Merge branch 'stretch' of https://github.com/bashrc/freedombone

code-of-conduct.md

@@ -1,11 +1,35 @@
-Instead of having some tedious *Code of Conduct* which tries to micro-manage how folks communicate privately with each other this project has a set of guiding principles, which are as follows:
-
- * Enable users to help themselves to provide their own personal software infrastructure.
- * Enable users to help each other to provide software infrastructure for a community.
- * Principle of self-management: apps should require miniumum configuration and maintain themselves as far as possible.
- * There should be no single point of failure. Assume that other servers can and will fail occasionally.
- * Minimum data retention. Only store the data which users actually want or need, and within apps implement the function which allows logging to be turned off.
- * Respect other users right to run their own stuff and have their own policies on their own hardware.
- * Remove as many intermediating organisations as possible. For example, Google tracking embedded within some Free Software apps.
- * No tollbooths, rent-seeking, gatekeepers or paywalls.
- * Maximize energy efficiency. No systems which fundamentally depend upon proof-of-work block solving or other compute-heavy methods. The target here is small single board computers.
+# Freedombone "Code of Conduct"
+
+## Be respectful
+
+In a project the size of Freedombone, inevitably there will be people with whom you may disagree, or find it difficult to cooperate. Accept that, but even so, remain respectful. Disagreement is no excuse for poor behaviour or personal attacks, and a community in which people feel threatened is not a healthy community.
+
+## Assume good faith
+
+Freedombone Contributors have many ways of reaching our common goal of providing freedom respecting internet or mesh systems which may differ from your ways. Assume that other people are working towards this goal.
+
+## Be collaborative
+
+Freedombone is a moderately complex project, though nothing big and professional like GNU. It's good to ask for help when you need it. Similarly, offers for help should be seen in the context of our shared goal of improving the system.
+
+When you make something for the benefit of the project, be willing to explain to others how it works, so that they can build on your work to make it even better.
+
+## Try to be concise
+
+If you're submitting documentation then keep in mind that what you write once could be read by many other people. To avoid TL;DR keep it as short and concise as possible. This will also reduce the amount of translations effort needed.
+
+If you're discussing an issue or bug, try to stay on topic, especially in discussions that are already fairly large.
+
+## Be open
+
+Most ways of communication used within Freedombone (eg Matrix/XMPP) allow for public and private communication. Prefer public methods of communication for Freedombone-related messages, unless posting something sensitive.
+
+This applies to messages for help, too; not only is a public support request much more likely to result in an answer to your question, it also makes sure that any inadvertent mistakes made by people answering your question will be more easily detected and corrected.
+
+## In case of problems
+
+While this code of conduct should be adhered to by participants, we recognize that sometimes people may have a bad day, or be unaware of some of the guidelines in this code of conduct. When that happens, you may reply to them and point out this code of conduct. Such messages may be in public or in private, whatever is most appropriate. However, regardless of whether the message is public or not, it should still adhere to the relevant parts of this code of conduct; in particular, it should not be abusive or disrespectful. Assume good faith; it is more likely that participants are unaware of their bad behaviour than that they intentionally try to degrade the quality of the discussion.
+
+Serious or persistent offenders will be kicked from chat rooms and any of their subsequent patches will be unlikely to be upstreamed.
+
+Complaints should be made (in private) to the maintainer or chat room admin. The typical email address can be found in the source code headers. Preferably use GPG/OpenPGP if you can, or XMPP with OTR/OMEMO to bob@freedombone.net.

src/freedombone-app-cryptpad

@@ -36,8 +36,9 @@ SHOW_ICANN_ADDRESS_ON_ABOUT=0
 
 CRYPTPAD_ONION_PORT=8119
 CRYPTPAD_PORT=9003
+CRYPTPAD_PORT2=9005
 CRYPTPAD_REPO="https://github.com/xwiki-labs/cryptpad"
-CRYPTPAD_COMMIT='52d344c3d1404d75d2bf4ae8845e5c024e85ec7f'
+CRYPTPAD_COMMIT='cfc9ce33d6c7034a13cb0e6d606de6fba38697e0'
 CRYPTPAD_DIR=/etc/cryptpad
 
 cryptpad_variables=(ONION_ONLY)
@@ -76,6 +77,18 @@ function reconfigure_cryptpad {
     fi
 }
 
+function cryptpad_generate_api_config {
+    if [ ! -d $CRYPTPAD_DIR/customize/api ]; then
+        mkdir -p $CRYPTPAD_DIR/customize/api
+    fi
+    wget 127.0.0.1:$CRYPTPAD_PORT/api/config -O $CRYPTPAD_DIR/customize/api/config
+    if [ ! -f $CRYPTPAD_DIR/customize/api/config ]; then
+        echo $'Unable to wget api/config'
+        exit 89252
+    fi
+    chown -R cryptpad:cryptpad $CRYPTPAD_DIR
+}
+
 function upgrade_cryptpad {
     CURR_CRYPTPAD_COMMIT=$(get_completion_param "cryptpad commit")
     if [[ "$CURR_CRYPTPAD_COMMIT" == "$CRYPTPAD_COMMIT" ]]; then
@@ -89,14 +102,17 @@ function upgrade_cryptpad {
     set_repo_commit $CRYPTPAD_DIR "cryptpad commit" "$CRYPTPAD_COMMIT" $CRYPTPAD_REPO
 
     cd $CRYPTPAD_DIR
+    cryptpad_create_config
+    npm upgrade
     npm install
+    su -c 'echo "2" | bower update' - cryptpad
+    su -c 'bower install --config.interactive=false' - cryptpad
+    cryptpad_generate_api_config
     chown -R cryptpad:cryptpad $CRYPTPAD_DIR
-    su -c 'bower install' - cryptpad
 
     systemctl start cryptpad
 }
 
-
 function backup_local_cryptpad {
     source_directory=$CRYPTPAD_DIR/datastore
     if [ -d $source_directory ]; then
@@ -215,6 +231,108 @@ function remove_cryptpad {
     userdel -r cryptpad
 }
 
+function cryptpad_create_config {
+    cryptpad_install_type=$1
+
+    cryptpad_prefix=
+    if [[ "$cryptpad_install_type" == "mesh" ]]; then
+        cryptpad_prefix=$rootdir
+    fi
+
+    echo '/*@flow*/' > $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '/*' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '  globals module' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '*/' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "var domain = ' http://localhost:${CRYPTPAD_PORT}/';" >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo 'module.exports = {' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        httpAddress: '::'," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        httpHeaders: {' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '                "X-XSS-Protection": "1; mode=block",' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '                "X-Content-Type-Options": "nosniff",' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '                "Access-Control-Allow-Origin": "*"' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        },' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        contentSecurity: [' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"default-src 'none'\"," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"style-src 'unsafe-inline' 'self' \" + domain," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"script-src 'self'\" + domain," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"font-src 'self' data:\" + domain," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '                "child-src blob: *",' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '                "frame-src blob: *",' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '                "media-src * blob:",' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"connect-src 'self' ws: wss: blob:\" + domain," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"img-src 'self' data: blob:\" + domain," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '                "frame-ancestors *",' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        ].join('; ')," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        padContentSecurity: [' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"default-src 'none'\"," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"style-src 'unsafe-inline' 'self'\" + domain," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"script-src 'self' 'unsafe-eval' 'unsafe-inline'\" + domain," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"font-src 'self'\" + domain," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '                "child-src *",' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '                "frame-src *",' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                \"connect-src 'self' ws: wss:\" + domain," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '                "img-src * blob:",' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        ].join('; ')," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        httpPort: ${CRYPTPAD_PORT}," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        // This is for allowing the cross-domain iframe to function when developing' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        httpSafePort: ${CRYPTPAD_PORT2}," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        websocketPath: '/cryptpad_websocket'," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        logToStdout: false,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        verbose: false,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        mainPages: [' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "                'index'" >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        ],' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        removeDonateButton: true,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        allowSubscriptions: false,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    if [[ "$cryptpad_install_type" == "mesh" ]]; then
+        echo "        myDomain: 'http://P${PEER_ID}.local'," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    else
+        CRYPTPAD_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_cryptpad/hostname)
+        echo "        myDomain: 'http://${CRYPTPAD_ONION_HOSTNAME}'," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    fi
+    echo '        defaultStorageLimit: 50 * 1024 * 1024,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        customLimits: {' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        },' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        adminEmail: false,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        storage: './storage/file'," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "       filePath: './datastore/'," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        pinPath: './pins'," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        blobPath: './blob'," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        blobStagingPath: './blobstage'," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        channelExpirationMs: 30000,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        openFileLimit: 1024,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo "        rpc: './rpc.js'," >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        suppressRPCErrors: false,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        enableUploads: true,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        //restrictUploads: false,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        maxUploadSize: 20 * 1024 * 1024,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        //logFeedback: true,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '        //logRPC: true,' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    echo '};' >> $cryptpad_prefix$CRYPTPAD_DIR/config.js
+    chown cryptpad:cryptpad $cryptpad_prefix$CRYPTPAD_DIR/config.js
+}
+
 function mesh_install_cryptpad {
     if [[ $VARIANT != "meshclient" && $VARIANT != "meshusb" ]]; then
         return
@@ -343,10 +461,7 @@ EOF
 
     rm $rootdir/usr/bin/install_cryptpad
 
-    sed -i "s|httpPort:.*|httpPort: $CRYPTPAD_PORT,|g" $rootdir$CRYPTPAD_DIR/config.js
-    sed -i "s|// domain:|domain:|g" $rootdir$CRYPTPAD_DIR/config.js
-    sed -i 's|openFileLimit:.*|openFileLimit: 1024,|g' $rootdir$CRYPTPAD_DIR/config.js
-    sed -i "s|domain:.*|domain: 'http://P${PEER_ID}.local',|g" $rootdir$CRYPTPAD_DIR/config.js
+    cryptpad_create_config mesh
 
     chroot "$rootdir" chown -R cryptpad:cryptpad $CRYPTPAD_DIR
 
@@ -422,6 +537,11 @@ function install_cryptpad_main {
     echo '' >> $cryptpad_nginx_site
     echo '  index index.html;' >> $cryptpad_nginx_site
     echo '' >> $cryptpad_nginx_site
+    echo '  if ($args ~ ver=) {' >> $cryptpad_nginx_site
+    echo '      set $cacheControl max-age=31536000;' >> $cryptpad_nginx_site
+    echo '  }' >> $cryptpad_nginx_site
+    echo '  add_header Cache-Control $cacheControl;' >> $cryptpad_nginx_site
+    echo '' >> $cryptpad_nginx_site
     echo '  add_header X-XSS-Protection "1; mode=block";' >> $cryptpad_nginx_site
     echo '  add_header X-Content-Type-Options nosniff;' >> $cryptpad_nginx_site
     echo '  add_header X-Frame-Options SAMEORIGIN;' >> $cryptpad_nginx_site
@@ -510,11 +630,7 @@ function install_cryptpad {
         exit 628252
     fi
 
-    sed -i "s|httpPort:.*|httpPort: $CRYPTPAD_PORT,|g" config.js
-    sed -i "s|// domain:|domain:|g" config.js
-    sed -i 's|openFileLimit:.*|openFileLimit: 1024,|g' config.js
-    sed -i "s|domain:.*|domain: 'http://$CRYPTPAD_ONION_HOSTNAME',|g" config.js
-
+    cryptpad_create_config
     chown -R cryptpad:cryptpad $CRYPTPAD_DIR
 
     # daemon
@@ -540,15 +656,7 @@ function install_cryptpad {
 
     sleep 6
 
-    if [ ! -d $CRYPTPAD_DIR/customize/api ]; then
-        mkdir -p $CRYPTPAD_DIR/customize/api
-    fi
-    wget 127.0.0.1:$CRYPTPAD_PORT/api/config -O $CRYPTPAD_DIR/customize/api/config
-    if [ ! -f $CRYPTPAD_DIR/customize/api/config ]; then
-        echo $'Unable to wget api/config'
-        exit 89252
-    fi
-    chown -R cryptpad:cryptpad $CRYPTPAD_DIR
+    cryptpad_generate_api_config
 
     # install again
     cd $CRYPTPAD_DIR

src/freedombone-app-fedwiki

@@ -28,7 +28,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-VARIANTS=""
+VARIANTS="full full-vim media"
 
 IN_DEFAULT_INSTALL=0
 SHOW_ON_ABOUT=1
@@ -39,9 +39,11 @@ FEDWIKI_VERSION='0.13.0'
 FEDWIKI_ONION_PORT=8131
 FEDWIKI_PORT=3053
 FEDWIKI_DATA=/var/lib/fedwiki
+FEDWIKI_COOKIE=
 
 fedwiki_variables=(FEDWIKI_DOMAIN_NAME
                    FEDWIKI_CODE
+                   FEDWIKI_COOKIE
                    FEDWIKI_ADMIN_PASSWORD
                    ONION_ONLY
                    DDNS_PROVIDER
@@ -80,6 +82,14 @@ function fedwiki_remove_bad_links {
     if [ -d /usr/local/lib/node_modules/wiki/node_modules/passport-oauth2 ]; then
         rm -rf /usr/local/lib/node_modules/wiki/node_modules/passport-oauth2
     fi
+
+    if [ -d /usr/local/lib/node_modules/wiki/node_modules/passport-twitter ]; then
+        rm -rf /usr/local/lib/node_modules/wiki/node_modules/passport-twitter
+    fi
+
+    if [ -d /usr/local/lib/node_modules/wiki/node_modules/passport-github ]; then
+        rm -rf /usr/local/lib/node_modules/wiki/node_modules/passport-github
+    fi
 }
 
 function logging_on_fedwiki {
@@ -303,6 +313,12 @@ function fedwiki_setup_web {
         function_check nginx_ssl
         nginx_ssl $FEDWIKI_DOMAIN_NAME mobile
 
+        sed -i '/Content-Security-Policy/d' $fedwiki_nginx_file
+        sed -i '/X-XSS-Protection/d' $fedwiki_nginx_file
+        sed -i '/X-Robots-Tag/d' $fedwiki_nginx_file
+        sed -i '/X-Download-Options/d' $fedwiki_nginx_file
+        sed -i '/X-Permitted-Cross-Domain-Policies/d' $fedwiki_nginx_file
+
         echo '  add_header X-Robots-Tag none;' >> $fedwiki_nginx_file
         echo '  add_header X-Download-Options noopen;' >> $fedwiki_nginx_file
         echo '  add_header X-Frame-Options DENY;' >> $fedwiki_nginx_file
@@ -395,8 +411,9 @@ function install_fedwiki {
 
     FEDWIKI_ONION_HOSTNAME=$(add_onion_service fedwiki 80 ${FEDWIKI_ONION_PORT})
 
-    #TODO add a config file for the identity system
-    # $FEDWIKI_DATA/config.json
+    if [ ! $FEDWIKI_COOKIE ]; then
+        FEDWIKI_COOKIE="$(create_password 30)$(create_password 30)$(create_password 30)"
+    fi
 
     echo '[Unit]' > /etc/systemd/system/fedwiki.service
     echo 'Description=Fedwiki Decentralized video streaming platform' >> /etc/systemd/system/fedwiki.service
@@ -407,7 +424,7 @@ function install_fedwiki {
     echo 'User=fedwiki' >> /etc/systemd/system/fedwiki.service
     echo 'Group=fedwiki' >> /etc/systemd/system/fedwiki.service
     echo "WorkingDirectory=/usr/local/lib/node_modules/wiki" >> /etc/systemd/system/fedwiki.service
-    echo "ExecStart=/usr/local/bin/wiki --config $FEDWIKI_DATA/config.json --data $FEDWIKI_DATA -p $FEDWIKI_PORT" >> /etc/systemd/system/fedwiki.service
+    echo "ExecStart=/usr/local/bin/wiki --security_type friends --cookieSecret '${FEDWIKI_COOKIE}' --session_duration 7 --data $FEDWIKI_DATA -p $FEDWIKI_PORT" >> /etc/systemd/system/fedwiki.service
     echo 'StandardOutput=syslog' >> /etc/systemd/system/fedwiki.service
     echo 'StandardError=syslog' >> /etc/systemd/system/fedwiki.service
     echo 'SyslogIdentifier=fedwiki' >> /etc/systemd/system/fedwiki.service

src/freedombone-image-mesh

@@ -155,6 +155,9 @@ function enable_cryptpad {
     if [ ! -d $CRYPTPAD_DIR/customize/api ]; then
         mkdir -p $CRYPTPAD_DIR/customize/api
     fi
+    if [ -f $CRYPTPAD_DIR/config.js ]; then
+        sed -i "s|myDomain:.*|myDomain: 'http://P${PEER_ID}.local',|g" $CRYPTPAD_DIR/config.js
+    fi
     wget 127.0.0.1:$CRYPTPAD_PORT/api/config -O $CRYPTPAD_DIR/customize/api/config
     if [ ! -f $CRYPTPAD_DIR/customize/api/config ]; then
         echo $'Unable to wget api/config'