diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
index 2beff97bf1e..e54995beb19 100644
--- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
@@ -12,7 +12,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser
 # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
 # renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-irc
-matrix_appservice_irc_version: 1.0.1
+matrix_appservice_irc_version: 3.0.1
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
 matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
@@ -66,20 +66,25 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # It is also used in the Third Party Lookup API as the instance `desc` # # property, where each server is an instance. # name: "ExampleNet" - +# # Additional addresses to connect to, used for load balancing between IRCDs. # additionalAddresses: [ "irc2.example.com" ] +# # Typically additionalAddresses would be in addition to the address key given above, +# # but some configurations wish to exclusively use additional addresses while reserving +# # the top key for identification purposes. Set this to true to exclusively use the +# # additionalAddresses array when connecting to servers. +# onlyAdditionalAddresses: false # # # # [DEPRECATED] Use `name`, above, instead. # # A human-readable description string # # description: "Example.com IRC network" - +# # # An ID for uniquely identifying this server amongst other servers being bridged. # # networkId: "example" - -# # URL to an icon used as the network icon whenever this network appear in -# # a network list. (Like in the riot room directory, for instance.) -# # icon: https://example.com/images/hash.png - +# +# # MXC URL to an icon used as the network icon whenever this network appear in +# # a network list. (Like in the Element room directory, for instance.) +# # icon: mxc://matrix.org/LpsSLrbANVrEIEOgEaVteItf +# # # The port to connect to. Optional. # port: 6697 # # Whether to use SSL or not. Default: false. 
@@ -92,19 +97,25 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Whether to allow expired certs when connecting to the IRC server. # # Usually this should be off. Default: false. # allowExpiredCerts: false -# # A specific CA to trust instead of the default CAs. Optional. -# #ca: | -# # -----BEGIN CERTIFICATE----- -# # ... -# # -----END CERTIFICATE----- - +# # Set additional TLS options for the connections to the IRC server. +# #tlsOptions: +# # A specific CA to trust instead of the default CAs. Optional. +# #ca: | +# # -----BEGIN CERTIFICATE----- +# # ... +# # -----END CERTIFICATE----- +# # Server name for the SNI (Server Name Indication) TLS extension. If the address you +# # are using does not report the correct certificate name, you can override it here. +# # servername: real.server.name +# # ...or any options in https://nodejs.org/api/tls.html#tls_tls_connect_options_callback +# # # # # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional. # # password: 'pa$$w0rd' # # # # Whether or not to send connection/error notices to real Matrix users. Default: true. # sendConnectionMessages: true - +# # quitDebounce: # # Whether parts due to net-splits are debounced for delayMs, to allow # # time for the netsplit to resolve itself. A netsplit is detected as being @@ -124,13 +135,13 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # delayMinMs: 3600000 # 1h # # Default: 7200000, = 2h # delayMaxMs: 7200000 # 2h - +# # # A map for conversion of IRC user modes to Matrix power levels. This enables bridging # # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has # # been given multiple modes, the one that maps to the highest power level will be used. # modePowerMap: # o: 50 - +# v: 1 # botConfig: # # Enable the presence of the bot in IRC channels. The bot serves as the entity # # which maps from IRC -> Matrix. You can disable the bot entirely which 
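Review bot: The new `tlsOptions` example documents `ca` and `servername` and then points at the full tls.connect option set, but it does not say that this is also the place where certificate verification can be switched off; if the bridge passes these options through unfiltered, an operator who adds `rejectUnauthorized: false` here (the usual "fix" for a name mismatch) disables verification for every client connection to that server, a much stronger effect than the `allowExpiredCerts` knob a few lines above. I would add a caveat next to the tls.html link: `# # NOTE: options such as rejectUnauthorized: false disable certificate checking entirely; prefer servername/ca.` It is also worth making explicit that `ca` replaces rather than extends the default trust store, which the existing wording ("instead of the default CAs") implies but an example that concatenates a private CA with public roots would state outright. Both are comment-only changes inside the commented-out example server entry.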
@@ -153,6 +164,8 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # enabled: true # # The nickname to give the AS bot. # nick: "MatrixBot" +# # The username to give to the AS bot. Defaults to "matrixbot" +# username: "matrixbot" # # The password to give to NickServ or IRC Server for this nick. Optional. # # password: "helloworld" # # @@ -161,7 +174,7 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # real matrix users in them, even if there is a mapping for the channel. # # Default: true # joinChannelsIfNoUsers: true - +# # # Configuration for PMs / private 1:1 communications between users. # privateMessages: # # Enable the ability for PMs to be sent to/from IRC/Matrix. @@ -170,12 +183,12 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Prevent Matrix users from sending PMs to the following IRC nicks. # # Optional. Default: []. # # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED - +# # # Should created Matrix PM rooms be federated? If false, only users on the # # HS attached to this AS will be able to interact with this room. # # Optional. Default: true. # federate: true - +# # # Configuration for mappings not explicitly listed in the 'mappings' # # section. # dynamicChannels: 
@@ -189,27 +202,34 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Should the AS publish the new Matrix room to the public room list so # # anyone can see it? Default: true. # published: true +# # Publish the rooms to the homeserver directory, as oppose to the appservice +# # room directory. Only used if `published` is on. +# # Default: false +# useHomeserverDirectory: true # # What should the join_rule be for the new Matrix room? If 'public', # # anyone can join the room. If 'invite', only users with an invite can # # join the room. Note that if an IRC channel has +k or +i set on it, # # join_rules will be set to 'invite' until these modes are removed. # # Default: "public". # joinRule: public -# # This will set the m.room.related_groups state event in newly created rooms -# # with the given groupId. This means flares will show up on IRC users in those rooms. -# # This should be set to the same thing as namespaces.users.group_id in irc_registration. -# # This does not alter existing rooms. -# # Leaving this option empty will not set the event. -# groupId: +myircnetwork:localhost # # Should created Matrix rooms be federated? If false, only users on the # # HS attached to this AS will be able to interact with this room. # # Default: true. # federate: true +# # Force this room version when creating IRC channels. Beware if the homeserver doesn't +# # support the room version then the request will fail. By default, no version is requested. +# # roomVersion: "1" # # The room alias template to apply when creating new aliases. This only # # applies if createAlias is 'true'. The following variables are exposed: # # $SERVER => The IRC server address (e.g. "irc.example.com") # # $CHANNEL => The IRC channel (e.g. "#python") # # This MUST have $CHANNEL somewhere in it. +# # +# # In certain circumstances you might want to bridge your whole IRC network as a +# # homeserver (e.g. #matrix:libera.chat). 
For these use cases, you can set the +# # template to just be $CHANNEL. Doing so will preclude you from supporting +# # other prefix characters though. +# # # # Default: '#irc_$SERVER_$CHANNEL' # aliasTemplate: "#irc_$CHANNEL" # # A list of user IDs which the AS bot will send invites to in response @@ -221,7 +241,11 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Prevent the given list of channels from being mapped under any # # circumstances. # # exclude: ["#foo", "#bar"] - +# +# # excludedUsers: +# # - regex: "@.*:evilcorp.com" +# # kickReason: "We don't like Evilcorp" +# # # Configuration for controlling how Matrix and IRC membership lists are # # synced. # membershipLists: @@ -230,12 +254,12 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # synced. This must be enabled for anything else in this section to take # # effect. Default: false. # enabled: false - +# # # Syncing membership lists at startup can result in hundreds of members to # # process all at once. This timer drip feeds membership entries at the # # specified rate. Default: 10000. (10s) # floodDelayMs: 10000 - +# # global: # ircToMatrix: # # Get a snapshot of all real IRC users on a channel (via NAMES) and @@ -244,7 +268,14 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Make virtual matrix clients join and leave rooms as their real IRC # # counterparts join/part channels. Default: false. # incremental: false - +# # Should the bridge check if all Matrix users are connected to IRC and +# # joined to the channel before relaying messages into the room. +# # +# # This is considered a safety net to avoid any leakages by the bridge to +# # unconnected users, but given it ignores all IRC messages while users +# # are still connecting it may be overkill. +# requireMatrixJoined: false +# # matrixToIrc: # # Get a snapshot of all real Matrix users in the room and join all of # # them to the mapped IRC channel on startup. Default: false. 
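Review bot: The example value added for `useHomeserverDirectory` is `true` while the comment directly above it says the default is `false`; anyone who copies this block as the starting point for `matrix_appservice_irc_ircService_servers` will publish every dynamically created channel room into the homeserver's public room directory, and with `federate: true` and `joinRule: public` in the same example those rooms become discoverable from other servers as well, a broader exposure than the appservice-local directory the default uses. I would either make the example match the default, `useHomeserverDirectory: false`, or keep `true` and add `# # Note: lists bridged channels in the homeserver's public directory; keep false unless intended.` The `dynamicChannels:` block this belongs to starts before this hunk.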
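Review bot: The `excludedUsers` example regex `"@.*:evilcorp.com"` is unanchored and leaves the dots unescaped, so as written it also matches users whose server name merely contains `evilcorp` followed by any character and `com` (for example `@alice:evilcorp.com.example.org` or `@bob:evilcorpXcom`), turning a targeted kick rule into one that can kick unrelated users; whether the bridge anchors the pattern itself is not visible here. Since this is the template operators will copy, I would anchor and escape it: `regex: "^@.*:evilcorp\\.com$"`. The kick reason is user-visible on both sides of the bridge, so a neutral wording is also preferable to `"We don't like Evilcorp"` in a default example.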
@@ -253,21 +284,32 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # counterparts join/leave rooms. Make sure your 'maxClients' value is # # high enough! Default: false. # incremental: false - +# # # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. # rooms: # - room: "!fuasirouddJoxtwfge:localhost" # matrixToIrc: # initial: false # incremental: false - +# # # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. # channels: # - channel: "#foo" # ircToMatrix: # initial: false # incremental: false - +# requireMatrixJoined: false +# +# # Should the bridge ignore users which are not considered active on the bridge +# # during startup +# ignoreIdleUsersOnStartup: +# enabled: true +# # How many hours can a user be considered idle for before they are considered +# # ignoreable +# idleForHours: 720 +# # A regex which will exclude matching MXIDs from this check. +# exclude: "foobar" +# # mappings: # # 1:many mappings from IRC channels to room IDs on this IRC server. # # The matrix room must already exist. Your matrix client should expose 
@@ -277,27 +319,27 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Channel key/password to use. Optional. If provided, matrix users do # # not need to know the channel key in order to join the channel. # # key: "secret" - +# # # Configuration for virtual matrix users. The following variables are # # exposed: # # $NICK => The IRC nick # # $SERVER => The IRC server address (e.g. "irc.example.com") # matrixClients: # # The user ID template to use when creating virtual matrix users. This -# # MUST have $NICK somewhere in it. +# # MUST start with an @ and have $NICK somewhere in it. # # Optional. Default: "@$SERVER_$NICK". # # Example: "@irc.example.com_Alice:example.com" # userTemplate: "@irc_$NICK" # # The display name to use for created matrix clients. This should have # # $NICK somewhere in it if it is specified. Can also use $SERVER to # # insert the IRC domain. -# # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" -# displayName: "$NICK (IRC)" +# # Optional. Default: "$NICK". Example: "Alice" +# displayName: "$NICK" # # Number of tries a client can attempt to join a room before the request # # is discarded. You can also use -1 to never retry or 0 to never give up. # # Optional. Default: -1 # joinAttempts: -1 - +# # # Configuration for virtual IRC users. The following variables are exposed: # # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) # # $USERID => The user ID 
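Review bot: Changing the example `displayName` from `"$NICK (IRC)"` to `"$NICK"` removes the only visible marker that distinguishes a bridged IRC puppet from a native Matrix account; since IRC nicks are freely chosen on most networks, an IRC user can pick a nick equal to a Matrix user's display name and the puppet then looks identical in member lists and message headers, which is a classic display-name impersonation vector. The hunk tracks the upstream default change (the comment now reads `Default: "$NICK"`), but this role's example is what operators copy, so I would keep `displayName: "$NICK (IRC)"` in the example, or at least add `# # Consider keeping a suffix such as " (IRC)" so bridged users cannot be confused with local accounts.`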
@@ -326,9 +368,20 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # connected user. If not specified, all users will connect from the same # # (default) address. This may require additional OS-specific work to allow # # for the node process to bind to multiple different source addresses -# # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library +# # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1 +# # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library # # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. # # prefix: "2001:0db8:85a3::" # modify appropriately +# +# # Optional. Define blocks of IPv6 addresses for different homeservers +# # which can be used to restrict users of those homeservers to a given +# # IP. These blocks should be considered immutable once set, as changing +# # the startFrom value will NOT adjust existing IP addresses. +# # Changing the startFrom value to a lower value may conflict with existing clients. +# # Multiple homeservers may NOT share blocks. +# blocks: +# - homeserver: another-server.org +# startFrom: '10:0000' # # # # The maximum amount of time in seconds that the client can exist # # without sending another message before being disconnected. Use 0 to 
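Review bot: The rewritten comment says `net.ipv6.ip_nonlocal_bind=1` replaces the freebind LD_PRELOAD on kernels 4.3+, but this role runs the bridge as a Docker container (see the image/tag variables at the top of this file), where that sysctl is per network namespace and has to be passed at container start (`--sysctl net.ipv6.ip_nonlocal_bind=1`) rather than set on the host; whether the role's container task does so is not visible here. Binding source addresses out of `prefix` also presupposes the container shares the host network or has the prefix routed to it, which the default bridge network does not provide. I would extend the comment with `# # In a container this sysctl must be set on the container (docker --sysctl) and the prefix routed to it.` The `ipv6:` block this sits in starts before the hunk.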
@@ -365,6 +418,25 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # through the bridge e.g. caller ID as there is no way to /ACCEPT. # # Default: "" (no user modes) # # userModes: "R" +# # The format of the realname defined for users, either mxid or reverse-mxid +# realnameFormat: "mxid" +# # The minimum time to wait between connection attempts if we were disconnected +# # due to throttling. +# # pingTimeoutMs: 600000 +# # The rate at which to send pings to the IRCd if the client is being quiet for a while. +# # Whilst the IRCd *should* be sending pings to us to keep the connection alive, it appears +# # that sometimes they don't get around to it and end up ping timing us out. +# # pingRateMs: 60000 +# # Choose which conditions the IRC bridge should kick Matrix users for. Decisions to this from +# # defaults should be taken with care as it may dishonestly repesent Matrix users on the IRC +# # network, and cause your bridge to be banned. +# kickOn: +# # Kick a Matrix user from a bridged room if they fail to join the IRC channel. +# channelJoinFailure: true +# # Kick a Matrix user from ALL rooms if they are unable to get connected to IRC. +# ircConnectionFailure: true +# # Kick a Matrix user from ALL rooms if they choose to QUIT the IRC network. +# userQuit: true # Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container). # diff --git a/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 b/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 index 94bbda7b812..cd57f542c08 100644 --- a/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 
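Review bot: The new comment above `pingTimeoutMs` describes "the minimum time to wait between connection attempts if we were disconnected due to throttling", which is a reconnect back-off rather than a ping timeout; with the key left commented out an operator cannot tell which of the two the value controls, so the wording should be corrected or the key name checked against the bridge's schema before it is relied on. `repesent` in the `kickOn` preamble is a typo for `represent`. The `kickOn` example also sets all three kick conditions to `true` immediately after a warning that deviating from the defaults can get the bridge banned, without stating what those defaults are; a `# # Default: ...` line taken from the bridge's schema next to the key would resolve that.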
@@ -1,14 +1,13 @@ #jinja2: lstrip_blocks: True +# +# Based on https://github.com/matrix-org/matrix-appservice-irc/blob/8daebec7779a2480180cbc4c293838de649aab36/config.sample.yaml +# +# Configuration specific to AS registration. Unless other marked, all fields +# are *REQUIRED*. +# Unless otherwise specified, these keys CANNOT be hot-reloaded. homeserver: - # The URL to the home server for client-server API calls, also used to form the - # media URLs as displayed in bridged IRC channels: - url: {{ matrix_appservice_irc_homeserver_url }} - # - # The URL of the homeserver hosting media files. This is only used to transform - # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By - # default, this is the homeserver URL, specified above. - # - media_url: {{ matrix_appservice_irc_homeserver_media_url }} + # The URL to the home server for client-server API calls + url: "{{ matrix_appservice_irc_homeserver_url }}" # Drop Matrix messages which are older than this number of seconds, according to # the event's origin_server_ts. 
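Review bot: The `media_url` line is dropped, so the role variable `matrix_appservice_irc_homeserver_media_url` that fed it no longer reaches the rendered config; if the role still declares or documents that variable (its defaults are not in this diff), any value an operator set is now silently ignored, and the media-URL responsibility moves to the new `mediaProxy` block further down the template. I would remove the variable from the role's defaults in the same change or add a validation task that fails when it is still defined, e.g. `- fail: msg: "matrix_appservice_irc_homeserver_media_url is no longer used; configure mediaProxy instead"` with `when: matrix_appservice_irc_homeserver_media_url is defined`. Quoting `url` is a good change on its own, since an unquoted Jinja expansion is at the mercy of YAML scalar parsing.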
@@ -20,41 +19,40 @@ homeserver: # clock times and hence produce different origin_server_ts values, which may be old # enough to cause *all* events from the homeserver to be dropped. # Default: 0 (don't ever drop) + # This key CAN be hot-reloaded. # dropMatrixMessagesAfterSecs: 300 # 5 minutes # The 'domain' part for user IDs on this home server. Usually (but not always) # is the "domain name" part of the HS URL. - domain: {{ matrix_appservice_irc_homeserver_domain }} + domain: "{{ matrix_appservice_irc_homeserver_domain }}" # Should presence be enabled for matrix clients on this bridge. If disabled on the # homeserver then it should also be disabled here to avoid excess traffic. # Default: true enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }} -ircService: - # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot - # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in - # the database. - # - # To generate a .pem file: - # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 - # - # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords - # for storage in the database. Passwords are stored by using the admin room command - # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of - # the Matrix user, this password will be sent as the server password (PASS command). - passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification + # Which port should the appservice bind to. Can be overriden by the one provided in the + # command line! Optional. + # bindPort: 8090 - # Config for Matrix -> IRC bridging - matrixHandler: - # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). - eventCacheSize: 4096 + # Use this option to force the appservice to listen on another hostname for transactions. + # This is NOT your synapse hostname. 
E.g. use 127.0.0.1 to only listen locally. Optional. + # bindHostname: 0.0.0.0 +# Configuration specific to the IRC service +ircService: + # All server keys can be hot-reloaded, however existing IRC connections + # will not have changes applied to them. servers: {{ matrix_appservice_irc_ircService_servers|to_json }} + # present relevant UI to the user. MSC2346 + bridgeInfoState: + enabled: false + initial: false # Configuration for an ident server. If you are running a public bridge it is # advised you setup an ident server so IRC mods can ban specific matrix users # rather than the application service itself. + # This key CANNOT be hot-reloaded ident: # True to listen for Ident requests and respond with the # matrix user's user_id (converted to ASCII, respecting RFC 1413). 
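Review bot: This hunk deletes `passwordEncryptionKeyPath: "/data/passkey.pem"` from `ircService` together with its explanation, and no hunk in this diff re-adds the key; if it is not set elsewhere in the rendered template, the bridge loses the RSA key it uses to decrypt the per-user IRC passwords saved via `!storepass`, so existing stored passwords become unusable and new ones cannot be saved (the removed comment itself states that passwords are stored encrypted with this key). The key file the role presumably provisions at `/data/passkey.pem` would then also be dead data that should be cleaned up or re-referenced. Either restore `passwordEncryptionKeyPath: "/data/passkey.pem"` under `ircService:` or document the intentional drop and the migration path for deployments that have stored passwords. The `ircService` mapping continues past this hunk.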
@@ -71,49 +69,62 @@ ircService: # Default: 0.0.0.0 address: "::" + # Encoding fallback - which text encoding to try if text is not UTF-8. Default: not set. + # List of supported encodings: https://www.npmjs.com/package/iconv#supported-encodings + # encodingFallback: "ISO-8859-15" + # Configuration for logging. Optional. Default: console debug level logging # only. logging: # Level to log on console/logfile. One of error|warn|info|debug level: "debug" # The file location to log to. This is relative to the project directory. - #logfile: "debug.log" + logfile: "debug.log" # The file location to log errors to. This is relative to the project # directory. - #errfile: "errors.log" + errfile: "errors.log" # Whether to log to the console or not. toConsole: true # The max number of files to keep. Files will be overwritten eventually due # to rotations. maxFiles: 5 - # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: - # $ npm install prom-client@6.3.0 # Metrics will then be available via GET /metrics on the bridge listening port (-p). + # This key CANNOT be hot-reloaded metrics: # Whether to actually enable the metric endpoint. Default: false enabled: true + # Which port to listen on (omit to listen on the bindPort) + #port: 7001 + # Which hostname to listen on (omit to listen on 127.0.0.1), requires port to be set + host: 127.0.0.1 + # When determining activeness of remote and matrix users, cut off at this number of hours. + userActivityThresholdHours: 72 # 3 days # When collecting remote user active times, which "buckets" should be used. Defaults are given below. # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). remoteUserAgeBuckets: - "1h" - "1d" - "1w" - # Configuration for the provisioning API. 
- # - # GET /_matrix/provision/link - # GET /_matrix/provision/unlink - # GET /_matrix/provision/listlinks - # + # This key CANNOT be hot-reloaded provisioning: # True to enable the provisioning HTTP endpoint. Default: false. enabled: false - # The number of seconds to wait before giving up on getting a response from - # an IRC channel operator. If the channel operator does not respond within the - # allotted time period, the provisioning request will fail. - # Default: 300 seconds (5 mins) - requestTimeoutSeconds: 300 + # Whether to enable hosting the setup widget page. Default: false. + widget: false + + # Config for the media proxy, required to serve publically accessible URLs to authenticated Matrix media + mediaProxy: + # To generate a .jwk file: + # $ node src/generate-signing-key.js > signingkey.jwk + signingKeyPath: "signingkey.jwk" + # How long should the generated URLs be valid for + ttlSeconds: 3600 + # The port for the media proxy to listen on + bindPort: 11111 + # The publically accessible URL to the media proxy + publicUrl: "https://irc.bridge/media" # Options here are generally only applicable to large-scale bridges and may have # consequences greater than other options in this configuration file. 
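Review bot: The new `mediaProxy` block is rendered with the upstream sample's placeholder values — `publicUrl: "https://irc.bridge/media"`, `bindPort: 11111` and a relative `signingKeyPath: "signingkey.jwk"` — instead of role variables, so every deployment will advertise a media URL that does not resolve and look for a signing key in the container's working directory that nothing in this diff generates or persists; these should become `matrix_appservice_irc_mediaProxy_*` variables with the key stored under `/data` alongside the other persisted state. In the `metrics` section, `host: 127.0.0.1` has no effect because the comment above it says it requires `port` to be set and `port` is left commented out, so per the preceding comment `/metrics` is served on the main appservice listener (the bindPort the homeserver talks to) rather than on loopback; either set `port: 7001` or drop `host` so the file does not suggest a restriction that is not applied. Uncommenting `logfile`/`errfile` while `level` is `"debug"` also turns debug output, which may include user IDs and message metadata, into persistent rotated files; `maxFiles: 5` bounds the count but not the size, so consider `level: "info"` or a size cap for the file sinks. `ircService` continues past this hunk.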
@@ -122,13 +133,18 @@ advanced: # however for large bridges it is important to rate limit the bridge to avoid # accidentally overloading the homeserver. Defaults to 1000, which should be # enough for the vast majority of use cases. + # This key CAN be hot-reloaded maxHttpSockets: 1000 + # Max size of an appservice transaction payload, in bytes. Defaults to 10Mb + # This key CANNOT be hot-reloaded. + maxTxnSize: 10000000 # Use an external database to store bridge state. +# This key CANNOT be hot-reloaded. database: # database engine (must be 'postgres' or 'nedb'). Default: nedb engine: {{ matrix_appservice_irc_database_engine|to_json }} # Either a PostgreSQL connection string, or a path to the NeDB storage directory. # For postgres, it must start with postgres:// # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: {{ matrix_appservice_irc_database_connectionString|to_json }} + connectionString: {{ matrix_appservice_irc_database_connectionString