diff --git a/srv/Matrix-Docker-Compose/docker-compose.yml b/srv/Matrix-Docker-Compose/docker-compose.yml index 09e6c82..132d750 100644 --- a/srv/Matrix-Docker-Compose/docker-compose.yml +++ b/srv/Matrix-Docker-Compose/docker-compose.yml @@ -48,12 +48,12 @@ services: cap_drop: - ALL - mjolnir: + mjolnir_PrivSec-dev: image: matrixdotorg/mjolnir:v1.8.3 # https://github.com/matrix-org/mjolnir/issues/556 - container_name: mjolnir + container_name: mjolnir_PrivSec-dev restart: unless-stopped volumes: - - ./mjolnir:/data + - ./mjolnir_PrivSec-dev:/data depends_on: - pantalaimon networks: @@ -67,6 +67,7 @@ services: - ALL honoroit-hssupport: + profiles: ["disabled"] image: registry.gitlab.com/etke.cc/honoroit:latest container_name: honoroit-hssupport restart: unless-stopped @@ -82,6 +83,18 @@ services: cap_drop: - ALL + mjolnir_MacDonald: + image: matrixdotorg/mjolnir:v1.8.3 # https://github.com/matrix-org/mjolnir/issues/556 + container_name: mjolnir_MacDonald + restart: unless-stopped + volumes: + - ./mjolnir_MacDonald:/data + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + networks: element: matrix-to: diff --git a/srv/Matrix-Docker-Compose/mjolnir_MacDonald/config/production.yaml b/srv/Matrix-Docker-Compose/mjolnir_MacDonald/config/production.yaml new file mode 100644 index 0000000..921b292 --- /dev/null +++ b/srv/Matrix-Docker-Compose/mjolnir_MacDonald/config/production.yaml @@ -0,0 +1,258 @@ +# Endpoint URL that Mjolnir uses to interact with the matrix homeserver (client-server API), +# set this to the pantalaimon URL if you're using that. +homeserverUrl: "https://matrix.arcticfoxes.net" + +# Endpoint URL that Mjolnir could use to fetch events related to reports (client-server API and /_synapse/), +# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL. +rawHomeserverUrl: "https://matrix.arcticfoxes.net" + +# Matrix Access Token to use +accessToken: "REDACTED" + +# Options related to native encryption +encryption: + # whether to use native encryption in mjolnir, rather than using pantalaimon as a proxy + # note that if encryption is enabled here, pantaliamon must be disabled, and vice versa + use: false + +# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon) +# Note that this option is now deprecated as native encryption is now supported in mjolnir, +# and will be removed at a later date. +pantalaimon: + # Whether or not Mjolnir will use pantalaimon to access the matrix homeserver, + # set to `true` if you're using pantalaimon. + # + # Be sure to point homeserverUrl to the pantalaimon instance. + # + # Mjolnir will log in using the given username and password once, + # then store the resulting access token in a file under dataPath. + use: false + +# The path Mjolnir will store its state/data in, leave default ("/data/storage") when using containers. +dataPath: "/data/storage" + +# If true (the default), Mjolnir will only accept invites from users present in managementRoom. +autojoinOnlyIfManager: true + +# If `autojoinOnlyIfManager` is false, only the members in this space can invite +# the bot to new rooms. +acceptInvitesFromSpace: "!example:example.org" + +# Whether Mjolnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). +recordIgnoredInvites: false + +# The room ID (or room alias) of the management room, anyone in this room can issue commands to Mjolnir. +# +# Mjolnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it! +# +# This should be a room alias or room ID - not a matrix.to URL. +# +# Note: By default, Mjolnir is fairly verbose - expect a lot of messages in this room. +# (see verboseLogging to adjust this a bit.) +managementRoom: "!REDACTED:arcticfoxes.net" + +# Forward any messages mentioning the bot user to the mangement room. Repeated mentions within +# a 10 minute period are ignored. +forwardMentionsToManagementRoom: false + +# Whether Mjolnir should log a lot more messages in the room, +# mainly involves "all-OK" messages, and debugging messages for when mjolnir checks bans in a room. +verboseLogging: false + +# The log level of terminal (or container) output, +# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. +# +# This should be at INFO or DEBUG in order to get support for Mjolnir problems. +logLevel: "INFO" + +# Whether or not Mjolnir should synchronize policy lists immediately after startup. +# Equivalent to running '!mjolnir sync'. +syncOnStartup: true + +# Whether or not Mjolnir should check moderation permissions in all protected rooms on startup. +# Equivalent to running `!mjolnir verify`. +verifyPermissionsOnStartup: false + +# Whether or not Mjolnir should actually apply bans and policy lists, +# turn on to trial some untrusted configuration or lists. +noop: false + +# Whether Mjolnir should check member lists quicker (by using a different endpoint), +# keep in mind that enabling this will miss invited (but not joined) users. +# +# Turn on if your bot is in (very) large rooms, or in large amounts of rooms. +fasterMembershipChecks: false + +# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for. +# +# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list, +# it will also remove the user's messages automatically. +# +# Typically this is useful to avoid having to give two commands to the bot. +# Advanced: Use asterisks to have the reason match using "globs" +# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting"). +# +# See here for more info: https://www.digitalocean.com/community/tools/glob +# Note: Keep in mind that glob is NOT regex! +automaticallyRedactForReasons: [] + +# A list of rooms to protect. Mjolnir will add this to the list it knows from its account data. +# +# It won't, however, add it to the account data. +# Manually add the room via '!mjolnir rooms add' to have it stay protected regardless if this config value changes. +# +# Note: These must be matrix.to URLs +protectedRooms: [] + +# Whether or not to add all joined rooms to the "protected rooms" list +# (excluding the management room and watched policy list rooms, see below). +# +# Note that this effectively makes the protectedRooms and associated commands useless +# for regular rooms. +# +# Note: the management room is *excluded* from this condition. +# Explicitly add it as a protected room to protect it. +# +# Note: Ban list rooms the bot is watching but didn't create will not be protected. +# Explicitly add these rooms as a protected room list if you want them protected. +protectAllJoinedRooms: false + +# Increase this delay to have Mj lnir wait longer between two consecutive backgrounded +# operations. The total duration of operations will be longer, but the homeserver won't +# be affected as much. Conversely, decrease this delay to have Mj lnir chain operations +# faster. The total duration of operations will generally be shorter, but the performance +# of the homeserver may be more impacted. +backgroundDelayMS: 500 + +# Server administration commands, these commands will only work if Mjolnir is +# a global server administrator, and the bot's server is a Synapse instance. +admin: + # Whether or not Mjolnir can temporarily take control of any eligible account from the local homeserver who's in the room + # (with enough permissions) to "make" a user an admin. + # + # This only works if a local user with enough admin permissions is present in the room. + enableMakeRoomAdminCommand: false + +# Misc options for command handling and commands +commands: + # Whether or not the `!mjolnir` prefix is necessary to submit commands. + # + # If `true`, will allow commands like `!ban`, `!help`, etc. + # + # Note: Mjolnir can also be pinged by display name instead of having to use + # the !mjolnir prefix. For example, "my_moderator_bot: ban @spammer:example.org" + # will address only my_moderator_bot. + allowNoPrefix: true + + # Any additional bot prefixes that Mjolnir will listen to. i.e. adding `mod` will allow `!mod help`. + additionalPrefixes: + - "mjolnir_bot" + + # Whether or not commands with a wildcard (*) will require an additional `--force` argument + # in the command to be able to be submitted. + confirmWildcardBan: true + +# Configuration specific to certain toggle-able protections +protections: + # Configuration for the wordlist plugin, which can ban users based if they say certain + # blocked words shortly after joining. + wordlist: + # A list of case-insensitive keywords that the WordList protection will watch for from new users. + # + # WordList will ban users who use these words when first joining a room, so take caution when selecting them. + words: + - "REDACTED" + + # For how long (in minutes) the user is "new" to the WordList plugin. + # + # After this time, the user will no longer be banned for using a word in the above wordlist. + # + # Set to zero to disable the timeout and make users *always* appear "new". + # (users will always be banned if they say a bad word) + minutesBeforeTrusting: REDACTED + +# Options for advanced monitoring of the health of the bot. +health: + # healthz options. These options are best for use in container environments + # like Kubernetes to detect how healthy the service is. The bot will report + # that it is unhealthy until it is able to process user requests. Typically + # this means that it'll flag itself as unhealthy for a number of minutes + # before saying "Now monitoring rooms" and flagging itself healthy. + # + # Health is flagged through HTTP status codes, defined below. + healthz: + # Whether the healthz integration should be enabled (default false) + enabled: false + + # The port to expose the webserver on. Defaults to 8080. + port: 8080 + + # The address to listen for requests on. Defaults to all addresses. + address: "0.0.0.0" + + # The path to expose the monitoring endpoint at. Defaults to `/healthz` + endpoint: "/healthz" + + # The HTTP status code which reports that the bot is healthy/ready to + # process requests. Typically this should not be changed. Defaults to + # 200. + healthyStatus: 200 + + # The HTTP status code which reports that the bot is not healthy/ready. + # Defaults to 418. + unhealthyStatus: 418 + + # Sentry options. Sentry is a tool used to receive/collate/triage runtime + # errors and performance issues. Skip this section if you do not wish to use + # Sentry. + sentry: + # The key used to upload Sentry data to the server. + # dsn: "https://XXXXXXXXX@example.com/YYY + + # Frequency of performance monitoring. + # A number in [0.0, 1.0], where 0.0 means "don't bother with tracing" + # and 1.0 means "trace performance at every opportunity". + # tracesSampleRate: 0.5 + + + +# Options for exposing web APIs. +web: + # Whether to enable web APIs. + enabled: false + + # The port to expose the webserver on. Defaults to 8080. + port: 8080 + + # The address to listen for requests on. Defaults to only the current + # computer. + address: localhost + + # Alternative setting to open to the entire web. Be careful, + # as this will increase your security perimeter: + # + # address: "0.0.0.0" + + # A web API designed to intercept Matrix API + # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId} + # and display readable abuse reports in the moderation room. + # + # If you wish to take advantage of this feature, you will need + # to configure a reverse proxy, see e.g. test/nginx.conf + abuseReporting: + # Whether to enable this feature. + enabled: false + +# Whether or not to actively poll synapse for abuse reports, to be used +# instead of intercepting client calls to synapse's abuse endpoint, when that +# isn't possible/practical. +pollReports: false + +# Whether or not new reports, received either by webapi or polling, +# should be printed to our managementRoom. +displayReports: true + +# How sensitive the NsfwProtection should be, which determines if an image should be redacted. A number between 0 - .99, +# with a lower number indicating greater sensitivity, possibly resulting in images being more aggressively flagged +# and redacted as NSFW +nsfwSensitivity: REDACTED diff --git a/srv/Matrix-Docker-Compose/mjolnir_PrivSec-dev/config/production.yaml b/srv/Matrix-Docker-Compose/mjolnir_PrivSec-dev/config/production.yaml new file mode 100644 index 0000000..a5d5bc2 --- /dev/null +++ b/srv/Matrix-Docker-Compose/mjolnir_PrivSec-dev/config/production.yaml @@ -0,0 +1,233 @@ +# Endpoint URL that Mjolnir uses to interact with the matrix homeserver (client-server API), +# set this to the pantalaimon URL if you're using that. +homeserverUrl: "http://pantalaimon:8008" + +# Endpoint URL that Mjolnir could use to fetch events related to reports (client-server API and /_synapse/), +# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL. +rawHomeserverUrl: "https://matrix.arcticfoxes.net" + +# Matrix Access Token to use, Mjolnir will only use this if pantalaimon.use is false. +accessToken: "YOUR_TOKEN_HERE" + +# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon) +pantalaimon: + # Whether or not Mjolnir will use pantalaimon to access the matrix homeserver, + # set to `true` if you're using pantalaimon. + # + # Be sure to point homeserverUrl to the pantalaimon instance. + # + # Mjolnir will log in using the given username and password once, + # then store the resulting access token in a file under dataPath. + use: true + + # The username to login with. + username: mjolnir + + # The password Mjolnir will login with. + # + # After successfully logging in once, this will be ignored, so this value can be blanked after first startup. + password: REDACTED + +# The path Mjolnir will store its state/data in, leave default ("/data/storage") when using containers. +dataPath: "/data/storage" + +# If true (the default), Mjolnir will only accept invites from users present in managementRoom. +autojoinOnlyIfManager: true + +# If `autojoinOnlyIfManager` is false, only the members in this group can invite +# the bot to new rooms. +#acceptInvitesFromGroup: "+example:example.org" + +# Whether Mjolnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). +recordIgnoredInvites: false + +# The room ID (or room alias) of the management room, anyone in this room can issue commands to Mjolnir. +# +# Mjolnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it! +# +# This should be a room alias or room ID - not a matrix.to URL. +# +# Note: By default, Mjolnir is fairly verbose - expect a lot of messages in this room. +# (see verboseLogging to adjust this a bit.) +managementRoom: "!REDACTED:arcticfoxes.net" + +# Whether Mjolnir should log a lot more messages in the room, +# mainly involves "all-OK" messages, and debugging messages for when mjolnir checks bans in a room. +verboseLogging: false + +# The log level of terminal (or container) output, +# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. +# +# This should be at INFO or DEBUG in order to get support for Mjolnir problems. +logLevel: "INFO" + +# Whether or not Mjolnir should synchronize policy lists immediately after startup. +# Equivalent to running '!mjolnir sync'. +syncOnStartup: true + +# Whether or not Mjolnir should check moderation permissions in all protected rooms on startup. +# Equivalent to running `!mjolnir verify`. +verifyPermissionsOnStartup: false + +# Whether or not Mjolnir should actually apply bans and policy lists, +# turn on to trial some untrusted configuration or lists. +noop: false + +# Whether Mjolnir should check member lists quicker (by using a different endpoint), +# keep in mind that enabling this will miss invited (but not joined) users. +# +# Turn on if your bot is in (very) large rooms, or in large amounts of rooms. +fasterMembershipChecks: false + +# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for. +# +# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list, +# it will also remove the user's messages automatically. +# +# Typically this is useful to avoid having to give two commands to the bot. +# Advanced: Use asterisks to have the reason match using "globs" +# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting"). +# +# See here for more info: https://www.digitalocean.com/community/tools/glob +# Note: Keep in mind that glob is NOT regex! +automaticallyRedactForReasons: + - "spam" + - "spam *" + - "advertising" + +# A list of rooms to protect. Mjolnir will add this to the list it knows from its account data. +# +# It won't, however, add it to the account data. +# Manually add the room via '!mjolnir rooms add' to have it stay protected regardless if this config value changes. +# +# Note: These must be matrix.to URLs +protectedRooms: [] + +# Whether or not to add all joined rooms to the "protected rooms" list +# (excluding the management room and watched policy list rooms, see below). +# +# Note that this effectively makes the protectedRooms and associated commands useless +# for regular rooms. +# +# Note: the management room is *excluded* from this condition. +# Explicitly add it as a protected room to protect it. +# +# Note: Ban list rooms the bot is watching but didn't create will not be protected. +# Explicitly add these rooms as a protected room list if you want them protected. +protectAllJoinedRooms: false + +# Increase this delay to have Mj lnir wait longer between two consecutive backgrounded +# operations. The total duration of operations will be longer, but the homeserver won't +# be affected as much. Conversely, decrease this delay to have Mj lnir chain operations +# faster. The total duration of operations will generally be shorter, but the performance +# of the homeserver may be more impacted. +backgroundDelayMS: 500 + +# Server administration commands, these commands will only work if Mjolnir is +# a global server administrator, and the bot's server is a Synapse instance. +admin: + # Whether or not Mjolnir can temporarily take control of any eligible account from the local homeserver who's in the room + # (with enough permissions) to "make" a user an admin. + # + # This only works if a local user with enough admin permissions is present in the room. + enableMakeRoomAdminCommand: false + +# Misc options for command handling and commands +commands: + # Whether or not the `!mjolnir` prefix is necessary to submit commands. + # + # If `true`, will allow commands like `!ban`, `!help`, etc. + # + # Note: Mjolnir can also be pinged by display name instead of having to use + # the !mjolnir prefix. For example, "my_moderator_bot: ban @spammer:example.org" + # will address only my_moderator_bot. + allowNoPrefix: true + + # Any additional bot prefixes that Mjolnir will listen to. i.e. adding `mod` will allow `!mod help`. + additionalPrefixes: + - "mjolnir_bot" + + # Whether or not commands with a wildcard (*) will require an additional `--force` argument + # in the command to be able to be submitted. + confirmWildcardBan: true + +# Configuration specific to certain toggle-able protections +protections: + # Configuration for the wordlist plugin, which can ban users based if they say certain + # blocked words shortly after joining. + wordlist: + # A list of case-insensitive keywords that the WordList protection will watch for from new users. + # + # WordList will ban users who use these words when first joining a room, so take caution when selecting them. + # + # For advanced usage, regex can also be used, see the following links for more information; + # - https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions + # - https://regexr.com/ + # - https://regexone.com/ + words: + - "REDACTED" + # For how long (in minutes) the user is "new" to the WordList plugin. + # + # After this time, the user will no longer be banned for using a word in the above wordlist. + # + # Set to zero to disable the timeout and make users *always* appear "new". + # (users will always be banned if they say a bad word) + minutesBeforeTrusting: REDACTED + +# Options for advanced monitoring of the health of the bot. +health: + # healthz options. These options are best for use in container environments + # like Kubernetes to detect how healthy the service is. The bot will report + # that it is unhealthy until it is able to process user requests. Typically + # this means that it'll flag itself as unhealthy for a number of minutes + # before saying "Now monitoring rooms" and flagging itself healthy. + # + # Health is flagged through HTTP status codes, defined below. + healthz: + # Whether the healthz integration should be enabled (default false) + enabled: false + + # The port to expose the webserver on. Defaults to 8080. + port: 8080 + + # The address to listen for requests on. Defaults to all addresses. + address: "0.0.0.0" + + # The path to expose the monitoring endpoint at. Defaults to `/healthz` + endpoint: "/healthz" + + # The HTTP status code which reports that the bot is healthy/ready to + # process requests. Typically this should not be changed. Defaults to + # 200. + healthyStatus: 200 + + # The HTTP status code which reports that the bot is not healthy/ready. + # Defaults to 418. + unhealthyStatus: 418 + +# Options for exposing web APIs. +web: + # Whether to enable web APIs. + enabled: true + + # The port to expose the webserver on. Defaults to 8080. + port: 8081 + + # The address to listen for requests on. Defaults to only the current + # computer. + #address: localhost + + # Alternative setting to open to the entire web. Be careful, + # as this will increase your security perimeter: + # + address: "0.0.0.0" + + # A web API designed to intercept Matrix API + # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId} + # and display readable abuse reports in the moderation room. + # + # If you wish to take advantage of this feature, you will need + # to configure a reverse proxy, see e.g. test/nginx.conf + abuseReporting: + # Whether to enable this feature. + enabled: true diff --git a/srv/Matrix-Docker-Compose/pantalaimon/pantalaimon.conf b/srv/Matrix-Docker-Compose/pantalaimon/pantalaimon.conf new file mode 100644 index 0000000..7ef5482 --- /dev/null +++ b/srv/Matrix-Docker-Compose/pantalaimon/pantalaimon.conf @@ -0,0 +1,10 @@ +[Default] +LogLevel = Debug +SSL = True + +[local-matrix] +Homeserver = https://matrix.arcticfoxes.net +ListenAddress = 0.0.0.0 +ListenPort = 8008 +UseKeyring = False +IgnoreVerification = True