From 79692db45dfe2fec6d0fec280bfba2be740d58a5 Mon Sep 17 00:00:00 2001 From: Paul van Tilburg Date: Sun, 31 May 2020 22:49:07 +0200 Subject: [PATCH 1/6] First version of cargo-deb packaging setup --- Cargo.toml | 22 ++++++++++++++++ debian/config | 23 +++++++++++++++++ debian/env | 48 +++++++++++++++++++++++++++++++++++ debian/matrix-conduit.service | 21 +++++++++++++++ debian/postinst | 26 +++++++++++++++++++ debian/postrm | 22 ++++++++++++++++ debian/templates | 14 ++++++++++ 7 files changed, 176 insertions(+) create mode 100644 debian/config create mode 100644 debian/env create mode 100644 debian/matrix-conduit.service create mode 100644 debian/postinst create mode 100644 debian/postrm create mode 100644 debian/templates diff --git a/Cargo.toml b/Cargo.toml index 8b29be8..1feb7ca 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -72,3 +72,25 @@ required-features = ["conduit_bin"] [lib] name = "conduit" path = "src/lib.rs" + +[package.metadata.deb] +name = "matrix-conduit" +maintainer = "Paul van Tilburg " +copyright = "2020, Timo Kösters " +license-file = ["LICENSE", "3"] +depends = "$auto, ca-certificates" +extended-description = """\ +A fast Matrix homeserver that is optimized for smaller, personal servers, \ +instead of a server that has high scalability.""" +section = "net" +priority = "optional" +assets = [ + ["debian/env", "etc/matrix-conduit/env", "644"], + ["README.md", "usr/share/doc/matrix-conduit/", "644"], + ["target/release/conduit", "usr/sbin/matrix-conduit", "755"], +] +conf-files = [ + "/etc/matrix-conduit/env" +] +maintainer-scripts = "debian/" +systemd-units = { unit-name = "matrix-conduit" } diff --git a/debian/config b/debian/config new file mode 100644 index 0000000..a9ad498 --- /dev/null +++ b/debian/config @@ -0,0 +1,23 @@ +#!/bin/sh +set -e + +# Source debconf library. +. /usr/share/debconf/confmodule + +CONDUIT_CONFIG_PATH=/etc/matrix-conduit +CONDUIT_CONFIG_FILE="$CONDUIT_CONFIG_PATH/env" + +# Ask for the Matrix homeserver name and port. +db_input high matrix-conduit/hostname || true +db_go + +db_input medium matrix-conduit/port || true +db_go + +# Update the values in the config. +db_get matrix-conduit/hostname +sed -i -e "s/^ROCKET_SERVER_NAME=.*/ROCKET_SERVER_NAME=\"$RET\"/" $CONDUIT_CONFIG_FILE +db_get matrix-conduit/port +sed -i -e "s/^ROCKET_PORT=.*/ROCKET_PORT=\"$RET\"/" $CONDUIT_CONFIG_FILE + +exit 0 diff --git a/debian/env b/debian/env new file mode 100644 index 0000000..3f72c5b --- /dev/null +++ b/debian/env @@ -0,0 +1,48 @@ +# Conduit homeserver configuration +# +# Conduit is an application based on the Rocket web framework. +# Configuration of Conduit can happen either via a `Rocket.toml` file that +# is placed in /var/lib/matrix-conduit or via setting the environment +# variables below. + +# The server (host)name of the Matrix homeserver. +# +# This is the hostname the homeserver will be reachable at via a client. +ROCKET_SERVER_NAME="YOURSERVERNAME.HERE" + +# The address the Matrix homeserver listens on. +# +# By default the server listens on 0.0.0.0. Change this for example to +# 127.0.0.1 to only listen on the localhost when using a reverse proxy. +#ROCKET_ADDRESS="0.0.0.0" + +# The port of the Matrix homeserver. +# +# This port is often accessed by a reverse proxy. +ROCKET_PORT="14004" + +# The maximum size of a Matrix HTTP requests in bytes. +# +# This mostly affects the size of files that can be downloaded/uploaded. +ROCKET_MAX_REQUEST_SIZE=20000000 + +# Whether user registration is allowed. +# +# User registration is allowed by default. +#ROCKET_REGISTRATION_DISABLED=true + +# Whether encryption is enabled. +# +# (End-to-end) encryption is enabled by default. +#ROCKET_ENCRYPTION_DISABLED=true + +# Whether federation with other Matrix servers is enabled. +# +# Federation is disabled by default; it is still experimental. +#ROCKET_FEDERATION_ENABLED=true + +# The log level of the homeserver. +# +# The log level is "critical" by default. +# Allowed values are: "off", "normal", "debug", "critical" +#ROCKET_LOG="normal" diff --git a/debian/matrix-conduit.service b/debian/matrix-conduit.service new file mode 100644 index 0000000..96c4856 --- /dev/null +++ b/debian/matrix-conduit.service @@ -0,0 +1,21 @@ +[Unit] +Description=Conduit Matrix homeserver +After=network.target + +[Service] +User=_matrix-conduit +Group=_matrix-conduit +Type=simple + +Environment="ROCKET_ENV=production" +Environment="ROCKET_DATABASE_PATH=/var/lib/matrix-conduit" +EnvironmentFile=/etc/matrix-conduit/env + +ExecStart=/usr/sbin/matrix-conduit +Restart=on-failure +RestartSec=10 +StartLimitInterval=1m +StartLimitBurst=5 + +[Install] +WantedBy=multi-user.target diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 0000000..ee684da --- /dev/null +++ b/debian/postinst @@ -0,0 +1,26 @@ +#!/bin/sh +set -e + +CONDUIT_DATABASE_PATH=/var/lib/matrix-conduit + +case "$1" in + configure) + # Create the `_matrix-conduit` user if it does not exist yet. + if ! getent passwd _matrix-conduit > /dev/null ; then + echo 'Adding system user for the Conduit Matrix homeserver' 1>&2 + adduser --system --group --quiet \ + --home $CONDUIT_DATABASE_PATH \ + --disabled-login \ + --force-badname \ + _matrix-conduit + fi + + # Create the database path if it does not exist yet. + if [ ! -d "$CONDUIT_DATABASE_PATH" ]; then + mkdir -p "$CONDUIT_DATABASE_PATH" + chown _matrix-conduit "$CONDUIT_DATABASE_PATH" + fi + ;; +esac + +#DEBHELPER# diff --git a/debian/postrm b/debian/postrm new file mode 100644 index 0000000..04ca325 --- /dev/null +++ b/debian/postrm @@ -0,0 +1,22 @@ +#!/bin/sh +set -e + +CONDUIT_CONFIG_PATH=/etc/matrix-conduit +CONDUIT_DATABASE_PATH=/var/lib/matrix-conduit + +case $1 in + purge) + # Per https://www.debian.org/doc/debian-policy/ch-files.html#behavior + # "configuration files must be preserved when the package is removed, and + # only deleted when the package is purged." + if [ -d "$CONDUIT_CONFIG_PATH" ]; then + rm -r "$CONDUIT_CONFIG_PATH" + fi + + if [ -d "$CONDUIT_DATABASE_PATH" ]; then + rm -r "$CONDUIT_DATABASE_PATH" + fi + ;; +esac + +#DEBHELPER# diff --git a/debian/templates b/debian/templates new file mode 100644 index 0000000..66bf55c --- /dev/null +++ b/debian/templates @@ -0,0 +1,14 @@ +Template: matrix-conduit/hostname +Type: string +Default: localhost +Description: The server (host)name of the Matrix homeserver. + This is the hostname the homeserver will be reachable at via a client. + . + If set to "localhost", you can connect with a client locally and clients + from other hosts and also other servers will not be able to reach you! + +Template: matrix-conduit/port +Type: string +Default: 14004 +Description: The port of the Matrix homeserver + This port is often accessed by a reverse proxy. From f72554de1014eea6b5c224548e9d0aeb15553cf7 Mon Sep 17 00:00:00 2001 From: Paul van Tilburg Date: Fri, 13 Nov 2020 20:35:22 +0100 Subject: [PATCH 2/6] Split config into a Debian and local part * The Debian part will be generated and managed by Debconf and configure homeserver name, address and port * The local part will just be a config file that shows the other configuration options Added the address configuration and moved the config generation from the config to the postinst script. --- Cargo.toml | 4 +-- debian/config | 14 +++------- debian/env | 48 ----------------------------------- debian/env.local | 33 ++++++++++++++++++++++++ debian/matrix-conduit.service | 3 ++- debian/postinst | 47 ++++++++++++++++++++++++++++++++++ debian/templates | 13 +++++++--- 7 files changed, 98 insertions(+), 64 deletions(-) delete mode 100644 debian/env create mode 100644 debian/env.local diff --git a/Cargo.toml b/Cargo.toml index 1feb7ca..d0dfcf4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -85,12 +85,12 @@ instead of a server that has high scalability.""" section = "net" priority = "optional" assets = [ - ["debian/env", "etc/matrix-conduit/env", "644"], + ["debian/env.local", "etc/matrix-conduit/local", "644"], ["README.md", "usr/share/doc/matrix-conduit/", "644"], ["target/release/conduit", "usr/sbin/matrix-conduit", "755"], ] conf-files = [ - "/etc/matrix-conduit/env" + "/etc/matrix-conduit/local" ] maintainer-scripts = "debian/" systemd-units = { unit-name = "matrix-conduit" } diff --git a/debian/config b/debian/config index a9ad498..8710ef9 100644 --- a/debian/config +++ b/debian/config @@ -4,20 +4,14 @@ set -e # Source debconf library. . /usr/share/debconf/confmodule -CONDUIT_CONFIG_PATH=/etc/matrix-conduit -CONDUIT_CONFIG_FILE="$CONDUIT_CONFIG_PATH/env" - -# Ask for the Matrix homeserver name and port. +# Ask for the Matrix homeserver name, address and port. db_input high matrix-conduit/hostname || true db_go +db_input low matrix-conduit/address || true +db_go + db_input medium matrix-conduit/port || true db_go -# Update the values in the config. -db_get matrix-conduit/hostname -sed -i -e "s/^ROCKET_SERVER_NAME=.*/ROCKET_SERVER_NAME=\"$RET\"/" $CONDUIT_CONFIG_FILE -db_get matrix-conduit/port -sed -i -e "s/^ROCKET_PORT=.*/ROCKET_PORT=\"$RET\"/" $CONDUIT_CONFIG_FILE - exit 0 diff --git a/debian/env b/debian/env deleted file mode 100644 index 3f72c5b..0000000 --- a/debian/env +++ /dev/null @@ -1,48 +0,0 @@ -# Conduit homeserver configuration -# -# Conduit is an application based on the Rocket web framework. -# Configuration of Conduit can happen either via a `Rocket.toml` file that -# is placed in /var/lib/matrix-conduit or via setting the environment -# variables below. - -# The server (host)name of the Matrix homeserver. -# -# This is the hostname the homeserver will be reachable at via a client. -ROCKET_SERVER_NAME="YOURSERVERNAME.HERE" - -# The address the Matrix homeserver listens on. -# -# By default the server listens on 0.0.0.0. Change this for example to -# 127.0.0.1 to only listen on the localhost when using a reverse proxy. -#ROCKET_ADDRESS="0.0.0.0" - -# The port of the Matrix homeserver. -# -# This port is often accessed by a reverse proxy. -ROCKET_PORT="14004" - -# The maximum size of a Matrix HTTP requests in bytes. -# -# This mostly affects the size of files that can be downloaded/uploaded. -ROCKET_MAX_REQUEST_SIZE=20000000 - -# Whether user registration is allowed. -# -# User registration is allowed by default. -#ROCKET_REGISTRATION_DISABLED=true - -# Whether encryption is enabled. -# -# (End-to-end) encryption is enabled by default. -#ROCKET_ENCRYPTION_DISABLED=true - -# Whether federation with other Matrix servers is enabled. -# -# Federation is disabled by default; it is still experimental. -#ROCKET_FEDERATION_ENABLED=true - -# The log level of the homeserver. -# -# The log level is "critical" by default. -# Allowed values are: "off", "normal", "debug", "critical" -#ROCKET_LOG="normal" diff --git a/debian/env.local b/debian/env.local new file mode 100644 index 0000000..cd552de --- /dev/null +++ b/debian/env.local @@ -0,0 +1,33 @@ +# Conduit homeserver local configuration +# +# Conduit is an application based on the Rocket web framework. +# Configuration of Conduit happens via Debconf (see the resulting config in +# `/etc/matrix-conduit/debian`) and optionally by uncommenting and tweaking the +# variables in this file below. + +# The maximum size of a Matrix HTTP requests in bytes. +# +# This mostly affects the size of files that can be downloaded/uploaded. +# It defaults to 20971520 (20MB). +#ROCKET_MAX_REQUEST_SIZE=20971520 + +# Whether user registration is allowed. +# +# User registration is not disabled by default. +#ROCKET_REGISTRATION_DISABLED=false + +# Whether encryption is enabled. +# +# (End-to-end) encryption is not disabled by default. +#ROCKET_ENCRYPTION_DISABLED=false + +# Whether federation with other Matrix servers is enabled. +# +# Federation is not enabled by default; it is still experimental. +#ROCKET_FEDERATION_ENABLED=false + +# The log level of the homeserver. +# +# The log level is "critical" by default. +# Allowed values are: "off", "normal", "debug", "critical" +#ROCKET_LOG="critical" diff --git a/debian/matrix-conduit.service b/debian/matrix-conduit.service index 96c4856..42969c1 100644 --- a/debian/matrix-conduit.service +++ b/debian/matrix-conduit.service @@ -9,7 +9,8 @@ Type=simple Environment="ROCKET_ENV=production" Environment="ROCKET_DATABASE_PATH=/var/lib/matrix-conduit" -EnvironmentFile=/etc/matrix-conduit/env +EnvironmentFile=/etc/matrix-conduit/debian +EnvironmentFile=/etc/matrix-conduit/local ExecStart=/usr/sbin/matrix-conduit Restart=on-failure diff --git a/debian/postinst b/debian/postinst index ee684da..bd7fb85 100644 --- a/debian/postinst +++ b/debian/postinst @@ -1,6 +1,10 @@ #!/bin/sh set -e +. /usr/share/debconf/confmodule + +CONDUIT_CONFIG_PATH=/etc/matrix-conduit +CONDUIT_CONFIG_FILE="$CONDUIT_CONFIG_PATH/debian" CONDUIT_DATABASE_PATH=/var/lib/matrix-conduit case "$1" in @@ -20,6 +24,49 @@ case "$1" in mkdir -p "$CONDUIT_DATABASE_PATH" chown _matrix-conduit "$CONDUIT_DATABASE_PATH" fi + + # Write the debconf values in the config. + db_get matrix-conduit/hostname + ROCKET_SERVER_NAME="$RET" + db_get matrix-conduit/address + ROCKET_ADDRESS="$RET" + db_get matrix-conduit/port + ROCKET_PORT="$RET" + cat >"$CONDUIT_CONFIG_FILE" << EOF +# Conduit homeserver Debian configuration +# +# Conduit is an application based on the Rocket web framework. +# Configuration of Conduit happens via Debconf (of which the resulting config +# is in this file) and optionally by uncommenting and tweaking the variables in +# /etc/matrix-conduit/local. + +# THIS FILE IS GENERATED BY DEBCONF AND WILL BE OVERRIDDEN! +# +# Please make changes by running: +# +# \$ dpkg-reconfigure matrix-conduit +# +# or by providing overriding changes in /etc/matrix-conduit/local. + +# The server (host)name of the Matrix homeserver. +# +# This is the hostname the homeserver will be reachable at via a client. +ROCKET_SERVER_NAME="$ROCKET_SERVER_NAME" + +# The address the Matrix homeserver listens on. +# +# By default the server listens on address 0.0.0.0. Change this to 127.0.0.1 to +# only listen on the localhost when using a reverse proxy. +ROCKET_ADDRESS="$ROCKET_ADDRESS" + +# The port of the Matrix homeserver. +# +# This port is could be any available port if accessed by a reverse proxy. +# By default the server listens on port 8000. +ROCKET_PORT="$ROCKET_PORT" + +# THIS FILE IS GENERATED BY DEBCONF AND WILL BE OVERRIDDEN! +EOF ;; esac diff --git a/debian/templates b/debian/templates index 66bf55c..a408f84 100644 --- a/debian/templates +++ b/debian/templates @@ -1,14 +1,21 @@ Template: matrix-conduit/hostname Type: string Default: localhost -Description: The server (host)name of the Matrix homeserver. +Description: The server (host)name of the Matrix homeserver This is the hostname the homeserver will be reachable at via a client. . If set to "localhost", you can connect with a client locally and clients - from other hosts and also other servers will not be able to reach you! + from other hosts and also other homeservers will not be able to reach you! + +Template: matrix-conduit/address +Type: string +Default: 127.0.0.1 +Description: The listen address of the Matrix homeserver + This is the address the homeserver will listen on. Leave it set to 127.0.0.1 + when using a reverse proxy. Template: matrix-conduit/port Type: string Default: 14004 Description: The port of the Matrix homeserver - This port is often accessed by a reverse proxy. + This port is most often just accessed by a reverse proxy. From 1b4a79d47c7f91b6d3562520637d28f6f00ec6c9 Mon Sep 17 00:00:00 2001 From: Paul van Tilburg Date: Fri, 13 Nov 2020 20:50:58 +0100 Subject: [PATCH 3/6] Add and install README.Debian This file documents how the packaging is organized and how to configure and use it. It also details what the default deployment is like. --- Cargo.toml | 1 + debian/README.Debian | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 debian/README.Debian diff --git a/Cargo.toml b/Cargo.toml index d0dfcf4..76c52e5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -86,6 +86,7 @@ section = "net" priority = "optional" assets = [ ["debian/env.local", "etc/matrix-conduit/local", "644"], + ["debian/README.Debian", "usr/share/doc/matrix-conduit/", "644"], ["README.md", "usr/share/doc/matrix-conduit/", "644"], ["target/release/conduit", "usr/sbin/matrix-conduit", "755"], ] diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..69fb975 --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,29 @@ +Conduit for Debian +================== + +Configuration +------------- + +When installed, Debconf handles the configuration of the homeserver (host)name, +the address and port it listens on. These configuration variables end up in +/etc/matrix-conduit/debian. + +You can tweak more detailed settings by uncommenting and setting the variables +in /etc/matrix-conduit/local. This involves settings such as the maximum file +size for download/upload, enabling federation, etc. + +Running +------- + +The package uses the matrix-conduit.service systemd unit file to start and +stop Conduit. It loads the configuration files mentioned above to set up the +environment before running the server. + +This package assumes by default that Conduit is placed behind a reverse proxy +such as Apache or nginx. This default deployment entails just listening on +127.0.0.1 and the free port 14004 and is reachable via a client using the URL +http://localhost:14004. + +At a later stage this packaging may support also setting up TLS and running +stand-alone. In this case, however, you need to set up some certificates and +renewal, for it to work properly. From 1a341543ba155e3b4416368344cbb705690aceca Mon Sep 17 00:00:00 2001 From: Paul van Tilburg Date: Fri, 13 Nov 2020 21:37:22 +0100 Subject: [PATCH 4/6] Lock down the Conduit process in the systemd unit This will secure the service more and allow only what is necessary. --- debian/matrix-conduit.service | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/debian/matrix-conduit.service b/debian/matrix-conduit.service index 42969c1..5ab7917 100644 --- a/debian/matrix-conduit.service +++ b/debian/matrix-conduit.service @@ -7,6 +7,33 @@ User=_matrix-conduit Group=_matrix-conduit Type=simple +AmbientCapabilities= +CapabilityBoundingSet= +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +ProtectClock=yes +ProtectControlGroups=yes +ProtectHome=yes +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectSystem=strict +PrivateDevices=yes +PrivateMounts=yes +PrivateTmp=yes +PrivateUsers=yes +RemoveIPC=yes +RestrictAddressFamilies=AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +StateDirectory=matrix-conduit + Environment="ROCKET_ENV=production" Environment="ROCKET_DATABASE_PATH=/var/lib/matrix-conduit" EnvironmentFile=/etc/matrix-conduit/debian From ebb38cd33043004bf3a7d4c453e5e904406d8994 Mon Sep 17 00:00:00 2001 From: Devon Hudson Date: Sat, 16 Jan 2021 14:48:24 -0700 Subject: [PATCH 5/6] improvement: respect logout_devices param on password change Move logout devices comment next to relevant loop remove unnecessary log --- src/client_server/account.rs | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/client_server/account.rs b/src/client_server/account.rs index f48543e..3d6498f 100644 --- a/src/client_server/account.rs +++ b/src/client_server/account.rs @@ -572,16 +572,16 @@ pub async fn change_password_route( db.users.set_password(&sender_user, &body.new_password)?; - // TODO: Read logout_devices field when it's available and respect that, currently not supported in Ruma - // See: https://github.com/ruma/ruma/issues/107 - // Logout all devices except the current one - for id in db - .users - .all_device_ids(&sender_user) - .filter_map(|id| id.ok()) - .filter(|id| id != sender_device) - { - db.users.remove_device(&sender_user, &id)?; + if body.logout_devices { + // Logout all devices except the current one + for id in db + .users + .all_device_ids(&sender_user) + .filter_map(|id| id.ok()) + .filter(|id| id != sender_device) + { + db.users.remove_device(&sender_user, &id)?; + } } db.flush().await?; From a1e296374f2e42e4b22789cc1736f73bf5e85a1f Mon Sep 17 00:00:00 2001 From: Valkum Date: Fri, 22 Jan 2021 20:11:19 +0100 Subject: [PATCH 6/6] Allow the complement test image to use build artifacts --- tests/Complement.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/Complement.Dockerfile b/tests/Complement.Dockerfile index 306105a..0ef8f90 100644 --- a/tests/Complement.Dockerfile +++ b/tests/Complement.Dockerfile @@ -9,7 +9,7 @@ ARG SCCACHE_ENDPOINT ARG SCCACHE_S3_USE_SSL COPY . . -RUN cargo build +RUN test -e target/release/cond_test || cargo build --release --offline FROM valkum/docker-rust-ci:latest WORKDIR /workdir