Merge branch 'master' of https://git.oopen.de/install/cryptpad

Add 'cp-flr.oopen.de':
OnlyOffice is now a separate module.
2024-09-30 01:03:15 +02:00 · 2024-09-30 01:02:30 +02:00 · 2024-09-30 00:59:44 +02:00 · 2024-04-18 19:27:13 +02:00 · 2024-01-06 14:21:36 +01:00 · 2023-12-29 15:11:13 +01:00
7 changed files with 860 additions and 223 deletions
--- a/README.OnlyOffice
+++ b/README.OnlyOffice
@ -0,0 +1,34 @@
 # ---
 # OnlyOffice is now a separate module
 #
 # OnlyOffice applications (Sheets, Document, Presentation) are not bundled with CryptPad
 # anymore. You can install/update them by running the installation script we provide:
 # ---
 cryptpad_user=cryptpad
 # - Stop cryptpad
 # -
 systemctl stop cryptpad
 # Stop iptables firewall
 #
 ipt-firewall-server flush
 ip6t-firewall-server flush
 # Login as CryptPad user
 #
 su - ${cryptpad_user}
 cd cryptpad
 # Install OnlyOffice 
 #
 #     ./install-onlyoffice.sh
 #     # press q to close the license screen
 #     # and Y ⏎ to accept the OnlyOffice license
 #
 ./install-onlyoffice.sh
--- a/README.copy-userdata-to-new-installation
+++ b/README.copy-userdata-to-new-installation
@ -2,8 +2,59 @@
 # Copy existing user data to new pad
 # =================
 cryptpad_user=cryptpad
-backup_date="2022-09-22-1001"
+# Stop cryptpad service
 #
 systemctl stop cryptpad.service
-cp -a  /var/www/cryptpad.BAK.${backup_date}/{blob,blobstage,block,datastore} /var/www/cryptpad/
+# login as cryptpad user
 # 
 su - ${cryptpad_user}
 backup_date="2023-12-12-1442"
 # Backup current installation
 #
 cp -a cryptpad cryptpad.CURRENT
 # Copy configuration file
 #
 cp cryptpad.BAK.${backup_date}/config/config.js cryptpad/config/config.js
 # Instanzkonfiguration
 #
 # Note:
 #    some settings cannot be changed once user accounts have been created.
 #
 cp cryptpad.BAK.${backup_date}/customize/application_config.js cryptpad/customize/application_config.js
 # Copy user data
 #
 #for i in blob blobstage block datastore ; do
 for i in data datastore block blob ; do
   echo""
   echo -e "   Syncing directory '${i}'.."
   rsync -a --delete /var/www/cryptpad/cryptpad.BAK.${backup_date}/$i /var/www/cryptpad/cryptpad/
   chown cryptpad:cryptpad /var/www/cryptpad/cryptpad/$i
 done
 # logoff from cryptpad user
 #
 exit
 # Start cryptpad service
 #
 systemctl start cryptpad.service
--- a/README.install
+++ b/README.install
@ -3,7 +3,7 @@
 # =================
 # - See: 
-# -    https://blog.cavebeat.org/2017/07/cryptpad-installation-on-debian-stretch/
+# -    https://docs.cryptpad.org/en/admin_guide/installation.html
 # -
 # - See also:
 # -    git repository:     https://github.com/xwiki-labs/cryptpad
@ -12,180 +12,122 @@
 cryptpad_url=cpad-01.oopen.de
 cryptpad_url=o13-pad.oopen.de
 cryptpad_url=o13-cryptpad.oopen.de
 cryptpad_url=pad.ra-kanzlei-kiel.de
 cryptpad_url=crpad.fluechtlingsrat-berlin.de
 # bei vorgeschalteter authentifizierung funktioniert 
 # eine *extra* sandbox url nicht. in diesem falle die gleiche
 # adresse nehmen wie für die hautp seite
 #
 #cryptpad_sandbox_url=cpadsb-01.oopen.de
 #cryptpad_sandbox_url=o13-padsb.oopen.de
 cryptpad_sandbox_url="$cryptpad_url"
 cryptpad_sandbox_url="cpadsb-01.oopen.de"
 cryptpad_sandbox_url="o13-padsb.oopen.de"
 cryptpad_sandbox_url="o13-cryptpadsb.oopen.de"
 cryptpad_sandbox_url="sandbox.pad.ra-kanzlei-kiel.de"
 cryptpad_sandbox_url="cpadsb.fluechtlingsrat-berlin.de"
 vhost_config_file="${cryptpad_url}.conf"
 cryptpad_user=cryptpad
 cryptpad_group=cryptpad
 cryptpad_gid=2010
 cryptpad_uid=2010
-# ----------
+cryptpad_base_dir=/var/www/cryptpad
-# - Pre-requisites
+cryptpad_home_dir="${cryptpad_base_dir}"
-# ----------
+cryptpad_install_dir="${cryptpad_home_dir}/cryptpad"
 # - Install curl, git
 # -
 apt-get install curl git-core
 # - Install Python
 # -
 apt-get install python-minimal python
 # debian bullseye:
 apt install python-is-python2 python2-minimal
 # - Install compiler stuff
 # -
 # -    apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
 # -       make automake autoconf libtool flex bison \
 # -       gettext pkg-config gnu-standards \
 # -       libssl-dev libreadline-dev libncurses-dev
 # -
 apt-get install gcc g++ make
-# ---
+# ==========
 # - Install Nginx webservice
 # ---
 apt-get install nginx
 # - Generate Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 # -
 mkdir /etc/nginx/ssl
 openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
 # ----------
 # - Create nginx configuration for CryptPad
 # -
 # - see: https://github.com/xwiki-labs/cryptpad/blob/main/docs/example.nginx.conf
 # -
 # ----------
 # ---
 # - Install NodeJS v6.x on Debian 9 Stretch
 # ---
 # - Creates the apt sources list file '/etc/apt/sources.list.d/nodesource.list' for 
 # - the NodeSource Node.js v6.x and also adds the NodeSource signing key to your keyring
 # -
 # -    curl -sL https://deb.nodesource.com/setup_6.x | bash -
 # -
 # - Hope nodejs version 14.x will work 
 # -
 # -     nodejs 6.0 does not yet work for actuall etherpad, which ist also installed 
 # -     on this server. 
 # -
 curl -sL https://deb.nodesource.com/setup_14.x | bash -
 apt-get update
 # - Install nodejs version 6.x from repository 'deb.nodesource.com'
 # -
 # - Tell the apt system to install nodejs from repository deb.nodesource.com
 # -
 # - You should pin the external source using the origin option to assign a high 
 # - priority to "the external source" instead of using the release name.
 # -
 # - e,g: Add the following lines to your /etc/apt/preferences.d/preferences:
 # -
 # -    Package: *
 # -    Pin: origin deb.nodesource.com
 # -    Pin-Priority: 1001
 # -
 if ! $(grep -E -q "^\s*Pin:\s+origin\s+deb.nodesource.com" /etc/apt/preferences.d/preferences) ; then
   cat <<EOF >> /etc/apt/preferences.d/preferences
 Package: *
 Pin: origin deb.nodesource.com
 Pin-Priority: 1001
 EOF
 fi
 # - Verify with 'apt-cache policy nodejs'
 # -
 # - Output must conatin somethin liek that:
 # -    Installationskandidat: 6.14.4-1nodesource1
 # -
 apt-cache policy nodejs
 # - Install nodejs..
 # -
 apt-get install nodejs
 # - An alternative possibility:
 # -
 # - 1. Show versions for nodejs
 # -
 # -    # aptitude versions nodejs
 # -
 # -    output may looks like:
 # -
 # -       i   6.14.4-1nodesource1                                     <NULL>                              500
 # -       p   10.15.2~dfsg-2                                          stable                              500
 # -
 # - 2. install nodejs 6.14.4-1nodesource1
 # -
 # -    apt-get install nodejs=6.14.4-1nodesource1
 # -                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
 # -
 # - Test if installation was successfully
 # -
 node -v
 npm -v
 # ---
 # - Install bower
 # ---
 # - Install bower (global)
 # -
 npm install -g bower
 # ---
 # - Create the user for the service:
-# ---
+# ==========
 mkdir -p /var/www/{.cache,.config,.local,.node-gyp,.npm,.private}
 chown -R www-data:www-data /var/www/{.cache,.config,.local,.node-gyp,.npm,.private}
 addgroup --gid $cryptpad_gid $cryptpad_group
 adduser --gid $cryptpad_uid --uid $cryptpad_uid --home $cryptpad_home_dir $cryptpad_user
-# ---
+
 # ==========
 # - Install cryptpad
-# ---
+# ==========
-cd /var/www/
+su - ${cryptpad_user}
-chown www-data:www-data /var/www
+
 cryptpad_base_dir=/var/www/cryptpad
 cryptpad_home_dir="${cryptpad_base_dir}"
 cryptpad_install_dir="${cryptpad_home_dir}/cryptpad"
 cryptpad_url=cpad-01.oopen.de
 cryptpad_url=o13-pad.oopen.de
 cryptpad_url=o13-cryptpad.oopen.de
 cryptpad_url=pad.ra-kanzlei-kiel.de
 cryptpad_url=crpad.fluechtlingsrat-berlin.de
-# - Get cryptpad
+cryptpad_sandbox_url="cpadsb-01.oopen.de"
 cryptpad_sandbox_url="o13-padsb.oopen.de"
 cryptpad_sandbox_url="o13-cryptpadsb.oopen.de"
 cryptpad_sandbox_url="sandbox.pad.ra-kanzlei-kiel.de"
 cryptpad_sandbox_url="cpadsb.fluechtlingsrat-berlin.de"
 cd ${cryptpad_home_dir}
 # - Get cryptpad - Clone the CryptPad repository
 # -
-su www-data -s /bin/bash -c "git clone https://github.com/xwiki-labs/cryptpad /var/www/cryptpad"
+git clone https://github.com/cryptpad/cryptpad.git ${cryptpad_install_dir}
 # Switch to the latest published tag
 #
 # git checkout $(git tag -l | grep -v 'v1.*$' | sort -V | tail -n 1)
 cd ${cryptpad_install_dir}
 # !!! NOTE
 # 
 #    Switch of IPv4 and IPv6 firewall
 #    ================================
 #
 #    You will run into connection limit if the setting is too sensitive
 #
 # !!! NOTE
 cd cryptpad
 # - Complete Installation of cryptpad
 # -
-su www-data -s /bin/bash -c "npm install"
+npm ci
-# - Maybe you haave to run 
+# - Maybe you haave to run
 #
-#    su www-data -s /bin/bash -c "npm fund"
+#    # packages looking for funding
-#    su www-data -s /bin/bash -c "npm audit fix --force"
+#    #
 #    npm fund
 #
 #    # To address issues that do not require attention, run:
 #    #
 #    npm audit fix
 #
 #npm fund
 #npm audit fix
 npm run install:components
 # Build static pages & Open Graph metadata
 #
 # To build some of CryptPad static pages & enable social media link previews, 
 # run the following command:
 #
 npm run build
 su www-data -s /bin/bash -c "bower install"
 # ---
@ -210,29 +152,71 @@ cp -a config/config.example.js config/config.js
 # -    myDomain: oopen.de,
 # -
 if $(grep -q -E "\s*/?/?\s*adminEmail" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
-   perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" /var/www/cryptpad/config/config.js
+   perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" ${cryptpad_install_dir}/config/config.js
 else
-   perl -i -n -p -e"s/(\s*})/    adminEmail: 'admin\@oopen.de',\n\1/" /var/www/cryptpad/config/config.js
+   perl -i -n -p -e"s/(\s*})/    adminEmail: 'admin\@oopen.de',\n\1/" ${cryptpad_install_dir}/config/config.js
 fi
-perl -i -n -p -e"s#(\s*)(httpUnsafeOrigin:.*)#\1// \2\n\1httpUnsafeOrigin: 'https://${cryptpad_url}',#" /var/www/cryptpad/config/config.js
+perl -i -n -p -e"s#(\s*)(httpUnsafeOrigin:.*)#\1// \2\n\1httpUnsafeOrigin: 'https://${cryptpad_url}',#" ${cryptpad_install_dir}/config/config.js
-perl -i -n -p -e"s#(\s*)(/*\s*)(httpSafeOrigin:.*)#\1// \3\n\1httpSafeOrigin: 'https://${cryptpad_sandbox_url}',#" /var/www/cryptpad/config/config.js
+perl -i -n -p -e"s#(\s*)(/*\s*)(httpSafeOrigin:.*)#\1// \3\n\1httpSafeOrigin: 'https://${cryptpad_sandbox_url}',#" ${cryptpad_install_dir}/config/config.js
-perl -i -n -p -e"s#(\s*)(/*\s*)(httpAddress:.*)#\1// \3\n\1httpAddress: '::',#" /var/www/cryptpad/config/config.js
+perl -i -n -p -e"s#(\s*)(/*\s*)(httpAddress:.*)#\1// \3\n\1httpAddress: '::',#" ${cryptpad_install_dir}/config/config.js
 # - deaktivate donate Button
 # -
 if $(grep -q -E "\s*/?/?\s*removeDonateButton" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
-   perl -i -n -p -e"s#(\s*)(/*\s*)(removeDonateButton:.*)#\1//\3\n\1removeDonateButton: true,#" /var/www/cryptpad/config/config.js
+   perl -i -n -p -e"s#(\s*)(/*\s*)(removeDonateButton:.*)#\1//\3\n\1removeDonateButton: true,#" ${cryptpad_install_dir}/config/config.js
 else
-   perl -i -n -p -e"s/(\s*})/    removeDonateButton: true,\n\1/" /var/www/cryptpad/config/config.js
+   perl -i -n -p -e"s/(\s*})/    removeDonateButton: true,\n\1/" ${cryptpad_install_dir}/config/config.js
 fi
 # - Set storage..
 # -
-perl -i -n -p -e"s#(\s*)(/*\s*)(defaultStorageLimit:.*)#\1//\3\n\1defaultStorageLimit: 250 * 1024 * 1024,#" /var/www/cryptpad/config/config.js
+perl -i -n -p -e"s#(\s*)(/*\s*)(defaultStorageLimit:.*)#\1//\3\n\1defaultStorageLimit: 250 * 1024 * 1024,#" ${cryptpad_install_dir}/config/config.js
 # - Instance customization
 # -
 # - The functionality as well as the look-and-feel of an instance can be customized 
 # - by creating a customize folder and copying assets to be customized (images, 
 # - stylesheets, page templates, etc) from customize.dist into it. If a file exists 
 # -in customize, it will be served to users instead of its namesake in customize.dist.
 # -
 # - The purpose of the customize directory is to make it easier to upgrade CryptPad 
 # - while maintaining customizations in place. Occasionally, a major new version may 
 # - introduce breaking changes or require adjustments in the customizations. 
 # - Administrators with customized instances are therefore encouraged to read 
 # - instructions carefully before each upgrade.
 # -
 mkdir -p ${cryptpad_install_dir}/cryptpad/customize
 # - Application config
 # -
 # - A wide range of settings are available in www/common/application_config_internal.js. 
 # - To modify them:
 # -
 # -   1. Make a copy of customize.dist/application_config.js in the customize folder.
 # -
 # -   2. Copy the default value(s) to modify from www/common/application_config_internal.js 
 # -      into customize/application_config.js.
 # -
 cp ${cryptpad_install_dir}/customize.dist/application_config.js ${cryptpad_install_dir}/customize/
 # - Restricting guest access
 # -
 # - To disable unregistered use of CryptPad, add the following to 
 # - customize/application_config.js:
 # - 
 # -    AppConfig.registeredOnlyTypes = AppConfig.availablePadTypes;
 # ---
 # - for further configurations see: 
 # -    https://docs.cryptpad.org/en/admin_guide/customization.html#application-config
 # ---
 # - Customizing CryptPad
 # -
@ -248,54 +232,93 @@ perl -i -n -p -e"s#(\s*)(/*\s*)(defaultStorageLimit:.*)#\1//\3\n\1defaultStorage
 # - '/customize.dist/' to '/customize' and then edit it there, this way you will
 # - still be able to pull from (and make pull requests to (!) the git repository.
 # -
-cp -a /var/www/cryptpad/customize.dist /var/www/cryptpad/customize
+#cp -a ${cryptpad_install_dir}/customize.dist ${cryptpad_install_dir}/cryptpad/customize
 # - Copy 'favicon.ico' to '/var/www/cryptpad/customize/main-favicon.png'
 # -
 cp ~chris/favicon.ico /var/www/cryptpad/customize/main-favicon.png
 cp ~chris/favicon.ico /var/www/cryptpad/customize.dist/
 chown www-data:www-data /var/www/cryptpad/customize/main-favicon.png
 chown www-data:www-data /var/www/cryptpad/customize.dist/favicon.ico
 # Install OnlyOffice - OnlyOffice is now a separate module
 #
 # OnlyOffice applications (Sheets, Document, Presentation) are not bundled with CryptPad 
 # anymore. You can install/update them by running the installation script we provide:
 #
 #     ./install-onlyoffice.sh
 #     # press q to close the license screen
 #     # and Y ⏎ to accept the OnlyOffice license
 #
 ./install-onlyoffice.sh
 # Exit from cryptpad user
 #
 exit
 # ---
 # Systemd Unit
 # ---
-# - Run as daemon using systemd
+cat <<EOF > /etc/systemd/system/cryptpad.service
 # -
 cat << EOF > /etc/systemd/system/cryptpad.service
 [Unit]
-Description=CryptPad Service
+Description=CryptPad API server
 After=syslog.target network.target
 Requires=nginx.service
 [Service]
-Type=simple
+ExecStart=/usr/bin/node ${cryptpad_install_dir}/server.js
 User=www-data
 Group=www-data
 Environment='PWD="/var/www/cryptpad"'
 # modify to match the location of your cryptpad repository
-WorkingDirectory=/var/www/cryptpad
+WorkingDirectory=${cryptpad_install_dir}
 ExecStart=/usr/bin/node /var/www/cryptpad/server.js
-TimeoutSec=30
+Restart=always
 # Restart service after 10 seconds if node service crashes
 RestartSec=2
 Restart=always
-# Output to syslog
+# Proper logging to journald
-StandardOutput=syslog
+StandardOutput=journal
-StandardError=syslog
+StandardError=journal+console
 SyslogIdentifier=cryptpad
-## Modify these two values and uncomment them if you have lots of files and get an HTTP error 500 because of that
+User=${cryptpad_user}
-LimitMEMLOCK=infinity
+Group=${cryptpad_group}
-LimitNOFILE=65535
+# modify to match your working directory
-### If you want to bind CryptPad to a port below 1024 uncomment the two values below
+Environment='PWD="${cryptpad_install_dir}"'
-#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
-#AmbientCapabilities=CAP_NET_BIND_SERVICE
+# systemd sets the open file limit to 4000 unless you override it
 # cryptpad stores its data with the filesystem, so you should increase this to match the value of `ulimit -n`
 # or risk EMFILE errors.
 LimitNOFILE=1000000
 # hardening directives as per https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 # check those with systemd-analyze security cryptpad.service for more information
 # Proc filesystem
 ProcSubset=all
 ProtectProc=invisible
 # Capabilities
 CapabilityBoundingSet=
 # Security
 NoNewPrivileges=true
 # Sandboxing
 ProtectSystem=strict
 PrivateTmp=true
 PrivateDevices=true
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectControlGroups=true
 RestrictAddressFamilies=AF_INET
 RestrictAddressFamilies=AF_INET6
 RestrictAddressFamilies=AF_NETLINK
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=true
 LockPersonality=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 RemoveIPC=true
 PrivateMounts=true
 ProtectClock=true
 # System Call Filtering
 SystemCallArchitectures=native
 SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
 SystemCallFilter=@chown
 SystemCallFilter=pipe
 SystemCallFilter=pipe2
 ReadWritePaths=${cryptpad_install_dir}
 [Install]
 WantedBy=multi-user.target
@ -309,6 +332,124 @@ systemctl enable cryptpad
 systemctl start cryptpad
 # ==========
 # nginx vhost configuration
 # ==========
 cat <<EOF > /etc/nginx/sites-available/${vhost_config_file}
 # -- ${cryptpad_url}
 # we want restrict authentication to cryptpad sandbox urls "${cryptpad_sandbox_url}"
 #
 map \$http_host \$auth_type {
    default "off";               #This will turn off auth-basic
    ${cryptpad_sandbox_url} "Restricted";   #This or any other string will turn it back on
 }
 server {
   listen 80;
   listen [::]:80;
   server_name ${cryptpad_url};
   return 301 https://\$server_name\$request_uri;
 }
 #   This file is included strictly as an example of how Nginx can be configured
 #   to work with CryptPad. This example WILL NOT WORK AS IS. For best results,
 #   compare the sections of this configuration file against a working CryptPad
 #   installation (http server by the Nodejs process). If you are using CryptPad
 #   in production and require professional support please contact sales@cryptpad.fr
 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Let's Encrypt webroot
    #include letsencrypt-webroot;
    # ----------
    # !! inserted by ckubu !!
    #
    # Needed for (automated) updating certificate
    #
    include snippets/letsencrypt-acme-challenge.conf;
    #
    # ----------
    # CryptPad serves static assets over these two domains.
    # \`your-main-domain\` is what users will enter in their address bar.
    # Privileged computation such as key management is handled in this scope
    # UI content is loaded via the \`your-sandbox-domain\`.
    # "Content Security Policy" headers prevent content loaded via the sandbox
    # from accessing privileged information.
    # This setup allows to take advantage of CryptPad's sandboxing techniques.
    # In the event of an XSS vulnerability in CryptPad's front-end code
    # this will limit the amount of information accessible to attackers.
    server_name ${cryptpad_url} ${cryptpad_sandbox_url};
    # You'll need to Set the path to your certificates and keys here
    # IMPORTANT: this config is intended to serve assets for at least two domains
    # (your main domain and your sandbox domain). As such, you'll need to generate a single SSL certificate
    # that includes both domains in order for things to work as expected.
    ssl_certificate /var/lib/dehydrated/certs/${cryptpad_url}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${cryptpad_url}/privkey.pem;
    # diffie-hellman parameters are used to negotiate keys for your session
    # generate strong parameters using the following command
    ssl_dhparam /etc/nginx/ssl/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    # Speeds things up a little bit when resuming a session
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    # replace with the IP address of your resolver
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;
    location / {
        proxy_pass            http://localhost:3000;
        proxy_set_header      X-Real-IP \$remote_addr;
        proxy_set_header      Host \$host;
        proxy_set_header      X-Forwarded-For \$proxy_add_x_forwarded_for;
        client_max_body_size  150m;
        proxy_http_version    1.1;
        proxy_set_header      Upgrade \$http_upgrade;
        proxy_set_header      Connection upgrade;
    }
    # ----------
    # !! included by ckubu !!
    #
    # Only authenticated users
    #
    auth_basic "\$auth_type";
    auth_basic_user_file /etc/nginx/.htpasswd-o13-pad;
    #
    # ----------
 }
 EOF
 ln -s ../sites-available/${vhost_config_file} /etc/nginx/sites-enabled/${vhost_config_file}
 nginx -t
 systemctl restart nginx
 # ---
 # Basic Check of your configuration:
 # ---
@ -316,11 +457,3 @@ systemctl start cryptpad
 # In yout browser type:
 #
 #    https://${cryptpad_url}/checkup/
 # Maybe the the 'checkup' script recommends to run:
 #
 #  npm run build
 #
 # we have to do this under the webservice user www-data
 #
 su www-data -s /bin/bash -c "npm run build"
--- a/README.install-node.js
+++ b/README.install-node.js
@ -1,28 +1,48 @@
 # ----------
 # - Install nodejs - (we use the official NodeJs LTS release)
 # ----------
-
+# Install Prerequisites
-apt update && apt full-upgrade
+#
 apt install curl \
-   gpg \
+   ca-certificates \
-   gnupg2 \
+   curl \
-   software-properties-common \
+   gnupg \
   apt-transport-https \
-   lsb-release ca-certificates
+   lsb-release
 # Download and import the Nodesource GPG key
 #
 mkdir -p /etc/apt/keyrings
 curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
-
+# Create debian repository
 # NODE_MAJOR=16
 # NODE_MAJOR=18
 # NODE_MAJOR=20
 #
-NODE_MAJOR=21
+NODE_MAJOR=20
 echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list
 # Run update
 #
 apt update
 # Install nodejs
 #
 apt install nodejs
 node -v
 npm -v
 # ----------
 # Uninstall nodejs Ubuntu & Debian packages
 # ----------
 # To completely remove Node.js installed from the deb.nodesource.com package methods above:
 #
 apt-get purge nodejs
 rm -r /etc/apt/sources.list.d/nodesource.list
 rm -r /etc/apt/keyrings/nodesource.gpg
 apt update
--- a/README.install.00
+++ b/README.install.00
@ -0,0 +1,326 @@
 # =================
 # - Install Cryptad on Debian 9 (stretch)
 # =================
 # - See: 
 # -    https://blog.cavebeat.org/2017/07/cryptpad-installation-on-debian-stretch/
 # -
 # - See also:
 # -    git repository:     https://github.com/xwiki-labs/cryptpad
 # -    installation guide: https://github.com/xwiki-labs/cryptpad/wiki/Installation-guide
 # - 
 cryptpad_url=cpad-01.oopen.de
 cryptpad_url=o13-pad.oopen.de
 # bei vorgeschalteter authentifizierung funktioniert 
 # eine *extra* sandbox url nicht. in diesem falle die gleiche
 # adresse nehmen wie für die hautp seite
 #
 #cryptpad_sandbox_url=cpadsb-01.oopen.de
 #cryptpad_sandbox_url=o13-padsb.oopen.de
 cryptpad_sandbox_url="$cryptpad_url"
 cryptpad_sandbox_url="cpadsb-01.oopen.de"
 cryptpad_sandbox_url="o13-padsb.oopen.de"
 vhost_config_file="${cryptpad_url}.conf"
 # ----------
 # - Pre-requisites
 # ----------
 # - Install curl, git
 # -
 apt-get install curl git-core
 # - Install Python
 # -
 apt-get install python-minimal python
 # debian bullseye:
 apt install python-is-python2 python2-minimal
 # - Install compiler stuff
 # -
 # -    apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
 # -       make automake autoconf libtool flex bison \
 # -       gettext pkg-config gnu-standards \
 # -       libssl-dev libreadline-dev libncurses-dev
 # -
 apt-get install gcc g++ make
 # ---
 # - Install Nginx webservice
 # ---
 apt-get install nginx
 # - Generate Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 # -
 mkdir /etc/nginx/ssl
 openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
 # ----------
 # - Create nginx configuration for CryptPad
 # -
 # - see: https://github.com/xwiki-labs/cryptpad/blob/main/docs/example.nginx.conf
 # -
 # ----------
 # ---
 # - Install NodeJS v6.x on Debian 9 Stretch
 # ---
 # - Creates the apt sources list file '/etc/apt/sources.list.d/nodesource.list' for 
 # - the NodeSource Node.js v6.x and also adds the NodeSource signing key to your keyring
 # -
 # -    curl -sL https://deb.nodesource.com/setup_6.x | bash -
 # -
 # - Hope nodejs version 14.x will work 
 # -
 # -     nodejs 6.0 does not yet work for actuall etherpad, which ist also installed 
 # -     on this server. 
 # -
 curl -sL https://deb.nodesource.com/setup_14.x | bash -
 apt-get update
 # - Install nodejs version 6.x from repository 'deb.nodesource.com'
 # -
 # - Tell the apt system to install nodejs from repository deb.nodesource.com
 # -
 # - You should pin the external source using the origin option to assign a high 
 # - priority to "the external source" instead of using the release name.
 # -
 # - e,g: Add the following lines to your /etc/apt/preferences.d/preferences:
 # -
 # -    Package: *
 # -    Pin: origin deb.nodesource.com
 # -    Pin-Priority: 1001
 # -
 if ! $(grep -E -q "^\s*Pin:\s+origin\s+deb.nodesource.com" /etc/apt/preferences.d/preferences) ; then
   cat <<EOF >> /etc/apt/preferences.d/preferences
 Package: *
 Pin: origin deb.nodesource.com
 Pin-Priority: 1001
 EOF
 fi
 # - Verify with 'apt-cache policy nodejs'
 # -
 # - Output must conatin somethin liek that:
 # -    Installationskandidat: 6.14.4-1nodesource1
 # -
 apt-cache policy nodejs
 # - Install nodejs..
 # -
 apt-get install nodejs
 # - An alternative possibility:
 # -
 # - 1. Show versions for nodejs
 # -
 # -    # aptitude versions nodejs
 # -
 # -    output may looks like:
 # -
 # -       i   6.14.4-1nodesource1                                     <NULL>                              500
 # -       p   10.15.2~dfsg-2                                          stable                              500
 # -
 # - 2. install nodejs 6.14.4-1nodesource1
 # -
 # -    apt-get install nodejs=6.14.4-1nodesource1
 # -                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
 # -
 # - Test if installation was successfully
 # -
 node -v
 npm -v
 # ---
 # - Install bower
 # ---
 # - Install bower (global)
 # -
 npm install -g bower
 # ---
 # - Create the user for the service:
 # ---
 mkdir -p /var/www/{.cache,.config,.local,.node-gyp,.npm,.private}
 chown -R www-data:www-data /var/www/{.cache,.config,.local,.node-gyp,.npm,.private}
 # ---
 # - Install cryptpad
 # ---
 cd /var/www/
 chown www-data:www-data /var/www
 # - Get cryptpad
 # -
 su www-data -s /bin/bash -c "git clone https://github.com/xwiki-labs/cryptpad /var/www/cryptpad"
 cd cryptpad
 # - Complete Installation of cryptpad
 # -
 su www-data -s /bin/bash -c "npm install"
 # - Maybe you haave to run 
 #
 #    su www-data -s /bin/bash -c "npm fund"
 #    su www-data -s /bin/bash -c "npm audit fix --force"
 su www-data -s /bin/bash -c "bower install"
 # ---
 # - Configure CryptPad
 # ---
 # - Create configuration file 'config.js'. (Copy the example file)
 # -
 # - The defaults should be good enough for most cases, but you may want to edit
 # - them. We recommend you read over the example file and change the values to
 # - fit your needs.
 cp -a config/config.example.js config/config.js
 # - Some base configuration
 # -
 # -    adminEmail: 'admin@oopen.de',
 # -    ...
 # -    httpUnsafeOrigin: http://localhost:3000
 # -    httpSafeOrigin: ${cryptpad_sandbox_url}
 # -    httpAddress: '::',
 # -    ...
 # -    myDomain: oopen.de,
 # -
 if $(grep -q -E "\s*/?/?\s*adminEmail" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
   perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" /var/www/cryptpad/config/config.js
 else
   perl -i -n -p -e"s/(\s*})/    adminEmail: 'admin\@oopen.de',\n\1/" /var/www/cryptpad/config/config.js
 fi
 perl -i -n -p -e"s#(\s*)(httpUnsafeOrigin:.*)#\1// \2\n\1httpUnsafeOrigin: 'https://${cryptpad_url}',#" /var/www/cryptpad/config/config.js
 perl -i -n -p -e"s#(\s*)(/*\s*)(httpSafeOrigin:.*)#\1// \3\n\1httpSafeOrigin: 'https://${cryptpad_sandbox_url}',#" /var/www/cryptpad/config/config.js
 perl -i -n -p -e"s#(\s*)(/*\s*)(httpAddress:.*)#\1// \3\n\1httpAddress: '::',#" /var/www/cryptpad/config/config.js
 # - deaktivate donate Button
 # -
 if $(grep -q -E "\s*/?/?\s*removeDonateButton" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
   perl -i -n -p -e"s#(\s*)(/*\s*)(removeDonateButton:.*)#\1//\3\n\1removeDonateButton: true,#" /var/www/cryptpad/config/config.js
 else
   perl -i -n -p -e"s/(\s*})/    removeDonateButton: true,\n\1/" /var/www/cryptpad/config/config.js
 fi
 # - Set storage..
 # -
 perl -i -n -p -e"s#(\s*)(/*\s*)(defaultStorageLimit:.*)#\1//\3\n\1defaultStorageLimit: 250 * 1024 * 1024,#" /var/www/cryptpad/config/config.js
 # - Customizing CryptPad
 # -
 # - In order allow a variety of features to be changed and to allow site-specific
 # - changes to CryptPad apps while still keeping the git repository pristine, this
 # - directory exists to allow a set of hooks to be run.
 # -
 # - The server is configured to load files from the '/customize/' path
 # - preferentially from 'cryptpad/customize/', and to fall back to 
 # - 'cryptpad/customize.dist/' if they are not found.
 # -
 # - If you wish to customize cryptpad, please **copy**
 # - '/customize.dist/' to '/customize' and then edit it there, this way you will
 # - still be able to pull from (and make pull requests to (!) the git repository.
 # -
 cp -a /var/www/cryptpad/customize.dist /var/www/cryptpad/customize
 # - Copy 'favicon.ico' to '/var/www/cryptpad/customize/main-favicon.png'
 # -
 cp ~chris/favicon.ico /var/www/cryptpad/customize/main-favicon.png
 cp ~chris/favicon.ico /var/www/cryptpad/customize.dist/
 chown www-data:www-data /var/www/cryptpad/customize/main-favicon.png
 chown www-data:www-data /var/www/cryptpad/customize.dist/favicon.ico
 # ---
 # Systemd Unit
 # ---
 # - Run as daemon using systemd
 # -
 cat << EOF > /etc/systemd/system/cryptpad.service
 [Unit]
 Description=CryptPad Service
 After=syslog.target network.target
 Requires=nginx.service
 [Service]
 Type=simple
 User=www-data
 Group=www-data
 Environment='PWD="/var/www/cryptpad"'
 # modify to match the location of your cryptpad repository
 WorkingDirectory=/var/www/cryptpad
 ExecStart=/usr/bin/node /var/www/cryptpad/server.js
 TimeoutSec=30
 # Restart service after 10 seconds if node service crashes
 RestartSec=2
 Restart=always
 # Output to syslog
 StandardOutput=syslog
 StandardError=syslog
 SyslogIdentifier=cryptpad
 ## Modify these two values and uncomment them if you have lots of files and get an HTTP error 500 because of that
 LimitMEMLOCK=infinity
 LimitNOFILE=65535
 ### If you want to bind CryptPad to a port below 1024 uncomment the two values below
 #CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 #AmbientCapabilities=CAP_NET_BIND_SERVICE
 [Install]
 WantedBy=multi-user.target
 EOF
 systemctl daemon-reload
 systemctl enable cryptpad
 # - Start cryptpad
 # -
 systemctl start cryptpad
 # ---
 # Basic Check of your configuration:
 # ---
 # In yout browser type:
 #
 #    https://${cryptpad_url}/checkup/
 # Maybe the the 'checkup' script recommends to run:
 #
 #  npm run build
 #
 # we have to do this under the webservice user www-data
 #
 su www-data -s /bin/bash -c "npm run build"
--- a/README.upgrade
+++ b/README.upgrade
@ -3,44 +3,68 @@
 # - Upgrading CryptPad
 # ====================
 # see: https://docs.cryptpad.org/en/admin_guide/maintenance.html#upgrading-cryptpad
 # - Note!
 # -
 # - Always read the release notes before upgrading, as there may be changes
 # - that require special consideration.
 cryptpad_user=cryptpad
 # - Stop cryptpad
 # -
 systemctl stop cryptpad
 # Stop iptables firewall
 #
 ipt-firewall-server flush
 ip6t-firewall-server flush
 # Login as CryptPad user
 #
 su - ${cryptpad_user}
 # - Backup existing installation
 # -
-cp -a /var/www/cryptpad /var/www/cryptpad.BAK.$(date +%Y-%m-%d-%H%M)
+cp -a cryptpad cryptpad.BAK.$(date +%Y-%m-%d-%H%M)
 # - Change into installation directory
 # -
-cd /var/www/cryptpad
+cd cryptpad
 # - Update Git repository
 # -
-su www-data -s /bin/bash -c "git pull"
+git pull
 npm update
 npm run install:components
 # - Update 'npm'
 # -
 su www-data -s /bin/bash -c "npm update"
-# - Update 'bower'
+# OnlyOffice is now a separate module
-# -
+#
-su www-data -s /bin/bash -c "bower update"
+# OnlyOffice applications (Sheets, Document, Presentation) are not bundled with CryptPad 
 # anymore. You can install/update them by running the installation script we provide:
 #
 #     ./install-onlyoffice.sh
 #     # press q to close the license screen
 #     # and Y ⏎ to accept the OnlyOffice license
 #
 ./install-onlyoffice.sh
-# - Maybe more updates
+
-# -
+exit
-   ╭─────────────────────────────────────╮
+
-   │                                     │
+
-   │   Update available 1.8.4 → 1.8.8    │
+# Restart firewll
-   │   Run npm i -g bower to update      │
+#
-   │                                     │
+ipt-firewall-server
-   ╰─────────────────────────────────────╯
+ip6t-firewall-server
 # - Start cryptpad
--- a/README.upgrade.00
+++ b/README.upgrade.00
@ -0,0 +1,49 @@
 # ====================
 # - Upgrading CryptPad
 # ====================
 # - Note!
 # -
 # - Always read the release notes before upgrading, as there may be changes
 # - that require special consideration.
 # - Stop cryptpad
 # -
 systemctl stop cryptpad
 # - Backup existing installation
 # -
 cp -a /var/www/cryptpad /var/www/cryptpad.BAK.$(date +%Y-%m-%d-%H%M)
 # - Change into installation directory
 # -
 cd /var/www/cryptpad
 # - Update Git repository
 # -
 su www-data -s /bin/bash -c "git pull"
 # - Update 'npm'
 # -
 su www-data -s /bin/bash -c "npm update"
 # - Update 'bower'
 # -
 su www-data -s /bin/bash -c "bower update"
 # - Maybe more updates
 # -
   ╭─────────────────────────────────────╮
   │                                     │
   │   Update available 1.8.4 → 1.8.8    │
   │   Run npm i -g bower to update      │
   │                                     │
   ╰─────────────────────────────────────╯
 # - Start cryptpad
 # -
 systemctl start cryptpad
Author	SHA1	Message	Date
Christoph	7fefa364a3	Merge branch 'master' of https://git.oopen.de/install/cryptpad	2024-09-30 01:03:15 +02:00
Christoph	e54a3045dc	Add 'cp-flr.oopen.de':	2024-09-30 01:02:30 +02:00
Christoph	e45e308e8e	OnlyOffice is now a separate module.	2024-09-30 00:59:44 +02:00
Christoph	8ed9555262	Update README.upgrade	2024-04-18 19:27:13 +02:00
Christoph	52657a71af	Update documentation.	2024-01-06 14:21:36 +01:00
Christoph	fa0cbc561b	README.install: add docu for 'pad.ra-kanzlei-kiel.de'.	2023-12-29 15:11:13 +01:00
Christoph	ea629fd5a1	Update README files..	2023-12-18 00:12:50 +01:00
Christoph	56df88d4f5	README.install: add notice about switching off firewall.	2023-12-17 18:41:23 +01:00
Christoph	f21dfa6edc	Update dokumentation.	2023-12-12 16:28:41 +01:00
Christoph	7bf365d747	file 'README.upgrade' is obsolete.	2023-12-11 19:42:59 +01:00
Christoph	21dbbe20f1	Adjust file 'README.copy-userdata-to-new-installation'.	2023-12-11 19:41:26 +01:00
Christoph	1020168077	README.install: chnages on 'look and feel' mybe later.	2023-12-11 18:34:04 +01:00
Christoph	d665f126aa	Replaced file 'README.install' with chnanged new installation instructions.	2023-12-11 18:03:32 +01:00
Christoph	f238b5fbd7	save old file 'README.install' to 'README.install.00'.	2023-12-11 15:51:42 +01:00
Christoph	9062d788ab	Add file 'README.install-node.js'.	2023-12-11 14:59:47 +01:00
Christoph	7bb08995f9	README.install: some minor changes..	2023-12-11 14:59:12 +01:00