add rocksdb paranoid_file_checks config option, add some more config …

…checks

Signed-off-by: strawberry <[email protected]>

conduwuit-example.toml

@@ -105,7 +105,7 @@
 #
 # This defaults to 128.0 + (64.0 * CPU core count)
 #
-#db_cache_capacity_mb =
+#db_cache_capacity_mb = varies by system
 
 # Option to control adding arbitrary text to the end of the user's
 # displayname upon registration with a space before the text. This was the
@@ -114,9 +114,9 @@
 #
 # The default is the trans pride flag.
 #
-# example: "🏳️⚧️"
+# example: "🏳️‍⚧️"
 #
-#new_user_displayname_suffix = "🏳️⚧️"
+#new_user_displayname_suffix = "🏳️‍⚧️"
 
 # If enabled, conduwuit will send a simple GET request periodically to
 # `https://pupbrain.dev/check-for-updates/stable` for any new
@@ -132,8 +132,7 @@
 # with such as "auth_chain_cache_capacity".
 #
 # May be useful if you have significant memory to spare to increase
-# performance. This was previously called
-# `conduit_cache_capacity_modifier`.
+# performance.
 #
 # If you have low memory, reducing this may be viable.
 #
@@ -204,9 +203,7 @@
 # longer running Matrix). Only decrease this if you are using an external
 # DNS cache.
 #
-# default_dns_min_ttl: 259200
-#
-#dns_min_ttl =
+#dns_min_ttl = 10800
 
 # Minimum time-to-live in seconds for NXDOMAIN entries in the DNS cache.
 # This value is critical for the server to federate efficiently.
@@ -217,7 +214,7 @@
 #
 #dns_min_ttl_nxdomain = 259200
 
-# Number of retries after a timeout.
+# Number of DNS nameserver retries after a timeout or error.
 #
 #dns_attempts = 10
 
@@ -547,7 +544,7 @@
 # Currently, conduwuit doesn't support inbound batched key requests, so
 # this list should only contain other Synapse servers
 #
-# example: ["matrix.org", "constellatory.net", "tchncs.de"]
+# example: ["matrix.org", "envs.net", "constellatory.net", "tchncs.de"]
 #
 #trusted_servers = ["matrix.org"]
 
@@ -689,14 +686,14 @@
 # room invites) are ignored here.
 #
 # Defaults to false as rooms can be banned for non-moderation-related
-# reasons
+# reasons and this performs a full user deactivation
 #
 #auto_deactivate_banned_room_attempts = false
 
 # RocksDB log level. This is not the same as conduwuit's log level. This
 # is the log level for the RocksDB engine/library which show up in your
 # database folder/path as `LOG` files. conduwuit will log RocksDB errors
-# as normal through tracing.
+# as normal through tracing or panics if severe for safety.
 #
 #rocksdb_log_level = "error"
 
@@ -745,7 +742,7 @@
 # operatons such as cleanup, sync, flush, compaction, etc. Set to 0 to use
 # all your logical threads. Defaults to your CPU logical thread count.
 #
-#rocksdb_parallelism_threads = 0
+#rocksdb_parallelism_threads = varies by system
 
 # Maximum number of LOG files RocksDB will keep. This must *not* be set to
 # 0. It must be at least 1. Defaults to 3 as these are not very useful
@@ -833,6 +830,14 @@
 #
 #rocksdb_recovery_mode = 1
 
+# Enables or disables paranoid SST file checks. This can improve RocksDB
+# database consistency at a potential performance impact due to further
+# safety checks ran.
+#
+# See https://github.com/facebook/rocksdb/wiki/Online-Verification#columnfamilyoptionsparanoid_file_checks for more information.
+#
+#rocksdb_paranoid_file_checks = false
+
 # Database repair mode (for RocksDB SST corruption)
 #
 # Use this option when the server reports corruption while running or
@@ -1119,12 +1124,14 @@
 #
 # To disable, set this to be an empty vector (`[]`).
 #
+# Defaults to:
+# ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
 # "192.168.0.0/16", "100.64.0.0/10", "192.0.0.0/24", "169.254.0.0/16",
 # "192.88.99.0/24", "198.18.0.0/15", "192.0.2.0/24", "198.51.100.0/24",
 # "203.0.113.0/24", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7",
 # "2001:db8::/32", "ff00::/8", "fec0::/10"]
 #
-#ip_range_denylist = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
+#ip_range_denylist =
 
 # Optional IP address or network interface-name to bind as the source of
 # URL preview requests. If not set, it will not bind to a specific
@@ -1181,9 +1188,9 @@
 #url_preview_url_contains_allowlist = []
 
 # Maximum amount of bytes allowed in a URL preview body size when
-# spidering. Defaults to 384KB in bytes.
+# spidering. Defaults to 256KB in bytes.
 #
-#url_preview_max_spider_size = 384000
+#url_preview_max_spider_size = 256000
 
 # Option to decide whether you would like to run the domain allowlist
 # checks (contains and explicit) on the root domain or not. Does not apply
@@ -1302,7 +1309,7 @@
 
 # Sentry.io crash/panic reporting, performance monitoring/metrics, etc.
 # This is NOT enabled by default. conduwuit's default Sentry reporting
-# endpoint is o4506996327251968.ingest.us.sentry.io
+# endpoint domain is o4506996327251968.ingest.us.sentry.io
 #
 #sentry = false
 

src/core/config/check.rs

@@ -20,10 +20,7 @@ pub fn check(config: &Config) -> Result<()> {
 	}
 
 	if cfg!(all(feature = "hardened_malloc", feature = "jemalloc")) {
-		warn!(
-			"hardened_malloc and jemalloc are both enabled, this causes jemalloc to be used. If using --all-features, \
-			 this is harmless."
-		);
+		info!("hardened_malloc and jemalloc compile-time features are both enabled, this causes jemalloc to be used.");
 	}
 
 	if cfg!(not(unix)) && config.unix_socket_path.is_some() {
@@ -34,7 +31,15 @@ pub fn check(config: &Config) -> Result<()> {
 		));
 	}
 
-	if cfg!(unix) && config.unix_socket_path.is_none() {
+	if config.unix_socket_path.is_none() && config.get_bind_hosts().is_empty() {
+		return Err!(Config("address", "No TCP addresses were specified to listen on"));
+	}
+
+	if config.unix_socket_path.is_none() && config.get_bind_ports().is_empty() {
+		return Err!(Config("port", "No ports were specified to listen on"));
+	}
+
+	if config.unix_socket_path.is_none() {
 		config.get_bind_addrs().iter().for_each(|addr| {
 			use std::path::Path;
 
@@ -50,18 +55,14 @@ pub fn check(config: &Config) -> Result<()> {
 						 host and guest, this will NOT work. Please change this to \"0.0.0.0\". If this is expected, \
 						 you can ignore.",
 					);
-				}
-
-				if Path::new("/.dockerenv").exists() {
+				} else if Path::new("/.dockerenv").exists() {
 					error!(
 						"You are detected using Docker with a loopback/localhost listening address of {addr}. If you \
 						 are using a reverse proxy on the host and require communication to conduwuit in the Docker \
 						 container via NAT-based networking, this will NOT work. Please change this to \"0.0.0.0\". \
 						 If this is expected, you can ignore.",
 					);
-				}
-
-				if Path::new("/run/.containerenv").exists() {
+				} else if Path::new("/run/.containerenv").exists() {
 					error!(
 						"You are detected using Podman with a loopback/localhost listening address of {addr}. If you \
 						 are using a reverse proxy on the host and require communication to conduwuit in the Podman \
@@ -89,6 +90,13 @@ pub fn check(config: &Config) -> Result<()> {
 		));
 	}
 
+	if config.emergency_password == Some(String::from("F670$2CP@Hw8mG7RY1$%!#Ic7YA")) {
+		return Err!(Config(
+			"emergency_password",
+			"The public example emergency password is being used, this is insecure. Please change this."
+		));
+	}
+
 	// check if the user specified a registration token as `""`
 	if config.registration_token == Some(String::new()) {
 		return Err!(Config(
@@ -113,17 +121,20 @@ pub fn check(config: &Config) -> Result<()> {
 		));
 	}
 
-	if config.max_request_size < 5_120_000 {
+	if config.max_request_size < 10_000_000 {
 		return Err!(Config(
 			"max_request_size",
-			"Max request size is less than 5MB. Please increase it."
+			"Max request size is less than 10MB. Please increase it as this is too low for operable federation."
 		));
 	}
 
 	// check if user specified valid IP CIDR ranges on startup
 	for cidr in &config.ip_range_denylist {
 		if let Err(e) = ipaddress::IPAddress::parse(cidr) {
-			return Err!(Config("ip_range_denylist", "Parsing specified IP CIDR range from string: {e}."));
+			return Err!(Config(
+				"ip_range_denylist",
+				"Parsing specified IP CIDR range from string failed: {e}."
+			));
 		}
 	}
 
@@ -135,10 +146,10 @@ pub fn check(config: &Config) -> Result<()> {
 		return Err!(Config(
 			"registration_token",
 			"!! You have `allow_registration` enabled without a token configured in your config which means you are \
-			 allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n
-If this is not the intended behaviour, please set a registration token.\n
-For security and safety reasons, conduwuit will shut down. If you are extra sure this is the desired behaviour you \
-			 want, please set the following config option to true:
+			 allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token). \
+			 If this is not the intended behaviour, please set a registration token. For security and safety reasons, \
+			 conduwuit will shut down. If you are extra sure this is the desired behaviour you want, please set the \
+			 following config option to true:
 `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`"
 		));
 	}
@@ -151,15 +162,16 @@ For security and safety reasons, conduwuit will shut down. If you are extra sure
 		warn!(
 			"Open registration is enabled via setting \
 			 `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and `allow_registration` to \
-			 true without a registration token configured. You are expected to be aware of the risks now.\n
-    If this is not the desired behaviour, please set a registration token."
+			 true without a registration token configured. You are expected to be aware of the risks now. If this is \
+			 not the desired behaviour, please set a registration token."
 		);
 	}
 
 	if config.allow_outgoing_presence && !config.allow_local_presence {
 		return Err!(Config(
 			"allow_local_presence",
-			"Outgoing presence requires allowing local presence. Please enable 'allow_local_presence'."
+			"Outgoing presence requires allowing local presence. Please enable 'allow_local_presence' or disable \
+			 outgoing presence."
 		));
 	}