Permettre à PHP-FPM dans Nginx de modifier des fichiers
Si dans /usr/lib/systemd/system/php-fpm.service:
ProtectSystem=fullMettre à jour les paths voulus dans /usr/lib/systemd/system/php-fpm.service :
[Service]
ReadWritePaths=
Activer / Désactiver rapidement la vue TinyMCE dans l'admin Bludit
Petit script à placer dans Plugins --> Code HTML --> Paramètres --> Admin Area --> Header :
<script>
/// Fires when an editor is added to the EditorManager collection.
tinymce.on('addeditor', function( event ) {
$("<button id=\"switch-tinymce\" class=\"btn btn-sm btn-success\" type=\"button\" onclick=\"tinymce.execCommand('mceToggleEditor',false,'jseditor'); $('#switch-tinymce').toggleClass('btn-success btn-danger');\">ON/OFF</button>").insertAfter("#jsbuttonPreview");
$("#switch-tinymce").before(" ").append(" ");
}, true );
</script>Le script est un peu dégueu mais le rendu est largement acceptable :
Mettre rapidement en place un serveur Matrix sur une ArchARM + bridge Discord
Table des Matières
Installation
yay -S matrix-synapse mx-puppet-discord-git nginx
Configuration
Matrix
/etc/synapse/homeserver.yaml :
# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
server_name: "nibel.fr"
pid_file: /var/lib/synapse/homeserver.pid
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
bind_addresses: ['::1', '127.0.0.1']
resources:
- names: [client, federation]
compress: false
database:
name: sqlite3
args:
database: /var/lib/synapse/homeserver.db
log_config: "/etc/synapse/nibelheim.ddns.net.log.config"
media_store_path: /var/lib/synapse/media_store
### REGISTRATION ###
enable_registration: false
enable_registration_without_verification: false
### REGISTRATION ###
registration_shared_secret: "XXX"
report_stats: true
macaroon_secret_key: "XXX"
form_secret: "XXX"
signing_key_path: "/etc/synapse/.key"
trusted_key_servers:
- server_name: "matrix.org"
url_preview_enabled: true
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
suppress_key_server_warning: true
app_service_config_files:
- '/etc/mx-puppet-discord/registration.yaml'
# vim:ft=yaml
modules:
- module: shared_secret_authenticator.SharedSecretAuthProvider
config:
shared_secret: "XXX"
# By default, only login requests of type `com.devture.shared_secret_auth` are supported.
# Below, we explicitly enable support for the old `m.login.password` login type,
# which was used in v1 of matrix-synapse-shared-secret-auth and still widely supported by external software.
# If you don't need such legacy support, consider setting this to `false` or omitting it entirely.
# m_login_password_support_enabled: true
# By default, only login requests of type `com.devture.shared_secret_auth` are supported.
# Advertising support for such an authentication type causes a problem with Element, however.
# See: https://github.com/vector-im/element-web/issues/19605
#
# Uncomment the line below to disable `com.devture.shared_secret_auth` support.
# You will then need to:
# - have `m_login_password_support_enabled: true` to enable the `m.login.password` login type
# - authenticate using `m.login.password` requests, instead of ``com.devture.shared_secret_auth` requests
# com_devture_shared_secret_auth_support_enabled: false
Nginx
/etc/nginx/nginx.conf :
#user http;
worker_processes 1;
events {
worker_connections 1024;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
charset utf-8;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 4096;
client_max_body_size 16M;
# logging
#access_log /var/log/nginx/access.log;
#error_log /var/log/nginx/error.log warn;
# load configs
#include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
#gzip on;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# For the federation port
listen 8448 http2 default_server;
listen [::]:8448 http2 default_server;
server_name nibel.fr;
location ~ ^(/_matrix|/_synapse/client) {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
ssl_certificate /etc/letsencrypt/live/nibel.fr/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/nibel.fr/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# # For the federation port
# listen 8448 http2 default_server;
# listen [::]:8448 http2 default_server;
server_name www.nibel.fr;
location ~ ^(/_matrix|/_synapse/client) {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
ssl_certificate /etc/letsencrypt/live/www.nibel.fr/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.nibel.fr/privkey.pem; # managed by Certbot
}
server {
server_name nibel.fr;
location / {
root /usr/share/nginx/html;
index index.htm index.html;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/nibelheim.ddns.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/nibelheim.ddns.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
server_name blog.nibel.fr;
root /usr/share/nginx/html/blog.nibel.fr;
index index.php;
#access_log /var/log/nginx/example.log;
#error_log /var/log/nginx/example.log;
ssl_certificate /etc/letsencrypt/live/blog.nibel.fr/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/blog.nibel.fr/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# ssl_session_cache shared:SSL:50m;
# ssl_session_timeout 10m;
# ssl_prefer_server_ciphers on;
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_protocols TLSv1.1 TLSv1.2;
# ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
location ~ \.(jpg|jpeg|gif|png|css|js|ico|svg|eot|ttf|woff|woff2|otf)$ {
access_log off;
expires 30d;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_param HTTPS on;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ^~ /bl-content/databases/ { deny all; }
location ^~ /bl-content/workspaces/ { deny all; }
location ^~ /bl-content/pages/ { deny all; }
location ^~ /bl-kernel/*.php { deny all; }
}
server {
if ($host = nibel.fr) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name nibel.fr;
return 404; # managed by Certbot
}
server {
if ($host = blog.nibel.fr) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name blog.nibel.fr
root /usr/share/nginx/html/blog.nibel.fr;
return 301; # managed by Certbot
}}
Services Systemd
/etc/systemd/system/synapse.target.wants/synapse.service :
[Unit]
Description=Synapse Matrix homeserver (master)
After=network-online.target
Wants=network-online.target
PartOf=synapse.target
ReloadPropagatedFrom=synapse.target
[Service]
Type=notify
User=synapse
Group=synapse
SyslogIdentifier=synapse
Environment=LANG=en_US.UTF-8
WorkingDirectory=/var/lib/synapse
ExecStart=/usr/bin/python3 -m synapse.app.homeserver --config-path=/etc/synapse/homeserver.yaml
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/synctl stop /etc/synapse/homeserver.yaml
EnvironmentFile=-/etc/default/synapse
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target synapse.target
/usr/lib/systemd/system/mx-puppet-discord.service :
[Unit]
Description=Matrix-Discord puppeting bridge
After=network-online.target
After=synapse.service
[Service]
ExecStart=node /usr/lib/node_modules/mx-puppet-discord/build/index.js -c /etc/mx-puppet-discord/config.yaml -f /etc/mx-puppet-discord/registration.yaml
User=mx-puppet-discord
WorkingDirectory=~
LockPersonality=yes
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=no
ProtectHostname=yes
ProtectSystem=full
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
Restart=always
RestartSec=3
ReadWritePaths=/var/lib/mx-puppet-discord
[Install]
WantedBy=multi-user.target
Ressources utiles
Installer une ArchLinux ARM sur une Freebox Delta
Utiliser cet iso : https://pkgbuild.com/~tpowa/archboot/iso/aarch64/latest/
Installer grub en table de partition gpt ! Autrement ça ne bootera pas.
Packages archives ArchARM : http://tardis.tiny-vps.com/aarm/
Pages :