mirror of https://github.com/YunoHost-Apps/cryptpad_ynh.git synced 2024-09-03 18:26:14 +02:00

version 3.2.0

frju365 2019-09-28 19:00:20 +02:00
parent 2337bfa797
commit dde06fb821
No known key found for this signature in database
GPG key ID: C892BE847FF5635A
4 changed files with 260 additions and 200 deletions


@ -4,7 +4,7 @@ Cryptad for Yunohost
[![Integration level](https://dash.yunohost.org/integration/cryptpad.svg)](https://dash.yunohost.org/appci/app/cryptpad) [![Integration level](https://dash.yunohost.org/integration/cryptpad.svg)](https://dash.yunohost.org/appci/app/cryptpad)
[![Install Cryptad with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=cryptpad) [![Install Cryptad with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=cryptpad)
**Shipped version:** 2.16.0 **Shipped version:** 3.2.0
## Demo ## Demo
https://cryptpad.fr/ https://cryptpad.fr/


@ -1,5 +1,5 @@
SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/2.16.0.tar.gz SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/3.2.0.tar.gz
SOURCE_SUM=d869bddb2e1222bef289163ae1d1644e2adcaa417a0a388f329f645c7ebc64f3 SOURCE_SUM=4f7576401e506aa24c032be675539b671ace27c5453b40edfe39f84daa0fcbfc
SOURCE_SUM_PRG=sha256sum SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=tar.gz SOURCE_FORMAT=tar.gz
SOURCE_IN_SUBDIR=true SOURCE_IN_SUBDIR=true


@ -2,7 +2,7 @@
/* /*
globals module globals module
*/ */
var _domain = 'http://localhost:3000/'; var _domain = 'http://localhost:__PORT__/';
// You can `kill -USR2` the node process and it will write out a heap dump. // You can `kill -USR2` the node process and it will write out a heap dump.
// If your system doesn't support dumping, comment this out and install with // If your system doesn't support dumping, comment this out and install with
@ -12,33 +12,14 @@ var _domain = 'http://localhost:3000/';
// to enable this feature, uncomment the line below: // to enable this feature, uncomment the line below:
// require('heapdump'); // require('heapdump');
// we prepend a space because every usage expects it // we prepend a space because every usage expects it
// requiring admins to preserve it is unnecessarily confusing // requiring admins to preserve it is unnecessarily confusing
var domain = ' ' + _domain; var domain = ' ' + _domain;
module.exports = {
// the address you want to bind to, :: means all ipv4 and ipv6 addresses // Content-Security-Policy
// this may not work on all operating systems var baseCSP = [
httpAddress: '::',
// the port on which your httpd will listen
/* CryptPad can be configured to send customized HTTP Headers
* These settings may vary widely depending on your needs
* Examples are provided below
*/
httpHeaders: {
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
},
contentSecurity: [
"default-src 'none'", "default-src 'none'",
"style-src 'unsafe-inline' 'self' " + domain, "style-src 'unsafe-inline' 'self' " + domain,
"script-src 'self'" + domain,
"font-src 'self' data:" + domain, "font-src 'self' data:" + domain,
/* child-src is used to restrict iframes to a set of allowed domains. /* child-src is used to restrict iframes to a set of allowed domains.
@ -51,8 +32,6 @@ module.exports = {
// IE/Edge // IE/Edge
"frame-src blob: *", "frame-src blob: *",
"media-src * blob:",
/* this allows connections over secure or insecure websockets /* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain the ws://* directive, and change '*' to your domain
@ -61,37 +40,44 @@ module.exports = {
// data: is used by codemirror // data: is used by codemirror
"img-src 'self' data: blob:" + domain, "img-src 'self' data: blob:" + domain,
"media-src * blob:",
// for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
"frame-ancestors *", "frame-ancestors *",
].join('; '), ""
];
// CKEditor requires significantly more lax content security policy in order to function.
padContentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'" + domain,
/* See above under 'contentSecurity' as to how these values should be module.exports = {
* configured for best effect.
/* =====================
* Admin
* ===================== */
/*
* CryptPad now contains an administration panel. Its access is restricted to specific
* users using the following list.
* To give access to the admin panel to a user account, just add their user id,
* which can be found on the settings page for registered users.
* Entries should be strings separated by a comma.
*/ */
"child-src *", adminKeys: [
// IE/Edge //"https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=",
"frame-src *", ],
// see the comment above in the 'contentSecurity' section /* =====================
"connect-src 'self' ws: wss:" + domain, * Infra setup
* ===================== */
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads // the address you want to bind to, :: means all ipv4 and ipv6 addresses
"img-src * blob:", // this may not work on all operating systems
].join('; '), httpAddress: '::',
httpPort: 3000, // the port on which your httpd will listen
httpPort: __PORT__,
// This is for allowing the cross-domain iframe to function when developing // This is for allowing the cross-domain iframe to function when developing
httpSafePort: 3001, httpSafePort: __PORTI__,
// This is for deployment in production, CryptPad uses a separate origin (domain) to host the // This is for deployment in production, CryptPad uses a separate origin (domain) to host the
// cross-domain iframe. It can simply host the same content as CryptPad. // cross-domain iframe. It can simply host the same content as CryptPad.
@ -109,15 +95,31 @@ module.exports = {
*/ */
websocketPath: '/cryptpad_websocket', websocketPath: '/cryptpad_websocket',
/* CryptPad can log activity to stdout /* CryptPad can be configured to send customized HTTP Headers
* This may be useful for debugging * These settings may vary widely depending on your needs
* Examples are provided below
*/ */
logToStdout: false, httpHeaders: {
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
},
/* CryptPad supports verbose logging contentSecurity: baseCSP.join('; ') +
* (false by default) "script-src 'self'" + domain,
// CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
padContentSecurity: baseCSP.join('; ') +
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
/* it is recommended that you serve CryptPad over https
* the filepaths below are used to configure your certificates
*/ */
verbose: false, //privKeyAndCertFiles: [
// '/etc/apache2/ssl/my_secret.key',
// '/etc/apache2/ssl/my_public_cert.crt',
// '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
//],
/* Main pages /* Main pages
* add exceptions to the router so that we can access /privacy.html * add exceptions to the router so that we can access /privacy.html
@ -131,9 +133,14 @@ module.exports = {
'contact', 'contact',
'what-is-cryptpad', 'what-is-cryptpad',
'features', 'features',
'faq' 'faq',
'maintenance'
], ],
/* =====================
* Subscriptions
* ===================== */
/* Limits, Donations, Subscriptions and Contact /* Limits, Donations, Subscriptions and Contact
* *
* By default, CryptPad limits every registered user to 50MB of storage. It also shows a * By default, CryptPad limits every registered user to 50MB of storage. It also shows a
@ -149,9 +156,18 @@ module.exports = {
* If you chose B, set 'allowSubscriptions' to false. * If you chose B, set 'allowSubscriptions' to false.
* If you chose C, set 'removeDonateButton' to true * If you chose C, set 'removeDonateButton' to true
*/ */
allowSubscriptions: true, allowSubscriptions: false,
removeDonateButton: false, removeDonateButton: false,
/*
* By default, CryptPad also contacts our accounts server once a day to check for changes in
* the people who have accounts. This check-in will also send the version of your CryptPad
* instance and your email so we can reach you if we are aware of a serious problem. We will
* never sell it or send you marketing mail. If you want to block this check-in and remain
* completely invisible, set this and allowSubscriptions both to false.
*/
adminEmail: '__ADMIN_EMAIL__',
/* Sales coming from your server will be identified by your domain /* Sales coming from your server will be identified by your domain
* *
* If you are using CryptPad in a business context, please consider taking a support contract * If you are using CryptPad in a business context, please consider taking a support contract
@ -192,62 +208,15 @@ module.exports = {
*/ */
}, },
/* some features may require that the server be able to schedule tasks /* =====================
far into the future, such as: * STORAGE
> "three months from now, this channel should expire" * ===================== */
To disable these features, set 'enableTaskScheduling' to false
*/
enableTaskScheduling: true,
/* if you would like the list of scheduled tasks to be stored in /* By default the CryptPad server will run scheduled tasks every five minutes
a custom location, change the path below: * If you want to run scheduled tasks in a separate process (like a crontab)
* you can disable this behaviour by setting the following value to true
*/ */
taskPath: './tasks', disableIntegratedTasks: false,
/* if you would like users' authenticated blocks to be stored in
a custom location, change the path below:
*/
blockPath: './block',
/*
* By default, CryptPad also contacts our accounts server once a day to check for changes in
* the people who have accounts. This check-in will also send the version of your CryptPad
* instance and your email so we can reach you if we are aware of a serious problem. We will
* never sell it or send you marketing mail. If you want to block this check-in and remain
* completely invisible, set this and allowSubscriptions both to false.
*/
adminEmail: 'i.did.not.read.my.config@cryptpad.fr',
/*
You have the option of specifying an alternative storage adaptor.
These status of these alternatives are specified in their READMEs,
which are available at the following URLs:
mongodb: a noSQL database
https://github.com/xwiki-labs/cryptpad-mongo-store
amnesiadb: in memory storage
https://github.com/xwiki-labs/cryptpad-amnesia-store
leveldb: a simple, fast, key-value store
https://github.com/xwiki-labs/cryptpad-level-store
sql: an adaptor for a variety of sql databases via knexjs
https://github.com/xwiki-labs/cryptpad-sql-store
For the most up to date solution, use the default storage adaptor.
*/
storage: './storage/file',
/*
CryptPad stores each document in an individual file on your hard drive.
Specify a directory where files should be stored.
It will be created automatically if it does not already exist.
*/
filePath: './datastore/',
/* CryptPad allows logged in users to request that particular documents be
* stored by the server indefinitely. This is called 'pinning'.
* Pin requests are stored in a pin-store. The location of this store is
* defined here.
*/
pinPath: './pins',
/* Pads that are not 'pinned' by any registered user can be set to expire /* Pads that are not 'pinned' by any registered user can be set to expire
* after a configurable number of days of inactivity (default 90 days). * after a configurable number of days of inactivity (default 90 days).
@ -257,15 +226,38 @@ module.exports = {
*/ */
inactiveTime: 90, // days inactiveTime: 90, // days
/* CryptPad allows logged in users to upload encrypted files. Files/blobs /* CryptPad can be configured to remove inactive data which has not been pinned.
* are stored in a 'blob-store'. Set its location here. * Deletion of data is always risky and as an operator you have the choice to
* archive data instead of deleting it outright. Set this value to true if
* you want your server to archive files and false if you want to keep using
* the old behaviour of simply removing files.
*
* WARNING: this is not implemented universally, so at the moment this will
* only apply to the removal of 'channels' due to inactivity.
*/ */
blobPath: './blob', retainData: true,
/* CryptPad stores incomplete blobs in a 'staging' area until they are /* As described above, CryptPad offers the ability to archive some data
* fully uploaded. Set its location here. * instead of deleting it outright. This archived data still takes up space
* and so you'll probably still want to remove these files after a brief period.
* The intent with this feature is to provide a safety net in case of accidental
* deletion. Set this value to the number of days you'd like to retain
* archived data before it's removed permanently.
*
* If 'retainData' is set to false, there will never be any archived data
* to remove.
*/ */
blobStagingPath: './blobstage', archiveRetentionTime: 15,
/* Max Upload Size (bytes)
* this sets the maximum size of any one file uploaded to the server.
* anything larger than this size will be rejected
*/
maxUploadSize: 20 * 1024 * 1024,
/* =====================
* HARDWARE RELATED
* ===================== */
/* CryptPad's file storage adaptor closes unused files after a configurable /* CryptPad's file storage adaptor closes unused files after a configurable
* number of milliseconds (default 30000 (30 seconds)) * number of milliseconds (default 30000 (30 seconds))
@ -277,40 +269,80 @@ module.exports = {
*/ */
openFileLimit: 2048, openFileLimit: 2048,
/* CryptPad's socket server can be extended to respond to RPC calls
* you can configure it to respond to custom RPC calls if you like.
* provide the path to your RPC module here, or `false` if you would
* like to disable the RPC interface completely
*/
rpc: './rpc.js',
/* RPC errors are shown by default, but if you really don't care, /* =====================
* you can suppress them * DATABASE VOLUMES
*/ * ===================== */
suppressRPCErrors: false,
/* Setting this value to anything other than true will cause file upload /*
* attempts to be rejected outright. * CryptPad stores each document in an individual file on your hard drive.
* Specify a directory where files should be stored.
* It will be created automatically if it does not already exist.
*/ */
enableUploads: true, filePath: './datastore/',
/* If you have enabled file upload, you have the option of restricting it /* CryptPad offers the ability to archive data for a configurable period
* to a list of users identified by their public keys. If this value is set * before deleting it, allowing a means of recovering data in the event
* to true, your server will query a file (cryptpad/privileged.conf) when * that it was deleted accidentally.
* users connect via RPC. Only users whose public keys can be found within
* the file will be allowed to upload.
* *
* privileged.conf uses '#' for line comments, and splits keys by newline. * To set the location of this archive directory to a custom value, change
* This is a temporary measure until a better quota system is in place. * the path below:
* registered users' public keys can be found on the settings page.
*/ */
//restrictUploads: false, archivePath: './data/archive',
/* Max Upload Size (bytes) /* CryptPad allows logged in users to request that particular documents be
* this sets the maximum size of any one file uploaded to the server. * stored by the server indefinitely. This is called 'pinning'.
* anything larger than this size will be rejected * Pin requests are stored in a pin-store. The location of this store is
* defined here.
*/ */
maxUploadSize: 20 * 1024 * 1024, pinPath: './pins',
/* if you would like the list of scheduled tasks to be stored in
a custom location, change the path below:
*/
taskPath: './tasks',
/* if you would like users' authenticated blocks to be stored in
a custom location, change the path below:
*/
blockPath: './block',
/* CryptPad allows logged in users to upload encrypted files. Files/blobs
* are stored in a 'blob-store'. Set its location here.
*/
blobPath: './blob',
/* CryptPad stores incomplete blobs in a 'staging' area until they are
* fully uploaded. Set its location here.
*/
blobStagingPath: './blobstage',
/* CryptPad supports logging events directly to the disk in a 'logs' directory
* Set its location here, or set it to false (or nothing) if you'd rather not log
*/
logPath: './data/logs',
/* =====================
* Debugging
* ===================== */
/* CryptPad can log activity to stdout
* This may be useful for debugging
*/
logToStdout: false,
/* CryptPad can be configured to log more or less
* the various settings are listed below by order of importance
*
* silly, verbose, debug, feedback, info, warn, error
*
* Choose the least important level of logging you wish to see.
* For example, a 'silly' logLevel will display everything,
* while 'info' will display 'info', 'warn', and 'error' logs
*
* This will affect both logging to the console and the disk.
*/
logLevel: 'info',
/* clients can use the /settings/ app to opt out of usage feedback /* clients can use the /settings/ app to opt out of usage feedback
* which informs the server of things like how much each app is being * which informs the server of things like how much each app is being
@ -318,22 +350,11 @@ module.exports = {
* the client's browser. The intent is to provide feedback to the admin * the client's browser. The intent is to provide feedback to the admin
* such that the service can be improved. Enable this with `true` * such that the service can be improved. Enable this with `true`
* and ignore feedback with `false` or by commenting the attribute * and ignore feedback with `false` or by commenting the attribute
*
* You will need to set your logLevel to include 'feedback'. Set this
* to false if you'd like to exclude feedback from your logs.
*/ */
//logFeedback: true, logFeedback: false,
/* If you wish to see which remote procedure calls clients request,
* set this to true
*/
//logRPC: true,
/* it is recommended that you serve CryptPad over https
* the filepaths below are used to configure your certificates
*/
//privKeyAndCertFiles: [
// '/etc/apache2/ssl/my_secret.key',
// '/etc/apache2/ssl/my_public_cert.crt',
// '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
//],
/* You can get a repl for debugging the server if you want it. /* You can get a repl for debugging the server if you want it.
* to enable this, specify the debugReplName and then you can * to enable this, specify the debugReplName and then you can
@ -342,4 +363,37 @@ module.exports = {
* repl names. * repl names.
*/ */
//debugReplName: "cryptpad" //debugReplName: "cryptpad"
/* =====================
* DEPRECATED
* ===================== */
/*
You have the option of specifying an alternative storage adaptor.
These status of these alternatives are specified in their READMEs,
which are available at the following URLs:
mongodb: a noSQL database
https://github.com/xwiki-labs/cryptpad-mongo-store
amnesiadb: in memory storage
https://github.com/xwiki-labs/cryptpad-amnesia-store
leveldb: a simple, fast, key-value store
https://github.com/xwiki-labs/cryptpad-level-store
sql: an adaptor for a variety of sql databases via knexjs
https://github.com/xwiki-labs/cryptpad-sql-store
For the most up to date solution, use the default storage adaptor.
*/
storage: './storage/file',
/* CryptPad's socket server can be extended to respond to RPC calls
* you can configure it to respond to custom RPC calls if you like.
* provide the path to your RPC module here, or `false` if you would
* like to disable the RPC interface completely
*/
rpc: './rpc.js',
/* CryptPad supports verbose logging
* (false by default)
*/
verbose: false,
}; };
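Review bot: `httpAddress: '::'` in the new "Infra setup" block keeps the node server listening on every interface, and the install script in this same commit opens both `$port` and `$porti` in the firewall. Since `privKeyAndCertFiles` stays commented out, those listeners speak plain HTTP and appear to be reachable directly, not only through whatever terminates TLS for `https://$domain$path_url`. For an application whose confidentiality depends on the browser receiving untampered JavaScript, a directly reachable plain-HTTP port is a downgrade path worth closing. If a local reverse proxy fronts the service, which this page does not show, I would bind with `httpAddress: '127.0.0.1',` and drop the two `yunohost firewall allow` calls. The `module.exports` object spans several hunks, so this concerns the resulting file rather than a single hunk.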


@ -61,6 +61,12 @@ port=$(ynh_find_port 4000)
yunohost firewall allow --no-upnp TCP $port 2>&1 yunohost firewall allow --no-upnp TCP $port 2>&1
ynh_app_setting_set $app port $port ynh_app_setting_set $app port $port
porti=$(ynh_find_port 5000)
# Open this port
yunohost firewall allow --no-upnp TCP $porti 2>&1
ynh_app_setting_set $app porti $porti
#================================================= #=================================================
# INSTALL NODEJS # INSTALL NODEJS
#================================================= #=================================================
@ -113,6 +119,25 @@ touch $install_log
chown $app: -R /var/log/$app chown $app: -R /var/log/$app
chown admin: -R $install_log chown admin: -R $install_log
#=================================================
# CONFIGURE SERVER.JS
#=================================================
# Copy default configuration file
mv "$final_path/config.example.js" "$final_path/config.js"
ynh_replace_string "_domain = 'http://localhost:3000/'" "_domain = 'https://$domain$path_url'" "$final_path/config.js"
# Set service port
ynh_replace_string "__PORT__" "$port" "$final_path/config.js"
ynh_replace_string "__PORT__" "$porti" "$final_path/config.js"
# Tune CSP to allow for YunoHost tile
#ynh_replace_string "\"script-src 'self'\"" "\"script-src 'self' 'unsafe-eval'\"" "$final_path/config.js"
# Remove donate button
ynh_replace_string "removeDonateButton: false" "removeDonateButton: true" "$final_path/config.js"
# Disable analytics unsolicited communications
ynh_replace_string "__ADMIN_EMAIL_" "$admin_email" "$final_path/config.js"
cp $final_path/config.js $final_path/config.example
# Store file checksum to detected user modifications on upgrade
ynh_store_file_checksum "$final_path/config.js"
#================================================= #=================================================
# INSTALL CRYPTPAD # INSTALL CRYPTPAD
@ -125,25 +150,6 @@ npm install -g bower --allow-root
bower install --allow-root bower install --allow-root
popd popd
#=================================================
# CONFIGURE SERVER.JS
#=================================================
# Copy default configuration file
mv "$final_path/config.example.js" "$final_path/config.js"
ynh_replace_string "_domain = 'http://localhost:3000/'" "_domain = 'https://$domain$path_url'" "$final_path/config.js"
# Set service port
ynh_replace_string "httpPort: 3000" "httpPort: $port" "$final_path/config.js"
# Tune CSP to allow for YunoHost tile
#ynh_replace_string "\"script-src 'self'\"" "\"script-src 'self' 'unsafe-eval'\"" "$final_path/config.js"
# Remove donate button
ynh_replace_string "removeDonateButton: false" "removeDonateButton: true" "$final_path/config.js"
# Disable analytics unsolicited communications
ynh_replace_string "adminEmail: 'i.did.not.read.my.config@cryptpad.fr'" "adminEmail: '$admin_email'" "$final_path/config.js"
cp $final_path/config.js $final_path/config.example
# Store file checksum to detected user modifications on upgrade
ynh_store_file_checksum "$final_path/config.js"
#================================================= #=================================================
# Set some permissions # Set some permissions
#================================================= #=================================================
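Review bot: Three substitutions in the relocated CONFIGURE SERVER.JS block do not match the placeholders in the config template from this commit. The second port line repeats `__PORT__`, which the line above has already consumed, so `httpSafePort: __PORTI__` is left as a bare identifier; it should be `ynh_replace_string "__PORTI__" "$porti" "$final_path/config.js"`. The pattern `"__ADMIN_EMAIL_"` is one underscore short of `__ADMIN_EMAIL__` and would leave a stray `_` after the address. The `_domain` pattern still looks for `localhost:3000/` while the template now reads `localhost:__PORT__/`, so the origin used in the CSP source lists would stay on localhost. All of this assumes the template is what ends up at `$final_path/config.js`; the block only moves `config.example.js` into place and no copy of the template is visible here.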