install/cryptpad
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Christoph
2019-11-03 02:58:08 +01:00
commit 77bc626b40
4 changed files with 570 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
README.copy-userdata-to-new-installation Normal file
View File

@@ -0,0 +1,9 @@
# =================
# Copy existing user data to new pad
# =================
backup_date="2019-11-03-0036"
cp -a /var/www/cryptpad.BAK.${backup_date}/{blob,blobstage,block,datastore} /var/www/cryptpad/

363
README.install Normal file
View File

@@ -0,0 +1,363 @@
# =================
# - Install Cryptad on Debian 9 (stretch)
# =================
# - See:
# - https://blog.cavebeat.org/2017/07/cryptpad-installation-on-debian-stretch/
# -
# - See also:
# - git repository: https://github.com/xwiki-labs/cryptpad
# - installation guide: https://github.com/xwiki-labs/cryptpad/wiki/Installation-guide
# -
# ----------
# - Pre-requisites
# ----------
# - Install curl, git
# -
apt-get install curl git-core
# - Install Python
# -
apt-get install python-minimal python
# - Install compiler stuff
# -
# - apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
# - make automake autoconf libtool flex bison \
# - gettext pkg-config gnu-standards \
# - libssl-dev libreadline-dev libncurses-dev
# -
apt-get install gcc g++ make
# ---
# - Install Nginx webservice
# ---
apt-get install nginx
# - Generate Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# -
mkdir /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# - Create nginx configuration for CryptPad
# -
cryptpad_url=cpad-01.oopen.de
cat <<EOF > cpad-01.oopen.de.conf
# -- $cryptpad_url
server {
listen 80;
listen [::]:80;
server_name $cryptpad_url;
return 301 https://\$server_name\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name $cryptpad_url;
ssl_certificate /var/lib/dehydrated/certs/$cryptpad_url/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/$cryptpad_url/privkey.pem;
#ssl_trusted_certificate /var/lib/dehydrated/certs/$cryptpad_url/fullchain.pem;
# - Needed for (automated) updating certificate
# -
include snippets/letsencrypt-acme-challenge.conf;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#
# To generate a dhparam.pem file, run in a terminal
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
#
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Eable session resumption to improve https performance
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE
# ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
# Everything better than SHA1 (deprecated)
#
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
#add_header X-Frame-Options "SAMEORIGIN";
root /var/www/cryptpad;
index index.html;
error_page 404 /customize.dist/404.html;
if (\$args ~ ver=) {
set \$cacheControl max-age=31536000;
}
# Will not set any header if it is emptystring
#
add_header Cache-Control \$cacheControl;
# - Does not work with CKEditor and OnlyOffice
# -
#set \$styleSrc "'unsafe-inline' 'self' $cryptpad_url";
#set \$scriptSrc "'self' $cryptpad_url";
#set \$connectSrc "'self' https://$cryptpad_url wss://$cryptpad_url $cryptpad_url https://api.$cryptpad_url blob: $cryptpad_url";
#set \$fontSrc "'self' data: $cryptpad_url";
#set \$imgSrc "'self' data: * blob: $cryptpad_url";
#set \$frameSrc "'self' $cryptpad_url blob: $cryptpad_url";
#set \$mediaSrc "'self' data: * blob: $cryptpad_url";
#set \$childSrc "https://$cryptpad_url";
#set \$workerSrc "https://$cryptpad_url";
#
#set \$unsafe 0;
#if (\$uri = "/pad/inner.html") { set \$unsafe 1; }
#if (\$uri = "/sheet/inner.html") { set \$unsafe 1; }
#if (\$uri = "/common/onlyoffice/web-apps/apps/spreadsheeteditor/main/index.html") { set \$unsafe 1; }
#if (\$host != sandbox.cryptpad.info) { set \$unsafe 0; }
#if (\$unsafe) {
# set \$scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' $cryptpad_url";
#}
# - Make CKEditor and OnlyOffice working
# -
# - See /var/www/cryptpad/config.js (contentSecurity,padContentSecurity, ooContentSecurity)
# -
set \$styleSrc "'unsafe-inline' 'self' $cryptpad_url";
set \$scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' $cryptpad_url";
set \$connectSrc "'self' ws: wss: $cryptpad_url";
set \$fontSrc "'self' data: $cryptpad_url";
set \$imgSrc " * blob:";
set \$frameSrc "*";
set \$mediaSrc "'self' data: * blob: $cryptpad_url";
set \$childSrc *;
set \$workerSrc "https://$cryptpad_url";
add_header Content-Security-Policy "default-src 'none'; child-src \$childSrc; worker-src \$workerSrc; media-src \$mediaSrc; style-src \$styleSrc; script-src \$scriptSrc; connect-src \$connectSrc; font-src \$fontSrc; img-src \$imgSrc; frame-src \$frameSrc;";
location ^~ /cryptpad_websocket {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
# WebSocket support (nginx 1.4)
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection upgrade;
}
location ^~ /customize.dist/ {
# This is needed in order to prevent infinite recursion between /customize/ and the root
}
location ^~ /customize/ {
rewrite ^/customize/(.*)\$ \$1 break;
try_files /customize/\$uri /customize.dist/\$uri;
}
location = /api/config {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
location ^~ /blob/ {
add_header Cache-Control max-age=31536000;
try_files \$uri =404;
}
location ^~ /block/ {
add_header Cache-Control max-age=0;
try_files \$uri =404;
}
location ^~ /datastore/ {
add_header Cache-Control max-age=0;
try_files \$uri =404;
}
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet)\$ {
rewrite ^(.*)\$ \$1/ redirect;
}
try_files /www/\$uri /www/\$uri/index.html /customize/\$uri;
}
EOF
# ---
# - Install NodeJS v6.x on Debian 9 Stretch
# ---
# - Creates the apt sources list file '/etc/apt/sources.list.d/nodesource.list' for
# - the NodeSource Node.js v6.x and also adds the NodeSource signing key to your keyring
# -
curl -sL https://deb.nodesource.com/setup_6.x | bash -
apt-get update
# - Install nodejs version 6.x from repository 'deb.nodesource.com'
# -
# - Tell the apt system to install nodejs from repository deb.nodesource.com
# -
# - You should pin the external source using the origin option to assign a high
# - priority to "the external source" instead of using the release name.
# -
# - e,g: Add the following lines to your /etc/apt/preferences.d/preferences:
# -
# - Package: *
# - Pin: origin deb.nodesource.com
# - Pin-Priority: 1001
# -
if ! $(grep -E -q "^\s*Pin:\s+origin\s+deb.nodesource.com" /etc/apt/preferences.d/preferences) ; then
cat <<EOF >> /etc/apt/preferences.d/preferences
Package: *
Pin: origin deb.nodesource.com
Pin-Priority: 1001
EOF
fi
# - Install nodejs..
# -
apt-get install nodejs
# - An alternative possibility:
# -
# - 1. Show versions for nodejs
# -
# - # aptitude versions nodejs
# -
# - output may looks like:
# -
# - i 6.14.4-1nodesource1 <NULL> 500
# - p 10.15.2~dfsg-2 stable 500
# -
# - 2. install nodejs 6.14.4-1nodesource1
# -
# - apt-get install nodejs=6.14.4-1nodesource1
# - ^^^^^^^^^^^^^^^^^^^^^^^^^^
# -
# - Test if installation was successfully
# -
node -v
npm -v
# ---
# - Install bower
# ---
# - Install bower (global)
# -
npm install -g bower
# ---
# - Install cryptpad
# ---
cd /var/www
# - Create needed folders
# -
mkdir /var/www/{.cache,.config,.local,.node-gyp,.npm}
chown www-data:www-data /var/www/{.cache,.config,.local,.node-gyp,.npm}
# - Get cryptpad
# -
git clone https://github.com/xwiki-labs/cryptpad
chown -R www-data:www-data cryptpad
cd cryptpad
# - Complete Installation of cryptpad
# -
su www-data -s /bin/bash -c "npm install"
su www-data -s /bin/bash -c "bower install"
# ---
# - Configure CryptPad
# ---
# - Create configuration file 'config.js'. (Copy the example file)
# -
# - The defaults should be good enough for most cases, but you may want to edit
# - them. We recommend you read over the example file and change the values to
# - fit your needs.
cp -a config/config.example.js config/config.js
# - Some base configuration
# -
# - adminEmail: 'admin.de',
# - ...
# - myDomain: oopen.de,
# -
perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin@oopen.de',#" /var/www/cryptpad/config/config.js
perl -i -n -p -e"s#(\s*)(myDomain:.*)#\1// \2\n\1myDomain: oopen.de,#" /var/www/cryptpad/config/config.js
# - Customizing CryptPad
# -
# - In order allow a variety of features to be changed and to allow site-specific
# - changes to CryptPad apps while still keeping the git repository pristine, this
# - directory exists to allow a set of hooks to be run.
# -
# - The server is configured to load files from the '/customize/' path
# - preferentially from 'cryptpad/customize/', and to fall back to
# - 'cryptpad/customize.dist/' if they are not found.
# -
# - If you wish to customize cryptpad, please **copy**
# - '/customize.dist/' to '/customize' and then edit it there, this way you will
# - still be able to pull from (and make pull requests to (!) the git repository.
# -
cp -a /var/www/cryptpad/customize.dist /var/www/cryptpad/customize
# - Copy 'favicon.ico' to '/var/www/cryptpad/customize/main-favicon.png'
# -
cp ~chris/favicon.ico /var/www/cryptpad/customize/main-favicon.png
# - Run as daemon using systemd
# -
cat << EOF > /etc/systemd/system/cryptpad.service
[Unit]
Description=CryptPad service
[Service]
User=www-data
Group=www-data
ExecStart=/usr/bin/node /var/www/cryptpad/server.js
WorkingDirectory=/var/www/cryptpad
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable cryptpad
# - Start cryptpad
# -
systemctl start cryptpad

49
README.upgrade Normal file
View File

@@ -0,0 +1,49 @@
# ====================
# - Upgrading CryptPad
# ====================
# - Note!
# -
# - Always read the release notes before upgrading, as there may be changes
# - that require special consideration.
# - Stop cryptpad
# -
systemctl stop cryptpadsystemctl stop cryptpad
# - Backup existing installation
# -
cp -a /var/www/cryptpad /var/www/cryptpad.BAK.$(date +%Y-%m-%d-%H%M)
# - Change into installation directory
# -
cd /var/www/cryptpad
# - Update Git repository
# -
su www-data -s /bin/bash -c "git pull"
# - Update 'npm'
# -
su www-data -s /bin/bash -c "npm update"
# - Update 'bower'
# -
su www-data -s /bin/bash -c "bower update"
# - Maybe more updates
# -
╭─────────────────────────────────────╮
│ │
│ Update available 1.8.4 → 1.8.8 │
│ Run npm i -g bower to update │
│ │
╰─────────────────────────────────────╯
# - Start cryptpad
# -
systemctl start cryptpad

149
nginx_cryptpad.conf.tmpl Normal file
View File

@@ -0,0 +1,149 @@
server {
listen 80;
listen [::]:80;
server_name @cryptpad-url@;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name @cryptpad-url@;
ssl_certificate /var/lib/dehydrated/certs/@cryptpad-url@/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/@cryptpad-url@/privkey.pem;
#ssl_trusted_certificate /var/lib/dehydrated/certs/@cryptpad-url@/fullchain.pem;
# - Needed for (automated) updating certificate
# -
include snippets/letsencrypt-acme-challenge.conf;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#
# To generate a dhparam.pem file, run in a terminal
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
#
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Eable session resumption to improve https performance
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE
# ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
# Everything better than SHA1 (deprecated)
#
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
#add_header X-Frame-Options "SAMEORIGIN";
root /var/www/cryptpad;
index index.html;
error_page 404 /customize.dist/404.html;
if ($args ~ ver=) {
set $cacheControl max-age=31536000;
}
# Will not set any header if it is emptystring
#
add_header Cache-Control $cacheControl;
# - Does not work with CKEditor and OnlyOffice
# -
#set $styleSrc "'unsafe-inline' 'self'";
#set $scriptSrc "'self' @cryptpad-url@";
#set $connectSrc "'self' https://@cryptpad-url@ wss://@cryptpad-url@ @cryptpad-url@ https://api.@cryptpad-url@ blob: @cryptpad-url@";
#set $fontSrc "'self' data: @cryptpad-url@";
#set $imgSrc "'self' data: * blob: @cryptpad-url@";
#set $frameSrc "'self' @cryptpad-url@ blob: @cryptpad-url@";
#set $mediaSrc "'self' data: * blob: @cryptpad-url@";
#set $childSrc "https://@cryptpad-url@";
#set $workerSrc "https://@cryptpad-url@";
#
#set $unsafe 0;
#if ($uri = "/pad/inner.html") { set $unsafe 1; }
#if ($uri = "/sheet/inner.html") { set $unsafe 1; }
#if ($uri = "/common/onlyoffice/web-apps/apps/spreadsheeteditor/main/index.html") { set $unsafe 1; }
#if ($host != sandbox.cryptpad.info) { set $unsafe 0; }
#if ($unsafe) {
# set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' @cryptpad-url@";
#}
# - Make CKEditor and OnlyOffice working
# -
# - See /var/www/cryptpad/config.js (contentSecurity,padContentSecurity, ooContentSecurity)
# -
set $styleSrc "'unsafe-inline' 'self' @cryptpad-url@";
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' @cryptpad-url@";
set $connectSrc "'self' ws: wss: @cryptpad-url@";
set $fontSrc "'self' data: @cryptpad-url@";
set $imgSrc " * blob:";
set $frameSrc "*";
set $mediaSrc "'self' data: * blob: @cryptpad-url@";
set $childSrc *;
set $workerSrc "https://@cryptpad-url@";
add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc;";
location ^~ /cryptpad_websocket {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket support (nginx 1.4)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
}
location ^~ /customize.dist/ {
# This is needed in order to prevent infinite recursion between /customize/ and the root
}
location ^~ /customize/ {
rewrite ^/customize/(.*)$ $1 break;
try_files /customize/$uri /customize.dist/$uri;
}
location = /api/config {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ^~ /blob/ {
add_header Cache-Control max-age=31536000;
try_files $uri =404;
}
location ^~ /block/ {
add_header Cache-Control max-age=0;
try_files $uri =404;
}
location ^~ /datastore/ {
add_header Cache-Control max-age=0;
try_files $uri =404;
}
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet)$ {
rewrite ^(.*)$ $1/ redirect;
}
try_files /www/$uri /www/$uri/index.html /customize/$uri;
}