YunoHost-Apps/synapse_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/synapse_ynh.git synced 2024-09-03 20:26:38 +02:00
Code Issues Activity Actions

Merge branch 'testing' into fix-changeurl

Browse source
This commit is contained in:
tituspijean 2022-09-20 21:14:42 +02:00 committed by GitHub
commit 2e06f532e9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 2330 additions and 674 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

101
README.md
View file

@ -1,20 +1,28 @@
<!--
N.B.: This README was automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator
It shall NOT be edited by hand.
-->
# Synapse for YunoHost
![](https://matrix.org/blog/wp-content/uploads/2015/01/logo1.png)
[![Integration level](https://dash.yunohost.org/integration/synapse.svg)](https://dash.yunohost.org/appci/app/synapse) ![](https://ci-apps.yunohost.org/ci/badges/synapse.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/synapse.maintain.svg)
[![Integration level](https://dash.yunohost.org/integration/synapse.svg)](https://dash.yunohost.org/appci/app/synapse) ![Working status](https://ci-apps.yunohost.org/ci/badges/synapse.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/synapse.maintain.svg)
[![Install Synapse with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=synapse)
> *This package allows you to install Synapse quickly and simply on a YunoHost server.
If you don't have YunoHost, please see [here](https://yunohost.org/#/install) to know how to install and enjoy it.*
*[Lire ce readme en français.](./README_fr.md)*
> *This package allows you to install Synapse quickly and simply on a YunoHost server.
If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.*
## Overview
Instant messaging server matrix network.
Yunohost chatroom with matrix : [https://riot.im/app/#/room/#yunohost:matrix.org](https://riot.im/app/#/room/#yunohost:matrix.org)
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
**Shipped version:** 1.52.0
**Shipped version:** 1.67.0~ynh1
## Disclaimers / important information
## Configuration
@ -113,23 +121,8 @@ We have put some coarse mitigations into place to try to protect against this
situation, but it's still not a good practice to do it in the first place. See
https://github.com/vector-im/element-web/issues/1977 for more details.
## Documentation
- Official documentation: https://github.com/matrix-org/synapse
- YunoHost documentation: to be created; feel free to help!
## YunoHost specific features
### Multi-users support
Supported with LDAP.
### Supported architectures
* x86-64 - [![Build Status](https://ci-apps.yunohost.org/ci/logs/synapse%20%28Apps%29.svg)](https://ci-apps.yunohost.org/ci/apps/synapse/)
* ARMv8-A - [![Build Status](https://ci-apps-arm.yunohost.org/ci/logs/synapse%20%28Apps%29.svg)](https://ci-apps-arm.yunohost.org/ci/apps/synapse/)
## Limitations
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
@ -138,7 +131,7 @@ This app doesn't provide any real good web interface. So it's recommended to use
## Additional information
## Administation
## Administration
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
@ -155,10 +148,20 @@ The following command will grant admin privilege to the specified user:
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
```
### Administration API
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
By default, no one has access to this path.
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
you need to give this permission to visitors.
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
### Upgrade
By default a backup is made before the upgrade. To avoid this you have theses following possibilites:
- Pass the `NO_BACKUP_UPGRADE` env variable with `1` at each upgrade. By example `NO_BACKUP_UPGRADE=1 yunohost app upgrade synapse`.
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
- Set the settings `disable_backup_before_upgrade` to `1`. You can set this with this command:
`yunohost app setting synapse disable_backup_before_upgrade -v 1`
@ -167,7 +170,7 @@ After this settings will be applied for **all** next upgrade.
From command line:
`yunohost app upgrade seafile`
`yunohost app upgrade synapse`
### Backup
@ -182,13 +185,15 @@ This app use now the core-only feature of the backup. To keep the integrity of t
`yunohost backup create --app synapse`
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
- Restart the synapse service with theses command:
- Restart the synapse service with these command:
`systemctl start synapse.service`
### Remove
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**. It need to be removed manually to purge app user data.
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
Use the `--purge` flag with the command, or remove it manually to purge app user data.
### Multi instance support
@ -199,43 +204,23 @@ yunohost app setting synapse__<instancenumber> synapse_tls_port
Before installing a second instance of the app it's really recommended to update all existing instances.
### Migration from old package
## Documentation and resources
The old synapse package had some problems, the package has been reviewed in the summer 2017. The old package was made with the debian package with the synapse apt repos. The database used sqlite. To improve the performance and to have a better compatibility the new package uses python virtual environment and postgresql as database. The Upgrade was made to make the migration from the old package to the new package. The part of this script is available here : https://github.com/YunoHost-Apps/synapse_ynh/blob/master/scripts/upgrade#L40-L119 .
* Official app website: <https://matrix.org/>
* Upstream app code repository: <https://github.com/matrix-org/synapse>
* YunoHost documentation for this app: <https://yunohost.org/app_synapse>
* Report a bug: <https://github.com/YunoHost-Apps/synapse_ynh/issues>
This script tries to upgrade the app without any problem but it could happen that something fails and in this case the restoration is NOT guaranteed to be successful. So it's REALLY recommended to make MANUAL a backup before this big upgrade.
## Developer info
To check if you use the old synapse package type this command:
`sudo yunohost app setting synapse synapse_version`
- If the command returns nothing you are using the old package.
- If the command returns something like 0.25.1 you are using the new package.
Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/synapse_ynh/tree/testing).
To do a backup before the upgrade use this command : `sudo yunohost backup create --verbose --ignore-system --apps synapse`
To try the testing branch, please proceed like that.
If anything fails while you are doing the upgrade please create an issue here: https://github.com/YunoHost-Apps/synapse_ynh/issues
### License
Synapse is published under the Apache License: https://github.com/matrix-org/synapse/blob/master/LICENSE
## Links
- Report a bug: https://github.com/YunoHost-Apps/synapse_ynh/issues
- Matrix website: https://matrix.org/
- Synapse repository: https://github.com/matrix-org/synapse
- YunoHost website: https://yunohost.org/
---
Developers infos
----------------
Please do your pull request to the [testing branch](https://github.com/YunoHost-Apps/synapse_ynh/tree/testing).
To try the testing branch, please proceed like that:
```bash
``` bash
sudo yunohost app install https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
or
sudo yunohost app upgrade synapse -u https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
```
**More info regarding app packaging:** <https://yunohost.org/packaging_apps>

226
README_fr.md Normal file
View file

@ -0,0 +1,226 @@
<!--
N.B.: This README was automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator
It shall NOT be edited by hand.
-->
# Synapse pour YunoHost
[![Niveau d'intégration](https://dash.yunohost.org/integration/synapse.svg)](https://dash.yunohost.org/appci/app/synapse) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/synapse.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/synapse.maintain.svg)
[![Installer Synapse avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=synapse)
*[Read this readme in english.](./README.md)*
> *Ce package vous permet d'installer Synapse rapidement et simplement sur un serveur YunoHost.
Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.*
## Vue d'ensemble
Instant messaging server matrix network.
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
**Version incluse :** 1.67.0~ynh1
## Avertissements / informations importantes
## Configuration
### Install for ARM arch (or slow arch)
For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install.
You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null`
After that you can install it without problem.
The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build
The script to build the binary is also available.
### Web client
If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh .
### Access by federation
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation.
```
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
```
for example
```
_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com.
```
You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port`
For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md
If it is not automatically done, you need to open this in your ISP box.
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
### Turnserver
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
```
yunohost app setting synapse turnserver_tls_port
yunohost app setting synapse turnserver_alt_tls_port
```
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
```
yunohost firewall allow Both 49153:49193
```
You might also need to open these ports (if it is not automatically done) on your ISP box.
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config.
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`).
```
*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh;
```
#### OpenVPN
In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
```
#!/bin/bash
(
sleep 5
sudo systemctl restart coturn-synapse.service
) &
exit 0
```
Add this line in you sudo config file `/etc/sudoers`
```
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service
```
And add this line in your OpenVPN config file
```
ipchange /usr/local/bin/openvpn_up_script.sh
```
### Important Security Note
We do not recommend running Element from the same domain name as your Matrix
homeserver (synapse). The reason is the risk of XSS (cross-site-scripting)
vulnerabilities that could occur if someone caused Element to load and render
malicious user generated content from a Matrix API which then had trusted
access to Element (or other apps) due to sharing the same domain.
We have put some coarse mitigations into place to try to protect against this
situation, but it's still not a good practice to do it in the first place. See
https://github.com/vector-im/element-web/issues/1977 for more details.
## YunoHost specific features
## Limitations
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh)
## Additional information
## Administration
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
Before any manipulation it's recommended to do a backup by this following command :
`sudo yunohost backup create --apps synapse`
### Set user as admin
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
The following command will grant admin privilege to the specified user:
```
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
```
### Administration API
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
By default, no one has access to this path.
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
you need to give this permission to visitors.
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
### Upgrade
By default a backup is made before the upgrade. To avoid this you have theses following possibilites:
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
- Set the settings `disable_backup_before_upgrade` to `1`. You can set this with this command:
`yunohost app setting synapse disable_backup_before_upgrade -v 1`
After this settings will be applied for **all** next upgrade.
From command line:
`yunohost app upgrade synapse`
### Backup
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
- Stop synapse service with theses following command:
`systemctl stop synapse.service`
- Launch the backup of synapse with this following command:
`yunohost backup create --app synapse`
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
- Restart the synapse service with these command:
`systemctl start synapse.service`
### Remove
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
Use the `--purge` flag with the command, or remove it manually to purge app user data.
### Multi instance support
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:
```
yunohost app setting synapse__<instancenumber> synapse_tls_port
```
Before installing a second instance of the app it's really recommended to update all existing instances.
## Documentations et ressources
* Site officiel de l'app : <https://matrix.org/>
* Dépôt de code officiel de l'app : <https://github.com/matrix-org/synapse>
* Documentation YunoHost pour cette app : <https://yunohost.org/app_synapse>
* Signaler un bug : <https://github.com/YunoHost-Apps/synapse_ynh/issues>
## Informations pour les développeurs
Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/synapse_ynh/tree/testing).
Pour essayer la branche testing, procédez comme suit.
``` bash
sudo yunohost app install https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
ou
sudo yunohost app upgrade synapse -u https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
```
**Plus d'infos sur le packaging d'applications :** <https://yunohost.org/packaging_apps>

14
check_process
View file

@ -2,7 +2,7 @@
; Manifest
domain="domain.tld" (DOMAIN)
path="/_matrix/static/" (PATH)
is_public=1 (PUBLIC|public=1|private=0)
is_free_registration=1 (PUBLIC|public=1|private=0)
server_name="domain.tld" (DOMAIN)
; Checks
pkg_linter=1
@ -12,8 +12,8 @@
setup_private=0
setup_public=1
upgrade=1
upgrade=1 from_commit=35774cc0eabb82b03230210689fa060d5f2b0bd8
upgrade=1 from_commit=dbf0a2c9359ccd62b55132cace548b17e44af9bf
upgrade=1 from_commit=0a485e0d6bcd14392b9203b3b27e7e1a7ba21d19
upgrade=1 from_commit=6af39e6e086e70e2063eb8f63c48a1e4a597300d
backup_restore=1
multi_instance=0
incorrect_path=0
@ -22,7 +22,7 @@
;;; Levels
Level 5=auto
;;; Upgrade options
; commit=35774cc0eabb82b03230210689fa060d5f2b0bd8
name=Migrate from self signed certificate to cert managed by Yunohost from old_version_for_CI_3 branch
; commit=dbf0a2c9359ccd62b55132cace548b17e44af9bf
name=Before permission implementation
; commit=0a485e0d6bcd14392b9203b3b27e7e1a7ba21d19
name=Before permission implementation (branch old_version_for_CI_4)
; commit=6af39e6e086e70e2063eb8f63c48a1e4a597300d
name=Before app user creation

4
conf/armv7_bullseye.src
View file

@ -1,5 +1,5 @@
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.52.0/matrix-synapse_1.52.0-bullseye-bin1_armv7l.tar.gz
SOURCE_SUM=7f99e741b152ba2cdade7919540adff9950c0c04c37bb85f613b4e7fb3881eb2
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.67.0/matrix-synapse_1.67.0-bullseye-bin1_armv7l.tar.gz
SOURCE_SUM=3b156833ac280aac5b958257deef0b537ebe52d2b0530aa4934bd06af9f5b7e0
# (Optional) Program to check the integrity (sha256sum, md5sum...)
# default: sha256
SOURCE_SUM_PRG=sha256sum

4
conf/armv7_buster.src
View file

@ -1,5 +1,5 @@
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.52.0/matrix-synapse_1.52.0-buster-bin1_armv7l.tar.gz
SOURCE_SUM=c66d248c9335c14b4395ffe19670c408e163e38ee36af05e57719c5d3192056b
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.67.0/matrix-synapse_1.67.0-buster-bin1_armv7l.tar.gz
SOURCE_SUM=bcc0d6eedd3688f0f92aff5acbac9adfba588fd2352ba03fc7b02fdf5ea579c5
# (Optional) Program to check the integrity (sha256sum, md5sum...)
# default: sha256
SOURCE_SUM_PRG=sha256sum

37
conf/coturn-synapse.service
View file

@ -6,13 +6,9 @@ After=syslog.target network.target
[Service]
User=turnserver
Group=turnserver
Type=forking
Type=simple
EnvironmentFile=/etc/default/coturn-__APP__
PIDFile=/run/coturn-__APP__/turnserver.pid
RuntimeDirectory=coturn-__APP__
RuntimeDirectoryMode=0755
ExecStart=/usr/bin/turnserver -o -c /etc/matrix-__APP__/coturn.conf $EXTRA_OPTIONS
ExecStopPost=/bin/rm -f /run/coturn-__APP__/turnserver.pid
ExecStart=/usr/bin/turnserver -c /etc/matrix-__APP__/coturn.conf $EXTRA_OPTIONS --pidfile=
Restart=on-abort
LimitCORE=infinity
@ -23,5 +19,34 @@ LimitRTTIME=7000000
CPUSchedulingPolicy=other
UMask=0007
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @swap
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install]
WantedBy=multi-user.target

2251
conf/homeserver.yaml
View file

File diff suppressed because it is too large Load diff

32
conf/matrix-synapse.service
View file

@ -6,12 +6,42 @@ After=network.target
Type=simple
User=matrix-__APP__
WorkingDirectory=/opt/yunohost/matrix-__APP__
BindPaths=/etc/matrix-__APP__
EnvironmentFile=/etc/default/matrix-__APP__
ExecStartPre=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/ --generate-keys
ExecStart=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/
Restart=always
RestartSec=3
RuntimeDirectory=%i
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install]
WantedBy=multi-user.target

2
conf/nginx.conf
View file

@ -1,4 +1,4 @@
location __PATH__ {
location __PATH__/ {
proxy_pass http://localhost:__PORT__;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;

6
config_panel.toml
View file

@ -13,11 +13,11 @@ name = "Synapse configuration"
default = false
help = "True to send anonymous statistics about synapse to improve the performances"
[synapse_config.server_config.is_public]
ask = "Server public"
[synapse_config.server_config.is_free_registration]
ask = "Server with free registration"
type = "boolean"
default = false
help = "Is it a public server"
help = "A public server means that anybody will be able to register on this server."
[synapse_config.server_config.allow_public_rooms]
ask = "Public rooms directory"

3
doc/DESCRIPTION.md Normal file
View file

@ -0,0 +1,3 @@
Instant messaging server matrix network.
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)

179
doc/DISCLAIMER.md Normal file
View file

@ -0,0 +1,179 @@
## Configuration
### Install for ARM arch (or slow arch)
For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install.
You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null`
After that you can install it without problem.
The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build
The script to build the binary is also available.
### Web client
If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh .
### Access by federation
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation.
```
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
```
for example
```
_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com.
```
You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port`
For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md
If it is not automatically done, you need to open this in your ISP box.
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
### Turnserver
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
```
yunohost app setting synapse turnserver_tls_port
yunohost app setting synapse turnserver_alt_tls_port
```
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
```
yunohost firewall allow Both 49153:49193
```
You might also need to open these ports (if it is not automatically done) on your ISP box.
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config.
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`).
```
*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh;
```
#### OpenVPN
In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
```
#!/bin/bash
(
sleep 5
sudo systemctl restart coturn-synapse.service
) &
exit 0
```
Add this line in you sudo config file `/etc/sudoers`
```
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service
```
And add this line in your OpenVPN config file
```
ipchange /usr/local/bin/openvpn_up_script.sh
```
### Important Security Note
We do not recommend running Element from the same domain name as your Matrix
homeserver (synapse). The reason is the risk of XSS (cross-site-scripting)
vulnerabilities that could occur if someone caused Element to load and render
malicious user generated content from a Matrix API which then had trusted
access to Element (or other apps) due to sharing the same domain.
We have put some coarse mitigations into place to try to protect against this
situation, but it's still not a good practice to do it in the first place. See
https://github.com/vector-im/element-web/issues/1977 for more details.
## YunoHost specific features
## Limitations
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh)
## Additional information
## Administration
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
Before any manipulation it's recommended to do a backup by this following command :
`sudo yunohost backup create --apps synapse`
### Set user as admin
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
The following command will grant admin privilege to the specified user:
```
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
```
### Administration API
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
By default, no one has access to this path.
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
you need to give this permission to visitors.
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
### Upgrade
By default a backup is made before the upgrade. To avoid this you have theses following possibilites:
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
- Set the settings `disable_backup_before_upgrade` to `1`. You can set this with this command:
`yunohost app setting synapse disable_backup_before_upgrade -v 1`
After this settings will be applied for **all** next upgrade.
From command line:
`yunohost app upgrade synapse`
### Backup
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
- Stop synapse service with theses following command:
`systemctl stop synapse.service`
- Launch the backup of synapse with this following command:
`yunohost backup create --app synapse`
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
- Restart the synapse service with these command:
`systemctl start synapse.service`
### Remove
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
Use the `--purge` flag with the command, or remove it manually to purge app user data.
### Multi instance support
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:
```
yunohost app setting synapse__<instancenumber> synapse_tls_port
```
Before installing a second instance of the app it's really recommended to update all existing instances.

22
manifest.json
View file

@ -6,13 +6,18 @@
"en": "Instant messaging server which uses Matrix",
"fr": "Un serveur de messagerie instantané basé sur Matrix"
},
"version": "1.52.0~ynh1",
"version": "1.67.0~ynh1",
"url": "http://matrix.org",
"license": "Apache-2.0",
"maintainer": {
"name": "Josué Tille",
"email": "josue@tille.ch"
},
"upstream": {
"license": "Apache-2.0",
"website": "https://matrix.org/",
"code": "https://github.com/matrix-org/synapse"
},
"requirements": {
"yunohost": ">= 4.1"
},
@ -24,12 +29,7 @@
"install" : [
{
"name": "domain",
"type": "domain",
"ask": {
"en": "Choose a domain for Synapse",
"fr": "Choisissez un domaine pour Synapse"
},
"example": "synapse.domain.org"
"type": "domain"
},
{
"name": "server_name",
@ -42,14 +42,14 @@
"default": "Same than the domain"
},
{
"name": "is_public",
"name": "is_free_registration",
"type": "boolean",
"ask": {
"en": "Is it a public server?",
"fr": "Est-ce un serveur public ?"
"en": "Is it a server with free registration ?",
"fr": "Est-ce un serveur avec création de compte libre ?"
},
"default": false,
"help": {
"help": {
"en": "A public server means that anybody will be able to register on this server.",
"fr": "Un serveur public signifie que n'importe qui pourra s'enregistrer sur ce serveur."
}

14
scripts/_common.sh
View file

@ -1,5 +1,6 @@
dependances="coturn build-essential python3-dev libffi-dev python3-pip python3-setuptools sqlite3 libssl-dev python3-venv libxml2-dev libxslt1-dev python3-lxml zlib1g-dev libjpeg-dev libpq-dev postgresql acl"
python_version="$(python3 -V | cut -d' ' -f2 | cut -d. -f1-2)"
app=$YNH_APP_INSTANCE_NAME
install_sources() {
# Install/upgrade synapse in virtualenv
@ -45,7 +46,12 @@ install_sources() {
set +$u_arg;
source $final_path/bin/activate
set -$u_arg;
pip3 install --upgrade setuptools wheel pip
if [ $(lsb_release --codename --short) == "bullseye" ]; then
pip3 install --upgrade setuptools==60.8.2 wheel pip
else
pip3 install --upgrade setuptools wheel pip
fi
chown $synapse_user:root -R $final_path
sudo -u $synapse_user env PATH=$PATH pip3 install --upgrade 'cryptography>=3.4.7'
pip3 install --upgrade cffi ndg-httpsclient psycopg2 lxml jinja2
@ -62,3 +68,9 @@ install_sources() {
ynh_secure_remove --file=$final_path/.cargo
fi
}
get_domain_list() {
yunohost --output-as plain domain list | grep -E "^#" -v | sort | uniq | while read domain; do
echo -n " - https://$domain\n"
done
}

10
scripts/change_url
View file

@ -26,7 +26,7 @@ server_name=$(ynh_app_setting_get --app=$app --key=server_name)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
synapse_old_version=$(ynh_app_setting_get --app=$app --key=synapse_version)
jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
is_public=$(ynh_app_setting_get --app=$app --key=is_public)
is_free_registration=$(ynh_app_setting_get --app=$app --key=is_free_registration)
port=$(ynh_app_setting_get --app=$app --key=synapse_port)
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
@ -35,19 +35,21 @@ cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
report_stats=$(ynh_app_setting_get --app=$app --key=report_stats)
allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
ynh_print_OFF
synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
ynh_print_ON
synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
main_domain=$(yunohost domain list --output-as json | jq -r .main)
synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version)
domain_whitelist_client=$(get_domain_list)
# Check if the new path stay /_matrix if not exit
@ -102,7 +104,7 @@ else
macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
fi
if [ $is_public -eq 0 ]
if [ $is_free_registration -eq 0 ]
then
allowed_access=False
sso_enabled=True

15
scripts/config
View file

@ -23,9 +23,12 @@ app=$YNH_APP_INSTANCE_NAME
report_stats=$(ynh_app_setting_get --app $app --key report_stats)
allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
disable_backup_before_upgrade=$(ynh_app_setting_get --app $app --key disable_backup_before_upgrade)
is_public=$(ynh_app_setting_get --app $app --key is_public)
is_free_registration=$(ynh_app_setting_get --app $app --key is_free_registration)
jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
domain_whitelist_client=$(get_domain_list)
main_domain=$(yunohost domain list --output-as json | jq -r .main)
#=================================================
# SHOW_CONFIG FUNCTION FOR 'SHOW' COMMAND
@ -37,7 +40,7 @@ show_config() {
ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_SERVER_STATISTICS=$report_stats"
ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_ALLOW_PUBLIC_ROOMS=$allow_public_rooms"
ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_CLIENT_CONFIG_JITSI_SERVER=$jitsi_server"
ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC=${is_public}"
ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_FREE_REGISTRATION=${is_free_registration}"
ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_CLIENT_CONFIG_E2E_ENABLED_BY_DEFAULT=${e2e_enabled_by_default}"
if [[ ${disable_backup_before_upgrade:-0} -eq 1 ]]
@ -56,7 +59,7 @@ apply_config() {
report_stats=${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_SERVER_STATISTICS:-$report_stats}
allow_public_rooms=${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_ALLOW_PUBLIC_ROOMS:-$allow_public_rooms}
do_backup_before_upgrade=${YNH_CONFIG_PACKAGE_CONFIG_PACKAGE_CONFIG_BACKUP_BEFORE_UPGRADE:-}
is_public=${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC:-$is_public}
is_free_registration=${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_FREE_REGISTRATION:-$is_free_registration}
jitsi_server=${YNH_CONFIG_SYNAPSE_CONFIG_CLIENT_CONFIG_JITSI_SERVER:-$jitsi_server}
e2e_enabled_by_default=${YNH_CONFIG_SYNAPSE_CONFIG_CLIENT_CONFIG_E2E_ENABLED_BY_DEFAULT:-$e2e_enabled_by_default}
@ -81,7 +84,7 @@ apply_config() {
ynh_app_setting_set --app $app --key report_stats --value $report_stats
ynh_app_setting_set --app $app --key allow_public_rooms --value $allow_public_rooms
ynh_app_setting_set --app $app --key is_public --value $is_public
ynh_app_setting_set --app $app --key is_free_registration --value $is_free_registration
ynh_app_setting_set --app $app --key jitsi_server --value $jitsi_server
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
@ -96,7 +99,7 @@ apply_config() {
domain=$(ynh_app_setting_get --app $app --key domain)
server_name=$(ynh_app_setting_get --app $app --key server_name)
synapse_db_pwd=$(ynh_app_setting_get --app $app --key synapse_db_pwd)
is_public=$(ynh_app_setting_get --app $app --key is_public)
is_free_registration=$(ynh_app_setting_get --app $app --key is_free_registration)
port=$(ynh_app_setting_get --app $app --key synapse_port)
synapse_tls_port=$(ynh_app_setting_get --app $app --key synapse_tls_port)
turnserver_tls_port=$(ynh_app_setting_get --app $app --key turnserver_tls_port)
@ -124,7 +127,7 @@ apply_config() {
macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
fi
if [ $is_public -eq 0 ]
if [ $is_free_registration -eq 0 ]
then
allowed_access=False
sso_enabled=True

38
scripts/install
View file

@ -21,20 +21,13 @@ ynh_clean_setup () {
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST
#=================================================
domain=$YNH_APP_ARG_DOMAIN
is_public=$YNH_APP_ARG_IS_PUBLIC
app=$YNH_APP_INSTANCE_NAME
#=================================================
# SET CONSTANTS
#=================================================
synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_user_app_pwd="$(ynh_string_random --length=30)"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
@ -43,6 +36,7 @@ report_stats="false"
allow_public_rooms="false"
e2e_enabled_by_default="true"
default_domain_value="Same than the domain"
domain_whitelist_client=$(get_domain_list)
#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST
@ -50,23 +44,22 @@ default_domain_value="Same than the domain"
domain=$YNH_APP_ARG_DOMAIN
server_name=$YNH_APP_ARG_SERVER_NAME
is_public=$YNH_APP_ARG_IS_PUBLIC
is_free_registration=$YNH_APP_ARG_IS_FREE_REGISTRATION
jitsi_server=$YNH_APP_ARG_JITSI_SERVER
path_url="/_matrix"
final_path="/opt/yunohost/matrix-$app"
final_www_path="/var/www/$app"
data_path="/home/yunohost.app/matrix-$app"
main_domain=$(yunohost domain list --output-as json | jq -r .main)
if [[ "$server_name" == "$default_domain_value" ]]; then
server_name=$domain
server_name=$domain
fi
#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
ynh_script_progression --message="Validating installation parameters..." --weight=2
[ $(ynh_webpath_available --domain=$domain --path_url=$path_url) == "True" ] || ynh_die --message="$domain is not available as domain, please use an other domain."
test ! -e "/etc/nginx/conf.d/$domain.d/synapse*.conf" || ynh_die --message="$domain is not available as domain, please use an other domain."
# Check Final Path availability
@ -90,10 +83,11 @@ ynh_app_setting_set --app=$app --key=server_name --value=$server_name
ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
ynh_app_setting_set --app=$app --key=synapse_version --value=$upstream_version
ynh_app_setting_set --app=$app --key=is_public --value=$is_public
ynh_app_setting_set --app=$app --key=is_free_registration --value=$is_free_registration
ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
ynh_app_setting_set --app=$app --key=allow_public_rooms --value=$allow_public_rooms
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
ynh_app_setting_set --app=$app --key=synapse_user_app_pwd --value=$synapse_user_app_pwd
#=================================================
# STANDARD MODIFICATIONS
@ -152,6 +146,7 @@ ynh_install_app_dependencies $dependances
ynh_script_progression --message="Configuring system user..." --weight=3
ynh_system_user_create --username=$synapse_user --home_dir=$final_path
yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
adduser $synapse_user ssl-cert
adduser turnserver ssl-cert
@ -160,16 +155,12 @@ adduser turnserver ssl-cert
#=================================================
ynh_script_progression --message="Creating a PostgreSQL database..." --weight=4
ynh_print_OFF
synapse_db_pwd=$(ynh_string_random --length=30)
ynh_app_setting_set --app=$app --key=synapse_db_pwd --value=$synapse_db_pwd
ynh_print_ON
# Create postgresql database
ynh_psql_test_if_first_run
ynh_print_OFF
ynh_psql_create_user $synapse_db_user $synapse_db_pwd
ynh_print_ON
ynh_psql_execute_as_root \
--sql="CREATE DATABASE $synapse_db_name ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $synapse_db_user;"
@ -214,7 +205,7 @@ source $final_path/bin/activate
set -u;
# Generate config
python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --server-name $server_name --report-stats=no -c homeserver.yml
# This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
set +u;
@ -222,7 +213,6 @@ deactivate
set -u;
# Get random values from config
ynh_print_OFF
registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
macaroon_secret_key=$(egrep "^macaroon_secret_key:" homeserver.yml | cut -d'"' -f2)
@ -231,7 +221,6 @@ macaroon_secret_key=$(egrep "^macaroon_secret_key:" homeserver.yml | cut -d'"' -
ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
ynh_app_setting_set --app=$app --key=macaroon_secret_key --value="$macaroon_secret_key"
ynh_print_ON
#=================================================
# SETUP SYSTEMD
@ -279,7 +268,7 @@ ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
if [ $is_public -eq 0 ]
if [ $is_free_registration -eq 0 ]
then
allowed_access=False
sso_enabled=True
@ -347,12 +336,15 @@ ynh_permission_update --permission=main --show_tile=false --protected=true
ynh_permission_create --permission=server_api --url=$domain/_matrix \
--label="Server access for client apps." --show_tile=false --allowed=visitors \
--auth_header=false --protected=true
ynh_permission_create --permission=admin_api --url=$domain/_synapse \
--label="Server administration API." --show_tile=false \
--auth_header=false
if yunohost --output-as plain domain list | grep -q "^$server_name$"; then
ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
--label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
--auth_header=false --protected=true
fi
#=================================================
# UPDATE HOOKS
#=================================================

2
scripts/remove
View file

@ -29,6 +29,7 @@ turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tl
#=================================================
synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
@ -142,6 +143,7 @@ ynh_script_progression --message="Removing the dedicated system user" --weight=1
# Delete a system user
ynh_system_user_delete --username=$synapse_user
yunohost user delete $synapse_user_app
#=================================================
# END OF SCRIPT

12
scripts/restore
View file

@ -37,15 +37,16 @@ synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
ynh_print_OFF
synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
ynh_print_ON
synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
main_domain=$(yunohost domain list --output-as json | jq -r .main)
#=================================================
# SET ALL CONSTANT
#=================================================
synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
@ -58,8 +59,6 @@ data_path="/home/yunohost.app/matrix-$app"
#=================================================
ynh_script_progression --message="Validating restoration parameters..." --weight=2
ynh_webpath_available --domain=$domain --path_url=$path_url \
|| ynh_die --message="Path not available: ${domain}${path_url}"
test ! -d $final_path \
|| ynh_die --message="There is already a directory: $final_path "
@ -81,6 +80,7 @@ ynh_script_progression --message="Recreating the dedicated system user..." --wei
# Create the dedicated user (if not existing)
ynh_system_user_create --username=$synapse_user --home_dir=$final_path
yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
adduser $synapse_user ssl-cert
adduser turnserver ssl-cert
@ -110,9 +110,7 @@ ynh_systemd_action --action=restart --service_name=fail2ban
ynh_script_progression --message="Restoring the PostgreSQL database..." --weight=13
ynh_psql_test_if_first_run
ynh_print_OFF
ynh_psql_create_user $synapse_db_user $synapse_db_pwd
ynh_print_ON
ynh_psql_execute_as_root \
--sql="CREATE DATABASE $synapse_db_name
ENCODING 'UTF8'
@ -165,9 +163,7 @@ ynh_script_progression --message="Reconfiguring coturn..." --weight=23
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
ynh_print_OFF
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
ynh_print_ON
# WARNING : these commands are used in INSTALL, UPGRADE
# For any update do it in all files

32
scripts/upgrade
View file

@ -26,7 +26,7 @@ jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
synapse_old_version=$(ynh_app_setting_get --app=$app --key=synapse_version)
is_public=$(ynh_app_setting_get --app=$app --key=is_public)
is_free_registration=$(ynh_app_setting_get --app=$app --key=is_free_registration)
port=$(ynh_app_setting_get --app=$app --key=synapse_port)
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
@ -35,19 +35,21 @@ cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
report_stats=$(ynh_app_setting_get --app=$app --key=report_stats)
allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
ynh_print_OFF
synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
ynh_print_ON
synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
domain_whitelist_client=$(get_domain_list)
main_domain=$(yunohost domain list --output-as json | jq -r .main)
#=================================================
# SET ALL CONSTANT
#=================================================
synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
@ -131,6 +133,17 @@ if [ -z $allow_public_rooms ]; then
ynh_app_setting_set --app=$app --key=allow_public_rooms --value=$allow_public_rooms
fi
if [ -z $is_free_registration ]; then
is_free_registration=$(ynh_app_setting_get --app=$app --key=is_""public)
ynh_app_setting_set --app=$app --key=is_free_registration --value=$is_free_registration
fi
if [ -z $synapse_user_app_pwd ]; then
synapse_user_app_pwd="$(ynh_string_random --length=30)"
ynh_app_setting_set --app=$app --key=synapse_user_app_pwd --value=$synapse_user_app_pwd
yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
fi
#=================================================
# MIGRATION 6 : Migrate data directory
#=================================================
@ -183,10 +196,8 @@ chown $synapse_user:root -R $final_www_path
# MIGRATION 1 : GENERATE SYNAPSE SECRET
#=================================================
ynh_print_OFF
if [ -z "$registration_shared_secret" ] || [ "$form_secret" == "form_secret: " ]
then
ynh_print_ON
ynh_script_progression --message="Generating synapse secret..." --weight=1
# Go in virtualenvironnement
@ -203,16 +214,13 @@ then
set -u;
# Get random values from config
ynh_print_OFF
registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
# store in yunohost settings
ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
ynh_print_ON
fi
ynh_print_ON
#=================================================
# UPDATE SYNAPSE CONFIG
@ -232,7 +240,7 @@ else
macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
fi
if [ $is_public -eq 0 ]
if [ $is_free_registration -eq 0 ]
then
allowed_access=False
sso_enabled=True
@ -431,6 +439,12 @@ elif yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
--protected=true
fi
if ! ynh_permission_exists --permission=admin_api; then
ynh_permission_create --permission=admin_api --url=$domain/_synapse \
--label="Server administration API." --show_tile=false \
--auth_header=false
fi
#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================