668 Commits

Author SHA1 Message Date
Sunil Mohan Adapa
bd20b6570b
ttrss: Implement upgrade from 17.4 to 18.12
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-03-01 23:50:45 -05:00
Sunil Mohan Adapa
0dea9e80f3
ttrss: Make setup process reusable
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-03-01 23:50:42 -05:00
James Valleroy
7ee48da299
security: Migrate access config to new file
Fixes #1504

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-03-01 20:09:40 -08:00
Sunil Mohan Adapa
f524219387
openvpn: Work around firewalld bug 919517
Instead of using a wildcard tun+ interface, use a fixed number of tun
interfaces and hope OpenVPN will use one of them.

Fixes: #1438.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-03-01 22:01:09 -05:00
Sunil Mohan Adapa
117c3d7507
openvpn: Fix issues with upgrade easy-rsa 2 to 3 migration
- Set permissions properly as if they were newly created.

- Ensure that configuration file is rewritten so that new certificate paths are
  used.

- Run easyrsa init-pki to ensure that configuration file is present.

- Create necessary empty directories as per new structure.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-03-01 18:13:37 -05:00
Joseph Nuthalapati
544c317cd2
openvpn: Migration from easy-rsa 2 to 3 for existing installations
- Change file and directory structure from easy-rsa 2's flat format to easy-rsa
  3's format.

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-03-01 18:13:27 -05:00
Sunil Mohan Adapa
2aef91b187
config: Don't pass configuration file argument to action
Due to the security risk that a compromised Plinth process would give an
adversary the ability to write to any file on the system.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-03-01 13:23:04 -08:00
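The privilege boundary the commit above describes, as an added illustration (example code, not Plinth's own action or its argument names): the unprivileged web process invokes a small privileged action, so every argument the action accepts is attacker-controlled once the web process is compromised. A path argument turns the action into an arbitrary-file-write primitive; the hardened form takes only the value and keeps the destination fixed inside the action. The configuration path, the `--home-page` option and the `RedirectMatch` line written are assumptions for the example.

```python
"""Privileged-action pattern: never let the unprivileged caller pick the file.

Example code, not the project's own. Paths and option names are hypothetical.
"""
import argparse
import os
import tempfile

# Hypothetical destination baked into the privileged action.
HOME_PAGE_CONF = '/etc/apache2/conf-available/home-page.conf'


def parse_args_before(argv):
    """'Before': the caller chooses the file. Running as root, this is an
    arbitrary-file-write for anyone who controls the web process."""
    parser = argparse.ArgumentParser()
    parser.add_argument('--config-file', required=True)
    parser.add_argument('--home-page', required=True)
    return parser.parse_args(argv)


def parse_args_after(argv):
    """'After': only the value is accepted; the destination is not negotiable.
    An unknown --config-file option is rejected by argparse (SystemExit)."""
    parser = argparse.ArgumentParser()
    parser.add_argument('--home-page', required=True)
    return parser.parse_args(argv)


def validate_home_page(value):
    """Accept only a simple absolute URL path. Newlines and quoting/markup
    characters are refused so the value cannot inject further directives into
    the file the root-privileged action writes."""
    if not value.startswith('/') or any(ch in value for ch in '\n\r"<>'):
        raise ValueError('invalid home page path: %r' % (value, ))
    return value


def write_home_page_config(home_page, config_file=HOME_PAGE_CONF):
    """Write the file atomically to the fixed path. config_file is a parameter
    only so the example can run in a temporary directory; a real action would
    hard-code it and take no path from argv."""
    home_page = validate_home_page(home_page)
    directory = os.path.dirname(config_file)
    fd, temp_path = tempfile.mkstemp(dir=directory, prefix='.home-page.')
    try:
        with os.fdopen(fd, 'w') as handle:
            handle.write('RedirectMatch "^/$" "%s"\n' % home_page)
        os.replace(temp_path, config_file)  # atomic rename on POSIX
    except BaseException:
        os.unlink(temp_path)
        raise
    return config_file


def run_action(argv, config_file=HOME_PAGE_CONF):
    """Entry point of the hardened action: parse, validate, write."""
    args = parse_args_after(argv)
    return write_home_page_config(args.home_page, config_file)
```

The same reasoning applies to any other privileged action that takes a filesystem path, a service name or a shell fragment from the web process: the action should enumerate the few values it is willing to act on, and everything else should be rejected before any privileged call is made.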
Joseph Nuthalapati
d1d3eae3db
config: Reset home page setting in freedombox.conf during migration
While moving the home page configuration to a new file, also reset the home page
path in freedombox.conf to its default setting of /plinth.

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-03-01 13:22:58 -08:00
Joseph Nuthalapati
668d4de77a
matrix-synapse: Fix LDAP login issue
Pass the `mail` attribute as an empty string instead of None (null in yaml)

Fixes #1484

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-28 19:13:59 -08:00
Sunil Mohan Adapa
ec68eb3d89
setup: Make additional info available for force upgrading
This includes the list of packages for which conffile prompts will be shown. For
each package, the current version of the package, the new version of the package
and the list of configuration files that were modified.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-28 20:48:51 -05:00
Sunil Mohan Adapa
7bdf47eea2
apache: Use cgid module instead of cgi
Trying to enable cgi module results in cgid being enabled. Checking for cgi
being enabled always results in failure.

Your MPM seems to be threaded. Selecting cgid instead of cgi.
Module cgid already enabled

No module matches cgi (disabled by site administrator)

This is the reason why installing ikiwiki was causing Apache restart even though
the modules required by ikiwiki are already enabled.

Closes: #1448.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-28 20:13:45 -05:00
Sunil Mohan Adapa
3af207a4e8
sso: Pre-enable necessary apache modules
To avoid Apache restart during installation (although sso is an essential app
and this is not an issue).

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-28 20:13:42 -05:00
Sunil Mohan Adapa
33f54089b8
ikiwiki: Pre-enable necessary apache modules
To avoid restart during installation.

Closes: #1482.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-28 20:13:40 -05:00
Sunil Mohan Adapa
cf06aa3d56
letsencrypt: Pre-enable necessary apache modules
To avoid restart during installation (although, since letsencrypt is an essential
app, this is not an issue).

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-28 20:13:38 -05:00
Sunil Mohan Adapa
c50e322cdb
radicale, searx: Pre-enable necessary apache modules
To avoid Apache restart during installation.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-28 20:13:36 -05:00
Sunil Mohan Adapa
3c420c1488
cockpit: Pre-enable necessary apache modules
To avoid Apache restart during installation.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-28 20:13:33 -05:00
James Valleroy
1eed7d581d
ttrss: Add backup support
- Use backup hooks to dump and restore database.
- Add functional test for backup and restore.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-26 15:23:47 -08:00
Sunil Mohan Adapa
5b4aa1cda0
package: Implement identifying packages that need conffile prompts
Given a list of packages, check which among those will result in showing a
configuration file prompt.

Irrespective of whether apt shows a conffile prompt, this logic mimics what
unattended-upgrades perceives as a package needing a conffile prompt. This is
because when unattended-upgrades gives up, that is when this logic needs to take
over.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-26 06:24:14 -05:00
Joseph Nuthalapati
bd43ed515e
config: Remove Apache home page configuration from freedombox.conf
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-23 10:31:05 -05:00
Joseph Nuthalapati
8bc34f84c3
config: Rename Default App to Webserver Home Page
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-23 10:30:59 -05:00
Joseph Nuthalapati
a87b0ff596
config: Migrate default app configuration to new conf file
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-23 10:30:55 -05:00
Joseph Nuthalapati
5ad22114ed
config: Move default-app configuration to a dedicated file
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-23 10:30:45 -05:00
Sunil Mohan Adapa
c7f46c358d
tahoe: Styling changes
- Run yapf and isort

- Minor styling changes

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-18 21:51:26 -05:00
Sunil Mohan Adapa
df76e6afa4
tor: Use fixed 9001 port for relaying
When ORPort is set to 'auto', Tor automatically allocates a port for it. During
its first run, we are able to extract the port number and open the firewall port.
However, unlike for pluggable transports, Tor does not seem to store this port
for future reuse in the state file. It hence opens a new port every time it is
started. This leads to a new port being assigned on next Tor startup and leads
to relay functionality not being reachable from outside.

According to the documentation, the only possible values for ORPort are a fixed
number or 0 (disable) or auto (current behavior). Choose 9001 as this is the
commonly used port number for ORPort. The recommended port number of 443 is not
possible in FreedomBox due to its use for other purposes.

Closes: #1495.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-18 07:13:19 -05:00
Sunil Mohan Adapa
595997ff7c
tor: Styling changes due to yapf
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-18 07:13:15 -05:00
Joseph Nuthalapati
753881b80f
utils: Simplify YAMLFile by removing the post_exit argument
Whatever function is passed in post_exit can simply be called by the caller
itself as the next statement.

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-14 16:39:05 -08:00
Sunil Mohan Adapa
e448ab6380
matrixsynapse: Better checking for valid certificate
If a valid certificate is available but not yet setup, the earlier code assumes
there is a valid certificate.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-13 19:34:04 -08:00
Sunil Mohan Adapa
b169739867
matrixsynapse: Setup certificate after domain selection
Immediately after the installation, a self-signed certificate is used because
domain name is not available. However, after domain name becomes available,
setup a Let's Encrypt certificate.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-13 19:00:33 -08:00
Sunil Mohan Adapa
3b257c7a58
matrixsynapse: Fix potential exposure of private key
Setting permissions after copying the file will lead to momentary exposure of
the private key to other users on the system. Use umask instead.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-13 17:52:49 -08:00
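The race the commit above closes, as an added illustration (example code, not the project's own): `shutil.copyfile` creates the destination with mode `0o666 & ~umask`, so under the usual `0o022` umask a copied private key is world-readable until the following `chmod` runs, and any local user who polls the directory in that window can read it. Creating the file under a `0o077` umask makes it `0o600` from the first byte. Paths are hypothetical; the racy function returns the mode it observes inside the window so the exposure is visible in a test rather than only in theory.

```python
"""Copying a private key without a world-readable window.

Example code, not the project's own. Paths are hypothetical.
"""
import contextlib
import os
import shutil
import stat


@contextlib.contextmanager
def umask(mask):
    """Temporarily set the process umask and restore it afterwards."""
    previous = os.umask(mask)
    try:
        yield
    finally:
        os.umask(previous)


def file_mode(path):
    """Permission bits of a file as an int, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def copy_key_racy(source, destination):
    """'Before' pattern: copy, then chmod.

    Returns the mode observed between the two calls, i.e. what another local
    user could see while the window is open (0o644 under a 0o022 umask)."""
    shutil.copyfile(source, destination)
    mode_in_window = file_mode(destination)
    os.chmod(destination, 0o600)
    return mode_in_window


def copy_key(source, destination):
    """'After' pattern: restrict the umask before the file is created so it is
    0o600 from its first byte. Any stale copy is removed first, because
    copyfile truncates an existing file and keeps its old (possibly loose)
    mode instead of creating a new one. Returns the resulting mode."""
    try:
        os.unlink(destination)
    except FileNotFoundError:
        pass
    with umask(0o077):
        shutil.copyfile(source, destination)
    return file_mode(destination)
```

An equivalent alternative that does not touch process-wide state is to open the destination yourself with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` and copy the bytes into that descriptor; `O_EXCL` additionally refuses to follow a pre-existing file or symlink planted at the target path.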
Sunil Mohan Adapa
b53f675f55
matrixsynapse: Don't check for current domain in renew hook
Don't match the hook's domain against domain set in configuration. We already
check if the domain matches the Matrix Synapse configured domain.

- Fix un-checking letsencrypt option for matrixsynapse. Keep the old certificate
  but don't throw error. This means future certificates are not renewed.

- Use utility get_configured_domain_name()

- Style function names without uppercase.

- Style multi-line docstrings correctly.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-13 17:14:08 -08:00
Joseph Nuthalapati
a918f9a885
matrix-synapse: Use Let's Encrypt certificates
Matrix requires valid certificates for federation with other servers from
version 1.0 onward. If the FreedomBox server already has an LE cert and private
key, copy them into /etc/matrix-synapse

- Add certificate renewal hooks for Matrix Synapse. Reusing the certificate
  renewal mechanism built for ejabberd with matrix-synapse as well. One notable
  difference is that Matrix Synapse doesn't support switching the domain name or
  dropping the Let's Encrypt certificate.

- Use self-signed certificate if there is no LE certificate. Matrix Synapse
  server startup fails if the files homeserver.tls.crt and homeserver.tls.key
  are missing.

- Copy Apache's snakeoil certificates to /etc/matrix-synapse when LE
  certificates are not available. Prefer LE certificates if available.

- Display warning if no valid LE certificate is found.

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
2019-02-13 11:29:36 -08:00
Sunil Mohan Adapa
a821517e91
radicale: Simplify upgrading to newer packages
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-13 06:42:55 -05:00
Sunil Mohan Adapa
920d083301
setup: Add option to handle configuration prompts during install
This is optional and does not affect normal installations. However, when
performing configuration migration in FreedomBox (due to unattended-upgrades
refusing it), it is useful as a part of a strategy to read configuration, force
install new configuration files and apply configuration again. This option can
be used in such cases.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-13 06:42:50 -05:00
Sunil Mohan Adapa
67451248eb
upgrades: Fix premature adding of buster-backports sources
Due to an incorrect check for backports availability, FreedomBox systems got
buster-backports sources added prematurely. This will lead to apt update
failures resulting in FreedomBox becoming unable to install new apps.

Fix this by removing old sources and adding new sources only after
performing (this time correct) backports URL check.

Closes: #1496.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-09 19:36:03 -05:00
Sunil Mohan Adapa
e2f2d337c7
upgrades: Fix priority for buster-backports version
If we release version 50 into testing and version 49 into buster-backports and
assuming version 45 is in stable, then for stable users, version 49 is selected
properly and upgraded due to non-availability of 50 for them and high
prioritization of buster-backports over buster/stable. This is as expected.

For the case of testing user, this does not work as expected, however.
buster-backports will be given 800 priority, testing will be given 500
priority (default) and version 49 will be picked instead of the expected 50.

Setting priority to 500 fixes the problem. It will equate the buster-backports
to all other repositories and will let the system pick the highest version
available.

Closes: #1498.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-09 19:36:00 -05:00
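The pin-priority arithmetic the commit above relies on, as an added model (example code, not apt's implementation and not the project's own). It keeps only the two apt rules that matter here: the candidate is the available version with the highest pin priority, and among equal priorities the highest version wins. Versions are plain integers as in the message; Debian's full version comparison, priorities above 1000 and the already-installed version are deliberately left out. The default priority of 100 for buster-backports is apt's behaviour for NotAutomatic/ButAutomaticUpgrades archives, which is why the archive has to be pinned at all.

```python
"""Simplified model of apt candidate selection for the backports scenario.

Example code, not apt and not the project's own. Suites and versions are the
ones named in the commit message.
"""

DEFAULT_PRIORITIES = {
    'stable': 500,
    'testing': 500,
    # NotAutomatic/ButAutomaticUpgrades archives such as backports default to
    # 100, so nothing in them is chosen unless pinned explicitly.
    'buster-backports': 100,
}


def candidate(available, priorities):
    """available: list of (version, suite) pairs one system can see for a
    package. Returns the version selected under the simplified rules:
    highest priority first, highest version among equal priorities."""
    if not available:
        return None
    return max(available, key=lambda item: (priorities[item[1]], item[0]))[0]


def pinned(priority):
    """Priorities after an apt preferences stanza of the form

        Package: *
        Pin: release a=buster-backports
        Pin-Priority: <priority>

    (illustrative stanza, not the project's file)."""
    result = dict(DEFAULT_PRIORITIES)
    result['buster-backports'] = priority
    return result


# Scenario from the message: 45 in stable, 49 in buster-backports, 50 in testing.
STABLE_USER = [(45, 'stable'), (49, 'buster-backports')]
TESTING_USER = [(50, 'testing'), (49, 'buster-backports')]


def scenario(backports_priority):
    """Version each kind of system ends up with for a given backports pin."""
    priorities = pinned(backports_priority)
    return {
        'stable': candidate(STABLE_USER, priorities),
        'testing': candidate(TESTING_USER, priorities),
    }
```

Running the three pins side by side shows the trade-off: unpinned (100) never lets stable users reach 49, 800 pulls testing users down to 49, and 500 gives both the highest version they can see.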
Sunil Mohan Adapa
ab64bd17a3
apache: Switch to mod_ssl from mod_gnutls
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-09 12:28:09 -05:00
Sunil Mohan Adapa
f9a57e4293
monkeysphere: Fix regression with reading new apache domain config
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-09 12:28:01 -05:00
Sunil Mohan Adapa
49640fdfce
monkeysphere: Fix handling of multiple domains and keys
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-09 12:27:57 -05:00
Sunil Mohan Adapa
2e112d751c
backups: Minor styling fixes
- Ran yapf

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-07 19:12:12 -05:00
Sunil Mohan Adapa
5e38b169b9
backups: Increase timeout for SSH operations to 30 seconds
It is easy to run into cases where SSH mounting takes more than 5 seconds.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-07 19:12:08 -05:00
Sunil Mohan Adapa
5a159f7d39
upgrades: Improve handling of backports
- Merge backports functionality into upgrades module.

- No need to enable systemd timer as dh_installsystemd automatically enables
  this during package installation and upgrade.

- Use https:// and deb.debian.org for repository checking. When using Tor for
  package installations request the URL via Tor.

- Make daily checking service more generic for all kind of future apt repository
  updates.

- Force removal of repository file during purge to avoid failures.

- Don't add contrib/non-free as backports is intended to be enabled for just the
  freedombox package and it is free. When the need arises, we can introduce
  contrib/non-free. This also eliminates an issue where adding these components
  doesn't work without the usage of tor.

- Allow generate apt preferences file to avoid lintian complaining about its
  presence. Remove on purge.

- Add unattended upgrades origin pattern to allow it to upgrade from backports
  repositories.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-05 14:58:55 -08:00
Joseph Nuthalapati
3d38b8a686
backports: Add buster-backports to apt sources list
Fixes freedombox-team/freedom-maker#149

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-05 14:58:27 -08:00
James Valleroy
9aa48091df
radicale: Handle data migration for upgrade to 2.x
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-03 22:59:52 -08:00
Sunil Mohan Adapa
01492895c4
backups: Fix incomplete download archives
- Downloaded archives can't be fully extracted as tar.gz is incomplete at the
  end and corrupt. This is due to complete gzip streaming implementation that
  does not flush the final bytes of gzip stream. Remove custom implementation
  and get gzipped stream directly from borg.

- Fix mimetype for .tar.gz to application/gzip.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-03 17:00:32 -05:00
Sunil Mohan Adapa
eb2b3bd86e
backups: Minor refactoring
- Mark some methods private.

- Fix some flake8 warnings.

- Remove unused exception.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-03 17:00:29 -05:00
Sunil Mohan Adapa
de22c79665
backups: Minor styling fixes
- Run yapf

- Fix flake8 errors/warnings.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-03 17:00:24 -05:00
James Valleroy
3941ec10fe
radicale: Handle migration from 1.x to 2.x
When radicale 2.x is available in testing, the migration can be
triggered by bumping the module's version.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-01 14:53:19 -08:00
Sunil Mohan Adapa
c400c21e88
infinoted: Wait for up to 5 minutes to kill daemon
Closes #1442.

When disk is very busy, sending KILL signal to the process may not kill it
immediately. So wait up to 5 minutes for it. This does not increase the time in a
regular case if the kill works immediately.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-01-28 18:03:49 -05:00
Sunil Mohan Adapa
f6d3af15ec
help: Minor refactoring in get-logs action
- Make command line arguments more readable.

- Don't collect and reprint the logs. Let them be printed directly.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-01-28 10:13:54 -08:00
James Valleroy
5a8873508d
help: Add action script to read logs from journal
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-01-28 09:56:59 -08:00