c0dd5b1cc2
from upstream MR https://gitlab.com/famedly/conduit/-/merge_requests/347 with the following changes (so far): - remove hardcoded list of allowed hosts (strongly disagree with this, even if it is desired, it should not be harcoded) - add more allow config options for granularity via URL contains, host contains, and domain is (explicit match) for security - warn if a user is allowing all URLs to be previewed for security reasons - replace an expect with proper error handling - bump webpage to 2.0 - improved code style a tad Co-authored-by: rooot <hey@rooot.gay> Signed-off-by: rooot <hey@rooot.gay> Signed-off-by: strawberry <strawberry@puppygock.gay>
308 lines
13 KiB
Bash
308 lines
13 KiB
Bash
#!/bin/sh
|
|
set -e
|
|
|
|
. /usr/share/debconf/confmodule
|
|
|
|
CONDUIT_CONFIG_PATH=/etc/matrix-conduit
|
|
CONDUIT_CONFIG_FILE="${CONDUIT_CONFIG_PATH}/conduit.toml"
|
|
CONDUIT_DATABASE_PATH=/var/lib/matrix-conduit/
|
|
|
|
case "$1" in
|
|
configure)
|
|
# Create the `_matrix-conduit` user if it does not exist yet.
|
|
if ! getent passwd _matrix-conduit > /dev/null ; then
|
|
echo 'Adding system user for the Conduit Matrix homeserver' 1>&2
|
|
adduser --system --group --quiet \
|
|
--home "$CONDUIT_DATABASE_PATH" \
|
|
--disabled-login \
|
|
--force-badname \
|
|
_matrix-conduit
|
|
fi
|
|
|
|
# Create the database path if it does not exist yet and fix up ownership
|
|
# and permissions.
|
|
mkdir -p "$CONDUIT_DATABASE_PATH"
|
|
chown _matrix-conduit "$CONDUIT_DATABASE_PATH"
|
|
chmod 700 "$CONDUIT_DATABASE_PATH"
|
|
|
|
if [ ! -e "$CONDUIT_CONFIG_FILE" ]; then
|
|
# Write the debconf values in the config.
|
|
db_get matrix-conduit/hostname
|
|
CONDUIT_SERVER_NAME="$RET"
|
|
db_get matrix-conduit/address
|
|
CONDUIT_ADDRESS="$RET"
|
|
db_get matrix-conduit/port
|
|
CONDUIT_PORT="$RET"
|
|
mkdir -p "$CONDUIT_CONFIG_PATH"
|
|
cat > "$CONDUIT_CONFIG_FILE" << EOF
|
|
# =============================================================================
|
|
# This is the official example config for conduwuit.
|
|
# If you use it for your server, you will need to adjust it to your own needs.
|
|
# At the very least, change the server_name field!
|
|
# =============================================================================
|
|
|
|
[global]
|
|
|
|
# The server_name is the pretty name of this server. It is used as a suffix for user
|
|
# and room ids. Examples: matrix.org, conduit.rs
|
|
|
|
# The Conduit server needs all /_matrix/ requests to be reachable at
|
|
# https://your.server.name/ on port 443 (client-server) and 8448 (federation).
|
|
|
|
# If that's not possible for you, you can create /.well-known files to redirect
|
|
# requests (delegation). See
|
|
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
|
|
# and
|
|
# https://spec.matrix.org/v1.9/server-server-api/#getwell-knownmatrixserver
|
|
# for more information
|
|
|
|
# YOU NEED TO EDIT THIS
|
|
server_name = "${CONDUIT_SERVER_NAME}"
|
|
|
|
# Servers listed here will be used to gather public keys of other servers.
|
|
# Generally, copying this exactly should be enough. (Currently, conduwuit doesn't
|
|
# support batched key requests, so this list should only contain Synapse
|
|
# servers.) Defaults to `matrix.org`
|
|
# trusted_servers = ["matrix.org"]
|
|
|
|
|
|
|
|
### Database configuration
|
|
|
|
# This is the only directory where conduwuit will save its data, including media
|
|
database_path = "${CONDUIT_DATABASE_PATH}"
|
|
|
|
# Database backend: Only rocksdb and sqlite are supported. Please note that sqlite
|
|
# will perform significantly worse than rocksdb as it is not intended to be used the
|
|
# way it is by conduwuit. sqlite only exists for historical reasons.
|
|
database_backend = "rocksdb"
|
|
|
|
|
|
|
|
### Network
|
|
|
|
# The port conduwuit will be running on. You need to set up a reverse proxy such as
|
|
# Caddy or Nginx so all requests to /_matrix on port 443 and 8448 will be
|
|
# forwarded to the conduwuit instance running on this port
|
|
# Docker users: Don't change this, you'll need to map an external port to this.
|
|
port = ${CONDUIT_PORT}
|
|
|
|
# default address (IPv4 or IPv6) conduwuit will listen on. Generally you want this to be
|
|
# localhost (127.0.0.1 / ::1). If you are using Docker or a container NAT networking setup, you
|
|
# likely need this to be 0.0.0.0.
|
|
address = "${CONDUIT_ADDRESS}"
|
|
|
|
# How many requests conduwuit sends to other servers at the same time concurrently. Default is 500
|
|
# Note that because conduwuit is very fast unlike other homeserver implementations, setting this too
|
|
# high could inadvertently result in ratelimits kicking in, or overloading lower-end homeservers out there.
|
|
#
|
|
# A valid use-case for enabling this is if you have a significant amount of overall federation activity
|
|
# such as many rooms joined/tracked, and many servers in the true destination cache caused by that. Upon
|
|
# rebooting conduwuit, depending on how fast your resources are, client and incoming federation requests
|
|
# may timeout or be "stalled" for a period of time due to hitting the max concurrent requests limit from
|
|
# refreshing federation/destination caches and such.
|
|
#
|
|
# If you have a lot of active users on your homeserver, you will definitely need to raise this.
|
|
#
|
|
# No this will not speed up room joins.
|
|
#max_concurrent_requests = 500
|
|
|
|
# Max request size for file uploads
|
|
max_request_size = 20_000_000 # in bytes
|
|
|
|
# Uncomment unix_socket_path to listen on a UNIX socket at the specified path.
|
|
# If listening on a UNIX socket, you must remove/comment the 'address' key if defined and add your
|
|
# reverse proxy to the 'conduwuit' group, unless world RW permissions are specified with unix_socket_perms (666 minimum).
|
|
#unix_socket_path = "/run/conduwuit/conduwuit.sock"
|
|
#unix_socket_perms = 660
|
|
|
|
# Set this to true for conduwuit to compress HTTP response bodies using zstd.
|
|
# Please be aware that enabling HTTP compression may weaken or even defeat TLS.
|
|
# Most users should not need to enable this.
|
|
# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH before deciding to enable this.
|
|
zstd_compression = false
|
|
|
|
# Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you do not want conduwuit to send outbound requests to.
|
|
# Defaults to RFC1918, unroutable, loopback, multicast, and testnet addresses for security.
|
|
#
|
|
# To disable, set this to be an empty vector (`[]`).
|
|
#
|
|
# Currently this does not account for proxies in use like Synapse does.
|
|
ip_range_denylist = [
|
|
"127.0.0.0/8",
|
|
"10.0.0.0/8",
|
|
"172.16.0.0/12",
|
|
"192.168.0.0/16",
|
|
"100.64.0.0/10",
|
|
"192.0.0.0/24",
|
|
"169.254.0.0/16",
|
|
"192.88.99.0/24",
|
|
"198.18.0.0/15",
|
|
"192.0.2.0/24",
|
|
"198.51.100.0/24",
|
|
"203.0.113.0/24",
|
|
"224.0.0.0/4",
|
|
"::1/128",
|
|
"fe80::/10",
|
|
"fc00::/7",
|
|
"2001:db8::/32",
|
|
"ff00::/8",
|
|
"fec0::/10",
|
|
]
|
|
|
|
|
|
|
|
### Moderation / Privacy / Security
|
|
|
|
# Set to true to allow user type "guest" registrations. Element attempts to register guest users automatically.
|
|
# For private homeservers, this is best at false.
|
|
allow_guest_registration = false
|
|
|
|
# Vector list of servers that conduwuit will refuse to download remote media from.
|
|
# No default.
|
|
# prevent_media_downloads_from = ["example.com", "example.local"]
|
|
|
|
# Enables open registration. If set to false, no users can register on this
|
|
# server.
|
|
# If set to true without a token configured, users can register with no form of 2nd-
|
|
# step only if you set
|
|
# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to
|
|
# true in your config. If you would like
|
|
# registration only via token reg, please configure the `registration_token` key.
|
|
allow_registration = false
|
|
# Please note that an open registration homeserver with no second-step verification
|
|
# is highly prone to abuse and potential defederation by homeservers, including
|
|
# matrix.org.
|
|
|
|
# A static registration token that new users will have to provide when creating
|
|
# an account. If unset and `allow_registration` is true, registration is open
|
|
# without any condition. YOU NEED TO EDIT THIS.
|
|
registration_token = "change this token for something specific to your server"
|
|
|
|
# controls whether federation is allowed or not
|
|
# defaults to true
|
|
# allow_federation = true
|
|
|
|
# controls whether users are allowed to create rooms.
|
|
# appservices and admins are always allowed to create rooms
|
|
# defaults to true
|
|
# allow_room_creation = true
|
|
|
|
# Set this to true to allow your server's public room directory to be federated.
|
|
# Set this to false to protect against /publicRooms spiders, but will forbid external users
|
|
# from viewing your server's public room directory. If federation is disabled entirely
|
|
# (`allow_federation`), this is inherently false.
|
|
allow_public_room_directory_over_federation = false
|
|
|
|
# Set this to true to allow your server's public room directory to be queried without client
|
|
# authentication (access token) through the Client APIs. Set this to false to protect against /publicRooms spiders.
|
|
allow_public_room_directory_without_auth = false
|
|
|
|
# Set this to true to allow federating device display names / allow external users to see your device display name.
|
|
# If federation is disabled entirely (`allow_federation`), this is inherently false. For privacy, this is best disabled.
|
|
allow_device_name_federation = false
|
|
|
|
# Vector list of domains allowed to send requests to for URL previews. Defaults to none.
|
|
# Note: this is a *contains* match, not an explicit match. Putting "google.com" will match "https://google.com" and "http://mymaliciousdomainexamplegoogle.com"
|
|
url_preview_domain_contains_allowlist = []
|
|
|
|
# Vector list of explicit domains allowed to send requests to for URL previews. Defaults to none.
|
|
# Note: This is an *explicit* match, not a ccontains match. Putting "google.com" will match "https://google.com", "http://google.com", but not "https://mymaliciousdomainexamplegoogle.com"
|
|
url_preview_domain_explicit_allowlist = []
|
|
|
|
# Vector list of URLs allowed to send requests to for URL previews. Defaults to none.
|
|
# Note that this is a *contains* match, not an explicit match. Putting "https://google.com" will match "https://google.com/" and "https://google.com/url?q=https://mymaliciousdomainexample.com"
|
|
url_preview_url_contains_allowlist = []
|
|
|
|
|
|
|
|
### Misc
|
|
|
|
# max log level for conduwuit. allows debug, info, warn, or error
|
|
#log = "warn"
|
|
|
|
# controls whether encrypted rooms and events are allowed (default true)
|
|
#allow_encryption = false
|
|
|
|
# conduwuit will send a simple GET request periodically to `https://pupbrain.dev/check-for-updates/stable`
|
|
# for any new announcements made. Despite the name, this is not an update check
|
|
# endpoint, it is simply an announcement check endpoint. I don't plan on using
|
|
# this so feel free to disable it.
|
|
allow_check_for_updates = true
|
|
|
|
# Enables adding the lightning bolt emoji (⚡️) to all newly registered users'
|
|
# initial display names.
|
|
enable_lightning_bolt = false
|
|
|
|
# If you are using delegation via well-known files and you cannot serve them from your reverse proxy, you can
|
|
# uncomment these to serve them directly from conduwuit. This requires proxying all requests to conduwuit, not just `/_matrix` to work.
|
|
#well_known_server = "matrix.example.com:443"
|
|
#well_known_client = "https://matrix.example.com"
|
|
# Note that whatever you put will show up in the well-known JSON values.
|
|
|
|
# Set to false to disable users from joining or creating room versions that aren't 100% officially supported by conduwuit.
|
|
# conduwuit officially supports room versions 6 - 10. conduwuit has experimental/unstable support for 1 - 5, and 11.
|
|
# Defaults to true.
|
|
#allow_unstable_room_versions = true
|
|
|
|
# Set this to any float value to multiply conduwuit's in-memory LRU caches with.
|
|
# May be useful if you have significant memory to spare to increase performance.
|
|
# Defaults to 1.0.
|
|
#conduit_cache_capacity_modifier = 1.0
|
|
|
|
# Set this to any float value in megabytes for conduwuit to tell the database engine that this much memory is available for database-related caches.
|
|
# May be useful if you have significant memory to spare to increase performance.
|
|
# Defaults to 900.0
|
|
#db_cache_capacity_mb = 900.0
|
|
|
|
|
|
|
|
### RocksDB options
|
|
|
|
# Set this to true to use RocksDB config options that are tailored to HDDs (slower device storage)
|
|
#rocksdb_optimize_for_spinning_disks = false
|
|
|
|
# RocksDB log level. This is not the same as conduwuit's log level. This is the log level for RocksDB itself
|
|
# which show up in your database folder/path as `LOG` files. Defaults to warn. conduwuit will typically log RocksDB errors.
|
|
#rocksdb_log_level = "warn"
|
|
|
|
# Max RocksDB `LOG` file size before rotating in bytes. Defaults to 4MB.
|
|
#rocksdb_max_log_file_size = 4194304
|
|
|
|
# Time in seconds before RocksDB will forcibly rotate logs. Defaults to 0.
|
|
#rocksdb_log_time_to_roll = 0
|
|
|
|
|
|
|
|
### Presence
|
|
|
|
# Config option to control local (your server only) presence updates/requests. Defaults to false.
|
|
# Note that presence on conduwuit is very fast unlike Synapse's.
|
|
#allow_local_presence = false
|
|
|
|
# Config option to control incoming federated presence updates/requests. Defaults to false.
|
|
# This option receives presence updates from other servers, but does not send any unless `allow_outgoing_presence` is true.
|
|
# Note that presence on conduwuit is very fast unlike Synapse's.
|
|
#allow_incoming_presence = false
|
|
|
|
# Config option to control outgoing presence updates/requests. Defaults to false.
|
|
# This option sends presence updates to other servers, but does not receive any unless `allow_incoming_presence` is true.
|
|
# Note that presence on conduwuit is very fast unlike Synapse's.
|
|
#
|
|
# Warning: Outgoing federated presence is not spec compliant due to relying on PDUs and EDUs combined.
|
|
# Outgoing presence will not be very reliable due to this and any issues with federated outgoing presence are very likely attributed to this issue.
|
|
# Incoming presence and local presence are unaffected.
|
|
#allow_outgoing_presence = false
|
|
|
|
# Config option to control how many seconds before presence updates that you are idle. Defaults to 5 minutes.
|
|
#presence_idle_timeout_s = 300
|
|
|
|
# Config option to control how many seconds before presence updates that you are offline. Defaults to 30 minutes.
|
|
#presence_offline_timeout_s = 1800
|
|
|
|
EOF
|
|
fi
|
|
;;
|
|
esac
|
|
|
|
#DEBHELPER#
|