Enable ssh support for dev

conf/dont-code-sudoers

@@ -0,0 +1 @@
+%__APP__ ALL=(root) NOPASSWD: /usr/bin/systemctl restart __APP__-*

conf/restart-services.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Restart all dont-code services
+sudo systemctl restart "__APP__-*"

manifest.json

@@ -6,7 +6,7 @@
         "en": "Install services and databases needed to support Dont-code platform",
         "fr": "Installe les services et base de données nécessaires pour utiliser la plateforme Dont-code"
     },
-    "version": "0.2~ynh1",
+    "version": "0.2~ynh2",
     "url": "https://dont-code.net",
     "upstream": {
         "license": "AGPL-3.0-or-later",

scripts/backup

@@ -65,6 +65,9 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 #=================================================
 # SPECIFIC BACKUP
 #=================================================
+ynh_backup --src_path="/etc/sudoers.d/$app-sudoers"
+
+
 # BACKUP LOGROTATE
 #=================================================
 

scripts/install

@@ -179,6 +179,7 @@ ynh_setup_source --dest_dir="$final_path"
 
 if [ -n "$public_key" ]
 then
+  ynh_script_progression --message="Enabling ssh access for dev..." --weight=1
   #enable ssh access to the files for updates
   #todo: Secure it more with https://github.com/YunoHost-Apps/ssh_chroot_dir_ynh
   mkdir --parents $final_path/.ssh
@@ -187,6 +188,22 @@ then
   chown -R $app:$app "$final_path/.ssh"
   chmod 700 "$final_path/.ssh"
   chmod 600 "$final_path/.ssh/authorized_keys"
+
+  #=================================================
+  # Create restart services file
+  #=================================================
+
+  # Enable restarting of services from ssh
+  ynh_add_config --template="restart-services.sh" --destination="$final_path/restart-services.sh"
+
+  # Enable root ownership to be able to call systemctl
+  chown $app:$app "$final_path/restart-services.sh"
+  chmod o-rwx,gu=rwx "$final_path/restart-services.sh"
+
+  ynh_add_config --template="dont-code-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+  chown root:root "/etc/sudoers.d/$app-sudoers"
+  chmod o-rwx,gu=r "/etc/sudoers.d/$app-sudoers"
+
 fi
 
 
@@ -205,6 +222,7 @@ ynh_add_nginx_config
 #=================================================
 # Create document storage
 #=================================================
+ynh_script_progression --message="Configuring document storage..." --weight=1
 document_path=$html_path/docs
 test ! -e "$document_path" || ynh_die --message="This path already contains a folder"
 mkdir --parents $document_path

scripts/remove

@@ -102,6 +102,8 @@ ynh_script_progression --message="Removing NGINX web server configuration..." --
 # Remove the dedicated NGINX config
 ynh_remove_nginx_config
 
+ynh_secure_remove --file="/etc/sudoers.d/$app-sudoers"
+
 #=================================================
 # REMOVE DEPENDENCIES
 #=================================================

scripts/restore

@@ -54,7 +54,7 @@ test ! -d $final_path \
 ynh_script_progression --message="Recreating the dedicated system user..." --weight=1
 
 # Create the dedicated user (if not existing)
-ynh_system_user_create --username=$app --home_dir="$final_path"
+ynh_system_user_create --username=$app --home_dir="$final_path" --use_shell --groups="ssh.app"
 
 #=================================================
 # RESTORE THE APP MAIN DIR
@@ -79,6 +79,14 @@ then
   chown -R $app:$app "$final_path/.ssh"
   chmod 700 "$final_path/.ssh"
   chmod 600 "$final_path/.ssh/authorized_keys"
+  # Enable restart of services for the dont-code user
+  chown $app:$app "$final_path/restart-services.sh"
+  chmod o-rwx,gu=rwx "$final_path/restart-services.sh"
+
+  ynh_restore_file --origin_path="/etc/sudoers.d/$app-sudoers"
+
+  chown root:root "/etc/sudoers.d/$app-sudoers"
+  chmod o-rwx,gu=r "/etc/sudoers.d/$app-sudoers"
 fi
 
 #=================================================

scripts/upgrade

@@ -29,6 +29,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 document_path=$(ynh_app_setting_get --app=$app --key=document_path)
 document_url=$(ynh_app_setting_get --app=$app --key=document_url)
 html_path=$(ynh_app_setting_get --app=$app --key=html_path)
+public_key=$(ynh_app_setting_get --app=$app --key=public_key)
 
 PORT_LIST=($port_ide $port_preview $port_project $port_data)
 
@@ -105,7 +106,6 @@ then
 	# Download, check integrity, uncompress and patch the source from app.src
 	ynh_setup_source --dest_dir="$final_path"
 
-	# No need to upgrade the .ssh authorization files
 fi
 
 # FIXME: this should be managed by the core in the future
@@ -195,6 +195,22 @@ if [ "$correct_document_url" != "$document_url" ]; then
   chown $app:$app "$final_path/.env"
 fi
 
+if [ -n "$public_key" ] && [ ! -f "$final_path/restart-services.sh" ];
+then
+  ynh_script_progression --message="Upgrading ssh access for dev..." --weight=1
+
+ # Enable restarting of services from ssh
+  ynh_add_config --template="restart-services.sh" --destination="$final_path/restart-services.sh"
+
+  # Enable root ownership to be able to call systemctl
+  chown $app:$app "$final_path/restart-services.sh"
+  chmod o-rwx,gu=rwx "$final_path/restart-services.sh"
+
+  ynh_add_config --template="dont-code-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+  chown root:root "/etc/sudoers.d/$app-sudoers"
+  chmod o-rwx,gu=r "/etc/sudoers.d/$app-sudoers"
+fi
+
 #=================================================
 # UPDATE A CONFIG FILE
 #=================================================