diff --git a/cmd/generate-config/main.go b/cmd/generate-config/main.go index 4dd125933..cff376d8c 100644 --- a/cmd/generate-config/main.go +++ b/cmd/generate-config/main.go @@ -10,6 +10,10 @@ import ( func main() { cfg := &config.Dendrite{} cfg.Defaults() + cfg.Global.TrustedIDServers = []string{ + "matrix.org", + "vector.im", + } cfg.Logging = []config.LogrusHook{ { Type: "file", @@ -19,6 +23,38 @@ func main() { }, }, } + cfg.ServerKeyAPI.KeyPerspectives = config.KeyPerspectives{ + { + ServerName: "matrix.org", + Keys: []config.KeyPerspectiveTrustKey{ + { + KeyID: "ed25519:auto", + PublicKey: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw", + }, + { + KeyID: "ed25519:a_RXGa", + PublicKey: "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ", + }, + }, + }, + } + cfg.MediaAPI.ThumbnailSizes = []config.ThumbnailSize{ + { + Width: 32, + Height: 32, + ResizeMethod: "crop", + }, + { + Width: 96, + Height: 96, + ResizeMethod: "crop", + }, + { + Width: 640, + Height: 480, + ResizeMethod: "scale", + }, + } j, err := yaml.Marshal(cfg) if err != nil { diff --git a/dendrite-config.yaml b/dendrite-config.yaml new file mode 100644 index 000000000..74bb0711b --- /dev/null +++ b/dendrite-config.yaml @@ -0,0 +1,304 @@ +# This is the Dendrite configuration file. +# +# The configuration is split up into sections - each Dendrite component has a +# configuration section, in addition to the "global" section which applies to +# all components. +# +# At a minimum, to get started, you will need to update the settings in the +# "global" section for your deployment, and you will need to check that the +# database "connection_string" line in each component section is correct. +# +# Each component with a "database" section can accept the following formats +# for "connection_string": +# SQLite: file:filename.db +# file:///path/to/filename.db +# PostgreSQL: postgresql://user:pass@hostname/database?params=... +# +# SQLite is embedded into Dendrite and therefore no further prerequisites are +# needed for the database when using SQLite mode. However, performance with +# PostgreSQL is significantly better and recommended for multi-user deployments. +# SQLite is typically around 20-30% slower than PostgreSQL when tested with a +# small number of users and likely will perform worse still with a higher volume +# of users. +# +# The "max_open_conns" and "max_idle_conns" settings configure the maximum +# number of open/idle database connections. The value 0 will use the database +# engine default, and a negative value will use unlimited connections. The +# "conn_max_lifetime" option controls the maximum length of time a database +# connection can be idle in seconds - a negative value is unlimited. + +# The version of the configuration file. +version: 1 + +# Global Matrix configuration. This configuration applies to all components. +global: + # The domain name of this homeserver. + server_name: localhost + + # The path to the signing private key file, used to sign requests and events. + private_key: matrix_key.pem + + # A unique identifier for this private key. Must start with the prefix "ed25519:". + key_id: ed25519:auto + + # How long a remote server can cache our server signing key before requesting it + # again. Increasing this number will reduce the number of requests made by other + # servers for our key but increases the period that a compromised key will be + # considered valid by other homeservers. + key_validity_period: 168h0m0s + + # Lists of domains that the server will trust as identity servers to verify third + # party identifiers such as phone numbers and email addresses. + trusted_third_party_id_servers: + - matrix.org + - vector.im + + # Configuration for Kafka/Naffka. + kafka: + # List of Kafka broker addresses to connect to. This is not needed if using + # Naffka in monolith mode. + addresses: + - localhost:2181 + + # The prefix to use for Kafka topic names for this homeserver. Change this only if + # you are running more than one Dendrite homeserver on the same Kafka deployment. + topic_prefix: Dendrite + + # Whether to use Naffka instead of Kafka. This is only available in monolith + # mode, but means that you can run a single-process server without requiring + # Kafka. + use_naffka: true + + # Naffka database options. Not required when using Kafka. + naffka_database: + connection_string: file:naffka.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Configuration for Prometheus metric collection. + metrics: + # Whether or not Prometheus metrics are enabled. + enabled: false + + # HTTP basic authentication to protect access to monitoring. + basic_auth: + username: metrics + password: metrics + +# Configuration for the Appservice API. +app_service_api: + listen: localhost:7777 + bind: localhost:7777 + database: + connection_string: file:appservice.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Appservice configuration files to load into this homeserver. + config_files: [] + +# Configuration for the Client API. +client_api: + listen: localhost:7771 + bind: localhost:7771 + + # Prevents new users from being able to register on this homeserver, except when + # using the registration shared secret below. + registration_disabled: false + + # If set, allows registration by anyone who knows the shared secret, regardless of + # whether registration is otherwise disabled. + registration_shared_secret: "" + + # Whether to require reCAPTCHA for registration. + enable_registration_captcha: false + + # Settings for ReCAPTCHA. + recaptcha_public_key: "" + recaptcha_private_key: "" + recaptcha_bypass_secret: "" + recaptcha_siteverify_api: "" + + # TURN server information that this homeserver should send to clients. + turn: + turn_user_lifetime: "" + turn_uris: [] + turn_shared_secret: "" + turn_username: "" + turn_password: "" + +# Configuration for the Current State Server. +current_state_server: + listen: localhost:7782 + bind: localhost:7782 + database: + connection_string: file:currentstate.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the EDU server. +edu_server: + listen: localhost:7778 + bind: localhost:7778 + +# Configuration for the Federation API. +federation_api: + listen: localhost:7772 + bind: localhost:7772 + + # List of paths to X.509 certificates to be used by the external federation listeners. + # These certificates will be used to calculate the TLS fingerprints and other servers + # will expect the certificate to match these fingerprints. Certificates must be in PEM + # format. + federation_certificates: [] + +# Configuration for the Federation Sender. +federation_sender: + listen: localhost:7775 + bind: localhost:7775 + database: + connection_string: file:federationsender.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # How many times we will try to resend a failed transaction to a specific server. The + # backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc. + send_max_retries: 16 + + # Disable the validation of TLS certificates of remote federated homeservers. Do not + # enable this option in production as it presents a security risk! + disable_tls_validation: false + + # Use the following proxy server for outbound federation traffic. + proxy_outbound: + enabled: false + protocol: http + host: localhost + port: 8080 + +# Configuration for the Key Server (for end-to-end encryption). +key_server: + listen: localhost:7779 + bind: localhost:7779 + database: + connection_string: file:keyserver.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Media API. +media_api: + listen: localhost:7774 + bind: localhost:7774 + database: + connection_string: file:mediaapi.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Storage path for uploaded media. May be relative or absolute. + base_path: ./media_store + + # The maximum allowed file size (in bytes) for media uploads to this homeserver + # (0 = unlimited). + max_file_size_bytes: 10485760 + + # Whether to dynamically generate thumbnails if needed. + dynamic_thumbnails: false + + # The maximum number of simultaneous thumbnail generators to run. + max_thumbnail_generators: 10 + + # A list of thumbnail sizes to be generated for media content. + thumbnail_sizes: + - width: 32 + height: 32 + method: crop + - width: 96 + height: 96 + method: crop + - width: 640 + height: 480 + method: scale + +# Configuration for the Room Server. +room_server: + listen: localhost:7770 + bind: localhost:7770 + database: + connection_string: file:roomserver.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Server Key API (for server signing keys). +server_key_api: + listen: localhost:7780 + bind: localhost:7780 + database: + connection_string: file:serverkeyapi.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Perspective keyservers to use as a backup when direct key fetches fail. This may + # be required to satisfy key requests for servers that are no longer online when + # joining some rooms. + key_perspectives: + - server_name: matrix.org + keys: + - key_id: ed25519:auto + public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw + - key_id: ed25519:a_RXGa + public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ + +# Configuration for the Sync API. +sync_api: + listen: localhost:7773 + bind: localhost:7773 + database: + connection_string: file:syncapi.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the User API. +user_api: + listen: localhost:7781 + bind: localhost:7781 + account_database: + connection_string: file:userapi_accounts.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + device_database: + connection_string: file:userapi_devices.db + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for Opentracing. +tracing: + enabled: false + jaeger: + serviceName: "" + disabled: false + rpc_metrics: false + tags: [] + sampler: null + reporter: null + headers: null + baggage_restrictions: null + throttler: null + +# Logging configuration, in addition to the standard logging that is sent to +# stdout by Dendrite. +logging: +- type: file + level: info + params: + path: /var/log/dendrite \ No newline at end of file diff --git a/internal/config/config.go b/internal/config/config.go index cf9168f71..6cd04722e 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -110,21 +110,6 @@ type Derived struct { // servers from creating RoomIDs in exclusive application service namespaces } -// KeyPerspectives are used to configure perspective key servers for -// retrieving server keys. -type KeyPerspectives []struct { - // The server name of the perspective key server - ServerName gomatrixserverlib.ServerName `yaml:"server_name"` - // Server keys for the perspective user, used to verify the - // keys have been signed by the perspective server - Keys []struct { - // The key ID, e.g. ed25519:auto - KeyID gomatrixserverlib.KeyID `yaml:"key_id"` - // The public key in base64 unpadded format - PublicKey string `yaml:"public_key"` - } `yaml:"keys"` -} - // A Path on the filesystem. type Path string diff --git a/internal/config/config_clientapi.go b/internal/config/config_clientapi.go index c441a9c0b..ae146fcb5 100644 --- a/internal/config/config_clientapi.go +++ b/internal/config/config_clientapi.go @@ -12,24 +12,25 @@ type ClientAPI struct { Listen Address `yaml:"listen"` Bind Address `yaml:"bind"` + // If set disables new users from registering (except via shared + // secrets) + RegistrationDisabled bool `yaml:"registration_disabled"` // If set, allows registration by anyone who also has the shared // secret, even if registration is otherwise disabled. RegistrationSharedSecret string `yaml:"registration_shared_secret"` + + // Boolean stating whether catpcha registration is enabled + // and required + RecaptchaEnabled bool `yaml:"enable_registration_captcha"` // This Home Server's ReCAPTCHA public key. RecaptchaPublicKey string `yaml:"recaptcha_public_key"` // This Home Server's ReCAPTCHA private key. RecaptchaPrivateKey string `yaml:"recaptcha_private_key"` - // Boolean stating whether catpcha registration is enabled - // and required - RecaptchaEnabled bool `yaml:"enable_registration_captcha"` // Secret used to bypass the captcha registration entirely - RecaptchaBypassSecret string `yaml:"captcha_bypass_secret"` + RecaptchaBypassSecret string `yaml:"recaptcha_bypass_secret"` // HTTP API endpoint used to verify whether the captcha response // was successful RecaptchaSiteVerifyAPI string `yaml:"recaptcha_siteverify_api"` - // If set disables new users from registering (except via shared - // secrets) - RegistrationDisabled bool `yaml:"registration_disabled"` // TURN options TURN TURN `yaml:"turn"` diff --git a/internal/config/config_global.go b/internal/config/config_global.go index 785a8033c..2b36da2f5 100644 --- a/internal/config/config_global.go +++ b/internal/config/config_global.go @@ -20,7 +20,7 @@ type Global struct { // An arbitrary string used to uniquely identify the PrivateKey. Must start with the // prefix "ed25519:". - KeyID gomatrixserverlib.KeyID `yaml:"-"` + KeyID gomatrixserverlib.KeyID `yaml:"key_id"` // How long a remote server can cache our server key for before requesting it again. // Increasing this number will reduce the number of requests made by remote servers @@ -43,7 +43,7 @@ type Global struct { func (c *Global) Defaults() { c.ServerName = "localhost" - c.PrivateKeyPath = "matrix.pem" + c.PrivateKeyPath = "matrix_key.pem" _, c.PrivateKey, _ = ed25519.GenerateKey(rand.New(rand.NewSource(0))) c.KeyID = "ed25519:auto" c.KeyValidityPeriod = time.Hour * 24 * 7 diff --git a/internal/config/config_kafka.go b/internal/config/config_kafka.go index 43a27cf29..e2bd6538e 100644 --- a/internal/config/config_kafka.go +++ b/internal/config/config_kafka.go @@ -14,6 +14,9 @@ const ( type Kafka struct { // A list of kafka addresses to connect to. Addresses []string `yaml:"addresses"` + // The prefix to use for Kafka topic names for this homeserver - really only + // useful if running more than one Dendrite on the same Kafka deployment. + TopicPrefix string `yaml:"topic_prefix"` // Whether to use naffka instead of kafka. // Naffka can only be used when running dendrite as a single monolithic server. // Kafka can be used both with a monolithic server and when running the @@ -21,9 +24,6 @@ type Kafka struct { UseNaffka bool `yaml:"use_naffka"` // The Naffka database is used internally by the naffka library, if used. Database DatabaseOptions `yaml:"naffka_database"` - // The prefix to use for Kafka topic names for this homeserver - really only - // useful if running more than one Dendrite on the same Kafka deployment. - TopicPrefix string `yaml:"topic_prefix"` } func (k *Kafka) TopicFor(name string) string { @@ -33,6 +33,7 @@ func (k *Kafka) TopicFor(name string) string { func (c *Kafka) Defaults() { c.UseNaffka = true c.Database.Defaults() + c.Addresses = []string{"localhost:2181"} c.Database.ConnectionString = DataSource("file:naffka.db") c.TopicPrefix = "Dendrite" } diff --git a/internal/config/config_serverkey.go b/internal/config/config_serverkey.go index cf1f537ab..78dc11947 100644 --- a/internal/config/config_serverkey.go +++ b/internal/config/config_serverkey.go @@ -1,5 +1,7 @@ package config +import "github.com/matrix-org/gomatrixserverlib" + type ServerKeyAPI struct { Matrix *Global `yaml:"-"` @@ -27,3 +29,22 @@ func (c *ServerKeyAPI) Verify(configErrs *ConfigErrors, isMonolith bool) { checkNotEmpty(configErrs, "server_key_api.bind", string(c.Bind)) checkNotEmpty(configErrs, "server_key_api.database.connection_string", string(c.Database.ConnectionString)) } + +// KeyPerspectives are used to configure perspective key servers for +// retrieving server keys. +type KeyPerspectives []KeyPerspective + +type KeyPerspective struct { + // The server name of the perspective key server + ServerName gomatrixserverlib.ServerName `yaml:"server_name"` + // Server keys for the perspective user, used to verify the + // keys have been signed by the perspective server + Keys []KeyPerspectiveTrustKey `yaml:"keys"` +} + +type KeyPerspectiveTrustKey struct { + // The key ID, e.g. ed25519:auto + KeyID gomatrixserverlib.KeyID `yaml:"key_id"` + // The public key in base64 unpadded format + PublicKey string `yaml:"public_key"` +} diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 4ff170e47..050debffd 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -37,22 +37,20 @@ version: 1 global: server_name: localhost private_key: matrix_key.pem + key_id: ed25519:auto key_validity_period: 168h0m0s - trusted_third_party_id_servers: [] + trusted_third_party_id_servers: + - matrix.org + - vector.im kafka: addresses: [] + topic_prefix: Dendrite use_naffka: true naffka_database: connection_string: file:naffka.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 - topics: - output_room_event: OutputRoomEventTopic - output_client_data: OutputClientDataTopic - output_typing_event: OutputTypingEventTopic - output_send_to_device_event: OutputSendToDeviceEventTopic - output_key_change_event: OutputKeyChangeEventTopic metrics: enabled: false basic_auth: @@ -63,20 +61,20 @@ app_service_api: bind: localhost:7777 database: connection_string: file:appservice.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 config_files: [] client_api: listen: localhost:7771 bind: localhost:7771 + registration_disabled: false registration_shared_secret: "" + enable_registration_captcha: false recaptcha_public_key: "" recaptcha_private_key: "" - enable_registration_captcha: false - captcha_bypass_secret: "" + recaptcha_bypass_secret: "" recaptcha_siteverify_api: "" - registration_disabled: false turn: turn_user_lifetime: "" turn_uris: [] @@ -88,8 +86,8 @@ current_state_server: bind: localhost:7782 database: connection_string: file:currentstate.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 edu_server: listen: localhost:7778 @@ -103,10 +101,11 @@ federation_sender: bind: localhost:7775 database: connection_string: file:federationsender.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 - federation_max_retries: 16 + send_max_retries: 16 + disable_tls_validation: false proxy_outbound: enabled: false protocol: http @@ -117,59 +116,74 @@ key_server: bind: localhost:7779 database: connection_string: file:keyserver.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 media_api: listen: localhost:7774 bind: localhost:7774 database: connection_string: file:mediaapi.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 - base_path: "" + base_path: ./media_store max_file_size_bytes: 10485760 dynamic_thumbnails: false max_thumbnail_generators: 10 - thumbnail_sizes: [] + thumbnail_sizes: + - width: 32 + height: 32 + method: crop + - width: 96 + height: 96 + method: crop + - width: 640 + height: 480 + method: scale room_server: listen: localhost:7770 bind: localhost:7770 database: connection_string: file:roomserver.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 server_key_api: listen: localhost:7780 bind: localhost:7780 database: connection_string: file:serverkeyapi.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 - key_perspectives: [] + key_perspectives: + - server_name: matrix.org + keys: + - key_id: ed25519:auto + public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw + - key_id: ed25519:a_RXGa + public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ sync_api: listen: localhost:7773 bind: localhost:7773 database: connection_string: file:syncapi.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 user_api: listen: localhost:7781 bind: localhost:7781 account_database: connection_string: file:userapi_accounts.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 device_database: connection_string: file:userapi_devices.db - max_open_conns: 0 - max_idle_conns: 0 + max_open_conns: 100 + max_idle_conns: 2 conn_max_lifetime: -1 tracing: enabled: false @@ -183,7 +197,11 @@ tracing: headers: null baggage_restrictions: null throttler: null -logging: [] +logging: +- type: file + level: info + params: + path: /var/log/dendrite ` type mockReadFile map[string]string