From 88a3c8cd2bb136c1ce5393ffe8ee607547ca901b Mon Sep 17 00:00:00 2001
From: Louis Maillard <louis.maillard@savoirfairelinux.com>
Date: Wed, 24 Jul 2024 16:25:45 -0400
Subject: [PATCH] packaging: disable postinst auto-setup

Disabled keys generation because it could lead to change of certificate during an update => security issue. Reconfiguration of yaml is disabled because user will now have to run `dhtnet-crtmgr --interactive`, which create the file if needed.

Change-Id: I388ab1cebf75d248600f070be4eb108766bfe993
---
 CMakeLists.txt | 14 ++++
 extras/packaging/gnu-linux/debian/postinst | 93 ++++++----------------
 extras/packaging/gnu-linux/debian/rules | 1 +
 tools/dnc/systemd/dhtnet-dnc.preset | 1 +
 4 files changed, 42 insertions(+), 67 deletions(-)
 create mode 100644 tools/dnc/systemd/dhtnet-dnc.preset

diff --git a/CMakeLists.txt b/CMakeLists.txt
index a35142c..2d8e0c7 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -144,6 +144,15 @@ if (DNC_SYSTEMD AND BUILD_TOOLS AND NOT MSVC)
 set(SYSTEMD_UNIT_INSTALL_DIR ${DNC_SYSTEMD_UNIT_FILE_LOCATION})
 endif()
+ if (NOT DEFINED DNC_SYSTEMD_PRESET_FILE_LOCATION OR NOT DNC_SYSTEMD_PRESET_FILE_LOCATION)
+ execute_process(COMMAND ${PKG_CONFIG_EXECUTABLE} systemd --variable=systemdsystempresetdir
+ OUTPUT_VARIABLE SYSTEMD_PRESET_INSTALL_DIR)
+ message("-- Using Systemd preset installation directory by pkg-config: " ${SYSTEMD_PRESET_INSTALL_DIR})
+ else()
+ message("-- Using Systemd preset installation directory requested: " ${DNC_SYSTEMD_PRESET_FILE_LOCATION})
+ set(SYSTEMD_PRESET_INSTALL_DIR ${DNC_SYSTEMD_PRESET_FILE_LOCATION})
+ endif()
+
 configure_file (
 tools/dnc/systemd/dnc.service.in
 systemd/dnc.service
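Review bot: The added `execute_process` never checks whether pkg-config succeeded, so when the installed systemd.pc does not provide `systemdsystempresetdir` (or pkg-config is absent) `SYSTEMD_PRESET_INSTALL_DIR` stays empty and the `install (FILES tools/dnc/systemd/dhtnet-dnc.preset DESTINATION ${systemdpresetdir})` in the next hunk is left with no DESTINATION argument, which CMake rejects at configure time instead of warning the way the unit-directory branch does. Capture the status and strip the newline in one go, `execute_process(COMMAND ${PKG_CONFIG_EXECUTABLE} systemd --variable=systemdsystempresetdir OUTPUT_VARIABLE SYSTEMD_PRESET_INSTALL_DIR OUTPUT_STRIP_TRAILING_WHITESPACE RESULT_VARIABLE pkg_config_rc)`, then guard the preset install on `pkg_config_rc` being 0 and the directory being non-empty, mirroring the existing unit-directory check; that also makes the `string(REGEX REPLACE ...)` added in the next hunk unnecessary. The two diagnostics should be `message(STATUS "Using Systemd preset installation directory ...")` rather than a hand-written `"-- "` prefix on a plain `message()`, which is emitted as a notice on stderr. The enclosing `if (DNC_SYSTEMD AND BUILD_TOOLS AND NOT MSVC)` block starts before this hunk.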
@@ -153,6 +162,11 @@ if (DNC_SYSTEMD AND BUILD_TOOLS AND NOT MSVC)
 string(REGEX REPLACE "[ \t\n]+" "" SYSTEMD_UNIT_INSTALL_DIR "${SYSTEMD_UNIT_INSTALL_DIR}")
 set (systemdunitdir "${SYSTEMD_UNIT_INSTALL_DIR}")
 install (FILES ${CMAKE_CURRENT_BINARY_DIR}/systemd/dnc.service DESTINATION ${systemdunitdir})
+
+ string(REGEX REPLACE "[ \t\n]+" "" SYSTEMD_PRESET_INSTALL_DIR "${SYSTEMD_PRESET_INSTALL_DIR}")
+ set (systemdpresetdir "${SYSTEMD_PRESET_INSTALL_DIR}")
+ install (FILES tools/dnc/systemd/dhtnet-dnc.preset DESTINATION ${systemdpresetdir})
+ install (FILES tools/dnc/dnc.yaml DESTINATION ${sysconfdir}/dhtnet/)
 else()
 message(WARNING "Systemd unit installation directory not found. The systemd unit won't be installed.")
diff --git a/extras/packaging/gnu-linux/debian/postinst b/extras/packaging/gnu-linux/debian/postinst
index d716e78..aeb8833 100644
--- a/extras/packaging/gnu-linux/debian/postinst
+++ b/extras/packaging/gnu-linux/debian/postinst
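Review bot: `install (FILES tools/dnc/dnc.yaml DESTINATION ${sysconfdir}/dhtnet/)` is placed inside the branch that is only reached when the systemd unit directory was found, so on a build that lands in the `else()` branch below the default configuration is not installed at all, even though the postinst changed in this same commit tells the user that the server configuration is in /etc/dhtnet/dnc.yaml. The config file does not depend on systemd; move that one `install` line out of the `if`/`else` so it runs whenever the dnc tool is built. It is also worth confirming that `sysconfdir` is defined earlier in this file (the hunk does not set it); if the project uses GNUInstallDirs, `${CMAKE_INSTALL_SYSCONFDIR}` is the conventional variable. The enclosing `if` block starts before this hunk.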
@@ -3,23 +3,21 @@ set -e
 umask 022
-create_server_keys() {
- mkdir -p /etc/dhtnet/id
- if [ ! -f /etc/dhtnet/id/id-server.crt ] && [ ! -f /etc/dhtnet/id/id-server.pem ]; then
- echo "Generating server keys..."
- dhtnet-crtmgr --setup -o /etc/dhtnet/
- dhtnet-crtmgr -a -c /etc/dhtnet/id/id-server.crt -p /etc/dhtnet/id/id-server.pem
- configure_yaml
- disable_dnc_service
- fi
+main() {
+ mkdir -p /etc/dhtnet
+ # disabled because is shouldn't create key on behalf of user:
+ # create_key_pair_if_not_exist()
+
+ # disabled because we now use systemd preset system to disabled by default:
+ # disable_dnc_service
 echo "===================="
- echo "dnc server installed and configured."
- echo "To configure it, edit /etc/dhtnet/dnc.yaml"
- echo "To enable and start server, run:"
+ echo "dnc server installed."
+ echo "To configure your dnc client and/or server, run:"
+ echo " dhtnet-crtmgr --interactive"
+ echo "Server configuration is in /etc/dhtnet/dnc.yaml"
+ echo "After configuration, enable and start server with:"
 echo " systemctl enable dnc.service"
 echo " systemctl start dnc.service"
- echo "To configure your dnc client, run:"
- echo " dhtnet-crtmgr --interactive"
 echo "===================="
 }
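Review bot: `main` is called unconditionally at the bottom of the script (the `+main` line in the next hunk), so the `mkdir -p /etc/dhtnet` and the banner run for every maintainer-script action dpkg passes, including `abort-upgrade` and `abort-remove`, not only `configure`; replace that call with `case "$1" in configure) main ;; esac` and leave `main` itself as it is. The two explanatory comments inside `main` read awkwardly; suggested wording: `# Key generation is intentionally not done here: the package must not create or replace keys on the user's behalf.` and `# The service is left disabled by default via the systemd preset file, not by a systemctl call here.`. The commented-out calls here and the commented-out `disable_dnc_service` / `create_key_pair_if_not_exist` bodies in the next hunk are dead code that git history already preserves, so deleting them is cleaner than carrying them forward.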
@@ -31,58 +29,19 @@ create_server_keys() {
 # fi
 # }
-disable_dnc_service() {
- systemctl stop dnc.service
- systemctl disable dnc.service
-}
+# disable_dnc_service() {
+# systemctl stop dnc.service
+# systemctl disable dnc.service
+# }
-configure_yaml() {
- if [ -f /etc/dhtnet/dnc.yaml ]; then
- sed -i 's/^#certificate:.*$/certificate: \"\/etc\/dhtnet\/id\/id-server.crt\"/' /etc/dhtnet/dnc.yaml
- sed -i 's/^#privateKey:.*$/privateKey: \"\/etc\/dhtnet\/id\/id-server.pem\"/' /etc/dhtnet/dnc.yaml
- else
- {
- echo "# The bootstrap node serves as the entry point to the DHT network."
- echo "# By default, bootstrap.jami.net is configured for the public DHT network and should be used for personal use only."
- echo "# For production environments, it is recommended to set up your own bootstrap node to establish your own DHT network."
- echo "# Documentation: https://docs.jami.net/en_US/user/lan-only.html#boostraping"
- echo "bootstrap: \"bootstrap.jami.net\""
- echo ""
- echo "# TURN server is used as a fallback for connections if the NAT block all possible connections."
- echo "# By default is turn.jami.net (which uses coturn) but can be any TURN."
- echo "# Developer must set up their own TURN server."
- echo "# Documentation: https://docs.jami.net/en_US/developer/going-further/setting-up-your-own-turn-server.html"
- echo "turn_host: \"turn.jami.net\""
- echo "turn_user: \"ring\""
- echo "turn_pass: \"ring\""
- echo "turn_realm: \"ring\""
- echo ""
- echo "# When verbose is set to true, the server logs all incoming connections"
- echo "verbose: false"
- echo ""
- echo "# If true, will send request to use UPNP if available"
- echo "enable_upnp: true"
- echo ""
- echo "# On server, identities are saved in /etc/dhtnet/id/"
- echo "certificate: \"/etc/dhtnet/id/id-server.crt\""
- echo "privateKey: \"/etc/dhtnet/id/id-server.pem\""
- echo ""
- echo "# When anonymous is set to true, the server accepts any connection without checking CA"
- echo "# When anonymous is set to false, the server allows only connection which are issued by the same CA as the server"
- echo "anonymous: false"
- echo ""
- echo "# List of authorized services"
- echo "# Each service is defined by an IP and a port"
- echo "authorized_services:"
- echo " - ip: \"127.0.0.1\""
- echo " port: 22"
- echo " # - ip: \"127.0.0.1\""
- echo " # port: 80"
- echo " # - ip: \"127.0.0.1\""
- echo " # port: 443"
- echo ""
- } > /etc/dhtnet/dnc.yaml
- fi
-}
+# create_key_pair_if_not_exist() {
+# mkdir -p /etc/dhtnet/id
+# mkdir -p /etc/dhtnet/CA
+# if [ ! -f /etc/dhtnet/id/id-server.crt ] && [ ! -f /etc/dhtnet/id/id-server.pem ]; then
+# echo "Generating server keys..."
+# dhtnet-crtmgr --setup -o /etc/dhtnet/
+# dhtnet-crtmgr -a -c /etc/dhtnet/id/id-server.crt -p /etc/dhtnet/id/id-server.pem
+# fi
+# }
-create_server_keys
+main
diff --git a/extras/packaging/gnu-linux/debian/rules b/extras/packaging/gnu-linux/debian/rules
index bb4a235..fc2266f 100755
--- a/extras/packaging/gnu-linux/debian/rules
+++ b/extras/packaging/gnu-linux/debian/rules
@@ -16,3 +16,4 @@ override_dh_auto_configure:
 -DCMAKE_LIBRARY_ARCHITECTURE="$(DEB_TARGET_MULTIARCH)" \
 -DBUILD_TESTING=OFF -DBUILD_BENCHMARKS=OFF
+ -DDNC_SYSTEMD=ON
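Review bot: The added `-DDNC_SYSTEMD=ON` follows the context line `-DBUILD_TESTING=OFF -DBUILD_BENCHMARKS=OFF`, which as shown in the hunk has no trailing backslash (the `-DCMAKE_LIBRARY_ARCHITECTURE` line above it does); unless the rendering dropped it, make will run `-DDNC_SYSTEMD=ON` as a separate recipe command, the shell fails with "command not found", and `dh_auto_configure` aborts the package build before the flag ever reaches cmake. Change the preceding line to `-DBUILD_TESTING=OFF -DBUILD_BENCHMARKS=OFF \` so the new argument joins the same cmake invocation, and keep the new line indented with a tab like its neighbours. The `override_dh_auto_configure` recipe begins before this hunk.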
diff --git a/tools/dnc/systemd/dhtnet-dnc.preset b/tools/dnc/systemd/dhtnet-dnc.preset
new file mode 100644
index 0000000..aa76bef
--- /dev/null
+++ b/tools/dnc/systemd/dhtnet-dnc.preset
@@ -0,0 +1 @@
+disable dnc.service
--
GitLab
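Review bot: `disable dnc.service` only takes effect when the unit's enablement goes through systemd's preset logic; on dh-built Debian packages the unit is typically enabled from postinst by `deb-systemd-helper`, and whether the init-system-helpers version on the target distribution honours preset files should be confirmed before this file is relied on as the replacement for the `disable_dnc_service` call the commit removes. If it does not, passing `--no-enable` (and `--no-start`) to `dh_installsystemd` in debian/rules is the explicit way to keep the freshly installed, not-yet-configured server from being enabled. systemd recommends prefixing preset files with a two-digit number and a dash to make their ordering explicit, e.g. `90-dhtnet-dnc.preset`, since later files cannot override an earlier match. A one-line header comment, `# dnc ships disabled; enable it after running dhtnet-crtmgr --interactive`, would record the intent in the file itself.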