- Configuring just php-fpm is easier compared to configuring Apache + mod_php.
There is no need to configure trusted proxies as the requests are made using the
FastCGI protocol.
- There is no need for a full web server as we already run Apache.
- Place nextcloud data in /var/lib/container so that non-PHP files can be served
directly without php-fpm involved. This location is more suitable for switching
to nextcloud based on a .deb file (if ever). This is done by configuring the
volume to serve a bind mounted directory of our choice.
- Update Apache configuration to proxy to php-fpm instead of another web server.
Include the changes needed for Apache configuration to serve non-php files
directly.
- Managed the volume using quadlet podman systemd generator.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This is not ideal and reduces security. However it simplifies quite a bit of
setup.
- Services on the host network are already exposed to the container (however,
they could easily be protected with firewall rules).
- Container has full access to external networks already. So this part does not
change.
- This setup would be at par with how other services run on FreedomBox right
now. We can think of generalized solution for all the apps later.
- FirewallLocalProtection for the single service the runs in the container works
as usual without change.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- See quadlet(5).
- Using 'podman generate systemd' is deprecated. Quadlets are recommended.
- When using the systemd generator, enable/disable is not possible. The
container is automatically started when system is booted or systemd is reloaded
after .container file changes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tested when minidlna app is running - after upgrade the ssdp
port is open.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Minidlna interface is still available to everybody in internal networks
at http://<ip-address>:8200. (Note that using mDNS name like
freedombox.local doesn't work here).
Remove 'minidlna' group and apache minidlna site configuration as
those are not useful any more.
Reconfigure minidlna front page shortcut to link to the app
description page.
Tests performed with stable and testing containers:
Create a user that belongs to minidlna group. Apply changes, after
minidlna app upgrade:
- the user is not in minidlna group any more.
- the users configuration page doesn't show minidlna group.
- Apache site /_minidlna is disabled.
Closes#2012, #2013, #2416.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
[sunil: Minor formatting, use single quotes for strings for consistency]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
It helps showing ssdp protocol ports in minidlna diagnostics.
Also avoid overwrite imported name 'firewall'.
Tested that ssdp port 1900 is shown in the minidlna diagnostics page.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Set check_id and domain for domain diagnostic check
- If there is an error, store it in thread local storage.
- Drop checking for case when no domain is configured. This is better done after
initial setup via notification rather than in diagnostics. Proposed change also
will not show the warning if a .local domain is configured (almost always). Keep
checking for Check id to deal with older stored diagnostic results.
- Call obtain when certificate is not available. Call re-obtain otherwise. This
is important for properly calling the post-obtain operations.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Drop check for case when no domain is configured]
[sunil: Call either obtain or re-obtain based on current state of certificate]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Repair is run within an operation.
- Diagnostics are run for the app first.
- Call app.repair, then re-run setup if needed.
- Add helper functions for apps or components to store error messages in thread
local storage. These error messages are shown at the end.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Undo minor reformatting, due to automatic tool]
[sunil: Fix passing incorrect Exception argument to operation.on_update]
[sunil: Add full stop at the end of the success message to match install message]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Allows apps and component to implement custom repair methods.
- Default implementation asks relevant components to repair, and then if
needed, requests re-run setup for the app.
- Component.repair will return True by default, indicating that setup should be
re-run.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Minor docstring styling fixes]
[sunil: Improve tests for repair]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
The form provides an option to select default directory, user specified
directory or samba shares if enabled.
The form also checks that the directory exists and is readable by the
minidlna user.
Tested that changing media directory to a samba share location works.
Closes#2084.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- During enable/disable of the component, status of the dropin configuration
files was being checked from non-privileged process. If the dropin configuration
file or its parent is readable only by root, then the operation fails. Fix this
by performing the status check in privileged mode.
Tests:
- Unit tests pass.
- Dropin configuration file for redis server works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Also restart the container after restoring the database and its password. This
seems to be required (perhaps to flush caches) for a successful database
connection.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Nextcloud has a built-in brute force protection[1]. Combined with good password
policies, fail2ban is not required. Built-in protection is better than fail2ban
because, fail2ban makes the service unavailable which causes some confusion to a
genuine user.
Links:
1) https://docs.nextcloud.com/server/19/admin_manual/configuration_server/bruteforce_configuration.html
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Put dump operation in a try/finally block.
- Create context manager to simplify.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Add documentation URL for Nextcloud cron.php.
- Use '-f' flag to php to match what documentation recommends.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- It choose highest security random number automatically.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- While nextcloud has a good prefix for all the keys it stores, flushing the
database (for nextcloud or other apps) is easier if it stores it's keys in a
separate database. Assign DB index at 8 (database number 9). Index 7 is taken by
rspamd on FreedomBox.
- Flush only Nextcloud's DB after restore instead of the entire server.
- Ignore errors during flush if redis server is not running.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Before we can enable this added protection, we need to address a couple of
issues:
- Redis password is restored after a restore. This means that if nextcloud's
backup is restored on a machine where redis server already has a password set,
then the password won't match with the password configured for other apps that
are using redis.
- When email server is already installed before this patch and then nextcloud
is installed. rspamd will fail to connect to redis server. This even with the
changes intended on the email server as the setup version in those changes has
not been incremented.
- Restart redis-server only when needed. This avoids major disruption caused due
un-persisted cache and locks removed.
- Don't use Redis for caching of server-local data as this APCu seems to be
preferred by upstream containers.
- Don't set filelocking.enabled=true as this is already the default.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Eliminate the need for parsing the complex file.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Install nextcloud and notice that the default phone region is 'Not set'.
Select phone region, it sets properly. Set it to 'Not set' and that works too.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Connecting using Unix socket allows us to drop having to make redis listen on
the containers IP address.
- Instead configure redis to listen on unix socket.
- Keep the configuration file separate and include it the main configuration
file. This allows easier configuration changes in the future.
- Ensure that the drop-in configuration is available during setup.
- Ensure that redis is running during setup. This is important when app is
upgraded while it is disabled. Or when setup is re-run.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- GRANT with IDENTIFIED BY is not recommended anymore by MySQL. Use separate
CREATE and GRANT statements.
- Ensure that CREATE USER only runs when the user does not exist.
- Ensure that database password is always updated with a separate ALTER USER
statement.
- Factor out database querying into a separate method.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
It is unlikely that other containers will need the same volume with path for
/var/www/html.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Database will be running if mysql has just been installed.
- However, after disabling all apps, it is no longer running. After this trying
to install/reinstall nextcloud fails. Fix this by ensuring that mysql is always
running during setup.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Running ldap:test-config before enabling the 'user_ldap' app lead to bad output.
'app:enable' and 'ldap:set-config' are idempotent. So, re-run them in setup.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Use the status command to retrieve the accurate status of installation instead
of checking for existence of admin user account.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This eliminates the need to reconfigure mysql.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
