commit f7328ca0da25cc367331e32a85d99116749d469b Author: ericgaspar Date: Mon Apr 18 11:09:01 2022 +0200 First commit diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..7d1e40b --- /dev/null +++ b/LICENSE @@ -0,0 +1,4 @@ +File containing the license of your package. + +More information here: +https://yunohost.org/packaging_apps_guidelines#yep-1-3 diff --git a/README.md b/README.md new file mode 100644 index 0000000..820e437 --- /dev/null +++ b/README.md @@ -0,0 +1,84 @@ + +# Packaging an app, starting from this example + +- Copy this app before working on it, using the ['Use this template'](https://github.com/YunoHost/example_ynh/generate) button on the Github repo. +- Edit the `manifest.json` with app specific info. +- Edit the `install`, `upgrade`, `remove`, `backup`, and `restore` scripts, and any relevant conf files in `conf/`. + - Using the [script helpers documentation.](https://yunohost.org/packaging_apps_helpers) +- Add a `LICENSE` file for the package. +- Edit `doc/DISCLAIMER*.md` +- The `README.md` files are to be automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator + + +--- + + + +# Example app for YunoHost + +[![Integration level](https://dash.yunohost.org/integration/example.svg)](https://dash.yunohost.org/appci/app/example) ![](https://ci-apps.yunohost.org/ci/badges/example.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/example.maintain.svg) +[![Install example with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=example) + +*[Lire ce readme en français.](./README_fr.md)* + +> *This package allows you to install example quickly and simply on a YunoHost server. +If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.* + +## Overview + +Explain in *a few (10~15) words* the purpose of the app or what it actually does (it is meant to give a rough idea to users browsing a catalog of 100+ apps) + +**Shipped version:** 1.0~ynh1 + +**Demo:** https://demo.example.com + + +## Screenshots + + + ![](./doc/screenshots/example.jpg) + + + + +## Disclaimers / important information + +* Any known limitations, constrains or stuff not working, such as (but not limited to): + * requiring a full dedicated domain ? + * architectures not supported ? + * not-working single-sign on or LDAP integration ? + * the app requires an important amount of RAM / disk / .. to install or to work properly + * etc... + +* Other infos that people should be aware of, such as: + * any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...) + * how to configure / administrate the application if it ain't obvious + * upgrade process / specificities / things to be aware of ? + * security considerations ? + + + +## Documentation and resources + +* Official app website: https://example.com +* Official user documentation: https://yunohost.org/apps +* Official admin documentation: https://yunohost.org/packaging_apps +* Upstream app code repository: https://some.forge.com/example/example +* YunoHost documentation for this app: https://yunohost.org/app_example +* Report a bug: https://github.com/YunoHost-Apps/example_ynh/issues + +## Developer info + +Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/example_ynh/tree/testing). + +To try the testing branch, please proceed like that. +``` +sudo yunohost app install https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug +or +sudo yunohost app upgrade example -u https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug +``` + +**More info regarding app packaging:** https://yunohost.org/packaging_apps diff --git a/README_fr.md b/README_fr.md new file mode 100644 index 0000000..d856bf9 --- /dev/null +++ b/README_fr.md @@ -0,0 +1,66 @@ +# Example app pour YunoHost + +[![Niveau d'intégration](https://dash.yunohost.org/integration/example.svg)](https://dash.yunohost.org/appci/app/example) ![](https://ci-apps.yunohost.org/ci/badges/example.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/example.maintain.svg) +[![Installer example avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=example) + +*[Read this readme in english.](./README.md)* +*[Lire ce readme en français.](./README_fr.md)* + +> *This package allows you to install example quickly and simply on a YunoHost server. +If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.* + +## Vue d'ensemble + +Expliquez en *quelques* (10~15) mots l'utilité de l'app ou ce qu'elle fait (l'objectif est de donner une idée grossière pour des utilisateurs qui naviguent dans un catalogue de 100+ apps) + +**Version incluse:** 1.0~ynh1 + +**Démo:** https://demo.example.com + + +## Captures d'écran + + + ![](./doc/screenshots/example.jpg) + + + + +## Avertissements / informations importantes + +* Any known limitations, constrains or stuff not working, such as (but not limited to): + * requiring a full dedicated domain ? + * architectures not supported ? + * not-working single-sign on or LDAP integration ? + * the app requires an important amount of RAM / disk / .. to install or to work properly + * etc... + +* Other infos that people should be aware of, such as: + * any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...) + * how to configure / administrate the application if it ain't obvious + * upgrade process / specificities / things to be aware of ? + * security considerations ? + + + +## Documentations et ressources + +* Site official de l'app : https://example.com +* Documentation officielle utilisateur: https://yunohost.org/apps +* Documentation officielle de l'admin: https://yunohost.org/packaging_apps +* Dépôt de code officiel de l'app: https://some.forge.com/example/example +* Documentation YunoHost pour cette app: https://yunohost.org/app_example +* Signaler un bug: https://github.com/YunoHost-Apps/example_ynh/issues + +## Informations pour les développeurs + +Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/example_ynh/tree/testing). + +Pour essayer la branche testing, procédez comme suit. +``` +sudo yunohost app install https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug +or +sudo yunohost app upgrade example -u https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug +``` + +**Plus d'infos sur le packaging d'applications:** https://yunohost.org/packaging_apps \ No newline at end of file diff --git a/check_process b/check_process new file mode 100644 index 0000000..9f8650a --- /dev/null +++ b/check_process @@ -0,0 +1,27 @@ +;; Test complet + ; Manifest + domain="domain.tld" + path="/path" + is_public=1 + language="fr" + admin="john" + password="1Strong-Password" + ; Checks + pkg_linter=1 + setup_sub_dir=1 + setup_root=1 + setup_nourl=0 + setup_private=1 + setup_public=1 + upgrade=1 + #upgrade=1 from_commit=CommitHash + backup_restore=1 + multi_instance=1 + change_url=1 +;;; Options +Email= +Notification=none +;;; Upgrade options + ; commit=CommitHash + name=Name and date of the commit. + manifest_arg=domain=DOMAIN&path=PATH&is_public=1&language=fr&admin=USER&password=pass&port=666& diff --git a/conf/amd64.src b/conf/amd64.src new file mode 100644 index 0000000..05d4325 --- /dev/null +++ b/conf/amd64.src @@ -0,0 +1,7 @@ +SOURCE_URL=https://github.com/ergochat/ergo/releases/download/v2.9.1/ergo-2.9.1-linux-x86_64.tar.gz +SOURCE_SUM=38ce7738a05b8e9980e86a26a3508b56771ef651c6d823146059776c95a9579f +SOURCE_SUM_PRG=sha256sum +SOURCE_FORMAT=tar.gz +SOURCE_IN_SUBDIR=true +SOURCE_FILENAME= +SOURCE_EXTRACT=true diff --git a/conf/arm64.src b/conf/arm64.src new file mode 100644 index 0000000..a19ba78 --- /dev/null +++ b/conf/arm64.src @@ -0,0 +1,7 @@ +SOURCE_URL=https://github.com/ergochat/ergo/releases/download/v2.9.1/ergo-2.9.1-linux-arm64.tar.gz +SOURCE_SUM=1173dd01762e28710235491a8a2c3b786bf2848ca672b7d104ee870cdafd334b +SOURCE_SUM_PRG=sha256sum +SOURCE_FORMAT=tar.gz +SOURCE_IN_SUBDIR=true +SOURCE_FILENAME= +SOURCE_EXTRACT=true diff --git a/conf/armhf.src b/conf/armhf.src new file mode 100644 index 0000000..b421d41 --- /dev/null +++ b/conf/armhf.src @@ -0,0 +1,7 @@ +SOURCE_URL=https://github.com/ergochat/ergo/releases/download/v2.9.1/ergo-2.9.1-linux-armv6.tar.gz +SOURCE_SUM=384261cf506ee0ac561807d500c878d012cc7c5c45a3b9996013a58aa642542b +SOURCE_SUM_PRG=sha256sum +SOURCE_FORMAT=tar.gz +SOURCE_IN_SUBDIR=true +SOURCE_FILENAME= +SOURCE_EXTRACT=true diff --git a/conf/default.yaml b/conf/default.yaml new file mode 100644 index 0000000..0041605 --- /dev/null +++ b/conf/default.yaml @@ -0,0 +1,992 @@ +# This is the default config file for Ergo. +# It contains recommended defaults for all settings, including some behaviors +# that differ from conventional ircd+services setups. See traditional.yaml +# for a config with more "mainstream" behavior. +# +# If you are setting up a new Ergo server, you should copy this file +# to a new one named 'ircd.yaml', then look through the file to see which +# settings you want to customize. If you don't understand a setting, or +# aren't sure what behavior you want, most of the defaults are fine +# to start with (you can change them later, even on a running server). +# However, there are a few that you should probably change up front: +# 1. network.name (a human-readable name that identifies your network, +# no spaces or special characters) and server.name (consider using the +# domain name of your server) +# 2. if you have valid TLS certificates (for example, from letsencrypt.org), +# you should enable them in server.listeners in place of the default +# self-signed certificates +# 3. the operator password in the 'opers' section +# 4. by default, message history is enabled, using in-memory history storage +# and with messages expiring after 7 days. depending on your needs, you may +# want to disable history entirely, remove the expiration time, switch to +# persistent history stored in MySQL, or do something else entirely. See +# the 'history' section of the config. + +# network configuration +network: + # name of the network + name: ErgoTest + +# server configuration +server: + # server name + name: ergo.test + + # addresses to listen on + listeners: + # The standard plaintext port for IRC is 6667. Allowing plaintext over the + # public Internet poses serious security and privacy issues. Accordingly, + # we recommend using plaintext only on local (loopback) interfaces: + "127.0.0.1:6667": # (loopback ipv4, localhost-only) + "[::1]:6667": # (loopback ipv6, localhost-only) + # If you need to serve plaintext on public interfaces, comment out the above + # two lines and uncomment the line below (which listens on all interfaces): + # ":6667": + # Alternately, if you have a TLS certificate issued by a recognized CA, + # you can configure port 6667 as an STS-only listener that only serves + # "redirects" to the TLS port, but doesn't allow chat. See the manual + # for details. + + # The standard SSL/TLS port for IRC is 6697. This will listen on all interfaces: + ":6697": + # this is a standard TLS configuration with a single certificate; + # see the manual for instructions on how to configure SNI + tls: + cert: "/etc/yunohost/certs/__DOMAIN__/crt.pem" + key: "/etc/yunohost/certs/__DOMAIN__/key.pem" + # 'proxy' should typically be false. It's for cloud load balancers that + # always send a PROXY protocol header ahead of the connection. See the + # manual ("Reverse proxies") for more details. + proxy: false + # set the minimum TLS version: + min-tls-version: 1.2 + + # Example of a Unix domain socket for proxying: + # "/tmp/ergo_sock": + + # Example of a Tor listener: any connection that comes in on this listener will + # be considered a Tor connection. It is strongly recommended that this listener + # *not* be on a public interface --- it should be on 127.0.0.0/8 or unix domain: + # "/hidden_service_sockets/ergo_tor_sock": + # tor: true + + # Example of a WebSocket listener: + # ":8097": + # websocket: true + # tls: + # cert: fullchain.pem + # key: privkey.pem + + # sets the permissions for Unix listen sockets. on a typical Linux system, + # the default is 0775 or 0755, which prevents other users/groups from connecting + # to the socket. With 0777, it behaves like a normal TCP socket + # where anyone can connect. + unix-bind-mode: 0777 + + # configure the behavior of Tor listeners (ignored if you didn't enable any): + tor-listeners: + # if this is true, connections from Tor must authenticate with SASL + require-sasl: true + + # what hostname should be displayed for Tor connections? + vhost: "tor-network.onion" + + # allow at most this many connections at once (0 for no limit): + max-connections: 64 + + # connection throttling (limit how many connection attempts are allowed at once): + throttle-duration: 10m + # set to 0 to disable throttling: + max-connections-per-duration: 64 + + # strict transport security, to get clients to automagically use TLS + sts: + # whether to advertise STS + # + # to stop advertising STS, leave this enabled and set 'duration' below to "0". this will + # advertise to connecting users that the STS policy they have saved is no longer valid + enabled: false + + # how long clients should be forced to use TLS for. + # setting this to a too-long time will mean bad things if you later remove your TLS. + # the default duration below is 1 month, 2 days and 5 minutes. + duration: 1mo2d5m + + # tls port - you should be listening on this port above + port: 6697 + + # should clients include this STS policy when they ship their inbuilt preload lists? + preload: false + + websockets: + # Restrict the origin of WebSocket connections by matching the "Origin" HTTP + # header. This setting causes ergo to reject websocket connections unless + # they originate from a page on one of the whitelisted websites in this list. + # This prevents malicious websites from making their visitors connect to your + # ergo instance without their knowledge. An empty list means there are no + # restrictions. + allowed-origins: + # - "https://ergo.chat" + # - "https://*.ergo.chat" + + # casemapping controls what kinds of strings are permitted as identifiers (nicknames, + # channel names, account names, etc.), and how they are normalized for case. + # with the recommended default of 'precis', UTF8 identifiers that are "sane" + # (according to RFC 8265) are allowed, and the server additionally tries to protect + # against confusable characters ("homoglyph attacks"). + # the other options are 'ascii' (traditional ASCII-only identifiers), and 'permissive', + # which allows identifiers to contain unusual characters like emoji, but makes users + # vulnerable to homoglyph attacks. unless you're really confident in your decision, + # we recommend leaving this value at its default (changing it once the network is + # already up and running is problematic). + casemapping: "precis" + + # enforce-utf8 controls whether the server will preemptively discard non-UTF8 + # messages (since they cannot be relayed to websocket clients), or will allow + # them and relay them to non-websocket clients (as in traditional IRC). + enforce-utf8: true + + # whether to look up user hostnames with reverse DNS. there are 3 possibilities: + # 1. lookup-hostnames enabled, IP cloaking disabled; users will see each other's hostnames + # 2. lookup-hostnames disabled, IP cloaking disabled; users will see each other's numeric IPs + # 3. [the default] IP cloaking enabled; users will see cloaked hostnames + lookup-hostnames: false + # whether to confirm hostname lookups using "forward-confirmed reverse DNS", i.e., for + # any hostname returned from reverse DNS, resolve it back to an IP address and reject it + # unless it matches the connecting IP + forward-confirm-hostnames: true + + # use ident protocol to get usernames + check-ident: false + + # ignore the supplied user/ident string from the USER command, always setting user/ident + # to the following literal value; this can potentially reduce confusion and simplify bans. + # the value must begin with a '~' character. comment out / omit to disable: + coerce-ident: '~u' + + # password to login to the server, generated using `ergo genpasswd`: + #password: "$2a$04$0123456789abcdef0123456789abcdef0123456789abcdef01234" + + # motd filename + # if you change the motd, you should move it to ircd.motd + motd: ergo.motd + + # motd formatting codes + # if this is true, the motd is escaped using formatting codes like $c, $b, and $i + motd-formatting: true + + # relaying using the RELAYMSG command + relaymsg: + # is relaymsg enabled at all? + enabled: true + + # which character(s) are reserved for relayed nicks? + separators: "/" + + # can channel operators use RELAYMSG in their channels? + # our implementation of RELAYMSG makes it safe for chanops to use without the + # possibility of real users being silently spoofed + available-to-chanops: true + + # IPs/CIDRs the PROXY command can be used from + # This should be restricted to localhost (127.0.0.1/8, ::1/128, and unix sockets). + # Unless you have a good reason. you should also add these addresses to the + # connection limits and throttling exemption lists. + proxy-allowed-from: + - localhost + # - "192.168.1.1" + # - "192.168.10.1/24" + + # controls the use of the WEBIRC command (by IRC<->web interfaces, bouncers and similar) + webirc: + # one webirc block -- should correspond to one set of gateways + - + # SHA-256 fingerprint of the TLS certificate the gateway must use to connect + # (comment this out to use passwords only) + certfp: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789" + + # password the gateway uses to connect, made with `ergo genpasswd` + password: "$2a$04$abcdef0123456789abcdef0123456789abcdef0123456789abcde" + + # IPs/CIDRs that can use this webirc command + # you should also add these addresses to the connection limits and throttling exemption lists + hosts: + - localhost + # - "192.168.1.1" + # - "192.168.10.1/24" + + # maximum length of clients' sendQ in bytes + # this should be big enough to hold bursts of channel/direct messages + max-sendq: 96k + + # compatibility with legacy clients + compatibility: + # many clients require that the final parameter of certain messages be an + # RFC1459 trailing parameter, i.e., prefixed with :, whether or not this is + # actually required. this forces Ergo to send those parameters + # as trailings. this is recommended unless you're testing clients for conformance; + # defaults to true when unset for that reason. + force-trailing: true + + # some clients (ZNC 1.6.x and lower, Pidgin 2.12 and lower) do not + # respond correctly to SASL messages with the server name as a prefix: + # https://github.com/znc/znc/issues/1212 + # this works around that bug, allowing them to use SASL. + send-unprefixed-sasl: true + + # traditionally, IRC servers will truncate and send messages that are + # too long to be relayed intact. this behavior can be disabled by setting + # allow-truncation to false, in which case Ergo will reject the message + # and return an error to the client. (note that this option defaults to true + # when unset.) + allow-truncation: false + + # IP-based DoS protection + ip-limits: + # whether to limit the total number of concurrent connections per IP/CIDR + count: true + # maximum concurrent connections per IP/CIDR + max-concurrent-connections: 16 + + # whether to restrict the rate of new connections per IP/CIDR + throttle: true + # how long to keep track of connections for + window: 10m + # maximum number of new connections per IP/CIDR within the given duration + max-connections-per-window: 32 + + # how wide the CIDR should be for IPv4 (a /32 is a fully specified IPv4 address) + cidr-len-ipv4: 32 + # how wide the CIDR should be for IPv6 (a /64 is the typical prefix assigned + # by an ISP to an individual customer for their LAN) + cidr-len-ipv6: 64 + + # IPs/networks which are exempted from connection limits + exempted: + - "localhost" + # - "192.168.1.1" + # - "2001:0db8::/32" + + # custom connection limits for certain IPs/networks. + custom-limits: + #"irccloud": + # nets: + # - "192.184.9.108" # highgate.irccloud.com + # - "192.184.9.110" # ealing.irccloud.com + # - "192.184.9.112" # charlton.irccloud.com + # - "192.184.10.118" # brockwell.irccloud.com + # - "192.184.10.9" # tooting.irccloud.com + # - "192.184.8.73" # hathersage.irccloud.com + # - "192.184.8.103" # stonehaven.irccloud.com + # - "5.254.36.57" # tinside.irccloud.com + # - "5.254.36.56/29" # additional ipv4 net + # - "2001:67c:2f08::/48" + # - "2a03:5180:f::/64" + # max-concurrent-connections: 2048 + # max-connections-per-window: 2048 + + # pluggable IP ban mechanism, via subprocess invocation + # this can be used to check new connections against a DNSBL, for example + # see the manual for details on how to write an IP ban checking script + ip-check-script: + enabled: false + command: "/usr/local/bin/check-ip-ban" + # constant list of args to pass to the command; the actual query + # and result are transmitted over stdin/stdout: + args: [] + # timeout for process execution, after which we send a SIGTERM: + timeout: 9s + # how long after the SIGTERM before we follow up with a SIGKILL: + kill-timeout: 1s + # how many scripts are allowed to run at once? 0 for no limit: + max-concurrency: 64 + # if true, only check anonymous connections (not logged into an account) + # at the very end of the handshake: + exempt-sasl: false + + # IP cloaking hides users' IP addresses from other users and from channel admins + # (but not from server admins), while still allowing channel admins to ban + # offending IP addresses or networks. In place of hostnames derived from reverse + # DNS, users see fake domain names like pwbs2ui4377257x8.irc. These names are + # generated deterministically from the underlying IP address, but if the underlying + # IP is not already known, it is infeasible to recover it from the cloaked name. + # If you disable this, you should probably enable lookup-hostnames in its place. + ip-cloaking: + # whether to enable IP cloaking + enabled: true + + # whether to use these cloak settings (specifically, `netname` and `num-bits`) + # to produce unique hostnames for always-on clients. you can enable this even if + # you disabled IP cloaking for normal clients above. if this is disabled, + # always-on clients will all have an identical hostname (the server name). + enabled-for-always-on: true + + # fake TLD at the end of the hostname, e.g., pwbs2ui4377257x8.irc + # you may want to use your network name here + netname: "irc" + + # the cloaked hostname is derived only from the CIDR (most significant bits + # of the IP address), up to a configurable number of bits. this is the + # granularity at which bans will take effect for IPv4. Note that changing + # this value will invalidate any stored bans. + cidr-len-ipv4: 32 + + # analogous granularity for IPv6 + cidr-len-ipv6: 64 + + # number of bits of hash output to include in the cloaked hostname. + # more bits means less likelihood of distinct IPs colliding, + # at the cost of a longer cloaked hostname. if this value is set to 0, + # all users will receive simply `netname` as their cloaked hostname. + num-bits: 64 + + # secure-nets identifies IPs and CIDRs which are secure at layer 3, + # for example, because they are on a trusted internal LAN or a VPN. + # plaintext connections from these IPs and CIDRs will be considered + # secure (clients will receive the +Z mode and be allowed to resume + # or reattach to secure connections). note that loopback IPs are always + # considered secure: + secure-nets: + # - "10.0.0.0/8" + + # Ergo will write files to disk under certain circumstances, e.g., + # CPU profiling or data export. by default, these files will be written + # to the working directory. set this to customize: + #output-path: "/home/ergo/out" + + # the hostname used by "services", e.g., NickServ, defaults to "localhost", + # e.g., `NickServ!NickServ@localhost`. uncomment this to override: + #override-services-hostname: "example.network" + + # in a "closed-loop" system where you control the server and all the clients, + # you may want to increase the maximum (non-tag) length of an IRC line from + # the default value of 512. DO NOT change this on a public server: + # max-line-len: 512 + + # send all 0's as the LUSERS (user counts) output to non-operators; potentially useful + # if you don't want to publicize how popular the server is + suppress-lusers: false + +# account options +accounts: + # is account authentication enabled, i.e., can users log into existing accounts? + authentication-enabled: true + + # account registration + registration: + # can users register new accounts for themselves? if this is false, operators with + # the `accreg` capability can still create accounts with `/NICKSERV SAREGISTER` + enabled: true + + # can users use the REGISTER command to register before fully connecting? + allow-before-connect: true + + # global throttle on new account creation + throttling: + enabled: true + # window + duration: 10m + # number of attempts allowed within the window + max-attempts: 30 + + # this is the bcrypt cost we'll use for account passwords + # (note that 4 is the lowest value allowed by the bcrypt library) + bcrypt-cost: 4 + + # length of time a user has to verify their account before it can be re-registered + verify-timeout: "32h" + + # options for email verification of account registrations + email-verification: + enabled: false + sender: "admin@my.network" + require-tls: true + helo-domain: "my.network" # defaults to server name if unset + # options to enable DKIM signing of outgoing emails (recommended, but + # requires creating a DNS entry for the public key): + # dkim: + # domain: "my.network" + # selector: "20200229" + # key-file: "dkim.pem" + # to use an MTA/smarthost instead of sending email directly: + # mta: + # server: localhost + # port: 25 + # username: "admin" + # password: "hunter2" + blacklist-regexes: + # - ".*@mailinator.com" + timeout: 60s + # email-based password reset: + password-reset: + enabled: false + # time before we allow resending the email + cooldown: 1h + # time for which a password reset code is valid + timeout: 1d + + # throttle account login attempts (to prevent either password guessing, or DoS + # attacks on the server aimed at forcing repeated expensive bcrypt computations) + login-throttling: + enabled: true + + # window + duration: 1m + + # number of attempts allowed within the window + max-attempts: 3 + + # some clients (notably Pidgin and Hexchat) offer only a single password field, + # which makes it impossible to specify a separate server password (for the PASS + # command) and SASL password. if this option is set to true, a client that + # successfully authenticates with SASL will not be required to send + # PASS as well, so it can be configured to authenticate with SASL only. + skip-server-password: false + + # enable login to accounts via the PASS command, e.g., PASS account:password + # this is useful for compatibility with old clients that don't support SASL + login-via-pass-command: true + + # require-sasl controls whether clients are required to have accounts + # (and sign into them using SASL) to connect to the server + require-sasl: + # if this is enabled, all clients must authenticate with SASL while connecting. + # WARNING: for a private server, you MUST set accounts.registration.enabled + # to false as well, in order to prevent non-administrators from registering + # accounts. + enabled: false + + # IPs/CIDRs which are exempted from the account requirement + exempted: + - "localhost" + # - '10.10.0.0/16' + + # nick-reservation controls how, and whether, nicknames are linked to accounts + nick-reservation: + # is there any enforcement of reserved nicknames? + enabled: true + + # how many nicknames, in addition to the account name, can be reserved? + # (note that additional nicks are unusable under force-nick-equals-account + # or if the client is always-on) + additional-nick-limit: 0 + + # method describes how nickname reservation is handled + # strict: users must already be logged in to their account (via + # SASL, PASS account:password, or /NickServ IDENTIFY) + # in order to use their reserved nickname(s) + # optional: no enforcement by default, but allow users to opt in to + # the enforcement level of their choice + method: strict + + # allow users to set their own nickname enforcement status, e.g., + # to opt out of strict enforcement + allow-custom-enforcement: false + + # format for guest nicknames: + # 1. these nicknames cannot be registered or reserved + # 2. if a client is automatically renamed by the server, + # this is the template that will be used (e.g., Guest-nccj6rgmt97cg) + # 3. if enforce-guest-format (see below) is enabled, clients without + # a registered account will have this template applied to their + # nicknames (e.g., 'katie' will become 'Guest-katie') + guest-nickname-format: "Guest-*" + + # when enabled, forces users not logged into an account to use + # a nickname matching the guest template. a caveat: this may prevent + # users from choosing nicknames in scripts different from the guest + # nickname format. + force-guest-format: false + + # when enabled, forces users logged into an account to use the + # account name as their nickname. when combined with strict nickname + # enforcement, this lets users treat nicknames and account names + # as equivalent for the purpose of ban/invite/exception lists. + force-nick-equals-account: true + + # parallel setting to force-nick-equals-account: if true, this forbids + # anonymous users (i.e., users not logged into an account) to change their + # nickname after the initial connection is complete + forbid-anonymous-nick-changes: false + + # multiclient controls whether Ergo allows multiple connections to + # attach to the same client/nickname identity; this is part of the + # functionality traditionally provided by a bouncer like ZNC + multiclient: + # when disabled, each connection must use a separate nickname (as is the + # typical behavior of IRC servers). when enabled, a new connection that + # has authenticated with SASL can associate itself with an existing + # client + enabled: true + + # if this is disabled, clients have to opt in to bouncer functionality + # using nickserv or the cap system. if it's enabled, they can opt out + # via nickserv + allowed-by-default: true + + # whether to allow clients that remain on the server even + # when they have no active connections. The possible values are: + # "disabled", "opt-in", "opt-out", or "mandatory". + always-on: "opt-in" + + # whether to mark always-on clients away when they have no active connections: + auto-away: "opt-in" + + # QUIT always-on clients from the server if they go this long without connecting + # (use 0 or omit for no expiration): + #always-on-expiration: 90d + + # vhosts controls the assignment of vhosts (strings displayed in place of the user's + # hostname/IP) by the HostServ service + vhosts: + # are vhosts enabled at all? + enabled: true + + # maximum length of a vhost + max-length: 64 + + # regexp for testing the validity of a vhost + # (make sure any changes you make here are RFC-compliant) + valid-regexp: '^[0-9A-Za-z.\-_/]+$' + + # modes that are set by default when a user connects + # if unset, no user modes will be set by default + # +i is invisible (a user's channels are hidden from whois replies) + # see /QUOTE HELP umodes for more user modes + default-user-modes: +i + + # pluggable authentication mechanism, via subprocess invocation + # see the manual for details on how to write an authentication plugin script + auth-script: + enabled: false + command: "__FINALPATH__/ergo-ldap" + # constant list of args to pass to the command; the actual authentication + # data is transmitted over stdin/stdout: + args: ["__FINALPATH__/ldap-config.yaml"] + # should we automatically create users if the plugin returns success? + autocreate: true + # timeout for process execution, after which we send a SIGTERM: + timeout: 9s + # how long after the SIGTERM before we follow up with a SIGKILL: + kill-timeout: 1s + # how many scripts are allowed to run at once? 0 for no limit: + max-concurrency: 64 + +# channel options +channels: + # modes that are set when new channels are created + # +n is no-external-messages, +t is op-only-topic, + # +C is no CTCPs (besides ACTION) + # see /QUOTE HELP cmodes for more channel modes + default-modes: +ntC + + # how many channels can a client be in at once? + max-channels-per-client: 100 + + # if this is true, new channels can only be created by operators with the + # `chanreg` operator capability + operator-only-creation: false + + # channel registration - requires an account + registration: + # can users register new channels? + enabled: true + + # restrict new channel registrations to operators only? + # (operators can then transfer channels to regular users using /CS TRANSFER) + operator-only: false + + # how many channels can each account register? + max-channels-per-account: 15 + + # as a crude countermeasure against spambots, anonymous connections younger + # than this value will get an empty response to /LIST (a time period of 0 disables) + list-delay: 0s + + # INVITE to an invite-only channel expires after this amount of time + # (0 or omit for no expiration): + invite-expiration: 24h + +# operator classes: +# an operator has a single "class" (defining a privilege level), which can include +# multiple "capabilities" (defining privileged actions they can take). all +# currently available operator capabilities are associated with either the +# 'chat-moderator' class (less privileged) or the 'server-admin' class (full +# privileges) below: you can mix and match to create new classes. +oper-classes: + # chat moderator: can ban/unban users from the server, join channels, + # fix mode issues and sort out vhosts. + "chat-moderator": + # title shown in WHOIS + title: Chat Moderator + + # capability names + capabilities: + - "kill" # disconnect user sessions + - "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line") + - "nofakelag" # remove "fakelag" restrictions on rate of message sending + - "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block) + - "vhosts" # add and remove vhosts from users + - "sajoin" # join arbitrary channels, including private channels + - "samode" # modify arbitrary channel and user modes + - "snomasks" # subscribe to arbitrary server notice masks + - "roleplay" # use the (deprecated) roleplay commands in any channel + + # server admin: has full control of the ircd, including nickname and + # channel registrations + "server-admin": + # title shown in WHOIS + title: Server Admin + + # oper class this extends from + extends: "chat-moderator" + + # capability names + capabilities: + - "rehash" # rehash the server, i.e. reload the config at runtime + - "accreg" # modify arbitrary account registrations + - "chanreg" # modify arbitrary channel registrations + - "history" # modify or delete history messages + - "defcon" # use the DEFCON command (restrict server capabilities) + - "massmessage" # message all users on the server + +# ircd operators +opers: + # default operator named 'admin'; log in with /OPER admin + admin: + # which capabilities this oper has access to + class: "server-admin" + + # traditionally, operator status is visible to unprivileged users in + # WHO and WHOIS responses. this can be disabled with 'hidden'. + hidden: true + + # custom whois line (if `hidden` is enabled, visible only to other operators) + whois-line: is the server administrator + + # custom hostname (ignored if `hidden` is enabled) + #vhost: "staff" + + # modes are modes to auto-set upon opering-up. uncomment this to automatically + # enable snomasks ("server notification masks" that alert you to server events; + # see `/quote help snomasks` while opered-up for more information): + #modes: +is acdjknoqtuxv + + # operators can be authenticated either by password (with the /OPER command), + # or by certificate fingerprint, or both. if a password hash is set, then a + # password is required to oper up (e.g., /OPER dan mypassword). to generate + # the hash, use `ergo genpasswd`. + password: "$2a$04$0123456789abcdef0123456789abcdef0123456789abcdef01234" + + # if a SHA-256 certificate fingerprint is configured here, then it will be + # required to /OPER. if you comment out the password hash above, then you can + # /OPER without a password. + #certfp: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789" + # if 'auto' is set (and no password hash is set), operator permissions will be + # granted automatically as soon as you connect with the right fingerprint. + #auto: true + + # example of a moderator named 'alice' + # (log in with /OPER alice ): + #alice: + # class: "chat-moderator" + # whois-line: "can help with moderation issues!" + # password: "$2a$04$0123456789abcdef0123456789abcdef0123456789abcdef01234" + +# logging, takes inspiration from Insp +logging: + - + # how to log these messages + # + # file log to a file + # stdout log to stdout + # stderr log to stderr + # (you can specify multiple methods, e.g., to log to both stderr and a file) + method: stderr + + # filename to log to, if file method is selected + # filename: ircd.log + + # type(s) of logs to keep here. you can use - to exclude those types + # + # exclusions take precedent over inclusions, so if you exclude a type it will NEVER + # be logged, even if you explicitly include it + # + # useful types include: + # * everything (usually used with exclusing some types below) + # server server startup, rehash, and shutdown events + # accounts account registration and authentication + # channels channel creation and operations + # opers oper actions, authentication, etc + # services actions related to NickServ, ChanServ, etc. + # internal unexpected runtime behavior, including potential bugs + # userinput raw lines sent by users + # useroutput raw lines sent to users + type: "* -userinput -useroutput" + + # one of: debug info warn error + level: info + #- + # # example of a file log that avoids logging IP addresses + # method: file + # filename: ircd.log + # type: "* -userinput -useroutput -connect-ip" + # level: debug + +# debug options +debug: + # when enabled, Ergo will attempt to recover from certain kinds of + # client-triggered runtime errors that would normally crash the server. + # this makes the server more resilient to DoS, but could result in incorrect + # behavior. deployments that would prefer to "start from scratch", e.g., by + # letting the process crash and auto-restarting it with systemd, can set + # this to false. + recover-from-errors: true + + # optionally expose a pprof http endpoint: https://golang.org/pkg/net/http/pprof/ + # it is strongly recommended that you don't expose this on a public interface; + # if you need to access it remotely, you can use an SSH tunnel. + # set to `null`, "", leave blank, or omit to disable + # pprof-listener: "localhost:6060" + +# lock file preventing multiple instances of Ergo from accidentally being +# started at once. comment out or set to the empty string ("") to disable. +# this path is relative to the working directory; if your datastore.path +# is absolute, you should use an absolute path here as well. +lock-file: "ircd.lock" + +# datastore configuration +datastore: + # path to the datastore + path: ircd.db + + # if the database schema requires an upgrade, `autoupgrade` will attempt to + # perform it automatically on startup. the database will be backed + # up, and if the upgrade fails, the original database will be restored. + autoupgrade: true + + # connection information for MySQL (currently only used for persistent history): + mysql: + enabled: false + host: "localhost" + port: 3306 + # if socket-path is set, it will be used instead of host:port + #socket-path: "/var/run/mysqld/mysqld.sock" + user: "ergo" + password: "hunter2" + history-database: "ergo_history" + timeout: 3s + max-conns: 4 + # this may be necessary to prevent middleware from closing your connections: + #conn-max-lifetime: 180s + +# languages config +languages: + # whether to load languages + enabled: true + + # default language to use for new clients + # 'en' is the default English language in the code + default: en + + # which directory contains our language files + path: languages + +# limits - these need to be the same across the network +limits: + # nicklen is the max nick length allowed + nicklen: 32 + + # identlen is the max ident length allowed + identlen: 20 + + # channellen is the max channel length allowed + channellen: 64 + + # awaylen is the maximum length of an away message + awaylen: 390 + + # kicklen is the maximum length of a kick message + kicklen: 390 + + # topiclen is the maximum length of a channel topic + topiclen: 390 + + # maximum number of monitor entries a client can have + monitor-entries: 100 + + # whowas entries to store + whowas-entries: 100 + + # maximum length of channel lists (beI modes) + chan-list-modes: 60 + + # maximum number of messages to accept during registration (prevents + # DoS / resource exhaustion attacks): + registration-messages: 1024 + + # message length limits for the new multiline cap + multiline: + max-bytes: 4096 # 0 means disabled + max-lines: 100 # 0 means no limit + +# fakelag: prevents clients from spamming commands too rapidly +fakelag: + # whether to enforce fakelag + enabled: true + + # time unit for counting command rates + window: 1s + + # clients can send this many commands without fakelag being imposed + burst-limit: 5 + + # once clients have exceeded their burst allowance, they can send only + # this many commands per `window`: + messages-per-window: 2 + + # client status resets to the default state if they go this long without + # sending any commands: + cooldown: 2s + +# the roleplay commands are semi-standardized extensions to IRC that allow +# sending and receiving messages from pseudo-nicknames. this can be used either +# for actual roleplaying, or for bridging IRC with other protocols. +roleplay: + # are roleplay commands enabled at all? (channels and clients still have to + # opt in individually with the +E mode) + enabled: false + + # require the "roleplay" oper capability to send roleplay messages? + require-oper: false + + # require channel operator permissions to send roleplay messages? + require-chanops: false + + # add the real nickname, in parentheses, to the end of every roleplay message? + add-suffix: true + +# external services can integrate with the ircd using JSON Web Tokens (https://jwt.io). +# in effect, the server can sign a token attesting that the client is present on +# the server, is a member of a particular channel, etc. +extjwt: + # # default service config (for `EXTJWT #channel`). + # # expiration time for the token: + # expiration: 45s + # # you can configure tokens to be signed either with HMAC and a symmetric secret: + # secret: "65PHvk0K1_sM-raTsCEhatVkER_QD8a0zVV8gG2EWcI" + # # or with an RSA private key: + # #rsa-private-key-file: "extjwt.pem" + + # # named services (for `EXTJWT #channel service_name`): + # services: + # "jitsi": + # expiration: 30s + # secret: "qmamLKDuOzIzlO8XqsGGewei_At11lewh6jtKfSTbkg" + +# history message storage: this is used by CHATHISTORY, HISTORY, znc.in/playback, +# various autoreplay features, and the resume extension +history: + # should we store messages for later playback? + # by default, messages are stored in RAM only; they do not persist + # across server restarts. however, you may want to understand how message + # history interacts with the GDPR and/or any data privacy laws that apply + # in your country and the countries of your users. + enabled: true + + # how many channel-specific events (messages, joins, parts) should be tracked per channel? + channel-length: 2048 + + # how many direct messages and notices should be tracked per user? + client-length: 256 + + # how long should we try to preserve messages? + # if `autoresize-window` is 0, the in-memory message buffers are preallocated to + # their maximum length. if it is nonzero, the buffers are initially small and + # are dynamically expanded up to the maximum length. if the buffer is full + # and the oldest message is older than `autoresize-window`, then it will overwrite + # the oldest message rather than resize; otherwise, it will expand if possible. + autoresize-window: 3d + + # number of messages to automatically play back on channel join (0 to disable): + autoreplay-on-join: 0 + + # maximum number of CHATHISTORY messages that can be + # requested at once (0 disables support for CHATHISTORY) + chathistory-maxmessages: 1000 + + # maximum number of messages that can be replayed at once during znc emulation + # (znc.in/playback, or automatic replay on initial reattach to a persistent client): + znc-maxmessages: 2048 + + # options to delete old messages, or prevent them from being retrieved + restrictions: + # if this is set, messages older than this cannot be retrieved by anyone + # (and will eventually be deleted from persistent storage, if that's enabled) + expire-time: 1w + + # this restricts access to channel history (it can be overridden by channel + # owners). options are: 'none' (no restrictions), 'registration-time' + # (logged-in users cannot retrieve messages older than their account + # registration date, and anonymous users cannot retrieve messages older than + # their sign-on time, modulo the grace-period described below), and + # 'join-time' (users cannot retrieve messages older than the time they + # joined the channel, so only always-on clients can view history). + query-cutoff: 'none' + + # if query-cutoff is set to 'registration-time', this allows retrieval + # of messages that are up to 'grace-period' older than the above cutoff. + # if you use 'registration-time', this is recommended to allow logged-out + # users to query history after disconnections. + grace-period: 1h + + # options to store history messages in a persistent database (currently only MySQL). + # in order to enable any of this functionality, you must configure a MySQL server + # in the `datastore.mysql` section. + persistent: + enabled: false + + # store unregistered channel messages in the persistent database? + unregistered-channels: false + + # for a registered channel, the channel owner can potentially customize + # the history storage setting. as the server operator, your options are + # 'disabled' (no persistent storage, regardless of per-channel setting), + # 'opt-in', 'opt-out', and 'mandatory' (force persistent storage, ignoring + # per-channel setting): + registered-channels: "opt-out" + + # direct messages are only stored in the database for logged-in clients; + # you can control how they are stored here (same options as above). + # if you enable this, strict nickname reservation is strongly recommended + # as well. + direct-messages: "opt-out" + + # options to control how messages are stored and deleted: + retention: + # allow users to delete their own messages from history? + allow-individual-delete: false + + # if persistent history is enabled, create additional index tables, + # allowing deletion of JSON export of an account's messages. this + # may be needed for compliance with data privacy regulations. + enable-account-indexing: false + + # options to control storage of TAGMSG + tagmsg-storage: + # by default, should TAGMSG be stored? + default: false + + # if `default` is false, store TAGMSG containing any of these tags: + whitelist: + - "+draft/react" + - "+react" + + # if `default` is true, don't store TAGMSG containing any of these tags: + #blacklist: + # - "+draft/typing" + # - "typing" + +# whether to allow customization of the config at runtime using environment variables, +# e.g., ERGO__SERVER__MAX_SENDQ=128k. see the manual for more details. +allow-environment-overrides: true diff --git a/conf/ldap-config.yaml b/conf/ldap-config.yaml new file mode 100644 index 0000000..2398b25 --- /dev/null +++ b/conf/ldap-config.yaml @@ -0,0 +1,37 @@ +# this is an example config for the ergo-ldap plugin. +# consult the grafana docs for details on how to configure this: +# https://grafana.com/docs/grafana/latest/auth/ldap/ +# XXX: where grafana uses underscores in key names, we use hyphens + +# example configuration that works with Forum Systems's testing server: +# https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ +host: "ldap.forumsys.com" +port: 389 +timeout: 30s +# uncomment for TLS: +# use-ssl: true + +# example "single-bind" configuration, where we bind directly to the user's entry: +bind-dn: "uid=%s,dc=example,dc=com" + +# example "admin bind" configuration, where we bind to an initial admin user, +# then search for the user's entry with a search filter: +#search-base-dns: +# - "dc=example,dc=com" +#bind-dn: "cn=read-only-admin,dc=example,dc=com" +#bind-password: "password" +#search-filter: "(uid=%s)" + +# example of requiring that users be in a particular group +# (note that this is an OR over the listed groups, not an AND): +#require-groups: +# - "ou=mathematicians,dc=example,dc=com" +#group-search-filter-user-attribute: "dn" +#group-search-filter: "(uniqueMember=%s)" +#group-search-base-dns: +# - "dc=example,dc=com" + +# example of group membership testing via user attributes, as in AD +# or with OpenLDAP's "memberOf overlay" (overrides group-search-filter): +# attributes: +# member-of: "memberOf" \ No newline at end of file diff --git a/conf/ldap.src b/conf/ldap.src new file mode 100644 index 0000000..e69de29 diff --git a/conf/nginx.conf b/conf/nginx.conf new file mode 100644 index 0000000..a03bd49 --- /dev/null +++ b/conf/nginx.conf @@ -0,0 +1,15 @@ +#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; +location __PATH__/ { + + proxy_pass https://127.0.0.1:__PORT__; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; +} diff --git a/conf/systemd.service b/conf/systemd.service new file mode 100644 index 0000000..e116b8d --- /dev/null +++ b/conf/systemd.service @@ -0,0 +1,45 @@ +[Unit] +Description=ergo +After=network.target + +[Service] +Type=simple +User=__APP__ +Group=__APP__ +WorkingDirectory=__FINALPATH__/ +ExecStart=__FINALPATH__/ergo run --conf __FINALPATH__//ircd.yaml +StandardOutput=append:/var/log/__APP__/__APP__.log +StandardError=inherit + +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + +[Install] +WantedBy=multi-user.target diff --git a/config_panel.toml.example b/config_panel.toml.example new file mode 100644 index 0000000..c6bccd8 --- /dev/null +++ b/config_panel.toml.example @@ -0,0 +1,295 @@ + +## Config panel are available from webadmin > Apps > YOUR_APP > Config Panel Button +## Those panels let user configure some params on their apps using a friendly interface, +## and remove the need to manually edit files from the command line. + +## From a packager perspective, this .toml is coupled to the scripts/config script, +## which may be used to define custom getters/setters. However, most use cases +## should be covered automagically by the core, thus it may not be necessary +## to define a scripts/config at all! + +## ----------------------------------------------------------------------------- +## IMPORTANT: In accordance with YunoHost's spirit, please keep things simple and +## do not overwhelm the admin with tons of misunderstandable or advanced settings. +## ----------------------------------------------------------------------------- + +## The top level describe the entire config panels screen. + +## The version is a required property. +## Here a small reminder to associate config panel version with YunoHost version +## | Config | YNH | Config panel small change log | +## | ------ | --- | ------------------------------------------------------- | +## | 0.1 | 3.x | 0.1 config script not compatible with YNH >= 4.3 | +## | 1.0 | 4.3.x | The new config panel system with 'bind' property | +version = "1.0" + +## (optional) i18n property let you internationalize questions, however this feature +## is only available in core configuration panel (like yunohost domain config). +## So in app config panel this key is ignored for now, but you can internationalize +## by using a lang dictionary (see property name bellow) +# i18n = "prefix_translation_key" + +################################################################################ +#### ABOUT PANELS +################################################################################ + +## The next level describes web admin panels +## You have to choose an ID for each panel, in this example the ID is "main" +## Keep in mind this ID will be used in CLI to refer to your question, so choose +## something short and meaningfull. +## In the webadmin, each panel corresponds to a distinct tab / form +[main] + +## Define the label for your panel +## Internationalization works similarly to the 'description' and 'ask' questions in the manifest +# name.en = "Main configuration" +# name.fr = "Configuration principale" + +## (optional) If you need to trigger a service reload-or-restart after the user +## change a question in this panel, you can add your service in the list. +services = ["__APP__"] +# or services = ["nginx", "__APP__"] to also reload-or-restart nginx + +## (optional) This help properties is a short help displayed on the same line +## than the panel title but not displayed in the tab. +# help = "" + + ############################################################################ + #### ABOUT SECTIONS + ############################################################################ + + ## A panel is composed of one or several sections. + ## + ## Sections are meant to group questions together when they correspond to + ## a same subtopic. This impacts the rendering in terms of CLI prompts + ## and HTML forms + ## + ## You should choose an ID for your section, and prefix it with the panel ID + ## (Be sure to not make a typo in the panel ID, which would implicitly create + ## an other entire panel) + ## + ## We use the context of pepettes_ynh as an example, + ## which is a simple donation form app written in python, + ## and for which the admin will want to edit the configuration + [main.customization] + + ## (optional) Defining a proper title for sections is not mandatory + ## and depends on the exact rendering you're aiming for the CLI / webadmin + name = "" + + ## (optional) This help properties is a short help displayed on the same line + ## than the section title, meant to provide additional details + # help = "" + + ## (optional) As for panel, you can specify to trigger a service + ## reload-or-restart after the user change a question in this section. + ## This property is added to the panel property, it doesn't deactivate it. + ## So no need to replicate, the service list from panel services property. + # services = [] + + ## (optional) By default all questions are optionals, but you can specify a + ## default behaviour for question in the section + optional = false + + ## (optional) It's also possible with the 'visible' property to only + ## display the section depending on the user's answers to previous questions. + ## + ## Be careful that the 'visible' property should only refer to **previous** questions + ## Hence, it should not make sense to have a "visible" property on the very first section. + ## + ## Also, keep in mind that this feature only works in the webadmin and not in CLI + ## (therefore a user could be prompted in CLI for a question that may not be relevant) + # visible = true + + ######################################################################## + #### ABOUT QUESTIONS + ######################################################################## + + ## A section is compound of one or several questions. + + ## --------------------------------------------------------------------- + ## IMPORTANT: as for panel and section you have to choose an ID, but this + ## one should be unique in all this document, even if the question is in + ## an other panel. + ## --------------------------------------------------------------------- + + ## You can use same questions types and properties than in manifest.yml + ## install part. However, in YNH 4.3, a lot of change has been made to + ## extend availables questions types list. + ## See: TODO DOC LINK + + [main.customization.project_name] + + ## (required) The ask property is equivalent to the ask property in + ## the manifest. However, in config panels, questions are displayed on the + ## left side and therefore have less space to be rendered. Therefore, + ## it is better to use a short question, and use the "help" property to + ## provide additional details if necessary. + ask.en = "Name of the project" + + ## (required) The type property indicates how the question should be + ## displayed, validated and managed. Some types have specific properties. + ## + ## Types available: string, boolean, number, range, text, password, path + ## email, url, date, time, color, select, domain, user, tags, file. + ## + ## For a complete list with specific properties, see: TODO DOC LINK + type = "string" + + ######################################################################## + #### ABOUT THE BIND PROPERTY + ######################################################################## + + ## (recommended) 'bind' property is a powerful feature that let you + ## configure how and where the data will be read, validated and written. + + ## By default, 'bind property is in "settings" mode, it means it will + ## **only** read and write the value in application settings file. + ## bind = "settings" + + ## However, settings usually correspond to key/values in actual app configurations + ## Hence, a more useful mode is to have bind = ":FILENAME". In that case, YunoHost + ## will automagically find a line with "KEY=VALUE" in FILENAME + ## (with the adequate separator between KEY and VALUE) + ## + ## YunoHost will then use this value for the read/get operation. + ## During write/set operations, YunoHost will overwrite the value + ## in **both** FILENAME and in the app's settings.yml + + ## Configuration file format supported: yaml, toml, json, ini, env, php, + ## python. The feature probably works with others formats, but should be tested carefully. + + ## Note that this feature only works with relatively simple cases + ## such as `KEY: VALUE`, but won't properly work with + ## complex data structures like multilin array/lists or dictionnaries. + ## It also doesn't work with XML format, custom config function call, php define(), ... + + ## More info on TODO + # bind = ":/var/www/__APP__/settings.py" + + + ## By default, bind = ":FILENAME" will use the question ID as KEY + ## ... but the question ID may sometime not be the exact KEY name in the configuration file. + ## + ## In particular, in pepettes, the python variable is 'name' and not 'project_name' + ## (c.f. https://github.com/YunoHost-Apps/pepettes_ynh/blob/5cc2d3ffd6529cc7356ff93af92dbb6785c3ab9a/conf/settings.py##L11 ) + ## + ## In that case, the key name can be specified before the column ':' + + bind = "name:/var/www/__APP__/settings.py" + + ## --------------------------------------------------------------------- + ## IMPORTANT: other 'bind' mode exists: + ## + ## bind = "FILENAME" (with no column character before FILENAME) + ## may be used to bind to the **entire file content** (instead of a single KEY/VALUE) + ## This could be used to expose an entire configuration file, or binary files such as images + ## For example: + ## bind = "/var/www/__APP__/img/logo.png" + ## + ## bind = "null" can be used to disable reading / writing in settings. + ## This creates sort of a "virtual" or "ephemeral" question which is not related to any actual setting + ## In this mode, you are expected to define custom getter/setters/validators in scripts/config: + ## + ## getter: get__QUESTIONID() + ## setter: set__QUESTIONID() + ## validator: validate__QUESTIONID() + ## + ## You can also specify a common getter / setter / validator, with the + ## function 'bind' mode, for example here it will try to run + ## get__array_settings() first. + # bind = "array_settings()" + ## --------------------------------------------------------------------- + + ## --------------------------------------------------------------------- + ## IMPORTANT: with the exception of bind=null questions, + ## question IDs should almost **always** correspond to an app setting + ## initialized / reused during install/upgrade. + ## Not doing so may result in inconsistencies between the config panel mechanism + ## and the use of ynh_add_config + ## --------------------------------------------------------------------- + + ######################################################################## + #### OTHER GENERIC PROPERTY FOR QUESTIONS + ######################################################################## + + ## (optional) An help text for the question + help = "Fill the name of the project which will received donation" + + ## (optional) An example display as placeholder in web form + # example = "YunoHost" + + ## (optional) set to true in order to redact the value in operation logs + # redact = false + + ## (optional) A validation pattern + ## --------------------------------------------------------------------- + ## IMPORTANT: your pattern should be between simple quote, not double. + ## --------------------------------------------------------------------- + pattern.regexp = '^\w{3,30}$' + pattern.error = "The name should be at least 3 chars and less than 30 chars. Alphanumeric chars are accepted" + + ## Note: visible and optional properties are also available for questions + + + [main.customization.contact_url] + ask = "Contact url" + type = "url" + example = "mailto: contact@example.org" + help = "mailto: accepted" + pattern.regexp = '^mailto:[^@]+@[^@]+|https://$' + pattern.error = "Should be https or mailto:" + bind = ":/var/www/__APP__/settings.py" + + [main.customization.logo] + ask = "Logo" + type = "file" + accept = ".png" + help = "Fill with an already resized logo" + bind = "__FINALPATH__/img/logo.png" + + [main.customization.favicon] + ask = "Favicon" + type = "file" + accept = ".png" + help = "Fill with an already sized favicon" + bind = "__FINALPATH__/img/favicon.png" + + + [main.stripe] + name = "Stripe general info" + optional = false + + # The next alert is overwrited with a getter from the config script + [main.stripe.amount] + ask = "Donation in the month : XX € + type = "alert" + style = "success" + + [main.stripe.publishable_key] + ask = "Publishable key" + type = "string" + redact = true + help = "Indicate here the stripe publishable key" + bind = ":/var/www/__APP__/settings.py" + + [main.stripe.secret_key] + ask = "Secret key" + type = "string" + redact = true + help = "Indicate here the stripe secret key" + bind = ":/var/www/__APP__/settings.py" + + [main.stripe.prices] + ask = "Prices ID" + type = "tags" + help = """\ + Indicates here the prices ID of donation products you created in stripe interfaces. \ + Go on [Stripe products](https://dashboard.stripe.com/products) to create those donation products. \ + Fill it tag with 'FREQUENCY/CURRENCY/PRICE_ID' \ + FREQUENCY: 'one_time' or 'recuring' \ + CURRENCY: 'EUR' or 'USD' \ + PRICE_ID: ID from stripe interfaces starting with 'price_' \ + """ + pattern.regexp = '^(one_time|recuring)/(EUR|USD)/price_.*$' + pattern.error = "Please respect the format describe in help text for each price ID" diff --git a/doc/.gitkeep b/doc/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md new file mode 100644 index 0000000..df5179c --- /dev/null +++ b/doc/DESCRIPTION.md @@ -0,0 +1,9 @@ +Ergo (formerly known as Oragono) is a modern IRC server written in Go. Its core design + +### Features + +- Being simple to set up and use +- Combining the features of an ircd, a services framework, and a bouncer (integrated account management, history storage, and bouncer functionality) +- Bleeding-edge IRCv3 support, suitable for use as an IRCv3 reference implementation +- High customizability via a rehashable (i.e., reloadable at runtime) YAML config + diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md new file mode 100644 index 0000000..aded581 --- /dev/null +++ b/doc/DISCLAIMER.md @@ -0,0 +1,12 @@ +* Any known limitations, constrains or stuff not working, such as (but not limited to): + * requiring a full dedicated domain ? + * architectures not supported ? + * not-working single-sign on or LDAP integration ? + * the app requires an important amount of RAM / disk / .. to install or to work properly + * etc... + +* Other infos that people should be aware of, such as: + * any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...) + * how to configure / administrate the application if it ain't obvious + * upgrade process / specificities / things to be aware of ? + * security considerations ? diff --git a/doc/screenshots/.gitkeep b/doc/screenshots/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/doc/screenshots/example.jpg b/doc/screenshots/example.jpg new file mode 100644 index 0000000..a1efa1a Binary files /dev/null and b/doc/screenshots/example.jpg differ diff --git a/manifest.json b/manifest.json new file mode 100644 index 0000000..a942c36 --- /dev/null +++ b/manifest.json @@ -0,0 +1,51 @@ +{ + "name": "Ergo", + "id": "ergo", + "packaging_format": 1, + "description": { + "en": "A modern IRC server (daemon/ircd) written in Go", + "fr": "A modern IRC server (daemon/ircd) written in Go" + }, + "version": "2.9.1~ynh1", + "url": "https://ergo.chat/", + "upstream": { + "license": "MIT", + "website": "https://ergo.chat/", + "demo": "https://testnet.ergo.chat/", + "admindoc": "https://github.com/ergochat/ergo/blob/stable/docs/MANUAL.md", + "userdoc": "https://github.com/ergochat/ergo/blob/stable/docs/USERGUIDE.md", + "code": "https://github.com/ergochat/ergo" + }, + "license": "MIT", + "maintainer": { + "name": "", + "email": "" + }, + "requirements": { + "yunohost": ">= 4.3.0" + }, + "multi_instance": true, + "services": [ + "nginx", + "mysql" + ], + "arguments": { + "install" : [ + { + "name": "domain", + "type": "domain" + }, + { + "name": "path", + "type": "path", + "example": "/ergo", + "default": "/ergo" + }, + { + "name": "is_public", + "type": "boolean", + "default": true + } + ] + } +} diff --git a/scripts/_common.sh b/scripts/_common.sh new file mode 100644 index 0000000..572cd27 --- /dev/null +++ b/scripts/_common.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +#================================================= +# COMMON VARIABLES +#================================================= + +# dependencies used by the app +#pkg_dependencies="deb1 deb2 php$YNH_DEFAULT_PHP_VERSION-deb1 php$YNH_DEFAULT_PHP_VERSION-deb2" + +#================================================= +# PERSONAL HELPERS +#================================================= + +#================================================= +# EXPERIMENTAL HELPERS +#================================================= + +#================================================= +# FUTURE OFFICIAL HELPERS +#================================================= diff --git a/scripts/backup b/scripts/backup new file mode 100755 index 0000000..563b8b2 --- /dev/null +++ b/scripts/backup @@ -0,0 +1,77 @@ +#!/bin/bash + +#================================================= +# GENERIC START +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +# Keep this path for calling _common.sh inside the execution's context of backup and restore scripts +source ../settings/scripts/_common.sh +source /usr/share/yunohost/helpers + +#================================================= +# MANAGE SCRIPT FAILURE +#================================================= + +ynh_clean_setup () { + ### Remove this function if there's nothing to clean before calling the remove script. + true +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + +#================================================= +# LOAD SETTINGS +#================================================= +ynh_print_info --message="Loading installation settings..." + +app=$YNH_APP_INSTANCE_NAME + +final_path=$(ynh_app_setting_get --app=$app --key=final_path) +domain=$(ynh_app_setting_get --app=$app --key=domain) +db_name=$(ynh_app_setting_get --app=$app --key=db_name) +datadir=$(ynh_app_setting_get --app=$app --key=datadir) + +#================================================= +# DECLARE DATA AND CONF FILES TO BACKUP +#================================================= +ynh_print_info --message="Declaring files to be backed up..." + +#================================================= +# BACKUP THE APP MAIN DIR +#================================================= + +ynh_backup --src_path="$final_path" + +#================================================= +# BACKUP THE DATA DIR +#================================================= + +ynh_backup --src_path="$datadir" --is_big + +#================================================= +# BACKUP THE NGINX CONFIGURATION +#================================================= + +ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" + +#================================================= +# SPECIFIC BACKUP +#================================================= +# BACKUP LOGROTATE +#================================================= + +ynh_backup --src_path="/etc/logrotate.d/$app" + +#================================================= +# BACKUP SYSTEMD +#================================================= + +ynh_backup --src_path="/etc/systemd/system/$app.service" + +#================================================= +# END OF SCRIPT +#================================================= + +ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." diff --git a/scripts/change_url b/scripts/change_url new file mode 100644 index 0000000..85f4573 --- /dev/null +++ b/scripts/change_url @@ -0,0 +1,124 @@ +#!/bin/bash + +#================================================= +# GENERIC STARTING +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source _common.sh +source /usr/share/yunohost/helpers + +#================================================= +# RETRIEVE ARGUMENTS +#================================================= + +old_domain=$YNH_APP_OLD_DOMAIN +old_path=$YNH_APP_OLD_PATH + +new_domain=$YNH_APP_NEW_DOMAIN +new_path=$YNH_APP_NEW_PATH + +app=$YNH_APP_INSTANCE_NAME + +#================================================= +# LOAD SETTINGS +#================================================= +ynh_script_progression --message="Loading installation settings..." --time --weight=1 + +# Needed for helper "ynh_add_nginx_config" +final_path=$(ynh_app_setting_get --app=$app --key=final_path) +port=$(ynh_app_setting_get --app=$app --key=port) + +#================================================= +# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP +#================================================= +ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --time --weight=1 + +# Backup the current version of the app +ynh_backup_before_upgrade +ynh_clean_setup () { + # Remove the new domain config file, the remove script won't do it as it doesn't know yet its location. + ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" + + # Restore it if the upgrade fails + ynh_restore_upgradebackup +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + +#================================================= +# CHECK WHICH PARTS SHOULD BE CHANGED +#================================================= + +change_domain=0 +if [ "$old_domain" != "$new_domain" ] +then + change_domain=1 +fi + +change_path=0 +if [ "$old_path" != "$new_path" ] +then + change_path=1 +fi + +#================================================= +# STANDARD MODIFICATIONS +#================================================= +# STOP SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Stopping a systemd service..." --time --weight=1 + +ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" + +#================================================= +# MODIFY URL IN NGINX CONF +#================================================= +ynh_script_progression --message="Updating NGINX web server configuration..." --time --weight=1 + +nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf + +# Change the path in the NGINX config file +if [ $change_path -eq 1 ] +then + # Make a backup of the original NGINX config file if modified + ynh_backup_if_checksum_is_different --file="$nginx_conf_path" + # Set global variables for NGINX helper + domain="$old_domain" + path_url="$new_path" + # Create a dedicated NGINX config + ynh_add_nginx_config +fi + +# Change the domain for NGINX +if [ $change_domain -eq 1 ] +then + # Delete file checksum for the old conf file location + ynh_delete_file_checksum --file="$nginx_conf_path" + mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf + # Store file checksum for the new config file location + ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" +fi + +#================================================= +# GENERIC FINALISATION +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --time --weight=1 + +ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" + +#================================================= +# RELOAD NGINX +#================================================= +ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1 + +ynh_systemd_action --service_name=nginx --action=reload + +#================================================= +# END OF SCRIPT +#================================================= + +ynh_script_progression --message="Change of URL completed for $app" --time --last diff --git a/scripts/config b/scripts/config new file mode 100644 index 0000000..b9e79f8 --- /dev/null +++ b/scripts/config @@ -0,0 +1,102 @@ +#!/bin/bash +# In simple cases, you don't need a config script. + +# With a simple config_panel.toml, you can write in the app settings, in the +# upstream config file or replace complete files (logo ...) and restart services. + +# The config scripts allows you to go further, to handle specific cases +# (validation of several interdependent fields, specific getter/setter for a value, +# display dynamic informations or choices, pre-loading of config type .cube... ). + +#================================================= +# GENERIC STARTING +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source /usr/share/yunohost/helpers + +ynh_abort_if_errors + +#================================================= +# RETRIEVE ARGUMENTS +#================================================= + +final_path=$(ynh_app_setting_get $app final_path) + +#================================================= +# SPECIFIC GETTERS FOR TOML SHORT KEY +#================================================= + +get__amount() { + # Here we can imagine to have an API call to stripe to know the amount of donation during a month + local amount = 200 + + # It's possible to change some properties of the question by overriding it: + if [ $amount -gt 100 ] + then + cat << EOF +style: success +value: $amount +ask: + en: A lot of donation this month: **$amount €** +EOF + else + cat << EOF +style: danger +value: $amount +ask: + en: Not so much donation this month: $amount € +EOF + fi +} + +get__prices() { + local prices = "$(grep "DONATION\['" "$final_path/settings.py" | sed -r "s@^DONATION\['([^']*)'\]\['([^']*)'\] = '([^']*)'@\1/\2/\3@g" | sed -z 's/\n/,/g;s/,$/\n/')" + if [ "$prices" == "," ]; + then + # Return YNH_NULL if you prefer to not return a value at all. + echo YNH_NULL + else + echo $prices + fi +} + + +#================================================= +# SPECIFIC VALIDATORS FOR TOML SHORT KEYS +#================================================= +validate__publishable_key() { + + # We can imagine here we test if the key is really a publisheable key + (is_secret_key $publishable_key) && + echo 'This key seems to be a secret key' +} + +#================================================= +# SPECIFIC SETTERS FOR TOML SHORT KEYS +#================================================= +set__prices() { + + #--------------------------------------------- + # IMPORTANT: setter are trigger only if a change is detected + #--------------------------------------------- + for price in $(echo $prices | sed "s/,/ /"); do + frequency=$(echo $price | cut -d/ -f1) + currency=$(echo $price | cut -d/ -f2) + price_id=$(echo $price | cut -d/ -f3) + sed "d/DONATION\['$frequency'\]\['$currency'\]" "$final_path/settings.py" + + echo "DONATION['$frequency']['$currency'] = '$price_id'" >> "$final_path/settings.py" + done + + #--------------------------------------------- + # IMPORTANT: to be able to upgrade properly, you have to saved the value in settings too + #--------------------------------------------- + ynh_app_setting_set $app prices $prices +} + +#================================================= +# GENERIC FINALIZATION +#================================================= +ynh_app_config_run $1 diff --git a/scripts/install b/scripts/install new file mode 100755 index 0000000..09249b8 --- /dev/null +++ b/scripts/install @@ -0,0 +1,167 @@ +#!/bin/bash + +#================================================= +# GENERIC START +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source _common.sh +source /usr/share/yunohost/helpers + +#================================================= +# MANAGE SCRIPT FAILURE +#================================================= + +ynh_clean_setup () { + ### Remove this function if there's nothing to clean before calling the remove script. + true +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + +#================================================= +# RETRIEVE ARGUMENTS FROM THE MANIFEST +#================================================= + +domain=$YNH_APP_ARG_DOMAIN +path_url=$YNH_APP_ARG_PATH +is_public=$YNH_APP_ARG_IS_PUBLIC + +app=$YNH_APP_INSTANCE_NAME + +#================================================= +# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS +#================================================= +ynh_script_progression --message="Validating installation parameters..." --time --weight=1 + +final_path=/var/www/$app +test ! -e "$final_path" || ynh_die --message="This path already contains a folder" + +# Register (book) web path +ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url + +#================================================= +# STORE SETTINGS FROM MANIFEST +#================================================= +ynh_script_progression --message="Storing installation settings..." --time --weight=1 + +ynh_app_setting_set --app=$app --key=domain --value=$domain +ynh_app_setting_set --app=$app --key=path --value=$path_url + +#================================================= +# STANDARD MODIFICATIONS +#================================================= +# FIND AND OPEN A PORT +#================================================= +ynh_script_progression --message="Finding an available port..." --time --weight=1 + +# Find an available port +port=$(ynh_find_port --port=6667) +ynh_app_setting_set --app=$app --key=port --value=$port + +#================================================= +# INSTALL DEPENDENCIES +#================================================= +# ynh_script_progression --message="Installing dependencies..." --time --weight=1 + +# ynh_install_app_dependencies $pkg_dependencies + +#================================================= +# CREATE DEDICATED USER +#================================================= +ynh_script_progression --message="Configuring system user..." --time --weight=1 + +# Create a system user +ynh_system_user_create --username=$app --home_dir="$final_path" + +#================================================= +# DOWNLOAD, CHECK AND UNPACK SOURCE +#================================================= +ynh_script_progression --message="Setting up source files..." --time --weight=1 + +ynh_app_setting_set --app=$app --key=final_path --value=$final_path +# Download, check integrity, uncompress and patch the source from app.src +ynh_setup_source --dest_dir="$final_path" --source_id=$YNH_ARCH + +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" + +#================================================= +# NGINX CONFIGURATION +#================================================= +ynh_script_progression --message="Configuring NGINX web server..." --time --weight=1 + +# Create a dedicated NGINX config +ynh_add_nginx_config + +#================================================= +# ADD A CONFIGURATION +#================================================= +ynh_script_progression --message="Adding a configuration file..." --time --weight=1 + +ynh_add_config --template="../conf/default.yaml" --destination="$final_path/ircd.yaml" +ynh_add_config --template="../conf/ldap-config.yaml" --destination="$final_path/ldap-config.yaml" + +chmod 400 "$final_path/ircd.yaml" +chown $app:$app "$final_path/ircd.yaml" + +#================================================= +# SETUP SYSTEMD +#================================================= +ynh_script_progression --message="Configuring a systemd service..." --time --weight=1 + +# Create a dedicated systemd config +ynh_add_systemd_config + +#================================================= +# GENERIC FINALIZATION +#================================================= +# SETUP LOGROTATE +#================================================= +ynh_script_progression --message="Configuring log rotation..." --time --weight=1 + +# Use logrotate to manage application logfile(s) +ynh_use_logrotate + +#================================================= +# INTEGRATE SERVICE IN YUNOHOST +#================================================= +ynh_script_progression --message="Integrating service in YunoHost..." --time --weight=1 + +yunohost service add $app --description="A modern IRC server" --log="/var/log/$app/$app.log" + +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --time --weight=1 + +# Start a systemd service +ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" + +#================================================= +# SETUP SSOWAT +#================================================= +ynh_script_progression --message="Configuring permissions..." --time --weight=1 + +# Make app public if necessary +if [ $is_public -eq 1 ] +then + # Everyone can access the app. + # The "main" permission is automatically created before the install script. + ynh_permission_update --permission="main" --add="visitors" +fi + +#================================================= +# RELOAD NGINX +#================================================= +ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1 + +ynh_systemd_action --service_name=nginx --action=reload + +#================================================= +# END OF SCRIPT +#================================================= + +ynh_script_progression --message="Installation of $app completed" --time --last diff --git a/scripts/remove b/scripts/remove new file mode 100755 index 0000000..6d900f3 --- /dev/null +++ b/scripts/remove @@ -0,0 +1,90 @@ +#!/bin/bash + +#================================================= +# GENERIC START +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source _common.sh +source /usr/share/yunohost/helpers + +#================================================= +# LOAD SETTINGS +#================================================= +ynh_script_progression --message="Loading installation settings..." --time --weight=1 + +app=$YNH_APP_INSTANCE_NAME + +domain=$(ynh_app_setting_get --app=$app --key=domain) +port=$(ynh_app_setting_get --app=$app --key=port) +final_path=$(ynh_app_setting_get --app=$app --key=final_path) + +#================================================= +# STANDARD REMOVE +#================================================= +# REMOVE SERVICE INTEGRATION IN YUNOHOST +#================================================= + +# Remove the service from the list of services known by YunoHost (added from `yunohost service add`) +if ynh_exec_warn_less yunohost service status $app >/dev/null +then + ynh_script_progression --message="Removing $app service integration..." --time --weight=1 + yunohost service remove $app +fi + +#================================================= +# STOP AND REMOVE SERVICE +#================================================= +ynh_script_progression --message="Stopping and removing the systemd service..." --time --weight=1 + +# Remove the dedicated systemd config +ynh_remove_systemd_config + +#================================================= +# REMOVE LOGROTATE CONFIGURATION +#================================================= +ynh_script_progression --message="Removing logrotate configuration..." --time --weight=1 + +# Remove the app-specific logrotate config +ynh_remove_logrotate + +#================================================= +# REMOVE APP MAIN DIR +#================================================= +ynh_script_progression --message="Removing app main directory..." --time --weight=1 + +# Remove the app directory securely +ynh_secure_remove --file="$final_path" + +#================================================= +# REMOVE NGINX CONFIGURATION +#================================================= +ynh_script_progression --message="Removing NGINX web server configuration..." --time --weight=1 + +# Remove the dedicated NGINX config +ynh_remove_nginx_config + +#================================================= +# REMOVE DEPENDENCIES +#================================================= +#ynh_script_progression --message="Removing dependencies..." --time --weight=1 + +# Remove metapackage and its dependencies +#ynh_remove_app_dependencies + +#================================================= +# GENERIC FINALIZATION +#================================================= +# REMOVE DEDICATED USER +#================================================= +ynh_script_progression --message="Removing the dedicated system user..." --time --weight=1 + +# Delete a system user +ynh_system_user_delete --username=$app + +#================================================= +# END OF SCRIPT +#================================================= + +ynh_script_progression --message="Removal of $app completed" --time --last diff --git a/scripts/restore b/scripts/restore new file mode 100755 index 0000000..4e4651e --- /dev/null +++ b/scripts/restore @@ -0,0 +1,123 @@ +#!/bin/bash + +#================================================= +# GENERIC START +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +# Keep this path for calling _common.sh inside the execution's context of backup and restore scripts +source ../settings/scripts/_common.sh +source /usr/share/yunohost/helpers + +#================================================= +# MANAGE SCRIPT FAILURE +#================================================= + +ynh_clean_setup () { + #### Remove this function if there's nothing to clean before calling the remove script. + true +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + +#================================================= +# LOAD SETTINGS +#================================================= +ynh_script_progression --message="Loading installation settings..." --time --weight=1 + +app=$YNH_APP_INSTANCE_NAME + +domain=$(ynh_app_setting_get --app=$app --key=domain) +path_url=$(ynh_app_setting_get --app=$app --key=path) +final_path=$(ynh_app_setting_get --app=$app --key=final_path) + +#================================================= +# CHECK IF THE APP CAN BE RESTORED +#================================================= +ynh_script_progression --message="Validating restoration parameters..." --time --weight=1 + +test ! -d $final_path \ + || ynh_die --message="There is already a directory: $final_path " + +#================================================= +# STANDARD RESTORATION STEPS +#================================================= +# RESTORE THE NGINX CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the NGINX web server configuration..." --time --weight=1 + +ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" + +#================================================= +# RECREATE THE DEDICATED USER +#================================================= +ynh_script_progression --message="Recreating the dedicated system user..." --time --weight=1 + +# Create the dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" + +#================================================= +# RESTORE THE APP MAIN DIR +#================================================= +ynh_script_progression --message="Restoring the app main directory..." --time --weight=1 + +ynh_restore_file --origin_path="$final_path" + +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" + +#================================================= +# SPECIFIC RESTORATION +#================================================= +# REINSTALL DEPENDENCIES +#================================================= +ynh_script_progression --message="Reinstalling dependencies..." --time --weight=1 + +# Define and install dependencies +ynh_install_app_dependencies $pkg_dependencies + +#================================================= +# RESTORE SYSTEMD +#================================================= +ynh_script_progression --message="Restoring the systemd configuration..." --time --weight=1 + +ynh_restore_file --origin_path="/etc/systemd/system/$app.service" +systemctl enable $app.service --quiet + +#================================================= +# RESTORE THE LOGROTATE CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the logrotate configuration..." --time --weight=1 + +ynh_restore_file --origin_path="/etc/logrotate.d/$app" + +#================================================= +# INTEGRATE SERVICE IN YUNOHOST +#================================================= +ynh_script_progression --message="Integrating service in YunoHost..." --time --weight=1 + +yunohost service add $app --description="A modern IRC server" --log="/var/log/$app/$app.log" + +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --time --weight=1 + +ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" + +#================================================= +# GENERIC FINALIZATION +#================================================= +# RELOAD NGINX AND PHP-FPM +#================================================= +ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1 + +ynh_systemd_action --service_name=nginx --action=reload + +#================================================= +# END OF SCRIPT +#================================================= + +ynh_script_progression --message="Restoration completed for $app" --time --last diff --git a/scripts/upgrade b/scripts/upgrade new file mode 100644 index 0000000..43dbb64 --- /dev/null +++ b/scripts/upgrade @@ -0,0 +1,135 @@ +#!/bin/bash + +#================================================= +# GENERIC START +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source _common.sh +source /usr/share/yunohost/helpers + +#================================================= +# LOAD SETTINGS +#================================================= +ynh_script_progression --message="Loading installation settings..." --time --weight=1 + +app=$YNH_APP_INSTANCE_NAME + +domain=$(ynh_app_setting_get --app=$app --key=domain) +path_url=$(ynh_app_setting_get --app=$app --key=path) +final_path=$(ynh_app_setting_get --app=$app --key=final_path) +port=$(ynh_app_setting_get --app=$app --key=port) + +#================================================= +# CHECK VERSION +#================================================= + +upgrade_type=$(ynh_check_app_version_changed) + +#================================================= +# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP +#================================================= +ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --time --weight=1 + +# Backup the current version of the app +ynh_backup_before_upgrade +ynh_clean_setup () { + # Restore it if the upgrade fails + ynh_restore_upgradebackup +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + +#================================================= +# STANDARD UPGRADE STEPS +#================================================= +# STOP SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Stopping a systemd service..." --time --weight=1 + +ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" + +#================================================= +# CREATE DEDICATED USER +#================================================= +ynh_script_progression --message="Making sure dedicated system user exists..." --time --weight=1 + +# Create a dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" + +#================================================= +# DOWNLOAD, CHECK AND UNPACK SOURCE +#================================================= + +if [ "$upgrade_type" == "UPGRADE_APP" ] +then + ynh_script_progression --message="Upgrading source files..." --time --weight=1 + + # Download, check integrity, uncompress and patch the source from app.src + ynh_setup_source --dest_dir="$final_path" --source_id=$YNH_ARCH --keep="$final_path/ircd.yaml" +fi + +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" + +#================================================= +# NGINX CONFIGURATION +#================================================= +ynh_script_progression --message="Upgrading NGINX web server configuration..." --time --weight=1 + +# Create a dedicated NGINX config +ynh_add_nginx_config + +#================================================= +# UPGRADE DEPENDENCIES +#================================================= +# ynh_script_progression --message="Upgrading dependencies..." --time --weight=1 + +# ynh_install_app_dependencies $pkg_dependencies + +#================================================= +# SETUP SYSTEMD +#================================================= +ynh_script_progression --message="Upgrading systemd configuration..." --time --weight=1 + +# Create a dedicated systemd config +ynh_add_systemd_config + +#================================================= +# GENERIC FINALIZATION +#================================================= +# SETUP LOGROTATE +#================================================= +ynh_script_progression --message="Upgrading logrotate configuration..." --time --weight=1 + +# Use logrotate to manage app-specific logfile(s) +ynh_use_logrotate --non-append + +#================================================= +# INTEGRATE SERVICE IN YUNOHOST +#================================================= +ynh_script_progression --message="Integrating service in YunoHost..." --time --weight=1 + +yunohost service add $app --description="A modern IRC server" --log="/var/log/$app/$app.log" + +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --time --weight=1 + +ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" + +#================================================= +# RELOAD NGINX +#================================================= +ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1 + +ynh_systemd_action --service_name=nginx --action=reload + +#================================================= +# END OF SCRIPT +#================================================= + +ynh_script_progression --message="Upgrade of $app completed" --time --last diff --git a/sources/extra_files/app/.gitignore b/sources/extra_files/app/.gitignore new file mode 100644 index 0000000..783a4ae --- /dev/null +++ b/sources/extra_files/app/.gitignore @@ -0,0 +1,2 @@ +*~ +*.sw[op] diff --git a/sources/patches/.gitignore b/sources/patches/.gitignore new file mode 100644 index 0000000..783a4ae --- /dev/null +++ b/sources/patches/.gitignore @@ -0,0 +1,2 @@ +*~ +*.sw[op]