From 4a2d4b8f8506f61be50f9ec060d57edb545b7994 Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 18:50:22 +0100
Subject: [PATCH 01/15] Update install
---
 scripts/install | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/scripts/install b/scripts/install
index 277cdcc..495a271 100755
--- a/scripts/install
+++ b/scripts/install
@@ -134,18 +134,6 @@ chmod 750 "$datadir"
 chmod -R o-rwx "$datadir"
 chown -R $app:www-data "$datadir"
-#=================================================
-# ADD A CONFIGURATION
-#=================================================
-ynh_script_progression --message="Adding a configuration file..." --weight=1
-
-
-ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
-
-
-chmod 400 "$final_path/some_config_file"
-chown $app:$app "$final_path/some_config_file"
-
 #=================================================
 # SETUP SYSTEMD
From 9decb8f9d0ae2329358d3c3a862d80d0975c3baf Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 19:29:06 +0100
Subject: [PATCH 02/15] Update backup
---
 scripts/backup | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/scripts/backup b/scripts/backup
index defff3d..e8aa49b 100755
--- a/scripts/backup
+++ b/scripts/backup
@@ -66,10 +66,7 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 #=================================================
 # SPECIFIC BACKUP
 #=================================================
-# BACKUP LOGROTATE
-#=================================================
-ynh_backup --src_path="/etc/logrotate.d/$app"
 #=================================================
 # BACKUP SYSTEMD
@@ -77,13 +74,6 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
 ynh_backup --src_path="/etc/systemd/system/$app.service"
-#=================================================
-# BACKUP VARIOUS FILES
-#=================================================
-
-ynh_backup --src_path="/etc/cron.d/$app"
-
-ynh_backup --src_path="/etc/$app/"
 #=================================================
 # BACKUP THE POSTGRESQL DATABASE
From 52678d52484de1d4e22e9cd503667cea3a4b862f Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 19:30:51 +0100
Subject: [PATCH 03/15] Update upgrade
---
 scripts/upgrade | 25 -------------------------
 1 file changed, 25 deletions(-)
diff --git a/scripts/upgrade b/scripts/upgrade
index 378c148..af4a7fd 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -147,31 +147,6 @@ ynh_script_progression --message="Upgrading dependencies..." --weight=1
 ynh_install_app_dependencies $pkg_dependencies
-#=================================================
-# UPDATE A CONFIG FILE
-#=================================================
-ynh_script_progression --message="Updating a configuration file..." --weight=1
-
-### Same as during install
-###
-### The file will automatically be backed-up if it's found to be manually modified (because
-### ynh_add_config keeps track of the file's checksum)
-
-ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
-
-# FIXME: this should be handled by the core in the future
-# You may need to use chmod 600 instead of 400,
-# for example if the app is expected to be able to modify its own config
-chmod 400 "$final_path/some_config_file"
-chown $app:$app "$final_path/some_config_file"
-
-### For more complex cases where you want to replace stuff using regexes,
-### you shoud rely on ynh_replace_string (which is basically a wrapper for sed)
-### When doing so, you also need to manually call ynh_store_file_checksum
-###
-### ynh_replace_string --match_string="match_string" --replace_string="replace_string" --target_file="$final_path/some_config_file"
-### ynh_store_file_checksum --file="$final_path/some_config_file"
-
 #=================================================
 # SETUP SYSTEMD
 #=================================================
From a26ca1a90b4b2941ceecc83227565becdcbd2f2b Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 21:07:48 +0100
Subject: [PATCH 04/15] Update nginx.conf
---
 conf/nginx.conf | 63 +++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 50 insertions(+), 13 deletions(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 1f1945c..0d4ef5e 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -4,23 +4,60 @@ location __PATH__/ {
 # Path to source
 alias __FINALPATH__/ ;
-### Example PHP configuration (remove it if not used)
- index index.php;
-
 # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
 #client_max_body_size 50M;
- try_files $uri $uri/ index.php;
- location ~ [^/]\.php(/|$) {
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
+
+ # store responses to anonymous users for up to 1 minute
+ proxy_cache bookwyrm_cache;
+ proxy_cache_valid any 1m;
+ add_header X-Cache-Status $upstream_cache_status;
- fastcgi_index index.php;
- include fastcgi_params;
- fastcgi_param REMOTE_USER $remote_user;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param SCRIPT_FILENAME $request_filename;
- }
+ # ignore the set cookie header when deciding to
+ # store a response in the cache
+ proxy_ignore_headers Cache-Control Set-Cookie Expires;
+
+ # PUT requests always bypass the cache
+ # logged in sessions also do not populate the cache
+ # to avoid serving personal data to anonymous users
+ proxy_cache_methods GET HEAD;
+ proxy_no_cache $cookie_sessionid;
+ proxy_cache_bypass $cookie_sessionid;
+
+ # tell the web container the address of the outside client
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_redirect off;
+
+ location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
+ limit_req zone=loginlimit;
+ proxy_pass http://web;
+ }
+
+ # do not log periodic polling requests from logged in users
+ location /api/updates/ {
+ access_log off;
+ proxy_pass http://web;
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:__PORT__;
+ }
+
+ try_files $uri $uri/ index.php;
+ location ~ ^/(images|static)/ {
+ root /app;
+ try_files $uri =404;
+ add_header X-Cache-Status STATIC;
+ access_log off;
+ }
+
+ # monitor the celery queues with flower, no caching enabled
+ location /flower/ {
+ proxy_pass http://flower:8888;
+ proxy_cache_bypass 1;
+ }
+
 ### End of PHP configuration part
 # Include SSOWAT user panel.
From 0b04576057cd952face63e9ef11ca80f482e777a Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 21:14:43 +0100
Subject: [PATCH 05/15] Update nginx.conf
---
 conf/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 0d4ef5e..6593593 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -31,13 +31,13 @@ location __PATH__/ {
 location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
 limit_req zone=loginlimit;
- proxy_pass http://web;
+ proxy_pass http://127.0.0.1:__PORT__;
 }
 # do not log periodic polling requests from logged in users
 location /api/updates/ {
 access_log off;
- proxy_pass http://web;
+ proxy_pass http://127.0.0.1:__PORT__;
 }
 location / {
From 5ebca792a76ca849c01076f865484b1ec88c2dca Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 21:19:21 +0100
Subject: [PATCH 06/15] Update nginx.conf
---
 conf/nginx.conf | 74 ++++++++++++------------------------------------
 1 file changed, 17 insertions(+), 57 deletions(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 6593593..565b921 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
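Review bot: `proxy_cache bookwyrm_cache;` and `limit_req zone=loginlimit;` both reference zones that nothing in this snippet declares; `proxy_cache_path ... keys_zone=bookwyrm_cache:...` and `limit_req_zone` can only live in the http context, so unless the install script also drops such a file into nginx's global `conf.d`, nginx will reject the configuration at reload (the same `loginlimit` reference reappears in patch 08). The nested `location / { proxy_pass ... }` sits inside `location __PATH__/`, which nginx refuses whenever `__PATH__` is not `/`, because a nested location must lie within its parent's prefix. `try_files $uri $uri/ index.php;` and the `### End of PHP configuration part` marker are leftovers from the PHP template that no longer describe a proxied app and should go. The `http://web` and `http://flower:8888` upstreams are Docker service names that do not resolve on a YunoHost host.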
@@ -1,65 +1,25 @@
 #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
 location __PATH__/ {
- # Path to source
- alias __FINALPATH__/ ;
+ proxy_pass http://127.0.0.1:__PORT__;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_http_version 1.1;
+ proxy_redirect off;
- # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
- #client_max_body_size 50M;
-
-
- # store responses to anonymous users for up to 1 minute
- proxy_cache bookwyrm_cache;
- proxy_cache_valid any 1m;
- add_header X-Cache-Status $upstream_cache_status;
-
- # ignore the set cookie header when deciding to
- # store a response in the cache
- proxy_ignore_headers Cache-Control Set-Cookie Expires;
-
- # PUT requests always bypass the cache
- # logged in sessions also do not populate the cache
- # to avoid serving personal data to anonymous users
- proxy_cache_methods GET HEAD;
- proxy_no_cache $cookie_sessionid;
- proxy_cache_bypass $cookie_sessionid;
-
- # tell the web container the address of the outside client
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $host;
- proxy_redirect off;
-
- location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
- limit_req zone=loginlimit;
- proxy_pass http://127.0.0.1:__PORT__;
- }
-
- # do not log periodic polling requests from logged in users
- location /api/updates/ {
- access_log off;
- proxy_pass http://127.0.0.1:__PORT__;
- }
-
- location / {
- proxy_pass http://127.0.0.1:__PORT__;
- }
-
- try_files $uri $uri/ index.php;
- location ~ ^/(images|static)/ {
- root /app;
- try_files $uri =404;
- add_header X-Cache-Status STATIC;
- access_log off;
- }
-
- # monitor the celery queues with flower, no caching enabled
- location /flower/ {
- proxy_pass http://flower:8888;
- proxy_cache_bypass 1;
- }
-
-### End of PHP configuration part
+ # For WebSocket
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ # Cache settings
+ #proxy_cache cache1;
+ proxy_cache_lock on;
+ proxy_cache_use_stale updating;
+ more_set_headers "X-Cache: $upstream_cache_status";
+ # Change to upload limit
+ client_max_body_size 80m;
 # Include SSOWAT user panel.
 include conf.d/yunohost_panel.conf.inc;
 }
From 9640519d49247666053cd3b62624b103e244db4b Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 21:35:42 +0100
Subject: [PATCH 07/15] Create .env.production
---
 conf/.env.production | 116 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 116 insertions(+)
 create mode 100644 conf/.env.production
diff --git a/conf/.env.production b/conf/.env.production
new file mode 100644
index 0000000..156d259
--- /dev/null
+++ b/conf/.env.production
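Review bot: `proxy_set_header Connection $connection_upgrade;` relies on a variable this file never defines; it needs a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in http context, and nginx fails with an unknown-variable error if the platform's global configuration does not already provide one — I believe YunoHost's does, but that is worth confirming rather than assuming. The three directives under `# Cache settings` are inert while `#proxy_cache cache1;` stays commented out, so `more_set_headers "X-Cache: $upstream_cache_status";` only ever emits an empty value; either declare a zone and uncomment it or drop the block so the config does not suggest caching that never happens. `proxy_set_header X-Forwarded-Proto https;` is hard-coded rather than `$scheme`, which is acceptable behind YunoHost's TLS termination but deserves a one-line comment saying so.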
@@ -0,0 +1,116 @@
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY="7(2w1sedok=aznpq)ta1mc4i%4h=xx@hxwx*o57ctsuml0x%fr"
+
+# SECURITY WARNING: don 't run with debug turned on in production!
+DEBUG=false
+USE_HTTPS=true
+
+DOMAIN=__DOMAIN__
+
+# Instance defualt language (see options at bookwyrm/settings.py "LANGUAGES"
+LANGUAGE_CODE="en-us"
+# Used for deciding which editions to prefer
+DEFAULT_LANGUAGE="English"
+
+## Leave unset to allow all hosts
+# ALLOWED_HOSTS="localhost,127.0.0.1,[::1]"
+
+MEDIA_ROOT=images/
+
+# Database configuration
+PGPORT=5432
+POSTGRES_PASSWORD=__DB_PWD__
+POSTGRES_USER=__DB_USER__
+POSTGRES_DB=__DB_NAME__
+POSTGRES_HOST=localhost
+
+# Redis activity stream manager
+MAX_STREAM_LENGTH=200
+REDIS_ACTIVITY_HOST=redis_activity
+REDIS_ACTIVITY_PORT=6379
+REDIS_ACTIVITY_PASSWORD=redispassword345
+# Optional, use a different redis database (defaults to 0)
+# REDIS_ACTIVITY_DB_INDEX=0
+
+# Redis as celery broker
+REDIS_BROKER_PORT=6379
+REDIS_BROKER_PASSWORD=redispassword123
+# Optional, use a different redis database (defaults to 0)
+# REDIS_BROKER_DB_INDEX=0
+
+# Monitoring for celery
+FLOWER_PORT=8888
+FLOWER_USER=admin
+FLOWER_PASSWORD=changeme
+
+# Email config
+EMAIL_HOST=localhost
+EMAIL_PORT=587
+#EMAIL_HOST_USER=mail@your.domain.here
+#EMAIL_HOST_PASSWORD=emailpassword123
+EMAIL_USE_TLS=true
+EMAIL_USE_SSL=false
+EMAIL_SENDER_NAME=__ADMIN_MAIL__
+# defaults to DOMAIN
+#EMAIL_SENDER_DOMAIN=
+
+# Query timeouts
+SEARCH_TIMEOUT=5
+QUERY_TIMEOUT=5
+
+# Thumbnails Generation
+ENABLE_THUMBNAIL_GENERATION=false
+
+# S3 configuration
+USE_S3=false
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+
+# Commented are example values if you use a non-AWS, S3-compatible service
+# AWS S3 should work with only AWS_STORAGE_BUCKET_NAME and AWS_S3_REGION_NAME
+# non-AWS S3-compatible services will need AWS_STORAGE_BUCKET_NAME,
+# along with both AWS_S3_CUSTOM_DOMAIN and AWS_S3_ENDPOINT_URL
+
+# AWS_STORAGE_BUCKET_NAME= # "example-bucket-name"
+# AWS_S3_CUSTOM_DOMAIN=None # "example-bucket-name.s3.fr-par.scw.cloud"
+# AWS_S3_REGION_NAME=None # "fr-par"
+# AWS_S3_ENDPOINT_URL=None # "https://s3.fr-par.scw.cloud"
+
+
+# Preview image generation can be computing and storage intensive
+ENABLE_PREVIEW_IMAGES=False
+
+# Specify RGB tuple or RGB hex strings,
+# or use_dominant_color_light / use_dominant_color_dark
+PREVIEW_BG_COLOR=use_dominant_color_light
+# Change to #FFF if you use use_dominant_color_dark
+PREVIEW_TEXT_COLOR=#363636
+PREVIEW_IMG_WIDTH=1200
+PREVIEW_IMG_HEIGHT=630
+PREVIEW_DEFAULT_COVER_COLOR=#002549
+
+# Below are example keys if you want to enable automatically
+# sending telemetry to an OTLP-compatible service. Many of
+# the main monitoring apps have OLTP collectors, including
+# NewRelic, DataDog, and Honeycomb.io - consult their
+# documentation for setup instructions, and what exactly to
+# put below!
+#
+# Service name is an arbitrary tag that is attached to any
+# data sent, used to distinguish different sources. Useful
+# for sending prod and dev metrics to the same place and
+# keeping them separate, for instance!
+
+# API endpoint for your provider
+OTEL_EXPORTER_OTLP_ENDPOINT=
+# Any headers required, usually authentication info
+OTEL_EXPORTER_OTLP_HEADERS=
+# Service name to identify your app
+OTEL_SERVICE_NAME=
+
+# Set HTTP_X_FORWARDED_PROTO ONLY to true if you know what you are doing.
+# Only use it if your proxy is "swallowing" if the original request was made
+# via https. Please refer to the Django-Documentation and assess the risks
+# for your instance:
+# https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header
+HTTP_X_FORWARDED_PROTO=false
From c130a1d9a1c224d4edb41ded17a429576050fd75 Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 21:47:27 +0100
Subject: [PATCH 08/15] Update nginx.conf
---
 conf/nginx.conf | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 565b921..37e57c7 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -23,3 +23,31 @@ location __PATH__/ {
 # Include SSOWAT user panel.
 include conf.d/yunohost_panel.conf.inc;
 }
+
+ # rate limit the login or password reset pages
+ location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
+ limit_req zone=loginlimit;
+ proxy_pass http://127.0.0.1:__PORT__;
+ }
+
+ location /api/updates/ {
+ access_log off;
+ proxy_pass http://127.0.0.1:__PORT__;
+ }
+
+ # directly serve images and static files from the
+ # bookwyrm filesystem using sendfile.
+ # make the logs quieter by not reporting these requests
+ location ~ ^/(images|static)/ {
+ root /app;
+ try_files $uri =404;
+ add_header X-Cache-Status STATIC;
+ access_log off;
+ }
+
+ # monitor the celery queues with flower, no caching enabled
+ location /flower/ {
+ proxy_pass http://flower:8888;
+ proxy_cache_bypass 1;
+ }
+}
From 7165fd534b62b871e4cf9515e50abadaf78460d3 Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 21:52:27 +0100
Subject: [PATCH 09/15] Update nginx.conf
---
 conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 37e57c7..f444e7c 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -22,7 +22,7 @@ location __PATH__/ {
 client_max_body_size 80m;
 # Include SSOWAT user panel.
 include conf.d/yunohost_panel.conf.inc;
-}
+
 # rate limit the login or password reset pages
 location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
From 703ceaf2142dacfd2997286996b90ea127a67fb9 Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 22:03:07 +0100
Subject: [PATCH 10/15] Update nginx.conf
---
 conf/nginx.conf | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index f444e7c..ba03db1 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
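Review bot: `root /app;` in the new `location ~ ^/(images|static)/` block is the upstream Docker image's path; on a YunoHost install the media and collected static files live under the app's install directory, so this should be `root __FINALPATH__;` (or wherever `MEDIA_ROOT` and the static files actually land), otherwise every image and static request returns 404. At this commit the four blocks are emitted after the `}` that closes `location __PATH__/` and a second `}` is appended, so the file does not parse; the next patch moves them inside, but `^/`-anchored regexes and the `location /api/updates/` prefix only work when `__PATH__` is `/`, which should be documented in the conf or enforced in the manifest. `limit_req zone=loginlimit;` still references a zone declared nowhere, as noted on patch 04. `proxy_pass http://flower:8888;` is again a Docker hostname; a later patch drops the block, which is the right call unless flower is actually run locally.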
@@ -45,9 +45,4 @@ location __PATH__/ {
 access_log off;
 }
- # monitor the celery queues with flower, no caching enabled
- location /flower/ {
- proxy_pass http://flower:8888;
- proxy_cache_bypass 1;
- }
 }
From 131109e8c31c3875e4132b6f4ea025d65cf80c09 Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 22:12:53 +0100
Subject: [PATCH 11/15] Update restore
---
 scripts/restore | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/scripts/restore b/scripts/restore
index b0c0d06..0275776 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -118,14 +118,6 @@ ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
 ynh_psql_execute_as_root --sql="ALTER USER $db_user CREATEDB;"
 ynh_psql_execute_file_as_root --file="./db.sql" --database="$db_name"
-#=================================================
-# RESTORE VARIOUS FILES
-#=================================================
-ynh_script_progression --message="Restoring various files..." --weight=1
-
-ynh_restore_file --origin_path="/etc/cron.d/$app"
-
-ynh_restore_file --origin_path="/etc/$app/"
 #=================================================
 # RESTORE SYSTEMD
From b089588c9d4e4f904d43de84d7de0e706b541b64 Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 22:17:03 +0100
Subject: [PATCH 12/15] Update nginx.conf
---
 conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index ba03db1..1133678 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -41,7 +41,7 @@ location __PATH__/ {
 location ~ ^/(images|static)/ {
 root /app;
 try_files $uri =404;
- add_header X-Cache-Status STATIC;
+ more_set_headers X-Cache-Status STATIC;
 access_log off;
 }
From 012c48eb63cea54b5b1f55c364f905f95b662966 Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 22:29:03 +0100
Subject: [PATCH 13/15] Update nginx.conf
---
 conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 1133678..4e381f3 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -41,7 +41,7 @@ location __PATH__/ {
 location ~ ^/(images|static)/ {
 root /app;
 try_files $uri =404;
- more_set_headers X-Cache-Status STATIC;
+ more_set_headers "X-Cache-Status STATIC";
 access_log off;
 }
From 426b8d7cfa0fc1b04d9b4c9b2ee16bccd48468bd Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 22:33:06 +0100
Subject: [PATCH 14/15] Update nginx.conf
---
 conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 4e381f3..fb4cd15 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -41,7 +41,7 @@ location __PATH__/ {
 location ~ ^/(images|static)/ {
 root /app;
 try_files $uri =404;
- more_set_headers "X-Cache-Status STATIC";
+ more_set_headers "X-Cache-Status: STATIC";
 access_log off;
 }
From b50c465bdb94db905dbe332a24a1786a72239a40 Mon Sep 17 00:00:00 2001
From: oufmilo <44617467+oufmilo@users.noreply.github.com>
Date: Thu, 22 Dec 2022 22:41:35 +0100
Subject: [PATCH 15/15] Update check_process
---
 check_process | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/check_process b/check_process
index c1a65ce..aa34bbd 100644
--- a/check_process
+++ b/check_process
@@ -14,7 +14,7 @@ upgrade=1
 #upgrade=1 from_commit=CommitHash
 backup_restore=1
- multi_instance=0
+ multi_instance=1
 change_url=0
 ;;; Options
 Email=oufmilo@protonmail.com
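Review bot: `multi_instance=1` declares the package safe to install several times, but nothing in this series makes that true: the nginx conf from patches 08–10 anchors its `location` regexes at `^/` and uses a fixed `root /app;`, the `location /api/updates/` prefix only nests under `location __PATH__/` when the path is `/`, and `.env.production` pins `FLOWER_PORT=8888` and the Redis ports, so a second instance on the same domain would either fail nginx's config test or collide with the first. Either keep `multi_instance=0` until the conf is parameterised on `__PATH__` and per-instance ports, or add a comment on this line pointing at the follow-up that makes it hold. `change_url=0` on the next line is consistent with the conf being root-only and should stay that way for now.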