diff options
author | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-05-05 17:45:15 +0200 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-05-05 17:45:15 +0200 |
commit | f0ead6efed2ce7078302b825ad6b98fbbeebc693 (patch) | |
tree | bf179638e23db1842284430970732034600c0a1c /app/cryptpad | |
parent | f27636dd14cc06b84f1564f48c148be7394540b3 (diff) | |
download | infrastructure-f0ead6efed2ce7078302b825ad6b98fbbeebc693.tar.gz infrastructure-f0ead6efed2ce7078302b825ad6b98fbbeebc693.zip |
WIP Cryptpad packaging
Diffstat (limited to 'app/cryptpad')
-rw-r--r-- | app/cryptpad/build/README.md | 16 | ||||
-rw-r--r-- | app/cryptpad/build/common.nix | 9 | ||||
m--------- | app/cryptpad/build/cryptpad | 0 | ||||
-rw-r--r-- | app/cryptpad/build/default.nix | 27 | ||||
-rw-r--r-- | app/cryptpad/build/docker.nix | 11 | ||||
-rw-r--r-- | app/cryptpad/build/shell.nix | 13 | ||||
-rw-r--r-- | app/cryptpad/config/config.js | 283 |
7 files changed, 359 insertions, 0 deletions
diff --git a/app/cryptpad/build/README.md b/app/cryptpad/build/README.md new file mode 100644 index 0000000..417b066 --- /dev/null +++ b/app/cryptpad/build/README.md @@ -0,0 +1,16 @@ +Currently there is now way to cleanly package Bower on Nix. +So we have to manually package cryptpad. + +To update, you have to: + +```bash +nix-shell +cd cryptpad +git pull +git checkout <tag> +bower update +npm install +cd .. +nix-build +nix-build docker.nix +``` diff --git a/app/cryptpad/build/common.nix b/app/cryptpad/build/common.nix new file mode 100644 index 0000000..61d02fa --- /dev/null +++ b/app/cryptpad/build/common.nix @@ -0,0 +1,9 @@ +{ + pkgsSrc = fetchTarball { + # Latest commit on https://github.com/NixOS/nixpkgs/tree/nixos-21.11 + # As of 2022-04-15 + url ="https://github.com/NixOS/nixpkgs/archive/2f06b87f64bc06229e05045853e0876666e1b023.tar.gz"; + sha256 = "sha256:1d7zg96xw4qsqh7c89pgha9wkq3rbi9as3k3d88jlxy2z0ns0cy2"; + }; + nodejs = "nodejs-slim-16_x"; +} diff --git a/app/cryptpad/build/cryptpad b/app/cryptpad/build/cryptpad new file mode 160000 +Subproject 5979aafdee90aab232658374b11aca8331fd042 diff --git a/app/cryptpad/build/default.nix b/app/cryptpad/build/default.nix new file mode 100644 index 0000000..2069a58 --- /dev/null +++ b/app/cryptpad/build/default.nix @@ -0,0 +1,27 @@ +let + common = import ./common.nix; + pkgs = import common.pkgsSrc {}; + nodejs = pkgs.${common.nodejs}; +in + pkgs.stdenv.mkDerivation { + name = "cryptpad"; + src = ./cryptpad; + + installPhase = '' + mkdir -p $out/{bin,opt} + + cp -r config customize.dist lib node_modules package.json package-lock.json server.js www $out/opt/ + ln -s / $out/opt/root + + cat > $out/bin/cryptpad <<EOF + cd $out/opt/ + #!${pkgs.bash}/bin/bash + ${nodejs}/bin/node server.js + EOF + + chmod +x $out/bin/cryptpad + ''; + + dontFixup = true; + } + diff --git a/app/cryptpad/build/docker.nix b/app/cryptpad/build/docker.nix new file mode 100644 index 0000000..818bbd1 --- /dev/null +++ b/app/cryptpad/build/docker.nix @@ -0,0 +1,11 @@ +let + common = import ./common.nix; + app = import ./default.nix; + pkgs = import common.pkgsSrc {}; +in + pkgs.dockerTools.buildImage { + name = "superboum/cryptpad"; + config = { + Cmd = [ "${app}/bin/backup-psql" ]; + }; + } diff --git a/app/cryptpad/build/shell.nix b/app/cryptpad/build/shell.nix new file mode 100644 index 0000000..d47a050 --- /dev/null +++ b/app/cryptpad/build/shell.nix @@ -0,0 +1,13 @@ +let + common = import ./common.nix; + pkgs = import common.pkgsSrc {}; + nodejs = pkgs.${common.nodejs}; +in + pkgs.mkShell { + buildInputs = [ + nodejs + pkgs.nodePackages.npm + pkgs.nodePackages.bower + ]; + } + diff --git a/app/cryptpad/config/config.js b/app/cryptpad/config/config.js new file mode 100644 index 0000000..89b179f --- /dev/null +++ b/app/cryptpad/config/config.js @@ -0,0 +1,283 @@ +/* globals module */ + +/* DISCLAIMER: + + There are two recommended methods of running a CryptPad instance: + + 1. Using a standalone nodejs server without HTTPS (suitable for local development) + 2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic + + We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration. + Support requests for such setups should be directed to their authors. + + If you're having difficulty difficulty configuring your instance + we suggest that you join the project's IRC/Matrix channel. + + If you don't have any difficulty configuring your instance and you'd like to + support us for the work that went into making it pain-free we are quite happy + to accept donations via our opencollective page: https://opencollective.com/cryptpad + +*/ +module.exports = { +/* CryptPad is designed to serve its content over two domains. + * Account passwords and cryptographic content is handled on the 'main' domain, + * while the user interface is loaded on a 'sandbox' domain + * which can only access information which the main domain willingly shares. + * + * In the event of an XSS vulnerability in the UI (that's bad) + * this system prevents attackers from gaining access to your account (that's good). + * + * Most problems with new instances are related to this system blocking access + * because of incorrectly configured sandboxes. If you only see a white screen + * when you try to load CryptPad, this is probably the cause. + * + * PLEASE READ THE FOLLOWING COMMENTS CAREFULLY. + * + */ + +/* httpUnsafeOrigin is the URL that clients will enter to load your instance. + * Any other URL that somehow points to your instance is supposed to be blocked. + * The default provided below assumes you are loading CryptPad from a server + * which is running on the same machine, using port 3000. + * + * In a production instance this should be available ONLY over HTTPS + * using the default port for HTTPS (443) ie. https://cryptpad.fr + * In such a case this should be also handled by NGINX, as documented in + * cryptpad/docs/example.nginx.conf (see the $main_domain variable) + * + */ + httpUnsafeOrigin: 'http://localhost:3000', + +/* httpSafeOrigin is the URL that is used for the 'sandbox' described above. + * If you're testing or developing with CryptPad on your local machine then + * it is appropriate to leave this blank. The default behaviour is to serve + * the main domain over port 3000 and to serve the sandbox content over port 3001. + * + * This is not appropriate in a production environment where invasive networks + * may filter traffic going over abnormal ports. + * To correctly configure your production instance you must provide a URL + * with a different domain (a subdomain is sufficient). + * It will be used to load the UI in our 'sandbox' system. + * + * This value corresponds to the $sandbox_domain variable + * in the example nginx file. + * + * Note that in order for the sandboxing system to be effective + * httpSafeOrigin must be different from httpUnsafeOrigin. + * + * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. + */ + // httpSafeOrigin: "https://some-other-domain.xyz", + +/* httpAddress specifies the address on which the nodejs server + * should be accessible. By default it will listen on 127.0.0.1 + * (IPv4 localhost on most systems). If you want it to listen on + * all addresses, including IPv6, set this to '::'. + * + */ + //httpAddress: '::', + +/* httpPort specifies on which port the nodejs server should listen. + * By default it will serve content over port 3000, which is suitable + * for both local development and for use with the provided nginx example, + * which will proxy websocket traffic to your node server. + * + */ + //httpPort: 3000, + +/* httpSafePort allows you to specify an alternative port from which + * the node process should serve sandboxed assets. The default value is + * that of your httpPort + 1. You probably don't need to change this. + * + */ + //httpSafePort: 3001, + +/* CryptPad will launch a child process for every core available + * in order to perform CPU-intensive tasks in parallel. + * Some host environments may have a very large number of cores available + * or you may want to limit how much computing power CryptPad can take. + * If so, set 'maxWorkers' to a positive integer. + */ + // maxWorkers: 4, + + /* ===================== + * Admin + * ===================== */ + + /* + * CryptPad contains an administration panel. Its access is restricted to specific + * users using the following list. + * To give access to the admin panel to a user account, just add their public signing + * key, which can be found on the settings page for registered users. + * Entries should be strings separated by a comma. + */ +/* + adminKeys: [ + //"[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]", + ], +*/ + + /* ===================== + * STORAGE + * ===================== */ + + /* Pads that are not 'pinned' by any registered user can be set to expire + * after a configurable number of days of inactivity (default 90 days). + * The value can be changed or set to false to remove expiration. + * Expired pads can then be removed using a cron job calling the + * `evict-inactive.js` script with node + * + * defaults to 90 days if nothing is provided + */ + //inactiveTime: 90, // days + + /* CryptPad archives some data instead of deleting it outright. + * This archived data still takes up space and so you'll probably still want to + * remove these files after a brief period. + * + * cryptpad/scripts/evict-inactive.js is intended to be run daily + * from a crontab or similar scheduling service. + * + * The intent with this feature is to provide a safety net in case of accidental + * deletion. Set this value to the number of days you'd like to retain + * archived data before it's removed permanently. + * + * defaults to 15 days if nothing is provided + */ + //archiveRetentionTime: 15, + + /* It's possible to configure your instance to remove data + * stored on behalf of inactive accounts. Set 'accountRetentionTime' + * to the number of days an account can remain idle before its + * documents and other account data is removed. + * + * Leave this value commented out to preserve all data stored + * by user accounts regardless of inactivity. + */ + //accountRetentionTime: 365, + + /* Starting with CryptPad 3.23.0, the server automatically runs + * the script responsible for removing inactive data according to + * your configured definition of inactivity. Set this value to `true` + * if you prefer not to remove inactive data, or if you prefer to + * do so manually using `scripts/evict-inactive.js`. + */ + //disableIntegratedEviction: true, + + + /* Max Upload Size (bytes) + * this sets the maximum size of any one file uploaded to the server. + * anything larger than this size will be rejected + * defaults to 20MB if no value is provided + */ + //maxUploadSize: 20 * 1024 * 1024, + + /* Users with premium accounts (those with a plan included in their customLimit) + * can benefit from an increased upload size limit. By default they are restricted to the same + * upload size as any other registered user. + * + */ + //premiumUploadSize: 100 * 1024 * 1024, + + /* ===================== + * DATABASE VOLUMES + * ===================== */ + + /* + * CryptPad stores each document in an individual file on your hard drive. + * Specify a directory where files should be stored. + * It will be created automatically if it does not already exist. + */ + filePath: './root/tmp/mut/datastore/', + + /* CryptPad offers the ability to archive data for a configurable period + * before deleting it, allowing a means of recovering data in the event + * that it was deleted accidentally. + * + * To set the location of this archive directory to a custom value, change + * the path below: + */ + archivePath: './root/tmp/mut/data/archive', + + /* CryptPad allows logged in users to request that particular documents be + * stored by the server indefinitely. This is called 'pinning'. + * Pin requests are stored in a pin-store. The location of this store is + * defined here. + */ + pinPath: './root/tmp/mut/data/pins', + + /* if you would like the list of scheduled tasks to be stored in + a custom location, change the path below: + */ + taskPath: './root/tmp/mut/data/tasks', + + /* if you would like users' authenticated blocks to be stored in + a custom location, change the path below: + */ + blockPath: './root/tmp/mut/block', + + /* CryptPad allows logged in users to upload encrypted files. Files/blobs + * are stored in a 'blob-store'. Set its location here. + */ + blobPath: './root/tmp/mut/blob', + + /* CryptPad stores incomplete blobs in a 'staging' area until they are + * fully uploaded. Set its location here. + */ + blobStagingPath: './root/tmp/mut/data/blobstage', + + decreePath: './root/tmp/mut/data/decrees', + + /* CryptPad supports logging events directly to the disk in a 'logs' directory + * Set its location here, or set it to false (or nothing) if you'd rather not log + */ + logPath: './root/tmp/mut/data/logs', + + /* ===================== + * Debugging + * ===================== */ + + /* CryptPad can log activity to stdout + * This may be useful for debugging + */ + logToStdout: true, + + /* CryptPad can be configured to log more or less + * the various settings are listed below by order of importance + * + * silly, verbose, debug, feedback, info, warn, error + * + * Choose the least important level of logging you wish to see. + * For example, a 'silly' logLevel will display everything, + * while 'info' will display 'info', 'warn', and 'error' logs + * + * This will affect both logging to the console and the disk. + */ + logLevel: 'debug', + + /* clients can use the /settings/ app to opt out of usage feedback + * which informs the server of things like how much each app is being + * used, and whether certain clientside features are supported by + * the client's browser. The intent is to provide feedback to the admin + * such that the service can be improved. Enable this with `true` + * and ignore feedback with `false` or by commenting the attribute + * + * You will need to set your logLevel to include 'feedback'. Set this + * to false if you'd like to exclude feedback from your logs. + */ + logFeedback: false, + + /* CryptPad supports verbose logging + * (false by default) + */ + verbose: true, + + /* Surplus information: + * + * 'installMethod' is included in server telemetry to voluntarily + * indicate how many instances are using unofficial installation methods + * such as Docker. + * + */ + installMethod: 'unspecified', +}; |