diff --git a/conf/cron b/conf/cron
deleted file mode 100644
index e7e5fd1..0000000
--- a/conf/cron
+++ /dev/null
@@ -1,2 +0,0 @@
-# Run poller periodically to update Friendica
-*/10 * * * * __APP__ /usr/bin/php__PHPVERSION__ -f __INSTALL_DIR__/bin/worker.php
\ No newline at end of file
diff --git a/conf/systemd.service b/conf/systemd.service
new file mode 100644
index 0000000..84ff38c
--- /dev/null
+++ b/conf/systemd.service
@@ -0,0 +1,56 @@
+[Unit]
+Description=Friendica daemon
+After=network.target mariadb.service
+Requires=network.target remote-fs.target nss-lookup.target
+
+[Service]
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/
+Type=simple
+StandardOutput=/var/log/__APP___/daemon.log
+StandardError=syslog
+ExecStart=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php start
+ExecStop=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php stop
+PIDFile=friendica/daemon.pid
+PrivateTmp=true
+InaccessibleDirectories=/home /root /boot /opt /mnt /media
+ReadOnlyDirectories=/etc /usr
+Restart=always
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/scripts/backup b/scripts/backup
index ae1d9ef..eb45a9b 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -54,7 +54,7 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
 # BACKUP VARIOUS FILES
 #=================================================
-ynh_backup --src_path="/etc/cron.d/$app"
+ynh_backup --src_path="/etc/systemd/system/$app.service"
 #=================================================
 # BACKUP THE MYSQL DATABASE
diff --git a/scripts/install b/scripts/install
index bc07915..01e9c29 100644
--- a/scripts/install
+++ b/scripts/install
@@ -48,12 +48,12 @@ ynh_script_progression --message="Adding system configurations related to $app..
 # Create a dedicated PHP-FPM configy
 ynh_add_fpm_config
+ynh_add_systemd_config
+
 # Create a dedicated nginx config
 ynh_add_nginx_config
-ynh_add_config --template="cron" --destination="/etc/cron.d/$app"
-chown root: "/etc/cron.d/$app"
-chmod 644 "/etc/cron.d/$app"
+yunohost service add "$app" --description="Friendica daemon" --log="/var/log/$app/$app.log"
 # Use logrotate to manage application logfile(s)
 ynh_use_logrotate
@@ -88,6 +88,13 @@ pushd "$install_dir"
 popd
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --weight=1
+
+ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index 6f01b8e..f8305bc 100644
--- a/scripts/remove
+++ b/scripts/remove
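Review bot: `StandardOutput=/var/log/__APP___/daemon.log` is not a valid output specifier — systemd expects something like `journal`, `file:/path` or `append:/path` — so systemd will reject the line and the daemon's stdout ends up in the journal rather than the file, and the template variable carries a stray third underscore (the other placeholders in the unit are `__APP__`). The path also disagrees with the `--log="/var/log/$app/$app.log"` that `yunohost service add` registers in the install and upgrade scripts; `StandardOutput=append:/var/log/__APP__/__APP__.log` with `StandardError=inherit` would make them match (`StandardError=syslog` is a deprecated alias for the journal in current systemd anyway). `PIDFile=friendica/daemon.pid` is a relative path with the app name hard-coded instead of `__APP__`, and with `Type=simple` it is never consulted; drop it, or switch to `Type=forking` with an absolute path if `daemon.php start` actually detaches — that cannot be told from the diff. `PrivateTmp=true` in the first block duplicates `PrivateTmp=yes` in the hardening block, and `InaccessibleDirectories=`/`ReadOnlyDirectories=` are the legacy spellings of `InaccessiblePaths=`/`ReadOnlyPaths=`.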
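Review bot: `ynh_systemd_action --service_name="$app" --action="start"` is called without `--line_match`, so the helper does not wait for the daemon to report readiness and a `daemon.php` that exits right after launch (DB not reachable, `/var/log/$app` missing or not writable by `$app`) will not fail the install; with `Restart=always` in the unit it surfaces only later as a restart loop in the journal. If `daemon.php` prints a recognisable startup line, pass it as `--line_match` so the install fails fast, and confirm that `/var/log/$app` is created and owned by `$app` before this point — that setup is not visible in this hunk. The `--log_path` given here names `$app.log`, whereas the unit template points stdout at a different file name; the two should agree.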
@@ -27,7 +27,7 @@ ynh_remove_logrotate
 ynh_remove_fail2ban_config
-ynh_secure_remove --file="/etc/cron.d/$app"
+ynh_remove_systemd_config
 #=================================================
 # END OF SCRIPT
diff --git a/scripts/upgrade b/scripts/upgrade
index 0ff2f28..7ad29dd 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -51,9 +51,13 @@ ynh_add_fpm_config
 ynh_use_logrotate --non-append
-ynh_add_config --template="cron" --destination="/etc/cron.d/$app"
-chown root: "/etc/cron.d/$app"
-chmod 644 "/etc/cron.d/$app"
+if [ -f "/etc/cron.d/$app" ]; then
+ ynh_secure_remove --file="/etc/cron.d/$app"
+fi
+
+ynh_add_systemd_config
+
+yunohost service add "$app" --description="Friendica daemon" --log="/var/log/$app/$app.log"
 # Create a dedicated Fail2Ban config
 ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="^.*authenticate\: failed login attempt.*\"ip\"\:\"\".*$"
@@ -78,6 +82,13 @@ pushd "$install_dir"
 ynh_exec_as "$app" "php$phpversion" bin/console.php dbstructure update
 popd
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --weight=1
+
+ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
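Review bot: the service that install and upgrade register with `yunohost service add "$app"` is not unregistered here — `ynh_remove_systemd_config` removes the unit file but, as far as I know, does not touch YunoHost's service list, so removal would likely leave a stale entry pointing at a unit that no longer exists. Unless it is already handled earlier in the script (the hunk starts at line 27, so that part is not visible), add the customary guarded call before `ynh_remove_systemd_config`: `if ynh_exec_warn_less yunohost service status "$app" >/dev/null; then yunohost service remove "$app"; fi`.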
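Review bot: nothing in these hunks stops the daemon before the upgrade proceeds — `ynh_add_systemd_config` rewrites the unit here and the service is only started again at the end of the script — so on every upgrade after this one an already-running `daemon.php` keeps processing jobs while the script replaces source files and runs `dbstructure update` later on. If there is no stop step earlier in the script (not visible in this diff), add `ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log"` before the source/config changes, guarded on the unit file's existence so the first upgrade from the cron-based version, where `/etc/systemd/system/$app.service` does not exist yet, still succeeds. The conditional removal of the old `/etc/cron.d/$app` entry is otherwise the right way to retire the cron poller.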