#!/bin/bash #================================================= # GENERIC START #================================================= # IMPORT GENERIC HELPERS #================================================= source _common.sh source /usr/share/yunohost/helpers #================================================= # MANAGE SCRIPT FAILURE #================================================= # Exit if an error occurs during the execution of the script ynh_abort_if_errors #================================================= # RETRIEVE ARGUMENTS FROM THE MANIFEST #================================================= domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH admin=$YNH_APP_ARG_ADMIN is_public=$YNH_APP_ARG_IS_PUBLIC language=$YNH_APP_ARG_LANGUAGE # This is a multi-instance app, meaning it can be installed several times independently # The id of the app as stated in the manifest is available as $YNH_APP_ID # The instance number is available as $YNH_APP_INSTANCE_NUMBER (equals "1", "2", ...) # The app instance name is available as $YNH_APP_INSTANCE_NAME # - the first time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample # - the second time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample__2 # - ynhexample__{N} for the subsequent installations, with N=3,4, ... # The app instance name is probably what you are interested the most, since this is # guaranteed to be unique. This is a good unique identifier to define installation path, # db names, ... app=$YNH_APP_INSTANCE_NAME #================================================= # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS #================================================= final_path=/var/www/$app test ! -e "$final_path" || ynh_die "This path already contains a folder" # Normalize the url path syntax path_url=$(ynh_normalize_url_path $path_url) # Check web path availability ynh_webpath_available $domain $path_url # Register (book) web path ynh_webpath_register $app $domain $path_url #================================================= # STORE SETTINGS FROM MANIFEST #================================================= ynh_app_setting_set $app domain $domain ynh_app_setting_set $app path $path_url ynh_app_setting_set $app admin $admin ynh_app_setting_set $app is_public $is_public ynh_app_setting_set $app language $language #================================================= # STANDARD MODIFICATIONS #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= ynh_app_setting_set $app final_path $final_path # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source "$final_path" #================================================= # NGINX CONFIGURATION #================================================= # Create a dedicated nginx config ynh_add_nginx_config if [ "$path_url" != "/" ] then ynh_replace_string "^#sub_path_only" "" "/etc/nginx/conf.d/$domain.d/$app.conf" fi ynh_store_file_checksum "/etc/nginx/conf.d/$domain.d/$app.conf" #================================================= # CREATE DEDICATED USER #================================================= # Create a system user ynh_system_user_create $app #================================================= # PHP-FPM CONFIGURATION #================================================= # Create a dedicated php-fpm config ynh_add_fpm_config #================================================= # SPECIFIC SETUP #================================================= # CUSTOMIZE DOKUWIKI #================================================= # Set the "admin" user ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" # Set the "language" ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php" # Copy Yunohost specific configuration # Loading order of configuration files # # By default DokuWiki loads its configuration files in the following order: # # 1. conf/dokuwiki.php # 2. conf/local.php # 3. conf/local.protected.php # # See https://www.dokuwiki.org/plugin:config#protecting_settings cp ../conf/local.protected.php $final_path/conf # This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost # It will only be updated by Yunohost package or directly by adventurous users cp ../conf/local.php $final_path/conf # This file might be modified by dokuwiki admin panel or by plugins # It will not be modified by Yunohost in order to keep user settings # Restrict user rights by enforcing "read-only" mode for all users # See https://www.dokuwiki.org/acl#background_info # Default is "8" cp ../conf/acl.auth.php $final_path/conf #================================================= # CREATE DEFAULT FILES #================================================= # For securing DokuWiki installation, create default files that will be writable in the "conf" folder. # Other files will be read ony and owned by root. # See https://www.dokuwiki.org/install:permissions cp $final_path/conf/local.php.dist $final_path/conf/local.php.bak cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php cp $final_path/inc/preload.php.dist $final_path/inc/preload.php # This file might be used by plugins like https://www.dokuwiki.org/plugin:siteexport # Create it to be more "user friendly" as over the top security is not the main goal here # This file could be use for bad behaviour. # See https://www.dokuwiki.org/devel:preload?s[]=preload # There is no template .dist provided inside DokuWiki installation folder # Create "empty" files to be able to manage linux permissions # Files content is taken from an existing DokuWiki installation cp ../conf/plugins.local.php $final_path/conf cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak # Create file if it does not exist if [ ! -f "$final_path/conf/local.protected.php" ]; then # Set the default "admin" # Replace string in order to have a functionnal configuration file ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" cp ../conf/local.protected.php $final_path/conf fi #================================================= # STORE THE CHECKSUM OF THE CONFIG FILE #================================================= # Calculate and store the config file checksum into the app settings ynh_store_file_checksum "$final_path/conf/local.protected.php" ynh_store_file_checksum "$final_path/conf/local.php" ynh_store_file_checksum "$final_path/conf/acl.auth.php" #================================================= #================================================= # GENERIC FINALIZATION #================================================= # SECURE FILES AND DIRECTORIES #================================================= # Try to use "least privilege" to grant minimal access # For details, see https://www.dokuwiki.org/install:permissions # Files owned by DokuWiki can just read chown -R root: $final_path # DokuWiki needs to write inside these folders. Do "DokuWiki" owner chown $app:root $final_path/conf chown $app:root $final_path/inc # Do "DokuWiki" owner of configuration files that must be writable chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak} # Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport # See https://www.dokuwiki.org/devel:preload chown $app:root $final_path/inc/preload.php # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them # There are only files in the folder and there is sublevels. No need to use "find" chmod -R a+r $final_path/conf chmod -R a+r $final_path/inc # Give write access to "data" and subfolders chown -R $app:root $final_path/data # Remove access to "other" chmod -R o-rwx $final_path/data # Allow the web admin panel to run, aka "Extension Manager" chown -R $app:root $final_path/lib/plugins # Allow to install templates chown -R $app:root $final_path/lib/tpl # Allow access to public assets like style sheets find $final_path/lib -type f -print0 | xargs -0 chmod 0644 find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # Using "find" instead of "chmod -R 755" so files does not become executable too # chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD # find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD #================================================= # SETUP SSOWAT #================================================= # Not needed as no skipped_uris have been added before. # Example : "ynh_app_setting_set $app skipped_uris ..." # See https://github.com/YunoHost-Apps/dokuwiki_ynh/pull/37 for explanation #if [ $is_public -eq 0 ] #then # Remove the public access # ynh_app_setting_delete $app skipped_uris #fi # Make app public if necessary if [ $is_public -eq 1 ] then # unprotected_uris allows SSO credentials to be passed anyway. ynh_app_setting_set $app unprotected_uris "/" fi #================================================= # RELOAD NGINX #================================================= systemctl reload nginx