- Let the .container file be created and modified even when quadlets are not
available. This is harmless.
- When upgrading from bookworm to trixie, the fallback service file is removed
if setup is re-run.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
[jvalleroy: Add daemon-reload after creating service file]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Rename 'domain' to 'override domain'. See below.
- If override domain is not set and trusted domains list is properly maintained,
then Nextcloud can be accessed using a domain from list of trusted domains. This
is ideal as accessing from .onion domain and a regular domain will
simultaneously without forcing a single domain. However, non-localhost IP
addresses will not work with this approach and 'override domain' will be needed.
- When override domain is set to an IP address or a domain, then that domain
will forced. Also hostname are accepted on a request but after the first page
load, access will be forcefully redirected to the configured override domain.
Multiple domains, even trusted domains, will thus not work. This option should
be used as a last resort.
- All un-setting the override domain to an empty value so that trusted domains
can be used again.
- Update diagnostic checks to ensure that above logic is used with checking
domains.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Enable the redis drop-in configurations before redis-server is started so that
the configuration is effective.
- When app is disabled and re-running setup, disable it after running setup
because setup() enables it.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
When there message strings containing substrings of the form
"{object.property}", an AttributeError is raised instead of KeyError during
string formatting. Catch these errors.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Retrieve a database password from configuration if one is set instead of
generating new one.
- Create database after starting the container. This is okay as database
configuration is not set until maintenance:install operation is run.
- Minor change to setting administrator password during install.
Tests:
- Update profile in Nextcloud and re-run setup. The updated settings are still
available.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This is required because when services are restarted, their Unix domain sockets
are removed and new ones are created. The container will still be using the old
sockets and will fail to connect to the service.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This prevents timeout of the service if the image pull is slow.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- First wait until the files are copied into /var/www/html from
/usr/src/nextcloud.
- Then wait until init-sync lock is released.
- This allows for re-running setup as CAN_INSTALL file is removed after install
process in completed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Configuring just php-fpm is easier compared to configuring Apache + mod_php.
There is no need to configure trusted proxies as the requests are made using the
FastCGI protocol.
- There is no need for a full web server as we already run Apache.
- Place nextcloud data in /var/lib/container so that non-PHP files can be served
directly without php-fpm involved. This location is more suitable for switching
to nextcloud based on a .deb file (if ever). This is done by configuring the
volume to serve a bind mounted directory of our choice.
- Update Apache configuration to proxy to php-fpm instead of another web server.
Include the changes needed for Apache configuration to serve non-php files
directly.
- Managed the volume using quadlet podman systemd generator.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This is not ideal and reduces security. However it simplifies quite a bit of
setup.
- Services on the host network are already exposed to the container (however,
they could easily be protected with firewall rules).
- Container has full access to external networks already. So this part does not
change.
- This setup would be at par with how other services run on FreedomBox right
now. We can think of generalized solution for all the apps later.
- FirewallLocalProtection for the single service the runs in the container works
as usual without change.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- See quadlet(5).
- Using 'podman generate systemd' is deprecated. Quadlets are recommended.
- When using the systemd generator, enable/disable is not possible. The
container is automatically started when system is booted or systemd is reloaded
after .container file changes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tested when minidlna app is running - after upgrade the ssdp
port is open.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Minidlna interface is still available to everybody in internal networks
at http://<ip-address>:8200. (Note that using mDNS name like
freedombox.local doesn't work here).
Remove 'minidlna' group and apache minidlna site configuration as
those are not useful any more.
Reconfigure minidlna front page shortcut to link to the app
description page.
Tests performed with stable and testing containers:
Create a user that belongs to minidlna group. Apply changes, after
minidlna app upgrade:
- the user is not in minidlna group any more.
- the users configuration page doesn't show minidlna group.
- Apache site /_minidlna is disabled.
Closes#2012, #2013, #2416.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
[sunil: Minor formatting, use single quotes for strings for consistency]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
It helps showing ssdp protocol ports in minidlna diagnostics.
Also avoid overwrite imported name 'firewall'.
Tested that ssdp port 1900 is shown in the minidlna diagnostics page.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Set check_id and domain for domain diagnostic check
- If there is an error, store it in thread local storage.
- Drop checking for case when no domain is configured. This is better done after
initial setup via notification rather than in diagnostics. Proposed change also
will not show the warning if a .local domain is configured (almost always). Keep
checking for Check id to deal with older stored diagnostic results.
- Call obtain when certificate is not available. Call re-obtain otherwise. This
is important for properly calling the post-obtain operations.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Drop check for case when no domain is configured]
[sunil: Call either obtain or re-obtain based on current state of certificate]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Repair is run within an operation.
- Diagnostics are run for the app first.
- Call app.repair, then re-run setup if needed.
- Add helper functions for apps or components to store error messages in thread
local storage. These error messages are shown at the end.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Undo minor reformatting, due to automatic tool]
[sunil: Fix passing incorrect Exception argument to operation.on_update]
[sunil: Add full stop at the end of the success message to match install message]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Allows apps and component to implement custom repair methods.
- Default implementation asks relevant components to repair, and then if
needed, requests re-run setup for the app.
- Component.repair will return True by default, indicating that setup should be
re-run.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Minor docstring styling fixes]
[sunil: Improve tests for repair]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
