diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
new file mode 100644
index 0000000..2729a6b
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1,55 @@
+---
+name: Bug report
+about: When creating a bug report, please use the following template to provide all the relevant information and help debugging efficiently.
+
+---
+
+**How to post a meaningful bug report**
+1. *Read this whole template first.*
+2. *Determine if you are on the right place:*
+ - *If you were performing an action on the app from the webadmin or the CLI (install, update, backup, restore, change_url...), you are on the right place!*
+ - *Otherwise, the issue may be due to the app itself. Refer to its documentation or repository for help.*
+ - *When in doubt, post here and we will figure it out together.*
+3. *Delete the italic comments as you write over them below, and remove this guide.*
+---
+
+### Describe the bug
+
+*A clear and concise description of what the bug is.*
+
+### Context
+
+- Hardware: *VPS bought online / Old laptop or computer / Raspberry Pi at home / Internet Cube with VPN / Other ARM board / ...*
+- YunoHost version: x.x.x
+- I have access to my server: *Through SSH | through the webadmin | direct access via keyboard / screen | ...*
+- Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: *no / yes*
+ - If yes, please explain:
+- Using, or trying to install package version/branch:
+- If upgrading, current package version: *can be found in the admin, or with `yunohost app info $app_id`*
+
+### Steps to reproduce
+
+- *If you performed a command from the CLI, the command itself is enough. For example:*
+ ```sh
+ sudo yunohost app install the_app
+ ```
+- *If you used the webadmin, please perform the equivalent command from the CLI first.*
+- *If the error occurs in your browser, explain what you did:*
+ 1. *Go to '...'*
+ 2. *Click on '...'*
+ 3. *Scroll down to '...'*
+ 4. *See error*
+
+### Expected behavior
+
+*A clear and concise description of what you expected to happen.
You can remove this section if the command above is enough to understand your intent.* + +### Logs + +*When an operation fails, YunoHost provides a simple way to share the logs.* +- *In the webadmin, the error message contains a link to the relevant log page. On that page, you will be able to 'Share with Yunopaste'. If you missed it, the logs of previous operations are also available under Tools > Logs.* +- *In command line, the command to share the logs is displayed at the end of the operation and looks like `yunohost log display [log name] --share`. If you missed it, you can find the log ID of a previous operation using `yunohost log list`.* + +*After sharing the log, please copypaste directly the link provided by YunoHost (to help readability, no need to copypaste the entire content of the log here, just the link is enough...)* + +*If applicable and useful, add screenshots to help explain your problem.* diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..ef70e18 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,16 @@ +## Problem + +- *Description of why you made this PR* + +## Solution + +- *And how do you fix that problem* + +## PR Status + +- [ ] Code finished and ready to be reviewed/tested +- [ ] The fix/enhancement were manually tested (if applicable) + +## Automatic tests + +Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ *after creating the PR*, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization) diff --git a/README.md b/README.md index 32f2004..eac68b3 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Overview Gitea is a fork of Gogs a self-hosted Git service written in Go. Alternative to Github. -**Shipped version:** 1.14.5 +**Shipped version:** 1.16.4 Screenshots ----------- 
@@ -68,12 +68,6 @@ Host domain.tld port 2222 # change this with the port you use ``` -You will also need to add the `gitea` user in the ssh permission with this command: - -``` -sudo adduser gitea ssh.app -``` - ### Architecture This package is compatible with amd64, i386 and arm. The package will try to detect it with the command uname -m and fail if it can't detect the architecture. If that happens please open an issue describing your hardware and the result of the command `uname -m`. diff --git a/conf/app.ini b/conf/app.ini index 9f00522..820082b 100644 --- a/conf/app.ini +++ b/conf/app.ini @@ -40,8 +40,8 @@ ENABLE_NOTIFY_MAIL = true DISABLE_REGISTRATION = true ENABLE_CAPTCHA = false REQUIRE_SIGNIN_VIEW = false -ENABLE_REVERSE_PROXY_AUTHENTICATION = false -ENABLE_REVERSE_PROXY_AUTO_REGISTERATION = false +ENABLE_REVERSE_PROXY_AUTHENTICATION = true +ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false [picture] AVATAR_UPLOAD_PATH = __DATA_PATH__/avatars @@ -73,3 +73,4 @@ XORM = file INSTALL_LOCK = true SECRET_KEY = __KEY__ REVERSE_PROXY_AUTHENTICATION_USER = REMOTE_USER +REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128 diff --git a/conf/login_source.sql b/conf/login_source.sql index ee9da47..96f850a 100644 --- a/conf/login_source.sql +++ b/conf/login_source.sql @@ -1,5 +1,5 @@ INSERT INTO `__APP__`.`login_source` -(`id`, `type`, `name`, `is_actived`, `cfg`, `created_unix`, `updated_unix`) +(`id`, `type`, `name`, `is_active`, `cfg`, `created_unix`, `updated_unix`) VALUES ('1', '2', 'Yunohost LDAP', '1', '{"Name":"Yunohost LDAP","Host":"localhost","Port":389,"UseSSL":false,"BindDN":"","BindPassword":"","UserBase":"ou=users,dc=yunohost,dc=org","AttributeName":"givenName","AttributeSurname":"sn","AttributeMail":"mail","Filter":"(&(uid=%s)(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))","AdminFilter":"(permission=cn=__APP__.admin,ou=permission,dc=yunohost,dc=org)","Enabled":true}', '1464014433', '1464015955') ON DUPLICATE KEY 
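Review bot: Setting `ENABLE_REVERSE_PROXY_AUTHENTICATION = true` in conf/app.ini makes Gitea accept the login name carried in the `REMOTE_USER` request header, and `REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128` in the second app.ini hunk does not narrow that by itself, because every request relayed by the local nginx arrives from loopback. The safety of this therefore rests on the proxy layer always overwriting or stripping a client-supplied value; the conf/nginx.conf hunk only drops the `fastcgi_param REMOTE_USER` line, and the visible part of the location block neither sets nor clears the header, so presumably the SSO layer handles it elsewhere. I would record that dependency next to the setting, e.g. `; REMOTE_USER is trusted as the login name: it must only ever be set by the local nginx/SSO layer, never passed through from the client`, and add a package test showing that a client-supplied value is not honoured.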
diff --git a/conf/nginx.conf b/conf/nginx.conf index 536fa2e..29ffee3 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -3,7 +3,6 @@ location __PATH__/ { proxy_pass http://localhost:__PORT__/; proxy_set_header Host $host; proxy_buffering off; - fastcgi_param REMOTE_USER $remote_user; client_max_body_size 200M; proxy_set_header X-Real-IP $remote_addr; diff --git a/conf/source/arm.src b/conf/source/arm.src index df859ba..891125c 100644 --- a/conf/source/arm.src +++ b/conf/source/arm.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.14.5/gitea-1.14.5-linux-arm-6 -SOURCE_SUM=2808bea62a84389e123b94331de7b330f8b9b9149bff1e8758d6c7adae88ef5a +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.16.4/gitea-1.16.4-linux-arm-6 +SOURCE_SUM=ed5c2fd355c05111c74cdf1ac9f6d184071fa1cabf194cdd11b8eb945db87195 SOURCE_SUM_PRG=sha256sum SOURCE_FILENAME=gitea SOURCE_EXTRACT=false diff --git a/conf/source/arm64.src b/conf/source/arm64.src index 2cb7de0..9d06aef 100644 --- a/conf/source/arm64.src +++ b/conf/source/arm64.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.14.5/gitea-1.14.5-linux-arm64 -SOURCE_SUM=43a9b559d8a080cbf55aac8961074a25018e83edfe70d7dc8666b9acff794b09 +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.16.4/gitea-1.16.4-linux-arm64 +SOURCE_SUM=570e334a327f4dc1b8412bf0af6423efc52508300ef54a646d63d4838dba0273 SOURCE_SUM_PRG=sha256sum SOURCE_FILENAME=gitea SOURCE_EXTRACT=false diff --git a/conf/source/arm64_1.14.src b/conf/source/arm64_1.14.src new file mode 100644 index 0000000..9bf2c89 --- /dev/null +++ b/conf/source/arm64_1.14.src @@ -0,0 +1,5 @@ +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.14.6/gitea-1.14.6-linux-arm64 +SOURCE_SUM=d0e177368445748dcbfc3a082e2f1c68317d1490e11574224fb12ca01e91e15e +SOURCE_SUM_PRG=sha256sum +SOURCE_FILENAME=gitea +SOURCE_EXTRACT=false 
diff --git a/conf/source/arm64_1.15.src b/conf/source/arm64_1.15.src
new file mode 100644
index 0000000..13f65f7
--- /dev/null
+++ b/conf/source/arm64_1.15.src
@@ -0,0 +1,5 @@
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.15.11/gitea-1.15.11-linux-arm64
+SOURCE_SUM=a41a702d24e463c44dbc57a30551938a5e4c9377995065aca07e9dfbb22d5afc
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FILENAME=gitea
+SOURCE_EXTRACT=false
diff --git a/conf/source/arm_1.14.src b/conf/source/arm_1.14.src
new file mode 100644
index 0000000..cb57028
--- /dev/null
+++ b/conf/source/arm_1.14.src
@@ -0,0 +1,5 @@
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.14.6/gitea-1.14.6-linux-arm-6
+SOURCE_SUM=4c075c11ee6b89b6c436c94e47290cf7daeff2006bb7ca1fbe6f22db4482e16f
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FILENAME=gitea
+SOURCE_EXTRACT=false
diff --git a/conf/source/arm_1.15.src b/conf/source/arm_1.15.src
new file mode 100644
index 0000000..25f4ee1
--- /dev/null
+++ b/conf/source/arm_1.15.src
@@ -0,0 +1,5 @@
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.15.11/gitea-1.15.11-linux-arm-6
+SOURCE_SUM=c60d364d8cb7e25b341cb7d9988cbc7b3485ff5aa994e021980dc47996a870f9
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FILENAME=gitea
+SOURCE_EXTRACT=false
diff --git a/conf/source/armv7.src b/conf/source/armv7.src
index aa2f7c6..f4820a2 100644
--- a/conf/source/armv7.src
+++ b/conf/source/armv7.src
@@ -1,8 +1,8 @@
 # The armv7 build is brocken
 # See : https://github.com/go-gitea/gitea/issues/6700
 # Use temporary the armv6 binary
-SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.14.5/gitea-1.14.5-linux-arm-6
-SOURCE_SUM=2808bea62a84389e123b94331de7b330f8b9b9149bff1e8758d6c7adae88ef5a
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.16.4/gitea-1.16.4-linux-arm-6
+SOURCE_SUM=ed5c2fd355c05111c74cdf1ac9f6d184071fa1cabf194cdd11b8eb945db87195
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FILENAME=gitea
 SOURCE_EXTRACT=false
diff --git a/conf/source/armv7_1.14.src b/conf/source/armv7_1.14.src
new file mode 100644
index 0000000..bd3cdc1
--- /dev/null
+++ b/conf/source/armv7_1.14.src
@@ -0,0 +1,8 @@
+# The armv7 build is brocken
+# See : https://github.com/go-gitea/gitea/issues/6700
+# Use temporary the armv6 binary
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.14.6/gitea-1.14.6-linux-arm-6
+SOURCE_SUM=4c075c11ee6b89b6c436c94e47290cf7daeff2006bb7ca1fbe6f22db4482e16f
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FILENAME=gitea
+SOURCE_EXTRACT=false
diff --git a/conf/source/armv7_1.15.src b/conf/source/armv7_1.15.src
new file mode 100644
index 0000000..3c2672e
--- /dev/null
+++ b/conf/source/armv7_1.15.src
@@ -0,0 +1,8 @@
+# The armv7 build is brocken
+# See : https://github.com/go-gitea/gitea/issues/6700
+# Use temporary the armv6 binary
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.15.11/gitea-1.15.11-linux-arm-6
+SOURCE_SUM=c60d364d8cb7e25b341cb7d9988cbc7b3485ff5aa994e021980dc47996a870f9
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FILENAME=gitea
+SOURCE_EXTRACT=false
diff --git a/conf/source/i386.src b/conf/source/i386.src
index 5546686..f9c7fac 100644
--- a/conf/source/i386.src
+++ b/conf/source/i386.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.14.5/gitea-1.14.5-linux-386
-SOURCE_SUM=4d144f146f85d8b87fd93809019e3d1fd1b691d1fcb1bd5ea3801e0dc5a87e84
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.16.4/gitea-1.16.4-linux-386
+SOURCE_SUM=016e4c7c99337edf4a44231e872aea4f29575a63efa9b15b39e3319efe962139
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FILENAME=gitea
 SOURCE_EXTRACT=false
diff --git a/conf/source/i386_1.14.src b/conf/source/i386_1.14.src
new file mode 100644
index 0000000..b9868bd
--- /dev/null
+++ b/conf/source/i386_1.14.src
@@ -0,0 +1,5 @@
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.14.6/gitea-1.14.6-linux-386
+SOURCE_SUM=1a3382eb4faf60a5f5c590843f8e7cd1f7d0e78e99fe2511f86368340c0cfe2e
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FILENAME=gitea
+SOURCE_EXTRACT=false
diff --git a/conf/source/i386_1.15.src b/conf/source/i386_1.15.src
new file mode 100644
index 0000000..53f0004
--- /dev/null
+++ b/conf/source/i386_1.15.src
@@ -0,0 +1,5 @@
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.15.11/gitea-1.15.11-linux-386
+SOURCE_SUM=bad15648236e8da71de1a09b9fe0f21d955605c3aba92f6bcf7dc1f490791a8d
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FILENAME=gitea
+SOURCE_EXTRACT=false
diff --git a/conf/source/x86-64.src b/conf/source/x86-64.src
index 4dd441b..4020a72 100644
--- a/conf/source/x86-64.src
+++ b/conf/source/x86-64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.14.5/gitea-1.14.5-linux-amd64
-SOURCE_SUM=8a6f7983bd47690e6087e14b7a32d6fb0b8868b137da0ea5edff28c32763ca6d
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.16.4/gitea-1.16.4-linux-amd64
+SOURCE_SUM=49f2469a7aabe3f5dc432b2c967e2d2c6c5c4fad6aae4c1ab4197ebbd159ddd1
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FILENAME=gitea
 SOURCE_EXTRACT=false
diff --git a/conf/source/x86-64_1.14.src b/conf/source/x86-64_1.14.src
new file mode 100644
index 0000000..be76bd3
--- /dev/null
+++ b/conf/source/x86-64_1.14.src
@@ -0,0 +1,5 @@
+SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.14.6/gitea-1.14.6-linux-amd64
+SOURCE_SUM=20cc0a89421695320b077c9fe4f16996f03aaf9d24f661f8d2255794551c849b
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FILENAME=gitea
+SOURCE_EXTRACT=false
diff --git a/conf/source/x86-64_1.15.src b/conf/source/x86-64_1.15.src
new file mode 100644
index 0000000..b647844
--- /dev/null
+++ b/conf/source/x86-64_1.15.src
@@ -0,0 +1,5 @@ +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.15.11/gitea-1.15.11-linux-amd64 +SOURCE_SUM=e2f62b67c311116fbf8e52b4c162dbd7684ce9c7f0370642c1d402fece43aa8f +SOURCE_SUM_PRG=sha256sum +SOURCE_FILENAME=gitea +SOURCE_EXTRACT=false diff --git a/conf/systemd.service b/conf/systemd.service index 821e0b9..31f9fe0 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -20,5 +20,35 @@ ExecStart=/opt/__APP__/gitea web Restart=always Environment=USER=__APP__ HOME=/home/__APP__ +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/manifest.json b/manifest.json index 7f9c989..143aa15 100644 --- a/manifest.json +++ b/manifest.json 
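Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` in conf/systemd.service names a capability that does not exist; capabilities(7), which the comment above it links, lists it as `CAP_SYS_RAWIO`. systemd most likely logs a parse warning and skips the unknown name, so raw I/O would stay in the bounding set while the unit reads as hardened. The line should be `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Since `NoNewPrivileges=yes` and the `@setuid` entry in `SystemCallFilter` also apply to the git and hook processes Gitea spawns, the new baseline should be exercised against push and SSH workflows before release. The [Service] section starts outside the hunk.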
@@ -8,7 +8,7 @@ }, "url": "http://gitea.io", "license": "MIT", - "version": "1.14.5~ynh1", + "version": "1.16.4~ynh1", "maintainer": { "name": "Josué Tille", "email": "josue@tille.ch" @@ -63,7 +63,7 @@ "fr": "Est-ce un site public ?" }, "help": { - "en": "A public server means that everybody is able to access to the pain page of the forge, on the public profile of the user and on the public repository. But you still can limit the access to each repository if you set it as private. Note that to be able to use the remote Git command (clone, pull, push) with HTTP and to use the API by (by example with a smartphone), you need to set this application as public.", + "en": "A public server means that everybody is able to access to the main page of the forge, on the public profile of the user and on the public repository. But you still can limit the access to each repository if you set it as private. Note that to be able to use the remote Git command (clone, pull, push) with HTTP and to use the API by (by example with a smartphone), you need to set this application as public.", "fr": "Un serveur public signifie que tout le monde peut accéder à la page principale de la forge, au profil public des utilisateurs et aux dépôts publics. Vous pouvez également définir les dépôts comme étant privés. Notez que pour pouvoir utiliser les commandes Git distantes (clone, pull, push) avec HTTP et pour pouvoir utiliser l'API (par exemple avec un smartphone), vous devez paramétrer cette application comme étant publique." }, "default": true diff --git a/scripts/install b/scripts/install index 2fc9231..3bd19b0 100644 --- a/scripts/install +++ b/scripts/install @@ -66,6 +66,8 @@ ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass" # Add users ynh_script_progression --message="Configuring system user..." ynh_system_user_create --username=$app --home_dir=/home/$app --use_shell +# Add ssh permission for gitea user +adduser $app ssh.app # create needed directories create_dir 
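Review bot: `adduser $app ssh.app` in scripts/install expands `$app` unquoted, and the same line is added in the second scripts/upgrade hunk; write `adduser "$app" ssh.app` in both places. The step also turns what the README described as a manual opt-in into a default: the account is created with `--use_shell` on the line above, so membership in `ssh.app` presumably makes it reachable through the host's sshd on every install and upgrade. A comment stating what limits that login would help, for example `# gitea needs ssh.app for git-over-SSH; access is expected to be limited to Gitea-managed authorized_keys entries and a password-less account (confirm)`.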
diff --git a/scripts/upgrade b/scripts/upgrade index 2b75536..d736f1c 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -195,10 +195,19 @@ case $upstream_version in ynh_setup_source $final_path source/${architecture}_1.13 restart_gitea ;& +"1.13."* ) + ynh_setup_source $final_path source/${architecture}_1.14 + restart_gitea +;& +"1.14."* ) + ynh_setup_source $final_path source/${architecture}_1.15 + restart_gitea +;& esac # Install gitea source ynh_setup_source $final_path source/$architecture +restart_gitea # SETUP FAIL2BAN ynh_script_progression --message="Configuring fail2ban..." @@ -226,6 +235,9 @@ fi ynh_script_progression --message="Register gitea service..." yunohost service add "$app" --log "/var/log/$app/gitea.log" +# Add ssh permission for gitea user +adduser $app ssh.app + # Set permissions ynh_script_progression --message="Protecting directory" set_permission
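Review bot: In the first scripts/upgrade hunk each new arm swaps the binary and calls `restart_gitea` before falling through with `;&`, but nothing visible waits for the intermediate release to finish its database migrations before the next `ynh_setup_source` replaces the binary. `restart_gitea` is defined outside the hunk, so this is a problem only if it returns as soon as the unit is started; in that case it should block until Gitea answers before the next step runs. If stepping through 1.14 and 1.15 is meant to let each release run its migrations, a comment above the `"1.13."* )` arm should say so, e.g. `# step through each minor release so its DB migrations run before the next binary is installed`. The case statement begins outside the hunk.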