Merge pull request #6 from YunoHost-Apps/testing

Testing

conf/systemd.service

@@ -1,14 +1,48 @@
 [Unit]
-Description=Cjdns network
+Description=Cjdns: Encrypted IPv6 network
 After=network.target cjdns.service
 
 [Service]
-User=root
+User=__APP__
-Group=root
+Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/
 ExecStart=/bin/bash -c '__INSTALL_DIR__/cjdroute < __INSTALL_DIR__/cjdroute.conf'
 KillMode=process
 Restart=no
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target

doc/Admin.md

@@ -1,15 +1,15 @@
 # Setup your website on cjdns network
 
-1. Install Yunohost by following the detailed instructions provided [here](link-to-instructions).
+1. Install YunoHost by following the detailed instructions provided [here](link-to-instructions).
 2. Once the installation is complete, log in as an administrator at `yunohost.local`. Perform a system update, which may take some time.
 3. Return to `yunohost.local` after the update and navigate to the Applications menu. Click on Install, search for "wordpress," select it, and proceed with the installation.
 4. In the Applications menu, search for "cjdns" and install it. If it does not appear due to not being published yet. You can sideload it by pasting the following URL: `https://github.com/dkoukoul/cjdns_ynh` into the "Install custom app" section.
 5. Obtain your cjdns IPv6 address by navigating to Tools -> Logs -> Click on "Install the 'cjdns' app." Your IPv6 address should be displayed in the log.
-6. Reboot your Yunohost server to make the tun device available. Navigate to Tools->Shutdown and click Reboot.
+6. Reboot your YunoHost server to make the tun device available. Navigate to Tools->Shutdown and click Reboot.
 7. Navigate to Tools -> Yunohost Settings -> Security, and under NGINX, disable "Force HTTPS." Click Save to apply the changes.
 8. Edit `/etc/nginx/conf.d/[your-domain].conf`, add your cjdns-ipv6 to the list of `server_name`. 
 9. Finally, to allow public access for cjdns requests to your new wordpress site you can do the following:
-   1.  SSH into your yunohost server
+   1.  SSH into your yunoHost server
    2.  Copy current sso configuration file to persistent: `cp /etc/ssowat/conf.json /etc/ssowat/conf.json.persistent`
    3.  Then edit the persistent file: `nano /etc/ssowat/conf.json.persistent`
    4.  Change `public` to `true` and add this line under the `wordpress.main uris` section: `"re:^.fc.*"`. Remember to add a trailing “,” to the above entry. For example:

doc/POST_INSTALL.md

@@ -0,0 +1 @@
+Your cjdns IPv6: __CJDNS_IPV6__

manifest.toml

@@ -24,7 +24,7 @@ ldap = false
 sso = false
 
 disk = "50M"
-ram.build = "50M"
+ram.build = "200M"
 ram.runtime = "50M"
 
 [install]
@@ -48,4 +48,4 @@ ram.runtime = "50M"
     [resources.permissions]
 
     [resources.apt]
-    packages = "curl, nodejs, jq"
+    packages = "curl, jq"

scripts/install

@@ -67,7 +67,7 @@ do
 done
 
 cjdns_ipv6=$(jq -r '.ipv6' < $install_dir/cjdroute.conf)
-
+ynh_app_setting_set --app=$app --key=cjdns_ipv6 --value=$cjdns_ipv6
 
 #=================================================
 # SETUP SYSTEMD
@@ -85,7 +85,7 @@ ynh_use_logrotate
 #=================================================
 ynh_script_progression --message="Integrating cjdns service in YunoHost..."
 
-yunohost service add $app --description="$app service" --log="/var/log/$app/$app.log"
+yunohost service add $app --description="Encrypted IPv6 network" --log="/var/log/$app/$app.log"
 
 #=================================================
 # GENERIC FINALIZATION
@@ -96,7 +96,6 @@ ynh_script_progression --message="Launching cjdns service..." --weight=1
 
 # Start a systemd service
 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
-ynh_script_progression --message="Your cjdns IPv6: $cjdns_ipv6" --weight=1
 
 #=================================================
 # END OF SCRIPT

scripts/restore

@@ -17,9 +17,6 @@ ynh_script_progression --message="Restoring the app main directory..." --weight=
 
 ynh_restore_file --origin_path="$install_dir"
 
-# $install_dir will automatically be initialized with some decent 
-# permissions by default ... however, you may need to recursively reapply
-# ownership to all files such as after the ynh_setup_source step
 chown -R $app:www-data "$install_dir"
 
 #=================================================
@@ -39,13 +36,12 @@ chown -R $app:www-data "$data_dir"
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 systemctl enable $app.service --quiet
 
-yunohost service add $app --description="$app service" --log="/var/log/$app/$app.log"
+yunohost service add $app --description="Encrypted IPv6 network" --log="/var/log/$app/$app.log"
 
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
 
-# Typically you only have either $app or php-fpm but not both at the same time...
 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
 
 #=================================================

scripts/upgrade

@@ -38,6 +38,12 @@ chmod -R o-rwx "$install_dir"
 chown -R $app:www-data "$install_dir"
 chmod +x "$install_dir/cjdroute"
 
+#=================================================
+# INTEGRATE SERVICE IN YUNOHOST
+#=================================================
+ynh_script_progression --message="Integrating cjdns service in YunoHost..."
+
+yunohost service add $app --description="Encrypted IPv6 network" --log="/var/log/$app/$app.log"
 
 #=================================================
 # START SYSTEMD SERVICE
@@ -45,6 +51,7 @@ chmod +x "$install_dir/cjdroute"
 ynh_script_progression --message="Restarting cjdns service..." --weight=1
 
 ynh_systemd_action --service_name=$app --action="restart" --log_path="systemd"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

tests.toml

@@ -5,3 +5,8 @@ test_format = 1.0
     # ------------
     # Tests to run
     # ------------
+
+    exclude = ["install.multi", "change_url"]  # The test IDs to be used in only/exclude statements are: install.root, install.subdir, install.nourl, install.multi, backup_restore, upgrade, upgrade.someCommitId change_url
+    # NB: you should NOT need this except if you really have a good reason...
+
+