Newer
Older
# Endpoint URL that Draupnir uses to interact with the matrix homeserver (client-server API),
# set this to the pantalaimon URL if you're using that.
homeserverUrl: "http://127.0.0.1:8009"
# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
rawHomeserverUrl: "http://127.0.0.1:8008"
# Matrix Access Token to use, Draupnir will only use this if pantalaimon.use is false.
# This option can be loaded from a file by passing "--access-token-path <path>" at the command line,
# which would allow using secret management systems such as systemd's service credentials.
accessToken: ""
# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
# Whether or not Draupnir will use pantalaimon to access the matrix homeserver,
# set to `true` if you're using pantalaimon.
#
# Be sure to point homeserverUrl to the pantalaimon instance.
#
# Draupnir will log in using the given username and password once,
# then store the resulting access token in a file under dataPath.
use: true
# The username to login with.
username: mjolnir
# The password Draupnir will login with.
#
# After successfully logging in once, this will be ignored, so this value can be blanked after first startup.
# This option can be loaded from a file by passing "--pantalaimon-password-path <path>" at the command line,
# which would allow using secret management systems such as systemd's service credentials.
password: "{{ vault_matrix_secrets.mjolnir_user_password }}"
# Experimental usage of the matrix-bot-sdk rust crypto.
# This can not be used with Pantalaimon.
# Make sure to setup the bot as if you are not using pantalaimon for this.
#
# Warning: At this time this is not considered production safe.
experimentalRustCrypto: false
# The path Draupnir will store its state/data in, leave default ("/data/storage") when using containers.
dataPath: "/var/lib/synapse/draupnir-data"
# If true (the default), Draupnir will only accept invites from users present in managementRoom.
autojoinOnlyIfManager: true
# If `autojoinOnlyIfManager` is false, only the members in this space can invite
# the bot to new rooms.
acceptInvitesFromSpace: "!example:example.org"
# Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
recordIgnoredInvites: true
# The room ID (or room alias) of the management room, anyone in this room can issue commands to Draupnir.
# Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
# This should be a room alias or room ID - not a matrix.to URL.
# Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
# (see verboseLogging to adjust this a bit.)
managementRoom: "#mjolnir:{{ matrix_server_name }}"
# Deprecated and will be removed in a future version.
# Running with verboseLogging is unsupported.
# Whether Draupnir should log a lot more messages in the room,
# mainly involves "all-OK" messages, and debugging messages for when draupnir checks bans in a room.
verboseLogging: false
# The log level of terminal (or container) output,
# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
#
# This should be at INFO or DEBUG in order to get support for Draupnir problems.
logLevel: "INFO"
# Whether or not Draupnir should synchronize policy lists immediately after startup.
# Equivalent to running '!draupnir sync'.
syncOnStartup: true
# Whether or not Draupnir should check moderation permissions in all protected rooms on startup.
# Equivalent to running `!draupnir verify`.
verifyPermissionsOnStartup: true
# Whether or not Draupnir should actually apply bans and policy lists,
# turn on to trial some untrusted configuration or lists.
# Whether or not Draupnir should apply `m.room.server_acl` events.
# DO NOT change this to `true` unless you are very confident that you know what you are doing.
disableServerACL: false
# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
#
# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list,
# it will also remove the user's messages automatically.
#
# Typically this is useful to avoid having to give two commands to the bot.
# Advanced: Use asterisks to have the reason match using "globs"
# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting").
#
# See here for more info: https://www.digitalocean.com/community/tools/glob
# Note: Keep in mind that glob is NOT regex!
automaticallyRedactForReasons:
- "spam"
Jan Alexander Steffens (heftig)
committed
- "redact:*"
# Whether or not to add all joined rooms to the "protected rooms" list
# (excluding the management room and watched policy list rooms, see below).
# Note that this effectively makes the protectedRooms and associated commands useless
# for regular rooms.
# Note: the management room is *excluded* from this condition.
# Explicitly add it as a protected room to protect it.
#
# Note: Ban list rooms the bot is watching but didn't create will not be protected.
# Explicitly add these rooms as a protected room list if you want them protected.
protectAllJoinedRooms: false
# Increase this delay to have Draupnir wait longer between two consecutive backgrounded
# operations. The total duration of operations will be longer, but the homeserver won't
# be affected as much. Conversely, decrease this delay to have Draupnir chain operations
# faster. The total duration of operations will generally be shorter, but the performance
# of the homeserver may be more impacted.
backgroundDelayMS: 500
# Server administration commands, these commands will only work if Draupnir is
# a global server administrator, and the bot's server is a Synapse instance.
# Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
# (with enough permissions) to "make" a user an admin.
# This only works if a local user with enough admin permissions is present in the room.
enableMakeRoomAdminCommand: true
# Misc options for command handling and commands
commands:
# Whether or not the `!draupnir` prefix is necessary to submit commands.
#
# If `true`, will allow commands like `!ban`, `!help`, etc.
# Note: Draupnir can also be pinged by display name instead of having to use
# the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
# will address only my_moderator_bot.
allowNoPrefix: true
# Any additional bot prefixes that Draupnir will listen to. i.e. adding `mod` will allow `!mod help`.
additionalPrefixes:
- "draupnir"
- "mjolnir"
# The default reasons to be prompted with if the reason is missing from a ban command.
ban:
defaultReasons:
- "spam"
- "redact:coc"
- "redact:troll"
- "coc"
- "troll"
# Configuration specific to certain toggle-able protections
protections:
# Configuration for the wordlist plugin, which can ban users based if they say certain
# blocked words shortly after joining.
wordlist:
# A list of case-insensitive keywords that the WordList protection will watch for from new users.
#
# WordList will ban users who use these words when first joining a room, so take caution when selecting them.
#
# The word list protection does not support regular expressions at this time.
# The configuration in the past stated support for Regex erroneously.
#
{% for word in vault_matrix_secrets.badwords %}
- {{ word | to_json }}
Jan Alexander Steffens (heftig)
committed
{% endfor %}
# For how long (in minutes) the user is "new" to the WordList plugin.
#
# After this time, the user will no longer be banned for using a word in the above wordlist.
#
# Set to zero to disable the timeout and make users *always* appear "new".
# (users will always be banned if they say a bad word)
minutesBeforeTrusting: 2160
# The room state backing store writes a copy of the room state for all protected
# rooms to the data directory.
# It is recommended to enable this option unless you deploy Draupnir close to the
# homeserver and know that Draupnir is starting up quickly. If your homeserver can
# respond quickly to Draupnir's requests for `/state` then you might not need this option.
roomStateBackingStore:
enabled: true
# Safe mode provides recovery options for some failure modes when Draupnir
# fails to start. For example, if the bot fails to resolve a room alias in
# a watched list, or if the server has parted from a protected room and can't
# find a way back in. Safe mode will provide different options to recover from
# these. Such as unprotecting the room or unwatching the policy list.
# By default Draupnir will boot into safe mode only when the failure mode
# is recoverable.
# It may be desirable to prevent the bot from starting into safe mode if you have
# a pager system when Draupnir is down, as Draupnir could prevent your monitoring
# system from identifying a failure to start.
#safeMode:
# # The option for entering safe mode when Draupnir fails to start up.
# # - "RecoveryOnly" will only start the bot in safe mode when there are recovery options available. This is the default.
# # - "Never" will never start the bot in safe mode when Draupnir fails to start normally.
# # - "Always" will always start the bot in safe mode when Draupnir fails to start normally.
# bootOption: RecoveryOnly
# Options for advanced monitoring of the health of the bot.
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
health:
# healthz options. These options are best for use in container environments
# like Kubernetes to detect how healthy the service is. The bot will report
# that it is unhealthy until it is able to process user requests. Typically
# this means that it'll flag itself as unhealthy for a number of minutes
# before saying "Now monitoring rooms" and flagging itself healthy.
#
# Health is flagged through HTTP status codes, defined below.
healthz:
# Whether the healthz integration should be enabled (default false)
enabled: false
# The port to expose the webserver on. Defaults to 8080.
port: 8080
# The address to listen for requests on. Defaults to all addresses.
address: "0.0.0.0"
# The path to expose the monitoring endpoint at. Defaults to `/healthz`
endpoint: "/healthz"
# The HTTP status code which reports that the bot is healthy/ready to
# process requests. Typically this should not be changed. Defaults to
# 200.
healthyStatus: 200
# The HTTP status code which reports that the bot is not healthy/ready.
# Defaults to 418.
unhealthyStatus: 418
# Sentry options. Sentry is a tool used to receive/collate/triage runtime
# errors and performance issues. Skip this section if you do not wish to use
# Sentry.
sentry:
# The key used to upload Sentry data to the server.
# dsn: "https://XXXXXXXXX@example.com/YYY
# Frequency of performance monitoring.
# A number in [0.0, 1.0], where 0.0 means "don't bother with tracing"
# and 1.0 means "trace performance at every opportunity".
# tracesSampleRate: 0.5
# Options for exposing web APIs.
web:
# Whether to enable web APIs.
# The port to expose the webserver on. Defaults to 8080.
port: 8010
# The address to listen for requests on. Defaults to only the current
# computer.
address: localhost
# Alternative setting to open to the entire web. Be careful,
# as this will increase your security perimeter:
#
# address: "0.0.0.0"
# A web API designed to intercept Matrix API
# POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
# and display readable abuse reports in the moderation room.
#
# If you wish to take advantage of this feature, you will need
# to configure a reverse proxy, see e.g. test/nginx.conf
abuseReporting:
# Whether to enable this feature.
enabled: true
# Whether or not to actively poll synapse for abuse reports, to be used
# instead of intercepting client calls to synapse's abuse endpoint, when that
# isn't possible/practical.
pollReports: false
# Whether or not new reports, received either by webapi or polling,
# should be printed to our managementRoom.
displayReports: true