First working setup

2024-09-03 18:26:22 +02:00 · 2022-03-23 17:09:33 +07:00 · 2022-03-23 17:09:33 +07:00 · b77a54b21b
commit b77a54b21b
parent 9ec4595755
10 changed files with 62 additions and 274 deletions
--- a/conf/app.src
+++ b/conf/app.src
@ -1,5 +1,5 @@
 SOURCE_URL=https://github.com/dexidp/dex/archive/refs/tags/v2.31.1.tar.gz
-SOURCE_SUM=sha256 a85f2f33a69954f9dc7da2255743d8befad24cd2c7afac4ab74c5b6d1072e67e
+SOURCE_SUM=a85f2f33a69954f9dc7da2255743d8befad24cd2c7afac4ab74c5b6d1072e67e
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
--- a/conf/config.yaml
+++ b/conf/config.yaml
@ -1,5 +1,5 @@
 # LDAP connector + Yunohost setup + staticClient as per manifest.json
-issuer: https://__DOMAIN__/__PATH_URL__
+issuer: https://__DOMAIN____PATH_URL__
 storage:
  type: sqlite3
  config:
@ -7,6 +7,12 @@ storage:
 web:
  http: 127.0.0.1:__PORT__

+frontend:
+  issuer: dex
+  logoURL: /usr/share/yunohost/admin/img/logo.08bab97e.png
+  dir: web/
+  theme: light
+
 connectors:
 - type: ldap
  name: OpenLDAP
@ -43,6 +49,6 @@ connectors:
 staticClients:
 - id: __OIDC_NAME__
  redirectURIs:
-  - '__OIDC_CALLBACK__'
-  name: '__OIDC_NAME__'
-  secret: __OIDC_SECRET__
+  - __OIDC_CALLBACK__
+  name: __OIDC_NAME__
+  secret: __OIDC_SECRET__
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -7,7 +7,7 @@ Type=simple
 User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/
-ExecStart=__FINALPATH__/./bin/dex serve config.yaml
+ExecStart=__FINALPATH__/bin/dex serve config.yaml
 StandardOutput=append:/var/log/__APP__/__APP__.log
 StandardError=inherit

--- a/scripts/backup
+++ b/scripts/backup
@ -28,34 +28,25 @@ ynh_print_info --message="Loading installation settings..."

 app=$YNH_APP_INSTANCE_NAME

-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 domain=$(ynh_app_setting_get --app=$app --key=domain)
-db_name=$(ynh_app_setting_get --app=$app --key=db_name)
-phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
-datadir=$(ynh_app_setting_get --app=$app --key=datadir)
+path_url=$(ynh_app_setting_get --app=$app --key=path)
+final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+port=$(ynh_app_setting_get --app=$app --key=port)
+oidc_name=$(ynh_app_setting_get --app=$app --key=oidc_name)
+oidc_secret=$(ynh_app_setting_get --app=$app --key=oidc_secret)
+oidc_callback=$(ynh_app_setting_get --app=$app --key=oidc_callback)

 #=================================================
 # DECLARE DATA AND CONF FILES TO BACKUP
 #=================================================
 ynh_print_info --message="Declaring files to be backed up..."

-### N.B. : the following 'ynh_backup' calls are only a *declaration* of what needs
-### to be backuped and not an actual copy of any file. The actual backup that
-### creates and fill the archive with the files happens in the core after this
-### script is called. Hence ynh_backups calls takes basically 0 seconds to run.
-
 #=================================================
 # BACKUP THE APP MAIN DIR
 #=================================================

 ynh_backup --src_path="$final_path"

-#=================================================
-# BACKUP THE DATA DIR
-#=================================================
-
-ynh_backup --src_path="$datadir" --is_big
-
 #=================================================
 # BACKUP THE NGINX CONFIGURATION
 #=================================================
@ -84,14 +75,6 @@ ynh_backup --src_path="/etc/logrotate.d/$app"

 ynh_backup --src_path="/etc/systemd/system/$app.service"

-#=================================================
-# BACKUP VARIOUS FILES
-#=================================================
-
-ynh_backup --src_path="/etc/cron.d/$app"
-
-ynh_backup --src_path="/etc/$app/"
-
 #=================================================
 # END OF SCRIPT
 #=================================================
--- a/scripts/change_url
+++ b/scripts/change_url
@ -29,11 +29,6 @@ ynh_script_progression --message="Loading installation settings..." --time --wei
 # Needed for helper "ynh_add_nginx_config"
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)

-# Add settings here as needed by your application
-#db_name=$(ynh_app_setting_get --app=$app --key=db_name)
-#db_user=$db_name
-#db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
-
 #=================================================
 # BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP
 #=================================================
@ -108,9 +103,17 @@ fi
 #=================================================
 # SPECIFIC MODIFICATIONS
 #=================================================
-# ...
+# MODIFY URL IN YAML CONF
 #=================================================

+# Make a backup of the original YAML config file if modified
+ynh_backup_if_checksum_is_different --file="$final_path/config.yaml"
+# Set global variables for YAML helper
+domain="$new_domain"
+path_url="$new_path"
+# Create a dedicated YAML config
+ynh_add_config --template="config.yaml" --destination="$final_path/config.yaml"
+
 #=================================================
 # GENERIC FINALISATION
 #=================================================
--- a/scripts/config
+++ b/scripts/config
@ -1,102 +0,0 @@
-#!/bin/bash
-# In simple cases, you don't need a config script. 
-
-# With a simple config_panel.toml, you can write in the app settings, in the 
-# upstream config file or replace complete files (logo ...) and restart services.
-
-# The config scripts allows you to go further, to handle specific cases 
-# (validation of several interdependent fields, specific getter/setter for a value,
-# display dynamic informations or choices, pre-loading of config type .cube... ).
-
-#=================================================
-# GENERIC STARTING
-#=================================================
-# IMPORT GENERIC HELPERS
-#=================================================
-
-source /usr/share/yunohost/helpers
-
-ynh_abort_if_errors
-
-#=================================================
-# RETRIEVE ARGUMENTS
-#=================================================
-
-final_path=$(ynh_app_setting_get $app final_path)
-
-#=================================================
-# SPECIFIC GETTERS FOR TOML SHORT KEY
-#=================================================
-
-get__amount() {
-    # Here we can imagine to have an API call to stripe to know the amount of donation during a month
-    local amount = 200
-
-    # It's possible to change some properties of the question by overriding it:
-    if [ $amount -gt 100 ]
-    then
-    cat << EOF
-style: success
-value: $amount
-ask:
-  en: A lot of donation this month: **$amount €**
-EOF
-    else
-    cat << EOF
-style: danger
-value: $amount
-ask:
-  en: Not so much donation this month: $amount €
-EOF
-    fi
-}
-
-get__prices() {
-    local prices = "$(grep "DONATION\['" "$final_path/settings.py" | sed -r "s@^DONATION\['([^']*)'\]\['([^']*)'\] = '([^']*)'@\1/\2/\3@g" | sed -z 's/\n/,/g;s/,$/\n/')"
-    if [ "$prices" == "," ];
-    then
-        # Return YNH_NULL if you prefer to not return a value at all.
-        echo YNH_NULL
-    else
-        echo $prices
-    fi
-}
-
-
-#=================================================
-# SPECIFIC VALIDATORS FOR TOML SHORT KEYS
-#=================================================
-validate__publishable_key() {
-
-    # We can imagine here we test if the key is really a publisheable key
-    (is_secret_key $publishable_key) &&
-        echo 'This key seems to be a secret key'
-}
-
-#=================================================
-# SPECIFIC SETTERS FOR TOML SHORT KEYS
-#=================================================
-set__prices() {
-
-    #---------------------------------------------
-    # IMPORTANT: setter are trigger only if a change is detected
-    #---------------------------------------------
-    for price in $(echo $prices | sed "s/,/ /"); do
-        frequency=$(echo $price | cut -d/ -f1)
-        currency=$(echo $price | cut -d/ -f2)
-        price_id=$(echo $price | cut -d/ -f3)
-        sed "d/DONATION\['$frequency'\]\['$currency'\]" "$final_path/settings.py"
-
-        echo "DONATION['$frequency']['$currency'] = '$price_id'" >> "$final_path/settings.py"
-    done
-    
-    #---------------------------------------------
-    # IMPORTANT: to be able to upgrade properly, you have to saved the value in settings too
-    #---------------------------------------------
-    ynh_app_setting_set $app prices $prices
-}
-
-#=================================================
-# GENERIC FINALIZATION
-#=================================================
-ynh_app_config_run $1
--- a/scripts/install
+++ b/scripts/install
@ -27,7 +27,7 @@ ynh_abort_if_errors

 domain=$YNH_APP_ARG_DOMAIN
 path_url=$YNH_APP_ARG_PATH
-is_public=true
+is_public=1

 oidc_name=$YNH_APP_ARG_OIDC_NAME
 oidc_secret=$YNH_APP_ARG_OIDC_SECRET
@ -73,7 +73,7 @@ ynh_app_setting_set --app=$app --key=port --value=$port
 #=================================================
 ynh_script_progression --message="Installing dependencies..." --time --weight=1

-ynh_install_app_dependencies $pkg_dependencies
+#ynh_install_app_dependencies $pkg_dependencies

 #=================================================
 # CREATE DEDICATED USER
@ -117,6 +117,7 @@ ynh_exec_warn_less ynh_install_go --go_version=$GO_VERSION
 pushd "$final_path"
 	# Build the sources
 	ynh_use_go
+	unset GOPATH
 	make build
 popd

@ -171,7 +172,7 @@ ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$ap
 ynh_script_progression --message="Configuring Fail2Ban..." --time --weight=1

 # Create a dedicated Fail2Ban config
-ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
+ynh_add_fail2ban_config --logpath="/var/log/dex/dex.log" --failregex="ldap: invalid password for user"

 #=================================================
 # SETUP SSOWAT
@ -186,12 +187,6 @@ then
 	ynh_permission_update --permission="main" --add="visitors"
 fi

-### N.B. : the following extra permissions only make sense if your app
-### does have for example an admin interface or an API.
-
-# Only the admin can access the admin panel of the app (if the app has an admin panel)
-ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
-
 #=================================================
 # RELOAD NGINX
 #=================================================
--- a/scripts/remove
+++ b/scripts/remove
@ -17,11 +17,12 @@ ynh_script_progression --message="Loading installation settings..." --time --wei
 app=$YNH_APP_INSTANCE_NAME

 domain=$(ynh_app_setting_get --app=$app --key=domain)
-port=$(ynh_app_setting_get --app=$app --key=port)
-db_name=$(ynh_app_setting_get --app=$app --key=db_name)
-db_user=$db_name
+path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
-datadir=$(ynh_app_setting_get --app=$app --key=datadir)
+port=$(ynh_app_setting_get --app=$app --key=port)
+oidc_name=$(ynh_app_setting_get --app=$app --key=oidc_name)
+oidc_secret=$(ynh_app_setting_get --app=$app --key=oidc_secret)
+oidc_callback=$(ynh_app_setting_get --app=$app --key=oidc_callback)

 #=================================================
 # STANDARD REMOVE
--- a/scripts/restore
+++ b/scripts/restore
@ -31,10 +31,10 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
-db_name=$(ynh_app_setting_get --app=$app --key=db_name)
-db_user=$db_name
-phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
-datadir=$(ynh_app_setting_get --app=$app --key=datadir)
+port=$(ynh_app_setting_get --app=$app --key=port)
+oidc_name=$(ynh_app_setting_get --app=$app --key=oidc_name)
+oidc_secret=$(ynh_app_setting_get --app=$app --key=oidc_secret)
+oidc_callback=$(ynh_app_setting_get --app=$app --key=oidc_callback)

 #=================================================
 # CHECK IF THE APP CAN BE RESTORED
@ -68,35 +68,10 @@ ynh_script_progression --message="Restoring the app main directory..." --time --

 ynh_restore_file --origin_path="$final_path"

-# FIXME: this should be managed by the core in the future
-# Here, as a packager, you may have to tweak the ownerhsip/permissions
-# such that the appropriate users (e.g. maybe www-data) can access
-# files in some cases.
-# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
-# this will be treated as a security issue.
 chmod 750 "$final_path"
 chmod -R o-rwx "$final_path"
 chown -R $app:www-data "$final_path"

-#=================================================
-# RESTORE THE DATA DIRECTORY
-#=================================================
-ynh_script_progression --message="Restoring the data directory..." --time --weight=1
-
-ynh_restore_file --origin_path="$datadir" --not_mandatory
-
-mkdir -p $datadir
-
-# FIXME: this should be managed by the core in the future
-# Here, as a packager, you may have to tweak the ownerhsip/permissions
-# such that the appropriate users (e.g. maybe www-data) can access
-# files in some cases.
-# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
-# this will be treated as a security issue.
-chmod 750 "$datadir"
-chmod -R o-rwx "$datadir"
-chown -R $app:www-data "$datadir"
-
 #=================================================
 # RESTORE FAIL2BAN CONFIGURATION
 #=================================================
@ -116,15 +91,6 @@ ynh_script_progression --message="Reinstalling dependencies..." --time --weight=
 # Define and install dependencies
 ynh_install_app_dependencies $pkg_dependencies

-#=================================================
-# RESTORE VARIOUS FILES
-#=================================================
-ynh_script_progression --message="Restoring various files..." --time --weight=1
-
-ynh_restore_file --origin_path="/etc/cron.d/$app"
-
-ynh_restore_file --origin_path="/etc/$app/"
-
 #=================================================
 # RESTORE SYSTEMD
 #=================================================
@ -159,9 +125,8 @@ ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$ap
 #=================================================
 # RELOAD NGINX AND PHP-FPM
 #=================================================
-ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." --time --weight=1
+ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1

-ynh_systemd_action --service_name=php$phpversion-fpm --action=reload
 ynh_systemd_action --service_name=nginx --action=reload

 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -18,21 +18,16 @@ app=$YNH_APP_INSTANCE_NAME

 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
-language=$(ynh_app_setting_get --app=$app --key=language)
-admin=$(ynh_app_setting_get --app=$app --key=admin)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
-db_name=$(ynh_app_setting_get --app=$app --key=db_name)
+port=$(ynh_app_setting_get --app=$app --key=port)
+oidc_name=$(ynh_app_setting_get --app=$app --key=oidc_name)
+oidc_secret=$(ynh_app_setting_get --app=$app --key=oidc_secret)
+oidc_callback=$(ynh_app_setting_get --app=$app --key=oidc_callback)

 #=================================================
 # CHECK VERSION
 #=================================================

-### This helper will compare the version of the currently installed app and the version of the upstream package.
-### $upgrade_type can have 2 different values
-### - UPGRADE_APP if the upstream app version has changed
-### - UPGRADE_PACKAGE if only the YunoHost package has changed
-### ynh_check_app_version_changed will stop the upgrade if the app is up to date.
-### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do.
 upgrade_type=$(ynh_check_app_version_changed)

 #=================================================
@ -58,49 +53,6 @@ ynh_script_progression --message="Stopping a systemd service..." --time --weight

 ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"

-#=================================================
-# ENSURE DOWNWARD COMPATIBILITY
-#=================================================
-ynh_script_progression --message="Ensuring downward compatibility..." --time --weight=1
-
-#
-# N.B. : the followings setting migrations snippets are provided as *EXAMPLES*
-# of what you may want to do in some cases (e.g. a setting was not defined on
-# some legacy installs and you therefore want to initiaze stuff during upgrade)
-#
-
-# If db_name doesn't exist, create it
-#if [ -z "$db_name" ]; then
-#	db_name=$(ynh_sanitize_dbid --db_name=$app)
-#	ynh_app_setting_set --app=$app --key=db_name --value=$db_name
-#fi
-
-# If final_path doesn't exist, create it
-#if [ -z "$final_path" ]; then
-#	final_path=/var/www/$app
-#	ynh_app_setting_set --app=$app --key=final_path --value=$final_path
-#fi
-
-### If nobody installed your app before 4.1,
-### then you may safely remove these lines
-
-# Cleaning legacy permissions
-if ynh_legacy_permissions_exists; then
-	ynh_legacy_permissions_delete_all
-
-	ynh_app_setting_delete --app=$app --key=is_public
-fi
-
-if ! ynh_permission_exists --permission="admin"; then
-	# Create the required permissions
-	ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
-fi
-
-# Create a permission if needed
-if ! ynh_permission_exists --permission="api"; then
-	ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
-fi
-
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@ -121,12 +73,6 @@ then
 	ynh_setup_source --dest_dir="$final_path"
 fi

-# FIXME: this should be managed by the core in the future
-# Here, as a packager, you may have to tweak the ownerhsip/permissions
-# such that the appropriate users (e.g. maybe www-data) can access
-# files in some cases.
-# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
-# this will be treated as a security issue.
 chmod 750 "$final_path"
 chmod -R o-rwx "$final_path"
 chown -R $app:www-data "$final_path"
@ -139,13 +85,6 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." -
 # Create a dedicated NGINX config
 ynh_add_nginx_config

-#=================================================
-# UPGRADE DEPENDENCIES
-#=================================================
-ynh_script_progression --message="Upgrading dependencies..." --time --weight=1
-
-ynh_install_app_dependencies $pkg_dependencies
-
 #=================================================
 # PHP-FPM CONFIGURATION
 #=================================================
@ -157,34 +96,32 @@ ynh_add_fpm_config
 #=================================================
 # SPECIFIC UPGRADE
 #=================================================
-# ...
+# BUILDING SOURCES AND SETTING UP THE SERVER
 #=================================================

+ynh_script_progression --message="Building the sources (it will take some time)..." --weight=6
+
+ynh_exec_warn_less ynh_install_go --go_version=$GO_VERSION
+
+pushd "$final_path"
+	# Build the sources
+	ynh_use_go
+	unset GOPATH
+	make build
+popd
+
+ynh_remove_go
+
 #=================================================
 # UPDATE A CONFIG FILE
 #=================================================
 ynh_script_progression --message="Updating a configuration file..." --time --weight=1

-### Same as during install
-###
-### The file will automatically be backed-up if it's found to be manually modified (because
-### ynh_add_config keeps track of the file's checksum)
+ynh_add_config --template="config.yaml" --destination="$final_path/config.yaml"

-ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
-
-# FIXME: this should be handled by the core in the future
-# You may need to use chmod 600 instead of 400,
-# for example if the app is expected to be able to modify its own config
-chmod 400 "$final_path/some_config_file"
+chmod 400 "$final_path/config.yaml"
 chown $app:$app "$final_path/some_config_file"

-### For more complex cases where you want to replace stuff using regexes,
-### you shoud rely on ynh_replace_string (which is basically a wrapper for sed)
-### When doing so, you also need to manually call ynh_store_file_checksum
-###
-### ynh_replace_string --match_string="match_string" --replace_string="replace_string" --target_file="$final_path/some_config_file"
-### ynh_store_file_checksum --file="$final_path/some_config_file"
-
 #=================================================
 # SETUP SYSTEMD
 #=================================================
@ -223,7 +160,7 @@ ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$ap
 ynh_script_progression --message="Reconfiguring Fail2Ban..." --time --weight=1

 # Create a dedicated Fail2Ban config
-ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
+ynh_add_fail2ban_config --logpath="/var/log/dex/dex.log" --failregex="ldap: invalid password for user"

 #=================================================
 # RELOAD NGINX