diff --git a/README.md b/README.md index d81af7c..10554cd 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in ## Overview -This is a dummy description of this app features +BorgWarhouse is a fast and modern WebUI for a BorgBackup's central repository server. **Shipped version:** 2.0.0~ynh1 diff --git a/README_fr.md b/README_fr.md index dbe8ffc..e66a089 100644 --- a/README_fr.md +++ b/README_fr.md @@ -16,8 +16,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po ## Vue d’ensemble -Ceci est une fausse description des fonctionalités de l'app - +BorgWarhouse est une interface Web rapide et moderne pour BorgBackup. **Version incluse :** 2.0.0~ynh1 diff --git a/conf/.env b/conf/.env index f95d36b..53534b7 100644 --- a/conf/.env +++ b/conf/.env @@ -1,7 +1,7 @@ # Application's variables NEXTAUTH_URL=https://__DOMAIN__ -NEXTAUTH_SECRET=__SECRET__ -CRONJOB_KEY=__CRON_KEY__ +NEXTAUTH_SECRET='__SECRET__' +CRONJOB_KEY='__CRON_KEY__' # Wizard's variables UNIX_USER=__APP__ FQDN=__DOMAIN__ @@ -10,8 +10,8 @@ SSH_SERVER_FINGERPRINT_RSA=__RSA_KEY__ SSH_SERVER_FINGERPRINT_ED25519=__ED25519_KEY__ SSH_SERVER_FINGERPRINT_ECDSA=__ECDSA_KEY__ # SMTP's variables -MAIL_SMTP_FROM=borgwarehouse@__DOMAIN__ -MAIL_SMTP_HOST=localhost +MAIL_SMTP_FROM=borgwarehouse@__MAIN_DOMAIN__ +MAIL_SMTP_HOST=__MAIN_DOMAIN__ MAIL_SMTP_PORT=25 MAIL_SMTP_LOGIN=__APP__ MAIL_SMTP_PWD=__MAIL_PWD__ diff --git a/conf/systemd.service b/conf/systemd.service index 832f576..9360a93 100644 --- a/conf/systemd.service +++ b/conf/systemd.service 
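Review bot: In the second conf/.env hunk, `MAIL_SMTP_HOST` moves from `localhost` to `__MAIN_DOMAIN__` while `MAIL_SMTP_PORT=25` and the `MAIL_SMTP_LOGIN`/`MAIL_SMTP_PWD` pair stay as they were, so the app's mail credentials are now presented to a non-loopback name on the plain SMTP port. Whether the client insists on STARTTLS before authenticating is not visible here; if it does not, the password can travel in clear whenever that name resolves off-host. I would pair the host change with the submission port, `MAIL_SMTP_PORT=587`, and confirm that the app refuses to authenticate without TLS.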
@@ -7,10 +7,45 @@ After=network.target Type=simple User=__APP__ Group=__APP__ -WorkingDirectory=__INSTALL_DIR__/ +Environment="PATH=__ENV_PATH__" +WorkingDirectory=__INSTALL_DIR__/app Environment=PORT=__PORT__ ExecStart=__YNH_NPM__ run start Restart=on-failure +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md index 3f2e57a..a02019b 100644 --- a/doc/DESCRIPTION.md +++ b/doc/DESCRIPTION.md 
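Review bot: `CAP_RAWIO` in the first added `CapabilityBoundingSet=` line is not a capability name; the kernel capability is `CAP_SYS_RAWIO`, so as written raw I/O access is presumably left in the bounding set (systemd is expected to warn about the unknown name and skip it). The line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Running `systemd-analyze security` on the installed unit is a quick way to confirm which of the new directives actually took effect. The `[Service]` section starts above this hunk.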
@@ -1 +1 @@ -This is a dummy description of this app features +BorgWarhouse is a fast and modern WebUI for a BorgBackup's central repository server. diff --git a/doc/DESCRIPTION_fr.md b/doc/DESCRIPTION_fr.md index 13f4b64..3d9a28f 100644 --- a/doc/DESCRIPTION_fr.md +++ b/doc/DESCRIPTION_fr.md @@ -1 +1 @@ -Ceci est une fausse description des fonctionalités de l'app +BorgWarhouse est une interface Web rapide et moderne pour BorgBackup. \ No newline at end of file diff --git a/manifest.toml b/manifest.toml index e4ecd83..27675af 100644 --- a/manifest.toml +++ b/manifest.toml @@ -27,7 +27,7 @@ ldap = false sso = false disk = "50M" -ram.build = "50M" +ram.build = "700M" ram.runtime = "50M" [install] @@ -45,7 +45,6 @@ ram.runtime = "50M" [resources.sources.main] url = "https://github.com/Ravinou/borgwarehouse/archive/refs/tags/v2.0.0.tar.gz" sha256 = "73e5bed688e58a29485d1c1fd5834c83eed1fba0bb52289f6d6f1ea4e2284180" - autoupdate.strategy = "latest_github_tag" [resources.system_user] diff --git a/scripts/_common.sh b/scripts/_common.sh index b4d1a2f..b1923cd 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -6,6 +6,7 @@ nodejs_version=18 ssh_port=$(grep -P "Port\s+\d+" /etc/ssh/sshd_config | grep -P -o "\d+") +main_domain=$(cat /etc/yunohost/current_host) rsa_key=$(ssh-keygen -lf /etc/ssh/ssh_host_rsa_key | awk '{print $2}') ed25519_key=$(ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key | awk '{print $2}') diff --git a/scripts/backup b/scripts/backup index 010f6c5..a07766f 100755 --- a/scripts/backup +++ b/scripts/backup 
@@ -15,51 +15,18 @@ source /usr/share/yunohost/helpers #================================================= ynh_print_info --message="Declaring files to be backed up..." -### N.B. : the following 'ynh_backup' calls are only a *declaration* of what needs -### to be backuped and not an actual copy of any file. The actual backup that -### creates and fills the archive with the files happens in the core after this -### script is called. Hence ynh_backups calls take basically 0 seconds to run. - #================================================= # BACKUP THE APP MAIN DIR #================================================= ynh_backup --src_path="$install_dir" -#================================================= -# BACKUP THE DATA DIR -#================================================= - -# Only relevant if there is a "data_dir" resource for this app -ynh_backup --src_path="$data_dir" --is_big - #================================================= # BACKUP THE NGINX CONFIGURATION #================================================= ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" -#================================================= -# BACKUP THE PHP-FPM CONFIGURATION -#================================================= - -ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" - -#================================================= -# BACKUP FAIL2BAN CONFIGURATION -#================================================= - -ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf" -ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf" - -#================================================= -# SPECIFIC BACKUP -#================================================= -# BACKUP LOGROTATE -#================================================= - -ynh_backup --src_path="/etc/logrotate.d/$app" - #================================================= # BACKUP SYSTEMD #================================================= 
@@ -72,18 +39,6 @@ ynh_backup --src_path="/etc/systemd/system/$app.service" ynh_backup --src_path="/etc/cron.d/$app" -ynh_backup --src_path="/etc/$app/" - -#================================================= -# BACKUP THE MYSQL DATABASE -#================================================= -ynh_print_info --message="Backing up the MySQL database..." - -### (However, things like MySQL dumps *do* take some time to run, though the -### copy of the generated dump to the archive still happens later) - -ynh_mysql_dump_db --database="$db_name" > db.sql - #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/change_url b/scripts/change_url index f0964a6..43b84fb 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -16,7 +16,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" #================================================= # MODIFY URL IN NGINX CONF @@ -26,10 +26,14 @@ ynh_script_progression --message="Updating NGINX web server configuration..." -- ynh_change_url_nginx_config #================================================= -# SPECIFIC MODIFICATIONS -#================================================= -# ... +# ADD A CONFIGURATION #================================================= +ynh_script_progression --message="Adding a configuration file..." --weight=1 + +ynh_add_config --template=".env" --destination="$install_dir/app/.env.local" + +chmod 400 "$install_dir/app/.env.local" +chown $app:$app "$install_dir/app/.env.local" #================================================= # GENERIC FINALISATION 
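Review bot: The `ynh_add_config --template=".env"` call added in the second scripts/change_url hunk re-renders `NEXTAUTH_SECRET` and `CRONJOB_KEY` from the `secret` and `cron_key` settings, which this commit starts saving only in scripts/install. An instance installed before this change would have neither setting, and nothing visible here or in the scripts/upgrade hunk that renders the same template restores them, so the file may end up with an empty or unreplaced placeholder as its signing secret. I would check before rendering, e.g. `[ -n "${secret:-}" ] && [ -n "${cron_key:-}" ] || ynh_die --message="secret or cron_key setting is missing"`, or recover the values from the existing `.env.local` first.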
@@ -38,7 +42,7 @@ ynh_change_url_nginx_config #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index 0e0624b..cf8db0d 100755 --- a/scripts/install +++ b/scripts/install @@ -9,8 +9,16 @@ source _common.sh source /usr/share/yunohost/helpers -secret=$(ynh_string_random --length=32 | base64) -cron_key=$(ynh_string_random --length=32 | base64) +secret=$(ynh_string_random --length=32) +cron_key=$(ynh_string_random --length=32) + +#================================================= +# STORE SETTINGS FROM MANIFEST +#================================================= +ynh_script_progression --message="Storing installation settings..." --weight=1 + +ynh_app_setting_set --app=$app --key=secret --value=$secret +ynh_app_setting_set --app=$app --key=cron_key --value=$cron_key #================================================= # INSTALL DEPENDENCIES 
@@ -28,31 +36,30 @@ ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version ynh_script_progression --message="Setting up source files..." --weight=1 # Download, check integrity, uncompress and patch the source from manifest.toml -ynh_setup_source --dest_dir="$install_dir" +ynh_setup_source --dest_dir="$install_dir/app" mkdir $install_dir/.ssh && chmod 700 $install_dir/.ssh touch $install_dir/.ssh/authorized_keys && chmod 600 $install_dir/.ssh/authorized_keys mkdir $install_dir/repos && chmod 700 $install_dir/repos -mkdir $install_dir/app chown -R $app:www-data "$install_dir" +chmod 700 $install_dir/app/helpers/shells/* #================================================= # SYSTEM CONFIGURATION #================================================= ynh_script_progression --message="Adding system configurations related to $app..." --weight=1 -# Create a dedicated NGINX config using the conf/nginx.conf template ynh_add_nginx_config -# Create a dedicated systemd config +env_path="$PATH" ynh_add_systemd_config ynh_add_config --template="../conf/cron" --destination="/etc/cron.d/$app" chown root: "/etc/cron.d/$app" chmod 644 "/etc/cron.d/$app" -yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log" +yunohost service add $app --description="WebUI for BorgBackup" --log="/var/log/$app/$app.log" #================================================= # APP INITIAL CONFIGURATION 
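Review bot: `yunohost service add ... --log="/var/log/$app/$app.log"` still registers a log file, although every `ynh_systemd_action` call in this commit now waits on `--log_path="systemd"` and the unit lines visible in conf/systemd.service set no file output. If nothing writes that file, the service log shown to the administrator stays empty and start-up failures are only in the journal. Dropping the option, `yunohost service add $app --description="WebUI for BorgBackup"`, would keep the two consistent; the same line recurs in the scripts/restore and scripts/upgrade hunks.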
@@ -61,10 +68,10 @@ yunohost service add $app --description="A short description of the app" --log=" #================================================= ynh_script_progression --message="Adding a configuration file..." --weight=1 -ynh_add_config --template=".env" --destination="$install_dir/.env.local" +ynh_add_config --template=".env" --destination="$install_dir/app/.env.local" -chmod 400 "$install_dir/.env.local" -chown $app:$app "$install_dir/.env.local" +chmod 400 "$install_dir/app/.env.local" +chown $app:$app "$install_dir/app/.env.local" #================================================= # INSTALL BORGWARHOUSE @@ -85,7 +92,7 @@ popd ynh_script_progression --message="Starting a systemd service..." --weight=1 # Start a systemd service -ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" #================================================= # END OF SCRIPT diff --git a/scripts/remove b/scripts/remove index b89ef85..3ec7dc4 100755 --- a/scripts/remove +++ b/scripts/remove @@ -16,8 +16,6 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Removing system configurations related to $app..." --weight=1 -# This should be a symetric version of what happens in the install script - # Remove the service from the list of services known by YunoHost (added from `yunohost service add`) if ynh_exec_warn_less yunohost service status $app >/dev/null then @@ -29,6 +27,8 @@ ynh_remove_systemd_config ynh_remove_nginx_config +ynh_remove_nodejs + ynh_secure_remove --file="/etc/cron.d/$app" #================================================= diff --git a/scripts/restore b/scripts/restore index 72400ab..5c7b30d 100755 --- a/scripts/restore +++ b/scripts/restore 
@@ -17,11 +17,16 @@ ynh_script_progression --message="Restoring the app main directory..." --weight= ynh_restore_file --origin_path="$install_dir" -# $install_dir will automatically be initialized with some decent -# permissions by default ... however, you may need to recursively reapply -# ownership to all files such as after the ynh_setup_source step chown -R $app:www-data "$install_dir" +#================================================= +# REINSTALL DEPENDENCIES +#================================================= +ynh_script_progression --message="Reinstalling dependencies..." --weight=7 + +# Install Nodejs +ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version + #================================================= # RESTORE SYSTEM CONFIGURATIONS #================================================= @@ -34,7 +39,7 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable $app.service --quiet -yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log" +yunohost service add $app --description="WebUI for BorgBackup" --log="/var/log/$app/$app.log" ynh_restore_file --origin_path="/etc/cron.d/$app" @@ -45,8 +50,7 @@ ynh_restore_file --origin_path="/etc/cron.d/$app" #================================================= ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1 -# Typically you only have either $app or php-fpm but not both at the same time... -ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/upgrade b/scripts/upgrade index b028cd7..9c56584 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -11,12 +11,20 @@ source /usr/share/yunohost/helpers upgrade_type=$(ynh_check_app_version_changed) +#================================================= +# UPGRADE DEPENDENCIES +#================================================= +ynh_script_progression --message="Upgrading dependencies..." --weight=5 + +# Install Nodejs +ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version + #================================================= # STOP SYSTEMD SERVICE #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" #================================================= # "REBUILD" THE APP (DEPLOY NEW SOURCES, RERUN NPM BUILD...) @@ -29,7 +37,7 @@ then ynh_script_progression --message="Upgrading source files..." --weight=1 # Download, check integrity, uncompress and patch the source from manifest.toml - ynh_setup_source --dest_dir="$install_dir" --keep=".env.local config/users.json config/repo.json" + ynh_setup_source --dest_dir="$install_dir" --keep="app/.env.local app/config/users.json app/config/repo.json" fi chown -R $app:www-data "$install_dir" @@ -41,9 +49,10 @@ ynh_script_progression --message="Upgrading system configurations related to $ap ynh_add_nginx_config +env_path="$PATH" ynh_add_systemd_config -yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log" +yunohost service add $app --description="WebUI for BorgBackup" --log="/var/log/$app/$app.log" #================================================= # RECONFIGURE THE APP (UPDATE CONF, APPLY MIGRATIONS...) 
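Review bot: The second scripts/upgrade hunk still extracts into `$install_dir`, while scripts/install now unpacks the sources into `$install_dir/app`; only the `--keep` paths were prefixed with `app/`, the destination was not moved. An upgrade would therefore drop the new release next to `.ssh` and `repos` and leave the running copy under `app/` at the old version. I would use `ynh_setup_source --dest_dir="$install_dir/app" --keep=".env.local config/users.json config/repo.json"` and re-apply `chmod 700 "$install_dir/app/helpers/shells/"*` afterwards, as install does. The enclosing `if` block starts outside the hunk.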
@@ -52,17 +61,17 @@ yunohost service add $app --description="A short description of the app" --log=" #================================================= ynh_script_progression --message="Updating a configuration file..." --weight=1 -ynh_add_config --template=".env" --destination="$install_dir/.env.local" +ynh_add_config --template=".env" --destination="$install_dir/app/.env.local" -chmod 400 "$install_dir/.env.local" -chown $app:$app "$install_dir/.env.local" +chmod 400 "$install_dir/app/.env.local" +chown $app:$app "$install_dir/app/.env.local" #================================================= # START SYSTEMD SERVICE #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" #================================================= # END OF SCRIPT diff --git a/tests.toml b/tests.toml index c298fc9..0a1acf6 100644 --- a/tests.toml +++ b/tests.toml @@ -4,4 +4,8 @@ test_format = 1.0 [default] - \ No newline at end of file + # ------------ + # Tests to run + # ------------ + + exclude = ["install.subdir"] \ No newline at end of file