From 77a7af95e94d037c980dfa75f3b837d9ac91a8df Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Sun, 3 Oct 2021 13:54:44 +0200 Subject: [PATCH 01/15] Add logrotate --- check_process | 6 +----- conf/app.src | 1 - manifest.json | 4 ++-- scripts/backup | 6 ++++++ scripts/install | 39 +++++++++++++++++++------------------ scripts/remove | 16 ++++++++++++++++ scripts/restore | 19 ++++++++++-------- scripts/upgrade | 51 +++++++++++++++++++++++++------------------------ 8 files changed, 82 insertions(+), 60 deletions(-) diff --git a/check_process b/check_process index 70c1485..f4e3327 100644 --- a/check_process +++ b/check_process @@ -11,10 +11,8 @@ setup_private=1 setup_public=1 upgrade=1 - # 4.3.3 - upgrade=1 from_commit=198004df76b0b3ef22a6dfe1b9a2738af62f0786 # 4.9.4 - upgrade=1 from_commit=7a150ab29ee969f72dd7846539ae12ac1975165b + upgrade=1 from_commit=7a150ab29ee969f72dd7846539ae12ac1975165b backup_restore=1 multi_instance=1 change_url=0 @@ -22,7 +20,5 @@ Email= Notification=none ;;; Upgrade options - ; commit=198004df76b0b3ef22a6dfe1b9a2738af62f0786 - name=4.3.3 ; commit=7a150ab29ee969f72dd7846539ae12ac1975165b name=4.9.4 diff --git a/conf/app.src b/conf/app.src index 01ef1dc..17ecce9 100644 --- a/conf/app.src +++ b/conf/app.src @@ -3,4 +3,3 @@ SOURCE_SUM=DE7041DA31362BB8DF1043864A94026D6B692EBCEF8FEBD886F635BEF8E3DA84 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false -SOURCE_FILENAME= diff --git a/manifest.json b/manifest.json index 131821b..503eea8 100644 --- a/manifest.json +++ b/manifest.json @@ -3,8 +3,8 @@ "id": "ghost", "packaging_format": 1, "description": { - "en": "Just a blogging platform", - "fr": "Plateforme de blogging" + "en": "Publishing, memberships, subscriptions and newsletters platform", + "fr": "Plateforme d'édition, d'adhésions, d'abonnements et de newsletters" }, "version": "4.16.0~ynh1", "url": "https://ghost.org/", diff --git a/scripts/backup b/scripts/backup index 63ac358..dceee37 100755 --- a/scripts/backup 
+++ b/scripts/backup @@ -50,6 +50,12 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" #================================================= # SPECIFIC BACKUP +#================================================= +# BACKUP LOGROTATE +#================================================= + +ynh_backup --src_path="/etc/logrotate.d/$app" + #================================================= # BACKUP SYSTEMD #================================================= diff --git a/scripts/install b/scripts/install index 6862964..964ff73 100644 --- a/scripts/install +++ b/scripts/install @@ -72,6 +72,14 @@ ynh_install_nodejs --nodejs_version=$NODEJS_VERSION # Install Yarn ynh_install_extra_app_dependencies --repo="deb https://dl.yarnpkg.com/debian/ stable main" --package="yarn" --key="https://dl.yarnpkg.com/debian/pubkey.gpg" +#================================================= +# CREATE DEDICATED USER +#================================================= +ynh_script_progression --message="Configuring system user..." + +# Create a system user +ynh_system_user_create --username=$app --home_dir="$final_path" + #================================================= # CREATE A MYSQL DATABASE #================================================= @@ -81,15 +89,6 @@ db_name=$(ynh_sanitize_dbid --db_name=$app) db_user=$db_name ynh_app_setting_set --app=$app --key=db_name --value=$db_name ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name -db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) - -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Configuring system user..." - -# Create a system user -ynh_system_user_create --username=$app #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE 
@@ -104,6 +103,10 @@ ynh_setup_source --dest_dir="$final_path" mkdir -p $final_path/core/client/Admin ynh_setup_source --dest_dir="$final_path/core/client/Admin" --source_id="admin" +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" + #================================================= # NGINX CONFIGURATION #================================================= @@ -120,14 +123,15 @@ ynh_add_nginx_config ynh_script_progression --message="Modifying a config file..." ynh_add_config --template="../conf/config.production.json" --destination="$final_path/config.production.json" +chmod 400 "$final_path/config.production.json" +chown $app:$app "$final_path/config.production.json" #============================================== # BUILD GHOST #============================================== ynh_script_progression --message="Building $app... (this will take some time and resources!)" -pushd "$final_path" || ynh_die - +pushd "$final_path" ynh_use_nodejs ynh_exec_warn_less yarn install --non-interactive --silent ynh_exec_warn_less yarn global add knex-migrator @@ -135,8 +139,7 @@ pushd "$final_path" || ynh_die ynh_exec_warn_less yarn global add grunt-cli ember-cli ynh_exec_warn_less NODE_ENV=production grunt symlink ynh_exec_warn_less NODE_ENV=production grunt init --force - -popd || ynh_die +popd #================================================= # SETUP SYSTEMD 
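Review bot: In the BUILD GHOST hunk of scripts/install, dropping `|| ynh_die` from `pushd "$final_path"` and `popd` removes the only visible guard against building in the wrong directory. If the script is not running under `ynh_abort_if_errors` at that point (the hunk does not show it), a failed `pushd` lets the `yarn` and `grunt` steps run from whatever directory the script was started in. I would keep `pushd "$final_path" || ynh_die` and `popd || ynh_die`. The same removal appears in the BUILD GHOST hunk of scripts/upgrade, where `ynh_abort_if_errors` is at least visible earlier in the script.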
@@ -147,14 +150,12 @@ ynh_script_progression --message="Configuring a systemd service..." ynh_add_systemd_config #================================================= -# GENERIC FINALIZATION +# SETUP LOGROTATE #================================================= -# SECURE FILES AND DIRECTORIES -#================================================= -ynh_script_progression --message="Securing files and directories..." +ynh_script_progression --message="Configuring log rotation..." -# Set permissions to app files -chown -R $app: $final_path +# Use logrotate to manage application logfile(s) +ynh_use_logrotate #================================================= # INTEGRATE SERVICE IN YUNOHOST diff --git a/scripts/remove b/scripts/remove index 063bd18..36494ad 100644 --- a/scripts/remove +++ b/scripts/remove @@ -43,6 +43,14 @@ ynh_script_progression --message="Stopping and removing the systemd service..." # Remove the dedicated systemd config ynh_remove_systemd_config +#================================================= +# REMOVE LOGROTATE CONFIGURATION +#================================================= +ynh_script_progression --message="Removing logrotate configuration..." + +# Remove the app-specific logrotate config +ynh_remove_logrotate + #================================================= # REMOVE THE MYSQL DATABASE #================================================= @@ -77,6 +85,14 @@ ynh_script_progression --message="Removing NGINX web server configuration..." # Remove the dedicated nginx config ynh_remove_nginx_config +#================================================= +# REMOVE VARIOUS FILES +#================================================= +ynh_script_progression --message="Removing log files..." + +# Remove the log files +ynh_secure_remove --file="/var/log/$app" + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/restore b/scripts/restore index 405d5e9..36fcda4 100755 
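Review bot: `ynh_use_logrotate` is called without a log path in the SETUP LOGROTATE hunk of scripts/install, so rotation presumably covers only the helper's default location under `/var/log/$app`. Nothing visible in this patch creates that directory for the `$app` user or points Ghost's logging at it, so the rule may match no files while the real logs grow unrotated elsewhere. Confirm against `conf/config.production.json` (not shown here) and, if Ghost logs under `$final_path`, pass that path explicitly with `--logfile`. The same applies to `ynh_use_logrotate --non-append` in scripts/upgrade.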
--- a/scripts/restore +++ b/scripts/restore @@ -57,7 +57,7 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_script_progression --message="Recreating the dedicated system user..." # Create the dedicated user (if not existing) -ynh_system_user_create --username=$app +ynh_system_user_create --username=$app --home_dir="$final_path" #================================================= # RESTORE THE APP MAIN DIR @@ -66,13 +66,9 @@ ynh_script_progression --message="Restoring the app main directory..." ynh_restore_file --origin_path="$final_path" -#================================================= -# RESTORE USER RIGHTS -#================================================= -ynh_script_progression --message="Restoring user rights..." - -# Restore permissions on app files -chown -R $app: $final_path +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" #================================================= # SPECIFIC RESTORATION @@ -107,6 +103,13 @@ ynh_script_progression --message="Restoring the systemd configuration..." ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable $app.service --quiet +#================================================= +# RESTORE THE LOGROTATE CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the logrotate configuration..." + +ynh_restore_file --origin_path="/etc/logrotate.d/$app" + #================================================= # INTEGRATE SERVICE IN YUNOHOST #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index a2af1bc..1f54707 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
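Review bot: After `chown -R $app:www-data "$final_path"` in the second hunk of scripts/restore, `config.production.json` keeps whatever mode the backup carried and gains group `www-data`, whereas install and upgrade tighten it to mode 400 owned by `$app:$app`. A backup taken before this change could therefore restore the configuration file group-readable by the web server, and that file likely holds the database credentials (the template is not shown here). Add `chmod 400 "$final_path/config.production.json"` and `chown $app:$app "$final_path/config.production.json"` right after the recursive chown.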
@@ -27,10 +27,24 @@ db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) #================================================= # CHECK VERSION #================================================= -ynh_script_progression --message="Checking version..." upgrade_type=$(ynh_check_app_version_changed) +#================================================= +# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP +#================================================= +ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." + +# Backup the current version of the app +ynh_backup_before_upgrade +ynh_clean_setup () { + # restore it if the upgrade fails + ynh_clean_check_starting + ynh_restore_upgradebackup +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + #================================================= # ENSURE DOWNWARD COMPATIBILITY #================================================= @@ -49,21 +63,6 @@ if ynh_legacy_permissions_exists; then ynh_app_setting_delete --app=$app --key=is_public fi -#================================================= -# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP -#================================================= -ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." - -# Backup the current version of the app -ynh_backup_before_upgrade -ynh_clean_setup () { - # restore it if the upgrade fails - ynh_clean_check_starting - ynh_restore_upgradebackup -} -# Exit if an error occurs during the execution of the script -ynh_abort_if_errors - #================================================= # STANDARD UPGRADE STEPS #================================================= 
@@ -79,7 +78,7 @@ ynh_systemd_action --service_name=$app --action=stop --log_path="/var/log/$app/$ ynh_script_progression --message="Making sure dedicated system user exists..." # Create a dedicated user (if not existing) -ynh_system_user_create --username=$app +ynh_system_user_create --username=$app --home_dir="$final_path" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -147,23 +146,25 @@ ynh_install_extra_app_dependencies --repo="deb https://dl.yarnpkg.com/debian/ st ynh_script_progression --message="Modifying a config file..." ynh_add_config --template="../conf/config.production.json" --destination="$final_path/config.production.json" +chmod 400 "$final_path/config.production.json" +chown $app:$app "$final_path/config.production.json" #============================================== # BUILD GHOST #============================================== + if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Building $app... (this will take some time and resources!)" - pushd "$final_path" || ynh_die + pushd "$final_path" ynh_exec_warn_less yarn install ynh_exec_warn_less yarn global add knex-migrator ynh_exec_warn_less NODE_ENV=production knex-migrator init ynh_exec_warn_less yarn global add grunt ynh_exec_warn_less NODE_ENV=production grunt symlink ynh_exec_warn_less NODE_ENV=production grunt init --force - - popd || ynh_die + popd fi #================================================= 
@@ -173,16 +174,16 @@ ynh_script_progression --message="Upgrading systemd configuration..." # Create a dedicated systemd config ynh_add_systemd_config - + #================================================= # GENERIC FINALIZATION #================================================= -# SECURE FILES AND DIRECTORIES +# SETUP LOGROTATE #================================================= -ynh_script_progression --message="Securing files and directories..." +ynh_script_progression --message="Upgrading logrotate configuration..." -# Set permissions on app files -chown -R $app: $final_path +# Use logrotate to manage app-specific logfile(s) +ynh_use_logrotate --non-append #================================================= # INTEGRATE SERVICE IN YUNOHOST From 75b9f334bbee30299fc3bc8a41b3248f4aa5f8ae Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Sun, 3 Oct 2021 11:54:49 +0000 Subject: [PATCH 02/15] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e69e926..c7b2884 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in ## Overview -Just a blogging platform +Publishing, memberships, subscriptions and newsletters platform **Shipped version:** 4.16.0~ynh1 diff --git a/README_fr.md b/README_fr.md index bceeedb..04db3a6 100644 --- a/README_fr.md +++ b/README_fr.md @@ -11,7 +11,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour ## Vue d'ensemble -Plateforme de blogging +Plateforme d'édition, d'adhésions, d'abonnements et de newsletters **Version incluse :** 4.16.0~ynh1 From 89ba12bf6141bf73e8f9ddaf1a74f5ef8dc00602 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Sun, 3 Oct 2021 11:55:30 +0000 Subject: [PATCH 03/15] Upgrade to v4.17.0 --- conf/admin.src | 4 ++-- conf/app.src | 5 ++--- manifest.json | 6 +++--- 3 files changed, 7 insertions(+), 8 deletions(-) 
diff --git a/conf/admin.src b/conf/admin.src index d7ba541..92793d2 100644 --- a/conf/admin.src +++ b/conf/admin.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.16.0.zip -SOURCE_SUM=91b674c26838bd55a57a3cbc0cfbf873e6aa5dec625bc1245405d653f3410c99 +SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.17.0.zip +SOURCE_SUM=331d412a70b2b8d255f7becbbfc82449242d3a1e028c3ae62dfa9163a21dc80d SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false diff --git a/conf/app.src b/conf/app.src index 01ef1dc..bb7e869 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,6 +1,5 @@ -SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.16.0/Ghost-4.16.0.zip -SOURCE_SUM=DE7041DA31362BB8DF1043864A94026D6B692EBCEF8FEBD886F635BEF8E3DA84 +SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.17.0/Ghost-4.17.0.zip +SOURCE_SUM=1fbfc57f53b5b31a38839cb8c8e753070d74e30601bee5ed46fb6a55599b3e3c SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false -SOURCE_FILENAME= diff --git a/manifest.json b/manifest.json index 131821b..7abd2bb 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Just a blogging platform", "fr": "Plateforme de blogging" }, - "version": "4.16.0~ynh1", + "version": "4.17.0~ynh1", "url": "https://ghost.org/", "upstream": { "license": "MIT", @@ -19,7 +19,7 @@ "name": "Julien Malik", "email": "julien.malik@paraiso.me" }, - "requirements": { + "requirements": { "yunohost": ">= 4.2.0" }, "multi_instance": true, @@ -28,7 +28,7 @@ "mysql" ], "arguments": { - "install" : [ + "install": [ { "name": "domain", "type": "domain" From a793c716d895725675664f4567c89fd0a4c54d9a Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Sun, 3 Oct 2021 11:55:34 +0000 Subject: [PATCH 04/15] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e69e926..7b9967d 100644 --- a/README.md 
+++ b/README.md @@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Just a blogging platform -**Shipped version:** 4.16.0~ynh1 +**Shipped version:** 4.17.0~ynh1 diff --git a/README_fr.md b/README_fr.md index bceeedb..34702c3 100644 --- a/README_fr.md +++ b/README_fr.md @@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Plateforme de blogging -**Version incluse :** 4.16.0~ynh1 +**Version incluse :** 4.17.0~ynh1 From 4385694c5aa5f85038fb031be275d9db5fa13160 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Wed, 6 Oct 2021 06:18:39 +0000 Subject: [PATCH 05/15] Upgrade to v4.17.1 --- conf/admin.src | 4 ++-- conf/app.src | 4 ++-- manifest.json | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/conf/admin.src b/conf/admin.src index 92793d2..616504a 100644 --- a/conf/admin.src +++ b/conf/admin.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.17.0.zip -SOURCE_SUM=331d412a70b2b8d255f7becbbfc82449242d3a1e028c3ae62dfa9163a21dc80d +SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.17.1.zip +SOURCE_SUM=1f6631834bddd99a302734060a966b59fd69e924e14f560e9367428b1013a056 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false diff --git a/conf/app.src b/conf/app.src index bb7e869..3dc8cd8 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.17.0/Ghost-4.17.0.zip -SOURCE_SUM=1fbfc57f53b5b31a38839cb8c8e753070d74e30601bee5ed46fb6a55599b3e3c +SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.17.1/Ghost-4.17.1.zip +SOURCE_SUM=71b8ae299a7f985e45ff60a583ad3d858450330d19b631b9fa1ca6bc0ee53032 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false diff --git a/manifest.json b/manifest.json index f04e051..79f298e 100644 --- a/manifest.json +++ b/manifest.json 
@@ -6,7 +6,7 @@ "en": "Publishing, memberships, subscriptions and newsletters platform", "fr": "Plateforme d'édition, d'adhésions, d'abonnements et de newsletters" }, - "version": "4.17.0~ynh1", + "version": "4.17.1~ynh1", "url": "https://ghost.org/", "upstream": { "license": "MIT", From 09f260c04435df35edca042486b6a8eb3160333b Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Fri, 8 Oct 2021 17:35:06 +0000 Subject: [PATCH 06/15] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f8757a9..7736e49 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Publishing, memberships, subscriptions and newsletters platform -**Shipped version:** 4.17.0~ynh1 +**Shipped version:** 4.17.1~ynh1 diff --git a/README_fr.md b/README_fr.md index ec2338d..032fa09 100644 --- a/README_fr.md +++ b/README_fr.md @@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Plateforme d'édition, d'adhésions, d'abonnements et de newsletters -**Version incluse :** 4.17.0~ynh1 +**Version incluse :** 4.17.1~ynh1 From 4b7aa322f4f4f8f4f9197053dc30a8996916944b Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Sat, 23 Oct 2021 06:18:44 +0000 Subject: [PATCH 07/15] Upgrade to v4.20.1 --- conf/admin.src | 4 ++-- conf/app.src | 4 ++-- manifest.json | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/conf/admin.src b/conf/admin.src index 616504a..13362ea 100644 --- a/conf/admin.src +++ b/conf/admin.src 
@@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.17.1.zip -SOURCE_SUM=1f6631834bddd99a302734060a966b59fd69e924e14f560e9367428b1013a056 +SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.20.1.zip +SOURCE_SUM=be297eda8d618759de25abe7fed5c6d11345623e0e8b27f537566036d88945fa SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false diff --git a/conf/app.src b/conf/app.src index 3dc8cd8..a7e7935 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.17.1/Ghost-4.17.1.zip -SOURCE_SUM=71b8ae299a7f985e45ff60a583ad3d858450330d19b631b9fa1ca6bc0ee53032 +SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.20.1/Ghost-4.20.1.zip +SOURCE_SUM=12d9850826676d7a402e12843f0832396cc302a3a9081c270250bdd6f1b55aa0 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false diff --git a/manifest.json b/manifest.json index 79f298e..69ee970 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Publishing, memberships, subscriptions and newsletters platform", "fr": "Plateforme d'édition, d'adhésions, d'abonnements et de newsletters" }, - "version": "4.17.1~ynh1", + "version": "4.20.1~ynh1", "url": "https://ghost.org/", "upstream": { "license": "MIT", From 19072c02ac44695b24d9c48d87d0a865766d8b0b Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Sat, 23 Oct 2021 06:18:52 +0000 Subject: [PATCH 08/15] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7736e49..8cb8950 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Publishing, memberships, subscriptions and newsletters platform -**Shipped version:** 4.17.1~ynh1 +**Shipped version:** 4.20.1~ynh1 diff --git a/README_fr.md b/README_fr.md index 032fa09..673ee60 100644 --- a/README_fr.md 
+++ b/README_fr.md @@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Plateforme d'édition, d'adhésions, d'abonnements et de newsletters -**Version incluse :** 4.17.1~ynh1 +**Version incluse :** 4.20.1~ynh1 From a6f38d51c1b8c9b8c77c258e394cb458a4320b1b Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sat, 23 Oct 2021 20:14:15 +0200 Subject: [PATCH 09/15] Build as $app user --- scripts/install | 12 ++++++------ scripts/upgrade | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/scripts/install b/scripts/install index 964ff73..f3c54c6 100644 --- a/scripts/install +++ b/scripts/install @@ -133,12 +133,12 @@ ynh_script_progression --message="Building $app... (this will take some time and pushd "$final_path" ynh_use_nodejs - ynh_exec_warn_less yarn install --non-interactive --silent - ynh_exec_warn_less yarn global add knex-migrator - ynh_exec_warn_less NODE_ENV=production knex-migrator init - ynh_exec_warn_less yarn global add grunt-cli ember-cli - ynh_exec_warn_less NODE_ENV=production grunt symlink - ynh_exec_warn_less NODE_ENV=production grunt init --force + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive --silent + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add knex-migrator + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production knex-migrator init + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add grunt-cli ember-cli + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt symlink + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt init --force popd #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 1f54707..149d381 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -158,12 +158,12 @@ then ynh_script_progression --message="Building $app... (this will take some time and resources!)" pushd "$final_path" - ynh_exec_warn_less yarn install - ynh_exec_warn_less yarn global add knex-migrator - ynh_exec_warn_less NODE_ENV=production knex-migrator init - ynh_exec_warn_less yarn global add grunt - ynh_exec_warn_less NODE_ENV=production grunt symlink - ynh_exec_warn_less NODE_ENV=production grunt init --force + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add knex-migrator + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production knex-migrator init + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add grunt + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt symlink + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt init --force popd fi From 1bb284916579c26ef0ba977c8e6b1e40fabafe92 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sun, 24 Oct 2021 12:09:49 +0200 Subject: [PATCH 10/15] Remove log monitoring In production mode, the log file name is hard to guess... --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/install b/scripts/install index f3c54c6..046b9b8 100644 --- a/scripts/install +++ b/scripts/install @@ -170,7 +170,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/ ynh_script_progression --message="Starting a systemd service..." # Start a systemd service -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Ghost boot" +ynh_systemd_action --service_name=$app --action="start" #================================================= # SETUP SSOWAT diff --git a/scripts/restore b/scripts/restore index 36fcda4..84008fc 100755 --- a/scripts/restore +++ b/scripts/restore 
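Review bot: With `--log_path` and `--line_match` removed from the start call in scripts/install (PATCH 10), the script no longer waits for any sign that Ghost actually booted; as far as I know the helper then only reports whether the systemd start request succeeded. A service that exits seconds later, for example on a bad config or a failed migration, would still yield a successful install. If the journal has no stable boot line in production mode, consider a short post-start check such as `systemctl is-active --quiet $app` after a brief wait, or a local HTTP probe. The same applies to the start calls in scripts/restore and scripts/upgrade.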
@@ -122,7 +122,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/ #================================================= ynh_script_progression --message="Starting a systemd service..." -ynh_systemd_action --service_name=$app --action=start --log_path=systemd --line_match="Ghost boot" +ynh_systemd_action --service_name=$app --action=start #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 149d381..0a66011 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -70,7 +70,7 @@ fi #================================================= ynh_script_progression --message="Stopping a systemd service..." -ynh_systemd_action --service_name=$app --action=stop --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action=stop #================================================= # CREATE DEDICATED USER @@ -197,7 +197,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/ #================================================= ynh_script_progression --message="Starting a systemd service..." -ynh_systemd_action --service_name=$app --action=start --log_path=systemd --line_match="Ghost boot" +ynh_systemd_action --service_name=$app --action=start #================================================= # RELOAD NGINX From 2ac2192c731c8b90081b2aa455c726bffc7c774e Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sun, 24 Oct 2021 18:09:43 +0200 Subject: [PATCH 11/15] Fix building steps --- scripts/install | 14 +++++++------- scripts/upgrade | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/scripts/install b/scripts/install index 046b9b8..b95208f 100644 --- a/scripts/install +++ b/scripts/install 
@@ -129,16 +129,16 @@ chown $app:$app "$final_path/config.production.json" #============================================== # BUILD GHOST #============================================== -ynh_script_progression --message="Building $app... (this will take some time and resources!)" +ynh_script_progression --message="Building Ghost... (this will take some time and resources!)" pushd "$final_path" ynh_use_nodejs - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive --silent - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add knex-migrator - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production knex-migrator init - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add grunt-cli ember-cli - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt symlink - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt init --force + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add knex-migrator + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/knex-migrator init + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add grunt-cli ember-cli + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt symlink + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt init --force popd #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 0a66011..3e0561c 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
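Review bot: `yarn add knex-migrator` and `yarn add grunt-cli ember-cli` in the BUILD GHOST hunk of scripts/install fetch whatever version the registry serves at install time, so the archive verified by `SOURCE_SUM` is extended with unpinned code that is then executed with `NODE_ENV=production`. These commands also rewrite `package.json` and the lockfile inside `$final_path`. Pin each tool to an exact version (`yarn add knex-migrator@<pinned-version>`), and if the release archive ships a `yarn.lock`, run the first step as `yarn install --non-interactive --frozen-lockfile` so dependency resolution cannot drift. The identical lines in scripts/upgrade need the same treatment.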
@@ -155,15 +155,15 @@ chown $app:$app "$final_path/config.production.json" if [ "$upgrade_type" == "UPGRADE_APP" ] then - ynh_script_progression --message="Building $app... (this will take some time and resources!)" + ynh_script_progression --message="Building Ghost... (this will take some time and resources!)" pushd "$final_path" - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add knex-migrator - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production knex-migrator init - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add grunt - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt symlink - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt init --force + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add knex-migrator + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/knex-migrator init + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add grunt-cli ember-cli + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt symlink + ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt init --force popd fi From 9eb7dd6470112cf881d3148f2f1919cbc4f93b85 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Mon, 25 Oct 2021 18:06:11 +0200 Subject: [PATCH 12/15] Harden service security --- conf/systemd.service | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/conf/systemd.service b/conf/systemd.service index 42265a6..fcd502c 100644 --- a/conf/systemd.service +++ b/conf/systemd.service 
@@ -12,5 +12,33 @@ Environment="NODE_ENV=production" ExecStart=__YNH_NODE__ index.js run Restart=always +# Sandboxing options to harden security +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target From afe60a0227bc7ebbaf652f425e3506bb25487846 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Mon, 25 Oct 2021 18:06:50 +0200 Subject: [PATCH 13/15] Enforce file ownership in upgrade --- scripts/upgrade | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/upgrade b/scripts/upgrade index 3e0561c..725465f 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -117,6 +117,10 @@ then ynh_secure_remove --file="$tmpdir" fi +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" + #================================================= # NGINX CONFIGURATION #================================================= 
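Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` in conf/systemd.service names a capability that capabilities(7) does not define; the raw-I/O capability is `CAP_SYS_RAWIO`. systemd will most likely log a parse warning and ignore the unknown token, leaving that capability in the bounding set. Change the line to `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`, then check the deployed unit with `systemd-analyze security` to confirm the directives were accepted.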
From 6f70951fe9079e44c3e6c0d97bc16181c15db7ee Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Tue, 26 Oct 2021 06:19:31 +0000 Subject: [PATCH 14/15] Upgrade to v4.20.3 --- conf/admin.src | 4 ++-- conf/app.src | 4 ++-- manifest.json | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/conf/admin.src b/conf/admin.src index 13362ea..39ea75c 100644 --- a/conf/admin.src +++ b/conf/admin.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.20.1.zip -SOURCE_SUM=be297eda8d618759de25abe7fed5c6d11345623e0e8b27f537566036d88945fa +SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.20.3.zip +SOURCE_SUM=7d65b09ead2096c4f8a424b680bfbbe64453d7ae10decd6f7b5f680e55e03f31 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false diff --git a/conf/app.src b/conf/app.src index a7e7935..e3912fa 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.20.1/Ghost-4.20.1.zip -SOURCE_SUM=12d9850826676d7a402e12843f0832396cc302a3a9081c270250bdd6f1b55aa0 +SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.20.3/Ghost-4.20.3.zip +SOURCE_SUM=50d88c47cd9aa8d2b06a6b84729b015352a1cf311fdce5f441bb0e7def0c4fbf SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false diff --git a/manifest.json b/manifest.json index 69ee970..f078d84 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Publishing, memberships, subscriptions and newsletters platform", "fr": "Plateforme d'édition, d'adhésions, d'abonnements et de newsletters" }, - "version": "4.20.1~ynh1", + "version": "4.20.3~ynh1", "url": "https://ghost.org/", "upstream": { "license": "MIT", From f043a91d28eb3ec8230d1197106f1934d1178278 Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Tue, 26 Oct 2021 06:19:37 +0000 Subject: [PATCH 15/15] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/README.md b/README.md index 8cb8950..b239d65 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Publishing, memberships, subscriptions and newsletters platform -**Shipped version:** 4.20.1~ynh1 +**Shipped version:** 4.20.3~ynh1 diff --git a/README_fr.md b/README_fr.md index 673ee60..84273d0 100644 --- a/README_fr.md +++ b/README_fr.md @@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Plateforme d'édition, d'adhésions, d'abonnements et de newsletters -**Version incluse :** 4.20.1~ynh1 +**Version incluse :** 4.20.3~ynh1