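#!/bin/bash

# Upgrade script of the YunoHost package for Synapse (Matrix homeserver).
#
# This part of the script loads the stored app settings, applies the numbered
# settings/data migrations, reinstalls dependencies and sources when needed,
# regenerates the Synapse configuration and prepares the coturn, certificate
# and DH-parameter prerequisites.
#
# Requires: YNH_APP_INSTANCE_NAME in the environment, and the helpers sourced
# below (_common.sh, experimental_helper.sh, /usr/share/yunohost/helpers).
#
# NOTE(review): several variables loaded below hold credentials (database
# password, turnserver password, registration/form/macaroon secrets, the app
# user's password). Running this script with `set -x` would write them to the
# trace output.

#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================

source _common.sh
source experimental_helper.sh
source /usr/share/yunohost/helpers

# Exit if an error occurs during the execution of the script
ynh_abort_if_errors

#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --weight=3

app=$YNH_APP_INSTANCE_NAME

domain=$(ynh_app_setting_get --app="$app" --key=domain)
server_name=$(ynh_app_setting_get --app="$app" --key=server_name)
jitsi_server=$(ynh_app_setting_get --app="$app" --key=jitsi_server)
path_url=$(ynh_app_setting_get --app="$app" --key=path)
final_path=$(ynh_app_setting_get --app="$app" --key=final_path)
synapse_old_version=$(ynh_app_setting_get --app="$app" --key=synapse_version)
is_free_registration=$(ynh_app_setting_get --app="$app" --key=is_free_registration)
port=$(ynh_app_setting_get --app="$app" --key=synapse_port)
synapse_tls_port=$(ynh_app_setting_get --app="$app" --key=synapse_tls_port)
turnserver_tls_port=$(ynh_app_setting_get --app="$app" --key=turnserver_tls_port)
turnserver_alt_tls_port=$(ynh_app_setting_get --app="$app" --key=turnserver_alt_tls_port)
cli_port=$(ynh_app_setting_get --app="$app" --key=cli_port)
report_stats=$(ynh_app_setting_get --app="$app" --key=report_stats)
e2e_enabled_by_default=$(ynh_app_setting_get --app="$app" --key=e2e_enabled_by_default)
synapse_db_pwd=$(ynh_app_setting_get --app="$app" --key=synapse_db_pwd)
turnserver_pwd=$(ynh_app_setting_get --app="$app" --key=turnserver_pwd)
registration_shared_secret=$(ynh_app_setting_get --app="$app" --key=registration_shared_secret)
form_secret=$(ynh_app_setting_get --app="$app" --key=form_secret)
macaroon_secret_key=$(ynh_app_setting_get --app="$app" --key=macaroon_secret_key)
synapse_user_app_pwd=$(ynh_app_setting_get --app="$app" --key=synapse_user_app_pwd)
domain_whitelist_client_=$(get_domain_list)
# Strip a trailing literal "\n" (backslash + n) from the domain list.
domain_whitelist_client=${domain_whitelist_client_%"\n"}
main_domain=$(yunohost domain list --output-as json | jq -r .main)

#=================================================
# SET ALL CONSTANT
#=================================================

synapse_user="matrix-$app"
synapse_user_app="$app"
synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app"
upstream_version=$(ynh_app_upstream_version)
upgrade_type=$(ynh_check_app_version_changed)
final_www_path="/var/www/$app"
data_path="/home/yunohost.app/matrix-$app"

#=================================================
# GET CONFIG PANEL SETTINGS
#=================================================

server_statistics=$(ynh_app_setting_get --app="$app" --key=server_statistics)
web_client_location=$(ynh_app_setting_get --app="$app" --key=web_client_location)
client_base_url=$(ynh_app_setting_get --app="$app" --key=client_base_url)
invite_client_location=$(ynh_app_setting_get --app="$app" --key=invite_client_location)
allow_public_rooms_without_auth=$(ynh_app_setting_get --app="$app" --key=allow_public_rooms_without_auth)
allow_public_rooms_over_federation=$(ynh_app_setting_get --app="$app" --key=allow_public_rooms_over_federation)
max_upload_size=$(ynh_app_setting_get --app="$app" --key=max_upload_size)
disable_msisdn_registration=$(ynh_app_setting_get --app="$app" --key=disable_msisdn_registration)
registrations_require_3pid=$(ynh_app_setting_get --app="$app" --key=registrations_require_3pid)
allowed_local_3pids_email=$(ynh_app_setting_get --app="$app" --key=allowed_local_3pids_email)
allowed_local_3pids_msisdn=$(ynh_app_setting_get --app="$app" --key=allowed_local_3pids_msisdn)
account_threepid_delegates_msisdn=$(ynh_app_setting_get --app="$app" --key=account_threepid_delegates_msisdn)
allow_guest_access=$(ynh_app_setting_get --app="$app" --key=allow_guest_access)
default_identity_server=$(ynh_app_setting_get --app="$app" --key=default_identity_server)
auto_join_rooms=$(ynh_app_setting_get --app="$app" --key=auto_join_rooms)
autocreate_auto_join_rooms=$(ynh_app_setting_get --app="$app" --key=autocreate_auto_join_rooms)
auto_join_rooms_for_guests=$(ynh_app_setting_get --app="$app" --key=auto_join_rooms_for_guests)
enable_notifs=$(ynh_app_setting_get --app="$app" --key=enable_notifs)
notif_for_new_users=$(ynh_app_setting_get --app="$app" --key=notif_for_new_users)
enable_group_creation=$(ynh_app_setting_get --app="$app" --key=enable_group_creation)
enable_registration=$(ynh_app_setting_get --app="$app" --key=enable_registration)
turn_allow_guests=$(ynh_app_setting_get --app="$app" --key=turn_allow_guests)
sso_enabled=$(ynh_app_setting_get --app="$app" --key=sso_enabled)
password_enabled=$(ynh_app_setting_get --app="$app" --key=password_enabled)
enable_3pid_lookup=$(ynh_app_setting_get --app="$app" --key=enable_3pid_lookup)
push_include_content=$(ynh_app_setting_get --app="$app" --key=push_include_content)

#=================================================
# ENSURE DOWNWARD COMPATIBILITY
#=================================================
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1

# Following the discussion in https://github.com/YunoHost-Apps/synapse_ynh/pull/51
# support for migrating from the old package was removed for good.
if [ -z "$synapse_old_version" ]
then
    ynh_die --message="Update from this synapse version is not available. You need to remove this package and reinstall the new package version."
fi

#=================================================
# MIGRATION 7 : Working config panel v1
#=================================================

# Derive the new 'backup_before_upgrade' setting from the legacy
# 'disable_backup_before_upgrade' flag when it has never been stored.
backup_before_upgrade=$(ynh_app_setting_get --app="$app" --key=backup_before_upgrade)
if [ -z "$backup_before_upgrade" ]; then
    backup_before_upgrade="true"
    disable_backup_before_upgrade=$(ynh_app_setting_get --app="$app" --key=disable_backup_before_upgrade)
    # The leading "0" keeps the numeric test valid when the legacy flag is empty.
    if [ "0$disable_backup_before_upgrade" -ne 0 ]; then
        backup_before_upgrade="false"
    fi
    ynh_app_setting_set --app="$app" --key=backup_before_upgrade --value="$backup_before_upgrade"
fi

#=================================================
# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
#=================================================

# Stop the service before defining ynh_clean_setup
ynh_systemd_action --service_name="matrix-$app.service" --action=stop

# Backup the current version of the app.
# The setting is compared as a string rather than executed as a command, so a
# stored value is never run by the shell; only "true" enables the backup.
if [ "$backup_before_upgrade" = "true" ]; then
    ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=30
    ynh_backup_before_upgrade
    ynh_clean_setup () {
        # Clean installation leftovers that are not handled by the remove script.
        ynh_clean_check_starting
        ynh_restore_upgradebackup
    }
else
    ynh_script_progression --message="NOT Backing up the app before upgrading..." --weight=1
fi

#=================================================
# STANDARD UPGRADE STEPS
#=================================================
# MIGRATION 5 : Manage old settings
#=================================================

# Migrate from settings 'special_domain' to 'domain' and 'special_path' to 'path'
if [ -z "$domain" ]; then
    domain=$(ynh_app_setting_get --app="$app" --key=special_domain)
    path_url=$(ynh_app_setting_get --app="$app" --key=special_path)
    ynh_app_setting_set --app="$app" --key=domain --value="$domain"
    ynh_app_setting_set --app="$app" --key=path --value="$path_url"
    ynh_app_setting_delete --app="$app" --key=special_domain
    ynh_app_setting_delete --app="$app" --key=special_path
    ynh_app_setting_set --app="$app" --key=no_sso --value true
fi

# Define $server_name if not already defined
if [ -z "$server_name" ]; then
    server_name=$domain
    ynh_app_setting_set --app="$app" --key=server_name --value="$domain"
fi

# Define $jitsi_server if not already defined
if [ -z "$jitsi_server" ]; then
    jitsi_server='jitsi.riot.im'
    ynh_app_setting_set --app="$app" --key=jitsi_server --value="$jitsi_server"
fi

# Define $e2e_enabled_by_default if not already defined, and translate the
# legacy boolean values ("true"/"false") to the current ones ("all"/"off").
if [ -z "$e2e_enabled_by_default" ]; then
    e2e_enabled_by_default="invite"
    ynh_app_setting_set --app="$app" --key=e2e_enabled_by_default --value="$e2e_enabled_by_default"
fi

if [ "$e2e_enabled_by_default" = "true" ]; then
    e2e_enabled_by_default="all"
    ynh_app_setting_set --app="$app" --key=e2e_enabled_by_default --value="$e2e_enabled_by_default"
fi

if [ "$e2e_enabled_by_default" = "false" ]; then
    e2e_enabled_by_default="off"
    ynh_app_setting_set --app="$app" --key=e2e_enabled_by_default --value="$e2e_enabled_by_default"
fi

if [ -z "$report_stats" ]; then
    report_stats="false"
    ynh_app_setting_set --app="$app" --key=report_stats --value="$report_stats"
fi

if [ -z "$is_free_registration" ]; then
    is_free_registration=$(ynh_app_setting_get --app="$app" --key=is_""public)
fi

if [ -z "$synapse_user_app_pwd" ]; then
    synapse_user_app_pwd="$(ynh_string_random --length=30)"
    ynh_app_setting_set --app="$app" --key=synapse_user_app_pwd --value="$synapse_user_app_pwd"

    # The format to create a user account varies depending on the version of
    # YunoHost currently installed.
    # NOTE(review): the password is passed with -p on the command line, so it
    # is visible in the process list while `yunohost user create` runs.
    ynh_current_version=$(dpkg-query --showformat='${Version}' --show yunohost)
    if dpkg --compare-versions "$ynh_current_version" ge "11.1"; then
        yunohost user create "$synapse_user_app" -F "Synapse Application" -d "$domain" -p "$synapse_user_app_pwd"
    else
        yunohost user create "$synapse_user_app" -f Synapse -l Application -d "$domain" -p "$synapse_user_app_pwd"
    fi
fi

#=================================================
# MIGRATION 6 : Migrate data directory
#=================================================

if [ -e "/var/lib/matrix-$app" ]; then
    ynh_script_progression --message="Moving data directory to $data_path..." --weight=1
    if [ -e "$data_path" ]; then
        # Keep any pre-existing target directory under a timestamped name.
        old_data_dir_path="$data_path$(date '+%Y%m%d.%H%M%S')"
        ynh_print_warn "A data directory already exist. Data was renamed to $old_data_dir_path"
        mv "$data_path" "$old_data_dir_path"
    fi
    mv "/var/lib/matrix-$app" "$data_path"
fi

# Point the service account's home directory at $final_path.
# The path is matched as a fixed string, not as a regular expression.
# NOTE(review): this rewrites /etc/passwd in place with sed; a mistake in the
# expression affects the system account database. Consider whether
# `usermod --home` can replace it.
if ! grep -qF -- "$final_path" /etc/passwd; then
    # matrix-synapse:x:994:994::/var/lib/matrix-synapse:/usr/sbin/nologin
    sed --in-place -r "s@matrix-$app\:x\:([[:digit:]]+\:[[:digit:]]+)\:\:/.*/matrix-$app\:/usr/sbin/nologin@matrix-$app\:x\:\1\:\:$final_path\:/usr/sbin/nologin@g" /etc/passwd
fi

#=================================================
# MIGRATION 7 : Working config panel v1
#=================================================

allow_public_rooms=$(ynh_app_setting_get --app="$app" --key=allow_public_rooms)
if [ -z "$allow_public_rooms" ]; then
    allow_public_rooms="false"
fi

# SET STANDARD SETTINGS FROM DEFAULT CONFIG

# Get app name of first Element Instance
element_ynh_url="https://matrix.to/"
element_domain=""
element_path=""
# NOTE(review): the three assignments below overwrite the values loaded from
# the settings above with a non-empty URL, so the `[ -z "$web_client_location" ]`
# branch that follows can never run. Looks unintended — confirm whether the
# stored config-panel values should be kept instead.
web_client_location=$element_ynh_url
client_base_url=$element_ynh_url
invite_client_location=$element_ynh_url
element_instance="element"
if [ -z "$web_client_location" ]
then
    if yunohost --output-as plain app list | grep -q "^$element_instance"'$'; then
        element_domain=$(ynh_app_setting_get --app "$element_instance" --key domain)
        element_path=$(ynh_app_setting_get --app "$element_instance" --key path)
        element_ynh_url="https://""$element_domain""$element_path"
    fi
    web_client_location=$element_ynh_url
    client_base_url=$element_ynh_url
    invite_client_location=$element_ynh_url
    ynh_app_setting_set --app="$app" --key=web_client_location --value="$web_client_location"
    ynh_app_setting_set --app="$app" --key=client_base_url --value="$client_base_url"
    ynh_app_setting_set --app="$app" --key=invite_client_location --value="$invite_client_location"
fi

# Each block below stores a default for a config-panel setting that has never
# been saved; existing values are left untouched.
if [ -z "$server_statistics" ]
then
    server_statistics="false"
    ynh_app_setting_set --app="$app" --key=server_statistics --value="$server_statistics"
fi

if [ -z "$allow_public_rooms_without_auth" ]
then
    allow_public_rooms_without_auth=$allow_public_rooms
    ynh_app_setting_set --app="$app" --key=allow_public_rooms_without_auth --value="$allow_public_rooms_without_auth"
fi

if [ -z "$allow_public_rooms_over_federation" ]
then
    allow_public_rooms_over_federation=$allow_public_rooms
    ynh_app_setting_set --app="$app" --key=allow_public_rooms_over_federation --value="$allow_public_rooms_over_federation"
fi

if [ -z "$max_upload_size" ]
then
    max_upload_size="10M"
    ynh_app_setting_set --app="$app" --key=max_upload_size --value="$max_upload_size"
fi

if [ -z "$disable_msisdn_registration" ]
then
    disable_msisdn_registration="true"
    ynh_app_setting_set --app="$app" --key=disable_msisdn_registration --value="$disable_msisdn_registration"
fi

if [ -z "$registrations_require_3pid" ]
then
    registrations_require_3pid="none"
    ynh_app_setting_set --app="$app" --key=registrations_require_3pid --value="$registrations_require_3pid"
fi

if [ -z "$allowed_local_3pids_email" ]
then
    allowed_local_3pids_email="'^[^@]+@""matrix""\.org$'"
    ynh_app_setting_set --app="$app" --key=allowed_local_3pids_email --value="$allowed_local_3pids_email"
fi

if [ -z "$allowed_local_3pids_msisdn" ]
then
    allowed_local_3pids_msisdn="'\+33'"
    ynh_app_setting_set --app="$app" --key=allowed_local_3pids_msisdn --value="$allowed_local_3pids_msisdn"
fi

if [ -z "$account_threepid_delegates_msisdn" ]
then
    account_threepid_delegates_msisdn=""
    ynh_app_setting_set --app="$app" --key=account_threepid_delegates_msisdn --value="$account_threepid_delegates_msisdn"
fi

if [ -z "$allow_guest_access" ]
then
    allow_guest_access="false"
    ynh_app_setting_set --app="$app" --key=allow_guest_access --value="$allow_guest_access"
fi

if [ -z "$default_identity_server" ]
then
    default_identity_server="https://matrix.org"
    ynh_app_setting_set --app="$app" --key=default_identity_server --value="$default_identity_server"
fi

if [ -z "$auto_join_rooms" ]
then
    auto_join_rooms="#auto_join_room:""$server_name"
    ynh_app_setting_set --app="$app" --key=auto_join_rooms --value="$auto_join_rooms"
fi

if [ -z "$autocreate_auto_join_rooms" ]
then
    autocreate_auto_join_rooms="false"
    ynh_app_setting_set --app="$app" --key=autocreate_auto_join_rooms --value="$autocreate_auto_join_rooms"
fi

if [ -z "$auto_join_rooms_for_guests" ]
then
    auto_join_rooms_for_guests="true"
    ynh_app_setting_set --app="$app" --key=auto_join_rooms_for_guests --value="$auto_join_rooms_for_guests"
fi

if [ -z "$enable_notifs" ]
then
    enable_notifs="true"
    ynh_app_setting_set --app="$app" --key=enable_notifs --value="$enable_notifs"
fi

if [ -z "$notif_for_new_users" ]
then
    notif_for_new_users="true"
    ynh_app_setting_set --app="$app" --key=notif_for_new_users --value="$notif_for_new_users"
fi

if [ -z "$enable_group_creation" ]
then
    enable_group_creation="true"
    ynh_app_setting_set --app="$app" --key=enable_group_creation --value="$enable_group_creation"
fi

# Registration-related defaults are derived together from the legacy
# 'is_free_registration' flag: 0 selects SSO-only login with registration,
# password login, guest TURN access and 3pid lookup all disabled; any other
# value selects the opposite set.
if [ -z "$enable_registration" ]
then
    if [ "$is_free_registration" -eq "0" ]
    then
        enable_registration="false"
        turn_allow_guests="false"
        sso_enabled="true"
        password_enabled="false"
        enable_3pid_lookup="false"
    else
        enable_registration="true"
        turn_allow_guests="true"
        sso_enabled="false"
        password_enabled="true"
        enable_3pid_lookup="true"
    fi
    ynh_app_setting_set --app="$app" --key=enable_registration --value="$enable_registration"
    ynh_app_setting_set --app="$app" --key=turn_allow_guests --value="$turn_allow_guests"
    ynh_app_setting_set --app="$app" --key=sso_enabled --value="$sso_enabled"
    ynh_app_setting_set --app="$app" --key=password_enabled --value="$password_enabled"
    ynh_app_setting_set --app="$app" --key=enable_3pid_lookup --value="$enable_3pid_lookup"
fi

if [ -z "$push_include_content" ]
then
    push_include_content="true"
    ynh_app_setting_set --app="$app" --key=push_include_content --value="$push_include_content"
fi

#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Upgrading dependencies..." --weight=6

# WARNING : these commands are used in INSTALL, UPGRADE, RESTORE
# For any update do it in all files

# $dependances is defined outside this script and is left unquoted on purpose:
# it is presumably a space-separated package list that must be word-split.
ynh_exec_warn_less ynh_install_app_dependencies $dependances

#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================

# Reinstall the sources on a real app upgrade, or when the virtualenv's
# interpreter or library directory is missing.
if [ "$upgrade_type" == "UPGRADE_APP" ] || [ ! -e "$final_path/bin/python3" ] || [ ! -e "$final_path/lib/python$python_version" ]
then
    ynh_script_progression --message="Upgrading source files..." --weight=6
    install_sources
fi

#=================================================
# CREATE SMALL CAS SERVER
#=================================================
# WARNING : these commands are used in INSTALL, UPGRADE
# For any update do it in all files

mkdir -p "$final_www_path"
cp ../sources/cas_server.php "$final_www_path/"
chmod u=rwX,g=rX,o= -R "$final_www_path"
chown "$synapse_user:root" -R "$final_www_path"

#=================================================
# MIGRATION 1 : GENERATE SYNAPSE SECRET
#=================================================

if [ -z "$registration_shared_secret" ] || [ "$form_secret" == "form_secret: " ]
then
    ynh_script_progression --message="Generating synapse secret..." --weight=1

    # Enter the virtualenv (its activate script is not `set -u` clean)
    set +u
    source "$final_path/bin/activate"
    set -u

    # Generate config and keys.
    # NOTE(review): the generated homeserver.yml contains the fresh secrets and
    # is left in the current working directory; confirm that directory is not
    # readable by other users and is removed after the script.
    python -m synapse.app.homeserver --keys-directory "/etc/matrix-$app/" --generate-config --generate-keys --server-name "$server_name" --report-stats=no -c homeserver.yml

    # `deactivate` was defined by sourcing "$final_path/bin/activate"; calling
    # it undoes what the activate script did.
    set +u
    deactivate
    set -u

    # Get random values from config
    registration_shared_secret=$(grep -E "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
    form_secret=$(grep -E "^form_secret:" homeserver.yml | cut -d'"' -f2)

    # Store in yunohost settings
    ynh_app_setting_set --app="$app" --key=registration_shared_secret --value="$registration_shared_secret"
    ynh_app_setting_set --app="$app" --key=form_secret --value="$form_secret"
fi

#=================================================
# UPDATE SYNAPSE CONFIG
#=================================================
ynh_script_progression --message="Updating synapse config..." --weight=2

# WARNING : these commands are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
# For any update do it in all files

if [ -z "$macaroon_secret_key" ]; then
    # This package did not manage macaroon_secret_key at first because it was
    # not needed: synapse is able to derive it from another secret in the
    # config file. A vulnerability was later found with that practice, see
    # https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
    # We cannot simply generate a new value when the package has none stored:
    # changing this value logs out every user, and a user who enabled
    # encryption might lose all conversations.
    # So old installs are left as they are (the key stays commented out in the
    # config) and new installs use a real macaroon secret.
    macaroon_secret_key_param='# macaroon_secret_key: ""'
else
    macaroon_secret_key_param='macaroon_secret_key: "'"$macaroon_secret_key"'"'
fi

ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"

#=================================================
# MIGRATION 2 : MULTINSTANCE SUPPORT
#=================================================

if [ ! -e "/etc/matrix-$app/coturn.conf" ]
then
    ynh_script_progression --message="Creating an independant service for coturn..." --weight=1

    #=================================================
    # CREATE AN INDEPENDENT SERVICE FOR COTURN
    #=================================================

    # Disable default config for turnserver and create a new service
    systemctl stop coturn.service

    # Set a port for each service in turnserver
    turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
    cli_port=$(ynh_find_port --port=5766)

    ynh_app_setting_set --app="$app" --key=turnserver_alt_tls_port --value="$turnserver_alt_tls_port"
    ynh_app_setting_set --app="$app" --key=cli_port --value="$cli_port"

    yunohost firewall allow Both "$turnserver_alt_tls_port" > /dev/null 2>&1

    #=================================================
    # MAKE A CLEAN LOGROTATE CONFIG
    #=================================================

    ynh_use_logrotate --logfile "/var/log/matrix-$app" --nonappend
fi

#=================================================
# MIGRATION 3 : USE STANDARD ACCESS FOR CERTIFICATE
#=================================================

# Fix issue about certificates access: add the service accounts to ssl-cert
# when the synapse user is not yet listed in that group.
if ! grep -q "ssl-cert:x:[0-9]*:.*matrix-$app" /etc/group
then
    ynh_script_progression --message="Use standard access for certificate..." --weight=1

    adduser "$synapse_user" ssl-cert
    adduser turnserver ssl-cert
fi

#=================================================
# MIGRATION 4 : CREATE A DH FILE
#=================================================

# WARNING : these commands are used in INSTALL, UPGRADE, RESTORE
# For any update do it in all files

# Make dh cert for synapse if it doesn't exist.
# NOTE(review): -dsaparam produces DSA-style parameters (fast to generate, but
# not a safe prime). The openssl documentation advises using a fresh DH key per
# exchange with such parameters; confirm the consumers of this file do so, or
# drop -dsaparam.
if [ ! -e /etc/ssl/private/dh2048.pem ]
then
    ynh_script_progression --message="Creating a dh file..." --weight=1

    openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
    chown root:ssl-cert /etc/ssl/private/dh2048.pem
    chmod 640 /etc/ssl/private/dh2048.pem
fi

#=================================================
# STANDARD UPGRADE STEPS
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=2

# Create a dedicated php-fpm config
ynh_script_progression --message="Configuring application..."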
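# Second half of the upgrade: PHP-FPM/NGINX configuration, coturn
# configuration, service registration, SSO permissions, file ownership and
# modes, and the final service restart. Relies on the variables set earlier in
# the script (app, domain, server_name, final_path, final_www_path, data_path,
# synapse_user, the port settings and upstream_version).

ynh_add_fpm_config --usage=low --footprint=low

# Run the pool as the synapse service account and from the CAS server directory.
sed -i "s|user\s*=\s*$app|user = matrix-$app|g" /etc/php/7.*/fpm/pool.d/"$app".conf
sed -i "s|group\s*=\s*$app|group = matrix-$app|g" /etc/php/7.*/fpm/pool.d/"$app".conf
sed -i "s|chdir\s*=\s*/opt/yunohost/matrix-synapse.*|chdir = $final_www_path|g" /etc/php/7.*/fpm/pool.d/"$app".conf

# Record the checksum of every matching pool file. Expanding the glob directly
# avoids parsing `ls` output and passes one well-formed path per call.
for fpm_pool_conf in /etc/php/7.*/fpm/pool.d/"$app".conf; do
    ynh_store_file_checksum --file="$fpm_pool_conf"
done

# Create .well-known redirection for access by federation.
# The server name is compared as a whole fixed-string line, so the dots in the
# domain are not treated as regular-expression wildcards.
if yunohost --output-as plain domain list | grep -qxF -- "$server_name"
then
    ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
fi

# Create a dedicated NGINX config
ynh_add_nginx_config app

#=================================================
# SPECIFIC UPGRADE
#=================================================
# UPDATE COTURN CONFIG
#=================================================
ynh_script_progression --message="Updating Coturn config..." --weight=1

# WARNING : these commands are used in INSTALL, UPGRADE
# For any update do it in all files

# Get public IP and set as external IP for coturn
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
# NOTE(review): no scheme is given, so curl fetches these over plain HTTP. The
# reply is only checked for being a well-formed address, so anything able to
# alter the response can choose the external-ip written to the coturn config.
# Consider HTTPS if the service offers it.
public_ip4="$(curl -s ip.yunohost.org)" || true
public_ip6="$(curl -s ipv6.yunohost.org)" || true

# NOTE(review): as written, a literal '%' is appended after each address
# before the "\n" separator — confirm this is what the template expects.
turn_external_ip=""
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
then
    turn_external_ip+="external-ip="$public_ip4%"\n"
fi
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
then
    turn_external_ip+="external-ip="$public_ip6%"\n"
fi

ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"

#=================================================
# ADD SCRIPT FOR COTURN CRON AND APP SERVICE
#=================================================

# WARNING : these commands are used in INSTALL, UPGRADE
# For any update do it in all files

ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh"
ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh"

# Ensure the app-service folder exists and the config file exists (Migration)
mkdir -p "/etc/matrix-$app/app-service"
if [ -e "/etc/matrix-$app/conf.d/app_service.yaml" ]; then
    # Ensure that the file is empty if no app service is installed (fix issue #385)
    if [ -z "$(ls -A "/etc/matrix-$app/app-service")" ]; then
        echo "" > "/etc/matrix-$app/conf.d/app_service.yaml"
    fi
else
    touch "/etc/matrix-$app/conf.d/app_service.yaml"
fi

#=================================================
# ADVERTISE SERVICE IN ADMIN PANEL
#=================================================

yunohost service add "matrix-$app" --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports "$synapse_tls_port"
yunohost service add "coturn-$app" --needs_exposed_ports "$turnserver_tls_port"

#=================================================
# UPDATE SYSTEMD
#=================================================
ynh_script_progression --message="Upgrading systemd configuration..." --weight=3

# Create systemd service for synapse and turnserver
cp ../conf/default_matrix-synapse "/etc/default/matrix-$app"
ynh_add_systemd_config --service="matrix-$app" --template=matrix-synapse.service

cp ../conf/default_coturn "/etc/default/coturn-$app"
ynh_add_systemd_config --service="coturn-$app" --template=coturn-synapse.service

#=================================================
# UPGRADE FAIL2BAN
#=================================================
ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=8

# WARNING : these commands are used in INSTALL, UPGRADE
# For any update do it in all files

ynh_add_fail2ban_config --use_template

#=================================================
# GENERIC FINALIZATION
#=================================================
# SETUP PERMISSIONS
#=================================================
ynh_script_progression --message="Configuring permissions..." --weight=1

ynh_legacy_permissions_delete_all

# 'main' covers the CAS login endpoint and receives the SSO auth header.
ynh_permission_url --permission=main --url="$domain/_matrix/cas_server.php/login" --auth_header=true
ynh_permission_update --permission=main --show_tile=false --protected=true

# 'server_api' opens the Matrix client/federation API to visitors.
if ! ynh_permission_exists --permission=server_api; then
    ynh_permission_create --permission=server_api --url="$domain/_matrix" \
                          --label="Server access for client apps." --show_tile=false --allowed=visitors \
                          --auth_header=false --protected=true
    python3 remove_sso_conf_persistent.py "$domain" "$server_name" \
        || ynh_print_warn --message="Your file /etc/ssowat/""conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually."
else
    ynh_permission_url --permission=server_api --url="$domain/_matrix" --remove_url="$server_name/.well-known/matrix" \
                       --auth_header=false
    ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false \
                          --protected=true
fi

# 'server_client_infos' exposes the .well-known document, only when the server
# name is a domain managed by this YunoHost instance.
if yunohost --output-as plain domain list | grep -qxF -- "$server_name" && ! ynh_permission_exists --permission=server_client_infos; then
    ynh_permission_create --permission=server_client_infos --url="$server_name/.well-known/matrix" \
                          --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
                          --auth_header=false --protected=true
elif yunohost --output-as plain domain list | grep -qxF -- "$server_name"; then
    ynh_permission_url --permission=server_client_infos --url="$server_name/.well-known/matrix" \
                       --auth_header=false
    ynh_permission_update --permission=server_client_infos --label="Server info for clients. (well-known)" --show_tile=false \
                          --protected=true
fi

# NOTE(review): unlike the permissions above, 'admin_api' is created without
# --protected=true while still being allowed to visitors, so the /_synapse
# prefix is reachable without SSO and an administrator can change who it is
# granted to. Access control for the administration API then rests entirely on
# Synapse's own checks — confirm this exposure is intended.
if ! ynh_permission_exists --permission=admin_api; then
    ynh_permission_create --permission=admin_api --url="$domain/_synapse" \
                          --label="Server administration API." --show_tile=false \
                          --auth_header=false --allowed=visitors
fi

#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================

# WARNING : these commands are used in INSTALL, UPGRADE, RESTORE
# For any update do it in all files

# NOTE(review): both helper scripts end up owned by $synapse_user. If either is
# executed by root (for example from cron), the service account could modify
# code that runs as root — confirm which user runs them.
chown "$synapse_user:root" -R "$final_path"
chmod 770 "$final_path/Coturn_config_rotate.sh"
chmod 700 "$final_path/update_synapse_for_appservice.sh"
chown "$synapse_user:root" -R "$data_path"
chown "$synapse_user:root" -R "/var/log/matrix-$app"
chown "$synapse_user:root" -R "/etc/matrix-$app"
chmod u=rwX,g=rX,o= -R "/etc/matrix-$app"
chmod 600 "/etc/matrix-$app/$server_name.signing.key"
# NOTE(review): this recursive ACL is applied after the chmod 600 above and
# setfacl recomputes the ACL mask by default, so the turnserver account
# presumably gains read access to everything under /etc/matrix-$app, including
# the signing key and homeserver.yaml. Verify with getfacl and consider
# limiting the ACL to coturn.conf.
setfacl -R -m user:turnserver:rX "/etc/matrix-$app"
setfacl -R -m user:turnserver:rwX "/var/log/matrix-$app"

#=================================================
# UPDATE HOOKS
#=================================================

# WARNING : these commands are used in INSTALL, UPGRADE
# For any update do it in all files

ynh_replace_string __APP__ "$app" ../hooks/post_cert_update
ynh_replace_string __DOMAIN__ "$domain" ../hooks/post_cert_update

#=================================================
# UPDATE VERSION SETTINGS
#=================================================

ynh_app_setting_set --app="$app" --key=synapse_version --value="$upstream_version"

#=================================================
# RELOAD SERVICES
#=================================================
ynh_script_progression --message="Restarting Synapse services..." --weight=5

ynh_systemd_action --service_name="coturn-$app.service" --action=restart
# Wait (up to 300 s) for Synapse to report that it is listening before
# declaring the restart successful.
ynh_systemd_action --service_name="matrix-$app" --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300

#=================================================
# END OF SCRIPT
#=================================================

ynh_script_progression --message="Upgrade of $app completed" --last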