
Use sandbox domain and upgrade to v5.1.0

Co-authored-by: Éric Gaspar <46165813+ericgaspar@users.noreply.github.com>
This commit is contained in:
DDATAA 2022-12-09 17:01:27 +00:00 committed by GitHub
parent 3f627932fb
commit 16ecb70d87
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 245 additions and 27 deletions


@ -30,7 +30,14 @@ CryptPad is a collaboration suite that is end-to-end-encrypted and open-source.
## Configuration ## Configuration
Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator: Once CryptPad is installed.
We have created for you the mandatory sandbox domain.
You still need to install the certificate for it.
So first, hit the diagnosis page so we make sure your DNS configuration is correct.
Then, go into your domain SSL configuration to generate your Let's Encrypt certificate.
Create an account via the Register button on the home page. To make this account an instance administrator:
1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder): 2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder):


@ -13,6 +13,8 @@
upgrade=1 upgrade=1
#4.10.0 #4.10.0
upgrade=1 from_commit=2a54cd03f90c93b07150a64644ffc7f208110a18 upgrade=1 from_commit=2a54cd03f90c93b07150a64644ffc7f208110a18
#4.12.0
upgrade=1 from_commit=1e36039893dc35533b320257ca7f93ef1d07a164
backup_restore=1 backup_restore=1
multi_instance=0 multi_instance=0
port_already_use=0 port_already_use=0
@ -23,3 +25,6 @@ Notification=none
;;; Upgrade options ;;; Upgrade options
; commit=2a54cd03f90c93b07150a64644ffc7f208110a18 ; commit=2a54cd03f90c93b07150a64644ffc7f208110a18
name=update to 4.10.0 name=update to 4.10.0
;;; Upgrade options
; commit=1e36039893dc35533b320257ca7f93ef1d07a164
name=update to 4.12.0


@ -1,6 +1,6 @@
SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/4.11.0.tar.gz SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/5.1.0.tar.gz
SOURCE_SUM=e529b484c297f73227f991971189c51f64da1ab53fc78334d1fb08e320d4385e SOURCE_SUM=e8971f8a6439958e8328a8433a696e5ae3915740c5f93cfce9a13776edd83084
SOURCE_SUM_PRG=sha256sum SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=tar.gz SOURCE_FORMAT=tar.gz
SOURCE_IN_SUBDIR=true SOURCE_IN_SUBDIR=true
SOURCE_FILENAME=cryptpad.tar.gz SOURCE_FILENAME=cryptpad.tar.gz


@ -72,7 +72,7 @@ module.exports = {
* *
* CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
*/ */
// httpSafeOrigin: "https://some-other-domain.xyz", httpSafeOrigin: "https://sandbox-__DOMAIN__",
/* httpAddress specifies the address on which the nodejs server /* httpAddress specifies the address on which the nodejs server
* should be accessible. By default it will listen on 127.0.0.1 * should be accessible. By default it will listen on 127.0.0.1
@ -325,4 +325,4 @@ module.exports = {
* *
*/ */
installMethod: 'unspecified', installMethod: 'unspecified',
}; };


@ -1,19 +1,94 @@
#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; set $main_domain "__DOMAIN__";
location __PATH__/ { set $sandbox_domain "sandbox-__DOMAIN__";
set $allowed_origins "https://${sandbox_domain}";
proxy_pass http://127.0.0.1:__PORT__; set $api_domain "__DOMAIN__";
proxy_redirect off; set $files_domain "__DOMAIN__";
proxy_set_header Host $host; ssl_ecdh_curve secp384r1;
proxy_set_header X-Real-IP $remote_addr; more_set_headers "Strict-Transport-Security: 'max-age=31536000; includeSubDomains' always";
proxy_set_header X-Forwarded-Proto $scheme; more_set_headers "X-XSS-Protection: '1; mode=block'";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; more_set_headers "X-Content-Type-Options: nosniff";
proxy_set_header X-Forwarded-Host $server_name; more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
proxy_http_version 1.1; more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
proxy_set_header Upgrade $http_upgrade; root /var/www/cryptpad;
proxy_set_header Connection "upgrade"; index index.html;
error_page 404 /customize.dist/404.html;
# Include SSOWAT user panel. if ($uri ~ ^(\/|.*\/|.*\.html)$) {
include conf.d/yunohost_panel.conf.inc; set $cacheControl no-cache;
more_clear_input_headers 'Accept-Encoding';
} }
if ($args ~ ver=) {
set $cacheControl max-age=31536000;
}
more_set_headers "Cache-Control: $cacheControl";
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
set $connectSrc "'self' blob: https://${main_domain} https://${sandbox_domain} wss://${main_domain}";
set $fontSrc "'self' data: https://${main_domain}";
set $imgSrc "'self' data: blob: https://${main_domain}";
set $frameSrc "'self' https://${sandbox_domain} blob:";
set $mediaSrc "blob:";
set $childSrc "https://${main_domain}";
set $workerSrc "'self'";
set $scriptSrc "'self' resource: https://${main_domain}";
set $frameAncestors "'self' https://${main_domain}";
set $unsafe 0;
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
if ($host != $sandbox_domain) { set $unsafe 0; }
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
if ($unsafe) {
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
}
more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
location ^~ /cryptpad_websocket {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
}
location ^~ /customize.dist/ {
# This is needed in order to prevent infinite recursion between /customize/ and the root
}
location ^~ /customize/ {
rewrite ^/customize/(.*)$ $1 break;
try_files /customize/$uri /customize.dist/$uri;
}
location ~ ^/api/.*$ {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header Cross-Origin-Resource-Policy;
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
proxy_hide_header Cross-Origin-Embedder-Policy;
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
}
location ^~ /blob/ {
if ($request_method = 'OPTIONS') {
more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
more_set_headers "Access-Control-Allow-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'";
more_set_headers "Access-Control-Max-Age: 1728000";
more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'";
more_set_headers "Content-Length: 0";
return 204;
}
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Cache-Control: max-age=31536000'";
more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
more_set_headers "Access-Control-Allow-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'";
more_set_headers "Access-Control-Expose-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'";
try_files $uri =404;
}
location ^~ /block/ {
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Cache-Control: max-age=0";
try_files $uri =404;
}
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
rewrite ^(.*)$ $1/ redirect;
}
try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
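Review bot: The single quotes inside several `more_set_headers` values look like they will be sent to the browser as part of the header, so clients would receive `Strict-Transport-Security: 'max-age=31536000; includeSubDomains' always` (with `more_set_headers`, `always` is not a flag as it is for `add_header`) and `Access-Control-Allow-Origin: 'https://sandbox-…'`, which is unlikely to be honoured as an HSTS directive or to match the sandbox origin; the same quoting is on `X-XSS-Protection`, on the `/blob/` CORS and `Content-Type` headers, and the blob `Cache-Control: max-age=31536000'` also has a stray trailing quote. I would drop the inner quotes, e.g. `more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";` and `more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";`, and check the emitted headers against the sandbox domain once deployed, since the CSP/COEP split between the two domains depends on them. Separately, the `/cryptpad_websocket` and `/api/` locations proxy to a hard-coded `localhost:3000` where the previous template used `__PORT__`; unless the service port is pinned to 3000 elsewhere in the package, `proxy_pass http://127.0.0.1:__PORT__;` keeps the conf aligned with the port the install script registers. The old `include conf.d/yunohost_panel.conf.inc;` is also gone, so the SSOwat user panel will no longer be injected for this app — worth confirming that is intended.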


@ -4,7 +4,7 @@
# COMMON VARIABLES # COMMON VARIABLES
#================================================= #=================================================
nodejs_version="14" nodejs_version="16.14.2"
#================================================= #=================================================
# PERSONAL HELPERS # PERSONAL HELPERS


@ -66,6 +66,16 @@ ynh_app_setting_set --app=$app --key=port --value=$port
porti=$(ynh_find_port --port=$(($port + 1))) porti=$(ynh_find_port --port=$(($port + 1)))
ynh_app_setting_set --app=$app --key=porti --value=$porti ynh_app_setting_set --app=$app --key=porti --value=$porti
#=================================================
# CREATE A SANDBOX DOMAIN
#=================================================
sandboxdomain=sandbox-$domain
# We don't test that in CI
if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
yunohost domain add $sandboxdomain
yunohost domain config set $sandboxdomain -a "mail_in=0&mail_out=0"
fi
#================================================= #=================================================
# INSTALL DEPENDENCIES # INSTALL DEPENDENCIES
#================================================= #=================================================
@ -131,6 +141,8 @@ pushd "$final_path"
ynh_exec_warn_less npm install --allow-root ynh_exec_warn_less npm install --allow-root
ynh_exec_warn_less npm install -g bower ynh_exec_warn_less npm install -g bower
ynh_exec_warn_less bower install --allow-root ynh_exec_warn_less bower install --allow-root
ynh_exec_warn_less bower update --allow-root
ynh_exec_warn_less npm run build
popd popd
#================================================= #=================================================
@ -161,6 +173,36 @@ then
ynh_permission_update --permission="main" --add="visitors" ynh_permission_update --permission="main" --add="visitors"
fi fi
# We authorize access to sandbox domain
# We don't test that in CI
if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
ynh_permission_url --permission="main" --add_url=$sandboxdomain --auth_header=true
# there is a bug in core that add a slash at the end of domain in ssowat conf for uris var
# so we use ${sandboxdomain%/} to remove the eccessive trailing slash # it doesnt work
# we use jq to correct /etc/ssowat/conf.json
uri2=$sandboxdomain
touch /etc/ssowat/conf.json.persistent
cat /etc/ssowat/conf.json | jq --arg uri2 "$uri2" '(.permissions[] | select(.label=="CryptPad") | .uris[1]) |=$uri2' >> /etc/ssowat/conf.json.persistent
fi
#=================================================
# APPLY FOLDER RIGHTS
#=================================================
chgrp -R www-data $final_path
#=================================================
# COPY NGINX CONF IN SANDBOX DOMAIN
#=================================================
# We don't test that in CI
if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
ynh_add_config --template="/etc/nginx/conf.d/$domain.d/cryptpad.conf" --destination="/etc/nginx/conf.d/$sandboxdomain.d/cryptpad.conf"
fi
#=================================================
# RELOAD YUNOHOST-API to refresh web admin domains after domain creation (normal?)
#=================================================
ynh_systemd_action --service_name=yunohost-api --action=reload
#================================================= #=================================================
# RELOAD NGINX # RELOAD NGINX
#================================================= #=================================================
@ -175,9 +217,10 @@ ynh_script_progression --message="Sending a readme for the admin..." --weight=1
message="CryptPad was successfully installed :) message="CryptPad was successfully installed :)
Please open your $app domain: https://$domain$path_url We have added a sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it.
Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator: Then you can please open your $app domain: https://$domain$path_url
Create an account via the Register button on the home page. To make this account an instance administrator:
1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder): 2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder):
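Review bot: The `cat /etc/ssowat/conf.json | jq … >> /etc/ssowat/conf.json.persistent` line appends a complete rewritten copy of conf.json to the persistent file, so if that file is not empty (a reinstall, or an admin who already uses it for overrides) the result is two concatenated JSON documents rather than one valid object, which SSOwat is unlikely to parse; the same block is repeated in the upgrade script. I would write the result to a temporary file and move it into place (`jq … /etc/ssowat/conf.json > "$tmp" && mv "$tmp" /etc/ssowat/conf.json.persistent`), or better limit it to the single permission entry that needs fixing, and the comment above it already admits the `${sandboxdomain%/}` workaround "doesnt work", so it should be removed rather than left as misleading guidance. In the sandbox-domain hunk, `yunohost domain add $sandboxdomain` is not guarded by an existence check the way the remove script's `yunohost domain list | grep` is, so a reinstall after an incomplete removal would abort here; a guard such as `if ! yunohost domain list | grep -qE -- "(^|[[:space:]])${sandboxdomain//./\\.}$"; then yunohost domain add "$sandboxdomain"; fi` (assuming one domain per line, as the remove script already relies on) makes install and remove consistent.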


@ -64,6 +64,29 @@ ynh_script_progression --message="Removing dependencies..." --weight=3
ynh_remove_nodejs ynh_remove_nodejs
#=================================================
# REMOVE SANDBOX DOMAIN
#=================================================
ynh_script_progression --message="Removing sandbox domain..." --weight=1
# We don't test that in CI
if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
sandboxdomain=sandbox-$domain
if yunohost domain list | grep -q $sandboxdomain
then #if domain exist we remove it
yunohost domain remove $sandboxdomain
# we clean the nginx configuration we added
ynh_secure_remove --file="/etc/nginx/conf.d/$sandboxdomain.d/"
fi
fi
#=================================================
# RELOAD YUNOHOST-API to refresh web admin domains after domain creation (bug core?)
#=================================================
#ynh_systemd_action --service_name=yunohost-api --action=reload
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION
#================================================= #=================================================
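Review bot: `yunohost domain list | grep -q $sandboxdomain` is an unanchored regex match, so with `sandboxdomain=sandbox-example.org` it also matches `sandbox-example.org.uk` or `my-sandbox-example.org`, and the unescaped dots match any character; the domain would then be treated as present and `yunohost domain remove` would fail on a domain that does not exist. Escaping the dots and anchoring the end of the line, e.g. `grep -qE -- "(^|[[:space:]])${sandboxdomain//./\\.}$"`, keeps the check to the exact name (assuming the list prints one domain per line, as the current code already relies on). The `ynh_secure_remove --file="/etc/nginx/conf.d/$sandboxdomain.d/"` after the domain removal may be redundant if `yunohost domain remove` already cleans the domain's nginx directory — I could not confirm that from here; either way, since `ynh_secure_remove` is harmless on a missing path it is fine to keep, but a comment saying why it is still needed would help. The commented-out `ynh_systemd_action --service_name=yunohost-api --action=reload` is dead code and should either be enabled, as in the install script, or dropped.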


@ -68,6 +68,11 @@ chmod -R o-rwx "$final_path"
chown -R $app:$app "$final_path" chown -R $app:$app "$final_path"
chmod 600 "$final_path/config/config.js" chmod 600 "$final_path/config/config.js"
#=================================================
# APPLY FOLDER GROUP RIGHTS FOR WWW-DATA
#=================================================
chgrp -R www-data $final_path
#================================================= #=================================================
# REINSTALL DEPENDENCIES # REINSTALL DEPENDENCIES
#================================================= #=================================================
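Review bot: The restore script only adds `chgrp -R www-data $final_path` while the install and upgrade scripts also create the `sandbox-$domain` domain, copy the nginx conf into `/etc/nginx/conf.d/$sandboxdomain.d/` and register the sandbox URL in the permission; unless the sandbox domain is part of the system backup being restored, the restored `config/config.js` will carry `httpSafeOrigin: "https://sandbox-__DOMAIN__"` and the nginx CSP will point `frame-src`/`connect-src` at a domain that no longer exists, so the restored instance is unlikely to load. I would add the same guarded "CREATE A SANDBOX DOMAIN" and "COPY NGINX CONF IN SANDBOX DOMAIN" sections here, or document in a comment why restore deliberately leaves them to the admin. Note too that the `chgrp -R` runs after `chmod 600 "$final_path/config/config.js"`, which is fine for that file (group has no access), but a comment such as `# nginx (www-data) serves static files directly from $final_path` would explain why the whole tree is group-owned by www-data.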


@ -97,6 +97,21 @@ then
chown -R $app:$app "$final_path" chown -R $app:$app "$final_path"
fi fi
#=================================================
# APPLY FOLDER GROUP RIGHTS FOR WWW-DATA
#=================================================
chgrp -R www-data $final_path
#=================================================
# CREATE A SANDBOX DOMAIN
#=================================================
sandboxdomain=sandbox-$domain
# We don't test that in CI
if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
yunohost domain add $sandboxdomain
yunohost domain config set $sandboxdomain -a "mail_in=0&mail_out=0"
fi
#================================================= #=================================================
# NGINX CONFIGURATION # NGINX CONFIGURATION
#================================================= #=================================================
@ -122,6 +137,7 @@ pushd "$final_path"
ynh_exec_warn_less npm install -g bower ynh_exec_warn_less npm install -g bower
ynh_exec_warn_less bower update --allow-root ynh_exec_warn_less bower update --allow-root
ynh_exec_warn_less npm i ynh_exec_warn_less npm i
ynh_exec_warn_less npm run build
popd popd
#================================================= #=================================================
@ -142,6 +158,11 @@ ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
yunohost service add $app --description="Zero Knowledge realtime collaborative editor" --log="/var/log/$app/$app.log" yunohost service add $app --description="Zero Knowledge realtime collaborative editor" --log="/var/log/$app/$app.log"
#=================================================
# ADD UPGRADED CONFIG WITH SANDBOX
#=================================================
ynh_add_config --template="../conf/config.js" --destination="$final_path/config/config.js"
#================================================= #=================================================
# START SYSTEMD SERVICE # START SYSTEMD SERVICE
#================================================= #=================================================
@ -149,6 +170,26 @@ ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available" ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available"
#=================================================
# COPY NGINX CONF IN SANDBOX DOMAIN
#=================================================
# We don't test that in CI
if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
ynh_add_config --template="/etc/nginx/conf.d/$domain.d/cryptpad.conf" --destination="/etc/nginx/conf.d/$sandboxdomain.d/cryptpad.conf"
fi
# We authorize access to sandbox domain
# We don't test that in CI
if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
ynh_permission_url --permission="main" --add_url=$sandboxdomain --auth_header=true
# there is a bug in core that add a slash at the end of domain in ssowat conf for uris var
# so we use ${sandboxdomain%/} to remove the eccessive trailing slash # it doesnt work
# we use jq to correct /etc/ssowat/conf.json
uri2=$sandboxdomain
touch /etc/ssowat/conf.json.persistent
cat /etc/ssowat/conf.json | jq --arg uri2 "$uri2" '(.permissions[] | select(.label=="CryptPad") | .uris[1]) |=$uri2' >> /etc/ssowat/conf.json.persistent
fi
#================================================= #=================================================
# RELOAD NGINX # RELOAD NGINX
#================================================= #=================================================
@ -156,6 +197,25 @@ ynh_script_progression --message="Reloading NGINX web server..." --weight=1
ynh_systemd_action --service_name=nginx --action=reload ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# SEND A README FOR THE ADMIN
#=================================================
ynh_script_progression --message="Sending a readme for the admin..." --weight=1
message="CryptPad was successfully upgraded :)
We have added a sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it !!
If not already done, then you can please open your $app domain: https://$domain$path_url
Create an account via the Register button on the home page. To make this account an instance administrator:
1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder):
adminKeys: [
"[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
],
If you are facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/cryptpad_ynh"
ynh_send_readme_to_admin "$message"
#================================================= #=================================================
# END OF SCRIPT # END OF SCRIPT
#================================================= #=================================================
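Review bot: `ynh_add_config --template="../conf/config.js" --destination="$final_path/config/config.js"` regenerates config.js from the template on every upgrade, which discards the `adminKeys` entry the admin was told to add by hand (the readme message in this same file repeats that instruction), so instance administrators silently lose their role after each upgrade; if I recall the helper correctly it keeps a backup copy when the checksum differs, but the live file is still replaced. Either carry the admin keys over (extract `adminKeys` from the previous file before rendering and re-inject it) or move them into an app setting rendered by the template, and say so in a comment above the call. In the "CREATE A SANDBOX DOMAIN" hunk, `yunohost domain add $sandboxdomain` runs unconditionally on every upgrade, so the second upgrade on a host where the domain already exists will very likely fail and abort the script — it needs the same existence check the remove script uses, e.g. `if ! yunohost domain list | grep -qE -- "(^|[[:space:]])${sandboxdomain//./\\.}$"; then yunohost domain add "$sandboxdomain"; fi`. The `>> /etc/ssowat/conf.json.persistent` append has the same concatenated-JSON problem raised on the install script.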