wrenix/helm-charts
1
0
Fork 0
Code Issues 8 Pull requests 8 Projects Packages Activity

feat(mautrix-signal): init

Browse source
This commit is contained in:
WrenIX 2024-02-19 00:08:20 +01:00
parent 9c1ed80503
commit 2cc0b0472f
Signed by: wrenix
GPG key ID: 7AFDB012974B1BB5
18 changed files with 1708 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
docs/modules/charts/nav.adoc
View file

@ -11,6 +11,7 @@
** xref:hydrogen-web.adoc[hydrogen-web]
** xref:jellyfin.adoc[jellyfin]
** xref:matrix-synapse.adoc[matrix-synapse]
** xref:mautrix-signal.adoc[mautrix-signal]
** xref:miniserve.adoc[miniserve]
** xref:monitoring.adoc[monitoring]
** xref:ntfy.adoc[ntfy]

1
docs/modules/charts/pages/mautrix-signal.adoc Symbolic link
View file

@ -0,0 +1 @@
../../../../mautrix-signal/README.adoc

23
mautrix-signal/.helmignore Normal file
View file

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

10
mautrix-signal/Chart.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v2
name: mautrix-signal
description: A Matrix-Signal puppeting bridge.
type: application
version: 0.0.1
# renovate: image=dock.mau.dev/mautrix/signal
appVersion: "0.5.0"
maintainers:
- name: WrenIX
url: https://wrenix.eu

765
mautrix-signal/README.adoc Normal file
View file

@ -0,0 +1,765 @@
= mautrix-signal
image::https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square[Version: 0.0.1]
image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
image::https://img.shields.io/badge/AppVersion-0.5.0-informational?style=flat-square[AppVersion: 0.5.0]
== Maintainers
.Maintainers
|===
| Name | Email | Url
| WrenIX
|
| <https://wrenix.eu>
|===
= Alpha
WARNING
====
We stop working on this Helm-Chart.
There are still many breaking change like:
* https://github.com/stalwartlabs/mail-server/issues/211[storage.fts in toml configuration has two meanings]
We hope that stalward mail-server becomes more stable.
====
== Usage
Helm must be installed and setup to your kubernetes cluster to use the charts.
Refer to Helm's https://helm.sh/docs[documentation] to get started.
Once Helm has been set up correctly, fetch the charts as follows:
[source,bash]
----
helm pull oci://codeberg.org/wrenix/helm-charts/mautrix-signal
----
You can install a chart release using the following command:
[source,bash]
----
helm install mautrix-signal-release oci://codeberg.org/wrenix/helm-charts/mautrix-signal --values values.yaml
----
To uninstall a chart release use `helm`'s delete command:
[source,bash]
----
helm uninstall mautrix-signal-release
----
== Values
.Values
|===
| Key | Type | Default | Description
| affinity
| object
| `{}`
|
| autoscaling.enabled
| bool
| `false`
|
| autoscaling.maxReplicas
| int
| `100`
|
| autoscaling.minReplicas
| int
| `1`
|
| autoscaling.targetCPUUtilizationPercentage
| int
| `80`
|
| config.appservice.address
| string
| `"http://localhost:29328"`
| The address that the homeserver can use to connect to this appservice.
| config.appservice.async_transactions
| bool
| `false`
| Should incoming events be handled asynchronously? This may be necessary for large public instances with lots of messages going through. However, messages will not be guaranteed to be bridged in the same order they were sent in.
| config.appservice.bot.avatar
| string
| `"mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp"`
|
| config.appservice.bot.displayname
| string
| `"Signal bridge bot"`
| Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty to leave display name/avatar as-is.
| config.appservice.bot.username
| string
| `"signalbot"`
| Username of the appservice bot.
| config.appservice.database.max_conn_idle_time
| string
| `nil`
| Maximum connection idle time and lifetime before they're closed. Disabled if null. Parsed with https://pkg.go.dev/time#ParseDuration
| config.appservice.database.max_conn_lifetime
| string
| `nil`
|
| config.appservice.database.max_idle_conns
| int
| `2`
|
| config.appservice.database.max_open_conns
| int
| `20`
| Maximum number of connections. Mostly relevant for Postgres.
| config.appservice.database.type
| string
| `"postgres"`
| The database type. "sqlite3-fk-wal" and "postgres" are supported.
| config.appservice.database.uri
| string
| `"postgres://user:password@host/database?sslmode=disable"`
| The database URI. SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended. https://github.com/mattn/go-sqlite3#connection-string Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
| config.appservice.ephemeral_events
| bool
| `true`
| Whether or not to receive ephemeral events via appservice transactions. Requires MSC2409 support (i.e. Synapse 1.22+).
| config.appservice.hostname
| string
| `"0.0.0.0"`
| The hostname and port where this appservice should listen.
| config.appservice.id
| string
| `"signal"`
| The unique ID of this appservice.
| config.appservice.port
| int
| `29328`
|
| config.bridge
| object
| `{"bridge_notices":true,"caption_in_message":false,"command_prefix":"!signal","delivery_receipts":false,"displayname_template":"{{or .ProfileName .PhoneNumber \"Unknown user\"}}","double_puppet_allow_discovery":false,"double_puppet_server_map":{"example.com":"https://example.com"},"encryption":{"allow":false,"allow_key_sharing":false,"appservice":false,"default":false,"delete_keys":{"delete_fully_used_on_decrypt":false,"delete_on_device_delete":false,"delete_outbound_on_ack":false,"delete_outdated_inbound":false,"delete_prev_on_new_session":false,"dont_store_outbound":false,"periodically_delete_expired":false,"ratchet_on_decrypt":false},"require":false,"rotation":{"disable_device_change_key_rotation":false,"enable_custom":false,"messages":100,"milliseconds":604800000},"verification_levels":{"receive":"unverified","send":"unverified","share":"cross-signed-tofu"}},"federate_rooms":true,"login_shared_secret_map":{"example.com":"foobar"},"management_room_text":{"additional_help":"","welcome":"Hello, I'm a Signal bridge bot.","welcome_connected":"Use `help` for help.","welcome_unconnected":"Use `help` for help or `login` to log in."},"message_error_notices":true,"message_handling_timeout":{"deadline":"120s","error_after":null},"message_status_events":false,"note_to_self_avatar":"mxc://maunium.net/REBIVrqjZwmaWpssCZpBlmlL","number_in_topic":true,"permissions":{"*":"relay","@admin:example.com":"admin","example.com":"user"},"personal_filtering_spaces":false,"portal_message_buffer":128,"private_chat_portal_meta":"default","provisioning":{"debug_endpoints":false,"prefix":"/_matrix/provision","shared_secret":"generate"},"public_portals":false,"relay":{"admin_only":true,"enabled":false,"message_formats":{"m.audio":"<b>{{ .Sender.Displayname }}</b> sent an audio file","m.emote":"* <b>{{ .Sender.Displayname }}</b> {{ .Message }}","m.file":"<b>{{ .Sender.Displayname }}</b> sent a file","m.image":"<b>{{ .Sender.Displayname }}</b> sent an image","m.location":"<b>{{ .Sender.Displayname }}</b> sent a location","m.notice":"<b>{{ .Sender.Displayname }}</b>: {{ .Message }}","m.text":"<b>{{ .Sender.Displayname }}</b>: {{ .Message }}","m.video":"<b>{{ .Sender.Displayname }}</b> sent a video"}},"resend_bridge_info":false,"sync_direct_chat_list":false,"use_contact_avatars":false,"username_template":"signal_{{.}}"}`
| Bridge config
| config.bridge.bridge_notices
| bool
| `true`
| Should Matrix m.notice-type messages be bridged?
| config.bridge.caption_in_message
| bool
| `false`
| Send captions in the same message as images. This will send data compatible with both MSC2530. This is currently not supported in most clients.
| config.bridge.command_prefix
| string
| `"!signal"`
| The prefix for commands. Only required in non-management rooms.
| config.bridge.delivery_receipts
| bool
| `false`
| Should the bridge send a read receipt from the bridge bot when a message has been sent to Signal?
| config.bridge.displayname_template
| string
| `"{{or .ProfileName .PhoneNumber \"Unknown user\"}}"`
| Displayname template for Signal users. This is also used as the room name in DMs if private_chat_portal_meta is enabled. {{.ProfileName}} - The Signal profile name set by the user. {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances. {{.PhoneNumber}} - The phone number of the user. {{.UUID}} - The UUID of the Signal user. {{.AboutEmoji}} - The emoji set by the user in their profile.
| config.bridge.double_puppet_allow_discovery
| bool
| `false`
| Allow using double puppeting from any server with a valid client .well-known file.
| config.bridge.double_puppet_server_map
| object
| `{"example.com":"https://example.com"}`
| Servers to always allow double puppeting from
| config.bridge.encryption.allow
| bool
| `false`
| Allow encryption, work in group chat rooms with e2ee enabled
| config.bridge.encryption.allow_key_sharing
| bool
| `false`
| Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. You must use a client that supports requesting keys from other users to use this feature.
| config.bridge.encryption.appservice
| bool
| `false`
| Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
| config.bridge.encryption.default
| bool
| `false`
| Default to encryption, force-enable encryption in all portals the bridge creates This will cause the bridge bot to be in private chats for the encryption to work properly.
| config.bridge.encryption.delete_keys
| object
| `{"delete_fully_used_on_decrypt":false,"delete_on_device_delete":false,"delete_outbound_on_ack":false,"delete_outdated_inbound":false,"delete_prev_on_new_session":false,"dont_store_outbound":false,"periodically_delete_expired":false,"ratchet_on_decrypt":false}`
| Options for deleting megolm sessions from the bridge.
| config.bridge.encryption.delete_keys.delete_fully_used_on_decrypt
| bool
| `false`
| Delete fully used keys (index >= max_messages) after decrypting messages.
| config.bridge.encryption.delete_keys.delete_on_device_delete
| bool
| `false`
| Delete megolm sessions received from a device when the device is deleted.
| config.bridge.encryption.delete_keys.delete_outbound_on_ack
| bool
| `false`
| Beeper-specific: delete outbound sessions when hungryserv confirms that the user has uploaded the key to key backup.
| config.bridge.encryption.delete_keys.delete_outdated_inbound
| bool
| `false`
| Delete inbound megolm sessions that don't have the received_at field used for automatic ratcheting and expired session deletion. This is meant as a migration to delete old keys prior to the bridge update.
| config.bridge.encryption.delete_keys.delete_prev_on_new_session
| bool
| `false`
| Delete previous megolm sessions from same device when receiving a new one.
| config.bridge.encryption.delete_keys.dont_store_outbound
| bool
| `false`
| Don't store outbound sessions in the inbound table.
| config.bridge.encryption.delete_keys.periodically_delete_expired
| bool
| `false`
| Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
| config.bridge.encryption.delete_keys.ratchet_on_decrypt
| bool
| `false`
| Ratchet megolm sessions forward after decrypting messages.
| config.bridge.encryption.require
| bool
| `false`
| Require encryption, drop any unencrypted messages.
| config.bridge.encryption.rotation.disable_device_change_key_rotation
| bool
| `false`
| Disable rotating keys when a user's devices change? You should not enable this option unless you understand all the implications.
| config.bridge.encryption.rotation.enable_custom
| bool
| `false`
| Enable custom Megolm room key rotation settings. Note that these settings will only apply to rooms created after this option is set.
| config.bridge.encryption.rotation.messages
| int
| `100`
| The maximum number of messages that should be sent with a given a session before changing it. The Matrix spec recommends 100 as the default.
| config.bridge.encryption.rotation.milliseconds
| int
| `604800000`
| The maximum number of milliseconds a session should be used before changing it. The Matrix spec recommends 604800000 (a week) as the default.
| config.bridge.encryption.verification_levels.receive
| string
| `"unverified"`
| Minimum level for which the bridge should send keys to when bridging messages from Signal to Matrix.
| config.bridge.encryption.verification_levels.send
| string
| `"unverified"`
| Minimum level that the bridge should accept for incoming Matrix messages.
| config.bridge.encryption.verification_levels.share
| string
| `"cross-signed-tofu"`
| Minimum level that the bridge should require for accepting key requests.
| config.bridge.federate_rooms
| bool
| `true`
| Whether or not created rooms should have federation enabled. If false, created portal rooms will never be federated.
| config.bridge.login_shared_secret_map
| object
| `{"example.com":"foobar"}`
| Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth If set, double puppeting will be enabled automatically for local users instead of users having to find an access token and run `login-matrix` manually.
| config.bridge.management_room_text.additional_help
| string
| `""`
| Optional extra text sent when joining a management room.
| config.bridge.management_room_text.welcome
| string
| `"Hello, I'm a Signal bridge bot."`
| Sent when joining a room.
| config.bridge.management_room_text.welcome_connected
| string
| `"Use `help` for help."`
| Sent when joining a management room and the user is already logged in.
| config.bridge.management_room_text.welcome_unconnected
| string
| `"Use `help` for help or `login` to log in."`
| Sent when joining a management room and the user is not logged in.
| config.bridge.message_error_notices
| bool
| `true`
| Whether the bridge should send error notices via m.notice events when a message fails to bridge.
| config.bridge.message_handling_timeout
| object
| `{"deadline":"120s","error_after":null}`
| Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration Null means there's no enforced timeout.
| config.bridge.message_handling_timeout.deadline
| string
| `"120s"`
| Drop messages after this timeout. They may still go through if the message got sent to the servers. This is counted from the time the bridge starts handling the message.
| config.bridge.message_handling_timeout.error_after
| string
| `nil`
| Send an error message after this timeout, but keep waiting for the response until the deadline. This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay. If the message is older than this when it reaches the bridge, the message won't be handled at all.
| config.bridge.message_status_events
| bool
| `false`
| Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
| config.bridge.note_to_self_avatar
| string
| `"mxc://maunium.net/REBIVrqjZwmaWpssCZpBlmlL"`
| Avatar image for the Note to Self room.
| config.bridge.number_in_topic
| bool
| `true`
| Should the Signal user's phone number be included in the room topic in private chat portal rooms?
| config.bridge.personal_filtering_spaces
| bool
| `false`
| Should the bridge create a space for each logged-in user and add bridged rooms to it? Users who logged in before turning this on should run `!signal sync-space` to create and fill the space for the first time.
| config.bridge.private_chat_portal_meta
| string
| `"default"`
| Whether to explicitly set the avatar and room name for private chat portal rooms. If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. If set to `always`, all DM rooms will have explicit names and avatars set. If set to `never`, DM rooms will never have names and avatars set.
| config.bridge.provisioning.debug_endpoints
| bool
| `false`
| Enable debug API at /debug with provisioning authentication.
| config.bridge.provisioning.prefix
| string
| `"/_matrix/provision"`
| Prefix for the provisioning API paths.
| config.bridge.provisioning.shared_secret
| string
| `"generate"`
| Shared secret for authentication. If set to "generate", a random secret will be generated, or if set to "disable", the provisioning API will be disabled.
| config.bridge.public_portals
| bool
| `false`
| Whether or not to make portals of groups that don't need approval of an admin to join by invite link publicly joinable on Matrix.
| config.bridge.relay.admin_only
| bool
| `true`
| Should only admins be allowed to set themselves as relay users?
| config.bridge.relay.enabled
| bool
| `false`
| Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any authenticated user into a relaybot for that chat.
| config.bridge.relay.message_formats
| object
| `{"m.audio":"<b>{{ .Sender.Displayname }}</b> sent an audio file","m.emote":"* <b>{{ .Sender.Displayname }}</b> {{ .Message }}","m.file":"<b>{{ .Sender.Displayname }}</b> sent a file","m.image":"<b>{{ .Sender.Displayname }}</b> sent an image","m.location":"<b>{{ .Sender.Displayname }}</b> sent a location","m.notice":"<b>{{ .Sender.Displayname }}</b>: {{ .Message }}","m.text":"<b>{{ .Sender.Displayname }}</b>: {{ .Message }}","m.video":"<b>{{ .Sender.Displayname }}</b> sent a video"}`
| The formats to use when sending messages to Signal via the relaybot.
| config.bridge.resend_bridge_info
| bool
| `false`
| Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. This field will automatically be changed back to false after it, except if the config file is not writable.
| config.bridge.sync_direct_chat_list
| bool
| `false`
| Should the bridge update the m.direct account data event when double puppeting is enabled. Note that updating the m.direct event is not atomic (except with mautrix-asmux) and is therefore prone to race conditions.
| config.bridge.use_contact_avatars
| bool
| `false`
| Should avatars from the user's contact list be used? This is not safe on multi-user instances.
| config.bridge.username_template
| string
| `"signal_{{.}}"`
| Localpart template of MXIDs for Signal users. {{.}} is replaced with the internal ID of the Signal user.
| config.homeserver.address
| string
| `"https://matrix.example.com"`
| The address that this appservice can use to connect to the homeserver.
| config.homeserver.async_media
| bool
| `false`
| Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
| config.homeserver.domain
| string
| `"example.com"`
| The domain of the homeserver (also known as server_name, used for MXIDs, etc).
| config.homeserver.message_send_checkpoint_endpoint
| string
| `nil`
| Endpoint for reporting per-message status.
| config.homeserver.ping_interval_seconds
| int
| `0`
| How often should the websocket be pinged? Pinging will be disabled if this is zero.
| config.homeserver.software
| string
| `"standard"`
| What software is the homeserver running? Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
| config.homeserver.status_endpoint
| string
| `nil`
| The URL to push real-time bridge status to. If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes. The bridge will use the appservice as_token to authorize requests.
| config.homeserver.websocket
| bool
| `false`
| Should the bridge use a websocket for connecting to the homeserver? The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy, mautrix-asmux (deprecated), and hungryserv (proprietary).
| config.logging.min_level
| string
| `"warn"`
|
| config.logging.writers[0].format
| string
| `"json"`
|
| config.logging.writers[0].type
| string
| `"stdout"`
|
| config.metrics.enabled
| bool
| `true`
| Enable prometheus metrics?
| config.metrics.listen
| string
| `"0.0.0.0:8000"`
| IP and port where the metrics listener should be. The path is always /metrics
| config.signal.device_name
| string
| `"mautrix-signal"`
| Default device name that shows up in the Signal app.
| fullnameOverride
| string
| `""`
|
| global.image.pullPolicy
| string
| `nil`
| if set it will overwrite all pullPolicy
| global.image.registry
| string
| `nil`
| if set it will overwrite all registry entries
| image.pullPolicy
| string
| `"IfNotPresent"`
|
| image.registry
| string
| `"dock.mau.dev"`
|
| image.repository
| string
| `"mautrix/signal"`
|
| image.tag
| string
| `""`
|
| imagePullSecrets
| list
| `[]`
|
| ingress.annotations
| object
| `{}`
|
| ingress.className
| string
| `""`
|
| ingress.enabled
| bool
| `false`
|
| ingress.hosts[0].host
| string
| `"chart-example.local"`
|
| ingress.hosts[0].paths[0].path
| string
| `"/"`
|
| ingress.hosts[0].paths[0].pathType
| string
| `"ImplementationSpecific"`
|
| ingress.tls
| list
| `[]`
|
| livenessProbe.httpGet.path
| string
| `"/_matrix/mau/live"`
|
| livenessProbe.httpGet.port
| string
| `"http"`
|
| nameOverride
| string
| `""`
|
| nodeSelector
| object
| `{}`
|
| persistence.accessMode
| string
| `"ReadWriteOnce"`
| accessMode
| persistence.annotations
| object
| `{}`
|
| persistence.enabled
| bool
| `true`
| Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
| persistence.existingClaim
| string
| `nil`
| A manually managed Persistent Volume and Claim Requires persistence.enabled: true If defined, PVC must be created manually before volume will be bound
| persistence.hostPath
| string
| `nil`
| Do not create an PVC, direct use hostPath in Pod
| persistence.size
| string
| `"10Gi"`
| size
| persistence.storageClass
| string
| `nil`
| Persistent Volume Storage Class If defined, storageClassName: <storageClass> If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack)
| podAnnotations
| object
| `{}`
|
| podLabels
| object
| `{}`
|
| podSecurityContext
| object
| `{}`
|
| prometheus.servicemonitor.enabled
| bool
| `false`
|
| prometheus.servicemonitor.labels
| object
| `{}`
|
| readinessProbe.httpGet.path
| string
| `"/_matrix/mau/ready"`
|
| readinessProbe.httpGet.port
| string
| `"http"`
|
| registration."de.sorunome.msc2409.push_ephemeral"
| bool
| `true`
|
| registration.namespaces.users[0].exclusive
| bool
| `true`
|
| registration.namespaces.users[0].regex
| string
| `"^@signalbot:example.org$"`
|
| registration.namespaces.users[1].exclusive
| bool
| `true`
|
| registration.namespaces.users[1].regex
| string
| `"^@signal_.*:example.org$"`
|
| registration.push_ephemeral
| bool
| `true`
|
| registration.rate_limited
| bool
| `false`
|
| replicaCount
| int
| `1`
|
| resources
| object
| `{}`
|
| securityContext
| object
| `{}`
|
| service.type
| string
| `"ClusterIP"`
|
| serviceAccount.annotations
| object
| `{}`
|
| serviceAccount.automount
| bool
| `false`
|
| serviceAccount.create
| bool
| `false`
|
| serviceAccount.name
| string
| `""`
|
| tolerations
| list
| `[]`
|
| volumeMounts
| list
| `[]`
|
| volumes
| list
| `[]`
|
|===
Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]

14
mautrix-signal/_docs.gotmpl Normal file
View file

@ -0,0 +1,14 @@
{{ define "chart.prerequirements" -}}
= Alpha
WARNING
====
We stop working on this Helm-Chart.
There are still many breaking change like:
* https://github.com/stalwartlabs/mail-server/issues/211[storage.fts in toml configuration has two meanings]
We hope that stalward mail-server becomes more stable.
====
{{ end }}

22
mautrix-signal/templates/NOTES.txt Normal file
View file

@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "mautrix-signal.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "mautrix-signal.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "mautrix-signal.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "mautrix-signal.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}

62
mautrix-signal/templates/_helpers.tpl Normal file
View file

@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "mautrix-signal.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "mautrix-signal.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "mautrix-signal.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "mautrix-signal.labels" -}}
helm.sh/chart: {{ include "mautrix-signal.chart" . }}
{{ include "mautrix-signal.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "mautrix-signal.selectorLabels" -}}
app.kubernetes.io/name: {{ include "mautrix-signal.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "mautrix-signal.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "mautrix-signal.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

105
mautrix-signal/templates/deployment.yaml Normal file
View file

@ -0,0 +1,105 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "mautrix-signal.fullname" . }}
labels:
{{- include "mautrix-signal.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "mautrix-signal.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
"checksum/secret": {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "mautrix-signal.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "mautrix-signal.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- with .Values.image }}
image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.config.appservice.port }}
protocol: TCP
{{- if .Values.config.metrics.enabled }}
- name: metrics
containerPort: {{ regexSplit ":" .Values.config.metrics.listen -1 | last }}
protocol: TCP
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: data
mountPath: /data
- name: config
mountPath: /data/config.yaml
subPath: config.yaml
- name: config
mountPath: /data/registration.yaml
subPath: registration.yaml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: config
secret:
secretName: {{ include "mautrix-signal.fullname" . }}
items:
- key: config.yaml
path: config.yaml
- key: registration.yaml
path: registration.yaml
- name: "data"
{{- if .Values.persistence.enabled }}
{{- if .Values.persistence.hostPath }}
hostPath:
type: Directory
path: {{ .Values.persistence.hostPath | quote }}
{{- else }}{{/* else .persistence.hostPath */}}
persistentVolumeClaim:
claimName: {{ coalesce .Values.persistence.existingClaim (include "mautrix-signal.fullname" .) }}
{{- end }}{{/* end-else .persistence.hostPath */}}
{{- else }}{{/* else .persistence.enabled */}}
emptyDir: {}
{{- end }}{{/* end-else .persistence.enabled */}}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

32
mautrix-signal/templates/hpa.yaml Normal file
View file

@ -0,0 +1,32 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "mautrix-signal.fullname" . }}
labels:
{{- include "mautrix-signal.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "mautrix-signal.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

61
mautrix-signal/templates/ingress.yaml Normal file
View file

@ -0,0 +1,61 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "mautrix-signal.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "mautrix-signal.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

33
mautrix-signal/templates/pvc.yaml Normal file
View file

@ -0,0 +1,33 @@
{{- with .Values.persistence }}
{{- if and
.enabled
(not .existingClaim)
(not .hostPath)
-}}
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "mautrix-signal.fullname" $ }}
labels:
{{- include "mautrix-signal.labels" $ | nindent 4 }}
{{- with .annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .accessMode | quote }}
resources:
requests:
storage: {{ .size | quote }}
{{- with .storageClass }}
{{- if (eq "-" .) }}
storageClassName: ""
{{- else }}
storageClassName: {{ . | quote }}
{{- end }}
{{- end }}
{{- end }}{{/* end-if .enabled */}}
{{- end }}{{/* end-with .persistence */}}

46
mautrix-signal/templates/secrets.yaml Normal file
View file

@ -0,0 +1,46 @@
---
{{ $secretName := include "mautrix-signal.fullname" . }}
{{- $asToken := get .Values.config.appservice "as_token" }}
{{- $hsToken := get .Values.config.appservice "hs_token" }}
{{- $senderLocalpart := false }}
{{- if not (and $asToken $hsToken $senderLocalpart) }}
{{- with (lookup "v1" "Secret" .Release.Namespace $secretName)}}
{{- with get . "data" }}
{{- $asToken = $asToken | default (get . "as_token" | b64dec) }}
{{- $hsToken = $hsToken | default (get . "hs_token" | b64dec) }}
{{- $senderLocalpart = (get . "sender_localpart" | b64dec) }}
{{- end }}
{{- end }}
{{- end }}
{{- $asToken = $asToken | default (randAlphaNum 64) }}
{{- $hsToken = $hsToken | default (randAlphaNum 64) }}
{{- $senderLocalpart = $senderLocalpart | default (randAlphaNum 64) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
labels:
{{- include "mautrix-signal.labels" . | nindent 4 }}
type: Opaque
data:
as_token: {{ $asToken | b64enc }}
hs_token: {{ $hsToken | b64enc }}
sender_localpart: {{ $senderLocalpart | b64enc }}
config.yaml: {{ mergeOverwrite (dict
"appservice" (dict
"as_token" $asToken
"hs_token" $hsToken
)
"bridge" (dict
"login_shared_secret_map" (dict
.Values.config.homeserver.domain (printf "as_token:%s" $asToken)
)
)
) .Values.config | toYaml | b64enc }}
registration.yaml: {{ mergeOverwrite (dict
"id" .Values.config.appservice.id
"as_token" $asToken
"hs_token" $hsToken
"url" .Values.config.appservice.address
"sender_localpart" $senderLocalpart
) .Values.registration | toYaml | b64enc }}

24
mautrix-signal/templates/service.yaml Normal file
View file

@ -0,0 +1,24 @@
{{- if and .Values.config .Values.config.appservice }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "mautrix-signal.fullname" . }}
labels:
{{- include "mautrix-signal.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
publishNotReadyAddresses: true
selector:
{{- include "mautrix-signal.selectorLabels" . | nindent 4 }}
ports:
- port: {{ .Values.config.appservice.port }}
targetPort: http
protocol: TCP
name: http
{{- if .Values.config.metrics.enabled }}
- port: {{ regexSplit ":" .Values.config.metrics.listen -1 | last }}
targetPort: metrics
protocol: TCP
name: metrics
{{- end }}
{{- end }}

13
mautrix-signal/templates/serviceaccount.yaml Normal file
View file

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "mautrix-signal.serviceAccountName" . }}
labels:
{{- include "mautrix-signal.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}

18
mautrix-signal/templates/servicemonitor.yaml Normal file
View file

@ -0,0 +1,18 @@
{{- if and .Values.prometheus.servicemonitor.enabled ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "mautrix-signal.fullname" . }}
labels:
{{- include "mautrix-signal.labels" . | nindent 4 }}
{{- with .Values.prometheus.servicemonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "mautrix-signal.selectorLabels" . | nindent 6 }}
endpoints:
- port: metrics
path: /metrics
{{- end }}

15
mautrix-signal/templates/tests/test-connection.yaml Normal file
View file

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "mautrix-signal.fullname" . }}-test-connection"
labels:
{{- include "mautrix-signal.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "mautrix-signal.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never

463
mautrix-signal/values.yaml Normal file
View file

@ -0,0 +1,463 @@
global:
image:
# -- if set it will overwrite all registry entries
registry:
# -- if set it will overwrite all pullPolicy
pullPolicy:
replicaCount: 1
image:
registry: dock.mau.dev
repository: mautrix/signal
# Overrides the image tag whose default is the chart appVersion.
tag: ""
pullPolicy: IfNotPresent
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
config:
# Homeserver details.
homeserver:
# -- The address that this appservice can use to connect to the homeserver.
address: https://matrix.example.com
# -- The domain of the homeserver (also known as server_name, used for MXIDs, etc).
domain: example.com
# -- What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# -- The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# -- Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# -- Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
async_media: false
# -- Should the bridge use a websocket for connecting to the homeserver?
# The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
# mautrix-asmux (deprecated), and hungryserv (proprietary).
websocket: false
# -- How often should the websocket be pinged? Pinging will be disabled if this is zero.
ping_interval_seconds: 0
# Application service host/registration related details.
# Changing these values requires regeneration of the registration.
appservice:
# -- The address that the homeserver can use to connect to this appservice.
address: http://localhost:29328
# -- The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29328
# Database config.
database:
# -- The database type. "sqlite3-fk-wal" and "postgres" are supported.
type: postgres
# -- The database URI.
# SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
# https://github.com/mattn/go-sqlite3#connection-string
# Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
# To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
uri: postgres://user:password@host/database?sslmode=disable
# -- Maximum number of connections. Mostly relevant for Postgres.
max_open_conns: 20
max_idle_conns: 2
# -- Maximum connection idle time and lifetime before they're closed. Disabled if null.
# Parsed with https://pkg.go.dev/time#ParseDuration
max_conn_idle_time: null
max_conn_lifetime: null
# -- The unique ID of this appservice.
id: signal
# Appservice bot details.
bot:
# -- Username of the appservice bot.
username: signalbot
# -- Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
displayname: Signal bridge bot
avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
# -- Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
ephemeral_events: true
# -- Should incoming events be handled asynchronously?
# This may be necessary for large public instances with lots of messages going through.
# However, messages will not be guaranteed to be bridged in the same order they were sent in.
async_transactions: false
# Prometheus config.
metrics:
# -- Enable prometheus metrics?
enabled: true
# -- IP and port where the metrics listener should be. The path is always /metrics
listen: 0.0.0.0:8000
signal:
# -- Default device name that shows up in the Signal app.
device_name: mautrix-signal
# -- Bridge config
bridge:
# -- Localpart template of MXIDs for Signal users.
# {{.}} is replaced with the internal ID of the Signal user.
username_template: signal_{{.}}
# -- Displayname template for Signal users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
# {{.ProfileName}} - The Signal profile name set by the user.
# {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
# {{.PhoneNumber}} - The phone number of the user.
# {{.UUID}} - The UUID of the Signal user.
# {{.AboutEmoji}} - The emoji set by the user in their profile.
displayname_template: '{{or .ProfileName .PhoneNumber "Unknown user"}}'
# -- Whether to explicitly set the avatar and room name for private chat portal rooms.
# If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
# If set to `always`, all DM rooms will have explicit names and avatars set.
# If set to `never`, DM rooms will never have names and avatars set.
private_chat_portal_meta: default
# -- Should avatars from the user's contact list be used? This is not safe on multi-user instances.
use_contact_avatars: false
# -- Should the Signal user's phone number be included in the room topic in private chat portal rooms?
number_in_topic: true
# -- Avatar image for the Note to Self room.
note_to_self_avatar: mxc://maunium.net/REBIVrqjZwmaWpssCZpBlmlL
portal_message_buffer: 128
# -- Should the bridge create a space for each logged-in user and add bridged rooms to it?
# Users who logged in before turning this on should run `!signal sync-space` to create and fill the space for the first time.
personal_filtering_spaces: false
# -- Should Matrix m.notice-type messages be bridged?
bridge_notices: true
# -- Should the bridge send a read receipt from the bridge bot when a message has been sent to Signal?
delivery_receipts: false
# -- Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# -- Whether the bridge should send error notices via m.notice events when a message fails to bridge.
message_error_notices: true
# -- Should the bridge update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# -- Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
# This field will automatically be changed back to false after it, except if the config file is not writable.
resend_bridge_info: false
# -- Whether or not to make portals of groups that don't need approval of an admin to join by invite
# link publicly joinable on Matrix.
public_portals: false
# -- Send captions in the same message as images. This will send data compatible with both MSC2530.
# This is currently not supported in most clients.
caption_in_message: false
# -- Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: true
# -- Servers to always allow double puppeting from
double_puppet_server_map:
example.com: https://example.com
# -- Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# -- Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, double puppeting will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
login_shared_secret_map:
example.com: foobar
# -- Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
# Null means there's no enforced timeout.
message_handling_timeout:
# -- Send an error message after this timeout, but keep waiting for the response until the deadline.
# This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
# If the message is older than this when it reaches the bridge, the message won't be handled at all.
error_after: null
# -- Drop messages after this timeout. They may still go through if the message got sent to the servers.
# This is counted from the time the bridge starts handling the message.
deadline: 120s
# -- The prefix for commands. Only required in non-management rooms.
command_prefix: '!signal'
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# -- Sent when joining a room.
welcome: "Hello, I'm a Signal bridge bot."
# -- Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# -- Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help or `login` to log in."
# -- Optional extra text sent when joining a management room.
additional_help: ""
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# -- Allow encryption, work in group chat rooms with e2ee enabled
allow: false
# -- Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# -- Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
appservice: false
# -- Require encryption, drop any unencrypted messages.
require: false
# -- Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: false
# -- Options for deleting megolm sessions from the bridge.
delete_keys:
# -- Beeper-specific: delete outbound sessions when hungryserv confirms
# that the user has uploaded the key to key backup.
delete_outbound_on_ack: false
# -- Don't store outbound sessions in the inbound table.
dont_store_outbound: false
# -- Ratchet megolm sessions forward after decrypting messages.
ratchet_on_decrypt: false
# -- Delete fully used keys (index >= max_messages) after decrypting messages.
delete_fully_used_on_decrypt: false
# -- Delete previous megolm sessions from same device when receiving a new one.
delete_prev_on_new_session: false
# -- Delete megolm sessions received from a device when the device is deleted.
delete_on_device_delete: false
# -- Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
periodically_delete_expired: false
# -- Delete inbound megolm sessions that don't have the received_at field used for
# automatic ratcheting and expired session deletion. This is meant as a migration
# to delete old keys prior to the bridge update.
delete_outdated_inbound: false
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# -- Minimum level for which the bridge should send keys to when bridging messages from Signal to Matrix.
receive: unverified
# -- Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# -- Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# Options for Megolm room key rotation. These options allow you to
# configure the m.room.encryption event content. See:
# https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# more information about that event.
rotation:
# -- Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is
# set.
enable_custom: false
# -- The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# -- The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# -- Disable rotating keys when a user's devices change?
# You should not enable this option unless you understand all the implications.
disable_device_change_key_rotation: false
# Settings for provisioning API
provisioning:
# -- Prefix for the provisioning API paths.
prefix: /_matrix/provision
# -- Shared secret for authentication. If set to "generate", a random secret will be generated,
# or if set to "disable", the provisioning API will be disabled.
shared_secret: generate
# -- Enable debug API at /debug with provisioning authentication.
debug_endpoints: false
# Permissions for using the bridge.
# Permitted values:
# relay - Talk through the relaybot (if enabled), no access otherwise
# user - Access to use the bridge to chat with a Signal account.
# admin - User level and some additional administration tools
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
"*": relay
"example.com": user
"@admin:example.com": admin
# Settings for relay mode
relay:
# -- Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
# authenticated user into a relaybot for that chat.
enabled: false
# -- Should only admins be allowed to set themselves as relay users?
admin_only: true
# -- The formats to use when sending messages to Signal via the relaybot.
message_formats:
m.text: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
m.notice: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
m.emote: "* <b>{{ .Sender.Displayname }}</b> {{ .Message }}"
m.file: "<b>{{ .Sender.Displayname }}</b> sent a file"
m.image: "<b>{{ .Sender.Displayname }}</b> sent an image"
m.audio: "<b>{{ .Sender.Displayname }}</b> sent an audio file"
m.video: "<b>{{ .Sender.Displayname }}</b> sent a video"
m.location: "<b>{{ .Sender.Displayname }}</b> sent a location"
# Logging config. See https://github.com/tulir/zeroconfig for details.
logging:
min_level: warn
writers:
- type: stdout
format: json
registration:
# token from config.appservice.id
# id:
# taken from config.appservice.address
# url:
# taken from config.appservice.as_token default: self-generate
# as_token:
# taken from config.appservice.hs_token default: self-generate
# hs_token:
# take from config.appservice.bot.username
# sender_localpart: signalbot
rate_limited: false
namespaces:
users:
- regex: ^@signalbot:example.org$
exclusive: true
- regex: ^@signal_.*:example.org$
exclusive: true
de.sorunome.msc2409.push_ephemeral: true
push_ephemeral: true
serviceAccount:
# Specifies whether a service account should be created
create: false
# Automatically mount a ServiceAccount's API credentials?
automount: false
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
livenessProbe:
httpGet:
path: /_matrix/mau/live
port: http
readinessProbe:
httpGet:
path: /_matrix/mau/ready
port: http
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
persistence:
# -- Enable persistence using Persistent Volume Claims
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
enabled: true
annotations: {}
# -- Persistent Volume Storage Class
# If defined, storageClassName: <storageClass>
# If set to "-", storageClassName: "", which disables dynamic provisioning
# If undefined (the default) or set to null, no storageClassName spec is
# set, choosing the default provisioner. (gp2 on AWS, standard on
# GKE, AWS & OpenStack)
storageClass:
# -- A manually managed Persistent Volume and Claim
# Requires persistence.enabled: true
# If defined, PVC must be created manually before volume will be bound
existingClaim:
# -- Do not create an PVC, direct use hostPath in Pod
hostPath:
# -- accessMode
accessMode: ReadWriteOnce
# -- size
size: 10Gi
prometheus:
servicemonitor:
enabled: false
labels: {}