diff --git a/README.md b/README.md index 6ba8bd8..2f5f729 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ @@ -20,7 +20,7 @@ Friendica is a decentralised communications platform that integrates social comm Friendica connects you effortlessly to a federated communications network of several thousand servers, with more than half a million user registrations. You can directly connect to anyone on Friendica, Mastodon, Diaspora, GnuSocial, Pleroma, or Hubzilla, regardless where each user profile is hosted. -**Shipped version:** 2023.12~ynh2 +**Shipped version:** 2023.12~ynh3 **Demo:** https://dir.friendica.social/servers @@ -49,4 +49,4 @@ or sudo yunohost app upgrade friendica -u https://github.com/YunoHost-Apps/friendica_ynh/tree/testing --debug ``` -**More info regarding app packaging:** +**More info regarding app packaging:** \ No newline at end of file diff --git a/README_fr.md b/README_fr.md index e36af15..c3a0b53 100644 --- a/README_fr.md +++ b/README_fr.md @@ -1,5 +1,5 @@ @@ -20,7 +20,7 @@ Friendica is a decentralised communications platform that integrates social comm Friendica connects you effortlessly to a federated communications network of several thousand servers, with more than half a million user registrations. You can directly connect to anyone on Friendica, Mastodon, Diaspora, GnuSocial, Pleroma, or Hubzilla, regardless where each user profile is hosted. -**Version incluse :** 2023.12~ynh2 +**Version incluse :** 2023.12~ynh3 **Démo :** https://dir.friendica.social/servers diff --git a/conf/addon.config.php b/conf/addon.config.php index c2800ff..d8e4949 100644 --- a/conf/addon.config.php +++ b/conf/addon.config.php @@ -1,6 +1,7 @@ [ 'ldap_server' => 'localhost', diff --git a/conf/cron b/conf/cron deleted file mode 100644 index e7e5fd1..0000000 --- a/conf/cron +++ /dev/null @@ -1,2 +0,0 @@ -# Run poller periodically to update Friendica -*/10 * * * * __APP__ /usr/bin/php__PHPVERSION__ -f __INSTALL_DIR__/bin/worker.php \ No newline at end of file 
diff --git a/conf/local-sample.config.php b/conf/local-sample.config.php index be4e5a4..9865bb8 100644 --- a/conf/local-sample.config.php +++ b/conf/local-sample.config.php @@ -1,20 +1,8 @@ [ @@ -37,11 +25,17 @@ return [ 'sitename' => 'Friendica Social Network', 'register_policy' => \Friendica\Module\Register::OPEN, 'max_import_size' => 200000, + 'register_text' => '', ], 'system' => [ 'url' => 'https://__DOMAIN__', 'basepath' => '__INSTALL_DIR__', 'default_timezone' => '__TIMEZONE__', 'language' => '__LANGUAGE__', + 'pidfile' => '__INSTALL_DIR__/daemon.pid', + // Blocks search for users who are not logged in to prevent crawlers from blocking your system. + 'local_search' => false, + 'logfile' => '/var/log/friendica/friendica.log', + 'loglevel' => 'notice', ], ]; diff --git a/conf/systemd.service b/conf/systemd.service new file mode 100644 index 0000000..337fc3e --- /dev/null +++ b/conf/systemd.service 
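Review bot: `'logfile' => '/var/log/friendica/friendica.log'` hardcodes the app id while every other path in this commit is derived from the app name (`/var/log/__APP__/daemon.log` in the systemd unit, `/var/log/$app` in the backup and restore scripts), so a second instance with a different app id would write its application log into a directory the packaging never creates, backs up or (presumably) rotates. `'logfile' => '/var/log/__APP__/friendica.log'` keeps the file inside the directory the scripts own. Since the PHP processes run as `__APP__`, that directory must be writable by that user; the install script that would set that ownership is outside this hunk, so worth confirming. `'loglevel' => 'notice'` and `'local_search' => false` are sensible production defaults.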
@@ -0,0 +1,59 @@ +[Unit] +Description=Friendica daemon +After=network.target mariadb.service +Requires=network.target remote-fs.target nss-lookup.target + +[Service] +User=__APP__ +Group=__APP__ +WorkingDirectory=__INSTALL_DIR__/ +Type=simple +StandardOutput=append:/var/log/__APP__/daemon.log +StandardError=inherit +ExecStart=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php start +ExecStop=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php stop +PIDFile=__INSTALL_DIR__/daemon.pid +PrivateTmp=true +InaccessibleDirectories=/home /root /boot /opt /mnt /media +ReadOnlyDirectories=/etc /usr +Restart=always +RestartSec=10 +StartLimitBurst=1 +StartLimitIntervalSec=10 + +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN 
CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/doc/POST_INSTALL.md b/doc/POST_INSTALL.md new file mode 100644 index 0000000..2ebd035 --- /dev/null +++ b/doc/POST_INSTALL.md @@ -0,0 +1 @@ +You can now login to using `__EMAIL__` and your usual YunoHost password. diff --git a/doc/POST_INSTALL_fr.md b/doc/POST_INSTALL_fr.md new file mode 100644 index 0000000..35a987b --- /dev/null +++ b/doc/POST_INSTALL_fr.md @@ -0,0 +1 @@ +Vous pouvez désormais vous connecter à en utilisant `__EMAIL__` et votre mot de passe YunoHost habituel. diff --git a/doc/PRE_UPGRADE.d/2023.12~ynh3.md b/doc/PRE_UPGRADE.d/2023.12~ynh3.md new file mode 100644 index 0000000..18b5ca9 --- /dev/null +++ b/doc/PRE_UPGRADE.d/2023.12~ynh3.md @@ -0,0 +1 @@ +This update will make your Friendica instance use a daemon to handle background tasks, instead of a cron. diff --git a/manifest.toml b/manifest.toml index 5af6989..0c6a3b0 100644 --- a/manifest.toml +++ b/manifest.toml @@ -1,3 +1,5 @@ +#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/manifest.v2.schema.json + packaging_format = 2 id = "friendica" @@ -5,7 +7,7 @@ name = "Friendica" description.en = "Decentralized Social Network" description.fr = "Réseau social décentralisé" -version = "2023.12~ynh2" +version = "2023.12~ynh3" maintainers = [ "" ] @@ -31,10 +33,6 @@ ram.runtime = "50M" [install.domain] type = "domain" - [install.init_main_permission] - type = "group" - default = "visitors" - [install.admin] type = "user" @@ -65,6 +63,9 @@ ram.runtime = "50M" [resources.permissions] main.url = "/" +main.show_tile = true +main.allowed = [ "visitors", "all_users" ] +main.protected = true [resources.apt] packages = "mariadb-server, php8.2-curl, php8.2-mbstring, php8.2-imagick, php8.2-xml, php8.2-zip, php8.2-mysql, php8.2-gd, php8.2-gmp, php8.2-intl" 
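Review bot: `Type=simple` together with `PIDFile=__INSTALL_DIR__/daemon.pid` is inconsistent, since `PIDFile=` is only used for `Type=forking`, and if `daemon.php start` detaches (the Friendica daemon has a foreground flag, so it presumably detaches by default — confirm), systemd sees the parent exit immediately, tears down the control group, `Restart=always` re-runs it, and `StartLimitBurst=1`/`StartLimitIntervalSec=10` then park the unit in the failed state with no background worker running. Pick one model deliberately: `Type=forking` with the existing `PIDFile=`, or `Type=simple` with the daemon run in the foreground. Smaller cleanups: `PrivateTmp=` is set twice, `InaccessibleDirectories=`/`ReadOnlyDirectories=` are the deprecated spellings of `InaccessiblePaths=`/`ReadOnlyPaths=` and are largely redundant with `ProtectSystem=full`, `StartLimitBurst=`/`StartLimitIntervalSec=` are `[Unit]` settings on current systemd, and `mariadb.service` appears in `After=` but not in `Requires=`/`Wants=`, so on boot the daemon may come up before the database. The hardening block (`NoNewPrivileges`, `RestrictAddressFamilies`, `SystemCallFilter`, the capability drops) is a solid baseline for a PHP worker running as `__APP__`.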
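Review bot: `main.allowed = [ "visitors", "all_users" ]` with `main.protected = true` removes the `init_main_permission` question from the installer without recording why, and an admin who later tries to restrict access from the permissions UI is blocked with no explanation. A comment above these lines would preserve the reasoning, e.g. `# Federation endpoints must stay reachable by unauthenticated remote servers, so the main permission is fixed to visitors and locked` — assuming that is the reason, which the hunk itself does not state. The new `doc/PRE_UPGRADE.d/2023.12~ynh3.md` notice mentions only the daemon change, so the permission change may be worth a sentence there as well.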
diff --git a/scripts/backup b/scripts/backup index ae1d9ef..572b62f 100644 --- a/scripts/backup +++ b/scripts/backup @@ -54,7 +54,8 @@ ynh_backup --src_path="/etc/logrotate.d/$app" # BACKUP VARIOUS FILES #================================================= -ynh_backup --src_path="/etc/cron.d/$app" +ynh_backup --src_path="/var/log/$app" +ynh_backup --src_path="/etc/systemd/system/$app-daemon.service" #================================================= # BACKUP THE MYSQL DATABASE diff --git a/scripts/change_url b/scripts/change_url index df843ac..c277451 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -16,6 +16,15 @@ ynh_script_progression --message="Updating NGINX web server configuration..." -- ynh_change_url_nginx_config +#================================================= +# MODIFY URL IN FRIENDICA CONF +#================================================= + +ynh_print_info --message="Updating the Friendica config..." + +ynh_replace_string --match_string="'url' => 'https://.*'," --replace_string="'url' => 'https://$domain'," --target_file="$install_dir/config/local.config.php" +ynh_store_file_checksum --file="$install_dir/config/local.config.php" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/install b/scripts/install index bc07915..9693a9e 100644 --- a/scripts/install +++ b/scripts/install @@ -48,12 +48,12 @@ ynh_script_progression --message="Adding system configurations related to $app.. # Create a dedicated PHP-FPM configy ynh_add_fpm_config +ynh_add_systemd_config --service="$app-daemon" + # Create a dedicated nginx config ynh_add_nginx_config -ynh_add_config --template="cron" --destination="/etc/cron.d/$app" -chown root: "/etc/cron.d/$app" -chmod 644 "/etc/cron.d/$app" +yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log" # Use logrotate to manage application logfile(s) ynh_use_logrotate 
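Review bot: The `ynh_replace_string` on `local.config.php` rewrites `system.url`, but the `$app-daemon` service introduced elsewhere in this commit is never restarted here, so if the daemon does not re-read its configuration on every cycle the background workers keep using the old URL until the next upgrade or reboot. Adding `ynh_systemd_action --service_name="$app-daemon" --action="restart" --log_path="/var/log/$app/daemon.log"` after the `ynh_store_file_checksum` line mirrors the stop/start the upgrade script does. The match pattern `'url' => 'https://.*',` is greedy and safe only while the setting sits alone on its line, which the `local-sample.config.php` template appears to guarantee; a short comment saying so would help the next editor.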
@@ -79,15 +79,19 @@ pushd "$install_dir" ynh_exec_as "$app" "php$phpversion" bin/composer.phar install --no-dev --quiet # Install application - ynh_exec_as "$app" "php$phpversion" bin/console.php autoinstall\ - --dbhost "localhost" --dbdata "$db_name" --dbuser "$db_user" --dbpass "$db_pwd"\ - --admin "$email" --tz "$timezone" --lang "$language" --url "https://$domain" + ynh_exec_as "$app" "php$phpversion" bin/console.php -f "$install_dir/config/local.config.php" # Enable LDAP Auth addon ynh_exec_as "$app" "php$phpversion" bin/console.php addon enable ldapauth - popd +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --weight=1 + +ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/remove b/scripts/remove index 6f01b8e..4ac1569 100644 --- a/scripts/remove +++ b/scripts/remove @@ -11,6 +11,17 @@ source /usr/share/yunohost/helpers #================================================= # REMOVE SYSTEM CONFIGURATIONS +#================================================= +# REMOVE SERVICE INTEGRATION IN YUNOHOST +#================================================= + +# Remove the service from the list of services known by YunoHost (added from `yunohost service add`) +if ynh_exec_warn_less yunohost service status "$app" >/dev/null +then + ynh_script_progression --message="Removing $app service integration..." --weight=1 + yunohost service remove "$app-daemon" +fi + #================================================= # REMOVE SYSTEMD SERVICE #================================================= 
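Review bot: `bin/console.php -f "$install_dir/config/local.config.php"` no longer names a console command — the removed lines invoked `bin/console.php autoinstall`, and `-f` is the autoinstall option for a prepared config file — so unless `-f` is also accepted as a global option this call prints usage or fails instead of installing, and the following `addon enable ldapauth` then runs against an uninitialised database. The intended line is presumably `ynh_exec_as "$app" "php$phpversion" bin/console.php autoinstall -f "$install_dir/config/local.config.php"`. If autoinstall rewrites `local.config.php` in place, the checksum stored by the earlier `ynh_add_config` (outside this hunk) no longer matches; an `ynh_store_file_checksum --file="$install_dir/config/local.config.php"` after the call would avoid a spurious conflict on the next upgrade.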
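Review bot: The guard queries `yunohost service status "$app"` but the service registered by install, upgrade and restore is `"$app-daemon"`, so the status check fails on the wrong name and `yunohost service remove "$app-daemon"` is never executed, leaving a stale entry in YunoHost's service list after the app is removed. Change the condition to `if ynh_exec_warn_less yunohost service status "$app-daemon" >/dev/null`. The progression message could likewise name `$app-daemon` so the log shows which service was removed.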
@@ -27,7 +38,7 @@ ynh_remove_logrotate ynh_remove_fail2ban_config -ynh_secure_remove --file="/etc/cron.d/$app" +ynh_remove_systemd_config --service="$app-daemon" #================================================= # END OF SCRIPT diff --git a/scripts/restore b/scripts/restore index 496e7a4..ecc27d9 100644 --- a/scripts/restore +++ b/scripts/restore @@ -17,6 +17,9 @@ ynh_script_progression --message="Restoring the app main directory..." --weight= ynh_restore_file --origin_path="$install_dir" +if [ -f "$install_dir/daemon.pid" ]; then ynh_secure_remove --file="$install_dir/daemon.pid"; fi + +chmod -R o-rwx "$install_dir" chown -R "$app:www-data" "$install_dir" chmod -R 775 "$install_dir/view/smarty3" @@ -38,14 +41,19 @@ ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_restore_file --origin_path="/etc/systemd/system/$app-daemon.service" +systemctl enable "$app-daemon.service" --quiet + +yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log" + +ynh_restore_file --origin_path="/var/log/$app" + ynh_restore_file --origin_path="/etc/logrotate.d/$app" ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf" ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf" ynh_systemd_action --action=restart --service_name=fail2ban -ynh_restore_file --origin_path="/etc/cron.d/$app" - #================================================= # GENERIC FINALIZATION #================================================= @@ -57,6 +65,8 @@ ynh_systemd_action --service_name="php$phpversion-fpm" --action=reload ynh_systemd_action --service_name=nginx --action=reload +ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log" + #============== # FINALIZATION #============== diff --git a/scripts/upgrade b/scripts/upgrade index 0ff2f28..4a1ca5b 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -20,7 +20,7 @@ upgrade_type=$(ynh_check_app_version_changed) #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=1 -ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name="$app-daemon" --action="stop" --log_path="/var/log/$app/daemon.log" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -51,9 +51,14 @@ ynh_add_fpm_config ynh_use_logrotate --non-append -ynh_add_config --template="cron" --destination="/etc/cron.d/$app" -chown root: "/etc/cron.d/$app" -chmod 644 "/etc/cron.d/$app" +if [ -f "/etc/cron.d/$app" ]; then + ynh_print_info --message="Removing the legacy cron..." + ynh_secure_remove --file="/etc/cron.d/$app" +fi + +ynh_add_systemd_config --service="$app-daemon" + +yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log" # Create a dedicated Fail2Ban config ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="^.*authenticate\: failed login attempt.*\"ip\"\:\"\".*$" 
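Review bot: `ynh_systemd_action --service_name="$app-daemon" --action="stop"` runs before the unit is created by `ynh_add_systemd_config` later in this script, so on the first upgrade from the cron-based 2023.12~ynh2 the unit does not exist; on my reading, `systemctl stop` of a unit that is not loaded exits non-zero and `ynh_systemd_action` returns that failure, which aborts the upgrade under `ynh_abort_if_errors`. Guard it the same way the legacy cron removal below is guarded: `if [ -e "/etc/systemd/system/$app-daemon.service" ]; then` / `    ynh_systemd_action --service_name="$app-daemon" --action="stop" --log_path="/var/log/$app/daemon.log"` / `fi`. If the CI upgrade from the `2023.01~ynh1` commit in tests.toml passes unchanged, the helper tolerates the missing unit and the guard is merely defensive, but it still documents the intent.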
@@ -65,7 +70,16 @@ ynh_script_progression --message="Updating a configuration file..." --weight=1 # fix the url if necessary (there should be no trailing slash) if [ -f "$install_dir/config/local.config.php" ] && ! grep -q -e "'url' => 'https://$domain'," "$install_dir/config/local.config.php"; then + ynh_print_info --message="Patching the Friendica config file: fix the domain setting..." ynh_replace_string --match_string="'url' => 'https://.*'," --replace_string="'url' => 'https://$domain'," --target_file="$install_dir/config/local.config.php" + ynh_store_file_checksum --file="$install_dir/config/local.config.php" +fi + +# add the path to the pidfile if missing +if [ -f "$install_dir/config/local.config.php" ] && ! grep -q -e "pidfile" "$install_dir/config/local.config.php"; then + ynh_print_info --message="Patching the Friendica config file: add the PID file path for the daemon..." + ynh_replace_string --match_string="'basepath' => '$install_dir'," --replace_string="'basepath' => '$install_dir',\n 'pidfile' => '$install_dir/daemon.pid'," --target_file="$install_dir/config/local.config.php" + ynh_store_file_checksum --file="$install_dir/config/local.config.php" fi #================================================= @@ -78,6 +92,13 @@ pushd "$install_dir" ynh_exec_as "$app" "php$phpversion" bin/console.php dbstructure update popd +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --weight=1 + +ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log" + #================================================= # END OF SCRIPT #================================================= diff --git a/tests.toml b/tests.toml index d83170e..5071587 100644 --- a/tests.toml +++ b/tests.toml 
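Review bot: The pidfile patch only fires when the exact text `'basepath' => '$install_dir',` is present; a config whose basepath line was edited or formatted differently passes the `grep -q -e "pidfile"` pre-check, gets nothing inserted, and the script goes on to start a daemon that, if I remember Friendica's daemon.php startup check correctly, refuses to run without `system.pidfile`. After the `ynh_replace_string`, a post-check such as `grep -q -e "pidfile" "$install_dir/config/local.config.php" || ynh_die --message="Could not add system.pidfile to local.config.php"` turns that silent miss into a clear upgrade failure. The `\n` in the replacement relies on GNU sed interpreting it in the right-hand side, which holds on Debian but deserves a one-line comment. Storing the checksum in both branches is the right follow-up.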
@@ -1,9 +1,13 @@ +#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/tests.v1.schema.json + test_format = 1.0 [default] - # ------------------------------- - # Commits to test upgrade from - # ------------------------------- +exclude = [ "install.private" ] - test_upgrade_from.dc7cd3eabe212708375c0dcd4ee994a1373a8122.name = "Upgrade from 2023.01~ynh1" \ No newline at end of file +# ------------------------------- +# Commits to test upgrade from +# ------------------------------- + +test_upgrade_from.dc7cd3eabe212708375c0dcd4ee994a1373a8122.name = "Upgrade from 2023.01~ynh1"
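Review bot: `exclude = [ "install.private" ]` gives no reason, and a reader has to cross-reference `manifest.toml`, where this commit fixes `main.allowed` to `visitors` and marks it `protected`, to understand why a private install cannot be tested. A comment such as `# install.private is not applicable: the main permission is fixed to visitors (see resources.permissions in manifest.toml)` above the line keeps the two files in sync.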