diff --git a/.gitea/workflows/container.yaml b/.gitea/workflows/container.yaml new file mode 100644 index 0000000..e48b3fd --- /dev/null +++ b/.gitea/workflows/container.yaml @@ -0,0 +1,12 @@ +name: Build Multiarch Container Image +on: [push] +jobs: + call-reusable-workflow: + uses: container/multiarch-build-workflow/.gitea/workflows/build.yaml@main + with: + repository: ${{ gitea.repository }} + ref_name: ${{ gitea.ref_name }} + sha: ${{ gitea.sha }} + registry_url: ${{ secrets.REGISTRY_URL }} + registry_user: ${{ secrets.REGISTRY_USER }} + registry_pw: ${{ secrets.REGISTRY_PW }} diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index c32004e..0000000 --- a/.gitlab-ci.yml +++ /dev/null @@ -1,20 +0,0 @@ -variables: - CONTAINER_NAME: thallian/matrix-appservice-telegram - -build: - stage: build - image: - name: gcr.io/kaniko-project/executor:debug - entrypoint: [""] - script: - - mkdir -p /kaniko/.docker - - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(printf "%s:%s" "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json - - >- - /kaniko/executor - --cache=false - --context "$CI_PROJECT_DIR" - --dockerfile "$CI_PROJECT_DIR/Dockerfile" - --destination "$CONTAINER_NAME:$CI_COMMIT_SHA" - --destination "$CONTAINER_NAME:$CI_COMMIT_REF_NAME" - --destination "$CONTAINER_NAME:latest" - diff --git a/Dockerfile b/Containerfile similarity index 75% rename from Dockerfile rename to Containerfile index d7f3961..1b6abae 100644 --- a/Dockerfile +++ b/Containerfile @@ -1,10 +1,8 @@ -FROM docker.io/alpine:3.16 as builder - -ENV VERSION=85b8f5def7a3f40504b8f814437bf7e4507fc3ba +FROM docker.io/alpine:3.20 as builder RUN apk --no-cache add \ sed \ - gcc \ + gcc \ g++ \ git \ musl-dev \ @@ -12,8 +10,51 @@ RUN apk --no-cache add \ python3-dev \ rust \ cargo \ - py3-pip \ + py3-pip \ py3-wheel \ + py3-olm \ + py3-qrcode \ + py3-pillow \ + py3-unpaddedbase64 \ + py3-pycryptodome \ + py3-pyaes \ + py3-rsa \ + py3-cparser \ + py3-cffi \ + py3-decorator \ + py3-tqdm \ + py3-numpy \ + py3-future \ + py3-asn1 \ + py3-magic \ + py3-commonmark \ + py3-yarl \ + py3-mako + +ENV VERSION=f6cb26f7f53089488e085b45add5303fa283dc3e + +RUN git clone https://github.com/mautrix/telegram.git +WORKDIR /telegram +RUN git checkout "$VERSION" +RUN pip3 install --prefix=/install --upgrade -r requirements.txt +RUN pip3 install --prefix=/install --upgrade -r optional-requirements.txt +RUN cp -r mautrix_telegram /install/lib/python3.12/site-packages/ + + +FROM docker.io/thallian/confd-env:3.20-3.1.6.2 + +ENV FFMPEG_BINARY=/usr/bin/ffmpeg + +COPY --from=builder /install /py-pkgs + +RUN addgroup -g 2222 matrix-bridge +RUN adduser -h /var/lib/matrix-bridge -u 2222 -D -G matrix-bridge matrix-bridge + +RUN apk --no-cache add \ + ca-certificates \ + ffmpeg \ + libffi \ + python3 \ py3-brotli \ py3-olm \ py3-qrcode \ @@ -38,53 +79,7 @@ RUN apk --no-cache add \ py3-mako \ py3-setuptools -RUN git clone https://github.com/mautrix/telegram.git -WORKDIR /telegram -RUN git checkout "$VERSION" -RUN pip3 install --prefix=/install --upgrade -r requirements.txt -RUN pip3 install --prefix=/install --upgrade -r optional-requirements.txt -RUN cp -r mautrix_telegram /install/lib/python3.10/site-packages/ - - -FROM docker.io/thallian/confd-env:3.16 - -ENV FFMPEG_BINARY=/usr/bin/ffmpeg - -COPY --from=builder /install /py-pkgs - -RUN addgroup -g 2222 matrix-bridge -RUN adduser -h /var/lib/matrix-bridge -u 2222 -D -G matrix-bridge matrix-bridge - -RUN apk --no-cache add \ - ca-certificates \ - ffmpeg \ - libffi \ - python3 \ - py3-brotli \ - py3-olm \ - py3-qrcode \ - py3-pillow \ - py3-phonenumbers \ - py3-unpaddedbase64 \ - py3-pycryptodome \ - py3-pyaes \ - py3-rsa \ - py3-cparser \ - py3-cffi \ - py3-decorator \ - py3-tqdm \ - py3-numpy \ - py3-future \ - py3-asn1 \ - py3-ruamel.yaml \ - py3-magic \ - py3-commonmark \ - py3-aiohttp \ - py3-yarl \ - py3-mako \ - py3-setuptools - -ENV PYTHONPATH=/usr/lib/python3.10/site-packages:/py-pkgs/lib/python3.10/site-packages/ +ENV PYTHONPATH=/usr/lib/python3.12/site-packages:/py-pkgs/lib/python3.12/site-packages/ WORKDIR /var/lib/matrix-bridge @@ -96,4 +91,3 @@ RUN chown -R matrix-bridge:matrix-bridge /var/lib/matrix-bridge ENV HOME /var/lib/matrix-bridge EXPOSE 8080 - diff --git a/rootfs/etc/confd/templates/config.yaml.tmpl b/rootfs/etc/confd/templates/config.yaml.tmpl index 619052e..9a5fec2 100644 --- a/rootfs/etc/confd/templates/config.yaml.tmpl +++ b/rootfs/etc/confd/templates/config.yaml.tmpl @@ -1,4 +1,3 @@ -# Homeserver details homeserver: # The address that this appservice can use to connect to the homeserver. address: {{ getenv "SERVER_URL" }} @@ -7,7 +6,9 @@ homeserver: # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true - asmux: false + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard # Number of retries for all HTTP requests if the homeserver isn't reachable. http_retry_count: 4 # The URL to push real-time bridge status to. @@ -24,7 +25,7 @@ homeserver: # Changing these values requires regeneration of the registration. appservice: # The address that the homeserver can use to connect to this appservice. - address: http://localhost:29317 + address: http://{{getenv "HOSTNAME"}}:29317 # When using https:// the TLS certificate and key files for the address. tls_cert: false tls_key: false @@ -38,13 +39,14 @@ appservice: # The full URI to the database. SQLite and Postgres are supported. # Format examples: - # SQLite: sqlite:///filename.db + # SQLite: sqlite:filename.db # Postgres: postgres://username:password@hostname/dbname database: {{ getenv "DATABASE_DATASOURCE"}} # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. + # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs). database_opts: min_size: 1 max_size: 10 @@ -59,7 +61,7 @@ appservice: prefix: /public # The base URL where the public-facing endpoints are available. The prefix is not added # implicitly. - external: {{ getenv "SERVER_URL_PUBLIC" }} + external: https://example.com/public # Provisioning API part of the web server for automated portal creation and fetching information. # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). @@ -75,7 +77,7 @@ appservice: # The unique ID of this appservice. id: telegram # Username of the appservice bot. - bot_username: telegrambot + bot_username: telegram_bot # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Telegram bridge bot @@ -142,6 +144,9 @@ bridge: # as there's no way to determine whether an avatar is removed or just hidden from some users. If # you're on a single-user instance, this should be safe to enable. allow_avatar_remove: false + # Should contact names and profile pictures be allowed? + # This is only safe to enable on single-user instances. + allow_contact_info: false # Maximum number of members to sync per portal when starting up. Other members will be # synced when they send messages. The maximum is 10000, after which the Telegram server @@ -166,7 +171,10 @@ bridge: sync_update_limit: 0 # Number of most recently active dialogs to create portals for when syncing chats. # Set to 0 to remove limit. - sync_create_limit: 30 + sync_create_limit: 15 + # Should all chats be scheduled to be created later? + # This is best used in combination with MSC2716 infinite backfill. + sync_deferred_create_all: false # Whether or not to sync and create portals for direct chats at startup. sync_direct_chats: false # The maximum number of simultaneous Telegram deletions to handle. @@ -213,6 +221,11 @@ bridge: image_as_file_size: 10 # Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 4096x4096 = 16777216. image_as_file_pixels: 16777216 + # Maximum size of Telegram documents before linking to Telegrm instead of bridge + # to Matrix media. + document_as_link_size: + channel: + bot: # Enable experimental parallel file transfer, which makes uploads/downloads much faster by # streaming from/to Matrix and using many connections for Telegram. # Note that generating HQ thumbnails for videos is not possible with streamed transfers. @@ -221,6 +234,9 @@ bridge: # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. federate_rooms: true + # Should the bridge send all unicode reactions as custom emoji reactions to Telegram? + # By default, the bridge only uses custom emojis for unicode emojis that aren't allowed in reactions. + always_custom_emoji_reaction: false # Settings for converting animated stickers. animated_sticker: # Format to which animated stickers should be converted. @@ -255,11 +271,34 @@ bridge: # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. default: true + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false # Require encryption, drop any unencrypted messages. require: false # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. - allow_key_sharing: false + allow_key_sharing: true + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: false + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: false + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: false + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false # What level of device verification should be required from users? # # Valid levels: @@ -295,14 +334,27 @@ bridge: # default. messages: 100 - # Whether or not to explicitly set the avatar and room name for private - # chat portal rooms. This will be implicitly enabled if encryption.default is true. - private_chat_portal_meta: false + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Disable generating reply fallbacks? Some extremely bad clients still rely on them, + # but they're being phased out and will be completely removed in the future. + disable_reply_fallbacks: false + # Should cross-chat replies from Telegram be bridged? Most servers and clients don't support this. + cross_room_replies: false # Whether or not the bridge should send a read receipt from the bridge bot when a message has # been sent to Telegram. delivery_receipts: false # Whether or not delivery errors should be reported as messages in the Matrix room. delivery_error_reports: false + # Should errors in incoming message handling send a message to the Matrix room? + incoming_bridge_error_reports: false # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. message_status_events: false # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. @@ -329,34 +381,55 @@ bridge: create_group_on_invite: true # Settings for backfilling messages from Telegram. backfill: - # Whether or not the Telegram ghosts of logged in Matrix users should be - # invited to private chats when backfilling history from Telegram. This is - # usually needed to prevent rate limits and to allow timestamp massaging. - invite_own_puppet: true - # Maximum number of messages to backfill without using a takeout. - # The first time a takeout is used, the user has to manually approve it from a different - # device. If initial_limit or missed_limit are higher than this value, the bridge will ask - # the user to accept the takeout after logging in before syncing any chats. - takeout_limit: 100 - # Maximum number of messages to backfill initially. - # Set to 0 to disable backfilling when creating portal, or -1 to disable the limit. - # - # N.B. Initial backfill will only start after member sync. Make sure your - # max_initial_member_sync is set to a low enough value so it doesn't take forever. - initial_limit: 0 - # Maximum number of messages to backfill if messages were missed while the bridge was - # disconnected. Note that this only works for logged in users and only if the chat isn't - # older than sync_update_limit - # Set to 0 to disable backfilling missed messages. - missed_limit: 50 - # If using double puppeting, should notifications be disabled - # while the initial backfill is in progress? - disable_notifications: false + # Allow backfilling at all? + enable: true # Whether or not to enable backfilling in normal groups. # Normal groups have numerous technical problems in Telegram, and backfilling normal groups # will likely cause problems if there are multiple Matrix users in the group. normal_groups: false + # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Telegram. + # Set to -1 to let any chat be unread. + unread_hours_threshold: 720 + + # Forward backfilling limits. + # + # Using a negative initial limit is not recommended, as it would try to backfill everything in a single batch. + forward_limits: + # Number of messages to backfill immediately after creating a portal. + initial: + user: 50 + normal_group: 100 + supergroup: 10 + channel: 10 + # Number of messages to backfill when syncing chats. + sync: + user: 100 + normal_group: 100 + supergroup: 100 + channel: 100 + # Timeout for forward backfills in seconds. If you have a high limit, you'll have to increase this too. + forward_timeout: 900 + + # Settings for incremental backfill of history. These only apply to Beeper, as upstream abandoned MSC2716. + incremental: + # Maximum number of messages to backfill per batch. + messages_per_batch: 100 + # The number of seconds to wait after backfilling the batch of messages. + post_batch_delay: 20 + # The maximum number of batches to backfill per portal, split by the chat type. + # If set to -1, all messages in the chat will eventually be backfilled. + max_batches: + # Direct chats + user: -1 + # Normal groups. Note that the normal_groups option above must be enabled + # for these to be backfilled. + normal_group: -1 + # Supergroups + supergroup: 10 + # Broadcast channels + channel: -1 + # Overrides for base power levels. initial_power_level_overrides: user: {} @@ -416,7 +489,6 @@ bridge: # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and # `filter-mode` management commands. # - # Filters do not affect direct chats. # An empty blacklist will essentially disable the filter. filter: # Filter mode to use. Either "blacklist" or "whitelist". @@ -425,6 +497,11 @@ bridge: mode: blacklist # The list of group/channel IDs to filter. list: [] + # How to handle direct chats: + # If users is "null", direct chats will follow the previous settings. + # If users is "true", direct chats will always be bridged. + # If users is "false", direct chats will never be bridged. + users: true # The prefix for commands. Only required in non-management rooms. command_prefix: "!tg" @@ -524,6 +601,8 @@ telegram: # is not recommended, since some requests can always trigger a call fail (such as searching # for messages). request_retries: 5 + # Use IPv6 for Telethon connection + use_ipv6: false # Device info sent to Telegram. device_info: