authorArmaël Guéneau <armael.gueneau@ens-lyon.org>2024-12-01 12:00:39 +0100
committerArmaël Guéneau <armael.gueneau@ens-lyon.org>2024-12-01 12:00:39 +0100
commitd1de8cb2b42dce0a73ee0f76ad9c7da635a02ab5 (patch)
treebd7032d317bc198fd0de39484b7d035c78d83739
parente87942dad3ddcd0bca222c96d8ae4c99265b382e (diff)
downloadnixcfg-d1de8cb2b42dce0a73ee0f76ad9c7da635a02ab5.tar.gz
nixcfg-d1de8cb2b42dce0a73ee0f76ad9c7da635a02ab5.zip
staging: déploiement de test de cryptpad
-rw-r--r--cluster/staging/app/core/deploy/tricot.hcl2
-rw-r--r--cluster/staging/app/cryptpad/config/application_config.js40
-rw-r--r--cluster/staging/app/cryptpad/config/config.js296
-rw-r--r--cluster/staging/app/cryptpad/deploy/cryptpad.hcl80
4 files changed, 417 insertions, 1 deletions
diff --git a/cluster/staging/app/core/deploy/tricot.hcl b/cluster/staging/app/core/deploy/tricot.hcl
index d642708..c0540bd 100644
--- a/cluster/staging/app/core/deploy/tricot.hcl
+++ b/cluster/staging/app/core/deploy/tricot.hcl
@@ -77,7 +77,7 @@ TRICOT_HTTP_BIND_ADDR=[::]:80
TRICOT_HTTPS_BIND_ADDR=[::]:443
TRICOT_METRICS_BIND_ADDR=[::]:9334
TRICOT_WARMUP_CERT_MEMORY_STORE=true
-RUST_LOG=tricot=debug
+RUST_LOG=tricot=trace
RUST_BACKTRACE=1
EOH
destination = "secrets/env"
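Review bot: The RUST_LOG change from debug to trace in the tricot env block is unrelated to the cryptpad deployment this commit describes and reads like a debugging setting that was not meant to be committed; if it is intentional, a comment next to it (`# trace level left on while debugging the cryptpad routing; revert to debug afterwards`) would keep it from lingering. At trace level a TLS-terminating reverse proxy is likely to log per-request detail at volume, so the level should probably be lowered again once the test deployment is verified. The env block is complete within the hunk, but the enclosing template stanza starts before it.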
diff --git a/cluster/staging/app/cryptpad/config/application_config.js b/cluster/staging/app/cryptpad/config/application_config.js
new file mode 100644
index 0000000..94a613d
--- /dev/null
+++ b/cluster/staging/app/cryptpad/config/application_config.js
@@ -0,0 +1,40 @@
+/*
+ * You can override the configurable values from this file.
+ * The recommended method is to make a copy of this file (/customize.dist/application_config.js)
+ in a 'customize' directory (/customize/application_config.js).
+ * If you want to check all the configurable values, you can open the internal configuration file
+ but you should not change it directly (/common/application_config_internal.js)
+*/
+define(['/common/application_config_internal.js'], function (AppConfig) {
+ // To inform users of the support ticket panel which languages your admins speak:
+ AppConfig.supportLanguages = [ 'en', 'fr' ];
+
+ /* Select the buttons displayed on the main page to create new collaborative sessions.
+ * Removing apps from the list will prevent users from accessing them. They will instead be
+ * redirected to the drive.
+ * You should never remove the drive from this list.
+ */
+ AppConfig.availablePadTypes = ['drive', 'teams', 'doc', 'presentation', 'pad', 'kanban', 'code', 'form', 'poll', 'whiteboard',
+ 'file', 'contacts', 'slide', 'convert'];
+ // disabled: sheet
+
+ /* You can display a link to your own privacy policy in the static pages footer.
+ * Since this is different for each individual or organization there is no default value.
+ * See the comments above for a description of possible configurations.
+ */
+ AppConfig.privacy = {
+ "default": "https://deuxfleurs.fr/CGU.html",
+ };
+
+ /* You can display a link to your instances's terms of service in the static pages footer.
+ * A default is included for backwards compatibility, but we recommend replacing this
+ * with your own terms.
+ *
+ * See the comments above for a description of possible configurations.
+ */
+ AppConfig.terms = {
+ "default": "https://deuxfleurs.fr/CGU.html",
+ };
+
+ return AppConfig;
+});
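Review bot: Nothing in this commit ships this file: the Nomad template in cryptpad.hcl that would render it is commented out, so `AppConfig.availablePadTypes`, `AppConfig.privacy` and `AppConfig.terms` set here have no effect on the staging instance yet. A header line stating that (`// NOT DEPLOYED YET: the template in deploy/cryptpad.hcl that installs this file is disabled`) would spare the next reader from checking why the sheet app is still offered. The trailing `// disabled: sheet` remark would also read better as part of the comment block above the list, next to the warning about removing apps.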
diff --git a/cluster/staging/app/cryptpad/config/config.js b/cluster/staging/app/cryptpad/config/config.js
new file mode 100644
index 0000000..590d4c6
--- /dev/null
+++ b/cluster/staging/app/cryptpad/config/config.js
@@ -0,0 +1,296 @@
+/* globals module */
+
+/* DISCLAIMER:
+
+ There are two recommended methods of running a CryptPad instance:
+
+ 1. Using a standalone nodejs server without HTTPS (suitable for local development)
+ 2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic
+
+ We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration.
+ Support requests for such setups should be directed to their authors.
+
+ If you're having difficulty difficulty configuring your instance
+ we suggest that you join the project's IRC/Matrix channel.
+
+ If you don't have any difficulty configuring your instance and you'd like to
+ support us for the work that went into making it pain-free we are quite happy
+ to accept donations via our opencollective page: https://opencollective.com/cryptpad
+
+*/
+module.exports = {
+/* CryptPad is designed to serve its content over two domains.
+ * Account passwords and cryptographic content is handled on the 'main' domain,
+ * while the user interface is loaded on a 'sandbox' domain
+ * which can only access information which the main domain willingly shares.
+ *
+ * In the event of an XSS vulnerability in the UI (that's bad)
+ * this system prevents attackers from gaining access to your account (that's good).
+ *
+ * Most problems with new instances are related to this system blocking access
+ * because of incorrectly configured sandboxes. If you only see a white screen
+ * when you try to load CryptPad, this is probably the cause.
+ *
+ * PLEASE READ THE FOLLOWING COMMENTS CAREFULLY.
+ *
+ */
+
+/* httpUnsafeOrigin is the URL that clients will enter to load your instance.
+ * Any other URL that somehow points to your instance is supposed to be blocked.
+ * The default provided below assumes you are loading CryptPad from a server
+ * which is running on the same machine, using port 3000.
+ *
+ * In a production instance this should be available ONLY over HTTPS
+ * using the default port for HTTPS (443) ie. https://cryptpad.fr
+ * In such a case this should be also handled by NGINX, as documented in
+ * cryptpad/docs/example.nginx.conf (see the $main_domain variable)
+ *
+ */
+ httpUnsafeOrigin: 'https://pad.staging.deuxfleurs.org',
+
+/* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
+ * If you're testing or developing with CryptPad on your local machine then
+ * it is appropriate to leave this blank. The default behaviour is to serve
+ * the main domain over port 3000 and to serve the sandbox content over port 3001.
+ *
+ * This is not appropriate in a production environment where invasive networks
+ * may filter traffic going over abnormal ports.
+ * To correctly configure your production instance you must provide a URL
+ * with a different domain (a subdomain is sufficient).
+ * It will be used to load the UI in our 'sandbox' system.
+ *
+ * This value corresponds to the $sandbox_domain variable
+ * in the example nginx file.
+ *
+ * Note that in order for the sandboxing system to be effective
+ * httpSafeOrigin must be different from httpUnsafeOrigin.
+ *
+ * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
+ */
+ httpSafeOrigin: "https://pad-sandbox.staging.deuxfleurs.org",
+
+/* httpAddress specifies the address on which the nodejs server
+ * should be accessible. By default it will listen on 127.0.0.1
+ * (IPv4 localhost on most systems). If you want it to listen on
+ * all addresses, including IPv6, set this to '::'.
+ *
+ */
+ httpAddress: '::',
+
+/* httpPort specifies on which port the nodejs server should listen.
+ * By default it will serve content over port 3000, which is suitable
+ * for both local development and for use with the provided nginx example,
+ * which will proxy websocket traffic to your node server.
+ *
+ */
+ httpPort: 3000,
+
+/* httpSafePort allows you to specify an alternative port from which
+ * the node process should serve sandboxed assets. The default value is
+ * that of your httpPort + 1. You probably don't need to change this.
+ *
+ */
+ // httpSafePort: 3001,
+
+/* CryptPad will launch a child process for every core available
+ * in order to perform CPU-intensive tasks in parallel.
+ * Some host environments may have a very large number of cores available
+ * or you may want to limit how much computing power CryptPad can take.
+ * If so, set 'maxWorkers' to a positive integer.
+ */
+ // maxWorkers: 4,
+
+ /* =====================
+ * Admin
+ * ===================== */
+
+ /*
+ * CryptPad contains an administration panel. Its access is restricted to specific
+ * users using the following list.
+ * To give access to the admin panel to a user account, just add their public signing
+ * key, which can be found on the settings page for registered users.
+ * Entries should be strings separated by a comma.
+ */
+ adminKeys: [
+ "[quentin@pad.deuxfleurs.fr/EWtzm-CiqJnM9RZL9mj-YyTgAtX-Zh76sru1K5bFpN8=]",
+ "[adrn@pad.deuxfleurs.fr/PxDpkPwd-jDJWkfWdAzFX7wtnLpnPlBeYZ4MmoEYS6E=]",
+ "[lx@pad.deuxfleurs.fr/FwQzcXywx1FIb83z6COB7c3sHnz8rNSDX1xhjPuH3Fg=]",
+ "[trinity-1686a@pad.deuxfleurs.fr/Pu6Ef03jEsAGBbZI6IOdKd6+5pORD5N51QIYt4-Ys1c=]",
+ "[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]",
+ "[vincent@pad.deuxfleurs.fr/07FQiE8w1iztRWwzbRJzEy3xIqnNR31mUFjLNiGXjwU=]",
+ "[boris@pad.deuxfleurs.fr/kHo5LIhSxDFk39GuhGRp+XKlMjNe+lWfFWM75cINoTQ=]",
+ "[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]",
+ "[armael@pad.deuxfleurs.fr/CIKMvNdFxGavwTmni0TnR3x9GM0ypgx3DMcFyzppplU=]",
+ "[bjonglez@pad.deuxfleurs.fr/+RRzwcLPj5ZCWELUXMjmt3u+-lvYnyhpDt4cqAn9nh8=]"
+ ],
+
+ /* =====================
+ * STORAGE
+ * ===================== */
+
+ /* Pads that are not 'pinned' by any registered user can be set to expire
+ * after a configurable number of days of inactivity (default 90 days).
+ * The value can be changed or set to false to remove expiration.
+ * Expired pads can then be removed using a cron job calling the
+ * `evict-inactive.js` script with node
+ *
+ * defaults to 90 days if nothing is provided
+ */
+ //inactiveTime: 90, // days
+
+ /* CryptPad archives some data instead of deleting it outright.
+ * This archived data still takes up space and so you'll probably still want to
+ * remove these files after a brief period.
+ *
+ * cryptpad/scripts/evict-inactive.js is intended to be run daily
+ * from a crontab or similar scheduling service.
+ *
+ * The intent with this feature is to provide a safety net in case of accidental
+ * deletion. Set this value to the number of days you'd like to retain
+ * archived data before it's removed permanently.
+ *
+ * defaults to 15 days if nothing is provided
+ */
+ //archiveRetentionTime: 15,
+
+ /* It's possible to configure your instance to remove data
+ * stored on behalf of inactive accounts. Set 'accountRetentionTime'
+ * to the number of days an account can remain idle before its
+ * documents and other account data is removed.
+ *
+ * Leave this value commented out to preserve all data stored
+ * by user accounts regardless of inactivity.
+ */
+ //accountRetentionTime: 365,
+
+ /* Starting with CryptPad 3.23.0, the server automatically runs
+ * the script responsible for removing inactive data according to
+ * your configured definition of inactivity. Set this value to `true`
+ * if you prefer not to remove inactive data, or if you prefer to
+ * do so manually using `scripts/evict-inactive.js`.
+ */
+ //disableIntegratedEviction: true,
+
+
+ /* Max Upload Size (bytes)
+ * this sets the maximum size of any one file uploaded to the server.
+ * anything larger than this size will be rejected
+ * defaults to 20MB if no value is provided
+ */
+ //maxUploadSize: 20 * 1024 * 1024,
+
+ /* Users with premium accounts (those with a plan included in their customLimit)
+ * can benefit from an increased upload size limit. By default they are restricted to the same
+ * upload size as any other registered user.
+ *
+ */
+ //premiumUploadSize: 100 * 1024 * 1024,
+
+ /* =====================
+ * DATABASE VOLUMES
+ * ===================== */
+
+ /*
+ * We need this config entry, else CryptPad will try to mkdir
+ * some stuff into Nix store apparently...
+ */
+ base: '/mnt/data',
+
+ /*
+ * CryptPad stores each document in an individual file on your hard drive.
+ * Specify a directory where files should be stored.
+ * It will be created automatically if it does not already exist.
+ */
+ filePath: '/mnt/datastore/',
+
+ /* CryptPad offers the ability to archive data for a configurable period
+ * before deleting it, allowing a means of recovering data in the event
+ * that it was deleted accidentally.
+ *
+ * To set the location of this archive directory to a custom value, change
+ * the path below:
+ */
+ archivePath: '/mnt/data/archive',
+
+ /* CryptPad allows logged in users to request that particular documents be
+ * stored by the server indefinitely. This is called 'pinning'.
+ * Pin requests are stored in a pin-store. The location of this store is
+ * defined here.
+ */
+ pinPath: '/mnt/data/pins',
+
+ /* if you would like the list of scheduled tasks to be stored in
+ a custom location, change the path below:
+ */
+ taskPath: '/mnt/data/tasks',
+
+ /* if you would like users' authenticated blocks to be stored in
+ a custom location, change the path below:
+ */
+ blockPath: '/mnt/block',
+
+ /* CryptPad allows logged in users to upload encrypted files. Files/blobs
+ * are stored in a 'blob-store'. Set its location here.
+ */
+ blobPath: '/mnt/blob',
+
+ /* CryptPad stores incomplete blobs in a 'staging' area until they are
+ * fully uploaded. Set its location here.
+ */
+ blobStagingPath: '/mnt/data/blobstage',
+
+ decreePath: '/mnt/data/decrees',
+
+ /* CryptPad supports logging events directly to the disk in a 'logs' directory
+ * Set its location here, or set it to false (or nothing) if you'd rather not log
+ */
+ logPath: false,
+
+ /* =====================
+ * Debugging
+ * ===================== */
+
+ /* CryptPad can log activity to stdout
+ * This may be useful for debugging
+ */
+ logToStdout: true,
+
+ /* CryptPad can be configured to log more or less
+ * the various settings are listed below by order of importance
+ *
+ * silly, verbose, debug, feedback, info, warn, error
+ *
+ * Choose the least important level of logging you wish to see.
+ * For example, a 'silly' logLevel will display everything,
+ * while 'info' will display 'info', 'warn', and 'error' logs
+ *
+ * This will affect both logging to the console and the disk.
+ */
+ logLevel: 'silly',
+
+ /* clients can use the /settings/ app to opt out of usage feedback
+ * which informs the server of things like how much each app is being
+ * used, and whether certain clientside features are supported by
+ * the client's browser. The intent is to provide feedback to the admin
+ * such that the service can be improved. Enable this with `true`
+ * and ignore feedback with `false` or by commenting the attribute
+ *
+ * You will need to set your logLevel to include 'feedback'. Set this
+ * to false if you'd like to exclude feedback from your logs.
+ */
+ logFeedback: false,
+
+ /* CryptPad supports verbose logging
+ * (false by default)
+ */
+ verbose: true,
+
+ /* Surplus information:
+ *
+ * 'installMethod' is included in server telemetry to voluntarily
+ * indicate how many instances are using unofficial installation methods
+ * such as Docker.
+ *
+ */
+ installMethod: 'deuxfleurs.fr',
+};
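Review bot: The comment above `httpSafeOrigin` still ends with "CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS." although the value is set, so that sentence should be dropped or replaced with `// sandbox origin; must differ from httpUnsafeOrigin for the isolation described above to work`. `logLevel: 'silly'` together with `verbose: true` enables the most detailed server logging available, and per the comment at that setting it applies to stdout and disk alike; that may be intended for a test deployment, but a comment marking it as temporary would help. The storage paths are split between `/mnt/data/...` (`base`, `archivePath`, `pinPath`, `taskPath`, `blobStagingPath`, `decreePath`) and top-level `/mnt/datastore/`, `/mnt/block`, `/mnt/blob`; a short comment explaining why `base` is `/mnt/data` while `filePath` sits beside it would make the layout easier to maintain.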
diff --git a/cluster/staging/app/cryptpad/deploy/cryptpad.hcl b/cluster/staging/app/cryptpad/deploy/cryptpad.hcl
new file mode 100644
index 0000000..5cda46e
--- /dev/null
+++ b/cluster/staging/app/cryptpad/deploy/cryptpad.hcl
@@ -0,0 +1,80 @@
+job "cryptpad" {
+ datacenters = ["neptune"]
+ type = "service"
+
+ group "cryptpad" {
+ count = 1
+
+ network {
+ port "http" {
+ to = 3000
+ }
+ }
+
+ restart {
+ attempts = 10
+ delay = "30s"
+ }
+
+ task "main" {
+ driver = "docker"
+
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "="
+ value = "caribou"
+ }
+
+ config {
+ image = "kokakiwi/cryptpad:2024.9.0"
+ ports = [ "http" ]
+
+ volumes = [
+ "/mnt/ssd/cryptpad:/mnt",
+ "secrets/config.js:/cryptpad/config.js",
+ ]
+ }
+ env {
+ CRYPTPAD_CONFIG = "/cryptpad/config.js"
+ }
+
+ template {
+ data = file("../config/config.js")
+ destination = "secrets/config.js"
+ }
+
+ /* Disabled because it requires modifications to the docker image and I do not want to invest the time yet
+ template {
+ data = file("../config/application_config.js")
+ destination = "secrets/config.js"
+ }
+ */
+
+ resources {
+ memory = 1000
+ cpu = 500
+ }
+
+ service {
+ name = "cryptpad"
+ port = "http"
+ tags = [
+ "tricot pad.staging.deuxfleurs.org",
+ "tricot pad-sandbox.staging.deuxfleurs.org",
+ "tricot-add-header Cross-Origin-Resource-Policy cross-origin",
+ "tricot-add-header Cross-Origin-Embedder-Policy require-corp",
+ "tricot-add-header Access-Control-Allow-Origin *",
+ "tricot-add-header Access-Control-Allow-Credentials true",
+ "d53-cname pad.staging.deuxfleurs.org",
+ "d53-cname pad-sandbox.staging.deuxfleurs.org",
+ ]
+ check {
+ type = "http"
+ path = "/"
+ interval = "10s"
+ timeout = "2s"
+ }
+ }
+ }
+ }
+}
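Review bot: The commented-out application_config.js template near the end of the task renders to `secrets/config.js`, the same destination as the config.js template above it, so re-enabling it as written would overwrite the main configuration; it should target its own path, e.g. `destination = "secrets/application_config.js"`, with a matching entry in `volumes`. The service tags send `Access-Control-Allow-Origin *` together with `Access-Control-Allow-Credentials true`; browsers do not honour a wildcard origin on credentialed requests, so if credentials are actually needed the header should name the two deployed origins, and if not, the credentials header can be dropped. The image is pinned by tag only (`kokakiwi/cryptpad:2024.9.0`); pinning by digest would make the staging deployment reproducible and harder to swap out upstream.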