Release v20.5 to unstable

-----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCgA0FiEEfWrbdQ+RCFWJSEvmd8DHXntlCAgFAl55VLsWHGp2YWxsZXJv
 eUBtYWlsYm94Lm9yZwAKCRB3wMdee2UICE7yD/0bN2Uc/vvJY1SMZdbxq63YX0K3
 fhqRLuxEBJckdcR0K5lm1lwymmLkuBASdojUwn+7ZJGbzNDiBY3SmIYQAhMrmhb+
 OGxnM4n2XUYWdC7PqrNlw5Bps4e5J32zDXhyGvx15hPwQS1gollJ1j9iSX8rswG6
 /UKFrA8ZuBbT5PLfH5WjubIsNsTcjBFJ2oDuhhn4FW3X9DjH624Mgg+EbrIBXG9D
 X1GEVN/+WoMXdDKC0FUpV4xf9ET8Q9kMaT/HPqN7AtVMhD0Pb/uNNL/X6CXo75VY
 HkPq6yc6s4YizWCOAIS9MIa3wYU2Gt4cIn0nLBWOG5fSZyB6VQiNfTiT/VXK6Oe9
 Vi55VhGKMW5k1tJN4mSZ7PkFXapmxS9TW+O7kguucIowUlhhp76iNZchrJW8GR2i
 cwa5rVnoCOy6QNqepsYvQT3gK5FUug50WbkaO4j/G/8Hn0+daJv97AjpZX8J5Rqy
 clTJBQeAypckgwsbBcBFA6Zh52UY3VWZAQcS1a3kvf+YyYtJVcPWt4sVE4tNxV9I
 lJceIKnqOgqB1ZgqCjpfuQF1q8XAQ2bPSKIvJxyi595AU4SSSU2fWEA3jMpLnSxn
 2oSMLgsUSSDULuprdWZegELd6LLUN61l73nZiNxKZKehnU6fkVtuWiaE05Wvy5jl
 kNiMCMkrcQyShfNrPA==
 =vtzD
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCgA0FiEEfWrbdQ+RCFWJSEvmd8DHXntlCAgFAl58g7sWHGp2YWxsZXJv
 eUBtYWlsYm94Lm9yZwAKCRB3wMdee2UICDmPEACldXi0e6+Msph7KB7Sx1JKqgbn
 baGbRYJAi/pzZ0ZBZP2BWreoDyrriFcjscW4IUFmqad+hq4SOM0vB7xA9s6dgGNf
 bNfWaEdRbKlU74b68+66XVm0QkQ4+nWOceJpqIiQTQpfQQN7XDHrFfAoKnKLR4jK
 PUyuhYiHdjVJtzlqZivEriOl5EcQldhIAFnOSYPwbTNMMOkyU8Pgy8YqziyKVRrF
 850AY2zJ0KqVVyoQnpk0N3bt5KxGQ4PMnCLmlAAVh90hhb/rn6nfqASFqnkV8Sn5
 ngQUL+3R9BCrmrYUAHbAdmqEyqo7zMw9M7MGBgp8ZaGqVUgN+FejsdEdnay5QFUl
 GGikVBdk3hJsKT7F9OZXpkuijXdPM6ZL5xdcLe/l4k6j4rNU5iYZbPRmlMliXHnz
 tm7R7The3A6SC7SUhHGVHtLGyDapB29Oat66S4b1k0I/JnThHsh9YhmX/R97WNfo
 klDXRIvMOXUOyFGnzXzYBBu78bdFMHEJse5Z+5AgcB0ksbSddukSolH/UIHO/oYo
 Y4WE5Tz8baHy+sdtO3Q8J3/M6KsSwXRjt/kdB6tTwcAVWoYIzOHJg8plyWnpJfuS
 3qhGGSHxX6zaS6SN87AmT+hEY6pSxAHDs0Bxb8okvr/HEuRMU38i6UyQZMOIUv3I
 Jf9JBpqheqHWoNUCnw==
 =816Z
 -----END PGP SIGNATURE-----

Merge tag 'v20.5' into debian/buster-backports

Release v20.5 to unstable

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>

.gitlab-ci.yml

@@ -1,12 +1,10 @@
-image: debian:testing
+# SPDX-License-Identifier: AGPL-3.0-or-later
+image: registry.salsa.debian.org/freedombox-team/plinth:gitlabci
 
 before_script:
   - export DEBIAN_FRONTEND=noninteractive
   - apt-get update
   - apt-get build-dep -y .  # Dependencies of the plinth Debian package
-  - apt-get install -y build-essential  # Build dependencies
-  - apt-get install -y sshpass parted  # Test dependencies
-  - apt-get install -y sudo
   - apt-mark hold fuse fuse3  # not installable in CI environment
   - apt-get install -y $(./run --list-dependencies)  # Module dependencies
 

Dockerfile.gitlabci

@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# This is an IaC pattern called "reheating a server template".
+# This is very fast but can accumulate cruft over time.
+# Use debian:testing if you want to build a fresh image.
+FROM registry.salsa.debian.org/freedombox-team/plinth:gitlabci
+
+USER root
+COPY . /plinth
+WORKDIR /plinth
+
+RUN echo "deb http://deb.debian.org/debian testing main" > /etc/apt/sources.list
+RUN echo "deb-src http://deb.debian.org/debian testing main" >> /etc/apt/sources.list
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update
+RUN apt-get build-dep -y .  # Dependencies of the freedombox Debian package
+RUN apt-get install -y build-essential # Build dependencies
+RUN apt-get install -y sshpass parted # Test dependencies
+RUN apt-get install -y sudo
+RUN apt-mark hold fuse fuse3 # not installable in CI environment
+RUN apt-get install -y $(./run --list-dependencies) # Module dependencies

actions/mediawiki

@@ -73,6 +73,7 @@ def subcommand_setup(_):
     subprocess.run(['chmod', '-R', 'o-rwx', data_dir], check=True)
     subprocess.run(['chown', '-R', 'www-data:www-data', data_dir], check=True)
     include_custom_config()
+    _fix_non_private_mode()
 
 
 def include_custom_config():
@@ -102,6 +103,21 @@ def include_custom_config():
         conf_file.writelines(lines)
 
 
+def _fix_non_private_mode():
+    """Drop the line that allows editing by anonymous users.
+
+    Remove this fix after the release of Debian 11.
+
+    """
+    with open(CONF_FILE, 'r') as conf_file:
+        lines = conf_file.readlines()
+
+    with open(CONF_FILE, 'w') as conf_file:
+        for line in lines:
+            if not line.startswith("$wgGroupPermissions['*']['edit']"):
+                conf_file.write(line)
+
+
 def subcommand_change_password(arguments):
     """Change the password for a given user"""
     new_password = ''.join(sys.stdin)
@@ -154,34 +170,26 @@ def subcommand_private_mode(arguments):
     with open(CONF_FILE, 'r') as conf_file:
         lines = conf_file.readlines()
 
-    def is_edit_line(line):
-        return line.startswith("$wgGroupPermissions['*']['edit']")
-
     def is_read_line(line):
         return line.startswith("$wgGroupPermissions['*']['read']")
 
-    edit_conf_lines = list(filter(is_edit_line, lines))
     read_conf_lines = list(filter(is_read_line, lines))
     if arguments.command == 'status':
-        if edit_conf_lines and read_conf_lines:
-            print('enabled' if ('false' in read_conf_lines[0]) and (
-                'false' in edit_conf_lines[0]) else 'disabled')
+        if read_conf_lines and 'false' in read_conf_lines[0]:
+            print('enabled')
         else:
             print('disabled')
     else:
         with open(CONF_FILE, 'w') as conf_file:
             conf_value = 'false;' if arguments.command == 'enable' else 'true;'
             for line in lines:
-                if is_edit_line(line) or is_read_line(line):
+                if is_read_line(line):
                     words = line.split()
                     words[-1] = conf_value
                     conf_file.write(" ".join(words) + '\n')
                 else:
                     conf_file.write(line)
 
-            if not edit_conf_lines:
-                conf_file.write("$wgGroupPermissions['*']['edit'] = " +
-                                conf_value + '\n')
             if not read_conf_lines:
                 conf_file.write("$wgGroupPermissions['*']['read'] = " +
                                 conf_value + '\n')

actions/pagekite

@@ -5,11 +5,12 @@ Configuration helper for PageKite interface.
 """
 
 import argparse
-import augeas
 import json
 import os
 import sys
 
+import augeas
+
 from plinth import action_utils
 from plinth.modules.pagekite import utils
 
@@ -36,31 +37,17 @@ def parse_arguments():
     parser = argparse.ArgumentParser()
     subparsers = parser.add_subparsers(dest='subcommand', help='Sub command')
 
-    # Enable/disable the pagekite service
-    subparsers.add_parser('start-and-enable', help='Enable PageKite service')
-    subparsers.add_parser('stop-and-disable', help='Disable PageKite service')
-    subparsers.add_parser('restart', help='Restart PageKite service')
-    subparsers.add_parser(
-        'is-disabled', help=('Whether PageKite is disabled in the file '
-                             '/etc/pagekite.d/10_accounts.rc'))
-
-    # Frontend
-    subparsers.add_parser('get-frontend', help='Get pagekite frontend')
-    set_frontend = subparsers.add_parser('set-frontend',
-                                         help='Set pagekite frontend')
-    set_frontend.add_argument('url', help='frontend url')
-
-    # Kite details (name + secret)
-    subparsers.add_parser('get-kite',
-                          help='Get configured kite name and secret')
-    set_kite = subparsers.add_parser(
-        'set-kite',
-        help='Configure kite name and its secret. Secret is read from stdin.')
-    set_kite.add_argument('--kite-name',
-                          help='Name of the kite (eg: mybox.pagekite.me)')
+    # Configuration
+    subparsers.add_parser('get-config', help='Return current configuration')
+    set_config = subparsers.add_parser(
+        'set-config',
+        help='Configure kite name, its secret and frontend. Secret is read '
+        'from stdin.')
+    set_config.add_argument('--kite-name',
+                            help='Name of the kite (eg: mybox.pagekite.me)')
+    set_config.add_argument('--frontend', help='Frontend url')
 
     # Add/remove pagekite services (service_on entries)
-    subparsers.add_parser('get-services', help='Get list of enabled services')
     add_service = subparsers.add_parser('add-service',
                                         help='Add a pagekite service')
     add_service.add_argument('--service', help='json service dictionary')
@@ -72,82 +59,102 @@ def parse_arguments():
     return parser.parse_args()
 
 
-def subcommand_restart(_):
-    """Restart the pagekite service"""
-    action_utils.service_restart('pagekite')
-    print('restarted')
-
-
-def subcommand_is_disabled(_):
+def subcommand_get_config(_):
+    """Print the current configuration as JSON dictionary."""
     if aug.match(PATHS['abort_not_configured']):
-        print('true')
-    else:
-        print('false')
-
-
-def subcommand_start_and_enable(_):
-    aug.remove(PATHS['abort_not_configured'])
-    aug.save()
-    # 'start' alone sometimes fails, even if the service is not running
-    action_utils.service_restart('pagekite')
-    print('enabled')
-
-
-def subcommand_stop_and_disable(_):
-    action_utils.service_stop('pagekite')
-    aug.set(PATHS['abort_not_configured'], '')
-    aug.save()
-    print('disabled')
-
-
-def subcommand_get_frontend(_):
-    """Get pagekite frontend url"""
-    if aug.match(PATHS['defaults']):
-        print("pagekite.net")
-    else:
-        url = aug.get(PATHS['frontend'])
-        print(url or '')
-
-
-def subcommand_set_frontend(arguments):
-    """Set pagekite frontend url, taking care of defaults and pagekite.net"""
-    frontend_domain = arguments.url.split(':')[0]
-    if frontend_domain in ('pagekite.net', 'defaults', 'default'):
-        enable_pagekitenet_frontend()
-    else:
-        aug.remove(PATHS['defaults'])
-        aug.set(PATHS['frontend'], arguments.url)
+        aug.remove(PATHS['abort_not_configured'])
         aug.save()
 
+    if aug.match(PATHS['defaults']):
+        frontend = 'pagekite.net'
+    else:
+        frontend = aug.get(PATHS['frontend']) or ''
 
-def enable_pagekitenet_frontend():
-    """Enable using default pageket.net frontend
+    frontend = frontend.split(':')
+    server_domain = frontend[0]
+    server_port = frontend[1] if len(frontend) >= 2 else '80'
 
-    This disables any other frontends.
-    """
-    aug.set(PATHS['defaults'], '')
-    aug.remove(PATHS['frontend'])
-    aug.save()
-    print("enabled")
+    status = {
+        'kite_name': aug.get(PATHS['kitename']),
+        'kite_secret': aug.get(PATHS['kitesecret']),
+        'server_domain': server_domain,
+        'server_port': server_port,
+        'predefined_services': {
+            proto: False
+            for proto in utils.PREDEFINED_SERVICES
+        },
+        'custom_services': [],
+    }
 
-
-def subcommand_get_services(arguments):
-    """ lists all available (enabled) services """
+    # 1. predefined_services: {'http': False, 'ssh': True, 'https': True}
+    # 2. custom_services: [{'protocol': 'http', 'secret' 'nono', ..}, [..]}
     for match in aug.match(PATHS['service_on']):
         service = dict([(param, aug.get(os.path.join(match, param)))
                         for param in utils.SERVICE_PARAMS])
-        print(json.dumps(service))
+        for name, predefined_service in utils.PREDEFINED_SERVICES.items():
+            if service == predefined_service['params']:
+                status['predefined_services'][name] = True
+                break
+        else:
+            status['custom_services'].append(service)
+            if '/' in service['protocol']:
+                service['protocol'], service['frontend_port'] = service[
+                    'protocol'].split('/')
+
+            service['subdomains'] = service['kitename'].startswith('*.')
+            kite_name = status['kite_name']
+            protocol = service['protocol']
+            if service['subdomains']:
+                kite_name = f'*.{kite_name}'
+
+            url = f'{protocol}://{kite_name}'
+            if 'frontend_port' in service and service['frontend_port']:
+                url = "%s:%s" % (url, service['frontend_port'])
+
+            service['url'] = url
+
+    print(json.dumps(status))
+
+
+def subcommand_set_config(arguments):
+    """Set pagekite kite name, secret and frontend URL."""
+    aug.remove(PATHS['abort_not_configured'])
+
+    aug.set(PATHS['kitename'], arguments.kite_name)
+    aug.set(PATHS['kitesecret'], sys.stdin.read())
+
+    frontend_domain = arguments.frontend.split(':')[0]
+    if frontend_domain in ('pagekite.net', 'defaults', 'default'):
+        aug.set(PATHS['defaults'], '')
+        aug.remove(PATHS['frontend'])
+    else:
+        aug.remove(PATHS['defaults'])
+        aug.set(PATHS['frontend'], arguments.frontend)
+
+    aug.save()
+
+    for service_name in utils.PREDEFINED_SERVICES.keys():
+        service = utils.PREDEFINED_SERVICES[service_name]['params']
+        try:
+            _add_service(service)
+        except RuntimeError:
+            pass
+
+    # Immediately after install, pagekite is enabled but not running. Restart
+    # based on enabled state instead of try-restart.
+    if action_utils.service_is_enabled('pagekite'):
+        action_utils.service_restart('pagekite')
 
 
 def subcommand_remove_service(arguments):
     """Searches and removes the service(s) that match all given parameters"""
     service = utils.load_service(arguments.service)
-    paths = get_existing_service_paths(service)
+    paths = _get_existing_service_paths(service)
     # TODO: theoretically, everything to do here is:
     # [aug.remove(path) for path in paths]
     # but augeas won't let you save the changed files and doesn't say why
     for path in paths:
-        filepath = convert_augeas_path_to_filepath(path)
+        filepath = _convert_augeas_path_to_filepath(path)
         service_found = False
         with open(filepath, 'r') as file:
             lines = file.readlines()
@@ -165,35 +172,40 @@ def subcommand_remove_service(arguments):
     action_utils.service_restart('pagekite')
 
 
-def get_existing_service_paths(service):
+def _get_existing_service_paths(service, keys=None):
     """Return paths of existing services that match the given service params"""
     # construct an augeas query path with patterns like:
     #     */service_on/*[protocol='http']
     path = PATHS['service_on']
-    for param, value in service.items():
-        path += "[%s='%s']" % (param, value)
+    for param in (keys or service.keys()):
+        path += "[%s='%s']" % (param, service[param])
     return aug.match(path)
 
 
+def _add_service(service):
+    """Add a new service into configuration."""
+    if _get_existing_service_paths(service, ['protocol', 'kitename']):
+        msg = "Service with the parameters %s already exists"
+        raise RuntimeError(msg % service)
+
+    root = _get_new_service_path(service['protocol'])
+    # TODO: after adding a service, augeas fails writing the config;
+    # so add the service_on entry manually instead
+    path = _convert_augeas_path_to_filepath(root)
+    with open(path, 'a') as servicefile:
+        line = "\nservice_on = %s\n" % utils.convert_service_to_string(service)
+        servicefile.write(line)
+
+
 def subcommand_add_service(arguments):
     """Add one service"""
     service = utils.load_service(arguments.service)
-    if get_existing_service_paths(service):
-        msg = "Service with the parameters %s already exists"
-        raise RuntimeError(msg % service)
-
-    root = get_new_service_path(service['protocol'])
-    # TODO: after adding a service, augeas fails writing the config;
-    # so add the service_on entry manually instead
-    path = convert_augeas_path_to_filepath(root)
-    with open(path, 'a') as servicefile:
-        line = "\nservice_on = %s\n" % utils.convert_service_to_string(service)
-        servicefile.write(line)
-    action_utils.service_restart('pagekite')
+    _add_service(service)
+    action_utils.service_try_restart('pagekite')
 
 
-def convert_augeas_path_to_filepath(augpath, prefix='/files',
-                                    suffix='service_on'):
+def _convert_augeas_path_to_filepath(augpath, prefix='/files',
+                                     suffix='service_on'):
     """Convert an augeas service_on path to the actual file path"""
     if augpath.startswith(prefix):
         augpath = augpath.replace(prefix, "", 1)
@@ -204,7 +216,7 @@ def convert_augeas_path_to_filepath(augpath, prefix='/files',
     return augpath.rstrip('/')
 
 
-def get_new_service_path(protocol):
+def _get_new_service_path(protocol):
     """Get the augeas path of a new service for a protocol
 
     This takes care of existing services using a /service_on/*/ query"""
@@ -213,21 +225,6 @@ def get_new_service_path(protocol):
     return os.path.join(root, str(new_index))
 
 
-def subcommand_get_kite(_):
-    """Print details of the currently configured kite"""
-    kitename = aug.get(PATHS['kitename'])
-    kitesecret = aug.get(PATHS['kitesecret'])
-    print(kitename or '')
-    print(kitesecret or '')
-
-
-def subcommand_set_kite(arguments):
-    """Set details of the kite"""
-    aug.set(PATHS['kitename'], arguments.kite_name)
-    aug.set(PATHS['kitesecret'], sys.stdin.read())
-    aug.save()
-
-
 def augeas_load():
     """Initialize Augeas."""
     global aug

actions/shadowsocks

@@ -7,8 +7,11 @@ Helper script for configuring Shadowsocks.
 import argparse
 import json
 import os
-import subprocess
+import pathlib
+import random
+import string
 import sys
+from shutil import move
 
 from plinth import action_utils
 from plinth.modules import shadowsocks
@@ -29,11 +32,6 @@ def parse_arguments():
     subparsers.add_parser('merge-config',
                           help='Merge JSON config from stdin with existing')
 
-    # Migrations
-    subparsers.add_parser(
-        'migrate-1-2',
-        help='Move shadowsocks config file to a secure location')
-
     subparsers.required = True
     return parser.parse_args()
 
@@ -43,9 +41,44 @@ def subcommand_setup(_):
     # Only client socks5 proxy is supported for now. Disable the
     # server component.
     action_utils.service_disable('shadowsocks-libev')
+
+    os.makedirs('/var/lib/private/shadowsocks-libev/freedombox/',
+                exist_ok=True)
+
+    # if existing configuration from version 1 which is normal file
+    # move it to new location.
+    if (not os.path.islink(SHADOWSOCKS_CONFIG_SYMLINK)
+            and os.path.isfile(SHADOWSOCKS_CONFIG_SYMLINK)):
+        move(SHADOWSOCKS_CONFIG_SYMLINK, SHADOWSOCKS_CONFIG_ACTUAL)
+
     if not os.path.islink(SHADOWSOCKS_CONFIG_SYMLINK):
         os.symlink(SHADOWSOCKS_CONFIG_ACTUAL, SHADOWSOCKS_CONFIG_SYMLINK)
 
+    if not os.path.isfile(SHADOWSOCKS_CONFIG_ACTUAL):
+        password = ''.join(
+            random.choice(string.ascii_letters) for _ in range(12))
+        initial_config = {
+            'server': '127.0.0.1',
+            'server_port': 8388,
+            'local_port': 1080,
+            'password': password,
+            'method': 'chacha20-ietf-poly1305'
+        }
+        _merge_config(initial_config)
+
+    # Commit 50e5608331330b37c0b9cce846e34ccc193d1b0d incorrectly sets the
+    # StateDirectory without setting DynamicUser. Buster's shadowsocks will
+    # then create directory /var/lib/shadowsocks-libev/freedombox/ and refuse
+    # to delete is in later versions when DynamicUser=yes needs it to be a
+    # symlink.
+    action_utils.service_daemon_reload()
+    wrong_state_dir = pathlib.Path('/var/lib/shadowsocks-libev/freedombox/')
+    if not wrong_state_dir.is_symlink() and wrong_state_dir.is_dir():
+        wrong_state_dir.rmdir()
+
+    if action_utils.service_is_enabled(shadowsocks.managed_services[0]):
+        action_utils.service_restart(shadowsocks.managed_services[0])
+
 
 def subcommand_get_config(_):
     """Read and print Shadowsocks configuration."""
@@ -55,11 +88,8 @@ def subcommand_get_config(_):
         sys.exit(1)
 
 
-def subcommand_merge_config(_):
-    """Configure Shadowsocks."""
-    config = sys.stdin.read()
-    config = json.loads(config)
-
+def _merge_config(config):
+    """Write merged configuration into file."""
     try:
         current_config = open(SHADOWSOCKS_CONFIG_SYMLINK, 'r').read()
         current_config = json.loads(current_config)
@@ -71,19 +101,17 @@ def subcommand_merge_config(_):
     new_config = json.dumps(new_config, indent=4, sort_keys=True)
     open(SHADOWSOCKS_CONFIG_SYMLINK, 'w').write(new_config)
 
-    action_utils.service_restart(shadowsocks.managed_services[0])
 
+def subcommand_merge_config(_):
+    """Configure Shadowsocks."""
+    config = sys.stdin.read()
+    config = json.loads(config)
+    _merge_config(config)
 
-def subcommand_migrate_1_2(_):
-    """Move shadowsocks config file to a secure location."""
-    if os.path.isfile(SHADOWSOCKS_CONFIG_SYMLINK):  # ignoring symlinks
-        os.makedirs('/var/lib/private/shadowsocks-libev/freedombox/',
-                    exist_ok=True)
-        os.replace(SHADOWSOCKS_CONFIG_SYMLINK, SHADOWSOCKS_CONFIG_ACTUAL)
-        os.symlink(SHADOWSOCKS_CONFIG_ACTUAL, SHADOWSOCKS_CONFIG_SYMLINK)
-
-    subprocess.check_call(['systemctl', 'daemon-reload'])
-    action_utils.service_restart(shadowsocks.managed_services[0])
+    # Don't try_restart because initial configuration may not be valid so
+    # shadowsocks will not be running even when enabled.
+    if action_utils.service_is_enabled(shadowsocks.managed_services[0]):
+        action_utils.service_restart(shadowsocks.managed_services[0])
 
 
 def main():

actions/upgrades

@@ -18,6 +18,37 @@ LOG_FILE = '/var/log/unattended-upgrades/unattended-upgrades.log'
 BUSTER_BACKPORTS_RELEASE_FILE_URL = \
     'https://deb.debian.org/debian/dists/buster-backports/Release'
 
+# Whenever these preferences needs to change, increment the version number
+# upgrades app. This ensures that setup is run again and the new contents are
+# overwritten on the old file.
+APT_PREFERENCES = '''Explanation: This file is managed by FreedomBox, do not edit.
+Explanation: Allow carefully selected updates to 'freedombox' from backports.
+Package: freedombox
+Pin: release a=buster-backports
+Pin-Priority: 500
+
+Explanation: matrix-synapse 0.99.5 introduces room version 4. Older version
+Explanation: 0.99.2 in buster won't be able join newly created rooms.
+Package: matrix-synapse
+Pin: release a=buster-backports
+Pin-Priority: 500
+
+Explanation: matrix-synapse >= 1.2 requires python3-service-identity >= 18.1
+Package: python3-service-identity
+Pin: release a=buster-backports
+Pin-Priority: 500
+
+Explanation: matrix-synapse >= 1.5 requires python3-typing-extensions >= 3.7.4
+Package: python3-typing-extensions
+Pin: release a=buster-backports
+Pin-Priority: 500
+
+Explanation: matrix-synapse >= 1.11 requires python3-signedjson >= 1.1.0
+Package: python3-signedjson
+Pin: release a=buster-backports
+Pin-Priority: 500
+'''
+
 
 def parse_arguments():
     """Return parsed command line arguments as dictionary"""
@@ -31,6 +62,7 @@ def parse_arguments():
     subparsers.add_parser('disable-auto', help='Disable automatic upgrades.')
     subparsers.add_parser('get-log', help='Print the automatic upgrades log')
 
+    subparsers.add_parser('setup', help='Setup apt preferences')
     subparsers.add_parser('setup-repositories',
                           help='Setup software repositories for FreedomBox')
 
@@ -156,11 +188,23 @@ def _check_and_backports_sources():
 
 def _add_apt_preferences():
     """Setup APT preferences to upgrade selected packages from backports."""
+    base_path = pathlib.Path('/etc/apt/preferences.d')
     for file_name in ['50freedombox.pref', '50freedombox2.pref']:
-        full_path = pathlib.Path('/etc/apt/preferences.d') / file_name
+        full_path = base_path / file_name
         if full_path.exists():
             full_path.unlink()
 
+    # Don't try to remove 50freedombox3.pref as this file is shipped with the
+    # Debian package and is removed using maintainer scripts.
+
+    with open(base_path / '50freedombox4.pref', 'w') as file_handle:
+        file_handle.write(APT_PREFERENCES)
+
+
+def subcommand_setup(_):
+    """Setup apt preferences."""
+    _add_apt_preferences()
+
 
 def subcommand_setup_repositories(_):
     """Setup software repositories needed for FreedomBox.
@@ -170,7 +214,6 @@ def subcommand_setup_repositories(_):
 
     """
     _check_and_backports_sources()
-    _add_apt_preferences()
 
 
 def main():

debian/changelog

@@ -1,3 +1,79 @@
+plinth (20.5) unstable; urgency=medium
+
+  [ Joseph Nuthalapati ]
+  * ci: Use pre-built container image to speed up CI
+  * ci: Add maintenance script for updating images
+  * ci: Optimize refreshing Docker image for GitLabCI
+
+  [ James Valleroy ]
+  * ci: Switch docker image to testing
+  * Translated using Weblate (Swedish)
+  * locale: Update translation strings
+  * doc: Fetch latest manual
+
+  [ Sunil Mohan Adapa ]
+  * app: Fix name of the block in templates, used for overriding
+  * views: Allow AppViews to set self.intial
+  * pagekite: Simplify code for form adding custom service
+  * pagekite: Remove unused templates
+  * pagekite: Drop ineffective base template
+  * pagekite: Minor cleanup
+  * pagekite: Merge all the configuration retrieval actions
+  * pagekite: Merge set-kite and set-frontend actions
+  * pagekite: Use Daemon component to simplify handling daemon actions
+  * pagekite: Don't signal new domain on init if app is disabled
+  * pagekite: Simplify code notifying domain name changes
+  * pagekite: Don't attempt to notify about domain if app is disabled
+  * pagekite: Remove app enabled checking from getting configuration
+  * pagekite: Fix functional tests by submitting the right form
+  * pagekite: Fix styling issues for custom services section
+  * pagekite: On enable/disable, add/remove domain from names module
+  * pagekite: Fix an error message in custom services form
+  * pagekite: Ensure transitioning for from old code
+  * matrixsynapse: Handle release of matrix-synapse 1.11
+  * setup: Fix regression to force-upgrade caused by Info changes
+  * pagekite: Don't allow non-unique custom services
+  * toolbar: Factor out the clients buttons into a separate template
+  * index: Reintroduce clients button in front page
+  * upgrades: Don't ship apt backport preferences file
+  * setup.py: Remove files shipped in the past
+  * upgrades: Use internal scheduler instead of systemd timer
+  * shadowsocks: Change default configuration
+  * action_utils: Add utility to call systemd daemon-reload
+  * shadowsocks: Fix incorrect setting of state directory
+  * shadowsocks: When editing configuration, don't re-enable
+  * mediawiki: Don't allow anonymous edits
+
+  [ Fioddor Superconcentrado ]
+  * Translated using Weblate (Spanish)
+  * Translated using Weblate (Spanish)
+  * Translated using Weblate (Spanish)
+  * Translated using Weblate (Spanish)
+  * Translated using Weblate (Spanish)
+
+  [ Luis A. Arizmendi ]
+  * Translated using Weblate (Spanish)
+  * Translated using Weblate (Spanish)
+  * Translated using Weblate (Spanish)
+  * Translated using Weblate (Spanish)
+
+  [ Fred ]
+  * Translated using Weblate (French)
+
+  [ Veiko Aasa ]
+  * names: Fix Local Network Domain is not shown
+
+  [ Thomas Vincent ]
+  * Translated using Weblate (French)
+
+  [ Nektarios Katakis ]
+  * shadowshocks: Fix setting configuration on Buster
+
+  [ Michael Breidenbach ]
+  * Translated using Weblate (Swedish)
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Mon, 23 Mar 2020 19:42:28 -0400
+
 plinth (20.4~bpo10+1) buster-backports; urgency=medium
 
   * Rebuild for buster-backports.

debian/freedombox.lintian-overrides

@@ -15,6 +15,3 @@ freedombox binary: non-standard-apache2-configuration-name *
 # web servers. At some point we would like to work with other web servers but
 # that requires significant effort.
 freedombox binary: web-application-should-not-depend-unconditionally-on-apache2
-
-# FreedomBox takes over local administration of a system.
-freedombox binary: package-installs-apt-preferences etc/apt/preferences.d/50freedombox3.pref

debian/freedombox.maintscript

@@ -9,3 +9,4 @@ rm_conffile /etc/plinth/modules-enabled/disks 0.15.3+ds-1~
 rm_conffile /etc/plinth/modules-enabled/udiskie 0.39.0~
 rm_conffile /etc/plinth/modules-enabled/restore 20.1~
 rm_conffile /etc/plinth/modules-enabled/repro 20.1~
+rm_conffile /etc/apt/preferences.d/50freedombox3.pref 20.5~

debian/postrm

@@ -25,6 +25,10 @@ purge)
     if [ -e '/etc/apt/preferences.d/50freedombox2.pref' ]; then
         rm -f /etc/apt/preferences.d/50freedombox2.pref
     fi
+
+    if [ -e '/etc/apt/preferences.d/50freedombox4.pref' ]; then
+        rm -f /etc/apt/preferences.d/50freedombox4.pref
+    fi
     ;;
 esac
 

doc/manual/en/freedombox-manual.raw.xml

@@ -1794,7 +1794,9 @@ if [ -f /etc/default/radicale.dpkg-dist ] ; then cp /etc/default/radicale.dpkg-d
       </section>
       <section>
         <title>Setting up Matrix Synapse on your FreedomBox</title>
-        <para>To enable Matrix, first navigate to the Chat Server (Matrix Synapse) page and install it. Matrix needs a valid domain name to be configured.  After installation, you will be asked to configure it.  You will be able to select a domain from a drop down menu of available domains.  Domains are configured using System -&gt; Configure page.  After configuring a domain, you will see that the service is running. The service will be accessible on the configured FreedomBox domain. All the registered users will have their Matrix IDs as <code>@username:domain</code>. Currently, you will not be able to change the domain once is it configured. </para>
+        <para>To enable Matrix, first navigate to the Chat Server (Matrix Synapse) page and install it. Matrix needs a valid domain name to be configured.  After installation, you will be asked to configure it.  You will be able to select a domain from a drop down menu of available domains.  Domains are configured using System -&gt; Configure page.  After configuring a domain, you will see that the service is running. The service will be accessible on the configured FreedomBox domain. Currently, you will not be able to change the domain once is it configured. </para>
+        <para>Your router has to be configured to forward port 8448. </para>
+        <para>All the registered users of your FreedomBox will have their Matrix IDs as <code>@username:domain</code>. If public registration is enabled, also your chosen client can be used to register a user account. </para>
       </section>
       <section>
         <title>Federating with other Matrix instances</title>
@@ -10094,6 +10096,68 @@ wget https://www.thinkpenguin.com/files/ath9k_firmware_free-version/htc_7010.fw]
     <section>
       <title>Release Notes</title>
       <para>The following are the release notes for each FreedomBox version. </para>
+      <section>
+        <title>FreedomBox 20.5 (2020-03-23)</title>
+        <itemizedlist>
+          <listitem>
+            <para>app: Fix description block in app header </para>
+          </listitem>
+          <listitem>
+            <para>pagekite: Don't signal new domain on init if app is disabled </para>
+          </listitem>
+          <listitem>
+            <para>pagekite: Don't attempt to notify about domain if app is disabled </para>
+          </listitem>
+          <listitem>
+            <para>pagekite: Remove app enabled checking from getting configuration </para>
+          </listitem>
+          <listitem>
+            <para>pagekite: On enable/disable, add/remove domain from names module </para>
+          </listitem>
+          <listitem>
+            <para>pagekite: Fix an error message in custom services form </para>
+          </listitem>
+          <listitem>
+            <para>matrixsynapse: Handle release of matrix-synapse 1.11 </para>
+          </listitem>
+          <listitem>
+            <para>setup: Fix regression to force-upgrade caused by Info changes </para>
+          </listitem>
+          <listitem>
+            <para>pagekite: Don't allow non-unique custom services </para>
+          </listitem>
+          <listitem>
+            <para>index: Reintroduce clients button in front page </para>
+          </listitem>
+          <listitem>
+            <para>upgrades: Don't ship apt backport preferences file </para>
+          </listitem>
+          <listitem>
+            <para>upgrades: Use internal scheduler instead of systemd timer </para>
+          </listitem>
+          <listitem>
+            <para>shadowsocks: Change default configuration </para>
+          </listitem>
+          <listitem>
+            <para>shadowsocks: Fix incorrect setting of state directory </para>
+          </listitem>
+          <listitem>
+            <para>shadowsocks: When editing configuration, don't re-enable </para>
+          </listitem>
+          <listitem>
+            <para>mediawiki: Don't allow anonymous edits </para>
+          </listitem>
+          <listitem>
+            <para>names: Fix Local Network Domain is not shown </para>
+          </listitem>
+          <listitem>
+            <para>shadowshocks: Fix setting configuration on Buster </para>
+          </listitem>
+          <listitem>
+            <para>locale: Update translations for Swedish, Spanish, and French </para>
+          </listitem>
+        </itemizedlist>
+      </section>
       <section>
         <title>FreedomBox 20.4 (2020-03-09)</title>
         <itemizedlist>