From 5cd5b8dc2edced688c0b4e2c605d1ff84aa140b0 Mon Sep 17 00:00:00 2001
From: msbt
Date: Mon, 12 Feb 2018 15:56:24 +0100
Subject: [PATCH] Postgres, LDAP, etc, check changelog

---
 CHANGELOG | 8 +++++
 CloudronManifest.json | 24 ++++++++-----
 Dockerfile | 24 +++++++++----
 nginx_matrix.conf | 4 +++
 start_matrix.sh | 83 ++++++++++++++++++++++++++++++++++++++++---
 5 files changed, 125 insertions(+), 18 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 0b6ac06..995efff 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,2 +1,10 @@
+[0.1.1]
+* Removed the Riot part of the installation due to security
+* Changed from Sqlite to Postgres
+* Added LDAP support
+* Fixed upload limit in nginx_matrix.conf
+* Added bogus index.html so cloudron recognizes the matrix server as online
+* Added coturn as TURN server
+
 [0.1.0]
 * Initial version
diff --git a/CloudronManifest.json b/CloudronManifest.json
index 2242089..143d637 100644
--- a/CloudronManifest.json
+++ b/CloudronManifest.json
@@ -1,29 +1,37 @@
 {
- "id": "org.matrix.synapse_riot",
- "title": "Matrix synapse with Riot",
- "author": "Matrix synapse & Riot authors",
+ "id": "org.matrix.synapse",
+ "title": "Synapse: Matrix homeserver without Riot",
+ "author": "Matrix synapse authors",
 "description": "file://DESCRIPTION.md",
 "changelog": "file://CHANGELOG",
- "tagline": "matrix server and web client",
- "version": "0.1.0",
+ "tagline": "standalone matrix server",
+ "version": "0.1.1",
 "healthCheckPath": "/",
 "httpPort": 8000,
+ "memoryLimit": 536870912,
 "tcpPorts": {
 "FEDERATION_PORT": {
 "title": "Federation Port",
 "description": "Federation Port",
 "defaultValue": 8448
+ },
+ "TURN_TLS_PORT": {
+ "title": "TURN TLS port",
+ "description": "TURN TLS listening port for Voip",
+ "defaultValue": 5349
 }
- },
+ },
 "addons": {
- "localstorage": {}
+ "localstorage": {},
+ "ldap": {},
+ "postgresql": {}
 },
 "manifestVersion": 1,
 "website": "https://matrix.org",
 "contactEmail": "support@cloudron.io",
 "icon": "logo.png",
 "tags": [
- "im", "collaboration"
+ "im", "collaboration", "voip", "videochat"
 ],
 "mediaLinks": [ ]
 }
diff --git a/Dockerfile b/Dockerfile
index da17acc..06659ad 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,27 +2,39 @@ FROM cloudron/base:0.10.0
 MAINTAINER Authors name
 RUN mkdir -p /app/code
+RUN mkdir -p /app/data
 WORKDIR /app/code
 EXPOSE 8000
-# Riot web
-RUN curl -L https://github.com/vector-im/riot-web/releases/download/v0.9.7/vector-v0.9.7.tar.gz | tar -xz --strip-components 1 -f -
-RUN ln -sf /app/data/riot_config.json /app/code/config.json
-
 # Nginx
 RUN rm /etc/nginx/sites-enabled/*
 ADD nginx_matrix.conf /etc/nginx/sites-enabled/
 RUN rm -rf /var/lib/nginx && ln -sf /app/data/nginx /var/lib/nginx
 RUN rm -rf /var/log/nginx && ln -sf /app/data/nginx_log /var/log/nginx
+
+# TURN
+RUN apt update && apt-get install -y coturn
+
+RUN sed -e 's,#TURNSERVER_ENABLED=1,TURNSERVER_ENABLED=1,' -i /etc/default/coturn \
+ && rm /etc/turnserver.conf \
+ && ln -s /app/data/turnserver.conf /etc/turnserver.conf
+
+
 # Synapse
-RUN apt update && apt-get install -y build-essential python2.7-dev libffi-dev \
- python-wheel python-pip python-setuptools sqlite3 \
+RUN apt-get install -y build-essential python2.7-dev libffi-dev \
+ python-pip python-setuptools sqlite3 \
 libssl-dev libjpeg-dev libxslt1-dev
+RUN pip install --upgrade pip
 RUN pip install --upgrade setuptools
+RUN pip install psycopg2-binary py-bcrypt
 RUN pip install https://github.com/matrix-org/synapse/tarball/master
+
+# copy index.html
+COPY index.html /app/code
+
 RUN chown -R www-data.www-data /app/code
 ADD start_matrix.sh /app/
diff --git a/nginx_matrix.conf b/nginx_matrix.conf
index 9b1332b..b3b9042 100644
--- a/nginx_matrix.conf
+++ b/nginx_matrix.conf
@@ -4,6 +4,9 @@ server {
 server_name _;
+ # required, else the limit is 1mb
+ client_max_body_size 20M;
+
 location /_matrix {
 proxy_pass http://localhost:8008;
 proxy_set_header X-Forwarded-For $remote_addr;
@@ -14,3 +17,4 @@ server {
 index index.html;
 }
 }
+
diff --git a/start_matrix.sh b/start_matrix.sh
index a5a2e48..976295b 100755
--- a/start_matrix.sh
+++ b/start_matrix.sh
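Review bot: `RUN pip install --upgrade pip` and `RUN pip install psycopg2-binary py-bcrypt` take whatever versions PyPI serves at build time, and the retained `pip install https://github.com/matrix-org/synapse/tarball/master` does the same for the homeserver itself, so two builds of this Dockerfile can yield different images and a future upstream release can silently change the config keys that the `sed` calls in start_matrix.sh depend on. Pinning (`psycopg2-binary==<version>`, `py-bcrypt==<version>`, and a tagged synapse release in place of `master`) would make the image reproducible and the dependency set reviewable. The second `apt-get install` now relies on the package lists fetched by the earlier `RUN apt update` layer, which works only because those lists are never cleaned; a single `RUN apt-get update && apt-get install -y coturn build-essential ... && rm -rf /var/lib/apt/lists/*` is the conventional form and also drops `sqlite3`, which the Postgres switch presumably no longer needs.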
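Review bot: The comment `# required, else the limit is 1mb` above the new `client_max_body_size 20M;` explains the nginx default but not the coupling that actually matters: the value has to agree with the `max_upload_size: "20M"` that start_matrix.sh writes into homeserver.yaml, otherwise one layer rejects uploads the other would accept. Suggest `# must match max_upload_size in homeserver.yaml (set by start_matrix.sh); nginx default is 1m` so the next change keeps the two in step.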
@@ -4,6 +4,14 @@ set -eux
 if [[ ! -d /app/data/synapse ]]; then
 echo "=> Detected first run"
+
+ # copy turn config
+ cp /usr/share/coturn/examples/etc/turnserver.conf /app/data/turnserver.conf
+
+ #set default TURN listening port
+ if [ -z ${TURN_TLS_PORT+x} ]; then TURN_TLS_PORT="5349"; else echo "TURN_TLS_PORT is set to '$TURN_TLS_PORT'"; fi
+
+
 mkdir -p /app/data/synapse
 cd /app/data/synapse
 python -m synapse.app.homeserver \
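Review bot: The coturn bootstrap (the `cp` of the example turnserver.conf here, plus the secret and certificate setup in the next hunk) is keyed on `/app/data/synapse` not existing, so an instance upgrading from 0.1.0 already has that directory, skips this block and never gets `/app/data/turnserver.conf`; the unconditional `sed -i ... /app/data/turnserver.conf` and `turnserver -c /app/data/turnserver.conf` later in the script then fail under `set -e` and the container does not come up. Keying the TURN setup on its own marker, `if [[ ! -e /app/data/turnserver.conf ]]; then`, in a separate block would make it run for fresh and upgraded installs alike. The same applies to the sqlite-to-psycopg2 rewrite of homeserver.yaml in the next hunk, which an existing install would also skip even though the manifest now provisions Postgres, so an explicit migration check or a note in the changelog seems needed. The `TURN_TLS_PORT` default is also assigned twice (here and after the block); a single `: "${TURN_TLS_PORT:=5349}"` above the `if` would cover both paths. The enclosing `if` block continues past this hunk.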
@@ -11,19 +19,86 @@ if [[ ! -d /app/data/synapse ]]; then
 --config-path homeserver.yaml \
 --report-stats=no \
 --generate-config
+
+ # synapse config
+ sed -i "s/server_name:.*/server_name: ${APP_DOMAIN}/" homeserver.yaml
+ sed -i "s/web_client:.*/web_client: False/" homeserver.yaml
+ sed -i "s,- webclient .*,# - webclient # The bundled webclient," homeserver.yaml
+ sed -i "s/client, webclient/client/" homeserver.yaml
+ sed -i "s/sqlite3/psycopg2/" homeserver.yaml
+ sed -i "s/ database: .*/ user: ${POSTGRESQL_USERNAME}\n password: ${POSTGRESQL_PASSWORD}\n database: ${POSTGRESQL_DATABASE}\n host: ${POSTGRESQL_HOST}\n cp_min: 5\n cp_max: 10/" homeserver.yaml
+ sed -i "s/enable_registration: .*/enable_registration: True/" homeserver.yaml
+ sed -i "s/# password_providers:/password_providers:/" homeserver.yaml
+ sed -i 's/# - module: "ldap_auth_provider.LdapAuthProvider"/ - module: "ldap_auth_provider.LdapAuthProvider"/' homeserver.yaml
+ sed -i 's/# config:/ config:/' homeserver.yaml
+ sed -i 's/# enabled: true/ enabled: true/' homeserver.yaml
+ sed -i 's,# uri: .*, uri: "ldap://172.18.0.1:3002",' homeserver.yaml
+ sed -i 's/# start_tls: true/ start_tls: false/' homeserver.yaml
+ sed -i 's/# base: "ou=users,dc=example,dc=com"/ base: "ou=users,dc=cloudron"/' homeserver.yaml
+ sed -i 's/# attributes:/ attributes:/' homeserver.yaml
+ sed -i 's/# uid: "cn"/ uid: "username"/' homeserver.yaml
+ sed -i 's/# mail: "email"/ mail: "mail"/' homeserver.yaml
+ sed -i 's/# name: "givenName"/ name: "username"/' homeserver.yaml
+ sed -i 's/max_upload_size:.*/max_upload_size: "20M"/' homeserver.yaml
+ sed -i 's/#auto_join_rooms:/auto_join_rooms:/' homeserver.yaml
+ sed -i 's/# - "#example:example.com"/ - "#example:example.com"/' homeserver.yaml
+ sed -i "s/example:example.com/discuss:${APP_DOMAIN}/" homeserver.yaml
+ sed -i "s/turn_allow_guests:.*/turn_allow_guests: False/" homeserver.yaml
+ sed -i "s/enable_group_creation:.*/enable_group_creation: True/" homeserver.yaml
+ sed -i "s/enable_group_creation:.*/enable_group_creation: True/" homeserver.yaml
+ sed -i "s/#user_directory:/user_directory:/" homeserver.yaml
+ sed -i "s/# search_all_users:.*/ search_all_users: True/" homeserver.yaml
+
+
+ # coturn
+ TURNPWD=$(pwgen -s 64 1)
+ sed -i "s/#tls-listening-port=5349/tls-listening-port=5349/" /app/data/turnserver.conf
+ sed -i "s/#realm=mycompany.org/realm=${APP_DOMAIN}/" /app/data/turnserver.conf
+ sed -i "s/#lt-cred-mech/lt-cred-mech/" /app/data/turnserver.conf
+ sed -i "s/#use-auth-secret/use-auth-secret/" /app/data/turnserver.conf
+ sed -i "s/#lt-cred-mech/lt-cred-mech/" /app/data/turnserver.conf
+ sed -i "s/#static-auth-secret=.*/static-auth-secret=${TURNPWD}/" /app/data/turnserver.conf
+ sed -i "s/turn_uris: .*/turn_uris: [\"turn:${APP_DOMAIN}:${TURN_TLS_PORT}?transport=udp\", \"turn:${APP_DOMAIN}:${TURN_TLS_PORT}?transport=tcp\"]/" homeserver.yaml
+ sed -i "s/turn_shared_secret: .*/turn_shared_secret: \"${TURNPWD}\"/" homeserver.yaml
+ sed -i "s/#cipher-list=.*/cipher-list=\"HIGH\"/" /app/data/turnserver.conf
+ sed -i "s/#log-file=.*/log-file=\/app\/data\/turn_log\/turn.log/" /app/data/turnserver.conf
+
+
+ # get cert names from synapse
+ TLS_CRT=$(ls *.tls.crt)
+ TLS_KEY=$(ls *.tls.key)
+ TLS_DH=$(ls *.tls.dh)
+ sed -i "s,#cert=.*,cert=/app/data/synapse/${TLS_CRT}," /app/data/turnserver.conf
+ sed -i "s,#pkey=.*,pkey=/app/data/synapse/${TLS_KEY}," /app/data/turnserver.conf
+ sed -i "s,#dh-file=.*,dh-file=/app/data/synapse/${TLS_DH}," /app/data/turnserver.conf
+
 fi
-if [[ ! -e /app/data/riot_config.json ]]; then
- cp /app/code/config.sample.json /app/data/riot_config.json
- sed -i "s#https://matrix.org#https://$APP_DOMAIN#" /app/data/riot_config.json
-fi
 mkdir -p /app/data/nginx
 mkdir -p /app/data/nginx_log
+mkdir -p /app/data/turn_log
 chown -R www-data.www-data /app/data
 cd /app/data/synapse
+
+# check if TURN port has changed and update it
+if [ -z ${TURN_TLS_PORT+x} ]; then TURN_TLS_PORT="5349"; fi
+sed -i "s/turn_uris: .*/turn_uris: [\"turn:${APP_DOMAIN}:${TURN_TLS_PORT}?transport=udp\", \"turn:${APP_DOMAIN}:${TURN_TLS_PORT}?transport=tcp\"]/" homeserver.yaml
+sed -i "s/tls-listening-port=.*/tls-listening-port=${TURN_TLS_PORT}/" /app/data/turnserver.conf
+
+# check if certificate changed and update fingerprint
+TLS_FINGERPRINT=$(openssl s_client -connect ${APP_DOMAIN}:${TURN_TLS_PORT} < /dev/null 2> /dev/null | openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=')
+sed -i "s,^tls_fingerprints:.*,tls_fingerprints: [{sha256: \"${TLS_FINGERPRINT}\"}]," homeserver.yaml
+
+gosu www-data turnserver -c /app/data/turnserver.conf --daemon -v
+
+# update user and pass in case they changed
+sed -i "s/ user: .*/ user: ${POSTGRESQL_USERNAME}/" homeserver.yaml
+sed -i "s/ password: .*/ password: ${POSTGRESQL_PASSWORD}/" homeserver.yaml
+sed -i "s/ database: .*/ database: ${POSTGRESQL_DATABASE}/" homeserver.yaml
+
 gosu www-data python -m synapse.app.homeserver --config-path homeserver.yaml &> /dev/null &
 exec /usr/sbin/nginx -g 'daemon off;'
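Review bot: `TLS_FINGERPRINT` is taken from a live `openssl s_client` connection to `${APP_DOMAIN}:${TURN_TLS_PORT}` two lines before `turnserver` is started, so on every boot nothing is listening yet; `openssl x509` then fails on empty input and, because `set -e` only sees the exit status of the final `tr`, the digest of an empty input is silently written into `tls_fingerprints`. Reading the certificate coturn is configured to serve straight from disk removes both the ordering and the network dependency: `TLS_FINGERPRINT=$(openssl x509 -in /app/data/synapse/*.tls.crt -outform DER | openssl sha256 -binary | base64 | tr -d '=')`, followed by a `[[ -n "$TLS_FINGERPRINT" ]]` guard before the `sed`. Separately, `set -eux` traces every `sed` command line, so `${POSTGRESQL_PASSWORD}` and `${TURNPWD}` are printed into the container log on each start; wrap those lines in `set +x` / `set -x`, and note that an unescaped `/`, `&` or `\` in either value breaks the `s///` expression rather than being substituted literally. `enable_registration: True` opens self-service account creation on a federated homeserver even though authentication is delegated to the LDAP provider, which looks unintended and should be `False` unless open signup is a goal; `lt-cred-mech` and `enable_group_creation` are also each rewritten twice.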