diff --git a/conf/flohmarkt.conf b/conf/flohmarkt.conf
index 211f409..a4d4215 100644
--- a/conf/flohmarkt.conf
+++ b/conf/flohmarkt.conf
@@ -6,7 +6,7 @@ JwtSecret = __JWTSECRET__
 DataPath = __DATA_DIR__
 
 [Database]
-Server = https://__APP__:__PASSWORD_COUCHDB_ADMIN__@127.0.0.1:__PORT_COUCHDB__/
+Server = http://__APP__:__PASSWORD_COUCHDB_ADMIN__@127.0.0.1:__PORT_COUCHDB__/
 
 [SMTP]
 Server = 127.0.0.1
diff --git a/conf/systemd.service b/conf/systemd.service
new file mode 100644
index 0000000..2d1f911
--- /dev/null
+++ b/conf/systemd.service
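Review bot: Switching the scheme to plain http leaves the CouchDB admin password embedded in the `Server` URL travelling unencrypted, which is only acceptable because the host is the loopback address 127.0.0.1, and that assumption is not recorded anywhere in the template. A full-line comment above the key would stop a later edit from pointing it at a remote host, e.g. `; plain http: CouchDB is reached on the loopback interface only; use https if this host ever changes`. Separately, the application connects as the CouchDB server admin; a dedicated CouchDB user restricted to the application's own database would follow least privilege, provided the install step that initializes CouchDB (not visible in this hunk) can create one.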
@@ -0,0 +1,48 @@
+[Unit]
+Description=flohmarkt server
+After=network.target couchdb.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/__APP__
+Environment="UVICORN_PORT=__PORT__"
+Environment="VENV_DIR=__INSTALL_DIR__/venv/"
+Environment="UVICORN_HOST=__127.0.0.1__"
+ExecStart=__INSTALL_DIR__/venv/bin/uvicorn --reload flohmarkt:app
+StandardOutput=append:/var/log/__APP__/__APP__.log
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/install b/scripts/install
index 205739a..012550f 100755
--- a/scripts/install
+++ b/scripts/install
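Review bot: `Environment="UVICORN_HOST=__127.0.0.1__"` does not look like a valid template placeholder: every other placeholder in this unit names a variable (`__APP__`, `__PORT__`, `__INSTALL_DIR__`), so `__127.0.0.1__` will presumably be left untouched by the substitution and uvicorn will try to bind to a host literally named `__127.0.0.1__` instead of the loopback address; it should read `Environment="UVICORN_HOST=127.0.0.1"`. `ExecStart` also passes `--reload`, uvicorn's development auto-reloader, which watches the working directory and restarts the server whenever a file there changes; a production unit should not carry it, i.e. `ExecStart=__INSTALL_DIR__/venv/bin/uvicorn flohmarkt:app`. The sandboxing block is otherwise a reasonable baseline for a loopback-only web service.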
@@ -44,6 +44,10 @@ chmod 750 "$install_dir"
 chmod -R o-rwx "$install_dir"
 chown -R "$app:$app" "$install_dir"
 
+# INTEGRATE SERVICE IN YUNOHOST
+# ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
+# yunohost service add $app --description="war mal couchdb" --log="/var/log/$app/$app.log"
+
 # get flohmarkt
 ynh_setup_source --dest_dir="$install_dir/$app/"
 
@@ -64,9 +68,18 @@ python3 -m venv --without-pip "$install_dir/venv"
 # JwtSecret
 jwtsecret=$(openssl rand 256 | base64 -w 0)
 
-# @@ configure
+# generate flohmarkt.conf
 ynh_add_config --template="../conf/flohmarkt.conf" --destination="$install_dir/$app/flohmarkt.conf"
 
+# setup couchdb
+(
+    set +o nounset
+    source "$install_dir/venv/bin/activate"
+    set -o nounset
+    cd "$install_dir/$app"
+    python3 initialize_couchdb.py bla42fasel bla42fasel
+)
+
 # SETUP LOGROTATE
 ynh_script_progression --message="Configuring log rotation..." --weight=2
 # Use logrotate to manage application logfile(s)
@@ -78,9 +91,13 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=3
 # Create a dedicated NGINX config
 ynh_add_nginx_config
 
-# INTEGRATE SERVICE IN YUNOHOST
+# systemd.service
+ynh_script_progression --message="Configuring a systemd service..." --weight=1
+# Create a dedicated systemd config
+ynh_add_systemd_config
+# integrate into yunohost
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
-yunohost service add $app --description="Open-source document-oriented NoSQL database" --log="/var/log/$app/$app.log" --needs_exposed_ports "$port"
+yunohost service add $app --description="A self-hosted, single-user, ActivityPub powered microblog." --log="/var/log/$app/$app.log"
 
 # SETUP FAIL2BAN
 # no need for couchdb, because it will not listen externally
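Review bot: The three commented-out lines added after the `chown` are a dead copy of the service registration that this same change performs live further down in the script (`yunohost service add $app ...` in the later hunk), and the description `war mal couchdb` reads as a leftover from whichever package this script was copied from. Commented-out code with no explanation tends to be re-enabled by mistake; either delete the block or replace it with a one-line reason for keeping it, e.g. `# service registration is done after the systemd unit is installed, see below`.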
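Review bot: `python3 initialize_couchdb.py bla42fasel bla42fasel` hands the initializer two fixed placeholder strings; if those are the credentials it uses to set up CouchDB, every installation ends up with the same literal value, while the configuration template rendered two lines earlier references a generated `__PASSWORD_COUCHDB_ADMIN__`. The arguments should come from the script's variables (the ones behind the template placeholders) rather than constants; what the two positional arguments mean is not visible in this diff, so the exact call cannot be given here. The subshell's exit status is also not checked: if the script runs under errexit via ynh_abort_if_errors a failed initialization aborts the install as intended, otherwise it is silently ignored and should get an explicit `|| ynh_die --message="CouchDB initialization failed"`.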
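Review bot: The new service description `A self-hosted, single-user, ActivityPub powered microblog.` appears to describe a different application than the `flohmarkt server` named in the unit file added by this change, which suggests a copy-paste from another package's install script; it should describe this app. Dropping `--needs_exposed_ports "$port"` is consistent with uvicorn binding to the loopback address behind NGINX. As a point of style, `$app` is unquoted in the `yunohost service add` line while every other expansion in this script is quoted; `yunohost service add "$app" ...` keeps it consistent.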
@@ -89,5 +106,7 @@ yunohost service add $app --description="Open-source document-oriented NoSQL dat
 #
 # Create a dedicated Fail2Ban config
 # ynh_add_fail2ban_config --logpath="/var/log/couchdb/couchdb.log" --failregex="[warning] .*couch_httpd_auth: Authentication failed for user .+ from " --max_retry=5
-# qed
+# @@ logrotation
+
 ynh_script_progression --message="Installation of $app completed" --last
+# qed
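Review bot: `# @@ logrotation` reads as an unfinished marker rather than a comment, and the same `@@` marker style was just removed elsewhere in this change (`# @@ configure`); logrotate is already configured earlier in this script under `# SETUP LOGROTATE`. If something about log rotation is still pending, say what, e.g. `# TODO: verify logrotate picks up /var/log/$app/$app.log`; otherwise drop the line.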