From 003b05defdd867bd76776bf578f88efdccca455d Mon Sep 17 00:00:00 2001
From: Dante
Date: Thu, 2 Mar 2023 12:29:49 +0000
Subject: [PATCH 1/3] Improve manifest question descriptions and allow specifying multiple users during install
---
manifest.json | 22 ++++++++++------------
scripts/install | 3 +++
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/manifest.json b/manifest.json
index 4e801fe..3289c2a 100644
--- a/manifest.json
+++ b/manifest.json
@@ -52,8 +52,8 @@
},
"example": "whatsappbot",
"help": {
- "en": "A system user will be created. Invite @whatsappbot:localsynapse.servername from an authorized Matrix account to start bridging. Give the Matrix server_name, not the full domain/URL.",
- "fr": "Un utilisateur système sera créé. Inviter @whatsappbot:localsynapse.servername depuis un compte Matrix autorisé pour démarrer une passerelle. Donner le nom du serveur Matrix, pas le domaine/URL complet."
+ "en": "A system user will be created. Invite @whatsappbot:localsynapse.servername from an authorized Matrix account to start bridging.\nGive the Matrix server_name, not the full domain/URL.",
+ "fr": "Un utilisateur système sera créé. Inviter @whatsappbot:localsynapse.servername depuis un compte Matrix autorisé pour démarrer une passerelle.\nDonner le nom du serveur Matrix, pas le domaine/URL complet."
},
"default": "whatsappbot"
},
@@ -65,8 +65,8 @@
"fr": "Donner au robot WhatsApp des droits administrateur à l'instance Synapse ?"
},
"help": {
- "en": "If true, the bot can group WhatsApp chats in a Matrix space. Not required if you set up Synapse so that non-admins are authorized to create communities.",
- "fr": "Si true, le robot groupera les conversations WhatsApp dans une communauté Matrix. Pas nécessaire si vous avez réglé Synapse pour qu'il autorise les non-admin à créer des communautés."
+ "en": "If true, the bot can group WhatsApp chats in a Matrix space.\nNot required if you set up Synapse so that non-admins are authorized to create communities.",
+ "fr": "Si true, le robot groupera les conversations WhatsApp dans une communauté Matrix.\nPas nécessaire si vous avez réglé Synapse pour qu'il autorise les non-admin à créer des communautés."
},
"default": true
},
@@ -92,10 +92,9 @@
},
"example": "@johndoe:localsynapse.servername or @johndoe:matrix.org",
"help": {
- "en": "The WhatsApp bot administrator does not need to be a local Synapse account.",
- "fr": "Le compte administrateur du robot WhatsApp peut ne pas être un compte local Synapse."
- },
- "default": "Your main Matrix account"
+ "en": "The administrator does not need to be a local Synapse account. Valid formats are @johndoe:localsynapse.servername or @johndoe:matrix.org",
+ "fr": "L'administrateur peut ne pas être un compte local Synapse. Les formats valables sont @johndoe:localsynapse.servername or @johndoe:matrix.org"
+ }
},
{
"name": "botusers",
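Review bot: In the hunk at @@ -92,10 +92,9 @@ the new French help line keeps the English conjunction: `Les formats valables sont @johndoe:localsynapse.servername or @johndoe:matrix.org` should read `Les formats valables sont @johndoe:localsynapse.servername ou @johndoe:matrix.org`. The new English line also drops the terminating period after `@johndoe:matrix.org`, unlike the other help strings in this file. Both examples are already given verbatim in `example`, so the help text could refer to that field instead of repeating them, which keeps the two from drifting apart later.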
@@ -104,11 +103,10 @@
"en": "Choose Matrix user(s) authorized to bridge with the WhatsApp bot.",
"fr": "Choisissez le/les compte(s) Matrix autorisés à utiliser la passerelle WhatsApp."
},
- "example": "local or @johndoe:server.name or server.name or *",
- "default": "local",
+ "example": "@johndoe:server.name or server.name or *",
"help": {
- "en": "Either all local Synapse users (local), a remote or local user (@johndoe:server.name), a remote server (matrix.org), or all remote/local servers (*) can be authorized. Give the Matrix server_name, not the full domain/URL.",
- "fr": "Soit tous les comptes Synapse locaux (local), un compte local ou distant (@johndoe:server.name), un serveur distant (matrix.org), ou tous les serveurs remote/local (*). Donner le nom du serveur Matrix, pas le domaine/URL complet."
+ "en": "A remote or local user (@johndoe:server.name), a remote server (matrix.org), or all remote/local servers (*) can be authorized.\nGive the Matrix server_name, not the full domain/URL.\nIt is also possible to specify multiple values by separating them with comma. Example: @johndoe:server.name,domain.tld,matrix.org",
+ "fr": "Un compte local ou distant (@johndoe:server.name), un serveur distant (matrix.org), ou tous les serveurs remote/local (*).\nDonner le nom du serveur Matrix, pas le domaine/URL complet\nIl est également possible de spécifier plusieurs valeurs en les séparant par une virgule. Exemple : @johndoe:server.name,domain.tld,matrix.org"
}
}
]
diff --git a/scripts/install b/scripts/install
index 34c02cb..d81bb5c 100755
--- a/scripts/install
+++ b/scripts/install
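Review bot: The new help text presents `*` as just one more accepted format, without saying that it authorizes every user of every federated Matrix server to use this bridge; now that the `local` default is gone and the operator has to type a value, a sentence such as `Use * only if you want any user on any Matrix server to be able to bridge; otherwise list specific users or your own server_name.` belongs after the format list, in both languages. The French string is also missing the period before the line break (`pas le domaine/URL complet\nIl est`) that the English version has, and `remote/local` is left untranslated; the same French line is carried over unchanged in the hunk at @@ -105,8 +105,8 @@ of the second commit. Note that this commit removes the `local` value from the manifest while the install script's `if [ "$listuser" == "local" ]` conversion is only dropped in the next commit, so the first commit on its own still accepts a value it no longer documents.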
@@ -179,6 +179,9 @@ ynh_add_config --template="../conf/config.yaml" --destination="$final_path/confi
chmod 400 "$final_path/config.yaml"
chown $app:$app "$final_path/config.yaml"
+# This call allows to set multiple users during install question "botusers" specifying them separated by a comma
+set__listuser
+
#=================================================
# REGISTER SYNAPSE APP-SERVICE
#=================================================
From abe590e1388a6f4250a7ec5d679e58398023f7a2 Mon Sep 17 00:00:00 2001
From: Dante
Date: Thu, 2 Mar 2023 15:10:04 +0000
Subject: [PATCH 2/3] Improve systemd security, fix encryption wrong value and remove local option
---
conf/systemd.service | 12 ++++++++++++
manifest.json | 4 ++--
scripts/install | 8 ++++++--
3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/conf/systemd.service b/conf/systemd.service
index c16a18b..0bcb2dc 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -33,5 +33,17 @@ SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
[Install]
WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 3289c2a..3b340b2 100644
--- a/manifest.json
+++ b/manifest.json
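Review bot: The new `set__listuser` call runs right after config.yaml has been written and locked down with `chmod 400`/`chown`, but nothing in the hunk shows where that function is defined or what it writes; if it lives in another script (the `set__` prefix suggests the config panel) it has to be sourced before this point, and if it rewrites config.yaml the two `chmod 400`/`chown` lines above should move below it, or be repeated, so the file does not end up with a different owner or mode. The added comment explains the motivation rather than the contract; `# "botusers" may hold several comma-separated entries; set__listuser splits them and applies each one` would tell the reader what happens here. Whether the answer is validated at all (empty entries around stray commas, for instance) is not visible in this hunk either.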
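Review bot: `CAP_RAWIO` on the first added `CapabilityBoundingSet=~` line is not a capability name; the one documented in capabilities(7) is `CAP_SYS_RAWIO`, so the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. As far as I know systemd logs a parse warning for the unknown token and keeps the rest of the line, which means raw I/O access silently stays in the bounding set. More generally, a deny-list still leaves CAP_DAC_OVERRIDE, CAP_SETUID/CAP_SETGID, CAP_SYS_CHROOT and others available; if the bridge runs under an unprivileged `User=` (the `[Service]` header is outside this hunk) and needs no capability at all, the empty allow-list `CapabilityBoundingSet=` together with `NoNewPrivileges=true` is both shorter and stronger. The comment also speaks of "webapps" although this unit runs a Matrix bridge; `# Drop capabilities a Matrix bridge running as its own user never needs` would describe the intent.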
@@ -105,8 +105,8 @@
},
"example": "@johndoe:server.name or server.name or *",
"help": {
- "en": "A remote or local user (@johndoe:server.name), a remote server (matrix.org), or all remote/local servers (*) can be authorized.\nGive the Matrix server_name, not the full domain/URL.\nIt is also possible to specify multiple values by separating them with comma. Example: @johndoe:server.name,domain.tld,matrix.org",
- "fr": "Un compte local ou distant (@johndoe:server.name), un serveur distant (matrix.org), ou tous les serveurs remote/local (*).\nDonner le nom du serveur Matrix, pas le domaine/URL complet\nIl est également possible de spécifier plusieurs valeurs en les séparant par une virgule. Exemple : @johndoe:server.name,domain.tld,matrix.org"
+ "en": "A remote or local user (@johndoe:server.name),the local server (server.name), a remote server (matrix.org), or all remote/local servers (*) can be authorized.\nGive the Matrix server_name, not the full domain/URL.\nIt is also possible to specify multiple values by separating them with comma. Example: @johndoe:server.name,domain.tld,matrix.org",
+ "fr": "Un compte local ou distant (@johndoe:server.name), le serveur local (server.name), un serveur distant (matrix.org), ou tous les serveurs remote/local (*).\nDonner le nom du serveur Matrix, pas le domaine/URL complet\nIl est également possible de spécifier plusieurs valeurs en les séparant par une virgule. Exemple : @johndoe:server.name,domain.tld,matrix.org"
}
}
]
diff --git a/scripts/install b/scripts/install
index d81bb5c..951125a 100755
--- a/scripts/install
+++ b/scripts/install
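Review bot: The added English help line is missing the space after the comma in `(@johndoe:server.name),the local server (server.name)`; it should read `(@johndoe:server.name), the local server (server.name)`, as the French line already does. This text is shown to the operator at install time, so both strings deserve one more proofreading pass before the release tagged in the next commit.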
@@ -44,9 +44,13 @@ server_name=$(ynh_app_setting_get --app $synapse_instance --key server_name)
domain=$(ynh_app_setting_get --app $synapse_instance --key domain)
synapse_db_name="matrix_$synapse_instance"
-if [ "$listuser" == "local" ]
+# This is needed to convert the value from the manifest to a valid value for the config.yaml file.
+# Without this the install script will throw a warning.
+if [ "$encryption" -eq "1" ]
then
- listuser="$server_name"
+ encryption="true"
+else
+ encryption="false"
fi
#=================================================
From c0d4d969de6b89d84c75f8d64528a07611a50c55 Mon Sep 17 00:00:00 2001
From: Dante
Date: Thu, 2 Mar 2023 16:19:03 +0000
Subject: [PATCH 3/3] Bump Yuno version
---
README.md | 2 +-
README_fr.md | 2 +-
manifest.json | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 6a36e84..a558d63 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ Therefore, [Synapse for YunoHost](https://github.com/YunoHost-Apps/synapse_ynh)
** Attention: always backup and restore the Yunohost matrix_synapse et mautrix_whatsapp apps together!**
-**Shipped version:** 0.8.2~ynh1
+**Shipped version:** 0.8.2~ynh2
## Disclaimers / important information
## List of known public services
diff --git a/README_fr.md b/README_fr.md
index 851ffbb..add9114 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -25,7 +25,7 @@ C'est pourquoi [Synapse for YunoHost](https://github.com/YunoHost-Apps/synapse_y
** Attention : sauvegardez et restaurez toujours les deux applications Yunohost matrix_synapse et mautrix_whatsapp en même temps!**
-**Version incluse :** 0.8.2~ynh1
+**Version incluse :** 0.8.2~ynh2
## Avertissements / informations importantes
## Liste de passerelles publiques
diff --git a/manifest.json b/manifest.json
index 3b340b2..c7479ae 100644
--- a/manifest.json
+++ b/manifest.json
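Review bot: `[ "$encryption" -eq "1" ]` is an integer comparison, so if `$encryption` is ever empty or a non-numeric value such as `true`, `[` prints "integer expression expected" and the `if` silently takes the `else` branch, disabling encryption without failing the install; a string test, `if [ "$encryption" = "1" ]`, avoids the error and makes the accepted input explicit. The comment above it explains why the block exists but not what it converts; `# The manifest delivers the boolean as 1/0; config.yaml expects the literal strings true/false` would say it directly, assuming 1/0 is indeed what arrives, which this hunk only implies. Dropping the `listuser == "local"` conversion matches the manifest change in the first commit, but installs that already saved `listuser=local` will carry that value into any other script that reads it (the upgrade script is not part of this series), so the same cleanup may be needed there.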
@@ -6,7 +6,7 @@
"en": "Matrix / Synapse puppeting bridge for WhatsApp",
"fr": "Passerelle Matrix / Synapse pour WhatsApp"
},
- "version": "0.8.2~ynh1",
+ "version": "0.8.2~ynh2",
"url": "https://github.com/mautrix/whatsapp",
"upstream": {
"license": "AGPL-3.0-or-later",