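# =================
# - Install CryptPad on Debian 9 (stretch)
# =================
#
# This is an admin runbook: the commands are meant to be pasted step by step,
# not executed as one script (note the "su -" below, which starts a fresh
# shell for the service user).
#
# - See:
# -   https://docs.cryptpad.org/en/admin_guide/installation.html
# - See also:
# -   git repository:     https://github.com/xwiki-labs/cryptpad
# -   installation guide: https://github.com/xwiki-labs/cryptpad/wiki/Installation-guide
#

# ----------
# Instance selection
# ----------
# Exactly ONE main-URL / sandbox-URL pair may be active.  The original note
# listed every instance as successive assignments, so only the last pair
# actually took effect; the inactive pairs are kept here as comments.
#
#cryptpad_url=cpad-01.oopen.de
#cryptpad_url=o13-pad.oopen.de
#cryptpad_url=o13-cryptpad.oopen.de
#cryptpad_url=pad.ra-kanzlei-kiel.de
cryptpad_url=crpad.fluechtlingsrat-berlin.de

# The sandbox URL must be a DIFFERENT origin from the main URL: CryptPad's
# Content-Security-Policy sandboxing relies on it (see the nginx comments
# further down).
#
# If an authentication layer (nginx auth_basic) sits in front of CryptPad,
# a *separate* sandbox URL does not work; in that case use the same address
# as for the main page:
#
#cryptpad_sandbox_url="$cryptpad_url"
#
#cryptpad_sandbox_url="cpadsb-01.oopen.de"
#cryptpad_sandbox_url="o13-padsb.oopen.de"
#cryptpad_sandbox_url="o13-cryptpadsb.oopen.de"
#cryptpad_sandbox_url="sandbox.pad.ra-kanzlei-kiel.de"
cryptpad_sandbox_url="cpadsb.fluechtlingsrat-berlin.de"

vhost_config_file="${cryptpad_url}.conf"

# Dedicated, unprivileged service account.  Fixed uid/gid so that file
# ownership survives re-installs and backups.
cryptpad_user=cryptpad
cryptpad_group=cryptpad
cryptpad_gid=2010
cryptpad_uid=2010

cryptpad_base_dir=/var/www/cryptpad
cryptpad_home_dir="${cryptpad_base_dir}"
cryptpad_install_dir="${cryptpad_home_dir}/cryptpad"


# ==========
# - Create the user for the service
# ==========
#
# --gid takes the *group* id (the original note passed $cryptpad_uid here;
# harmless only because both are 2010).
# --disabled-password: a service account must not have a login password;
# root can still enter it with "su - ${cryptpad_user}".
addgroup --gid "$cryptpad_gid" "$cryptpad_group"
adduser --gid "$cryptpad_gid" --uid "$cryptpad_uid" \
        --home "$cryptpad_home_dir" \
        --disabled-password --gecos "CryptPad service" \
        "$cryptpad_user"


# ==========
# - Install CryptPad (as the service user)
# ==========
#
# "su -" starts a clean login shell: none of the variables above survive,
# so they are set again inside the new shell.  Keep the active instance
# pair identical to the one chosen above.
su - ${cryptpad_user}

cryptpad_base_dir=/var/www/cryptpad
cryptpad_home_dir="${cryptpad_base_dir}"
cryptpad_install_dir="${cryptpad_home_dir}/cryptpad"

#cryptpad_url=cpad-01.oopen.de
#cryptpad_url=o13-pad.oopen.de
#cryptpad_url=o13-cryptpad.oopen.de
#cryptpad_url=pad.ra-kanzlei-kiel.de
cryptpad_url=crpad.fluechtlingsrat-berlin.de

#cryptpad_sandbox_url="cpadsb-01.oopen.de"
#cryptpad_sandbox_url="o13-padsb.oopen.de"
#cryptpad_sandbox_url="o13-cryptpadsb.oopen.de"
#cryptpad_sandbox_url="sandbox.pad.ra-kanzlei-kiel.de"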
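cryptpad_sandbox_url="cpadsb.fluechtlingsrat-berlin.de"

cd "${cryptpad_home_dir}"

# - Get CryptPad: clone the repository
# -
git clone https://github.com/cryptpad/cryptpad.git "${cryptpad_install_dir}"
cd "${cryptpad_install_dir}"

# Deploy a released version, not whatever the default branch currently
# holds (unreleased commits are untested and may carry half-finished
# security fixes).  The original note had this checkout commented out.
# Picks the newest tag by version sort, skipping the v1.* series.
# Review the tag you are about to deploy (git show <tag>) before continuing.
git checkout "$(git tag -l | grep -v 'v1.*$' | sort -V | tail -n 1)"

# !!! NOTE
#
# Outbound connection limits on the host firewall (IPv4 and IPv6)
# ==============================================================
#
# "npm ci" opens many connections to the registry; a strict per-source
# connection limit makes the install fail.  Relax that limit (or disable
# the firewall) only for the duration of the install and re-enable it
# afterwards: the Node process binds port 3000 (see httpAddress below and
# the nginx proxy_pass), and that port must never be reachable from
# outside, since nginx is what provides TLS and the optional basic auth.
#
# !!! NOTE

# - Complete the installation of CryptPad
# -
# "npm ci" installs exactly what package-lock.json pins (reproducible,
# unlike "npm install").  Afterwards you may see:
#
#   # packages looking for funding
#   npm fund
#
#   # To address issues that do not require attention, run:
#   npm audit fix
#
# Run "npm audit" at least to read the report; "npm audit fix" can change
# pinned versions, so review its diff of package-lock.json before keeping it.
#npm fund
#npm audit fix

npm run install:components

# Build static pages & Open Graph metadata
#
# To build some of CryptPad's static pages and enable social media link
# previews, run:
npm run build


# ---
# - Configure CryptPad
# ---
# - Create the configuration file 'config.js' from the example file.
# -
# - The defaults should be good enough for most cases, but you may want to
# - edit them.  Read over the example file and change the values to fit your
# - needs.
#
# Do NOT clobber an existing config.js on a re-run of this runbook.
if [ ! -f config/config.js ] ; then
    cp -a config/config.example.js config/config.js
fi

# - Some base configuration (applied in the next step)
# -
# -   adminEmail:       admin@oopen.de
# -   ...
# -   httpUnsafeOrigin: https://${cryptpad_url}        (main origin)
# -   httpSafeOrigin:   https://${cryptpad_sandbox_url} (sandbox origin)
# -   httpAddress:      bind address of the Node server
# -   ...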
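# -   myDomain: oopen.de   (not set by this runbook; edit by hand if needed)
# -

config_file="${cryptpad_install_dir}/config/config.js"

# Admin contact shown by the instance; override before running if this
# instance is not operated by oopen.de.
cryptpad_admin_email="${cryptpad_admin_email:-admin@oopen.de}"

# set_config KEY VALUE
#
#   Sets KEY in config.js: an existing KEY line (active or commented out with
#   "//") is commented out and an active "KEY: VALUE," line is added right
#   after it.  If KEY is absent, the line is appended before the closing
#   "};" of module.exports (column 0 in config.example.js).
#
#   VALUE is inserted verbatim, so pass JavaScript syntax including quotes.
#   KEY and VALUE reach perl via the environment, not via shell
#   interpolation into the perl program: that way an "@" in an e-mail
#   address is not swallowed as a perl array interpolation.
#
#   Note: the original note grepped /var/www/cryptpad/config/config.js (the
#   home dir, not the install dir), so the "exists" branch never ran and
#   the fallback inserted the key before EVERY line containing "}".
set_config() {
    local key="$1" value="$2"

    if grep -q -E "^\s*(//)?\s*${key}\s*:" "${config_file}" 2> /dev/null ; then
        KEY="$key" VALUE="$value" perl -i -p -e \
            's#^(\s*)(//\s*)?($ENV{KEY}\s*:.*)#$1// $3\n$1$ENV{KEY}: $ENV{VALUE},#' \
            "${config_file}"
    else
        KEY="$key" VALUE="$value" perl -i -p -e \
            's#^};#    $ENV{KEY}: $ENV{VALUE},\n};#' \
            "${config_file}"
    fi
}

set_config adminEmail       "'${cryptpad_admin_email}'"
set_config httpUnsafeOrigin "'https://${cryptpad_url}'"
set_config httpSafeOrigin   "'https://${cryptpad_sandbox_url}'"

# Bind the Node server to loopback only.  The original note used '::'
# (all interfaces): combined with the "switch off the firewall" advice
# during install, that exposes the plain-HTTP, unauthenticated API on
# port 3000 next to the TLS/auth_basic front-end nginx provides.  nginx
# proxies to 127.0.0.1:3000 / localhost:3000, so loopback is all it needs.
set_config httpAddress      "'127.0.0.1'"

# - Deactivate the donate button
# -
set_config removeDonateButton true

# - Set the default storage limit per user (250 MiB)
# -
set_config defaultStorageLimit "250 * 1024 * 1024"


# - Instance customization
# -
# - The functionality as well as the look-and-feel of an instance can be
# - customized by creating a 'customize' folder and copying assets to be
# - customized (images, stylesheets, page templates, etc.) from
# - 'customize.dist' into it.  If a file exists in 'customize', it is served
# - to users instead of its namesake in 'customize.dist'.
# -
# - The purpose of the 'customize' directory is to make it easier to upgrade
# - CryptPad while keeping customizations in place.  Occasionally a major
# - new version may introduce breaking changes or require adjustments in
# - the customizations.  Administrators with customized instances are
# - therefore encouraged to read the instructions carefully before each
# - upgrade.
# -
# ${cryptpad_install_dir} already ends in /cryptpad; the original note
# created ${cryptpad_install_dir}/cryptpad/customize, a directory the
# server never looks at, and the cp below then failed because
# ${cryptpad_install_dir}/customize/ did not exist.
mkdir -p "${cryptpad_install_dir}/customize"

# - Application config
# -
# - A wide range of settings are available in
# - www/common/application_config_internal.js.  To modify them:
# -
# -   1. Make a copy of customize.dist/application_config.js in the
# -      customize folder.
# -   2. Copy the default value(s) to modify from
# -      www/common/application_config_internal.js into
# -      customize/application_config.js.
# -
cp "${cryptpad_install_dir}/customize.dist/application_config.js" \
   "${cryptpad_install_dir}/customize/"

# - Restricting guest access
# -
# - To disable unregistered use of CryptPad, add the following to
# - customize/application_config.js:
# -
# -   AppConfig.registeredOnlyTypes = AppConfig.availablePadTypes;
# -
# - Note that this is an application-level restriction only; anyone who
# - can reach the server can still register unless registration is
# - restricted separately.
#
# ---
# - For further configuration see:
# -   https://docs.cryptpad.org/en/admin_guide/customization.html#application-config
# ---

# - Customizing CryptPad
# -
# - In order to allow a variety of features to be changed, and to allow
# - site-specific changes to CryptPad apps while still keeping the git
# - repository pristine, the 'customize' directory exists so that a set of
# - hooks can be run.
# -
# - The server is configured to load files from the '/customize/' path
# - preferentially from 'cryptpad/customize/', and to fall back to
# - 'cryptpad/customize.dist/' if they are not found.
# -
# - If you wish to customize CryptPad, please **copy** '/customize.dist/'
# - to '/customize' and edit it there; this way you will still be able to
# - pull from (and make pull requests to) the git repository.
# -
#cp -a "${cryptpad_install_dir}/customize.dist" "${cryptpad_install_dir}/customize"


# Install OnlyOffice - OnlyOffice is now a separate module
#
# OnlyOffice applications (Sheets, Document, Presentation) are not bundled
# with CryptPad anymore.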
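# You can install/update them by running the installation script CryptPad
# provides (it fetches a prebuilt OnlyOffice distribution; read the script
# before running it, as with any installer that downloads binaries):
#
#   ./install-onlyoffice.sh
#
#   press q to close the license screen
#   and Y ⏎ to accept the OnlyOffice license
#
./install-onlyoffice.sh

# Exit from the cryptpad user back to the root shell (which still holds the
# variables set at the top of this runbook)
#
exit


# ---
# Systemd Unit
# ---
#
# The original note had lost the here-doc redirection ("cat < file");
# this writes the unit file.
cat <<EOF > /etc/systemd/system/cryptpad.service
[Unit]
Description=CryptPad API server

[Service]
ExecStart=/usr/bin/node ${cryptpad_install_dir}/server.js
# modify to match the location of your cryptpad repository
WorkingDirectory=${cryptpad_install_dir}

Restart=always
# Restart the service 2 seconds after the node process crashes
RestartSec=2

# Proper logging to journald
StandardOutput=journal
StandardError=journal+console

User=${cryptpad_user}
Group=${cryptpad_group}

# modify to match your working directory
Environment='PWD="${cryptpad_install_dir}"'

# systemd sets the open file limit to 4000 unless you override it.
# cryptpad stores its data in the filesystem, so increase this to match
# the value of 'ulimit -n' or risk EMFILE errors.
LimitNOFILE=1000000

# Hardening directives as per
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
# Check them with: systemd-analyze security cryptpad.service

# Proc filesystem
ProcSubset=all
ProtectProc=invisible

# Capabilities: the service needs none (it binds an unprivileged port)
CapabilityBoundingSet=

# Security
NoNewPrivileges=true

# Sandboxing
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
# Repeated RestrictAddressFamilies= lines are merged by systemd
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictAddressFamilies=AF_NETLINK
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
PrivateMounts=true
ProtectClock=true

# System Call Filtering
SystemCallArchitectures=native
SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
SystemCallFilter=@chown
SystemCallFilter=pipe
SystemCallFilter=pipe2

# With ProtectSystem=strict everything is read-only except this path.
# NOTE(review): this grants write access to the server's own code tree as
# well as its data; narrowing it to the data directories would stop a
# compromised process from modifying its own code - verify which
# directories CryptPad writes to before tightening.
ReadWritePaths=${cryptpad_install_dir}

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable cryptpad

# - Start cryptpad
# -
systemctl start cryptpad


# ==========
# nginx vhost configuration
# ==========
#
# htpasswd file used for the optional basic auth below.  The original note
# hard-coded the o13-pad file for every instance; keep one file per
# instance and set this variable before running.
cryptpad_htpasswd_file="${cryptpad_htpasswd_file:-/etc/nginx/.htpasswd-o13-pad}"
if [ ! -f "${cryptpad_htpasswd_file}" ] ; then
    echo "WARNING: ${cryptpad_htpasswd_file} does not exist - nginx -t will fail" >&2
fi

cat <<EOF > /etc/nginx/sites-available/${vhost_config_file}
# -- ${cryptpad_url}

# Basic auth is wanted on the sandbox origin "${cryptpad_sandbox_url}" only.
#
# \$host (not \$http_host) is used as the key: \$host is the normalised
# server name without a port, so "Host: ${cryptpad_sandbox_url}:443" cannot
# slip past the "Restricted" entry.
#
# CAVEAT: both origins are served by the same server block and the same
# proxy_pass, so this only gates the sandboxed UI; every asset and the
# API/websocket under "/" remain reachable without credentials via
# "${cryptpad_url}".  Treat it as a convenience lock on the UI, not as
# access control for the data.
map \$host \$auth_type {
    default "off";                          # turns auth_basic off
    ${cryptpad_sandbox_url} "Restricted";   # this or any other string turns it on
}

# Correct Connection header for WebSocket upgrades; plain requests get
# "close" instead of an unconditional "upgrade".
map \$http_upgrade \$connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name ${cryptpad_url};
    return 301 https://\$server_name\$request_uri;
}

# This file is derived from the example nginx configuration shipped with
# CryptPad.  Unlike the upstream example, which serves static assets from
# nginx, everything here is proxied to the Node.js process; compare against
# a working installation if something misbehaves.  If you are using CryptPad
# in production and require professional support, contact sales@cryptpad.fr
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Let's Encrypt webroot
    #include letsencrypt-webroot;

    # ----------
    # !! inserted by ckubu !!
    #
    # Needed for (automated) renewal of the certificate
    #
    include snippets/letsencrypt-acme-challenge.conf;
    #
    # ----------

    # CryptPad serves static assets over these two domains.
    # 'your-main-domain' is what users will enter in their address bar.
    # Privileged computation such as key management is handled in this scope.
    # UI content is loaded via the 'your-sandbox-domain'.
    # "Content Security Policy" headers prevent content loaded via the sandbox
    # from accessing privileged information.
    # This setup allows to take advantage of CryptPad's sandboxing techniques.
    # In the event of an XSS vulnerability in CryptPad's front-end code
    # this will limit the amount of information accessible to attackers.
    server_name ${cryptpad_url} ${cryptpad_sandbox_url};

    # You'll need to set the path to your certificates and keys here.
    # IMPORTANT: this config serves assets for at least two domains (your
    # main domain and your sandbox domain), so you need a single certificate
    # that covers both names for things to work as expected.
    ssl_certificate     /var/lib/dehydrated/certs/${cryptpad_url}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${cryptpad_url}/privkey.pem;

    # Diffie-Hellman parameters are used to negotiate keys for your session.
    # Generate strong parameters with (path must match the directive):
    #   openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Speeds things up a little bit when resuming a session
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # Resolver used for OCSP lookups: replace with your own resolver, these
    # are public ones
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;

    location / {
        # Node server bound to loopback (httpAddress in config.js)
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        client_max_body_size 150m;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$connection_upgrade;
    }

    # ----------
    # !! included by ckubu !!
    #
    # Basic auth on the sandbox origin only (see the map above and its caveat)
    #
    auth_basic "\$auth_type";
    auth_basic_user_file ${cryptpad_htpasswd_file};
    #
    # ----------
}
EOF

# -sfn: replace an existing link instead of failing on a re-run
ln -sfn "../sites-available/${vhost_config_file}" \
        "/etc/nginx/sites-enabled/${vhost_config_file}"

# Only (re)load nginx if the new configuration passes the syntax check;
# reload keeps existing connections alive, a restart is not needed.
nginx -t && systemctl reload nginx


# ---
# Basic check of your configuration
# ---
# In your browser open:
#
#   https://${cryptpad_url}/checkup/
#
# It verifies, among other things, that the main and sandbox origins are
# distinct and that the headers CryptPad expects arrive unmodified.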