook:latest`
- Maubot bot manager - `dock.mau.dev/maubot/maubot:latest`
- Webhook Appservice - `turt2live/matrix-appservice-webhooks`
# Assuptions
## Domain and subdomains
You should have a locally (at least) resolved domain (During the instructions we will use `domain.ltd`). We also use the following subdomains at various points:
- matrix.ms.local
- turn.ms.local
- webhooks.ms.local
- proxy.ms.local
- maubot.ms.local
## Certificates
The guide assumes you have a wildcard ceritificate for your domain name (`WILDCARD.ms.local`) in `CERT_PATH` folder.
```
/mnt/
certs/
WILDCARD.domain.ltd.crt
WILDCARD.domain.ltd.key
```
You can ofcource use diffrent certificates for every service.
_Certificate generation is outside of the scope of this guide, for now._
## Folder hiercacy
The docker-compose.yaml file assumes the following hiecrasy:
```
/BASE_FOLDER/
configs/
db/
homeserver/
webchat/
turn/
telegram-bridge/
facebook-bridge/
webhook-service/
maubot/
data/
homeserver_media-store
turn
certs/
```
- `/configs/` : configuration persistent data
- `/certs/` : certificates
- `/data/` : other kind of persistent data (like synapse media store etc.)
## Docker volumes and networks
- Create a docker volume for postgres: `sudo docker volume create db-data`
- The three required networks (`db`,`bots` and `ms`) will be created automatically. If the names overlap with anything already running, you should edit `docker-compose.yaml`
# Initialization
## Expsose ENV
Edit `.env` file to your liking. Then expose each ENV with `export VAR=VAL`. You will need:
```
export DOMAIN=ms.local
export CONF_PATH=/mnt/configs
```
Some of the services need to initialize some config files before you can finally start them. Below are the steps and a reasoning behind them:
## Synapse
Use the following command to generate a `homeserver.yaml` file in `${CONF_PATH}/homeserver/`. __IMPORTANT: the subdomain (`matrix.${DOMAIN}`) CANNOT be changed later. Make sure you have decided correctly.__
```
sudo docker run -it --rm \
-v=${CONF_PATH}/homeserver:/data \
-e SYNAPSE_SERVER_NAME=matrix.${DOMAIN} \
-e SYNAPSE_REPORT_STATS=yes \
matrixdotorg/synapse:latest generate
```
After that you can edit the file however you want. Some important fields are:
- `server_name` will be autofilled
```
server_name: "matrix.ms.local"
```
- We add an https listener for secure connections, bind it to all addresses and enable federation.
```
listeners:
- port: 8448
type: http
tls: true
bind_addresses: ['0.0.0.0']
x_forwarded: true
resources:
- names: [client]
compress: true
- names: [federation]
compress: false
- port: 8008
tls: false
type: http
x_forwarded: true
bind_addresses: ['0.0.0.0']
resources:
- names: [client]
compress: true
```
- Add the postgress info to connect to `db` container
```
database:
name: psycopg2
args:
user: synapse
password: 12345
database: synapse_db
host: db
cp_min: 5
cp_max: 10
```
- Change the default `media_store` path to the that will be mounted in `docker-compose.yaml`
```
media_store_path: "/media_store"
```
- Specify the path to our certificate
```
tls_certificate_path: "/certs/WILDCARD.ms.local.crt"
tls_private_key_path: "/certs/WILDCARD.ms.local.key"
```
- Finally, enable registrations
```
enable_registration: true
```
- Save the file (_We will edit more while configuring Turn, Bridges and Bots_)
## Bridges and Bots
### Telegram Brige
_Source_: https://docs.mau.fi/bridges/python/setup/docker.html?bridge=telegram
1. Run:
```
sudo docker run --rm -v ${CONF_PATH}/telegram-bridge:/data:z dock.mau.dev/mautrix/telegram:latest
```
This will generate a `config.yaml` that you should edit.
2. You need to set at least the following:
- Main connection configurations (_Since this is a dev/testing server we will use HTTPS but we won't verify any certificates between the bridge and the homeserver. Same goes for othe bridges and services_)
```
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://homeserver:8448
# The domain of the homeserver (for MXIDs, etc).
domain: matrix.ms.local
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: false
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://telegram-bridge:29317
database: sqlite:////data/telegram-bridge.db
```
- Bridge permissions
We should also give permission to some users to use the bridge. Since we don't even have a homeserver yet we will give admin permissions to all users that share the domain `matrix.ms.local` . Edit the following:
```
permissions:
"*": relaybot
"matrix.ms.local": admin
```
- Telegram API key
```
telegram:
# Get your own API keys at https://my.telegram.org/apps
api_id: 12345
api_hash: tjyd5yge35lbodk1xwzw2jstp90k55qz
```
3. Run the docker command again to generate a 'registration.yaml'
```
sudo docker run --rm -v ${CONF_PATH}/telegram-bridge:/data:z dock.mau.dev/mautrix/telegram:latest
```
The `registration.yaml` file is mounted on the `homeserver` cotainer.
### Facebook Bridge (Almost identical to Telegram bridge)
_Source_: https://docs.mau.fi/bridges/python/setup/docker.html?bridge=facebook
Run:
```
docker run --rm -v ${CONF_PATH}/facebook-bridge:/data:z dock.mau.dev/mautrix/facebook:latest
```
This will generate a `config.yaml` that you should edit. You need to set at least the following:
- Main connection configurations (_Since this is a dev/testing server we will use HTTPS but we won't verify any certificates between the bridge and the homeserver. Same goes for othe bridges and services_)
```
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://homeserver:8448
# The domain of the homeserver (for MXIDs, etc).
domain: matrix.ms.local
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: false
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://facebook-bridge:29317
database: sqlite:////data/facebook-bridge.db
```
- Bridge permissions
We should also give permission to some users to use the bridge. Since we don't even have a homeserver yet we will give admin permissions to all users that share the domain `matrix.ms.local` . Edit the following:
```
permissions:
"*": "relay"
"matrix.ms.local": "admin"
```
Run the docker command again to generate a 'registration.yaml'
```
sudo docker run --rm -v ${CONF_PATH}/facebook-bridge:/data:z dock.mau.dev/mautrix/facebook:latest
```
The `registration.yaml` file is mounted on the `homeserver` cotainer.
### Webhook App Service
Source: https://github.com/turt2live/matrix-appservice-webhooks#docker
1. Create an `appservice-registration-webhooks.yaml` file in `${CONF_PATH}/webhooks` and copy the following (make sure you generate `hs_token` and `as_token`):
```
id: webhooks
hs_token: A_RANDOM_ALPHANUMERIC_STRING # CHANGE THIS
as_token: ANOTHER_RANDOM_ALPHANUMERIC_STRING # CHANGE THIS
namespaces:
users:
- exclusive: true
regex: '@_webhook.*'
url: 'http://webhook-service:9000'
sender_localpart: webhooks
rate_limited: false
```
2. Create an `config.yaml` file in `${CONF_PATH}/webhooks` and copy/edit the following:
```
# Configuration specific to the application service. All fields (unless otherwise marked) are required.
homeserver:
# The domain for the client-server API calls.
url: "http://homeserver:8008"
# The domain part for user IDs on this home server. Usually, but not always, this is the same as the
# home server's URL.
domain: "matrix.ms.local"
# Configuration specific to the bridge. All fields (unless otherwise marked) are required.
webhookBot:
# The localpart to use for the bot. May require re-registering the application service.
localpart: "webhooks"
# Appearance options for the Matrix bot
appearance:
displayName: "Webhook Bridge"
avatarUrl: "http://i.imgur.com/IDOBtEJ.png" # webhook icon
# Provisioning API options
provisioning:
# Your secret for the API. Required for all provisioning API requests.
secret: 'CHANGE_ME'
# Configuration related to the web portion of the bridge. Handles the inbound webhooks
web:
hookUrlBase: 'https://webhooks.domain.ltd'
logging:
file: logs/webhook.log
console: true
consoleLevel: debug
fileLevel: verbose
writeFiles: true
rotate:
size: 52428800 # bytes, default is 50mb
count: 5
```
3. Create a `database.json` file in `${CONF_PATH}/webhooks` and copy the following:
```
{
"defaultEnv": {
"ENV": "NODE_ENV"
},
"development": {
"driver": "sqlite3",
"filename": "/data/development.db"
},
"production": {
"driver": "sqlite3",
"filename": "/data/production.db"
}
}
```
4. Run:
```
sudo docker run --rm -v ${CONF_PATH}/webhooks:/data turt2live/matrix-appservice-webhooks
```
Check the logs for any errors. If you get an `[ERROR] ConnectionError: request failed: getaddrinfo ENOTFOUND homeserver homeserver:8008`, this is normal since we don't have a working homeserver yet.
### Maubot Manager
_Source_: https://docs.mau.fi/maubot/usage/setup/docker.html
1. Run:
```
sudo docker run --rm -v ${CONF_PATH}/maubot:/data:z dock.mau.dev/maubot/maubot:latest
```
This will generate a `config.yaml` file.
2. Update the file to your liking. You should at least add your homeserver:
```
homeservers:
matrix.ms.local
url: https://homeserver:8448
secret: <THE registration_shared_secret FROM homeserver.yaml>
```
3. Save the file
### Registering the new services to the home server:
Edit `homeserver.yaml` and add the following:
```
app_service_config_files:
- /app_services/telegram-registration.yaml
- /app_services/facebook-registration.yaml
- /app_services/webhooks-registration.yaml
```
(in the docker-compose file we have mounted each file in the `homeserver` container)
## Turn server (for audio and video calls)
Create a new file `turnserver.conf` in `${CONF_PATH}/turn/`. Copy and paste the sample file from: https://github.com/coturn/coturn/blob/master/docker/coturn/turnserver.conf
Edit the following in the file:
- Specify and external ip
```
external-ip=<YOUR PUBLIC IP, IF YOU PLAN TO USE IT FROM THE INTERNET>
external-ip=<YOUR DOCKER HOST IP>
```
- Specify a port range
```
min-port=64000
max-port=65535
```
This range worked perfectly for me but you should define your own depending on your network setup
- Certificates:
```
cert=/certs/WILDCARD.ms.local.crt
pkey=/certs/WILDCARD.ms.local.key
```
- Define a realm
```
realm=turn.domain.ltd
```
- Uncomment `use-auth-secret`. Generate a alphanumeric and fill `static-auth-secret=`.
- In `homeserver.yaml` in `##TURN##` secrion paste the same alpanumeric at `turn_shared_secret: "ALPHANUMERIC"` and add the following `turn_uris`
```
turn_uris:
- "turn:turn.domain.ltd?transport=udp"
- "turn:turn.domain.ltd?transport=tcp"
- "turns:turn.domain.ltd:5349?transport=udp"
- "turns:turn.domain.ltd:5349?transport=tcp"
```
# Bringing up the Chat Server
If everything is correctly initialized we can bring up the stack with `sudo docker-compose up`
After a while we should be able to visit the web element UI at `http://<DOCKER-HOST-IP>:10000`, and register a new user.
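Review bot: the Synapse section sets `enable_registration: true` while both bridge sections grant `"matrix.ms.local": admin`, so every account anyone self-registers on the homeserver is also a bridge administrator; list specific mxids under `permissions`, or keep registration closed (or behind the `registration_shared_secret` the Maubot section already relies on), for anything beyond a throwaway lab. Two consistency points in the same text: the placeholder domain switches between `domain.ltd` (the intro sentence, `realm=turn.domain.ltd`, `hookUrlBase`, the `turn_uris`) and `ms.local` everywhere else, so a reader following the steps literally configures coturn and the webhook service for a hostname that never resolves; and the closing step points at `http://<DOCKER-HOST-IP>:10000`, but the compose file publishes no port 10000 and routes Element through Traefik at `webchat.${DOMAIN}`, a subdomain the "Domain and subdomains" list omits along with `admin.${DOMAIN}`.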

6
db.env Normal file

@ -0,0 +1,6 @@
POSTGRES_PASSWORD=12345
POSTGRES_USER=synapse
POSTGRES_DB=synapse_db
PGDATA=/var/lib/postgresql/data/synapse
TZ=Europe/Athens
POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
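Review bot: `POSTGRES_PASSWORD=12345` is a committed, guessable credential, and the README pastes the same value into `homeserver.yaml`; generate a long random password, keep `db.env` out of version control via `.gitignore`, and commit an example file in its place. The `--encoding=UTF-8 --lc-collate=C --lc-ctype=C` init arguments are correct and worth keeping: Synapse refuses to start against a database whose collation or ctype is not `C`.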

198
docker-compose.yml Normal file

@ -0,0 +1,198 @@
version: "3"
networks:
db:
proxy:
bots:
volumes:
db-data:
external: true
services:
## PROXY
proxy:
image: traefik:v2.4
container_name: proxy
restart: unless-stopped
command:
- --providers.docker=true
- --api.insecure=true
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --providers.file.filename=/root/.config/ssl.toml
- --entrypoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
- --serverstransport.insecureskipverify=true
volumes:
- ${CONF_PATH}/proxy/traefik-ssl.toml:/root/.config/ssl.toml
- ${CERT_PATH}:/certs
- /var/run/docker.sock:/var/run/docker.sock
ports:
- 80:80
- 443:443
- 8080:8080
networks:
- proxy
labels:
- traefik.docker.network=proxy
- traefik.http.routers.proxy.middlewares=proxy-https
- traefik.http.middlewares.proxy-https.redirectscheme.scheme=https
- traefik.http.routers.proxy.rule=Host(`proxy.${DOMAIN}`)
- traefik.http.services.proxy.loadbalancer.server.port=8080
- traefik.http.routers.proxy.tls=true
## DATABASE
db:
image: postgres:latest
container_name: db
restart: always
env_file:
- db.env
volumes:
- db-data:/var/lib/postgresql/data/synapse
networks:
- db
labels:
- traefik.enable=false
## HOMESERVER
homeserver:
image: matrixdotorg/synapse:latest
container_name: homeserver
restart: always
depends_on:
- db
env_file:
- synapse.env
volumes:
- ${CONF_PATH}/homeserver:/data
- ${DATA_PATH}/homeserver-media_store:/media_store
- ${CERT_PATH}:/certs
- ${CONF_PATH}/telegram-bridge/registration.yaml:/app_services/telegram-registration.yaml
- ${CONF_PATH}/facebook-bridge/registration.yaml:/app_services/facebook-registration.yaml
- ${CONF_PATH}/webhooks/appservice-registration-webhooks.yaml:/app_services/webhooks-registration.yaml
networks:
- db
- proxy
- bots
labels:
- traefik.docker.network=proxy
- traefik.http.routers.homeserver.rule=Host(`matrix.${DOMAIN}`)
- traefik.http.services.homeserver.loadbalancer.server.port=8448
- traefik.http.services.homeserver.loadbalancer.server.scheme=https
- traefik.http.middlewares.homeserver.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.homeserver.middlewares=homeserver
- traefik.http.routers.homeserver.tls=true
## ELEMENT WEB CLIENT
webchat:
image: vectorim/element-web
container_name: webchat
restart: always
depends_on:
- homeserver
networks:
- proxy
labels:
- traefik.docker.network=proxy
- traefik.http.routers.webchat.rule=Host(`webchat.${DOMAIN}`)
- traefik.http.services.webchat.loadbalancer.server.port=80
- traefik.http.middlewares.webchat.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.webchat.middlewares=webchat
- traefik.http.routers.webchat.tls=true
##SYNAPSE ADMIN
admin:
image: awesometechnologies/synapse-admin
container_name: admin
restart: always
networks:
- proxy
labels:
- traefik.docker.network=proxy
- traefik.http.routers.admin.rule=Host(`admin.${DOMAIN}`)
- traefik.http.services.admin.loadbalancer.server.port=80
- traefik.http.middlewares.admin.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.admin.middlewares=admin
- traefik.http.routers.admin.tls=true
## TURN SERVER
turn:
image: instrumentisto/coturn
container_name: turn
restart: always
network_mode: host
volumes:
- ${CONF_PATH}/turn/turnserver.conf:/etc/coturn/turnserver.conf
- ${DATA_PATH}/coturn:/var/lib/coturn
- ${CERT_PATH}:/certs
labels:
- traefik.enable=false
# BRIDGES
telegram-bridge:
container_name: telegram-bridge
image: dock.mau.dev/mautrix/telegram:latest
restart: always
depends_on:
- homeserver
volumes:
- ${CONF_PATH}/telegram-bridge:/data
networks:
- bots
labels:
- traefik.enable=false
facebook-bridge:
container_name: facebook-bridge
image: dock.mau.dev/mautrix/facebook:latest
restart: always
depends_on:
- homeserver
volumes:
- ${CONF_PATH}/facebook-bridge:/data
networks:
- bots
labels:
- traefik.enable=false
##WEBHOOKS
webhook-service:
container_name: webhook-service
image: turt2live/matrix-appservice-webhooks
restart: always
depends_on:
- homeserver
volumes:
- ${CONF_PATH}/webhooks:/data
networks:
- bots
- proxy
labels:
- traefik.docker.network=proxy
- traefik.http.routers.webhook-service.rule=Host(`webhooks.${DOMAIN}`)
- traefik.http.services.webhook-service.loadbalancer.server.port=29316
- traefik.http.middlewares.webhook-service.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.webhook-service.middlewares=webhook-service
- traefik.http.routers.webhook-service.tls=true
## BOTS
maubot:
image: dock.mau.dev/maubot/maubot:latest
container_name: maubot
restart: always
depends_on:
- homeserver
volumes:
- ${CONF_PATH}/maubot:/data
networks:
- bots
- proxy
labels:
- traefik.docker.network=proxy
- traefik.http.routers.maubot.rule=Host(`maubot.${DOMAIN}`)
- traefik.http.services.maubot.loadbalancer.server.port=29316
- traefik.http.middlewares.maubot.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.maubot.middlewares=maubot
- traefik.http.routers.maubot.tls=true
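Review bot: the `proxy` service runs Traefik with `--api.insecure=true` and also publishes `8080:8080` on the host, so the unauthenticated API and dashboard (which lists every router, service and label in the stack) are reachable from anything that can reach the Docker host, on top of the `proxy.${DOMAIN}` router that already exposes it; drop the host port and the insecure flag, and put the dashboard router behind a basicauth middleware. `--serverstransport.insecureskipverify=true` disables certificate checking for every upstream, not only the homeserver; since `${CERT_PATH}` is already mounted, trust the internal CA through Traefik's serversTransport root CA setting, or route to Synapse's plain-HTTP listener on 8008 and leave TLS to the proxy. Smaller points: the README says the networks are `db`, `bots` and `ms`, but this file defines `proxy`, not `ms`; `postgres:latest` is unpinned, so a major-version pull will refuse to start on the existing `db-data` volume until `pg_upgrade` is run; and the `turn` data mount is `${DATA_PATH}/coturn` while the README's hierarchy shows `data/turn`.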

196
docker-compose.yml.save Normal file

@ -0,0 +1,196 @@
version: "3"
networks:
db:
proxy:
bots:
volumes:
db-data:
external: true
services:
## PROXY
proxy:
image: traefik:v2.4
container_name: proxy
restart: unless-stopped
command:
- --providers.docker=true
- --api.insecure=true
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --providers.file.filename=/root/.config/ssl.toml
volumes:
- ${CONF_PATH}/proxy/traefik-ssl.toml:/root/.config/ssl.toml
- ${CERT_PATH}:/certs
- /var/run/docker.sock:/var/run/docker.sock
ports:
- 80:80
- 443:443
- 8080:8080
networks:
- proxy
labels:
- traefik.docker.network=proxy
- traefik.http.routers.proxy.middlewares=proxy-https
- traefik.http.middlewares.proxy-https.redirectscheme.scheme=https
- traefik.http.routers.proxy.rule=Host(`proxy.${DOMAIN}`)
- traefik.http.services.proxy.loadbalancer.server.port=8080
- traefik.http.routers.proxy.tls=true
## DATABASE
db:
image: postgres:latest
container_name: db
restart: always
env_file:
- db.env
volumes:
- db-data:/var/lib/postgresql/data/synapse
networks:
- db
labels:
- traefik.enable=false
## HOMESERVER
homeserver:
image: matrixdotorg/synapse:latest
container_name: homeserver
restart: always
depends_on:
- db
env_file:
- synapse.env
volumes:
- ${CONF_PATH}/homeserver:/data
- ${DATA_PATH}/homeserver-media_store:/media_store
- ${CERT_PATH}:/certs
- ${CONF_PATH}/telegram-bridge/registration.yaml:/app_services/telegram-registration.yaml
- ${CONF_PATH}/facebook-bridge/registration.yaml:/app_services/facebook-registration.yaml
- ${CONF_PATH}/webhooks/appservice-registration-webhooks.yaml:/app_services/webhooks-registration.yaml
networks:
- db
- proxy
- bots
labels:
- traefik.docker.network=proxy
- traefik.http.routers.homeserver.rule=Host(`matrix.${DOMAIN}`)
- traefik.http.services.homeserver.loadbalancer.server.port=8008
#- traefik.http.middlewares.homeserver.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.middlewares.homeserver.redirectscheme.scheme=https
- traefik.http.routers.homeserver.middlewares=homeserver
- traefik.http.routers.homeserver.tls=true
## ELEMENT WEB CLIENT
webchat:
image: vectorim/element-web
container_name: webchat
restart: always
depends_on:
- homeserver
networks:
- proxy
labels:
- traefik.docker.network=proxy
- traefik.http.routers.webchat.rule=Host(`webchat.${DOMAIN}`)
- traefik.http.services.webchat.loadbalancer.server.port=80
- traefik.http.middlewares.webchat.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.webchat.middlewares=webchat
- traefik.http.routers.webchat.tls=true
##SYNAPSE ADMIN
admin:
image: awesometechnologies/synapse-admin
container_name: admin
restart: always
networks:
- proxy
labels:
- traefik.docker.network=proxy
- traefik.http.routers.admin.rule=Host(`admin.${DOMAIN}`)
- traefik.http.services.admin.loadbalancer.server.port=80
- traefik.http.middlewares.admin.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.admin.middlewares=admin
- traefik.http.routers.admin.tls=true
## TURN SERVER
turn:
image: instrumentisto/coturn
container_name: turn
restart: always
network_mode: host
volumes:
- ${CONF_PATH}/turn/turnserver.conf:/etc/coturn/turnserver.conf
- ${DATA_PATH}/coturn:/var/lib/coturn
- ${CERT_PATH}:/certs
labels:
- traefik.enable=false
# BRIDGES
telegram-bridge:
container_name: telegram-bridge
image: dock.mau.dev/mautrix/telegram:latest
restart: always
depends_on:
- homeserver
volumes:
- ${CONF_PATH}/telegram-bridge:/data
networks:
- bots
labels:
- traefik.enable=false
facebook-bridge:
container_name: facebook-bridge
image: dock.mau.dev/mautrix/facebook:latest
restart: always
depends_on:
- homeserver
volumes:
- ${CONF_PATH}/facebook-bridge:/data
networks:
- bots
labels:
- traefik.enable=false
##WEBHOOKS
webhook-service:
container_name: webhook-service
image: turt2live/matrix-appservice-webhooks
restart: always
depends_on:
- homeserver
volumes:
- ${CONF_PATH}/webhooks:/data
networks:
- bots
- proxy
labels:
- traefik.docker.network=proxy
- traefik.http.routers.webhook-service.rule=Host(`webhooks.${DOMAIN}`)
- traefik.http.services.webhook-service.loadbalancer.server.port=29316
- traefik.http.middlewares.webhook-service.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.webhook-service.middlewares=webhook-service
- traefik.http.routers.webhook-service.tls=true
## BOTS
maubot:
image: dock.mau.dev/maubot/maubot:latest
container_name: maubot
restart: always
depends_on:
- homeserver
volumes:
- ${CONF_PATH}/maubot:/data
networks:
- bots
- proxy
labels:
- traefik.docker.network=proxy
- traefik.http.routers.maubot.rule=Host(`maubot.${DOMAIN}`)
- traefik.http.services.maubot.loadbalancer.server.port=29316
- traefik.http.middlewares.maubot.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.maubot.middlewares=maubot
- traefik.http.routers.maubot.tls=true
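Review bot: `docker-compose.yml.save` is an editor backup of the compose file and should not be committed; it diverges from `docker-compose.yml` (the homeserver router targets port 8008 with a `redirectscheme` middleware instead of 8448 over https, and the `trustedIPs` and `insecureskipverify` flags are absent), which leaves anyone reading the repository unsure which version is current. Delete it and add `*.save` to `.gitignore`.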

8
proxy.env Normal file

@ -0,0 +1,8 @@
TRAEFIK_ENTRYPOINTS_WEB=true
TRAEFIK_ENTRYPOINTS_WEB_ADDRESS=:80
TRAEFIK_ENTRYPOINTS_WEBSEC=true
TRAEFIK_ENTRYPOINTS_WEBSEC_ADDRESS=:443
TRAEFIK_PROVIDERS_DOCKER=true
TRAEFIK_API=true
TRAEFIK_API_DASHBOARD=true
TRAEFIK_API_INSECURE=true
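Review bot: nothing in `docker-compose.yml` loads `proxy.env` (the `proxy` service configures Traefik through `command:` flags and has no `env_file`), so this file is dead configuration, and its entrypoint names (`WEBSEC`) do not match the `websecure` entrypoint the flags and router labels use. Either wire it in with `env_file: - proxy.env` and remove the duplicated flags, or delete it; in both cases `TRAEFIK_API_INSECURE=true` carries the same unauthenticated-dashboard exposure as the `--api.insecure=true` flag.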


@ -0,0 +1,308 @@
# Homeserver details
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://homeserver:8448
# The domain of the homeserver (for MXIDs, etc).
domain: matrix.ms.local
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: false
# Whether or not the homeserver supports asmux-specific endpoints,
# such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically
# updating m.direct.
asmux: false
# Number of retries for all HTTP requests if the homeserver isn't reachable.
http_retry_count: 4
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Facebook MQTT connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint:
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint:
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://facebook-bridge:29319
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29319
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are supported.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgres://username:password@hostname/dbname
database: sqlite:////data/facebook-bridge.db
# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
database_opts:
min_size: 5
max_size: 10
public:
# Whether or not the public-facing endpoints should be enabled.
enabled: false
# The prefix to use in the public-facing endpoints.
prefix: /public
# The base URL where the public-facing endpoints are available. The prefix is not added
# implicitly.
external: https://example.com/public
# Shared secret for integration managers such as mautrix-manager.
# If set to "generate", a random string will be generated on the next startup.
# If null, integration manager access to the API will not be possible.
shared_secret: miGugZSRxldY1l35HEOGKmqV7EfpAIszy7_xn1iaKe6wzFsiXlE4uJ_4kyegV8PJ
# Allow logging in within Matrix. If false, users can only log in using the web interface.
allow_matrix_login: true
# Segment API key to enable analytics tracking for web server endpoints. Set to null to disable.
# Currently the only events are login start, success and fail.
segment_key:
# The unique ID of this appservice.
id: facebook
# Username of the appservice bot.
bot_username: facebookbot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: Facebook bridge bot
bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: false
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: G5yTjMjB9WzAAy9QxpaQvr5kikAV2yybkUbB0Wfi0l0Pq62W_xopdp-GRX_Ysgfv
hs_token: NzUfinOQ0V9hNjNG11OH_K5ZmAg3nqfeFSORwgYgeCCgRDb_GWRtmA3MqlBCDaHZ
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
listen_port: 8000
# Manhole config.
manhole:
# Whether or not opening the manhole is allowed.
enabled: false
# The path for the unix socket.
path: /var/tmp/mautrix-facebook.manhole
# The list of UIDs who can be added to the whitelist.
# If empty, any UIDs can be specified in the open-manhole command.
whitelist:
- 0
bridge:
# Localpart template of MXIDs for Facebook users.
# {userid} is replaced with the user ID of the Facebook user.
username_template: facebook_{userid}
# Displayname template for Facebook users.
# {displayname} is replaced with the display name of the Facebook user
# as defined below in displayname_preference.
# Keys available for displayname_preference are also available here.
displayname_template: '{displayname} (FB)'
# Available keys:
# "name" (full name)
# "first_name"
# "last_name"
# "nickname"
# "own_nickname" (user-specific!)
displayname_preference:
- name
- first_name
command_prefix: '!fb'
# Number of chats to sync (and create portals for) on startup/login.
# Set 0 to disable automatic syncing.
initial_chat_sync: 20
# Whether or not the Facebook users of logged in Matrix users should be
# invited to private chats when the user sends a message from another client.
invite_own_puppet_to_pm: false
# Whether or not to use /sync to get presence, read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: true
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Servers to always allow double puppeting from
double_puppet_server_map:
example.com: https://example.com
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, custom puppets will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
# If using this for other servers than the bridge's server,
# you must also set the URL in the double_puppet_server_map.
login_shared_secret_map:
example.com: foobar
presence_from_facebook: false
# Whether or not to update avatars when syncing all contacts at startup.
update_avatar_initial_sync: true
# End-to-bridge encryption support options. These require matrix-nio to be installed with pip
# and login_shared_secret to be configured in order to get a device for the bridge bot.
#
# Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
# application service.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# Options for automatic key sharing.
key_sharing:
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow: false
# Require the requesting device to have a valid cross-signing signature?
# This doesn't require that the bridge has verified the device, only that the user has verified it.
# Not yet implemented.
require_cross_signing: false
# Require devices to be verified by the bridge?
# Verification by the bridge is not yet implemented.
require_verification: true
# Whether or not the bridge should send a read receipt from the bridge bot when a message has
# been sent to Facebook.
delivery_receipts: false
# Whether to allow inviting arbitrary mxids to portal rooms
allow_invites: false
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: true
# Settings for backfilling messages from Facebook.
backfill:
# Whether or not the Facebook users of logged in Matrix users should be
# invited to private chats when backfilling history from Facebook. This is
# usually needed to prevent rate limits and to allow timestamp massaging.
invite_own_puppet: true
# Maximum number of messages to backfill initially.
# Set to 0 to disable backfilling when creating portal.
initial_limit: 0
# Maximum number of messages to backfill if messages were missed while
# the bridge was disconnected.
# Set to 0 to disable backfilling missed messages.
missed_limit: 1000
# If using double puppeting, should notifications be disabled
# while the initial backfill is in progress?
disable_notifications: false
periodic_reconnect:
# Interval in seconds in which to automatically reconnect all users.
# This can be used to automatically mitigate the bug where Facebook stops sending messages.
# Set to -1 to disable periodic reconnections entirely.
# Set to a list of two items to randomize the interval (min, max).
interval: -1
# What to do in periodic reconnects. Either "refresh" or "reconnect"
mode: refresh
# Should even disconnected users be reconnected?
always: false
# Only reconnect if the user has been connected for longer than this value
min_connected_time: 0
# The number of seconds that a disconnection can last without triggering an automatic re-sync
# and missed message backfilling when reconnecting.
# Set to 0 to always re-sync, or -1 to never re-sync automatically.
resync_max_disconnected_time: 5
# Should the bridge do a resync on startup?
sync_on_startup: true
# Whether or not temporary disconnections should send notices to the notice room.
# If this is false, disconnections will never send messages and connections will only send
# messages if it was disconnected for more than resync_max_disconnected_time seconds.
temporary_disconnect_notices: false
# Disable bridge notices entirely
disable_bridge_notices: false
on_reconnection_fail:
# What to do if a reconnection attempt fails? Options: reconnect, refresh, null
action: reconnect
# Seconds to wait before attempting to refresh the connection, set a list of two items to
# to randomize the interval (min, max).
wait_for: 0
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it,
# except if the config file is not writable.
resend_bridge_info: false
# When using double puppeting, should muted chats be muted in Matrix?
mute_bridging: false
# Whether or not mute status and tags should only be bridged when the portal room is created.
tag_only_on_create: true
# If set to true, downloading media from the CDN will use a plain aiohttp client without the usual headers or
# other configuration. This may be useful if you don't want to use the default proxy for large files.
sandbox_media_download: false
# Permissions for using the bridge.
# Permitted values:
# relay - Allowed to be relayed through the bridge, no access to commands.
# user - Use the bridge with puppeting.
# admin - Use and administrate the bridge.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
'*': relay
matrix.ms.local: admin
relay:
# Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any
# authenticated user into a relaybot for that chat.
enabled: false
# The formats to use when sending messages to Messenger via a relay user.
#
# Available variables:
# $sender_displayname - The display name of the sender (e.g. Example User)
# $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
# $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
# $message - The message content
message_formats:
m.text: '<b>$sender_displayname</b>: $message'
m.notice: '<b>$sender_displayname<b>: $message'
m.emote: '* <b>$sender_displayname<b> $message'
m.file: <b>$sender_displayname</b> sent a file
m.image: <b>$sender_displayname</b> sent an image
m.audio: <b>$sender_displayname</b> sent an audio file
m.video: <b>$sender_displayname</b> sent a video
m.location: <b>$sender_displayname</b> sent a location
facebook:
device_seed: -Z_CWn7ssS67iEADiyECe0fLQvs1jLKd5sQEKA9WnOmWevwQm8a0UiURU3BdjLRQ
default_region_hint: ODN
connection_type: WIFI
carrier: Verizon
hni: 311390
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): mautrix_facebook.util.ColorFormatter
format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
normal:
format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: normal
filename: ./mautrix-facebook.log
maxBytes: 10485760
backupCount: 10
console:
class: logging.StreamHandler
formatter: colored
loggers:
mau:
level: DEBUG
paho:
level: INFO
aiohttp:
level: INFO
root:
level: DEBUG
handlers: [file, console]
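Review bot: the `m.notice` and `m.emote` relay formats (`m.notice: '<b>$sender_displayname<b>: $message'`, `m.emote: '* <b>$sender_displayname<b> $message'`) never close the `<b>` tag, so everything after the sender's name is rendered bold; end the name with `</b>` as the `m.text` line already does. Separately, the `facebook.device_seed` value is committed verbatim: the bridge can generate this per-install value itself, so anyone reusing this repository should replace it rather than share one seed across deployments.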

File diff suppressed because it is too large

View File

@ -0,0 +1,106 @@
# The full URI to the database. SQLite and Postgres are fully supported.
# Other DBMSes supported by SQLAlchemy may or may not work.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgresql://username:password@hostname/dbname
database: sqlite:////data/maubot.db
# Separate database URL for the crypto database. "default" means use the same database as above.
crypto_database: default
plugin_directories:
# The directory where uploaded new plugins should be stored.
upload: /data/plugins
# The directories from which plugins should be loaded.
# Duplicate plugin IDs will be moved to the trash.
load:
- /data/plugins
# The directory where old plugin versions and conflicting plugins should be moved.
# Set to "delete" to delete files immediately.
trash: /data/trash
# The directory where plugin databases should be stored.
db: /data/dbs
server:
# The IP and port to listen to.
hostname: 0.0.0.0
port: 29316
# Public base URL where the server is visible.
public_url: https://maubot.ms.local
# The base management API path.
base_path: /_matrix/maubot/v1
# The base path for the UI.
ui_base_path: /_matrix/maubot
# The base path for plugin endpoints. The instance ID will be appended directly.
plugin_base_path: /_matrix/maubot/plugin/
# Override path from where to load UI resources.
# Set to false to using pkg_resources to find the path.
override_resource_path: /opt/maubot/frontend
# The base appservice API path. Use / for legacy appservice API and /_matrix/app/v1 for v1.
appservice_base_path: /_matrix/app/v1
# The shared secret to sign API access tokens.
# Set to "generate" to generate and save a new token at startup.
unshared_secret: ep01teidiaesdwvk4ybuew2ytwlmicnvbe9gnubigh4yettvhmkp6c4ep3pvils9
# Known homeservers. This is required for the `mbc auth` command and also allows
# more convenient access from the management UI. This is not required to create
# clients in the management UI, since you can also just type the homeserver URL
# into the box there.
homeservers:
matrix.ms.local:
# Client-server API URL
url: https://homeserver:8448
# registration_shared_secret from synapse config
# You can leave this empty if you don't have access to the homeserver.
# When this is empty, `mbc auth --register` won't work, but `mbc auth` (login) will.
secret: TT09R*PTB*oScj^XnSm=g,OtQ3R@.kVT&CCyNA2Cj8jt=5cEhe
# List of administrator users. Plaintext passwords will be bcrypted on startup. Set empty password
# to prevent normal login. Root is a special user that can't have a password and will always exist.
admins:
root: ''
admin: $2b$12$TVJXArqxcL6/1v.X5BHD3.sB0VbGtHjuH/dBQOdbFkEzXEynU7Uoi
# API feature switches.
api_features:
login: true
plugin: true
plugin_upload: true
instance: true
instance_database: true
client: true
client_proxy: true
client_auth: true
dev_open: true
log: true
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): maubot.lib.color_log.ColorFormatter
format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
normal:
format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: normal
filename: /var/log/maubot.log
maxBytes: 10485760
backupCount: 10
console:
class: logging.StreamHandler
formatter: colored
loggers:
maubot:
level: DEBUG
mau:
level: DEBUG
aiohttp:
level: INFO
root:
level: DEBUG
handlers: [file, console]
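Review bot: `unshared_secret`, the Synapse `registration_shared_secret` under `homeservers.matrix.ms.local.secret`, and the bcrypt hash for `admin` are all committed in clear. The registration shared secret authorizes account registration on the homeserver, so it belongs in an untracked file or an environment variable rather than in the repository, and `unshared_secret` can be left as `generate` so each install derives its own token at startup. `root: ''` keeps the special root user without a password, which is the documented intent.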

View File

@ -0,0 +1,6 @@
[tls]
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "/certs/WILDCARD.ms.local.crt"
keyFile = "/certs/WILDCARD.ms.local.key"

View File

@ -0,0 +1,530 @@
# Homeserver details
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://homeserver:8448
# The domain of the homeserver (for MXIDs, etc).
domain: matrix.ms.local
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: false
asmux: false
# Number of retries for all HTTP requests if the homeserver isn't reachable.
http_retry_count: 4
# The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint:
# Endpoint for reporting per-message status.
message_send_checkpoint_endpoint:
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://telegram-bridge:29317
# When using https:// the TLS certificate and key files for the address.
tls_cert: false
tls_key: false
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29317
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are supported.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgres://username:password@hostname/dbname
database: sqlite:////data/telegram-bridge.db
# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
database_opts:
min_size: 1
max_size: 10
public:
# Whether or not the public-facing endpoints should be enabled.
enabled: false
# The prefix to use in the public-facing endpoints.
prefix: /public
# The base URL where the public-facing endpoints are available. The prefix is not added
# implicitly.
external: https://example.com/public
# Provisioning API part of the web server for automated portal creation and fetching information.
# Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
provisioning:
# Whether or not the provisioning API should be enabled.
enabled: true
# The prefix to use in the provisioning API endpoints.
prefix: /_matrix/provision/v1
# The shared secret to authorize users of the API.
# Set to "generate" to generate and save a new token.
shared_secret: 7GZB-OeVY8kbmq10e6WdGnZsTmAIABre_YdLFRITIbQDRVgkdLnuLklqMdS9hfWY
# The unique ID of this appservice.
id: telegram
# Username of the appservice bot.
bot_username: telegrambot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: Telegram bridge bot
bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX
# Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
# You should disable bridge -> sync_with_custom_puppets when this is enabled.
ephemeral_events: false
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: zksgVW2K5BiOsV_4INuC9qhYR6-wUmv4YbycjDzEfrbZiRvfDSBnAE6KZYklusLp
hs_token: q9zI3F4z8Jr7mG2IN7g4-2jkgaeczYNScHlXgAXwlbrZw5VEgNtXRCQf1jk0Xe9S
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
listen_port: 8000
# Manhole config.
manhole:
# Whether or not opening the manhole is allowed.
enabled: false
# The path for the unix socket.
path: /var/tmp/mautrix-telegram.manhole
# The list of UIDs who can be added to the whitelist.
# If empty, any UIDs can be specified in the open-manhole command.
whitelist:
- 0
bridge:
# Localpart template of MXIDs for Telegram users.
# {userid} is replaced with the user ID of the Telegram user.
username_template: telegram_{userid}
# Localpart template of room aliases for Telegram portal rooms.
# {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
alias_template: telegram_{groupname}
# Displayname template for Telegram users.
# {displayname} is replaced with the display name of the Telegram user.
displayname_template: '{displayname} (Telegram)'
# Set the preferred order of user identifiers which to use in the Matrix puppet display name.
# In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
# ID is used.
#
# If the bridge is working properly, a phone number or an username should always be known, but
# the other one can very well be empty.
#
# Valid keys:
# "full name" (First and/or last name)
# "full name reversed" (Last and/or first name)
# "first name"
# "last name"
# "username"
# "phone number"
displayname_preference:
- full name
- username
- phone number
displayname_max_length: 100
# Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default
# as there's no way to determine whether an avatar is removed or just hidden from some users. If
# you're on a single-user instance, this should be safe to enable.
allow_avatar_remove: false
# Maximum number of members to sync per portal when starting up. Other members will be
# synced when they send messages. The maximum is 10000, after which the Telegram server
# will not send any more members.
# -1 means no limit (which means it's limited to 10000 by the server)
max_initial_member_sync: 100
# Whether or not to sync the member list in channels.
# If no channel admins have logged into the bridge, the bridge won't be able to sync the member
# list regardless of this setting.
sync_channel_members: true
# Whether or not to skip deleted members when syncing members.
skip_deleted_members: true
# Whether or not to automatically synchronize contacts and chats of Matrix users logged into
# their Telegram account at startup.
startup_sync: true
# Number of most recently active dialogs to check when syncing chats.
# Set to 0 to remove limit.
sync_update_limit: 0
# Number of most recently active dialogs to create portals for when syncing chats.
# Set to 0 to remove limit.
sync_create_limit: 30
# Whether or not to sync and create portals for direct chats at startup.
sync_direct_chats: false
# The maximum number of simultaneous Telegram deletions to handle.
# A large number of simultaneous redactions could put strain on your homeserver.
max_telegram_delete: 10
# Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
# at startup and when creating a bridge.
sync_matrix_state: true
# Allow logging in within Matrix. If false, users can only log in using login-qr or the
# out-of-Matrix login website (see appservice.public config section)
allow_matrix_login: true
# Whether or not to bridge plaintext highlights.
# Only enable this if your displayname_template has some static part that the bridge can use to
# reliably identify what is a plaintext highlight.
plaintext_highlights: false
# Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
public_portals: true
# Whether or not to use /sync to get presence, read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: true
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Servers to always allow double puppeting from
double_puppet_server_map:
example.com: https://example.com
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, custom puppets will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
# If using this for other servers than the bridge's server,
# you must also set the URL in the double_puppet_server_map.
login_shared_secret_map:
example.com: foobar
telegram_link_preview: true
# Whether or not the !tg join command should do a HTTP request
# to resolve redirects in invite links.
invite_link_resolve: false
# Use inline images instead of a separate message for the caption.
# N.B. Inline images are not supported on all clients (e.g. Element iOS/Android).
inline_images: false
# Maximum size of image in megabytes before sending to Telegram as a document.
image_as_file_size: 10
# Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 1280x1280 = 1638400.
image_as_file_pixels: 1638400
# Maximum size of Telegram documents in megabytes to bridge.
max_document_size: 100
# Enable experimental parallel file transfer, which makes uploads/downloads much faster by
# streaming from/to Matrix and using many connections for Telegram.
# Note that generating HQ thumbnails for videos is not possible with streamed transfers.
# This option uses internal Telethon implementation details and may break with minor updates.
parallel_file_transfer: false
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: true
# Settings for converting animated stickers.
animated_sticker:
# Format to which animated stickers should be converted.
# disable - No conversion, send as-is (gzipped lottie)
# png - converts to non-animated png (fastest),
# gif - converts to animated gif
# webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
target: gif
# Arguments for converter. All converters take width and height.
args:
width: 256
height: 256
fps: 25 # only for webm and gif (2, 5, 10, 20 or 25 recommended)
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# Database for the encryption data. If set to `default`, will use the appservice database.
database: default
# Options for automatic key sharing.
key_sharing:
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow: false
# Require the requesting device to have a valid cross-signing signature?
# This doesn't require that the bridge has verified the device, only that the user has verified it.
# Not yet implemented.
require_cross_signing: false
# Require devices to be verified by the bridge?
# Verification by the bridge is not yet implemented.
require_verification: true
# Whether or not to explicitly set the avatar and room name for private
# chat portal rooms. This will be implicitly enabled if encryption.default is true.
private_chat_portal_meta: false
# Whether or not the bridge should send a read receipt from the bridge bot when a message has
# been sent to Telegram.
delivery_receipts: false
# Whether or not delivery errors should be reported as messages in the Matrix room.
delivery_error_reports: false
# Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it,
# except if the config file is not writable.
resend_bridge_info: false
# When using double puppeting, should muted chats be muted in Matrix?
mute_bridging: false
# When using double puppeting, should pinned chats be moved to a specific tag in Matrix?
# The favorites tag is `m.favourite`.
pinned_tag:
# Same as above for archived chats, the low priority tag is `m.lowpriority`.
archive_tag:
# Whether or not mute status and tags should only be bridged when the portal room is created.
tag_only_on_create: true
# Should leaving the room on Matrix make the user leave on Telegram?
bridge_matrix_leave: true
# Should the user be kicked out of all portals when logging out of the bridge?
kick_on_logout: true
# Settings for backfilling messages from Telegram.
backfill:
# Whether or not the Telegram ghosts of logged in Matrix users should be
# invited to private chats when backfilling history from Telegram. This is
# usually needed to prevent rate limits and to allow timestamp massaging.
invite_own_puppet: true
# Maximum number of messages to backfill without using a takeout.
# The first time a takeout is used, the user has to manually approve it from a different
# device. If initial_limit or missed_limit are higher than this value, the bridge will ask
# the user to accept the takeout after logging in before syncing any chats.
takeout_limit: 100
# Maximum number of messages to backfill initially.
# Set to 0 to disable backfilling when creating portal, or -1 to disable the limit.
#
# N.B. Initial backfill will only start after member sync. Make sure your
# max_initial_member_sync is set to a low enough value so it doesn't take forever.
initial_limit: 0
# Maximum number of messages to backfill if messages were missed while the bridge was
# disconnected. Note that this only works for logged in users and only if the chat isn't
# older than sync_update_limit
# Set to 0 to disable backfilling missed messages.
missed_limit: 50
# If using double puppeting, should notifications be disabled
# while the initial backfill is in progress?
disable_notifications: false
# Whether or not to enable backfilling in normal groups.
# Normal groups have numerous technical problems in Telegram, and backfilling normal groups
# will likely cause problems if there are multiple Matrix users in the group.
normal_groups: false
# Overrides for base power levels.
initial_power_level_overrides:
user: {}
group: {}
# Whether to bridge Telegram bot messages as m.notices or m.texts.
bot_messages_as_notices: true
bridge_notices:
# Whether or not Matrix bot messages (type m.notice) should be bridged.
default: false
# List of user IDs for whom the previous flag is flipped.
# e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
# notices from users listed here will be bridged.
exceptions: []
# An array of possible values for the $distinguisher variable in message formats.
# Each user gets one of the values here, based on a hash of their user ID.
# If the array is empty, the $distinguisher variable will also be empty.
relay_user_distinguishers: [🟦, 🟣, 🟩, ⭕️, 🔶, ⬛️, 🔵, 🟢]
# The formats to use when sending messages to Telegram via the relay bot.
# Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't.
#
# Available variables:
# $sender_displayname - The display name of the sender (e.g. Example User)
# $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
# $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com)
# $distinguisher - A random string from the options in the relay_user_distinguishers array.
# $message - The message content
message_formats:
m.text: '$distinguisher <b>$sender_displayname</b>: $message'
m.notice: '$distinguisher <b>$sender_displayname</b>: $message'
m.emote: '* $distinguisher <b>$sender_displayname</b> $message'
m.file: '$distinguisher <b>$sender_displayname</b> sent a file: $message'
m.image: '$distinguisher <b>$sender_displayname</b> sent an image: $message'
m.audio: '$distinguisher <b>$sender_displayname</b> sent an audio file: $message'
m.video: '$distinguisher <b>$sender_displayname</b> sent a video: $message'
m.location: '$distinguisher <b>$sender_displayname</b> sent a location: $message'
# Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
# users are sent to telegram. All fields in message_formats are supported. Additionally, the
# Telegram user info is available in the following variables:
# $displayname - Telegram displayname
# $username - Telegram username (may not exist)
# $mention - Telegram @username or displayname mention (depending on which exists)
emote_format: '* $mention $formatted_body'
# The formats to use when sending state events to Telegram via the relay bot.
#
# Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
# In name_change events, `$prev_displayname` is the previous displayname.
#
# Set format to an empty string to disable the messages for that event.
state_event_formats:
join: $distinguisher <b>$displayname</b> joined the room.
leave: $distinguisher <b>$displayname</b> left the room.
name_change: $distinguisher <b>$prev_displayname</b> changed their name to $distinguisher <b>$displayname</b>
# Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
# `filter-mode` management commands.
#
# Filters do not affect direct chats.
# An empty blacklist will essentially disable the filter.
filter:
# Filter mode to use. Either "blacklist" or "whitelist".
# If the mode is "blacklist", the listed chats will never be bridged.
# If the mode is "whitelist", only the listed chats can be bridged.
mode: blacklist
# The list of group/channel IDs to filter.
list: []
# The prefix for commands. Only required in non-management rooms.
command_prefix: '!tg'
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# Sent when joining a room.
welcome: Hello, I'm a Telegram bridge bot.
# Sent when joining a management room and the user is already logged in.
welcome_connected: Use `help` for help.
# Sent when joining a management room and the user is not logged in.
welcome_unconnected: Use `help` for help or `login` to log in.
# Optional extra text sent when joining a management room.
additional_help: ''
# Send each message separately (for readability in some clients)
management_room_multiple_messages: false
# Permissions for using the bridge.
# Permitted values:
# relaybot - Only use the bridge via the relaybot, no access to commands.
# user - Relaybot level + access to commands to create bridges.
# puppeting - User level + logging in with a Telegram account.
# full - Full access to use the bridge, i.e. previous levels + Matrix login.
# admin - Full access to use the bridge and some extra administration commands.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
'*': relaybot
matrix.ms.local: admin
relaybot:
private_chat:
# List of users to invite to the portal when someone starts a private chat with the bot.
# If empty, private chats with the bot won't create a portal.
invite: []
# Whether or not to bridge state change messages in relaybot private chats.
state_changes: true
# When private_chat_invite is empty, this message is sent to users /starting the
# relaybot. Telegram's "markdown" is supported.
message: This is a Matrix bridge relaybot and does not support direct chats
# List of users to invite to all group chat portals created by the bridge.
group_chat_invite: []
# Whether or not the relaybot should not bridge events in unbridged group chats.
# If false, portals will be created when the relaybot receives messages, just like normal
# users. This behavior is usually not desirable, as it interferes with manually bridging
# the chat to another room.
ignore_unbridged_group_chat: true
# Whether or not to allow creating portals from Telegram.
authless_portals: true
# Whether or not to allow Telegram group admins to use the bot commands.
whitelist_group_admins: true
# Whether or not to ignore incoming events sent by the relay bot.
ignore_own_incoming_events: true
# List of usernames/user IDs who are also allowed to use the bot commands.
whitelist:
- myusername
- 12345678
telegram:
# Get your own API keys at https://my.telegram.org/apps
api_id: 1921940
api_hash: f2d1cc19e30ec195165b4f5f6b27ae15
# (Optional) Create your own bot at https://t.me/BotFather
bot_token: disabled
# Telethon connection options.
connection:
# The timeout in seconds to be used when connecting.
timeout: 120
# How many times the reconnection should retry, either on the initial connection or when
# Telegram disconnects us. May be set to a negative or null value for infinite retries, but
# this is not recommended, since the program can get stuck in an infinite loop.
retries: 5
# The delay in seconds to sleep between automatic reconnections.
retry_delay: 1
# The threshold below which the library should automatically sleep on flood wait errors
# (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
# is 20s, the library will sleep automatically. If the error was for 21s, it would raise
# the error instead. Values larger than a day (86400) will be changed to a day.
flood_sleep_threshold: 60
# How many times a request should be retried. Request are retried when Telegram is having
# internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
# there's a migrate error. May take a negative or null value for infinite retries, but this
# is not recommended, since some requests can always trigger a call fail (such as searching
# for messages).
request_retries: 5
# Device info sent to Telegram.
device_info:
# "auto" = OS name+version.
device_model: auto
# "auto" = Telethon version.
system_version: auto
# "auto" = mautrix-telegram version.
app_version: auto
lang_code: en
system_lang_code: en
# Custom server to connect to.
server:
# Set to true to use these server settings. If false, will automatically
# use production server assigned by Telegram. Set to false in production.
enabled: false
# The DC ID to connect to.
dc: 2
# The IP to connect to.
ip: 149.154.167.40
# The port to connect to. 443 may not work, 80 is better and both are equally secure.
port: 80
# Telethon proxy configuration.
# You must install PySocks from pip for proxies to work.
proxy:
# Allowed types: disabled, socks4, socks5, http, mtproxy
type: disabled
# Proxy IP address and port.
address: 127.0.0.1
port: 1080
# Whether or not to perform DNS resolving remotely. Only for socks/http proxies.
rdns: true
# Proxy authentication (optional). Put MTProxy secret in password field.
username: ''
password: ''
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): mautrix_telegram.util.ColorFormatter
format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
normal:
format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: normal
filename: ./mautrix-telegram.log
maxBytes: 10485760
backupCount: 10
console:
class: logging.StreamHandler
formatter: colored
loggers:
mau:
level: DEBUG
telethon:
level: INFO
aiohttp:
level: INFO
root:
level: DEBUG
handlers: [file, console]
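Review bot: `verify_ssl: false` under `homeserver` disables certificate checking for the bridge's connection to Synapse; since `address: https://homeserver:8448` uses the internal container name, the `*.ms.local` wildcard certificate cannot match it anyway, so either point the bridge at the plain client listener inside the compose network (the webhooks config in this commit uses `http://homeserver:8008`) or use a hostname the certificate covers and keep verification on. The `permissions` block grants `admin` to every user on `matrix.ms.local`; `full` for the domain with explicit admin mxids is the least-privilege choice. Finally, `appservice.as_token`/`hs_token`, the provisioning `shared_secret` and `telegram.api_hash` are committed in clear, and `login_shared_secret_map` and `relaybot.whitelist` still carry the sample-config placeholders (`example.com: foobar`, `myusername`, `12345678`); regenerate the secrets outside version control and drop the placeholders.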

File diff suppressed because it is too large

View File

@ -0,0 +1,10 @@
id: webhooks
hs_token: oWZdX2TBb3z8t9TGAtG28aUFAXCW8p4X9U2ovuFXAQuDitx5dd8d8tPWiqkZrca8
as_token: tfBQmLm5UUas2wxNiLR6Z7vBSf9vdKCq9eTjZ6noAHB9gstiwWFzdsdfMW3UvjZ3
namespaces:
users:
- exclusive: true
regex: '@_webhook.*'
url: 'http://webhook-service:9000'
sender_localpart: webhooks
rate_limited: false
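Review bot: this registration file carries live `hs_token` and `as_token` values; the homeserver treats any request bearing the `as_token` as coming from the appservice, so both should be regenerated and kept out of the repository (the `url: 'http://webhook-service:9000'` and namespace lines are the only parts that need to be shared).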

View File

@ -0,0 +1,37 @@
# Configuration specific to the application service. All fields (unless otherwise marked) are required.
homeserver:
# The domain for the client-server API calls.
url: "http://homeserver:8008"
# The domain part for user IDs on this home server. Usually, but not always, this is the same as the
# home server's URL.
domain: "matrix.ms.local"
# Configuration specific to the bridge. All fields (unless otherwise marked) are required.
webhookBot:
# The localpart to use for the bot. May require re-registering the application service.
localpart: "webhooks"
# Appearance options for the Matrix bot
appearance:
displayName: "Webhook Bridge"
avatarUrl: "http://i.imgur.com/IDOBtEJ.png" # webhook icon
# Provisioning API options
provisioning:
# Your secret for the API. Required for all provisioning API requests.
secret: 8sRqS76LUNRM6W6Z8p5syJMqdBUajcxM2wTC9hpZXh3N8ZKh8Es3oGoGHbPM853j
# Configuration related to the web portion of the bridge. Handles the inbound webhooks
web:
hookUrlBase: 'https://webhooks.ms.local'
logging:
file: logs/webhook.log
console: true
consoleLevel: debug
fileLevel: verbose
writeFiles: true
rotate:
size: 52428800 # bytes, default is 50mb
count: 5
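Review bot: `provisioning.secret` is committed in clear; it is the credential for the bridge's provisioning API and should be generated per install and kept out of version control. This bridge also reaches the homeserver over `http://homeserver:8008` while the mautrix bridges in the same commit use `https://homeserver:8448` with TLS verification switched off; settling on one internal listener keeps the trust model consistent across services.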

View File

@ -0,0 +1,13 @@
{
"defaultEnv": {
"ENV": "NODE_ENV"
},
"development": {
"driver": "sqlite3",
"filename": "/data/development.db"
},
"production": {
"driver": "sqlite3",
"filename": "/data/production.db"
}
}

Binary file not shown.

2
synapse.env Normal file
View File

@ -0,0 +1,2 @@
SYNAPSE_SERVER_NAME=matrix.ms.local
TZ=Europe/Athens