diff --git a/check_process b/check_process
index c1a65ce..aa34bbd 100644
--- a/check_process
+++ b/check_process
@@ -14,7 +14,7 @@ upgrade=1
 #upgrade=1 from_commit=CommitHash
 backup_restore=1
- multi_instance=0
+ multi_instance=1
 change_url=0
 ;;; Options
 Email=oufmilo@protonmail.com
diff --git a/conf/.env.production b/conf/.env.production
new file mode 100644
index 0000000..156d259
--- /dev/null
+++ b/conf/.env.production
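Review bot: `multi_instance=1` is declared here, but the rest of this commit still hard-wires per-host resources: `conf/nginx.conf` serves static files from `root /app`, and `conf/.env.production` pins a single Redis host/port on the default DB index with a fixed `FLOWER_PORT=8888`, so a second instance on the same server would share or collide on those unless the install script overrides them (its config rendering is not visible in these hunks). Either keep `multi_instance=0` until those values are expressed with per-instance placeholders (`__FINALPATH__`/`__NAME__` style, as the old nginx template did), or parameterize them in the same change.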
@@ -0,0 +1,116 @@
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY="7(2w1sedok=aznpq)ta1mc4i%4h=xx@hxwx*o57ctsuml0x%fr"
+
+# SECURITY WARNING: don 't run with debug turned on in production!
+DEBUG=false
+USE_HTTPS=true
+
+DOMAIN=__DOMAIN__
+
+# Instance defualt language (see options at bookwyrm/settings.py "LANGUAGES"
+LANGUAGE_CODE="en-us"
+# Used for deciding which editions to prefer
+DEFAULT_LANGUAGE="English"
+
+## Leave unset to allow all hosts
+# ALLOWED_HOSTS="localhost,127.0.0.1,[::1]"
+
+MEDIA_ROOT=images/
+
+# Database configuration
+PGPORT=5432
+POSTGRES_PASSWORD=__DB_PWD__
+POSTGRES_USER=__DB_USER__
+POSTGRES_DB=__DB_NAME__
+POSTGRES_HOST=localhost
+
+# Redis activity stream manager
+MAX_STREAM_LENGTH=200
+REDIS_ACTIVITY_HOST=redis_activity
+REDIS_ACTIVITY_PORT=6379
+REDIS_ACTIVITY_PASSWORD=redispassword345
+# Optional, use a different redis database (defaults to 0)
+# REDIS_ACTIVITY_DB_INDEX=0
+
+# Redis as celery broker
+REDIS_BROKER_PORT=6379
+REDIS_BROKER_PASSWORD=redispassword123
+# Optional, use a different redis database (defaults to 0)
+# REDIS_BROKER_DB_INDEX=0
+
+# Monitoring for celery
+FLOWER_PORT=8888
+FLOWER_USER=admin
+FLOWER_PASSWORD=changeme
+
+# Email config
+EMAIL_HOST=localhost
+EMAIL_PORT=587
+#EMAIL_HOST_USER=mail@your.domain.here
+#EMAIL_HOST_PASSWORD=emailpassword123
+EMAIL_USE_TLS=true
+EMAIL_USE_SSL=false
+EMAIL_SENDER_NAME=__ADMIN_MAIL__
+# defaults to DOMAIN
+#EMAIL_SENDER_DOMAIN=
+
+# Query timeouts
+SEARCH_TIMEOUT=5
+QUERY_TIMEOUT=5
+
+# Thumbnails Generation
+ENABLE_THUMBNAIL_GENERATION=false
+
+# S3 configuration
+USE_S3=false
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+
+# Commented are example values if you use a non-AWS, S3-compatible service
+# AWS S3 should work with only AWS_STORAGE_BUCKET_NAME and AWS_S3_REGION_NAME
+# non-AWS S3-compatible services will need AWS_STORAGE_BUCKET_NAME,
+# along with both AWS_S3_CUSTOM_DOMAIN and AWS_S3_ENDPOINT_URL
+
+# AWS_STORAGE_BUCKET_NAME= # "example-bucket-name"
+# AWS_S3_CUSTOM_DOMAIN=None # "example-bucket-name.s3.fr-par.scw.cloud"
+# AWS_S3_REGION_NAME=None # "fr-par"
+# AWS_S3_ENDPOINT_URL=None # "https://s3.fr-par.scw.cloud"
+
+
+# Preview image generation can be computing and storage intensive
+ENABLE_PREVIEW_IMAGES=False
+
+# Specify RGB tuple or RGB hex strings,
+# or use_dominant_color_light / use_dominant_color_dark
+PREVIEW_BG_COLOR=use_dominant_color_light
+# Change to #FFF if you use use_dominant_color_dark
+PREVIEW_TEXT_COLOR=#363636
+PREVIEW_IMG_WIDTH=1200
+PREVIEW_IMG_HEIGHT=630
+PREVIEW_DEFAULT_COVER_COLOR=#002549
+
+# Below are example keys if you want to enable automatically
+# sending telemetry to an OTLP-compatible service. Many of
+# the main monitoring apps have OLTP collectors, including
+# NewRelic, DataDog, and Honeycomb.io - consult their
+# documentation for setup instructions, and what exactly to
+# put below!
+#
+# Service name is an arbitrary tag that is attached to any
+# data sent, used to distinguish different sources. Useful
+# for sending prod and dev metrics to the same place and
+# keeping them separate, for instance!
+
+# API endpoint for your provider
+OTEL_EXPORTER_OTLP_ENDPOINT=
+# Any headers required, usually authentication info
+OTEL_EXPORTER_OTLP_HEADERS=
+# Service name to identify your app
+OTEL_SERVICE_NAME=
+
+# Set HTTP_X_FORWARDED_PROTO ONLY to true if you know what you are doing.
+# Only use it if your proxy is "swallowing" if the original request was made
+# via https. Please refer to the Django-Documentation and assess the risks
+# for your instance:
+# https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header
+HTTP_X_FORWARDED_PROTO=false
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 1f1945c..fb4cd15 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,28 +1,48 @@
 #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
 location __PATH__/ {
- # Path to source
- alias __FINALPATH__/ ;
+ proxy_pass http://127.0.0.1:__PORT__;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_http_version 1.1;
+ proxy_redirect off;
-### Example PHP configuration (remove it if not used)
- index index.php;
-
- # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
- #client_max_body_size 50M;
-
- try_files $uri $uri/ index.php;
- location ~ [^/]\.php(/|$) {
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
-
- fastcgi_index index.php;
- include fastcgi_params;
- fastcgi_param REMOTE_USER $remote_user;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param SCRIPT_FILENAME $request_filename;
- }
-### End of PHP configuration part
+ # For WebSocket
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ # Cache settings
+ #proxy_cache cache1;
+ proxy_cache_lock on;
+ proxy_cache_use_stale updating;
+ more_set_headers "X-Cache: $upstream_cache_status";
+ # Change to upload limit
+ client_max_body_size 80m;
 # Include SSOWAT user panel.
 include conf.d/yunohost_panel.conf.inc;
+
+
+ # rate limit the login or password reset pages
+ location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
+ limit_req zone=loginlimit;
+ proxy_pass http://127.0.0.1:__PORT__;
+ }
+
+ location /api/updates/ {
+ access_log off;
+ proxy_pass http://127.0.0.1:__PORT__;
+ }
+
+ # directly serve images and static files from the
+ # bookwyrm filesystem using sendfile.
+ # make the logs quieter by not reporting these requests
+ location ~ ^/(images|static)/ {
+ root /app;
+ try_files $uri =404;
+ more_set_headers "X-Cache-Status: STATIC";
+ access_log off;
+ }
+
 }
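Review bot: `limit_req zone=loginlimit;` in the new login location references a shared-memory zone that nothing in this diff declares; nginx requires a matching `limit_req_zone … zone=loginlimit:…` in the `http` context and refuses to load a configuration that names an undeclared zone, so unless the package ships that declaration elsewhere (it cannot live in this per-app `location` file) `nginx -t` will fail for the whole vhost. `root /app;` in the `^/(images|static)/` location is the upstream container path: on YunoHost the checkout lives under `__FINALPATH__`, so `try_files $uri =404` will 404 every static asset; `root __FINALPATH__;` (or whichever directory the install script populates) is what is meant. `$connection_upgrade` and `more_set_headers` additionally depend on a `map $http_upgrade $connection_upgrade` block and on the headers-more module respectively; both are commonly present on YunoHost but are worth confirming for the target release. Minor: `proxy_cache_lock`/`proxy_cache_use_stale` have no effect while `proxy_cache` stays commented out, and `X-Cache: $upstream_cache_status` will be sent with an empty value.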
diff --git a/scripts/backup b/scripts/backup
index defff3d..e8aa49b 100755
--- a/scripts/backup
+++ b/scripts/backup
@@ -66,10 +66,7 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 #=================================================
 # SPECIFIC BACKUP
 #=================================================
-# BACKUP LOGROTATE
-#=================================================
-ynh_backup --src_path="/etc/logrotate.d/$app"
 #=================================================
 # BACKUP SYSTEMD
@@ -77,13 +74,6 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
 ynh_backup --src_path="/etc/systemd/system/$app.service"
-#=================================================
-# BACKUP VARIOUS FILES
-#=================================================
-
-ynh_backup --src_path="/etc/cron.d/$app"
-
-ynh_backup --src_path="/etc/$app/"
 #=================================================
 # BACKUP THE POSTGRESQL DATABASE
diff --git a/scripts/install b/scripts/install
index 277cdcc..495a271 100755
--- a/scripts/install
+++ b/scripts/install
@@ -134,18 +134,6 @@ chmod 750 "$datadir"
 chmod -R o-rwx "$datadir"
 chown -R $app:www-data "$datadir"
-#=================================================
-# ADD A CONFIGURATION
-#=================================================
-ynh_script_progression --message="Adding a configuration file..." --weight=1
-
-
-ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
-
-
-chmod 400 "$final_path/some_config_file"
-chown $app:$app "$final_path/some_config_file"
-
 #=================================================
 # SETUP SYSTEMD
diff --git a/scripts/restore b/scripts/restore
index b0c0d06..0275776 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -118,14 +118,6 @@ ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
 ynh_psql_execute_as_root --sql="ALTER USER $db_user CREATEDB;"
 ynh_psql_execute_file_as_root --file="./db.sql" --database="$db_name"
-#=================================================
-# RESTORE VARIOUS FILES
-#=================================================
-ynh_script_progression --message="Restoring various files..." --weight=1
-
-ynh_restore_file --origin_path="/etc/cron.d/$app"
-
-ynh_restore_file --origin_path="/etc/$app/"
 #=================================================
 # RESTORE SYSTEMD
diff --git a/scripts/upgrade b/scripts/upgrade
index 378c148..af4a7fd 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -147,31 +147,6 @@ ynh_script_progression --message="Upgrading dependencies..." --weight=1
 ynh_install_app_dependencies $pkg_dependencies
-#=================================================
-# UPDATE A CONFIG FILE
-#=================================================
-ynh_script_progression --message="Updating a configuration file..." --weight=1
-
-### Same as during install
-###
-### The file will automatically be backed-up if it's found to be manually modified (because
-### ynh_add_config keeps track of the file's checksum)
-
-ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
-
-# FIXME: this should be handled by the core in the future
-# You may need to use chmod 600 instead of 400,
-# for example if the app is expected to be able to modify its own config
-chmod 400 "$final_path/some_config_file"
-chown $app:$app "$final_path/some_config_file"
-
-### For more complex cases where you want to replace stuff using regexes,
-### you shoud rely on ynh_replace_string (which is basically a wrapper for sed)
-### When doing so, you also need to manually call ynh_store_file_checksum
-###
-### ynh_replace_string --match_string="match_string" --replace_string="replace_string" --target_file="$final_path/some_config_file"
-### ynh_store_file_checksum --file="$final_path/some_config_file"
-
 #=================================================
 # SETUP SYSTEMD
 #=================================================