Expanded documentation

Sangye Ince-Johannsen 2025-04-04 18:14:36 +00:00
parent b073f2a734
commit b5a8dcd220
8 changed files with 371 additions and 124 deletions

202
README.md
View file

@ -1,111 +1,153 @@
# Matrix Registration System
# Sw1tch: Matrix Registration and Admin System for Conduwuit
A FastAPI-based web application that manages Matrix account registration requests for homeservers that do not offer SMTP authentication (like conduwuit). It provides a registration token to users via email, with automatic token rotation and various safety features.
`Sw1tch` is a FastAPI-based web application designed to enhance the `conduwuit` Matrix homeserver by addressing key shortcomings for public deployments. It manages account registration with email-based token requests and provides an admin API by relaying HTTP requests to a Matrix admin room, parsing responses for automation. Currently in use for the [We2.ee](https://we2.ee/about) homeserver at [join.we2.ee](https://join.we2.ee).
Currently in use for the [We2.ee](https://we2.ee/about) homeserver, at [join.we2.ee](https://join.we2.ee)
This project is specifically built around `conduwuit`, an excellent Matrix homeserver that lacks native SMTP authentication and a robust admin API—issues `sw1tch` resolves elegantly.
## Features
- Daily rotating registration tokens
- Daily rotating registration tokens, emailed upon request
- Email-based registration requiring a valid address
- Rate limiting per email address
- Multiple account restrictions
- IP and email address banning
- Username pattern banning with regex support
- IP, email, and regex-based username banning
- Automatic downtime before token rotation
- Gruvbox-themed UI with responsive design
- Admin API via Matrix room message relaying
- Warrant canary generation and posting (work in progress)
- Gruvbox-themed, responsive UI
## Setup
1. Clone the repo:
```bash
git clone https://sij.ai/sij/hand_of_morpheus
cd hand_of_morpheus
```
1. **Clone the Repository**:
```bash
git clone https://sij.ai/sij/hand_of_morpheus
cd hand_of_morpheus
```
2. Install dependencies:
```bash
pip install fastapi uvicorn jinja2 httpx pyyaml python-multipart
```
2. **Install Dependencies**:
```bash
pip install fastapi uvicorn jinja2 httpx pyyaml python-multipart nio requests feedparser urllib3 smtplib
```
3. Configure your settings:
```bash
cp example-config.yaml config.yaml
nano config.yaml
```
3. **Set Up Configuration**:
```bash
cp -r ./sw1tch/example-config ./sw1tch/config
nano sw1tch/config/config.yaml
```
- `config.yaml`: Fill in credentials and options for registration, Matrix admin, canary, and SMTP.
- `conduwuit.env`: Add `conduwuit` settings (see [Conduwuit Config Examples](https://conduwuit.puppyirl.gay/configuration/examples.html)).
- `banned_emails.txt`: Prefilled with disposable email providers linked to spam/abuse.
- `banned_usernames.txt`: Prefilled with regex patterns targeting CSAM-related usernames.
- `banned_ips.txt`: Blank; add IPs to block token requests.
- `attestations.txt`: Generic statements for the warrant canary; customize as needed.
4. Create required files:
```bash
touch banned_ips.txt banned_emails.txt banned_usernames.txt
4. **Add Static Assets**:
```bash
# Add your logo and favicon to the static directory
cp your-logo.png sw1tch/static/logo.png
cp your-favicon.ico sw1tch/static/favicon.ico
```
# Optionally, copy the anti-CSAM example-banned_usernames.txt
cp example-banned_usernames.txt banned_usernames.txt
```
5. **Generate Initial Registration Token**:
```bash
openssl rand -hex 16 > sw1tch/data/.registration_token
```
Add your logo.png to `static/logo.png`
Add favicon.ico to `static/favicon.ico`
6. **Configure `launch.sh`**:
- `launch.sh` manages token rotation, `conduwuit` container updates, and ensures the `sw1tch` service runs:
- Updates the `conduwuit` Docker image from a Nix-built repository.
- Refreshes the registration token and restarts the container.
- Starts or restarts the `sw1tch` FastAPI service.
```bash
nano launch.sh # Adjust paths (e.g., BASE_PATH, REPO_PATH) for your environment
chmod +x launch.sh
```
5. Generate initial registration token:
```bash
openssl rand -hex 16 > .registration_token
```
7. **Set Up Cron Jobs**:
```bash
crontab -e
```
Add:
```bash
# Daily token refresh and container restart at midnight UTC
0 0 * * * cd /home/sij/hand_of_morpheus && ./launch.sh --refresh-token > /home/sij/hand_of_morpheus/logs/token_refresh.log 2>&1
6. Set up token rotation:
```bash
# Copy and configure the token refresh script
cp example-refresh_token.sh refresh_token.sh
nano refresh_token.sh # configure paths for your environment
# Weekly conduwuit update (Sundays at 2 AM UTC)
0 2 * * 0 cd /home/sij/hand_of_morpheus && ./launch.sh --update --force-restart > /home/sij/hand_of_morpheus/logs/update.log 2>&1
# Make it executable
chmod +x refresh_token.sh
# Add to crontab (runs at midnight UTC)
crontab -e
# Add this line:
0 0 * * * /path/to/your/hand_of_morpheus/refresh_token.sh 2>&1
```
## Configuration
The `config.yaml` file supports these options:
```yaml
port: 6626
homeserver: "your.server"
token_reset_time_utc: 0 # 24-hour format (e.g., 0 = 00:00 UTC)
downtime_before_token_reset: 30 # minutes
email_cooldown: 3600 # seconds between requests per email
multiple_users_per_email: false # allow multiple accounts per email?
smtp:
host: "smtp.example.com"
port: 587
username: "your@email.com"
password: "yourpassword"
use_tls: true
```
You can also customize the subject and body of the email that is sent.
# Ensure service runs after reboot
@reboot cd /home/sij/hand_of_morpheus && ./launch.sh > /home/sij/hand_of_morpheus/logs/reboot.log 2>&1
```
## Running the Server
Run manually:
```bash
python registration.py
./launch.sh # --refresh-token, --super-admin, --update, and/or --force-restart
```
Consider running in a `tmux` session, or creating a system service for it.
### launch.sh Command line flags
1. **`--refresh-token`**:
- **Purpose**: Generates a new, random 6-character hexadecimal registration token and writes it to `sw1tch/data/.registration_token`.
- **Behavior**: Overwrites the existing token, logs the new value, and exits on failure (e.g., if the file isnt writable).
- **When to Use**:
- Daily via cron (e.g., at midnight UTC) to rotate tokens as a security measure.
- Manually if you suspect the current token has been compromised.
- **Example**: `./launch.sh --refresh-token`
2. **`--super-admin`**:
- **Purpose**: Generates a random 16-character emergency password for the `@conduit` user in `conduwuit` and passes it to the container via `CONDUWUIT_EMERGENCY_PASSWORD`.
- **Behavior**: Logs the username (`@conduit:we2.ee`) and password, which you can use to log in and regain admin access.
- **When to Use**:
- During initial setup to establish admin access.
- If you lose access to the admin account and need to recover it.
- **Example**: `./launch.sh --super-admin`
3. **`--update`**:
- **Purpose**: Updates the `conduwuit` Docker image by pulling the latest source from `REPO_PATH`, building it with Nix, and tagging it as `conduwuit:custom`.
- **Behavior**: Requires Git and Nix; exits on failure (e.g., if the build fails or no image is produced).
- **When to Use**:
- Weekly via cron to keep `conduwuit` up-to-date with the latest features or fixes.
- Manually when you want to apply a specific update.
- **Example**: `./launch.sh --update`
4. **`--force-restart`**:
- **Purpose**: Forces the `sw1tch` registration service to restart by killing any process on the configured port (from `config.yaml`) and starting a new instance.
- **Behavior**: Removes the PID file, starts `python3 -m sw1tch` detached, and verifies its running; logs errors if it fails to start.
- **When to Use**:
- After updating `sw1tch` code or configuration to ensure changes take effect.
- If the service is unresponsive or stuck.
- Combined with `--update` to refresh everything.
- **Example**: `./launch.sh --force-restart`
### Additional Notes
- **Combination**: Flags can be combined (e.g., `./launch.sh --update --force-restart`) for comprehensive updates.
- **Default Behavior**: Without flags, the script restarts the `conduwuit` container and ensures `sw1tch` is running (no forced restart).
- **Cron Integration**: The comments align with your crontab (daily `--refresh-token`, weekly `--update --force-restart`, reboot startup).
## Security Features
- **IP Banning**: Add IPs to `banned_ips.txt`, one per line
- **Email Banning**: Add emails to `banned_emails.txt`, one per line
- **Username Patterns**: Add regex patterns to `banned_usernames.txt`, one per line; consider including the anti-CSAM entries in `example-banned_usernames.txt` as a starting point
- **Registration Tracking**: All requests are logged to `registrations.json`
- **IP Banning**: Add IPs to `sw1tch/config/banned_ips.txt`.
- **Email Banning**: Add emails to `sw1tch/config/banned_emails.txt`.
- **Username Patterns**: Add regex to `sw1tch/config/banned_usernames.txt`.
- **Registration Tracking**: Logged to `sw1tch/data/registrations.json`.
- **Admin API**: Relays HTTP requests to `#admins` room, parsing responses.
## Security Notes
- Place behind a reverse proxy with HTTPS
- Consider placing the registration token file outside web root
- Regularly backup `registrations.json`
- Monitor logs for abuse patterns
- Use a reverse proxy (e.g., Nginx) with HTTPS.
- Move `.registration_token` outside the web root if exposed.
- Backup `sw1tch/data/registrations.json` regularly.
- Monitor `sw1tch/logs/registration.log` for abuse.
The included `refresh_token.sh` script handles both token rotation and conduwuit container management. Review and adjust its settings before use.
## Warrant Canary
The warrant canary feature (in progress) generates signed statements posted to a Matrix room, using data from RSS feeds and Bitcoin blocks for freshness. Configure in `config.yaml` under `canary`. Current limitations include UI polish and broader testing.
## Conduwuit Integration
`Sw1tch` resolves two `conduwuit` shortcomings:
1. **Email-Based Registration**: Requires a valid email for token requests, enhancing security for public homeservers.
2. **Admin API**: Bridges HTTP requests to Matrix room messages, enabling automation by parsing `@conduit` responses.
Review `launch.sh` for `conduwuit` container management settings.
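Review bot: the token length documented for `--refresh-token` under "launch.sh Command line flags" ("6-character hexadecimal") contradicts setup step 5, which seeds the file with `openssl rand -hex 16` (32 hex characters); six hex digits is only 24 bits of entropy for a value that gates account creation on a public homeserver, so the README and the script should agree on the longer length and step 5 should say so explicitly. In step 2, `smtplib` is part of the Python standard library and `pip install smtplib` will fail, and the Matrix client library is published on PyPI as `matrix-nio` (imported as `nio`), so the install line should read `matrix-nio`. The "Cron Integration" bullet under "Additional Notes" ("The comments align with your crontab") addresses the author rather than a reader and can be dropped, and the `--super-admin` description hard-codes `@conduit:we2.ee` where `@conduit:<your homeserver>` would suit other deployments. Finally, the old "Configuration" section was removed but nothing replaces it, so the new nested `config.yaml` schema (`registration`, `matrix_admin`, `canary`, `email`) is now undocumented in the README.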

111
launch.sh
View file

@ -1,25 +1,25 @@
#!/bin/bash
# File paths
BASE_PATH="/home/sij/hand_of_morpheus/sw1tch"
TOKEN_FILE="$BASE_PATH/data/.registration_token"
LOG_FILE="$BASE_PATH/logs/token_refresh.log"
BACKUP_PATH="/home/sij/conduwuit_backup"
ENV_FILE="$BASE_PATH/config/conduwuit.env"
REPO_PATH="$HOME/workshop/conduwuit"
CONFIG_FILE="$BASE_PATH/config/config.yaml"
# File paths for sw1tch and conduwuit integration
BASE_PATH="/home/sij/hand_of_morpheus/sw1tch" # Base directory for sw1tch package
TOKEN_FILE="$BASE_PATH/data/.registration_token" # File storing the current registration token
LOG_FILE="$BASE_PATH/logs/token_refresh.log" # Log file for token refresh and script actions
BACKUP_PATH="/home/sij/conduwuit_backup" # Directory for conduwuit backups
ENV_FILE="$BASE_PATH/config/conduwuit.env" # Environment file for conduwuit settings
REPO_PATH="$HOME/workshop/conduwuit" # Path to conduwuit source repository
CONFIG_FILE="$BASE_PATH/config/config.yaml" # sw1tch configuration file
# Static container settings
CONTAINER_NAME="conduwuit"
CONTAINER_IMAGE="conduwuit:custom"
# Static container settings for conduwuit
CONTAINER_NAME="conduwuit" # Name of the conduwuit Docker container
CONTAINER_IMAGE="conduwuit:custom" # Custom Docker image tag for conduwuit
# Flags
REFRESH_TOKEN=false
SUPER_ADMIN=false
UPDATE=false
FORCE_RESTART=false
# Flags to control script behavior (default to false)
REFRESH_TOKEN=false # --refresh-token: Generates a new registration token
SUPER_ADMIN=false # --super-admin: Sets an emergency password for @conduit user
UPDATE=false # --update: Pulls and rebuilds the conduwuit Docker image
FORCE_RESTART=false # --force-restart: Forces a restart of the sw1tch service
# Function to log with a timestamp to both file and terminal
# Function to log messages with a timestamp to both file and terminal
log() {
local message="$(date --iso-8601=seconds) $1"
echo "$message" >> "$LOG_FILE"
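Review bot: the script still has no `set -euo pipefail` after the `#!/bin/bash` line, so every later step depends on manual `$?` checks and an unset variable (for example a typo in `BASE_PATH`) silently expands to an empty path; adding it at the top would make the existing error handling consistent. The path block also hard-codes `/home/sij/hand_of_morpheus/sw1tch`, `/home/sij/conduwuit_backup` and `$HOME/workshop/conduwuit`, which the README tells users to edit by hand; deriving `BASE_PATH` from the script's own location (`$(dirname "$(readlink -f "$0")")/sw1tch`) would remove most of that editing.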
@ -27,8 +27,10 @@ log() {
}
# Function to refresh the registration token
# Triggered by --refresh-token flag
# Generates a new 6-character hex token and writes it to TOKEN_FILE
refresh_token() {
NEW_TOKEN=$(openssl rand -hex 3)
NEW_TOKEN=$(openssl rand -hex 3) # Short token for simplicity
echo -n "$NEW_TOKEN" > "$TOKEN_FILE"
if [ $? -ne 0 ]; then
log "ERROR: Failed to write new token to $TOKEN_FILE"
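Review bot: `openssl rand -hex 3` with the comment "Short token for simplicity" produces only 24 bits of entropy, and it disagrees with the README's setup step, which seeds the same file with `openssl rand -hex 16`; use the longer length here as well, since conduwuit accepts this value as its registration token on a public endpoint. Because `echo -n "$NEW_TOKEN" > "$TOKEN_FILE"` creates the file under the default umask, consider setting the file mode explicitly so only the service user and the container bind mount can read it.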
@ -37,31 +39,28 @@ refresh_token() {
log "Generated new registration token: $NEW_TOKEN"
}
# Function to update the Docker image
# Function to update the conduwuit Docker image
# Triggered by --update flag
# Pulls latest conduwuit source, builds it with Nix, and tags the Docker image
update_docker_image() {
log "Updating Conduwuit Docker image..."
cd "$REPO_PATH" || {
log "ERROR: Failed to cd into $REPO_PATH"
exit 1
}
git pull origin main || {
log "ERROR: git pull failed"
exit 1
}
nix build -L --extra-experimental-features "nix-command flakes" .#oci-image-x86_64-linux-musl-all-features || {
log "ERROR: nix build failed"
exit 1
}
IMAGE_TAR_PATH=$(readlink -f result)
if [ ! -f "$IMAGE_TAR_PATH" ]; then
log "ERROR: No image tarball found at $IMAGE_TAR_PATH"
exit 1
fi
docker load < "$IMAGE_TAR_PATH" | awk '/Loaded image:/ { print $3 }' | xargs -I {} docker tag {} "$CONTAINER_IMAGE"
if [ $? -ne 0 ]; then
log "ERROR: Failed to load and tag Docker image"
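Review bot: `log "Generated new registration token: $NEW_TOKEN"` writes the current token in clear text to `token_refresh.log` on every daily rotation, so anyone who can read the log directory can register accounts; log only that a token was generated. In `update_docker_image`, the `$?` checked after `docker load < ... | awk ... | xargs ... docker tag` is the status of `xargs`, not of `docker load`, so a failed load can pass the check; with `set -o pipefail`, or by capturing the loaded image name into a variable first, the failure would be caught. Also note that `git pull origin main` followed by an automatic weekly build and deployment runs whatever is at the tip of `main` with no tag pinning or signature verification; pinning to a release tag would bound what the cron job can ship.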
@ -70,20 +69,24 @@ update_docker_image() {
log "Docker image tagged as $CONTAINER_IMAGE"
}
# Function to restart the container
# Function to restart the conduwuit container
# Always runs unless script exits earlier
# Stops and removes the existing container, then starts a new one with updated settings
restart_container() {
docker stop "$CONTAINER_NAME" 2>/dev/null
docker rm "$CONTAINER_NAME" 2>/dev/null
docker stop "$CONTAINER_NAME" 2>/dev/null # Silently stop if running
docker rm "$CONTAINER_NAME" 2>/dev/null # Silently remove if exists
# Base Docker command with volume mounts and network settings
DOCKER_CMD=(docker run -d
-v "db:/var/lib/conduwuit/"
-v "${TOKEN_FILE}:/.registration_token:ro"
-v "${BACKUP_PATH}:/backup"
--network host
--name "$CONTAINER_NAME"
--restart unless-stopped
-v "db:/var/lib/conduwuit/" # Persistent conduwuit data
-v "${TOKEN_FILE}:/.registration_token:ro" # Mount token file read-only
-v "${BACKUP_PATH}:/backup" # Backup directory
--network host # Use host networking
--name "$CONTAINER_NAME" # Container name
--restart unless-stopped # Restart policy
)
# Load environment variables from conduwuit.env
if [ -f "$ENV_FILE" ]; then
while IFS='=' read -r key value; do
[[ -z "$key" || "$key" =~ ^# ]] && continue
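Review bot: `--network host` in `DOCKER_CMD` removes Docker's network isolation, so the conduwuit listener (port 8008 per `conduwuit.env`) is reachable on every host interface unless the host firewall blocks it; since the README directs users to front the service with a reverse proxy and HTTPS, either bind the listener to loopback in `conduwuit.env` or drop `--network host` in favour of `-p 127.0.0.1:8008:8008`. The `while IFS='=' read -r key value` loop passes values through verbatim, which is fine for the shipped `conduwuit.env`, but a comment on the `#`-skip line stating that quotes are not stripped would save users from quoting values the way they would in a shell `.env` file.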
@ -99,15 +102,17 @@ restart_container() {
exit 1
fi
# Set detailed logging for debugging
DOCKER_CMD+=(-e RUST_LOG="conduwuit=trace,reqwest=trace,hickory_proto=trace")
# If --super-admin is set, generate and apply an emergency password for @conduit
if [ "$SUPER_ADMIN" = true ]; then
EMERGENCY_PASSWORD=$(openssl rand -hex 8)
EMERGENCY_PASSWORD=$(openssl rand -hex 8) # 16-character hex password
log "Setting emergency password to: $EMERGENCY_PASSWORD"
DOCKER_CMD+=(-e CONDUWUIT_EMERGENCY_PASSWORD="$EMERGENCY_PASSWORD")
fi
DOCKER_CMD+=("$CONTAINER_IMAGE")
DOCKER_CMD+=("$CONTAINER_IMAGE") # Append the image name
log "Docker command: ${DOCKER_CMD[*]}"
"${DOCKER_CMD[@]}"
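Review bot: `log "Setting emergency password to: $EMERGENCY_PASSWORD"` and `log "Docker command: ${DOCKER_CMD[*]}"` both write the emergency password, and the latter every value from `conduwuit.env`, into `token_refresh.log`; log the command with the `-e` values redacted, and print the emergency password to the terminal only. `RUST_LOG="conduwuit=trace,reqwest=trace,hickory_proto=trace"` is also set unconditionally, so the production container runs at trace level, which is noisy and may capture request contents in the container log; make it opt-in via a flag or an entry in `conduwuit.env`.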
@ -119,6 +124,7 @@ restart_container() {
log "Successfully recreated container \"$CONTAINER_NAME\" with image \"$CONTAINER_IMAGE\"."
log " - Configuration loaded from $ENV_FILE"
# Provide login instructions if --super-admin was used
if [ "$SUPER_ADMIN" = true ]; then
log "Use the following credentials to log in as the @conduit server user:"
log " Username: @conduit:we2.ee"
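Review bot: the login hint hard-codes `@conduit:we2.ee`; derive the server name from `CONDUWUIT_SERVER_NAME` in `$ENV_FILE` (or `homeserver` in `$CONFIG_FILE`) so the message is correct for other deployments, and keep the password out of the log file for the same reason given above for the docker command line.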
@ -127,18 +133,21 @@ restart_container() {
fi
}
# Function to ensure the registration service is running
# Function to ensure the sw1tch registration service is running
# Always runs unless script exits earlier
# Checks port, restarts if --force-restart is set, or starts if not running
ensure_registration_service() {
local pid_file="$BASE_PATH/data/registration.pid"
local log_file="$BASE_PATH/logs/registration.log"
touch "$log_file" || { log "ERROR: Cannot write to $log_file"; exit 1; }
chmod 666 "$log_file"
chmod 666 "$log_file" # Ensure log file is writable by all (adjust as needed)
REG_PORT=$(python3 -c "import yaml, sys; print(yaml.safe_load(open('$CONFIG_FILE')).get('port', 8000))")
log "Registration service port from config: $REG_PORT"
if [ "$FORCE_RESTART" = true ]; then
# --force-restart: Kills any process on the port and starts sw1tch anew
log "Force restart requested. Clearing any process listening on port $REG_PORT..."
PIDS=$(lsof -ti tcp:"$REG_PORT")
if [ -n "$PIDS" ]; then
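Review bot: `chmod 666 "$log_file"` makes `registration.log` world-writable, so any local account can append to or truncate the very log the README tells admins to monitor for abuse; `chmod 640` with the service running under a dedicated user is enough. The `python3 -c "... open('$CONFIG_FILE') ..."` call interpolates a shell variable into Python source; it works for the fixed path here, but passing the path through `sys.argv` or an environment variable avoids breaking on a path containing a quote. Note too that the `--force-restart` branch kills whatever `lsof -ti tcp:"$REG_PORT"` returns, not specifically sw1tch, which is worth a line in the README's flag description.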
@ -146,22 +155,23 @@ ensure_registration_service() {
else
log "No process found running on port $REG_PORT"
fi
rm -f "$pid_file"
rm -f "$pid_file" # Clear old PID file
log "Force starting registration service..."
cd "$(dirname "$BASE_PATH")" || { log "ERROR: Cannot cd to $(dirname "$BASE_PATH")"; exit 1; }
log "Running: nohup python3 -m sw1tch >> $log_file 2>&1 &"
nohup python3 -m sw1tch >> "$log_file" 2>&1 &
nohup python3 -m sw1tch >> "$log_file" 2>&1 & # Run detached
NEW_PID=$!
sleep 2
sleep 2 # Wait for process to start
if ps -p "$NEW_PID" > /dev/null; then
echo "$NEW_PID" > "$pid_file"
log "Started registration service with PID $NEW_PID"
sudo lsof -i :"$REG_PORT" || log "WARNING: No process on port $REG_PORT after start"
else
log "ERROR: Process $NEW_PID did not start or exited immediately"
cat "$log_file" >> "$LOG_FILE"
cat "$log_file" >> "$LOG_FILE" # Append service logs for debugging
fi
else
# Normal mode: Start sw1tch only if not already running
EXISTING_PIDS=$(lsof -ti tcp:"$REG_PORT")
if [ -n "$EXISTING_PIDS" ]; then
log "Registration service already running on port $REG_PORT with PID(s): $EXISTING_PIDS"
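Review bot: `sudo lsof -i :"$REG_PORT"` inside a script that cron runs at midnight will hang on a password prompt or fail unless passwordless sudo is configured, and the same function already runs `lsof -ti tcp:"$REG_PORT"` without sudo, so the `sudo` can be dropped. The start check (`sleep 2` then `ps -p "$NEW_PID"`) only confirms the process survived two seconds; checking that the port is actually listening would catch a service that starts and then fails to bind.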
@ -184,20 +194,33 @@ ensure_registration_service() {
fi
}
# Parse command-line flags and execute (unchanged)
# Parse command-line flags to determine script actions
while [[ $# -gt 0 ]]; do
case "$1" in
# --refresh-token: Regenerate the registration token
# Use: When you need a new token (e.g., daily via cron or after a security concern)
--refresh-token) REFRESH_TOKEN=true; shift;;
# --super-admin: Set an emergency password for @conduit user in conduwuit
# Use: For initial setup or if admin access is lost; logs credentials for manual login
--super-admin) SUPER_ADMIN=true; shift;;
# --update: Update the conduwuit Docker image from source
# Use: To apply the latest conduwuit changes (e.g., weekly via cron)
--update) UPDATE=true; shift;;
# --force-restart: Forcefully restart the sw1tch service, killing any existing process
# Use: After updates, config changes, or if the service is unresponsive
--force-restart) FORCE_RESTART=true; shift;;
*) log "ERROR: Unknown option: $1"; echo "Usage: $0 [--refresh-token] [--super-admin] [--update] [--force-restart]"; exit 1;;
esac
done
# Execute functions based on flags (order matters: update image before restarting)
if [ "$UPDATE" = true ]; then update_docker_image; fi
if [ "$REFRESH_TOKEN" = true ]; then refresh_token; fi
restart_container
ensure_registration_service
restart_container # Always restart container to apply token or image changes
ensure_registration_service # Always ensure sw1tch is running
exit 0
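Review bot: the script ends with an unconditional `exit 0`, and the error path in `ensure_registration_service` ("Process $NEW_PID did not start or exited immediately") only logs, so cron and any caller see success even when sw1tch failed to start; track a failure status and exit non-zero at the end. The usage string also lists the four flags but there is no `--help`, which is a small addition now that the flags are documented in the README.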

View file

@ -0,0 +1,4 @@
has not received any National Security Letters or FISA court orders.
has not been subject to any searches or seizures of our servers.
has not been required to modify our systems to facilitate surveillance.
has not received any gag order that restrain our ability to make these declarations truthfully.
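Review bot: the fourth attestation has a grammar error, "gag order that restrain" should read "gag order that restrains". The lines also have no subject, so the canary generator presumably prepends the `organization` value from the `canary` section of `config.yaml`; stating that in the README (or a leading comment, if the file format allows one) would keep user-edited attestations grammatical once the prefix is added.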

View file

@ -0,0 +1,12 @@
*@yopmail.com
*@letterguard.net
*@sharklasers.com
*@msssg.com
*@10mail.org
*@monopolio.net
*@owlny.com
*@aleeas.com
*@passinbox.com
*@polkaroad.net
*@onionmail.org
*@mail2tor.com
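Review bot: the file format is undocumented; the entries use a `*@domain` glob form while the README only says "add emails", so the README should state whether plain addresses, globs or regexes are accepted and whether matching is case-insensitive. The README also describes this list as "disposable email providers linked to spam/abuse", but `*@onionmail.org` and `*@mail2tor.com` are privacy-oriented providers rather than disposable ones; blocking them is a policy choice that should be stated so operators can decide whether to keep those two entries.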

View file

@ -0,0 +1 @@

View file

@ -0,0 +1,5 @@
.*admin.*
.*loli.*
.*shota.*
.*pedo.*
.*pthc.*
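Review bot: `.*admin.*` is an impersonation guard, not a CSAM-related pattern as the README describes this file, so the README wording should cover both purposes. Whether `Admin` or `LOLI` is caught depends on the matching mode, which is not documented; either state that patterns are applied with `re.IGNORECASE`, or prefix each pattern with `(?i)` so the file is self-describing. The leading and trailing `.*` are only needed if the code uses `re.match` or `re.fullmatch`; if it uses `re.search` they can be dropped, and the README should say which.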

View file

@ -0,0 +1,36 @@
# conduwuit.env
CONDUWUIT_SERVER_NAME=we2.ee
CONDUWUIT_DATABASE_PATH=/var/lib/conduwuit/conduwuit.db
CONDUWUIT_DATABASE_BACKEND=rocksdb
CONDUWUIT_DATABASE_BACKUP_PATH=/backup
CONDUWUIT_ALLOW_REGISTRATION=true
CONDUWUIT_REGISTRATION_TOKEN_FILE=/.registration_token
CONDUWUIT_ADDRESS=["0.0.0.0", "::"]
CONDUWUIT_PORT=8008
CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX=
CONDUWUIT_AUTO_JOIN_ROOMS=["#home:we2.ee", "#server:we2.ee", "#pub:we2.ee", "#help:we2.ee"]
CONDUWUIT_DB_CACHE_CAPACITY_MB=1024
CONDUWUIT_DB_WRITE_BUFFER_CAPACITY_MB=256
CONDUWUIT_DB_POOL_WORKERS=64
CONDUWUIT_DB_POOL_WORKERS_LIMIT=128
CONDUWUIT_STREAM_AMPLIFICATION=8192
CONDUWUIT_MAX_REQUEST_SIZE=33554432
CONDUWUIT_CACHE_CAPACITY_MODIFIER=1.5
CONDUWUIT_ALLOW_FEDERATION=true
CONDUWUIT_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION=true
CONDUWUIT_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH=true
CONDUWUIT_WELL_KNOWN_CONN_TIMEOUT=30
CONDUWUIT_FEDERATION_TIMEOUT=60
CONDUWUIT_FEDERATION_IDLE_TIMEOUT=60
CONDUWUIT_SENDER_TIMEOUT=600
CONDUWUIT_SENDER_IDLE_TIMEOUT=300
CONDUWUIT_SENDER_SHUTDOWN_TIMEOUT=30
CONDUWUIT_DNS_CACHE_ENTRIES=0
CONDUWUIT_DNS_MIN_TTL=0
CONDUWUIT_DNS_MIN_TTL_NXDOMAIN=15
CONDUWUIT_DNS_ATTEMPTS=5
CONDUWUIT_DNS_TIMEOUT=5
CONDUWUIT_DNS_TCP_FALLBACK=true
CONDUWUIT_QUERY_ALL_NAMESERVERS=false
CONDUWUIT_QUERY_OVER_TCP_ONLY=false
CONDUWUIT_IP_LOOKUP_STRATEGY=3
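Review bot: this is shipped as an example config yet hard-codes `we2.ee` in `CONDUWUIT_SERVER_NAME` and in all four `CONDUWUIT_AUTO_JOIN_ROOMS` entries; use a placeholder such as `example.com`. `CONDUWUIT_ADDRESS=["0.0.0.0", "::"]` combined with `--network host` in `launch.sh` exposes port 8008 on every host interface; since the README requires a reverse proxy with HTTPS in front, `["127.0.0.1", "::1"]` is the safer default. `CONDUWUIT_REGISTRATION_TOKEN_FILE=/.registration_token` correctly matches the read-only bind mount in `launch.sh`, which is worth a comment here so the two files are not edited out of step.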

View file

@ -0,0 +1,124 @@
# The port on which the registration service will listen
port: 6626
# The domain name of the Matrix homeserver
homeserver: "server.net"
# The base URL for Matrix API endpoints (typically https://<homeserver>)
base_url: "https://server.net"
registration:
# Time (in UTC, HHMM format) when the registration token resets daily
# Example: 2330 means 11:30 PM UTC
token_reset_time_utc: 2330
# Minutes before token reset when registration closes
# Ensures a buffer period; 5 minutes means closure at 23:25 UTC in this case
downtime_before_token_reset: 5
# Cooldown period (in seconds) before an email can request another registration
# 300 seconds = 5 minutes
email_cooldown: 300
# Allow multiple registrations per email address
# Set to false to restrict to one user per email
multiple_users_per_email: true
matrix_admin:
# Matrix user ID of the admin account for managing the server
username: "@admin:server.net"
# Password for the admin Matrix account
# Keep this secure and avoid committing to version control in production
password: "MyAdminPassword"
# Room ID of the admin room where commands are sent and responses received
room: "!123AdminRoom:server.net"
# Matrix user ID of the super admin (e.g., @conduit) that responds to admin commands
super_admin: "@conduit:server.net"
canary:
# Room ID where the warrant canary will be posted
room: "!AnnouncementRoom:server.net"
credentials:
# Matrix user ID for posting the warrant canary
username: "@canary:server.net"
# Password for the canary Matrix account
# Keep secure, similar to matrix_admin password
password: "MyCanaryPassword"
# Name of the organization issuing the warrant canary
organization: "Another Matrix Homeserver"
# Name of the admin signing the canary
admin_name: "Homedog"
# Title of the admin signing the canary
admin_title: "server administrator"
# Path to the file containing canary attestations
# Relative to BASE_DIR (sw1tch/), so this points to sw1tch/config/attestations.txt
attestations: "config/attestations.txt"
# GPG key ID used to sign the warrant canary
# Must match a key in your GPG keyring
gpg_key_id: "123456abcdef"
rss:
# Name of the RSS feed source for datestamp proof
name: "Democracy Now!"
# URL of the RSS feed to fetch the latest headline
url: "https://www.democracynow.org/democracynow.rss"
email:
smtp:
# SMTP server hostname for sending registration emails
host: "mail.server.net"
# SMTP server port (587 is common for TLS)
port: 587
# Username for SMTP authentication
username: "admin@server.net"
# Password for SMTP authentication
# Keep secure and avoid exposing in version control
password: "MySMTPPassword"
# Email address that appears in the "From" field of sent emails
from: "Registration Team <no-reply@server.net>"
# Enable TLS for secure email transmission
# Set to false if your SMTP server doesnt support TLS (rare)
use_tls: true
templates:
registration_token:
# Subject line for registration token emails
# {homeserver} is replaced with the homeserver value above
subject: "{homeserver} registration token"
# Path to the plaintext email template
# Relative to BASE_DIR (sw1tch/), points to sw1tch/templates/emails/registration_token.txt
body: "templates/emails/registration_token.txt"
# Path to the HTML email template
# Relative to BASE_DIR, points to sw1tch/templates/emails/registration_token.html
body_html: "templates/emails/registration_token.html"
deactivation_notice:
# Subject line for account deactivation emails
# {homeserver} is replaced with the homeserver value
subject: "{homeserver} account deactivation notice"
# Path to the plaintext deactivation notice template
# Relative to BASE_DIR, points to sw1tch/templates/emails/account_deactivation.txt
body: "templates/emails/account_deactivation.txt"
# Path to the HTML deactivation notice template
# Relative to BASE_DIR, points to sw1tch/templates/emails/account_deactivation.html
body_html: "templates/emails/account_deactivation.html"
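Review bot: the example sets `multiple_users_per_email: true`, which contradicts the README's "Multiple account restrictions" feature as the default posture; ship `false` and let operators relax it. `token_reset_time_utc` is now an `HHMM` integer (`2330`) where the old README documented a 24-hour hour value (`0`), and since the README's Configuration section was removed in this commit, nothing tells existing users the format changed; document the new nested schema and note the change. The three password fields (`matrix_admin`, `canary.credentials`, `email.smtp`) are stored in plain YAML; the inline comments say to keep them out of version control, but supporting an environment-variable or file reference for each would make that practical, and `sw1tch/config/` should be added to `.gitignore` if it is not already.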