#!/bin/bash #================================================= # GENERIC START #================================================= # IMPORT GENERIC HELPERS #================================================= source _common.sh source /usr/share/yunohost/helpers #================================================= # MANAGE SCRIPT FAILURE #================================================= # Exit if an error occurs during the execution of the script ynh_abort_if_errors #================================================= # RETRIEVE ARGUMENTS FROM THE MANIFEST #================================================= domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH admin_user=$YNH_APP_ARG_ADMIN is_public=$YNH_APP_ARG_IS_PUBLIC language=$YNH_APP_ARG_LANGUAGE app=$YNH_APP_INSTANCE_NAME #================================================= # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS #================================================= ynh_script_progression --message="Validating installation parameters..." --weight=2 final_path=/var/www/$app test ! -e "$final_path" || ynh_die --message="This path already contains a folder" # Register (book) web path ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url #================================================= # STORE SETTINGS FROM MANIFEST #================================================= ynh_script_progression --message="Storing installation settings..." --weight=2 ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=language --value=$language #================================================= # INSTALL DEPENDENCIES #================================================= ynh_script_progression --message="Installing dependencies..." --weight=1 ynh_install_app_dependencies $pkg_dependencies #================================================= # CREATE DEDICATED USER #================================================= ynh_script_progression --message="Configuring system user..." --weight=2 # Create a system user ynh_system_user_create --username=$app --home_dir="$final_path" #================================================= # STANDARD MODIFICATIONS #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= ynh_script_progression --message="Setting up source files..." --weight=2 ynh_app_setting_set --app=$app --key=final_path --value=$final_path # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" chmod 750 "$final_path" chmod -R o-rwx "$final_path" chown -R $app:www-data "$final_path" #================================================= # NGINX CONFIGURATION #================================================= ynh_script_progression --message="Configuring NGINX web server..." --weight=2 # Create a dedicated NGINX config ynh_add_nginx_config #================================================= # PHP-FPM CONFIGURATION #================================================= ynh_script_progression --message="Configuring PHP-FPM..." --weight=2 # Create a dedicated PHP-FPM config ynh_add_fpm_config --usage=low --footprint=low phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= # SPECIFIC SETUP #================================================= # CUSTOMIZE DOKUWIKI #================================================= ynh_script_progression --message="Configuring DokuWiki..." --weight=2 # Loading order of configuration files # # By default DokuWiki loads its configuration files in the following order: # # 1. conf/dokuwiki.php # 2. conf/local.php # 3. conf/local.protected.php # # See https://www.dokuwiki.org/plugin:config#protecting_settings ### Copy YunoHost specific configuration # This File cannot be modified directly by DokuWiki, only by hand or by YunoHost # It will only be updated by YunoHost package or directly by adventurous users # Customize admin group in case of multiple wiki install managed by different admins # dokuwiki.admin; dokuwiki__1.admin; etc ynh_add_config --template="../conf/local.protected.php" --destination="$final_path/conf/local.protected.php" # This file might be modified by DokuWiki admin panel or by plugins # It will not be modified by Yunohost in order to keep user settings # Set the "language" ynh_add_config --template="../conf/local.php" --destination="$final_path/conf/local.php" # Restrict user rights by enforcing "read-only" mode for all users # See https://www.dokuwiki.org/acl#background_info # Default is "8" ynh_add_config --template="../conf/acl.auth.php" --destination="$final_path/conf/acl.auth.php" #================================================= # CREATE DEFAULT FILES #================================================= # For securing DokuWiki installation, create default files that will be writable in the "conf" folder. # Other files will be read ony and owned by root. # See https://www.dokuwiki.org/install:permissions cp $final_path/conf/local.php.dist $final_path/conf/local.php.bak cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php # This file might be used by plugins like https://www.dokuwiki.org/plugin:siteexport # Create it to be more "user friendly" as over the top security is not the main goal here # This file could be use for bad behaviour. # See https://www.dokuwiki.org/devel:preload?s[]=preload cp $final_path/inc/preload.php.dist $final_path/inc/preload.php # There is no template .dist provided inside DokuWiki installation folder # Create "empty" files to be able to manage linux permissions # Files content is taken from an existing DokuWiki installation cp ../conf/plugins.local.php $final_path/conf cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak #================================================= # STORE THE CHECKSUM OF THE CONFIG FILE #================================================= # Calculate and store the config file checksum into the app settings #ynh_store_file_checksum --file="$final_path/conf/local.protected.php" ### Files '$final_path/conf/local.php' and '$final_path/conf/acl.auth.php' can be modified by user, no need to store checksum as they cannot be overwritten safely by the upgrade script # #================================================= # # GENERIC FINALIZATION # #================================================= # # SECURE FILES AND DIRECTORIES # #================================================= # # Try to use "least privilege" to grant minimal access # # For details, see https://www.dokuwiki.org/install:permissions # # Files owned by DokuWiki can just read # chown -R root: $final_path # # DokuWiki needs to write inside these folders. Make "DokuWiki" owner # chown $app:root $final_path/{conf,inc} # # Make "DokuWiki" owner of configuration files that must be writable # chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak} # # Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport # # See https://www.dokuwiki.org/devel:preload # chown $app:root $final_path/inc/preload.php # # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them # # There are only files in the folder and there are no sublevels. No need to use "find" # chmod -R a+r $final_path/{conf,inc} # # Give write access to "data" and subfolders # chown -R $app:root $final_path/data # # Remove access to "other" # chmod -R o-rwx $final_path/data # # Allow the web admin panel to run, aka "Extension Manager" # chown -R $app:root $final_path/lib/plugins # # Allow to install templates # chown -R $app:root $final_path/lib/tpl # # Allow access to public assets like style sheets # find $final_path/lib -type f -print0 | xargs -0 chmod 0644 # find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # # Using "find" instead of "chmod -R 755" so files does not become executable too # # chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD # # find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD #================================================= # SETUP FAIL2BAN #================================================= ynh_script_progression --message="Configuring Fail2Ban..." --weight=7 ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 #================================================= # SETUP SSOWAT #================================================= ynh_script_progression --message="Configuring permissions..." --weight=2 # Create the "admin" permission and add the "admin_user" to it ynh_permission_create --permission "admin" --allowed "$admin_user" # Make app public if necessary if [ $is_public -eq 1 ] then ynh_permission_update --permission="main" --add="visitors" fi #================================================= # RELOAD NGINX #================================================= ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name=nginx --action=reload #================================================= # END OF SCRIPT #================================================= ynh_script_progression --message="Installation of $app completed" --last