diff --git a/CloudronManifest.json b/CloudronManifest.json
index 532799e..0aef829 100644
--- a/CloudronManifest.json
+++ b/CloudronManifest.json
@@ -7,32 +7,21 @@
 "tagline": "standalone matrix server",
 "version": "0.4.1",
 "healthCheckPath": "/",
- "httpPort": 8000,
+ "httpPort": 8008,
 "memoryLimit": 536870912,
- "udpPorts": {
- "TURN_TLS_PORT": {
- "title": "Default TURN Port",
- "description": "Default TURN Port (udp)",
- "defaultValue": 3478
- }
- },
 "tcpPorts": {
 "FEDERATION_PORT": {
 "title": "Federation Port",
 "description": "Federation Port",
 "defaultValue": 8448
- },
- "WEBHOOKS_PORT": {
- "title": "Webhooks Port",
- "description": "Webhooks Port",
- "defaultValue": 9000
 }
 },
 "addons": {
 "localstorage": {},
 "ldap": {},
 "postgresql": {},
- "sendmail": {}
+ "sendmail": {},
+ "turn": {}
 },
 "manifestVersion": 2,
 "website": "https://matrix.org",
diff --git a/Dockerfile b/Dockerfile
index ad5716d..daff725 100644
--- a/Dockerfile
+++ b/Dockerfile
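Review bot: The `tcpPorts` block still exposes `FEDERATION_PORT` with default 8448, but the new homeserver.yaml.template in this commit declares a single `port: 8008` listener with `tls: false`, start.sh never reads the port variable, and the deleted nginx_matrix.conf was the only thing answering `/.well-known/matrix/server`; on the new side nothing binds 8448 and nothing serves the well-known lookup, so how remote homeservers reach the `federation` resource is not visible here — either drop the port from the manifest or bind it, and record the intended path in the README added by this commit (the same applies to the homeserver.yaml.template hunk). `"version": "0.4.1"` is also left unchanged although the front end, HTTP port and TURN wiring all change; presumably a bump is intended so existing installs receive the new start.sh. With nginx gone, the `client_max_body_size 200M` override (its comment noted the 1mb default) is gone too, so whether uploads up to the template's `max_upload_size: 200M` still reach synapse depends on the platform proxy's body limit, which is outside this diff and worth confirming.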
@@ -1,67 +1,33 @@ FROM cloudron/base:1.0.0@sha256:147a648a068a2e746644746bbfb42eb7a50d682437cead3c67c933c546357617 -MAINTAINER Authors name - -RUN mkdir -p /app/code/nginx +RUN mkdir -p /app/pkg WORKDIR /app/code -ENV MATRIXVERSION=v1.12.2 +ARG VERSION=v1.12.3 -EXPOSE 8000 -EXPOSE 3478/udp -# addons wip -# EXPOSE 9000 - -# nginx -RUN rm /etc/nginx/sites-enabled/* -ADD nginx_matrix.conf /etc/nginx/sites-enabled/ -RUN rm -rf /var/lib/nginx && ln -sf /app/data/nginx /var/lib/nginx -RUN rm -rf /var/log/nginx && ln -sf /run/nginx_log /var/log/nginx - -# TURN -RUN apt update && apt-get install -y coturn -RUN sed -e 's,#TURNSERVER_ENABLED=1,TURNSERVER_ENABLED=1,' -i /etc/default/coturn && \ - rm /etc/turnserver.conf && \ - ln -s /app/data/turnserver.conf /etc/turnserver.conf - -# Synapse -# a local copy is needed because of the mail templates, else the pip installation would suffice -RUN git clone https://github.com/matrix-org/synapse.git -RUN cd /app/code/synapse && git pull origin master - -RUN apt-get install -y build-essential python3-dev libffi-dev \ - python3-pip python-setuptools sqlite3 libxml2-dev \ - libssl-dev python-virtualenv libjpeg-dev libxslt1-dev libldap2-dev libsasl2-dev && \ +RUN apt update && \ + apt install -y build-essential python3-dev libffi-dev \ + python3-pip python-setuptools sqlite3 libxml2-dev \ + libssl-dev python-virtualenv libjpeg-dev libxslt1-dev libldap2-dev libsasl2-dev && \ rm -rf /var/cache/apt /var/lib/apt/lists -RUN pip3 install --upgrade pip -RUN pip3 install --upgrade setuptools -RUN pip3 install psycopg2-binary python-ldap matrix-synapse-ldap3 lxml netaddr twisted jinja2 bleach bcrypt -RUN pip3 install https://github.com/matrix-org/synapse/archive/${MATRIXVERSION}.tar.gz +# https://pythonspeed.com/articles/activate-virtualenv-dockerfile/ +RUN virtualenv -p python3 /app/code/env +ENV VIRTUAL_ENV=/app/code/env +ENV PATH="$VIRTUAL_ENV/bin:$PATH" -# install addons -#RUN cd /app/code && git clone 
http://github.com/turt2live/matrix-appservice-webhooks -#RUN cd /app/code/matrix-appservice-webhooks && npm install -#RUN mv /app/code/matrix-appservice-webhooks/db /app/code/matrix-appservice-webhooks/db_orig && \ - #dir for sqlite db -# ln -sf /app/data/appservice/db /app/code/matrix-appservice-webhooks/db && \ - # config -# ln -sf /app/data/appservice/config/config.yaml /app/code/matrix-appservice-webhooks/config/config.yaml && \ - # hooks -# ln -sf /app/data/appservice/appservice-registration-webhooks.yaml /app/code/matrix-appservice-webhooks/appservice-registration-webhooks.yaml +# Synapse (https://github.com/matrix-org/synapse/blob/master/INSTALL.md) +# lxml - required for previews +RUN pip install --upgrade pip && \ + pip install --upgrade setuptools && \ + pip install matrix-synapse==${VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml +RUN curl -sL https://github.com/mikefarah/yq/releases/download/3.2.1/yq_linux_amd64 -o /usr/bin/yq && \ + chmod +x /usr/bin/yq -# todo: -# to create the config, run the following from /app/code/matrix-appservice-webhooks -# node index.js -r -u "http://localhost:9000" -c config/config.yaml -# add this to homeserver.yml and restart: -# app_service_config_files: ["appservice-registration-webhooks.yaml"] -# to start the appservice use -# node index.js -p 9000 -c config/config.yaml -f appservice-registration-webhooks.yaml +RUN chown -R cloudron.cloudron /app/code -RUN chown -R www-data.www-data /app/code +ADD homeserver.yaml.template start.sh /app/pkg/ -ADD start_matrix.sh /app/ - -CMD [ "/app/start_matrix.sh" ] +CMD [ "/app/pkg/start.sh" ] diff --git a/README.md b/README.md index e69de29..092911f 100644 --- a/README.md +++ b/README.md 
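Review bot: The yq install `RUN curl -sL https://github.com/mikefarah/yq/releases/download/3.2.1/yq_linux_amd64 -o /usr/bin/yq` writes whatever the server returns: without `-f` an HTTP error page becomes /usr/bin/yq with the execute bit set, and without a digest check a swapped release artifact is accepted silently. Pin it: `curl -fsSL <URL> -o /usr/bin/yq && echo "<EXPECTED_SHA256>  /usr/bin/yq" | sha256sum -c - && chmod +x /usr/bin/yq`, with the digest taken from the release you verified (placeholder shown). The same floating-dependency concern applies to `pip install matrix-synapse==${VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml`, where only synapse itself is pinned and the LDAP provider and drivers resolve to whatever is current at build time, so rebuilds are not reproducible. Separately, `RUN chown -R cloudron.cloudron /app/code` hands the runtime user write access to the interpreter and every installed package; nothing in start.sh writes under /app/code, so the code tree can stay root-owned and read-only to the service.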
@@ -0,0 +1,34 @@ +## Federation notes + +There are 2 ports - client port and federation port. On Cloudron, the client +port is reverse proxied, so we are good. The federation port is more complicated. + +Matrix used to accept self-signed certs on the federation port before. +This was based on some 'perspectives' approach. This was deemed a failure +and they decided to go to having valid certs. + +In [MSC1711](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md#background-the-failure-of-the-perspectives-approach), which happenned a Matrix 1.0 time, it was decided to use valid certs. +As part of this proposal, [MSC1708](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1708-well-known-for-federation.md) + aka .well-known support was added. + +The idea of `.well-known` is delegation. Site X can delegate to Matrix Site Y. +Both require valid certs nevertheless. + +The `_matrix._tcp.` SRV is: + +``` +$ host -t srv _matrix._tcp.example.org +_matrix._tcp.example.org has SRV record 0 0 8448 matrix.example.org. +``` + +The `.well-known/matrix/server` is: + +``` +{ + "m.server": "[:]" +} +``` + +Finally, to test federation go to [federationtester](https://federationtester.matrix.org/) - +[source](https://github.com/matrix-org/matrix-federation-tester). + diff --git a/homeserver.yaml.template b/homeserver.yaml.template new file mode 100644 index 0000000..379dcdf --- /dev/null +++ b/homeserver.yaml.template 
@@ -0,0 +1,110 @@ +# https://github.com/matrix-org/synapse/blob/master/docs/sample_config.yaml + +server_name: "matrix.example.com" + +pid_file: /run/synapse/homeserver.pid + +public_baseurl: https://example.com/ + +listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + bind_addresses: ['0.0.0.0'] + + resources: + - names: [client,federation] + compress: false + +database: + name: "psycopg2" + args: + # Path to the database + user: ${POSTGRESQL_USERNAME} + password: ${POSTGRESQL_PASSWORD} + database: ${POSTGRESQL_DATABASE} + host: ${POSTGRESQL_HOST} + cp_min: 5 + cp_max: 10 + +email: + smtp_host: mail.server + smtp_port: 587 + smtp_user: "exampleusername" + smtp_pass: "examplepassword" + require_transport_security: false + app_name: Matrix + notif_from: "Your Friendly %(app)s homeserver " + enable_notifs: true + notif_for_new_users: true + +password_providers: + - module: "synapse.util.ldap_auth_provider.LdapAuthProvider" + config: + enabled: true + uri: "ldap://ldap.example.com:389" + start_tls: true + base: "ou=users,dc=example,dc=com" + attributes: + uid: "username" + mail: "mail" + name: "username" + bind_dn: "ou=users,dc=cloudron" + bind_password: "password" + filter: "(objectClass=posixAccount)" + +# turn +turn_uris: [] +turn_shared_secret: "sharedsecret" +turn_allow_guests: true + +federation_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + +enable_registration: false +registration_shared_secret: "somesecret" +allow_guest_access: false + +enable_group_creation: true + +report_stats: False + +signing_key_path: "/app/data/configs/signing.key" + +url_preview_enabled: true +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + +media_store_path: 
"/app/data/data/media_store" +max_upload_size: 200M +max_image_pixels: "32M" +dynamic_thumbnails: false + +#auto_join_rooms: +# - "#discuss:example.com" + +trusted_key_servers: + - server_name: "matrix.org" +suppress_key_server_warning: true + +password_config: + enabled: true + localdb_enabled: false + diff --git a/nginx_matrix.conf b/nginx_matrix.conf deleted file mode 100644 index cfccfde..0000000 --- a/nginx_matrix.conf +++ /dev/null @@ -1,20 +0,0 @@ -server { - listen 8000; - listen [::]:8000; - - server_name _; - - # required, else the limit is 1mb - client_max_body_size 200M; - - location / { - proxy_pass http://localhost:8008; - proxy_set_header X-Forwarded-For $remote_addr; - } - - location /.well-known/matrix/server { - return 200 '{"m.server": "$host:443"}'; - add_header Content-Type application/json; - } - -} diff --git a/start.sh b/start.sh new file mode 100755 index 0000000..9f9761e --- /dev/null +++ b/start.sh 
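Review bot: `registration_shared_secret: "somesecret"`, `turn_shared_secret: "sharedsecret"`, `bind_password: "password"` and `smtp_pass: "examplepassword"` read like real values rather than placeholders, and nothing in the template says start.sh rewrites them; if the rewrite step is skipped or a key path in a `yq w` call drifts, synapse starts with a known shared secret and the config gives no hint that anything is wrong. Mark each one so a stale value is recognisable in a running config, e.g. `turn_shared_secret: "PLACEHOLDER-set-by-start.sh"  # overwritten by start.sh on every start`. The `password_providers` entry also sets `start_tls: true` while start.sh forces it to `false`; stating the effective value here, with a one-line comment on why plain LDAP is acceptable (presumably an internal network, to be confirmed), keeps the two files from disagreeing.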
@@ -0,0 +1,67 @@ +#!/bin/bash + +set -eu + +mkdir -p /app/data/data /app/data/configs /run/synapse + +if [[ ! -f /app/data/configs/homeserver.yaml ]]; then + echo "==> Detected first run" + + python3 -m synapse.app.homeserver \ + --server-name ${CLOUDRON_APP_DOMAIN} \ + --config-path /app/data/configs/homeserver.yaml \ + --config-directory /app/data/configs \ + --data-directory /app/data/data \ + --generate-config \ + --report-stats=no + + # fix logging configuration + cp /app/pkg/homeserver.yaml.template /app/data/configs/homeserver.yaml + mv /app/data/configs/${CLOUDRON_APP_DOMAIN}.log.config /app/data/configs/log.config + yq w -i /app/data/configs/homeserver.yaml log_config /app/data/configs/log.config + yq w -i /app/data/configs/log.config handlers.file.filename /run/synapse/homeserver.log + + mv /app/data/configs/${CLOUDRON_APP_DOMAIN}.signing.key /app/data/configs/signing.key + + yq w -i /app/data/configs/homeserver.yaml registration_shared_secret "$(pwgen -1s 64)" +fi + +echo "==> Configuring synapse" +yq w -i /app/data/configs/homeserver.yaml server_name "${CLOUDRON_APP_DOMAIN}" +yq w -i /app/data/configs/homeserver.yaml public_baseurl "${CLOUDRON_APP_ORIGIN}" + +# tls +yq w -i /app/data/configs/homeserver.yaml tls_certificate_path "/app/data/configs/${CLOUDRON_APP_DOMAIN}.tls.crt" +yq w -i /app/data/configs/homeserver.yaml tls_private_key_path "/app/data/configs/${CLOUDRON_APP_DOMAIN}.tls.key" + +# database +yq w -i /app/data/configs/homeserver.yaml database.args.user "${CLOUDRON_POSTGRESQL_USERNAME}" +yq w -i /app/data/configs/homeserver.yaml database.args.password "${CLOUDRON_POSTGRESQL_PASSWORD}" +yq w -i /app/data/configs/homeserver.yaml database.args.database "${CLOUDRON_POSTGRESQL_DATABASE}" +yq w -i /app/data/configs/homeserver.yaml database.args.host "${CLOUDRON_POSTGRESQL_HOST}" + +# email +yq w -i /app/data/configs/homeserver.yaml email.smtp_host "${CLOUDRON_MAIL_SMTP_SERVER}" +yq w -i /app/data/configs/homeserver.yaml email.smtp_port 
"${CLOUDRON_MAIL_SMTP_PORT}" +yq w -i /app/data/configs/homeserver.yaml email.smtp_user "${CLOUDRON_MAIL_SMTP_USERNAME}" +yq w -i /app/data/configs/homeserver.yaml email.smtp_pass "${CLOUDRON_MAIL_SMTP_PASSWORD}" +yq w -i /app/data/configs/homeserver.yaml email.notif_from "%(app)s <${CLOUDRON_MAIL_FROM}>" + +# ldap +yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.uri' "${CLOUDRON_LDAP_URL}" +yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.start_tls' false +yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.base' "${CLOUDRON_LDAP_USERS_BASE_DN}" +yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.bind_dn' "${CLOUDRON_LDAP_BIND_DN}" +yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.bind_password' "${CLOUDRON_LDAP_BIND_PASSWORD}" +yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.filter' "(objectClass=user)" + +# turn +yq w -i /app/data/configs/homeserver.yaml turn_uris "[\"turn:${CLOUDRON_TURN_SERVER}:${CLOUDRON_TURN_TLS_PORT}?transport=udp\", \"turn:${CLOUDRON_TURN_SERVER}:${CLOUDRON_TURN_TLS_PORT}?transport=tcp\"]" +yq w -i /app/data/configs/homeserver.yaml turn_shared_secret "${CLOUDRON_TURN_SECRET}" + +# fix permissions +echo "==> Fixing permissions" +chown -R cloudron.cloudron /app/data /run/synapse + +echo "==> Starting synapse" +gosu cloudron:cloudron python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml diff --git a/start_matrix.sh b/start_matrix.sh deleted file mode 100755 index 3bca5f5..0000000 --- a/start_matrix.sh +++ /dev/null 
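Review bot: The first-run test `if [[ ! -f /app/data/configs/homeserver.yaml ]]` keys on the new config path, but the deleted start_matrix.sh kept its state under /app/data/synapse, so an existing install upgraded to this version is treated as a first run: `--generate-config` mints a fresh `signing.key` while the old key is never migrated, which changes the homeserver's federation identity against the database the Postgres addon still holds and invalidates keys other servers have cached. After the existing `mv /app/data/configs/${CLOUDRON_APP_DOMAIN}.signing.key /app/data/configs/signing.key`, restore an old key when present, e.g. `[[ -f /app/data/synapse/${CLOUDRON_APP_DOMAIN}.signing.key ]] && cp /app/data/synapse/${CLOUDRON_APP_DOMAIN}.signing.key /app/data/configs/signing.key`, or state in a comment that upgrades from the old layout are unsupported. The `turn_uris` line builds `turn:` URIs for both `transport=udp` and `transport=tcp` from `${CLOUDRON_TURN_TLS_PORT}`; `turn:` is the plaintext scheme, so either the non-TLS port belongs here or the TCP entry should use `turns:`, otherwise clients are pointed at a TLS port without TLS. Finally, `tls_certificate_path`/`tls_private_key_path` are written to `/app/data/configs/${CLOUDRON_APP_DOMAIN}.tls.crt`/`.tls.key`, files nothing on the new side creates now that the self-signed generation was removed; with no `tls: true` listener they are likely unused, so drop the two lines or comment why they remain.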
@@ -1,164 +0,0 @@ -#!/bin/bash - -set -eux - -if [[ ! -f /app/data/synapse/homeserver.yaml ]]; then - echo "=> Detected first run" - - # create dirs (for whatever reason the nginx dir couldn't get created by nginx) - mkdir -p /app/data/synapse \ - /app/data/nginx/fastcgi \ - /run/nginx_log \ - /run/synapse \ - /run/turn_log \ - /app/data/appservice/config /app/data/appservice/db - - # copy matrix-appservice-webhooks config -# cp /app/code/matrix-appservice-webhooks/config/sample.yaml /app/data/appservice/config/config.yaml -# ln -sf /app/data/appservice/appservice-registration-webhooks.yaml /app/data/synapse/appservice-registration-webhooks.yaml - - # create certs - openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out /app/data/synapse/${CLOUDRON_APP_DOMAIN}.tls.crt -keyout /app/data/synapse/${CLOUDRON_APP_DOMAIN}.tls.key -subj "/C=DE/ST=Germany/L=Germany/O=Example/OU=Example/CN=${CLOUDRON_APP_DOMAIN}" - - # fix permissions - chown -R www-data.www-data /run/synapse \ - /run/turn_log \ - /app/data - - # copy turn config - cp /usr/share/coturn/examples/etc/turnserver.conf /app/data/turnserver.conf - - # copy email templates for matrix - cp -r /app/code/synapse/synapse/res/templates /app/data/templates - - # set default TURN listening port - if [ -z ${TURN_TLS_PORT+x} ]; then TURN_TLS_PORT="3478"; else echo "TURN_TLS_PORT is set to '$TURN_TLS_PORT'"; fi - - cd /app/data/synapse - python3 -m synapse.app.homeserver \ - --server-name ${CLOUDRON_APP_DOMAIN} \ - --config-path homeserver.yaml \ - --report-stats=no \ - --generate-config - - # synapse config - sed -i "s/server_name:.*/server_name: ${CLOUDRON_APP_DOMAIN}/" homeserver.yaml - sed -i "s/#public_baseurl:.*/public_baseurl: https:\/\/${CLOUDRON_APP_DOMAIN}/" homeserver.yaml - sed -i "s/web_client:.*/web_client: False/" homeserver.yaml - sed -i "s/bind_addresses: \['::1'.*/bind_addresses: \['0.0.0.0'\]/" homeserver.yaml - sed -i "s/sqlite3/psycopg2/" homeserver.yaml - sed -i "s/ database: .*/ user: 
${CLOUDRON_POSTGRESQL_USERNAME}\n password: ${CLOUDRON_POSTGRESQL_PASSWORD}\n database: ${CLOUDRON_POSTGRESQL_DATABASE}\n host: ${CLOUDRON_POSTGRESQL_HOST}\n cp_min: 5\n cp_max: 10/" homeserver.yaml - sed -i "s/#enable_registration:.*/enable_registration: True/" homeserver.yaml - sed -i "s/#password_providers:/password_providers:/" homeserver.yaml - sed -i 's/# - module: "ldap_auth_provider.LdapAuthProvider"/ - module: "ldap_auth_provider.LdapAuthProvider"/' homeserver.yaml - sed -i 's/# config:/ config:/' homeserver.yaml - sed -i 's/# enabled: true/ enabled: true/' homeserver.yaml - sed -i "s,# uri: .*, uri: \"${CLOUDRON_LDAP_URL}\"," homeserver.yaml - sed -i 's/# start_tls: true/ start_tls: false/' homeserver.yaml - sed -i 's/# base: "ou=users,dc=example,dc=com"/ base: "ou=users,dc=cloudron"/' homeserver.yaml - sed -i 's/# attributes:/ attributes:/' homeserver.yaml - sed -i 's/# uid: "cn"/ uid: "username"/' homeserver.yaml - sed -i 's/# mail: "email"/ mail: "mail"/' homeserver.yaml - sed -i 's/# name: "givenName"/ name: "username"/' homeserver.yaml - sed -i 's/#max_upload_size:.*/max_upload_size: "500M"/' homeserver.yaml - sed -i 's/#auto_join_rooms:/auto_join_rooms:/' homeserver.yaml - sed -i 's/# - "#example:example.com"/ - "#example:example.com"/' homeserver.yaml - sed -i "s/example:example.com/discuss:${CLOUDRON_APP_DOMAIN}/" homeserver.yaml - sed -i "s/turn_allow_guests:.*/turn_allow_guests: False/" homeserver.yaml - sed -i "s/enable_group_creation:.*/enable_group_creation: True/" homeserver.yaml - sed -i "s/enable_group_creation:.*/enable_group_creation: True/" homeserver.yaml - sed -i "s/#url_preview_enabled:.*/url_preview_enabled: true/" homeserver.yaml - sed -i "s/#url_preview_ip_range_blacklist.*/url_preview_ip_range_blacklist:\n - '127.0.0.0\/8'\n - '10.0.0.0\/8'/" homeserver.yaml - - sed -i "s/## Server ##/## Server ##\n\nno_tls: True/" homeserver.yaml - - # also enable the tls port, not quite sure why this is needed, but without it, no integratiosn 
are possible - #sed -i "s/#- port: 8448/- port: 8448/" homeserver.yaml - #sed -i "s/# type: http/ type: http/" homeserver.yaml - #sed -i "s/# tls: true/ tls: true/" homeserver.yaml - #sed -i "s/# resources:/ resources:/" homeserver.yaml - #sed -i "s/# - names: \[client, federation\]/ - names: \[client, federation\]/" homeserver.yaml - #sed -i "s/#tls_certificate_path:/tls_certificate_path:/" homeserver.yaml - #sed -i "s/#tls_private_key_path:/tls_private_key_path:/" homeserver.yaml - - - # get synapse log name and set path - LOG_CONFIG=$(ls *.log.config) - sed -i "s/log_file: .*/log_file: \"\/run\/synapse\/homeserver.log\"/" homeserver.yaml - sed -i "s/ filename:.*/ filename: \/run\/synapse\/homeserver.log/" ${LOG_CONFIG} - - - # coturn - TURNPWD=$(pwgen -s 64 1) - sed -i "s/#tls-listening-port=5349/tls-listening-port=3478/" /app/data/turnserver.conf - sed -i "s/#realm=mycompany.org/realm=${CLOUDRON_APP_DOMAIN}/" /app/data/turnserver.conf - sed -i "s/#lt-cred-mech/lt-cred-mech/" /app/data/turnserver.conf - sed -i "s/#use-auth-secret/use-auth-secret/" /app/data/turnserver.conf - sed -i "s/#lt-cred-mech/lt-cred-mech/" /app/data/turnserver.conf - sed -i "s/#static-auth-secret=.*/static-auth-secret=${TURNPWD}/" /app/data/turnserver.conf - sed -i "s/#turn_uris: .*/turn_uris: [\"turn:${CLOUDRON_APP_DOMAIN}:${TURN_TLS_PORT}?transport=udp\", \"turn:${CLOUDRON_APP_DOMAIN}:${TURN_TLS_PORT}?transport=tcp\"]/" homeserver.yaml - sed -i "s/#turn_shared_secret: .*/turn_shared_secret: \"${TURNPWD}\"/" homeserver.yaml - sed -i "s/#cipher-list=.*/cipher-list=\"HIGH\"/" /app/data/turnserver.conf - sed -i "s/#log-file=.*/log-file=\/run\/turn_log\/turn.log/" /app/data/turnserver.conf - - - # get cert names from synapse - TLS_CRT=$(ls *.tls.crt) - TLS_KEY=$(ls *.tls.key) - #TLS_DH=$(ls *.tls.dh) - sed -i "s,#cert=.*,cert=/app/data/synapse/${TLS_CRT}," /app/data/turnserver.conf - sed -i "s,#pkey=.*,pkey=/app/data/synapse/${TLS_KEY}," /app/data/turnserver.conf - #sed -i 
"s,#dh-file=.*,dh-file=/app/data/synapse/${TLS_DH}," /app/data/turnserver.conf - - # set up email - sed -i 's/#email:/email:/' homeserver.yaml - sed -i 's/# enable_notifs: false/ enable_notifs: true/' homeserver.yaml - sed -i 's/# smtp_host: \"localhost\"/ smtp_host: \"${CLOUDRON_MAIL_SMTP_SERVER}\"/' homeserver.yaml - sed -i 's/# smtp_port: .*/ smtp_port: ${CLOUDRON_MAIL_SMTP_PORT}/' homeserver.yaml - sed -i 's/# smtp_user: \"exampleusername\"/ smtp_user: \"${CLOUDRON_MAIL_SMTP_USERNAME}\"/' homeserver.yaml - sed -i 's/# smtp_pass: \"examplepassword\"/ smtp_pass: \"${CLOUDRON_MAIL_SMTP_PASSWORD}\"/' homeserver.yaml - sed -i 's/# require_transport_security: False/ require_transport_security: false/' homeserver.yaml - sed -i "s/# notif_from: .*/ notif_from: \"Your Friendly Matrix Home Server <${CLOUDRON_MAIL_FROM}>\"/" homeserver.yaml - sed -i 's/# app_name: Matrix/ app_name: Matrix/' homeserver.yaml - sed -i 's/# notif_template_html: .*/ notif_template_html: notif_mail.html/' homeserver.yaml - sed -i 's/# notif_template_text: .*/ notif_template_text: notif_mail.txt/' homeserver.yaml - sed -i 's/# notif_for_new_users: True/ notif_for_new_users: True/' homeserver.yaml - - sed -i "s,#tls_fingerprints:.*,tls_fingerprints: [{sha256: \"${TLS_FINGERPRINT}\"}]," homeserver.yaml - - -fi - -# logs -mkdir -p /run/nginx_log /run/synapse /run/turn_log - -# fix permissions -chown -R www-data.www-data /run/synapse /run/turn_log /app/data -cd /app/data/synapse - -# check if TURN port has changed and update it -if [ -z ${TURN_TLS_PORT+x} ]; then TURN_TLS_PORT="3478"; fi -sed -i "s/turn_uris: .*/turn_uris: [\"turn:${CLOUDRON_APP_DOMAIN}:${TURN_TLS_PORT}?transport=udp\", \"turn:${CLOUDRON_APP_DOMAIN}:${TURN_TLS_PORT}?transport=tcp\"]/" homeserver.yaml -sed -i "s/tls-listening-port=.*/tls-listening-port=${TURN_TLS_PORT}/" /app/data/turnserver.conf - -# check if certificate changed and update fingerprint -TLS_FINGERPRINT=$(openssl s_client -connect 
${CLOUDRON_APP_DOMAIN}:${TURN_TLS_PORT} < /dev/null 2> /dev/null | openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=') -sed -i "s,^tls_fingerprints:.*,tls_fingerprints: [{sha256: \"${TLS_FINGERPRINT}\"}]," homeserver.yaml - -gosu www-data turnserver -c /app/data/turnserver.conf --daemon -v - -# update user and pass in case they changed -sed -i "s/ user: .*/ user: ${CLOUDRON_POSTGRESQL_USERNAME}/" homeserver.yaml -sed -i "s/ password: .*/ password: ${CLOUDRON_POSTGRESQL_PASSWORD}/" homeserver.yaml -sed -i "s/ database: .*/ database: ${CLOUDRON_POSTGRESQL_DATABASE}/" homeserver.yaml -sed -i "s, uri: .*, uri: \"${CLOUDRON_LDAP_URL}\"," homeserver.yaml - -#update email settings in case they changed -sed -i "s/ smtp_host:.*/ smtp_host: \"${CLOUDRON_MAIL_SMTP_SERVER}\"/" homeserver.yaml -sed -i "s/ smtp_port:.*/ smtp_port: ${CLOUDRON_MAIL_SMTP_PORT}/" homeserver.yaml -sed -i "s/ smtp_user:.*/ smtp_user: \"${CLOUDRON_MAIL_SMTP_USERNAME}\"/" homeserver.yaml -sed -i "s/ smtp_pass:.*/ smtp_pass: \"${CLOUDRON_MAIL_SMTP_PASSWORD}\"/" homeserver.yaml - -gosu www-data python3 -m synapse.app.homeserver --config-path homeserver.yaml &> /dev/null & - -exec /usr/sbin/nginx -g 'daemon off;'