Merge branch 'master' into v7

administrator-manual/en/.tx/config

@@ -322,3 +322,16 @@ file_filter = locale/<lang>/LC_MESSAGES/hotsync.po
 source_file = _build/locale/hotsync.pot
 source_lang = en
 type = PO
+
+[docs-v7.tlspolicy]
+file_filter = locale/<lang>/LC_MESSAGES/tlspolicy.po
+source_file = _build/locale/tlspolicy.pot
+source_lang = en
+type = PO
+
+[docs-v7.subscription]
+file_filter = locale/<lang>/LC_MESSAGES/subscription.po
+source_file = _build/locale/subscription.pot
+source_lang = en
+type = PO
+

administrator-manual/en/index.rst

@@ -44,6 +44,13 @@ Installation
    access
    registration
 
+.. only:: nscom
+
+    .. toctree::
+       :maxdepth: 1
+
+       subscription
+
 Configuration
 -------------
 
@@ -55,6 +62,7 @@ Configuration
    accounts
    dns
    dhcp
+   tlspolicy
 
 Modules
 -------

administrator-manual/en/migration.rst

@@ -37,12 +37,16 @@ starting the migration procedure.
 
 * In any other case, install a *local LDAP* accounts provider.
 
-.. warning:: 
+If you choose a *local Active Directory* accounts provider, remember to fully
+configure and start the DC before executing the ``migration-import`` event. See
+:ref:`account-providers`.
 
-    If you choose a local Active Directory accounts provider, remember to
-    fully configure and start the DC before executing the ``migration-import`` event.
-    See :ref:`account-providers`.
+Furthermore, the following accounts are ignored by the migration procedure
+because they are already provided by Active Directory:
 
+* ``administrator``
+* ``guest``
+* ``krbtgt``
 
 .. index::
    pair: migration; email

administrator-manual/en/subscription.rst

@@ -0,0 +1,26 @@
+======================
+|product| subscription
+======================
+
+A |product| installation can be registerd to a public or private Dartagnan [#Dartagnan]_ instance,
+getting access to monitoring portal and stable update repositories.
+
+The |product| Subscription by Nethesis [#Nethesis]_ enables access to a public ready-to-use Dartagnan instance,
+along with immediate professional support services for your |product| deployments.
+
+Detailed info available: https://my.nethserver.com
+
+Register an installation
+========================
+
+1. Access :guilabel:`Subscription` page from the Server Manager
+2. Click on :guilabel:`Subscribe`
+3. Login or register to https://my.nethserver.com to obtain a registration code
+4. Copy and paste the code inside the :guilabel:`Registration token` field
+5. Click on :guilabel:`Register now` button
+
+At the end, the subscription plan name and validity are reported inside the page.
+Monitoring and access to stable repositories are automatically enabeld.
+
+.. [#Dartagnan] Dartagnan documentation: https://nethesis.github.io/dartagnan/
+.. [#Nethesis] Nethesis official site: http://www.nethesis.it

administrator-manual/en/tlspolicy.rst

@@ -0,0 +1,48 @@
+.. _tlspolicy-section:
+
+==========
+TLS policy
+==========
+
+The :guilabel:`TLS policy` page controls how individual services configure the
+Transport Layer Security (TLS) protocol, by selecting a *policy identifier*.
+
+Each module implementation decides how to implement a specific policy
+identifier, providing a trade off between security and client compatibility.
+Newer policies are biased towards security, whilst older ones provide better
+compatibility with old clients.
+
+The following sections describe each policy identifier.
+
+Policy ``2018-03-30``
+---------------------
+
+Apache
+    * See https://bettercrypto.org/static/applied-crypto-hardening.pdf category B
+    * Cipher suite ::
+        
+        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+        
+    * Disabled SSLv2 and SSLv3
+
+Dovecot
+    * See https://bettercrypto.org/static/applied-crypto-hardening.pdf category B
+    * Cipher suite ::
+        
+        EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+        
+    * Disabled SSLv2 and SSLv3
+
+OpenSSH
+    * See https://github.com/NethServer/nethserver-openssh/pull/6
+    * Configuration snippet ::
+        
+        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
+        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
+
+
+Policy ``Legacy``
+-----------------
+
+Backward compatible settings, as implemented in |product| 7.4

administrator-manual/en/ui/TlsPolicy.rst

@@ -0,0 +1,8 @@
+.. _TlsPolicyUi-section:
+
+==========
+TLS policy
+==========
+
+Enforced security level
+    Configures the system services as described in the :ref:`tlspolicy-section` section

administrator-manual/en/upgrade.rst

@@ -45,6 +45,13 @@ select the :guilabel:`Upgrade to Active Directory` procedure.
 The button will be available only if network configuration has already been
 fixed accordingly to the new hardware.
 
+The following accounts are ignored by the upgrade procedure because they are
+already provided by Samba Active Directory:
+
+* ``administrator``
+* ``guest``
+* ``krbtgt``
+
 An additional, free, IP address from the *green* network is required by the
 Linux container to run the local Active Directory accounts provider.
 
@@ -178,16 +185,9 @@ However Owncloud 7 is still available to avoid service disruption after the upgr
    Nextcloud after the upgrade to Samba Active Directory has been completed.
 
 
-Migration from Owncloud to Nextcloud is manual and can be arranged according
-to user's need.
-The migration script will import all files and users from LDAP to Nextcloud,
-but shared resources **will not** be migrated.
-
-To migrate users and data, use following command: ::
-
-    /usr/share/doc/$(rpm -q --queryformat "%{NAME}-%{VERSION}" nethserver-nextcloud)/owncloud-migrate
+From Nextcloud 13, the migration from Owncloud to Nextcloud is not supported anymore.
 
-After the migration, please replace Owncloud clients with Nextcloud ones [#DownloadNC]_,
+Users should replace Owncloud clients with Nextcloud ones [#DownloadNC]_,
 then make sure to set the new application URL: ``https://<your_server_address>/nextcloud``.
 
 .. [#DownloadNC] Nextcloud clients download https://nextcloud.com/install/#install-clients
@@ -307,10 +307,27 @@ The script will:
 - sync all remaining data
 - execute ``restore-config`` on the destination machine
 
-At the end of ``rsync-upgrade`` run the following steps:
+If ``rsync-upgrade`` terminates without loosing the network connection,
+
+#. Disconnect the original ns6 from network, to avoid IP conflict with the destination server
 
 #. Access the server manager UI and fix the network configuration from the :guilabel:`Network` page
 
+Otherwise, if during ``rsync-upgrade`` **the network connection is lost**, it is likely
+that the source and destination servers have an **IP conflict**:
+
+#. Disconnect the original ns6 from network,
+
+#. From a ns7 root console run the command: ::
+
+    systemctl restart network
+
+#. Then grab the screen device: ::
+
+    screen -r -D
+
+At the end of ``rsync-upgrade`` run the following steps:
+
 #. If the source system was a NT Primary Domain Controller (Samba server role was
    :guilabel:`Primary Domain Controller` -- PDC) or a standalone file server
    (role was :guilabel:`Workstation` -- WS), refer to :ref:`pdc-upgrade-section`.
@@ -323,10 +340,6 @@ At the end of ``rsync-upgrade`` run the following steps:
 
     signal-event post-restore-data
 
-#. If you upgraded from PDC or WS to Active Directory, fix home directories permissions with the following command: ::
-    
-      getent group 'domain users' && { for D in /var/lib/nethserver/home/*; do chown -R $(basename D):'domain users' $D; done }
-
 #. Check the restore logs for any ``ERROR`` or ``FAIL`` message: ::
 
     /var/log/restore-data.log