Merge branch 'testing' into matrix_v2

2024-09-03 20:26:38 +02:00 · 2024-03-09 11:20:38 +01:00 · 2024-03-09 11:20:38 +01:00 · 1b522bd814
commit 1b522bd814
parent 632ecc4599 3d6b4e998c
6 changed files with 22 additions and 14 deletions
--- a/auto_update/auto_update.sh
+++ b/auto_update/auto_update.sh
@ -78,7 +78,7 @@ upgrade_synapse() {
 push_armv7_build() {
    ## Make a draft release json with a markdown body
    local release='"tag_name": "v'$synapse_version'", "target_commitish": "master", "name": "v'$synapse_version'", '
-    local body="Synapse prebuilt bin for synapse_ynh\\n=========\\nPlease refer to upstream project for the change : https://github.com/element-hq/synapse/releases\\n\\nSha256sum for $debian_version_name_1 : $(cat $build_result_path_deb_1/SUM_matrix-synapse_${synapse_version}-$debian_version_name_1-bin1_armv7l.tar.gz)\\nSha256sum for $debian_version_name_2 : $(cat $build_result_path_deb_2/SUM_matrix-synapse_${synapse_version}-$debian_version_name_2-bin1_armv7l.tar.gz)"
+    local body="Synapse prebuilt bin for synapse_ynh\\n=========\\nPlease refer to upstream project for the change : https://github.com/element-hq/synapse/releases\\n\\nSha256sum for $debian_version_name_1 : $(cat $build_result_path_deb_1/${result_prefix_name_deb_1}-bin1_armv7l-sha256.txt)\\nSha256sum for $debian_version_name_2 : $(cat $build_result_path_deb_2/${result_prefix_name_deb_2}-bin1_armv7l-sha256.txt)"
    release+='"body": "'$body'",'
    release+='"draft": true, "prerelease": false'
    release='{'$release'}'
--- a/conf/turnserver.conf
+++ b/conf/turnserver.conf
@ -13,15 +13,16 @@ cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
 pkey=/etc/yunohost/certs/__DOMAIN__/key.pem
 dh-file=/etc/ssl/private/dh2048.pem

+# Block clear communication
+no-udp
+no-tcp
+
+# Block old protocols
 no-sslv2
 no-sslv3
 no-tlsv1
 no-tlsv1_1

-no-multicast-peers
-
-no-cli
-
 log-file=/var/log/matrix-__APP__/turnserver.log
 pidfile=/run/coturn-__APP__/turnserver.pid
 simple-log
@ -30,6 +31,12 @@ simple-log
 user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
 total-quota=1200

+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+
 # Max time 12h
 max-allocate-lifetime=43200

--- a/doc/ADMIN.md
+++ b/doc/ADMIN.md
@ -129,7 +129,7 @@ Then, to log in the API with your credentials, you need to set your user as admi

 ### Change url

-Synapse give the possibility to change the domain of the instance. Note that this will only change the domain on which the synapse server will run. **This won't change the domain name of the account which an other thing.**
+Synapse give the possibility to change the domain of the instance. Note that this will only change the domain on which the synapse server will run. **This won't change the domain name of the account which is an other thing.**

 The advantage of this is that you can put the app on a specific domain without impacting the domain name of the accounts. For instance you can have the synapse app on `matrix.yolo.net` and the user account will be something like that `@michu:yolo.net`. Note that it's the main difference between the domain of the app (which is `matrix.yolo.net`) and the "server name" which is `yolo.net`.

--- a/manifest.toml
+++ b/manifest.toml
@ -63,13 +63,13 @@ ram.runtime = "200M"
 [resources]
    [resources.sources.synapse_prebuilt_armv7_bookworm]
    prefetch = false
-    armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bookworm-bin1_armv7l.tar.gz"
-    armhf.sha256 = "5fd5296d76675cd7a109115e1eb035758c16b095cd953a65fc8cc840fb449e40"
+    armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bookworm-bin2_armv7l.tar.gz"
+    armhf.sha256 = "4027b8e41950aeec151dfa19eda2402e7974de56d33abb9eee3879e211227eef"

    [resources.sources.synapse_prebuilt_armv7_bullseye]
    prefetch = false
-    armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bullseye-bin1_armv7l.tar.gz"
-    armhf.sha256 = "4027b8e41950aeec151dfa19eda2402e7974de56d33abb9eee3879e211227eef"
+    armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bullseye-bin2_armv7l.tar.gz"
+    armhf.sha256 = "5fd5296d76675cd7a109115e1eb035758c16b095cd953a65fc8cc840fb449e40"

    [resources.sources.sliding_proxy]
    prefetch = true
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -104,9 +104,9 @@ configure_synapse() {
    fi
    local turn_server_config=""
    if $enable_dtls_for_audio_video_turn_call; then
-        turn_server_config='turn_uris: [ "stuns:'$domain:$port_turnserver_tls'?transport=dtls", "stuns:'$domain:$port_turnserver_tls'?transport=tls", "turns:'$domain:$port_turnserver_tls'?transport=dtls", "turns:'$domain:$port_turnserver_tls'?transport=tls" ]'
+        turn_server_config='turn_uris: [ "turns:'$domain:$port_turnserver_tls'", "turns:'$domain:$port_turnserver_alt_tls'" ]'
    else
-        turn_server_config='turn_uris: [ "turn:'$domain:$port_turnserver_tls'?transport=udp", "turn:'$domain:$port_turnserver_tls'?transport=tcp" ]'
+        turn_server_config='turn_uris: [ "turn:'$domain:$port_turnserver_tls'", "turn:'$domain:$port_turnserver_alt_tls'" ]'
    fi

    ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -201,7 +201,7 @@ then
 fi
 if [ -z "${enable_dtls_for_audio_video_turn_call:-}" ]
 then
-    enable_dtls_for_audio_video_turn_call="true"
+    enable_dtls_for_audio_video_turn_call=true
    ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
 fi
 if [ -z "${sync_proxy_secret:-}" ]
@ -339,7 +339,8 @@ if yunohost app map -r --output-as json | jq -r '."'$domain'" | select( . != nul
    ynh_print_warn 'An other app is installed on this domain. Now synapse require to be alone on the domain.'
    ynh_print_warn 'To solve this you can:'
    ynh_print_warn " - Remove or move all other app which use '$domain'"
-    ynh_print_warn ' - Change the domain of synapse. You can find more informations here: https://github.com/YunoHost-Apps/synapse_ynh/blob/ce38d582ea379f60574a438056893cac79525808/doc/ADMIN.md#change-url'
+    ynh_print_warn ' - Change the domain of synapse. You can find more informations here: https://github.com/YunoHost-Apps/synapse_ynh/tree/testing/doc/ADMIN.md#change-url'
+    ynh_print_warn 'For more information you can see this issue: https://github.com/YunoHost-Apps/synapse_ynh/issues/443'
 fi

 #=================================================