Merge pull request #61 from YunoHost-Apps/testing

Testing
2024-09-03 19:16:02 +02:00 · 2021-10-26 23:13:55 +02:00 · 2021-10-26 23:13:55 +02:00 · 8b926a1e45
commit 8b926a1e45
parent d9bf3b7aae f5d71e213e
12 changed files with 143 additions and 89 deletions
--- a/README.md
+++ b/README.md
@ -15,9 +15,9 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in

 ## Overview

-Just a blogging platform
+Publishing, memberships, subscriptions and newsletters platform

-**Shipped version:** 4.16.0~ynh1
+**Shipped version:** 4.20.3~ynh1



--- a/README_fr.md
+++ b/README_fr.md
@ -11,9 +11,9 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour

 ## Vue d'ensemble

-Plateforme de blogging
+Plateforme d'édition, d'adhésions, d'abonnements et de newsletters

-**Version incluse :** 4.16.0~ynh1
+**Version incluse :** 4.20.3~ynh1



--- a/6
+++ b/6
@ -11,10 +11,8 @@
 		setup_private=1
 		setup_public=1
 		upgrade=1
-		# 4.3.3
-		upgrade=1	from_commit=198004df76b0b3ef22a6dfe1b9a2738af62f0786
 		# 4.9.4
-                upgrade=1       from_commit=7a150ab29ee969f72dd7846539ae12ac1975165b
+        upgrade=1       from_commit=7a150ab29ee969f72dd7846539ae12ac1975165b
 		backup_restore=1
 		multi_instance=1
 		change_url=0
@ -22,7 +20,5 @@
 Email=
 Notification=none
 ;;; Upgrade options
-	; commit=198004df76b0b3ef22a6dfe1b9a2738af62f0786
-		name=4.3.3
 	; commit=7a150ab29ee969f72dd7846539ae12ac1975165b
 		name=4.9.4
--- a/conf/admin.src
+++ b/conf/admin.src
@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.16.0.zip
-SOURCE_SUM=91b674c26838bd55a57a3cbc0cfbf873e6aa5dec625bc1245405d653f3410c99
+SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.20.3.zip
+SOURCE_SUM=7d65b09ead2096c4f8a424b680bfbbe64453d7ae10decd6f7b5f680e55e03f31
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=zip
 SOURCE_IN_SUBDIR=false
--- a/conf/app.src
+++ b/conf/app.src
@ -1,6 +1,5 @@
-SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.16.0/Ghost-4.16.0.zip
-SOURCE_SUM=DE7041DA31362BB8DF1043864A94026D6B692EBCEF8FEBD886F635BEF8E3DA84
+SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.20.3/Ghost-4.20.3.zip
+SOURCE_SUM=50d88c47cd9aa8d2b06a6b84729b015352a1cf311fdce5f441bb0e7def0c4fbf
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=zip
 SOURCE_IN_SUBDIR=false
-SOURCE_FILENAME=
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -12,5 +12,33 @@ Environment="NODE_ENV=production"
 ExecStart=__YNH_NODE__ index.js run
 Restart=always

+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=multi-user.target
--- a/manifest.json
+++ b/manifest.json
@ -3,10 +3,10 @@
    "id": "ghost",
    "packaging_format": 1,
    "description": {
-        "en": "Just a blogging platform",
-        "fr": "Plateforme de blogging"
+        "en": "Publishing, memberships, subscriptions and newsletters platform",
+        "fr": "Plateforme d'édition, d'adhésions, d'abonnements et de newsletters"
    },
-    "version": "4.16.0~ynh1",
+    "version": "4.20.3~ynh1",
    "url": "https://ghost.org/",
    "upstream": {
        "license": "MIT",
@ -19,7 +19,7 @@
        "name": "Julien Malik",
        "email": "julien.malik@paraiso.me"
    },
-   "requirements": {
+    "requirements": {
        "yunohost": ">= 4.2.0"
    },
    "multi_instance": true,
@ -28,7 +28,7 @@
        "mysql"
    ],
    "arguments": {
-        "install" : [
+        "install": [
            {
                "name": "domain",
                "type": "domain"
--- a/scripts/backup
+++ b/scripts/backup
@ -50,6 +50,12 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"

 #=================================================
 # SPECIFIC BACKUP
+#=================================================
+# BACKUP LOGROTATE
+#=================================================
+
+ynh_backup --src_path="/etc/logrotate.d/$app"
+
 #=================================================
 # BACKUP SYSTEMD
 #=================================================
--- a/scripts/install
+++ b/scripts/install
@ -72,6 +72,14 @@ ynh_install_nodejs --nodejs_version=$NODEJS_VERSION
 # Install Yarn
 ynh_install_extra_app_dependencies --repo="deb https://dl.yarnpkg.com/debian/ stable main" --package="yarn" --key="https://dl.yarnpkg.com/debian/pubkey.gpg"

+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Configuring system user..."
+
+# Create a system user
+ynh_system_user_create --username=$app --home_dir="$final_path"
+
 #=================================================
 # CREATE A MYSQL DATABASE
 #=================================================
@ -81,15 +89,6 @@ db_name=$(ynh_sanitize_dbid --db_name=$app)
 db_user=$db_name
 ynh_app_setting_set --app=$app --key=db_name --value=$db_name
 ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
-db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
-
-#=================================================
-# CREATE DEDICATED USER
-#=================================================
-ynh_script_progression --message="Configuring system user..."
-
-# Create a system user
-ynh_system_user_create --username=$app

 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
@ -104,6 +103,10 @@ ynh_setup_source --dest_dir="$final_path"
 mkdir -p $final_path/core/client/Admin
 ynh_setup_source --dest_dir="$final_path/core/client/Admin" --source_id="admin"

+chmod 750 "$final_path"
+chmod -R o-rwx "$final_path"
+chown -R $app:www-data "$final_path"
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@ -120,23 +123,23 @@ ynh_add_nginx_config
 ynh_script_progression --message="Modifying a config file..."

 ynh_add_config --template="../conf/config.production.json" --destination="$final_path/config.production.json"
+chmod 400 "$final_path/config.production.json"
+chown $app:$app "$final_path/config.production.json"

 #==============================================
 # BUILD GHOST
 #==============================================
-ynh_script_progression --message="Building $app... (this will take some time and resources!)"
-
-pushd "$final_path" || ynh_die
+ynh_script_progression --message="Building Ghost... (this will take some time and resources!)"

+pushd "$final_path"
 	ynh_use_nodejs
-	ynh_exec_warn_less yarn install --non-interactive --silent
-	ynh_exec_warn_less yarn global add knex-migrator
-	ynh_exec_warn_less NODE_ENV=production knex-migrator init
-	ynh_exec_warn_less yarn global add grunt-cli ember-cli
-	ynh_exec_warn_less NODE_ENV=production grunt symlink
-	ynh_exec_warn_less NODE_ENV=production grunt init --force
-
-popd || ynh_die
+	ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive
+	ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add knex-migrator
+	ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/knex-migrator init
+	ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add grunt-cli ember-cli
+	ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt symlink
+	ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt init --force
+popd

 #=================================================
 # SETUP SYSTEMD
@ -147,14 +150,12 @@ ynh_script_progression --message="Configuring a systemd service..."
 ynh_add_systemd_config

 #=================================================
-# GENERIC FINALIZATION
+# SETUP LOGROTATE
 #=================================================
-# SECURE FILES AND DIRECTORIES
-#=================================================
-ynh_script_progression --message="Securing files and directories..."
+ynh_script_progression --message="Configuring log rotation..."

-# Set permissions to app files
-chown -R $app: $final_path
+# Use logrotate to manage application logfile(s)
+ynh_use_logrotate

 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
@ -169,7 +170,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/
 ynh_script_progression --message="Starting a systemd service..."

 # Start a systemd service
-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Ghost boot"
+ynh_systemd_action --service_name=$app --action="start"

 #=================================================
 # SETUP SSOWAT
--- a/scripts/remove
+++ b/scripts/remove
@ -43,6 +43,14 @@ ynh_script_progression --message="Stopping and removing the systemd service..."
 # Remove the dedicated systemd config
 ynh_remove_systemd_config

+#=================================================
+# REMOVE LOGROTATE CONFIGURATION
+#=================================================
+ynh_script_progression --message="Removing logrotate configuration..."
+
+# Remove the app-specific logrotate config
+ynh_remove_logrotate
+
 #=================================================
 # REMOVE THE MYSQL DATABASE
 #=================================================
@ -77,6 +85,14 @@ ynh_script_progression --message="Removing NGINX web server configuration..."
 # Remove the dedicated nginx config
 ynh_remove_nginx_config

+#=================================================
+# REMOVE VARIOUS FILES
+#=================================================
+ynh_script_progression --message="Removing log files..."
+
+# Remove the log files
+ynh_secure_remove --file="/var/log/$app"
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -57,7 +57,7 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 ynh_script_progression --message="Recreating the dedicated system user..."

 # Create the dedicated user (if not existing)
-ynh_system_user_create --username=$app
+ynh_system_user_create --username=$app --home_dir="$final_path"

 #=================================================
 # RESTORE THE APP MAIN DIR
@ -66,13 +66,9 @@ ynh_script_progression --message="Restoring the app main directory..."

 ynh_restore_file --origin_path="$final_path"

-#=================================================
-# RESTORE USER RIGHTS
-#=================================================
-ynh_script_progression --message="Restoring user rights..."
-
-# Restore permissions on app files
-chown -R $app: $final_path
+chmod 750 "$final_path"
+chmod -R o-rwx "$final_path"
+chown -R $app:www-data "$final_path"

 #=================================================
 # SPECIFIC RESTORATION
@ -107,6 +103,13 @@ ynh_script_progression --message="Restoring the systemd configuration..."
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 systemctl enable $app.service --quiet

+#=================================================
+# RESTORE THE LOGROTATE CONFIGURATION
+#=================================================
+ynh_script_progression --message="Restoring the logrotate configuration..."
+
+ynh_restore_file --origin_path="/etc/logrotate.d/$app"
+
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
@ -119,7 +122,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/
 #=================================================
 ynh_script_progression --message="Starting a systemd service..."

-ynh_systemd_action --service_name=$app --action=start --log_path=systemd --line_match="Ghost boot"
+ynh_systemd_action --service_name=$app --action=start

 #=================================================
 # GENERIC FINALIZATION
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -27,10 +27,24 @@ db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
 #=================================================
 # CHECK VERSION
 #=================================================
-ynh_script_progression --message="Checking version..."

 upgrade_type=$(ynh_check_app_version_changed)

+#=================================================
+# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
+#=================================================
+ynh_script_progression --message="Backing up the app before upgrading (may take a while)..."
+
+# Backup the current version of the app
+ynh_backup_before_upgrade
+ynh_clean_setup () {
+	# restore it if the upgrade fails
+	ynh_clean_check_starting
+	ynh_restore_upgradebackup
+}
+# Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
+
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
 #=================================================
@ -49,21 +63,6 @@ if ynh_legacy_permissions_exists; then
 	ynh_app_setting_delete --app=$app --key=is_public
 fi

-#=================================================
-# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
-#=================================================
-ynh_script_progression --message="Backing up the app before upgrading (may take a while)..."
-
-# Backup the current version of the app
-ynh_backup_before_upgrade
-ynh_clean_setup () {
-	# restore it if the upgrade fails
-	ynh_clean_check_starting
-	ynh_restore_upgradebackup
-}
-# Exit if an error occurs during the execution of the script
-ynh_abort_if_errors
-
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@ -71,7 +70,7 @@ ynh_abort_if_errors
 #=================================================
 ynh_script_progression --message="Stopping a systemd service..."

-ynh_systemd_action --service_name=$app --action=stop --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action=stop

 #=================================================
 # CREATE DEDICATED USER
@ -79,7 +78,7 @@ ynh_systemd_action --service_name=$app --action=stop --log_path="/var/log/$app/$
 ynh_script_progression --message="Making sure dedicated system user exists..."

 # Create a dedicated user (if not existing)
-ynh_system_user_create --username=$app
+ynh_system_user_create --username=$app --home_dir="$final_path"

 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
@ -118,6 +117,10 @@ then
 	ynh_secure_remove --file="$tmpdir"
 fi

+chmod 750 "$final_path"
+chmod -R o-rwx "$final_path"
+chown -R $app:www-data "$final_path"
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@ -147,23 +150,25 @@ ynh_install_extra_app_dependencies --repo="deb https://dl.yarnpkg.com/debian/ st
 ynh_script_progression --message="Modifying a config file..."

 ynh_add_config --template="../conf/config.production.json" --destination="$final_path/config.production.json"
+chmod 400 "$final_path/config.production.json"
+chown $app:$app "$final_path/config.production.json"

 #==============================================
 # BUILD GHOST
 #==============================================
+
 if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
-	ynh_script_progression --message="Building $app... (this will take some time and resources!)"
+	ynh_script_progression --message="Building Ghost... (this will take some time and resources!)"

-	pushd "$final_path" || ynh_die
-		ynh_exec_warn_less yarn install
-		ynh_exec_warn_less yarn global add knex-migrator
-		ynh_exec_warn_less NODE_ENV=production knex-migrator init
-		ynh_exec_warn_less yarn global add grunt
-		ynh_exec_warn_less NODE_ENV=production grunt symlink
-		ynh_exec_warn_less NODE_ENV=production grunt init --force
-
-	popd || ynh_die
+	pushd "$final_path"
+		ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive
+		ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add knex-migrator
+		ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/knex-migrator init
+		ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add grunt-cli ember-cli
+		ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt symlink
+		ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt init --force
+	popd
 fi

 #=================================================
@ -173,16 +178,16 @@ ynh_script_progression --message="Upgrading systemd configuration..."

 # Create a dedicated systemd config
 ynh_add_systemd_config
- 
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
-# SECURE FILES AND DIRECTORIES
+# SETUP LOGROTATE
 #=================================================
-ynh_script_progression --message="Securing files and directories..."
+ynh_script_progression --message="Upgrading logrotate configuration..."

-# Set permissions on app files
-chown -R $app: $final_path
+# Use logrotate to manage app-specific logfile(s)
+ynh_use_logrotate --non-append

 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
@ -196,7 +201,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/
 #=================================================
 ynh_script_progression --message="Starting a systemd service..."

-ynh_systemd_action --service_name=$app --action=start --log_path=systemd --line_match="Ghost boot"
+ynh_systemd_action --service_name=$app --action=start

 #=================================================
 # RELOAD NGINX