Deploy mjolnir_MacDonald and upload missing files

srv/Matrix-Docker-Compose/docker-compose.yml

@@ -48,12 +48,12 @@ services:
     cap_drop:
       - ALL
 
-  mjolnir:
+  mjolnir_PrivSec-dev:
     image: matrixdotorg/mjolnir:v1.8.3 # https://github.com/matrix-org/mjolnir/issues/556
-    container_name: mjolnir
+    container_name: mjolnir_PrivSec-dev
     restart: unless-stopped
     volumes:
-      - ./mjolnir:/data
+      - ./mjolnir_PrivSec-dev:/data
     depends_on:
       - pantalaimon
     networks:
@@ -67,6 +67,7 @@ services:
       - ALL
 
   honoroit-hssupport:
+    profiles: ["disabled"]
     image: registry.gitlab.com/etke.cc/honoroit:latest
     container_name: honoroit-hssupport
     restart: unless-stopped
@@ -82,6 +83,18 @@ services:
     cap_drop:
       - ALL
 
+  mjolnir_MacDonald:
+    image: matrixdotorg/mjolnir:v1.8.3 # https://github.com/matrix-org/mjolnir/issues/556
+    container_name: mjolnir_MacDonald
+    restart: unless-stopped
+    volumes:
+      - ./mjolnir_MacDonald:/data
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+
 networks:
   element:
   matrix-to:

srv/Matrix-Docker-Compose/mjolnir_MacDonald/config/production.yaml

@@ -0,0 +1,258 @@
+# Endpoint URL that Mjolnir uses to interact with the matrix homeserver (client-server API),
+# set this to the pantalaimon URL if you're using that.
+homeserverUrl: "https://matrix.arcticfoxes.net"
+
+# Endpoint URL that Mjolnir could use to fetch events related to reports (client-server API and /_synapse/),
+# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
+rawHomeserverUrl: "https://matrix.arcticfoxes.net"
+
+# Matrix Access Token to use
+accessToken: "REDACTED"
+
+# Options related to native encryption
+encryption:
+  # whether to use native encryption in mjolnir, rather than using pantalaimon as a proxy
+  # note that if encryption is enabled here, pantaliamon must be disabled, and vice versa
+  use: false
+
+# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
+# Note that this option is now deprecated as native encryption is now supported in mjolnir,
+# and will be removed at a later date.
+pantalaimon:
+  # Whether or not Mjolnir will use pantalaimon to access the matrix homeserver,
+  # set to `true` if you're using pantalaimon.
+  #
+  # Be sure to point homeserverUrl to the pantalaimon instance.
+  #
+  # Mjolnir will log in using the given username and password once,
+  # then store the resulting access token in a file under dataPath.
+  use: false
+
+# The path Mjolnir will store its state/data in, leave default ("/data/storage") when using containers.
+dataPath: "/data/storage"
+
+# If true (the default), Mjolnir will only accept invites from users present in managementRoom.
+autojoinOnlyIfManager: true
+
+# If `autojoinOnlyIfManager` is false, only the members in this space can invite
+# the bot to new rooms.
+acceptInvitesFromSpace: "!example:example.org"
+
+# Whether Mjolnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
+recordIgnoredInvites: false
+
+# The room ID (or room alias) of the management room, anyone in this room can issue commands to Mjolnir.
+#
+# Mjolnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
+#
+# This should be a room alias or room ID - not a matrix.to URL.
+#
+# Note: By default, Mjolnir is fairly verbose - expect a lot of messages in this room.
+# (see verboseLogging to adjust this a bit.)
+managementRoom: "!REDACTED:arcticfoxes.net"
+
+# Forward any messages mentioning the bot user to the mangement room. Repeated mentions within
+# a 10 minute period are ignored.
+forwardMentionsToManagementRoom: false
+
+# Whether Mjolnir should log a lot more messages in the room,
+# mainly involves "all-OK" messages, and debugging messages for when mjolnir checks bans in a room.
+verboseLogging: false
+
+# The log level of terminal (or container) output,
+# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
+#
+# This should be at INFO or DEBUG in order to get support for Mjolnir problems.
+logLevel: "INFO"
+
+# Whether or not Mjolnir should synchronize policy lists immediately after startup.
+# Equivalent to running '!mjolnir sync'.
+syncOnStartup: true
+
+# Whether or not Mjolnir should check moderation permissions in all protected rooms on startup.
+# Equivalent to running `!mjolnir verify`.
+verifyPermissionsOnStartup: false
+
+# Whether or not Mjolnir should actually apply bans and policy lists,
+# turn on to trial some untrusted configuration or lists.
+noop: false
+
+# Whether Mjolnir should check member lists quicker (by using a different endpoint),
+# keep in mind that enabling this will miss invited (but not joined) users.
+#
+# Turn on if your bot is in (very) large rooms, or in large amounts of rooms.
+fasterMembershipChecks: false
+
+# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
+#
+# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list,
+# it will also remove the user's messages automatically.
+#
+# Typically this is useful to avoid having to give two commands to the bot.
+# Advanced: Use asterisks to have the reason match using "globs"
+# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting").
+#
+# See here for more info: https://www.digitalocean.com/community/tools/glob
+# Note: Keep in mind that glob is NOT regex!
+automaticallyRedactForReasons: []
+
+# A list of rooms to protect. Mjolnir will add this to the list it knows from its account data.
+#
+# It won't, however, add it to the account data.
+# Manually add the room via '!mjolnir rooms add' to have it stay protected regardless if this config value changes.
+#
+# Note: These must be matrix.to URLs
+protectedRooms: []
+
+# Whether or not to add all joined rooms to the "protected rooms" list
+# (excluding the management room and watched policy list rooms, see below).
+#
+# Note that this effectively makes the protectedRooms and associated commands useless
+# for regular rooms.
+#
+# Note: the management room is *excluded* from this condition.
+# Explicitly add it as a protected room to protect it.
+#
+# Note: Ban list rooms the bot is watching but didn't create will not be protected.
+# Explicitly add these rooms as a protected room list if you want them protected.
+protectAllJoinedRooms: false
+
+# Increase this delay to have Mj  lnir wait longer between two consecutive backgrounded
+# operations. The total duration of operations will be longer, but the homeserver won't
+# be affected as much. Conversely, decrease this delay to have Mj  lnir chain operations
+# faster. The total duration of operations will generally be shorter, but the performance
+# of the homeserver may be more impacted.
+backgroundDelayMS: 500
+
+# Server administration commands, these commands will only work if Mjolnir is
+# a global server administrator, and the bot's server is a Synapse instance.
+admin:
+  # Whether or not Mjolnir can temporarily take control of any eligible account from the local homeserver who's in the room
+  # (with enough permissions) to "make" a user an admin.
+  #
+  # This only works if a local user with enough admin permissions is present in the room.
+  enableMakeRoomAdminCommand: false
+
+# Misc options for command handling and commands
+commands:
+  # Whether or not the `!mjolnir` prefix is necessary to submit commands.
+  #
+  # If `true`, will allow commands like `!ban`, `!help`, etc.
+  #
+  # Note: Mjolnir can also be pinged by display name instead of having to use
+  # the !mjolnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
+  # will address only my_moderator_bot.
+  allowNoPrefix: true
+
+  # Any additional bot prefixes that Mjolnir will listen to. i.e. adding `mod` will allow `!mod help`.
+  additionalPrefixes:
+    - "mjolnir_bot"
+
+  # Whether or not commands with a wildcard (*) will require an additional `--force` argument
+  # in the command to be able to be submitted.
+  confirmWildcardBan: true
+
+# Configuration specific to certain toggle-able protections
+protections:
+  # Configuration for the wordlist plugin, which can ban users based if they say certain
+  # blocked words shortly after joining.
+  wordlist:
+    # A list of case-insensitive keywords that the WordList protection will watch for from new users.
+    #
+    # WordList will ban users who use these words when first joining a room, so take caution when selecting them.
+    words:
+      - "REDACTED"
+
+    # For how long (in minutes) the user is "new" to the WordList plugin.
+    #
+    # After this time, the user will no longer be banned for using a word in the above wordlist.
+    #
+    # Set to zero to disable the timeout and make users *always* appear "new".
+    # (users will always be banned if they say a bad word)
+    minutesBeforeTrusting: REDACTED
+
+# Options for advanced monitoring of the health of the bot.
+health:
+  # healthz options. These options are best for use in container environments
+  # like Kubernetes to detect how healthy the service is. The bot will report
+  # that it is unhealthy until it is able to process user requests. Typically
+  # this means that it'll flag itself as unhealthy for a number of minutes
+  # before saying "Now monitoring rooms" and flagging itself healthy.
+  #
+  # Health is flagged through HTTP status codes, defined below.
+  healthz:
+    # Whether the healthz integration should be enabled (default false)
+    enabled: false
+
+    # The port to expose the webserver on. Defaults to 8080.
+    port: 8080
+
+    # The address to listen for requests on. Defaults to all addresses.
+    address: "0.0.0.0"
+
+    # The path to expose the monitoring endpoint at. Defaults to `/healthz`
+    endpoint: "/healthz"
+
+    # The HTTP status code which reports that the bot is healthy/ready to
+    # process requests. Typically this should not be changed. Defaults to
+    # 200.
+    healthyStatus: 200
+
+    # The HTTP status code which reports that the bot is not healthy/ready.
+    # Defaults to 418.
+    unhealthyStatus: 418
+
+  # Sentry options. Sentry is a tool used to receive/collate/triage runtime
+  # errors and performance issues. Skip this section if you do not wish to use
+  # Sentry.
+  sentry:
+    # The key used to upload Sentry data to the server.
+    # dsn: "https://XXXXXXXXX@example.com/YYY
+
+    # Frequency of performance monitoring.
+    # A number in [0.0, 1.0], where 0.0 means "don't bother with tracing"
+    # and 1.0 means "trace performance at every opportunity".
+    # tracesSampleRate: 0.5
+
+
+
+# Options for exposing web APIs.
+web:
+  # Whether to enable web APIs.
+  enabled: false
+
+  # The port to expose the webserver on. Defaults to 8080.
+  port: 8080
+
+  # The address to listen for requests on. Defaults to only the current
+  # computer.
+  address: localhost
+
+  # Alternative setting to open to the entire web. Be careful,
+  # as this will increase your security perimeter:
+  #
+  #  address: "0.0.0.0"
+
+  # A web API designed to intercept Matrix API
+  # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
+  # and display readable abuse reports in the moderation room.
+  #
+  # If you wish to take advantage of this feature, you will need
+  # to configure a reverse proxy, see e.g. test/nginx.conf
+  abuseReporting:
+    # Whether to enable this feature.
+    enabled: false
+
+# Whether or not to actively poll synapse for abuse reports, to be used
+# instead of intercepting client calls to synapse's abuse endpoint, when that
+# isn't possible/practical.
+pollReports: false
+
+# Whether or not new reports, received either by webapi or polling,
+# should be printed to our managementRoom.
+displayReports: true
+
+# How sensitive the NsfwProtection should be, which determines if an image should be redacted. A number between 0 - .99,
+# with a lower number indicating greater sensitivity, possibly resulting in images being more aggressively flagged
+# and redacted as NSFW
+nsfwSensitivity: REDACTED

srv/Matrix-Docker-Compose/mjolnir_PrivSec-dev/config/production.yaml

@@ -0,0 +1,233 @@
+# Endpoint URL that Mjolnir uses to interact with the matrix homeserver (client-server API),
+# set this to the pantalaimon URL if you're using that.
+homeserverUrl: "http://pantalaimon:8008"
+
+# Endpoint URL that Mjolnir could use to fetch events related to reports (client-server API and /_synapse/),
+# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
+rawHomeserverUrl: "https://matrix.arcticfoxes.net"
+
+# Matrix Access Token to use, Mjolnir will only use this if pantalaimon.use is false.
+accessToken: "YOUR_TOKEN_HERE"
+
+# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
+pantalaimon:
+  # Whether or not Mjolnir will use pantalaimon to access the matrix homeserver,
+  # set to `true` if you're using pantalaimon.
+  #
+  # Be sure to point homeserverUrl to the pantalaimon instance.
+  #
+  # Mjolnir will log in using the given username and password once,
+  # then store the resulting access token in a file under dataPath.
+  use: true
+
+  # The username to login with.
+  username: mjolnir
+
+  # The password Mjolnir will login with.
+  #
+  # After successfully logging in once, this will be ignored, so this value can be blanked after first startup.
+  password: REDACTED
+
+# The path Mjolnir will store its state/data in, leave default ("/data/storage") when using containers.
+dataPath: "/data/storage"
+
+# If true (the default), Mjolnir will only accept invites from users present in managementRoom.
+autojoinOnlyIfManager: true
+
+# If `autojoinOnlyIfManager` is false, only the members in this group can invite
+# the bot to new rooms.
+#acceptInvitesFromGroup: "+example:example.org"
+
+# Whether Mjolnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
+recordIgnoredInvites: false
+
+# The room ID (or room alias) of the management room, anyone in this room can issue commands to Mjolnir.
+#
+# Mjolnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
+#
+# This should be a room alias or room ID - not a matrix.to URL.
+#
+# Note: By default, Mjolnir is fairly verbose - expect a lot of messages in this room.
+# (see verboseLogging to adjust this a bit.)
+managementRoom: "!REDACTED:arcticfoxes.net"
+
+# Whether Mjolnir should log a lot more messages in the room,
+# mainly involves "all-OK" messages, and debugging messages for when mjolnir checks bans in a room.
+verboseLogging: false
+
+# The log level of terminal (or container) output,
+# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
+#
+# This should be at INFO or DEBUG in order to get support for Mjolnir problems.
+logLevel: "INFO"
+
+# Whether or not Mjolnir should synchronize policy lists immediately after startup.
+# Equivalent to running '!mjolnir sync'.
+syncOnStartup: true
+
+# Whether or not Mjolnir should check moderation permissions in all protected rooms on startup.
+# Equivalent to running `!mjolnir verify`.
+verifyPermissionsOnStartup: false
+
+# Whether or not Mjolnir should actually apply bans and policy lists,
+# turn on to trial some untrusted configuration or lists.
+noop: false
+
+# Whether Mjolnir should check member lists quicker (by using a different endpoint),
+# keep in mind that enabling this will miss invited (but not joined) users.
+#
+# Turn on if your bot is in (very) large rooms, or in large amounts of rooms.
+fasterMembershipChecks: false
+
+# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
+#
+# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list,
+# it will also remove the user's messages automatically.
+#
+# Typically this is useful to avoid having to give two commands to the bot.
+# Advanced: Use asterisks to have the reason match using "globs"
+# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting").
+#
+# See here for more info: https://www.digitalocean.com/community/tools/glob
+# Note: Keep in mind that glob is NOT regex!
+automaticallyRedactForReasons:
+  - "spam"
+  - "spam *"
+  - "advertising"
+
+# A list of rooms to protect. Mjolnir will add this to the list it knows from its account data.
+#
+# It won't, however, add it to the account data.
+# Manually add the room via '!mjolnir rooms add' to have it stay protected regardless if this config value changes.
+#
+# Note: These must be matrix.to URLs
+protectedRooms: []
+
+# Whether or not to add all joined rooms to the "protected rooms" list
+# (excluding the management room and watched policy list rooms, see below).
+#
+# Note that this effectively makes the protectedRooms and associated commands useless
+# for regular rooms.
+#
+# Note: the management room is *excluded* from this condition.
+# Explicitly add it as a protected room to protect it.
+#
+# Note: Ban list rooms the bot is watching but didn't create will not be protected.
+# Explicitly add these rooms as a protected room list if you want them protected.
+protectAllJoinedRooms: false
+
+# Increase this delay to have Mj  lnir wait longer between two consecutive backgrounded
+# operations. The total duration of operations will be longer, but the homeserver won't
+# be affected as much. Conversely, decrease this delay to have Mj  lnir chain operations
+# faster. The total duration of operations will generally be shorter, but the performance
+# of the homeserver may be more impacted.
+backgroundDelayMS: 500
+
+# Server administration commands, these commands will only work if Mjolnir is
+# a global server administrator, and the bot's server is a Synapse instance.
+admin:
+  # Whether or not Mjolnir can temporarily take control of any eligible account from the local homeserver who's in the room
+  # (with enough permissions) to "make" a user an admin.
+  #
+  # This only works if a local user with enough admin permissions is present in the room.
+  enableMakeRoomAdminCommand: false
+
+# Misc options for command handling and commands
+commands:
+  # Whether or not the `!mjolnir` prefix is necessary to submit commands.
+  #
+  # If `true`, will allow commands like `!ban`, `!help`, etc.
+  #
+  # Note: Mjolnir can also be pinged by display name instead of having to use
+  # the !mjolnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
+  # will address only my_moderator_bot.
+  allowNoPrefix: true
+
+  # Any additional bot prefixes that Mjolnir will listen to. i.e. adding `mod` will allow `!mod help`.
+  additionalPrefixes:
+    - "mjolnir_bot"
+
+  # Whether or not commands with a wildcard (*) will require an additional `--force` argument
+  # in the command to be able to be submitted.
+  confirmWildcardBan: true
+
+# Configuration specific to certain toggle-able protections
+protections:
+  # Configuration for the wordlist plugin, which can ban users based if they say certain
+  # blocked words shortly after joining.
+  wordlist:
+    # A list of case-insensitive keywords that the WordList protection will watch for from new users.
+    #
+    # WordList will ban users who use these words when first joining a room, so take caution when selecting them.
+    #
+    # For advanced usage, regex can also be used, see the following links for more information;
+    #  - https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions
+    #  - https://regexr.com/
+    #  - https://regexone.com/
+    words:
+      - "REDACTED"
+    # For how long (in minutes) the user is "new" to the WordList plugin.
+    #
+    # After this time, the user will no longer be banned for using a word in the above wordlist.
+    #
+    # Set to zero to disable the timeout and make users *always* appear "new".
+    # (users will always be banned if they say a bad word)
+    minutesBeforeTrusting: REDACTED
+
+# Options for advanced monitoring of the health of the bot.
+health:
+  # healthz options. These options are best for use in container environments
+  # like Kubernetes to detect how healthy the service is. The bot will report
+  # that it is unhealthy until it is able to process user requests. Typically
+  # this means that it'll flag itself as unhealthy for a number of minutes
+  # before saying "Now monitoring rooms" and flagging itself healthy.
+  #
+  # Health is flagged through HTTP status codes, defined below.
+  healthz:
+    # Whether the healthz integration should be enabled (default false)
+    enabled: false
+
+    # The port to expose the webserver on. Defaults to 8080.
+    port: 8080
+
+    # The address to listen for requests on. Defaults to all addresses.
+    address: "0.0.0.0"
+
+    # The path to expose the monitoring endpoint at. Defaults to `/healthz`
+    endpoint: "/healthz"
+
+    # The HTTP status code which reports that the bot is healthy/ready to
+    # process requests. Typically this should not be changed. Defaults to
+    # 200.
+    healthyStatus: 200
+
+    # The HTTP status code which reports that the bot is not healthy/ready.
+    # Defaults to 418.
+    unhealthyStatus: 418
+
+# Options for exposing web APIs.
+web:
+  # Whether to enable web APIs.
+  enabled: true
+
+  # The port to expose the webserver on. Defaults to 8080.
+  port: 8081
+
+  # The address to listen for requests on. Defaults to only the current
+  # computer.
+  #address: localhost
+
+  # Alternative setting to open to the entire web. Be careful,
+  # as this will increase your security perimeter:
+  #
+  address: "0.0.0.0"
+
+  # A web API designed to intercept Matrix API
+  # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
+  # and display readable abuse reports in the moderation room.
+  #
+  # If you wish to take advantage of this feature, you will need
+  # to configure a reverse proxy, see e.g. test/nginx.conf
+  abuseReporting:
+    # Whether to enable this feature.
+    enabled: true

srv/Matrix-Docker-Compose/pantalaimon/pantalaimon.conf

@@ -0,0 +1,10 @@
+[Default]
+LogLevel = Debug
+SSL = True
+
+[local-matrix]
+Homeserver = https://matrix.arcticfoxes.net
+ListenAddress = 0.0.0.0
+ListenPort = 8008
+UseKeyring = False
+IgnoreVerification = True