From 748dcfd8c5f869dd6d78fe471c9a1eb30d1a3334 Mon Sep 17 00:00:00 2001
From: pitchum
Date: Sat, 4 Apr 2020 14:36:01 +0200
Subject: [PATCH 1/5] Setup XMPP components for each domain, not only the main domain.
---
 data/hooks/conf_regen/12-metronome | 8 +--
 data/templates/metronome/domain.tpl.cfg.lua | 56 +++++++++++++++++++++
 data/templates/metronome/metronome.cfg.lua | 47 -----------------
 src/yunohost/certificate.py | 16 +++---
 4 files changed, 67 insertions(+), 60 deletions(-)
diff --git a/data/hooks/conf_regen/12-metronome b/data/hooks/conf_regen/12-metronome
index 5c9c67f11..903e9fb2e 100755
--- a/data/hooks/conf_regen/12-metronome
+++ b/data/hooks/conf_regen/12-metronome
@@ -48,11 +48,11 @@ do_post_regen() {
 # create metronome directories for domains
 for domain in $domain_list; do
 mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
+ # http_upload directory must be writable by metronome and readable by nginx
+ mkdir -p "/var/xmpp-upload/${domain}/upload"
+ chmod g+s "/var/xmpp-upload/${domain}/upload"
+ chown -R metronome:www-data "/var/xmpp-upload/${domain}"
 done
- # http_upload directory must be writable by metronome and readable by nginx
- mkdir -p "/var/xmpp-upload/${main_domain}/upload"
- chmod g+s "/var/xmpp-upload/${main_domain}/upload"
- chown -R metronome:www-data "/var/xmpp-upload/${main_domain}"
 # fix some permissions
diff --git a/data/templates/metronome/domain.tpl.cfg.lua b/data/templates/metronome/domain.tpl.cfg.lua
index e7f6bcef7..aa2f45e5a 100644
--- a/data/templates/metronome/domain.tpl.cfg.lua
+++ b/data/templates/metronome/domain.tpl.cfg.lua
@@ -1,4 +1,5 @@
 VirtualHost "{{ domain }}"
+ enable = true
 ssl = {
 key = "/etc/yunohost/certs/{{ domain }}/key.pem";
 certificate = "/etc/yunohost/certs/{{ domain }}/crt.pem";
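Review bot: The mode of the new per-domain upload directories is never set: `mkdir -p` takes whatever umask the hook runs under and `chmod g+s` only adds the setgid bit, so the "writable by metronome and readable by nginx" contract stated in the comment is not enforced by these four lines. Pinning it right after the mkdir, e.g. `chmod 2750 "/var/xmpp-upload/${domain}/upload"`, would make the result independent of the caller's umask (assuming metronome creates its files group-readable) and would also make the separate `chmod g+s` line redundant. Note too that `chown -R` now walks every domain's whole upload tree on each regen, which is correct but grows with the amount of stored uploads. do_post_regen starts and ends outside the hunk.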
@@ -13,3 +14,58 @@ VirtualHost "{{ domain }}"
 namefield = "cn",
 },
 }
+
+ -- Discovery items
+ disco_items = {
+ { "muc.{{ domain }}" },
+ { "pubsub.{{ domain }}" },
+ { "jabber.{{ domain }}" },
+ { "vjud.{{ domain }}" },
+ { "xmpp-upload.{{ domain }}" },
+ };
+
+-- contact_info = {
+-- abuse = { "mailto:abuse@{{ domain }}", "xmpp:admin@{{ domain }}" };
+-- admin = { "mailto:root@{{ domain }}", "xmpp:admin@{{ domain }}" };
+-- };
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+
+---Set up a MUC (multi-user chat) room server
+Component "muc.{{ domain }}" "muc"
+ name = "{{ domain }} Chatrooms"
+
+ modules_enabled = {
+ "muc_limits";
+ "muc_log";
+ "muc_log_mam";
+ "muc_log_http";
+ "muc_vcard";
+ }
+
+ muc_event_rate = 0.5
+ muc_burst_factor = 10
+
+---Set up a PubSub server
+Component "pubsub.{{ domain }}" "pubsub"
+ name = "{{ domain }} Publish/Subscribe"
+
+ unrestricted_node_creation = true -- Anyone can create a PubSub node (from any server)
+
+---Set up a HTTP Upload service
+Component "xmpp-upload.{{ domain }}" "http_upload"
+ name = "{{ domain }} Sharing Service"
+
+ http_file_path = "/var/xmpp-upload/{{ domain }}/upload"
+ http_external_url = "https://xmpp-upload.{{ domain }}:443"
+ http_file_base_path = "/upload"
+ http_file_size_limit = 6*1024*1024
+ http_file_quota = 60*1024*1024
+ http_upload_file_size_limit = 100 * 1024 * 1024 -- bytes
+ http_upload_quota = 10 * 1024 * 1024 * 1024 -- bytes
+
+---Set up a VJUD service
+Component "vjud.{{ domain }}" "vjud"
+ vjud_disco_name = "{{ domain }} User Directory"
diff --git a/data/templates/metronome/metronome.cfg.lua b/data/templates/metronome/metronome.cfg.lua
index b35684add..c1ea83281 100644
--- a/data/templates/metronome/metronome.cfg.lua
+++ b/data/templates/metronome/metronome.cfg.lua
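Review bot: The vjud option key differs from the block this template replaces: here it is `vjud_disco_name`, while the component removed from metronome.cfg.lua in this same patch used `ud_disco_name`; only one of them can be what mod_vjud reads, so confirm which, otherwise the directory silently gets the module's default name. The disco_items list also advertises `{ "jabber.{{ domain }}" }` although no Component for that host is defined in this template (the removed list did not have it), so unless it is configured elsewhere clients will discover a host that does not answer. Finally, `unrestricted_node_creation = true` ("from any server") and the 10 GiB `http_upload_quota` were previously applied to the main domain only and are now stamped onto every parent domain; a one-line comment saying that is intended, or a template variable if it is not, would help the next reader.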
@@ -81,14 +81,6 @@ http_interfaces = { "127.0.0.1", "::1" }
 -- Enable IPv6
 use_ipv6 = true
--- Discovery items
-disco_items = {
- { "muc.{{ main_domain }}" },
- { "pubsub.{{ main_domain }}" },
- { "xmpp-upload.{{ main_domain }}" },
- { "vjud.{{ main_domain }}" }
-};
-
 -- BOSH configuration (mod_bosh)
 consider_bosh_secure = true
 cross_domain_bosh = true
@@ -119,45 +111,6 @@ log = {
 Component "localhost" "http"
 modules_enabled = { "bosh" }
----Set up a MUC (multi-user chat) room server
-Component "muc.{{ main_domain }}" "muc"
- name = "{{ main_domain }} Chatrooms"
-
- modules_enabled = {
- "muc_limits";
- "muc_log";
- "muc_log_mam";
- "muc_log_http";
- "muc_vcard";
- }
-
- muc_event_rate = 0.5
- muc_burst_factor = 10
-
----Set up a PubSub server
-Component "pubsub.{{ main_domain }}" "pubsub"
- name = "{{ main_domain }} Publish/Subscribe"
-
- unrestricted_node_creation = true -- Anyone can create a PubSub node (from any server)
-
----Set up a HTTP Upload service
-Component "xmpp-upload.{{ main_domain }}" "http_upload"
- name = "{{ main_domain }} Sharing Service"
-
- http_file_path = "/var/xmpp-upload/{{ main_domain }}/upload"
- http_external_url = "https://xmpp-upload.{{ main_domain }}:443"
- http_file_base_path = "/upload"
- http_file_size_limit = 6*1024*1024
- http_file_quota = 60*1024*1024
- http_upload_file_size_limit = 100 * 1024 * 1024 -- bytes
- http_upload_quota = 10 * 1024 * 1024 * 1024 -- bytes
-
-
----Set up a VJUD service
-Component "vjud.{{ main_domain }}" "vjud"
- ud_disco_name = "{{ main_domain }} User Directory"
-
-
 ---------- Virtual hosts -----------
 -- You need to add a VirtualHost entry for each domain you wish Metronome to serve.
 -- Settings under each VirtualHost entry apply *only* to that host.
diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py
index 5fae59060..c6f520b4e 100644
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
@@ -639,15 +639,13 @@ def _prepare_certificate_signing_request(domain, key_file, output_folder):
 # Set the domain
 csr.get_subject().CN = domain
- from yunohost.domain import _get_maindomain
- if domain == _get_maindomain():
- # Include xmpp-upload subdomain in subject alternate names
- subdomain="xmpp-upload." + domain
- try:
- _dns_ip_match_public_ip(get_public_ip(), subdomain)
- csr.add_extensions([crypto.X509Extension("subjectAltName", False, "DNS:" + subdomain)])
- except YunohostError:
- logger.warning(m18n.n('certmanager_warning_subdomain_dns_record', subdomain=subdomain, domain=domain))
+ # Include xmpp-upload subdomain in subject alternate names
+ subdomain="xmpp-upload." + domain
+ try:
+ _dns_ip_match_public_ip(get_public_ip(), subdomain)
+ csr.add_extensions([crypto.X509Extension("subjectAltName", False, "DNS:" + subdomain)])
+ except YunohostError:
+ logger.warning(m18n.n('certmanager_warning_subdomain_dns_record', subdomain=subdomain, domain=domain))
 # Set the key
 with open(key_file, 'rt') as f:
From cf3b98b5237db1f67a28af7d9fd4f5852dc0a593 Mon Sep 17 00:00:00 2001
From: pitchum
Date: Sat, 4 Apr 2020 15:06:44 +0200
Subject: [PATCH 2/5] Fix nginx config for xmpp-upload.
---
 data/templates/nginx/server.tpl.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index 6316960c4..5a5176688 100644
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@@ -71,7 +71,7 @@ server {
 root /dev/null;
 location /upload/ {
- alias /var/xmpp-upload/{{ domain }}/upload;
+ alias /var/xmpp-upload/{{ domain }}/upload/;
 # Pass all requests to metronome, except for GET and HEAD requests.
 limit_except GET HEAD {
 proxy_pass http://localhost:5290;
From 22c88dc47e57980058265ae1083a5a8ef4284310 Mon Sep 17 00:00:00 2001
From: pitchum
Date: Mon, 6 Apr 2020 20:38:42 +0200
Subject: [PATCH 3/5] Enable XMPP features only on "parent domains".
---
 data/actionsmap/yunohost.yml | 4 ++++
 data/hooks/conf_regen/12-metronome | 2 +-
 src/yunohost/domain.py | 11 ++++++++---
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/data/actionsmap/yunohost.yml b/data/actionsmap/yunohost.yml
index 3a4c9db97..cd1c4916f 100644
--- a/data/actionsmap/yunohost.yml
+++ b/data/actionsmap/yunohost.yml
@@ -399,6 +399,10 @@ domain:
 list:
 action_help: List domains
 api: GET /domains
+ arguments:
+ --exclude-subdomains:
+ help: Filter out domains that are obviously subdomains of other declared domains
+ action: store_true
 ### domain_add()
 add:
diff --git a/data/hooks/conf_regen/12-metronome b/data/hooks/conf_regen/12-metronome
index 903e9fb2e..25ccd40ac 100755
--- a/data/hooks/conf_regen/12-metronome
+++ b/data/hooks/conf_regen/12-metronome
@@ -43,7 +43,7 @@ do_post_regen() {
 # retrieve variables
 main_domain=$(cat /etc/yunohost/current_host)
- domain_list=$(yunohost domain list --output-as plain --quiet)
+ domain_list=$(yunohost domain list --exclude-subdomains --output-as plain --quiet)
 # create metronome directories for domains
 for domain in $domain_list; do
diff --git a/src/yunohost/domain.py b/src/yunohost/domain.py
index 23b5a4179..a1ac65b81 100644
--- a/src/yunohost/domain.py
+++ b/src/yunohost/domain.py
@@ -41,7 +41,7 @@ from yunohost.hook import hook_callback
 logger = getActionLogger('yunohost.domain')
-def domain_list():
+def domain_list(exclude_subdomains=False):
 """
 List domains
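Review bot: The help text `Filter out domains that are obviously subdomains of other declared domains` is vaguer than what the flag does: the implementation in the second domain.py hunk of this patch drops a domain only when its immediate parent (everything after the first dot) is itself a declared domain, so `help: Filter out domains whose direct parent domain is also declared` would describe it accurately. On the 12-metronome side the hook now depends on the flag existing in the installed actionsmap; if the hook ever runs against an older actionsmap the command fails, `domain_list` is empty and the loop silently creates nothing, which deserves at least a comment. The `main_domain=$(cat /etc/yunohost/current_host)` line kept as context is, as far as this series shows, no longer used by the loop after patch 1, so it may be dead now; do_post_regen starts and ends outside the hunk.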
@@ -49,16 +49,21 @@ def domain_list():
 filter -- LDAP filter used to search
 offset -- Starting number for domain fetching
 limit -- Maximum number of domain fetched
+ exclude_subdomains -- Filter out domains that are subdomains of other declared domains
 """
 from yunohost.utils.ldap import _get_ldap_interface
 ldap = _get_ldap_interface()
- result = ldap.search('ou=domains,dc=yunohost,dc=org', 'virtualdomain=*', ['virtualdomain'])
+ result = [entry['virtualdomain'][0] for entry in ldap.search('ou=domains,dc=yunohost,dc=org', 'virtualdomain=*', ['virtualdomain'])]
 result_list = []
 for domain in result:
- result_list.append(domain['virtualdomain'][0])
+ if exclude_subdomains:
+ parent_domain = domain.split(".", 1)[1]
+ if parent_domain in result:
+ continue
+ result_list.append(domain)
 return {'domains': result_list}
From c42f7172f7a4ada26209cac392c844a2d57c6d01 Mon Sep 17 00:00:00 2001
From: pitchum
Date: Wed, 22 Apr 2020 10:34:40 +0200
Subject: [PATCH 4/5] Do not include xmpp-upload in certificates of "child" domains
Co-Authored-By: Alexandre Aubin
---
 src/yunohost/certificate.py | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py
index c6f520b4e..aa137c784 100644
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
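Review bot: `domain.split(".", 1)[1]` raises IndexError for a declared domain that contains no dot, and the parent check only looks one label up, so with `example.com` and `a.b.example.com` declared the latter is still returned even though it is a subdomain of a declared domain, which is the opposite of what the docstring line added above promises. Replacing the three-line check with `if exclude_subdomains and any(domain.endswith("." + other) for other in result):` followed by `continue` covers both cases without changing the interface. This matters beyond the listing: patch 4 of this series uses the same result to decide which certificates request the xmpp-upload name. The def line of domain_list is outside the hunk.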
@@ -639,13 +639,15 @@ def _prepare_certificate_signing_request(domain, key_file, output_folder):
 # Set the domain
 csr.get_subject().CN = domain
- # Include xmpp-upload subdomain in subject alternate names
- subdomain="xmpp-upload." + domain
- try:
- _dns_ip_match_public_ip(get_public_ip(), subdomain)
- csr.add_extensions([crypto.X509Extension("subjectAltName", False, "DNS:" + subdomain)])
- except YunohostError:
- logger.warning(m18n.n('certmanager_warning_subdomain_dns_record', subdomain=subdomain, domain=domain))
+ from yunohost.domain import domain_list
+ # For "parent" domains, include xmpp-upload subdomain in subject alternate names
+ if domain in domain_list(exclude_subdomains=True)["domains"]:
+ subdomain="xmpp-upload." + domain
+ try:
+ _dns_ip_match_public_ip(get_public_ip(), subdomain)
+ csr.add_extensions([crypto.X509Extension("subjectAltName", False, "DNS:" + subdomain)])
+ except YunohostError:
+ logger.warning(m18n.n('certmanager_warning_subdomain_dns_record', subdomain=subdomain, domain=domain))
 # Set the key
 with open(key_file, 'rt') as f:
From b9e226caed6d6fc9f775a9d3121a30ad258c0a70 Mon Sep 17 00:00:00 2001
From: pitchum
Date: Fri, 24 Apr 2020 19:07:05 +0200
Subject: [PATCH 5/5] Remove deprecated docstrings.
---
 src/yunohost/domain.py | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/src/yunohost/domain.py b/src/yunohost/domain.py
index a1ac65b81..85d804584 100644
--- a/src/yunohost/domain.py
+++ b/src/yunohost/domain.py
@@ -46,9 +46,6 @@ def domain_list(exclude_subdomains=False):
 List domains
 Keyword argument:
- filter -- LDAP filter used to search
- offset -- Starting number for domain fetching
- limit -- Maximum number of domain fetched
 exclude_subdomains -- Filter out domains that are subdomains of other declared domains
 """
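Review bot: The subjectAltName extension still names only `xmpp-upload.<domain>`, and for child domains no SAN is set at all, so the domain itself is carried by the CN alone and the CSR relies on the CA copying the CN into the SAN list; a CSR that says `"DNS:" + domain + ",DNS:" + subdomain` would not depend on that, since clients validate SAN entries rather than the CN. The new `domain_list(exclude_subdomains=True)["domains"]` test also means every CSR does an LDAP search and silently skips the subdomain whenever `domain` is absent from the list, so a debug log line on that branch would make the missing-SAN case diagnosable. _prepare_certificate_signing_request starts and ends outside the hunk; the patch-5 hunk below is docstring-only and its last line is cut off here.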