global:
image:
# -- if set it will overwrite all registry entries
registry:
# -- if set it will overwrite all pullPolicy
pullPolicy:
replicaCount: 1
image:
registry: dock.mau.dev
repository: mautrix/signal
# Overrides the image tag whose default is the chart appVersion.
tag: ""
pullPolicy: IfNotPresent
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
config:
# Bridge config
bridge:
# -- The prefix for commands. Only required in non-management rooms.
command_prefix: '!signal'
# -- Should the bridge create a space for each login containing the rooms that account is in?
personal_filtering_spaces: true
# -- Whether the bridge should set names and avatars explicitly for DM portals.
# This is only necessary when using clients that don't support MSC4171.
private_chat_portal_meta: false
# -- Should leaving Matrix rooms be bridged as leaving groups on the remote network?
bridge_matrix_leave: false
# -- Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
# Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
tag_only_on_create: true
# -- Should room mute status only be synced when creating the portal?
# Like tags, mutes can't currently be synced back to the remote network.
mute_only_on_create: true
# What should be done to portal rooms when a user logs out or is logged out?
# Permitted values:
# nothing - Do nothing, let the user stay in the portals
# kick - Remove the user from the portal rooms, but don't delete them
# unbridge - Remove all ghosts in the room and disassociate it from the remote chat
# delete - Remove all ghosts and users from the room (i.e. delete it)
cleanup_on_logout:
# -- Should cleanup on logout be enabled at all?
enabled: false
# Settings for manual logouts (explicitly initiated by the Matrix user)
manual:
# -- Action for private portals which will never be shared with other Matrix users.
private: nothing
# -- Action for portals with a relay user configured.
relayed: nothing
# -- Action for portals which may be shared, but don't currently have any other Matrix users.
shared_no_users: nothing
# -- Action for portals which have other logged-in Matrix users.
shared_has_users: nothing
# Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
# Keys have the same meanings as in the manual section.
bad_credentials:
private: nothing
relayed: nothing
shared_no_users: nothing
shared_has_users: nothing
# Settings for relay mode
relay:
# -- Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
# authenticated user into a relaybot for that chat.
enabled: false
# -- Should only admins be allowed to set themselves as relay users?
admin_only: true
# -- List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
default_relays: []
# -- The formats to use when sending messages via the relaybot.
# Available variables:
# .Sender.UserID - The Matrix user ID of the sender.
# .Sender.Displayname - The display name of the sender (if set).
# .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
# .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
# plus the user ID in parentheses if the displayname is not unique.
# If the displayname is not set, this is just the user ID.
# .Message - The `formatted_body` field of the message.
# .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
# .FileName - The name of the file being sent.
message_formats:
m.text: "{{ .Sender.DisambiguatedName }}: {{ .Message }}"
m.notice: "{{ .Sender.DisambiguatedName }}: {{ .Message }}"
m.emote: "* {{ .Sender.DisambiguatedName }} {{ .Message }}"
m.file: "{{ .Sender.DisambiguatedName }} sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}"
m.image: "{{ .Sender.DisambiguatedName }} sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}"
m.audio: "{{ .Sender.DisambiguatedName }} sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}"
m.video: "{{ .Sender.DisambiguatedName }} sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}"
m.location: "{{ .Sender.DisambiguatedName }} sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}"
# -- For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
# This has all the Sender variables available under message_formats (but without the .Sender prefix).
# Note that you need to manually remove the displayname from message_formats above.
displayname_format: "{{ .DisambiguatedName }}"
# -- Permissions for using the bridge.
# Permitted values:
# relay - Talk through the relaybot (if enabled), no access otherwise
# commands - Access to use commands in the bridge, but not login.
# user - Access to use the bridge with puppeting.
# admin - Full access, user level with some additional administration tools.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
"*": relay
"example.com": user
"@admin:example.com": admin
# Database config.
database:
# -- The database type. "sqlite3-fk-wal" and "postgres" are supported.
type: postgres
# -- The database URI.
# SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended.
# https://github.com/mattn/go-sqlite3#connection-string
# Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
# To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
uri: postgres://user:password@host/database?sslmode=disable
# -- Maximum number of connections. Mostly relevant for Postgres.
max_open_conns: 20
max_idle_conns: 2
# -- Maximum connection idle time and lifetime before they're closed. Disabled if null.
# Parsed with https://pkg.go.dev/time#ParseDuration
max_conn_idle_time: null
max_conn_lifetime: null
# Homeserver details.
homeserver:
# -- The address that this appservice can use to connect to the homeserver.
address: https://matrix.example.com
# -- The domain of the homeserver (also known as server_name, used for MXIDs, etc).
domain: example.com
# -- Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
async_media: false
public_address:
# -- What software is the homeserver running?
# Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
software: standard
# -- The URL to push real-time bridge status to.
# If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
# The bridge will use the appservice as_token to authorize requests.
status_endpoint: null
# -- Endpoint for reporting per-message status.
message_send_checkpoint_endpoint: null
# -- Should the bridge use a websocket for connecting to the homeserver?
# The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
# mautrix-asmux (deprecated), and hungryserv (proprietary).
websocket: false
websocket_proxy: ""
# -- How often should the websocket be pinged? Pinging will be disabled if this is zero.
ping_interval_seconds: 0
# Application service host/registration related details.
# Changing these values requires regeneration of the registration.
appservice:
# -- The address that the homeserver can use to connect to this appservice.
address: http://localhost:29328
public_address:
# -- The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29328
# -- The unique ID of this appservice.
id: signal
# Appservice bot details.
bot:
# -- Username of the appservice bot.
username: signalbot
# -- Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
displayname: Signal bridge bot
avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
as_token: ""
hs_token: ""
# -- Whether or not to receive ephemeral events via appservice transactions.
# Requires MSC2409 support (i.e. Synapse 1.22+).
ephemeral_events: true
# -- Should incoming events be handled asynchronously?
# This may be necessary for large public instances with lots of messages going through.
# However, messages will not be guaranteed to be bridged in the same order they were sent in.
async_transactions: false
# -- Localpart template of MXIDs for Signal users.
# {{.}} is replaced with the internal ID of the Signal user.
username_template: signal_{{.}}
matrix:
# -- Should the bridge send a read receipt from the bridge bot when a message has been sent to Signal?
delivery_receipts: false
# -- Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
message_status_events: false
# -- Whether the bridge should send error notices via m.notice events when a message fails to bridge.
message_error_notices: true
# -- Should the bridge update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# -- Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
federate_rooms: true
# Settings for provisioning API
provisioning:
# -- Prefix for the provisioning API paths.
prefix: /_matrix/provision
# -- Shared secret for authentication. If set to "generate", a random secret will be generated,
# or if set to "disable", the provisioning API will be disabled.
shared_secret: generate
# -- Enable debug API at /debug with provisioning authentication.
debug_endpoints: false
# Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
# These settings control whether the bridge will provide such public media access.
public_media:
# -- Should public media be enabled at all?
# The public_address field under the appservice section MUST be set when enabling public media.
enabled: false
# -- A key for signing public media URLs.
# If set to "generate", a random key will be generated.
signing_key: generate
# -- Number of seconds that public media URLs are valid for.
# If set to 0, URLs will never expire.
expiry: 0
# -- Length of hash to use for public media URLs. Must be between 0 and 32.
hash_length: 32
# Settings for converting remote media to custom mxc:// URIs instead of reuploading.
# More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
direct_media:
# -- Should custom mxc:// URIs be used instead of reuploading media?
enabled: false
# -- The server name to use for the custom mxc:// URIs.
# This server name will effectively be a real Matrix server, it just won't implement anything other than media.
# You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
server_name: discord-media.example.com
# -- Optionally a custom .well-known response. This defaults to `server_name:443`
well_known_response:
# -- Optionally specify a custom prefix for the media ID part of the MXC URI.
media_id_prefix:
# -- If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
# media download redirects if the requester supports it. Optionally, you can force redirects
# and not allow proxying at all by setting this to false.
# This option does nothing if the remote network does not support media downloads over HTTP.
allow_proxy: true
# -- Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
# This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
server_key: ""
# Settings for backfilling messages.
# Note that the exact way settings are applied depends on the network connector.
# See https://docs.mau.fi/bridges/general/backfill.html for more details.
backfill:
# -- Whether to do backfilling at all.
enabled: false
# -- Maximum number of messages to backfill in empty rooms.
max_initial_messages: 50
# -- Maximum number of missed messages to backfill after bridge restarts.
max_catchup_messages: 500
# -- If a backfilled chat is older than this number of hours,
# mark it as read even if it's unread on the remote network.
unread_hours_threshold: 720
# Settings for backfilling threads within other backfills.
threads:
# -- Maximum number of messages to backfill in a new thread.
max_initial_messages: 50
# Settings for the backwards backfill queue. This only applies when connecting to
# Beeper as standard Matrix servers don't support inserting messages into history.
queue:
# -- Should the backfill queue be enabled?
enabled: false
# -- Number of messages to backfill in one batch.
batch_size: 100
# -- Delay between batches in seconds.
batch_delay: 20
# -- Maximum number of batches to backfill per portal.
# If set to -1, all available messages will be backfilled.
max_batches: -1
# -- Optional network-specific overrides for max batches.
# Interpretation of this field depends on the network connector.
max_batches_override: {}
# Settings for enabling double puppeting
double_puppet:
# -- Servers to always allow double puppeting from.
# This is only for other servers and should NOT contain the server the bridge is on.
servers:
example.com: https://example.com
# -- Whether to allow client API URL discovery for other servers. When using this option,
# users on other servers can use double puppeting even if their server URLs aren't
# explicitly added to the servers map above.
allow_discovery: false
# -- Shared secrets for automatic double puppeting.
# See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
secrets:
example.com: as_token:foobar
# End-to-bridge encryption support options.
#
# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
encryption:
# -- Allow encryption, work in group chat rooms with e2ee enabled
allow: false
# -- Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: false
# -- Require encryption, drop any unencrypted messages.
require: false
# -- Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
appservice: false
plaintext_mentions:
pickle_key:
# -- Options for deleting megolm sessions from the bridge.
delete_keys:
# -- Beeper-specific: delete outbound sessions when hungryserv confirms
# that the user has uploaded the key to key backup.
delete_outbound_on_ack: false
# -- Don't store outbound sessions in the inbound table.
dont_store_outbound: false
# -- Ratchet megolm sessions forward after decrypting messages.
ratchet_on_decrypt: false
# -- Delete fully used keys (index >= max_messages) after decrypting messages.
delete_fully_used_on_decrypt: false
# -- Delete previous megolm sessions from same device when receiving a new one.
delete_prev_on_new_session: false
# -- Delete megolm sessions received from a device when the device is deleted.
delete_on_device_delete: false
# -- Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
periodically_delete_expired: false
# -- Delete inbound megolm sessions that don't have the received_at field used for
# automatic ratcheting and expired session deletion. This is meant as a migration
# to delete old keys prior to the bridge update.
delete_outdated_inbound: false
# What level of device verification should be required from users?
#
# Valid levels:
# unverified - Send keys to all device in the room.
# cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
# cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
# cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
# Note that creating user signatures from the bridge bot is not currently possible.
# verified - Require manual per-device verification
# (currently only possible by modifying the `trust` column in the `crypto_device` database table).
verification_levels:
# -- Minimum level for which the bridge should send keys to when bridging messages from Signal to Matrix.
receive: unverified
# -- Minimum level that the bridge should accept for incoming Matrix messages.
send: unverified
# -- Minimum level that the bridge should require for accepting key requests.
share: cross-signed-tofu
# -- Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: false
# Options for Megolm room key rotation. These options allow you to
# configure the m.room.encryption event content. See:
# https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
# more information about that event.
rotation:
# -- Enable custom Megolm room key rotation settings. Note that these
# settings will only apply to rooms created after this option is
# set.
enable_custom: false
# -- The maximum number of milliseconds a session should be used
# before changing it. The Matrix spec recommends 604800000 (a week)
# as the default.
milliseconds: 604800000
# -- The maximum number of messages that should be sent with a given a
# session before changing it. The Matrix spec recommends 100 as the
# default.
messages: 100
# -- Disable rotating keys when a user's devices change?
# You should not enable this option unless you understand all the implications.
disable_device_change_key_rotation: false
# Logging config. See https://github.com/tulir/zeroconfig for details.
logging:
min_level: warn
writers:
- type: stdout
format: json
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
management_room_text:
# -- Sent when joining a room.
welcome: "Hello, I'm a Signal bridge bot."
# -- Sent when joining a management room and the user is already logged in.
welcome_connected: "Use `help` for help."
# -- Sent when joining a management room and the user is not logged in.
welcome_unconnected: "Use `help` for help or `login` to log in."
# -- Optional extra text sent when joining a management room.
additional_help: ""
signal:
# -- Displayname template for Signal users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
# {{.ProfileName}} - The Signal profile name set by the user.
# {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
# {{.PhoneNumber}} - The phone number of the user.
# {{.UUID}} - The UUID of the Signal user.
# {{.AboutEmoji}} - The emoji set by the user in their profile.
displayname_template: '{{or .ProfileName .PhoneNumber "Unknown user"}}'
# -- Should avatars from the user's contact list be used? This is not safe on multi-user instances.
use_contact_avatars: false
# -- Should the bridge request the user's contact list from the phone on startup?
sync_contacts_on_startup: true
# -- Should the bridge sync ghost user info even if profile fetching fails? This is not safe on multi-user instances.
use_outdated_profiles: false
# -- Should the Signal user's phone number be included in the room topic in private chat portal rooms?
number_in_topic: true
# -- Default device name that shows up in the Signal app.
device_name: mautrix-signal
# Avatar image for the Note to Self room.
note_to_self_avatar: mxc://maunium.net/REBIVrqjZwmaWpssCZpBlmlL
# Format for generating URLs from location messages for sending to Signal.
# Google Maps: 'https://www.google.com/maps/place/%[1]s,%[2]s'
# OpenStreetMap: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s'
location_format: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s'
registration:
# token from config.appservice.id
# id:
# taken from config.appservice.address
# url:
# taken from config.appservice.as_token default: self-generate
# as_token:
# taken from config.appservice.hs_token default: self-generate
# hs_token:
# take from config.appservice.bot.username
# sender_localpart: signalbot
rate_limited: false
namespaces:
users:
- regex: ^@signalbot:example.org$
exclusive: true
- regex: ^@signal_.*:example.org$
exclusive: true
de.sorunome.msc2409.push_ephemeral: true
push_ephemeral: true
serviceAccount:
# Specifies whether a service account should be created
create: false
# Automatically mount a ServiceAccount's API credentials?
automount: false
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
livenessProbe:
httpGet:
path: /_matrix/mau/live
port: http
readinessProbe:
httpGet:
path: /_matrix/mau/ready
port: http
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
persistence:
# -- Enable persistence using Persistent Volume Claims
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
enabled: true
annotations: {}
# -- Persistent Volume Storage Class
# If defined, storageClassName:
# If set to "-", storageClassName: "", which disables dynamic provisioning
# If undefined (the default) or set to null, no storageClassName spec is
# set, choosing the default provisioner. (gp2 on AWS, standard on
# GKE, AWS & OpenStack)
storageClass:
# -- A manually managed Persistent Volume and Claim
# Requires persistence.enabled: true
# If defined, PVC must be created manually before volume will be bound
existingClaim:
# -- Do not create an PVC, direct use hostPath in Pod
hostPath:
# -- accessMode
accessMode: ReadWriteOnce
# -- size
size: 10Gi