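#!/bin/bash

#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================

# _common.sh is expected to provide $dependances (used below); the YunoHost
# helpers provide every ynh_* function called in this script.
source _common.sh
source experimental_helper.sh
source /usr/share/yunohost/helpers

#=================================================
# MANAGE SCRIPT FAILURE
#=================================================

# Called by the helpers when the script aborts; removes leftovers that the
# remove script does not handle on its own.
ynh_clean_setup () {
    ynh_clean_check_starting
}

# Exit if an error occurs during the execution of the script
ynh_abort_if_errors

#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST
#=================================================

app=$YNH_APP_INSTANCE_NAME
domain=$YNH_APP_ARG_DOMAIN
server_name=$YNH_APP_ARG_SERVER_NAME
is_public=$YNH_APP_ARG_IS_PUBLIC
jitsi_server=$YNH_APP_ARG_JITSI_SERVER

#=================================================
# SET CONSTANTS
#=================================================

synapse_user="matrix-$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
upstream_version=$(ynh_app_upstream_version)
report_stats="false"
allow_public_rooms="false"
default_domain_value="Same than the domain"

path_url="/_matrix"
final_path="/opt/yunohost/matrix-$app"
final_www_path="/var/www/$app"

# The manifest offers a sentinel value meaning "use the install domain".
if [[ "$server_name" == "$default_domain_value" ]]; then
    server_name=$domain
fi

#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
ynh_script_progression --message="Validating installation parameters..." --weight=2

[[ "$(ynh_webpath_available --domain="$domain" --path_url="$path_url")" == "True" ]] \
    || ynh_die --message="$domain is not available as domain, please use an other domain."

# Refuse to install next to an older synapse nginx snippet on the same domain.
# The wildcard must be expanded by the shell, so it is NOT quoted here: a
# quoted "synapse*.conf" would only ever test for a file literally named that.
if compgen -G "/etc/nginx/conf.d/$domain.d/synapse*.conf" > /dev/null; then
    ynh_die --message="$domain is not available as domain, please use an other domain."
fi

# Check Final Path availability
[[ ! -e "$final_path" ]] || ynh_die --message="This path already contains a folder"

#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
ynh_script_progression --message="Storing installation settings..." --weight=1

ynh_app_setting_set --app="$app" --key=domain --value="$domain"
ynh_app_setting_set --app="$app" --key=path --value="$path_url"
ynh_app_setting_set --app="$app" --key=no_sso --value true
ynh_app_setting_set --app="$app" --key=server_name --value="$server_name"
ynh_app_setting_set --app="$app" --key=jitsi_server --value="$jitsi_server"
ynh_app_setting_set --app="$app" --key=final_path --value="$final_path"
ynh_app_setting_set --app="$app" --key=synapse_version --value="$upstream_version"
ynh_app_setting_set --app="$app" --key=is_public --value="$is_public"
ynh_app_setting_set --app="$app" --key=report_stats --value="$report_stats"
ynh_app_setting_set --app="$app" --key=allow_public_rooms --value="$allow_public_rooms"

#=================================================
# STANDARD MODIFICATIONS
#=================================================
# FIND AND OPEN A PORT
#=================================================
ynh_script_progression --message="Configuring firewall..." --weight=19

# Find a free port
synapse_tls_port=$(ynh_find_port --port=8448)
port=$(ynh_find_port --port=8008)
turnserver_tls_port=$(ynh_find_port --port=5349)
turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
cli_port=$(ynh_find_port --port=5766)

# Open the federation port and both TURN ports in the firewall. The plain
# client port ($port) and the coturn CLI port stay local and are NOT opened.
ynh_exec_warn_less yunohost firewall allow TCP "$synapse_tls_port"
ynh_exec_warn_less yunohost firewall allow Both "$turnserver_tls_port"
ynh_exec_warn_less yunohost firewall allow Both "$turnserver_alt_tls_port"

# Store opened ports
ynh_app_setting_set --app="$app" --key=synapse_port --value="$port"
ynh_app_setting_set --app="$app" --key=synapse_tls_port --value="$synapse_tls_port"
ynh_app_setting_set --app="$app" --key=turnserver_tls_port --value="$turnserver_tls_port"
ynh_app_setting_set --app="$app" --key=turnserver_alt_tls_port --value="$turnserver_alt_tls_port"
ynh_app_setting_set --app="$app" --key=cli_port --value="$cli_port"

#=================================================
# CREATE A DH FILE
#=================================================
ynh_script_progression --message="Creating a dh file..." --weight=3

# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
# For any update do it in all files

# Make dh cert for synapse if it doesn't exist.
# NOTE(review): -dsaparam produces DSA-style (non safe-prime) parameters
# quickly; that is acceptable for ephemeral DHE where a fresh private key is
# used per handshake, but these parameters must never be reused for static DH.
# The file is readable by the ssl-cert group only (the synapse and turnserver
# users are added to that group below).
if [[ ! -e /etc/ssl/private/dh2048.pem ]]; then
    ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam
    chown root:ssl-cert /etc/ssl/private/dh2048.pem
    chmod 640 /etc/ssl/private/dh2048.pem
fi

#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Installing dependencies..." --weight=80

# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
# For any update do it in all files
# $dependances is not defined in this file; presumably it comes from _common.sh.
ynh_install_app_dependencies $dependances

#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Configuring system user..." --weight=3

ynh_system_user_create --username="$synapse_user" --home_dir="/var/lib/matrix-$app"
# ssl-cert membership is what lets both daemons read the DH file above and the
# private TLS material under /etc/ssl/private.
adduser "$synapse_user" ssl-cert
adduser turnserver ssl-cert

#=================================================
# CREATE A POSTGRESQL DATABASE
#=================================================
ynh_script_progression --message="Creating a PostgreSQL database..." --weight=4

# ynh_print_OFF/ON disable command tracing so the password never lands in the
# install log.
ynh_print_OFF
synapse_db_pwd=$(ynh_string_random --length=30)
ynh_app_setting_set --app="$app" --key=synapse_db_pwd --value="$synapse_db_pwd"
ynh_print_ON

# Create postgresql database
ynh_psql_test_if_first_run
ynh_print_OFF
ynh_psql_create_user "$synapse_db_user" "$synapse_db_pwd"
ynh_print_ON
# Synapse requires a C collation; the identifiers are derived from $app, which
# is chosen by YunoHost (not by an end user), so they are interpolated directly.
ynh_psql_execute_as_root \
    --sql="CREATE DATABASE $synapse_db_name ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $synapse_db_user;"

#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
ynh_script_progression --message="Setting up source files..." --weight=50

# Create empty dir for synapse
# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
mkdir -p "/var/lib/matrix-$app"
mkdir -p "/var/log/matrix-$app"
mkdir -p "/etc/matrix-$app/conf.d"
mkdir -p "$final_path"

# Install synapse in virtualenv
# WARNING : theses command are used in INSTALL, UPGRADE (2 times)
# For any update do it in all files
if [[ -n "$(uname -m | grep arm)" ]]; then
    # Prebuilt virtualenv for ARM; ynh_setup_source verifies it against the
    # checksum declared in the app's source manifest.
    ynh_setup_source --dest_dir="$final_path/" --source_id="armv7_$(lsb_release --codename --short)"

    # Fix multi-instance support: rewrite the shebang of every launcher so it
    # points at this instance's virtualenv instead of the build path.
    # The "__" filter is applied to the basename only: $final_path itself
    # contains "__" for secondary instances (e.g. matrix-synapse__2).
    for launcher in "$final_path"/bin/*; do
        [[ -e "$launcher" ]] || continue
        name=${launcher##*/}
        if ! [[ "$name" =~ "__" ]]; then
            ynh_replace_special_string --match_string='#!/opt/yunohost/matrix-synapse' --replace_string='#!'"$final_path" --target_file="$launcher"
        fi
    done
else
    # Install virtualenv if it don't exist
    test -e "$final_path/bin/python3" || python3 -m venv "$final_path"

    # Install synapse in virtualenv
    cp ../conf/virtualenv_activate "$final_path/bin/activate"
    ynh_replace_string --match_string=__FINAL_PATH__ --replace_string="$final_path" --target_file="$final_path/bin/activate"

    # We set all necessary environement variable to create a python virtualenvironnement.
    source "$final_path/bin/activate"
    # NOTE(review): only matrix-synapse is pinned; pip, setuptools, wheel and the
    # other packages are fetched unpinned from PyPI without hash verification.
    pip3 install --upgrade pip
    pip3 install --upgrade setuptools wheel
    pip3 install --upgrade cffi ndg-httpsclient psycopg2 lxml jinja2
    pip3 install --upgrade matrix-synapse=="$upstream_version" matrix-synapse-ldap3

    # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
    deactivate
fi

#=================================================
# CREATE SMALL CAS SERVER
#=================================================

# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
mkdir -p "$final_www_path"
cp ../sources/cas_server.php "$final_www_path/"
chmod u=rwX,g=rX,o= -R "$final_www_path"
chown "$synapse_user:root" -R "$final_www_path"

#=================================================
# CREATE SYNAPSE CONFIG
#=================================================
ynh_script_progression --message="Creating synapse config..." --weight=3

# Go in virtualenvironnement (activate references PS1; keep it defined under set -u)
PS1=${PS1:-}
source "$final_path/bin/activate"

# Generate a throwaway config only to obtain fresh random secrets and the
# signing key; the real config is rendered from ../conf/homeserver.yaml below.
python -m synapse.app.homeserver --keys-directory "/etc/matrix-$app/" --generate-config --generate-keys --server-name "$server_name" --report-stats=no -c homeserver.yml

# This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
deactivate

# Get random values from config
ynh_print_OFF
registration_shared_secret=$(grep -E "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
form_secret=$(grep -E "^form_secret:" homeserver.yml | cut -d'"' -f2)
macaroon_secret_key=$(grep -E "^macaroon_secret_key:" homeserver.yml | cut -d'"' -f2)

# store in yunohost settings
ynh_app_setting_set --app="$app" --key=registration_shared_secret --value="$registration_shared_secret"
ynh_app_setting_set --app="$app" --key=form_secret --value="$form_secret"
ynh_app_setting_set --app="$app" --key=macaroon_secret_key --value="$macaroon_secret_key"
ynh_print_ON

# The generated file still holds all three secrets in clear text and is no
# longer needed: drop it rather than leaving it in the working directory.
rm -f homeserver.yml

#=================================================
# SETUP SYSTEMD
#=================================================
ynh_script_progression --message="Configuring a systemd service..." --weight=2

# Create systemd service for synapse and turnserver
cp ../conf/default_matrix-synapse "/etc/default/matrix-$app"
ynh_add_systemd_config --service="matrix-$app" --template=matrix-synapse.service
cp ../conf/default_coturn "/etc/default/coturn-$app"
ynh_add_systemd_config --service="coturn-$app" --template=coturn-synapse.service

#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring nginx web server..." --weight=2

# Create a dedicated php-fpm config
ynh_script_progression --message="Configuring application..."
ynh_add_fpm_config

# Create .well-known redirection for access by federation.
# Only possible when the server_name is a domain this YunoHost instance serves.
if yunohost --output-as plain domain list | grep -q "^$server_name$"; then
    server_name_conf="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
    cp ../conf/server_name.conf "$server_name_conf"
    ynh_replace_string --match_string=__DOMAIN__ --replace_string="$domain" --target_file="$server_name_conf"
    ynh_replace_string --match_string=__PORT__ --replace_string="$synapse_tls_port" --target_file="$server_name_conf"
    ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string="$jitsi_server" --target_file="$server_name_conf"
    ynh_store_file_checksum --file="$server_name_conf"
fi

# Create a dedicated nginx config
ynh_add_nginx_config app

#=================================================
# SET SYNAPSE CONFIG
#=================================================
ynh_script_progression --message="Configuring synapse..." --weight=2

# Find password for turnserver and database
ynh_print_OFF
turnserver_pwd=$(ynh_string_random --length=30)
ynh_app_setting_set --app="$app" --key=turnserver_pwd --value="$turnserver_pwd"
ynh_print_ON

# Configure Synapse
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
# For any update do it in all files
homeserver_config_path="/etc/matrix-$app/homeserver.yaml"

cp ../conf/homeserver.yaml "$homeserver_config_path"
cp ../conf/log.yaml "/etc/matrix-$app/log.yaml"

ynh_replace_string --match_string=__APP__ --replace_string="$app" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__DOMAIN__ --replace_string="$domain" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__SERVER_NAME__ --replace_string="$server_name" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__SYNAPSE_DB_USER__ --replace_string="$synapse_db_user" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__PORT__ --replace_string="$port" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__TLS_PORT__ --replace_string="$synapse_tls_port" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string="$turnserver_tls_port" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"

# Secrets go through the "special string" variant so characters that are
# significant to the replacement tool cannot corrupt the config.
ynh_print_OFF
ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string="$synapse_db_pwd" --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__TURNPWD__ --replace_string="$turnserver_pwd" --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
ynh_print_ON

ynh_replace_string --match_string=__APP__ --replace_string="$app" --target_file="/etc/matrix-$app/log.yaml"

# Private instance: open registration off, SSO (CAS) on; public: the reverse.
if [[ "$is_public" -eq 0 ]]; then
    ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path"
    ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path"
else
    ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path"
    ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path"
fi

ynh_store_file_checksum --file="$homeserver_config_path"
ynh_store_file_checksum --file="/etc/matrix-$app/log.yaml"

#=================================================
# SET COTURN CONFIG
#=================================================
ynh_script_progression --message="Configuring coturn..." --weight=1

# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files

coturn_config_path="/etc/matrix-$app/coturn.conf"

cp ../conf/turnserver.conf "$coturn_config_path"

ynh_replace_string --match_string=__APP__ --replace_string="$app" --target_file="$coturn_config_path"
ynh_replace_string --match_string=__DOMAIN__ --replace_string="$domain" --target_file="$coturn_config_path"
ynh_replace_string --match_string=__TLS_PORT__ --replace_string="$turnserver_tls_port" --target_file="$coturn_config_path"
ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string="$turnserver_alt_tls_port" --target_file="$coturn_config_path"
ynh_replace_string --match_string=__CLI_PORT__ --replace_string="$cli_port" --target_file="$coturn_config_path"
# Same "special string" variant as for homeserver.yaml, so both files are
# rendered the same way from the same shared secret.
ynh_print_OFF
ynh_replace_special_string --match_string=__TURNPWD__ --replace_string="$turnserver_pwd" --target_file="$coturn_config_path"
ynh_print_ON

# Get public IP and set as external IP for coturn
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
# A timeout keeps a hung lookup from stalling the whole install. The answer
# comes from the network, so it is only written to the config once it has
# passed ynh_validate_ip4/ip6 below.
public_ip4="$(curl --silent --max-time 15 ip.yunohost.org)" || true
public_ip6="$(curl --silent --max-time 15 ipv6.yunohost.org)" || true

if [[ -n "$public_ip4" ]] && ynh_validate_ip4 --ip_address="$public_ip4"; then
    echo "external-ip=$public_ip4" >> "$coturn_config_path"
fi

if [[ -n "$public_ip6" ]] && ynh_validate_ip6 --ip_address="$public_ip6"; then
    echo "external-ip=$public_ip6" >> "$coturn_config_path"
fi

ynh_store_file_checksum --file="$coturn_config_path"

#=================================================
# SETUP LOGROTATE
#=================================================
ynh_script_progression --message="Configuring log rotation..." --weight=2

ynh_use_logrotate --logfile "/var/log/matrix-$app"

#=================================================
# ADD SCRIPT FOR COTURN CRON
#=================================================

# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
cp ../sources/Coturn_config_rotate.sh "$final_path/"
ynh_replace_string --match_string=__APP__ --replace_string="$app" --target_file="$final_path/Coturn_config_rotate.sh"

#=================================================
# GENERIC FINALIZATION
#=================================================
# SETUP SSOWAT
#=================================================
ynh_script_progression --message="Configuring SSOwat..." --weight=1

# Open access to server without a button the home
# The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls".
python3 ../conf/add_sso_conf.py "$domain" "$server_name" || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"

ynh_permission_url --permission main --url "$domain/_matrix/cas_server.php/login"

#=================================================
# UPDATE HOOKS
#=================================================

# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
ynh_replace_string __APP__ "$app" ../hooks/post_cert_update
ynh_replace_string __DOMAIN__ "$domain" ../hooks/post_cert_update

#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================

# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
# For any update do it in all files
chown "$synapse_user:root" -R "$final_path"
chmod 770 "$final_path/Coturn_config_rotate.sh"
chown "$synapse_user:root" -R "/var/lib/matrix-$app"
chown "$synapse_user:root" -R "/var/log/matrix-$app"
chown "$synapse_user:root" -R "/etc/matrix-$app"
chmod u=rwX,g=rX,o= -R "/etc/matrix-$app"
chmod 600 "/etc/matrix-$app/$server_name.signing.key"
setfacl -R -m user:turnserver:rX "/etc/matrix-$app"
setfacl -R -m user:turnserver:rwX "/var/log/matrix-$app"
# The recursive ACL above would otherwise hand the turnserver user read access
# to the signing key (undoing the chmod 600) and to homeserver.yaml, which
# carries the DB password and macaroon/registration secrets. coturn only needs
# its own coturn.conf, so strip its entry from those two files.
setfacl -x user:turnserver "/etc/matrix-$app/$server_name.signing.key" "$homeserver_config_path"

#=================================================
# ADVERTISE SERVICE IN ADMIN PANEL
#=================================================

yunohost service add "matrix-$app" --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports "$synapse_tls_port"
yunohost service add "coturn-$app" --needs_exposed_ports "$turnserver_tls_port" "$turnserver_alt_tls_port"

#=================================================
# RELOAD SERVICES
#=================================================
ynh_script_progression --message="Restarting synapse services..." --weight=11

ynh_systemd_action --service_name="coturn-$app.service" --action=restart
ynh_systemd_action --service_name="matrix-$app" --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300

#=================================================
# SETUP FAIL2BAN
#=================================================
ynh_script_progression --message="Configuring fail2ban..." --weight=10

# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
ynh_add_fail2ban_config --use_template

#=================================================
# SEND A README FOR THE ADMIN
#=================================================

# WARNING : theses command are used in INSTALL, RESTORE
# For any update do it in all files
cat > mail_to_send <<EOF
If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.

If not, you may need to put the following line in the dns configuration:
_matrix._tcp.$domain. 3600 IN SRV 10 0 $synapse_tls_port $domain.
For more details, see : https://github.com/matrix-org/synapse#setting-up-federation

You also need to open the TCP port $synapse_tls_port on your ISP box if it's not automatically done.

Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .

If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh

You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en
EOF

ynh_send_readme_to_admin --app_message="mail_to_send" --type="install"

#=================================================
# END OF SCRIPT
#=================================================

ynh_script_progression --message="Installation of $app completed" --last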