From b77a54b21bd9681ba9c49ac58de0e50b63508bbc Mon Sep 17 00:00:00 2001 From: Limezy Date: Wed, 23 Mar 2022 17:09:33 +0700 Subject: [PATCH] First working setup --- conf/app.src | 2 +- conf/config.yaml | 14 ++++-- conf/systemd.service | 2 +- scripts/backup | 29 +++--------- scripts/change_url | 15 ++++--- scripts/config | 102 ----------------------------------------- scripts/install | 13 ++---- scripts/remove | 9 ++-- scripts/restore | 45 +++---------------- scripts/upgrade | 105 +++++++++---------------------------------- 10 files changed, 62 insertions(+), 274 deletions(-) delete mode 100644 scripts/config diff --git a/conf/app.src b/conf/app.src index 97b99e9..58c620a 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ SOURCE_URL=https://github.com/dexidp/dex/archive/refs/tags/v2.31.1.tar.gz -SOURCE_SUM=sha256 a85f2f33a69954f9dc7da2255743d8befad24cd2c7afac4ab74c5b6d1072e67e +SOURCE_SUM=a85f2f33a69954f9dc7da2255743d8befad24cd2c7afac4ab74c5b6d1072e67e SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true diff --git a/conf/config.yaml b/conf/config.yaml index 4827d02..6b6bcdb 100644 --- a/conf/config.yaml +++ b/conf/config.yaml @@ -1,5 +1,5 @@ # LDAP connector + Yunohost setup + staticClient as per manifest.json -issuer: https://__DOMAIN__/__PATH_URL__ +issuer: https://__DOMAIN____PATH_URL__ storage: type: sqlite3 config: @@ -7,6 +7,12 @@ storage: web: http: 127.0.0.1:__PORT__ +frontend: + issuer: dex + logoURL: /usr/share/yunohost/admin/img/logo.08bab97e.png + dir: web/ + theme: light + connectors: - type: ldap name: OpenLDAP @@ -43,6 +49,6 @@ connectors: staticClients: - id: __OIDC_NAME__ redirectURIs: - - '__OIDC_CALLBACK__' - name: '__OIDC_NAME__' - secret: __OIDC_SECRET__ \ No newline at end of file + - __OIDC_CALLBACK__ + name: __OIDC_NAME__ + secret: __OIDC_SECRET__ diff --git a/conf/systemd.service b/conf/systemd.service index ad6fb30..6efe1ef 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -7,7 +7,7 @@ Type=simple User=__APP__ Group=__APP__ WorkingDirectory=__FINALPATH__/ -ExecStart=__FINALPATH__/./bin/dex serve config.yaml +ExecStart=__FINALPATH__/bin/dex serve config.yaml StandardOutput=append:/var/log/__APP__/__APP__.log StandardError=inherit diff --git a/scripts/backup b/scripts/backup index a3a3048..5983129 100755 --- a/scripts/backup +++ b/scripts/backup @@ -28,34 +28,25 @@ ynh_print_info --message="Loading installation settings..." app=$YNH_APP_INSTANCE_NAME -final_path=$(ynh_app_setting_get --app=$app --key=final_path) domain=$(ynh_app_setting_get --app=$app --key=domain) -db_name=$(ynh_app_setting_get --app=$app --key=db_name) -phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) -datadir=$(ynh_app_setting_get --app=$app --key=datadir) +path_url=$(ynh_app_setting_get --app=$app --key=path) +final_path=$(ynh_app_setting_get --app=$app --key=final_path) +port=$(ynh_app_setting_get --app=$app --key=port) +oidc_name=$(ynh_app_setting_get --app=$app --key=oidc_name) +oidc_secret=$(ynh_app_setting_get --app=$app --key=oidc_secret) +oidc_callback=$(ynh_app_setting_get --app=$app --key=oidc_callback) #================================================= # DECLARE DATA AND CONF FILES TO BACKUP #================================================= ynh_print_info --message="Declaring files to be backed up..." -### N.B. : the following 'ynh_backup' calls are only a *declaration* of what needs -### to be backuped and not an actual copy of any file. The actual backup that -### creates and fill the archive with the files happens in the core after this -### script is called. Hence ynh_backups calls takes basically 0 seconds to run. - #================================================= # BACKUP THE APP MAIN DIR #================================================= ynh_backup --src_path="$final_path" -#================================================= -# BACKUP THE DATA DIR -#================================================= - -ynh_backup --src_path="$datadir" --is_big - #================================================= # BACKUP THE NGINX CONFIGURATION #================================================= @@ -84,14 +75,6 @@ ynh_backup --src_path="/etc/logrotate.d/$app" ynh_backup --src_path="/etc/systemd/system/$app.service" -#================================================= -# BACKUP VARIOUS FILES -#================================================= - -ynh_backup --src_path="/etc/cron.d/$app" - -ynh_backup --src_path="/etc/$app/" - #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/change_url b/scripts/change_url index 495b7eb..d6d2791 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -29,11 +29,6 @@ ynh_script_progression --message="Loading installation settings..." --time --wei # Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) -# Add settings here as needed by your application -#db_name=$(ynh_app_setting_get --app=$app --key=db_name) -#db_user=$db_name -#db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd) - #================================================= # BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP #================================================= @@ -108,9 +103,17 @@ fi #================================================= # SPECIFIC MODIFICATIONS #================================================= -# ... +# MODIFY URL IN YAML CONF #================================================= +# Make a backup of the original YAML config file if modified +ynh_backup_if_checksum_is_different --file="$final_path/config.yaml" +# Set global variables for YAML helper +domain="$new_domain" +path_url="$new_path" +# Create a dedicated YAML config +ynh_add_config --template="config.yaml" --destination="$final_path/config.yaml" + #================================================= # GENERIC FINALISATION #================================================= diff --git a/scripts/config b/scripts/config deleted file mode 100644 index b9e79f8..0000000 --- a/scripts/config +++ /dev/null @@ -1,102 +0,0 @@ -#!/bin/bash -# In simple cases, you don't need a config script. - -# With a simple config_panel.toml, you can write in the app settings, in the -# upstream config file or replace complete files (logo ...) and restart services. - -# The config scripts allows you to go further, to handle specific cases -# (validation of several interdependent fields, specific getter/setter for a value, -# display dynamic informations or choices, pre-loading of config type .cube... ). - -#================================================= -# GENERIC STARTING -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - -source /usr/share/yunohost/helpers - -ynh_abort_if_errors - -#================================================= -# RETRIEVE ARGUMENTS -#================================================= - -final_path=$(ynh_app_setting_get $app final_path) - -#================================================= -# SPECIFIC GETTERS FOR TOML SHORT KEY -#================================================= - -get__amount() { - # Here we can imagine to have an API call to stripe to know the amount of donation during a month - local amount = 200 - - # It's possible to change some properties of the question by overriding it: - if [ $amount -gt 100 ] - then - cat << EOF -style: success -value: $amount -ask: - en: A lot of donation this month: **$amount €** -EOF - else - cat << EOF -style: danger -value: $amount -ask: - en: Not so much donation this month: $amount € -EOF - fi -} - -get__prices() { - local prices = "$(grep "DONATION\['" "$final_path/settings.py" | sed -r "s@^DONATION\['([^']*)'\]\['([^']*)'\] = '([^']*)'@\1/\2/\3@g" | sed -z 's/\n/,/g;s/,$/\n/')" - if [ "$prices" == "," ]; - then - # Return YNH_NULL if you prefer to not return a value at all. - echo YNH_NULL - else - echo $prices - fi -} - - -#================================================= -# SPECIFIC VALIDATORS FOR TOML SHORT KEYS -#================================================= -validate__publishable_key() { - - # We can imagine here we test if the key is really a publisheable key - (is_secret_key $publishable_key) && - echo 'This key seems to be a secret key' -} - -#================================================= -# SPECIFIC SETTERS FOR TOML SHORT KEYS -#================================================= -set__prices() { - - #--------------------------------------------- - # IMPORTANT: setter are trigger only if a change is detected - #--------------------------------------------- - for price in $(echo $prices | sed "s/,/ /"); do - frequency=$(echo $price | cut -d/ -f1) - currency=$(echo $price | cut -d/ -f2) - price_id=$(echo $price | cut -d/ -f3) - sed "d/DONATION\['$frequency'\]\['$currency'\]" "$final_path/settings.py" - - echo "DONATION['$frequency']['$currency'] = '$price_id'" >> "$final_path/settings.py" - done - - #--------------------------------------------- - # IMPORTANT: to be able to upgrade properly, you have to saved the value in settings too - #--------------------------------------------- - ynh_app_setting_set $app prices $prices -} - -#================================================= -# GENERIC FINALIZATION -#================================================= -ynh_app_config_run $1 diff --git a/scripts/install b/scripts/install index ce1a276..833cbb2 100755 --- a/scripts/install +++ b/scripts/install @@ -27,7 +27,7 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH -is_public=true +is_public=1 oidc_name=$YNH_APP_ARG_OIDC_NAME oidc_secret=$YNH_APP_ARG_OIDC_SECRET @@ -73,7 +73,7 @@ ynh_app_setting_set --app=$app --key=port --value=$port #================================================= ynh_script_progression --message="Installing dependencies..." --time --weight=1 -ynh_install_app_dependencies $pkg_dependencies +#ynh_install_app_dependencies $pkg_dependencies #================================================= # CREATE DEDICATED USER @@ -117,6 +117,7 @@ ynh_exec_warn_less ynh_install_go --go_version=$GO_VERSION pushd "$final_path" # Build the sources ynh_use_go + unset GOPATH make build popd @@ -171,7 +172,7 @@ ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$ap ynh_script_progression --message="Configuring Fail2Ban..." --time --weight=1 # Create a dedicated Fail2Ban config -ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login" +ynh_add_fail2ban_config --logpath="/var/log/dex/dex.log" --failregex="ldap: invalid password for user" #================================================= # SETUP SSOWAT @@ -186,12 +187,6 @@ then ynh_permission_update --permission="main" --add="visitors" fi -### N.B. : the following extra permissions only make sense if your app -### does have for example an admin interface or an API. - -# Only the admin can access the admin panel of the app (if the app has an admin panel) -ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin - #================================================= # RELOAD NGINX #================================================= diff --git a/scripts/remove b/scripts/remove index 4c37230..9c15c50 100755 --- a/scripts/remove +++ b/scripts/remove @@ -17,11 +17,12 @@ ynh_script_progression --message="Loading installation settings..." --time --wei app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) -port=$(ynh_app_setting_get --app=$app --key=port) -db_name=$(ynh_app_setting_get --app=$app --key=db_name) -db_user=$db_name +path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) -datadir=$(ynh_app_setting_get --app=$app --key=datadir) +port=$(ynh_app_setting_get --app=$app --key=port) +oidc_name=$(ynh_app_setting_get --app=$app --key=oidc_name) +oidc_secret=$(ynh_app_setting_get --app=$app --key=oidc_secret) +oidc_callback=$(ynh_app_setting_get --app=$app --key=oidc_callback) #================================================= # STANDARD REMOVE diff --git a/scripts/restore b/scripts/restore index 4657ed8..f16a8f7 100755 --- a/scripts/restore +++ b/scripts/restore @@ -31,10 +31,10 @@ app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) -db_name=$(ynh_app_setting_get --app=$app --key=db_name) -db_user=$db_name -phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) -datadir=$(ynh_app_setting_get --app=$app --key=datadir) +port=$(ynh_app_setting_get --app=$app --key=port) +oidc_name=$(ynh_app_setting_get --app=$app --key=oidc_name) +oidc_secret=$(ynh_app_setting_get --app=$app --key=oidc_secret) +oidc_callback=$(ynh_app_setting_get --app=$app --key=oidc_callback) #================================================= # CHECK IF THE APP CAN BE RESTORED @@ -68,35 +68,10 @@ ynh_script_progression --message="Restoring the app main directory..." --time -- ynh_restore_file --origin_path="$final_path" -# FIXME: this should be managed by the core in the future -# Here, as a packager, you may have to tweak the ownerhsip/permissions -# such that the appropriate users (e.g. maybe www-data) can access -# files in some cases. -# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - -# this will be treated as a security issue. chmod 750 "$final_path" chmod -R o-rwx "$final_path" chown -R $app:www-data "$final_path" -#================================================= -# RESTORE THE DATA DIRECTORY -#================================================= -ynh_script_progression --message="Restoring the data directory..." --time --weight=1 - -ynh_restore_file --origin_path="$datadir" --not_mandatory - -mkdir -p $datadir - -# FIXME: this should be managed by the core in the future -# Here, as a packager, you may have to tweak the ownerhsip/permissions -# such that the appropriate users (e.g. maybe www-data) can access -# files in some cases. -# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - -# this will be treated as a security issue. -chmod 750 "$datadir" -chmod -R o-rwx "$datadir" -chown -R $app:www-data "$datadir" - #================================================= # RESTORE FAIL2BAN CONFIGURATION #================================================= @@ -116,15 +91,6 @@ ynh_script_progression --message="Reinstalling dependencies..." --time --weight= # Define and install dependencies ynh_install_app_dependencies $pkg_dependencies -#================================================= -# RESTORE VARIOUS FILES -#================================================= -ynh_script_progression --message="Restoring various files..." --time --weight=1 - -ynh_restore_file --origin_path="/etc/cron.d/$app" - -ynh_restore_file --origin_path="/etc/$app/" - #================================================= # RESTORE SYSTEMD #================================================= @@ -159,9 +125,8 @@ ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$ap #================================================= # RELOAD NGINX AND PHP-FPM #================================================= -ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." --time --weight=1 +ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1 -ynh_systemd_action --service_name=php$phpversion-fpm --action=reload ynh_systemd_action --service_name=nginx --action=reload #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index f52658e..b6e6a35 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -18,21 +18,16 @@ app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) -language=$(ynh_app_setting_get --app=$app --key=language) -admin=$(ynh_app_setting_get --app=$app --key=admin) final_path=$(ynh_app_setting_get --app=$app --key=final_path) -db_name=$(ynh_app_setting_get --app=$app --key=db_name) +port=$(ynh_app_setting_get --app=$app --key=port) +oidc_name=$(ynh_app_setting_get --app=$app --key=oidc_name) +oidc_secret=$(ynh_app_setting_get --app=$app --key=oidc_secret) +oidc_callback=$(ynh_app_setting_get --app=$app --key=oidc_callback) #================================================= # CHECK VERSION #================================================= -### This helper will compare the version of the currently installed app and the version of the upstream package. -### $upgrade_type can have 2 different values -### - UPGRADE_APP if the upstream app version has changed -### - UPGRADE_PACKAGE if only the YunoHost package has changed -### ynh_check_app_version_changed will stop the upgrade if the app is up to date. -### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do. upgrade_type=$(ynh_check_app_version_changed) #================================================= @@ -58,49 +53,6 @@ ynh_script_progression --message="Stopping a systemd service..." --time --weight ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" -#================================================= -# ENSURE DOWNWARD COMPATIBILITY -#================================================= -ynh_script_progression --message="Ensuring downward compatibility..." --time --weight=1 - -# -# N.B. : the followings setting migrations snippets are provided as *EXAMPLES* -# of what you may want to do in some cases (e.g. a setting was not defined on -# some legacy installs and you therefore want to initiaze stuff during upgrade) -# - -# If db_name doesn't exist, create it -#if [ -z "$db_name" ]; then -# db_name=$(ynh_sanitize_dbid --db_name=$app) -# ynh_app_setting_set --app=$app --key=db_name --value=$db_name -#fi - -# If final_path doesn't exist, create it -#if [ -z "$final_path" ]; then -# final_path=/var/www/$app -# ynh_app_setting_set --app=$app --key=final_path --value=$final_path -#fi - -### If nobody installed your app before 4.1, -### then you may safely remove these lines - -# Cleaning legacy permissions -if ynh_legacy_permissions_exists; then - ynh_legacy_permissions_delete_all - - ynh_app_setting_delete --app=$app --key=is_public -fi - -if ! ynh_permission_exists --permission="admin"; then - # Create the required permissions - ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin -fi - -# Create a permission if needed -if ! ynh_permission_exists --permission="api"; then - ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true" -fi - #================================================= # CREATE DEDICATED USER #================================================= @@ -121,12 +73,6 @@ then ynh_setup_source --dest_dir="$final_path" fi -# FIXME: this should be managed by the core in the future -# Here, as a packager, you may have to tweak the ownerhsip/permissions -# such that the appropriate users (e.g. maybe www-data) can access -# files in some cases. -# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - -# this will be treated as a security issue. chmod 750 "$final_path" chmod -R o-rwx "$final_path" chown -R $app:www-data "$final_path" @@ -139,13 +85,6 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." - # Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# UPGRADE DEPENDENCIES -#================================================= -ynh_script_progression --message="Upgrading dependencies..." --time --weight=1 - -ynh_install_app_dependencies $pkg_dependencies - #================================================= # PHP-FPM CONFIGURATION #================================================= @@ -157,34 +96,32 @@ ynh_add_fpm_config #================================================= # SPECIFIC UPGRADE #================================================= -# ... +# BUILDING SOURCES AND SETTING UP THE SERVER #================================================= +ynh_script_progression --message="Building the sources (it will take some time)..." --weight=6 + +ynh_exec_warn_less ynh_install_go --go_version=$GO_VERSION + +pushd "$final_path" + # Build the sources + ynh_use_go + unset GOPATH + make build +popd + +ynh_remove_go + #================================================= # UPDATE A CONFIG FILE #================================================= ynh_script_progression --message="Updating a configuration file..." --time --weight=1 -### Same as during install -### -### The file will automatically be backed-up if it's found to be manually modified (because -### ynh_add_config keeps track of the file's checksum) +ynh_add_config --template="config.yaml" --destination="$final_path/config.yaml" -ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file" - -# FIXME: this should be handled by the core in the future -# You may need to use chmod 600 instead of 400, -# for example if the app is expected to be able to modify its own config -chmod 400 "$final_path/some_config_file" +chmod 400 "$final_path/config.yaml" chown $app:$app "$final_path/some_config_file" -### For more complex cases where you want to replace stuff using regexes, -### you shoud rely on ynh_replace_string (which is basically a wrapper for sed) -### When doing so, you also need to manually call ynh_store_file_checksum -### -### ynh_replace_string --match_string="match_string" --replace_string="replace_string" --target_file="$final_path/some_config_file" -### ynh_store_file_checksum --file="$final_path/some_config_file" - #================================================= # SETUP SYSTEMD #================================================= @@ -223,7 +160,7 @@ ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$ap ynh_script_progression --message="Reconfiguring Fail2Ban..." --time --weight=1 # Create a dedicated Fail2Ban config -ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login" +ynh_add_fail2ban_config --logpath="/var/log/dex/dex.log" --failregex="ldap: invalid password for user" #================================================= # RELOAD NGINX