From 9b2f8730bb7123a29c09e87cc60b681b1b8ec3c1 Mon Sep 17 00:00:00 2001 From: Marcel Date: Tue, 6 Apr 2021 12:26:47 +0000 Subject: [PATCH 1/4] fix: Do not run conduit as root instead use a separate user --- DEPLOY.md | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/DEPLOY.md b/DEPLOY.md index b547b644..0faa2776 100644 --- a/DEPLOY.md +++ b/DEPLOY.md @@ -18,6 +18,14 @@ $ sudo wget -O /usr/local/bin/matrix-conduit $ sudo chmod +x /usr/local/bin/matrix-conduit ``` +## Adding a conduit user + +While conduit can run as any user it is usually better to use dedicated users for different services. +This also allows you to make sure that the file permissions are correctly set up. + +In debian you can use this command to create a conduit user: + +`sudo adduser --system conduit --no-create-home` ## Setting up a systemd service @@ -33,8 +41,8 @@ After=network.target [Service] Environment="CONDUIT_CONFIG=/etc/matrix-conduit/conduit.toml" -User=root -Group=root +User=conduit +Group=nogroup Restart=always ExecStart=/usr/local/bin/matrix-conduit @@ -91,6 +99,16 @@ allow_federation = true address = "127.0.0.1" # This makes sure Conduit can only be reached using the reverse proxy ``` +## Setting the correct file permissions + +As we are using a conduit specific user we need to allow it to read the config. +To do that you can run this command on debian: + +`sudo chown -R conduit:nogroup /etc/matrix-conduit` + +If you use the default database path you also need to run this. (It might be that you first need to create that folder): + +`sudo chown -R conduit:nogroup /var/lib/matrix-conduit/conduit_db` ## Setting up the Reverse Proxy From c267c0f09e8733e29efbc6bd0611a85826aae720 Mon Sep 17 00:00:00 2001 From: Marcel Date: Tue, 6 Apr 2021 13:17:39 +0000 Subject: [PATCH 2/4] fix: use full codeblocks and capitalize Conduit and Debian --- DEPLOY.md | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) 
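Review bot: The new service account ends up in the shared `nogroup` group, so everything chowned to `conduit:nogroup` is group-accessible to any other process on the host that also runs with `nogroup`. This starts in the first hunk of PATCH 1/4, where `sudo adduser --system conduit --no-create-home` creates no group of its own, and carries into the unit file hunk (`Group=nogroup`) and both `chown -R conduit:nogroup` commands in the file permissions hunk. On Debian, `sudo adduser --system --group --no-create-home conduit` creates a matching `conduit` group, after which the unit can use `Group=conduit` and the chown commands can use `conduit:conduit`.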
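Review bot: In the "Setting the correct file permissions" hunk of PATCH 1/4, `sudo chown -R conduit:nogroup /etc/matrix-conduit` makes the service the owner of its own configuration, although the surrounding text only asks for read access. A compromised Conduit process could then rewrite `conduit.toml`. Keeping the directory owned by root and giving the service group read access is enough, for example `sudo chown -R root:conduit /etc/matrix-conduit` followed by `sudo chmod 750 /etc/matrix-conduit` and mode `640` on the config file (this assumes a dedicated `conduit` group exists). Only the database directory needs to be writable by the service user.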
diff --git a/DEPLOY.md b/DEPLOY.md index 0faa2776..f801e295 100644 --- a/DEPLOY.md +++ b/DEPLOY.md @@ -18,14 +18,16 @@ $ sudo wget -O /usr/local/bin/matrix-conduit $ sudo chmod +x /usr/local/bin/matrix-conduit ``` -## Adding a conduit user +## Adding a Conduit user While conduit can run as any user it is usually better to use dedicated users for different services. This also allows you to make sure that the file permissions are correctly set up. -In debian you can use this command to create a conduit user: +In Debian you can use this command to create a Conduit user: -`sudo adduser --system conduit --no-create-home` +``` +sudo adduser --system conduit --no-create-home +``` ## Setting up a systemd service @@ -101,14 +103,20 @@ address = "127.0.0.1" # This makes sure Conduit can only be reached using the re ## Setting the correct file permissions -As we are using a conduit specific user we need to allow it to read the config. -To do that you can run this command on debian: +As we are using a Conduit specific user we need to allow it to read the config. +To do that you can run this command on Debian: -`sudo chown -R conduit:nogroup /etc/matrix-conduit` +``` +sudo chown -R conduit:nogroup /etc/matrix-conduit +``` -If you use the default database path you also need to run this. (It might be that you first need to create that folder): +If you use the default database path you also need to run this: + +``` +sudo mkdir -p /var/lib/matrix-conduit/conduit_db +sudo chown -R conduit:nogroup /var/lib/matrix-conduit/conduit_db +``` -`sudo chown -R conduit:nogroup /var/lib/matrix-conduit/conduit_db` ## Setting up the Reverse Proxy From dd6985059899c22ca10a76684f5fe2696d36033f Mon Sep 17 00:00:00 2001 From: Marcel Date: Sun, 11 Apr 2021 10:50:38 +0000 Subject: [PATCH 3/4] docs: Fix missing _matrix in apache config --- DEPLOY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/DEPLOY.md b/DEPLOY.md index f801e295..53ca2ea5 100644 --- a/DEPLOY.md +++ b/DEPLOY.md 
@@ -133,8 +133,8 @@ Listen 8448 ServerName your.server.name # EDIT THIS AllowEncodedSlashes NoDecode -ProxyPass /_matrix/ http://localhost:6167/ -ProxyPassReverse /_matrix/ http://localhost:6167/ +ProxyPass /_matrix/ http://localhost:6167/_matrix/ +ProxyPassReverse /_matrix/ http://localhost:6167/_matrix/ Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /etc/letsencrypt/live/your.server.name/fullchain.pem # EDIT THIS From ac99e05714767bfcca27dbbbc3725b2e7548f61c Mon Sep 17 00:00:00 2001 From: Marcel Date: Sun, 11 Apr 2021 10:51:43 +0000 Subject: [PATCH 4/4] docs: capitalize a "conduit" that was missed --- DEPLOY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DEPLOY.md b/DEPLOY.md index 53ca2ea5..4601ab57 100644 --- a/DEPLOY.md +++ b/DEPLOY.md @@ -20,7 +20,7 @@ $ sudo chmod +x /usr/local/bin/matrix-conduit ## Adding a Conduit user -While conduit can run as any user it is usually better to use dedicated users for different services. +While Conduit can run as any user it is usually better to use dedicated users for different services. This also allows you to make sure that the file permissions are correctly set up. In Debian you can use this command to create a Conduit user:
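Review bot: In the Apache vhost hunk of PATCH 3/4, the corrected `ProxyPass /_matrix/ http://localhost:6167/_matrix/` line still lets mod_proxy canonicalise the path, even though the vhost sets `AllowEncodedSlashes NoDecode`. Matrix identifiers in request paths can contain percent-encoded characters, so the backend may receive a different path from the one the client signed or requested. Adding the `nocanon` keyword, `ProxyPass /_matrix/ http://localhost:6167/_matrix/ nocanon`, passes the raw path through. It would be worth a short comment beside it, because Apache documents that `nocanon` leaves URL normalisation to the backend. The vhost block itself starts above the lines shown in this hunk.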