diff --git a/README.md b/README.md index e861781..f59e30d 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,14 @@ CryptPad is a collaboration suite that is end-to-end-encrypted and open-source. ## Configuration -Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator: +Once CryptPad is installed. + +We have created for you the mandatory sandbox domain. +You still need to install the certificate for it. +So first, hit the diagnosis page so we make sure your DNS configuration is correct. +Then, go into your domain SSL configuration to generate your Let's Encrypt certificate. + +Create an account via the Register button on the home page. To make this account an instance administrator: 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key 2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder): diff --git a/check_process b/check_process index 86b0fb0..657867b 100644 --- a/check_process +++ b/check_process @@ -13,6 +13,8 @@ upgrade=1 #4.10.0 upgrade=1 from_commit=2a54cd03f90c93b07150a64644ffc7f208110a18 + #4.12.0 + upgrade=1 from_commit=1e36039893dc35533b320257ca7f93ef1d07a164 backup_restore=1 multi_instance=0 port_already_use=0 @@ -23,3 +25,6 @@ Notification=none ;;; Upgrade options ; commit=2a54cd03f90c93b07150a64644ffc7f208110a18 name=update to 4.10.0 +;;; Upgrade options + ; commit=1e36039893dc35533b320257ca7f93ef1d07a164 + name=update to 4.12.0 diff --git a/conf/app.src b/conf/app.src index b4fdbbf..aed8119 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,6 +1,6 @@ -SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/4.11.0.tar.gz -SOURCE_SUM=e529b484c297f73227f991971189c51f64da1ab53fc78334d1fb08e320d4385e +SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/5.1.0.tar.gz +SOURCE_SUM=e8971f8a6439958e8328a8433a696e5ae3915740c5f93cfce9a13776edd83084 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true -SOURCE_FILENAME=cryptpad.tar.gz \ No newline at end of file +SOURCE_FILENAME=cryptpad.tar.gz diff --git a/conf/config.js b/conf/config.js index e3dd5ad..41b1075 100644 --- a/conf/config.js +++ b/conf/config.js @@ -72,7 +72,7 @@ module.exports = { * * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. */ - // httpSafeOrigin: "https://some-other-domain.xyz", + httpSafeOrigin: "https://sandbox-__DOMAIN__", /* httpAddress specifies the address on which the nodejs server * should be accessible. By default it will listen on 127.0.0.1 @@ -325,4 +325,4 @@ module.exports = { * */ installMethod: 'unspecified', -}; \ No newline at end of file +}; diff --git a/conf/nginx.conf b/conf/nginx.conf index c46b37c..9aeb854 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,19 +1,94 @@ -#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; -location __PATH__/ { - - proxy_pass http://127.0.0.1:__PORT__; - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $server_name; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; - more_clear_input_headers 'Accept-Encoding'; +set $main_domain "__DOMAIN__"; +set $sandbox_domain "sandbox-__DOMAIN__"; +set $allowed_origins "https://${sandbox_domain}"; +set $api_domain "__DOMAIN__"; +set $files_domain "__DOMAIN__"; +ssl_ecdh_curve secp384r1; +more_set_headers "Strict-Transport-Security: 'max-age=31536000; includeSubDomains' always"; +more_set_headers "X-XSS-Protection: '1; mode=block'"; +more_set_headers "X-Content-Type-Options: nosniff"; +more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'"; +more_set_headers "Cross-Origin-Resource-Policy: cross-origin"; +more_set_headers "Cross-Origin-Embedder-Policy: require-corp"; +root /var/www/cryptpad; +index index.html; +error_page 404 /customize.dist/404.html; +if ($uri ~ ^(\/|.*\/|.*\.html)$) { + set $cacheControl no-cache; } +if ($args ~ ver=) { + set $cacheControl max-age=31536000; +} +more_set_headers "Cache-Control: $cacheControl"; +set $styleSrc "'unsafe-inline' 'self' https://${main_domain}"; +set $connectSrc "'self' blob: https://${main_domain} https://${sandbox_domain} wss://${main_domain}"; +set $fontSrc "'self' data: https://${main_domain}"; +set $imgSrc "'self' data: blob: https://${main_domain}"; +set $frameSrc "'self' https://${sandbox_domain} blob:"; +set $mediaSrc "blob:"; +set $childSrc "https://${main_domain}"; +set $workerSrc "'self'"; +set $scriptSrc "'self' resource: https://${main_domain}"; +set $frameAncestors "'self' https://${main_domain}"; +set $unsafe 0; +if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; } +if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; } +if ($host != $sandbox_domain) { set $unsafe 0; } +if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; } +if ($unsafe) { + set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}"; +} +more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors"; +location ^~ /cryptpad_websocket { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection upgrade; +} +location ^~ /customize.dist/ { + # This is needed in order to prevent infinite recursion between /customize/ and the root +} +location ^~ /customize/ { + rewrite ^/customize/(.*)$ $1 break; + try_files /customize/$uri /customize.dist/$uri; +} +location ~ ^/api/.*$ { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_hide_header Cross-Origin-Resource-Policy; + more_set_headers "Cross-Origin-Resource-Policy: cross-origin"; + proxy_hide_header Cross-Origin-Embedder-Policy; + more_set_headers "Cross-Origin-Embedder-Policy: require-corp"; +} +location ^~ /blob/ { + if ($request_method = 'OPTIONS') { + more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'"; + more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'"; + more_set_headers "Access-Control-Allow-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'"; + more_set_headers "Access-Control-Max-Age: 1728000"; + more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'"; + more_set_headers "Content-Length: 0"; + return 204; + } + more_set_headers "X-Content-Type-Options: nosniff"; + more_set_headers "Cache-Control: max-age=31536000'"; + more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'"; + more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'"; + more_set_headers "Access-Control-Allow-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'"; + more_set_headers "Access-Control-Expose-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'"; + try_files $uri =404; +} +location ^~ /block/ { + more_set_headers "X-Content-Type-Options: nosniff"; + more_set_headers "Cache-Control: max-age=0"; + try_files $uri =404; +} +location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ { + rewrite ^(.*)$ $1/ redirect; +} +try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri; diff --git a/scripts/_common.sh b/scripts/_common.sh index f9d06de..af38340 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -4,7 +4,7 @@ # COMMON VARIABLES #================================================= -nodejs_version="14" +nodejs_version="16.14.2" #================================================= # PERSONAL HELPERS diff --git a/scripts/install b/scripts/install index 77ad500..eb995e5 100644 --- a/scripts/install +++ b/scripts/install @@ -66,6 +66,16 @@ ynh_app_setting_set --app=$app --key=port --value=$port porti=$(ynh_find_port --port=$(($port + 1))) ynh_app_setting_set --app=$app --key=porti --value=$porti +#================================================= +# CREATE A SANDBOX DOMAIN +#================================================= +sandboxdomain=sandbox-$domain +# We don't test that in CI +if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then + yunohost domain add $sandboxdomain + yunohost domain config set $sandboxdomain -a "mail_in=0&mail_out=0" +fi + #================================================= # INSTALL DEPENDENCIES #================================================= @@ -131,6 +141,8 @@ pushd "$final_path" ynh_exec_warn_less npm install --allow-root ynh_exec_warn_less npm install -g bower ynh_exec_warn_less bower install --allow-root + ynh_exec_warn_less bower update --allow-root + ynh_exec_warn_less npm run build popd #================================================= @@ -161,6 +173,36 @@ then ynh_permission_update --permission="main" --add="visitors" fi +# We authorize access to sandbox domain +# We don't test that in CI +if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then + ynh_permission_url --permission="main" --add_url=$sandboxdomain --auth_header=true + # there is a bug in core that add a slash at the end of domain in ssowat conf for uris var + # so we use ${sandboxdomain%/} to remove the eccessive trailing slash # it doesnt work + # we use jq to correct /etc/ssowat/conf.json + uri2=$sandboxdomain + touch /etc/ssowat/conf.json.persistent + cat /etc/ssowat/conf.json | jq --arg uri2 "$uri2" '(.permissions[] | select(.label=="CryptPad") | .uris[1]) |=$uri2' >> /etc/ssowat/conf.json.persistent +fi + +#================================================= +# APPLY FOLDER RIGHTS +#================================================= +chgrp -R www-data $final_path + +#================================================= +# COPY NGINX CONF IN SANDBOX DOMAIN +#================================================= +# We don't test that in CI +if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then + ynh_add_config --template="/etc/nginx/conf.d/$domain.d/cryptpad.conf" --destination="/etc/nginx/conf.d/$sandboxdomain.d/cryptpad.conf" +fi + +#================================================= +# RELOAD YUNOHOST-API to refresh web admin domains after domain creation (normal?) +#================================================= +ynh_systemd_action --service_name=yunohost-api --action=reload + #================================================= # RELOAD NGINX #================================================= @@ -175,9 +217,10 @@ ynh_script_progression --message="Sending a readme for the admin..." --weight=1 message="CryptPad was successfully installed :) -Please open your $app domain: https://$domain$path_url +We have added a sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it. -Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator: +Then you can please open your $app domain: https://$domain$path_url +Create an account via the Register button on the home page. To make this account an instance administrator: 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key 2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder): diff --git a/scripts/remove b/scripts/remove index e201fda..cdf4fee 100644 --- a/scripts/remove +++ b/scripts/remove @@ -64,6 +64,29 @@ ynh_script_progression --message="Removing dependencies..." --weight=3 ynh_remove_nodejs +#================================================= +# REMOVE SANDBOX DOMAIN +#================================================= +ynh_script_progression --message="Removing sandbox domain..." --weight=1 + +# We don't test that in CI +if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then + sandboxdomain=sandbox-$domain + + if yunohost domain list | grep -q $sandboxdomain + then #if domain exist we remove it + yunohost domain remove $sandboxdomain + # we clean the nginx configuration we added + ynh_secure_remove --file="/etc/nginx/conf.d/$sandboxdomain.d/" + fi +fi + + +#================================================= +# RELOAD YUNOHOST-API to refresh web admin domains after domain creation (bug core?) +#================================================= +#ynh_systemd_action --service_name=yunohost-api --action=reload + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/restore b/scripts/restore index 81c92b5..8bea0d0 100644 --- a/scripts/restore +++ b/scripts/restore @@ -68,6 +68,11 @@ chmod -R o-rwx "$final_path" chown -R $app:$app "$final_path" chmod 600 "$final_path/config/config.js" +#================================================= +# APPLY FOLDER GROUP RIGHTS FOR WWW-DATA +#================================================= +chgrp -R www-data $final_path + #================================================= # REINSTALL DEPENDENCIES #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index fe89061..5aa6ad9 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -97,6 +97,21 @@ then chown -R $app:$app "$final_path" fi +#================================================= +# APPLY FOLDER GROUP RIGHTS FOR WWW-DATA +#================================================= +chgrp -R www-data $final_path + +#================================================= +# CREATE A SANDBOX DOMAIN +#================================================= +sandboxdomain=sandbox-$domain +# We don't test that in CI +if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then + yunohost domain add $sandboxdomain + yunohost domain config set $sandboxdomain -a "mail_in=0&mail_out=0" +fi + #================================================= # NGINX CONFIGURATION #================================================= @@ -122,6 +137,7 @@ pushd "$final_path" ynh_exec_warn_less npm install -g bower ynh_exec_warn_less bower update --allow-root ynh_exec_warn_less npm i + ynh_exec_warn_less npm run build popd #================================================= @@ -142,6 +158,11 @@ ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 yunohost service add $app --description="Zero Knowledge realtime collaborative editor" --log="/var/log/$app/$app.log" +#================================================= +# ADD UPGRADED CONFIG WITH SANDBOX +#================================================= +ynh_add_config --template="../conf/config.js" --destination="$final_path/config/config.js" + #================================================= # START SYSTEMD SERVICE #================================================= @@ -149,6 +170,26 @@ ynh_script_progression --message="Starting a systemd service..." --weight=1 ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available" +#================================================= +# COPY NGINX CONF IN SANDBOX DOMAIN +#================================================= +# We don't test that in CI +if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then + ynh_add_config --template="/etc/nginx/conf.d/$domain.d/cryptpad.conf" --destination="/etc/nginx/conf.d/$sandboxdomain.d/cryptpad.conf" +fi + +# We authorize access to sandbox domain +# We don't test that in CI +if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then + ynh_permission_url --permission="main" --add_url=$sandboxdomain --auth_header=true + # there is a bug in core that add a slash at the end of domain in ssowat conf for uris var + # so we use ${sandboxdomain%/} to remove the eccessive trailing slash # it doesnt work + # we use jq to correct /etc/ssowat/conf.json + uri2=$sandboxdomain + touch /etc/ssowat/conf.json.persistent + cat /etc/ssowat/conf.json | jq --arg uri2 "$uri2" '(.permissions[] | select(.label=="CryptPad") | .uris[1]) |=$uri2' >> /etc/ssowat/conf.json.persistent +fi + #================================================= # RELOAD NGINX #================================================= @@ -156,6 +197,25 @@ ynh_script_progression --message="Reloading NGINX web server..." --weight=1 ynh_systemd_action --service_name=nginx --action=reload +#================================================= +# SEND A README FOR THE ADMIN +#================================================= +ynh_script_progression --message="Sending a readme for the admin..." --weight=1 + +message="CryptPad was successfully upgraded :) +We have added a sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it !! +If not already done, then you can please open your $app domain: https://$domain$path_url +Create an account via the Register button on the home page. To make this account an instance administrator: +1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key +2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder): +adminKeys: [ + "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]", +], +If you are facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/cryptpad_ynh" + +ynh_send_readme_to_admin "$message" + + #================================================= # END OF SCRIPT #=================================================