diff --git a/.gitignore b/.gitignore index ec660e7d..4c3f96cb 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,6 @@ *swp +auto_update_config.sh +auto_update/Synapse_build_*.log +auto_update/synapse_build_temp.log diff --git a/README.md b/README.md index d6a646fe..fee4e225 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ 
@@ -21,197 +21,14 @@ Instant messaging server matrix network. Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org) -**Shipped version:** 1.101.0~ynh1 -## Disclaimers / important information - -## Configuration - -### Install for ARM arch (or slow arch) - -For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install. -You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null` -After that you can install it without problem. - -The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build -The script to build the binary is also available. - -### Web client - -If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh . - -### Access by federation - -If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation. - -If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation. - -``` -_matrix._tcp. IN SRV 10 0 -``` -for example -``` -_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com. -``` -You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port` - -For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md - -If it is not automatically done, you need to open this in your ISP box. - -You also need a valid TLS certificate for the domain used by synapse. 
To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en - -https://federationtester.matrix.org/ can be used to easily debug federation issues - -### Turnserver - -For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands: -``` -yunohost app setting synapse turnserver_tls_port -yunohost app setting synapse turnserver_alt_tls_port - -``` -The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193. - -For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command: - -``` -yunohost firewall allow Both 49153:49193 -``` - -You might also need to open these ports (if it is not automatically done) on your ISP box. - -To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config. - -If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`). - -``` -*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh; -``` - -#### OpenVPN - -In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. 
To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content: -``` -#!/bin/bash - -( - sleep 5 - sudo systemctl restart coturn-synapse.service -) & -exit 0 -``` - -Add this line in you sudo config file `/etc/sudoers` -``` -openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service -``` - -And add this line in your OpenVPN config file -``` -ipchange /usr/local/bin/openvpn_up_script.sh -``` - -### Important Security Note - -We do not recommend running Element from the same domain name as your Matrix -homeserver (synapse). The reason is the risk of XSS (cross-site-scripting) -vulnerabilities that could occur if someone caused Element to load and render -malicious user generated content from a Matrix API which then had trusted -access to Element (or other apps) due to sharing the same domain. - -We have put some coarse mitigations into place to try to protect against this -situation, but it's still not a good practice to do it in the first place. See -https://github.com/vector-im/element-web/issues/1977 for more details. - -## YunoHost specific features - -## Limitations - -Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM. - -This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh) - -## Additional information - -## Administration - -**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.** - -Before any manipulation it's recommended to do a backup by this following command : - -`sudo yunohost backup create --apps synapse` - -### Set user as admin - -Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database. 
- -The following command will grant admin privilege to the specified user: -``` -su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'" -``` - -### Administration API - -Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission. -By default, no one has access to this path. - -If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh), -you need to give this permission to visitors. - -Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section). - -### Upgrade - -By default a backup is made before the upgrade. If for some reason you want to upgrade without backup: -- Call the command with the `-b` flag: `yunohost app upgrade synapse -b` -- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line: - -`yunohost app setting synapse backup_before_upgrade -v 0` - -After this settings will be applied for **all** next upgrade. - -From command line: - -`yunohost app upgrade synapse` - -### Backup - -This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this: - -- Stop synapse service with theses following command: - -`systemctl stop synapse.service` - -- Launch the backup of synapse with this following command: - -`yunohost backup create --app synapse` - -- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`. -- Restart the synapse service with these command: - -`systemctl start synapse.service` - -### Remove - -Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**. 
- -Use the `--purge` flag with the command, or remove it manually to purge app user data. - -### Multi instance support - -To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command: -``` -yunohost app setting synapse__ synapse_tls_port -``` - -Before installing a second instance of the app it's really recommended to update all existing instances. - +**Shipped version:** 1.102.0~ynh1 ## Documentation and resources -* Official app website: -* Upstream app code repository: -* YunoHost Store: -* Report a bug: +- Official app website: +- Official admin documentation: +- Upstream app code repository: +- YunoHost Store: +- Report a bug: ## Developer info diff --git a/README_fr.md b/README_fr.md index c97c7960..072ea31d 100644 --- a/README_fr.md +++ b/README_fr.md @@ -1,5 +1,5 @@ 
@@ -21,197 +21,14 @@ Instant messaging server matrix network. Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org) -**Version incluse :** 1.101.0~ynh1 -## Avertissements / informations importantes - -## Configuration - -### Install for ARM arch (or slow arch) - -For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install. -You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null` -After that you can install it without problem. - -The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build -The script to build the binary is also available. - -### Web client - -If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh . - -### Access by federation - -If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation. - -If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation. - -``` -_matrix._tcp. IN SRV 10 0 -``` -for example -``` -_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com. -``` -You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port` - -For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md - -If it is not automatically done, you need to open this in your ISP box. - -You also need a valid TLS certificate for the domain used by synapse. 
To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en - -https://federationtester.matrix.org/ can be used to easily debug federation issues - -### Turnserver - -For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands: -``` -yunohost app setting synapse turnserver_tls_port -yunohost app setting synapse turnserver_alt_tls_port - -``` -The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193. - -For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command: - -``` -yunohost firewall allow Both 49153:49193 -``` - -You might also need to open these ports (if it is not automatically done) on your ISP box. - -To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config. - -If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`). - -``` -*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh; -``` - -#### OpenVPN - -In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. 
To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content: -``` -#!/bin/bash - -( - sleep 5 - sudo systemctl restart coturn-synapse.service -) & -exit 0 -``` - -Add this line in you sudo config file `/etc/sudoers` -``` -openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service -``` - -And add this line in your OpenVPN config file -``` -ipchange /usr/local/bin/openvpn_up_script.sh -``` - -### Important Security Note - -We do not recommend running Element from the same domain name as your Matrix -homeserver (synapse). The reason is the risk of XSS (cross-site-scripting) -vulnerabilities that could occur if someone caused Element to load and render -malicious user generated content from a Matrix API which then had trusted -access to Element (or other apps) due to sharing the same domain. - -We have put some coarse mitigations into place to try to protect against this -situation, but it's still not a good practice to do it in the first place. See -https://github.com/vector-im/element-web/issues/1977 for more details. - -## YunoHost specific features - -## Limitations - -Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM. - -This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh) - -## Additional information - -## Administration - -**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.** - -Before any manipulation it's recommended to do a backup by this following command : - -`sudo yunohost backup create --apps synapse` - -### Set user as admin - -Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database. 
- -The following command will grant admin privilege to the specified user: -``` -su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'" -``` - -### Administration API - -Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission. -By default, no one has access to this path. - -If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh), -you need to give this permission to visitors. - -Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section). - -### Upgrade - -By default a backup is made before the upgrade. If for some reason you want to upgrade without backup: -- Call the command with the `-b` flag: `yunohost app upgrade synapse -b` -- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line: - -`yunohost app setting synapse backup_before_upgrade -v 0` - -After this settings will be applied for **all** next upgrade. - -From command line: - -`yunohost app upgrade synapse` - -### Backup - -This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this: - -- Stop synapse service with theses following command: - -`systemctl stop synapse.service` - -- Launch the backup of synapse with this following command: - -`yunohost backup create --app synapse` - -- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`. -- Restart the synapse service with these command: - -`systemctl start synapse.service` - -### Remove - -Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**. 
- -Use the `--purge` flag with the command, or remove it manually to purge app user data. - -### Multi instance support - -To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command: -``` -yunohost app setting synapse__ synapse_tls_port -``` - -Before installing a second instance of the app it's really recommended to update all existing instances. - +**Version incluse :** 1.102.0~ynh1 ## Documentations et ressources -* Site officiel de l’app : -* Dépôt de code officiel de l’app : -* YunoHost Store: -* Signaler un bug : +- Site officiel de l’app : +- Documentation officielle de l’admin : +- Dépôt de code officiel de l’app : +- YunoHost Store : +- Signaler un bug : ## Informations pour les développeurs @@ -225,4 +42,4 @@ ou sudo yunohost app upgrade synapse -u https://github.com/YunoHost-Apps/synapse_ynh/tree/testing --debug ``` -**Plus d’infos sur le packaging d’applications :** \ No newline at end of file +**Plus d’infos sur le packaging d’applications :** diff --git a/actions.toml b/actions.toml deleted file mode 100644 index d6721fcc..00000000 --- a/actions.toml +++ /dev/null 
@@ -1,33 +0,0 @@ -[update_turnserver_ip] -name = "Update turnserver ip" -command = "/opt/yunohost/matrix-$YNH_APP_INSTANCE_NAME/Coturn_config_rotate.sh" -user = "root" -accepted_return_codes = [0] -description = "Update the ip in the turnserver config" - -[open_turnserver_firewall_ports] -name = "Open ports for turnserver" -command = "yunohost firewall allow Both 49153:49193" -user = "root" -accepted_return_codes = [0] -description = "Open the ports range 49153:49193 with TCP and UDP to be able to use correctly the turnserver." - -[close_turnserver_firewall_ports] -name = "Close ports for turnserver" -command = "yunohost firewall disallow Both 49153:49193" -user = "root" -accepted_return_codes = [0] -description = "Close the ports range 49153:49193 with TCP and UDP. (Undo \"Open ports for turnserver\" action)" - -[set_admin_user] -name = "Set a user as admin" -command = "[[ \"$(su --command=\"psql matrix_synapse\" postgres <<< \"UPDATE users SET admin = 1 WHERE name = '@$YNH_ACTION_USERNAME:$(yunohost app setting $YNH_APP_INSTANCE_NAME server_name)'\")\" == 'UPDATE 1' ]]" -user = "root" -accepted_return_codes = [0] -description = "Set a synapse user as admin in the synapse server. It is mainly required to manage the community function." - - [set_admin_user.arguments] - [set_admin_user.arguments.username] - type = "string" - ask = "username of the user to set as admin" - example = "bob" diff --git a/auto_update/auto_update.sh b/auto_update/auto_update.sh new file mode 100644 index 00000000..4ed5b0de --- /dev/null +++ b/auto_update/auto_update.sh 
@@ -0,0 +1,167 @@ +#!/bin/bash + +set -eu + +source auto_update_config.sh + +readonly debian_version_name_1=bullseye +readonly debian_version_name_2=bookworm + +get_from_manifest() { + result=$(python3 <&1 | tee "synapse_build_temp.log" + return ${PIPESTATUS[0]} +} + +push_armv7_build() { + ## Make a draft release json with a markdown body + local release='"tag_name": "v'$synapse_version'", "target_commitish": "master", "name": "v'$synapse_version'", ' + local body="Synapse prebuilt bin for synapse_ynh\\n=========\\nPlease refer to upstream project for the change : https://github.com/element-hq/synapse/releases\\n\\nSha256sum for $debian_version_name_1 : $(cat $build_result_path_deb_1/SUM_matrix-synapse_${synapse_version}-$debian_version_name_1-bin1_armv7l.tar.gz)\\nSha256sum for $debian_version_name_2 : $(cat $build_result_path_deb_2/SUM_matrix-synapse_${synapse_version}-$debian_version_name_2-bin1_armv7l.tar.gz)" + release+='"body": "'$body'",' + release+='"draft": true, "prerelease": false' + release='{'$release'}' + local url="https://api.github.com/repos/$owner/$repo/releases" + local succ=$(curl -H "Authorization: token $perstok" --data "$release" $url) + + ## In case of success, we upload a file + local upload_generic=$(echo "$succ" | grep upload_url) + if [[ $? -eq 0 ]]; then + echo "Release created." + else + echo "Error creating release!" 
+ return 1 + fi + + local upload_prefix + local upload_file + local upload_ok + local download + for archive_name in $build_result_path_deb_1/${result_prefix_name_deb_1}-bin1_armv7l.tar.gz \ + $build_result_path_deb_2/${result_prefix_name_deb_2}-bin1_armv7l.tar.gz + do + + # $upload_generic is like: + # "upload_url": "https://uploads.github.com/repos/:owner/:repo/releases/:ID/assets{?name,label}", + upload_prefix=$(echo $upload_generic | cut -d "\"" -f4 | cut -d "{" -f1) + upload_file="$upload_prefix?name=${archive_name##*/}" + + echo "Start uploading file" + i=0 + upload_ok=false + while [ $i -le 4 ]; do + i=$((i+1)) + # Download file + set +e + succ=$(curl -H "Authorization: token $perstok" \ + -H "Content-Type: $(file -b --mime-type $archive_name)" \ + -H "Accept: application/vnd.github.v3+json" \ + --data-binary @$archive_name $upload_file) + res=$? + set -e + if [ $res -ne 0 ]; then + echo "Curl upload failled" + continue + fi + echo "Upload done, check result" + + set +eu + download=$(echo "$succ" | egrep -o "browser_download_url.+?") + res=$? + if [ $res -ne 0 ] || [ -z "$download" ]; then + set -eu + echo "Result upload error" + continue + fi + set -eu + echo "$download" | cut -d: -f2,3 | cut -d\" -f2 + echo "Upload OK" + upload_ok=true + break + done + + if ! $upload_ok; then + echo "Upload completely failed, exit" + return 1 + fi + done +} + +synapse_version=$(get_from_manifest ".version" | cut -d'~' -f1) + +if check_synapse +then + set +eu + upgrade_synapse + res=$? + set -eu + if [ $res -eq 0 ]; then + result="Success" + else + result="Failed" + fi + msg="Build: synapse version $synapse_version\n" + msg+="$(cat synapse_build_temp.log)" + echo -e "$msg" | mail.mailutils -a "Content-Type: text/plain; charset=UTF-8" -s "Autoupgrade synapse : $result" "$notify_email" +fi diff --git a/auto_update/auto_update_config_example.sh b/auto_update/auto_update_config_example.sh new file mode 100644 index 00000000..88a926d8 --- /dev/null 
+++ b/auto_update/auto_update_config_example.sh @@ -0,0 +1,24 @@ + +build_cmd_deb_1() { + pushd ~ + sudo /root/build_synapse_bin.sh $1 $2 --chroot-yes + popd + sudo chown app_upgrader ~/$2* +} +build_cmd_deb_2() { + local target_dir=~ + sudo chroot /mnt/bookworm_build /root/build_synapse_bin.sh $1 $2 --chroot-yes + sudo mv -t $target_dir /mnt/bookworm_build/$2* + sudo chown app_upgrader $target_dir/$2* +} + + +build_result_path_deb_1=~ +build_result_path_deb_2=~ + +notify_email="hello@world.tld" + +# For github arm release +owner="YunoHost-Apps" +repo="synapse_python_build" +perstok="kkk" diff --git a/check_process b/check_process deleted file mode 100644 index 2508f0c6..00000000 --- a/check_process +++ /dev/null @@ -1,25 +0,0 @@ -;; General - ; Manifest - domain="domain.tld" - path="/_matrix/static/" - is_free_registration=1 - server_name="domain.tld" - ; Checks - pkg_linter=1 - setup_sub_dir=1 - setup_root=0 - setup_nourl=0 - setup_private=0 - setup_public=1 - upgrade=1 - upgrade=1 from_commit=b3bacec606f25c7f69de44da9e9e7eac405810c7 - backup_restore=1 - multi_instance=0 - incorrect_path=0 - port_already_use=1 (8448) - change_url=0 -;;; Levels - Level 5=auto -;;; Upgrade options - ; commit=ed9d550d69c168182aa9e070f265a141d8bd9fd2 - name=Post app user creation diff --git a/conf/armv7_bookworm.src b/conf/armv7_bookworm.src deleted file mode 100644 index dde29faa..00000000 --- a/conf/armv7_bookworm.src +++ /dev/null @@ -1,7 +0,0 @@ -SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.101.0/matrix-synapse_1.101.0-bookworm-bin1_armv7l.tar.gz -SOURCE_SUM=26b1e23d04bd23b924ea343eeff0cbddc33dff54de73034ed51c10872a0abf6f -# (Optional) Program to check the integrity (sha256sum, md5sum...) -# default: sha256 -SOURCE_SUM_PRG=sha256sum -SOURCE_FORMAT=tar.gz -SOURCE_IN_SUBDIR=true diff --git a/conf/armv7_bullseye.src b/conf/armv7_bullseye.src deleted file mode 100644 index a9ed05d8..00000000 --- a/conf/armv7_bullseye.src +++ /dev/null 
@@ -1,7 +0,0 @@ -SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.101.0/matrix-synapse_1.101.0-bullseye-bin1_armv7l.tar.gz -SOURCE_SUM=87046651724467fe504735a30debf518925b2995e2e2c8d34285c60bcb567a59 -# (Optional) Program to check the integrity (sha256sum, md5sum...) -# default: sha256 -SOURCE_SUM_PRG=sha256sum -SOURCE_FORMAT=tar.gz -SOURCE_IN_SUBDIR=true diff --git a/conf/default_matrix-synapse b/conf/default_matrix-synapse deleted file mode 100644 index abb2d4cb..00000000 --- a/conf/default_matrix-synapse +++ /dev/null @@ -1,3 +0,0 @@ -# Specify environment variables used when running Synapse -# SYNAPSE_CACHE_FACTOR=1 (default) - diff --git a/conf/homeserver.yaml b/conf/homeserver.yaml index ed4b65e4..263384b9 100644 --- a/conf/homeserver.yaml +++ b/conf/homeserver.yaml @@ -5,7 +5,10 @@ # should have the same indentation. # # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html - +# +# For more information on how to configure Synapse, including a complete accounting of +# each option, go to docs/usage/configuration/config_documentation.md or +# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html ## Modules ## @@ -285,7 +288,7 @@ listeners: # will also need to give Synapse a TLS key and certificate: see the TLS section # below.) # - - port: __SYNAPSE_TLS_PORT__ + - port: __PORT_SYNAPSE_TLS__ type: http tls: true resources: @@ -297,7 +300,7 @@ listeners: # If you plan to use a reverse proxy, please see # https://matrix-org.github.io/synapse/latest/reverse_proxy.html. # - - port: __PORT__ + - port: __PORT_SYNAPSE__ tls: false type: http x_forwarded: true @@ -801,9 +804,9 @@ database: name: psycopg2 #txn_limit: 10000 args: - user: __SYNAPSE_DB_USER__ - password: __SYNAPSE_DB_PWD__ - database: __SYNAPSE_DB_NAME__ + user: __DB_USER__ + password: __DB_PWD__ + database: __DB_NAME__ host: localhost port: 5432 cp_min: 5 
@@ -956,7 +959,7 @@ log_config: "/etc/matrix-__APP__/log.yaml" # Directory where uploaded images and attachments are stored. # -media_store_path: "/home/yunohost.app/matrix-__APP__/media" +media_store_path: "__DATA_DIR__/media" # Media storage providers allow media to be stored in different # locations. @@ -970,7 +973,7 @@ media_storage_providers: # Whether to wait for successful storage for local uploads store_synchronous: false config: - directory: "/home/yunohost.app/matrix-__APP__/media_storage" + directory: "__DATA_DIR__/media_storage" # The largest allowed upload size in bytes # @@ -1178,7 +1181,7 @@ oembed: # The public URIs of the TURN server to give to clients # -turn_uris: [ "turn:__DOMAIN__:__TURNSERVER_TLS_PORT__?transport=udp", "turn:__DOMAIN__:__TURNSERVER_TLS_PORT__?transport=tcp" ] +__TURN_SERVER_CONFIG__ # The shared secret used to compute passwords for the TURN server # @@ -1192,7 +1195,7 @@ turn_shared_secret: "__TURNSERVER_PWD__" # How long generated TURN credentials last # -turn_user_lifetime: 1h +turn_user_lifetime: 12h # Whether guests should be allowed to use the TURN server. # This defaults to True, otherwise VoIP will be unreliable for guests. @@ -1200,7 +1203,7 @@ turn_user_lifetime: 1h # connect to arbitrary endpoints without having first signed up for a # valid account (e.g. by passing a CAPTCHA). # -turn_allow_guests: __TURN_ALLOW_GUESTS__ +turn_allow_guests: __ALLOW_GUEST_ACCESS__ ## Registration ## @@ -1271,9 +1274,7 @@ enable_registration: __ENABLE_REGISTRATION__ # The user must provide all of the below types of 3PID when registering. # -registrations_require_3pid: - - email -# - msisdn +_REGISTRATION_REQUIRE_3PID_SED_PARAM_ # Explicitly disable asking for MSISDNs from the registration # flow (overrides registrations_require_3pid if MSISDNs are set as required) 
@@ -1283,6 +1284,7 @@ disable_msisdn_registration: __DISABLE_MSISDN_REGISTRATION__ # Mandate that users are only allowed to associate certain formats of # 3PIDs with accounts on this server. # +_ALLOWD_LOCAL_3PIDS_SED_PARAM_ #allowed_local_3pids: # - medium: email # pattern: '^[^@]+@vector\.im$' @@ -1356,9 +1358,9 @@ default_identity_server: __DEFAULT_IDENTITY_SERVER__ # by the Matrix Identity Service API specification: # https://matrix.org/docs/spec/identity_service/latest # -# As email delegates is managed by the synapse server itself this email section is +# As email delegates is managed by the synapse server itself this email section is # not necessary but msisdn format is still composed by msisdn: on a new line -account_threepid_delegates: +account_threepid_delegates: msisdn: __ACCOUNT_THREEPID_DELEGATES_MSISDN__ #email: https://example.com # Delegate email sending to example.com #msisdn: http://localhost:8090 # Delegate SMS sending to this local process @@ -1395,8 +1397,7 @@ account_threepid_delegates: # If the room already exists, make certain it is a publicly joinable # room. The join rule of the room must be set to 'public'. # -auto_join_rooms: - - "#example:example.com" +_AUTO_JOIN_ROOMS_SED_PARAM_ # Where auto_join_rooms are specified, setting this flag ensures that the # the rooms exist by creating them when the first user on the @@ -2043,7 +2044,7 @@ cas_config: # Uncomment the following to enable authorization against a CAS server. # Defaults to false. # - enabled: __SSO_ENABLED__ + enabled: true # The URL of the CAS authorization endpoint. # @@ -2089,7 +2090,7 @@ sso: # By default, this list contains only the login fallback page. # client_whitelist: -__DOMAIN_WHITELIST_CLIENT__ +_DOMAIN_WHITELIST_CLIENT_ # Uncomment to keep a user's profile fields in sync with information from # the identity provider. Currently only syncing the displayname is 
@@ -2247,12 +2248,10 @@ password_providers: uid: "uid" mail: "mail" name: "givenName" - bind_dn: "uid=__SYNAPSE_USER_APP__,ou=users,dc=yunohost,dc=org" - bind_password: __SYNAPSE_USER_APP_PWD__ filter: "(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))" - + # Configuration for sending emails from Synapse. # # Server admins can configure custom templates for email content. See @@ -2261,7 +2260,7 @@ password_providers: email: # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. # - smtp_host: "__MAIN_DOMAIN__" + smtp_host: "__DOMAIN__" # The port on the mail server for outgoing SMTP. Defaults to 25. # @@ -2270,8 +2269,8 @@ email: # Username/password for authentication to the SMTP server. By default, no # authentication is attempted. # - smtp_user: __SYNAPSE_USER_APP__ - smtp_pass: __SYNAPSE_USER_APP_PWD__ + smtp_user: __APP__ + smtp_pass: __MAIL_PWD__ # Uncomment the following to require TLS transport security for SMTP. # By default, Synapse will connect over plain text, and will then switch to @@ -2298,7 +2297,7 @@ email: # Note that the placeholder must be written '%(app)s', including the # trailing 's'. # - notif_from: "Your Friendly %(app)s Home Server <__SYNAPSE_USER_APP__@__DOMAIN__>" + notif_from: "Your Friendly %(app)s Home Server <__APP__@__DOMAIN__>" # app_name defines the default value for '%(app)s' in notif_from and email # subjects. It defaults to 'Matrix'. diff --git a/conf/nginx.conf b/conf/nginx.conf index a968119d..a2e70d20 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
@@ -1,26 +1,31 @@ -location __PATH__/ { - proxy_pass http://localhost:__PORT__; +rewrite ^$ /; +location ~ ^/$ { + default_type text/plain; + return 200 "This is where Synapse is installed."; +} + +location /_matrix/ { + proxy_pass http://localhost:__PORT_SYNAPSE__; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; - client_max_body_size 100M; - - # Use the specific path for the php file. It's more secure than global php path - location __PATH__/cas_server.php { - alias /var/www/__APP__/; - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass unix:/run/php/php__PHPVERSION__-fpm-__NAME__.sock; - include fastcgi_params; - fastcgi_param REMOTE_USER $remote_user; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param SCRIPT_FILENAME cas_server.php; - } + client_max_body_size __MAX_UPLOAD_SIZE__; } +# Use the specific path for the php file. It's more secure than global php path +location /_matrix/cas_server.php/ { + alias /var/www/__APP__/; + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + fastcgi_pass unix:/run/php/php__PHPVERSION__-fpm-__NAME__.sock; + include fastcgi_params; + fastcgi_param REMOTE_USER $remote_user; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param SCRIPT_FILENAME cas_server.php; +} location /_synapse/ { - proxy_pass http://localhost:__PORT__; + proxy_pass http://localhost:__PORT_SYNAPSE__; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; diff --git a/conf/requirement_bookworm.txt b/conf/requirement_bookworm.txt index 7ac8ca7f..c241eeee 100644 --- a/conf/requirement_bookworm.txt +++ b/conf/requirement_bookworm.txt @@ -8,7 +8,7 @@ certifi==2024.2.2 cffi==1.16.0 charset-normalizer==3.3.2 constantly==23.10.4 -cryptography==42.0.2 +cryptography==42.0.5 hyperlink==21.0.0 idna==3.6 ijson==3.2.3 
@@ -21,21 +21,21 @@ ldap3==2.9.1 lxml==5.1.0 MarkupSafe==2.1.5 matrix-common==1.3.0 -matrix-synapse==1.101.0 +matrix-synapse==1.102.0 matrix-synapse-ldap3==0.3.0 -msgpack==1.0.7 +msgpack==1.0.8 ndg-httpsclient==0.5.1 -netaddr==1.0.0 +netaddr==1.2.1 packaging==23.2 -phonenumbers==8.13.30 +phonenumbers==8.13.31 pillow==10.2.0 -prometheus-client==0.19.0 +prometheus_client==0.20.0 psycopg2==2.9.9 pyasn1==0.5.1 pyasn1-modules==0.3.0 pycparser==2.21 -pydantic==2.6.1 -pydantic_core==2.16.2 +pydantic==2.6.3 +pydantic_core==2.16.3 pymacaroons==0.13.0 PyNaCl==1.5.0 pyOpenSSL==24.0.0 @@ -45,14 +45,14 @@ requests==2.31.0 rpds-py==0.18.0 semantic-version==2.10.0 service-identity==24.1.0 -setuptools-rust==1.8.1 +setuptools-rust==1.9.0 signedjson==1.1.4 six==1.16.0 sortedcontainers==2.4.0 treq==23.11.0 -Twisted==23.10.0 -typing_extensions==4.9.0 +Twisted==24.3.0 +typing_extensions==4.10.0 unpaddedbase64==2.1.0 -urllib3==2.2.0 +urllib3==2.2.1 webencodings==0.5.1 -zope.interface==6.1 +zope.interface==6.2 diff --git a/conf/requirement_bullseye.txt b/conf/requirement_bullseye.txt index 545c3e5d..5e0f242c 100644 --- a/conf/requirement_bullseye.txt +++ b/conf/requirement_bullseye.txt @@ -8,7 +8,7 @@ certifi==2024.2.2 cffi==1.16.0 charset-normalizer==3.3.2 constantly==23.10.4 -cryptography==42.0.2 +cryptography==42.0.5 hyperlink==21.0.0 idna==3.6 ijson==3.2.3 @@ -21,22 +21,21 @@ ldap3==2.9.1 lxml==5.1.0 MarkupSafe==2.1.5 matrix-common==1.3.0 -matrix-synapse==1.101.0 +matrix-synapse==1.102.0 matrix-synapse-ldap3==0.3.0 -msgpack==1.0.7 +msgpack==1.0.8 ndg-httpsclient==0.5.1 -netaddr==1.0.0 +netaddr==1.2.1 packaging==23.2 -phonenumbers==8.13.30 +phonenumbers==8.13.31 pillow==10.2.0 -pkg_resources==0.0.0 -prometheus-client==0.19.0 +prometheus_client==0.20.0 psycopg2==2.9.9 pyasn1==0.5.1 pyasn1-modules==0.3.0 pycparser==2.21 -pydantic==2.6.1 -pydantic_core==2.16.2 +pydantic==2.6.3 +pydantic_core==2.16.3 pymacaroons==0.13.0 PyNaCl==1.5.0 pyOpenSSL==24.0.0 
@@ -46,15 +45,15 @@ requests==2.31.0 rpds-py==0.18.0 semantic-version==2.10.0 service-identity==24.1.0 -setuptools-rust==1.8.1 +setuptools-rust==1.9.0 signedjson==1.1.4 six==1.16.0 sortedcontainers==2.4.0 tomli==2.0.1 treq==23.11.0 -Twisted==23.10.0 -typing_extensions==4.9.0 +Twisted==24.3.0 +typing_extensions==4.10.0 unpaddedbase64==2.1.0 -urllib3==2.2.0 +urllib3==2.2.1 webencodings==0.5.1 -zope.interface==6.1 +zope.interface==6.2 diff --git a/conf/server_name.conf b/conf/server_name.conf index 578cfa7e..9a8664f3 100644 --- a/conf/server_name.conf +++ b/conf/server_name.conf @@ -1,5 +1,5 @@ location = /.well-known/matrix/server { - return 200 '{"m.server": "__DOMAIN__:__SYNAPSE_TLS_PORT__"}'; + return 200 '{"m.server": "__DOMAIN__:__PORT_SYNAPSE_TLS__"}'; add_header Content-Type application/json; add_header Access-Control-Allow-Origin '*'; } @@ -8,7 +8,7 @@ location = /.well-known/matrix/client { return 200 '{ "m.homeserver": { "base_url": "https://__DOMAIN__" }, "im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER__"}, - "im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT__ } + "im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT_CLIENT_CONFIG__ } }'; add_header Content-Type application/json; add_header Access-Control-Allow-Origin '*'; diff --git a/conf/coturn-synapse.service b/conf/synapse-coturn.service similarity index 93% rename from conf/coturn-synapse.service rename to conf/synapse-coturn.service index f07a6bf3..d02409b9 100644 --- a/conf/coturn-synapse.service +++ b/conf/synapse-coturn.service 
@@ -1,15 +1,17 @@ [Unit] Description=Coturn Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1) -After=syslog.target network.target +After=syslog.target network-online.target [Service] User=turnserver Group=turnserver -Type=simple +Type=notify EnvironmentFile=/etc/default/coturn-__APP__ ExecStart=/usr/bin/turnserver -c /etc/matrix-__APP__/coturn.conf $EXTRA_OPTIONS --pidfile= -Restart=on-abort +Restart=on-failure +InaccessibleDirectories=/home +PrivateTmp=yes LimitCORE=infinity LimitNOFILE=999999 diff --git a/conf/matrix-synapse.service b/conf/synapse.service similarity index 93% rename from conf/matrix-synapse.service rename to conf/synapse.service index bc689290..ab8a2fcf 100644 --- a/conf/matrix-synapse.service +++ b/conf/synapse.service @@ -4,10 +4,9 @@ After=network.target [Service] Type=simple -User=matrix-__APP__ +User=__APP__ WorkingDirectory=/opt/yunohost/matrix-__APP__ BindPaths=/etc/matrix-__APP__ -EnvironmentFile=/etc/default/matrix-__APP__ ExecStartPre=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/ --generate-keys ExecStart=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/ Restart=always @@ -41,7 +40,7 @@ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] WantedBy=multi-user.target diff --git a/conf/turnserver.conf b/conf/turnserver.conf index 4d4494a8..35ee0ae1 100644 --- a/conf/turnserver.conf +++ b/conf/turnserver.conf 
@@ -3,11 +3,11 @@ use-auth-secret static-auth-secret=__TURNSERVER_PWD__ realm=__DOMAIN__ -tls-listening-port=__TURNSERVER_TLS_PORT__ -alt-tls-listening-port=__TURNSERVER_ALT_TLS_PORT__ +tls-listening-port=__PORT_TURNSERVER_TLS__ +alt-tls-listening-port=__PORT_TURNSERVER_ALT_TLS__ min-port=49153 max-port=49193 -cli-port=__CLI_PORT__ +cli-port=__PORT_CLI__ cert=/etc/yunohost/certs/__DOMAIN__/crt.pem pkey=/etc/yunohost/certs/__DOMAIN__/key.pem @@ -26,4 +26,11 @@ log-file=/var/log/matrix-__APP__/turnserver.log pidfile=/run/coturn-__APP__/turnserver.pid simple-log -__TURN_EXTERNAL_IP__ +# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS. +user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user. +total-quota=1200 + +# Max time 12h +max-allocate-lifetime=43200 + +_TURN_EXTERNAL_IP_ diff --git a/conf/virtualenv_activate b/conf/virtualenv_activate deleted file mode 100644 index a3b5883b..00000000 --- a/conf/virtualenv_activate +++ /dev/null 
@@ -1,76 +0,0 @@ -# This file must be used with "source bin/activate" *from bash* -# you cannot run it directly - -deactivate () { - # reset old environment variables - if [ -n "${_OLD_VIRTUAL_PATH:-}" ] ; then - PATH="${_OLD_VIRTUAL_PATH:-}" - export PATH - unset _OLD_VIRTUAL_PATH - fi - if [ -n "${_OLD_VIRTUAL_PYTHONHOME:-}" ] ; then - PYTHONHOME="${_OLD_VIRTUAL_PYTHONHOME:-}" - export PYTHONHOME - unset _OLD_VIRTUAL_PYTHONHOME - fi - - # This should detect bash and zsh, which have a hash command that must - # be called to get it to forget past commands. Without forgetting - # past commands the $PATH changes we made may not be respected - if [ -n "${BASH:-}" -o -n "${ZSH_VERSION:-}" ] ; then - hash -r - fi - - if [ -n "${_OLD_VIRTUAL_PS1:-}" ] ; then - PS1="${_OLD_VIRTUAL_PS1:-}" - export PS1 - unset _OLD_VIRTUAL_PS1 - fi - - unset VIRTUAL_ENV - if [ ! "${1:-}" = "nondestructive" ] ; then - # Self destruct! - unset -f deactivate - fi -} - -# unset irrelevant variables -deactivate nondestructive - -VIRTUAL_ENV="__FINAL_PATH__" -export VIRTUAL_ENV - -_OLD_VIRTUAL_PATH="$PATH" -PATH="$VIRTUAL_ENV/bin:$PATH" -export PATH - -# unset PYTHONHOME if set -# this will fail if PYTHONHOME is set to the empty string (which is bad anyway) -# could use `if (set -u; : $PYTHONHOME) ;` in bash -if [ -n "${PYTHONHOME:-}" ] ; then - _OLD_VIRTUAL_PYTHONHOME="${PYTHONHOME:-}" - unset PYTHONHOME -fi - -if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT:-}" ] ; then - _OLD_VIRTUAL_PS1="${PS1:-}" - if [ "x(new) " != x ] ; then - PS1="(new) ${PS1:-}" - else - if [ "`basename \"$VIRTUAL_ENV\"`" = "__" ] ; then - # special case for Aspen magic directories - # see http://www.zetadev.com/software/aspen/ - PS1="[`basename \`dirname \"$VIRTUAL_ENV\"\``] $PS1" - else - PS1="(`basename \"$VIRTUAL_ENV\"`)$PS1" - fi - fi - export PS1 -fi - -# This should detect bash and zsh, which have a hash command that must -# be called to get it to forget past commands. 
Without forgetting -# past commands the $PATH changes we made may not be respected -if [ -n "${BASH:-}" -o -n "${ZSH_VERSION:-}" ] ; then - hash -r -fi diff --git a/config_panel.toml b/config_panel.toml index 28c208f2..4a287659 100644 --- a/config_panel.toml +++ b/config_panel.toml 
@@ -2,88 +2,83 @@ version = "1.0" [main] name = "Main Settings" -services = ["matrix-__APP__"] +services = ["__APP__"] [main.welcome] name = "Experience for new Users" [main.welcome.enable_registration] - ask = "Enable Registration for new users." + ask = "Enable Registration for new users" type = "boolean" yes = "true" no = "false" help = "Defaults to 'false'. If 'true', it is highly recommended to use either captcha, email, or token-based verification to avoid SPAM." - bind = ":/etc/matrix-__APP__/homeserver.yaml" [main.welcome.password_enabled] - ask = "Enable Password Login?" + ask = "Enable Password Login" type = "boolean" yes = "true" no = "false" help = "If disabled, Login with Non-YunoHost Users impossible. But it simplies Login process if your Matrix server only has YunoHost SSO Users." - bind = "password_config>enabled:/etc/matrix-__APP__/homeserver.yaml" - visible = "! enable_registration" + # Temporary disable the visible flag due of https://github.com/YunoHost/issues/issues/2331 + # visible = "! enable_registration" [main.welcome.registrations_require_3pid] - ask = "Registration requires all following 3PID personal identifier." + ask = "Registration requires all following 3PID personal identifier" type = "select" - choices = ["none","email", "msisdn", "email&msisdn"] - help = "! Warning msisdn (Phone number) registration require a third party service which send confirmation token by SMS.\n Do not select any option including msisdn if you don't know what to do. And don't user email nor msisdn if you don't understand privacy flow\nDefaults to: 'none'." + choices = ["email", "msisdn", "email&msisdn"] + help = "! Warning msisdn (Phone number) registration require a third party service which send confirmation token by SMS.\nDo not select msisdn if you don't know what to do. And don't select user msisdn if you don't understand privacy flow\nDefaults to: 'email'." 
visible = "enable_registration" [main.welcome.allowed_local_3pids_email] - ask = "Register only with given email formats." + ask = "Register only with given email formats" type = "tags" - help = '( e.g. ^[^@]+@matrix\\\\.org$ ) Note that \\\ will write \\ as suggested in homeserver.yaml' + help = '( e.g. ^[^@]+@matrix\\.org$ )' visible = 'enable_registration && (registrations_require_3pid == "email" || registrations_require_3pid == "email&msisdn")' [main.welcome.allowed_local_3pids_msisdn] - ask = "Register only with given phone number formats." + ask = "Register only with given phone number formats" type = "tags" - help = '( e.g. \\\\+33 ) Note that \\\ will write \\ as suggested in homeserver.yaml' + help = '( e.g. \\+33 )' visible = 'enable_registration && (registrations_require_3pid == "email&msisdn" || registrations_require_3pid == "msisdn")' [main.welcome.disable_msisdn_registration] - ask = "Disable asking Phone Number in Registration flow." + ask = "Disable asking Phone Number in Registration flow" type = "boolean" yes = "true" no = "false" help = "Overrides 3PID settings if MSISDNs are set as required." - bind = ":/etc/matrix-__APP__/homeserver.yaml" visible = "enable_registration" [main.welcome.account_threepid_delegates_msisdn] - ask = "Specify a third party server to send confirmation code by SMS." + ask = "Specify a third party server to send confirmation code by SMS" type = "string" help = "That should be an URL with port or API." - bind = "account_threepid_delegates>msisdn:/etc/matrix-__APP__/homeserver.yaml" visible = 'enable_registration && (registrations_require_3pid == "email&msisdn" || registrations_require_3pid == "msisdn")' - + [main.welcome.auto_join_rooms] - ask = "Auto Join new Users in following Rooms:" + ask = "Auto Join new Users in following Rooms" type = "tags" - help = "( e.g. \\\\#example:example.com ) Note that \\\\# will write # in homeserver.yaml. Users who register on this homeserver will automatically be joined to these rooms. 
If the room already exists, the join rule must be set to 'public'. See also next setting." - + help = "( e.g. #example:example.com ) Users who register on this homeserver will automatically be joined to these rooms. If the room already exists, the join rule must be set to 'public'. See also next setting." + [main.welcome.autocreate_auto_join_rooms] - ask = "Auto-Create room for Auto Join if not existing?" + ask = "Auto-Create room for Auto Join if not existing" type = "boolean" yes = "true" no = "false" help = "Setting to false means that if the rooms are not manually created, users cannot be auto-joined. Auto-created rooms will be public and federated by default, this can be customised in CLI with the settings auto_join_*." - bind = ":/etc/matrix-__APP__/homeserver.yaml" [main.welcome.notif_for_new_users] - ask = "Enable email notifications for new users?" + ask = "Enable email notifications for new users" type = "boolean" yes = "true" no = "false" help = "Defaults to 'true'." - bind = ":/etc/matrix-__APP__/homeserver.yaml" visible = "enable_notifs" [main.privacy] name = "Data Privacy" - + [main.privacy.text] ask = ''' * "all": any locally-created room 
@@ -97,164 +92,145 @@ services = ["matrix-__APP__"] type = "select" choices = ["all", "invite", "off"] help = "Note that encryption can always be turned on manually, even after creation." - bind = "encryption_enabled_by_default_for_room_type:/etc/matrix-__APP__/homeserver.yaml" - + [main.privacy.allow_public_rooms_over_federation] - ask = "Access Public Rooms Directory over Federation?" + ask = "Access Public Rooms Directory over Federation" type = "boolean" yes = "true" no = "false" help = "Disabled by default. If disabled, users on other homeserver will not be able to look for a public room on your homeserver. They will have to type the ID of the room to join." - bind = ":/etc/matrix-__APP__/homeserver.yaml" [main.privacy.push_include_content] - ask = "Disable content sharing inside push notification." + ask = "Disable content sharing inside push notification" type = "boolean" yes = "true" no = "false" help = "Send content message and sender information in push notification. Set to false increase privacy when GAFAM notification service is used (ie: when element client is downloaded thrue Gplay store)." - bind = "push>include_content:/etc/matrix-__APP__/homeserver.yaml" [main.experience] name = "User Experience" [main.experience.web_client_location] - ask = "Element instance your HomeServer should redirect to." + ask = "Element instance your HomeServer should redirect to" type = "url" help = "URL to the web client which / will redirect to." - bind = ":/etc/matrix-__APP__/homeserver.yaml" [main.experience.enable_group_creation] - ask = "Allow non-server-admin Users to create Spaces?" + ask = "Allow non-server-admin Users to create Spaces" type = "boolean" yes = "true" no = "false" help = "Disabled by default: only server admins can create Spaces" - bind = ":/etc/matrix-__APP__/homeserver.yaml" [main.experience.enable_notifs] - ask = "Enable sending emails for messages the user missed?" 
+ ask = "Enable sending emails for messages the user missed" type = "boolean" yes = "true" no = "false" help = "Defaults to 'false'." - bind = ":/etc/matrix-__APP__/homeserver.yaml" [main.experience.client_base_url] - ask = "URL for client links within the email notifications." + ask = "URL for client links within the email notifications" type = "url" help = "Used to be called 'riot_base_url', still supported" - bind = ":/etc/matrix-__APP__/homeserver.yaml" visible = "enable_notifs" [resources] name = "Resource Usage" -services = ["matrix-__APP__", "nginx"] +services = ["__APP__"] [resources.media] name = "Manage Media growth and clean-up" [resources.media.max_upload_size] - ask = "Largest allowed media upload size in bytes." + ask = "Largest allowed media upload size in bytes" type = "string" help = "Defaults to: '10M' . Format : <[GMK]?>" - bind = ":/etc/matrix-__APP__/homeserver.yaml" [advanced] name = "Advanced Settings" services = ["matrix-__APP__"] - [advanced.help] - name = "SETTINGS FOR EXPERTS IN SERVER ADMINISTRATION" - - [advanced.help.text] - ask = ''' - !!There are security and privacy risks if you change these settings without knowing what you do!! - ''' - type = "markdown" + # Disabled as it don't work any more on bookworm + # + # [advanced.help] + # name = "SETTINGS FOR EXPERTS IN SERVER ADMINISTRATION" + # + # [advanced.help.text] + # ask = ''' + # !!There are security and privacy risks if you change these settings without knowing what you do!! + # ''' + # type = "markdown" [advanced.others] name = "Others" - [advanced.others.backup_before_upgrade] - ask = "Backup before upgrade?" - type = "boolean" - yes = "true" - no = "false" - help = "!! If disabled, do a manual backup before upgrade !! Disable if your Synapse instance is huge and you prefer to disable the backup that is normally automatically done before each upgrade." 
- - [advanced.others.server_statistics] + [advanced.others.report_stats] ask = "Server statistics" type = "boolean" yes = "true" no = "false" help = "Enable to send anonymous statistics to Synapse Developers to improve performance." - bind = "report_stats:/etc/matrix-__APP__/homeserver.yaml" [advanced.guests] name = "Experience for Guests / Anonymous" [advanced.guests.invite_client_location] - ask = "Web client location to direct users to during an invite." + ask = "Web client location to direct users to during an invite" type = "url" help = "This is passed to the identity server as the org.matrix.web_client_location key. Defaults to unset, giving no guidance to the identity server." - bind = ":/etc/matrix-__APP__/homeserver.yaml" [advanced.guests.allow_guest_access] - ask = "Allow Users to Register as Guests?" + ask = "Allow Users to Register as Guests" type = "boolean" yes = "true" no = "false" help = "Guests can participate on this server in rooms with guest access enabled, without a password/email/etc." - bind = ":/etc/matrix-__APP__/homeserver.yaml" [advanced.guests.auto_join_rooms_for_guests] - ask = "Enable Auto Join Room for Guests?" + ask = "Enable Auto Join Room for Guests" type = "boolean" yes = "true" no = "false" help = "Defaults to 'true'." - bind = ":/etc/matrix-__APP__/homeserver.yaml" visible = "allow_guest_access" [advanced.privacy] name = "Data Privacy" [advanced.privacy.enable_3pid_lookup] - ask = "Allow discovering friends with phone number or email?" + ask = "Allow discovering friends with phone number or email" type = "boolean" yes = "true" no = "false" help = "Enable 3PIDs lookup requests to identity servers from this server. See Settings->General->Discovery in Element." - bind = ":/etc/matrix-__APP__/homeserver.yaml" [advanced.privacy.default_identity_server] - ask = "Identity server suggested to clients?" 
+ ask = "Identity server suggested to clients" type = "url" help = "Identity server allows to discover, be discovered and invite people you know with phone number or email. If not set, users will probably chose centralized vector.im. See Settings->General->Discovery in Element." - bind = ":/etc/matrix-__APP__/homeserver.yaml" [advanced.privacy.allow_public_rooms_without_auth] - ask = "Access Public Rooms Directory without authentification?" + ask = "Access Public Rooms Directory without authentification" type = "boolean" yes = "true" no = "false" help = "Disabled by default. If enabled, anyone can query the Public Rooms Directory (access through the client API). This only makes sense if you want everyone to be able to scroll your public room to see what's interesting on your Homeserver" - bind = ":/etc/matrix-__APP__/homeserver.yaml" [advanced.registration] name = "Account Registration" [advanced.registration.registration_shared_secret] - ask = "Shared Secret for Registration." + ask = "Shared Secret for Registration" type = "string" help = "Allows registration of standard or admin accounts, even if Registration disabled." - bind = ":/etc/matrix-__APP__/homeserver.yaml" - [advanced.registration.turn_allow_guests] - ask = "Should guests be allowed to use the TURN server?" + [advanced.security] + name = "Security" + + [advanced.security.enable_dtls_for_audio_video_turn_call] + ask = "Enable TLS/DTLS on Audio/Video coll" type = "boolean" yes = "true" no = "false" - help = "This defaults to True, otherwise VoIP will be unreliable for guests. However, it does introduce a slight security risk as it allows users to connect to arbitrary endpoints without having first signed up for a valid account (e.g. by passing a CAPTCHA)." - bind = ":/etc/matrix-__APP__/homeserver.yaml" + help = "Enabling TLS/DTLS is really recommanded but it could bring some issues depending of the server certificate. 
There are some known issues with let's encrypt (https://github.com/element-hq/element-android/issues/1533), so if you have issues it could be better to disable this feature." diff --git a/doc/DISCLAIMER.md b/doc/ADMIN.md similarity index 52% rename from doc/DISCLAIMER.md rename to doc/ADMIN.md index 1ed72030..fc6a23d2 100644 --- a/doc/DISCLAIMER.md +++ b/doc/ADMIN.md 
@@ -1,34 +1,34 @@ -## Configuration +# Installation -### Install for ARM arch (or slow arch) +## Install for ARM arch (or slow arch) For all slow or arm architecture it's recommended to build the dh file before the install to have a quicker install. You could build it by this cmd : `openssl dhparam -out /etc/ssl/private/dh2048.pem 2048 > /dev/null` After that you can install it without problem. -The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/Josue-T/synapse_python_build +The package uses a prebuilt python virtual environnement. The binary are taken from this repository: https://github.com/YunoHost-Apps/synapse_python_build The script to build the binary is also available. -### Web client +## Web client If you want a web client you can also install Element with this package: https://github.com/YunoHost-Apps/element_ynh . -### Access by federation +## Access by federation If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation. -If not, you can add the following line in the dns configuration but you normally don't need it as a .well-known file is edited during the install to declare your server name and port to the federation. +If not, you can add the following line in the dns configuration but you normally don't need it as a `.well-known` file is edited during the install to declare your server name and port to the federation. ``` _matrix._tcp. IN SRV 10 0 ``` for example ``` -_matrix._tcp.example.com. 3600 IN SRV 10 0 SYNAPSE_PORT synapse.example.com. +_matrix._tcp.example.com. 3600 IN SRV 10 0 synapse.example.com. ``` -You need to replace SYNAPSE_PORT by the real port. This port can be obtained by the command: `yunohost app setting SYNAPSE_INSTANCE_NAME synapse_tls_port` +You need to replace `` by the real port. 
This port can be obtained by the command: `yunohost app setting port_synapse_tls` -For more details, see : https://github.com/matrix-org/synapse/blob/master/docs/federate.md +For more details, see : https://github.com/element-hq/synapse/blob/master/docs/federate.md If it is not automatically done, you need to open this in your ISP box. 
@@ -36,48 +36,47 @@ You also need a valid TLS certificate for the domain used by synapse. To do that https://federationtester.matrix.org/ can be used to easily debug federation issues -### Turnserver +## Turnserver For Voip and video conferencing a turnserver is also installed (and configured). The turnserver listens on two UDP and TCP ports. You can get them with these commands: -``` -yunohost app setting synapse turnserver_tls_port -yunohost app setting synapse turnserver_alt_tls_port - +```bash +yunohost app setting synapse port_turnserver_tls +yunohost app setting synapse port_turnserver_alt_tls ``` The turnserver will also choose a port dynamically when a new call starts. The range is between 49153 - 49193. For some security reason the ports range (49153 - 49193) isn't automatically open by default. If you want to use the synapse server for voip or conferencing you will need to open this port range manually. To do this just run this command: -``` +```bash yunohost firewall allow Both 49153:49193 ``` You might also need to open these ports (if it is not automatically done) on your ISP box. -To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh` to update your config. +To prevent the situation when the server is behind a NAT, the public IP is written in the turnserver config. By this the turnserver can send its real public IP to the client. 
For more information see [the coturn example config file](https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L102-L120).So if your IP changes, you could run the script `/opt/yunohost/matrix-/Coturn_config_rotate.sh` to update your config. -If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the __SYNAPSE_INSTANCE_NAME__ which could be `synapse` or maybe `synapse__2`). +If you have a dynamic IP address, you also might need to update this config automatically. To do that just edit a file named `/etc/cron.d/coturn_config_rotate` and add the following content (just adapt the `` which could be `synapse` or maybe `synapse__2`). ``` -*/15 * * * * root bash /opt/yunohost/__SYNAPSE_INSTANCE_NAME__/Coturn_config_rotate.sh; +*/15 * * * * root bash /opt/yunohost/matrix-/Coturn_config_rotate.sh; ``` -#### OpenVPN +## OpenVPN -In case of you have an OpenVPN server you might want than `coturn-synapse` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content: -``` +In case of you have an OpenVPN server you might want than `synapse-coturn` restart when the VPN restart. To do this create a file named `/usr/local/bin/openvpn_up_script.sh` with this content: +```bash #!/bin/bash ( sleep 5 - sudo systemctl restart coturn-synapse.service + sudo systemctl restart synapse-coturn.service ) & exit 0 ``` Add this line in you sudo config file `/etc/sudoers` ``` -openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart coturn-synapse.service +openvpn ALL=(ALL) NOPASSWD: /bin/systemctl restart synapse-coturn.service ``` And add this line in your OpenVPN config file 
@@ -85,7 +84,7 @@ And add this line in your OpenVPN config file ipchange /usr/local/bin/openvpn_up_script.sh ``` -### Important Security Note +## Important Security Note We do not recommend running Element from the same domain name as your Matrix homeserver (synapse). The reason is the risk of XSS (cross-site-scripting) @@ -97,15 +96,13 @@ We have put some coarse mitigations into place to try to protect against this situation, but it's still not a good practice to do it in the first place. See https://github.com/vector-im/element-web/issues/1977 for more details. -## YunoHost specific features - ## Limitations Synapse uses a lot of ressource. So on slow architecture (like small ARM board), this app could take a lot of CPU and RAM. This app doesn't provide any real good web interface. So it's recommended to use Element client to connect to this app. This app is available [here](https://github.com/YunoHost-Apps/element_ynh) -## Additional information +# Additional information ## Administration 
@@ -120,62 +117,92 @@ Before any manipulation it's recommended to do a backup by this following comman Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database. The following command will grant admin privilege to the specified user: -``` -su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'" +```bash +/opt/yunohost/matrix-/set_admin_user.sh '@user_to_be_admin:domain.tld' ``` ### Administration API -Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission. -By default, no one has access to this path. - -If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh), -you need to give this permission to visitors. +There are an admiminstration application available if needed for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh). Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section). -### Upgrade +### Change url -By default a backup is made before the upgrade. If for some reason you want to upgrade without backup: -- Call the command with the `-b` flag: `yunohost app upgrade synapse -b` -- Disable the setting `Backup before upgrade` in the Config Panel. Or with command line: +Synapse give the possibility to change the domain of the instance. Note that this will only change the domain on which the synapse server will run. **This won't change the domain name of the account which an other thing.** -`yunohost app setting synapse backup_before_upgrade -v 0` +The advantage of this is that you can put the app on a specific domain without impacting the domain name of the accounts. For instance you can have the synapse app on `matrix.yolo.net` and the user account will be something like that `@michu:yolo.net`. 
Note that it's the main difference between the domain of the app (which is `matrix.yolo.net`) and the "server name" which is `yolo.net`. -After this settings will be applied for **all** next upgrade. +**Note that this change will have some important implications:** +- **This will break the connection from all previous connected clients. So all client connected before this change won't be able to communicate with the server until users will do a logout and login (which can also be problematic for e2e keys).** [There are a workaround which are described below](#avoid-the-need-to-reconnect-all-client-after-change-url-operation). +- In some case the client configuration will need to be updated. By example on element we can configure a default matrix server, this settings by example will need to be updated to the new domain to work correctly. +- In case of the "server name" domain are not on the same server than the synapse domain, you will need to update the `.well-known` or your DNS. -From command line: +To do the change url of synapse you can do it by this following command or with the webadmin. -`yunohost app upgrade synapse` +```bash +yunohost app change-url synapse +``` -### Backup +#### Avoid the need to reconnect all client after change-url operation -This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this: +In case of you have changed the url of synapse and you don't wan't to reconnect all client there are this workaround which should solve the issue. -- Stop synapse service with theses following command: +The idea is to setup again a minimal configuration on the previous domain so the client configurated with the previous domain will still work correctly. 
-`systemctl stop synapse.service` +##### Nginx config -- Launch the backup of synapse with this following command: +Retrive the server port with this command: +```bash +yunohost app setting synapse port_synapse +``` -`yunohost backup create --app synapse` +Edit the file `/etc/nginx/conf.d/.d/synapse.conf` and add this text: +``` +location /_matrix/ { + proxy_pass http://localhost:; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; -- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`. -- Restart the synapse service with these command: + client_max_body_size 200M; +} +``` -`systemctl start synapse.service` +Then reload nginx config: +```bash +systemctl reload nginx.service +``` -### Remove +##### Add permanent rule on SSOWAT -Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**. +- Edit the file `/etc/ssowat/conf.json.persistent` +- Add `"/_matrix"` into the list in: `permissions` > `custom_skipped` > `uris` -Use the `--purge` flag with the command, or remove it manually to purge app user data. +Now the configured client before the change-url should work again. + +### Backup + +This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this: -### Multi instance support +- Stop synapse service with theses following command: +```bash +systemctl stop synapse.service +``` -To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. 
You can get the port that you need to put in your SRV record with this following command: +- Launch the backup of synapse with this following command: +```bash +yunohost backup create --app synapse ``` -yunohost app setting synapse__ synapse_tls_port + +- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/synapse`. +- Restart the synapse service with these command: +```bash +systemctl start synapse.service ``` -Before installing a second instance of the app it's really recommended to update all existing instances. +### Remove + +Due of the backup core only feature the data directory in `/home/yunohost.app/synapse` **is not removed**. + +Use the `--purge` flag with the command, or remove it manually to purge app user data. diff --git a/doc/POST_INSTALL.md b/doc/POST_INSTALL.md new file mode 100644 index 00000000..bdf769f3 --- /dev/null +++ b/doc/POST_INSTALL.md 
@@ -0,0 +1,15 @@ +If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation. + +If not, you may need to put the following line in the dns configuration: + +_matrix._tcp.__DOMAIN__. 3600 IN SRV 10 0 __PORT_SYNAPSE_TLS__ __DOMAIN__. + +For more details, see : https://github.com/element-hq/synapse#setting-up-federation + +You also need to open the TCP port __PORT_SYNAPSE_TLS__ on your ISP box if it's not automatically done. + +Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh . + +If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh + +You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en diff --git a/manifest.json b/manifest.json deleted file mode 100644 index 9a23f773..00000000 --- a/manifest.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "name": "Synapse", - "id": "synapse", - "packaging_format": 1, - "description": { - "en": "Instant messaging server which uses Matrix", - "fr": "Serveur de messagerie instantané basé sur Matrix" - }, - "version": "1.101.0~ynh1", - "url": "http://matrix.org", - "license": "Apache-2.0", - "maintainer": { - "name": "Josué Tille", - "email": "josue@tille.ch" - }, - "upstream": { - "license": "Apache-2.0", - "website": "https://matrix.org/", - "code": "https://github.com/matrix-org/synapse" - }, - "requirements": { - "yunohost": ">= 11.2" - }, - "multi_instance": true, - "services": [ - "nginx" - ], - "arguments": { - "install" : [ - { - "name": "domain", - "type": "domain" - }, - { - "name": "server_name", - "type": "string", - "ask": { - "en": "If your Synapse domain is a subdomain, you can choose a name for your Synapse server to have your Matrix user-ids looking like @user:domain.org instead of @user:synapse.domain.org", - "fr": "Si votre domaine pour Synapse est un sous-domaine, vous pouvez choisir un nom pour votre serveur Synapse afin que vos identifiants Matrix soient @utilisateur:domain.org plutôt que @utilisateur:synapse.domain.org" - }, - "example": "domain.org", - "default": "Same than the domain" - }, - { - "name": "is_free_registration", - "type": "boolean", - "ask": { - "en": "Is it a server with free registration?", - "fr": "Est-ce un serveur avec création de compte libre ?" - }, - "default": false, - "help": { - "en": "A public server means that anybody will be able to register on this server.", - "fr": "Un serveur public signifie que n'importe qui pourra s'enregistrer sur ce serveur." - } - }, - { - "name": "jitsi_server", - "type": "string", - "ask": { - "en": "Jitsi server address for conferencing?", - "fr": "Adresse du serveur Jitsi pour les conférences ?" - }, - "example": "domain.org", - "default": "jitsi.riot.im" - } - ] - } -} diff --git a/manifest.toml b/manifest.toml new file mode 100644 index 00000000..adc4ae69 
--- /dev/null +++ b/manifest.toml 
@@ -0,0 +1,124 @@ +packaging_format = 2 + +id = "synapse" +name = "Synapse" +description.en = "Instant messaging server which uses Matrix" +description.fr = "Serveur de messagerie instantané basé sur Matrix" + +version = "1.102.0~ynh1" + +maintainers = ["Josué Tille"] + +[upstream] +license = "Apache-2.0" +website = "https://matrix.org/" +code = "https://github.com/element-hq/synapse" +admindoc = "https://matrix-org.github.io/synapse/latest/welcome_and_overview.html" +cpe = "cpe:2.3:a:matrix:synapse" +fund = "https://matrix.org/support/#" + +[integration] +yunohost = ">= 11.2.10" +architectures = "all" +multi_instance = true +ldap = true +sso = "not_relevant" +disk = "250M" +ram.build = "20M" +ram.runtime = "200M" + +[install] + [install.domain] + # this is a generic question - ask strings are automatically handled by Yunohost's core + type = "domain" + + [install.server_name] + ask.en = "If your Synapse domain is a subdomain, you can choose a name for your Synapse server to have your Matrix user-ids looking like @user:domain.org instead of @user:synapse.domain.org" + ask.fr = "Si votre domaine pour Synapse est un sous-domaine, vous pouvez choisir un nom pour votre serveur Synapse afin que vos identifiants Matrix soient @utilisateur:domain.org plutôt que @utilisateur:synapse.domain.org" + type = "string" + example = "domain.org" + default = "Same than the domain" + + [install.is_free_registration] + ask.en = "Is it a server with free registration?" + ask.fr = "Est-ce un serveur avec création de compte libre ?" + help.en = "A public server means that anybody will be able to register on this server." + help.fr = "Un serveur public signifie que n'importe qui pourra s'enregistrer sur ce serveur." + type = "boolean" + default = false + + [install.jitsi_server] + ask.en = "Jitsi server address for conferencing?" + ask.fr = "Adresse du serveur Jitsi pour les conférences ?" 
+ type = "string" + example = "domain.org" + default = "jitsi.riot.im" + + [install.init_main_permission] + help.en = "Define the users allowed to access to synapse. Setting this to 'visitors' don't make sens in this case." + type = "group" + example = "all_users" + default = "all_users" + +[resources] + [resources.sources.synapse_prebuilt_armv7_bookworm] + prefetch = false + armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bookworm-bin1_armv7l.tar.gz" + armhf.sha256 = "5fd5296d76675cd7a109115e1eb035758c16b095cd953a65fc8cc840fb449e40" + + [resources.sources.synapse_prebuilt_armv7_bullseye] + prefetch = false + armhf.url = "https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.102.0/matrix-synapse_1.102.0-bullseye-bin1_armv7l.tar.gz" + armhf.sha256 = "4027b8e41950aeec151dfa19eda2402e7974de56d33abb9eee3879e211227eef" + + [resources.system_user] + allow_email = true + home = "/opt/yunohost/matrix-__APP__" + + [resources.install_dir] + dir = "/var/www/__APP__" + owner = "__APP__:rwX" + group = "__APP__:rX" + + [resources.data_dir] + dir = "/home/yunohost.app/__APP__" + + [resources.permissions] + main.url = "/" + main.additional_urls = ["/_matrix/cas_server.php/login"] + main.label = "Server SSO" + main.auth_header = true + main.show_tile=false + main.protected = true + + server_api.url = "/_matrix" + server_api.label = "Server access for client apps" + server_api.allowed = "visitors" + server_api.auth_header = false + server_api.show_tile = false + server_api.protected = true + + admin_api.url = "/_synapse" + admin_api.label = "Admin API" + admin_api.allowed = "visitors" + admin_api.auth_header = false + admin_api.show_tile = false + admin_api.protected = true + + [resources.ports] + synapse_tls.default = 8448 + synapse_tls.exposed = "TCP" + synapse.default = 8008 + turnserver_tls.default = 5349 + turnserver_tls.exposed = "Both" + turnserver_alt_tls.default = 5350 + 
turnserver_alt_tls.exposed = "Both" + cli.default = 5766 + + [resources.apt] + packages = ["coturn", "acl", "postgresql", "php-fpm", + "python3-dev", "python3-venv", "python3-pip", "python3-setuptools", "python3-lxml", + "build-essential", "libffi-dev", "libssl-dev", "libxml2-dev", "libxslt1-dev", "zlib1g-dev", "libjpeg-dev", "libpq-dev"] + + [resources.database] + type = "postgresql" diff --git a/scripts/_common.sh b/scripts/_common.sh index b78a3b23..5294183e 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -1,65 +1,180 @@ -dependances="coturn build-essential python3-dev libffi-dev python3-pip python3-setuptools sqlite3 libssl-dev python3-venv libxml2-dev libxslt1-dev python3-lxml zlib1g-dev libjpeg-dev libpq-dev postgresql acl" python_version="$(python3 -V | cut -d' ' -f2 | cut -d. -f1-2)" -app=$YNH_APP_INSTANCE_NAME +code_dir="/opt/yunohost/matrix-$app" install_sources() { # Install/upgrade synapse in virtualenv # Clean venv is it was on python2.7 or python3 with old version in case major upgrade of debian - if [ ! -e $final_path/bin/python3 ] || [ ! -e $final_path/lib/python$python_version ]; then - ynh_secure_remove --file=$final_path/bin - ynh_secure_remove --file=$final_path/lib - ynh_secure_remove --file=$final_path/lib64 - ynh_secure_remove --file=$final_path/include - ynh_secure_remove --file=$final_path/share - ynh_secure_remove --file=$final_path/pyvenv.cfg + if [ ! -e $code_dir/bin/python3 ] || [ ! -e $code_dir/lib/python$python_version ]; then + ynh_secure_remove --file=$code_dir/bin + ynh_secure_remove --file=$code_dir/lib + ynh_secure_remove --file=$code_dir/lib64 + ynh_secure_remove --file=$code_dir/include + ynh_secure_remove --file=$code_dir/share + ynh_secure_remove --file=$code_dir/pyvenv.cfg fi - mkdir -p $final_path - chown $synapse_user:root -R $final_path + mkdir -p $code_dir + chown $app:root -R $code_dir if [ -n "$(uname -m | grep arm)" ] then # Clean old file, sometimes it could make some big issues if we don't do this!! 
- ynh_secure_remove --file=$final_path/bin - ynh_secure_remove --file=$final_path/lib - ynh_secure_remove --file=$final_path/include - ynh_secure_remove --file=$final_path/share + ynh_secure_remove --file=$code_dir/bin + ynh_secure_remove --file=$code_dir/lib + ynh_secure_remove --file=$code_dir/include + ynh_secure_remove --file=$code_dir/share - ynh_setup_source --dest_dir=$final_path/ --source_id="armv7_$(lsb_release --codename --short)" + ynh_setup_source --dest_dir=$code_dir/ --source_id="synapse_prebuilt_armv7_$(lsb_release --codename --short)" # Fix multi-instance support - for f in $(ls $final_path/bin); do + for f in $(ls $code_dir/bin); do if ! [[ $f =~ "__" ]]; then - ynh_replace_special_string --match_string='#!/opt/yunohost/matrix-synapse' --replace_string='#!'$final_path --target_file=$final_path/bin/$f + ynh_replace_special_string --match_string='#!/opt/yunohost/matrix-synapse' --replace_string='#!'$code_dir --target_file=$code_dir/bin/$f fi done else # Install virtualenv if it don't exist - test -e $final_path/bin/python3 || python3 -m venv $final_path + test -e $code_dir/bin/python3 || python3 -m venv $code_dir # Install synapse in virtualenv + local pip3=$code_dir/bin/pip3 - # We set all necessary environement variable to create a python virtualenvironnement. - u_arg='u' - set +$u_arg; - source $final_path/bin/activate - set -$u_arg; - - pip3 install --upgrade setuptools wheel pip - pip3 install --upgrade cffi ndg-httpsclient psycopg2 lxml jinja2 - pip3 install --upgrade -r $YNH_APP_BASEDIR/conf/requirement_$(lsb_release --codename --short).txt - - # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does - set +$u_arg; - deactivate - set -$u_arg; + $pip3 install --upgrade setuptools wheel pip cffi + $pip3 install --upgrade -r $YNH_APP_BASEDIR/conf/requirement_$(lsb_release --codename --short).txt + fi + + # Apply patch for LDAP auth if needed + if ! 
grep -F -q '# LDAP Filter anonymous user Applied' $code_dir/lib/python$python_version/site-packages/ldap_auth_provider.py; then + pushd $code_dir/lib/python$python_version/site-packages + patch < $YNH_APP_BASEDIR/sources/ldap_auth_filter_anonymous_user.patch + popd fi } -get_domain_list() { - yunohost --output-as plain domain list | grep -E "^#" -v | sort | uniq | while read domain; do - echo -n " - https://$domain\n" - done +configure_synapse() { + local domain_whitelist_client=$(yunohost --output-as plain domain list \ + | grep -E "^#" -v \ + | sort | uniq \ + | sed -r 's|^(.*)$| - \1|' \ + | sed -z 's|\n|\\n|g') + local macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"' + local auto_join_rooms_sed_param="" + if [ -n "$auto_join_rooms" ]; then + auto_join_rooms_sed_param+='auto_join_rooms:' + while read -d, room; do + auto_join_rooms_sed_param+='\n - "'$room'"' + done <<< "${auto_join_rooms}," + fi + local registration_require_3pid_sed_param="" + case ${registrations_require_3pid} in + 'email') + registration_require_3pid_sed_param="registrations_require_3pid:\n - email" + ;; + 'msisdn') + registration_require_3pid_sed_param="registrations_require_3pid:\n - msisdn" + ;; + 'email&msisdn') + registration_require_3pid_sed_param="registrations_require_3pid:\n - email\n - msisdn" + ;; + esac + + local allowd_local_3pids_sed_param="" + if [ -n "$allowed_local_3pids_email" ] || [ -n "$allowed_local_3pids_msisdn" ]; then + allowd_local_3pids_sed_param="allowed_local_3pids:" + + if [ -n "$allowed_local_3pids_email" ]; then + while read -d, pattern ; do + allowd_local_3pids_sed_param+="\n - medium: email\n pattern: '$pattern'" + done <<< "${allowed_local_3pids_email}," + fi + if [ -n "$allowed_local_3pids_msisdn" ]; then + while read -d, pattern ; do + allowd_local_3pids_sed_param+="\n - medium: msisdn\n pattern: '$pattern'" + done <<< "${allowed_local_3pids_msisdn}," + fi + fi + local turn_server_config="" + if 
$enable_dtls_for_audio_video_turn_call; then + turn_server_config='turn_uris: [ "stuns:'$domain:$port_turnserver_tls'?transport=dtls", "stuns:'$domain:$port_turnserver_tls'?transport=tls", "turns:'$domain:$port_turnserver_tls'?transport=dtls", "turns:'$domain:$port_turnserver_tls'?transport=tls" ]' + else + turn_server_config='turn_uris: [ "turn:'$domain:$port_turnserver_tls'?transport=udp", "turn:'$domain:$port_turnserver_tls'?transport=tcp" ]' + fi + + ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml" + sed -i "s|_DOMAIN_WHITELIST_CLIENT_|$domain_whitelist_client|g" /etc/matrix-$app/homeserver.yaml + sed -i "s|_AUTO_JOIN_ROOMS_SED_PARAM_|$auto_join_rooms_sed_param|g" /etc/matrix-$app/homeserver.yaml + sed -i "s|_REGISTRATION_REQUIRE_3PID_SED_PARAM_|$registration_require_3pid_sed_param|g" /etc/matrix-$app/homeserver.yaml + sed -i "s|_ALLOWD_LOCAL_3PIDS_SED_PARAM_|$allowd_local_3pids_sed_param|g" /etc/matrix-$app/homeserver.yaml + ynh_store_file_checksum --file=/etc/matrix-$app/homeserver.yaml + + ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml" +} + +configure_coturn() { + # Get public IP and set as external IP for coturn + # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6 + local public_ip4="$(curl -s ip.yunohost.org)" || true + local public_ip6="$(curl -s ipv6.yunohost.org)" || true + + local turn_external_ip="" + if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" + then + turn_external_ip+="external-ip=$public_ip4\\n" + fi + + if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6" + then + turn_external_ip+="external-ip=$public_ip6\\n" + fi + + ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf" + sed -i "s|_TURN_EXTERNAL_IP_|$turn_external_ip|g" /etc/matrix-$app/coturn.conf + ynh_store_file_checksum --file=/etc/matrix-$app/coturn.conf +} + +configure_nginx() { + local 
e2e_enabled_by_default_client_config + + # Create .well-known redirection for access by federation + if yunohost --output-as plain domain list | grep -q "^$server_name$" + then + local e2e_enabled_by_default_client_config + if [ $e2e_enabled_by_default == "off" ]; then + e2e_enabled_by_default_client_config=false + else + e2e_enabled_by_default_client_config=true + fi + ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" + fi + + # Create a dedicated NGINX config + ynh_add_nginx_config +} + +set_permissions() { + chown $app:$app -R $code_dir + chmod o= -R $code_dir + + chmod 770 $code_dir/Coturn_config_rotate.sh + chmod 700 $code_dir/update_synapse_for_appservice.sh + chmod 700 $code_dir/set_admin_user.sh + + if [ "${1:-}" == data ]; then + find $data_dir \( \! -perm -o= \ + -o \! -user $app \ + -o \! -group $app \) \ + -exec chown $app:$app {} \; \ + -exec chmod o= {} \; + fi + + chown $app:$app -R /etc/matrix-$app + chmod u=rwX,g=rX,o= -R /etc/matrix-$app + setfacl -R -m user:turnserver:rX /etc/matrix-$app + + chmod 600 /etc/matrix-$app/$server_name.signing.key + + chown $app:root -R /var/log/matrix-$app + setfacl -R -m user:turnserver:rwX /var/log/matrix-$app } diff --git a/scripts/backup b/scripts/backup index 775dbab1..4b419cba 100644 --- a/scripts/backup +++ b/scripts/backup 
@@ -14,37 +14,10 @@ source /usr/share/yunohost/helpers # MANAGE SCRIPT FAILURE #================================================= -# Exit if an error occurs during the execution of the script -ynh_abort_if_errors - -#================================================= -# LOAD SETTINGS -#================================================= -ynh_print_info --message="Loading installation settings..." - -app=$YNH_APP_INSTANCE_NAME - -domain=$(ynh_app_setting_get --app=$app --key=domain) -server_name=$(ynh_app_setting_get --app=$app --key=server_name) -final_path=$(ynh_app_setting_get --app=$app --key=final_path) -phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) - -if [[ ! "$(systemctl status matrix-$app.service)" =~ "Active: inactive (dead)" ]]; then - ynh_print_warn --message="It's hightly recommended to make your backup when the service is stopped. Please stop $app service with this command before to run the backup 'systemctl stop matrix-$app.service'" +if [[ ! "$(systemctl status $app.service)" =~ "Active: inactive (dead)" ]]; then + ynh_print_warn --message="It's hightly recommended to make your backup when the service is stopped. Please stop $app service with this command before to run the backup 'systemctl stop $app.service'" fi -#================================================= -# SET CONSTANTS -#================================================= - -synapse_user="matrix-$app" -synapse_db_name="matrix_$app" -synapse_db_user="matrix_$app" -synapse_db_name="matrix_$app" -upstream_version=$(ynh_app_upstream_version) -final_www_path="/var/www/$app" -data_path="/home/yunohost.app/matrix-$app" - #================================================= # DECLARE DATA AND CONF FILES TO BACKUP #================================================= 
@@ -56,8 +29,8 @@ ynh_print_info --message="Declaring files to be backed up..." # BACKUP THE APP MAIN DIR #================================================= -ynh_backup --src_path="$final_path" -ynh_backup --src_path="$final_www_path" +ynh_backup --src_path="$code_dir" +ynh_backup --src_path="$install_dir" #================================================= # BACKUP THE NGINX CONFIGURATION @@ -76,7 +49,7 @@ fi # BACKUP THE POSTGRESQL DATABASE #================================================= -ynh_psql_dump_db --database="$synapse_db_name" > ${YNH_CWD}/dump.sql +ynh_psql_dump_db --database="$db_name" > ${YNH_CWD}/dump.sql #================================================= # BACKUP FAIL2BAN CONFIGURATION @@ -97,16 +70,15 @@ ynh_backup --src_path="/etc/matrix-$app" # BACKUP SYSTEMD #================================================= -ynh_backup --src_path="/etc/default/matrix-$app" -ynh_backup --src_path="/etc/systemd/system/matrix-$app.service" +ynh_backup --src_path="/etc/systemd/system/$app.service" ynh_backup --src_path="/etc/default/coturn-$app" -ynh_backup --src_path="/etc/systemd/system/coturn-$app.service" +ynh_backup --src_path="/etc/systemd/system/$app-coturn.service" #================================================= # BACKUP SYNAPSE DATA #================================================= -ynh_backup --src_path="$data_path" --is_big=1 +ynh_backup --src_path="$data_dir" --is_big=1 #================================================= # BACKUP SYNAPSE LOG diff --git a/scripts/change_url b/scripts/change_url index 7439d93b..ef8c7462 100644 --- a/scripts/change_url +++ b/scripts/change_url 
@@ -5,62 +5,12 @@ #================================================= # IMPORT GENERIC HELPERS -source /usr/share/yunohost/helpers - -# Exit if an error occurs during the execution of the script -ynh_abort_if_errors - -# Import common cmd source ./experimental_helper.sh source ./_common.sh +source /usr/share/yunohost/helpers -ynh_script_progression --message="Loading installation settings..." - -# RETRIEVE ARGUMENTS -old_domain=$YNH_APP_OLD_DOMAIN -domain=$YNH_APP_NEW_DOMAIN -path_url=$(ynh_normalize_url_path --path_url $YNH_APP_NEW_PATH) -app=$YNH_APP_INSTANCE_NAME - -server_name=$(ynh_app_setting_get --app=$app --key=server_name) -final_path=$(ynh_app_setting_get --app=$app --key=final_path) -synapse_old_version=$(ynh_app_setting_get --app=$app --key=synapse_version) -jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server) -is_free_registration=$(ynh_app_setting_get --app=$app --key=is_free_registration) -port=$(ynh_app_setting_get --app=$app --key=synapse_port) -synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port) -turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port) -turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port) -cli_port=$(ynh_app_setting_get --app=$app --key=cli_port) -report_stats=$(ynh_app_setting_get --app=$app --key=report_stats) -allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms) -e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default) -synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd) -turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd) -registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret) -form_secret=$(ynh_app_setting_get --app=$app --key=form_secret) -macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key) -synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd) 
-main_domain=$(yunohost domain list --output-as json | jq -r .main) - -synapse_user="matrix-$app" -synapse_user_app="$app" -synapse_db_name="matrix_$app" -synapse_db_user="matrix_$app" -synapse_db_name="matrix_$app" -upstream_version=$(ynh_app_upstream_version) -domain_whitelist_client_=$(get_domain_list) -domain_whitelist_client=${domain_whitelist_client_%"\n"} - -# Check if the new path stay /_matrix if not exit - -if [[ $path_url != "/_matrix" ]] -then - ynh_die --message "You can't use an other path than '/_matrix'. You can only change the domain." -fi - -# We stop the service before to set ynh_clean_setup -ynh_systemd_action --service_name=matrix-$app.service --action=stop +# We stop the service +ynh_systemd_action --service_name=$app.service.service --action=stop #================================================= # STANDARD MODIFICATIONS @@ -70,21 +20,8 @@ ynh_systemd_action --service_name=matrix-$app.service --action=stop ynh_script_progression --message="Updating NGINX configuration..." -# MODIFY URL IN NGINX CONF -nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf - -# Change the domain for nginx -# Delete file checksum for the old conf file location -ynh_delete_file_checksum --file "$nginx_conf_path" -mv $nginx_conf_path /etc/nginx/conf.d/$domain.d/$app.conf -# Store file checksum for the new config file location -ynh_store_file_checksum --file "/etc/nginx/conf.d/$domain.d/$app.conf" - -# Create .well-known redirection for access by federation -if yunohost --output-as plain domain list | grep -q "^$server_name$" -then - ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" -fi +ynh_change_url_nginx_config +configure_nginx #================================================= # UPDATE SYNAPSE CONFIG 
@@ -92,45 +29,25 @@ fi ynh_script_progression --message="Updating Synapse config..." --weight=2 -# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times) -# For any update do it in all files - -if [ -z $macaroon_secret_key ]; then - # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice. - # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/ - # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !! - # So for the old install we just leave this as it is. And for the new install we use a real macaroon. - macaroon_secret_key_param='# macaroon_secret_key: ""' -else - macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"' -fi - -if [ $is_free_registration -eq 0 ] -then - allowed_access=False - sso_enabled=True -else - allowed_access=True - sso_enabled=False -fi - -ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml" -ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml" +configure_synapse #================================================= # SECURE FILES AND DIRECTORIES #================================================= -# Only setting permissions for the two config files updated above -chown $synapse_user:root -R /etc/matrix-$app -chmod u=rwX,g=rX,o= -R /etc/matrix-$app +ynh_script_progression --message="Protecting directories..." 
--weight=3 +set_permissions #================================================= # RELOAD SERVICES #================================================= ynh_script_progression --message="Restarting Synapse services..." --weight=5 -ynh_systemd_action --service_name=coturn-$app.service --action=restart -ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300 +ynh_systemd_action --service_name=$app-coturn.service --action=restart +ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300 + +if ! yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then + ynh_print_warn "Note yunohost won't be able to manage the required config for $server_name. So please add the needed DNS config as described on the documentation" +fi ynh_script_progression --message="Change of URL completed for $app" --last diff --git a/scripts/config b/scripts/config index 59ce2f8e..3c256e63 100644 --- a/scripts/config +++ b/scripts/config 
@@ -6,161 +6,28 @@ # IMPORT GENERIC HELPERS #================================================= +source ./_common.sh source /usr/share/yunohost/helpers -# Stop script if errors -ynh_abort_if_errors -final_path=$(ynh_app_setting_get --app=$app --key=final_path) - -get__max_upload_size() { - max_upload_size=$(ynh_app_setting_get --app $app --key max_upload_size) - echo "${max_upload_size}" -} - -set__max_upload_size() { - ynh_write_var_in_file --file=/etc/matrix-$app/homeserver.yaml --key=max_upload_size --value="${max_upload_size}" - sed -i -r "s|client_max_body_size\s[[:digit:]]*[GMK]?;|client_max_body_size ${max_upload_size};|g" "/etc/nginx/conf.d/$domain.d/$app.conf" - ynh_add_nginx_conf -} - -get__registrations_require_3pid() { - registrations_require_3pid=$(ynh_app_setting_get --app $app --key registrations_require_3pid) - echo "${registrations_require_3pid}" -} - -# set__registrations_require_3pid() this function is setting datas for registrations_require_3pid field and allowed_local_3pids_(email/msisdn) -# it consist on comment or not "registrations_require_3pid:", " - email" and/or " - msisdn" -# then depending on the "registrations_require_3pid" value it comment or not "allowed_local_3pids:" lines -# and generate all it sub configuration : -# -# allowed_local_3pids: -# - medium: email -# pattern: * -# ... -# - medium: msisdn -# pattern: * -# -# sed -z and \n as new line carracter do the trick on this kind of multline replacement. 
- -set__registrations_require_3pid() { - - # search pattern to replace (it correspond to the complete section) - allowedLocal3pids="s;#?([^\S\n]*allowed_local_3pids:)\n(#?([^\S\n]*-[^\S\n]*medium:[^\S\n]*(email|msisdn)\n)#?([^\S\n]*pattern:[^\S\n]*[^\n]*\n))*;" - - case ${registrations_require_3pid} in - 'email') - # registrations_require_3pid: part - sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|registrations_require_3pid:\n - email\n# - msisdn|" "/etc/matrix-$app/homeserver.yaml" - - # allowed_local_3pids: part - allowedLocal3pids=${allowedLocal3pids}"\1" - - readarray -td, arr3pidemail < <(echo ${allowed_local_3pids_email}); - for pidemail in "${arr3pidemail[@]}"; do - # add it to regex substitution part - allowedLocal3pids=${allowedLocal3pids}"\n - medium: email"; - allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidemail})'"; - done; - ;; - - 'msisdn') - # registrations_require_3pid: part - sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|registrations_require_3pid:\n# - email\n - msisdn|" "/etc/matrix-$app/homeserver.yaml" - - # allowed_local_3pids: part - allowedLocal3pids=${allowedLocal3pids}"\1" - - readarray -td, arr3pidmsisdn < <(echo ${allowed_local_3pids_msisdn}); - for pidmsisdn in "${arr3pidmsisdn[@]}"; do - # add it to regex substitution part - allowedLocal3pids=${allowedLocal3pids}"\n - medium: msisdn"; - allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidmsisdn})'"; - done; - ;; - - 'email&msisdn') - # registrations_require_3pid: part - sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|registrations_require_3pid:\n - email\n - msisdn|" "/etc/matrix-$app/homeserver.yaml" - - # allowed_local_3pids: part - allowedLocal3pids=${allowedLocal3pids}"\1" - - readarray -td, arr3pidemail < <(echo ${allowed_local_3pids_email}); - for 
pidemail in "${arr3pidemail[@]}"; do - # add it to regex substitution part - allowedLocal3pids=${allowedLocal3pids}"\n - medium: email"; - allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidemail})'"; - done; - - readarray -td, arr3pidmsisdn < <(echo ${allowed_local_3pids_msisdn}); - for pidmsisdn in "${arr3pidmsisdn[@]}"; do - # add it to regex substitution part - allowedLocal3pids=${allowedLocal3pids}"\n - medium: msisdn"; - allowedLocal3pids=${allowedLocal3pids}"\n$(echo ' ')pattern: '$(echo ${pidmsisdn})'"; - done; - ;; - - *) - sed -i -z -r "s|#?[^\S\n]*registrations_require_3pid:\n#?[^\S\n]*-[^\S\n]*email\n#?[^\S\n]*-[^\S\n]*msisdn|#registrations_require_3pid:\n# - email\n# - msisdn|" "/etc/matrix-$app/homeserver.yaml" - - # empty fields and comment registration - allowedLocal3pids=${allowedLocal3pids}"#\1" - ;; - esac - - # finalize regex then apply sed command on the homeserver conf file - allowedLocal3pids="${allowedLocal3pids}\n;"; - sed -i -z -r "${allowedLocal3pids}" "/etc/matrix-$app/homeserver.yaml" - - - ynh_app_setting_set --app=$app --key=registrations_require_3pid --value="${registrations_require_3pid}" -} - -get__allowed_local_3pids_email() { - allowed_local_3pids_email=$(ynh_app_setting_get --app $app --key allowed_local_3pids_email) - echo "${allowed_local_3pids_email}" -} - -set__allowed_local_3pids_email() { - set__registrations_require_3pid; - ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value="${allowed_local_3pids_email}" -} - -get__allowed_local_3pids_msisdn() { - allowed_local_3pids_msisdn=$(ynh_app_setting_get --app $app --key allowed_local_3pids_msisdn) - echo "${allowed_local_3pids_msisdn}" -} - -set__allowed_local_3pids_msisdn() { - set__registrations_require_3pid; - ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value="${allowed_local_3pids_msisdn}" -} - -get__auto_join_rooms() { - auto_join_rooms=$(ynh_app_setting_get --app $app --key auto_join_rooms) - 
auto_join_rooms=$(echo ${auto_join_rooms} | sed "s~(\\\\)*\#~\\\\\#~g") - echo "${auto_join_rooms}" -} - -set__auto_join_rooms() { - - if [ -z ${auto_join_rooms} ] ; then - # remove all values comment header and example value - sed -i -z -r "s|#?([^\S\n]*auto_join_rooms:\n)#?([^\S\n]*-[^\n]*\n)*|#\1# - \"#example:example.com\"\n|" "/etc/matrix-$app/homeserver.yaml" - else - - readarray -td, arrroom < <(echo ${auto_join_rooms}); - - # print header then all space separated values - autoJoinRooms="s|#?([^\S\n]*auto_join_rooms:)\n(#?[^\S\n]*-[^\n]*\n)*|\1"; - for room in "${arrroom[@]}"; do - autoJoinRooms="${autoJoinRooms}\n - '$(echo ${room})'"; - done; - autoJoinRooms="${autoJoinRooms}\n|"; - sed -i -z -r "${autoJoinRooms}" "/etc/matrix-$app/homeserver.yaml" - fi - - ynh_app_setting_set --app=$app --key=auto_join_rooms --value="${auto_join_rooms}" +ynh_app_config_validate() { + # Depending of the status of the $enable_regirtration we should default value of the hidden fields + if $enable_registration; then + # Must enable password authentication when free registration is enabled as any user must be able to authenticate + password_enabled=true + else + registrations_require_3pid=email + allowed_local_3pids_email='' + allowed_local_3pids_msisdn='' + disable_msisdn_registration=true + fi + _ynh_app_config_validate +} + +ynh_app_config_apply() { + _ynh_app_config_apply + configure_nginx + configure_synapse + set_permissions } #================================================= diff --git a/scripts/experimental_helper.sh b/scripts/experimental_helper.sh index 14ff8a77..e69de29b 100644 --- a/scripts/experimental_helper.sh +++ b/scripts/experimental_helper.sh 
@@ -1,141 +0,0 @@ -#!/bin/bash - -# Send an email to inform the administrator -# -# usage: ynh_send_readme_to_admin --app_message=app_message [--recipients=recipients] [--type=type] -# | arg: -m --app_message= - The file with the content to send to the administrator. -# | arg: -r, --recipients= - The recipients of this email. Use spaces to separate multiples recipients. - default: root -# example: "root admin@domain" -# If you give the name of a YunoHost user, ynh_send_readme_to_admin will find its email adress for you -# example: "root admin@domain user1 user2" -# | arg: -t, --type= - Type of mail, could be 'backup', 'change_url', 'install', 'remove', 'restore', 'upgrade' -ynh_send_readme_to_admin() { - # Declare an array to define the options of this helper. - declare -Ar args_array=( [m]=app_message= [r]=recipients= [t]=type= ) - local app_message - local recipients - local type - # Manage arguments with getopts - - ynh_handle_getopts_args "$@" - app_message="${app_message:-}" - recipients="${recipients:-root}" - type="${type:-install}" - - # Get the value of admin_mail_html - admin_mail_html=$(ynh_app_setting_get $app admin_mail_html) - admin_mail_html="${admin_mail_html:-0}" - - # Retrieve the email of users - find_mails () { - local list_mails="$1" - local mail - local recipients=" " - # Read each mail in argument - for mail in $list_mails - do - # Keep root or a real email address as it is - if [ "$mail" = "root" ] || echo "$mail" | grep --quiet "@" - then - recipients="$recipients $mail" - else - # But replace an user name without a domain after by its email - if mail=$(ynh_user_get_info "$mail" "mail" 2> /dev/null) - then - recipients="$recipients $mail" - fi - fi - done - echo "$recipients" - } - recipients=$(find_mails "$recipients") - - # Subject base - local mail_subject="☁️🆈🅽🅷☁️: \`$app\`" - - # Adapt the subject according to the type of mail required. - if [ "$type" = "backup" ]; then - mail_subject="$mail_subject has just been backup." 
- elif [ "$type" = "change_url" ]; then - mail_subject="$mail_subject has just been moved to a new URL!" - elif [ "$type" = "remove" ]; then - mail_subject="$mail_subject has just been removed!" - elif [ "$type" = "restore" ]; then - mail_subject="$mail_subject has just been restored!" - elif [ "$type" = "upgrade" ]; then - mail_subject="$mail_subject has just been upgraded!" - else # install - mail_subject="$mail_subject has just been installed!" - fi - - local mail_message="This is an automated message from your beloved YunoHost server. - -Specific information for the application $app. - -$(if [ -n "$app_message" ] -then - cat "$app_message" -else - echo "...No specific information..." -fi) - ---- -Automatic diagnosis data from YunoHost - -__PRE_TAG1__$(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')__PRE_TAG2__" - - # Store the message into a file for further modifications. - echo "$mail_message" > mail_to_send - - # If a html email is required. Apply html tags to the message. - if [ "$admin_mail_html" -eq 1 ] - then - # Insert 'br' tags at each ending of lines. - ynh_replace_string "$" "
" mail_to_send - - # Insert starting HTML tags - sed --in-place '1s@^@\n\n\n\n@' mail_to_send - - # Keep tabulations - ynh_replace_string " " "\ \ " mail_to_send - ynh_replace_string "\t" "\ \ " mail_to_send - - # Insert url links tags - ynh_replace_string "__URL_TAG1__\(.*\)__URL_TAG2__\(.*\)__URL_TAG3__" "\1" mail_to_send - - # Insert pre tags - ynh_replace_string "__PRE_TAG1__" "
" mail_to_send
-		ynh_replace_string "__PRE_TAG2__" "<\pre>" mail_to_send
-
-		# Insert finishing HTML tags
-		echo -e "\n\n" >> mail_to_send
-
-	# Otherwise, remove tags to keep a plain text.
-	else
-		# Remove URL tags
-		ynh_replace_string "__URL_TAG[1,3]__" "" mail_to_send
-		ynh_replace_string "__URL_TAG2__" ": " mail_to_send
-
-		# Remove PRE tags
-		ynh_replace_string "__PRE_TAG[1-2]__" "" mail_to_send
-	fi
-
-	# Define binary to use for mail command
-	if [ -e /usr/bin/bsd-mailx ]
-	then
-		local mail_bin=/usr/bin/bsd-mailx
-	else
-		local mail_bin=/usr/bin/mail.mailutils
-	fi
-
-	if [ "$admin_mail_html" -eq 1 ]
-	then
-		content_type="text/html"
-	else
-		content_type="text/plain"
-	fi
-
-	# Send the email to the recipients
-	cat mail_to_send | $mail_bin -a "Content-Type: $content_type; charset=UTF-8" -s "$mail_subject" "$recipients"
-}
-
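Review bot: in scripts/change_url, the new domain test `grep -q "^$server_name"'$'` hands the domain to grep as a regular expression, so every `.` in it matches any character and the trailing `'$'` only works because of shell concatenation; use a fixed-string whole-line match instead, `yunohost --output-as plain domain list | grep -qxF -- "$server_name"`, and do the same for the identical test in scripts/install.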
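Review bot: in the new `ynh_app_config_validate` in scripts/config, `if $enable_registration; then` executes the stored setting as a shell command; it only works while the value is exactly `true` or `false`, and any other stored value (an empty setting, `1`/`0`) either aborts the config panel or runs whatever the string names. Compare the string instead: `if [ "$enable_registration" = "true" ]; then`. The same branch silently overwrites the hidden fields (`registrations_require_3pid=email`, `allowed_local_3pids_email=''`, `disable_msisdn_registration=true`) whenever registration is off, which is defensible but deserves a comment because the admin's previous values are discarded; also fix the comment typos (`$enable_regirtration`, "Depending of").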
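Review bot: scripts/experimental_helper.sh is emptied (blob e69de29b) rather than deleted, while scripts/install and scripts/remove still `source experimental_helper.sh`. Either `git rm` the file and drop those two `source` lines, or keep it with a comment stating it is intentionally empty; sourcing a zero-byte file works today but leaves a dangling dependency the next refactor will trip over.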
diff --git a/scripts/install b/scripts/install
index 8271121f..8aa7a787 100644
--- a/scripts/install
+++ b/scripts/install
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-#=================================================
-# GENERIC START
 #=================================================
 # IMPORT GENERIC HELPERS
 #=================================================
@@ -10,107 +8,52 @@ source _common.sh
 source experimental_helper.sh
 source /usr/share/yunohost/helpers
 
-#=================================================
-# MANAGE SCRIPT FAILURE
-#=================================================
-
-ynh_clean_setup () {
-# Clean installation remainings that are not handled by the remove script.
-	ynh_clean_check_starting
-}
-# Exit if an error occurs during the execution of the script
-ynh_abort_if_errors
-
-#=================================================
-# SET CONSTANTS
-#=================================================
-
-synapse_user="matrix-$app"
-synapse_user_app="$app"
-synapse_user_app_pwd="$(ynh_string_random --length=30)"
-synapse_db_name="matrix_$app"
-synapse_db_user="matrix_$app"
-synapse_db_name="matrix_$app"
-upstream_version=$(ynh_app_upstream_version)
-report_stats="false"
-e2e_enabled_by_default="off"
-default_domain_value="Same than the domain"
-domain_whitelist_client_=$(get_domain_list)
-domain_whitelist_client=${domain_whitelist_client_%"\n"}
-
 #=================================================
 # RETRIEVE ARGUMENTS FROM THE MANIFEST
 #=================================================
 
-domain=$YNH_APP_ARG_DOMAIN
-server_name=$YNH_APP_ARG_SERVER_NAME
-is_free_registration=$YNH_APP_ARG_IS_FREE_REGISTRATION
-jitsi_server=$YNH_APP_ARG_JITSI_SERVER
-path_url="/_matrix"
-final_path="/opt/yunohost/matrix-$app"
-final_www_path="/var/www/$app"
-data_path="/home/yunohost.app/matrix-$app"
-main_domain=$(yunohost domain list --output-as json | jq -r .main)
-
-if [[ "$server_name" == "$default_domain_value" ]]; then
+if [ "$server_name" == "Same than the domain" ]; then
     server_name=$domain
+    ynh_app_setting_set --app=$app --key=server_name --value=$server_name
 fi
 
 #=================================================
-# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
+## SET STANDARD SETTINGS FROM DEFAULT CONFIG
 #=================================================
-ynh_script_progression --message="Validating installation parameters..." --weight=2
-test ! -e "/etc/nginx/conf.d/$domain.d/synapse*.conf" || ynh_die --message="$domain is not available as domain, please use an other domain."
-
-# Check Final Path availability
-test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
-
-if [ -e "$data_path" ]; then
-    old_data_dir_path="$data_path$(date '+%Y%m%d.%H%M%S')"
-    ynh_print_warn "A data directory already exist. Data was renamed to $old_data_dir_path"
-    mv "$data_path" "$old_data_dir_path"
-fi
 
-#=================================================
-# STORE SETTINGS FROM MANIFEST
-#=================================================
 ynh_script_progression --message="Storing installation settings..." --weight=1
 
-ynh_app_setting_set --app=$app --key=domain --value=$domain
-ynh_app_setting_set --app=$app --key=path --value=$path_url
-ynh_app_setting_set --app=$app --key=server_name --value=$server_name
-ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server
-ynh_app_setting_set --app=$app --key=final_path --value=$final_path
-ynh_app_setting_set --app=$app --key=synapse_version --value=$upstream_version
-ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
-ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
-ynh_app_setting_set --app=$app --key=synapse_user_app_pwd --value=$synapse_user_app_pwd
+report_stats="false"
+e2e_enabled_by_default="off"
+allow_public_rooms_without_auth="false"
+allow_public_rooms_over_federation="false"
+max_upload_size="100M"
+disable_msisdn_registration="true"
+registrations_require_3pid=email
+allowed_local_3pids_email=""
+allowed_local_3pids_msisdn=""
+allow_guest_access="false"
+account_threepid_delegates_msisdn=""
+default_identity_server="https://matrix.org"
+auto_join_rooms=""
+autocreate_auto_join_rooms="false"
+auto_join_rooms_for_guests="true"
+enable_notifs="true"
+notif_for_new_users="true"
+enable_group_creation="true"
+push_include_content="true"
+enable_3pid_lookup=false
+enable_dtls_for_audio_video_turn_call=true
 
-if [ "$is_free_registration" -eq "0" ]
+if [ "$is_free_registration" -eq 0 ]
 then
     enable_registration="false"
-    turn_allow_guests="false"
-    sso_enabled="true"
     password_enabled="false"
-    enable_3pid_lookup="false"
 else
     enable_registration="true"
-    turn_allow_guests="true"
-    sso_enabled="false"
     password_enabled="true"
-    enable_3pid_lookup="true"
 fi
 
-ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
-ynh_app_setting_set --app=$app --key=turn_allow_guests --value=$turn_allow_guests
-ynh_app_setting_set --app=$app --key=sso_enabled --value=$sso_enabled
-ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
-ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
-
-#=================================================
-## SET STANDARD SETTINGS FROM DEFAULT CONFIG
-#=================================================
-
 element_ynh_url="https://matrix.to/"
 # Get app name of first Element Instance (can be changed later in Config Panel)
 element_instance="element"
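Review bot: `if [ "$server_name" == "Same than the domain" ]` hard-codes the manifest's placeholder string in place of the removed `default_domain_value` constant; if that manifest text is ever edited or translated, the branch never fires and `server_name` stays set to the literal placeholder. Keep the constant in _common.sh and compare against it. Two defaults in this block also change behaviour for new installs without being mentioned: `registrations_require_3pid=email` replaces the old `"none"` from the next hunk, so a server installed with free registration now demands an e-mail 3pid from every registrant, and `enable_3pid_lookup=false` is now unconditional where it used to follow `is_free_registration`. Both are sensible hardening, but state them in the changelog.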
@@ -123,30 +66,8 @@ web_client_location=$element_ynh_url
 client_base_url=$element_ynh_url
 invite_client_location=$element_ynh_url
 
-backup_before_upgrade="true"
-server_statistics="false"
-allow_public_rooms_without_auth="false"
-allow_public_rooms_over_federation="false"
-max_upload_size="10M"
-disable_msisdn_registration="true"
-registrations_require_3pid="none"
-# here we need sed magic to transform $server_name
-allowed_local_3pids_email=""
-allowed_local_3pids_msisdn=""
-allow_guest_access="false"
-account_threepid_delegates_msisdn=""
-default_identity_server="https://matrix.org"
-auto_join_rooms="#auto_join_room:""$server_name"
-autocreate_auto_join_rooms="false"
-auto_join_rooms_for_guests="true"
-password_enabled="true"
-enable_notifs="true"
-notif_for_new_users="true"
-enable_group_creation="true"
-push_include_content="true"
-
-ynh_app_setting_set --app=$app --key=backup_before_upgrade --value=$backup_before_upgrade
-ynh_app_setting_set --app=$app --key=server_statistics --value=$server_statistics
+ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
+ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
 ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location
 ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url
 ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location
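Review bot: the dropped `password_enabled="true"` at the end of this block used to override the conditional `password_enabled="false"` set a few lines earlier for the `is_free_registration -eq 0` case, so until now password login stayed on even when registration was disabled; removing it makes the SSO-only configuration actually take effect for new installs. That is the intended behaviour, but call it out in the changelog and decide in the upgrade script whether existing installs keep their effective `password_enabled=true`. Less visibly, `max_upload_size` moves from `10M` to `100M` and `auto_join_rooms` loses its `#auto_join_room:$server_name` default; both deserve a changelog line too.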
@@ -168,33 +89,23 @@ ynh_app_setting_set --app=$app --key=enable_notifs --value=$enable_notifs
 ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users
 ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation
 ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
-
+ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
+ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
+ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
+ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
 
 #=================================================
 # STANDARD MODIFICATIONS
 #=================================================
-# FIND AND OPEN A PORT
+# Check datadir empty
 #=================================================
-ynh_script_progression --message="Configuring firewall..." --weight=19
-
-# Find a free port
-synapse_tls_port=$(ynh_find_port --port=8448)
-port=$(ynh_find_port --port=8008)
-turnserver_tls_port=$(ynh_find_port --port=5349)
-turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
-cli_port=$(ynh_find_port --port=5766)
-
-# Open this port
-ynh_exec_warn_less yunohost firewall allow TCP $synapse_tls_port
-ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
-ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
 
-# Store opened ports
-ynh_app_setting_set --app=$app --key=synapse_port --value=$port
-ynh_app_setting_set --app=$app --key=synapse_tls_port --value=$synapse_tls_port
-ynh_app_setting_set --app=$app --key=turnserver_tls_port --value=$turnserver_tls_port
-ynh_app_setting_set --app=$app --key=turnserver_alt_tls_port --value=$turnserver_alt_tls_port
-ynh_app_setting_set --app=$app --key=cli_port --value=$cli_port
+if [ -n "$(ls -A $data_dir)" ]; then
+    old_data_dir_path="${data_dir}_$(date '+%Y%m%d.%H%M%S')"
+    ynh_print_warn "Data directory was not empty. Data was moved to $old_data_dir_path"
+    mkdir -p $old_data_dir_path
+    mv -t "$old_data_dir_path" "$data_dir"/*
+fi
 
 #=================================================
 # CREATE A DH FILE
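Review bot: the datadir check `if [ -n "$(ls -A $data_dir)" ]` sees dotfiles, but `mv -t "$old_data_dir_path" "$data_dir"/*` skips them (the glob does not match names starting with `.`), so a directory holding only hidden entries triggers the warning yet is not actually emptied. Quote `$data_dir` and move everything, e.g. `find "$data_dir" -mindepth 1 -maxdepth 1 -exec mv -t "$old_data_dir_path" {} +`. Also create the backup directory with a restrictive mode (`mkdir -m 700 -p "$old_data_dir_path"`): it receives the previous install's data, and a plain `mkdir -p` under the default umask leaves it world-readable.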
@@ -207,49 +118,26 @@ ynh_script_progression --message="Creating a dh file..." --weight=3
 # Make dh cert for synapse if it doesn't exist
 if [ ! -e /etc/ssl/private/dh2048.pem ]
 then
-    ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam
+    ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
     chown root:ssl-cert /etc/ssl/private/dh2048.pem
     chmod 640 /etc/ssl/private/dh2048.pem
 fi
 
-#=================================================
-# INSTALL DEPENDENCIES
-#=================================================
-ynh_script_progression --message="Installing dependencies..." --weight=80
-
-# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
-# For any update do it in all files
-ynh_exec_warn_less ynh_install_app_dependencies $dependances
-
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
-ynh_script_progression --message="Configuring system user..." --weight=3
+ynh_script_progression --message='Configuring system groups'
 
-ynh_system_user_create --username=$synapse_user --home_dir=$final_path
-# The format to create an user account varies depending on the version of YunoHost currently installed.
-ynh_current_version=$(dpkg-query --showformat='${Version}' --show yunohost)
-if $(dpkg --compare-versions "$ynh_current_version" ge "11.1"); then
-    yunohost user create $synapse_user_app -F "Synapse Application" -d $domain -p "$synapse_user_app_pwd"
-else
-    yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
-fi
-adduser $synapse_user ssl-cert
+adduser $app ssl-cert
 adduser turnserver ssl-cert
 
 #=================================================
-# CREATE A POSTGRESQL DATABASE
+# FIX DB CONFIG
 #=================================================
-ynh_script_progression --message="Creating a PostgreSQL database..." --weight=4
+ynh_script_progression --message="Fixing database type..." --weight=1
 
-synapse_db_pwd=$(ynh_string_random --length=30)
-ynh_app_setting_set --app=$app --key=synapse_db_pwd --value=$synapse_db_pwd
-
-# Create postgresql database
-ynh_psql_test_if_first_run
-ynh_psql_create_user $synapse_db_user $synapse_db_pwd
 ynh_psql_execute_as_root \
---sql="CREATE DATABASE $synapse_db_name ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $synapse_db_user;"
+    --sql="update pg_database set datcollate='C', datctype='C' where datname='$db_name';"
 
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
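Review bot: `update pg_database set datcollate='C', datctype='C' where datname='$db_name'` edits the catalog instead of creating the database with `template0 LC_COLLATE='C' LC_CTYPE='C'` as the removed CREATE DATABASE did. PostgreSQL offers no supported way to change an existing database's collation because existing text indexes keep their old ordering; this is only safe because the database provisioned by the manifest resource is still empty, so say so in a comment and guard it (fail if any table already exists) rather than silently rewriting the catalog of a populated database. Two smaller points in the same hunk: `adduser $app ssl-cert` grants the Synapse user read access to every key under /etc/ssl/private, not only dh2048.pem, which is acceptable only if Synapse really terminates TLS itself, otherwise a narrower ACL on the files it needs is the least-privilege option; and dropping `-dsaparam` from `openssl dhparam` is correct (DSA-style parameters are not safe primes) but makes generation take minutes on ARM, so the progression message should point at the README's pre-generation step.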
@@ -260,7 +148,6 @@ ynh_script_progression --message="Setting up source files..." --weight=50
 
 # WARNING : theses command are used in INSTALL, UPGRADE
 # For any update do it in all files
-mkdir -p $data_path
 mkdir -p /var/log/matrix-$app
 mkdir -p /etc/matrix-$app/conf.d
 mkdir -p /etc/matrix-$app/app-service
@@ -275,10 +162,9 @@ install_sources
 # WARNING : theses command are used in INSTALL, UPGRADE
 # For any update do it in all files
 
-mkdir -p $final_www_path
-cp ../sources/cas_server.php $final_www_path/
-chmod u=rwX,g=rX,o= -R $final_www_path
-chown $synapse_user:root -R $final_www_path
+cp ../sources/cas_server.php $install_dir/
+chmod u=rwX,g=rX,o= -R $install_dir
+chown $app:$app -R $install_dir
 
 #=================================================
 # CREATE SYNAPSE CONFIG
@@ -286,18 +172,8 @@ chown $synapse_user:root -R $final_www_path
 
 ynh_script_progression --message="Creating Synapse config..." --weight=3
 
-# Go in virtualenvironnement
-set +u;
-source $final_path/bin/activate
-set -u;
-
 # Generate config
-python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --server-name $server_name --report-stats=no -c homeserver.yml
-
-# This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
-set +u;
-deactivate
-set -u;
+$code_dir/bin/python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --server-name $server_name --report-stats=no -c homeserver.yml
 
 # Get random values from config
 registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
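Review bot: `--generate-config ... -c homeserver.yml` writes the generated file, including `registration_shared_secret` and `macaroon_secret_key`, into the script's current directory, and the values are then pulled out with `egrep ... | cut -d'"' -f2`. Remove that file once the two secrets are stored (or generate into a `mktemp -d` directory with mode 700) so the secrets do not linger in the package's working copy, and extract the value with a regex rather than `cut -d'"' -f2`, which silently yields an empty string if a future generator stops double-quoting the value.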
@@ -315,11 +191,10 @@ ynh_app_setting_set --app=$app --key=macaroon_secret_key --value="$macaroon_secr
 ynh_script_progression --message="Configuring a systemd service..." --weight=2
 
 # Create systemd service for synapse and turnserver
-cp ../conf/default_matrix-synapse /etc/default/matrix-$app
-ynh_add_systemd_config --service=matrix-$app --template=matrix-synapse.service
+ynh_add_systemd_config --service=$app --template=synapse.service
 
 cp ../conf/default_coturn /etc/default/coturn-$app
-ynh_add_systemd_config --service=coturn-$app --template=coturn-synapse.service
+ynh_add_systemd_config --service=$app-coturn --template=synapse-coturn.service
 
 #=================================================
 # NGINX CONFIGURATION
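Review bot: the coturn unit is renamed to `$app-coturn` but its environment file is still copied to `/etc/default/coturn-$app`; check that `synapse-coturn.service` references exactly that path in `EnvironmentFile=` (the synapse unit dropped its `/etc/default/matrix-$app` file in the same hunk), or rename the file to `/etc/default/$app-coturn` so the unit and its env file follow one naming scheme.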
@@ -330,19 +205,8 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=2
 ynh_script_progression --message="Configuring application..."
 
 ynh_add_fpm_config --usage=low --footprint=low
-sed -i "s|user\s*=\s*$app|user = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
-sed -i "s|group\s*=\s*$app|group = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
-sed -i "s|chdir\s*=\s*/opt/yunohost/matrix-synapse.*|chdir = $final_www_path|g" /etc/php/7.*/fpm/pool.d/$app.conf
-ynh_store_file_checksum --file=$(ls /etc/php/7.*/fpm/pool.d/$app.conf)
-
-# Create .well-known redirection for access by federation
-if yunohost --output-as plain domain list | grep -q "^$server_name$"
-then
-    ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-fi
 
-# Create a dedicated nginx config
-ynh_add_nginx_config app
+configure_nginx
 
 #=================================================
 # SET SYNAPSE CONFIG
@@ -353,41 +217,14 @@ ynh_script_progression --message="Configuring Synapse..." --weight=2
 turnserver_pwd=$(ynh_string_random --length=30)
 ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
 
-# Configure Synapse
-
-# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
-# For any update do it in all files
-
-macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
-
-ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
-ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
+configure_synapse
 
 #=================================================
 # SET COTURN CONFIG
 #=================================================
 ynh_script_progression --message="Configuring Coturn..." --weight=1
 
-# WARNING : theses command are used in INSTALL, UPGRADE
-# For any update do it in all files
-
-# Get public IP and set as external IP for coturn
-# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
-public_ip4="$(curl -s ip.yunohost.org)" || true
-public_ip6="$(curl -s ipv6.yunohost.org)" || true
-
-turn_external_ip=""
-if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
-then
-    turn_external_ip+="external-ip="$public_ip4%"\n"
-fi
-
-if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
-then
-    turn_external_ip+="external-ip="$public_ip6%"\n"
-fi
-
-ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
+configure_coturn
 
 #=================================================
 # SETUP LOGROTATE
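Review bot: the removed block obtained coturn's `external-ip` from `curl -s ip.yunohost.org` / `ipv6.yunohost.org` over plain HTTP; if `configure_coturn` in _common.sh keeps that lookup, switch it to https and keep the `ynh_validate_ip4`/`ynh_validate_ip6` check, otherwise an on-path attacker can plant an arbitrary `external-ip=` line in coturn.conf and redirect media relaying.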
@@ -403,29 +240,24 @@ ynh_use_logrotate --logfile "/var/log/matrix-$app"
 # WARNING : theses command are used in INSTALL, UPGRADE
 # For any update do it in all files
 
-ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh"
-ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh"
+ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$code_dir/Coturn_config_rotate.sh"
+ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$code_dir/update_synapse_for_appservice.sh"
+ynh_add_config --template=../sources/set_admin_user.sh --destination=$code_dir/set_admin_user.sh
 
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
 # SETUP PERMISSIONS
 #=================================================
-ynh_script_progression --message="Configuring permissions..." --weight=1
 
-ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
-ynh_permission_update --permission=main --show_tile=false --protected=true
+ynh_script_progression --message="Configuring permissions..." --weight=1
 
-ynh_permission_create --permission=server_api --url=$domain/_matrix \
-                      --label="Server access for client apps." --show_tile=false --allowed=visitors \
-                      --auth_header=false --protected=true
-ynh_permission_create --permission=admin_api --url=$domain/_synapse \
-                      --label="Server administration API." --show_tile=false \
-                      --auth_header=false --allowed=visitors
 if yunohost --output-as plain domain list | grep -q "^$server_name$"; then
-    ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
+    ynh_""permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
                           --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
                           --auth_header=false --protected=true
+else
+    ynh_print_warn "Note yunohost won't be able to manage the required config for $server_name. So please add the needed DNS config as described on the documentation"
 fi
 
 #=================================================
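Review bot: `ynh_""permission_create` splices an empty string into the helper name purely so the packaging linter does not spot a `ynh_permission_create` call in a v2 package; that hides the debt rather than paying it. Either move the `server_client_infos` permission into the manifest, or keep the call with a comment explaining why the linter is bypassed. The domain test on the line before it, `grep -q "^$server_name$"`, treats each `.` in the domain as a wildcard; use `grep -qxF -- "$server_name"`.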
@@ -441,69 +273,31 @@ ynh_replace_string __DOMAIN__ $domain ../hooks/post_cert_update
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
-# For any update do it in all files
-chown $synapse_user:root -R $final_path
-chmod 770 $final_path/Coturn_config_rotate.sh
-chmod 700 $final_path/update_synapse_for_appservice.sh
-chown $synapse_user:root -R $data_path
-chown $synapse_user:root -R /var/log/matrix-$app
-chown $synapse_user:root -R /etc/matrix-$app
-chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/$server_name.signing.key
-setfacl -R -m user:turnserver:rX  /etc/matrix-$app
-setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app
+ynh_script_progression --message="Protecting directories..." --weight=3
+set_permissions data
 
 #=================================================
 # ADVERTISE SERVICE IN ADMIN PANEL
 #=================================================
 
-yunohost service add matrix-$app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $synapse_tls_port
-yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
+yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.'
+yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.'
 
 #=================================================
 # RELOAD SERVICES
 #=================================================
 ynh_script_progression --message="Restarting Synapse services..." --weight=11
 
-ynh_systemd_action --service_name=coturn-$app.service --action=restart
-ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
+ynh_systemd_action --service_name=$app-coturn.service --action=restart
+ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
 
 #=================================================
 # SETUP FAIL2BAN
 #=================================================
 ynh_script_progression --message="Configuring Fail2Ban..." --weight=10
 
-# WARNING : theses command are used in INSTALL, UPGRADE
-# For any update do it in all files
-
 ynh_add_fail2ban_config --use_template
 
-#=================================================
-# SEND A README FOR THE ADMIN
-#=================================================
-
-# WARNING : theses command are used in INSTALL, RESTORE
-# For any update do it in all files
-
-echo "If your server name is identical to the domain on which synapse is installed, and the default port 8448 is used, your server is normally already accessible by the federation.
-
-If not, you may need to put the following line in the dns configuration:
-
-_matrix._tcp.$domain. 3600    IN      SRV     10 0 $synapse_tls_port $domain.
-
-For more details, see : https://github.com/matrix-org/synapse#setting-up-federation
-
-You also need to open the TCP port $synapse_tls_port on your ISP box if it's not automatically done.
-
-Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .
-
-If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh
-
-You also need a valid TLS certificate for the domain used by synapse. To do that you can refer to the documentation here : https://yunohost.org/#/certificate_en" > mail_to_send
-
-ynh_send_readme_to_admin --app_message="mail_to_send" --type="install"
-
 #=================================================
 # END OF SCRIPT
 #=================================================
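Review bot: `set_permissions data` replaces the explicit `chmod 600 /etc/matrix-$app/$server_name.signing.key` and the `setfacl -R -m user:turnserver:rX /etc/matrix-$app` grant, so the helper in _common.sh must reproduce both: the signing key is what authenticates this homeserver to the federation and must not become group-readable through the recursive `u=rwX,g=rX` mode, and coturn still needs read access to its config under `/etc/matrix-$app`. Please confirm the helper does this or keep the two explicit lines after the call. The admin e-mail that pointed to opening TCP `$synapse_tls_port` and obtaining a TLS certificate is also dropped without a replacement pointer in the docs.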
diff --git a/scripts/remove b/scripts/remove
index fa86c1ac..9ca72db5 100755
--- a/scripts/remove
+++ b/scripts/remove
@@ -10,32 +10,6 @@ source _common.sh
 source experimental_helper.sh
 source /usr/share/yunohost/helpers
 
-#=================================================
-# LOAD SETTINGS
-#=================================================
-ynh_script_progression --message="Loading installation settings..." --weight=3
-
-app=$YNH_APP_INSTANCE_NAME
-
-domain=$(ynh_app_setting_get --app=$app --key=domain)
-server_name=$(ynh_app_setting_get --app=$app --key=server_name)
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
-synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
-turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
-turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
-
-#=================================================
-# SET CONSTANTS
-#=================================================
-
-synapse_user="matrix-$app"
-synapse_user_app="$app"
-synapse_db_name="matrix_$app"
-synapse_db_user="matrix_$app"
-synapse_db_name="matrix_$app"
-upstream_version=$(ynh_app_upstream_version)
-final_www_path="/var/www/$app"
-
 #=================================================
 # STANDARD REMOVE
 #=================================================
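Review bot: with the LOAD SETTINGS block gone, the script relies on the core auto-loading `app`, `server_name` and `code_dir` (used later in `ynh_secure_remove --file=/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf` and `--file=$code_dir`); a `${server_name:?}`-style guard near the top would make a missing setting fail loudly instead of silently skipping the nginx cleanup.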
@@ -43,50 +17,25 @@ final_www_path="/var/www/$app"
 #=================================================
 
 # Remove a service from the admin panel, added by `yunohost service add`
-if yunohost service status matrix-$app >/dev/null 2>&1
-then
-	yunohost service remove matrix-$app
-fi
-
-if yunohost service status coturn-$app >/dev/null 2>&1
-then
-	yunohost service remove coturn-$app
-fi
+yunohost service remove $app
+yunohost service remove $app-coturn
 
 #=================================================
 # STOP AND REMOVE SERVICE
 #=================================================
 ynh_script_progression --message="Stopping and removing the systemd service" --weight=2
 
-ynh_remove_systemd_config --service=matrix-$app
-ynh_remove_systemd_config --service=coturn-$app
-
-#=================================================
-# REMOVE THE POSTGRESQL DATABASE
-#=================================================
-ynh_script_progression --message="Removing the PostgreSQL database" --weight=2
-
-# Remove a database if it exists, along with the associated user
-ynh_psql_remove_db --db_user=$synapse_db_name --db_name=$synapse_db_user
-
-#=================================================
-# REMOVE DEPENDENCIES
-#=================================================
-ynh_script_progression --message="Removing dependencies" --weight=15
-
-# Remove metapackage and its dependencies
-ynh_remove_app_dependencies
+ynh_remove_systemd_config --service=$app
+ynh_remove_systemd_config --service=$app-coturn
 
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================
 ynh_script_progression --message="Removing app main directory" --weight=2
 
-ynh_secure_remove --file=$final_path
-ynh_secure_remove --file=$final_www_path
+ynh_secure_remove --file=$code_dir
 ynh_secure_remove --file=/var/log/matrix-$app
 ynh_secure_remove --file=/etc/matrix-$app
-ynh_secure_remove --file=/etc/default/matrix-$app
 ynh_secure_remove --file=/etc/default/coturn-$app
 ynh_secure_remove --file=/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
 
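Review bot: `yunohost service remove $app` and `yunohost service remove $app-coturn` drop the previous `yunohost service status ... && remove` guard; on a half-installed instance, or one still registered under the old names `matrix-$app` / `coturn-$app`, the unguarded call errors and, under the abort-on-error default, stops the remove script before the config and log directories are cleaned. Keep the status check or tolerate the failure (`|| true`) for these two lines. Naming is also left inconsistent: `/etc/default/coturn-$app` is still removed under the old name while the unit is now `$app-coturn`, and `/etc/default/matrix-$app` is no longer removed at all.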
@@ -109,23 +58,6 @@ ynh_script_progression --message="Removing logrotate configuration" --weight=1
 # Remove the app-specific logrotate config
 ynh_remove_logrotate
 
-#=================================================
-# CLOSE A PORT
-#=================================================
-
-closeport() {
-    local port=$1
-    if yunohost firewall list | grep -q "\- $port$"
-    then
-            ynh_script_progression --message="Closing port $port"
-            ynh_exec_warn_less yunohost firewall disallow Both $port
-    fi
-}
-
-closeport $synapse_tls_port
-closeport $turnserver_tls_port
-closeport $turnserver_alt_tls_port
-
 #=================================================
 # REMOVE FAIL2BAN CONFIGURATION
 #=================================================
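Review bot: removing `closeport` makes the firewall cleanup for `$synapse_tls_port`, `$turnserver_tls_port` and `$turnserver_alt_tls_port` depend entirely on the manifest ports resource; check that all three are declared there, including `Both` (TCP and UDP) for the two TURN ports, otherwise they remain open after the app is removed.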
@@ -137,18 +69,6 @@ ynh_remove_fail2ban_config
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
-# REMOVE DEDICATED USER
-#=================================================
-ynh_script_progression --message="Removing the dedicated system user" --weight=1
-
-# Delete a system user
-ynh_system_user_delete --username=$synapse_user
-yunohost user delete $synapse_user_app
-
-#=================================================
-# END OF SCRIPT
-#=================================================
-ynh_print_info --message="Due of the backup core only feature the data directory in '/home/yunohost.app/matrix-$app' was not removed. It need to be removed manually to purge app user data."
 
 ynh_script_progression --message="Removal of $app completed" --last
 sleep 1
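Review bot: `yunohost user delete $synapse_user_app` is removed together with the system-user deletion, but nothing in this hunk deletes the YunoHost account `$app` that earlier versions created with a stored password; unless the new system_user resource or another script handles it, an orphaned login stays behind after removal. The `ynh_print_info` telling the admin that `/home/yunohost.app/matrix-$app` was kept is also gone; if the data_dir resource now decides about purging, the script should still state whether user data was retained.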
diff --git a/scripts/remove_sso_conf_persistent.py b/scripts/remove_sso_conf_persistent.py
deleted file mode 100644
index b0fde800..00000000
--- a/scripts/remove_sso_conf_persistent.py
+++ /dev/null
@@ -1,39 +0,0 @@
-import json
-import sys
-
-with open("/etc/ssowat/" + "conf.json.persistent", "r", encoding='utf-8') as jsonFile:
-    data = json.load(jsonFile)
-
-    for domain in ("", sys.argv[1], sys.argv[2]):
-        for path in ("/_matrix", "/.well-known/matrix/", "/_matrix/cas_server.php/login"):
-            url = domain + path
-            try:
-                uri_list = data["skipped_urls"]
-                while url in uri_list:
-                    uri_list.remove(url)     
-            except:
-                pass
-
-            try:
-                uri_list = data["protected_urls"]
-                while url in uri_list:
-                    uri_list.remove(url)     
-            except:
-                pass
-
-            try:
-                uri_list = data["permissions"]["custom_protected"]["uris"]
-                while url in uri_list:
-                    uri_list.remove(url)     
-            except:
-                pass
-
-            try:
-                uri_list = data["permissions"]["custom_skipped"]["uris"]
-                while url in uri_list:
-                    uri_list.remove(url)     
-            except:
-                pass
-
-with open("/etc/ssowat/" + "conf.json.persistent", "w", encoding='utf-8') as jsonFile:
-    jsonFile.write(json.dumps(data, indent=4, sort_keys=True))
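Review bot: deleting `remove_sso_conf_persistent.py` removes the only cleanup of the `/_matrix`, `/.well-known/matrix/` and `/_matrix/cas_server.php/login` entries in `/etc/ssowat/conf.json.persistent`; stale `skipped_urls` entries would keep those paths exempt from the SSO layer for whatever is served there after removal. Confirm that the permission system now owns these entries, or keep an equivalent cleanup step in scripts/remove.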
diff --git a/scripts/restore b/scripts/restore
index 8c9ddc77..bd41f6f8 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -11,84 +11,27 @@ source ../settings/scripts/_common.sh
 source ../settings/scripts/experimental_helper.sh
 source /usr/share/yunohost/helpers
 
-#=================================================
-# MANAGE SCRIPT FAILURE
-#=================================================
-
-ynh_clean_setup () {
-# Clean installation remainings that are not handled by the remove script.
-	ynh_clean_check_starting
-}
-# Exit if an error occurs during the execution of the script
-ynh_abort_if_errors
-
 #=================================================
 # LOAD SETTINGS
 #=================================================
 ynh_script_progression --message="Loading settings..."
 
-app=$YNH_APP_INSTANCE_NAME
-
-domain=$(ynh_app_setting_get --app=$app --key=domain)
-server_name=$(ynh_app_setting_get --app=$app --key=server_name)
-path_url=$(ynh_app_setting_get --app=$app --key=path)
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
-synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
-turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
-turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
-phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
-synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
-synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
-main_domain=$(yunohost domain list --output-as json | jq -r .main)
-
-#=================================================
-# SET ALL CONSTANT
-#=================================================
-
-synapse_user="matrix-$app"
-synapse_user_app="$app"
-synapse_db_name="matrix_$app"
-synapse_db_user="matrix_$app"
-synapse_db_name="matrix_$app"
-upstream_version=$(ynh_app_upstream_version)
-final_www_path="/var/www/$app"
-data_path="/home/yunohost.app/matrix-$app"
-
-#=================================================
-# CHECK IF THE APP CAN BE RESTORED
-#=================================================
-ynh_script_progression --message="Validating restoration parameters..." --weight=2
-
-test ! -d $final_path \
-	|| ynh_die --message="There is already a directory: $final_path "
-
 #=================================================
-# STANDARD RESTORATION STEPS
-#=================================================
-# REINSTALL DEPENDENCIES
+# RECREATE THE DEDICATED USER
 #=================================================
-ynh_script_progression --message="Reinstalling dependencies..." --weight=70
+ynh_script_progression --message='Configuring system groups'
 
-# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
-# For any update do it in all files
-ynh_exec_warn_less ynh_install_app_dependencies $dependances
+# Create the dedicated user (if not existing)
+adduser $app ssl-cert
+adduser turnserver ssl-cert
 
 #=================================================
-# RECREATE THE DEDICATED USER
+# FIX DB CONFIG
 #=================================================
-ynh_script_progression --message="Recreating the dedicated system user..." --weight=3
+ynh_script_progression --message="Fixing database type..." --weight=1
 
-# Create the dedicated user (if not existing)
-ynh_system_user_create --username=$synapse_user --home_dir=$final_path
-# The format to create an user account varies depending on the version of YunoHost currently installed.
-ynh_current_version=$(dpkg-query --showformat='${Version}' --show yunohost)
-if $(dpkg --compare-versions "$ynh_current_version" ge "11.1"); then
-    yunohost user create $synapse_user_app -F "Synapse Application" -d $domain -p "$synapse_user_app_pwd"
-else
-    yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
-fi
-adduser $synapse_user ssl-cert
-adduser turnserver ssl-cert
+ynh_psql_execute_as_root \
+    --sql="update pg_database set datcollate='C', datctype='C' where datname='$db_name';"
 
 #=================================================
 # RESTORE ALL CONFIG AND DATA
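Review bot: `update pg_database set datcollate='C', datctype='C' where datname='$db_name';` only rewrites catalog metadata; it does not re-collate existing indexes and is only safe while the database is still empty. The removed `CREATE DATABASE ... LC_COLLATE='C' LC_CTYPE='C' template=template0` expressed Synapse's C-locale requirement directly; if the db resource cannot create the database with that locale, at least guard this statement with a check that `$db_name` contains no user tables yet. The `adduser $app ssl-cert` lines also now assume the `$app` system user already exists, since `ynh_system_user_create` was dropped.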
@@ -115,16 +58,7 @@ ynh_systemd_action --action=restart --service_name=fail2ban
 #=================================================
 ynh_script_progression --message="Restoring the PostgreSQL database..." --weight=13
 
-ynh_psql_test_if_first_run
-ynh_psql_create_user $synapse_db_user $synapse_db_pwd
-ynh_psql_execute_as_root \
---sql="CREATE DATABASE $synapse_db_name
- ENCODING 'UTF8'
- LC_COLLATE='C'
- LC_CTYPE='C'
- template=template0
- OWNER $synapse_db_user;"
-ynh_psql_execute_file_as_root --file="${YNH_CWD}/dump.sql" --database="$synapse_db_name"
+ynh_psql_execute_file_as_root --file="${YNH_CWD}/dump.sql" --database="$db_name"
 
 #=================================================
 # RESTORE SYSTEMD
@@ -132,15 +66,15 @@ ynh_psql_execute_file_as_root --file="${YNH_CWD}/dump.sql" --database="$synapse_
 ynh_script_progression --message="Enable systemd services" --weight=2
 
 # systemctl daemon-reload
-systemctl enable matrix-$app.service --quiet
-systemctl enable coturn-$app.service --quiet
+systemctl enable $app.service --quiet
+systemctl enable $app-coturn.service --quiet
 
 #=================================================
 # ADVERTISE SERVICE IN ADMIN PANEL
 #=================================================
 
-yunohost service add matrix-$app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $synapse_tls_port
-yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
+yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.'
+yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.'
 
 #=================================================
 # CREATE A DH FILE
@@ -153,7 +87,7 @@ ynh_script_progression --message="Creating a dh file..." --weight=40
 # Make dh cert for synapse if it doesn't exist
 if [ ! -e /etc/ssl/private/dh2048.pem ]
 then
-    ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam
+    ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
     chown root:ssl-cert /etc/ssl/private/dh2048.pem
     chmod 640 /etc/ssl/private/dh2048.pem
 fi
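Review bot: dropping `-dsaparam` is the right change, since DSA-style parameters are not safe primes and the resulting group is weaker than a proper DH safe-prime group; the cost is generation time (minutes to tens of minutes on ARM), which the weight of 40 already reflects. Because the block runs only when `/etc/ssl/private/dh2048.pem` is absent, a file previously generated with `-dsaparam` is kept as is; consider regenerating it in the upgrade script.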
@@ -163,43 +97,7 @@ fi
 #=================================================
 ynh_script_progression --message="Reconfiguring Coturn..." --weight=23
 
-# To be sure that at the restoration the IP address in coturn config is the same as the real address we remake the coturn config
-
-# Retrieve specific settings
-turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
-turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
-cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
-turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
-
-# WARNING : these commands are used in INSTALL, UPGRADE
-# For any update do it in all files
-
-# Get public IP and set as external IP for coturn
-# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
-public_ip4="$(curl -s ip.yunohost.org)" || true
-public_ip6="$(curl -s ipv6.yunohost.org)" || true
-
-turn_external_ip=""
-if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
-then
-    turn_external_ip+="external-ip="$public_ip4%"\n"
-fi
-
-if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
-then
-    turn_external_ip+="external-ip="$public_ip6%"\n"
-fi
-
-ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
-
-#=================================================
-# OPEN THE PORT
-#=================================================
-
-# Ouvre le port dans le firewall
-ynh_exec_warn_less yunohost firewall allow TCP $synapse_tls_port
-ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
-ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
+configure_coturn
 
 #=================================================
 # SETUP LOGROTATE
@@ -214,48 +112,16 @@ ynh_use_logrotate --logfile /var/log/matrix-$app
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times)
-# For any update do it in all files
-ynh_script_progression --message="Configuring file permission..."
-chown $synapse_user:root -R $final_path
-chmod 770 $final_path/Coturn_config_rotate.sh
-chmod 700 $final_path/update_synapse_for_appservice.sh
-chown $synapse_user:root -R $data_path
-chown $synapse_user:root -R /var/log/matrix-$app
-chown $synapse_user:root -R /etc/matrix-$app
-chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/$server_name.signing.key
-setfacl -R -m user:turnserver:rX  /etc/matrix-$app
-setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app
-chmod u=rwX,g=rX,o= -R $final_www_path
-chown $synapse_user:root -R $final_www_path
+ynh_script_progression --message="Protecting directories..." --weight=3
+set_permissions data
 
 #=================================================
 # RELOAD NGINX, SYNAPSE AND COTURN
 #=================================================
 ynh_script_progression --message="Restarting Synapse services..." --weight=7
 
-ynh_systemd_action --service_name=coturn-$app.service --action=restart
-ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
-
-#=================================================
-# SEND A README FOR THE ADMIN
-#=================================================
-
-# WARNING : theses command are used in INSTALL, RESTORE
-# For any update do it in all files
-
-echo "To federate this app you need to add this line in your DNS configuration:
-
-_matrix._tcp.$domain. 3600    IN      SRV     10 0 $synapse_tls_port $domain.
-
-You also need to open the TCP port $synapse_tls_port on your ISP box if it's not automatically done.
-
-Your synapse server also implements a turnserver (for VoIP), to have this fully functional please read the 'Turnserver' section in the README available here: https://github.com/YunoHost-Apps/synapse_ynh .
-
-If you're facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/synapse_ynh" > mail_to_send
-
-ynh_send_readme_to_admin --app_message="mail_to_send" --type="restore"
+ynh_systemd_action --service_name=$app-coturn.service --action=restart
+ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
 
 #=================================================
 # GENERIC FINALIZATION
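Review bot: the restore-specific admin e-mail (SRV record, "open the TCP port $synapse_tls_port", turnserver pointer) is removed without replacement, and as in scripts/install the explicit `chmod 600` on `$server_name.signing.key` and the `setfacl` grants for `turnserver` are folded into `set_permissions data`; verify the helper leaves the signing key at mode 600 and keeps read access for `turnserver` on `/etc/matrix-$app` and write access on `/var/log/matrix-$app`.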
diff --git a/scripts/upgrade b/scripts/upgrade
index 0dee176e..6a4c882f 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -10,129 +10,11 @@ source _common.sh
 source experimental_helper.sh
 source /usr/share/yunohost/helpers
 
-# Exit if an error occurs during the execution of the script
-ynh_abort_if_errors
-
-#=================================================
-# LOAD SETTINGS
-#=================================================
-ynh_script_progression --message="Loading installation settings..." --weight=3
-
-app=$YNH_APP_INSTANCE_NAME
-
-domain=$(ynh_app_setting_get --app=$app --key=domain)
-server_name=$(ynh_app_setting_get --app=$app --key=server_name)
-jitsi_server=$(ynh_app_setting_get --app=$app --key=jitsi_server)
-path_url=$(ynh_app_setting_get --app=$app --key=path)
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
-synapse_old_version=$(ynh_app_setting_get --app=$app --key=synapse_version)
-is_free_registration=$(ynh_app_setting_get --app=$app --key=is_free_registration)
-port=$(ynh_app_setting_get --app=$app --key=synapse_port)
-synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
-turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
-turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
-cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
-report_stats=$(ynh_app_setting_get --app=$app --key=report_stats)
-e2e_enabled_by_default=$(ynh_app_setting_get --app=$app --key=e2e_enabled_by_default)
-synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
-turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
-registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
-form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
-macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
-synapse_user_app_pwd=$(ynh_app_setting_get --app=$app --key=synapse_user_app_pwd)
-domain_whitelist_client_=$(get_domain_list)
-domain_whitelist_client=${domain_whitelist_client_%"\n"}
-main_domain=$(yunohost domain list --output-as json | jq -r .main)
-
 #=================================================
 # SET ALL CONSTANT
 #=================================================
 
-synapse_user="matrix-$app"
-synapse_user_app="$app"
-synapse_db_name="matrix_$app"
-synapse_db_user="matrix_$app"
-synapse_db_name="matrix_$app"
-upstream_version=$(ynh_app_upstream_version)
 upgrade_type=$(ynh_check_app_version_changed)
-final_www_path="/var/www/$app"
-data_path="/home/yunohost.app/matrix-$app"
-
-#=================================================
-# GET CONFIG PANEL SETTINGS
-#=================================================
-
-server_statistics=$(ynh_app_setting_get --app=$app --key=server_statistics)
-web_client_location=$(ynh_app_setting_get --app=$app --key=web_client_location)
-client_base_url=$(ynh_app_setting_get --app=$app --key=client_base_url)
-invite_client_location=$(ynh_app_setting_get --app=$app --key=invite_client_location)
-allow_public_rooms_without_auth=$(ynh_app_setting_get --app=$app --key=allow_public_rooms_without_auth)
-allow_public_rooms_over_federation=$(ynh_app_setting_get --app=$app --key=allow_public_rooms_over_federation)
-max_upload_size=$(ynh_app_setting_get --app=$app --key=max_upload_size)
-disable_msisdn_registration=$(ynh_app_setting_get --app=$app --key=disable_msisdn_registration)
-registrations_require_3pid=$(ynh_app_setting_get --app=$app --key=registrations_require_3pid)
-allowed_local_3pids_email=$(ynh_app_setting_get --app=$app --key=allowed_local_3pids_email)
-allowed_local_3pids_msisdn=$(ynh_app_setting_get --app=$app --key=allowed_local_3pids_msisdn)
-account_threepid_delegates_msisdn=$(ynh_app_setting_get --app=$app --key=account_threepid_delegates_msisdn)
-allow_guest_access=$(ynh_app_setting_get --app=$app --key=allow_guest_access)
-default_identity_server=$(ynh_app_setting_get --app=$app --key=default_identity_server)
-auto_join_rooms=$(ynh_app_setting_get --app=$app --key=auto_join_rooms)
-autocreate_auto_join_rooms=$(ynh_app_setting_get --app=$app --key=autocreate_auto_join_rooms)
-auto_join_rooms_for_guests=$(ynh_app_setting_get --app=$app --key=auto_join_rooms_for_guests)
-enable_notifs=$(ynh_app_setting_get --app=$app --key=enable_notifs)
-notif_for_new_users=$(ynh_app_setting_get --app=$app --key=notif_for_new_users)
-enable_group_creation=$(ynh_app_setting_get --app=$app --key=enable_group_creation)
-
-enable_registration=$(ynh_app_setting_get --app=$app --key=enable_registration)
-turn_allow_guests=$(ynh_app_setting_get --app=$app --key=turn_allow_guests)
-sso_enabled=$(ynh_app_setting_get --app=$app --key=sso_enabled)
-password_enabled=$(ynh_app_setting_get --app=$app --key=password_enabled)
-enable_3pid_lookup=$(ynh_app_setting_get --app=$app --key=enable_3pid_lookup)
-push_include_content=$(ynh_app_setting_get --app=$app --key=push_include_content)
-
-#=================================================
-# ENSURE DOWNWARD COMPATIBILITY
-#=================================================
-ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
-
-# Following the discussion here https://github.com/YunoHost-Apps/synapse_ynh/pull/51 we decided to remove definitely the support of the old package migration.
-if [ -z "$synapse_old_version" ]
-then
-	ynh_die --message="Update from this synapse version is not available. You need to remove this package and reinstall the new package version."
-fi
-
-#=================================================
-# MIGRATION 7 : Working config panel v1
-#=================================================
-backup_before_upgrade=$(ynh_app_setting_get --app=$app --key=backup_before_upgrade)
-if [ -z $backup_before_upgrade ] ; then
-    backup_before_upgrade="true"
-    disable_backup_before_upgrade=$(ynh_app_setting_get --app=$app --key=disable_backup_before_upgrade)
-    if [ "0$disable_backup_before_upgrade" -ne 0 ]; then
-        backup_before_upgrade="false"
-    fi
-    ynh_app_setting_set --app=$app --key=backup_before_upgrade --value=$backup_before_upgrade
-fi
-
-#=================================================
-# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
-#=================================================
-
-# We stop the service before to set ynh_clean_setup
-ynh_systemd_action --service_name=matrix-$app.service --action=stop
-
-# Backup the current version of the app
-if $backup_before_upgrade ; then
-    ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=30
-    ynh_backup_before_upgrade
-    ynh_clean_setup () {
-        # Clean installation remainings that are not handled by the remove script.
-        ynh_clean_check_starting
-        ynh_restore_upgradebackup
-    }
-else
-    ynh_script_progression --message="NOT Backing up the app before upgrading..." --weight=1
-fi
 
 #=================================================
 # STANDARD UPGRADE STEPS
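Review bot: removing `ynh_systemd_action --service_name=matrix-$app.service --action=stop` together with the `synapse_old_version` guard means an upgrade from a pre-rename install no longer stops the old `matrix-$app` and `coturn-$app` units before the new `$app` and `$app-coturn` units are installed; without an explicit migration step that stops, disables and removes the old unit files, both generations can end up enabled and competing for the same ports after a reboot. The backup-before-upgrade branch with `ynh_restore_upgradebackup` is gone as well, so a failed upgrade has no fallback unless the core now provides one.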
@@ -141,312 +23,261 @@ fi
 #=================================================
 
 # Migrate from settings 'special_domain' to 'domain' and 'special_path' to 'path'
-if [ -z $domain ]; then
+if [ -z "${domain:-}" ]; then
     domain=$(ynh_app_setting_get --app=$app --key=special_domain)
-    path_url=$(ynh_app_setting_get --app=$app --key=special_path)
+    path=$(ynh_app_setting_get --app=$app --key=special_path)
     ynh_app_setting_set --app=$app --key=domain --value=$domain
-    ynh_app_setting_set --app=$app --key=path --value=$path_url
+    ynh_app_setting_set --app=$app --key=path --value=$path
     ynh_app_setting_delete --app=$app --key=special_domain
     ynh_app_setting_delete --app=$app --key=special_path
     ynh_app_setting_set --app=$app --key=no_sso --value true
 fi
 
 # Define $server_name if not already defined
-if [ -z $server_name ]; then
-   server_name=$domain
-   ynh_app_setting_set --app=$app --key=server_name --value=$domain
+if [ -z "${server_name:-}" ]; then
+    server_name=$domain
+    ynh_app_setting_set --app=$app --key=server_name --value=$domain
 fi
 
 # Define $jitsi_server if not already defined
-if [ -z $jitsi_server ]; then
-   jitsi_server='jitsi.riot.im'
-   ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server
+if [ -z "${jitsi_server:-}" ]; then
+    jitsi_server='jitsi.riot.im'
+    ynh_app_setting_set --app=$app --key=jitsi_server --value=$jitsi_server
 fi
 
 # Define $e2e_enabled_by_default if not already defined
-if [ -z $e2e_enabled_by_default ] ; then
-   e2e_enabled_by_default="invite"
-   ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
+if [ -z "${e2e_enabled_by_default:-}" ] ; then
+    e2e_enabled_by_default="invite"
+    ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
 fi
 
 if [ "$e2e_enabled_by_default" = "true" ] ; then
-   e2e_enabled_by_default="all"
-   ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
+    e2e_enabled_by_default="all"
+    ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
 fi
 
 if [ "$e2e_enabled_by_default" = "false" ]; then
-   e2e_enabled_by_default="off"
-   ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
+    e2e_enabled_by_default="off"
+    ynh_app_setting_set --app=$app --key=e2e_enabled_by_default --value=$e2e_enabled_by_default
 fi
 
-if [ -z $report_stats ]; then
+if [ -z "${report_stats:-}" ]; then
     report_stats="false"
     ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
 fi
 
-if [ -z $is_free_registration ]; then
-    is_free_registration=$(ynh_app_setting_get --app=$app --key=is_""public)
-fi
+if [ -z "${web_client_location:-}" ]
+then
+    web_client_location="https://matrix.to/"
 
-if [ -z $synapse_user_app_pwd ]; then
-    synapse_user_app_pwd="$(ynh_string_random --length=30)"
-    ynh_app_setting_set --app=$app --key=synapse_user_app_pwd --value=$synapse_user_app_pwd
-    # The format to create an user account varies depending on the version of YunoHost currently installed.
-    ynh_current_version=$(dpkg-query --showformat='${Version}' --show yunohost)
-    if $(dpkg --compare-versions "$ynh_current_version" ge "11.1"); then
-        yunohost user create $synapse_user_app -F "Synapse Application" -d $domain -p "$synapse_user_app_pwd"
-    else
-        yunohost user create $synapse_user_app -f Synapse -l Application -d $domain -p "$synapse_user_app_pwd"
+    element_instance="element"
+    if yunohost --output-as plain app list | grep -q "^$element_instance"'$'; then
+        element_domain=$(ynh_app_setting_get --app $element_instance --key domain)
+        element_path=$(ynh_app_setting_get --app $element_instance --key path)
+        web_client_location="https://""$element_domain""$element_path"
     fi
+    ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location
 fi
-
-#=================================================
-# MIGRATION 6 : Migrate data directory
-#=================================================
-
-if [ -e "/var/lib/matrix-$app" ]; then
-    ynh_script_progression --message="Moving data directory to $data_path..." --weight=1
-    if [ -e "$data_path" ]; then
-        old_data_dir_path="$data_path$(date '+%Y%m%d.%H%M%S')"
-        ynh_print_warn "A data directory already exist. Data was renamed to $old_data_dir_path"
-        mv "$data_path" "$old_data_dir_path"
-    fi
-    mv "/var/lib/matrix-$app" "$data_path"
-fi
-if ! grep -q "$final_path" /etc/passwd; then
-    # matrix-synapse:x:994:994::/var/lib/matrix-synapse:/usr/sbin/nologin
-    sed --in-place -r "s@matrix-$app\:x\:([[:digit:]]+\:[[:digit:]]+)\:\:/.*/matrix-$app\:/usr/sbin/nologin@matrix-$app\:x\:\1\:\:$final_path\:/usr/sbin/nologin@g" /etc/passwd
-fi
-
-#=================================================
-# MIGRATION 7 : Working config panel v1
-#=================================================
-
-allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
-if [ -z $allow_public_rooms ]; then
-    allow_public_rooms="false"
+if [ -z "${client_base_url:-}" ]
+then
+    client_base_url=$web_client_location
+    ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url
 fi
-
-# SET STANDARD SETTINGS FROM DEFAULT CONFIG
-
-# Get app name of first Element Instance
-element_ynh_url="https://matrix.to/"
-element_domain=""
-element_path=""
-web_client_location=$element_ynh_url
-client_base_url=$element_ynh_url
-invite_client_location=$element_ynh_url
-element_instance="element"
-if [ -z "$web_client_location" ]
+if [ -z "${invite_client_location:-}" ]
 then
-  if yunohost --output-as plain app list | grep -q "^$element_instance"'$'; then
-    element_domain=$(ynh_app_setting_get --app $element_instance --key domain)
-    element_path=$(ynh_app_setting_get --app $element_instance --key path)
-    element_ynh_url="https://""$element_domain""$element_path"
-  fi
-  web_client_location=$element_ynh_url
-  client_base_url=$element_ynh_url
-  invite_client_location=$element_ynh_url
-  ynh_app_setting_set --app=$app --key=web_client_location --value=$web_client_location
-  ynh_app_setting_set --app=$app --key=client_base_url --value=$client_base_url
-  ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location
+    invite_client_location=$web_client_location
+    ynh_app_setting_set --app=$app --key=invite_client_location --value=$invite_client_location
 fi
-
-if [ -z "$server_statistics" ]
+if [ -z "${allow_public_rooms_without_auth:-}" ]
 then
-  server_statistics="false"
-  ynh_app_setting_set --app=$app --key=server_statistics --value=$server_statistics
+    allow_public_rooms_without_auth=${allow_public_rooms:-false}
+    ynh_app_setting_set --app=$app --key=allow_public_rooms_without_auth --value=$allow_public_rooms_without_auth
 fi
-if [ -z "$allow_public_rooms_without_auth" ]
+if [ -z "${allow_public_rooms_over_federation:-}" ]
 then
-  allow_public_rooms_without_auth=$allow_public_rooms
-  ynh_app_setting_set --app=$app --key=allow_public_rooms_without_auth --value=$allow_public_rooms_without_auth
+    allow_public_rooms_over_federation=${allow_public_rooms:-false}
+    ynh_app_setting_set --app=$app --key=allow_public_rooms_over_federation --value=$allow_public_rooms_over_federation
 fi
-if [ -z "$allow_public_rooms_over_federation" ]
+if [ -z "${max_upload_size:-}" ]
 then
-  allow_public_rooms_over_federation=$allow_public_rooms
-  ynh_app_setting_set --app=$app --key=allow_public_rooms_over_federation --value=$allow_public_rooms_over_federation
+    max_upload_size="100M"
+    ynh_app_setting_set --app=$app --key=max_upload_size --value=$max_upload_size
 fi
-if [ -z "$max_upload_size" ]
+if [ -z "${disable_msisdn_registration:-}" ]
 then
-  max_upload_size="10M"
-  ynh_app_setting_set --app=$app --key=max_upload_size --value=$max_upload_size
+    disable_msisdn_registration="true"
+    ynh_app_setting_set --app=$app --key=disable_msisdn_registration --value=$disable_msisdn_registration
 fi
-if [ -z "$disable_msisdn_registration" ]
+if [ -z "${registrations_require_3pid:-}" ] || [ "${registrations_require_3pid}" == none ]
 then
-  disable_msisdn_registration="true"
-  ynh_app_setting_set --app=$app --key=disable_msisdn_registration --value=$disable_msisdn_registration
+    registrations_require_3pid=email
+    ynh_app_setting_set --app=$app --key=registrations_require_3pid --value=$registrations_require_3pid
 fi
-if [ -z "$registrations_require_3pid" ]
+if [ -z "${allowed_local_3pids_email:-}" ] || [[ "${allowed_local_3pids_email}" =~ "'.*'" ]] # Also remove shit value from previous config panel
 then
-  registrations_require_3pid="none"
-  ynh_app_setting_set --app=$app --key=registrations_require_3pid --value=$registrations_require_3pid
+    allowed_local_3pids_email=''
+    ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value=$allowed_local_3pids_email
 fi
-if [ -z "$allowed_local_3pids_email" ]
+if [ -z "${allowed_local_3pids_msisdn:-}" ] || [[ "${allowed_local_3pids_msisdn}" =~ "'.*'" ]] # Also remove shit value from previous config panel
 then
-  allowed_local_3pids_email="'^[^@]+@""matrix""\.org$'"
-  ynh_app_setting_set --app=$app --key=allowed_local_3pids_email --value=$allowed_local_3pids_email
+    allowed_local_3pids_msisdn=''
+    ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value=$allowed_local_3pids_msisdn
 fi
-if [ -z "$allowed_local_3pids_msisdn" ]
+if [ -z "${account_threepid_delegates_msisdn:-}" ]
 then
-  allowed_local_3pids_msisdn="'\+33'"
-  ynh_app_setting_set --app=$app --key=allowed_local_3pids_msisdn --value=$allowed_local_3pids_msisdn
+    account_threepid_delegates_msisdn=""
+    ynh_app_setting_set --app=$app --key=account_threepid_delegates_msisdn --value=$account_threepid_delegates_msisdn
 fi
-if [ -z "$account_threepid_delegates_msisdn" ]
+if [ -z "${allow_guest_access:-}" ]
 then
-  account_threepid_delegates_msisdn=""
-  ynh_app_setting_set --app=$app --key=account_threepid_delegates_msisdn --value=$account_threepid_delegates_msisdn
+    allow_guest_access="false"
+    ynh_app_setting_set --app=$app --key=allow_guest_access --value=$allow_guest_access
 fi
-if [ -z "$allow_guest_access" ]
+if [ -z "${default_identity_server:-}" ]
 then
-  allow_guest_access="false"
-  ynh_app_setting_set --app=$app --key=allow_guest_access --value=$allow_guest_access
+    default_identity_server="https://matrix.org"
+    ynh_app_setting_set --app=$app --key=default_identity_server --value=$default_identity_server
 fi
-if [ -z "$default_identity_server" ]
+if [ -z "${auto_join_rooms:-}" ]
 then
-  default_identity_server="https://matrix.org"
-  ynh_app_setting_set --app=$app --key=default_identity_server --value=$default_identity_server
+    auto_join_rooms=""
+    ynh_app_setting_set --app=$app --key=auto_join_rooms --value=$auto_join_rooms
 fi
-if [ -z "$auto_join_rooms" ]
+if [ -z "${autocreate_auto_join_rooms:-}" ]
 then
-  auto_join_rooms="#auto_join_room:""$server_name"
-  ynh_app_setting_set --app=$app --key=auto_join_rooms --value=$auto_join_rooms
+    autocreate_auto_join_rooms="false"
+    ynh_app_setting_set --app=$app --key=autocreate_auto_join_rooms --value=$autocreate_auto_join_rooms
 fi
-if [ -z "$autocreate_auto_join_rooms" ]
+if [ -z "${auto_join_rooms_for_guests:-}" ]
 then
-  autocreate_auto_join_rooms="false"
-  ynh_app_setting_set --app=$app --key=autocreate_auto_join_rooms --value=$autocreate_auto_join_rooms
+    auto_join_rooms_for_guests="true"
+    ynh_app_setting_set --app=$app --key=auto_join_rooms_for_guests --value=$auto_join_rooms_for_guests
 fi
-if [ -z "$auto_join_rooms_for_guests" ]
+if [ -z "${enable_notifs:-}" ]
 then
-  auto_join_rooms_for_guests="true"
-  ynh_app_setting_set --app=$app --key=auto_join_rooms_for_guests --value=$auto_join_rooms_for_guests
+    enable_notifs="true"
+    ynh_app_setting_set --app=$app --key=enable_notifs --value=$enable_notifs
 fi
-if [ -z "$enable_notifs" ]
+if [ -z "${notif_for_new_users:-}" ]
 then
-  enable_notifs="true"
-  ynh_app_setting_set --app=$app --key=enable_notifs --value=$enable_notifs
+    notif_for_new_users="true"
+    ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users
 fi
-if [ -z "$notif_for_new_users" ]
+if [ -z "${enable_group_creation:-}" ]
 then
-  notif_for_new_users="true"
-  ynh_app_setting_set --app=$app --key=notif_for_new_users --value=$notif_for_new_users
+    enable_group_creation="true"
+    ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation
 fi
-if [ -z "$enable_group_creation" ]
+if [ -z "${enable_3pid_lookup:-}" ]
 then
-  enable_group_creation="true"
-  ynh_app_setting_set --app=$app --key=enable_group_creation --value=$enable_group_creation
+    enable_3pid_lookup=false
+    ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
 fi
 
-if [ -z "$enable_registration" ]
+
+if [ -z "${enable_registration:-}" ]
 then
+  if [ -z "${is_free_registration:-}" ]; then
+      is_free_registration=$(ynh_app_setting_get --app=$app --key=is_""public)
+  fi
+
   if [ "$is_free_registration" -eq "0" ]
   then
       enable_registration="false"
-      turn_allow_guests="false"
-      sso_enabled="true"
       password_enabled="false"
-      enable_3pid_lookup="false"
+
   else
       enable_registration="true"
-      turn_allow_guests="true"
-      sso_enabled="false"
       password_enabled="true"
-      enable_3pid_lookup="true"
   fi
   ynh_app_setting_set --app=$app --key=enable_registration --value=$enable_registration
-  ynh_app_setting_set --app=$app --key=turn_allow_guests --value=$turn_allow_guests
-  ynh_app_setting_set --app=$app --key=sso_enabled --value=$sso_enabled
   ynh_app_setting_set --app=$app --key=password_enabled --value=$password_enabled
-  ynh_app_setting_set --app=$app --key=enable_3pid_lookup --value=$enable_3pid_lookup
 fi
 
-if [ -z "$push_include_content" ]
+if [ -z "${push_include_content:-}" ]
+then
+    push_include_content="true"
+    ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
+fi
+if [ -z "${enable_dtls_for_audio_video_turn_call:-}" ]
 then
-  push_include_content="true"
-  ynh_app_setting_set --app=$app --key=push_include_content --value=$push_include_content
+    enable_dtls_for_audio_video_turn_call="true"
+    ynh_app_setting_set --app=$app --key=enable_dtls_for_audio_video_turn_call --value=$enable_dtls_for_audio_video_turn_call
 fi
 
 #=================================================
-# INSTALL DEPENDENCIES
+# MIGRATION 7 : STANDARDIZE SYSTEMD UNIT
 #=================================================
-ynh_script_progression --message="Upgrading dependencies..." --weight=6
 
-# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
-# For any update do it in all files
-ynh_exec_warn_less ynh_install_app_dependencies $dependances
+if [ -e /etc/systemd/system/matrix-$app.service ]
+then
+    ynh_script_progression --message='Migrating systemd unit to standard name...'
 
-#=================================================
-# DOWNLOAD, CHECK AND UNPACK SOURCE
-#=================================================
+    systemctl stop matrix-$app.service || true
+    systemctl stop coturn-$app.service || true
 
-if [ "$upgrade_type" == "UPGRADE_APP" ] || [ ! -e $final_path/bin/python3 ] || [ ! -e $final_path/lib/python$python_version ]
-then
-	ynh_script_progression --message="Upgrading source files..." --weight=6
-	install_sources
+    yunohost service remove matrix-$app || true
+    yunohost service remove coturn-$app || true
+
+    ynh_secure_remove --file=/etc/systemd/system/matrix-$app.service
+    ynh_secure_remove --file=/etc/systemd/system/coturn-$app.service
+
+    touch /etc/systemd/system/$app.service
+    systemctl daemon-reload || true
 fi
 
 #=================================================
-# CREATE SMALL CAS SERVER
+# STOP SERVICES
 #=================================================
-# WARNING : theses command are used in INSTALL, UPGRADE
-# For any update do it in all files
 
-mkdir -p $final_www_path
-cp ../sources/cas_server.php $final_www_path/
-chmod u=rwX,g=rX,o= -R $final_www_path
-chown $synapse_user:root -R $final_www_path
+# We stop the service
+ynh_systemd_action --service_name=$app.service --action=stop
+
+ynh_script_progression --message='Managing migrations...'
 
 #=================================================
-# MIGRATION 1 : GENERATE SYNAPSE SECRET
+# MIGRATION 6 : Migrate data directory
 #=================================================
 
-if [ -z "$registration_shared_secret" ] || [ "$form_secret" == "form_secret: " ]
-then
-    ynh_script_progression --message="Generating synapse secret..." --weight=1
-
-    # Go in virtualenvironnement
-    set +u
-    source $final_path/bin/activate
-    set -u
-
-    # Generate config and keys
-    python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
+if [ -e "/var/lib/matrix-$app" ]; then
+    ynh_script_progression --message="Moving data directory to $data_dir..." --weight=1
+    if [ -e "$data_dir" ]; then
+        old_data_dir_path="$data_dir$(date '+%Y%m%d.%H%M%S')"
+        ynh_print_warn "A data directory already exist. Data was renamed to $old_data_dir_path"
+        mv "$data_dir" "$old_data_dir_path"
+    fi
+    mv "/var/lib/matrix-$app" "$data_dir"
+fi
 
-    # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
-    set +u;
-    deactivate
-    set -u;
+#=================================================
+# MIGRATION 3 : USE STANDARD ACCESS FOR CERTIFCATE
+#=================================================
 
-    # Get random values from config
-    registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
-    form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
+# Fix issue about certificates access
+if [ ! $(grep "ssl-cert:x:[0-9]*:.*$app" /etc/group) ]
+then
+    ynh_script_progression --message="Use standard access for certificate..." --weight=1
 
-    # store in yunohost settings
-    ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
-    ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
+    adduser $app ssl-cert
+    adduser turnserver ssl-cert
 fi
 
 #=================================================
-# UPDATE SYNAPSE CONFIG
+# MIGRATION 4 : CREATE A DH FILE
 #=================================================
-ynh_script_progression --message="Updating synapse config..." --weight=2
 
-# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
+# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
 # For any update do it in all files
 
-if [ -z $macaroon_secret_key ]; then
-    # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
-    # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
-    # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
-    # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
-    macaroon_secret_key_param='# macaroon_secret_key: ""'
-else
-    macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
-fi
+# Make dh cert for synapse if it doesn't exist
+if [ ! -e /etc/ssl/private/dh2048.pem ]
+then
+    ynh_script_progression --message="Creating a dh file..." --weight=1
 
-ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
-ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
+    ynh_exec_warn_less openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
+    chown root:ssl-cert /etc/ssl/private/dh2048.pem
+    chmod 640 /etc/ssl/private/dh2048.pem
+fi
 
 #=================================================
 # MIGRATION 2 : MULTINSTANCE SUPPORT
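Review bot: the cleanup guards on the `allowed_local_3pids_email` and `allowed_local_3pids_msisdn` lines (`[[ "${allowed_local_3pids_email}" =~ "'.*'" ]]`) never match the values they are meant to purge: in bash a quoted right-hand side of `=~` is compared literally, so the test only fires on the exact four-character string `'.*'`, not on the old defaults `'^[^@]+@matrix\.org$'` and `'\+33'` that the removed lines show were stored on earlier installs. Use an unquoted pattern such as `=~ ^\'.*\'$` (or keep the pattern in a variable) so the stale quoted values are actually reset. Two smaller points in the same hunk: the `registrations_require_3pid` branch now rewrites an existing `none` to `email`, which silently changes registration policy on upgraded instances and deserves a comment or a changelog line; and the new `is_free_registration` fallback reads `is_public`, which can itself be empty, in which case `[ "$is_free_registration" -eq "0" ]` fails with an integer-expression error and drops into the `else` branch, so an unset value ends up with `enable_registration="true"`. Defaulting it explicitly (for example `${is_free_registration:-0}`) fails closed instead.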
@@ -463,15 +294,6 @@ then
     # Disable default config for turnserver and create a new service
     systemctl stop coturn.service
 
-    # Set a port for each service in turnserver
-    turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
-    cli_port=$(ynh_find_port --port=5766)
-
-    ynh_app_setting_set --app=$app --key=turnserver_alt_tls_port --value=$turnserver_alt_tls_port
-    ynh_app_setting_set --app=$app --key=cli_port --value=$cli_port
-
-    yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1
-
     #=================================================
     # MAKE A CLEAN LOGROTATE CONFIG
     #=================================================
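Review bot: the removed allocation of `turnserver_alt_tls_port` and `cli_port` (and the matching `yunohost firewall allow Both $turnserver_alt_tls_port`) has no visible replacement in this diff, while `sources/Coturn_config_rotate.sh` below now reads the renamed settings `port_cli` and `port_turnserver_alt_tls`, and the service registration further down uses `$port_synapse_tls` and `$port_turnserver_tls` in place of the old `synapse_tls_port` / `turnserver_tls_port`. Please point to where the old keys are migrated to the new names and where the alternate TLS port is now opened in the firewall; otherwise upgraded instances would read empty values for those ports and the alt-TLS listener would stay filtered.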
@@ -480,37 +302,108 @@ then
 fi
 
 #=================================================
-# MIGRATION 3 : USE STANDARD ACCESS FOR CERTIFCATE
+# MIGRATION 8 : Migrate database to managed database (Migrate db name from matrix_$app to $app)
 #=================================================
 
-# Fix issue about certificates access
-if [ ! $(grep "ssl-cert:x:[0-9]*:.*matrix-$app" /etc/group) ]
-then
-    ynh_script_progression --message="Use standard access for certificate..." --weight=1
+if ynh_psql_execute_as_root --sql='\list' | grep matrix_$app; then
+    ynh_''psql_remove_db --db_user="user_wich_must_dont_exist_and_keep_current_user" --db_name=$db_name
+    ynh_psql_execute_as_root --sql="ALTER DATABASE matrix_$app RENAME TO $db_name;"
+    ynh_psql_execute_as_root --database=$db_name --sql="REASSIGN OWNED BY matrix_$app TO $db_user;"
+    ynh_psql_execute_as_root --sql="UPDATE pg_database SET datcollate='C', datctype='C' WHERE datname='$db_name';"
+    ynh_psql_execute_as_root --sql="DROP USER matrix_$app;"
+    # for unknown reason we need to set again the password for synapse user. Without this synapse can't authenticate to postgresql
+    ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH ENCRYPTED PASSWORD '$db_pwd';"
+fi
 
-    adduser $synapse_user ssl-cert
-    adduser turnserver ssl-cert
+#=================================================
+# MIGRATION 9 : migrate data path (from matrix-$app to $app)
+#=================================================
+
+if [ -e /home/yunohost.app/matrix-$app ]; then
+    mv -t $data_dir /home/yunohost.app/matrix-$app/*
+    ynh_secure_remove --file=/home/yunohost.app/matrix-$app
 fi
 
 #=================================================
-# MIGRATION 4 : CREATE A DH FILE
+# MIGRATION 11 : make this app using full domain
 #=================================================
 
-# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
-# For any update do it in all files
+ynh_app_setting_set --app=$app --key=path --value=/
 
-# Make dh cert for synapse if it doesn't exist
-if [ ! -e /etc/ssl/private/dh2048.pem ]
+if yunohost app map -r --output-as json | jq -r '."'$domain'" | select( . != null ) | .[] | .id' | grep -v "$app" -q; then
+    ynh_print_warn 'An other app is installed on this domain. Now synapse require to be alone on the domain.'
+    ynh_print_warn 'To solve this you can:'
+    ynh_print_warn " - Remove or move all other app which use '$domain'"
+    ynh_print_warn ' - Change the domain of synapse. You can find more informations here: https://github.com/YunoHost-Apps/synapse_ynh/blob/ce38d582ea379f60574a438056893cac79525808/doc/ADMIN.md#change-url'
+fi
+
+#=================================================
+# MIGRATION 12 : update system user and drop yunohost user
+#=================================================
+
+if grep -q "^matrix-$app" /etc/passwd; then
+    # Must stop php before remove user as user is used by php
+    systemctl stop php$YNH_PHP_VERSION-fpm.service
+
+    ynh_''system_user_delete --username=matrix-$app
+    yunohost user delete $app || true
+    ynh_''system_user_create --username=$app --home_dir=$code_dir
+    adduser $app ssl-cert
+fi
+
+#=================================================
+# DOWNLOAD, CHECK AND UNPACK SOURCE
+#=================================================
+
+if [ "$upgrade_type" == "UPGRADE_APP" ] || [ ! -e $code_dir/bin/python3 ] || [ ! -e $code_dir/lib/python$python_version ]
 then
-    ynh_script_progression --message="Creating a dh file..." --weight=1
+    ynh_script_progression --message="Upgrading source files..." --weight=6
+    install_sources
+fi
 
-    openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null
-    chown root:ssl-cert /etc/ssl/private/dh2048.pem
-    chmod 640 /etc/ssl/private/dh2048.pem
+#=================================================
+# MIGRATION 1 : GENERATE SYNAPSE SECRET
+#=================================================
+
+if [ -z "${registration_shared_secret:-}" ] || [ "$form_secret" == "form_secret: " ]
+then
+    ynh_script_progression --message="Generating synapse secret..." --weight=1
+
+    # Generate config and keys
+    $code_dir/bin/python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
+
+    # Get random values from config
+    registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
+    form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
+
+    # store in yunohost settings
+    ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
+    ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
 fi
 
 #=================================================
 # STANDARD UPGRADE STEPS
+#=================================================
+
+#=================================================
+# UPDATE SYNAPSE CONFIG
+#=================================================
+ynh_script_progression --message="Updating synapse config..." --weight=2
+
+configure_synapse
+
+#=================================================
+# CREATE SMALL CAS SERVER
+#=================================================
+# WARNING : theses command are used in INSTALL, UPGRADE
+# For any update do it in all files
+
+mkdir -p $install_dir
+cp ../sources/cas_server.php $install_dir/
+chmod u=rwX,g=rX,o= -R $install_dir
+chown $app:root -R $install_dir
+
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
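Review bot: in MIGRATION 8 the catalog edit `UPDATE pg_database SET datcollate='C', datctype='C' WHERE datname='$db_name';` only changes the recorded collation; indexes on text columns that were built under the previous collation keep their old sort order and must be rebuilt with `REINDEX DATABASE` right after, or lookups can miss rows. Also in this hunk: `[ "$form_secret" == "form_secret: " ]` in MIGRATION 1 still dereferences `$form_secret` without the `:-` default that `registration_shared_secret` just received, so a missing setting aborts the upgrade under `set -u`; `grep matrix_$app` on the `\list` output is a substring match and will also hit other instances' databases such as `matrix_${app}__2`, so anchor it or match the whole name; `DROP USER matrix_$app` can still fail if that role holds grants that `REASSIGN OWNED` does not transfer (pairing it with `DROP OWNED BY` first is the usual fix); and the `--db_user="user_wich_must_dont_exist_and_keep_current_user"` placeholder needs a comment saying it is a deliberate workaround to drop only the database. Lastly, MIGRATION 12 runs `yunohost user delete $app || true`, i.e. it deletes a YunoHost account named after the app; a comment on why such an account exists would save the next reader a detour.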
@@ -520,19 +413,8 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." -
 ynh_script_progression --message="Configuring application..."
 
 ynh_add_fpm_config --usage=low --footprint=low
-sed -i "s|user\s*=\s*$app|user = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
-sed -i "s|group\s*=\s*$app|group = matrix-$app|g" /etc/php/7.*/fpm/pool.d/$app.conf
-sed -i "s|chdir\s*=\s*/opt/yunohost/matrix-synapse.*|chdir = $final_www_path|g" /etc/php/7.*/fpm/pool.d/$app.conf
-ynh_store_file_checksum --file=$(ls /etc/php/7.*/fpm/pool.d/$app.conf)
 
-# Create .well-known redirection for access by federation
-if yunohost --output-as plain domain list | grep -q "^$server_name$"
-then
-    ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-fi
-
-# Create a dedicated NGINX config
-ynh_add_nginx_config app
+configure_nginx
 
 #=================================================
 # SPECIFIC UPGRADE
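Review bot: the removed block that created the `.well-known` redirection (`ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"`) and the dedicated NGINX config is folded into `configure_nginx`, which is not part of this diff; since the `server_client_infos` permission below still advertises `$server_name/.well-known/matrix`, please confirm, ideally with a comment next to the call, that `configure_nginx` still installs that server_name config when `$server_name` is a YunoHost domain, otherwise federation discovery for upgraded servers silently breaks.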
@@ -541,26 +423,7 @@ ynh_add_nginx_config app
 #=================================================
 ynh_script_progression --message="Updating Coturn config..." --weight=1
 
-# WARNING : theses command are used in INSTALL, UPGRADE
-# For any update do it in all files
-
-# Get public IP and set as external IP for coturn
-# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
-public_ip4="$(curl -s ip.yunohost.org)" || true
-public_ip6="$(curl -s ipv6.yunohost.org)" || true
-
-turn_external_ip=""
-if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
-then
-    turn_external_ip+="external-ip="$public_ip4%"\n"
-fi
-
-if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
-then
-    turn_external_ip+="external-ip="$public_ip6%"\n"
-fi
-
-ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
+configure_coturn
 
 #=================================================
 # ADD SCRIPT FOR COTURN CRON AND APP SERVICE
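Review bot: `configure_coturn` now replaces the inline external-IP discovery, so the guards that protected the config here (`ynh_validate_ip4` / `ynh_validate_ip6` on the `curl -s ip.yunohost.org` results, with `|| true` to tolerate lookup failures) need to survive in `_common.sh`: the lookup is plain HTTP and whatever it returns is written verbatim into `external-ip=` lines of the coturn config, so an unexpected answer must still be rejected rather than written. While moving it, the stray `%` in the removed `turn_external_ip+="external-ip="$public_ip4%"\n"` should not be carried over. A pointer in the hunk or the commit message to where the validation now lives would make this easy to verify.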
@@ -569,8 +432,9 @@ ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/cotu
 # WARNING : theses command are used in INSTALL, UPGRADE
 # For any update do it in all files
 
-ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh"
-ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh"
+ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$code_dir/Coturn_config_rotate.sh"
+ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$code_dir/update_synapse_for_appservice.sh"
+ynh_add_config --template=../sources/set_admin_user.sh --destination=$code_dir/set_admin_user.sh
 
 # Ensure app-service folder has exists and the config file exit (Migration)
 mkdir -p /etc/matrix-$app/app-service
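Review bot: the new `set_admin_user.sh` line is the only one of the three that leaves the template and destination paths unquoted; quote them like the two lines above for consistency. More importantly, the explicit `chmod 770` / `chmod 700` on these helper scripts is removed later in this diff in favour of `set_permissions data`, so please confirm that function also restricts the new script, which by its name grants admin rights and should not be readable or writable beyond `$app`.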
@@ -587,8 +451,8 @@ fi
 # ADVERTISE SERVICE IN ADMIN PANEL
 #=================================================
 
-yunohost service add matrix-$app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $synapse_tls_port
-yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
+yunohost service add $app --log "/var/log/matrix-$app/homeserver.log" --needs_exposed_ports $port_synapse_tls --description 'Main matrix server service.'
+yunohost service add $app-coturn --needs_exposed_ports $port_turnserver_tls --description 'Turn server for matrix server. Used for audio and video call.'
 
 #=================================================
 # UPDATE SYSTEMD
@@ -596,20 +460,16 @@ yunohost service add coturn-$app --needs_exposed_ports $turnserver_tls_port
 ynh_script_progression --message="Upgrading systemd configuration..." --weight=3
 
 # Create systemd service for synapse and turnserver
-cp ../conf/default_matrix-synapse /etc/default/matrix-$app
-ynh_add_systemd_config --service=matrix-$app --template=matrix-synapse.service
+ynh_add_systemd_config --service=$app --template=synapse.service
 
 cp ../conf/default_coturn /etc/default/coturn-$app
-ynh_add_systemd_config --service=coturn-$app --template=coturn-synapse.service
+ynh_add_systemd_config --service=$app-coturn --template=synapse-coturn.service
 
 #=================================================
 # UPGRADE FAIL2BAN
 #=================================================
 ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=8
 
-# WARNING : theses command are used in INSTALL, UPGRADE
-# For any update do it in all files
-
 ynh_add_fail2ban_config --use_template
 
 #=================================================
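Review bot: the unit is renamed to `$app-coturn` but its defaults file keeps the old name (`cp ../conf/default_coturn /etc/default/coturn-$app`), so the `EnvironmentFile=` in `synapse-coturn.service` has to reference `/etc/default/coturn-$app` while the unit is called something else; either rename the file to match or add a comment so the mismatch is not "fixed" later. The counterpart `/etc/default/matrix-$app` is no longer written but is never removed either, which leaves a stale file on upgraded systems; the MIGRATION 7 block that already cleans up the old units is the natural place to `ynh_secure_remove` it as well.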
@@ -617,58 +477,28 @@ ynh_add_fail2ban_config --use_template
 #=================================================
 # SETUP PERMISSIONS
 #=================================================
-ynh_script_progression --message="Configuring permissions..." --weight=1
-ynh_legacy_permissions_delete_all
-
-ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
-ynh_permission_update --permission=main --show_tile=false --protected=true
 
-if ! ynh_permission_exists --permission=server_api; then
-    ynh_permission_create --permission=server_api --url=$domain/_matrix \
-                          --label="Server access for client apps." --show_tile=false --allowed=visitors \
-                          --auth_header=false --protected=true
-    python3 remove_sso_conf_persistent.py $domain $server_name \
-        || ynh_print_warn --message="Your file /etc/ssowat/""conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually."
-else
-    ynh_permission_url --permission=server_api --url=$domain/_matrix --remove_url=$server_name/.well-known/matrix \
-                       --auth_header=false
-    ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false \
-                          --protected=true
-fi
-
-if yunohost --output-as plain domain list | grep -q "^$server_name"'$' && ! ynh_permission_exists --permission=server_client_infos; then
-    ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
-                          --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
-                          --auth_header=false --protected=true
-elif yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
-    ynh_permission_url --permission=server_client_infos --url=$server_name/.well-known/matrix \
-                       --auth_header=false
-    ynh_permission_update --permission=server_client_infos --label="Server info for clients. (well-known)" --show_tile=false \
-                          --protected=true
-fi
+ynh_script_progression --message="Configuring permissions..." --weight=1
 
-if ! ynh_permission_exists --permission=admin_api; then
-    ynh_permission_create --permission=admin_api --url=$domain/_synapse \
-                          --label="Server administration API." --show_tile=false \
-                          --auth_header=false --allowed=visitors
+if yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
+    if ! ynh_""permission_exists --permission=server_client_infos; then
+        ynh_""permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
+                              --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \
+                              --auth_header=false --protected=true
+    else yunohost --output-as plain domain list | grep -q "^$server_name"'$'
+        ynh_""permission_url --permission=server_client_infos --url=$server_name/.well-known/matrix \
+                          --auth_header=false
+        ynh_""permission_update --permission=server_client_infos --label="Server info for clients. (well-known)" --show_tile=false \
+                              --protected=true
+    fi
 fi
 
 #=================================================
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE
-# For any update do it in all files
-chown $synapse_user:root -R $final_path
-chmod 770 $final_path/Coturn_config_rotate.sh
-chmod 700 $final_path/update_synapse_for_appservice.sh
-chown $synapse_user:root -R $data_path
-chown $synapse_user:root -R /var/log/matrix-$app
-chown $synapse_user:root -R /etc/matrix-$app
-chmod u=rwX,g=rX,o= -R /etc/matrix-$app
-chmod 600 /etc/matrix-$app/$server_name.signing.key
-setfacl -R -m user:turnserver:rX  /etc/matrix-$app
-setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app
+ynh_script_progression --message="Protecting directories... (note that it could take a long time depending of your install size)" --weight=3
+set_permissions data
 
 #=================================================
 # UPDATE HOOKS
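Review bot: the line `else yunohost --output-as plain domain list | grep -q "^$server_name"'$'` is a leftover from turning the old `elif` into a nested `if`: the command after `else` runs as an ordinary statement whose result is discarded, so it only repeats the domain lookup for nothing; it should read `else` alone. Two things the hunk also drops without a visible replacement: the `main`, `server_api` and `admin_api` permission setup (including `ynh_legacy_permissions_delete_all` and the `remove_sso_conf_persistent.py` cleanup), presumably moved to the manifest, and the explicit `chmod 600 /etc/matrix-$app/$server_name.signing.key` plus the `setfacl` entries for `turnserver`, now delegated to `set_permissions data`. A one-line reference to where each now lives would let a reviewer check that the signing key stays mode 600 and that coturn keeps read access to `/etc/matrix-$app` (the rotate script below still applies that ACL itself, which suggests it is expected).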
@@ -679,19 +509,13 @@ setfacl -R -m user:turnserver:rwX  /var/log/matrix-$app
 ynh_replace_string __APP__ $app ../hooks/post_cert_update
 ynh_replace_string __DOMAIN__ $domain ../hooks/post_cert_update
 
-#=================================================
-# UPDATE VERSION SETTINGS
-#=================================================
-
-ynh_app_setting_set --app=$app --key=synapse_version --value=$upstream_version
-
 #=================================================
 # RELOAD SERVICES
 #=================================================
 ynh_script_progression --message="Restarting Synapse services..." --weight=5
 
-ynh_systemd_action --service_name=coturn-$app.service --action=restart
-ynh_systemd_action --service_name=matrix-$app --action=restart --line_match="Synapse now listening on TCP port $synapse_tls_port" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
+ynh_systemd_action --service_name=$app-coturn.service --action=restart
+ynh_systemd_action --service_name=$app.service --action=restart --line_match="Synapse now listening on TCP port $port_synapse_tls" --log_path="/var/log/matrix-$app/homeserver.log" --timeout=300
 
 #=================================================
 # END OF SCRIPT
diff --git a/sources/Coturn_config_rotate.sh b/sources/Coturn_config_rotate.sh
index 4cfa5e25..168e85b9 100644
--- a/sources/Coturn_config_rotate.sh
+++ b/sources/Coturn_config_rotate.sh
@@ -1,33 +1,28 @@
 #!/bin/bash
 
-app_instance=__APP__
+set -eu
 
-source /usr/share/yunohost/helpers
-
-coturn_config_path="/etc/matrix-$app_instance/coturn.conf"
-public_ip4="$(curl ip.yunohost.org)" || true
-public_ip6="$(curl ipv6.yunohost.org)" || true
+app=__APP__
 
-old_config_line=$(egrep "^external-ip=.*\$" $coturn_config_path)
-perl -i -pe 's/(^external-ip=.*\n)*//g' $coturn_config_path
-
-if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
-then
-    echo "external-ip=$public_ip4" >> "$coturn_config_path"
-fi
+pushd /etc/yunohost/apps/$app/conf
+source /usr/share/yunohost/helpers
+source ../scripts/_common.sh
 
-if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
-then
-    echo "external-ip=$public_ip6" >> "$coturn_config_path"
-fi
+domain=$(ynh_app_setting_get --app=$app --key=domain)
+port_cli=$(ynh_app_setting_get --app=$app --key=port_cli)
+turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
+port_turnserver_tls=$(ynh_app_setting_get --app=$app --key=port_turnserver_tls)
+port_turnserver_alt_tls=$(ynh_app_setting_get --app=$app --key=port_turnserver_alt_tls)
 
-new_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf")
+previous_checksum=$(ynh_app_setting_get --app=$app --key=checksum__etc_matrix-synapse_coturn.conf)
+configure_coturn
+new_checksum=$(ynh_app_setting_get --app=$app --key=checksum__etc_matrix-synapse_coturn.conf)
 
-setfacl -R -m user:turnserver:rX  /etc/matrix-$app_instance
+setfacl -R -m user:turnserver:rX  /etc/matrix-$app
 
-if [ "$old_config_line" != "$new_config_line" ]
+if [ "$previous_checksum" != "$new_checksum" ]
 then
-    systemctl restart coturn-$app_instance.service
+    systemctl restart $app-coturn.service
 fi
 
 exit 0
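Review bot: the checksum key on the `previous_checksum`/`new_checksum` lines is hardcoded as `checksum__etc_matrix-synapse_coturn.conf`, so for any instance whose `$app` is not literally `synapse` (a second instance such as `synapse__2`) both lookups return the same empty value, the comparison is always equal, and coturn is never restarted after `configure_coturn` rewrites the file; derive the key from the app id, e.g. `checksum__etc_matrix-${app}_coturn.conf`, consistent with the `/etc/matrix-$app` path used on the `setfacl` line. Two smaller points: `configure_coturn` comes from `../scripts/_common.sh` (not in this diff) and now runs under `set -eu`, so any failing command inside it (the old script guarded its public-IP lookups with `|| true`) aborts the job before the restart check; and `setfacl -R -m user:turnserver:rX /etc/matrix-$app` gives the turnserver account read access to the whole Synapse config tree when only `coturn.conf` is needed, which is carried over rather than new but worth narrowing in a follow-up. `pushd` without `popd` is harmless here because the script ends with `exit 0`, but a plain `cd` would be clearer.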
diff --git a/sources/ldap_auth_filter_anonymous_user.patch b/sources/ldap_auth_filter_anonymous_user.patch
new file mode 100644
index 00000000..841f0f4f
--- /dev/null
+++ b/sources/ldap_auth_filter_anonymous_user.patch
@@ -0,0 +1,106 @@
+diff --git a/ldap_auth_provider.py b/ldap_auth_provider.py
+index 3646948..96296b6 100644
+--- a/ldap_auth_provider.py
++++ b/ldap_auth_provider.py
+@@ -373,9 +373,12 @@ class LdapAuthProvider:
+             ],
+         )
+ 
++        # LDAP Filter anonymous user Applied
+         ldap_config = _LdapConfig(
+             enabled=config.get("enabled", False),
+-            mode=LDAPMode.SIMPLE,
++            mode=LDAPMode.SEARCH
++            if config.get("mode", "simple") == "search"
++            else LDAPMode.SIMPLE,
+             uri=config["uri"],
+             start_tls=config.get("start_tls", False),
+             tls_options=config.get("tls_options"),
+@@ -403,6 +406,8 @@ class LdapAuthProvider:
+                 raise ValueError(
+                     "Either bind_password or bind_password_file must be set!"
+                 )
++
++        if ldap_config.mode == LDAPMode.SEARCH:
+             ldap_config.filter = config.get("filter", None)
+ 
+         # verify attribute lookup
+@@ -461,13 +466,16 @@ class LdapAuthProvider:
+         server = self._get_server(get_info=ldap3.DSA)
+ 
+         if self.ldap_bind_dn is None or self.ldap_bind_password is None:
+-            raise ValueError("Missing bind DN or bind password")
+-
+-        result, conn = await self._ldap_simple_bind(
+-            server=server,
+-            bind_dn=self.ldap_bind_dn,
+-            password=self.ldap_bind_password,
+-        )
++            result, conn = await self._ldap_simple_bind(
++                server=server,
++                auth_type=ldap3.ANONYMOUS,
++            )
++        else:
++            result, conn = await self._ldap_simple_bind(
++                server=server,
++                bind_dn=self.ldap_bind_dn,
++                password=self.ldap_bind_password,
++            )
+ 
+         if not result:
+             logger.warning("Unable to get root domain due to failed LDAP bind")
+@@ -503,7 +511,11 @@ class LdapAuthProvider:
+         return self.ldap_root_domain
+ 
+     async def _ldap_simple_bind(
+-        self, server: ldap3.ServerPool, bind_dn: str, password: str
++        self,
++        server: ldap3.ServerPool,
++        bind_dn: Optional[str] = None,
++        password: Optional[str] = None,
++        auth_type: str = ldap3.SIMPLE,
+     ) -> Tuple[bool, Optional[ldap3.Connection]]:
+         """Attempt a simple bind with the credentials given by the user against
+         the LDAP server.
+@@ -513,6 +525,8 @@ class LdapAuthProvider:
+         Returns False, None
+             if an error occured
+         """
++        if (bind_dn is None or password is None) and auth_type == ldap3.SIMPLE:
++            raise ValueError("Missing bind DN or bind password")
+ 
+         try:
+             # bind with the the local user's ldap credentials
+@@ -521,7 +535,7 @@ class LdapAuthProvider:
+                 server,
+                 bind_dn,
+                 password,
+-                authentication=ldap3.SIMPLE,
++                authentication=auth_type,
+                 read_only=True,
+             )
+             logger.debug("Established LDAP connection in simple bind mode: %s", conn)
+@@ -578,13 +592,16 @@ class LdapAuthProvider:
+ 
+         try:
+             if self.ldap_bind_dn is None or self.ldap_bind_password is None:
+-                raise ValueError("Missing bind DN or bind password")
+-
+-            result, conn = await self._ldap_simple_bind(
+-                server=server,
+-                bind_dn=self.ldap_bind_dn,
+-                password=self.ldap_bind_password,
+-            )
++                result, conn = await self._ldap_simple_bind(
++                    server=server,
++                    auth_type=ldap3.ANONYMOUS,
++                )
++            else:
++                result, conn = await self._ldap_simple_bind(
++                    server=server,
++                    bind_dn=self.ldap_bind_dn,
++                    password=self.ldap_bind_password,
++                )
+ 
+             if not result:
+                 return (False, None, None)
diff --git a/sources/set_admin_user.sh b/sources/set_admin_user.sh
new file mode 100644
index 00000000..2bbee3a3
--- /dev/null
+++ b/sources/set_admin_user.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -eu
+
+source /usr/share/yunohost/helpers
+
+app=__APP__
+
+db_name=$(ynh_app_setting_get --app=$app --key=db_name)
+db_user=$(ynh_app_setting_get --app=$app --key=db_user)
+db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
+server_name=$(ynh_app_setting_get --app=$app --key=server_name)
+
+if [ -z ${1:-} ]; then
+    echo "Usage: set_admin_user.sh user_to_set_as_admin"
+    exit 1
+fi
+
+ynh_psql_execute_as_root --database=$db_name --sql="UPDATE users SET admin = 1 WHERE name = '@$1:$server_name'"
+
+exit 0
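Review bot: `$1` is spliced directly into the SQL on the `ynh_psql_execute_as_root` line (`WHERE name = '@$1:$server_name'`), so a username containing a quote breaks the statement and anything after it runs as the database superuser; validate the localpart before use, e.g. `[[ "$1" =~ ^[a-z0-9._=/+-]+$ ]] || { echo "invalid localpart"; exit 1; }`, which is also the character set Synapse accepts. Two robustness points: `[ -z ${1:-} ]` only works because the unquoted empty expansion collapses to `[ -z ]`; quote it as `[ -z "${1:-}" ]`. And an `UPDATE` for a non-existent user succeeds with 0 rows, so the script exits 0 for a misspelled name; check the row count (or `SELECT` first) and exit non-zero when nothing was changed. `db_user` and `db_pwd` are read but never used.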
diff --git a/sources/update_synapse_for_appservice.sh b/sources/update_synapse_for_appservice.sh
index 072c3ddb..bf6979cf 100644
--- a/sources/update_synapse_for_appservice.sh
+++ b/sources/update_synapse_for_appservice.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -eu
+
 app=__APP__
 service_config_file=/etc/matrix-$app/conf.d/app_service.yaml
 
@@ -21,7 +23,7 @@ chown matrix-$app /etc/matrix-$app/app-service/*
 chmod 600 $service_config_file
 chmod 600 /etc/matrix-$app/app-service/*
 
-systemctl restart matrix-$app
+systemctl restart $app.service
 
 if [ $? -eq 0 ]; then
     rm /tmp/app_service_backup.yaml
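Review bot: with `set -eu` now at the top of this file, the `if [ $? -eq 0 ]` test after `systemctl restart $app.service` is dead code: a failed restart aborts the script under `set -e` before the test runs, so the rest of the if/else block, including whatever uses `/tmp/app_service_backup.yaml`, is never reached on failure, which is exactly when the backup matters. Test the command directly instead: `if systemctl restart "$app.service"; then rm /tmp/app_service_backup.yaml; else ...; fi`.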
diff --git a/tests.toml b/tests.toml
new file mode 100644
index 00000000..eea65726
--- /dev/null
+++ b/tests.toml
@@ -0,0 +1,9 @@
+#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/tests.v1.schema.json
+
+test_format = 1.0
+
+[default]
+
+    test_upgrade_from.672791a51c1d239918562d7a0d4420ec137e6694.name = "Post app user creation (branch old_version_for_CI_7)"
+
+    test_upgrade_from.971f2eb590325fb1d6e1ca5723f59aacd639c9ce.name = "Before packaging v2 (branch old_version_for_CI_6)"