mirror of
https://github.com/YunoHost-Apps/freshrss_ynh.git
synced 2024-09-03 18:36:33 +02:00
Fail2ban (#171)
* fix SC2086 linter alerts
* tidying up
* add fail2ban
* add fail2ban
* fix install: "Have not found any log file for freshrss jail"
* sigh I'm dumdum... / fix touch path while installing fail2ban
* while upgrading, create the logfile for fail2ban if it doesn't exist
* reduce warns that freshrss returns and which may worry users
parent
3a60dd3b2d
commit
8d51003b97
6 changed files with 149 additions and 20 deletions
|
@ -41,6 +41,13 @@ ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
|
||||||
|
|
||||||
ynh_backup --src_path="/etc/logrotate.d/$app"
|
ynh_backup --src_path="/etc/logrotate.d/$app"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# BACKUP FAIL2BAN CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf"
|
||||||
|
ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# BACKUP VARIOUS FILES
|
# BACKUP VARIOUS FILES
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
|
@ -25,7 +25,7 @@ ynh_change_url_nginx_config
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Upgrading FreshRSS..." --weight=1
|
ynh_script_progression --message="Upgrading FreshRSS..." --weight=1
|
||||||
|
|
||||||
ynh_exec_as $app $install_dir/cli/reconfigure.php --auth_type http_auth --environment production --base_url https://$new_domain$new_path --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name
|
ynh_exec_warn_less ynh_exec_as "$app" "$install_dir/cli/reconfigure.php" --auth_type http_auth --environment production --base_url "https://$new_domain$new_path" --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user "$db_name" --db-password "$db_pwd" --db-base "$db_name"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# END OF SCRIPT
|
# END OF SCRIPT
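Review bot: Nothing in this file's changes updates the fail2ban jail after a domain change, while the install and upgrade scripts in this commit key the jail's `--logpath` on `/var/log/${domain}-access.log`. Once `change_url` moves the app to `$new_domain`, the jail would presumably keep reading the old domain's log until the next upgrade, so failed API logins on the new domain go uncounted. Consider re-running `ynh_add_fail2ban_config` here with the new domain's log path. The rest of the script lies outside this hunk, so confirm it is not already handled there.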
|
||||||
|
|
|
@ -18,7 +18,7 @@ ynh_script_progression --message="Setting up source files..." --weight=1
|
||||||
ynh_setup_source --dest_dir="$install_dir"
|
ynh_setup_source --dest_dir="$install_dir"
|
||||||
|
|
||||||
chmod -R o-rwx "$install_dir"
|
chmod -R o-rwx "$install_dir"
|
||||||
chown -R $app:www-data "$install_dir"
|
chown -R "$app":www-data "$install_dir"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SYSTEM CONFIGURATION
|
# SYSTEM CONFIGURATION
|
||||||
|
@ -36,11 +36,30 @@ chown root: "/etc/cron.d/$app"
|
||||||
chmod 644 "/etc/cron.d/$app"
|
chmod 644 "/etc/cron.d/$app"
|
||||||
|
|
||||||
log_path="/var/log/$app"
|
log_path="/var/log/$app"
|
||||||
mkdir -p $log_path
|
mkdir -p "$log_path"
|
||||||
chown $app:www-data $log_path
|
chown "$app":www-data "$log_path"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# GENERIC FINALIZATION
|
||||||
|
#=================================================
|
||||||
|
# SETUP LOGROTATE
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Configuring log rotation..." --weight=1
|
||||||
|
|
||||||
# Use logrotate to manage application logfile(s)
|
# Use logrotate to manage application logfile(s)
|
||||||
ynh_use_logrotate
|
ynh_use_logrotate
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# SETUP FAIL2BAN
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Upgrading fail2ban configuration..."
|
||||||
|
|
||||||
|
# Create the logfile, required before configuring fail2ban
|
||||||
|
touch "/var/log/${domain}-access.log"
|
||||||
|
|
||||||
|
# Create a dedicated Fail2Ban config
|
||||||
|
ynh_add_fail2ban_config --logpath="/var/log/${domain}-access.log" --failregex="<HOST> .* \"GET /api/.*\" 401" --max_retry=5
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SPECIFIC SETUP
|
# SPECIFIC SETUP
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -48,12 +67,12 @@ ynh_use_logrotate
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="FreshRSS setup..." --weight=1
|
ynh_script_progression --message="FreshRSS setup..." --weight=1
|
||||||
|
|
||||||
ynh_exec_as $app $install_dir/cli/do-install.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name
|
ynh_exec_warn_less ynh_exec_as "$app" "$install_dir/cli/do-install.php" --default_user "$admin" --auth_type http_auth --environment production --base_url "https://$domain$path" --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user "$db_name" --db-password "$db_pwd" --db-base "$db_name"
|
||||||
|
|
||||||
for myuser in $(ynh_user_list)
|
for myuser in $(ynh_user_list)
|
||||||
do
|
do
|
||||||
user_token=$(ynh_string_random)
|
user_token=$(ynh_string_random)
|
||||||
ynh_exec_as $app $install_dir/cli/create-user.php --user $myuser --language $language --token $user_token
|
ynh_exec_as "$app" "$install_dir/cli/create-user.php" --user "$myuser" --language "$language" --token "$user_token"
|
||||||
done
|
done
|
||||||
|
|
||||||
#=================================================
|
#=================================================
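Review bot: The jail's `--logpath` in the SETUP FAIL2BAN block points at `/var/log/${domain}-access.log`, which is probably not where nginx writes this vhost's access log; YunoHost's nginx configuration normally logs to `/var/log/nginx/<domain>-access.log` (confirm on a test install). If so, the preceding `touch` creates an empty file that nothing appends to, fail2ban starts without complaint, and no address is ever banned. Pointing both the `touch` and the helper at the nginx log, e.g. `--logpath="/var/log/nginx/${domain}-access.log"`, would make the jail effective. The same two lines appear in the upgrade script.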
|
||||||
|
|
|
@ -16,18 +16,54 @@ source /usr/share/yunohost/helpers
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Removing system configurations related to $app..." --weight=1
|
ynh_script_progression --message="Removing system configurations related to $app..." --weight=1
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# REMOVE NGINX CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1
|
||||||
|
|
||||||
# Remove the dedicated NGINX config
|
# Remove the dedicated NGINX config
|
||||||
ynh_remove_nginx_config
|
ynh_remove_nginx_config
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# REMOVE PHP CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Removing PHP configuration..." --weight=1
|
||||||
|
|
||||||
# Remove the dedicated PHP-FPM config
|
# Remove the dedicated PHP-FPM config
|
||||||
ynh_remove_fpm_config
|
ynh_remove_fpm_config
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# REMOVE CRON CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Removing Cron configuration..." --weight=1
|
||||||
|
|
||||||
# Remove a cron file
|
# Remove a cron file
|
||||||
ynh_secure_remove --file="/etc/cron.d/$app"
|
ynh_secure_remove --file="/etc/cron.d/$app"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# REMOVE LOG FILES
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Removing log files..." --weight=1
|
||||||
|
|
||||||
# Remove the log files
|
# Remove the log files
|
||||||
ynh_secure_remove --file="/var/log/$app"
|
ynh_secure_remove --file="/var/log/$app"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# REMOVE LOGROTATE CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Removing logrotate configuration..." --weight=1
|
||||||
|
|
||||||
|
# Remove the app-specific logrotate config
|
||||||
|
ynh_remove_logrotate
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# REMOVE FAIL2BAN CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
ynh_script_progression --message="Removing fail2ban configuration..." --weight=1
|
||||||
|
|
||||||
|
ynh_remove_fail2ban_config
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# END OF SCRIPT
|
# END OF SCRIPT
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
|
@ -18,14 +18,14 @@ ynh_script_progression --message="Restoring the app main directory..." --weight=
|
||||||
ynh_restore_file --origin_path="$install_dir"
|
ynh_restore_file --origin_path="$install_dir"
|
||||||
|
|
||||||
chmod -R o-rwx "$install_dir"
|
chmod -R o-rwx "$install_dir"
|
||||||
chown -R $app:www-data "$install_dir"
|
chown -R "$app":www-data "$install_dir"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RESTORE THE MYSQL DATABASE
|
# RESTORE THE MYSQL DATABASE
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Restoring the MySQL database..." --weight=1
|
ynh_script_progression --message="Restoring the MySQL database..." --weight=1
|
||||||
|
|
||||||
ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./db.sql
|
ynh_mysql_connect_as --user="$db_user" --password="$db_pwd" --database="$db_name" < ./db.sql
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RESTORE SYSTEM CONFIGURATIONS
|
# RESTORE SYSTEM CONFIGURATIONS
|
||||||
|
@ -36,15 +36,44 @@ ynh_script_progression --message="Restoring system configurations related to $ap
|
||||||
|
|
||||||
ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
|
ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# RESTORE THE NGINX CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Restoring the NGINX configuration..." --weight=1
|
||||||
|
|
||||||
ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
|
ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# RESTORE THE CRON CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Restoring the Cron configuration..." --weight=1
|
||||||
|
|
||||||
ynh_restore_file --origin_path="/etc/cron.d/$app"
|
ynh_restore_file --origin_path="/etc/cron.d/$app"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# RESTORE THE LOG FILES
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Restoring the log files..." --weight=1
|
||||||
|
|
||||||
log_path="/var/log/$app"
|
log_path="/var/log/$app"
|
||||||
mkdir -p $log_path
|
mkdir -p "$log_path"
|
||||||
chown $app:www-data $log_path
|
chown "$app":www-data "$log_path"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# RESTORE THE LOGROTATE CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Restoring the logrotate configuration..." --weight=1
|
||||||
|
|
||||||
ynh_restore_file --origin_path="/etc/logrotate.d/$app"
|
ynh_restore_file --origin_path="/etc/logrotate.d/$app"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# RESTORE THE FAIL2BAN CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"
|
||||||
|
ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf"
|
||||||
|
ynh_systemd_action --action=restart --service_name=fail2ban
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# GENERIC FINALIZATION
|
# GENERIC FINALIZATION
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -52,7 +81,7 @@ ynh_restore_file --origin_path="/etc/logrotate.d/$app"
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1
|
ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1
|
||||||
|
|
||||||
ynh_systemd_action --service_name=php$phpversion-fpm --action=reload
|
ynh_systemd_action --service_name="php$phpversion-fpm" --action=reload
|
||||||
ynh_systemd_action --service_name=nginx --action=reload
|
ynh_systemd_action --service_name=nginx --action=reload
|
||||||
|
|
||||||
#=================================================
|
#=================================================
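Review bot: The fail2ban restart in the RESTORE THE FAIL2BAN CONFIGURATION block runs without first making sure the jail's log file exists. The commit message records that install failed with "Have not found any log file for freshrss jail" until the file was created, and a restore onto a fresh host can hit the same condition; a fail2ban that fails to restart may leave every jail on the machine down. Mirroring the upgrade script's guard before the restart, `[ -f "/var/log/${domain}-access.log" ] || touch "/var/log/${domain}-access.log"`, would avoid that.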
|
||||||
|
|
|
@ -23,12 +23,12 @@ upgrade_type=$(ynh_check_app_version_changed)
|
||||||
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
|
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
|
||||||
|
|
||||||
if [ -z "$admin" ]; then
|
if [ -z "$admin" ]; then
|
||||||
admin=$(ynh_app_setting_get --app=$app --key=admin_user)
|
admin=$(ynh_app_setting_get --app="$app" --key=admin_user)
|
||||||
if [ -z $admin ]; then
|
if [ -z "$admin" ]; then
|
||||||
ynh_die --message="no admin user found"
|
ynh_die --message="no admin user found"
|
||||||
fi;
|
fi;
|
||||||
ynh_app_setting_delete --app=$app --key=admin_user
|
ynh_app_setting_delete --app="$app" --key=admin_user
|
||||||
ynh_app_setting_set --app=$app --key=admin --value=$admin
|
ynh_app_setting_set --app="$app" --key=admin --value="$admin"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -44,37 +44,75 @@ then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
chmod -R o-rwx "$install_dir"
|
chmod -R o-rwx "$install_dir"
|
||||||
chown -R $app:www-data "$install_dir"
|
chown -R "$app":www-data "$install_dir"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# REAPPLY SYSTEM CONFIGURATIONS
|
# REAPPLY SYSTEM CONFIGURATIONS
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Upgrading system configurations related to $app..." --weight=1
|
ynh_script_progression --message="Upgrading system configurations related to $app..." --weight=1
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# PHP CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Upgrading PHP configuration..."
|
||||||
|
|
||||||
# Create a dedicated PHP-FPM config
|
# Create a dedicated PHP-FPM config
|
||||||
ynh_add_fpm_config
|
ynh_add_fpm_config
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# NGINX CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Upgrading NGINX web server configuration..."
|
||||||
|
|
||||||
# Create a dedicated NGINX config
|
# Create a dedicated NGINX config
|
||||||
ynh_add_nginx_config
|
ynh_add_nginx_config
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# CRON CONFIGURATION
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Upgrading Cron configuration..."
|
||||||
|
|
||||||
ynh_add_config --template="../conf/freshrss.cron" --destination="/etc/cron.d/$app"
|
ynh_add_config --template="../conf/freshrss.cron" --destination="/etc/cron.d/$app"
|
||||||
chown root: "/etc/cron.d/$app"
|
chown root: "/etc/cron.d/$app"
|
||||||
chmod 644 "/etc/cron.d/$app"
|
chmod 644 "/etc/cron.d/$app"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# LOG FILES
|
||||||
|
#=================================================
|
||||||
|
|
||||||
if [ -f /tmp/FreshRSS.log ]; then
|
if [ -f /tmp/FreshRSS.log ]; then
|
||||||
ynh_secure_remove --file="/tmp/FreshRSS.log"
|
ynh_secure_remove --file="/tmp/FreshRSS.log"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f $install_dir/$app.log ]; then
|
if [ -f "$install_dir/$app.log" ]; then
|
||||||
ynh_secure_remove --file="/var/www/$app/$app.log"
|
ynh_secure_remove --file="/var/www/$app/$app.log"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
log_path="/var/log/$app"
|
log_path="/var/log/$app"
|
||||||
mkdir -p $log_path
|
mkdir -p "$log_path"
|
||||||
chown $app:www-data "$log_path"
|
chown "$app":www-data "$log_path"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# SETUP LOGROTATE
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Upgrading logrotate configuration..."
|
||||||
|
|
||||||
# Use logrotate to manage app-specific logfile(s)
|
# Use logrotate to manage app-specific logfile(s)
|
||||||
ynh_use_logrotate --non-append
|
ynh_use_logrotate --non-append
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# SETUP FAIL2BAN
|
||||||
|
#=================================================
|
||||||
|
ynh_script_progression --message="Upgrading fail2ban configuration..."
|
||||||
|
|
||||||
|
# If it doesn't exist, create the logfile, required before configuring fail2ban
|
||||||
|
if [ ! -f "/var/log/${domain}-access.log" ]; then
|
||||||
|
touch "/var/log/${domain}-access.log"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create a dedicated Fail2Ban config
|
||||||
|
ynh_add_fail2ban_config --logpath="/var/log/${domain}-access.log" --failregex="<HOST> .* \"GET /api/.*\" 401" --max_retry=5
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SPECIFIC UPGRADE
|
# SPECIFIC UPGRADE
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -83,7 +121,7 @@ ynh_use_logrotate --non-append
|
||||||
ynh_script_progression --message="Upgrading FreshRSS..." --weight=1
|
ynh_script_progression --message="Upgrading FreshRSS..." --weight=1
|
||||||
|
|
||||||
# reconfigure application with latest parameters
|
# reconfigure application with latest parameters
|
||||||
ynh_exec_as $app $install_dir/cli/reconfigure.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name
|
ynh_exec_warn_less ynh_exec_as "$app" "$install_dir/cli/reconfigure.php" --default_user "$admin" --auth_type http_auth --environment production --base_url "https://$domain$path" --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user "$db_name" --db-password "$db_pwd" --db-base "$db_name"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# END OF SCRIPT
|
# END OF SCRIPT
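Review bot: The `--failregex` passed to `ynh_add_fail2ban_config` in the SETUP FAIL2BAN block only matches `"GET /api/…" 401`, so it misses two cases. Failed API logins sent as POST are not counted, and when the app is installed under a sub-path the request line reads `GET $path/api/…` (the script passes `https://$domain$path` as the base URL) and never matches. Something like `--failregex="^<HOST> .* \"(GET|POST) ${path%/}/api/.*\" 401"` would cover both and, assuming the default nginx log format, anchor the client address at the start of the line. The install script carries the identical pattern.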
|
||||||
|
|