install/cryptpad
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Replaced file 'README.install' with chnanged new installation instructions.

Browse Source
This commit is contained in:
Christoph 2023-12-11 18:03:32 +01:00
parent f238b5fbd7
commit d665f126aa
1 changed files with 223 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

409
README.install
View File

@ -12,186 +12,77 @@
cryptpad_url=cpad-01.oopen.de
cryptpad_url=o13-pad.oopen.de
cryptpad_url=o13-cryptpad.oopen.de
# bei vorgeschalteter authentifizierung funktioniert
# eine *extra* sandbox url nicht. in diesem falle die gleiche
# adresse nehmen wie für die hautp seite
#
#cryptpad_sandbox_url=cpadsb-01.oopen.de
#cryptpad_sandbox_url=o13-padsb.oopen.de
cryptpad_sandbox_url="$cryptpad_url"
cryptpad_sandbox_url="cpadsb-01.oopen.de"
cryptpad_sandbox_url="o13-padsb.oopen.de"
cryptpad_sandbox_url="o13-cryptpadsb.oopen.de"
vhost_config_file="${cryptpad_url}.conf"
cryptpad_user=cryptpad
cryptpad_group=cryptpad
cryptpad_gid=2010
cryptpad_uid=2010
# ----------
# - Pre-requisites
# ----------
# - Install curl, git
# -
apt-get install curl git-core
# - Install Python
# -
apt-get install python-minimal python
# debian bullseye:
apt install python-is-python2 python2-minimal
# - Install compiler stuff
# -
# - apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
# - make automake autoconf libtool flex bison \
# - gettext pkg-config gnu-standards \
# - libssl-dev libreadline-dev libncurses-dev
# -
apt-get install gcc g++ make
cryptpad_base_dir=/var/www/cryptpad
cryptpad_home_dir="${cryptpad_base_dir}"
cryptpad_install_dir="${cryptpad_home_dir}/cryptpad"
# ---
# - Install Nginx webservice
# ---
apt-get install nginx
# - Generate Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# -
mkdir /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# ----------
# - Create nginx configuration for CryptPad
# -
# - see: https://github.com/xwiki-labs/cryptpad/blob/main/docs/example.nginx.conf
# -
# ----------
# ---
# - Install NodeJS v6.x on Debian 9 Stretch
# ---
# - Creates the apt sources list file '/etc/apt/sources.list.d/nodesource.list' for
# - the NodeSource Node.js v6.x and also adds the NodeSource signing key to your keyring
# -
# - curl -sL https://deb.nodesource.com/setup_6.x | bash -
# -
# - Hope nodejs version 14.x will work
# -
# - nodejs 6.0 does not yet work for actuall etherpad, which ist also installed
# - on this server.
# -
curl -sL https://deb.nodesource.com/setup_14.x | bash -
apt-get update
# - Install nodejs version 6.x from repository 'deb.nodesource.com'
# -
# - Tell the apt system to install nodejs from repository deb.nodesource.com
# -
# - You should pin the external source using the origin option to assign a high
# - priority to "the external source" instead of using the release name.
# -
# - e,g: Add the following lines to your /etc/apt/preferences.d/preferences:
# -
# - Package: *
# - Pin: origin deb.nodesource.com
# - Pin-Priority: 1001
# -
if ! $(grep -E -q "^\s*Pin:\s+origin\s+deb.nodesource.com" /etc/apt/preferences.d/preferences) ; then
cat <<EOF >> /etc/apt/preferences.d/preferences
Package: *
Pin: origin deb.nodesource.com
Pin-Priority: 1001
EOF
fi
# - Verify with 'apt-cache policy nodejs'
# -
# - Output must conatin somethin liek that:
# - Installationskandidat: 6.14.4-1nodesource1
# -
apt-cache policy nodejs
# - Install nodejs..
# -
apt-get install nodejs
# - An alternative possibility:
# -
# - 1. Show versions for nodejs
# -
# - # aptitude versions nodejs
# -
# - output may looks like:
# -
# - i 6.14.4-1nodesource1 <NULL> 500
# - p 10.15.2~dfsg-2 stable 500
# -
# - 2. install nodejs 6.14.4-1nodesource1
# -
# - apt-get install nodejs=6.14.4-1nodesource1
# - ^^^^^^^^^^^^^^^^^^^^^^^^^^
# -
# - Test if installation was successfully
# -
node -v
npm -v
# ---
# - Install bower
# ---
# - Install bower (global)
# -
npm install -g bower
# ---
# ==========
# - Create the user for the service:
# ---
mkdir -p /var/www/{.cache,.config,.local,.node-gyp,.npm,.private}
chown -R www-data:www-data /var/www/{.cache,.config,.local,.node-gyp,.npm,.private}
# ==========
addgroup --gid $cryptpad_gid $cryptpad_group
adduser --gid $cryptpad_uid --uid $cryptpad_uid --home $cryptpad_home_dir $cryptpad_user
# ---
# ==========
# - Install cryptpad
# ---
# ==========
cd /var/www/
chown www-data:www-data /var/www
su - ${cryptpad_user}
cd ${cryptpad_home_dir}
# - Get cryptpad
# - Get cryptpad - Clone the CryptPad repository
# -
su www-data -s /bin/bash -c "git clone https://github.com/xwiki-labs/cryptpad /var/www/cryptpad"
su www-data -s /bin/bash -c "git clone https://github.com/cryptpad/cryptpad.git /var/www/cryptpad"
git clone https://github.com/cryptpad/cryptpad.git ${cryptpad_install_dir}
# Switch to the latest published tag
#
#su www-data -s /bin/bash -c "git checkout $(git tag -l | grep -v 'v1.*$' | sort -V | tail -n 1)"
# git checkout $(git tag -l | grep -v 'v1.*$' | sort -V | tail -n 1)
cd cryptpad
cd ${cryptpad_install_dir}
# - Complete Installation of cryptpad
# -
su www-data -s /bin/bash -c "npm install"
npm ci
# - Maybe you haave to run
# - Maybe you haave to run
#
# su www-data -s /bin/bash -c "npm fund"
# su www-data -s /bin/bash -c "npm audit fix --force"
# # packages looking for funding
# #
# npm fund
#
# # To address issues that do not require attention, run:
# #
# npm audit fix
#
npm fund
npm audit fix
su www-data -s /bin/bash -c "bower install"
npm run install:components
# ---
@ -216,29 +107,29 @@ cp -a config/config.example.js config/config.js
# - myDomain: oopen.de,
# -
if $(grep -q -E "\s*/?/?\s*adminEmail" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" /var/www/cryptpad/config/config.js
perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" ${cryptpad_install_dir}/config/config.js
else
perl -i -n -p -e"s/(\s*})/ adminEmail: 'admin\@oopen.de',\n\1/" /var/www/cryptpad/config/config.js
perl -i -n -p -e"s/(\s*})/ adminEmail: 'admin\@oopen.de',\n\1/" ${cryptpad_install_dir}/config/config.js
fi
perl -i -n -p -e"s#(\s*)(httpUnsafeOrigin:.*)#\1// \2\n\1httpUnsafeOrigin: 'https://${cryptpad_url}',#" /var/www/cryptpad/config/config.js
perl -i -n -p -e"s#(\s*)(httpUnsafeOrigin:.*)#\1// \2\n\1httpUnsafeOrigin: 'https://${cryptpad_url}',#" ${cryptpad_install_dir}/config/config.js
perl -i -n -p -e"s#(\s*)(/*\s*)(httpSafeOrigin:.*)#\1// \3\n\1httpSafeOrigin: 'https://${cryptpad_sandbox_url}',#" /var/www/cryptpad/config/config.js
perl -i -n -p -e"s#(\s*)(/*\s*)(httpSafeOrigin:.*)#\1// \3\n\1httpSafeOrigin: 'https://${cryptpad_sandbox_url}',#" ${cryptpad_install_dir}/config/config.js
perl -i -n -p -e"s#(\s*)(/*\s*)(httpAddress:.*)#\1// \3\n\1httpAddress: '::',#" /var/www/cryptpad/config/config.js
perl -i -n -p -e"s#(\s*)(/*\s*)(httpAddress:.*)#\1// \3\n\1httpAddress: '::',#" ${cryptpad_install_dir}/config/config.js
# - deaktivate donate Button
# -
if $(grep -q -E "\s*/?/?\s*removeDonateButton" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
perl -i -n -p -e"s#(\s*)(/*\s*)(removeDonateButton:.*)#\1//\3\n\1removeDonateButton: true,#" /var/www/cryptpad/config/config.js
perl -i -n -p -e"s#(\s*)(/*\s*)(removeDonateButton:.*)#\1//\3\n\1removeDonateButton: true,#" ${cryptpad_install_dir}/config/config.js
else
perl -i -n -p -e"s/(\s*})/ removeDonateButton: true,\n\1/" /var/www/cryptpad/config/config.js
perl -i -n -p -e"s/(\s*})/ removeDonateButton: true,\n\1/" ${cryptpad_install_dir}/config/config.js
fi
# - Set storage..
# -
perl -i -n -p -e"s#(\s*)(/*\s*)(defaultStorageLimit:.*)#\1//\3\n\1defaultStorageLimit: 250 * 1024 * 1024,#" /var/www/cryptpad/config/config.js
perl -i -n -p -e"s#(\s*)(/*\s*)(defaultStorageLimit:.*)#\1//\3\n\1defaultStorageLimit: 250 * 1024 * 1024,#" ${cryptpad_install_dir}/config/config.js
# - Customizing CryptPad
# -
@ -264,44 +155,85 @@ chown www-data:www-data /var/www/cryptpad/customize/main-favicon.png
chown www-data:www-data /var/www/cryptpad/customize.dist/favicon.ico
# Build static pages & Open Graph metadata
#
# To build some of CryptPad static pages & enable social media link previews,
# run the following command:
#
npm run build
# Exit from cryptpad user
#
exit
# ---
# Systemd Unit
# ---
# - Run as daemon using systemd
# -
cat << EOF > /etc/systemd/system/cryptpad.service
cat <<EOF > /etc/systemd/system/cryptpad.service
[Unit]
Description=CryptPad Service
After=syslog.target network.target
Requires=nginx.service
Description=CryptPad API server
[Service]
Type=simple
User=www-data
Group=www-data
Environment='PWD="/var/www/cryptpad"'
ExecStart=/usr/bin/node ${cryptpad_install_dir}/server.js
# modify to match the location of your cryptpad repository
WorkingDirectory=/var/www/cryptpad
ExecStart=/usr/bin/node /var/www/cryptpad/server.js
WorkingDirectory=${cryptpad_install_dir}
TimeoutSec=30
Restart=always
# Restart service after 10 seconds if node service crashes
RestartSec=2
Restart=always
# Output to syslog
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=cryptpad
# Proper logging to journald
StandardOutput=journal
StandardError=journal+console
## Modify these two values and uncomment them if you have lots of files and get an HTTP error 500 because of that
LimitMEMLOCK=infinity
LimitNOFILE=65535
### If you want to bind CryptPad to a port below 1024 uncomment the two values below
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
User=${cryptpad_user}
Group=${cryptpad_group}
# modify to match your working directory
Environment='PWD="${cryptpad_install_dir}"'
# systemd sets the open file limit to 4000 unless you override it
# cryptpad stores its data with the filesystem, so you should increase this to match the value of `ulimit -n`
# or risk EMFILE errors.
LimitNOFILE=1000000
# hardening directives as per https://www.freedesktop.org/software/systemd/man/systemd.exec.html
# check those with systemd-analyze security cryptpad.service for more information
# Proc filesystem
ProcSubset=all
ProtectProc=invisible
# Capabilities
CapabilityBoundingSet=
# Security
NoNewPrivileges=true
# Sandboxing
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictAddressFamilies=AF_NETLINK
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
PrivateMounts=true
ProtectClock=true
# System Call Filtering
SystemCallArchitectures=native
SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
SystemCallFilter=@chown
SystemCallFilter=pipe
SystemCallFilter=pipe2
ReadWritePaths=${cryptpad_install_dir}
[Install]
WantedBy=multi-user.target
@ -315,6 +247,119 @@ systemctl enable cryptpad
systemctl start cryptpad
# ==========
# nginx vhost configuration
# ==========
cat <<EOF > /etc/nginx/sites-available/${vhost_config_file}
# -- ${cryptpad_url}
# we want restrict authentication to cryptpad sandbox urls "${cryptpad_sandbox_url}"
#
map \$http_host \$auth_type {
default "off"; #This will turn off auth-basic
${cryptpad_sandbox_url} "Restricted"; #This or any other string will turn it back on
}
server {
listen 80;
listen [::]:80;
server_name ${cryptpad_url};
return 301 https://\$server_name\$request_uri;
}
# This file is included strictly as an example of how Nginx can be configured
# to work with CryptPad. This example WILL NOT WORK AS IS. For best results,
# compare the sections of this configuration file against a working CryptPad
# installation (http server by the Nodejs process). If you are using CryptPad
# in production and require professional support please contact sales@cryptpad.fr
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Let's Encrypt webroot
#include letsencrypt-webroot;
# ----------
# !! inserted by ckubu !!
#
# Needed for (automated) updating certificate
#
include snippets/letsencrypt-acme-challenge.conf;
#
# ----------
# CryptPad serves static assets over these two domains.
# \`your-main-domain\` is what users will enter in their address bar.
# Privileged computation such as key management is handled in this scope
# UI content is loaded via the \`your-sandbox-domain\`.
# "Content Security Policy" headers prevent content loaded via the sandbox
# from accessing privileged information.
# This setup allows to take advantage of CryptPad's sandboxing techniques.
# In the event of an XSS vulnerability in CryptPad's front-end code
# this will limit the amount of information accessible to attackers.
server_name ${cryptpad_url} ${cryptpad_sandbox_url};
# You'll need to Set the path to your certificates and keys here
# IMPORTANT: this config is intended to serve assets for at least two domains
# (your main domain and your sandbox domain). As such, you'll need to generate a single SSL certificate
# that includes both domains in order for things to work as expected.
ssl_certificate /var/lib/dehydrated/certs/${cryptpad_url}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${cryptpad_url}/privkey.pem;
# diffie-hellman parameters are used to negotiate keys for your session
# generate strong parameters using the following command
ssl_dhparam /etc/nginx/ssl/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
# Speeds things up a little bit when resuming a session
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# replace with the IP address of your resolver
resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;
location / {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
client_max_body_size 150m;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection upgrade;
}
# ----------
# !! included by ckubu !!
#
# Only authenticated users
#
auth_basic "\$auth_type";
auth_basic_user_file /etc/nginx/.htpasswd-o13-pad;
#
# ----------
}
EOF
# ---
# Basic Check of your configuration:
# ---
@ -322,11 +367,3 @@ systemctl start cryptpad
# In yout browser type:
#
# https://${cryptpad_url}/checkup/
# Maybe the the 'checkup' script recommends to run:
#
# npm run build
#
# we have to do this under the webservice user www-data
#
su www-data -s /bin/bash -c "npm run build"