Coturn server (#13)

* Add coturn server

README.md

@@ -23,6 +23,7 @@ Galène is a videoconferencing server that is easy to deploy (just copy a few fi
 
 ## Configuration
 
+To check if the TURN server is up and running, type `/relay-test` in the chat box; if the TURN server is properly configured, you should see a message saying that the relay test has been successful.
 
 ## Documentation
 

README_fr.md

@@ -23,6 +23,8 @@ Galène est un serveur de visioconférence facile à déployer (il suffit de cop
 
 ## Configuration
 
+Pour vérifier si le serveur TURN est opérationnel, tapez `/relay-test` dans la boîte de dialogue; si le serveur TURN est correctement configuré, vous devriez voir un message indiquant que le test du relais a réussi.
+
 ## Documentation
 
  * Documentation officielle : https://galene.org/

conf/coturn-galene.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=coturn
+Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
+After=syslog.target network.target
+
+[Service]
+User=turnserver
+Group=turnserver
+Type=forking
+EnvironmentFile=/etc/default/coturn-__APP__
+PIDFile=/run/coturn-__APP__/turnserver.pid
+RuntimeDirectory=coturn-__APP__
+RuntimeDirectoryMode=0755
+ExecStart=/usr/bin/turnserver -o -c /etc/__APP__/coturn.conf $EXTRA_OPTIONS
+ExecStopPost=/bin/rm -f /run/coturn-__APP__/turnserver.pid
+Restart=on-abort
+
+LimitCORE=infinity
+LimitNOFILE=999999
+LimitNPROC=60000
+LimitRTPRIO=infinity
+LimitRTTIME=7000000
+CPUSchedulingPolicy=other
+UMask=0007
+
+[Install]
+WantedBy=multi-user.target

conf/coturn/default_coturn

@@ -0,0 +1,5 @@
+#
+# Uncomment it if you want to have the turnserver running as 
+# an automatic system service daemon
+#
+TURNSERVER_ENABLED=1

conf/coturn/turnserver.conf

@@ -0,0 +1,28 @@
+lt-cred-mech
+use-auth-secret
+static-auth-secret=__TURNPWD__
+realm=__DOMAIN__
+
+tls-listening-port=__TLS_PORT__
+alt-tls-listening-port=__TLS_ALT_PORT__
+min-port=49153
+max-port=49193
+cli-port=__CLI_PORT__
+
+cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
+pkey=/etc/yunohost/certs/__DOMAIN__/key.pem
+dh-file=/etc/ssl/private/dh2048.pem
+
+no-sslv2
+no-sslv3
+no-tlsv1
+no-tlsv1_1
+
+no-loopback-peers
+no-multicast-peers
+
+no-cli
+
+log-file=/var/log/__APP__/turnserver.log
+pidfile=/run/coturn-__APP__/turnserver.pid
+simple-log

conf/groupname.json

@@ -1,4 +1,16 @@
 {
     "op": [{"username": "__ADMIN__", "password": "__PASSWORD__"}],
-    "presenter": [{}]
+    "presenter": [
+        {"username": "", "password": ""},
+        {"username": "", "password": ""}
+    ],
+    "public": "true",
+    "description": "This is displayed on the landing page for public groups.",
+    "max-clients": 20,
+    "max-history-age": 14400,
+    "allow-recording": "true",
+    "allow-anonymous": "true",
+    "allow-subgroups": "true",
+    "redirect": "",
+    "codecs": ["vp8", "opus"]
 }

conf/ice-servers.json

@@ -0,0 +1,15 @@
+[
+    {
+        "urls": [
+            "turn:__DOMAIN__:__TLS_PORT__",
+            "turn:__DOMAIN__:__TLS_ALT_PORT__",
+            "turn:__DOMAIN__:__TLS_PORT__?transport=tcp",
+            "turn:__DOMAIN__:__TLS_ALT_PORT__?transport=tcp",
+            "turn:__DOMAIN__:__TLS_PORT__?transport=udp",
+            "turn:__DOMAIN__:__TLS_ALT_PORT__?transport=udp"
+        ],
+        "username": "__APP__",
+        "credential": "__TURNPWD__",
+        "credentialType": "hmac-sha1"
+    }
+]

manifest.json

@@ -48,8 +48,8 @@
                     "fr": "Définissez le mot de passe administrateur"
                 },
                 "help": {
-                    "en": "Use the help field to add an information for the admin about this question.",
+                    "en": "Set the administrator password (between 8 and 30 characters)",
-                    "fr": "Utilisez le champ aide pour ajouter une information à l'intention de l'administrateur à propos de cette question."
+                    "fr": "Définissez le mot de passe administrateur (entre 8 et 30 caractères)"
                 },
                 "example": "Choose a password"
             },
@@ -73,6 +73,10 @@
                     "en": "Choose a name for the group you want to create",
                     "fr": "Choisissez un nom pour le groupe que vous voulez créer"
                 },
+                "help": {
+                    "en": "The name will be used as filename (do not use space, dots or / in your name group).",
+                    "fr": "Le nom sera utilisé comme nom de fichier (n'utilisez pas d'espace, de points ou / dans votre groupe de noms)."
+                },
                 "default": "public",
                 "example": "public"
             }

scripts/_common.sh

@@ -5,7 +5,7 @@
 #=================================================
 
 # dependencies used by the app
-pkg_dependencies=""
+pkg_dependencies="coturn acl"
 
 #=================================================
 # PERSONAL HELPERS
@@ -15,6 +15,145 @@ pkg_dependencies=""
 # EXPERIMENTAL HELPERS
 #=================================================
 
+# Send an email to inform the administrator
+#
+# usage: ynh_send_readme_to_admin --app_message=app_message [--recipients=recipients] [--type=type]
+# | arg: -m --app_message= - The file with the content to send to the administrator.
+# | arg: -r, --recipients= - The recipients of this email. Use spaces to separate multiples recipients. - default: root
+#       example: "root admin@domain"
+#       If you give the name of a YunoHost user, ynh_send_readme_to_admin will find its email adress for you
+#       example: "root admin@domain user1 user2"
+# | arg: -t, --type= - Type of mail, could be 'backup', 'change_url', 'install', 'remove', 'restore', 'upgrade'
+ynh_send_readme_to_admin() {
+        # Declare an array to define the options of this helper.
+        declare -Ar args_array=( [m]=app_message= [r]=recipients= [t]=type= )
+        local app_message
+        local recipients
+        local type
+        # Manage arguments with getopts
+
+        ynh_handle_getopts_args "$@"
+        app_message="${app_message:-}"
+        recipients="${recipients:-root}"
+        type="${type:-install}"
+
+        # Get the value of admin_mail_html
+        admin_mail_html=$(ynh_app_setting_get $app admin_mail_html)
+        admin_mail_html="${admin_mail_html:-0}"
+
+        # Retrieve the email of users
+        find_mails () {
+                local list_mails="$1"
+                local mail
+                local recipients=" "
+                # Read each mail in argument
+                for mail in $list_mails
+                do
+                        # Keep root or a real email address as it is
+                        if [ "$mail" = "root" ] || echo "$mail" | grep --quiet "@"
+                        then
+                                recipients="$recipients $mail"
+                        else
+                                # But replace an user name without a domain after by its email
+                                if mail=$(ynh_user_get_info "$mail" "mail" 2> /dev/null)
+                                then
+                                        recipients="$recipients $mail"
+                                fi
+                        fi
+                done
+                echo "$recipients"
+        }
+        recipients=$(find_mails "$recipients")
+
+        # Subject base
+        local mail_subject="☁️🆈🅽🅷☁️: \`$app\`"
+
+        # Adapt the subject according to the type of mail required.
+        if [ "$type" = "backup" ]; then
+                mail_subject="$mail_subject has just been backup."
+        elif [ "$type" = "change_url" ]; then
+                mail_subject="$mail_subject has just been moved to a new URL!"
+        elif [ "$type" = "remove" ]; then
+                mail_subject="$mail_subject has just been removed!"
+        elif [ "$type" = "restore" ]; then
+                mail_subject="$mail_subject has just been restored!"
+        elif [ "$type" = "upgrade" ]; then
+                mail_subject="$mail_subject has just been upgraded!"
+        else    # install
+                mail_subject="$mail_subject has just been installed!"
+        fi
+
+        local mail_message="This is an automated message from your beloved YunoHost server.
+
+Specific information for the application $app.
+
+$(if [ -n "$app_message" ]
+then
+        cat "$app_message"
+else
+        echo "...No specific information..."
+fi)
+
+---
+Automatic diagnosis data from YunoHost
+
+__PRE_TAG1__$(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')__PRE_TAG2__"
+
+        # Store the message into a file for further modifications.
+        echo "$mail_message" > mail_to_send
+
+        # If a html email is required. Apply html tags to the message.
+        if [ "$admin_mail_html" -eq 1 ]
+        then
+                # Insert 'br' tags at each ending of lines.
+                ynh_replace_string "$" "<br>" mail_to_send
+
+                # Insert starting HTML tags
+                sed --in-place '1s@^@<!DOCTYPE html>\n<html>\n<head></head>\n<body>\n@' mail_to_send
+
+                # Keep tabulations
+                ynh_replace_string "  " "\&#160;\&#160;" mail_to_send
+                ynh_replace_string "\t" "\&#160;\&#160;" mail_to_send
+
+                # Insert url links tags
+                ynh_replace_string "__URL_TAG1__\(.*\)__URL_TAG2__\(.*\)__URL_TAG3__" "<a href=\"\2\">\1</a>" mail_to_send
+
+                # Insert pre tags
+                ynh_replace_string "__PRE_TAG1__" "<pre>" mail_to_send
+                ynh_replace_string "__PRE_TAG2__" "<\pre>" mail_to_send
+
+                # Insert finishing HTML tags
+                echo -e "\n</body>\n</html>" >> mail_to_send
+
+        # Otherwise, remove tags to keep a plain text.
+        else
+                # Remove URL tags
+                ynh_replace_string "__URL_TAG[1,3]__" "" mail_to_send
+                ynh_replace_string "__URL_TAG2__" ": " mail_to_send
+
+                # Remove PRE tags
+                ynh_replace_string "__PRE_TAG[1-2]__" "" mail_to_send
+        fi
+
+        # Define binary to use for mail command
+        if [ -e /usr/bin/bsd-mailx ]
+        then
+                local mail_bin=/usr/bin/bsd-mailx
+        else
+                local mail_bin=/usr/bin/mail.mailutils
+        fi
+
+        if [ "$admin_mail_html" -eq 1 ]
+        then
+                content_type="text/html"
+        else
+                content_type="text/plain"
+        fi
+
+        # Send the email to the recipients
+        cat mail_to_send | $mail_bin -a "Content-Type: $content_type; charset=UTF-8" -s "$mail_subject" "$recipients"
+}
+
 #=================================================
 # FUTURE OFFICIAL HELPERS
 #=================================================
@@ -43,4 +182,4 @@ ynh_detect_arch(){
                 architecture="unknown"
         fi
         echo $architecture
-}
+}

scripts/backup

@@ -39,6 +39,15 @@ ynh_print_info --message="Declaring files to be backed up..."
 #=================================================
 
 ynh_backup --src_path="$final_path"
+ynh_backup --src_path="/etc/$app"
+
+#=================================================
+# BACKUP SYSTEMD
+#=================================================
+
+ynh_backup --src_path="/etc/systemd/system/$app.service"
+ynh_backup --src_path="/etc/default/coturn-$app"
+ynh_backup --src_path="/etc/systemd/system/coturn-$app.service"
 
 #=================================================
 # BACKUP THE NGINX CONFIGURATION
@@ -52,13 +61,21 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 # BACKUP LOGROTATE
 #=================================================
 
-#ynh_backup --src_path="/etc/logrotate.d/$app"
+ynh_backup --src_path="/etc/logrotate.d/$app"
+
+#=================================================
+# BACKUP GALÈNE LOG
+#=================================================
+
+ynh_backup --src_path="/var/log/$app"
 
 #=================================================
 # BACKUP SYSTEMD
 #=================================================
 
 ynh_backup --src_path="/etc/systemd/system/$app.service"
+ynh_backup --src_path="/etc/default/coturn-$app"
+ynh_backup --src_path="/etc/systemd/system/coturn-$app.service"
 
 #=================================================
 # END OF SCRIPT

scripts/install

@@ -27,7 +27,9 @@ domain=$YNH_APP_ARG_DOMAIN
 path_url="/"
 admin=$YNH_APP_ARG_ADMIN
 is_public=$YNH_APP_ARG_IS_PUBLIC
+ynh_print_OFF
 password=$YNH_APP_ARG_PASSWORD
+ynh_print_ON
 group_name=$YNH_APP_ARG_GROUP_NAME
 architecture=$(ynh_detect_arch)
 
@@ -54,6 +56,23 @@ ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=admin --value=$admin
 ynh_app_setting_set --app=$app --key=is_public --value=$is_public
 ynh_app_setting_set --app=$app --key=group_name --value=$group_name
+ynh_app_setting_set --app=$app --key=password --value=$password
+
+#=================================================
+# CREATE A DH FILE
+#=================================================
+ynh_script_progression --message="Creating a dhparam file..." --weight=3
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for Galène if it doesn't exist
+if [ ! -e /etc/ssl/private/dh2048.pem ]
+then
+    ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam
+    chown root:ssl-cert /etc/ssl/private/dh2048.pem
+    chmod 640 /etc/ssl/private/dh2048.pem
+fi
 
 #=================================================
 # STANDARD MODIFICATIONS
@@ -64,17 +83,28 @@ ynh_script_progression --message="Finding an available port..." --weight=3
 
 # Find an available port
 port=$(ynh_find_port --port=8443)
+turnserver_tls_port=$(ynh_find_port --port=5349)
+turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
+cli_port=$(ynh_find_port --port=5766)
+
 ynh_app_setting_set --app=$app --key=port --value=$port
 
 # Open the port
-# ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
+ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
+ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
+
+# Store opened ports
+ynh_app_setting_set --app=$app --key=port --value=$port
+ynh_app_setting_set --app=$app --key=turnserver_tls_port --value=$turnserver_tls_port
+ynh_app_setting_set --app=$app --key=turnserver_alt_tls_port --value=$turnserver_alt_tls_port
+ynh_app_setting_set --app=$app --key=cli_port --value=$cli_port
 
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
-#ynh_script_progression --message="Installing dependencies..." --time --weight=1
+ynh_script_progression --message="Installing dependencies..." --weight=5
 
-#ynh_install_app_dependencies $pkg_dependencies
+ynh_install_app_dependencies $pkg_dependencies
 
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
@@ -110,6 +140,7 @@ ynh_script_progression --message="Configuring system user..." --weight=3
 
 # Create a system user
 ynh_system_user_create --username=$app
+adduser turnserver ssl-cert
 
 #=================================================
 # SETUP SYSTEMD
@@ -119,19 +150,79 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1
 # Create a dedicated systemd config
 ynh_add_systemd_config
 
+mkdir -p /var/log/$app
+mkdir -p /etc/$app
+# Create systemd service for turnserver
+cp ../conf/coturn/default_coturn /etc/default/coturn-$app
+ynh_add_systemd_config --service=coturn-$app --template=coturn-galene.service
+
+#=================================================
+# SET COTURN CONFIG
+#=================================================
+ynh_script_progression --message="Configuring coturn..." --weight=1
+
+# WARNING : theses command are used in INSTALL, UPGRADE
+# For any update do it in all files
+
+# Find password for turnserver
+ynh_print_OFF
+turnserver_pwd=$(ynh_string_random --length=30)
+ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
+ynh_print_ON
+
+coturn_config_path="/etc/$app/coturn.conf"
+
+cp ../conf/coturn/turnserver.conf "$coturn_config_path"
+
+ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
+ynh_print_OFF
+ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
+ynh_print_ON
+
+# Get public IP and set as external IP for coturn
+# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
+public_ip4="$(curl ip.yunohost.org)" || true
+public_ip6="$(curl ipv6.yunohost.org)" || true
+
+if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
+then
+    echo "external-ip=$public_ip4" >> "$coturn_config_path"
+fi
+
+if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
+then
+    echo "external-ip=$public_ip6" >> "$coturn_config_path"
+fi
+
+ynh_store_file_checksum --file="$coturn_config_path"
+
 #=================================================
 # MODIFY A CONFIG FILE
 #=================================================
 
 cp ../conf/passwd $final_path/data/passwd
 
-ynh_replace_string --match_string="__ADMIN__" --replace_string="$admin" --target_file="$final_path/data/passwd"
+ynh_replace_string --match_string=__ADMIN__ --replace_string=$admin --target_file="$final_path/data/passwd"
-ynh_replace_string --match_string="__PASSWORD__" --replace_string="$password" --target_file="$final_path/data/passwd"
+ynh_replace_string --match_string=__PASSWORD__ --replace_string=$password --target_file="$final_path/data/passwd"
 
-mv -f $final_path/groups/groupname.json $final_path/groups/$group_name.json
+mv $final_path/groups/groupname.json $final_path/groups/$group_name.json
 
-ynh_replace_string --match_string="__ADMIN__" --replace_string="$admin" --target_file="$final_path/groups/$group_name.json"
+ynh_replace_string --match_string=__ADMIN__ --replace_string=$admin --target_file="$final_path/groups/$group_name.json"
-ynh_replace_string --match_string="__PASSWORD__" --replace_string="$password" --target_file="$final_path/groups/$group_name.json"
+ynh_replace_string --match_string=__PASSWORD__ --replace_string=$password --target_file="$final_path/groups/$group_name.json"
+
+cp ../conf/ice-servers.json $final_path/data/ice-servers.json
+
+ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$final_path/data/ice-servers.json"
+ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/data/ice-servers.json"
+ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$final_path/data/ice-servers.json"
+ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$final_path/data/ice-servers.json"
+ynh_print_OFF
+ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$final_path/data/ice-servers.json"
+ynh_print_ON
 
 #=================================================
 # STORE THE CONFIG FILE CHECKSUM
@@ -140,6 +231,24 @@ ynh_replace_string --match_string="__PASSWORD__" --replace_string="$password" --
 # Calculate and store the config file checksum into the app settings
 ynh_store_file_checksum --file="$final_path/data/passwd"
 ynh_store_file_checksum --file="$final_path/groups/$group_name.json"
+ynh_store_file_checksum --file="$final_path/data/ice-servers.json"
+
+#=================================================
+# SETUP LOGROTATE
+#=================================================
+ynh_script_progression --message="Configuring log rotation..." --weight=1
+
+ynh_use_logrotate --logfile "/var/log/$app"
+
+#=================================================
+# ADD SCRIPT FOR COTURN CRON AND APP SERVICE
+#=================================================
+
+# WARNING : theses command are used in INSTALL, UPGRADE
+# For any update do it in all files
+
+cp ../sources/Coturn_config_rotate.sh $final_path/
+ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/Coturn_config_rotate.sh"
 
 #=================================================
 # GENERIC FINALIZATION
@@ -148,16 +257,14 @@ ynh_store_file_checksum --file="$final_path/groups/$group_name.json"
 #=================================================
 
 # Set permissions to app files
-chown -R $app: $final_path
+chown -R $app:root $final_path
 chmod -R 755 $final_path
-
+chown -R $app:root /var/log/$app
-#=================================================
+chown -R $app:root /etc/$app
-# SETUP LOGROTATE
+chmod -R u=rwX,g=rX,o= /etc/$app
-#=================================================
+chmod 770 $final_path/Coturn_config_rotate.sh
-#ynh_script_progression --message="Configuring log rotation..." --time --weight=1
+setfacl -R -m user:turnserver:rX  /etc/$app
-
+setfacl -R -m user:turnserver:rwX  /var/log/$app
-# Use logrotate to manage application logfile(s)
-#ynh_use_logrotate
 
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
@@ -165,6 +272,7 @@ chmod -R 755 $final_path
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=2
 
 yunohost service add $app --description="Videoconferencing server" --log="/var/log/$app/$app.log"
+yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
 
 #=================================================
 # START SYSTEMD SERVICE
@@ -172,7 +280,8 @@ yunohost service add $app --description="Videoconferencing server" --log="/var/l
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 # Start a systemd service
-ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action=restart --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=coturn-$app.service --action=restart
 
 #=================================================
 # SETUP SSOWAT

scripts/remove

@@ -17,22 +17,29 @@ ynh_script_progression --message="Loading installation settings..." --weight=1
 app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
-port=$(ynh_app_setting_get --app=$app --key=port)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+port=$(ynh_app_setting_get --app=$app --key=port)
+turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
+turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
 
 #=================================================
 # STANDARD REMOVE
 #=================================================
 # REMOVE SERVICE INTEGRATION IN YUNOHOST
 #=================================================
+ynh_script_progression --message="Removing $app service integration..." --weight=1
 
 # Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
 if ynh_exec_warn_less yunohost service status $app >/dev/null
 then
-	ynh_script_progression --message="Removing $app service integration..." --weight=1
 	yunohost service remove $app
 fi
 
+if ynh_exec_warn_less yunohost service status coturn-$app >/dev/null
+then
+	yunohost service remove coturn-$app
+fi
+
 #=================================================
 # STOP AND REMOVE SERVICE
 #=================================================
@@ -40,14 +47,15 @@ ynh_script_progression --message="Stopping and removing the systemd service..."
 
 # Remove the dedicated systemd config
 ynh_remove_systemd_config
+ynh_remove_systemd_config --service=coturn-$app
 
 #=================================================
 # REMOVE DEPENDENCIES
 #=================================================
-#ynh_script_progression --message="Removing dependencies..." --time --weight=1
+ynh_script_progression --message="Removing dependencies..." --weight=1
 
 # Remove metapackage and its dependencies
-#ynh_remove_app_dependencies
+ynh_remove_app_dependencies
 
 #=================================================
 # REMOVE APP MAIN DIR
@@ -55,7 +63,9 @@ ynh_remove_systemd_config
 ynh_script_progression --message="Removing app main directory..." --weight=2
 
 # Remove the app directory securely
-ynh_secure_remove --file="$final_path"
+ynh_secure_remove --file=$final_path
+ynh_secure_remove --file=/var/log/$app
+ynh_secure_remove --file=/etc/default/coturn-$app
 
 #=================================================
 # REMOVE NGINX CONFIGURATION
@@ -68,20 +78,30 @@ ynh_remove_nginx_config
 #=================================================
 # REMOVE LOGROTATE CONFIGURATION
 #=================================================
-#ynh_script_progression --message="Removing logrotate configuration..." --time --weight=1
+ynh_script_progression --message="Removing logrotate configuration..." --weight=1
 
 # Remove the app-specific logrotate config
-#ynh_remove_logrotate
+ynh_remove_logrotate
 
 #=================================================
 # CLOSE A PORT
 #=================================================
 
-# if yunohost firewall list | grep -q "\- $port$"
+closeport() {
-# then
+    local port=$1
-# 	ynh_script_progression --message="Closing port $port..." --time --weight=1
+    if yunohost firewall list | grep -q "\- $$turnserver_tls_port$"
-# 	ynh_exec_warn_less yunohost firewall disallow TCP $port
+    then
-# fi
+            ynh_script_progression --message="Closing port $turnserver_tls_port port"
+            ynh_exec_warn_less yunohost firewall disallow Both $turnserver_tls_port  
+    elif yunohost firewall list | grep -q "\- $turnserver_alt_tls_port$"
+    then
+    	ynh_script_progression --message="Closing port $turnserver_alt_tls_port port"
+    	ynh_exec_warn_less yunohost firewall disallow Both $turnserver_alt_tls_port
+    fi
+}
+
+#closeport $turnserver_tls_port
+#closeport $turnserver_alt_tls_port
 
 #=================================================
 # GENERIC FINALIZATION

scripts/restore

@@ -31,6 +31,8 @@ domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 group_name=$(ynh_app_setting_get --app=$app --key=group_name)
+turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
+turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
 
 #=================================================
 # CHECK IF THE APP CAN BE RESTORED
@@ -43,7 +45,15 @@ test ! -d $final_path \
 	|| ynh_die --message="There is already a directory: $final_path "
 
 #=================================================
-# STANDARD RESTORATION STEPS
+# SPECIFIC RESTORATION
+#=================================================
+# REINSTALL DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Reinstalling dependencies..." --weight=1
+
+# Define and install dependencies
+ynh_install_app_dependencies $pkg_dependencies
+
 #=================================================
 # RESTORE THE NGINX CONFIGURATION
 #=================================================
@@ -56,6 +66,8 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 ynh_script_progression --message="Restoring the app main directory..." --weight=1
 
 ynh_restore_file --origin_path="$final_path"
+ynh_restore_file --origin_path="/etc/$app"
+ynh_restore_file --origin_path="/var/log/$app"
 
 #=================================================
 # RECREATE THE DEDICATED USER
@@ -64,24 +76,8 @@ ynh_script_progression --message="Recreating the dedicated system user..." --wei
 
 # Create the dedicated user (if not existing)
 ynh_system_user_create --username=$app
-
+ynh_system_user_create --username=turnserver ssl-cert
-#=================================================
+#adduser turnserver ssl-cert
-# RESTORE USER RIGHTS
-#=================================================
-
-# Restore permissions on app files
-chown -R $app: $final_path
-chmod -R 755 $final_path
-
-#=================================================
-# SPECIFIC RESTORATION
-#=================================================
-# REINSTALL DEPENDENCIES
-#=================================================
-#ynh_script_progression --message="Reinstalling dependencies..." --weight=1
-
-# Define and install dependencies
-#ynh_install_app_dependencies $pkg_dependencies
 
 #=================================================
 # RESTORE SYSTEMD
@@ -89,7 +85,10 @@ chmod -R 755 $final_path
 ynh_script_progression --message="Restoring the systemd configuration..." --weight=1
 
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
+ynh_restore_file --origin_path="/etc/default/coturn-$app"
+ynh_restore_file --origin_path="/etc/systemd/system/coturn-$app.service"
 systemctl enable $app.service --quiet
+systemctl enable coturn-$app.service --quiet
 
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
@@ -97,6 +96,7 @@ systemctl enable $app.service --quiet
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=2
 
 yunohost service add $app --description="Videoconferencing server" --log="/var/log/$app/$app.log"
+yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
 
 #=================================================
 # START SYSTEMD SERVICE
@@ -104,12 +104,101 @@ yunohost service add $app --description="Videoconferencing server" --log="/var/l
 ynh_script_progression --message="Starting a systemd service..." --weight=3
 
 ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
+yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
+
+#=================================================
+# CREATE A DH FILE
+#=================================================
+ynh_script_progression --message="Creating a dhparam file..." --weight=3
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for synapse if it doesn't exist
+if [ ! -e /etc/ssl/private/dh2048.pem ]
+then
+    ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam
+    chown root:ssl-cert /etc/ssl/private/dh2048.pem
+    chmod 640 /etc/ssl/private/dh2048.pem
+fi
+
+#=================================================
+# RECONFIGURE THE TURNSERVER
+#=================================================
+ynh_script_progression --message="Reconfiguring coturn..." --weight=23
+
+# To be sure that at the restoration the IP address in coturn config is the same as the real address we remake the coturn config
+
+# Retrieve specific settings
+turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
+turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
+cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
+ynh_print_OFF
+turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
+ynh_print_ON
+
+# WARNING : these commands are used in INSTALL, UPGRADE
+# For any update do it in all files
+
+coturn_config_path="/etc/$app/coturn.conf"
+
+cp ../settings/conf/coturn/turnserver.conf "$coturn_config_path"
+
+ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
+ynh_print_OFF
+ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
+ynh_print_ON
+
+# Get public IP and set as external IP for coturn
+# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
+public_ip4="$(curl ip.yunohost.org)" || true
+public_ip6="$(curl ipv6.yunohost.org)" || true
+
+if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
+then
+    echo "external-ip=$public_ip4" >> "$coturn_config_path"
+fi
+
+if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
+then
+    echo "external-ip=$public_ip6" >> "$coturn_config_path"
+fi
+
+ynh_store_file_checksum --file="$coturn_config_path"
+
+#=================================================
+# OPEN THE PORT
+#=================================================
+
+# Ouvre le port dans le firewall
+ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
+ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
+
+#=================================================
+# RESTORE USER RIGHTS
+#=================================================
+ynh_script_progression --message="Restoring permissions..." --weight=1
+
+# Restore permissions on app files
+# Set permissions on app files
+chown -R $app:root $final_path
+chmod -R 755 $final_path
+chown -R $app:root /var/log/$app
+chown -R $app:root /etc/$app
+chmod -R u=rwX,g=rX,o= /etc/$app
+chmod 770 $final_path/Coturn_config_rotate.sh
+setfacl -R -m user:turnserver:rX  /etc/$app
+setfacl -R -m user:turnserver:rwX  /var/log/$app
 
 #=================================================
 # RESTORE THE LOGROTATE CONFIGURATION
 #=================================================
 
-#ynh_restore_file --origin_path="/etc/logrotate.d/$app"
+ynh_restore_file --origin_path="/etc/logrotate.d/$app"
 
 #=================================================
 # GENERIC FINALIZATION

scripts/upgrade

@@ -21,8 +21,13 @@ path_url=$(ynh_app_setting_get --app=$app --key=path)
 admin=$(ynh_app_setting_get --app=$app --key=admin)
 is_public=$(ynh_app_setting_get --app=$app --key=is_public)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+password=$(ynh_app_setting_get --app=$app --key=password)
 group_name=$(ynh_app_setting_get --app=$app --key=group_name)
 port=$(ynh_app_setting_get --app=$app --key=port)
+turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
+turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
+cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
+turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
 architecture=$(ynh_detect_arch)
 
 #=================================================
@@ -98,6 +103,126 @@ then
     popd
 fi
 
+#=================================================
+# MULTINSTANCE SUPPORT
+#=================================================
+
+if [ ! -e /etc/$app/coturn.conf ]
+then
+    ynh_script_progression --message="Creating an independant service for coturn..." --weight=1
+
+    #=================================================
+    # CREATE AN INDEPENDANT SERVICE FOR COTURN
+    #=================================================
+
+    # Disable default config for turnserver and create a new service
+    systemctl stop coturn.service
+
+    # Set by default the system config for coturn
+    echo "" > /etc/turnserver.conf
+    ynh_replace_string --match_string="TURNSERVER_ENABLED=1" --replace_string="TURNSERVER_ENABLED=0" --target_file=/etc/default/coturn
+
+    # Set a port for each service in turnserver
+    turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
+    cli_port=$(ynh_find_port --port=5766)
+
+    ynh_app_setting_set --app=$app --key=turnserver_alt_tls_port --value=$turnserver_alt_tls_port
+    ynh_app_setting_set --app=$app --key=cli_port --value=$cli_port
+
+    yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1
+
+    #=================================================
+    # MAKE A CLEAN LOGROTATE CONFIG
+    #=================================================
+
+    ynh_use_logrotate --logfile /var/log/$app --nonappend
+fi
+
+#=================================================
+# CREATE A DH FILE
+#=================================================
+ynh_script_progression --message="Creating a dhparam file..." --weight=3
+
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
+# For any update do it in all files
+
+# Make dh cert for Galène if it doesn't exist
+if [ ! -e /etc/ssl/private/dh2048.pem ]
+then
+    ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam
+    chown root:ssl-cert /etc/ssl/private/dh2048.pem
+    chmod 640 /etc/ssl/private/dh2048.pem
+fi
+
+#=================================================
+# SPECIFIC UPGRADE
+#=================================================
+# UPDATE COTURN CONFIG
+#=================================================
+ynh_script_progression --message="Updating coturn config..." --weight=1
+
+# WARNING : theses command are used in INSTALL, UPGRADE
+# For any update do it in all files
+
+coturn_config_path="/etc/$app/coturn.conf"
+
+cp ../conf/coturn/turnserver.conf "$coturn_config_path"
+
+ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
+ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
+ynh_print_OFF
+ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
+ynh_print_ON
+
+# Get public IP and set as external IP for coturn
+# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
+public_ip4="$(curl ip.yunohost.org)" || true
+public_ip6="$(curl ipv6.yunohost.org)" || true
+
+if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
+then
+    echo "external-ip=$public_ip4" >> "$coturn_config_path"
+fi
+
+if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
+then
+    echo "external-ip=$public_ip6" >> "$coturn_config_path"
+fi
+
+ynh_store_file_checksum --file="$coturn_config_path"
+
+#=================================================
+# ADD SCRIPT FOR COTURN CRON AND APP SERVICE
+#=================================================
+
+# WARNING : theses command are used in INSTALL, UPGRADE
+# For any update do it in all files
+
+cp ../sources/Coturn_config_rotate.sh $final_path/
+ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/Coturn_config_rotate.sh"
+
+#=================================================
+# MODIFY A CONFIG FILE
+#=================================================
+
+cp ../conf/passwd $final_path/data/passwd
+
+ynh_replace_string --match_string=__ADMIN__ --replace_string=$admin --target_file="$final_path/data/passwd"
+ynh_replace_string --match_string=__PASSWORD__ --replace_string=$password --target_file="$final_path/data/passwd"
+
+cp ../conf/ice-servers.json $final_path/data/ice-servers.json
+
+ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$final_path/data/ice-servers.json"
+ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/data/ice-servers.json"
+ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$final_path/data/ice-servers.json"
+ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$final_path/data/ice-servers.json"
+ynh_print_OFF
+ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$final_path/data/ice-servers.json"
+ynh_print_ON
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@@ -109,9 +234,9 @@ ynh_add_nginx_config
 #=================================================
 # UPGRADE DEPENDENCIES
 #=================================================
-#ynh_script_progression --message="Upgrading dependencies..." --weight=1
+ynh_script_progression --message="Upgrading dependencies..." --weight=1
 
-#ynh_install_app_dependencies $pkg_dependencies
+ynh_install_app_dependencies $pkg_dependencies
 
 #=================================================
 # CREATE DEDICATED USER
@@ -120,6 +245,7 @@ ynh_script_progression --message="Making sure dedicated system user exists..." -
 
 # Create a dedicated user (if not existing)
 ynh_system_user_create --username=$app
+adduser turnserver ssl-cert
 
 #=================================================
 # SETUP SYSTEMD
@@ -136,30 +262,38 @@ ynh_add_systemd_config
 #=================================================
 
 # Set permissions on app files
-chown -R $app: $final_path
+chown -R $app:root $final_path
 chmod -R 755 $final_path
+chown -R $app:root /var/log/$app
+chown -R $app:root /etc/$app
+chmod -R u=rwX,g=rX,o= /etc/$app
+chmod 770 $final_path/Coturn_config_rotate.sh
+setfacl -R -m user:turnserver:rX  /etc/$app
+setfacl -R -m user:turnserver:rwX  /var/log/$app
 
 #=================================================
 # SETUP LOGROTATE
 #=================================================
-# ynh_script_progression --message="Upgrading logrotate configuration..." --time --weight=1
+ynh_script_progression --message="Upgrading logrotate configuration..." --weight=1
 
 # # Use logrotate to manage app-specific logfile(s)
-# ynh_use_logrotate --non-append
+ynh_use_logrotate --non-append
 
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
-ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
+ynh_script_progression --message="Integrating service in YunoHost..." --weight=2
 
 yunohost service add $app --description="Videoconferencing server" --log="/var/log/$app/$app.log"
+yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
 
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
-ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=coturn-$app.service --action=restart
+ynh_systemd_action --service_name=$app --action=restart --log_path="/var/log/$app/$app.log"
 
 #=================================================
 # RELOAD NGINX

sources/Coturn_config_rotate.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+app_instance=__APP__
+
+source /usr/share/yunohost/helpers
+
+external_IP_line="external-ip=__IPV4__,__IPV6__"
+
+public_ip4="$(curl ip.yunohost.org)" || true
+public_ip6="$(curl ipv6.yunohost.org)" || true
+
+if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
+then
+    echo "external-ip=$public_ip4" >> "$coturn_config_path"
+fi
+
+if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
+then
+    echo "external-ip=$public_ip6" >> "$coturn_config_path"
+fi
+
+old_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf")
+ynh_replace_string "^external-ip=.*\$" "$external_IP_line" "/etc/matrix-$app_instance/coturn.conf"
+new_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf")
+
+setfacl -R -m user:turnserver:rX  /etc/matrix-$app_instance
+
+if [ "$old_config_line" != "$new_config_line" ]
+then
+    systemctl restart coturn-$app_instance.service
+fi
+
+exit 0