#!/bin/bash #================================================= # GENERIC START #================================================= # IMPORT GENERIC HELPERS #================================================= source _common.sh source /usr/share/yunohost/helpers #================================================= # MANAGE SCRIPT FAILURE #================================================= # Exit if an error occurs during the execution of the script ynh_abort_if_errors #================================================= # RETRIEVE ARGUMENTS FROM THE MANIFEST #================================================= domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH admin_user=$YNH_APP_ARG_ADMIN is_public=$YNH_APP_ARG_IS_PUBLIC language=$YNH_APP_ARG_LANGUAGE app=$YNH_APP_INSTANCE_NAME #================================================= # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS #================================================= ynh_script_progression --message="Validating installation parameters..." --weight=2 final_path=/var/www/$app test ! -e "$final_path" || ynh_die --message="This path already contains a folder" # Register (book) web path ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url #================================================= # STORE SETTINGS FROM MANIFEST #================================================= ynh_script_progression --message="Storing installation settings..." --weight=2 ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=language --value=$language #================================================= # STANDARD MODIFICATIONS #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= ynh_script_progression --message="Setting up source files..." --weight=2 ynh_app_setting_set --app=$app --key=final_path --value=$final_path # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" #================================================= # NGINX CONFIGURATION #================================================= ynh_script_progression --message="Configuring nginx web server..." --weight=2 # Create a dedicated nginx config ynh_add_nginx_config #================================================= # CREATE DEDICATED USER #================================================= ynh_script_progression --message="Configuring system user..." --weight=2 # Create a system user ynh_system_user_create --username=$app #================================================= # PHP-FPM CONFIGURATION #================================================= ynh_script_progression --message="Configuring php-fpm..." --weight=2 # Create a dedicated php-fpm config ynh_add_fpm_config #================================================= # SPECIFIC SETUP #================================================= # CUSTOMIZE DOKUWIKI #================================================= ynh_script_progression --message="Configuring dokuwiki..." --weight=2 # Loading order of configuration files # # By default DokuWiki loads its configuration files in the following order: # # 1. conf/dokuwiki.php # 2. conf/local.php # 3. conf/local.protected.php # # See https://www.dokuwiki.org/plugin:config#protecting_settings ### Copy Yunohost specific configuration # This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost # It will only be updated by Yunohost package or directly by adventurous users cp ../conf/local.protected.php $final_path/conf # Create the "admin" group and add the "admin" user ynh_permission_create --permission "admin" --allowed "$admin_user" # Customize admin group in case of multiple wiki install managed by different admins # dokuwiki.admin; dokuwiki__1.admin; etc ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$final_path/conf/local.protected.php" # This file might be modified by dokuwiki admin panel or by plugins # It will not be modified by Yunohost in order to keep user settings cp ../conf/local.php $final_path/conf # Set the "language" ynh_replace_string --match_string="__YNH_LANGUAGE__" --replace_string="$language" --target_file="$final_path/conf/local.php" # Restrict user rights by enforcing "read-only" mode for all users # See https://www.dokuwiki.org/acl#background_info # Default is "8" cp ../conf/acl.auth.php $final_path/conf #================================================= # CREATE DEFAULT FILES #================================================= # For securing DokuWiki installation, create default files that will be writable in the "conf" folder. # Other files will be read ony and owned by root. # See https://www.dokuwiki.org/install:permissions cp $final_path/conf/local.php.dist $final_path/conf/local.php.bak cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php # This file might be used by plugins like https://www.dokuwiki.org/plugin:siteexport # Create it to be more "user friendly" as over the top security is not the main goal here # This file could be use for bad behaviour. # See https://www.dokuwiki.org/devel:preload?s[]=preload cp $final_path/inc/preload.php.dist $final_path/inc/preload.php # There is no template .dist provided inside DokuWiki installation folder # Create "empty" files to be able to manage linux permissions # Files content is taken from an existing DokuWiki installation cp ../conf/plugins.local.php $final_path/conf cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak #================================================= # STORE THE CHECKSUM OF THE CONFIG FILE #================================================= # Calculate and store the config file checksum into the app settings ynh_store_file_checksum --file="$final_path/conf/local.protected.php" ### Files '$final_path/conf/local.php' and '$final_path/conf/acl.auth.php' can be modified by user, no need to store checksum as they cannot be overwritten safely by the upgrade script #================================================= # INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN #================================================= ynh_script_progression --message="Installing logautherror plugin for fail2ban..." --weight=2 ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror #================================================= # GENERIC FINALIZATION #================================================= # SECURE FILES AND DIRECTORIES #================================================= # Try to use "least privilege" to grant minimal access # For details, see https://www.dokuwiki.org/install:permissions # Files owned by DokuWiki can just read chown -R root: $final_path # DokuWiki needs to write inside these folders. Make "DokuWiki" owner chown $app:root $final_path/{conf,inc} # Make "DokuWiki" owner of configuration files that must be writable chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak} # Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport # See https://www.dokuwiki.org/devel:preload chown $app:root $final_path/inc/preload.php # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them # There are only files in the folder and there are no sublevels. No need to use "find" chmod -R a+r $final_path/{conf,inc} # Give write access to "data" and subfolders chown -R $app:root $final_path/data # Remove access to "other" chmod -R o-rwx $final_path/data # Allow the web admin panel to run, aka "Extension Manager" chown -R $app:root $final_path/lib/plugins # Allow to install templates chown -R $app:root $final_path/lib/tpl # Allow access to public assets like style sheets find $final_path/lib -type f -print0 | xargs -0 chmod 0644 find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # Using "find" instead of "chmod -R 755" so files does not become executable too # chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD # find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD #================================================= # SETUP FAIL2BAN #================================================= ynh_script_progression --message="Configuring fail2ban..." --weight=7 ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 #================================================= # SETUP SSOWAT #================================================= ynh_script_progression --message="Configuring permissions..." --weight=2 # Make app public if necessary if [ $is_public -eq 1 ] then # Everyone can access the app. # The "main" permission is automatically created before the install script. ynh_permission_update --permission "main" --add "visitors" fi #================================================= # RELOAD NGINX #================================================= ynh_script_progression --message="Reloading nginx web server..." ynh_systemd_action --service_name=nginx --action=reload #================================================= # END OF SCRIPT #================================================= ynh_script_progression --message="Installation of $app completed" --last