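#!/bin/bash

#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================

source ../settings/scripts/_common.sh
source /usr/share/yunohost/helpers

#=================================================
# MANAGE SCRIPT FAILURE
#=================================================

# Exit if an error occurs during the execution of the script
ynh_abort_if_errors

#=================================================
# LOAD SETTINGS
#=================================================

app=$YNH_APP_INSTANCE_NAME

# Settings are read back from the app's stored configuration. Every later
# expansion is quoted so that a value containing whitespace or glob
# characters cannot be split into extra arguments to chown/chmod/find.
domain=$(ynh_app_setting_get "$app" domain)
path_url=$(ynh_app_setting_get "$app" path)
final_path=$(ynh_app_setting_get "$app" final_path)

#=================================================
# CHECK IF THE APP CAN BE RESTORED
#=================================================

ynh_webpath_available "$domain" "$path_url" \
	|| ynh_die "Path not available: ${domain}${path_url}"
# Refuse to restore over an existing directory: the permission steps below
# recurse through $final_path and must only touch files from the backup.
test ! -d "$final_path" \
	|| ynh_die "There is already a directory: $final_path "

#=================================================
# STANDARD RESTORATION STEPS
#=================================================
# RESTORE THE NGINX CONFIGURATION
#=================================================

ynh_restore_file "/etc/nginx/conf.d/$domain.d/$app.conf"

#=================================================
# RESTORE THE APP MAIN DIR
#=================================================

ynh_restore_file "$final_path"

#=================================================
# RECREATE THE DEDICATED USER
#=================================================

# Create the dedicated user (if not existing)
ynh_system_user_create "$app"

#=================================================
# RESTORE USER RIGHTS
#=================================================

# Try to use "least privilege" to grant minimal access
# For details, see https://www.dokuwiki.org/install:permissions

# Baseline: everything belongs to root, so the DokuWiki user can only read
# unless ownership is explicitly handed over below.
chown -R root: "$final_path"

# DokuWiki needs to write inside these folders, so the app user owns them.
# NOTE(review): "inc" holds DokuWiki's PHP code. Owning the directory lets the
# web user create or replace entries in it; if only preload.php has to be
# writable, consider leaving the directory itself to root - confirm first.
chown "$app:root" "$final_path/conf"
chown "$app:root" "$final_path/inc"

# Configuration files that must be writable by DokuWiki.
# The ".bak" files may be absent from a backup; a missing one is skipped
# instead of making chown fail and aborting the whole restore.
for conf_file in local.php local.php.bak users.auth.php acl.auth.php \
	plugins.local.php plugins.local.php.bak; do
	if [ -e "$final_path/conf/$conf_file" ]; then
		chown "$app:root" "$final_path/conf/$conf_file"
	else
		echo "Skipping ownership of missing file: $final_path/conf/$conf_file" >&2
	fi
done

# Useful for some plugins like https://www.dokuwiki.org/plugin:siteexport
# See https://www.dokuwiki.org/devel:preload
if [ -e "$final_path/inc/preload.php" ]; then
	chown "$app:root" "$final_path/inc/preload.php"
else
	echo "Skipping ownership of missing file: $final_path/inc/preload.php" >&2
fi

# Grant read access to all files: the files chowned to root above are
# otherwise not readable by the web stack.
# The original author notes these folders contain only files, no sublevels,
# so "find" is not needed here.
# NOTE(review): "a+r" also makes conf/users.auth.php (password hashes) and
# conf/local.php readable by every local account. A group-based grant
# (group = $app, then "o-rwx") would be tighter - confirm which user the
# PHP-FPM pool runs as before changing it.
chmod -R a+r "$final_path/conf"
chmod -R a+r "$final_path/inc"

# Give write access to "data" and subfolders
chown -R "$app:root" "$final_path/data"
# Remove access to "other": wiki content, caches and sessions stay private
# to the app user and root.
chmod -R o-rwx "$final_path/data"

# Allow the web admin panel to run, aka "Extension Manager"
# NOTE(review): this makes plugin and template code writable by the web user.
# That is what the Extension Manager requires, but it also means a compromise
# of the wiki can persist as code; revert to root ownership if extensions are
# managed outside the web UI.
chown -R "$app:root" "$final_path/lib/plugins"
# Allow to install templates
chown -R "$app:root" "$final_path/lib/tpl"

# Allow access to public assets like style sheets
# "find" is used instead of "chmod -R 755" so files do not become executable:
# chmod : -rwxr-xr-x  1 root root   241 May  3 08:36 index.html => BAD
# find  : -rw-r--r--  1 1001 1002   241 May  3 08:36 index.html => GOOD
# "-exec ... +" batches arguments like xargs did, but never runs chmod with
# an empty argument list.
find "$final_path/lib" -type f -exec chmod 0644 {} +
find "$final_path/lib" -type d -exec chmod 0755 {} +

#=================================================
# RESTORE THE PHP-FPM CONFIGURATION
#=================================================

ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf"
ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"

#=================================================
# SPECIFIC RESTORATION
#=================================================

#=================================================
# RESTORE FAIL2BAN CONFIGURATION
#=================================================

ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
# Restart so the restored jail and filter are actually loaded.
systemctl restart fail2ban

#=================================================
# GENERIC FINALIZATION
#=================================================
# RELOAD NGINX AND PHP-FPM
#=================================================

# Reload PHP-FPM before nginx so the pool exists when nginx starts routing
# requests to the restored app.
systemctl reload php5-fpm
systemctl reload nginx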