
#!/bin/bash
#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source /usr/share/yunohost/helpers
# Stop script if errors
ynh_abort_if_errors
# Import common functions
source ./psql.sh
source ./experimental_helper.sh
source ./_common.sh
#=================================================
# SET ALL CONSTANT
#=================================================
# Instance-specific names. Every system resource created below (user,
# database, directories, services) is derived from $app so that several
# instances can coexist on one host.
app="$YNH_APP_INSTANCE_NAME"
synapse_user="matrix-${app}"
synapse_db_name="matrix_${app}"
synapse_db_user="matrix_${app}"
# Upstream synapse release to install, as declared in the manifest.
upstream_version="$(ynh_app_upstream_version)"
# Anonymous usage reporting to upstream is disabled.
report_stats="False"
# Sentinel value offered in the manifest for server_name, meaning "use $domain".
default_domain_value="Same than the domain"
#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST
#=================================================
domain="$YNH_APP_ARG_DOMAIN"
server_name="$YNH_APP_ARG_SERVER_NAME"
# The Matrix server name falls back to the install domain when the admin
# kept the sentinel value.
if [[ "$server_name" == "$default_domain_value" ]]; then
  server_name="$domain"
fi
is_public="$YNH_APP_ARG_IS_PUBLIC"
# Synapse is only exposed under /_matrix; the path is not configurable.
path_url="/_matrix"
final_path="/opt/yunohost/matrix-${app}"
#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
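# The domain must be free for the /_matrix path, and no synapse instance
# may already own an nginx snippet for it.
ynh_webpath_available "$domain" "$path_url" || ynh_die "$domain is not available as domain, please use an other domain."
# A glob inside double quotes is taken literally, so the former
# `test ! -e ".../synapse*.conf"` never matched an existing file. compgen -G
# expands the pattern and succeeds only when at least one file matches.
if compgen -G "/etc/nginx/conf.d/${domain}.d/synapse*.conf" > /dev/null; then
  ynh_die "$domain is not available as domain, please use an other domain."
fi
# Check Final Path availability
test ! -e "$final_path" || ynh_die "This path already contains a folder"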
#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
# For the domain and the path we can't use the standard keys "domain" and "path" with the standard function ynh_webpath_register, because it automatically creates a button on the user panel.
# The idea is to use custom keys (special_domain and special_path instead of domain and path).
# This way the ssowatconf function doesn't create a button on the panel.
# This hack solves the issue: https://github.com/YunoHost-Apps/synapse_ynh/issues/14
# Persist every value the other scripts need to find this instance again.
# special_domain/special_path are used instead of domain/path so that
# SSOwat does not add a tile for the /_matrix API path on the user panel.
for setting in \
  "special_domain=${domain}" \
  "special_path=${path_url}" \
  "server_name=${server_name}" \
  "final_path=${final_path}" \
  "synapse_version=${upstream_version}" \
  "is_public=${is_public}" \
  "report_stats=${report_stats}"; do
  # key is everything before the first '=', value everything after it
  ynh_app_setting_set "$app" "${setting%%=*}" "${setting#*=}"
done
#=================================================
# STANDARD MODIFICATIONS
#=================================================
# FIND AND OPEN A PORT
#=================================================
# Find a free port
# Pick free ports: synapse federation (TLS) and client listeners, coturn TLS
# and its alternate TLS port, plus the coturn CLI port.
synapse_tls_port="$(ynh_find_port 8448)"
port="$(ynh_find_port 8008)"
turnserver_tls_port="$(ynh_find_port 5349)"
turnserver_alt_tls_port="$(ynh_find_port "$((turnserver_tls_port + 1))")"
cli_port="$(ynh_find_port 5766)"
# Only three ports are opened in the firewall; $port and $cli_port are
# stored below but not exposed. Output is discarded on purpose; a non-zero
# exit still aborts the script via ynh_abort_if_errors.
for rule in "TCP ${synapse_tls_port}" "Both ${turnserver_tls_port}" "Both ${turnserver_alt_tls_port}"; do
  # shellcheck disable=SC2086 -- $rule intentionally splits into "<proto> <port>"
  yunohost firewall allow $rule > /dev/null 2>&1
done
# Store opened ports
ynh_app_setting_set "$app" synapse_port "$port"
ynh_app_setting_set "$app" synapse_tls_port "$synapse_tls_port"
ynh_app_setting_set "$app" turnserver_tls_port "$turnserver_tls_port"
ynh_app_setting_set "$app" turnserver_alt_tls_port "$turnserver_alt_tls_port"
ynh_app_setting_set "$app" cli_port "$cli_port"
#=================================================
# CREATE A DH FILE
#=================================================
# WARNING : these commands are used in INSTALL, UPGRADE, RESTORE
# Any change must be made in all those files
# Generate the DH parameters for synapse if the file doesn't exist yet
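# Host-wide DH parameters, generated once and shared with later UPGRADE /
# RESTORE runs. -dsaparam makes generation fast but yields DSA-style
# (non safe-prime) parameters, which are acceptable only for ephemeral DH
# where every handshake draws a fresh private exponent.
dh_file="/etc/ssl/private/dh2048.pem"
if [[ ! -e "$dh_file" ]]; then
  # umask 027 in a subshell creates the file as 640 right away, so it never
  # exists with broader permissions than the ones set below. openssl's
  # progress output on stderr is discarded; a failure still returns
  # non-zero and aborts the install.
  (umask 027 && openssl dhparam -out "$dh_file" -outform PEM -2 2048 -dsaparam 2> /dev/null)
  chown root:ssl-cert "$dh_file"
  chmod 640 "$dh_file"
fi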
#=================================================
# INSTALL DEPENDENCIES
#=================================================
# WARNING : these commands are used in INSTALL, UPGRADE, RESTORE
# Any change must be made in all those files
# $dependances is a space-separated package list (presumably defined in
# _common.sh) and must stay unquoted so it expands to one argument per package.
# shellcheck disable=SC2086
ynh_install_app_dependencies $dependances
#=================================================
# CREATE DEDICATED USER
#=================================================
# System account synapse runs as; its home is the data directory. Both
# synapse and coturn join ssl-cert so they can read the DH file created
# above (root:ssl-cert, 640) and presumably the host certificates.
ynh_system_user_create "$synapse_user" "/var/lib/matrix-${app}"
for account in "$synapse_user" turnserver; do
  adduser "$account" ssl-cert
done
#=================================================
# CREATE A POSTGRESQL DATABASE
#=================================================
# Database credentials: a random password, persisted in the app settings
# for the other scripts.
synapse_db_pwd="$(ynh_string_random 30)"
ynh_app_setting_set "$app" synapse_db_pwd "$synapse_db_pwd"
# Create postgresql database
ynh_psql_test_if_first_run
ynh_psql_create_user "$synapse_db_user" "$synapse_db_pwd"
# synapse expects a C-collated UTF8 database, hence template0 with explicit
# collation instead of the cluster default.
ynh_psql_execute_as_root "CREATE DATABASE ${synapse_db_name} ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER ${synapse_db_user};"
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
# Create empty dir for synapse
# WARNING : these commands are used in INSTALL, UPGRADE
# Any change must be made in all those files
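# Data, logs, config (with a conf.d drop-in dir) and the install tree.
mkdir -p "/var/lib/matrix-${app}" "/var/log/matrix-${app}" "/etc/matrix-${app}/conf.d" "$final_path"
# Install synapse in virtualenv
# WARNING : these commands are used in INSTALL, UPGRADE (2 times)
# Any change must be made in all those files
# On ARM a prebuilt tree for the running Debian codename is fetched instead
# of building with pip (presumably because wheels are unavailable there).
if [[ "$(uname -m)" == *arm* ]]; then
  ynh_setup_source "${final_path}/" "armv7_$(lsb_release --codename --short)"
else
  # Create the virtualenv only if it does not exist yet
  test -e "${final_path}/bin/python3" || python3 -m venv "$final_path"
  # Ship our own activate script, pointed at $final_path
  cp ../conf/virtualenv_activate "${final_path}/bin/activate"
  ynh_replace_string __FINAL_PATH__ "$final_path" "${final_path}/bin/activate"
  # Enter the virtualenv so pip installs into $final_path, not system-wide.
  source "${final_path}/bin/activate"
  pip3 install --upgrade pip
  pip3 install --upgrade setuptools wheel
  pip3 install --upgrade cffi ndg-httpsclient psycopg2 lxml jinja2
  # NOTE(review): only matrix-synapse is version-pinned; every other package
  # (including matrix-synapse-ldap3) is whatever the index serves at install
  # time, with no hash pinning, so the install is not reproducible and rests
  # on the index being trustworthy at that moment. A pinned requirements
  # file (ideally with --require-hashes) would make it verifiable.
  pip3 install --upgrade "matrix-synapse==${upstream_version}" matrix-synapse-ldap3
  # deactivate is defined by the sourced activate and undoes its env changes.
  deactivate
fi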
#=================================================
# CREATE SYNAPSE CONFIG
#=================================================
# Go in virtualenvironnement
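# Go in virtualenvironnement
# activate references $PS1, which is unset in a non-interactive shell and
# would trip `set -u`; give it an empty default first.
PS1="${PS1:-}"
source "${final_path}/bin/activate"
# Generate config
# Writes homeserver.yml (with fresh random secrets) into the current
# directory and the signing key into /etc/matrix-$app/. That yml is only
# mined for its secrets below; the real config is built from
# ../conf/homeserver.yaml further down.
python -m synapse.app.homeserver --keys-directory "/etc/matrix-${app}/" --generate-config --generate-keys --server-name "$server_name" --report-stats=no -c homeserver.yml
# deactivate is defined by the sourced activate and undoes its env changes.
deactivate
# Get random values from config
# `egrep` is deprecated in favour of `grep -E`; cut -d'"' relies on the
# generated yml quoting these values, the second field being the bare secret.
registration_shared_secret="$(grep -E "^registration_shared_secret" homeserver.yml | cut -d'"' -f2)"
form_secret="$(grep -E "^form_secret" homeserver.yml | cut -d'"' -f2)"
# An empty secret would silently end up in homeserver.yaml; fail loudly instead.
[[ -n "$registration_shared_secret" && -n "$form_secret" ]] || ynh_die "Could not read registration_shared_secret/form_secret from the generated homeserver.yml"
# store in yunohost settings
ynh_app_setting_set "$app" registration_shared_secret "$registration_shared_secret"
ynh_app_setting_set "$app" form_secret "$form_secret"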
#=================================================
# SETUP SYSTEMD
#=================================================
# Create systemd service for synapse and turnserver
# Environment files read by the two units, then the units themselves
# (templates matrix-synapse.service / coturn-synapse.service).
cp ../conf/default_matrix-synapse "/etc/default/matrix-${app}"
ynh_add_systemd_config "matrix-${app}" matrix-synapse.service
cp ../conf/default_coturn "/etc/default/coturn-${app}"
ynh_add_systemd_config "coturn-${app}" coturn-synapse.service
#=================================================
# NGINX CONFIGURATION
#=================================================
# Installs the nginx snippet for this instance (the helper presumably reads
# $domain and $path_url from the environment).
ynh_add_nginx_config
#=================================================
# SET SYNAPSE CONFIG
#=================================================
# Find password for turnserver and database
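# Shared secret between synapse and coturn, persisted for the other scripts.
turnserver_pwd="$(ynh_string_random 30)"
ynh_app_setting_set "$app" turnserver_pwd "$turnserver_pwd"
# Configure Synapse
# WARNING : these commands are used in INSTALL, UPGRADE, CONFIG (3 times)
# Any change must be made in all those files
homeserver_config_path="/etc/matrix-${app}/homeserver.yaml"
cp ../conf/homeserver.yaml "$homeserver_config_path"
cp ../conf/log.yaml "/etc/matrix-${app}/log.yaml"
# Plain placeholders go through ynh_replace_string; random secrets use
# ynh_replace_special_string so characters special to sed are escaped.
ynh_replace_string __APP__ "$app" "$homeserver_config_path"
ynh_replace_string __DOMAIN__ "$domain" "$homeserver_config_path"
ynh_replace_string __SERVER_NAME__ "$server_name" "$homeserver_config_path"
ynh_replace_string __SYNAPSE_DB_USER__ "$synapse_db_user" "$homeserver_config_path"
ynh_replace_string __SYNAPSE_DB_PWD__ "$synapse_db_pwd" "$homeserver_config_path"
ynh_replace_string __PORT__ "$port" "$homeserver_config_path"
ynh_replace_string __TLS_PORT__ "$synapse_tls_port" "$homeserver_config_path"
ynh_replace_string __TURNSERVER_TLS_PORT__ "$turnserver_tls_port" "$homeserver_config_path"
ynh_replace_special_string __TURNPWD__ "$turnserver_pwd" "$homeserver_config_path"
ynh_replace_special_string __REGISTRATION_SECRET__ "$registration_shared_secret" "$homeserver_config_path"
# form_secret comes from the same generated yml as registration_shared_secret,
# so it gets the same escaping substitution; ynh_replace_string would corrupt
# the config if the value ever contained a sed-special character.
ynh_replace_special_string __FORM_SECRET__ "$form_secret" "$homeserver_config_path"
ynh_replace_string __REPORT_STATS__ "$report_stats" "$homeserver_config_path"
ynh_replace_string __APP__ "$app" "/etc/matrix-${app}/log.yaml"
# __ALLOWED_ACCESS__ is False only when the admin chose a private install.
if [[ "$is_public" == "0" ]]; then
  allowed_access="False"
else
  allowed_access="True"
fi
ynh_replace_string __ALLOWED_ACCESS__ "$allowed_access" "$homeserver_config_path"
# Checksums let later scripts detect manual edits before overwriting.
ynh_store_file_checksum "$homeserver_config_path"
ynh_store_file_checksum "/etc/matrix-${app}/log.yaml"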
#=================================================
# SET COTURN CONFIG
#=================================================
# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
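# WARNING : these commands are used in INSTALL, UPGRADE
# Any change must be made in all those files
coturn_config_path="/etc/matrix-${app}/coturn.conf"
cp ../conf/turnserver.conf "$coturn_config_path"
ynh_replace_string __APP__ "$app" "$coturn_config_path"
ynh_replace_string __TURNPWD__ "$turnserver_pwd" "$coturn_config_path"
ynh_replace_string __DOMAIN__ "$domain" "$coturn_config_path"
ynh_replace_string __TLS_PORT__ "$turnserver_tls_port" "$coturn_config_path"
ynh_replace_string __TLS_ALT_PORT__ "$turnserver_alt_tls_port" "$coturn_config_path"
ynh_replace_string __CLI_PORT__ "$cli_port" "$coturn_config_path"
# Get public IP and set as external IP for coturn
# The answer becomes coturn's advertised external address, so it is fetched
# over HTTPS (an on-path party could otherwise substitute an address), pinned
# to the matching IP version, bounded in time, and still validated before
# use. '|| true' keeps a failure (no connectivity for that IP version,
# service down) from aborting the install: the placeholder is dropped instead.
public_ip4="$(curl --silent --fail --max-time 10 -4 https://ip.yunohost.org)" || true
public_ip6="$(curl --silent --fail --max-time 10 -6 https://ipv6.yunohost.org)" || true
if [[ -n "$public_ip4" ]] && ynh_validate_ip4 "$public_ip4"; then
  ynh_replace_string '__IPV4__' "$public_ip4" "$coturn_config_path"
else
  # No usable IPv4: drop the placeholder together with its list separator.
  ynh_replace_string '__IPV4__,' "" "$coturn_config_path"
fi
if [[ -n "$public_ip6" ]] && ynh_validate_ip6 "$public_ip6"; then
  ynh_replace_string '__IPV6__' "$public_ip6" "$coturn_config_path"
else
  # No usable IPv6: drop the placeholder together with its list separator.
  ynh_replace_string ',__IPV6__' "" "$coturn_config_path"
fi
ynh_store_file_checksum "$coturn_config_path"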
#=================================================
# SETUP LOGROTATE
#=================================================
# Rotate synapse's logs with the standard helper.
ynh_use_logrotate "/var/log/matrix-${app}"
#=================================================
# ADD SCRIPT FOR COTURN CRON
#=================================================
# WARNING : these commands are used in INSTALL, UPGRADE
# Any change must be made in all those files
# Helper script for coturn, installed into the app tree; what it does and
# how it is scheduled is not visible in this file.
coturn_rotate_script="${final_path}/Coturn_config_rotate.sh"
cp ../sources/Coturn_config_rotate.sh "$coturn_rotate_script"
ynh_replace_string __APP__ "$app" "$coturn_rotate_script"
#=================================================
# GENERIC FINALIZATION
#=================================================
# SETUP SSOWAT
#=================================================
# Open access to the server without a button on the home page
# The script "add_sso_conf.py" just adds an entry for the path "/_matrix" in the SSO conf.json.persistent file, in the category "skipped_urls".
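# Register /_matrix as a "skipped" URL in SSOwat so clients reach the API
# without a portal redirect and without a tile on the user panel.
python3 ../conf/add_sso_conf.py || ynh_die "Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================
# WARNING : these commands are used in INSTALL, UPGRADE, RESTORE
# Any change must be made in all those files
# Install tree, data, logs and config all belong to the synapse user.
for owned_dir in "$final_path" "/var/lib/matrix-${app}" "/var/log/matrix-${app}" "/etc/matrix-${app}"; do
  chown -R "${synapse_user}:root" "$owned_dir"
done
chmod 770 "${final_path}/Coturn_config_rotate.sh"
# Config tree: owner full, group read/traverse, nothing for others; the
# federation signing key is owner-only.
chmod -R u=rwX,g=rX,o= "/etc/matrix-${app}"
signing_key="/etc/matrix-${app}/${server_name}.signing.key"
chmod 600 "$signing_key"
# coturn (user turnserver) must read its coturn.conf under /etc/matrix-$app
# and write into the log directory.
# NOTE(review): the rX ACL is recursive, so turnserver can also read
# homeserver.yaml (database password, registration and form secrets), not
# only coturn.conf. Narrowing it to the files coturn-synapse.service really
# opens would limit what a compromised coturn process could read.
setfacl -R -m user:turnserver:rX "/etc/matrix-${app}"
setfacl -R -m user:turnserver:rwX "/var/log/matrix-${app}"
# setfacl -m recalculates the ACL mask by default, which re-opens the
# signing key to turnserver despite the chmod 600 above; remove that entry
# again so the key stays owner-only.
setfacl -x user:turnserver "$signing_key"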
#=================================================
# ADVERTISE SERVICE IN ADMIN PANEL
#=================================================
# Register both services in the admin panel; synapse's log is attached so
# it can be displayed there.
yunohost service add "matrix-${app}" -l "/var/log/matrix-${app}/homeserver.log"
yunohost service add "coturn-${app}"
#=================================================
# RELOAD SERVICES
#=================================================
systemctl restart "coturn-${app}.service"
# ynh_check_starting (from experimental_helper.sh) presumably starts
# matrix-$app and waits up to 300 s for the listening line to appear in the
# homeserver log as the readiness signal.
ynh_check_starting "Synapse now listening on TCP port ${synapse_tls_port}" "/var/log/matrix-${app}/homeserver.log" 300 "matrix-${app}"
#=================================================
# SETUP FAIL2BAN
#=================================================
# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
# Fail2ban jail for synapse; the meaning of -t is defined by the helper and
# not visible here (presumably a template-based mode).
ynh_add_fail2ban_config -t
#=================================================
# SEND A README FOR THE ADMIN
#=================================================
# WARNING : these commands are used in INSTALL, RESTORE
# Any change must be made in all those files
# Post-install notes for the admin: federation SRV record, TLS port to
# forward, turnserver setup and TLS certificate. The text is sent as-is
# through the readme helper, so keep the DNS line format intact.
message="If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
If not, you may need to put the following line in the dns configuration:
_matrix._tcp.$domain. 3600 IN SRV 10 0 $synapse_tls_port $domain.
For more details, see : https://github.com/matrix-org/synapse#setting-up-federation
You also need to open the TCP port $synapse_tls_port on your ISP box if it's not automatically done.
Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .
If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh
You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en"
ynh_send_readme_to_admin "$message"