diff --git a/conf/systemd.service b/conf/systemd.service index 0b2071d..7915a85 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -1,14 +1,48 @@ [Unit] -Description=Cjdns network +Description=Cjdns: Encrypted IPv6 network After=network.target cjdns.service [Service] -User=root -Group=root +User=__APP__ +Group=__APP__ WorkingDirectory=__INSTALL_DIR__/ ExecStart=/bin/bash -c '__INSTALL_DIR__/cjdroute < __INSTALL_DIR__/cjdroute.conf' KillMode=process Restart=no +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target 
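Review bot: The sandbox added under `[Service]` looks likely to stop cjdroute from creating its TUN interface: `PrivateDevices=yes` gives the service a /dev without `/dev/net/tun`, `CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW` removes the capability needed to configure an interface, and the unit no longer runs as root. doc/Admin.md in this commit says the tun device is needed, so verify the tunnel comes up under this unit; if it does not, a narrow exception keeps the rest of the hardening: `PrivateDevices=no` with `DeviceAllow=/dev/net/tun rw` (DevicePolicy=closed can stay), `AmbientCapabilities=CAP_NET_ADMIN`, and CAP_NET_ADMIN taken out of the denied list. The `@setuid` and `@privileged` entries in `SystemCallFilter` may also block any privilege drop cjdroute performs itself, which is worth checking in the journal after a start. Separately, `CAP_RAWIO` is not a capability name (the kernel's is `CAP_SYS_RAWIO`), so that entry probably restricts nothing, and the "webapps" comment is template wording that does not describe this daemon.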
diff --git a/doc/Admin.md b/doc/Admin.md
index 4acfc9c..bfa96ef 100644
--- a/doc/Admin.md
+++ b/doc/Admin.md
@@ -1,15 +1,15 @@ # Setup your website on cjdns network -1. Install Yunohost by following the detailed instructions provided [here](link-to-instructions). +1. Install YunoHost by following the detailed instructions provided [here](link-to-instructions). 2. Once the installation is complete, log in as an administrator at `yunohost.local`. Perform a system update, which may take some time. 3. Return to `yunohost.local` after the update and navigate to the Applications menu. Click on Install, search for "wordpress," select it, and proceed with the installation. 4. In the Applications menu, search for "cjdns" and install it. If it does not appear due to not being published yet. You can sideload it by pasting the following URL: `https://github.com/dkoukoul/cjdns_ynh` into the "Install custom app" section. 5. Obtain your cjdns IPv6 address by navigating to Tools -> Logs -> Click on "Install the 'cjdns' app." Your IPv6 address should be displayed in the log. -6. Reboot your Yunohost server to make the tun device available. Navigate to Tools->Shutdown and click Reboot. +6. Reboot your YunoHost server to make the tun device available. Navigate to Tools->Shutdown and click Reboot. 7. Navigate to Tools -> Yunohost Settings -> Security, and under NGINX, disable "Force HTTPS." Click Save to apply the changes. 8. Edit `/etc/nginx/conf.d/[your-domain].conf`, add your cjdns-ipv6 to the list of `server_name`. 9. Finally, to allow public access for cjdns requests to your new wordpress site you can do the following: - 1. SSH into your yunohost server + 1. SSH into your yunoHost server 2. Copy current sso configuration file to persistent: `cp /etc/ssowat/conf.json /etc/ssowat/conf.json.persistent` 3. Then edit the persistent file: `nano /etc/ssowat/conf.json.persistent` 4. Change `public` to `true` and add this line under the `wordpress.main uris` section: `"re:^.fc.*"`. Remember to add a trailing “,” to the above entry. For example: 
diff --git a/doc/POST_INSTALL.md b/doc/POST_INSTALL.md new file mode 100644 index 0000000..336c158 --- /dev/null +++ b/doc/POST_INSTALL.md @@ -0,0 +1 @@ +Your cjdns IPv6: __CJDNS_IPV6__ diff --git a/manifest.toml b/manifest.toml index 24601a2..4687299 100644 --- a/manifest.toml +++ b/manifest.toml @@ -24,7 +24,7 @@ ldap = false sso = false disk = "50M" -ram.build = "50M" +ram.build = "200M" ram.runtime = "50M" [install] @@ -48,4 +48,4 @@ ram.runtime = "50M" [resources.permissions] [resources.apt] - packages = "curl, nodejs, jq" + packages = "curl, jq" diff --git a/scripts/install b/scripts/install index cd4ee5c..0ed4ee2 100755 --- a/scripts/install +++ b/scripts/install @@ -67,7 +67,7 @@ do done cjdns_ipv6=$(jq -r '.ipv6' < $install_dir/cjdroute.conf) - +ynh_app_setting_set --app=$app --key=cjdns_ipv6 --value=$cjdns_ipv6 #================================================= # SETUP SYSTEMD @@ -85,7 +85,7 @@ ynh_use_logrotate #================================================= ynh_script_progression --message="Integrating cjdns service in YunoHost..." -yunohost service add $app --description="$app service" --log="/var/log/$app/$app.log" +yunohost service add $app --description="Encrypted IPv6 network" --log="/var/log/$app/$app.log" #================================================= # GENERIC FINALIZATION @@ -96,7 +96,6 @@ ynh_script_progression --message="Launching cjdns service..." --weight=1 # Start a systemd service ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" -ynh_script_progression --message="Your cjdns IPv6: $cjdns_ipv6" --weight=1 #================================================= # END OF SCRIPT diff --git a/scripts/restore b/scripts/restore index 6b548fe..9a91205 100755 --- a/scripts/restore +++ b/scripts/restore 
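Review bot: In scripts/install, `ynh_app_setting_set --app=$app --key=cjdns_ipv6 --value=$cjdns_ipv6` stores whatever jq printed without checking it, and the expansions are unquoted. If `.ipv6` is missing from cjdroute.conf, `jq -r` prints `null`, which would then be saved and shown to the admin through `__CJDNS_IPV6__` in doc/POST_INSTALL.md. Consider failing early, for example `[ -n "$cjdns_ipv6" ] && [ "$cjdns_ipv6" != "null" ] || ynh_die --message="Could not read ipv6 from cjdroute.conf"`, and quoting the value as `--value="$cjdns_ipv6"`. The context line above it reads `$install_dir/cjdroute.conf` unquoted as well.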
@@ -17,9 +17,6 @@ ynh_script_progression --message="Restoring the app main directory..." --weight= ynh_restore_file --origin_path="$install_dir" -# $install_dir will automatically be initialized with some decent -# permissions by default ... however, you may need to recursively reapply -# ownership to all files such as after the ynh_setup_source step chown -R $app:www-data "$install_dir" #================================================= @@ -39,13 +36,12 @@ chown -R $app:www-data "$data_dir" ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable $app.service --quiet -yunohost service add $app --description="$app service" --log="/var/log/$app/$app.log" +yunohost service add $app --description="Encrypted IPv6 network" --log="/var/log/$app/$app.log" #================================================= # GENERIC FINALIZATION #================================================= -# Typically you only have either $app or php-fpm but not both at the same time... ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index d5ed1aa..d190780 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -38,6 +38,12 @@ chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" chmod +x "$install_dir/cjdroute" +#================================================= +# INTEGRATE SERVICE IN YUNOHOST +#================================================= +ynh_script_progression --message="Integrating cjdns service in YunoHost..." + +yunohost service add $app --description="Encrypted IPv6 network" --log="/var/log/$app/$app.log" #================================================= # START SYSTEMD SERVICE 
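Review bot: In scripts/upgrade, the lines visible around the added block re-own only `$install_dir` before the restart, while existing installs ran the service as root until this commit. Anything the root-run service created elsewhere, such as the `/var/log/$app/$app.log` file registered by the added `yunohost service add` line, may still be root-owned and unwritable by the new `User=__APP__`; consider adding `chown -R "$app:" "/var/log/$app"` before the restart if that directory is not already re-owned elsewhere in the script. Whether the upgrade re-renders the systemd unit is outside this hunk, so confirm that as well, otherwise upgraded hosts keep the old root unit without the sandboxing.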
@@ -45,6 +51,7 @@ chmod +x "$install_dir/cjdroute" ynh_script_progression --message="Restarting cjdns service..." --weight=1 ynh_systemd_action --service_name=$app --action="restart" --log_path="systemd" + #================================================= # END OF SCRIPT #================================================= diff --git a/tests.toml b/tests.toml index 91daf17..ee11dba 100644 --- a/tests.toml +++ b/tests.toml @@ -4,4 +4,9 @@ test_format = 1.0 # ------------ # Tests to run - # ------------ \ No newline at end of file + # ------------ + + exclude = ["install.multi", "change_url"] # The test IDs to be used in only/exclude statements are: install.root, install.subdir, install.nourl, install.multi, backup_restore, upgrade, upgrade.someCommitId change_url + # NB: you should NOT need this except if you really have a good reason... + +