Merge pull request #325 from YunoHost-Apps/testing

Testing

README.md

@@ -20,7 +20,8 @@ Instant messaging server matrix network.
 Yunohost chatroom with matrix : [https://riot.im/app/#/room/#yunohost:matrix.org](https://riot.im/app/#/room/#yunohost:matrix.org)
 
 
-**Shipped version:** 1.59.0~ynh1
+**Shipped version:** 1.65.0~ynh1
+
 ## Disclaimers / important information
 
 ## Configuration

README_fr.md

@@ -20,7 +20,8 @@ Instant messaging server matrix network.
 Yunohost chatroom with matrix : [https://riot.im/app/#/room/#yunohost:matrix.org](https://riot.im/app/#/room/#yunohost:matrix.org)
 
 
-**Version incluse :** 1.59.0~ynh1
+**Version incluse :** 1.65.0~ynh1
+
 ## Avertissements / informations importantes
 
 ## Configuration

check_process

@@ -2,7 +2,7 @@
     ; Manifest
         domain="domain.tld"    (DOMAIN)
         path="/_matrix/static/"	(PATH)
-        is_public=1 (PUBLIC|public=1|private=0)
+        is_free_registration=1 (PUBLIC|public=1|private=0)
         server_name="domain.tld"    (DOMAIN)
     ; Checks
         pkg_linter=1
@@ -13,6 +13,7 @@
         setup_public=1
         upgrade=1
         upgrade=1   from_commit=0a485e0d6bcd14392b9203b3b27e7e1a7ba21d19
+        upgrade=1   from_commit=6af39e6e086e70e2063eb8f63c48a1e4a597300d
         backup_restore=1
         multi_instance=0
         incorrect_path=0
@@ -23,3 +24,5 @@
 ;;; Upgrade options
     ; commit=0a485e0d6bcd14392b9203b3b27e7e1a7ba21d19
         name=Before permission implementation (branch old_version_for_CI_4)
+    ; commit=6af39e6e086e70e2063eb8f63c48a1e4a597300d
+        name=Before app user creation

conf/armv7_bullseye.src

@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.59.0/matrix-synapse_1.59.0-bullseye-bin1_armv7l.tar.gz
+SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.65.0/matrix-synapse_1.65.0-bullseye-bin1_armv7l.tar.gz
-SOURCE_SUM=aedd3fe868dc9ad9359da0ce5124c602945267e9ab69a5ed0249367391cd44e7
+SOURCE_SUM=b0af6c40001712618ee7e270c6386bdb0f9f159af936ad7e9d2e9f57e5016fca
 # (Optional) Program to check the integrity (sha256sum, md5sum...)
 # default: sha256
 SOURCE_SUM_PRG=sha256sum

conf/armv7_buster.src

@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.59.0/matrix-synapse_1.59.0-buster-bin1_armv7l.tar.gz
+SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.65.0/matrix-synapse_1.65.0-buster-bin1_armv7l.tar.gz
-SOURCE_SUM=3a1e4602507594d4a38c5613edd1e16ebeef6e67cb7d40a7847fb0a32aeade22
+SOURCE_SUM=52f80e375c21d9e65e1eb48719140daef80cf4d12e0a80ab35d2ff021bce9e3d
 # (Optional) Program to check the integrity (sha256sum, md5sum...)
 # default: sha256
 SOURCE_SUM_PRG=sha256sum

conf/coturn-synapse.service

@@ -23,5 +23,34 @@ LimitRTTIME=7000000
 CPUSchedulingPolicy=other
 UMask=0007
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=multi-user.target

conf/matrix-synapse.service

@@ -6,12 +6,42 @@ After=network.target
 Type=simple
 User=matrix-__APP__
 WorkingDirectory=/opt/yunohost/matrix-__APP__
+BindPaths=/etc/matrix-__APP__
 EnvironmentFile=/etc/default/matrix-__APP__
 ExecStartPre=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/ --generate-keys
 ExecStart=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/
 Restart=always
 RestartSec=3
-RuntimeDirectory=%i
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
 
 [Install]
 WantedBy=multi-user.target

conf/nginx.conf

@@ -1,4 +1,4 @@
-location __PATH__ {
+location __PATH__/ {
         proxy_pass http://localhost:__PORT__;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;

config_panel.toml

@@ -13,11 +13,11 @@ name = "Synapse configuration"
         default = false
         help = "True to send anonymous statistics about synapse to improve the performances"
 
-        [synapse_config.server_config.is_public]
+        [synapse_config.server_config.is_free_registration]
-        ask = "Server public"
+        ask = "Server with free registration"
         type = "boolean"
         default = false
-        help = "Is it a public server"
+        help = "A public server means that anybody will be able to register on this server."
 
         [synapse_config.server_config.allow_public_rooms]
         ask = "Public rooms directory"

manifest.json

@@ -6,7 +6,7 @@
 		"en": "Instant messaging server which uses Matrix",
 		"fr": "Un serveur de messagerie instantané basé sur Matrix"
 	},
-	"version": "1.59.0~ynh1",
+	"version": "1.65.0~ynh1",
 	"url": "http://matrix.org",
 	"license": "Apache-2.0",
 	"maintainer": {
@@ -14,7 +14,7 @@
 		"email": "josue@tille.ch"
 	},
     "upstream": {
-        "license": "free",
+        "license": "Apache-2.0",
         "website": "https://matrix.org/",
         "code": "https://github.com/matrix-org/synapse"
     },
@@ -29,12 +29,7 @@
 		"install" : [
 			{
 				"name": "domain",
-				"type": "domain",
+				"type": "domain"
-				"ask": {
-					"en": "Choose a domain for Synapse",
-					"fr": "Choisissez un domaine pour Synapse"
-				},
-				"example": "synapse.domain.org"
 			},
 			{
 				"name": "server_name",
@@ -47,14 +42,14 @@
 				"default": "Same than the domain"
 			},
 			{
-				"name": "is_public",
+				"name": "is_free_registration",
 				"type": "boolean",
 				"ask": {
-					"en": "Is it a public server?",
+					"en": "Is it a server with free registration ?",
-					"fr": "Est-ce un serveur public ?"
+					"fr": "Est-ce un serveur avec création de compte libre ?"
 				},
 				"default": false,
-				"help": { 
+				"help": {
 					"en": "A public server means that anybody will be able to register on this server.",
 					"fr": "Un serveur public signifie que n'importe qui pourra s'enregistrer sur ce serveur."
 				}

scripts/_common.sh

@@ -1,5 +1,6 @@
 dependances="coturn build-essential python3-dev libffi-dev python3-pip python3-setuptools sqlite3 libssl-dev python3-venv libxml2-dev libxslt1-dev python3-lxml zlib1g-dev libjpeg-dev libpq-dev postgresql acl"
 python_version="$(python3 -V | cut -d' ' -f2 | cut -d. -f1-2)"
+app=$YNH_APP_INSTANCE_NAME
 
 install_sources() {
     # Install/upgrade synapse in virtualenv
@@ -45,7 +46,12 @@ install_sources() {
         set +$u_arg;
         source $final_path/bin/activate
         set -$u_arg;
-        pip3 install --upgrade setuptools wheel pip
+        if [ $(lsb_release --codename --short) == "bullseye" ]; then
+            pip3 install --upgrade setuptools==60.8.2 wheel pip
+        else
+            pip3 install --upgrade setuptools wheel pip
+        fi
+        
         chown $synapse_user:root -R $final_path
         sudo -u $synapse_user env PATH=$PATH pip3 install --upgrade 'cryptography>=3.4.7'
         pip3 install --upgrade cffi ndg-httpsclient psycopg2 lxml jinja2
@@ -62,3 +68,9 @@ install_sources() {
         ynh_secure_remove --file=$final_path/.cargo
     fi
 }
+
+get_domain_list() {
+    yunohost --output-as plain domain list | grep -E "^#" -v | sort | uniq | while read domain; do
+        echo -n "        - https://$domain\n"
+    done
+}

scripts/change_url

@@ -26,7 +26,7 @@ server_name=$(ynh_app_setting_get --app=$app --key=server_name)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 synapse_old_version=$(ynh_app_setting_get --app=$app --key=synapse_version)
 jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
-is_public=$(ynh_app_setting_get --app=$app --key=is_public)
+is_free_registration=$(ynh_app_setting_get --app=$app --key=is_free_registration)
 port=$(ynh_app_setting_get --app=$app --key=synapse_port)
 synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
 turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
@@ -35,19 +35,21 @@ cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
 report_stats=$(ynh_app_setting_get --app=$app --key=report_stats)
 allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
 e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
-ynh_print_OFF
 synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
 turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
 registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
 form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
 macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
-ynh_print_ON
+synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
+main_domain=$(yunohost domain list --output-as json | jq -r .main)
 
 synapse_user="matrix-$app"
+synapse_user_app="$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
 synapse_db_name="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
+domain_whitelist_client=$(get_domain_list)
 
 # Check if the new path stay /_matrix if not exit
 
@@ -102,7 +104,7 @@ else
     macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
 fi
 
-if [ $is_public -eq 0 ]
+if [ $is_free_registration -eq 0 ]
 then
     allowed_access=False
     sso_enabled=True

scripts/config

@@ -23,9 +23,12 @@ app=$YNH_APP_INSTANCE_NAME
 report_stats=$(ynh_app_setting_get --app $app --key report_stats)
 allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
 disable_backup_before_upgrade=$(ynh_app_setting_get --app $app --key disable_backup_before_upgrade)
-is_public=$(ynh_app_setting_get --app $app --key is_public)
+is_free_registration=$(ynh_app_setting_get --app $app --key is_free_registration)
 jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
 e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
+synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
+domain_whitelist_client=$(get_domain_list)
+main_domain=$(yunohost domain list --output-as json | jq -r .main)
 
 #=================================================
 # SHOW_CONFIG FUNCTION FOR 'SHOW' COMMAND
@@ -37,7 +40,7 @@ show_config() {
     ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_SERVER_STATISTICS=$report_stats"
     ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_ALLOW_PUBLIC_ROOMS=$allow_public_rooms"
     ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_CLIENT_CONFIG_JITSI_SERVER=$jitsi_server"
-    ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC=${is_public}"
+    ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_FREE_REGISTRATION=${is_free_registration}"
     ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_CLIENT_CONFIG_E2E_ENABLED_BY_DEFAULT=${e2e_enabled_by_default}"
 
     if [[ ${disable_backup_before_upgrade:-0} -eq 1 ]]
@@ -56,7 +59,7 @@ apply_config() {
     report_stats=${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_SERVER_STATISTICS:-$report_stats}
     allow_public_rooms=${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_ALLOW_PUBLIC_ROOMS:-$allow_public_rooms}
     do_backup_before_upgrade=${YNH_CONFIG_PACKAGE_CONFIG_PACKAGE_CONFIG_BACKUP_BEFORE_UPGRADE:-}
-    is_public=${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC:-$is_public}
+    is_free_registration=${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_FREE_REGISTRATION:-$is_free_registration}
     jitsi_server=${YNH_CONFIG_SYNAPSE_CONFIG_CLIENT_CONFIG_JITSI_SERVER:-$jitsi_server}
     e2e_enabled_by_default=${YNH_CONFIG_SYNAPSE_CONFIG_CLIENT_CONFIG_E2E_ENABLED_BY_DEFAULT:-$e2e_enabled_by_default}
 
@@ -81,7 +84,7 @@ apply_config() {
 
     ynh_app_setting_set --app $app --key report_stats --value $report_stats
     ynh_app_setting_set --app $app --key allow_public_rooms --value $allow_public_rooms
-    ynh_app_setting_set --app $app --key is_public --value $is_public
+    ynh_app_setting_set --app $app --key is_free_registration --value $is_free_registration
     ynh_app_setting_set --app $app --key jitsi_server --value $jitsi_server
     ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
 
@@ -96,7 +99,7 @@ apply_config() {
     domain=$(ynh_app_setting_get --app $app --key domain)
     server_name=$(ynh_app_setting_get --app $app --key server_name)
     synapse_db_pwd=$(ynh_app_setting_get --app $app --key synapse_db_pwd)
-    is_public=$(ynh_app_setting_get --app $app --key is_public)
+    is_free_registration=$(ynh_app_setting_get --app $app --key is_free_registration)
     port=$(ynh_app_setting_get --app $app --key synapse_port)
     synapse_tls_port=$(ynh_app_setting_get --app $app --key synapse_tls_port)
     turnserver_tls_port=$(ynh_app_setting_get --app $app --key turnserver_tls_port)
@@ -124,7 +127,7 @@ apply_config() {
         macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
     fi
 
-    if [ $is_public -eq 0 ]
+    if [ $is_free_registration -eq 0 ]
     then
         allowed_access=False
         sso_enabled=True

scripts/install

@@ -21,20 +21,13 @@ ynh_clean_setup () {
 # Exit if an error occurs during the execution of the script
 ynh_abort_if_errors
 
-#=================================================
-# RETRIEVE ARGUMENTS FROM THE MANIFEST
-#=================================================
-
-domain=$YNH_APP_ARG_DOMAIN
-is_public=$YNH_APP_ARG_IS_PUBLIC
-
-app=$YNH_APP_INSTANCE_NAME
-
 #=================================================
 # SET CONSTANTS
 #=================================================
 
 synapse_user="matrix-$app"
+synapse_user_app="$app"
+synapse_user_app_pwd="$(ynh_string_random --length=30)"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
 synapse_db_name="matrix_$app"
@@ -43,6 +36,7 @@ report_stats="false"
 allow_public_rooms="false"
 e2e_enabled_by_default="true"
 default_domain_value="Same than the domain"
+domain_whitelist_client=$(get_domain_list)
 
 #=================================================
 # RETRIEVE ARGUMENTS FROM THE MANIFEST
@@ -50,12 +44,13 @@ default_domain_value="Same than the domain"
 
 domain=$YNH_APP_ARG_DOMAIN
 server_name=$YNH_APP_ARG_SERVER_NAME
-is_public=$YNH_APP_ARG_IS_PUBLIC
+is_free_registration=$YNH_APP_ARG_IS_FREE_REGISTRATION
 jitsi_server=$YNH_APP_ARG_JITSI_SERVER
 path_url="/_matrix"
 final_path="/opt/yunohost/matrix-$app"
 final_www_path="/var/www/$app"
 data_path="/home/yunohost.app/matrix-$app"
+main_domain=$(yunohost domain list --output-as json | jq -r .main)
 
 if [[ "$server_name" == "$default_domain_value" ]]; then
     server_name=$domain    
@@ -65,8 +60,6 @@ fi
 # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
 #=================================================
 ynh_script_progression --message="Validating installation parameters..." --weight=2
-
-[ $(ynh_webpath_available --domain=$domain --path_url=$path_url) == "True" ] || ynh_die --message="$domain is not available as domain, please use an other domain."
 test ! -e "/etc/nginx/conf.d/$domain.d/synapse*.conf" || ynh_die --message="$domain is not available as domain, please use an other domain."
 
 # Check Final Path availability
@@ -90,10 +83,11 @@ ynh_app_setting_set --app=$app --key=server_name --value=$server_name
 ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server
 ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 ynh_app_setting_set --app=$app --key=synapse_version --value=$upstream_version
-ynh_app_setting_set --app=$app --key=is_public --value=$is_public
+ynh_app_setting_set --app=$app --key=is_free_registration --value=$is_free_registration
 ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
 ynh_app_setting_set --app=$app --key=allow_public_rooms --value=$allow_public_rooms
 ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
+ynh_app_setting_set --app=$app --key=synapse_user_app_pwd --value=$synapse_user_app_pwd
 
 #=================================================
 # STANDARD MODIFICATIONS
@@ -152,6 +146,7 @@ ynh_install_app_dependencies $dependances
 ynh_script_progression --message="Configuring system user..." --weight=3
 
 ynh_system_user_create --username=$synapse_user --home_dir=$final_path
+yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
 adduser $synapse_user ssl-cert
 adduser turnserver ssl-cert
 
@@ -160,16 +155,12 @@ adduser turnserver ssl-cert
 #=================================================
 ynh_script_progression --message="Creating a PostgreSQL database..." --weight=4
 
-ynh_print_OFF
 synapse_db_pwd=$(ynh_string_random --length=30)
 ynh_app_setting_set --app=$app --key=synapse_db_pwd --value=$synapse_db_pwd
-ynh_print_ON
 
 # Create postgresql database
 ynh_psql_test_if_first_run
-ynh_print_OFF
 ynh_psql_create_user $synapse_db_user $synapse_db_pwd
-ynh_print_ON
 ynh_psql_execute_as_root \
 --sql="CREATE DATABASE $synapse_db_name ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $synapse_db_user;"
 
@@ -222,7 +213,6 @@ deactivate
 set -u;
 
 # Get random values from config
-ynh_print_OFF
 registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
 form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
 macaroon_secret_key=$(egrep "^macaroon_secret_key:" homeserver.yml | cut -d'"' -f2)
@@ -231,7 +221,6 @@ macaroon_secret_key=$(egrep "^macaroon_secret_key:" homeserver.yml | cut -d'"' -
 ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
 ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
 ynh_app_setting_set --app=$app --key=macaroon_secret_key --value="$macaroon_secret_key"
-ynh_print_ON
 
 #=================================================
 # SETUP SYSTEMD
@@ -279,7 +268,7 @@ ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
 
 macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
 
-if [ $is_public -eq 0 ]
+if [ $is_free_registration -eq 0 ]
 then
     allowed_access=False
     sso_enabled=True

scripts/remove

@@ -29,6 +29,7 @@ turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tl
 #=================================================
 
 synapse_user="matrix-$app"
+synapse_user_app="$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
 synapse_db_name="matrix_$app"
@@ -142,6 +143,7 @@ ynh_script_progression --message="Removing the dedicated system user" --weight=1
 
 # Delete a system user
 ynh_system_user_delete --username=$synapse_user
+yunohost user delete $synapse_user_app
 
 #=================================================
 # END OF SCRIPT

scripts/restore

@@ -37,15 +37,16 @@ synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
 turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
 turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
 phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
-ynh_print_OFF
 synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
-ynh_print_ON
+synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
+main_domain=$(yunohost domain list --output-as json | jq -r .main)
 
 #=================================================
 # SET ALL CONSTANT
 #=================================================
 
 synapse_user="matrix-$app"
+synapse_user_app="$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
 synapse_db_name="matrix_$app"
@@ -58,8 +59,6 @@ data_path="/home/yunohost.app/matrix-$app"
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=2
 
-ynh_webpath_available --domain=$domain --path_url=$path_url \
-	|| ynh_die --message="Path not available: ${domain}${path_url}"
 test ! -d $final_path \
 	|| ynh_die --message="There is already a directory: $final_path "
 
@@ -81,6 +80,7 @@ ynh_script_progression --message="Recreating the dedicated system user..." --wei
 
 # Create the dedicated user (if not existing)
 ynh_system_user_create --username=$synapse_user --home_dir=$final_path
+yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
 adduser $synapse_user ssl-cert
 adduser turnserver ssl-cert
 
@@ -110,9 +110,7 @@ ynh_systemd_action --action=restart --service_name=fail2ban
 ynh_script_progression --message="Restoring the PostgreSQL database..." --weight=13
 
 ynh_psql_test_if_first_run
-ynh_print_OFF
 ynh_psql_create_user $synapse_db_user $synapse_db_pwd
-ynh_print_ON
 ynh_psql_execute_as_root \
 --sql="CREATE DATABASE $synapse_db_name
  ENCODING 'UTF8'
@@ -165,9 +163,7 @@ ynh_script_progression --message="Reconfiguring coturn..." --weight=23
 turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
 turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
 cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
-ynh_print_OFF
 turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
-ynh_print_ON
 
 # WARNING : these commands are used in INSTALL, UPGRADE
 # For any update do it in all files

scripts/upgrade

@@ -26,7 +26,7 @@ jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 synapse_old_version=$(ynh_app_setting_get --app=$app --key=synapse_version)
-is_public=$(ynh_app_setting_get --app=$app --key=is_public)
+is_free_registration=$(ynh_app_setting_get --app=$app --key=is_free_registration)
 port=$(ynh_app_setting_get --app=$app --key=synapse_port)
 synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
 turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
@@ -35,19 +35,21 @@ cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
 report_stats=$(ynh_app_setting_get --app=$app --key=report_stats)
 allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
 e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
-ynh_print_OFF
 synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
 turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
 registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
 form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
 macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
-ynh_print_ON
+synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
+domain_whitelist_client=$(get_domain_list)
+main_domain=$(yunohost domain list --output-as json | jq -r .main)
 
 #=================================================
 # SET ALL CONSTANT
 #=================================================
 
 synapse_user="matrix-$app"
+synapse_user_app="$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
 synapse_db_name="matrix_$app"
@@ -131,6 +133,17 @@ if [ -z $allow_public_rooms ]; then
     ynh_app_setting_set --app=$app --key=allow_public_rooms --value=$allow_public_rooms
 fi
 
+if [ -z $is_free_registration ]; then
+    is_free_registration=$(ynh_app_setting_get --app=$app --key=is_""public)
+    ynh_app_setting_set --app=$app --key=is_free_registration --value=$is_free_registration
+fi
+
+if [ -z $synapse_user_app_pwd ]; then
+    synapse_user_app_pwd="$(ynh_string_random --length=30)"
+    ynh_app_setting_set --app=$app --key=synapse_user_app_pwd --value=$synapse_user_app_pwd
+    yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
+fi
+
 #=================================================
 # MIGRATION 6 : Migrate data directory
 #=================================================
@@ -183,10 +196,8 @@ chown $synapse_user:root -R $final_www_path
 # MIGRATION 1 : GENERATE SYNAPSE SECRET
 #=================================================
 
-ynh_print_OFF
 if [ -z "$registration_shared_secret" ] || [ "$form_secret" == "form_secret: " ]
 then
-    ynh_print_ON
     ynh_script_progression --message="Generating synapse secret..." --weight=1
 
     # Go in virtualenvironnement
@@ -203,16 +214,13 @@ then
     set -u;
 
     # Get random values from config
-    ynh_print_OFF
     registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
     form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
 
     # store in yunohost settings
     ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
     ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
-    ynh_print_ON
 fi
-ynh_print_ON
 
 #=================================================
 # UPDATE SYNAPSE CONFIG
@@ -232,7 +240,7 @@ else
     macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
 fi
 
-if [ $is_public -eq 0 ]
+if [ $is_free_registration -eq 0 ]
 then
     allowed_access=False
     sso_enabled=True