Fixes: #2463.
- When FreedomBox service is run via systemd and if the unit has PrivateTmp=yes
as was recently introduced, then 'podman exec --user www-data' fails with error
'Error: unable to find user www-data: no matching entries in passwd file'.
- The problem seems isolated to this specific instance and does not seem to
effect the container start up (which happens via systemd).
Tests:
- Without the patch, start FreedomBox service via systemd and install Nextcloud.
It fails.
- With the patch, install succeeds and functional tests for Nextcloud succeed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Don't use title casing, instead use simple capitalization.
- Add some tags.
- Drop outdated tags like 'VoIP', 'IM' while emphasizing 'Audio chat', 'Video
chat', 'Encrypted messaging' instead.
- Try to clarify server vs. web client with tags.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
- Add tags to Info component of apps. Use only English tags for all operations.
Localized tags are used for presentation to the user only. Add tags to all the
apps. Conventions (English):
1. Tags describing use cases should be in kebab case.
2. Protocols in tag names should be in their canonical format.
3. Tags needn't be 100% technically correct. This can get in the way of
comparing apps using a tag. Words that describe use cases that users can
easily understand should be preferred over being pedantic.
4. Tags should be short, ideally not more than 2 words. Avoid conjunctions
like "and", "or" in tags.
5. Avoid redundant words like "server", or "web-clients". Most apps on
FreedomBox are either servers or web clients.
6. Keep your nouns singular in tags.
- Use query
params to filter the Apps page by tags. When all tags are removed, redirect to /apps.
- Add UI elements to add and remove tag filters in the Apps page. Make the UI
similar to GitLab issue tags. Since there are 40 apps, there will be at least 40
tags. Selecting a tag from a dropdown will be difficult on mobile devices. A
fuzzy search is useful to find tags to add to the filter. Allow user to find the
best match for the search term and highlight it visually. The user can then
press Enter to select the highlighted tag. Make tag search case-insensitive.
Make the dropdown menu scrollable with a fixed size. User input is debounced by
300 ms during search.
- tests: Add missing mock in test_module_loader.py
- Add functional tests
[sunil]
- 'list' can be used instead of 'List' for typing in recent Python versions.
- Reserve tripe-quoted strings for docstrings.
- Undo some changes in module initialization, use module_name for logging
errors.
- isort and yapf changes.
- Encode parameters before adding them to the URL.
Tests:
- Tested the functionality of filtering by tag with one tag and two tags.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Fixes an issue where SSH server is available but users can't login because LDAP
user services are not yet started.
Tests performed:
- Installed new ssh systemd override conf, rebooted, ensured that the sshd
service starts after the nslcd service.
Relates to #2452.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- When a library is added to using the FreedomBox interface and immediately
Calibre interface is loaded, the library does not immediately get listed in the
list of libraries. We will have to fresh the page to see the new library. Do
this.
Tests:
- Run functional tests for calibre on Testing distribution multiple times
without failures.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- In versions of WordPress in Debian Trixie and up the editing widget is inside
of an iframe instead of as a direct child of the main document. Elements inside
these iframes can't be queried directly and one must be the 'context' of the
iframe before querying elements inside.
- Fix the failures by using the splinter API to query inside iframe.
Tests:
- Run functional tests on WordPress in stable and testing containers twice.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Syncthing from Debian testing uses new config directory if the
legacy configuration folder doesn't exist.
Tests performed in stable and testing containers:
- All syncthing tests pass when running twice.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
- Since there is no way to reach the next steps page from the interface, provide
a notification for it. Until the notification is dismissed, the user can reach
this page with the notification.
Tests:
- On testing and stable containers, remove the sqlite file start the service.
Complete the first setup wizard. After reaching the 'setup complete' page,
notice that there is a notification for next steps to take. Title, icon, message
and button text and styling are as expected.
- Clicking on 'See next steps' takes us to next steps page.
- Clicking on dismiss removes the notification.
- Restarting the service does not bring back the notification.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Currently, after the user arrives the 'next steps' page after completing the
first setup, trying to refresh the page takes us away from the page to the index
page.
- Since this page lists a lot of steps, user can't be expected to memorize the
contents of the page and perform them one after the another. Opening the links
in popups instead of navigating away from page helps but not full solve the
problem.
- If the page is a regular page and not part of the first step wizard, this page
is a simple Django page. It can be refreshed. Back button can be used to view
the page after navigating from it again.
Tests:
- On stable and testing containers, remove the sqlite3 file and start the
service. This will trigger the first setup wizard. As a last step of the wizard,
the 'setup complete! Next steps:' page is shown.
- Refreshing the page works.
- Navigating away from the page and using the back button to return to it works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- This is needed as we don't have software updates step during first setup
anymore.
Tests:
- Trigger first setup by removing /var/lib/plinth/plinth.sqlite3 and re-running
the service. After completing the setup, a notification is shown with correct
severity, title, app icon, message and options. Dismiss remove the
notifications. 'Go to Software Updates' takes us to updates app.
- After dismissing the notification, re-running the service does not show
notification again.
- Increasing the app version number also does not show notification again.
- Re-running the app setup does not show notification again.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- We have not yet implemented the main reason they exist. To guide users to
establish reachability with Tor hidden services, Pagekite, Dynamic DNS, etc.
- We now have a 'Next steps' page that talks about configuring network
connections. The networks page linked from here has these steps prominently
listed.
- In the future we will implement a wizard for reachability and these steps will
still be used. However, they don't have to part of first setup. They can add
them as notification and as part of next steps page.
- It is good to have a simplified first setup wizard. It is seldom tested
properly.
Tests:
- Run the first setup wizard by removing /var/lib/plinth/plinth.sqlite3 and
running the service. Notice that the software update step is not shown and
wizard completes successfully.
[vexch: Minor quote fix in functional tests]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Remove the first setup wizard step to run security upgrades. At the time of
its introduction, it was felt that this is very important. Some things have
changed since then:
- We have mechanism for queuing package operations. Users can now trigger
software updates and start installing apps before that is completed. Or vice
versa. Earlier if the software updates were running, app install used to fail
with an error.
- There were no notifications. Since then we have added 'first setup'
notification for important topics such as Privacy. This step can be replaced
with a notification.
- Automatic diagnostics and a diagnostic to notify of updated packages also
helps bring attention to software updates if they are missed during first
setup.
- A proposed change will re-introduce an advice to run updates in the 'Next
steps' wizard step along with a button trigger it right there.
- The new notification for software updates will bring more attention to running
updates as part of first setup.
- It would be nice not be stuck in the first setup wizard for a long period and
make it look simple. It improves the fun factor of setting up FreedomBox.
- It would present an opportunity to utilize the parallel installation of
apps/updates to the full extent. Although this can also be done by skipping the
progress step after updates are run.
- First wizard steps tend to get less testing.
Tests:
- Run the first setup wizard by removing /var/lib/plinth/plinth.sqlite3 and
running the service. Notice that the software update step is not shown and
wizard completes successfully.
- On stable container, backports step is shown as expected (if not already
enabled).
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Start first boot by removing /var/lib/plinth/plinth.sqlite3 and starting
service. Switch to responsive design mode and select a phone layout. Notice that
an inactive toggler appears during bootup/welcome/account first boot steps.
- With the patch, the toggler button does not appear during those steps. After
the account step, the toggler appears and is functional with help menu.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Fixes: #888.
- Suggest all the steps that a typical user should likely take.
- Custom styling to make the page look good.
- Open the links in new windows as this page can't be reached again.
- Add a button for software updates as this can be done easily and the most
important step.
Tests:
- Trigger first setup by removing plinth.sqlite3. Notice the improved setup
complete page. Text and icons are as expected. Links work and open in a new
window. Clicking on 'Update now' button opens a page to software updates with
manual upgrade triggered.
- Mobile view looks good.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Before rerunning setup operations.
Tests:
- Install version 28-fpm (one version older than the current stable). Then
change it stable-fpm and increment the nextcloud app version at the same time.
Start the service. Notice that nextcloud app setup is rerun, container will be
updated by podman to newer version. Setup completes successfully with the patch
but fails arbitrarily otherwise as the setup process does not wait for the
upgrade to complete and tries to prematurely re-run setup operations.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Fixes: #2433.
Tests:
- Without the patches, as described in the bug, create an installation that is
facing the problem. Ensure that 'podman exec --user www-data
nextcloud-freedombox /var/www/html/occ config:system:get overwrite.cli.url'
shows an empty value.
- Apply patches, nextcloud app is updated and configuration value is set to
'http://localhost/nextlcoud' by running 'podman exec --user www-data
nextcloud-freedombox /var/www/html/occ config:system:get overwrite.cli.url'.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Fixes: #2453
- It will be installed later.
Tests:
- Build the Debian package with all the changes and notice that it neither has
dependency on resolvconf nor on systemd-resolved.
- Version 24.18 can upgrade to this package using unattended-upgrade. For this
place the package in a folder repository and add this repository to apt
sources.list and tweak unattened-upgrades settings to accept the new repository.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Don't schedule if the package is already installed.
Tests:
- With systemd-resolved installed and without internet connectivity start a
fresh instance (without first setup). Setup succeeds but systemd-resolved is not
installed.
- Wait in develop mode for 180 seconds. Setup for names app is re-run. Ensure
that internet connectivity is not available and systemd-package is not
installed. Setup still succeeds.
- On next run, ensure that internet connectivity is available, systemd-resolved
is installed. Setup succeeds.
- On next run, setup is not re-run for names app.
- When service is restarted, the task is not even scheduled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- If installing systemd-resolved for the first time, set fallback DNS setting to
True irrespective of the app version.
Tests:
- Ensure that systemd-resolved is not installed. On a fresh systemd without
first setup done, run service.
- Names app setup is run and systemd-resolved is installed if internet
connection is available. Setup succeeds. Fallback DNS setting is true in privacy
app. systemd-resolved has been restarted and current DNS known to Network
Manager has been populated in it. Name resolution works.
- If Internet connection is not available, setup still succeeds but
systemd-resolved package is not installed.
- Rerun setup without internet connectivity. Setup succeeds without installing
systemd-resolved.
- Rerun setup with internet connectivity. Setup succeeds and installs
systemd-resolved. Fallback DNS setting is true in privacy app. systemd-resolved
has been restarted and current DNS known to Network Manager has been populated
in it. Name resolution works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Ensure that systemd-resolved is not installed.
- There is no warning showing that systemd-resolved daemon is not running.
- When re-running setup, systemd-resolved is not enabled.
- Diagnostic shows a warning that systemd-resolved is not installed.
- Ensure that systemd-resolved is installed.
- If daemon is not running, warning shown that it is not running.
- If daemon is running, warning is not shown.
- When re-running setup, systemd-resolved is enabled.
- Diagnostic shows that the daemon is running when running and not running when
it is not.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Ensure that systemd-resolved package is not installed.
- Resolver status table is now shown.
- Instead a message is shown with button to re-run setup. Clicking the button
re-runs setup of the names app.
- Configuration form is also now shown.
- If systemd-resolved package is installed during re-run of setup, then status
table is shown.
- Message to install systemd-resolved is not shown.
- Configuration form is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Ensure that systemd-resolved is not installed. Run diagnostics on names app.
There should be no diagnostic related to resolving address for deb.debian.org.
- Ensure that systemd-resolved is installed. Run diagnostics on names app. There
should be diagnostic related to resolving address for deb.debian.org.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Ensure that systemd-resolved is not installed. The privacy section is entirely
hidden in the connection information page.
- Ensure that systemd-resolved is installed. The privacy section is shown in the
connection information page.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Ensure that systemd-resolved package is not installed. DNS-over-TLS field is
disabled.
- Submitting the form works with and without changes.
- Value of global DNS-over-TLS setting shows as 'unknown'.
- Current value of DNS-over-TLS for this connection is show in the form.
- Ensure that systemd-resolved package is installed. DNS-over-TLS field is
enabled.
- Submitting the form works with and without changes.
- Value of the global DNS-over-TLS setting shows the current value set in names
app.
- Current value of DNS-over-TLS for this connection is show in the form.
- Introduce an exception in get_resolved_configuration privileged action and
notice that value shows up as 'unknown' in the form.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Ensure that systemd-resolved is not installed.
- Notice that form field for Fallback DNS servers is disabled. Form value is
unchecked (default value when initial value is not provided).
- Submitting the form works with and without changes.
- Ensure that systemd-resolved is installed.
- Notice that form field for Fallback DNS servers is not disabled. Form value
reflects the current state of fallback dns as shown in names app.
- Submitting the form works with and without changes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests performed in stable and testing containers:
- Run all the transmission tests twice - all pass.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests:
- Without patch, upload an invalid zim file, 'Failed to add content'... message
is shown. The library's content directory contains that invalid file. Try to add
the file again and the message shown is 'File already exists'.
- With patch, upload an invalid zim file, 'Failed to add content'... message is
shown. The library's content directory does not contain that file. Try to add
the file again and the same message is shown.
- Functional tests for kiwix pass. Repeating just the test
test_add_invalid_zim_file works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Raise an error by editing code in create, upload, rename and delete
operations. Notice that the details error messages are shown with a drop-down.
- Upload a wiki and it works. The name is as expected.
- Upload the wiki again notice that the duplicate wiki error is shown.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Use new utility for uploading]
[sunil: Better error message display in the UI]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Raise an error by editing code in create, upload, rename and delete
operations. Notice that the details error messages are shown with a drop-down.
- Upload a wiki and it works. The name is as expected.
- Upload the wiki again notice that the duplicate wiki error is shown.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Use new utility for uploading]
[sunil: Better error message display in the UI]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Earlier, the uploaded ZIM file was being written to disk twice.
Manual Test
-----------
Without the changes in this commit, the English MediaWiki archive of
6.83 GB cannot be uploaded to the dev container of size 12 GB, since two
temporary files are created.
With the changes in this commit, the same file can be uploaded
successfully and accessed using Kiwix reader.
- Uploaded file has expected ownership and permissions.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Handle error for uploading duplicate content.]
[sunil: Set root:root ownership on the uploaded file.]
[sunil: Use the action utility for checking that the upload file and moving it.]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Fixes an error in testing container where installing dependencies for
functional tests wants to uninstall system installed urllib3.
Also minor quotes fixes.
Note that dependencies are upgraded only in new dev environments where
geckodriver is not yet installed.
Tests performed, in both stable and testing containers:
- Run all tests, no upgrade related failures found. There were some
seemingly unrelated test failures in apps: calibre, ejabberd, deluged,
minetest, users, transmission , wordpress, zoph.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Insider a container, it is not possible to use loopback devices without
additional permissions. Skips tests that need loopback devices. This will
results in fewer errors when running './container run-tests'.
Tests:
- Run './container run-tests --pytest-args
plinth/modules/stroage/test_storage.py'. Notice that all tests are either
skipped or succeed.
- Run the tests on host machine and they all run without skipping.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Reasons:
- Privileged action security: restoring Samba configuration from a backup file
could expose any folder in OS and allows to run any commmand as a root user.
- Samba backups aren't so useful as only app configuration is included.
Configured shares are trivial to enable without backups. Also, providing
backups could be misleading as stored user files aren't actually backupped.
Tests performed:
- All Samba functional tests pass.
- Restoring from an old backup that also includes Samba is not failing,
restoring Samba is skipped.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- This was supposed to removed in MR #2309 in the commit
253540fb3d12254c920b632cc484be6a79d27229. It was overlooked.
- Version number of users app has not been incremented as it has already been
incremented in this release.
Tests:
- There is no directory /etc/security/access.conf.d.
- There are not directives in /etc/security/access.conf that are not commented
out.
- After applying the patch (assuming previously setup version is 24.20) and
manually removing the destination file, app setup for users app runs. It
succeeds. /etc/pam.d/common-account no longer contains the line 'account
required pam_access.so'.
- After the upgrade, users who are root and non-root are able to login via SSH
and Cockpit. After a reboot, users are able to login via SSH and Cockpit.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Since previous release 24.20 already has a increment to version 6, users app
version must be incremented in order for the changes related to inactive users
to take effect.
Tests:
- On applying the patches and running the service, upgrade to new app version
runs and succeeds. If there are inactive users presets, then before the setup()
privileged method is run, setup_and_sync_user_states() is run.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Disable and mask the nmb service, which is alias to the already
disabled nmbd service.
Tests performed:
- Upgrading Samba app works.
- Systemd doesn't show nmb.service in erroneous state after upgrade.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Some trivial refactoring.
Tests:
- The default password policy works. Inactive users are unable to login via
console, SSH and cockpit.
- After the app is setup freshly and after it is upgraded from previous version,
the namedobject.schema has been ingested into the OpenLDAP configuration.
- Rerunning setup for users app works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Previously, users were inactivated only in plinth users database. This change
adds ability to inactivate users in LDAP database.
Changes:
- Inactive users in plinth users database are also inactivated in LDAP
during app upgrade.
- Inactivated users can't login using LDAP password.
- Apache2 single-sign-on module now requires LDAP connection. SSO
sessions are now invalidated when users are inactivated.
- PAM/nslcd now performs authorization checks against LDAP, which means
inactivated users can't do passwordless ssh logins and running their
crontabs are blocked.
- When inactivating a user, all user's processes are killed.
Also, update LDAP diagnostics:
- Fix LDAP checks returned always passed results.
- Fix `ou=people` entry doesn't exist in LDAP.
- Add diagnostics checks for `ou=policies` and `cn=DefaultPPolicy`.
Tests performed:
- App upgrade works.
- App upgrade with previously disabled user works, user is inactivated
also in LDAP.
- App upgrade with disabled user that doesn't exists in LDAP database works.
- Increment app version again, to 7, app upgrade works second time.
- Inactivate user and test logins:
- can't login using direct LDAP (nextcloud, ejabberd, matrixsynapse)
- can't login using Apache2 LDAP module (gitweb, ikiwiki, rssbridge,
transmission)
- can't login using apache sso module (featherwiki, gitweb, rssbridge,
sharing, syncthing, tiddlywiki, transmission, wordpress).
- can't login using ssh with password or passwordless
- Inactivate user and test exsisting sessions:
- ssh, cockpit and samba sessions are killed.
- Configure crontab, configured crontab is failing to run after user
is inactivated.
- All the users app tests pass.
Notes:
- Only Apache2 SSO sessions are disabled. Apps that create their own
sessions keep working, like nextcloud, ejabberd, matrix-synapse,
ikiwiki. In the future, we could add a feature that apps can implement
their own users locking functions.
- When testing inactivated users, users and IP-s can be banned by the system,
banned IP-s/users can be viewed with commands `fail2ban-client banned` and
`pam_abl`.
- Existing sessions keep working when deleting a user or removing
a user from an access group.
- I didn't test e-mail app.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
The latest version of miniflux can't connect to the database after a fresh
installation. This is due to incorrect ownership of /etc/miniflux/database file
which is owned by root (and correctly having the permissions 0600). After
changes in bug #1078416, miniflux no longer runs as root user and instead runs
as miniflux user. This user can't read the database file. The daemon silently
falls back to using built in defaults and fails to connect to PostgreSQL
database. This is originally caught by functional tests in FreedomBox's miniflux
integration.
Links:
1) https://bugs.debian.org/1081562
2) https://salsa.debian.org/go-team/packages/miniflux/-/merge_requests/2
Tests:
- Freshly install miniflux with the patch and the daemon is running. Ownership
for the file /etc/miniflux/database is as expected.
- Install miniflux without the patch. Daemon is not running. Apply patch and
restart service. miniflux app is updated. Daemon is running. Ownership for the
file /etc/miniflux/database is as expected.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
nscd daemon caches queries made to NSS via glibc. In our case queries to passwd
and group databases are cached. But this leads to many problems.
See: https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2520
The bug that this MR fixes, that is, the inaccuracy of the authentication data,
is horrible and only acceptable if the caching provides very important
functionality. Already, having to purge nscd caches after modifying user
accounts is not nice.
I believe that we have encountered this bug before and blamed libpam-abl due to
the time sensitive nature of the problem.
nscd itself recommends that it should be used if NSS lookup are expensive (such
as in case of NIS, NIS+ queries according to /etc/init.d/nscd). In case of
FreedomBox, LDAP queries are unlikely to be made using network. LDAP server is
likely always local. I believe we can safely remove nscd by masking and stopping
nscd.service and unscd.service.
Tests:
- After applying the patches, users app setup is re-run. Service nscd is stopped
and masked. unscd is also masked.
- Running 'id tester' shows expected value 'uid=10001(tester) gid=100(users)
groups=100(users),10002(admin)'.
- Adding, removing, renaming a user immediately reflects in 'id <user>'.
- Adding and removing a user from groups immediately reflects in 'id <user>'.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Don't delete overwrite.cli.url when the Nextcloud app's settings are
updated with no domain configured. Instead, set it to the default value
of http://localhost/nextcloud
We might want to consider updating existing, faulty setups.
Helps: #2433
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Fixes an issue where LDAP group membership info is not available long time
after system restart. This can happen when nscd cache is expired and name
service queries are made while nslcd is not yet started. As a result, nscd
group cache contains only local system groups and not LDAP groups. The issue
arises more likely in slow systems where slapd/nslcd startup can take minutes.
Could also depend on how long the device has been shut down before.
Tests performed:
- stop nscd service, start nslcd service, check form the logs that
nscd reload errors are ignored and nslcd service starts successfully.
- Test when nscd group cache is invalidated while nslcd is not running.
Run commands:
```
systemctl reload nscd
id tester
systemctl stop nslcd
nscd -i group
id tester
systemctl start nslcd
id tester
```
Result before patch applied.
```
uid=10001(tester) gid=100(users) groups=10002(admin),100(users)
uid=10001(tester) gid=100(users) groups=100(users)
uid=10001(tester) gid=100(users) groups=100(users)
```
Result after patch applied, tester is in the admins group at the end.
```
uid=10001(tester) gid=100(users) groups=10002(admin),100(users)
uid=10001(tester) gid=100(users) groups=100(users)
uid=10001(tester) gid=100(users) groups=10002(admin),100(users)
```
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Fixes: #2271
When domain name is updated, it usually results in a error page as the HTTP
connection is broken in the middle of a page load. This is due to apache
restarting in the middle of domain change operation by letsencrypt component.
This also leads to several functional tests failing. To fix this, ensure that
letsencrypt does a reload on the apache2 daemon instead of restarting it.
'reload' operation on apache2 triggers the command 'apachectl graceful'. It
ensures that currently running continue to serve the open HTTP connection until
the page load has been completed. After that those connections stop. Meanwhile,
the server reloads configuration (and apparently the related TLS certificates too).
Tests:
- Unit tests pass.
- When self-signed certificate is updated with 'make-ssl-cert
generate-default-snakeoil --force-overwrite' and 'systemctl
try-reload-or-restart apache2' is called, the new certificate is loaded by
apache2. Browser shows the untrusted certificate warning again. The
certificate information in the connection details has been updated.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Config app description is as expected.
- Config form does not show domain name field anymore.
- Submitting the form with changes works.
- Names app has correct link for configuring static domain name. Clicking it
takes to page for setting domain name.
- On startup, static domian name signal is sent properly if set. Otherwise no
signal is send.
- Change domain name form shows correct value for current domain name.
- Change domain name form sets the value for domain name properly.
- Page title is correct.
- Validations works.
- Add/remove domain name signals are sent properly.
- Success message as shown expected
- /etc/hosts is updated as expected.
- Unit tests work.
- Functional tests on ejabberd, letsencrypt, matrix, email, jsxc, openvpn
- After freshly starting the service. Visiting names app shows correct list of
domains.
- ejabberd:
- Installs works as expected. Currently set domain_name is setup properly.
Copy certificate happens on proper domain.
- Changing the domain sets the domain properly in ejabberd configuration.
- Ejabberd app page shows link to name services instead of config app.
Clicking works as expected.
- letsencrypt:
- When no domains are configured, the link to 'Configure domains' is to the
names app.
- matrix-synapse:
- Domain name is properly shown in the status.
- email:
- Primary domain name is shows properly in the app page.
- Setting new primary domain works.
- When installing, domain set as static domain name is prioritized as primary
domain.
- jsxc:
- Show the current static domain name in the domain field. BOSH server is
available.
- openvpn:
- Show the current static domain in profile is set otherwise show the current
hostname.
- If domain name is not set, downloaded OpenVPN profile shows hostname.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
