{#
SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
SPDX-FileCopyrightText: 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2024 Suguru Hirahara

SPDX-License-Identifier: AGPL-3.0-or-later
#}

# Connection settings: where the bot reaches the homeserver and which credential it presents.
# The templated values below are passed through the `to_json` filter, so each one is
# rendered as a quoted, escaped JSON scalar (which is also valid YAML) rather than raw text.

# Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API).
homeserverUrl: {{ matrix_bot_draupnir_homeserver_url | to_json }}

# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/).
# Only set this to the public-internet homeserver client API URL; do NOT set this to the pantalaimon URL.
rawHomeserverUrl: {{ matrix_bot_draupnir_raw_homeserver_url | to_json }}

# Matrix Access Token to use. Draupnir will only use this if pantalaimon.use is false.
# This option can be loaded from a file by passing "--access-token-path <path>" at the command line,
# which would allow using secret management systems such as systemd's service credentials.
# NOTE(review): the token is written into the rendered file in plaintext, so anyone who can
# read that file can act as the bot account. Keep the rendered file readable only by the
# service user, or prefer "--access-token-path" - TODO confirm the file mode the playbook applies.
accessToken: {{ matrix_bot_draupnir_access_token | to_json }}

{% if matrix_bot_draupnir_pantalaimon_use or matrix_bot_draupnir_login_native %}
# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
# This section is rendered when either the Pantalaimon toggle or the native-login toggle is
# set in the playbook; in both cases the bot logs in with the username and password below
# instead of using accessToken.
pantalaimon:
  # Set to `true` when the bot is to login and fetch the access token on its own.
  #
  # Draupnir will log in using the given username and password once,
  # then store the resulting access token in a file under dataPath.
  use: true

  # The username to login with.
  username: {{ matrix_bot_draupnir_login | to_json }}

  # The password Draupnir will login with.
  #
  # After successfully logging in once, this will be ignored, so this value can be blanked after first startup.
  # This option can be loaded from a file by passing "--password-path <path>" at the command line,
  # which would allow using secret management systems such as systemd's service credentials.
  # NOTE(review): the password is written into the rendered file in plaintext. Blanking it
  # after the first successful login (as described above) or using "--password-path" keeps
  # a long-lived credential out of this file - TODO confirm the file mode the playbook applies.
  password: {{ matrix_bot_draupnir_password | to_json }}
{% endif %}

# Encryption backend, storage location and invite-acceptance policy.

# Experimental usage of the matrix-bot-sdk rust crypto. This cannot be used with Pantalaimon.
# Make sure Pantalaimon is disabled in Draupnir's configuration.
#
# Warning: At this time this is not considered production safe.
experimentalRustCrypto: {{ matrix_bot_draupnir_enable_experimental_rust_crypto | to_json }}

# The path Draupnir will store its state/data in, leave default ("/data/storage") when using containers.
# NOTE(review): the value set here is "/data", not the "/data/storage" default named above;
# presumably it matches the directory the playbook mounts into the container - confirm.
# When the bot logs in by username/password, the resulting access token is stored in a file
# under this path (see the pantalaimon section), so the directory holds a credential.
dataPath: "/data"

# If true (the default), Draupnir will only accept invites from users present in managementRoom.
autojoinOnlyIfManager: true

# If `autojoinOnlyIfManager` is false, only the members in this space can invite
# the bot to new rooms.
#acceptInvitesFromSpace: "!qporfwt:example.com"

# Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
recordIgnoredInvites: false

# Management room and logging.

# The room ID (or room alias) of the management room. Anyone in this room can issue commands to Draupnir.
#
# Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
# In other words, membership of this room is the only authorization check for bot commands,
# so its join rules and member list are the thing to review.
#
# This should be a room alias or room ID - not a matrix.to URL.
#
# Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
# (see verboseLogging to adjust this a bit.)
managementRoom: {{ matrix_bot_draupnir_management_room | to_json }}

# Deprecated and will be removed in a future version.
# Running with verboseLogging is unsupported.
# Whether Draupnir should log a lot more messages in the room;
# this mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room.
verboseLogging: false

# The log level of terminal (or container) output,
# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
#
# This should be at INFO or DEBUG in order to get support for Draupnir problems.
logLevel: "INFO"

# Startup behaviour and enforcement switches.

# Whether or not Draupnir should synchronize policy lists immediately after startup.
# Equivalent to running '!draupnir sync'.
syncOnStartup: true

# Whether or not Draupnir should check moderation permissions in all protected rooms on startup.
# Equivalent to running `!draupnir verify`.
verifyPermissionsOnStartup: true

# Whether or not Draupnir should actually apply bans and policy lists,
# turn on to trial some untrusted configuration or lists.
# Read as a dry-run switch: with `false` (the value set here) bans and policy lists are
# enforced; turning it on is for trialling without enforcement.
noop: false

# Whether or not Draupnir should apply `m.room.server_acl` events.
# DO NOT change this to `true` unless you are very confident that you know what you are doing.
# The key is phrased as "disable": `true` turns server ACL application off, `false` leaves it on.
# The value comes from the playbook variable referenced below.
disableServerACL: {{ matrix_bot_draupnir_disable_server_acl | to_json }}

# Automatic redaction and room-protection scope.

# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
#
# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list,
# it will also remove the user's messages automatically.
#
# Typically this is useful to avoid having to give two commands to the bot.
# Advanced: Use asterisks to have the reason match using "globs"
# (e.g. "spam*testing" would match "spam for testing" as well as "spamtesting").
#
# See here for more info: https://www.digitalocean.com/community/tools/glob
# Note: Keep in mind that glob is NOT regex!
automaticallyRedactForReasons:
  - "spam"
  - "advertising"

# Whether or not to add all joined rooms to the "protected rooms" list
# (excluding the management room and watched policy list rooms, see below).
#
# Note that this effectively makes the protectedRooms and associated commands useless
# for regular rooms.
#
# Note: the management room is *excluded* from this condition.
# Explicitly add it as a protected room to protect it.
#
# Note: Ban list rooms the bot is watching but didn't create will not be protected.
# Explicitly add these rooms as a protected room list if you want them protected.
protectAllJoinedRooms: false

# Pacing of background work, followed by the (currently disabled) Synapse admin section.

# Increase this delay to have Draupnir wait longer between two consecutive backgrounded
# operations. The total duration of operations will be longer, but the homeserver won't
# be affected as much. Conversely, decrease this delay to have Draupnir chain operations
# faster. The total duration of operations will generally be shorter, but the performance
# of the homeserver may be more impacted.
# The key name suggests the unit is milliseconds.
backgroundDelayMS: 500

# FIXME: This configuration option is currently broken in the playbook as admin APIs cannot
# be accessed from containers. See https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3389
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3308
# The whole `admin` section below is therefore left commented out and is not rendered as a setting.
# Server administration commands, these commands will only work if Draupnir is
# a global server administrator, and the bot's server is a Synapse instance.
#admin:
#  # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver that is in the room
#  # (with enough permissions) to "make" a user an admin.
#  #
#  # This only works if a local user with enough admin permissions is present in the room.
#  enableMakeRoomAdminCommand: false

# Misc options for command handling and commands
commands:
  # Whether or not the `!draupnir` prefix is necessary to submit commands.
  #
  # If `true`, will allow commands like `!ban`, `!help`, etc.
  # With `false` (the value set here) a prefix or a ping by display name is required.
  #
  # Note: Draupnir can also be pinged by display name instead of having to use
  # the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
  # will address only my_moderator_bot.
  allowNoPrefix: false

  # Any additional bot prefixes that Draupnir will listen to, e.g. adding `mod` will allow `!mod help`.
  additionalPrefixes:
    - "draupnir-bot"
    - "draupnir_bot"
    - "draupnir"

  # The default reasons to be prompted with if the reason is missing from a ban command.
  ban:
    defaultReasons:
      - "spam"
      - "brigading"
      - "harassment"
      - "disagreement"

# Configuration specific to certain toggle-able protections
# (the whole `protections` section is commented out in this template, so none of it is rendered as a setting).
#protections:
#  # Configuration for the wordlist plugin, which can ban users if they say certain
#  # blocked words shortly after joining.
#  wordlist:
#    # A list of case-insensitive keywords that the WordList protection will watch for from new users.
#    #
#    # WordList will ban users who use these words when first joining a room, so take caution when selecting them.
#    #
#    # The word list protection does not support regular expressions at this time.
#    # The configuration in the past stated support for Regex erroneously.
#    #
#    words:
#      - "LoReM"
#      - "IpSuM"
#      - "DoLoR"
#      - "aMeT"
#
#    # For how long (in minutes) the user is "new" to the WordList plugin.
#    #
#    # After this time, the user will no longer be banned for using a word in the above wordlist.
#    #
#    # Set to zero to disable the timeout and make users *always* appear "new".
#    # (users will always be banned if they say a bad word)
#    minutesBeforeTrusting: 20

# The room state backing store writes a copy of the room state for all protected
# rooms to the data directory.
# It is recommended to enable this option unless you deploy Draupnir close to the
# homeserver and know that Draupnir is starting up quickly. If your homeserver can
# respond quickly to Draupnir's requests for `/state` then you might not need this option.
# The value comes from the playbook variable referenced below.
roomStateBackingStore:
  enabled: {{ matrix_bot_draupnir_enable_room_state_backing_store | to_json }}

# Safe mode provides recovery options for some failure modes when Draupnir
# fails to start. For example, if the bot fails to resolve a room alias in
# a watched list, or if the server has parted from a protected room and can't
# find a way back in. Safe mode will provide different options to recover from
# these, such as unprotecting the room or unwatching the policy list.
# By default Draupnir will boot into safe mode only when the failure mode
# is recoverable.
# It may be desirable to prevent the bot from starting into safe mode if you have
# a pager system for when Draupnir is down, as Draupnir could prevent your monitoring
# system from identifying a failure to start.
# (the `safeMode` section is commented out in this template, so the default described above applies.)
#safeMode:
#  # The option for entering safe mode when Draupnir fails to start up.
#  # - "RecoveryOnly" will only start the bot in safe mode when there are recovery options available. This is the default.
#  # - "Never" will never start the bot in safe mode when Draupnir fails to start normally.
#  # - "Always" will always start the bot in safe mode when Draupnir fails to start normally.
#  bootOption: RecoveryOnly

# Options for advanced monitoring of the health of the bot.
health:
  # healthz options. These options are best for use in container environments
  # like Kubernetes to detect how healthy the service is. The bot will report
  # that it is unhealthy until it is able to process user requests. Typically
  # this means that it'll flag itself as unhealthy for a number of minutes
  # before saying "Now monitoring rooms" and flagging itself healthy.
  #
  # Health is flagged through HTTP status codes, defined below.
  healthz:
    # Whether the healthz integration should be enabled (default false)
    # It is disabled here, so the listener settings below take effect only if this is changed.
    enabled: false

    # The port to expose the webserver on. Defaults to 8080.
    # NOTE(review): this is the same port number the `web` section of this file uses;
    # presumably the two would need distinct ports if both were enabled - confirm.
    port: 8080

    # The address to listen for requests on. Defaults to all addresses.
    address: "0.0.0.0"

    # The path to expose the monitoring endpoint at. Defaults to `/healthz`
    endpoint: "/healthz"

    # The HTTP status code which reports that the bot is healthy/ready to
    # process requests. Typically this should not be changed. Defaults to
    # 200.
    healthyStatus: 200

    # The HTTP status code which reports that the bot is not healthy/ready.
    # Defaults to 418.
    unhealthyStatus: 418

  # Sentry options. Sentry is a tool used to receive/collate/triage runtime
  # errors and performance issues. Skip this section if you do not wish to use
  # Sentry.
  # Both options below are commented out, so `sentry` carries no settings in this template.
  sentry:
    # The key used to upload Sentry data to the server.
    # dsn: "https://XXXXXXXXX@example.com/YYY"

    # Frequency of performance monitoring.
    # A number in [0.0, 1.0], where 0.0 means "don't bother with tracing"
    # and 1.0 means "trace performance at every opportunity".
    # tracesSampleRate: 0.5

{% if matrix_bot_draupnir_web_enabled %}
# Options for exposing web APIs.
# This section is rendered only when the playbook's web toggle is set.
web:
  # Whether to enable web APIs.
  enabled: true

  # The port to expose the webserver on. Defaults to 8080.
  port: 8080

  # The address to listen for requests on. Defaults to only the current
  # computer.
  # The value set here is NOT that default: "0.0.0.0" listens on all interfaces.
  # NOTE(review): presumably this is so a reverse proxy can reach the bot inside its
  # container; who can actually reach the port then depends on how the container's
  # network and port publishing are set up - confirm against the service definition.
  address: "0.0.0.0"

  # Alternative setting to open to the entire web. Be careful,
  # as this will increase your security perimeter:
  # (this template already uses this value above.)
  #
  #  address: "0.0.0.0"

  # A web API designed to intercept Matrix API
  # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
  # and display readable abuse reports in the moderation room.
  #
  # If you wish to take advantage of this feature, you will need
  # to configure a reverse proxy, see e.g. test/nginx.conf
  # (presumably a path in the upstream Draupnir repository - confirm).
  abuseReporting:
    # Whether to enable this feature.
    enabled: {{ matrix_bot_draupnir_abuse_reporting_enabled | to_json }}
{% endif %}

# Abuse-report intake by polling (disabled) and report display.

# FIXME: This configuration option is currently broken in the playbook as admin APIs cannot
# be accessed from containers. See https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3389
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3308
# Whether or not to actively poll synapse for abuse reports, to be used
# instead of intercepting client calls to synapse's abuse endpoint, when that
# isn't possible/practical.
# Left commented out because of the FIXME above.
#pollReports: false

# Whether or not new reports, received either by webapi or polling,
# should be printed to our managementRoom.
# Reports printed there are visible to every member of the management room.
displayReports: {{ matrix_bot_draupnir_display_reports | to_json }}