blob: ae8f7a71de8af867707db092c67cefdbf1b9dac2 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
#!/bin/sh
: ${synapse_signing_key:='changeme'}
: ${synapse_macaroon_secret_key:='changeme'}
: ${synapse_form_secret:='changeme'}
: ${synapse_ldap_password:='changeme'}
: ${synapse_domain:="$email_domain"}
: ${synapse_public_fqdn:="$fqdn"}
: ${synapse_email_from:="Matrix <matrix-noreply@${email_domain}>"}
: ${synapse_username:='s-synapse'}
: ${synapse_local_media_retention:='365d'}
: ${synapse_remote_media_retention:='90d'}
: ${synapse_upload_sizelimit:='104857600'} # 100 MB
: ${synapse_turn_host:="$turn_domain"}
: ${synapse_turn_secret:="$turn_secret"}
: ${synapse_access_role:='matrix-access'}
: ${synapse_dbhost:="$postgres_host"}
: ${synapse_dbname:='synapse'}
synapse_db_dir=/var/db/matrix-synapse
synapse_conf_dir=/usr/local/etc/matrix-synapse
synapse_local_user=synapse
synapse_dn="uid=${synapse_username},${robots_basedn}"
synapse_client_keytab="${keytab_dir}/synapse.client.keytab"
synapse_https_cacert="${acme_cert_dir}/nginx.ca.crt"
synapse_https_cert="${acme_cert_dir}/nginx.crt"
synapse_https_key="${acme_cert_dir}/nginx.key"
synapse_local_client_port=8008
synapse_local_federation_port=8009
synapse_element_webroot=/usr/local/www/element
# Install required packages.
pkg install -y \
py${python_version}-matrix-synapse \
py${python_version}-matrix-synapse-ldap3 \
nginx \
element-web
# Create ZFS dataset for HTTP upload files.
create_dataset -o "mountpoint=${synapse_db_dir}" "${state_dataset}/synapse"
install_directory -o "$synapse_local_user" -g wheel -m 0700 "$synapse_db_dir"
# Create synapse principal.
ldap_add "$synapse_dn" <<EOF
objectClass: account
objectClass: simpleSecurityObject
uid: ${synapse_username}
userPassword: {SSHA-512}
EOF
ldap_passwd "$synapse_dn" "$synapse_ldap_password"
add_principal -nokey -x "dn=${synapse_dn}" "$synapse_username"
ktadd -k "$synapse_client_keytab" "$synapse_username"
chgrp "$synapse_local_user" "$synapse_client_keytab"
chmod 640 "$synapse_client_keytab"
synapse_uid=$(id -u "$synapse_local_user")
install_directory -o "$synapse_local_user" -m 0700 "/var/krb5/user/${synapse_uid}"
ln -snfv "$synapse_client_keytab" "/var/krb5/user/${synapse_uid}/client.keytab"
# Create postgres user and database.
postgres_create_role "$synapse_dbhost" "$synapse_username"
postgres_create_database "$synapse_dbhost" "$synapse_dbname" "$synapse_username" UTF8 C
# Generate synapse configuration.
install_template -o "$synapse_local_user" -g "$synapse_local_user" -m 0600 \
"${synapse_conf_dir}/homeserver.yaml" \
"${synapse_conf_dir}/signing.key"
install_file -o "$synapse_local_user" -g "$synapse_local_user" -m 0644 \
"${synapse_conf_dir}/log.config"
# Configure nginx.
install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf"
sysrc -v nginx_enable=YES
service nginx restart
install_file -m 0644 /etc/newsyslog.conf.d/nginx.conf
# Retrieve webserver certificate via ACME.
install_template -m 0600 /usr/local/etc/sudoers.d/acme
acme_install_certificate \
-g "$nginx_user" \
-r 'sudo service nginx reload' \
nginx \
"$synapse_public_fqdn"
# Now that we have the ACME certs, add the vhosts.
install_template -m 0644 "${nginx_conf_dir}/vhosts.conf"
service nginx restart
# Enable and start daemons.
sysrc -v synapse_enable=YES
service synapse restart
service nginx restart
# Create access role.
ldap_add "cn=${synapse_access_role},${roles_basedn}" <<EOF
objectClass: groupOfMembers
cn: ${synapse_access_role}
EOF
# Generate element-web config file.
install_template -m 0644 "${synapse_element_webroot}/config.json"
|
