
Fix certificate access

This commit is contained in:
Josué Tille 2017-12-30 15:59:05 +01:00
parent c07318bf41
commit 9dac61a33a
7 changed files with 23 additions and 67 deletions


@ -12,8 +12,8 @@ Setup
### Install for ARM arch (or slow arch) ### Install for ARM arch (or slow arch)
If you don't have a dh.pem file in `/etc/yunohost/certs/YOUR DOMAIN/dh.pem` you should built it befor to install the app because it could take a long time. For all slow or arm architecture it's recommended to build the dh file before the install to have quicker install.
You could built it by this cmd : `sudo openssl dhparam -out /etc/yunohost/certs/YOUR DOMAIN/dh.pem 2048 > /dev/null` You could built it by this cmd : `mkdir -p /etc/matrix-synapse && openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 > /dev/null`
After that you can install it without problem. After that you can install it without problem.
The package use a prebuild python virtualenvironnement. The binary are taken from this repos : https://github.com/Josue-T/synapse_python_build The package use a prebuild python virtualenvironnement. The binary are taken from this repos : https://github.com/Josue-T/synapse_python_build


@ -10,7 +10,7 @@ tls_certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem"
tls_private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem" tls_private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem"
# PEM dh parameters for ephemeral keys # PEM dh parameters for ephemeral keys
tls_dh_params_path: "/etc/yunohost/certs/__DOMAIN__/dh.pem" tls_dh_params_path: "/etc/matrix-synapse/dh.pem"
# Don't bind to the https port # Don't bind to the https port
no_tls: False no_tls: False


@ -38,7 +38,7 @@
"en": "Is it a public server ?", "en": "Is it a public server ?",
"fr": "Est-ce un serveur public ?" "fr": "Est-ce un serveur public ?"
}, },
"default": "0" "default": 0
} }
] ]
} }


@ -37,6 +37,7 @@ set_permission() {
chown $synapse_user:root -R /var/log/matrix-synapse chown $synapse_user:root -R /var/log/matrix-synapse
chown turnserver:root -R /var/log/turnserver chown turnserver:root -R /var/log/turnserver
chown $synapse_user:root -R /etc/matrix-synapse chown $synapse_user:root -R /etc/matrix-synapse
chmod 600 /etc/matrix-synapse/dh.pem
} }
install_source() { install_source() {
@ -97,56 +98,6 @@ config_coturn() {
ynh_replace_string __TLS_PORT__ $turnserver_tls_port /etc/turnserver.conf ynh_replace_string __TLS_PORT__ $turnserver_tls_port /etc/turnserver.conf
} }
set_certificat_access() {
set_access $synapse_user /etc/yunohost/certs/$domain/crt.pem
set_access $synapse_user /etc/yunohost/certs/$domain/key.pem
set_access $synapse_user /etc/yunohost/certs/$domain/dh.pem
set_access turnserver /etc/yunohost/certs/$domain/crt.pem
set_access turnserver /etc/yunohost/certs/$domain/key.pem
set_access turnserver /etc/yunohost/certs/$domain/dh.pem
}
set_access() { # example : set_access USER FILE
user="$1"
file_to_set="$2"
while [[ 0 ]]
do
path_to_set=""
oldIFS="$IFS"
IFS="/"
for dirname in $file_to_set
do
if [[ -n "$dirname" ]]
then
test -f "$path_to_set"/"$dirname" && setfacl -m d:u:$user:r "$path_to_set"
path_to_set="$path_to_set/$dirname"
if $(sudo -u $user test ! -r "$path_to_set")
then
test -d "$path_to_set" && setfacl -m user:$user:rx "$path_to_set"
test -f "$path_to_set" && setfacl -m user:$user:r "$path_to_set"
fi
fi
done
IFS="$oldIFS"
if $(test -L "$file_to_set")
then
if [[ -n "$(readlink "$file_to_set" | grep -e "^/")" ]]
then
file_to_set=$(readlink "$file_to_set") # If it is an absolute path
else
file_to_set=$(realpath -s -m "$(echo "$file_to_set" | cut -d'/' -f-$(echo "$file_to_set" | grep -o '/' | wc -l))/$(readlink "$file_to_set")") # If it is an relative path (we get with realpath the absolute path)
fi
else
break
fi
done
}
####### Solve issue https://dev.yunohost.org/issues/1006 ####### Solve issue https://dev.yunohost.org/issues/1006
# Build and install a package from an equivs control file # Build and install a package from an equivs control file
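Review bot: The new `chmod 600 /etc/matrix-synapse/dh.pem` in set_permission, together with the `chown $synapse_user:root -R /etc/matrix-synapse` just above it, leaves dh.pem readable by the synapse user only, while the set_certificat_access helper removed in the second hunk also granted turnserver read on dh.pem; if turnserver.conf still references a DH file (its template is not in this diff), coturn loses access here. DH parameters are public values rather than key material, so the restrictive mode buys nothing; `chmod 644 /etc/matrix-synapse/dh.pem`, or `chown "$synapse_user":ssl-cert` with `chmod 640` now that both accounts join ssl-cert, keeps both consumers working. set_permission is also called from restore, where the file only exists if the archive contains /etc/matrix-synapse, so guard the call: `[[ -e /etc/matrix-synapse/dh.pem ]] && chmod 644 /etc/matrix-synapse/dh.pem`. The set_permission function opens before this hunk.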


@ -31,7 +31,9 @@ yunohost firewall allow --no-upnp TCP $synapse_tls_port > /dev/null 2>&1
yunohost firewall allow --no-upnp Both $turnserver_tls_port > /dev/null 2>&1 yunohost firewall allow --no-upnp Both $turnserver_tls_port > /dev/null 2>&1
# Make dh cert for synapse if it not exist # Make dh cert for synapse if it not exist
test ! -e /etc/yunohost/certs/$domain/dh.pem && openssl dhparam -out /etc/yunohost/certs/$domain/dh.pem 2048 > /dev/null test ! -e /etc/matrix-synapse/dh.pem && \
mkdir -p /etc/matrix-synapse && \
openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 > /dev/null
# Find password for turnserver and database # Find password for turnserver and database
turnserver_pwd=$(ynh_string_random 30) turnserver_pwd=$(ynh_string_random 30)
@ -54,6 +56,8 @@ install_dependances
# Create user # Create user
ynh_system_user_create $synapse_user /var/lib/matrix-synapse ynh_system_user_create $synapse_user /var/lib/matrix-synapse
adduser $synapse_user ssl-cert
adduser turnserver ssl-cert
# Create postgresql database # Create postgresql database
ynh_psql_test_if_first_run ynh_psql_test_if_first_run
@ -86,9 +90,6 @@ config_synapse
# Configure Coturn # Configure Coturn
config_coturn config_coturn
# Configure access for certificates
set_certificat_access
# Configuration de logrotate # Configuration de logrotate
ynh_use_logrotate /var/log/matrix-synapse ynh_use_logrotate /var/log/matrix-synapse
ynh_use_logrotate /var/log/turnserver ynh_use_logrotate /var/log/turnserver
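Review bot: The `test ! -e /etc/matrix-synapse/dh.pem && mkdir -p ... && openssl dhparam ...` chain in the first hunk returns non-zero whenever dh.pem already exists, so if this script runs with `set -e` / ynh_abort_if_errors (not visible in the diff) a reinstall on a host that kept the file aborts at that line; an `if` avoids it: `if [[ ! -e /etc/matrix-synapse/dh.pem ]]; then mkdir -p /etc/matrix-synapse && openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 >/dev/null; fi`. The `adduser $synapse_user ssl-cert` / `adduser turnserver ssl-cert` lines in the second hunk (repeated in the restore and upgrade scripts) replace per-file ACLs with group membership; on Debian the ssl-cert group can read everything under /etc/ssl/private, so both services gain read access to every private key stored there rather than only the domain's, which is a wider grant than the code this commit removes. The lines also assume the domain's key.pem under /etc/yunohost/certs is readable by that group, which nothing in this diff arranges; a comment above them should state the dependency, e.g. `# NOTE: relies on /etc/yunohost/certs/$domain/{crt,key}.pem being readable by group ssl-cert`.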


@ -24,9 +24,6 @@ turnserver_pwd=$(ynh_app_setting_get $app turnserver_pwd)
# Check domain/path availability # Check domain/path availability
ynh_webpath_available $domain $path || ynh_die "$domain/$path is not available, please use an other domain." ynh_webpath_available $domain $path || ynh_die "$domain/$path is not available, please use an other domain."
# Make dh cert for synapse if it not exist
test ! -e /etc/yunohost/certs/$domain/dh.pem && openssl dhparam -out /etc/yunohost/certs/$domain/dh.pem 2048 > /dev/null
# Ouvre le port dans le firewall # Ouvre le port dans le firewall
yunohost firewall allow --no-upnp TCP $synapse_tls_port > /dev/null 2>&1 yunohost firewall allow --no-upnp TCP $synapse_tls_port > /dev/null 2>&1
yunohost firewall allow --no-upnp Both $turnserver_tls_port > /dev/null 2>&1 yunohost firewall allow --no-upnp Both $turnserver_tls_port > /dev/null 2>&1
@ -36,6 +33,8 @@ install_dependances
# Create user # Create user
ynh_system_user_create $synapse_user /var/lib/matrix-synapse ynh_system_user_create $synapse_user /var/lib/matrix-synapse
adduser $synapse_user ssl-cert
adduser turnserver ssl-cert
# Restore all config and data # Restore all config and data
ynh_restore ynh_restore
@ -46,9 +45,6 @@ set_permission
# Open access to server without a button the home # Open access to server without a button the home
python $final_path/add_sso_conf.py python $final_path/add_sso_conf.py
# Configure access for certificates
set_certificat_access
# Restore postgresql database # Restore postgresql database
ynh_psql_test_if_first_run ynh_psql_test_if_first_run
ynh_psql_create_user $synapse_db_user $synapse_db_pwd ynh_psql_create_user $synapse_db_user $synapse_db_pwd
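Review bot: The first hunk drops the dh.pem generation from restore without adding a replacement, so a restored instance only has /etc/matrix-synapse/dh.pem if the backup archive includes that directory (the backup script is not part of this diff); if it does not, synapse's tls_dh_params_path points at a missing file and the chmod in set_permission fails. A guarded fallback after `ynh_restore` keeps restore self-sufficient: `[[ -e /etc/matrix-synapse/dh.pem ]] || openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 >/dev/null`. Quoting `"$synapse_user"` on the new adduser line would also match the quoting the rest of the hunk uses for `"$domain/$path"`.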


@ -67,6 +67,7 @@ then
# Create directory Install synapse in virtualenv # Create directory Install synapse in virtualenv
setup_dir || true # If the dir aready exist the command could fail setup_dir || true # If the dir aready exist the command could fail
install_source install_source
cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-synapse/dh.pem
set_permission set_permission
# Open access to server without a button the home # Open access to server without a button the home
@ -76,6 +77,8 @@ then
# Create user # Create user
ynh_system_user_create $synapse_user /var/lib/matrix-synapse ynh_system_user_create $synapse_user /var/lib/matrix-synapse
adduser $synapse_user ssl-cert
adduser turnserver ssl-cert
# Create systemd service # Create systemd service
ynh_secure_remove /etc/init.d/matrix-synapse ynh_secure_remove /etc/init.d/matrix-synapse
@ -122,6 +125,14 @@ fi
# If the turnserver log is not ready configured we configure it now # If the turnserver log is not ready configured we configure it now
test -e /var/log/turnserver || (mkdir -p /var/log/turnserver && ynh_use_logrotate /var/log/turnserver) test -e /var/log/turnserver || (mkdir -p /var/log/turnserver && ynh_use_logrotate /var/log/turnserver)
# Fix issue about certificates access
if [[ ! $(grep "ssl-cert:x:[0-9]*:.*matrix-synapse" /etc/group) ]]
then
adduser $synapse_user ssl-cert
adduser turnserver ssl-cert
cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-synapse/dh.pem
fi
# Upgrade manually Synapse # Upgrade manually Synapse
install_source install_source
set_permission set_permission
@ -132,9 +143,6 @@ config_nginx
# Configure Synapse # Configure Synapse
config_synapse config_synapse
# Configure access for certificates
set_certificat_access
# Configure Coturn # Configure Coturn
config_coturn config_coturn
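Review bot: The guard `if [[ ! $(grep "ssl-cert:x:[0-9]*:.*matrix-synapse" /etc/group) ]]` in the third hunk hardcodes the literal `matrix-synapse` although the surrounding lines use `$synapse_user`, checks only the synapse account and not turnserver, and matches any group member whose name merely contains that substring. Asking the system directly is simpler and covers both accounts: `if ! id -nG "$synapse_user" | grep -qw ssl-cert || ! id -nG turnserver | grep -qw ssl-cert; then`. Inside that block, and again in the first hunk, `cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-synapse/dh.pem` assumes the legacy file still exists; on an instance where it was removed the copy fails and, under set -e, aborts the upgrade, so fall back to generating instead: `if [[ -e /etc/yunohost/certs/$domain/dh.pem ]]; then cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-synapse/dh.pem; else openssl dhparam -out /etc/matrix-synapse/dh.pem 2048 >/dev/null; fi`. The `if ... then` enclosing the first hunk opens before it.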