diff --git a/conf/stt.service b/conf/stt.service
new file mode 100644
index 0000000..01dd208
--- /dev/null
+++ b/conf/stt.service
@@ -0,0 +1,49 @@
+[Unit]
+Description=Galène: Speech-to-text support for Galene
+Documentation=https://galene.org
+After=network.target
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/stt/
+ExecStart=__INSTALL_DIR__/stt/galene-stt 127.0.0.1:__PORT_STT__:/group/public/stt
+LimitNOFILE=65536
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
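Review bot: `CAP_RAWIO` in the first `CapabilityBoundingSet=~` line is not a capability listed in capabilities(7); the name is `CAP_SYS_RAWIO`, so as written the unknown name is most likely not applied and raw I/O access stays in the bounding set. The line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Because the unit runs as the unprivileged `__APP__` user with `NoNewPrivileges=yes`, a single empty `CapabilityBoundingSet=` would be a shorter allow-nothing alternative to the nine deny lines, provided galene-stt needs no capabilities at all.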
diff --git a/manifest.toml b/manifest.toml index 3561a5e..1bb4b61 100644 --- a/manifest.toml +++ b/manifest.toml @@ -77,6 +77,17 @@ ram.runtime = "50M" autoupdate.upstream = "https://github.com/jech/galene-ldap" autoupdate.strategy = "latest_github_commit" + [resources.sources.whisper] + url = "https://github.com/ggerganov/whisper.cpp/archive/refs/tags/v1.6.2.tar.gz" + sha256 = "da7988072022acc3cfa61b370b3c51baad017f1900c3dc4e68cb276499f66894" + autoupdate.strategy = "latest_github_tag" + + [resources.sources.galene-stt] + url = "https://github.com/jech/galene-stt/archive/d2aa2ae4932cf04be33718bb39a08a91fa7777f4.tar.gz" + sha256 = "08bc36b5ff4ddff05c0522cfc5c0eef98da18725880c7ed6e2e22071e226ff3d" + autoupdate.upstream = "https://github.com/jech/galene-stt" + autoupdate.strategy = "latest_github_commit" + [resources.system_user] [resources.install_dir] @@ -90,6 +101,7 @@ ram.runtime = "50M" [resources.ports] main.default = 8095 ldap.default = 8096 + stt.default = 8443 turn.default = 1194 turn.exposed = "Both" diff --git a/scripts/backup b/scripts/backup index c2cadee..86a8d8a 100755 --- a/scripts/backup +++ b/scripts/backup @@ -35,6 +35,7 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_backup --src_path="/etc/systemd/system/$app.service" ynh_backup --src_path="/etc/systemd/system/${app}_ldap.service" +ynh_backup --src_path="/etc/systemd/system/${app}_stt.service" #================================================= # END OF SCRIPT diff --git a/scripts/change_url b/scripts/change_url index af6eb2d..5ae526d 100755 --- a/scripts/change_url +++ b/scripts/change_url 
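Review bot: The new source is declared as `[resources.sources.galene-stt]`, but the first hunk of scripts/install fetches it with `--source_id="stt"`, so that lookup will not find this entry unless one side is renamed; `[resources.sources.stt]` would match the way the `ldap` source is referenced. `[resources.sources.whisper]` also sets `autoupdate.strategy = "latest_github_tag"` without an `autoupdate.upstream`, unlike the two neighbouring sources, so the updater may end up comparing tags of a different repository. Adding `autoupdate.upstream = "https://github.com/ggerganov/whisper.cpp"` makes the tracked repository explicit.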
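Review bot: `stt.default = 8443` reserves a port that nothing in this diff listens on; conf/stt.service only passes `__PORT_STT__` to galene-stt inside the argument `127.0.0.1:__PORT_STT__:/group/public/stt`. If galene-stt is a client that joins a Galene group by URL, as its upstream usage suggests, the unit should instead receive the URL of the main Galene listener (scheme, host, the `main` port and the group path, with no colon before the path), and this port entry can be dropped. This is worth confirming against the galene-stt README before merging.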
@@ -26,6 +26,7 @@ ynh_script_progression --message="Stopping a systemd service..." --weight=1 ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" ynh_systemd_action --service_name=${app}_ldap --action="stop" --log_path="systemd" +ynh_systemd_action --service_name=${app}_stt --action="stop" --log_path="systemd" #================================================= # MODIFY URL IN NGINX CONF @@ -72,6 +73,7 @@ ynh_script_progression --message="Starting a systemd service..." --weight=3 # Start a systemd service ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" ynh_systemd_action --service_name=${app}_ldap --action="start" --log_path="systemd" +ynh_systemd_action --service_name=${app}_stt --action="start" --log_path="systemd" #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index 0a2fcf1..921e543 100755 --- a/scripts/install +++ b/scripts/install @@ -34,6 +34,8 @@ ynh_script_progression --message="Setting up source files..." --weight=1 # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir/build" ynh_setup_source --dest_dir="$install_dir/build_ldap" --source_id="ldap" +ynh_setup_source --dest_dir="$install_dir/stt/whisper.cpp/" --source_id="whisper" +ynh_setup_source --dest_dir="$install_dir/build_stt" --source_id="stt" mkdir -p "$install_dir/live/data" mkdir -p "$install_dir/live_ldap/data" @@ -44,6 +46,19 @@ ynh_replace_string --match_string="
Galène
" - chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" + +#Build and install whisper.cpp: +pushd $install_dir/stt/whisper.cpp/ + mkdir build + cd build + cmake .. + make -j + sudo make install +popd + +#Download your favourite model: +$install_dir/stt/whisper.cpp/models/download-ggml-model.sh base.en + #================================================= # SPECIFIC SETUP #================================================= @@ -66,9 +81,16 @@ pushd $install_dir/build_ldap/ ynh_exec_warn_less ynh_exec_as $app CGO_ENABLED=0 $ynh_go build -ldflags='-s -w' -o $install_dir/live_ldap/ popd +pushd $install_dir/build_stt/ + ynh_exec_warn_less ynh_exec_as $app CGO_ENABLED=0 $ynh_go build -ldflags='-s -w' -o $install_dir/stt/ + ln -s $install_dir/stt/whisper.cpp/models . +popd + + ynh_remove_go ynh_secure_remove --file="$install_dir/build/" ynh_secure_remove --file="$install_dir/build_ldap/" +ynh_secure_remove --file="$install_dir/build_stt/" ynh_secure_remove --file="$install_dir/.cache/" ynh_secure_remove --file="$install_dir/go/" ynh_secure_remove --file="$install_dir/.go-version" @@ -118,9 +140,11 @@ ynh_add_nginx_config # Create a dedicated systemd config ynh_add_systemd_config ynh_add_systemd_config --service=${app}_ldap --template="ldap.service" +ynh_add_systemd_config --service=${app}_stt --template="stt.service" yunohost service add $app --description="Videoconferencing server" --needs_exposed_ports="$port_turn" yunohost service add ${app}_ldap --description="LDAP integration for the videoconferencing server" +yunohost service add ${app}_stt --description="Speech-to-text support for Galene" #================================================= # START SYSTEMD SERVICE 
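Review bot: `download-ggml-model.sh base.en` fetches the model at install time with no pinned URL or checksum, so it bypasses the `sha256` verification that the manifest applies to the two other new sources; declaring the model file as a further `[resources.sources.*]` entry and fetching it with `ynh_setup_source` would keep it pinned and verified. The block also runs after `chown -R $app:www-data "$install_dir"`, builds outside `ynh_exec_as $app`, and `sudo make install` writes outside `$install_dir`, a location that scripts/remove and scripts/backup in this diff never touch; an install prefix under `$install_dir` would keep the files owned by the app and removable. `make -j` without a number starts an unbounded number of jobs, so `make -j"$(nproc)"` is safer on small servers, and the `$install_dir` paths in `pushd` and the model call should be quoted.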
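Review bot: `ln -s $install_dir/stt/whisper.cpp/models .` runs inside `pushd $install_dir/build_stt/`, and that directory is deleted a few lines later by `ynh_secure_remove --file="$install_dir/build_stt/"`, so the link is gone before the service ever starts. Create it where the unit's `WorkingDirectory` points, with quoted paths: `ln -s "$install_dir/stt/whisper.cpp/models" "$install_dir/stt/models"`. The build line also copies `CGO_ENABLED=0` from the ldap build; if galene-stt links libwhisper through cgo, which the preceding whisper.cpp install suggests, that setting will have to be dropped for this target.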
@@ -130,6 +154,7 @@ ynh_script_progression --message="Starting a systemd service..." --weight=1 # Start a systemd service ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" ynh_systemd_action --service_name=${app}_ldap --action="start" --log_path="systemd" +ynh_systemd_action --service_name=${app}_stt --action="start" --log_path="systemd" #================================================= # END OF SCRIPT diff --git a/scripts/remove b/scripts/remove index 7d80332..b7b1507 100755 --- a/scripts/remove +++ b/scripts/remove @@ -28,10 +28,17 @@ then ynh_script_progression --message="Removing ${app}_ldap service integration..." --weight=1 yunohost service remove ${app}_ldap fi +# Remove the service from the list of services known by YunoHost (added from `yunohost service add`) +if ynh_exec_warn_less yunohost service status ${app}_stt >/dev/null +then + ynh_script_progression --message="Removing ${app}_stt service integration..." --weight=1 + yunohost service remove ${app}_stt +fi # Remove the dedicated systemd config ynh_remove_systemd_config ynh_remove_systemd_config --service=${app}_ldap +ynh_remove_systemd_config --service=${app}_stt # Remove the dedicated NGINX config ynh_remove_nginx_config diff --git a/scripts/restore b/scripts/restore index 9dbd5d9..4da5d1a 100755 --- a/scripts/restore +++ b/scripts/restore 
@@ -40,10 +40,12 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_restore_file --origin_path="/etc/systemd/system/$app.service" ynh_restore_file --origin_path="/etc/systemd/system/${app}_ldap.service" +ynh_restore_file --origin_path="/etc/systemd/system/${app}_stt.service" systemctl enable $app.service --quiet yunohost service add $app --description="Videoconferencing server" --needs_exposed_ports="$port_turn" yunohost service add ${app}_ldap --description="LDAP integration for the videoconferencing server" +yunohost service add ${app}_stt --description="Speech-to-text support for Galene" #================================================= # GENERIC FINALIZATION @@ -54,6 +56,7 @@ ynh_script_progression --message="Reloading NGINX web server and $app's service. ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" ynh_systemd_action --service_name=${app}_ldap --action="start" --log_path="systemd" +ynh_systemd_action --service_name=${app}_stt --action="start" --log_path="systemd" ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/upgrade b/scripts/upgrade index 5bf9c01..1fd1310 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -137,9 +137,11 @@ ynh_add_nginx_config # Create a dedicated systemd config ynh_add_systemd_config ynh_add_systemd_config --service=${app}_ldap --template="ldap.service" +ynh_add_systemd_config --service=${app}_stt --template="stt.service" yunohost service add $app --description="Videoconferencing server" --needs_exposed_ports="$port_turn" yunohost service add ${app}_ldap --description="LDAP integration for the videoconferencing server" +yunohost service add ${app}_stt --description="Speech-to-text support for Galene" #================================================= # START SYSTEMD SERVICE 
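Review bot: The restore path copies `${app}_stt.service` back and starts it, but the only enable call in this hunk is the context line `systemctl enable $app.service --quiet`, so the speech-to-text unit will probably not come up after a reboot of a restored system. Add `systemctl enable "${app}_stt.service" --quiet` next to it; the ldap unit looks to have the same gap. Nothing visible here restores what `sudo make install` placed outside `$install_dir` during install, so a restore onto a fresh machine may also lack the whisper library.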
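Review bot: scripts/upgrade now installs and starts `${app}_stt`, but neither of its hunks shown here adds the `ynh_setup_source` and build steps that scripts/install gained, so an instance upgraded from a release without speech-to-text would get a unit whose `ExecStart` binary under `$install_dir/stt/` does not exist. Either mirror the source setup and build for the whisper and stt sources in the upgrade script, or skip creating and starting the unit until the binary is present. The same applies to the second upgrade hunk, which starts the service, and a matching stop of `${app}_stt` before the upgrade is not visible in these hunks either.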
@@ -148,6 +150,7 @@ ynh_script_progression --message="Starting a systemd service..." --weight=1 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" ynh_systemd_action --service_name=${app}_ldap --action="start" --log_path="systemd" +ynh_systemd_action --service_name=${app}_stt --action="start" --log_path="systemd" #================================================= # END OF SCRIPT