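#!/bin/bash
#
# install.sh - bootstrap a Matrix (Synapse) stack on an Ubuntu host:
# quiet needrestart, baseline packages, ufw rules, a coturn TURN server,
# Docker + docker compose, the matrix.service unit, an nginx reverse proxy
# and a Let's Encrypt certificate via certbot.
#
# Usage: ./install.sh <DOMAIN>
#
# Run as root from the checkout that holds config/, docker-compose.yaml,
# homeserver.yaml.db, coturn.service and matrix.service; the whole tree is
# copied to BASE_DIR and the script then works from there.
set -euo pipefail

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ${1:-} keeps `set -u` from aborting before the usage message is shown.
DOMAIN=${1:-}
if [[ -z "$DOMAIN" ]]; then
  echo "Script usage: ./install.sh <DOMAIN>"
  exit 1
fi

# DOMAIN is spliced into sed expressions, YAML, JSON and the nginx config
# below, so accept only hostname characters (letters, digits, '.', '-');
# anything else could break out of those contexts.
[[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
  || die "Invalid domain: ${DOMAIN}"

# apt, ufw, systemctl and every write under /etc need root.
(( EUID == 0 )) || die "This script must be run as root"

readonly BASE_DIR=/opt/matrix

# Create directory and copy configs + docker-compose YAML
# (the current directory is copied wholesale, so run from the repository root)
mkdir -p "${BASE_DIR}/db"
cp -R . "${BASE_DIR}"
cd "${BASE_DIR}" || die "Cannot cd to ${BASE_DIR}"

# needrestart's banners interrupt the apt runs below. The config file is
# absent on hosts without needrestart installed; skipping it there is harmless.
NEEDRESTART_CONF=/etc/needrestart/needrestart.conf
if [[ -f "$NEEDRESTART_CONF" ]]; then
  # Disable "Pending Kernel upgrade" banner
  sed -i "s|#\$nrconf{kernelhints} = -1;|\$nrconf{kernelhints} = -1;|g" "$NEEDRESTART_CONF"
  # Disable "Daemon Using Outdated Libraries" banner
  sed -i "s|#\$nrconf{restart} = 'i';|\$nrconf{restart} = 'a';|g" "$NEEDRESTART_CONF"
fi

# Baseline utils
printf '%s\n\n' "Installing baseline utils"
apt update
apt upgrade -y
apt install -y ca-certificates curl pwgen nginx python3-certbot-nginx ufw coturn

# Open only needed ports
printf '%s\n\n' "Opening ports and enabling ufw"

# SSH - allowed before ufw is enabled so the session running this is not cut off
ufw allow 22/tcp

# Nginx (HTTP/HTTPS) plus 8448, the extra TLS listener added for federation below
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8448/tcp

# Coturn Ports: listeners plus a wide UDP range (presumably the relay range
# set in config/turnserver.conf - verify both agree)
ufw allow 3478/udp
ufw allow 5443/udp
ufw allow 49152:65535/udp

# Enable firewall
ufw --force enable

# Configure Coturn TURN server
printf '%s\n\n' "Install and configure coturn server"

echo "TURNSERVER_ENABLED=1" > /etc/default/coturn
cp config/turnserver.conf /etc/

# Generated secrets. `pwgen -s` emits letters and digits only, so the values
# can be used as sed replacement text without escaping. An explicit count of 1
# is used for every call (the original mixed `-1` and `1`).
TURN_PWD=$(pwgen -s 28 1)
TURN_STATIC_SECRET=$(pwgen -s 64 1)

# Public address that replaces the EXTERNAL_IP placeholder in turnserver.conf.
# -f makes an HTTP error fail the script instead of silently writing an error
# page into the config; the value is then required to be a dotted quad.
EXTERNAL_IP=$(curl -fsS https://checkip.amazonaws.com)
EXTERNAL_IP=${EXTERNAL_IP//[[:space:]]/}
[[ "$EXTERNAL_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
  || die "Could not determine external IPv4 address (got: ${EXTERNAL_IP})"

# NOTE: the secrets pass through sed's argument list and are briefly visible
# to other local users via the process table.
sed -i "s|DOMAIN|${DOMAIN}|g" /etc/turnserver.conf
sed -i "s|TURN_PWD|${TURN_PWD}|g" /etc/turnserver.conf
sed -i "s|EXTERNAL_IP|${EXTERNAL_IP}|g" /etc/turnserver.conf
sed -i "s|STATIC_SECRET|${TURN_STATIC_SECRET}|g" /etc/turnserver.conf

# Custom coturn SystemD service file to allow coturn access to Letsencrypt SSL certs
cp "${BASE_DIR}/coturn.service" /lib/systemd/system/coturn.service
systemctl daemon-reload

# Add Docker's official GPG key
printf '%s\n\n' "Install docker"

install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to APT sources (pinned to the key installed above)
DEB_ARCH=$(dpkg --print-architecture)
OS_CODENAME=$(. /etc/os-release && echo "${VERSION_CODENAME}")
printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu %s stable\n' \
  "$DEB_ARCH" "$OS_CODENAME" > /etc/apt/sources.list.d/docker.list
apt update

# Install docker
apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Create docker networks: `matrix_server` for the application containers
# (nginx below proxies to fixed 10.10.10.x addresses on it) and `matrix_db`
# for the database, created --internal so it gets no external routing.
printf '%s\n\n' "Create docker network"

docker network create --driver=bridge --subnet=10.10.10.0/24 --gateway=10.10.10.1 matrix_server
docker network create --driver=bridge --subnet=10.100.0.0/24 --gateway=10.100.0.1 --internal matrix_db

# Randomly pick a DB password
PG_PASS=$(pwgen -s 28 1)

# Replace PG_PASS Password and DOMAIN in docker compose YAML
sed -i "s|DOMAIN|${DOMAIN}|g" "${BASE_DIR}/docker-compose.yaml"
sed -i "s|PG_PASS|${PG_PASS}|g" "${BASE_DIR}/docker-compose.yaml"

# Generate synapse file
printf '%s\n\n' "Generating synapse file.."
docker compose run --rm -e SYNAPSE_SERVER_NAME="${DOMAIN}" -e SYNAPSE_REPORT_STATS=yes synapse generate

# Replace DB config in Synapse's homeserver.yaml
printf '%s\n\n' "Configuring homeserver.yaml"

# Granting all read permissions to the <DOMAIN>.* files `synapse generate` created.
# NOTE(review): if the generated signing key matches this glob it becomes
# world-readable too - confirm that is acceptable or narrow the mode to the
# container's user.
chmod 444 "${BASE_DIR}/config/synapse/${DOMAIN}".*

# Config homeserver.yaml: drop the last line, then splice homeserver.yaml.db
# (relative to BASE_DIR, the cwd) in place of lines 22-25 of the generated
# file. This depends on the line layout `synapse generate` produces, so
# re-check it after a Synapse upgrade.
sed -i '$ d' "${BASE_DIR}/config/synapse/homeserver.yaml"
# Use a private temp file instead of a fixed /tmp path, and copy (not move)
# the result back so the target file keeps its ownership and mode.
HS_TMP=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$HS_TMP"' EXIT
sed -e '22r homeserver.yaml.db' -e '22,25d' "${BASE_DIR}/config/synapse/homeserver.yaml" > "$HS_TMP"
cp "$HS_TMP" "${BASE_DIR}/config/synapse/homeserver.yaml"

# Configure User Directory and TURN.
# NOTE(review): the retention block sets every lifetime to 1s - confirm that
# near-immediate purging of message history is intended.
cat <<EOF >> "${BASE_DIR}/config/synapse/homeserver.yaml"
user_directory:
  enabled: true
  search_all_users: true
  prefer_local_users: true
  show_locked_users: true
turn_allow_guests: False
turn_user_lifetime: 86400000
turn_shared_secret: "${TURN_STATIC_SECRET}"
turn_uris: [ "turn:${DOMAIN}?transport=udp" ]
suppress_key_server_warning: true
retention:
  enabled: true
  default_policy:
    min_lifetime: 1s
    max_lifetime: 1s
  allowed_lifetime_min: 1s
  allowed_lifetime_max: 1s
EOF

# Replace Password in homeserver.yaml
sed -i "s|PG_PASS|${PG_PASS}|g" "${BASE_DIR}/config/synapse/homeserver.yaml"

# Replace Sliding Sync key (hex output, safe to splice into sed)
SLIDING_SYNC_KEY=$(openssl rand -hex 32)
sed -i "s|SLIDING_SYNC_KEY|${SLIDING_SYNC_KEY}|g" "${BASE_DIR}/docker-compose.yaml"

# Replace domain in element config
sed -i "s|DOMAIN|${DOMAIN}|g" "${BASE_DIR}/config/element/element-config.json"

# Copy SystemD file and start the service
printf '%s\n\n' "Setting up SystemD service"

cp "${BASE_DIR}/matrix.service" /etc/systemd/system/
systemctl daemon-reload
systemctl enable --now matrix.service

# Configure Nginx. Written as the plain-HTTP site; certbot converts it to TLS
# below. Shell expands ${DOMAIN} inside the heredoc, while \$... keeps nginx's
# own variables literal.
# NOTE(review): the Content-Security-Policy allows http:, https:,
# 'unsafe-inline' and 'unsafe-eval', which makes it largely advisory; tighten
# it once the frontends' actual requirements are known.
printf '%s\n\n' "Configuring nginx"

cat <<EOF > /etc/nginx/sites-enabled/default
server {
  listen 80;
  server_name ${DOMAIN};

  # Hardening
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
  add_header Content-Security-Policy "default-src 'self' ${DOMAIN} http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
  add_header X-Frame-Options "SAMEORIGIN";

  location /.well-known/matrix/client {
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '{"m.homeserver": {"base_url": "https://${DOMAIN}"}, "org.matrix.msc3575.proxy": {"url": "https://${DOMAIN}"}}';
  }

  # Admin panel
  location /admin/ {
    proxy_pass http://10.10.10.6/;
    proxy_set_header X-Forwarded-For \$remote_addr;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header Host \$host;
    proxy_http_version 1.1;
  }

  # Sydent identity server
  location ~ ^(/_matrix/identity) {
    proxy_pass http://10.10.10.5:8090;
    proxy_set_header X-Forwarded-For \$remote_addr;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header Host \$host;
    proxy_http_version 1.1;
  }

  # Sliding Sync
  location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) {
    proxy_pass http://10.10.10.7:8008;
    proxy_set_header X-Forwarded-For \$remote_addr;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header Host \$host;
  }

  # Synapse Backend
  location ~ ^(\/_matrix|\/_synapse\/(client|admin)) {
    # Synapse Container Network IP
    proxy_pass http://10.10.10.4:8008;
    proxy_set_header X-Forwarded-For \$remote_addr;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header Host \$host;
    client_max_body_size 50M;
    proxy_http_version 1.1;
  }

  # Hydrogen web
  location ~ ^/(hydrogen|assets) {
    rewrite /hydrogen/(.*) /\$1 break;
    proxy_pass http://10.10.10.8:8080;
    proxy_set_header X-Forwarded-For \$remote_addr;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header Host \$host;
    client_max_body_size 50M;
    proxy_http_version 1.1;
  }

  # Element Frontend
  location / {
    # Element chat Container Network IP
    proxy_pass http://10.10.10.3;
    proxy_set_header X-Forwarded-For \$remote_addr;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header Host \$host;

    # Nginx by default only allows file uploads up to 1M in size
    # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
    client_max_body_size 50M;

    # Synapse responses may be chunked, which is an HTTP/1.1 feature.
    proxy_http_version 1.1;
  }
}
EOF

systemctl restart nginx
systemctl enable --now nginx

printf '%s\n\n' "Generate SSL cert"
# --register-unsafely-without-email: no expiry or security notices will be
# received from Let's Encrypt for this account.
certbot --nginx -d "${DOMAIN}" --agree-tos --register-unsafely-without-email

# Add custom 8448 SSL port for Matrix Federation, right after the
# `listen 443 ssl` line certbot inserted.
sed -i '/listen\ 443\ ssl/a\\tlisten\ 8448\ ssl\;' /etc/nginx/sites-enabled/default
nginx -s reload

# Enable coturn
systemctl enable --now coturn

# Finally, start services
# Ensuring the DB dir is clean before bootstrapping
# (the unit was already enabled above; repeating enable --now is harmless)
systemctl enable --now matrix.service

# Add certbot SSL cert renewal to crontab.
# `crontab -l` exits non-zero when root has no crontab yet, which would abort
# the script under pipefail, so that case is tolerated explicitly.
{ crontab -l 2>/dev/null || true; echo '43 6 * * * certbot renew --post-hook "systemctl reload nginx"'; } | crontab -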