#!/bin/bash #================================================= # GENERIC START #================================================= # IMPORT GENERIC HELPERS #================================================= source /usr/share/yunohost/helpers # Stop script if errors ynh_abort_if_errors # Import common fonctions source ./psql.sh source ./experimental_helper.sh source ./_common.sh #================================================= # SET ALL CONSTANT #================================================= app=$YNH_APP_INSTANCE_NAME synapse_user="matrix-$app" synapse_db_name="matrix_$app" synapse_db_user="matrix_$app" upstream_version=$(ynh_app_upstream_version) report_stats="False" #================================================= # RETRIEVE ARGUMENTS FROM THE MANIFEST #================================================= domain=$YNH_APP_ARG_DOMAIN is_public=$YNH_APP_ARG_IS_PUBLIC path_url="/_matrix" final_path="/opt/yunohost/matrix-$app" #================================================= # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS #================================================= ynh_webpath_available $domain $path_url || ynh_die "$domain is not available as domain, please use an other domain." test ! -e "/etc/nginx/conf.d/$domain.d/synapse*.conf" || ynh_die "$domain is not available as domain, please use an other domain." # Check Final Path availability test ! -e "$final_path" || ynh_die "This path already contains a folder" #================================================= # STORE SETTINGS FROM MANIFEST #================================================= # For the domain and the path we can't use the standard keys "domain" and "path" with the standard function ynh_webpath_register because it create automatically a button on the user pannel. # The idea is to create a custom key (specia_domain and special_path instead of domain and key). # By this the ssowatconf fonction don't create a button on the pannel. # This hack solve the issue : https://github.com/YunoHost-Apps/synapse_ynh/issues/14 ynh_app_setting_set $app special_domain $domain ynh_app_setting_set $app special_path $path_url ynh_app_setting_set $app final_path $final_path ynh_app_setting_set $app synapse_version $upstream_version ynh_app_setting_set $app is_public $is_public ynh_app_setting_set $app report_stats $report_stats #================================================= # STANDARD MODIFICATIONS #================================================= # FIND AND OPEN A PORT #================================================= # Find a free port synapse_tls_port=$(ynh_find_port 8448) port=$(ynh_find_port 8008) turnserver_tls_port=$(ynh_find_port 5349) turnserver_alt_tls_port=$(ynh_find_port $((turnserver_tls_port+1))) cli_port=$(ynh_find_port 5766) # Open this port yunohost firewall allow TCP $synapse_tls_port > /dev/null 2>&1 yunohost firewall allow Both $turnserver_tls_port > /dev/null 2>&1 yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1 # Store opened ports ynh_app_setting_set $app synapse_port $port ynh_app_setting_set $app synapse_tls_port $synapse_tls_port ynh_app_setting_set $app turnserver_tls_port $turnserver_tls_port ynh_app_setting_set $app turnserver_alt_tls_port $turnserver_alt_tls_port ynh_app_setting_set $app cli_port $cli_port #================================================= # CREATE A DH FILE #================================================= # WARNING : theses command are used in INSTALL, UPGRADE, RESTORE # For any update do it in all files # Make dh cert for synapse if doesn't exist if [[ ! -e /etc/ssl/private/dh2048.pem ]] then openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null chown root:ssl-cert /etc/ssl/private/dh2048.pem chmod 640 /etc/ssl/private/dh2048.pem fi #================================================= # INSTALL DEPENDENCIES #================================================= # WARNING : theses command are used in INSTALL, UPGRADE, RESTORE # For any update do it in all files ynh_install_app_dependencies $dependances #================================================= # CREATE DEDICATED USER #================================================= ynh_system_user_create $synapse_user /var/lib/matrix-$app adduser $synapse_user ssl-cert adduser turnserver ssl-cert #================================================= # CREATE A POSTGRESQL DATABASE #================================================= synapse_db_pwd=$(ynh_string_random 30) ynh_app_setting_set $app synapse_db_pwd $synapse_db_pwd # Create postgresql database ynh_psql_test_if_first_run ynh_psql_create_user $synapse_db_user $synapse_db_pwd ynh_psql_execute_as_root \ "CREATE DATABASE $synapse_db_name ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $synapse_db_user;" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= # Create empty dir for synapse # WARNING : theses command are used in INSTALL, UPGRADE # For any update do it in all files mkdir -p /var/lib/matrix-$app mkdir -p /var/log/matrix-$app mkdir -p /etc/matrix-$app/conf.d mkdir -p $final_path # Install synapse in virtualenv # WARNING : theses command are used in INSTALL, UPGRADE (2 times) # For any update do it in all files if [ -n "$(uname -m | grep arm)" ] then ynh_setup_source $final_path/ "armv7_$(lsb_release --codename --short)" else # Install virtualenv if it don't exist test -e $final_path/bin/python3 || python3 -m venv $final_path # Install synapse in virtualenv cp ../conf/virtualenv_activate $final_path/bin/activate ynh_replace_string __FINAL_PATH__ $final_path $final_path/bin/activate # We set all necessary environement variable to create a python virtualenvironnement. source $final_path/bin/activate pip3 install --upgrade pip pip3 install --upgrade setuptools wheel pip3 install --upgrade cffi ndg-httpsclient psycopg2 lxml pip3 install --upgrade matrix-synapse==$upstream_version matrix-synapse-ldap3 # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does deactivate fi #================================================= # CREATE SYNAPSE CONFIG #================================================= # Go in virtualenvironnement PS1=${PS1:-} source $final_path/bin/activate # Generate config python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $domain --report-stats=no -c homeserver.yml # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does deactivate # Get random values from config registration_shared_secret=$(egrep "^registration_shared_secret" homeserver.yml | cut -d'"' -f2) form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f2) # store in yunohost settings ynh_app_setting_set $app registration_shared_secret "$registration_shared_secret" ynh_app_setting_set $app form_secret "$form_secret" #================================================= # SETUP SYSTEMD #================================================= # Create systemd service for synapse and turnserver cp ../conf/default_matrix-synapse /etc/default/matrix-$app ynh_add_systemd_config matrix-$app matrix-synapse.service cp ../conf/default_coturn /etc/default/coturn-$app ynh_add_systemd_config coturn-$app coturn-synapse.service #================================================= # NGINX CONFIGURATION #================================================= ynh_add_nginx_config #================================================= # SET SYNAPSE CONFIG #================================================= # Find password for turnserver and database turnserver_pwd=$(ynh_string_random 30) ynh_app_setting_set $app turnserver_pwd $turnserver_pwd # Configure Synapse # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG (3 times) # For any update do it in all files homeserver_config_path="/etc/matrix-$app/homeserver.yaml" cp ../conf/homeserver.yaml "$homeserver_config_path" cp ../conf/log.yaml /etc/matrix-$app/log.yaml ynh_replace_string __APP__ $app "$homeserver_config_path" ynh_replace_string __DOMAIN__ $domain "$homeserver_config_path" ynh_replace_string __SYNAPSE_DB_USER__ $synapse_db_user "$homeserver_config_path" ynh_replace_string __SYNAPSE_DB_PWD__ $synapse_db_pwd "$homeserver_config_path" ynh_replace_string __PORT__ $port "$homeserver_config_path" ynh_replace_string __TLS_PORT__ $synapse_tls_port "$homeserver_config_path" ynh_replace_string __TURNSERVER_TLS_PORT__ $turnserver_tls_port "$homeserver_config_path" ynh_replace_special_string __TURNPWD__ $turnserver_pwd "$homeserver_config_path" ynh_replace_special_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path" ynh_replace_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path" ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path" ynh_replace_string __APP__ $app "/etc/matrix-$app/log.yaml" if [ "$is_public" = "0" ] then ynh_replace_string __ALLOWED_ACCESS__ False "$homeserver_config_path" else ynh_replace_string __ALLOWED_ACCESS__ True "$homeserver_config_path" fi ynh_store_file_checksum "$homeserver_config_path" ynh_store_file_checksum "/etc/matrix-$app/log.yaml" #================================================= # SET COTURN CONFIG #================================================= # WARNING : theses command are used in INSTALL, UPGRADE # For any update do it in all files coturn_config_path="/etc/matrix-$app/coturn.conf" cp ../conf/turnserver.conf "$coturn_config_path" ynh_replace_string __APP__ $app "$coturn_config_path" ynh_replace_string __TURNPWD__ $turnserver_pwd "$coturn_config_path" ynh_replace_string __DOMAIN__ $domain "$coturn_config_path" ynh_replace_string __TLS_PORT__ $turnserver_tls_port "$coturn_config_path" ynh_replace_string __TLS_ALT_PORT__ $turnserver_alt_tls_port "$coturn_config_path" ynh_replace_string __CLI_PORT__ $cli_port "$coturn_config_path" # Get public IP and set as external IP for coturn # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6 public_ip4="$(curl ip.yunohost.org)" || true public_ip6="$(curl ipv6.yunohost.org)" || true if [[ -n "$public_ip4" ]] && ynh_validate_ip4 "$public_ip4" then ynh_replace_string '__IPV4__' "$public_ip4" "$coturn_config_path" else ynh_replace_string '__IPV4__,' "" "$coturn_config_path" fi if [[ -n "$public_ip6" ]] && ynh_validate_ip6 "$public_ip6" then ynh_replace_string '__IPV6__' "$public_ip6" "$coturn_config_path" else ynh_replace_string ',__IPV6__' "" "$coturn_config_path" fi ynh_store_file_checksum "$coturn_config_path" #================================================= # SETUP LOGROTATE #================================================= ynh_use_logrotate /var/log/matrix-$app #================================================= # ADD SCRIPT FOR COTURN CRON #================================================= # WARNING : theses command are used in INSTALL, UPGRADE # For any update do it in all files cp ../sources/Coturn_config_rotate.sh $final_path/ ynh_replace_string __APP__ $app "$final_path/Coturn_config_rotate.sh" #================================================= # GENERIC FINALIZATION #================================================= # SETUP SSOWAT #================================================= # Open access to server without a button the home # The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls". python3 ../conf/add_sso_conf.py || ynh_die "Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32" #================================================= # SECURE FILES AND DIRECTORIES #================================================= # WARNING : theses command are used in INSTALL, UPGRADE, RESTORE # For any update do it in all files chown $synapse_user:root -R $final_path chmod 770 $final_path/Coturn_config_rotate.sh chown $synapse_user:root -R /var/lib/matrix-$app chown $synapse_user:root -R /var/log/matrix-$app chown $synapse_user:root -R /etc/matrix-$app chmod u=rwX,g=rX,o= -R /etc/matrix-$app chmod 600 /etc/matrix-$app/$domain.signing.key setfacl -R -m user:turnserver:rX /etc/matrix-$app setfacl -R -m user:turnserver:rwX /var/log/matrix-$app #================================================= # ADVERTISE SERVICE IN ADMIN PANEL #================================================= yunohost service add matrix-$app -l "/var/log/matrix-$app/homeserver.log" yunohost service add coturn-$app #================================================= # RELOAD SERVICES #================================================= systemctl restart coturn-$app.service ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app" #================================================= # SETUP FAIL2BAN #================================================= # WARNING : theses command are used in INSTALL, UPGRADE # For any update do it in all files ynh_add_fail2ban_config -t #================================================= # SEND A README FOR THE ADMIN #================================================= # WARNING : theses command are used in INSTALL, RESTORE # For any update do it in all files message="If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation. If not, you may need to put the following line in the dns configuration: _matrix._tcp.$domain. 3600 IN SRV 10 0 $synapse_tls_port $domain. For more details, see : https://github.com/matrix-org/synapse#setting-up-federation You also need to open the TCP port $synapse_tls_port on your ISP box if it's not automatically done. Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh . If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en" ynh_send_readme_to_admin "$message"