Merge pull request #57 from YunoHost-Apps/testing

Multiple fixes
2024-09-03 18:36:24 +02:00 · 2019-01-25 21:20:19 +01:00 · 2019-01-25 21:20:19 +01:00 · 8b7b3f0806
commit 8b7b3f0806
parent 806bcb0f32 422ab18dc4
12 changed files with 215 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -1,6 +1,7 @@
 # Funkwhale
 A modern, convivial and free music server on YunoHost

+[![Integration level](https://dash.yunohost.org/integration/funkwhale.svg)](https://dash.yunohost.org/appci/app/funkwhale)  
 [![Install Funkwhale with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=funkwhale)

 Installation requires a dedicated domain for now. I hope subpath installation will be possible in the future.
--- a/8
+++ b/8
@ -16,8 +16,8 @@
 		setup_private=1
 		setup_public=1
 		upgrade=1
-		upgrade=1		from_commit=11c81c1f503691272df5002dad8278bd82f34535
 		upgrade=1		from_commit=80a5044d13a6782063fee2d7fb7a01832a6aa767
+		upgrade=1               from_commit=806bcb0f320d8e3e28711a9ae1d2b175b95c65ce
 		backup_restore=1
 		multi_instance=1
 		incorrect_path=0
@ -40,9 +40,9 @@
 Email=jean-baptiste@holcroft.fr
 Notification=all
 ;;; Upgrade options
-	; commit=11c81c1f503691272df5002dad8278bd82f34535
-		name=Upgrade from 0.15~ynh2
-manifest_arg=domain=DOMAIN&path=/&admin=USER&is_public=1
 	; commit=80a5044d13a6782063fee2d7fb7a01832a6aa767
 		name=Upgrade from 0.16.3
+manifest_arg=domain=DOMAIN&path=/&admin=USER&is_public=1
+	; commit=806bcb0f320d8e3e28711a9ae1d2b175b95c65ce
+		name=Upgrade from 0.17.0~ynh2
 manifest_arg=domain=DOMAIN&path=/&admin=USER&is_public=1
--- a/conf/funkwhale-beat.service
+++ b/conf/funkwhale-beat.service
@ -8,7 +8,9 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/code/api
 EnvironmentFile=__FINALPATH__/code/config/.env
-ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO
+
+ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp beat \
+	--loglevel INFO --logfile=/var/log/__APP__/beat.log

 NoNewPrivileges=true
 PrivateDevices=true
@ -18,7 +20,7 @@ ProtectSystem=strict
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
-ReadWritePaths=__FINALPATH__/media __FINALPATH__/import __FINALPATH__/code/api
+ReadWritePaths=__FINALPATH__/media __FINALPATH__/import __FINALPATH__/code/api /var/log/__APP__

 StandardOutput=syslog
 StandardError=syslog
--- a/conf/funkwhale-server.service
+++ b/conf/funkwhale-server.service
@ -8,7 +8,9 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/code/api
 EnvironmentFile=__FINALPATH__/code/config/.env
-ExecStart=__FINALPATH__/code/virtualenv/bin/daphne -b ${FUNKWHALE_API_IP} -p ${FUNKWHALE_API_PORT} config.asgi:application --proxy-headers
+
+ExecStart=__FINALPATH__/code/virtualenv/bin/daphne -b ${FUNKWHALE_API_IP} -p ${FUNKWHALE_API_PORT} config.asgi:application --proxy-headers \
+	--verbosity 1 --access-log=/var/log/__APP__/server.log

 NoNewPrivileges=true
 PrivateDevices=true
@ -18,7 +20,7 @@ ProtectSystem=strict
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
-ReadWritePaths=__FINALPATH__/media __FINALPATH__/import
+ReadWritePaths=__FINALPATH__/media __FINALPATH__/import /var/log/__APP__

 StandardOutput=syslog
 StandardError=syslog
--- a/conf/funkwhale-worker.service
+++ b/conf/funkwhale-worker.service
@ -8,7 +8,9 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/code/api
 EnvironmentFile=__FINALPATH__/code/config/.env
-ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO
+
+ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO \
+	--loglevel INFO --logfile=/var/log/__APP__/worker.log

 NoNewPrivileges=true
 PrivateDevices=true
@ -18,7 +20,7 @@ ProtectSystem=strict
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
-ReadWritePaths=__FINALPATH__/media __FINALPATH__/import
+ReadWritePaths=__FINALPATH__/media __FINALPATH__/import /var/log/__APP__

 StandardOutput=syslog
 StandardError=syslog
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -15,7 +15,7 @@ location @rewrites {
 location /api/ {
 	include __FINALPATH__/code/deploy/funkwhale_proxy.conf;
 	# this is needed if you have file import via upload enabled
-	client_max_body_size 30M;
+	client_max_body_size 100M;
 	proxy_pass   http://127.0.0.1:__PORT__/api/;
 }

--- a/manifest.json
+++ b/manifest.json
@ -8,7 +8,7 @@
 	"description": {
 		"en": "A modern, convivial and free music server"
 	},
-	"version": "0.17.0~ynh2",
+	"version": "0.17.0~ynh3",
 	"url": "https://funkwhale.audio",
 	"license": "BSD-3-Clause",
 	"maintainer": {
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -106,3 +106,71 @@ $(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')"
 	echo "$mail_message" | $mail_bin -a "Content-Type: text/plain; charset=UTF-8" -s "$mail_subject" "$recipients"
 }

+#=================================================
+# fail2ban helpers
+# taken from https://github.com/YunoHost-Apps/shaarli_ynh
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+	local logpath
+	local failregex
+	local max_retry
+	local ports
+
+	logpath=$1
+	failregex=$2
+	max_retry=${3:-3}
+	ports=${4:-http,https}
+
+	test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+	test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+
+	finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+	finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+	ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+	ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+
+	sudo tee "$finalfail2banjailconf" <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry
+EOF
+
+	sudo tee "$finalfail2banfilterconf" <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregex =
+EOF
+
+	ynh_store_file_checksum "$finalfail2banjailconf"
+	ynh_store_file_checksum "$finalfail2banfilterconf"
+
+	systemctl restart fail2ban
+	local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
+	if [ -n "$fail2ban_error" ]
+	then
+		echo "[ERR] Fail2ban failed to load the jail for $app" >&2
+		echo "WARNING${fail2ban_error#*WARNING}" >&2
+	fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+	ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+	ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+	systemctl reload fail2ban
+}
--- a/scripts/install
+++ b/scripts/install
@ -63,7 +63,6 @@ ynh_app_setting_set "$app" admin "$admin"
 # Find a free port
 port=$(ynh_find_port 5000)
 # Open this port
-yunohost firewall allow --no-upnp TCP "$port" 2>&1
 ynh_app_setting_set "$app" port "$port"

 #=================================================
@ -71,7 +70,7 @@ ynh_app_setting_set "$app" port "$port"
 #=================================================

 ynh_install_app_dependencies build-essential curl ffmpeg \
-	libjpeg-dev libmagic-dev libpq-dev postgresql python3-dev python3-venv \
+	libjpeg-dev libmagic-dev libpq-dev postgresql python3-dev virtualenv \
 	redis-server libldap2-dev libsasl2-dev \
 	`# add arm support` \
 	zlib1g-dev libffi-dev libssl-dev
@ -139,7 +138,7 @@ ynh_system_user_create "$app" "$final_path"
 # PYTHON DEPENDENCIES
 #=================================================

-python3 -m venv "$final_path/code/virtualenv"
+virtualenv -p python3 "$final_path/code/virtualenv"
 (
 	set +o nounset
 	source "${final_path}/code/virtualenv/bin/activate"
@ -173,12 +172,16 @@ ynh_replace_string "__DBNAME__"    "$app"         "$configfile"
 ynh_replace_string "__FINALPATH__" "$final_path"  "$configfile"
 ynh_replace_string "__KEY__"       "$key"         "$configfile"

-cat > "$final_path/code/load_env" <<'EOL'
+loadfile="$final_path/code/load_env"
+
+cat > "$loadfile" <<'EOL'
 #!/bin/bash
-export $(cat "$final_path/code/config/.env" | grep -v ^# | xargs)
+export $(cat "__FINALPATH__/code/config/.env" | grep -v ^# | xargs)
 EOL

-chmod +x "$final_path/code/load_env"
+chmod +x "$loadfile"
+
+ynh_replace_string "__FINALPATH__" "$final_path"  "$loadfile"

 #=================================================
 # MODIFY THE CONFIG FILE
@ -188,7 +191,7 @@ admin_mail=$(ynh_user_get_info "$admin" "mail")
 (
 	set +o nounset
 	source "${final_path}/code/virtualenv/bin/activate"
-	source "${final_path}/code/load_env"
+	source "$loadfile"
 	set -o nounset
 	cd "$final_path/code/"

@ -223,6 +226,24 @@ systemctl restart "$app".target
 chown -R "$app": "$final_path"
 chmod -R 755 "$final_path/code/front/dist/"

+mkdir -p "/var/log/$app"
+chown -R "$app": "/var/log/$app"
+
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" "<HOST>.* \"POST /api/v1/token/ HTTP/1.1\" 400 68.*$" 5
+
+
+#=================================================
+# ADVERTISE SERVICE IN ADMIN PANEL
+#=================================================
+
+yunohost service add "$app-server" --log "/var/log/$app/server.log"
+yunohost service add "$app-worker" --log "/var/log/$app/worker.log"
+yunohost service add "$app-beat"   --log "/var/log/$app/beat.log"
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
--- a/scripts/remove
+++ b/scripts/remove
@ -24,6 +24,29 @@ redis_db=$(ynh_app_setting_get $app redis_db)

 #=================================================
 # STANDARD REMOVE
+#=================================================
+# REMOVE SERVICE FROM ADMIN PANEL
+#=================================================
+
+# Remove a service from the admin panel, added by `yunohost service add`
+if yunohost service status | grep -q "$app-server"
+then
+	echo "Remove $app-server service"
+	yunohost service remove "$app-server"
+fi
+
+if yunohost service status | grep -q "$app-worker"
+then
+	echo "Remove $app-worker service"
+	yunohost service remove "$app-worker"
+fi
+
+if yunohost service status | grep -q "$app-beat"
+then
+	echo "Remove $app-beat service"
+	yunohost service remove "$app-beat"
+fi
+
 #=================================================
 # STOP AND REMOVE SERVICE
 #=================================================
@ -65,6 +88,8 @@ ynh_remove_app_dependencies
 # Remove the app directory securely
 ynh_secure_remove "$final_path"

+ynh_secure_remove "/var/log/$app"
+
 #=================================================
 # REMOVE NGINX CONFIGURATION
 #=================================================
@ -91,6 +116,12 @@ fi

 #=================================================
 # GENERIC FINALIZATION
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # REMOVE DEDICATED USER
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -79,6 +79,7 @@ then
 	mv "$final_path/media" "$final_path/code/data/media"
 	mv "$final_path/import" "$final_path/code/data/music"
 	ynh_secure_remove "$final_path/code"
+	ynh_app_setting_delete "$app" code_migration
 fi

 #=================================================
@ -95,7 +96,7 @@ ynh_system_user_create "$app"
 #=================================================

 ynh_install_app_dependencies build-essential curl ffmpeg \
-	libjpeg-dev libmagic-dev libpq-dev postgresql python3-dev python3-venv \
+	libjpeg-dev libmagic-dev libpq-dev postgresql python3-dev virtualenv \
 	redis-server libldap2-dev libsasl2-dev \
 	`# add arm support` \
 	zlib1g-dev libffi-dev libssl-dev
@ -115,6 +116,17 @@ ynh_psql_execute_file_as_root ./db.sql "$db_name"
 # Restore permissions on app files
 chown -R "$app": "$final_path"

+mkdir -p "/var/log/$app"
+chown -R "$app": "/var/log/$app"
+
+#=================================================
+# ADVERTISE SERVICE IN ADMIN PANEL
+#=================================================
+
+yunohost service add "$app-server" --log "/var/log/$app/server.log"
+yunohost service add "$app-worker" --log "/var/log/$app/worker.log"
+yunohost service add "$app-beat"   --log "/var/log/$app/beat.log"
+
 #=================================================
 # RESTORE SYSTEMD
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -24,6 +24,7 @@ db_user=$db_name
 port=$(ynh_app_setting_get "$app" port)
 db_pwd=$(ynh_app_setting_get "$app" psqlpwd)
 redis_db=$(ynh_app_setting_get "$app" redis_db)
+code_migration=$(ynh_app_setting_get "$app" code_migration)

 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
@ -37,10 +38,15 @@ fi

 # make sure we have the last code organization
 if [ ! -d "$final_path/code/" ]; then
+	mkdir "$final_path-tmp"
+	mv "$final_path"/* "$final_path-tmp/"
+
 	mkdir "$final_path/code"
-	mv "$final_path/!(code)" "$final_path/code/"
-	mv "$final_path/code/data/media" "$final_path/media"
-	mv "$final_path/code/data/music" "$final_path/import"
+	mv "$final_path-tmp/data/media" "$final_path/media"
+	mv "$final_path-tmp/data/music" "$final_path/import"
+	mv "$final_path-tmp"/* "$final_path/code"
+
+	ynh_secure_remove "$final_path-tmp/"
 	ynh_app_setting_set "$app" code_migration 1
 fi

@ -60,6 +66,14 @@ ynh_clean_setup () {
 # Exit if an error occurs during the execution of the script
 ynh_abort_if_errors

+#=================================================
+# STOP SERVICES
+#=================================================
+
+systemctl stop "$app-beat.service"
+systemctl stop "$app-server.service"
+systemctl stop "$app-worker.service"
+
 #=================================================
 # CHECK THE PATH
 #=================================================
@ -69,6 +83,16 @@ path_url=$(ynh_normalize_url_path "$path_url")

 #=================================================
 # STANDARD UPGRADE STEPS
+#=================================================
+# CLOSE A PORT
+#=================================================
+
+if yunohost firewall list | grep -q "\- $port$"
+then
+	echo "Close port $port"
+	yunohost firewall disallow TCP $port 2>&1
+fi
+
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
@ -119,7 +143,7 @@ ynh_system_user_create "$app"
 #=================================================

 ynh_install_app_dependencies build-essential curl ffmpeg \
-	libjpeg-dev libmagic-dev libpq-dev postgresql python3-dev python3-venv \
+	libjpeg-dev libmagic-dev libpq-dev postgresql python3-dev virtualenv \
 	redis-server libldap2-dev libsasl2-dev \
 	`# add arm support` \
 	zlib1g-dev libffi-dev libssl-dev
@ -130,7 +154,8 @@ ynh_install_app_dependencies build-essential curl ffmpeg \
 # PYTHON DEPENDENCIES
 #=================================================

-python3 -m venv "$final_path/code/virtualenv"
+ynh_secure_remove "$final_path/code/virtualenv"
+virtualenv -p python3 "$final_path/code/virtualenv"
 (
 	set +o nounset
 	source "${final_path}/code/virtualenv/bin/activate"
@ -165,12 +190,16 @@ ynh_replace_string "__DBNAME__"    "$app"         "$configfile"
 ynh_replace_string "__FINALPATH__" "$final_path"  "$configfile"
 ynh_replace_string "__KEY__"       "$key"         "$configfile"

-cat > "$final_path/code/load_env" <<'EOL'
+loadfile="$final_path/code/load_env"
+
+cat > "$loadfile" <<'EOL'
 #!/bin/bash
-export $(cat "$final_path/code/config/.env" | grep -v ^# | xargs)
+export $(cat "__FINALPATH__/code/config/.env" | grep -v ^# | xargs)
 EOL

-chmod +x "$final_path/code/load_env"
+chmod +x "$loadfile"
+
+ynh_replace_string "__FINALPATH__" "$final_path"  "$loadfile"

 #=================================================
 # MIGRATE
@ -179,7 +208,7 @@ chmod +x "$final_path/code/load_env"
 (
 	set +o nounset
 	source "${final_path}/code/virtualenv/bin/activate"
-	source "${final_path}/code/load_env"
+	source "$loadfile"
 	set -o nounset
 	cd "$final_path/code"

@ -222,6 +251,15 @@ systemctl restart "$app".target
 chown -R "$app": "$final_path"
 chmod -R 755 "$final_path/code/front/dist/"

+mkdir -p "/var/log/$app"
+chown -R "$app": "/var/log/$app"
+
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" "<HOST>.* \"POST /api/v1/token/ HTTP/1.1\" 400 68.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
@ -243,4 +281,10 @@ systemctl reload nginx
 # REMOVE CODE MIGRATION FLAG
 #=================================================

-ynh_app_setting_delete "$app" code_migration
+ynh_app_setting_set "$app" code_migration 2
+
+#=================================================
+# RESTART Funkwhale
+#=================================================
+
+systemctl restart "$app.target"