Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
- Re-use the same validator in Matrix Synapse.
- Avoid importing plinth classes in actions files.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This implementation is very similar to that of Matrix Synapse with a lot
of code duplicated.
One major difference is that ejabberd doesn't have a conf.d/ directory.
So, the managed configuration and overridden configuration cannot be
cleanly separated.
Whether the configuration is managed or not is determined by the
presence of a file under `/etc/ejabberd`. Managed coturn configuration
isn't stored in ejabberd, since only one set of configuration can be
stored at a time. If the admin chooses to use the managed configuration,
the current coturn configuration is fetched and used to configure
ejabberd.
Fixes#1978
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #514.
Test: Ran diagnostics with all apps enabled.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Return a warning result if no domains are configured.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
This was used before to ensure the domain name was ASCII. However, str
does not convert to ASCII in Python 3.
Note that in config module, which sets the system domain name, the
domain is already restricted to alphanumerics, hyphen, and period.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Domain name is not case sensitive, but Let's Encrypt certificate paths
use lower-case domain name.
Add an extra 1 second delay to tests that configure DynamicDNS domain.
Test: DynamicDNS functional tests are passing.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
After a domain name change, Let's Encrypt will restart the webserver
and could cause a connection failure.
Test: DynamicDNS functional tests are passing.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Domain name is not case sensitive, but Let's Encrypt certificate paths
use lower-case domain name.
Closes: #1964.
Tests: Config functional tests passed.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Closes: #2074
sunil's changes:
- Ensure that secret is not asked for a second time after creating admin user
and logging in (this happens due to discarding of old session and creating new
one).
- Ensure that this logic is not applied to user using FreedomBox images who are
not required to input the first wizard secret.
- Change the name of the session variable for readability.
Tests performed:
- Without the patch, start first boot wizard on the first browser on a
FreedomBox image (or run the file `base64 < /dev/urandom | head -c 16 | sed -e
's+$+\n+' > /var/lib/plinth/firstboot-wizard-secret`). Finish the welcome step
with first wizard secret. Then open a second browser or from another computer
visit the web interface. The first wizard secret is not asked and user can
create an admin account.
- Repeat with fresh image again with the patch. To mimic fresh image, one may
run `sudo rm -f /var/lib/plinth/plinth.sqlite3` and `echo "password" | | sudo
/freedombox/actions/users remove-user tester`. This time when a different
browser other than the one that provided the first wizard secret try to access
the account creation page, a redirection will occur to welcome page. Providing
the first wizard secret takes the user to account creation page.
- Accessing network first wizard page or internal pages on second browser also
takes one back to the welcome page.
- Accessing help pages from second browser requires login.
- Accessing account login page from second browser is allowed. After creating
the account from first browser, second browser can login and continue the
wizard.
- Clearing cookies in the middle of the wizard takes the user back to welcome
page.
- Clear cookies in the middles of the wizard. Visit the wizard, go to first boot
welcome page. Provide secret and the wizard will continue where it was left
off.
- Clear cookies in the middles of the wizard. Visit the wizard, go to first boot
welcome page. Access login page, login as admin. Then first wizard secret is
not asked. First wizard can be continued.
- On a fresh image, simply complete the first wizard. No change to earlier flow
is noticed. First wizard secret is only asked once at the beginning.
- On a fresh image, remove the file /var/lib/plinth/firstboot-wizard-secret.
First wizard can be completed without the secret.
[sunil: improvements to original patch by Kirill Schmidt]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tested-by: Sunil Mohan Adapa <sunil@medhas.org>
When LDAP is set up but the first admin is not yet set up, some of the
users module tests fail because known admin users is deleted before other
users. A known admin user must exists to delete existing users.
Fix this by deleting a known admin user only after deleting other users
when cleaning up tests.
Tests performed on Debian stable and testing:
- All the users module unit tests pass:
- when LDAP is not set up yet
- after LDAP is set up but empty
- after first admin user has set up using the web UI
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Allow distribution to be passed as an environment variable.
Fixes#1914
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Improved readability.
- Changed hierarchy of headings.
- Reduced emphasis on unnecessary/redundant things.
- Added links to go back to the main websites.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Update security_report.html text to clarify what vulnerability total
numbers mean, and give more info to learn what the vulnerabilties are.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
[jvalleroy: Make URL a link]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Closes: Debian #805108.
Primary motivation is to provide swap for FreedomBox machines. On all FreedomBox
images, currently there is no swap configured. Swap on disk may not be good for
SBCs most of which use SD card for storage. We wish for processes to not get
killed when hard memory limit is reached.
Zram seems like a good solution to the problem suitable not only for SBCs but
also for desktops and bigger machines. Fedora is currently using Zram as its
default swap solution configured by the installer. Zram creates a block device
with a configured size. Writing blocks into the device compresses them and
stores them in RAM. This block device can be configured as swap among other
things. See:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/blockdev/zram.rst
Set the size of the swap to be 50% of RAM. Expected compression is about 1:2.
That means, in an average case, 25% of RAM is consumed to provide the swap
device. This results in the system being able to consume about 125% of RAM
capacity to run processes. This value is inspired by Fedora.
https://fedoraproject.org/wiki/Changes/SwapOnZRAM .
Zram based swap takes priority over disk based swap (due the priority being set
to 100). This reduces IO and improves latency on machines that already have a
swap device.
On containers, zramswap.service fails to start as it will not be possible to
insert the 'zram' kernel module from within the container. This should not cause
any further problems.
Since 'config' app is an essential app, zram-tools now becomes a hard dependency
of freedombox package.
For FreedomBox images, zram-tools will be pre-installed and pre-configured. So,
it will work on first boot. For users installing FreedomBox via apt or those
upgrading from an older version, zram-tools will be newly installed but
configuration will not be picked up until the next reboot. Restarting
zramswap.service is not done because it may not be a safe/successful operation.
systemd-zram-generator is a project that essentially does what zram-tools. It
appears to be a better implementation and we may migrate to it when it becomes
available in Debian. Migration expected to be straight forward.
Tests performed:
- Running `sudo -u plinth ./run --list-dependencies` shows zram-tools as a
dependency.
- On a container, `systemctl status zramswap.service` shows as failed.
- On a virtual machine, confirm that configuration is installed properly. Run
`./setup.py install; systemctl daemon-reload; systemctl show zramswap.service |
grep Environment`.
- On a virtual machine, ensure that you have more than 512MiB or RAM. Then
restart zramswap.service. This should create a swap space of 50% of RAM
capacity. Confirm with `free` and `zramswap status`.
- Restarting the VM retains the swap that has been setup.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
