diff --git a/README.md b/README.md index 26cbba4..257138e 100644 --- a/README.md +++ b/README.md 
@@ -1,111 +1,153 @@ -# Matrix Registration System +# Sw1tch: Matrix Registration and Admin System for Conduwuit -A FastAPI-based web application that manages Matrix account registration requests for homeservers that do not offer SMTP authentication (like conduwuit). It provides a registration token to users via email, with automatic token rotation and various safety features. +`Sw1tch` is a FastAPI-based web application designed to enhance the `conduwuit` Matrix homeserver by addressing key shortcomings for public deployments. It manages account registration with email-based token requests and provides an admin API by relaying HTTP requests to a Matrix admin room, parsing responses for automation. Currently in use for the [We2.ee](https://we2.ee/about) homeserver at [join.we2.ee](https://join.we2.ee). -Currently in use for the [We2.ee](https://we2.ee/about) homeserver, at [join.we2.ee](https://join.we2.ee) +This project is specifically built around `conduwuit`, an excellent Matrix homeserver that lacks native SMTP authentication and a robust admin API—issues `sw1tch` resolves elegantly. ## Features -- Daily rotating registration tokens +- Daily rotating registration tokens, emailed upon request +- Email-based registration requiring a valid address - Rate limiting per email address -- Multiple account restrictions -- IP and email address banning -- Username pattern banning with regex support +- IP, email, and regex-based username banning - Automatic downtime before token rotation -- Gruvbox-themed UI with responsive design +- Admin API via Matrix room message relaying +- Warrant canary generation and posting (work in progress) +- Gruvbox-themed, responsive UI ## Setup -1. Clone the repo: -```bash -git clone https://sij.ai/sij/hand_of_morpheus -cd hand_of_morpheus -``` +1. **Clone the Repository**: + ```bash + git clone https://sij.ai/sij/hand_of_morpheus + cd hand_of_morpheus + ``` -2. 
Install dependencies: -```bash -pip install fastapi uvicorn jinja2 httpx pyyaml python-multipart -``` +2. **Install Dependencies**: + ```bash + pip install fastapi uvicorn jinja2 httpx pyyaml python-multipart nio requests feedparser urllib3 smtplib + ``` -3. Configure your settings: -```bash -cp example-config.yaml config.yaml -nano config.yaml -``` +3. **Set Up Configuration**: + ```bash + cp -r ./sw1tch/example-config ./sw1tch/config + nano sw1tch/config/config.yaml + ``` + - `config.yaml`: Fill in credentials and options for registration, Matrix admin, canary, and SMTP. + - `conduwuit.env`: Add `conduwuit` settings (see [Conduwuit Config Examples](https://conduwuit.puppyirl.gay/configuration/examples.html)). + - `banned_emails.txt`: Prefilled with disposable email providers linked to spam/abuse. + - `banned_usernames.txt`: Prefilled with regex patterns targeting CSAM-related usernames. + - `banned_ips.txt`: Blank; add IPs to block token requests. + - `attestations.txt`: Generic statements for the warrant canary; customize as needed. -4. Create required files: -```bash -touch banned_ips.txt banned_emails.txt banned_usernames.txt +4. **Add Static Assets**: + ```bash + # Add your logo and favicon to the static directory + cp your-logo.png sw1tch/static/logo.png + cp your-favicon.ico sw1tch/static/favicon.ico + ``` -# Optionally, copy the anti-CSAM example-banned_usernames.txt -cp example-banned_usernames.txt banned_usernames.txt -``` +5. **Generate Initial Registration Token**: + ```bash + openssl rand -hex 16 > sw1tch/data/.registration_token + ``` -Add your logo.png to `static/logo.png` -Add favicon.ico to `static/favicon.ico` +6. **Configure `launch.sh`**: + - `launch.sh` manages token rotation, `conduwuit` container updates, and ensures the `sw1tch` service runs: + - Updates the `conduwuit` Docker image from a Nix-built repository. + - Refreshes the registration token and restarts the container. + - Starts or restarts the `sw1tch` FastAPI service. 
+ ```bash + nano launch.sh # Adjust paths (e.g., BASE_PATH, REPO_PATH) for your environment + chmod +x launch.sh + ``` -5. Generate initial registration token: -```bash -openssl rand -hex 16 > .registration_token -``` +7. **Set Up Cron Jobs**: + ```bash + crontab -e + ``` + Add: + ```bash + # Daily token refresh and container restart at midnight UTC + 0 0 * * * cd /home/sij/hand_of_morpheus && ./launch.sh --refresh-token > /home/sij/hand_of_morpheus/logs/token_refresh.log 2>&1 -6. Set up token rotation: -```bash -# Copy and configure the token refresh script -cp example-refresh_token.sh refresh_token.sh -nano refresh_token.sh # configure paths for your environment + # Weekly conduwuit update (Sundays at 2 AM UTC) + 0 2 * * 0 cd /home/sij/hand_of_morpheus && ./launch.sh --update --force-restart > /home/sij/hand_of_morpheus/logs/update.log 2>&1 -# Make it executable -chmod +x refresh_token.sh - -# Add to crontab (runs at midnight UTC) -crontab -e -# Add this line: -0 0 * * * /path/to/your/hand_of_morpheus/refresh_token.sh 2>&1 -``` - -## Configuration - -The `config.yaml` file supports these options: - -```yaml -port: 6626 -homeserver: "your.server" -token_reset_time_utc: 0 # 24-hour format (e.g., 0 = 00:00 UTC) -downtime_before_token_reset: 30 # minutes -email_cooldown: 3600 # seconds between requests per email -multiple_users_per_email: false # allow multiple accounts per email? - -smtp: - host: "smtp.example.com" - port: 587 - username: "your@email.com" - password: "yourpassword" - use_tls: true -``` - -You can also customize the subject and body of the email that is sent. + # Ensure service runs after reboot + @reboot cd /home/sij/hand_of_morpheus && ./launch.sh > /home/sij/hand_of_morpheus/logs/reboot.log 2>&1 + ``` ## Running the Server +Run manually: ```bash -python registration.py +./launch.sh # --refresh-token, --super-admin, --update, and/or --force-restart ``` -Consider running in a `tmux` session, or creating a system service for it. 
+### launch.sh Command line flags + +1. **`--refresh-token`**: + - **Purpose**: Generates a new, random 6-character hexadecimal registration token and writes it to `sw1tch/data/.registration_token`. + - **Behavior**: Overwrites the existing token, logs the new value, and exits on failure (e.g., if the file isn’t writable). + - **When to Use**: + - Daily via cron (e.g., at midnight UTC) to rotate tokens as a security measure. + - Manually if you suspect the current token has been compromised. + - **Example**: `./launch.sh --refresh-token` + +2. **`--super-admin`**: + - **Purpose**: Generates a random 16-character emergency password for the `@conduit` user in `conduwuit` and passes it to the container via `CONDUWUIT_EMERGENCY_PASSWORD`. + - **Behavior**: Logs the username (`@conduit:we2.ee`) and password, which you can use to log in and regain admin access. + - **When to Use**: + - During initial setup to establish admin access. + - If you lose access to the admin account and need to recover it. + - **Example**: `./launch.sh --super-admin` + +3. **`--update`**: + - **Purpose**: Updates the `conduwuit` Docker image by pulling the latest source from `REPO_PATH`, building it with Nix, and tagging it as `conduwuit:custom`. + - **Behavior**: Requires Git and Nix; exits on failure (e.g., if the build fails or no image is produced). + - **When to Use**: + - Weekly via cron to keep `conduwuit` up-to-date with the latest features or fixes. + - Manually when you want to apply a specific update. + - **Example**: `./launch.sh --update` + +4. **`--force-restart`**: + - **Purpose**: Forces the `sw1tch` registration service to restart by killing any process on the configured port (from `config.yaml`) and starting a new instance. + - **Behavior**: Removes the PID file, starts `python3 -m sw1tch` detached, and verifies it’s running; logs errors if it fails to start. + - **When to Use**: + - After updating `sw1tch` code or configuration to ensure changes take effect. 
+ - If the service is unresponsive or stuck. + - Combined with `--update` to refresh everything. + - **Example**: `./launch.sh --force-restart` + +### Additional Notes +- **Combination**: Flags can be combined (e.g., `./launch.sh --update --force-restart`) for comprehensive updates. +- **Default Behavior**: Without flags, the script restarts the `conduwuit` container and ensures `sw1tch` is running (no forced restart). +- **Cron Integration**: The comments align with your crontab (daily `--refresh-token`, weekly `--update --force-restart`, reboot startup). ## Security Features -- **IP Banning**: Add IPs to `banned_ips.txt`, one per line -- **Email Banning**: Add emails to `banned_emails.txt`, one per line -- **Username Patterns**: Add regex patterns to `banned_usernames.txt`, one per line; consider including the anti-CSAM entries in `example-banned_usernames.txt` as a starting point -- **Registration Tracking**: All requests are logged to `registrations.json` +- **IP Banning**: Add IPs to `sw1tch/config/banned_ips.txt`. +- **Email Banning**: Add emails to `sw1tch/config/banned_emails.txt`. +- **Username Patterns**: Add regex to `sw1tch/config/banned_usernames.txt`. +- **Registration Tracking**: Logged to `sw1tch/data/registrations.json`. +- **Admin API**: Relays HTTP requests to `#admins` room, parsing responses. ## Security Notes -- Place behind a reverse proxy with HTTPS -- Consider placing the registration token file outside web root -- Regularly backup `registrations.json` -- Monitor logs for abuse patterns +- Use a reverse proxy (e.g., Nginx) with HTTPS. +- Move `.registration_token` outside the web root if exposed. +- Backup `sw1tch/data/registrations.json` regularly. +- Monitor `sw1tch/logs/registration.log` for abuse. -The included `refresh_token.sh` script handles both token rotation and conduwuit container management. Review and adjust its settings before use. 
+## Warrant Canary + +The warrant canary feature (in progress) generates signed statements posted to a Matrix room, using data from RSS feeds and Bitcoin blocks for freshness. Configure in `config.yaml` under `canary`. Current limitations include UI polish and broader testing. + +## Conduwuit Integration + +`Sw1tch` resolves two `conduwuit` shortcomings: +1. **Email-Based Registration**: Requires a valid email for token requests, enhancing security for public homeservers. +2. **Admin API**: Bridges HTTP requests to Matrix room messages, enabling automation by parsing `@conduit` responses. + +Review `launch.sh` for `conduwuit` container management settings. diff --git a/launch.sh b/launch.sh index 756e937..bb6aa47 100755 --- a/launch.sh +++ b/launch.sh 
@@ -1,25 +1,25 @@ #!/bin/bash -# File paths -BASE_PATH="/home/sij/hand_of_morpheus/sw1tch" -TOKEN_FILE="$BASE_PATH/data/.registration_token" -LOG_FILE="$BASE_PATH/logs/token_refresh.log" -BACKUP_PATH="/home/sij/conduwuit_backup" -ENV_FILE="$BASE_PATH/config/conduwuit.env" -REPO_PATH="$HOME/workshop/conduwuit" -CONFIG_FILE="$BASE_PATH/config/config.yaml" +# File paths for sw1tch and conduwuit integration +BASE_PATH="/home/sij/hand_of_morpheus/sw1tch" # Base directory for sw1tch package +TOKEN_FILE="$BASE_PATH/data/.registration_token" # File storing the current registration token +LOG_FILE="$BASE_PATH/logs/token_refresh.log" # Log file for token refresh and script actions +BACKUP_PATH="/home/sij/conduwuit_backup" # Directory for conduwuit backups +ENV_FILE="$BASE_PATH/config/conduwuit.env" # Environment file for conduwuit settings +REPO_PATH="$HOME/workshop/conduwuit" # Path to conduwuit source repository +CONFIG_FILE="$BASE_PATH/config/config.yaml" # sw1tch configuration file -# Static container settings -CONTAINER_NAME="conduwuit" -CONTAINER_IMAGE="conduwuit:custom" +# Static container settings for conduwuit +CONTAINER_NAME="conduwuit" # Name of the conduwuit Docker container +CONTAINER_IMAGE="conduwuit:custom" # Custom Docker image tag for conduwuit -# Flags -REFRESH_TOKEN=false -SUPER_ADMIN=false -UPDATE=false -FORCE_RESTART=false +# Flags to control script behavior (default to false) +REFRESH_TOKEN=false # --refresh-token: Generates a new registration token +SUPER_ADMIN=false # --super-admin: Sets an emergency password for @conduit user +UPDATE=false # --update: Pulls and rebuilds the conduwuit Docker image +FORCE_RESTART=false # --force-restart: Forces a restart of the sw1tch service -# Function to log with a timestamp to both file and terminal +# Function to log messages with a timestamp to both file and terminal log() { local message="$(date --iso-8601=seconds) $1" echo "$message" >> "$LOG_FILE" 
@@ -27,8 +27,10 @@ log() { } # Function to refresh the registration token +# Triggered by --refresh-token flag +# Generates a new 6-character hex token and writes it to TOKEN_FILE refresh_token() { - NEW_TOKEN=$(openssl rand -hex 3) + NEW_TOKEN=$(openssl rand -hex 3) # Short token for simplicity echo -n "$NEW_TOKEN" > "$TOKEN_FILE" if [ $? -ne 0 ]; then log "ERROR: Failed to write new token to $TOKEN_FILE" @@ -37,31 +39,28 @@ refresh_token() { log "Generated new registration token: $NEW_TOKEN" } -# Function to update the Docker image +# Function to update the conduwuit Docker image +# Triggered by --update flag +# Pulls latest conduwuit source, builds it with Nix, and tags the Docker image update_docker_image() { log "Updating Conduwuit Docker image..." - cd "$REPO_PATH" || { log "ERROR: Failed to cd into $REPO_PATH" exit 1 } - git pull origin main || { log "ERROR: git pull failed" exit 1 } - nix build -L --extra-experimental-features "nix-command flakes" .#oci-image-x86_64-linux-musl-all-features || { log "ERROR: nix build failed" exit 1 } - IMAGE_TAR_PATH=$(readlink -f result) if [ ! -f "$IMAGE_TAR_PATH" ]; then log "ERROR: No image tarball found at $IMAGE_TAR_PATH" exit 1 fi - docker load < "$IMAGE_TAR_PATH" | awk '/Loaded image:/ { print $3 }' | xargs -I {} docker tag {} "$CONTAINER_IMAGE" if [ $? -ne 0 ]; then log "ERROR: Failed to load and tag Docker image" 
@@ -70,20 +69,24 @@ update_docker_image() { log "Docker image tagged as $CONTAINER_IMAGE" } -# Function to restart the container +# Function to restart the conduwuit container +# Always runs unless script exits earlier +# Stops and removes the existing container, then starts a new one with updated settings restart_container() { - docker stop "$CONTAINER_NAME" 2>/dev/null - docker rm "$CONTAINER_NAME" 2>/dev/null + docker stop "$CONTAINER_NAME" 2>/dev/null # Silently stop if running + docker rm "$CONTAINER_NAME" 2>/dev/null # Silently remove if exists + # Base Docker command with volume mounts and network settings DOCKER_CMD=(docker run -d - -v "db:/var/lib/conduwuit/" - -v "${TOKEN_FILE}:/.registration_token:ro" - -v "${BACKUP_PATH}:/backup" - --network host - --name "$CONTAINER_NAME" - --restart unless-stopped + -v "db:/var/lib/conduwuit/" # Persistent conduwuit data + -v "${TOKEN_FILE}:/.registration_token:ro" # Mount token file read-only + -v "${BACKUP_PATH}:/backup" # Backup directory + --network host # Use host networking + --name "$CONTAINER_NAME" # Container name + --restart unless-stopped # Restart policy ) + # Load environment variables from conduwuit.env if [ -f "$ENV_FILE" ]; then while IFS='=' read -r key value; do [[ -z "$key" || "$key" =~ ^# ]] && continue @@ -99,15 +102,17 @@ restart_container() { exit 1 fi + # Set detailed logging for debugging DOCKER_CMD+=(-e RUST_LOG="conduwuit=trace,reqwest=trace,hickory_proto=trace") + # If --super-admin is set, generate and apply an emergency password for @conduit if [ "$SUPER_ADMIN" = true ]; then - EMERGENCY_PASSWORD=$(openssl rand -hex 8) + EMERGENCY_PASSWORD=$(openssl rand -hex 8) # 16-character hex password log "Setting emergency password to: $EMERGENCY_PASSWORD" DOCKER_CMD+=(-e CONDUWUIT_EMERGENCY_PASSWORD="$EMERGENCY_PASSWORD") fi - DOCKER_CMD+=("$CONTAINER_IMAGE") + DOCKER_CMD+=("$CONTAINER_IMAGE") # Append the image name log "Docker command: ${DOCKER_CMD[*]}" "${DOCKER_CMD[@]}" 
@@ -119,6 +124,7 @@ restart_container() { log "Successfully recreated container \"$CONTAINER_NAME\" with image \"$CONTAINER_IMAGE\"." log " - Configuration loaded from $ENV_FILE" + # Provide login instructions if --super-admin was used if [ "$SUPER_ADMIN" = true ]; then log "Use the following credentials to log in as the @conduit server user:" log " Username: @conduit:we2.ee" @@ -127,18 +133,21 @@ restart_container() { fi } -# Function to ensure the registration service is running +# Function to ensure the sw1tch registration service is running +# Always runs unless script exits earlier +# Checks port, restarts if --force-restart is set, or starts if not running ensure_registration_service() { local pid_file="$BASE_PATH/data/registration.pid" local log_file="$BASE_PATH/logs/registration.log" touch "$log_file" || { log "ERROR: Cannot write to $log_file"; exit 1; } - chmod 666 "$log_file" + chmod 666 "$log_file" # Ensure log file is writable by all (adjust as needed) REG_PORT=$(python3 -c "import yaml, sys; print(yaml.safe_load(open('$CONFIG_FILE')).get('port', 8000))") log "Registration service port from config: $REG_PORT" if [ "$FORCE_RESTART" = true ]; then + # --force-restart: Kills any process on the port and starts sw1tch anew log "Force restart requested. Clearing any process listening on port $REG_PORT..." PIDS=$(lsof -ti tcp:"$REG_PORT") if [ -n "$PIDS" ]; then 
@@ -146,22 +155,23 @@ ensure_registration_service() { else log "No process found running on port $REG_PORT" fi - rm -f "$pid_file" + rm -f "$pid_file" # Clear old PID file log "Force starting registration service..." cd "$(dirname "$BASE_PATH")" || { log "ERROR: Cannot cd to $(dirname "$BASE_PATH")"; exit 1; } log "Running: nohup python3 -m sw1tch >> $log_file 2>&1 &" - nohup python3 -m sw1tch >> "$log_file" 2>&1 & + nohup python3 -m sw1tch >> "$log_file" 2>&1 & # Run detached NEW_PID=$! - sleep 2 + sleep 2 # Wait for process to start if ps -p "$NEW_PID" > /dev/null; then echo "$NEW_PID" > "$pid_file" log "Started registration service with PID $NEW_PID" sudo lsof -i :"$REG_PORT" || log "WARNING: No process on port $REG_PORT after start" else log "ERROR: Process $NEW_PID did not start or exited immediately" - cat "$log_file" >> "$LOG_FILE" + cat "$log_file" >> "$LOG_FILE" # Append service logs for debugging fi else + # Normal mode: Start sw1tch only if not already running EXISTING_PIDS=$(lsof -ti tcp:"$REG_PORT") if [ -n "$EXISTING_PIDS" ]; then log "Registration service already running on port $REG_PORT with PID(s): $EXISTING_PIDS" 
@@ -184,20 +194,33 @@ ensure_registration_service() { fi } -# Parse command-line flags and execute (unchanged) +# Parse command-line flags to determine script actions while [[ $# -gt 0 ]]; do case "$1" in + # --refresh-token: Regenerate the registration token + # Use: When you need a new token (e.g., daily via cron or after a security concern) --refresh-token) REFRESH_TOKEN=true; shift;; + + # --super-admin: Set an emergency password for @conduit user in conduwuit + # Use: For initial setup or if admin access is lost; logs credentials for manual login --super-admin) SUPER_ADMIN=true; shift;; + + # --update: Update the conduwuit Docker image from source + # Use: To apply the latest conduwuit changes (e.g., weekly via cron) --update) UPDATE=true; shift;; + + # --force-restart: Forcefully restart the sw1tch service, killing any existing process + # Use: After updates, config changes, or if the service is unresponsive --force-restart) FORCE_RESTART=true; shift;; + *) log "ERROR: Unknown option: $1"; echo "Usage: $0 [--refresh-token] [--super-admin] [--update] [--force-restart]"; exit 1;; esac done +# Execute functions based on flags (order matters: update image before restarting) if [ "$UPDATE" = true ]; then update_docker_image; fi if [ "$REFRESH_TOKEN" = true ]; then refresh_token; fi -restart_container -ensure_registration_service +restart_container # Always restart container to apply token or image changes +ensure_registration_service # Always ensure sw1tch is running exit 0 diff --git a/sw1tch/example-config/attestations.txt b/sw1tch/example-config/attestations.txt new file mode 100644 index 0000000..3ea052a --- /dev/null +++ b/sw1tch/example-config/attestations.txt 
@@ -0,0 +1,4 @@ +has not received any National Security Letters or FISA court orders. +has not been subject to any searches or seizures of our servers. +has not been required to modify our systems to facilitate surveillance. +has not received any gag order that restrain our ability to make these declarations truthfully. diff --git a/sw1tch/example-config/banned_emails.txt b/sw1tch/example-config/banned_emails.txt new file mode 100644 index 0000000..71dfbca --- /dev/null +++ b/sw1tch/example-config/banned_emails.txt @@ -0,0 +1,12 @@ +*@yopmail.com +*@letterguard.net +*@sharklasers.com +*@msssg.com +*@10mail.org +*@monopolio.net +*@owlny.com +*@aleeas.com +*@passinbox.com +*@polkaroad.net +*@onionmail.org +*@mail2tor.com diff --git a/sw1tch/example-config/banned_ips.txt b/sw1tch/example-config/banned_ips.txt new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/sw1tch/example-config/banned_ips.txt @@ -0,0 +1 @@ + diff --git a/sw1tch/example-config/banned_usernames.txt b/sw1tch/example-config/banned_usernames.txt new file mode 100644 index 0000000..a2a5cb3 --- /dev/null +++ b/sw1tch/example-config/banned_usernames.txt @@ -0,0 +1,5 @@ +.*admin.* +.*loli.* +.*shota.* +.*pedo.* +.*pthc.* diff --git a/sw1tch/example-config/conduwuit.env b/sw1tch/example-config/conduwuit.env new file mode 100644 index 0000000..711e624 --- /dev/null +++ b/sw1tch/example-config/conduwuit.env 
@@ -0,0 +1,36 @@ +# conduwuit.env +CONDUWUIT_SERVER_NAME=we2.ee +CONDUWUIT_DATABASE_PATH=/var/lib/conduwuit/conduwuit.db +CONDUWUIT_DATABASE_BACKEND=rocksdb +CONDUWUIT_DATABASE_BACKUP_PATH=/backup +CONDUWUIT_ALLOW_REGISTRATION=true +CONDUWUIT_REGISTRATION_TOKEN_FILE=/.registration_token +CONDUWUIT_ADDRESS=["0.0.0.0", "::"] +CONDUWUIT_PORT=8008 +CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX= +CONDUWUIT_AUTO_JOIN_ROOMS=["#home:we2.ee", "#server:we2.ee", "#pub:we2.ee", "#help:we2.ee"] +CONDUWUIT_DB_CACHE_CAPACITY_MB=1024 +CONDUWUIT_DB_WRITE_BUFFER_CAPACITY_MB=256 +CONDUWUIT_DB_POOL_WORKERS=64 +CONDUWUIT_DB_POOL_WORKERS_LIMIT=128 +CONDUWUIT_STREAM_AMPLIFICATION=8192 +CONDUWUIT_MAX_REQUEST_SIZE=33554432 +CONDUWUIT_CACHE_CAPACITY_MODIFIER=1.5 +CONDUWUIT_ALLOW_FEDERATION=true +CONDUWUIT_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION=true +CONDUWUIT_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH=true +CONDUWUIT_WELL_KNOWN_CONN_TIMEOUT=30 +CONDUWUIT_FEDERATION_TIMEOUT=60 +CONDUWUIT_FEDERATION_IDLE_TIMEOUT=60 +CONDUWUIT_SENDER_TIMEOUT=600 +CONDUWUIT_SENDER_IDLE_TIMEOUT=300 +CONDUWUIT_SENDER_SHUTDOWN_TIMEOUT=30 +CONDUWUIT_DNS_CACHE_ENTRIES=0 +CONDUWUIT_DNS_MIN_TTL=0 +CONDUWUIT_DNS_MIN_TTL_NXDOMAIN=15 +CONDUWUIT_DNS_ATTEMPTS=5 +CONDUWUIT_DNS_TIMEOUT=5 +CONDUWUIT_DNS_TCP_FALLBACK=true +CONDUWUIT_QUERY_ALL_NAMESERVERS=false +CONDUWUIT_QUERY_OVER_TCP_ONLY=false +CONDUWUIT_IP_LOOKUP_STRATEGY=3 diff --git a/sw1tch/example-config/config.yaml b/sw1tch/example-config/config.yaml new file mode 100644 index 0000000..065647a --- /dev/null +++ b/sw1tch/example-config/config.yaml 
@@ -0,0 +1,124 @@ +# The port on which the registration service will listen +port: 6626 + +# The domain name of the Matrix homeserver +homeserver: "server.net" + +# The base URL for Matrix API endpoints (typically https://<homeserver>) +base_url: "https://server.net" + +registration: + # Time (in UTC, HHMM format) when the registration token resets daily + # Example: 2330 means 11:30 PM UTC + token_reset_time_utc: 2330 + + # Minutes before token reset when registration closes + # Ensures a buffer period; 5 minutes means closure at 23:25 UTC in this case + downtime_before_token_reset: 5 + + # Cooldown period (in seconds) before an email can request another registration + # 300 seconds = 5 minutes + email_cooldown: 300 + + # Allow multiple registrations per email address + # Set to false to restrict to one user per email + multiple_users_per_email: true + +matrix_admin: + # Matrix user ID of the admin account for managing the server + username: "@admin:server.net" + + # Password for the admin Matrix account + # Keep this secure and avoid committing to version control in production + password: "MyAdminPassword" + + # Room ID of the admin room where commands are sent and responses received + room: "!123AdminRoom:server.net" + + # Matrix user ID of the super admin (e.g., @conduit) that responds to admin commands + super_admin: "@conduit:server.net" + +canary: + # Room ID where the warrant canary will be posted + room: "!AnnouncementRoom:server.net" + + credentials: + # Matrix user ID for posting the warrant canary + username: "@canary:server.net" + + # Password for the canary Matrix account + # Keep secure, similar to matrix_admin password + password: "MyCanaryPassword" + + # Name of the organization issuing the warrant canary + organization: "Another Matrix Homeserver" + + # Name of the admin signing the canary + admin_name: "Homedog" + + # Title of the admin signing the canary + admin_title: "server administrator" + + # Path to the file containing canary attestations 
+ # Relative to BASE_DIR (sw1tch/), so this points to sw1tch/config/attestations.txt + attestations: "config/attestations.txt" + + # GPG key ID used to sign the warrant canary + # Must match a key in your GPG keyring + gpg_key_id: "123456abcdef" + + rss: + # Name of the RSS feed source for datestamp proof + name: "Democracy Now!" + + # URL of the RSS feed to fetch the latest headline + url: "https://www.democracynow.org/democracynow.rss" + +email: + smtp: + # SMTP server hostname for sending registration emails + host: "mail.server.net" + + # SMTP server port (587 is common for TLS) + port: 587 + + # Username for SMTP authentication + username: "admin@server.net" + + # Password for SMTP authentication + # Keep secure and avoid exposing in version control + password: "MySMTPPassword" + + # Email address that appears in the "From" field of sent emails + from: "Registration Team <no-reply@server.net>" + + # Enable TLS for secure email transmission + # Set to false if your SMTP server doesn’t support TLS (rare) + use_tls: true + + templates: + registration_token: + # Subject line for registration token emails + # {homeserver} is replaced with the homeserver value above + subject: "{homeserver} registration token" + + # Path to the plaintext email template + # Relative to BASE_DIR (sw1tch/), points to sw1tch/templates/emails/registration_token.txt + body: "templates/emails/registration_token.txt" + + # Path to the HTML email template + # Relative to BASE_DIR, points to sw1tch/templates/emails/registration_token.html + body_html: "templates/emails/registration_token.html" + + deactivation_notice: + # Subject line for account deactivation emails + # {homeserver} is replaced with the homeserver value + subject: "{homeserver} account deactivation notice" + + # Path to the plaintext deactivation notice template + # Relative to BASE_DIR, points to sw1tch/templates/emails/account_deactivation.txt + body: "templates/emails/account_deactivation.txt" + + # Path to the HTML 
deactivation notice template + # Relative to BASE_DIR, points to sw1tch/templates/emails/account_deactivation.html + body_html: "templates/emails/account_deactivation.html"
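Review bot: In the README hunk (@@ -1,111), the new install line `pip install ... nio requests feedparser urllib3 smtplib` will not work as written: `smtplib` is part of the Python standard library and has no PyPI distribution, so pip aborts the whole command, and the PyPI project named `nio` is not the Matrix client library; the package that provides the `nio` module is `matrix-nio`. Suggest shipping a `requirements.txt` and pinning versions there. Two documentation inconsistencies in the same hunk: setup step 5 seeds the token with `openssl rand -hex 16` while the `--refresh-token` section says the script "Generates a new, random 6-character hexadecimal registration token", so the documented token length changes after the first cron run; and "Cron Integration: The comments align with your crontab" reads as a leftover second-person aside and should be rewritten as plain documentation.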
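Review bot: In the launch.sh hunk @@ -27,8 the registration token is still `openssl rand -hex 3` ("Short token for simplicity"), which is 6 hex characters, i.e. 24 bits, about 16.7 million possibilities, and the same value is accepted by conduwuit for a full day via `CONDUWUIT_REGISTRATION_TOKEN_FILE`. Nothing in the flow needs it to be short: the token is only ever delivered by email after sw1tch's own checks, so `-hex 16`, as the README's setup step already uses, costs nothing. Also `log "Generated new registration token: $NEW_TOKEN"` writes the current secret into `token_refresh.log`; log that a rotation happened, not the value.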
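Review bot: In the launch.sh hunk @@ -37,31 the pipeline `docker load < "$IMAGE_TAR_PATH" | awk '/Loaded image:/ ...' | xargs -I {} docker tag {} "$CONTAINER_IMAGE"` is followed by `if [ $? -ne 0 ]`, but `$?` there is only the status of `xargs`; a failed `docker load` produces no "Loaded image:" line, `xargs` runs nothing, and the script continues to "Docker image tagged as" without an image. Either add `set -o pipefail` at the top of the script or capture `docker load` output first and check its exit status. Separately, `git pull origin main` run weekly from cron builds whatever `main` holds at that moment; for a production homeserver consider pinning a tag or commit in `REPO_PATH` and updating the pin deliberately.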
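Review bot: In the launch.sh hunk @@ -99,15 `log "Setting emergency password to: $EMERGENCY_PASSWORD"` persists the `@conduit` emergency admin password in `LOG_FILE` alongside routine script output; print it to the terminal only, or write it to a file created with mode 0600, and say so in the README's `--super-admin` section. The unconditional `RUST_LOG="conduwuit=trace,reqwest=trace,hickory_proto=trace"` is labelled "for debugging" but applies to every container start, including the daily cron restart; trace output from the HTTP client and DNS resolver is very large and should be gated behind an environment variable or flag so production runs at `info`.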
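Review bot: In the launch.sh hunk @@ -119,6 the login hint `log " Username: @conduit:we2.ee"` hard-codes one deployment's server name while `CONDUWUIT_SERVER_NAME` is already read from `ENV_FILE` a few lines earlier; derive the user ID from that value so the script is usable by other operators, as the README's generic setup section implies.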
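Review bot: In the launch.sh hunk @@ -127,18 `chmod 666 "$log_file"` makes `registration.log` world-writable, so any local account can append to or truncate the very file the README tells operators to monitor for abuse; use `chmod 640` and run sw1tch as the owning user or group instead of the comment's "adjust as needed". In the same hunk the force-restart path clears `lsof -ti tcp:"$REG_PORT"`, i.e. whatever process holds the port, not specifically sw1tch; prefer stopping the PID recorded in `$pid_file` first and fall back to the port lookup only when the PID file is stale.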
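Review bot: In the launch.sh hunk @@ -146,22 `sudo lsof -i :"$REG_PORT"` runs inside a script the README schedules from cron and `@reboot`; if sudo requires a password the job hangs or fails at that line, and the unprivileged `lsof -ti tcp:` used just above already answers the question. Drop `sudo` here. Also `cat "$log_file" >> "$LOG_FILE"` on start failure appends the entire service log, which grows without bound; `tail -n 50` is enough for the debugging purpose the comment states.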
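Review bot: In the new file `sw1tch/example-config/attestations.txt`, the last line "has not received any gag order that restrain our ability" should read "restrains". Since every line is a sentence fragment beginning with "has not", the README's description of this file should state that the `organization` value from `config.yaml` is prepended when the canary is rendered.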
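Review bot: The new `banned_emails.txt` uses glob-style entries (`*@yopmail.com`) while `banned_usernames.txt` uses regular expressions (`.*admin.*`), and the README only says "Add emails to" one file and "Add regex to" the other; document the exact matching rule for each file (glob versus regex, case sensitivity, whether the whole address must match) so operators do not add a regex to the email list and silently ban nothing.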
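Review bot: In the new `banned_usernames.txt`, the patterns are unanchored substring matches, so `.*pedo.*` also rejects names such as "torpedo" and `.*admin.*` rejects "badminton"; that is an acceptable trade-off for a registration deny-list, but the README should say so and note that `.*` on both sides is redundant if the code uses `re.search`. The README line "Prefilled with regex patterns targeting CSAM-related usernames" also no longer describes the file, since `.*admin.*` is an impersonation guard; update that description.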
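Review bot: The new `sw1tch/example-config/conduwuit.env` ships one deployment's values (`CONDUWUIT_SERVER_NAME=we2.ee`, the `we2.ee` rooms in `CONDUWUIT_AUTO_JOIN_ROOMS`) in a file the README tells users to copy as their starting point; use placeholders consistent with `config.yaml`'s `server.net`. `CONDUWUIT_ADDRESS=["0.0.0.0", "::"]` combined with `--network host` in launch.sh exposes plaintext port 8008 on every host interface, while the README requires a reverse proxy with HTTPS in front; bind to `127.0.0.1` and `::1` unless the proxy runs on another host. `CONDUWUIT_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH=true` is a deliberate public exposure and deserves a comment so operators do not inherit it unknowingly.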
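Review bot: In the new `sw1tch/example-config/config.yaml`, `token_reset_time_utc: 2330` with `downtime_before_token_reset: 5` does not match the README crontab, which runs `./launch.sh --refresh-token` at `0 0 * * *`: sw1tch closes registration at 23:25, reopens at 23:30, and keeps emailing the old token until the real rotation at 00:00, so a token received at 23:45 stops working fifteen minutes later. Either set `0000` here, matching the README's "midnight UTC", or move the cron entry to 23:30 and state that the two values must agree. `multiple_users_per_email: true` as the shipped default is the permissive choice for a public homeserver (the previous README documented `false`); default to `false`. Finally, the file holds three plaintext passwords and the README copies it into `sw1tch/config/`; confirm `sw1tch/config/` and `sw1tch/data/` are in `.gitignore` (not visible in this diff) and document `chmod 600` for the copied file.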