Update script for new config

- Add support for shared_secret, macaroon_secret, form_secret
- Use the own tls cert and keys
- Add possibility to enable the stats report

conf/homeserver.yaml

@@ -4,13 +4,13 @@
 # autogenerates on launch with your own SSL certificate + key pair
 # if you like.  Any required intermediary certificates can be
 # appended after the primary certificate in hierarchical order.
-tls_certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem"
+tls_certificate_path: "/etc/matrix-__APP__/__DOMAIN__.tls.crt"
 
 # PEM encoded private key for TLS
-tls_private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem"
+tls_private_key_path: "/etc/matrix-__APP__/__DOMAIN__.tls.key"
 
 # PEM dh parameters for ephemeral keys
-tls_dh_params_path: "/etc/matrix-__APP__/dh.pem"
+tls_dh_params_path: "/etc/matrix-__APP__/__DOMAIN__.tls.dh"
 
 # Don't bind to the https port
 no_tls: False

conf/turnserver.conf

@@ -11,7 +11,7 @@ cli-port=__CLI_PORT__
 
 cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
 pkey=/etc/yunohost/certs/__DOMAIN__/key.pem
-dh-file=/etc/matrix-__APP__/dh.pem
+dh-file=/etc/matrix-__APP__/__DOMAIN__.tls.dh
 
 no-sslv2
 no-sslv3

scripts/install

@@ -25,6 +25,7 @@ synapse_user="matrix-$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
+report_stats="False"
 
 #=================================================
 # RETRIEVE ARGUMENTS FROM THE MANIFEST
@@ -58,6 +59,7 @@ ynh_app_setting_set $app special_path $path_url
 ynh_app_setting_set $app final_path $final_path
 ynh_app_setting_set $app synapse_version $upstream_version
 ynh_app_setting_set $app is_public $is_public
+ynh_app_setting_set $app report_stats $report_stats
 
 #=================================================
 # STANDARD MODIFICATIONS
@@ -84,15 +86,6 @@ ynh_app_setting_set $app turnserver_tls_port $turnserver_tls_port
 ynh_app_setting_set $app turnserver_alt_tls_port $turnserver_alt_tls_port
 ynh_app_setting_set $app cli_port $cli_port
 
-#=================================================
-# CREATE A DH FILE
-#=================================================
-
-# Make dh cert for synapse if it not exist
-test ! -e /etc/matrix-$app/dh.pem && \
-    mkdir -p /etc/matrix-$app && \
-    openssl dhparam -out /etc/matrix-$app/dh.pem 2048 > /dev/null
-
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
@@ -176,6 +169,30 @@ else
     deactivate
 fi
 
+#=================================================
+# CREATE SYNAPSE KEYS
+#=================================================
+
+# Go in virtualenvironnement
+source $final_path/bin/activate
+
+# Get the dh.pem if exist
+test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem $domain.tls.dh
+
+# Generate config and keys
+python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml
+
+# This fonction was defined while we call "source $final_path/bin/activate". By this fonction de undo what does "$final_path/bin/activate"
+deactivate
+
+# Get randoms values from config
+registration_shared_secret=$(egrep "registration_shared_secret" homeserver.yml | cut -d'"' -f2)
+form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f2)
+
+# store in yunohost settings
+ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret"
+ynh_app_setting_set $app form_secret "$form_secret"
+
 #=================================================
 # SETUP SYSTEMD
 #=================================================
@@ -219,6 +236,9 @@ ynh_replace_string __PORT__ $port "$homeserver_config_path"
 ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
+ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
+ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
+ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"
 
 ynh_replace_string __APP__ $app "/etc/matrix-$app/log.yaml"
 
@@ -303,14 +323,14 @@ python3 $final_path/add_sso_conf.py || ynh_die "Your file /etc/ssowat/conf.json.
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-# WARRNING : theses command are used in INSTALL, UPGRADE (2 times), RESTORE
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times)
 # For any update do it in all files
 chown $synapse_user:root -R $final_path
 chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/dh.pem
+chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
 setfacl -R -m user:turnserver:rX  /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app
 

scripts/restore

@@ -170,14 +170,14 @@ ynh_use_logrotate /var/log/matrix-$app
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-# WARNING : these commands are used in INSTALL, UPGRADE, RESTORE
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times)
 # For any update do it in all files
 chown $synapse_user:root -R $final_path
 chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/dh.pem
+chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
 setfacl -R -m user:turnserver:rX  /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app
 

scripts/upgrade

@@ -42,6 +42,9 @@ turnserver_tls_port=$(ynh_app_setting_get $app turnserver_tls_port)
 turnserver_alt_tls_port=$(ynh_app_setting_get $app turnserver_alt_tls_port)
 turnserver_pwd=$(ynh_app_setting_get $app turnserver_pwd)
 cli_port=$(ynh_app_setting_get $app cli_port)
+registration_shared_secret=$(ynh_app_setting_get $app registration_shared_secret)
+form_secret=$(ynh_app_setting_get $app form_secret)
+report_stats=$(ynh_app_setting_get $app report_stats)
 
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
@@ -115,6 +118,34 @@ else
     deactivate
 fi
 
+#=================================================
+# MIGRATION 1 : USE SYNAPSE OWN KEYS
+#=================================================
+
+if [[ -z "$registration_shared_secret" ]]
+then
+    # Go in virtualenvironnement
+    source $final_path/bin/activate
+
+    # Get the dh.pem if exist
+    test -e /etc/matrix-$app/dh.pem && mv /etc/matrix-$app/dh.pem /etc/matrix-$app/$domain.tls.dh
+    test -e /etc/matrix-$app/homeserver.signing.key && mv /etc/matrix-$app/homeserver.signing.key /etc/matrix-$app/$domain.signing.key
+
+    # Generate config and keys
+    python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml
+
+    # This fonction was defined while we call "source $final_path/bin/activate". By this fonction de undo what does "$final_path/bin/activate"
+    deactivate
+
+    # Get randoms values from config
+    registration_shared_secret=$(egrep "registration_shared_secret" homeserver.yml | cut -d'"' -f2)
+    form_secret=$(egrep "form_secret" homeserver.yml | cut -d'"' -f1)
+
+    # store in yunohost settings
+    ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret"
+    ynh_app_setting_set $app form_secret "$form_secret"
+fi
+
 #=================================================
 # UPDATE SYNAPSE CONFIG
 #=================================================
@@ -135,6 +166,9 @@ ynh_replace_string __PORT__ $port "$homeserver_config_path"
 ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path"
 ynh_replace_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path"
+ynh_replace_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
+ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
+ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"
 
 ynh_replace_string __APP__ $app "/etc/matrix-$app/log.yaml"
 
@@ -149,7 +183,7 @@ ynh_store_file_checksum "$homeserver_config_path"
 ynh_store_file_checksum "/etc/matrix-$app/log.yaml"
 
 #=================================================
-# MIGRATION 1 : MULTINSTANCE SUPPORT
+# MIGRATION 2 : MULTINSTANCE SUPPORT
 #=================================================
 
 if [[ ! -e /etc/matrix-$app/coturn.conf ]]
@@ -183,8 +217,7 @@ then
 fi
 
 #=================================================
-# MIGRATION 2 : USE STANDARD ACCESS FOR CERTIFCATE
+# MIGRATION 3 : USE STANDARD ACCESS FOR CERTIFCATE
-# AND USE INDEPENDANT DH FILE
 #=================================================
 
 # Fix issue about certificates access
@@ -194,12 +227,6 @@ then
     adduser turnserver ssl-cert
 fi
 
-# In the old synapse instance we stored the dh.pem in /etc/yunohost/certs/DOMAIN.TLD/ but it was problematics with lets'encrypt witch made a link to the key. While the letsencrypt key was changed the dh.pem file was lost. So we decided to move to /etc/matrix-synapse/ witch is a directory witch is not managed by any other component.
-# Here we check if the dh.pem file is already moved. If not we try to copy the file from the old place. If the file in the old place was already removed (by letsencrypt) we create a new one.
-test -e /etc/matrix-$app/dh.pem || \
-    cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-$app/dh.pem || \
-        openssl dhparam -out /etc/matrix-$app/dh.pem 2048 > /dev/null
-
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@@ -274,14 +301,14 @@ ynh_add_systemd_config coturn-$app coturn-synapse.service
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-# WARRNING : theses command are used in INSTALL, UPGRADE (2 times), RESTORE
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times)
 # For any update do it in all files
 chown $synapse_user:root -R $final_path
 chown $synapse_user:root -R /var/lib/matrix-$app
 chown $synapse_user:root -R /var/log/matrix-$app
 chown $synapse_user:root -R /etc/matrix-$app
 chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/dh.pem
+chmod 600 /etc/matrix-$app/{$domain.signing.key,$domain.tls.crt,$domain.tls.dh,$domain.tls.key}
 setfacl -R -m user:turnserver:rX  /etc/matrix-$app
 setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app