helm-charts/mautrix-signal/values.yaml

global:
  image:
    # -- if set it will overwrite all registry entries
    registry:
    # -- if set it will overwrite all pullPolicy
    pullPolicy:

replicaCount: 1

image:
  registry: dock.mau.dev
  repository: mautrix/signal
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""
  pullPolicy: IfNotPresent

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

config:
  # Bridge config
  bridge:
    # -- The prefix for commands. Only required in non-management rooms.
    command_prefix: '!signal'
    # -- Should the bridge create a space for each login containing the rooms that account is in?
    personal_filtering_spaces: true
    # -- Whether the bridge should set names and avatars explicitly for DM portals.
    # This is only necessary when using clients that don't support MSC4171.
    private_chat_portal_meta: false

    # -- Should leaving Matrix rooms be bridged as leaving groups on the remote network?
    bridge_matrix_leave: false
    # -- Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
    # Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
    tag_only_on_create: true
    # -- Should room mute status only be synced when creating the portal?
    # Like tags, mutes can't currently be synced back to the remote network.
    mute_only_on_create: true

    # What should be done to portal rooms when a user logs out or is logged out?
    # Permitted values:
    #   nothing - Do nothing, let the user stay in the portals
    #   kick - Remove the user from the portal rooms, but don't delete them
    #   unbridge - Remove all ghosts in the room and disassociate it from the remote chat
    #   delete - Remove all ghosts and users from the room (i.e. delete it)
    cleanup_on_logout:
      # -- Should cleanup on logout be enabled at all?
      enabled: false
      # Settings for manual logouts (explicitly initiated by the Matrix user)
      manual:
        # -- Action for private portals which will never be shared with other Matrix users.
        private: nothing
        # -- Action for portals with a relay user configured.
        relayed: nothing
        # -- Action for portals which may be shared, but don't currently have any other Matrix users.
        shared_no_users: nothing
        # -- Action for portals which have other logged-in Matrix users.
        shared_has_users: nothing
      # Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
      # Keys have the same meanings as in the manual section.
      bad_credentials:
        private: nothing
        relayed: nothing
        shared_no_users: nothing
        shared_has_users: nothing

    # Settings for relay mode
    relay:
      # -- Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
      # authenticated user into a relaybot for that chat.
      enabled: false
      # -- Should only admins be allowed to set themselves as relay users?
      admin_only: true
      # -- List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
      default_relays: []
      # -- The formats to use when sending messages via the relaybot.
      # Available variables:
      #   .Sender.UserID - The Matrix user ID of the sender.
      #   .Sender.Displayname - The display name of the sender (if set).
      #   .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
      #   .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
      #                               plus the user ID in parentheses if the displayname is not unique.
      #                               If the displayname is not set, this is just the user ID.
      #   .Message - The `formatted_body` field of the message.
      #   .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
      #   .FileName - The name of the file being sent.
      message_formats:
        m.text: "<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}"
        m.notice: "<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}"
        m.emote: "* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}"
        m.file: "<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}"
        m.image: "<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}"
        m.audio: "<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}"
        m.video: "<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}"
        m.location: "<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}"
      # -- For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
      # This has all the Sender variables available under message_formats (but without the .Sender prefix).
      # Note that you need to manually remove the displayname from message_formats above.
      displayname_format: "{{ .DisambiguatedName }}"
  
    # -- Permissions for using the bridge.
    # Permitted values:
    #    relay - Talk through the relaybot (if enabled), no access otherwise
    # commands - Access to use commands in the bridge, but not login.
    #     user - Access to use the bridge with puppeting.
    #    admin - Full access, user level with some additional administration tools.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions:
      "*": relay
      "example.com": user
      "@admin:example.com": admin


  # Database config.
  database:
    # -- The database type. "sqlite3-fk-wal" and "postgres" are supported.
    type: postgres
    # -- The database URI.
    #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
    #           https://github.com/mattn/go-sqlite3#connection-string
    #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
    #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
    uri: postgres://user:password@host/database?sslmode=disable
    # -- Maximum number of connections. Mostly relevant for Postgres.
    max_open_conns: 20
    max_idle_conns: 2
    # -- Maximum connection idle time and lifetime before they're closed. Disabled if null.
    # Parsed with https://pkg.go.dev/time#ParseDuration
    max_conn_idle_time: null
    max_conn_lifetime: null

  # Homeserver details.
  homeserver:
    # -- The address that this appservice can use to connect to the homeserver.
    address: https://matrix.example.com
    # -- The domain of the homeserver (also known as server_name, used for MXIDs, etc).
    domain: example.com
    # -- Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
    async_media: false
    public_address:

    # -- What software is the homeserver running?
    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
    software: standard
    # -- The URL to push real-time bridge status to.
    # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
    # The bridge will use the appservice as_token to authorize requests.
    status_endpoint: null
    # -- Endpoint for reporting per-message status.
    message_send_checkpoint_endpoint: null

    # -- Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
    # mautrix-asmux (deprecated), and hungryserv (proprietary).
    websocket: false
    websocket_proxy: ""
    # -- How often should the websocket be pinged? Pinging will be disabled if this is zero.
    ping_interval_seconds: 0

  
  # Application service host/registration related details.
  # Changing these values requires regeneration of the registration.
  appservice:
    # -- The address that the homeserver can use to connect to this appservice.
    address: http://localhost:29328
    public_address:
    # -- The hostname and port where this appservice should listen.
    hostname: 0.0.0.0
    port: 29328

    # -- The unique ID of this appservice.
    id: signal
    # Appservice bot details.
    bot:
      # -- Username of the appservice bot.
      username: signalbot
      # -- Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
      # to leave display name/avatar as-is.
      displayname: Signal bridge bot
      avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp

    as_token: ""
    hs_token: ""

    # -- Whether or not to receive ephemeral events via appservice transactions.
    # Requires MSC2409 support (i.e. Synapse 1.22+).
    ephemeral_events: true
    # -- Should incoming events be handled asynchronously?
    # This may be necessary for large public instances with lots of messages going through.
    # However, messages will not be guaranteed to be bridged in the same order they were sent in.
    async_transactions: false

    # -- Localpart template of MXIDs for Signal users.
    # {{.}} is replaced with the internal ID of the Signal user.
    username_template: signal_{{.}}

  matrix:
    # -- Should the bridge send a read receipt from the bridge bot when a message has been sent to Signal?
    delivery_receipts: false
    # -- Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
    message_status_events: false
    # -- Whether the bridge should send error notices via m.notice events when a message fails to bridge.
    message_error_notices: true
    # -- Should the bridge update the m.direct account data event when double puppeting is enabled.
    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
    # and is therefore prone to race conditions.
    sync_direct_chat_list: false
    # -- Whether or not created rooms should have federation enabled.
    # If false, created portal rooms will never be federated.
    federate_rooms: true
    
  # Settings for provisioning API
  provisioning:
    # -- Prefix for the provisioning API paths.
    prefix: /_matrix/provision
    # -- Shared secret for authentication. If set to "generate", a random secret will be generated,
    # or if set to "disable", the provisioning API will be disabled.
    shared_secret: generate
    # -- Enable debug API at /debug with provisioning authentication.
    debug_endpoints: false

  # Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
  # These settings control whether the bridge will provide such public media access.
  public_media:
    # -- Should public media be enabled at all?
    # The public_address field under the appservice section MUST be set when enabling public media.
    enabled: false
    # -- A key for signing public media URLs.
    # If set to "generate", a random key will be generated.
    signing_key: generate
    # -- Number of seconds that public media URLs are valid for.
    # If set to 0, URLs will never expire.
    expiry: 0
    # -- Length of hash to use for public media URLs. Must be between 0 and 32.
    hash_length: 32

  # Settings for converting remote media to custom mxc:// URIs instead of reuploading.
  # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
  direct_media:
    # -- Should custom mxc:// URIs be used instead of reuploading media?
    enabled: false
    # -- The server name to use for the custom mxc:// URIs.
    # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
    # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
    server_name: discord-media.example.com
    # -- Optionally a custom .well-known response. This defaults to `server_name:443`
    well_known_response:
    # -- Optionally specify a custom prefix for the media ID part of the MXC URI.
    media_id_prefix:
    # -- If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
    # media download redirects if the requester supports it. Optionally, you can force redirects
    # and not allow proxying at all by setting this to false.
    # This option does nothing if the remote network does not support media downloads over HTTP.
    allow_proxy: true
    # -- Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
    # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
    server_key: ""

  # Settings for backfilling messages.
  # Note that the exact way settings are applied depends on the network connector.
  # See https://docs.mau.fi/bridges/general/backfill.html for more details.
  backfill:
    # -- Whether to do backfilling at all.
    enabled: false
    # -- Maximum number of messages to backfill in empty rooms.
    max_initial_messages: 50
    # -- Maximum number of missed messages to backfill after bridge restarts.
    max_catchup_messages: 500
    # -- If a backfilled chat is older than this number of hours,
    # mark it as read even if it's unread on the remote network.
    unread_hours_threshold: 720
    # Settings for backfilling threads within other backfills.
    threads:
        # -- Maximum number of messages to backfill in a new thread.
        max_initial_messages: 50
    # Settings for the backwards backfill queue. This only applies when connecting to
    # Beeper as standard Matrix servers don't support inserting messages into history.
    queue:
        # -- Should the backfill queue be enabled?
        enabled: false
        # -- Number of messages to backfill in one batch.
        batch_size: 100
        # -- Delay between batches in seconds.
        batch_delay: 20
        # -- Maximum number of batches to backfill per portal.
        # If set to -1, all available messages will be backfilled.
        max_batches: -1
        # -- Optional network-specific overrides for max batches.
        # Interpretation of this field depends on the network connector.
        max_batches_override: {}


  # Settings for enabling double puppeting
  double_puppet:
    # -- Servers to always allow double puppeting from.
    # This is only for other servers and should NOT contain the server the bridge is on.
    servers:
      example.com: https://example.com
    # -- Whether to allow client API URL discovery for other servers. When using this option,
    # users on other servers can use double puppeting even if their server URLs aren't
    # explicitly added to the servers map above.
    allow_discovery: false
    # -- Shared secrets for automatic double puppeting.
    # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
    secrets:
      example.com: as_token:foobar

  # End-to-bridge encryption support options.
  #
  # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
  encryption:
    # -- Allow encryption, work in group chat rooms with e2ee enabled
    allow: false
    # -- Default to encryption, force-enable encryption in all portals the bridge creates
    # This will cause the bridge bot to be in private chats for the encryption to work properly.
    default: false
    # -- Require encryption, drop any unencrypted messages.
    require: false
    # -- Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
    appservice: false
    plaintext_mentions:
    pickle_key:
    # -- Options for deleting megolm sessions from the bridge.
    delete_keys:
      # -- Beeper-specific: delete outbound sessions when hungryserv confirms
      # that the user has uploaded the key to key backup.
      delete_outbound_on_ack: false
      # -- Don't store outbound sessions in the inbound table.
      dont_store_outbound: false
      # -- Ratchet megolm sessions forward after decrypting messages.
      ratchet_on_decrypt: false
      # -- Delete fully used keys (index >= max_messages) after decrypting messages.
      delete_fully_used_on_decrypt: false
      # -- Delete previous megolm sessions from same device when receiving a new one.
      delete_prev_on_new_session: false
      # -- Delete megolm sessions received from a device when the device is deleted.
      delete_on_device_delete: false
      # -- Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
      periodically_delete_expired: false
      # -- Delete inbound megolm sessions that don't have the received_at field used for
      # automatic ratcheting and expired session deletion. This is meant as a migration
      # to delete old keys prior to the bridge update.
      delete_outdated_inbound: false
    # What level of device verification should be required from users?
    #
    # Valid levels:
    #   unverified - Send keys to all device in the room.
    #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
    #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
    #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
    #                           Note that creating user signatures from the bridge bot is not currently possible.
    #   verified - Require manual per-device verification
    #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
    verification_levels:
      # -- Minimum level for which the bridge should send keys to when bridging messages from Signal to Matrix.
      receive: unverified
      # -- Minimum level that the bridge should accept for incoming Matrix messages.
      send: unverified
      # -- Minimum level that the bridge should require for accepting key requests.
      share: cross-signed-tofu
    # -- Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
    # You must use a client that supports requesting keys from other users to use this feature.
    allow_key_sharing: false
    # Options for Megolm room key rotation. These options allow you to
    # configure the m.room.encryption event content. See:
    # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
    # more information about that event.
    rotation:
      # -- Enable custom Megolm room key rotation settings. Note that these
      # settings will only apply to rooms created after this option is
      # set.
      enable_custom: false
      # -- The maximum number of milliseconds a session should be used
      # before changing it. The Matrix spec recommends 604800000 (a week)
      # as the default.
      milliseconds: 604800000
      # -- The maximum number of messages that should be sent with a given a
      # session before changing it. The Matrix spec recommends 100 as the
      # default.
      messages: 100

      # -- Disable rotating keys when a user's devices change?
      # You should not enable this option unless you understand all the implications.
      disable_device_change_key_rotation: false


  # Logging config. See https://github.com/tulir/zeroconfig for details.
  logging:
    min_level: warn
    writers:
      - type: stdout
        format: json

  # Messages sent upon joining a management room.
  # Markdown is supported. The defaults are listed below.
  management_room_text:
    # -- Sent when joining a room.
    welcome: "Hello, I'm a Signal bridge bot."
    # -- Sent when joining a management room and the user is already logged in.
    welcome_connected: "Use `help` for help."
    # -- Sent when joining a management room and the user is not logged in.
    welcome_unconnected: "Use `help` for help or `login` to log in."
    # -- Optional extra text sent when joining a management room.
    additional_help: ""

  signal:
    # -- Displayname template for Signal users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
    # {{.ProfileName}} - The Signal profile name set by the user.
    # {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
    # {{.PhoneNumber}} - The phone number of the user.
    # {{.UUID}} - The UUID of the Signal user.
    # {{.AboutEmoji}} - The emoji set by the user in their profile.
    displayname_template: '{{ printf "%s (%s) %s" (or .ProfileName .ContactName "Unknown user") (or .PhoneNumber "Unknown number" (or .AboutEmoji "")}}'
    # -- Should avatars from the user's contact list be used? This is not safe on multi-user instances.
    use_contact_avatars: false
    # -- Should the bridge request the user's contact list from the phone on startup?
    sync_contacts_on_startup: true
    # -- Should the bridge sync ghost user info even if profile fetching fails? This is not safe on multi-user instances.
    use_outdated_profiles: false
    # -- Should the Signal user's phone number be included in the room topic in private chat portal rooms?
    number_in_topic: true
    # -- Default device name that shows up in the Signal app.
    device_name: mautrix-signal
    # Avatar image for the Note to Self room.
    note_to_self_avatar: mxc://maunium.net/REBIVrqjZwmaWpssCZpBlmlL
    # Format for generating URLs from location messages for sending to Signal.
    # Google Maps: 'https://www.google.com/maps/place/%[1]s,%[2]s'
    # OpenStreetMap: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s'
    location_format: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s'

registration:
  # token from config.appservice.id
  # id:
  # taken from config.appservice.address
  # url:
  # taken from config.appservice.as_token default: self-generate
  # as_token:
  # taken from config.appservice.hs_token default: self-generate
  # hs_token:
  # take from config.appservice.bot.username
  # sender_localpart: signalbot
  rate_limited: false
  namespaces:
    users:
      - regex: ^@signalbot:example.org$
        exclusive: true
      - regex: ^@signal_.*:example.org$
        exclusive: true
  de.sorunome.msc2409.push_ephemeral: true
  push_ephemeral: true

serviceAccount:
  # Specifies whether a service account should be created
  create: false
  # Automatically mount a ServiceAccount's API credentials?
  automount: false
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}
podLabels: {}

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: ClusterIP

ingress:
  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

livenessProbe:
  httpGet:
    path: /_matrix/mau/live
    port: http
readinessProbe:
  httpGet:
    path: /_matrix/mau/ready
    port: http

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
#   secret:
#     secretName: mysecret
#     optional: false

# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
#   mountPath: "/etc/foo"
#   readOnly: true

nodeSelector: {}

tolerations: []

affinity: {}

persistence:
  # -- Enable persistence using Persistent Volume Claims
  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
  enabled: true
  annotations: {}
  # -- Persistent Volume Storage Class
  # If defined, storageClassName: <storageClass>
  # If set to "-", storageClassName: "", which disables dynamic provisioning
  # If undefined (the default) or set to null, no storageClassName spec is
  #   set, choosing the default provisioner.  (gp2 on AWS, standard on
  #   GKE, AWS & OpenStack)
  storageClass:

  # -- A manually managed Persistent Volume and Claim
  # Requires persistence.enabled: true
  # If defined, PVC must be created manually before volume will be bound
  existingClaim:

  # --  Do not create an PVC, direct use hostPath in Pod
  hostPath:
  # --  accessMode
  accessMode: ReadWriteOnce
  # -- size
  size: 10Gi