Add Synapse-Admin (#51)

* Update backups to use new eOS APIs * latest synapse upstream version * Add vps build * Introducing Synapse-Admin * persist config and timing bump * multiple config changes (#50) * disable federation health check if federation disabled * add back privoxy settings * persist config and timing bump * singel equals * nginx config fix * Add admin interface * disable federation port * fix nginx creation * secure synapse and seperate admin * clean for vps tar image * release-notes update * config fix * only client and federation * fix email * fix health check, better naming, better instructions * timeout adjustments and fresh install fix --------- Co-authored-by: Mariusz Kogen <[email protected]> Co-authored-by: Matt Hill <[email protected]>
Start9Labs · Feb 23, 2023 · f46ca57 · f46ca57
1 parent 6c0a41e
commit f46ca57
Show file tree

Hide file tree

Showing 18 changed files with 305 additions and 186 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,7 +1,7 @@
 .env/
 synapse.s9pk
 image.tar
-base-image.tar
+synapse-vps.tar
 .vscode/
 .DS_Store
 scripts/*.js

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,6 @@
-FROM matrixdotorg/synapse:v1.74.0
+FROM awesometechnologies/synapse-admin:0.8.7 as synapse-admin
+
+FROM matrixdotorg/synapse:v1.75.0
 
 ARG PLATFORM
 ENV YQ_VER v4.3.2
@@ -28,9 +30,9 @@ RUN wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/
     && chmod a+x /usr/local/bin/yq
 
 ADD ./www /var/www
+COPY --from=synapse-admin /app /var/www/admin
 ADD ./cert.conf /etc/ssl/cert.conf
 ADD ./priv-config-forward-onion /root
-ADD ./priv-config-forward-all /root
 ADD ./docker_entrypoint.sh /usr/local/bin/docker_entrypoint.sh
 RUN chmod a+x /usr/local/bin/docker_entrypoint.sh
 ADD ./check-federation.sh /usr/local/bin/check-federation.sh
@@ -39,11 +41,12 @@ ADD ./user-signups-off.sh /usr/local/bin/user-signups-off.sh
 RUN chmod a+x /usr/local/bin/user-signups-off.sh
 ADD ./configurator.py /configurator.py
 RUN chmod a+x /configurator.py
+RUN sed -i 's#timeout=10000#timeout=20000#g' /usr/local/lib/python3*/site-packages/synapse/crypto/keyring.py
+RUN sed -i 's#timeout=10000#timeout=20000#g' /usr/local/lib/python3*/site-packages/synapse/federation/transport/client.py
+RUN sed -i 's#timeout=10000#timeout=20000#g' /usr/local/lib/python3*/site-packages/synapse/federation/federation_client.py
 
 WORKDIR /data
 
 RUN mkdir /run/nginx
 
 EXPOSE 8448 443 80
-
-ENTRYPOINT ["/usr/local/bin/docker_entrypoint.sh"]
diff --git a/Dockerfile.vps b/Dockerfile.vps
@@ -0,0 +1,5 @@
+FROM matrixdotorg/synapse:v1.75.0
+
+RUN sed -i 's#timeout=10000#timeout=20000#g' /usr/local/lib/python3*/site-packages/synapse/crypto/keyring.py
+RUN sed -i 's#timeout=10000#timeout=20000#g' /usr/local/lib/python3*/site-packages/synapse/federation/transport/client.py
+RUN sed -i 's#timeout=10000#timeout=20000#g' /usr/local/lib/python3*/site-packages/synapse/federation/federation_client.py
diff --git a/Makefile b/Makefile
@@ -7,7 +7,7 @@ TS_FILES := $(shell find ./ -name \*.ts)
 all: verify
 
 install:
-ifeq (,$(wildcard ~/.embassy/config.yaml1))
+ifeq (,$(wildcard ~/.embassy/config.yaml))
 	@echo; echo "You must define \"host: http://embassy-server-name.local\" in ~/.embassy/config.yaml config file first"; echo
 else
 	embassy-cli package install $(PKG_ID).s9pk
@@ -18,6 +18,7 @@ clean:
 	rm -f $(PKG_ID).s9pk
 	rm -f scripts/*.js
 	rm -rf docker-images
+	rm -f synapse-vps.tar
 
 verify: $(PKG_ID).s9pk
 	@embassy-sdk verify s9pk $(PKG_ID).s9pk
@@ -34,14 +35,14 @@ else
 endif
 	@embassy-sdk pack
 
-docker-images/aarch64.tar: Dockerfile docker_entrypoint.sh check-federation.sh priv-config-forward-all priv-config-forward-onion configurator.py $(shell find ./www)
+docker-images/aarch64.tar: Dockerfile docker_entrypoint.sh check-federation.sh priv-config-forward-onion configurator.py $(shell find ./www)
 ifeq ($(ARCH),x86_64)
 else
 	mkdir -p docker-images
 	DOCKER_CLI_EXPERIMENTAL=enabled docker buildx build --build-arg PLATFORM=arm64 --tag start9/$(PKG_ID)/main:$(PKG_VERSION) --platform=linux/arm64 -o type=docker,dest=docker-images/aarch64.tar .
 endif
 
-docker-images/x86_64.tar: Dockerfile docker_entrypoint.sh check-federation.sh priv-config-forward-all priv-config-forward-onion configurator.py $(shell find ./www)
+docker-images/x86_64.tar: Dockerfile docker_entrypoint.sh check-federation.sh priv-config-forward-onion configurator.py $(shell find ./www)
 ifeq ($(ARCH),aarch64)
 else
 	mkdir -p docker-images
@@ -50,3 +51,7 @@ endif
 
 scripts/embassy.js: $(TS_FILES)
 	deno bundle scripts/embassy.ts scripts/embassy.js
+
+vps: Dockerfile.vps
+	DOCKER_CLI_EXPERIMENTAL=enabled docker buildx build --build-arg PLATFORM=amd64 -f Dockerfile --tag matrixdotorg/synapse:v$(PKG_VERSION) --platform=linux/amd64 -o type=docker,dest=synapse-vps.tar .
+
diff --git a/check-federation.sh b/check-federation.sh
@@ -1,10 +1,16 @@
 #!/bin/bash
 
+FEDERATION=$(yq e '.federation' /data/start9/config.yaml)
+
+if [ $FEDERATION = 'false' ]; then
+    exit 59
+fi
+
 DURATION=$(</dev/stdin)
-if (($DURATION <= 30000 )); then
+if (($DURATION <= 40000 )); then
     exit 60
 else
-    curl -s -k https://synapse.embassy/_matrix/federation/v1/version &>/dev/null
+    curl -skf https://synapse.embassy/_matrix/federation/v1/version &>/dev/null
     exit_code=$?
     if test "$exit_code" != 0; then
         echo "Homeserver is unreachable" >&2

diff --git a/configurator.py b/configurator.py
@@ -22,20 +22,17 @@ def main():
         s9.close()
 
     homeserver_cfg["public_baseurl"] = "http://" + os.getenv("TOR_ADDRESS")
-    if s9_cfg.get("enable-registration"):
+    if s9_cfg.get("advanced").get("enable-registration"):
         homeserver_cfg["enable_registration"] = True
     else:
         homeserver_cfg["enable_registration"] = False
 
     homeserver_email_cfg = None
     if s9_cfg.get("email-notifications").get("enabled") == "true":
-        s9_email_cfg = s9_cfg.get("email-notifications").get("smtp-settings")
+        s9_email_cfg = s9_cfg.get("email-notifications")
         homeserver_email_cfg = {
             "enable_notifs": True,
             "notif_from": s9_email_cfg["from-name"]
-            + "<"
-            + s9_email_cfg["smtp-user"]
-            + ">",
         }
         for s9_key in EMAIL_CFG_KEYS:
             if s9_email_cfg.get(s9_key):
@@ -49,6 +46,22 @@ def main():
         stats = {
             "version": 2,
             "data": {
+                "Admin Username": {
+                    "type": "string",
+                    "value": "admin",
+                    "description": "Username for your Admin Portal",
+                    "copyable": True,
+                    "qr": False,
+                    "masked": False,
+                },
+                "Admin Password": {
+                    "type": "string",
+                    "value": os.popen("cat /data/start9/adm.key").read().strip(),
+                    "description": "Password for your Admin Portal",
+                    "copyable": True,
+                    "qr": False,
+                    "masked": True,
+                },
                 "SSL Cert SHA256 Fingerprint": {
                     "type": "string",
                     "value": os.popen(
@@ -61,7 +74,7 @@ def main():
                     "copyable": True,
                     "qr": False,
                     "masked": False,
-                }
+                },
             },
         }
         yaml.dump(stats, s)

diff --git a/docker_entrypoint.sh b/docker_entrypoint.sh
@@ -4,7 +4,7 @@ set -e
 
 export HOST_IP=$(ip -4 route list match 0/0 | awk '{print $3}')
 export TOR_ADDRESS=$(yq e '.tor-address' /data/start9/config.yaml)
-export TIMEOUT=20000
+FEDERATION=$(yq e '.federation' /data/start9/config.yaml)
 echo "$HOST_IP   tor" >> /etc/hosts
 
 if ! [ -f /data/homeserver.yaml ]; then
@@ -25,19 +25,22 @@ EOF
     yq e -i ".listeners[0].bind_addresses = [\"127.0.0.1\"]" /data/homeserver.yaml
 fi
 
-echo "" > /etc/nginx/conf.d/default.conf
-cat >> /etc/nginx/conf.d/default.conf <<"EOT"
+cat << EOT > /etc/nginx/conf.d/default.conf
 server_names_hash_bucket_size 128;
 server {
     listen 80;
     listen 443 ssl;
+EOT
+if [ $FEDERATION = "true" ]; then
+cat << EOT >> /etc/nginx/conf.d/default.conf
     listen 8448 ssl;
+EOT
+fi
+cat << "EOT" >> /etc/nginx/conf.d/default.conf
     ssl_certificate /mnt/cert/main.cert.pem;
     ssl_certificate_key /mnt/cert/main.key.pem;
-EOT
-echo "    server_name ${TOR_ADDRESS};" >> /etc/nginx/conf.d/default.conf
-cat >> /etc/nginx/conf.d/default.conf <<"EOT"
-    root /var/www;
+    server_name TOR_ADDRESS;
+    root /var/www/synapse;
     location ~* ^(\/_matrix|\/_synapse\/client) {
         proxy_pass http://127.0.0.1:8008;
         proxy_set_header X-Forwarded-For $remote_addr;
@@ -49,24 +52,31 @@ cat >> /etc/nginx/conf.d/default.conf <<"EOT"
         client_max_body_size 50M;
     }
 }
+server {
+    listen 8080;
+    listen 4433 ssl;
+    ssl_certificate /mnt/cert/admin.cert.pem;
+    ssl_certificate_key /mnt/cert/admin.key.pem;
+    server_name synapse-admin;
+    root /var/www/admin;
+    location ~* ^(\/_matrix|\/_synapse\/client|\/_synapse\/admin) {
+        proxy_pass http://127.0.0.1:8008;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+    }
+}
 EOT
-
-cat /var/www/index.html.template > /var/www/index.html
-
-if [ "$(yq e ".advanced.tor-only-mode" /data/start9/config.yaml)" = "true" ]; then
-    cp /root/priv-config-forward-all /etc/privoxy/config
-else
-    cp /root/priv-config-forward-onion /etc/privoxy/config
-fi
-
+sed -i 's#TOR_ADDRESS#'$TOR_ADDRESS'#g' /etc/nginx/conf.d/default.conf
 
 if [ "$1" = "reset-first-user" ]; then
     query() {
         sqlite3 /data/homeserver.db "$*"
     }
     password=$(cat /dev/urandom | base64 | head -c 16)
     hashed_password=$(hash_password -p "$password" -c "/data/homeserver.yaml")
-    first_user_name=$(query "select name from users where creation_ts = (select min(creation_ts) from users) limit 1;")
+    first_user_name=$(query "SELECT name FROM users WHERE creation_ts = (SELECT MIN(creation_ts) FROM users) AND name NOT LIKE '@admin:%' LIMIT 1;")
+#    first_user_name=$(query "select name from users where creation_ts = (select min(creation_ts) from users) limit 1;")
     query "update users set password_hash=\"$hashed_password\" where name=\"$first_user_name\""
     cat << EOF
 {
@@ -82,12 +92,33 @@ fi
 
 python /configurator.py
 #Fixes and last minute config changes
-echo "enable_registration_without_verification: true" >> /data/homeserver.yaml
-echo "suppress_key_server_warning: true" >> /data/homeserver.yaml
-sed -i 's#timeout=10000#timeout='$TIMEOUT'#g' /usr/local/lib/python3*/site-packages/synapse/crypto/keyring.py
-sed -i 's#timeout=10000#timeout='$TIMEOUT'#g' /usr/local/lib/python3*/site-packages/synapse/federation/transport/client.py
-sed -i 's#timeout=10000#timeout='$TIMEOUT'#g' /usr/local/lib/python3*/site-packages/synapse/federation/federation_client.py
+
+if [ -e /data/start9/adm.key ]; then
+    echo "Synapse-admin user found! Continuing ..."
+else
+    echo
+    echo "Synapse-admin user not found. Creating ..."
+    echo
+    admin_password=$(cat /dev/urandom | base64 | head -c 16)
+    timeout 25s /start.py &
+    sleep 20
+    register_new_matrix_user --config /data/homeserver.yaml --user admin --password $admin_password --admin
+    echo $admin_password > /data/start9/adm.key
+    python /configurator.py
+fi
+
+if [ $FEDERATION = "true" ]; then
+echo "Federation enabled"
+    yq e -i '.listeners[0].resources[0].names |= ["client", "federation"]' /data/homeserver.yaml
+    yq e -i 'del(.federation_domain_whitelist)' /data/homeserver.yaml
+else
+echo "Federation disabled"
+    yq e -i '.listeners[0].resources[0].names |= ["client"]' /data/homeserver.yaml
+    yq e -i ".federation_domain_whitelist = []" /data/homeserver.yaml
+fi
+yq e -i ".enable_registration_without_verification = true" /data/homeserver.yaml
+yq e -i ".suppress_key_server_warning = true" /data/homeserver.yaml
 nginx
-privoxy /etc/privoxy/config
+privoxy /root/priv-config-forward-onion
 export https_proxy="127.0.0.1:8118"
 exec tini /start.py