From f0c6cb0686dd4a81d6728c29998e0e03a521a18b Mon Sep 17 00:00:00 2001
From: yunohost-bot
Date: Mon, 12 Sep 2022 06:54:45 +0000
Subject: [PATCH 1/5] Upgrade to v2.1.7
---
 conf/amd64.src | 7 ++++---
 conf/arm64.src | 7 ++++---
 conf/arm7.src | 7 ++++---
 manifest.json | 2 +-
 4 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/conf/amd64.src b/conf/amd64.src
index cd813ee..decab07 100644
--- a/conf/amd64.src
+++ b/conf/amd64.src
@@ -1,6 +1,7 @@
-SOURCE_URL=https://github.com/gotify/server/releases/download/v2.1.4/gotify-linux-amd64.zip
-SOURCE_SUM=98b126e5d934d45b1390b1a1b9136e7690518bfdbb731a75a45a55e86291af4b
+SOURCE_URL=https://github.com/gotify/server/releases/download/v2.1.7/gotify-linux-amd64.zip
+SOURCE_SUM=c1bead32dc1aafeceff5f9783be9e62294a84c3ceb03260c829a10ce7a9a8a10
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=zip
 SOURCE_IN_SUBDIR=false
-SOURCE_FILENAME=gotify-linux-amd64
+SOURCE_FILENAME=
+SOURCE_EXTRACT=true
diff --git a/conf/arm64.src b/conf/arm64.src
index d37686a..2fea1f1 100644
--- a/conf/arm64.src
+++ b/conf/arm64.src
@@ -1,6 +1,7 @@
-SOURCE_URL=https://github.com/gotify/server/releases/download/v2.1.4/gotify-linux-arm64.zip
-SOURCE_SUM=1379a92844e9d632cc5fd01db1e1d1ef4303bb6e92e6ca7e2618f06ed463264c
+SOURCE_URL=https://github.com/gotify/server/releases/download/v2.1.7/gotify-linux-arm64.zip
+SOURCE_SUM=35da7810260521412b06ca169c602b6a84aba96d960fe4f7410ca49551ef0c09
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=zip
 SOURCE_IN_SUBDIR=false
-SOURCE_FILENAME=gotify-linux-arm64
+SOURCE_FILENAME=
+SOURCE_EXTRACT=true
diff --git a/conf/arm7.src b/conf/arm7.src
index 1c196de..b9b5c01 100644
--- a/conf/arm7.src
+++ b/conf/arm7.src
@@ -1,6 +1,7 @@
-SOURCE_URL=https://github.com/gotify/server/releases/download/v2.1.4/gotify-linux-arm-7.zip
-SOURCE_SUM=ffbc8710f1ba6b2c3dc74171fd4e28fc74765e6dda2e6a304dc0685bbd167243
+SOURCE_URL=https://github.com/gotify/server/releases/download/v2.1.7/gotify-linux-arm-7.zip
+SOURCE_SUM=52d5f75a73c5a6a987749e5ff2158335b62a97322dc96dc597c7c6329f2234ce
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=zip
 SOURCE_IN_SUBDIR=false
-SOURCE_FILENAME=gotify-linux-arm-7
+SOURCE_FILENAME=
+SOURCE_EXTRACT=true
diff --git a/manifest.json b/manifest.json
index d1355c2..861a6f1 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "A simple server for sending and receiving messages.",
 "fr": "Un simple serveur pour envoyer et recevoir des messages."
 },
- "version": "2.1.4~ynh2",
+ "version": "2.1.7~ynh1",
 "url": "http://gotify.net",
 "upstream": {
 "license": "MIT",
From 0f4120daeb184ab73ef3f33bb68aabcc17d8f5d9 Mon Sep 17 00:00:00 2001
From: yunohost-bot
Date: Mon, 12 Sep 2022 06:54:46 +0000
Subject: [PATCH 2/5] Update to version 2.1.7
---
 conf/i386.src | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 conf/i386.src
diff --git a/conf/i386.src b/conf/i386.src
new file mode 100644
index 0000000..dffeaa2
--- /dev/null
+++ b/conf/i386.src
@@ -0,0 +1,7 @@
+SOURCE_URL=https://github.com/gotify/server/releases/download/v2.1.7/gotify-linux-386.zip
+SOURCE_SUM=03ed0ace3065985c81531fc2f09ae3ee33e56bc86c6aff63603bea71c4f260f4
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FORMAT=zip
+SOURCE_IN_SUBDIR=false
+SOURCE_FILENAME=
+SOURCE_EXTRACT=true
From 4f62658115d44daf00bd8dc7d3a79cdfb9cc0f82 Mon Sep 17 00:00:00 2001
From: yunohost-bot
Date: Mon, 12 Sep 2022 06:54:50 +0000
Subject: [PATCH 3/5] Auto-update README
---
 README.md | 2 +-
 README_fr.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 440228c..b41423d 100644
--- a/README.md
+++ b/README.md
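Review bot: With `SOURCE_FILENAME=` emptied and `SOURCE_EXTRACT=true` set, arm7.src no longer states what the unpacked executable is called, and it presumably keeps the name carried by the archive (`gotify-linux-arm-7` here, `gotify-linux-386` in the new conf/i386.src). The service unit in this series starts `__FINALPATH__/gotify-linux-__ARCHITECTURE__`; if `__ARCHITECTURE__` is filled with the same token that selects the .src file (`arm7`, `i386`), that path will not exist on those two architectures. The install and upgrade scripts that do the substitution are not part of these hunks, so the mapping needs confirming there, or the binary should be renamed explicitly after extraction.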
@@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 Gotify is a simple server for sending and receiving messages in real-time per web socket. (Includes a sleek web-ui)
-**Shipped version:** 2.1.4~ynh2
+**Shipped version:** 2.1.7~ynh1
 ## Screenshots
diff --git a/README_fr.md b/README_fr.md
index ff8b5ca..7fecaa5 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -18,7 +18,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 Gotify est un serveur simple permettant d'envoyer et de recevoir des messages via websocket.
-**Version incluse :** 2.1.4~ynh2
+**Version incluse :** 2.1.7~ynh1
 ## Captures d'écran
From 612efaaaadce147e4bac6111f27b8aed1e4791a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Tue, 13 Sep 2022 08:30:21 +0200
Subject: [PATCH 4/5] Cleaning
---
 check_process | 19 ++++++++-----------
 manifest.json | 11 +++--------
 scripts/upgrade | 2 +-
 3 files changed, 12 insertions(+), 20 deletions(-)
diff --git a/check_process b/check_process
index a55837d..6fa4032 100644
--- a/check_process
+++ b/check_process
@@ -5,11 +5,10 @@
 ;; Test complet
 ; Manifest
- domain="domain.tld" (DOMAIN)
- path="/path" (PATH)
- admin="john" (USER)
- password="pass"
- port="666" (PORT)
+ domain="domain.tld"
+ path="/path"
+ admin="john"
+ password="1Strong-Password"
 ; Checks
 pkg_linter=1
 setup_sub_dir=1
@@ -18,14 +17,12 @@
 setup_private=0
 setup_public=0
 upgrade=1
- upgrade=1 from_commit=e0fbbb9a6d2fd87b4d42e85c0fc8f4e479689abc
- # 2.1.4~ynh1
- upgrade=1 from_commit=28288aaf8c675b5c4f9b738bf099e242a48bd27f
+ # 2.1.4~ynh2
+ upgrade=1 from_commit=05cdef939dfb64e3a00c0f831ef6ef5dab109053
 backup_restore=1
 multi_instance=1
- port_already_use=1
 change_url=1
 ;;; Upgrade options
- ; commit=e0fbbb9a6d2fd87b4d42e85c0fc8f4e479689abc
- name=Mon Feb 18 21:55:49 2019 +0100 Merge branch 'master' of github.com:YunoHost-Apps/gotify_ynh
+ ; commit=05cdef939dfb64e3a00c0f831ef6ef5dab109053
+ name=Merge pull request #39 from YunoHost-Apps/testing
 manifest_arg=domain=DOMAIN&admin=USER&password=pass&port=666&path=/&is_public=1
diff --git a/manifest.json b/manifest.json
index 861a6f1..97af955 100644
--- a/manifest.json
+++ b/manifest.json
@@ -3,8 +3,8 @@
 "id": "gotify",
 "packaging_format": 1,
 "description": {
- "en": "A simple server for sending and receiving messages.",
- "fr": "Un simple serveur pour envoyer et recevoir des messages."
+ "en": "Simple server for sending and receiving messages",
+ "fr": "Simple serveur pour envoyer et recevoir des messages"
 },
 "version": "2.1.7~ynh1",
 "url": "http://gotify.net",
@@ -45,12 +45,7 @@
 },
 {
 "name": "password",
- "type": "password",
- "ask": {
- "en": "Set the administrator password",
- "fr": "Définissez le mot de passe administrateur"
- },
- "example": "Choose a password"
+ "type": "password"
 }
 ]
 }
diff --git a/scripts/upgrade b/scripts/upgrade
index 94a3e14..c288ce2 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -88,7 +88,7 @@ chown -R $app: $final_path/data
 ynh_script_progression --message="Making sure dedicated system user exists..." --weight=2
 # Create a dedicated user (if not existing)
-ynh_system_user_create $app
+ynh_system_user_create --username=$app --home_dir="$final_path"
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
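Review bot: The unchanged `manifest_arg=` line under `;;; Upgrade options` still sends `password=pass&port=666`, although this commit drops the `port` argument and the `port_already_use` check and moves the install test to `1Strong-Password`. If commit 05cdef9 no longer asks for a port, the stale argument should go and the password should match the new one, e.g. `manifest_arg=domain=DOMAIN&admin=USER&password=1Strong-Password&path=/&is_public=1`. Whether that older revision still expects `port` cannot be told from the hunk, so this needs checking against its manifest.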
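Review bot: `--home_dir="$final_path"` makes the install directory the service account's home, and that directory also holds the executable the unit starts; the only ownership visible here is the hunk header's `chown -R $app: $final_path/data`. It is worth confirming, outside this hunk, that everything except `data/` stays root-owned so the service account cannot replace its own binary. Separately, `$app` is expanded unquoted on the same line where `$final_path` is quoted; `ynh_system_user_create --username="$app" --home_dir="$final_path"` keeps the two consistent.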
From 03611fcc51b7a074ef03108c40e07605baa8e0df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Tue, 13 Sep 2022 08:32:50 +0200
Subject: [PATCH 5/5] Update systemd.service
---
 conf/systemd.service | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/conf/systemd.service b/conf/systemd.service
index 7d424a4..42b8b14 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -10,5 +10,35 @@ Group=__APP__
 WorkingDirectory=__FINALPATH__/
 ExecStart=__FINALPATH__/gotify-linux-__ARCHITECTURE__
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
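Review bot: `CAP_RAWIO` in the first `CapabilityBoundingSet=` line is not a capability name — capabilities(7), which the comment above it links, lists `CAP_SYS_RAWIO` — so an unrecognised name is most likely skipped and raw I/O access stays in the bounding set; the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. `ProtectSystem=full` makes only /usr, the boot loader directories and /etc read-only, which leaves `__FINALPATH__` and the executable in it writable; `ProtectSystem=strict` with `ReadWritePaths=__FINALPATH__/data` would confine writes to the data directory, assuming that is the only path the server writes to. Running `systemd-analyze security` against the installed unit is a quick way to confirm what the directives actually achieve. The `[Service]` section these lines belong to starts above the hunk.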