diff --git a/conf/app.src b/conf/app.src new file mode 100644 index 0000000..5ff3053 --- /dev/null +++ b/conf/app.src @@ -0,0 +1,6 @@ +SOURCE_URL=https://download.dokuwiki.org/src/dokuwiki/dokuwiki-2017-02-19b.tgz +SOURCE_SUM=ea11e4046319710a2bc6fdf58b5cda86 +SOURCE_SUM_PRG=md5sum +SOURCE_FORMAT=tar.gz +SOURCE_IN_SUBDIR=true +SOURCE_FILENAME= diff --git a/conf/nginx.conf b/conf/nginx.conf index 4311e99..ee61519 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,42 +1,56 @@ -location __PATHTOCHANGE__ { - alias __FINALPATH__/; +location __PATH__ { - if ($scheme = http) { - rewrite ^ https://$server_name$request_uri? permanent; - } + # Path to source + alias __FINALPATH__/ ; - index index.php; - try_files $uri $uri/ index.php; + if ($scheme = http) { + rewrite ^ https://$server_name$request_uri? permanent; + } - client_max_body_size 25M; - - location ~ [^/]\.php(/|$) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass unix:/var/run/php5-fpm-__NAMETOCHANGE__.sock; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param HTTPS on if_not_empty; - fastcgi_param REMOTE_USER $remote_user; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param SCRIPT_FILENAME $request_filename; - } + # Example PHP configuration (remove if not used) + index index.php; - # Secure DokuWiki - location ~ ^__PATHTOCHANGE__/(data|conf|bin|inc)/ { - deny all; - } + # Common parameter to increase upload size limit in conjuction with dedicated php-fpm file + client_max_body_size 25M; - # Deny Access to htaccess-Files for Apache - location ~ /\.ht { - deny all; - } + try_files $uri $uri/ index.php; + location ~ [^/]\.php(/|$) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + fastcgi_pass unix:/var/run/php5-fpm-__NAME__.sock; - # Serve static files - location ~ ^/lib.*\.(gif|png|ico|jpg)$ { - expires 30d; - } + # If you don't use a dedicated fpm config for your app, + # use a general fpm pool. + # This is to be used INSTEAD of line above + # Don't forget to adjust scripts install/upgrade/remove/backup accordingly + # + #fastcgi_pass unix:/var/run/php5-fpm.sock; - #--PRIVATE--# Include SSOWAT user panel. - #--PRIVATE--include conf.d/yunohost_panel.conf.inc; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param HTTPS on if_not_empty; + fastcgi_param REMOTE_USER $remote_user; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + # PHP configuration end + + # Secure DokuWiki + # Try this ? + #location __PATH__/(data|conf|bin|inc)/ { { + location ~ ^__PATH__/(data|conf|bin|inc)/ { + deny all; + } + + # Deny Access to htaccess-Files for Apache + location ~ /\.ht { + deny all; + } + + # Serve static files + location ~ ^/lib.*\.(gif|png|ico|jpg)$ { + expires 30d; + } + + # Include SSOWAT user panel. + include conf.d/yunohost_panel.conf.inc; } - diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 7bad39e..2aec4a2 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -32,19 +32,19 @@ group = __USER__ ; Note: This value is mandatory. listen = /var/run/php5-fpm-__NAMETOCHANGE__.sock -; Set listen(2) backlog. +; Set listen(2) backlog. A value of '-1' means unlimited. ; Default Value: 128 (-1 on FreeBSD and OpenBSD) ;listen.backlog = 128 ; Set permissions for unix socket, if one is used. In Linux, read/write ; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. +; BSD-derived systems allow connections regardless of permissions. ; Default Values: user and group are set as the running user ; mode is set to 0660 listen.owner = www-data listen.group = www-data ;listen.mode = 0660 - + ; List of ipv4 addresses of FastCGI clients which are allowed to connect. ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address @@ -117,7 +117,7 @@ pm.max_spare_servers = 3 ; Note: Used only when pm is set to 'ondemand' ; Default Value: 10s ;pm.process_idle_timeout = 10s; - + ; The number of requests each child process should execute before respawning. ; This can be useful to work around memory leaks in 3rd party libraries. For ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. @@ -170,7 +170,7 @@ pm.max_requests = 500 ; ; By default the status page only outputs short status. Passing 'full' in the ; query string will also return status for each pool process. -; Example: +; Example: ; http://www.foo.bar/status?full ; http://www.foo.bar/status?json&full ; http://www.foo.bar/status?html&full @@ -220,9 +220,9 @@ pm.max_requests = 500 ; Note: The value must start with a leading slash (/). The value can be ; anything, but it may not be a good idea to use the .php extension or it ; may conflict with a real PHP file. -; Default Value: not set +; Default Value: not set ;pm.status_path = /status - + ; The ping URI to call the monitoring page of FPM. If this value is not set, no ; URI will be recognized as a ping page. This could be used to test from outside ; that FPM is alive and responding, or to @@ -283,7 +283,7 @@ pm.max_requests = 500 ; - .... ; %p: PID of the child that serviced the request ; %P: PID of the parent of the child that serviced the request -; %q: the query string +; %q: the query string ; %Q: the '?' character if query string exists ; %r: the request URI (without the query string, see %q and %Q) ; %R: remote IP address @@ -298,50 +298,50 @@ pm.max_requests = 500 ; ; Default: "%R - %u %t \"%m %r\" %s" ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" - + ; The log file for slow requests ; Default Value: not set ; Note: slowlog is mandatory if request_slowlog_timeout is set slowlog = /var/log/nginx/__NAMETOCHANGE__.slow.log - + ; The timeout for serving a single request after which a PHP backtrace will be ; dumped to the 'slowlog' file. A value of '0s' means 'off'. ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) ; Default Value: 0 request_slowlog_timeout = 5s - + ; The timeout for serving a single request after which the worker process will ; be killed. This option should be used when the 'max_execution_time' ini option ; does not stop script execution for some reason. A value of '0' means 'off'. ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) ; Default Value: 0 request_terminate_timeout = 1d - + ; Set open file descriptor rlimit. ; Default Value: system defined value ;rlimit_files = 1024 - + ; Set max core size rlimit. ; Possible Values: 'unlimited' or an integer greater or equal to 0 ; Default Value: system defined value ;rlimit_core = 0 - + ; Chroot to this directory at the start. This value must be defined as an ; absolute path. When this value is not set, chroot is not used. ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one ; of its subdirectories. If the pool prefix is not set, the global prefix ; will be used instead. -; Note: chrooting is a great security feature and should be used whenever +; Note: chrooting is a great security feature and should be used whenever ; possible. However, all PHP paths will be relative to the chroot ; (error_log, sessions.save_path, ...). ; Default Value: not set -;chroot = - +;chroot = + ; Chdir to this directory at the start. ; Note: relative path can be used. ; Default Value: current directory or / when chroot chdir = __FINALPATH__ - + ; Redirect worker stdout and stderr into main error log. If not set, stdout and ; stderr will be redirected to /dev/null according to FastCGI specs. ; Note: on highloaded environement, this can cause some delay in the page @@ -356,7 +356,7 @@ catch_workers_output = yes ; Note: set an empty value to allow all extensions. ; Default Value: .php ;security.limit_extensions = .php .php3 .php4 .php5 - + ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from ; the current environment. ; Default Value: clean env @@ -370,7 +370,7 @@ catch_workers_output = yes ; overwrite the values previously defined in the php.ini. The directives are the ; same as the PHP SAPI: ; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. +; be overwritten from PHP call 'ini_set'. ; php_admin_value/php_admin_flag - these directives won't be overwritten by ; PHP call 'ini_set' ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. @@ -389,4 +389,4 @@ catch_workers_output = yes ;php_flag[display_errors] = off ;php_admin_value[error_log] = /var/log/fpm-php.www.log ;php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 32M \ No newline at end of file +;php_admin_value[memory_limit] = 32M diff --git a/conf/systemd.service b/conf/systemd.service new file mode 100644 index 0000000..76cdf64 --- /dev/null +++ b/conf/systemd.service @@ -0,0 +1,13 @@ +[Unit] +Description=Small description of the service +After=network.target + +[Service] +Type=simple +User=__APP__ +Group=__APP__ +WorkingDirectory=__FINALPATH__/ +ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1 + +[Install] +WantedBy=multi-user.target diff --git a/manifest.json b/manifest.json index 776c0df..09e7c18 100644 --- a/manifest.json +++ b/manifest.json @@ -3,7 +3,7 @@ "id": "dokuwiki", "packaging_format": 1, "requirements": { - "yunohost": ">> 2.3.15" + "yunohost": ">> 2.6.4" }, "description": { "en": "DokuWiki is a simple to use and highly versatile Open Source wiki software that doesn't require a database.", diff --git a/scripts/_common.sh b/scripts/_common.sh new file mode 100644 index 0000000..bb04a03 --- /dev/null +++ b/scripts/_common.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# ============= FUTURE YUNOHOST HELPER ============= +# Delete a file checksum from the app settings +# +# $app should be defined when calling this helper +# +# usage: ynh_remove_file_checksum file +# | arg: file - The file for which the checksum will be deleted +ynh_delete_file_checksum () { + local checksum_setting_name=checksum_${1//[\/ ]/_} # Replace all '/' and ' ' by '_' + ynh_app_setting_delete $app $checksum_setting_name +} \ No newline at end of file diff --git a/scripts/install b/scripts/install index a7cdf9d..a5aa929 100755 --- a/scripts/install +++ b/scripts/install @@ -1,7 +1,30 @@ #!/bin/bash -# Exit on command errors and treat unset variables as an error -set -eu +#================================================= +# GENERIC START +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source _common.sh +source /usr/share/yunohost/helpers + +#================================================= +# MANAGE SCRIPT FAILURE +#================================================= + +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + +#================================================= +# RETRIEVE ARGUMENTS FROM THE MANIFEST +#================================================= + +domain=$YNH_APP_ARG_DOMAIN +path_url=$YNH_APP_ARG_PATH +admin=$YNH_APP_ARG_ADMIN +is_public=$YNH_APP_ARG_IS_PUBLIC +#language=$YNH_APP_ARG_LANGUAGE # This is a multi-instance app, meaning it can be installed several times independently # The id of the app as stated in the manifest is available as $YNH_APP_ID @@ -13,55 +36,103 @@ set -eu # The app instance name is probably what you are interested the most, since this is # guaranteed to be unique. This is a good unique identifier to define installation path, # db names, ... -# Retrieve arguments - -source .fonctions # Loads the generic functions usually used in the script -# Source app helpers -source /usr/share/yunohost/helpers - -TRAP_ON # Active trap for strop script if detect error. - -domain=$YNH_APP_ARG_DOMAIN -path=$YNH_APP_ARG_PATH -admin=$YNH_APP_ARG_ADMIN -is_public=$YNH_APP_ARG_IS_PUBLIC - app=$YNH_APP_INSTANCE_NAME -CHECK_VAR "$app" "app name not set" +#================================================= +# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS +#================================================= -CHECK_USER "$admin" +final_path=/var/www/$app +test ! -e "$final_path" || ynh_die "This path already contains a folder" -CHECK_PATH +# Normalize the url path syntax +path_url=$(ynh_normalize_url_path $path_url) -CHECK_DOMAINPATH +# Check web path availability +ynh_webpath_available $domain $path_url +# Register (book) web path +ynh_webpath_register $app $domain $path_url -CHECK_FINALPATH +#================================================= +# STORE SETTINGS FROM MANIFEST +#================================================= -# Save app settings ynh_app_setting_set $app domain $domain -ynh_app_setting_set $app path $path +ynh_app_setting_set $app path $path_url ynh_app_setting_set $app admin $admin ynh_app_setting_set $app is_public $is_public +#ynh_app_setting_set $app language $language -# Create system user dedicace for this app +#================================================= +# STANDARD MODIFICATIONS +#================================================= +# DOWNLOAD, CHECK AND UNPACK SOURCE +#================================================= + +ynh_app_setting_set $app final_path $final_path +# Download, check integrity, uncompress and patch the source from app.src +ynh_setup_source "$final_path" + +#================================================= +# NGINX CONFIGURATION +#================================================= + +# Create a dedicated nginx config +ynh_add_nginx_config + +#================================================= +# CREATE DEDICATED USER +#================================================= + +# Create a system user ynh_system_user_create $app +#================================================= +# PHP-FPM CONFIGURATION +#================================================= + +# Create a dedicated php-fpm config +ynh_add_fpm_config + +#================================================= +# SPECIFIC SETUP +#================================================= +# ... +#================================================= + +#================================================= +# SETUP SYSTEMD +#================================================= + +# Create a dedicated systemd config +ynh_systemd_config + +#================================================= +# MODIFY A CONFIG FILE +#================================================= + # Modify dokuwiki conf -sed -i "s@YNH_ADMIN_USER@$admin@g" ../conf/dokuwiki.php - -# Copy files to the right place -sudo mkdir "$final_path" -ynh_app_setting_set $app final_path $final_path - -# Get source -SETUP_SOURCE +#sed -i "s@YNH_ADMIN_USER@$admin@g" ../conf/dokuwiki.php +ynh_replace_string "YNH_ADMIN_USER" "$admin" "../conf/dokuwiki.php" sudo cp ../conf/dokuwiki.php $final_path/conf sudo cp ../conf/acl.auth.php $final_path/conf +#================================================= +# STORE THE CHECKSUM OF THE CONFIG FILE +#================================================= + +# Calculate and store the config file checksum into the app settings +ynh_store_file_checksum "$final_path/conf/dokuwiki.php" + +#================================================= +# GENERIC FINALIZATION +#================================================= +# SECURE FILES AND DIRECTORIES +#================================================= + # Files owned by dokuwiki can just read -sudo chown -R root: $final_path +chown -R root: $final_path # except for conf, data, some data subfolders, and lib/plugin, where www-data must have write permissions sudo chown -R $app:root $final_path/{conf,data,data/attic,data/cache,data/index,data/locks,data/media*,data/meta,data/pages,data/tmp,lib/plugins,lib/tpl} @@ -70,25 +141,37 @@ sudo chmod -R 700 $final_path/data sudo chmod -R 755 $final_path/lib/plugins sudo chmod 755 $final_path/lib/tpl/{dokuwiki,dokuwiki/images} -# Modify Nginx configuration file and copy it to Nginx conf directory -sudo cp ../conf/nginx.conf /etc/nginx/conf.d/$domain.d/$app.conf -sudo sed -i "s@__PATHTOCHANGE__@$path@g" /etc/nginx/conf.d/$domain.d/$app.conf -sudo sed -i "s@__FINALPATH__@$final_path@g" /etc/nginx/conf.d/$domain.d/$app.conf -sudo sed -i "s@__NAMETOCHANGE__@$app@g" /etc/nginx/conf.d/$domain.d/$app.conf +#================================================= +# SETUP LOGROTATE +#================================================= -if [ "$is_public" = "Yes" ]; +# Use logrotate to manage application logfile(s) +ynh_use_logrotate + +#================================================= +# ADVERTISE SERVICE IN ADMIN PANEL +#================================================= + +#yunohost service add NAME_INIT.D --log "/var/log/FILE.log" +yunohost service add "$app" --log "/var/log/$app/$app.log" + +#================================================= +# SETUP SSOWAT +#================================================= + +if [ $is_public -eq 0 ] +then # Remove the public access + ynh_app_setting_delete $app skipped_uris +fi +# Make app public if necessary +if [ $is_public -eq 1 ] then - sudo sed -i "s@#--PRIVATE--@@g" /etc/nginx/conf.d/$domain.d/$app.conf + # unprotected_uris allows SSO credentials to be passed anyway. + ynh_app_setting_set $app unprotected_uris "/" fi -# Create the php-fpm pool config -POOL_FPM +#================================================= +# RELOAD NGINX +#================================================= -# If app is public, add url to SSOWat conf as skipped_uris -if [[ $is_public -eq 1 ]]; then - # unprotected_uris allows SSO credentials to be passed anyway. - ynh_app_setting_set "$app" unprotected_uris "/" -fi - -# Reload Nginx -sudo systemctl reload nginx \ No newline at end of file +systemctl reload nginx