Merge branch 'master' into v7

NethServer · Apr 9, 2018 · 9c6360a · 9c6360a
2 parents dc1b737 + bf3a6fa
commit 9c6360a
Show file tree

Hide file tree

Showing 10 changed files with 198 additions and 10 deletions.
diff --git a/README.rst b/README.rst
@@ -187,7 +187,7 @@ If you wish to build documentation locally on your machine, make sure to install
 
 On Fedora 24 or later use: ::
 
-  sudo dnf install python2-sphinx
+  sudo dnf install python2-sphinx python2-sphinx-bootstrap-theme
 
 Then, install all required modules: ::
 

diff --git a/administrator-manual/en/.tx/config b/administrator-manual/en/.tx/config
@@ -335,3 +335,9 @@ source_file = _build/locale/subscription.pot
 source_lang = en
 type = PO
 
+[docs-v7.team_chat]
+file_filter = locale/<lang>/LC_MESSAGES/team_chat.po
+source_file = _build/locale/team_chat.pot
+source_lang = en
+type = PO
+
diff --git a/administrator-manual/en/hotsync.rst b/administrator-manual/en/hotsync.rst
@@ -36,9 +36,25 @@ Terminology
 Installation
 ============
 
-Install nethserver-hotsync on both MASTER and SLAVE, execute from command line: ::
+.. only:: nscom
+
+    Install nethserver-hotsync on both MASTER and SLAVE, execute from command line: ::
+    
+      yum install nethserver-hotsync
+
+.. only:: nsent
+
+    Install nethserver-hotsync on both MASTER and SLAVE.
+
+    To install the module on MASTER execute from command line: ::
+
+      yum install nethserver-hotsync
+
+    To install the module on SLAVE execute from command line: ::
+
+      yum install --disablerepo=nethesis-updates,nethesis-upstream nethserver-hotsync
+
 
-  yum install nethserver-hotsync
 
 If you want to tests the Cockpit-based web interface, execute also: ::
 

diff --git a/administrator-manual/en/index.rst b/administrator-manual/en/index.rst
@@ -79,6 +79,7 @@ Modules
    pop3_proxy
    pop3_connector
    chat
+   team_chat
    ups
    fax_server
    firewall

diff --git a/administrator-manual/en/nsent/_static/nethesis.css b/administrator-manual/en/nsent/_static/nethesis.css
@@ -197,8 +197,13 @@ img[alt="|product|"] {
     display: none;
 }
 .guilabel {
-    font-style: italic;
-    font-weight: bolder;
+    border: 1px solid #7fbbe3;
+    background: #e7f2fa;
+    font-size: 80%;
+    font-weight: 700;
+    border-radius: 4px;
+    padding: 2.4px 6px;
+    margin: auto 2px;
 }
 .table>tbody>tr>td, .table>tfoot>tr>td {
     word-break: break-word;

diff --git a/administrator-manual/en/team_chat.rst b/administrator-manual/en/team_chat.rst
@@ -0,0 +1,56 @@
+.. _team_chat-section:
+
+======================
+Team chat (Mattermost)
+======================
+
+The :index:`team chat` module installs Mattermost Team Edition platform inside |product|.
+
+Mattermost is an Open Source, private cloud :index:`Slack`-alternative. Check out the excellent official documentation: https://docs.mattermost.com/.
+
+Configuration
+=============
+
+Mattermost installation needs a dedicated virtual host, an FQDN like ``chat.nethserver.org``.
+
+Before proceeding with the configuration, make sure to create the corresponding DNS record. If |product| act as the DNS server of your LAN, please refer to :ref:`dns-section`.
+
+If your server is using a Let's Encrypt certificate as default, make also sure to have a corresponding public DNS record. See :ref:`server_certificate-section` for more info.
+
+How to configure:
+
+1. Access :guilabel:`Team chat` page inside the Server Manager
+2. Check :guilabel:`Enable Mattermost Team Edition`, then enter a valid FQDN inside :guilabel:`Virtual host name` field (eg. ``chat.nethserver.org``)
+3. Open the entered host name inside the browser, eg: ``https://chat.nethserver.org``.
+   At first access, a wizard will create the administrator user
+
+The following features are enabled by default:
+
+- mail notifications
+- push notifications for mobile apps
+- redirect from HTTP to HTTPS
+
+
+Authentication
+==============
+
+Mattermost authentication is *not* integrated with any Account Provider.
+The Mattermost administrator should take care of users and teams creation.
+To ease this task, the system administrator can use the :guilabel:`Import users` button..
+
+The command will:
+
+- create a default team named as the Company from :ref:`organization_contacts-section`
+- read all users from local or remote Account Providers and create them inside Mattermost
+
+Please note that:
+
+- users disabled in the Server Manager, or already existing in Mattermost, will be skipped
+- a random password will be generated for each user
+
+.. note::
+
+   Users are not automatically synced inside Mattermost.
+   Each time a user is created or removed, remember to execute ``mattermost-bulk-user-create`` command or
+   manually create the user using Mattermost administration web interface.
+
diff --git a/administrator-manual/en/tlspolicy.rst b/administrator-manual/en/tlspolicy.rst
@@ -14,8 +14,8 @@ compatibility with old clients.
 
 The following sections describe each policy identifier.
 
-Policy ``2018-03-30``
----------------------
+Policy 2018-03-30
+-----------------
 
 Apache
     * See https://bettercrypto.org/static/applied-crypto-hardening.pdf category B
@@ -24,6 +24,7 @@ Apache
         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
         
     * Disabled SSLv2 and SSLv3
+    * Ignore ``httpd/SSLCipherSuite`` property settings (see :ref:`Default upstream policy`)
 
 Dovecot
     * See https://bettercrypto.org/static/applied-crypto-hardening.pdf category B
@@ -41,8 +42,19 @@ OpenSSH
         MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
         KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
 
+Postfix
+    * See https://bettercrypto.org/static/applied-crypto-hardening.pdf category B
+    * Use TLS in outbound connections, if remote server supports it
+    * Disable SSLv2 and SSLv3 on submission ports
+    * Cipher suite ::
+        
+        EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:kEDH:CAMELLIA128-SHA:AES128-SHA
+        
+    * Exclude ciphers ::
+        
+        aNULL:eNULL:LOW:3DES:MD5:EXP:PSK:DSS:RC4:SEED:IDEA:ECDSA
 
-Policy ``Legacy``
------------------
+Default upstream policy
+-----------------------
 
-Backward compatible settings, as implemented in |product| 7.4
+The goal of this policy is retaining upstream settings. This is the original goal since |product| 7.
diff --git a/developer-manual/en/modules b/developer-manual/en/modules
@@ -40,3 +40,4 @@ nethserver-subscription
 nethserver-yum-cron
 nethserver-rh-php71-php-fpm
 nethserver-rh-php56-php-fpm
+nethserver-mattermost
diff --git a/developer-manual/en/nethserver-base.rst b/developer-manual/en/nethserver-base.rst
@@ -255,3 +255,25 @@ Keep logs for 6 months, rotate once a week: ::
   config setprop logrotate Times 24
   signal-event nethserver-base-update
 
+
+Transport Layer Security
+========================
+
+
+The ``TLS policy`` page controls how individual services configure the
+Transport Layer Security (TLS) protocol, by selecting a *policy identifier*.
+
+Each module implementation decides how to implement a specific policy
+identifier, providing a trade off between security and client compatibility.
+Newer policies are biased towards security, whilst older ones provide better
+compatibility with old clients.
+
+You can enforce the TLS policy (20180330), or choose the legacy one (empty policy property) if your 
+clients are not supported/maintained anymore (Windows XP for example).
+
+TLS db property in configuration database: ::
+  tls=configuration
+    policy=
+
+The event to expand the templates of all rpm which use TLS is ``tls-policy-save``
+
diff --git a/developer-manual/en/nethserver-mattermost.rst b/developer-manual/en/nethserver-mattermost.rst
@@ -0,0 +1,69 @@
+=====================
+nethserver-mattermost
+=====================
+
+Stack:
+
+- Mattermost
+- PostgreSQL 9.4 listening on non-standard port 55432
+- Apache as proxy server
+
+Apache configuration derived from: https://github.com/mattermost/docs/issues/1114
+
+
+First configuration
+===================
+
+Mattermost requires a dedicated virtualhost and it's accessibile only from HTTPS.
+
+To start Mattermost, execute:
+
+:: 
+
+  config setprop mattermost VirtualHost mattermost.yourdomain.com status enabled
+  signal-event nethserver-mattermost-update
+
+Then, access ``https://mattermost.yourdomain.com`` and perform the first configuration.
+
+
+Database
+========
+
+Properties:
+
+- ``TCPPort``: Mattermost listen port, change only for development purpose
+- ``VirtualHost``: dedicated FQDN for virtual host
+- ``status``: can be ``enabled`` or ``disabled``, default to ``disabled``
+- ``access``: firewall access, leave blank or at least set to ``none``
+
+Example: ::
+
+ mattermost=service
+    TCPPort=5432
+    VirtualHost=mattermost.local.neth.eu
+    access=
+    status=enabled
+
+Account synchronization
+=======================
+
+The ``mattermost-bulk-user-create`` command will:
+
+- create a default team named as the ``Company`` from ``OrganizationContact``
+- read all users from local or remote Account Providers and create them inside Mattermost
+
+Please note that:
+
+- users disabled in the Server Manager or already existing in Mattermost will be skipped
+- a random password will be generated for each user
+
+Forcing a common default password
+---------------------------------
+
+It's possible to set a default password for each new Mattermost user, just append the default
+password to command invocation.
+
+Example: ::
+
+  mattermost-bulk-user-create Password,1234
+