From 13aa0f876c61e14554412f2696c795bbdfd2e473 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Wed, 27 Dec 2023 12:25:19 +0100
Subject: [PATCH 1/8] Update upgrade

---
 scripts/upgrade | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/scripts/upgrade b/scripts/upgrade
index d5ed1aa..b4b652f 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -38,6 +38,12 @@ chmod -R o-rwx "$install_dir"
 chown -R $app:www-data "$install_dir"
 chmod +x "$install_dir/cjdroute"
+#=================================================
+# INTEGRATE SERVICE IN YUNOHOST
+#=================================================
+ynh_script_progression --message="Integrating cjdns service in YunoHost..."
+
+yunohost service add $app --description="$app service" --log="/var/log/$app/$app.log"
 #=================================================
 # START SYSTEMD SERVICE
@@ -45,6 +51,7 @@ chmod +x "$install_dir/cjdroute"
 ynh_script_progression --message="Restarting cjdns service..." --weight=1
 ynh_systemd_action --service_name=$app --action="restart" --log_path="systemd"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
From ffbfcf2705cf19847565d11df11b3cca1c78bca2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Wed, 27 Dec 2023 12:26:06 +0100
Subject: [PATCH 2/8] Update systemd.service

---
 conf/systemd.service | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index 0b2071d..adb4ce5 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -3,8 +3,8 @@ Description=Cjdns network
 After=network.target cjdns.service
 [Service]
-User=root
-Group=root
+User=__APP__
+Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/
 ExecStart=/bin/bash -c '__INSTALL_DIR__/cjdroute < __INSTALL_DIR__/cjdroute.conf'
 KillMode=process
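Review bot: The new `yunohost service add` line registers `--log="/var/log/$app/$app.log"`, but nothing visible in this series writes to that path: the unit's `ExecStart` runs cjdroute directly with no `StandardOutput=`/`StandardError=` redirection, so the YunoHost service log view will presumably stay empty unless cjdroute logs there on its own (the `ynh_use_logrotate` call in scripts/install only rotates the file, it does not fill it) — confirm, or add `StandardOutput=append:/var/log/__APP__/__APP__.log` to the unit. Minor: quote the expansion for consistency with the `"$install_dir"` lines just above, `yunohost service add "$app" --description="$app service" --log="/var/log/$app/$app.log"`. A one-line why-comment would also help, since the same call exists in install and restore: `# re-register on every upgrade so YunoHost's service status and backup hooks stay in sync`.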
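Review bot: Switching `User=`/`Group=` from root to `__APP__` drops CAP_NET_ADMIN, and cjdroute needs it to create and address the tun interface that doc/Admin.md step 6 relies on; as written the service will most likely start and then fail at interface setup. Keep the unprivileged user but grant only that capability, `AmbientCapabilities=CAP_NET_ADMIN` and `CapabilityBoundingSet=CAP_NET_ADMIN`, and verify on a fresh install rather than an upgrade where the tun device may already exist. The `ExecStart` stdin redirection also means `cjdroute.conf` must now be readable by `__APP__`; the `chown -R $app:www-data` in scripts/upgrade covers the owner, but it leaves group www-data (the web stack) able to read a file that presumably holds the node's private key — `chmod 600 "$install_dir/cjdroute.conf"` would be the safer complement if nothing running as www-data needs it. The `[Service]` section continues past the end of the hunk.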
From 7f004253871fa6aa2615236b46f622fd3e27dfc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Wed, 27 Dec 2023 12:26:40 +0100
Subject: [PATCH 3/8] Update systemd.service

---
 conf/systemd.service | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index adb4ce5..85da84e 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -10,5 +10,39 @@ ExecStart=/bin/bash -c '__INSTALL_DIR__/cjdroute < __INSTALL_DIR__/cjdroute.conf
 KillMode=process
 Restart=no
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
From d57bbb7a65e05e58bb3d5ee24717d4a559fbf220 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Wed, 27 Dec 2023 12:31:13 +0100
Subject: [PATCH 4/8] Update Admin.md

---
 doc/Admin.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/Admin.md b/doc/Admin.md
index 4acfc9c..16e8a42 100644
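Review bot: The added `CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW` line, together with `PrivateDevices=yes` and `DevicePolicy=closed`, removes exactly what cjdroute needs to bring up its tun interface (CAP_NET_ADMIN and access to `/dev/net/tun`), so this baseline — which its own comment says was written for webapps — will most likely leave the service unable to configure the network it exists for. Suggested change: replace that line with `CapabilityBoundingSet=~CAP_NET_BROADCAST CAP_NET_RAW`, and add `AmbientCapabilities=CAP_NET_ADMIN` and `DeviceAllow=/dev/net/tun rw` (PrivateDevices= alone may also hide the device node in the private /dev; test on a fresh install). `SystemCallFilter=~@setuid @privileged` is a second risk: cjdns' default `security` section in cjdroute.conf performs its own privilege drop (setuser/chroot, as far as I recall), and those calls would be killed with SIGSYS under this filter — confirm what the generated config contains and either strip that section or relax the filter. The comment `# Denying access to capabilities that should not be relevant for webapps` should be reworded to say this unit is a network daemon and state why each retained capability is needed.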
--- a/doc/Admin.md
+++ b/doc/Admin.md
@@ -1,6 +1,6 @@
 # Setup your website on cjdns network
-1. Install Yunohost by following the detailed instructions provided [here](link-to-instructions).
+1. Install YunoHost by following the detailed instructions provided [here](link-to-instructions).
 2. Once the installation is complete, log in as an administrator at `yunohost.local`. Perform a system update, which may take some time.
 3. Return to `yunohost.local` after the update and navigate to the Applications menu. Click on Install, search for "wordpress," select it, and proceed with the installation.
 4. In the Applications menu, search for "cjdns" and install it. If it does not appear due to not being published yet. You can sideload it by pasting the following URL: `https://github.com/dkoukoul/cjdns_ynh` into the "Install custom app" section.
@@ -9,7 +9,7 @@
 7. Navigate to Tools -> Yunohost Settings -> Security, and under NGINX, disable "Force HTTPS." Click Save to apply the changes.
 8. Edit `/etc/nginx/conf.d/[your-domain].conf`, add your cjdns-ipv6 to the list of `server_name`.
 9. Finally, to allow public access for cjdns requests to your new wordpress site you can do the following:
- 1. SSH into your yunohost server
+ 1. SSH into your yunoHost server
 2. Copy current sso configuration file to persistent: `cp /etc/ssowat/conf.json /etc/ssowat/conf.json.persistent`
 3. Then edit the persistent file: `nano /etc/ssowat/conf.json.persistent`
 4. Change `public` to `true` and add this line under the `wordpress.main uris` section: `"re:^.fc.*"`. Remember to add a trailing “,” to the above entry. For example:
From 65f15052dd1cffa011360e46f9facb2c7dd6d722 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Wed, 27 Dec 2023 12:34:58 +0100
Subject: [PATCH 5/8] cleaning

---
 doc/POST_INSTALL.md | 1 +
 scripts/install | 3 +--
 scripts/restore | 4 ----
 tests.toml | 7 ++++++-
 4 files changed, 8 insertions(+), 7 deletions(-)
 create mode 100644 doc/POST_INSTALL.md

diff --git a/doc/POST_INSTALL.md b/doc/POST_INSTALL.md
new file mode 100644
index 0000000..336c158
--- /dev/null
+++ b/doc/POST_INSTALL.md
@@ -0,0 +1 @@
+Your cjdns IPv6: __CJDNS_IPV6__
diff --git a/scripts/install b/scripts/install
index cd4ee5c..9102671 100755
--- a/scripts/install
+++ b/scripts/install
@@ -67,7 +67,7 @@ do
 done
 cjdns_ipv6=$(jq -r '.ipv6' < $install_dir/cjdroute.conf)
-
+ynh_app_setting_set --app=$app --key=cjdns_ipv6 --value=$cjdns_ipv6
 #=================================================
 # SETUP SYSTEMD
@@ -96,7 +96,6 @@ ynh_script_progression --message="Launching cjdns service..." --weight=1
 # Start a systemd service
 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
-ynh_script_progression --message="Your cjdns IPv6: $cjdns_ipv6" --weight=1
 #=================================================
 # END OF SCRIPT
diff --git a/scripts/restore b/scripts/restore
index 6b548fe..6e509ca 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -17,9 +17,6 @@ ynh_script_progression --message="Restoring the app main directory..." --weight=
 ynh_restore_file --origin_path="$install_dir"
-# $install_dir will automatically be initialized with some decent
-# permissions by default ... however, you may need to recursively reapply
-# ownership to all files such as after the ynh_setup_source step
 chown -R $app:www-data "$install_dir"
 #=================================================
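Review bot: The new `ynh_app_setting_set --app=$app --key=cjdns_ipv6 --value=$cjdns_ipv6` stores whatever `jq -r '.ipv6'` produced without checking it: a missing key yields the literal `null` and a parse failure yields an empty string, and either would then be persisted as the app setting and rendered verbatim into the new POST_INSTALL.md. Guard it first, `[[ -n "$cjdns_ipv6" && "$cjdns_ipv6" != "null" ]] || ynh_die --message="Could not read ipv6 from cjdroute.conf"`, and quote the value, `--value="$cjdns_ipv6"`. The hunk opens on `done`, so the loop that produces cjdroute.conf starts outside it; whether a failed jq aborts the script at all depends on that surrounding code.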
@@ -45,7 +42,6 @@ yunohost service add $app --description="$app service" --log="/var/log/$app/$app
 # GENERIC FINALIZATION
 #=================================================
-# Typically you only have either $app or php-fpm but not both at the same time...
 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
 #=================================================
diff --git a/tests.toml b/tests.toml
index 91daf17..ee11dba 100644
--- a/tests.toml
+++ b/tests.toml
@@ -4,4 +4,9 @@ test_format = 1.0
 # ------------
 # Tests to run
- # ------------
\ No newline at end of file
+ # ------------
+
+ exclude = ["install.multi", "change_url"] # The test IDs to be used in only/exclude statements are: install.root, install.subdir, install.nourl, install.multi, backup_restore, upgrade, upgrade.someCommitId change_url
+ # NB: you should NOT need this except if you really have a good reason...
+
+
From da33f2d85bda85d96bbcd0ee1c79dcd95a42f46d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Wed, 27 Dec 2023 12:39:34 +0100
Subject: [PATCH 6/8] cleaning

---
 conf/systemd.service | 2 +-
 doc/Admin.md | 2 +-
 manifest.toml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index 85da84e..7915a85 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Cjdns network
+Description=Cjdns: Encrypted IPv6 network
 After=network.target cjdns.service
 [Service]
diff --git a/doc/Admin.md b/doc/Admin.md
index 16e8a42..bfa96ef 100644
--- a/doc/Admin.md
+++ b/doc/Admin.md
@@ -5,7 +5,7 @@
 3. Return to `yunohost.local` after the update and navigate to the Applications menu. Click on Install, search for "wordpress," select it, and proceed with the installation.
 4. In the Applications menu, search for "cjdns" and install it. If it does not appear due to not being published yet. You can sideload it by pasting the following URL: `https://github.com/dkoukoul/cjdns_ynh` into the "Install custom app" section.
 5. Obtain your cjdns IPv6 address by navigating to Tools -> Logs -> Click on "Install the 'cjdns' app." Your IPv6 address should be displayed in the log.
-6. Reboot your Yunohost server to make the tun device available. Navigate to Tools->Shutdown and click Reboot.
+6. Reboot your YunoHost server to make the tun device available. Navigate to Tools->Shutdown and click Reboot.
 7. Navigate to Tools -> Yunohost Settings -> Security, and under NGINX, disable "Force HTTPS." Click Save to apply the changes.
 8. Edit `/etc/nginx/conf.d/[your-domain].conf`, add your cjdns-ipv6 to the list of `server_name`.
 9. Finally, to allow public access for cjdns requests to your new wordpress site you can do the following:
diff --git a/manifest.toml b/manifest.toml
index 24601a2..bb4694c 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -24,7 +24,7 @@ ldap = false
 sso = false
 disk = "50M"
-ram.build = "50M"
+ram.build = "200M"
 ram.runtime = "50M"
 [install]
From 85ccd5470decc09134447cb239d32601a30c0f1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Wed, 27 Dec 2023 12:40:00 +0100
Subject: [PATCH 7/8] Update manifest.toml

---
 manifest.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifest.toml b/manifest.toml
index bb4694c..4687299 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -48,4 +48,4 @@ ram.runtime = "50M"
 [resources.permissions]
 [resources.apt]
- packages = "curl, nodejs, jq"
+ packages = "curl, jq"
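Review bot: Dropping `nodejs` from `packages` removes a build-time dependency that cjdns' own build script needs, as far as I recall, if the install script still compiles cjdroute from source; the `ram.build` bump to 200M earlier in this series suggests a build step does still exist. If the app now ships a prebuilt `cjdroute` binary this is fine, but that should be recorded next to the line, e.g. `packages = "curl, jq" # cjdroute is fetched prebuilt; nodejs is no longer needed for a source build`, and if it is still built from source, nodejs has to stay. `[resources.apt]` is the last table in the hunk; the manifest may continue past it.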
From a2b3d57e6fefda348d8f5ee58355aac7c1a033fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Wed, 27 Dec 2023 12:41:27 +0100
Subject: [PATCH 8/8] add description

---
 scripts/install | 2 +-
 scripts/restore | 2 +-
 scripts/upgrade | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/install b/scripts/install
index 9102671..0ed4ee2 100755
--- a/scripts/install
+++ b/scripts/install
@@ -85,7 +85,7 @@ ynh_use_logrotate
 #=================================================
 ynh_script_progression --message="Integrating cjdns service in YunoHost..."
-yunohost service add $app --description="$app service" --log="/var/log/$app/$app.log"
+yunohost service add $app --description="Encrypted IPv6 network" --log="/var/log/$app/$app.log"
 #=================================================
 # GENERIC FINALIZATION
diff --git a/scripts/restore b/scripts/restore
index 6e509ca..9a91205 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -36,7 +36,7 @@ chown -R $app:www-data "$data_dir"
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 systemctl enable $app.service --quiet
-yunohost service add $app --description="$app service" --log="/var/log/$app/$app.log"
+yunohost service add $app --description="Encrypted IPv6 network" --log="/var/log/$app/$app.log"
 #=================================================
 # GENERIC FINALIZATION
diff --git a/scripts/upgrade b/scripts/upgrade
index b4b652f..d190780 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -43,7 +43,7 @@ chmod +x "$install_dir/cjdroute"
 #=================================================
 ynh_script_progression --message="Integrating cjdns service in YunoHost..."
-yunohost service add $app --description="$app service" --log="/var/log/$app/$app.log"
+yunohost service add $app --description="Encrypted IPv6 network" --log="/var/log/$app/$app.log"
 #=================================================
 # START SYSTEMD SERVICE