mirror of
https://github.com/YunoHost-Apps/synapse_ynh.git
synced 2024-09-03 20:26:38 +02:00
commit
c58222a7bb
46 changed files with 1595 additions and 2704 deletions
3
.gitignore
vendored
3
.gitignore
vendored
|
@ -5,3 +5,6 @@
|
||||||
|
|
||||||
*swp
|
*swp
|
||||||
|
|
||||||
|
auto_update_config.sh
|
||||||
|
auto_update/Synapse_build_*.log
|
||||||
|
auto_update/synapse_build_temp.log
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
# All available README files by language
|
# All available README files by language
|
||||||
|
|
||||||
- [Read the README in English](README.md)
|
- [Read the README in English](README.md)
|
||||||
|
- [Irakurri README euskaraz](README_eu.md)
|
||||||
- [Lire le README en français](README_fr.md)
|
- [Lire le README en français](README_fr.md)
|
||||||
- [Le o README en galego](README_gl.md)
|
- [Le o README en galego](README_gl.md)
|
||||||
- [Leggi il “README” in italiano](README_it.md)
|
- [阅读中文(简体)的 README](README_zh_Hans.md)
|
||||||
|
|
191
README.md
191
README.md
|
@ -9,7 +9,7 @@ It shall NOT be edited by hand.
|
||||||
|
|
||||||
[![Install Synapse with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=synapse)
|
[![Install Synapse with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=synapse)
|
||||||
|
|
||||||
*[Read this README is other languages.](./ALL_README.md)*
|
*[Read this README in other languages.](./ALL_README.md)*
|
||||||
|
|
||||||
> *This package allows you to install Synapse quickly and simply on a YunoHost server.*
|
> *This package allows you to install Synapse quickly and simply on a YunoHost server.*
|
||||||
> *If you don't have YunoHost, please consult [the guide](https://yunohost.org/install) to learn how to install it.*
|
> *If you don't have YunoHost, please consult [the guide](https://yunohost.org/install) to learn how to install it.*
|
||||||
|
@ -21,195 +21,12 @@ Instant messaging server matrix network.
|
||||||
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
|
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
|
||||||
|
|
||||||
|
|
||||||
**Shipped version:** 1.98.0~ynh1
|
**Shipped version:** 1.104.0~ynh1
|
||||||
## Disclaimers / important information
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
### Install for ARM arch (or slow arch)
|
|
||||||
|
|
||||||
For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install.
|
|
||||||
You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null`
|
|
||||||
After that you can install it without problem.
|
|
||||||
|
|
||||||
The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build
|
|
||||||
The script to build the binary is also available.
|
|
||||||
|
|
||||||
### Web client
|
|
||||||
|
|
||||||
If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh .
|
|
||||||
|
|
||||||
### Access by federation
|
|
||||||
|
|
||||||
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
|
|
||||||
|
|
||||||
If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation.
|
|
||||||
|
|
||||||
```
|
|
||||||
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
|
|
||||||
```
|
|
||||||
for example
|
|
||||||
```
|
|
||||||
_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com.
|
|
||||||
```
|
|
||||||
You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port`
|
|
||||||
|
|
||||||
For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md
|
|
||||||
|
|
||||||
If it is not automatically done, you need to open this in your ISP box.
|
|
||||||
|
|
||||||
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
|
|
||||||
|
|
||||||
https://federationtester.matrix.org/ can be used to easily debug federation issues
|
|
||||||
|
|
||||||
### Turnserver
|
|
||||||
|
|
||||||
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
|
|
||||||
```
|
|
||||||
yunohost app setting synapse turnserver_tls_port
|
|
||||||
yunohost app setting synapse turnserver_alt_tls_port
|
|
||||||
|
|
||||||
```
|
|
||||||
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
|
|
||||||
|
|
||||||
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
|
|
||||||
|
|
||||||
```
|
|
||||||
yunohost firewall allow Both 49153:49193
|
|
||||||
```
|
|
||||||
|
|
||||||
You might also need to open these ports (if it is not automatically done) on your ISP box.
|
|
||||||
|
|
||||||
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config.
|
|
||||||
|
|
||||||
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`).
|
|
||||||
|
|
||||||
```
|
|
||||||
*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh;
|
|
||||||
```
|
|
||||||
|
|
||||||
#### OpenVPN
|
|
||||||
|
|
||||||
In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
|
|
||||||
```
|
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
(
|
|
||||||
sleep 5
|
|
||||||
sudo systemctl restart coturn-synapse.service
|
|
||||||
) &
|
|
||||||
exit 0
|
|
||||||
```
|
|
||||||
|
|
||||||
Add this line in you sudo config file `/etc/sudoers`
|
|
||||||
```
|
|
||||||
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service
|
|
||||||
```
|
|
||||||
|
|
||||||
And add this line in your OpenVPN config file
|
|
||||||
```
|
|
||||||
ipchange /usr/local/bin/openvpn_up_script.sh
|
|
||||||
```
|
|
||||||
|
|
||||||
### Important Security Note
|
|
||||||
|
|
||||||
We do not recommend running Element from the same domain name as your Matrix
|
|
||||||
homeserver (synapse). The reason is the risk of XSS (cross-site-scripting)
|
|
||||||
vulnerabilities that could occur if someone caused Element to load and render
|
|
||||||
malicious user generated content from a Matrix API which then had trusted
|
|
||||||
access to Element (or other apps) due to sharing the same domain.
|
|
||||||
|
|
||||||
We have put some coarse mitigations into place to try to protect against this
|
|
||||||
situation, but it's still not a good practice to do it in the first place. See
|
|
||||||
https://github.com/vector-im/element-web/issues/1977 for more details.
|
|
||||||
|
|
||||||
## YunoHost specific features
|
|
||||||
|
|
||||||
## Limitations
|
|
||||||
|
|
||||||
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
|
|
||||||
|
|
||||||
This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh)
|
|
||||||
|
|
||||||
## Additional information
|
|
||||||
|
|
||||||
## Administration
|
|
||||||
|
|
||||||
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
|
|
||||||
|
|
||||||
Before any manipulation it's recommended to do a backup by this following command :
|
|
||||||
|
|
||||||
`sudo yunohost backup create --apps synapse`
|
|
||||||
|
|
||||||
### Set user as admin
|
|
||||||
|
|
||||||
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
|
|
||||||
|
|
||||||
The following command will grant admin privilege to the specified user:
|
|
||||||
```
|
|
||||||
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
|
|
||||||
```
|
|
||||||
|
|
||||||
### Administration API
|
|
||||||
|
|
||||||
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
|
|
||||||
By default, no one has access to this path.
|
|
||||||
|
|
||||||
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
|
|
||||||
you need to give this permission to visitors.
|
|
||||||
|
|
||||||
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
|
|
||||||
|
|
||||||
### Upgrade
|
|
||||||
|
|
||||||
By default a backup is made before the upgrade. If for some reason you want to upgrade without backup:
|
|
||||||
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
|
|
||||||
- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line:
|
|
||||||
|
|
||||||
`yunohost app setting synapse backup_before_upgrade -v 0`
|
|
||||||
|
|
||||||
After this settings will be applied for **all** next upgrade.
|
|
||||||
|
|
||||||
From command line:
|
|
||||||
|
|
||||||
`yunohost app upgrade synapse`
|
|
||||||
|
|
||||||
### Backup
|
|
||||||
|
|
||||||
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
|
|
||||||
|
|
||||||
- Stop synapse service with theses following command:
|
|
||||||
|
|
||||||
`systemctl stop synapse.service`
|
|
||||||
|
|
||||||
- Launch the backup of synapse with this following command:
|
|
||||||
|
|
||||||
`yunohost backup create --app synapse`
|
|
||||||
|
|
||||||
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
|
|
||||||
- Restart the synapse service with these command:
|
|
||||||
|
|
||||||
`systemctl start synapse.service`
|
|
||||||
|
|
||||||
### Remove
|
|
||||||
|
|
||||||
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
|
|
||||||
|
|
||||||
Use the `--purge` flag with the command, or remove it manually to purge app user data.
|
|
||||||
|
|
||||||
### Multi instance support
|
|
||||||
|
|
||||||
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:
|
|
||||||
```
|
|
||||||
yunohost app setting synapse__<instancenumber> synapse_tls_port
|
|
||||||
```
|
|
||||||
|
|
||||||
Before installing a second instance of the app it's really recommended to update all existing instances.
|
|
||||||
|
|
||||||
## Documentation and resources
|
## Documentation and resources
|
||||||
|
|
||||||
- Official app website: <https://matrix.org/>
|
- Official app website: <https://matrix.org/>
|
||||||
- Upstream app code repository: <https://github.com/matrix-org/synapse>
|
- Official admin documentation: <https://matrix-org.github.io/synapse/latest/welcome_and_overview.html>
|
||||||
|
- Upstream app code repository: <https://github.com/element-hq/synapse>
|
||||||
- YunoHost Store: <https://apps.yunohost.org/app/synapse>
|
- YunoHost Store: <https://apps.yunohost.org/app/synapse>
|
||||||
- Report a bug: <https://github.com/YunoHost-Apps/synapse_ynh/issues>
|
- Report a bug: <https://github.com/YunoHost-Apps/synapse_ynh/issues>
|
||||||
|
|
||||||
|
|
45
README_eu.md
Normal file
45
README_eu.md
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
<!--
|
||||||
|
Ohart ongi: README hau automatikoki sortu da <https://github.com/YunoHost/apps/tree/master/tools/readme_generator>ri esker
|
||||||
|
EZ editatu eskuz.
|
||||||
|
-->
|
||||||
|
|
||||||
|
# Synapse YunoHost-erako
|
||||||
|
|
||||||
|
[![Integrazio maila](https://dash.yunohost.org/integration/synapse.svg)](https://dash.yunohost.org/appci/app/synapse) ![Funtzionamendu egoera](https://ci-apps.yunohost.org/ci/badges/synapse.status.svg) ![Mantentze egoera](https://ci-apps.yunohost.org/ci/badges/synapse.maintain.svg)
|
||||||
|
|
||||||
|
[![Instalatu Synapse YunoHost-ekin](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=synapse)
|
||||||
|
|
||||||
|
*[Irakurri README hau beste hizkuntzatan.](./ALL_README.md)*
|
||||||
|
|
||||||
|
> *Pakete honek Synapse YunoHost zerbitzari batean azkar eta zailtasunik gabe instalatzea ahalbidetzen dizu.*
|
||||||
|
> *YunoHost ez baduzu, kontsultatu [gida](https://yunohost.org/install) nola instalatu ikasteko.*
|
||||||
|
|
||||||
|
## Aurreikuspena
|
||||||
|
|
||||||
|
Instant messaging server matrix network.
|
||||||
|
|
||||||
|
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
|
||||||
|
|
||||||
|
|
||||||
|
**Paketatutako bertsioa:** 1.104.0~ynh1
|
||||||
|
## Dokumentazioa eta baliabideak
|
||||||
|
|
||||||
|
- Aplikazioaren webgune ofiziala: <https://matrix.org/>
|
||||||
|
- Administratzaileen dokumentazio ofiziala: <https://matrix-org.github.io/synapse/latest/welcome_and_overview.html>
|
||||||
|
- Jatorrizko aplikazioaren kode-gordailua: <https://github.com/element-hq/synapse>
|
||||||
|
- YunoHost Denda: <https://apps.yunohost.org/app/synapse>
|
||||||
|
- Eman errore baten berri: <https://github.com/YunoHost-Apps/synapse_ynh/issues>
|
||||||
|
|
||||||
|
## Garatzaileentzako informazioa
|
||||||
|
|
||||||
|
Bidali `pull request`a [`testing` abarrera](https://github.com/YunoHost-Apps/synapse_ynh/tree/testing).
|
||||||
|
|
||||||
|
`testing` abarra probatzeko, ondorengoa egin:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo yunohost app install https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
|
||||||
|
edo
|
||||||
|
sudo yunohost app upgrade synapse -u https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
|
||||||
|
```
|
||||||
|
|
||||||
|
**Informazio gehiago aplikazioaren paketatzeari buruz:** <https://yunohost.org/packaging_apps>
|
189
README_fr.md
189
README_fr.md
|
@ -21,195 +21,12 @@ Instant messaging server matrix network.
|
||||||
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
|
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
|
||||||
|
|
||||||
|
|
||||||
**Version incluse :** 1.98.0~ynh1
|
**Version incluse :** 1.104.0~ynh1
|
||||||
## Avertissements / informations importantes
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
### Install for ARM arch (or slow arch)
|
|
||||||
|
|
||||||
For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install.
|
|
||||||
You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null`
|
|
||||||
After that you can install it without problem.
|
|
||||||
|
|
||||||
The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build
|
|
||||||
The script to build the binary is also available.
|
|
||||||
|
|
||||||
### Web client
|
|
||||||
|
|
||||||
If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh .
|
|
||||||
|
|
||||||
### Access by federation
|
|
||||||
|
|
||||||
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
|
|
||||||
|
|
||||||
If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation.
|
|
||||||
|
|
||||||
```
|
|
||||||
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
|
|
||||||
```
|
|
||||||
for example
|
|
||||||
```
|
|
||||||
_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com.
|
|
||||||
```
|
|
||||||
You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port`
|
|
||||||
|
|
||||||
For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md
|
|
||||||
|
|
||||||
If it is not automatically done, you need to open this in your ISP box.
|
|
||||||
|
|
||||||
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
|
|
||||||
|
|
||||||
https://federationtester.matrix.org/ can be used to easily debug federation issues
|
|
||||||
|
|
||||||
### Turnserver
|
|
||||||
|
|
||||||
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
|
|
||||||
```
|
|
||||||
yunohost app setting synapse turnserver_tls_port
|
|
||||||
yunohost app setting synapse turnserver_alt_tls_port
|
|
||||||
|
|
||||||
```
|
|
||||||
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
|
|
||||||
|
|
||||||
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
|
|
||||||
|
|
||||||
```
|
|
||||||
yunohost firewall allow Both 49153:49193
|
|
||||||
```
|
|
||||||
|
|
||||||
You might also need to open these ports (if it is not automatically done) on your ISP box.
|
|
||||||
|
|
||||||
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config.
|
|
||||||
|
|
||||||
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`).
|
|
||||||
|
|
||||||
```
|
|
||||||
*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh;
|
|
||||||
```
|
|
||||||
|
|
||||||
#### OpenVPN
|
|
||||||
|
|
||||||
In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
|
|
||||||
```
|
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
(
|
|
||||||
sleep 5
|
|
||||||
sudo systemctl restart coturn-synapse.service
|
|
||||||
) &
|
|
||||||
exit 0
|
|
||||||
```
|
|
||||||
|
|
||||||
Add this line in you sudo config file `/etc/sudoers`
|
|
||||||
```
|
|
||||||
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service
|
|
||||||
```
|
|
||||||
|
|
||||||
And add this line in your OpenVPN config file
|
|
||||||
```
|
|
||||||
ipchange /usr/local/bin/openvpn_up_script.sh
|
|
||||||
```
|
|
||||||
|
|
||||||
### Important Security Note
|
|
||||||
|
|
||||||
We do not recommend running Element from the same domain name as your Matrix
|
|
||||||
homeserver (synapse). The reason is the risk of XSS (cross-site-scripting)
|
|
||||||
vulnerabilities that could occur if someone caused Element to load and render
|
|
||||||
malicious user generated content from a Matrix API which then had trusted
|
|
||||||
access to Element (or other apps) due to sharing the same domain.
|
|
||||||
|
|
||||||
We have put some coarse mitigations into place to try to protect against this
|
|
||||||
situation, but it's still not a good practice to do it in the first place. See
|
|
||||||
https://github.com/vector-im/element-web/issues/1977 for more details.
|
|
||||||
|
|
||||||
## YunoHost specific features
|
|
||||||
|
|
||||||
## Limitations
|
|
||||||
|
|
||||||
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
|
|
||||||
|
|
||||||
This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh)
|
|
||||||
|
|
||||||
## Additional information
|
|
||||||
|
|
||||||
## Administration
|
|
||||||
|
|
||||||
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
|
|
||||||
|
|
||||||
Before any manipulation it's recommended to do a backup by this following command :
|
|
||||||
|
|
||||||
`sudo yunohost backup create --apps synapse`
|
|
||||||
|
|
||||||
### Set user as admin
|
|
||||||
|
|
||||||
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
|
|
||||||
|
|
||||||
The following command will grant admin privilege to the specified user:
|
|
||||||
```
|
|
||||||
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
|
|
||||||
```
|
|
||||||
|
|
||||||
### Administration API
|
|
||||||
|
|
||||||
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
|
|
||||||
By default, no one has access to this path.
|
|
||||||
|
|
||||||
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
|
|
||||||
you need to give this permission to visitors.
|
|
||||||
|
|
||||||
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
|
|
||||||
|
|
||||||
### Upgrade
|
|
||||||
|
|
||||||
By default a backup is made before the upgrade. If for some reason you want to upgrade without backup:
|
|
||||||
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
|
|
||||||
- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line:
|
|
||||||
|
|
||||||
`yunohost app setting synapse backup_before_upgrade -v 0`
|
|
||||||
|
|
||||||
After this settings will be applied for **all** next upgrade.
|
|
||||||
|
|
||||||
From command line:
|
|
||||||
|
|
||||||
`yunohost app upgrade synapse`
|
|
||||||
|
|
||||||
### Backup
|
|
||||||
|
|
||||||
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
|
|
||||||
|
|
||||||
- Stop synapse service with theses following command:
|
|
||||||
|
|
||||||
`systemctl stop synapse.service`
|
|
||||||
|
|
||||||
- Launch the backup of synapse with this following command:
|
|
||||||
|
|
||||||
`yunohost backup create --app synapse`
|
|
||||||
|
|
||||||
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
|
|
||||||
- Restart the synapse service with these command:
|
|
||||||
|
|
||||||
`systemctl start synapse.service`
|
|
||||||
|
|
||||||
### Remove
|
|
||||||
|
|
||||||
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
|
|
||||||
|
|
||||||
Use the `--purge` flag with the command, or remove it manually to purge app user data.
|
|
||||||
|
|
||||||
### Multi instance support
|
|
||||||
|
|
||||||
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:
|
|
||||||
```
|
|
||||||
yunohost app setting synapse__<instancenumber> synapse_tls_port
|
|
||||||
```
|
|
||||||
|
|
||||||
Before installing a second instance of the app it's really recommended to update all existing instances.
|
|
||||||
|
|
||||||
## Documentations et ressources
|
## Documentations et ressources
|
||||||
|
|
||||||
- Site officiel de l’app : <https://matrix.org/>
|
- Site officiel de l’app : <https://matrix.org/>
|
||||||
- Dépôt de code officiel de l’app : <https://github.com/matrix-org/synapse>
|
- Documentation officielle de l’admin : <https://matrix-org.github.io/synapse/latest/welcome_and_overview.html>
|
||||||
|
- Dépôt de code officiel de l’app : <https://github.com/element-hq/synapse>
|
||||||
- YunoHost Store : <https://apps.yunohost.org/app/synapse>
|
- YunoHost Store : <https://apps.yunohost.org/app/synapse>
|
||||||
- Signaler un bug : <https://github.com/YunoHost-Apps/synapse_ynh/issues>
|
- Signaler un bug : <https://github.com/YunoHost-Apps/synapse_ynh/issues>
|
||||||
|
|
||||||
|
|
189
README_gl.md
189
README_gl.md
|
@ -21,195 +21,12 @@ Instant messaging server matrix network.
|
||||||
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
|
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
|
||||||
|
|
||||||
|
|
||||||
**Versión proporcionada:** 1.98.0~ynh1
|
**Versión proporcionada:** 1.104.0~ynh1
|
||||||
## Avisos / información importante
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
### Install for ARM arch (or slow arch)
|
|
||||||
|
|
||||||
For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install.
|
|
||||||
You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null`
|
|
||||||
After that you can install it without problem.
|
|
||||||
|
|
||||||
The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build
|
|
||||||
The script to build the binary is also available.
|
|
||||||
|
|
||||||
### Web client
|
|
||||||
|
|
||||||
If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh .
|
|
||||||
|
|
||||||
### Access by federation
|
|
||||||
|
|
||||||
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
|
|
||||||
|
|
||||||
If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation.
|
|
||||||
|
|
||||||
```
|
|
||||||
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
|
|
||||||
```
|
|
||||||
for example
|
|
||||||
```
|
|
||||||
_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com.
|
|
||||||
```
|
|
||||||
You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port`
|
|
||||||
|
|
||||||
For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md
|
|
||||||
|
|
||||||
If it is not automatically done, you need to open this in your ISP box.
|
|
||||||
|
|
||||||
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
|
|
||||||
|
|
||||||
https://federationtester.matrix.org/ can be used to easily debug federation issues
|
|
||||||
|
|
||||||
### Turnserver
|
|
||||||
|
|
||||||
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
|
|
||||||
```
|
|
||||||
yunohost app setting synapse turnserver_tls_port
|
|
||||||
yunohost app setting synapse turnserver_alt_tls_port
|
|
||||||
|
|
||||||
```
|
|
||||||
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
|
|
||||||
|
|
||||||
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
|
|
||||||
|
|
||||||
```
|
|
||||||
yunohost firewall allow Both 49153:49193
|
|
||||||
```
|
|
||||||
|
|
||||||
You might also need to open these ports (if it is not automatically done) on your ISP box.
|
|
||||||
|
|
||||||
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config.
|
|
||||||
|
|
||||||
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`).
|
|
||||||
|
|
||||||
```
|
|
||||||
*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh;
|
|
||||||
```
|
|
||||||
|
|
||||||
#### OpenVPN
|
|
||||||
|
|
||||||
In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
|
|
||||||
```
|
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
(
|
|
||||||
sleep 5
|
|
||||||
sudo systemctl restart coturn-synapse.service
|
|
||||||
) &
|
|
||||||
exit 0
|
|
||||||
```
|
|
||||||
|
|
||||||
Add this line in you sudo config file `/etc/sudoers`
|
|
||||||
```
|
|
||||||
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service
|
|
||||||
```
|
|
||||||
|
|
||||||
And add this line in your OpenVPN config file
|
|
||||||
```
|
|
||||||
ipchange /usr/local/bin/openvpn_up_script.sh
|
|
||||||
```
|
|
||||||
|
|
||||||
### Important Security Note
|
|
||||||
|
|
||||||
We do not recommend running Element from the same domain name as your Matrix
|
|
||||||
homeserver (synapse). The reason is the risk of XSS (cross-site-scripting)
|
|
||||||
vulnerabilities that could occur if someone caused Element to load and render
|
|
||||||
malicious user generated content from a Matrix API which then had trusted
|
|
||||||
access to Element (or other apps) due to sharing the same domain.
|
|
||||||
|
|
||||||
We have put some coarse mitigations into place to try to protect against this
|
|
||||||
situation, but it's still not a good practice to do it in the first place. See
|
|
||||||
https://github.com/vector-im/element-web/issues/1977 for more details.
|
|
||||||
|
|
||||||
## YunoHost specific features
|
|
||||||
|
|
||||||
## Limitations
|
|
||||||
|
|
||||||
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
|
|
||||||
|
|
||||||
This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh)
|
|
||||||
|
|
||||||
## Additional information
|
|
||||||
|
|
||||||
## Administration
|
|
||||||
|
|
||||||
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
|
|
||||||
|
|
||||||
Before any manipulation it's recommended to do a backup by this following command :
|
|
||||||
|
|
||||||
`sudo yunohost backup create --apps synapse`
|
|
||||||
|
|
||||||
### Set user as admin
|
|
||||||
|
|
||||||
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
|
|
||||||
|
|
||||||
The following command will grant admin privilege to the specified user:
|
|
||||||
```
|
|
||||||
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
|
|
||||||
```
|
|
||||||
|
|
||||||
### Administration API
|
|
||||||
|
|
||||||
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
|
|
||||||
By default, no one has access to this path.
|
|
||||||
|
|
||||||
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
|
|
||||||
you need to give this permission to visitors.
|
|
||||||
|
|
||||||
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
|
|
||||||
|
|
||||||
### Upgrade
|
|
||||||
|
|
||||||
By default a backup is made before the upgrade. If for some reason you want to upgrade without backup:
|
|
||||||
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
|
|
||||||
- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line:
|
|
||||||
|
|
||||||
`yunohost app setting synapse backup_before_upgrade -v 0`
|
|
||||||
|
|
||||||
After this settings will be applied for **all** next upgrade.
|
|
||||||
|
|
||||||
From command line:
|
|
||||||
|
|
||||||
`yunohost app upgrade synapse`
|
|
||||||
|
|
||||||
### Backup
|
|
||||||
|
|
||||||
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
|
|
||||||
|
|
||||||
- Stop synapse service with theses following command:
|
|
||||||
|
|
||||||
`systemctl stop synapse.service`
|
|
||||||
|
|
||||||
- Launch the backup of synapse with this following command:
|
|
||||||
|
|
||||||
`yunohost backup create --app synapse`
|
|
||||||
|
|
||||||
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
|
|
||||||
- Restart the synapse service with these command:
|
|
||||||
|
|
||||||
`systemctl start synapse.service`
|
|
||||||
|
|
||||||
### Remove
|
|
||||||
|
|
||||||
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
|
|
||||||
|
|
||||||
Use the `--purge` flag with the command, or remove it manually to purge app user data.
|
|
||||||
|
|
||||||
### Multi instance support
|
|
||||||
|
|
||||||
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:
|
|
||||||
```
|
|
||||||
yunohost app setting synapse__<instancenumber> synapse_tls_port
|
|
||||||
```
|
|
||||||
|
|
||||||
Before installing a second instance of the app it's really recommended to update all existing instances.
|
|
||||||
|
|
||||||
## Documentación e recursos
|
## Documentación e recursos
|
||||||
|
|
||||||
- Web oficial da app: <https://matrix.org/>
|
- Web oficial da app: <https://matrix.org/>
|
||||||
- Repositorio de orixe do código: <https://github.com/matrix-org/synapse>
|
- Documentación oficial para admin: <https://matrix-org.github.io/synapse/latest/welcome_and_overview.html>
|
||||||
|
- Repositorio de orixe do código: <https://github.com/element-hq/synapse>
|
||||||
- Tenda YunoHost: <https://apps.yunohost.org/app/synapse>
|
- Tenda YunoHost: <https://apps.yunohost.org/app/synapse>
|
||||||
- Informar dun problema: <https://github.com/YunoHost-Apps/synapse_ynh/issues>
|
- Informar dun problema: <https://github.com/YunoHost-Apps/synapse_ynh/issues>
|
||||||
|
|
||||||
|
|
45
README_zh_Hans.md
Normal file
45
README_zh_Hans.md
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
<!--
|
||||||
|
注意:此 README 由 <https://github.com/YunoHost/apps/tree/master/tools/readme_generator> 自动生成
|
||||||
|
请勿手动编辑。
|
||||||
|
-->
|
||||||
|
|
||||||
|
# YunoHost 的 Synapse
|
||||||
|
|
||||||
|
[![集成程度](https://dash.yunohost.org/integration/synapse.svg)](https://dash.yunohost.org/appci/app/synapse) ![工作状态](https://ci-apps.yunohost.org/ci/badges/synapse.status.svg) ![维护状态](https://ci-apps.yunohost.org/ci/badges/synapse.maintain.svg)
|
||||||
|
|
||||||
|
[![使用 YunoHost 安装 Synapse](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=synapse)
|
||||||
|
|
||||||
|
*[阅读此 README 的其它语言版本。](./ALL_README.md)*
|
||||||
|
|
||||||
|
> *通过此软件包,您可以在 YunoHost 服务器上快速、简单地安装 Synapse。*
|
||||||
|
> *如果您还没有 YunoHost,请参阅[指南](https://yunohost.org/install)了解如何安装它。*
|
||||||
|
|
||||||
|
## 概况
|
||||||
|
|
||||||
|
Instant messaging server matrix network.
|
||||||
|
|
||||||
|
Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
|
||||||
|
|
||||||
|
|
||||||
|
**分发版本:** 1.104.0~ynh1
|
||||||
|
## 文档与资源
|
||||||
|
|
||||||
|
- 官方应用网站: <https://matrix.org/>
|
||||||
|
- 官方管理文档: <https://matrix-org.github.io/synapse/latest/welcome_and_overview.html>
|
||||||
|
- 上游应用代码库: <https://github.com/element-hq/synapse>
|
||||||
|
- YunoHost 商店: <https://apps.yunohost.org/app/synapse>
|
||||||
|
- 报告 bug: <https://github.com/YunoHost-Apps/synapse_ynh/issues>
|
||||||
|
|
||||||
|
## 开发者信息
|
||||||
|
|
||||||
|
请向 [`testing` 分支](https://github.com/YunoHost-Apps/synapse_ynh/tree/testing) 发送拉取请求。
|
||||||
|
|
||||||
|
如要尝试 `testing` 分支,请这样操作:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo yunohost app install https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
|
||||||
|
或
|
||||||
|
sudo yunohost app upgrade synapse -u https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug
|
||||||
|
```
|
||||||
|
|
||||||
|
**有关应用打包的更多信息:** <https://yunohost.org/packaging_apps>
|
33
actions.toml
33
actions.toml
|
@ -1,33 +0,0 @@
|
||||||
[update_turnserver_ip]
|
|
||||||
name = "Update turnserver ip"
|
|
||||||
command = "/opt/yunohost/matrix-$YNH_APP_INSTANCE_NAME/Coturn_config_rotate.sh"
|
|
||||||
user = "root"
|
|
||||||
accepted_return_codes = [0]
|
|
||||||
description = "Update the ip in the turnserver config"
|
|
||||||
|
|
||||||
[open_turnserver_firewall_ports]
|
|
||||||
name = "Open ports for turnserver"
|
|
||||||
command = "yunohost firewall allow Both 49153:49193"
|
|
||||||
user = "root"
|
|
||||||
accepted_return_codes = [0]
|
|
||||||
description = "Open the ports range 49153:49193 with TCP and UDP to be able to use correctly the turnserver."
|
|
||||||
|
|
||||||
[close_turnserver_firewall_ports]
|
|
||||||
name = "Close ports for turnserver"
|
|
||||||
command = "yunohost firewall disallow Both 49153:49193"
|
|
||||||
user = "root"
|
|
||||||
accepted_return_codes = [0]
|
|
||||||
description = "Close the ports range 49153:49193 with TCP and UDP. (Undo \"Open ports for turnserver\" action)"
|
|
||||||
|
|
||||||
[set_admin_user]
|
|
||||||
name = "Set a user as admin"
|
|
||||||
command = "[[ \"$(su --command=\"psql matrix_synapse\" postgres <<< \"UPDATE users SET admin = 1 WHERE name = '@$YNH_ACTION_USERNAME:$(yunohost app setting $YNH_APP_INSTANCE_NAME server_name)'\")\" == 'UPDATE 1' ]]"
|
|
||||||
user = "root"
|
|
||||||
accepted_return_codes = [0]
|
|
||||||
description = "Set a synapse user as admin in the synapse server. It is mainly required to manage the community function."
|
|
||||||
|
|
||||||
[set_admin_user.arguments]
|
|
||||||
[set_admin_user.arguments.username]
|
|
||||||
type = "string"
|
|
||||||
ask = "username of the user to set as admin"
|
|
||||||
example = "bob"
|
|
169
auto_update/auto_update.sh
Normal file
169
auto_update/auto_update.sh
Normal file
|
@ -0,0 +1,169 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
readonly app_name=synapse
|
||||||
|
|
||||||
|
source auto_update_config.sh
|
||||||
|
|
||||||
|
readonly debian_version_name_1=bullseye
|
||||||
|
readonly debian_version_name_2=bookworm
|
||||||
|
|
||||||
|
get_from_manifest() {
|
||||||
|
result=$(python3 <<EOL
|
||||||
|
import toml
|
||||||
|
import json
|
||||||
|
with open("../manifest.toml", "r") as f:
|
||||||
|
file_content = f.read()
|
||||||
|
loaded_toml = toml.loads(file_content)
|
||||||
|
json_str = json.dumps(loaded_toml)
|
||||||
|
print(json_str)
|
||||||
|
EOL
|
||||||
|
)
|
||||||
|
echo $result | jq -r "$1"
|
||||||
|
}
|
||||||
|
|
||||||
|
check_app_version() {
|
||||||
|
local app_remote_version=$(curl 'https://api.github.com/repos/element-hq/synapse/releases/latest' -H 'Host: api.github.com' --compressed | jq -r ".tag_name" | cut -dv -f2)
|
||||||
|
|
||||||
|
## Check if new build is needed
|
||||||
|
if [[ "$app_version" != "$app_remote_version" ]]
|
||||||
|
then
|
||||||
|
app_version="$app_remote_version"
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
upgrade_app() {
|
||||||
|
(
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
# Define output file name
|
||||||
|
# arm build: ${result_prefix_name_deb_1}-bin1_armv7l.tar.gz
|
||||||
|
# arm build checksum: ${result_prefix_name_deb_1}-bin1_armv7l-sha256.txt
|
||||||
|
# requirement.txt: ${result_prefix_name_deb_1}-build1_requirement.txt
|
||||||
|
readonly result_prefix_name_deb_1="matrix-synapse_${app_version}-$debian_version_name_1"
|
||||||
|
readonly result_prefix_name_deb_2="matrix-synapse_${app_version}-$debian_version_name_2"
|
||||||
|
|
||||||
|
# Build armv7 build
|
||||||
|
build_cmd_deb_1 $app_version $result_prefix_name_deb_1
|
||||||
|
build_cmd_deb_2 $app_version $result_prefix_name_deb_2
|
||||||
|
push_armv7_build
|
||||||
|
|
||||||
|
# Update python requirement
|
||||||
|
cp "$build_result_path_deb_1/${result_prefix_name_deb_1}"-build1_requirement.txt ../conf/requirement_"$debian_version_name_1".txt
|
||||||
|
cp "$build_result_path_deb_2/${result_prefix_name_deb_2}"-build1_requirement.txt ../conf/requirement_"$debian_version_name_2".txt
|
||||||
|
|
||||||
|
# Update manifest
|
||||||
|
sed -r -i 's|version = "[[:alnum:].]{4,8}~ynh[[:alnum:].]{1,2}"|version = "'${app_version}'~ynh1"|' ../manifest.toml
|
||||||
|
|
||||||
|
# Update this link
|
||||||
|
sed -r -i "s|armhf.url\s*=(.*)/releases/download/v[[:alnum:].]{4,10}/matrix-synapse_[[:alnum:].]{4,10}-$debian_version_name_1-bin[[:digit:]]_armv7l.tar.gz|armhf.url =\1/releases/download/v${app_version}/matrix-synapse_${app_version}-$debian_version_name_1-bin1_armv7l.tar.gz|" ../manifest.toml
|
||||||
|
sed -r -i "s|armhf.url\s*=(.*)/releases/download/v[[:alnum:].]{4,10}/matrix-synapse_[[:alnum:].]{4,10}-$debian_version_name_2-bin[[:digit:]]_armv7l.tar.gz|armhf.url =\1/releases/download/v${app_version}/matrix-synapse_${app_version}-$debian_version_name_2-bin1_armv7l.tar.gz|" ../manifest.toml
|
||||||
|
|
||||||
|
# Update checksum
|
||||||
|
sha256sum_arm_archive_deb_1=$(cat $build_result_path_deb_1/${result_prefix_name_deb_1}-bin1_armv7l-sha256.txt)
|
||||||
|
sha256sum_arm_archive_deb_2=$(cat $build_result_path_deb_2/${result_prefix_name_deb_2}-bin1_armv7l-sha256.txt)
|
||||||
|
prev_sha256sum_arm_archive_deb_1=$(get_from_manifest ".resources.sources.${app_name}_prebuilt_armv7_$debian_version_name_1.armhf.sha256")
|
||||||
|
prev_sha256sum_arm_archive_deb_2=$(get_from_manifest ".resources.sources.${app_name}_prebuilt_armv7_$debian_version_name_2.armhf.sha256")
|
||||||
|
sed -r -i "s|$prev_sha256sum_arm_archive_deb_1|$sha256sum_arm_archive_deb_1|" ../manifest.toml
|
||||||
|
sed -r -i "s|$prev_sha256sum_arm_archive_deb_2|$sha256sum_arm_archive_deb_2|" ../manifest.toml
|
||||||
|
|
||||||
|
git commit -a -m "Upgrade $app_name to $app_version"
|
||||||
|
git push gitea auto_update:auto_update
|
||||||
|
) 2>&1 | tee "${app_name}_build_temp.log"
|
||||||
|
return ${PIPESTATUS[0]}
|
||||||
|
}
|
||||||
|
|
||||||
|
push_armv7_build() {
|
||||||
|
## Make a draft release json with a markdown body
|
||||||
|
local release='"tag_name": "v'$app_version'", "target_commitish": "master", "name": "v'$app_version'", '
|
||||||
|
local body="$app_name prebuilt bin for ${app_name}_ynh\\n=========\\nPlease refer to upstream project for the change : https://github.com/element-hq/synapse/releases\\n\\nSha256sum for $debian_version_name_1 : $(cat $build_result_path_deb_1/${result_prefix_name_deb_1}-bin1_armv7l-sha256.txt)\\nSha256sum for $debian_version_name_2 : $(cat $build_result_path_deb_2/${result_prefix_name_deb_2}-bin1_armv7l-sha256.txt)"
|
||||||
|
release+='"body": "'$body'",'
|
||||||
|
release+='"draft": true, "prerelease": false'
|
||||||
|
release='{'$release'}'
|
||||||
|
local url="https://api.github.com/repos/$owner/$repo/releases"
|
||||||
|
local succ=$(curl -H "Authorization: token $perstok" --data "$release" $url)
|
||||||
|
|
||||||
|
## In case of success, we upload a file
|
||||||
|
local upload_generic=$(echo "$succ" | grep upload_url)
|
||||||
|
if [[ $? -eq 0 ]]; then
|
||||||
|
echo "Release created."
|
||||||
|
else
|
||||||
|
echo "Error creating release!"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
local upload_prefix
|
||||||
|
local upload_file
|
||||||
|
local upload_ok
|
||||||
|
local download
|
||||||
|
for archive_name in $build_result_path_deb_1/${result_prefix_name_deb_1}-bin1_armv7l.tar.gz \
|
||||||
|
$build_result_path_deb_2/${result_prefix_name_deb_2}-bin1_armv7l.tar.gz
|
||||||
|
do
|
||||||
|
|
||||||
|
# $upload_generic is like:
|
||||||
|
# "upload_url": "https://uploads.github.com/repos/:owner/:repo/releases/:ID/assets{?name,label}",
|
||||||
|
upload_prefix=$(echo $upload_generic | cut -d "\"" -f4 | cut -d "{" -f1)
|
||||||
|
upload_file="$upload_prefix?name=${archive_name##*/}"
|
||||||
|
|
||||||
|
echo "Start uploading file"
|
||||||
|
i=0
|
||||||
|
upload_ok=false
|
||||||
|
while [ $i -le 4 ]; do
|
||||||
|
i=$((i+1))
|
||||||
|
# Download file
|
||||||
|
set +e
|
||||||
|
succ=$(curl -H "Authorization: token $perstok" \
|
||||||
|
-H "Content-Type: $(file -b --mime-type $archive_name)" \
|
||||||
|
-H "Accept: application/vnd.github.v3+json" \
|
||||||
|
--data-binary @$archive_name $upload_file)
|
||||||
|
res=$?
|
||||||
|
set -e
|
||||||
|
if [ $res -ne 0 ]; then
|
||||||
|
echo "Curl upload failled"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
echo "Upload done, check result"
|
||||||
|
|
||||||
|
set +eu
|
||||||
|
download=$(echo "$succ" | egrep -o "browser_download_url.+?")
|
||||||
|
res=$?
|
||||||
|
if [ $res -ne 0 ] || [ -z "$download" ]; then
|
||||||
|
set -eu
|
||||||
|
echo "Result upload error"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
set -eu
|
||||||
|
echo "$download" | cut -d: -f2,3 | cut -d\" -f2
|
||||||
|
echo "Upload OK"
|
||||||
|
upload_ok=true
|
||||||
|
break
|
||||||
|
done
|
||||||
|
|
||||||
|
if ! $upload_ok; then
|
||||||
|
echo "Upload completely failed, exit"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
app_version=$(get_from_manifest ".version" | cut -d'~' -f1)
|
||||||
|
|
||||||
|
if check_app_version
|
||||||
|
then
|
||||||
|
set +eu
|
||||||
|
upgrade_app
|
||||||
|
res=$?
|
||||||
|
set -eu
|
||||||
|
if [ $res -eq 0 ]; then
|
||||||
|
result="Success"
|
||||||
|
else
|
||||||
|
result="Failed"
|
||||||
|
fi
|
||||||
|
msg="Build: $app_name version $app_version\n"
|
||||||
|
msg+="$(cat ${app_name}_build_temp.log)"
|
||||||
|
echo -e "$msg" | mail.mailutils -a "Content-Type: text/plain; charset=UTF-8" -s "Autoupgrade $app_name : $result" "$notify_email"
|
||||||
|
fi
|
24
auto_update/auto_update_config_example.sh
Normal file
24
auto_update/auto_update_config_example.sh
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
|
||||||
|
build_cmd_deb_1() {
|
||||||
|
pushd ~
|
||||||
|
sudo /root/build_synapse_bin.sh $1 $2 --chroot-yes
|
||||||
|
popd
|
||||||
|
sudo chown app_upgrader ~/$2*
|
||||||
|
}
|
||||||
|
build_cmd_deb_2() {
|
||||||
|
local target_dir=~
|
||||||
|
sudo chroot /mnt/bookworm_build /root/build_synapse_bin.sh $1 $2 --chroot-yes
|
||||||
|
sudo mv -t $target_dir /mnt/bookworm_build/$2*
|
||||||
|
sudo chown app_upgrader $target_dir/$2*
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
build_result_path_deb_1=~
|
||||||
|
build_result_path_deb_2=~
|
||||||
|
|
||||||
|
notify_email="hello@world.tld"
|
||||||
|
|
||||||
|
# For github arm release
|
||||||
|
owner="YunoHost-Apps"
|
||||||
|
repo="synapse_python_build"
|
||||||
|
perstok="kkk"
|
|
@ -1,25 +0,0 @@
|
||||||
;; General
|
|
||||||
; Manifest
|
|
||||||
domain="domain.tld"
|
|
||||||
path="/_matrix/static/"
|
|
||||||
is_free_registration=1
|
|
||||||
server_name="domain.tld"
|
|
||||||
; Checks
|
|
||||||
pkg_linter=1
|
|
||||||
setup_sub_dir=1
|
|
||||||
setup_root=0
|
|
||||||
setup_nourl=0
|
|
||||||
setup_private=0
|
|
||||||
setup_public=1
|
|
||||||
upgrade=1
|
|
||||||
upgrade=1 from_commit=b3bacec606f25c7f69de44da9e9e7eac405810c7
|
|
||||||
backup_restore=1
|
|
||||||
multi_instance=0
|
|
||||||
incorrect_path=0
|
|
||||||
port_already_use=1 (8448)
|
|
||||||
change_url=0
|
|
||||||
;;; Levels
|
|
||||||
Level 5=auto
|
|
||||||
;;; Upgrade options
|
|
||||||
; commit=ed9d550d69c168182aa9e070f265a141d8bd9fd2
|
|
||||||
name=Post app user creation
|
|
|
@ -1,7 +0,0 @@
|
||||||
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.98.0/matrix-synapse_1.98.0-bookworm-bin1_armv7l.tar.gz
|
|
||||||
SOURCE_SUM=d65552797237b1ce85f7a3a4c627f9da3c9b46fc72132ce8bb1a3022f78fd454
|
|
||||||
# (Optional) Program to check the integrity (sha256sum, md5sum...)
|
|
||||||
# default: sha256
|
|
||||||
SOURCE_SUM_PRG=sha256sum
|
|
||||||
SOURCE_FORMAT=tar.gz
|
|
||||||
SOURCE_IN_SUBDIR=true
|
|
|
@ -1,7 +0,0 @@
|
||||||
SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.98.0/matrix-synapse_1.98.0-bullseye-bin1_armv7l.tar.gz
|
|
||||||
SOURCE_SUM=ff48049e5f4a4b8ff1e84af999b694a4aece3d647e23c3b3fe013ea86a17c820
|
|
||||||
# (Optional) Program to check the integrity (sha256sum, md5sum...)
|
|
||||||
# default: sha256
|
|
||||||
SOURCE_SUM_PRG=sha256sum
|
|
||||||
SOURCE_FORMAT=tar.gz
|
|
||||||
SOURCE_IN_SUBDIR=true
|
|
|
@ -1,3 +0,0 @@
|
||||||
# Specify environment variables used when running Synapse
|
|
||||||
# SYNAPSE_CACHE_FACTOR=1 (default)
|
|
||||||
|
|
|
@ -5,7 +5,10 @@
|
||||||
# should have the same indentation.
|
# should have the same indentation.
|
||||||
#
|
#
|
||||||
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
|
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
|
||||||
|
#
|
||||||
|
# For more information on how to configure Synapse, including a complete accounting of
|
||||||
|
# each option, go to docs/usage/configuration/config_documentation.md or
|
||||||
|
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
|
||||||
|
|
||||||
## Modules ##
|
## Modules ##
|
||||||
|
|
||||||
|
@ -285,7 +288,7 @@ listeners:
|
||||||
# will also need to give Synapse a TLS key and certificate: see the TLS section
|
# will also need to give Synapse a TLS key and certificate: see the TLS section
|
||||||
# below.)
|
# below.)
|
||||||
#
|
#
|
||||||
- port: __SYNAPSE_TLS_PORT__
|
- port: __PORT_SYNAPSE_TLS__
|
||||||
type: http
|
type: http
|
||||||
tls: true
|
tls: true
|
||||||
resources:
|
resources:
|
||||||
|
@ -297,7 +300,7 @@ listeners:
|
||||||
# If you plan to use a reverse proxy, please see
|
# If you plan to use a reverse proxy, please see
|
||||||
# https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
|
# https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
|
||||||
#
|
#
|
||||||
- port: __PORT__
|
- port: __PORT_SYNAPSE__
|
||||||
tls: false
|
tls: false
|
||||||
type: http
|
type: http
|
||||||
x_forwarded: true
|
x_forwarded: true
|
||||||
|
@ -801,9 +804,9 @@ database:
|
||||||
name: psycopg2
|
name: psycopg2
|
||||||
#txn_limit: 10000
|
#txn_limit: 10000
|
||||||
args:
|
args:
|
||||||
user: __SYNAPSE_DB_USER__
|
user: __DB_USER__
|
||||||
password: __SYNAPSE_DB_PWD__
|
password: __DB_PWD__
|
||||||
database: __SYNAPSE_DB_NAME__
|
database: __DB_NAME__
|
||||||
host: localhost
|
host: localhost
|
||||||
port: 5432
|
port: 5432
|
||||||
cp_min: 5
|
cp_min: 5
|
||||||
|
@ -956,7 +959,7 @@ log_config: "/etc/matrix-__APP__/log.yaml"
|
||||||
|
|
||||||
# Directory where uploaded images and attachments are stored.
|
# Directory where uploaded images and attachments are stored.
|
||||||
#
|
#
|
||||||
media_store_path: "/home/yunohost.app/matrix-__APP__/media"
|
media_store_path: "__DATA_DIR__/media"
|
||||||
|
|
||||||
# Media storage providers allow media to be stored in different
|
# Media storage providers allow media to be stored in different
|
||||||
# locations.
|
# locations.
|
||||||
|
@ -970,7 +973,7 @@ media_storage_providers:
|
||||||
# Whether to wait for successful storage for local uploads
|
# Whether to wait for successful storage for local uploads
|
||||||
store_synchronous: false
|
store_synchronous: false
|
||||||
config:
|
config:
|
||||||
directory: "/home/yunohost.app/matrix-__APP__/media_storage"
|
directory: "__DATA_DIR__/media_storage"
|
||||||
|
|
||||||
# The largest allowed upload size in bytes
|
# The largest allowed upload size in bytes
|
||||||
#
|
#
|
||||||
|
@ -1178,7 +1181,7 @@ oembed:
|
||||||
|
|
||||||
# The public URIs of the TURN server to give to clients
|
# The public URIs of the TURN server to give to clients
|
||||||
#
|
#
|
||||||
turn_uris: [ "turn:__DOMAIN__:__TURNSERVER_TLS_PORT__?transport=udp", "turn:__DOMAIN__:__TURNSERVER_TLS_PORT__?transport=tcp" ]
|
__TURN_SERVER_CONFIG__
|
||||||
|
|
||||||
# The shared secret used to compute passwords for the TURN server
|
# The shared secret used to compute passwords for the TURN server
|
||||||
#
|
#
|
||||||
|
@ -1192,7 +1195,7 @@ turn_shared_secret: "__TURNSERVER_PWD__"
|
||||||
|
|
||||||
# How long generated TURN credentials last
|
# How long generated TURN credentials last
|
||||||
#
|
#
|
||||||
turn_user_lifetime: 1h
|
turn_user_lifetime: 12h
|
||||||
|
|
||||||
# Whether guests should be allowed to use the TURN server.
|
# Whether guests should be allowed to use the TURN server.
|
||||||
# This defaults to True, otherwise VoIP will be unreliable for guests.
|
# This defaults to True, otherwise VoIP will be unreliable for guests.
|
||||||
|
@ -1200,7 +1203,7 @@ turn_user_lifetime: 1h
|
||||||
# connect to arbitrary endpoints without having first signed up for a
|
# connect to arbitrary endpoints without having first signed up for a
|
||||||
# valid account (e.g. by passing a CAPTCHA).
|
# valid account (e.g. by passing a CAPTCHA).
|
||||||
#
|
#
|
||||||
turn_allow_guests: __TURN_ALLOW_GUESTS__
|
turn_allow_guests: __ALLOW_GUEST_ACCESS__
|
||||||
|
|
||||||
|
|
||||||
## Registration ##
|
## Registration ##
|
||||||
|
@ -1271,9 +1274,7 @@ enable_registration: __ENABLE_REGISTRATION__
|
||||||
|
|
||||||
# The user must provide all of the below types of 3PID when registering.
|
# The user must provide all of the below types of 3PID when registering.
|
||||||
#
|
#
|
||||||
registrations_require_3pid:
|
_REGISTRATION_REQUIRE_3PID_SED_PARAM_
|
||||||
- email
|
|
||||||
# - msisdn
|
|
||||||
|
|
||||||
# Explicitly disable asking for MSISDNs from the registration
|
# Explicitly disable asking for MSISDNs from the registration
|
||||||
# flow (overrides registrations_require_3pid if MSISDNs are set as required)
|
# flow (overrides registrations_require_3pid if MSISDNs are set as required)
|
||||||
|
@ -1283,6 +1284,7 @@ disable_msisdn_registration: __DISABLE_MSISDN_REGISTRATION__
|
||||||
# Mandate that users are only allowed to associate certain formats of
|
# Mandate that users are only allowed to associate certain formats of
|
||||||
# 3PIDs with accounts on this server.
|
# 3PIDs with accounts on this server.
|
||||||
#
|
#
|
||||||
|
_ALLOWD_LOCAL_3PIDS_SED_PARAM_
|
||||||
#allowed_local_3pids:
|
#allowed_local_3pids:
|
||||||
# - medium: email
|
# - medium: email
|
||||||
# pattern: '^[^@]+@vector\.im$'
|
# pattern: '^[^@]+@vector\.im$'
|
||||||
|
@ -1356,9 +1358,9 @@ default_identity_server: __DEFAULT_IDENTITY_SERVER__
|
||||||
# by the Matrix Identity Service API specification:
|
# by the Matrix Identity Service API specification:
|
||||||
# https://matrix.org/docs/spec/identity_service/latest
|
# https://matrix.org/docs/spec/identity_service/latest
|
||||||
#
|
#
|
||||||
# As email delegates is managed by the synapse server itself this email section is
|
# As email delegates is managed by the synapse server itself this email section is
|
||||||
# not necessary but msisdn format is still composed by msisdn: <value> on a new line
|
# not necessary but msisdn format is still composed by msisdn: <value> on a new line
|
||||||
account_threepid_delegates:
|
account_threepid_delegates:
|
||||||
msisdn: __ACCOUNT_THREEPID_DELEGATES_MSISDN__
|
msisdn: __ACCOUNT_THREEPID_DELEGATES_MSISDN__
|
||||||
#email: https://example.com # Delegate email sending to example.com
|
#email: https://example.com # Delegate email sending to example.com
|
||||||
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
|
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
|
||||||
|
@ -1395,8 +1397,7 @@ account_threepid_delegates:
|
||||||
# If the room already exists, make certain it is a publicly joinable
|
# If the room already exists, make certain it is a publicly joinable
|
||||||
# room. The join rule of the room must be set to 'public'.
|
# room. The join rule of the room must be set to 'public'.
|
||||||
#
|
#
|
||||||
auto_join_rooms:
|
_AUTO_JOIN_ROOMS_SED_PARAM_
|
||||||
- "#example:example.com"
|
|
||||||
|
|
||||||
# Where auto_join_rooms are specified, setting this flag ensures that the
|
# Where auto_join_rooms are specified, setting this flag ensures that the
|
||||||
# the rooms exist by creating them when the first user on the
|
# the rooms exist by creating them when the first user on the
|
||||||
|
@ -2043,7 +2044,7 @@ cas_config:
|
||||||
# Uncomment the following to enable authorization against a CAS server.
|
# Uncomment the following to enable authorization against a CAS server.
|
||||||
# Defaults to false.
|
# Defaults to false.
|
||||||
#
|
#
|
||||||
enabled: __SSO_ENABLED__
|
enabled: true
|
||||||
|
|
||||||
# The URL of the CAS authorization endpoint.
|
# The URL of the CAS authorization endpoint.
|
||||||
#
|
#
|
||||||
|
@ -2089,7 +2090,7 @@ sso:
|
||||||
# By default, this list contains only the login fallback page.
|
# By default, this list contains only the login fallback page.
|
||||||
#
|
#
|
||||||
client_whitelist:
|
client_whitelist:
|
||||||
__DOMAIN_WHITELIST_CLIENT__
|
_DOMAIN_WHITELIST_CLIENT_
|
||||||
|
|
||||||
# Uncomment to keep a user's profile fields in sync with information from
|
# Uncomment to keep a user's profile fields in sync with information from
|
||||||
# the identity provider. Currently only syncing the displayname is
|
# the identity provider. Currently only syncing the displayname is
|
||||||
|
@ -2247,12 +2248,10 @@ password_providers:
|
||||||
uid: "uid"
|
uid: "uid"
|
||||||
mail: "mail"
|
mail: "mail"
|
||||||
name: "givenName"
|
name: "givenName"
|
||||||
bind_dn: "uid=__SYNAPSE_USER_APP__,ou=users,dc=yunohost,dc=org"
|
|
||||||
bind_password: __SYNAPSE_USER_APP_PWD__
|
|
||||||
filter: "(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))"
|
filter: "(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Configuration for sending emails from Synapse.
|
# Configuration for sending emails from Synapse.
|
||||||
#
|
#
|
||||||
# Server admins can configure custom templates for email content. See
|
# Server admins can configure custom templates for email content. See
|
||||||
|
@ -2261,7 +2260,7 @@ password_providers:
|
||||||
email:
|
email:
|
||||||
# The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
|
# The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
|
||||||
#
|
#
|
||||||
smtp_host: "__MAIN_DOMAIN__"
|
smtp_host: "__DOMAIN__"
|
||||||
|
|
||||||
# The port on the mail server for outgoing SMTP. Defaults to 25.
|
# The port on the mail server for outgoing SMTP. Defaults to 25.
|
||||||
#
|
#
|
||||||
|
@ -2270,8 +2269,8 @@ email:
|
||||||
# Username/password for authentication to the SMTP server. By default, no
|
# Username/password for authentication to the SMTP server. By default, no
|
||||||
# authentication is attempted.
|
# authentication is attempted.
|
||||||
#
|
#
|
||||||
smtp_user: __SYNAPSE_USER_APP__
|
smtp_user: __APP__
|
||||||
smtp_pass: __SYNAPSE_USER_APP_PWD__
|
smtp_pass: __MAIL_PWD__
|
||||||
|
|
||||||
# Uncomment the following to require TLS transport security for SMTP.
|
# Uncomment the following to require TLS transport security for SMTP.
|
||||||
# By default, Synapse will connect over plain text, and will then switch to
|
# By default, Synapse will connect over plain text, and will then switch to
|
||||||
|
@ -2298,7 +2297,7 @@ email:
|
||||||
# Note that the placeholder must be written '%(app)s', including the
|
# Note that the placeholder must be written '%(app)s', including the
|
||||||
# trailing 's'.
|
# trailing 's'.
|
||||||
#
|
#
|
||||||
notif_from: "Your Friendly %(app)s Home Server <__SYNAPSE_USER_APP__@__DOMAIN__>"
|
notif_from: "Your Friendly %(app)s Home Server <__APP__@__DOMAIN__>"
|
||||||
|
|
||||||
# app_name defines the default value for '%(app)s' in notif_from and email
|
# app_name defines the default value for '%(app)s' in notif_from and email
|
||||||
# subjects. It defaults to 'Matrix'.
|
# subjects. It defaults to 'Matrix'.
|
||||||
|
|
|
@ -1,26 +1,31 @@
|
||||||
location __PATH__/ {
|
rewrite ^$ /;
|
||||||
proxy_pass http://localhost:__PORT__;
|
location ~ ^/$ {
|
||||||
|
default_type text/plain;
|
||||||
|
return 200 "This is where Synapse is installed.";
|
||||||
|
}
|
||||||
|
|
||||||
|
location /_matrix/ {
|
||||||
|
proxy_pass http://localhost:__PORT_SYNAPSE__;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
client_max_body_size 100M;
|
client_max_body_size __MAX_UPLOAD_SIZE__;
|
||||||
|
|
||||||
# Use the specific path for the php file. It's more secure than global php path
|
|
||||||
location __PATH__/cas_server.php {
|
|
||||||
alias /var/www/__APP__/;
|
|
||||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
|
||||||
fastcgi_pass unix:/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param REMOTE_USER $remote_user;
|
|
||||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
||||||
fastcgi_param SCRIPT_FILENAME cas_server.php;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Use the specific path for the php file. It's more secure than global php path
|
||||||
|
location /_matrix/cas_server.php/ {
|
||||||
|
alias /var/www/__APP__/;
|
||||||
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||||
|
fastcgi_pass unix:/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
|
||||||
|
include fastcgi_params;
|
||||||
|
fastcgi_param REMOTE_USER $remote_user;
|
||||||
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||||
|
fastcgi_param SCRIPT_FILENAME cas_server.php;
|
||||||
|
}
|
||||||
|
|
||||||
location /_synapse/ {
|
location /_synapse/ {
|
||||||
proxy_pass http://localhost:__PORT__;
|
proxy_pass http://localhost:__PORT_SYNAPSE__;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
|
@ -1,58 +1,58 @@
|
||||||
annotated-types==0.6.0
|
annotated-types==0.6.0
|
||||||
attrs==23.1.0
|
attrs==23.2.0
|
||||||
Automat==22.10.0
|
Automat==22.10.0
|
||||||
bcrypt==4.1.1
|
bcrypt==4.1.2
|
||||||
bleach==6.1.0
|
bleach==6.1.0
|
||||||
canonicaljson==2.0.0
|
canonicaljson==2.0.0
|
||||||
certifi==2023.11.17
|
certifi==2024.2.2
|
||||||
cffi==1.16.0
|
cffi==1.16.0
|
||||||
charset-normalizer==3.3.2
|
charset-normalizer==3.3.2
|
||||||
constantly==23.10.4
|
constantly==23.10.4
|
||||||
cryptography==41.0.7
|
cryptography==42.0.5
|
||||||
hyperlink==21.0.0
|
hyperlink==21.0.0
|
||||||
idna==3.6
|
idna==3.6
|
||||||
ijson==3.2.3
|
ijson==3.2.3
|
||||||
immutabledict==4.0.0
|
immutabledict==4.2.0
|
||||||
incremental==22.10.0
|
incremental==22.10.0
|
||||||
Jinja2==3.1.2
|
Jinja2==3.1.3
|
||||||
jsonschema==4.20.0
|
jsonschema==4.21.1
|
||||||
jsonschema-specifications==2023.11.2
|
jsonschema-specifications==2023.12.1
|
||||||
ldap3==2.9.1
|
ldap3==2.9.1
|
||||||
lxml==4.9.3
|
lxml==5.2.1
|
||||||
MarkupSafe==2.1.3
|
MarkupSafe==2.1.5
|
||||||
matrix-common==1.3.0
|
matrix-common==1.3.0
|
||||||
matrix-synapse==1.98.0
|
matrix-synapse==1.104.0
|
||||||
matrix-synapse-ldap3==0.3.0
|
matrix-synapse-ldap3==0.3.0
|
||||||
msgpack==1.0.7
|
msgpack==1.0.8
|
||||||
ndg-httpsclient==0.5.1
|
ndg-httpsclient==0.5.1
|
||||||
netaddr==0.9.0
|
netaddr==1.2.1
|
||||||
packaging==23.2
|
packaging==24.0
|
||||||
phonenumbers==8.13.26
|
phonenumbers==8.13.33
|
||||||
Pillow==10.1.0
|
pillow==10.3.0
|
||||||
prometheus-client==0.19.0
|
prometheus_client==0.20.0
|
||||||
psycopg2==2.9.9
|
psycopg2==2.9.9
|
||||||
pyasn1==0.5.1
|
pyasn1==0.6.0
|
||||||
pyasn1-modules==0.3.0
|
pyasn1_modules==0.4.0
|
||||||
pycparser==2.21
|
pycparser==2.22
|
||||||
pydantic==2.5.2
|
pydantic==2.6.4
|
||||||
pydantic_core==2.14.5
|
pydantic_core==2.16.3
|
||||||
pymacaroons==0.13.0
|
pymacaroons==0.13.0
|
||||||
PyNaCl==1.5.0
|
PyNaCl==1.5.0
|
||||||
pyOpenSSL==23.3.0
|
pyOpenSSL==24.1.0
|
||||||
PyYAML==6.0.1
|
PyYAML==6.0.1
|
||||||
referencing==0.32.0
|
referencing==0.34.0
|
||||||
requests==2.31.0
|
requests==2.31.0
|
||||||
rpds-py==0.13.2
|
rpds-py==0.18.0
|
||||||
semantic-version==2.10.0
|
semantic-version==2.10.0
|
||||||
service-identity==23.1.0
|
service-identity==24.1.0
|
||||||
setuptools-rust==1.8.1
|
setuptools-rust==1.9.0
|
||||||
signedjson==1.1.4
|
signedjson==1.1.4
|
||||||
six==1.16.0
|
six==1.16.0
|
||||||
sortedcontainers==2.4.0
|
sortedcontainers==2.4.0
|
||||||
treq==23.11.0
|
treq==23.11.0
|
||||||
Twisted==23.10.0
|
Twisted==24.3.0
|
||||||
typing_extensions==4.9.0
|
typing_extensions==4.10.0
|
||||||
unpaddedbase64==2.1.0
|
unpaddedbase64==2.1.0
|
||||||
urllib3==2.1.0
|
urllib3==2.2.1
|
||||||
webencodings==0.5.1
|
webencodings==0.5.1
|
||||||
zope.interface==6.1
|
zope.interface==6.2
|
||||||
|
|
|
@ -1,60 +1,59 @@
|
||||||
annotated-types==0.6.0
|
annotated-types==0.6.0
|
||||||
attrs==23.1.0
|
attrs==23.2.0
|
||||||
Automat==22.10.0
|
Automat==22.10.0
|
||||||
bcrypt==4.1.1
|
bcrypt==4.1.2
|
||||||
bleach==6.1.0
|
bleach==6.1.0
|
||||||
canonicaljson==2.0.0
|
canonicaljson==2.0.0
|
||||||
certifi==2023.11.17
|
certifi==2024.2.2
|
||||||
cffi==1.16.0
|
cffi==1.16.0
|
||||||
charset-normalizer==3.3.2
|
charset-normalizer==3.3.2
|
||||||
constantly==23.10.4
|
constantly==23.10.4
|
||||||
cryptography==41.0.7
|
cryptography==42.0.5
|
||||||
hyperlink==21.0.0
|
hyperlink==21.0.0
|
||||||
idna==3.6
|
idna==3.6
|
||||||
ijson==3.2.3
|
ijson==3.2.3
|
||||||
immutabledict==4.0.0
|
immutabledict==4.2.0
|
||||||
incremental==22.10.0
|
incremental==22.10.0
|
||||||
Jinja2==3.1.2
|
Jinja2==3.1.3
|
||||||
jsonschema==4.20.0
|
jsonschema==4.21.1
|
||||||
jsonschema-specifications==2023.11.2
|
jsonschema-specifications==2023.12.1
|
||||||
ldap3==2.9.1
|
ldap3==2.9.1
|
||||||
lxml==4.9.3
|
lxml==5.2.1
|
||||||
MarkupSafe==2.1.3
|
MarkupSafe==2.1.5
|
||||||
matrix-common==1.3.0
|
matrix-common==1.3.0
|
||||||
matrix-synapse==1.98.0
|
matrix-synapse==1.104.0
|
||||||
matrix-synapse-ldap3==0.3.0
|
matrix-synapse-ldap3==0.3.0
|
||||||
msgpack==1.0.7
|
msgpack==1.0.8
|
||||||
ndg-httpsclient==0.5.1
|
ndg-httpsclient==0.5.1
|
||||||
netaddr==0.9.0
|
netaddr==1.2.1
|
||||||
packaging==23.2
|
packaging==24.0
|
||||||
phonenumbers==8.13.26
|
phonenumbers==8.13.33
|
||||||
Pillow==10.1.0
|
pillow==10.3.0
|
||||||
pkg_resources==0.0.0
|
prometheus_client==0.20.0
|
||||||
prometheus-client==0.19.0
|
|
||||||
psycopg2==2.9.9
|
psycopg2==2.9.9
|
||||||
pyasn1==0.5.1
|
pyasn1==0.6.0
|
||||||
pyasn1-modules==0.3.0
|
pyasn1_modules==0.4.0
|
||||||
pycparser==2.21
|
pycparser==2.22
|
||||||
pydantic==2.5.2
|
pydantic==2.6.4
|
||||||
pydantic_core==2.14.5
|
pydantic_core==2.16.3
|
||||||
pymacaroons==0.13.0
|
pymacaroons==0.13.0
|
||||||
PyNaCl==1.5.0
|
PyNaCl==1.5.0
|
||||||
pyOpenSSL==23.3.0
|
pyOpenSSL==24.1.0
|
||||||
PyYAML==6.0.1
|
PyYAML==6.0.1
|
||||||
referencing==0.32.0
|
referencing==0.34.0
|
||||||
requests==2.31.0
|
requests==2.31.0
|
||||||
rpds-py==0.13.2
|
rpds-py==0.18.0
|
||||||
semantic-version==2.10.0
|
semantic-version==2.10.0
|
||||||
service-identity==23.1.0
|
service-identity==24.1.0
|
||||||
setuptools-rust==1.8.1
|
setuptools-rust==1.9.0
|
||||||
signedjson==1.1.4
|
signedjson==1.1.4
|
||||||
six==1.16.0
|
six==1.16.0
|
||||||
sortedcontainers==2.4.0
|
sortedcontainers==2.4.0
|
||||||
tomli==2.0.1
|
tomli==2.0.1
|
||||||
treq==23.11.0
|
treq==23.11.0
|
||||||
Twisted==23.10.0
|
Twisted==24.3.0
|
||||||
typing_extensions==4.9.0
|
typing_extensions==4.10.0
|
||||||
unpaddedbase64==2.1.0
|
unpaddedbase64==2.1.0
|
||||||
urllib3==2.1.0
|
urllib3==2.2.1
|
||||||
webencodings==0.5.1
|
webencodings==0.5.1
|
||||||
zope.interface==6.1
|
zope.interface==6.2
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
location /.well-known/matrix/server {
|
location = /.well-known/matrix/server {
|
||||||
return 200 '{"m.server": "__DOMAIN__:__SYNAPSE_TLS_PORT__"}';
|
return 200 '{"m.server": "__DOMAIN__:__PORT_SYNAPSE_TLS__"}';
|
||||||
add_header Content-Type application/json;
|
add_header Content-Type application/json;
|
||||||
add_header Access-Control-Allow-Origin '*';
|
add_header Access-Control-Allow-Origin '*';
|
||||||
}
|
}
|
||||||
|
|
||||||
location /.well-known/matrix/client {
|
location = /.well-known/matrix/client {
|
||||||
return 200 '{
|
return 200 '{
|
||||||
"m.homeserver": { "base_url": "https://__DOMAIN__" },
|
"m.homeserver": { "base_url": "https://__DOMAIN__" },
|
||||||
"im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER__"},
|
"im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER__"},
|
||||||
"im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT__ }
|
"im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT_CLIENT_CONFIG__ }
|
||||||
}';
|
}';
|
||||||
add_header Content-Type application/json;
|
add_header Content-Type application/json;
|
||||||
add_header Access-Control-Allow-Origin '*';
|
add_header Access-Control-Allow-Origin '*';
|
||||||
|
|
|
@ -1,15 +1,17 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Coturn
|
Description=Coturn
|
||||||
Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
|
Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
|
||||||
After=syslog.target network.target
|
After=syslog.target network-online.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
User=turnserver
|
User=turnserver
|
||||||
Group=turnserver
|
Group=turnserver
|
||||||
Type=simple
|
Type=notify
|
||||||
EnvironmentFile=/etc/default/coturn-__APP__
|
EnvironmentFile=/etc/matrix-__APP__/coturn_env
|
||||||
ExecStart=/usr/bin/turnserver -c /etc/matrix-__APP__/coturn.conf $EXTRA_OPTIONS --pidfile=
|
ExecStart=/usr/bin/turnserver -c /etc/matrix-__APP__/coturn.conf $EXTRA_OPTIONS --pidfile=
|
||||||
Restart=on-abort
|
Restart=on-failure
|
||||||
|
InaccessibleDirectories=/home
|
||||||
|
PrivateTmp=yes
|
||||||
|
|
||||||
LimitCORE=infinity
|
LimitCORE=infinity
|
||||||
LimitNOFILE=999999
|
LimitNOFILE=999999
|
|
@ -4,10 +4,9 @@ After=network.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
User=matrix-__APP__
|
User=__APP__
|
||||||
WorkingDirectory=/opt/yunohost/matrix-__APP__
|
WorkingDirectory=/opt/yunohost/matrix-__APP__
|
||||||
BindPaths=/etc/matrix-__APP__
|
BindPaths=/etc/matrix-__APP__
|
||||||
EnvironmentFile=/etc/default/matrix-__APP__
|
|
||||||
ExecStartPre=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/ --generate-keys
|
ExecStartPre=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/ --generate-keys
|
||||||
ExecStart=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/
|
ExecStart=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/
|
||||||
Restart=always
|
Restart=always
|
||||||
|
@ -41,7 +40,7 @@ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
|
||||||
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
|
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
|
||||||
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
|
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
|
||||||
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
|
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
|
||||||
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
|
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
|
@ -3,27 +3,39 @@ use-auth-secret
|
||||||
static-auth-secret=__TURNSERVER_PWD__
|
static-auth-secret=__TURNSERVER_PWD__
|
||||||
realm=__DOMAIN__
|
realm=__DOMAIN__
|
||||||
|
|
||||||
tls-listening-port=__TURNSERVER_TLS_PORT__
|
tls-listening-port=__PORT_TURNSERVER_TLS__
|
||||||
alt-tls-listening-port=__TURNSERVER_ALT_TLS_PORT__
|
alt-tls-listening-port=__PORT_TURNSERVER_ALT_TLS__
|
||||||
min-port=49153
|
min-port=49153
|
||||||
max-port=49193
|
max-port=49193
|
||||||
cli-port=__CLI_PORT__
|
cli-port=__PORT_CLI__
|
||||||
|
|
||||||
cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
|
cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
|
||||||
pkey=/etc/yunohost/certs/__DOMAIN__/key.pem
|
pkey=/etc/yunohost/certs/__DOMAIN__/key.pem
|
||||||
dh-file=/etc/ssl/private/dh2048.pem
|
dh-file=/etc/ssl/private/dh2048.pem
|
||||||
|
|
||||||
|
_TURN_CLEAR_COM_PARAM_
|
||||||
|
|
||||||
|
# Block old protocols
|
||||||
no-sslv2
|
no-sslv2
|
||||||
no-sslv3
|
no-sslv3
|
||||||
no-tlsv1
|
no-tlsv1
|
||||||
no-tlsv1_1
|
no-tlsv1_1
|
||||||
|
|
||||||
no-multicast-peers
|
|
||||||
|
|
||||||
no-cli
|
|
||||||
|
|
||||||
log-file=/var/log/matrix-__APP__/turnserver.log
|
log-file=/var/log/matrix-__APP__/turnserver.log
|
||||||
pidfile=/run/coturn-__APP__/turnserver.pid
|
pidfile=/run/coturn-__APP__/turnserver.pid
|
||||||
simple-log
|
simple-log
|
||||||
|
|
||||||
__TURN_EXTERNAL_IP__
|
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
|
||||||
|
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
|
||||||
|
total-quota=1200
|
||||||
|
|
||||||
|
# recommended additional local peers to block, to mitigate external access to internal services.
|
||||||
|
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
|
||||||
|
no-multicast-peers
|
||||||
|
denied-peer-ip=0.0.0.0-0.255.255.255
|
||||||
|
denied-peer-ip=127.0.0.0-127.255.255.255
|
||||||
|
|
||||||
|
# Max time 12h
|
||||||
|
max-allocate-lifetime=43200
|
||||||
|
|
||||||
|
_TURN_EXTERNAL_IP_
|
||||||
|
|
|
@ -1,76 +0,0 @@
|
||||||
# This file must be used with "source bin/activate" *from bash*
|
|
||||||
# you cannot run it directly
|
|
||||||
|
|
||||||
deactivate () {
|
|
||||||
# reset old environment variables
|
|
||||||
if [ -n "${_OLD_VIRTUAL_PATH:-}" ] ; then
|
|
||||||
PATH="${_OLD_VIRTUAL_PATH:-}"
|
|
||||||
export PATH
|
|
||||||
unset _OLD_VIRTUAL_PATH
|
|
||||||
fi
|
|
||||||
if [ -n "${_OLD_VIRTUAL_PYTHONHOME:-}" ] ; then
|
|
||||||
PYTHONHOME="${_OLD_VIRTUAL_PYTHONHOME:-}"
|
|
||||||
export PYTHONHOME
|
|
||||||
unset _OLD_VIRTUAL_PYTHONHOME
|
|
||||||
fi
|
|
||||||
|
|
||||||
# This should detect bash and zsh, which have a hash command that must
|
|
||||||
# be called to get it to forget past commands. Without forgetting
|
|
||||||
# past commands the $PATH changes we made may not be respected
|
|
||||||
if [ -n "${BASH:-}" -o -n "${ZSH_VERSION:-}" ] ; then
|
|
||||||
hash -r
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "${_OLD_VIRTUAL_PS1:-}" ] ; then
|
|
||||||
PS1="${_OLD_VIRTUAL_PS1:-}"
|
|
||||||
export PS1
|
|
||||||
unset _OLD_VIRTUAL_PS1
|
|
||||||
fi
|
|
||||||
|
|
||||||
unset VIRTUAL_ENV
|
|
||||||
if [ ! "${1:-}" = "nondestructive" ] ; then
|
|
||||||
# Self destruct!
|
|
||||||
unset -f deactivate
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# unset irrelevant variables
|
|
||||||
deactivate nondestructive
|
|
||||||
|
|
||||||
VIRTUAL_ENV="__FINAL_PATH__"
|
|
||||||
export VIRTUAL_ENV
|
|
||||||
|
|
||||||
_OLD_VIRTUAL_PATH="$PATH"
|
|
||||||
PATH="$VIRTUAL_ENV/bin:$PATH"
|
|
||||||
export PATH
|
|
||||||
|
|
||||||
# unset PYTHONHOME if set
|
|
||||||
# this will fail if PYTHONHOME is set to the empty string (which is bad anyway)
|
|
||||||
# could use `if (set -u; : $PYTHONHOME) ;` in bash
|
|
||||||
if [ -n "${PYTHONHOME:-}" ] ; then
|
|
||||||
_OLD_VIRTUAL_PYTHONHOME="${PYTHONHOME:-}"
|
|
||||||
unset PYTHONHOME
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT:-}" ] ; then
|
|
||||||
_OLD_VIRTUAL_PS1="${PS1:-}"
|
|
||||||
if [ "x(new) " != x ] ; then
|
|
||||||
PS1="(new) ${PS1:-}"
|
|
||||||
else
|
|
||||||
if [ "`basename \"$VIRTUAL_ENV\"`" = "__" ] ; then
|
|
||||||
# special case for Aspen magic directories
|
|
||||||
# see http://www.zetadev.com/software/aspen/
|
|
||||||
PS1="[`basename \`dirname \"$VIRTUAL_ENV\"\``] $PS1"
|
|
||||||
else
|
|
||||||
PS1="(`basename \"$VIRTUAL_ENV\"`)$PS1"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
export PS1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# This should detect bash and zsh, which have a hash command that must
|
|
||||||
# be called to get it to forget past commands. Without forgetting
|
|
||||||
# past commands the $PATH changes we made may not be respected
|
|
||||||
if [ -n "${BASH:-}" -o -n "${ZSH_VERSION:-}" ] ; then
|
|
||||||
hash -r
|
|
||||||
fi
|
|
|
@ -2,88 +2,83 @@ version = "1.0"
|
||||||
|
|
||||||
[main]
|
[main]
|
||||||
name = "Main Settings"
|
name = "Main Settings"
|
||||||
services = ["matrix-__APP__"]
|
services = ["__APP__"]
|
||||||
|
|
||||||
[main.welcome]
|
[main.welcome]
|
||||||
name = "Experience for new Users"
|
name = "Experience for new Users"
|
||||||
|
|
||||||
[main.welcome.enable_registration]
|
[main.welcome.enable_registration]
|
||||||
ask = "Enable Registration for new users."
|
ask = "Enable Registration for new users"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Defaults to 'false'. If 'true', it is highly recommended to use either captcha, email, or token-based verification to avoid SPAM."
|
help = "Defaults to 'false'. If 'true', it is highly recommended to use either captcha, email, or token-based verification to avoid SPAM."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[main.welcome.password_enabled]
|
[main.welcome.password_enabled]
|
||||||
ask = "Enable Password Login?"
|
ask = "Enable Password Login"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "If disabled, Login with Non-YunoHost Users impossible. But it simplies Login process if your Matrix server only has YunoHost SSO Users."
|
help = "If disabled, Login with Non-YunoHost Users impossible. But it simplies Login process if your Matrix server only has YunoHost SSO Users."
|
||||||
bind = "password_config>enabled:/etc/matrix-__APP__/homeserver.yaml"
|
# Temporary disable the visible flag due of https://github.com/YunoHost/issues/issues/2331
|
||||||
visible = "! enable_registration"
|
# visible = "! enable_registration"
|
||||||
|
|
||||||
[main.welcome.registrations_require_3pid]
|
[main.welcome.registrations_require_3pid]
|
||||||
ask = "Registration requires all following 3PID personal identifier."
|
ask = "Registration requires all following 3PID personal identifier"
|
||||||
type = "select"
|
type = "select"
|
||||||
choices = ["none","email", "msisdn", "email&msisdn"]
|
choices = ["email", "msisdn", "email&msisdn"]
|
||||||
help = "! Warning msisdn (Phone number) registration require a third party service which send confirmation token by SMS.\n Do not select any option including msisdn if you don't know what to do. And don't user email nor msisdn if you don't understand privacy flow\nDefaults to: 'none'."
|
help = "! Warning msisdn (Phone number) registration require a third party service which send confirmation token by SMS.\nDo not select msisdn if you don't know what to do. And don't select user msisdn if you don't understand privacy flow\nDefaults to: 'email'."
|
||||||
visible = "enable_registration"
|
visible = "enable_registration"
|
||||||
|
|
||||||
[main.welcome.allowed_local_3pids_email]
|
[main.welcome.allowed_local_3pids_email]
|
||||||
ask = "Register only with given email formats."
|
ask = "Register only with given email formats"
|
||||||
type = "tags"
|
type = "tags"
|
||||||
help = '( e.g. ^[^@]+@matrix\\\\.org$ ) Note that \\\ will write \\ as suggested in homeserver.yaml'
|
help = '( e.g. ^[^@]+@matrix\\.org$ )'
|
||||||
visible = 'enable_registration && (registrations_require_3pid == "email" || registrations_require_3pid == "email&msisdn")'
|
visible = 'enable_registration && (registrations_require_3pid == "email" || registrations_require_3pid == "email&msisdn")'
|
||||||
|
|
||||||
[main.welcome.allowed_local_3pids_msisdn]
|
[main.welcome.allowed_local_3pids_msisdn]
|
||||||
ask = "Register only with given phone number formats."
|
ask = "Register only with given phone number formats"
|
||||||
type = "tags"
|
type = "tags"
|
||||||
help = '( e.g. \\\\+33 ) Note that \\\ will write \\ as suggested in homeserver.yaml'
|
help = '( e.g. \\+33 )'
|
||||||
visible = 'enable_registration && (registrations_require_3pid == "email&msisdn" || registrations_require_3pid == "msisdn")'
|
visible = 'enable_registration && (registrations_require_3pid == "email&msisdn" || registrations_require_3pid == "msisdn")'
|
||||||
|
|
||||||
[main.welcome.disable_msisdn_registration]
|
[main.welcome.disable_msisdn_registration]
|
||||||
ask = "Disable asking Phone Number in Registration flow."
|
ask = "Disable asking Phone Number in Registration flow"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Overrides 3PID settings if MSISDNs are set as required."
|
help = "Overrides 3PID settings if MSISDNs are set as required."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
visible = "enable_registration"
|
visible = "enable_registration"
|
||||||
|
|
||||||
[main.welcome.account_threepid_delegates_msisdn]
|
[main.welcome.account_threepid_delegates_msisdn]
|
||||||
ask = "Specify a third party server to send confirmation code by SMS."
|
ask = "Specify a third party server to send confirmation code by SMS"
|
||||||
type = "string"
|
type = "string"
|
||||||
help = "That should be an URL with port or API."
|
help = "That should be an URL with port or API."
|
||||||
bind = "account_threepid_delegates>msisdn:/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
visible = 'enable_registration && (registrations_require_3pid == "email&msisdn" || registrations_require_3pid == "msisdn")'
|
visible = 'enable_registration && (registrations_require_3pid == "email&msisdn" || registrations_require_3pid == "msisdn")'
|
||||||
|
|
||||||
[main.welcome.auto_join_rooms]
|
[main.welcome.auto_join_rooms]
|
||||||
ask = "Auto Join new Users in following Rooms:"
|
ask = "Auto Join new Users in following Rooms"
|
||||||
type = "tags"
|
type = "tags"
|
||||||
help = "( e.g. \\\\#example:example.com ) Note that \\\\# will write # in homeserver.yaml. Users who register on this homeserver will automatically be joined to these rooms. If the room already exists, the join rule must be set to 'public'. See also next setting."
|
help = "( e.g. #example:example.com ) Users who register on this homeserver will automatically be joined to these rooms. If the room already exists, the join rule must be set to 'public'. See also next setting."
|
||||||
|
|
||||||
[main.welcome.autocreate_auto_join_rooms]
|
[main.welcome.autocreate_auto_join_rooms]
|
||||||
ask = "Auto-Create room for Auto Join if not existing?"
|
ask = "Auto-Create room for Auto Join if not existing"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Setting to false means that if the rooms are not manually created, users cannot be auto-joined. Auto-created rooms will be public and federated by default, this can be customised in CLI with the settings auto_join_*."
|
help = "Setting to false means that if the rooms are not manually created, users cannot be auto-joined. Auto-created rooms will be public and federated by default, this can be customised in CLI with the settings auto_join_*."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[main.welcome.notif_for_new_users]
|
[main.welcome.notif_for_new_users]
|
||||||
ask = "Enable email notifications for new users?"
|
ask = "Enable email notifications for new users"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Defaults to 'true'."
|
help = "Defaults to 'true'."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
visible = "enable_notifs"
|
visible = "enable_notifs"
|
||||||
|
|
||||||
[main.privacy]
|
[main.privacy]
|
||||||
name = "Data Privacy"
|
name = "Data Privacy"
|
||||||
|
|
||||||
[main.privacy.text]
|
[main.privacy.text]
|
||||||
ask = '''
|
ask = '''
|
||||||
* "all": any locally-created room
|
* "all": any locally-created room
|
||||||
|
@ -97,164 +92,145 @@ services = ["matrix-__APP__"]
|
||||||
type = "select"
|
type = "select"
|
||||||
choices = ["all", "invite", "off"]
|
choices = ["all", "invite", "off"]
|
||||||
help = "Note that encryption can always be turned on manually, even after creation."
|
help = "Note that encryption can always be turned on manually, even after creation."
|
||||||
bind = "encryption_enabled_by_default_for_room_type:/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[main.privacy.allow_public_rooms_over_federation]
|
[main.privacy.allow_public_rooms_over_federation]
|
||||||
ask = "Access Public Rooms Directory over Federation?"
|
ask = "Access Public Rooms Directory over Federation"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Disabled by default. If disabled, users on other homeserver will not be able to look for a public room on your homeserver. They will have to type the ID of the room to join."
|
help = "Disabled by default. If disabled, users on other homeserver will not be able to look for a public room on your homeserver. They will have to type the ID of the room to join."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[main.privacy.push_include_content]
|
[main.privacy.push_include_content]
|
||||||
ask = "Disable content sharing inside push notification."
|
ask = "Disable content sharing inside push notification"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Send content message and sender information in push notification. Set to false increase privacy when GAFAM notification service is used (ie: when element client is downloaded thrue Gplay store)."
|
help = "Send content message and sender information in push notification. Set to false increase privacy when GAFAM notification service is used (ie: when element client is downloaded thrue Gplay store)."
|
||||||
bind = "push>include_content:/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[main.experience]
|
[main.experience]
|
||||||
name = "User Experience"
|
name = "User Experience"
|
||||||
|
|
||||||
[main.experience.web_client_location]
|
[main.experience.web_client_location]
|
||||||
ask = "Element instance your HomeServer should redirect to."
|
ask = "Element instance your HomeServer should redirect to"
|
||||||
type = "url"
|
type = "url"
|
||||||
help = "URL to the web client which / will redirect to."
|
help = "URL to the web client which / will redirect to."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[main.experience.enable_group_creation]
|
[main.experience.enable_group_creation]
|
||||||
ask = "Allow non-server-admin Users to create Spaces?"
|
ask = "Allow non-server-admin Users to create Spaces"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Disabled by default: only server admins can create Spaces"
|
help = "Disabled by default: only server admins can create Spaces"
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[main.experience.enable_notifs]
|
[main.experience.enable_notifs]
|
||||||
ask = "Enable sending emails for messages the user missed?"
|
ask = "Enable sending emails for messages the user missed"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Defaults to 'false'."
|
help = "Defaults to 'false'."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[main.experience.client_base_url]
|
[main.experience.client_base_url]
|
||||||
ask = "URL for client links within the email notifications."
|
ask = "URL for client links within the email notifications"
|
||||||
type = "url"
|
type = "url"
|
||||||
help = "Used to be called 'riot_base_url', still supported"
|
help = "Used to be called 'riot_base_url', still supported"
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
visible = "enable_notifs"
|
visible = "enable_notifs"
|
||||||
|
|
||||||
[resources]
|
[resources]
|
||||||
name = "Resource Usage"
|
name = "Resource Usage"
|
||||||
services = ["matrix-__APP__", "nginx"]
|
services = ["__APP__"]
|
||||||
|
|
||||||
[resources.media]
|
[resources.media]
|
||||||
name = "Manage Media growth and clean-up"
|
name = "Manage Media growth and clean-up"
|
||||||
|
|
||||||
[resources.media.max_upload_size]
|
[resources.media.max_upload_size]
|
||||||
ask = "Largest allowed media upload size in bytes."
|
ask = "Largest allowed media upload size in bytes"
|
||||||
type = "string"
|
type = "string"
|
||||||
help = "Defaults to: '10M' . Format : <value><[GMK]?>"
|
help = "Defaults to: '10M' . Format : <value><[GMK]?>"
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[advanced]
|
[advanced]
|
||||||
name = "Advanced Settings"
|
name = "Advanced Settings"
|
||||||
services = ["matrix-__APP__"]
|
services = ["matrix-__APP__"]
|
||||||
|
|
||||||
[advanced.help]
|
# Disabled as it don't work any more on bookworm
|
||||||
name = "SETTINGS FOR EXPERTS IN SERVER ADMINISTRATION"
|
#
|
||||||
|
# [advanced.help]
|
||||||
[advanced.help.text]
|
# name = "SETTINGS FOR EXPERTS IN SERVER ADMINISTRATION"
|
||||||
ask = '''
|
#
|
||||||
!!There are security and privacy risks if you change these settings without knowing what you do!!
|
# [advanced.help.text]
|
||||||
'''
|
# ask = '''
|
||||||
type = "markdown"
|
# !!There are security and privacy risks if you change these settings without knowing what you do!!
|
||||||
|
# '''
|
||||||
|
# type = "markdown"
|
||||||
|
|
||||||
[advanced.others]
|
[advanced.others]
|
||||||
name = "Others"
|
name = "Others"
|
||||||
|
|
||||||
[advanced.others.backup_before_upgrade]
|
[advanced.others.report_stats]
|
||||||
ask = "Backup before upgrade?"
|
|
||||||
type = "boolean"
|
|
||||||
yes = "true"
|
|
||||||
no = "false"
|
|
||||||
help = "!! If disabled, do a manual backup before upgrade !! Disable if your Synapse instance is huge and you prefer to disable the backup that is normally automatically done before each upgrade."
|
|
||||||
|
|
||||||
[advanced.others.server_statistics]
|
|
||||||
ask = "Server statistics"
|
ask = "Server statistics"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Enable to send anonymous statistics to Synapse Developers to improve performance."
|
help = "Enable to send anonymous statistics to Synapse Developers to improve performance."
|
||||||
bind = "report_stats:/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[advanced.guests]
|
[advanced.guests]
|
||||||
name = "Experience for Guests / Anonymous"
|
name = "Experience for Guests / Anonymous"
|
||||||
|
|
||||||
[advanced.guests.invite_client_location]
|
[advanced.guests.invite_client_location]
|
||||||
ask = "Web client location to direct users to during an invite."
|
ask = "Web client location to direct users to during an invite"
|
||||||
type = "url"
|
type = "url"
|
||||||
help = "This is passed to the identity server as the org.matrix.web_client_location key. Defaults to unset, giving no guidance to the identity server."
|
help = "This is passed to the identity server as the org.matrix.web_client_location key. Defaults to unset, giving no guidance to the identity server."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[advanced.guests.allow_guest_access]
|
[advanced.guests.allow_guest_access]
|
||||||
ask = "Allow Users to Register as Guests?"
|
ask = "Allow Users to Register as Guests"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Guests can participate on this server in rooms with guest access enabled, without a password/email/etc."
|
help = "Guests can participate on this server in rooms with guest access enabled, without a password/email/etc."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[advanced.guests.auto_join_rooms_for_guests]
|
[advanced.guests.auto_join_rooms_for_guests]
|
||||||
ask = "Enable Auto Join Room for Guests?"
|
ask = "Enable Auto Join Room for Guests"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Defaults to 'true'."
|
help = "Defaults to 'true'."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
visible = "allow_guest_access"
|
visible = "allow_guest_access"
|
||||||
|
|
||||||
[advanced.privacy]
|
[advanced.privacy]
|
||||||
name = "Data Privacy"
|
name = "Data Privacy"
|
||||||
|
|
||||||
[advanced.privacy.enable_3pid_lookup]
|
[advanced.privacy.enable_3pid_lookup]
|
||||||
ask = "Allow discovering friends with phone number or email?"
|
ask = "Allow discovering friends with phone number or email"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Enable 3PIDs lookup requests to identity servers from this server. See Settings->General->Discovery in Element."
|
help = "Enable 3PIDs lookup requests to identity servers from this server. See Settings->General->Discovery in Element."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[advanced.privacy.default_identity_server]
|
[advanced.privacy.default_identity_server]
|
||||||
ask = "Identity server suggested to clients?"
|
ask = "Identity server suggested to clients"
|
||||||
type = "url"
|
type = "url"
|
||||||
help = "Identity server allows to discover, be discovered and invite people you know with phone number or email. If not set, users will probably chose centralized vector.im. See Settings->General->Discovery in Element."
|
help = "Identity server allows to discover, be discovered and invite people you know with phone number or email. If not set, users will probably chose centralized vector.im. See Settings->General->Discovery in Element."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[advanced.privacy.allow_public_rooms_without_auth]
|
[advanced.privacy.allow_public_rooms_without_auth]
|
||||||
ask = "Access Public Rooms Directory without authentification?"
|
ask = "Access Public Rooms Directory without authentification"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "Disabled by default. If enabled, anyone can query the Public Rooms Directory (access through the client API). This only makes sense if you want everyone to be able to scroll your public room to see what's interesting on your Homeserver"
|
help = "Disabled by default. If enabled, anyone can query the Public Rooms Directory (access through the client API). This only makes sense if you want everyone to be able to scroll your public room to see what's interesting on your Homeserver"
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[advanced.registration]
|
[advanced.registration]
|
||||||
name = "Account Registration"
|
name = "Account Registration"
|
||||||
|
|
||||||
[advanced.registration.registration_shared_secret]
|
[advanced.registration.registration_shared_secret]
|
||||||
ask = "Shared Secret for Registration."
|
ask = "Shared Secret for Registration"
|
||||||
type = "string"
|
type = "string"
|
||||||
help = "Allows registration of standard or admin accounts, even if Registration disabled."
|
help = "Allows registration of standard or admin accounts, even if Registration disabled."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
||||||
[advanced.registration.turn_allow_guests]
|
[advanced.security]
|
||||||
ask = "Should guests be allowed to use the TURN server?"
|
name = "Security"
|
||||||
|
|
||||||
|
[advanced.security.enable_dtls_for_audio_video_turn_call]
|
||||||
|
ask = "Enable TLS/DTLS on Audio/Video coll"
|
||||||
type = "boolean"
|
type = "boolean"
|
||||||
yes = "true"
|
yes = "true"
|
||||||
no = "false"
|
no = "false"
|
||||||
help = "This defaults to True, otherwise VoIP will be unreliable for guests. However, it does introduce a slight security risk as it allows users to connect to arbitrary endpoints without having first signed up for a valid account (e.g. by passing a CAPTCHA)."
|
help = "Enabling TLS/DTLS is really recommanded but it could bring some issues depending of the server certificate. There are some known issues with let's encrypt (https://github.com/element-hq/element-android/issues/1533), so if you have issues it could be better to disable this feature."
|
||||||
bind = ":/etc/matrix-__APP__/homeserver.yaml"
|
|
||||||
|
|
176
doc/ADMIN.md
Normal file
176
doc/ADMIN.md
Normal file
|
@ -0,0 +1,176 @@
|
||||||
|
## Web client
|
||||||
|
|
||||||
|
The most well-known Matrix web client is Element, which is available in the YunoHost app catalog: <https://github.com/YunoHost-Apps/element_ynh>.
|
||||||
|
|
||||||
|
### Important Security Note
|
||||||
|
|
||||||
|
We do not recommend running Element from the same domain name as your Matrix homeserver (synapse). The reason is the risk of XSS (cross-site-scripting) vulnerabilities that could occur if someone caused Element to load and render malicious user generated content from a Matrix API which then had trusted access to Element (or other apps) due to sharing the same domain.
|
||||||
|
|
||||||
|
We have put some coarse mitigations into place to try to protect against this situation, but it's still not a good practice to do it in the first place. See https://github.com/vector-im/element-web/issues/1977 for more details.
|
||||||
|
|
||||||
|
## Admin UI
|
||||||
|
|
||||||
|
You may be interested in the synapse-admin app, which provides an administration interface for synapse: <https://github.com/YunoHost-Apps/synapse-admin_ynh>.
|
||||||
|
|
||||||
|
Then, to log in the API with your admin credentials (cf next section)
|
||||||
|
|
||||||
|
### Set user as admin
|
||||||
|
|
||||||
|
Currently, the client interface doesn't allow to grant admin rights. The workaround is to enable it manually in the database. The YunoHost app provides a small script to do so, which can be invoked:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
/opt/yunohost/matrix-__APP__/set_admin_user.sh '@user_to_be_admin:domain.tld'
|
||||||
|
```
|
||||||
|
|
||||||
|
## Access by federation
|
||||||
|
|
||||||
|
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
|
||||||
|
|
||||||
|
If not, you can add the following line in the dns configuration but you normally don't need it as a `.well-known` file is edited during the install to declare your server name and port to the federation.
|
||||||
|
|
||||||
|
```
|
||||||
|
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
|
||||||
|
```
|
||||||
|
for example
|
||||||
|
```
|
||||||
|
_matrix._tcp.example.com. 3600 IN SRV 10 0 <synapse_port> synapse.example.com.
|
||||||
|
```
|
||||||
|
You need to replace `<synapse_port>` by the real port. This port can be obtained by the command: `yunohost app setting <synapse_instance_name> port_synapse_tls`
|
||||||
|
|
||||||
|
For more details, see : https://github.com/element-hq/synapse/blob/master/docs/federate.md
|
||||||
|
|
||||||
|
If it is not automatically done, you need to open this in your ISP box.
|
||||||
|
|
||||||
|
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
|
||||||
|
|
||||||
|
https://federationtester.matrix.org/ can be used to easily debug federation issues
|
||||||
|
|
||||||
|
## Turnserver
|
||||||
|
|
||||||
|
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
|
||||||
|
```bash
|
||||||
|
yunohost app setting synapse port_turnserver_tls
|
||||||
|
yunohost app setting synapse port_turnserver_alt_tls
|
||||||
|
```
|
||||||
|
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
|
||||||
|
|
||||||
|
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
yunohost firewall allow Both 49153:49193
|
||||||
|
```
|
||||||
|
|
||||||
|
You might also need to open these ports (if it is not automatically done) on your ISP box.
|
||||||
|
|
||||||
|
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/matrix-<synapse_instance_name>/Coturn_config_rotate.sh` to update your config.
|
||||||
|
|
||||||
|
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the `<synapse_instance_name>` which could be `synapse` or maybe `synapse__2`).
|
||||||
|
|
||||||
|
```
|
||||||
|
*/15 * * * * root bash /opt/yunohost/matrix-<synapse_instance_name>/Coturn_config_rotate.sh;
|
||||||
|
```
|
||||||
|
|
||||||
|
## OpenVPN
|
||||||
|
|
||||||
|
If your server is behind a VPN, you may want `synapse-coturn` ti automatically restart when the VPN restarts. To do this, create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
|
||||||
|
```bash
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
(
|
||||||
|
sleep 5
|
||||||
|
sudo systemctl restart synapse-coturn.service
|
||||||
|
) &
|
||||||
|
exit 0
|
||||||
|
```
|
||||||
|
|
||||||
|
Add this line in you sudo config file `/etc/sudoers`
|
||||||
|
```
|
||||||
|
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart synapse-coturn.service
|
||||||
|
```
|
||||||
|
|
||||||
|
And add this line in your OpenVPN config file
|
||||||
|
```
|
||||||
|
ipchange /usr/local/bin/openvpn_up_script.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
## Backup
|
||||||
|
|
||||||
|
Before any major maintenance action, it is recommended to backup the app.
|
||||||
|
|
||||||
|
To ensure the integrity of the data, it is recommended to explictly stop the server during the backup:
|
||||||
|
|
||||||
|
- Stop synapse service with theses following command:
|
||||||
|
```bash
|
||||||
|
systemctl stop synapse.service
|
||||||
|
```
|
||||||
|
|
||||||
|
- Launch the backup of synapse with this following command:
|
||||||
|
```bash
|
||||||
|
yunohost backup create --app synapse
|
||||||
|
```
|
||||||
|
|
||||||
|
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/synapse`.
|
||||||
|
- Restart the synapse service with these command:
|
||||||
|
```bash
|
||||||
|
systemctl start synapse.service
|
||||||
|
```
|
||||||
|
|
||||||
|
## Changing the server URL
|
||||||
|
|
||||||
|
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
|
||||||
|
|
||||||
|
Synapse give the possibility to change the domain of the instance. Note that this will only change the domain on which the synapse server will run. **This won't change the domain name of the account which is an other thing.**
|
||||||
|
|
||||||
|
The advantage of this is that you can put the app on a specific domain without impacting the domain name of the accounts. For instance you can have the synapse app on `matrix.yolo.net` and the user account will be something like that `@michu:yolo.net`. Note that it's the main difference between the domain of the app (which is `matrix.yolo.net`) and the "server name" which is `yolo.net`.
|
||||||
|
|
||||||
|
**Note that this change will have some important implications:**
|
||||||
|
- **This will break the connection from all previous connected clients. So all client connected before this change won't be able to communicate with the server until users will do a logout and login (which can also be problematic for e2e keys).** [There are a workaround which are described below](#avoid-the-need-to-reconnect-all-client-after-change-url-operation).
|
||||||
|
- In some case the client configuration will need to be updated. By example on element we can configure a default matrix server, this settings by example will need to be updated to the new domain to work correctly.
|
||||||
|
- In case of the "server name" domain are not on the same server than the synapse domain, you will need to update the `.well-known` or your DNS.
|
||||||
|
|
||||||
|
To do the change url of synapse you can do it by this following command or with the webadmin.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo yunohost app change-url synapse
|
||||||
|
```
|
||||||
|
|
||||||
|
### Avoid the need to reconnect all client after change-url operation
|
||||||
|
|
||||||
|
If you did change the url of synapse and you don't wan't to reconnect all client, this workaround should solve the issue.
|
||||||
|
|
||||||
|
The idea is to setup again a minimal configuration on the previous domain so the client configurated with the previous domain will still work correctly.
|
||||||
|
|
||||||
|
#### Nginx config
|
||||||
|
|
||||||
|
Retrive the server port with this command:
|
||||||
|
```bash
|
||||||
|
yunohost app setting synapse port_synapse
|
||||||
|
```
|
||||||
|
|
||||||
|
Edit the file `/etc/nginx/conf.d/<previous-domain.tld>.d/synapse.conf` and add this text:
|
||||||
|
```
|
||||||
|
location /_matrix/ {
|
||||||
|
proxy_pass http://localhost:<server_port_retrived_before>;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
|
client_max_body_size 200M;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Then reload nginx config:
|
||||||
|
```bash
|
||||||
|
systemctl reload nginx.service
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Add permanent rule on SSOWAT
|
||||||
|
|
||||||
|
- Edit the file `/etc/ssowat/conf.json.persistent`
|
||||||
|
- Add `"<previous-domain.tld>/_matrix"` into the list in: `permissions` > `custom_skipped` > `uris`
|
||||||
|
|
||||||
|
Now the configured client before the change-url should work again.
|
||||||
|
|
||||||
|
## Removing the app
|
||||||
|
|
||||||
|
The YunoHost policy is to not remove the data when removing an app (stored in `/home/yunohost.app/synapse`). Use the `--purge` flag during the removal of the app to remove those, or just manually delete the folder after the app is deleted.
|
|
@ -1,181 +0,0 @@
|
||||||
## Configuration
|
|
||||||
|
|
||||||
### Install for ARM arch (or slow arch)
|
|
||||||
|
|
||||||
For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install.
|
|
||||||
You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null`
|
|
||||||
After that you can install it without problem.
|
|
||||||
|
|
||||||
The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build
|
|
||||||
The script to build the binary is also available.
|
|
||||||
|
|
||||||
### Web client
|
|
||||||
|
|
||||||
If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh .
|
|
||||||
|
|
||||||
### Access by federation
|
|
||||||
|
|
||||||
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
|
|
||||||
|
|
||||||
If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation.
|
|
||||||
|
|
||||||
```
|
|
||||||
_matrix._tcp.<server_name.tld> <ttl> IN SRV 10 0 <port> <domain-or-subdomain-of-synapse.tld>
|
|
||||||
```
|
|
||||||
for example
|
|
||||||
```
|
|
||||||
_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com.
|
|
||||||
```
|
|
||||||
You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port`
|
|
||||||
|
|
||||||
For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md
|
|
||||||
|
|
||||||
If it is not automatically done, you need to open this in your ISP box.
|
|
||||||
|
|
||||||
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
|
|
||||||
|
|
||||||
https://federationtester.matrix.org/ can be used to easily debug federation issues
|
|
||||||
|
|
||||||
### Turnserver
|
|
||||||
|
|
||||||
For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands:
|
|
||||||
```
|
|
||||||
yunohost app setting synapse turnserver_tls_port
|
|
||||||
yunohost app setting synapse turnserver_alt_tls_port
|
|
||||||
|
|
||||||
```
|
|
||||||
The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193.
|
|
||||||
|
|
||||||
For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command:
|
|
||||||
|
|
||||||
```
|
|
||||||
yunohost firewall allow Both 49153:49193
|
|
||||||
```
|
|
||||||
|
|
||||||
You might also need to open these ports (if it is not automatically done) on your ISP box.
|
|
||||||
|
|
||||||
To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config.
|
|
||||||
|
|
||||||
If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`).
|
|
||||||
|
|
||||||
```
|
|
||||||
*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh;
|
|
||||||
```
|
|
||||||
|
|
||||||
#### OpenVPN
|
|
||||||
|
|
||||||
In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content:
|
|
||||||
```
|
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
(
|
|
||||||
sleep 5
|
|
||||||
sudo systemctl restart coturn-synapse.service
|
|
||||||
) &
|
|
||||||
exit 0
|
|
||||||
```
|
|
||||||
|
|
||||||
Add this line in you sudo config file `/etc/sudoers`
|
|
||||||
```
|
|
||||||
openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service
|
|
||||||
```
|
|
||||||
|
|
||||||
And add this line in your OpenVPN config file
|
|
||||||
```
|
|
||||||
ipchange /usr/local/bin/openvpn_up_script.sh
|
|
||||||
```
|
|
||||||
|
|
||||||
### Important Security Note
|
|
||||||
|
|
||||||
We do not recommend running Element from the same domain name as your Matrix
|
|
||||||
homeserver (synapse). The reason is the risk of XSS (cross-site-scripting)
|
|
||||||
vulnerabilities that could occur if someone caused Element to load and render
|
|
||||||
malicious user generated content from a Matrix API which then had trusted
|
|
||||||
access to Element (or other apps) due to sharing the same domain.
|
|
||||||
|
|
||||||
We have put some coarse mitigations into place to try to protect against this
|
|
||||||
situation, but it's still not a good practice to do it in the first place. See
|
|
||||||
https://github.com/vector-im/element-web/issues/1977 for more details.
|
|
||||||
|
|
||||||
## YunoHost specific features
|
|
||||||
|
|
||||||
## Limitations
|
|
||||||
|
|
||||||
Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM.
|
|
||||||
|
|
||||||
This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh)
|
|
||||||
|
|
||||||
## Additional information
|
|
||||||
|
|
||||||
## Administration
|
|
||||||
|
|
||||||
**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
|
|
||||||
|
|
||||||
Before any manipulation it's recommended to do a backup by this following command :
|
|
||||||
|
|
||||||
`sudo yunohost backup create --apps synapse`
|
|
||||||
|
|
||||||
### Set user as admin
|
|
||||||
|
|
||||||
Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
|
|
||||||
|
|
||||||
The following command will grant admin privilege to the specified user:
|
|
||||||
```
|
|
||||||
su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
|
|
||||||
```
|
|
||||||
|
|
||||||
### Administration API
|
|
||||||
|
|
||||||
Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
|
|
||||||
By default, no one has access to this path.
|
|
||||||
|
|
||||||
If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
|
|
||||||
you need to give this permission to visitors.
|
|
||||||
|
|
||||||
Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
|
|
||||||
|
|
||||||
### Upgrade
|
|
||||||
|
|
||||||
By default a backup is made before the upgrade. If for some reason you want to upgrade without backup:
|
|
||||||
- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
|
|
||||||
- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line:
|
|
||||||
|
|
||||||
`yunohost app setting synapse backup_before_upgrade -v 0`
|
|
||||||
|
|
||||||
After this settings will be applied for **all** next upgrade.
|
|
||||||
|
|
||||||
From command line:
|
|
||||||
|
|
||||||
`yunohost app upgrade synapse`
|
|
||||||
|
|
||||||
### Backup
|
|
||||||
|
|
||||||
This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
|
|
||||||
|
|
||||||
- Stop synapse service with theses following command:
|
|
||||||
|
|
||||||
`systemctl stop synapse.service`
|
|
||||||
|
|
||||||
- Launch the backup of synapse with this following command:
|
|
||||||
|
|
||||||
`yunohost backup create --app synapse`
|
|
||||||
|
|
||||||
- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
|
|
||||||
- Restart the synapse service with these command:
|
|
||||||
|
|
||||||
`systemctl start synapse.service`
|
|
||||||
|
|
||||||
### Remove
|
|
||||||
|
|
||||||
Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
|
|
||||||
|
|
||||||
Use the `--purge` flag with the command, or remove it manually to purge app user data.
|
|
||||||
|
|
||||||
### Multi instance support
|
|
||||||
|
|
||||||
To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:
|
|
||||||
```
|
|
||||||
yunohost app setting synapse__<instancenumber> synapse_tls_port
|
|
||||||
```
|
|
||||||
|
|
||||||
Before installing a second instance of the app it's really recommended to update all existing instances.
|
|
17
doc/POST_INSTALL.md
Normal file
17
doc/POST_INSTALL.md
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
|
||||||
|
|
||||||
|
If not, you may need to put the following line in the dns configuration:
|
||||||
|
|
||||||
|
```text
|
||||||
|
_matrix._tcp.__DOMAIN__. 3600 IN SRV 10 0 __PORT_SYNAPSE_TLS__ __DOMAIN__.
|
||||||
|
```
|
||||||
|
|
||||||
|
For more details, see : https://github.com/element-hq/synapse#setting-up-federation
|
||||||
|
|
||||||
|
You also need to open the TCP port __PORT_SYNAPSE_TLS__ on your ISP box if it's not automatically done.
|
||||||
|
|
||||||
|
Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .
|
||||||
|
|
||||||
|
If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh
|
||||||
|
|
||||||
|
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
|
3
doc/PRE_INSTALL.md
Normal file
3
doc/PRE_INSTALL.md
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
- Synapse consumes a significant amount of resources (both CPU and ARM), and therefore is not recommended for "small" setups such as small ARM boards
|
||||||
|
- During the install, the generation of Diffie-Hellman parameters may take a significant amount of time. You can speed things up by manually initializing them before running the install: `openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -dsaparam 2048`
|
||||||
|
- The package uses a prebuilt python virtual environnement. The binary are taken from this repository: <https://github.com/YunoHost-Apps/synapse_python_build>. The script to build the binary is also available.
|
|
@ -1,5 +1,5 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
if [ $1 == __DOMAIN__ ]; then
|
if [ $1 == __DOMAIN__ ]; then
|
||||||
systemctl restart matrix-__APP__
|
systemctl restart __APP__.service
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -1,69 +0,0 @@
|
||||||
{
|
|
||||||
"name": "Synapse",
|
|
||||||
"id": "synapse",
|
|
||||||
"packaging_format": 1,
|
|
||||||
"description": {
|
|
||||||
"en": "Instant messaging server which uses Matrix",
|
|
||||||
"fr": "Serveur de messagerie instantané basé sur Matrix"
|
|
||||||
},
|
|
||||||
"version": "1.98.0~ynh1",
|
|
||||||
"url": "http://matrix.org",
|
|
||||||
"license": "Apache-2.0",
|
|
||||||
"maintainer": {
|
|
||||||
"name": "Josué Tille",
|
|
||||||
"email": "josue@tille.ch"
|
|
||||||
},
|
|
||||||
"upstream": {
|
|
||||||
"license": "Apache-2.0",
|
|
||||||
"website": "https://matrix.org/",
|
|
||||||
"code": "https://github.com/matrix-org/synapse"
|
|
||||||
},
|
|
||||||
"requirements": {
|
|
||||||
"yunohost": ">= 11.2"
|
|
||||||
},
|
|
||||||
"multi_instance": true,
|
|
||||||
"services": [
|
|
||||||
"nginx"
|
|
||||||
],
|
|
||||||
"arguments": {
|
|
||||||
"install" : [
|
|
||||||
{
|
|
||||||
"name": "domain",
|
|
||||||
"type": "domain"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"name": "server_name",
|
|
||||||
"type": "string",
|
|
||||||
"ask": {
|
|
||||||
"en": "If your Synapse domain is a subdomain, you can choose a name for your Synapse server to have your Matrix user-ids looking like @user:domain.org instead of @user:synapse.domain.org",
|
|
||||||
"fr": "Si votre domaine pour Synapse est un sous-domaine, vous pouvez choisir un nom pour votre serveur Synapse afin que vos identifiants Matrix soient @utilisateur:domain.org plutôt que @utilisateur:synapse.domain.org"
|
|
||||||
},
|
|
||||||
"example": "domain.org",
|
|
||||||
"default": "Same than the domain"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"name": "is_free_registration",
|
|
||||||
"type": "boolean",
|
|
||||||
"ask": {
|
|
||||||
"en": "Is it a server with free registration?",
|
|
||||||
"fr": "Est-ce un serveur avec création de compte libre ?"
|
|
||||||
},
|
|
||||||
"default": false,
|
|
||||||
"help": {
|
|
||||||
"en": "A public server means that anybody will be able to register on this server.",
|
|
||||||
"fr": "Un serveur public signifie que n'importe qui pourra s'enregistrer sur ce serveur."
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"name": "jitsi_server",
|
|
||||||
"type": "string",
|
|
||||||
"ask": {
|
|
||||||
"en": "Jitsi server address for conferencing?",
|
|
||||||
"fr": "Adresse du serveur Jitsi pour les conférences ?"
|
|
||||||
},
|
|
||||||
"example": "domain.org",
|
|
||||||
"default": "jitsi.riot.im"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
124
manifest.toml
Normal file
124
manifest.toml
Normal file
|
@ -0,0 +1,124 @@
|
||||||
|
packaging_format = 2
|
||||||
|
|
||||||
|
id = "synapse"
|
||||||
|
name = "Synapse"
|
||||||
|
description.en = "Instant messaging server which uses Matrix"
|
||||||
|
description.fr = "Serveur de messagerie instantané basé sur Matrix"
|
||||||
|
|
||||||
|
version = "1.104.0~ynh1"
|
||||||
|
|
||||||
|
maintainers = ["Josué Tille"]
|
||||||
|
|
||||||
|
[upstream]
|
||||||
|
license = "Apache-2.0"
|
||||||
|
website = "https://matrix.org/"
|
||||||
|
code = "https://github.com/element-hq/synapse"
|
||||||
|
admindoc = "https://matrix-org.github.io/synapse/latest/welcome_and_overview.html"
|
||||||
|
cpe = "cpe:2.3:a:matrix:synapse"
|
||||||
|
fund = "https://matrix.org/support/#"
|
||||||
|
|
||||||
|
[integration]
|
||||||
|
yunohost = ">= 11.2.11"
|
||||||
|
architectures = "all"
|
||||||
|
multi_instance = true
|
||||||
|
ldap = true
|
||||||
|
sso = "not_relevant"
|
||||||
|
disk = "250M"
|
||||||
|
ram.build = "500M"
|
||||||
|
ram.runtime = "1G"
|
||||||
|
|
||||||
|
[install]
|
||||||
|
[install.domain]
|
||||||
|
# this is a generic question - ask strings are automatically handled by Yunohost's core
|
||||||
|
type = "domain"
|
||||||
|
|
||||||
|
[install.server_name]
|
||||||
|
ask.en = "If your Synapse domain is a subdomain, you can choose a name for your Synapse server to have your Matrix user-ids looking like @user:domain.org instead of @user:synapse.domain.org"
|
||||||
|
ask.fr = "Si votre domaine pour Synapse est un sous-domaine, vous pouvez choisir un nom pour votre serveur Synapse afin que vos identifiants Matrix soient @utilisateur:domain.org plutôt que @utilisateur:synapse.domain.org"
|
||||||
|
type = "string"
|
||||||
|
example = "domain.org"
|
||||||
|
default = "Same than the domain"
|
||||||
|
|
||||||
|
[install.is_free_registration]
|
||||||
|
ask.en = "Is it a server with free registration?"
|
||||||
|
ask.fr = "Est-ce un serveur avec création de compte libre ?"
|
||||||
|
help.en = "A public server means that anybody will be able to register on this server."
|
||||||
|
help.fr = "Un serveur public signifie que n'importe qui pourra s'enregistrer sur ce serveur."
|
||||||
|
type = "boolean"
|
||||||
|
default = false
|
||||||
|
|
||||||
|
[install.jitsi_server]
|
||||||
|
ask.en = "Jitsi server address for conferencing?"
|
||||||
|
ask.fr = "Adresse du serveur Jitsi pour les conférences ?"
|
||||||
|
type = "string"
|
||||||
|
example = "domain.org"
|
||||||
|
default = "jitsi.riot.im"
|
||||||
|
|
||||||
|
[install.init_main_permission]
|
||||||
|
help.en = "Define the users allowed to access to synapse. Setting this to 'visitors' don't make sens in this case."
|
||||||
|
type = "group"
|
||||||
|
example = "all_users"
|
||||||
|
default = "all_users"
|
||||||
|
|
||||||
|
[resources]
|
||||||
|
[resources.sources.synapse_prebuilt_armv7_bookworm]
|
||||||
|
prefetch = false
|
||||||
|
armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.104.0/matrix-synapse_1.104.0-bookworm-bin1_armv7l.tar.gz"
|
||||||
|
armhf.sha256 = "880c3507a424277cd5414363e22dc2018407e572c5f7bb388a6560707ae4231e"
|
||||||
|
|
||||||
|
[resources.sources.synapse_prebuilt_armv7_bullseye]
|
||||||
|
prefetch = false
|
||||||
|
armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.104.0/matrix-synapse_1.104.0-bullseye-bin1_armv7l.tar.gz"
|
||||||
|
armhf.sha256 = "8f2f957d25566e5051aa0d5c88bcedacf6ea1615cc7aca84491a7ded84fbae11"
|
||||||
|
|
||||||
|
[resources.system_user]
|
||||||
|
allow_email = true
|
||||||
|
home = "/opt/yunohost/matrix-__APP__"
|
||||||
|
|
||||||
|
[resources.install_dir]
|
||||||
|
dir = "/var/www/__APP__"
|
||||||
|
owner = "__APP__:rwX"
|
||||||
|
group = "__APP__:rX"
|
||||||
|
|
||||||
|
[resources.data_dir]
|
||||||
|
dir = "/home/yunohost.app/__APP__"
|
||||||
|
|
||||||
|
[resources.permissions]
|
||||||
|
main.url = "/"
|
||||||
|
main.additional_urls = ["/_matrix/cas_server.php/login"]
|
||||||
|
main.label = "Server SSO"
|
||||||
|
main.auth_header = true
|
||||||
|
main.show_tile=false
|
||||||
|
main.protected = true
|
||||||
|
|
||||||
|
server_api.url = "/_matrix"
|
||||||
|
server_api.label = "Server access for client apps"
|
||||||
|
server_api.allowed = "visitors"
|
||||||
|
server_api.auth_header = false
|
||||||
|
server_api.show_tile = false
|
||||||
|
server_api.protected = true
|
||||||
|
|
||||||
|
admin_api.url = "/_synapse"
|
||||||
|
admin_api.label = "Admin API"
|
||||||
|
admin_api.allowed = "visitors"
|
||||||
|
admin_api.auth_header = false
|
||||||
|
admin_api.show_tile = false
|
||||||
|
admin_api.protected = true
|
||||||
|
|
||||||
|
[resources.ports]
|
||||||
|
synapse_tls.default = 8448
|
||||||
|
synapse_tls.exposed = "TCP"
|
||||||
|
synapse.default = 8008
|
||||||
|
turnserver_tls.default = 5349
|
||||||
|
turnserver_tls.exposed = "Both"
|
||||||
|
turnserver_alt_tls.default = 5350
|
||||||
|
turnserver_alt_tls.exposed = "Both"
|
||||||
|
cli.default = 5766
|
||||||
|
|
||||||
|
[resources.apt]
|
||||||
|
packages = ["coturn", "acl", "postgresql", "php-fpm",
|
||||||
|
"python3-dev", "python3-venv", "python3-pip", "python3-setuptools", "python3-lxml",
|
||||||
|
"build-essential", "libffi-dev", "libssl-dev", "libxml2-dev", "libxslt1-dev", "zlib1g-dev", "libjpeg-dev", "libpq-dev"]
|
||||||
|
|
||||||
|
[resources.database]
|
||||||
|
type = "postgresql"
|
|
@ -1,65 +1,186 @@
|
||||||
dependances="coturn build-essential python3-dev libffi-dev python3-pip python3-setuptools sqlite3 libssl-dev python3-venv libxml2-dev libxslt1-dev python3-lxml zlib1g-dev libjpeg-dev libpq-dev postgresql acl"
|
|
||||||
python_version="$(python3 -V | cut -d' ' -f2 | cut -d. -f1-2)"
|
python_version="$(python3 -V | cut -d' ' -f2 | cut -d. -f1-2)"
|
||||||
app=$YNH_APP_INSTANCE_NAME
|
code_dir="/opt/yunohost/matrix-$app"
|
||||||
|
|
||||||
install_sources() {
|
install_sources() {
|
||||||
# Install/upgrade synapse in virtualenv
|
# Install/upgrade synapse in virtualenv
|
||||||
|
|
||||||
# Clean venv is it was on python2.7 or python3 with old version in case major upgrade of debian
|
# Clean venv is it was on python2.7 or python3 with old version in case major upgrade of debian
|
||||||
if [ ! -e $final_path/bin/python3 ] || [ ! -e $final_path/lib/python$python_version ]; then
|
if [ ! -e $code_dir/bin/python3 ] || [ ! -e $code_dir/lib/python$python_version ]; then
|
||||||
ynh_secure_remove --file=$final_path/bin
|
ynh_secure_remove --file=$code_dir/bin
|
||||||
ynh_secure_remove --file=$final_path/lib
|
ynh_secure_remove --file=$code_dir/lib
|
||||||
ynh_secure_remove --file=$final_path/lib64
|
ynh_secure_remove --file=$code_dir/lib64
|
||||||
ynh_secure_remove --file=$final_path/include
|
ynh_secure_remove --file=$code_dir/include
|
||||||
ynh_secure_remove --file=$final_path/share
|
ynh_secure_remove --file=$code_dir/share
|
||||||
ynh_secure_remove --file=$final_path/pyvenv.cfg
|
ynh_secure_remove --file=$code_dir/pyvenv.cfg
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -p $final_path
|
mkdir -p $code_dir
|
||||||
chown $synapse_user:root -R $final_path
|
chown $app:root -R $code_dir
|
||||||
|
|
||||||
if [ -n "$(uname -m | grep arm)" ]
|
if [ -n "$(uname -m | grep arm)" ]
|
||||||
then
|
then
|
||||||
# Clean old file, sometimes it could make some big issues if we don't do this!!
|
# Clean old file, sometimes it could make some big issues if we don't do this!!
|
||||||
ynh_secure_remove --file=$final_path/bin
|
ynh_secure_remove --file=$code_dir/bin
|
||||||
ynh_secure_remove --file=$final_path/lib
|
ynh_secure_remove --file=$code_dir/lib
|
||||||
ynh_secure_remove --file=$final_path/include
|
ynh_secure_remove --file=$code_dir/include
|
||||||
ynh_secure_remove --file=$final_path/share
|
ynh_secure_remove --file=$code_dir/share
|
||||||
|
|
||||||
ynh_setup_source --dest_dir=$final_path/ --source_id="armv7_$(lsb_release --codename --short)"
|
ynh_setup_source --dest_dir=$code_dir/ --source_id="synapse_prebuilt_armv7_$(lsb_release --codename --short)"
|
||||||
|
|
||||||
# Fix multi-instance support
|
# Fix multi-instance support
|
||||||
for f in $(ls $final_path/bin); do
|
for f in $(ls $code_dir/bin); do
|
||||||
if ! [[ $f =~ "__" ]]; then
|
if ! [[ $f =~ "__" ]]; then
|
||||||
ynh_replace_special_string --match_string='#!/opt/yunohost/matrix-synapse' --replace_string='#!'$final_path --target_file=$final_path/bin/$f
|
ynh_replace_special_string --match_string='#!/opt/yunohost/matrix-synapse' --replace_string='#!'$code_dir --target_file=$code_dir/bin/$f
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
|
|
||||||
# Install virtualenv if it don't exist
|
# Install virtualenv if it don't exist
|
||||||
test -e $final_path/bin/python3 || python3 -m venv $final_path
|
test -e $code_dir/bin/python3 || python3 -m venv $code_dir
|
||||||
|
|
||||||
# Install synapse in virtualenv
|
# Install synapse in virtualenv
|
||||||
|
local pip3=$code_dir/bin/pip3
|
||||||
|
|
||||||
# We set all necessary environement variable to create a python virtualenvironnement.
|
$pip3 install --upgrade setuptools wheel pip cffi
|
||||||
u_arg='u'
|
$pip3 install --upgrade -r $YNH_APP_BASEDIR/conf/requirement_$(lsb_release --codename --short).txt
|
||||||
set +$u_arg;
|
fi
|
||||||
source $final_path/bin/activate
|
|
||||||
set -$u_arg;
|
|
||||||
|
|
||||||
pip3 install --upgrade setuptools wheel pip
|
|
||||||
pip3 install --upgrade cffi ndg-httpsclient psycopg2 lxml jinja2
|
|
||||||
pip3 install --upgrade -r $YNH_APP_BASEDIR/conf/requirement_$(lsb_release --codename --short).txt
|
|
||||||
|
|
||||||
# This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
|
# Apply patch for LDAP auth if needed
|
||||||
set +$u_arg;
|
# Note that we put patch into scripts dir because /source are not stored and can't be used on restore
|
||||||
deactivate
|
if ! grep -F -q '# LDAP Filter anonymous user Applied' $code_dir/lib/python$python_version/site-packages/ldap_auth_provider.py; then
|
||||||
set -$u_arg;
|
pushd $code_dir/lib/python$python_version/site-packages
|
||||||
|
patch < $YNH_APP_BASEDIR/scripts/patch/ldap_auth_filter_anonymous_user.patch
|
||||||
|
popd
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
get_domain_list() {
|
configure_synapse() {
|
||||||
yunohost --output-as plain domain list | grep -E "^#" -v | sort | uniq | while read domain; do
|
local domain_whitelist_client=$(yunohost --output-as plain domain list \
|
||||||
echo -n " - https://$domain\n"
|
| grep -E "^#" -v \
|
||||||
done
|
| sort | uniq \
|
||||||
|
| sed -r 's|^(.*)$| - \1|' \
|
||||||
|
| sed -z 's|\n|\\n|g')
|
||||||
|
local macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
|
||||||
|
local auto_join_rooms_sed_param=""
|
||||||
|
if [ -n "$auto_join_rooms" ]; then
|
||||||
|
auto_join_rooms_sed_param+='auto_join_rooms:'
|
||||||
|
while read -d, room; do
|
||||||
|
auto_join_rooms_sed_param+='\n - "'$room'"'
|
||||||
|
done <<< "${auto_join_rooms},"
|
||||||
|
fi
|
||||||
|
local registration_require_3pid_sed_param=""
|
||||||
|
case ${registrations_require_3pid} in
|
||||||
|
'email')
|
||||||
|
registration_require_3pid_sed_param="registrations_require_3pid:\n - email"
|
||||||
|
;;
|
||||||
|
'msisdn')
|
||||||
|
registration_require_3pid_sed_param="registrations_require_3pid:\n - msisdn"
|
||||||
|
;;
|
||||||
|
'email&msisdn')
|
||||||
|
registration_require_3pid_sed_param="registrations_require_3pid:\n - email\n - msisdn"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
local allowd_local_3pids_sed_param=""
|
||||||
|
if [ -n "$allowed_local_3pids_email" ] || [ -n "$allowed_local_3pids_msisdn" ]; then
|
||||||
|
allowd_local_3pids_sed_param="allowed_local_3pids:"
|
||||||
|
|
||||||
|
if [ -n "$allowed_local_3pids_email" ]; then
|
||||||
|
while read -d, pattern ; do
|
||||||
|
allowd_local_3pids_sed_param+="\n - medium: email\n pattern: '$pattern'"
|
||||||
|
done <<< "${allowed_local_3pids_email},"
|
||||||
|
fi
|
||||||
|
if [ -n "$allowed_local_3pids_msisdn" ]; then
|
||||||
|
while read -d, pattern ; do
|
||||||
|
allowd_local_3pids_sed_param+="\n - medium: msisdn\n pattern: '$pattern'"
|
||||||
|
done <<< "${allowed_local_3pids_msisdn},"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
local turn_server_config=""
|
||||||
|
if $enable_dtls_for_audio_video_turn_call; then
|
||||||
|
turn_server_config='turn_uris: [ "turns:'$domain:$port_turnserver_tls'", "turns:'$domain:$port_turnserver_alt_tls'" ]'
|
||||||
|
else
|
||||||
|
turn_server_config='turn_uris: [ "turn:'$domain:$port_turnserver_tls'", "turn:'$domain:$port_turnserver_alt_tls'" ]'
|
||||||
|
fi
|
||||||
|
|
||||||
|
ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
|
||||||
|
sed -i "s|_DOMAIN_WHITELIST_CLIENT_|$domain_whitelist_client|g" /etc/matrix-$app/homeserver.yaml
|
||||||
|
sed -i "s|_AUTO_JOIN_ROOMS_SED_PARAM_|$auto_join_rooms_sed_param|g" /etc/matrix-$app/homeserver.yaml
|
||||||
|
sed -i "s|_REGISTRATION_REQUIRE_3PID_SED_PARAM_|$registration_require_3pid_sed_param|g" /etc/matrix-$app/homeserver.yaml
|
||||||
|
sed -i "s|_ALLOWD_LOCAL_3PIDS_SED_PARAM_|$allowd_local_3pids_sed_param|g" /etc/matrix-$app/homeserver.yaml
|
||||||
|
ynh_store_file_checksum --file=/etc/matrix-$app/homeserver.yaml
|
||||||
|
|
||||||
|
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
|
||||||
|
}
|
||||||
|
|
||||||
|
configure_coturn() {
|
||||||
|
# Get public IP and set as external IP for coturn
|
||||||
|
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
|
||||||
|
local public_ip4="$(curl -s ip.yunohost.org)" || true
|
||||||
|
local public_ip6="$(curl -s ipv6.yunohost.org)" || true
|
||||||
|
|
||||||
|
local turn_external_ip=""
|
||||||
|
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
|
||||||
|
then
|
||||||
|
turn_external_ip+="external-ip=$public_ip4\\n"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
|
||||||
|
then
|
||||||
|
turn_external_ip+="external-ip=$public_ip6\\n"
|
||||||
|
fi
|
||||||
|
local turn_clear_com_param=''
|
||||||
|
if $enable_dtls_for_audio_video_turn_call; then
|
||||||
|
turn_clear_com_param+='# Block clear communication\nno-udp\nno-tcp'
|
||||||
|
fi
|
||||||
|
|
||||||
|
ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
|
||||||
|
sed -i "s|_TURN_CLEAR_COM_PARAM_|$turn_clear_com_param|g" /etc/matrix-$app/coturn.conf
|
||||||
|
sed -i "s|_TURN_EXTERNAL_IP_|$turn_external_ip|g" /etc/matrix-$app/coturn.conf
|
||||||
|
ynh_store_file_checksum --file=/etc/matrix-$app/coturn.conf
|
||||||
|
}
|
||||||
|
|
||||||
|
configure_nginx() {
|
||||||
|
local e2e_enabled_by_default_client_config
|
||||||
|
|
||||||
|
# Create .well-known redirection for access by federation
|
||||||
|
if yunohost --output-as plain domain list | grep -q "^$server_name$"
|
||||||
|
then
|
||||||
|
local e2e_enabled_by_default_client_config
|
||||||
|
if [ $e2e_enabled_by_default == "off" ]; then
|
||||||
|
e2e_enabled_by_default_client_config=false
|
||||||
|
else
|
||||||
|
e2e_enabled_by_default_client_config=true
|
||||||
|
fi
|
||||||
|
ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create a dedicated NGINX config
|
||||||
|
ynh_add_nginx_config
|
||||||
|
}
|
||||||
|
|
||||||
|
set_permissions() {
|
||||||
|
chown $app:$app -R $code_dir
|
||||||
|
chmod o= -R $code_dir
|
||||||
|
|
||||||
|
chmod 770 $code_dir/Coturn_config_rotate.sh
|
||||||
|
chmod 700 $code_dir/update_synapse_for_appservice.sh
|
||||||
|
chmod 700 $code_dir/set_admin_user.sh
|
||||||
|
|
||||||
|
if [ "${1:-}" == data ]; then
|
||||||
|
find $data_dir \( \! -perm -o= \
|
||||||
|
-o \! -user $app \
|
||||||
|
-o \! -group $app \) \
|
||||||
|
-exec chown $app:$app {} \; \
|
||||||
|
-exec chmod o= {} \;
|
||||||
|
fi
|
||||||
|
|
||||||
|
chown $app:$app -R /etc/matrix-$app
|
||||||
|
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
|
||||||
|
setfacl -R -m user:turnserver:rX /etc/matrix-$app
|
||||||
|
|
||||||
|
chmod 600 /etc/matrix-$app/$server_name.signing.key
|
||||||
|
|
||||||
|
chown $app:root -R /var/log/matrix-$app
|
||||||
|
setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,37 +14,10 @@ source /usr/share/yunohost/helpers
|
||||||
# MANAGE SCRIPT FAILURE
|
# MANAGE SCRIPT FAILURE
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# Exit if an error occurs during the execution of the script
|
if systemctl is-active $app.service --quiet; then
|
||||||
ynh_abort_if_errors
|
ynh_print_warn --message="It's hightly recommended to make your backup when the service is stopped. Please stop $app service with this command before to run the backup 'systemctl stop $app.service'"
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# LOAD SETTINGS
|
|
||||||
#=================================================
|
|
||||||
ynh_print_info --message="Loading installation settings..."
|
|
||||||
|
|
||||||
app=$YNH_APP_INSTANCE_NAME
|
|
||||||
|
|
||||||
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
|
||||||
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
|
|
||||||
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
|
|
||||||
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
|
|
||||||
|
|
||||||
if [[ ! "$(systemctl status matrix-$app.service)" =~ "Active: inactive (dead)" ]]; then
|
|
||||||
ynh_print_warn --message="It's hightly recommended to make your backup when the service is stopped. Please stop $app service with this command before to run the backup 'systemctl stop matrix-$app.service'"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# SET CONSTANTS
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
synapse_user="matrix-$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
synapse_db_user="matrix_$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
upstream_version=$(ynh_app_upstream_version)
|
|
||||||
final_www_path="/var/www/$app"
|
|
||||||
data_path="/home/yunohost.app/matrix-$app"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# DECLARE DATA AND CONF FILES TO BACKUP
|
# DECLARE DATA AND CONF FILES TO BACKUP
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -56,8 +29,8 @@ ynh_print_info --message="Declaring files to be backed up..."
|
||||||
# BACKUP THE APP MAIN DIR
|
# BACKUP THE APP MAIN DIR
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
ynh_backup --src_path="$final_path"
|
ynh_backup --src_path="$code_dir"
|
||||||
ynh_backup --src_path="$final_www_path"
|
ynh_backup --src_path="$install_dir"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# BACKUP THE NGINX CONFIGURATION
|
# BACKUP THE NGINX CONFIGURATION
|
||||||
|
@ -76,7 +49,7 @@ fi
|
||||||
# BACKUP THE POSTGRESQL DATABASE
|
# BACKUP THE POSTGRESQL DATABASE
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
ynh_psql_dump_db --database="$synapse_db_name" > ${YNH_CWD}/dump.sql
|
ynh_psql_dump_db --database="$db_name" > ${YNH_CWD}/dump.sql
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# BACKUP FAIL2BAN CONFIGURATION
|
# BACKUP FAIL2BAN CONFIGURATION
|
||||||
|
@ -97,16 +70,14 @@ ynh_backup --src_path="/etc/matrix-$app"
|
||||||
# BACKUP SYSTEMD
|
# BACKUP SYSTEMD
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
ynh_backup --src_path="/etc/default/matrix-$app"
|
ynh_backup --src_path="/etc/systemd/system/$app.service"
|
||||||
ynh_backup --src_path="/etc/systemd/system/matrix-$app.service"
|
ynh_backup --src_path="/etc/systemd/system/$app-coturn.service"
|
||||||
ynh_backup --src_path="/etc/default/coturn-$app"
|
|
||||||
ynh_backup --src_path="/etc/systemd/system/coturn-$app.service"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# BACKUP SYNAPSE DATA
|
# BACKUP SYNAPSE DATA
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
ynh_backup --src_path="$data_path" --is_big=1
|
ynh_backup --src_path="$data_dir" --is_big=1
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# BACKUP SYNAPSE LOG
|
# BACKUP SYNAPSE LOG
|
||||||
|
|
|
@ -5,62 +5,12 @@
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# IMPORT GENERIC HELPERS
|
# IMPORT GENERIC HELPERS
|
||||||
source /usr/share/yunohost/helpers
|
|
||||||
|
|
||||||
# Exit if an error occurs during the execution of the script
|
|
||||||
ynh_abort_if_errors
|
|
||||||
|
|
||||||
# Import common cmd
|
|
||||||
source ./experimental_helper.sh
|
source ./experimental_helper.sh
|
||||||
source ./_common.sh
|
source ./_common.sh
|
||||||
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
ynh_script_progression --message="Loading installation settings..."
|
# We stop the service
|
||||||
|
ynh_systemd_action --service_name=$app.service --action=stop
|
||||||
# RETRIEVE ARGUMENTS
|
|
||||||
old_domain=$YNH_APP_OLD_DOMAIN
|
|
||||||
domain=$YNH_APP_NEW_DOMAIN
|
|
||||||
path_url=$(ynh_normalize_url_path --path_url $YNH_APP_NEW_PATH)
|
|
||||||
app=$YNH_APP_INSTANCE_NAME
|
|
||||||
|
|
||||||
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
|
|
||||||
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
|
|
||||||
synapse_old_version=$(ynh_app_setting_get --app=$app --key=synapse_version)
|
|
||||||
jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
|
|
||||||
is_free_registration=$(ynh_app_setting_get --app=$app --key=is_free_registration)
|
|
||||||
port=$(ynh_app_setting_get --app=$app --key=synapse_port)
|
|
||||||
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
|
|
||||||
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
|
|
||||||
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
|
|
||||||
cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
|
|
||||||
report_stats=$(ynh_app_setting_get --app=$app --key=report_stats)
|
|
||||||
allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
|
|
||||||
e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
|
|
||||||
synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
|
|
||||||
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
|
|
||||||
registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
|
|
||||||
form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
|
|
||||||
macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
|
|
||||||
synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
|
|
||||||
main_domain=$(yunohost domain list --output-as json | jq -r .main)
|
|
||||||
|
|
||||||
synapse_user="matrix-$app"
|
|
||||||
synapse_user_app="$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
synapse_db_user="matrix_$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
upstream_version=$(ynh_app_upstream_version)
|
|
||||||
domain_whitelist_client_=$(get_domain_list)
|
|
||||||
domain_whitelist_client=${domain_whitelist_client_%"\n"}
|
|
||||||
|
|
||||||
# Check if the new path stay /_matrix if not exit
|
|
||||||
|
|
||||||
if [[ $path_url != "/_matrix" ]]
|
|
||||||
then
|
|
||||||
ynh_die --message "You can't use an other path than '/_matrix'. You can only change the domain."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# We stop the service before to set ynh_clean_setup
|
|
||||||
ynh_systemd_action --service_name=matrix-$app.service --action=stop
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# STANDARD MODIFICATIONS
|
# STANDARD MODIFICATIONS
|
||||||
|
@ -70,21 +20,8 @@ ynh_systemd_action --service_name=matrix-$app.service --action=stop
|
||||||
|
|
||||||
ynh_script_progression --message="Updating NGINX configuration..."
|
ynh_script_progression --message="Updating NGINX configuration..."
|
||||||
|
|
||||||
# MODIFY URL IN NGINX CONF
|
ynh_change_url_nginx_config
|
||||||
nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
|
configure_nginx
|
||||||
|
|
||||||
# Change the domain for nginx
|
|
||||||
# Delete file checksum for the old conf file location
|
|
||||||
ynh_delete_file_checksum --file "$nginx_conf_path"
|
|
||||||
mv $nginx_conf_path /etc/nginx/conf.d/$domain.d/$app.conf
|
|
||||||
# Store file checksum for the new config file location
|
|
||||||
ynh_store_file_checksum --file "/etc/nginx/conf.d/$domain.d/$app.conf"
|
|
||||||
|
|
||||||
# Create .well-known redirection for access by federation
|
|
||||||
if yunohost --output-as plain domain list | grep -q "^$server_name$"
|
|
||||||
then
|
|
||||||
ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
|
|
||||||
fi
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# UPDATE SYNAPSE CONFIG
|
# UPDATE SYNAPSE CONFIG
|
||||||
|
@ -92,45 +29,25 @@ fi
|
||||||
|
|
||||||
ynh_script_progression --message="Updating Synapse config..." --weight=2
|
ynh_script_progression --message="Updating Synapse config..." --weight=2
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
|
configure_synapse
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
if [ -z $macaroon_secret_key ]; then
|
|
||||||
# Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
|
|
||||||
# For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
|
|
||||||
# The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
|
|
||||||
# So for the old install we just leave this as it is. And for the new install we use a real macaroon.
|
|
||||||
macaroon_secret_key_param='# macaroon_secret_key: ""'
|
|
||||||
else
|
|
||||||
macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ $is_free_registration -eq 0 ]
|
|
||||||
then
|
|
||||||
allowed_access=False
|
|
||||||
sso_enabled=True
|
|
||||||
else
|
|
||||||
allowed_access=True
|
|
||||||
sso_enabled=False
|
|
||||||
fi
|
|
||||||
|
|
||||||
ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
|
|
||||||
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SECURE FILES AND DIRECTORIES
|
# SECURE FILES AND DIRECTORIES
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# Only setting permissions for the two config files updated above
|
ynh_script_progression --message="Protecting directories..." --weight=3
|
||||||
chown $synapse_user:root -R /etc/matrix-$app
|
set_permissions
|
||||||
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RELOAD SERVICES
|
# RELOAD SERVICES
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Restarting Synapse services..." --weight=5
|
ynh_script_progression --message="Restarting Synapse services..." --weight=5
|
||||||
|
|
||||||
ynh_systemd_action --service_name=coturn-$app.service --action=restart
|
ynh_systemd_action --service_name=$app-coturn.service --action=restart
|
||||||
ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
|
ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
|
||||||
|
|
||||||
|
if ! yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
|
||||||
|
ynh_print_warn "Note yunohost won't be able to manage the required config for $server_name. So please add the needed DNS config as described on the documentation"
|
||||||
|
fi
|
||||||
|
|
||||||
ynh_script_progression --message="Change of URL completed for $app" --last
|
ynh_script_progression --message="Change of URL completed for $app" --last
|
||||||
|
|
169
scripts/config
169
scripts/config
|
@ -6,161 +6,28 @@
|
||||||
# IMPORT GENERIC HELPERS
|
# IMPORT GENERIC HELPERS
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
|
source ./_common.sh
|
||||||
source /usr/share/yunohost/helpers
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
# Stop script if errors
|
ynh_app_config_validate() {
|
||||||
ynh_abort_if_errors
|
# Depending of the status of the $enable_regirtration we should default value of the hidden fields
|
||||||
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
|
if $enable_registration; then
|
||||||
|
# Must enable password authentication when free registration is enabled as any user must be able to authenticate
|
||||||
get__max_upload_size() {
|
password_enabled=true
|
||||||
max_upload_size=$(ynh_app_setting_get --app $app --key max_upload_size)
|
else
|
||||||
echo "${max_upload_size}"
|
registrations_require_3pid=email
|
||||||
|
allowed_local_3pids_email=''
|
||||||
|
allowed_local_3pids_msisdn=''
|
||||||
|
disable_msisdn_registration=true
|
||||||
|
fi
|
||||||
|
_ynh_app_config_validate
|
||||||
}
|
}
|
||||||
|
|
||||||
set__max_upload_size() {
|
ynh_app_config_apply() {
|
||||||
ynh_write_var_in_file --file=/etc/matrix-$app/homeserver.yaml --key=max_upload_size --value="${max_upload_size}"
|
_ynh_app_config_apply
|
||||||
sed -i -r "s|client_max_body_size\s[[:digit:]]*[GMK]?;|client_max_body_size ${max_upload_size};|g" "/etc/nginx/conf.d/$domain.d/$app.conf"
|
configure_nginx
|
||||||
ynh_add_nginx_conf
|
configure_synapse
|
||||||
}
|
set_permissions
|
||||||
|
|
||||||
get__registrations_require_3pid() {
|
|
||||||
registrations_require_3pid=$(ynh_app_setting_get --app $app --key registrations_require_3pid)
|
|
||||||
echo "${registrations_require_3pid}"
|
|
||||||
}
|
|
||||||
|
|
||||||
# set__registrations_require_3pid() this function is setting datas for registrations_require_3pid field and allowed_local_3pids_(email/msisdn)
|
|
||||||
# it consist on comment or not "registrations_require_3pid:", " - email" and/or " - msisdn"
|
|
||||||
# then depending on the "registrations_require_3pid" value it comment or not "allowed_local_3pids:" lines
|
|
||||||
# and generate all it sub configuration :
|
|
||||||
#
|
|
||||||
# allowed_local_3pids:
|
|
||||||
# - medium: email
|
|
||||||
# pattern: *
|
|
||||||
# ...
|
|
||||||
# - medium: msisdn
|
|
||||||
# pattern: *
|
|
||||||
#
|
|
||||||
# sed -z and \n as new line carracter do the trick on this kind of multline replacement.
|
|
||||||
|
|
||||||
set__registrations_require_3pid() {
|
|
||||||
|
|
||||||
# search pattern to replace (it correspond to the complete section)
|
|
||||||
allowedLocal3pids="s;#?([^\S\n]*allowed_local_3pids:)\n(#?([^\S\n]*-[^\S\n]*medium:[^\S\n]*(email|msisdn)\n)#?([^\S\n]*pattern:[^\S\n]*[^\n]*\n))*;"
|
|
||||||
|
|
||||||
case ${registrations_require_3pid} in
|
|
||||||
'email')
|
|
||||||
# registrations_require_3pid: part
|
|
||||||
sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|registrations_require_3pid:\n - email\n# - msisdn|" "/etc/matrix-$app/homeserver.yaml"
|
|
||||||
|
|
||||||
# allowed_local_3pids: part
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\1"
|
|
||||||
|
|
||||||
readarray -td, arr3pidemail < <(echo ${allowed_local_3pids_email});
|
|
||||||
for pidemail in "${arr3pidemail[@]}"; do
|
|
||||||
# add it to regex substitution part
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\n - medium: email";
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidemail})'";
|
|
||||||
done;
|
|
||||||
;;
|
|
||||||
|
|
||||||
'msisdn')
|
|
||||||
# registrations_require_3pid: part
|
|
||||||
sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|registrations_require_3pid:\n# - email\n - msisdn|" "/etc/matrix-$app/homeserver.yaml"
|
|
||||||
|
|
||||||
# allowed_local_3pids: part
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\1"
|
|
||||||
|
|
||||||
readarray -td, arr3pidmsisdn < <(echo ${allowed_local_3pids_msisdn});
|
|
||||||
for pidmsisdn in "${arr3pidmsisdn[@]}"; do
|
|
||||||
# add it to regex substitution part
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\n - medium: msisdn";
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidmsisdn})'";
|
|
||||||
done;
|
|
||||||
;;
|
|
||||||
|
|
||||||
'email&msisdn')
|
|
||||||
# registrations_require_3pid: part
|
|
||||||
sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|registrations_require_3pid:\n - email\n - msisdn|" "/etc/matrix-$app/homeserver.yaml"
|
|
||||||
|
|
||||||
# allowed_local_3pids: part
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\1"
|
|
||||||
|
|
||||||
readarray -td, arr3pidemail < <(echo ${allowed_local_3pids_email});
|
|
||||||
for pidemail in "${arr3pidemail[@]}"; do
|
|
||||||
# add it to regex substitution part
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\n - medium: email";
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidemail})'";
|
|
||||||
done;
|
|
||||||
|
|
||||||
readarray -td, arr3pidmsisdn < <(echo ${allowed_local_3pids_msisdn});
|
|
||||||
for pidmsisdn in "${arr3pidmsisdn[@]}"; do
|
|
||||||
# add it to regex substitution part
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\n - medium: msisdn";
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidmsisdn})'";
|
|
||||||
done;
|
|
||||||
;;
|
|
||||||
|
|
||||||
*)
|
|
||||||
sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|#registrations_require_3pid:\n# - email\n# - msisdn|" "/etc/matrix-$app/homeserver.yaml"
|
|
||||||
|
|
||||||
# empty fields and comment registration
|
|
||||||
allowedLocal3pids=${allowedLocal3pids}"#\1"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
# finalize regex then apply sed command on the homeserver conf file
|
|
||||||
allowedLocal3pids="${allowedLocal3pids}\n;";
|
|
||||||
sed -i -z -r "${allowedLocal3pids}" "/etc/matrix-$app/homeserver.yaml"
|
|
||||||
|
|
||||||
|
|
||||||
ynh_app_setting_set --app=$app --key=registrations_require_3pid --value="${registrations_require_3pid}"
|
|
||||||
}
|
|
||||||
|
|
||||||
get__allowed_local_3pids_email() {
|
|
||||||
allowed_local_3pids_email=$(ynh_app_setting_get --app $app --key allowed_local_3pids_email)
|
|
||||||
echo "${allowed_local_3pids_email}"
|
|
||||||
}
|
|
||||||
|
|
||||||
set__allowed_local_3pids_email() {
|
|
||||||
set__registrations_require_3pid;
|
|
||||||
ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value="${allowed_local_3pids_email}"
|
|
||||||
}
|
|
||||||
|
|
||||||
get__allowed_local_3pids_msisdn() {
|
|
||||||
allowed_local_3pids_msisdn=$(ynh_app_setting_get --app $app --key allowed_local_3pids_msisdn)
|
|
||||||
echo "${allowed_local_3pids_msisdn}"
|
|
||||||
}
|
|
||||||
|
|
||||||
set__allowed_local_3pids_msisdn() {
|
|
||||||
set__registrations_require_3pid;
|
|
||||||
ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value="${allowed_local_3pids_msisdn}"
|
|
||||||
}
|
|
||||||
|
|
||||||
get__auto_join_rooms() {
|
|
||||||
auto_join_rooms=$(ynh_app_setting_get --app $app --key auto_join_rooms)
|
|
||||||
auto_join_rooms=$(echo ${auto_join_rooms} | sed "s~(\\\\)*\#~\\\\\#~g")
|
|
||||||
echo "${auto_join_rooms}"
|
|
||||||
}
|
|
||||||
|
|
||||||
set__auto_join_rooms() {
|
|
||||||
|
|
||||||
if [ -z ${auto_join_rooms} ] ; then
|
|
||||||
# remove all values comment header and example value
|
|
||||||
sed -i -z -r "s|#?([^\S\n]*auto_join_rooms:\n)#?([^\S\n]*-[^\n]*\n)*|#\1# - \"#example:example.com\"\n|" "/etc/matrix-$app/homeserver.yaml"
|
|
||||||
else
|
|
||||||
|
|
||||||
readarray -td, arrroom < <(echo ${auto_join_rooms});
|
|
||||||
|
|
||||||
# print header then all space separated values
|
|
||||||
autoJoinRooms="s|#?([^\S\n]*auto_join_rooms:)\n(#?[^\S\n]*-[^\n]*\n)*|\1";
|
|
||||||
for room in "${arrroom[@]}"; do
|
|
||||||
autoJoinRooms="${autoJoinRooms}\n - '$(echo ${room})'";
|
|
||||||
done;
|
|
||||||
autoJoinRooms="${autoJoinRooms}\n|";
|
|
||||||
sed -i -z -r "${autoJoinRooms}" "/etc/matrix-$app/homeserver.yaml"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ynh_app_setting_set --app=$app --key=auto_join_rooms --value="${auto_join_rooms}"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
|
@ -1,141 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Send an email to inform the administrator
|
|
||||||
#
|
|
||||||
# usage: ynh_send_readme_to_admin --app_message=app_message [--recipients=recipients] [--type=type]
|
|
||||||
# | arg: -m --app_message= - The file with the content to send to the administrator.
|
|
||||||
# | arg: -r, --recipients= - The recipients of this email. Use spaces to separate multiples recipients. - default: root
|
|
||||||
# example: "root admin@domain"
|
|
||||||
# If you give the name of a YunoHost user, ynh_send_readme_to_admin will find its email adress for you
|
|
||||||
# example: "root admin@domain user1 user2"
|
|
||||||
# | arg: -t, --type= - Type of mail, could be 'backup', 'change_url', 'install', 'remove', 'restore', 'upgrade'
|
|
||||||
ynh_send_readme_to_admin() {
|
|
||||||
# Declare an array to define the options of this helper.
|
|
||||||
declare -Ar args_array=( [m]=app_message= [r]=recipients= [t]=type= )
|
|
||||||
local app_message
|
|
||||||
local recipients
|
|
||||||
local type
|
|
||||||
# Manage arguments with getopts
|
|
||||||
|
|
||||||
ynh_handle_getopts_args "$@"
|
|
||||||
app_message="${app_message:-}"
|
|
||||||
recipients="${recipients:-root}"
|
|
||||||
type="${type:-install}"
|
|
||||||
|
|
||||||
# Get the value of admin_mail_html
|
|
||||||
admin_mail_html=$(ynh_app_setting_get $app admin_mail_html)
|
|
||||||
admin_mail_html="${admin_mail_html:-0}"
|
|
||||||
|
|
||||||
# Retrieve the email of users
|
|
||||||
find_mails () {
|
|
||||||
local list_mails="$1"
|
|
||||||
local mail
|
|
||||||
local recipients=" "
|
|
||||||
# Read each mail in argument
|
|
||||||
for mail in $list_mails
|
|
||||||
do
|
|
||||||
# Keep root or a real email address as it is
|
|
||||||
if [ "$mail" = "root" ] || echo "$mail" | grep --quiet "@"
|
|
||||||
then
|
|
||||||
recipients="$recipients $mail"
|
|
||||||
else
|
|
||||||
# But replace an user name without a domain after by its email
|
|
||||||
if mail=$(ynh_user_get_info "$mail" "mail" 2> /dev/null)
|
|
||||||
then
|
|
||||||
recipients="$recipients $mail"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
echo "$recipients"
|
|
||||||
}
|
|
||||||
recipients=$(find_mails "$recipients")
|
|
||||||
|
|
||||||
# Subject base
|
|
||||||
local mail_subject="☁️🆈🅽🅷☁️: \`$app\`"
|
|
||||||
|
|
||||||
# Adapt the subject according to the type of mail required.
|
|
||||||
if [ "$type" = "backup" ]; then
|
|
||||||
mail_subject="$mail_subject has just been backup."
|
|
||||||
elif [ "$type" = "change_url" ]; then
|
|
||||||
mail_subject="$mail_subject has just been moved to a new URL!"
|
|
||||||
elif [ "$type" = "remove" ]; then
|
|
||||||
mail_subject="$mail_subject has just been removed!"
|
|
||||||
elif [ "$type" = "restore" ]; then
|
|
||||||
mail_subject="$mail_subject has just been restored!"
|
|
||||||
elif [ "$type" = "upgrade" ]; then
|
|
||||||
mail_subject="$mail_subject has just been upgraded!"
|
|
||||||
else # install
|
|
||||||
mail_subject="$mail_subject has just been installed!"
|
|
||||||
fi
|
|
||||||
|
|
||||||
local mail_message="This is an automated message from your beloved YunoHost server.
|
|
||||||
|
|
||||||
Specific information for the application $app.
|
|
||||||
|
|
||||||
$(if [ -n "$app_message" ]
|
|
||||||
then
|
|
||||||
cat "$app_message"
|
|
||||||
else
|
|
||||||
echo "...No specific information..."
|
|
||||||
fi)
|
|
||||||
|
|
||||||
---
|
|
||||||
Automatic diagnosis data from YunoHost
|
|
||||||
|
|
||||||
__PRE_TAG1__$(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')__PRE_TAG2__"
|
|
||||||
|
|
||||||
# Store the message into a file for further modifications.
|
|
||||||
echo "$mail_message" > mail_to_send
|
|
||||||
|
|
||||||
# If a html email is required. Apply html tags to the message.
|
|
||||||
if [ "$admin_mail_html" -eq 1 ]
|
|
||||||
then
|
|
||||||
# Insert 'br' tags at each ending of lines.
|
|
||||||
ynh_replace_string "$" "<br>" mail_to_send
|
|
||||||
|
|
||||||
# Insert starting HTML tags
|
|
||||||
sed --in-place '1s@^@<!DOCTYPE html>\n<html>\n<head></head>\n<body>\n@' mail_to_send
|
|
||||||
|
|
||||||
# Keep tabulations
|
|
||||||
ynh_replace_string " " "\ \ " mail_to_send
|
|
||||||
ynh_replace_string "\t" "\ \ " mail_to_send
|
|
||||||
|
|
||||||
# Insert url links tags
|
|
||||||
ynh_replace_string "__URL_TAG1__\(.*\)__URL_TAG2__\(.*\)__URL_TAG3__" "<a href=\"\2\">\1</a>" mail_to_send
|
|
||||||
|
|
||||||
# Insert pre tags
|
|
||||||
ynh_replace_string "__PRE_TAG1__" "<pre>" mail_to_send
|
|
||||||
ynh_replace_string "__PRE_TAG2__" "<\pre>" mail_to_send
|
|
||||||
|
|
||||||
# Insert finishing HTML tags
|
|
||||||
echo -e "\n</body>\n</html>" >> mail_to_send
|
|
||||||
|
|
||||||
# Otherwise, remove tags to keep a plain text.
|
|
||||||
else
|
|
||||||
# Remove URL tags
|
|
||||||
ynh_replace_string "__URL_TAG[1,3]__" "" mail_to_send
|
|
||||||
ynh_replace_string "__URL_TAG2__" ": " mail_to_send
|
|
||||||
|
|
||||||
# Remove PRE tags
|
|
||||||
ynh_replace_string "__PRE_TAG[1-2]__" "" mail_to_send
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Define binary to use for mail command
|
|
||||||
if [ -e /usr/bin/bsd-mailx ]
|
|
||||||
then
|
|
||||||
local mail_bin=/usr/bin/bsd-mailx
|
|
||||||
else
|
|
||||||
local mail_bin=/usr/bin/mail.mailutils
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$admin_mail_html" -eq 1 ]
|
|
||||||
then
|
|
||||||
content_type="text/html"
|
|
||||||
else
|
|
||||||
content_type="text/plain"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Send the email to the recipients
|
|
||||||
cat mail_to_send | $mail_bin -a "Content-Type: $content_type; charset=UTF-8" -s "$mail_subject" "$recipients"
|
|
||||||
}
|
|
||||||
|
|
360
scripts/install
360
scripts/install
|
@ -1,7 +1,5 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# GENERIC START
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# IMPORT GENERIC HELPERS
|
# IMPORT GENERIC HELPERS
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -10,107 +8,52 @@ source _common.sh
|
||||||
source experimental_helper.sh
|
source experimental_helper.sh
|
||||||
source /usr/share/yunohost/helpers
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# MANAGE SCRIPT FAILURE
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
ynh_clean_setup () {
|
|
||||||
# Clean installation remainings that are not handled by the remove script.
|
|
||||||
ynh_clean_check_starting
|
|
||||||
}
|
|
||||||
# Exit if an error occurs during the execution of the script
|
|
||||||
ynh_abort_if_errors
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# SET CONSTANTS
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
synapse_user="matrix-$app"
|
|
||||||
synapse_user_app="$app"
|
|
||||||
synapse_user_app_pwd="$(ynh_string_random --length=30)"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
synapse_db_user="matrix_$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
upstream_version=$(ynh_app_upstream_version)
|
|
||||||
report_stats="false"
|
|
||||||
e2e_enabled_by_default="off"
|
|
||||||
default_domain_value="Same than the domain"
|
|
||||||
domain_whitelist_client_=$(get_domain_list)
|
|
||||||
domain_whitelist_client=${domain_whitelist_client_%"\n"}
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RETRIEVE ARGUMENTS FROM THE MANIFEST
|
# RETRIEVE ARGUMENTS FROM THE MANIFEST
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
domain=$YNH_APP_ARG_DOMAIN
|
if [ "$server_name" == "Same than the domain" ]; then
|
||||||
server_name=$YNH_APP_ARG_SERVER_NAME
|
|
||||||
is_free_registration=$YNH_APP_ARG_IS_FREE_REGISTRATION
|
|
||||||
jitsi_server=$YNH_APP_ARG_JITSI_SERVER
|
|
||||||
path_url="/_matrix"
|
|
||||||
final_path="/opt/yunohost/matrix-$app"
|
|
||||||
final_www_path="/var/www/$app"
|
|
||||||
data_path="/home/yunohost.app/matrix-$app"
|
|
||||||
main_domain=$(yunohost domain list --output-as json | jq -r .main)
|
|
||||||
|
|
||||||
if [[ "$server_name" == "$default_domain_value" ]]; then
|
|
||||||
server_name=$domain
|
server_name=$domain
|
||||||
|
ynh_app_setting_set --app=$app --key=server_name --value=$server_name
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Validating installation parameters..." --weight=2
|
|
||||||
test ! -e "/etc/nginx/conf.d/$domain.d/synapse*.conf" || ynh_die --message="$domain is not available as domain, please use an other domain."
|
|
||||||
|
|
||||||
# Check Final Path availability
|
|
||||||
test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
|
|
||||||
|
|
||||||
if [ -e "$data_path" ]; then
|
|
||||||
old_data_dir_path="$data_path$(date '+%Y%m%d.%H%M%S')"
|
|
||||||
ynh_print_warn "A data directory already exist. Data was renamed to $old_data_dir_path"
|
|
||||||
mv "$data_path" "$old_data_dir_path"
|
|
||||||
fi
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# STORE SETTINGS FROM MANIFEST
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Storing installation settings..." --weight=1
|
|
||||||
|
|
||||||
ynh_app_setting_set --app=$app --key=domain --value=$domain
|
|
||||||
ynh_app_setting_set --app=$app --key=path --value=$path_url
|
|
||||||
ynh_app_setting_set --app=$app --key=server_name --value=$server_name
|
|
||||||
ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server
|
|
||||||
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
|
|
||||||
ynh_app_setting_set --app=$app --key=synapse_version --value=$upstream_version
|
|
||||||
ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
|
|
||||||
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
|
|
||||||
ynh_app_setting_set --app=$app --key=synapse_user_app_pwd --value=$synapse_user_app_pwd
|
|
||||||
|
|
||||||
if [ "$is_free_registration" -eq "0" ]
|
|
||||||
then
|
|
||||||
enable_registration="false"
|
|
||||||
turn_allow_guests="false"
|
|
||||||
sso_enabled="true"
|
|
||||||
password_enabled="false"
|
|
||||||
enable_3pid_lookup="false"
|
|
||||||
else
|
|
||||||
enable_registration="true"
|
|
||||||
turn_allow_guests="true"
|
|
||||||
sso_enabled="false"
|
|
||||||
password_enabled="true"
|
|
||||||
enable_3pid_lookup="true"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
|
|
||||||
ynh_app_setting_set --app=$app --key=turn_allow_guests --value=$turn_allow_guests
|
|
||||||
ynh_app_setting_set --app=$app --key=sso_enabled --value=$sso_enabled
|
|
||||||
ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
|
|
||||||
ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
## SET STANDARD SETTINGS FROM DEFAULT CONFIG
|
## SET STANDARD SETTINGS FROM DEFAULT CONFIG
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
|
ynh_script_progression --message="Storing installation settings..." --weight=1
|
||||||
|
|
||||||
|
report_stats="false"
|
||||||
|
e2e_enabled_by_default="off"
|
||||||
|
allow_public_rooms_without_auth="false"
|
||||||
|
allow_public_rooms_over_federation="false"
|
||||||
|
max_upload_size="100M"
|
||||||
|
disable_msisdn_registration="true"
|
||||||
|
registrations_require_3pid=email
|
||||||
|
allowed_local_3pids_email=""
|
||||||
|
allowed_local_3pids_msisdn=""
|
||||||
|
allow_guest_access="false"
|
||||||
|
account_threepid_delegates_msisdn=""
|
||||||
|
default_identity_server="https://matrix.org"
|
||||||
|
auto_join_rooms=""
|
||||||
|
autocreate_auto_join_rooms="false"
|
||||||
|
auto_join_rooms_for_guests="true"
|
||||||
|
enable_notifs="true"
|
||||||
|
notif_for_new_users="true"
|
||||||
|
enable_group_creation="true"
|
||||||
|
push_include_content="true"
|
||||||
|
enable_3pid_lookup=false
|
||||||
|
enable_dtls_for_audio_video_turn_call=true
|
||||||
|
|
||||||
|
if [ "$is_free_registration" -eq 0 ]
|
||||||
|
then
|
||||||
|
enable_registration="false"
|
||||||
|
password_enabled="false"
|
||||||
|
else
|
||||||
|
enable_registration="true"
|
||||||
|
password_enabled="true"
|
||||||
|
fi
|
||||||
|
|
||||||
element_ynh_url="https://matrix.to/"
|
element_ynh_url="https://matrix.to/"
|
||||||
# Get app name of first Element Instance (can be changed later in Config Panel)
|
# Get app name of first Element Instance (can be changed later in Config Panel)
|
||||||
element_instance="element"
|
element_instance="element"
|
||||||
|
@ -123,30 +66,8 @@ web_client_location=$element_ynh_url
|
||||||
client_base_url=$element_ynh_url
|
client_base_url=$element_ynh_url
|
||||||
invite_client_location=$element_ynh_url
|
invite_client_location=$element_ynh_url
|
||||||
|
|
||||||
backup_before_upgrade="true"
|
ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
|
||||||
server_statistics="false"
|
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
|
||||||
allow_public_rooms_without_auth="false"
|
|
||||||
allow_public_rooms_over_federation="false"
|
|
||||||
max_upload_size="10M"
|
|
||||||
disable_msisdn_registration="true"
|
|
||||||
registrations_require_3pid="none"
|
|
||||||
# here we need sed magic to transform $server_name
|
|
||||||
allowed_local_3pids_email=""
|
|
||||||
allowed_local_3pids_msisdn=""
|
|
||||||
allow_guest_access="false"
|
|
||||||
account_threepid_delegates_msisdn=""
|
|
||||||
default_identity_server="https://matrix.org"
|
|
||||||
auto_join_rooms="#auto_join_room:""$server_name"
|
|
||||||
autocreate_auto_join_rooms="false"
|
|
||||||
auto_join_rooms_for_guests="true"
|
|
||||||
password_enabled="true"
|
|
||||||
enable_notifs="true"
|
|
||||||
notif_for_new_users="true"
|
|
||||||
enable_group_creation="true"
|
|
||||||
push_include_content="true"
|
|
||||||
|
|
||||||
ynh_app_setting_set --app=$app --key=backup_before_upgrade --value=$backup_before_upgrade
|
|
||||||
ynh_app_setting_set --app=$app --key=server_statistics --value=$server_statistics
|
|
||||||
ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location
|
ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location
|
||||||
ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url
|
ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url
|
||||||
ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location
|
ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location
|
||||||
|
@ -168,33 +89,23 @@ ynh_app_setting_set --app=$app --key=enable_notifs --value=$enable_notifs
|
||||||
ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users
|
ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users
|
||||||
ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation
|
ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation
|
||||||
ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
|
ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
|
||||||
|
ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
|
||||||
|
ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
|
||||||
|
ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
|
||||||
|
ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# STANDARD MODIFICATIONS
|
# STANDARD MODIFICATIONS
|
||||||
#=================================================
|
#=================================================
|
||||||
# FIND AND OPEN A PORT
|
# Check datadir empty
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Configuring firewall..." --weight=19
|
|
||||||
|
|
||||||
# Find a free port
|
if [ -n "$(ls -A $data_dir)" ]; then
|
||||||
synapse_tls_port=$(ynh_find_port --port=8448)
|
old_data_dir_path="${data_dir}_$(date '+%Y%m%d.%H%M%S')"
|
||||||
port=$(ynh_find_port --port=8008)
|
ynh_print_warn "Data directory was not empty. Data was moved to $old_data_dir_path"
|
||||||
turnserver_tls_port=$(ynh_find_port --port=5349)
|
mkdir -p $old_data_dir_path
|
||||||
turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
|
mv -t "$old_data_dir_path" "$data_dir"/*
|
||||||
cli_port=$(ynh_find_port --port=5766)
|
fi
|
||||||
|
|
||||||
# Open this port
|
|
||||||
ynh_exec_warn_less yunohost firewall allow TCP $synapse_tls_port
|
|
||||||
ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
|
|
||||||
ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
|
|
||||||
|
|
||||||
# Store opened ports
|
|
||||||
ynh_app_setting_set --app=$app --key=synapse_port --value=$port
|
|
||||||
ynh_app_setting_set --app=$app --key=synapse_tls_port --value=$synapse_tls_port
|
|
||||||
ynh_app_setting_set --app=$app --key=turnserver_tls_port --value=$turnserver_tls_port
|
|
||||||
ynh_app_setting_set --app=$app --key=turnserver_alt_tls_port --value=$turnserver_alt_tls_port
|
|
||||||
ynh_app_setting_set --app=$app --key=cli_port --value=$cli_port
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# CREATE A DH FILE
|
# CREATE A DH FILE
|
||||||
|
@ -207,49 +118,26 @@ ynh_script_progression --message="Creating a dh file..." --weight=3
|
||||||
# Make dh cert for synapse if it doesn't exist
|
# Make dh cert for synapse if it doesn't exist
|
||||||
if [ ! -e /etc/ssl/private/dh2048.pem ]
|
if [ ! -e /etc/ssl/private/dh2048.pem ]
|
||||||
then
|
then
|
||||||
ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam
|
ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -dsaparam 2048
|
||||||
chown root:ssl-cert /etc/ssl/private/dh2048.pem
|
chown root:ssl-cert /etc/ssl/private/dh2048.pem
|
||||||
chmod 640 /etc/ssl/private/dh2048.pem
|
chmod 640 /etc/ssl/private/dh2048.pem
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# INSTALL DEPENDENCIES
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Installing dependencies..." --weight=80
|
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
|
|
||||||
# For any update do it in all files
|
|
||||||
ynh_exec_warn_less ynh_install_app_dependencies $dependances
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# CREATE DEDICATED USER
|
# CREATE DEDICATED USER
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Configuring system user..." --weight=3
|
ynh_script_progression --message='Configuring system groups'
|
||||||
|
|
||||||
ynh_system_user_create --username=$synapse_user --home_dir=$final_path
|
adduser $app ssl-cert
|
||||||
# The format to create an user account varies depending on the version of YunoHost currently installed.
|
|
||||||
ynh_current_version=$(dpkg-query --showformat='${Version}' --show yunohost)
|
|
||||||
if $(dpkg --compare-versions "$ynh_current_version" ge "11.1"); then
|
|
||||||
yunohost user create $synapse_user_app -F "Synapse Application" -d $domain -p "$synapse_user_app_pwd"
|
|
||||||
else
|
|
||||||
yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
|
|
||||||
fi
|
|
||||||
adduser $synapse_user ssl-cert
|
|
||||||
adduser turnserver ssl-cert
|
adduser turnserver ssl-cert
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# CREATE A POSTGRESQL DATABASE
|
# FIX DB CONFIG
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Creating a PostgreSQL database..." --weight=4
|
ynh_script_progression --message="Fixing database type..." --weight=1
|
||||||
|
|
||||||
synapse_db_pwd=$(ynh_string_random --length=30)
|
|
||||||
ynh_app_setting_set --app=$app --key=synapse_db_pwd --value=$synapse_db_pwd
|
|
||||||
|
|
||||||
# Create postgresql database
|
|
||||||
ynh_psql_test_if_first_run
|
|
||||||
ynh_psql_create_user $synapse_db_user $synapse_db_pwd
|
|
||||||
ynh_psql_execute_as_root \
|
ynh_psql_execute_as_root \
|
||||||
--sql="CREATE DATABASE $synapse_db_name ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $synapse_db_user;"
|
--sql="update pg_database set datcollate='C', datctype='C' where datname='$db_name';"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# DOWNLOAD, CHECK AND UNPACK SOURCE
|
# DOWNLOAD, CHECK AND UNPACK SOURCE
|
||||||
|
@ -260,7 +148,6 @@ ynh_script_progression --message="Setting up source files..." --weight=50
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE
|
# WARNING : theses command are used in INSTALL, UPGRADE
|
||||||
# For any update do it in all files
|
# For any update do it in all files
|
||||||
mkdir -p $data_path
|
|
||||||
mkdir -p /var/log/matrix-$app
|
mkdir -p /var/log/matrix-$app
|
||||||
mkdir -p /etc/matrix-$app/conf.d
|
mkdir -p /etc/matrix-$app/conf.d
|
||||||
mkdir -p /etc/matrix-$app/app-service
|
mkdir -p /etc/matrix-$app/app-service
|
||||||
|
@ -275,10 +162,9 @@ install_sources
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE
|
# WARNING : theses command are used in INSTALL, UPGRADE
|
||||||
# For any update do it in all files
|
# For any update do it in all files
|
||||||
|
|
||||||
mkdir -p $final_www_path
|
cp ../sources/cas_server.php $install_dir/
|
||||||
cp ../sources/cas_server.php $final_www_path/
|
chmod u=rwX,g=rX,o= -R $install_dir
|
||||||
chmod u=rwX,g=rX,o= -R $final_www_path
|
chown $app:$app -R $install_dir
|
||||||
chown $synapse_user:root -R $final_www_path
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# CREATE SYNAPSE CONFIG
|
# CREATE SYNAPSE CONFIG
|
||||||
|
@ -286,18 +172,8 @@ chown $synapse_user:root -R $final_www_path
|
||||||
|
|
||||||
ynh_script_progression --message="Creating Synapse config..." --weight=3
|
ynh_script_progression --message="Creating Synapse config..." --weight=3
|
||||||
|
|
||||||
# Go in virtualenvironnement
|
|
||||||
set +u;
|
|
||||||
source $final_path/bin/activate
|
|
||||||
set -u;
|
|
||||||
|
|
||||||
# Generate config
|
# Generate config
|
||||||
python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --server-name $server_name --report-stats=no -c homeserver.yml
|
$code_dir/bin/python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --server-name $server_name --report-stats=no -c homeserver.yml
|
||||||
|
|
||||||
# This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
|
|
||||||
set +u;
|
|
||||||
deactivate
|
|
||||||
set -u;
|
|
||||||
|
|
||||||
# Get random values from config
|
# Get random values from config
|
||||||
registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
|
registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
|
||||||
|
@ -315,11 +191,10 @@ ynh_app_setting_set --app=$app --key=macaroon_secret_key --value="$macaroon_secr
|
||||||
ynh_script_progression --message="Configuring a systemd service..." --weight=2
|
ynh_script_progression --message="Configuring a systemd service..." --weight=2
|
||||||
|
|
||||||
# Create systemd service for synapse and turnserver
|
# Create systemd service for synapse and turnserver
|
||||||
cp ../conf/default_matrix-synapse /etc/default/matrix-$app
|
ynh_add_systemd_config --service=$app --template=synapse.service
|
||||||
ynh_add_systemd_config --service=matrix-$app --template=matrix-synapse.service
|
|
||||||
|
|
||||||
cp ../conf/default_coturn /etc/default/coturn-$app
|
cp ../conf/default_coturn /etc/matrix-$app/coturn_env
|
||||||
ynh_add_systemd_config --service=coturn-$app --template=coturn-synapse.service
|
ynh_add_systemd_config --service=$app-coturn --template=synapse-coturn.service
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# NGINX CONFIGURATION
|
# NGINX CONFIGURATION
|
||||||
|
@ -330,19 +205,8 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=2
|
||||||
ynh_script_progression --message="Configuring application..."
|
ynh_script_progression --message="Configuring application..."
|
||||||
|
|
||||||
ynh_add_fpm_config --usage=low --footprint=low
|
ynh_add_fpm_config --usage=low --footprint=low
|
||||||
sed -i "s|user\s*=\s*$app|user = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
|
|
||||||
sed -i "s|group\s*=\s*$app|group = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
|
|
||||||
sed -i "s|chdir\s*=\s*/opt/yunohost/matrix-synapse.*|chdir = $final_www_path|g" /etc/php/7.*/fpm/pool.d/$app.conf
|
|
||||||
ynh_store_file_checksum --file=$(ls /etc/php/7.*/fpm/pool.d/$app.conf)
|
|
||||||
|
|
||||||
# Create .well-known redirection for access by federation
|
configure_nginx
|
||||||
if yunohost --output-as plain domain list | grep -q "^$server_name$"
|
|
||||||
then
|
|
||||||
ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Create a dedicated nginx config
|
|
||||||
ynh_add_nginx_config app
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SET SYNAPSE CONFIG
|
# SET SYNAPSE CONFIG
|
||||||
|
@ -353,41 +217,14 @@ ynh_script_progression --message="Configuring Synapse..." --weight=2
|
||||||
turnserver_pwd=$(ynh_string_random --length=30)
|
turnserver_pwd=$(ynh_string_random --length=30)
|
||||||
ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
|
ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
|
||||||
|
|
||||||
# Configure Synapse
|
configure_synapse
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
|
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
|
|
||||||
|
|
||||||
ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
|
|
||||||
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SET COTURN CONFIG
|
# SET COTURN CONFIG
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Configuring Coturn..." --weight=1
|
ynh_script_progression --message="Configuring Coturn..." --weight=1
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE
|
configure_coturn
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
# Get public IP and set as external IP for coturn
|
|
||||||
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
|
|
||||||
public_ip4="$(curl -s ip.yunohost.org)" || true
|
|
||||||
public_ip6="$(curl -s ipv6.yunohost.org)" || true
|
|
||||||
|
|
||||||
turn_external_ip=""
|
|
||||||
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
|
|
||||||
then
|
|
||||||
turn_external_ip+="external-ip="$public_ip4%"\n"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
|
|
||||||
then
|
|
||||||
turn_external_ip+="external-ip="$public_ip6%"\n"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SETUP LOGROTATE
|
# SETUP LOGROTATE
|
||||||
|
@ -403,29 +240,24 @@ ynh_use_logrotate --logfile "/var/log/matrix-$app"
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE
|
# WARNING : theses command are used in INSTALL, UPGRADE
|
||||||
# For any update do it in all files
|
# For any update do it in all files
|
||||||
|
|
||||||
ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh"
|
ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$code_dir/Coturn_config_rotate.sh"
|
||||||
ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh"
|
ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$code_dir/update_synapse_for_appservice.sh"
|
||||||
|
ynh_add_config --template=../sources/set_admin_user.sh --destination=$code_dir/set_admin_user.sh
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# GENERIC FINALIZATION
|
# GENERIC FINALIZATION
|
||||||
#=================================================
|
#=================================================
|
||||||
# SETUP PERMISSIONS
|
# SETUP PERMISSIONS
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
ynh_script_progression --message="Configuring permissions..." --weight=1
|
ynh_script_progression --message="Configuring permissions..." --weight=1
|
||||||
|
|
||||||
ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
|
|
||||||
ynh_permission_update --permission=main --show_tile=false --protected=true
|
|
||||||
|
|
||||||
ynh_permission_create --permission=server_api --url=$domain/_matrix \
|
|
||||||
--label="Server access for client apps." --show_tile=false --allowed=visitors \
|
|
||||||
--auth_header=false --protected=true
|
|
||||||
ynh_permission_create --permission=admin_api --url=$domain/_synapse \
|
|
||||||
--label="Server administration API." --show_tile=false \
|
|
||||||
--auth_header=false --allowed=visitors
|
|
||||||
if yunohost --output-as plain domain list | grep -q "^$server_name$"; then
|
if yunohost --output-as plain domain list | grep -q "^$server_name$"; then
|
||||||
ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
|
ynh_""permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
|
||||||
--label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
|
--label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
|
||||||
--auth_header=false --protected=true
|
--auth_header=false --protected=true
|
||||||
|
else
|
||||||
|
ynh_print_warn "Note yunohost won't be able to manage the required config for $server_name. So please add the needed DNS config as described on the documentation"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -441,69 +273,31 @@ ynh_replace_string __DOMAIN__ $domain ../hooks/post_cert_update
|
||||||
# SECURE FILES AND DIRECTORIES
|
# SECURE FILES AND DIRECTORIES
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
|
ynh_script_progression --message="Protecting directories..." --weight=3
|
||||||
# For any update do it in all files
|
set_permissions data
|
||||||
chown $synapse_user:root -R $final_path
|
|
||||||
chmod 770 $final_path/Coturn_config_rotate.sh
|
|
||||||
chmod 700 $final_path/update_synapse_for_appservice.sh
|
|
||||||
chown $synapse_user:root -R $data_path
|
|
||||||
chown $synapse_user:root -R /var/log/matrix-$app
|
|
||||||
chown $synapse_user:root -R /etc/matrix-$app
|
|
||||||
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
|
|
||||||
chmod 600 /etc/matrix-$app/$server_name.signing.key
|
|
||||||
setfacl -R -m user:turnserver:rX /etc/matrix-$app
|
|
||||||
setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# ADVERTISE SERVICE IN ADMIN PANEL
|
# ADVERTISE SERVICE IN ADMIN PANEL
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
yunohost service add matrix-$app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $synapse_tls_port
|
yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.'
|
||||||
yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
|
yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.'
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RELOAD SERVICES
|
# RELOAD SERVICES
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Restarting Synapse services..." --weight=11
|
ynh_script_progression --message="Restarting Synapse services..." --weight=11
|
||||||
|
|
||||||
ynh_systemd_action --service_name=coturn-$app.service --action=restart
|
ynh_systemd_action --service_name=$app-coturn.service --action=restart
|
||||||
ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
|
ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SETUP FAIL2BAN
|
# SETUP FAIL2BAN
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Configuring Fail2Ban..." --weight=10
|
ynh_script_progression --message="Configuring Fail2Ban..." --weight=10
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE
|
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
ynh_add_fail2ban_config --use_template
|
ynh_add_fail2ban_config --use_template
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# SEND A README FOR THE ADMIN
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, RESTORE
|
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
echo "If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
|
|
||||||
|
|
||||||
If not, you may need to put the following line in the dns configuration:
|
|
||||||
|
|
||||||
_matrix._tcp.$domain. 3600 IN SRV 10 0 $synapse_tls_port $domain.
|
|
||||||
|
|
||||||
For more details, see : https://github.com/matrix-org/synapse#setting-up-federation
|
|
||||||
|
|
||||||
You also need to open the TCP port $synapse_tls_port on your ISP box if it's not automatically done.
|
|
||||||
|
|
||||||
Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .
|
|
||||||
|
|
||||||
If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh
|
|
||||||
|
|
||||||
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en" > mail_to_send
|
|
||||||
|
|
||||||
ynh_send_readme_to_admin --app_message="mail_to_send" --type="install"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# END OF SCRIPT
|
# END OF SCRIPT
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
106
scripts/patch/ldap_auth_filter_anonymous_user.patch
Normal file
106
scripts/patch/ldap_auth_filter_anonymous_user.patch
Normal file
|
@ -0,0 +1,106 @@
|
||||||
|
diff --git a/ldap_auth_provider.py b/ldap_auth_provider.py
|
||||||
|
index 3646948..96296b6 100644
|
||||||
|
--- a/ldap_auth_provider.py
|
||||||
|
+++ b/ldap_auth_provider.py
|
||||||
|
@@ -373,9 +373,12 @@ class LdapAuthProvider:
|
||||||
|
],
|
||||||
|
)
|
||||||
|
|
||||||
|
+ # LDAP Filter anonymous user Applied
|
||||||
|
ldap_config = _LdapConfig(
|
||||||
|
enabled=config.get("enabled", False),
|
||||||
|
- mode=LDAPMode.SIMPLE,
|
||||||
|
+ mode=LDAPMode.SEARCH
|
||||||
|
+ if config.get("mode", "simple") == "search"
|
||||||
|
+ else LDAPMode.SIMPLE,
|
||||||
|
uri=config["uri"],
|
||||||
|
start_tls=config.get("start_tls", False),
|
||||||
|
tls_options=config.get("tls_options"),
|
||||||
|
@@ -403,6 +406,8 @@ class LdapAuthProvider:
|
||||||
|
raise ValueError(
|
||||||
|
"Either bind_password or bind_password_file must be set!"
|
||||||
|
)
|
||||||
|
+
|
||||||
|
+ if ldap_config.mode == LDAPMode.SEARCH:
|
||||||
|
ldap_config.filter = config.get("filter", None)
|
||||||
|
|
||||||
|
# verify attribute lookup
|
||||||
|
@@ -461,13 +466,16 @@ class LdapAuthProvider:
|
||||||
|
server = self._get_server(get_info=ldap3.DSA)
|
||||||
|
|
||||||
|
if self.ldap_bind_dn is None or self.ldap_bind_password is None:
|
||||||
|
- raise ValueError("Missing bind DN or bind password")
|
||||||
|
-
|
||||||
|
- result, conn = await self._ldap_simple_bind(
|
||||||
|
- server=server,
|
||||||
|
- bind_dn=self.ldap_bind_dn,
|
||||||
|
- password=self.ldap_bind_password,
|
||||||
|
- )
|
||||||
|
+ result, conn = await self._ldap_simple_bind(
|
||||||
|
+ server=server,
|
||||||
|
+ auth_type=ldap3.ANONYMOUS,
|
||||||
|
+ )
|
||||||
|
+ else:
|
||||||
|
+ result, conn = await self._ldap_simple_bind(
|
||||||
|
+ server=server,
|
||||||
|
+ bind_dn=self.ldap_bind_dn,
|
||||||
|
+ password=self.ldap_bind_password,
|
||||||
|
+ )
|
||||||
|
|
||||||
|
if not result:
|
||||||
|
logger.warning("Unable to get root domain due to failed LDAP bind")
|
||||||
|
@@ -503,7 +511,11 @@ class LdapAuthProvider:
|
||||||
|
return self.ldap_root_domain
|
||||||
|
|
||||||
|
async def _ldap_simple_bind(
|
||||||
|
- self, server: ldap3.ServerPool, bind_dn: str, password: str
|
||||||
|
+ self,
|
||||||
|
+ server: ldap3.ServerPool,
|
||||||
|
+ bind_dn: Optional[str] = None,
|
||||||
|
+ password: Optional[str] = None,
|
||||||
|
+ auth_type: str = ldap3.SIMPLE,
|
||||||
|
) -> Tuple[bool, Optional[ldap3.Connection]]:
|
||||||
|
"""Attempt a simple bind with the credentials given by the user against
|
||||||
|
the LDAP server.
|
||||||
|
@@ -513,6 +525,8 @@ class LdapAuthProvider:
|
||||||
|
Returns False, None
|
||||||
|
if an error occured
|
||||||
|
"""
|
||||||
|
+ if (bind_dn is None or password is None) and auth_type == ldap3.SIMPLE:
|
||||||
|
+ raise ValueError("Missing bind DN or bind password")
|
||||||
|
|
||||||
|
try:
|
||||||
|
# bind with the the local user's ldap credentials
|
||||||
|
@@ -521,7 +535,7 @@ class LdapAuthProvider:
|
||||||
|
server,
|
||||||
|
bind_dn,
|
||||||
|
password,
|
||||||
|
- authentication=ldap3.SIMPLE,
|
||||||
|
+ authentication=auth_type,
|
||||||
|
read_only=True,
|
||||||
|
)
|
||||||
|
logger.debug("Established LDAP connection in simple bind mode: %s", conn)
|
||||||
|
@@ -578,13 +592,16 @@ class LdapAuthProvider:
|
||||||
|
|
||||||
|
try:
|
||||||
|
if self.ldap_bind_dn is None or self.ldap_bind_password is None:
|
||||||
|
- raise ValueError("Missing bind DN or bind password")
|
||||||
|
-
|
||||||
|
- result, conn = await self._ldap_simple_bind(
|
||||||
|
- server=server,
|
||||||
|
- bind_dn=self.ldap_bind_dn,
|
||||||
|
- password=self.ldap_bind_password,
|
||||||
|
- )
|
||||||
|
+ result, conn = await self._ldap_simple_bind(
|
||||||
|
+ server=server,
|
||||||
|
+ auth_type=ldap3.ANONYMOUS,
|
||||||
|
+ )
|
||||||
|
+ else:
|
||||||
|
+ result, conn = await self._ldap_simple_bind(
|
||||||
|
+ server=server,
|
||||||
|
+ bind_dn=self.ldap_bind_dn,
|
||||||
|
+ password=self.ldap_bind_password,
|
||||||
|
+ )
|
||||||
|
|
||||||
|
if not result:
|
||||||
|
return (False, None, None)
|
|
@ -10,32 +10,6 @@ source _common.sh
|
||||||
source experimental_helper.sh
|
source experimental_helper.sh
|
||||||
source /usr/share/yunohost/helpers
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# LOAD SETTINGS
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Loading installation settings..." --weight=3
|
|
||||||
|
|
||||||
app=$YNH_APP_INSTANCE_NAME
|
|
||||||
|
|
||||||
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
|
||||||
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
|
|
||||||
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
|
|
||||||
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
|
|
||||||
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
|
|
||||||
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# SET CONSTANTS
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
synapse_user="matrix-$app"
|
|
||||||
synapse_user_app="$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
synapse_db_user="matrix_$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
upstream_version=$(ynh_app_upstream_version)
|
|
||||||
final_www_path="/var/www/$app"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# STANDARD REMOVE
|
# STANDARD REMOVE
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -43,51 +17,25 @@ final_www_path="/var/www/$app"
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# Remove a service from the admin panel, added by `yunohost service add`
|
# Remove a service from the admin panel, added by `yunohost service add`
|
||||||
if yunohost service status matrix-$app >/dev/null 2>&1
|
yunohost service remove $app
|
||||||
then
|
yunohost service remove $app-coturn
|
||||||
yunohost service remove matrix-$app
|
|
||||||
fi
|
|
||||||
|
|
||||||
if yunohost service status coturn-$app >/dev/null 2>&1
|
|
||||||
then
|
|
||||||
yunohost service remove coturn-$app
|
|
||||||
fi
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# STOP AND REMOVE SERVICE
|
# STOP AND REMOVE SERVICE
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Stopping and removing the systemd service" --weight=2
|
ynh_script_progression --message="Stopping and removing the systemd service" --weight=2
|
||||||
|
|
||||||
ynh_remove_systemd_config --service=matrix-$app
|
ynh_remove_systemd_config --service=$app
|
||||||
ynh_remove_systemd_config --service=coturn-$app
|
ynh_remove_systemd_config --service=$app-coturn
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# REMOVE THE POSTGRESQL DATABASE
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Removing the PostgreSQL database" --weight=2
|
|
||||||
|
|
||||||
# Remove a database if it exists, along with the associated user
|
|
||||||
ynh_psql_remove_db --db_user=$synapse_db_name --db_name=$synapse_db_user
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# REMOVE DEPENDENCIES
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Removing dependencies" --weight=15
|
|
||||||
|
|
||||||
# Remove metapackage and its dependencies
|
|
||||||
ynh_remove_app_dependencies
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# REMOVE APP MAIN DIR
|
# REMOVE APP MAIN DIR
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Removing app main directory" --weight=2
|
ynh_script_progression --message="Removing app main directory" --weight=2
|
||||||
|
|
||||||
ynh_secure_remove --file=$final_path
|
ynh_secure_remove --file=$code_dir
|
||||||
ynh_secure_remove --file=$final_www_path
|
|
||||||
ynh_secure_remove --file=/var/log/matrix-$app
|
ynh_secure_remove --file=/var/log/matrix-$app
|
||||||
ynh_secure_remove --file=/etc/matrix-$app
|
ynh_secure_remove --file=/etc/matrix-$app
|
||||||
ynh_secure_remove --file=/etc/default/matrix-$app
|
|
||||||
ynh_secure_remove --file=/etc/default/coturn-$app
|
|
||||||
ynh_secure_remove --file=/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
|
ynh_secure_remove --file=/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -109,23 +57,6 @@ ynh_script_progression --message="Removing logrotate configuration" --weight=1
|
||||||
# Remove the app-specific logrotate config
|
# Remove the app-specific logrotate config
|
||||||
ynh_remove_logrotate
|
ynh_remove_logrotate
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# CLOSE A PORT
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
closeport() {
|
|
||||||
local port=$1
|
|
||||||
if yunohost firewall list | grep -q "\- $port$"
|
|
||||||
then
|
|
||||||
ynh_script_progression --message="Closing port $port"
|
|
||||||
ynh_exec_warn_less yunohost firewall disallow Both $port
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
closeport $synapse_tls_port
|
|
||||||
closeport $turnserver_tls_port
|
|
||||||
closeport $turnserver_alt_tls_port
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# REMOVE FAIL2BAN CONFIGURATION
|
# REMOVE FAIL2BAN CONFIGURATION
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -137,18 +68,6 @@ ynh_remove_fail2ban_config
|
||||||
#=================================================
|
#=================================================
|
||||||
# GENERIC FINALIZATION
|
# GENERIC FINALIZATION
|
||||||
#=================================================
|
#=================================================
|
||||||
# REMOVE DEDICATED USER
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Removing the dedicated system user" --weight=1
|
|
||||||
|
|
||||||
# Delete a system user
|
|
||||||
ynh_system_user_delete --username=$synapse_user
|
|
||||||
yunohost user delete $synapse_user_app
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# END OF SCRIPT
|
|
||||||
#=================================================
|
|
||||||
ynh_print_info --message="Due of the backup core only feature the data directory in '/home/yunohost.app/matrix-$app' was not removed. It need to be removed manually to purge app user data."
|
|
||||||
|
|
||||||
ynh_script_progression --message="Removal of $app completed" --last
|
ynh_script_progression --message="Removal of $app completed" --last
|
||||||
sleep 1
|
sleep 1
|
||||||
|
|
|
@ -1,39 +0,0 @@
|
||||||
import json
|
|
||||||
import sys
|
|
||||||
|
|
||||||
with open("/etc/ssowat/" + "conf.json.persistent", "r", encoding='utf-8') as jsonFile:
|
|
||||||
data = json.load(jsonFile)
|
|
||||||
|
|
||||||
for domain in ("", sys.argv[1], sys.argv[2]):
|
|
||||||
for path in ("/_matrix", "/.well-known/matrix/", "/_matrix/cas_server.php/login"):
|
|
||||||
url = domain + path
|
|
||||||
try:
|
|
||||||
uri_list = data["skipped_urls"]
|
|
||||||
while url in uri_list:
|
|
||||||
uri_list.remove(url)
|
|
||||||
except:
|
|
||||||
pass
|
|
||||||
|
|
||||||
try:
|
|
||||||
uri_list = data["protected_urls"]
|
|
||||||
while url in uri_list:
|
|
||||||
uri_list.remove(url)
|
|
||||||
except:
|
|
||||||
pass
|
|
||||||
|
|
||||||
try:
|
|
||||||
uri_list = data["permissions"]["custom_protected"]["uris"]
|
|
||||||
while url in uri_list:
|
|
||||||
uri_list.remove(url)
|
|
||||||
except:
|
|
||||||
pass
|
|
||||||
|
|
||||||
try:
|
|
||||||
uri_list = data["permissions"]["custom_skipped"]["uris"]
|
|
||||||
while url in uri_list:
|
|
||||||
uri_list.remove(url)
|
|
||||||
except:
|
|
||||||
pass
|
|
||||||
|
|
||||||
with open("/etc/ssowat/" + "conf.json.persistent", "w", encoding='utf-8') as jsonFile:
|
|
||||||
jsonFile.write(json.dumps(data, indent=4, sort_keys=True))
|
|
176
scripts/restore
176
scripts/restore
|
@ -11,85 +11,28 @@ source ../settings/scripts/_common.sh
|
||||||
source ../settings/scripts/experimental_helper.sh
|
source ../settings/scripts/experimental_helper.sh
|
||||||
source /usr/share/yunohost/helpers
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# MANAGE SCRIPT FAILURE
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
ynh_clean_setup () {
|
|
||||||
# Clean installation remainings that are not handled by the remove script.
|
|
||||||
ynh_clean_check_starting
|
|
||||||
}
|
|
||||||
# Exit if an error occurs during the execution of the script
|
|
||||||
ynh_abort_if_errors
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# LOAD SETTINGS
|
# LOAD SETTINGS
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Loading settings..."
|
ynh_script_progression --message="Loading settings..."
|
||||||
|
|
||||||
app=$YNH_APP_INSTANCE_NAME
|
|
||||||
|
|
||||||
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
|
||||||
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
|
|
||||||
path_url=$(ynh_app_setting_get --app=$app --key=path)
|
|
||||||
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
|
|
||||||
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
|
|
||||||
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
|
|
||||||
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
|
|
||||||
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
|
|
||||||
synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
|
|
||||||
synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
|
|
||||||
main_domain=$(yunohost domain list --output-as json | jq -r .main)
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# SET ALL CONSTANT
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
synapse_user="matrix-$app"
|
|
||||||
synapse_user_app="$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
synapse_db_user="matrix_$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
upstream_version=$(ynh_app_upstream_version)
|
|
||||||
final_www_path="/var/www/$app"
|
|
||||||
data_path="/home/yunohost.app/matrix-$app"
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# CHECK IF THE APP CAN BE RESTORED
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Validating restoration parameters..." --weight=2
|
|
||||||
|
|
||||||
test ! -d $final_path \
|
|
||||||
|| ynh_die --message="There is already a directory: $final_path "
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# STANDARD RESTORATION STEPS
|
|
||||||
#=================================================
|
|
||||||
# REINSTALL DEPENDENCIES
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Reinstalling dependencies..." --weight=70
|
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
|
|
||||||
# For any update do it in all files
|
|
||||||
ynh_exec_warn_less ynh_install_app_dependencies $dependances
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RECREATE THE DEDICATED USER
|
# RECREATE THE DEDICATED USER
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Recreating the dedicated system user..." --weight=3
|
ynh_script_progression --message='Configuring system groups'
|
||||||
|
|
||||||
# Create the dedicated user (if not existing)
|
# Create the dedicated user (if not existing)
|
||||||
ynh_system_user_create --username=$synapse_user --home_dir=$final_path
|
adduser $app ssl-cert
|
||||||
# The format to create an user account varies depending on the version of YunoHost currently installed.
|
|
||||||
ynh_current_version=$(dpkg-query --showformat='${Version}' --show yunohost)
|
|
||||||
if $(dpkg --compare-versions "$ynh_current_version" ge "11.1"); then
|
|
||||||
yunohost user create $synapse_user_app -F "Synapse Application" -d $domain -p "$synapse_user_app_pwd"
|
|
||||||
else
|
|
||||||
yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
|
|
||||||
fi
|
|
||||||
adduser $synapse_user ssl-cert
|
|
||||||
adduser turnserver ssl-cert
|
adduser turnserver ssl-cert
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# FIX DB CONFIG
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Fixing database type..." --weight=1
|
||||||
|
|
||||||
|
ynh_psql_execute_as_root \
|
||||||
|
--sql="update pg_database set datcollate='C', datctype='C' where datname='$db_name';"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RESTORE ALL CONFIG AND DATA
|
# RESTORE ALL CONFIG AND DATA
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -115,16 +58,7 @@ ynh_systemd_action --action=restart --service_name=fail2ban
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Restoring the PostgreSQL database..." --weight=13
|
ynh_script_progression --message="Restoring the PostgreSQL database..." --weight=13
|
||||||
|
|
||||||
ynh_psql_test_if_first_run
|
ynh_psql_execute_file_as_root --file="${YNH_CWD}/dump.sql" --database="$db_name"
|
||||||
ynh_psql_create_user $synapse_db_user $synapse_db_pwd
|
|
||||||
ynh_psql_execute_as_root \
|
|
||||||
--sql="CREATE DATABASE $synapse_db_name
|
|
||||||
ENCODING 'UTF8'
|
|
||||||
LC_COLLATE='C'
|
|
||||||
LC_CTYPE='C'
|
|
||||||
template=template0
|
|
||||||
OWNER $synapse_db_user;"
|
|
||||||
ynh_psql_execute_file_as_root --file="${YNH_CWD}/dump.sql" --database="$synapse_db_name"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RESTORE SYSTEMD
|
# RESTORE SYSTEMD
|
||||||
|
@ -132,15 +66,15 @@ ynh_psql_execute_file_as_root --file="${YNH_CWD}/dump.sql" --database="$synapse_
|
||||||
ynh_script_progression --message="Enable systemd services" --weight=2
|
ynh_script_progression --message="Enable systemd services" --weight=2
|
||||||
|
|
||||||
# systemctl daemon-reload
|
# systemctl daemon-reload
|
||||||
systemctl enable matrix-$app.service --quiet
|
systemctl enable $app.service --quiet
|
||||||
systemctl enable coturn-$app.service --quiet
|
systemctl enable $app-coturn.service --quiet
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# ADVERTISE SERVICE IN ADMIN PANEL
|
# ADVERTISE SERVICE IN ADMIN PANEL
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
yunohost service add matrix-$app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $synapse_tls_port
|
yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.'
|
||||||
yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
|
yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.'
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# CREATE A DH FILE
|
# CREATE A DH FILE
|
||||||
|
@ -153,7 +87,7 @@ ynh_script_progression --message="Creating a dh file..." --weight=40
|
||||||
# Make dh cert for synapse if it doesn't exist
|
# Make dh cert for synapse if it doesn't exist
|
||||||
if [ ! -e /etc/ssl/private/dh2048.pem ]
|
if [ ! -e /etc/ssl/private/dh2048.pem ]
|
||||||
then
|
then
|
||||||
ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam
|
ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -dsaparam 2048
|
||||||
chown root:ssl-cert /etc/ssl/private/dh2048.pem
|
chown root:ssl-cert /etc/ssl/private/dh2048.pem
|
||||||
chmod 640 /etc/ssl/private/dh2048.pem
|
chmod 640 /etc/ssl/private/dh2048.pem
|
||||||
fi
|
fi
|
||||||
|
@ -163,43 +97,7 @@ fi
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Reconfiguring Coturn..." --weight=23
|
ynh_script_progression --message="Reconfiguring Coturn..." --weight=23
|
||||||
|
|
||||||
# To be sure that at the restoration the IP address in coturn config is the same as the real address we remake the coturn config
|
configure_coturn
|
||||||
|
|
||||||
# Retrieve specific settings
|
|
||||||
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
|
|
||||||
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
|
|
||||||
cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
|
|
||||||
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
|
|
||||||
|
|
||||||
# WARNING : these commands are used in INSTALL, UPGRADE
|
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
# Get public IP and set as external IP for coturn
|
|
||||||
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
|
|
||||||
public_ip4="$(curl -s ip.yunohost.org)" || true
|
|
||||||
public_ip6="$(curl -s ipv6.yunohost.org)" || true
|
|
||||||
|
|
||||||
turn_external_ip=""
|
|
||||||
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
|
|
||||||
then
|
|
||||||
turn_external_ip+="external-ip="$public_ip4%"\n"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
|
|
||||||
then
|
|
||||||
turn_external_ip+="external-ip="$public_ip6%"\n"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# OPEN THE PORT
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
# Ouvre le port dans le firewall
|
|
||||||
ynh_exec_warn_less yunohost firewall allow TCP $synapse_tls_port
|
|
||||||
ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
|
|
||||||
ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SETUP LOGROTATE
|
# SETUP LOGROTATE
|
||||||
|
@ -214,48 +112,16 @@ ynh_use_logrotate --logfile /var/log/matrix-$app
|
||||||
# SECURE FILES AND DIRECTORIES
|
# SECURE FILES AND DIRECTORIES
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times)
|
ynh_script_progression --message="Protecting directories..." --weight=3
|
||||||
# For any update do it in all files
|
set_permissions data
|
||||||
ynh_script_progression --message="Configuring file permission..."
|
|
||||||
chown $synapse_user:root -R $final_path
|
|
||||||
chmod 770 $final_path/Coturn_config_rotate.sh
|
|
||||||
chmod 700 $final_path/update_synapse_for_appservice.sh
|
|
||||||
chown $synapse_user:root -R $data_path
|
|
||||||
chown $synapse_user:root -R /var/log/matrix-$app
|
|
||||||
chown $synapse_user:root -R /etc/matrix-$app
|
|
||||||
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
|
|
||||||
chmod 600 /etc/matrix-$app/$server_name.signing.key
|
|
||||||
setfacl -R -m user:turnserver:rX /etc/matrix-$app
|
|
||||||
setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
|
|
||||||
chmod u=rwX,g=rX,o= -R $final_www_path
|
|
||||||
chown $synapse_user:root -R $final_www_path
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RELOAD NGINX, SYNAPSE AND COTURN
|
# RELOAD NGINX, SYNAPSE AND COTURN
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Restarting Synapse services..." --weight=7
|
ynh_script_progression --message="Restarting Synapse services..." --weight=7
|
||||||
|
|
||||||
ynh_systemd_action --service_name=coturn-$app.service --action=restart
|
ynh_systemd_action --service_name=$app-coturn.service --action=restart
|
||||||
ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
|
ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# SEND A README FOR THE ADMIN
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, RESTORE
|
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
echo "To federate this app you need to add this line in your DNS configuration:
|
|
||||||
|
|
||||||
_matrix._tcp.$domain. 3600 IN SRV 10 0 $synapse_tls_port $domain.
|
|
||||||
|
|
||||||
You also need to open the TCP port $synapse_tls_port on your ISP box if it's not automatically done.
|
|
||||||
|
|
||||||
Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .
|
|
||||||
|
|
||||||
If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh" > mail_to_send
|
|
||||||
|
|
||||||
ynh_send_readme_to_admin --app_message="mail_to_send" --type="restore"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# GENERIC FINALIZATION
|
# GENERIC FINALIZATION
|
||||||
|
|
812
scripts/upgrade
812
scripts/upgrade
|
@ -10,129 +10,11 @@ source _common.sh
|
||||||
source experimental_helper.sh
|
source experimental_helper.sh
|
||||||
source /usr/share/yunohost/helpers
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
# Exit if an error occurs during the execution of the script
|
|
||||||
ynh_abort_if_errors
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# LOAD SETTINGS
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Loading installation settings..." --weight=3
|
|
||||||
|
|
||||||
app=$YNH_APP_INSTANCE_NAME
|
|
||||||
|
|
||||||
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
|
||||||
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
|
|
||||||
jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
|
|
||||||
path_url=$(ynh_app_setting_get --app=$app --key=path)
|
|
||||||
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
|
|
||||||
synapse_old_version=$(ynh_app_setting_get --app=$app --key=synapse_version)
|
|
||||||
is_free_registration=$(ynh_app_setting_get --app=$app --key=is_free_registration)
|
|
||||||
port=$(ynh_app_setting_get --app=$app --key=synapse_port)
|
|
||||||
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
|
|
||||||
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
|
|
||||||
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
|
|
||||||
cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
|
|
||||||
report_stats=$(ynh_app_setting_get --app=$app --key=report_stats)
|
|
||||||
e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
|
|
||||||
synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
|
|
||||||
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
|
|
||||||
registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
|
|
||||||
form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
|
|
||||||
macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
|
|
||||||
synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
|
|
||||||
domain_whitelist_client_=$(get_domain_list)
|
|
||||||
domain_whitelist_client=${domain_whitelist_client_%"\n"}
|
|
||||||
main_domain=$(yunohost domain list --output-as json | jq -r .main)
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SET ALL CONSTANT
|
# SET ALL CONSTANT
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
synapse_user="matrix-$app"
|
|
||||||
synapse_user_app="$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
synapse_db_user="matrix_$app"
|
|
||||||
synapse_db_name="matrix_$app"
|
|
||||||
upstream_version=$(ynh_app_upstream_version)
|
|
||||||
upgrade_type=$(ynh_check_app_version_changed)
|
upgrade_type=$(ynh_check_app_version_changed)
|
||||||
final_www_path="/var/www/$app"
|
|
||||||
data_path="/home/yunohost.app/matrix-$app"
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# GET CONFIG PANEL SETTINGS
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
server_statistics=$(ynh_app_setting_get --app=$app --key=server_statistics)
|
|
||||||
web_client_location=$(ynh_app_setting_get --app=$app --key=web_client_location)
|
|
||||||
client_base_url=$(ynh_app_setting_get --app=$app --key=client_base_url)
|
|
||||||
invite_client_location=$(ynh_app_setting_get --app=$app --key=invite_client_location)
|
|
||||||
allow_public_rooms_without_auth=$(ynh_app_setting_get --app=$app --key=allow_public_rooms_without_auth)
|
|
||||||
allow_public_rooms_over_federation=$(ynh_app_setting_get --app=$app --key=allow_public_rooms_over_federation)
|
|
||||||
max_upload_size=$(ynh_app_setting_get --app=$app --key=max_upload_size)
|
|
||||||
disable_msisdn_registration=$(ynh_app_setting_get --app=$app --key=disable_msisdn_registration)
|
|
||||||
registrations_require_3pid=$(ynh_app_setting_get --app=$app --key=registrations_require_3pid)
|
|
||||||
allowed_local_3pids_email=$(ynh_app_setting_get --app=$app --key=allowed_local_3pids_email)
|
|
||||||
allowed_local_3pids_msisdn=$(ynh_app_setting_get --app=$app --key=allowed_local_3pids_msisdn)
|
|
||||||
account_threepid_delegates_msisdn=$(ynh_app_setting_get --app=$app --key=account_threepid_delegates_msisdn)
|
|
||||||
allow_guest_access=$(ynh_app_setting_get --app=$app --key=allow_guest_access)
|
|
||||||
default_identity_server=$(ynh_app_setting_get --app=$app --key=default_identity_server)
|
|
||||||
auto_join_rooms=$(ynh_app_setting_get --app=$app --key=auto_join_rooms)
|
|
||||||
autocreate_auto_join_rooms=$(ynh_app_setting_get --app=$app --key=autocreate_auto_join_rooms)
|
|
||||||
auto_join_rooms_for_guests=$(ynh_app_setting_get --app=$app --key=auto_join_rooms_for_guests)
|
|
||||||
enable_notifs=$(ynh_app_setting_get --app=$app --key=enable_notifs)
|
|
||||||
notif_for_new_users=$(ynh_app_setting_get --app=$app --key=notif_for_new_users)
|
|
||||||
enable_group_creation=$(ynh_app_setting_get --app=$app --key=enable_group_creation)
|
|
||||||
|
|
||||||
enable_registration=$(ynh_app_setting_get --app=$app --key=enable_registration)
|
|
||||||
turn_allow_guests=$(ynh_app_setting_get --app=$app --key=turn_allow_guests)
|
|
||||||
sso_enabled=$(ynh_app_setting_get --app=$app --key=sso_enabled)
|
|
||||||
password_enabled=$(ynh_app_setting_get --app=$app --key=password_enabled)
|
|
||||||
enable_3pid_lookup=$(ynh_app_setting_get --app=$app --key=enable_3pid_lookup)
|
|
||||||
push_include_content=$(ynh_app_setting_get --app=$app --key=push_include_content)
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# ENSURE DOWNWARD COMPATIBILITY
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
|
|
||||||
|
|
||||||
# Following the discussion here https://github.com/YunoHost-Apps/synapse_ynh/pull/51 we decided to remove definitely the support of the old package migration.
|
|
||||||
if [ -z "$synapse_old_version" ]
|
|
||||||
then
|
|
||||||
ynh_die --message="Update from this synapse version is not available. You need to remove this package and reinstall the new package version."
|
|
||||||
fi
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# MIGRATION 7 : Working config panel v1
|
|
||||||
#=================================================
|
|
||||||
backup_before_upgrade=$(ynh_app_setting_get --app=$app --key=backup_before_upgrade)
|
|
||||||
if [ -z $backup_before_upgrade ] ; then
|
|
||||||
backup_before_upgrade="true"
|
|
||||||
disable_backup_before_upgrade=$(ynh_app_setting_get --app=$app --key=disable_backup_before_upgrade)
|
|
||||||
if [ "0$disable_backup_before_upgrade" -ne 0 ]; then
|
|
||||||
backup_before_upgrade="false"
|
|
||||||
fi
|
|
||||||
ynh_app_setting_set --app=$app --key=backup_before_upgrade --value=$backup_before_upgrade
|
|
||||||
fi
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
# We stop the service before to set ynh_clean_setup
|
|
||||||
ynh_systemd_action --service_name=matrix-$app.service --action=stop
|
|
||||||
|
|
||||||
# Backup the current version of the app
|
|
||||||
if $backup_before_upgrade ; then
|
|
||||||
ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=30
|
|
||||||
ynh_backup_before_upgrade
|
|
||||||
ynh_clean_setup () {
|
|
||||||
# Clean installation remainings that are not handled by the remove script.
|
|
||||||
ynh_clean_check_starting
|
|
||||||
ynh_restore_upgradebackup
|
|
||||||
}
|
|
||||||
else
|
|
||||||
ynh_script_progression --message="NOT Backing up the app before upgrading..." --weight=1
|
|
||||||
fi
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# STANDARD UPGRADE STEPS
|
# STANDARD UPGRADE STEPS
|
||||||
|
@ -141,313 +23,265 @@ fi
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# Migrate from settings 'special_domain' to 'domain' and 'special_path' to 'path'
|
# Migrate from settings 'special_domain' to 'domain' and 'special_path' to 'path'
|
||||||
if [ -z $domain ]; then
|
if [ -z "${domain:-}" ]; then
|
||||||
domain=$(ynh_app_setting_get --app=$app --key=special_domain)
|
domain=$(ynh_app_setting_get --app=$app --key=special_domain)
|
||||||
path_url=$(ynh_app_setting_get --app=$app --key=special_path)
|
path=$(ynh_app_setting_get --app=$app --key=special_path)
|
||||||
ynh_app_setting_set --app=$app --key=domain --value=$domain
|
ynh_app_setting_set --app=$app --key=domain --value=$domain
|
||||||
ynh_app_setting_set --app=$app --key=path --value=$path_url
|
ynh_app_setting_set --app=$app --key=path --value=$path
|
||||||
ynh_app_setting_delete --app=$app --key=special_domain
|
ynh_app_setting_delete --app=$app --key=special_domain
|
||||||
ynh_app_setting_delete --app=$app --key=special_path
|
ynh_app_setting_delete --app=$app --key=special_path
|
||||||
ynh_app_setting_set --app=$app --key=no_sso --value true
|
ynh_app_setting_set --app=$app --key=no_sso --value true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Define $server_name if not already defined
|
# Define $server_name if not already defined
|
||||||
if [ -z $server_name ]; then
|
if [ -z "${server_name:-}" ]; then
|
||||||
server_name=$domain
|
server_name=$domain
|
||||||
ynh_app_setting_set --app=$app --key=server_name --value=$domain
|
ynh_app_setting_set --app=$app --key=server_name --value=$domain
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Define $jitsi_server if not already defined
|
# Define $jitsi_server if not already defined
|
||||||
if [ -z $jitsi_server ]; then
|
if [ -z "${jitsi_server:-}" ]; then
|
||||||
jitsi_server='jitsi.riot.im'
|
jitsi_server='jitsi.riot.im'
|
||||||
ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server
|
ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Define $e2e_enabled_by_default if not already defined
|
# Define $e2e_enabled_by_default if not already defined
|
||||||
if [ -z $e2e_enabled_by_default ] ; then
|
if [ -z "${e2e_enabled_by_default:-}" ] ; then
|
||||||
e2e_enabled_by_default="invite"
|
e2e_enabled_by_default="invite"
|
||||||
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
|
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$e2e_enabled_by_default" = "true" ] ; then
|
if [ "$e2e_enabled_by_default" = "true" ] ; then
|
||||||
e2e_enabled_by_default="all"
|
e2e_enabled_by_default="all"
|
||||||
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
|
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$e2e_enabled_by_default" = "false" ]; then
|
if [ "$e2e_enabled_by_default" = "false" ]; then
|
||||||
e2e_enabled_by_default="off"
|
e2e_enabled_by_default="off"
|
||||||
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
|
ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z $report_stats ]; then
|
if [ -z "${report_stats:-}" ]; then
|
||||||
report_stats="false"
|
report_stats="false"
|
||||||
ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
|
ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z $is_free_registration ]; then
|
if [ -z "${web_client_location:-}" ]
|
||||||
is_free_registration=$(ynh_app_setting_get --app=$app --key=is_""public)
|
then
|
||||||
|
web_client_location="https://matrix.to/"
|
||||||
|
|
||||||
|
element_instance="element"
|
||||||
|
if yunohost --output-as plain app list | grep -q "^$element_instance"'$'; then
|
||||||
|
element_domain=$(ynh_app_setting_get --app $element_instance --key domain)
|
||||||
|
element_path=$(ynh_app_setting_get --app $element_instance --key path)
|
||||||
|
web_client_location="https://""$element_domain""$element_path"
|
||||||
|
fi
|
||||||
|
ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location
|
||||||
|
fi
|
||||||
|
if [ -z "${client_base_url:-}" ]
|
||||||
|
then
|
||||||
|
client_base_url=$web_client_location
|
||||||
|
ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url
|
||||||
|
fi
|
||||||
|
if [ -z "${invite_client_location:-}" ]
|
||||||
|
then
|
||||||
|
invite_client_location=$web_client_location
|
||||||
|
ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location
|
||||||
|
fi
|
||||||
|
if [ -z "${allow_public_rooms_without_auth:-}" ]
|
||||||
|
then
|
||||||
|
allow_public_rooms_without_auth=${allow_public_rooms:-false}
|
||||||
|
ynh_app_setting_set --app=$app --key=allow_public_rooms_without_auth --value=$allow_public_rooms_without_auth
|
||||||
|
fi
|
||||||
|
if [ -z "${allow_public_rooms_over_federation:-}" ]
|
||||||
|
then
|
||||||
|
allow_public_rooms_over_federation=${allow_public_rooms:-false}
|
||||||
|
ynh_app_setting_set --app=$app --key=allow_public_rooms_over_federation --value=$allow_public_rooms_over_federation
|
||||||
|
fi
|
||||||
|
if [ -z "${max_upload_size:-}" ]
|
||||||
|
then
|
||||||
|
max_upload_size="100M"
|
||||||
|
ynh_app_setting_set --app=$app --key=max_upload_size --value=$max_upload_size
|
||||||
|
fi
|
||||||
|
if [ -z "${disable_msisdn_registration:-}" ]
|
||||||
|
then
|
||||||
|
disable_msisdn_registration="true"
|
||||||
|
ynh_app_setting_set --app=$app --key=disable_msisdn_registration --value=$disable_msisdn_registration
|
||||||
|
fi
|
||||||
|
if [ -z "${registrations_require_3pid:-}" ] || [ "${registrations_require_3pid}" == none ]
|
||||||
|
then
|
||||||
|
registrations_require_3pid=email
|
||||||
|
ynh_app_setting_set --app=$app --key=registrations_require_3pid --value=$registrations_require_3pid
|
||||||
|
fi
|
||||||
|
if [ -z "${allowed_local_3pids_email:-}" ] || [[ "${allowed_local_3pids_email}" =~ \'.*\' ]] # Also remove shit value from previous config panel
|
||||||
|
then
|
||||||
|
allowed_local_3pids_email=''
|
||||||
|
ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value=$allowed_local_3pids_email
|
||||||
|
fi
|
||||||
|
if [ -z "${allowed_local_3pids_msisdn:-}" ] || [[ "${allowed_local_3pids_msisdn}" =~ \'.*\' ]] # Also remove shit value from previous config panel
|
||||||
|
then
|
||||||
|
allowed_local_3pids_msisdn=''
|
||||||
|
ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value=$allowed_local_3pids_msisdn
|
||||||
|
fi
|
||||||
|
if [ -z "${account_threepid_delegates_msisdn:-}" ]
|
||||||
|
then
|
||||||
|
account_threepid_delegates_msisdn=""
|
||||||
|
ynh_app_setting_set --app=$app --key=account_threepid_delegates_msisdn --value=$account_threepid_delegates_msisdn
|
||||||
|
fi
|
||||||
|
if [ -z "${allow_guest_access:-}" ]
|
||||||
|
then
|
||||||
|
allow_guest_access="false"
|
||||||
|
ynh_app_setting_set --app=$app --key=allow_guest_access --value=$allow_guest_access
|
||||||
|
fi
|
||||||
|
if [ -z "${default_identity_server:-}" ]
|
||||||
|
then
|
||||||
|
default_identity_server="https://matrix.org"
|
||||||
|
ynh_app_setting_set --app=$app --key=default_identity_server --value=$default_identity_server
|
||||||
|
fi
|
||||||
|
if [ -z "${auto_join_rooms:-}" ]
|
||||||
|
then
|
||||||
|
auto_join_rooms=""
|
||||||
|
ynh_app_setting_set --app=$app --key=auto_join_rooms --value=$auto_join_rooms
|
||||||
|
fi
|
||||||
|
if [ -z "${autocreate_auto_join_rooms:-}" ]
|
||||||
|
then
|
||||||
|
autocreate_auto_join_rooms="false"
|
||||||
|
ynh_app_setting_set --app=$app --key=autocreate_auto_join_rooms --value=$autocreate_auto_join_rooms
|
||||||
|
fi
|
||||||
|
if [ -z "${auto_join_rooms_for_guests:-}" ]
|
||||||
|
then
|
||||||
|
auto_join_rooms_for_guests="true"
|
||||||
|
ynh_app_setting_set --app=$app --key=auto_join_rooms_for_guests --value=$auto_join_rooms_for_guests
|
||||||
|
fi
|
||||||
|
if [ -z "${enable_notifs:-}" ]
|
||||||
|
then
|
||||||
|
enable_notifs="true"
|
||||||
|
ynh_app_setting_set --app=$app --key=enable_notifs --value=$enable_notifs
|
||||||
|
fi
|
||||||
|
if [ -z "${notif_for_new_users:-}" ]
|
||||||
|
then
|
||||||
|
notif_for_new_users="true"
|
||||||
|
ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users
|
||||||
|
fi
|
||||||
|
if [ -z "${enable_group_creation:-}" ]
|
||||||
|
then
|
||||||
|
enable_group_creation="true"
|
||||||
|
ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation
|
||||||
|
fi
|
||||||
|
if [ -z "${enable_3pid_lookup:-}" ]
|
||||||
|
then
|
||||||
|
enable_3pid_lookup=false
|
||||||
|
ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z $synapse_user_app_pwd ]; then
|
|
||||||
synapse_user_app_pwd="$(ynh_string_random --length=30)"
|
if [ -z "${enable_registration:-}" ]
|
||||||
ynh_app_setting_set --app=$app --key=synapse_user_app_pwd --value=$synapse_user_app_pwd
|
then
|
||||||
# The format to create an user account varies depending on the version of YunoHost currently installed.
|
if [ -z "${is_free_registration:-}" ]; then
|
||||||
ynh_current_version=$(dpkg-query --showformat='${Version}' --show yunohost)
|
is_free_registration=$(ynh_app_setting_get --app=$app --key=is_""public)
|
||||||
if $(dpkg --compare-versions "$ynh_current_version" ge "11.1"); then
|
fi
|
||||||
yunohost user create $synapse_user_app -F "Synapse Application" -d $domain -p "$synapse_user_app_pwd"
|
|
||||||
else
|
if [ "$is_free_registration" -eq "0" ]
|
||||||
yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
|
then
|
||||||
fi
|
enable_registration="false"
|
||||||
|
password_enabled="false"
|
||||||
|
|
||||||
|
else
|
||||||
|
enable_registration="true"
|
||||||
|
password_enabled="true"
|
||||||
|
fi
|
||||||
|
ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
|
||||||
|
ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -z "${push_include_content:-}" ]
|
||||||
|
then
|
||||||
|
push_include_content="true"
|
||||||
|
ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
|
||||||
|
fi
|
||||||
|
if [ -z "${enable_dtls_for_audio_video_turn_call:-}" ]
|
||||||
|
then
|
||||||
|
enable_dtls_for_audio_video_turn_call=true
|
||||||
|
ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
|
||||||
|
fi
|
||||||
|
|
||||||
|
# remove legacy env file into /etc/default
|
||||||
|
ynh_secure_remove --file=/etc/default/coturn-$app
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# MIGRATION 7 : STANDARDIZE SYSTEMD UNIT
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
if [ -e /etc/systemd/system/matrix-$app.service ]
|
||||||
|
then
|
||||||
|
ynh_script_progression --message='Migrating systemd unit to standard name...'
|
||||||
|
|
||||||
|
systemctl stop matrix-$app.service || true
|
||||||
|
systemctl stop coturn-$app.service || true
|
||||||
|
|
||||||
|
yunohost service remove matrix-$app || true
|
||||||
|
yunohost service remove coturn-$app || true
|
||||||
|
|
||||||
|
ynh_secure_remove --file=/etc/systemd/system/matrix-$app.service
|
||||||
|
ynh_secure_remove --file=/etc/systemd/system/coturn-$app.service
|
||||||
|
|
||||||
|
touch /etc/systemd/system/$app.service
|
||||||
|
systemctl daemon-reload || true
|
||||||
|
fi
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# STOP SERVICES
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
# We stop the service
|
||||||
|
ynh_systemd_action --service_name=$app.service --action=stop
|
||||||
|
|
||||||
|
ynh_script_progression --message='Managing migrations...'
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# MIGRATION 6 : Migrate data directory
|
# MIGRATION 6 : Migrate data directory
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
if [ -e "/var/lib/matrix-$app" ]; then
|
if [ -e "/var/lib/matrix-$app" ]; then
|
||||||
ynh_script_progression --message="Moving data directory to $data_path..." --weight=1
|
ynh_script_progression --message="Moving data directory to $data_dir..." --weight=1
|
||||||
if [ -e "$data_path" ]; then
|
if [ -e "$data_dir" ]; then
|
||||||
old_data_dir_path="$data_path$(date '+%Y%m%d.%H%M%S')"
|
old_data_dir_path="$data_dir$(date '+%Y%m%d.%H%M%S')"
|
||||||
ynh_print_warn "A data directory already exist. Data was renamed to $old_data_dir_path"
|
ynh_print_warn "A data directory already exist. Data was renamed to $old_data_dir_path"
|
||||||
mv "$data_path" "$old_data_dir_path"
|
mv "$data_dir" "$old_data_dir_path"
|
||||||
fi
|
fi
|
||||||
mv "/var/lib/matrix-$app" "$data_path"
|
mv "/var/lib/matrix-$app" "$data_dir"
|
||||||
fi
|
|
||||||
if ! grep -q "$final_path" /etc/passwd; then
|
|
||||||
# matrix-synapse:x:994:994::/var/lib/matrix-synapse:/usr/sbin/nologin
|
|
||||||
sed --in-place -r "s@matrix-$app\:x\:([[:digit:]]+\:[[:digit:]]+)\:\:/.*/matrix-$app\:/usr/sbin/nologin@matrix-$app\:x\:\1\:\:$final_path\:/usr/sbin/nologin@g" /etc/passwd
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# MIGRATION 7 : Working config panel v1
|
# MIGRATION 3 : USE STANDARD ACCESS FOR CERTIFCATE
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
|
# Fix issue about certificates access
|
||||||
if [ -z $allow_public_rooms ]; then
|
if [ ! $(grep "ssl-cert:x:[0-9]*:.*$app" /etc/group) ]
|
||||||
allow_public_rooms="false"
|
then
|
||||||
fi
|
ynh_script_progression --message="Use standard access for certificate..." --weight=1
|
||||||
|
|
||||||
# SET STANDARD SETTINGS FROM DEFAULT CONFIG
|
adduser $app ssl-cert
|
||||||
|
adduser turnserver ssl-cert
|
||||||
# Get app name of first Element Instance
|
|
||||||
element_ynh_url="https://matrix.to/"
|
|
||||||
element_domain=""
|
|
||||||
element_path=""
|
|
||||||
web_client_location=$element_ynh_url
|
|
||||||
client_base_url=$element_ynh_url
|
|
||||||
invite_client_location=$element_ynh_url
|
|
||||||
element_instance="element"
|
|
||||||
if [ -z "$web_client_location" ]
|
|
||||||
then
|
|
||||||
if yunohost --output-as plain app list | grep -q "^$element_instance"'$'; then
|
|
||||||
element_domain=$(ynh_app_setting_get --app $element_instance --key domain)
|
|
||||||
element_path=$(ynh_app_setting_get --app $element_instance --key path)
|
|
||||||
element_ynh_url="https://""$element_domain""$element_path"
|
|
||||||
fi
|
|
||||||
web_client_location=$element_ynh_url
|
|
||||||
client_base_url=$element_ynh_url
|
|
||||||
invite_client_location=$element_ynh_url
|
|
||||||
ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location
|
|
||||||
ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url
|
|
||||||
ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "$server_statistics" ]
|
|
||||||
then
|
|
||||||
server_statistics="false"
|
|
||||||
ynh_app_setting_set --app=$app --key=server_statistics --value=$server_statistics
|
|
||||||
fi
|
|
||||||
if [ -z "$allow_public_rooms_without_auth" ]
|
|
||||||
then
|
|
||||||
allow_public_rooms_without_auth=$allow_public_rooms
|
|
||||||
ynh_app_setting_set --app=$app --key=allow_public_rooms_without_auth --value=$allow_public_rooms_without_auth
|
|
||||||
fi
|
|
||||||
if [ -z "$allow_public_rooms_over_federation" ]
|
|
||||||
then
|
|
||||||
allow_public_rooms_over_federation=$allow_public_rooms
|
|
||||||
ynh_app_setting_set --app=$app --key=allow_public_rooms_over_federation --value=$allow_public_rooms_over_federation
|
|
||||||
fi
|
|
||||||
if [ -z "$max_upload_size" ]
|
|
||||||
then
|
|
||||||
max_upload_size="10M"
|
|
||||||
ynh_app_setting_set --app=$app --key=max_upload_size --value=$max_upload_size
|
|
||||||
fi
|
|
||||||
if [ -z "$disable_msisdn_registration" ]
|
|
||||||
then
|
|
||||||
disable_msisdn_registration="true"
|
|
||||||
ynh_app_setting_set --app=$app --key=disable_msisdn_registration --value=$disable_msisdn_registration
|
|
||||||
fi
|
|
||||||
if [ -z "$registrations_require_3pid" ]
|
|
||||||
then
|
|
||||||
registrations_require_3pid="none"
|
|
||||||
ynh_app_setting_set --app=$app --key=registrations_require_3pid --value=$registrations_require_3pid
|
|
||||||
fi
|
|
||||||
if [ -z "$allowed_local_3pids_email" ]
|
|
||||||
then
|
|
||||||
allowed_local_3pids_email="'^[^@]+@""matrix""\.org$'"
|
|
||||||
ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value=$allowed_local_3pids_email
|
|
||||||
fi
|
|
||||||
if [ -z "$allowed_local_3pids_msisdn" ]
|
|
||||||
then
|
|
||||||
allowed_local_3pids_msisdn="'\+33'"
|
|
||||||
ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value=$allowed_local_3pids_msisdn
|
|
||||||
fi
|
|
||||||
if [ -z "$account_threepid_delegates_msisdn" ]
|
|
||||||
then
|
|
||||||
account_threepid_delegates_msisdn=""
|
|
||||||
ynh_app_setting_set --app=$app --key=account_threepid_delegates_msisdn --value=$account_threepid_delegates_msisdn
|
|
||||||
fi
|
|
||||||
if [ -z "$allow_guest_access" ]
|
|
||||||
then
|
|
||||||
allow_guest_access="false"
|
|
||||||
ynh_app_setting_set --app=$app --key=allow_guest_access --value=$allow_guest_access
|
|
||||||
fi
|
|
||||||
if [ -z "$default_identity_server" ]
|
|
||||||
then
|
|
||||||
default_identity_server="https://matrix.org"
|
|
||||||
ynh_app_setting_set --app=$app --key=default_identity_server --value=$default_identity_server
|
|
||||||
fi
|
|
||||||
if [ -z "$auto_join_rooms" ]
|
|
||||||
then
|
|
||||||
auto_join_rooms="#auto_join_room:""$server_name"
|
|
||||||
ynh_app_setting_set --app=$app --key=auto_join_rooms --value=$auto_join_rooms
|
|
||||||
fi
|
|
||||||
if [ -z "$autocreate_auto_join_rooms" ]
|
|
||||||
then
|
|
||||||
autocreate_auto_join_rooms="false"
|
|
||||||
ynh_app_setting_set --app=$app --key=autocreate_auto_join_rooms --value=$autocreate_auto_join_rooms
|
|
||||||
fi
|
|
||||||
if [ -z "$auto_join_rooms_for_guests" ]
|
|
||||||
then
|
|
||||||
auto_join_rooms_for_guests="true"
|
|
||||||
ynh_app_setting_set --app=$app --key=auto_join_rooms_for_guests --value=$auto_join_rooms_for_guests
|
|
||||||
fi
|
|
||||||
if [ -z "$enable_notifs" ]
|
|
||||||
then
|
|
||||||
enable_notifs="true"
|
|
||||||
ynh_app_setting_set --app=$app --key=enable_notifs --value=$enable_notifs
|
|
||||||
fi
|
|
||||||
if [ -z "$notif_for_new_users" ]
|
|
||||||
then
|
|
||||||
notif_for_new_users="true"
|
|
||||||
ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users
|
|
||||||
fi
|
|
||||||
if [ -z "$enable_group_creation" ]
|
|
||||||
then
|
|
||||||
enable_group_creation="true"
|
|
||||||
ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "$enable_registration" ]
|
|
||||||
then
|
|
||||||
if [ "$is_free_registration" -eq "0" ]
|
|
||||||
then
|
|
||||||
enable_registration="false"
|
|
||||||
turn_allow_guests="false"
|
|
||||||
sso_enabled="true"
|
|
||||||
password_enabled="false"
|
|
||||||
enable_3pid_lookup="false"
|
|
||||||
else
|
|
||||||
enable_registration="true"
|
|
||||||
turn_allow_guests="true"
|
|
||||||
sso_enabled="false"
|
|
||||||
password_enabled="true"
|
|
||||||
enable_3pid_lookup="true"
|
|
||||||
fi
|
|
||||||
ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
|
|
||||||
ynh_app_setting_set --app=$app --key=turn_allow_guests --value=$turn_allow_guests
|
|
||||||
ynh_app_setting_set --app=$app --key=sso_enabled --value=$sso_enabled
|
|
||||||
ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
|
|
||||||
ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "$push_include_content" ]
|
|
||||||
then
|
|
||||||
push_include_content="true"
|
|
||||||
ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# INSTALL DEPENDENCIES
|
# MIGRATION 4 : CREATE A DH FILE
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Upgrading dependencies..." --weight=6
|
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
|
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
|
||||||
# For any update do it in all files
|
# For any update do it in all files
|
||||||
ynh_exec_warn_less ynh_install_app_dependencies $dependances
|
|
||||||
|
|
||||||
#=================================================
|
# Make dh cert for synapse if it doesn't exist
|
||||||
# DOWNLOAD, CHECK AND UNPACK SOURCE
|
if [ ! -e /etc/ssl/private/dh2048.pem ]
|
||||||
#=================================================
|
|
||||||
|
|
||||||
if [ "$upgrade_type" == "UPGRADE_APP" ] || [ ! -e $final_path/bin/python3 ] || [ ! -e $final_path/lib/python$python_version ]
|
|
||||||
then
|
then
|
||||||
ynh_script_progression --message="Upgrading source files..." --weight=6
|
ynh_script_progression --message="Creating a dh file..." --weight=1
|
||||||
install_sources
|
|
||||||
|
ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -dsaparam 2048
|
||||||
|
chown root:ssl-cert /etc/ssl/private/dh2048.pem
|
||||||
|
chmod 640 /etc/ssl/private/dh2048.pem
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# CREATE SMALL CAS SERVER
|
|
||||||
#=================================================
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE
|
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
mkdir -p $final_www_path
|
|
||||||
cp ../sources/cas_server.php $final_www_path/
|
|
||||||
chmod u=rwX,g=rX,o= -R $final_www_path
|
|
||||||
chown $synapse_user:root -R $final_www_path
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# MIGRATION 1 : GENERATE SYNAPSE SECRET
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
if [ -z "$registration_shared_secret" ] || [ "$form_secret" == "form_secret: " ]
|
|
||||||
then
|
|
||||||
ynh_script_progression --message="Generating synapse secret..." --weight=1
|
|
||||||
|
|
||||||
# Go in virtualenvironnement
|
|
||||||
set +u
|
|
||||||
source $final_path/bin/activate
|
|
||||||
set -u
|
|
||||||
|
|
||||||
# Generate config and keys
|
|
||||||
python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
|
|
||||||
|
|
||||||
# This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
|
|
||||||
set +u;
|
|
||||||
deactivate
|
|
||||||
set -u;
|
|
||||||
|
|
||||||
# Get random values from config
|
|
||||||
registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
|
|
||||||
form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
|
|
||||||
|
|
||||||
# store in yunohost settings
|
|
||||||
ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
|
|
||||||
ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
|
|
||||||
fi
|
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# UPDATE SYNAPSE CONFIG
|
|
||||||
#=================================================
|
|
||||||
ynh_script_progression --message="Updating synapse config..." --weight=2
|
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
|
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
if [ -z $macaroon_secret_key ]; then
|
|
||||||
# Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
|
|
||||||
# For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
|
|
||||||
# The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
|
|
||||||
# So for the old install we just leave this as it is. And for the new install we use a real macaroon.
|
|
||||||
macaroon_secret_key_param='# macaroon_secret_key: ""'
|
|
||||||
else
|
|
||||||
macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
|
|
||||||
fi
|
|
||||||
|
|
||||||
ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
|
|
||||||
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# MIGRATION 2 : MULTINSTANCE SUPPORT
|
# MIGRATION 2 : MULTINSTANCE SUPPORT
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -463,15 +297,6 @@ then
|
||||||
# Disable default config for turnserver and create a new service
|
# Disable default config for turnserver and create a new service
|
||||||
systemctl stop coturn.service
|
systemctl stop coturn.service
|
||||||
|
|
||||||
# Set a port for each service in turnserver
|
|
||||||
turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
|
|
||||||
cli_port=$(ynh_find_port --port=5766)
|
|
||||||
|
|
||||||
ynh_app_setting_set --app=$app --key=turnserver_alt_tls_port --value=$turnserver_alt_tls_port
|
|
||||||
ynh_app_setting_set --app=$app --key=cli_port --value=$cli_port
|
|
||||||
|
|
||||||
yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# MAKE A CLEAN LOGROTATE CONFIG
|
# MAKE A CLEAN LOGROTATE CONFIG
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -480,37 +305,109 @@ then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# MIGRATION 3 : USE STANDARD ACCESS FOR CERTIFCATE
|
# MIGRATION 8 : Migrate database to managed database (Migrate db name from matrix_$app to $app)
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# Fix issue about certificates access
|
if ynh_psql_execute_as_root --sql='\list' | grep matrix_$app; then
|
||||||
if [ ! $(grep "ssl-cert:x:[0-9]*:.*matrix-$app" /etc/group) ]
|
ynh_''psql_remove_db --db_user="user_wich_must_dont_exist_and_keep_current_user" --db_name=$db_name
|
||||||
then
|
ynh_psql_execute_as_root --sql="ALTER DATABASE matrix_$app RENAME TO $db_name;"
|
||||||
ynh_script_progression --message="Use standard access for certificate..." --weight=1
|
ynh_psql_execute_as_root --database=$db_name --sql="REASSIGN OWNED BY matrix_$app TO $db_user;"
|
||||||
|
ynh_psql_execute_as_root --sql="UPDATE pg_database SET datcollate='C', datctype='C' WHERE datname='$db_name';"
|
||||||
adduser $synapse_user ssl-cert
|
ynh_psql_execute_as_root --sql="DROP USER matrix_$app;"
|
||||||
adduser turnserver ssl-cert
|
# for unknown reason we need to set again the password for synapse user. Without this synapse can't authenticate to postgresql
|
||||||
|
ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH ENCRYPTED PASSWORD '$db_pwd';"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# MIGRATION 4 : CREATE A DH FILE
|
# MIGRATION 9 : migrate data path (from matrix-$app to $app)
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
|
if [ -e /home/yunohost.app/matrix-$app ]; then
|
||||||
# For any update do it in all files
|
mv -t $data_dir /home/yunohost.app/matrix-$app/*
|
||||||
|
ynh_secure_remove --file=/home/yunohost.app/matrix-$app
|
||||||
|
fi
|
||||||
|
|
||||||
# Make dh cert for synapse if it doesn't exist
|
#=================================================
|
||||||
if [ ! -e /etc/ssl/private/dh2048.pem ]
|
# MIGRATION 11 : make this app using full domain
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
ynh_app_setting_set --app=$app --key=path --value=/
|
||||||
|
|
||||||
|
if yunohost app map -r --output-as json | jq -r '."'$domain'" | select( . != null ) | .[] | .id' | grep -v "$app" -q; then
|
||||||
|
ynh_print_warn 'An other app is installed on this domain. Now synapse require to be alone on the domain.'
|
||||||
|
ynh_print_warn 'To solve this you can:'
|
||||||
|
ynh_print_warn " - Remove or move all other app which use '$domain'"
|
||||||
|
ynh_print_warn ' - Change the domain of synapse. You can find more informations here: https://github.com/YunoHost-Apps/synapse_ynh/tree/testing/doc/ADMIN.md#change-url'
|
||||||
|
ynh_print_warn 'For more information you can see this issue: https://github.com/YunoHost-Apps/synapse_ynh/issues/443'
|
||||||
|
fi
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# MIGRATION 12 : update system user and drop yunohost user
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
if grep -q "^matrix-$app" /etc/passwd; then
|
||||||
|
# Must stop php before remove user as user is used by php
|
||||||
|
systemctl stop php$YNH_PHP_VERSION-fpm.service
|
||||||
|
|
||||||
|
ynh_''system_user_delete --username=matrix-$app
|
||||||
|
yunohost user delete $app || true
|
||||||
|
ynh_''system_user_create --username=$app --home_dir=$code_dir
|
||||||
|
adduser $app ssl-cert
|
||||||
|
fi
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# DOWNLOAD, CHECK AND UNPACK SOURCE
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
if [ "$upgrade_type" == "UPGRADE_APP" ] || [ ! -e $code_dir/bin/python3 ] || [ ! -e $code_dir/lib/python$python_version ]
|
||||||
then
|
then
|
||||||
ynh_script_progression --message="Creating a dh file..." --weight=1
|
ynh_script_progression --message="Upgrading source files..." --weight=6
|
||||||
|
install_sources
|
||||||
|
fi
|
||||||
|
|
||||||
openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
|
#=================================================
|
||||||
chown root:ssl-cert /etc/ssl/private/dh2048.pem
|
# MIGRATION 1 : GENERATE SYNAPSE SECRET
|
||||||
chmod 640 /etc/ssl/private/dh2048.pem
|
#=================================================
|
||||||
|
|
||||||
|
if [ -z "${registration_shared_secret:-}" ] || [ "$form_secret" == "form_secret: " ]
|
||||||
|
then
|
||||||
|
ynh_script_progression --message="Generating synapse secret..." --weight=1
|
||||||
|
|
||||||
|
# Generate config and keys
|
||||||
|
$code_dir/bin/python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
|
||||||
|
|
||||||
|
# Get random values from config
|
||||||
|
registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
|
||||||
|
form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
|
||||||
|
|
||||||
|
# store in yunohost settings
|
||||||
|
ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
|
||||||
|
ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# STANDARD UPGRADE STEPS
|
# STANDARD UPGRADE STEPS
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# UPDATE SYNAPSE CONFIG
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Updating synapse config..." --weight=2
|
||||||
|
|
||||||
|
configure_synapse
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# CREATE SMALL CAS SERVER
|
||||||
|
#=================================================
|
||||||
|
# WARNING : theses command are used in INSTALL, UPGRADE
|
||||||
|
# For any update do it in all files
|
||||||
|
|
||||||
|
mkdir -p $install_dir
|
||||||
|
cp ../sources/cas_server.php $install_dir/
|
||||||
|
chmod u=rwX,g=rX,o= -R $install_dir
|
||||||
|
chown $app:root -R $install_dir
|
||||||
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# NGINX CONFIGURATION
|
# NGINX CONFIGURATION
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -520,19 +417,8 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." -
|
||||||
ynh_script_progression --message="Configuring application..."
|
ynh_script_progression --message="Configuring application..."
|
||||||
|
|
||||||
ynh_add_fpm_config --usage=low --footprint=low
|
ynh_add_fpm_config --usage=low --footprint=low
|
||||||
sed -i "s|user\s*=\s*$app|user = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
|
|
||||||
sed -i "s|group\s*=\s*$app|group = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
|
|
||||||
sed -i "s|chdir\s*=\s*/opt/yunohost/matrix-synapse.*|chdir = $final_www_path|g" /etc/php/7.*/fpm/pool.d/$app.conf
|
|
||||||
ynh_store_file_checksum --file=$(ls /etc/php/7.*/fpm/pool.d/$app.conf)
|
|
||||||
|
|
||||||
# Create .well-known redirection for access by federation
|
configure_nginx
|
||||||
if yunohost --output-as plain domain list | grep -q "^$server_name$"
|
|
||||||
then
|
|
||||||
ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Create a dedicated NGINX config
|
|
||||||
ynh_add_nginx_config app
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SPECIFIC UPGRADE
|
# SPECIFIC UPGRADE
|
||||||
|
@ -541,26 +427,7 @@ ynh_add_nginx_config app
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Updating Coturn config..." --weight=1
|
ynh_script_progression --message="Updating Coturn config..." --weight=1
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE
|
configure_coturn
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
# Get public IP and set as external IP for coturn
|
|
||||||
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
|
|
||||||
public_ip4="$(curl -s ip.yunohost.org)" || true
|
|
||||||
public_ip6="$(curl -s ipv6.yunohost.org)" || true
|
|
||||||
|
|
||||||
turn_external_ip=""
|
|
||||||
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
|
|
||||||
then
|
|
||||||
turn_external_ip+="external-ip="$public_ip4%"\n"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
|
|
||||||
then
|
|
||||||
turn_external_ip+="external-ip="$public_ip6%"\n"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# ADD SCRIPT FOR COTURN CRON AND APP SERVICE
|
# ADD SCRIPT FOR COTURN CRON AND APP SERVICE
|
||||||
|
@ -569,8 +436,9 @@ ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/cotu
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE
|
# WARNING : theses command are used in INSTALL, UPGRADE
|
||||||
# For any update do it in all files
|
# For any update do it in all files
|
||||||
|
|
||||||
ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh"
|
ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$code_dir/Coturn_config_rotate.sh"
|
||||||
ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh"
|
ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$code_dir/update_synapse_for_appservice.sh"
|
||||||
|
ynh_add_config --template=../sources/set_admin_user.sh --destination=$code_dir/set_admin_user.sh
|
||||||
|
|
||||||
# Ensure app-service folder has exists and the config file exit (Migration)
|
# Ensure app-service folder has exists and the config file exit (Migration)
|
||||||
mkdir -p /etc/matrix-$app/app-service
|
mkdir -p /etc/matrix-$app/app-service
|
||||||
|
@ -587,8 +455,8 @@ fi
|
||||||
# ADVERTISE SERVICE IN ADMIN PANEL
|
# ADVERTISE SERVICE IN ADMIN PANEL
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
yunohost service add matrix-$app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $synapse_tls_port
|
yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.'
|
||||||
yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
|
yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.'
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# UPDATE SYSTEMD
|
# UPDATE SYSTEMD
|
||||||
|
@ -596,20 +464,16 @@ yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
|
||||||
ynh_script_progression --message="Upgrading systemd configuration..." --weight=3
|
ynh_script_progression --message="Upgrading systemd configuration..." --weight=3
|
||||||
|
|
||||||
# Create systemd service for synapse and turnserver
|
# Create systemd service for synapse and turnserver
|
||||||
cp ../conf/default_matrix-synapse /etc/default/matrix-$app
|
ynh_add_systemd_config --service=$app --template=synapse.service
|
||||||
ynh_add_systemd_config --service=matrix-$app --template=matrix-synapse.service
|
|
||||||
|
|
||||||
cp ../conf/default_coturn /etc/default/coturn-$app
|
cp ../conf/default_coturn /etc/matrix-$app/coturn_env
|
||||||
ynh_add_systemd_config --service=coturn-$app --template=coturn-synapse.service
|
ynh_add_systemd_config --service=$app-coturn --template=synapse-coturn.service
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# UPGRADE FAIL2BAN
|
# UPGRADE FAIL2BAN
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=8
|
ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=8
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE
|
|
||||||
# For any update do it in all files
|
|
||||||
|
|
||||||
ynh_add_fail2ban_config --use_template
|
ynh_add_fail2ban_config --use_template
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -617,58 +481,28 @@ ynh_add_fail2ban_config --use_template
|
||||||
#=================================================
|
#=================================================
|
||||||
# SETUP PERMISSIONS
|
# SETUP PERMISSIONS
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
ynh_script_progression --message="Configuring permissions..." --weight=1
|
ynh_script_progression --message="Configuring permissions..." --weight=1
|
||||||
ynh_legacy_permissions_delete_all
|
|
||||||
|
|
||||||
ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
|
if yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
|
||||||
ynh_permission_update --permission=main --show_tile=false --protected=true
|
if ! ynh_""permission_exists --permission=server_client_infos; then
|
||||||
|
ynh_""permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
|
||||||
if ! ynh_permission_exists --permission=server_api; then
|
--label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
|
||||||
ynh_permission_create --permission=server_api --url=$domain/_matrix \
|
--auth_header=false --protected=true
|
||||||
--label="Server access for client apps." --show_tile=false --allowed=visitors \
|
else yunohost --output-as plain domain list | grep -q "^$server_name"'$'
|
||||||
--auth_header=false --protected=true
|
ynh_""permission_url --permission=server_client_infos --url=$server_name/.well-known/matrix \
|
||||||
python3 remove_sso_conf_persistent.py $domain $server_name \
|
--auth_header=false
|
||||||
|| ynh_print_warn --message="Your file /etc/ssowat/""conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually."
|
ynh_""permission_update --permission=server_client_infos --label="Server info for clients. (well-known)" --show_tile=false \
|
||||||
else
|
--protected=true
|
||||||
ynh_permission_url --permission=server_api --url=$domain/_matrix --remove_url=$server_name/.well-known/matrix \
|
fi
|
||||||
--auth_header=false
|
|
||||||
ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false \
|
|
||||||
--protected=true
|
|
||||||
fi
|
|
||||||
|
|
||||||
if yunohost --output-as plain domain list | grep -q "^$server_name"'$' && ! ynh_permission_exists --permission=server_client_infos; then
|
|
||||||
ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
|
|
||||||
--label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
|
|
||||||
--auth_header=false --protected=true
|
|
||||||
elif yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
|
|
||||||
ynh_permission_url --permission=server_client_infos --url=$server_name/.well-known/matrix \
|
|
||||||
--auth_header=false
|
|
||||||
ynh_permission_update --permission=server_client_infos --label="Server info for clients. (well-known)" --show_tile=false \
|
|
||||||
--protected=true
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! ynh_permission_exists --permission=admin_api; then
|
|
||||||
ynh_permission_create --permission=admin_api --url=$domain/_synapse \
|
|
||||||
--label="Server administration API." --show_tile=false \
|
|
||||||
--auth_header=false --allowed=visitors
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SECURE FILES AND DIRECTORIES
|
# SECURE FILES AND DIRECTORIES
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
|
ynh_script_progression --message="Protecting directories... (note that it could take a long time depending of your install size)" --weight=3
|
||||||
# For any update do it in all files
|
set_permissions data
|
||||||
chown $synapse_user:root -R $final_path
|
|
||||||
chmod 770 $final_path/Coturn_config_rotate.sh
|
|
||||||
chmod 700 $final_path/update_synapse_for_appservice.sh
|
|
||||||
chown $synapse_user:root -R $data_path
|
|
||||||
chown $synapse_user:root -R /var/log/matrix-$app
|
|
||||||
chown $synapse_user:root -R /etc/matrix-$app
|
|
||||||
chmod u=rwX,g=rX,o= -R /etc/matrix-$app
|
|
||||||
chmod 600 /etc/matrix-$app/$server_name.signing.key
|
|
||||||
setfacl -R -m user:turnserver:rX /etc/matrix-$app
|
|
||||||
setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# UPDATE HOOKS
|
# UPDATE HOOKS
|
||||||
|
@ -679,19 +513,13 @@ setfacl -R -m user:turnserver:rwX /var/log/matrix-$app
|
||||||
ynh_replace_string __APP__ $app ../hooks/post_cert_update
|
ynh_replace_string __APP__ $app ../hooks/post_cert_update
|
||||||
ynh_replace_string __DOMAIN__ $domain ../hooks/post_cert_update
|
ynh_replace_string __DOMAIN__ $domain ../hooks/post_cert_update
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# UPDATE VERSION SETTINGS
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
ynh_app_setting_set --app=$app --key=synapse_version --value=$upstream_version
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RELOAD SERVICES
|
# RELOAD SERVICES
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Restarting Synapse services..." --weight=5
|
ynh_script_progression --message="Restarting Synapse services..." --weight=5
|
||||||
|
|
||||||
ynh_systemd_action --service_name=coturn-$app.service --action=restart
|
ynh_systemd_action --service_name=$app-coturn.service --action=restart
|
||||||
ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
|
ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# END OF SCRIPT
|
# END OF SCRIPT
|
||||||
|
|
|
@ -1,33 +1,34 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
app_instance=__APP__
|
set -eu
|
||||||
|
|
||||||
|
app=__APP__
|
||||||
|
YNH_APP_BASEDIR=/etc/yunohost/apps/"$app"
|
||||||
|
|
||||||
|
pushd /etc/yunohost/apps/$app/conf
|
||||||
|
|
||||||
source /usr/share/yunohost/helpers
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
coturn_config_path="/etc/matrix-$app_instance/coturn.conf"
|
# Must load db_name var to load _common.sh
|
||||||
public_ip4="$(curl ip.yunohost.org)" || true
|
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
|
||||||
public_ip6="$(curl ipv6.yunohost.org)" || true
|
source ../scripts/_common.sh
|
||||||
|
|
||||||
old_config_line=$(egrep "^external-ip=.*\$" $coturn_config_path)
|
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
||||||
perl -i -pe 's/(^external-ip=.*\n)*//g' $coturn_config_path
|
port_cli=$(ynh_app_setting_get --app=$app --key=port_cli)
|
||||||
|
turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
|
||||||
|
port_turnserver_tls=$(ynh_app_setting_get --app=$app --key=port_turnserver_tls)
|
||||||
|
port_turnserver_alt_tls=$(ynh_app_setting_get --app=$app --key=port_turnserver_alt_tls)
|
||||||
|
enable_dtls_for_audio_video_turn_call=$(ynh_app_setting_get --app=$app --key=enable_dtls_for_audio_video_turn_call)
|
||||||
|
|
||||||
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
|
previous_checksum=$(ynh_app_setting_get --app=$app --key=checksum__etc_matrix-synapse_coturn.conf)
|
||||||
|
configure_coturn
|
||||||
|
new_checksum=$(ynh_app_setting_get --app=$app --key=checksum__etc_matrix-synapse_coturn.conf)
|
||||||
|
|
||||||
|
setfacl -R -m user:turnserver:rX /etc/matrix-$app
|
||||||
|
|
||||||
|
if [ "$previous_checksum" != "$new_checksum" ]
|
||||||
then
|
then
|
||||||
echo "external-ip=$public_ip4" >> "$coturn_config_path"
|
systemctl restart $app-coturn.service
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
|
|
||||||
then
|
|
||||||
echo "external-ip=$public_ip6" >> "$coturn_config_path"
|
|
||||||
fi
|
|
||||||
|
|
||||||
new_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf")
|
|
||||||
|
|
||||||
setfacl -R -m user:turnserver:rX /etc/matrix-$app_instance
|
|
||||||
|
|
||||||
if [ "$old_config_line" != "$new_config_line" ]
|
|
||||||
then
|
|
||||||
systemctl restart coturn-$app_instance.service
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
21
sources/set_admin_user.sh
Normal file
21
sources/set_admin_user.sh
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
source /usr/share/yunohost/helpers
|
||||||
|
|
||||||
|
app=__APP__
|
||||||
|
|
||||||
|
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
|
||||||
|
db_user=$(ynh_app_setting_get --app=$app --key=db_user)
|
||||||
|
db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
|
||||||
|
server_name=$(ynh_app_setting_get --app=$app --key=server_name)
|
||||||
|
|
||||||
|
if [ -z ${1:-} ]; then
|
||||||
|
echo "Usage: set_admin_user.sh user_to_set_as_admin"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
ynh_psql_execute_as_root --database=$db_name --sql="UPDATE users SET admin = 1 WHERE name = '@$1:$server_name'"
|
||||||
|
|
||||||
|
exit 0
|
|
@ -1,5 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -eu
|
||||||
|
|
||||||
app=__APP__
|
app=__APP__
|
||||||
service_config_file=/etc/matrix-$app/conf.d/app_service.yaml
|
service_config_file=/etc/matrix-$app/conf.d/app_service.yaml
|
||||||
|
|
||||||
|
@ -21,7 +23,7 @@ chown matrix-$app /etc/matrix-$app/app-service/*
|
||||||
chmod 600 $service_config_file
|
chmod 600 $service_config_file
|
||||||
chmod 600 /etc/matrix-$app/app-service/*
|
chmod 600 /etc/matrix-$app/app-service/*
|
||||||
|
|
||||||
systemctl restart matrix-$app
|
systemctl restart $app.service
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
rm /tmp/app_service_backup.yaml
|
rm /tmp/app_service_backup.yaml
|
||||||
|
|
9
tests.toml
Normal file
9
tests.toml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/tests.v1.schema.json
|
||||||
|
|
||||||
|
test_format = 1.0
|
||||||
|
|
||||||
|
[default]
|
||||||
|
|
||||||
|
test_upgrade_from.672791a51c1d239918562d7a0d4420ec137e6694.name = "Post app user creation (branch old_version_for_CI_7)"
|
||||||
|
|
||||||
|
test_upgrade_from.971f2eb590325fb1d6e1ca5723f59aacd639c9ce.name = "Before packaging v2 (branch old_version_for_CI_6)"
|
Loading…
Reference in a new issue