Allowing PHP-FPM under Nginx to modify files


If /usr/lib/systemd/system/php-fpm.service contains:

ProtectSystem=full

(which mounts /usr, /boot and /etc read-only for the service), update the paths you need in /usr/lib/systemd/system/php-fpm.service:

[Service]
ReadWritePaths=
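As an added example (not from the original post), the same change written as a drop-in instead of editing the packaged unit, which the package manager overwrites on upgrade. It assumes the blog root used in the Nginx config further down (/usr/share/nginx/html/blog.nibel.fr) and that only Bludit's bl-content directory needs to be writable; the drop-in path follows systemd's override convention.

```ini
# /etc/systemd/system/php-fpm.service.d/override.conf
# Drop-in for the packaged php-fpm.service (assumed location; `systemctl edit
# php-fpm` creates it). ProtectSystem=full in the vendor unit mounts /usr, /boot
# and /etc read-only for the service, so a site living under
# /usr/share/nginx/html cannot be written at all until a hole is punched.
[Service]
# Grant write access only to the directory the application really needs
# (assumed here: Bludit's bl-content), not to the document root that holds the
# PHP code: a writable code directory turns any upload flaw into code execution.
ReadWritePaths=/usr/share/nginx/html/blog.nibel.fr/bl-content
```

After `systemctl daemon-reload` and `systemctl restart php-fpm`, `systemctl show php-fpm -p ReadWritePaths` prints the merged value so you can confirm the hole is exactly as narrow as intended.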

Quickly setting up a Matrix server on ArchARM plus a Discord bridge


Installation

yay -S matrix-synapse mx-puppet-discord-git nginx

Configuration

Matrix

/etc/synapse/homeserver.yaml:

# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
server_name: "nibel.fr"
pid_file: /var/lib/synapse/homeserver.pid
listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['::1', '127.0.0.1']
    resources:
      - names: [client, federation]
        compress: false
database:
  name: sqlite3
  args:
    database: /var/lib/synapse/homeserver.db
log_config: "/etc/synapse/nibelheim.ddns.net.log.config"
media_store_path: /var/lib/synapse/media_store
### REGISTRATION ###
enable_registration: false
enable_registration_without_verification: false
### REGISTRATION ###
registration_shared_secret: "XXX"
report_stats: true
macaroon_secret_key: "XXX"
form_secret: "XXX"
signing_key_path: "/etc/synapse/.key"
trusted_key_servers:
  - server_name: "matrix.org"
url_preview_enabled: true
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '192.0.0.0/24'
  - '169.254.0.0/16'
  - '192.88.99.0/24'
  - '198.18.0.0/15'
  - '192.0.2.0/24'
  - '198.51.100.0/24'
  - '203.0.113.0/24'
  - '224.0.0.0/4'
  - '::1/128'
  - 'fe80::/10'
  - 'fc00::/7'
  - '2001:db8::/32'
  - 'ff00::/8'
  - 'fec0::/10'
suppress_key_server_warning: true
app_service_config_files:
  - '/etc/mx-puppet-discord/registration.yaml'

modules:
  - module: shared_secret_authenticator.SharedSecretAuthProvider
    config:
      shared_secret: "XXX"

      # By default, only login requests of type `com.devture.shared_secret_auth` are supported.
      # Below, we explicitly enable support for the old `m.login.password` login type,
      # which was used in v1 of matrix-synapse-shared-secret-auth and still widely supported by external software.
      # If you don't need such legacy support, consider setting this to `false` or omitting it entirely.
      # m_login_password_support_enabled: true

      # By default, only login requests of type `com.devture.shared_secret_auth` are supported.
      # Advertising support for such an authentication type causes a problem with Element, however.
      # See: https://github.com/vector-im/element-web/issues/19605
      #
      # Uncomment the line below to disable `com.devture.shared_secret_auth` support.
      # You will then need to:
      # - have `m_login_password_support_enabled: true` to enable the `m.login.password` login type
      # - authenticate using `m.login.password` requests, instead of `com.devture.shared_secret_auth` requests
      # com_devture_shared_secret_auth_support_enabled: false

# vim: ft=yaml

Nginx

/etc/nginx/nginx.conf:

#user http;
worker_processes  1;

events {
    worker_connections 1024;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    charset utf-8;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    log_not_found off;
    types_hash_max_size 4096;
    client_max_body_size 16M;

    # logging
    #access_log /var/log/nginx/access.log;
    #error_log /var/log/nginx/error.log warn;

    # load configs
    #include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;

    #gzip  on;

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        # For the federation port. `ssl` is required here: federation peers
        # expect TLS on 8448, and `http2` alone would only serve plaintext h2c.
        listen 8448 ssl http2 default_server;
        listen [::]:8448 ssl http2 default_server;

        server_name nibel.fr;

        location ~ ^(/_matrix|/_synapse/client) {
            # note: do not add a path (even a single /) after the port in `proxy_pass`,
            # otherwise nginx will canonicalise the URI and cause signature verification
            # errors.
            proxy_pass http://localhost:8008;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;

            # Nginx by default only allows file uploads up to 1M in size
            # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
            client_max_body_size 50M;

            # Synapse responses may be chunked, which is an HTTP/1.1 feature.
            proxy_http_version 1.1;
        }

        ssl_certificate /etc/letsencrypt/live/nibel.fr/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/nibel.fr/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        # For the federation port. Only one server may be `default_server` on a
        # given port and the nibel.fr block above already is, so it is omitted here.
        listen 8448 ssl http2;
        listen [::]:8448 ssl http2;

        server_name www.nibel.fr;

        location ~ ^(/_matrix|/_synapse/client) {
            # note: do not add a path (even a single /) after the port in `proxy_pass`,
            # otherwise nginx will canonicalise the URI and cause signature verification
            # errors.
            proxy_pass http://localhost:8008;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;

            # Nginx by default only allows file uploads up to 1M in size
            # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
            client_max_body_size 50M;

            # Synapse responses may be chunked, which is an HTTP/1.1 feature.
            proxy_http_version 1.1;
        }

        ssl_certificate /etc/letsencrypt/live/www.nibel.fr/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/www.nibel.fr/privkey.pem; # managed by Certbot
    }

    # Caveat: this block repeats server_name nibel.fr on port 443. nginx keeps the
    # first block for that name and port, logs "conflicting server name ... ignored"
    # and never serves this static site; merge the two blocks if it is wanted.
    server {
        server_name  nibel.fr;

        location / {
            root   /usr/share/nginx/html;
            index  index.htm index.html;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}

        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/nibelheim.ddns.net/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/nibelheim.ddns.net/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        listen [::]:443 ssl; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        server_name blog.nibel.fr;
        root /usr/share/nginx/html/blog.nibel.fr;
        index index.php;

        #access_log /var/log/nginx/example.log;
        #error_log /var/log/nginx/example.log;

        ssl_certificate /etc/letsencrypt/live/blog.nibel.fr/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/blog.nibel.fr/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        # Caveat: Certbot's options-ssl-nginx.conf normally already sets
        # ssl_session_cache, ssl_session_timeout, ssl_protocols,
        # ssl_prefer_server_ciphers and ssl_ciphers. nginx rejects a directive
        # that appears twice in the same block, so keep only one of the two
        # sources. TLSv1.1 is deprecated (RFC 8996); TLSv1.2 and TLSv1.3 suffice.
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 10m;
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

        add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";

        location ~ \.(jpg|jpeg|gif|png|css|js|ico|svg|eot|ttf|woff|woff2|otf)$ {
            access_log        off;
            expires           30d;
        }

        # Bludit: keep databases, workspaces and pages out of reach and refuse to
        # execute PHP files under bl-kernel directly. Regex locations are tried in
        # file order, so the bl-kernel rule must precede the generic \.php$ one.
        # The original `^~ /bl-kernel/*.php` was a literal prefix (the '*' is not
        # a wildcard in a prefix location) and therefore never matched anything.
        location ^~ /bl-content/databases/ { deny all; }
        location ^~ /bl-content/workspaces/ { deny all; }
        location ^~ /bl-content/pages/ { deny all; }
        location ~ ^/bl-kernel/.*\.php$ { deny all; }

        location ~ \.php$ {
            fastcgi_pass    unix:/run/php-fpm/php-fpm.sock;
            fastcgi_index   index.php;
            include         fastcgi.conf;
            fastcgi_param   HTTPS on;
        }

        location / {
            try_files $uri $uri/ /index.php?$args;
        }
    }

    server {
        if ($host = nibel.fr) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen       80;
        server_name  nibel.fr;
        return 404; # managed by Certbot
    }

    server {
        if ($host = blog.nibel.fr) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;

        server_name blog.nibel.fr;

        root /usr/share/nginx/html/blog.nibel.fr;
        # Certbot's template answers 404 for hosts the redirect above did not match;
        # a bare `return 301;` would send a redirect with no Location header.
        return 404; # managed by Certbot
    }
}
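The blog block above ends with `location ^~ /bl-kernel/*.php { deny all; }`, which is a prefix match with a literal `*` and so never denies anything, while the generic `~ \.php$` location happily hands the file to PHP-FPM. The following added example (my own, not part of the original post or of nginx) models nginx's location selection for the modifiers used in that block and runs the page's rule set against a few constructed request URIs, beside a corrected set that puts a regex deny rule before `\.php$`. Exact (`=`) and case-insensitive (`~*`) locations are not modelled.

```python
import re

# Constructed from the blog.nibel.fr server block on this page: (modifier, pattern,
# action) in file order. The last rule is the page's `^~ /bl-kernel/*.php`, in which
# '*' is a literal character because `^~` is a prefix match, not a glob or a regex.
RULES_AS_WRITTEN = [
    ("~", r"\.(jpg|jpeg|gif|png|css|js|ico|svg|eot|ttf|woff|woff2|otf)$", "static"),
    ("~", r"\.php$", "php-fpm"),
    ("", "/", "try_files"),
    ("^~", "/bl-content/databases/", "deny"),
    ("^~", "/bl-content/workspaces/", "deny"),
    ("^~", "/bl-content/pages/", "deny"),
    ("^~", "/bl-kernel/*.php", "deny"),
]

# Same block with a regex deny rule placed *before* the generic \.php$ handler.
RULES_FIXED = [
    ("~", r"\.(jpg|jpeg|gif|png|css|js|ico|svg|eot|ttf|woff|woff2|otf)$", "static"),
    ("^~", "/bl-content/databases/", "deny"),
    ("^~", "/bl-content/workspaces/", "deny"),
    ("^~", "/bl-content/pages/", "deny"),
    ("~", r"^/bl-kernel/.*\.php$", "deny"),
    ("~", r"\.php$", "php-fpm"),
    ("", "/", "try_files"),
]

def select_location(uri, rules):
    """Return the action nginx would pick for a (normalised) request URI.

    1. Among prefix locations ('' and '^~'), remember the longest one that matches.
    2. If that longest prefix carries '^~', use it and skip the regex locations.
    3. Otherwise the first regex ('~') location in file order that matches wins.
    4. Fall back to the longest plain prefix.
    """
    best = None
    for mod, pat, action in rules:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    if best is not None and best[0] == "^~":
        return best[2]
    for mod, pat, action in rules:
        if mod == "~" and re.search(pat, uri):
            return action
    return best[2] if best is not None else None

# Constructed sample requests: a kernel PHP file, a data file and a theme asset.
def audit(rules):
    return {uri: select_location(uri, rules)
            for uri in ("/bl-kernel/boot/init.php",
                        "/bl-content/databases/users.php",
                        "/bl-content/uploads/cover.png")}
```

Running `audit(RULES_AS_WRITTEN)` shows the kernel file reaching php-fpm, whereas `audit(RULES_FIXED)` denies it and still leaves database files denied and assets served.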

Systemd services

/etc/systemd/system/synapse.target.wants/synapse.service:

[Unit]
Description=Synapse Matrix homeserver (master)
After=network-online.target
Wants=network-online.target
PartOf=synapse.target
ReloadPropagatedFrom=synapse.target

[Service]
Type=notify
User=synapse
Group=synapse
SyslogIdentifier=synapse
Environment=LANG=en_US.UTF-8
WorkingDirectory=/var/lib/synapse
ExecStart=/usr/bin/python3 -m synapse.app.homeserver --config-path=/etc/synapse/homeserver.yaml
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/synctl stop /etc/synapse/homeserver.yaml
EnvironmentFile=-/etc/default/synapse
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target synapse.target

/usr/lib/systemd/system/mx-puppet-discord.service:

[Unit]
Description=Matrix-Discord puppeting bridge
After=network-online.target
After=synapse.service

[Service]
ExecStart=node /usr/lib/node_modules/mx-puppet-discord/build/index.js -c /etc/mx-puppet-discord/config.yaml -f /etc/mx-puppet-discord/registration.yaml
User=mx-puppet-discord
WorkingDirectory=~

LockPersonality=yes
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=no
ProtectHostname=yes
ProtectSystem=full
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
Restart=always
RestartSec=3

ReadWritePaths=/var/lib/mx-puppet-discord

[Install]
WantedBy=multi-user.target

Useful resources

Pages: