diff --git a/README.md b/README.md index cc9750c..70b03a9 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,8 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in A gemini server written in rust. -**Shipped version:** 0.4.5~ynh1 + +**Shipped version:** 0.6.3~ynh1 diff --git a/README_fr.md b/README_fr.md index 065dc46..abef5e4 100644 --- a/README_fr.md +++ b/README_fr.md @@ -11,9 +11,10 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour ## Vue d'ensemble +A gemini server written in rust. -**Version incluse :** 0.4.5~ynh1 +**Version incluse :** 0.6.3~ynh1 diff --git a/check_process b/check_process index f4efec3..a75248c 100644 --- a/check_process +++ b/check_process @@ -1,8 +1,3 @@ -# See here for more information -# https://github.com/YunoHost/package_check#syntax-check_process-file - -# Move this file from check_process.default to check_process when you have filled it. - ;; Test complet ; Manifest port="1965" @@ -16,6 +11,8 @@ upgrade=1 # 0.4.4~ynh1 upgrade=1 from_commit=3fcde5a7829938763b393ac1e878929bdc35297f + # 0.4.5~ynh1 + upgrade=1 from_commit=d1e78f8cb47fc61dc3ede3e9cbb8445e364f0ab0 backup_restore=1 multi_instance=0 port_already_use=0 @@ -25,4 +22,6 @@ Email=yalh@yahoo.com Notification=all ;;; Upgrade options ; commit=3fcde5a7829938763b393ac1e878929bdc35297f - name=0.4.4~ynh1. + name=0.4.4~ynh1 + ; commit=d1e78f8cb47fc61dc3ede3e9cbb8445e364f0ab0 + name=0.4.5~ynh1 diff --git a/conf/app.src b/conf/app.src index ca65e49..9d95499 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://git.sr.ht/~int80h/gemserv/archive/v0.4.5.tar.gz -SOURCE_SUM=7aeb5edc8af6ebefc2331aebc0c360798711c2fb16ee9cbde8c5c4f9502c491f +SOURCE_URL=https://git.sr.ht/~int80h/gemserv/archive/v0.6.3.tar.gz +SOURCE_SUM=e84656f1a3274d2becdecd731afe767477ead7f2c265c0d7ae8ee9e8bc81ded8 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true diff --git a/conf/systemd.service b/conf/systemd.service index 33c9d25..a7758cd 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -15,5 +15,35 @@ StandardError=inherit Restart=always RestartSec=5 +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md new file mode 100644 index 0000000..241011b --- /dev/null +++ b/doc/DESCRIPTION.md @@ -0,0 +1 @@ +A gemini server written in rust. diff --git a/manifest.json b/manifest.json index db210cb..375404a 100644 --- a/manifest.json +++ b/manifest.json @@ -5,7 +5,7 @@ "description": { "en": "A gemini server written in rust." }, - "version": "0.4.5~ynh1", + "version": "0.6.3~ynh1", "url": "https://git.sr.ht/~int80h/gemserv/", "upstream": { "license": "MIT", @@ -13,10 +13,10 @@ }, "license": "MIT", "maintainer": { - "name": "yalh76" + "name": "yalh76" }, "requirements": { - "yunohost": ">= 4.1.3" + "yunohost": ">= 4.3.0" }, "multi_instance": false, "services": [ diff --git a/scripts/install b/scripts/install index 91e0c93..250b2ae 100755 --- a/scripts/install +++ b/scripts/install @@ -61,7 +61,7 @@ ynh_install_app_dependencies $pkg_dependencies ynh_script_progression --message="Configuring system user..." # Create a system user -ynh_system_user_create --username=$app --home_dir="$final_path" +ynh_system_user_create --username=$app --home_dir=$final_path usermod -a -G ssl-cert $app @@ -89,14 +89,14 @@ ynh_script_progression --message="Making install..." # Install rustup with the toolchain needed by Gemserv pushd "$final_path" - sudo -u "$app" RUSTUP_HOME="$final_path"/.rustup CARGO_HOME="$final_path"/.cargo bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain nightly' + ynh_exec_as "$app" RUSTUP_HOME="$final_path"/.rustup CARGO_HOME="$final_path"/.cargo bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain nightly' popd export PATH="$PATH:$final_path/.cargo/bin:$final_path/.local/bin:/usr/local/sbin" # Compile Gemserv pushd "$final_path"/build - ynh_exec_warn_less sudo -u "$app" env PATH="$PATH" cargo build --release + ynh_exec_warn_less ynh_exec_as "$app" env PATH="$PATH" cargo build --release popd # Install Gemserv diff --git a/scripts/remove b/scripts/remove index 028ffac..fb7ba04 100755 --- a/scripts/remove +++ b/scripts/remove @@ -41,12 +41,12 @@ ynh_script_progression --message="Stopping and removing the systemd service..." ynh_remove_systemd_config #================================================= -# REMOVE DEPENDENCIES +# REMOVE LOGROTATE CONFIGURATION #================================================= -ynh_script_progression --message="Removing dependencies..." +ynh_script_progression --message="Removing logrotate configuration..." -# Remove metapackage and its dependencies -ynh_remove_app_dependencies +# Remove the app-specific logrotate config +ynh_remove_logrotate #================================================= # REMOVE APP MAIN DIR @@ -57,12 +57,12 @@ ynh_script_progression --message="Removing app main directory..." ynh_secure_remove --file="$final_path" #================================================= -# REMOVE LOGROTATE CONFIGURATION +# REMOVE DEPENDENCIES #================================================= -ynh_script_progression --message="Removing logrotate configuration..." +ynh_script_progression --message="Removing dependencies..." -# Remove the app-specific logrotate config -ynh_remove_logrotate +# Remove metapackage and its dependencies +ynh_remove_app_dependencies #================================================= # CLOSE A PORT diff --git a/scripts/restore b/scripts/restore index b4e97f6..bea2570 100755 --- a/scripts/restore +++ b/scripts/restore @@ -45,7 +45,7 @@ test ! -d $final_path \ ynh_script_progression --message="Recreating the dedicated system user..." # Create the dedicated user (if not existing) -ynh_system_user_create --username=$app --home_dir="$final_path" +ynh_system_user_create --username=$app --home_dir=$final_path #================================================= # RESTORE THE APP MAIN DIR @@ -83,6 +83,13 @@ ynh_script_progression --message="Restoring the systemd configuration..." ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable $app.service --quiet +#================================================= +# RESTORE THE LOGROTATE CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the logrotate configuration..." + +ynh_restore_file --origin_path="/etc/logrotate.d/$app" + #================================================= # INTEGRATE SERVICE IN YUNOHOST #================================================= @@ -97,13 +104,6 @@ ynh_script_progression --message="Starting a systemd service..." ynh_systemd_action --service_name=$app --action="start" --line_match="Started" --log_path="systemd" -#================================================= -# RESTORE THE LOGROTATE CONFIGURATION -#================================================= -ynh_script_progression --message="Restoring the logrotate configuration..." - -ynh_restore_file --origin_path="/etc/logrotate.d/$app" - #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index ac745a0..8b13bbc 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -59,7 +59,7 @@ ynh_script_progression --message="Ensuring downward compatibility..." ynh_script_progression --message="Making sure dedicated system user exists..." # Create a dedicated user (if not existing) -ynh_system_user_create --username=$app --home_dir="$final_path" +ynh_system_user_create --username=$app --home_dir=$final_path usermod -a -G ssl-cert $app @@ -99,14 +99,14 @@ if [ "$upgrade_type" == "UPGRADE_APP" ] then # Install rustup with the toolchain needed by Gemserv pushd "$final_path" - sudo -u "$app" RUSTUP_HOME="$final_path"/.rustup CARGO_HOME="$final_path"/.cargo bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain nightly' + ynh_exec_as "$app" RUSTUP_HOME="$final_path"/.rustup CARGO_HOME="$final_path"/.cargo bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain nightly' popd export PATH="$PATH:$final_path/.cargo/bin:$final_path/.local/bin:/usr/local/sbin" # Compile Gemserv pushd "$final_path"/build - ynh_exec_warn_less sudo -u "$app" env PATH="$PATH" cargo build --release + ynh_exec_warn_less ynh_exec_as "$app" env PATH="$PATH" cargo build --release popd # Install Gemserv