Arch Linux User Repository

I uploaded the SSO plugin for cryptpad to AUR. If you like, you could add it as an optdepends. https://aur.archlinux.org/packages/cryptpad-sso

I just updated from 5.7.0 to 2024.6.0 and I can no longer open my spreadsheets. It seems like since 2024.3.0 OnlyOffice is no longer included by default and needs to be download with a script?

Edit: Calling the new script seems to work fine. The following patch solves the issue for me (though it produces some "Package contains reference to $srcdir" warnings, which could be fixed by removing the www/common/onlyoffice/dist/*/.git files which are not needed anyway):

diff --git a/PKGBUILD b/PKGBUILD
index cd6eefe..22b086a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,13 +4,13 @@

 pkgname=cryptpad
 pkgver=2024.6.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Realtime collaborative visual editor with zero knowlege server"
 arch=('any')
 url="https://github.com/$pkgname/$pkgname"
 license=(AGPL-3.0-or-later)
 depends=(nodejs)
-makedepends=(npm git)
+makedepends=(npm git unzip)
 optdepends=('nginx: HTTP server providing TLS'
             'certbot: Let’s Encrypt – automatically receive and install X.509 certificates to enable TLS'
             'certbot-nginx: Nginx plugin for Let’s Encrypt client')
@@ -31,6 +31,7 @@ build() {
     export NODE_ENV=production
     npm install --cache "$srcdir"/npm-cache
     npm run install:components --cache "$srcdir"/npm-cache
+    ./install-onlyoffice.sh --accept-license
 }

 package() {

@buzo @ChrisTX I see the cryptpad:http combinations for e.g. blob, however, the combination cryptpad:cryptpad and 0750 still does not allow read access for nginx for e.g. blob, so login is still prohibited in the current situation. At least on my machine, so please recheck. Thanks.

@buzo @ChrisTX This approach only works for me, if /var/lib/cryptpad is world readable. Otherwise I can not log in, aka I receive a "Permission denied" from nginx, when trying to read a block. Please check from your side.

Thanks ChrisTX – I've adjusted the permissions in the package as suggested.

Sorry, misleading description: groups http = http cryptpad and groups cryptpad = cryptpad. Gives http the theoretical access to some unneeded folders, but it is very simple. I do not think that this is a security issue, however, as soon as it is implemented in the package, I would follow the approach of choice there.

No, I mean, cryptpad shouldn't be part of http. That will allow it to read all files available to the web services, a permission which it doesn't need to have. Disregarding POSIX ACLs, the only 'proper' way of doing this is changing ownership to cryptpad:http and then setting the setgid bit on each of the subfolders nginx needs to access. I've done that right now in my own setup, but the package should do that.

@ChrisTX Yes, you are right. I replaced again the LTS version with nodejs, and it seems to work. It is the read access of http to the folders you mention. Currently, I added http to the group cryptpad, which then allows for it, and which I think is not part of the PKGBUILD right now, right?

@RoKoInfo No you're not wrong. The way cryptpad handles /blob and /block is by using try_files with nginx - so the server needs to be able to access those folders. Cryptpad should run fine with nodejs, and not require the LTS variant.

This is a bit of a mess, but the only reasonable solution I can see is to make the blob, block and datastore (that's for debugging purposes only tho) readable by nginx, i.e. http. Additionally, this will need the setgid bit on the folder. It's not necessary to make data or logs readable by nginx, they'll only be accessed by the nodejs service.

There's no real beautiful solution for cryptpad overall, as the app is supposed to be run in its source folder, and not really the way you'd package it.