1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/synapse_ynh.git synced 2024-09-03 20:26:38 +02:00
synapse_ynh/doc/ADMIN.md

177 lines
8.3 KiB
Markdown
Raw Normal View History

## Web client
2022-05-21 21:53:32 +02:00
The most well-known Matrix web client is Element, which is available in the YunoHost app catalog: <https://github.com/YunoHost-Apps/element_ynh>.
2022-05-21 21:53:32 +02:00
### Important Security Note
2022-05-21 21:53:32 +02:00
We do not recommend running Element from the same domain name as your Matrix homeserver (synapse). The reason is the risk of XSS (cross-site-scripting) vulnerabilities that could occur if someone caused Element to load and render malicious user generated content from a Matrix API which then had trusted access to Element (or other apps) due to sharing the same domain.
2022-05-21 21:53:32 +02:00
We have put some coarse mitigations into place to try to protect against this situation, but it's still not a good practice to do it in the first place. See https://github.com/vector-im/element-web/issues/1977 for more details.
## Admin UI
You may be interested in the synapse-admin app, which provides an administration interface for synapse: <https://github.com/YunoHost-Apps/synapse-admin_ynh>.
Then, to log in the API with your admin credentials (cf next section)
### Set user as admin
2022-05-21 21:53:32 +02:00
Currently, the client interface doesn't allow to grant admin rights. The workaround is to enable it manually in the database. The YunoHost app provides a small script to do so, which can be invoked:
```bash
/opt/yunohost/matrix-__APP__/set_admin_user.sh '@user_to_be_admin:domain.tld'
```
2022-05-21 21:53:32 +02:00
2024-02-29 23:50:49 +01:00
## Access by federation
2022-05-21 21:53:32 +02:00
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
2024-02-29 23:50:49 +01:00
If not, you can add the following line in the dns configuration but you normally don't need it as a `.well-known` file is edited during the install to declare your server name and port to the federation.
2022-05-21 21:53:32 +02:00
```
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
```
for example
```
2024-03-01 08:29:02 +01:00
_matrix._tcp.example.com. 3600 IN SRV 10 0 <synapse_port> synapse.example.com.
2022-05-21 21:53:32 +02:00
```
2024-03-01 08:29:02 +01:00
You need to replace `<synapse_port>` by the real port. This port can be obtained by the command: `yunohost app setting <synapse_instance_name> port_synapse_tls`
2022-05-21 21:53:32 +02:00
2024-01-24 21:23:51 +01:00
For more details, see : https://github.com/element-hq/synapse/blob/master/docs/federate.md
2022-05-21 21:53:32 +02:00
If it is not automatically done, you need to open this in your ISP box.
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
https://federationtester.matrix.org/ can be used to easily debug federation issues
2024-02-29 23:50:49 +01:00
## Turnserver
2022-05-21 21:53:32 +02:00
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
```bash
yunohost app setting synapse port_turnserver_tls
yunohost app setting synapse port_turnserver_alt_tls
2022-05-21 21:53:32 +02:00
```
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
```bash
2022-05-21 21:53:32 +02:00
yunohost firewall allow Both 49153:49193
```
You might also need to open these ports (if it is not automatically done) on your ISP box.
2024-03-01 08:29:02 +01:00
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/matrix-<synapse_instance_name>/Coturn_config_rotate.sh` to update your config.
2022-05-21 21:53:32 +02:00
2024-03-01 08:29:02 +01:00
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the `<synapse_instance_name>` which could be `synapse` or maybe `synapse__2`).
2022-05-21 21:53:32 +02:00
```
2024-03-01 08:29:02 +01:00
*/15 * * * * root bash /opt/yunohost/matrix-<synapse_instance_name>/Coturn_config_rotate.sh;
2022-05-21 21:53:32 +02:00
```
2024-02-29 23:50:49 +01:00
## OpenVPN
2022-05-21 21:53:32 +02:00
If your server is behind a VPN, you may want `synapse-coturn` ti automatically restart when the VPN restarts. To do this, create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
```bash
2022-05-21 21:53:32 +02:00
#!/bin/bash
(
sleep 5
sudo systemctl restart synapse-coturn.service
2022-05-21 21:53:32 +02:00
) &
exit 0
```
Add this line in you sudo config file `/etc/sudoers`
```
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart synapse-coturn.service
2022-05-21 21:53:32 +02:00
```
And add this line in your OpenVPN config file
```
ipchange /usr/local/bin/openvpn_up_script.sh
```
## Backup
2022-05-21 21:53:32 +02:00
Before any major maintenance action, it is recommended to backup the app.
2022-05-21 21:53:32 +02:00
To ensure the integrity of the data, it is recommended to explictly stop the server during the backup:
2022-05-21 21:53:32 +02:00
- Stop synapse service with theses following command:
2024-02-29 23:50:49 +01:00
```bash
systemctl stop synapse.service
2022-09-20 21:04:22 +02:00
```
- Launch the backup of synapse with this following command:
```bash
yunohost backup create --app synapse
```
2022-09-18 12:29:14 +02:00
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/synapse`.
- Restart the synapse service with these command:
```bash
systemctl start synapse.service
```
2022-09-18 12:29:14 +02:00
## Changing the server URL
2022-09-20 21:04:22 +02:00
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
2022-09-20 21:04:22 +02:00
2024-03-09 00:02:58 +01:00
Synapse give the possibility to change the domain of the instance. Note that this will only change the domain on which the synapse server will run. **This won't change the domain name of the account which is an other thing.**
2022-09-20 21:04:22 +02:00
2024-02-29 23:50:49 +01:00
The advantage of this is that you can put the app on a specific domain without impacting the domain name of the accounts. For instance you can have the synapse app on `matrix.yolo.net` and the user account will be something like that `@michu:yolo.net`. Note that it's the main difference between the domain of the app (which is `matrix.yolo.net`) and the "server name" which is `yolo.net`.
2022-09-20 21:04:22 +02:00
2024-02-29 23:50:49 +01:00
**Note that this change will have some important implications:**
- **This will break the connection from all previous connected clients. So all client connected before this change won't be able to communicate with the server until users will do a logout and login (which can also be problematic for e2e keys).** [There are a workaround which are described below](#avoid-the-need-to-reconnect-all-client-after-change-url-operation).
- In some case the client configuration will need to be updated. By example on element we can configure a default matrix server, this settings by example will need to be updated to the new domain to work correctly.
- In case of the "server name" domain are not on the same server than the synapse domain, you will need to update the `.well-known` or your DNS.
2022-09-20 21:04:22 +02:00
2024-02-29 23:50:49 +01:00
To do the change url of synapse you can do it by this following command or with the webadmin.
2022-09-20 21:04:22 +02:00
2024-02-29 23:50:49 +01:00
```bash
sudo yunohost app change-url synapse
2024-02-29 23:50:49 +01:00
```
2022-09-20 21:04:22 +02:00
### Avoid the need to reconnect all client after change-url operation
2022-09-20 21:04:22 +02:00
If you did change the url of synapse and you don't wan't to reconnect all client, this workaround should solve the issue.
2022-09-20 21:04:22 +02:00
2024-02-29 23:50:49 +01:00
The idea is to setup again a minimal configuration on the previous domain so the client configurated with the previous domain will still work correctly.
2022-09-20 21:04:22 +02:00
#### Nginx config
2022-09-20 21:04:22 +02:00
2024-02-29 23:50:49 +01:00
Retrive the server port with this command:
```bash
yunohost app setting synapse port_synapse
```
2022-09-20 21:04:22 +02:00
2024-03-01 08:29:02 +01:00
Edit the file `/etc/nginx/conf.d/<previous-domain.tld>.d/synapse.conf` and add this text:
2024-02-29 23:50:49 +01:00
```
location /_matrix/ {
2024-03-01 08:29:02 +01:00
proxy_pass http://localhost:<server_port_retrived_before>;
2024-02-29 23:50:49 +01:00
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
2022-09-20 21:04:22 +02:00
2024-02-29 23:50:49 +01:00
client_max_body_size 200M;
}
```
Then reload nginx config:
```bash
systemctl reload nginx.service
```
2022-09-20 21:04:22 +02:00
#### Add permanent rule on SSOWAT
2022-09-20 21:04:22 +02:00
2024-02-29 23:50:49 +01:00
- Edit the file `/etc/ssowat/conf.json.persistent`
2024-03-01 08:29:02 +01:00
- Add `"<previous-domain.tld>/_matrix"` into the list in: `permissions` > `custom_skipped` > `uris`
2024-02-29 23:50:49 +01:00
Now the configured client before the change-url should work again.
## Removing the app
2024-02-29 23:50:49 +01:00
The YunoHost policy is to not remove the data when removing an app (stored in `/home/yunohost.app/synapse`). Use the `--purge` flag during the removal of the app to remove those, or just manually delete the folder after the app is deleted.