Girish Ramakrishnan
08c48df862
add qbittorrent to blacklist
2023-11-01 23:54:20 +01:00
Girish Ramakrishnan
6aad89ae6e
demo is just a constant, not a setting
2023-08-04 14:13:30 +05:30
Johannes Zellner
e9fc355ac5
Move openid provider into its own express server
2023-03-21 14:39:58 +01:00
Girish Ramakrishnan
5bbeb1196a
add root as reserved name for gogs
2023-03-05 10:52:30 +01:00
Girish Ramakrishnan
582994b9d6
addons: stable IPv4 addresses
...
give addons static IPv4 so one can reliably connect from outside via
SSH tunnel
2023-02-21 12:20:44 +01:00
Johannes Zellner
db5e0b8fdf
Disallow jupyter hub on demo
2022-11-30 21:36:29 +01:00
Girish Ramakrishnan
27dec3f61e
bump test version
2022-11-30 19:56:51 +01:00
Girish Ramakrishnan
116cde19f9
constants: location -> subdomain
2022-07-14 15:18:17 +05:30
Johannes Zellner
923a9f6560
Rename RELAY_APPSTORE_ID to PROXY_APP_APPSTORE_ID
2022-06-09 13:57:57 +02:00
Johannes Zellner
a955457ee7
Support proxy app
2022-06-09 10:48:54 +02:00
Girish Ramakrishnan
0c13504928
Bump version
2022-06-02 11:02:06 -07:00
Girish Ramakrishnan
70695b1b0f
backups: set label of backup and control its retention
2022-04-02 19:30:54 -07:00
Girish Ramakrishnan
d47b39d90b
eventlog: distinguish install vs update finish
2022-04-01 14:19:53 -07:00
Girish Ramakrishnan
7ec1594428
create a separate support user
...
This creates a separate user named 'cloudron-support' using which we
can provide remote support. The hyphen username convention follows the
systemd system username convention.
With a separate user, we don't need to ask users to keep changing PermitRootLogin
(and remind them to change it back).
Using a sudo user has various advantages:
* https://askubuntu.com/questions/687249/why-does-ubuntu-have-a-disabled-root-account
* https://wiki.debian.org/sudo
* https://askubuntu.com/questions/16178/why-is-it-bad-to-log-in-as-root
The yellowtent user is also locked down further - no password and no shell login.
2022-03-30 15:08:20 -07:00
Girish Ramakrishnan
37c8ca7617
mail: use port25check.cloudron.io to check outbound port 25 connectivity
2022-01-31 16:55:56 -08:00
Johannes Zellner
52385fcc9c
Rename exposed ldap to user directory
2022-01-07 14:06:13 +01:00
Johannes Zellner
cc998ba805
Implement full exposed ldap auth
2022-01-07 13:11:27 +01:00
Johannes Zellner
3a8aaf72ba
Expose LDAP via iptables
2021-11-23 12:37:03 +01:00
Johannes Zellner
735737b513
Initial attempt to expose the ldap server
2021-11-22 21:29:23 +01:00
Girish Ramakrishnan
515b1db9d0
Fix tests
2021-11-17 11:35:44 -08:00
Girish Ramakrishnan
9c096b18e1
demo: limit to 20 apps
2021-11-15 13:55:29 -08:00
Johannes Zellner
7277727307
Fixup some of app route tests
2021-09-16 17:20:19 +02:00
Johannes Zellner
0db62b4fd8
Make avatar apis buffer based
2021-07-08 11:17:13 +02:00
Johannes Zellner
81e6cd6195
Make gravatar support explicit only
2021-07-07 16:16:04 +02:00
Girish Ramakrishnan
44ac406e57
admin -> dashboard
2021-05-05 12:29:04 -07:00
Girish Ramakrishnan
8ff68331a8
proxyAuth: use default expiry time in cookie (1 year)
2021-04-30 10:31:09 -07:00
Girish Ramakrishnan
a5dc65bda7
blacklist couchpotato on demo
2021-01-11 22:29:21 -08:00
Girish Ramakrishnan
6c8be9a47a
add sickchill to demo blacklist
2021-01-11 22:04:12 -08:00
Girish Ramakrishnan
79a7e5d4a1
Also blacklist transmission on the demo
2020-12-13 12:36:13 -08:00
Girish Ramakrishnan
c6fd922fcd
Blacklist adguard on the demo
2020-12-04 23:01:47 -08:00
Girish Ramakrishnan
bcc9eda66c
Remove unused constant
2020-11-25 10:33:40 -08:00
Girish Ramakrishnan
6ae1de6989
test: make apps test work
2020-11-21 23:25:28 -08:00
Girish Ramakrishnan
bd9c664b1a
Free up port 53
...
It's all very complicated.
Approach 1: Simply move unbound to not listen on 0.0.0.0 and only the internal
ones. However, docker has no way to bind only to the "public" interface.
Approach 2: Move the internal unbound to some other port. This required a PR
for haraka - https://github.com/haraka/Haraka/pull/2863 . This works and we use
systemd-resolved by default. However, it turns out systemd-resolved will hog the
lo and thus docker cannot bind again to port 53.
Approach 3: Get rid of systemd-resolved and try to put the dns server list in
/etc/resolv.conf. This is surprisingly hard because the DNS listing can come from
DHCP or netplan or wherever. We can hardcode some public DNS servers but this seems
not a good idea for privacy.
Approach 4: So maybe we don't move the unbound away to different port after all.
However, all the work for approach 2 is done and it's quite nice that the default
resolver is used with the default dns server of the network (probably a caching
server + also maybe has some home network firewalled dns).
So, the final solution is to make docker bind to the IP explicitly.
It's unclear what will happen if the IP changes, maybe it needs a restart.
2020-11-18 23:25:56 -08:00
Girish Ramakrishnan
71666a028b
add support for protected sites
...
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
https://gock.net/blog/2020/nginx-subrequest-authentication-server/
https://github.com/andygock/auth-server
2020-11-10 01:06:39 -08:00
Girish Ramakrishnan
b5a83ab902
demo: blacklist alltube as well
2020-11-02 15:16:21 -08:00
Girish Ramakrishnan
2aa5c387c7
branding: add template variables
...
we can now have %YEAR% and %VERSION% in the footer
2020-10-18 10:19:13 -07:00
Johannes Zellner
00cff1a728
Mention that SECRET_PLACEHOLDER is also used in dashboard client.js
2020-05-14 23:04:08 +02:00
Girish Ramakrishnan
74b0ff338b
Disallow cloudtorrent in demo mode
2020-05-04 14:56:10 -07:00
Girish Ramakrishnan
ef9aeb0772
Bump default version for tests
2020-04-08 14:24:58 -07:00
Girish Ramakrishnan
1e8a02f91a
Make token expiry a year
...
we now have a UI to invalidate all tokens easily, so this should be OK.
2020-03-23 21:51:13 -07:00
Girish Ramakrishnan
09ce27d74b
bump default token expiry to a month
2020-03-21 18:46:38 -07:00
Girish Ramakrishnan
2ac0fe21c6
ghost file depends on base dir
2020-03-15 11:41:39 -07:00
Girish Ramakrishnan
6ee4b0da27
Move out ghost file to platformdata
...
Since /tmp is world writable this might cause privilege escalation
https://forum.cloudron.io/topic/2222/impersonate-user-privilege-escalation
2020-03-12 10:24:21 -07:00
Girish Ramakrishnan
46b6e319f5
add some spacing in the footer
2020-03-06 19:13:37 -08:00
Johannes Zellner
8f087e1c30
Take default footer from constants and keep settingsdb pristine
2020-03-06 18:08:26 -08:00
Girish Ramakrishnan
c9e96cd97a
custom: remove support section
2020-02-04 13:07:36 -08:00
Girish Ramakrishnan
e97606ca87
Remove internal sysadmin server
...
this is now unused
2019-09-12 13:33:01 -07:00
Girish Ramakrishnan
77cf7d0da6
Bump test version
2019-08-05 06:39:16 -07:00
Girish Ramakrishnan
12eae1eff2
Make port a constant
2019-07-25 16:08:54 -07:00
Girish Ramakrishnan
c32718b164
Make ldap and docker proxy port as constants
2019-07-25 16:08:54 -07:00