fix: bump deps, added dhparam support, added specific node version su…

…pport to ansible
forwardemail · Oct 19, 2023 · 8f12cc0 · 8f12cc0
1 parent 9bf07f7
commit 8f12cc0
Show file tree

Hide file tree

Showing 12 changed files with 98 additions and 28,044 deletions.
diff --git a/.env.defaults b/.env.defaults
@@ -64,6 +64,8 @@ WEB_URL={{WEB_PROTOCOL}}://{{WEB_HOST}}:{{WEB_PORT}}
 WEB_SSL_KEY_PATH=
 WEB_SSL_CERT_PATH=
 WEB_SSL_CA_PATH=
+# `openssl dhparam -outform PEM -out .ssl-dhparam 2048`
+WEB_SSL_DHPARAM_PATH=
 
 ################
 ## api server ##
@@ -75,6 +77,8 @@ API_URL={{API_PROTOCOL}}://{{API_HOST}}:{{API_PORT}}
 API_SSL_KEY_PATH=
 API_SSL_CERT_PATH=
 API_SSL_CA_PATH=
+# `openssl dhparam -outform PEM -out .ssl-dhparam 2048`
+API_SSL_DHPARAM_PATH=
 API_RATELIMIT_WHITELIST=138.197.213.185,104.248.224.170
 
 #########

diff --git a/.gitignore b/.gitignore
@@ -85,3 +85,4 @@ temp/
 .ssl-ca
 .ssl-cert
 .ssl-key
+.ssl-dhparam
diff --git a/.npmrc b/.npmrc
@@ -1,2 +1,2 @@
-package-lock=true
+package-lock=false
 strict-peer-dependencies=false
diff --git a/ansible/playbooks/certificates.yml b/ansible/playbooks/certificates.yml
@@ -6,13 +6,16 @@
   name: Certificates
   vars_prompt:
     - name: input_key
-      prompt: Enter path to certificate private key file (e.g. /path/to/example.key)
+      prompt: Enter path to certificate private key file (e.g. /path/to/.ssl-key)
       private: false
     - name: input_cert
-      prompt: Enter path to certificate full chain/certificate file (e.g. /path/to/example.crt)
+      prompt: Enter path to certificate full chain/certificate file (e.g. /path/to/.ssl-cert)
       private: false
     - name: input_bundle
-      prompt: "Optional: Leave blank or enter path to certificate CA bundle file (e.g. /path/to/example.ca-bundle)"
+      prompt: "Optional: Leave blank or enter path to certificate CA bundle file (e.g. /path/to/.ssl-ca)"
+      private: false
+    - name: input_dhparam
+      prompt: "Optional: Leave blank or enter path to certificate DHPARAM file (e.g. /path/to/.ssl-dhparam)"
       private: false
 
   tasks:
@@ -49,6 +52,18 @@
         msg: "bundle file does not exist: {{ input_bundle }}"
       when: (input_bundle is defined) and (input_bundle | length > 0) and (not local_bundle_file.stat.exists)
 
+    # dhparam file
+    - name: Check if dhparam file exists
+      local_action: stat path={{ input_dhparam }}
+      register: local_dhparam_file
+      become: false
+      when: (input_dhparam is defined) and (input_dhparam | length > 0)
+
+    - name: Fail when local dhparam file does not exist
+      fail:
+        msg: "dhparam file does not exist: {{ input_dhparam }}"
+      when: (input_dhparam is defined) and (input_dhparam | length > 0) and (not local_dhparam_file.stat.exists)
+
     # remote dir
     - name: Check if remote dir exists
       stat:
@@ -87,3 +102,13 @@
         # https://chmodcommand.com/chmod-660/
         mode: "0660"
       when: (input_bundle is defined) and (input_bundle | length > 0)
+
+    # copy local dhparam
+    - name: Copy local dhparam file to server
+      copy:
+        src: "{{ input_dhparam }}"
+        dest: /var/www/production/.ssl-dhparam
+        owner: deploy
+        # https://chmodcommand.com/chmod-660/
+        mode: "0660"
+      when: (input_dhparam is defined) and (input_dhparam | length > 0)
diff --git a/ansible/playbooks/node.yml b/ansible/playbooks/node.yml
@@ -6,6 +6,8 @@
   name: Node.js
   become: true
   become_user: root
+  vars:
+    node_version: "18.16.0"
   tasks:
     # install n and node lts
     - name: Check that n exists
@@ -16,8 +18,35 @@
       become: true
       become_user: deploy
       shell:
-        cmd: curl -L https://raw.githubusercontent.com/mklement0/n-install/stable/bin/n-install | bash -s -- -y
+        cmd: curl -L https://raw.githubusercontent.com/mklement0/n-install/stable/bin/n-install | bash -s -- -y {{node_version}}
       when: not n_result.stat.exists
+
+    - name: Debug Node version
+      debug:
+        var: node_version
+
+    - name: Check Node version
+      become: true
+      become_user: deploy
+      shell: test "$(node -v 2> /dev/null)" = v{{node_version}}
+      register: node_version_installed
+      ignore_errors: True
+
+    - name: Debug Check Node version
+      debug:
+        var: node_version_installed
+
+    - name: Debug n exists
+      debug:
+        var: n_result.stat.exists
+
+    - name: Setup Node
+      become: true
+      become_user: deploy
+      shell:
+        cmd: "n install {{node_version}} && n prune"
+      when: not node_version_installed and n_result.stat.exists
+
     # install pm2 and pnpm
     - name: Check if pm2 exists
       stat:

diff --git a/imap-server.js b/imap-server.js
@@ -138,7 +138,14 @@ class IMAP {
         ? {
             key: fs.readFileSync(env.WEB_SSL_KEY_PATH),
             cert: fs.readFileSync(env.WEB_SSL_CERT_PATH),
-            ca: fs.readFileSync(env.WEB_SSL_CA_PATH)
+            ca: fs.readFileSync(env.WEB_SSL_CA_PATH),
+            // perfect forward secrecy
+            // <https://github.com/nodemailer/wildduck/issues/541>
+            dhparam:
+              isSANB(env.WEB_SSL_DHPARAM_PATH) &&
+              env.WEB_SSL_DHPARAM_PATH.toLowerCase() !== 'auto'
+                ? fs.readFileSync(env.WEB_SSL_DHPARAM_PATH)
+                : 'auto'
           }
         : {})
     });

diff --git a/package.json b/package.json
@@ -23,7 +23,7 @@
     "@hapi/boom": "10.0.1",
     "@ioredis/commands": "1.2.0",
     "@koa/router": "12.0.1",
-    "@ladjs/api": "14.1.8",
+    "@ladjs/api": "14.1.9",
     "@ladjs/assets": "2.1.22",
     "@ladjs/consolidate": "1.0.3",
     "@ladjs/env": "4.0.0",
@@ -36,14 +36,14 @@
     "@ladjs/policies": "11.1.1",
     "@ladjs/proxy": "4.0.0",
     "@ladjs/redis": "1.1.1",
-    "@ladjs/shared-config": "9.1.2",
-    "@ladjs/web": "21.0.8",
+    "@ladjs/shared-config": "9.1.3",
+    "@ladjs/web": "21.0.9",
     "@octokit/core": "4.2.4",
     "@sidoshi/random-string": "1.0.0",
     "@tkrotoff/bootstrap-floating-label": "0.8",
     "adm-zip": "0.5.10",
     "ansi-html-community": "0.0.8",
-    "apexcharts": "3.43.0",
+    "apexcharts": "3.44.0",
     "array-join-conjunction": "1.0.0",
     "async-ratelimiter": "1.3.11",
     "axe": "12.2.3",
@@ -116,8 +116,8 @@
     "markdown-it-highlightjs": "4.0.1",
     "markdown-it-task-checkbox": "1.0.6",
     "memoizee": "0.4.15",
-    "mongodb-memory-server": "8.15.1",
-    "mongodb-query-parser": "2.5.0",
+    "mongodb-memory-server": "9.0.1",
+    "mongodb-query-parser": "3.1.3",
     "mongodb-short-id": "0.3.3",
     "mongoose": "6.11.1",
     "mongoose-common-plugin": "4.0.0",
@@ -180,14 +180,14 @@
     "sweetalert2": "8",
     "tangerine": "1.5.4",
     "titleize": "2",
-    "twilio": "4.18.1",
+    "twilio": "4.19.0",
     "uncaught": "0.0.5",
-    "undici": "5.26.3",
+    "undici": "5.26.4",
     "url-parse": "1.5.10",
     "url-regex-safe": "4.0.0",
     "validator": "13.11.0",
     "web-resource-inliner": "6.0.1",
-    "wildduck": "1.40.9",
+    "wildduck": "1.40.10",
     "wkhtmltopdf": "0.4.0",
     "zone-mta": "3.6.13",
     "zxcvbn": "4.4.2"
@@ -197,8 +197,8 @@
     "@babel/core": "7.23.2",
     "@babel/polyfill": "7.12.1",
     "@babel/preset-env": "7.23.2",
-    "@commitlint/cli": "17.7.2",
-    "@commitlint/config-conventional": "17.7.0",
+    "@commitlint/cli": "17.8.0",
+    "@commitlint/config-conventional": "17.8.0",
     "@ladjs/browserslist-config": "1.0.0",
     "@ladjs/gulp-envify": "2.0.1",
     "@ladjs/pug-lint": "2.6.1",
@@ -246,10 +246,10 @@
     "imagemin-pngquant": "9.0.2",
     "ioredis": "5.3.2",
     "ioredis-mock": "8.9.0",
-    "lint-staged": "14.0.1",
+    "lint-staged": "15.0.2",
     "make-dir": "3.1.0",
-    "node-sass": "8.0.0",
-    "nodemon": "2.0.22",
+    "node-sass": "9.0.0",
+    "nodemon": "3.0.1",
     "npm-run-all": "4.1.5",
     "nps": "5.10.0",
     "nps-utils": "1.7.0",
@@ -260,24 +260,24 @@
     "postcss-preset-env": "9.2.0",
     "postcss-reporter": "7.0.5",
     "postcss-scss": "4.0.9",
-    "prettier": "2.8.8",
+    "prettier": "2",
     "pump": "3.0.0",
     "purgecss-from-pug": "5.0.0",
     "rc": "1.2.8",
     "remark-cli": "11.0.0",
     "remark-license": "6.1.0",
     "remark-preset-github": "4.0.4",
-    "sass": "1.69.3",
-    "sinon": "15.1.2",
-    "stylelint": "15.10.3",
-    "stylelint-config-recommended-scss": "12.0.0",
+    "sass": "1.69.4",
+    "sinon": "16.1.3",
+    "stylelint": "15.11.0",
+    "stylelint-config-recommended-scss": "13.0.0",
     "stylelint-scss": "5.2.1",
     "supertest": "6.3.3",
     "through2": "4.0.2",
     "xo": "0.53.1"
   },
   "engines": {
-    "node": ">=14.8"
+    "node": ">=18.16.0"
   },
   "homepage": "https://github.com/forwardemail/forwardemail.net",
   "imports": {