1 files changed, 247 insertions, 194 deletions
diff --git a/wh.sh b/wh.sh
index db1c12d..35de2b6 100755
--- a/wh.sh
+++ b/wh.sh
@@ -1,5 +1,11 @@
 #!/bin/sh
 set -eu
+ESCALATE=$(command -v sudo || command -v doas) || {
+    echo "[ERROR] Neither sudo nor doas found. Cannot run as root." >&2
+    exit 1
+}
+[ "$(id -u)" -eq 0 ] || exec $ESCALATE "$0" "$@"
 BASE_DIR="/opt/matrix"
@@ -10,15 +16,15 @@ DOCKER_COMPOSE=$(command -v docker-compose || command -v docker compose) || {
 usage() {
    cat <<'EOF'
-whiterabbit: auto-configure Matrix homeservers (Dendrite or Synapse)
+whiterabbit: auto-configure [matrix] Homeservers 
 with a global Coturn instance and Nginx + Let's Encrypt proxy.
-Main actions:
+Usage:
-  turn       Install or configure the global Coturn server
+  wh turn <domain> <ip> <device> <secret>
-  dendrite   Add a new Matrix server (Dendrite)
+  wh dendrite <matrix_domain> <email> <server_ip>
-  synapse    Add a new Matrix server (Synapse)
+  wh tuwunel <domain> <email> <server_ip>  
-  list       Show all configured Matrix servers
+  wh list
-  remove     Remove a Matrix server by domain
+  wh remove <domain1> [domain2 ...]
 EOF
    exit 1
 }
@@ -38,36 +44,35 @@ list_servers() {
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
-        status=$(docker ps --filter "name=^${name}$" --format "{{.Status}}")
+        container_info=$(docker ps --format "{{.Names}} {{.Status}} {{.Ports}}" | grep "^${name}") || container_info=""
-        ports=$(docker ps --filter "name=^${name}$" --format "{{.Ports}}" | sed 's/, /\n   /g')
-        [ -n "$status" ] && {
+        [ -n "$container_info" ] && {
            echo "- $name [RUNNING] on:"
-            echo "   $ports"
+            echo "$container_info" | while read line; do
+                cname=$(echo "$line" | awk '{print $1}')
+                cstatus=$(echo "$line" | awk '{print $2}')
+                cports=$(echo "$line" | awk '{$1=$2=""; print $0}' | sed 's/^ //')
+                echo "   $cname : $cstatus, ports: $cports"
+            done
        } || echo "- $name [STOPPED]"
    done
 }
 install_turn() {
-    echo "=== Installing global Coturn ==="
+    TURN_DOMAIN="$1"
-    printf "TURN domain (eg. turn.example.com): "
+    TURN_SERVER_IP="$2"
-    read -r TURN_DOMAIN
+    TURN_LISTENING_DEVICE="$3"
-    require_nonempty TURN_DOMAIN "$TURN_DOMAIN"
+    TURN_SECRET="$4"
-    printf "TURN IP (eg. 127.0.0.1): "
+    require_nonempty TURN_DOMAIN "$TURN_DOMAIN"
-    read -r TURN_SERVER_IP
    require_nonempty TURN_SERVER_IP "$TURN_SERVER_IP"
-    printf "Listening device (eg. eth0): "
-    read -r TURN_LISTENING_DEVICE
    require_nonempty TURN_LISTENING_DEVICE "$TURN_LISTENING_DEVICE"
-    printf "TURN shared secret: "
-    read -r TURN_SECRET
    require_nonempty TURN_SECRET "$TURN_SECRET"
+    echo "=== Installing global Coturn ($TURN_DOMAIN) ==="
    mkdir -p /etc/turn
-    cat <<EOF > /etc/turn/turnserver.conf
+    cat <<EOF > /etc/turnserver.conf
 listening-device=$TURN_LISTENING_DEVICE
 listening-port=3478
 tls-listening-port=5349
@@ -95,20 +100,20 @@ EOF
 }
 common_prompts() {
-    printf "Matrix domain (eg. matrix.example.com): "
+    MATRIX_DOMAIN="$1"
-    read -r MATRIX_DOMAIN
+    EMAIL="$2"
-    require_nonempty MATRIX_DOMAIN "$MATRIX_DOMAIN"
+    MATRIX_SERVER_IP="$3"
-    printf "Let's Encrypt certificate email: "
+    require_nonempty MATRIX_DOMAIN "$MATRIX_DOMAIN"
-    read -r EMAIL
    require_nonempty EMAIL "$EMAIL"
+    require_nonempty MATRIX_SERVER_IP "$MATRIX_SERVER_IP"
    DB_PASS=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
    REG_SECRET=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64)
-    printf "MATRIX server IP (eg. 127.0.0.1): "
-    read -r MATRIX_SERVER_IP
-    require_nonempty MATRIX_SERVER_IP "$MATRIX_SERVER_IP"
    TURN_DOMAIN=$(cat /etc/turn/domain)
    TURN_SECRET=$(cat /etc/turn/secret)
    HASH=$(printf "%s" "$MATRIX_DOMAIN" | cksum | cut -d ' ' -f1)
    PORT_BASE=$(( (HASH % 1000) + 8000 ))
    PORT_HTTP=$PORT_BASE
@@ -151,24 +156,67 @@ EOF
    ln -sf "/etc/nginx/sites-available/$DOMAIN" "/etc/nginx/sites-enabled/$DOMAIN"
    nginx -t || { echo "[ERROR] Invalid nginx config"; exit 1; }
-    
    case $(command -v systemctl >/dev/null && echo y || echo n) in
        y) systemctl reload nginx ;;
        n) nginx -s reload ;;
    esac
    case $(command -v certbot >/dev/null && echo y || echo n) in
-    y) certbot --nginx --non-interactive --agree-tos -m "$EMAIL" -d "$DOMAIN" || {
+        y) certbot --nginx --non-interactive --agree-tos -m "$EMAIL" -d "$DOMAIN" || {
-         echo "[WARN] Certbot failed for $DOMAIN"
+             echo "[WARN] Certbot failed for $DOMAIN"
-         } ;;
+        } ;;
-     n) echo "[WARN] Certbot not installed, skipping TLS setup" ;;
+        n) echo "[WARN] Certbot not installed, skipping TLS setup" ;;
    esac
 }
+install_tuwunel() {
+ echo "=== Installing Tuwunel ==="
+    common_prompts "$@"
+    INSTALL_DIR="$BASE_DIR/$MATRIX_DOMAIN"
+    mkdir -p "$INSTALL_DIR/config"
+    cd "$INSTALL_DIR" || exit 1
+    cat <<EOF > .env
+TUWUNEL_SERVER_NAME=$MATRIX_DOMAIN
+TUWUNEL_DATABASE_PATH=/var/lib/tuwunel
+TUWUNEL_PORT=6167
+TUWUNEL_MAX_REQUEST_SIZE=20000000
+TUWUNEL_ALLOW_REGISTRATION=false
+TUWUNEL_REGISTRATION_TOKEN=$REG_SECRET
+TUWUNEL_ALLOW_ENCRYPTION=true
+TUWUNEL_ALLOW_FEDERATION=true
+TUWUNEL_TRUSTED_SERVERS='["matrix.org", "matrix.philw.dev"]'
+TUWUNEL_ADDRESS=0.0.0.0
+TUWUNEL_TURN_SECRET="$TURN_SECRET"
+TUWUNEL_TURN_URIS=["turn:$TURN_DOMAIN?transport=udp", "turn:$TURN_DOMAIN?transport=tcp"]
+TUWUNEL_NEW_USER_DISPLAYNAME_SUFFIX=""
+EOF
+cat <<EOF > compose.yml
+services:
+  homeserver:
+    image: jevolk/tuwunel:latest
+    container_name: tuw.philw.dev-tuwunel
+    restart: unless-stopped
+    ports:
+      - "$PORT_HTTP:6167"
+    volumes:
+      - db:/var/lib/tuwunel
+    env_file:
+      - .env
+volumes:
+  db:
+EOF
+    $DOCKER_COMPOSE up -d
+    configure_nginx "$MATRIX_DOMAIN" "$PORT_HTTP"
+    echo "[OK] Tuwunel server ($MATRIX_DOMAIN) is running."
+}
 install_dendrite() {
-    echo "=== Installing Matrix Dendrite ==="
+    echo "=== Installing Dendrite ==="
-    common_prompts
+    common_prompts "$@"
    INSTALL_DIR="$BASE_DIR/$MATRIX_DOMAIN"
    mkdir -p "$INSTALL_DIR/config"
@@ -309,192 +357,197 @@ dns_cache:
 EOF
    echo "[INFO] Generating Dendrite keys..."
+    docker run --rm --entrypoint="" -v "$(pwd)":/mnt matrixdotorg/dendrite-monolith:latest \
-    docker run --rm --entrypoint=""   -v $(pwd):/mnt   matrixdotorg/dendrite-monolith:latest   /usr/bin/generate-keys   -private-key /mnt/matrix_key.pem   -tls-cert /mnt/server.crt   -tls-key /mnt/server.key
+      /usr/bin/generate-keys -private-key /mnt/matrix_key.pem -tls-cert /mnt/server.crt -tls-key /mnt/server.key
-        echo "[OK] Keys generated in $PWD"
+    echo "[OK] Keys generated in $PWD"
    $DOCKER_COMPOSE up -d
    configure_nginx "$MATRIX_DOMAIN" "$PORT_HTTP"
    echo "[OK] Dendrite server ($MATRIX_DOMAIN) is running."
 }
-install_synapse() {
+# @TODO STILL BROKEN
-    echo "=== Installing Matrix Synapse ==="
+# install_synapse() {
-    common_prompts
+#     echo "=== Installing Synapse ==="
+#     MATRIX_DOMAIN="$1"
-    INSTALL_DIR="$BASE_DIR/$MATRIX_DOMAIN"
+#     EMAIL="$2"
-    mkdir -p "$INSTALL_DIR"
+#     MATRIX_SERVER_IP="$3"
-    cd "$INSTALL_DIR" || exit 1
+#
-    mkdir -p data db
+#     require_nonempty MATRIX_DOMAIN "$MATRIX_DOMAIN"
-    chown -R 991:991 data/
+#     require_nonempty EMAIL "$EMAIL"
-    chown -R 999:999 db/
+#     require_nonempty MATRIX_SERVER_IP "$MATRIX_SERVER_IP"
-    DB_USER="synapse"
+#
-    DB_NAME="synapse"
+#     INSTALL_DIR="$BASE_DIR/$MATRIX_DOMAIN"
-    DB_PASS=$(openssl rand -hex 16)
+#     mkdir -p "$INSTALL_DIR"
-    REG_SECRET=$(openssl rand -hex 32)
+#     cd "$INSTALL_DIR" || exit 1
+#     mkdir -p data db
-    : "${PORT_HTTP:=8008}"
+#
-    : "${PORT_HTTPS:=8448}"
+#     DB_USER="synapse"
+#     DB_NAME="synapse"
-    cat <<EOF > .env
+#     DB_PASS=$(openssl rand -hex 16)
-# Matrix Synapse environment
+#     REG_SECRET=$(openssl rand -hex 32)
-MATRIX_DOMAIN=$MATRIX_DOMAIN
+#     if command -v docker-compose >/dev/null 2>&1; then
-PORT_HTTP=$PORT_HTTP
+#         DOCKER_COMPOSE_CMD="docker-compose"
-PORT_HTTPS=$PORT_HTTPS
+#     elif command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1; then
+#         DOCKER_COMPOSE_CMD="docker compose"
-DB_USER=$DB_USER
+#     else
-DB_NAME=$DB_NAME
+#         echo "[ERROR] Neither docker-compose nor docker compose available" >&2
-DB_PASS=$DB_PASS
+#         exit 1
+#     fi
-REG_SECRET=$REG_SECRET
+#
-TURN_DOMAIN=$TURN_DOMAIN
+#     PORT_HTTP=${PORT_HTTP:-8008}
-TURN_SECRET=$TURN_SECRET
+#     PORT_HTTPS=${PORT_HTTPS:-8448}
-EOF
+#     TURN_DOMAIN=$(cat /etc/turn/domain 2>/dev/null || true)
+#     TURN_SECRET=$(cat /etc/turn/secret 2>/dev/null || true)
+#     cat > .env <<EOF
-cat <<EOF > compose.yml
+# MATRIX_DOMAIN=${MATRIX_DOMAIN}
-services:
+# PORT_HTTP=${PORT_HTTP}
-  db:
+# PORT_HTTPS=${PORT_HTTPS}
-    image: postgres:15-alpine
+#
-    restart: always
+# DB_USER=${DB_USER}
-    environment:
+# DB_NAME=${DB_NAME}
-      POSTGRES_USER: ${DB_USER}
+# DB_PASS=${DB_PASS}
-      POSTGRES_PASSWORD: ${DB_PASS}
+#
-      POSTGRES_DB: ${DB_NAME}
+# REG_SECRET=${REG_SECRET}
-      LANG: C
+# TURN_DOMAIN=${TURN_DOMAIN}
-      LC_ALL: C
+# TURN_SECRET=${TURN_SECRET}
-    command: postgres -c lc_collate=C -c lc_ctype=C
+# EOF
-    volumes:
+#     cat > compose.yml <<EOF
-      - ./db:/var/lib/postgresql/data
+# services:
-    networks:
+#   db:
-      - synapse-net
+#     image: postgres:15-alpine
+#     container_name: ${MATRIX_DOMAIN}-db
-  synapse:
+#     restart: always
-    image: matrixdotorg/synapse:latest
+#     environment:
-    restart: always
+#       POSTGRES_USER: ${DB_USER}
-    depends_on:
+#       POSTGRES_PASSWORD: ${DB_PASS}
-      - db
+#       POSTGRES_DB: ${DB_NAME}
-    environment:
+#       LANG: C
-      SYNAPSE_SERVER_NAME: ${MATRIX_DOMAIN}
+#       LC_COLLATE: C
-      SYNAPSE_REPORT_STATS: "yes"
+#       LC_CTYPE: C
-    ports:
+#     volumes:
-      - "${PORT_HTTP}:8008"
+#       - ./db:/var/lib/postgresql/data
-      - "${PORT_HTTPS}:8448"
+#     healthcheck:
-    volumes:
+#       test: ["CMD-SHELL", "pg_isready -U ${DB_USER}"]
-      - ./data:/data
+#       interval: 5s
-    networks:
+#       timeout: 5s
-      - synapse-net
+#       retries: 5
+#
-networks:
+#   synapse:
-  synapse-net:
+#     image: matrixdotorg/synapse:latest
-    driver: bridge
+#     container_name: ${MATRIX_DOMAIN}-synapse
-EOF
+#     restart: always
+#     depends_on:
-$DOCKER_COMPOSE --env-file .env up -d
+#       db:
-docker run -it --rm -v ./data:/data -e SYNAPSE_SERVER_NAME=$MATRIX_DOMAIN -e SYNAPSE_REPORT_STATS=no matrixdotorg/synapse:latest generate
+#         condition: service_healthy
+#     environment:
-echo "[INFO] Generating homeserver.yaml for Postgres + TURN..."
+#       SYNAPSE_SERVER_NAME: ${MATRIX_DOMAIN}
-cat <<EOF > data/homeserver.yaml
+#       SYNAPSE_REPORT_STATS: "no"
-server_name: $MATRIX_DOMAIN
+#       POSTGRES_DB: ${DB_NAME}
-pid_file: /data/homeserver.pid
+#       POSTGRES_USER: ${DB_USER}
+#       POSTGRES_PASSWORD: ${DB_PASS}
-listeners:
+#       POSTGRES_HOST: db
-  - port: $PORT_HTTP
+#     volumes:
-    tls: false
+#       - ./data:/data
-    type: http
+#     ports:
-    x_forwarded: true
+#       - "${PORT_HTTP}:8008"
-    resources:
+#       - "${PORT_HTTPS}:8448"
-      - names: [client, federation]
+# EOF
-        compress: false
+# docker run --rm -v "$(pwd)/data:/data" \
+#   -e SYNAPSE_SERVER_NAME="${MATRIX_DOMAIN}" \
-database:
+#   -e SYNAPSE_REPORT_STATS="no" \
-  name: psycopg2
+#   matrixdotorg/synapse:latest generate
-  args:
+#     cat > data/homeserver.yaml <<EOF
-    user: $DB_USER
+# server_name: "${MATRIX_DOMAIN}"
-    password: $DB_PASS
+# pid_file: /data/homeserver.pid
-    host: db
+#
-    database: $DB_NAME
+# listeners:
-    cp_min: 5
+#   - port: ${PORT_HTTP}
-    cp_max: 10
+#     tls: false
+#     type: http
-enable_registration: false
+#     x_forwarded: true
-registration_shared_secret: "$REG_SECRET"
+#     resources:
+#       - names: [client, federation]
-turn_uris:
+#         compress: false
-  - turn:$TURN_DOMAIN?transport=udp
+#
-  - turn:$TURN_DOMAIN?transport=tcp
+# database:
-turn_shared_secret: "$TURN_SECRET"
+#   name: psycopg2
-turn_user_lifetime: "5m"
+#   args:
+#     user: "${DB_USER}"
-log_config: "/data/$MATRIX_DOMAIN.log.config"
+#     password: "${DB_PASS}"
-media_store_path: /data/media_store
+#     host: db
-report_stats: false
+#     database: "${DB_NAME}"
+#     cp_min: 5
-macaroon_secret_key: $REG_SECRET
+#     cp_max: 10
-form_secret: $REG_SECRET
+#
-signing_key_path: "/data/$MATRIX_DOMAIN.signing.key"
+# enable_registration: false
+# registration_shared_secret: "${REG_SECRET}"
-trusted_key_servers:
+#
-  - server_name: "matrix.org"
+# turn_uris:
-suppress_key_server_warning: true
+#   - turn:${TURN_DOMAIN}?transport=udp
-EOF
+#   - turn:${TURN_DOMAIN}?transport=tcp
+# turn_shared_secret: "${TURN_SECRET}"
-    echo "[INFO] Restarting Synapse with full config..."
+# turn_user_lifetime: "5m"
-    $DOCKER_COMPOSE --env-file .env restart synapse
+#
-    $DOCKER_COMPOSE --env-file .env restart synapse
+# log_config: "/data/${MATRIX_DOMAIN}.log.config"
+# media_store_path: /data/media_store
-    configure_nginx "$MATRIX_DOMAIN" "$PORT_HTTP"
+# report_stats: false
-    echo "[OK] Synapse server ($MATRIX_DOMAIN) is running with Postgres."
+#
-}
+# macaroon_secret_key: "${REG_SECRET}"
+# form_secret: "${REG_SECRET}"
+# signing_key_path: "/data/${MATRIX_DOMAIN}.signing.key"
+#
+# trusted_key_servers:
+#   - server_name: "matrix.org"
+# suppress_key_server_warning: true
+# EOF
+#
+#     if [ "$DOCKER_COMPOSE_CMD" = "docker compose" ]; then
+#         eval "$DOCKER_COMPOSE_CMD --env-file .env up -d"
+#     else
+#         $DOCKER_COMPOSE_CMD --env-file .env up -d
+#     fi
+#
+#     sleep 3
+#     if [ "$DOCKER_COMPOSE_CMD" = "docker compose" ]; then
+#         eval "$DOCKER_COMPOSE_CMD --env-file .env restart synapse"
+#     else
+#         $DOCKER_COMPOSE_CMD --env-file .env restart synapse
+#     fi
+#
+#     configure_nginx "$MATRIX_DOMAIN" "$PORT_HTTP"
+#     echo "[OK] Synapse server ($MATRIX_DOMAIN) is running with Postgres."
+# }
 remove_server() {
    [ "$#" -eq 0 ] && echo "Usage: remove_server <domain1> [domain2 ...]" && return 1
    for DOMAIN in "$@"; do
        SERVER_DIR="$BASE_DIR/$DOMAIN"
        case "$DOMAIN" in
            ""|"/"|".") 
                echo "[ERROR] Refusing to delete dangerous path ($DOMAIN)"
                continue
                ;;
        esac
        [ -d "$SERVER_DIR" ] && \
            echo "[INFO] Stopping and removing server: $DOMAIN" && \
            (cd "$SERVER_DIR" && $DOCKER_COMPOSE down -v) || \
            echo "[WARN] Failed to stop container for $DOMAIN"
        rm -rf "$SERVER_DIR"
        rm -f "/etc/nginx/sites-available/$DOMAIN" "/etc/nginx/sites-enabled/$DOMAIN"
    done
    nginx -t && (systemctl reload nginx 2>/dev/null || nginx -s reload)
    echo "[OK] Done removing servers: $*"
 }
 CMD="${1:-}"
 case "$CMD" in
-    -t) install_turn ;;
+    turn) shift; install_turn "$@" ;;
-    -d) install_dendrite ;;
+    dendrite) shift; install_dendrite "$@" ;;
-    -s) install_synapse ;;
+    # synapse) shift; install_synapse "$@" ;;
-    -l) list_servers ;;
+    tuwunel) shift; install_tuwunel "$@" ;;
-    -r) 
-        [ -z "$2" ] && { echo "Usage: $0 -r <domain1> [domain2 ...]"; exit 1; }
-        shift
-        remove_server "$@"
-        ;;
-    turn) install_turn ;;
-    dendrite) install_dendrite ;;
-    synapse) install_synapse ;;
    list) list_servers ;;
-    remove) 
+    remove) shift; remove_server "$@" ;;
-        [ -z "$2" ] && { echo "Usage: $0 remove <domain1> [domain2 ...]"; exit 1; }
-        shift
-        remove_server "$@"
-        ;;
    *) usage ;;
 esac

diff --git a/wh.sh b/wh.sh index db1c12d..35de2b6 100755 --- a/wh.sh +++ b/wh.sh
@@ -1,5 +1,11 @@
1	#!/bin/sh	1	#!/bin/sh
2	set -eu	2	set -eu
		3	ESCALATE=$(command -v sudo \|\| command -v doas) \|\| {
		4	echo "[ERROR] Neither sudo nor doas found. Cannot run as root." >&2
		5	exit 1
		6	}
		7
		8	[ "$(id -u)" -eq 0 ] \|\| exec $ESCALATE "$0" "$@"
3		9
4	BASE_DIR="/opt/matrix"	10	BASE_DIR="/opt/matrix"
5		11
@@ -10,15 +16,15 @@ DOCKER_COMPOSE=$(command -v docker-compose \|\| command -v docker compose) \|\| {
10		16
11	usage() {	17	usage() {
12	cat <<'EOF'	18	cat <<'EOF'
13	whiterabbit: auto-configure Matrix homeservers (Dendrite or Synapse)	19	whiterabbit: auto-configure [matrix] Homeservers
14	with a global Coturn instance and Nginx + Let's Encrypt proxy.	20	with a global Coturn instance and Nginx + Let's Encrypt proxy.
15		21
16	Main actions:	22	Usage:
17	turn Install or configure the global Coturn server	23	wh turn <domain> <ip> <device> <secret>
18	dendrite Add a new Matrix server (Dendrite)	24	wh dendrite <matrix_domain> <email> <server_ip>
19	synapse Add a new Matrix server (Synapse)	25	wh tuwunel <domain> <email> <server_ip>
20	list Show all configured Matrix servers	26	wh list
21	remove Remove a Matrix server by domain	27	wh remove <domain1> [domain2 ...]
22	EOF	28	EOF
23	exit 1	29	exit 1
24	}	30	}
@@ -38,36 +44,35 @@ list_servers() {
38	[ -d "$dir" ] \|\| continue	44	[ -d "$dir" ] \|\| continue
39	name=$(basename "$dir")	45	name=$(basename "$dir")
40		46
41	status=$(docker ps --filter "name=^${name}$" --format "{{.Status}}")	47	container_info=$(docker ps --format "{{.Names}} {{.Status}} {{.Ports}}" \| grep "^${name}") \|\| container_info=""
42	ports=$(docker ps --filter "name=^${name}$" --format "{{.Ports}}" \| sed 's/, /\n /g')
43		48
44	[ -n "$status" ] && {	49	[ -n "$container_info" ] && {
45	echo "- $name [RUNNING] on:"	50	echo "- $name [RUNNING] on:"
46	echo " $ports"	51	echo "$container_info" \| while read line; do
		52	cname=$(echo "$line" \| awk '{print $1}')
		53	cstatus=$(echo "$line" \| awk '{print $2}')
		54	cports=$(echo "$line" \| awk '{$1=$2=""; print $0}' \| sed 's/^ //')
		55	echo " $cname : $cstatus, ports: $cports"
		56	done
47	} \|\| echo "- $name [STOPPED]"	57	} \|\| echo "- $name [STOPPED]"
48	done	58	done
49	}	59	}
50		60
51	install_turn() {	61	install_turn() {
52	echo "=== Installing global Coturn ==="	62	TURN_DOMAIN="$1"
53	printf "TURN domain (eg. turn.example.com): "	63	TURN_SERVER_IP="$2"
54	read -r TURN_DOMAIN	64	TURN_LISTENING_DEVICE="$3"
55	require_nonempty TURN_DOMAIN "$TURN_DOMAIN"	65	TURN_SECRET="$4"
56		66
57	printf "TURN IP (eg. 127.0.0.1): "	67	require_nonempty TURN_DOMAIN "$TURN_DOMAIN"
58	read -r TURN_SERVER_IP
59	require_nonempty TURN_SERVER_IP "$TURN_SERVER_IP"	68	require_nonempty TURN_SERVER_IP "$TURN_SERVER_IP"
60
61	printf "Listening device (eg. eth0): "
62	read -r TURN_LISTENING_DEVICE
63	require_nonempty TURN_LISTENING_DEVICE "$TURN_LISTENING_DEVICE"	69	require_nonempty TURN_LISTENING_DEVICE "$TURN_LISTENING_DEVICE"
64
65	printf "TURN shared secret: "
66	read -r TURN_SECRET
67	require_nonempty TURN_SECRET "$TURN_SECRET"	70	require_nonempty TURN_SECRET "$TURN_SECRET"
68		71
		72	echo "=== Installing global Coturn ($TURN_DOMAIN) ==="
		73
69	mkdir -p /etc/turn	74	mkdir -p /etc/turn
70	cat <<EOF > /etc/turn/turnserver.conf	75	cat <<EOF > /etc/turnserver.conf
71	listening-device=$TURN_LISTENING_DEVICE	76	listening-device=$TURN_LISTENING_DEVICE
72	listening-port=3478	77	listening-port=3478
73	tls-listening-port=5349	78	tls-listening-port=5349
@@ -95,20 +100,20 @@ EOF
95	}	100	}
96		101
97	common_prompts() {	102	common_prompts() {
98	printf "Matrix domain (eg. matrix.example.com): "	103	MATRIX_DOMAIN="$1"
99	read -r MATRIX_DOMAIN	104	EMAIL="$2"
100	require_nonempty MATRIX_DOMAIN "$MATRIX_DOMAIN"	105	MATRIX_SERVER_IP="$3"
101		106
102	printf "Let's Encrypt certificate email: "	107	require_nonempty MATRIX_DOMAIN "$MATRIX_DOMAIN"
103	read -r EMAIL
104	require_nonempty EMAIL "$EMAIL"	108	require_nonempty EMAIL "$EMAIL"
		109	require_nonempty MATRIX_SERVER_IP "$MATRIX_SERVER_IP"
		110
105	DB_PASS=$(tr -dc 'A-Za-z0-9' </dev/urandom \| head -c 32)	111	DB_PASS=$(tr -dc 'A-Za-z0-9' </dev/urandom \| head -c 32)
106	REG_SECRET=$(tr -dc 'A-Za-z0-9' </dev/urandom \| head -c 64)	112	REG_SECRET=$(tr -dc 'A-Za-z0-9' </dev/urandom \| head -c 64)
107	printf "MATRIX server IP (eg. 127.0.0.1): "	113
108	read -r MATRIX_SERVER_IP
109	require_nonempty MATRIX_SERVER_IP "$MATRIX_SERVER_IP"
110	TURN_DOMAIN=$(cat /etc/turn/domain)	114	TURN_DOMAIN=$(cat /etc/turn/domain)
111	TURN_SECRET=$(cat /etc/turn/secret)	115	TURN_SECRET=$(cat /etc/turn/secret)
		116
112	HASH=$(printf "%s" "$MATRIX_DOMAIN" \| cksum \| cut -d ' ' -f1)	117	HASH=$(printf "%s" "$MATRIX_DOMAIN" \| cksum \| cut -d ' ' -f1)
113	PORT_BASE=$(( (HASH % 1000) + 8000 ))	118	PORT_BASE=$(( (HASH % 1000) + 8000 ))
114	PORT_HTTP=$PORT_BASE	119	PORT_HTTP=$PORT_BASE
@@ -151,24 +156,67 @@ EOF
151	ln -sf "/etc/nginx/sites-available/$DOMAIN" "/etc/nginx/sites-enabled/$DOMAIN"	156	ln -sf "/etc/nginx/sites-available/$DOMAIN" "/etc/nginx/sites-enabled/$DOMAIN"
152	nginx -t \|\| { echo "[ERROR] Invalid nginx config"; exit 1; }	157	nginx -t \|\| { echo "[ERROR] Invalid nginx config"; exit 1; }
153		158
154
155	case $(command -v systemctl >/dev/null && echo y \|\| echo n) in	159	case $(command -v systemctl >/dev/null && echo y \|\| echo n) in
156	y) systemctl reload nginx ;;	160	y) systemctl reload nginx ;;
157	n) nginx -s reload ;;	161	n) nginx -s reload ;;
158	esac	162	esac
159		163
160	case $(command -v certbot >/dev/null && echo y \|\| echo n) in	164	case $(command -v certbot >/dev/null && echo y \|\| echo n) in
161	y) certbot --nginx --non-interactive --agree-tos -m "$EMAIL" -d "$DOMAIN" \|\| {	165	y) certbot --nginx --non-interactive --agree-tos -m "$EMAIL" -d "$DOMAIN" \|\| {
162	echo "[WARN] Certbot failed for $DOMAIN"	166	echo "[WARN] Certbot failed for $DOMAIN"
163	} ;;	167	} ;;
164	n) echo "[WARN] Certbot not installed, skipping TLS setup" ;;	168	n) echo "[WARN] Certbot not installed, skipping TLS setup" ;;
165	esac	169	esac
166	}	170	}
167		171
		172	install_tuwunel() {
		173	echo "=== Installing Tuwunel ==="
		174	common_prompts "$@"
		175
		176	INSTALL_DIR="$BASE_DIR/$MATRIX_DOMAIN"
		177	mkdir -p "$INSTALL_DIR/config"
		178	cd "$INSTALL_DIR" \|\| exit 1
168		179
		180	cat <<EOF > .env
		181	TUWUNEL_SERVER_NAME=$MATRIX_DOMAIN
		182	TUWUNEL_DATABASE_PATH=/var/lib/tuwunel
		183	TUWUNEL_PORT=6167
		184	TUWUNEL_MAX_REQUEST_SIZE=20000000
		185	TUWUNEL_ALLOW_REGISTRATION=false
		186	TUWUNEL_REGISTRATION_TOKEN=$REG_SECRET
		187	TUWUNEL_ALLOW_ENCRYPTION=true
		188	TUWUNEL_ALLOW_FEDERATION=true
		189	TUWUNEL_TRUSTED_SERVERS='["matrix.org", "matrix.philw.dev"]'
		190
		191	TUWUNEL_ADDRESS=0.0.0.0
		192	TUWUNEL_TURN_SECRET="$TURN_SECRET"
		193	TUWUNEL_TURN_URIS=["turn:$TURN_DOMAIN?transport=udp", "turn:$TURN_DOMAIN?transport=tcp"]
		194	TUWUNEL_NEW_USER_DISPLAYNAME_SUFFIX=""
		195	EOF
		196
		197	cat <<EOF > compose.yml
		198	services:
		199	homeserver:
		200	image: jevolk/tuwunel:latest
		201	container_name: tuw.philw.dev-tuwunel
		202	restart: unless-stopped
		203	ports:
		204	- "$PORT_HTTP:6167"
		205	volumes:
		206	- db:/var/lib/tuwunel
		207	env_file:
		208	- .env
		209	volumes:
		210	db:
		211	EOF
		212
		213	$DOCKER_COMPOSE up -d
		214	configure_nginx "$MATRIX_DOMAIN" "$PORT_HTTP"
		215	echo "[OK] Tuwunel server ($MATRIX_DOMAIN) is running."
		216	}
169	install_dendrite() {	217	install_dendrite() {
170	echo "=== Installing Matrix Dendrite ==="	218	echo "=== Installing Dendrite ==="
171	common_prompts	219	common_prompts "$@"
172		220
173	INSTALL_DIR="$BASE_DIR/$MATRIX_DOMAIN"	221	INSTALL_DIR="$BASE_DIR/$MATRIX_DOMAIN"
174	mkdir -p "$INSTALL_DIR/config"	222	mkdir -p "$INSTALL_DIR/config"
@@ -309,192 +357,197 @@ dns_cache:
309	EOF	357	EOF
310		358
311	echo "[INFO] Generating Dendrite keys..."	359	echo "[INFO] Generating Dendrite keys..."
312		360	docker run --rm --entrypoint="" -v "$(pwd)":/mnt matrixdotorg/dendrite-monolith:latest \
313	docker run --rm --entrypoint="" -v $(pwd):/mnt matrixdotorg/dendrite-monolith:latest /usr/bin/generate-keys -private-key /mnt/matrix_key.pem -tls-cert /mnt/server.crt -tls-key /mnt/server.key	361	/usr/bin/generate-keys -private-key /mnt/matrix_key.pem -tls-cert /mnt/server.crt -tls-key /mnt/server.key
314	echo "[OK] Keys generated in $PWD"	362	echo "[OK] Keys generated in $PWD"
315		363
316	$DOCKER_COMPOSE up -d	364	$DOCKER_COMPOSE up -d
317	configure_nginx "$MATRIX_DOMAIN" "$PORT_HTTP"	365	configure_nginx "$MATRIX_DOMAIN" "$PORT_HTTP"
318	echo "[OK] Dendrite server ($MATRIX_DOMAIN) is running."	366	echo "[OK] Dendrite server ($MATRIX_DOMAIN) is running."
319	}	367	}
320		368
321	install_synapse() {	369	# @TODO STILL BROKEN
322	echo "=== Installing Matrix Synapse ==="	370	# install_synapse() {
323	common_prompts	371	# echo "=== Installing Synapse ==="
324		372	# MATRIX_DOMAIN="$1"
325	INSTALL_DIR="$BASE_DIR/$MATRIX_DOMAIN"	373	# EMAIL="$2"
326	mkdir -p "$INSTALL_DIR"	374	# MATRIX_SERVER_IP="$3"
327	cd "$INSTALL_DIR" \|\| exit 1	375	#
328	mkdir -p data db	376	# require_nonempty MATRIX_DOMAIN "$MATRIX_DOMAIN"
329	chown -R 991:991 data/	377	# require_nonempty EMAIL "$EMAIL"
330	chown -R 999:999 db/	378	# require_nonempty MATRIX_SERVER_IP "$MATRIX_SERVER_IP"
331	DB_USER="synapse"	379	#
332	DB_NAME="synapse"	380	# INSTALL_DIR="$BASE_DIR/$MATRIX_DOMAIN"
333	DB_PASS=$(openssl rand -hex 16)	381	# mkdir -p "$INSTALL_DIR"
334	REG_SECRET=$(openssl rand -hex 32)	382	# cd "$INSTALL_DIR" \|\| exit 1
335		383	# mkdir -p data db
336	: "${PORT_HTTP:=8008}"	384	#
337	: "${PORT_HTTPS:=8448}"	385	# DB_USER="synapse"
338		386	# DB_NAME="synapse"
339	cat <<EOF > .env	387	# DB_PASS=$(openssl rand -hex 16)
340	# Matrix Synapse environment	388	# REG_SECRET=$(openssl rand -hex 32)
341	MATRIX_DOMAIN=$MATRIX_DOMAIN	389	# if command -v docker-compose >/dev/null 2>&1; then
342	PORT_HTTP=$PORT_HTTP	390	# DOCKER_COMPOSE_CMD="docker-compose"
343	PORT_HTTPS=$PORT_HTTPS	391	# elif command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1; then
344		392	# DOCKER_COMPOSE_CMD="docker compose"
345	DB_USER=$DB_USER	393	# else
346	DB_NAME=$DB_NAME	394	# echo "[ERROR] Neither docker-compose nor docker compose available" >&2
347	DB_PASS=$DB_PASS	395	# exit 1
348		396	# fi
349	REG_SECRET=$REG_SECRET	397	#
350	TURN_DOMAIN=$TURN_DOMAIN	398	# PORT_HTTP=${PORT_HTTP:-8008}
351	TURN_SECRET=$TURN_SECRET	399	# PORT_HTTPS=${PORT_HTTPS:-8448}
352	EOF	400	# TURN_DOMAIN=$(cat /etc/turn/domain 2>/dev/null \|\| true)
353		401	# TURN_SECRET=$(cat /etc/turn/secret 2>/dev/null \|\| true)
354		402	# cat > .env <<EOF
355	cat <<EOF > compose.yml	403	# MATRIX_DOMAIN=${MATRIX_DOMAIN}
356	services:	404	# PORT_HTTP=${PORT_HTTP}
357	db:	405	# PORT_HTTPS=${PORT_HTTPS}
358	image: postgres:15-alpine	406	#
359	restart: always	407	# DB_USER=${DB_USER}
360	environment:	408	# DB_NAME=${DB_NAME}
361	POSTGRES_USER: ${DB_USER}	409	# DB_PASS=${DB_PASS}
362	POSTGRES_PASSWORD: ${DB_PASS}	410	#
363	POSTGRES_DB: ${DB_NAME}	411	# REG_SECRET=${REG_SECRET}
364	LANG: C	412	# TURN_DOMAIN=${TURN_DOMAIN}
365	LC_ALL: C	413	# TURN_SECRET=${TURN_SECRET}
366	command: postgres -c lc_collate=C -c lc_ctype=C	414	# EOF
367	volumes:	415	# cat > compose.yml <<EOF
368	- ./db:/var/lib/postgresql/data	416	# services:
369	networks:	417	# db:
370	- synapse-net	418	# image: postgres:15-alpine
371		419	# container_name: ${MATRIX_DOMAIN}-db
372	synapse:	420	# restart: always
373	image: matrixdotorg/synapse:latest	421	# environment:
374	restart: always	422	# POSTGRES_USER: ${DB_USER}
375	depends_on:	423	# POSTGRES_PASSWORD: ${DB_PASS}
376	- db	424	# POSTGRES_DB: ${DB_NAME}
377	environment:	425	# LANG: C
378	SYNAPSE_SERVER_NAME: ${MATRIX_DOMAIN}	426	# LC_COLLATE: C
379	SYNAPSE_REPORT_STATS: "yes"	427	# LC_CTYPE: C
380	ports:	428	# volumes:
381	- "${PORT_HTTP}:8008"	429	# - ./db:/var/lib/postgresql/data
382	- "${PORT_HTTPS}:8448"	430	# healthcheck:
383	volumes:	431	# test: ["CMD-SHELL", "pg_isready -U ${DB_USER}"]
384	- ./data:/data	432	# interval: 5s
385	networks:	433	# timeout: 5s
386	- synapse-net	434	# retries: 5
387		435	#
388	networks:	436	# synapse:
389	synapse-net:	437	# image: matrixdotorg/synapse:latest
390	driver: bridge	438	# container_name: ${MATRIX_DOMAIN}-synapse
391	EOF	439	# restart: always
392		440	# depends_on:
393	$DOCKER_COMPOSE --env-file .env up -d	441	# db:
394	docker run -it --rm -v ./data:/data -e SYNAPSE_SERVER_NAME=$MATRIX_DOMAIN -e SYNAPSE_REPORT_STATS=no matrixdotorg/synapse:latest generate	442	# condition: service_healthy
395		443	# environment:
396	echo "[INFO] Generating homeserver.yaml for Postgres + TURN..."	444	# SYNAPSE_SERVER_NAME: ${MATRIX_DOMAIN}
397	cat <<EOF > data/homeserver.yaml	445	# SYNAPSE_REPORT_STATS: "no"
398	server_name: $MATRIX_DOMAIN	446	# POSTGRES_DB: ${DB_NAME}
399	pid_file: /data/homeserver.pid	447	# POSTGRES_USER: ${DB_USER}
400		448	# POSTGRES_PASSWORD: ${DB_PASS}
401	listeners:	449	# POSTGRES_HOST: db
402	- port: $PORT_HTTP	450	# volumes:
403	tls: false	451	# - ./data:/data
404	type: http	452	# ports:
405	x_forwarded: true	453	# - "${PORT_HTTP}:8008"
406	resources:	454	# - "${PORT_HTTPS}:8448"
407	- names: [client, federation]	455	# EOF
408	compress: false	456	# docker run --rm -v "$(pwd)/data:/data" \
409		457	# -e SYNAPSE_SERVER_NAME="${MATRIX_DOMAIN}" \
410	database:	458	# -e SYNAPSE_REPORT_STATS="no" \
411	name: psycopg2	459	# matrixdotorg/synapse:latest generate
412	args:	460	# cat > data/homeserver.yaml <<EOF
413	user: $DB_USER	461	# server_name: "${MATRIX_DOMAIN}"
414	password: $DB_PASS	462	# pid_file: /data/homeserver.pid
415	host: db	463	#
416	database: $DB_NAME	464	# listeners:
417	cp_min: 5	465	# - port: ${PORT_HTTP}
418	cp_max: 10	466	# tls: false
419		467	# type: http
420	enable_registration: false	468	# x_forwarded: true
421	registration_shared_secret: "$REG_SECRET"	469	# resources:
422		470	# - names: [client, federation]
423	turn_uris:	471	# compress: false
424	- turn:$TURN_DOMAIN?transport=udp	472	#
425	- turn:$TURN_DOMAIN?transport=tcp	473	# database:
426	turn_shared_secret: "$TURN_SECRET"	474	# name: psycopg2
427	turn_user_lifetime: "5m"	475	# args:
428		476	# user: "${DB_USER}"
429	log_config: "/data/$MATRIX_DOMAIN.log.config"	477	# password: "${DB_PASS}"
430	media_store_path: /data/media_store	478	# host: db
431	report_stats: false	479	# database: "${DB_NAME}"
432		480	# cp_min: 5
433	macaroon_secret_key: $REG_SECRET	481	# cp_max: 10
434	form_secret: $REG_SECRET	482	#
435	signing_key_path: "/data/$MATRIX_DOMAIN.signing.key"	483	# enable_registration: false
436		484	# registration_shared_secret: "${REG_SECRET}"
437	trusted_key_servers:	485	#
438	- server_name: "matrix.org"	486	# turn_uris:
439	suppress_key_server_warning: true	487	# - turn:${TURN_DOMAIN}?transport=udp
440	EOF	488	# - turn:${TURN_DOMAIN}?transport=tcp
441		489	# turn_shared_secret: "${TURN_SECRET}"
442	echo "[INFO] Restarting Synapse with full config..."	490	# turn_user_lifetime: "5m"
443	$DOCKER_COMPOSE --env-file .env restart synapse	491	#
444	$DOCKER_COMPOSE --env-file .env restart synapse	492	# log_config: "/data/${MATRIX_DOMAIN}.log.config"
445		493	# media_store_path: /data/media_store
446	configure_nginx "$MATRIX_DOMAIN" "$PORT_HTTP"	494	# report_stats: false
447	echo "[OK] Synapse server ($MATRIX_DOMAIN) is running with Postgres."	495	#
448	}	496	# macaroon_secret_key: "${REG_SECRET}"
449		497	# form_secret: "${REG_SECRET}"
		498	# signing_key_path: "/data/${MATRIX_DOMAIN}.signing.key"
		499	#
		500	# trusted_key_servers:
		501	# - server_name: "matrix.org"
		502	# suppress_key_server_warning: true
		503	# EOF
		504	#
		505	# if [ "$DOCKER_COMPOSE_CMD" = "docker compose" ]; then
		506	# eval "$DOCKER_COMPOSE_CMD --env-file .env up -d"
		507	# else
		508	# $DOCKER_COMPOSE_CMD --env-file .env up -d
		509	# fi
		510	#
		511	# sleep 3
		512	# if [ "$DOCKER_COMPOSE_CMD" = "docker compose" ]; then
		513	# eval "$DOCKER_COMPOSE_CMD --env-file .env restart synapse"
		514	# else
		515	# $DOCKER_COMPOSE_CMD --env-file .env restart synapse
		516	# fi
		517	#
		518	# configure_nginx "$MATRIX_DOMAIN" "$PORT_HTTP"
		519	# echo "[OK] Synapse server ($MATRIX_DOMAIN) is running with Postgres."
		520	# }
450		521
451	remove_server() {	522	remove_server() {
452	[ "$#" -eq 0 ] && echo "Usage: remove_server <domain1> [domain2 ...]" && return 1	523	[ "$#" -eq 0 ] && echo "Usage: remove_server <domain1> [domain2 ...]" && return 1
453
454	for DOMAIN in "$@"; do	524	for DOMAIN in "$@"; do
455	SERVER_DIR="$BASE_DIR/$DOMAIN"	525	SERVER_DIR="$BASE_DIR/$DOMAIN"
456
457	case "$DOMAIN" in	526	case "$DOMAIN" in
458	""\|"/"\|".")	527	""\|"/"\|".")
459	echo "[ERROR] Refusing to delete dangerous path ($DOMAIN)"	528	echo "[ERROR] Refusing to delete dangerous path ($DOMAIN)"
460	continue	529	continue
461	;;	530	;;
462	esac	531	esac
463
464	[ -d "$SERVER_DIR" ] && \	532	[ -d "$SERVER_DIR" ] && \
465	echo "[INFO] Stopping and removing server: $DOMAIN" && \	533	echo "[INFO] Stopping and removing server: $DOMAIN" && \
466	(cd "$SERVER_DIR" && $DOCKER_COMPOSE down -v) \|\| \	534	(cd "$SERVER_DIR" && $DOCKER_COMPOSE down -v) \|\| \
467	echo "[WARN] Failed to stop container for $DOMAIN"	535	echo "[WARN] Failed to stop container for $DOMAIN"
468
469	rm -rf "$SERVER_DIR"	536	rm -rf "$SERVER_DIR"
470	rm -f "/etc/nginx/sites-available/$DOMAIN" "/etc/nginx/sites-enabled/$DOMAIN"	537	rm -f "/etc/nginx/sites-available/$DOMAIN" "/etc/nginx/sites-enabled/$DOMAIN"
471	done	538	done
472
473	nginx -t && (systemctl reload nginx 2>/dev/null \|\| nginx -s reload)	539	nginx -t && (systemctl reload nginx 2>/dev/null \|\| nginx -s reload)
474	echo "[OK] Done removing servers: $*"	540	echo "[OK] Done removing servers: $*"
475	}	541	}
476		542
477	CMD="${1:-}"	543	CMD="${1:-}"
478
479	case "$CMD" in	544	case "$CMD" in
480	-t) install_turn ;;	545	turn) shift; install_turn "$@" ;;
481	-d) install_dendrite ;;	546	dendrite) shift; install_dendrite "$@" ;;
482	-s) install_synapse ;;	547	# synapse) shift; install_synapse "$@" ;;
483	-l) list_servers ;;	548	tuwunel) shift; install_tuwunel "$@" ;;
484	-r)
485	[ -z "$2" ] && { echo "Usage: $0 -r <domain1> [domain2 ...]"; exit 1; }
486	shift
487	remove_server "$@"
488	;;
489	turn) install_turn ;;
490	dendrite) install_dendrite ;;
491	synapse) install_synapse ;;
492	list) list_servers ;;	549	list) list_servers ;;
493	remove)	550	remove) shift; remove_server "$@" ;;
494	[ -z "$2" ] && { echo "Usage: $0 remove <domain1> [domain2 ...]"; exit 1; }
495	shift
496	remove_server "$@"
497	;;
498	*) usage ;;	551	*) usage ;;
499	esac	552	esac
500		553