diff --git a/README.md b/README.md index b2d6a07..135881e 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in CryptPad is a collaboration suite that is end-to-end-encrypted and open-source. It is built to enable collaboration, synchronizing changes to documents in real time. Because all data is encrypted, the service and its administrators have no way of seeing the content being edited and stored. -**Shipped version:** 5.3.0~ynh1 +**Shipped version:** 5.6.0~ynh1 **Demo:** https://cryptpad.fr/ diff --git a/README_fr.md b/README_fr.md index 44d02be..fc697f2 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,7 +18,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po CryptPad est une suite de collaboration chiffrée de bout en bout et open source. Il est conçu pour permettre la collaboration, en synchronisant les modifications apportées aux documents en temps réel. Étant donné que toutes les données sont chiffrées, le service et ses administrateurs n'ont aucun moyen de voir le contenu modifié et stocké. -**Version incluse :** 5.3.0~ynh1 +**Version incluse :** 5.6.0~ynh1 **Démo :** https://cryptpad.fr/ diff --git a/conf/config.js b/conf/config.js index 768b0bf..e893bd2 100644 --- a/conf/config.js +++ b/conf/config.js @@ -1,3 +1,7 @@ +// SPDX-FileCopyrightText: 2023 XWiki CryptPad Team and contributors +// +// SPDX-License-Identifier: AGPL-3.0-or-later + /* globals module */ /* DISCLAIMER: @@ -11,7 +15,7 @@ Support requests for such setups should be directed to their authors. If you're having difficulty difficulty configuring your instance - we suggest that you join the project's IRC/Matrix channel. + we suggest that you join the project's Matrix channel. If you don't have any difficulty configuring your instance and you'd like to support us for the work that went into making it pain-free we are quite happy 
@@ -45,21 +49,13 @@ module.exports = { * In such a case this should be also handled by NGINX, as documented in * cryptpad/docs/example.nginx.conf (see the $main_domain variable) * - * Note: you may provide multiple origins for the purpose of accessing - * a development instance via different URLs, like so: - * httpUnsafeOrigin: 'http://127.0.0.1:3000/ http://localhost:3000/', - * - * Such configuration is not recommended for production instances, - * as the development team does not actively test such configuration - * and it may have unintended consequences in practice. - * */ httpUnsafeOrigin: 'https://__DOMAIN__', /* httpSafeOrigin is the URL that is used for the 'sandbox' described above. * If you're testing or developing with CryptPad on your local machine then * it is appropriate to leave this blank. The default behaviour is to serve - * the main domain over port 3000 and to serve the content over port 3001. + * the main domain over port 3000 and to serve the sandbox content over port 3001. * * This is not appropriate in a production environment where invasive networks * may filter traffic going over abnormal ports. @@ -70,14 +66,17 @@ module.exports = { * This value corresponds to the $sandbox_domain variable * in the example nginx file. * + * Note that in order for the sandboxing system to be effective + * httpSafeOrigin must be different from httpUnsafeOrigin. + * * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. */ httpSafeOrigin: "https://__SANDBOXDOMAIN__", /* httpAddress specifies the address on which the nodejs server - * should be accessible. By default it will listen on 127.0.0.1 - * (IPv4 localhost on most systems). If you want it to listen on - * all addresses, including IPv6, set this to '::'. + * should be accessible. By default it will listen on localhost + * (IPv4 & IPv6 if enabled). If you want it to listen on + * a specific address, specify it here. e.g '192.168.0.1' * */ httpAddress: '::', 
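Review bot: `httpAddress: '::'` binds the Node server to every interface, while the rewritten comment directly above it now says the default is localhost and that an address should be given only when a specific one is wanted; since conf/nginx.conf in this diff reaches the server exclusively through `127.0.0.1:__PORT__`, the wildcard bind exposes the raw HTTP and sandbox ports, without nginx's TLS and CSP headers, to whatever the host firewall lets through. `httpAddress: '127.0.0.1',` (or `'::1'` with the nginx `proxy_pass` targets switched to IPv6 loopback) matches both the comment and the proxy. The enclosing `module.exports` object starts and ends outside the hunk.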
@@ -97,6 +96,19 @@ module.exports = {
 */
 httpSafePort: __PORT_PORTI__,
 
+/* Websockets need to be exposed on a separate port from the rest of
+ * the platform's HTTP traffic. Port 3003 is used by default.
+ * You can change this to a different port if it is in use by a
+ * different service, but under most circumstances you can leave this
+ * commented and it will work.
+ *
+ * In production environments, your reverse proxy (usually NGINX)
+ * will need to forward websocket traffic (/cryptpad_websocket)
+ * to this port.
+ *
+ */
+ // websocketPort: 3003,
+
 /* CryptPad will launch a child process for every core available
 * in order to perform CPU-intensive tasks in parallel.
 * Some host environments may have a very large number of cores available
@@ -105,6 +117,28 @@ module.exports = {
 */
 // maxWorkers: 4,
 
+ /* =====================
+ * Sessions
+ * ===================== */
+
+ /* Accounts can be protected with an OTP (One Time Password) system
+ * to add a second authentication layer. Such accounts use a session
+ * with a given lifetime after which they are logged out and need
+ * to be re-authenticated. You can configure the lifetime of these
+ * sessions here.
+ *
+ * defaults to 7 days
+ */
+ //otpSessionExpiration: 7*24, // hours
+
+ /* Registered users can be forced to protect their account
+ * with a Multi-factor Authentication (MFA) tool like a TOTP
+ * authenticator application.
+ *
+ * defaults to false
+ */
+ //enforceMFA: false,
+
 /* =====================
 * Admin
 * ===================== */
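Review bot: The added comment states that websockets are served on a separate port (3003 by default) and that the reverse proxy must forward `/cryptpad_websocket` to it, yet `websocketPort` is left commented out here and the packaged conf/nginx.conf in this same diff still proxies `/cryptpad_websocket` to `127.0.0.1:__PORT__`, the port also used for `/api/` and `/blob/`. If the 5.6.0 server really binds websockets to 3003 as the comment says, realtime sync would fail behind this nginx config; the fix would be to reserve a second port in the manifest's `[resources.ports]`, set `websocketPort: __PORT_WS__,` (under whatever name the manifest gives it) here, and point the nginx location at it. I cannot confirm from the diff which port the server actually binds, so please check against the 5.6.0 server before merging. The enclosing `module.exports` object starts and ends outside the hunk.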
@@ -115,12 +149,17 @@ module.exports = {
 * To give access to the admin panel to a user account, just add their public signing
 * key, which can be found on the settings page for registered users.
 * Entries should be strings separated by a comma.
+ * adminKeys: [
+ * "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
+ * "[cryptpad-user2@my.awesome.website/jA-9c5iNuG7SyxzGCjwJXVnk5NPfAOO8fQuQ0dC83RE=]",
+ * ]
+ *
 */
-/*
+
 adminKeys: [
- "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
+
 ],
-*/
+
 
 /* CryptPad's administration panel includes a "support" tab
 * wherein administrators with a secret key can view messages
diff --git a/conf/nginx.conf b/conf/nginx.conf
index f3e1778..c272291 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
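Review bot: The hunk uncomments `adminKeys: [ ],` as an empty array, yet the package docs touched in this same commit (doc/ADMIN.md, doc/POST_INSTALL.md, doc/POST_UPGRADE.md) still tell the admin to "uncomment and replace the placeholder", so there is nothing left to uncomment and the placeholder now lives only in the comment above the array, where a pasted key would have no effect. Suggest a comment directly above the array, e.g. `// Add your admin public signing key(s) here, in the format shown in the example above`, and rewording the docs to "add your key to the empty adminKeys array". Keys added here are also lost whenever the package regenerates this file from the template (the upgrade script in this diff does so), which the docs should state explicitly. The enclosing `module.exports` object starts and ends outside the hunk.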
@@ -4,67 +4,147 @@ set $allowed_origins "https://${sandbox_domain}";
 set $api_domain "__DOMAIN__";
 set $files_domain "__DOMAIN__";
 ssl_ecdh_curve secp384r1;
-more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
+
+more_set_headers "X-XSS-Protection: 1; mode=block";
+more_set_headers "X-Content-Type-Options: nosniff";
+more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
+more_set_headers "Access-Control-Allow-Credentials: true";
+# more_set_headers "X-Frame-Options: SAMEORIGIN";
+
+# Enable SharedArrayBuffer in Firefox (for .xlsx export)
 more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
 more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
+
+# Insert the path to your CryptPad repository root here
 root __INSTALL_DIR__/;
 index index.html;
 error_page 404 /customize.dist/404.html;
-if ($uri ~ ^(\/|.*\/|.*\.html)$) {
- set $cacheControl no-cache;
-}
+
+# any static assets loaded with "ver=" in their URL will be cached for a year
 if ($args ~ ver=) {
 set $cacheControl max-age=31536000;
 }
+# This rule overrides the above caching directive and makes things somewhat less efficient.
+# We had inverted them as an optimization, but Safari 16 introduced a bug that interpreted
+# some important headers incorrectly when loading these files from cache.
+# This is why we can't have nice things :(
+if ($uri ~ ^(\/|.*\/|.*\.html)$) {
+ set $cacheControl no-cache;
+}
+
+# Will not set any header if it is emptystring
 more_set_headers "Cache-Control: $cacheControl";
+
+# CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
 set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
+
+# connect-src restricts URLs which can be loaded using script interfaces
+# if you have configured your instance to use a dedicated $files_domain or $api_domain
+# you will need to add them below as: https://${files_domain} and https://${api_domain}
 set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
+
+# fonts can be loaded from data-URLs or the main domain
 set $fontSrc "'self' data: https://${main_domain}";
+
+# images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
 set $imgSrc "'self' data: blob: https://${main_domain}";
+
+# frame-src specifies valid sources for nested browsing contexts
+# this prevents loading any iframes from anywhere other than the sandbox domain
 set $frameSrc "'self' https://${sandbox_domain} blob:";
+
+# specifies valid sources for loading media using video or audio
 set $mediaSrc "blob:";
+
+# defines valid sources for webworkers and nested browser contexts
+# deprecated in favour of worker-src and frame-src
 set $childSrc "https://${main_domain}";
+
+# specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
+# supercedes child-src but is unfortunately not yet universally supported.
set $workerSrc "'self'"; + +# script-src specifies valid sources for javascript, including inline handlers set $scriptSrc "'self' resource: https://${main_domain}"; + +# frame-ancestors specifies which origins can embed your CryptPad instance +# this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work +# if you have enabled remote embedding via the admin panel then this must be more permissive. +# note: cryptpad.fr permits web pages served via https: and vector: (element desktop app) set $frameAncestors "'self' https://${main_domain}"; + # set $frameAncestors "'self' https: vector:"; + set $unsafe 0; +# the following assets are loaded via the sandbox domain +# they unfortunately still require exceptions to the sandboxing to work correctly. if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; } if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; } + +# everything except the sandbox domain is a privileged scope, as they might be used to handle keys if ($host != $sandbox_domain) { set $unsafe 0; } + # this iframe is an exception. Office file formats are converted outside of the sandboxed scope +# because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable +# the use of some modern APIs that we require when javascript is run in a cross-origin context. +# We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; } + +# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied if ($unsafe) { set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}"; } + +# Finally, set all the rules you composed above. 
 more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
+
 location ^~ /cryptpad_websocket {
 proxy_pass http://127.0.0.1:__PORT__;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # WebSocket support (nginx 1.4)
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection upgrade;
 }
+
 location ^~ /customize.dist/ {
 # This is needed in order to prevent infinite recursion between /customize/ and the root
 }
+# try to load customizeable content via /customize/ and fall back to the default content
+# located at /customize.dist/
+# This is what allows you to override behaviour.
 location ^~ /customize/ {
 rewrite ^/customize/(.*)$ $1 break;
 try_files /customize/$uri /customize.dist/$uri;
 }
+
+# /api/config is loaded once per page load and is used to retrieve
+# the caching variable which is applied to every other resource
+# which is loaded during that session.
 location ~ ^/api/.*$ {
 proxy_pass http://127.0.0.1:__PORT__;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_hide_header Cross-Origin-Resource-Policy;
+
+ # These settings prevent both NGINX and the API server
+ # from setting the same headers and creating duplicates
+ proxy_hide_header "Cross-Origin-Resource-Policy";
 more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
- proxy_hide_header Cross-Origin-Embedder-Policy;
+ proxy_hide_header "Cross-Origin-Embedder-Policy";
 more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
 }
-location ^~ /blob/ {
+
+# Requests for blobs and blocks are now proxied to the API server
+# This simplifies NGINX path configuration in the event they are being hosted in a non-standard location
+# or with odd unexpected permissions. Serving blobs in this manner also means that it will be possible to
+# enforce access control for them, though this is not yet implemented.
+# Access control (via TOTP 2FA) has been added to blocks, so they can be handled with the same directives.
+location ~ ^/(blob|block)/.*$ {
 if ($request_method = 'OPTIONS') {
 more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
+ more_set_headers "Access-Control-Allow-Credentials: true";
 more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
 more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range";
 more_set_headers "Access-Control-Max-Age: 1728000";
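Review bot: `more_set_headers "X-XSS-Protection: 1; mode=block"`, added at the top of the hunk, is the value current hardening guidance advises against: as I recall the auditor it enables was removed from Chromium, and in engines that still honour it the filter has been abused for cross-site leaks, so `X-XSS-Protection: 0` (or no header at all, relying on the CSP this hunk composes) is the safer choice. A related inconsistency: the commit drops the stray single quotes around `${allowed_origins}` in the Access-Control-Allow-Origin header, but the OPTIONS branch of the blob/block location still sends `Access-Control-Allow-Methods: 'GET, POST, OPTIONS'`, where the quotes become part of the header value; it should read `more_set_headers "Access-Control-Allow-Methods: GET, POST, OPTIONS";`. Since `Access-Control-Allow-Credentials: true` is now emitted on every response, a comment noting that this is only safe because `$allowed_origins` is pinned to the single sandbox origin would stop a future edit from widening it to `*`. The blob/block location continues outside the hunk.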
@@ -72,20 +152,23 @@ location ^~ /blob/ {
 more_set_headers "Content-Length: 0";
 return 204;
 }
- more_set_headers "X-Content-Type-Options: nosniff";
- more_set_headers "Cache-Control: max-age=31536000'";
- more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
- more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
- more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
- more_set_headers "Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
- try_files $uri =404;
+ # Since we are proxying to the API server these headers can get duplicated
+ # so we hide them
+ proxy_hide_header 'X-Content-Type-Options';
+ proxy_hide_header 'Access-Control-Allow-Origin';
+ proxy_hide_header 'Permissions-Policy';
+ proxy_hide_header 'X-XSS-Protection';
+ proxy_hide_header 'Cross-Origin-Resource-Policy';
+ proxy_hide_header 'Cross-Origin-Embedder-Policy';
+ proxy_pass http://127.0.0.1:__PORT__;
 }
-location ^~ /block/ {
- more_set_headers "X-Content-Type-Options: nosniff";
- more_set_headers "Cache-Control: max-age=0";
- try_files $uri =404;
-}
-location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
+
+# The nodejs server has some built-in forwarding rules to prevent
+# URLs like /pad from resulting in a 404. This simply adds a trailing slash
+# to a variety of applications.
+location ~ ^/(register|login|recovery|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup|diagram)$ {
 rewrite ^(.*)$ $1/ redirect;
 }
+
+# Finally, serve anything the above exceptions don't govern.
 try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
diff --git a/conf/systemd.service b/conf/systemd.service
index 91f3747..a8498bc 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=CryptPad: Zero Knowledge realtime collaborative editor.
+Description=CryptPad: Zero Knowledge realtime collaborative editor
 After=syslog.target network.target
 
 [Service]
@@ -11,6 +11,10 @@ Environment=PATH=__ENV_PATH__
 Environment=NODE_ENV=production
 ExecStart=__YNH_NPM__ start
 Restart=always
+RestartSec=2
+StandardOutput=journal
+StandardError=journal+console
+LimitNOFILE=1000000
 
 # Sandboxing options to harden security
 # Depending on specificities of your service/app, you may need to tweak these
diff --git a/doc/ADMIN.md b/doc/ADMIN.md
index 697dfd8..15203f5 100644
--- a/doc/ADMIN.md
+++ b/doc/ADMIN.md
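Review bot: `proxy_hide_header 'Permissions-Policy'` in the new blob/block location strips that header from the API server's response, but unlike the other hidden headers (nosniff, ACAO, X-XSS-Protection, CORP, COEP), which the server-level `more_set_headers` lines set again, nothing in the visible nginx config re-adds a Permissions-Policy, so blob and block responses go out without one unless it is set somewhere outside this diff. Either drop that line or add a matching `more_set_headers "Permissions-Policy: ...";` next to the other server-level headers. It is also worth a comment in the location that the old `/block/` rule's `Cache-Control: max-age=0` is gone: `$cacheControl` stays empty for `/block/...` paths (no `ver=` argument, not a `.html` URI), so caching of blocks now depends solely on what the API server sends, which I cannot verify from here.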
@@ -1,9 +1,9 @@ -We have added the mandatory sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it !! +We have added the mandatory sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it! Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator: 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key -2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder): +2. Paste this key in `__INSTALL_DIR__/config/config.js` in the following array (uncomment and replace the placeholder): ``` adminKeys: [ "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]", diff --git a/doc/ADMIN_fr.md b/doc/ADMIN_fr.md index b349804..0181737 100644 --- a/doc/ADMIN_fr.md +++ b/doc/ADMIN_fr.md @@ -5,7 +5,7 @@ Nous avons ajouté le domaine obligatoire sandbox pour vous mais vous devez enco Une fois CryptPad installé, créez un compte via le bouton S'inscrire sur la page d'accueil. Pour faire de ce compte un administrateur d'instance : 1. Copiez la clé publique trouvée dans le menu utilisateur (avatar en haut à droite) > Paramètres > Compte > Clé de signature publique -2. Collez cette clé dans `/var/www/cryptpad/config/config.js` dans le tableau suivant (décommentez et remplacez l'espace réservé) : +2. Collez cette clé dans `__INSTALL_DIR__/config/config.js` dans le tableau suivant (décommentez et remplacez l'espace réservé) : ``` adminKeys: [ "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]", diff --git a/doc/POST_INSTALL.md b/doc/POST_INSTALL.md index 9c530ab..72e066f 100644 --- a/doc/POST_INSTALL.md +++ b/doc/POST_INSTALL.md 
@@ -7,7 +7,7 @@ Once CryptPad is installed, create an account via the Sign Up button on the home To make this account an instance administrator: 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key -2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder): +2. Paste this key in `__INSTALL_DIR__/config/config.js` in the following array (uncomment and replace the placeholder): ``` adminKeys: [ diff --git a/doc/POST_UPGRADE.md b/doc/POST_UPGRADE.md index 6023335..0b758a9 100644 --- a/doc/POST_UPGRADE.md +++ b/doc/POST_UPGRADE.md @@ -3,7 +3,7 @@ If not already done, then you can please open CryptPad domain: https://__DOMAIN_ Create an account via the Register button on the home page. To make this account an instance administrator: 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key -2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder): +2. Paste this key in `__INSTALL_DIR__/config/config.js in the following array (uncomment and replace the placeholder): adminKeys: [ "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]", ], diff --git a/doc/screenshots/screenshot.png b/doc/screenshots/screenshot.png index da04465..5cfd343 100644 Binary files a/doc/screenshots/screenshot.png and b/doc/screenshots/screenshot.png differ diff --git a/manifest.toml b/manifest.toml index 68eff11..5e6129f 100644 --- a/manifest.toml +++ b/manifest.toml @@ -5,7 +5,7 @@ name = "CryptPad" description.en = "Zero Knowledge realtime collaborative office suite" description.fr = "Suite bureautique chiffrée pour la collaboration en temps réel" -version = "5.3.0~ynh1" +version = "5.6.0~ynh1" maintainers = ["ddataa"] 
@@ -22,8 +22,11 @@ fund = "https://opencollective.com/cryptpad/contribute?language=fr" yunohost = ">= 11.2" architectures = "all" multi_instance = false + ldap = false + sso = false + disk = "50M" ram.build = "350M" ram.runtime = "50M" @@ -45,8 +48,8 @@ ram.runtime = "50M" [resources] [resources.sources.main] - url = "https://github.com/xwiki-labs/cryptpad/archive/refs/tags/5.3.0.tar.gz" - sha256 = "470e75203e7080d19482bacf6216c50ec13070fc7d0ff2e4fc855f57668fb919" + url = "https://github.com/xwiki-labs/cryptpad/archive/refs/tags/5.6.0.tar.gz" + sha256 = "85a1b1781df750e250402fb095125e58b329feab4e542abb57fd886a616a0cfb" autoupdate.strategy = "latest_github_tag" [resources.ports] diff --git a/scripts/_common.sh b/scripts/_common.sh index 447f5df..ec0f54e 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -4,7 +4,7 @@ # COMMON VARIABLES #================================================= -nodejs_version="16.14.2" +nodejs_version="20" #================================================= # PERSONAL HELPERS diff --git a/scripts/change_url b/scripts/change_url index 5d35e69..3a9b28d 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -16,7 +16,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" #================================================= # MODIFY URL IN NGINX CONF 
@@ -32,7 +32,7 @@ ynh_change_url_nginx_config #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index 5be5342..273c164 100644 --- a/scripts/install +++ b/scripts/install @@ -34,7 +34,7 @@ fi ynh_app_setting_set --app=$app --key=sandboxdomain --value=$sandboxdomain -ynh_script_progression --message="Setting up sandobx domain : $sandboxdomain" --weight=1 +ynh_script_progression --message="Setting up sandbox domain: $sandboxdomain" --weight=1 # We don't test that in CI if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then @@ -77,9 +77,9 @@ yunohost service add $app --description="Zero Knowledge realtime collaborative e #================================================= # ADD A CONFIGURATION #================================================= -ynh_script_progression --message="Adding a configuration file..." +ynh_script_progression --message="Adding a configuration file..." --weight=1 -ynh_add_config --template="../conf/config.js" --destination="$install_dir/config/config.js" +ynh_add_config --template="config.js" --destination="$install_dir/config/config.js" chmod 600 "$install_dir/config/config.js" chown $app "$install_dir/config/config.js" 
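Review bot: Dropping `--line_match="server available"` from the start call means `ynh_systemd_action` returns as soon as systemctl has launched the unit, not when the Node server is actually accepting connections, so the steps that follow (the nginx reload here, and the same pattern in restore and upgrade in this diff) can run against a server that is still starting. If 5.6.0 no longer logs that exact line, the better fix is to match whatever readiness message it now prints rather than to remove the wait, and a short comment on the line saying why the match was dropped would help the next packager. I cannot tell from the diff what the new server logs at startup.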
@@ -87,15 +87,13 @@ chown $app "$install_dir/config/config.js"
 #=================================================
 # INSTALL CRYPTPAD
 #=================================================
-ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=60
+ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=30
 
 pushd "$install_dir"
 ynh_use_nodejs
- ynh_exec_warn_less npm install --allow-root
- ynh_exec_warn_less npm install -g bower
- ynh_exec_warn_less bower install --allow-root
- ynh_exec_warn_less bower update --allow-root
- ynh_exec_warn_less npm run build
+ ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm ci
+ ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm run install:components
+ ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm run build
 popd
 
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index dbc0282..c2e202f 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -16,24 +16,16 @@ source /usr/share/yunohost/helpers
 #=================================================
 ynh_script_progression --message="Removing system configurations related to $app..." --weight=1
 
-# Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
 if ynh_exec_warn_less yunohost service status $app >/dev/null
 then
 ynh_script_progression --message="Removing $app service integration..." --weight=3
 yunohost service remove $app
 fi
 
-# Remove the dedicated systemd config
 ynh_remove_systemd_config
 
-# Remove the dedicated NGINX config
 ynh_remove_nginx_config
 
-#=================================================
-# REMOVE DEPENDENCIES
-#=================================================
-ynh_script_progression --message="Removing dependencies..." --weight=3
-
 ynh_remove_nodejs
 
 #=================================================
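Review bot: The new build block runs three npm steps as `$app` but nothing says why, and `install:components` is unexplained; since these replace bower commands that ran as root with `--allow-root`, a comment such as `# Build as the unprivileged app user: npm ci installs exactly the lockfile shipped in the pinned tarball; install:components replaces the former bower step` would spare the next packager a trip through CryptPad's package.json. One thing I cannot verify from the hunk: `npm ci` as `$app` needs `$install_dir` (and `node_modules` beneath it) to be writable by that user, and the only `chown` visible here covers `config/config.js`, so please confirm the directory ownership set earlier in the script. The pushd/popd block is complete within the hunk.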
@@ -56,12 +48,12 @@ if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then sandboxdomain=sandbox-$domain fi - ynh_script_progression --message="Removing sandbox domain : $sandboxdomain" --weight=1 + ynh_script_progression --message="Removing sandbox domain: $sandboxdomain" --weight=1 if yunohost domain list | grep -q $sandboxdomain - then #if domain exist we remove it + then # if domain exist we remove it yunohost domain remove $sandboxdomain - # we clean the nginx configuration we added + # we clean the NGINX configuration we added ynh_secure_remove --file="/etc/nginx/conf.d/$sandboxdomain.d/" fi fi diff --git a/scripts/restore b/scripts/restore index b8a266e..c88954b 100644 --- a/scripts/restore +++ b/scripts/restore @@ -6,7 +6,6 @@ # IMPORT GENERIC HELPERS #================================================= -# Keep this path for calling _common.sh inside the execution's context of backup and restore scripts source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers @@ -56,7 +55,7 @@ yunohost service add $app --description="Zero Knowledge realtime collaborative e #================================================= ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1 -ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/upgrade b/scripts/upgrade index e55c805..c7750d4 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -29,7 +29,7 @@ upgrade_type=$(ynh_check_app_version_changed) #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -39,7 +39,6 @@ if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Upgrading source files..." --weight=1 - # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" #--keep="config/config.js" chmod -R o-rwx "$install_dir" @@ -69,7 +68,7 @@ if [[ $domain == *".local" ]]; then sandboxdomain=sandbox-$domain fi -ynh_script_progression --message="Setting up sandobx domain: $sandboxdomain" --weight=1 +ynh_script_progression --message="Setting up sandbox domain: $sandboxdomain" --weight=1 # We don't test that in CI if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then @@ -80,6 +79,13 @@ if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then fi fi +#================================================= +# UPGRADE DEPENDENCIES +#================================================= +ynh_script_progression --message="Upgrading dependencies..." --weight=6 + +ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version + #================================================= # NGINX CONFIGURATION #================================================= 
@@ -89,30 +95,6 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." - ynh_add_nginx_config env_path="$PATH" -#================================================= -# UPGRADE DEPENDENCIES -#================================================= -ynh_script_progression --message="Upgrading dependencies..." --weight=6 - -ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version - -#================================================= -# INSTALL CRYPTPAD -#================================================= -ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=60 - -pushd "$install_dir" - ynh_exec_warn_less npm install --allow-root - ynh_exec_warn_less npm install -g bower - ynh_exec_warn_less bower update --allow-root - ynh_exec_warn_less npm i - ynh_exec_warn_less npm run build -popd - -#================================================= -# CREATE SYSTEMD SERVICE -#================================================= -# Create a dedicated systemd config ynh_add_systemd_config yunohost service add $app --description="Zero Knowledge realtime collaborative editor" --log="/var/log/$app/$app.log" 
@@ -122,17 +104,29 @@ yunohost service add $app --description="Zero Knowledge realtime collaborative e #================================================= ynh_script_progression --message="Updating a configuration file..." --weight=1 -ynh_add_config --template="../conf/config.js" --destination="$install_dir/config/config.js" +ynh_add_config --template="config.js" --destination="$install_dir/config/config.js" chmod 600 "$install_dir/config/config.js" chown $app "$install_dir/config/config.js" +#================================================= +# INSTALL CRYPTPAD +#================================================= +ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=30 + +pushd "$install_dir" + ynh_use_nodejs + ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm ci + ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm run install:components + ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm run build +popd + #================================================= # START SYSTEMD SERVICE #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" #================================================= # COPY NGINX CONF IN SANDBOX DOMAIN diff --git a/tests.toml b/tests.toml index c9ccc0e..0fad002 100644 --- a/tests.toml +++ b/tests.toml @@ -6,6 +6,6 @@ test_format = 1.0 # Commits to test upgrade from # ------------------------------- - test_upgrade_from.2a54cd03.name = "Upgrade from 4.10.0" - test_upgrade_from.1e360398.name = "Upgrade from 4.12.0" + + test_upgrade_from.7a024ca1.name = "Upgrade from 5.3.0"
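Review bot: `ynh_add_config --template="config.js"` regenerates `config/config.js` from the package template on every upgrade, so the `adminKeys` entries that doc/ADMIN.md asks the admin to paste in are discarded each time (doc/POST_UPGRADE.md in this commit repeats the paste instructions, which suggests this is known; as far as I recall the helper keeps a dated backup of a modified file, but the upgraded instance still comes up with no admins until someone re-edits it). Consider carrying the keys across: extract the existing `adminKeys` array from the current config before calling `ynh_add_config` and feed it back through a placeholder in the template, and say so in a comment above the call. A comment on the build block would also help: it now runs after the config rewrite and before the service start, so a failed `npm ci` leaves the service stopped on the new sources.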