author | Dominique Martinet @ jormungand <asmadeus@codewreck.org> | 2020-09-01 16:09:32 +0200 |
---|---|---|
committer | Dominique Martinet @ jormungand <asmadeus@codewreck.org> | 2020-09-01 16:09:32 +0200 |
commit | 63ac25e3cead0e1788d6c91a03faef05d0cd8eaf (patch) | |
tree | 6e452b5c8d619d0422f5b53fa7c3d722b13153ea /machines/jormungand | |
parent | 6542fcf47e4a1ff6a41111146c0af4de2473fadf (diff) |
jormungand: add cryptpad
Diffstat (limited to 'machines/jormungand')
-rw-r--r-- | machines/jormungand/configuration.nix | 1 | ||||
-rw-r--r-- | machines/jormungand/cryptpad.config.js | 411 | ||||
-rw-r--r-- | machines/jormungand/cryptpad.nix | 8 | ||||
-rw-r--r-- | machines/jormungand/nginx.nix | 17 |
4 files changed, 437 insertions, 0 deletions
diff --git a/machines/jormungand/configuration.nix b/machines/jormungand/configuration.nix
index 4a012cf..5604ce2 100644
--- a/machines/jormungand/configuration.nix
+++ b/machines/jormungand/configuration.nix
@@ -10,6 +10,7 @@
 ../../profiles/users.nix
 ../../profiles/vaderetro.nix
 ../../profiles/zramswap.nix
+ ./cryptpad.nix
 ./mumble.nix
 ./matrix.nix
 ./mpd.nix
diff --git a/machines/jormungand/cryptpad.config.js b/machines/jormungand/cryptpad.config.js
new file mode 100644
index 0000000..eb53f4e
--- /dev/null
+++ b/machines/jormungand/cryptpad.config.js
@@ -0,0 +1,411 @@
+/*@flow*/
+/*
+ globals module
+*/
+var _domain = 'https://cryptpad.codewreck.org/';
+
+// You can `kill -USR2` the node process and it will write out a heap dump.
+// If your system doesn't support dumping, comment this out and install with
+// `npm install --production`
+// See: https://strongloop.github.io/strongloop.com/strongblog/how-to-heap-snapshots/
+
+// to enable this feature, uncomment the line below:
+ // require('heapdump');
+
+// we prepend a space because every usage expects it
+// requiring admins to preserve it is unnecessarily confusing
+var domain = ' ' + _domain;
+
+// Content-Security-Policy
+var baseCSP = [
+ "default-src 'none'",
+ "style-src 'unsafe-inline' 'self' " + domain,
+ "font-src 'self' data:" + domain,
+
+ /* child-src is used to restrict iframes to a set of allowed domains.
+ * connect-src is used to restrict what domains can connect to the websocket.
+ *
+ * it is recommended that you configure these fields to match the
+ * domain which will serve your CryptPad instance.
+ */
+ "child-src blob: *",
+ // IE/Edge
+ "frame-src blob: *",
+
+ /* this allows connections over secure or insecure websockets
+ if you are deploying to production, you'll probably want to remove
+ the ws://* directive, and change '*' to your domain
+ */
+ "connect-src 'self' ws: wss: blob:" + domain,
+
+ // data: is used by codemirror
+ "img-src 'self' data: blob:" + domain,
+ "media-src * blob:",
+
+ // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
+ "frame-ancestors *",
+ ""
+];
+
+
+module.exports = {
+ /* =====================
+ * Admin
+ * ===================== */
+
+ /*
+ * CryptPad now contains an administration panel. Its access is restricted to specific
+ * users using the following list.
+ * To give access to the admin panel to a user account, just add their user id,
+ * which can be found on the settings page for registered users.
+ * Entries should be strings separated by a comma.
+ */
+ adminKeys: [
+ "https://cryptpad.codewreck.org/user/#/1/asmadeus/aBb6070INVTJMCC1Q9LfaOtMDjSnaPd3FJhXSWBSmhg=",
+ ],
+
+ /* CryptPad's administration panel includes a "support" tab
+ * wherein administrators with a secret key can view messages
+ * sent from users via the encrypted forms on the /support/ page
+ *
+ * To enable this functionality:
+ * run `node ./scripts/generate-admin-keys.js`
+ * save the public key in your config in the value below
+ * add the private key via the admin panel
+ * and back it up in a secure manner
+ *
+ */
+ // supportMailboxPublicKey: "",
+
+ /* =====================
+ * Infra setup
+ * ===================== */
+
+ // the address you want to bind to, :: means all ipv4 and ipv6 addresses
+ // this may not work on all operating systems
+ httpAddress: '::1',
+
+ // the port on which your httpd will listen
+ httpPort: 3000,
+
+ // This is for allowing the cross-domain iframe to function when developing
+ httpSafePort: 3001,
+
+ // This is for deployment in production, CryptPad uses a separate origin (domain) to host the
+ // cross-domain iframe. It can simply host the same content as CryptPad.
+ httpSafeOrigin: "https://cryptpad-sandbox.codewreck.org",
+
+ httpUnsafeOrigin: domain,
+
+ /* your server's websocket url is configurable
+ * (default: '/cryptpad_websocket')
+ *
+ * websocketPath can be relative, of the form '/path/to/websocket'
+ * or absolute, specifying a particular URL
+ *
+ * 'wss://cryptpad.fr:3000/cryptpad_websocket'
+ */
+ websocketPath: '/cryptpad_websocket',
+
+ /* CryptPad can be configured to send customized HTTP Headers
+ * These settings may vary widely depending on your needs
+ * Examples are provided below
+ */
+ httpHeaders: {
+ "X-XSS-Protection": "1; mode=block",
+ "X-Content-Type-Options": "nosniff",
+ "Access-Control-Allow-Origin": "*"
+ },
+
+ contentSecurity: baseCSP.join('; ') +
+ "script-src 'self'" + domain,
+
+ // CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
+ padContentSecurity: baseCSP.join('; ') +
+ "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
+
+ /* it is recommended that you serve CryptPad over https
+ * the filepaths below are used to configure your certificates
+ */
+ //privKeyAndCertFiles: [
+ // '/etc/apache2/ssl/my_secret.key',
+ // '/etc/apache2/ssl/my_public_cert.crt',
+ // '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
+ //],
+
+ /* Main pages
+ * add exceptions to the router so that we can access /privacy.html
+ * and other odd pages
+ */
+ mainPages: [
+ 'index',
+ 'privacy',
+ 'terms',
+ 'about',
+ 'contact',
+ 'what-is-cryptpad',
+ 'features',
+ 'faq',
+ 'maintenance'
+ ],
+
+ /* =====================
+ * Subscriptions
+ * ===================== */
+
+ /* Limits, Donations, Subscriptions and Contact
+ *
+ * By default, CryptPad limits every registered user to 50MB of storage. It also shows a
+ * subscribe button which allows them to upgrade to a paid account. We handle payment,
+ * and keep 50% of the proceeds to fund ongoing development.
+ *
+ * You can:
+ * A: leave things as they are
+ * B: disable accounts but display a donate button
+ * C: hide any reference to paid accounts or donation
+ *
+ * If you chose A then there's nothing to do.
+ * If you chose B, set 'allowSubscriptions' to false.
+ * If you chose C, set 'removeDonateButton' to true
+ */
+ allowSubscriptions: false,
+ removeDonateButton: true,
+
+ /*
+ * By default, CryptPad also contacts our accounts server once a day to check for changes in
+ * the people who have accounts. This check-in will also send the version of your CryptPad
+ * instance and your email so we can reach you if we are aware of a serious problem. We will
+ * never sell it or send you marketing mail. If you want to block this check-in and remain
+ * completely invisible, set this and allowSubscriptions both to false.
+ */
+ adminEmail: false,
+
+ /* Sales coming from your server will be identified by your domain
+ *
+ * If you are using CryptPad in a business context, please consider taking a support contract
+ * by contacting sales@cryptpad.fr
+ */
+ myDomain: _domain,
+
+ /*
+ * If you are using CryptPad internally and you want to increase the per-user storage limit,
+ * change the following value.
+ *
+ * Please note: This limit is what makes people subscribe and what pays for CryptPad
+ * development. Running a public instance that provides a "better deal" than cryptpad.fr
+ * is effectively using the project against itself.
+ */
+ defaultStorageLimit: 1024 * 1024 * 1024,
+
+ /*
+ * CryptPad allows administrators to give custom limits to their friends.
+ * add an entry for each friend, identified by their user id,
+ * which can be found on the settings page. Include a 'limit' (number of bytes),
+ * a 'plan' (string), and a 'note' (string).
+ *
+ * hint: 1GB is 1024 * 1024 * 1024 bytes
+ */
+ customLimits: {
+ /*
+ "https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=": {
+ limit: 20 * 1024 * 1024 * 1024,
+ plan: 'insider',
+ note: 'storage space donated by my.awesome.website'
+ },
+ "https://my.awesome.website/user/#/1/cryptpad-user2/GdflkgdlkjeworijfkldfsdflkjeEAsdlEnkbx1vVOo=": {
+ limit: 10 * 1024 * 1024 * 1024,
+ plan: 'insider',
+ note: 'storage space donated by my.awesome.website'
+ }
+ */
+ },
+
+ /* =====================
+ * STORAGE
+ * ===================== */
+
+ /* By default the CryptPad server will run scheduled tasks every five minutes
+ * If you want to run scheduled tasks in a separate process (like a crontab)
+ * you can disable this behaviour by setting the following value to true
+ */
+ disableIntegratedTasks: false,
+
+ /* Pads that are not 'pinned' by any registered user can be set to expire
+ * after a configurable number of days of inactivity (default 90 days).
+ * The value can be changed or set to false to remove expiration.
+ * Expired pads can then be removed using a cron job calling the
+ * `delete-inactive.js` script with node
+ */
+ inactiveTime: 90, // days
+
+ /* CryptPad can be configured to remove inactive data which has not been pinned.
+ * Deletion of data is always risky and as an operator you have the choice to
+ * archive data instead of deleting it outright. Set this value to true if
+ * you want your server to archive files and false if you want to keep using
+ * the old behaviour of simply removing files.
+ *
+ * WARNING: this is not implemented universally, so at the moment this will
+ * only apply to the removal of 'channels' due to inactivity.
+ */
+ retainData: true,
+
+ /* As described above, CryptPad offers the ability to archive some data
+ * instead of deleting it outright. This archived data still takes up space
+ * and so you'll probably still want to remove these files after a brief period.
+ * The intent with this feature is to provide a safety net in case of accidental
+ * deletion. Set this value to the number of days you'd like to retain
+ * archived data before it's removed permanently.
+ *
+ * If 'retainData' is set to false, there will never be any archived data
+ * to remove.
+ */
+ archiveRetentionTime: 15,
+
+ /* Max Upload Size (bytes)
+ * this sets the maximum size of any one file uploaded to the server.
+ * anything larger than this size will be rejected
+ */
+ maxUploadSize: 256 * 1024 * 1024,
+
+ /* =====================
+ * HARDWARE RELATED
+ * ===================== */
+
+ /* CryptPad's file storage adaptor closes unused files after a configurable
+ * number of milliseconds (default 30000 (30 seconds))
+ */
+ channelExpirationMs: 30000,
+
+ /* CryptPad's file storage adaptor is limited by the number of open files.
+ * When the adaptor reaches openFileLimit, it will clean up older files
+ */
+ openFileLimit: 2048,
+
+
+ /* =====================
+ * DATABASE VOLUMES
+ * ===================== */
+
+ /*
+ * CryptPad stores each document in an individual file on your hard drive.
+ * Specify a directory where files should be stored.
+ * It will be created automatically if it does not already exist.
+ */
+ filePath: './datastore/',
+
+ /* CryptPad offers the ability to archive data for a configurable period
+ * before deleting it, allowing a means of recovering data in the event
+ * that it was deleted accidentally.
+ *
+ * To set the location of this archive directory to a custom value, change
+ * the path below:
+ */
+ archivePath: './data/archive',
+
+ /* CryptPad allows logged in users to request that particular documents be
+ * stored by the server indefinitely. This is called 'pinning'.
+ * Pin requests are stored in a pin-store. The location of this store is
+ * defined here.
+ */
+ pinPath: './pins',
+
+ /* if you would like the list of scheduled tasks to be stored in
+ a custom location, change the path below:
+ */
+ taskPath: './tasks',
+
+ /* if you would like users' authenticated blocks to be stored in
+ a custom location, change the path below:
+ */
+ blockPath: './block',
+
+ /* CryptPad allows logged in users to upload encrypted files. Files/blobs
+ * are stored in a 'blob-store'. Set its location here.
+ */
+ blobPath: './blob',
+
+ /* CryptPad stores incomplete blobs in a 'staging' area until they are
+ * fully uploaded. Set its location here.
+ */
+ blobStagingPath: './blobstage',
+
+ /* CryptPad supports logging events directly to the disk in a 'logs' directory
+ * Set its location here, or set it to false (or nothing) if you'd rather not log
+ */
+ logPath: './data/logs',
+
+ /* =====================
+ * Debugging
+ * ===================== */
+
+ /* CryptPad can log activity to stdout
+ * This may be useful for debugging
+ */
+ logToStdout: false,
+
+ /* CryptPad can be configured to log more or less
+ * the various settings are listed below by order of importance
+ *
+ * silly, verbose, debug, feedback, info, warn, error
+ *
+ * Choose the least important level of logging you wish to see.
+ * For example, a 'silly' logLevel will display everything,
+ * while 'info' will display 'info', 'warn', and 'error' logs
+ *
+ * This will affect both logging to the console and the disk.
+ */
+ logLevel: 'info',
+
+ /* clients can use the /settings/ app to opt out of usage feedback
+ * which informs the server of things like how much each app is being
+ * used, and whether certain clientside features are supported by
+ * the client's browser. The intent is to provide feedback to the admin
+ * such that the service can be improved. Enable this with `true`
+ * and ignore feedback with `false` or by commenting the attribute
+ *
+ * You will need to set your logLevel to include 'feedback'. Set this
+ * to false if you'd like to exclude feedback from your logs.
+ */
+ logFeedback: false,
+
+ /* You can get a repl for debugging the server if you want it.
+ * to enable this, specify the debugReplName and then you can
+ * connect to it with `nc -U /tmp/repl/<your name>.sock`
+ * If you run multiple cryptpad servers, you need to use different
+ * repl names.
+ */
+ //debugReplName: "cryptpad"
+
+ /* =====================
+ * DEPRECATED
+ * ===================== */
+ /*
+ You have the option of specifying an alternative storage adaptor.
+ These status of these alternatives are specified in their READMEs,
+ which are available at the following URLs:
+
+ mongodb: a noSQL database
+ https://github.com/xwiki-labs/cryptpad-mongo-store
+ amnesiadb: in memory storage
+ https://github.com/xwiki-labs/cryptpad-amnesia-store
+ leveldb: a simple, fast, key-value store
+ https://github.com/xwiki-labs/cryptpad-level-store
+ sql: an adaptor for a variety of sql databases via knexjs
+ https://github.com/xwiki-labs/cryptpad-sql-store
+
+ For the most up to date solution, use the default storage adaptor.
+ */
+ storage: './storage/file',
+
+ /* CryptPad's socket server can be extended to respond to RPC calls
+ * you can configure it to respond to custom RPC calls if you like.
+ * provide the path to your RPC module here, or `false` if you would
+ * like to disable the RPC interface completely
+ */
+ rpc: './rpc.js',
+
+ /* CryptPad supports verbose logging
+ * (false by default)
+ */
+ verbose: false,
+};
diff --git a/machines/jormungand/cryptpad.nix b/machines/jormungand/cryptpad.nix
new file mode 100644
index 0000000..5d408d5
--- /dev/null
+++ b/machines/jormungand/cryptpad.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+ services.cryptpad = {
+ enable = true;
+ configFile = ./cryptpad.config.js;
+ };
+}
diff --git a/machines/jormungand/nginx.nix b/machines/jormungand/nginx.nix
index 8432dc1..c10d7f0 100644
--- a/machines/jormungand/nginx.nix
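Review bot: The `baseCSP` array keeps the wildcard and plaintext-websocket sources that its own comments flag for production — `child-src blob: *`, `frame-src blob: *`, `ws:` in `connect-src`, and `frame-ancestors *` — although this instance has two fixed origins, `_domain` and `httpSafeOrigin`, both served over TLS by the nginx vhosts added in the same commit. With `allowSubscriptions: false` and `adminEmail: false` set further down, the accounts.cryptpad.fr case that the `frame-ancestors *` comment cites does not apply, so the framing directives can be pinned to the two known origins and `ws:` dropped, e.g. `"frame-ancestors https://cryptpad.codewreck.org https://cryptpad-sandbox.codewreck.org",` and `"connect-src 'self' wss: blob:" + domain,`, with `child-src`/`frame-src` taking the sandbox origin the same way — verify the sandbox iframe still loads after the change. A wildcard `frame-ancestors` is what lets any third-party page embed the instance, so it is the directive most worth tightening even if the rest stays as upstream ships it. The storage paths (`filePath`, `archivePath`, `pinPath` and the others) are relative, so they resolve against whatever working directory the NixOS service runs with; presumably the module sets one, but that is not visible here and is worth confirming.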
+++ b/machines/jormungand/nginx.nix
@@ -53,5 +53,22 @@
 };
 };
 };
+
+ "cryptpad.codewreck.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:3000";
+ proxyWebsockets = true;
+ };
+ };
+ "cryptpad-sandbox.codewreck.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:3001";
+ proxyWebsockets = true;
+ };
+ };
 };
 } |