Girish Ramakrishnan
19c744b17d
unbound-anchor is now part of ExecStartPre
it seems unbound-anchor is not a dep of unbound in ubuntu 24. some
installations are thus missing this package.
in any case, ignore unbound-anchor exit status
2024-09-20 10:00:01 +02:00
Girish Ramakrishnan
0647a3a233
unbound: prefer ip4 on ubuntu 24 and above
ip6 queries seem to be blocked by spamhaus
2024-09-12 17:13:50 +02:00
Girish Ramakrishnan
ba99e3b9b7
already in setup script now
2024-07-14 17:06:13 +02:00
Girish Ramakrishnan
082e659c7b
disable rpcbind
rpcbind is required for NFSv2 and v3. It seems this gets installed
by nfs-common. It was never used by us since the firewall blocks
port 111 anyway.
NFSv3 needs 2049 for NFS, 111 for portmap, 635 for mountd, 4045 for NLM, 4046 for NSM, 4049 for rquota ...
NFSv4 works better because there's just a single target port, plus the "heartbeat" of lease renewal would keep the TCP/IP session alive.
https://serverfault.com/questions/949127/nfs-client-firewall-settings-and-rpcbind
https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s2-nfs-methodology-portmap.html#s2-nfs-methodology-portmap
https://community.netapp.com/t5/Tech-ONTAP-Blogs/NFSv3-and-NFSv4-What-s-the-difference/ba-p/441316
2024-06-27 20:37:08 +02:00
Girish Ramakrishnan
8df97de8c6
Ubuntu 24.04
* update docker to 26.0.1
* cloudron-syslog needs to have correct perms for fifo socket
2024-04-29 11:07:10 +02:00
Girish Ramakrishnan
cd5cae33ce
dns: switch over to systemd for the host
this changes unbound to listen on 127.0.0.150 (150 is roman CL)
we cannot only bind on docker bridge because unbound is relied
upon for the initial domain setup. docker itself is only initialized
when the platform initializes
2024-04-29 11:06:03 +02:00
Girish Ramakrishnan
608ce53e7d
scripts: remove unused cloudron-logs
2024-04-29 10:21:33 +02:00
Johannes Zellner
ec990bd16a
WIP: Add some portrange support
2024-02-08 17:39:22 +01:00
Girish Ramakrishnan
ff539e2669
remove crashnotifier
it's not really used
2023-05-15 11:08:00 +02:00
Girish Ramakrishnan
b26c8d20cd
network: add trusted ips
This allows the user to set trusted ips to Cloudflare or some other CDN
and have the logs have the correct IPs.
fixes #801
2023-05-13 16:15:47 +02:00
Johannes Zellner
89c5b81eb0
Add very basic initial cloudron-logs helper
2023-05-11 12:30:00 +02:00
Johannes Zellner
9089616e85
Store oidc data in platformdata/oidc
2023-03-19 16:01:22 +01:00
Girish Ramakrishnan
495e54b54a
cloudron.conf is long gone
2023-01-31 18:03:23 +01:00
Girish Ramakrishnan
89127e1df7
reverseproxy: rework cert logic
9c8f78a059 already fixed many of the cert issues.
However, some issues were caught in the CI:
* The TLS addon has to be rebuilt and not just restarted. For this reason, we now
move things to a directory instead of mounting files. This way the container is just restarted.
* Cleanups must be driven by the database and not the filesystem. Deleting files on disk or after a restore,
the certs are left dangling forever in the db.
* Separate the db cert logic and disk cert logic. This way we can sync as many times as we want and whenever we want.
2022-11-29 11:07:23 +01:00
Girish Ramakrishnan
00771d8197
reverseproxy: move dashboard config to subdir as well
2022-11-17 15:50:34 +01:00
Girish Ramakrishnan
4918d2099f
remove json module (not used)
2022-11-05 15:15:53 +01:00
Girish Ramakrishnan
80a3ca0f46
remove 16.04 related task logic
2022-11-02 21:22:42 +01:00
Girish Ramakrishnan
ae66692eda
Ensure collectd directory
2022-10-14 10:43:30 +02:00
Girish Ramakrishnan
3caffdb4e1
Rework app stats
Previously, the du plugin was collecting data every 20 seconds but
carbon was configured to only keep data every 12 hours causing much
confusion.
In the process of reworking this, it was determined:
* No need to collect disk usage info over time. Not sure how that is useful
* Instead, collect CPU/Network/Block info over time. We get this now from docker stats
* We also collect info about the services (addon containers)
* No need to reconfigure collectd for each app change anymore since there is no per
app collectd configuration anymore.
2022-10-10 21:13:26 +02:00
Girish Ramakrishnan
eafccde6cb
Reset mysql password by detecting version (instead of ubuntu version)
2022-04-27 15:45:53 -07:00
Girish Ramakrishnan
6b85e11a22
update: collectd configuration can be removed
2022-04-27 15:41:28 -07:00
Girish Ramakrishnan
7ec1594428
create a separate support user
This creates a separate user named 'cloudron-support' using which we
can provide remote support. The hyphen username convention follows the
systemd system username convention.
With a separate user, we don't need to ask users to keep changing PermitRootLogin
(and remind them to change it back).
Using a sudo user has various advantages:
* https://askubuntu.com/questions/687249/why-does-ubuntu-have-a-disabled-root-account
* https://wiki.debian.org/sudo
* https://askubuntu.com/questions/16178/why-is-it-bad-to-log-in-as-root
The yellowtent user is also locked down further - no password and no shell login.
2022-03-30 15:08:20 -07:00
Girish Ramakrishnan
724f5643bc
suppress grep message
2022-03-30 11:10:00 -07:00
Girish Ramakrishnan
dbb803ff5e
cifs: use credentials file
this supports special characters in passwords better
https://forum.cloudron.io/topic/6577/failed-to-mount-inactive-mount-error-13-when-mounting-cifs-from-synology
2022-03-29 21:26:58 -07:00
Girish Ramakrishnan
cbc44da102
create sshfs dir in start.sh
2022-03-29 20:13:41 -07:00
Girish Ramakrishnan
ca83deb761
Docker IPv6 support
Docker's initial IPv6 support is based on allocating public IPv6 to containers.
This approach has many issues:
* The server may not get a block of IPv6 assigned to it
* It's complicated to allocate a block of IPv6 to cloudron server on home setups
* It's unclear how dynamic IPv6 is. If it's dynamic, then should containers be recreated?
* DNS setup is complicated
* Not an issue for Cloudron itself, but with -P, it just exposed the full container into the world
Given these issues, IPv6 NAT is being considered. Even though NAT is not a security mechanism as such,
it does offer benefits that we care about:
* We can allocate some private IPv6 to containers
* Have docker NAT66 the exposed ports
* Works similar to IPv4
Currently, the IPv6 ports are always mapped and exposed. The "Enable IPv6" config option is only whether
to automate AAAA records or not. This way, the user can enable it and 'sync' dns and we don't need to
re-create containers etc. There is no inherent benefit in not exposing IPv6 at all everywhere unless we find
it unstable.
Fixes #264
2022-02-09 23:54:53 -08:00
Girish Ramakrishnan
c5f9c80f89
move comment to unbound.conf
2022-02-09 23:15:37 -08:00
Girish Ramakrishnan
852eebac4d
move cloudron network creation to platform code
this gives us more control on re-creating the network with different
arguments/options when needed.
2022-02-09 23:15:37 -08:00
Girish Ramakrishnan
566def2b64
Disable IPv6 temporary address
2022-02-09 12:17:42 -08:00
Girish Ramakrishnan
fdefc780b4
docker: hardcode the bridge gateway IP
on some environments like ESXi, the gateway gets the dynamic IP 172.18.0.2.
we have hardcoded 172.18.0.1 in many places in the code
https://forum.cloudron.io/topic/5987/install-cloudron-7-0-3-on-ubuntu-20-04-3-esxi
2021-11-12 09:04:03 -08:00
Girish Ramakrishnan
e4cc431d35
Do not nuke all the logrotate configs on update
this was added many releases ago to migrate to new logrotate configs.
looks like I forgot to remove this.
https://forum.cloudron.io/topic/4381/safe-to-truncate-home-yellowtent-platformdata-logs-when-large-disk-consumer
2021-11-04 09:41:33 -07:00
Johannes Zellner
c81f40dd8c
Ensure mail data dir is still created
2021-10-15 15:02:54 +02:00
Girish Ramakrishnan
004a264993
mail: dkim key update
2021-10-11 22:56:34 -07:00
Girish Ramakrishnan
dc8ec9dcd8
mail: move dkim keys into the database
2021-10-11 20:30:42 -07:00
Girish Ramakrishnan
73315a42fe
setup: fix journalctl configuration
/var/log/journal/*/system.journal does not exist on some systems
https://forum.cloudron.io/topic/4068/installation-failed-on-20-04-server
https://forum.cloudron.io/topic/5731/time4vps-installation-error
2021-09-28 19:21:16 -07:00
Girish Ramakrishnan
ad3dbe8daa
mail: keep mail backups separately from box backups
part of #717
2021-09-26 21:47:24 -07:00
Girish Ramakrishnan
9584990d7a
remove old migration code
2021-09-26 18:10:39 -07:00
Girish Ramakrishnan
77989893df
remove boxdata/well-known directory
this has already moved into the domains table
2021-06-17 11:37:03 -07:00
Girish Ramakrishnan
593038907c
unbound: on ubuntu 16, sd_notify is not working
not clear when unbound added support for this.
on ubuntu 16, unbound is 1.5.8.
on ubuntu 20, unbound is 1.9.4
2021-06-04 09:41:54 -07:00
Girish Ramakrishnan
84af9580a6
migrate certs into the blobs database
use platformdata/nginx/cert to store the certs
2021-05-07 21:26:49 -07:00
Girish Ramakrishnan
182918b13d
add note
2021-05-07 20:20:15 -07:00
Girish Ramakrishnan
963e92b517
store fallback certs in the database
2021-05-04 22:30:28 -07:00
Girish Ramakrishnan
7de454911e
migrate firewall configuration into database
the ports.json is for the moment server specific
2021-05-04 15:55:54 -07:00
Girish Ramakrishnan
dcea55cd81
chown the sftp directory
2021-05-04 00:27:45 -07:00
Girish Ramakrishnan
c17743d869
migrate secrets into the database
the infra version is bumped because nginx's dhparams path has changed
and the sftp server key path has changed.
2021-05-03 22:11:18 -07:00
Girish Ramakrishnan
6a32291609
Move updatechecker.json into platform data
2021-04-29 14:01:24 -07:00
Girish Ramakrishnan
b8ea9de439
move profile icons into the database
2021-04-29 13:57:24 -07:00
Girish Ramakrishnan
7b8fd3596e
well known is now stored in the database
2021-04-29 12:17:44 -07:00
Girish Ramakrishnan
32f385741a
graphite: implement upgrade
for the moment, we wipe out the old data and start afresh. this is because
the graphite web app keeps changing quite drastically.
2021-03-23 16:34:32 -07:00
Girish Ramakrishnan
8048e68eb6
graphite: disable tagdb
2021-03-18 18:03:45 -07:00