461 Commits

Author SHA1 Message Date
James Valleroy
c66435bf74
Release v24.9 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2024-04-22 21:03:15 -04:00
James Valleroy
0a70199434
Release v24.8 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2024-04-09 07:26:04 -04:00
Benedek Nagy
3d8967a20a
nextcloud: Add new app based on podman container
Nextcloud has long been a desired app for FreedomBox, however, due to
difficulties around Debian packaging, it hasn't yet been implemented. This
branch creates an app for Nextcloud with the help of Podman. Podman is a
containerization technology, like Docker, but with some extra features
that make its integration into FreedomBox convenient. If the podman
approach turns out to be favorable, we should consider writing a podman
specific module.

How does this work?

The app installs the podman and default-mysql-server Debian packages.
In other apps, such as MediaWiki, FreedomBox chooses SQLite
which eases maintenance and backup/restore. However, this
would bring a significant performance degradation for Nextcloud, hence the
choice of MySQL. Other apps, like WordPress, already use MySQL, so it is
installed on the host as opposed to installing it in a separate
container. A firewalld rich rule is created, so the Nextcloud container
can communicate with the db and OpenLDAP.

The podman package comes with a systemd service and timer for
automatically upgrading containers that are labeled as
"io.containers.autoupdate=registry". podman-auto-update.timer is managed
by FreedomBox. We might add a drop-in file for the timer to make it
more consistent with unattended-upgrades.

Podman natively supports creating systemd services for individual
containers. The generated systemd service is then managed by FreedomBox.

The current container image is based on Debian and runs apache inside the container.
To avoid running apache redundantly (both on the host and inside the
container) it would be preferable to use the nextcloud:stable-fpm image
instead, which seems to require creating a new virtual host.

Configure /.well-known URIs to redirect to /nextcloud. There is a conflict with
Radicale if both apps are running.

Put the podman1 interface into the trusted firewalld zone. This results in the
container gaining Internet access which is necessary for downloading Nextcloud
applications and federating with other Nextcloud instances. After applying the
patches, I opened my instance to the Internet to make sure this configuration
doesn't accidentally expose services. I scanned TCP ports 3306 and 6379 (after
installing and binding redis-server to the bridge interface). After that, I
installed the Tor app and put the default WAN interface to the external zone to
confirm that port 9050/TCP does not get exposed through the bridge interface.

To-do:
* test the fpm image
* test running the container in rootless mode for better security

Signed-off-by: Benedek Nagy <contact@nbenedek.me>
[sunil: Add missing docstrings]
[sunil: Make some methods private to module]
[sunil: Run yapf for formatting]
[sunil: Remove a comment to hide form when app is disabled]
[sunil: Update form labels]
[sunil: I18N for client names]
[sunil: Reduce number success messages in form for easy i18n and consistency]
[sunil: Reorganize patch series, squash fixes]
[sunil: Tweak auto update daemon component's ID]
[sunil: Add blank lines for formatting]
[sunil: Minor refactoring for _run_occ method]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2024-03-29 15:44:11 -07:00
James Valleroy
f735f183b7
Release v24.7 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2024-03-25 21:13:22 -04:00
James Valleroy
88c12df7e0
Release v24.6 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2024-03-11 20:41:10 -04:00
James Valleroy
c217fdb5c6
Release v24.5 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2024-02-26 20:59:13 -05:00
James Valleroy
b09f2cd74e
Release v24.4 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2024-02-12 21:24:48 -05:00
James Valleroy
2d3c610f3a
debian: Remove lintian override for init script
The lintian tag was removed. See:
579d080bff

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2024-02-12 20:18:52 -05:00
Sunil Mohan Adapa
2788d6810d
Makefile: Move various tests into build system
- This allows those tests to be invoked on console and not just in CI pipelines.

Tests:

- Running make check works.

- CI pipeline succeeds.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
[jvalleroy: Remove phony test target]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2024-02-12 19:17:16 -05:00
Sunil Mohan Adapa
812ed5d60d
*: Introduce make file based build, eliminate setup.py
- setuptools aims to be a build library instead of being invoked by setup.py.
Launching setup tools using ./setup.py is deprecated. Launching it using
generic build tools that use pyproject.toml is recommended.

- With the new approach customizing the build is not possible to the earlier
extent. So, introduce a simple and sufficient build system using 'make'.

Tests:

- Check the pyproject.toml using validate-pyproject tool.

- Run diffoscope on old and new packages and verify that no unexpected changes
were introduced by the build system change.

- None of the files part of .deb package have different file permissions
compared to before.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2024-02-12 19:17:09 -05:00
Sunil Mohan Adapa
721984c0e0
d/copyright: Update copyright year
- Avoids a lintian message.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2024-02-12 19:16:55 -05:00
James Valleroy
102863a2aa
Release v24.3 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2024-01-29 20:50:25 -05:00
James Valleroy
ab213138e0
Release v24.2 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2024-01-15 21:31:27 -05:00
James Valleroy
e829d36c36
Release v24.1 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2024-01-01 21:01:33 -05:00
James Valleroy
1c1b0190fe
Release v23.21 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-11-20 21:09:39 -05:00
James Valleroy
d22d142490
Release v23.20 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-11-06 21:08:59 -05:00
James Valleroy
9020173af2
Release v23.19 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-10-23 20:36:22 -04:00
Sunil Mohan Adapa
cfdf92cf0d
kiwix: Fix various issues after review
- Fix icon paths in copyright file.

- Minor refactoring.

- Add Kiwix library link to app page as well as users may want to see the
  content available before installing the app.

- Consolidate terminology to 'content package' for UI and just 'package'
internally.

- Drop unused SYSTEM_USER constant.

- Simplify the ExecStart= in systemd service file.

- Fix incorrect i18n caused by non-lazy formatting of strings.

- Confirm that xml parsing is not vulnerable as expat library of required
version is used in Debian bookworm.

- Don't start the kiwix daemon when managing library if app is disabled.

- Ignore errors when removing files during uninstallation.

- Handle failures more gracefully when library XML file does not have required
attributes.

- Update SVG/PNG icons to adhere to FreedomBox guidelines.

- Trim block translations in templates.

- Drop comments/deadcode inside translation strings.

- Drop a comment inside add content page that only makes sense with multiple
methods for adding content.

- tests: Don't use pkg_resources library as it is deprecated. We can use
importlib.resources library in future if we run tests on zip installations.

- Fix potential security issues while writing file to tmp directory.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2023-10-17 13:40:31 -07:00
Joseph Nuthalapati
34976ac4b0
kiwix: Add app for Kiwix offline Wikipedia reader
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2023-10-17 13:40:22 -07:00
James Valleroy
db5444558f
Release v23.18 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 20:47:40 -04:00
James Valleroy
625eb28007
Release v23.17 to unstable
2023-09-11 20:48:01 -04:00
James Valleroy
f527e5db52
Release v23.16 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-28 20:48:23 -04:00
Sunil Mohan Adapa
770974c8ce
sso: Switch to django-axes >= 5.0
- Add explicit dependency on django-ipware >=3. django-axes >= 6 adds
only an optional dependency on django-ipware. Adding explicit dependency makes
the behavior safer.

- Depend on django-axes >= 5 where the authentication backend and other features
are available. The new code won't work with older versions. The new approach
uses an authentication backend to deny access to the login form on lockout and
a middleware to redirect user to locked out form when limit of attempts has
been reached.

- Drop old code used for compatibility with django-axes 3.x.

- Suppress verbose and debug messages as django-axes is too chatty.

- Re-implement the CAPTCHA form entirely. In the old style, we have a login form
with CAPTCHA field. That would not work with the new django-axes authentication
middleware. On submission of the form, auth.authenticate() will be called. This
call invokes various authentication backends including the django-axes authentication
backend. This backend's behavior is to reject all authentication attempts when
the IP is listed in locked table. The new approach is to provide a simple
CAPTCHA form with just the CAPTCHA field. If the form is successfully
validated (correct CAPTCHA is provided), then the lock on the IP address is
reset. The user is then free to perform 3 more attempts to login.

- Update firstboot form to send the request parameter when using
auth.authenticate() method. This is needed by Django axes' authentication method
which will be triggered.

Tests:

- Run tests on Debian Bookworm and Debian testing.

- Axes verbose messages and debug messages are not printed on the console when
running FreedomBox in debug mode.

- Only three invalid attempts are allowed at the login page. After the final
incorrect attempt, user is redirected to CAPTCHA page. Visiting the login page
using the URL works but entering the correct credentials still takes the user to
CAPTCHA page.

- CAPTCHA form appears as expected. Clicking the CAPTCHA images downloads the
audio file corresponding to the image. Incorrect CAPTCHA shows an error. Correct
CAPTCHA takes the user to login form where they are able to login with correct
credentials. Entering incorrect credentials 3 times will take the user again to
CAPTCHA page.

- Creating user account during firstboot works.

- Blocked IP address is the IP of the client such as 10.42.0.1 and not the local IP
address 127.0.0.1 according to the django-axes log messages. While one client IP
address is blocked, another IP is able to login to the same user account that
was attempted by the blocked client.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-23 21:47:39 -04:00
James Valleroy
18a04d384a
Release v23.15 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-14 21:11:52 -04:00
James Valleroy
4a1c96545a
debian: Add Swedish translation for debconf
Thanks to Peter Kvillegård <quat@sdfeu.org> for the translation.

Closes: #1041735
2023-08-13 10:45:43 -04:00
James Valleroy
e7826781fd
Release v23.14 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-07-31 20:40:13 -04:00
James Valleroy
3d536af95d
Release v23.13 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-07-17 22:02:45 -04:00
James Valleroy
cf7b8bfdb3
Release v23.12 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-19 20:45:25 -04:00
James Valleroy
7bd1e45742
Release v23.11 to experimental
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 22:07:40 -04:00
James Valleroy
d8c488242c
debian: Remove drop-in configs from version <23.11
Since 23.10 is already in experimental, change the prior-version to
23.11~ for removed drop-in /etc config files.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:34:49 -04:00
Sunil Mohan Adapa
a35c320ebd
ejabberd: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/

- jsxc is able to connect to jabber server

- When ssh is enabled avahi-browse -a shows SSH and SFTP services. The avahi
service files are created in /etc/avahi/services/. When service is disabled,
files are removed and avahi-browse -a does not show the services.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:30:16 -04:00
Sunil Mohan Adapa
87a45e1716
cockpit: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Web interface is available

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:30:14 -04:00
Sunil Mohan Adapa
98be58eb41
calibre: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- calibre web interface is available

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:30:11 -04:00
Sunil Mohan Adapa
1060d733a7
bepasty: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- bepasty uwsgi service is running
- bepasty web interface is available

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:30:09 -04:00
Sunil Mohan Adapa
c6817ab462
apache: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- ttrss app's web interface works
- Incorrect password attempts in LDAP login with /tt-rss-app/ get registered by
  fail2ban

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:30:06 -04:00
Sunil Mohan Adapa
86444764a7
wordpress: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Web interface works
- Adding a plugin using auto-download works
- fail2ban-client status shows wordpress-freedombox
- fail2ban catches invalid login attempts

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:30:04 -04:00
Sunil Mohan Adapa
73bc89b916
users: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- LDAP auth works for /tt-rss-app/

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:30:01 -04:00
Sunil Mohan Adapa
4b5d1d3204
upgrades: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Running 'apt update' sends a DBus signal to freedombox service
- unattended-upgrade works
- Many services were restarted when unattended-upgrade was run

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:59 -04:00
Sunil Mohan Adapa
efe303de31
ttrss: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Web interface works

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:56 -04:00
Sunil Mohan Adapa
ba251c1e9a
transmission: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Web interface works

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:54 -04:00
Sunil Mohan Adapa
3d299a7b8a
syncthing: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Web interface works

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:51 -04:00
Sunil Mohan Adapa
f3bad4a880
sso: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Single sign-on for searx works

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:49 -04:00
Sunil Mohan Adapa
e019f76b40
ssh: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/

- fail2ban-client show shows sshd in jail list

- When ssh is enabled avahi-browse -a shows SSH and SFTP services. The avahi
service files are created in /etc/avahi/services/. When service is disabled,
files are removed and avahi-browse -a does not show the services.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:46 -04:00
Sunil Mohan Adapa
56b3c854e4
sharing: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Sharing folders works

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:43 -04:00
Sunil Mohan Adapa
31cfb8f643
security: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- 'fail2ban-client get logtarget' shows sysout
- fail2ban logs to journald
- fail2ban identifies failures logged by apache in journald

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:41 -04:00
Sunil Mohan Adapa
500cfca6d4
searx: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Web interface works
- Web interface authentication works

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:38 -04:00
Sunil Mohan Adapa
4f0dd7733b
rssbridge: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Web interface works

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:35 -04:00
Sunil Mohan Adapa
8b1dfc525b
roundcube: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Web interface works
- fail2ban jail is enabled

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:33 -04:00
Sunil Mohan Adapa
23f7497c05
radicale: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Web interface works.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:30 -04:00
Sunil Mohan Adapa
8533a287a6
privacy: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- popularity-contest shows VENDOR:FreedomBox

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:27 -04:00