Newer versions of Django axes have a new way to get the IP address of a client
using the ipware library. This has multiple security issues:
https://github.com/jazzband/django-axes/issues/286 . Work around them by
controlling the X-FORWARDED-FOR header sent from Apache to FreedomBox and by
limiting the headers that ipware uses.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Adds the basic application framework
- Adds the sharing page for index and adding share
- Adds the action for sharing for adding and listing shares
Signed-off-by: Prachi Srivastava <prachisr@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
- Use 32-bit key for HMAC-256
- Use secrets library instead of os.urandom
- uwsgi enable/disable along with webserver enable/disable
- Text changes
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Add settings in Service View
- Fixes for maximum file setting
- Don't allow negative values for max. file size in UI
- Minor text changes to django messages
- Minor correction to maximum file size calculation
- Rename apache conf file to coquelicot-freedombox.conf
- Remove all hacks to adjust file size.
- Fix permissions issues for settings file
- Show status block in UI
- try-restart on settings change instead of restart
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Installs and configures MediaWiki. SSO integration is not included yet.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- More user-friendly treatment of groups and their permissions
Closes #690
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Add logos for desktop operating systems
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
django-simple-captcha's /refresh url's regex was matching anything that ends
with the word "refresh". This was clashing with sso/refresh. Changed the regex
for captcha's url to captcha/refresh.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Change sso refresh url to refresh-pubtkt since refresh was conflicting with
captcha's image refresh url.
- Fix datetime.timedelta calculation for refresh interval. Now validity of
ticket is 30 seconds as it was intended to be. It was wrongly set to 30 days
earlier.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Make the service a subtype of _http._tcp.
- Remove incorrect host tag.
- Add text record to indicate the path to use.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
- Disabled login using username and password.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
All users can log in. Only admin users can see logs and make changes.
LIMITATION: Only certain functions such as service management are possible.
Functions such as networking and user management are read-only. This problem does
not occur for users belonging to the 'sudo' group.
- Move to system section from applications section.
- Rename action script to cockpit instead of cockpit.
- Deal with .socket/.service correctly.
- Implement hooks on domain name changes and update configuration correctly.
- Host the application under /_cockpit instead of /cockpit because it is
reserved.
- Update description.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Partially fixes #958
The user still has to enable API access from Preferences in the tt-rss app.
Ideally, this should be automated, but this setting wasn't trivial to find. Will
try to automate this in a future pull request.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
From freedombox-setup all the setup mechanisms and first-run mechanisms have
been removed. This script no longer does anything and is not needed. Ensuring
that the directories have proper permissions is now the duty of Plinth Debian
packaging.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Avahi daemon is being managed in Plinth, so it makes sense for Plinth to be
providing the service files. Service files can be managed so that when a service
is not available, it is not advertised using Avahi.
Install service files.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Signed-off-by: Prachi Srivastava <prachi@swecha.net>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
There is no need to restart firewalld after the setup steps run.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Essential modules enable their own services properly. There is no need to do
them as part of common setup.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
If the pubtkt module is not enabled (rare) and repro is enabled, Apache fails to
start. Make sure this affects only the repro module. The single-sign-on
configuration already ensures that access is denied if the pubtkt module is not
enabled, preventing unauthorized access.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Instead run all of the setup process during the first boot. This enables us to
someday remove the reboot step entirely.
Tests: After building a new image with the changes, all the modules have been
shown to be properly set up. Running the setup wizard, creating an admin user and
logging in work as expected.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
- using latest version of lib-apache2-mod-authpubtkt
- upgraded keys to 4096-bit RSA
- upgraded hashing algorithm to sha512
Plinth needs dependency on libapache2-mod-auth-pubtkt >= 0.11
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Solves bug #890
- Since Apache might be started before Plinth setup is ever run, we
have to handle the case where the auth_pubtkt module may not be available.
- Created basic plinth app which starts an introducer and a storage
node on the FreedomBox.
- Prompt user to set a domain name before creating Tahoe-LAFS nodes.
- Support adding and removing of introducers to the storage node.
- Serve Tahoe-LAFS from a different port.
- Start all nodes and introducers at system startup.
- Add utility class YAMLFile with test cases.
- Install mod_auth_pubtkt and generate public/private key-pair.
- Redirect user to login page if no cookie is presented.
- Add check for authenticated user for login page.
- Temporarily switched to DSA because of a bug in mod_auth_pubtkt
which causes it to accept only DSA and not RSA. Also had to use SHA1
instead of SHA256.
- Enabled SSO for Syncthing, Repro and TT-RSS.
- Using tokens to authorize by user groups.
- Generate keys during first boot.