add daemon

conf/cron

@@ -1,2 +0,0 @@
-# Run poller periodically to update Friendica
-*/10 * * * * __APP__ /usr/bin/php__PHPVERSION__ -f __INSTALL_DIR__/bin/worker.php

conf/systemd.service

@@ -0,0 +1,56 @@
+[Unit]
+Description=Friendica daemon
+After=network.target mariadb.service
+Requires=network.target remote-fs.target nss-lookup.target
+
+[Service]
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/
+Type=simple
+StandardOutput=/var/log/__APP___/daemon.log
+StandardError=syslog
+ExecStart=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php start
+ExecStop=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php stop
+PIDFile=friendica/daemon.pid
+PrivateTmp=true
+InaccessibleDirectories=/home /root /boot /opt /mnt /media
+ReadOnlyDirectories=/etc /usr
+Restart=always
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
+[Install]
+WantedBy=multi-user.target

scripts/backup

@@ -54,7 +54,7 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
 # BACKUP VARIOUS FILES
 #=================================================
 
-ynh_backup --src_path="/etc/cron.d/$app"
+ynh_backup --src_path="/etc/systemd/system/$app.service"
 
 #=================================================
 # BACKUP THE MYSQL DATABASE

scripts/install

@@ -48,12 +48,12 @@ ynh_script_progression --message="Adding system configurations related to $app..
 # Create a dedicated PHP-FPM configy
 ynh_add_fpm_config
 
+ynh_add_systemd_config
+
 # Create a dedicated nginx config
 ynh_add_nginx_config
 
-ynh_add_config --template="cron" --destination="/etc/cron.d/$app"
-chown root: "/etc/cron.d/$app"
-chmod 644 "/etc/cron.d/$app"
+yunohost service add "$app" --description="Friendica daemon" --log="/var/log/$app/$app.log"
 
 # Use logrotate to manage application logfile(s)
 ynh_use_logrotate
@@ -88,6 +88,13 @@ pushd "$install_dir"
 
 popd
 
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --weight=1
+
+ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

scripts/remove

@@ -27,7 +27,7 @@ ynh_remove_logrotate
 
 ynh_remove_fail2ban_config
 
-ynh_secure_remove --file="/etc/cron.d/$app"
+ynh_remove_systemd_config
 
 #=================================================
 # END OF SCRIPT

scripts/upgrade

@@ -51,9 +51,13 @@ ynh_add_fpm_config
 
 ynh_use_logrotate --non-append
 
-ynh_add_config --template="cron" --destination="/etc/cron.d/$app"
-chown root: "/etc/cron.d/$app"
-chmod 644 "/etc/cron.d/$app"
+if [ -f "/etc/cron.d/$app" ]; then
+  ynh_secure_remove --file="/etc/cron.d/$app"
+fi
+
+ynh_add_systemd_config
+
+yunohost service add "$app" --description="Friendica daemon" --log="/var/log/$app/$app.log"
 
 # Create a dedicated Fail2Ban config
 ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="^.*authenticate\: failed login attempt.*\"ip\"\:\"<HOST>\".*$"
@@ -78,6 +82,13 @@ pushd "$install_dir"
  	ynh_exec_as "$app" "php$phpversion" bin/console.php dbstructure update
 popd
 
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --weight=1
+
+ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
+
 #=================================================
 # END OF SCRIPT
 #=================================================