From a7f20354b2d821cd93d8fe6220863d24164a5756 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Mon, 26 Sep 2022 00:58:05 +0200 Subject: [PATCH 1/6] Fix #50 --- conf/nginx.conf | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index fb22fe4..8f13985 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,14 +1,15 @@ rewrite ^$ /; location ~ ^/$ { - default_type text/plain; - return 200 "This is where Dendrite is installed."; + default_type text/plain; + return 200 "This is where Dendrite is installed."; } location /_matrix { - proxy_pass http://localhost:__PORT__; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Host $host; - proxy_read_timeout 600; - client_max_body_size 100M; - more_set_headers "Access-Control-Allow-Origin: *"; + proxy_pass http://localhost:__PORT__; + more_set_headers "X-Forwarded-For: $remote_addr"; + more_set_headers "X-Real-IP: $remote_addr"; + more_set_headers "Host: $host"; + proxy_read_timeout 600; + client_max_body_size 100M; + more_set_headers "Access-Control-Allow-Origin: *"; } From c5f6df4c3bab51da6370599dd242db9e4637b90f Mon Sep 17 00:00:00 2001 From: yalh76 Date: Mon, 26 Sep 2022 00:59:44 +0200 Subject: [PATCH 2/6] Update manifest.json --- manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.json b/manifest.json index b9d5395..ac85d20 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Matrix homeserver of second generation", "fr": "Serveur Matrix de seconde génération" }, - "version": "0.9.9~ynh1", + "version": "0.9.9~ynh2", "url": "https://matrix.org/", "upstream": { "license": "Apache-2.0", From 3e0a9551963ab86da069f21ab2e3ad5be2e112b2 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Sun, 25 Sep 2022 22:59:49 +0000 Subject: [PATCH 3/6] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
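Review bot: In the `location /_matrix` block of conf/nginx.conf, `more_set_headers` sets response headers, so the three new lines do not pass `X-Forwarded-For`, `X-Real-IP` or `Host` to Dendrite; they attach them to the reply sent to the client. The upstream is left seeing only the proxy's loopback address and NGINX's default upstream `Host`, while the client address is echoed back in every response. Keep the request-side directives, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header Host $host;`, and reserve `more_set_headers` for the CORS header. Patch 6/6 on this page restores `proxy_set_header` for `X-Real-IP` and `Host`, but not for `X-Forwarded-For`.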
diff --git a/README.md b/README.md index 7fa6b78..ec5d849 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ Dendrite is a second-generation Matrix homeserver written in Go. It intends to p - Scalable: can run on multiple machines and eventually scale to massive homeserver deployments. -**Shipped version:** 0.9.9~ynh1 +**Shipped version:** 0.9.9~ynh2 ## Disclaimers / important information diff --git a/README_fr.md b/README_fr.md index 8c88b45..ef5e5e1 100644 --- a/README_fr.md +++ b/README_fr.md @@ -24,7 +24,7 @@ Dendrite is a second-generation Matrix homeserver written in Go. It intends to p - Scalable: can run on multiple machines and eventually scale to massive homeserver deployments. -**Version incluse :** 0.9.9~ynh1 +**Version incluse :** 0.9.9~ynh2 ## Avertissements / informations importantes From a5674ff3039af544c6b8041129d66072fe0aaef1 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Mon, 26 Sep 2022 01:18:29 +0200 Subject: [PATCH 4/6] Apply last example_ynh --- .github/workflows/updater.sh | 12 ++++--- check_process | 3 +- conf/app.src | 1 + conf/systemd.service | 4 +-- scripts/_common.sh | 2 +- scripts/backup | 12 +++---- scripts/install | 43 ++++++++++------------- scripts/remove | 6 ++-- scripts/restore | 45 +++++++++++++++++------- scripts/upgrade | 66 ++++++++++++++++-------------------- 10 files changed, 101 insertions(+), 93 deletions(-) diff --git a/.github/workflows/updater.sh b/.github/workflows/updater.sh index ede8049..a0f5bdd 100644 --- a/.github/workflows/updater.sh +++ b/.github/workflows/updater.sh 
@@ -24,24 +24,25 @@ asset_url=$(curl --silent "https://api.github.com/repos/$repo/releases" | jq -r # Sometimes the release name starts with a "v", so let's filter it out. # You may need more tweaks here if the upstream repository has different naming conventions. if [[ ${version:0:1} == "v" || ${version:0:1} == "V" ]]; then - version=${version:1} + version=${version:1} fi # Setting up the environment variables echo "Current version: $current_version" echo "Latest release from upstream: $version" echo "VERSION=$version" >> $GITHUB_ENV +echo "REPO=$repo" >> $GITHUB_ENV # For the time being, let's assume the script will fail echo "PROCEED=false" >> $GITHUB_ENV # Proceed only if the retrieved version is greater than the current one if ! dpkg --compare-versions "$current_version" "lt" "$version" ; then - echo "::warning ::No new version available" - exit 0 + echo "::warning ::No new version available" + exit 0 # Proceed only if a PR for this new version does not already exist elif git ls-remote -q --exit-code --heads https://github.com/$GITHUB_REPOSITORY.git ci-auto-update-v$version ; then - echo "::warning ::A branch already exists for this update" - exit 0 + echo "::warning ::A branch already exists for this update" + exit 0 fi #================================================= @@ -71,6 +72,7 @@ SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true SOURCE_FILENAME= +SOURCE_EXTRACT=true EOT echo "... conf/$src.src updated" diff --git a/check_process b/check_process index 53be51c..68cc371 100644 --- a/check_process +++ b/check_process @@ -12,7 +12,8 @@ setup_private=0 setup_public=1 upgrade=1 -# upgrade=1 from_commit=CommitHash + # 0.9.9~ynh1 + upgrade=1 from_commit=15f4690bafea6454b1777a00658f9839e7ea77c0 backup_restore=1 multi_instance=0 port_already_use=0 diff --git a/conf/app.src b/conf/app.src index 107322e..b15e1fe 100644 --- a/conf/app.src +++ b/conf/app.src 
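Review bot: In the first hunk of .github/workflows/updater.sh, the added `echo "REPO=$repo" >> $GITHUB_ENV` appends a value to the workflow environment file without checking its shape, as the `VERSION=$version` line above it already does with a value read from the GitHub API. A value containing a line break would define extra variables for every later workflow step, so reject anything unexpected before writing, for example `[[ "$repo" =~ ^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$ ]] || exit 1`, and quote the target as `>> "$GITHUB_ENV"`. Where `$repo` is assigned lies outside this hunk, so confirm it cannot be influenced by upstream release data.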
@@ -4,3 +4,4 @@ SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true SOURCE_FILENAME= +SOURCE_EXTRACT=true diff --git a/conf/systemd.service b/conf/systemd.service index 9d09edc..a37eabc 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -13,7 +13,7 @@ StandardError=inherit LimitNOFILE=65535 # Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these +# Depending on specificities of your service/app, you may need to tweak these # .. but this should be a good baseline # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html NoNewPrivileges=yes @@ -40,7 +40,7 @@ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] WantedBy=multi-user.target diff --git a/scripts/_common.sh b/scripts/_common.sh index 439b020..7ab456c 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -4,7 +4,7 @@ # COMMON VARIABLES #================================================= -# dependencies used by the app +# dependencies used by the app (must be on a single line) pkg_dependencies="postgresql postgresql-contrib" GO_VERSION="1.18" diff --git a/scripts/backup b/scripts/backup index da7f321..ca96846 100644 --- a/scripts/backup +++ b/scripts/backup 
@@ -63,19 +63,19 @@ ynh_backup --src_path="/etc/logrotate.d/$app" ynh_backup --src_path="/etc/systemd/system/$app.service" +#================================================= +# BACKUP VARIOUS FILES +#================================================= + if yunohost --output-as plain domain list | grep -q "^$server_name$" then ynh_backup --src_path="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" fi #================================================= -# BACKUP VARIOUS FILES +# BACKUP THE POSTGRESQL DATABASE #================================================= - -#================================================= -# BACKUP THE PSQL DATABASE -#================================================= -ynh_print_info --message="Backing up the PSQL database..." +ynh_print_info --message="Backing up the PostgreSQL database..." ynh_psql_dump_db --database="$db_name" > db.sql diff --git a/scripts/install b/scripts/install index 289e6e5..c5e3d25 100644 --- a/scripts/install +++ b/scripts/install @@ -15,7 +15,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_clean_setup () { - ynh_clean_check_starting + true } # Exit if an error occurs during the execution of the script ynh_abort_if_errors @@ -78,15 +78,6 @@ ynh_app_setting_set --app=$app --key=tls_port --value=$tls_port # Open TLS port ynh_exec_warn_less yunohost firewall allow TCP $tls_port -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Configuring system user..." --weight=1 - -# Create a system user -# It needs to be created before using the ynh_install_go helper -ynh_system_user_create --username=$app --use_shell --groups="ssl-cert" - #================================================= # INSTALL DEPENDENCIES #================================================= 
@@ -196,22 +187,6 @@ ynh_add_systemd_config #================================================= # GENERIC FINALIZATION -#================================================= -# SETUP PERMISSIONS -#================================================= -ynh_script_progression --message="Configuring permissions..." --weight=1 - -ynh_permission_update --permission=main --show_tile=false - -ynh_permission_create --permission=server_api --url=$domain/_matrix \ - --label="Server access for client apps." --show_tile=false --allowed=visitors \ - --auth_header=false --protected=true -if yunohost --output-as plain domain list | grep -q "^$server_name$"; then - ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \ - --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \ - --auth_header=false --protected=true -fi - #================================================= # SETUP LOGROTATE #================================================= 
@@ -241,6 +216,22 @@ ynh_script_progression --message="Starting a systemd service..." --weight=1 # Start a systemd service ynh_systemd_action --service_name=$app --action="start" --line_match="Starting external Monolith listener" --log_path="/var/log/$app/Monolith.log" +#================================================= +# SETUP SSOWAT +#================================================= +ynh_script_progression --message="Configuring permissions..." --weight=1 + +ynh_permission_update --permission=main --show_tile=false + +ynh_permission_create --permission=server_api --url=$domain/_matrix \ + --label="Server access for client apps." --show_tile=false --allowed=visitors \ + --auth_header=false --protected=true +if yunohost --output-as plain domain list | grep -q "^$server_name$"; then + ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \ + --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \ + --auth_header=false --protected=true +fi + #================================================= # RELOAD NGINX #================================================= diff --git a/scripts/remove b/scripts/remove index 090c95c..afa6bf2 100644 --- a/scripts/remove +++ b/scripts/remove @@ -55,7 +55,7 @@ ynh_remove_logrotate #================================================= # REMOVE THE POSTGRESQL DATABASE #================================================= -ynh_script_progression --message="Removing the PostgreSQL database" --weight=2 +ynh_script_progression --message="Removing the PostgreSQL database..." --weight=2 # Remove a database if it exists, along with the associated user ynh_psql_remove_db --db_user=$db_user --db_name=$db_name 
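Review bot: In the re-added `SETUP SSOWAT` block of scripts/install, `grep -q "^$server_name$"` treats the domain as a regular expression, so each `.` matches any character and a different entry in the domain list can satisfy the test. A literal whole-line match states the intent: `grep -qxF -- "$server_name"`. The same test is on the new side of scripts/restore (`RESTORE VARIOUS FILES`) and scripts/upgrade (the `server_client_infos` branches). Quoting `--url="$domain/_matrix"` and `--url="$server_name/.well-known/matrix"` would also keep each argument intact if a setting ever held whitespace.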
@@ -90,8 +90,8 @@ ynh_remove_app_dependencies if yunohost firewall list | grep -q "\- $tls_port$" then - ynh_script_progression --message="Closing port $tls_port..." --weight=1 - ynh_exec_warn_less yunohost firewall disallow TCP $tls_port + ynh_script_progression --message="Closing port $tls_port..." --weight=1 + ynh_exec_warn_less yunohost firewall disallow TCP $tls_port fi #================================================= diff --git a/scripts/restore b/scripts/restore index 6bf8a10..86cdd13 100644 --- a/scripts/restore +++ b/scripts/restore @@ -15,7 +15,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_clean_setup () { - ynh_clean_check_starting + true } # Exit if an error occurs during the execution of the script ynh_abort_if_errors @@ -54,20 +54,12 @@ ynh_script_progression --message="Recreating the dedicated system user..." --wei # Create the dedicated user (if not existing) ynh_system_user_create --username=$app --home_dir="$final_path" --groups="ssl-cert" -#================================================= -# RESTORE ALL CONFIG AND DATA -#================================================= -ynh_script_progression --message="Restoring directory and configuration..." --weight=10 - -mkdir -p /var/log/$app -chown -R $app:root /var/log/$app - -ynh_restore - #================================================= # RESTORE THE APP MAIN DIR #================================================= -ynh_script_progression --message="Restoring the app main directory permissions..." --weight=1 +ynh_script_progression --message="Restoring the app main directory..." --weight=1 + +ynh_restore_file --origin_path="$final_path" chmod 750 "$final_path" chmod -R o-rwx "$final_path" 
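Review bot: Replacing the single `ynh_restore` with `ynh_restore_file --origin_path="$final_path"` in scripts/restore means only explicitly named paths come back, and anything scripts/backup saves without a matching `ynh_restore_file` is dropped without an error. The later hunks add calls for the NGINX, systemd and logrotate files, but scripts/backup is only partly visible here, so check each `ynh_backup --src_path=` against that list, especially the homeserver's configuration and key material if they are not under `$final_path`. A comment above the first call, `# Every ynh_backup --src_path in scripts/backup needs a ynh_restore_file here`, would keep the two scripts in step.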
@@ -83,6 +75,13 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=3 # Define and install dependencies ynh_exec_warn_less ynh_install_app_dependencies $pkg_dependencies +#================================================= +# RESTORE THE NGINX CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the NGINX web server configuration..." --weight=1 + +ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" + #================================================= # RESTORE THE POSTGRESQL DATABASE #================================================= 
@@ -93,13 +92,33 @@ ynh_psql_test_if_first_run ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd ynh_psql_execute_file_as_root --file="./db.sql" --database=$db_name +#================================================= +# RESTORE VARIOUS FILES +#================================================= +ynh_script_progression --message="Restoring various files..." --weight=1 + +if yunohost --output-as plain domain list | grep -q "^$server_name$" +then + ynh_restore_file --origin_path="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" +fi + #================================================= # RESTORE SYSTEMD #================================================= -ynh_script_progression --message="Enabling the systemd service..." --weight=1 +ynh_script_progression --message="Restoring the systemd configuration..." --weight=1 +ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable $app.service --quiet +#================================================= +# RESTORE THE LOGROTATE CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the logrotate configuration..." --weight=1 + +mkdir -p /var/log/$app +chown -R $app:root /var/log/$app +ynh_restore_file --origin_path="/etc/logrotate.d/$app" + #================================================= # INTEGRATE SERVICE IN YUNOHOST #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 4467f3c..397dbb5 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -31,7 +31,7 @@ registration=$(ynh_app_setting_get --app=$app --key=registration) #================================================= # CHECK VERSION #================================================= -ynh_script_progression --message="Checking version..." +ynh_script_progression --message="Checking version..." --weight=1 upgrade_type=$(ynh_check_app_version_changed) 
@@ -43,7 +43,6 @@ ynh_script_progression --message="Backing up the app before upgrading (may take # Backup the current version of the app ynh_backup_before_upgrade ynh_clean_setup () { - ynh_clean_check_starting # Restore it if the upgrade fails ynh_restore_upgradebackup } @@ -85,6 +84,28 @@ else ynh_app_setting_set --app=$app --key=registration --value=0 fi +if ! ynh_permission_exists --permission=server_api; then + ynh_permission_create --permission=server_api --url=$domain/_matrix \ + --label="Server access for client apps." --show_tile=false --allowed=visitors \ + --auth_header=false --protected=true +else + ynh_permission_url --permission=server_api --url=$domain/_matrix --remove_url=$server_name/.well-known/matrix \ + --auth_header=false + ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false \ + --protected=true +fi + +if yunohost --output-as plain domain list | grep -q "^$server_name"'$' && ! ynh_permission_exists --permission=server_client_infos; then + ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \ + --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \ + --auth_header=false --protected=true +elif yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then + ynh_permission_url --permission=server_client_infos --url=$server_name/.well-known/matrix \ + --auth_header=false + ynh_permission_update --permission=server_client_infos --label="Server info for clients. (well-known)" --show_tile=false \ + --protected=true +fi + #================================================= # CREATE DEDICATED USER #================================================= 
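Review bot: The `server_client_infos` block moved into this part of scripts/upgrade runs the `yunohost --output-as plain domain list | grep -q "^$server_name"'$'` pipeline twice, once in the `if` and again in the `elif`. Running it once as an outer test, `if yunohost --output-as plain domain list | grep -qxF -- "$server_name"; then`, with `if ! ynh_permission_exists --permission=server_client_infos` nested inside, removes the second call and makes the two cases easier to read. The move also drops the `ynh_script_progression --message="Configuring permissions..."` line, so these changes now happen without a progress message; restore it if that was not intended.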
@@ -109,6 +130,13 @@ chmod 750 "$final_path" chmod -R o-rwx "$final_path" chown -R $app:root "$final_path" +#================================================= +# UPGRADE DEPENDENCIES +#================================================= +ynh_script_progression --message="Upgrading dependencies..." --weight=1 + +ynh_exec_warn_less ynh_install_app_dependencies "$pkg_dependencies" + #================================================= # NGINX CONFIGURATION #================================================= @@ -123,13 +151,6 @@ then ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" fi -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Upgrading dependencies..." --weight=1 - -ynh_exec_warn_less ynh_install_app_dependencies "$pkg_dependencies" - #================================================= # SPECIFIC UPGRADE #================================================= 
@@ -178,33 +199,6 @@ ynh_add_systemd_config #================================================= # GENERIC FINALIZATION -#================================================= -# SETUP PERMISSIONS -#================================================= -ynh_script_progression --message="Configuring permissions..." --weight=1 - -if ! ynh_permission_exists --permission=server_api; then - ynh_permission_create --permission=server_api --url=$domain/_matrix \ - --label="Server access for client apps." --show_tile=false --allowed=visitors \ - --auth_header=false --protected=true -else - ynh_permission_url --permission=server_api --url=$domain/_matrix --remove_url=$server_name/.well-known/matrix \ - --auth_header=false - ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false \ - --protected=true -fi - -if yunohost --output-as plain domain list | grep -q "^$server_name"'$' && ! ynh_permission_exists --permission=server_client_infos; then - ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \ - --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \ - --auth_header=false --protected=true -elif yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then - ynh_permission_url --permission=server_client_infos --url=$server_name/.well-known/matrix \ - --auth_header=false - ynh_permission_update --permission=server_client_infos --label="Server info for clients. (well-known)" --show_tile=false \ - --protected=true -fi - #================================================= # SETUP LOGROTATE #================================================= From e65d7e64ecd9f95968b88b106d07ab7f412d3e86 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Tue, 27 Sep 2022 00:02:58 +0200 Subject: [PATCH 5/6] Use X-Real-IP for proxy header --- conf/dendrite.yaml | 2 +- conf/nginx.conf | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) 
diff --git a/conf/dendrite.yaml b/conf/dendrite.yaml index e5ce76e..e334ec7 100644 --- a/conf/dendrite.yaml +++ b/conf/dendrite.yaml @@ -326,7 +326,7 @@ sync_api: # This option controls which HTTP header to inspect to find the real remote IP # address of the client. This is likely required if Dendrite is running behind # a reverse proxy server. - # real_ip_header: X-Real-IP + real_ip_header: X-Real-IP # Configuration for the User API. user_api: diff --git a/conf/nginx.conf b/conf/nginx.conf index 8f13985..c037f05 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -6,9 +6,7 @@ location ~ ^/$ { location /_matrix { proxy_pass http://localhost:__PORT__; - more_set_headers "X-Forwarded-For: $remote_addr"; more_set_headers "X-Real-IP: $remote_addr"; - more_set_headers "Host: $host"; proxy_read_timeout 600; client_max_body_size 100M; more_set_headers "Access-Control-Allow-Origin: *"; From 0be521076603da7b236591ff686b09496c009692 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Tue, 27 Sep 2022 23:40:58 +0200 Subject: [PATCH 6/6] Fix headers in nginx config --- conf/nginx.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index c037f05..5757cd1 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -6,7 +6,8 @@ location ~ ^/$ { location /_matrix { proxy_pass http://localhost:__PORT__; - more_set_headers "X-Real-IP: $remote_addr"; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; proxy_read_timeout 600; client_max_body_size 100M; more_set_headers "Access-Control-Allow-Origin: *";
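Review bot: Enabling `real_ip_header: X-Real-IP` makes Dendrite take the client address from a request header, but in this commit conf/nginx.conf still carries `more_set_headers "X-Real-IP: $remote_addr";`, which sets a response header. Nothing overwrites the request header at this point, so a value supplied by the client reaches Dendrite unchanged and whatever is keyed on the client address (presumably rate limiting and logs) can be misled. `proxy_set_header X-Real-IP $remote_addr;` belongs in this commit; patch 6/6 adds it. scripts/install also opens `$tls_port` in the firewall, so confirm whether that listener honours the header too, since requests arriving there do not pass through NGINX.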
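Review bot: Nothing in the `location /_matrix` block of patch 6/6 records that `proxy_set_header` acts on the request sent to Dendrite while `more_set_headers` acts on the response to the client, and patch 1/6 shows how easily the two get swapped. A comment above the two restored lines would prevent a repeat: `# Request headers for Dendrite; X-Real-IP must match real_ip_header in conf/dendrite.yaml`. A second one above the CORS line, `# Response header only`, makes the split explicit.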