#!/bin/bash #================================================= # GENERIC START #================================================= # IMPORT GENERIC HELPERS #================================================= source _common.sh source /usr/share/yunohost/helpers #================================================= # LOAD SETTINGS #================================================= ynh_script_progression --message="Loading installation settings..." --weight=2 app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) admin=$(ynh_app_setting_get --app=$app --key=admin) is_public=$(ynh_app_setting_get --app=$app --key=is_public) final_path=$(ynh_app_setting_get --app=$app --key=final_path) phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= # CHECK VERSION #================================================= upgrade_type=$(ynh_check_app_version_changed) #================================================= # ENSURE DOWNWARD COMPATIBILITY #================================================= ynh_script_progression --message="Ensuring downward compatibility..." # Fix is_public as a boolean value if [ "$is_public" = "Yes" ]; then ynh_app_setting_set --app=$app --key=is_public --value=1 is_public=1 elif [ "$is_public" = "No" ]; then ynh_app_setting_set --app=$app --key=is_public --value=0 is_public=0 fi # If final_path doesn't exist, create it if [ -z "$final_path" ]; then final_path=/var/www/$app ynh_app_setting_set --app=$app --key=final_path --value=$final_path fi # TODO Not sure if still needed ?? # admin default value, if not set if [ -z "$admin" ]; then admin=$(yunohost user list | grep 'username' -m1 | awk '{print $2}') ynh_app_setting_set --app=$app --key=is_public --value=$is_public fi # language default value, if not set if [ -z "$language" ]; then language='en' ynh_app_setting_set --app=$app --key=language --value=$language fi # YunoHost specific configuration, if it isn't exist already # Previously, these settings were store in an unique "dokuwiki.php" # Now, they are split in multiple files to ease upgrading process (separate YunoHost config from user config) # Loading order of configuration files # # By default DokuWiki loads its configuration files in the following order: # # 1. conf/dokuwiki.php # 2. conf/local.php # 3. conf/local.protected.php # # See https://www.dokuwiki.org/plugin:config#protecting_settings # Configuration dedicated to Yunohost (LDAP and admin mainly) # Create an empty configuration file if it does not exist # This file will be overwritten anyway later in the part "# LDAP Configuration" # The file is created here to prevent a failure of the helper `ynh_backup_if_checksum_is_different` if [ ! -f "$final_path/conf/local.protected.php" ]; then touch $final_path/conf/local.protected.php fi # Do not overwrite existing dokuwiki configuration as it could have user customization's and settings. # Create file if it does not exist if [ ! -f "$final_path/conf/local.php" ]; then cp ../conf/local.php $final_path/conf # Set the default "language" ynh_replace_string --match_string="__YNH_LANGUAGE__" --replace_string="$language" --target_file="$final_path/conf/local.php" fi # Do not overwrite existing ACL configuration file as it could have user customization's and settings. # Create file if it does not exist # See https://www.dokuwiki.org/acl#background_info if [ ! -f "$final_path/conf/acl.auth.php" ]; then cp ../conf/acl.auth.php $final_path/conf fi # For securing DokuWiki installation, create default files that will be writable in the "conf" folder. # Other files will be read ony and owned by root. # See https://www.dokuwiki.org/install:permissions # If file does not exists if [ ! -f "$final_path/conf/local.php.bak" ]; then # if template exists if [ -f "$final_path/conf/local.php.dist" ]; then # Copy template to create default file cp "$final_path/conf/local.php.dist" "$final_path/conf/local.php.bak" fi fi if [ ! -f "$final_path/conf/users.auth.php" ]; then if [ -f "$final_path/conf/users.auth.php.dist" ]; then cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php fi fi if [ ! -f "$final_path/conf/plugins.local.php" ]; then cp ../conf/plugins.local.php $final_path/conf fi if [ ! -f "$final_path/conf/plugins.local.php.bak" ]; then cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak fi if [ ! -f "$final_path/inc/preload.php" ]; then # if template exists if [ -f "$final_path/inc/preload.php.dist" ]; then # Copy template to create default file cp "$final_path/inc/preload.php.dist" "$final_path/inc/preload.php" fi fi #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=9 # Backup the current version of the app ynh_backup_before_upgrade ynh_clean_setup () { # restore it if the upgrade fails ynh_restore_upgradebackup } # Exit if an error occurs during the execution of the script ynh_abort_if_errors #================================================= # CHECK THE PATH #================================================= # Normalize the URL path syntax path_url=$(ynh_normalize_url_path --path_url=$path_url) #================================================= # STANDARD UPGRADE STEPS #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Upgrading source files..." --weight=2 # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" fi #================================================= # NGINX CONFIGURATION #================================================= ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=2 # Create a dedicated NGINX config ynh_add_nginx_config #================================================= # CREATE DEDICATED USER #================================================= ynh_script_progression --message="Making sure dedicated system user exists..." # Create a system user ynh_system_user_create --username=$app #================================================= # PHP-FPM CONFIGURATION #================================================= ynh_script_progression --message="Upgrading PHP-FPM configuration..." # Create a dedicated PHP-FPM config ynh_add_fpm_config --phpversion=$YNH_PHP_VERSION #================================================= # SPECIFIC UPGRADE #================================================= if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Upgrading DokuWiki..." --weight=7 # Remove upgrade notification inside Dokuwiki's admin panel # See https://www.dokuwiki.org/update_check touch $final_path/doku.php # Remove files not used anymore after upgrade # See https://www.dokuwiki.org/install:unused_files if [ -f "$final_path/data/deleted.files" ]; then # Use a "sub process" to start a new shell to run these commands # Allow to use only one "cd" and to be more efficent ( # Move to the dokuwiki installation folder so the "official" commands can be used without adaptation cd $final_path grep --extended-regexp --invert-match '^($|#)' data/deleted.files | xargs --max-args=1 rm --force --dir || true ) fi # TODO Taken from old "upgrade" script. Should check if it is needed and what it does # Update all plugins for name_plugin in $(sudo -s cat $final_path/lib/plugins/*/plugin.info.txt | grep url | awk -F ':' '{print $3}'); do # Get a official plugin for dokuwiki, not update a no-official wget -nv --quiet "https://github.com/splitbrain/dokuwiki-plugin-$name_plugin/zipball/master" -O "${name_plugin}.zip" -o /dev/null || true if [ -s "${name_plugin}.zip" ]; then unzip ${name_plugin}.zip cp -a splitbrain-dokuwiki-plugin-${name_plugin}*/. "$final_path/lib/plugins/$name_plugin/" fi done fi #================================================= # LDAP Configuration #================================================= ### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script. ### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it. ynh_backup_if_checksum_is_different --file="$final_path/conf/local.protected.php" # Always overwrite local file with the one from package. cp ../conf/local.protected.php $final_path/conf # Set the "admin" user ynh_replace_string --match_string="__YNH_ADMIN_USER__" --replace_string="$admin" --target_file="$final_path/conf/local.protected.php" # Recalculate and store the checksum of the file for the next upgrade. ynh_store_file_checksum --file="$final_path/conf/local.protected.php" #================================================= # INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN #================================================= ynh_script_progression --message="Upgrading logautherror plugin for Fail2Ban..." --weight=2 ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror #================================================= # GENERIC FINALIZATION #================================================= # SECURE FILES AND DIRECTORIES #================================================= # Try to use "least privilege" to grant minimal access # For details, see https://www.dokuwiki.org/install:permissions # Files owned by DokuWiki can just read chown -R root: $final_path # DokuWiki needs to write inside these folders. Make "DokuWiki" owner chown $app:root $final_path/{conf,inc} # Make "DokuWiki" owner of configuration files that must be writable chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak} # Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport # See https://www.dokuwiki.org/devel:preload chown $app:root $final_path/inc/preload.php # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them # There are only files in the folder and there are no sublevels. No need to use "find" chmod -R a+r $final_path/{conf,inc} # Give write access to "data" and subfolders chown -R $app:root $final_path/data # Remove access to "other" chmod -R o-rwx $final_path/data # Allow the web admin panel to run, aka "Extension Manager" chown -R $app:root $final_path/lib/plugins # Allow to install templates chown -R $app:root $final_path/lib/tpl # Allow access to public assets like style sheets find $final_path/lib -type f -print0 | xargs -0 chmod 0644 find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # Using "find" instead of "chmod -R 755" so files does not become executable too # chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD # find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD #================================================= # SETUP FAIL2BAN #================================================= ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=7 ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 #================================================= # SETUP SSOWAT #================================================= ynh_script_progression --message="Upgrading SSOwat configuration..." if [ $is_public -eq 0 ] then # Remove the public access ynh_app_setting_delete --app=$app --key=skipped_uris fi # Make app public if necessary if [ $is_public -eq 1 ] then # unprotected_uris allows SSO credentials to be passed anyway ynh_app_setting_set --app=$app --key=unprotected_uris --value="/" fi #================================================= # RELOAD NGINX #================================================= ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name=nginx --action=reload #================================================= # END OF SCRIPT #================================================= ynh_script_progression --message="Upgrade of $app completed" --last