TiddlyWiki uses almost the same Apache configuration as Feather Wiki,
with one difference - disabling gzip for the `HEAD` request.
The FreedomBox app for TiddlyWiki is identical to Feather Wiki in
every other aspect.
- Proxy download through freedombox.org. This serves two purposes:
1. Upstream's website cannot track the IP addresses of FreedomBox users.
2. We can update the versions of the empty quine files without making
code changes in FreedomBox.
[sunil]
- Update description to correct the list of users who can access the app.
- Update logo to adhere to the logo guidelines.
- Minor styling fix.
- Update the copyright on the logo based on information from upstream git
repository.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Uninstall deletes wikis & extensions
- Use Skylark (v1.8.0)
- Add option to upload existing wiki
- Open wiki links in new tab. Since Feather Wiki modifies browser history, it
takes several clicks to go back and reach the FreedomBox app for Feather Wiki if
the user wants to switch to another wiki file. Opening in a new tab also makes
it easy for the user to move text between wikis (i.e. the Refile use case).
- Improve HTML file path handling. Extract only the HTML file name from the URL.
Return a 404 status if the file cannot be found
- Place featherwiki_nest.cgi file in /usr/lib/cgi-bin. The file is installed as
part of the FreedomBox package, rather than a step in the installation of
Feather Wiki.
[sunil]
- Reorganized description to complete the introduction before talking about
FreedomBox implementation.
- Update description to say that only users of 'wiki' group can access.
- Update description to talk about where the wiki is downloaded from how to
upgrade it.
- Update short description to 'Personal Notebooks'.
- Add UsersAndGroups component and to reuse 'wiki' group properly.
- Reorder component to resemble other apps (could prove useful in future).
- Restrict frontpage shortcut to 'wiki' group users.
- Minor styling updates. Run isort.
- Use pathlib.Path object where possible instead of os.path.
- Perform sanitization in privileged methods instead of callers. This leads
better security if the service is compromised.
- Perform duplicate checking in privileged methods instead of callers.
- Check in privileged action that uploaded file originates from temporary
directory. Otherwise, arbitrary files can moved into DAV directory.
- Switch storage path to /var/lib/ which is an application data folder from
/var/www which is a user data folder.
- Add extra security to the DAV folder by explicitly rejecting .htaccess
directives, forcing mime type and removing all options.
- Update SVG/PNG logo icons to adhere to our guidelines.
- Minor template updates. Add required attributes. Improve i18n. Avoid <p>
inside <p>.
- Refactor tests for more code reuse and fewer globals.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
[sunil's changes]
- Add copyright information the logo.
- Deluge: undo an unintended change.
- Drop wrapper calls over privileged methods. The new privileged method
decorators make is easy to avoid these.
- Styling updates: docstrings, single quotes for strings, casing for UI strings.
- Drop "DO NOT EDIT" comment for files located in /usr as they are not expected
to be editable by the user.
- Fix 'miniflux' to 'Miniflux' in web client name.
- Overwrite FreedomBox settings onto the existing configuration file when setup
is re-run. This is to ensure that FreedomBox settings take priority.
- Use return value of the miniflux command to raise errors.
- Use pathlib module where possible.
- Move message parsing into the privileged module from views module.
- Resize SVG and PNG logo files for consistency with icon styling.
- Use hypens instead of underscores in URLs and Django URL names.
- Rename miniflux_configure.html to miniflux.html.
- Use base method for minor simplification in backup functional test. Ensure
that the test can be run independently when other tests are not run.
- Update tests to reflect code changes.
- Avoid concatenating internationalized strings so that they can be translated
properly.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Nextcloud has long been a desired app for FreedomBox, however, due to
difficulties around Debian packaging, it hasn't yet been implemented. This
branch creates an app for Nextcloud with the help of Podman. Podman is a
containarization technology, like Docker, but with some extra features
that make its integration into FreedomBox convenient. If the podman
approach turns out to be favorable, we should consider writing a podman
specific module.
How does this work?
The app installs the podman and default-mysql-server Debian packages.
In other apps, such as MediaWiki, FreedomBox chooses SQLite
which eases maintenance and backup/restore. However, this
would bring a significant performance degrade for Nextcloud, hence the
choice of Mysql. Other apps, like Wordpress already use Mysql, so it is
installed on the host as opposed to installing it in a sepatate
container. A firewalld rich rule is created, so the Nextcloud container
can communicate with the db and OpenLDAP.
The podman package comes with a systemd service and timer for
automatically upgrading containers that are labeled as
"io.containers.autoupdate=registry". podman-auto-update.timer is managed
by FreedomBox. We might add a drop-in file for the timer to make it
more consistent with unattended-upgrades.
Podman natively supports creating systemd services for individual
containers. The generated systemd service is then managed by FreedomBox.
The current container image is based on Debian and runs apache inside the container.
To avoid running apache redundantly (both on the host and inside the
container) it would be preferable to use the nextcloud:stable-fpm image
instead, which seems to require creating a new virtual host.
Configure /.well-known URIs to redirect to /nextcloud. There is a conflict with
Radicale if both apps are running.
Put the podman1 interface into the trusted firewalld zone. This results in the
container gaining Internet access which is necessary to downloading Nextcloud
applications and federating with other Nextcloud instances. After applying the
patches, I opened my instance to the Internet to make sure this configuration
doesn't accidentally expose services. I scanned TCP ports 3306 and 6379 (after
installing and binding redis-server to the bridge interface). After that, I
installed the Tor app and put the default WAN interface to the external zone to
confirm that port 9050/TCP does not get exposed through the bridge interface.
To-do:
* test the fpm image
* test running the container in rootless mode for better security
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
[sunil: Add missing docstrings]
[sunil: Make some methods private to module]
[sunil: Run yapf for formatting]
[sunil: Remove a comment to hide form when app is disabled]
[sunil: Update form labels]
[sunil: I18N for client names]
[sunil: Reduce number success messages in form for easy i18n and consistency]
[sunil: Reorganize patch series, squash fixes]
[sunil: Tweak auto update daemon component's ID]
[sunil: Add blank lines for formatting]
[sunil: Minor refactoring for _run_occ method]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Fix icon paths in copyright file.
- Minor refactoring.
- Add Kiwix library link to app page as well as users may want to see the
content available before installing the app.
- Consolidate terminology to 'content package' for UI and just 'package'
internally.
- Drop unused SYSTEM_USER constant.
- Simplify the ExecStart= in systemd service file.
- Fix incorrect i18n caused by non-lazy formatting of strings.
- Confirm that xml parsing is not vulnerable as expat library of required
version is used in Debian bookworm.
- Don't start the kiwix daemon when managing library if app is disabled.
- Ignore errors when removing files during uninstallation.
- Handle failures more gracefully when library XML file does not have required
attributes.
- Update SVG/PNG icons to adhere to FreedomBox guidelines.
- Trim block translations in templates.
- Drop comments/deadcode inside translation strings.
- Drop a comment inside add content page that only makes sense with multiple
methods for adding content.
- tests: Don't use pkg_resources library as it is deprecated. We can use
importlib.resources library in future if we run tests on zip installations.
- Fix potential security issues while writing file to tmp directory.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: #729.
Tests:
- Install Shadowsocks Server. Install Shadowsocks Client, and set the
server to localhost, and set the same password as the server. Use
curl to connect to local SOCKS proxy on port 1080 and fetch a
website.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Update some docstring comments for shadowsocks clients]
[sunil: Use the term Censorship instead of network filters]
[sunil: Prevent enabling both apps when setup is re-run]
[sunil: Update typehint for a privileged method to be minimal]
[sunil: Accept connections from external IPs too]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- This improves modularity. Each app brings its own icons in its directory
instead of a centralized directory.
Tests:
- Install an app and notice that the installation notification has the icon.
- Visit an app's page in Apps and System (cockpit) section and ensure that the
app's icon is being shown.
- Visit the Apps and System section and notice that apps' icons are being shown.
- Visit the home page and notice that shortcuts' icons are being shown.
- Visit the URL /plinth/api/0/shortcuts and notice that the URLs for icons are
accessible and lead to proper icon files.
- Build developer documentation and notice that Tutorial -> View and Reference >
Menu pages show the expected updates.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Add doc/*.wiki to the section covered by CC-BY-SA-4.0.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
[sunil: Update description for simplicity, group info]
[sunil: Indentation fixes]
[sunil: End all URLs with a slash]
[sunil: Update frontpage shortcut to be a simple one]
[sunil: Enable single-sign-on for main interface only]
[sunil: In copyright file, merge with public-domain section]
[sunil: Simplify and vectorify the icon]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Add basic video room based on demo.
- Set port range to use for RTP.
- coturn: Add component for time-limited TURN configuration.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Don't error out when coturn is not installed/configured]
[sunil: Prepend data- to custom attribute in HTML]
[sunil: Convert SVG with embedded bitmap to vector graphics]
[sunil: Hide Javascript license information in footer]
[sunil: Minor changes to comments for styling]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: #2157.
Original author of the app J. Carlos Romero <juancarlos.romero@gmail.com> has
been contacted to see if there is interest in continuing to maintain the app.
There has been no response.
Since the app is not available even in the current stable (Bullseye), few users
are presumably using it on a supported FreedomBox distribution. Any users are
advised to maintain the manually instead of relying on FreedomBox for it.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Use php-fpm instead of using mod-php.
- Create database and setup permissions manually. Tables and initial data are
created during the initial setup process done by WordPress. Database upgrades
are handled by WordPress. Minor versions are upgraded automatically and major
version need user intervention.
- Backup/restore functionality including database.
- Install recommended extensions for performance.
- Setup and run cron jobs to ensure that scheduled publications are
completed (among other things). Service has systemd security features. Timer is
set to run every 10 minutes.
- Functional tests for adding/removing posts and backup/restore.
- Increase file upload size limit to 128MiB.
- A private mode (default) for keeping the setup process secure. Should be
disabled after first setup is completed. This uses a new approach using
file-based flag for different Apache configurations.
TODO:
- Find a nice way to allow WordPress to upload plugins/themes. Currently this
operation files and users are expected to manually scp the files to
/var/lib/wordpress/wp-content/{plugins,themes} directory.
Tests:
- Functional tests.
- Schedule publishing of a post. Notice that post got published.
- Test uploading a file larger than 2MiB.
- Test enabling permalinks. This leads to nicer looking URLs.
- Test adding images to posts/pages.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Identify Freedbombox admin who installed the app to be zoph admin.
- Implement backup and restore.
- Photos directory should remain at /var/lib/zoph, for proper operation of
backups.
- There remains an issue that the App is enabled before it is configured but
will not work correctly until configuration.
- OpenStreetMap mapping is enabled. These should be configurable before
installation.
- Add initial forms.py and views.py to Zoph app, however these are currently
unused as urls.py does not invoke the view. When the view is not invoked the
Zoph App installs, with single signon, currently as the first LDAP user, rather
than the plinth user.
- The first user's preferences are not set, and need to be manually set to avoid
other errors.
* Sunil's changes
- Squash commits and re-split them.
- Drop documentation as it will be auto populated from wiki later.
- Remove outdated validation code from manifest.
- Drop some dead code.
- Don't send MySQL password over command line for improved security. Instead
rely on Unix authentication of root user similar to backup/restore process.
- Use JSON for exchanging configuration dump to avoid encoding errors.
- Add username validation to avoid a potential SQL injection.
- Update description for neural tone and brevity. Add information about how user
accounts work in FreedomBox
- Fix functional tests.
- Drop all code related to changing photos path until it is ready.
- Update URL from /zoph to /zoph/ to avoid another redirect.
- Fix disabling the app.
- Use icon that Zoph uses for favicon as logo. Update copyright file.
- Fix spelling unzip.
- Minor refactors. Run yapf and isort.
- Use subprocess.run() instead of os.popen() everywhere for better security with
argument parsing.
- Enable OpenStreetMap by default. User have a choice to disable it before using
the app. Add label to explain privacy concerns.
- Fix dropping database by using --force argument.
- Cleanup enabling the app to not enable the app when updating configuration.
- Use AppView's default template instead of overriding.
- Update functional tests to just check if the app is enabled/disabled as
expected. Checking that Zoph site is available will require reliable handling of
admin user.
Signed-off-by: John Lines <john@paladyn.org>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests:
- Check the interface in apps page and in the Deluge app page that icon has
changed.
- No lintian warnings related to debian/copyright file.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Affected sections/pages of the manual are: Firewall, Hardware and VirtualBox.
Confirm by diffing with manual generated without the code changes.
- Open all affected pages and the full manual page and confirm that images have
changed.
- Check all affected pages and the full manual page in FreedomBox interface and
confirm that images have changed.
- Check all affected sections in the generated PDF.
- Repeat tests for English and Spanish manuals.
- No lintian warnings related to debian/copyright file.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Avoid a lintian info about network-freedombox.svg.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Add network-connection*.svg to list, also based on Tango icons]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Shows URLs and shared secret that communication servers like matrix-synapse
should be configured to. Later we will implement auto-configuring those servers.
- Allow selecting domain for the sake of TLS/DTLS certificate installation.
- Simplify systemd service file options. Drop log file and pid file support as
they are not needed with systemd. Add security options.
- Set custom configuration file by overriding systemd service file options so
that we don't have a problem with conffile prompts.
- Implement functional tests (and automatic diagnostics).
- Custom icon selected from the Noun project as Coturn project does not have
one.
- Backup/restore configuration file and certificates.
- Document some questions regarding configuration options.
Tests performed:
- App is not listed in the app page if 'advanced' flag is disabled.
- App name, icon and short description shows up correctly in apps page.
- App name, icon, short description, description, manual link, enable/disable
button and diagnostics link show up currently in app page.
- Verify that configuration used by coturn server is the FreedomBox
configuration by checking the cert path in the log output.
- PID file is not created in /var/run/turnserver/. It goes into /dev/null
according to the log output.
- No log file is created other than what is collected by systemd from command
line.
- systemctl show coturn.service shows all the intended restrictions such as
NoNewPrivileges, Protect* options.
- Run functional tests.
- Ensure that backup of configuration file works by taking backup, changing the
secret and restoring. During backup and restore coturn should be stopped and
started as per logs.
- Build Debian package. No warnings about the copyright file.
- Enabling the app enables the service and runs it.
- Disabling the app disables the service and stop it.
- All diagnostics tests pass.
- Diagnostic tests show firewall port coturn-freedombox for internal and
external networks, service coturn, and each listening port for udp4, udp6, tcp4
and tcp6.
- Information in the firewall page shows up properly. Enabling the app opens
firewall ports, and disabling it closes them.
- When the app is installed, if a cert domain is available, it will be used.
When multiple domains are available, one of them is picked.
- Status shows 4 URLs with the currently selected domain and secret key.
- Changing domain to another domain succeeds and reflects in the status
information.
- When no domain is configured. Installing the app succeeds. No domain is shown
in the list of domains.
- When domain is changed, the certificates files in /etc/coturn/certs are
overwritten.
- Certificates have the ownership turnserver:turnserver. Public key is cert.pem
has 644 permissions. Private is pkey.pem has 600 permissions. /etc/coturn/certs
is owned by root:root.
- Let's encrypt certificates are setup immediately after install.
- Port forwarding information shows all ports except for relay ports.
- Trying to create a user with username 'turnserver' throws an error. This
happens even when coturn is not installed yet.
- After installing coturn, the configuration file /etc/coturn/freedombox.conf is
created with ownership root:turnserver and permissions 640. The directory
/etc/coturn is created with ownership root:root and permissions 755.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
[jvalleroy: Fix copied form_valid comment]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- The repository has been renamed from 'plinth' to 'freedombox'.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
- Move all the unused image files into doc/visual_design directory.
- Reduces the size of the shipped .deb binary significantly.
Closes: #1840.
Tests performed:
- Ensure that each of the files moves are not referenced anywhere in the source
code.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
The repro app has been disabled for a long time. Its package has been
removed from Debian, and there is no sign of it returning soon.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
- This is completely reworked but based on /Developer page in the FreedomBox
Manual.
- This documentation can be made available as static site on
https://docs.freedombox.org and the /Developer page in the FreedomBox Manual
can be dropped.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Since Wiki Commons and Icons project seems to be referring to each other for
license about the git icon, point to the upstream git as source for copyright.
- Rename the is_running() method so that it won't clash with the semantics of
is_running method in other components.
- Fix incorrect call to have_public_repos() in is_enabled() method for gitweb
auth configuration.
- Use {{ block.super }} to avoid repeating inherited block.
- Send the repository data as context data rather than form data in AppView.
This seems more appropriate.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
- Move information from LICENSES to debian/copyright file where applicable.
- Generate fresh PNG files from SVG to simplify copyright information.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Create option --include-functional to run functional tests. Otherwise, they
are disabled by default. If pytest-bdd is not installed, functional tests are
not discovered at all.
- Make pytest-django discover the setting files by creating dummy manage.py in
top level directory.
- Make pytest run as './setup.py pytest'. Add alias from './setup.py test'. This
requires pytest-runner package.
- Merge .gitignore files from functional_tests/
- Update gitlab-ci.yml to run tests with coverage using pytest.
- Update HACKING.md to suggest using py.test-3 instead of old way of running.
Merge functional tests README.md into HACKING.md.
- Remove execution wrapper runtests.py as pytest-django is able to configure
Django settings before execution of tests. Update tests to explicitly ask for
Django database as database access is denied by default.
- Replace usage of python3-coverage with python3-pytest-coverage. Execution
wrappers are not required.
- Add build dependencies on pytest modules.
- Let all warnings be shown after running tests.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Robert Martinez the original author transferred all copyrights for the initial
logo work to the FreedomBox foundation. The icons are derivatives of this work.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
