Fix certificate access
This commit is contained in:
parent
c07318bf41
commit
9dac61a33a
7 changed files with 23 additions and 67 deletions
|
@ -12,8 +12,8 @@ Setup
|
|||
|
||||
### Install for ARM arch (or slow arch)
|
||||
|
||||
If you don't have a dh.pem file in `/etc/yunohost/certs/YOUR DOMAIN/dh.pem` you should built it befor to install the app because it could take a long time.
|
||||
You could built it by this cmd : `sudo openssl dhparam -out /etc/yunohost/certs/YOUR DOMAIN/dh.pem 2048 > /dev/null`
|
||||
For all slow or arm architecture it's recommended to build the dh file before the install to have quicker install.
|
||||
You could built it by this cmd : `mkdir -p /etc/matrix-synapse && openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 > /dev/null`
|
||||
After that you can install it without problem.
|
||||
|
||||
The package use a prebuild python virtualenvironnement. The binary are taken from this repos : https://github.com/Josue-T/synapse_python_build
|
||||
|
|
|
@ -10,7 +10,7 @@ tls_certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem"
|
|||
tls_private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem"
|
||||
|
||||
# PEM dh parameters for ephemeral keys
|
||||
tls_dh_params_path: "/etc/yunohost/certs/__DOMAIN__/dh.pem"
|
||||
tls_dh_params_path: "/etc/matrix-synapse/dh.pem"
|
||||
|
||||
# Don't bind to the https port
|
||||
no_tls: False
|
||||
|
|
|
@ -38,7 +38,7 @@
|
|||
"en": "Is it a public server ?",
|
||||
"fr": "Est-ce un serveur public ?"
|
||||
},
|
||||
"default": "0"
|
||||
"default": 0
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -37,6 +37,7 @@ set_permission() {
|
|||
chown $synapse_user:root -R /var/log/matrix-synapse
|
||||
chown turnserver:root -R /var/log/turnserver
|
||||
chown $synapse_user:root -R /etc/matrix-synapse
|
||||
chmod 600 /etc/matrix-synapse/dh.pem
|
||||
}
|
||||
|
||||
install_source() {
|
||||
|
@ -97,56 +98,6 @@ config_coturn() {
|
|||
ynh_replace_string __TLS_PORT__ $turnserver_tls_port /etc/turnserver.conf
|
||||
}
|
||||
|
||||
set_certificat_access() {
|
||||
set_access $synapse_user /etc/yunohost/certs/$domain/crt.pem
|
||||
set_access $synapse_user /etc/yunohost/certs/$domain/key.pem
|
||||
set_access $synapse_user /etc/yunohost/certs/$domain/dh.pem
|
||||
|
||||
set_access turnserver /etc/yunohost/certs/$domain/crt.pem
|
||||
set_access turnserver /etc/yunohost/certs/$domain/key.pem
|
||||
set_access turnserver /etc/yunohost/certs/$domain/dh.pem
|
||||
}
|
||||
|
||||
set_access() { # example : set_access USER FILE
|
||||
user="$1"
|
||||
file_to_set="$2"
|
||||
while [[ 0 ]]
|
||||
do
|
||||
path_to_set=""
|
||||
oldIFS="$IFS"
|
||||
IFS="/"
|
||||
for dirname in $file_to_set
|
||||
do
|
||||
if [[ -n "$dirname" ]]
|
||||
then
|
||||
test -f "$path_to_set"/"$dirname" && setfacl -m d:u:$user:r "$path_to_set"
|
||||
|
||||
path_to_set="$path_to_set/$dirname"
|
||||
|
||||
if $(sudo -u $user test ! -r "$path_to_set")
|
||||
then
|
||||
test -d "$path_to_set" && setfacl -m user:$user:rx "$path_to_set"
|
||||
test -f "$path_to_set" && setfacl -m user:$user:r "$path_to_set"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
IFS="$oldIFS"
|
||||
|
||||
if $(test -L "$file_to_set")
|
||||
then
|
||||
if [[ -n "$(readlink "$file_to_set" | grep -e "^/")" ]]
|
||||
then
|
||||
file_to_set=$(readlink "$file_to_set") # If it is an absolute path
|
||||
else
|
||||
file_to_set=$(realpath -s -m "$(echo "$file_to_set" | cut -d'/' -f-$(echo "$file_to_set" | grep -o '/' | wc -l))/$(readlink "$file_to_set")") # If it is an relative path (we get with realpath the absolute path)
|
||||
fi
|
||||
else
|
||||
break
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
####### Solve issue https://dev.yunohost.org/issues/1006
|
||||
|
||||
# Build and install a package from an equivs control file
|
||||
|
|
|
@ -31,7 +31,9 @@ yunohost firewall allow --no-upnp TCP $synapse_tls_port > /dev/null 2>&1
|
|||
yunohost firewall allow --no-upnp Both $turnserver_tls_port > /dev/null 2>&1
|
||||
|
||||
# Make dh cert for synapse if it not exist
|
||||
test ! -e /etc/yunohost/certs/$domain/dh.pem && openssl dhparam -out /etc/yunohost/certs/$domain/dh.pem 2048 > /dev/null
|
||||
test ! -e /etc/matrix-synapse/dh.pem && \
|
||||
mkdir -p /etc/matrix-synapse && \
|
||||
openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 > /dev/null
|
||||
|
||||
# Find password for turnserver and database
|
||||
turnserver_pwd=$(ynh_string_random 30)
|
||||
|
@ -54,6 +56,8 @@ install_dependances
|
|||
|
||||
# Create user
|
||||
ynh_system_user_create $synapse_user /var/lib/matrix-synapse
|
||||
adduser $synapse_user ssl-cert
|
||||
adduser turnserver ssl-cert
|
||||
|
||||
# Create postgresql database
|
||||
ynh_psql_test_if_first_run
|
||||
|
@ -86,9 +90,6 @@ config_synapse
|
|||
# Configure Coturn
|
||||
config_coturn
|
||||
|
||||
# Configure access for certificates
|
||||
set_certificat_access
|
||||
|
||||
# Configuration de logrotate
|
||||
ynh_use_logrotate /var/log/matrix-synapse
|
||||
ynh_use_logrotate /var/log/turnserver
|
||||
|
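Review bot: `adduser $synapse_user ssl-cert` and `adduser turnserver ssl-cert` replace the per-file ACLs that set_certificat_access used to apply to one domain's crt.pem/key.pem/dh.pem with group membership; if the private keys under /etc/yunohost/certs (and Debian's /etc/ssl/private) are group-readable by ssl-cert, both service users now gain read access to every key on the host rather than only `$domain`'s, which is a wider grant than before and deserves a comment such as `# ssl-cert membership grants read access to all host certificate keys, not only $domain's` or a per-domain ACL (`setfacl -m u:$synapse_user:r /etc/yunohost/certs/$domain/key.pem`) if that is sufficient. The same two lines appear in the restore hunk `@ -36,6 +33,8 @@` and the upgrade hunks `@ -76,6 +77,8 @@` and `@ -122,6 +125,14 @@`. Separately, the `test ! -e /etc/matrix-synapse/dh.pem && mkdir -p ... && openssl dhparam -out ...` chain leaves a truncated dh.pem behind if dhparam is interrupted, and the next run then skips regeneration because the file exists; writing to a temporary file in the same directory and `mv`-ing it into place avoids that. Both `$synapse_user` and `$domain` are expanded unquoted throughout these hunks; `"$synapse_user"` and `"$domain"` cost nothing and match the rest of the shell idiom.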
|
|
@ -24,9 +24,6 @@ turnserver_pwd=$(ynh_app_setting_get $app turnserver_pwd)
|
|||
# Check domain/path availability
|
||||
ynh_webpath_available $domain $path || ynh_die "$domain/$path is not available, please use an other domain."
|
||||
|
||||
# Make dh cert for synapse if it not exist
|
||||
test ! -e /etc/yunohost/certs/$domain/dh.pem && openssl dhparam -out /etc/yunohost/certs/$domain/dh.pem 2048 > /dev/null
|
||||
|
||||
# Ouvre le port dans le firewall
|
||||
yunohost firewall allow --no-upnp TCP $synapse_tls_port > /dev/null 2>&1
|
||||
yunohost firewall allow --no-upnp Both $turnserver_tls_port > /dev/null 2>&1
|
||||
|
@ -36,6 +33,8 @@ install_dependances
|
|||
|
||||
# Create user
|
||||
ynh_system_user_create $synapse_user /var/lib/matrix-synapse
|
||||
adduser $synapse_user ssl-cert
|
||||
adduser turnserver ssl-cert
|
||||
|
||||
# Restore all config and data
|
||||
ynh_restore
|
||||
|
@ -46,9 +45,6 @@ set_permission
|
|||
# Open access to server without a button the home
|
||||
python $final_path/add_sso_conf.py
|
||||
|
||||
# Configure access for certificates
|
||||
set_certificat_access
|
||||
|
||||
# Restore postgresql database
|
||||
ynh_psql_test_if_first_run
|
||||
ynh_psql_create_user $synapse_db_user $synapse_db_pwd
|
||||
|
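Review bot: With the dhparam generation removed from restore, /etc/matrix-synapse/dh.pem must now come from the backup archive, and set_permission (called just before the `@ -46,9 +45,6 @@` hunk) runs `chmod 600` on it; for an archive taken before this commit the file will not be there (it lived under /etc/yunohost/certs/$domain and the restored homeserver.yaml presumably still points at that path), so the restore will either fail on the chmod or leave Synapse with a missing tls_dh_params_path. A guarded regeneration after ynh_restore keeps old archives restorable: `[[ -e /etc/matrix-synapse/dh.pem ]] || openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 > /dev/null`, paired with rewriting the old tls_dh_params_path in the restored homeserver.yaml. Whether the backup script covers /etc/matrix-synapse at all is not visible in this diff and should be confirmed.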
|
|
@ -67,6 +67,7 @@ then
|
|||
# Create directory Install synapse in virtualenv
|
||||
setup_dir || true # If the dir aready exist the command could fail
|
||||
install_source
|
||||
cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-synapse/dh.pem
|
||||
set_permission
|
||||
|
||||
# Open access to server without a button the home
|
||||
|
@ -76,6 +77,8 @@ then
|
|||
|
||||
# Create user
|
||||
ynh_system_user_create $synapse_user /var/lib/matrix-synapse
|
||||
adduser $synapse_user ssl-cert
|
||||
adduser turnserver ssl-cert
|
||||
|
||||
# Create systemd service
|
||||
ynh_secure_remove /etc/init.d/matrix-synapse
|
||||
|
@ -122,6 +125,14 @@ fi
|
|||
# If the turnserver log is not ready configured we configure it now
|
||||
test -e /var/log/turnserver || (mkdir -p /var/log/turnserver && ynh_use_logrotate /var/log/turnserver)
|
||||
|
||||
# Fix issue about certificates access
|
||||
if [[ ! $(grep "ssl-cert:x:[0-9]*:.*matrix-synapse" /etc/group) ]]
|
||||
then
|
||||
adduser $synapse_user ssl-cert
|
||||
adduser turnserver ssl-cert
|
||||
cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-synapse/dh.pem
|
||||
fi
|
||||
|
||||
# Upgrade manually Synapse
|
||||
install_source
|
||||
set_permission
|
||||
|
@ -132,9 +143,6 @@ config_nginx
|
|||
# Configure Synapse
|
||||
config_synapse
|
||||
|
||||
# Configure access for certificates
|
||||
set_certificat_access
|
||||
|
||||
# Configure Coturn
|
||||
config_coturn
|
||||
|
||||
|
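Review bot: The migration guard `if [[ ! $(grep "ssl-cert:x:[0-9]*:.*matrix-synapse" /etc/group) ]]` hard-codes the user name while every other line uses `$synapse_user`, substring-matches any group member containing that text, and only checks the synapse user, so an install where turnserver is missing from the group is never repaired; `if ! id -nG "$synapse_user" | grep -qw ssl-cert; then` (plus a separate check for turnserver) is exact and readable. Inside the branch, `cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-synapse/dh.pem` has no existence check, and the same cp appears in the `@ -67,6 +67,7 @@` hunk whose enclosing if/then starts outside the hunk; if the old dh.pem is absent the cp aborts the upgrade. Generating instead of copying, `[[ -e /etc/matrix-synapse/dh.pem ]] || openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 > /dev/null`, covers both the migrated and the fresh case, and the stale file under /etc/yunohost/certs could then be removed.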
|