gattes
/
matrix
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Aktiviteter
Matrix server automated install
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
23 Incheckningar
1 Gren
Träd: bf037fe2f9
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från 'bf037fe2f9'
${ noResults }
matrix/install.sh

install.sh 8.0KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255 
  1. #!/bin/bash

  2. 

  3. set -eo pipefail

  4. 

  5. DOMAIN=$1

  6. if [ -z ${DOMAIN} ]; then

  7.     echo "Script usage: ./install.sh <DOMAIN>"

  8.     return 1

  9. fi

  10. 

  11. BASE_DIR=/opt/matrix

  12. 

  13. # Create directory and copy configs + docker-compose YAML

  14. mkdir -p ${BASE_DIR}/db

  15. cp -R . ${BASE_DIR}

  16. cd ${BASE_DIR}

  17. 

  18. # Disable "Pending Kernel upgrade" banner

  19. sed -i "s|#\$nrconf{kernelhints} = -1;|\$nrconf{kernelhints} = -1;|g" /etc/needrestart/needrestart.conf

  20. 

  21. # Disable "Daemon Using Outdated Libraries" banner

  22. sed -i "s|#\$nrconf{restart} = 'i';|\$nrconf{restart} = 'a';|g" /etc/needrestart/needrestart.conf

  23. 

  24. # Baseline utils

  25. echo -e "Installing baseline utils\n"

  26. apt update

  27. apt upgrade -y

  28. apt install -y ca-certificates curl pwgen nginx python3-certbot-nginx ufw coturn

  29. 

  30. # Open only needed ports

  31. echo -e "Opening ports and enabling ufw\n"

  32. # SSH

  33. ufw allow 22/tcp

  34. 

  35. # Nginx (HTTP/HTTPS)

  36. ufw allow 80/tcp        

  37. ufw allow 443/tcp

  38. ufw allow 8448/tcp

  39. 

  40. # Coturn Ports

  41. ufw allow 3478/udp

  42. ufw allow 5443/udp

  43. ufw allow 49152:65535/udp

  44. 

  45. # Enable firewall

  46. ufw --force enable

  47. 

  48. # Configure Coturn TURN server

  49. echo -e "Install and configure coturn server\n"

  50. 

  51. echo "TURNSERVER_ENABLED=1" > /etc/default/coturn

  52. cp config/turnserver.conf /etc/

  53. 

  54. TURN_PWD=$(pwgen -s 28 -1)

  55. TURN_STATIC_SECRET=$(pwgen -s 64 1)

  56. EXTERNAL_IP=$(curl -s checkip.amazonaws.com)

  57. 

  58. sed -i "s|DOMAIN|${DOMAIN}|g" /etc/turnserver.conf

  59. sed -i "s|TURN_PWD|${TURN_PWD}|g" /etc/turnserver.conf

  60. sed -i "s|EXTERNAL_IP|${EXTERNAL_IP}|g" /etc/turnserver.conf

  61. sed -i "s|STATIC_SECRET|${TURN_STATIC_SECRET}|g" /etc/turnserver.conf

  62. 

  63. # Custom coturn SystemD service file to allow coturn access to Letsencrypt SSL certs

  64. cp "${BASE_DIR}/coturn.service" /lib/systemd/system/coturn.service

  65. systemctl daemon-reload

  66. 

  67. # Add Docker's official GPG key

  68. echo -e "Install docker\n"

  69. 

  70. install -m 0755 -d /etc/apt/keyrings

  71. curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc

  72. chmod a+r /etc/apt/keyrings/docker.asc

  73. 

  74. # Add the repository to APT sources

  75. echo \

  76.   "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \

  77.   $(. /etc/os-release && echo "${VERSION_CODENAME}") stable" | \

  78.   tee /etc/apt/sources.list.d/docker.list > /dev/null

  79. apt update

  80. 

  81. # Install docker

  82. apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

  83. 

  84. # Create docker network `matrix_server`

  85. echo -e "Create docker network\n"

  86. 

  87. docker network create --driver=bridge --subnet=10.10.10.0/24 --gateway=10.10.10.1 matrix_server

  88. docker network create --driver=bridge --subnet=10.100.0.0/24 --gateway=10.100.0.1 --internal matrix_db

  89. 

  90. # Randomly pick a DB password

  91. PG_PASS=$(pwgen -s 28 -1)

  92. 

  93. # Replace PG_PASS Password and DOMAIN in docker compose YAML

  94. sed -i "s|DOMAIN|${DOMAIN}|g" "${BASE_DIR}/docker-compose.yaml"

  95. sed -i "s|PG_PASS|${PG_PASS}|g" "${BASE_DIR}/docker-compose.yaml"

  96. 

  97. # Generate synapse file

  98. echo -e "Generating synapse file..\n"

  99. docker compose run --rm synapse_homeserver --generate-config -H ${DOMAIN} -c /data/homeserver.yaml --report-stats=yes

  100. 

  101. # Replace DB config in Synapse's homeserver.yaml

  102. echo -e "Configuring homeserver.yaml\n"

  103. 

  104. # Granting all read permissions to cert files

  105. chmod 444 ${BASE_DIR}/config/synapse/${DOMAIN}.*

  106. 

  107. # Config homeserver.yaml

  108. sed -i '$ d' "${BASE_DIR}/config/synapse/homeserver.yaml"

  109. sed -e '22r homeserver.yaml.db' -e '22,25d' "${BASE_DIR}/config/synapse/homeserver.yaml" > /tmp/homeserver.yaml

  110. cp /tmp/homeserver.yaml "${BASE_DIR}/config/synapse/homeserver.yaml"

  111. 

  112. # Configure User Directory and TURN

  113. cat <<EOF >> "${BASE_DIR}/config/synapse/homeserver.yaml"

  114. user_directory:

  115.     enabled: true

  116.     search_all_users: true

  117.     prefer_local_users: true

  118.     show_locked_users: true

  119. turn_allow_guests: false

  120. turn_user_lifetime: 86400000

  121. turn_shared_secret: "${TURN_STATIC_SECRET}"

  122. turn_uris: [ "turn:${DOMAIN}?transport=udp" ]

  123. suppress_key_server_warning: true

  124. retention:

  125.   enabled: true

  126.   default_policy:

  127.     min_lifetime: 1s

  128.     max_lifetime: 1s

  129.   allowed_lifetime_min: 1s

  130.   allowed_lifetime_max: 1s

  131. EOF

  132. 

  133. # Replace Password in homeserver.yaml

  134. sed -i "s|PG_PASS|${PG_PASS}|g" "${BASE_DIR}/config/synapse/homeserver.yaml"

  135. 

  136. # Replace Sliding Sync key

  137. SLIDING_SYNC_KEY=$(openssl rand -hex 32)

  138. sed -i "s|SLIDING_SYNC_KEY|${SLIDING_SYNC_KEY}|g" "${BASE_DIR}/docker-compose.yaml"

  139. 

  140. # Replace domain in element config

  141. sed -i "s|DOMAIN|${DOMAIN}|g" "${BASE_DIR}/config/element/element-config.json"

  142. 

  143. # Copy SystemD file and start the service

  144. echo -e "Setting up SystemD service\n"

  145. 

  146. cp "${BASE_DIR}/matrix.service" /etc/systemd/system/

  147. systemctl daemon-reload

  148. systemctl enable --now matrix.service

  149. 

  150. # Configure Nginx

  151. echo -e "Configuring nginx\n"

  152. 

  153. cat <<EOF > /etc/nginx/sites-enabled/default

  154. server {

  155.     listen 80;

  156.     server_name ${DOMAIN};

  157. 

  158.     # Hardening

  159.     add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

  160.     add_header Content-Security-Policy "default-src 'self' ${DOMAIN} http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;

  161.     add_header X-XSS-Protection "1; mode=block";

  162.     add_header X-Content-Type-Options nosniff;

  163.     add_header X-Frame-Options "SAMEORIGIN";

  164. 

  165.     location /.well-known/matrix/client {

  166.         default_type application/json;

  167.         add_header Access-Control-Allow-Origin *;

  168.         return 200 '{"m.homeserver": {"base_url": "https://${DOMAIN}"}, "org.matrix.msc3575.proxy": {"url": "https://${DOMAIN}"}}';

  169.     }

  170. 

  171.     # Admin panel

  172.     location /admin/ {

  173.         proxy_pass http://10.10.10.6/;

  174.         proxy_set_header X-Forwarded-For \$remote_addr;

  175.         proxy_set_header X-Forwarded-Proto \$scheme;

  176.         proxy_set_header Host \$host;

  177.         proxy_http_version 1.1;

  178.     }

  179. 

  180.     # Sydent identity server

  181.     location ~ ^(/_matrix/identity) {

  182.         proxy_pass http://10.10.10.5:8090;

  183.         proxy_set_header X-Forwarded-For \$remote_addr;

  184.         proxy_set_header X-Forwarded-Proto \$scheme;

  185.         proxy_set_header Host \$host;

  186.         proxy_http_version 1.1;

  187.     }

  188. 

  189.     # Sliding Sync

  190.     location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) {

  191.         proxy_pass http://10.10.10.7:8008;

  192.         proxy_set_header X-Forwarded-For \$remote_addr;

  193.         proxy_set_header X-Forwarded-Proto \$scheme;

  194.         proxy_set_header Host \$host;

  195.     }

  196. 

  197.     # Synapse Backend

  198.     location ~ ^(\/_matrix|\/_synapse\/(client|admin)) {

  199.         # Synapse Container Network IP

  200.         proxy_pass http://10.10.10.4:8008;

  201.         proxy_set_header X-Forwarded-For \$remote_addr;

  202.         proxy_set_header X-Forwarded-Proto \$scheme;

  203.         proxy_set_header Host \$host;

  204.         client_max_body_size 50M;

  205.         proxy_http_version 1.1;

  206.     }

  207. 

  208.     # Hydrogen web

  209.     location ~ ^/(hydrogen|assets) {

  210.         rewrite /hydrogen/(.*) /\$1  break;

  211.         proxy_pass http://10.10.10.8:8080;

  212.         proxy_set_header X-Forwarded-For \$remote_addr;

  213.         proxy_set_header X-Forwarded-Proto \$scheme;

  214.         proxy_set_header Host \$host;

  215.         client_max_body_size 50M;

  216.         proxy_http_version 1.1;

  217.     }

  218. 

  219.     # Element Frontend

  220.     location / {

  221.         # Element chat Container Network IP

  222.         proxy_pass http://10.10.10.3;

  223.         proxy_set_header X-Forwarded-For \$remote_addr;

  224.         proxy_set_header X-Forwarded-Proto \$scheme;

  225.         proxy_set_header Host \$host;

  226. 

  227.         # Nginx by default only allows file uploads up to 1M in size

  228.         # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml

  229.         client_max_body_size 50M;

  230.  

  231.         # Synapse responses may be chunked, which is an HTTP/1.1 feature.

  232.         proxy_http_version 1.1;

  233.     }

  234. }

  235. EOF

  236. 

  237. systemctl restart nginx

  238. systemctl enable --now nginx

  239. 

  240. echo -e "Generate SSL cert\n"

  241. certbot --nginx -d ${DOMAIN} --agree-tos --register-unsafely-without-email

  242. 

  243. # Add custom 8448 SSL port for Matrix Federation

  244. sed -i '/listen\ 443\ ssl/a\\tlisten\ 8448\ ssl\;' /etc/nginx/sites-enabled/default

  245. nginx -s reload

  246. 

  247. # Enable coturn

  248. systemctl enable --now coturn

  249. 

  250. # Finally, start services

  251. # Ensuring the DB dir is clean before bootstrapping

  252. systemctl enable --now matrix.service

  253. 

  254. # Add certbot SSL cert renewal to crontab

  255. crontab -l | { cat; echo '43 6 * * * certbot renew --post-hook "systemctl reload nginx"'; } | crontab -