- This will leave /etc/{plinth,freedombox} empty by default making service more
robust to run across various environments and situations. See systemd's
explanation for more details.
- Use Debian maintainer scripts remove all the existing files in
/etc/plinth/modules-enabled.
- Read from /usr/share/freedombox/modules-enabled then from
/etc/plinth/modules-enabled and finally from /etc/freedombox/modules-enabled.
Later read ones override previously read files. Any file pointing to /dev/null
will mean the module must be ignored.
Tests:
- Clean up /etc/plinth, /etc/freedombox and
/usr/share/freedombox/modules-enabled. Run service and notice that files are
getting loaded from development folder using a debug message.
- Run setup.py and notice that files get installed in
/usr/share/freedombox/modules-enabled/ and in the next run they get loaded from
there.
- Create a override file in /etc/plinth/modules-enabled/transmission and notice
that overriden file gets priority over the one in
/usr/share/freedombox/modules-enabled.
- Link the file /etc/plinth/modules-enabled/transmission to /dev/null and notice
that is not loaded.
- Create another file in /etc/freedombox/modules-enabled/transmission and notice
that it overrides the previous two files.
- All affected modules are loaded.
- Build a new Debian package and ensure that upgrading 23.8 to new version
removes are all configuration files.
- Build developer documentation and test that Tutorial -> Full Code and Tutorial
-> Skeleton sections have been updated with references to
-.../modules-enabled/... paths.
- Install quassel and notice that certificates were copied to /var/lib/quassel
directory. Change domain to another domain and notice that certificates were
copied again to that directory.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2264.
- Set apache-auth fail2ban jail's backend to read from journal instead of
syslog. Tweak the regex matching to deal with the custom format.
- Adjust the apache error log format to remove unnecessary timestamp. It causes
problems for fail2ban regex matching.
- There was an error in the earlier patch the make apache log into journald.
Configuration for TLS sites still contained ErrorLog and CustomLog directives.
Remove them.
- There is also file with CustomLog directive that logs for other vhosts.
- For some reason, for custom error log format, %T - thread ID did not work and
had to switch to %{g}T global thread ID.
- Added journalmatch to improve performance by matching the regular expressions
against only specific journal entries.
Tests:
- In a container, apply the patch, run setup and start FreedomBox. Apache app is
updated to new version. Apache web server is reloaded. The
other-vhosts-access-log configuration is disabled.
- On a production machine, remove the directives in
freedombox-tls-site-macro.conf and disabling other-vhosts-access-log stopped the
logging into /var/log/apache2/ directory.
- Use TTRSS /tt-rss-app/ URL and type wrong credentials for 10 times. The client
is banned for 10 minutes. Repeat after unban. Client is banned again.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This allows disabling syslog daemons.
- Fall back to using file based monitoring for Apache.
Tests performed:
- Before and after the patch, connecting via SSH and typing in incorrect
password leads to a entry in fail2ban.log. 10 incorrect attempts result in a 10
minute ban.
- Before and after the patch, typing in incorrect password for radicale leads to
a entry in fail2ban.log. 10 incorrect attempts result in a 10 minute ban.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Directory /etc/php/7.4 became available before php7.4-fpm became available.
Handle this by checking the run time socket of the fpm daemon instead of the
directory.
Discussed and tested in
https://discuss.freedombox.org/t/mediawiki-service-unavailable/711/23
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
