diff --git a/README.md b/README.md index c01e5b3..0a3436e 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ It shall NOT be edited by hand. # FilePizza for YunoHost -[![Integration level](https://dash.yunohost.org/integration/filepizza.svg)](https://dash.yunohost.org/appci/app/filepizza) ![](https://ci-apps.yunohost.org/ci/badges/filepizza.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/filepizza.maintain.svg) +[![Integration level](https://dash.yunohost.org/integration/filepizza.svg)](https://dash.yunohost.org/appci/app/filepizza) ![Working status](https://ci-apps.yunohost.org/ci/badges/filepizza.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/filepizza.maintain.svg) [![Install FilePizza with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=filepizza) *[Lire ce readme en français.](./README_fr.md)* 
@@ -17,30 +17,31 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Using WebRTC, FilePizza eliminates the initial upload step required by other web-based file sharing services. When senders initialize a transfer, they receive a "tempalink" they can distribute to recipients. Upon visiting this link, recipients' browsers connect directly to the sender’s browser and may begin downloading the selected file. Because data is never stored in an intermediary server, the transfer is fast, private, and secure. -**Shipped version:** 1.1.0~ynh2 +**Shipped version:** 1.1.0~ynh3 **Demo:** https://file.pizza/ ## Screenshots -![](./doc/screenshots/screenshot.png) +![Screenshot of FilePizza](./doc/screenshots/screenshot.png) ## Documentation and resources -* Official app website: https://file.pizza/ -* Upstream app code repository: https://github.com/kern/filepizza -* YunoHost documentation for this app: https://yunohost.org/app_filepizza -* Report a bug: https://github.com/YunoHost-Apps/filepizza_ynh/issues +* Official app website: +* Upstream app code repository: +* YunoHost documentation for this app: +* Report a bug: ## Developer info Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/filepizza_ynh/tree/testing). To try the testing branch, please proceed like that. -``` + +``` bash sudo yunohost app install https://github.com/YunoHost-Apps/filepizza_ynh/tree/testing --debug or sudo yunohost app upgrade filepizza -u https://github.com/YunoHost-Apps/filepizza_ynh/tree/testing --debug ``` -**More info regarding app packaging:** https://yunohost.org/packaging_apps \ No newline at end of file +**More info regarding app packaging:** diff --git a/README_fr.md b/README_fr.md index 89f4fee..b711b57 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -1,10 +1,14 @@ + + # FilePizza pour YunoHost -[![Niveau d'intégration](https://dash.yunohost.org/integration/filepizza.svg)](https://dash.yunohost.org/appci/app/filepizza) ![](https://ci-apps.yunohost.org/ci/badges/filepizza.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/filepizza.maintain.svg) +[![Niveau d'intégration](https://dash.yunohost.org/integration/filepizza.svg)](https://dash.yunohost.org/appci/app/filepizza) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/filepizza.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/filepizza.maintain.svg) [![Installer FilePizza avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=filepizza) *[Read this readme in english.](./README.md)* -*[Lire ce readme en français.](./README_fr.md)* > *Ce package vous permet d'installer FilePizza rapidement et simplement sur un serveur YunoHost. Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.* 
@@ -13,30 +17,31 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Using WebRTC, FilePizza eliminates the initial upload step required by other web-based file sharing services. When senders initialize a transfer, they receive a "tempalink" they can distribute to recipients. Upon visiting this link, recipients' browsers connect directly to the sender’s browser and may begin downloading the selected file. Because data is never stored in an intermediary server, the transfer is fast, private, and secure. -**Version incluse :** 1.1.0~ynh2 +**Version incluse :** 1.1.0~ynh3 **Démo :** https://file.pizza/ ## Captures d'écran -![](./doc/screenshots/screenshot.png) +![Capture d'écran de FilePizza](./doc/screenshots/screenshot.png) ## Documentations et ressources -* Site officiel de l'app : https://file.pizza/ -* Dépôt de code officiel de l'app : https://github.com/kern/filepizza -* Documentation YunoHost pour cette app : https://yunohost.org/app_filepizza -* Signaler un bug : https://github.com/YunoHost-Apps/filepizza_ynh/issues +* Site officiel de l'app : +* Dépôt de code officiel de l'app : +* Documentation YunoHost pour cette app : +* Signaler un bug : ## Informations pour les développeurs Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/filepizza_ynh/tree/testing). Pour essayer la branche testing, procédez comme suit. -``` + +``` bash sudo yunohost app install https://github.com/YunoHost-Apps/filepizza_ynh/tree/testing --debug ou sudo yunohost app upgrade filepizza -u https://github.com/YunoHost-Apps/filepizza_ynh/tree/testing --debug ``` -**Plus d'infos sur le packaging d'applications :** https://yunohost.org/packaging_apps \ No newline at end of file +**Plus d'infos sur le packaging d'applications :** diff --git a/conf/nginx.conf b/conf/nginx.conf index ad719a0..afbf585 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
@@ -1,4 +1,5 @@ -location / { +#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; +location __PATH__/ { proxy_pass http://127.0.0.1:__PORT__/; proxy_set_header Host $host; diff --git a/conf/systemd.service b/conf/systemd.service index c75a80d..92b4ef1 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -13,5 +13,39 @@ Environment="NODE_ENV=production" ExecStart=__YNH_NODE__ ./dist/index.js Restart=always +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/manifest.json b/manifest.json index d020330..2bccb7b 100644 
--- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Peer-to-peer file transfers in your browser", "fr": "Transferts de fichiers pair-à-pair dans votre navigateur" }, - "version": "1.1.0~ynh2", + "version": "1.1.0~ynh3", "url": "https://file.pizza/", "upstream": { "license": "BSD-3-Clause", @@ -19,7 +19,7 @@ "name": "eric_G" }, "requirements": { - "yunohost": ">= 4.3.0" + "yunohost": ">= 11.0.9" }, "multi_instance": true, "services": [
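Review bot: In README.md, under "Documentation and resources", the four added bullets (`* Official app website:` through `* Report a bug:`) end at the colon, and the added `**More info regarding app packaging:**` line has no target either, while the removed lines carried the URLs. If the generator is meant to emit these as autolinks, confirm they are present in the committed file; otherwise restore the URLs, since this section is the reader's only pointer to the upstream repository and the issue tracker. The file header says it is not edited by hand, so the fix belongs in the generator input rather than in README.md itself.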
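Review bot: In README_fr.md, the developer-info fence is now tagged `bash` but still contains the bare word `ou` between the two `sudo yunohost app ...` commands, so anyone pasting the block runs `ou` as a command (README.md has the same problem with `or`). Move the word out of the fence or turn it into a `#` comment. The context line of the same hunk also shows the description paragraph ("Using WebRTC, FilePizza eliminates ...") still in English in the French README, and the four resource bullets end at the colon without a URL.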
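Review bot: In conf/nginx.conf, `location __PATH__/` is paired with `proxy_pass http://127.0.0.1:__PORT__/;`, and because the proxy_pass target ends in a URI part (`/`), nginx replaces the matched `__PATH__/` prefix with `/` before forwarding. The Node process will see every request as if it were served from the root, so any root-relative URL it emits will point outside the sub-path. Please confirm the package was tested on a sub-path install and say so in the description of the change, or keep the package limited to a root-of-domain install. The `#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;` line would also benefit from a one-line comment explaining that it is a template marker and not a disabled directive.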
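Review bot: In conf/systemd.service, the first `CapabilityBoundingSet=` line names `CAP_RAWIO`, which is not a Linux capability; the name in capabilities(7), which the comment above it links to, is `CAP_SYS_RAWIO`. systemd does not recognise the name, so `CAP_SYS_RAWIO` stays in the bounding set. Change the line to `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Separately, `ProtectSystem=full` only makes /usr, /boot, /efi and /etc read-only; if the service writes nowhere but its own directory, `ProtectSystem=strict` with an explicit `ReadWritePaths=` is tighter. Running `systemd-analyze security` against the installed unit will show what is still exposed and will confirm the capability fix.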
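Review bot: In manifest.json, the `requirements.yunohost` floor jumps from `>= 4.3.0` to `>= 11.0.9` and nothing in the patch says why. Servers still on 4.x will stop receiving this package, so the reason should be stated in the commit message or changelog. If the bump is driven by the new directives in conf/systemd.service (for example `ProtectProc=` and `ProtectClock=`, which need a recent systemd), naming that dependency makes it clear the floor cannot be lowered without also revisiting the unit file.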