1. Set temporary directory to /var/tmp
2. Drop MemoryFileUploadHandler
Tests:
- During upload notice that files are in /var/tmp/systemd-private... folder
instead of /var/tmp.
- Upload a file but rename with another extension instead of moving to
destination through changes in code. Notice that the file is available in
/var/tmp/systemd-private... directory after the upload operation is completed.
Stop the service and notice that the file has been deleted. Folder is empty
after the service starts again.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Add PrivateTmp=yes in plinth.service file]
[sunil: Update comments]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
This is now the preferred location in Debian. See:
https://lintian.debian.org/tags/systemd-service-in-odd-location
https://bugs.debian.org/992465
https://bugs.debian.org/987989
d70caa69c6
https://lists.debian.org/debian-devel/2021/08/msg00275.html
Tests:
- Lintian no longer shows errors:
E: freedombox: systemd-service-in-odd-location lib/.../calibre-server-freedombox.service
- Comparing the old .deb and newly generated .deb with these changes. All the
systemd files show that they are moved from /lib to /usr/lib/systemd.
- After upgrading the deb from older version to a version with these changes,
services installed by the package are available (tested after restart with
wordpress and calibre). Services tweaked by the package have the changed
configuration reflected as shown by systemctl show
{service-name}.service (tested after restart with quassel).
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
None of the files are installed into /etc/. They will unconditionally override
older versions of themselves. They are not likely to cause any configuration
file prompts.
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Without this fix, the daemon plinth will not be able to acquire a DBus connection
and listen for the FreedomBox DBus service when running as the plinth user.
This is the case for production FreedomBox machines.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Implement listening for CacheUpdated notification.
- Configuration to allow only root to trigger the notification.
- Trigger the notification from an apt update hook.
- Retrieve the list of packages available for upgrade and print them to log.
- Add dependency on libglib2.0-bin for the gdbus command line tool.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
From freedombox-setup all the setup mechanisms and first-run mechanisms have
been removed. This script no longer does anything and is not needed. Ensuring
that the directories have proper permissions is now the duty of Plinth Debian
packaging.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Signed-off-by: Joseph Nuthalpati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
There is no need to restart firewalld after the setup steps run.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Essential modules enable their own services properly. There is no need to do
them as part of common setup.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Instead run all of the setup process during the first boot. This enables us to
someday remove the reboot step entirely.
Tests: After building a new image with the changes, all the modules have shown
to be properly setup. Running the setup wizard, creating admin user and logging
works as expected.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
- Created basic plinth app which starts an introducer and a storage
node on the FreedomBox.
- Prompt user to set a domain name before creating Tahoe-LAFS nodes.
- Support adding and removing of introducers to the storage node.
- Serve Tahoe-LAFS from a different port.
- Start all nodes and introducers at system startup.
- Add utility class YAMLFile with test cases.
It is believed that ownCloud is unlikely to return to Debian in the near future.
Removing module to ease maintenance.
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Change the configuration minimally and more reliably.
- Rename the Apache configuration and add comments.
- Rename firewalld description file.
- Enable the matrixsynapse module by default.
- Improve category, description texts and warnings.
- Remove unused variable.
- Add missing docstrings.
- Minor styling updates.
- Fix i18n in templates.
- Fix showing description in main service view.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
LDAP admin and basic structure setup requires running slapd. Move this
to first-run so we don't have to start slapd during setup. This should
avoid issues when running setup in a chroot.
- Remove extra newlines added to torrc.
- Remove comments added in random places to torrc.
- Enable tor instance during setup.
- Fix restarts to use tor instance.
- Revert change to augeas lens to attempt handling +.
- Add support for hyphens in values to augeas lens.
- Increment module version so setup can run again.
- RTP ports used for voice and video communication can span a wide range
of ports. Some servers seem to restrict the range. However, repro
does not seem to do that. So, open up the full range.
Allow Plinth to manage network connections even when running as 'plinth'
user and not root user. This is done by adding polkit rules that
Network Manager checks
- Add new style Javascript based rules file for newer versions of
polkit (>105). This is not fully tested.
- Add old style .pkla file for older versions of polkit (<=105).
Since we are running PAM update script from users action file, it is
appropriate for the PAM configurations that are affected by it to stay
here in Plinth as well.
- Since SIP is a generic protocol implemented by various servers, the
firewall service must describe the protocol instead of the
application. This is similar to the way firewalld handles
http/https. This also makes the service descriptions more acceptable
by upstream.
- Split unencrypted and encrypted services so that one can be enabled
without the other (a possibility with SIP).
- Add 5061/UDP for SIP over DTLS and DCCP.
Set the default firewall zone. When network connections are configured
outside of FreedomBox/Plinth, they will not be able to serve the Plinth
web interface. This is because all such interfaces will fall in the
default firewall zone and that is, by default, 'public'. On 'public'
zone we don't allow Plinth web interface as this zone is not managed.
Configuration of network connections happens outside of
FreedomBox/Plinth for various reasons:
- Existing network connections before installation of freedombox-setup
- Connections configured in /etc/network/interfaces
- Connections manually configured using nmtui
- Connections created using GUI environments such as GNOME
Rather than clearing out /etc/network/interfaces during setup and
expecting the connections not to be created outside of Plinth, setting
the default firewall zone is a better approach. This default zone
selection fits with the main purpose of FreedomBox to be a router which
is also reflected by the fact that only 'external'
This is now properly handled by freedombox-setup network scripts. There
is no need to set it up here. Also there is a chance they might be
configured wrong.
- Introduce Apache configuration for plinth.
- Remove Transmission service file for firewalld.
- Enable transmission on install.
- Enable/disable Apache configuration on Transmission on enable/disable.
- Remove IP address whitelisting as 127.0.0.1 is the default setting and
is sufficient for Apache to reverse proxy.
- Update UI URL.
- Don't hijack the entire SSL site for the sake of Plinth.
- Serve both HTTP and HTTPS sites with default configuration.
- plinth-ssl configuration only makes SSL compulsory.
- Document modules required for configuration to work properly.
- Don't disable default site during FreedomBox setup run. This is no
longer required.
The package license (AGPL3+) implicitly indicates the license of each
file. However, it is desirable to have license headers in each file.
This is the case for many prominent projects like GNU project, Mozilla
etc.