1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/friendica_ynh.git synced 2024-09-03 18:36:14 +02:00
* add schema

* add daemon

* finalization

* fixes

* systemd config renamed to $app-daemon

* fixes

* fixes

* gorgotten yunohost service remove "$app"

* fixes

* fix StandardOutput

* fix this damn pidfile

* better comment for posterity

* fix yunohost service remove

* update config files

* fix domain name change

* use the provided config file template at install

* Auto-update README

* post install: show explicitely the admin login (email)

* trying to fix the systemd config

* fix pidfile config indentation

* add log path

* remove irrelevant comment

* delete an eventual remaining daemon.pid at restoration

* fixes

* fix a typo for all_users

* adding comment: "Removing the cron..."

* use ynh_secure_remove instead of rm

* add pre upgrade message about the daemon

* fix service name

* comment

---------

Co-authored-by: yunohost-bot <yunohost@yunohost.org>
This commit is contained in:
OniriCorpe 2024-02-22 05:04:11 +01:00 committed by GitHub
parent f1890e8612
commit f3168788a6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
15 changed files with 145 additions and 32 deletions

View file

@ -1,6 +1,7 @@
<?php
// Addon configuration
// Copy this configuration file to addon.config.php and edit it if you want to configure addons, see below example for the twitter addon
// LDAP config for YunoHost
return [
'ldapauth' => [
'ldap_server' => 'localhost',

View file

@ -1,2 +0,0 @@
# Run poller periodically to update Friendica
*/10 * * * * __APP__ /usr/bin/php__PHPVERSION__ -f __INSTALL_DIR__/bin/worker.php

View file

@ -1,20 +1,8 @@
<?php
// Local configuration
// Docs: https://github.com/friendica/friendica/blob/stable/static/settings.config.php
/* If automatic system installation fails:
*
* Copy this file to local.config.php
*
* Why local.config.php? Because it contains sensitive information which could
* give somebody complete control of your database. Apache's default
* configuration will interpret any .php file as a script and won't show the values
*
* Then set the following for your MySQL installation
*
* If you're unsure about what any of the config keys below do, please check the static/defaults.config.php file for
* detailed documentation of their data type and behavior.
*/
return [
'database' => [
@ -37,11 +25,17 @@ return [
'sitename' => 'Friendica Social Network',
'register_policy' => \Friendica\Module\Register::OPEN,
'max_import_size' => 200000,
'register_text' => '',
],
'system' => [
'url' => 'https://__DOMAIN__',
'basepath' => '__INSTALL_DIR__',
'default_timezone' => '__TIMEZONE__',
'language' => '__LANGUAGE__',
'pidfile' => '__INSTALL_DIR__/daemon.pid',
// Blocks search for users who are not logged in to prevent crawlers from blocking your system.
'local_search' => false,
'logfile' => '/var/log/friendica/friendica.log',
'loglevel' => 'notice',
],
];

59
conf/systemd.service Normal file
View file

@ -0,0 +1,59 @@
[Unit]
Description=Friendica daemon
After=network.target mariadb.service
Requires=network.target remote-fs.target nss-lookup.target
[Service]
User=__APP__
Group=__APP__
WorkingDirectory=__INSTALL_DIR__/
Type=simple
StandardOutput=append:/var/log/__APP__/daemon.log
StandardError=inherit
ExecStart=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php start
ExecStop=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php stop
PIDFile=__INSTALL_DIR__/daemon.pid
PrivateTmp=true
InaccessibleDirectories=/home /root /boot /opt /mnt /media
ReadOnlyDirectories=/etc /usr
Restart=always
RestartSec=10
StartLimitBurst=1
StartLimitIntervalSec=10
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install]
WantedBy=multi-user.target

1
doc/POST_INSTALL.md Normal file
View file

@ -0,0 +1 @@
You can now login to <https://__DOMAIN__> using `__EMAIL__` and your usual YunoHost password.

1
doc/POST_INSTALL_fr.md Normal file
View file

@ -0,0 +1 @@
Vous pouvez désormais vous connecter à <https://__DOMAIN__> en utilisant `__EMAIL__` et votre mot de passe YunoHost habituel.

View file

@ -0,0 +1 @@
This update will make your Friendica instance use a daemon to handle background tasks, instead of a cron.

View file

@ -64,7 +64,7 @@ ram.runtime = "50M"
[resources.permissions]
main.url = "/"
main.show_tile = true
main.allowed = [ "visitors", "all-users" ]
main.allowed = [ "visitors", "all_users" ]
main.protected = true
[resources.apt]

View file

@ -54,7 +54,8 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
# BACKUP VARIOUS FILES
#=================================================
ynh_backup --src_path="/etc/cron.d/$app"
ynh_backup --src_path="/var/log/$app"
ynh_backup --src_path="/etc/systemd/system/$app-daemon.service"
#=================================================
# BACKUP THE MYSQL DATABASE

View file

@ -16,6 +16,15 @@ ynh_script_progression --message="Updating NGINX web server configuration..." --
ynh_change_url_nginx_config
#=================================================
# MODIFY URL IN FRIENDICA CONF
#=================================================
ynh_print_info --message="Updating the Friendica config..."
ynh_replace_string --match_string="'url' => 'https://.*'," --replace_string="'url' => 'https://$domain'," --target_file="$install_dir/config/local.config.php"
ynh_store_file_checksum --file="$install_dir/config/local.config.php"
#=================================================
# END OF SCRIPT
#=================================================

View file

@ -48,12 +48,12 @@ ynh_script_progression --message="Adding system configurations related to $app..
# Create a dedicated PHP-FPM configy
ynh_add_fpm_config
ynh_add_systemd_config --service="$app-daemon"
# Create a dedicated nginx config
ynh_add_nginx_config
ynh_add_config --template="cron" --destination="/etc/cron.d/$app"
chown root: "/etc/cron.d/$app"
chmod 644 "/etc/cron.d/$app"
yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log"
# Use logrotate to manage application logfile(s)
ynh_use_logrotate
@ -79,15 +79,19 @@ pushd "$install_dir"
ynh_exec_as "$app" "php$phpversion" bin/composer.phar install --no-dev --quiet
# Install application
ynh_exec_as "$app" "php$phpversion" bin/console.php autoinstall\
--dbhost "localhost" --dbdata "$db_name" --dbuser "$db_user" --dbpass "$db_pwd"\
--admin "$email" --tz "$timezone" --lang "$language" --url "https://$domain"
ynh_exec_as "$app" "php$phpversion" bin/console.php -f "$install_dir/config/local.config.php"
# Enable LDAP Auth addon
ynh_exec_as "$app" "php$phpversion" bin/console.php addon enable ldapauth
popd
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log"
#=================================================
# END OF SCRIPT
#=================================================

View file

@ -11,6 +11,17 @@ source /usr/share/yunohost/helpers
#=================================================
# REMOVE SYSTEM CONFIGURATIONS
#=================================================
# REMOVE SERVICE INTEGRATION IN YUNOHOST
#=================================================
# Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
if ynh_exec_warn_less yunohost service status "$app" >/dev/null
then
ynh_script_progression --message="Removing $app service integration..." --weight=1
yunohost service remove "$app-daemon"
fi
#=================================================
# REMOVE SYSTEMD SERVICE
#=================================================
@ -27,7 +38,7 @@ ynh_remove_logrotate
ynh_remove_fail2ban_config
ynh_secure_remove --file="/etc/cron.d/$app"
ynh_remove_systemd_config --service="$app-daemon"
#=================================================
# END OF SCRIPT

View file

@ -17,6 +17,9 @@ ynh_script_progression --message="Restoring the app main directory..." --weight=
ynh_restore_file --origin_path="$install_dir"
if [ -f "$install_dir/daemon.pid" ]; then ynh_secure_remove --file="$install_dir/daemon.pid"; fi
chmod -R o-rwx "$install_dir"
chown -R "$app:www-data" "$install_dir"
chmod -R 775 "$install_dir/view/smarty3"
@ -38,14 +41,19 @@ ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
ynh_restore_file --origin_path="/etc/systemd/system/$app-daemon.service"
systemctl enable "$app-daemon.service" --quiet
yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log"
ynh_restore_file --origin_path="/var/log/$app"
ynh_restore_file --origin_path="/etc/logrotate.d/$app"
ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"
ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf"
ynh_systemd_action --action=restart --service_name=fail2ban
ynh_restore_file --origin_path="/etc/cron.d/$app"
#=================================================
# GENERIC FINALIZATION
#=================================================
@ -57,6 +65,8 @@ ynh_systemd_action --service_name="php$phpversion-fpm" --action=reload
ynh_systemd_action --service_name=nginx --action=reload
ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log"
#==============
# FINALIZATION
#==============

View file

@ -20,7 +20,7 @@ upgrade_type=$(ynh_check_app_version_changed)
#=================================================
ynh_script_progression --message="Stopping a systemd service..." --weight=1
ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log"
ynh_systemd_action --service_name="$app-daemon" --action="stop" --log_path="/var/log/$app/daemon.log"
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
@ -51,9 +51,14 @@ ynh_add_fpm_config
ynh_use_logrotate --non-append
ynh_add_config --template="cron" --destination="/etc/cron.d/$app"
chown root: "/etc/cron.d/$app"
chmod 644 "/etc/cron.d/$app"
if [ -f "/etc/cron.d/$app" ]; then
ynh_print_info --message="Removing the legacy cron..."
ynh_secure_remove --file="/etc/cron.d/$app"
fi
ynh_add_systemd_config --service="$app-daemon"
yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log"
# Create a dedicated Fail2Ban config
ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="^.*authenticate\: failed login attempt.*\"ip\"\:\"<HOST>\".*$"
@ -65,7 +70,16 @@ ynh_script_progression --message="Updating a configuration file..." --weight=1
# fix the url if necessary (there should be no trailing slash)
if [ -f "$install_dir/config/local.config.php" ] && ! grep -q -e "'url' => 'https://$domain'," "$install_dir/config/local.config.php"; then
ynh_print_info --message="Patching the Friendica config file: fix the domain setting..."
ynh_replace_string --match_string="'url' => 'https://.*'," --replace_string="'url' => 'https://$domain'," --target_file="$install_dir/config/local.config.php"
ynh_store_file_checksum --file="$install_dir/config/local.config.php"
fi
# add the path to the pidfile if missing
if [ -f "$install_dir/config/local.config.php" ] && ! grep -q -e "pidfile" "$install_dir/config/local.config.php"; then
ynh_print_info --message="Patching the Friendica config file: add the PID file path for the daemon..."
ynh_replace_string --match_string="'basepath' => '$install_dir'," --replace_string="'basepath' => '$install_dir',\n 'pidfile' => '$install_dir/daemon.pid'," --target_file="$install_dir/config/local.config.php"
ynh_store_file_checksum --file="$install_dir/config/local.config.php"
fi
#=================================================
@ -78,6 +92,13 @@ pushd "$install_dir"
ynh_exec_as "$app" "php$phpversion" bin/console.php dbstructure update
popd
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log"
#=================================================
# END OF SCRIPT
#=================================================

View file

@ -1,3 +1,5 @@
#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/tests.v1.schema.json
test_format = 1.0
[default]