YunoHost-Apps/synapse_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/synapse_ynh.git synced 2024-09-03 20:26:38 +02:00
Code Issues Activity Actions

Remplement TLS/DTLS for calls

Browse source
This commit is contained in:
Josué Tille 2024-02-26 22:35:05 +01:00
parent 6fb5996d73
commit 17ebb27425
No known key found for this signature in database
GPG key ID: 5F259226AD51F2F5
6 changed files with 32 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
conf/homeserver.yaml
View file

@ -1181,7 +1181,7 @@ oembed:
# The public URIs of the TURN server to give to clients # The public URIs of the TURN server to give to clients
# #
turn_uris: [ "turn:__DOMAIN__:__PORT_TURNSERVER_TLS__?transport=udp", "turn:__DOMAIN__:__PORT_TURNSERVER_TLS__?transport=tcp" ] __TURN_SERVER_CONFIG__
# The shared secret used to compute passwords for the TURN server # The shared secret used to compute passwords for the TURN server
# #
@ -1195,7 +1195,7 @@ turn_shared_secret: "__TURNSERVER_PWD__"
# How long generated TURN credentials last # How long generated TURN credentials last
# #
turn_user_lifetime: 1h turn_user_lifetime: 12h
# Whether guests should be allowed to use the TURN server. # Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests. # This defaults to True, otherwise VoIP will be unreliable for guests.

7
conf/turnserver.conf
View file

@ -26,4 +26,11 @@ log-file=/var/log/matrix-__APP__/turnserver.log
pidfile=/run/coturn-__APP__/turnserver.pid pidfile=/run/coturn-__APP__/turnserver.pid
simple-log simple-log
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200
# Max time 12h
max-allocate-lifetime=43200
_TURN_EXTERNAL_IP_ _TURN_EXTERNAL_IP_

10
config_panel.toml
View file

@ -224,3 +224,13 @@ services = ["matrix-__APP__"]
ask = "Shared Secret for Registration" ask = "Shared Secret for Registration"
type = "string" type = "string"
help = "Allows registration of standard or admin accounts, even if Registration disabled." help = "Allows registration of standard or admin accounts, even if Registration disabled."
[advanced.security]
name = "Security"
[advanced.security.enable_dtls_for_audio_video_turn_call]
ask = "Enable TLS/DTLS on Audio/Video coll"
type = "boolean"
yes = "true"
no = "false"
help = "Enabling TLS/DTLS is really recommanded but it could bring some issues depending of the server certificate. There are some known issues with let's encrypt (https://github.com/element-hq/element-android/issues/1533), so if you have issues it could be better to disable this feature."

6
scripts/_common.sh
View file

@ -95,6 +95,12 @@ configure_synapse() {
done <<< "${allowed_local_3pids_msisdn}," done <<< "${allowed_local_3pids_msisdn},"
fi fi
fi fi
local turn_server_config=""
if $enable_dtls_for_audio_video_turn_call; then
turn_server_config='turn_uris: [ "stuns:'$domain:$port_turnserver_tls'?transport=dtls", "stuns:'$domain:$port_turnserver_tls'?transport=tls", "turns:'$domain:$port_turnserver_tls'?transport=dtls", "turns:'$domain:$port_turnserver_tls'?transport=tls" ]'
else
turn_server_config='turn_uris: [ "turn:'$domain:$port_turnserver_tls'?transport=udp", "turn:'$domain:$port_turnserver_tls'?transport=tcp" ]'
fi
ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml" ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
sed -i "s|_DOMAIN_WHITELIST_CLIENT_|$domain_whitelist_client|g" /etc/matrix-$app/homeserver.yaml sed -i "s|_DOMAIN_WHITELIST_CLIENT_|$domain_whitelist_client|g" /etc/matrix-$app/homeserver.yaml

2
scripts/install
View file

@ -43,6 +43,7 @@ notif_for_new_users="true"
enable_group_creation="true" enable_group_creation="true"
push_include_content="true" push_include_content="true"
enable_3pid_lookup=false enable_3pid_lookup=false
enable_dtls_for_audio_video_turn_call=true
if [ "$is_free_registration" -eq 0 ] if [ "$is_free_registration" -eq 0 ]
then then
@ -91,6 +92,7 @@ ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_
ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
#================================================= #=================================================
# STANDARD MODIFICATIONS # STANDARD MODIFICATIONS

5
scripts/upgrade
View file

@ -199,6 +199,11 @@ then
push_include_content="true" push_include_content="true"
ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
fi fi
if [ -z "${enable_dtls_for_audio_video_turn_call:-}" ]
then
enable_dtls_for_audio_video_turn_call="true"
ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
fi
#================================================= #=================================================
# MIGRATION 7 : STANDARDIZE SYSTEMD UNIT # MIGRATION 7 : STANDARDIZE SYSTEMD UNIT