Thanks to git blame I found why python3-tomli had been added back then:
6199718a19383d8d070b7bdc9d26ead71a9d26dd
python3-tomli is slowly being sunset in favor of tomllib from the Standard
Library: https://wiki.debian.org/Python/Backports
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Use docker container via registry.freedombox.org to obtain the package.
Specify this in the description.
- Mark the app as experimental.
- Show information that a dedicated domain is required to host Home Assistant.
- Use special YAML loader/dumper to deal with custom YAML tags in configuration
file.
- Obtain logo file from a test file in code repository with Apache license as
the actual logo files are freely licensed.
- Write functional tests without accessing the website as a dedicated domain is
necessary.
Tests:
- Functional tests work.
- Add a domain 'mydomain.example' using the Names app. Assign this domain in
Home Assistant app configuration. In /etc/hosts on the host machine add a
mapping from mydomain.example to the IP address of the container/VM. Access the
web interface using https://mydomain.example. Home Assistant web interface is
available and functional.
- After install of the app the configuration.yaml file contains the proxy
related lines are expected.
- Diagnostics work (expect the URL access).
- Re-run setup works.
- 'Launch web client' and frontpage shortcut work as expected.
- Non-admin users can't connect on port 8123.
- Home Assistant is able to establish websocket connection in its web UI.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
dnsutils package is not available anymore.
Closes: #1094944
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
SOGo is an open source webmail client and groupware available in Debian.
Make a new FreedomBox app for it to be used with the local
Postfix/Dovecot email server.
SOGo requires a database to store events/tasks as well as user settings. Memcached
is also required for caching.
Users log in with their username (as opposed to username + domain on
Roundcube). The host header seen from the first login will be
associated with the user profile. So, if a user logs into SOGo from
freedombox.local and later configures the email server to use
example.com, they will manually have to edit their account(s) to show
the updated domain.
Authentication is done via openldap. It is possible to authenticate with
apache, however it is limited to http basic auth, so mod_auth_tkt cannot
be used. See: b40d777a86/SoObjects/SOGo/SOGoProxyAuthenticator.m (L137)
Configuring http basic auth in my opinion wouldn't add much to
the user experience. It would actually take away the usage of SOGO's built
in TOTP feature.
SOGo only accepts configurations from /etc/sogo/sogo.conf, other configs
from sogo.d don't get recognised.
Use the sogo icon from upstream source. Update sogo.png and sogo.svg to be the
same image (but resized) that is provided in the upstream source. The previous
image was download from Wikimedia Commons.
Update smtp settings so that messages can be sent
Test result for mail deliverability sent with SOGo: https://www.mail-tester.com/test-pdf2yzy6n
The result shows that the message is not DKIM signed. This seems to be
an issue not specific to SOGo. Mails sent from Thunderbird don't get
signed either.
Tests:
- Install app and log in with a FreedomBox user. Create a new event
titled "Lunch with 🍕 and fries". Confirm the pizza character displays properly.
- Backup the app and uninstall it.
- Restore from the backup, log in and confirm the event gets restored.
To-do:
- test ActiveSync
- create a fail2ban jail
- include the icons in the copyright file
- test sending email in a production setup
- test sieve filters
- write tests
https://salsa.debian.org/freedombox-team/freedombox/-/issues/56
[Sunil]
- App:
- Update icons to be uniform size as all other apps and copyright information.
- Since SOGo is not configured to trust the authentication from Apache, it
does not require FirewallLocalProtection. Remove it.
- Expand app description. Talk about Email Server app.
- Update to match recent tags related changes.
- Make memcached a shared daemon as other processes might use it.
- Added shared daemon for PostgreSQL.
- Don't start services when rerunning setup if the app is currently disabled.
- Don't restart memcached during a restore operation.
- Security:
- Add system security restrictions to the daemon.
- Don't use fail2ban jail. SOGo has a mechanism to lock users for a few
minutes. Use that instead.
- Apache:
- Make /.well-known URLs work by moving their definitions to global section.
- Remove old (<2.4) Apache authorization keywords.
- Simplify, indentation, new line at EOF.
- Manifest:
- Add more tags.
- Add SOGo connector, DAVx5, and GNOME Calendar to list of clients.
- Add 'sogo' to list of service to bring down during backup/restore.
- Privileged:
- Switch from MySQL to PostgreSQL as it is recommended by SOGo.
- Use existing utility to generate database password.
- Use plget and plmerge utilities from gnustep-common package to parse/edit
the configuration instead of augeas which don't have a dedicated lens.
- Don't reset the domain when rerunning setup.
- Ensure that the configuration file has proper ownership and permissions even
when it did not exist previously.
- Add typing information for most methods.
- Remove configuration file after uninstall.
- Configuration:
- Define database URLs for all seven database tables.
- Set calendar default roles as suggested in the installation guide.
- Refresh view automatically every minute to check for new mail.
- Use the mechanism to lock account after failed login attempts.
- Add folder name for Junk folder too explicitly.
- Tests: Add basic functional tests.
Tests:
- Functional tests work.
- Rerunning setup does not change the domain back to the primary domain of the
email server.
- Login works. Sending mail and reading mail works. Creating calendar events and
contact works.
- Changing the domain sets the domain value properly in the configuration file.
Configured domain is shown properly on the form.
- Backup and restore work as expected.
- When configuration file is removed and setup is re-run, then the file is
created with proper ownership and permissions.
- 'systemd-analyze security sogo.service' shows a good score.
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Latest version of libjs-bootstrap5 depends on
node-popper2. However, version in Debian bookworm still continue to have
incorrect dependency. So, add explicit dependency on node-popper2 until we stop
supporting Bookworm.
Tests:
- In stable and testing VMs, install node-popper2 and notices that the following
work as expected:
- User menu dropdown in desktop and mobile layouts.
- Help menu dropdown in desktop and mobile layouts.
- Notification dropdown.
- App extra actions dropdown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- This app is useful for people who can connect a monitor, a keyboard, and a
mouse to their FreedomBox.
- Later this app allow a headless FreedomBox to be used as a remote desktop
server. Users will be able to connect and access desktop applications from LAN
or WAN.
- No functional tests as they will likely fail in CI and container setups.
Tests:
- In a VM, install the app. Installation succeeds.
- Disabling the app makes systemd switch to multi-user.target shutting down any
service that any mean for GUI such as gnome-remote-desktop.service. Graphical
login is not shown on the VM's virtual monitor.
- Enabling the app make systemd switch to graphical.target and all the services
are started again. Graphical login is shown on the VM's virtual monitor.
- Login to desktop using VM's graphical terminal works. Settings, apps, browser
etc. work.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- In current stable and testing, verifying SSH remote hosts using RSA is not
working. After selecting the verified RSA fingerprint, paramiko fails to connect
- A change introduced in paramiko 2.9 lead to failures when connecting to hosts
that have a verified RSA host key[1][2][3]. To fix the issue,
disabled_algorithms must be used to drop some of the other algorithms supported
by the server to force paramiko behavior. A better solution to the problem was
introduced in paramiko 3.2. Both these solutions require careful update to the
code. Considering the utility paramiko provides, the regression annoyance,
effort required for this fix, and the security implications (it is an completely
independent SSH implementation), the library does not seem to be worth the
effort in our case.
- Switch to using sshpass command line utility instead of paramiko library. The
only reason to use paramiko seems that 'ssh' command by default does not allow
us to input password easily while paramiko does.
- Another place where paramiko is being used is to check if a host is already
verified in the known_hosts file. This has been trivially replaced with
'ssh-keygen -F'.
- Exit codes provided by sshpass can replace the specific exception raised by
paramiko.
Links:
1) https://www.paramiko.org/changelog.html
2) https://github.com/paramiko/paramiko/issues/2017
3) https://github.com/paramiko/paramiko/issues/1984
Tests:
- Add a remote backup repository with and without encryption.
- Add remote backup repository with all three types of algorithms.
- Add a remote repository again with wrong password. Authentication error is
properly shown.
- Add a remote backup repository and remove it. Host remains verified. Add a
repository again.
- Add a remote backup repository and remove it. Host remains verified. Change
the fingerprint the /var/lib/plinth/.ssh/known_hosts file. Add a repository
again. A proper error is shown that remote host could not be verified.
- Add a remote backup repository and remove it. Host remains verified. Stop SSH
server on the remote host. A generic error is shown that ssh command on remote
host failed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #1528.
Closes: #2041.
Closes: #2438.
- In Bullseye and Bookworm the app is not available.
- i2pd (written is C++) is available in Debian, but it is not a drop-in
replacement for i2p. First, it is only a client. Then has a differently
philosophy of not integrating apps inside it and let outside apps connect to it.
If i2pd is ever added to FreedomBox, it has to be added as a new app with no
possibility of migration from an unlikely old setups.
- Updated wiki pages to remove references to I2P.
Tests:
- Looked for all string references to 'i2p'.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- These tools are not strictly needed for FreedomBox operation in anyway.
- Slightly Reduce the size of the built images.
- Some of these tools are outdated or not typically used on a modern GNU/Linux
system and make FreedomBox seem less shiny.
- Originally thought of splitting them into a separate metapackage but it does
not seem worth it.
- killall from psmisc is used in the Makefile, it is kept for now.
- FreedomBox already has many dependency and so it is now important to start
paying attention to unnecessary ones.
Tests:
- For each binary executable provided in each of the packages, verify that it
not being used in our code anywhere.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- We don't support Debian Bullseye or older in latest versions of FreedomBox. We
can drop any minimum version specifications that are only relevant on those
release.
Tests:
- Potential issues with tomli/coverage will be caught during autopkgtests.
- For version specifications, it has been verified that for each of the
packages, version available in Bookworm is newer than the minimum version
specification.
- freedombox-setup and plinth packages don't exist on Bookworm or newer. We
don't support upgrade from older version with the latest code.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: Debian bug #1088760.
- OpenSSL.crypto.sign has been deprecated and in the current version of
python3-openssl in Debian testing, it has been dropped. The recommended
alternative is cryptography.hazmat.primitives. So, use this instead.
- The entire OpenSSL.crypto module is planned to be deprecated in the future.
So, stop using it entirely by using cryptography.hazmat.primitives.
- sso app does not use openssl anymore, so drop dependency on it. Other apps
such as Let's Encrypt do depend on it and but they have their own dependency
declared. The freedombox package on the overall retains on 'openssl' package.
- We are not using the python OpenSSL module anywhere else, so drop dependency
on it.
- Use pathlib to simplify some code.
- Ensure proper permissions on private and public keys as they are being written
to.
Tests:
- Freshly setup container and ensure that first run succeeds. Permission on the
public/private key files and the parent directly are correct. Users are able
login to FreedomBox. SSO works when accessing apps such as transmission.
- Without patches, setup freedombox container. Apply patches. Permission for
keys directory is updated but keys are not overwritten. Login to FreedomBox
works. SSO works when accessing apps such as transmission.
- Run code to perform signatures using old code and ensure that newer code
generates bit-identical signatures.
- Running ./run --list-dependencies show 'openssl' and python3-cryptography.
- Running unit tests works.
- Building debian package works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
This restriction is also used by systemd:
0992a823a4
This is another attempt to fix#2450.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
nscd daemon caches queries made to NSS via glibc. In our case queries to passwd
and group databases are cached. But this leads to many problems.
See: https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2520
The bug that this MR fixes, that is, the inaccuracy of the authentication data,
is horrible and only acceptable if the caching provides very important
functionality. Already, having to purge nscd caches after modifying user
accounts is not nice.
I believe that we have encountered this bug before and blamed libpam-abl due to
the time sensitive nature of the problem.
nscd itself recommends that it should be used if NSS lookup are expensive (such
as in case of NIS, NIS+ queries according to /etc/init.d/nscd). In case of
FreedomBox, LDAP queries are unlikely to be made using network. LDAP server is
likely always local. I believe we can safely remove nscd by masking and stopping
nscd.service and unscd.service.
Tests:
- After applying the patches, users app setup is re-run. Service nscd is stopped
and masked. unscd is also masked.
- Running 'id tester' shows expected value 'uid=10001(tester) gid=100(users)
groups=100(users),10002(admin)'.
- Adding, removing, renaming a user immediately reflects in 'id <user>'.
- Adding and removing a user from groups immediately reflects in 'id <user>'.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
This is attempting to fix a test setup issue in Debian CI, see #2450.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Disable mDNS resolution. While we can migrate our DNS-SD service definition
files to systemd-resolved and switch from using avahi to systemd-resolved, many
programs still solely depend on avahi-daemon. Examples include cups and GNOME.
It is not clear if they will work any mDNS daemon or if they interact with
avahi-daemon in other ways that the mDNS protocol. So, for now, disable mDNS in
systemd-resolved and continue to use avahi-daemon for it. This is also Fedora's
default.
- Re-introduce Fallback DNS servers with the value same as the upstream systemd
project. Debian removes the default fallback DNS servers likely because they
could be considered a privacy violation. However, when systemd-resolved package
is first installed, the post install script recommends a reboot instead of
feeding the currently configured nameservers from /etc/resolve.conf into
systemd-resolved. Immediately, this causes the system not be able to connect to
any external servers. While this may be acceptable solution for interactive
systems and pre-built images, FreedomBox has to a) be available for remote
access b) perform upgrades without user intervention (and without reboot until a
day). To mitigate privacy concerns, an option to disable these fallback servers
will be provided in the UI.
- systemd-resolved's stub resolver runs on 127.0.0.53%lo:53 and 127.0.0.54. This
does not conflict either with shared connections which listen on 10.42.x.1 or
with bind which listens on 127.0.0.1 (and other IP addresses). This MR does not
address the existing conflict between bind and shared network connections.
However, it does not cause any further conflicts.
Tests:
* mDNS
- Avahi diagnostics works. daemon is running. mdns port is exposed in the
firewall.
- systemd-resolved does not listen on mDNS ports.
- Running avahi-browse shows freedombox on local network.
- Running avahi-browse shows the services ssh, sftp-ssh, http and ejabberd.
- Machine can be discovered in Gnome Files.
* NetworkManager shared connections
- After install/upgrade to systemd-resolved, 'shared' connections can be
created.
- With a 'shared' connection configured and active, it is possible to upgrade to
using systemd-resolved.
- Resolving domains from a machine on shared network goes via systemd-resolved
on FreedomBox.
* Bind
- Installing, running tests on bind works.
- Programs connecting from outside network can connect to bind as expected.
- Programs connecting from local machine can connect to bind as expected.
* Upgrading works
- Upgrading to new FreedomBox package works
- systemd-resolved is installed and running. 'resolvectl' shows a proper name
server (or fallback nameserver like 1.1.1.1).
- libnss-resolve is installed and configured in /etc/nsswitch.conf
- /etc/resolv.conf has proper link to /run/systemd/resolve/stub-resolv.conf.
- Programs using /etc/resolv.conf directly work. Install python3-pycares.
python3 -m pycares freedombox.org.
- NetworkManager has passed on proper DNS entries. In logs dns=systemd-resolved,
rc-manager=unmanaged, plugin=systemd-resolved
- DNS resolution works after first setup. Installing packages works.
- 'resolvectl query' resolution works.
- Programs using glibc API resolution such as 'ping' work.
* Fresh image
- Building an image with new freedombox package works without error.
- Booting from fresh images works.
- systemd-resolved is installed and running. 'resolvectl' show proper name
server.
- libnss-resolve is installed and configured in /etc/nsswitch.conf
- /etc/resolv.conf has proper link to /run/systemd/resolve/stub-resolv.conf
- Programs using /etc/resolv.conf directly work. Install python3-pycares.
python3 -m pycares wikipedia.org
- NetworkManager has passed on proper DNS entries. In logs dns=systemd-resolved,
rc-manager=unmanaged, plugin=systemd-resolved
- DNS resolution works after first setup. Installing packages works.
* Installing package on Debian
- Installing new freedombox package in Debian machine works.
- systemd-resolved is installed and running.
- libnss-resolve is installed and configured.
- /etc/resolv.conf has proper link to /run
- NetworkManager has passed on proper DNS entries to systemd-resolved using
'nmcli reload dns-rc'.
- Resolution works with fallback DNS servers when network interfaces are
configured with /etc/network/interfaces
* OpenVPNs works
- As a server, we don't push DNS servers to the client. So, a client continues
to use its old DNS servers. With systemd-resolved running on server, the client
is able to connect to OpenVPN server, route traffic to the internet, and resolve
DNS queries.
* WireGuard works
- As a server, we can't push DNS servers to the client. So, a client continues
to use its old DNS servers. With systemd-resolved running on server, the client
is able to connect to WireGuard server, route traffic to the internet, and
resolve DNS queries.
- As a client, server does not push DNS servers to the client. So, a client
continues to use its old DNS servers. With systemd-resolved running on the
client, the client is able to connect to WireGuard server, route traffic to the
internet, and resolve DNS queries.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
