matrix
About
An open network for secure, decentralized communication
Preparation
- Assign an IP address and make the host reachable (routing, firewalling).
- Create the DNS records (A/AAAA) for the server name.
sydent
Sydent is the reference implementation of the Matrix identity service. You can run your own identity server (or cluster of them) that tracks the mapping from third-party identifiers (e-mail addresses, phone numbers) to Matrix IDs.
Not needed for this setup, yet.
matrix-synapse
Installation
Download the matrix.org archive keyring to /usr/share/keyrings/matrix-org-archive-keyring.gpg. The signed-by option in the sources entry below pins the repository to that key, so apt will refuse packages not signed by it. Then add the entry for your Debian release; the three lines are alternatives, keep only the one that matches your release:
/etc/apt/sources.list.d/matrix-org.list
deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ buster main
deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ bullseye main
deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ bookworm main
Configure
### Move distribution config to the side
mv /etc/matrix-synapse/homeserver.yaml{,_dist}
### Generate a new configuration
### (--report-stats yes sends anonymised usage statistics to matrix.org; use "no" to opt out)
/bin/generate_config \
  --config-dir "/etc/matrix-synapse" \
  --data-dir "/var/lib/matrix-synapse" \
  --server-name "matrix.rockstable.it" \
  --report-stats yes --generate-secrets \
  | tee /etc/matrix-synapse/homeserver.yaml
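Before deploying the generated file it is worth checking the handful of settings that the configuration below treats as security-relevant: open registration, placeholder secrets, the URL-preview and federation IP blacklists, certificate verification for outbound federation, and which addresses the plaintext listener binds to. The audit function below is an added example (editor's code, not part of Synapse or of this page); the checks and severities are the editor's own choices, the sample configurations are constructed dicts modelled on the placeholders in this page, and load_config() assumes PyYAML, which Synapse itself depends on.

```python
"""Audit a Synapse homeserver.yaml for the settings this page flags as
security-relevant. Added example: the checks and severities are the editor's
choices, not Synapse's. load_config() needs PyYAML; the sample configs are
constructed dicts that stand in for a parsed file."""

import ipaddress


def load_config(path):
    """Parse a real homeserver.yaml (PyYAML is a Synapse dependency, so it is on the host)."""
    import yaml  # imported lazily so the samples below run without it
    with open(path) as fh:
        return yaml.safe_load(fh)


def weak_secret(value):
    """True for placeholder-looking or short secrets such as "<REGISTRATION_SECRET>"."""
    if not isinstance(value, str) or len(value) < 16:
        return True
    return "YOUR_" in value or value.startswith("<")


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(cfg):
    """Return a list of (severity, setting, message) for a parsed homeserver.yaml dict."""
    findings = []

    def add(severity, key, msg):
        findings.append((severity, key, msg))

    if cfg.get("enable_registration", False):
        sev = "medium" if cfg.get("enable_registration_captcha", False) else "high"
        add(sev, "enable_registration", "open registration: anyone can create accounts here")

    for key in ("registration_shared_secret", "turn_shared_secret"):
        if key in cfg and weak_secret(cfg[key]):
            sev = "high" if key == "registration_shared_secret" else "medium"
            add(sev, key, "placeholder or short secret; replace it with a long random value")

    if cfg.get("url_preview_enabled", False) and not cfg.get("url_preview_ip_range_blacklist"):
        add("high", "url_preview_enabled",
            "previews without url_preview_ip_range_blacklist: any room member can make "
            "Synapse GET internal addresses (SSRF)")

    if cfg.get("federation_verify_certificates", True) is False:
        add("high", "federation_verify_certificates", "outbound federation accepts any certificate")

    if not cfg.get("federation_ip_range_blacklist"):
        add("medium", "federation_ip_range_blacklist",
            "no private-range blacklist: federation requests can be steered at internal hosts")

    if cfg.get("allow_guest_access", False):
        add("low", "allow_guest_access", "guest accounts need no password or e-mail")
    if cfg.get("turn_allow_guests", False):
        add("low", "turn_allow_guests", "unauthenticated users get TURN relay credentials")
    if int(cfg.get("bcrypt_rounds", 12)) < 12:
        add("low", "bcrypt_rounds", "below the default work factor of 12")

    for lst in cfg.get("listeners") or []:
        if lst.get("type", "http") != "http":
            continue
        addrs = lst.get("bind_addresses") or ["::"]  # absent means all interfaces
        exposed = [a for a in addrs if not is_loopback(a)]
        name = "listeners[port=%s]" % lst.get("port")
        if exposed and lst.get("x_forwarded", False):
            add("medium", name, "x_forwarded trusted on a non-loopback bind: clients can forge "
                                "X-Forwarded-For and defeat per-IP rate limits")
        if exposed and not lst.get("tls", False) and not lst.get("x_forwarded", False):
            add("medium", name, "plaintext listener reachable beyond loopback")
    return findings


# Constructed sample: the placeholders of the file on this page, loopback-only listener.
AS_ON_PAGE = {
    "enable_registration": False,
    "registration_shared_secret": "<REGISTRATION_SECRET>",
    "turn_shared_secret": "YOUR_SHARED_SECRET",
    "url_preview_enabled": False,
    "url_preview_ip_range_blacklist": ["127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16"],
    "federation_ip_range_blacklist": ["127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16"],
    "allow_guest_access": False,
    "turn_allow_guests": False,
    "bcrypt_rounds": 12,
    "listeners": [{"port": 8008, "tls": False, "type": "http", "x_forwarded": True,
                   "bind_addresses": ["::1", "127.0.0.1"],
                   "resources": [{"names": ["client", "federation"], "compress": True}]}],
}

# Constructed sample: the same file after the two secrets were replaced (values are made up).
HARDENED = dict(AS_ON_PAGE,
                registration_shared_secret="c7Qw1vN9sL2pZx8kT4hR6mB3yF0dJ5uA",
                turn_shared_secret="E1kP9rT3wY7zB5nQ2vX8cM4hL6sD0jF")

# Constructed sample: a careless edit that exposes the server.
EXPOSED = dict(AS_ON_PAGE,
               enable_registration=True,
               url_preview_enabled=True,
               url_preview_ip_range_blacklist=[],
               federation_verify_certificates=False,
               listeners=[{"port": 8008, "tls": False, "type": "http",
                           "x_forwarded": True, "bind_addresses": ["0.0.0.0"]}])

if __name__ == "__main__":
    import sys
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else EXPOSED
    for severity, key, msg in audit(cfg):
        print("%-6s %-32s %s" % (severity, key, msg))
```

Run it as `python3 audit.py /etc/matrix-synapse/homeserver.yaml` after every edit of the file; with no argument it reports on the constructed EXPOSED sample. The x_forwarded check matters because the rate limits in the Ratelimiting section are keyed on the client address Synapse believes it sees.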
Next, set registration_shared_secret to a fresh random value and leave enable_registration: False in the generated file. With open registration off, only a holder of the shared secret (through the admin register endpoint or the register_new_matrix_user script) can create accounts, including admin accounts, so treat that secret like a root password.
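How the shared secret is actually used, as an added example (editor's code, not Synapse's and not from this page): the client fetches a one-time nonce from /_synapse/admin/v1/register, computes an HMAC-SHA1 keyed with registration_shared_secret over the nonce, username, password and admin flag, and posts it back; the server recomputes the MAC and compares it. The MAC construction is the one Synapse's register_new_matrix_user script sends. HOMESERVER and the sample nonce and credentials are assumptions.

```python
"""Shared-secret registration against Synapse's admin API, both halves of the
exchange. Added example (editor's code). HOMESERVER is an assumption; the MAC
layout follows what register_new_matrix_user sends."""

import hashlib
import hmac
import json
import secrets
import urllib.request

HOMESERVER = "https://matrix.rockstable.it"  # assumption: this server's public base URL
REGISTER_PATH = "/_synapse/admin/v1/register"


def new_registration_secret(nbytes=32):
    """Value to paste into registration_shared_secret. Whoever holds it can create admin accounts."""
    return secrets.token_urlsafe(nbytes)


def registration_mac(shared_secret, nonce, username, password, admin=False, user_type=None):
    """HMAC-SHA1 over nonce, user, password and admin flag, NUL-separated, keyed with the secret."""
    mac = hmac.new(shared_secret.encode("utf8"), digestmod=hashlib.sha1)
    mac.update(nonce.encode("utf8"))
    mac.update(b"\x00")
    mac.update(username.encode("utf8"))
    mac.update(b"\x00")
    mac.update(password.encode("utf8"))
    mac.update(b"\x00")
    mac.update(b"admin" if admin else b"notadmin")
    if user_type:
        mac.update(b"\x00")
        mac.update(user_type.encode("utf8"))
    return mac.hexdigest()


def registration_request(shared_secret, nonce, username, password, admin=False):
    """Client side: JSON body for the POST (the nonce came from a GET to the same path)."""
    return {
        "nonce": nonce,
        "username": username,
        "password": password,
        "admin": admin,
        "mac": registration_mac(shared_secret, nonce, username, password, admin),
    }


def server_side_check(shared_secret, body):
    """Server side: recompute the MAC and compare in constant time. The real server also
    rejects nonces it did not issue or has already seen, which stops replay."""
    expected = registration_mac(shared_secret, body["nonce"], body["username"],
                                body["password"], body.get("admin", False))
    return hmac.compare_digest(expected, body["mac"])


def register(shared_secret, username, password, admin=False, base_url=HOMESERVER):
    """Full exchange against a live server: fetch a nonce, post the signed body."""
    url = base_url + REGISTER_PATH
    with urllib.request.urlopen(url) as resp:
        nonce = json.load(resp)["nonce"]
    body = json.dumps(registration_request(shared_secret, nonce, username, password, admin))
    req = urllib.request.Request(url, data=body.encode("utf8"), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # user_id, access_token, device_id


if __name__ == "__main__":
    # Offline demonstration with constructed values: sign, verify, then show a tampered body failing.
    secret = new_registration_secret()
    body = registration_request(secret, "sample-nonce", "alice", "correct horse battery", admin=False)
    print("mac:", body["mac"], "valid:", server_side_check(secret, body))
    print("admin flag flipped, still valid?", server_side_check(secret, dict(body, admin=True)))
```

Because the admin flag is inside the MAC, a client cannot take a MAC issued for a normal account and flip admin to true; conversely, anyone who reads the secret out of homeserver.yaml can mint admin accounts at will, which is why the file should be readable only by the synapse user.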
/etc/matrix-synapse/homeserver.yaml
# vim:ft=yaml,et

## Server ##

# The domain name of the server, with optional explicit port.
# This is used by remote servers to connect to this server,
# e.g. matrix.org, localhost:8080, etc.
# This is also the last part of your UserID.
#
server_name: "matrix.rockstable.it"

# When running as a daemon, the file to store the pid in
pid_file: "/run/matrix-synapse/matrix-synapse.pid"

# The path to the web client which will be served at /_matrix/client/
# if 'webclient' is configured under the 'listeners' configuration.
#
#web_client_location: "/path/to/web/root"

# The public-facing base URL that clients use to access this HS
# (not including _matrix/...). This is the same URL a user would
# enter into the 'custom HS URL' field on their client. If you
# use synapse with a reverse proxy, this should be the URL to reach
# synapse via the proxy.
#public_baseurl: https://example.com/

# Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the
# hard limit.
soft_file_limit: 0

# CPU affinity mask. Setting this restricts the CPUs on which the
# process will be scheduled. It is represented as a bitmask, with the
# lowest order bit corresponding to the first logical CPU and the
# highest order bit corresponding to the last logical CPU. Not all CPUs
# may exist on a given system but a mask may specify more CPUs than are
# present.
#
# For example:
#   0x00000001 is processor #0,
#   0x00000003 is processors #0 and #1,
#   0xFFFFFFFF is all processors (#0 through #31).
#
# Pinning a Python process to a single CPU is desirable, because Python
# is inherently single-threaded due to the GIL, and can suffer a
# 30-40% slowdown due to cache blow-out and thread context switching
# if the scheduler happens to schedule the underlying threads across
# different cores. See
# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/.
#
# cpu_affinity: 0xFFFFFFFF

# Set to false to disable presence tracking on this homeserver.
#
#use_presence: False

# Whether to require authentication to retrieve profile data (avatars,
# display names) of other users through the client API. Defaults to
# 'false'. Note that profile data is also available via the federation
# API, so this setting is of limited value if federation is enabled on
# the server.
#
#require_auth_for_profile_requests: True

# If set to 'False', requires authentication to access the server's public rooms
# directory through the client API. Defaults to 'True'.
#
#allow_public_rooms_without_auth: False

# If set to 'False', forbids any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'True'.
#
#allow_public_rooms_over_federation: False

# The default room version for newly created rooms.
#
# Known room versions are listed here:
# https://matrix.org/docs/spec/#complete-list-of-room-versions
#
# For example, for room version 1, default_room_version should be set
# to "1".
#
#default_room_version: "4"

# The GC threshold parameters to pass to `gc.set_threshold`, if defined
#gc_thresholds: [700, 10, 10]

# Set the limit on the returned events in the timeline in the get
# and sync operations. The default value is -1, means no upper limit.
#filter_timeline_limit: 5000

# Whether room invites to users on this server should be blocked
# (except those sent by local server admins). The default is False.
#block_non_admin_invites: True

# Room searching
#
# If disabled, new messages will not be indexed for searching and users
# will receive errors when searching for messages. Defaults to enabled.
#
#enable_search: False

# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
#federation_domain_whitelist:
#  - lon.example.com
#  - nyc.example.com
#  - syd.example.com

# Prevent federation requests from being sent to the following
# blacklist IP address CIDR ranges. If this option is not specified, or
# specified with an empty list, no ip range blacklist will be enforced.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
federation_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'

# List of ports that Synapse should listen on, their purpose and their
# configuration.
#
# Options for each listener include:
#
#   port: the TCP port to bind to
#
#   bind_addresses: a list of local addresses to listen on. The default is
#       'all local interfaces'.
#
#   type: the type of listener. Normally 'http', but other valid options are:
#       'manhole' (see docs/manhole.md),
#       'metrics' (see docs/metrics-howto.rst),
#       'replication' (see docs/workers.rst).
#
#   tls: set to True to enable TLS for this listener. Will use the TLS
#       key/cert specified in tls_private_key_path / tls_certificate_path.
#
#   x_forwarded: Only valid for an 'http' listener. Set to True to use the
#       X-Forwarded-For header as the client IP. Useful when Synapse is
#       behind a reverse-proxy.
#
#   resources: Only valid for an 'http' listener. A list of resources to host
#       on this port. Options for each resource are:
#
#       names: a list of names of HTTP resources. See below for a list of
#           valid resource names.
#
#       compress: set to True to enable HTTP compression for this resource.
#
#   additional_resources: Only valid for an 'http' listener. A map of
#        additional endpoints which should be loaded via dynamic modules.
#
# Valid resource names are:
#
#   client: the client-server API (/_matrix/client), and the synapse admin
#       API (/_synapse/admin). Also implies 'media' and 'static'.
#
#   consent: user consent forms (/_matrix/consent). See
#       docs/consent_tracking.md.
#
#   federation: the server-server API (/_matrix/federation). Also implies
#       'media', 'keys', 'openid'
#
#   keys: the key discovery API (/_matrix/keys).
#
#   media: the media API (/_matrix/media).
#
#   metrics: the metrics interface. See docs/metrics-howto.rst.
#
#   openid: OpenID authentication.
#
#   replication: the HTTP replication API (/_synapse/replication). See
#       docs/workers.rst.
#
#   static: static resources under synapse/static (/_matrix/static). (Mostly
#       useful for 'fallback authentication'.)
#
#   webclient: A web client. Requires web_client_location to be set.
#
listeners:
  # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
  #
  # Disabled by default. To enable it, uncomment the following. (Note that you
  # will also need to give Synapse a TLS key and certificate: see the TLS section
  # below.)
  #
  #- port: 8448
  #  # This is a 'http' listener, allows us to specify 'resources'.
  #  type: http
  #  tls: True
  #
  #  # Local addresses to listen on.
  #  # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6
  #  # addresses by default. For most other OSes, this will only listen
  #  # on IPv6.
  #  bind_addresses:
  #    - '::1'
  #    - '127.0.0.1'
  #    # - '::'
  #    # - '0.0.0.0'
  #
  #  # Use the X-Forwarded-For (XFF) header as the client IP and not the
  #  # actual client IP.
  #  x_forwarded: False
  #
  #  # List of HTTP resources to serve on this listener.
  #  resources:
  #    - names: federation
  #      compress: False

  # Unsecure HTTP listener:
  # For when matrix traffic passes through a reverse proxy that unwraps TLS.
  #
  # If you plan to use a reverse proxy, please see
  # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.rst.
  #
  - port: 8008
    tls: False
    bind_addresses:
      - '::1'
      - '127.0.0.1'
      # - '::'
      # - '0.0.0.0'
    type: http
    # Use the X-Forwarded-For (XFF) header as the client IP and not the
    # actual client IP. Only safe because this listener is bound to loopback
    # and so reachable only through the reverse proxy.
    x_forwarded: True

    # List of HTTP resources to serve on this listener.
    resources:
      - names: [client, federation]
        compress: True

  # example additional_resources:
  #
  #additional_resources:
  #  "/_matrix/my/custom/endpoint":
  #    module: my_module.CustomRequestHandler
  #    config: {}

  # Turn on the twisted ssh manhole service on localhost on the given
  # port.
  #- port: 9000
  #  bind_addresses:
  #    - '::1'
  #    - '127.0.0.1'
  #  type: manhole


## Homeserver blocking ##

# How to reach the server admin, used in ResourceLimitError
#
#admin_contact: 'mailto:root@rockstable.it'

# Global blocking
#
#hs_disabled: False
#hs_disabled_message: 'Human readable reason for why the HS is blocked'
#hs_disabled_limit_type: 'error code(str), to help clients decode reason'

# Monthly Active User Blocking
#
# Used in cases where the admin or server owner wants to limit to the
# number of monthly active users.
#
# 'limit_usage_by_mau' disables/enables monthly active user blocking. When
# enabled and a limit is reached the server returns a 'ResourceLimitError'
# with error type Codes.RESOURCE_LIMIT_EXCEEDED
#
# 'max_mau_value' is the hard limit of monthly active users above which
# the server will start blocking user actions.
#
# 'mau_trial_days' is a means to add a grace period for active users. It
# means that users must be active for this number of days before they
# can be considered active and guards against the case where lots of users
# sign up in a short space of time never to return after their initial
# session.
#
#limit_usage_by_mau: False
#max_mau_value: 50
#mau_trial_days: 2

# If enabled, the metrics for the number of monthly active users will
# be populated, however no one will be limited. If limit_usage_by_mau
# is True, this is implied to be true.
#
#mau_stats_only: False

# Sometimes the server admin will want to ensure certain accounts are
# never blocked by mau checking. These accounts are specified here.
#
#mau_limit_reserved_threepids:
#  - medium: 'email'
#    address: 'reserved_user@example.com'

# Used by phonehome stats to group together related servers.
#server_context: context

# Whether to require a user to be in the room to add an alias to it.
# Defaults to 'True'.
#
#require_membership_for_aliases: False

# Whether to allow per-room membership profiles through the send of membership
# events with profile information that differ from the target's global profile.
# Defaults to 'True'.
#
#allow_per_room_profiles: False


## TLS ##

# PEM-encoded X509 certificate for TLS.
# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
# certificate, signed by a recognised Certificate Authority.
#
# See 'ACME support' below to enable auto-provisioning this certificate via
# Let's Encrypt.
#
# If supplying your own, be sure to use a `.pem` file that includes the
# full certificate chain including any intermediate certificates (for
# instance, if using certbot, use `fullchain.pem` as your certificate,
# not `cert.pem`).
#
tls_certificate_path: "/etc/letsencrypt/live/matrix.rockstable.it/fullchain.pem"

# PEM-encoded private key for TLS
tls_private_key_path: "/etc/letsencrypt/live/matrix.rockstable.it/privkey.pem"

# PEM dh parameters for ephemeral keys
tls_dh_params_path: "/etc/ssl/dhparam/dhparam_4096.pem"

# Don't bind to the https port
no_tls: False

# Whether to verify TLS server certificates for outbound federation requests.
#
# Defaults to `True`. To disable certificate verification, uncomment the
# following line.
#
#federation_verify_certificates: False

# The minimum TLS version that will be used for outbound federation requests.
#
# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
# that setting this value higher than `1.2` will prevent federation to most
# of the public Matrix network: only configure it to `1.3` if you have an
# entirely private federation setup and you can ensure TLS 1.3 support.
#
#federation_client_minimum_tls_version: 1.2

# Skip federation certificate verification on the following whitelist
# of domains.
#
# This setting should only be used in very specific cases, such as
# federation over Tor hidden services and similar. For private networks
# of homeservers, you likely want to use a private CA instead.
#
# Only effective if federation_verify_certificates is `True`.
#
#federation_certificate_verification_whitelist:
#  - lon.example.com
#  - *.domain.com
#  - *.onion

# List of custom certificate authorities for federation traffic.
#
# This setting should only normally be used within a private network of
# homeservers.
#
# Note that this list will replace those that are provided by your
# operating environment. Certificates must be in PEM format.
#
#federation_custom_ca_list:
#  - myCA1.pem
#  - myCA2.pem
#  - myCA3.pem

# ACME support: This will configure Synapse to request a valid TLS certificate
# for your configured `server_name` via Let's Encrypt.
#
# Note that provisioning a certificate in this way requires port 80 to be
# routed to Synapse so that it can complete the http-01 ACME challenge.
# By default, if you enable ACME support, Synapse will attempt to listen on
# port 80 for incoming http-01 challenges - however, this will likely fail
# with 'Permission denied' or a similar error.
#
# There are a couple of potential solutions to this:
#
#  * If you already have an Apache, Nginx, or similar listening on port 80,
#    you can configure Synapse to use an alternate port, and have your web
#    server forward the requests. For example, assuming you set 'port: 8009'
#    below, on Apache, you would write:
#
#    ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
#
#  * Alternatively, you can use something like `authbind` to give Synapse
#    permission to listen on port 80.
#
acme:
  # ACME support is disabled by default. Uncomment the following line
  # (and tls_certificate_path and tls_private_key_path above) to enable it.
  #
  #enabled: True

  # Endpoint to use to request certificates. If you only want to test,
  # use Let's Encrypt's staging url:
  #     https://acme-staging.api.letsencrypt.org/directory
  #
  #url: https://acme-v01.api.letsencrypt.org/directory

  # Port number to listen on for the HTTP-01 challenge. Change this if
  # you are forwarding connections through Apache/Nginx/etc.
  #
  #port: 80

  # Local addresses to listen on for incoming connections.
  # Again, you may want to change this if you are forwarding connections
  # through Apache/Nginx/etc.
  #
  #bind_addresses: ['::', '0.0.0.0']

  # How many days remaining on a certificate before it is renewed.
  #
  #reprovision_threshold: 30

  # The domain that the certificate should be for. Normally this
  # should be the same as your Matrix domain (i.e., 'server_name'), but,
  # by putting a file at 'https://<server_name>/.well-known/matrix/server',
  # you can delegate incoming traffic to another server. If you do that,
  # you should give the target of the delegation here.
  #
  # For example: if your 'server_name' is 'example.com', but
  # 'https://example.com/.well-known/matrix/server' delegates to
  # 'matrix.example.com', you should put 'matrix.example.com' here.
  #
  # If not set, defaults to your 'server_name'.
  #
  #domain: matrix.example.com

  # file to use for the account key. This will be generated if it doesn't
  # exist.
  #
  # If unspecified, we will use CONFDIR/client.key.
  #
  account_key_file: /var/lib/matrix-synapse/acme_account.key

# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
# certificates returned by this server match one of the fingerprints.
#
# Synapse automatically adds the fingerprint of its own certificate
# to the list. So if federation traffic is handled directly by synapse
# then no modification to the list is required.
#
# If synapse is run behind a load balancer that handles the TLS then it
# will be necessary to add the fingerprints of the certificates used by
# the loadbalancers to this list if they are different to the one
# synapse is using.
#
# Homeservers are permitted to cache the list of TLS fingerprints
# returned in the key responses up to the "valid_until_ts" returned in
# key. It may be necessary to publish the fingerprints of a new
# certificate and wait until the "valid_until_ts" of the previous key
# responses have passed before deploying it.
#
# You can calculate a fingerprint from a given TLS listener via:
# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
#   openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
# or by checking matrix.org/federationtester/api/report?server_name=$host
#
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]


## Database ##

database:
  # The database engine name
  name: "sqlite3"
  # Arguments to pass to the engine
  args:
    # Path to the database
    database: "/var/lib/matrix-synapse/homeserver.db"

# Number of events to cache in memory.
event_cache_size: "10K"


## Logging ##

# A yaml python logging config file
log_config: "/etc/matrix-synapse/log.yaml"


## Ratelimiting ##

# Ratelimiting settings for client actions (registration, login, messaging).
#
# Each ratelimiting configuration is made of two parameters:
#   - per_second: number of requests a client can send per second.
#   - burst_count: number of requests a client can send before being throttled.
#
# Synapse currently uses the following configurations:
#   - one for messages that ratelimits sending based on the account the client
#     is using
#   - one for registration that ratelimits registration requests based on the
#     client's IP address.
#   - one for login that ratelimits login requests based on the client's IP
#     address.
#   - one for login that ratelimits login requests based on the account the
#     client is attempting to log into.
#   - one for login that ratelimits login requests based on the account the
#     client is attempting to log into, based on the amount of failed login
#     attempts for this account.
#
# The defaults are as shown below.
#
#rc_message:
#  per_second: 0.2
#  burst_count: 10
#
#rc_registration:
#  per_second: 0.17
#  burst_count: 3
#
#rc_login:
#  address:
#    per_second: 0.17
#    burst_count: 3
#  account:
#    per_second: 0.17
#    burst_count: 3
#  failed_attempts:
#    per_second: 0.17
#    burst_count: 3


# Ratelimiting settings for incoming federation
#
# The rc_federation configuration is made up of the following settings:
#   - window_size: window size in milliseconds
#   - sleep_limit: number of federation requests from a single server in
#     a window before the server will delay processing the request.
#   - sleep_delay: duration in milliseconds to delay processing events
#     from remote servers by if they go over the sleep limit.
#   - reject_limit: maximum number of concurrent federation requests
#     allowed from a single server
#   - concurrent: number of federation requests to concurrently process
#     from a single server
#
# The defaults are as shown below.
#
#rc_federation:
#  window_size: 1000
#  sleep_limit: 10
#  sleep_delay: 500
#  reject_limit: 50
#  concurrent: 3

# Target outgoing federation transaction frequency for sending read-receipts,
# per-room.
#
# If we end up trying to send out more read-receipts, they will get buffered up
# into fewer transactions.
#
#federation_rr_transactions_per_room_per_second: 50


# Directory where uploaded images and attachments are stored.
media_store_path: "/var/lib/matrix-synapse/media"
#media_store_path: "/var/lib/matrix-synapse/media_store"

# Media storage providers allow media to be stored in different
# locations.
#media_storage_providers:
#  - module: file_system
#    # Whether to write new local files.
#    store_local: False
#    # Whether to write new remote media
#    store_remote: False
#    # Whether to block upload requests waiting for write to this
#    # provider to complete
#    store_synchronous: False
#    config:
#       directory: /mnt/some/other/directory

# Directory where in-progress uploads are stored.
uploads_path: "/var/lib/matrix-synapse/uploads"

# The largest allowed upload size in bytes
max_upload_size: "20M"

# Maximum number of pixels that will be thumbnailed
max_image_pixels: "32M"

# Whether to generate new thumbnails on the fly to precisely match
# the resolution requested by the client. If True then whenever
# a new resolution is requested by the client the server will
# generate a new thumbnail. If False the server will pick a thumbnail
# from a precalculated list.
dynamic_thumbnails: False

# List of thumbnails to precalculate when an image is uploaded.
thumbnail_sizes:
  - width: 32
    height: 32
    method: crop
  - width: 96
    height: 96
    method: crop
  - width: 320
    height: 240
    method: scale
  - width: 640
    height: 480
    method: scale
  - width: 800
    height: 600
    method: scale

# Is the preview URL API enabled?
# 'False' by default: uncomment the following to enable it (and specify a
# url_preview_ip_range_blacklist blacklist).
url_preview_enabled: False

# List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly
# specify a list for URL previewing to work. You should specify any
# internal services in your network that you do not want synapse to try
# to connect to, otherwise anyone in any Matrix room could cause your
# synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
# This must be specified if url_preview_enabled is set. It is recommended that
# you uncomment the following list as a starting point.
#
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'

# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted
# target IP ranges - e.g. for enabling URL previews for a specific private
# website only visible in your network.
#
#url_preview_ip_range_whitelist:
#   - '192.168.1.1'

# Optional list of URL matches that the URL preview spider is
# denied from accessing. You should use url_preview_ip_range_blacklist
# in preference to this, otherwise someone could define a public DNS
# entry that points to a private IP address and circumvent the blacklist.
# This is more useful if you know there is an entire shape of URL that
# you know that will never want synapse to try to spider.
#
# Each list entry is a dictionary of url component attributes as returned
# by urlparse.urlsplit as applied to the absolute form of the URL. See
# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
# The values of the dictionary are treated as a filename match pattern
# applied to that component of URLs, unless they start with a ^ in which
# case they are treated as a regular expression match. If all the
# specified component matches for a given list item succeed, the URL is
# blacklisted.
#
#url_preview_url_blacklist:
#  # blacklist any URL with a username in its URI
#  - username: '*'
#
#  # blacklist all *.google.com URLs
#  - netloc: 'google.com'
#  - netloc: '*.google.com'
#
#  # blacklist all plain HTTP URLs
#  - scheme: 'http'
#
#  # blacklist http(s)://www.acme.com/foo
#  - netloc: 'www.acme.com'
#    path: '/foo'
#
#  # blacklist any URL with a literal IPv4 address
#  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

# The largest allowed URL preview spidering size in bytes
max_spider_size: "10M"


## Captcha ##
# See docs/CAPTCHA_SETUP for full details of configuring this.

# This Home Server's ReCAPTCHA public key.
#recaptcha_public_key: "YOUR_PUBLIC_KEY"

# This Home Server's ReCAPTCHA private key.
#recaptcha_private_key: "YOUR_PRIVATE_KEY"

# Enables ReCaptcha checks when registering, preventing signup
# unless a captcha is answered. Requires a valid ReCaptcha
# public/private key.
enable_registration_captcha: False

# A secret key used to bypass the captcha test entirely.
#captcha_bypass_secret: "YOUR_SECRET_HERE"

# The API endpoint to use for verifying m.login.recaptcha responses.
recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify"


## TURN ##

# The public URIs of the TURN server to give to clients
turn_uris: [
  "turn:coturn.rockstable.it:3478?transport=udp",
  "turn:coturn.rockstable.it:3478?transport=tcp",
  "turns:coturn.rockstable.it:5349?transport=udp",
  "turns:coturn.rockstable.it:5349?transport=tcp"
]

# The shared secret used to compute passwords for the TURN server
# (must match the static-auth-secret configured on the TURN server)
turn_shared_secret: "YOUR_SHARED_SECRET"

# The Username and password if the TURN server needs them and
# does not use a token
#turn_username: "TURNSERVER_USERNAME"
#turn_password: "TURNSERVER_PASSWORD"

# How long generated TURN credentials last
turn_user_lifetime: "1h"

# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
turn_allow_guests: False


## Registration ##
#
# Registration can be rate-limited using the parameters in the "Ratelimiting"
# section of this file.

# Enable registration for new users.
enable_registration: False

# Optional account validity configuration. This allows for accounts to be denied
# any request after a given period.
#
# ``enabled`` defines whether the account validity feature is enabled. Defaults
# to False.
#
# ``period`` allows setting the period after which an account is valid
# after its registration. When renewing the account, its validity period
# will be extended by this amount of time. This parameter is required when using
# the account validity feature.
#
# ``renew_at`` is the amount of time before an account's expiry date at which
# Synapse will send an email to the account's email address with a renewal link.
# This needs the ``email`` and ``public_baseurl`` configuration sections to be
# filled.
#
# ``renew_email_subject`` is the subject of the email sent out with the renewal
# link. ``%(app)s`` can be used as a placeholder for the ``app_name`` parameter
# from the ``email`` section.
#
# Once this feature is enabled, Synapse will look for registered users without an
# expiration date at startup and will add one to every account it found using the
# current settings at that time.
# This means that, if a validity period is set, and Synapse is restarted (it will
# then derive an expiration date from the current validity period), and some time
# after that the validity period changes and Synapse is restarted, the users'
# expiration dates won't be updated unless their account is manually renewed. This
# date will be randomly selected within a range [now + period - d ; now + period],
# where d is equal to 10% of the validity period.
#
#account_validity:
#  enabled: True
#  period: 6w
#  renew_at: 1w
#  renew_email_subject: "Renew your %(app)s account"

# Time that a user's session remains valid for, after they log in.
#
# Note that this is not currently compatible with guest logins.
#
# Note also that this is calculated at login time: changes are not applied
# retrospectively to users who have already logged in.
#
# By default, this is infinite.
#
#session_lifetime: 24h

# The user must provide all of the below types of 3PID when registering.
#
#registrations_require_3pid:
#  - email
#  - msisdn

# Explicitly disable asking for MSISDNs from the registration
# flow (overrides registrations_require_3pid if MSISDNs are set as required)
#
#disable_msisdn_registration: True

# Mandate that users are only allowed to associate certain formats of
# 3PIDs with accounts on this server.
#
#allowed_local_3pids:
#  - medium: email
#    pattern: '.*@matrix\.org'
#  - medium: email
#    pattern: '.*@vector\.im'
#  - medium: msisdn
#    pattern: '\+44'

# Enable 3PIDs lookup requests to identity servers from this server.
#
#enable_3pid_lookup: True

# If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled.
# Replace the placeholder with a long random value and keep this file
# readable only by the synapse user.
registration_shared_secret: "<REGISTRATION_SECRET>"

# Set the number of bcrypt rounds used to generate password hash.
# Larger numbers increase the work factor needed to generate the hash.
# The default number is 12 (which equates to 2^12 rounds).
# N.B. that increasing this will exponentially increase the time required
# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
bcrypt_rounds: 12

# Allows users to register as guests without a password/email/etc, and
# participate in rooms hosted on this server which have been made
# accessible to anonymous users.
allow_guest_access: False

# The identity server which we suggest that clients should use when users log
# in on this server.
#
# (By default, no suggestion is made, so it is left up to the client.
# This setting is ignored unless public_baseurl is also set.)
#
#default_identity_server: https://matrix.org

# The list of identity servers trusted to verify third party
# identifiers by this server.
#
# Also defines the ID server which will be called when an account is
# deactivated (one will be picked arbitrarily).
#
trusted_third_party_id_servers:
  - matrix.org
  - vector.im
  - riot.im

# Users who register on this homeserver will automatically be joined
# to these rooms
852 # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
853 bcrypt_rounds: 12
854
855 # Allows users to register as guests without a password/email/etc, and
856 # participate in rooms hosted on this server which have been made
857 # accessible to anonymous users.
858 allow_guest_access: False
859
860 # The identity server which we suggest that clients should use when users log
861 # in on this server.
862 #
863 # (By default, no suggestion is made, so it is left up to the client.
864 # This setting is ignored unless public_baseurl is also set.)
865 #
866 #default_identity_server: https://matrix.org
867
868 # The list of identity servers trusted to verify third party
869 # identifiers by this server.
870 #
871 # Also defines the ID server which will be called when an account is
872 # deactivated (one will be picked arbitrarily).
873 #
874 trusted_third_party_id_servers:
875 - matrix.org
876 - vector.im
877 - riot.im
878
879 # Users who register on this homeserver will automatically be joined
880 # to these rooms
881 #auto_join_rooms:
882 # - "#example:example.com"
883
884 # Where auto_join_rooms are specified, setting this flag ensures that the
885 # the rooms exist by creating them when the first user on the
886 # homeserver registers.
887 # Setting to False means that if the rooms are not manually created,
888 # users cannot be auto-joined since they do not exist.
889 #
890 #autocreate_auto_join_rooms: True
891
892
893 ## Metrics ###
894
895 # Enable collection and rendering of performance metrics
896 enable_metrics: False
897
898 # Enable sentry integration
899 # NOTE: While attempts are made to ensure that the logs don't contain
900 # any sensitive information, this cannot be guaranteed. By enabling
901 # this option the sentry server may therefore receive sensitive
902 # information, and it in turn may then diseminate sensitive information
903 # through insecure notification channels if so configured.
904 #
905 #sentry:
906 # dsn: "..."
907
908 # Whether or not to report anonymized homeserver usage statistics.
909 report_stats: True
910
911
912 ## API Configuration ##
913
914 # A list of event types that will be included in the room_invite_state
915 room_invite_state_types:
916 - "m.room.join_rules"
917 - "m.room.canonical_alias"
918 - "m.room.avatar"
919 - "m.room.name"
920 - "m.room.encryption"
921
922
923 # A list of application service config files to use
924 app_service_config_files:
925 - /etc/mautrix-telegram/registration.yaml
926
927 # Uncomment to enable tracking of application service IP addresses. Implicitly
928 # enables MAU tracking for application service users.
929 #
930 #track_appservice_user_ips: True
931
932
933 # a secret which is used to sign access tokens. If none is specified,
934 # the registration_shared_secret is used, if one is given; otherwise,
935 # a secret key is derived from the signing key.
936 #
937 #macaroon_secret_key: <PRIVATE STRING>
938 macaroon_secret_key: "<MACAROON_SECRET>"
939
940 # Used to enable access token expiration.
941 expire_access_token: False
942
943 # a secret which is used to calculate HMACs for form values, to stop
944 # falsification of values. Must be specified for the User Consent
945 # forms to work.
946 #
947 form_secret: "<FORM_SECRET>"
948
949 ## Signing Keys ##
950
951 # Path to the signing key to sign messages with
952 signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
953 #signing_key_path: "/etc/matrix-synapse/matrix.rockstable.it.signing.key"
954
955 # The keys that the server used to sign messages with but won't use
956 # to sign new messages. E.g. it has lost its private key
957 old_signing_keys: {}
958 #old_signing_keys:
959 # "ed25519:auto":
960 # # Base64 encoded public key
961 # key: "The public part of your old signing key."
962 # # Millisecond POSIX timestamp when the key expired.
963 # expired_ts: 123456789123
964
965 # How long key response published by this server is valid for.
966 # Used to set the valid_until_ts in /key/v2 APIs.
967 # Determines how quickly servers will query to check which keys
968 # are still valid.
969 key_refresh_interval: "1d"
970
971 # The trusted servers to download signing keys from.
972 #
973 # When we need to fetch a signing key, each server is tried in parallel.
974 #
975 # Normally, the connection to the key server is validated via TLS certificates.
976 # Additional security can be provided by configuring a `verify key`, which
977 # will make synapse check that the response is signed by that key.
978 #
979 # This setting supercedes an older setting named `perspectives`. The old format
980 # is still supported for backwards-compatibility, but it is deprecated.
981 #
982 # Options for each entry in the list include:
983 #
984 # server_name: the name of the server. required.
985 #
986 # verify_keys: an optional map from key id to base64-encoded public key.
987 # If specified, we will check that the response is signed by at least
988 # one of the given keys.
989 #
990 # accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
991 # and federation_verify_certificates is not `True`, synapse will refuse
992 # to start, because this would allow anyone who can spoof DNS responses
993 # to masquerade as the trusted key server. If you know what you are doing
994 # and are sure that your network environment provides a secure connection
995 # to the key server, you can set this to `True` to override this
996 # behaviour.
997 #
998 # An example configuration might look like:
999 #
1000 #trusted_key_servers:
1001 # - server_name: "my_trusted_server.example.com"
1002 # verify_keys:
1003 # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
1004 # - server_name: "my_other_trusted_server.example.com"
1005 #
1006 # The default configuration is:
1007 #
1008 #trusted_key_servers:
1009 # - server_name: "matrix.org"
1010
1011
1012 # Enable SAML2 for registration and login. Uses pysaml2.
1013 #
1014 # `sp_config` is the configuration for the pysaml2 Service Provider.
1015 # See pysaml2 docs for format of config.
1016 #
1017 # Default values will be used for the 'entityid' and 'service' settings,
1018 # so it is not normally necessary to specify them unless you need to
1019 # override them.
1020 #
1021 # Once SAML support is enabled, a metadata file will be exposed at
1022 # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
1023 # use to configure your SAML IdP with. Alternatively, you can manually configure
1024 # the IdP to use an ACS location of
1025 # https://<server>:<port>/_matrix/saml2/authn_response.
1026 #
1027 #saml2_config:
1028 # sp_config:
1029 # # point this to the IdP's metadata. You can use either a local file or
1030 # # (preferably) a URL.
1031 # metadata:
1032 # #local: ["saml2/idp.xml"]
1033 # remote:
1034 # - url: https://our_idp/metadata.xml
1035 #
1036 # # By default, the user has to go to our login page first. If you'd like to
1037 # # allow IdP-initiated login, set 'allow_unsolicited: True' in a
1038 # # 'service.sp' section:
1039 # #
1040 # #service:
1041 # # sp:
1042 # # allow_unsolicited: True
1043 #
1044 # # The examples below are just used to generate our metadata xml, and you
1045 # # may well not need it, depending on your setup. Alternatively you
1046 # # may need a whole lot more detail - see the pysaml2 docs!
1047 #
1048 # description: ["My awesome SP", "en"]
1049 # name: ["Test SP", "en"]
1050 #
1051 # organization:
1052 # name: Example com
1053 # display_name:
1054 # - ["Example co", "en"]
1055 # url: "http://example.com"
1056 #
1057 # contact_person:
1058 # - given_name: Bob
1059 # sur_name: "the Sysadmin"
1060 # email_address": ["admin@example.com"]
1061 # contact_type": technical
1062 #
1063 # # Instead of putting the config inline as above, you can specify a
1064 # # separate pysaml2 configuration file:
1065 # #
1066 # config_path: "/etc/matrix-synapse/sp_conf.py"
1067 #
1068 # # the lifetime of a SAML session. This defines how long a user has to
1069 # # complete the authentication process, if allow_unsolicited is unset.
1070 # # The default is 5 minutes.
1071 # #
1072 # # saml_session_lifetime: 5m
1073
1074
1075 # Enable CAS for registration and login.
1076 #cas_config:
1077 # enabled: True
1078 # server_url: "https://cas-server.com"
1079 # service_url: "https://homeserver.domain.com:8448"
1080 # #required_attributes:
1081 # # name: value
1082
1083
1084 # The JWT needs to contain a globally unique "sub" (subject) claim.
1085 #
1086 #jwt_config:
1087 # enabled: True
1088 # secret: "a secret"
1089 # algorithm: "HS256"
1090
1091
1092 password_config:
1093 # Uncomment to disable password login
1094 #
1095 #enabled: False
1096
1097 # Uncomment to disable authentication against the local password
1098 # database. This is ignored if `enabled` is False, and is only useful
1099 # if you have other password_providers.
1100 #
1101 #localdb_enabled: False
1102
1103 # Uncomment and change to a secret random string for extra security.
1104 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
1105 #pepper: "EVEN_MORE_SECRET"
1106
1107
1108 # Enable sending emails for password resets, notification events or
1109 # account expiry notices
1110 #
1111 # If your SMTP server requires authentication, the optional smtp_user &
1112 # smtp_pass variables should be used
1113 #
1114 #email:
1115 # enable_notifs: False
1116 # smtp_host: "localhost"
1117 # smtp_port: 25 # SSL: 465, STARTTLS: 587
1118 # smtp_user: "exampleusername"
1119 # smtp_pass: "examplepassword"
1120 # require_transport_security: False
1121 # notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
1122 # app_name: Matrix
1123 #
1124 # # Enable email notifications by default
1125 # #
1126 # notif_for_new_users: True
1127 #
1128 # # Defining a custom URL for Riot is only needed if email notifications
1129 # # should contain links to a self-hosted installation of Riot; when set
1130 # # the "app_name" setting is ignored
1131 # #
1132 # riot_base_url: "http://localhost/riot"
1133 #
1134 # # Enable sending password reset emails via the configured, trusted
1135 # # identity servers
1136 # #
1137 # # IMPORTANT! This will give a malicious or overtaken identity server
1138 # # the ability to reset passwords for your users! Make absolutely sure
1139 # # that you want to do this! It is strongly recommended that password
1140 # # reset emails be sent by the homeserver instead
1141 # #
1142 # # If this option is set to False and SMTP options have not been
1143 # # configured, resetting user passwords via email will be disabled
1144 # #
1145 # #trust_identity_server_for_password_resets: False
1146 #
1147 # # Configure the time that a validation email or text message code
1148 # # will expire after sending
1149 # #
1150 # # This is currently used for password resets
1151 # #
1152 # #validation_token_lifetime: 1h
1153 #
1154 # # Template directory. All template files should be stored within this
1155 # # directory. If not set, default templates from within the Synapse
1156 # # package will be used
1157 # #
1158 # # For the list of default templates, please see
1159 # # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
1160 # #
1161 # #template_dir: res/templates
1162 #
1163 # # Templates for email notifications
1164 # #
1165 # notif_template_html: notif_mail.html
1166 # notif_template_text: notif_mail.txt
1167 #
1168 # # Templates for account expiry notices
1169 # #
1170 # expiry_template_html: notice_expiry.html
1171 # expiry_template_text: notice_expiry.txt
1172 #
1173 # # Templates for password reset emails sent by the homeserver
1174 # #
1175 # #password_reset_template_html: password_reset.html
1176 # #password_reset_template_text: password_reset.txt
1177 #
1178 # # Templates for password reset success and failure pages that a user
1179 # # will see after attempting to reset their password
1180 # #
1181 # #password_reset_template_success_html: password_reset_success.html
1182 # #password_reset_template_failure_html: password_reset_failure.html
1183
1184
1185 #password_providers:
1186 # - module: "ldap_auth_provider.LdapAuthProvider"
1187 # config:
1188 # enabled: True
1189 # uri: "ldap://ldap.example.com:389"
1190 # start_tls: True
1191 # base: "ou=users,dc=example,dc=com"
1192 # attributes:
1193 # uid: "cn"
1194 # mail: "email"
1195 # name: "givenName"
1196 # #bind_dn:
1197 # #bind_password:
1198 # #filter: "(objectClass=posixAccount)"
1199
1200
1201
1202 # Clients requesting push notifications can either have the body of
1203 # the message sent in the notification poke along with other details
1204 # like the sender, or just the event ID and room ID (`event_id_only`).
1205 # If clients choose the former, this option controls whether the
1206 # notification request includes the content of the event (other details
1207 # like the sender are still included). For `event_id_only` push, it
1208 # has no effect.
1209 #
1210 # For modern android devices the notification content will still appear
1211 # because it is loaded by the app. iPhone, however will send a
1212 # notification saying only that a message arrived and who it came from.
1213 #
1214 #push:
1215 # include_content: True
1216
1217
1218 #spam_checker:
1219 # module: "my_custom_project.SuperSpamChecker"
1220 # config:
1221 # example_option: 'things'
1222
1223
1224 # Uncomment to allow non-server-admin users to create groups on this server
1225 enable_group_creation: True
1226
1227 # If enabled, non server admins can only create groups with local parts
1228 # starting with this prefix
1229 #group_creation_prefix: "unofficial/"
1230
1231
1232
1233 # User Directory configuration
1234 #
1235 # 'enabled' defines whether users can search the user directory. If
1236 # False then empty responses are returned to all queries. Defaults to
1237 # True.
1238 #
1239 # 'search_all_users' defines whether to search all users visible to your HS
1240 # when searching the user directory, rather than limiting to users visible
1241 # in public rooms. Defaults to False. If you set it True, you'll have to
1242 # rebuild the user_directory search indexes, see
1243 # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md
1244 #
1245 #user_directory:
1246 # enabled: True
1247 # search_all_users: False
1248
1249
1250 # User Consent configuration
1251 #
1252 # for detailed instructions, see
1253 # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
1254 #
1255 # Parts of this section are required if enabling the 'consent' resource under
1256 # 'listeners', in particular 'template_dir' and 'version'.
1257 #
1258 # 'template_dir' gives the location of the templates for the HTML forms.
1259 # This directory should contain one subdirectory per language (eg, 'en', 'fr'),
1260 # and each language directory should contain the policy document (named as
1261 # '<version>.html') and a success page (success.html).
1262 #
1263 # 'version' specifies the 'current' version of the policy document. It defines
1264 # the version to be served by the consent resource if there is no 'v'
1265 # parameter.
1266 #
1267 # 'server_notice_content', if enabled, will send a user a "Server Notice"
1268 # asking them to consent to the privacy policy. The 'server_notices' section
1269 # must also be configured for this to work. Notices will *not* be sent to
1270 # guest users unless 'send_server_notice_to_guests' is set to True.
1271 #
1272 # 'block_events_error', if set, will block any attempts to send events
1273 # until the user consents to the privacy policy. The value of the setting is
1274 # used as the text of the error.
1275 #
1276 # 'require_at_registration', if enabled, will add a step to the registration
1277 # process, similar to how captcha works. Users will be required to accept the
1278 # policy before their account is created.
1279 #
1280 # 'policy_name' is the display name of the policy users will see when registering
1281 # for an account. Has no effect unless `require_at_registration` is enabled.
1282 # Defaults to "Privacy Policy".
1283 #
1284 #user_consent:
1285 # template_dir: res/templates/privacy
1286 # version: 1.0
1287 # server_notice_content:
1288 # msgtype: m.text
1289 # body: >-
1290 # To continue using this homeserver you must review and agree to the
1291 # terms and conditions at %(consent_uri)s
1292 # send_server_notice_to_guests: True
1293 # block_events_error: >-
1294 # To continue using this homeserver you must review and agree to the
1295 # terms and conditions at %(consent_uri)s
1296 # require_at_registration: False
1297 # policy_name: Privacy Policy
1298 #
1299
1300
1301
1302 # Local statistics collection. Used in populating the room directory.
1303 #
1304 # 'bucket_size' controls how large each statistics timeslice is. It can
1305 # be defined in a human readable short form -- e.g. "1d", "1y".
1306 #
1307 # 'retention' controls how long historical statistics will be kept for.
1308 # It can be defined in a human readable short form -- e.g. "1d", "1y".
1309 #
1310 #
1311 #stats:
1312 # enabled: True
1313 # bucket_size: 1d
1314 # retention: 1y
1315
1316
1317 # Server Notices room configuration
1318 #
1319 # Uncomment this section to enable a room which can be used to send notices
1320 # from the server to users. It is a special room which cannot be left; notices
1321 # come from a special "notices" user id.
1322 #
1323 # If you uncomment this section, you *must* define the system_mxid_localpart
1324 # setting, which defines the id of the user which will be used to send the
1325 # notices.
1326 #
1327 # It's also possible to override the room name, the display name of the
1328 # "notices" user, and the avatar for the user.
1329 #
1330 #server_notices:
1331 # system_mxid_localpart: notices
1332 # system_mxid_display_name: "Server Notices"
1333 # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ"
1334 # room_name: "Server Notices"
1335
1336
1337
1338 # Uncomment to disable searching the public room list. When disabled
1339 # blocks searching local and remote room lists for local and remote
1340 # users by always returning an empty list for all queries.
1341 #
1342 #enable_room_list_search: False
1343
1344 # The `alias_creation` option controls who's allowed to create aliases
1345 # on this server.
1346 #
1347 # The format of this option is a list of rules that contain globs that
1348 # match against user_id, room_id and the new alias (fully qualified with
1349 # server name). The action in the first rule that matches is taken,
1350 # which can currently either be "allow" or "deny".
1351 #
1352 # Missing user_id/room_id/alias fields default to "*".
1353 #
1354 # If no rules match the request is denied. An empty list means no one
1355 # can create aliases.
1356 #
1357 # Options for the rules include:
1358 #
1359 # user_id: Matches against the creator of the alias
1360 # alias: Matches against the alias being created
1361 # room_id: Matches against the room ID the alias is being pointed at
1362 # action: Whether to "allow" or "deny" the request if the rule matches
1363 #
1364 # The default is:
1365 #
1366 #alias_creation_rules:
1367 # - user_id: "*"
1368 # alias: "*"
1369 # room_id: "*"
1370 # action: allow
1371
1372 # The `room_list_publication_rules` option controls who can publish and
1373 # which rooms can be published in the public room list.
1374 #
1375 # The format of this option is the same as that for
1376 # `alias_creation_rules`.
1377 #
1378 # If the room has one or more aliases associated with it, only one of
1379 # the aliases needs to match the alias rule. If there are no aliases
1380 # then only rules with `alias: *` match.
1381 #
1382 # If no rules match the request is denied. An empty list means no one
1383 # can publish rooms.
1384 #
1385 # Options for the rules include:
1386 #
1387 # user_id: Matches agaisnt the creator of the alias
1388 # room_id: Matches against the room ID being published
1389 # alias: Matches against any current local or canonical aliases
1390 # associated with the room
1391 # action: Whether to "allow" or "deny" the request if the rule matches
1392 #
1393 # The default is:
1394 #
1395 #room_list_publication_rules:
1396 # - user_id: "*"
1397 # alias: "*"
1398 # room_id: "*"
1399 # action: allow
1400
1401
1402 # Server admins can define a Python module that implements extra rules for
1403 # allowing or denying incoming events. In order to work, this module needs to
1404 # override the methods defined in synapse/events/third_party_rules.py.
1405 #
1406 # This feature is designed to be used in closed federations only, where each
1407 # participating server enforces the same rules.
1408 #
1409 #third_party_event_rules:
1410 # module: "my_custom_project.SuperRulesSet"
1411 # config:
1412 # example_option: 'things'
1413
1414
1415 ## Opentracing ##
1416
1417 # These settings enable opentracing, which implements distributed tracing.
1418 # This allows you to observe the causal chains of events across servers
1419 # including requests, key lookups etc., across any server running
1420 # synapse or any other other services which supports opentracing
1421 # (specifically those implemented with Jaeger).
1422 #
1423 opentracing:
1424 # tracing is disabled by default. Uncomment the following line to enable it.
1425 #
1426 #enabled: True
1427
1428 # The list of homeservers we wish to send and receive span contexts and span baggage.
1429 # See docs/opentracing.rst
1430 # This is a list of regexes which are matched against the server_name of the
1431 # homeserver.
1432 #
1433 # By defult, it is empty, so no servers are matched.
1434 #
1435 #homeserver_whitelist:
1436 # - ".*"
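The alias_creation_rules and room_list_publication_rules comments above describe a small policy engine: ordered rules, first match wins, absent fields mean "*", no match means deny. The following is an added example (not Synapse's own code) that implements exactly those semantics so a policy can be tested before it goes into homeserver.yaml. Glob matching uses Python's fnmatch, which is an assumption about how Synapse expands "*" and "?"; the sample rule sets are constructed for the server name used on this page.

```python
"""Evaluate alias_creation_rules / room_list_publication_rules as the
homeserver.yaml comments describe them (added example, not Synapse code).

- rules are tried in order; the action of the first matching rule is taken
- a missing user_id / alias / room_id field defaults to "*"
- no matching rule, or an empty rule list, means deny
- for publication rules a room with aliases matches when any one alias
  matches the glob; a room without aliases matches only an alias glob of "*"
Globs are expanded with fnmatch (assumption about Synapse's matcher).
"""
from fnmatch import fnmatchcase

_FIELDS = ("user_id", "alias", "room_id")


def _decision(rule):
    action = rule.get("action")
    if action not in ("allow", "deny"):
        raise ValueError("rule action must be 'allow' or 'deny': %r" % (rule,))
    return action == "allow"


def alias_creation_allowed(rules, user_id, alias, room_id):
    """First matching rule decides; no match -> deny."""
    request = {"user_id": user_id, "alias": alias, "room_id": room_id}
    for rule in rules:
        if all(fnmatchcase(request[f], rule.get(f, "*")) for f in _FIELDS):
            return _decision(rule)
    return False


def publication_allowed(rules, user_id, room_id, aliases):
    """Like alias_creation_allowed, but the alias glob is tested against every
    alias the room currently has; a room with no aliases only matches "*"."""
    for rule in rules:
        if not fnmatchcase(user_id, rule.get("user_id", "*")):
            continue
        if not fnmatchcase(room_id, rule.get("room_id", "*")):
            continue
        alias_glob = rule.get("alias", "*")
        if aliases:
            if not any(fnmatchcase(a, alias_glob) for a in aliases):
                continue
        elif alias_glob != "*":
            continue
        return _decision(rule)
    return False


# Constructed policy: the admin may create any alias, nobody else may take an
# "#official_*" alias, and other local users may create the rest. Remote users
# match no rule and are therefore denied.
SAMPLE_ALIAS_RULES = [
    {"user_id": "@admin:matrix.rockstable.it", "action": "allow"},
    {"alias": "#official_*:matrix.rockstable.it", "action": "deny"},
    {"user_id": "*:matrix.rockstable.it", "action": "allow"},
]

# Constructed policy: only rooms that carry a "#public_*" alias may be listed.
SAMPLE_PUBLICATION_RULES = [
    {"alias": "#public_*:matrix.rockstable.it", "action": "allow"},
]

# The default shown in homeserver.yaml: everything is allowed.
DEFAULT_RULES = [{"user_id": "*", "alias": "*", "room_id": "*", "action": "allow"}]

if __name__ == "__main__":
    print(alias_creation_allowed(SAMPLE_ALIAS_RULES, "@bob:matrix.rockstable.it",
                                 "#official_news:matrix.rockstable.it",
                                 "!r1:matrix.rockstable.it"))
```

Rule order matters: if the "#official_*" deny rule were listed after the local-user allow rule it would never fire, because the allow rule already matches every local user.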
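The registration_shared_secret set above is what register_new_matrix_user uses to create accounts while public registration is disabled. The following added example (not code from this page or from Synapse) re-implements the MAC that tool sends to the admin register endpoint, POST /_synapse/admin/v1/register: HMAC-SHA1 keyed with the shared secret over nonce, username, password and "admin"/"notadmin" joined by NUL bytes, where the nonce is issued by the server via GET on the same endpoint. The verify function mirrors the server-side check so the two halves can be tested together; secret, nonce and credentials are constructed sample values, and consuming the nonce only on a valid request is this example's choice.

```python
"""Shared-secret registration MAC (added example, not Synapse's code).

Client side builds the request body register_new_matrix_user would POST;
server side checks nonce freshness and the MAC in constant time. The MAC
covers the admin flag, so flipping it invalidates the request.
"""
import hashlib
import hmac
import secrets


def new_nonce():
    """Server side: a fresh, unguessable nonce handed to the client."""
    return secrets.token_hex(16)


def registration_mac(shared_secret, nonce, username, password, admin):
    # HMAC-SHA1(secret, nonce \0 username \0 password \0 admin|notadmin)
    parts = [
        nonce.encode("utf8"),
        username.encode("utf8"),
        password.encode("utf8"),
        b"admin" if admin else b"notadmin",
    ]
    return hmac.new(shared_secret.encode("utf8"), b"\x00".join(parts),
                    hashlib.sha1).hexdigest()


def build_register_body(shared_secret, nonce, username, password, admin=False):
    """Client side: the JSON body sent to /_synapse/admin/v1/register."""
    return {
        "nonce": nonce,
        "username": username,
        "password": password,
        "admin": admin,
        "mac": registration_mac(shared_secret, nonce, username, password, admin),
    }


def verify_register_body(shared_secret, body, seen_nonces):
    """Server side: reject replayed nonces, then compare MACs in constant time."""
    nonce = body.get("nonce")
    if not isinstance(nonce, str) or nonce in seen_nonces:
        return False
    expected = registration_mac(
        shared_secret, nonce,
        body.get("username", ""), body.get("password", ""),
        bool(body.get("admin", False)),
    )
    if not hmac.compare_digest(expected, str(body.get("mac", ""))):
        return False
    seen_nonces.add(nonce)  # consume the nonce only on success (example choice)
    return True


if __name__ == "__main__":
    # Constructed sample values; the real secret lives in homeserver.yaml.
    secret = "constructed-registration-secret"
    nonce = new_nonce()
    body = build_register_body(secret, nonce, "alice", "correct horse battery", admin=False)
    print(body["mac"], verify_register_body(secret, body, set()))
```

Because the MAC proves possession of the shared secret, anyone holding that secret can create admin accounts regardless of enable_registration; treat it with the same care as macaroon_secret_key.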
Migration to postgres
Matrix-Synapse and the mautrix bridges were relatively slow when used with Riot; for example, joining a room took too long for me. Let's try to speed it up using Postgres.
https://github.com/matrix-org/synapse/blob/master/docs/postgres.rst
Preparation
[postgres#Create database]
Make sure the Python 3 PostgreSQL driver is installed:
apt install python3-psycopg2
Create some copies of your homeserver.yaml.
Adjust the Matrix config to use a PostgreSQL database: /etc/matrix-synapse/homeserver-postgres.yaml
## Database ##

#database:
#  # The database engine name
#  name: "sqlite3"
#  # Arguments to pass to the engine
#  args:
#    # Path to the database
#    database: "/var/lib/matrix-synapse/homeserver.db"

database:
  name: psycopg2
  args:
    user: matrix-synapse
    password: password_redacted
    database: matrix-synapse
    host: localhost
    cp_min: 5
    cp_max: 10
Migrate
Stop Matrix-Synapse (and the bridges that write to it) to get a consistent snapshot of the database, then start everything again afterwards.
systemctl stop mautrix-telegram.service
systemctl stop mautrix-whatsapp.service
systemctl stop matrix-synapse.service
cp /var/lib/matrix-synapse/homeserver.db{,.snapshot}
systemctl start matrix-synapse.service
systemctl start mautrix-whatsapp.service
systemctl start mautrix-telegram.service
Continuously migrate the database from newer and newer snapshots; synapse_port_db is incremental, so each run only ports what changed. The --curses flag gives a progress UI.
When the database is up to date, exchange the configurations.
systemctl stop mautrix-telegram.service
systemctl stop mautrix-whatsapp.service
systemctl stop matrix-synapse.service
# For the final run the snapshot must have been taken after this last stop;
# anything written to homeserver.db after the snapshot is not ported.
synapse_port_db --curses \
    --sqlite-database "/var/lib/matrix-synapse/homeserver.db.snapshot" \
    --postgres-config "/etc/matrix-synapse/homeserver-postgres.yaml"
cp /etc/matrix-synapse/homeserver{,-sqlite3}.yaml
cp /etc/matrix-synapse/homeserver{-postgres,}.yaml
systemctl start matrix-synapse.service
systemctl start mautrix-whatsapp.service
systemctl start mautrix-telegram.service
Password reset
Github matrix-org/synapse password-reset
Read or generate a new password and store it in the variable PASSWORD:
oneliners#Ask for password
Reset the password
### DEPENDS ON YOUR INSTALLATION
#su - postgres
su - matrix-synapse -s /bin/bash
MATRIX_NAME="@user:domain.tld"
PASSWORD="$(pwgen 16 1)"
echo "$PASSWORD"

# If password_config.pepper is set in homeserver.yaml, the hash must include it;
# pass the config with "-c /etc/matrix-synapse/homeserver.yaml" so hash_password
# picks up the pepper and bcrypt_rounds, otherwise the login will not verify.
MATRIX_HASH="$(hash_password -p "$PASSWORD")"

psql -U matrix-synapse -d matrix-synapse <<EOS
UPDATE users
SET password_hash='$MATRIX_HASH'
WHERE name='$MATRIX_NAME';
EOS
I think this UX could be designed to be somewhat more usable.
Manhole
/etc/matrix-synapse/homeserver.yaml
# Turn on the twisted ssh manhole service on localhost on the given
# port. (This entry belongs in the listeners: list.)
#
  - port: 9000
    bind_addresses: ['::1', '127.0.0.1']
    type: manhole

# Connection settings for the manhole
#
manhole_settings:
  # The username for the manhole. This defaults to 'matrix'.
  #
  #username: manhole

  # The password for the manhole. This defaults to 'rabbithole'.
  #
  #password: mypassword

  # The private and public SSH key pair used to encrypt the manhole traffic.
  # If these are left unset, then hardcoded and non-secret keys are used,
  # which could allow traffic to be intercepted if sent over a public network.
  #
  #ssh_priv_key_path: /etc/matrix-synapse/id_rsa
  #ssh_pub_key_path: /etc/matrix-synapse/id_rsa.pub

Connect to the manhole via SSH on the configured port (ssh -p 9000 matrix@127.0.0.1 with the defaults above). Keep it bound to loopback only: the default credentials and the hardcoded host key are public.
Nginx
Serves as:
- Reverse proxy for matrix-synapse
- Web server for Riot
- Service discovery for Matrix (servers and clients)
- (Optionally) proxy for ACME challenges to matrix-synapse
Install
aptitude install python-certbot-nginx nginx
Configure
/etc/nginx/sites-available/matrix.conf
# generated 2019-08-09, https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=modern
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    include include/matrix.include;
}

server {
    listen 8448 ssl default_server;
    listen [::]:8448 ssl default_server;

    include include/matrix.include;
}
/etc/nginx/include/matrix.include
server_name
    matrix.rockstable.it
    matrix1.rockstable.it
    matrix.rockstable.org
    matrix1.rockstable.org;

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/matrix.rockstable.it/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.rockstable.it/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

ssl_dhparam /etc/ssl/dhparam/dhparam_4096.pem;
#ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

# modern configuration
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/matrix.rockstable.it/chain.pem;

# replace with the IP address of your resolver
resolver 127.0.0.1;

location ~ ^(/_matrix|/_synapse/client) {
    # note: do not add a path (even a single /) after the port in `proxy_pass`,
    # otherwise nginx will canonicalise the URI and cause signature verification
    # errors.
    proxy_pass http://localhost:8008;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;

    # Nginx by default only allows file uploads up to 1M in size
    # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
    client_max_body_size 50M;
}

location /public/telegram {
    proxy_pass http://localhost:8081;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}

#location /.well-known/acme-challenge {
#    proxy_pass http://localhost:8009;
#}

### Serve files "client" and "server"
location /.well-known/matrix {
    alias /var/www/html/.well-known/matrix;
    default_type "application/json; charset=utf-8";
}

### RIOT-WEB
root /opt/Riot/resources/webapp;
index index.html index.htm;

location / {
    try_files $uri $uri/ =404;
}

access_log /var/log/nginx/riot_access.log;
### INCREASE TO "max_upload_size" OF MATRIX-SYNAPSE
client_max_body_size 20M;
Adjust boot order
Nginx won't start if the upstream server can't be reached, so matrix-synapse.service must be started before nginx.service. This can easily be achieved by adding the line
Before=nginx.service
to /etc/matrix-synapse/system/multi-user.target.wants/matrix-synapse.service. Note that the file under multi-user.target.wants/ is normally a symlink to the packaged unit, which the next package upgrade overwrites; a drop-in created with systemctl edit matrix-synapse.service containing the same [Unit] line survives upgrades.
[Unit]
Description=Synapse Matrix homeserver
ConditionPathExists=/etc/matrix-synapse/conf.d/server_name.yaml
Before=nginx.service

[Service]
Type=simple
User=matrix-synapse
WorkingDirectory=/var/lib/matrix-synapse
EnvironmentFile=/etc/default/matrix-synapse
ExecStartPre=/usr/bin/python3 -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys
ExecStart=/usr/bin/python3 -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/
Restart=on-failure
RestartSec=3

[Install]
WantedBy=multi-user.target
.well-known
https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
mkdir -p /var/www/html/.well-known/matrix
/var/www/html/.well-known/matrix/client
/var/www/html/.well-known/matrix/server
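The two files above are what the nginx location /.well-known/matrix serves for discovery: the client document points clients at the homeserver API, and the server document delegates federation to host:port. The following added example (not from this page) writes both into a directory of your choice and validates them when read back, so a mistake such as a full URL in m.server (which must be hostname[:port], port 8448 assumed when omitted) is caught before it is published. The host names are the page's; choosing port 443 for federation is an assumption that matches the nginx config above listening on both 443 and 8448.

```python
"""Generate and check .well-known/matrix/{client,server} (added example).

The client document needs m.homeserver.base_url (an https URL); the server
document needs m.server as hostname[:port]. Paths default to a temp dir so
the check runs anywhere; on the page the files live under
/var/www/html/.well-known/matrix.
"""
import json
import os
import re
import tempfile

SERVER_NAME = "matrix.rockstable.it"          # from the page
BASE_URL = "https://matrix.rockstable.it"     # from the page
FEDERATION_PORT = 443                         # assumption; 8448 is the default

_HOSTPORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def client_document(base_url, identity_server=None):
    doc = {"m.homeserver": {"base_url": base_url}}
    if identity_server:
        doc["m.identity_server"] = {"base_url": identity_server}
    return doc


def server_document(server_name, port=FEDERATION_PORT):
    # Federation delegation: other homeservers connect to host:port.
    return {"m.server": "%s:%d" % (server_name, port)}


def check_client(doc):
    base = doc.get("m.homeserver", {}).get("base_url")
    if not isinstance(base, str) or not base.startswith("https://"):
        raise ValueError("m.homeserver.base_url must be an https:// URL")
    return base.rstrip("/")


def check_server(doc):
    """Return (host, port); port 8448 when the document omits it."""
    value = doc.get("m.server")
    if not isinstance(value, str):
        raise ValueError("m.server missing or not a string")
    m = _HOSTPORT.match(value)
    if not m or (m.group("port") and not 1 <= int(m.group("port")) <= 65535):
        raise ValueError("m.server must be hostname[:port]: %r" % value)
    return (m.group("host"), int(m.group("port") or 8448))


def write_well_known(directory, server_name=SERVER_NAME, base_url=BASE_URL,
                     port=FEDERATION_PORT):
    os.makedirs(directory, exist_ok=True)
    docs = {"client": client_document(base_url),
            "server": server_document(server_name, port)}
    for name, doc in docs.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            json.dump(doc, fh, indent=2)
            fh.write("\n")
    return docs


def roundtrip(directory=None):
    """Write both files, read them back and validate them."""
    directory = directory or tempfile.mkdtemp(prefix="wellknown-")
    write_well_known(directory)
    with open(os.path.join(directory, "client"), encoding="utf-8") as fh:
        base = check_client(json.load(fh))
    with open(os.path.join(directory, "server"), encoding="utf-8") as fh:
        target = check_server(json.load(fh))
    return base, target


if __name__ == "__main__":
    print(roundtrip())
```

After deploying, fetching https://matrix.rockstable.it/.well-known/matrix/server should return the JSON with the application/json type set by the nginx location above; the Matrix federation tester at federationtester.matrix.org reports the same check.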
Riot
Element (formerly known as Vector and Riot) is a Matrix web client built using the Matrix React SDK.
About
Riot has been rebranded to Element.
Install Riot
Add a more current repository to your package management:
wget -O /usr/share/keyrings/riot-im-archive-keyring.gpg \
    "https://packages.riot.im/debian/riot-im-archive-keyring.gpg"
echo "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg]" \
    "https://packages.riot.im/debian/ $(lsb_release -cs) main" \
    | tee /etc/apt/sources.list.d/riot-im.list
apt update
apt install riot-web
#apt install element-desktop
Configure
Configure riot-web to your needs: /opt/Riot/resources/webapp/config.json
{
  "default_server_config": {
    "m.homeserver": {
      "base_url": "https://matrix.rockstable.it",
      "server_name": "matrix.rockstable.it"
    },
    "m.identity_server": {
      "base_url": "https://vector.im"
    }
  },
  "disable_custom_urls": false,
  "disable_guests": true,
  "disable_login_language_selector": false,
  "disable_3pid_login": false,
  "update_base_url": "https://packages.riot.im/desktop/update/",
  "brand": "Rockstable Chat - Riot",
  "default_federate": true,
  "default_theme": "light",
  "integrations_ui_url": "https://scalar.vector.im/",
  "integrations_rest_url": "https://scalar.vector.im/api",
  "integrations_widgets_urls": [
    "https://scalar-staging.vector.im/api",
    "https://scalar-staging.riot.im/scalar/api",
    "https://scalar.vector.im/api"
  ],
  "hosting_signup_link": "https://modular.im/?utm_source=riot-web&utm_medium=web",
  "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
  "welcomeUserId": "@riot-bot:matrix.rockstable.it",
  "roomDirectory": {
    "servers": [
      "matrix.rockstable.it",
      "matrix.org"
    ]
  },
  "piwik": {
    "url": "https://piwik.riot.im/",
    "siteId": 1,
    "policyUrl": "https://matrix.org/docs/guides/riot_im_cookie_policy"
  },
  "phasedRollOut": {
    "feature_lazyloading": {
      "offset": 1539684000000,
      "period": 604800000
    }
  },
  "showLabsSettings": true,
  "features": {
    "feature_dnd": true,
    "feature_new_spinner": true,
    "feature_pinning": true,
    "feature_mjolnir": true,
    "feature_jitsi": true,
    "feature_latex_maths": true,
    "feature_tag_panel": true
  },
  "enable_presence_by_hs_url": {
    "https://matrix.org": false
  },
  "terms_and_conditions_links": [
    {
      "url": "https://riot.im/privacy",
      "text": "Privacy Policy"
    },
    {
      "url": "https://matrix.org/docs/guides/riot_im_cookie_policy",
      "text": "Cookie Policy"
    }
  ]
}
Point the old nginx riot-web config at the element-web directories in /etc/nginx/include/matrix.include:
server_name
    matrix.rockstable.it
    matrix1.rockstable.it
    matrix.rockstable.org
    matrix1.rockstable.org;

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/matrix.rockstable.it/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.rockstable.it/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

ssl_dhparam /etc/ssl/dhparam/dhparam_4096.pem;
#ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

# modern configuration
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/matrix.rockstable.it/chain.pem;

# replace with the IP address of your resolver
resolver 127.0.0.1;

location /_matrix {
    proxy_pass http://localhost:8008;
    proxy_set_header X-Forwarded-For $remote_addr;
}

location /public/telegram {
    proxy_pass http://localhost:8081;
    proxy_set_header X-Forwarded-For $remote_addr;
}

#location /.well-known/acme-challenge {
#    proxy_pass http://localhost:8009;
#}

### Serve files "client" and "server"
location /.well-known/matrix {
    alias /var/www/html/.well-known/matrix;
    default_type "application/json; charset=utf-8";
}

### ELEMENT-WEB
root /opt/element-web/webapp;
index index.html index.htm;

location / {
    try_files $uri $uri/ =404;
}

access_log /var/log/nginx/element_access.log;
client_max_body_size 20M;
Element
About
- For a developer it might be a good idea to install node.js in the respective home directory with nvm: https://github.com/nvm-sh/nvm
Install node.js
You need a current node.js to build Element. There are several ways to install node.js:
https://nodejs.dev/download/package-manager/
I decided to go with a binary distribution from nodesource.
- It's packaged and signed
When I tried building the current Element with the classic yarn (version < 2.0) I received errors during the build like
yarn "SyntaxError: Unexpected token '?'".
Install node.js by script
Install node.js from nodesource.com via script.
The script is pretty straightforward and a good option. Please mind that this script will also configure apt preferences giving nsolid and nodejs from this repository a priority of 600.
Install node.js manually
Add the NodeSource signing key to your keyring
/etc/apt/sources.list.d/nodesource.list
Install nodejs
Install node.js with tar archive
Download and unpack node.js
Well … not really a good idea.
Prepare yarn
Current yarn (v≥2.0)
Install npm and yarn
Classic yarn (v<2.0)
Deprecated
Install yarn and node.js
### Import the signing key into its own keyring and bind it to this repository only
curl -sS 'https://dl.yarnpkg.com/debian/pubkey.gpg' \
  |gpg --dearmor > /usr/share/keyrings/yarn-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/yarn-keyring.gpg] https://dl.yarnpkg.com/debian/ stable main" \
  |tee /etc/apt/sources.list.d/yarn.list
sudo apt update && \
  sudo aptitude install yarn
Install Element
There is no package for element-web in the repository, so we build from source.
Initially, clone the repository.
Build the client with yarn:
### UPDATE THE REPOSITORY (fetch works from a detached tag checkout, pull would not)
git fetch --tags
### DETERMINE AND CHECKOUT LATEST VERSION (skip release candidates)
LATEST="$(git tag |grep -v rc |sort -V |tail -n1)"
git checkout "$LATEST"
### CREATE A "config.json" E.G. FROM "config.sample.json" OR OLD CONFIG
### INSTALL DEPENDENCIES
yarn install
### CREATE DIRECTORY "webapp" FOR USAGE WITH WEBSERVER
yarn build
#yarn dist
Element Configuration
Video Conferencing
Desktop Streaming
This kind of desktop streaming is highly unreliable and inflexible with Riot. Try Nextcloud Talk instead.
Install v4l2loopback
aptitude install v4l2loopback-utils
Load the kernel module
modprobe v4l2loopback
Grab video from X11 and stream it to /dev/video0
TURN Server
Traversal Using Relays around NAT (TURN)
To debug, use in
- Firefox: about:webrtc
- Chrome: chrome://webrtc-internals/
Turnserver Firewalling
Src | Dst        | Dst-Port                         | Rationale
ANY | TURNSERVER | tcp/80, tcp/443                  |
ANY | TURNSERVER | udp/3478, tcp/3478               | STUN/TURN tcp/udp
ANY | TURNSERVER | udp/5349, tcp/5349               | STUNs/TURNs tcp/udp
ANY | TURNSERVER | udp/10000                        | Jitsi-Videobridge P2P Port (no STUN/TURN)
ANY | TURNSERVER | udp/49152-65535, tcp/49152-65535 | TURN(s) Firewall Window
STUN and TURN are on the same port, because coturn uses Application Layer Protocol Negotiation (ALPN).
Prepare certificates
Install certbot and create a Let's Encrypt certificate, which can be used for both TLS and DTLS.
Install Turnserver
Install coturn
aptitude install coturn ssl-cert
Protect the secrets and make sure the turnserver process can read them (via group rights).
coturn ships with turnadmin as its administration tool.
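The configuration below enables use-auth-secret with a static-auth-secret, i.e. the "TURN REST API" credential scheme the config comments describe (username "timestamp:userid", password base64(hmac(secret, username))). As an added example, not code from the page, from coturn or from Synapse, the following Python derives such a credential the way a homeserver does and re-checks it the way the TURN server does, including the expiry check that makes a leaked credential worthless after its ttl. SHARED_SECRET is a constructed placeholder for the static-auth-secret value; the TURN URIs assume the coturn.rockstable.it hostname used for the certificate paths and the ports from the firewall table above.

```python
"""Time-limited TURN credentials for coturn's use-auth-secret mode.

Added example; not part of the page, of coturn or of Synapse.
SHARED_SECRET is a constructed placeholder standing in for static-auth-secret
in turnserver.conf (the same value goes into turn_shared_secret on the
homeserver). TURN_URIS assume the coturn.rockstable.it hostname.
"""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

SHARED_SECRET = b"example-shared-secret-CHANGE-ME"   # constructed placeholder, never ship this
DEFAULT_TTL = 86400                                   # seconds a credential stays valid
SEPARATOR = ":"                                       # coturn's rest-api-separator default
TURN_URIS = [                                         # assumed hostname, ports from the firewall table
    "turn:coturn.rockstable.it:3478?transport=udp",
    "turn:coturn.rockstable.it:3478?transport=tcp",
    "turns:coturn.rockstable.it:5349?transport=tcp",
]


def _mac(secret: bytes, username: str) -> str:
    """base64(HMAC-SHA1(secret, username)): the TURN password in this scheme."""
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def make_credentials(user_id: str, secret: bytes = SHARED_SECRET,
                     ttl: int = DEFAULT_TTL, now: Optional[int] = None) -> Tuple[str, str]:
    """Homeserver side: username "<expiry>:<user id>" and the password derived from it.

    The expiry is a Unix timestamp, so the pair stops working after ttl seconds
    even though the client never learns the shared secret.
    """
    if now is None:
        now = int(time.time())
    username = "%d%s%s" % (now + ttl, SEPARATOR, user_id)
    return username, _mac(secret, username)


def verify_credentials(username: str, password: str, secret: bytes = SHARED_SECRET,
                       now: Optional[int] = None) -> bool:
    """TURN server side: the username must start with an unexpired timestamp and the
    password must be the MAC of the whole username under the shared secret."""
    if now is None:
        now = int(time.time())
    expiry, sep, _rest = username.partition(SEPARATOR)   # Matrix IDs contain ':' too, so split once
    if not sep or not expiry.isdigit():
        return False
    if int(expiry) <= now:
        return False                                      # expired: client must fetch fresh credentials
    return hmac.compare_digest(_mac(secret, username), password)


def turn_server_response(user_id: str, ttl: int = DEFAULT_TTL,
                         now: Optional[int] = None) -> Dict[str, object]:
    """Shape of the JSON a client receives from the homeserver's voip/turnServer endpoint."""
    username, password = make_credentials(user_id, ttl=ttl, now=now)
    return {"username": username, "password": password, "ttl": ttl, "uris": list(TURN_URIS)}


if __name__ == "__main__":
    user, pw = make_credentials("@alice:matrix.rockstable.it", ttl=3600)
    print("username:", user)
    print("password:", pw)
    print("valid now:", verify_credentials(user, pw))
    print("valid in two hours:", verify_credentials(user, pw, now=int(time.time()) + 7200))
```

Because the password is a MAC over the username, changing the timestamp to extend a credential's life invalidates it; only a party holding the shared secret can mint a new one, which is why that value needs the file permissions the previous paragraph asks for.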
Configure coturn in
/etc/turnserver.conf
1 # Coturn TURN SERVER configuration file
2 #
3 # Boolean values note: where boolean value is supposed to be used,
4 # you can use '0', 'off', 'no', 'false', 'f' as 'false,
5 # and you can use '1', 'on', 'yes', 'true', 't' as 'true'
6 # If the value is missed, then it means 'true'.
7 #
8
9 # Listener interface device (optional, Linux only).
10 # NOT RECOMMENDED.
11 #
12 #listening-device=eth0
13
14 # TURN listener port for UDP and TCP (Default: 3478).
15 # Note: actually, TLS & DTLS sessions can connect to the
16 # "plain" TCP & UDP port(s), too - if allowed by configuration.
17 #
18 #listening-port=3478
19
20 # TURN listener port for TLS (Default: 5349).
21 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
22 # port(s), too - if allowed by configuration. The TURN server
23 # "automatically" recognizes the type of traffic. Actually, two listening
24 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
25 # functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
26 # For secure TCP connections, we currently support SSL version 3 and
27 # TLS version 1.0, 1.1 and 1.2.
28 # For secure UDP connections, we support DTLS version 1.
29 #
30 #tls-listening-port=5349
31
32 # Alternative listening port for UDP and TCP listeners;
33 # default (or zero) value means "listening port plus one".
34 # This is needed for RFC 5780 support
35 # (STUN extension specs, NAT behavior discovery). The TURN Server
36 # supports RFC 5780 only if it is started with more than one
37 # listening IP address of the same family (IPv4 or IPv6).
38 # RFC 5780 is supported only by UDP protocol, other protocols
39 # are listening to that endpoint only for "symmetry".
40 #
41 #alt-listening-port=0
42
43 # Alternative listening port for TLS and DTLS protocols.
44 # Default (or zero) value means "TLS listening port plus one".
45 #
46 #alt-tls-listening-port=0
47
48 # Listener IP address of relay server. Multiple listeners can be specified.
49 # If no IP(s) specified in the config file or in the command line options,
50 # then all IPv4 and IPv6 system IPs will be used for listening.
51 #
52 #listening-ip=172.17.19.101
53 #listening-ip=10.207.21.238
54 #listening-ip=2607:f0d0:1002:51::4
55
56 # Auxiliary STUN/TURN server listening endpoint.
57 # Aux servers have almost full TURN and STUN functionality.
58 # The (minor) limitations are:
59 #
60 # 1) Auxiliary servers do not have alternative ports and
61 # they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
62 #
63 # 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
64 #
65 # Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
66 #
67 # There may be multiple aux-server options, each will be used for listening
68 # to client requests.
69 #
70 #aux-server=172.17.19.110:33478
71 #aux-server=[2607:f0d0:1002:51::4]:33478
72
73 # (recommended for older Linuxes only)
74 # Automatically balance UDP traffic over auxiliary servers (if configured).
75 # The load balancing is using the ALTERNATE-SERVER mechanism.
76 # The TURN client must support 300 ALTERNATE-SERVER response for this
77 # functionality.
78 #
79 #udp-self-balance
80
81 # Relay interface device for relay sockets (optional, Linux only).
82 # NOT RECOMMENDED.
83 #
84 #relay-device=eth1
85
86 # Relay address (the local IP address that will be used to relay the
87 # packets to the peer).
88 # Multiple relay addresses may be used.
89 # The same IP(s) can be used as both listening IP(s) and relay IP(s).
90 #
91 # If no relay IP(s) specified, then the turnserver will apply the default
92 # policy: it will decide itself which relay addresses to be used, and it
93 # will always be using the client socket IP address as the relay IP address
94 # of the TURN session (if the requested relay address family is the same
95 # as the family of the client socket).
96 #
97 #relay-ip=172.17.19.105
98 #relay-ip=2607:f0d0:1002:51::5
99
100 # For Amazon EC2 users:
101 #
102 # TURN Server public/private address mapping, if the server is behind NAT.
103 # In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
104 # as relay IP address of all allocations. This scenario works only in a simple case
105 # when one single relay address is be used, and no RFC5780 functionality is required.
106 # That single relay address must be mapped by NAT to the 'external' IP.
107 # The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
108 # For that 'external' IP, NAT must forward ports directly (relayed port 12345
109 # must be always mapped to the same 'external' port 12345).
110 #
111 # In more complex case when more than one IP address is involved,
112 # that option must be used several times, each entry must
113 # have form "-X <public-ip/private-ip>", to map all involved addresses.
114 # RFC5780 NAT discovery STUN functionality will work correctly,
115 # if the addresses are mapped properly, even when the TURN server itself
116 # is behind A NAT.
117 #
118 # By default, this value is empty, and no address mapping is used.
119 #
120 #external-ip=60.70.80.91
121 #
122 #OR:
123 #
124 #external-ip=60.70.80.91/172.17.19.101
125 #external-ip=60.70.80.92/172.17.19.102
126
127
128 # Number of the relay threads to handle the established connections
129 # (in addition to authentication thread and the listener thread).
130 # If explicitly set to 0 then application runs relay process in a
131 # single thread, in the same thread with the listener process
132 # (the authentication thread will still be a separate thread).
133 #
134 # If this parameter is not set, then the default OS-dependent
135 # thread pattern algorithm will be employed. Usually the default
136 # algorithm is the most optimal, so you have to change this option
137 # only if you want to make some fine tweaks.
138 #
139 # In the older systems (Linux kernel before 3.9),
140 # the number of UDP threads is always one thread per network listening
141 # endpoint - including the auxiliary endpoints - unless 0 (zero) or
142 # 1 (one) value is set.
143 #
144 #relay-threads=0
145
146 # Lower and upper bounds of the UDP relay endpoints:
147 # (default values are 49152 and 65535)
148 #
149 #min-port=49152
150 #max-port=65535
151
152 # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
153 # By default the verbose mode is off.
154 #verbose
155
156 # Uncomment to run TURN server in 'extra' verbose mode.
157 # This mode is very annoying and produces lots of output.
158 # Not recommended under any normal circumstances.
159 #
160 #Verbose
161
162 # Uncomment to use fingerprints in the TURN messages.
163 # By default the fingerprints are off.
164 #
165 #fingerprint
166
167 # Uncomment to use long-term credential mechanism.
168 # By default no credentials mechanism is used (any user allowed).
169 #
170 #lt-cred-mech
171
172 # This option is opposite to lt-cred-mech.
173 # (TURN Server with no-auth option allows anonymous access).
174 # If neither option is defined, and no users are defined,
175 # then no-auth is default. If at least one user is defined,
176 # in this file or in command line or in usersdb file, then
177 # lt-cred-mech is default.
178 #
179 #no-auth
180
181 # TURN REST API flag.
182 # (Time Limited Long Term Credential)
183 # Flag that sets a special authorization option that is based upon authentication secret.
184 #
185 # This feature's purpose is to support "TURN Server REST API", see
186 # "TURN REST API" link in the project's page
187 # https://github.com/coturn/coturn/
188 #
189 # This option is used with timestamp:
190 #
191 # usercombo -> "timestamp:userid"
192 # turn user -> usercombo
193 # turn password -> base64(hmac(secret key, usercombo))
194 #
195 # This allows TURN credentials to be accounted for a specific user id.
196 # If you don't have a suitable id, the timestamp alone can be used.
197 # This option is just turning on secret-based authentication.
198 # The actual value of the secret is defined either by option static-auth-secret,
199 # or can be found in the turn_secret table in the database (see below).
200 #
201 # Read more about it:
202 # - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
203 # - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
204 #
205 # Be aware that use-auth-secret overrides some part of lt-cred-mech.
206 # Notice that this feature depends internally on lt-cred-mech, so if you set
207 # use-auth-secret then it enables internally automatically lt-cred-mech option
208 # like if you enable both.
209 #
210 # You can use only one of the to auth mechanisms in the same time because,
211 # both mechanism use the username and password validation in different way.
212 #
213 # This way be aware that you can't use both auth mechnaism in the same time!
214 # Use in config either the lt-cred-mech or the use-auth-secret
215 # to avoid any confusion.
216 #
217 use-auth-secret
218
219 # 'Static' authentication secret value (a string) for TURN REST API only.
220 # If not set, then the turn server
221 # will try to use the 'dynamic' value in turn_secret table
222 # in user database (if present). The database-stored value can be changed on-the-fly
223 # by a separate program, so this is why that other mode is 'dynamic'.
224 #
225 static-auth-secret=EiCh8Ohhah3sheang1miel2ooliaNohM
226
227 # Server name used for
228 # the oAuth authentication purposes.
229 # The default value is the realm name.
230 #
231 #server-name=blackdow.carleon.gov
232
233 # Flag that allows oAuth authentication.
234 #
235 #oauth
236
237 # 'Static' user accounts for long term credentials mechanism, only.
238 # This option cannot be used with TURN REST API.
239 # 'Static' user accounts are NOT dynamically checked by the turnserver process,
240 # so that they can NOT be changed while the turnserver is running.
241 #
242 #user=username1:key1
243 #user=username2:key2
244 # OR:
245 #user=username1:password1
246 #user=username2:password2
247 #
248 # Keys must be generated by turnadmin utility. The key value depends
249 # on user name, realm, and password:
250 #
251 # Example:
252 # $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
253 # Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
254 # ('0x' in the beginning of the key is what differentiates the key from
255 # password. If it has 0x then it is a key, otherwise it is a password).
256 #
257 # The corresponding user account entry in the config file will be:
258 #
259 #user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
260 # Or, equivalently, with open clear password (less secure):
261 #user=ninefingers:youhavetoberealistic
262 #
263
264 # SQLite database file name.
265 #
266 # Default file name is /var/db/turndb or /usr/local/var/db/turndb or
267 # /var/lib/turn/turndb.
268 #
269 #userdb=/var/db/turndb
270
271 # PostgreSQL database connection string in the case that we are using PostgreSQL
272 # as the user database.
273 # This database can be used for long-term credential mechanism
274 # and it can store the secret value for secret-based timed authentication in TURN RESP API.
275 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
276 # versions connection string format, see
277 # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
278 # for 9.x and newer connection string formats.
279 #
280 #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
281
282 # MySQL database connection string in the case that we are using MySQL
283 # as the user database.
284 # This database can be used for long-term credential mechanism
285 # and it can store the secret value for secret-based timed authentication in TURN RESP API.
286 #
287 # Optional connection string parameters for the secure communications (SSL):
288 # ca, capath, cert, key, cipher
289 # (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
290 # command options description).
291 #
292 # Use string format as below (space separated parameters, all optional):
293 #
294 #mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
295
296 # If you want to use in the MySQL connection string the password in encrypted format,
297 # then set in this option the MySQL password encryption secret key file.
298 #
299 # Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
300 # If you want to use cleartext password then do not set this option!
301 #
302 # This is the file path which contain secret key of aes encryption while using password encryption.
303 #
304 #secret-key-file=/path/
305
306 # MongoDB database connection string in the case that we are using MongoDB
307 # as the user database.
308 # This database can be used for long-term credential mechanism
309 # and it can store the secret value for secret-based timed authentication in TURN RESP API.
310 # Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
311 #
312 #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
313
314 # Redis database connection string in the case that we are using Redis
315 # as the user database.
316 # This database can be used for long-term credential mechanism
317 # and it can store the secret value for secret-based timed authentication in TURN RESP API.
318 # Use string format as below (space separated parameters, all optional):
319 #
320 #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
321
322 # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
323 # This database keeps allocations status information, and it can be also used for publishing
324 # and delivering traffic and allocation event notifications.
325 # The connection string has the same parameters as redis-userdb connection string.
326 # Use string format as below (space separated parameters, all optional):
327 #
328 #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
329
330 # The default realm to be used for the users when no explicit
331 # origin/realm relationship was found in the database, or if the TURN
332 # server is not using any database (just the commands-line settings
333 # and the userdb file). Must be used with long-term credentials
334 # mechanism or with TURN REST API.
335 #
336 # Note: If default realm is not specified at all, then realm falls back to the host domain name.
337 # If domain name is empty string, or '(None)', then it is initialized to am empty string.
338 #
339 realm=rockstable.it
340
341 # The flag that sets the origin consistency
342 # check: across the session, all requests must have the same
343 # main ORIGIN attribute value (if the ORIGIN was
344 # initially used by the session).
345 #
346 #check-origin-consistency
347
348 # Per-user allocation quota.
349 # default value is 0 (no quota, unlimited number of sessions per user).
350 # This option can also be set through the database, for a particular realm.
351 #
352 #user-quota=0
353
354 # Total allocation quota.
355 # default value is 0 (no quota).
356 # This option can also be set through the database, for a particular realm.
357 #
358 #total-quota=0
359
360 # Max bytes-per-second bandwidth a TURN session is allowed to handle
361 # (input and output network streams are treated separately). Anything above
362 # that limit will be dropped or temporary suppressed (within
363 # the available buffer limits).
364 # This option can also be set through the database, for a particular realm.
365 #
366 #max-bps=0
367
368 #
369 # Maximum server capacity.
370 # Total bytes-per-second bandwidth the TURN server is allowed to allocate
371 # for the sessions, combined (input and output network streams are treated separately).
372 #
373 # bps-capacity=0
374
375 # Uncomment if no UDP client listener is desired.
376 # By default UDP client listener is always started.
377 #
378 #no-udp
379
380 # Uncomment if no TCP client listener is desired.
381 # By default TCP client listener is always started.
382 #
383 #no-tcp
384
385 # Uncomment if no TLS client listener is desired.
386 # By default TLS client listener is always started.
387 #
388 #no-tls
389
390 # Uncomment if no DTLS client listener is desired.
391 # By default DTLS client listener is always started.
392 #
393 #no-dtls
394
395 # Uncomment if no UDP relay endpoints are allowed.
396 # By default UDP relay endpoints are enabled (like in RFC 5766).
397 #
398 #no-udp-relay
399
400 # Uncomment if no TCP relay endpoints are allowed.
401 # By default TCP relay endpoints are enabled (like in RFC 6062).
402 #
403 #no-tcp-relay
404
405 # Uncomment if extra security is desired,
406 # with nonce value having limited lifetime.
407 # By default, the nonce value is unique for a session,
408 # and has unlimited lifetime.
409 # Set this option to limit the nonce lifetime.
410 # It defaults to 600 secs (10 min) if no value is provided. After that delay,
411 # the client will get 438 error and will have to re-authenticate itself.
412 #
413 #stale-nonce=600
414
415 # Uncomment if you want to set the maximum allocation
416 # time before it has to be refreshed.
417 # Default is 3600s.
418 #
419 #max-allocate-lifetime=3600
420
421
422 # Uncomment to set the lifetime for the channel.
423 # Default value is 600 secs (10 minutes).
424 # This value MUST not be changed for production purposes.
425 #
426 #channel-lifetime=600
427
428 # Uncomment to set the permission lifetime.
429 # Default to 300 secs (5 minutes).
430 # In production this value MUST not be changed,
431 # however it can be useful for test purposes.
432 #
433 #permission-lifetime=300
434
435 # Certificate file.
436 # Use an absolute path or path relative to the
437 # configuration file.
438 #
439 cert=/etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem
440
441 # Private key file.
442 # Use an absolute path or path relative to the
443 # configuration file.
444 # Use PEM file format.
445 #
446 pkey=/etc/letsencrypt/live/coturn.rockstable.it/privkey.pem
447
448 # Private key file password, if it is in encoded format.
449 # This option has no default value.
450 #
451 #pkey-pwd=...
452
453 # Allowed OpenSSL cipher list for TLS/DTLS connections.
454 # Default value is "DEFAULT".
455 #
456 #cipher-list="DEFAULT"
457
458 # CA file in OpenSSL format.
459 # Forces TURN server to verify the client SSL certificates.
460 # By default it is not set: there is no default value and the client
461 # certificate is not checked.
462 #
463 # Example:
464 #CA-file=/etc/ssh/id_rsa.cert
465
466 # Curve name for EC ciphers, if supported by OpenSSL
467 # library (TLS and DTLS). The default value is prime256v1,
468 # if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
469 # an optimal curve will be automatically calculated, if not defined
470 # by this option.
471 #
472 #ec-curve-name=prime256v1
473
474 # Use 566 bits predefined DH TLS key. Default size of the key is 1066.
475 #
476 #dh566
477
478 # Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
479 #
480 #dh2066
481
482 # Use custom DH TLS key, stored in PEM format in the file.
483 # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
484 #
485 #dh-file=<DH-PEM-file-name>
486
487 # Flag to prevent stdout log messages.
488 # By default, all log messages are going to both stdout and to
489 # the configured log file. With this option everything will be
490 # going to the configured log only (unless the log file itself is stdout).
491 #
492 #no-stdout-log
493
494 # Option to set the log file name.
495 # By default, the turnserver tries to open a log file in
496 # /var/log, /var/tmp, /tmp and current directories directories
497 # (which open operation succeeds first that file will be used).
498 # With this option you can set the definite log file name.
499 # The special names are "stdout" and "-" - they will force everything
500 # to the stdout. Also, the "syslog" name will force everything to
501 # the system log (syslog).
502 # In the runtime, the logfile can be reset with the SIGHUP signal
503 # to the turnserver process.
504 #
505 #log-file=/var/tmp/turn.log
506
507 # Option to redirect all log output into system log (syslog).
508 #
509 syslog
510
511 # This flag means that no log file rollover will be used, and the log file
512 # name will be constructed as-is, without PID and date appendage.
513 # This option can be used, for example, together with the logrotate tool.
514 #
515 #simple-log
516
517 # Option to set the "redirection" mode. The value of this option
518 # will be the address of the alternate server for UDP & TCP service in form of
519 # <ip>[:<port>]. The server will send this value in the attribute
520 # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
521 # Client will receive only values with the same address family
522 # as the client network endpoint address family.
523 # See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
524 # The client must use the obtained value for subsequent TURN communications.
525 # If more than one --alternate-server options are provided, then the functionality
526 # can be more accurately described as "load-balancing" than a mere "redirection".
527 # If the port number is omitted, then the default port
528 # number 3478 for the UDP/TCP protocols will be used.
529 # Colon (:) characters in IPv6 addresses may conflict with the syntax of
530 # the option. To alleviate this conflict, literal IPv6 addresses are enclosed
531 # in square brackets in such resource identifiers, for example:
532 # [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
533 # Multiple alternate servers can be set. They will be used in the
534 # round-robin manner. All servers in the pool are considered of equal weight and
535 # the load will be distributed equally. For example, if we have 4 alternate servers,
536 # then each server will receive 25% of ALLOCATE requests. A alternate TURN server
537 # address can be used more than one time with the alternate-server option, so this
538 # can emulate "weighting" of the servers.
539 #
540 # Examples:
541 #alternate-server=1.2.3.4:5678
542 #alternate-server=11.22.33.44:56789
543 #alternate-server=5.6.7.8
544 #alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
545
546 # Option to set alternative server for TLS & DTLS services in form of
547 # <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description.
#
# Examples:
#tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478

# Option to suppress TURN functionality, only STUN requests will be processed.
# Run as STUN server only, all TURN requests will be ignored.
# By default, this option is NOT set.
#
#stun-only

# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
# By default, this option is NOT set.
#
#no-stun

# This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'.
# rest-api-separator=:

# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
# (To avoid any security issue that allowing loopback access may raise,
# the no-loopback-peers option is replaced by allow-loopback-peers.)
#
# Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons
# it is not allowed to use it together with an empty cli-password.
#
#allow-loopback-peers

# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
#
#no-multicast-peers

# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60

# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45

# File name to store the pid of the process.
# Default is /var/run/turnserver.pid (if superuser account is used) or
# /var/tmp/turnserver.pid .
#
#pidfile="/var/run/turnserver.pid"

# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun

# Mobility with ICE (MICE) specs support.
#
#mobility

# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default coTURN works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
#keep-address-family

# User name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current user ID to that user.
#
#proc-user=<user-name>

# Group name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current group ID to that group.
#
#proc-group=<group-name>

# Turn OFF the CLI support.
# By default it is always ON.
# See also options cli-ip and cli-port.
#
#no-cli

# Local system IP address to be used for CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1

# CLI server port. Default is 5766.
#
#cli-port=5766

# CLI access password. Default is empty (no password).
# For security reasons, it is recommended to use the encrypted
# form of the password (see the -P command in the turnadmin utility).
#
# Secure form for password 'qwerty':
#
#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
#
# Or unsecure form for the same password:
#
#cli-password=qwerty

# Enable Web-admin support on https. By default it is Disabled.
# If it is enabled it also enables a http a simple static banner page
# with a small reminder that the admin page is available only on https.
#
#web-admin

# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
#
#web-admin-ip=127.0.0.1

# Web-admin server port. Default is 8080.
#
#web-admin-port=8080

# Web-admin server listen on STUN/TURN worker threads
# By default it is disabled for security reasons! (Not recommended in any production environment!)
#
#web-admin-listen-on-workers

# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when we want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay

# Maximum number of output sessions in ps CLI command.
# This value can be changed on-the-fly in CLI. The default value is 256.
#
#cli-max-output-sessions

# Set network engine type for the process (for internal purposes).
#
#ne=[1|2|3]

# Do not allow a TLS/DTLS version of protocol
#
no-tlsv1
no-tlsv1_1
#no-tlsv1_2
Firewalling
Open
- udp-tcp/3478 STUN/TURN
- udp-tcp/5349 STUNS/TURNS
- udp/10000 STUNS/TURNS Jitsi
[[https://datatracker.ietf.org/doc/html/rfc5766|IETF RFC5766 Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)]] suggests
- udp-tcp/49192-65535 (coturn default)
DNS Records
Coturn is (in comparison to ejabberd) also capable of DTLS, so udp/5349 can be advertised.
;_service._proto.name TTL class SRV priority weight port target

$ORIGIN _tcp.rockstable.it.
;SIMPLE TRAVERSAL UDP NAT OVER TCP
_stun   SRV 5 0 3478 coturn.rockstable.it.
_stuns  SRV 5 0 5349 coturn.rockstable.it.
; TRAVERSAL UDP RELAY NAT OVER TCP
_turn   SRV 5 0 3478 coturn.rockstable.it.
_turns  SRV 5 0 5349 coturn.rockstable.it.

$ORIGIN _udp.rockstable.it.
;SIMPLE TRAVERSAL UDP NAT OVER UDP
_stun   SRV 5 0 3478 coturn.rockstable.it.
_stuns  SRV 5 0 5349 coturn.rockstable.it.
; TRAVERSAL UDP RELAY NAT OVER UDP
_turn   SRV 5 0 3478 coturn.rockstable.it.
_turns  SRV 5 0 5349 coturn.rockstable.it.

$ORIGIN rockstable.it.
; CANONICAL HOSTNAME
coturn  CNAME coturn1
; REAL HOSTNAME
coturn1 A     178.63.149.236
Matrix turn_uris
TURN URIs are defined in RFC 7065 - Traversal Using Relays around NAT (TURN) Uniform Resource Identifiers.
My TURN section in
/etc/matrix-synapse/homeserver.yaml
…

## TURN ##

# The public URIs of the TURN server to give to clients
turn_uris: [
    "turn:coturn.rockstable.it:3478?transport=udp",
    "turn:coturn.rockstable.it:3478?transport=tcp",
    "turns:coturn.rockstable.it:5349?transport=udp",
    "turns:coturn.rockstable.it:5349?transport=tcp"
]

# The shared secret used to compute passwords for the TURN server
turn_shared_secret: "YOUR_SHARED_SECRET"

# The Username and password if the TURN server needs them and
# does not use a token
#turn_username: "TURNSERVER_USERNAME"
#turn_password: "TURNSERVER_PASSWORD"

# How long generated TURN credentials last
turn_user_lifetime: "1h"

# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
turn_allow_guests: False

…
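How turn_shared_secret and turn_user_lifetime turn into the per-user credentials a client presents to coturn: an added example, not code from this page, Synapse or coturn, that builds and checks TURN REST API credentials in the timestamp-first form (username "expiry:mxid", password base64(HMAC-SHA1(secret, username))). The secret is the placeholder from the homeserver.yaml above, the user and clock values are constructed.

```python
import base64
import hashlib
import hmac
import time

# Constructed: the placeholder secret from homeserver.yaml above; "1h" lifetime = 3600 s.
TURN_SHARED_SECRET = "YOUR_SHARED_SECRET"
TURN_USER_LIFETIME_S = 3600


def _mac(secret, username):
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def turn_credentials(mxid, secret=TURN_SHARED_SECRET,
                     lifetime_s=TURN_USER_LIFETIME_S, now=None):
    """Build time-limited TURN REST API credentials for a Matrix user.

    The homeserver never hands the shared secret to the client; the client only
    gets a username carrying an expiry and a password derived from it.
    """
    now = int(time.time()) if now is None else int(now)
    username = f"{now + lifetime_s}:{mxid}"
    return username, _mac(secret, username)


def turn_verify(username, password, secret=TURN_SHARED_SECRET, now=None):
    """Check a credential pair the way a TURN server running in shared-secret
    mode does: recompute the MAC and reject expired timestamps.

    The timestamp is everything before the FIRST rest-api-separator (':'),
    which matters here because the Matrix ID after it contains ':' itself.
    """
    now = int(time.time()) if now is None else int(now)
    ts, sep, _user = username.partition(":")
    if not sep or not ts.isdigit():
        return False
    if int(ts) < now:
        return False  # expired: the lifetime bounds how long a leaked pair is useful
    return hmac.compare_digest(_mac(secret, username), password)
```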
Bridges
- Always make sure that the credentials in the app-service's registration.yaml match the homeserver's config.yaml.
Mautrix-Telegram
About
A Matrix-Telegram hybrid puppeting/relaybot bridge
Prerequisites
Install virtualenv (python3) to satisfy python dependencies and not clash with your distribution.
aptitude install virtualenv python3-dev build-essential
Setup
The installed python version should be python3. You may need to install package python-is-python2
readlink -f $(which python)
Create a directory containing a fresh virtual python3 environment
mkdir /opt/mautrix-telegram
cd /opt/mautrix-telegram
### INITIALIZE THE VIRTUALENV
virtualenv -p /usr/bin/python3 .
### RESET THE VIRTUALENV (SELECT THE CORRECT DIRECTORY)
### USEFUL AFTER DIST-UPGRADES
#virtualenv -p /usr/bin/python3 --clear .
### ACTIVATE THE VIRTUALENV IN YOUR CURRENT SHELL
source "./bin/activate"
### INSTALL THE BRIDGE WITH "[all]" OPTIONAL DEPENDENCIES
pip install --upgrade 'mautrix-telegram[all]'
Create the daemon user, its group and its home directory, to separate persistent variable data (e.g. the SQLite DB) from the source code.
DAEMON_USER="mautrix-telegram"
addgroup --system "$DAEMON_USER"
adduser --system \
    --ingroup "$DAEMON_USER" \
    --home /var/lib/"$DAEMON_USER" \
    --gecos "Matrix Telegram Bridge,," \
    "$DAEMON_USER"
chmod 2750 /var/lib/"$DAEMON_USER"
### Create log directory
install -o "$DAEMON_USER" -g adm \
    -m 2750 -d \
    /var/log/"$DAEMON_USER"
### Create configuration directory
install -o root -g "$DAEMON_USER" \
    -m 750 -d /etc/"$DAEMON_USER"
Configure
Make a copy of the example-config.yaml and adjust it to your needs.
At least configure
- Mandatory:
  - homeserver
  - api_id, api_hash
- Optionally:
  - bot_token
Generate the appservice registration
DAEMON_USER="mautrix-telegram"
source "/opt/$DAEMON_USER/bin/activate"
python3 -m "${DAEMON_USER/-/_}" -g \
    -c /etc/"$DAEMON_USER"/config.yaml \
    -r /etc/"$DAEMON_USER"/registration.yaml
chown root:"$DAEMON_USER" /etc/"$DAEMON_USER"/{config.yaml,registration.yaml}
chmod 640 /etc/"$DAEMON_USER"/{config.yaml,registration.yaml}
adduser matrix-synapse "$DAEMON_USER"
Add the path to the registration file to your Synapse's /etc/matrix-synapse/homeserver.yaml under app_service_config_files. Restart Synapse to apply changes.
Create the database with alembic upgrade head. If you have a custom config path, use
alembic -x config=/path/to/config.yaml upgrade head
Be careful with permissions when you create the SQLite database: the user mautrix-telegram must be able to write to this file.
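The bullet under Bridges says the credentials in registration.yaml must match the bridge's config.yaml; the following added example (not part of this page or of mautrix-telegram) turns that into a check: it compares the appservice section of config.yaml with the registration file Synapse loads, using a tiny indentation-based field extractor rather than a YAML library, on constructed sample files with placeholder tokens.

```python
import re

# Constructed sample files mirroring the layout used on this page (tokens are placeholders).
CONFIG_YAML = """\
homeserver:
    address: https://matrix.rockstable.it
    domain: matrix.rockstable.it
appservice:
    address: http://localhost:8081
    hostname: 127.0.0.1
    port: 8081
    id: telegram
    bot_username: telegrambot
    as_token: "astok-constructed-0001"
    hs_token: "hstok-constructed-0002"
bridge:
    command_prefix: '!tg'
"""

REGISTRATION_YAML = """\
id: telegram
as_token: astok-constructed-0001
hs_token: hstok-constructed-0002
namespaces:
    users:
    - exclusive: true
      regex: '@telegram_.*:matrix.rockstable.it'
url: http://localhost:8081
sender_localpart: telegrambot
rate_limited: false
"""


def top_level_block(text, section):
    """Return the indented lines under a top-level `section:` key.
    Minimal extractor, not a YAML parser; enough for these flat scalar fields."""
    out, inside = [], False
    for line in text.splitlines():
        if re.match(rf"^{re.escape(section)}:\s*$", line):
            inside = True
            continue
        if inside:
            if line.strip() and not line[0].isspace():
                break  # next top-level key
            out.append(line)
    return "\n".join(out)


def scalar(text, key):
    """First `key: value` line at any indentation, with surrounding quotes stripped."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1).strip("'\"") if m else None


def check_registration(config_text, registration_text):
    """Compare the bridge's appservice section with its registration file.
    Returns a list of mismatch descriptions; an empty list means they agree."""
    app = top_level_block(config_text, "appservice")
    pairs = [  # (config key, registration key)
        ("as_token", "as_token"),
        ("hs_token", "hs_token"),
        ("id", "id"),
        ("address", "url"),               # where Synapse will push transactions
        ("bot_username", "sender_localpart"),
    ]
    problems = []
    for ckey, rkey in pairs:
        cval, rval = scalar(app, ckey), scalar(registration_text, rkey)
        if cval is None or rval is None:
            problems.append(f"{ckey}/{rkey}: missing in one of the files")
        elif cval != rval:
            problems.append(f"{ckey}={cval!r} but registration {rkey}={rval!r}")
    # Tokens left at their template values mean the registration was never generated.
    for key in ("as_token", "hs_token"):
        if scalar(app, key) in ("", "<AS_TOKEN>", "<HS_TOKEN>", "generate"):
            problems.append(f"{key} is still a placeholder; regenerate the registration")
    return problems
```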
/etc/mautrix-telegram/config.yaml
# Homeserver details
homeserver:
    # The address that this appservice can use to connect to the homeserver.
    address: https://matrix.rockstable.it
    # The domain of the homeserver (for MXIDs, etc).
    domain: matrix.rockstable.it
    # Whether or not to verify the SSL certificate of the homeserver.
    # Only applies if address starts with https://
    verify_ssl: true

# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: http://localhost:8081

    # The hostname and port where this appservice should listen.
    hostname: 127.0.0.1
    port: 8081
    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 2

    # The full URI to the database. SQLite and Postgres are fully supported.
    # Other DBMSes supported by SQLAlchemy may or may not work.
    # Format examples:
    #   SQLite:   sqlite:///filename.db
    #   Postgres: postgres://username:password@hostname/dbname
    database: sqlite:////var/lib/mautrix-telegram/mautrix-telegram.db

    # Public part of web server for out-of-Matrix interaction with the bridge.
    # Used for things like login if the user wants to make sure the 2FA password isn't stored in
    # the HS database.
    public:
        # Whether or not the public-facing endpoints should be enabled.
        enabled: true
        # The prefix to use in the public-facing endpoints.
        prefix: /public/telegram
        # The base URL where the public-facing endpoints are available. The prefix is not added
        # implicitly.
        external: https://matrix.rockstable.it/public/telegram

    # Provisioning API part of the web server for automated portal creation and fetching information.
    # Used by things like Dimension (https://dimension.t2bot.io/).
    provisioning:
        # Whether or not the provisioning API should be enabled.
        enabled: true
        # The prefix to use in the provisioning API endpoints.
        prefix: /_matrix/provision/v1
        # The shared secret to authorize users of the API.
        # Set to "generate" to generate and save a new token.
        shared_secret: <SHARED_SECRET>

    # The unique ID of this appservice.
    id: telegram
    # Username of the appservice bot.
    bot_username: telegrambot
    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
    # to leave display name/avatar as-is.
    bot_displayname: Telegram bridge bot
    bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX

    # Community ID for bridged users (changes registration file) and rooms.
    # Must be created manually.
    community_id: false

    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: <AS_TOKEN>
    hs_token: <HS_TOKEN>

# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
    enabled: false
    listen_port: 8000

# Bridge config
bridge:
    # Localpart template of MXIDs for Telegram users.
    # {userid} is replaced with the user ID of the Telegram user.
    username_template: telegram_{userid}
    # Localpart template of room aliases for Telegram portal rooms.
    # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
    alias_template: telegram_{groupname}
    # Displayname template for Telegram users.
    # {displayname} is replaced with the display name of the Telegram user.
    displayname_template: '{displayname} (Telegram)'

    # Set the preferred order of user identifiers which to use in the Matrix puppet display name.
    # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
    # ID is used.
    #
    # If the bridge is working properly, a phone number or a username should always be known, but
    # the other one can very well be empty.
    #
    # Valid keys:
    #   "full name"          (First and/or last name)
    #   "full name reversed" (Last and/or first name)
    #   "first name"
    #   "last name"
    #   "username"
    #   "phone number"
    displayname_preference:
    - full name
    - username
    - phone number

    # Maximum number of members to sync per portal when starting up. Other members will be
    # synced when they send messages. The maximum is 10000, after which the Telegram server
    # will not send any more members.
    # Defaults to no local limit (-> limited to 10000 by server)
    max_initial_member_sync: -1
    # Whether or not to sync the member list in channels.
    # If no channel admins have logged into the bridge, the bridge won't be able to sync the member
    # list regardless of this setting.
    sync_channel_members: true
    # Whether or not to skip deleted members when syncing members.
    skip_deleted_members: true
    # Whether or not to automatically synchronize contacts and chats of Matrix users logged into
    # their Telegram account at startup.
    startup_sync: true
    # Number of most recently active dialogs to check when syncing chats.
    # Dialogs include groups and private chats, but only groups are synced.
    # Set to 0 to remove limit.
    sync_dialog_limit: 30
    # The maximum number of simultaneous Telegram deletions to handle.
    # A large number of simultaneous redactions could put strain on your homeserver.
    max_telegram_delete: 10
    # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
    # at startup and when creating a bridge.
    sync_matrix_state: true
    # Allow logging in within Matrix. If false, the only way to log in is using the out-of-Matrix
    # login website (see appservice.public config section)
    allow_matrix_login: true
    # Whether or not to bridge plaintext highlights.
    # Only enable this if your displayname_template has some static part that the bridge can use to
    # reliably identify what is a plaintext highlight.
    plaintext_highlights: false
    # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
    public_portals: true
    # Whether or not to fetch and handle Telegram updates at startup from the time the bridge was down.
    # Currently only works for private chats and normal groups.
    # WARNING: This feature seems to be broken in the telegram library.
    catch_up: false
    # Whether or not to use /sync to get presence, read receipts and typing notifications when using
    # your own Matrix account as the Matrix puppet for your Telegram account.
    sync_with_custom_puppets: true
    # Set to false to disable link previews in messages sent to Telegram.
    telegram_link_preview: true
    # Use inline images instead of a separate message for the caption.
    # N.B. Inline images are not supported on all clients (e.g. Riot iOS).
    inline_images: false
    # Maximum size of image in megabytes before sending to Telegram as a document.
    image_as_file_size: 10
    # Maximum size of Telegram documents in megabytes to bridge.
    max_document_size: 100

    # Whether to bridge Telegram bot messages as m.notices or m.texts.
    bot_messages_as_notices: true
    bridge_notices:
        # Whether or not Matrix bot messages (type m.notice) should be bridged.
        default: false
        # List of user IDs for whom the previous flag is flipped.
        # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
        #      notices from users listed here will be bridged.
        exceptions:
        #- "@importantbot:example.com"
        - '@importantbot:matrix.rockstable.it'

    # Some config options related to Telegram message deduplication.
    # The default values are usually fine, but some debug messages/warnings might recommend you
    # change these.
    deduplication:
        # Whether or not to check the database if the message about to be sent is a duplicate.
        pre_db_check: false
        # The number of latest events to keep when checking for duplicates.
        # You might need to increase this on high-traffic bridge instances.
        cache_queue_length: 20

    # The formats to use when sending messages to Telegram via the relay bot.
    #
    # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users.
    #
    # Available variables:
    #   $sender_displayname - The display name of the sender (e.g. Example User)
    #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
    #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
    #   $message            - The message content as HTML
    message_formats:
        m.text: '<b>$sender_displayname</b>: $message'
        m.emote: '* <b>$sender_displayname</b> $message'
        m.file: '<b>$sender_displayname</b> sent a file: $message'
        m.image: '<b>$sender_displayname</b> sent an image: $message'
        m.audio: '<b>$sender_displayname</b> sent an audio file: $message'
        m.video: '<b>$sender_displayname</b> sent a video: $message'
        m.location: '<b>$sender_displayname</b> sent a location: $message'

    # The formats to use when sending state events to Telegram via the relay bot.
    #
    # Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
    # In name_change events, `$prev_displayname` is the previous displayname.
    #
    # Set format to an empty string to disable the messages for that event.
    state_event_formats:
        join: <b>$displayname</b> joined the room.
        leave: <b>$displayname</b> left the room.
        name_change: <b>$prev_displayname</b> changed their name to <b>$displayname</b>

    # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
    # `filter-mode` management commands.
    #
    # Filters do not affect direct chats.
    # An empty blacklist will essentially disable the filter.
    filter:
        # Filter mode to use. Either "blacklist" or "whitelist".
        # If the mode is "blacklist", the listed chats will never be bridged.
        # If the mode is "whitelist", only the listed chats can be bridged.
        mode: blacklist
        # The list of group/channel IDs to filter.
        list: []

    # The prefix for commands. Only required in non-management rooms.
    command_prefix: '!tg'

    # Permissions for using the bridge.
    # Permitted values:
    #    relaybot - Only use the bridge via the relaybot, no access to commands.
    #        user - Relaybot level + access to commands to create bridges.
    #   puppeting - User level + logging in with a Telegram account.
    #        full - Full access to use the bridge, i.e. previous levels + Matrix login.
    #       admin - Full access to use the bridge and some extra administration commands.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions:
        '*': relaybot
        public.matrix.rockstable.it: user
        matrix.rockstable.it: full
        '@rockstable:matrix.rockstable.it': admin

    relaybot:
        # Whether or not to allow creating portals from Telegram.
        authless_portals: true
        # Whether or not to allow Telegram group admins to use the bot commands.
        whitelist_group_admins: true
        # Whether or not to ignore incoming events sent by the relay bot.
        ignore_own_incoming_events: true
        # List of usernames/user IDs who are also allowed to use the bot commands.
        whitelist:
        #- myusername
        #- 12345678
        - rockstable

# Telegram config
telegram:
    # Get your own API keys at https://my.telegram.org/apps
    api_id: <API_ID>
    api_hash: '<API_HASH>'
    # (Optional) Create your own bot at https://t.me/BotFather
    bot_token: '<BOT_TOKEN>'

    # Telethon connection options.
    connection:
        # The timeout in seconds to be used when connecting.
        timeout: 120
        # How many times the reconnection should retry, either on the initial connection or when
        # Telegram disconnects us. May be set to a negative or null value for infinite retries, but
        # this is not recommended, since the program can get stuck in an infinite loop.
        retries: 5
        # The delay in seconds to sleep between automatic reconnections.
        retry_delay: 1
        # The threshold below which the library should automatically sleep on flood wait errors
        # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
        # is 20s, the library will sleep automatically. If the error was for 21s, it would raise
        # the error instead. Values larger than a day (86400) will be changed to a day.
        flood_sleep_threshold: 60
        # How many times a request should be retried. Requests are retried when Telegram is having
        # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
        # there's a migrate error. May take a negative or null value for infinite retries, but this
        # is not recommended, since some requests can always trigger a call fail (such as searching
        # for messages).
        request_retries: 5

    # Device info sent to Telegram.
    device_info:
        # "auto" = OS name+version.
        device_model: auto
        # "auto" = Telethon version.
        system_version: auto
        # "auto" = mautrix-telegram version.
        app_version: auto
        lang_code: en
        system_lang_code: en

    # Custom server to connect to.
    server:
        # Set to true to use these server settings. If false, will automatically
        # use production server assigned by Telegram. Set to false in production.
        enabled: true
        # The DC ID to connect to.
        dc: 2
        # The IP to connect to.
        ip: 149.154.167.50
        # The port to connect to. 443 may not work, 80 is better and both are equally secure.
        port: 443

    # Telethon proxy configuration.
    # You must install PySocks from pip for proxies to work.
    proxy:
        # Allowed types: disabled, socks4, socks5, http
        type: disabled
        # Proxy IP address and port.
        address: 127.0.0.1
        port: 1080
        # Whether or not to perform DNS resolving remotely.
        rdns: true
        # Proxy authentication (optional).
        username: ''
        password: ''

# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
    version: 1
    formatters:
        precise:
            format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
    handlers:
        file:
            class: logging.handlers.RotatingFileHandler
            formatter: precise
            #filename: ./mautrix-telegram.log
            filename: /var/log/mautrix-telegram/mautrix-telegram.log
            maxBytes: 10485760
            backupCount: 10
        console:
            class: logging.StreamHandler
            formatter: precise
    loggers:
        mau:
            level: DEBUG
        telethon:
            level: DEBUG
        aiohttp:
            level: INFO
    root:
        level: DEBUG
        handlers: [file, console]
SystemD integration of mautrix-telegram
Create a file that defines environment variables
Create a systemd-unit /lib/systemd/system/mautrix-telegram.service
[Unit]
Description=Mautrix Telegram Bridge
ConditionPathExists=/etc/mautrix-telegram/config.yaml
After=matrix-synapse.service
After=syslog.target

[Service]
Type=simple
User=mautrix-telegram
Group=mautrix-telegram
WorkingDirectory=/var/lib/mautrix-telegram
EnvironmentFile=/etc/default/mautrix-telegram
ExecStart=/opt/mautrix-telegram/bin/python -m mautrix_telegram -c /etc/mautrix-telegram/config.yaml -r /etc/mautrix-telegram/registration.yaml
Restart=on-failure
RestartSec=3
SyslogIdentifier=mautrix-telegram
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target
Use
- Create a channel and invite the Telegram bridge bot @telegrambot:matrix.rockstable.it; this will become your management channel. There the prefix !tg is not required and privileged commands may be used.
- Check your bot with ping and ping-bot
- login to your Telegram account
- Get invited to your new portal rooms in Matrix (patience please)
- Like it!
Migration to postgres
Prepare database
Install optional dependencies
Adjust the database configuration in /etc/mautrix-telegram/config.yaml
appservice:
    # The full URI to the database. SQLite and Postgres are fully supported.
    # Other DBMSes supported by SQLAlchemy may or may not work.
    # Format examples:
    #   SQLite:   sqlite:///filename.db
    #   Postgres: postgres://username:password@hostname/dbname
    database: postgres://mautrix-telegram:password_redacted@localhost/mautrix-telegram
    #database: sqlite:////var/lib/mautrix-telegram/mautrix-telegram.db
Migrate database
Mautrix-WhatsApp
About
A Matrix-WhatsApp puppeting bridge
Build
Install golang-go (from backports v1.14+) and libolm3 to build the project
Clone and build the project
Create the daemon user, its group and its home directory, to separate persistent variable data (e.g. the SQLite DB) from the source code.
DAEMON_USER="mautrix-whatsapp"
addgroup --system "$DAEMON_USER"
adduser --system \
    --ingroup "$DAEMON_USER" \
    --home /var/lib/"$DAEMON_USER" \
    --gecos "Matrix WhatsApp Bridge,," \
    "$DAEMON_USER"
chmod 2750 /var/lib/"$DAEMON_USER"
### Create log directory
install -o "$DAEMON_USER" -g adm \
    -m 2750 -d \
    /var/log/"$DAEMON_USER"
### Create configuration directory
install -o root -g "$DAEMON_USER" \
    -m 750 -d /etc/"$DAEMON_USER"
Upgrade
Configure
Make a copy of the example-config.yaml and adjust it to your needs.
At least configure
- Mandatory:
  - homeserver
  - app_id, api_hash
- Optionally:
  - bot_token
Generate the appservice registration
DAEMON_USER="mautrix-whatsapp"
"./$DAEMON_USER" -g \
    -c /etc/"$DAEMON_USER"/config.yaml \
    -r /etc/"$DAEMON_USER"/registration.yaml
chown root:"$DAEMON_USER" /etc/"$DAEMON_USER"/{config.yaml,registration.yaml}
chmod 640 /etc/"$DAEMON_USER"/{config.yaml,registration.yaml}
adduser matrix-synapse "$DAEMON_USER"
Add the path to the registration file to your Synapse's /etc/matrix-synapse/homeserver.yaml under app_service_config_files. Restart Synapse to apply changes.
SystemD integration of mautrix-whatsapp
Create a file that defines environment variables
Create a systemd-unit /lib/systemd/system/mautrix-whatsapp.service
[Unit]
Description=Mautrix WhatsApp Bridge
ConditionPathExists=/etc/mautrix-whatsapp/config.yaml
After=matrix-synapse.service
After=syslog.target

[Service]
Type=simple
User=mautrix-whatsapp
Group=mautrix-whatsapp
WorkingDirectory=/var/lib/mautrix-whatsapp
EnvironmentFile=/etc/default/mautrix-whatsapp
ExecStart=/opt/mautrix-whatsapp/mautrix-whatsapp -c /etc/mautrix-whatsapp/config.yaml -r /etc/mautrix-whatsapp/registration.yaml
Restart=on-failure
RestartSec=3
SyslogIdentifier=mautrix-whatsapp
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target
Migration to postgres
There is currently no database-migration script like in mautrix-telegram, so you'll lose anything that is stored in the sqlite3 database. Initializing the database means losing room memberships, contacts and their pictures, but they will be resynced when you start the bridge after the migration. I guess chats that have already been closed in WhatsApp will be terminally lost. If you're at the very beginning of building up your server, this shouldn't be a problem. Otherwise you still have the option to perform a manual migration from sqlite to postgres, which is not described here.
Adjust the database configuration in /etc/mautrix-whatsapp/config.yaml
Stop and start mautrix-whatsapp.
Android Virtual Device (AVD)
- In Matrix, create a bridge management channel by inviting the bot to a channel.
Install Android-Studio
- Create an AVD with a new Google-Play-enabled Android
- Link your webcam to the back camera of the AVD
- Start the AVD
Install WhatsApp
In WhatsApp
- Register
- Enter your phone number
- Verify your account by typing the 6-digit code you received by SMS
- Adjust permissions
  - Allow WhatsApp access to the camera
  - (optionally) Make sure to block access to contacts
- Register
Login mautrix-whatsapp as WhatsApp-Web
Type login in your Matrix WhatsApp management channel and a QR code will come up.
In WhatsApp
Go to the home screen menu in the top right (three dots), select WhatsApp Web, and the picture of your webcam should appear on the screen.
- Scan the QR-Code and the whatsapp-bridge gets logged in and starts synchronizing your contacts and chats.
This Android Virtual Device must stay connected to the WhatsApp networks for your bridge authentication and authorization to stay valid. There are ways to run this headless on a server, but it's challenging. So making this AVD bullet-proof remains a task to be solved, later.
Mautrix-Signal
About
A Matrix-Signal puppeting bridge.
signald
Prerequisites
Install virtualenv (python3) to satisfy python dependencies and not clash with your distribution.
aptitude install virtualenv python3-dev build-essential
Signald
/etc/apt/sources.list.d/signald.list
deb https://updates.signald.org unstable main
Verify it is running
signaldctl version
Setup
Create a directory containing a fresh virtual python3 environment
Create the daemon user, its group and its home directory, to separate persistent variable data (e.g. the SQLite DB) from the source code.
DAEMON_USER="mautrix-signal"
addgroup --system "$DAEMON_USER"
adduser --system \
    --ingroup "$DAEMON_USER" \
    --home /var/lib/"$DAEMON_USER" \
    --gecos "Matrix Signal Bridge,," \
    "$DAEMON_USER"
chmod 2750 /var/lib/"$DAEMON_USER"
### Create log directory
install -o "$DAEMON_USER" -g adm \
    -m 2750 -d \
    /var/log/"$DAEMON_USER"
### Create configuration directory
install -o root -g "$DAEMON_USER" \
    -m 750 -d /etc/"$DAEMON_USER"
At least configure
- Mandatory:
  - homeserver
  - database
  - permissions
- Optionally:
  - community_id
  - logging path
  - path to /run
Prepare database
/etc/mautrix-signal/config.yaml
# Homeserver details
homeserver:
    # The address that this appservice can use to connect to the homeserver.
    address: "https://matrix.rockstable.it"
    # The domain of the homeserver (for MXIDs, etc).
    domain: "matrix.rockstable.it"
    # Whether or not to verify the SSL certificate of the homeserver.
    # Only applies if address starts with https://
    verify_ssl: true
    asmux: false

# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: http://localhost:29328
    # When using https:// the TLS certificate and key files for the address.
    tls_cert: false
    tls_key: false

    # The hostname and port where this appservice should listen.
    hostname: 127.0.0.1
    port: 29328
    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 1

    # The full URI to the database. Only Postgres is currently supported.
    database: postgres://mautrix-signal:_secure_long_password_@localhost/mautrix-signal
    # Additional arguments for asyncpg.create_pool()
    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
    database_opts:
        min_size: 5
        max_size: 10

    # The unique ID of this appservice.
    id: signal
    # Username of the appservice bot.
    bot_username: signalbot
    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
    # to leave display name/avatar as-is.
    bot_displayname: Signal bridge bot
    bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp

    # Community ID for bridged users (changes registration file) and rooms.
    # Must be created manually.
    #
    # Example: "+signal:example.com". Set to false to disable.
    community_id: +signal:matrix.rockstable.it

    # Whether or not to receive ephemeral events via appservice transactions.
    # Requires MSC2409 support (i.e. Synapse 1.22+).
    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
    ephemeral_events: false

    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: "This value is generated when generating the registration"
    hs_token: "This value is generated when generating the registration"

# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
    enabled: false
    listen_port: 8000

signal:
    # Path to signald unix socket
    #socket_path: /var/run/signald/signald.sock
    socket_path: /run/signald/signald.sock
    # Directory for temp files when sending files to Signal. This should be an
    # absolute path that signald can read. For attachments in the other direction,
    # make sure signald is configured to use an absolute path as the data directory.
    outgoing_attachment_dir: /tmp
    # Directory where signald stores avatars for groups.
    avatar_dir: ~/.config/signald/avatars
    # Directory where signald stores auth data. Used to delete data when logging out.
    data_dir: ~/.config/signald/data
    # Whether or not message attachments should be removed from disk after they're bridged.
    remove_file_after_handling: true

# Bridge config
bridge:
    # Localpart template of MXIDs for Signal users.
    # {userid} is replaced with an identifier for the Signal user.
    username_template: signal_{userid}
    # Displayname template for Signal users.
    # {displayname} is replaced with the displayname of the Signal user, which is the first
    # available variable in displayname_preference. The variables in displayname_preference
    # can also be used here directly.
    displayname_template: '{displayname} (Signal)'
    # Whether or not contact list displaynames should be used.
    # Possible values: disallow, allow, prefer
    #
    # Multi-user instances are recommended to disallow contact list names, as otherwise there can
    # be conflicts between names from different users' contact lists.
    contact_list_names: disallow
    # Available variables: full_name, first_name, last_name, phone, uuid
    displayname_preference:
        - full_name
        - phone

    # Whether or not to create portals for all groups on login/connect.
    autocreate_group_portal: true
    # Whether or not to create portals for all contacts on login/connect.
    autocreate_contact_portal: false
    # Whether or not to use /sync to get read receipts and typing notifications
    # when double puppeting is enabled
    sync_with_custom_puppets: true
    # Whether or not to update the m.direct account data event when double puppeting is enabled.
    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
    # and is therefore prone to race conditions.
    sync_direct_chat_list: false
    # Allow using double puppeting from any server with a valid client .well-known file.
    double_puppet_allow_discovery: false
    # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
    double_puppet_server_map:
        example.com: https://example.com
    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
    #
    # If set, custom puppets will be enabled automatically for local users
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    # If using this for other servers than the bridge's server,
    # you must also set the URL in the double_puppet_server_map.
    login_shared_secret_map:
        example.com: foo
    # Whether or not created rooms should have federation enabled.
    # If false, created portal rooms will never be federated.
    federate_rooms: true
    # End-to-bridge encryption support options. You must install the e2be optional dependency for
    # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: false
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: false
        # Options for automatic key sharing.
        key_sharing:
            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
            # You must use a client that supports requesting keys from other users to use this feature.
            allow: false
            # Require the requesting device to have a valid cross-signing signature?
            # This doesn't require that the bridge has verified the device, only that the user has verified it.
            # Not yet implemented.
            require_cross_signing: false
            # Require devices to be verified by the bridge?
            # Verification by the bridge is not yet implemented.
            require_verification: true
    # Whether or not to explicitly set the avatar and room name for private
    # chat portal rooms. This will be implicitly enabled if encryption.default is true.
    private_chat_portal_meta: false
    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
    # been sent to Signal. This lets you check manually whether the bridge is receiving your
    # messages.
    # Note that this is not related to Signal delivery receipts.
    delivery_receipts: false
    # Whether or not delivery errors should be reported as messages in the Matrix room. (not yet implemented)
    delivery_error_reports: false
    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
    # This field will automatically be changed back to false after it,
    # except if the config file is not writable.
    resend_bridge_info: false

    # Provisioning API part of the web server for automated portal creation and fetching information.
    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
    provisioning:
        # Whether or not the provisioning API should be enabled.
        enabled: true
        # The prefix to use in the provisioning API endpoints.
        prefix: /_matrix/provision/v1
        # The shared secret to authorize users of the API.
        # Set to "generate" to generate and save a new token.
        shared_secret: generate

    # The prefix for commands. Only required in non-management rooms.
    command_prefix: '!signal'

    # Permissions for using the bridge.
    # Permitted values:
    #     user - Use the bridge with puppeting.
    #    admin - Use and administrate the bridge.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions:
        '@rockstable:matrix.rockstable.it': admin
        matrix.rockstable.it: user

logging:
    version: 1
    formatters:
        colored:
            (): mautrix_signal.util.ColorFormatter
            format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
        normal:
            format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
    handlers:
        file:
            class: logging.handlers.RotatingFileHandler
            formatter: normal
            filename: /var/log/mautrix-signal/mautrix-signal.log
            maxBytes: 10485760
            backupCount: 10
        console:
            class: logging.StreamHandler
            formatter: colored
    loggers:
        mau:
            level: DEBUG
        aiohttp:
            level: INFO
    root:
        level: DEBUG
        handlers: [file, console]
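Several keys in the configuration above decide who may use the bridge and how its secrets travel: verify_ssl, the appservice listener address, the database URI, permissions, the double-puppeting settings and the key-sharing options. The script below is an added example (not part of the page or of mautrix-signal) that audits a loaded config for weak values of exactly those keys. It assumes the YAML has already been parsed into a dict, e.g. with PyYAML's safe_load; SAMPLE_CONFIG is a constructed subset of the file above, and the placeholder strings it looks for are the ones that appear in that file.

```python
"""Audit a parsed mautrix-signal config.yaml for weak settings (added example)."""
from typing import Any, Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Placeholder values copied from the sample config; they must not reach production
PLACEHOLDER_DB_PASSWORD = "_secure_long_password_"
PLACEHOLDER_SECRETS = {"foo", ""}


def _get(cfg: Dict[str, Any], *path: str, default: Any = None) -> Any:
    """Walk nested dicts safely, returning default when any key is absent."""
    node: Any = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []

    # Every call to the homeserver carries the as_token; https without
    # verification leaves that token open to interception.
    address = str(_get(cfg, "homeserver", "address", default=""))
    if address.startswith("https://") and _get(cfg, "homeserver", "verify_ssl") is not True:
        findings.append("homeserver.verify_ssl is not true for an https address")

    # Only Synapse on the same host needs to reach the appservice listener.
    if str(_get(cfg, "appservice", "hostname", default="")) not in LOOPBACK:
        findings.append("appservice.hostname is not a loopback address")

    if PLACEHOLDER_DB_PASSWORD in str(_get(cfg, "appservice", "database", default="")):
        findings.append("appservice.database still contains the placeholder password")

    # '*' grants every Matrix user on every federated server use of the bridge;
    # admin should only ever be granted to a full MXID.
    permissions = _get(cfg, "bridge", "permissions", default={}) or {}
    for key, level in permissions.items():
        if key == "*" and level in ("user", "admin"):
            findings.append(f"bridge.permissions grants {level} to '*' (all Matrix users)")
        if level == "admin" and not str(key).startswith("@"):
            findings.append(f"bridge.permissions grants admin to non-MXID key {key!r}")

    # Discovery lets any server with a .well-known opt in to double puppeting.
    if _get(cfg, "bridge", "double_puppet_allow_discovery") is True:
        findings.append("bridge.double_puppet_allow_discovery is enabled")
    secrets = _get(cfg, "bridge", "login_shared_secret_map", default={}) or {}
    for domain, secret in secrets.items():
        if str(secret) in PLACEHOLDER_SECRETS:
            findings.append(f"bridge.login_shared_secret_map[{domain!r}] is a placeholder secret")

    # Key sharing without verification hands room keys to any device of a permitted user.
    sharing_on = _get(cfg, "bridge", "encryption", "key_sharing", "allow") is True
    verified = _get(cfg, "bridge", "encryption", "key_sharing", "require_verification") is True
    if sharing_on and not verified:
        findings.append("bridge.encryption.key_sharing.allow is set without require_verification")

    return findings


# Constructed subset of the config above, as yaml.safe_load would return it
SAMPLE_CONFIG: Dict[str, Any] = {
    "homeserver": {"address": "https://matrix.rockstable.it",
                   "domain": "matrix.rockstable.it", "verify_ssl": True},
    "appservice": {"hostname": "127.0.0.1", "port": 29328,
                   "database": "postgres://mautrix-signal:_secure_long_password_@localhost/mautrix-signal"},
    "bridge": {
        "double_puppet_allow_discovery": False,
        "login_shared_secret_map": {"example.com": "foo"},
        "encryption": {"allow": False,
                       "key_sharing": {"allow": False, "require_verification": True}},
        "permissions": {"@rockstable:matrix.rockstable.it": "admin",
                        "matrix.rockstable.it": "user"},
    },
}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Against the sample it reports the two placeholders that the file above still carries (the database password and the example.com login shared secret); the other checks only fire when the corresponding key is loosened.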
Generate the appservice registration (mind the underscore in the Python module name, mautrix_signal, as opposed to the hyphen in the package and user name).
DAEMON_USER="mautrix-signal"
### Generate the registration from the config; run this with the bridge's
### virtualenv python, the same interpreter the systemd unit below uses
python -m "mautrix_signal" -g \
    -c /etc/"$DAEMON_USER"/config.yaml \
    -r /etc/"$DAEMON_USER"/registration.yaml
### Both files hold the as_token/hs_token pair: root owns them and only the
### daemon group may read them
chown root:"$DAEMON_USER" /etc/"$DAEMON_USER"/{config.yaml,registration.yaml}
chmod 640 /etc/"$DAEMON_USER"/{config.yaml,registration.yaml}
### Synapse has to read registration.yaml; the bridge has to reach signald's socket
adduser matrix-synapse "$DAEMON_USER"
adduser "$DAEMON_USER" signald
### FIX SOME PERMISSIONS: the bridge writes config.yaml itself (e.g. to save the
### generated provisioning shared_secret, or to reset resend_bridge_info), so the
### daemon group needs write access; it also stores group avatars via signald
chmod 660 /etc/"$DAEMON_USER"/config.yaml
chmod 770 /var/lib/signald/avatars
Add the path to the registration file to your Synapse's /etc/matrix-synapse/homeserver.yaml under app_service_config_files. Restart Synapse to apply changes.
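The registration file is what lets Synapse and the bridge authenticate each other: Synapse presents the hs_token on every transaction it pushes to the bridge, and the bridge presents the as_token on every client-server call it makes, optionally masquerading as one of its puppet users. The snippet below is an added example, not code from mautrix-signal or Synapse, showing that exchange in the shape the application service API uses; the token values are constructed, and the bearer-header and access_token query forms are the two ways the homeserver may present hs_token.

```python
"""How as_token and hs_token from registration.yaml are used on the wire (added example)."""
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-ins for the values `-g` writes into registration.yaml
REGISTRATION = {
    "id": "signal",
    "url": "http://localhost:29328",
    "as_token": "as-token-constructed-for-this-example",
    "hs_token": "hs-token-constructed-for-this-example",
}


def _bearer(headers: Dict[str, str]) -> Optional[str]:
    """Extract the token from an Authorization: Bearer header, if present."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.startswith("Bearer "):
            return value[len("Bearer "):]
    return None


def authorize_transaction(url: str, headers: Dict[str, str], hs_token: str) -> Tuple[int, str]:
    """Decide whether a homeserver -> appservice request may be processed.

    Returns (200, "OK"), (401, "M_UNAUTHORIZED") when no token was presented, or
    (403, "M_FORBIDDEN") when the presented token is wrong. The token may arrive
    as `Authorization: Bearer` or, from older homeservers, as ?access_token=.
    """
    presented = _bearer(headers)
    if presented is None:
        presented = parse_qs(urlsplit(url).query).get("access_token", [None])[0]
    if presented is None:
        return 401, "M_UNAUTHORIZED"
    # Constant-time comparison: a plain == would leak prefix-match timing.
    if not hmac.compare_digest(presented.encode(), hs_token.encode()):
        return 403, "M_FORBIDDEN"
    return 200, "OK"


def appservice_request(base_url: str, path: str, as_token: str,
                       user_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Build (url, headers) for an appservice -> homeserver call.

    user_id masquerades as a user inside the appservice's registered namespace,
    which is how the bridge acts as its signal_* puppets.
    """
    url = base_url.rstrip("/") + path
    if user_id is not None:
        url += ("&" if "?" in url else "?") + "user_id=" + quote(user_id, safe="")
    return url, {"Authorization": "Bearer " + as_token}


if __name__ == "__main__":
    hs = REGISTRATION["hs_token"]
    print(authorize_transaction("/_matrix/app/v1/transactions/1", {}, hs))
    print(authorize_transaction("/_matrix/app/v1/transactions/1",
                                {"Authorization": "Bearer " + hs}, hs))
    print(appservice_request("https://matrix.rockstable.it", "/_matrix/client/v3/account/whoami",
                             REGISTRATION["as_token"], "@signal_1:matrix.rockstable.it"))
```

Because both tokens sit in registration.yaml and config.yaml, anyone who can read those files can both impersonate Synapse towards the bridge and act as any puppet user towards Synapse, which is why the chown/chmod steps above keep them to root and the daemon group.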
SystemD integration of mautrix-signal
Create a file that defines environment variables
Create a systemd-unit /lib/systemd/system/mautrix-signal.service
[Unit]
Description=Mautrix Signal Bridge
ConditionPathExists=/etc/mautrix-signal/config.yaml
After=matrix-synapse.service signald.service
After=syslog.target

[Service]
Type=simple
User=mautrix-signal
Group=mautrix-signal
WorkingDirectory=/var/lib/mautrix-signal
EnvironmentFile=/etc/default/mautrix-signal
ExecStart=/opt/mautrix-signal/bin/python -m mautrix_signal -c /etc/mautrix-signal/config.yaml -r /etc/mautrix-signal/registration.yaml
Restart=on-failure
RestartSec=3
SyslogIdentifier=mautrix-signal
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target
Reload SystemD, enable the service on boot and start the service
Use mautrix-signal
https://docs.mau.fi/bridges/python/signal/authentication.html
1. Open a private chat with @signalbot:matrix.rockstable.it
2. Type link and a QR code will appear
3. In your mobile Signal app go to Linked devices
4. Scan the QR code and allow the connection.
matrix-appservice-irc
About
There are multiple bridges to IRC
I'll test matrix-org/matrix-appservice-irc first.
Setup
Download the source from github
Install npm from the backports and build the project
Create a user
DAEMON_USER="matrix-appservice-irc"
### Create a system group and a system user (no login shell) whose home
### directory holds the bridge's persistent state
addgroup --system "$DAEMON_USER"
adduser --system \
    --ingroup "$DAEMON_USER" \
    --home /var/lib/"$DAEMON_USER" \
    --gecos "Matrix IRC Bridge,," \
    "$DAEMON_USER"
### Home is private to the daemon; setgid keeps new files in the daemon group
chmod 2750 /var/lib/"$DAEMON_USER"
### Create log directory, owned by the daemon, readable by the adm group
install -o "$DAEMON_USER" -g adm \
    -m 2750 -d \
    /var/log/"$DAEMON_USER"
### Create configuration directory: root owns it, the daemon group may enter it
install -o root -g "$DAEMON_USER" \
    -m 750 -d /etc/"$DAEMON_USER"
Prepare database
Configure the bridge
Create a PEM-encoded RSA keypair, referenced by passwordEncryptionKeyPath, which the bridge uses to encrypt the IRC passwords it stores in the database.
/etc/matrix-appservice-irc/config.yaml
# Configuration specific to AS registration. Unless otherwise marked, all fields
# are *REQUIRED*.
# Unless otherwise specified, these keys CANNOT be hot-reloaded.
homeserver:
  # The URL to the home server for client-server API calls, also used to form the
  # media URLs as displayed in bridged IRC channels:
  #url: "http://localhost:8008"
  url: "https://matrix.rockstable.it"
  #
  # The URL of the homeserver hosting media files. This is only used to transform
  # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By
  # default, this is the homeserver URL, specified above.
  # This key CAN be hot-reloaded.
  # media_url: "http://media.repo:8008"

  # Drop Matrix messages which are older than this number of seconds, according to
  # the event's origin_server_ts.
  # If the bridge is down for a while, the homeserver will attempt to send all missed
  # events on reconnection. These events may be hours old, which can be confusing to
  # IRC users if they are then bridged. This option allows these old messages to be
  # dropped.
  # CAUTION: This is a very coarse heuristic. Federated homeservers may have different
  # clock times and hence produce different origin_server_ts values, which may be old
  # enough to cause *all* events from the homeserver to be dropped.
  # Default: 0 (don't ever drop)
  # This key CAN be hot-reloaded.
  # dropMatrixMessagesAfterSecs: 300 # 5 minutes

  # The 'domain' part for user IDs on this home server. Usually (but not always)
  # is the "domain name" part of the HS URL.
  domain: "matrix.rockstable.it"

  # Should presence be enabled for matrix clients on this bridge. If disabled on the
  # homeserver then it should also be disabled here to avoid excess traffic.
  # Default: true
  enablePresence: true

  # Which port should the appservice bind to. Can be overridden by the one provided in the
  # command line! Optional.
  bindPort: 9999

  # Use this option to force the appservice to listen on another hostname for transactions.
  # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional.
  bindHostname: 127.0.0.1

# Configuration specific to the IRC service
ircService:
  # All server keys can be hot-reloaded, however existing IRC connections
  # will not have changes applied to them.
  servers:
    # The address of the server to connect to.
    chat.freenode.net:
      # A human-readable short name. This is used to label IRC status rooms
      # where matrix users control their connections.
      # E.g. 'ExampleNet IRC Bridge status'.
      # It is also used in the Third Party Lookup API as the instance `desc`
      # property, where each server is an instance.
      name: "chat.freenode.net"
      # Additional addresses to connect to, used for load balancing between IRCDs.
      #additionalAddresses: [ "irc2.example.com" ]
      # Typically additionalAddresses would be in addition to the address key given above,
      # but some configurations wish to exclusively use additional addresses while reserving
      # the top key for identification purposes. Set this to true to exclusively use the
      # additionalAddresses array when connecting to servers.
      onlyAdditionalAddresses: false
      #
      # [DEPRECATED] Use `name`, above, instead.
      # A human-readable description string
      # description: "Example.com IRC network"

      # An ID for uniquely identifying this server amongst other servers being bridged.
      # networkId: "example"

      # MXC URL to an icon used as the network icon whenever this network appears in
      # a network list. (Like in the Element room directory, for instance.)
      # icon: mxc://matrix.org/LpsSLrbANVrEIEOgEaVteItf

      # The port to connect to. Optional.
      port: 6697
      # Whether to use SSL or not. Default: false.
      ssl: true
      # Whether or not IRC server is using a self-signed cert or not providing CA Chain
      sslselfsign: false
      # Should the connection attempt to identify via SASL (if a server or user password is given)
      # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS.
      sasl: false
      # Whether to allow expired certs when connecting to the IRC server.
      # Usually this should be off. Default: false.
      allowExpiredCerts: false
      # Set additional TLS options for the connections to the IRC server.
      #tlsOptions:
        # A specific CA to trust instead of the default CAs. Optional.
        #ca: |
        #  -----BEGIN CERTIFICATE-----
        #  ...
        #  -----END CERTIFICATE-----
        # Server name for the SNI (Server Name Indication) TLS extension. If the address you
        # are using does not report the correct certificate name, you can override it here.
        # servername: real.server.name
        # ...or any options in https://nodejs.org/api/tls.html#tls_tls_connect_options_callback

      #
      # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional.
      # password: 'pa$$w0rd'
      #
      # Whether or not to send connection/error notices to real Matrix users. Default: true.
      sendConnectionMessages: true

      quitDebounce:
        # Whether parts due to net-splits are debounced for delayMs, to allow
        # time for the netsplit to resolve itself. A netsplit is detected as being
        # a QUIT rate higher than quitsPerSecond. Default: false.
        enabled: false
        # The maximum number of quits per second acceptable above which a netsplit is
        # considered ongoing. Default: 5.
        quitsPerSecond: 5
        # The time window in which to wait before bridging a QUIT to Matrix that occurred during
        # a netsplit. Debouncing is jittered randomly between delayMinMs and delayMaxMs so that the HS
        # is not sent many requests to leave rooms all at once if a netsplit occurs and many
        # people do not rejoin.
        # If the user with the same IRC nick as the one who sent the quit rejoins a channel
        # they are considered back online and the quit is not bridged, so long as the rejoin
        # occurs before the randomly-jittered timeout is reached.
        # Default: 3600000, = 1h
        delayMinMs: 3600000 # 1h
        # Default: 7200000, = 2h
        delayMaxMs: 7200000 # 2h

      # A map for conversion of IRC user modes to Matrix power levels. This enables bridging
      # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has
      # been given multiple modes, the one that maps to the highest power level will be used.
      modePowerMap:
        o: 50
        v: 1

      botConfig:
        # Enable the presence of the bot in IRC channels. The bot serves as the entity
        # which maps from IRC -> Matrix. You can disable the bot entirely which
        # means IRC -> Matrix chat will be shared by active "M-Nick" connections
        # in the room. If there are no users in the room (or if there are users
        # but their connections are not on IRC) then nothing will be bridged to
        # Matrix. If you're concerned about the bot being treated as a "logger"
        # entity, then you may want to disable the bot. If you want IRC->Matrix
        # but don't want to have TCP connections to IRC unless a Matrix user speaks
        # (because your client connection limit is low), then you may want to keep
        # the bot enabled. Default: true.
        # NB: If the bot is disabled, you SHOULD have matrix-to-IRC syncing turned
        # on, else there will be no users and no bot in a channel (meaning no
        # messages to Matrix!) until a Matrix user speaks which makes a client
        # join the target IRC channel.
        # NBB: The bridge bot IRC client will still join the target IRC network so
        # it can service bridge-specific queries from the IRC-side e.g. so
        # real IRC clients have a way to change their Matrix display name.
        # See https://github.com/matrix-org/matrix-appservice-irc/issues/55
        enabled: true
        # The nickname to give the AS bot.
        nick: "MatrixBot"
        # The username to give to the AS bot. Defaults to "matrixbot"
        username: "matrixbot"
        # The password to give to NickServ or IRC Server for this nick. Optional.
        # password: "helloworld"
        #
        # Join channels even if there are no Matrix users on the other side of
        # the bridge. Set to false to prevent the bot from joining channels which have no
        # real matrix users in them, even if there is a mapping for the channel.
        # Default: true
        joinChannelsIfNoUsers: true

      # Configuration for PMs / private 1:1 communications between users.
      privateMessages:
        # Enable the ability for PMs to be sent to/from IRC/Matrix.
        # Default: true.
        enabled: true
        # Prevent Matrix users from sending PMs to the following IRC nicks.
        # Optional. Default: [].
        # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED

        # Should created Matrix PM rooms be federated? If false, only users on the
        # HS attached to this AS will be able to interact with this room.
        # Optional. Default: true.
        federate: true

      # Configuration for mappings not explicitly listed in the 'mappings'
      # section.
      dynamicChannels:
        # Enable the ability for Matrix users to join *any* channel on this IRC
        # network.
        # Default: false.
        enabled: true
        # Should the AS create a room alias for the new Matrix room? The form of
        # the alias can be modified via 'aliasTemplate'. Default: true.
        createAlias: true
        # Should the AS publish the new Matrix room to the public room list so
        # anyone can see it? Default: true.
        published: true
        # Publish the rooms to the homeserver directory, as opposed to the appservice
        # room directory. Only used if `published` is on.
        # Default: false
        useHomeserverDirectory: true
        # What should the join_rule be for the new Matrix room? If 'public',
        # anyone can join the room. If 'invite', only users with an invite can
        # join the room. Note that if an IRC channel has +k or +i set on it,
        # join_rules will be set to 'invite' until these modes are removed.
        # Default: "public".
        joinRule: public
        # This will set the m.room.related_groups state event in newly created rooms
        # with the given groupId. This means flares will show up on IRC users in those rooms.
        # This should be set to the same thing as namespaces.users.group_id in irc_registration.
        # This does not alter existing rooms.
        # Leaving this option empty will not set the event.
        groupId: +myircnetwork:localhost
        # Should created Matrix rooms be federated? If false, only users on the
        # HS attached to this AS will be able to interact with this room.
        # Default: true.
        federate: true
        # Force this room version when creating IRC channels. Beware if the homeserver doesn't
        # support the room version then the request will fail. By default, no version is requested.
        # roomVersion: "1"
        # The room alias template to apply when creating new aliases. This only
        # applies if createAlias is 'true'. The following variables are exposed:
        # $SERVER => The IRC server address (e.g. "irc.example.com")
        # $CHANNEL => The IRC channel (e.g. "#python")
        # This MUST have $CHANNEL somewhere in it.
        #
        # In certain circumstances you might want to bridge your whole IRC network as a
        # homeserver (e.g. #matrix:libera.chat). For these use cases, you can set the
        # template to just be $CHANNEL. Doing so will preclude you from supporting
        # other prefix characters though.
        #
        # Default: '#irc_$SERVER_$CHANNEL'
        aliasTemplate: "#irc_$CHANNEL"
        # A list of user IDs which the AS bot will send invites to in response
        # to a !join. Only applies if joinRule is 'invite'. Default: []
        # whitelist:
        #   - "@foo:example.com"
        #   - "@bar:example.com"
        #
        # Prevent the given list of channels from being mapped under any
        # circumstances.
        # exclude: ["#foo", "#bar"]

      # excludedUsers:
      #   - regex: "@.*:evilcorp.com"
      #     kickReason: "We don't like Evilcorp"

      # Configuration for controlling how Matrix and IRC membership lists are
      # synced.
      membershipLists:
        # Enable the syncing of membership lists between IRC and Matrix. This
        # can have a significant effect on performance on startup as the lists are
        # synced. This must be enabled for anything else in this section to take
        # effect. Default: false.
        enabled: false

        # Syncing membership lists at startup can result in hundreds of members to
        # process all at once. This timer drip feeds membership entries at the
        # specified rate. Default: 10000. (10s)
        floodDelayMs: 10000

        global:
          ircToMatrix:
            # Get a snapshot of all real IRC users on a channel (via NAMES) and
            # join their virtual matrix clients to the room.
            initial: false
            # Make virtual matrix clients join and leave rooms as their real IRC
            # counterparts join/part channels. Default: false.
            incremental: false
            # Should the bridge check if all Matrix users are connected to IRC and
            # joined to the channel before relaying messages into the room.
            #
            # This is considered a safety net to avoid any leakages by the bridge to
            # unconnected users, but given it ignores all IRC messages while users
            # are still connecting it may be overkill.
            requireMatrixJoined: false

          matrixToIrc:
            # Get a snapshot of all real Matrix users in the room and join all of
            # them to the mapped IRC channel on startup. Default: false.
            initial: false
            # Make virtual IRC clients join and leave channels as their real Matrix
            # counterparts join/leave rooms. Make sure your 'maxClients' value is
            # high enough! Default: false.
            incremental: false

        # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect.
        rooms: []
        #  - room: "!fuasirouddJoxtwfge:localhost"
        #    matrixToIrc:
        #      initial: false
        #      incremental: false

        # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect.
        channels: []
        #  - channel: "#foo"
        #    ircToMatrix:
        #      initial: false
        #      incremental: false
        #      requireMatrixJoined: false

        # Should the bridge ignore users which are not considered active on the bridge
        # during startup
        ignoreIdleUsersOnStartup:
          enabled: true
          # How many hours can a user be considered idle for before they are considered
          # ignorable
          idleForHours: 720
          # A regex which will exclude matching MXIDs from this check.
          exclude: "foobar"

      #mappings:
      #  # 1:many mappings from IRC channels to room IDs on this IRC server.
      #  # The matrix room must already exist. Your matrix client should expose
      #  # the room ID in a "settings" page for the room.
      #  "#thepub":
      #    roomIds: ["!kieouiJuedJoxtVdaG:localhost"]
      #    # Channel key/password to use. Optional. If provided, matrix users do
      #    # not need to know the channel key in order to join the channel.
      #    # key: "secret"

      # Configuration for virtual matrix users. The following variables are
      # exposed:
      # $NICK => The IRC nick
      # $SERVER => The IRC server address (e.g. "irc.example.com")
      matrixClients:
        # The user ID template to use when creating virtual matrix users. This
        # MUST have $NICK somewhere in it.
        # Optional. Default: "@$SERVER_$NICK".
        # Example: "@irc.example.com_Alice:example.com"
        userTemplate: "@irc_$NICK"
        # The display name to use for created matrix clients. This should have
        # $NICK somewhere in it if it is specified. Can also use $SERVER to
        # insert the IRC domain.
        # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)"
        displayName: "$NICK (IRC)"
        # Number of tries a client can attempt to join a room before the request
        # is discarded. You can also use -1 to never retry or 0 to never give up.
        # Optional. Default: -1
        joinAttempts: -1

      # Configuration for virtual IRC users. The following variables are exposed:
      # $LOCALPART => The user ID localpart ("alice" in @alice:localhost)
      # $USERID => The user ID
      # $DISPLAY => The display name of this user, with excluded characters
      #             (e.g. space) removed. If the user has no display name, this
      #             falls back to $LOCALPART.
      ircClients:
        # The template to apply to every IRC client nick. This MUST have either
        # $DISPLAY or $USERID or $LOCALPART somewhere in it.
        # Optional. Default: "M-$DISPLAY". Example: "M-Alice".
        nickTemplate: "$DISPLAY[m]"
        # True to allow virtual IRC clients to change their nick on this server
        # by issuing !nick <server> <nick> commands to the IRC AS bot.
        # This is completely freeform: it will NOT follow the nickTemplate.
        allowNickChanges: true
        # The max number of IRC clients that will connect. If the limit is
        # reached, the client that spoke the longest time ago will be
        # disconnected and replaced.
        # Optional. Default: 30.
        maxClients: 30
        # IPv6 configuration.
        ipv6:
          # Optional. Set to true to force IPv6 for outgoing connections.
          only: false
          # Optional. The IPv6 prefix to use for generating unique addresses for each
          # connected user. If not specified, all users will connect from the same
          # (default) address. This may require additional OS-specific work to allow
          # for the node process to bind to multiple different source addresses
          # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1
          # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library
          # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt.
          # prefix: "2001:0db8:85a3::" # modify appropriately
        #
        # The maximum amount of time in seconds that the client can exist
        # without sending another message before being disconnected. Use 0 to
        # not apply an idle timeout. This value is ignored if this IRC server is
        # mirroring matrix membership lists to IRC. Default: 172800 (48 hours)
        idleTimeout: 10800
        # The number of milliseconds to wait between consecutive reconnections if a
        # client gets disconnected. Setting to 0 will cause the scheduling to be
        # disabled, i.e. it will be scheduled immediately (with jitter).
        # Otherwise, the scheduling interval will be used such that one client
        # reconnect for this server will be handled every reconnectIntervalMs ms using
        # a FIFO queue.
        # Default: 5000 (5 seconds)
        reconnectIntervalMs: 5000
        # The number of concurrent reconnects if a user has been disconnected unexpectedly
        # (e.g. a netsplit). You should set this to a reasonably high number so that
        # bridges are not waiting an eternity to reconnect all its clients if
        # we see a massive number of disconnects. This is unrelated to the reconnectIntervalMs
        # setting above which is for connecting on restart of the bridge. Set to 0 to
        # immediately try to reconnect all users.
        # Default: 50
        concurrentReconnectLimit: 50
        # The number of lines to allow being sent by the IRC client that has received
        # a large block of text to send from matrix. If the number of lines that would
        # be sent is > lineLimit, the text will instead be uploaded to matrix and the
        # resulting URI is treated as a file. As such, a link will be sent to the IRC
        # side instead of potentially spamming IRC and getting the IRC client kicked.
        # Default: 3.
        lineLimit: 3
        # A list of user modes to set on every IRC client. For example, "RiG" would set
        # +R, +i and +G on every IRC connection when they have successfully connected.
        # User modes vary wildly depending on the IRC network you're connecting to,
        # so check before setting this value. Some modes may not work as intended
        # through the bridge e.g. caller ID as there is no way to /ACCEPT.
        # Default: "" (no user modes)
        # userModes: "R"
        # The format of the realname defined for users, either mxid or reverse-mxid
        realnameFormat: "mxid"
        # The minimum time to wait between connection attempts if we were disconnected
        # due to throttling.
        # pingTimeoutMs: 600000
        # The rate at which to send pings to the IRCd if the client is being quiet for a while.
        # Whilst the IRCd *should* be sending pings to us to keep the connection alive, it appears
        # that sometimes they don't get around to it and end up ping timing us out.
        # pingRateMs: 60000
        # Choose which conditions the IRC bridge should kick Matrix users for. Changes from
        # the defaults should be made with care, as they may dishonestly represent Matrix users
        # on the IRC network and cause your bridge to be banned.
        kickOn:
          # Kick a Matrix user from a bridged room if they fail to join the IRC channel.
          channelJoinFailure: true
          # Kick a Matrix user from ALL rooms if they are unable to get connected to IRC.
          ircConnectionFailure: true
          # Kick a Matrix user from ALL rooms if they choose to QUIT the IRC network.
          userQuit: true


  # Set information about the bridged channel in the room state, so that clients may
  # present relevant UI to the user. MSC2346
  bridgeInfoState:
    enabled: false
    initial: false
  # Configuration for an ident server. If you are running a public bridge it is
  # advised you set up an ident server so IRC mods can ban specific matrix users
  # rather than the application service itself.
  # This key CANNOT be hot-reloaded
  ident:
    # True to listen for Ident requests and respond with the
    # matrix user's user_id (converted to ASCII, respecting RFC 1413).
    # Default: false.
    enabled: false
    # The port to listen on for incoming ident requests.
    # Ports below 1024 require root to listen on, and you may not want this to
    # run as root. Instead, you can get something like an Apache to yank up
    # incoming requests to 113 to a high numbered port. Set the port to listen
    # on instead of 113 here.
    # Default: 113.
    port: 1113
    # The address to listen on for incoming ident requests.
    # Default: 0.0.0.0
    address: "::"

  # Encoding fallback - which text encoding to try if text is not UTF-8. Default: not set.
  # List of supported encodings: https://www.npmjs.com/package/iconv#supported-encodings
  # encodingFallback: "ISO-8859-15"

  # Configuration for logging. Optional. Default: console debug level logging
  # only.
  # This key CANNOT be hot-reloaded
  logging:
    # Level to log on console/logfile. One of error|warn|info|debug
    level: "info"
    # The file location to log to. This is relative to the project directory.
    logfile: "/var/log/matrix-appservice-irc/debug.log"
    # The file location to log errors to. This is relative to the project
    # directory.
    errfile: "/var/log/matrix-appservice-irc/errors.log"
    # Whether to log to the console or not.
    toConsole: true
    # The max number of files to keep. Files will be overwritten eventually due
    # to rotations.
    maxFiles: 5

  # Metrics will then be available via GET /metrics on the bridge listening port (-p).
  # This key CANNOT be hot-reloaded
477 metrics:
478 # Whether to actually enable the metric endpoint. Default: false
479 enabled: true
480 # Which port to listen on (omit to listen on the bindPort)
481 port: 7001
482 # Which hostname to listen on (omit to listen on 127.0.0.1), requires port to be set
483 host: 127.0.0.1
484 # When determining activeness of remote and matrix users, cut off at this number of hours.
485 userActivityThresholdHours: 72 # 3 days
486 # When collecting remote user active times, which "buckets" should be used. Defaults are given below.
487 # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks).
488 remoteUserAgeBuckets:
489 - "1h"
490 - "1d"
491 - "1w"
492
493 # Configuration options for the debug HTTP API. To access this API, you must
494 # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests.
495 #
496 # The debug API exposes the following endpoints:
497 #
498 # GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID.
499 #
500 # POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection.
501 # Format: new line delimited commands as per IRC protocol.
502 #
503 # This key CANNOT be hot-reloaded
504 debugApi:
505 # True to enable the HTTP API endpoint. Default: false.
506 enabled: false
507 # The port to host the HTTP API.
508 port: 11100
509
510 # Configuration for the provisioning API.
511 #
512 # GET /_matrix/provision/link
513 # GET /_matrix/provision/unlink
514 # GET /_matrix/provision/listlinks
515 #
516 # This key CANNOT be hot-reloaded
517 provisioning:
518 # True to enable the provisioning HTTP endpoint. Default: false.
519 enabled: false
520 # The number of seconds to wait before giving up on getting a response from
521 # an IRC channel operator. If the channel operator does not respond within the
522 # allotted time period, the provisioning request will fail.
523 # Default: 300 seconds (5 mins)
524 requestTimeoutSeconds: 300
525 # A file defining the provisioning rules for rooms. Format is documented
526 # in rules.sample.yaml. Leave undefined to not specify any rules.
527 ruleFile: "./provisioning.rules.yaml"
528 # Watch the file for changes, and apply the rules. Default: false
529 enableReload: true
530 # Number of channels allowed to be bridged
531 roomLimit: 50
532
533 # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
534 # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
535 # the database.
536 #
537 # To generate a .pem file:
538 # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
539 #
540 # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords
541 # for storage in the database. Passwords are stored by using the admin room command
542 # `!storepass server.name passw0rd`. When a connection is made to IRC on behalf of
543 # the Matrix user, this password will be sent as the server password (PASS command).
544 # This key CANNOT be hot-reloaded
545 passwordEncryptionKeyPath: "/etc/matrix-appservice-irc/passkey.pem"
546
547 # Config for Matrix -> IRC bridging
548 # This key CANNOT be hot-reloaded
549 matrixHandler:
550 # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies).
551 eventCacheSize: 4096
552
553 ircHandler:
554 # Should we attempt to match an IRC side mention (nickname match)
555 # with the nickname's owner's matrixId, if we are bridging them?
556 # "on" - Defaults to enabled, users can choose to disable.
557 # "off" - Defaults to disabled, users can choose to enable.
558 # "force-off" - Disabled, cannot be enabled.
559 mapIrcMentionsToMatrix: "on" # This can be "on", "off", "force-off".
560
561 # When handling lots of mode changes, wait this long before setting a power level
562 # event in order to batch together changes
563 # powerLevelGracePeriod: 1000
564
565 # Map of permissions from user/domain/wildcard to permission level.
566 # This is currently used to allow/disallow use of admin commands
567 # from the admin room but may be expanded in the future to contain more
568 # options. Currently, you may either set the value to be 'admin', or leave the key
569 # out to imply that the user does not have special permissions.
570 # UserID takes precedence over domain, which takes precedence over wildcard.
571 # permissions:
572 # '*': admin
573 # 'matrix.org': admin
574 # '@fibble:matrix.org': admin
575
576 # Allow room moderators to adjust the configuration of the bridge via room state.
577 # See docs/room_commands.md
578 # Optional: Off by default
579 perRoomConfig:
580 # Should the bridge use per-room configuration state. If false, the state
581 # events will be ignored.
582 enabled: false
583 # The maximum number that can be set for the `lineLimit` configuration option
584 # lineLimitMax: 5
585 # Allow matrix admins to disable or require Matrix users to be connected to the
586 # channel before any messages can be bridged. i.e. this is the per room
587 # version of `membershipLists.[].ircToMatrix.requireMatrixJoined`.
588 #
589 # If this is true, configuration in the room state will take priority over
590 # the configuration in the config file.
591 # allowUnconnectedMatrixUsers: true
592
593 # Options here are generally only applicable to large-scale bridges and may have
594 # consequences greater than other options in this configuration file.
595 advanced:
596 # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited
597 # however for large bridges it is important to rate limit the bridge to avoid
598 # accidentally overloading the homeserver. Defaults to 1000, which should be
599 # enough for the vast majority of use cases.
600 # This key CAN be hot-reloaded
601 maxHttpSockets: 1000
602 # Max size of an appservice transaction payload, in bytes. Defaults to 10 MB
603 # This key CANNOT be hot-reloaded.
604 maxTxnSize: 10000000
605
606 # Capture information to a sentry.io instance
607 # This key CANNOT be hot-reloaded.
608 sentry:
609 enabled: false
610 dsn: "https://<key>@sentry.io/<project>"
611 # Optional. A tag to specify the production environment. Not set by default
612 # environment: ""
613 # Optional. A tag to specify the server name. Not set by default
614 # serverName: ""
615
616 # Use an external database to store bridge state.
617 # This key CANNOT be hot-reloaded.
618 database:
619 # database engine (must be 'postgres' or 'nedb'). Default: nedb
620 engine: "postgres"
621 # Either a PostgreSQL connection string, or a path to the NeDB storage directory.
622 # For postgres, it must start with postgres://
623 # For NeDB, it must start with nedb://. The path is relative to the project directory.
624 #connectionString: "postgres://username:password@host:port/databasename"
625 connectionString: "postgres://matrix-appservice-irc:secure_long_password@localhost/matrix-appservice-irc"
At least configure
- Mandatory:
  - homeserver
    - address
    - domain
    - bindHostname
    - bindPort
  - database
  - passwordEncryptionKeyPath
  - tlsOptions to be not empty or commented
  - homeserver
- optionally:
  - Logging path
  - path to /run
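The audit below is an added example, not part of matrix-appservice-irc or of this page's original setup: a POSIX sh/awk function that reads a config.yaml and flags the settings the comments above warn about (the debug API enabled, the metrics listener bound to anything but 127.0.0.1, an ident port below 1024, the sample `username:password` connection string left in place, and no passwordEncryptionKeyPath). The function name, the WARN/INFO wording and the exit-code convention are this example's own, and it only understands the `key: value` layout of the sample config.

```shell
#!/bin/sh
# check_irc_bridge_config FILE
# Prints one WARN/INFO line per risky setting found in a matrix-appservice-irc
# config.yaml and returns 1 if any WARN was printed. Added example, not part
# of the bridge; understands the "key: value" layout of config.sample.yaml.
check_irc_bridge_config() {
    awk '
    # Indentation (number of leading spaces) of the current line.
    { match($0, /^ */); ind = RLENGTH }
    # Skip comments and blank lines.
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    # A key with no value opens a mapping: keep a stack of (indent, name).
    /^ *[A-Za-z][A-Za-z0-9_]*: *$/ {
        key = $1; sub(/:$/, "", key)
        while (depth > 0 && sind[depth] >= ind) depth--
        depth++; sind[depth] = ind; sname[depth] = key
        next
    }
    # "key: value": find the enclosing mapping and apply the checks.
    /^ *[A-Za-z][A-Za-z0-9_]*: *[^ ]/ {
        key = $1; sub(/:$/, "", key)
        val = $2; gsub(/"/, "", val)
        while (depth > 0 && sind[depth] >= ind) depth--
        parent = (depth > 0) ? sname[depth] : ""
        if (parent == "debugApi" && key == "enabled" && val == "true") {
            print "WARN line " NR ": debugApi enabled; it issues raw IRC commands to anyone holding the appservice token"; warn++
        }
        if (parent == "metrics" && key == "host" && val != "127.0.0.1" && val != "localhost") {
            print "WARN line " NR ": metrics endpoint listens on " val " instead of 127.0.0.1"; warn++
        }
        if (parent == "ident" && key == "port" && val + 0 < 1024) {
            print "WARN line " NR ": ident port " val " needs root; use a high port and redirect 113 to it"; warn++
        }
        if (parent == "database" && key == "connectionString" && val ~ /username:password@/) {
            print "WARN line " NR ": connectionString still carries the sample username:password placeholder"; warn++
        }
        if (parent == "provisioning" && key == "enabled" && val == "true") {
            print "INFO line " NR ": provisioning API enabled; make sure ruleFile and roomLimit are set"
        }
        if (key == "passwordEncryptionKeyPath" && val != "") keypath = val
    }
    END {
        if (keypath == "") {
            print "WARN: passwordEncryptionKeyPath not set; IRC passwords stored with !storepass cannot be encrypted"; warn++
        }
        print warn + 0 " warning(s)"
        exit (warn > 0)
    }' "$1"
}

# Run directly as: check_irc_bridge_config /etc/matrix-appservice-irc/config.yaml
if [ -n "${1-}" ]; then
    check_irc_bridge_config "$1"
fi
```

The stack of mapping keys is what makes the check work on the real file, where `ident`, `metrics`, `debugApi`, `provisioning` and `passwordEncryptionKeyPath` sit under `ircService:` while `database:` is top level; each check only looks at the immediately enclosing key, so indentation depth does not matter.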
Generate the appservice registration (Please mind the underscore in the python-module).
DAEMON_USER="matrix-appservice-irc"
# Write the appservice registration; -u is the URL Synapse uses to reach the
# bridge, -l the localpart of the bridge bot user.
node --experimental-worker app.js -r \
  -u "http://127.0.0.1:9999" \
  -c "/etc/$DAEMON_USER/config.yaml" \
  -f "/etc/$DAEMON_USER/registration.yaml" \
  -l irc_bot
# Both files carry secrets: readable by root and the bridge group only.
chown root:"$DAEMON_USER" /etc/"$DAEMON_USER"/{config.yaml,registration.yaml}
chmod 640 /etc/"$DAEMON_USER"/{config.yaml,registration.yaml}
# Synapse has to read registration.yaml, so add its user to the bridge group.
adduser matrix-synapse "$DAEMON_USER"
If you get the error
Error: Cannot find module 'worker_threads'
your node version is too old.
You may use the node flag --experimental-worker to stick with nodejs v10.
There are more options, which can be listed with
node app.js --help
Add the path to the registration file to your Synapse's /etc/matrix-synapse/homeserver.yaml under app_service_config_files. Restart Synapse to apply changes.
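The check below is an added example, not part of the bridge or of Synapse: a POSIX sh function that verifies the three things the steps above set up, namely that the registration path is listed under app_service_config_files in homeserver.yaml, that the registration file is not readable by other users (it holds the as_token and hs_token, the latter being what the debug API accepts as $APPSERVICE_TOKEN), and that both tokens are present. The function name and the 32-character minimum token length are this example's own assumptions, and it relies on GNU stat as shipped on Debian.

```shell
#!/bin/sh
# verify_registration REGISTRATION_YAML HOMESERVER_YAML
# Returns 0 when the registration is wired into Synapse and its tokens are
# protected; prints one FAIL line per problem and returns 1 otherwise.
# Added example, not part of matrix-appservice-irc or Synapse.
verify_registration() {
    reg="$1"; hs="$2"; rc=0

    # 1. Synapse only loads registrations listed under app_service_config_files.
    #    Walk that list (one "- path" item per line) and look for our path.
    if ! awk -v want="$reg" '
        /^app_service_config_files:/ { inlist = 1; next }
        inlist && /^[[:space:]]*-[[:space:]]*/ {
            item = $0
            sub(/^[[:space:]]*-[[:space:]]*/, "", item)
            sub(/[[:space:]]+$/, "", item)
            gsub(/"/, "", item)
            if (item == want) found = 1
            next
        }
        inlist && !/^[[:space:]]*#/ && !/^[[:space:]]*$/ { inlist = 0 }
        END { exit !found }
    ' "$hs"; then
        echo "FAIL $reg is not listed under app_service_config_files in $hs"; rc=1
    fi

    # 2. The file carries both appservice tokens, so "other" must have no access.
    #    (GNU stat; mode 640 -> owner rw, group r, other nothing.)
    mode=$(stat -c '%a' "$reg" 2>/dev/null || echo missing)
    case "$mode" in
        missing) echo "FAIL $reg does not exist"; rc=1 ;;
        *[1-7])  echo "FAIL $reg has mode $mode; other users can access it (expected 640)"; rc=1 ;;
    esac

    # 3. Both tokens must be present; anything under 32 characters is treated
    #    as a placeholder (assumption of this example, not a bridge rule).
    for tok in as_token hs_token; do
        v=$(awk -v k="$tok" '$1 == (k ":") { gsub(/"/, "", $2); print $2; exit }' "$reg" 2>/dev/null || true)
        if [ "${#v}" -lt 32 ]; then
            echo "FAIL $tok missing or shorter than 32 characters in $reg"; rc=1
        fi
    done
    return "$rc"
}

# Run directly as:
#   verify_registration /etc/matrix-appservice-irc/registration.yaml /etc/matrix-synapse/homeserver.yaml
if [ -n "${2-}" ]; then
    verify_registration "$1" "$2"
fi
```

Run it after the chmod/chown step and again after editing homeserver.yaml; a FAIL on the first check usually means the path was added with a typo or outside the list, which Synapse reports only at restart.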
Hot reload
Send SIGHUP to the node process
# Signal only the bridge's own node process, not every node process on the host
pkill -HUP -u matrix-appservice-irc -x node
SystemD integration of mautrix-signal
Create a file /etc/default/matrix-appservice-irc that defines environment variables (it is read by the unit's EnvironmentFile line)
Create a systemd-unit (with compatibility to nodejs v10 --experimental-worker) /lib/systemd/system/matrix-appservice-irc.service
[Unit]
Description=Mautrix IRC Bridge
ConditionPathExists=/etc/matrix-appservice-irc/config.yaml
After=matrix-synapse.service
After=syslog.target

[Service]
Type=simple
User=matrix-appservice-irc
Group=matrix-appservice-irc
WorkingDirectory=/var/lib/matrix-appservice-irc
EnvironmentFile=/etc/default/matrix-appservice-irc
ExecStart=/usr/bin/node --experimental-worker app.js -c /etc/matrix-appservice-irc/config.yaml -f /etc/matrix-appservice-irc/registration.yaml
Restart=on-failure
RestartSec=3
SyslogIdentifier=matrix-appservice-irc
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target
Reload SystemD, enable the service on boot and start the service
Use IRC
Create a private chat to
@irc_bot:matrix.rockstable.it
And type !help to get a list of available commands.
Open a new room to e.g. #debian on Freenode
You may find channels on https://netsplit.de/channels/?net=freenode
Migrate WhatsApp Chats
Create local backup in WhatsApp
Home > DOTS > Settings > Chats > Chat-Backup
Android Settings > About the telephone
Android Settings > System > Development Options
Your backup should reside in /sdcard/WhatsApp
ls -l /sdcard/WhatsApp