From 282dd410d29203d667fbd75b0b268ac3ce070683 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Wed, 1 Aug 2018 00:32:10 +0200
Subject: [PATCH] Update script for new config
- Add support for shared_secret, macaroon_secret, form_secret
- Use the own tls cert and keys
- Add possibility to enable the stats report
---
 conf/homeserver.yaml | 6 +++---
 conf/turnserver.conf | 2 +-
 scripts/install | 42 +++++++++++++++++++++++++++----------
 scripts/restore | 4 ++--
 scripts/upgrade | 49 ++++++++++++++++++++++++++++++++++----------
 5 files changed, 75 insertions(+), 28 deletions(-)
diff --git a/conf/homeserver.yaml b/conf/homeserver.yaml
index 26eede8..3d1c66a 100644
--- a/conf/homeserver.yaml
+++ b/conf/homeserver.yaml
@@ -4,13 +4,13 @@
 # autogenerates on launch with your own SSL certificate + key pair
 # if you like. Any required intermediary certificates can be
 # appended after the primary certificate in hierarchical order.
-tls_certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem"
+tls_certificate_path: "/etc/matrix-__APP__/__DOMAIN__.tls.crt"
 # PEM encoded private key for TLS
-tls_private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem"
+tls_private_key_path: "/etc/matrix-__APP__/__DOMAIN__.tls.key"
 # PEM dh parameters for ephemeral keys
-tls_dh_params_path: "/etc/matrix-__APP__/dh.pem"
+tls_dh_params_path: "/etc/matrix-__APP__/__DOMAIN__.tls.dh"
 # Don't bind to the https port
 no_tls: False
diff --git a/conf/turnserver.conf b/conf/turnserver.conf
index 6895d6e..70d8086 100644
--- a/conf/turnserver.conf
+++ b/conf/turnserver.conf
@@ -11,7 +11,7 @@ cli-port=__CLI_PORT__
 cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
 pkey=/etc/yunohost/certs/__DOMAIN__/key.pem
-dh-file=/etc/matrix-__APP__/dh.pem
+dh-file=/etc/matrix-__APP__/__DOMAIN__.tls.dh
 no-sslv2
 no-sslv3
diff --git a/scripts/install b/scripts/install
index f03c4cc..69c4fe0 100644
--- a/scripts/install
+++ b/scripts/install
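Review bot: `tls_certificate_path` and `tls_private_key_path` now point at files under `/etc/matrix-__APP__/` instead of the YunoHost-managed certificate, and neither the template comments nor this hunk say where those files come from or who renews them; from the install script in the same patch they appear to be produced by synapse's `--generate-keys`, i.e. a self-signed pair. A comment in the template would save the next maintainer a search, e.g. `# Self-signed pair written by synapse --generate-keys at install/upgrade (see scripts/install); not the YunoHost-managed certificate.` Note that `conf/turnserver.conf` in this same patch keeps `cert`/`pkey` under `/etc/yunohost/certs/__DOMAIN__/`, so synapse and coturn now present different certificates, which is worth stating explicitly if that is intended.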
@@ -25,6 +25,7 @@ synapse_user="matrix-$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
+report_stats="False"
 #=================================================
 # RETRIEVE ARGUMENTS FROM THE MANIFEST
@@ -58,6 +59,7 @@ ynh_app_setting_set $app special_path $path_url
 ynh_app_setting_set $app final_path $final_path
 ynh_app_setting_set $app synapse_version $upstream_version
 ynh_app_setting_set $app is_public $is_public
+ynh_app_setting_set $app report_stats $report_stats
 #=================================================
 # STANDARD MODIFICATIONS
@@ -84,15 +86,6 @@ ynh_app_setting_set $app turnserver_tls_port $turnserver_tls_port
 ynh_app_setting_set $app turnserver_alt_tls_port $turnserver_alt_tls_port
 ynh_app_setting_set $app cli_port $cli_port
-#=================================================
-# CREATE A DH FILE
-#=================================================
-
-# Make dh cert for synapse if it not exist
-test ! -e /etc/matrix-$app/dh.pem && \
- mkdir -p /etc/matrix-$app && \
- openssl dhparam -out /etc/matrix-$app/dh.pem 2048 > /dev/null
-
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
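Review bot: Deleting the `openssl dhparam -out /etc/matrix-$app/dh.pem 2048` step leaves the DH parameters file entirely to synapse's `--generate-keys` (added later in this patch), and the commit does not say whether that writes a freshly generated group or a built-in default; if it is the latter, every install shares the same parameters, which is weaker than the per-install generation this hunk removes. Worth confirming against the synapse version the app pins and recording the answer next to the generation step, e.g. `# DH params are written by synapse --generate-keys (confirmed: fresh group / built-in default)`. In the first hunk of this line, `report_stats="False"` is a fixed literal defined alongside derived variables rather than a manifest argument, so despite the commit message the report apparently can only be enabled by editing the stored setting; a comment saying so would make that explicit.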
@@ -176,6 +169,30 @@ else
 deactivate
 fi
+#=================================================
+# CREATE SYNAPSE KEYS
+#=================================================
+
+# Go in virtualenvironnement
+source $final_path/bin/activate
+
+# Get the dh.pem if exist
+test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem $domain.tls.dh
+
+# Generate config and keys
+python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml
+
+# This fonction was defined while we call "source $final_path/bin/activate". By this fonction de undo what does "$final_path/bin/activate"
+deactivate
+
+# Get randoms values from config
+registration_shared_secret=$(egrep "registration_shared_secret" homeserver.yml | cut -d'"' -f2)
+form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f2)
+
+# store in yunohost settings
+ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret"
+ynh_app_setting_set $app form_secret "$form_secret"
+
 #=================================================
 # SETUP SYSTEMD
 #=================================================
@@ -219,6 +236,9 @@ ynh_replace_string __PORT__ $port "$homeserver_config_path"
 ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
+ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
+ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
+ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"
 ynh_replace_string __APP__ $app "/etc/matrix-$app/log.yaml"
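Review bot: The `mv` on the dh.pem line has a relative destination, `mv /etc/matrix-$app/dh.pem $domain.tls.dh`, so an existing dh.pem is moved into the script's current directory instead of next to the other keys; the upgrade script in this same patch writes to `/etc/matrix-$app/$domain.tls.dh`, and install should match: `test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem /etc/matrix-$app/$domain.tls.dh`. The generated `homeserver.yml` is likewise written to the current directory, contains the freshly generated secrets, and is never removed after the two `egrep` lines read it; an `rm -f homeserver.yml` after extraction (or generating into a temporary directory) avoids leaving a second copy of the secrets behind, and the same applies to the migration block in scripts/upgrade. The commit subject lists `macaroon_secret`, but only `registration_shared_secret` and `form_secret` are extracted here, so either the subject or this hunk is incomplete.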
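Review bot: `ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"` passes a synapse-generated secret, which as far as I know is drawn from a character set including punctuation, into a sed-based helper; unless `ynh_replace_string` escapes the sed delimiter, `&` and backslashes, a secret containing them lands in the config mangled, and one containing `"` is already truncated by the `cut -d'"'` extraction earlier in the file. Either verify the helper's escaping or at least refuse an empty or truncated value before substituting, e.g. `[[ -n "$registration_shared_secret" && -n "$form_secret" ]] || ynh_die "Generated synapse secrets are empty"`. The matching hunk in scripts/upgrade has the same exposure.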
@@ -303,14 +323,14 @@ python3 $final_path/add_sso_conf.py || ynh_die "Your file /etc/ssowat/conf.json.
 # SECURE FILES AND DIRECTORIES
 #=================================================
-# WARRNING : theses command are used in INSTALL, UPGRADE (2 times), RESTORE
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times)
 # For any update do it in all files
 chown $synapse_user:root -R $final_path
 chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/dh.pem
+chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
 setfacl -R -m user:turnserver:rX /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
diff --git a/scripts/restore b/scripts/restore
index 2f907a8..e6d6d5f 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -170,14 +170,14 @@ ynh_use_logrotate /var/log/matrix-$app
 # SECURE FILES AND DIRECTORIES
 #=================================================
-# WARNING : these commands are used in INSTALL, UPGRADE, RESTORE
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times)
 # For any update do it in all files
 chown $synapse_user:root -R $final_path
 chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/dh.pem
+chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
 setfacl -R -m user:turnserver:rX /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
diff --git a/scripts/upgrade b/scripts/upgrade
index 54aca18..9acce4b 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
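Review bot: The new `chmod 600` correctly covers `$domain.signing.key` and `$domain.tls.key`, but the unchanged `setfacl -R -m user:turnserver:rX /etc/matrix-$app` that follows still grants the turnserver user read on every file in the directory, and because setfacl recomputes the ACL mask after the chmod that grant is effective on both private keys, while per `conf/turnserver.conf` coturn only needs `$domain.tls.dh`. This was already true of the signing key before the patch, but with the TLS private key now living there too, a narrower grant is worth considering: `setfacl -m user:turnserver:rX /etc/matrix-$app` on the directory itself and `setfacl -m user:turnserver:r /etc/matrix-$app/$domain.tls.dh` on the one file coturn reads. Separately, the rewritten comment reintroduces "theses command" and the restore hunk below replaces a previously correct sentence with it; `# WARNING : these commands are used in INSTALL, UPGRADE, RESTORE (3 times)` would fix all three copies, including the one in scripts/upgrade.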
@@ -42,6 +42,9 @@ turnserver_tls_port=$(ynh_app_setting_get $app turnserver_tls_port)
 turnserver_alt_tls_port=$(ynh_app_setting_get $app turnserver_alt_tls_port)
 turnserver_pwd=$(ynh_app_setting_get $app turnserver_pwd)
 cli_port=$(ynh_app_setting_get $app cli_port)
+registration_shared_secret=$(ynh_app_setting_get $app registration_shared_secret)
+form_secret=$(ynh_app_setting_get $app form_secret)
+report_stats=$(ynh_app_setting_get $app report_stats)
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
@@ -115,6 +118,34 @@ else
 deactivate
 fi
+#=================================================
+# MIGRATION 1 : USE SYNAPSE OWN KEYS
+#=================================================
+
+if [[ -z "$registration_shared_secret" ]]
+then
+ # Go in virtualenvironnement
+ source $final_path/bin/activate
+
+ # Get the dh.pem if exist
+ test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem /etc/matrix-$app/$domain.tls.dh
+ test -e /etc/matrix-$app/homeserver.signing.key && mv /etc/matrix-$app/homeserver.signing.key /etc/matrix-$app/$domain.signing.key
+
+ # Generate config and keys
+ python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml
+
+ # This fonction was defined while we call "source $final_path/bin/activate". By this fonction de undo what does "$final_path/bin/activate"
+ deactivate
+
+ # Get randoms values from config
+ registration_shared_secret=$(egrep "registration_shared_secret" homeserver.yml | cut -d'"' -f2)
+ form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f1)
+
+ # store in yunohost settings
+ ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret"
+ ynh_app_setting_set $app form_secret "$form_secret"
+fi
+
 #=================================================
 # UPDATE SYNAPSE CONFIG
 #=================================================
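Review bot: `form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f1)` takes the field before the first quote, i.e. the literal `form_secret: ` prefix, not the secret; the install script in this same patch uses `-f2`, and this line should match: `form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f2)`. Because the value is then persisted with `ynh_app_setting_set` and substituted into the config by the later hunk, every upgraded instance would run with a predictable form_secret, and the `-z "$registration_shared_secret"` guard means the migration will not re-run on its own to repair it. The rename of `homeserver.signing.key` to `$domain.signing.key` only preserves the server's signing identity if the generated config's signing key path resolves to the renamed file, which this hunk does not show; a one-line comment stating that assumption next to the `mv` would help, as would removing the generated `homeserver.yml` once the secrets are read.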
@@ -135,6 +166,9 @@ ynh_replace_string __PORT__ $port "$homeserver_config_path"
 ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
+ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
+ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
+ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"
 ynh_replace_string __APP__ $app "/etc/matrix-$app/log.yaml"
@@ -149,7 +183,7 @@ ynh_store_file_checksum "$homeserver_config_path"
 ynh_store_file_checksum "/etc/matrix-$app/log.yaml"
 #=================================================
-# MIGRATION 1 : MULTINSTANCE SUPPORT
+# MIGRATION 2 : MULTINSTANCE SUPPORT
 #=================================================
 if [[ ! -e /etc/matrix-$app/coturn.conf ]]
@@ -183,8 +217,7 @@ then
 fi
 #=================================================
-# MIGRATION 2 : USE STANDARD ACCESS FOR CERTIFCATE
-# AND USE INDEPENDANT DH FILE
+# MIGRATION 3 : USE STANDARD ACCESS FOR CERTIFCATE
 #=================================================
 # Fix issue about certificates access
@@ -194,12 +227,6 @@ then
 adduser turnserver ssl-cert
 fi
-# In the old synapse instance we stored the dh.pem in /etc/yunohost/certs/DOMAIN.TLD/ but it was problematics with lets'encrypt witch made a link to the key. While the letsencrypt key was changed the dh.pem file was lost. So we decided to move to /etc/matrix-synapse/ witch is a directory witch is not managed by any other component.
-# Here we check if the dh.pem file is already moved. If not we try to copy the file from the old place. If the file in the old place was already removed (by letsencrypt) we create a new one.
-test -e /etc/matrix-$app/dh.pem || \
- cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-$app/dh.pem || \
- openssl dhparam -out /etc/matrix-$app/dh.pem 2048 > /dev/null
-
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@@ -274,14 +301,14 @@ ynh_add_systemd_config coturn-$app coturn-synapse.service
 # SECURE FILES AND DIRECTORIES
 #=================================================
-# WARRNING : theses command are used in INSTALL, UPGRADE (2 times), RESTORE
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times)
 # For any update do it in all files
 chown $synapse_user:root -R $final_path
 chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/dh.pem
+chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
 setfacl -R -m user:turnserver:rX /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX /var/log/matrix-$app