0.6.18
Remove 0.6.0 from check_process; add werkzeug dependency in optional-requirements; use a venv to install pip packages; harden the systemd service.
This commit is contained in:
parent
743bee0048
commit
592e71bee4
10 changed files with 120 additions and 59 deletions
|
@ -17,9 +17,7 @@
|
|||
setup_public=1
|
||||
upgrade=1
|
||||
#Last version
|
||||
upgrade=1 from_commit=79c6c4ad03f62d2ed4f4180ac6b7dac1c117a62a
|
||||
#v0.6.6
|
||||
# upgrade=1 from_commit=11f5b96df7d8850beff47f9904745fa53a6f7ed9
|
||||
upgrade=1 from_commit=581a4e1de5caa7aa19a64f63348b174b7602753
|
||||
backup_restore=1
|
||||
multi_instance=1
|
||||
port_already_use=1 (8083)
|
||||
|
@ -27,8 +25,4 @@
|
|||
;;; Options
|
||||
Email=nicolas@aubonalbanais.ovh
|
||||
Notification=none
|
||||
;;; Upgrade options
|
||||
; commit=11f5b96df7d8850beff47f9904745fa53a6f7ed9
|
||||
name=Version 0.96.0~ynh4
|
||||
manifest_arg=domain=DOMAIN&path=PATH&admin=USER&password=pass&is_public=1&
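Review bot: In the first hunk, `upgrade=1 from_commit=581a4e1de5caa7aa19a64f63348b174b7602753` is 39 hex characters, one short of a full SHA-1, while the other `from_commit` values in the same hunk (`79c6c4ad…a62a`, `11f5b96d…7ed9`) are 40. Whether that line survives on the new side is not recoverable from this rendering (the hunk shrinks from 9 to 7 lines and the +/- markers are lost). If it does, paste the full hash so the test harness checks out an exact commit instead of relying on git prefix resolution, which silently picks whatever unique object matches.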
|
||||
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
SOURCE_URL=https://github.com/janeczku/calibre-web/releases/download/0.6.17/calibre-web-0.6.17.zip
|
||||
SOURCE_SUM=3560aa9f793eead98d8df053963a569fbe08ace93418b6e8e70a2831a9314733
|
||||
SOURCE_URL=https://github.com/janeczku/calibre-web/releases/download/0.6.18/calibre-web-0.6.18.zip
|
||||
SOURCE_SUM=65a267fc44629f9373a391333154b277a3fb9124031c1e20cd1b3acac939c95a
|
||||
SOURCE_FORMAT=zip
|
||||
|
|
|
@ -7,7 +7,37 @@ Type=simple
|
|||
User=__APP__
|
||||
Group=__APP__
|
||||
WorkingDirectory=__FINALPATH__/
|
||||
ExecStart=/bin/sh -c '/usr/bin/python3 __FINALPATH__/cps.py'
|
||||
ExecStart=/bin/sh -c '__FINALPATH__/venv/bin/python3 __FINALPATH__/cps.py'
|
||||
|
||||
# Sandboxing options to harden security
|
||||
# Depending on specificities of your service/app, you may need to tweak these
|
||||
# .. but this should be a good baseline
|
||||
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
DevicePolicy=closed
|
||||
ProtectSystem=full
|
||||
ProtectControlGroups=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
LockPersonality=yes
|
||||
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
|
||||
|
||||
# Denying access to capabilities that should not be relevant for webapps
|
||||
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
||||
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
|
||||
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
|
||||
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
|
||||
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
|
||||
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
|
||||
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
|
||||
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
|
||||
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
|
||||
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
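Review bot: `ExecStart=/bin/sh -c '__FINALPATH__/venv/bin/python3 __FINALPATH__/cps.py'` still spawns a shell for a command that uses no shell features; `ExecStart=__FINALPATH__/venv/bin/python3 __FINALPATH__/cps.py` runs the interpreter directly and is one less process inside the new sandbox. The deny-list `SystemCallFilter=~@clock @debug …` is a fair start, but the usual baseline also adds `SystemCallArchitectures=native` and `RestrictSUIDSGID=yes`, both safe for a Python service running as its own unprivileged user. `ProtectHome=` is absent, presumably because the app reaches into /home/yunohost.multimedia (DOSSIER_MEDIA in _common.sh); a comment such as `# ProtectHome intentionally unset: the library lives under /home/yunohost.multimedia` would stop a later hardening pass from adding it and breaking library access.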
|
||||
|
|
|
@ -6,10 +6,10 @@
|
|||
"en": "Browsing, reading and downloading eBooks using a Calibre database",
|
||||
"fr": "Explorer, lire et télécharger des eBooks à partir d'une base de données Calibre"
|
||||
},
|
||||
"version": "0.96.17~ynh1",
|
||||
"version": "0.96.18~ynh1",
|
||||
"url": "https://github.com/janeczku/calibre-web",
|
||||
"upstream": {
|
||||
"version": "0.6.17",
|
||||
"version": "0.6.18",
|
||||
"license": "GPL-3.0-only",
|
||||
"admindoc": "https://github.com/janeczku/calibre-web/wiki",
|
||||
"code": "https://github.com/janeczku/calibre-web"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#!/bin/bash
|
||||
|
||||
PKG_DEPENDENCIES="sqlite3 libldap2-dev libsasl2-dev python3-dev imagemagick python3-lxml libjpeg-dev zlib1g-dev libffi-dev"
|
||||
PKG_DEPENDENCIES="sqlite3 imagemagick libldap2-dev libsasl2-dev python3-venv python3-dev python3-lxml libjpeg-dev zlib1g-dev libffi-dev"
|
||||
#PKG_DEPENDENCIES="sqlite3 python3-pip imagemagick"
|
||||
|
||||
DOSSIER_MEDIA=/home/yunohost.multimedia
|
||||
|
|
|
@ -92,6 +92,14 @@ ynh_add_config --template="../sources/patches/app-constants.py.patch.src" --dest
|
|||
# Download, check integrity, uncompress and patch the source from app.src
|
||||
ynh_setup_source "$final_path"
|
||||
|
||||
#=================================================
|
||||
# CREATE DEDICATED USER
|
||||
#=================================================
|
||||
ynh_script_progression --message="Configuring system user..." --weight=1
|
||||
# Create a system user
|
||||
ynh_system_user_create --username="$app" --home_dir="$final_path" --use_shell
|
||||
|
||||
|
||||
#=================================================
|
||||
# INSTALL DEPENDENCIES
|
||||
#=================================================
|
||||
|
@ -99,15 +107,28 @@ ynh_setup_source "$final_path"
|
|||
ynh_script_progression --message="Installing package dependencies..." --weight=80
|
||||
ynh_install_app_dependencies $PKG_DEPENDENCIES
|
||||
|
||||
#use latest version of pip as per documentation in https://github.com/pypa/get-pip
|
||||
#cannot use helper as maintaining the checksum would be a pain in the a***
|
||||
ynh_exec_quiet curl https://bootstrap.pypa.io/get-pip.py | python3
|
||||
#Use venv to install pip requirements - Inspired from https://github.com/YunoHost-Apps/pyinventory_ynh/blob/master/scripts/install
|
||||
ynh_script_progression --message="Installing pip requirements..." --weight=70
|
||||
# Always recreate everything fresh with current python version
|
||||
if [ -d "${final_path}/venv" ] ; then
|
||||
ynh_secure_remove "${final_path}/venv"
|
||||
fi
|
||||
|
||||
ynh_script_progression --message="Installing pip requirements..." --weight=40
|
||||
pip3 install --no-cache-dir --target $final_path/vendor -r $final_path/requirements.txt
|
||||
# Skip pip because of: https://github.com/YunoHost/issues/issues/1960
|
||||
python3 -m venv --without-pip "${final_path}/venv"
|
||||
chown -R "$app:" "$final_path"
|
||||
|
||||
#run source in a 'sub shell'
|
||||
(
|
||||
set +o nounset
|
||||
source "${final_path}/venv/bin/activate"
|
||||
set -o nounset
|
||||
ynh_exec_as $app $final_path/venv/bin/python3 -m ensurepip
|
||||
ynh_exec_as $app $final_path/venv/bin/pip3 install --upgrade wheel pip setuptools
|
||||
ynh_exec_as $app $final_path/venv/bin/pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r "$final_path/requirements.txt"
|
||||
ynh_exec_as $app $final_path/venv/bin/pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r "$final_path/optional-requirements.txt"
|
||||
)
|
||||
|
||||
ynh_script_progression --message="Installing pip additionnal requirements..." --weight=40
|
||||
pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r $final_path/optional-requirements.txt
|
||||
|
||||
#=================================================
|
||||
# NGINX CONFIGURATION
|
||||
|
@ -123,15 +144,6 @@ fi
|
|||
# Create a dedicated nginx config
|
||||
ynh_add_nginx_config
|
||||
|
||||
#=================================================
|
||||
# CREATE DEDICATED USER
|
||||
#=================================================
|
||||
|
||||
# Create a system user
|
||||
ynh_system_user_create $app
|
||||
|
||||
chown -R $app: $final_path
|
||||
chmod 740 $final_path
|
||||
|
||||
#=================================================
|
||||
# SETUP SYSTEMD
|
||||
|
@ -195,6 +207,16 @@ ynh_replace_string --match_string="<policy domain="coder" rights="none" pattern=
|
|||
|
||||
yunohost service add $app --description="Browse eBook in the web" --log="/var/log/$app/$app.log"
|
||||
|
||||
|
||||
#=================================================
|
||||
# GENERIC FINALIZATION
|
||||
#=================================================
|
||||
# SECURE FILES AND DIRECTORIES
|
||||
#=================================================
|
||||
|
||||
chown -R $app: $final_path
|
||||
chmod 740 $final_path
|
||||
|
||||
#=================================================
|
||||
# SETUP SSOWAT
|
||||
#=================================================
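Review bot: The venv block (second hunk) still installs unpinned, unverified code: `ensurepip` is followed by `pip3 install --upgrade wheel pip setuptools` and two `-r` installs whose upstream version ranges are resolved from PyPI at install time with no hash check, so the dependency set is whatever PyPI serves that day; generating a hashed lock file (e.g. `pip-compile --generate-hashes`) and installing with `--require-hashes` would pin it, and at minimum the `pip`/`setuptools`/`wheel` versions in the upgrade line should be pinned. The `set +o nounset; source …/activate; set -o nounset` wrapper is redundant because every command already uses the absolute `venv/bin/` path, and `ynh_exec_as` (presumably `sudo -u`, not visible here) would not carry the activation across anyway. `--target $final_path/vendor` puts the application packages outside the venv, so the venv only isolates pip itself and the runtime depends on `cps.py` adding `vendor/` to `sys.path` — worth a comment next to the install lines. `--use_shell` on the new system user gives the service account a login shell; if it is only there so `ynh_exec_as` can run pip, confirm that `sudo -u` actually needs it, since a shell-less account is the smaller target.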
|
||||
|
|
|
@ -49,7 +49,7 @@ ynh_remove_systemd_config
|
|||
#=================================================
|
||||
|
||||
# Remove metapackage and its dependencies
|
||||
ynh_script_progression --message="Removing Dependencies..." --weight=5
|
||||
ynh_script_progression --message="Removing Dependencies..." --weight=25
|
||||
ynh_remove_app_dependencies
|
||||
|
||||
|
||||
|
|
|
@ -85,13 +85,6 @@ chmod 740 $final_path
|
|||
ynh_script_progression --message="Reinstalling dependencies..." --weight=15
|
||||
ynh_install_app_dependencies $PKG_DEPENDENCIES
|
||||
|
||||
#use latest version of pip as per documentation in https://github.com/pypa/get-pip
|
||||
#cannot use helper as maintaining the checksum would be a pain in the a***
|
||||
curl https://bootstrap.pypa.io/get-pip.py | python3
|
||||
|
||||
#pip package not required as already in app directory
|
||||
#pip install --target $final_path/vendor -r $final_path/requirements.txt
|
||||
|
||||
#=================================================
|
||||
# RESTORE SYSTEMD
|
||||
#=================================================
|
||||
|
|
|
@ -159,6 +159,17 @@ fi
|
|||
# Create a dedicated nginx config
|
||||
ynh_add_nginx_config
|
||||
|
||||
#=================================================
|
||||
# CREATE DEDICATED USER
|
||||
#=================================================
|
||||
|
||||
# Create a dedicated user (if not existing)
|
||||
ynh_script_progression --message="Making sure dedicated system user exists..." --weight=1
|
||||
ynh_system_user_create --username="$app" --home_dir="$final_path" --use_shell
|
||||
# Set permissions on app files (required to be able to update database)
|
||||
chown -R $app: $final_path
|
||||
|
||||
|
||||
#=================================================
|
||||
# UPGRADE DEPENDENCIES
|
||||
#=================================================
|
||||
|
@ -168,26 +179,30 @@ then
|
|||
ynh_script_progression --message="Installing package dependencies..." --weight=15
|
||||
ynh_install_app_dependencies $PKG_DEPENDENCIES
|
||||
|
||||
#use latest version of pip as per documentation in https://github.com/pypa/get-pip
|
||||
#cannot use helper as maintaining the checksum would be a pain in the a***
|
||||
ynh_exec_quiet curl https://bootstrap.pypa.io/get-pip.py | python3
|
||||
#Use venv to install pip requirements - Inspired from https://github.com/YunoHost-Apps/pyinventory_ynh/blob/master/scripts/install
|
||||
ynh_script_progression --message="Installing pip requirements..." --weight=70
|
||||
# Always recreate everything fresh with current python version
|
||||
if [ -d "${final_path}/venv" ] ; then
|
||||
ynh_secure_remove "${final_path}/venv"
|
||||
fi
|
||||
|
||||
ynh_script_progression --message="Installing pip requirements ..." --weight=30
|
||||
pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r $final_path/requirements.txt
|
||||
|
||||
ynh_script_progression --message="Installing pip additionnal requirements..." --weight=40
|
||||
pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r $final_path/optional-requirements.txt
|
||||
# Skip pip because of: https://github.com/YunoHost/issues/issues/1960
|
||||
python3 -m venv --without-pip "${final_path}/venv"
|
||||
chown -R "$app:" "$final_path"
|
||||
|
||||
#run source in a 'sub shell'
|
||||
(
|
||||
set +o nounset
|
||||
source "${final_path}/venv/bin/activate"
|
||||
set -o nounset
|
||||
ynh_exec_as $app $final_path/venv/bin/python3 -m ensurepip
|
||||
ynh_exec_as $app $final_path/venv/bin/pip3 install --upgrade wheel pip setuptools
|
||||
ynh_exec_as $app $final_path/venv/bin/pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r "$final_path/requirements.txt"
|
||||
ynh_exec_as $app $final_path/venv/bin/pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r "$final_path/optional-requirements.txt"
|
||||
)
|
||||
fi
|
||||
#=================================================
|
||||
# CREATE DEDICATED USER
|
||||
#=================================================
|
||||
|
||||
# Create a dedicated user (if not existing)
|
||||
ynh_script_progression --message="Making sure dedicated system user exists..." --weight=1
|
||||
ynh_system_user_create $app
|
||||
|
||||
# Set permissions on app files (required to be able to update database)
|
||||
chown -R $app: $final_path
|
||||
|
||||
#=================================================
|
||||
# SPECIFIC UPGRADE
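Review bot: The upgrade block recreates `venv` from scratch (`ynh_secure_remove "${final_path}/venv"`) but leaves `$final_path/vendor` in place and reinstalls into it with `--target … --upgrade`, which pip treats as add-or-replace; it never removes packages that are no longer listed. Anything upstream drops between releases, or that an older version of this package installed (the patched optional-requirements already strips the google/httplib2/rsa set), therefore stays importable from `vendor/` on upgraded instances, possibly at vulnerable versions, while fresh installs do not have it. Clearing the directory the same way as the venv, `ynh_secure_remove "${final_path}/vendor"` placed just before the `python3 -m venv` line, keeps upgraded and freshly installed instances equivalent. The enclosing `if … then … fi` whose condition is outside the hunk presumably gates this on an actual upstream upgrade — not visible here.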
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
--- a/optional-requirements.txt 2022-03-06 16:10:41.000000000 +0100
|
||||
+++ b/optional-requirements.txt 2022-03-08 21:08:06.964027001 +0100
|
||||
--- a/optional-requirements.txt 2022-04-03 20:17:34.000000000 +0200
|
||||
+++ b/optional-requirements.txt 2022-04-18 12:10:55.761291352 +0200
|
||||
@@ -1,19 +1,5 @@
|
||||
# GDrive Integration
|
||||
-google-api-python-client>=1.7.11,<2.37.0
|
||||
-google-api-python-client>=1.7.11,<2.43.0
|
||||
gevent>20.6.0,<22.0.0
|
||||
-greenlet>=0.4.17,<1.2.0
|
||||
-httplib2>=0.9.2,<0.21.0
|
||||
|
@ -15,8 +15,8 @@
|
|||
-rsa>=3.4.2,<4.9.0
|
||||
-
|
||||
-# Gmail
|
||||
-google-auth-oauthlib>=0.4.3,<0.5.0
|
||||
-google-api-python-client>=1.7.11,<2.37.0
|
||||
-google-auth-oauthlib>=0.4.3,<0.6.0
|
||||
-google-api-python-client>=1.7.11,<2.43.0
|
||||
|
||||
# goodreads
|
||||
goodreads>=0.3.2,<0.4.0
|
||||
|
@ -30,4 +30,11 @@
|
|||
-
|
||||
# metadata extraction
|
||||
rarfile>=3.2
|
||||
scholarly>=1.2.0,<1.6
|
||||
scholarly>=1.2.0,<1.7
|
||||
@@ -42,3 +24,6 @@
|
||||
|
||||
# Kobo integration
|
||||
jsonschema>=3.2.0,<4.5.0
|
||||
+
|
||||
+#readded to avoid 2.2 from dependencies
|
||||
+werkzeug<2.1.0
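Review bot: The new pin `werkzeug<2.1.0` and its comment `#readded to avoid 2.2 from dependencies` disagree: the bound excludes every 2.1.x release while the comment names 2.2, so a later maintainer cannot tell which release actually breaks calibre-web. Correct the comment to the release that was observed to break and, since this caps a web framework that receives security fixes, mark it for revisiting, e.g. `# werkzeug>=2.1 breaks calibre-web 0.6.18 at startup; re-check on each upstream bump` — the nature of the breakage is inferred from the pin, not visible here. Because this line lives in optional-requirements.txt and scripts/install runs it as a second, separate `pip install --target --upgrade`, the pin only takes effect if that second install wins over whatever requirements.txt pulled in first; passing it as a constraints file (`-c`) to both installs would make the cap unconditional.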
|
||||
|
|