YunoHost-Apps/synapse_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/synapse_ynh.git synced 2024-09-03 20:26:38 +02:00
Code Issues Activity Actions

Merge pull request #336 from YunoHost-Apps/testing

Browse source 
v1.68, add administration API protection, various fixes
This commit is contained in:
Josue-T 2022-10-25 06:23:41 +02:00 committed by GitHub
commit 2d04bb3fb9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 214 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
README.md
View file

@ -20,8 +20,7 @@ Instant messaging server matrix network.
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
**Shipped version:** 1.67.0~ynh1
**Shipped version:** 1.69.0~ynh1
## Disclaimers / important information
## Configuration
@ -131,6 +130,70 @@ This app doesn't provide any real good web interface. So it's recommended to use
## Additional information
## Administration
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
Before any manipulation it's recommended to do a backup by this following command :
`sudo yunohost backup create --apps synapse`
### Set user as admin
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
The following command will grant admin privilege to the specified user:
```
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
```
### Administration API
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
By default, no one has access to this path.
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
you need to give this permission to visitors.
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
### Upgrade
By default a backup is made before the upgrade. To avoid this you have theses following possibilites:
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
- Set the settings `disable_backup_before_upgrade` to `1`. You can set this with this command:
`yunohost app setting synapse disable_backup_before_upgrade -v 1`
After this settings will be applied for **all** next upgrade.
From command line:
`yunohost app upgrade synapse`
### Backup
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
- Stop synapse service with theses following command:
`systemctl stop synapse.service`
- Launch the backup of synapse with this following command:
`yunohost backup create --app synapse`
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
- Restart the synapse service with these command:
`systemctl start synapse.service`
### Remove
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
Use the `--purge` flag with the command, or remove it manually to purge app user data.
### Multi instance support
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:

67
README_fr.md
View file

@ -20,8 +20,7 @@ Instant messaging server matrix network.
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
**Version incluse :** 1.67.0~ynh1
**Version incluse :** 1.69.0~ynh1
## Avertissements / informations importantes
## Configuration
@ -131,6 +130,70 @@ This app doesn't provide any real good web interface. So it's recommended to use
## Additional information
## Administration
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
Before any manipulation it's recommended to do a backup by this following command :
`sudo yunohost backup create --apps synapse`
### Set user as admin
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
The following command will grant admin privilege to the specified user:
```
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
```
### Administration API
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
By default, no one has access to this path.
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
you need to give this permission to visitors.
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
### Upgrade
By default a backup is made before the upgrade. To avoid this you have theses following possibilites:
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
- Set the settings `disable_backup_before_upgrade` to `1`. You can set this with this command:
`yunohost app setting synapse disable_backup_before_upgrade -v 1`
After this settings will be applied for **all** next upgrade.
From command line:
`yunohost app upgrade synapse`
### Backup
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
- Stop synapse service with theses following command:
`systemctl stop synapse.service`
- Launch the backup of synapse with this following command:
`yunohost backup create --app synapse`
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
- Restart the synapse service with these command:
`systemctl start synapse.service`
### Remove
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
Use the `--purge` flag with the command, or remove it manually to purge app user data.
### Multi instance support
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:

4
conf/armv7_bullseye.src
View file

@ -1,5 +1,5 @@
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.67.0/matrix-synapse_1.67.0-bullseye-bin1_armv7l.tar.gz
SOURCE_SUM=3b156833ac280aac5b958257deef0b537ebe52d2b0530aa4934bd06af9f5b7e0
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.69.0/matrix-synapse_1.69.0-bullseye-bin1_armv7l.tar.gz
SOURCE_SUM=d390ac7900e545e5fb58f243c98a1c2cfe6d8dba4fd58775c8e73e931d20afe2
# (Optional) Program to check the integrity (sha256sum, md5sum...)
# default: sha256
SOURCE_SUM_PRG=sha256sum

4
conf/armv7_buster.src
View file

@ -1,5 +1,5 @@
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.67.0/matrix-synapse_1.67.0-buster-bin1_armv7l.tar.gz
SOURCE_SUM=bcc0d6eedd3688f0f92aff5acbac9adfba588fd2352ba03fc7b02fdf5ea579c5
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.69.0/matrix-synapse_1.69.0-buster-bin1_armv7l.tar.gz
SOURCE_SUM=e99f100a3446b9ceff29a5c3ea55657342a2ee22cf2eb5821e75716ede9bea8b
# (Optional) Program to check the integrity (sha256sum, md5sum...)
# default: sha256
SOURCE_SUM_PRG=sha256sum

2
conf/homeserver.yaml
View file

@ -2246,7 +2246,7 @@ password_providers:
uid: "uid"
mail: "mail"
name: "givenName"
bind_dn: __SYNAPSE_USER_APP__
bind_dn: "uid=__SYNAPSE_USER_APP__,ou=users,dc=yunohost,dc=org"
bind_password: __SYNAPSE_USER_APP_PWD__
filter: "(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))"

1
conf/turnserver.conf
View file

@ -18,7 +18,6 @@ no-sslv3
no-tlsv1
no-tlsv1_1
no-loopback-peers
no-multicast-peers
no-cli

64
doc/DISCLAIMER.md
View file

@ -105,6 +105,70 @@ This app doesn't provide any real good web interface. So it's recommended to use
## Additional information
## Administration
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
Before any manipulation it's recommended to do a backup by this following command :
`sudo yunohost backup create --apps synapse`
### Set user as admin
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
The following command will grant admin privilege to the specified user:
```
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
```
### Administration API
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
By default, no one has access to this path.
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
you need to give this permission to visitors.
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
### Upgrade
By default a backup is made before the upgrade. To avoid this you have theses following possibilites:
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
- Set the settings `disable_backup_before_upgrade` to `1`. You can set this with this command:
`yunohost app setting synapse disable_backup_before_upgrade -v 1`
After this settings will be applied for **all** next upgrade.
From command line:
`yunohost app upgrade synapse`
### Backup
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
- Stop synapse service with theses following command:
`systemctl stop synapse.service`
- Launch the backup of synapse with this following command:
`yunohost backup create --app synapse`
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
- Restart the synapse service with these command:
`systemctl start synapse.service`
### Remove
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
Use the `--purge` flag with the command, or remove it manually to purge app user data.
### Multi instance support
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:

4
manifest.json
View file

@ -6,7 +6,7 @@
"en": "Instant messaging server which uses Matrix",
"fr": "Un serveur de messagerie instantané basé sur Matrix"
},
"version": "1.67.0~ynh1",
"version": "1.69.0~ynh1",
"url": "http://matrix.org",
"license": "Apache-2.0",
"maintainer": {
@ -19,7 +19,7 @@
"code": "https://github.com/matrix-org/synapse"
},
"requirements": {
"yunohost": ">= 4.1"
"yunohost": ">= 4.1.2"
},
"multi_instance": true,
"services": [

8
scripts/change_url
View file

@ -117,12 +117,12 @@ ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/home
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
#=================================================
# SETUP PERMISSIONS
# SECURE FILES AND DIRECTORIES
#=================================================
ynh_script_progression --message="Configuring permissions..." --weight=1
ynh_permission_url --permission=server_api --clear_urls
ynh_permission_url --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
# Only setting permissions for the two config files updated above
chown $synapse_user:root -R /etc/matrix-$app
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
#=================================================
# RELOAD SERVICES

3
scripts/install
View file

@ -336,6 +336,9 @@ ynh_permission_update --permission=main --show_tile=false --protected=true
ynh_permission_create --permission=server_api --url=$domain/_matrix \
--label="Server access for client apps." --show_tile=false --allowed=visitors \
--auth_header=false --protected=true
ynh_permission_create --permission=admin_api --url=$domain/_synapse \
--label="Server administration API." --show_tile=false \
--auth_header=false --allowed=visitors
if yunohost --output-as plain domain list | grep -q "^$server_name$"; then
ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
--label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \

6
scripts/upgrade
View file

@ -439,6 +439,12 @@ elif yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
--protected=true
fi
if ! ynh_permission_exists --permission=admin_api; then
ynh_permission_create --permission=admin_api --url=$domain/_synapse \
--label="Server administration API." --show_tile=false \
--auth_header=false --allowed=visitors
fi
#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================