systemd.service

2024-09-03 18:36:30 +02:00 · 2024-04-11 19:53:18 +02:00 · 2024-04-11 19:53:18 +02:00 · 87b416a658
commit 87b416a658
parent 759b820e38
3 changed files with 72 additions and 5 deletions
--- a/conf/flohmarkt.conf
+++ b/conf/flohmarkt.conf
@ -6,7 +6,7 @@ JwtSecret = __JWTSECRET__
 DataPath = __DATA_DIR__

 [Database]
-Server = https://__APP__:__PASSWORD_COUCHDB_ADMIN__@127.0.0.1:__PORT_COUCHDB__/
+Server = http://__APP__:__PASSWORD_COUCHDB_ADMIN__@127.0.0.1:__PORT_COUCHDB__/

 [SMTP]
 Server = 127.0.0.1
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -0,0 +1,48 @@
+[Unit]
+Description=flohmarkt server
+After=network.target couchdb.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/__APP__
+Environment="UVICORN_PORT=__PORT__"
+Environment="VENV_DIR=__INSTALL_DIR__/venv/"
+Environment="UVICORN_HOST=__127.0.0.1__"
+ExecStart=__INSTALL_DIR__/venv/bin/uvicorn --reload flohmarkt:app
+StandardOutput=append:/var/log/__APP__/__APP__.log
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
--- a/scripts/install
+++ b/scripts/install
@ -44,6 +44,10 @@ chmod 750 "$install_dir"
 chmod -R o-rwx "$install_dir"
 chown -R "$app:$app" "$install_dir"

+# INTEGRATE SERVICE IN YUNOHOST
+# ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
+# yunohost service add $app --description="war mal couchdb" --log="/var/log/$app/$app.log"
+
 # get flohmarkt
 ynh_setup_source --dest_dir="$install_dir/$app/"

@ -64,9 +68,18 @@ python3 -m venv --without-pip "$install_dir/venv"
 # JwtSecret
 jwtsecret=$(openssl rand 256 | base64 -w 0)

-# @@ configure
+# generate flohmarkt.conf
 ynh_add_config --template="../conf/flohmarkt.conf" --destination="$install_dir/$app/flohmarkt.conf"

+# setup couchdb
+(
+    set +o nounset
+    source "$install_dir/venv/bin/activate"
+    set -o nounset
+    cd "$install_dir/$app"
+    python3 initialize_couchdb.py bla42fasel bla42fasel
+)
+
 # SETUP LOGROTATE
 ynh_script_progression --message="Configuring log rotation..." --weight=2
 # Use logrotate to manage application logfile(s)
@ -78,9 +91,13 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=3
 # Create a dedicated NGINX config
 ynh_add_nginx_config

-# INTEGRATE SERVICE IN YUNOHOST
+# systemd.service
+ynh_script_progression --message="Configuring a systemd service..." --weight=1
+# Create a dedicated systemd config
+ynh_add_systemd_config
+# integrate into yunohost
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
-yunohost service add $app --description="Open-source document-oriented NoSQL database" --log="/var/log/$app/$app.log" --needs_exposed_ports "$port"
+yunohost service add $app --description="A self-hosted, single-user, ActivityPub powered microblog." --log="/var/log/$app/$app.log"

 # SETUP FAIL2BAN
 # no need for couchdb, because it will not listen externally
@ -89,5 +106,7 @@ yunohost service add $app --description="Open-source document-oriented NoSQL dat
 # # Create a dedicated Fail2Ban config
 # ynh_add_fail2ban_config --logpath="/var/log/couchdb/couchdb.log" --failregex="[warning] .*couch_httpd_auth: Authentication failed for user .+ from <HOST>" --max_retry=5

-# qed
+# @@ logrotation
+
 ynh_script_progression --message="Installation of $app completed" --last
+# qed