Replaced file 'README.install' with chnanged new installation instructions.

2023-12-11 18:03:32 +01:00 · 2023-12-11 18:03:32 +01:00 · d665f126aa
commit d665f126aa
parent f238b5fbd7
1 changed files with 223 additions and 186 deletions
--- a/README.install
+++ b/README.install
@ -12,186 +12,77 @@
 cryptpad_url=cpad-01.oopen.de
 cryptpad_url=o13-pad.oopen.de
 cryptpad_url=o13-cryptpad.oopen.de
 # bei vorgeschalteter authentifizierung funktioniert 
 # eine *extra* sandbox url nicht. in diesem falle die gleiche
 # adresse nehmen wie für die hautp seite
 #
 #cryptpad_sandbox_url=cpadsb-01.oopen.de
 #cryptpad_sandbox_url=o13-padsb.oopen.de
 cryptpad_sandbox_url="$cryptpad_url"
 cryptpad_sandbox_url="cpadsb-01.oopen.de"
 cryptpad_sandbox_url="o13-padsb.oopen.de"
 cryptpad_sandbox_url="o13-cryptpadsb.oopen.de"
 vhost_config_file="${cryptpad_url}.conf"
 cryptpad_user=cryptpad
 cryptpad_group=cryptpad
 cryptpad_gid=2010
 cryptpad_uid=2010
-# ----------
+cryptpad_base_dir=/var/www/cryptpad
-# - Pre-requisites
+cryptpad_home_dir="${cryptpad_base_dir}"
-# ----------
+cryptpad_install_dir="${cryptpad_home_dir}/cryptpad"
 # - Install curl, git
 # -
 apt-get install curl git-core
 # - Install Python
 # -
 apt-get install python-minimal python
 # debian bullseye:
 apt install python-is-python2 python2-minimal
 # - Install compiler stuff
 # -
 # -    apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
 # -       make automake autoconf libtool flex bison \
 # -       gettext pkg-config gnu-standards \
 # -       libssl-dev libreadline-dev libncurses-dev
 # -
 apt-get install gcc g++ make
-# ---
+# ==========
 # - Install Nginx webservice
 # ---
 apt-get install nginx
 # - Generate Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 # -
 mkdir /etc/nginx/ssl
 openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
 # ----------
 # - Create nginx configuration for CryptPad
 # -
 # - see: https://github.com/xwiki-labs/cryptpad/blob/main/docs/example.nginx.conf
 # -
 # ----------
 # ---
 # - Install NodeJS v6.x on Debian 9 Stretch
 # ---
 # - Creates the apt sources list file '/etc/apt/sources.list.d/nodesource.list' for 
 # - the NodeSource Node.js v6.x and also adds the NodeSource signing key to your keyring
 # -
 # -    curl -sL https://deb.nodesource.com/setup_6.x | bash -
 # -
 # - Hope nodejs version 14.x will work 
 # -
 # -     nodejs 6.0 does not yet work for actuall etherpad, which ist also installed 
 # -     on this server. 
 # -
 curl -sL https://deb.nodesource.com/setup_14.x | bash -
 apt-get update
 # - Install nodejs version 6.x from repository 'deb.nodesource.com'
 # -
 # - Tell the apt system to install nodejs from repository deb.nodesource.com
 # -
 # - You should pin the external source using the origin option to assign a high 
 # - priority to "the external source" instead of using the release name.
 # -
 # - e,g: Add the following lines to your /etc/apt/preferences.d/preferences:
 # -
 # -    Package: *
 # -    Pin: origin deb.nodesource.com
 # -    Pin-Priority: 1001
 # -
 if ! $(grep -E -q "^\s*Pin:\s+origin\s+deb.nodesource.com" /etc/apt/preferences.d/preferences) ; then
   cat <<EOF >> /etc/apt/preferences.d/preferences
 Package: *
 Pin: origin deb.nodesource.com
 Pin-Priority: 1001
 EOF
 fi
 # - Verify with 'apt-cache policy nodejs'
 # -
 # - Output must conatin somethin liek that:
 # -    Installationskandidat: 6.14.4-1nodesource1
 # -
 apt-cache policy nodejs
 # - Install nodejs..
 # -
 apt-get install nodejs
 # - An alternative possibility:
 # -
 # - 1. Show versions for nodejs
 # -
 # -    # aptitude versions nodejs
 # -
 # -    output may looks like:
 # -
 # -       i   6.14.4-1nodesource1                                     <NULL>                              500
 # -       p   10.15.2~dfsg-2                                          stable                              500
 # -
 # - 2. install nodejs 6.14.4-1nodesource1
 # -
 # -    apt-get install nodejs=6.14.4-1nodesource1
 # -                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
 # -
 # - Test if installation was successfully
 # -
 node -v
 npm -v
 # ---
 # - Install bower
 # ---
 # - Install bower (global)
 # -
 npm install -g bower
 # ---
 # - Create the user for the service:
-# ---
+# ==========
 mkdir -p /var/www/{.cache,.config,.local,.node-gyp,.npm,.private}
 chown -R www-data:www-data /var/www/{.cache,.config,.local,.node-gyp,.npm,.private}
 addgroup --gid $cryptpad_gid $cryptpad_group
 adduser --gid $cryptpad_uid --uid $cryptpad_uid --home $cryptpad_home_dir $cryptpad_user
-# ---
+
 # ==========
 # - Install cryptpad
-# ---
+# ==========
-cd /var/www/
+su - ${cryptpad_user}
-chown www-data:www-data /var/www
+
 cd ${cryptpad_home_dir}
-# - Get cryptpad
+# - Get cryptpad - Clone the CryptPad repository
 # -
-su www-data -s /bin/bash -c "git clone https://github.com/xwiki-labs/cryptpad /var/www/cryptpad"
+git clone https://github.com/cryptpad/cryptpad.git ${cryptpad_install_dir}
 su www-data -s /bin/bash -c "git clone https://github.com/cryptpad/cryptpad.git /var/www/cryptpad"
 # Switch to the latest published tag
 #
-#su www-data -s /bin/bash -c "git checkout $(git tag -l | grep -v 'v1.*$' | sort -V | tail -n 1)"
+# git checkout $(git tag -l | grep -v 'v1.*$' | sort -V | tail -n 1)
-cd cryptpad
+cd ${cryptpad_install_dir}
 # - Complete Installation of cryptpad
 # -
-su www-data -s /bin/bash -c "npm install"
+npm ci
-# - Maybe you haave to run 
+# - Maybe you haave to run
 #
-#    su www-data -s /bin/bash -c "npm fund"
+#    # packages looking for funding
-#    su www-data -s /bin/bash -c "npm audit fix --force"
+#    #
 #    npm fund
 #
 #    # To address issues that do not require attention, run:
 #    #
 #    npm audit fix
 #
 npm fund
 npm audit fix
-su www-data -s /bin/bash -c "bower install"
+npm run install:components
 # ---
@ -216,29 +107,29 @@ cp -a config/config.example.js config/config.js
 # -    myDomain: oopen.de,
 # -
 if $(grep -q -E "\s*/?/?\s*adminEmail" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
-   perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" /var/www/cryptpad/config/config.js
+   perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" ${cryptpad_install_dir}/config/config.js
 else
-   perl -i -n -p -e"s/(\s*})/    adminEmail: 'admin\@oopen.de',\n\1/" /var/www/cryptpad/config/config.js
+   perl -i -n -p -e"s/(\s*})/    adminEmail: 'admin\@oopen.de',\n\1/" ${cryptpad_install_dir}/config/config.js
 fi
-perl -i -n -p -e"s#(\s*)(httpUnsafeOrigin:.*)#\1// \2\n\1httpUnsafeOrigin: 'https://${cryptpad_url}',#" /var/www/cryptpad/config/config.js
+perl -i -n -p -e"s#(\s*)(httpUnsafeOrigin:.*)#\1// \2\n\1httpUnsafeOrigin: 'https://${cryptpad_url}',#" ${cryptpad_install_dir}/config/config.js
-perl -i -n -p -e"s#(\s*)(/*\s*)(httpSafeOrigin:.*)#\1// \3\n\1httpSafeOrigin: 'https://${cryptpad_sandbox_url}',#" /var/www/cryptpad/config/config.js
+perl -i -n -p -e"s#(\s*)(/*\s*)(httpSafeOrigin:.*)#\1// \3\n\1httpSafeOrigin: 'https://${cryptpad_sandbox_url}',#" ${cryptpad_install_dir}/config/config.js
-perl -i -n -p -e"s#(\s*)(/*\s*)(httpAddress:.*)#\1// \3\n\1httpAddress: '::',#" /var/www/cryptpad/config/config.js
+perl -i -n -p -e"s#(\s*)(/*\s*)(httpAddress:.*)#\1// \3\n\1httpAddress: '::',#" ${cryptpad_install_dir}/config/config.js
 # - deaktivate donate Button
 # -
 if $(grep -q -E "\s*/?/?\s*removeDonateButton" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
-   perl -i -n -p -e"s#(\s*)(/*\s*)(removeDonateButton:.*)#\1//\3\n\1removeDonateButton: true,#" /var/www/cryptpad/config/config.js
+   perl -i -n -p -e"s#(\s*)(/*\s*)(removeDonateButton:.*)#\1//\3\n\1removeDonateButton: true,#" ${cryptpad_install_dir}/config/config.js
 else
-   perl -i -n -p -e"s/(\s*})/    removeDonateButton: true,\n\1/" /var/www/cryptpad/config/config.js
+   perl -i -n -p -e"s/(\s*})/    removeDonateButton: true,\n\1/" ${cryptpad_install_dir}/config/config.js
 fi
 # - Set storage..
 # -
-perl -i -n -p -e"s#(\s*)(/*\s*)(defaultStorageLimit:.*)#\1//\3\n\1defaultStorageLimit: 250 * 1024 * 1024,#" /var/www/cryptpad/config/config.js
+perl -i -n -p -e"s#(\s*)(/*\s*)(defaultStorageLimit:.*)#\1//\3\n\1defaultStorageLimit: 250 * 1024 * 1024,#" ${cryptpad_install_dir}/config/config.js
 # - Customizing CryptPad
 # -
@ -264,44 +155,85 @@ chown www-data:www-data /var/www/cryptpad/customize/main-favicon.png
 chown www-data:www-data /var/www/cryptpad/customize.dist/favicon.ico
 # Build static pages & Open Graph metadata
 #
 # To build some of CryptPad static pages & enable social media link previews, 
 # run the following command:
 #
 npm run build
 # Exit from cryptpad user
 #
 exit
 # ---
 # Systemd Unit
 # ---
-# - Run as daemon using systemd
+cat <<EOF > /etc/systemd/system/cryptpad.service
 # -
 cat << EOF > /etc/systemd/system/cryptpad.service
 [Unit]
-Description=CryptPad Service
+Description=CryptPad API server
 After=syslog.target network.target
 Requires=nginx.service
 [Service]
-Type=simple
+ExecStart=/usr/bin/node ${cryptpad_install_dir}/server.js
 User=www-data
 Group=www-data
 Environment='PWD="/var/www/cryptpad"'
 # modify to match the location of your cryptpad repository
-WorkingDirectory=/var/www/cryptpad
+WorkingDirectory=${cryptpad_install_dir}
 ExecStart=/usr/bin/node /var/www/cryptpad/server.js
-TimeoutSec=30
+Restart=always
 # Restart service after 10 seconds if node service crashes
 RestartSec=2
 Restart=always
-# Output to syslog
+# Proper logging to journald
-StandardOutput=syslog
+StandardOutput=journal
-StandardError=syslog
+StandardError=journal+console
 SyslogIdentifier=cryptpad
-## Modify these two values and uncomment them if you have lots of files and get an HTTP error 500 because of that
+User=${cryptpad_user}
-LimitMEMLOCK=infinity
+Group=${cryptpad_group}
-LimitNOFILE=65535
+# modify to match your working directory
-### If you want to bind CryptPad to a port below 1024 uncomment the two values below
+Environment='PWD="${cryptpad_install_dir}"'
-#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
-#AmbientCapabilities=CAP_NET_BIND_SERVICE
+# systemd sets the open file limit to 4000 unless you override it
 # cryptpad stores its data with the filesystem, so you should increase this to match the value of `ulimit -n`
 # or risk EMFILE errors.
 LimitNOFILE=1000000
 # hardening directives as per https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 # check those with systemd-analyze security cryptpad.service for more information
 # Proc filesystem
 ProcSubset=all
 ProtectProc=invisible
 # Capabilities
 CapabilityBoundingSet=
 # Security
 NoNewPrivileges=true
 # Sandboxing
 ProtectSystem=strict
 PrivateTmp=true
 PrivateDevices=true
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectControlGroups=true
 RestrictAddressFamilies=AF_INET
 RestrictAddressFamilies=AF_INET6
 RestrictAddressFamilies=AF_NETLINK
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=true
 LockPersonality=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 RemoveIPC=true
 PrivateMounts=true
 ProtectClock=true
 # System Call Filtering
 SystemCallArchitectures=native
 SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
 SystemCallFilter=@chown
 SystemCallFilter=pipe
 SystemCallFilter=pipe2
 ReadWritePaths=${cryptpad_install_dir}
 [Install]
 WantedBy=multi-user.target
@ -315,6 +247,119 @@ systemctl enable cryptpad
 systemctl start cryptpad
 # ==========
 # nginx vhost configuration
 # ==========
 cat <<EOF > /etc/nginx/sites-available/${vhost_config_file}
 # -- ${cryptpad_url}
 # we want restrict authentication to cryptpad sandbox urls "${cryptpad_sandbox_url}"
 #
 map \$http_host \$auth_type {
    default "off";               #This will turn off auth-basic
    ${cryptpad_sandbox_url} "Restricted";   #This or any other string will turn it back on
 }
 server {
   listen 80;
   listen [::]:80;
   server_name ${cryptpad_url};
   return 301 https://\$server_name\$request_uri;
 }
 #   This file is included strictly as an example of how Nginx can be configured
 #   to work with CryptPad. This example WILL NOT WORK AS IS. For best results,
 #   compare the sections of this configuration file against a working CryptPad
 #   installation (http server by the Nodejs process). If you are using CryptPad
 #   in production and require professional support please contact sales@cryptpad.fr
 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Let's Encrypt webroot
    #include letsencrypt-webroot;
    # ----------
    # !! inserted by ckubu !!
    #
    # Needed for (automated) updating certificate
    #
    include snippets/letsencrypt-acme-challenge.conf;
    #
    # ----------
    # CryptPad serves static assets over these two domains.
    # \`your-main-domain\` is what users will enter in their address bar.
    # Privileged computation such as key management is handled in this scope
    # UI content is loaded via the \`your-sandbox-domain\`.
    # "Content Security Policy" headers prevent content loaded via the sandbox
    # from accessing privileged information.
    # This setup allows to take advantage of CryptPad's sandboxing techniques.
    # In the event of an XSS vulnerability in CryptPad's front-end code
    # this will limit the amount of information accessible to attackers.
    server_name ${cryptpad_url} ${cryptpad_sandbox_url};
    # You'll need to Set the path to your certificates and keys here
    # IMPORTANT: this config is intended to serve assets for at least two domains
    # (your main domain and your sandbox domain). As such, you'll need to generate a single SSL certificate
    # that includes both domains in order for things to work as expected.
    ssl_certificate /var/lib/dehydrated/certs/${cryptpad_url}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${cryptpad_url}/privkey.pem;
    # diffie-hellman parameters are used to negotiate keys for your session
    # generate strong parameters using the following command
    ssl_dhparam /etc/nginx/ssl/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    # Speeds things up a little bit when resuming a session
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    # replace with the IP address of your resolver
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;
    location / {
        proxy_pass            http://localhost:3000;
        proxy_set_header      X-Real-IP \$remote_addr;
        proxy_set_header      Host \$host;
        proxy_set_header      X-Forwarded-For \$proxy_add_x_forwarded_for;
        client_max_body_size  150m;
        proxy_http_version    1.1;
        proxy_set_header      Upgrade \$http_upgrade;
        proxy_set_header      Connection upgrade;
    }
    # ----------
    # !! included by ckubu !!
    #
    # Only authenticated users
    #
    auth_basic "\$auth_type";
    auth_basic_user_file /etc/nginx/.htpasswd-o13-pad;
    #
    # ----------
 }
 EOF
 # ---
 # Basic Check of your configuration:
 # ---
@ -322,11 +367,3 @@ systemctl start cryptpad
 # In yout browser type:
 #
 #    https://${cryptpad_url}/checkup/
 # Maybe the the 'checkup' script recommends to run:
 #
 #  npm run build
 #
 # we have to do this under the webservice user www-data
 #
 su www-data -s /bin/bash -c "npm run build"