mirror of
https://github.com/YunoHost-Apps/dokuwiki_ynh.git
synced 2024-09-03 18:26:20 +02:00
339 lines
12 KiB
Bash
Executable file
339 lines
12 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
#=================================================
|
|
# GENERIC START
|
|
#=================================================
|
|
# IMPORT GENERIC HELPERS
|
|
#=================================================
|
|
|
|
source _common.sh
|
|
source /usr/share/yunohost/helpers
|
|
|
|
#=================================================
|
|
# LOAD SETTINGS
|
|
#=================================================
|
|
ynh_script_progression --message="Loading installation settings..." --weight=2
|
|
|
|
app=$YNH_APP_INSTANCE_NAME
|
|
|
|
domain=$(ynh_app_setting_get --app=$app --key=domain)
|
|
path_url=$(ynh_app_setting_get --app=$app --key=path)
|
|
admin=$(ynh_app_setting_get --app=$app --key=admin)
|
|
is_public=$(ynh_app_setting_get --app=$app --key=is_public)
|
|
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
|
|
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
|
|
|
|
#=================================================
|
|
# CHECK VERSION
|
|
#=================================================
|
|
|
|
upgrade_type=$(ynh_check_app_version_changed)
|
|
|
|
#=================================================
|
|
# ENSURE DOWNWARD COMPATIBILITY
|
|
#=================================================
|
|
ynh_script_progression --message="Ensuring downward compatibility..."
|
|
|
|
# Fix is_public as a boolean value
|
|
if [ "$is_public" = "Yes" ]; then
|
|
ynh_app_setting_set --app=$app --key=is_public --value=1
|
|
is_public=1
|
|
elif [ "$is_public" = "No" ]; then
|
|
ynh_app_setting_set --app=$app --key=is_public --value=0
|
|
is_public=0
|
|
fi
|
|
|
|
# If final_path doesn't exist, create it
|
|
if [ -z "$final_path" ]; then
|
|
final_path=/var/www/$app
|
|
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
|
|
fi
|
|
|
|
# TODO Not sure if still needed ??
|
|
# admin default value, if not set
|
|
if [ -z "$admin" ]; then
|
|
admin=$(yunohost user list | grep 'username' -m1 | awk '{print $2}')
|
|
ynh_app_setting_set --app=$app --key=is_public --value=$is_public
|
|
fi
|
|
|
|
# language default value, if not set
|
|
if [ -z "$language" ]; then
|
|
language='en'
|
|
ynh_app_setting_set --app=$app --key=language --value=$language
|
|
fi
|
|
|
|
# YunoHost specific configuration, if it isn't exist already
|
|
|
|
# Previously, these settings were store in an unique "dokuwiki.php"
|
|
# Now, they are split in multiple files to ease upgrading process (separate YunoHost config from user config)
|
|
|
|
# Loading order of configuration files
|
|
#
|
|
# By default DokuWiki loads its configuration files in the following order:
|
|
#
|
|
# 1. conf/dokuwiki.php
|
|
# 2. conf/local.php
|
|
# 3. conf/local.protected.php
|
|
#
|
|
# See https://www.dokuwiki.org/plugin:config#protecting_settings
|
|
|
|
# Configuration dedicated to Yunohost (LDAP and admin mainly)
|
|
# Create an empty configuration file if it does not exist
|
|
# This file will be overwritten anyway later in the part "# LDAP Configuration"
|
|
# The file is created here to prevent a failure of the helper `ynh_backup_if_checksum_is_different`
|
|
if [ ! -f "$final_path/conf/local.protected.php" ]; then
|
|
touch $final_path/conf/local.protected.php
|
|
fi
|
|
|
|
# Do not overwrite existing dokuwiki configuration as it could have user customization's and settings.
|
|
# Create file if it does not exist
|
|
if [ ! -f "$final_path/conf/local.php" ]; then
|
|
cp ../conf/local.php $final_path/conf
|
|
|
|
# Set the default "language"
|
|
ynh_replace_string --match_string="__YNH_LANGUAGE__" --replace_string="$language" --target_file="$final_path/conf/local.php"
|
|
fi
|
|
|
|
# Do not overwrite existing ACL configuration file as it could have user customization's and settings.
|
|
# Create file if it does not exist
|
|
# See https://www.dokuwiki.org/acl#background_info
|
|
if [ ! -f "$final_path/conf/acl.auth.php" ]; then
|
|
cp ../conf/acl.auth.php $final_path/conf
|
|
fi
|
|
|
|
# For securing DokuWiki installation, create default files that will be writable in the "conf" folder.
|
|
# Other files will be read ony and owned by root.
|
|
# See https://www.dokuwiki.org/install:permissions
|
|
|
|
# If file does not exists
|
|
if [ ! -f "$final_path/conf/local.php.bak" ]; then
|
|
# if template exists
|
|
if [ -f "$final_path/conf/local.php.dist" ]; then
|
|
# Copy template to create default file
|
|
cp "$final_path/conf/local.php.dist" "$final_path/conf/local.php.bak"
|
|
fi
|
|
fi
|
|
|
|
if [ ! -f "$final_path/conf/users.auth.php" ]; then
|
|
if [ -f "$final_path/conf/users.auth.php.dist" ]; then
|
|
cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php
|
|
fi
|
|
fi
|
|
|
|
if [ ! -f "$final_path/conf/plugins.local.php" ]; then
|
|
cp ../conf/plugins.local.php $final_path/conf
|
|
fi
|
|
|
|
if [ ! -f "$final_path/conf/plugins.local.php.bak" ]; then
|
|
cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak
|
|
fi
|
|
|
|
|
|
if [ ! -f "$final_path/inc/preload.php" ]; then
|
|
# if template exists
|
|
if [ -f "$final_path/inc/preload.php.dist" ]; then
|
|
# Copy template to create default file
|
|
cp "$final_path/inc/preload.php.dist" "$final_path/inc/preload.php"
|
|
fi
|
|
fi
|
|
|
|
#=================================================
|
|
# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
|
|
#=================================================
|
|
ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=9
|
|
|
|
# Backup the current version of the app
|
|
ynh_backup_before_upgrade
|
|
ynh_clean_setup () {
|
|
# restore it if the upgrade fails
|
|
ynh_restore_upgradebackup
|
|
}
|
|
# Exit if an error occurs during the execution of the script
|
|
ynh_abort_if_errors
|
|
|
|
#=================================================
|
|
# CHECK THE PATH
|
|
#=================================================
|
|
|
|
# Normalize the URL path syntax
|
|
path_url=$(ynh_normalize_url_path --path_url=$path_url)
|
|
|
|
#=================================================
|
|
# STANDARD UPGRADE STEPS
|
|
#=================================================
|
|
# DOWNLOAD, CHECK AND UNPACK SOURCE
|
|
#=================================================
|
|
|
|
if [ "$upgrade_type" == "UPGRADE_APP" ]
|
|
then
|
|
ynh_script_progression --message="Upgrading source files..." --weight=2
|
|
|
|
# Download, check integrity, uncompress and patch the source from app.src
|
|
ynh_setup_source --dest_dir="$final_path"
|
|
fi
|
|
|
|
#=================================================
|
|
# NGINX CONFIGURATION
|
|
#=================================================
|
|
ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=2
|
|
|
|
# Create a dedicated NGINX config
|
|
ynh_add_nginx_config
|
|
|
|
#=================================================
|
|
# CREATE DEDICATED USER
|
|
#=================================================
|
|
ynh_script_progression --message="Making sure dedicated system user exists..."
|
|
|
|
# Create a system user
|
|
ynh_system_user_create --username=$app
|
|
|
|
#=================================================
|
|
# PHP-FPM CONFIGURATION
|
|
#=================================================
|
|
ynh_script_progression --message="Upgrading PHP-FPM configuration..."
|
|
|
|
# Create a dedicated PHP-FPM config
|
|
ynh_add_fpm_config
|
|
|
|
#=================================================
|
|
# SPECIFIC UPGRADE
|
|
#=================================================
|
|
|
|
if [ "$upgrade_type" == "UPGRADE_APP" ]
|
|
then
|
|
ynh_script_progression --message="Upgrading DokuWiki..." --weight=7
|
|
|
|
# Remove upgrade notification inside Dokuwiki's admin panel
|
|
# See https://www.dokuwiki.org/update_check
|
|
touch $final_path/doku.php
|
|
|
|
# Remove files not used anymore after upgrade
|
|
# See https://www.dokuwiki.org/install:unused_files
|
|
if [ -f "$final_path/data/deleted.files" ]; then
|
|
|
|
# Use a "sub process" to start a new shell to run these commands
|
|
# Allow to use only one "cd" and to be more efficent
|
|
(
|
|
# Move to the dokuwiki installation folder so the "official" commands can be used without adaptation
|
|
cd $final_path
|
|
|
|
grep --extended-regexp --invert-match '^($|#)' data/deleted.files | xargs --max-args=1 rm --force --dir || true
|
|
)
|
|
fi
|
|
|
|
# TODO Taken from old "upgrade" script. Should check if it is needed and what it does
|
|
# Update all plugins
|
|
for name_plugin in $(sudo -s cat $final_path/lib/plugins/*/plugin.info.txt | grep url | awk -F ':' '{print $3}');
|
|
do
|
|
# Get a official plugin for dokuwiki, not update a no-official
|
|
wget -nv --quiet "https://github.com/splitbrain/dokuwiki-plugin-$name_plugin/zipball/master" -O "${name_plugin}.zip" -o /dev/null || true
|
|
if [ -s "${name_plugin}.zip" ]; then
|
|
unzip ${name_plugin}.zip
|
|
cp -a splitbrain-dokuwiki-plugin-${name_plugin}*/. "$final_path/lib/plugins/$name_plugin/"
|
|
fi
|
|
done
|
|
fi
|
|
|
|
#=================================================
|
|
# LDAP Configuration
|
|
#=================================================
|
|
|
|
### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script.
|
|
### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it.
|
|
ynh_backup_if_checksum_is_different --file="$final_path/conf/local.protected.php"
|
|
|
|
# Always overwrite local file with the one from package.
|
|
cp ../conf/local.protected.php $final_path/conf
|
|
|
|
# Set the "admin" user
|
|
ynh_replace_string --match_string="__YNH_ADMIN_USER__" --replace_string="$admin" --target_file="$final_path/conf/local.protected.php"
|
|
|
|
# Recalculate and store the checksum of the file for the next upgrade.
|
|
ynh_store_file_checksum --file="$final_path/conf/local.protected.php"
|
|
|
|
#=================================================
|
|
# INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN
|
|
#=================================================
|
|
ynh_script_progression --message="Upgrading logautherror plugin for Fail2Ban..." --weight=2
|
|
|
|
ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror
|
|
|
|
#=================================================
|
|
# GENERIC FINALIZATION
|
|
#=================================================
|
|
# SECURE FILES AND DIRECTORIES
|
|
#=================================================
|
|
|
|
# Try to use "least privilege" to grant minimal access
|
|
# For details, see https://www.dokuwiki.org/install:permissions
|
|
|
|
# Files owned by DokuWiki can just read
|
|
chown -R root: $final_path
|
|
|
|
# DokuWiki needs to write inside these folders. Make "DokuWiki" owner
|
|
chown $app:root $final_path/{conf,inc}
|
|
|
|
# Make "DokuWiki" owner of configuration files that must be writable
|
|
chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak}
|
|
|
|
# Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport
|
|
# See https://www.dokuwiki.org/devel:preload
|
|
chown $app:root $final_path/inc/preload.php
|
|
|
|
# Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them
|
|
# There are only files in the folder and there are no sublevels. No need to use "find"
|
|
chmod -R a+r $final_path/{conf,inc}
|
|
|
|
# Give write access to "data" and subfolders
|
|
chown -R $app:root $final_path/data
|
|
# Remove access to "other"
|
|
chmod -R o-rwx $final_path/data
|
|
|
|
# Allow the web admin panel to run, aka "Extension Manager"
|
|
chown -R $app:root $final_path/lib/plugins
|
|
# Allow to install templates
|
|
chown -R $app:root $final_path/lib/tpl
|
|
|
|
# Allow access to public assets like style sheets
|
|
find $final_path/lib -type f -print0 | xargs -0 chmod 0644
|
|
find $final_path/lib -type d -print0 | xargs -0 chmod 0755
|
|
# Using "find" instead of "chmod -R 755" so files does not become executable too
|
|
# chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD
|
|
# find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD
|
|
|
|
#=================================================
|
|
# SETUP FAIL2BAN
|
|
#=================================================
|
|
ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=7
|
|
|
|
ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: <HOST>,.*POST $path_url.*$" --max_retry=5
|
|
|
|
#=================================================
|
|
# SETUP SSOWAT
|
|
#=================================================
|
|
ynh_script_progression --message="Upgrading SSOwat configuration..."
|
|
|
|
if [ $is_public -eq 0 ]
|
|
then # Remove the public access
|
|
ynh_app_setting_delete --app=$app --key=skipped_uris
|
|
fi
|
|
# Make app public if necessary
|
|
if [ $is_public -eq 1 ]
|
|
then
|
|
# unprotected_uris allows SSO credentials to be passed anyway
|
|
ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
|
|
fi
|
|
|
|
#=================================================
|
|
# RELOAD NGINX
|
|
#=================================================
|
|
ynh_script_progression --message="Reloading NGINX web server..."
|
|
|
|
ynh_systemd_action --service_name=nginx --action=reload
|
|
|
|
#=================================================
|
|
# END OF SCRIPT
|
|
#=================================================
|
|
|
|
ynh_script_progression --message="Upgrade of $app completed" --last
|