chore: new v3 recipe release

fix: use correct user, role does exist
fix: quote YAML inline dicts correctly
2023-01-08 02:05:27 +01:00 · 2023-01-08 01:59:46 +01:00 · 2023-01-08 01:56:30 +01:00 · 2023-01-08 01:56:13 +01:00 · 2023-01-08 01:28:15 +01:00 · 2023-01-08 01:22:30 +01:00
12 changed files with 101 additions and 1990 deletions
--- a/.env.sample
+++ b/.env.sample
@ -1,35 +1,43 @@
 TYPE=matrix-synapse
-
 DOMAIN=matrix.example.com
 LETS_ENCRYPT_ENV=production
+COMPOSE_FILE="compose.yml"

-SECRET_DB_PASSWORD_VERSION=v1
+## Admin details

 SYNAPSE_ADMIN_EMAIL=admin@example.com

-SECRET_REGISTRATION_SHARED_SECRET_VERSION=v1
-SECRET_MACAROON_SECRET_KEY_VERSION=v1
-SECRET_FORM_SECRET_VERSION=v1
+## Secrets

-COMPOSE_FILE="compose.yml"
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_FORM_SECRET_VERSION=v1
+SECRET_MACAROON_SECRET_KEY_VERSION=v1
+SECRET_REGISTRATION_SHARED_SECRET_VERSION=v1
+
+## Federation

 #DISABLE_FEDERATION=1

 # Set "true" to enable federation endpoint on $DOMAIN/.well-known/matrix/server
 SERVE_SERVER_WELLKNOWN=false

+## Registration
+
 ENABLE_REGISTRATION=false
 PASSWORD_LOGIN_ENABLED=true

+## Room auto-join
+
 #AUTO_JOIN_ROOM_ENABLED=1
 #AUTO_JOIN_ROOM="#example:example.com"

+## Logging
+
+# for the homserver
 SQL_LOG_LEVEL=WARN
 ROOT_LOG_LEVEL=WARN

-REDACTION_RETENTION_PERIOD=7d
-
-RETENTION_MAX_LIFETIME=4w
+## Privacy

 ENABLE_3PID_LOOKUP=true

@ -37,11 +45,21 @@ USER_IPS_MAX_AGE=1d

 ENCRYPTED_BY_DEFAULT=all

-ALLOWED_LIFETIME_MAX=4w
-
 #ENABLE_ALLOWLIST=1
 #FEDERATION_ALLOWLIST="[]"

+## Retention
+
+ALLOWED_LIFETIME_MAX=4w
+
+REDACTION_RETENTION_PERIOD=7d
+RETENTION_MAX_LIFETIME=4w
+
+#MEDIA_RETENTION_LOCAL_LIFETIME=30d
+#MEDIA_RETENTION_REMOTE_LIFETIME=14d
+
+## Keycloak SSO
+
 #COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
 #KEYCLOAK_ENABLED=1
 #KEYCLOAK_ID=keycloak
@ -52,23 +70,16 @@ ALLOWED_LIFETIME_MAX=4w
 #KEYCLOAK_ALLOW_EXISTING_USERS=false
 #SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1

-#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak2.yml"
-#KEYCLOAK2_ENABLED=1
-#KEYCLOAK2_ID=keycloak2
-#KEYCLOAK2_NAME=
-#KEYCLOAK2_URL=
-#KEYCLOAK2_CLIENT_ID=
-#KEYCLOAK2_CLIENT_DOMAIN=
-#KEYCLOAK2_ALLOW_EXISTING_USERS=false
-#SECRET_KEYCLOAK2_CLIENT_SECRET_VERSION=v1
+## TURN

 #COMPOSE_FILE="$COMPOSE_FILE:compose.turn.yml"
 #TURN_ENABLED=1
 #TURN_URIS="[\"turns:coturn.foo.zone?transport=udp\", \"turns:coturn.foo.zone?transport=tcp\"]"
 #TURN_ALLOW_GUESTS=true
-#KEYCLOAK2_ALLOW_EXISTING_USERS=false
 #SECRET_TURN_SHARED_SECRET_VERSION=v1

+## SMTP
+
 #COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 #SMTP_ENABLED=1
 #SMTP_APP_NAME=
@ -78,9 +89,13 @@ ALLOWED_LIFETIME_MAX=4w
 #SMTP_USER=
 #SECRET_SMTP_PASSWORD_VERSION=v1

+## App services
+
 #APP_SERVICES_ENABLED=1
 #APP_SERVICE_CONFIGS="[\"...\"]"

+## Telegram bridge
+
 #COMPOSE_FILE="$COMPOSE_FILE:compose.telegram.yml"
 #APP_SERVICE_BOT_USERNAME=telegrambot
 #APP_SERVICE_DISPLAY_NAME="Telegram bridge bot"
@ -90,28 +105,32 @@ ALLOWED_LIFETIME_MAX=4w
 #VERIFY_SSL=false
 #ENABLE_ENCRYPTION=true
 #TELEGRAM_APP_ID=
-#TELEGRAM_BRIDGE_ADMIN_1=
-#TELEGRAM_BRIDGE_ADMIN_2=
+#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\" }"
 #SECRET_TELEGRAM_DB_PASSWORD_VERSION=v1
 #SECRET_TELEGRAM_API_HASH_VERSION=v1
 #SECRET_TELEGRAM_BOT_TOKEN_VERSION=v1
 #SECRET_TELEGRAM_AS_TOKEN_VERSION=v1
 #SECRET_TELEGRAM_HS_TOKEN_VERSION=v1

+## Discord bridge
+
 #COMPOSE_FILE="$COMPOSE_FILE:compose.discord.yml"
 #DISCORD_CLIENT_ID=
 #DISCORD_BRIDGE_ADMIN=
 #SECRET_DISCORD_BOT_TOKEN_VERSION=v1
 #SECRET_DISCORD_DB_PASSWORD_VERSION=v1

+## Signal bridge
+
 #COMPOSE_FILE="$COMPOSE_FILE:compose.signal.yml"
 #SIGNAL_ENABLE_ENCRYPTION=true
-#SIGNAL_BRIDGE_ADMIN_1="@foo:example.com"
-#SIGNAL_BRIDGE_ADMIN_2="@bar:example.com"
+#SIGNAL_BRIDGE_PERMISSIONS="{ \"*\": \"relay\" }"
 #SECRET_SIGNAL_AS_TOKEN_VERSION=v1
 #SECRET_SIGNAL_DB_PASSWORD_VERSION=v1
 #SECRET_SIGNAL_HS_TOKEN_VERSION=v1

+## Shared auth
+
 #COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
 #SHARED_SECRET_AUTH_ENABLED=1
 #SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
--- a/abra.sh
+++ b/abra.sh
@ -1,7 +1,7 @@
+export DISCORD_BRIDGE_YAML_VERSION=v2
 export ENTRYPOINT_CONF_VERSION=v1
-export HOMESERVER_YAML_VERSION=v13
+export HOMESERVER_YAML_VERSION=v17
 export LOG_CONFIG_VERSION=v2
-export TELEGRAM_BRIDGE_YAML_VERSION=v3
-export DISCORD_BRIDGE_YAML_VERSION=v1
-export SIGNAL_BRIDGE_YAML_VERSION=v2
 export SHARED_SECRET_AUTH_VERSION=v1
+export SIGNAL_BRIDGE_YAML_VERSION=v4
+export TELEGRAM_BRIDGE_YAML_VERSION=v5
--- a/compose.discord.yml
+++ b/compose.discord.yml
@ -43,7 +43,7 @@ services:
    networks:
      - internal
    healthcheck:
-      test: ["CMD", "pg_isready", "-U", "synapse"]
+      test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
    volumes:
      - discord-postgres:/var/lib/postgresql/data

--- a/compose.keycloak2.yml
+++ b/compose.keycloak2.yml
@ -1,19 +0,0 @@
---
-version: "3.8"
-
-services:
-  app:
-    secrets:
-      - keycloak2_client_secret
-    environment:
-      - KEYCLOAK2_ALLOW_EXISTING_USERS
-      - KEYCLOAK2_CLIENT_ID
-      - KEYCLOAK2_ENABLED
-      - KEYCLOAK2_ID
-      - KEYCLOAK2_NAME
-      - KEYCLOAK2_URL
-
-secrets:
-  keycloak2_client_secret:
-    external: true
-    name: ${STACK_NAME}_keycloak2_client_secret_${SECRET_KEYCLOAK2_CLIENT_SECRET_VERSION}
--- a/compose.signal.yml
+++ b/compose.signal.yml
@ -13,7 +13,7 @@ services:
    image: docker.io/signald/signald:0.23.0-non-root
    networks:
      - internal
-    volumes: 
+    volumes:
      - signald-data:/signald

  signalbridge:
@ -26,8 +26,7 @@ services:
    environment:
      - HOMESERVER_DOMAIN
      - HOMESERVER_URL
-      - SIGNAL_BRIDGE_ADMIN_1
-      - SIGNAL_BRIDGE_ADMIN_2
+      - SIGNAL_BRIDGE_PERMISSIONS
      - SIGNAL_ENABLE_ENCRYPTION
      - VERIFY_SSL
    secrets:
@ -55,7 +54,7 @@ services:
    networks:
      - internal
    healthcheck:
-      test: ["CMD", "pg_isready", "-U", "synapse"]
+      test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
    volumes:
      - signal-postgres:/var/lib/postgresql/data

--- a/compose.telegram.yml
+++ b/compose.telegram.yml
@ -24,8 +24,7 @@ services:
      - HOMESERVER_DOMAIN
      - HOMESERVER_URL
      - TELEGRAM_APP_ID
-      - TELEGRAM_BRIDGE_ADMIN_1
-      - TELEGRAM_BRIDGE_ADMIN_2
+      - TELEGRAM_BRIDGE_PERMISSIONS
      - VERIFY_SSL
    secrets:
      - telegram_api_hash
@ -53,7 +52,7 @@ services:
    networks:
      - internal
    healthcheck:
-      test: ["CMD", "pg_isready", "-U", "synapse"]
+      test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
    volumes:
      - telegram-postgres:/var/lib/postgresql/data

--- a/compose.yml
+++ b/compose.yml
@ -25,6 +25,8 @@ services:
      - ENCRYPTED_BY_DEFAULT
      - FEDERATION_ALLOWLIST
      - LETSENCRYPT_HOST=${DOMAIN}
+      - MEDIA_RETENTION_LOCAL_LIFETIME
+      - MEDIA_RETENTION_REMOTE_LIFETIME
      - PASSWORD_LOGIN_ENABLED
      - REDACTION_RETENTION_PERIOD
      - RETENTION_MAX_LIFETIME
@ -59,7 +61,7 @@ services:
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=2.6.0+v1.74.0"
+        - "coop-cloud.${STACK_NAME}.version=3.0.0+v1.74.0"

  db:
    image: postgres:13-alpine
@ -75,7 +77,7 @@ services:
    networks:
      - internal
    healthcheck:
-      test: ["CMD", "pg_isready", "-U", "synapse"]
+      test: ["CMD", "pg_isready", "-U", "$POSTGRES_USER" ]
    volumes:
      - postgres:/var/lib/postgresql/data
    deploy:
--- a/discord_bridge.yaml.tmpl
+++ b/discord_bridge.yaml.tmpl
@ -50,7 +50,7 @@ auth:

 logging:
  # What level should the logger output to the console at.
-  console: "warn" #silly, verbose, info, http, warn, error, silent
+  console: "error" #silly, verbose, info, http, warn, error, silent
  lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format
  files:
    - file: "debug.log"
--- a/homeserver.yaml.tmpl
+++ b/homeserver.yaml.tmpl
--- a/release/3.0.0+v1.74.0
+++ b/release/3.0.0+v1.74.0
@ -0,0 +1,17 @@
+WARNING: There are a lot of config breaking changes in this one, watch out!
+
+* KEYCLOAK2* env vars have gone away, they were experimental.
+
+* TELEGRAM_BRIDGE_ADMIN* is replaced by TELEGRAM_BRIDGE_PERMISSIONS.
+
+* SIGNAL_BRIDGE_ADMIN* is replaced by SIGNAL_BRIDGE_PERMISSIONS.
+
+* The homeserver config has been trimmed, see coop-cloud/matrix-synapse#33 for more.
+
+* Bridge logging is only ERROR level now to minimise leaking plaintext.
+
+* It is possible to use SSO & federation env vars in combination now.
+
+* Media retention is now configurable with #MEDIA_RETENTION_* env vars.
+
+@decentral1se
--- a/signal_bridge.yaml.tmpl
+++ b/signal_bridge.yaml.tmpl
@ -267,10 +267,8 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-        "*": "relay"
-        "{{ env "SIGNAL_BRIDGE_ADMIN_1" }}": "admin"
-        "{{ env "SIGNAL_BRIDGE_ADMIN_2" }}": "admin"
+    permissions: {{ env "SIGNAL_BRIDGE_PERMISSIONS" }}
+
    relay:
        # Whether relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
        # authenticated user into a relaybot for that chat.
@ -318,9 +316,9 @@ logging:
            formatter: colored
    loggers:
        mau:
-            level: DEBUG
+            level: ERROR
        aiohttp:
-            level: INFO
+            level: ERROR
    root:
-        level: DEBUG
+        level: ERROR
        handlers: [console]
--- a/telegram_bridge.yaml.tmpl
+++ b/telegram_bridge.yaml.tmpl
@ -412,10 +412,7 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-        "*": "relaybot"
-        "{{ env "TELEGRAM_BRIDGE_ADMIN_1" }}": "admin"
-        "{{ env "TELEGRAM_BRIDGE_ADMIN_2" }}": "admin"
+    permissions: {{ env "TELEGRAM_BRIDGE_PERMISSIONS" }}

    # Options related to the message relay Telegram bot.
    relaybot:
@ -537,11 +534,11 @@ logging:
            formatter: colored
    loggers:
        mau:
-            level: DEBUG
+            level: ERROR
        telethon:
-            level: INFO
+            level: ERROR
        aiohttp:
-            level: INFO
+            level: ERROR
    root:
-        level: DEBUG
+        level: ERROR
        handlers: [file, console]
Author	SHA1	Message	Date
decentral1se	89f5069aa2	chore: new v3 recipe release	2023-01-08 02:05:27 +01:00
decentral1se	77b3dbdaa9	fix: use correct user, role does exist	2023-01-08 01:59:46 +01:00
decentral1se	1a0211b743	fix: quote YAML inline dicts correctly	2023-01-08 01:56:30 +01:00
decentral1se	eb541c41ee	fix: consistent compression config	2023-01-08 01:56:13 +01:00
decentral1se	008ec1126b	docs: comments in env sample (getting large!)	2023-01-08 01:28:15 +01:00
decentral1se	0c26ea22f9	docs: write release notes	2023-01-08 01:22:30 +01:00
decentral1se	e3bf165da0	refactor!: remove KEYCLOAK2* env vars The experiment is over.	2023-01-08 01:15:36 +01:00
decentral1se	245e81e4bb	fix: make bridge logging ERROR only Decryption happens on the bridges (between systems) so in order to stop plaintext logging of chat messages, we default to ERROR. If people need more, they can submit changes for customisation.	2023-01-08 01:11:58 +01:00
decentral1se	9b12e4a0eb	refactor!: unlimited permissions bridge config	2023-01-08 01:04:52 +01:00
decentral1se	e7f81cb9ea	fix: support openid + federation Closes https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/30	2023-01-08 00:46:05 +01:00
decentral1se	88bcc2186b	chore: bump homeserver config version	2023-01-08 00:12:03 +01:00
decentral1se	9b3e1793e0	fix: reduce config to match upstream Closes https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/33	2023-01-08 00:10:28 +01:00
decentral1se	ee6d1e92f4	fix: media retention is configurable Closes https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/32	2023-01-08 00:10:03 +01:00
decentral1se	3e3c239c88	fix: drop missing role	2023-01-07 23:49:36 +01:00
decentral1se	e905c24eb2	style: sort config env vars	2023-01-07 23:44:56 +01:00