gattes
/
matrix
Слідкувати 1
В обрані 0
Форк 0
Код Проблеми 0 Запити на злиття 0 Релізи 0 Вікі Активність
Matrix server automated install
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
11 Коміти
1 Гілка
Дерево: 969187d956
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з '969187d956'
${ noResults }
matrix/install.sh

install.sh 7.1KB
Історія Неформатований

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229 
  1. #!/bin/bash

  2. 

  3. set -euo pipefail

  4. 

  5. DOMAIN=$1

  6. if [ -z ${DOMAIN} ]; then

  7.     echo "Script usage: ./install.sh <DOMAIN>"

  8.     return 1

  9. fi

  10. 

  11. BASE_DIR=/opt/matrix

  12. 

  13. # Create directory and copy configs + docker-compose YAML

  14. mkdir -p ${BASE_DIR}/db

  15. cp -R . ${BASE_DIR}

  16. cd ${BASE_DIR}

  17. 

  18. # Disable "Pending Kernel upgrade" banner

  19. sed -i "s|#\$nrconf{kernelhints} = -1;|\$nrconf{kernelhints} = -1;|g" /etc/needrestart/needrestart.conf

  20. 

  21. # Disable "Daemon Using Outdated Libraries" banner

  22. sed -i "s|#\$nrconf{restart} = 'i';|\$nrconf{restart} = 'a';|g" /etc/needrestart/needrestart.conf

  23. 

  24. # Baseline utils

  25. echo -e "Installing baseline utils\n"

  26. apt update

  27. apt upgrade -y

  28. apt install -y ca-certificates curl pwgen nginx python3-certbot-nginx ufw coturn

  29. 

  30. # Open only needed ports

  31. echo -e "Opening ports and enabling ufw\n"

  32. # SSH

  33. ufw allow 22/tcp

  34. 

  35. # Nginx (HTTP/HTTPS)

  36. ufw allow 80/tcp        

  37. ufw allow 443/tcp

  38. ufw allow 8448/tcp

  39. 

  40. # Coturn Ports

  41. ufw allow 3478/udp

  42. ufw allow 5443/udp

  43. ufw allow 49152:65535/udp

  44. 

  45. # Enable firewall

  46. ufw --force enable

  47. 

  48. # Configure Coturn TURN server

  49. echo -e "Install and configure coturn server\n"

  50. 

  51. echo "TURNSERVER_ENABLED=1" > /etc/default/coturn

  52. cp config/turnserver.conf /etc/

  53. 

  54. TURN_PWD=$(pwgen -s 28 -1)

  55. TURN_STATIC_SECRET=$(pwgen -s 64 1)

  56. EXTERNAL_IP=$(curl -s checkip.amazonaws.com)

  57. 

  58. sed -i "s|DOMAIN|${DOMAIN}|g" /etc/turnserver.conf

  59. sed -i "s|TURN_PWD|${TURN_PWD}|g" /etc/turnserver.conf

  60. sed -i "s|EXTERNAL_IP|${EXTERNAL_IP}|g" /etc/turnserver.conf

  61. sed -i "s|STATIC_SECRET|${TURN_STATIC_SECRET}|g" /etc/turnserver.conf

  62. 

  63. # Custom coturn SystemD service file to allow coturn access to Letsencrypt SSL certs

  64. cp "${BASE_DIR}/coturn.service" /lib/systemd/system/coturn.service

  65. systemctl daemon-reload

  66. 

  67. # Add Docker's official GPG key

  68. echo -e "Install docker\n"

  69. 

  70. install -m 0755 -d /etc/apt/keyrings

  71. curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc

  72. chmod a+r /etc/apt/keyrings/docker.asc

  73. 

  74. # Add the repository to APT sources

  75. echo \

  76.   "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \

  77.   $(. /etc/os-release && echo "${VERSION_CODENAME}") stable" | \

  78.   tee /etc/apt/sources.list.d/docker.list > /dev/null

  79. apt update

  80. 

  81. # Install docker

  82. apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

  83. 

  84. # Create docker network `matrix_server`

  85. echo -e "Create docker network\n"

  86. 

  87. docker network create --driver=bridge --subnet=10.10.10.0/24 --gateway=10.10.10.1 matrix_server

  88. 

  89. # Randomly pick a DB password

  90. PG_PASS=$(pwgen -s 28 -1)

  91. 

  92. # Replace PG_PASS Password and DOMAIN in docker compose YAML

  93. sed -i "s|DOMAIN|${DOMAIN}|g" "${BASE_DIR}/docker-compose.yaml"

  94. sed -i "s|PG_PASS|${PG_PASS}|g" "${BASE_DIR}/docker-compose.yaml"

  95. 

  96. # Generate synapse file

  97. echo -e "Generating synapse file..\n"

  98. docker compose run --rm -e SYNAPSE_SERVER_NAME=${DOMAIN} -e SYNAPSE_REPORT_STATS=yes synapse generate

  99. 

  100. # Replace DB config in Synapse's homeserver.yaml

  101. echo -e "Configuring homeserver.yaml\n"

  102. 

  103. # Granting all read permissions to cert files

  104. chmod 444 ${BASE_DIR}/config/synapse/${DOMAIN}.*

  105. 

  106. # Config homeserver.yaml

  107. sed -i '$ d' "${BASE_DIR}/config/synapse/homeserver.yaml"

  108. sed -e '22r homeserver.yaml.db' -e '22,25d' "${BASE_DIR}/config/synapse/homeserver.yaml" > /tmp/homeserver.yaml

  109. cp /tmp/homeserver.yaml "${BASE_DIR}/config/synapse/homeserver.yaml"

  110. 

  111. # Configure User Directory and TURN

  112. cat <<EOF >> "${BASE_DIR}/config/synapse/homeserver.yaml"

  113. user_directory:

  114.     enabled: true

  115.     search_all_users: true

  116.     prefer_local_users: true

  117.     show_locked_users: true

  118. turn_allow_guests: False

  119. turn_user_lifetime: 86400000

  120. turn_shared_secret: "${TURN_STATIC_SECRET}"

  121. turn_uris: [ "turn:${DOMAIN}?transport=udp" ]

  122. suppress_key_server_warning: true

  123. EOF

  124. 

  125. # Replace Password in homeserver.yaml

  126. sed -i "s|PG_PASS|${PG_PASS}|g" "${BASE_DIR}/config/synapse/homeserver.yaml"

  127. 

  128. # Replace Sliding Sync key

  129. SLIDING_SYNC_KEY=$(openssl rand -hex 32)

  130. sed -i "s|SLIDING_SYNC_KEY|${SLIDING_SYNC_KEY}|g" "${BASE_DIR}/docker-compose.yaml"

  131. 

  132. # Replace domain in element config

  133. sed -i "s|DOMAIN|${DOMAIN}|g" "${BASE_DIR}/config/element/element-config.json"

  134. 

  135. # Copy SystemD file and start the service

  136. echo -e "Setting up SystemD service\n"

  137. 

  138. cp "${BASE_DIR}/matrix.service" /etc/systemd/system/

  139. systemctl daemon-reload

  140. systemctl enable --now matrix.service

  141. 

  142. # Configure Nginx

  143. echo -e "Configuring nginx\n"

  144. 

  145. cat <<EOF > /etc/nginx/sites-enabled/default

  146. server {

  147.     listen 80;

  148.     server_name ${DOMAIN};

  149. 

  150.     location /.well-known/matrix/client {

  151.         default_type application/json;

  152.         add_header Access-Control-Allow-Origin *;

  153.         return 200 '{"m.homeserver": {"base_url": "https://${DOMAIN}"}, "org.matrix.msc3575.proxy": {"url": "https://${DOMAIN}"}}';

  154.     }

  155. 

  156.     # Admin panel

  157.     location /admin/ {

  158.         proxy_pass http://10.10.10.6/;

  159.         proxy_set_header X-Forwarded-For \$remote_addr;

  160.         proxy_set_header X-Forwarded-Proto \$scheme;

  161.         proxy_set_header Host \$host;

  162.         proxy_http_version 1.1;

  163.     }

  164. 

  165.     # Sydent identity server

  166.     location ~ ^(/_matrix/identity) {

  167.         proxy_pass http://10.10.10.5:8090;

  168.         proxy_set_header X-Forwarded-For \$remote_addr;

  169.         proxy_set_header X-Forwarded-Proto \$scheme;

  170.         proxy_set_header Host \$host;

  171.         proxy_http_version 1.1;

  172.     }

  173. 

  174.     # Sliding Sync

  175.     location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) {

  176.         proxy_pass http://10.10.10.7:8008;

  177.         proxy_set_header X-Forwarded-For \$remote_addr;

  178.         proxy_set_header X-Forwarded-Proto \$scheme;

  179.         proxy_set_header Host \$host;

  180.     }

  181. 

  182.     # Synapse Backend

  183.     location ~ ^(\/_matrix|\/_synapse\/(client|admin)) {

  184.         # Synapse Container Network IP

  185.         proxy_pass http://10.10.10.4:8008;

  186.         proxy_set_header X-Forwarded-For \$remote_addr;

  187.         proxy_set_header X-Forwarded-Proto \$scheme;

  188.         proxy_set_header Host \$host;

  189.         client_max_body_size 50M;

  190.         proxy_http_version 1.1;

  191.     }

  192. 

  193.     # Element Frontend

  194.     location / {

  195.         # Element chat Container Network IP

  196.         proxy_pass http://10.10.10.3;

  197.         proxy_set_header X-Forwarded-For \$remote_addr;

  198.         proxy_set_header X-Forwarded-Proto \$scheme;

  199.         proxy_set_header Host \$host;

  200. 

  201.         # Nginx by default only allows file uploads up to 1M in size

  202.         # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml

  203.         client_max_body_size 50M;

  204.  

  205.         # Synapse responses may be chunked, which is an HTTP/1.1 feature.

  206.         proxy_http_version 1.1;

  207.     }

  208. }

  209. EOF

  210. 

  211. systemctl restart nginx

  212. systemctl enable --now nginx

  213. 

  214. echo -e "Generate SSL cert\n"

  215. certbot --nginx -d ${DOMAIN} --agree-tos --register-unsafely-without-email

  216. 

  217. # Add certbot SSL cert renewal to crontab

  218. crontab -l | { cat; echo '43 6 * * * certbot renew --post-hook "systemctl reload nginx"'; } | crontab -

  219. 

  220. # Add custom 8448 SSL port for Matrix Federation

  221. sed -i '/listen\ 443\ ssl/a\\tlisten\ 8448\ ssl\;' /etc/nginx/sites-enabled/default

  222. nginx -s reload

  223. 

  224. # Enable coturn

  225. systemctl enable --now coturn

  226. 

  227. # Finally, start services

  228. # Ensuring the DB dir is clean before bootstrapping

  229. systemctl enable --now matrix.service