385 lines
11 KiB
Plaintext
385 lines
11 KiB
Plaintext
# =================
|
|
# - Install Cryptad on Debian 9 (stretch)
|
|
# =================
|
|
|
|
# - See:
|
|
# - https://blog.cavebeat.org/2017/07/cryptpad-installation-on-debian-stretch/
|
|
# -
|
|
# - See also:
|
|
# - git repository: https://github.com/xwiki-labs/cryptpad
|
|
# - installation guide: https://github.com/xwiki-labs/cryptpad/wiki/Installation-guide
|
|
# -
|
|
|
|
|
|
# ----------
|
|
# - Pre-requisites
|
|
# ----------
|
|
|
|
# - Install curl, git
|
|
# -
|
|
apt-get install curl git-core
|
|
|
|
# - Install Python
|
|
# -
|
|
apt-get install python-minimal python
|
|
|
|
# - Install compiler stuff
|
|
# -
|
|
# - apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
|
|
# - make automake autoconf libtool flex bison \
|
|
# - gettext pkg-config gnu-standards \
|
|
# - libssl-dev libreadline-dev libncurses-dev
|
|
# -
|
|
apt-get install gcc g++ make
|
|
|
|
|
|
# ---
|
|
# - Install Nginx webservice
|
|
# ---
|
|
|
|
apt-get install nginx
|
|
|
|
# - Generate Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
|
|
# -
|
|
mkdir /etc/nginx/ssl
|
|
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
|
|
|
|
# - Create nginx configuration for CryptPad
|
|
# -
|
|
cryptpad_url=cpad-01.oopen.de
|
|
|
|
cat <<EOF > cpad-01.oopen.de.conf
|
|
# -- $cryptpad_url
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name $cryptpad_url;
|
|
return 301 https://\$server_name\$request_uri;
|
|
}
|
|
|
|
server {
|
|
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name $cryptpad_url;
|
|
|
|
ssl_certificate /var/lib/dehydrated/certs/$cryptpad_url/fullchain.pem;
|
|
ssl_certificate_key /var/lib/dehydrated/certs/$cryptpad_url/privkey.pem;
|
|
#ssl_trusted_certificate /var/lib/dehydrated/certs/$cryptpad_url/fullchain.pem;
|
|
|
|
# - Needed for (automated) updating certificate
|
|
# -
|
|
include snippets/letsencrypt-acme-challenge.conf;
|
|
|
|
|
|
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
|
|
#
|
|
# To generate a dhparam.pem file, run in a terminal
|
|
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
|
|
#
|
|
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
|
|
|
|
|
# Eable session resumption to improve https performance
|
|
ssl_session_cache shared:SSL:50m;
|
|
ssl_session_timeout 10m;
|
|
ssl_session_tickets off;
|
|
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE
|
|
|
|
# ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
|
|
# Everything better than SHA1 (deprecated)
|
|
#
|
|
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000" always;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Content-Type-Options nosniff;
|
|
#add_header X-Frame-Options "SAMEORIGIN";
|
|
|
|
root /var/www/cryptpad;
|
|
index index.html;
|
|
error_page 404 /customize.dist/404.html;
|
|
|
|
if (\$args ~ ver=) {
|
|
set \$cacheControl max-age=31536000;
|
|
}
|
|
# Will not set any header if it is emptystring
|
|
#
|
|
add_header Cache-Control \$cacheControl;
|
|
|
|
|
|
# - Does not work with CKEditor and OnlyOffice
|
|
# -
|
|
#set \$styleSrc "'unsafe-inline' 'self' $cryptpad_url";
|
|
#set \$scriptSrc "'self' $cryptpad_url";
|
|
#set \$connectSrc "'self' https://$cryptpad_url wss://$cryptpad_url $cryptpad_url https://api.$cryptpad_url blob: $cryptpad_url";
|
|
#set \$fontSrc "'self' data: $cryptpad_url";
|
|
#set \$imgSrc "'self' data: * blob: $cryptpad_url";
|
|
#set \$frameSrc "'self' $cryptpad_url blob: $cryptpad_url";
|
|
#set \$mediaSrc "'self' data: * blob: $cryptpad_url";
|
|
#set \$childSrc "https://$cryptpad_url";
|
|
#set \$workerSrc "https://$cryptpad_url";
|
|
#
|
|
#set \$unsafe 0;
|
|
#if (\$uri = "/pad/inner.html") { set \$unsafe 1; }
|
|
#if (\$uri = "/sheet/inner.html") { set \$unsafe 1; }
|
|
#if (\$uri = "/common/onlyoffice/web-apps/apps/spreadsheeteditor/main/index.html") { set \$unsafe 1; }
|
|
#if (\$host != sandbox.cryptpad.info) { set \$unsafe 0; }
|
|
#if (\$unsafe) {
|
|
# set \$scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' $cryptpad_url";
|
|
#}
|
|
|
|
|
|
# - Make CKEditor and OnlyOffice working
|
|
# -
|
|
# - See /var/www/cryptpad/config.js (contentSecurity,padContentSecurity, ooContentSecurity)
|
|
# -
|
|
set \$styleSrc "'unsafe-inline' 'self' $cryptpad_url";
|
|
set \$scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' $cryptpad_url";
|
|
set \$connectSrc "'self' ws: wss: $cryptpad_url";
|
|
set \$fontSrc "'self' data: $cryptpad_url";
|
|
set \$imgSrc " * blob:";
|
|
set \$frameSrc "*";
|
|
set \$mediaSrc "'self' data: * blob: $cryptpad_url";
|
|
set \$childSrc *;
|
|
set \$workerSrc "https://$cryptpad_url";
|
|
|
|
add_header Content-Security-Policy "default-src 'none'; child-src \$childSrc; worker-src \$workerSrc; media-src \$mediaSrc; style-src \$styleSrc; script-src \$scriptSrc; connect-src \$connectSrc; font-src \$fontSrc; img-src \$imgSrc; frame-src \$frameSrc;";
|
|
|
|
location ^~ /cryptpad_websocket {
|
|
proxy_pass http://localhost:3000;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
|
|
# WebSocket support (nginx 1.4)
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade \$http_upgrade;
|
|
proxy_set_header Connection upgrade;
|
|
}
|
|
|
|
location ^~ /customize.dist/ {
|
|
# This is needed in order to prevent infinite recursion between /customize/ and the root
|
|
}
|
|
location ^~ /customize/ {
|
|
rewrite ^/customize/(.*)\$ \$1 break;
|
|
try_files /customize/\$uri /customize.dist/\$uri;
|
|
}
|
|
|
|
location = /api/config {
|
|
proxy_pass http://localhost:3000;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
}
|
|
|
|
location ^~ /blob/ {
|
|
add_header Cache-Control max-age=31536000;
|
|
try_files \$uri =404;
|
|
}
|
|
|
|
location ^~ /block/ {
|
|
add_header Cache-Control max-age=0;
|
|
try_files \$uri =404;
|
|
}
|
|
|
|
location ^~ /datastore/ {
|
|
add_header Cache-Control max-age=0;
|
|
try_files \$uri =404;
|
|
}
|
|
|
|
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet)\$ {
|
|
rewrite ^(.*)\$ \$1/ redirect;
|
|
}
|
|
|
|
try_files /www/\$uri /www/\$uri/index.html /customize/\$uri;
|
|
|
|
}
|
|
EOF
|
|
|
|
|
|
# ---
|
|
# - Install NodeJS v6.x on Debian 9 Stretch
|
|
# ---
|
|
|
|
# - Creates the apt sources list file '/etc/apt/sources.list.d/nodesource.list' for
|
|
# - the NodeSource Node.js v6.x and also adds the NodeSource signing key to your keyring
|
|
# -
|
|
# - curl -sL https://deb.nodesource.com/setup_6.x | bash -
|
|
# -
|
|
# - Hope nodejs version 14.x will work
|
|
# -
|
|
# - nodejs 6.0 does not yet work for actuall etherpad, which ist also installed
|
|
# - on this server.
|
|
# -
|
|
curl -sL https://deb.nodesource.com/setup_14.x | bash -
|
|
apt-get update
|
|
|
|
# - Install nodejs version 6.x from repository 'deb.nodesource.com'
|
|
# -
|
|
|
|
# - Tell the apt system to install nodejs from repository deb.nodesource.com
|
|
# -
|
|
# - You should pin the external source using the origin option to assign a high
|
|
# - priority to "the external source" instead of using the release name.
|
|
# -
|
|
# - e,g: Add the following lines to your /etc/apt/preferences.d/preferences:
|
|
# -
|
|
# - Package: *
|
|
# - Pin: origin deb.nodesource.com
|
|
# - Pin-Priority: 1001
|
|
# -
|
|
if ! $(grep -E -q "^\s*Pin:\s+origin\s+deb.nodesource.com" /etc/apt/preferences.d/preferences) ; then
|
|
cat <<EOF >> /etc/apt/preferences.d/preferences
|
|
Package: *
|
|
Pin: origin deb.nodesource.com
|
|
Pin-Priority: 1001
|
|
EOF
|
|
fi
|
|
|
|
# - Verify with 'apt-cache policy nodejs'
|
|
# -
|
|
# - Output must conatin somethin liek that:
|
|
# - Installationskandidat: 6.14.4-1nodesource1
|
|
# -
|
|
apt-cache policy nodejs
|
|
|
|
# - Install nodejs..
|
|
# -
|
|
apt-get install nodejs
|
|
|
|
# - An alternative possibility:
|
|
# -
|
|
# - 1. Show versions for nodejs
|
|
# -
|
|
# - # aptitude versions nodejs
|
|
# -
|
|
# - output may looks like:
|
|
# -
|
|
# - i 6.14.4-1nodesource1 <NULL> 500
|
|
# - p 10.15.2~dfsg-2 stable 500
|
|
# -
|
|
# - 2. install nodejs 6.14.4-1nodesource1
|
|
# -
|
|
# - apt-get install nodejs=6.14.4-1nodesource1
|
|
# - ^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
# -
|
|
|
|
# - Test if installation was successfully
|
|
# -
|
|
node -v
|
|
npm -v
|
|
|
|
|
|
# ---
|
|
# - Install bower
|
|
# ---
|
|
|
|
# - Install bower (global)
|
|
# -
|
|
npm install -g bower
|
|
|
|
|
|
# ---
|
|
# - Install cryptpad
|
|
# ---
|
|
|
|
cd /var/www
|
|
|
|
# - Create needed folders
|
|
# -
|
|
mkdir /var/www/{.cache,.config,.local,.node-gyp,.npm}
|
|
chown www-data:www-data /var/www/{.cache,.config,.local,.node-gyp,.npm}
|
|
|
|
# - Get cryptpad
|
|
# -
|
|
git clone https://github.com/xwiki-labs/cryptpad
|
|
chown -R www-data:www-data cryptpad
|
|
cd cryptpad
|
|
|
|
# - Complete Installation of cryptpad
|
|
# -
|
|
su www-data -s /bin/bash -c "npm install"
|
|
|
|
su www-data -s /bin/bash -c "bower install"
|
|
|
|
|
|
# ---
|
|
# - Configure CryptPad
|
|
# ---
|
|
|
|
# - Create configuration file 'config.js'. (Copy the example file)
|
|
# -
|
|
# - The defaults should be good enough for most cases, but you may want to edit
|
|
# - them. We recommend you read over the example file and change the values to
|
|
# - fit your needs.
|
|
cp -a config/config.example.js config/config.js
|
|
|
|
# - Some base configuration
|
|
# -
|
|
# - adminEmail: 'admin.de',
|
|
# - ...
|
|
# - myDomain: oopen.de,
|
|
# -
|
|
perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" /var/www/cryptpad/config/config.js
|
|
perl -i -n -p -e"s#(\s*)(myDomain:.*)#\1// \2\n\1myDomain: oopen.de,#" /var/www/cryptpad/config/config.js
|
|
|
|
# - deaktivate donate Button
|
|
# -
|
|
perl -i -n -p -e"s#(\s*)(//removeDonateButton:.*)#\1\2\n\1removeDonateButton: true,#" /var/www/cryptpad/config/config.js
|
|
|
|
# - Set storage..
|
|
# -
|
|
perl -i -n -p -e"s#(\s*)(//defaultStorageLimit:.*)#\1\2\n\1defaultStorageLimit: 250 * 1024 * 1024,#" /var/www/cryptpad/config/config.js
|
|
|
|
# - Customizing CryptPad
|
|
# -
|
|
# - In order allow a variety of features to be changed and to allow site-specific
|
|
# - changes to CryptPad apps while still keeping the git repository pristine, this
|
|
# - directory exists to allow a set of hooks to be run.
|
|
# -
|
|
# - The server is configured to load files from the '/customize/' path
|
|
# - preferentially from 'cryptpad/customize/', and to fall back to
|
|
# - 'cryptpad/customize.dist/' if they are not found.
|
|
# -
|
|
# - If you wish to customize cryptpad, please **copy**
|
|
# - '/customize.dist/' to '/customize' and then edit it there, this way you will
|
|
# - still be able to pull from (and make pull requests to (!) the git repository.
|
|
# -
|
|
cp -a /var/www/cryptpad/customize.dist /var/www/cryptpad/customize
|
|
|
|
# - Copy 'favicon.ico' to '/var/www/cryptpad/customize/main-favicon.png'
|
|
# -
|
|
cp ~chris/favicon.ico /var/www/cryptpad/customize/main-favicon.png
|
|
|
|
# - Run as daemon using systemd
|
|
# -
|
|
cat << EOF > /etc/systemd/system/cryptpad.service
|
|
[Unit]
|
|
Description=CryptPad service
|
|
|
|
[Service]
|
|
User=www-data
|
|
Group=www-data
|
|
|
|
ExecStart=/usr/bin/node /var/www/cryptpad/server.js
|
|
WorkingDirectory=/var/www/cryptpad
|
|
Restart=always
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
|
|
systemctl daemon-reload
|
|
systemctl enable cryptpad
|
|
|
|
# - Start cryptpad
|
|
# -
|
|
systemctl start cryptpad
|
|
|