authorDominique Martinet @ jormungand <asmadeus@codewreck.org>2020-09-01 16:57:40 +0200
committerDominique Martinet @ jormungand <asmadeus@codewreck.org>2020-09-01 16:57:40 +0200
commit1f40be29fe8cc60cf534e37404011f253dbb266e (patch)
tree887362581af7d0c03c178797aa675158c3e3221b /machines/jormungand
parent63ac25e3cead0e1788d6c91a03faef05d0cd8eaf (diff)
cryptpad: update to 3.20.1 (current version on nixpkgs master)
Diffstat (limited to 'machines/jormungand')
-rw-r--r--machines/jormungand/cryptpad.config.js393
1 files changed, 151 insertions, 242 deletions
diff --git a/machines/jormungand/cryptpad.config.js b/machines/jormungand/cryptpad.config.js
index eb53f4e..6963d16 100644
--- a/machines/jormungand/cryptpad.config.js
+++ b/machines/jormungand/cryptpad.config.js
@@ -1,60 +1,108 @@
-/*@flow*/
-/*
- globals module
-*/
-var _domain = 'https://cryptpad.codewreck.org/';
+/* globals module */
-// You can `kill -USR2` the node process and it will write out a heap dump.
-// If your system doesn't support dumping, comment this out and install with
-// `npm install --production`
-// See: https://strongloop.github.io/strongloop.com/strongblog/how-to-heap-snapshots/
+/* DISCLAIMER:
-// to enable this feature, uncomment the line below:
-// require('heapdump');
+ There are two recommended methods of running a CryptPad instance:
-// we prepend a space because every usage expects it
-// requiring admins to preserve it is unnecessarily confusing
-var domain = ' ' + _domain;
+ 1. Using a standalone nodejs server without HTTPS (suitable for local development)
+ 2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic
-// Content-Security-Policy
-var baseCSP = [
- "default-src 'none'",
- "style-src 'unsafe-inline' 'self' " + domain,
- "font-src 'self' data:" + domain,
+ We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration.
+ Support requests for such setups should be directed to their authors.
- /* child-src is used to restrict iframes to a set of allowed domains.
- * connect-src is used to restrict what domains can connect to the websocket.
- *
- * it is recommended that you configure these fields to match the
- * domain which will serve your CryptPad instance.
- */
- "child-src blob: *",
- // IE/Edge
- "frame-src blob: *",
+ If you're having difficulty difficulty configuring your instance
+ we suggest that you join the project's IRC/Matrix channel.
- /* this allows connections over secure or insecure websockets
- if you are deploying to production, you'll probably want to remove
- the ws://* directive, and change '*' to your domain
- */
- "connect-src 'self' ws: wss: blob:" + domain,
+ If you don't have any difficulty configuring your instance and you'd like to
+ support us for the work that went into making it pain-free we are quite happy
+ to accept donations via our opencollective page: https://opencollective.com/cryptpad
- // data: is used by codemirror
- "img-src 'self' data: blob:" + domain,
- "media-src * blob:",
+*/
+module.exports = {
+/* CryptPad is designed to serve its content over two domains.
+ * Account passwords and cryptographic content is handled on the 'main' domain,
+ * while the user interface is loaded on a 'sandbox' domain
+ * which can only access information which the main domain willingly shares.
+ *
+ * In the event of an XSS vulnerability in the UI (that's bad)
+ * this system prevents attackers from gaining access to your account (that's good).
+ *
+ * Most problems with new instances are related to this system blocking access
+ * because of incorrectly configured sandboxes. If you only see a white screen
+ * when you try to load CryptPad, this is probably the cause.
+ *
+ * PLEASE READ THE FOLLOWING COMMENTS CAREFULLY.
+ *
+ */
+
+/* httpUnsafeOrigin is the URL that clients will enter to load your instance.
+ * Any other URL that somehow points to your instance is supposed to be blocked.
+ * The default provided below assumes you are loading CryptPad from a server
+ * which is running on the same machine, using port 3000.
+ *
+ * In a production instance this should be available ONLY over HTTPS
+ * using the default port for HTTPS (443) ie. https://cryptpad.fr
+ * In such a case this should be handled by NGINX, as documented in
+ * cryptpad/docs/example.nginx.conf (see the $main_domain variable)
+ *
+ */
+ httpUnsafeOrigin: 'https://cryptpad.codewreck.org/',
+
+/* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
+ * If you're testing or developing with CryptPad on your local machine then
+ * it is appropriate to leave this blank. The default behaviour is to serve
+ * the main domain over port 3000 and to serve the content over port 3001.
+ *
+ * This is not appropriate in a production environment where invasive networks
+ * may filter traffic going over abnormal ports.
+ * To correctly configure your production instance you must provide a URL
+ * with a different domain (a subdomain is sufficient).
+ * It will be used to load the UI in our 'sandbox' system.
+ *
+ * This value corresponds to the $sandbox_domain variable
+ * in the example nginx file.
+ *
+ * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
+ */
+ httpSafeOrigin: "https://cryptpad-sandbox.codewreck.org/",
+
+/* httpAddress specifies the address on which the nodejs server
+ * should be accessible. By default it will listen on 127.0.0.1
+ * (IPv4 localhost on most systems). If you want it to listen on
+ * all addresses, including IPv6, set this to '::'.
+ *
+ */
+ httpAddress: '::1',
- // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
- "frame-ancestors *",
- ""
-];
+/* httpPort specifies on which port the nodejs server should listen.
+ * By default it will serve content over port 3000, which is suitable
+ * for both local development and for use with the provided nginx example,
+ * which will proxy websocket traffic to your node server.
+ *
+ */
+ //httpPort: 3000,
+
+/* httpSafePort allows you to specify an alternative port from which
+ * the node process should serve sandboxed assets. The default value is
+ * that of your httpPort + 1. You probably don't need to change this.
+ *
+ */
+ httpSafePort: 3001,
+/* CryptPad will launch a child process for every core available
+ * in order to perform CPU-intensive tasks in parallel.
+ * Some host environments may have a very large number of cores available
+ * or you may want to limit how much computing power CryptPad can take.
+ * If so, set 'maxWorkers' to a positive integer.
+ */
+ // maxWorkers: 4,
-module.exports = {
/* =====================
* Admin
* ===================== */
/*
- * CryptPad now contains an administration panel. Its access is restricted to specific
+ * CryptPad contains an administration panel. Its access is restricted to specific
* users using the following list.
* To give access to the admin panel to a user account, just add their user id,
* which can be found on the settings page for registered users.
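Review bot: Both origins added in this hunk carry a trailing slash (`httpUnsafeOrigin: 'https://cryptpad.codewreck.org/'`, `httpSafeOrigin: "https://cryptpad-sandbox.codewreck.org/"`), while the upstream example quoted in the comment above them (`https://cryptpad.fr`) and the previous httpSafeOrigin value have none. A browser Origin never ends in a slash, so if the 3.20.1 server compares these values against request origins without canonicalising them the sandbox check may fail (the "white screen" case the header comment warns about); unless the server is known to strip it, I'd use `httpUnsafeOrigin: 'https://cryptpad.codewreck.org',` and `httpSafeOrigin: "https://cryptpad-sandbox.codewreck.org",`. Separately, `httpAddress: '::1'` binds the node server to the IPv6 loopback only, so the reverse proxy upstream has to point at `[::1]` rather than `127.0.0.1`; that is presumably already the case since the old config used the same value, but it is worth a comment on the line.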
@@ -77,125 +125,77 @@ module.exports = {
*/
// supportMailboxPublicKey: "",
- /* =====================
- * Infra setup
- * ===================== */
-
- // the address you want to bind to, :: means all ipv4 and ipv6 addresses
- // this may not work on all operating systems
- httpAddress: '::1',
-
- // the port on which your httpd will listen
- httpPort: 3000,
-
- // This is for allowing the cross-domain iframe to function when developing
- httpSafePort: 3001,
-
- // This is for deployment in production, CryptPad uses a separate origin (domain) to host the
- // cross-domain iframe. It can simply host the same content as CryptPad.
- httpSafeOrigin: "https://cryptpad-sandbox.codewreck.org",
-
- httpUnsafeOrigin: domain,
-
- /* your server's websocket url is configurable
- * (default: '/cryptpad_websocket')
+ /* We're very proud that CryptPad is available to the public as free software!
+ * We do, however, still need to pay our bills as we develop the platform.
*
- * websocketPath can be relative, of the form '/path/to/websocket'
- * or absolute, specifying a particular URL
+ * By default CryptPad will prompt users to consider donating to
+ * our OpenCollective campaign. We publish the state of our finances periodically
+ * so you can decide for yourself whether our expenses are reasonable.
*
- * 'wss://cryptpad.fr:3000/cryptpad_websocket'
+ * You can disable any solicitations for donations by setting 'removeDonateButton' to true,
+ * but we'd appreciate it if you didn't!
*/
- websocketPath: '/cryptpad_websocket',
+ removeDonateButton: true,
- /* CryptPad can be configured to send customized HTTP Headers
- * These settings may vary widely depending on your needs
- * Examples are provided below
+ /* CryptPad will display a point of contact for your instance on its contact page
+ * (/contact.html) if you provide it below.
*/
- httpHeaders: {
- "X-XSS-Protection": "1; mode=block",
- "X-Content-Type-Options": "nosniff",
- "Access-Control-Allow-Origin": "*"
- },
+ adminEmail: 'qlgpfhcrencz.nnqf@noclue.notk.org',
- contentSecurity: baseCSP.join('; ') +
- "script-src 'self'" + domain,
-
- // CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
- padContentSecurity: baseCSP.join('; ') +
- "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
-
- /* it is recommended that you serve CryptPad over https
- * the filepaths below are used to configure your certificates
+ /*
+ * By default, CryptPad contacts one of our servers once a day.
+ * This check-in will also send some very basic information about your instance including its
+ * version and the adminEmail so we can reach you if we are aware of a serious problem.
+ * We will never sell it or send you marketing mail.
+ *
+ * If you want to block this check-in and remain set 'blockDailyCheck' to true.
*/
- //privKeyAndCertFiles: [
- // '/etc/apache2/ssl/my_secret.key',
- // '/etc/apache2/ssl/my_public_cert.crt',
- // '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
- //],
-
- /* Main pages
- * add exceptions to the router so that we can access /privacy.html
- * and other odd pages
+ blockDailyCheck: true,
+
+ /*
+ * By default users get 50MB of storage by registering on an instance.
+ * You can set this value to whatever you want.
+ *
+ * hint: 50MB is 50 * 1024 * 1024
*/
- mainPages: [
- 'index',
- 'privacy',
- 'terms',
- 'about',
- 'contact',
- 'what-is-cryptpad',
- 'features',
- 'faq',
- 'maintenance'
- ],
+ defaultStorageLimit: 1024 * 1024 * 1024,
+
/* =====================
- * Subscriptions
+ * STORAGE
* ===================== */
- /* Limits, Donations, Subscriptions and Contact
- *
- * By default, CryptPad limits every registered user to 50MB of storage. It also shows a
- * subscribe button which allows them to upgrade to a paid account. We handle payment,
- * and keep 50% of the proceeds to fund ongoing development.
- *
- * You can:
- * A: leave things as they are
- * B: disable accounts but display a donate button
- * C: hide any reference to paid accounts or donation
+ /* Pads that are not 'pinned' by any registered user can be set to expire
+ * after a configurable number of days of inactivity (default 90 days).
+ * The value can be changed or set to false to remove expiration.
+ * Expired pads can then be removed using a cron job calling the
+ * `evict-inactive.js` script with node
*
- * If you chose A then there's nothing to do.
- * If you chose B, set 'allowSubscriptions' to false.
- * If you chose C, set 'removeDonateButton' to true
- */
- allowSubscriptions: false,
- removeDonateButton: true,
-
- /*
- * By default, CryptPad also contacts our accounts server once a day to check for changes in
- * the people who have accounts. This check-in will also send the version of your CryptPad
- * instance and your email so we can reach you if we are aware of a serious problem. We will
- * never sell it or send you marketing mail. If you want to block this check-in and remain
- * completely invisible, set this and allowSubscriptions both to false.
+ * defaults to 90 days if nothing is provided
*/
- adminEmail: false,
+ //inactiveTime: 90, // days
- /* Sales coming from your server will be identified by your domain
+ /* CryptPad archives some data instead of deleting it outright.
+ * This archived data still takes up space and so you'll probably still want to
+ * remove these files after a brief period.
*
- * If you are using CryptPad in a business context, please consider taking a support contract
- * by contacting sales@cryptpad.fr
+ * cryptpad/scripts/evict-inactive.js is intended to be run daily
+ * from a crontab or similar scheduling service.
+ *
+ * The intent with this feature is to provide a safety net in case of accidental
+ * deletion. Set this value to the number of days you'd like to retain
+ * archived data before it's removed permanently.
+ *
+ * defaults to 15 days if nothing is provided
*/
- myDomain: _domain,
+ //archiveRetentionTime: 15,
- /*
- * If you are using CryptPad internally and you want to increase the per-user storage limit,
- * change the following value.
- *
- * Please note: This limit is what makes people subscribe and what pays for CryptPad
- * development. Running a public instance that provides a "better deal" than cryptpad.fr
- * is effectively using the project against itself.
+ /* Max Upload Size (bytes)
+ * this sets the maximum size of any one file uploaded to the server.
+ * anything larger than this size will be rejected
+ * defaults to 20MB if no value is provided
*/
- defaultStorageLimit: 1024 * 1024 * 1024,
+ maxUploadSize: 256 * 1024 * 1024,
/*
* CryptPad allows administrators to give custom limits to their friends.
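Review bot: `maxUploadSize: 256 * 1024 * 1024` and `defaultStorageLimit: 1024 * 1024 * 1024` are bare arithmetic with no unit hint, and the 256 MiB upload ceiling is only effective if the reverse proxy recommended in the file's disclaimer also accepts request bodies of that size. I'd annotate both lines: `defaultStorageLimit: 1024 * 1024 * 1024, // 1 GiB per registered user` and `maxUploadSize: 256 * 1024 * 1024, // 256 MiB; keep in step with the proxy's body limit (nginx client_max_body_size)`. Note also that `adminEmail` is now a real address where it was previously `false`; per the comment above it that address is published on /contact.html, and with `blockDailyCheck: true` it is not sent to the upstream check-in, which is presumably the intent.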
@@ -205,8 +205,8 @@ module.exports = {
*
* hint: 1GB is 1024 * 1024 * 1024 bytes
*/
+/*
customLimits: {
- /*
"https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=": {
limit: 20 * 1024 * 1024 * 1024,
plan: 'insider',
@@ -217,70 +217,15 @@ module.exports = {
plan: 'insider',
note: 'storage space donated by my.awesome.website'
}
- */
},
+*/
- /* =====================
- * STORAGE
- * ===================== */
-
- /* By default the CryptPad server will run scheduled tasks every five minutes
- * If you want to run scheduled tasks in a separate process (like a crontab)
- * you can disable this behaviour by setting the following value to true
- */
- disableIntegratedTasks: false,
-
- /* Pads that are not 'pinned' by any registered user can be set to expire
- * after a configurable number of days of inactivity (default 90 days).
- * The value can be changed or set to false to remove expiration.
- * Expired pads can then be removed using a cron job calling the
- * `delete-inactive.js` script with node
- */
- inactiveTime: 90, // days
-
- /* CryptPad can be configured to remove inactive data which has not been pinned.
- * Deletion of data is always risky and as an operator you have the choice to
- * archive data instead of deleting it outright. Set this value to true if
- * you want your server to archive files and false if you want to keep using
- * the old behaviour of simply removing files.
+ /* Users with premium accounts (those with a plan included in their customLimit)
+ * can benefit from an increased upload size limit. By default they are restricted to the same
+ * upload size as any other registered user.
*
- * WARNING: this is not implemented universally, so at the moment this will
- * only apply to the removal of 'channels' due to inactivity.
*/
- retainData: true,
-
- /* As described above, CryptPad offers the ability to archive some data
- * instead of deleting it outright. This archived data still takes up space
- * and so you'll probably still want to remove these files after a brief period.
- * The intent with this feature is to provide a safety net in case of accidental
- * deletion. Set this value to the number of days you'd like to retain
- * archived data before it's removed permanently.
- *
- * If 'retainData' is set to false, there will never be any archived data
- * to remove.
- */
- archiveRetentionTime: 15,
-
- /* Max Upload Size (bytes)
- * this sets the maximum size of any one file uploaded to the server.
- * anything larger than this size will be rejected
- */
- maxUploadSize: 256 * 1024 * 1024,
-
- /* =====================
- * HARDWARE RELATED
- * ===================== */
-
- /* CryptPad's file storage adaptor closes unused files after a configurable
- * number of milliseconds (default 30000 (30 seconds))
- */
- channelExpirationMs: 30000,
-
- /* CryptPad's file storage adaptor is limited by the number of open files.
- * When the adaptor reaches openFileLimit, it will clean up older files
- */
- openFileLimit: 2048,
-
+ //premiumUploadSize: 100 * 1024 * 1024,
/* =====================
* DATABASE VOLUMES
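Review bot: The commented-out `//premiumUploadSize: 100 * 1024 * 1024,` on the last added line runs straight into the `DATABASE VOLUMES` banner with no separating blank line, unlike the other sections in this file; the first hunk has the same issue where `httpSafePort: 3001,` is immediately followed by the maxWorkers comment. A blank line after each keeps the section layout consistent. The `*/` added after `},` closes the `/*` opened in the previous hunk, so the whole `customLimits` object is now commented out rather than present-but-empty as before; that is fine for the server, but a one-line note such as `// customLimits intentionally disabled` above the opening `/*` would make the intent obvious.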
@@ -307,12 +252,12 @@ module.exports = {
* Pin requests are stored in a pin-store. The location of this store is
* defined here.
*/
- pinPath: './pins',
+ pinPath: './data/pins',
/* if you would like the list of scheduled tasks to be stored in
a custom location, change the path below:
*/
- taskPath: './tasks',
+ taskPath: './data/tasks',
/* if you would like users' authenticated blocks to be stored in
a custom location, change the path below:
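Review bot: `pinPath` and `taskPath` move from `./pins` and `./tasks` to `./data/pins` and `./data/tasks` (the same applies to `blobStagingPath` in the next hunk), but nothing in this file relocates the existing directories; a running instance will start with an empty pin store and task list at the new paths and any data still under the old relative paths becomes invisible to the server, pins included. The diffstat is limited to this directory, so a migration step or a working-directory change may exist elsewhere in the commit; if it does not, the old directories should be moved into `./data/` before the updated service starts. A short comment on the `pinPath` line naming the migration, or the reason the paths changed, would help the next person reading this.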
@@ -327,7 +272,7 @@ module.exports = {
/* CryptPad stores incomplete blobs in a 'staging' area until they are
* fully uploaded. Set its location here.
*/
- blobStagingPath: './blobstage',
+ blobStagingPath: './data/blobstage',
/* CryptPad supports logging events directly to the disk in a 'logs' directory
* Set its location here, or set it to false (or nothing) if you'd rather not log
@@ -368,42 +313,6 @@ module.exports = {
*/
logFeedback: false,
- /* You can get a repl for debugging the server if you want it.
- * to enable this, specify the debugReplName and then you can
- * connect to it with `nc -U /tmp/repl/<your name>.sock`
- * If you run multiple cryptpad servers, you need to use different
- * repl names.
- */
- //debugReplName: "cryptpad"
-
- /* =====================
- * DEPRECATED
- * ===================== */
- /*
- You have the option of specifying an alternative storage adaptor.
- These status of these alternatives are specified in their READMEs,
- which are available at the following URLs:
-
- mongodb: a noSQL database
- https://github.com/xwiki-labs/cryptpad-mongo-store
- amnesiadb: in memory storage
- https://github.com/xwiki-labs/cryptpad-amnesia-store
- leveldb: a simple, fast, key-value store
- https://github.com/xwiki-labs/cryptpad-level-store
- sql: an adaptor for a variety of sql databases via knexjs
- https://github.com/xwiki-labs/cryptpad-sql-store
-
- For the most up to date solution, use the default storage adaptor.
- */
- storage: './storage/file',
-
- /* CryptPad's socket server can be extended to respond to RPC calls
- * you can configure it to respond to custom RPC calls if you like.
- * provide the path to your RPC module here, or `false` if you would
- * like to disable the RPC interface completely
- */
- rpc: './rpc.js',
-
/* CryptPad supports verbose logging
* (false by default)
*/