Differences
This shows the differences between two versions of the page.
dienste:bytecluster0001 [05.06.2017 12:27] – Matrix added mkzero | dienste:bytecluster0001 [03.05.2020 17:51] (current) – Limit raised to 20MB mape2k | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== bytecluster0001 ====== | + | ======= bytecluster0001 |
- | bytecluster0001 is a virtual server that provides communication services for the association. The server was kindly made available by Hetzner Online GmbH. | + | bytecluster0001 is a virtual server that provides communication services for the association. |
- | ===== Administrators ===== | + | ====== Administrators |
* [[user: | * [[user: | ||
* [[user: | * [[user: | ||
* [[user: | * [[user: | ||
+ | * [[user: | ||
- | ===== Users ===== | + | ====== Users |
* Bernd (websites) | * Bernd (websites) | ||
- | ===== IPs /DNS ===== | + | ====== IPs /DNS ====== |
* bytecluster0001.bytespeicher.org | * bytecluster0001.bytespeicher.org | ||
Line 19: | Line 20: | ||
* 2a01: | * 2a01: | ||
- | ===== Installation ===== | + | ====== Installation |
* Debian 8.2 minimal | * Debian 8.2 minimal | ||
- | ==== Users / Groups ==== | + | ===== Users / Groups |
* mkzero -> sudo | * mkzero -> sudo | ||
* marcel -> sudo | * marcel -> sudo | ||
+ | * maddi -> sudo | ||
* stephan -> sudo | * stephan -> sudo | ||
* bernd -> sudo for www-data | * bernd -> sudo for www-data | ||
Line 36: | Line 38: | ||
* ffapi | * ffapi | ||
* synapse | * synapse | ||
- | ==== Packages ==== | + | ===== Packages |
* zsh | * zsh | ||
Line 46: | Line 48: | ||
* debian-goodies | * debian-goodies | ||
- | ==== Network ==== | + | ===== Network |
- | === Script for IPv6 addresses (required for the Matrix IRC bridge) === | + | ==== Script for IPv6 addresses (required for the Matrix IRC bridge) |
< | < | ||
#!/bin/bash | #!/bin/bash | ||
Line 64: | Line 66: | ||
* //**chmod +x / | * //**chmod +x / | ||
- | === Configuration === | + | ==== Configuration |
< | < | ||
Line 84: | Line 86: | ||
</ | </ | ||
- | ==== SSH configuration ==== | + | ===== SSH configuration ===== |
* HostKey DSA removed | * HostKey DSA removed | ||
Line 101: | Line 103: | ||
</ | </ | ||
- | ==== SUDO ==== | + | ===== SUDO ===== |
* Administrative users are members of the group " | * Administrative users are members of the group " | ||
- | ==== IPTABLES ==== | + | ===== IPTABLES |
* iptables-persistent | * iptables-persistent | ||
Line 126: | Line 128: | ||
# Localhorst | # Localhorst | ||
-A INPUT -s 127.0.0.0/8 -j ACCEPT | -A INPUT -s 127.0.0.0/8 -j ACCEPT | ||
+ | |||
+ | # Turnserver | ||
+ | -A INPUT -p udp -m udp --dport 3478 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 5349 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT | ||
# SSH / mosh | # SSH / mosh | ||
Line 146: | Line 153: | ||
-A INPUT -p tcp --dport 4190 -j ACCEPT | -A INPUT -p tcp --dport 4190 -j ACCEPT | ||
+ | # Matrix | ||
+ | -A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT | ||
+ | -A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT | ||
COMMIT | COMMIT | ||
</ | </ | ||
Line 165: | Line 175: | ||
# Garbage | # Garbage | ||
-A INPUT -m state --state INVALID -j DROP | -A INPUT -m state --state INVALID -j DROP | ||
+ | |||
+ | # Turnserver | ||
+ | -A INPUT -p udp -m udp --dport 3478 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 5349 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT | ||
# SSH / mosh | # SSH / mosh | ||
Line 185: | Line 200: | ||
-A INPUT -p tcp --dport 4190 -j ACCEPT | -A INPUT -p tcp --dport 4190 -j ACCEPT | ||
+ | # Matrix | ||
+ | -A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT | ||
+ | -A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT | ||
COMMIT | COMMIT | ||
</ | </ | ||
- | ==== MySQL/ | + | ===== MySQL/ |
* mariadb-server | * mariadb-server | ||
Line 230: | Line 248: | ||
</ | </ | ||
- | ==== NGINX ==== | + | ===== NGINX ===== |
* nginx | * nginx | ||
+ | < | ||
+ | ssl_protocols TLSv1.2; | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | |||
+ | ssl_ciphers " | ||
+ | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | ||
+ | |||
+ | ssl_session_cache shared: | ||
+ | ssl_session_timeout 10m; | ||
+ | |||
+ | ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
+ | ssl_stapling on; # Requires nginx >= 1.3.7 | ||
+ | ssl_stapling_verify on; # Requires nginx => 1.3.7 | ||
+ | |||
+ | #add_header Strict-Transport-Security " | ||
+ | add_header X-Frame-Options DENY; | ||
+ | add_header X-Content-Type-Options nosniff; | ||
+ | |||
+ | resolver 213.133.98.98 213.133.99.99 valid=300s; | ||
+ | resolver_timeout 5s; | ||
+ | </ | ||
< | < | ||
- | diff -Naur / | ||
- | --- / | ||
- | +++ / | ||
- | @@ -0,0 +1,12 @@ | ||
- | +ssl_ciphers " | ||
- | +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | +ssl_prefer_server_ciphers on; | ||
- | +ssl_session_cache shared: | ||
- | +add_header Strict-Transport-Security " | ||
- | +add_header X-Frame-Options DENY; | ||
- | +add_header X-Content-Type-Options nosniff; | ||
- | +ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
- | +ssl_stapling on; # Requires nginx >= 1.3.7 | ||
- | +ssl_stapling_verify on; # Requires nginx => 1.3.7 | ||
- | +resolver 213.133.98.98 213.133.99.99 valid=300s; | ||
- | +resolver_timeout 5s; | ||
diff -Naur / | diff -Naur / | ||
--- / | --- / | ||
Line 276: | Line 299: | ||
</ | </ | ||
- | ==== Let's Encrypt (SSL certificates) ==== | + | ===== Let's Encrypt (SSL certificates) |
=== Installation === | === Installation === | ||
Line 320: | Line 343: | ||
# Reload NGINX | # Reload NGINX | ||
sudo / | sudo / | ||
+ | |||
+ | # Copy erfurt.chat-Certificate/ | ||
+ | if [ ${DOMAIN} = " | ||
+ | cp -L ${KEYFILE} / | ||
+ | cp -L ${CERTFILE} / | ||
+ | cp -L ${FULLCHAINFILE} / | ||
+ | chgrp synapse / | ||
+ | chmod 640 / | ||
+ | fi | ||
# Restart Postfix/ | # Restart Postfix/ | ||
Line 345: | Line 377: | ||
23 4 * * * | 23 4 * * * | ||
</ | </ | ||
- | === Using the Let' | + | === Using the LetsEncrypt |
For each certificate, several domains/ | For each certificate, several domains/ | ||
Line 371: | Line 403: | ||
... | ... | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
add_header X-Frame-Options SAMEORIGIN; | add_header X-Frame-Options SAMEORIGIN; | ||
- | add_header X-Content-Type-Options nosniff; | ||
ssl_certificate / | ssl_certificate / | ||
Line 387: | Line 411: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
... | ... | ||
Line 396: | Line 418: | ||
* **// | * **// | ||
- | ==== PHP ==== | + | ===== User-Agent-Filter ===== |
+ | < | ||
+ | ### Block Mastodon | ||
+ | if ($http_user_agent ~* (Mastodon)) { | ||
+ | return 403; | ||
+ | } | ||
+ | </ | ||
+ | ===== PHP ===== | ||
* php5-fpm | * php5-fpm | ||
Line 417: | Line 446: | ||
post_max_size = 64M | post_max_size = 64M | ||
</ | </ | ||
- | ==== Ruby ==== | + | ===== Ruby ===== |
* ruby | * ruby | ||
- | ==== Bytebot ==== | + | ===== Bytebot |
Packages: | Packages: | ||
Line 465: | Line 494: | ||
* // | * // | ||
- | ==== Twitterstatus / Twitterstatus Makerspace ==== | + | ===== Twitterstatus / Twitterstatus Makerspace |
The guide is written for " | The guide is written for " | ||
Line 529: | Line 558: | ||
</ | </ | ||
- | ==== Freifunk-API ==== | + | ===== Freifunk-API |
=== Packages === | === Packages === | ||
Line 581: | Line 610: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
add_header X-Frame-Options SAMEORIGIN; | add_header X-Frame-Options SAMEORIGIN; | ||
- | add_header X-Content-Type-Options nosniff; | ||
ssl_certificate / | ssl_certificate / | ||
Line 597: | Line 618: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
Line 635: | Line 654: | ||
* // | * // | ||
- | ==== paste.bytespeicher.org ==== | + | ===== paste.bytespeicher.org |
* Database: bs_paste | * Database: bs_paste | ||
Line 656: | Line 675: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
Line 670: | Line 682: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
Line 700: | Line 710: | ||
</ | </ | ||
- | ==== bytespeicher.org ==== | + | ===== bytespeicher.org |
* Database: wp_bs | * Database: wp_bs | ||
Line 712: | Line 722: | ||
| | ||
+ | | ||
| | ||
Line 729: | Line 740: | ||
| | ||
+ | |||
+ | | ||
ssl on; | ssl on; | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
| | ||
| | ||
- | | ||
| | ||
Line 747: | Line 752: | ||
| | ||
- | | ||
- | | ||
| | ||
Line 764: | Line 767: | ||
ssl on; | ssl on; | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
| | ||
| | ||
- | add_header X-Content-Type-Options nosniff; | + | |
| | ||
| | ||
| | ||
- | | ||
- | | ||
| | ||
Line 837: | Line 830: | ||
</ | </ | ||
- | ==== status.bytespeicher.org ==== | + | ===== status.bytespeicher.org |
* **//useradd spacestatus -m -G www-data// | * **//useradd spacestatus -m -G www-data// | ||
* **//sudo -u spacestatus / | * **//sudo -u spacestatus / | ||
* **//cd ~//** | * **//cd ~//** | ||
- | * **//git clone https:/ / | + | * **//< |
* **//mkdir www//** | * **//mkdir www//** | ||
* **// | * **// | ||
Line 901: | Line 894: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
add_header X-Frame-Options SAMEORIGIN; | add_header X-Frame-Options SAMEORIGIN; | ||
- | add_header | + | add_header |
+ | |||
ssl_certificate / | ssl_certificate / | ||
ssl_certificate_key / | ssl_certificate_key / | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
} | } | ||
</ | </ | ||
- | ==== makerspace-erfurt.de / fablab-erfurt.de ==== | + | ===== makerspace-erfurt.de / fablab-erfurt.de |
* Database: makerspace_wp | * Database: makerspace_wp | ||
Line 946: | Line 930: | ||
ssl on; | ssl on; | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
| | ||
| | ||
- | add_header X-Content-Type-Options nosniff; | + | |
| | ||
| | ||
| | ||
- | | ||
- | | ||
| | ||
Line 1004: | Line 978: | ||
</ | </ | ||
- | ==== cloud.technikkultur-erfurt.de (Owncloud) ==== | + | ===== cloud.technikkultur-erfurt.de (Nextcloud) ===== |
* Database: makerspace_oc | * Database: makerspace_oc | ||
Line 1025: | Line 999: | ||
ssl on; | ssl on; | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
| | ||
Line 1037: | Line 1004: | ||
| | ||
- | | ||
- | | ||
| | ||
Line 1147: | Line 1112: | ||
</ | </ | ||
- | ==== Redmine ==== | + | ===== Redmine |
* Database: redmine | * Database: redmine | ||
Line 1268: | Line 1233: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
Line 1282: | Line 1240: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
Line 1302: | Line 1258: | ||
</ | </ | ||
- | ==== Dokuwiki ==== | + | ===== Dokuwiki |
* DocumentRoot: | * DocumentRoot: | ||
Line 1315: | Line 1271: | ||
listen [::]:443 ssl; | listen [::]:443 ssl; | ||
+ | include snippets/ | ||
include snippets/ | include snippets/ | ||
Line 1328: | Line 1285: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
Line 1342: | Line 1292: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
- | # Maximum file upload size is 4MB - change accordingly if needed | + | # Maximum file upload size is 20MB - change accordingly if needed |
- | client_max_body_size | + | client_max_body_size |
client_body_buffer_size 128k; | client_body_buffer_size 128k; | ||
Line 1378: | Line 1326: | ||
</ | </ | ||
- | ==== Pad ==== | + | ===== Pad ===== |
* Software: Etherpad-lite | * Software: Etherpad-lite | ||
Line 1423: | Line 1371: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
Line 1437: | Line 1378: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
Line 1502: | Line 1441: | ||
* https:// | * https:// | ||
- | ==== wall.technikkultur-erfurt.de ==== | + | ===== wall.technikkultur-erfurt.de |
* Config: / | * Config: / | ||
Line 1525: | Line 1464: | ||
</ | </ | ||
- | ==== Piwik ==== | + | ===== opendata.bytespeicher.org ===== |
+ | |||
+ | * Webspace: / | ||
+ | |||
+ | < | ||
+ | server { | ||
+ | listen 80; | ||
+ | listen [::]:80; | ||
+ | |||
+ | listen 443 ssl; | ||
+ | listen [::]:443 ssl; | ||
+ | |||
+ | include snippets/ | ||
+ | |||
+ | root / | ||
+ | |||
+ | index index.html; | ||
+ | |||
+ | server_name opendata.bytespeicher.org; | ||
+ | |||
+ | location / { | ||
+ | try_files $uri $uri/ =404; | ||
+ | } | ||
+ | |||
+ | # PHP | ||
+ | location ~ \.php$ { | ||
+ | fastcgi_pass | ||
+ | include | ||
+ | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
+ | fastcgi_param REDIRECT_STATUS 200; | ||
+ | } | ||
+ | |||
+ | ssl on; | ||
+ | |||
+ | # Use SSL as default | ||
+ | # if ($scheme != " | ||
+ | # | ||
+ | # } | ||
+ | # add_header Strict-Transport-Security " | ||
+ | |||
+ | ssl_certificate / | ||
+ | ssl_certificate_key / | ||
+ | |||
+ | ssl_dhparam / | ||
+ | |||
+ | ssl_stapling on; | ||
+ | ssl_stapling_verify on; | ||
+ | ssl_trusted_certificate / | ||
+ | |||
+ | # Security options | ||
+ | add_header X-Frame-Options SAMEORIGIN; | ||
+ | add_header X-Content-Type-Options nosniff; | ||
+ | add_header Access-Control-Allow-Origin *; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ===== Piwik ===== | ||
* Database: bs_piwik | * Database: bs_piwik | ||
Line 1549: | Line 1544: | ||
</ | </ | ||
- | ==== Roundcube ==== | + | ===== Roundcube |
* Database: roundcubemail | * Database: roundcubemail | ||
Line 1607: | Line 1602: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
add_header X-Frame-Options SAMEORIGIN; | add_header X-Frame-Options SAMEORIGIN; | ||
- | | + | |
ssl_certificate / | ssl_certificate / | ||
ssl_certificate_key / | ssl_certificate_key / | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
root / | root / | ||
+ | |||
+ | client_max_body_size 64m; | ||
index index.php index.html; | index index.php index.html; | ||
Line 1674: | Line 1661: | ||
* //**rm -rf / | * //**rm -rf / | ||
- | ==== Matrix/ | + | ===== Matrix/ |
* useradd -m synapse | * useradd -m synapse | ||
- | * apt-get install build-essential python2.7-dev libffi-dev python-pip python-setuptools sqlite3 libssl-dev python-virtualenv libjpeg-dev libxslt1-dev | + | * apt-get install build-essential python2.7-dev libffi-dev python-pip python-setuptools sqlite3 libssl-dev python-virtualenv libjpeg-dev libxslt1-dev |
- | * | + | |
- | ==== users.bytespeicher.org ==== | + | * mkdir / |
+ | * chown synapse: | ||
+ | * chmod 770 / | ||
+ | * usermod -G synapse letsencrypt | ||
+ | |||
+ | < | ||
+ | server { | ||
+ | listen | ||
+ | listen [::]:80; | ||
+ | listen | ||
+ | listen [::]:443 ssl; | ||
+ | |||
+ | server_name erfurt.chat www.erfurt.chat; | ||
+ | |||
+ | include snippets/ | ||
+ | |||
+ | if ($scheme != " | ||
+ | rewrite ^ https:// | ||
+ | } | ||
+ | if ($host | ||
+ | rewrite ^ https:// | ||
+ | } | ||
+ | root / | ||
+ | |||
+ | client_max_body_size 32m; | ||
+ | |||
+ | location /_matrix { | ||
+ | proxy_pass http:// | ||
+ | proxy_set_header X-Forwarded-For $remote_addr; | ||
+ | } | ||
+ | |||
+ | ssl on; | ||
+ | |||
+ | # add_header Strict-Transport-Security " | ||
+ | add_header X-Frame-Options SAMEORIGIN; | ||
+ | |||
+ | ssl_certificate / | ||
+ | ssl_certificate_key / | ||
+ | ssl_dhparam / | ||
+ | |||
+ | ssl_trusted_certificate / | ||
+ | |||
+ | access_log / | ||
+ | error_log / | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | TURNSERVER_ENABLED=1 | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | external-ip=88.198.111.196 | ||
+ | min-port=49152 | ||
+ | max-port=59999 | ||
+ | lt-cred-mech | ||
+ | use-auth-secret | ||
+ | static-auth-secret=[your secret key here] | ||
+ | realm=erfurt.chat | ||
+ | no-tcp | ||
+ | no-tls | ||
+ | no-tcp-relay | ||
+ | cert=/ | ||
+ | pkey=/ | ||
+ | cipher-list=" | ||
+ | syslog | ||
+ | denied-peer-ip=10.0.0.0-10.255.255.255 | ||
+ | denied-peer-ip=192.168.0.0-192.168.255.255 | ||
+ | denied-peer-ip=172.16.0.0-172.31.255.255 | ||
+ | allowed-peer-ip=172.31.1.100 | ||
+ | no-sslv2 | ||
+ | no-sslv3 | ||
+ | </ | ||
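The `denied-peer-ip` / `allowed-peer-ip` lines in the turnserver.conf block above decide which relay peers coturn will contact on a client's behalf, which is what keeps a public TURN server from becoming a path into the private networks behind it. As an added example (not from the wiki page or the coturn project), here is a small Python model of that evaluation, using coturn's documented rule that an address listed as allowed takes precedence over a deny range. The configuration excerpt is constructed from the values on the page; the candidate peer addresses other than the page's own 172.31.1.100 are made up.

```python
import ipaddress

# Constructed excerpt of the turnserver.conf shown on the wiki page: only the
# realm and the peer ACL directives are reproduced here.
TURNSERVER_CONF = """\
realm=erfurt.chat
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
allowed-peer-ip=172.31.1.100
"""


def parse_range(spec):
    """Turn coturn's 'ip' or 'ip-ip' syntax into an inclusive (low, high) pair."""
    parts = spec.split("-", 1)
    low = ipaddress.ip_address(parts[0].strip())
    high = ipaddress.ip_address(parts[1].strip()) if len(parts) == 2 else low
    if low.version != high.version or low > high:
        raise ValueError(f"malformed peer range: {spec!r}")
    return low, high


def parse_peer_acl(conf_text):
    """Collect denied-peer-ip and allowed-peer-ip ranges from turnserver.conf text."""
    denied, allowed = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if "=" not in line:
            continue                             # flag-style options (no-tcp, syslog, ...)
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "denied-peer-ip":
            denied.append(parse_range(value))
        elif key == "allowed-peer-ip":
            allowed.append(parse_range(value))
    return denied, allowed


def in_ranges(addr, ranges):
    """True if addr falls inside any range of the same IP version."""
    return any(low <= addr <= high for low, high in ranges if low.version == addr.version)


def peer_allowed(peer, denied, allowed):
    """Model coturn's rule: an explicit allow entry wins over a deny range."""
    addr = ipaddress.ip_address(peer)
    if in_ranges(addr, allowed):
        return True
    return not in_ranges(addr, denied)


def evaluate(conf_text, peers):
    """Map each candidate peer address to True (relayable) or False (denied)."""
    denied, allowed = parse_peer_acl(conf_text)
    return {peer: peer_allowed(peer, denied, allowed) for peer in peers}


if __name__ == "__main__":
    # Made-up candidate peers; 172.31.1.100 is the host the page explicitly allows.
    candidates = ["172.31.1.100", "172.31.1.101", "10.1.2.3", "8.8.8.8", "127.0.0.1"]
    for peer, ok in evaluate(TURNSERVER_CONF, candidates).items():
        print(f"{peer:16} {'allowed' if ok else 'denied'}")
```

Run as a script it prints one verdict per peer: the explicitly allowed 172.31.1.100 passes even though it sits inside the denied 172.16.0.0-172.31.255.255 range, its neighbour 172.31.1.101 does not. Note that the page's list covers only the three RFC 1918 blocks, so the model reports a loopback or link-local peer as allowed; it reproduces just these two directives and none of coturn's other built-in peer checks, so read `True` as "not blocked by this list" rather than "reachable".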
+ | |||
+ | * service coturn restart | ||
+ | * sudo -u synapse /bin/bash | ||
+ | * cd | ||
+ | * virtualenv -p python2.7 ~/ | ||
+ | * source ~/ | ||
+ | * pip install --upgrade pip | ||
+ | * pip install --upgrade setuptools | ||
+ | * pip install lxml | ||
+ | * pip install https:// | ||
+ | * cd ~/ | ||
+ | * python -m synapse.app.homeserver --server-name erfurt.chat --config-path homeserver.yaml --generate-config --report-stats=no | ||
+ | |||
+ | < | ||
+ | --- homeserver.yaml.orig 2017-06-05 12: | ||
+ | +++ homeserver.yaml 2018-04-17 13: | ||
+ | @@ -4,10 +4,10 @@ | ||
+ | # autogenerates on launch with your own SSL certificate + key pair | ||
+ | # if you like. Any required intermediary certificates can be | ||
+ | # appended after the primary certificate in hierarchical order. | ||
+ | -tls_certificate_path: | ||
+ | +tls_certificate_path: | ||
+ | |||
+ | # PEM encoded private key for TLS | ||
+ | -tls_private_key_path: | ||
+ | +tls_private_key_path: | ||
+ | |||
+ | # PEM dh parameters for ephemeral keys | ||
+ | | ||
+ | @@ -50,7 +50,7 @@ | ||
+ | | ||
+ | |||
+ | # Whether to serve a web client from the HTTP/HTTPS root resource. | ||
+ | -web_client: | ||
+ | +web_client: | ||
+ | |||
+ | # The root directory to server for the above web client. | ||
+ | # If left undefined, synapse will serve the matrix-angular-sdk web client. | ||
+ | @@ -59,7 +59,7 @@ | ||
+ | # web_client_location: | ||
+ | |||
+ | # The public-facing base URL for the client API (not including _matrix/ | ||
+ | -# public_baseurl: | ||
+ | +public_baseurl: | ||
+ | |||
+ | # Set the soft limit on the number of file descriptors synapse can use | ||
+ | # Zero is used to indicate synapse should set the soft limit to the | ||
+ | @@ -71,7 +71,9 @@ | ||
+ | |||
+ | # Set the limit on the returned events in the timeline in the get | ||
+ | # and sync operations. The default value is -1, means no upper limit. | ||
+ | -# filter_timeline_limit: | ||
+ | + | ||
+ | +## activated by maddi | ||
+ | +filter_timeline_limit: | ||
+ | |||
+ | # List of ports that Synapse should listen on, their purpose and their | ||
+ | # configuration. | ||
+ | @@ -85,11 +87,11 @@ | ||
+ | # Local addresses to listen on. | ||
+ | # This will listen on all IPv4 addresses by default. | ||
+ | | ||
+ | - - ' | ||
+ | + #- ' | ||
+ | # Uncomment to listen on all IPv6 interfaces | ||
+ | # N.B: On at least Linux this will also listen on all IPv4 | ||
+ | # addresses, so you will need to comment out the line above. | ||
+ | - # - '::' | ||
+ | + - '::' | ||
+ | |||
+ | # This is a ' | ||
+ | type: http | ||
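Review bot: uncommenting `- '::'` binds this listener to all IPv6 addresses and, as the context comment says, on Linux to all IPv4 addresses as well, so it is reachable from outside; the same revision opens tcp/8008 and tcp/8448 in the IPTABLES section while the nginx `location /_matrix` block already proxies client traffic over TLS. Suggest checking which of the two listeners actually needs a public bind: the one fronted by nginx can stay on a loopback address, which also removes the need for the 8008 INPUT rule.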
+ | @@ -123,7 +125,7 @@ | ||
+ | | ||
+ | type: http | ||
+ | |||
+ | - x_forwarded: | ||
+ | + x_forwarded: | ||
+ | |||
+ | | ||
+ | - names: [client, webclient] | ||
+ | @@ -141,14 +143,18 @@ | ||
+ | # Database configuration | ||
+ | | ||
+ | # The database engine name | ||
+ | - name: " | ||
+ | + name: " | ||
+ | # Arguments to pass to the engine | ||
+ | | ||
+ | - # Path to the database | ||
+ | - database: "/ | ||
+ | + #user: synapse | ||
+ | + database: synapse | ||
+ | + #host: localhost | ||
+ | + # | ||
+ | + cp_min: 5 | ||
+ | + cp_max: 25 | ||
+ | |||
+ | # Number of events to cache in memory. | ||
+ | -event_cache_size: | ||
+ | +event_cache_size: | ||
+ | |||
+ | |||
+ | |||
+ | @@ -156,7 +162,7 @@ | ||
+ | | ||
+ | |||
+ | # File to write logging to. Ignored if log_config is specified. | ||
+ | -log_file: "/ | ||
+ | +log_file: "/ | ||
+ | |||
+ | # A yaml python logging config file | ||
+ | | ||
+ | @@ -171,7 +177,9 @@ | ||
+ | | ||
+ | |||
+ | # The federation window size in milliseconds | ||
+ | -federation_rc_window_size: | ||
+ | +## edit by maddi | ||
+ | +# federation_rc_window_size: | ||
+ | +federation_rc_window_size: | ||
+ | |||
+ | # The number of federation requests from a single server in a window | ||
+ | # before the server will delay processing the request. | ||
+ | @@ -183,14 +191,19 @@ | ||
+ | |||
+ | # The maximum number of concurrent federation requests allowed | ||
+ | # from a single server | ||
+ | -federation_rc_reject_limit: | ||
+ | +## edit by maddi | ||
+ | +# federation_rc_reject_limit: | ||
+ | +federation_rc_reject_limit: | ||
+ | |||
+ | # The number of federation requests to concurrently process from a | ||
+ | # single server | ||
+ | -federation_rc_concurrent: | ||
+ | - | ||
+ | - | ||
+ | - | ||
+ | +# | ||
+ | +## edit by maddi | ||
+ | +federation_rc_concurrent: | ||
+ | + | ||
+ | +## add by maddi | ||
+ | +federation_domain_whitelist: | ||
+ | + | ||
+ | # Directory where uploaded images and attachments are stored. | ||
+ | | ||
+ | |||
+ | @@ -231,7 +244,7 @@ | ||
+ | # Is the preview URL API enabled? | ||
+ | # an explicit url_preview_ip_range_blacklist of IPs that the spider is | ||
+ | # denied from accessing. | ||
+ | -url_preview_enabled: | ||
+ | +url_preview_enabled: | ||
+ | |||
+ | # List of IP address CIDR ranges that the URL preview spider is denied | ||
+ | # from accessing. | ||
+ | @@ -241,14 +254,14 @@ | ||
+ | # synapse to issue arbitrary GET requests to your internal services, | ||
+ | # causing serious security issues. | ||
+ | # | ||
+ | -# url_preview_ip_range_blacklist: | ||
+ | -# - ' | ||
+ | -# - ' | ||
+ | -# - ' | ||
+ | -# - ' | ||
+ | -# - ' | ||
+ | -# - ' | ||
+ | -# | ||
+ | +url_preview_ip_range_blacklist: | ||
+ | + - ' | ||
+ | + - ' | ||
+ | + - ' | ||
+ | + - ' | ||
+ | + - ' | ||
+ | + - ' | ||
+ | + | ||
+ | # List of IP address CIDR ranges that the URL preview spider is allowed | ||
+ | # to access even if they are specified in url_preview_ip_range_blacklist. | ||
+ | # This is useful for specifying exceptions to wide-ranging blacklisted | ||
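Review bot: activating `+url_preview_ip_range_blacklist:` is the right call given the context's warning that an unset list lets synapse issue GET requests to internal services; since the six entries are commented back in rather than rewritten, verify that they cover loopback and link-local as well as the RFC 1918 ranges, and keep this list in step with the `denied-peer-ip` ranges in turnserver.conf so that URL previews and TURN relaying agree on what counts as internal.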
+ | @@ -322,10 +335,10 @@ | ||
+ | ## Turn ## | ||
+ | |||
+ | # The public URIs of the TURN server to give to clients | ||
+ | -turn_uris: [] | ||
+ | +turn_uris: [ " | ||
+ | |||
+ | # The shared secret used to compute passwords for the TURN server | ||
+ | -turn_shared_secret: | ||
+ | +turn_shared_secret: | ||
+ | |||
+ | # The Username and password if the TURN server needs them and | ||
+ | # does not use a token | ||
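Review bot: `+turn_shared_secret:` must carry the same value as `static-auth-secret` in turnserver.conf, and the turnserver.conf block in this revision still shows the placeholder `static-auth-secret=[your secret key here]`; if that placeholder made it onto the live host, the `use-auth-secret` credentials minted by Synapse will not validate, and a guessable literal would be worse. Suggest stating that both files hold one long random value and where it is stored, without reproducing it on the wiki.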
+ | @@ -346,7 +359,7 @@ | ||
+ | ## Registration ## | ||
+ | |||
+ | # Enable registration for new users. | ||
+ | -enable_registration: | ||
+ | +enable_registration: | ||
+ | |||
+ | # If set, allows registration by anyone who also has the shared | ||
+ | # secret, even if registration is otherwise disabled. | ||
+ | @@ -360,7 +373,7 @@ | ||
+ | # Allows users to register as guests without a password/ | ||
+ | # participate in rooms hosted on this server which have been made | ||
+ | # accessible to anonymous users. | ||
+ | -allow_guest_access: | ||
+ | +allow_guest_access: | ||
+ | |||
+ | # The list of identity servers trusted to verify third party | ||
+ | # identifiers by this server. | ||
+ | @@ -388,7 +401,9 @@ | ||
+ | |||
+ | |||
+ | # A list of application service config file to use | ||
+ | -app_service_config_files: | ||
+ | +# | ||
+ | +## deactivated by maddi | ||
+ | +app_service_config_files: | ||
+ | |||
+ | |||
+ | | ||
+ | @@ -402,7 +417,7 @@ | ||
+ | | ||
+ | |||
+ | # The keys that the server used to sign messages with but won't use | ||
+ | -# to sign new messages. E.g. it has lost its private key | ||
+ | +# to sign new messages. dE.g. it has lost its private key | ||
+ | | ||
+ | # | ||
+ | # | ||
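Review bot: `+# to sign new messages. dE.g. it has lost its private key` introduces a stray `d` into the comment (`dE.g.`), apparently an accidental keystroke while editing the keys section; suggest restoring `E.g.`.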
+ | @@ -461,7 +476,8 @@ | ||
+ | enabled: true | ||
+ | # Uncomment and change to a secret random string for extra security. | ||
+ | # DO NOT CHANGE THIS AFTER INITIAL SETUP! | ||
+ | - # | ||
+ | + | ||
+ | + | ||
+ | |||
+ | |||
+ | |||
+ | @@ -473,20 +489,20 @@ | ||
+ | # If your SMTP server requires authentication, | ||
+ | # smtp_pass variables should be used | ||
+ | # | ||
+ | -#email: | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | -# | ||
+ | +email: | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
+ | |||
+ | |||
+ | # password_providers: | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | |||
+ | version: 1 | ||
+ | |||
+ | formatters: | ||
+ | precise: | ||
+ | | ||
+ | |||
+ | filters: | ||
+ | context: | ||
+ | (): synapse.util.logcontext.LoggingContextFilter | ||
+ | request: "" | ||
+ | |||
+ | handlers: | ||
+ | file: | ||
+ | class: logging.handlers.RotatingFileHandler | ||
+ | formatter: precise | ||
+ | filename: / | ||
+ | maxBytes: 104857600 | ||
+ | backupCount: | ||
+ | filters: [context] | ||
+ | console: | ||
+ | class: logging.StreamHandler | ||
+ | formatter: precise | ||
+ | filters: [context] | ||
+ | |||
+ | loggers: | ||
+ | synapse: | ||
+ | level: INFO | ||
+ | |||
+ | synapse.storage.SQL: | ||
+ | # beware: increasing this to DEBUG will make synapse log sensitive | ||
+ | # information such as access tokens. | ||
+ | level: INFO | ||
+ | |||
+ | root: | ||
+ | level: INFO | ||
+ | handlers: [file] | ||
+ | # handlers: [file, console] | ||
+ | </ | ||
+ | < | ||
+ | [Unit] | ||
+ | Description=Synapse Matrix homeserver | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | User=synapse | ||
+ | Group=synapse | ||
+ | # | ||
+ | WorkingDirectory=/ | ||
+ | ExecStart=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | |||
+ | * systemctl enable synapse | ||
+ | * systemctl start synapse | ||
+ | * wget -O / | ||
+ | * mkdir / | ||
+ | * tar --strip-components=1 -xf / | ||
+ | |||
+ | < | ||
+ | { | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | ] | ||
+ | }, | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==== Matrix IRC Bridge ==== | ||
+ | |||
+ | * curl -sL https:// | ||
+ | * apt-get install -y nodejs | ||
+ | * npm install matrix-appservice-irc --global | ||
+ | |||
+ | < | ||
+ | homeserver: | ||
+ | url: " | ||
+ | |||
+ | # CAUTION: This is a very coarse heuristic. Federated homeservers may have different | ||
+ | # clock times and hence produce different origin_server_ts values, which may be old | ||
+ | # enough to cause *all* events from the homeserver to be dropped. | ||
+ | # Default: 0 (don't ever drop) | ||
+ | # dropMatrixMessagesAfterSecs: | ||
+ | |||
+ | domain: " | ||
+ | |||
+ | ircService: | ||
+ | servers: | ||
+ | " | ||
+ | name: " | ||
+ | networkId: " | ||
+ | port: 9999 | ||
+ | ssl: true | ||
+ | sslselfsign: | ||
+ | ca: | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | # The connection password to send for all clients as a PASS command. Optional. | ||
+ | # password: ' | ||
+ | |||
+ | sendConnectionMessages: | ||
+ | |||
+ | quitDebounce: | ||
+ | # Whether parts due to net-splits are debounced for delayMs, to allow | ||
+ | # time for the netsplit to resolve itself. A netsplit is detected as being | ||
+ | # a QUIT rate higher than quitsPerSecond. Default: false. | ||
+ | enabled: false | ||
+ | # The maximum number of quits per second acceptable above which a netsplit is | ||
+ | # considered ongoing. Default: 5. | ||
+ | quitsPerSecond: | ||
+ | # The ti | ||
+ | # a net | ||
+ | # is not sent many requests to leave rooms all at once if a netsplit occurs and many | ||
+ | # people to not rejoin. | ||
+ | # If the user with the same IRC nick as the one who sent the quit rejoins a channel | ||
+ | # they are considered back online and the quit is not bridged, so long as the rejoin | ||
+ | # occurs before the randomly-jittered timeout is not reached. | ||
+ | # Default: 3600000, = 1h | ||
+ | delayMinMs: 3600000 # 1h | ||
+ | # Default: 7200000, = 2h | ||
+ | delayMaxMs: 7200000 # 2h | ||
+ | |||
+ | modePowerMap: | ||
+ | o: 50 | ||
+ | |||
+ | botConfig: | ||
+ | enabled: true | ||
+ | nick: " | ||
+ | password: " | ||
+ | |||
+ | joinChannelsIfNoUsers: | ||
+ | |||
+ | privateMessages: | ||
+ | enabled: true | ||
+ | # exclude: [" | ||
+ | federate: true | ||
+ | |||
+ | # Configuration for mappings not explicitly listed in the ' | ||
+ | # section. | ||
+ | dynamicChannels: | ||
+ | # Enable the ability for Matrix users to join *any* channel on this IRC | ||
+ | # network. | ||
+ | # Default: false. | ||
+ | enabled: true | ||
+ | # Should the AS create a room alias for the new Matrix room? The form of | ||
+ | # the alias can be modified via ' | ||
+ | createAlias: | ||
+ | # Should the AS publish the new Matrix room to the public room list so | ||
+ | # anyone can see it? Default: true. | ||
+ | published: true | ||
+ | # What should the join_rule be for the new Matrix room? If ' | ||
+ | # anyone can join the room. If ' | ||
+ | # join the room. Note that if an IRC channel has +k or +i set on it, | ||
+ | # join_rules will be set to ' | ||
+ | # Default: " | ||
+ | joinRule: public | ||
+ | # Should created Matrix rooms be federated? If false, only users on the | ||
+ | # HS attached to this AS will be able to interact with this room. | ||
+ | # Default: true. | ||
+ | federate: true | ||
+ | # The room alias template to apply when creating new aliases. This only | ||
+ | # applies if createAlias is ' | ||
+ | # $SERVER => The IRC server address (e.g. " | ||
+ | # $CHANNEL => The IRC channel (e.g. "# | ||
+ | # This MUST have $CHANNEL somewhere in it. | ||
+ | # Default: '# | ||
+ | # | ||
+ | # A list of user IDs which the AS bot will send invites to in response | ||
+ | # to a !join. Only applies if joinRule is ' | ||
+ | # whitelist: | ||
+ | # - " | ||
+ | # - " | ||
+ | # | ||
+ | # Prevent the given list of channels from being mapped under any | ||
+ | # circumstances. | ||
+ | # exclude: ["# | ||
+ | |||
+ | # Configuration for controlling how Matrix and IRC membership lists are | ||
+ | # synced. | ||
+ | membershipLists: | ||
+ | # Enable the syncing of membership lists between IRC and Matrix. This | ||
+ | # can have a significant effect on performance on startup as the lists are | ||
+ | # synced. This must be enabled for anything else in this section to take | ||
+ | # effect. Default: false. | ||
+ | enabled: true | ||
+ | |||
+ | # Syncing membership lists at startup can result in hundreds of members to | ||
+ | # process all at once. This timer drip feeds membership entries at the | ||
+ | # specified rate. Default: 10000. (10s) | ||
+ | floodDelayMs: | ||
+ | |||
+ | global: | ||
+ | ircToMatrix: | ||
+ | # Get a snapshot of all real IRC users on a channel (via NAMES) and | ||
+ | # join their virtual matrix clients to the room. | ||
+ | initial: true | ||
+ | # Make virtual matrix clients join and leave rooms as their real IRC | ||
+ | # counterparts join/part channels. Default: false. | ||
+ | incremental: | ||
+ | |||
+ | matrixToIrc: | ||
+ | # Get a snapshot of all real Matrix users in the room and join all of | ||
+ | # them to the mapped IRC channel on startup. Default: false. | ||
+ | initial: true | ||
+ | # Make virtual IRC clients join and leave channels as their real Matrix | ||
+ | # counterparts join/leave rooms. Make sure your ' | ||
+ | # high enough! Default: false. | ||
+ | incremental: | ||
+ | |||
+ | # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. | ||
+ | rooms: | ||
+ | - room: " | ||
+ | matrixToIrc: | ||
+ | initial: false | ||
+ | incremental: | ||
+ | |||
+ | # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. | ||
+ | channels: | ||
+ | - channel: "# | ||
+ | ircToMatrix: | ||
+ | initial: false | ||
+ | incremental: | ||
+ | |||
+ | mappings: | ||
+ | # 1:many mappings from IRC channels to room IDs on this IRC server. | ||
+ | # The matrix room must already exist. Your matrix client should expose | ||
+ | # the room ID in a " | ||
+ | #"#bytespeicher-testing": | ||
+ | "# | ||
+ | |||
+ | # Configuration for virtual matrix users. The following variables are | ||
+ | # exposed: | ||
+ | # $NICK => The IRC nick | ||
+ | # $SERVER => The IRC server address (e.g. " | ||
+ | matrixClients: | ||
+ | # The user ID template to use when creating virtual matrix users. This | ||
+ | # MUST have $NICK somewhere in it. | ||
+ | # Optional. Default: " | ||
+ | # Example: " | ||
+ | userTemplate: | ||
+ | # The display name to use for created matrix clients. This should have | ||
+ | # $NICK somewhere in it if it is specified. Can also use $SERVER to | ||
+ | # insert the IRC domain. | ||
+ | # Optional. Default: "$NICK (IRC)" | ||
+ | displayName: | ||
+ | |||
+ | # Configuration for virtual IRC users. The following variables are exposed: | ||
+ | # $LOCALPART => The user ID localpart (" | ||
+ | # $USERID => The user ID | ||
+ | # $DISPLAY => The display name of this user, with excluded characters | ||
+ | # (e.g. space) removed. If the user has no display name, this | ||
+ | # falls back to $LOCALPART. | ||
+ | ircClients: | ||
+ | # The template to apply to every IRC client nick. This MUST have either | ||
+ | # $DISPLAY or $USERID or $LOCALPART somewhere in it. | ||
+ | # Optional. Default: " | ||
+ | nickTemplate: | ||
+ | # True to allow virtual IRC clients to change their nick on this server | ||
+ | # by issuing !nick < | ||
+ | # This is completely freeform: it will NOT follow the nickTemplate. | ||
+ | allowNickChanges: | ||
+ | # The max number of IRC clients that will connect. If the limit is | ||
+ | # reached, the client that spoke the longest time ago will be | ||
+ | # disconnected and replaced. | ||
+ | # Optional. Default: 30. | ||
+ | maxClients: 30 | ||
+ | # IPv6 configuration. | ||
+ | ipv6: | ||
+ | # Optional. Set to true to force IPv6 for outgoing connections. | ||
+ | only: false | ||
+ | # Optional. The IPv6 prefix to use for generating unique addresses for each | ||
+ | # connected user. If not specified, all users will connect from the same | ||
+ | # (default) address. This may require additional OS-specific work to allow | ||
+ | # for the node process to bind to multiple different source addresses | ||
+ | # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library | ||
+ | # https:// | ||
+ | prefix: " | ||
+ | # | ||
+ | # The maximum amount of time in seconds that the client can exist | ||
+ | # without sending another message before being disconnected. Use 0 to | ||
+ | # not apply an idle timeout. This value is ignored if this IRC server is | ||
+ | # mirroring matrix membership lists to IRC. Default: 172800 (48 hours) | ||
+ | idleTimeout: | ||
+ | # The number of millseconds to wait between consecutive reconnections if a | ||
+ | # client gets disconnected. Setting to 0 will cause the scheduling to be | ||
+ | # disabled, i.e. it will be scheduled immediately (with jitter. | ||
+ | # Otherwise, the scheduling interval will be used such that one client | ||
+ | # reconnect for this server will be handled every reconnectIntervalMs ms using | ||
+ | # a FIFO queue. | ||
+ | # Default: 5000 (5 seconds) | ||
+ | reconnectIntervalMs: | ||
+ | # The number of lines to allow being sent by the IRC client that has received | ||
+ | # a large block of text to send from matrix. If the number of lines that would | ||
+ | # be sent is > lineLimit, the text will instead be uploaded to matrix and the | ||
+ | # resulting URI is treated as a file. As such, a link will be sent to the IRC | ||
+ | # side instead of potentially spamming IRC and getting the IRC client kicked. | ||
+ | # Default: 3. | ||
+ | lineLimit: 3 | ||
+ | # A list of user modes to set on every IRC client. For example, " | ||
+ | # +R, +i and +G on every IRC connection when they have successfully connected. | ||
+ | # User modes vary wildly depending on the IRC network you're connecting to, | ||
+ | # so check before setting this value. Some modes may not work as intended | ||
+ | # through the bridge e.g. caller ID as there is no way to /ACCEPT. | ||
+ | # Default: "" | ||
+ | # userModes: " | ||
+ | |||
+ | # Configuration for an ident server. If you are running a public bridge it is | ||
+ | # advised you setup an ident server so IRC mods can ban specific matrix users | ||
+ | # rather than the application service itself. | ||
+ | ident: | ||
+ | # True to listen for Ident requests and respond with the | ||
+ | # matrix user's user_id (converted to ASCII, respecting RFC 1413). | ||
+ | # Default: false. | ||
+ | enabled: false | ||
+ | # The port to listen on for incoming ident requests. | ||
+ | # Ports below 1024 require root to listen on, and you may not want this to | ||
+ | # run as root. Instead, you can get something like an Apache to yank up | ||
+ | # incoming requests to 113 to a high numbered port. Set the port to listen | ||
+ | # on instead of 113 here. | ||
+ | # Default: 113. | ||
+ | port: 1113 | ||
+ | |||
+ | # Configuration for logging. Optional. Default: console debug level logging | ||
+ | # only. | ||
+ | logging: | ||
+ | # Level to log on console/ | ||
+ | level: " | ||
+ | # The file location to log to. This is relative to the project directory. | ||
+ | logfile: " | ||
+ | # The file location to log errors to. This is relative to the project | ||
+ | # directory. | ||
+ | errfile: " | ||
+ | # Whether to log to the console or not. | ||
+ | toConsole: true | ||
+ | # The max size each file can get to in bytes before a new file is created. | ||
+ | maxFileSizeBytes: | ||
+ | # The max number of files to keep. Files will be overwritten eventually due | ||
+ | # to rotations. | ||
+ | maxFiles: 5 | ||
+ | |||
+ | # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: | ||
+ | # $ npm install prom-client@6.3.0 | ||
+ | # Metrics will then be available via GET /metrics on the bridge listening port (-p). | ||
+ | # metrics: | ||
+ | # | ||
+ | |||
+ | # The nedb database URI to connect to. This is the name of the directory to | ||
+ | # dump .db files to. This is relative to the project directory. | ||
+ | # Required. | ||
+ | databaseUri: | ||
+ | |||
+ | # Configuration options for the debug HTTP API. To access this API, you must | ||
+ | # append ? | ||
+ | # | ||
+ | # The debug API exposes the following endpoints: | ||
+ | # | ||
+ | # GET / | ||
+ | # | ||
+ | # POST / | ||
+ | # Format: new line delimited commands as per IRC protocol. | ||
+ | # | ||
+ | debugApi: | ||
+ | # True to enable the HTTP API endpoint. Default: false. | ||
+ | enabled: false | ||
+ | # The port to host the HTTP API. | ||
+ | port: 11100 | ||
+ | |||
+ | # Configuration for the provisioning API. | ||
+ | # | ||
+ | # GET / | ||
+ | # GET / | ||
+ | # GET / | ||
+ | # | ||
+ | provisioning: | ||
+ | # True to enable the provisioning HTTP endpoint. Default: false. | ||
+ | enabled: false | ||
+ | # The number of seconds to wait before giving up on getting a response from | ||
+ | # an IRC channel operator. If the channel operator does not respond within the | ||
+ | # allotted time period, the provisioning request will fail. | ||
+ | # Default: 300 seconds (5 mins) | ||
+ | requestTimeoutSeconds: | ||
+ | |||
+ | # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot | ||
+ | # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in | ||
+ | # the database. | ||
+ | # | ||
+ | # To generate a .pem file: | ||
+ | # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits: | ||
+ | # | ||
+ | # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords | ||
+ | # for storage in the database. Passwords are stored by using the admin room command | ||
+ | # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of | ||
+ | # the Matrix user, this password will be sent as the server password (PASS command). | ||
+ | passwordEncryptionKeyPath: | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | [Unit] | ||
+ | Description=Matrix IRC Bridge | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | User=synapse | ||
+ | Group=synapse | ||
+ | # | ||
+ | WorkingDirectory=/ | ||
+ | ExecStart=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | |||
+ | * matrix-appservice-irc -r -f ircbridge_registration.yaml -u " | ||
+ | * systemctl enable matrix-irc-bridge.service | ||
+ | * systemctl start matrix-irc-bridge.service | ||
+ | |||
+ | ==== Upgrade zu Postgres ==== | ||
+ | * wget -q https:// | ||
+ | * echo deb http:// | ||
+ | * apt update | ||
+ | * apt install postgresql-10 postgresql-client-10 libpq-dev | ||
+ | * sudo -u postgres createuser -e synapse | ||
+ | * sudo -u postgres psql -c " | ||
+ | * service synapse stop | ||
+ | * cp -a / | ||
+ | * cp -a / | ||
+ | |||
+ | < | ||
+ | [...] | ||
+ | |||
+ | # Database configuration | ||
+ | database: | ||
+ | # The database engine name | ||
+ | name: " | ||
+ | # Arguments to pass to the engine | ||
+ | args: | ||
+ | database: synapse | ||
+ | cp_min: 5 | ||
+ | cp_max: 25 | ||
+ | |||
+ | [...] | ||
+ | </ | ||
+ | |||
+ | * service synapse start | ||
+ | * sudo -u synapse bash | ||
+ | * source ~/ | ||
+ | * pip install psycopg2 | ||
+ | * cd ~/ | ||
+ | * synapse_port_db --sqlite-database homeserver.db.snapshot --postgres-config homeserver-postgres.yaml | ||
+ | * (as root) service synapse stop | ||
+ | * synapse_port_db --sqlite-database homeserver.db --postgres-config homeserver-postgres.yaml | ||
+ | * mv homeserver.yaml{, | ||
+ | * mv homeserver{-postgres, | ||
+ | * mv homeserver.db{, | ||
+ | * exit | ||
+ | * service synapse start | ||
+ | |||
+ | |||
+ | Es wurde https:// | ||
+ | |||
+ | ==== Externe Synapse Dokumentation ==== | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | ===== users.bytespeicher.org ===== | ||
< | < | ||
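Review bot: the dynamicChannels block turns this into a public bridge (`enabled: true`, `published: true`, `joinRule: public`, plus `federate: true` both there and under privateMessages), so a user on any federated homeserver can pull any channel of the IRC network into a published Matrix room, while `ident:` is left at `enabled: false`; the comment above that key states the consequence: IRC operators can then only ban the bridge's address rather than the offending Matrix user, which takes every bridged user offline at once. Either enable ident (the `port: 1113` with a redirect from 113 is already prepared in the comments) or tighten `joinRule`/`whitelist` and fill in the `exclude:` list for channels that must never be mapped. On the systemd unit: it sets only `User=synapse` / `Group=synapse`; add `Restart=on-failure` so a crash of the Node process does not silently stop bridging, and sandboxing such as `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full`. Running the bridge under the same account as the homeserver also lets the bridge process read Synapse's signing key and database, so a dedicated service user is the least-privilege choice; whichever user is chosen must be the only one able to read `ircbridge_registration.yaml` (it carries the as_token/hs_token) and the key at `passwordEncryptionKeyPath`, since per the WARNING above that key decrypts the users' stored IRC passwords (mode 0600 for both files). In the Postgres steps, the repository line `echo deb http://` fetches packages over plain http while the signing key comes over https; use https for the repository as well. The step list also switches shells without saying so: after `sudo -u synapse bash`, the entry `(as root) service synapse stop` needs a second root shell (or an `exit` followed by a fresh `sudo -u synapse bash`) before the second `synapse_port_db` run against the live `homeserver.db`; spell that out, because porting while Synapse is still writing leaves the Postgres copy inconsistent. Finally, `args:` contains only `database: synapse` with no user, host or password, so the connection relies on Postgres peer authentication over the local Unix socket for the OS user created by `createuser -e synapse`; state this explicitly, since adding a `host:` later switches to password authentication and the connection will fail.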
Zeile 1703: | Zeile 2551: | ||
</ | </ | ||
- | ===== Datensicherung ===== | + | ====== Datensicherung |
Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user: | Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user: | ||
Zeile 1829: | Zeile 2677: | ||
30 2 * * * | 30 2 * * * | ||
</ | </ | ||
+ | |||
+ | ====== Postfächer und Forward-Konten ====== | ||
+ | |||
+ | Als Mailserver wird Postfix eingesetzt. | ||
+ | Aliase für Forwarding-Postfächer werden in der Datei ''/ | ||
+ | |||
+ | [mehr Dokumentation nötig…] | ||
+ | |||
+ | |||
+ | ===== Postfach anlegen ==== | ||
+ | |||
+ | mit '' | ||
+ | |||
+ | Passwort-Hash mit FQDN-Mail in / | ||
+ | |||
+ | |||
+ | in den mail-ordner Wechsel und Postfach-Ordner anlegen und Besitzer sowie Rechte anpassen | ||
+ | |||
+ | |||
+ | '' | ||
+ | |||
+ | '' | ||
+ | |||
+ | '' | ||
+ | |||
+ | |||
+ | |||
+ |
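Review bot: the heading `===== Postfach anlegen ====` has five `=` on the left and four on the right; the rest of the page uses matching marker counts, so make both sides `=====`. The section itself flags `[mehr Dokumentation nötig…]`, and the step "in den mail-ordner Wechsel und Postfach-Ordner anlegen und Besitzer sowie Rechte anpassen" should name the exact owner and mode (the mail user and group, directories 0700) so a mailbox is never created readable by other local accounts on this shared host; likewise the hash written to the password file should use a salted, slow scheme such as SHA512-CRYPT rather than plain CRYPT or MD5. For the alias file mentioned at the top of the section, record the rebuild step too (`newaliases` for the aliases database, `postmap` for a hash: table), because Postfix reads the compiled .db rather than the text file, and a forgotten rebuild leaves a deleted forward silently active.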