global settings: various fixes

Alexandre Aubin 2022-08-05 15:47:13 +02:00
parent fded695b45
commit ed865dd3c0
5 changed files with 36 additions and 42 deletions


@ -369,6 +369,7 @@
"firewall_rules_cmd_failed": "Some firewall rule commands have failed. More info in log.",
"global_settings_reset_success": "Reset global settings",
"global_settings_setting_admin_strength": "Admin password strength",
"global_settings_setting_admin_strength_help": "These requirements are only enforced when defining the password",
"global_settings_setting_backup_compress_tar_archives": "Compress backups",
"global_settings_setting_backup_compress_tar_archives_help": "When creating new backups, compress the archives (.tar.gz) instead of uncompressed archives (.tar). N.B. : enabling this option means create lighter backup archives, but the initial backup procedure will be significantly longer and heavy on CPU.",
"global_settings_setting_nginx_compatibility": "NGINX Compatibility",
@ -392,12 +393,13 @@
"global_settings_setting_ssh_allow_deprecated_dsa_hostkey": "Allow DSA hostkey",
"global_settings_setting_ssh_allow_deprecated_dsa_hostkey_help": "Allow the use of (deprecated) DSA hostkey for the SSH daemon configuration",
"global_settings_setting_ssh_compatibility": "SSH Compatibility",
"global_settings_setting_ssh_compatibility_help": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects)",
"global_settings_setting_ssh_compatibility_help": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects). See https://infosec.mozilla.org/guidelines/openssh for more info.",
"global_settings_setting_ssh_password_authentication": "Password authentication",
"global_settings_setting_ssh_password_authentication_help": "Allow password authentication for SSH",
"global_settings_setting_ssh_port": "SSH port",
"global_settings_setting_ssowat_panel_overlay_enabled": "SSOwat panel overlay",
"global_settings_setting_user_strength": "User password strength",
"global_settings_setting_user_strength_help": "These requirements are only enforced when defining the password",
"global_settings_setting_webadmin_allowlist": "Webadmin IP allowlist",
"global_settings_setting_webadmin_allowlist_help": "IP adresses allowed to access the webadmin.",
"global_settings_setting_webadmin_allowlist_enabled": "Enable Webadmin IP allowlist",


@ -150,7 +150,7 @@ def find_expected_string_keys():
# Global settings
global_config = toml.load(open(ROOT + "share/config_global.toml"))
# Boring hard-coding because there's no simple other way idk
settings_without_help_key = ["admin_strength", "smtp_relay_host", "smtp_relay_password", "smtp_relay_port", "smtp_relay_user", "ssh_port", "ssowat_panel_overlay_enabled", "user_strength"]
settings_without_help_key = ["smtp_relay_host", "smtp_relay_password", "smtp_relay_port", "smtp_relay_user", "ssh_port", "ssowat_panel_overlay_enabled"]
for panel in global_config.values():
if not isinstance(panel, dict):


@ -5,20 +5,30 @@ i18n = "global_settings_setting"
name = "Security"
[security.password]
name = "Passwords"
[security.password.admin_strength]
type = "number"
type = "select"
choices.1 = "Require at least 8 chars"
choices.2 = "ditto, but also require at least one digit, one lower and one upper char"
choices.3 = "ditto, but also require at least one special char"
choices.4 = "ditto, but also require at least 12 chars"
default = 1
[security.password.user_strength]
type = "number"
type = "select"
choices.1 = "Require at least 8 chars"
choices.2 = "ditto, but also require at least one digit, one lower and one upper char"
choices.3 = "ditto, but also require at least one special char"
choices.4 = "ditto, but also require at least 12 chars"
default = 1
[security.ssh]
name = "SSH"
[security.ssh.ssh_compatibility]
type = "select"
choices.intermediate = "Intermediate (compatible with older softwares)"
choices.modern = "Modern (recommended)"
default = "modern"
choices = ["intermediate", "modern"]
[security.ssh.ssh_port]
type = "number"
@ -26,43 +36,37 @@ name = "Security"
[security.ssh.ssh_password_authentication]
type = "boolean"
yes = "True"
no = "False"
default = "False"
default = true
[security.ssh.ssh_allow_deprecated_dsa_hostkey]
type = "boolean"
yes = "True"
no = "False"
default = "False"
default = false
[security.nginx]
name = "NGINX"
[security.nginx.nginx_redirect_to_https]
type = "boolean"
yes = "True"
no = "False"
default = "True"
default = true
[security.nginx.nginx_compatibility]
type = "select"
choices.intermediate = "Intermediate (compatible with Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11, Opera 20, and Safari 9)"
choices.modern = "Modern (compatible with Firefox 63, Android 10.0, Chrome 70, Edge 75, Opera 57, and Safari 12.1)"
default = "intermediate"
choices = ["intermediate", "modern"]
[security.postfix]
name = "Postfix"
[security.postfix.postfix_compatibility]
type = "select"
choices.intermediate = "Intermediate (allows TLS 1.2)"
choices.modern = "Modern (TLS 1.3 only)"
default = "intermediate"
choices = ["intermediate", "modern"]
[security.webadmin]
name = "Webadmin"
[security.webadmin.webadmin_allowlist_enabled]
type = "boolean"
yes = "True"
no = "False"
default = "False"
default = false
[security.webadmin.webadmin_allowlist]
type = "tags"
@ -74,9 +78,7 @@ name = "Security"
name = "Experimental"
[security.experimental.security_experimental_enabled]
type = "boolean"
yes = "True"
no = "False"
default = "False"
default = false
[email]
@ -85,23 +87,17 @@ name = "Email"
name = "POP3"
[email.pop3.pop3_enabled]
type = "boolean"
yes = "True"
no = "False"
default = "False"
default = false
[email.smtp]
name = "SMTP"
[email.smtp.smtp_allow_ipv6]
type = "boolean"
yes = "True"
no = "False"
default = "True"
default = true
[email.smtp.smtp_relay_enabled]
type = "boolean"
yes = "True"
no = "False"
default = "False"
default = false
[email.smtp.smtp_relay_host]
type = "string"
@ -132,14 +128,10 @@ name = "Other"
name = "SSOwat"
[misc.ssowat.ssowat_panel_overlay_enabled]
type = "boolean"
yes = "True"
no = "False"
default = "True"
default = true
[misc.backup]
name = "Backup"
[misc.backup.backup_compress_tar_archives]
type = "boolean"
yes = "True"
no = "False"
default = "False"
default = false
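Review bot: The default for `[security.ssh.ssh_password_authentication]` appears to change from `"False"` to `true`, which alters the shipped SSH posture rather than just converting a string to a boolean as the other boolean settings in this section do. If this restores the intended default, it deserves a line in the commit message and a comment above the key, for example `# Password login is enabled by default; turn it off once SSH keys are deployed`. If it is unintended, the line should read `default = false`. Upgraded hosts would get whichever default is chosen if the migration carries no stored value for this key, which this section does not show.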


@ -29,12 +29,12 @@ class MyMigration(Migration):
raise YunohostError(f"Can't open setting file : {e}", raw_msg=True)
settings = {
translate_legacy_settings_to_configpanel_settings(k): v["value"]
translate_legacy_settings_to_configpanel_settings(k).split('.')[-1]: v["value"]
for k, v in old_settings.items()
}
if settings.get("email.smtp.smtp_relay_host") != "":
settings["email.smtp.smtp_relay_enabled"] = "True"
if settings.get("smtp_relay_host"):
settings["smtp_relay_enabled"] = True
# Here we don't use settings_set() from settings.py to prevent
# Questions to be asked when one run the migration from CLI.
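Review bot: Keeping only the last dotted segment in `translate_legacy_settings_to_configpanel_settings(k).split('.')[-1]` means two legacy settings that end in the same name would silently overwrite each other inside the dict comprehension. The setting names visible in this commit look unique, but nothing in the migration enforces that. A guard right after the comprehension, such as `if len(settings) != len(old_settings): raise YunohostError("Legacy settings collide once flattened", raw_msg=True)`, would make a collision fail loudly instead of dropping a value. The enclosing method starts and ends outside the hunk.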


@ -86,7 +86,7 @@ class PasswordValidator:
# use as a script by ssowat.
# (or at least that's my understanding -- Alex)
settings = yaml.load(open("/etc/yunohost/settings.yml", "r"))
setting_key = "security.password." + profile + "_strength"
setting_key = profile + "_strength"
self.validation_strength = int(settings[setting_key])
except Exception:
# Fallback to default value if we can't fetch settings for some reason
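Review bot: The new lookup `settings[profile + "_strength"]` sits inside a `try` whose `except Exception:` falls back to the default strength, so a settings.yml that still holds the old `security.password.`-prefixed key (for example before the migration has run) would silently weaken a stricter configured password policy. Trying the legacy key before giving up would close that gap: `value = settings.get(setting_key, settings.get("security.password." + setting_key))`, then `self.validation_strength = int(value)`. The unchanged line above also calls `yaml.load(open(...))` without a loader and never closes the file; `yaml.safe_load` inside a `with open(...)` block is the safer form. The enclosing method continues outside the hunk.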