diff --git a/conf/dont-code-sudoers b/conf/dont-code-sudoers
new file mode 100644
index 0000000..29093e7
--- /dev/null
+++ b/conf/dont-code-sudoers
@@ -0,0 +1 @@
+%__APP__ ALL=(root) NOPASSWD: /usr/bin/systemctl restart __APP__-*
diff --git a/conf/restart-services.sh b/conf/restart-services.sh
new file mode 100644
index 0000000..faa8f8b
--- /dev/null
+++ b/conf/restart-services.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Restart all dont-code services
+sudo systemctl restart "__APP__-*"
diff --git a/manifest.json b/manifest.json
index a82252e..673cfc0 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Install services and databases needed to support Dont-code platform",
 "fr": "Installe les services et base de données nécessaires pour utiliser la plateforme Dont-code"
 },
- "version": "0.2~ynh1",
+ "version": "0.2~ynh2",
 "url": "https://dont-code.net",
 "upstream": {
 "license": "AGPL-3.0-or-later",
diff --git a/scripts/backup b/scripts/backup
index 93f7145..672fc79 100755
--- a/scripts/backup
+++ b/scripts/backup
@@ -65,6 +65,9 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 #=================================================
 # SPECIFIC BACKUP
 #=================================================
+ynh_backup --src_path="/etc/sudoers.d/$app-sudoers"
+
+
 # BACKUP LOGROTATE
 #=================================================
diff --git a/scripts/install b/scripts/install
index 442c282..e94a4a1 100755
--- a/scripts/install
+++ b/scripts/install
@@ -179,6 +179,7 @@ ynh_setup_source --dest_dir="$final_path"
 if [ -n "$public_key" ]
 then
+ ynh_script_progression --message="Enabling ssh access for dev..." --weight=1
 #enable ssh access to the files for updates
 #todo: Secure it more with https://github.com/YunoHost-Apps/ssh_chroot_dir_ynh
 mkdir --parents $final_path/.ssh
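Review bot: The argument pattern `__APP__-*` in the new sudoers entry is wider than it reads: sudoers(5) matches command-line arguments as a single space-joined string, so the `*` also spans later arguments and the rule accepts further arguments after `systemctl restart` as long as the first one starts with `__APP__-`, not only the app's own units. The least-privilege form is one wildcard-free entry per unit, e.g. `%__APP__ ALL=(root) NOPASSWD: /usr/bin/systemctl restart __APP__-<service>` for each service (the unit names are not visible in this diff; `PORT_LIST` in scripts/upgrade suggests ide, preview, project and data). The wrapper in conf/restart-services.sh would then have to name the same units instead of passing the glob, since sudo would no longer match a literal `__APP__-*` argument. Note also that the leading `%` makes this a group rule, so every member of the `__APP__` group receives it, not just the app user.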
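Review bot: The quoted `"__APP__-*"` is handed to systemctl as a glob, and per systemctl(1) glob patterns are only matched against units currently loaded in memory, so a unit that is stopped and has been unloaded is skipped silently while the script still exits 0. Listing the units explicitly (`sudo systemctl restart __APP__-<service> …`, one name per service) makes the restart deterministic and is also what a wildcard-free sudoers rule would require. A one-line header such as `# Restarts the app's systemd units via the matching /etc/sudoers.d entry; run as the app user over ssh` would tell the next reader why `sudo` is expected to work without a password here.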
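Review bot: `ynh_backup --src_path="/etc/sudoers.d/$app-sudoers"` runs unconditionally, but the install script only writes that file inside `if [ -n "$public_key" ]`, so on an install without a dev key the source path does not exist and, as far as I know the helper, a missing mandatory source is reported as an error and the backup fails at this line. Pass `--not_mandatory` (`ynh_backup --src_path="/etc/sudoers.d/$app-sudoers" --not_mandatory`) or guard the call on the `public_key` setting the way the upgrade script reads it. The restore side should then tolerate the file being absent from the archive as well.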
@@ -187,6 +188,22 @@ then
 chown -R $app:$app "$final_path/.ssh"
 chmod 700 "$final_path/.ssh"
 chmod 600 "$final_path/.ssh/authorized_keys"
+
+ #=================================================
+ # Create restart services file
+ #=================================================
+
+ # Enable restarting of services from ssh
+ ynh_add_config --template="restart-services.sh" --destination="$final_path/restart-services.sh"
+
+ # Enable root ownership to be able to call systemctl
+ chown $app:$app "$final_path/restart-services.sh"
+ chmod o-rwx,gu=rwx "$final_path/restart-services.sh"
+
+ ynh_add_config --template="dont-code-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+ chown root:root "/etc/sudoers.d/$app-sudoers"
+ chmod o-rwx,gu=r "/etc/sudoers.d/$app-sudoers"
+
 fi
@@ -205,6 +222,7 @@ ynh_add_nginx_config
 #=================================================
 # Create document storage
 #=================================================
+ynh_script_progression --message="Configuring document storage..." --weight=1
 document_path=$html_path/docs
 test ! -e "$document_path" || ynh_die --message="This path already contains a folder"
 mkdir --parents $document_path
diff --git a/scripts/remove b/scripts/remove
index 9e45c75..21778b0 100755
--- a/scripts/remove
+++ b/scripts/remove
@@ -102,6 +102,8 @@ ynh_script_progression --message="Removing NGINX web server configuration..." --
 # Remove the dedicated NGINX config
 ynh_remove_nginx_config
+ynh_secure_remove --file="/etc/sudoers.d/$app-sudoers"
+
 #=================================================
 # REMOVE DEPENDENCIES
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index 5287907..340e6b6 100755
--- a/scripts/restore
+++ b/scripts/restore
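Review bot: The comment `# Enable root ownership to be able to call systemctl` contradicts the two commands beneath it, which give `restart-services.sh` to `$app:$app`; root only comes into play through the sudoers entry written a few lines later, so I would reword it to `# Owned by the app user; the right to run systemctl comes from the sudoers entry below, not from file ownership`. The generated sudoers file is chowned and chmodded but never validated, and a template or substitution error in /etc/sudoers.d can make sudo refuse to run for everyone on the host until it is fixed; add `visudo -cf "/etc/sudoers.d/$app-sudoers" || ynh_die --message="Generated sudoers file is invalid"` right after the chmod. The same misleading comment and the same missing check appear in the upgrade hunk `@@ -195,6 +195,22 @@`. The `if [ -n "$public_key" ]` that encloses this block begins before the hunk.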
@@ -54,7 +54,7 @@ test ! -d $final_path \
 ynh_script_progression --message="Recreating the dedicated system user..." --weight=1
 # Create the dedicated user (if not existing)
-ynh_system_user_create --username=$app --home_dir="$final_path"
+ynh_system_user_create --username=$app --home_dir="$final_path" --use_shell --groups="ssh.app"
 #=================================================
 # RESTORE THE APP MAIN DIR
@@ -79,6 +79,14 @@ then
 chown -R $app:$app "$final_path/.ssh"
 chmod 700 "$final_path/.ssh"
 chmod 600 "$final_path/.ssh/authorized_keys"
+ # Enable restart of services for the dont-code user
+ chown $app:$app "$final_path/restart-services.sh"
+ chmod o-rwx,gu=rwx "$final_path/restart-services.sh"
+
+ ynh_restore_file --origin_path="/etc/sudoers.d/$app-sudoers"
+
+ chown root:root "/etc/sudoers.d/$app-sudoers"
+ chmod o-rwx,gu=r "/etc/sudoers.d/$app-sudoers"
 fi
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 3862ab4..fab7b44 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -29,6 +29,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 document_path=$(ynh_app_setting_get --app=$app --key=document_path)
 document_url=$(ynh_app_setting_get --app=$app --key=document_url)
 html_path=$(ynh_app_setting_get --app=$app --key=html_path)
+public_key=$(ynh_app_setting_get --app=$app --key=public_key)
 PORT_LIST=($port_ide $port_preview $port_project $port_data)
@@ -105,7 +106,6 @@ then
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$final_path"
- # No need to upgrade the .ssh authorization files
 fi
 # FIXME: this should be managed by the core in the future
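Review bot: The added lines in the `@@ -79,6 +79,14 @@` hunk assume both new files are present in the archive, but a backup taken with 0.2~ynh1 contains neither, so restoring such an archive with a `public_key` set aborts at `chown $app:$app "$final_path/restart-services.sh"`, and would otherwise stop at `ynh_restore_file`, which fails on a missing mandatory source. Either tolerate their absence as below, or regenerate both files from the templates the way the upgrade script does so that a restored install is not left without the wrapper. The `if` enclosing these lines begins before the hunk.
```shell
	chmod 600 "$final_path/.ssh/authorized_keys"
	# Archives made before 0.2~ynh2 carry neither file; skip rather than abort the restore
	if [ -f "$final_path/restart-services.sh" ]; then
		chown $app:$app "$final_path/restart-services.sh"
		chmod o-rwx,gu=rwx "$final_path/restart-services.sh"
	fi

	ynh_restore_file --origin_path="/etc/sudoers.d/$app-sudoers" --not_mandatory
	if [ -f "/etc/sudoers.d/$app-sudoers" ]; then
		chown root:root "/etc/sudoers.d/$app-sudoers"
		chmod o-rwx,gu=r "/etc/sudoers.d/$app-sudoers"
	fi
```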
@@ -195,6 +195,22 @@ if [ "$correct_document_url" != "$document_url" ]; then
 chown $app:$app "$final_path/.env"
 fi
+if [ -n "$public_key" ] && [ ! -f "$final_path/restart-services.sh" ];
+then
+ ynh_script_progression --message="Upgrading ssh access for dev..." --weight=1
+
+ # Enable restarting of services from ssh
+ ynh_add_config --template="restart-services.sh" --destination="$final_path/restart-services.sh"
+
+ # Enable root ownership to be able to call systemctl
+ chown $app:$app "$final_path/restart-services.sh"
+ chmod o-rwx,gu=rwx "$final_path/restart-services.sh"
+
+ ynh_add_config --template="dont-code-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+ chown root:root "/etc/sudoers.d/$app-sudoers"
+ chmod o-rwx,gu=r "/etc/sudoers.d/$app-sudoers"
+fi
+
 #=================================================
 # UPDATE A CONFIG FILE
 #=================================================
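Review bot: The guard `[ ! -f "$final_path/restart-services.sh" ]` turns this block into a one-shot migration: once the wrapper exists, neither it nor `/etc/sudoers.d/$app-sudoers` is written again, so a later change to the `dont-code-sudoers` template (for instance a tighter rule) never reaches existing installs, and a sudoers file that has gone missing is not recreated while the wrapper is present. `ynh_add_config` is designed to be re-run on every upgrade (it stores the file checksum and backs up manual edits), so the condition can simply be `if [ -n "$public_key" ]` with the rest of the block unchanged; re-applying ownership and mode each time is cheap and idempotent. The sudoers file also deserves a `visudo -cf` check here, as noted on the install hunk.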