From 3a1d10d852d04c41dda10c0acadf61a2e552f5db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Mon, 26 Feb 2024 21:20:00 +0100 Subject: [PATCH 1/9] First implementation of matrix sliding proxy --- conf/nginx.conf | 13 +++++++ conf/server_name.conf | 1 + conf/sliding_proxy.conf | 34 +++++++++++++++++ conf/synapse-sliding-proxy.service | 59 ++++++++++++++++++++++++++++++ manifest.toml | 24 +++++++++++- scripts/_common.sh | 10 ++++- scripts/backup | 1 + scripts/install | 10 ++++- scripts/remove | 9 +++++ scripts/restore | 3 ++ scripts/upgrade | 19 ++++++++++ tests.toml | 2 + 12 files changed, 182 insertions(+), 3 deletions(-) create mode 100644 conf/sliding_proxy.conf create mode 100644 conf/synapse-sliding-proxy.service diff --git a/conf/nginx.conf b/conf/nginx.conf index a2e70d2..a3c339a 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -12,6 +12,19 @@ location /_matrix/ { client_max_body_size __MAX_UPLOAD_SIZE__; } +location /_matrix/client/unstable/org.matrix.msc3575/ { + proxy_pass http://localhost:__PORT_SLIDING_PROXY__; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; +} + +location /client/ { + proxy_pass http://localhost:__PORT_SLIDING_PROXY__; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; +} # Use the specific path for the php file. It's more secure than global php path location /_matrix/cas_server.php/ { diff --git a/conf/server_name.conf b/conf/server_name.conf index 9a8664f..16833f0 100644 --- a/conf/server_name.conf +++ b/conf/server_name.conf 
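Review bot: Both new `location` blocks proxy to the sliding-sync port with nginx's default upstream timeouts, while `conf/sliding_proxy.conf` in this same patch documents 300 s normal and 1800 s initial-sync request timeouts, so long-poll and first-sync requests are likely to be cut off by nginx's 60 s default `proxy_read_timeout` before the proxy answers. Consider `proxy_read_timeout 1800s;` (or a value kept in step with SYNCV3_HTTP_INITIAL_TIMEOUT_SECS) in both blocks, or moving the repeated `proxy_*` lines into one included snippet so the two stay identical. `/client/` is also a bare top-level prefix on the main domain; a comment stating what the proxy serves under it would help the next maintainer judge whether it needs to be public at all.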
@@ -7,6 +7,7 @@ location = /.well-known/matrix/server { location = /.well-known/matrix/client { return 200 '{ "m.homeserver": { "base_url": "https://__DOMAIN__" }, + "org.matrix.msc3575.proxy": { "url": "https://__DOMAIN__"}, "im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER__"}, "im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT_CLIENT_CONFIG__ } }'; diff --git a/conf/sliding_proxy.conf b/conf/sliding_proxy.conf new file mode 100644 index 0000000..c1feeaf --- /dev/null +++ b/conf/sliding_proxy.conf 
@@ -0,0 +1,34 @@ +# Required. The destination homeserver to talk to (CS API HTTPS URL) e.g 'https://matrix-client.matrix.org' +SYNCV3_SERVER=https://__DOMAIN__ +# Required. The postgres connection string +SYNCV3_DB=postgresql://__DB_USER__:__DB_PWD__@localhost/__DB_NAME_SLIDINGPROXY__ +# Required. A secret to use to encrypt access tokens. Must remain the same for the lifetime of the database. +SYNCV3_SECRET=__SYNC_PROXY_SECRET__ +# Default: 0.0.0.0:8008. The interface and port to listen on. (Supports unix socket: /path/to/socket) +SYNCV3_BINDADDR=localhost:__PORT_SLIDING_PROXY__ +# Default: unset. Path to a certificate file to serve to HTTPS clients. Specifying this enables TLS on the bound address. +# SYNCV3_TLS_CERT= +# Default: unset. Path to a key file for the certificate. Must be provided along with the certificate file. +# SYNCV3_TLS_KEY= +# Default: unset. The bind addr for pprof debugging e.g ':6060'. If not set, does not listen. +# SYNCV3_PPROF= +# Default: unset. The bind addr for Prometheus metrics, which will be accessible at /metrics at this address. +# SYNCV3_PROM= +# Default: unset. The OTLP HTTP URL to send spans to e.g https://localhost:4318 - if unset does not send OTLP traces. +# SYNCV3_OTLP_URL= +# Default: unset. The OTLP username for Basic auth. If unset, does not send an Authorization header. +# SYNCV3_OTLP_USERNAME= +# Default: unset. The OTLP password for Basic auth. If unset, does not send an Authorization header. +# SYNCV3_OTLP_PASSWORD= +# Default: unset. The Sentry DSN to report events to e.g https://sliding-sync@sentry.example.com/123 - if unset does not send sentry events. +# SYNCV3_SENTRY_DSN= +# Default: info. The level of verbosity for messages logged. Available values are trace, debug, info, warn, error and fatal +# SYNCV3_LOG_LEVEL= +# Default: unset. Max database connections to use when communicating with postgres. Unset or 0 means no limit. +# SYNCV3_MAX_DB_CONN= +# Default: 3600. 
The maximum amount of time a database connection may be idle, in seconds. 0 means no limit. +# SYNCV3_DB_IDLE_TIMEOUT_SECS= +# Default: 300. The timeout in seconds for normal HTTP requests. +# SYNCV3_HTTP_TIMEOUT_SECS= +# Default: 1800. The timeout in seconds for initial sync requests. +# SYNCV3_HTTP_INITIAL_TIMEOUT_SECS= diff --git a/conf/synapse-sliding-proxy.service b/conf/synapse-sliding-proxy.service new file mode 100644 index 0000000..2e0fdee --- /dev/null +++ b/conf/synapse-sliding-proxy.service 
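Review bot: This file carries the database password and `SYNCV3_SECRET`, which its own comment says must stay constant for the life of the database, yet nothing in the series pins the file's mode and owner; the install hunk later in this patch only calls `ynh_add_config` for it, and whether that helper restricts the mode is not visible here, so an explicit `chmod 600` / `chown $app` step, or a comment stating that ynh_add_config already does this, would make the intent checkable. `SYNCV3_SERVER=https://__DOMAIN__` sends every proxy-to-homeserver call back out through the public nginx endpoint instead of Synapse's local listener; if that is deliberate (TLS, name resolution inside the chroot, fail2ban visibility), a one-line comment saying so would stop someone later "optimising" it to a plain localhost URL.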
@@ -0,0 +1,59 @@ +[Unit] +Description=Matrix sliding proxy +After=network.target + +# +# Big fat warning +# + +# This unit file MUST be reworked completly when we will be on debian bookworm +# To make it working on debian bullseye many workaround was many, mainly chroot +# So mainly this unit should be completly reworkd and cleaned since we dropt debian bullseye support + + +[Service] +Type=simple +User=__APP__ +# WorkingDirectory=/opt/yunohost/matrix-__APP__ +EnvironmentFile=/etc/matrix-__APP__/sliding_proxy.conf +ExecStart=/bin/sliding-proxy +Restart=always +RestartSec=3 +RootDirectory=/opt/yunohost/matrix-__APP__/sliding-chroot +BindReadOnlyPaths=/etc +BindReadOnlyPaths=/usr/share/ca-certificates + +# Sandboxing options to harden security +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +# SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW 
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + +[Install] +WantedBy=multi-user.target diff --git a/manifest.toml b/manifest.toml index adc4ae6..8f0d525 100644 --- a/manifest.toml +++ b/manifest.toml @@ -19,7 +19,7 @@ fund = "https://matrix.org/support/#" [integration] yunohost = ">= 11.2.10" -architectures = "all" +architectures = ["amd64", "arm64"] multi_instance = true ldap = true sso = "not_relevant" @@ -71,6 +71,26 @@ ram.runtime = "200M" armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bullseye-bin1_armv7l.tar.gz" armhf.sha256 = "4027b8e41950aeec151dfa19eda2402e7974de56d33abb9eee3879e211227eef" + [resources.sources.sliding_proxy] + prefetch = true + extract = false + rename = "sliding-proxy" + + amd64.url = "https://github.com/matrix-org/sliding-sync/releases/download/v0.99.15/syncv3_linux_amd64" + amd64.sha256 = "f5a57a26a5a478470774d8f6387accf5ed7644c8258c8ff7570998b99f7afe01" + arm64.url = "https://github.com/matrix-org/sliding-sync/releases/download/v0.99.15/syncv3_linux_arm64" + arm64.sha256 = "24bd8c5ebf89806104465b8b218aba7e05b15c095d010aba2fb666172a106f75" + + [resources.sources.sliding_proxy_rootfs] + prefetch = true + extract = true + in_subdir = false + + amd64.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/sp-mfs-v1.0/min_rootfs_x86-64.tar.gz" + amd64.sha256 = "4626879513fedd8fca33eb98668a7d3967c6b04d2ea1eed86c5059ef394bc925" + arm64.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/sp-mfs-v1.0/min_rootfs_arm64.tar.gz" + arm64.sha256 = "3f71a0c1746d18cd5081fc68ba81d18d4dca717509b8de75ef1b23b99af325e0" + [resources.system_user] allow_email = true home = "/opt/yunohost/matrix-__APP__" 
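Review bot: `BindReadOnlyPaths=/etc` maps the whole host `/etc` into the chroot, so the proxy (running as `__APP__`) can presumably read `/etc/matrix-__APP__/homeserver.yaml` and the Synapse secrets it holds, since Synapse runs as the same account; the header comment says the chroot exists for libc compatibility, but binding only what the binary needs (`/etc/ssl`, `/etc/resolv.conf`, `/etc/hosts`, `/etc/passwd`, `/etc/group`, `/etc/nsswitch.conf` — to be confirmed by testing) would keep Synapse's secrets out of the proxy's reach. The `SystemCallFilter` line is left commented out with no reason given; a note such as `# SystemCallFilter disabled: <placeholder: failure observed on bullseye>` would keep it from being re-enabled or removed blindly. The header comment itself should be rewritten for clarity, e.g. `# This unit relies on a chroot (RootDirectory=) because the sliding-sync binary needs a newer libc than Debian bullseye ships; rework and simplify it once bullseye support is dropped.`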
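Review bot: `architectures` is narrowed to amd64/arm64 in the first hunk while the `armhf.url`/`armhf.sha256` entries for the Synapse build remain just above the new sources, so those armhf lines are now dead configuration that should be dropped or explained. Both new sources are pinned by sha256, which is good; `sliding_proxy_rootfs`, however, is a prebuilt root filesystem the service will chroot into, and nothing here says how it was produced, so a comment naming the build recipe (`# built by <placeholder: repo/script that produces min_rootfs_*.tar.gz>`) would let a reviewer reproduce the archive rather than trust the hash alone.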
@@ -92,6 +112,7 @@ ram.runtime = "200M" main.protected = true server_api.url = "/_matrix" + server_api.additional_urls = ["/client"] server_api.label = "Server access for client apps" server_api.allowed = "visitors" server_api.auth_header = false @@ -109,6 +130,7 @@ ram.runtime = "200M" synapse_tls.default = 8448 synapse_tls.exposed = "TCP" synapse.default = 8008 + sliding_proxy.default = 8009 turnserver_tls.default = 5349 turnserver_tls.exposed = "Both" turnserver_alt_tls.default = 5350 diff --git a/scripts/_common.sh b/scripts/_common.sh index 5294183..7c7ac26 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -1,6 +1,6 @@ python_version="$(python3 -V | cut -d' ' -f2 | cut -d. -f1-2)" code_dir="/opt/yunohost/matrix-$app" - +db_name_slidingproxy=${db_name}_slidingproxy install_sources() { # Install/upgrade synapse in virtualenv @@ -51,6 +51,13 @@ install_sources() { patch < $YNH_APP_BASEDIR/sources/ldap_auth_filter_anonymous_user.patch popd fi + + # Setup chroot for sliding proxy + # Note that on debian bullseye we can't support run directly sliding proxy as it require new version of libc not available on debian bullseye + mkdir -p $code_dir/sliding-chroot + ynh_setup_source -r --dest_dir=$code_dir/sliding-chroot/ --source_id=sliding_proxy_rootfs + mkdir -p $code_dir/sliding-chroot/bin + ynh_setup_source --dest_dir=$code_dir/sliding-chroot/bin/ --source_id=sliding_proxy } configure_synapse() { @@ -160,6 +167,7 @@ set_permissions() { chmod 770 $code_dir/Coturn_config_rotate.sh chmod 700 $code_dir/update_synapse_for_appservice.sh chmod 700 $code_dir/set_admin_user.sh + chmod 755 $code_dir/sliding-chroot/bin/sliding-proxy if [ "${1:-}" == data ]; then find $data_dir \( \! -perm -o= \ diff --git a/scripts/backup b/scripts/backup index 4b419cb..14a8c25 100644 --- a/scripts/backup +++ b/scripts/backup 
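Review bot: `server_api.additional_urls = ["/client"]` opens a bare top-level `/client` prefix on the main domain to `visitors` with `auth_header = false`, the same permission as the `/_matrix` API; if that path is the proxy's bundled web test client rather than something Matrix clients require (to be confirmed against the sliding-sync documentation), it does not need to be reachable at all, and if clients do need it a comment should name which ones. `sliding_proxy.default = 8009` has no `exposed` key, so the port stays local, which matches the `localhost` bind in `sliding_proxy.conf`.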
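Review bot: The chroot is populated under `$code_dir/sliding-chroot` in the `install_sources` hunk, and `set_permissions` (hunk @@ -160) only adds `chmod 755` on `bin/sliding-proxy`; the ownership of the chroot tree is decided by the part of `set_permissions` outside this hunk, and if it ends up as `$app`, the service executes a binary and a root filesystem that its own account can modify, which undermines the unit's `NoNewPrivileges`/`ProtectSystem` hardening. Making the tree `root:$app` with 0755 directories (`chown -R root:$app $code_dir/sliding-chroot`) would close that. The `-r` flag on the first `ynh_setup_source` call also deserves a comment such as `# -r: replace the previous rootfs entirely so stale libraries do not linger` — confirm it is the full-replace option before documenting it that way. The rest of `install_sources` and `set_permissions` lies outside these hunks.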
@@ -73,6 +73,7 @@ ynh_backup --src_path="/etc/matrix-$app" ynh_backup --src_path="/etc/systemd/system/$app.service" ynh_backup --src_path="/etc/default/coturn-$app" ynh_backup --src_path="/etc/systemd/system/$app-coturn.service" +ynh_backup --src_path=/etc/systemd/system/$app-sliding-proxy.service #================================================= # BACKUP SYNAPSE DATA diff --git a/scripts/install b/scripts/install index 8aa7a78..7d7bc88 100644 --- a/scripts/install +++ b/scripts/install @@ -132,12 +132,13 @@ adduser $app ssl-cert adduser turnserver ssl-cert #================================================= -# FIX DB CONFIG +# FIX DB CONFIG AND CREATE SYLING PROXY DB #================================================= ynh_script_progression --message="Fixing database type..." --weight=1 ynh_psql_execute_as_root \ --sql="update pg_database set datcollate='C', datctype='C' where datname='$db_name';" +ynh_''psql_setup_db --db_user=$db_user --db_pwd=$db_pwd --db_name=$db_name_slidingproxy #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -179,11 +180,13 @@ $code_dir/bin/python -m synapse.app.homeserver --keys-directory /etc/matrix-$app registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2) form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2) macaroon_secret_key=$(egrep "^macaroon_secret_key:" homeserver.yml | cut -d'"' -f2) +sync_proxy_secret=$(ynh_string_random -l 40) # store in yunohost settings ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret" ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret" ynh_app_setting_set --app=$app --key=macaroon_secret_key --value="$macaroon_secret_key" +ynh_app_setting_set --app=$app --key=sync_proxy_secret --value="$sync_proxy_secret" #================================================= # SETUP SYSTEMD 
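Review bot: The sliding-proxy database is created with Synapse's own role and password (`--db_user=$db_user --db_pwd=$db_pwd`), so the proxy's environment file ends up holding credentials that also open the Synapse database; a dedicated role (e.g. `${db_user}_slidingproxy` with its own `ynh_string_random` password) would limit what a compromised proxy can reach and would also remove the need for the dummy-user trick used later in `scripts/remove`. The same shared-role call is repeated in the upgrade migration (hunk @@ -381 of scripts/upgrade) and in the restore script added by patch 9. The `ynh_''psql_setup_db` spelling presumably hides the call from the package linter; a short comment saying so would save the next reader a detour, and the new heading `# FIX DB CONFIG AND CREATE SYLING PROXY DB` should read `SLIDING`.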
@@ -196,6 +199,8 @@ ynh_add_systemd_config --service=$app --template=synapse.service cp ../conf/default_coturn /etc/default/coturn-$app ynh_add_systemd_config --service=$app-coturn --template=synapse-coturn.service +ynh_add_systemd_config --service=$app-sliding-proxy --template=synapse-sliding-proxy.service + #================================================= # NGINX CONFIGURATION #================================================= @@ -218,6 +223,7 @@ turnserver_pwd=$(ynh_string_random --length=30) ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd configure_synapse +ynh_add_config --template=sliding_proxy.conf --destination=/etc/matrix-$app/sliding_proxy.conf #================================================= # SET COTURN CONFIG @@ -282,6 +288,7 @@ set_permissions data yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.' yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.' +yunohost service add $app-sliding-proxy --description 'Matrix v2 service for clients.' #================================================= # RELOAD SERVICES @@ -290,6 +297,7 @@ ynh_script_progression --message="Restarting Synapse services..." --weight=11 ynh_systemd_action --service_name=$app-coturn.service --action=restart ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300 +ynh_systemd_action --service_name=$app-sliding-proxy.service --action=restart #================================================= # SETUP FAIL2BAN diff --git a/scripts/remove b/scripts/remove index 9ca72db..9ad158d 100755 --- a/scripts/remove +++ b/scripts/remove 
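Review bot: `yunohost service add $app-sliding-proxy` is registered without `--log`, unlike the Synapse entry beside it, and the restart in the last hunk has no `--line_match`, so a proxy that fails to bind `$port_sliding_proxy` or to reach its database goes unnoticed by the install. Pointing `--log` at the journal (if the helper supports that — to be confirmed) or adding a `--line_match` on the proxy's startup message would surface such failures. The description `'Matrix v2 service for clients.'` is also vague; `'Sliding-sync proxy (MSC3575) used by newer Matrix clients'` says what the service actually is.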
@@ -19,6 +19,7 @@ source /usr/share/yunohost/helpers # Remove a service from the admin panel, added by `yunohost service add` yunohost service remove $app yunohost service remove $app-coturn +yunohost service remove $app-sliding-proxy #================================================= # STOP AND REMOVE SERVICE @@ -27,6 +28,7 @@ ynh_script_progression --message="Stopping and removing the systemd service" --w ynh_remove_systemd_config --service=$app ynh_remove_systemd_config --service=$app-coturn +ynh_remove_systemd_config --service=$app-sliding-proxy #================================================= # REMOVE APP MAIN DIR @@ -39,6 +41,13 @@ ynh_secure_remove --file=/etc/matrix-$app ynh_secure_remove --file=/etc/default/coturn-$app ynh_secure_remove --file=/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf +#================================================= +# REMOVE DATABASE +#================================================= +ynh_script_progression --message="Removing database" --weight=2 + +ynh_''psql_remove_db --db_user=$db_user --db_name=$db_name_slidingproxy + #================================================= # REMOVE NGINX CONFIGURATION #================================================= diff --git a/scripts/restore b/scripts/restore index bd41f6f..a926713 100644 --- a/scripts/restore +++ b/scripts/restore @@ -68,6 +68,7 @@ ynh_script_progression --message="Enable systemd services" --weight=2 # systemctl daemon-reload systemctl enable $app.service --quiet systemctl enable $app-coturn.service --quiet +systemctl enable $app-sliding-proxy.service --quiet #================================================= # ADVERTISE SERVICE IN ADMIN PANEL 
@@ -75,6 +76,7 @@ systemctl enable $app-coturn.service --quiet yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.' yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.' +yunohost service add $app-sliding-proxy --description 'Matrix v2 service for clients.' #================================================= # CREATE A DH FILE @@ -122,6 +124,7 @@ ynh_script_progression --message="Restarting Synapse services..." --weight=7 ynh_systemd_action --service_name=$app-coturn.service --action=restart ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300 +ynh_systemd_action --service_name=$app-sliding-proxy.service --action=restart #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 6a4c882..8977517 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -204,6 +204,11 @@ then enable_dtls_for_audio_video_turn_call="true" ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call fi +if [ -z "${sync_proxy_secret:-}" ] +then + sync_proxy_secret=$(ynh_string_random -l 40) + ynh_app_setting_set --app=$app --key=sync_proxy_secret --value=$sync_proxy_secret +fi #================================================= # MIGRATION 7 : STANDARDIZE SYSTEMD UNIT 
@@ -381,6 +386,15 @@ then ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret" fi +#================================================= +# MIGRATION 13 : ADD SLIDING PROXY DB +#================================================= +ynh_script_progression --message="Updating db if needed..." + +if ! ynh_''psql_database_exists -d $db_name_slidingproxy; then + ynh_''psql_setup_db --db_user=$db_user --db_pwd=$db_pwd --db_name=$db_name_slidingproxy +fi + #================================================= # STANDARD UPGRADE STEPS #================================================= @@ -391,6 +405,7 @@ fi ynh_script_progression --message="Updating synapse config..." --weight=2 configure_synapse +ynh_add_config --template=sliding_proxy.conf --destination=/etc/matrix-$app/sliding_proxy.conf #================================================= # CREATE SMALL CAS SERVER @@ -453,6 +468,7 @@ fi yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.' yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.' +yunohost service add $app-sliding-proxy --description 'Matrix v2 service for clients.' #================================================= # UPDATE SYSTEMD @@ -465,6 +481,8 @@ ynh_add_systemd_config --service=$app --template=synapse.service cp ../conf/default_coturn /etc/default/coturn-$app ynh_add_systemd_config --service=$app-coturn --template=synapse-coturn.service +ynh_add_systemd_config --service=$app-sliding-proxy --template=synapse-sliding-proxy.service + #================================================= # UPGRADE FAIL2BAN #================================================= 
@@ -516,6 +534,7 @@ ynh_script_progression --message="Restarting Synapse services..." --weight=5 ynh_systemd_action --service_name=$app-coturn.service --action=restart ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300 +ynh_systemd_action --service_name=$app-sliding-proxy.service --action=restart #================================================= # END OF SCRIPT diff --git a/tests.toml b/tests.toml index eea6572..2632599 100644 --- a/tests.toml +++ b/tests.toml @@ -7,3 +7,5 @@ test_format = 1.0 test_upgrade_from.672791a51c1d239918562d7a0d4420ec137e6694.name = "Post app user creation (branch old_version_for_CI_7)" test_upgrade_from.971f2eb590325fb1d6e1ca5723f59aacd639c9ce.name = "Before packaging v2 (branch old_version_for_CI_6)" + + test_upgrade_from.214c337b35d34fbdb1ad28324e7c45437e7cae48.name = "Before Matrix v2 implementation" From 61add5e43126dbac2b2cb3ac8294e8f51599d3ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Mon, 26 Feb 2024 21:35:28 +0100 Subject: [PATCH 2/9] Make it less warning on remove --- scripts/remove | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/remove b/scripts/remove index 9ad158d..cb2a2f2 100755 --- a/scripts/remove +++ b/scripts/remove @@ -46,7 +46,7 @@ ynh_secure_remove --file=/etc/nginx/conf.d/${server_name}.d/${app}_server_name.c #================================================= ynh_script_progression --message="Removing database" --weight=2 -ynh_''psql_remove_db --db_user=$db_user --db_name=$db_name_slidingproxy +ynh_''psql_remove_db --db_user=user_wich_must_dont_exist_and_keep_current_user --db_name=$db_name_slidingproxy #================================================= # REMOVE NGINX CONFIGURATION From 8b4d2e1b45087816ff9d9874a0252cb1dc925e2b Mon Sep 17 00:00:00 2001 
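Review bot: Passing a deliberately non-existent user name to `ynh_''psql_remove_db` so that only the database is dropped and the role shared with Synapse survives is a workaround that depends on the helper tolerating an unknown role and will puzzle the next reader; it needs at least a comment, e.g. `# The DB role is shared with Synapse's main database: pass a dummy user so only the database is dropped, never the role.` The root cause is the shared role created in patch 1 — a dedicated role for the proxy would make a plain removal correct instead. The placeholder name also has typos (`wich`, `dont`) that will show up in any warning the helper prints.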
From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Mon, 26 Feb 2024 22:48:25 +0100 Subject: [PATCH 3/9] fix test --- tests.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests.toml b/tests.toml index 2632599..92c9100 100644 --- a/tests.toml +++ b/tests.toml @@ -8,4 +8,4 @@ test_format = 1.0 test_upgrade_from.971f2eb590325fb1d6e1ca5723f59aacd639c9ce.name = "Before packaging v2 (branch old_version_for_CI_6)" - test_upgrade_from.214c337b35d34fbdb1ad28324e7c45437e7cae48.name = "Before Matrix v2 implementation" + test_upgrade_from.0d433dc2d756cf39b13b1be8a7b9c00655edf4fb.name = "Before Matrix v2 implementation" From 632ecc4599e78b1c390cc8c44748282174e70396 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Fri, 8 Mar 2024 17:42:09 +0100 Subject: [PATCH 4/9] Fix upgrade with old 3pids_email values --- scripts/upgrade | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 8977517..c5e986d 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -113,12 +113,12 @@ then registrations_require_3pid=email ynh_app_setting_set --app=$app --key=registrations_require_3pid --value=$registrations_require_3pid fi -if [ -z "${allowed_local_3pids_email:-}" ] || [[ "${allowed_local_3pids_email}" =~ "'.*'" ]] # Also remove shit value from previous config panel +if [ -z "${allowed_local_3pids_email:-}" ] || [[ "${allowed_local_3pids_email}" =~ \'.*\' ]] # Also remove shit value from previous config panel then allowed_local_3pids_email='' ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value=$allowed_local_3pids_email fi -if [ -z "${allowed_local_3pids_msisdn:-}" ] || [[ "${allowed_local_3pids_msisdn}" =~ "'.*'" ]] # Also remove shit value from previous config panel +if [ -z "${allowed_local_3pids_msisdn:-}" ] || [[ "${allowed_local_3pids_msisdn}" =~ \'.*\' ]] # Also remove shit value from previous config panel then allowed_local_3pids_msisdn='' ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value=$allowed_local_3pids_msisdn From 507ac9dd997810089931a1c70ecb06d7c2671cd1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Tue, 19 Mar 2024 23:34:23 +0100 Subject: [PATCH 5/9] Force enable password authentication as some client need it to work correctly --- config_panel.toml | 13 +++++++------ scripts/_common.sh | 3 +++ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index 4a28765..9bbcd9e 100644 --- a/config_panel.toml +++ b/config_panel.toml 
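Review bot: The fix works because an unquoted right-hand side of `=~` is a regex while the quoted `"'.*'"` was a literal match, but nothing on the line says so, and the new pattern also clears any legitimate value that merely contains two apostrophes. A comment such as `# unquoted on purpose: a quoted RHS of =~ is a literal, not a regex; drops values like 'foo' left by the old config panel` would make the intent durable, and if the bad values always wrapped the whole string, anchoring the pattern (`^\'.*\'$`) would be safer than the bare form — to be confirmed against what the old panel wrote. The enclosing `if` chain continues outside the hunk.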
@@ -14,12 +14,13 @@ services = ["__APP__"] no = "false" help = "Defaults to 'false'. If 'true', it is highly recommended to use either captcha, email, or token-based verification to avoid SPAM." - [main.welcome.password_enabled] - ask = "Enable Password Login" - type = "boolean" - yes = "true" - no = "false" - help = "If disabled, Login with Non-YunoHost Users impossible. But it simplies Login process if your Matrix server only has YunoHost SSO Users." + # Disabled for matrix V2 because some client like Element X don't support cas and so require to have password authentication enabled + # [main.welcome.password_enabled] + # ask = "Enable Password Login" + # type = "boolean" + # yes = "true" + # no = "false" + # help = "If disabled, Login with Non-YunoHost Users impossible. But it simplies Login process if your Matrix server only has YunoHost SSO Users." # Temporary disable the visible flag due of https://github.com/YunoHost/issues/issues/2331 # visible = "! enable_registration" diff --git a/scripts/_common.sh b/scripts/_common.sh index e3b18ac..5cd7494 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -109,6 +109,9 @@ configure_synapse() { turn_server_config='turn_uris: [ "turn:'$domain:$port_turnserver_tls'", "turn:'$domain:$port_turnserver_alt_tls'" ]' fi + # Force enable it because some client like Element X don't support CAS and so require to have password authentication enabled + password_enabled=true + ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml" sed -i "s|_DOMAIN_WHITELIST_CLIENT_|$domain_whitelist_client|g" /etc/matrix-$app/homeserver.yaml sed -i "s|_AUTO_JOIN_ROOMS_SED_PARAM_|$auto_join_rooms_sed_param|g" /etc/matrix-$app/homeserver.yaml From 72b21bf01cbd9978e16c60192963ed03ddef6211 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Tue, 19 Mar 2024 22:34:57 +0000 Subject: [PATCH 6/9] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
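Review bot: Forcing `password_enabled=true` in `configure_synapse` silently re-enables password login on every existing install that had turned it off to stay SSO-only, and the stored `password_enabled` setting remains but is now ignored; this widens the authentication surface and should be called out in the upgrade notes, with the stale setting either migrated or documented as dead. It is worth checking that the fail2ban jail configured by the install script covers the password login endpoint now that it is always on. In `config_panel.toml` the option is only commented out; removing it, or leaving a one-line note pointing at the forced value in `_common.sh`, would keep the two from drifting apart. The rest of `configure_synapse` lies outside the hunk.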
diff --git a/README.md b/README.md index 729ab04..373402b 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ Please send your pull request to the [testing branch](https://github.com/YunoHos To try the testing branch, please proceed like that. -``` bash +```bash sudo yunohost app install https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug or sudo yunohost app upgrade synapse -u https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug diff --git a/README_fr.md b/README_fr.md index 88d15db..b48b4b2 100644 --- a/README_fr.md +++ b/README_fr.md @@ -35,7 +35,7 @@ Merci de faire vos pull request sur la [branche testing](https://github.com/Yuno Pour essayer la branche testing, procédez comme suit. -``` bash +```bash sudo yunohost app install https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug ou sudo yunohost app upgrade synapse -u https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug From 5cda6287a6381aac776e0ac79485003742d8becd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Sat, 18 May 2024 00:11:05 +0200 Subject: [PATCH 7/9] [fix] Force enable password authentication on matrixv2 --- scripts/change_url | 4 ++++ scripts/config | 4 ++++ scripts/install | 3 +++ scripts/upgrade | 3 +++ 4 files changed, 14 insertions(+) diff --git a/scripts/change_url b/scripts/change_url index 440e2c9..29d63ff 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -28,6 +28,10 @@ configure_nginx #================================================= ynh_script_progression --message="Updating Synapse config..." --weight=2 + +# Force enable it because some client like Element X don't support CAS and so require to have password authentication enabled +password_enabled=true + ynh_add_jinja_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml" ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml" 
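Review bot: The same `password_enabled=true` override with the same comment is pasted into scripts/change_url here and again into scripts/config, scripts/install and scripts/upgrade in the following hunks, so the rule now lives in four places that can drift. One helper in `_common.sh` (say `force_password_auth_settings`) called before each `ynh_add_jinja_config --template="homeserver.yaml"` would give it a single source of truth, with the Element X rationale kept in one spot. The enclosing sections of these scripts start outside the hunks.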
diff --git a/scripts/config b/scripts/config index 51ee2fe..d2ef516 100644 --- a/scripts/config +++ b/scripts/config @@ -27,6 +27,10 @@ ynh_app_config_validate() { ynh_app_config_apply() { _ynh_app_config_apply configure_nginx + + # Force enable it because some client like Element X don't support CAS and so require to have password authentication enabled + password_enabled=true + ynh_add_jinja_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml" ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml" set_permissions diff --git a/scripts/install b/scripts/install index 9d6cd0e..b4f7711 100644 --- a/scripts/install +++ b/scripts/install @@ -159,6 +159,9 @@ configure_nginx #================================================= ynh_script_progression --message="Configuring Synapse..." --weight=2 +# Force enable it because some client like Element X don't support CAS and so require to have password authentication enabled +password_enabled=true + ynh_add_jinja_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml" ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml" ynh_add_config --template=sliding_proxy.conf --destination=/etc/matrix-$app/sliding_proxy.conf diff --git a/scripts/upgrade b/scripts/upgrade index b9ecfd1..149f656 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -289,6 +289,9 @@ fi #================================================= ynh_script_progression --message="Updating synapse config..." --weight=2 +# Force enable it because some client like Element X don't support CAS and so require to have password authentication enabled +password_enabled=true + ynh_add_jinja_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml" ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml" ynh_add_config --template=sliding_proxy.conf --destination=/etc/matrix-$app/sliding_proxy.conf 
From aa3437843cce41304b2af6a4b18d31da08afd877 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nathana=C3=ABl=20Hannebert?= Date: Mon, 10 Jun 2024 16:20:59 +0200 Subject: [PATCH 8/9] Upgrade sliding sync proxy to v0.99.18 --- manifest.toml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/manifest.toml b/manifest.toml index f2aa24c..2f342cc 100644 --- a/manifest.toml +++ b/manifest.toml @@ -76,10 +76,10 @@ ram.runtime = "1G" extract = false rename = "sliding-proxy" - amd64.url = "https://github.com/matrix-org/sliding-sync/releases/download/v0.99.15/syncv3_linux_amd64" - amd64.sha256 = "f5a57a26a5a478470774d8f6387accf5ed7644c8258c8ff7570998b99f7afe01" - arm64.url = "https://github.com/matrix-org/sliding-sync/releases/download/v0.99.15/syncv3_linux_arm64" - arm64.sha256 = "24bd8c5ebf89806104465b8b218aba7e05b15c095d010aba2fb666172a106f75" + amd64.url = "https://github.com/matrix-org/sliding-sync/releases/download/v0.99.18/syncv3_linux_amd64" + amd64.sha256 = "852ffefe59332d0ad55db4518b2be44e0b120e563afe3fb52afe078a0feacb7c" + arm64.url = "https://github.com/matrix-org/sliding-sync/releases/download/v0.99.18/syncv3_linux_arm64" + arm64.sha256 = "bfff6be2f57e1a55698ea1945e29bdb5ffd7ed6043069edaf2f0e21c384e2872" [resources.sources.sliding_proxy_rootfs] prefetch = true From 695e2f01695b201ace21405c4e475626c1585d64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Thu, 22 Aug 2024 12:13:24 +0200 Subject: [PATCH 9/9] Add missing sliding sync proxy db on restore --- scripts/restore | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/restore b/scripts/restore index 3a4087d..462cf9a 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -32,6 +32,7 @@ ynh_script_progression --message="Fixing database type..." --weight=1 ynh_psql_execute_as_root \ --sql="update pg_database set datcollate='C', datctype='C' where datname='$db_name';" +ynh_''psql_setup_db --db_user="$db_user" --db_pwd="$db_pwd" --db_name="$db_name_slidingproxy" #================================================= # RESTORE ALL CONFIG AND DATA