From eda164f116472e1b23c7499b6ac10a8cf1288354 Mon Sep 17 00:00:00 2001 From: sij <sij@sij.law> Date: Sun, 2 Feb 2025 23:12:44 +0000 Subject: [PATCH] Update README.md --- README.md | 45 +++++++++++++++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 741b552..6a36f77 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,8 @@ A FastAPI-based web application that manages Matrix account registration requests for homeservers that do not offer SMTP authentication (like conduwuit). It provides a registration token to users via email, with automatic token rotation and various safety features. +Currently in use for the [We2.ee](https://we2.ee/about) homeserver, at [join.we2.ee](https://join.we2.ee) + ## Features - Daily rotating registration tokens @@ -45,10 +47,10 @@ The `config.yaml` file supports these options: ```yaml port: 6626 homeserver: "your.server" -token_reset_time_utc: 0 # 24-hour format (e.g., 0 = 00:00 UTC) -downtime_before_token_reset: 30 # minutes -email_cooldown: 3600 # seconds between requests per email -multiple_users_per_email: false # allow multiple accounts per email? +token_reset_time_utc: 0 # 24-hour format (e.g., 0 = 00:00 UTC) +downtime_before_token_reset: 30 # minutes +email_cooldown: 3600 # seconds between requests per email +multiple_users_per_email: false # allow multiple accounts per email? smtp: host: "smtp.example.com" @@ -64,32 +66,51 @@ Add this to your crontab to rotate the registration token daily at 00:00 UTC: ```bash # Edit crontab with: crontab -e -0 0 * * * openssl rand -base64 32 | tr -d '/+=' | head -c 32 > /path/to/your/.registration_token +0 0 * * * openssl rand -base64 32 | tr -d '/+=' | head -c 32 > /path/to/hand_of_morpheus/.registration_token ``` ## Running the Server -Development: ```bash python registration.py ``` -Production: -```bash -uvicorn registration:app --host 0.0.0.0 --port 6626 -``` +Consider running in a `tmux` session, or creating a system service for it. ## Security Features - **IP Banning**: Add IPs to `banned_ips.txt`, one per line - **Email Banning**: Add emails to `banned_emails.txt`, one per line -- **Username Patterns**: Add regex patterns to `banned_usernames.txt`, one per line +- **Username Patterns**: Add regex patterns to `banned_usernames.txt`, one per line; consider including the anti-CSAM entries in `example-banned_usernames.txt` as a starting point - **Registration Tracking**: All requests are logged to `registrations.json` - ## Security Notes - Place behind a reverse proxy with HTTPS - Consider placing the registration token file outside web root - Regularly backup `registrations.json` - Monitor logs for abuse patterns + +## Example Conduwuit docker run command + +```bash +docker run -d \ + -p 127.0.0.1:8448:6167 \ + -v db:/var/lib/conduwuit/ \ + -v /path/to/.registration_token:/registration_token:ro \ + -e CONDUWUIT_SERVER_NAME="your.domain" \ + -e CONDUWUIT_DATABASE_PATH="/var/lib/conduwuit/conduwuit.db" \ + -e CONDUWUIT_DATABASE_BACKUP_PATH="/var/lib/conduwuit/backup" \ + -e CONDUWUIT_ALLOW_REGISTRATION=true \ + -e CONDUWUIT_REGISTRATION_TOKEN_FILE="/registration_token" \ + -e CONDUWUIT_PORT=6167 \ + -e CONDUWUIT_ADDRESS="0.0.0.0" \ + -e CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX="" \ + -e CONDUWUIT_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION=true \ + -e CONDUWUIT_ALLOW_PUBLIC_ROOM_DIRECTORY_WITHOUT_AUTH=true \ + -e CONDUWUIT_ALLOW_FEDERATION=true \ + -e CONDUWUIT_AUTO_JOIN_ROOMS='["#community:your.domain","#welcome:your.domain"]' \ + --name conduwuit \ + --restart unless-stopped \ + ghcr.io/girlbossceo/conduwuit:v0.5.0-rc2-e5049cae4a3890dc5f61ead53281f23b36bf4c97 + ``` \ No newline at end of file