From be53f760a46d974c72d7b9107027be0c938fc057 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sun, 20 Jan 2019 00:55:15 +0100 Subject: [PATCH 01/31] dh_params --- data/hooks/conf_regen/15-nginx | 4 ++++ data/templates/nginx/plain/yunohost_admin.conf | 4 +++- data/templates/nginx/server.tpl.conf | 6 ++++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index 461c10c0c0..a7e65b9f85 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx @@ -49,6 +49,10 @@ do_pre_regen() { | jq ".certificates.\"$domain\".CA_type" \ | tr -d '"') + if [[ -e "/etc/ssl/private/dh2048.pem" ]]; then + export dh_params=true; + fi + ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf" ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}/config-v1.1.xml" diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf index 3de66e3e63..3dbeaaaa2d 100644 --- a/data/templates/nginx/plain/yunohost_admin.conf +++ b/data/templates/nginx/plain/yunohost_admin.conf @@ -43,9 +43,11 @@ server { #ssl_protocols TLSv1.2; #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + {% if dh_params %} # Uncomment the following directive after DH generation # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 - #ssl_dhparam /etc/ssl/private/dh2048.pem; + ssl_dhparam /etc/ssl/private/dh2048.pem; + {% endif %} # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners # https://wiki.mozilla.org/Security/Guidelines/Web_Security 
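Review bot: The hook's guard tests only that `/etc/ssl/private/dh2048.pem` exists (`[[ -e ... ]]`), so an empty or truncated file — e.g. left behind by a failed or interrupted `openssl dhparam` run — still exports `dh_params=true`, the templates emit `ssl_dhparam`, and nginx then rejects the whole configuration at the next reload. Testing for a non-empty file is the cheapest hardening: `if [[ -s "/etc/ssl/private/dh2048.pem" ]]; then`. The trailing `;` after `export dh_params=true` is harmless but stray. do_pre_regen() starts before the hunk and continues after it.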
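Review bot: The comment kept above the now-active directive, `# Uncomment the following directive after DH generation`, is stale once `ssl_dhparam` is rendered automatically inside the `{% if dh_params %}` block; the server.tpl.conf hunk of this commit keeps the same stale comment. Replacing the first comment line with `# Rendered only when the conf_regen hook finds /etc/ssl/private/dh2048.pem` (keeping the openssl invocation line as a pointer) tells the next reader where the condition is decided. Note also that `ssl_dhparam` only affects DHE-* suites: the commented-out `#ssl_ciphers` line visible in this hunk lists ECDHE suites only, so whichever list is active outside the hunk must contain DHE-* entries for the directive to have any effect.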
diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index ee20c29c9b..cad74ef3f2 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -44,10 +44,12 @@ server { #ssl_protocols TLSv1.2; #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + {% if dh_params %} # Uncomment the following directive after DH generation # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 - #ssl_dhparam /etc/ssl/private/dh2048.pem; - + ssl_dhparam /etc/ssl/private/dh2048.pem; + {% endif %} + # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners # https://wiki.mozilla.org/Security/Guidelines/Web_Security # https://observatory.mozilla.org/ From 077f4132d60b6f5190951a40ad3fbace5ccf0797 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sun, 20 Jan 2019 00:59:37 +0100 Subject: [PATCH 02/31] dh_params (forget :) ) --- src/yunohost/tools.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index 189b1db09f..bbafdee220 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py @@ -322,6 +322,17 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, else: dyndns = False + cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" + + command = "openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam && rm /etc/cron.hourly/yunohost-generate-dh-params\n" + + + with open(cron_job_file, "w") as f: + f.write("#!/bin/bash\n") + f.write(command) + + _set_permissions(cron_job_file, "root", "root", 0o755) + operation_logger.start() logger.info(m18n.n('yunohost_installing')) 
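Review bot: The generated cron script passes `-dsaparam` to `openssl dhparam`, which produces DSA-style (non-safe-prime) parameters for speed; the openssl(1) manual warns that such parameters need a fresh DH private key for every handshake to avoid small-subgroup attacks. nginx on a current OpenSSL always does that (SSL_OP_SINGLE_DH_USE has been forced on since 1.0.2f, to be confirmed for the target release), so this is acceptable, but the trade-off is invisible to a reader and deserves a comment on the `command =` line such as `# -dsaparam: fast non-safe-prime group; relies on nginx/OpenSSL using a fresh DH key per handshake`. The script removes itself only when generation succeeds, so a persistent failure reruns every hour with nothing but cron's mail as a trace. tools_postinstall's body continues outside the hunk.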
From 3bc82d608f2660652d1b3ea4f299e6b5c76b6de1 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sun, 20 Jan 2019 01:04:41 +0100 Subject: [PATCH 03/31] typo --- data/hooks/conf_regen/15-nginx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index a7e65b9f85..f5d9674dc2 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx @@ -50,7 +50,9 @@ do_pre_regen() { | tr -d '"') if [[ -e "/etc/ssl/private/dh2048.pem" ]]; then - export dh_params=true; + export dh_params=true + else + export dh_params=false fi ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf" From 7dcef3acd7e6d1e66f095caa5d8c2929c5b1d8dd Mon Sep 17 00:00:00 2001 From: frju365 Date: Sun, 20 Jan 2019 02:24:34 +0100 Subject: [PATCH 04/31] Update tools.py --- src/yunohost/tools.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index bbafdee220..b0e5c20ee1 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py @@ -324,7 +324,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" - command = "openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam && rm /etc/cron.hourly/yunohost-generate-dh-params\n" + command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam && rm /etc/cron.hourly/yunohost-generate-dh-params\n" with open(cron_job_file, "w") as f: From 4d446b2061d09a5db0ed131793da9ede83c31531 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sun, 20 Jan 2019 02:34:50 +0100 Subject: [PATCH 05/31] avoid error log --- src/yunohost/tools.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index b0e5c20ee1..587065e6df 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py 
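Review bot: `export dh_params=false` in the new `else` branch very likely does not disable the template block: if environment variables reach the Jinja template as strings, the non-empty string `false` is truthy in `{% if dh_params %}`, so `ssl_dhparam /etc/ssl/private/dh2048.pem;` is rendered even when the file is absent and nginx fails to load the config — which would explain the "doesn't work" observed in patches 29/30. Unless ynh_render_template converts values (not visible here), the else branch should export an empty value, `export dh_params=""`, or be dropped so the variable stays undefined as in patch 01. do_pre_regen() continues outside the hunk.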
@@ -324,7 +324,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" - command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam && rm /etc/cron.hourly/yunohost-generate-dh-params\n" + command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null && rm /etc/cron.hourly/yunohost-generate-dh-params\n" with open(cron_job_file, "w") as f: @@ -332,7 +332,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, f.write(command) _set_permissions(cron_job_file, "root", "root", 0o755) - + operation_logger.start() logger.info(m18n.n('yunohost_installing')) @@ -463,6 +463,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, # (by default, i.e. first argument = None, it won't because it's too touchy) service_regen_conf(names=["ssh"], force=True) + service_regen_conf(['nginx'], force=True) logger.success(m18n.n('yunohost_configured')) logger.warning(m18n.n('recommend_to_add_first_user')) From 9789b9c10daa009bd8e0ed02ade6d10aa600d802 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sun, 20 Jan 2019 02:40:34 +0100 Subject: [PATCH 06/31] redirect log to file /var/log/yunohost/dhparam_generation.log --- src/yunohost/tools.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index 587065e6df..29754807c3 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py 
@@ -324,7 +324,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" - command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /dev/null && rm /etc/cron.hourly/yunohost-generate-dh-params\n" + command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n" with open(cron_job_file, "w") as f: From f16d42e75cb558c8302a4bf70694813e5425f738 Mon Sep 17 00:00:00 2001 From: frju365 Date: Tue, 22 Jan 2019 21:18:58 +0100 Subject: [PATCH 07/31] add render for Yunohost-admin --- data/hooks/conf_regen/15-nginx | 1 + 1 file changed, 1 insertion(+) diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index f5d9674dc2..1ffe47e0af 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx @@ -56,6 +56,7 @@ do_pre_regen() { fi ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf" + ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/yunohost-admin.conf" ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}/config-v1.1.xml" [[ $main_domain != $domain ]] \ From 761a01bf1c3953aaf2e578bb598fe78e43901ba3 Mon Sep 17 00:00:00 2001 From: frju365 Date: Tue, 5 Feb 2019 17:56:15 +0100 Subject: [PATCH 08/31] Update 15-nginx --- data/hooks/conf_regen/15-nginx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index 1ffe47e0af..ed8eea2ab2 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx 
@@ -56,7 +56,7 @@ do_pre_regen() { fi ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf" - ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/yunohost-admin.conf" + ynh_render_template "plain/yunohost_admin.conf" "${nginx_conf_dir}/yunohost-admin.conf" ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}/config-v1.1.xml" [[ $main_domain != $domain ]] \ From b7e97a72558ccbd2c527021eb1c1bc2d153ed3b1 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 8 Feb 2019 15:56:14 +0100 Subject: [PATCH 09/31] Update tools.py --- src/yunohost/tools.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index 29754807c3..f8686a8435 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py @@ -324,7 +324,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" - command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n" + command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && rm /etc/cron.hourly/yunohost-generate-dh-params\n" with open(cron_job_file, "w") as f: From c4cd1359fb471835baff398f6ffe7b575bb30747 Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 18 Feb 2019 14:51:19 +0100 Subject: [PATCH 10/31] Strange migration --- .../data_migrations/0009_dh_params.py | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 src/yunohost/data_migrations/0009_dh_params.py diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py new file mode 100644 index 0000000000..55473bf977 --- /dev/null +++ b/src/yunohost/data_migrations/0009_dh_params.py 
@@ -0,0 +1,37 @@ +import re +import os + +from moulinette import m18n +from moulinette.utils.log import getActionLogger +from moulinette.utils.filesystem import chown + +from yunohost.tools import Migration +from yunohost.service import service_regen_conf +from yunohost.settings import settings_set, settings_get + +command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && rm /etc/cron.hourly/yunohost-generate-dh-params\n" +dhparams_file = "/etc/ssl/private/dh2048.pem" + +class MyMigration(Migration): + "This migration will add dh_params line and generate it in installed instance" + + def migrate(self): + + try: + file_open = open(dhparams_file) + with open(cron_job_file, "w") as f: + f.write("#!/bin/bash\n") + f.write(command) + + _set_permissions(cron_job_file, "root", "root", 0o755) + service_regen_conf(['nginx'], force=True) + except: + service_regen_conf(['nginx'], force=True) + + + def backward(self): + try: + file_open = open(dhparams_file) + os.remove(dhparams_file) + except: + pass From ed85df2c4b10aa2c6b21ffcfeb3d65ca030cc181 Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 18 Feb 2019 14:52:59 +0100 Subject: [PATCH 11/31] Update 0009_dh_params.py --- src/yunohost/data_migrations/0009_dh_params.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py index 55473bf977..6242149eed 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0009_dh_params.py 
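Review bot: `migrate()` wraps its whole body in a bare `except:`, and that body references `cron_job_file` and `_set_permissions`, neither of which is defined or imported in this file, so the resulting `NameError` is swallowed and the fallback `service_regen_conf(['nginx'], force=True)` runs as if the parameters existed; `open(dhparams_file)` is also never closed. The existence test should be `os.path.exists(dhparams_file)` with no try/except, and any exception from writing the cron script should propagate so the migration is reported as failed rather than silently marked done; `backward()` has the same shape. `re`, `m18n`, `getActionLogger`, `chown`, `settings_set` and `settings_get` are imported but unused.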
@@ -19,14 +19,15 @@ def migrate(self): try: file_open = open(dhparams_file) + service_regen_conf(['nginx'], force=True) + + except: with open(cron_job_file, "w") as f: f.write("#!/bin/bash\n") f.write(command) _set_permissions(cron_job_file, "root", "root", 0o755) service_regen_conf(['nginx'], force=True) - except: - service_regen_conf(['nginx'], force=True) def backward(self): From b971ffff42511a2c6563793bac45902d1ae0cc28 Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 18 Feb 2019 16:09:59 +0100 Subject: [PATCH 12/31] indentation --- src/yunohost/data_migrations/0009_dh_params.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py index 6242149eed..6020d60c09 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0009_dh_params.py @@ -26,8 +26,8 @@ def migrate(self): f.write("#!/bin/bash\n") f.write(command) - _set_permissions(cron_job_file, "root", "root", 0o755) - service_regen_conf(['nginx'], force=True) + _set_permissions(cron_job_file, "root", "root", 0o755) + service_regen_conf(['nginx'], force=True) def backward(self): From d820cd8a25d4908f44710e5fd9a420b7473d4701 Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 18 Feb 2019 16:10:53 +0100 Subject: [PATCH 13/31] remove useless import --- src/yunohost/data_migrations/0009_dh_params.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py index 6020d60c09..fd0940eb62 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0009_dh_params.py 
@@ -1,13 +1,11 @@ import re import os -from moulinette import m18n from moulinette.utils.log import getActionLogger from moulinette.utils.filesystem import chown from yunohost.tools import Migration from yunohost.service import service_regen_conf -from yunohost.settings import settings_set, settings_get command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && rm /etc/cron.hourly/yunohost-generate-dh-params\n" dhparams_file = "/etc/ssl/private/dh2048.pem" From 04fdb9ae9f68911a80376e5b2518b3691eecd6f1 Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 18 Feb 2019 16:33:40 +0100 Subject: [PATCH 14/31] Update 0009_dh_params.py --- src/yunohost/data_migrations/0009_dh_params.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py index fd0940eb62..60aaf90b4f 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0009_dh_params.py @@ -17,7 +17,7 @@ def migrate(self): try: file_open = open(dhparams_file) - service_regen_conf(['nginx'], force=True) + service_regen_conf(['nginx']) except: with open(cron_job_file, "w") as f: From d9f19dd67d9d8794d2ace26ae1dc2b57e81ad94e Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 18 Feb 2019 16:34:38 +0100 Subject: [PATCH 15/31] Update tools.py --- src/yunohost/tools.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index f8686a8435..c853c72a43 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py 
@@ -462,8 +462,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, # We need to explicitly ask the regen conf to regen ssh # (by default, i.e. first argument = None, it won't because it's too touchy) service_regen_conf(names=["ssh"], force=True) - - service_regen_conf(['nginx'], force=True) + logger.success(m18n.n('yunohost_configured')) logger.warning(m18n.n('recommend_to_add_first_user')) From 29bc912da4625d84ce47276702d584e373677823 Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 18 Feb 2019 16:57:16 +0100 Subject: [PATCH 16/31] Update 0009_dh_params.py --- src/yunohost/data_migrations/0009_dh_params.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py index 60aaf90b4f..152010909e 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0009_dh_params.py @@ -7,7 +7,7 @@ from yunohost.tools import Migration from yunohost.service import service_regen_conf -command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && rm /etc/cron.hourly/yunohost-generate-dh-params\n" +command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && yunohost service regen-conf >> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n" dhparams_file = "/etc/ssl/private/dh2048.pem" class MyMigration(Migration): @@ -25,7 +25,6 @@ def migrate(self): f.write(command) _set_permissions(cron_job_file, "root", "root", 0o755) - service_regen_conf(['nginx'], force=True) def backward(self): From f2ad8cb0129b59ce92fafbf3b0b372402009ef5a Mon Sep 17 00:00:00 2001 
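Review bot: The `yunohost service regen-conf` appended to `command` in the first hunk of patch 16 is called with no service names, and as the comment in tools_postinstall says, that regenerates every non-touchy service's configuration from an hourly root cron job when only nginx consumes `dh2048.pem`; `yunohost service regen-conf nginx` confines the effect to the one consumer. The same long command literal then lives in both this migration and tools_postinstall (patch 17 updates the copy there), so an edit to one is easy to miss in the other — a single shared constant in tools.py would keep them aligned. The regen output is appended with `>>` to the same log that the openssl step truncates with `>`, so each hourly retry discards the previous attempt's openssl errors.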
From: frju365 Date: Mon, 18 Feb 2019 17:09:23 +0100 Subject: [PATCH 17/31] Do some change --- data/templates/nginx/{plain => }/yunohost_admin.conf | 0 src/yunohost/data_migrations/0009_dh_params.py | 11 +++-------- src/yunohost/tools.py | 6 +++--- 3 files changed, 6 insertions(+), 11 deletions(-) rename data/templates/nginx/{plain => }/yunohost_admin.conf (100%) diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/yunohost_admin.conf similarity index 100% rename from data/templates/nginx/plain/yunohost_admin.conf rename to data/templates/nginx/yunohost_admin.conf diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py index 152010909e..1e15b3cefa 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0009_dh_params.py @@ -15,11 +15,9 @@ class MyMigration(Migration): def migrate(self): - try: - file_open = open(dhparams_file) + if os.path.exists(dhparams_file): service_regen_conf(['nginx']) - - except: + else: with open(cron_job_file, "w") as f: f.write("#!/bin/bash\n") f.write(command) @@ -28,8 +26,5 @@ def migrate(self): def backward(self): - try: - file_open = open(dhparams_file) + if os.path.exists(dhparams_file): os.remove(dhparams_file) - except: - pass diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index c853c72a43..8f1d061e22 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py 
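Review bot: `backward()` deletes `dhparams_file` but leaves the rendered nginx vhosts pointing at it: the 15-nginx hook only drops `ssl_dhparam` on the next regen, so until then a reload or `nginx -t` fails on the missing file, and a still-pending `cron_job_file` regenerates the parameters within the hour, re-creating what the rollback removed. After `os.remove(dhparams_file)`, also remove the cron script when present (`if os.path.exists(cron_job_file): os.remove(cron_job_file)`) and call `service_regen_conf(['nginx'])`, which this file already imports. The `migrate()` hunk above is fine as an existence test, but `cron_job_file` is still undefined in this file at this point.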
@@ -324,7 +324,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" - command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && rm /etc/cron.hourly/yunohost-generate-dh-params\n" + command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && yunohost service regen-conf >> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n" with open(cron_job_file, "w") as f: @@ -332,7 +332,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, f.write(command) _set_permissions(cron_job_file, "root", "root", 0o755) - + operation_logger.start() logger.info(m18n.n('yunohost_installing')) @@ -462,7 +462,7 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, # We need to explicitly ask the regen conf to regen ssh # (by default, i.e. first argument = None, it won't because it's too touchy) service_regen_conf(names=["ssh"], force=True) - + logger.success(m18n.n('yunohost_configured')) logger.warning(m18n.n('recommend_to_add_first_user')) From 99c83f5ae016d4c1382de8e2d5c2240f6fcfd57a Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 18 Feb 2019 17:16:14 +0100 Subject: [PATCH 18/31] correc --- data/hooks/conf_regen/15-nginx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index ed8eea2ab2..f276318372 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx 
@@ -53,10 +53,10 @@ do_pre_regen() { export dh_params=true else export dh_params=false - fi + fi ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf" - ynh_render_template "plain/yunohost_admin.conf" "${nginx_conf_dir}/yunohost-admin.conf" + ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost-admin.conf" ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}/config-v1.1.xml" [[ $main_domain != $domain ]] \ From 4660c605d9a2c1f39bfb49a3cd98dab24124dcf9 Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 18 Feb 2019 17:28:42 +0100 Subject: [PATCH 19/31] Update 0009_dh_params.py --- src/yunohost/data_migrations/0009_dh_params.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py index 1e15b3cefa..f6c7b01f42 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0009_dh_params.py @@ -15,9 +15,7 @@ class MyMigration(Migration): def migrate(self): - if os.path.exists(dhparams_file): - service_regen_conf(['nginx']) - else: + if os.path.exists(dhparams_file) is False: with open(cron_job_file, "w") as f: f.write("#!/bin/bash\n") f.write(command) From 833ed86429648dd35d92ffbd08f7a4151d4a70c5 Mon Sep 17 00:00:00 2001 From: Bram Date: Fri, 1 Mar 2019 12:52:53 +0100 Subject: [PATCH 20/31] Better than False in os.path.exist : not Co-Authored-By: frju365 --- src/yunohost/data_migrations/0009_dh_params.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py index f6c7b01f42..1ef560c951 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0009_dh_params.py 
@@ -15,7 +15,7 @@ class MyMigration(Migration): def migrate(self): - if os.path.exists(dhparams_file) is False: + if not os.path.exists(dhparams_file): with open(cron_job_file, "w") as f: f.write("#!/bin/bash\n") f.write(command) From 12c49074e35fb569e623fbf63aae2e57288890a1 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 1 Mar 2019 12:58:18 +0100 Subject: [PATCH 21/31] fix variable : cron_job_file --- src/yunohost/data_migrations/0009_dh_params.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py index 1ef560c951..82ea5ca952 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0009_dh_params.py @@ -7,6 +7,7 @@ from yunohost.tools import Migration from yunohost.service import service_regen_conf +cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && yunohost service regen-conf >> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n" dhparams_file = "/etc/ssl/private/dh2048.pem" From f12244085da361cb2ea5d95d237b45cdb4ba7665 Mon Sep 17 00:00:00 2001 From: frju365 Date: Thu, 7 Mar 2019 13:00:19 +0100 Subject: [PATCH 22/31] Update 0009_dh_params.py --- src/yunohost/data_migrations/0009_dh_params.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0009_dh_params.py index 82ea5ca952..0cd2f1d5cb 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0009_dh_params.py 
@@ -18,7 +18,7 @@ def migrate(self): if not os.path.exists(dhparams_file): with open(cron_job_file, "w") as f: - f.write("#!/bin/bash\n") + f.write("#!/bin/bash\nset -eux\n") f.write(command) _set_permissions(cron_job_file, "root", "root", 0o755) From 2cbfb17e78d39539fd7c345f6f174baa30ddc5b3 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sun, 29 Sep 2019 21:32:23 +0200 Subject: [PATCH 23/31] Change Name and add a function --- .../{0009_dh_params.py => 0013_dh_params.py} | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) rename src/yunohost/data_migrations/{0009_dh_params.py => 0013_dh_params.py} (88%) diff --git a/src/yunohost/data_migrations/0009_dh_params.py b/src/yunohost/data_migrations/0013_dh_params.py similarity index 88% rename from src/yunohost/data_migrations/0009_dh_params.py rename to src/yunohost/data_migrations/0013_dh_params.py index 0cd2f1d5cb..695d00ee03 100644 --- a/src/yunohost/data_migrations/0009_dh_params.py +++ b/src/yunohost/data_migrations/0013_dh_params.py @@ -5,6 +5,7 @@ from moulinette.utils.filesystem import chown from yunohost.tools import Migration +from yunohost.certificate import _set_permissions from yunohost.service import service_regen_conf cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" @@ -12,9 +13,10 @@ dhparams_file = "/etc/ssl/private/dh2048.pem" class MyMigration(Migration): - "This migration will add dh_params line and generate it in installed instance" + + "Add dh_params line and generate it in installed instance" - def migrate(self): + def run(self): if not os.path.exists(dhparams_file): with open(cron_job_file, "w") as f: From f083a2c8664c5a56661d1d27ec8e4f93be3cd411 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sun, 29 Sep 2019 21:34:50 +0200 Subject: [PATCH 24/31] Import the function _set_permissions --- src/yunohost/tools.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index 0e4bd1233d..d3e8c36651 100644 --- a/src/yunohost/tools.py 
+++ b/src/yunohost/tools.py @@ -44,6 +44,7 @@ from yunohost.firewall import firewall_upnp from yunohost.service import service_status, service_start, service_enable from yunohost.regenconf import regen_conf +from yunohost.certificate import _set_permissions from yunohost.monitor import monitor_disk, monitor_system from yunohost.utils.packages import ynh_packages_version, _dump_sources_list, _list_upgradable_apt_packages from yunohost.utils.network import get_public_ip From e067aa68248e7e45afc650bef42be9aac8bcddb5 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sun, 29 Sep 2019 22:29:20 +0200 Subject: [PATCH 25/31] Enlever le regen_conf (inutile dans la PR). --- src/yunohost/data_migrations/0013_dh_params.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/yunohost/data_migrations/0013_dh_params.py b/src/yunohost/data_migrations/0013_dh_params.py index 695d00ee03..6c91eec7ae 100644 --- a/src/yunohost/data_migrations/0013_dh_params.py +++ b/src/yunohost/data_migrations/0013_dh_params.py @@ -6,7 +6,6 @@ from yunohost.tools import Migration from yunohost.certificate import _set_permissions -from yunohost.service import service_regen_conf cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && yunohost service regen-conf >> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n" From d2b39d2bcea0f14b5f77f411c519191541759797 Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 30 Sep 2019 16:11:01 +0200 Subject: [PATCH 26/31] Function cron_add --- src/yunohost/tools.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index d3e8c36651..987db97674 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py 
@@ -58,6 +58,13 @@ logger = getActionLogger('yunohost.tools') +def cron_add(command, cron_job_file): + with open(cron_job_file, "w") as f: + f.write("#!/bin/bash\n") + f.write(command) + + _set_permissions(cron_job_file, "root", "root", 0o755) + def tools_ldapinit(): """ YunoHost LDAP initialization @@ -326,12 +333,8 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && yunohost service regen-conf >> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n" - - with open(cron_job_file, "w") as f: - f.write("#!/bin/bash\n") - f.write(command) - - _set_permissions(cron_job_file, "root", "root", 0o755) + cron_add(command, cron_job_file) + operation_logger.start() logger.info(m18n.n('yunohost_installing')) From fae7a99f27c58a44c8637d7af900d5c405848e6b Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 30 Sep 2019 17:08:57 +0200 Subject: [PATCH 27/31] Function cron add --- src/yunohost/data_migrations/0013_dh_params.py | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/yunohost/data_migrations/0013_dh_params.py b/src/yunohost/data_migrations/0013_dh_params.py index 6c91eec7ae..c5d016fc35 100644 --- a/src/yunohost/data_migrations/0013_dh_params.py +++ b/src/yunohost/data_migrations/0013_dh_params.py 
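Review bot: `cron_add()` has no docstring although it becomes a module-level helper in tools.py, and its contract is narrower than the name suggests: it writes a bash script rather than a crontab entry, hard-codes root:root and 0o755, and a run-parts directory such as /etc/cron.hourly silently skips files whose name contains a dot. The `set -eux` line that the migration's own writer carried is also dropped here, so the two writers now produce different scripts. A docstring such as `"""Write *command* as a root-owned, executable run-parts script at *cron_job_file* (mode 0755)."""` plus a one-line note on the run-parts naming rule would cover it.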
@@ -6,6 +6,7 @@ from yunohost.tools import Migration from yunohost.certificate import _set_permissions +from yunohost.tools import cron_add cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && yunohost service regen-conf >> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n" @@ -16,13 +17,8 @@ class MyMigration(Migration): "Add dh_params line and generate it in installed instance" def run(self): - if not os.path.exists(dhparams_file): - with open(cron_job_file, "w") as f: - f.write("#!/bin/bash\nset -eux\n") - f.write(command) - - _set_permissions(cron_job_file, "root", "root", 0o755) + cron_add(command, cron_job_file) def backward(self): From cc8ebc0c541930b3854fb4efd1601b7583d7c876 Mon Sep 17 00:00:00 2001 From: frju365 Date: Mon, 30 Sep 2019 18:01:18 +0200 Subject: [PATCH 28/31] Add set -eux --- src/yunohost/tools.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py index 987db97674..8eb1a17f91 100644 --- a/src/yunohost/tools.py +++ b/src/yunohost/tools.py @@ -61,6 +61,7 @@ def cron_add(command, cron_job_file): with open(cron_job_file, "w") as f: f.write("#!/bin/bash\n") + f.write("set -eux\n") f.write(command) _set_permissions(cron_job_file, "root", "root", 0o755) From 0b6db8ff98c017a1399f7fc73ddb0bf4722d96eb Mon Sep 17 00:00:00 2001 From: frju365 Date: Sat, 5 Oct 2019 19:15:25 +0200 Subject: [PATCH 29/31] Retry something --- data/templates/nginx/yunohost_admin.conf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/data/templates/nginx/yunohost_admin.conf b/data/templates/nginx/yunohost_admin.conf index 68f8090cad..ff49c54962 100644 --- a/data/templates/nginx/yunohost_admin.conf +++ b/data/templates/nginx/yunohost_admin.conf 
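Review bot: `run()` now calls `cron_add(command, cron_job_file)` unconditionally — the `if not os.path.exists(dhparams_file):` guard is removed together with the inlined writer — so an instance that already has `/etc/ssl/private/dh2048.pem` (e.g. generated by hand as the old template comment instructed) gets its parameters regenerated and overwritten by the hourly job, and the `_set_permissions` import becomes unused. Restoring the guard, `if not os.path.exists(dhparams_file):` around the `cron_add(...)` call, keeps the migration idempotent and matches the check `backward()` still performs.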
@@ -36,14 +36,13 @@ server { # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; - + {% endif %} + {% if dh_params %} # Uncomment the following directive after DH generation # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 ssl_dhparam /etc/ssl/private/dh2048.pem; {% endif %} - - {% endif %} # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners # https://wiki.mozilla.org/Security/Guidelines/Web_Security From f298e8c29e5c0b27fb8ebec54d1c8bd486dd22a4 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sat, 5 Oct 2019 19:16:09 +0200 Subject: [PATCH 30/31] Retry something : separate the two if (doesn't work) --- data/templates/nginx/server.tpl.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 1ab12b9ed2..7651a22c93 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf 
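Review bot: The comment `# Uncomment the following directive after DH generation` above `ssl_dhparam` is now stale: the directive is no longer commented out and is instead enabled by the `{% if dh_params %}` guard, so an admin following it would look for something that is not there. Replace the two comment lines with `# Enabled by the conf regen hook once /etc/ssl/private/dh2048.pem exists (generated by the yunohost-generate-dh-params cron job)`. The outer `{% if %}` whose `{% endif %}` this hunk moves opens outside the hunk, so the nesting cannot be fully checked here. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` and the 3DES/non-PFS suites in `ssl_ciphers` are pre-existing context, not part of this change, but are worth a follow-up.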
@@ -51,14 +51,15 @@ server { ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + {% endif %} + + {% if dh_params %} # Uncomment the following directive after DH generation # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 ssl_dhparam /etc/ssl/private/dh2048.pem; {% endif %} - {% endif %} - # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners # https://wiki.mozilla.org/Security/Guidelines/Web_Security # https://observatory.mozilla.org/ From c706451d14c30e6ed7da6a5bb63f02b7e33214c1 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sat, 5 Oct 2019 19:20:52 +0200 Subject: [PATCH 31/31] Bug : double "/" in xml template --- data/hooks/conf_regen/15-nginx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index c8d67b5761..fd6b7982ff 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx 
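Review bot: Enabling `ssl_dhparam` here makes the `DHE-RSA-*` and `EDH-RSA-DES-CBC3-SHA` suites in `ssl_ciphers` actually negotiable (recent nginx offers no DHE suites without explicit parameters, confirm for the shipped version), and those parameters are produced with `-dsaparam` by the cron command earlier in this series, which yields DSA-style, non-safe-prime parameters that are only acceptable when a fresh DH key is used for every handshake. OpenSSL does that unconditionally from 1.1.0 on, but the dependency should be recorded next to the directive: `# dh2048.pem is generated with -dsaparam (fast, not a safe prime); relies on single-use DH keys (OpenSSL >= 1.1.0)`. The subject says this hunk "doesn't work"; the `{% if dh_params %}`/`{% endif %}` pair shown is balanced, so the problem is likely the outer `{% if %}`, which opens outside the hunk.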
@@ -71,7 +71,7 @@ do_pre_regen() { ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf" ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost-admin.conf" - ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}/config-v1.1.xml" + ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}config-v1.1.xml" [[ $main_domain != $domain ]] \ && touch "${domain_conf_dir}/yunohost_local.conf" \