Use yq to generate configs

2020-04-05 19:35:54 -07:00
parent 14bd0410e5
commit 47950864ce
7 changed files with 234 additions and 252 deletions
--- a/CloudronManifest.json
+++ b/CloudronManifest.json
@@ -7,32 +7,21 @@
  "tagline": "standalone matrix server",
  "version": "0.4.1",
  "healthCheckPath": "/",
-  "httpPort": 8000,
+  "httpPort": 8008,
  "memoryLimit": 536870912,
-  "udpPorts": {
-     "TURN_TLS_PORT": {
-       "title": "Default TURN Port",
-       "description": "Default TURN Port (udp)",
-       "defaultValue": 3478
-     }
-  },
  "tcpPorts": {
     "FEDERATION_PORT": {
       "title": "Federation Port",
       "description": "Federation Port",
       "defaultValue": 8448
-     },
-     "WEBHOOKS_PORT": {
-       "title": "Webhooks Port",
-       "description": "Webhooks Port",
-       "defaultValue": 9000
     }
  },
  "addons": {
    "localstorage": {},
    "ldap": {},
    "postgresql": {},
-    "sendmail": {}
+    "sendmail": {},
+    "turn": {}
  },
  "manifestVersion": 2,
  "website": "https://matrix.org",
--- a/70
+++ b/70
@@ -1,67 +1,33 @@
 FROM cloudron/base:1.0.0@sha256:147a648a068a2e746644746bbfb42eb7a50d682437cead3c67c933c546357617

-MAINTAINER Authors name <support@cloudron.io>
-
-RUN mkdir -p /app/code/nginx
+RUN mkdir -p /app/pkg

 WORKDIR /app/code

-ENV MATRIXVERSION=v1.12.2
+ARG VERSION=v1.12.3

-EXPOSE 8000
-EXPOSE 3478/udp
-# addons wip
-# EXPOSE 9000
-
-# nginx
-RUN rm /etc/nginx/sites-enabled/*
-ADD nginx_matrix.conf /etc/nginx/sites-enabled/
-RUN rm -rf /var/lib/nginx && ln -sf /app/data/nginx /var/lib/nginx
-RUN rm -rf /var/log/nginx && ln -sf /run/nginx_log /var/log/nginx
-
-# TURN
-RUN apt update && apt-get install -y coturn
-RUN sed -e 's,#TURNSERVER_ENABLED=1,TURNSERVER_ENABLED=1,' -i /etc/default/coturn && \
-    rm /etc/turnserver.conf && \
-    ln -s /app/data/turnserver.conf /etc/turnserver.conf
-
-# Synapse
-# a local copy is needed because of the mail templates, else the pip installation would suffice
-RUN git clone https://github.com/matrix-org/synapse.git
-RUN cd /app/code/synapse && git pull origin master
-
-RUN apt-get install -y build-essential python3-dev libffi-dev \
+RUN apt update && \
+    apt install -y build-essential python3-dev libffi-dev \
        python3-pip python-setuptools sqlite3 libxml2-dev \
        libssl-dev python-virtualenv libjpeg-dev libxslt1-dev libldap2-dev libsasl2-dev && \
    rm -rf /var/cache/apt /var/lib/apt/lists

-RUN pip3 install --upgrade pip
-RUN pip3 install --upgrade setuptools
-RUN pip3 install psycopg2-binary python-ldap matrix-synapse-ldap3 lxml netaddr twisted jinja2 bleach bcrypt
-RUN pip3 install https://github.com/matrix-org/synapse/archive/${MATRIXVERSION}.tar.gz
+# https://pythonspeed.com/articles/activate-virtualenv-dockerfile/
+RUN virtualenv -p python3 /app/code/env
+ENV VIRTUAL_ENV=/app/code/env
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"

-# install addons
-#RUN cd /app/code && git clone http://github.com/turt2live/matrix-appservice-webhooks
-#RUN cd /app/code/matrix-appservice-webhooks && npm install
-#RUN mv /app/code/matrix-appservice-webhooks/db /app/code/matrix-appservice-webhooks/db_orig && \
-    #dir for sqlite db
-#    ln -sf /app/data/appservice/db /app/code/matrix-appservice-webhooks/db && \
-    # config
-#    ln -sf /app/data/appservice/config/config.yaml /app/code/matrix-appservice-webhooks/config/config.yaml && \
-    # hooks
-#    ln -sf /app/data/appservice/appservice-registration-webhooks.yaml /app/code/matrix-appservice-webhooks/appservice-registration-webhooks.yaml
+# Synapse (https://github.com/matrix-org/synapse/blob/master/INSTALL.md)
+# lxml - required for previews
+RUN pip install --upgrade pip && \
+    pip install --upgrade setuptools && \
+    pip install matrix-synapse==${VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml

+RUN curl -sL https://github.com/mikefarah/yq/releases/download/3.2.1/yq_linux_amd64 -o /usr/bin/yq && \
+    chmod +x /usr/bin/yq

-# todo:
-# to create the config, run the following from /app/code/matrix-appservice-webhooks
-# node index.js -r -u "http://localhost:9000" -c config/config.yaml
-# add this to homeserver.yml and restart:
-# app_service_config_files: ["appservice-registration-webhooks.yaml"]
-# to start the appservice use
-# node index.js -p 9000 -c config/config.yaml -f appservice-registration-webhooks.yaml
+RUN chown -R cloudron.cloudron /app/code

-RUN chown -R www-data.www-data /app/code
+ADD homeserver.yaml.template start.sh /app/pkg/

-ADD start_matrix.sh /app/
-
-CMD [ "/app/start_matrix.sh" ]
+CMD [ "/app/pkg/start.sh" ]
--- a/README.md
+++ b/README.md
@@ -0,0 +1,34 @@
+## Federation notes
+
+There are 2 ports - client port and federation port. On Cloudron, the client
+port is reverse proxied, so we are good. The federation port is more complicated.
+
+Matrix used to accept self-signed certs on the federation port before.
+This was based on some 'perspectives' approach. This was deemed a failure
+and they decided to go to having valid certs.
+
+In [MSC1711](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md#background-the-failure-of-the-perspectives-approach), which happenned a Matrix 1.0 time, it was decided to use valid certs.
+As part of this proposal, [MSC1708](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1708-well-known-for-federation.md)
+ aka .well-known support was added.
+
+The idea of `.well-known` is delegation. Site X can delegate to Matrix Site Y.
+Both require valid certs nevertheless.
+
+The `_matrix._tcp.` SRV is:
+
+```
+$ host -t srv _matrix._tcp.example.org
+_matrix._tcp.example.org has SRV record 0 0 8448 matrix.example.org.
+```
+
+The `.well-known/matrix/server` is:
+
+```
+{
+   "m.server": "<server>[:<port>]"
+}
+```
+
+Finally, to test federation go to [federationtester](https://federationtester.matrix.org/) - 
+[source](https://github.com/matrix-org/matrix-federation-tester).
+
--- a/homeserver.yaml.template
+++ b/homeserver.yaml.template
@@ -0,0 +1,110 @@
+# https://github.com/matrix-org/synapse/blob/master/docs/sample_config.yaml
+
+server_name: "matrix.example.com"
+
+pid_file: /run/synapse/homeserver.pid
+
+public_baseurl: https://example.com/
+
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    bind_addresses: ['0.0.0.0']
+
+    resources:
+      - names: [client,federation]
+        compress: false
+
+database:
+  name: "psycopg2"
+  args:
+    # Path to the database
+    user: ${POSTGRESQL_USERNAME}
+    password: ${POSTGRESQL_PASSWORD}
+    database: ${POSTGRESQL_DATABASE}
+    host: ${POSTGRESQL_HOST}
+    cp_min: 5
+    cp_max: 10
+
+email:
+    smtp_host: mail.server
+    smtp_port: 587
+    smtp_user: "exampleusername"
+    smtp_pass: "examplepassword"
+    require_transport_security: false
+    app_name: Matrix
+    notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
+    enable_notifs: true
+    notif_for_new_users: true
+
+password_providers:
+    - module: "synapse.util.ldap_auth_provider.LdapAuthProvider"
+      config:
+        enabled: true
+        uri: "ldap://ldap.example.com:389"
+        start_tls: true
+        base: "ou=users,dc=example,dc=com"
+        attributes:
+           uid: "username"
+           mail: "mail"
+           name: "username"
+        bind_dn: "ou=users,dc=cloudron"
+        bind_password: "password"
+        filter: "(objectClass=posixAccount)"
+
+# turn
+turn_uris: []
+turn_shared_secret: "sharedsecret"
+turn_allow_guests: true
+
+federation_ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '169.254.0.0/16'
+  - '::1/128'
+  - 'fe80::/64'
+  - 'fc00::/7'
+
+enable_registration: false
+registration_shared_secret: "somesecret"
+allow_guest_access: false
+
+enable_group_creation: true
+
+report_stats: False
+
+signing_key_path: "/app/data/configs/signing.key"
+
+url_preview_enabled: true
+url_preview_ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '169.254.0.0/16'
+  - '::1/128'
+  - 'fe80::/64'
+  - 'fc00::/7'
+
+media_store_path: "/app/data/data/media_store"
+max_upload_size: 200M
+max_image_pixels: "32M"
+dynamic_thumbnails: false
+
+#auto_join_rooms:
+#  - "#discuss:example.com"
+
+trusted_key_servers:
+  - server_name: "matrix.org"
+suppress_key_server_warning: true
+
+password_config:
+   enabled: true
+   localdb_enabled: false
+
--- a/nginx_matrix.conf
+++ b/nginx_matrix.conf
@@ -1,20 +0,0 @@
-server {
-    listen 8000;
-    listen [::]:8000;
-
-    server_name _;
-
-    # required, else the limit is 1mb
-    client_max_body_size 200M;
-
-    location / {
-        proxy_pass http://localhost:8008;
-        proxy_set_header X-Forwarded-For $remote_addr;
-    }
-
-    location /.well-known/matrix/server {
-        return 200 '{"m.server": "$host:443"}';
-        add_header Content-Type application/json;
-    }
-
-}
--- a/start.sh
+++ b/start.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+set -eu
+
+mkdir -p /app/data/data /app/data/configs /run/synapse
+
+if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
+    echo "==> Detected first run"
+
+    python3 -m synapse.app.homeserver \
+        --server-name ${CLOUDRON_APP_DOMAIN} \
+        --config-path /app/data/configs/homeserver.yaml \
+        --config-directory /app/data/configs \
+        --data-directory /app/data/data \
+        --generate-config \
+        --report-stats=no 
+
+    # fix logging configuration
+    cp /app/pkg/homeserver.yaml.template /app/data/configs/homeserver.yaml
+    mv /app/data/configs/${CLOUDRON_APP_DOMAIN}.log.config /app/data/configs/log.config
+    yq w -i /app/data/configs/homeserver.yaml log_config /app/data/configs/log.config
+    yq w -i /app/data/configs/log.config handlers.file.filename /run/synapse/homeserver.log
+
+    mv /app/data/configs/${CLOUDRON_APP_DOMAIN}.signing.key /app/data/configs/signing.key
+
+    yq w -i /app/data/configs/homeserver.yaml registration_shared_secret "$(pwgen -1s 64)"
+fi
+
+echo "==> Configuring synapse"
+yq w -i /app/data/configs/homeserver.yaml server_name "${CLOUDRON_APP_DOMAIN}"
+yq w -i /app/data/configs/homeserver.yaml public_baseurl "${CLOUDRON_APP_ORIGIN}"
+
+# tls
+yq w -i /app/data/configs/homeserver.yaml tls_certificate_path "/app/data/configs/${CLOUDRON_APP_DOMAIN}.tls.crt"
+yq w -i /app/data/configs/homeserver.yaml tls_private_key_path "/app/data/configs/${CLOUDRON_APP_DOMAIN}.tls.key"
+
+# database
+yq w -i /app/data/configs/homeserver.yaml database.args.user "${CLOUDRON_POSTGRESQL_USERNAME}"
+yq w -i /app/data/configs/homeserver.yaml database.args.password "${CLOUDRON_POSTGRESQL_PASSWORD}"
+yq w -i /app/data/configs/homeserver.yaml database.args.database "${CLOUDRON_POSTGRESQL_DATABASE}"
+yq w -i /app/data/configs/homeserver.yaml database.args.host "${CLOUDRON_POSTGRESQL_HOST}"
+
+# email
+yq w -i /app/data/configs/homeserver.yaml email.smtp_host "${CLOUDRON_MAIL_SMTP_SERVER}"
+yq w -i /app/data/configs/homeserver.yaml email.smtp_port "${CLOUDRON_MAIL_SMTP_PORT}"
+yq w -i /app/data/configs/homeserver.yaml email.smtp_user "${CLOUDRON_MAIL_SMTP_USERNAME}"
+yq w -i /app/data/configs/homeserver.yaml email.smtp_pass "${CLOUDRON_MAIL_SMTP_PASSWORD}"
+yq w -i /app/data/configs/homeserver.yaml email.notif_from "%(app)s <${CLOUDRON_MAIL_FROM}>"
+
+# ldap
+yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.uri' "${CLOUDRON_LDAP_URL}"
+yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.start_tls' false
+yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.base' "${CLOUDRON_LDAP_USERS_BASE_DN}"
+yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.bind_dn' "${CLOUDRON_LDAP_BIND_DN}"
+yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.bind_password' "${CLOUDRON_LDAP_BIND_PASSWORD}"
+yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.filter' "(objectClass=user)"
+
+# turn
+yq w -i /app/data/configs/homeserver.yaml turn_uris "[\"turn:${CLOUDRON_TURN_SERVER}:${CLOUDRON_TURN_TLS_PORT}?transport=udp\", \"turn:${CLOUDRON_TURN_SERVER}:${CLOUDRON_TURN_TLS_PORT}?transport=tcp\"]"
+yq w -i /app/data/configs/homeserver.yaml turn_shared_secret "${CLOUDRON_TURN_SECRET}"
+
+# fix permissions
+echo "==> Fixing permissions"
+chown -R cloudron.cloudron /app/data /run/synapse
+
+echo "==> Starting synapse"
+gosu cloudron:cloudron python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml
--- a/start_matrix.sh
+++ b/start_matrix.sh
@@ -1,164 +0,0 @@
-#!/bin/bash
-
-set -eux
-
-if [[ ! -f /app/data/synapse/homeserver.yaml ]]; then
-    echo "=> Detected first run"
-
-    # create dirs (for whatever reason the nginx dir couldn't get created by  nginx)
-    mkdir -p /app/data/synapse \
-             /app/data/nginx/fastcgi \
-             /run/nginx_log \
-             /run/synapse \
-             /run/turn_log \
-	     /app/data/appservice/config /app/data/appservice/db
-
-    # copy matrix-appservice-webhooks config
-#    cp /app/code/matrix-appservice-webhooks/config/sample.yaml /app/data/appservice/config/config.yaml
-#    ln -sf /app/data/appservice/appservice-registration-webhooks.yaml /app/data/synapse/appservice-registration-webhooks.yaml
-
-    # create certs
-    openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out /app/data/synapse/${CLOUDRON_APP_DOMAIN}.tls.crt -keyout /app/data/synapse/${CLOUDRON_APP_DOMAIN}.tls.key -subj "/C=DE/ST=Germany/L=Germany/O=Example/OU=Example/CN=${CLOUDRON_APP_DOMAIN}"
-
-    # fix permissions
-    chown -R www-data.www-data /run/synapse \
-                               /run/turn_log \
-                               /app/data
-
-    # copy turn config
-    cp /usr/share/coturn/examples/etc/turnserver.conf /app/data/turnserver.conf
-
-    # copy email templates for matrix
-    cp -r /app/code/synapse/synapse/res/templates /app/data/templates
-
-    # set default TURN listening port
-    if [ -z ${TURN_TLS_PORT+x} ]; then TURN_TLS_PORT="3478"; else echo "TURN_TLS_PORT is set to '$TURN_TLS_PORT'"; fi
-
-    cd /app/data/synapse
-    python3 -m synapse.app.homeserver \
-	    --server-name ${CLOUDRON_APP_DOMAIN} \
-	    --config-path homeserver.yaml \
-	    --report-stats=no \
-	    --generate-config
-
-    # synapse config
-    sed -i "s/server_name:.*/server_name: ${CLOUDRON_APP_DOMAIN}/" homeserver.yaml
-    sed -i "s/#public_baseurl:.*/public_baseurl: https:\/\/${CLOUDRON_APP_DOMAIN}/" homeserver.yaml
-    sed -i "s/web_client:.*/web_client: False/" homeserver.yaml
-    sed -i "s/bind_addresses: \['::1'.*/bind_addresses: \['0.0.0.0'\]/" homeserver.yaml
-    sed -i "s/sqlite3/psycopg2/" homeserver.yaml
-    sed -i "s/    database: .*/    user: ${CLOUDRON_POSTGRESQL_USERNAME}\n    password: ${CLOUDRON_POSTGRESQL_PASSWORD}\n    database: ${CLOUDRON_POSTGRESQL_DATABASE}\n    host: ${CLOUDRON_POSTGRESQL_HOST}\n    cp_min: 5\n    cp_max: 10/" homeserver.yaml
-    sed -i "s/#enable_registration:.*/enable_registration: True/" homeserver.yaml
-    sed -i "s/#password_providers:/password_providers:/" homeserver.yaml
-    sed -i 's/#    - module: "ldap_auth_provider.LdapAuthProvider"/    - module: "ldap_auth_provider.LdapAuthProvider"/' homeserver.yaml
-    sed -i 's/#      config:/      config:/' homeserver.yaml
-    sed -i 's/#        enabled: true/        enabled: true/' homeserver.yaml
-    sed -i "s,#        uri: .*,        uri: \"${CLOUDRON_LDAP_URL}\"," homeserver.yaml
-    sed -i 's/#        start_tls: true/        start_tls: false/' homeserver.yaml
-    sed -i 's/#        base: "ou=users,dc=example,dc=com"/        base: "ou=users,dc=cloudron"/' homeserver.yaml
-    sed -i 's/#        attributes:/        attributes:/' homeserver.yaml
-    sed -i 's/#           uid: "cn"/          uid: "username"/' homeserver.yaml
-    sed -i 's/#           mail: "email"/          mail: "mail"/' homeserver.yaml
-    sed -i 's/#           name: "givenName"/          name: "username"/' homeserver.yaml
-    sed -i 's/#max_upload_size:.*/max_upload_size: "500M"/' homeserver.yaml
-    sed -i 's/#auto_join_rooms:/auto_join_rooms:/' homeserver.yaml
-    sed -i 's/#  - "#example:example.com"/  - "#example:example.com"/' homeserver.yaml
-    sed -i "s/example:example.com/discuss:${CLOUDRON_APP_DOMAIN}/" homeserver.yaml
-    sed -i "s/turn_allow_guests:.*/turn_allow_guests: False/" homeserver.yaml
-    sed -i "s/enable_group_creation:.*/enable_group_creation: True/" homeserver.yaml
-    sed -i "s/enable_group_creation:.*/enable_group_creation: True/" homeserver.yaml
-    sed -i "s/#url_preview_enabled:.*/url_preview_enabled: true/" homeserver.yaml
-    sed -i "s/#url_preview_ip_range_blacklist.*/url_preview_ip_range_blacklist:\n  - '127.0.0.0\/8'\n  - '10.0.0.0\/8'/" homeserver.yaml
-
-    sed -i "s/## Server ##/## Server ##\n\nno_tls: True/" homeserver.yaml
-
-    # also enable the tls port, not quite sure why this is needed, but without it, no integratiosn are possible
-    #sed -i "s/#- port: 8448/- port: 8448/" homeserver.yaml
-    #sed -i "s/#  type: http/  type: http/" homeserver.yaml
-    #sed -i "s/#  tls: true/  tls: true/" homeserver.yaml
-    #sed -i "s/#  resources:/  resources:/" homeserver.yaml
-    #sed -i "s/#    - names: \[client, federation\]/    - names: \[client, federation\]/" homeserver.yaml
-    #sed -i "s/#tls_certificate_path:/tls_certificate_path:/" homeserver.yaml
-    #sed -i "s/#tls_private_key_path:/tls_private_key_path:/" homeserver.yaml
-
-
-    # get synapse log name and set path
-    LOG_CONFIG=$(ls *.log.config)
-    sed -i "s/log_file: .*/log_file: \"\/run\/synapse\/homeserver.log\"/" homeserver.yaml
-    sed -i "s/    filename:.*/    filename: \/run\/synapse\/homeserver.log/" ${LOG_CONFIG}
-
-
-    # coturn
-    TURNPWD=$(pwgen -s 64 1)
-    sed -i "s/#tls-listening-port=5349/tls-listening-port=3478/" /app/data/turnserver.conf
-    sed -i "s/#realm=mycompany.org/realm=${CLOUDRON_APP_DOMAIN}/" /app/data/turnserver.conf
-    sed -i "s/#lt-cred-mech/lt-cred-mech/" /app/data/turnserver.conf
-    sed -i "s/#use-auth-secret/use-auth-secret/" /app/data/turnserver.conf
-    sed -i "s/#lt-cred-mech/lt-cred-mech/" /app/data/turnserver.conf
-    sed -i "s/#static-auth-secret=.*/static-auth-secret=${TURNPWD}/" /app/data/turnserver.conf
-    sed -i "s/#turn_uris: .*/turn_uris: [\"turn:${CLOUDRON_APP_DOMAIN}:${TURN_TLS_PORT}?transport=udp\", \"turn:${CLOUDRON_APP_DOMAIN}:${TURN_TLS_PORT}?transport=tcp\"]/" homeserver.yaml
-    sed -i "s/#turn_shared_secret: .*/turn_shared_secret: \"${TURNPWD}\"/" homeserver.yaml
-    sed -i "s/#cipher-list=.*/cipher-list=\"HIGH\"/" /app/data/turnserver.conf
-    sed -i "s/#log-file=.*/log-file=\/run\/turn_log\/turn.log/" /app/data/turnserver.conf
-
-
-    # get cert names from synapse
-    TLS_CRT=$(ls *.tls.crt)
-    TLS_KEY=$(ls *.tls.key)
-    #TLS_DH=$(ls *.tls.dh)
-    sed -i "s,#cert=.*,cert=/app/data/synapse/${TLS_CRT}," /app/data/turnserver.conf
-    sed -i "s,#pkey=.*,pkey=/app/data/synapse/${TLS_KEY}," /app/data/turnserver.conf
-    #sed -i "s,#dh-file=.*,dh-file=/app/data/synapse/${TLS_DH}," /app/data/turnserver.conf
-
-    # set up email
-    sed -i 's/#email:/email:/' homeserver.yaml
-    sed -i 's/#   enable_notifs: false/   enable_notifs: true/' homeserver.yaml
-    sed -i 's/#   smtp_host: \"localhost\"/   smtp_host: \"${CLOUDRON_MAIL_SMTP_SERVER}\"/' homeserver.yaml
-    sed -i 's/#   smtp_port: .*/   smtp_port: ${CLOUDRON_MAIL_SMTP_PORT}/' homeserver.yaml
-    sed -i 's/#   smtp_user: \"exampleusername\"/   smtp_user: \"${CLOUDRON_MAIL_SMTP_USERNAME}\"/' homeserver.yaml
-    sed -i 's/#   smtp_pass: \"examplepassword\"/   smtp_pass: \"${CLOUDRON_MAIL_SMTP_PASSWORD}\"/' homeserver.yaml
-    sed -i 's/#   require_transport_security: False/   require_transport_security: false/' homeserver.yaml
-    sed -i "s/#   notif_from: .*/   notif_from: \"Your Friendly Matrix Home Server <${CLOUDRON_MAIL_FROM}>\"/" homeserver.yaml
-    sed -i 's/#   app_name: Matrix/   app_name: Matrix/' homeserver.yaml
-    sed -i 's/#   notif_template_html: .*/   notif_template_html: notif_mail.html/' homeserver.yaml
-    sed -i 's/#   notif_template_text: .*/   notif_template_text: notif_mail.txt/' homeserver.yaml
-    sed -i 's/#   notif_for_new_users: True/   notif_for_new_users: True/' homeserver.yaml
-
-    sed -i "s,#tls_fingerprints:.*,tls_fingerprints: [{sha256: \"${TLS_FINGERPRINT}\"}]," homeserver.yaml
-
-
-fi
-
-# logs
-mkdir -p /run/nginx_log /run/synapse /run/turn_log
-
-# fix permissions
-chown -R www-data.www-data /run/synapse /run/turn_log /app/data
-cd /app/data/synapse
-
-# check if TURN port has changed and update it
-if [ -z ${TURN_TLS_PORT+x} ]; then TURN_TLS_PORT="3478"; fi
-sed -i "s/turn_uris: .*/turn_uris: [\"turn:${CLOUDRON_APP_DOMAIN}:${TURN_TLS_PORT}?transport=udp\", \"turn:${CLOUDRON_APP_DOMAIN}:${TURN_TLS_PORT}?transport=tcp\"]/" homeserver.yaml
-sed -i "s/tls-listening-port=.*/tls-listening-port=${TURN_TLS_PORT}/" /app/data/turnserver.conf
-
-# check if certificate changed and update fingerprint
-TLS_FINGERPRINT=$(openssl s_client -connect ${CLOUDRON_APP_DOMAIN}:${TURN_TLS_PORT} < /dev/null 2> /dev/null | openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=')
-sed -i "s,^tls_fingerprints:.*,tls_fingerprints: [{sha256: \"${TLS_FINGERPRINT}\"}]," homeserver.yaml
-
-gosu www-data turnserver -c /app/data/turnserver.conf --daemon -v
-
-# update user and pass in case they changed
-sed -i "s/ user: .*/ user: ${CLOUDRON_POSTGRESQL_USERNAME}/" homeserver.yaml
-sed -i "s/ password: .*/ password: ${CLOUDRON_POSTGRESQL_PASSWORD}/" homeserver.yaml
-sed -i "s/ database: .*/ database: ${CLOUDRON_POSTGRESQL_DATABASE}/" homeserver.yaml
-sed -i "s,         uri: .*,         uri: \"${CLOUDRON_LDAP_URL}\"," homeserver.yaml
-
-#update email settings in case they changed
-sed -i "s/   smtp_host:.*/   smtp_host: \"${CLOUDRON_MAIL_SMTP_SERVER}\"/" homeserver.yaml
-sed -i "s/   smtp_port:.*/   smtp_port: ${CLOUDRON_MAIL_SMTP_PORT}/" homeserver.yaml
-sed -i "s/   smtp_user:.*/   smtp_user: \"${CLOUDRON_MAIL_SMTP_USERNAME}\"/" homeserver.yaml
-sed -i "s/   smtp_pass:.*/   smtp_pass: \"${CLOUDRON_MAIL_SMTP_PASSWORD}\"/" homeserver.yaml
-
-gosu www-data python3 -m synapse.app.homeserver --config-path homeserver.yaml &> /dev/null &
-
-exec /usr/sbin/nginx -g 'daemon off;'