#!/bin/bash # _____ _ _ # | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___ # | __| _| -_| -_| . | . | | . | . | | -_| # |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___| # # Freedom in the Cloud # # cryptpad application # # License # ======= # # Copyright (C) 2017-2018 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . VARIANTS='full full-vim writer' IN_DEFAULT_INSTALL=0 SHOW_ON_ABOUT=1 SHOW_ICANN_ADDRESS_ON_ABOUT=0 CRYPTPAD_ONION_PORT=8119 CRYPTPAD_PORT=9003 CRYPTPAD_PORT2=9005 CRYPTPAD_REPO="https://github.com/xwiki-labs/cryptpad" CRYPTPAD_COMMIT='756681211b0fcc631ad0477246959fe4d71eb6e7' CRYPTPAD_DIR=/etc/cryptpad cryptpad_variables=(ONION_ONLY) function logging_on_cryptpad { echo -n '' } function logging_off_cryptpad { echo -n '' } function remove_user_cryptpad { remove_username="$1" } function add_user_cryptpad { new_username="$1" new_user_password="$2" echo '0' } function install_interactive_cryptpad { echo -n '' APP_INSTALLED=1 } function change_password_cryptpad { curr_username="$1" new_user_password="$2" } function reconfigure_cryptpad { if [ -d $CRYPTPAD_DIR/datastore ]; then rm -rf $CRYPTPAD_DIR/datastore fi } function cryptpad_generate_api_config { if [ ! -d $CRYPTPAD_DIR/customize/api ]; then mkdir -p $CRYPTPAD_DIR/customize/api fi wget 127.0.0.1:$CRYPTPAD_PORT/api/config -O $CRYPTPAD_DIR/customize/api/config if [ ! -f $CRYPTPAD_DIR/customize/api/config ]; then echo $'Unable to wget api/config' exit 89252 fi chown -R cryptpad:cryptpad $CRYPTPAD_DIR } function upgrade_cryptpad { CURR_CRYPTPAD_COMMIT=$(get_completion_param "cryptpad commit") if [[ "$CURR_CRYPTPAD_COMMIT" == "$CRYPTPAD_COMMIT" ]]; then return fi systemctl stop cryptpad # update to the next commit function_check set_repo_commit set_repo_commit $CRYPTPAD_DIR "cryptpad commit" "$CRYPTPAD_COMMIT" $CRYPTPAD_REPO cd $CRYPTPAD_DIR || exit 254724 cryptpad_create_config npm upgrade npm install rm -rf $CRYPTPAD_DIR/.cache/bower su -c './node_modules/bower/bin/bower install --config.interactive=false' - cryptpad su -c './node_modules/bower/bin/bower update --config.interactive=false' - cryptpad cryptpad_generate_api_config chown -R cryptpad:cryptpad $CRYPTPAD_DIR systemctl start cryptpad } function backup_local_cryptpad { source_directory=$CRYPTPAD_DIR/datastore if [ -d $source_directory ]; then systemctl stop cryptpad dest_directory=cryptpad function_check suspend_site suspend_site cryptpad function_check backup_directory_to_usb backup_directory_to_usb $source_directory $dest_directory function_check restart_site restart_site systemctl start cryptpad fi } function restore_local_cryptpad { if [ -d $CRYPTPAD_DIR ]; then systemctl stop cryptpad temp_restore_dir=/root/tempcryptpad function_check restore_directory_from_usb restore_directory_from_usb $temp_restore_dir cryptpad if [ ! -d $temp_restore_dir$CRYPTPAD_DIR/datastore ]; then if [ -d $temp_restore_dir ]; then cp -r $temp_restore_dir/* $CRYPTPAD_DIR/datastore/ else systemctl start cryptpad echo 'Failed to restore cryptpad' rm -rf $temp_restore_dir exit 8736529 fi else cp -r $temp_restore_dir$CRYPTPAD_DIR/datastore/* $CRYPTPAD_DIR/datastore/ fi rm -rf $temp_restore_dir systemctl start cryptpad fi } function backup_remote_cryptpad { if grep -q "cryptpad domain" "$COMPLETION_FILE"; then temp_backup_dir=$CRYPTPAD_DIR/datastore if [ -d $temp_backup_dir ]; then systemctl stop cryptpad function_check suspend_site suspend_site cryptpad echo $"Backing up Cryptpad installation" function_check backup_directory_to_friend backup_directory_to_friend $temp_backup_dir cryptpad function_check restart_site restart_site systemctl start cryptpad else echo $"cryptpad domain specified but not found in ${temp_backup_dir}" fi fi } function restore_remote_cryptpad { if [ -d $CRYPTPAD_DIR ]; then systemctl stop cryptpad temp_restore_dir=/root/tempcryptpad function_check restore_directory_from_usb restore_directory_from_friend $temp_restore_dir cryptpad if [ ! -d $temp_restore_dir$CRYPTPAD_DIR/datastore ]; then if [ -d $temp_restore_dir ]; then cp -r $temp_restore_dir/* $CRYPTPAD_DIR/datastore/ else systemctl start cryptpad echo 'Failed to restore cryptpad' rm -rf $temp_restore_dir return fi else cp -r $temp_restore_dir$CRYPTPAD_DIR/datastore/* $CRYPTPAD_DIR/datastore/ fi rm -rf $temp_restore_dir systemctl start cryptpad fi } function remove_cryptpad { systemctl stop cryptpad systemctl disable cryptpad if [ -f /etc/systemd/system/cryptpad.service ]; then rm /etc/systemd/system/cryptpad.service fi systemctl daemon-reload function_check remove_nodejs remove_nodejs cryptpad nginx_dissite cryptpad if [ -d $CRYPTPAD_DIR ]; then rm -rf $CRYPTPAD_DIR fi if [ -f /etc/nginx/sites-available/cryptpad ]; then rm /etc/nginx/sites-available/cryptpad fi function_check remove_onion_service remove_onion_service cryptpad ${CRYPTPAD_ONION_PORT} remove_app cryptpad remove_completion_param install_cryptpad sed -i '/cryptpad/d' "$COMPLETION_FILE" userdel -r cryptpad } function cryptpad_create_config { cryptpad_install_type=$1 cryptpad_prefix= if [[ "$cryptpad_install_type" == "mesh" ]]; then # shellcheck disable=SC2154 cryptpad_prefix="$rootdir" fi { echo '/*@flow*/'; echo '/*'; echo ' globals module'; echo '*/'; echo "var domain = ' http://localhost:${CRYPTPAD_PORT}/';"; echo 'module.exports = {'; echo " httpAddress: '::',"; echo ' httpHeaders: {'; echo ' "X-XSS-Protection": "1; mode=block",'; echo ' "X-Content-Type-Options": "nosniff",'; echo ' "Access-Control-Allow-Origin": "*"'; echo ' },'; echo ''; echo ' contentSecurity: ['; echo " \"default-src 'none'\","; echo " \"style-src 'unsafe-inline' 'self' \" + domain,"; echo " \"script-src 'self'\" + domain,"; echo " \"font-src 'self' data:\" + domain,"; echo ''; echo ' "child-src blob: *",'; echo ' "frame-src blob: *",'; echo ' "media-src * blob:",'; echo ''; echo " \"connect-src 'self' ws: wss: blob:\" + domain,"; echo ''; echo " \"img-src 'self' data: blob:\" + domain,"; echo ''; echo ' "frame-ancestors *",'; echo " ].join('; '),"; echo ''; echo ' padContentSecurity: ['; echo " \"default-src 'none'\","; echo " \"style-src 'unsafe-inline' 'self'\" + domain,"; echo " \"script-src 'self' 'unsafe-eval' 'unsafe-inline'\" + domain,"; echo " \"font-src 'self'\" + domain,"; echo ''; echo ' "child-src *",'; echo ' "frame-src *",'; echo ''; echo " \"connect-src 'self' ws: wss:\" + domain,"; echo ''; echo ' "img-src * blob:",'; echo " ].join('; '),"; echo ''; echo " httpPort: ${CRYPTPAD_PORT},"; echo ''; echo ' // This is for allowing the cross-domain iframe to function when developing'; echo " httpSafePort: ${CRYPTPAD_PORT2},"; echo ''; echo " websocketPath: '/cryptpad_websocket',"; echo ''; echo ' logToStdout: false,'; echo ''; echo ' verbose: false,'; echo ''; echo ' mainPages: ['; echo " 'index'"; echo ' ],'; echo ''; echo ' removeDonateButton: true,'; echo ' allowSubscriptions: false,'; } > "$cryptpad_prefix$CRYPTPAD_DIR/config.js" if [[ "$cryptpad_install_type" == "mesh" ]]; then echo " myDomain: 'http://P${PEER_ID}.local'," >> "$cryptpad_prefix$CRYPTPAD_DIR/config.js" else CRYPTPAD_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_cryptpad/hostname) echo " myDomain: 'http://${CRYPTPAD_ONION_HOSTNAME}'," >> "$cryptpad_prefix$CRYPTPAD_DIR/config.js" fi { echo ' defaultStorageLimit: 50 * 1024 * 1024,'; echo ''; echo ' customLimits: {'; echo ' },'; echo ''; echo ' adminEmail: false,'; echo ''; echo " storage: './storage/file',"; echo ''; echo " filePath: './datastore/',"; echo " pinPath: './pins',"; echo " blobPath: './blob',"; echo " blobStagingPath: './blobstage',"; echo ' channelExpirationMs: 30000,'; echo ' openFileLimit: 1024,'; echo " rpc: './rpc.js',"; echo ' suppressRPCErrors: false,'; echo ' enableUploads: true,'; echo ' //restrictUploads: false,'; echo ' maxUploadSize: 20 * 1024 * 1024,'; echo ' //logFeedback: true,'; echo ' //logRPC: true,'; echo '};'; } >> "$cryptpad_prefix$CRYPTPAD_DIR/config.js" if [[ "$cryptpad_install_type" != "mesh" ]]; then chown cryptpad:cryptpad "$cryptpad_prefix$CRYPTPAD_DIR/config.js" else chroot "$rootdir" chown cryptpad:cryptpad $CRYPTPAD_DIR/config.js fi } function mesh_install_cryptpad { # shellcheck disable=SC2153 if [[ "$VARIANT" != "meshclient" && "$VARIANT" != "meshusb" ]]; then return fi if [ ! -d "$rootdir/var/www/cryptpad" ]; then mkdir "$rootdir/var/www/cryptpad" fi if [ -d "$rootdir$CRYPTPAD_DIR" ]; then rm -rf "$rootdir$CRYPTPAD_DIR" fi git_clone "$CRYPTPAD_REPO" "$rootdir$CRYPTPAD_DIR" if [ ! -d "$rootdir$CRYPTPAD_DIR" ]; then echo $'Unable to clone cryptpad repo' exit 783251 fi # an unprivileged user to run as chroot "$rootdir" useradd -d $CRYPTPAD_DIR/ cryptpad cd "$rootdir$CRYPTPAD_DIR" || exit 34683568 git checkout "$CRYPTPAD_COMMIT" -b "$CRYPTPAD_COMMIT" chroot "$rootdir" chown -R cryptpad:cryptpad $CRYPTPAD_DIR cryptpad_nginx_site=$rootdir/etc/nginx/sites-available/cryptpad { echo 'server {'; echo ' listen [::]:80 default_server;'; echo " server_name P${PEER_ID}.local;"; echo ''; echo ' # Logs'; echo ' access_log /dev/null;'; echo ' error_log /dev/null;'; echo ''; echo ' # Root'; echo " root $CRYPTPAD_DIR;"; echo ''; echo ' index index.html;'; echo ''; echo ' add_header X-XSS-Protection "1; mode=block";'; echo ' add_header X-Content-Type-Options nosniff;'; echo ' add_header X-Frame-Options SAMEORIGIN;'; echo ''; echo " if (\$uri = /pad/inner.html) {"; echo " set \$scriptSrc \"'self' 'unsafe-eval' 'unsafe-inline'\";"; echo ' }'; echo ''; echo ' location = /cryptpad_websocket {'; echo " proxy_pass http://[::]:$CRYPTPAD_PORT;"; echo " proxy_set_header X-Real-IP \$remote_addr;"; echo " proxy_set_header Host \$host;"; echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;"; echo ''; echo ' # WebSocket support (nginx 1.4)'; echo ' proxy_http_version 1.1;'; echo " proxy_set_header Upgrade \$http_upgrade;"; echo ' proxy_set_header Connection upgrade;'; echo ' }'; echo ''; echo ' location ^~ /customize.dist/ {'; echo ' # This is needed in order to prevent infinite recursion between /customize/ and the root'; echo ' }'; echo ' location ^~ /customize/ {'; echo " rewrite ^/customize/(.*)\$ \$1 break;"; echo " try_files /customize/\$uri /customize.dist/\$uri;"; echo ' }'; echo ' location = /api/config {'; echo " proxy_pass http://localhost:$CRYPTPAD_PORT;"; echo " proxy_set_header X-Real-IP \$remote_addr;"; echo " proxy_set_header Host \$host;"; echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;"; echo ' }'; echo ''; echo ' location ^~ /blob/ {'; echo ' add_header Cache-Control max-age=31536000;'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /datastore/ {'; echo ' add_header Cache-Control max-age=0;'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /register/ {'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /login/ {'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /about.html {'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /contact.html {'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /what-is-cryptpad.html {'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media)$ {'; echo " rewrite ^(.*)\$ \$1/ redirect;"; echo ' }'; echo ''; echo " try_files /www/\$uri /www/\$uri/index.html /customize/\$uri;"; echo '}'; } > "$cryptpad_nginx_site" cd "$rootdir$CRYPTPAD_DIR" || exit 6246824624527 get_npm_arch cat < "$rootdir/usr/bin/install_cryptpad" #!/bin/bash cd $CRYPTPAD_DIR || exit 358735 npm install --arch=$NPM_ARCH --build-from-source npm install --arch=$NPM_ARCH bower@1.8.4 chown -R cryptpad:cryptpad $CRYPTPAD_DIR su -c './node_modules/bower/bin/bower install --config.interactive=false' - cryptpad cp config.example.js config.js EOF chmod +x "$rootdir/usr/bin/install_cryptpad" chroot "$rootdir" /usr/bin/install_cryptpad if [ ! -f "$rootdir$CRYPTPAD_DIR/config.js" ]; then echo $'Cryptpad config file not found' exit 628252 fi rm "$rootdir/usr/bin/install_cryptpad" cryptpad_create_config mesh chroot "$rootdir" chown -R cryptpad:cryptpad $CRYPTPAD_DIR # daemon { echo '[Unit]'; echo 'Description=Cryptpad'; echo 'After=syslog.target'; echo 'After=network.target'; echo ''; echo '[Service]'; echo 'User=cryptpad'; echo 'Group=cryptpad'; echo "WorkingDirectory=$CRYPTPAD_DIR"; echo "ExecStart=/usr/local/bin/node $CRYPTPAD_DIR/server.js"; echo 'Environment=PATH=/usr/bin:/usr/local/bin'; echo 'Environment=NODE_ENV=production'; echo 'Restart=on-failure'; echo ''; echo '[Install]'; echo 'WantedBy=multi-user.target'; } > "$rootdir/etc/systemd/system/cryptpad.service" chroot "$rootdir" systemctl enable cryptpad.service } function install_cryptpad_main { if [[ $(app_is_installed cryptpad_main) == "1" ]]; then return fi if [ ! -d /var/www/cryptpad ]; then mkdir /var/www/cryptpad fi if [ -d $CRYPTPAD_DIR ]; then rm -rf $CRYPTPAD_DIR fi if [ -d /repos/cryptpad ]; then mkdir $CRYPTPAD_DIR cp -r -p /repos/cryptpad/. $CRYPTPAD_DIR cd $CRYPTPAD_DIR || exit 3468356385 git pull else function_check git_clone git_clone $CRYPTPAD_REPO $CRYPTPAD_DIR fi if [ ! -d $CRYPTPAD_DIR ]; then echo $'Unable to clone cryptpad repo' exit 783251 fi # an unprivileged user to run as useradd -d $CRYPTPAD_DIR/ cryptpad cd $CRYPTPAD_DIR || exit 34683655 git checkout $CRYPTPAD_COMMIT -b $CRYPTPAD_COMMIT set_completion_param "cryptpad commit" "$CRYPTPAD_COMMIT" chown -R cryptpad:cryptpad $CRYPTPAD_DIR CRYPTPAD_ONION_HOSTNAME=$(add_onion_service cryptpad 80 ${CRYPTPAD_ONION_PORT}) cryptpad_nginx_site=/etc/nginx/sites-available/cryptpad { echo 'server {'; echo " listen 127.0.0.1:$CRYPTPAD_ONION_PORT default_server;"; echo " server_name $CRYPTPAD_ONION_HOSTNAME;"; echo ''; echo ' # Logs'; echo ' access_log /dev/null;'; echo ' error_log /dev/null;'; echo ''; echo ' # Root'; echo " root $CRYPTPAD_DIR;"; echo ''; echo ' index index.html;'; echo ''; echo " if (\$args ~ ver=) {"; echo " set \$cacheControl max-age=31536000;"; echo ' }'; echo " add_header Cache-Control \$cacheControl;"; echo ''; echo ' add_header X-XSS-Protection "1; mode=block";'; echo ' add_header X-Content-Type-Options nosniff;'; echo ' add_header X-Frame-Options SAMEORIGIN;'; echo ''; echo " if (\$uri = /pad/inner.html) {"; echo " set \$scriptSrc \"'self' 'unsafe-eval' 'unsafe-inline'\";"; echo ' }'; echo ''; echo ' location = /cryptpad_websocket {'; echo " proxy_pass http://localhost:$CRYPTPAD_PORT;"; echo " proxy_set_header X-Real-IP \$remote_addr;"; echo " proxy_set_header Host \$host;"; echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;"; echo ''; echo ' # WebSocket support (nginx 1.4)'; echo ' proxy_http_version 1.1;'; echo " proxy_set_header Upgrade \$http_upgrade;"; echo ' proxy_set_header Connection upgrade;'; echo ' }'; echo ''; echo ' location ^~ /customize.dist/ {'; echo ' # This is needed in order to prevent infinite recursion between /customize/ and the root'; echo ' }'; echo ' location ^~ /customize/ {'; echo " rewrite ^/customize/(.*)\$ \$1 break;"; echo " try_files /customize/\$uri /customize.dist/\$uri;"; echo ' }'; echo ' location = /api/config {'; echo " proxy_pass http://localhost:$CRYPTPAD_PORT;"; echo " proxy_set_header X-Real-IP \$remote_addr;"; echo " proxy_set_header Host \$host;"; echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;"; echo ' }'; echo ''; echo ' location ^~ /blob/ {'; echo ' add_header Cache-Control max-age=31536000;'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /datastore/ {'; echo ' add_header Cache-Control max-age=0;'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /register/ {'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /login/ {'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /about.html {'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /contact.html {'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ^~ /what-is-cryptpad.html {'; echo " try_files \$uri =404;"; echo ' }'; echo ''; echo ' location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media)$ {'; echo " rewrite ^(.*)\$ \$1/ redirect;"; echo ' }'; echo ''; echo " try_files /www/\$uri /www/\$uri/index.html /customize/\$uri;"; echo '}'; } > $cryptpad_nginx_site function_check nginx_ensite nginx_ensite cryptpad install_completed cryptpad_main } function install_cryptpad { function_check install_nodejs install_nodejs cryptpad install_cryptpad_main cd $CRYPTPAD_DIR || exit 35483548 npm install npm install bower@1.8.4 chown -R cryptpad:cryptpad $CRYPTPAD_DIR su -c './node_modules/bower/bin/bower install --config.interactive=false' - cryptpad su -c './node_modules/bower/bin/bower update --config.interactive=false' - cryptpad cp config.example.js config.js if [ ! -f config.js ]; then echo $'Cryptpad config file not found' exit 628252 fi cryptpad_create_config chown -R cryptpad:cryptpad $CRYPTPAD_DIR # daemon { echo '[Unit]'; echo 'Description=Cryptpad'; echo 'After=syslog.target'; echo 'After=network.target'; echo ''; echo '[Service]'; echo 'User=cryptpad'; echo 'Group=cryptpad'; echo "WorkingDirectory=$CRYPTPAD_DIR"; echo "ExecStart=/usr/local/bin/node $CRYPTPAD_DIR/server.js"; echo 'Environment=PATH=/usr/bin:/usr/local/bin'; echo 'Environment=NODE_ENV=production'; echo 'Restart=on-failure'; echo ''; echo '[Install]'; echo 'WantedBy=multi-user.target'; } > /etc/systemd/system/cryptpad.service systemctl enable cryptpad.service systemctl daemon-reload systemctl start cryptpad.service sleep 8 cryptpad_generate_api_config # install again cd $CRYPTPAD_DIR || exit 73537453 su -c './node_modules/bower/bin/bower install --config.interactive=false' - cryptpad systemctl restart nginx APP_INSTALLED=1 } # NOTE: deliberately there is no "exit 0"