install/cryptpad
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
e45e308e8e
cryptpad/README.install

455 lines
14 KiB
Plaintext
Raw Blame History

# =================
# - Install Cryptad on Debian 9 (stretch)
# =================
# - See:
# - https://docs.cryptpad.org/en/admin_guide/installation.html
# -
# - See also:
# - git repository: https://github.com/xwiki-labs/cryptpad
# - installation guide: https://github.com/xwiki-labs/cryptpad/wiki/Installation-guide
# -
cryptpad_url=cpad-01.oopen.de
cryptpad_url=o13-pad.oopen.de
cryptpad_url=o13-cryptpad.oopen.de
cryptpad_url=pad.ra-kanzlei-kiel.de
# bei vorgeschalteter authentifizierung funktioniert
# eine *extra* sandbox url nicht. in diesem falle die gleiche
# adresse nehmen wie für die hautp seite
#
cryptpad_sandbox_url="$cryptpad_url"
cryptpad_sandbox_url="cpadsb-01.oopen.de"
cryptpad_sandbox_url="o13-padsb.oopen.de"
cryptpad_sandbox_url="o13-cryptpadsb.oopen.de"
cryptpad_sandbox_url="sandbox.pad.ra-kanzlei-kiel.de"
vhost_config_file="${cryptpad_url}.conf"
cryptpad_user=cryptpad
cryptpad_group=cryptpad
cryptpad_gid=2010
cryptpad_uid=2010
cryptpad_base_dir=/var/www/cryptpad
cryptpad_home_dir="${cryptpad_base_dir}"
cryptpad_install_dir="${cryptpad_home_dir}/cryptpad"
# ==========
# - Create the user for the service:
# ==========
addgroup --gid $cryptpad_gid $cryptpad_group
adduser --gid $cryptpad_uid --uid $cryptpad_uid --home $cryptpad_home_dir $cryptpad_user
# ==========
# - Install cryptpad
# ==========
su - ${cryptpad_user}
cryptpad_base_dir=/var/www/cryptpad
cryptpad_home_dir="${cryptpad_base_dir}"
cryptpad_install_dir="${cryptpad_home_dir}/cryptpad"
cryptpad_url=cpad-01.oopen.de
cryptpad_url=o13-pad.oopen.de
cryptpad_url=o13-cryptpad.oopen.de
cryptpad_url=pad.ra-kanzlei-kiel.de
cryptpad_sandbox_url="cpadsb-01.oopen.de"
cryptpad_sandbox_url="o13-padsb.oopen.de"
cryptpad_sandbox_url="o13-cryptpadsb.oopen.de"
cryptpad_sandbox_url="sandbox.pad.ra-kanzlei-kiel.de"
cd ${cryptpad_home_dir}
# - Get cryptpad - Clone the CryptPad repository
# -
git clone https://github.com/cryptpad/cryptpad.git ${cryptpad_install_dir}
# Switch to the latest published tag
#
# git checkout $(git tag -l | grep -v 'v1.*$' | sort -V | tail -n 1)
cd ${cryptpad_install_dir}
# !!! NOTE
#
# Switch of IPv4 and IPv6 firewall
# ================================
#
# You will run into connection limit if the setting is too sensitive
#
# !!! NOTE
# - Complete Installation of cryptpad
# -
npm ci
# - Maybe you haave to run
#
# # packages looking for funding
# #
# npm fund
#
# # To address issues that do not require attention, run:
# #
# npm audit fix
#
#npm fund
#npm audit fix
npm run install:components
# Build static pages & Open Graph metadata
#
# To build some of CryptPad static pages & enable social media link previews,
# run the following command:
#
npm run build
# ---
# - Configure CryptPad
# ---
# - Create configuration file 'config.js'. (Copy the example file)
# -
# - The defaults should be good enough for most cases, but you may want to edit
# - them. We recommend you read over the example file and change the values to
# - fit your needs.
cp -a config/config.example.js config/config.js
# - Some base configuration
# -
# - adminEmail: 'admin@oopen.de',
# - ...
# - httpUnsafeOrigin: http://localhost:3000
# - httpSafeOrigin: ${cryptpad_sandbox_url}
# - httpAddress: '::',
# - ...
# - myDomain: oopen.de,
# -
if $(grep -q -E "\s*/?/?\s*adminEmail" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" ${cryptpad_install_dir}/config/config.js
else
perl -i -n -p -e"s/(\s*})/ adminEmail: 'admin\@oopen.de',\n\1/" ${cryptpad_install_dir}/config/config.js
fi
perl -i -n -p -e"s#(\s*)(httpUnsafeOrigin:.*)#\1// \2\n\1httpUnsafeOrigin: 'https://${cryptpad_url}',#" ${cryptpad_install_dir}/config/config.js
perl -i -n -p -e"s#(\s*)(/*\s*)(httpSafeOrigin:.*)#\1// \3\n\1httpSafeOrigin: 'https://${cryptpad_sandbox_url}',#" ${cryptpad_install_dir}/config/config.js
perl -i -n -p -e"s#(\s*)(/*\s*)(httpAddress:.*)#\1// \3\n\1httpAddress: '::',#" ${cryptpad_install_dir}/config/config.js
# - deaktivate donate Button
# -
if $(grep -q -E "\s*/?/?\s*removeDonateButton" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
perl -i -n -p -e"s#(\s*)(/*\s*)(removeDonateButton:.*)#\1//\3\n\1removeDonateButton: true,#" ${cryptpad_install_dir}/config/config.js
else
perl -i -n -p -e"s/(\s*})/ removeDonateButton: true,\n\1/" ${cryptpad_install_dir}/config/config.js
fi
# - Set storage..
# -
perl -i -n -p -e"s#(\s*)(/*\s*)(defaultStorageLimit:.*)#\1//\3\n\1defaultStorageLimit: 250 * 1024 * 1024,#" ${cryptpad_install_dir}/config/config.js
# - Instance customization
# -
# - The functionality as well as the look-and-feel of an instance can be customized
# - by creating a customize folder and copying assets to be customized (images,
# - stylesheets, page templates, etc) from customize.dist into it. If a file exists
# -in customize, it will be served to users instead of its namesake in customize.dist.
# -
# - The purpose of the customize directory is to make it easier to upgrade CryptPad
# - while maintaining customizations in place. Occasionally, a major new version may
# - introduce breaking changes or require adjustments in the customizations.
# - Administrators with customized instances are therefore encouraged to read
# - instructions carefully before each upgrade.
# -
mkdir -p ${cryptpad_install_dir}/cryptpad/customize
# - Application config
# -
# - A wide range of settings are available in www/common/application_config_internal.js.
# - To modify them:
# -
# - 1. Make a copy of customize.dist/application_config.js in the customize folder.
# -
# - 2. Copy the default value(s) to modify from www/common/application_config_internal.js
# - into customize/application_config.js.
# -
cp ${cryptpad_install_dir}/customize.dist/application_config.js ${cryptpad_install_dir}/customize/
# - Restricting guest access
# -
# - To disable unregistered use of CryptPad, add the following to
# - customize/application_config.js:
# -
# - AppConfig.registeredOnlyTypes = AppConfig.availablePadTypes;
# ---
# - for further configurations see:
# - https://docs.cryptpad.org/en/admin_guide/customization.html#application-config
# ---
# - Customizing CryptPad
# -
# - In order allow a variety of features to be changed and to allow site-specific
# - changes to CryptPad apps while still keeping the git repository pristine, this
# - directory exists to allow a set of hooks to be run.
# -
# - The server is configured to load files from the '/customize/' path
# - preferentially from 'cryptpad/customize/', and to fall back to
# - 'cryptpad/customize.dist/' if they are not found.
# -
# - If you wish to customize cryptpad, please **copy**
# - '/customize.dist/' to '/customize' and then edit it there, this way you will
# - still be able to pull from (and make pull requests to (!) the git repository.
# -
#cp -a ${cryptpad_install_dir}/customize.dist ${cryptpad_install_dir}/cryptpad/customize
# Install OnlyOffice - OnlyOffice is now a separate module
#
# OnlyOffice applications (Sheets, Document, Presentation) are not bundled with CryptPad
# anymore. You can install/update them by running the installation script we provide:
#
# ./install-onlyoffice.sh
# # press q to close the license screen
# # and Y ⏎ to accept the OnlyOffice license
#
./install-onlyoffice.sh
# Exit from cryptpad user
#
exit
# ---
# Systemd Unit
# ---
cat <<EOF > /etc/systemd/system/cryptpad.service
[Unit]
Description=CryptPad API server
[Service]
ExecStart=/usr/bin/node ${cryptpad_install_dir}/server.js
# modify to match the location of your cryptpad repository
WorkingDirectory=${cryptpad_install_dir}
Restart=always
# Restart service after 10 seconds if node service crashes
RestartSec=2
# Proper logging to journald
StandardOutput=journal
StandardError=journal+console
User=${cryptpad_user}
Group=${cryptpad_group}
# modify to match your working directory
Environment='PWD="${cryptpad_install_dir}"'
# systemd sets the open file limit to 4000 unless you override it
# cryptpad stores its data with the filesystem, so you should increase this to match the value of `ulimit -n`
# or risk EMFILE errors.
LimitNOFILE=1000000
# hardening directives as per https://www.freedesktop.org/software/systemd/man/systemd.exec.html
# check those with systemd-analyze security cryptpad.service for more information
# Proc filesystem
ProcSubset=all
ProtectProc=invisible
# Capabilities
CapabilityBoundingSet=
# Security
NoNewPrivileges=true
# Sandboxing
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictAddressFamilies=AF_NETLINK
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
PrivateMounts=true
ProtectClock=true
# System Call Filtering
SystemCallArchitectures=native
SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
SystemCallFilter=@chown
SystemCallFilter=pipe
SystemCallFilter=pipe2
ReadWritePaths=${cryptpad_install_dir}
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable cryptpad
# - Start cryptpad
# -
systemctl start cryptpad
# ==========
# nginx vhost configuration
# ==========
cat <<EOF > /etc/nginx/sites-available/${vhost_config_file}
# -- ${cryptpad_url}
# we want restrict authentication to cryptpad sandbox urls "${cryptpad_sandbox_url}"
#
map \$http_host \$auth_type {
default "off"; #This will turn off auth-basic
${cryptpad_sandbox_url} "Restricted"; #This or any other string will turn it back on
}
server {
listen 80;
listen [::]:80;
server_name ${cryptpad_url};
return 301 https://\$server_name\$request_uri;
}
# This file is included strictly as an example of how Nginx can be configured
# to work with CryptPad. This example WILL NOT WORK AS IS. For best results,
# compare the sections of this configuration file against a working CryptPad
# installation (http server by the Nodejs process). If you are using CryptPad
# in production and require professional support please contact sales@cryptpad.fr
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Let's Encrypt webroot
#include letsencrypt-webroot;
# ----------
# !! inserted by ckubu !!
#
# Needed for (automated) updating certificate
#
include snippets/letsencrypt-acme-challenge.conf;
#
# ----------
# CryptPad serves static assets over these two domains.
# \`your-main-domain\` is what users will enter in their address bar.
# Privileged computation such as key management is handled in this scope
# UI content is loaded via the \`your-sandbox-domain\`.
# "Content Security Policy" headers prevent content loaded via the sandbox
# from accessing privileged information.
# This setup allows to take advantage of CryptPad's sandboxing techniques.
# In the event of an XSS vulnerability in CryptPad's front-end code
# this will limit the amount of information accessible to attackers.
server_name ${cryptpad_url} ${cryptpad_sandbox_url};
# You'll need to Set the path to your certificates and keys here
# IMPORTANT: this config is intended to serve assets for at least two domains
# (your main domain and your sandbox domain). As such, you'll need to generate a single SSL certificate
# that includes both domains in order for things to work as expected.
ssl_certificate /var/lib/dehydrated/certs/${cryptpad_url}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${cryptpad_url}/privkey.pem;
# diffie-hellman parameters are used to negotiate keys for your session
# generate strong parameters using the following command
ssl_dhparam /etc/nginx/ssl/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
# Speeds things up a little bit when resuming a session
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# replace with the IP address of your resolver
resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;
location / {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
client_max_body_size 150m;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection upgrade;
}
# ----------
# !! included by ckubu !!
#
# Only authenticated users
#
auth_basic "\$auth_type";
auth_basic_user_file /etc/nginx/.htpasswd-o13-pad;
#
# ----------
}
EOF
ln -s ../sites-available/${vhost_config_file} /etc/nginx/sites-available/${vhost_config_file}
nginx -t
systemctl restart nginx
# ---
# Basic Check of your configuration:
# ---
# In yout browser type:
#
# https://${cryptpad_url}/checkup/
Reference in New Issue View Git Blame Copy Permalink