1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/synapse_ynh.git synced 2024-09-03 20:26:38 +02:00

Merge pull request #444 from YunoHost-Apps/testing

Testing
This commit is contained in:
Josue-T 2024-04-12 08:35:21 +02:00 committed by GitHub
commit c58222a7bb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
46 changed files with 1595 additions and 2704 deletions

3
.gitignore vendored
View file

@ -5,3 +5,6 @@
*swp *swp
auto_update_config.sh
auto_update/Synapse_build_*.log
auto_update/synapse_build_temp.log

View file

@ -1,6 +1,7 @@
# All available README files by language # All available README files by language
- [Read the README in English](README.md) - [Read the README in English](README.md)
- [Irakurri README euskaraz](README_eu.md)
- [Lire le README en français](README_fr.md) - [Lire le README en français](README_fr.md)
- [Le o README en galego](README_gl.md) - [Le o README en galego](README_gl.md)
- [Leggi il “README” in italiano](README_it.md) - [阅读中文(简体)的 README](README_zh_Hans.md)

191
README.md
View file

@ -9,7 +9,7 @@ It shall NOT be edited by hand.
[![Install Synapse with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=synapse) [![Install Synapse with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=synapse)
*[Read this README is other languages.](./ALL_README.md)* *[Read this README in other languages.](./ALL_README.md)*
> *This package allows you to install Synapse quickly and simply on a YunoHost server.* > *This package allows you to install Synapse quickly and simply on a YunoHost server.*
> *If you don't have YunoHost, please consult [the guide](https://yunohost.org/install) to learn how to install it.* > *If you don't have YunoHost, please consult [the guide](https://yunohost.org/install) to learn how to install it.*
@ -21,195 +21,12 @@ Instant messaging server matrix network.
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org) Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
**Shipped version:** 1.98.0~ynh1 **Shipped version:** 1.104.0~ynh1
## Disclaimers / important information
## Configuration
### Install for ARM arch (or slow arch)
For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install.
You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null`
After that you can install it without problem.
The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build
The script to build the binary is also available.
### Web client
If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh .
### Access by federation
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation.
```
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
```
for example
```
_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com.
```
You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port`
For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md
If it is not automatically done, you need to open this in your ISP box.
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
https://federationtester.matrix.org/ can be used to easily debug federation issues
### Turnserver
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
```
yunohost app setting synapse turnserver_tls_port
yunohost app setting synapse turnserver_alt_tls_port
```
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
```
yunohost firewall allow Both 49153:49193
```
You might also need to open these ports (if it is not automatically done) on your ISP box.
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config.
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`).
```
*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh;
```
#### OpenVPN
In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
```
#!/bin/bash
(
sleep 5
sudo systemctl restart coturn-synapse.service
) &
exit 0
```
Add this line in you sudo config file `/etc/sudoers`
```
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service
```
And add this line in your OpenVPN config file
```
ipchange /usr/local/bin/openvpn_up_script.sh
```
### Important Security Note
We do not recommend running Element from the same domain name as your Matrix
homeserver (synapse). The reason is the risk of XSS (cross-site-scripting)
vulnerabilities that could occur if someone caused Element to load and render
malicious user generated content from a Matrix API which then had trusted
access to Element (or other apps) due to sharing the same domain.
We have put some coarse mitigations into place to try to protect against this
situation, but it's still not a good practice to do it in the first place. See
https://github.com/vector-im/element-web/issues/1977 for more details.
## YunoHost specific features
## Limitations
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh)
## Additional information
## Administration
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
Before any manipulation it's recommended to do a backup by this following command :
`sudo yunohost backup create --apps synapse`
### Set user as admin
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
The following command will grant admin privilege to the specified user:
```
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
```
### Administration API
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
By default, no one has access to this path.
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
you need to give this permission to visitors.
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
### Upgrade
By default a backup is made before the upgrade. If for some reason you want to upgrade without backup:
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line:
`yunohost app setting synapse backup_before_upgrade -v 0`
After this settings will be applied for **all** next upgrade.
From command line:
`yunohost app upgrade synapse`
### Backup
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
- Stop synapse service with theses following command:
`systemctl stop synapse.service`
- Launch the backup of synapse with this following command:
`yunohost backup create --app synapse`
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
- Restart the synapse service with these command:
`systemctl start synapse.service`
### Remove
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
Use the `--purge` flag with the command, or remove it manually to purge app user data.
### Multi instance support
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:
```
yunohost app setting synapse__<instancenumber> synapse_tls_port
```
Before installing a second instance of the app it's really recommended to update all existing instances.
## Documentation and resources ## Documentation and resources
- Official app website: <https://matrix.org/> - Official app website: <https://matrix.org/>
- Upstream app code repository: <https://github.com/matrix-org/synapse> - Official admin documentation: <https://matrix-org.github.io/synapse/latest/welcome_and_overview.html>
- Upstream app code repository: <https://github.com/element-hq/synapse>
- YunoHost Store: <https://apps.yunohost.org/app/synapse> - YunoHost Store: <https://apps.yunohost.org/app/synapse>
- Report a bug: <https://github.com/YunoHost-Apps/synapse_ynh/issues> - Report a bug: <https://github.com/YunoHost-Apps/synapse_ynh/issues>

45
README_eu.md Normal file
View file

@ -0,0 +1,45 @@
<!--
Ohart ongi: README hau automatikoki sortu da <https://github.com/YunoHost/apps/tree/master/tools/readme_generator>ri esker
EZ editatu eskuz.
-->
# Synapse YunoHost-erako
[![Integrazio maila](https://dash.yunohost.org/integration/synapse.svg)](https://dash.yunohost.org/appci/app/synapse) ![Funtzionamendu egoera](https://ci-apps.yunohost.org/ci/badges/synapse.status.svg) ![Mantentze egoera](https://ci-apps.yunohost.org/ci/badges/synapse.maintain.svg)
[![Instalatu Synapse YunoHost-ekin](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=synapse)
*[Irakurri README hau beste hizkuntzatan.](./ALL_README.md)*
> *Pakete honek Synapse YunoHost zerbitzari batean azkar eta zailtasunik gabe instalatzea ahalbidetzen dizu.*
> *YunoHost ez baduzu, kontsultatu [gida](https://yunohost.org/install) nola instalatu ikasteko.*
## Aurreikuspena
Instant messaging server matrix network.
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
**Paketatutako bertsioa:** 1.104.0~ynh1
## Dokumentazioa eta baliabideak
- Aplikazioaren webgune ofiziala: <https://matrix.org/>
- Administratzaileen dokumentazio ofiziala: <https://matrix-org.github.io/synapse/latest/welcome_and_overview.html>
- Jatorrizko aplikazioaren kode-gordailua: <https://github.com/element-hq/synapse>
- YunoHost Denda: <https://apps.yunohost.org/app/synapse>
- Eman errore baten berri: <https://github.com/YunoHost-Apps/synapse_ynh/issues>
## Garatzaileentzako informazioa
Bidali `pull request`a [`testing` abarrera](https://github.com/YunoHost-Apps/synapse_ynh/tree/testing).
`testing` abarra probatzeko, ondorengoa egin:
```bash
sudo yunohost app install https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
edo
sudo yunohost app upgrade synapse -u https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
```
**Informazio gehiago aplikazioaren paketatzeari buruz:** <https://yunohost.org/packaging_apps>

View file

@ -21,195 +21,12 @@ Instant messaging server matrix network.
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org) Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
**Version incluse:** 1.98.0~ynh1 **Version incluse:** 1.104.0~ynh1
## Avertissements / informations importantes
## Configuration
### Install for ARM arch (or slow arch)
For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install.
You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null`
After that you can install it without problem.
The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build
The script to build the binary is also available.
### Web client
If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh .
### Access by federation
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation.
```
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
```
for example
```
_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com.
```
You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port`
For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md
If it is not automatically done, you need to open this in your ISP box.
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
https://federationtester.matrix.org/ can be used to easily debug federation issues
### Turnserver
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
```
yunohost app setting synapse turnserver_tls_port
yunohost app setting synapse turnserver_alt_tls_port
```
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
```
yunohost firewall allow Both 49153:49193
```
You might also need to open these ports (if it is not automatically done) on your ISP box.
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config.
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`).
```
*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh;
```
#### OpenVPN
In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
```
#!/bin/bash
(
sleep 5
sudo systemctl restart coturn-synapse.service
) &
exit 0
```
Add this line in you sudo config file `/etc/sudoers`
```
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service
```
And add this line in your OpenVPN config file
```
ipchange /usr/local/bin/openvpn_up_script.sh
```
### Important Security Note
We do not recommend running Element from the same domain name as your Matrix
homeserver (synapse). The reason is the risk of XSS (cross-site-scripting)
vulnerabilities that could occur if someone caused Element to load and render
malicious user generated content from a Matrix API which then had trusted
access to Element (or other apps) due to sharing the same domain.
We have put some coarse mitigations into place to try to protect against this
situation, but it's still not a good practice to do it in the first place. See
https://github.com/vector-im/element-web/issues/1977 for more details.
## YunoHost specific features
## Limitations
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh)
## Additional information
## Administration
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
Before any manipulation it's recommended to do a backup by this following command :
`sudo yunohost backup create --apps synapse`
### Set user as admin
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
The following command will grant admin privilege to the specified user:
```
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
```
### Administration API
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
By default, no one has access to this path.
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
you need to give this permission to visitors.
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
### Upgrade
By default a backup is made before the upgrade. If for some reason you want to upgrade without backup:
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line:
`yunohost app setting synapse backup_before_upgrade -v 0`
After this settings will be applied for **all** next upgrade.
From command line:
`yunohost app upgrade synapse`
### Backup
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
- Stop synapse service with theses following command:
`systemctl stop synapse.service`
- Launch the backup of synapse with this following command:
`yunohost backup create --app synapse`
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
- Restart the synapse service with these command:
`systemctl start synapse.service`
### Remove
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
Use the `--purge` flag with the command, or remove it manually to purge app user data.
### Multi instance support
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:
```
yunohost app setting synapse__<instancenumber> synapse_tls_port
```
Before installing a second instance of the app it's really recommended to update all existing instances.
## Documentations et ressources ## Documentations et ressources
- Site officiel de lapp: <https://matrix.org/> - Site officiel de lapp: <https://matrix.org/>
- Dépôt de code officiel de lapp: <https://github.com/matrix-org/synapse> - Documentation officielle de ladmin: <https://matrix-org.github.io/synapse/latest/welcome_and_overview.html>
- Dépôt de code officiel de lapp: <https://github.com/element-hq/synapse>
- YunoHost Store: <https://apps.yunohost.org/app/synapse> - YunoHost Store: <https://apps.yunohost.org/app/synapse>
- Signaler un bug: <https://github.com/YunoHost-Apps/synapse_ynh/issues> - Signaler un bug: <https://github.com/YunoHost-Apps/synapse_ynh/issues>

View file

@ -21,195 +21,12 @@ Instant messaging server matrix network.
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org) Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
**Versión proporcionada:** 1.98.0~ynh1 **Versión proporcionada:** 1.104.0~ynh1
## Avisos / información importante
## Configuration
### Install for ARM arch (or slow arch)
For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install.
You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null`
After that you can install it without problem.
The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build
The script to build the binary is also available.
### Web client
If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh .
### Access by federation
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation.
```
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
```
for example
```
_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com.
```
You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port`
For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md
If it is not automatically done, you need to open this in your ISP box.
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
https://federationtester.matrix.org/ can be used to easily debug federation issues
### Turnserver
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
```
yunohost app setting synapse turnserver_tls_port
yunohost app setting synapse turnserver_alt_tls_port
```
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
```
yunohost firewall allow Both 49153:49193
```
You might also need to open these ports (if it is not automatically done) on your ISP box.
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config.
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`).
```
*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh;
```
#### OpenVPN
In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
```
#!/bin/bash
(
sleep 5
sudo systemctl restart coturn-synapse.service
) &
exit 0
```
Add this line in you sudo config file `/etc/sudoers`
```
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service
```
And add this line in your OpenVPN config file
```
ipchange /usr/local/bin/openvpn_up_script.sh
```
### Important Security Note
We do not recommend running Element from the same domain name as your Matrix
homeserver (synapse). The reason is the risk of XSS (cross-site-scripting)
vulnerabilities that could occur if someone caused Element to load and render
malicious user generated content from a Matrix API which then had trusted
access to Element (or other apps) due to sharing the same domain.
We have put some coarse mitigations into place to try to protect against this
situation, but it's still not a good practice to do it in the first place. See
https://github.com/vector-im/element-web/issues/1977 for more details.
## YunoHost specific features
## Limitations
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh)
## Additional information
## Administration
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
Before any manipulation it's recommended to do a backup by this following command :
`sudo yunohost backup create --apps synapse`
### Set user as admin
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
The following command will grant admin privilege to the specified user:
```
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
```
### Administration API
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
By default, no one has access to this path.
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
you need to give this permission to visitors.
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
### Upgrade
By default a backup is made before the upgrade. If for some reason you want to upgrade without backup:
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line:
`yunohost app setting synapse backup_before_upgrade -v 0`
After this settings will be applied for **all** next upgrade.
From command line:
`yunohost app upgrade synapse`
### Backup
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
- Stop synapse service with theses following command:
`systemctl stop synapse.service`
- Launch the backup of synapse with this following command:
`yunohost backup create --app synapse`
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
- Restart the synapse service with these command:
`systemctl start synapse.service`
### Remove
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
Use the `--purge` flag with the command, or remove it manually to purge app user data.
### Multi instance support
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:
```
yunohost app setting synapse__<instancenumber> synapse_tls_port
```
Before installing a second instance of the app it's really recommended to update all existing instances.
## Documentación e recursos ## Documentación e recursos
- Web oficial da app: <https://matrix.org/> - Web oficial da app: <https://matrix.org/>
- Repositorio de orixe do código: <https://github.com/matrix-org/synapse> - Documentación oficial para admin: <https://matrix-org.github.io/synapse/latest/welcome_and_overview.html>
- Repositorio de orixe do código: <https://github.com/element-hq/synapse>
- Tenda YunoHost: <https://apps.yunohost.org/app/synapse> - Tenda YunoHost: <https://apps.yunohost.org/app/synapse>
- Informar dun problema: <https://github.com/YunoHost-Apps/synapse_ynh/issues> - Informar dun problema: <https://github.com/YunoHost-Apps/synapse_ynh/issues>

45
README_zh_Hans.md Normal file
View file

@ -0,0 +1,45 @@
<!--
注意:此 README 由 <https://github.com/YunoHost/apps/tree/master/tools/readme_generator> 自动生成
请勿手动编辑。
-->
# YunoHost 的 Synapse
[![集成程度](https://dash.yunohost.org/integration/synapse.svg)](https://dash.yunohost.org/appci/app/synapse) ![工作状态](https://ci-apps.yunohost.org/ci/badges/synapse.status.svg) ![维护状态](https://ci-apps.yunohost.org/ci/badges/synapse.maintain.svg)
[![使用 YunoHost 安装 Synapse](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=synapse)
*[阅读此 README 的其它语言版本。](./ALL_README.md)*
> *通过此软件包,您可以在 YunoHost 服务器上快速、简单地安装 Synapse。*
> *如果您还没有 YunoHost请参阅[指南](https://yunohost.org/install)了解如何安装它。*
## 概况
Instant messaging server matrix network.
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
**分发版本:** 1.104.0~ynh1
## 文档与资源
- 官方应用网站: <https://matrix.org/>
- 官方管理文档: <https://matrix-org.github.io/synapse/latest/welcome_and_overview.html>
- 上游应用代码库: <https://github.com/element-hq/synapse>
- YunoHost 商店: <https://apps.yunohost.org/app/synapse>
- 报告 bug <https://github.com/YunoHost-Apps/synapse_ynh/issues>
## 开发者信息
请向 [`testing` 分支](https://github.com/YunoHost-Apps/synapse_ynh/tree/testing) 发送拉取请求。
如要尝试 `testing` 分支,请这样操作:
```bash
sudo yunohost app install https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
sudo yunohost app upgrade synapse -u https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
```
**有关应用打包的更多信息:** <https://yunohost.org/packaging_apps>

View file

@ -1,33 +0,0 @@
[update_turnserver_ip]
name = "Update turnserver ip"
command = "/opt/yunohost/matrix-$YNH_APP_INSTANCE_NAME/Coturn_config_rotate.sh"
user = "root"
accepted_return_codes = [0]
description = "Update the ip in the turnserver config"
[open_turnserver_firewall_ports]
name = "Open ports for turnserver"
command = "yunohost firewall allow Both 49153:49193"
user = "root"
accepted_return_codes = [0]
description = "Open the ports range 49153:49193 with TCP and UDP to be able to use correctly the turnserver."
[close_turnserver_firewall_ports]
name = "Close ports for turnserver"
command = "yunohost firewall disallow Both 49153:49193"
user = "root"
accepted_return_codes = [0]
description = "Close the ports range 49153:49193 with TCP and UDP. (Undo \"Open ports for turnserver\" action)"
[set_admin_user]
name = "Set a user as admin"
command = "[[ \"$(su --command=\"psql matrix_synapse\" postgres <<< \"UPDATE users SET admin = 1 WHERE name = '@$YNH_ACTION_USERNAME:$(yunohost app setting $YNH_APP_INSTANCE_NAME server_name)'\")\" == 'UPDATE 1' ]]"
user = "root"
accepted_return_codes = [0]
description = "Set a synapse user as admin in the synapse server. It is mainly required to manage the community function."
[set_admin_user.arguments]
[set_admin_user.arguments.username]
type = "string"
ask = "username of the user to set as admin"
example = "bob"

169
auto_update/auto_update.sh Normal file
View file

@ -0,0 +1,169 @@
#!/bin/bash
set -eu
readonly app_name=synapse
source auto_update_config.sh
readonly debian_version_name_1=bullseye
readonly debian_version_name_2=bookworm
get_from_manifest() {
result=$(python3 <<EOL
import toml
import json
with open("../manifest.toml", "r") as f:
file_content = f.read()
loaded_toml = toml.loads(file_content)
json_str = json.dumps(loaded_toml)
print(json_str)
EOL
)
echo $result | jq -r "$1"
}
check_app_version() {
local app_remote_version=$(curl 'https://api.github.com/repos/element-hq/synapse/releases/latest' -H 'Host: api.github.com' --compressed | jq -r ".tag_name" | cut -dv -f2)
## Check if new build is needed
if [[ "$app_version" != "$app_remote_version" ]]
then
app_version="$app_remote_version"
return 0
else
return 1
fi
}
upgrade_app() {
(
set -eu
# Define output file name
# arm build: ${result_prefix_name_deb_1}-bin1_armv7l.tar.gz
# arm build checksum: ${result_prefix_name_deb_1}-bin1_armv7l-sha256.txt
# requirement.txt: ${result_prefix_name_deb_1}-build1_requirement.txt
readonly result_prefix_name_deb_1="matrix-synapse_${app_version}-$debian_version_name_1"
readonly result_prefix_name_deb_2="matrix-synapse_${app_version}-$debian_version_name_2"
# Build armv7 build
build_cmd_deb_1 $app_version $result_prefix_name_deb_1
build_cmd_deb_2 $app_version $result_prefix_name_deb_2
push_armv7_build
# Update python requirement
cp "$build_result_path_deb_1/${result_prefix_name_deb_1}"-build1_requirement.txt ../conf/requirement_"$debian_version_name_1".txt
cp "$build_result_path_deb_2/${result_prefix_name_deb_2}"-build1_requirement.txt ../conf/requirement_"$debian_version_name_2".txt
# Update manifest
sed -r -i 's|version = "[[:alnum:].]{4,8}~ynh[[:alnum:].]{1,2}"|version = "'${app_version}'~ynh1"|' ../manifest.toml
# Update this link
sed -r -i "s|armhf.url\s*=(.*)/releases/download/v[[:alnum:].]{4,10}/matrix-synapse_[[:alnum:].]{4,10}-$debian_version_name_1-bin[[:digit:]]_armv7l.tar.gz|armhf.url =\1/releases/download/v${app_version}/matrix-synapse_${app_version}-$debian_version_name_1-bin1_armv7l.tar.gz|" ../manifest.toml
sed -r -i "s|armhf.url\s*=(.*)/releases/download/v[[:alnum:].]{4,10}/matrix-synapse_[[:alnum:].]{4,10}-$debian_version_name_2-bin[[:digit:]]_armv7l.tar.gz|armhf.url =\1/releases/download/v${app_version}/matrix-synapse_${app_version}-$debian_version_name_2-bin1_armv7l.tar.gz|" ../manifest.toml
# Update checksum
sha256sum_arm_archive_deb_1=$(cat $build_result_path_deb_1/${result_prefix_name_deb_1}-bin1_armv7l-sha256.txt)
sha256sum_arm_archive_deb_2=$(cat $build_result_path_deb_2/${result_prefix_name_deb_2}-bin1_armv7l-sha256.txt)
prev_sha256sum_arm_archive_deb_1=$(get_from_manifest ".resources.sources.${app_name}_prebuilt_armv7_$debian_version_name_1.armhf.sha256")
prev_sha256sum_arm_archive_deb_2=$(get_from_manifest ".resources.sources.${app_name}_prebuilt_armv7_$debian_version_name_2.armhf.sha256")
sed -r -i "s|$prev_sha256sum_arm_archive_deb_1|$sha256sum_arm_archive_deb_1|" ../manifest.toml
sed -r -i "s|$prev_sha256sum_arm_archive_deb_2|$sha256sum_arm_archive_deb_2|" ../manifest.toml
git commit -a -m "Upgrade $app_name to $app_version"
git push gitea auto_update:auto_update
) 2>&1 | tee "${app_name}_build_temp.log"
return ${PIPESTATUS[0]}
}
push_armv7_build() {
## Make a draft release json with a markdown body
local release='"tag_name": "v'$app_version'", "target_commitish": "master", "name": "v'$app_version'", '
local body="$app_name prebuilt bin for ${app_name}_ynh\\n=========\\nPlease refer to upstream project for the change : https://github.com/element-hq/synapse/releases\\n\\nSha256sum for $debian_version_name_1 : $(cat $build_result_path_deb_1/${result_prefix_name_deb_1}-bin1_armv7l-sha256.txt)\\nSha256sum for $debian_version_name_2 : $(cat $build_result_path_deb_2/${result_prefix_name_deb_2}-bin1_armv7l-sha256.txt)"
release+='"body": "'$body'",'
release+='"draft": true, "prerelease": false'
release='{'$release'}'
local url="https://api.github.com/repos/$owner/$repo/releases"
local succ=$(curl -H "Authorization: token $perstok" --data "$release" $url)
## In case of success, we upload a file
local upload_generic=$(echo "$succ" | grep upload_url)
if [[ $? -eq 0 ]]; then
echo "Release created."
else
echo "Error creating release!"
return 1
fi
local upload_prefix
local upload_file
local upload_ok
local download
for archive_name in $build_result_path_deb_1/${result_prefix_name_deb_1}-bin1_armv7l.tar.gz \
$build_result_path_deb_2/${result_prefix_name_deb_2}-bin1_armv7l.tar.gz
do
# $upload_generic is like:
# "upload_url": "https://uploads.github.com/repos/:owner/:repo/releases/:ID/assets{?name,label}",
upload_prefix=$(echo $upload_generic | cut -d "\"" -f4 | cut -d "{" -f1)
upload_file="$upload_prefix?name=${archive_name##*/}"
echo "Start uploading file"
i=0
upload_ok=false
while [ $i -le 4 ]; do
i=$((i+1))
# Download file
set +e
succ=$(curl -H "Authorization: token $perstok" \
-H "Content-Type: $(file -b --mime-type $archive_name)" \
-H "Accept: application/vnd.github.v3+json" \
--data-binary @$archive_name $upload_file)
res=$?
set -e
if [ $res -ne 0 ]; then
echo "Curl upload failled"
continue
fi
echo "Upload done, check result"
set +eu
download=$(echo "$succ" | egrep -o "browser_download_url.+?")
res=$?
if [ $res -ne 0 ] || [ -z "$download" ]; then
set -eu
echo "Result upload error"
continue
fi
set -eu
echo "$download" | cut -d: -f2,3 | cut -d\" -f2
echo "Upload OK"
upload_ok=true
break
done
if ! $upload_ok; then
echo "Upload completely failed, exit"
return 1
fi
done
}
app_version=$(get_from_manifest ".version" | cut -d'~' -f1)
if check_app_version
then
set +eu
upgrade_app
res=$?
set -eu
if [ $res -eq 0 ]; then
result="Success"
else
result="Failed"
fi
msg="Build: $app_name version $app_version\n"
msg+="$(cat ${app_name}_build_temp.log)"
echo -e "$msg" | mail.mailutils -a "Content-Type: text/plain; charset=UTF-8" -s "Autoupgrade $app_name : $result" "$notify_email"
fi

View file

@ -0,0 +1,24 @@
build_cmd_deb_1() {
pushd ~
sudo /root/build_synapse_bin.sh $1 $2 --chroot-yes
popd
sudo chown app_upgrader ~/$2*
}
build_cmd_deb_2() {
local target_dir=~
sudo chroot /mnt/bookworm_build /root/build_synapse_bin.sh $1 $2 --chroot-yes
sudo mv -t $target_dir /mnt/bookworm_build/$2*
sudo chown app_upgrader $target_dir/$2*
}
build_result_path_deb_1=~
build_result_path_deb_2=~
notify_email="hello@world.tld"
# For github arm release
owner="YunoHost-Apps"
repo="synapse_python_build"
perstok="kkk"

View file

@ -1,25 +0,0 @@
;; General
; Manifest
domain="domain.tld"
path="/_matrix/static/"
is_free_registration=1
server_name="domain.tld"
; Checks
pkg_linter=1
setup_sub_dir=1
setup_root=0
setup_nourl=0
setup_private=0
setup_public=1
upgrade=1
upgrade=1 from_commit=b3bacec606f25c7f69de44da9e9e7eac405810c7
backup_restore=1
multi_instance=0
incorrect_path=0
port_already_use=1 (8448)
change_url=0
;;; Levels
Level 5=auto
;;; Upgrade options
; commit=ed9d550d69c168182aa9e070f265a141d8bd9fd2
name=Post app user creation

View file

@ -1,7 +0,0 @@
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.98.0/matrix-synapse_1.98.0-bookworm-bin1_armv7l.tar.gz
SOURCE_SUM=d65552797237b1ce85f7a3a4c627f9da3c9b46fc72132ce8bb1a3022f78fd454
# (Optional) Program to check the integrity (sha256sum, md5sum...)
# default: sha256
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=tar.gz
SOURCE_IN_SUBDIR=true

View file

@ -1,7 +0,0 @@
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.98.0/matrix-synapse_1.98.0-bullseye-bin1_armv7l.tar.gz
SOURCE_SUM=ff48049e5f4a4b8ff1e84af999b694a4aece3d647e23c3b3fe013ea86a17c820
# (Optional) Program to check the integrity (sha256sum, md5sum...)
# default: sha256
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=tar.gz
SOURCE_IN_SUBDIR=true

View file

@ -1,3 +0,0 @@
# Specify environment variables used when running Synapse
# SYNAPSE_CACHE_FACTOR=1 (default)

View file

@ -5,7 +5,10 @@
# should have the same indentation. # should have the same indentation.
# #
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
## Modules ## ## Modules ##
@ -285,7 +288,7 @@ listeners:
# will also need to give Synapse a TLS key and certificate: see the TLS section # will also need to give Synapse a TLS key and certificate: see the TLS section
# below.) # below.)
# #
- port: __SYNAPSE_TLS_PORT__ - port: __PORT_SYNAPSE_TLS__
type: http type: http
tls: true tls: true
resources: resources:
@ -297,7 +300,7 @@ listeners:
# If you plan to use a reverse proxy, please see # If you plan to use a reverse proxy, please see
# https://matrix-org.github.io/synapse/latest/reverse_proxy.html. # https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
# #
- port: __PORT__ - port: __PORT_SYNAPSE__
tls: false tls: false
type: http type: http
x_forwarded: true x_forwarded: true
@ -801,9 +804,9 @@ database:
name: psycopg2 name: psycopg2
#txn_limit: 10000 #txn_limit: 10000
args: args:
user: __SYNAPSE_DB_USER__ user: __DB_USER__
password: __SYNAPSE_DB_PWD__ password: __DB_PWD__
database: __SYNAPSE_DB_NAME__ database: __DB_NAME__
host: localhost host: localhost
port: 5432 port: 5432
cp_min: 5 cp_min: 5
@ -956,7 +959,7 @@ log_config: "/etc/matrix-__APP__/log.yaml"
# Directory where uploaded images and attachments are stored. # Directory where uploaded images and attachments are stored.
# #
media_store_path: "/home/yunohost.app/matrix-__APP__/media" media_store_path: "__DATA_DIR__/media"
# Media storage providers allow media to be stored in different # Media storage providers allow media to be stored in different
# locations. # locations.
@ -970,7 +973,7 @@ media_storage_providers:
# Whether to wait for successful storage for local uploads # Whether to wait for successful storage for local uploads
store_synchronous: false store_synchronous: false
config: config:
directory: "/home/yunohost.app/matrix-__APP__/media_storage" directory: "__DATA_DIR__/media_storage"
# The largest allowed upload size in bytes # The largest allowed upload size in bytes
# #
@ -1178,7 +1181,7 @@ oembed:
# The public URIs of the TURN server to give to clients # The public URIs of the TURN server to give to clients
# #
turn_uris: [ "turn:__DOMAIN__:__TURNSERVER_TLS_PORT__?transport=udp", "turn:__DOMAIN__:__TURNSERVER_TLS_PORT__?transport=tcp" ] __TURN_SERVER_CONFIG__
# The shared secret used to compute passwords for the TURN server # The shared secret used to compute passwords for the TURN server
# #
@ -1192,7 +1195,7 @@ turn_shared_secret: "__TURNSERVER_PWD__"
# How long generated TURN credentials last # How long generated TURN credentials last
# #
turn_user_lifetime: 1h turn_user_lifetime: 12h
# Whether guests should be allowed to use the TURN server. # Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests. # This defaults to True, otherwise VoIP will be unreliable for guests.
@ -1200,7 +1203,7 @@ turn_user_lifetime: 1h
# connect to arbitrary endpoints without having first signed up for a # connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA). # valid account (e.g. by passing a CAPTCHA).
# #
turn_allow_guests: __TURN_ALLOW_GUESTS__ turn_allow_guests: __ALLOW_GUEST_ACCESS__
## Registration ## ## Registration ##
@ -1271,9 +1274,7 @@ enable_registration: __ENABLE_REGISTRATION__
# The user must provide all of the below types of 3PID when registering. # The user must provide all of the below types of 3PID when registering.
# #
registrations_require_3pid: _REGISTRATION_REQUIRE_3PID_SED_PARAM_
- email
# - msisdn
# Explicitly disable asking for MSISDNs from the registration # Explicitly disable asking for MSISDNs from the registration
# flow (overrides registrations_require_3pid if MSISDNs are set as required) # flow (overrides registrations_require_3pid if MSISDNs are set as required)
@ -1283,6 +1284,7 @@ disable_msisdn_registration: __DISABLE_MSISDN_REGISTRATION__
# Mandate that users are only allowed to associate certain formats of # Mandate that users are only allowed to associate certain formats of
# 3PIDs with accounts on this server. # 3PIDs with accounts on this server.
# #
_ALLOWD_LOCAL_3PIDS_SED_PARAM_
#allowed_local_3pids: #allowed_local_3pids:
# - medium: email # - medium: email
# pattern: '^[^@]+@vector\.im$' # pattern: '^[^@]+@vector\.im$'
@ -1356,9 +1358,9 @@ default_identity_server: __DEFAULT_IDENTITY_SERVER__
# by the Matrix Identity Service API specification: # by the Matrix Identity Service API specification:
# https://matrix.org/docs/spec/identity_service/latest # https://matrix.org/docs/spec/identity_service/latest
# #
# As email delegates is managed by the synapse server itself this email section is # As email delegates is managed by the synapse server itself this email section is
# not necessary but msisdn format is still composed by msisdn: <value> on a new line # not necessary but msisdn format is still composed by msisdn: <value> on a new line
account_threepid_delegates: account_threepid_delegates:
msisdn: __ACCOUNT_THREEPID_DELEGATES_MSISDN__ msisdn: __ACCOUNT_THREEPID_DELEGATES_MSISDN__
#email: https://example.com # Delegate email sending to example.com #email: https://example.com # Delegate email sending to example.com
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process #msisdn: http://localhost:8090 # Delegate SMS sending to this local process
@ -1395,8 +1397,7 @@ account_threepid_delegates:
# If the room already exists, make certain it is a publicly joinable # If the room already exists, make certain it is a publicly joinable
# room. The join rule of the room must be set to 'public'. # room. The join rule of the room must be set to 'public'.
# #
auto_join_rooms: _AUTO_JOIN_ROOMS_SED_PARAM_
- "#example:example.com"
# Where auto_join_rooms are specified, setting this flag ensures that the # Where auto_join_rooms are specified, setting this flag ensures that the
# the rooms exist by creating them when the first user on the # the rooms exist by creating them when the first user on the
@ -2043,7 +2044,7 @@ cas_config:
# Uncomment the following to enable authorization against a CAS server. # Uncomment the following to enable authorization against a CAS server.
# Defaults to false. # Defaults to false.
# #
enabled: __SSO_ENABLED__ enabled: true
# The URL of the CAS authorization endpoint. # The URL of the CAS authorization endpoint.
# #
@ -2089,7 +2090,7 @@ sso:
# By default, this list contains only the login fallback page. # By default, this list contains only the login fallback page.
# #
client_whitelist: client_whitelist:
__DOMAIN_WHITELIST_CLIENT__ _DOMAIN_WHITELIST_CLIENT_
# Uncomment to keep a user's profile fields in sync with information from # Uncomment to keep a user's profile fields in sync with information from
# the identity provider. Currently only syncing the displayname is # the identity provider. Currently only syncing the displayname is
@ -2247,12 +2248,10 @@ password_providers:
uid: "uid" uid: "uid"
mail: "mail" mail: "mail"
name: "givenName" name: "givenName"
bind_dn: "uid=__SYNAPSE_USER_APP__,ou=users,dc=yunohost,dc=org"
bind_password: __SYNAPSE_USER_APP_PWD__
filter: "(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))" filter: "(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))"
# Configuration for sending emails from Synapse. # Configuration for sending emails from Synapse.
# #
# Server admins can configure custom templates for email content. See # Server admins can configure custom templates for email content. See
@ -2261,7 +2260,7 @@ password_providers:
email: email:
# The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
# #
smtp_host: "__MAIN_DOMAIN__" smtp_host: "__DOMAIN__"
# The port on the mail server for outgoing SMTP. Defaults to 25. # The port on the mail server for outgoing SMTP. Defaults to 25.
# #
@ -2270,8 +2269,8 @@ email:
# Username/password for authentication to the SMTP server. By default, no # Username/password for authentication to the SMTP server. By default, no
# authentication is attempted. # authentication is attempted.
# #
smtp_user: __SYNAPSE_USER_APP__ smtp_user: __APP__
smtp_pass: __SYNAPSE_USER_APP_PWD__ smtp_pass: __MAIL_PWD__
# Uncomment the following to require TLS transport security for SMTP. # Uncomment the following to require TLS transport security for SMTP.
# By default, Synapse will connect over plain text, and will then switch to # By default, Synapse will connect over plain text, and will then switch to
@ -2298,7 +2297,7 @@ email:
# Note that the placeholder must be written '%(app)s', including the # Note that the placeholder must be written '%(app)s', including the
# trailing 's'. # trailing 's'.
# #
notif_from: "Your Friendly %(app)s Home Server <__SYNAPSE_USER_APP__@__DOMAIN__>" notif_from: "Your Friendly %(app)s Home Server <__APP__@__DOMAIN__>"
# app_name defines the default value for '%(app)s' in notif_from and email # app_name defines the default value for '%(app)s' in notif_from and email
# subjects. It defaults to 'Matrix'. # subjects. It defaults to 'Matrix'.

View file

@ -1,26 +1,31 @@
location __PATH__/ { rewrite ^$ /;
proxy_pass http://localhost:__PORT__; location ~ ^/$ {
default_type text/plain;
return 200 "This is where Synapse is installed.";
}
location /_matrix/ {
proxy_pass http://localhost:__PORT_SYNAPSE__;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host; proxy_set_header Host $host;
client_max_body_size 100M; client_max_body_size __MAX_UPLOAD_SIZE__;
# Use the specific path for the php file. It's more secure than global php path
location __PATH__/cas_server.php {
alias /var/www/__APP__/;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
include fastcgi_params;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME cas_server.php;
}
} }
# Use the specific path for the php file. It's more secure than global php path
location /_matrix/cas_server.php/ {
alias /var/www/__APP__/;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
include fastcgi_params;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME cas_server.php;
}
location /_synapse/ { location /_synapse/ {
proxy_pass http://localhost:__PORT__; proxy_pass http://localhost:__PORT_SYNAPSE__;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host; proxy_set_header Host $host;

View file

@ -1,58 +1,58 @@
annotated-types==0.6.0 annotated-types==0.6.0
attrs==23.1.0 attrs==23.2.0
Automat==22.10.0 Automat==22.10.0
bcrypt==4.1.1 bcrypt==4.1.2
bleach==6.1.0 bleach==6.1.0
canonicaljson==2.0.0 canonicaljson==2.0.0
certifi==2023.11.17 certifi==2024.2.2
cffi==1.16.0 cffi==1.16.0
charset-normalizer==3.3.2 charset-normalizer==3.3.2
constantly==23.10.4 constantly==23.10.4
cryptography==41.0.7 cryptography==42.0.5
hyperlink==21.0.0 hyperlink==21.0.0
idna==3.6 idna==3.6
ijson==3.2.3 ijson==3.2.3
immutabledict==4.0.0 immutabledict==4.2.0
incremental==22.10.0 incremental==22.10.0
Jinja2==3.1.2 Jinja2==3.1.3
jsonschema==4.20.0 jsonschema==4.21.1
jsonschema-specifications==2023.11.2 jsonschema-specifications==2023.12.1
ldap3==2.9.1 ldap3==2.9.1
lxml==4.9.3 lxml==5.2.1
MarkupSafe==2.1.3 MarkupSafe==2.1.5
matrix-common==1.3.0 matrix-common==1.3.0
matrix-synapse==1.98.0 matrix-synapse==1.104.0
matrix-synapse-ldap3==0.3.0 matrix-synapse-ldap3==0.3.0
msgpack==1.0.7 msgpack==1.0.8
ndg-httpsclient==0.5.1 ndg-httpsclient==0.5.1
netaddr==0.9.0 netaddr==1.2.1
packaging==23.2 packaging==24.0
phonenumbers==8.13.26 phonenumbers==8.13.33
Pillow==10.1.0 pillow==10.3.0
prometheus-client==0.19.0 prometheus_client==0.20.0
psycopg2==2.9.9 psycopg2==2.9.9
pyasn1==0.5.1 pyasn1==0.6.0
pyasn1-modules==0.3.0 pyasn1_modules==0.4.0
pycparser==2.21 pycparser==2.22
pydantic==2.5.2 pydantic==2.6.4
pydantic_core==2.14.5 pydantic_core==2.16.3
pymacaroons==0.13.0 pymacaroons==0.13.0
PyNaCl==1.5.0 PyNaCl==1.5.0
pyOpenSSL==23.3.0 pyOpenSSL==24.1.0
PyYAML==6.0.1 PyYAML==6.0.1
referencing==0.32.0 referencing==0.34.0
requests==2.31.0 requests==2.31.0
rpds-py==0.13.2 rpds-py==0.18.0
semantic-version==2.10.0 semantic-version==2.10.0
service-identity==23.1.0 service-identity==24.1.0
setuptools-rust==1.8.1 setuptools-rust==1.9.0
signedjson==1.1.4 signedjson==1.1.4
six==1.16.0 six==1.16.0
sortedcontainers==2.4.0 sortedcontainers==2.4.0
treq==23.11.0 treq==23.11.0
Twisted==23.10.0 Twisted==24.3.0
typing_extensions==4.9.0 typing_extensions==4.10.0
unpaddedbase64==2.1.0 unpaddedbase64==2.1.0
urllib3==2.1.0 urllib3==2.2.1
webencodings==0.5.1 webencodings==0.5.1
zope.interface==6.1 zope.interface==6.2

View file

@ -1,60 +1,59 @@
annotated-types==0.6.0 annotated-types==0.6.0
attrs==23.1.0 attrs==23.2.0
Automat==22.10.0 Automat==22.10.0
bcrypt==4.1.1 bcrypt==4.1.2
bleach==6.1.0 bleach==6.1.0
canonicaljson==2.0.0 canonicaljson==2.0.0
certifi==2023.11.17 certifi==2024.2.2
cffi==1.16.0 cffi==1.16.0
charset-normalizer==3.3.2 charset-normalizer==3.3.2
constantly==23.10.4 constantly==23.10.4
cryptography==41.0.7 cryptography==42.0.5
hyperlink==21.0.0 hyperlink==21.0.0
idna==3.6 idna==3.6
ijson==3.2.3 ijson==3.2.3
immutabledict==4.0.0 immutabledict==4.2.0
incremental==22.10.0 incremental==22.10.0
Jinja2==3.1.2 Jinja2==3.1.3
jsonschema==4.20.0 jsonschema==4.21.1
jsonschema-specifications==2023.11.2 jsonschema-specifications==2023.12.1
ldap3==2.9.1 ldap3==2.9.1
lxml==4.9.3 lxml==5.2.1
MarkupSafe==2.1.3 MarkupSafe==2.1.5
matrix-common==1.3.0 matrix-common==1.3.0
matrix-synapse==1.98.0 matrix-synapse==1.104.0
matrix-synapse-ldap3==0.3.0 matrix-synapse-ldap3==0.3.0
msgpack==1.0.7 msgpack==1.0.8
ndg-httpsclient==0.5.1 ndg-httpsclient==0.5.1
netaddr==0.9.0 netaddr==1.2.1
packaging==23.2 packaging==24.0
phonenumbers==8.13.26 phonenumbers==8.13.33
Pillow==10.1.0 pillow==10.3.0
pkg_resources==0.0.0 prometheus_client==0.20.0
prometheus-client==0.19.0
psycopg2==2.9.9 psycopg2==2.9.9
pyasn1==0.5.1 pyasn1==0.6.0
pyasn1-modules==0.3.0 pyasn1_modules==0.4.0
pycparser==2.21 pycparser==2.22
pydantic==2.5.2 pydantic==2.6.4
pydantic_core==2.14.5 pydantic_core==2.16.3
pymacaroons==0.13.0 pymacaroons==0.13.0
PyNaCl==1.5.0 PyNaCl==1.5.0
pyOpenSSL==23.3.0 pyOpenSSL==24.1.0
PyYAML==6.0.1 PyYAML==6.0.1
referencing==0.32.0 referencing==0.34.0
requests==2.31.0 requests==2.31.0
rpds-py==0.13.2 rpds-py==0.18.0
semantic-version==2.10.0 semantic-version==2.10.0
service-identity==23.1.0 service-identity==24.1.0
setuptools-rust==1.8.1 setuptools-rust==1.9.0
signedjson==1.1.4 signedjson==1.1.4
six==1.16.0 six==1.16.0
sortedcontainers==2.4.0 sortedcontainers==2.4.0
tomli==2.0.1 tomli==2.0.1
treq==23.11.0 treq==23.11.0
Twisted==23.10.0 Twisted==24.3.0
typing_extensions==4.9.0 typing_extensions==4.10.0
unpaddedbase64==2.1.0 unpaddedbase64==2.1.0
urllib3==2.1.0 urllib3==2.2.1
webencodings==0.5.1 webencodings==0.5.1
zope.interface==6.1 zope.interface==6.2

View file

@ -1,14 +1,14 @@
location /.well-known/matrix/server { location = /.well-known/matrix/server {
return 200 '{"m.server": "__DOMAIN__:__SYNAPSE_TLS_PORT__"}'; return 200 '{"m.server": "__DOMAIN__:__PORT_SYNAPSE_TLS__"}';
add_header Content-Type application/json; add_header Content-Type application/json;
add_header Access-Control-Allow-Origin '*'; add_header Access-Control-Allow-Origin '*';
} }
location /.well-known/matrix/client { location = /.well-known/matrix/client {
return 200 '{ return 200 '{
"m.homeserver": { "base_url": "https://__DOMAIN__" }, "m.homeserver": { "base_url": "https://__DOMAIN__" },
"im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER__"}, "im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER__"},
"im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT__ } "im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT_CLIENT_CONFIG__ }
}'; }';
add_header Content-Type application/json; add_header Content-Type application/json;
add_header Access-Control-Allow-Origin '*'; add_header Access-Control-Allow-Origin '*';

View file

@ -1,15 +1,17 @@
[Unit] [Unit]
Description=Coturn Description=Coturn
Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1) Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
After=syslog.target network.target After=syslog.target network-online.target
[Service] [Service]
User=turnserver User=turnserver
Group=turnserver Group=turnserver
Type=simple Type=notify
EnvironmentFile=/etc/default/coturn-__APP__ EnvironmentFile=/etc/matrix-__APP__/coturn_env
ExecStart=/usr/bin/turnserver -c /etc/matrix-__APP__/coturn.conf $EXTRA_OPTIONS --pidfile= ExecStart=/usr/bin/turnserver -c /etc/matrix-__APP__/coturn.conf $EXTRA_OPTIONS --pidfile=
Restart=on-abort Restart=on-failure
InaccessibleDirectories=/home
PrivateTmp=yes
LimitCORE=infinity LimitCORE=infinity
LimitNOFILE=999999 LimitNOFILE=999999

View file

@ -4,10 +4,9 @@ After=network.target
[Service] [Service]
Type=simple Type=simple
User=matrix-__APP__ User=__APP__
WorkingDirectory=/opt/yunohost/matrix-__APP__ WorkingDirectory=/opt/yunohost/matrix-__APP__
BindPaths=/etc/matrix-__APP__ BindPaths=/etc/matrix-__APP__
EnvironmentFile=/etc/default/matrix-__APP__
ExecStartPre=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/ --generate-keys ExecStartPre=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/ --generate-keys
ExecStart=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/ ExecStart=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/
Restart=always Restart=always
@ -41,7 +40,7 @@ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

View file

@ -3,27 +3,39 @@ use-auth-secret
static-auth-secret=__TURNSERVER_PWD__ static-auth-secret=__TURNSERVER_PWD__
realm=__DOMAIN__ realm=__DOMAIN__
tls-listening-port=__TURNSERVER_TLS_PORT__ tls-listening-port=__PORT_TURNSERVER_TLS__
alt-tls-listening-port=__TURNSERVER_ALT_TLS_PORT__ alt-tls-listening-port=__PORT_TURNSERVER_ALT_TLS__
min-port=49153 min-port=49153
max-port=49193 max-port=49193
cli-port=__CLI_PORT__ cli-port=__PORT_CLI__
cert=/etc/yunohost/certs/__DOMAIN__/crt.pem cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
pkey=/etc/yunohost/certs/__DOMAIN__/key.pem pkey=/etc/yunohost/certs/__DOMAIN__/key.pem
dh-file=/etc/ssl/private/dh2048.pem dh-file=/etc/ssl/private/dh2048.pem
_TURN_CLEAR_COM_PARAM_
# Block old protocols
no-sslv2 no-sslv2
no-sslv3 no-sslv3
no-tlsv1 no-tlsv1
no-tlsv1_1 no-tlsv1_1
no-multicast-peers
no-cli
log-file=/var/log/matrix-__APP__/turnserver.log log-file=/var/log/matrix-__APP__/turnserver.log
pidfile=/run/coturn-__APP__/turnserver.pid pidfile=/run/coturn-__APP__/turnserver.pid
simple-log simple-log
__TURN_EXTERNAL_IP__ # consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200
# recommended additional local peers to block, to mitigate external access to internal services.
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
# Max time 12h
max-allocate-lifetime=43200
_TURN_EXTERNAL_IP_

View file

@ -1,76 +0,0 @@
# This file must be used with "source bin/activate" *from bash*
# you cannot run it directly
deactivate () {
# reset old environment variables
if [ -n "${_OLD_VIRTUAL_PATH:-}" ] ; then
PATH="${_OLD_VIRTUAL_PATH:-}"
export PATH
unset _OLD_VIRTUAL_PATH
fi
if [ -n "${_OLD_VIRTUAL_PYTHONHOME:-}" ] ; then
PYTHONHOME="${_OLD_VIRTUAL_PYTHONHOME:-}"
export PYTHONHOME
unset _OLD_VIRTUAL_PYTHONHOME
fi
# This should detect bash and zsh, which have a hash command that must
# be called to get it to forget past commands. Without forgetting
# past commands the $PATH changes we made may not be respected
if [ -n "${BASH:-}" -o -n "${ZSH_VERSION:-}" ] ; then
hash -r
fi
if [ -n "${_OLD_VIRTUAL_PS1:-}" ] ; then
PS1="${_OLD_VIRTUAL_PS1:-}"
export PS1
unset _OLD_VIRTUAL_PS1
fi
unset VIRTUAL_ENV
if [ ! "${1:-}" = "nondestructive" ] ; then
# Self destruct!
unset -f deactivate
fi
}
# unset irrelevant variables
deactivate nondestructive
VIRTUAL_ENV="__FINAL_PATH__"
export VIRTUAL_ENV
_OLD_VIRTUAL_PATH="$PATH"
PATH="$VIRTUAL_ENV/bin:$PATH"
export PATH
# unset PYTHONHOME if set
# this will fail if PYTHONHOME is set to the empty string (which is bad anyway)
# could use `if (set -u; : $PYTHONHOME) ;` in bash
if [ -n "${PYTHONHOME:-}" ] ; then
_OLD_VIRTUAL_PYTHONHOME="${PYTHONHOME:-}"
unset PYTHONHOME
fi
if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT:-}" ] ; then
_OLD_VIRTUAL_PS1="${PS1:-}"
if [ "x(new) " != x ] ; then
PS1="(new) ${PS1:-}"
else
if [ "`basename \"$VIRTUAL_ENV\"`" = "__" ] ; then
# special case for Aspen magic directories
# see http://www.zetadev.com/software/aspen/
PS1="[`basename \`dirname \"$VIRTUAL_ENV\"\``] $PS1"
else
PS1="(`basename \"$VIRTUAL_ENV\"`)$PS1"
fi
fi
export PS1
fi
# This should detect bash and zsh, which have a hash command that must
# be called to get it to forget past commands. Without forgetting
# past commands the $PATH changes we made may not be respected
if [ -n "${BASH:-}" -o -n "${ZSH_VERSION:-}" ] ; then
hash -r
fi

View file

@ -2,88 +2,83 @@ version = "1.0"
[main] [main]
name = "Main Settings" name = "Main Settings"
services = ["matrix-__APP__"] services = ["__APP__"]
[main.welcome] [main.welcome]
name = "Experience for new Users" name = "Experience for new Users"
[main.welcome.enable_registration] [main.welcome.enable_registration]
ask = "Enable Registration for new users." ask = "Enable Registration for new users"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Defaults to 'false'. If 'true', it is highly recommended to use either captcha, email, or token-based verification to avoid SPAM." help = "Defaults to 'false'. If 'true', it is highly recommended to use either captcha, email, or token-based verification to avoid SPAM."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[main.welcome.password_enabled] [main.welcome.password_enabled]
ask = "Enable Password Login?" ask = "Enable Password Login"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "If disabled, Login with Non-YunoHost Users impossible. But it simplies Login process if your Matrix server only has YunoHost SSO Users." help = "If disabled, Login with Non-YunoHost Users impossible. But it simplies Login process if your Matrix server only has YunoHost SSO Users."
bind = "password_config>enabled:/etc/matrix-__APP__/homeserver.yaml" # Temporary disable the visible flag due of https://github.com/YunoHost/issues/issues/2331
visible = "! enable_registration" # visible = "! enable_registration"
[main.welcome.registrations_require_3pid] [main.welcome.registrations_require_3pid]
ask = "Registration requires all following 3PID personal identifier." ask = "Registration requires all following 3PID personal identifier"
type = "select" type = "select"
choices = ["none","email", "msisdn", "email&msisdn"] choices = ["email", "msisdn", "email&msisdn"]
help = "! Warning msisdn (Phone number) registration require a third party service which send confirmation token by SMS.\n Do not select any option including msisdn if you don't know what to do. And don't user email nor msisdn if you don't understand privacy flow\nDefaults to: 'none'." help = "! Warning msisdn (Phone number) registration require a third party service which send confirmation token by SMS.\nDo not select msisdn if you don't know what to do. And don't select user msisdn if you don't understand privacy flow\nDefaults to: 'email'."
visible = "enable_registration" visible = "enable_registration"
[main.welcome.allowed_local_3pids_email] [main.welcome.allowed_local_3pids_email]
ask = "Register only with given email formats." ask = "Register only with given email formats"
type = "tags" type = "tags"
help = '( e.g. ^[^@]+@matrix\\\\.org$ ) Note that \\\ will write \\ as suggested in homeserver.yaml' help = '( e.g. ^[^@]+@matrix\\.org$ )'
visible = 'enable_registration && (registrations_require_3pid == "email" || registrations_require_3pid == "email&msisdn")' visible = 'enable_registration && (registrations_require_3pid == "email" || registrations_require_3pid == "email&msisdn")'
[main.welcome.allowed_local_3pids_msisdn] [main.welcome.allowed_local_3pids_msisdn]
ask = "Register only with given phone number formats." ask = "Register only with given phone number formats"
type = "tags" type = "tags"
help = '( e.g. \\\\+33 ) Note that \\\ will write \\ as suggested in homeserver.yaml' help = '( e.g. \\+33 )'
visible = 'enable_registration && (registrations_require_3pid == "email&msisdn" || registrations_require_3pid == "msisdn")' visible = 'enable_registration && (registrations_require_3pid == "email&msisdn" || registrations_require_3pid == "msisdn")'
[main.welcome.disable_msisdn_registration] [main.welcome.disable_msisdn_registration]
ask = "Disable asking Phone Number in Registration flow." ask = "Disable asking Phone Number in Registration flow"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Overrides 3PID settings if MSISDNs are set as required." help = "Overrides 3PID settings if MSISDNs are set as required."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
visible = "enable_registration" visible = "enable_registration"
[main.welcome.account_threepid_delegates_msisdn] [main.welcome.account_threepid_delegates_msisdn]
ask = "Specify a third party server to send confirmation code by SMS." ask = "Specify a third party server to send confirmation code by SMS"
type = "string" type = "string"
help = "That should be an URL with port or API." help = "That should be an URL with port or API."
bind = "account_threepid_delegates>msisdn:/etc/matrix-__APP__/homeserver.yaml"
visible = 'enable_registration && (registrations_require_3pid == "email&msisdn" || registrations_require_3pid == "msisdn")' visible = 'enable_registration && (registrations_require_3pid == "email&msisdn" || registrations_require_3pid == "msisdn")'
[main.welcome.auto_join_rooms] [main.welcome.auto_join_rooms]
ask = "Auto Join new Users in following Rooms:" ask = "Auto Join new Users in following Rooms"
type = "tags" type = "tags"
help = "( e.g. \\\\#example:example.com ) Note that \\\\# will write # in homeserver.yaml. Users who register on this homeserver will automatically be joined to these rooms. If the room already exists, the join rule must be set to 'public'. See also next setting." help = "( e.g. #example:example.com ) Users who register on this homeserver will automatically be joined to these rooms. If the room already exists, the join rule must be set to 'public'. See also next setting."
[main.welcome.autocreate_auto_join_rooms] [main.welcome.autocreate_auto_join_rooms]
ask = "Auto-Create room for Auto Join if not existing?" ask = "Auto-Create room for Auto Join if not existing"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Setting to false means that if the rooms are not manually created, users cannot be auto-joined. Auto-created rooms will be public and federated by default, this can be customised in CLI with the settings auto_join_*." help = "Setting to false means that if the rooms are not manually created, users cannot be auto-joined. Auto-created rooms will be public and federated by default, this can be customised in CLI with the settings auto_join_*."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[main.welcome.notif_for_new_users] [main.welcome.notif_for_new_users]
ask = "Enable email notifications for new users?" ask = "Enable email notifications for new users"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Defaults to 'true'." help = "Defaults to 'true'."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
visible = "enable_notifs" visible = "enable_notifs"
[main.privacy] [main.privacy]
name = "Data Privacy" name = "Data Privacy"
[main.privacy.text] [main.privacy.text]
ask = ''' ask = '''
* "all": any locally-created room * "all": any locally-created room
@ -97,164 +92,145 @@ services = ["matrix-__APP__"]
type = "select" type = "select"
choices = ["all", "invite", "off"] choices = ["all", "invite", "off"]
help = "Note that encryption can always be turned on manually, even after creation." help = "Note that encryption can always be turned on manually, even after creation."
bind = "encryption_enabled_by_default_for_room_type:/etc/matrix-__APP__/homeserver.yaml"
[main.privacy.allow_public_rooms_over_federation] [main.privacy.allow_public_rooms_over_federation]
ask = "Access Public Rooms Directory over Federation?" ask = "Access Public Rooms Directory over Federation"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Disabled by default. If disabled, users on other homeserver will not be able to look for a public room on your homeserver. They will have to type the ID of the room to join." help = "Disabled by default. If disabled, users on other homeserver will not be able to look for a public room on your homeserver. They will have to type the ID of the room to join."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[main.privacy.push_include_content] [main.privacy.push_include_content]
ask = "Disable content sharing inside push notification." ask = "Disable content sharing inside push notification"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Send content message and sender information in push notification. Set to false increase privacy when GAFAM notification service is used (ie: when element client is downloaded thrue Gplay store)." help = "Send content message and sender information in push notification. Set to false increase privacy when GAFAM notification service is used (ie: when element client is downloaded thrue Gplay store)."
bind = "push>include_content:/etc/matrix-__APP__/homeserver.yaml"
[main.experience] [main.experience]
name = "User Experience" name = "User Experience"
[main.experience.web_client_location] [main.experience.web_client_location]
ask = "Element instance your HomeServer should redirect to." ask = "Element instance your HomeServer should redirect to"
type = "url" type = "url"
help = "URL to the web client which / will redirect to." help = "URL to the web client which / will redirect to."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[main.experience.enable_group_creation] [main.experience.enable_group_creation]
ask = "Allow non-server-admin Users to create Spaces?" ask = "Allow non-server-admin Users to create Spaces"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Disabled by default: only server admins can create Spaces" help = "Disabled by default: only server admins can create Spaces"
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[main.experience.enable_notifs] [main.experience.enable_notifs]
ask = "Enable sending emails for messages the user missed?" ask = "Enable sending emails for messages the user missed"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Defaults to 'false'." help = "Defaults to 'false'."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[main.experience.client_base_url] [main.experience.client_base_url]
ask = "URL for client links within the email notifications." ask = "URL for client links within the email notifications"
type = "url" type = "url"
help = "Used to be called 'riot_base_url', still supported" help = "Used to be called 'riot_base_url', still supported"
bind = ":/etc/matrix-__APP__/homeserver.yaml"
visible = "enable_notifs" visible = "enable_notifs"
[resources] [resources]
name = "Resource Usage" name = "Resource Usage"
services = ["matrix-__APP__", "nginx"] services = ["__APP__"]
[resources.media] [resources.media]
name = "Manage Media growth and clean-up" name = "Manage Media growth and clean-up"
[resources.media.max_upload_size] [resources.media.max_upload_size]
ask = "Largest allowed media upload size in bytes." ask = "Largest allowed media upload size in bytes"
type = "string" type = "string"
help = "Defaults to: '10M' . Format : <value><[GMK]?>" help = "Defaults to: '10M' . Format : <value><[GMK]?>"
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[advanced] [advanced]
name = "Advanced Settings" name = "Advanced Settings"
services = ["matrix-__APP__"] services = ["matrix-__APP__"]
[advanced.help] # Disabled as it don't work any more on bookworm
name = "SETTINGS FOR EXPERTS IN SERVER ADMINISTRATION" #
# [advanced.help]
[advanced.help.text] # name = "SETTINGS FOR EXPERTS IN SERVER ADMINISTRATION"
ask = ''' #
!!There are security and privacy risks if you change these settings without knowing what you do!! # [advanced.help.text]
''' # ask = '''
type = "markdown" # !!There are security and privacy risks if you change these settings without knowing what you do!!
# '''
# type = "markdown"
[advanced.others] [advanced.others]
name = "Others" name = "Others"
[advanced.others.backup_before_upgrade] [advanced.others.report_stats]
ask = "Backup before upgrade?"
type = "boolean"
yes = "true"
no = "false"
help = "!! If disabled, do a manual backup before upgrade !! Disable if your Synapse instance is huge and you prefer to disable the backup that is normally automatically done before each upgrade."
[advanced.others.server_statistics]
ask = "Server statistics" ask = "Server statistics"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Enable to send anonymous statistics to Synapse Developers to improve performance." help = "Enable to send anonymous statistics to Synapse Developers to improve performance."
bind = "report_stats:/etc/matrix-__APP__/homeserver.yaml"
[advanced.guests] [advanced.guests]
name = "Experience for Guests / Anonymous" name = "Experience for Guests / Anonymous"
[advanced.guests.invite_client_location] [advanced.guests.invite_client_location]
ask = "Web client location to direct users to during an invite." ask = "Web client location to direct users to during an invite"
type = "url" type = "url"
help = "This is passed to the identity server as the org.matrix.web_client_location key. Defaults to unset, giving no guidance to the identity server." help = "This is passed to the identity server as the org.matrix.web_client_location key. Defaults to unset, giving no guidance to the identity server."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[advanced.guests.allow_guest_access] [advanced.guests.allow_guest_access]
ask = "Allow Users to Register as Guests?" ask = "Allow Users to Register as Guests"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Guests can participate on this server in rooms with guest access enabled, without a password/email/etc." help = "Guests can participate on this server in rooms with guest access enabled, without a password/email/etc."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[advanced.guests.auto_join_rooms_for_guests] [advanced.guests.auto_join_rooms_for_guests]
ask = "Enable Auto Join Room for Guests?" ask = "Enable Auto Join Room for Guests"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Defaults to 'true'." help = "Defaults to 'true'."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
visible = "allow_guest_access" visible = "allow_guest_access"
[advanced.privacy] [advanced.privacy]
name = "Data Privacy" name = "Data Privacy"
[advanced.privacy.enable_3pid_lookup] [advanced.privacy.enable_3pid_lookup]
ask = "Allow discovering friends with phone number or email?" ask = "Allow discovering friends with phone number or email"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Enable 3PIDs lookup requests to identity servers from this server. See Settings->General->Discovery in Element." help = "Enable 3PIDs lookup requests to identity servers from this server. See Settings->General->Discovery in Element."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[advanced.privacy.default_identity_server] [advanced.privacy.default_identity_server]
ask = "Identity server suggested to clients?" ask = "Identity server suggested to clients"
type = "url" type = "url"
help = "Identity server allows to discover, be discovered and invite people you know with phone number or email. If not set, users will probably chose centralized vector.im. See Settings->General->Discovery in Element." help = "Identity server allows to discover, be discovered and invite people you know with phone number or email. If not set, users will probably chose centralized vector.im. See Settings->General->Discovery in Element."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[advanced.privacy.allow_public_rooms_without_auth] [advanced.privacy.allow_public_rooms_without_auth]
ask = "Access Public Rooms Directory without authentification?" ask = "Access Public Rooms Directory without authentification"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "Disabled by default. If enabled, anyone can query the Public Rooms Directory (access through the client API). This only makes sense if you want everyone to be able to scroll your public room to see what's interesting on your Homeserver" help = "Disabled by default. If enabled, anyone can query the Public Rooms Directory (access through the client API). This only makes sense if you want everyone to be able to scroll your public room to see what's interesting on your Homeserver"
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[advanced.registration] [advanced.registration]
name = "Account Registration" name = "Account Registration"
[advanced.registration.registration_shared_secret] [advanced.registration.registration_shared_secret]
ask = "Shared Secret for Registration." ask = "Shared Secret for Registration"
type = "string" type = "string"
help = "Allows registration of standard or admin accounts, even if Registration disabled." help = "Allows registration of standard or admin accounts, even if Registration disabled."
bind = ":/etc/matrix-__APP__/homeserver.yaml"
[advanced.registration.turn_allow_guests] [advanced.security]
ask = "Should guests be allowed to use the TURN server?" name = "Security"
[advanced.security.enable_dtls_for_audio_video_turn_call]
ask = "Enable TLS/DTLS on Audio/Video coll"
type = "boolean" type = "boolean"
yes = "true" yes = "true"
no = "false" no = "false"
help = "This defaults to True, otherwise VoIP will be unreliable for guests. However, it does introduce a slight security risk as it allows users to connect to arbitrary endpoints without having first signed up for a valid account (e.g. by passing a CAPTCHA)." help = "Enabling TLS/DTLS is really recommanded but it could bring some issues depending of the server certificate. There are some known issues with let's encrypt (https://github.com/element-hq/element-android/issues/1533), so if you have issues it could be better to disable this feature."
bind = ":/etc/matrix-__APP__/homeserver.yaml"

176
doc/ADMIN.md Normal file
View file

@ -0,0 +1,176 @@
## Web client
The most well-known Matrix web client is Element, which is available in the YunoHost app catalog: <https://github.com/YunoHost-Apps/element_ynh>.
### Important Security Note
We do not recommend running Element from the same domain name as your Matrix homeserver (synapse). The reason is the risk of XSS (cross-site-scripting) vulnerabilities that could occur if someone caused Element to load and render malicious user generated content from a Matrix API which then had trusted access to Element (or other apps) due to sharing the same domain.
We have put some coarse mitigations into place to try to protect against this situation, but it's still not a good practice to do it in the first place. See https://github.com/vector-im/element-web/issues/1977 for more details.
## Admin UI
You may be interested in the synapse-admin app, which provides an administration interface for synapse: <https://github.com/YunoHost-Apps/synapse-admin_ynh>.
Then, to log in the API with your admin credentials (cf next section)
### Set user as admin
Currently, the client interface doesn't allow to grant admin rights. The workaround is to enable it manually in the database. The YunoHost app provides a small script to do so, which can be invoked:
```bash
/opt/yunohost/matrix-__APP__/set_admin_user.sh '@user_to_be_admin:domain.tld'
```
## Access by federation
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
If not, you can add the following line in the dns configuration but you normally don't need it as a `.well-known` file is edited during the install to declare your server name and port to the federation.
```
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
```
for example
```
_matrix._tcp.example.com. 3600 IN SRV 10 0 <synapse_port> synapse.example.com.
```
You need to replace `<synapse_port>` by the real port. This port can be obtained by the command: `yunohost app setting <synapse_instance_name> port_synapse_tls`
For more details, see : https://github.com/element-hq/synapse/blob/master/docs/federate.md
If it is not automatically done, you need to open this in your ISP box.
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
https://federationtester.matrix.org/ can be used to easily debug federation issues
## Turnserver
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
```bash
yunohost app setting synapse port_turnserver_tls
yunohost app setting synapse port_turnserver_alt_tls
```
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
```bash
yunohost firewall allow Both 49153:49193
```
You might also need to open these ports (if it is not automatically done) on your ISP box.
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/matrix-<synapse_instance_name>/Coturn_config_rotate.sh` to update your config.
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the `<synapse_instance_name>` which could be `synapse` or maybe `synapse__2`).
```
*/15 * * * * root bash /opt/yunohost/matrix-<synapse_instance_name>/Coturn_config_rotate.sh;
```
## OpenVPN
If your server is behind a VPN, you may want `synapse-coturn` ti automatically restart when the VPN restarts. To do this, create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
```bash
#!/bin/bash
(
sleep 5
sudo systemctl restart synapse-coturn.service
) &
exit 0
```
Add this line in you sudo config file `/etc/sudoers`
```
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart synapse-coturn.service
```
And add this line in your OpenVPN config file
```
ipchange /usr/local/bin/openvpn_up_script.sh
```
## Backup
Before any major maintenance action, it is recommended to backup the app.
To ensure the integrity of the data, it is recommended to explictly stop the server during the backup:
- Stop synapse service with theses following command:
```bash
systemctl stop synapse.service
```
- Launch the backup of synapse with this following command:
```bash
yunohost backup create --app synapse
```
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/synapse`.
- Restart the synapse service with these command:
```bash
systemctl start synapse.service
```
## Changing the server URL
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
Synapse give the possibility to change the domain of the instance. Note that this will only change the domain on which the synapse server will run. **This won't change the domain name of the account which is an other thing.**
The advantage of this is that you can put the app on a specific domain without impacting the domain name of the accounts. For instance you can have the synapse app on `matrix.yolo.net` and the user account will be something like that `@michu:yolo.net`. Note that it's the main difference between the domain of the app (which is `matrix.yolo.net`) and the "server name" which is `yolo.net`.
**Note that this change will have some important implications:**
- **This will break the connection from all previous connected clients. So all client connected before this change won't be able to communicate with the server until users will do a logout and login (which can also be problematic for e2e keys).** [There are a workaround which are described below](#avoid-the-need-to-reconnect-all-client-after-change-url-operation).
- In some case the client configuration will need to be updated. By example on element we can configure a default matrix server, this settings by example will need to be updated to the new domain to work correctly.
- In case of the "server name" domain are not on the same server than the synapse domain, you will need to update the `.well-known` or your DNS.
To do the change url of synapse you can do it by this following command or with the webadmin.
```bash
sudo yunohost app change-url synapse
```
### Avoid the need to reconnect all client after change-url operation
If you did change the url of synapse and you don't wan't to reconnect all client, this workaround should solve the issue.
The idea is to setup again a minimal configuration on the previous domain so the client configurated with the previous domain will still work correctly.
#### Nginx config
Retrive the server port with this command:
```bash
yunohost app setting synapse port_synapse
```
Edit the file `/etc/nginx/conf.d/<previous-domain.tld>.d/synapse.conf` and add this text:
```
location /_matrix/ {
proxy_pass http://localhost:<server_port_retrived_before>;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 200M;
}
```
Then reload nginx config:
```bash
systemctl reload nginx.service
```
#### Add permanent rule on SSOWAT
- Edit the file `/etc/ssowat/conf.json.persistent`
- Add `"<previous-domain.tld>/_matrix"` into the list in: `permissions` > `custom_skipped` > `uris`
Now the configured client before the change-url should work again.
## Removing the app
The YunoHost policy is to not remove the data when removing an app (stored in `/home/yunohost.app/synapse`). Use the `--purge` flag during the removal of the app to remove those, or just manually delete the folder after the app is deleted.

View file

@ -1,181 +0,0 @@
## Configuration
### Install for ARM arch (or slow arch)
For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install.
You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null`
After that you can install it without problem.
The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build
The script to build the binary is also available.
### Web client
If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh .
### Access by federation
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation.
```
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
```
for example
```
_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com.
```
You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port`
For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md
If it is not automatically done, you need to open this in your ISP box.
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
https://federationtester.matrix.org/ can be used to easily debug federation issues
### Turnserver
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
```
yunohost app setting synapse turnserver_tls_port
yunohost app setting synapse turnserver_alt_tls_port
```
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
```
yunohost firewall allow Both 49153:49193
```
You might also need to open these ports (if it is not automatically done) on your ISP box.
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config.
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`).
```
*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh;
```
#### OpenVPN
In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
```
#!/bin/bash
(
sleep 5
sudo systemctl restart coturn-synapse.service
) &
exit 0
```
Add this line in you sudo config file `/etc/sudoers`
```
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service
```
And add this line in your OpenVPN config file
```
ipchange /usr/local/bin/openvpn_up_script.sh
```
### Important Security Note
We do not recommend running Element from the same domain name as your Matrix
homeserver (synapse). The reason is the risk of XSS (cross-site-scripting)
vulnerabilities that could occur if someone caused Element to load and render
malicious user generated content from a Matrix API which then had trusted
access to Element (or other apps) due to sharing the same domain.
We have put some coarse mitigations into place to try to protect against this
situation, but it's still not a good practice to do it in the first place. See
https://github.com/vector-im/element-web/issues/1977 for more details.
## YunoHost specific features
## Limitations
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh)
## Additional information
## Administration
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
Before any manipulation it's recommended to do a backup by this following command :
`sudo yunohost backup create --apps synapse`
### Set user as admin
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
The following command will grant admin privilege to the specified user:
```
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
```
### Administration API
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
By default, no one has access to this path.
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
you need to give this permission to visitors.
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
### Upgrade
By default a backup is made before the upgrade. If for some reason you want to upgrade without backup:
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line:
`yunohost app setting synapse backup_before_upgrade -v 0`
After this settings will be applied for **all** next upgrade.
From command line:
`yunohost app upgrade synapse`
### Backup
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
- Stop synapse service with theses following command:
`systemctl stop synapse.service`
- Launch the backup of synapse with this following command:
`yunohost backup create --app synapse`
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
- Restart the synapse service with these command:
`systemctl start synapse.service`
### Remove
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
Use the `--purge` flag with the command, or remove it manually to purge app user data.
### Multi instance support
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:
```
yunohost app setting synapse__<instancenumber> synapse_tls_port
```
Before installing a second instance of the app it's really recommended to update all existing instances.

17
doc/POST_INSTALL.md Normal file
View file

@ -0,0 +1,17 @@
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
If not, you may need to put the following line in the dns configuration:
```text
_matrix._tcp.__DOMAIN__. 3600 IN SRV 10 0 __PORT_SYNAPSE_TLS__ __DOMAIN__.
```
For more details, see : https://github.com/element-hq/synapse#setting-up-federation
You also need to open the TCP port __PORT_SYNAPSE_TLS__ on your ISP box if it's not automatically done.
Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .
If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en

3
doc/PRE_INSTALL.md Normal file
View file

@ -0,0 +1,3 @@
- Synapse consumes a significant amount of resources (both CPU and ARM), and therefore is not recommended for "small" setups such as small ARM boards
- During the install, the generation of Diffie-Hellman parameters may take a significant amount of time. You can speed things up by manually initializing them before running the install: `openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -dsaparam 2048`
- The package uses a prebuilt python virtual environnement. The binary are taken from this repository: <https://github.com/YunoHost-Apps/synapse_python_build>. The script to build the binary is also available.

View file

@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
if [ $1 == __DOMAIN__ ]; then if [ $1 == __DOMAIN__ ]; then
systemctl restart matrix-__APP__ systemctl restart __APP__.service
fi fi

View file

@ -1,69 +0,0 @@
{
"name": "Synapse",
"id": "synapse",
"packaging_format": 1,
"description": {
"en": "Instant messaging server which uses Matrix",
"fr": "Serveur de messagerie instantané basé sur Matrix"
},
"version": "1.98.0~ynh1",
"url": "http://matrix.org",
"license": "Apache-2.0",
"maintainer": {
"name": "Josué Tille",
"email": "josue@tille.ch"
},
"upstream": {
"license": "Apache-2.0",
"website": "https://matrix.org/",
"code": "https://github.com/matrix-org/synapse"
},
"requirements": {
"yunohost": ">= 11.2"
},
"multi_instance": true,
"services": [
"nginx"
],
"arguments": {
"install" : [
{
"name": "domain",
"type": "domain"
},
{
"name": "server_name",
"type": "string",
"ask": {
"en": "If your Synapse domain is a subdomain, you can choose a name for your Synapse server to have your Matrix user-ids looking like @user:domain.org instead of @user:synapse.domain.org",
"fr": "Si votre domaine pour Synapse est un sous-domaine, vous pouvez choisir un nom pour votre serveur Synapse afin que vos identifiants Matrix soient @utilisateur:domain.org plutôt que @utilisateur:synapse.domain.org"
},
"example": "domain.org",
"default": "Same than the domain"
},
{
"name": "is_free_registration",
"type": "boolean",
"ask": {
"en": "Is it a server with free registration?",
"fr": "Est-ce un serveur avec création de compte libre ?"
},
"default": false,
"help": {
"en": "A public server means that anybody will be able to register on this server.",
"fr": "Un serveur public signifie que n'importe qui pourra s'enregistrer sur ce serveur."
}
},
{
"name": "jitsi_server",
"type": "string",
"ask": {
"en": "Jitsi server address for conferencing?",
"fr": "Adresse du serveur Jitsi pour les conférences ?"
},
"example": "domain.org",
"default": "jitsi.riot.im"
}
]
}
}

124
manifest.toml Normal file
View file

@ -0,0 +1,124 @@
packaging_format = 2
id = "synapse"
name = "Synapse"
description.en = "Instant messaging server which uses Matrix"
description.fr = "Serveur de messagerie instantané basé sur Matrix"
version = "1.104.0~ynh1"
maintainers = ["Josué Tille"]
[upstream]
license = "Apache-2.0"
website = "https://matrix.org/"
code = "https://github.com/element-hq/synapse"
admindoc = "https://matrix-org.github.io/synapse/latest/welcome_and_overview.html"
cpe = "cpe:2.3:a:matrix:synapse"
fund = "https://matrix.org/support/#"
[integration]
yunohost = ">= 11.2.11"
architectures = "all"
multi_instance = true
ldap = true
sso = "not_relevant"
disk = "250M"
ram.build = "500M"
ram.runtime = "1G"
[install]
[install.domain]
# this is a generic question - ask strings are automatically handled by Yunohost's core
type = "domain"
[install.server_name]
ask.en = "If your Synapse domain is a subdomain, you can choose a name for your Synapse server to have your Matrix user-ids looking like @user:domain.org instead of @user:synapse.domain.org"
ask.fr = "Si votre domaine pour Synapse est un sous-domaine, vous pouvez choisir un nom pour votre serveur Synapse afin que vos identifiants Matrix soient @utilisateur:domain.org plutôt que @utilisateur:synapse.domain.org"
type = "string"
example = "domain.org"
default = "Same than the domain"
[install.is_free_registration]
ask.en = "Is it a server with free registration?"
ask.fr = "Est-ce un serveur avec création de compte libre ?"
help.en = "A public server means that anybody will be able to register on this server."
help.fr = "Un serveur public signifie que n'importe qui pourra s'enregistrer sur ce serveur."
type = "boolean"
default = false
[install.jitsi_server]
ask.en = "Jitsi server address for conferencing?"
ask.fr = "Adresse du serveur Jitsi pour les conférences ?"
type = "string"
example = "domain.org"
default = "jitsi.riot.im"
[install.init_main_permission]
help.en = "Define the users allowed to access to synapse. Setting this to 'visitors' don't make sens in this case."
type = "group"
example = "all_users"
default = "all_users"
[resources]
[resources.sources.synapse_prebuilt_armv7_bookworm]
prefetch = false
armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.104.0/matrix-synapse_1.104.0-bookworm-bin1_armv7l.tar.gz"
armhf.sha256 = "880c3507a424277cd5414363e22dc2018407e572c5f7bb388a6560707ae4231e"
[resources.sources.synapse_prebuilt_armv7_bullseye]
prefetch = false
armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.104.0/matrix-synapse_1.104.0-bullseye-bin1_armv7l.tar.gz"
armhf.sha256 = "8f2f957d25566e5051aa0d5c88bcedacf6ea1615cc7aca84491a7ded84fbae11"
[resources.system_user]
allow_email = true
home = "/opt/yunohost/matrix-__APP__"
[resources.install_dir]
dir = "/var/www/__APP__"
owner = "__APP__:rwX"
group = "__APP__:rX"
[resources.data_dir]
dir = "/home/yunohost.app/__APP__"
[resources.permissions]
main.url = "/"
main.additional_urls = ["/_matrix/cas_server.php/login"]
main.label = "Server SSO"
main.auth_header = true
main.show_tile=false
main.protected = true
server_api.url = "/_matrix"
server_api.label = "Server access for client apps"
server_api.allowed = "visitors"
server_api.auth_header = false
server_api.show_tile = false
server_api.protected = true
admin_api.url = "/_synapse"
admin_api.label = "Admin API"
admin_api.allowed = "visitors"
admin_api.auth_header = false
admin_api.show_tile = false
admin_api.protected = true
[resources.ports]
synapse_tls.default = 8448
synapse_tls.exposed = "TCP"
synapse.default = 8008
turnserver_tls.default = 5349
turnserver_tls.exposed = "Both"
turnserver_alt_tls.default = 5350
turnserver_alt_tls.exposed = "Both"
cli.default = 5766
[resources.apt]
packages = ["coturn", "acl", "postgresql", "php-fpm",
"python3-dev", "python3-venv", "python3-pip", "python3-setuptools", "python3-lxml",
"build-essential", "libffi-dev", "libssl-dev", "libxml2-dev", "libxslt1-dev", "zlib1g-dev", "libjpeg-dev", "libpq-dev"]
[resources.database]
type = "postgresql"

View file

@ -1,65 +1,186 @@
dependances="coturn build-essential python3-dev libffi-dev python3-pip python3-setuptools sqlite3 libssl-dev python3-venv libxml2-dev libxslt1-dev python3-lxml zlib1g-dev libjpeg-dev libpq-dev postgresql acl"
python_version="$(python3 -V | cut -d' ' -f2 | cut -d. -f1-2)" python_version="$(python3 -V | cut -d' ' -f2 | cut -d. -f1-2)"
app=$YNH_APP_INSTANCE_NAME code_dir="/opt/yunohost/matrix-$app"
install_sources() { install_sources() {
# Install/upgrade synapse in virtualenv # Install/upgrade synapse in virtualenv
# Clean venv is it was on python2.7 or python3 with old version in case major upgrade of debian # Clean venv is it was on python2.7 or python3 with old version in case major upgrade of debian
if [ ! -e $final_path/bin/python3 ] || [ ! -e $final_path/lib/python$python_version ]; then if [ ! -e $code_dir/bin/python3 ] || [ ! -e $code_dir/lib/python$python_version ]; then
ynh_secure_remove --file=$final_path/bin ynh_secure_remove --file=$code_dir/bin
ynh_secure_remove --file=$final_path/lib ynh_secure_remove --file=$code_dir/lib
ynh_secure_remove --file=$final_path/lib64 ynh_secure_remove --file=$code_dir/lib64
ynh_secure_remove --file=$final_path/include ynh_secure_remove --file=$code_dir/include
ynh_secure_remove --file=$final_path/share ynh_secure_remove --file=$code_dir/share
ynh_secure_remove --file=$final_path/pyvenv.cfg ynh_secure_remove --file=$code_dir/pyvenv.cfg
fi fi
mkdir -p $final_path mkdir -p $code_dir
chown $synapse_user:root -R $final_path chown $app:root -R $code_dir
if [ -n "$(uname -m | grep arm)" ] if [ -n "$(uname -m | grep arm)" ]
then then
# Clean old file, sometimes it could make some big issues if we don't do this!! # Clean old file, sometimes it could make some big issues if we don't do this!!
ynh_secure_remove --file=$final_path/bin ynh_secure_remove --file=$code_dir/bin
ynh_secure_remove --file=$final_path/lib ynh_secure_remove --file=$code_dir/lib
ynh_secure_remove --file=$final_path/include ynh_secure_remove --file=$code_dir/include
ynh_secure_remove --file=$final_path/share ynh_secure_remove --file=$code_dir/share
ynh_setup_source --dest_dir=$final_path/ --source_id="armv7_$(lsb_release --codename --short)" ynh_setup_source --dest_dir=$code_dir/ --source_id="synapse_prebuilt_armv7_$(lsb_release --codename --short)"
# Fix multi-instance support # Fix multi-instance support
for f in $(ls $final_path/bin); do for f in $(ls $code_dir/bin); do
if ! [[ $f =~ "__" ]]; then if ! [[ $f =~ "__" ]]; then
ynh_replace_special_string --match_string='#!/opt/yunohost/matrix-synapse' --replace_string='#!'$final_path --target_file=$final_path/bin/$f ynh_replace_special_string --match_string='#!/opt/yunohost/matrix-synapse' --replace_string='#!'$code_dir --target_file=$code_dir/bin/$f
fi fi
done done
else else
# Install virtualenv if it don't exist # Install virtualenv if it don't exist
test -e $final_path/bin/python3 || python3 -m venv $final_path test -e $code_dir/bin/python3 || python3 -m venv $code_dir
# Install synapse in virtualenv # Install synapse in virtualenv
local pip3=$code_dir/bin/pip3
# We set all necessary environement variable to create a python virtualenvironnement. $pip3 install --upgrade setuptools wheel pip cffi
u_arg='u' $pip3 install --upgrade -r $YNH_APP_BASEDIR/conf/requirement_$(lsb_release --codename --short).txt
set +$u_arg; fi
source $final_path/bin/activate
set -$u_arg;
pip3 install --upgrade setuptools wheel pip
pip3 install --upgrade cffi ndg-httpsclient psycopg2 lxml jinja2
pip3 install --upgrade -r $YNH_APP_BASEDIR/conf/requirement_$(lsb_release --codename --short).txt
# This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does # Apply patch for LDAP auth if needed
set +$u_arg; # Note that we put patch into scripts dir because /source are not stored and can't be used on restore
deactivate if ! grep -F -q '# LDAP Filter anonymous user Applied' $code_dir/lib/python$python_version/site-packages/ldap_auth_provider.py; then
set -$u_arg; pushd $code_dir/lib/python$python_version/site-packages
patch < $YNH_APP_BASEDIR/scripts/patch/ldap_auth_filter_anonymous_user.patch
popd
fi fi
} }
get_domain_list() { configure_synapse() {
yunohost --output-as plain domain list | grep -E "^#" -v | sort | uniq | while read domain; do local domain_whitelist_client=$(yunohost --output-as plain domain list \
echo -n " - https://$domain\n" | grep -E "^#" -v \
done | sort | uniq \
| sed -r 's|^(.*)$| - \1|' \
| sed -z 's|\n|\\n|g')
local macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
local auto_join_rooms_sed_param=""
if [ -n "$auto_join_rooms" ]; then
auto_join_rooms_sed_param+='auto_join_rooms:'
while read -d, room; do
auto_join_rooms_sed_param+='\n - "'$room'"'
done <<< "${auto_join_rooms},"
fi
local registration_require_3pid_sed_param=""
case ${registrations_require_3pid} in
'email')
registration_require_3pid_sed_param="registrations_require_3pid:\n - email"
;;
'msisdn')
registration_require_3pid_sed_param="registrations_require_3pid:\n - msisdn"
;;
'email&msisdn')
registration_require_3pid_sed_param="registrations_require_3pid:\n - email\n - msisdn"
;;
esac
local allowd_local_3pids_sed_param=""
if [ -n "$allowed_local_3pids_email" ] || [ -n "$allowed_local_3pids_msisdn" ]; then
allowd_local_3pids_sed_param="allowed_local_3pids:"
if [ -n "$allowed_local_3pids_email" ]; then
while read -d, pattern ; do
allowd_local_3pids_sed_param+="\n - medium: email\n pattern: '$pattern'"
done <<< "${allowed_local_3pids_email},"
fi
if [ -n "$allowed_local_3pids_msisdn" ]; then
while read -d, pattern ; do
allowd_local_3pids_sed_param+="\n - medium: msisdn\n pattern: '$pattern'"
done <<< "${allowed_local_3pids_msisdn},"
fi
fi
local turn_server_config=""
if $enable_dtls_for_audio_video_turn_call; then
turn_server_config='turn_uris: [ "turns:'$domain:$port_turnserver_tls'", "turns:'$domain:$port_turnserver_alt_tls'" ]'
else
turn_server_config='turn_uris: [ "turn:'$domain:$port_turnserver_tls'", "turn:'$domain:$port_turnserver_alt_tls'" ]'
fi
ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
sed -i "s|_DOMAIN_WHITELIST_CLIENT_|$domain_whitelist_client|g" /etc/matrix-$app/homeserver.yaml
sed -i "s|_AUTO_JOIN_ROOMS_SED_PARAM_|$auto_join_rooms_sed_param|g" /etc/matrix-$app/homeserver.yaml
sed -i "s|_REGISTRATION_REQUIRE_3PID_SED_PARAM_|$registration_require_3pid_sed_param|g" /etc/matrix-$app/homeserver.yaml
sed -i "s|_ALLOWD_LOCAL_3PIDS_SED_PARAM_|$allowd_local_3pids_sed_param|g" /etc/matrix-$app/homeserver.yaml
ynh_store_file_checksum --file=/etc/matrix-$app/homeserver.yaml
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
}
configure_coturn() {
# Get public IP and set as external IP for coturn
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
local public_ip4="$(curl -s ip.yunohost.org)" || true
local public_ip6="$(curl -s ipv6.yunohost.org)" || true
local turn_external_ip=""
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
then
turn_external_ip+="external-ip=$public_ip4\\n"
fi
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
then
turn_external_ip+="external-ip=$public_ip6\\n"
fi
local turn_clear_com_param=''
if $enable_dtls_for_audio_video_turn_call; then
turn_clear_com_param+='# Block clear communication\nno-udp\nno-tcp'
fi
ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
sed -i "s|_TURN_CLEAR_COM_PARAM_|$turn_clear_com_param|g" /etc/matrix-$app/coturn.conf
sed -i "s|_TURN_EXTERNAL_IP_|$turn_external_ip|g" /etc/matrix-$app/coturn.conf
ynh_store_file_checksum --file=/etc/matrix-$app/coturn.conf
}
configure_nginx() {
local e2e_enabled_by_default_client_config
# Create .well-known redirection for access by federation
if yunohost --output-as plain domain list | grep -q "^$server_name$"
then
local e2e_enabled_by_default_client_config
if [ $e2e_enabled_by_default == "off" ]; then
e2e_enabled_by_default_client_config=false
else
e2e_enabled_by_default_client_config=true
fi
ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
fi
# Create a dedicated NGINX config
ynh_add_nginx_config
}
set_permissions() {
chown $app:$app -R $code_dir
chmod o= -R $code_dir
chmod 770 $code_dir/Coturn_config_rotate.sh
chmod 700 $code_dir/update_synapse_for_appservice.sh
chmod 700 $code_dir/set_admin_user.sh
if [ "${1:-}" == data ]; then
find $data_dir \( \! -perm -o= \
-o \! -user $app \
-o \! -group $app \) \
-exec chown $app:$app {} \; \
-exec chmod o= {} \;
fi
chown $app:$app -R /etc/matrix-$app
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
setfacl -R -m user:turnserver:rX /etc/matrix-$app
chmod 600 /etc/matrix-$app/$server_name.signing.key
chown $app:root -R /var/log/matrix-$app
setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
} }

View file

@ -14,37 +14,10 @@ source /usr/share/yunohost/helpers
# MANAGE SCRIPT FAILURE # MANAGE SCRIPT FAILURE
#================================================= #=================================================
# Exit if an error occurs during the execution of the script if systemctl is-active $app.service --quiet; then
ynh_abort_if_errors ynh_print_warn --message="It's hightly recommended to make your backup when the service is stopped. Please stop $app service with this command before to run the backup 'systemctl stop $app.service'"
#=================================================
# LOAD SETTINGS
#=================================================
ynh_print_info --message="Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
if [[ ! "$(systemctl status matrix-$app.service)" =~ "Active: inactive (dead)" ]]; then
ynh_print_warn --message="It's hightly recommended to make your backup when the service is stopped. Please stop $app service with this command before to run the backup 'systemctl stop matrix-$app.service'"
fi fi
#=================================================
# SET CONSTANTS
#=================================================
synapse_user="matrix-$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version)
final_www_path="/var/www/$app"
data_path="/home/yunohost.app/matrix-$app"
#================================================= #=================================================
# DECLARE DATA AND CONF FILES TO BACKUP # DECLARE DATA AND CONF FILES TO BACKUP
#================================================= #=================================================
@ -56,8 +29,8 @@ ynh_print_info --message="Declaring files to be backed up..."
# BACKUP THE APP MAIN DIR # BACKUP THE APP MAIN DIR
#================================================= #=================================================
ynh_backup --src_path="$final_path" ynh_backup --src_path="$code_dir"
ynh_backup --src_path="$final_www_path" ynh_backup --src_path="$install_dir"
#================================================= #=================================================
# BACKUP THE NGINX CONFIGURATION # BACKUP THE NGINX CONFIGURATION
@ -76,7 +49,7 @@ fi
# BACKUP THE POSTGRESQL DATABASE # BACKUP THE POSTGRESQL DATABASE
#================================================= #=================================================
ynh_psql_dump_db --database="$synapse_db_name" > ${YNH_CWD}/dump.sql ynh_psql_dump_db --database="$db_name" > ${YNH_CWD}/dump.sql
#================================================= #=================================================
# BACKUP FAIL2BAN CONFIGURATION # BACKUP FAIL2BAN CONFIGURATION
@ -97,16 +70,14 @@ ynh_backup --src_path="/etc/matrix-$app"
# BACKUP SYSTEMD # BACKUP SYSTEMD
#================================================= #=================================================
ynh_backup --src_path="/etc/default/matrix-$app" ynh_backup --src_path="/etc/systemd/system/$app.service"
ynh_backup --src_path="/etc/systemd/system/matrix-$app.service" ynh_backup --src_path="/etc/systemd/system/$app-coturn.service"
ynh_backup --src_path="/etc/default/coturn-$app"
ynh_backup --src_path="/etc/systemd/system/coturn-$app.service"
#================================================= #=================================================
# BACKUP SYNAPSE DATA # BACKUP SYNAPSE DATA
#================================================= #=================================================
ynh_backup --src_path="$data_path" --is_big=1 ynh_backup --src_path="$data_dir" --is_big=1
#================================================= #=================================================
# BACKUP SYNAPSE LOG # BACKUP SYNAPSE LOG

View file

@ -5,62 +5,12 @@
#================================================= #=================================================
# IMPORT GENERIC HELPERS # IMPORT GENERIC HELPERS
source /usr/share/yunohost/helpers
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
# Import common cmd
source ./experimental_helper.sh source ./experimental_helper.sh
source ./_common.sh source ./_common.sh
source /usr/share/yunohost/helpers
ynh_script_progression --message="Loading installation settings..." # We stop the service
ynh_systemd_action --service_name=$app.service --action=stop
# RETRIEVE ARGUMENTS
old_domain=$YNH_APP_OLD_DOMAIN
domain=$YNH_APP_NEW_DOMAIN
path_url=$(ynh_normalize_url_path --path_url $YNH_APP_NEW_PATH)
app=$YNH_APP_INSTANCE_NAME
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
synapse_old_version=$(ynh_app_setting_get --app=$app --key=synapse_version)
jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
is_free_registration=$(ynh_app_setting_get --app=$app --key=is_free_registration)
port=$(ynh_app_setting_get --app=$app --key=synapse_port)
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
report_stats=$(ynh_app_setting_get --app=$app --key=report_stats)
allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
main_domain=$(yunohost domain list --output-as json | jq -r .main)
synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version)
domain_whitelist_client_=$(get_domain_list)
domain_whitelist_client=${domain_whitelist_client_%"\n"}
# Check if the new path stay /_matrix if not exit
if [[ $path_url != "/_matrix" ]]
then
ynh_die --message "You can't use an other path than '/_matrix'. You can only change the domain."
fi
# We stop the service before to set ynh_clean_setup
ynh_systemd_action --service_name=matrix-$app.service --action=stop
#================================================= #=================================================
# STANDARD MODIFICATIONS # STANDARD MODIFICATIONS
@ -70,21 +20,8 @@ ynh_systemd_action --service_name=matrix-$app.service --action=stop
ynh_script_progression --message="Updating NGINX configuration..." ynh_script_progression --message="Updating NGINX configuration..."
# MODIFY URL IN NGINX CONF ynh_change_url_nginx_config
nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf configure_nginx
# Change the domain for nginx
# Delete file checksum for the old conf file location
ynh_delete_file_checksum --file "$nginx_conf_path"
mv $nginx_conf_path /etc/nginx/conf.d/$domain.d/$app.conf
# Store file checksum for the new config file location
ynh_store_file_checksum --file "/etc/nginx/conf.d/$domain.d/$app.conf"
# Create .well-known redirection for access by federation
if yunohost --output-as plain domain list | grep -q "^$server_name$"
then
ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
fi
#================================================= #=================================================
# UPDATE SYNAPSE CONFIG # UPDATE SYNAPSE CONFIG
@ -92,45 +29,25 @@ fi
ynh_script_progression --message="Updating Synapse config..." --weight=2 ynh_script_progression --message="Updating Synapse config..." --weight=2
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times) configure_synapse
# For any update do it in all files
if [ -z $macaroon_secret_key ]; then
# Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
# For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
# The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
# So for the old install we just leave this as it is. And for the new install we use a real macaroon.
macaroon_secret_key_param='# macaroon_secret_key: ""'
else
macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
fi
if [ $is_free_registration -eq 0 ]
then
allowed_access=False
sso_enabled=True
else
allowed_access=True
sso_enabled=False
fi
ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
#================================================= #=================================================
# SECURE FILES AND DIRECTORIES # SECURE FILES AND DIRECTORIES
#================================================= #=================================================
# Only setting permissions for the two config files updated above ynh_script_progression --message="Protecting directories..." --weight=3
chown $synapse_user:root -R /etc/matrix-$app set_permissions
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
#================================================= #=================================================
# RELOAD SERVICES # RELOAD SERVICES
#================================================= #=================================================
ynh_script_progression --message="Restarting Synapse services..." --weight=5 ynh_script_progression --message="Restarting Synapse services..." --weight=5
ynh_systemd_action --service_name=coturn-$app.service --action=restart ynh_systemd_action --service_name=$app-coturn.service --action=restart
ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300 ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
if ! yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
ynh_print_warn "Note yunohost won't be able to manage the required config for $server_name. So please add the needed DNS config as described on the documentation"
fi
ynh_script_progression --message="Change of URL completed for $app" --last ynh_script_progression --message="Change of URL completed for $app" --last

View file

@ -6,161 +6,28 @@
# IMPORT GENERIC HELPERS # IMPORT GENERIC HELPERS
#================================================= #=================================================
source ./_common.sh
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
# Stop script if errors ynh_app_config_validate() {
ynh_abort_if_errors # Depending of the status of the $enable_regirtration we should default value of the hidden fields
final_path=$(ynh_app_setting_get --app=$app --key=final_path) if $enable_registration; then
# Must enable password authentication when free registration is enabled as any user must be able to authenticate
get__max_upload_size() { password_enabled=true
max_upload_size=$(ynh_app_setting_get --app $app --key max_upload_size) else
echo "${max_upload_size}" registrations_require_3pid=email
allowed_local_3pids_email=''
allowed_local_3pids_msisdn=''
disable_msisdn_registration=true
fi
_ynh_app_config_validate
} }
set__max_upload_size() { ynh_app_config_apply() {
ynh_write_var_in_file --file=/etc/matrix-$app/homeserver.yaml --key=max_upload_size --value="${max_upload_size}" _ynh_app_config_apply
sed -i -r "s|client_max_body_size\s[[:digit:]]*[GMK]?;|client_max_body_size ${max_upload_size};|g" "/etc/nginx/conf.d/$domain.d/$app.conf" configure_nginx
ynh_add_nginx_conf configure_synapse
} set_permissions
get__registrations_require_3pid() {
registrations_require_3pid=$(ynh_app_setting_get --app $app --key registrations_require_3pid)
echo "${registrations_require_3pid}"
}
# set__registrations_require_3pid() this function is setting datas for registrations_require_3pid field and allowed_local_3pids_(email/msisdn)
# it consist on comment or not "registrations_require_3pid:", " - email" and/or " - msisdn"
# then depending on the "registrations_require_3pid" value it comment or not "allowed_local_3pids:" lines
# and generate all it sub configuration :
#
# allowed_local_3pids:
# - medium: email
# pattern: *
# ...
# - medium: msisdn
# pattern: *
#
# sed -z and \n as new line carracter do the trick on this kind of multline replacement.
set__registrations_require_3pid() {
# search pattern to replace (it correspond to the complete section)
allowedLocal3pids="s;#?([^\S\n]*allowed_local_3pids:)\n(#?([^\S\n]*-[^\S\n]*medium:[^\S\n]*(email|msisdn)\n)#?([^\S\n]*pattern:[^\S\n]*[^\n]*\n))*;"
case ${registrations_require_3pid} in
'email')
# registrations_require_3pid: part
sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|registrations_require_3pid:\n - email\n# - msisdn|" "/etc/matrix-$app/homeserver.yaml"
# allowed_local_3pids: part
allowedLocal3pids=${allowedLocal3pids}"\1"
readarray -td, arr3pidemail < <(echo ${allowed_local_3pids_email});
for pidemail in "${arr3pidemail[@]}"; do
# add it to regex substitution part
allowedLocal3pids=${allowedLocal3pids}"\n - medium: email";
allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidemail})'";
done;
;;
'msisdn')
# registrations_require_3pid: part
sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|registrations_require_3pid:\n# - email\n - msisdn|" "/etc/matrix-$app/homeserver.yaml"
# allowed_local_3pids: part
allowedLocal3pids=${allowedLocal3pids}"\1"
readarray -td, arr3pidmsisdn < <(echo ${allowed_local_3pids_msisdn});
for pidmsisdn in "${arr3pidmsisdn[@]}"; do
# add it to regex substitution part
allowedLocal3pids=${allowedLocal3pids}"\n - medium: msisdn";
allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidmsisdn})'";
done;
;;
'email&msisdn')
# registrations_require_3pid: part
sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|registrations_require_3pid:\n - email\n - msisdn|" "/etc/matrix-$app/homeserver.yaml"
# allowed_local_3pids: part
allowedLocal3pids=${allowedLocal3pids}"\1"
readarray -td, arr3pidemail < <(echo ${allowed_local_3pids_email});
for pidemail in "${arr3pidemail[@]}"; do
# add it to regex substitution part
allowedLocal3pids=${allowedLocal3pids}"\n - medium: email";
allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidemail})'";
done;
readarray -td, arr3pidmsisdn < <(echo ${allowed_local_3pids_msisdn});
for pidmsisdn in "${arr3pidmsisdn[@]}"; do
# add it to regex substitution part
allowedLocal3pids=${allowedLocal3pids}"\n - medium: msisdn";
allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidmsisdn})'";
done;
;;
*)
sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|#registrations_require_3pid:\n# - email\n# - msisdn|" "/etc/matrix-$app/homeserver.yaml"
# empty fields and comment registration
allowedLocal3pids=${allowedLocal3pids}"#\1"
;;
esac
# finalize regex then apply sed command on the homeserver conf file
allowedLocal3pids="${allowedLocal3pids}\n;";
sed -i -z -r "${allowedLocal3pids}" "/etc/matrix-$app/homeserver.yaml"
ynh_app_setting_set --app=$app --key=registrations_require_3pid --value="${registrations_require_3pid}"
}
get__allowed_local_3pids_email() {
allowed_local_3pids_email=$(ynh_app_setting_get --app $app --key allowed_local_3pids_email)
echo "${allowed_local_3pids_email}"
}
set__allowed_local_3pids_email() {
set__registrations_require_3pid;
ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value="${allowed_local_3pids_email}"
}
get__allowed_local_3pids_msisdn() {
allowed_local_3pids_msisdn=$(ynh_app_setting_get --app $app --key allowed_local_3pids_msisdn)
echo "${allowed_local_3pids_msisdn}"
}
set__allowed_local_3pids_msisdn() {
set__registrations_require_3pid;
ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value="${allowed_local_3pids_msisdn}"
}
get__auto_join_rooms() {
auto_join_rooms=$(ynh_app_setting_get --app $app --key auto_join_rooms)
auto_join_rooms=$(echo ${auto_join_rooms} | sed "s~(\\\\)*\#~\\\\\#~g")
echo "${auto_join_rooms}"
}
set__auto_join_rooms() {
if [ -z ${auto_join_rooms} ] ; then
# remove all values comment header and example value
sed -i -z -r "s|#?([^\S\n]*auto_join_rooms:\n)#?([^\S\n]*-[^\n]*\n)*|#\1# - \"#example:example.com\"\n|" "/etc/matrix-$app/homeserver.yaml"
else
readarray -td, arrroom < <(echo ${auto_join_rooms});
# print header then all space separated values
autoJoinRooms="s|#?([^\S\n]*auto_join_rooms:)\n(#?[^\S\n]*-[^\n]*\n)*|\1";
for room in "${arrroom[@]}"; do
autoJoinRooms="${autoJoinRooms}\n - '$(echo ${room})'";
done;
autoJoinRooms="${autoJoinRooms}\n|";
sed -i -z -r "${autoJoinRooms}" "/etc/matrix-$app/homeserver.yaml"
fi
ynh_app_setting_set --app=$app --key=auto_join_rooms --value="${auto_join_rooms}"
} }
#================================================= #=================================================

View file

@ -1,141 +0,0 @@
#!/bin/bash
# Send an email to inform the administrator
#
# usage: ynh_send_readme_to_admin --app_message=app_message [--recipients=recipients] [--type=type]
# | arg: -m --app_message= - The file with the content to send to the administrator.
# | arg: -r, --recipients= - The recipients of this email. Use spaces to separate multiples recipients. - default: root
# example: "root admin@domain"
# If you give the name of a YunoHost user, ynh_send_readme_to_admin will find its email adress for you
# example: "root admin@domain user1 user2"
# | arg: -t, --type= - Type of mail, could be 'backup', 'change_url', 'install', 'remove', 'restore', 'upgrade'
ynh_send_readme_to_admin() {
# Declare an array to define the options of this helper.
declare -Ar args_array=( [m]=app_message= [r]=recipients= [t]=type= )
local app_message
local recipients
local type
# Manage arguments with getopts
ynh_handle_getopts_args "$@"
app_message="${app_message:-}"
recipients="${recipients:-root}"
type="${type:-install}"
# Get the value of admin_mail_html
admin_mail_html=$(ynh_app_setting_get $app admin_mail_html)
admin_mail_html="${admin_mail_html:-0}"
# Retrieve the email of users
find_mails () {
local list_mails="$1"
local mail
local recipients=" "
# Read each mail in argument
for mail in $list_mails
do
# Keep root or a real email address as it is
if [ "$mail" = "root" ] || echo "$mail" | grep --quiet "@"
then
recipients="$recipients $mail"
else
# But replace an user name without a domain after by its email
if mail=$(ynh_user_get_info "$mail" "mail" 2> /dev/null)
then
recipients="$recipients $mail"
fi
fi
done
echo "$recipients"
}
recipients=$(find_mails "$recipients")
# Subject base
local mail_subject="☁️🆈🅽🅷☁️: \`$app\`"
# Adapt the subject according to the type of mail required.
if [ "$type" = "backup" ]; then
mail_subject="$mail_subject has just been backup."
elif [ "$type" = "change_url" ]; then
mail_subject="$mail_subject has just been moved to a new URL!"
elif [ "$type" = "remove" ]; then
mail_subject="$mail_subject has just been removed!"
elif [ "$type" = "restore" ]; then
mail_subject="$mail_subject has just been restored!"
elif [ "$type" = "upgrade" ]; then
mail_subject="$mail_subject has just been upgraded!"
else # install
mail_subject="$mail_subject has just been installed!"
fi
local mail_message="This is an automated message from your beloved YunoHost server.
Specific information for the application $app.
$(if [ -n "$app_message" ]
then
cat "$app_message"
else
echo "...No specific information..."
fi)
---
Automatic diagnosis data from YunoHost
__PRE_TAG1__$(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')__PRE_TAG2__"
# Store the message into a file for further modifications.
echo "$mail_message" > mail_to_send
# If a html email is required. Apply html tags to the message.
if [ "$admin_mail_html" -eq 1 ]
then
# Insert 'br' tags at each ending of lines.
ynh_replace_string "$" "<br>" mail_to_send
# Insert starting HTML tags
sed --in-place '1s@^@<!DOCTYPE html>\n<html>\n<head></head>\n<body>\n@' mail_to_send
# Keep tabulations
ynh_replace_string " " "\&#160;\&#160;" mail_to_send
ynh_replace_string "\t" "\&#160;\&#160;" mail_to_send
# Insert url links tags
ynh_replace_string "__URL_TAG1__\(.*\)__URL_TAG2__\(.*\)__URL_TAG3__" "<a href=\"\2\">\1</a>" mail_to_send
# Insert pre tags
ynh_replace_string "__PRE_TAG1__" "<pre>" mail_to_send
ynh_replace_string "__PRE_TAG2__" "<\pre>" mail_to_send
# Insert finishing HTML tags
echo -e "\n</body>\n</html>" >> mail_to_send
# Otherwise, remove tags to keep a plain text.
else
# Remove URL tags
ynh_replace_string "__URL_TAG[1,3]__" "" mail_to_send
ynh_replace_string "__URL_TAG2__" ": " mail_to_send
# Remove PRE tags
ynh_replace_string "__PRE_TAG[1-2]__" "" mail_to_send
fi
# Define binary to use for mail command
if [ -e /usr/bin/bsd-mailx ]
then
local mail_bin=/usr/bin/bsd-mailx
else
local mail_bin=/usr/bin/mail.mailutils
fi
if [ "$admin_mail_html" -eq 1 ]
then
content_type="text/html"
else
content_type="text/plain"
fi
# Send the email to the recipients
cat mail_to_send | $mail_bin -a "Content-Type: $content_type; charset=UTF-8" -s "$mail_subject" "$recipients"
}

View file

@ -1,7 +1,5 @@
#!/bin/bash #!/bin/bash
#=================================================
# GENERIC START
#================================================= #=================================================
# IMPORT GENERIC HELPERS # IMPORT GENERIC HELPERS
#================================================= #=================================================
@ -10,107 +8,52 @@ source _common.sh
source experimental_helper.sh source experimental_helper.sh
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
#=================================================
# MANAGE SCRIPT FAILURE
#=================================================
ynh_clean_setup () {
# Clean installation remainings that are not handled by the remove script.
ynh_clean_check_starting
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# SET CONSTANTS
#=================================================
synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_user_app_pwd="$(ynh_string_random --length=30)"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version)
report_stats="false"
e2e_enabled_by_default="off"
default_domain_value="Same than the domain"
domain_whitelist_client_=$(get_domain_list)
domain_whitelist_client=${domain_whitelist_client_%"\n"}
#================================================= #=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST # RETRIEVE ARGUMENTS FROM THE MANIFEST
#================================================= #=================================================
domain=$YNH_APP_ARG_DOMAIN if [ "$server_name" == "Same than the domain" ]; then
server_name=$YNH_APP_ARG_SERVER_NAME
is_free_registration=$YNH_APP_ARG_IS_FREE_REGISTRATION
jitsi_server=$YNH_APP_ARG_JITSI_SERVER
path_url="/_matrix"
final_path="/opt/yunohost/matrix-$app"
final_www_path="/var/www/$app"
data_path="/home/yunohost.app/matrix-$app"
main_domain=$(yunohost domain list --output-as json | jq -r .main)
if [[ "$server_name" == "$default_domain_value" ]]; then
server_name=$domain server_name=$domain
ynh_app_setting_set --app=$app --key=server_name --value=$server_name
fi fi
#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
ynh_script_progression --message="Validating installation parameters..." --weight=2
test ! -e "/etc/nginx/conf.d/$domain.d/synapse*.conf" || ynh_die --message="$domain is not available as domain, please use an other domain."
# Check Final Path availability
test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
if [ -e "$data_path" ]; then
old_data_dir_path="$data_path$(date '+%Y%m%d.%H%M%S')"
ynh_print_warn "A data directory already exist. Data was renamed to $old_data_dir_path"
mv "$data_path" "$old_data_dir_path"
fi
#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
ynh_script_progression --message="Storing installation settings..." --weight=1
ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=server_name --value=$server_name
ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
ynh_app_setting_set --app=$app --key=synapse_version --value=$upstream_version
ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
ynh_app_setting_set --app=$app --key=synapse_user_app_pwd --value=$synapse_user_app_pwd
if [ "$is_free_registration" -eq "0" ]
then
enable_registration="false"
turn_allow_guests="false"
sso_enabled="true"
password_enabled="false"
enable_3pid_lookup="false"
else
enable_registration="true"
turn_allow_guests="true"
sso_enabled="false"
password_enabled="true"
enable_3pid_lookup="true"
fi
ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
ynh_app_setting_set --app=$app --key=turn_allow_guests --value=$turn_allow_guests
ynh_app_setting_set --app=$app --key=sso_enabled --value=$sso_enabled
ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
#================================================= #=================================================
## SET STANDARD SETTINGS FROM DEFAULT CONFIG ## SET STANDARD SETTINGS FROM DEFAULT CONFIG
#================================================= #=================================================
ynh_script_progression --message="Storing installation settings..." --weight=1
report_stats="false"
e2e_enabled_by_default="off"
allow_public_rooms_without_auth="false"
allow_public_rooms_over_federation="false"
max_upload_size="100M"
disable_msisdn_registration="true"
registrations_require_3pid=email
allowed_local_3pids_email=""
allowed_local_3pids_msisdn=""
allow_guest_access="false"
account_threepid_delegates_msisdn=""
default_identity_server="https://matrix.org"
auto_join_rooms=""
autocreate_auto_join_rooms="false"
auto_join_rooms_for_guests="true"
enable_notifs="true"
notif_for_new_users="true"
enable_group_creation="true"
push_include_content="true"
enable_3pid_lookup=false
enable_dtls_for_audio_video_turn_call=true
if [ "$is_free_registration" -eq 0 ]
then
enable_registration="false"
password_enabled="false"
else
enable_registration="true"
password_enabled="true"
fi
element_ynh_url="https://matrix.to/" element_ynh_url="https://matrix.to/"
# Get app name of first Element Instance (can be changed later in Config Panel) # Get app name of first Element Instance (can be changed later in Config Panel)
element_instance="element" element_instance="element"
@ -123,30 +66,8 @@ web_client_location=$element_ynh_url
client_base_url=$element_ynh_url client_base_url=$element_ynh_url
invite_client_location=$element_ynh_url invite_client_location=$element_ynh_url
backup_before_upgrade="true" ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
server_statistics="false" ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
allow_public_rooms_without_auth="false"
allow_public_rooms_over_federation="false"
max_upload_size="10M"
disable_msisdn_registration="true"
registrations_require_3pid="none"
# here we need sed magic to transform $server_name
allowed_local_3pids_email=""
allowed_local_3pids_msisdn=""
allow_guest_access="false"
account_threepid_delegates_msisdn=""
default_identity_server="https://matrix.org"
auto_join_rooms="#auto_join_room:""$server_name"
autocreate_auto_join_rooms="false"
auto_join_rooms_for_guests="true"
password_enabled="true"
enable_notifs="true"
notif_for_new_users="true"
enable_group_creation="true"
push_include_content="true"
ynh_app_setting_set --app=$app --key=backup_before_upgrade --value=$backup_before_upgrade
ynh_app_setting_set --app=$app --key=server_statistics --value=$server_statistics
ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location
ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url
ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location
@ -168,33 +89,23 @@ ynh_app_setting_set --app=$app --key=enable_notifs --value=$enable_notifs
ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users
ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation
ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
#================================================= #=================================================
# STANDARD MODIFICATIONS # STANDARD MODIFICATIONS
#================================================= #=================================================
# FIND AND OPEN A PORT # Check datadir empty
#================================================= #=================================================
ynh_script_progression --message="Configuring firewall..." --weight=19
# Find a free port if [ -n "$(ls -A $data_dir)" ]; then
synapse_tls_port=$(ynh_find_port --port=8448) old_data_dir_path="${data_dir}_$(date '+%Y%m%d.%H%M%S')"
port=$(ynh_find_port --port=8008) ynh_print_warn "Data directory was not empty. Data was moved to $old_data_dir_path"
turnserver_tls_port=$(ynh_find_port --port=5349) mkdir -p $old_data_dir_path
turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1))) mv -t "$old_data_dir_path" "$data_dir"/*
cli_port=$(ynh_find_port --port=5766) fi
# Open this port
ynh_exec_warn_less yunohost firewall allow TCP $synapse_tls_port
ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
# Store opened ports
ynh_app_setting_set --app=$app --key=synapse_port --value=$port
ynh_app_setting_set --app=$app --key=synapse_tls_port --value=$synapse_tls_port
ynh_app_setting_set --app=$app --key=turnserver_tls_port --value=$turnserver_tls_port
ynh_app_setting_set --app=$app --key=turnserver_alt_tls_port --value=$turnserver_alt_tls_port
ynh_app_setting_set --app=$app --key=cli_port --value=$cli_port
#================================================= #=================================================
# CREATE A DH FILE # CREATE A DH FILE
@ -207,49 +118,26 @@ ynh_script_progression --message="Creating a dh file..." --weight=3
# Make dh cert for synapse if it doesn't exist # Make dh cert for synapse if it doesn't exist
if [ ! -e /etc/ssl/private/dh2048.pem ] if [ ! -e /etc/ssl/private/dh2048.pem ]
then then
ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -dsaparam 2048
chown root:ssl-cert /etc/ssl/private/dh2048.pem chown root:ssl-cert /etc/ssl/private/dh2048.pem
chmod 640 /etc/ssl/private/dh2048.pem chmod 640 /etc/ssl/private/dh2048.pem
fi fi
#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Installing dependencies..." --weight=80
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
# For any update do it in all files
ynh_exec_warn_less ynh_install_app_dependencies $dependances
#================================================= #=================================================
# CREATE DEDICATED USER # CREATE DEDICATED USER
#================================================= #=================================================
ynh_script_progression --message="Configuring system user..." --weight=3 ynh_script_progression --message='Configuring system groups'
ynh_system_user_create --username=$synapse_user --home_dir=$final_path adduser $app ssl-cert
# The format to create an user account varies depending on the version of YunoHost currently installed.
ynh_current_version=$(dpkg-query --showformat='${Version}' --show yunohost)
if $(dpkg --compare-versions "$ynh_current_version" ge "11.1"); then
yunohost user create $synapse_user_app -F "Synapse Application" -d $domain -p "$synapse_user_app_pwd"
else
yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
fi
adduser $synapse_user ssl-cert
adduser turnserver ssl-cert adduser turnserver ssl-cert
#================================================= #=================================================
# CREATE A POSTGRESQL DATABASE # FIX DB CONFIG
#================================================= #=================================================
ynh_script_progression --message="Creating a PostgreSQL database..." --weight=4 ynh_script_progression --message="Fixing database type..." --weight=1
synapse_db_pwd=$(ynh_string_random --length=30)
ynh_app_setting_set --app=$app --key=synapse_db_pwd --value=$synapse_db_pwd
# Create postgresql database
ynh_psql_test_if_first_run
ynh_psql_create_user $synapse_db_user $synapse_db_pwd
ynh_psql_execute_as_root \ ynh_psql_execute_as_root \
--sql="CREATE DATABASE $synapse_db_name ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $synapse_db_user;" --sql="update pg_database set datcollate='C', datctype='C' where datname='$db_name';"
#================================================= #=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE # DOWNLOAD, CHECK AND UNPACK SOURCE
@ -260,7 +148,6 @@ ynh_script_progression --message="Setting up source files..." --weight=50
# WARNING : theses command are used in INSTALL, UPGRADE # WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files # For any update do it in all files
mkdir -p $data_path
mkdir -p /var/log/matrix-$app mkdir -p /var/log/matrix-$app
mkdir -p /etc/matrix-$app/conf.d mkdir -p /etc/matrix-$app/conf.d
mkdir -p /etc/matrix-$app/app-service mkdir -p /etc/matrix-$app/app-service
@ -275,10 +162,9 @@ install_sources
# WARNING : theses command are used in INSTALL, UPGRADE # WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files # For any update do it in all files
mkdir -p $final_www_path cp ../sources/cas_server.php $install_dir/
cp ../sources/cas_server.php $final_www_path/ chmod u=rwX,g=rX,o= -R $install_dir
chmod u=rwX,g=rX,o= -R $final_www_path chown $app:$app -R $install_dir
chown $synapse_user:root -R $final_www_path
#================================================= #=================================================
# CREATE SYNAPSE CONFIG # CREATE SYNAPSE CONFIG
@ -286,18 +172,8 @@ chown $synapse_user:root -R $final_www_path
ynh_script_progression --message="Creating Synapse config..." --weight=3 ynh_script_progression --message="Creating Synapse config..." --weight=3
# Go in virtualenvironnement
set +u;
source $final_path/bin/activate
set -u;
# Generate config # Generate config
python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --server-name $server_name --report-stats=no -c homeserver.yml $code_dir/bin/python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --server-name $server_name --report-stats=no -c homeserver.yml
# This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
set +u;
deactivate
set -u;
# Get random values from config # Get random values from config
registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2) registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
@ -315,11 +191,10 @@ ynh_app_setting_set --app=$app --key=macaroon_secret_key --value="$macaroon_secr
ynh_script_progression --message="Configuring a systemd service..." --weight=2 ynh_script_progression --message="Configuring a systemd service..." --weight=2
# Create systemd service for synapse and turnserver # Create systemd service for synapse and turnserver
cp ../conf/default_matrix-synapse /etc/default/matrix-$app ynh_add_systemd_config --service=$app --template=synapse.service
ynh_add_systemd_config --service=matrix-$app --template=matrix-synapse.service
cp ../conf/default_coturn /etc/default/coturn-$app cp ../conf/default_coturn /etc/matrix-$app/coturn_env
ynh_add_systemd_config --service=coturn-$app --template=coturn-synapse.service ynh_add_systemd_config --service=$app-coturn --template=synapse-coturn.service
#================================================= #=================================================
# NGINX CONFIGURATION # NGINX CONFIGURATION
@ -330,19 +205,8 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=2
ynh_script_progression --message="Configuring application..." ynh_script_progression --message="Configuring application..."
ynh_add_fpm_config --usage=low --footprint=low ynh_add_fpm_config --usage=low --footprint=low
sed -i "s|user\s*=\s*$app|user = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
sed -i "s|group\s*=\s*$app|group = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
sed -i "s|chdir\s*=\s*/opt/yunohost/matrix-synapse.*|chdir = $final_www_path|g" /etc/php/7.*/fpm/pool.d/$app.conf
ynh_store_file_checksum --file=$(ls /etc/php/7.*/fpm/pool.d/$app.conf)
# Create .well-known redirection for access by federation configure_nginx
if yunohost --output-as plain domain list | grep -q "^$server_name$"
then
ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
fi
# Create a dedicated nginx config
ynh_add_nginx_config app
#================================================= #=================================================
# SET SYNAPSE CONFIG # SET SYNAPSE CONFIG
@ -353,41 +217,14 @@ ynh_script_progression --message="Configuring Synapse..." --weight=2
turnserver_pwd=$(ynh_string_random --length=30) turnserver_pwd=$(ynh_string_random --length=30)
ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
# Configure Synapse configure_synapse
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
# For any update do it in all files
macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
#================================================= #=================================================
# SET COTURN CONFIG # SET COTURN CONFIG
#================================================= #=================================================
ynh_script_progression --message="Configuring Coturn..." --weight=1 ynh_script_progression --message="Configuring Coturn..." --weight=1
# WARNING : theses command are used in INSTALL, UPGRADE configure_coturn
# For any update do it in all files
# Get public IP and set as external IP for coturn
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
public_ip4="$(curl -s ip.yunohost.org)" || true
public_ip6="$(curl -s ipv6.yunohost.org)" || true
turn_external_ip=""
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
then
turn_external_ip+="external-ip="$public_ip4%"\n"
fi
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
then
turn_external_ip+="external-ip="$public_ip6%"\n"
fi
ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
#================================================= #=================================================
# SETUP LOGROTATE # SETUP LOGROTATE
@ -403,29 +240,24 @@ ynh_use_logrotate --logfile "/var/log/matrix-$app"
# WARNING : theses command are used in INSTALL, UPGRADE # WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files # For any update do it in all files
ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh" ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$code_dir/Coturn_config_rotate.sh"
ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh" ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$code_dir/update_synapse_for_appservice.sh"
ynh_add_config --template=../sources/set_admin_user.sh --destination=$code_dir/set_admin_user.sh
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION
#================================================= #=================================================
# SETUP PERMISSIONS # SETUP PERMISSIONS
#================================================= #=================================================
ynh_script_progression --message="Configuring permissions..." --weight=1 ynh_script_progression --message="Configuring permissions..." --weight=1
ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
ynh_permission_update --permission=main --show_tile=false --protected=true
ynh_permission_create --permission=server_api --url=$domain/_matrix \
--label="Server access for client apps." --show_tile=false --allowed=visitors \
--auth_header=false --protected=true
ynh_permission_create --permission=admin_api --url=$domain/_synapse \
--label="Server administration API." --show_tile=false \
--auth_header=false --allowed=visitors
if yunohost --output-as plain domain list | grep -q "^$server_name$"; then if yunohost --output-as plain domain list | grep -q "^$server_name$"; then
ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \ ynh_""permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
--label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \ --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
--auth_header=false --protected=true --auth_header=false --protected=true
else
ynh_print_warn "Note yunohost won't be able to manage the required config for $server_name. So please add the needed DNS config as described on the documentation"
fi fi
#================================================= #=================================================
@ -441,69 +273,31 @@ ynh_replace_string __DOMAIN__ $domain ../hooks/post_cert_update
# SECURE FILES AND DIRECTORIES # SECURE FILES AND DIRECTORIES
#================================================= #=================================================
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE ynh_script_progression --message="Protecting directories..." --weight=3
# For any update do it in all files set_permissions data
chown $synapse_user:root -R $final_path
chmod 770 $final_path/Coturn_config_rotate.sh
chmod 700 $final_path/update_synapse_for_appservice.sh
chown $synapse_user:root -R $data_path
chown $synapse_user:root -R /var/log/matrix-$app
chown $synapse_user:root -R /etc/matrix-$app
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
chmod 600 /etc/matrix-$app/$server_name.signing.key
setfacl -R -m user:turnserver:rX /etc/matrix-$app
setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
#================================================= #=================================================
# ADVERTISE SERVICE IN ADMIN PANEL # ADVERTISE SERVICE IN ADMIN PANEL
#================================================= #=================================================
yunohost service add matrix-$app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $synapse_tls_port yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.'
yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.'
#================================================= #=================================================
# RELOAD SERVICES # RELOAD SERVICES
#================================================= #=================================================
ynh_script_progression --message="Restarting Synapse services..." --weight=11 ynh_script_progression --message="Restarting Synapse services..." --weight=11
ynh_systemd_action --service_name=coturn-$app.service --action=restart ynh_systemd_action --service_name=$app-coturn.service --action=restart
ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300 ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
#================================================= #=================================================
# SETUP FAIL2BAN # SETUP FAIL2BAN
#================================================= #=================================================
ynh_script_progression --message="Configuring Fail2Ban..." --weight=10 ynh_script_progression --message="Configuring Fail2Ban..." --weight=10
# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
ynh_add_fail2ban_config --use_template ynh_add_fail2ban_config --use_template
#=================================================
# SEND A README FOR THE ADMIN
#=================================================
# WARNING : theses command are used in INSTALL, RESTORE
# For any update do it in all files
echo "If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
If not, you may need to put the following line in the dns configuration:
_matrix._tcp.$domain. 3600 IN SRV 10 0 $synapse_tls_port $domain.
For more details, see : https://github.com/matrix-org/synapse#setting-up-federation
You also need to open the TCP port $synapse_tls_port on your ISP box if it's not automatically done.
Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .
If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en" > mail_to_send
ynh_send_readme_to_admin --app_message="mail_to_send" --type="install"
#================================================= #=================================================
# END OF SCRIPT # END OF SCRIPT
#================================================= #=================================================

View file

@ -0,0 +1,106 @@
diff --git a/ldap_auth_provider.py b/ldap_auth_provider.py
index 3646948..96296b6 100644
--- a/ldap_auth_provider.py
+++ b/ldap_auth_provider.py
@@ -373,9 +373,12 @@ class LdapAuthProvider:
],
)
+ # LDAP Filter anonymous user Applied
ldap_config = _LdapConfig(
enabled=config.get("enabled", False),
- mode=LDAPMode.SIMPLE,
+ mode=LDAPMode.SEARCH
+ if config.get("mode", "simple") == "search"
+ else LDAPMode.SIMPLE,
uri=config["uri"],
start_tls=config.get("start_tls", False),
tls_options=config.get("tls_options"),
@@ -403,6 +406,8 @@ class LdapAuthProvider:
raise ValueError(
"Either bind_password or bind_password_file must be set!"
)
+
+ if ldap_config.mode == LDAPMode.SEARCH:
ldap_config.filter = config.get("filter", None)
# verify attribute lookup
@@ -461,13 +466,16 @@ class LdapAuthProvider:
server = self._get_server(get_info=ldap3.DSA)
if self.ldap_bind_dn is None or self.ldap_bind_password is None:
- raise ValueError("Missing bind DN or bind password")
-
- result, conn = await self._ldap_simple_bind(
- server=server,
- bind_dn=self.ldap_bind_dn,
- password=self.ldap_bind_password,
- )
+ result, conn = await self._ldap_simple_bind(
+ server=server,
+ auth_type=ldap3.ANONYMOUS,
+ )
+ else:
+ result, conn = await self._ldap_simple_bind(
+ server=server,
+ bind_dn=self.ldap_bind_dn,
+ password=self.ldap_bind_password,
+ )
if not result:
logger.warning("Unable to get root domain due to failed LDAP bind")
@@ -503,7 +511,11 @@ class LdapAuthProvider:
return self.ldap_root_domain
async def _ldap_simple_bind(
- self, server: ldap3.ServerPool, bind_dn: str, password: str
+ self,
+ server: ldap3.ServerPool,
+ bind_dn: Optional[str] = None,
+ password: Optional[str] = None,
+ auth_type: str = ldap3.SIMPLE,
) -> Tuple[bool, Optional[ldap3.Connection]]:
"""Attempt a simple bind with the credentials given by the user against
the LDAP server.
@@ -513,6 +525,8 @@ class LdapAuthProvider:
Returns False, None
if an error occured
"""
+ if (bind_dn is None or password is None) and auth_type == ldap3.SIMPLE:
+ raise ValueError("Missing bind DN or bind password")
try:
# bind with the the local user's ldap credentials
@@ -521,7 +535,7 @@ class LdapAuthProvider:
server,
bind_dn,
password,
- authentication=ldap3.SIMPLE,
+ authentication=auth_type,
read_only=True,
)
logger.debug("Established LDAP connection in simple bind mode: %s", conn)
@@ -578,13 +592,16 @@ class LdapAuthProvider:
try:
if self.ldap_bind_dn is None or self.ldap_bind_password is None:
- raise ValueError("Missing bind DN or bind password")
-
- result, conn = await self._ldap_simple_bind(
- server=server,
- bind_dn=self.ldap_bind_dn,
- password=self.ldap_bind_password,
- )
+ result, conn = await self._ldap_simple_bind(
+ server=server,
+ auth_type=ldap3.ANONYMOUS,
+ )
+ else:
+ result, conn = await self._ldap_simple_bind(
+ server=server,
+ bind_dn=self.ldap_bind_dn,
+ password=self.ldap_bind_password,
+ )
if not result:
return (False, None, None)

View file

@ -10,32 +10,6 @@ source _common.sh
source experimental_helper.sh source experimental_helper.sh
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --weight=3
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
#=================================================
# SET CONSTANTS
#=================================================
synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version)
final_www_path="/var/www/$app"
#================================================= #=================================================
# STANDARD REMOVE # STANDARD REMOVE
#================================================= #=================================================
@ -43,51 +17,25 @@ final_www_path="/var/www/$app"
#================================================= #=================================================
# Remove a service from the admin panel, added by `yunohost service add` # Remove a service from the admin panel, added by `yunohost service add`
if yunohost service status matrix-$app >/dev/null 2>&1 yunohost service remove $app
then yunohost service remove $app-coturn
yunohost service remove matrix-$app
fi
if yunohost service status coturn-$app >/dev/null 2>&1
then
yunohost service remove coturn-$app
fi
#================================================= #=================================================
# STOP AND REMOVE SERVICE # STOP AND REMOVE SERVICE
#================================================= #=================================================
ynh_script_progression --message="Stopping and removing the systemd service" --weight=2 ynh_script_progression --message="Stopping and removing the systemd service" --weight=2
ynh_remove_systemd_config --service=matrix-$app ynh_remove_systemd_config --service=$app
ynh_remove_systemd_config --service=coturn-$app ynh_remove_systemd_config --service=$app-coturn
#=================================================
# REMOVE THE POSTGRESQL DATABASE
#=================================================
ynh_script_progression --message="Removing the PostgreSQL database" --weight=2
# Remove a database if it exists, along with the associated user
ynh_psql_remove_db --db_user=$synapse_db_name --db_name=$synapse_db_user
#=================================================
# REMOVE DEPENDENCIES
#=================================================
ynh_script_progression --message="Removing dependencies" --weight=15
# Remove metapackage and its dependencies
ynh_remove_app_dependencies
#================================================= #=================================================
# REMOVE APP MAIN DIR # REMOVE APP MAIN DIR
#================================================= #=================================================
ynh_script_progression --message="Removing app main directory" --weight=2 ynh_script_progression --message="Removing app main directory" --weight=2
ynh_secure_remove --file=$final_path ynh_secure_remove --file=$code_dir
ynh_secure_remove --file=$final_www_path
ynh_secure_remove --file=/var/log/matrix-$app ynh_secure_remove --file=/var/log/matrix-$app
ynh_secure_remove --file=/etc/matrix-$app ynh_secure_remove --file=/etc/matrix-$app
ynh_secure_remove --file=/etc/default/matrix-$app
ynh_secure_remove --file=/etc/default/coturn-$app
ynh_secure_remove --file=/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf ynh_secure_remove --file=/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
#================================================= #=================================================
@ -109,23 +57,6 @@ ynh_script_progression --message="Removing logrotate configuration" --weight=1
# Remove the app-specific logrotate config # Remove the app-specific logrotate config
ynh_remove_logrotate ynh_remove_logrotate
#=================================================
# CLOSE A PORT
#=================================================
closeport() {
local port=$1
if yunohost firewall list | grep -q "\- $port$"
then
ynh_script_progression --message="Closing port $port"
ynh_exec_warn_less yunohost firewall disallow Both $port
fi
}
closeport $synapse_tls_port
closeport $turnserver_tls_port
closeport $turnserver_alt_tls_port
#================================================= #=================================================
# REMOVE FAIL2BAN CONFIGURATION # REMOVE FAIL2BAN CONFIGURATION
#================================================= #=================================================
@ -137,18 +68,6 @@ ynh_remove_fail2ban_config
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION
#================================================= #=================================================
# REMOVE DEDICATED USER
#=================================================
ynh_script_progression --message="Removing the dedicated system user" --weight=1
# Delete a system user
ynh_system_user_delete --username=$synapse_user
yunohost user delete $synapse_user_app
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info --message="Due of the backup core only feature the data directory in '/home/yunohost.app/matrix-$app' was not removed. It need to be removed manually to purge app user data."
ynh_script_progression --message="Removal of $app completed" --last ynh_script_progression --message="Removal of $app completed" --last
sleep 1 sleep 1

View file

@ -1,39 +0,0 @@
import json
import sys
with open("/etc/ssowat/" + "conf.json.persistent", "r", encoding='utf-8') as jsonFile:
data = json.load(jsonFile)
for domain in ("", sys.argv[1], sys.argv[2]):
for path in ("/_matrix", "/.well-known/matrix/", "/_matrix/cas_server.php/login"):
url = domain + path
try:
uri_list = data["skipped_urls"]
while url in uri_list:
uri_list.remove(url)
except:
pass
try:
uri_list = data["protected_urls"]
while url in uri_list:
uri_list.remove(url)
except:
pass
try:
uri_list = data["permissions"]["custom_protected"]["uris"]
while url in uri_list:
uri_list.remove(url)
except:
pass
try:
uri_list = data["permissions"]["custom_skipped"]["uris"]
while url in uri_list:
uri_list.remove(url)
except:
pass
with open("/etc/ssowat/" + "conf.json.persistent", "w", encoding='utf-8') as jsonFile:
jsonFile.write(json.dumps(data, indent=4, sort_keys=True))

View file

@ -11,85 +11,28 @@ source ../settings/scripts/_common.sh
source ../settings/scripts/experimental_helper.sh source ../settings/scripts/experimental_helper.sh
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
#=================================================
# MANAGE SCRIPT FAILURE
#=================================================
ynh_clean_setup () {
# Clean installation remainings that are not handled by the remove script.
ynh_clean_check_starting
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#================================================= #=================================================
# LOAD SETTINGS # LOAD SETTINGS
#================================================= #=================================================
ynh_script_progression --message="Loading settings..." ynh_script_progression --message="Loading settings..."
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
main_domain=$(yunohost domain list --output-as json | jq -r .main)
#=================================================
# SET ALL CONSTANT
#=================================================
synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version)
final_www_path="/var/www/$app"
data_path="/home/yunohost.app/matrix-$app"
#=================================================
# CHECK IF THE APP CAN BE RESTORED
#=================================================
ynh_script_progression --message="Validating restoration parameters..." --weight=2
test ! -d $final_path \
|| ynh_die --message="There is already a directory: $final_path "
#=================================================
# STANDARD RESTORATION STEPS
#=================================================
# REINSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Reinstalling dependencies..." --weight=70
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
# For any update do it in all files
ynh_exec_warn_less ynh_install_app_dependencies $dependances
#================================================= #=================================================
# RECREATE THE DEDICATED USER # RECREATE THE DEDICATED USER
#================================================= #=================================================
ynh_script_progression --message="Recreating the dedicated system user..." --weight=3 ynh_script_progression --message='Configuring system groups'
# Create the dedicated user (if not existing) # Create the dedicated user (if not existing)
ynh_system_user_create --username=$synapse_user --home_dir=$final_path adduser $app ssl-cert
# The format to create an user account varies depending on the version of YunoHost currently installed.
ynh_current_version=$(dpkg-query --showformat='${Version}' --show yunohost)
if $(dpkg --compare-versions "$ynh_current_version" ge "11.1"); then
yunohost user create $synapse_user_app -F "Synapse Application" -d $domain -p "$synapse_user_app_pwd"
else
yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
fi
adduser $synapse_user ssl-cert
adduser turnserver ssl-cert adduser turnserver ssl-cert
#=================================================
# FIX DB CONFIG
#=================================================
ynh_script_progression --message="Fixing database type..." --weight=1
ynh_psql_execute_as_root \
--sql="update pg_database set datcollate='C', datctype='C' where datname='$db_name';"
#================================================= #=================================================
# RESTORE ALL CONFIG AND DATA # RESTORE ALL CONFIG AND DATA
#================================================= #=================================================
@ -115,16 +58,7 @@ ynh_systemd_action --action=restart --service_name=fail2ban
#================================================= #=================================================
ynh_script_progression --message="Restoring the PostgreSQL database..." --weight=13 ynh_script_progression --message="Restoring the PostgreSQL database..." --weight=13
ynh_psql_test_if_first_run ynh_psql_execute_file_as_root --file="${YNH_CWD}/dump.sql" --database="$db_name"
ynh_psql_create_user $synapse_db_user $synapse_db_pwd
ynh_psql_execute_as_root \
--sql="CREATE DATABASE $synapse_db_name
ENCODING 'UTF8'
LC_COLLATE='C'
LC_CTYPE='C'
template=template0
OWNER $synapse_db_user;"
ynh_psql_execute_file_as_root --file="${YNH_CWD}/dump.sql" --database="$synapse_db_name"
#================================================= #=================================================
# RESTORE SYSTEMD # RESTORE SYSTEMD
@ -132,15 +66,15 @@ ynh_psql_execute_file_as_root --file="${YNH_CWD}/dump.sql" --database="$synapse_
ynh_script_progression --message="Enable systemd services" --weight=2 ynh_script_progression --message="Enable systemd services" --weight=2
# systemctl daemon-reload # systemctl daemon-reload
systemctl enable matrix-$app.service --quiet systemctl enable $app.service --quiet
systemctl enable coturn-$app.service --quiet systemctl enable $app-coturn.service --quiet
#================================================= #=================================================
# ADVERTISE SERVICE IN ADMIN PANEL # ADVERTISE SERVICE IN ADMIN PANEL
#================================================= #=================================================
yunohost service add matrix-$app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $synapse_tls_port yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.'
yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.'
#================================================= #=================================================
# CREATE A DH FILE # CREATE A DH FILE
@ -153,7 +87,7 @@ ynh_script_progression --message="Creating a dh file..." --weight=40
# Make dh cert for synapse if it doesn't exist # Make dh cert for synapse if it doesn't exist
if [ ! -e /etc/ssl/private/dh2048.pem ] if [ ! -e /etc/ssl/private/dh2048.pem ]
then then
ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -dsaparam 2048
chown root:ssl-cert /etc/ssl/private/dh2048.pem chown root:ssl-cert /etc/ssl/private/dh2048.pem
chmod 640 /etc/ssl/private/dh2048.pem chmod 640 /etc/ssl/private/dh2048.pem
fi fi
@ -163,43 +97,7 @@ fi
#================================================= #=================================================
ynh_script_progression --message="Reconfiguring Coturn..." --weight=23 ynh_script_progression --message="Reconfiguring Coturn..." --weight=23
# To be sure that at the restoration the IP address in coturn config is the same as the real address we remake the coturn config configure_coturn
# Retrieve specific settings
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
# WARNING : these commands are used in INSTALL, UPGRADE
# For any update do it in all files
# Get public IP and set as external IP for coturn
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
public_ip4="$(curl -s ip.yunohost.org)" || true
public_ip6="$(curl -s ipv6.yunohost.org)" || true
turn_external_ip=""
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
then
turn_external_ip+="external-ip="$public_ip4%"\n"
fi
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
then
turn_external_ip+="external-ip="$public_ip6%"\n"
fi
ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
#=================================================
# OPEN THE PORT
#=================================================
# Ouvre le port dans le firewall
ynh_exec_warn_less yunohost firewall allow TCP $synapse_tls_port
ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
#================================================= #=================================================
# SETUP LOGROTATE # SETUP LOGROTATE
@ -214,48 +112,16 @@ ynh_use_logrotate --logfile /var/log/matrix-$app
# SECURE FILES AND DIRECTORIES # SECURE FILES AND DIRECTORIES
#================================================= #=================================================
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times) ynh_script_progression --message="Protecting directories..." --weight=3
# For any update do it in all files set_permissions data
ynh_script_progression --message="Configuring file permission..."
chown $synapse_user:root -R $final_path
chmod 770 $final_path/Coturn_config_rotate.sh
chmod 700 $final_path/update_synapse_for_appservice.sh
chown $synapse_user:root -R $data_path
chown $synapse_user:root -R /var/log/matrix-$app
chown $synapse_user:root -R /etc/matrix-$app
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
chmod 600 /etc/matrix-$app/$server_name.signing.key
setfacl -R -m user:turnserver:rX /etc/matrix-$app
setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
chmod u=rwX,g=rX,o= -R $final_www_path
chown $synapse_user:root -R $final_www_path
#================================================= #=================================================
# RELOAD NGINX, SYNAPSE AND COTURN # RELOAD NGINX, SYNAPSE AND COTURN
#================================================= #=================================================
ynh_script_progression --message="Restarting Synapse services..." --weight=7 ynh_script_progression --message="Restarting Synapse services..." --weight=7
ynh_systemd_action --service_name=coturn-$app.service --action=restart ynh_systemd_action --service_name=$app-coturn.service --action=restart
ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300 ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
#=================================================
# SEND A README FOR THE ADMIN
#=================================================
# WARNING : theses command are used in INSTALL, RESTORE
# For any update do it in all files
echo "To federate this app you need to add this line in your DNS configuration:
_matrix._tcp.$domain. 3600 IN SRV 10 0 $synapse_tls_port $domain.
You also need to open the TCP port $synapse_tls_port on your ISP box if it's not automatically done.
Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .
If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh" > mail_to_send
ynh_send_readme_to_admin --app_message="mail_to_send" --type="restore"
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION

View file

@ -10,129 +10,11 @@ source _common.sh
source experimental_helper.sh source experimental_helper.sh
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --weight=3
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
synapse_old_version=$(ynh_app_setting_get --app=$app --key=synapse_version)
is_free_registration=$(ynh_app_setting_get --app=$app --key=is_free_registration)
port=$(ynh_app_setting_get --app=$app --key=synapse_port)
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
report_stats=$(ynh_app_setting_get --app=$app --key=report_stats)
e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
domain_whitelist_client_=$(get_domain_list)
domain_whitelist_client=${domain_whitelist_client_%"\n"}
main_domain=$(yunohost domain list --output-as json | jq -r .main)
#================================================= #=================================================
# SET ALL CONSTANT # SET ALL CONSTANT
#================================================= #=================================================
synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version)
upgrade_type=$(ynh_check_app_version_changed) upgrade_type=$(ynh_check_app_version_changed)
final_www_path="/var/www/$app"
data_path="/home/yunohost.app/matrix-$app"
#=================================================
# GET CONFIG PANEL SETTINGS
#=================================================
server_statistics=$(ynh_app_setting_get --app=$app --key=server_statistics)
web_client_location=$(ynh_app_setting_get --app=$app --key=web_client_location)
client_base_url=$(ynh_app_setting_get --app=$app --key=client_base_url)
invite_client_location=$(ynh_app_setting_get --app=$app --key=invite_client_location)
allow_public_rooms_without_auth=$(ynh_app_setting_get --app=$app --key=allow_public_rooms_without_auth)
allow_public_rooms_over_federation=$(ynh_app_setting_get --app=$app --key=allow_public_rooms_over_federation)
max_upload_size=$(ynh_app_setting_get --app=$app --key=max_upload_size)
disable_msisdn_registration=$(ynh_app_setting_get --app=$app --key=disable_msisdn_registration)
registrations_require_3pid=$(ynh_app_setting_get --app=$app --key=registrations_require_3pid)
allowed_local_3pids_email=$(ynh_app_setting_get --app=$app --key=allowed_local_3pids_email)
allowed_local_3pids_msisdn=$(ynh_app_setting_get --app=$app --key=allowed_local_3pids_msisdn)
account_threepid_delegates_msisdn=$(ynh_app_setting_get --app=$app --key=account_threepid_delegates_msisdn)
allow_guest_access=$(ynh_app_setting_get --app=$app --key=allow_guest_access)
default_identity_server=$(ynh_app_setting_get --app=$app --key=default_identity_server)
auto_join_rooms=$(ynh_app_setting_get --app=$app --key=auto_join_rooms)
autocreate_auto_join_rooms=$(ynh_app_setting_get --app=$app --key=autocreate_auto_join_rooms)
auto_join_rooms_for_guests=$(ynh_app_setting_get --app=$app --key=auto_join_rooms_for_guests)
enable_notifs=$(ynh_app_setting_get --app=$app --key=enable_notifs)
notif_for_new_users=$(ynh_app_setting_get --app=$app --key=notif_for_new_users)
enable_group_creation=$(ynh_app_setting_get --app=$app --key=enable_group_creation)
enable_registration=$(ynh_app_setting_get --app=$app --key=enable_registration)
turn_allow_guests=$(ynh_app_setting_get --app=$app --key=turn_allow_guests)
sso_enabled=$(ynh_app_setting_get --app=$app --key=sso_enabled)
password_enabled=$(ynh_app_setting_get --app=$app --key=password_enabled)
enable_3pid_lookup=$(ynh_app_setting_get --app=$app --key=enable_3pid_lookup)
push_include_content=$(ynh_app_setting_get --app=$app --key=push_include_content)
#=================================================
# ENSURE DOWNWARD COMPATIBILITY
#=================================================
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
# Following the discussion here https://github.com/YunoHost-Apps/synapse_ynh/pull/51 we decided to remove definitely the support of the old package migration.
if [ -z "$synapse_old_version" ]
then
ynh_die --message="Update from this synapse version is not available. You need to remove this package and reinstall the new package version."
fi
#=================================================
# MIGRATION 7 : Working config panel v1
#=================================================
backup_before_upgrade=$(ynh_app_setting_get --app=$app --key=backup_before_upgrade)
if [ -z $backup_before_upgrade ] ; then
backup_before_upgrade="true"
disable_backup_before_upgrade=$(ynh_app_setting_get --app=$app --key=disable_backup_before_upgrade)
if [ "0$disable_backup_before_upgrade" -ne 0 ]; then
backup_before_upgrade="false"
fi
ynh_app_setting_set --app=$app --key=backup_before_upgrade --value=$backup_before_upgrade
fi
#=================================================
# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
#=================================================
# We stop the service before to set ynh_clean_setup
ynh_systemd_action --service_name=matrix-$app.service --action=stop
# Backup the current version of the app
if $backup_before_upgrade ; then
ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=30
ynh_backup_before_upgrade
ynh_clean_setup () {
# Clean installation remainings that are not handled by the remove script.
ynh_clean_check_starting
ynh_restore_upgradebackup
}
else
ynh_script_progression --message="NOT Backing up the app before upgrading..." --weight=1
fi
#================================================= #=================================================
# STANDARD UPGRADE STEPS # STANDARD UPGRADE STEPS
@ -141,313 +23,265 @@ fi
#================================================= #=================================================
# Migrate from settings 'special_domain' to 'domain' and 'special_path' to 'path' # Migrate from settings 'special_domain' to 'domain' and 'special_path' to 'path'
if [ -z $domain ]; then if [ -z "${domain:-}" ]; then
domain=$(ynh_app_setting_get --app=$app --key=special_domain) domain=$(ynh_app_setting_get --app=$app --key=special_domain)
path_url=$(ynh_app_setting_get --app=$app --key=special_path) path=$(ynh_app_setting_get --app=$app --key=special_path)
ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=path --value=$path
ynh_app_setting_delete --app=$app --key=special_domain ynh_app_setting_delete --app=$app --key=special_domain
ynh_app_setting_delete --app=$app --key=special_path ynh_app_setting_delete --app=$app --key=special_path
ynh_app_setting_set --app=$app --key=no_sso --value true ynh_app_setting_set --app=$app --key=no_sso --value true
fi fi
# Define $server_name if not already defined # Define $server_name if not already defined
if [ -z $server_name ]; then if [ -z "${server_name:-}" ]; then
server_name=$domain server_name=$domain
ynh_app_setting_set --app=$app --key=server_name --value=$domain ynh_app_setting_set --app=$app --key=server_name --value=$domain
fi fi
# Define $jitsi_server if not already defined # Define $jitsi_server if not already defined
if [ -z $jitsi_server ]; then if [ -z "${jitsi_server:-}" ]; then
jitsi_server='jitsi.riot.im' jitsi_server='jitsi.riot.im'
ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server
fi fi
# Define $e2e_enabled_by_default if not already defined # Define $e2e_enabled_by_default if not already defined
if [ -z $e2e_enabled_by_default ] ; then if [ -z "${e2e_enabled_by_default:-}" ] ; then
e2e_enabled_by_default="invite" e2e_enabled_by_default="invite"
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
fi fi
if [ "$e2e_enabled_by_default" = "true" ] ; then if [ "$e2e_enabled_by_default" = "true" ] ; then
e2e_enabled_by_default="all" e2e_enabled_by_default="all"
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
fi fi
if [ "$e2e_enabled_by_default" = "false" ]; then if [ "$e2e_enabled_by_default" = "false" ]; then
e2e_enabled_by_default="off" e2e_enabled_by_default="off"
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
fi fi
if [ -z $report_stats ]; then if [ -z "${report_stats:-}" ]; then
report_stats="false" report_stats="false"
ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
fi fi
if [ -z $is_free_registration ]; then if [ -z "${web_client_location:-}" ]
is_free_registration=$(ynh_app_setting_get --app=$app --key=is_""public) then
web_client_location="https://matrix.to/"
element_instance="element"
if yunohost --output-as plain app list | grep -q "^$element_instance"'$'; then
element_domain=$(ynh_app_setting_get --app $element_instance --key domain)
element_path=$(ynh_app_setting_get --app $element_instance --key path)
web_client_location="https://""$element_domain""$element_path"
fi
ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location
fi
if [ -z "${client_base_url:-}" ]
then
client_base_url=$web_client_location
ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url
fi
if [ -z "${invite_client_location:-}" ]
then
invite_client_location=$web_client_location
ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location
fi
if [ -z "${allow_public_rooms_without_auth:-}" ]
then
allow_public_rooms_without_auth=${allow_public_rooms:-false}
ynh_app_setting_set --app=$app --key=allow_public_rooms_without_auth --value=$allow_public_rooms_without_auth
fi
if [ -z "${allow_public_rooms_over_federation:-}" ]
then
allow_public_rooms_over_federation=${allow_public_rooms:-false}
ynh_app_setting_set --app=$app --key=allow_public_rooms_over_federation --value=$allow_public_rooms_over_federation
fi
if [ -z "${max_upload_size:-}" ]
then
max_upload_size="100M"
ynh_app_setting_set --app=$app --key=max_upload_size --value=$max_upload_size
fi
if [ -z "${disable_msisdn_registration:-}" ]
then
disable_msisdn_registration="true"
ynh_app_setting_set --app=$app --key=disable_msisdn_registration --value=$disable_msisdn_registration
fi
if [ -z "${registrations_require_3pid:-}" ] || [ "${registrations_require_3pid}" == none ]
then
registrations_require_3pid=email
ynh_app_setting_set --app=$app --key=registrations_require_3pid --value=$registrations_require_3pid
fi
if [ -z "${allowed_local_3pids_email:-}" ] || [[ "${allowed_local_3pids_email}" =~ \'.*\' ]] # Also remove shit value from previous config panel
then
allowed_local_3pids_email=''
ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value=$allowed_local_3pids_email
fi
if [ -z "${allowed_local_3pids_msisdn:-}" ] || [[ "${allowed_local_3pids_msisdn}" =~ \'.*\' ]] # Also remove shit value from previous config panel
then
allowed_local_3pids_msisdn=''
ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value=$allowed_local_3pids_msisdn
fi
if [ -z "${account_threepid_delegates_msisdn:-}" ]
then
account_threepid_delegates_msisdn=""
ynh_app_setting_set --app=$app --key=account_threepid_delegates_msisdn --value=$account_threepid_delegates_msisdn
fi
if [ -z "${allow_guest_access:-}" ]
then
allow_guest_access="false"
ynh_app_setting_set --app=$app --key=allow_guest_access --value=$allow_guest_access
fi
if [ -z "${default_identity_server:-}" ]
then
default_identity_server="https://matrix.org"
ynh_app_setting_set --app=$app --key=default_identity_server --value=$default_identity_server
fi
if [ -z "${auto_join_rooms:-}" ]
then
auto_join_rooms=""
ynh_app_setting_set --app=$app --key=auto_join_rooms --value=$auto_join_rooms
fi
if [ -z "${autocreate_auto_join_rooms:-}" ]
then
autocreate_auto_join_rooms="false"
ynh_app_setting_set --app=$app --key=autocreate_auto_join_rooms --value=$autocreate_auto_join_rooms
fi
if [ -z "${auto_join_rooms_for_guests:-}" ]
then
auto_join_rooms_for_guests="true"
ynh_app_setting_set --app=$app --key=auto_join_rooms_for_guests --value=$auto_join_rooms_for_guests
fi
if [ -z "${enable_notifs:-}" ]
then
enable_notifs="true"
ynh_app_setting_set --app=$app --key=enable_notifs --value=$enable_notifs
fi
if [ -z "${notif_for_new_users:-}" ]
then
notif_for_new_users="true"
ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users
fi
if [ -z "${enable_group_creation:-}" ]
then
enable_group_creation="true"
ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation
fi
if [ -z "${enable_3pid_lookup:-}" ]
then
enable_3pid_lookup=false
ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
fi fi
if [ -z $synapse_user_app_pwd ]; then
synapse_user_app_pwd="$(ynh_string_random --length=30)" if [ -z "${enable_registration:-}" ]
ynh_app_setting_set --app=$app --key=synapse_user_app_pwd --value=$synapse_user_app_pwd then
# The format to create an user account varies depending on the version of YunoHost currently installed. if [ -z "${is_free_registration:-}" ]; then
ynh_current_version=$(dpkg-query --showformat='${Version}' --show yunohost) is_free_registration=$(ynh_app_setting_get --app=$app --key=is_""public)
if $(dpkg --compare-versions "$ynh_current_version" ge "11.1"); then fi
yunohost user create $synapse_user_app -F "Synapse Application" -d $domain -p "$synapse_user_app_pwd"
else if [ "$is_free_registration" -eq "0" ]
yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd" then
fi enable_registration="false"
password_enabled="false"
else
enable_registration="true"
password_enabled="true"
fi
ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
fi fi
if [ -z "${push_include_content:-}" ]
then
push_include_content="true"
ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
fi
if [ -z "${enable_dtls_for_audio_video_turn_call:-}" ]
then
enable_dtls_for_audio_video_turn_call=true
ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
fi
# remove legacy env file into /etc/default
ynh_secure_remove --file=/etc/default/coturn-$app
#=================================================
# MIGRATION 7 : STANDARDIZE SYSTEMD UNIT
#=================================================
if [ -e /etc/systemd/system/matrix-$app.service ]
then
ynh_script_progression --message='Migrating systemd unit to standard name...'
systemctl stop matrix-$app.service || true
systemctl stop coturn-$app.service || true
yunohost service remove matrix-$app || true
yunohost service remove coturn-$app || true
ynh_secure_remove --file=/etc/systemd/system/matrix-$app.service
ynh_secure_remove --file=/etc/systemd/system/coturn-$app.service
touch /etc/systemd/system/$app.service
systemctl daemon-reload || true
fi
#=================================================
# STOP SERVICES
#=================================================
# We stop the service
ynh_systemd_action --service_name=$app.service --action=stop
ynh_script_progression --message='Managing migrations...'
#================================================= #=================================================
# MIGRATION 6 : Migrate data directory # MIGRATION 6 : Migrate data directory
#================================================= #=================================================
if [ -e "/var/lib/matrix-$app" ]; then if [ -e "/var/lib/matrix-$app" ]; then
ynh_script_progression --message="Moving data directory to $data_path..." --weight=1 ynh_script_progression --message="Moving data directory to $data_dir..." --weight=1
if [ -e "$data_path" ]; then if [ -e "$data_dir" ]; then
old_data_dir_path="$data_path$(date '+%Y%m%d.%H%M%S')" old_data_dir_path="$data_dir$(date '+%Y%m%d.%H%M%S')"
ynh_print_warn "A data directory already exist. Data was renamed to $old_data_dir_path" ynh_print_warn "A data directory already exist. Data was renamed to $old_data_dir_path"
mv "$data_path" "$old_data_dir_path" mv "$data_dir" "$old_data_dir_path"
fi fi
mv "/var/lib/matrix-$app" "$data_path" mv "/var/lib/matrix-$app" "$data_dir"
fi
if ! grep -q "$final_path" /etc/passwd; then
# matrix-synapse:x:994:994::/var/lib/matrix-synapse:/usr/sbin/nologin
sed --in-place -r "s@matrix-$app\:x\:([[:digit:]]+\:[[:digit:]]+)\:\:/.*/matrix-$app\:/usr/sbin/nologin@matrix-$app\:x\:\1\:\:$final_path\:/usr/sbin/nologin@g" /etc/passwd
fi fi
#================================================= #=================================================
# MIGRATION 7 : Working config panel v1 # MIGRATION 3 : USE STANDARD ACCESS FOR CERTIFCATE
#================================================= #=================================================
allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms) # Fix issue about certificates access
if [ -z $allow_public_rooms ]; then if [ ! $(grep "ssl-cert:x:[0-9]*:.*$app" /etc/group) ]
allow_public_rooms="false" then
fi ynh_script_progression --message="Use standard access for certificate..." --weight=1
# SET STANDARD SETTINGS FROM DEFAULT CONFIG adduser $app ssl-cert
adduser turnserver ssl-cert
# Get app name of first Element Instance
element_ynh_url="https://matrix.to/"
element_domain=""
element_path=""
web_client_location=$element_ynh_url
client_base_url=$element_ynh_url
invite_client_location=$element_ynh_url
element_instance="element"
if [ -z "$web_client_location" ]
then
if yunohost --output-as plain app list | grep -q "^$element_instance"'$'; then
element_domain=$(ynh_app_setting_get --app $element_instance --key domain)
element_path=$(ynh_app_setting_get --app $element_instance --key path)
element_ynh_url="https://""$element_domain""$element_path"
fi
web_client_location=$element_ynh_url
client_base_url=$element_ynh_url
invite_client_location=$element_ynh_url
ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location
ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url
ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location
fi
if [ -z "$server_statistics" ]
then
server_statistics="false"
ynh_app_setting_set --app=$app --key=server_statistics --value=$server_statistics
fi
if [ -z "$allow_public_rooms_without_auth" ]
then
allow_public_rooms_without_auth=$allow_public_rooms
ynh_app_setting_set --app=$app --key=allow_public_rooms_without_auth --value=$allow_public_rooms_without_auth
fi
if [ -z "$allow_public_rooms_over_federation" ]
then
allow_public_rooms_over_federation=$allow_public_rooms
ynh_app_setting_set --app=$app --key=allow_public_rooms_over_federation --value=$allow_public_rooms_over_federation
fi
if [ -z "$max_upload_size" ]
then
max_upload_size="10M"
ynh_app_setting_set --app=$app --key=max_upload_size --value=$max_upload_size
fi
if [ -z "$disable_msisdn_registration" ]
then
disable_msisdn_registration="true"
ynh_app_setting_set --app=$app --key=disable_msisdn_registration --value=$disable_msisdn_registration
fi
if [ -z "$registrations_require_3pid" ]
then
registrations_require_3pid="none"
ynh_app_setting_set --app=$app --key=registrations_require_3pid --value=$registrations_require_3pid
fi
if [ -z "$allowed_local_3pids_email" ]
then
allowed_local_3pids_email="'^[^@]+@""matrix""\.org$'"
ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value=$allowed_local_3pids_email
fi
if [ -z "$allowed_local_3pids_msisdn" ]
then
allowed_local_3pids_msisdn="'\+33'"
ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value=$allowed_local_3pids_msisdn
fi
if [ -z "$account_threepid_delegates_msisdn" ]
then
account_threepid_delegates_msisdn=""
ynh_app_setting_set --app=$app --key=account_threepid_delegates_msisdn --value=$account_threepid_delegates_msisdn
fi
if [ -z "$allow_guest_access" ]
then
allow_guest_access="false"
ynh_app_setting_set --app=$app --key=allow_guest_access --value=$allow_guest_access
fi
if [ -z "$default_identity_server" ]
then
default_identity_server="https://matrix.org"
ynh_app_setting_set --app=$app --key=default_identity_server --value=$default_identity_server
fi
if [ -z "$auto_join_rooms" ]
then
auto_join_rooms="#auto_join_room:""$server_name"
ynh_app_setting_set --app=$app --key=auto_join_rooms --value=$auto_join_rooms
fi
if [ -z "$autocreate_auto_join_rooms" ]
then
autocreate_auto_join_rooms="false"
ynh_app_setting_set --app=$app --key=autocreate_auto_join_rooms --value=$autocreate_auto_join_rooms
fi
if [ -z "$auto_join_rooms_for_guests" ]
then
auto_join_rooms_for_guests="true"
ynh_app_setting_set --app=$app --key=auto_join_rooms_for_guests --value=$auto_join_rooms_for_guests
fi
if [ -z "$enable_notifs" ]
then
enable_notifs="true"
ynh_app_setting_set --app=$app --key=enable_notifs --value=$enable_notifs
fi
if [ -z "$notif_for_new_users" ]
then
notif_for_new_users="true"
ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users
fi
if [ -z "$enable_group_creation" ]
then
enable_group_creation="true"
ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation
fi
if [ -z "$enable_registration" ]
then
if [ "$is_free_registration" -eq "0" ]
then
enable_registration="false"
turn_allow_guests="false"
sso_enabled="true"
password_enabled="false"
enable_3pid_lookup="false"
else
enable_registration="true"
turn_allow_guests="true"
sso_enabled="false"
password_enabled="true"
enable_3pid_lookup="true"
fi
ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
ynh_app_setting_set --app=$app --key=turn_allow_guests --value=$turn_allow_guests
ynh_app_setting_set --app=$app --key=sso_enabled --value=$sso_enabled
ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
fi
if [ -z "$push_include_content" ]
then
push_include_content="true"
ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
fi fi
#================================================= #=================================================
# INSTALL DEPENDENCIES # MIGRATION 4 : CREATE A DH FILE
#================================================= #=================================================
ynh_script_progression --message="Upgrading dependencies..." --weight=6
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE # WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
# For any update do it in all files # For any update do it in all files
ynh_exec_warn_less ynh_install_app_dependencies $dependances
#================================================= # Make dh cert for synapse if it doesn't exist
# DOWNLOAD, CHECK AND UNPACK SOURCE if [ ! -e /etc/ssl/private/dh2048.pem ]
#=================================================
if [ "$upgrade_type" == "UPGRADE_APP" ] || [ ! -e $final_path/bin/python3 ] || [ ! -e $final_path/lib/python$python_version ]
then then
ynh_script_progression --message="Upgrading source files..." --weight=6 ynh_script_progression --message="Creating a dh file..." --weight=1
install_sources
ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -dsaparam 2048
chown root:ssl-cert /etc/ssl/private/dh2048.pem
chmod 640 /etc/ssl/private/dh2048.pem
fi fi
#=================================================
# CREATE SMALL CAS SERVER
#=================================================
# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
mkdir -p $final_www_path
cp ../sources/cas_server.php $final_www_path/
chmod u=rwX,g=rX,o= -R $final_www_path
chown $synapse_user:root -R $final_www_path
#=================================================
# MIGRATION 1 : GENERATE SYNAPSE SECRET
#=================================================
if [ -z "$registration_shared_secret" ] || [ "$form_secret" == "form_secret: " ]
then
ynh_script_progression --message="Generating synapse secret..." --weight=1
# Go in virtualenvironnement
set +u
source $final_path/bin/activate
set -u
# Generate config and keys
python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
# This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
set +u;
deactivate
set -u;
# Get random values from config
registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
# store in yunohost settings
ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
fi
#=================================================
# UPDATE SYNAPSE CONFIG
#=================================================
ynh_script_progression --message="Updating synapse config..." --weight=2
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
# For any update do it in all files
if [ -z $macaroon_secret_key ]; then
# Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
# For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
# The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
# So for the old install we just leave this as it is. And for the new install we use a real macaroon.
macaroon_secret_key_param='# macaroon_secret_key: ""'
else
macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
fi
ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
#================================================= #=================================================
# MIGRATION 2 : MULTINSTANCE SUPPORT # MIGRATION 2 : MULTINSTANCE SUPPORT
#================================================= #=================================================
@ -463,15 +297,6 @@ then
# Disable default config for turnserver and create a new service # Disable default config for turnserver and create a new service
systemctl stop coturn.service systemctl stop coturn.service
# Set a port for each service in turnserver
turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
cli_port=$(ynh_find_port --port=5766)
ynh_app_setting_set --app=$app --key=turnserver_alt_tls_port --value=$turnserver_alt_tls_port
ynh_app_setting_set --app=$app --key=cli_port --value=$cli_port
yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1
#================================================= #=================================================
# MAKE A CLEAN LOGROTATE CONFIG # MAKE A CLEAN LOGROTATE CONFIG
#================================================= #=================================================
@ -480,37 +305,109 @@ then
fi fi
#================================================= #=================================================
# MIGRATION 3 : USE STANDARD ACCESS FOR CERTIFCATE # MIGRATION 8 : Migrate database to managed database (Migrate db name from matrix_$app to $app)
#================================================= #=================================================
# Fix issue about certificates access if ynh_psql_execute_as_root --sql='\list' | grep matrix_$app; then
if [ ! $(grep "ssl-cert:x:[0-9]*:.*matrix-$app" /etc/group) ] ynh_''psql_remove_db --db_user="user_wich_must_dont_exist_and_keep_current_user" --db_name=$db_name
then ynh_psql_execute_as_root --sql="ALTER DATABASE matrix_$app RENAME TO $db_name;"
ynh_script_progression --message="Use standard access for certificate..." --weight=1 ynh_psql_execute_as_root --database=$db_name --sql="REASSIGN OWNED BY matrix_$app TO $db_user;"
ynh_psql_execute_as_root --sql="UPDATE pg_database SET datcollate='C', datctype='C' WHERE datname='$db_name';"
adduser $synapse_user ssl-cert ynh_psql_execute_as_root --sql="DROP USER matrix_$app;"
adduser turnserver ssl-cert # for unknown reason we need to set again the password for synapse user. Without this synapse can't authenticate to postgresql
ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH ENCRYPTED PASSWORD '$db_pwd';"
fi fi
#================================================= #=================================================
# MIGRATION 4 : CREATE A DH FILE # MIGRATION 9 : migrate data path (from matrix-$app to $app)
#================================================= #=================================================
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE if [ -e /home/yunohost.app/matrix-$app ]; then
# For any update do it in all files mv -t $data_dir /home/yunohost.app/matrix-$app/*
ynh_secure_remove --file=/home/yunohost.app/matrix-$app
fi
# Make dh cert for synapse if it doesn't exist #=================================================
if [ ! -e /etc/ssl/private/dh2048.pem ] # MIGRATION 11 : make this app using full domain
#=================================================
ynh_app_setting_set --app=$app --key=path --value=/
if yunohost app map -r --output-as json | jq -r '."'$domain'" | select( . != null ) | .[] | .id' | grep -v "$app" -q; then
ynh_print_warn 'An other app is installed on this domain. Now synapse require to be alone on the domain.'
ynh_print_warn 'To solve this you can:'
ynh_print_warn " - Remove or move all other app which use '$domain'"
ynh_print_warn ' - Change the domain of synapse. You can find more informations here: https://github.com/YunoHost-Apps/synapse_ynh/tree/testing/doc/ADMIN.md#change-url'
ynh_print_warn 'For more information you can see this issue: https://github.com/YunoHost-Apps/synapse_ynh/issues/443'
fi
#=================================================
# MIGRATION 12 : update system user and drop yunohost user
#=================================================
if grep -q "^matrix-$app" /etc/passwd; then
# Must stop php before remove user as user is used by php
systemctl stop php$YNH_PHP_VERSION-fpm.service
ynh_''system_user_delete --username=matrix-$app
yunohost user delete $app || true
ynh_''system_user_create --username=$app --home_dir=$code_dir
adduser $app ssl-cert
fi
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
if [ "$upgrade_type" == "UPGRADE_APP" ] || [ ! -e $code_dir/bin/python3 ] || [ ! -e $code_dir/lib/python$python_version ]
then then
ynh_script_progression --message="Creating a dh file..." --weight=1 ynh_script_progression --message="Upgrading source files..." --weight=6
install_sources
fi
openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null #=================================================
chown root:ssl-cert /etc/ssl/private/dh2048.pem # MIGRATION 1 : GENERATE SYNAPSE SECRET
chmod 640 /etc/ssl/private/dh2048.pem #=================================================
if [ -z "${registration_shared_secret:-}" ] || [ "$form_secret" == "form_secret: " ]
then
ynh_script_progression --message="Generating synapse secret..." --weight=1
# Generate config and keys
$code_dir/bin/python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
# Get random values from config
registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
# store in yunohost settings
ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
fi fi
#================================================= #=================================================
# STANDARD UPGRADE STEPS # STANDARD UPGRADE STEPS
#=================================================
#=================================================
# UPDATE SYNAPSE CONFIG
#=================================================
ynh_script_progression --message="Updating synapse config..." --weight=2
configure_synapse
#=================================================
# CREATE SMALL CAS SERVER
#=================================================
# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
mkdir -p $install_dir
cp ../sources/cas_server.php $install_dir/
chmod u=rwX,g=rX,o= -R $install_dir
chown $app:root -R $install_dir
#================================================= #=================================================
# NGINX CONFIGURATION # NGINX CONFIGURATION
#================================================= #=================================================
@ -520,19 +417,8 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." -
ynh_script_progression --message="Configuring application..." ynh_script_progression --message="Configuring application..."
ynh_add_fpm_config --usage=low --footprint=low ynh_add_fpm_config --usage=low --footprint=low
sed -i "s|user\s*=\s*$app|user = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
sed -i "s|group\s*=\s*$app|group = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
sed -i "s|chdir\s*=\s*/opt/yunohost/matrix-synapse.*|chdir = $final_www_path|g" /etc/php/7.*/fpm/pool.d/$app.conf
ynh_store_file_checksum --file=$(ls /etc/php/7.*/fpm/pool.d/$app.conf)
# Create .well-known redirection for access by federation configure_nginx
if yunohost --output-as plain domain list | grep -q "^$server_name$"
then
ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
fi
# Create a dedicated NGINX config
ynh_add_nginx_config app
#================================================= #=================================================
# SPECIFIC UPGRADE # SPECIFIC UPGRADE
@ -541,26 +427,7 @@ ynh_add_nginx_config app
#================================================= #=================================================
ynh_script_progression --message="Updating Coturn config..." --weight=1 ynh_script_progression --message="Updating Coturn config..." --weight=1
# WARNING : theses command are used in INSTALL, UPGRADE configure_coturn
# For any update do it in all files
# Get public IP and set as external IP for coturn
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
public_ip4="$(curl -s ip.yunohost.org)" || true
public_ip6="$(curl -s ipv6.yunohost.org)" || true
turn_external_ip=""
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
then
turn_external_ip+="external-ip="$public_ip4%"\n"
fi
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
then
turn_external_ip+="external-ip="$public_ip6%"\n"
fi
ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
#================================================= #=================================================
# ADD SCRIPT FOR COTURN CRON AND APP SERVICE # ADD SCRIPT FOR COTURN CRON AND APP SERVICE
@ -569,8 +436,9 @@ ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/cotu
# WARNING : theses command are used in INSTALL, UPGRADE # WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files # For any update do it in all files
ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh" ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$code_dir/Coturn_config_rotate.sh"
ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh" ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$code_dir/update_synapse_for_appservice.sh"
ynh_add_config --template=../sources/set_admin_user.sh --destination=$code_dir/set_admin_user.sh
# Ensure app-service folder has exists and the config file exit (Migration) # Ensure app-service folder has exists and the config file exit (Migration)
mkdir -p /etc/matrix-$app/app-service mkdir -p /etc/matrix-$app/app-service
@ -587,8 +455,8 @@ fi
# ADVERTISE SERVICE IN ADMIN PANEL # ADVERTISE SERVICE IN ADMIN PANEL
#================================================= #=================================================
yunohost service add matrix-$app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $synapse_tls_port yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.'
yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.'
#================================================= #=================================================
# UPDATE SYSTEMD # UPDATE SYSTEMD
@ -596,20 +464,16 @@ yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
ynh_script_progression --message="Upgrading systemd configuration..." --weight=3 ynh_script_progression --message="Upgrading systemd configuration..." --weight=3
# Create systemd service for synapse and turnserver # Create systemd service for synapse and turnserver
cp ../conf/default_matrix-synapse /etc/default/matrix-$app ynh_add_systemd_config --service=$app --template=synapse.service
ynh_add_systemd_config --service=matrix-$app --template=matrix-synapse.service
cp ../conf/default_coturn /etc/default/coturn-$app cp ../conf/default_coturn /etc/matrix-$app/coturn_env
ynh_add_systemd_config --service=coturn-$app --template=coturn-synapse.service ynh_add_systemd_config --service=$app-coturn --template=synapse-coturn.service
#================================================= #=================================================
# UPGRADE FAIL2BAN # UPGRADE FAIL2BAN
#================================================= #=================================================
ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=8 ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=8
# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
ynh_add_fail2ban_config --use_template ynh_add_fail2ban_config --use_template
#================================================= #=================================================
@ -617,58 +481,28 @@ ynh_add_fail2ban_config --use_template
#================================================= #=================================================
# SETUP PERMISSIONS # SETUP PERMISSIONS
#================================================= #=================================================
ynh_script_progression --message="Configuring permissions..." --weight=1 ynh_script_progression --message="Configuring permissions..." --weight=1
ynh_legacy_permissions_delete_all
ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true if yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
ynh_permission_update --permission=main --show_tile=false --protected=true if ! ynh_""permission_exists --permission=server_client_infos; then
ynh_""permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
if ! ynh_permission_exists --permission=server_api; then --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
ynh_permission_create --permission=server_api --url=$domain/_matrix \ --auth_header=false --protected=true
--label="Server access for client apps." --show_tile=false --allowed=visitors \ else yunohost --output-as plain domain list | grep -q "^$server_name"'$'
--auth_header=false --protected=true ynh_""permission_url --permission=server_client_infos --url=$server_name/.well-known/matrix \
python3 remove_sso_conf_persistent.py $domain $server_name \ --auth_header=false
|| ynh_print_warn --message="Your file /etc/ssowat/""conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually." ynh_""permission_update --permission=server_client_infos --label="Server info for clients. (well-known)" --show_tile=false \
else --protected=true
ynh_permission_url --permission=server_api --url=$domain/_matrix --remove_url=$server_name/.well-known/matrix \ fi
--auth_header=false
ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false \
--protected=true
fi
if yunohost --output-as plain domain list | grep -q "^$server_name"'$' && ! ynh_permission_exists --permission=server_client_infos; then
ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
--label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
--auth_header=false --protected=true
elif yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
ynh_permission_url --permission=server_client_infos --url=$server_name/.well-known/matrix \
--auth_header=false
ynh_permission_update --permission=server_client_infos --label="Server info for clients. (well-known)" --show_tile=false \
--protected=true
fi
if ! ynh_permission_exists --permission=admin_api; then
ynh_permission_create --permission=admin_api --url=$domain/_synapse \
--label="Server administration API." --show_tile=false \
--auth_header=false --allowed=visitors
fi fi
#================================================= #=================================================
# SECURE FILES AND DIRECTORIES # SECURE FILES AND DIRECTORIES
#================================================= #=================================================
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE ynh_script_progression --message="Protecting directories... (note that it could take a long time depending of your install size)" --weight=3
# For any update do it in all files set_permissions data
chown $synapse_user:root -R $final_path
chmod 770 $final_path/Coturn_config_rotate.sh
chmod 700 $final_path/update_synapse_for_appservice.sh
chown $synapse_user:root -R $data_path
chown $synapse_user:root -R /var/log/matrix-$app
chown $synapse_user:root -R /etc/matrix-$app
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
chmod 600 /etc/matrix-$app/$server_name.signing.key
setfacl -R -m user:turnserver:rX /etc/matrix-$app
setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
#================================================= #=================================================
# UPDATE HOOKS # UPDATE HOOKS
@ -679,19 +513,13 @@ setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
ynh_replace_string __APP__ $app ../hooks/post_cert_update ynh_replace_string __APP__ $app ../hooks/post_cert_update
ynh_replace_string __DOMAIN__ $domain ../hooks/post_cert_update ynh_replace_string __DOMAIN__ $domain ../hooks/post_cert_update
#=================================================
# UPDATE VERSION SETTINGS
#=================================================
ynh_app_setting_set --app=$app --key=synapse_version --value=$upstream_version
#================================================= #=================================================
# RELOAD SERVICES # RELOAD SERVICES
#================================================= #=================================================
ynh_script_progression --message="Restarting Synapse services..." --weight=5 ynh_script_progression --message="Restarting Synapse services..." --weight=5
ynh_systemd_action --service_name=coturn-$app.service --action=restart ynh_systemd_action --service_name=$app-coturn.service --action=restart
ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300 ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
#================================================= #=================================================
# END OF SCRIPT # END OF SCRIPT

View file

@ -1,33 +1,34 @@
#!/bin/bash #!/bin/bash
app_instance=__APP__ set -eu
app=__APP__
YNH_APP_BASEDIR=/etc/yunohost/apps/"$app"
pushd /etc/yunohost/apps/$app/conf
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
coturn_config_path="/etc/matrix-$app_instance/coturn.conf" # Must load db_name var to load _common.sh
public_ip4="$(curl ip.yunohost.org)" || true db_name=$(ynh_app_setting_get --app=$app --key=db_name)
public_ip6="$(curl ipv6.yunohost.org)" || true source ../scripts/_common.sh
old_config_line=$(egrep "^external-ip=.*\$" $coturn_config_path) domain=$(ynh_app_setting_get --app=$app --key=domain)
perl -i -pe 's/(^external-ip=.*\n)*//g' $coturn_config_path port_cli=$(ynh_app_setting_get --app=$app --key=port_cli)
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
port_turnserver_tls=$(ynh_app_setting_get --app=$app --key=port_turnserver_tls)
port_turnserver_alt_tls=$(ynh_app_setting_get --app=$app --key=port_turnserver_alt_tls)
enable_dtls_for_audio_video_turn_call=$(ynh_app_setting_get --app=$app --key=enable_dtls_for_audio_video_turn_call)
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" previous_checksum=$(ynh_app_setting_get --app=$app --key=checksum__etc_matrix-synapse_coturn.conf)
configure_coturn
new_checksum=$(ynh_app_setting_get --app=$app --key=checksum__etc_matrix-synapse_coturn.conf)
setfacl -R -m user:turnserver:rX /etc/matrix-$app
if [ "$previous_checksum" != "$new_checksum" ]
then then
echo "external-ip=$public_ip4" >> "$coturn_config_path" systemctl restart $app-coturn.service
fi
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
then
echo "external-ip=$public_ip6" >> "$coturn_config_path"
fi
new_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf")
setfacl -R -m user:turnserver:rX /etc/matrix-$app_instance
if [ "$old_config_line" != "$new_config_line" ]
then
systemctl restart coturn-$app_instance.service
fi fi
exit 0 exit 0

21
sources/set_admin_user.sh Normal file
View file

@ -0,0 +1,21 @@
#!/bin/bash
set -eu
source /usr/share/yunohost/helpers
app=__APP__
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$(ynh_app_setting_get --app=$app --key=db_user)
db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
if [ -z ${1:-} ]; then
echo "Usage: set_admin_user.sh user_to_set_as_admin"
exit 1
fi
ynh_psql_execute_as_root --database=$db_name --sql="UPDATE users SET admin = 1 WHERE name = '@$1:$server_name'"
exit 0

View file

@ -1,5 +1,7 @@
#!/bin/bash #!/bin/bash
set -eu
app=__APP__ app=__APP__
service_config_file=/etc/matrix-$app/conf.d/app_service.yaml service_config_file=/etc/matrix-$app/conf.d/app_service.yaml
@ -21,7 +23,7 @@ chown matrix-$app /etc/matrix-$app/app-service/*
chmod 600 $service_config_file chmod 600 $service_config_file
chmod 600 /etc/matrix-$app/app-service/* chmod 600 /etc/matrix-$app/app-service/*
systemctl restart matrix-$app systemctl restart $app.service
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
rm /tmp/app_service_backup.yaml rm /tmp/app_service_backup.yaml

9
tests.toml Normal file
View file

@ -0,0 +1,9 @@
#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/tests.v1.schema.json
test_format = 1.0
[default]
test_upgrade_from.672791a51c1d239918562d7a0d4420ec137e6694.name = "Post app user creation (branch old_version_for_CI_7)"
test_upgrade_from.971f2eb590325fb1d6e1ca5723f59aacd639c9ce.name = "Before packaging v2 (branch old_version_for_CI_6)"