From 2ddfdd5b30753cc27633dac6d97b5ac0556c5fd0 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 30 Sep 2021 10:01:17 +0200 Subject: [PATCH 1/5] Cleaning up --- manifest.json | 10 +++------- scripts/backup | 8 ++++++++ scripts/install | 12 +++++++++++- scripts/remove | 10 ++++++++++ scripts/restore | 23 ++++++++++++++--------- scripts/upgrade | 10 +++++++++- 6 files changed, 55 insertions(+), 18 deletions(-) diff --git a/manifest.json b/manifest.json index f1a7807..14f9af7 100644 --- a/manifest.json +++ b/manifest.json @@ -13,7 +13,6 @@ "website": "https://etherpad.org/", "demo": "https://video.etherpad.com/", "admindoc": "http://etherpad.org/doc/v1.8.14", - "userdoc": "https://yunohost.org/en/app_etherpad", "code": "https://github.com/ether/etherpad-lite" }, "license": "Apache-2.0", @@ -31,8 +30,7 @@ "install" : [ { "name": "domain", - "type": "domain", - "example": "example.com" + "type": "domain" }, { "name": "path", @@ -71,13 +69,11 @@ }, { "name": "admin", - "type": "user", - "example": "johndoe" + "type": "user" }, { "name": "password", - "type": "password", - "example": "Choose a password" + "type": "password" } ] } diff --git a/scripts/backup b/scripts/backup index f3d4699..617ef5e 100644 --- a/scripts/backup +++ b/scripts/backup @@ -43,6 +43,14 @@ ynh_backup --src_path="$final_path" ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" +#================================================= +# SPECIFIC BACKUP +#================================================= +# BACKUP LOGROTATE +#================================================= + +ynh_backup --src_path="/etc/logrotate.d/$app" + #================================================= # BACKUP SYSTEMD #================================================= diff --git a/scripts/install b/scripts/install index 799c735..4a144ef 100644 --- a/scripts/install +++ b/scripts/install @@ -171,6 +171,16 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=4 # Create a dedicated systemd config ynh_add_systemd_config +#================================================= +# GENERIC FINALIZATION +#================================================= +# SETUP LOGROTATE +#================================================= +ynh_script_progression --message="Configuring log rotation..." --weight=1 + +# Use logrotate to manage application logfile(s) +ynh_use_logrotate + #================================================= # INTEGRATE SERVICE IN YUNOHOST #================================================= @@ -197,7 +207,7 @@ then ynh_permission_update --permission="main" --add="visitors" fi -ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin +ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false #================================================= # RELOAD NGINX diff --git a/scripts/remove b/scripts/remove index 986943c..8dc44e3 100644 --- a/scripts/remove +++ b/scripts/remove @@ -86,6 +86,16 @@ ynh_script_progression --message="Removing NGINX web server configuration..." -- # Remove the dedicated NGINX config ynh_remove_nginx_config +#================================================= +# SPECIFIC REMOVE +#================================================= +# REMOVE VARIOUS FILES +#================================================= +ynh_script_progression --message="Removing various files..." --weight=1 + +# Remove the log files +ynh_secure_remove --file="/var/log/$app" + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/restore b/scripts/restore index 93f0d13..b157204 100644 --- a/scripts/restore +++ b/scripts/restore @@ -38,8 +38,6 @@ db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd) #================================================= ynh_script_progression --message="Validating restoration parameters..." --weight=2 -ynh_webpath_available --domain=$domain --path_url=$path_url \ - || ynh_die --message="Path not available: ${domain}${path_url}" test ! -d $final_path \ || ynh_die --message="There is already a directory: $final_path " @@ -92,13 +90,6 @@ ynh_psql_test_if_first_run ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd ynh_psql_execute_file_as_root --file="./db.sql" --database=$db_name -#================================================= -# INTEGRATE SERVICE IN YUNOHOST -#================================================= -ynh_script_progression --message="Integrating service in YunoHost..." --weight=3 - -yunohost service add $app --description="Collaborative editor" --log="/var/log/$app/$app.log" - #================================================= # RESTORE SYSTEMD #================================================= @@ -107,6 +98,20 @@ ynh_script_progression --message="Restoring the systemd configuration..." --weig ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable $app.service --quiet +#================================================= +# RESTORE THE LOGROTATE CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the logrotate configuration..." --weight=1 + +ynh_restore_file --origin_path="/etc/logrotate.d/$app" + +#================================================= +# INTEGRATE SERVICE IN YUNOHOST +#================================================= +ynh_script_progression --message="Integrating service in YunoHost..." --weight=3 + +yunohost service add $app --description="Collaborative editor" --log="/var/log/$app/$app.log" + #================================================= # START SYSTEMD SERVICE #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index ec324c3..a43eb05 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -58,7 +58,7 @@ fi if ! ynh_permission_exists --permission="admin"; then # Create the required permissions - ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin + ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false fi #================================================= @@ -155,6 +155,14 @@ ynh_script_progression --message="Upgrading systemd configuration..." --weight=2 # Create a dedicated systemd config ynh_add_systemd_config +#================================================= +# SETUP LOGROTATE +#================================================= +ynh_script_progression --message="Upgrading logrotate configuration..." --weight=1 + +# Use logrotate to manage app-specific logfile(s) +ynh_use_logrotate --non-append + #================================================= # INTEGRATE SERVICE IN YUNOHOST #================================================= From d85e7b008d4591421ea6d4cc34a310330951f0bf Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Thu, 30 Sep 2021 08:01:23 +0000 Subject: [PATCH 2/5] Auto-update README --- README.md | 1 - README_fr.md | 1 - 2 files changed, 2 deletions(-) diff --git a/README.md b/README.md index 143de13..0c1267c 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,6 @@ You can access Etherpad's admin panel at `domain.tld/admin`. The configuration f ## Documentation and resources * Official app website: https://etherpad.org/ -* Official user documentation: https://yunohost.org/en/app_etherpad * Official admin documentation: http://etherpad.org/doc/v1.8.14 * Upstream app code repository: https://github.com/ether/etherpad-lite * YunoHost documentation for this app: https://yunohost.org/app_etherpad diff --git a/README_fr.md b/README_fr.md index ba3a269..fc33e24 100644 --- a/README_fr.md +++ b/README_fr.md @@ -32,7 +32,6 @@ Vous pouvez accéder au panneau d'administration d'Etherpad à l'adresse `domain ## Documentations et ressources * Site officiel de l'app : https://etherpad.org/ -* Documentation officielle utilisateur : https://yunohost.org/en/app_etherpad * Documentation officielle de l'admin : http://etherpad.org/doc/v1.8.14 * Dépôt de code officiel de l'app : https://github.com/ether/etherpad-lite * Documentation YunoHost pour cette app : https://yunohost.org/app_etherpad From 8f0e71bbd6844851f13415184efb8f9835a198f4 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 30 Sep 2021 10:58:24 +0200 Subject: [PATCH 3/5] Hardening systemd --- conf/systemd.service | 30 ++++++++++++++++++++++++++++++ doc/DESCRIPTION.md | 1 + doc/DESCRIPTION_fr.md | 1 + 3 files changed, 32 insertions(+) create mode 100644 doc/DESCRIPTION.md create mode 100644 doc/DESCRIPTION_fr.md diff --git a/conf/systemd.service b/conf/systemd.service index cd402e8..c9004e3 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -12,5 +12,35 @@ Environment="__YNH_NODE_LOAD_PATH__" ExecStart=__FINALPATH__/src/bin/run.sh Restart=always +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md new file mode 100644 index 0000000..5ecb79a --- /dev/null +++ b/doc/DESCRIPTION.md @@ -0,0 +1 @@ +Etherpad is a real-time collaborative editor scalable to thousands of simultaneous real time users. It provides full data export capabilities, and runs on your server, under your control. diff --git a/doc/DESCRIPTION_fr.md b/doc/DESCRIPTION_fr.md new file mode 100644 index 0000000..519f648 --- /dev/null +++ b/doc/DESCRIPTION_fr.md @@ -0,0 +1 @@ +Etherpad est un éditeur collaboratif en temps réel évolutif pour des milliers d'utilisateurs simultanés en temps réel. Il fournit des capacités complètes d'exportation de données et s'exécute sur votre serveur, sous votre contrôle. \ No newline at end of file From ced7101ee24e00beb9f9b135171555244c81815c Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Thu, 30 Sep 2021 08:58:34 +0000 Subject: [PATCH 4/5] Auto-update README --- README.md | 3 ++- README_fr.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0c1267c..cf56500 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,8 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in ## Overview -Online editor providing collaborative editing in real-time +Etherpad is a real-time collaborative editor scalable to thousands of simultaneous real time users. It provides full data export capabilities, and runs on your server, under your control. + **Shipped version:** 1.8.14~ynh1 diff --git a/README_fr.md b/README_fr.md index fc33e24..6de9bf4 100644 --- a/README_fr.md +++ b/README_fr.md @@ -11,7 +11,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour ## Vue d'ensemble -Éditeur en ligne fournissant l'édition collaborative en temps réel +Etherpad est un éditeur collaboratif en temps réel évolutif pour des milliers d'utilisateurs simultanés en temps réel. Il fournit des capacités complètes d'exportation de données et s'exécute sur votre serveur, sous votre contrôle. **Version incluse :** 1.8.14~ynh1 From f70c136656c947a46263d91af320fc411d3eff47 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 30 Sep 2021 11:00:49 +0200 Subject: [PATCH 5/5] Update install --- scripts/install | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install b/scripts/install index 4a144ef..0cc4bea 100644 --- a/scripts/install +++ b/scripts/install @@ -130,10 +130,10 @@ ynh_script_progression --message="Installing Etherpad..." --weight=60 chown -R $app $final_path -pushd $final_path || ynh_die +pushd $final_path ynh_use_nodejs ynh_exec_as $app env $ynh_node_load_PATH src/bin/installDeps.sh -popd || ynh_die +popd #================================================= # MODIFY A CONFIG FILE