From 7c3ed39eea1f39951d972cadddd59a58b08967a6 Mon Sep 17 00:00:00 2001
From: DDATAA <45762540+Ddataa@users.noreply.github.com>
Date: Fri, 24 Mar 2023 07:27:18 +0000
Subject: [PATCH 1/9] Update nginx.conf

---
 conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index fba1cd7..f07531d 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -21,7 +21,7 @@ if ($args ~ ver=) {
 }
 more_set_headers "Cache-Control: $cacheControl";
 set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
-set $connectSrc "'self' blob: https://${main_domain} https://${sandbox_domain} wss://${main_domain}";
+set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
 set $fontSrc "'self' data: https://${main_domain}";
 set $imgSrc "'self' data: blob: https://${main_domain}";
 set $frameSrc "'self' https://${sandbox_domain} blob:";
From f1d3e8b1d877ea0fe78e6b60f2435d7b47ea5798 Mon Sep 17 00:00:00 2001
From: DDATAA <45762540+Ddataa@users.noreply.github.com>
Date: Fri, 24 Mar 2023 08:25:13 +0000
Subject: [PATCH 2/9] Update nginx.conf

---
 conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index f07531d..eb2e105 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -4,7 +4,7 @@ set $allowed_origins "https://${sandbox_domain}";
 set $api_domain "__DOMAIN__";
 set $files_domain "__DOMAIN__";
 ssl_ecdh_curve secp384r1;
-more_set_headers "Strict-Transport-Security: 'max-age=31536000; includeSubDomains' always";
+more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; always";
 more_set_headers "X-XSS-Protection: '1; mode=block'";
 more_set_headers "X-Content-Type-Options: nosniff";
 more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
From bb1d1f155d31308f3c477eaa9622806419746365 Mon Sep 17 00:00:00 2001
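Review bot: The rewritten `connect-src` on the `+` line drops `wss://${main_domain}` and keeps only `wss://${api_domain}`; `$api_domain` is assigned the `__DOMAIN__` placeholder near the top of the file (visible as context in the next patch), so the websocket stays reachable only if that placeholder is substituted with the same host as `$main_domain`. If the two can ever differ, the browser will block the main-domain socket under CSP. Keeping both sources, `set $connectSrc "'self' https://${main_domain} blob: wss://${main_domain} wss://${api_domain} https://${sandbox_domain}";`, or a comment above the line stating that `$api_domain` is expected to equal `$main_domain`, would make the intent explicit. The `if` block whose closing brace opens the hunk starts outside it.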
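Review bot: `always` on the `+` line is the flag of nginx's `add_header` directive, not an HSTS directive, and `more_set_headers` has no such flag, so the header is now sent as `max-age=31536000; includeSubDomains; always` with a spurious third directive that RFC 6797 tells clients to ignore. The old value was wrong too (the single quotes were part of the header value), but the fix should be `more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";`. Patch 7 in this series deletes the line altogether because YunoHost's shared nginx config already emits it, so this matters only if the line is kept.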
From: DDATAA <45762540+Ddataa@users.noreply.github.com>
Date: Fri, 24 Mar 2023 08:35:15 +0000
Subject: [PATCH 3/9] Update nginx.conf

---
 conf/nginx.conf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index eb2e105..4d9c445 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -67,9 +67,9 @@ location ~ ^/api/.*$ {
 }
 location ^~ /blob/ {
 if ($request_method = 'OPTIONS') {
- more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
+ more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
 more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
- more_set_headers "Access-Control-Allow-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'";
+ more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range";
 more_set_headers "Access-Control-Max-Age: 1728000";
 more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'";
 more_set_headers "Content-Length: 0";
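Review bot: The quote removal on the two `+` lines is right, but the same quoting bug is left in the server-level `more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";` that the previous patch shows as context at the top of the file, and in `Access-Control-Allow-Methods: 'GET, POST, OPTIONS'` on the context line between them; a quoted origin never string-matches the request's `Origin`, so cross-origin requests from the sandbox domain will still fail the CORS check in any location that does not override that server-level header. The quoted `Content-Type: 'application/octet-stream; charset=utf-8'` two lines below has the same shape. Applying the same change there, `more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";` at server level and `more_set_headers "Access-Control-Allow-Methods: GET, POST, OPTIONS";` here, would finish the cleanup; the second hunk of this patch repeats the `Allow-Methods` line. The `location ^~ /blob/` block containing these lines continues past the hunk.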
@@ -77,10 +77,10 @@ location ^~ /blob/ {
 }
 more_set_headers "X-Content-Type-Options: nosniff";
 more_set_headers "Cache-Control: max-age=31536000'";
- more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
+ more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
 more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
- more_set_headers "Access-Control-Allow-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'";
- more_set_headers "Access-Control-Expose-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'";
+ more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
+ more_set_headers "Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
 try_files $uri =404;
 }
 location ^~ /block/ {
From 57d43bde9aeb39e8f35fe984f6c3c82ddcd0dd81 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 24 Mar 2023 13:36:43 +0100
Subject: [PATCH 4/9] Tweak POST_INSTALL.md

---
 doc/POST_INSTALL.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/doc/POST_INSTALL.md b/doc/POST_INSTALL.md
index d617b01..9c530ab 100644
--- a/doc/POST_INSTALL.md
+++ b/doc/POST_INSTALL.md
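Review bot: The context line `more_set_headers "Cache-Control: max-age=31536000'";` carries a stray trailing `'`, so clients receive `max-age=31536000'`, which is not a valid delta-seconds value and caches are entitled to treat the directive as absent; it should read `more_set_headers "Cache-Control: max-age=31536000";`. Separately, the new `Access-Control-Expose-Headers` value lists request-only headers (`DNT`, `Keep-Alive`, `User-Agent`, `X-Requested-With`, …) that never appear on a response; harmless, but only `Content-Length` and `Content-Range` are meaningful there, and trimming the list would make the intent readable. The `location ^~ /blob/` block starts before this hunk.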
@@ -2,12 +2,15 @@ We have added a sandbox domain: __SANDBOXDOMAIN__ for you but you still need to You will need also to restart CryptPad service after this is done. Then you can please open CryptPad domain: https://__DOMAIN__ + Once CryptPad is installed, create an account via the Sign Up button on the home page which will take you to the Register page. To make this account an instance administrator: 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key -2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder): +2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder): +``` adminKeys: [ "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]", ], +``` From b62f7ab37429a58afb370ba4e01016bb9de45b52 Mon Sep 17 00:00:00 2001 From: DDATAA <45762540+Ddataa@users.noreply.github.com> Date: Fri, 24 Mar 2023 14:14:29 +0000 Subject: [PATCH 5/9] Update manifest.toml --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index 2dfcaf7..d5d49c9 100644 --- a/manifest.toml +++ b/manifest.toml @@ -5,7 +5,7 @@ name = "CryptPad" description.en = "Zero Knowledge realtime collaborative office suite" description.fr = "Suite bureautique chiffrée pour la collaboration en temps réel" -version = "5.2.1~ynh7" +version = "5.2.1~ynh8" maintainers = ["ddataa"] From 263fd461550a18b7e82c9b8ed13313b3b2c87604 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Fri, 24 Mar 2023 14:14:33 +0000 Subject: [PATCH 6/9] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 19ec395..b54a955 100644 --- a/README.md +++ b/README.md 
@@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in CryptPad is a collaboration suite that is end-to-end-encrypted and open-source. It is built to enable collaboration, synchronizing changes to documents in real time. Because all data is encrypted, the service and its administrators have no way of seeing the content being edited and stored. -**Shipped version:** 5.2.1~ynh7 +**Shipped version:** 5.2.1~ynh8 **Demo:** https://cryptpad.fr/ diff --git a/README_fr.md b/README_fr.md index 42aac78..cf6df27 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,7 +18,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po CryptPad est une suite de collaboration chiffrée de bout en bout et open source. Il est conçu pour permettre la collaboration, en synchronisant les modifications apportées aux documents en temps réel. Étant donné que toutes les données sont chiffrées, le service et ses administrateurs n'ont aucun moyen de voir le contenu modifié et stocké. -**Version incluse :** 5.2.1~ynh7 +**Version incluse :** 5.2.1~ynh8 **Démo :** https://cryptpad.fr/ From 870d575160dae824632792626a9003f3f292acec Mon Sep 17 00:00:00 2001 From: DDATAA <45762540+Ddataa@users.noreply.github.com> Date: Fri, 24 Mar 2023 14:27:58 +0000 Subject: [PATCH 7/9] Update nginx.conf Not super comfortable with those three lines :/ There's already https://github.com/YunoHost/yunohost/blob/dev/conf/nginx/server.tpl.conf#L52 and https://github.com/YunoHost/yunohost/blob/dev/conf/nginx/security.conf.inc#L33-L34 --- conf/nginx.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 4d9c445..f3e1778 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
@@ -4,9 +4,6 @@ set $allowed_origins "https://${sandbox_domain}"; set $api_domain "__DOMAIN__"; set $files_domain "__DOMAIN__"; ssl_ecdh_curve secp384r1; -more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; always"; -more_set_headers "X-XSS-Protection: '1; mode=block'"; -more_set_headers "X-Content-Type-Options: nosniff"; more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'"; more_set_headers "Cross-Origin-Resource-Policy: cross-origin"; more_set_headers "Cross-Origin-Embedder-Policy: require-corp"; From 39ea716bdbe14d74544bde5477a255b7d9d3ce8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Tue, 4 Apr 2023 16:21:56 +0200 Subject: [PATCH 8/9] add autoupdater --- .github/workflows/updater.sh | 127 ---------------------------------- .github/workflows/updater.yml | 48 ------------- manifest.toml | 3 +- 3 files changed, 2 insertions(+), 176 deletions(-) delete mode 100644 .github/workflows/updater.sh delete mode 100644 .github/workflows/updater.yml diff --git a/.github/workflows/updater.sh b/.github/workflows/updater.sh deleted file mode 100644 index 6274d07..0000000 --- a/.github/workflows/updater.sh +++ /dev/null 
@@ -1,127 +0,0 @@ -#!/bin/bash - -#================================================= -# PACKAGE UPDATING HELPER -#================================================= - -# This script is meant to be run by GitHub Actions -# The YunoHost-Apps organisation offers a template Action to run this script periodically -# Since each app is different, maintainers can adapt its contents so as to perform -# automatic actions when a new upstream release is detected. - -# Remove this exit command when you are ready to run this Action -#exit 1 - -#================================================= -# FETCHING LATEST RELEASE AND ITS ASSETS -#================================================= - -# Fetching information -current_version=$(cat manifest.json | jq -j '.version|split("~")[0]') -repo=$(cat manifest.json | jq -j '.upstream.code|split("https://github.com/")[1]') -# Some jq magic is needed, because the latest upstream release is not always the latest version (e.g. security patches for older versions) -version=$(curl --silent "https://api.github.com/repos/$repo/releases" | jq -r '.[] | select( .prerelease != true ) | .tag_name' | sort -V | tail -1) -assets=($(curl --silent "https://api.github.com/repos/$repo/releases" | jq -r '[ .[] | select(.tag_name=="'$version'").assets[].browser_download_url ] | join(" ") | @sh' | tr -d "'")) - -if [[ ${version:0:1} == "v" || ${version:0:1} == "V" ]]; then - version=${version:1} -fi - -# Setting up the environment variables -echo "Current version: $current_version" -echo "Latest release from upstream: $version" -echo "VERSION=$version" >> $GITHUB_ENV -# For the time being, let's assume the script will fail -echo "PROCEED=false" >> $GITHUB_ENV - -# Proceed only if the retrieved version is greater than the current one -if ! 
dpkg --compare-versions "$current_version" "lt" "$version" ; then - echo "::warning ::No new version available" - exit 0 -# Proceed only if a PR for this new version does not already exist -elif git ls-remote -q --exit-code --heads https://github.com/$GITHUB_REPOSITORY.git ci-auto-update-v$version ; then - echo "::warning ::A branch already exists for this update" - exit 0 -fi - -# Each release can hold multiple assets (e.g. binaries for different architectures, source code, etc.) -echo "${#assets[@]} available asset(s)" - -#================================================= -# UPDATE SOURCE FILES -#================================================= - -# Here we use the $assets variable to get the resources published in the upstream release. -# Here is an example for Grav, it has to be adapted in accordance with how the upstream releases look like. - -# Let's loop over the array of assets URLs -for asset_url in ${assets[@]}; do - -echo "Handling asset at $asset_url" - -# Assign the asset to a source file in conf/ directory -# Here we base the source file name upon a unique keyword in the assets url (admin vs. update) -# Leave $src empty to ignore the asset -case $asset_url in - *".tar.gz") - src="app" - ;; -esac - -# If $src is not empty, let's process the asset -if [ ! -z "$src" ]; then - -# Create the temporary directory -tempdir="$(mktemp -d)" - -# Download sources and calculate checksum -filename=${asset_url##*/} -curl --silent -4 -L $asset_url -o "$tempdir/$filename" -checksum=$(sha256sum "$tempdir/$filename" | head -c 64) - -# Delete temporary directory -rm -rf $tempdir - -# Get extension -if [[ $filename == *.tar.gz ]]; then - extension=tar.gz -else - extension=${filename##*.} -fi - -# Rewrite source file -cat < conf/$src.src -SOURCE_URL=$asset_url -SOURCE_SUM=$checksum -SOURCE_SUM_PRG=sha256sum -SOURCE_FORMAT=$extension -SOURCE_IN_SUBDIR=true -SOURCE_FILENAME=cryptpad.tar.gz -EOT -echo "... conf/$src.src updated" - -else -echo "... 
asset ignored" -fi - -done - -#================================================= -# SPECIFIC UPDATE STEPS -#================================================= - -# Any action on the app's source code can be done. -# The GitHub Action workflow takes care of committing all changes after this script ends. - -#================================================= -# GENERIC FINALIZATION -#================================================= - -# Replace new version in manifest -echo "$(jq -s --indent 4 ".[] | .version = \"$version~ynh1\"" manifest.json)" > manifest.json - -# No need to update the README, yunohost-bot takes care of it - -# The Action will proceed only if the PROCEED environment variable is set to true -echo "PROCEED=true" >> $GITHUB_ENV -exit 0 diff --git a/.github/workflows/updater.yml b/.github/workflows/updater.yml deleted file mode 100644 index ac12a56..0000000 --- a/.github/workflows/updater.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -# This workflow allows GitHub Actions to automagically update your app whenever a new upstream release is detected. -# You need to enable Actions in your repository settings, and fetch this Action from the YunoHost-Apps organization. -# This file should be enough by itself, but feel free to tune it to your needs. -# It calls updater.sh, which is where you should put the app-specific update steps. -name: Check for new upstream releases -on: - # Allow to manually trigger the workflow - workflow_dispatch: - # Run it every day at 6:00 UTC - schedule: - - cron: '0 6 * * *' -jobs: - updater: - runs-on: ubuntu-latest - steps: - - name: Fetch the source code - uses: actions/checkout@v3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: Run the updater script - id: run_updater - run: | - # Setting up Git user - git config --global user.name 'yunohost-bot' - git config --global user.email 'yunohost-bot@users.noreply.github.com' - # Run the updater script - /bin/bash .github/workflows/updater.sh - - name: Commit changes - id: commit - if: ${{ env.PROCEED == 'true' }} - run: | - git commit -am "Upgrade to v$VERSION" - - name: Create Pull Request - id: cpr - if: ${{ env.PROCEED == 'true' }} - uses: peter-evans/create-pull-request@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - commit-message: Update to version ${{ env.VERSION }} - committer: 'yunohost-bot ' - author: 'yunohost-bot ' - signoff: false - branch: ci-auto-update-v${{ env.VERSION }} - delete-branch: true - title: 'Upgrade to version ${{ env.VERSION }}' - body: | - Upgrade to v${{ env.VERSION }} - draft: false diff --git a/manifest.toml b/manifest.toml index d5d49c9..b15b0d1 100644 --- a/manifest.toml +++ b/manifest.toml @@ -19,7 +19,7 @@ cpe = "cpe:2.3:a:xwiki:cryptpad" fund = "https://opencollective.com/cryptpad/contribute?language=fr" [integration] -yunohost = ">= 11.1.15" +yunohost = ">= 11.1.16" architectures = "all" multi_instance = false ldap = false 
@@ -48,6 +48,7 @@ ram.runtime = "50M" [resources.sources.main] url = "https://github.com/xwiki-labs/cryptpad/archive/5.2.1.tar.gz" sha256 = "945abe5bae0da25a4e2ef8e02730aaa5bb5e5a0b8bfd7a23a09ec38422d7c47f" + autoupdate.strategy = "latest_github_tag" [resources.ports] main.default = 3000 From ef89fff4ee4124994920a992838faf13d3d40c01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Sun, 9 Apr 2023 16:44:08 +0200 Subject: [PATCH 9/9] Update manifest.toml --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index b15b0d1..ac7aa3b 100644 --- a/manifest.toml +++ b/manifest.toml @@ -19,7 +19,7 @@ cpe = "cpe:2.3:a:xwiki:cryptpad" fund = "https://opencollective.com/cryptpad/contribute?language=fr" [integration] -yunohost = ">= 11.1.16" +yunohost = ">= 11.1.17" architectures = "all" multi_instance = false ldap = false
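Review bot: The added `autoupdate.strategy` line is indented while its siblings `url` and `sha256` under `[resources.sources.main]` sit at column 0; TOML ignores the whitespace, but the file's style is flat, so it should be `autoupdate.strategy = "latest_github_tag"` at column 0. Since the `sha256` on the line above is the only integrity check on the fetched tarball, it presumably gets rewritten together with `url` by the autoupdater on each bump — worth confirming that the pin cannot lag behind the URL. The deleted `updater.sh` also stripped a leading `v` from tags and skipped pre-releases; whether `latest_github_tag` does the same is not visible here.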