From a9a49c27253079a66f7226bf206fc9be64365c0d Mon Sep 17 00:00:00 2001
From: yalh76
Date: Thu, 6 Oct 2022 00:00:31 +0200
Subject: [PATCH 1/5] Apply last example_ynh
---
 .github/workflows/updater.sh | 74 +++++++++++-----------
 check_process | 4 +-
 conf/app.src | 2 +
 conf/nginx.conf | 104 +++++++++++++++---------------
 conf/php-fpm.conf | 63 ++++++++++++++-----
 doc/DESCRIPTION.md | 1 +
 doc/DESCRIPTION_fr.md | 1 +
 manifest.json | 8 +--
 scripts/_common.sh | 11 ++--
 scripts/backup | 9 +--
 scripts/change_url | 14 ++---
 scripts/install | 84 ++++++++++++-------------
 scripts/remove | 30 ++++-----
 scripts/restore | 61 +++++++++---------
 scripts/upgrade | 118 +++++++++++++++++------------------
 15 files changed, 308 insertions(+), 276 deletions(-)
 create mode 100644 doc/DESCRIPTION.md
 create mode 100644 doc/DESCRIPTION_fr.md
diff --git a/.github/workflows/updater.sh b/.github/workflows/updater.sh
index 3080808..386be22 100755
--- a/.github/workflows/updater.sh
+++ b/.github/workflows/updater.sh
@@ -17,56 +17,58 @@ echo "${#ASSETS[@]} available asset(s)" # Let's loop over the array of assets URLs for asset_url in ${ASSETS[@]}; do -echo "Handling asset at $asset_url" + echo "Handling asset at $asset_url" -# Assign the asset to a source file in conf/ directory -# Leave $src empty to ignore the asset -case $asset_url in - *"admin"*) - src="app" - ;; - *"update"*) - src="app-upgrade" - ;; - *) - src="" - ;; -esac + # Assign the asset to a source file in conf/ directory + # Leave $src empty to ignore the asset + case $asset_url in + *"admin"*) + src="app" + ;; + *"update"*) + src="app-upgrade" + ;; + *) + src="" + ;; + esac -# If $src is not empty, let's process the asset -if [ ! -z "$src" ]; then + # If $src is not empty, let's process the asset + if [ ! -z "$src" ]; then -# Create the temporary directory -tempdir="$(mktemp -d)" + # Create the temporary directory + tempdir="$(mktemp -d)" -# Download sources and calculate checksum -filename=${asset_url##*/} -curl --silent -4 -L $asset_url -o "$tempdir/$filename" -checksum=$(sha256sum "$tempdir/$filename" | head -c 64) + # Download sources and calculate checksum + filename=${asset_url##*/} + curl --silent -4 -L $asset_url -o "$tempdir/$filename" + checksum=$(sha256sum "$tempdir/$filename" | head -c 64) -# Delete temporary directory -rm -rf $tempdir + # Delete temporary directory + rm -rf $tempdir -# Get extension -if [[ $filename == *.tar.gz ]]; then - extension=tar.gz -else - extension=${filename##*.} -fi + # Get extension + if [[ $filename == *.tar.gz ]]; then + extension=tar.gz + else + extension=${filename##*.} + fi -# Rewrite source file -cat < conf/$src.src + # Rewrite source file + cat < conf/$src.src SOURCE_URL=$asset_url SOURCE_SUM=$checksum SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=$extension SOURCE_IN_SUBDIR=true +SOURCE_FILENAME= +SOURCE_EXTRACT=true EOT -echo "... conf/$src.src updated" + echo "... conf/$src.src updated" -else -echo "... asset ignored" -fi + else + echo "... 
asset ignored" + fi done echo "Done!" diff --git a/check_process b/check_process index 743a33e..290566d 100644 --- a/check_process +++ b/check_process @@ -6,9 +6,9 @@ ; Manifest domain="domain.tld" path="/path" - admin="john" - language="fr_FR" is_public=1 + language="fr_FR" + admin="john" ; Actions action_argument=arg1|arg2 is_public=1|0 diff --git a/conf/app.src b/conf/app.src index 4e4deac..919ba5e 100644 --- a/conf/app.src +++ b/conf/app.src @@ -3,3 +3,5 @@ SOURCE_SUM=6f916a7d6ca1b44ceb4844516cfacba9e5a1c733c4bc1cb00148a1de70e6e70e SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=true +SOURCE_FILENAME= +SOURCE_EXTRACT=true diff --git a/conf/nginx.conf b/conf/nginx.conf index 348e2ca..25f5699 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
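Review bot: The re-indented download step in .github/workflows/updater.sh still hashes whatever curl wrote: `curl --silent -4 -L $asset_url -o "$tempdir/$filename"` has no `--fail` and its exit status is not checked, so an HTTP error page or a truncated transfer would have its SHA-256 written into `conf/$src.src` as `SOURCE_SUM` and pinned as the trusted value. I would change it to `curl --silent --fail -4 -L "$asset_url" -o "$tempdir/$filename" || exit 1` and quote the cleanup as `rm -rf -- "$tempdir"`. The loop header `for asset_url in ${ASSETS[@]}` has the same unquoted expansion; the part of the script that fills `ASSETS` is outside the hunk. Because the checksum is derived from the download itself, it only detects later changes to the asset, which deserves a short comment above the `sha256sum` line.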
@@ -1,65 +1,65 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - alias __FINALPATH__/; - index index.php; + alias __FINALPATH__/; + index index.php; - client_max_body_size 30m; + client_max_body_size 30m; - # Add headers to serve security related headers - more_set_headers "Strict-Transport-Security: max-age=15768000"; - more_set_headers "X-Content-Type-Options: nosniff"; - more_set_headers "X-Frame-Options: SAMEORIGIN"; - more_set_headers "X-XSS-Protection: 1; mode=block"; - more_set_headers "X-Download-Options: noopen"; - more_set_headers "X-Permitted-Cross-Domain-Policies: none"; + # Add headers to serve security related headers + more_set_headers "Strict-Transport-Security: max-age=15768000"; + more_set_headers "X-Content-Type-Options: nosniff"; + more_set_headers "X-Frame-Options: SAMEORIGIN"; + more_set_headers "X-XSS-Protection: 1; mode=block"; + more_set_headers "X-Download-Options: noopen"; + more_set_headers "X-Permitted-Cross-Domain-Policies: none"; - # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 ) - try_files $uri $uri/ __PATH__/__PATH__/index.php?$query_string; + # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 ) + try_files $uri $uri/ __PATH__/__PATH__/index.php?$query_string; - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; - fastcgi_index index.php; - include fastcgi_params; - # https://learn.getgrav.org/webservers-hosting/servers/nginx#fix-against-httpoxy-vulnerability - fastcgi_param HTTP_PROXY ""; - fastcgi_param REMOTE_USER $remote_user; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param SCRIPT_FILENAME $request_filename; - } + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; + fastcgi_index index.php; + include fastcgi_params; + # 
https://learn.getgrav.org/webservers-hosting/servers/nginx#fix-against-httpoxy-vulnerability + fastcgi_param HTTP_PROXY ""; + fastcgi_param REMOTE_USER $remote_user; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param SCRIPT_FILENAME $request_filename; + } - location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { - expires 30d; - more_set_headers "Vary: Accept-Encoding"; - log_not_found off; - } + location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { + expires 30d; + more_set_headers "Vary: Accept-Encoding"; + log_not_found off; + } - location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)$ { - access_log off; - expires 30d; - more_set_headers "Cache-Control: public"; + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)$ { + access_log off; + expires 30d; + more_set_headers "Cache-Control: public"; - ## No need to bleed constant updates. Send the all shebang in one fell swoop. - tcp_nodelay off; + ## No need to bleed constant updates. Send the all shebang in one fell swoop. + tcp_nodelay off; - ## Set the OS file cache. - open_file_cache max=3000 inactive=120s; - open_file_cache_valid 45s; - open_file_cache_min_uses 2; - open_file_cache_errors off; - } + ## Set the OS file cache. 
+ open_file_cache max=3000 inactive=120s; + open_file_cache_valid 45s; + open_file_cache_min_uses 2; + open_file_cache_errors off; + } - ## Begin - Security - # deny all direct access for these folders - location ~* /(.git|cache|bin|logs|backups)/.*$ { return 403; } - # deny running scripts inside core system folders - location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } - # deny running scripts inside user folder - location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } - # deny access to specific files in the root folder - location ~ /(LICENSE|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; } - ## End - Security + ## Begin - Security + # deny all direct access for these folders + location ~* /(.git|cache|bin|logs|backups)/.*$ { return 403; } + # deny running scripts inside core system folders + location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } + # deny running scripts inside user folder + location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } + # deny access to specific files in the root folder + location ~ /(LICENSE|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; } + ## End - Security - #--PRIVATE--# Include SSOWAT user panel. - #--PRIVATE--include conf.d/yunohost_panel.conf.inc; + #--PRIVATE--# Include SSOWAT user panel. + #--PRIVATE--include conf.d/yunohost_panel.conf.inc; } diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index d34fb95..1c4acc9 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf 
@@ -1,10 +1,11 @@ ; Start a new pool named 'www'. -; the variable $pool can we used in any directive and will be replaced by the +; the variable $pool can be used in any directive and will be replaced by the ; pool name ('www' here) [__NAMETOCHANGE__] ; Per pool prefix ; It only applies on the following directives: +; - 'access.log' ; - 'slowlog' ; - 'listen' (unixsocket) ; - 'chroot' @@ -24,17 +25,19 @@ group = __USER__ ; The address on which to accept FastCGI requests. ; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on ; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; ; '/path/to/unix/socket' - to listen on a unix socket. ; Note: This value is mandatory. listen = /var/run/php/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock ; Set listen(2) backlog. -; Default Value: 128 (-1 on FreeBSD and OpenBSD) -;listen.backlog = 128 +; Default Value: 511 (-1 on FreeBSD and OpenBSD) +;listen.backlog = 511 ; Set permissions for unix socket, if one is used. In Linux, read/write ; permissions must be set in order to allow connections from a web server. Many 
@@ -44,8 +47,13 @@ listen = /var/run/php/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock listen.owner = www-data listen.group = www-data ;listen.mode = 0660 +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. +; When set, listen.owner and listen.group are ignored +;listen.acl_users = +;listen.acl_groups = -; List of ipv4 addresses of FastCGI clients which are allowed to connect. +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address ; must be separated by a comma. If this value is left blank, connections will be @@ -59,7 +67,13 @@ listen.group = www-data ; - The pool processes will inherit the master process priority ; unless it specified otherwise ; Default Value: no set -; priority = -19 +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user +; or group is differrent than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes ; Choose how the process manager will control the number of child processes. ; Possible Values: @@ -215,7 +229,7 @@ pm.max_requests = 500 ; last request memory: 0 ; ; Note: There is a real-time FPM status monitoring sample web page available -; It's available in: ${prefix}/share/fpm/status.html +; It's available in: /usr/share/php/7.0/fpm/status.html ; ; Note: The value must start with a leading slash (/). The value can be ; anything, but it may not be a good idea to use the .php extension or it 
@@ -275,7 +289,7 @@ pm.max_requests = 500 ; - %{megabytes}M ; - %{mega}M ; %n: pool name -; %o: ouput header +; %o: output header ; it must be associated with embraces to specify the name of the header: ; - %{Content-Type}o ; - %{X-Powered-By}o @@ -291,9 +305,13 @@ pm.max_requests = 500 ; %t: server time the request was received ; it can accept a strftime(3) format: ; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t ; %T: time the log has been written (the request has finished) ; it can accept a strftime(3) format: ; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t ; %u: remote user ; ; Default: "%R - %u %t \"%m %r\" %s" @@ -349,13 +367,22 @@ chdir = __FINALPATH__ ; Default Value: no catch_workers_output = yes +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + ; Limits the extensions of the main script FPM will allow to parse. This can ; prevent configuration mistakes on the web server side. You should only limit ; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. +; execute php code. ; Note: set an empty value to allow all extensions. ; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 +;security.limit_extensions = .php .php3 .php4 .php5 .php7 ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from ; the current environment. 
@@ -391,5 +418,13 @@ catch_workers_output = yes ;php_admin_flag[log_errors] = on ;php_admin_value[memory_limit] = 32M -;php_admin_value[upload_max_filesize] =30M -;php_admin_value[post_max_size] =30M +; Common values to change to increase file upload limit +; php_admin_value[upload_max_filesize] = 50M +; php_admin_value[post_max_size] = 50M +; php_admin_flag[mail.add_x_header] = Off + +; Other common parameters +; php_admin_value[max_execution_time] = 600 +; php_admin_value[max_input_time] = 300 +; php_admin_value[memory_limit] = 256M +; php_admin_flag[short_open_tag] = On diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md new file mode 100644 index 0000000..e2700c1 --- /dev/null +++ b/doc/DESCRIPTION.md @@ -0,0 +1 @@ +Grav is a modern open source flat-file CMS. diff --git a/doc/DESCRIPTION_fr.md b/doc/DESCRIPTION_fr.md new file mode 100644 index 0000000..f51fab0 --- /dev/null +++ b/doc/DESCRIPTION_fr.md @@ -0,0 +1 @@ +Un CMS moderne basé sur des fichiers plats diff --git a/manifest.json b/manifest.json index 59b3d02..2f1eb34 100644 --- a/manifest.json +++ b/manifest.json @@ -55,10 +55,6 @@ "example": "/grav", "default": "/grav" }, - { - "name": "admin", - "type": "user" - }, { "name": "is_public", "type": "boolean", @@ -80,6 +76,10 @@ "fr_FR" ], "default": "fr_FR" + }, + { + "name": "admin", + "type": "user" } ] } diff --git a/scripts/_common.sh b/scripts/_common.sh index 51e19ec..febad80 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -4,11 +4,14 @@ # COMMON VARIABLES #================================================= -# Version numbers -YNH_PHP_VERSION="7.3" +php_dependencies="php$YNH_DEFAULT_PHP_VERSION-zip php$YNH_DEFAULT_PHP_VERSION-mbstring php$YNH_DEFAULT_PHP_VERSION-curl php$YNH_DEFAULT_PHP_VERSION-dom php$YNH_DEFAULT_PHP_VERSION-gd php$YNH_DEFAULT_PHP_VERSION-xml php$YNH_DEFAULT_PHP_VERSION-ldap" -# dependencies used by the app -pkg_dependencies="php${YNH_PHP_VERSION}-zip php${YNH_PHP_VERSION}-mbstring php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-dom php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-xml php${YNH_PHP_VERSION}-ldap" +# dependencies used by the app (must be on a single line) +pkg_dependencies="$php_dependencies" + +#================================================= +# PERSONAL HELPERS +#================================================= #================================================= # EXPERIMENTAL HELPERS diff --git a/scripts/backup b/scripts/backup index 553bb8f..441f732 100644 --- a/scripts/backup +++ b/scripts/backup @@ -6,6 +6,7 @@ # IMPORT GENERIC HELPERS #================================================= +# Keep this path for calling _common.sh inside the execution's context of backup and restore scripts source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers @@ -33,8 +34,6 @@ phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= ynh_print_info --message="Declaring files to be backed up..." -#================================================= -# STANDARD BACKUP STEPS #================================================= # BACKUP THE APP MAIN DIR #================================================= 
@@ -51,10 +50,12 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" # BACKUP THE PHP-FPM CONFIGURATION #================================================= -ynh_backup --src_path="/etc/php/${phpversion}/fpm/pool.d/$app.conf" +ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" #================================================= -# BACKUP CRON +# SPECIFIC BACKUP +#================================================= +# BACKUP VARIOUS FILES #================================================= ynh_backup --src_path="/etc/cron.d/$app" diff --git a/scripts/change_url b/scripts/change_url index 0828722..abf1be5 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -30,7 +30,7 @@ ynh_script_progression --message="Loading installation settings..." --weight=1 final_path=$(ynh_app_setting_get --app=$app --key=final_path) #================================================= -# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP +# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP #================================================= ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --weight=1 @@ -40,7 +40,7 @@ ynh_clean_setup () { # Remove the new domain config file, the remove script won't do it as it doesn't know yet its location. ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" - # restore it if the upgrade fails + # Restore it if the upgrade fails ynh_restore_upgradebackup } # Exit if an error occurs during the execution of the script 
@@ -71,19 +71,19 @@ ynh_script_progression --message="Updating NGINX web server configuration..." -- nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf -# Change the path in the nginx config file +# Change the path in the NGINX config file if [ $change_path -eq 1 ] then - # Make a backup of the original nginx config file if modified + # Make a backup of the original NGINX config file if modified ynh_backup_if_checksum_is_different --file="$nginx_conf_path" - # Set global variables for nginx helper + # Set global variables for NGINX helper domain="$old_domain" path_url="$new_path" - # Create a dedicated nginx config + # Create a dedicated NGINX config ynh_add_nginx_config fi -# Change the domain for nginx +# Change the domain for NGINX if [ $change_domain -eq 1 ] then # Delete file checksum for the old conf file location diff --git a/scripts/install b/scripts/install index 87e836e..0880ae8 100644 --- a/scripts/install +++ b/scripts/install @@ -22,9 +22,9 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH -admin=$YNH_APP_ARG_ADMIN -language=$YNH_APP_ARG_LANGUAGE is_public=$YNH_APP_ARG_IS_PUBLIC +language=$YNH_APP_ARG_LANGUAGE +admin=$YNH_APP_ARG_ADMIN app=$YNH_APP_INSTANCE_NAME @@ -34,7 +34,7 @@ app=$YNH_APP_INSTANCE_NAME ynh_script_progression --message="Validating installation parameters..." --weight=1 final_path=/var/www/$app -test ! -e "$final_path" || ynh_die "This path already contains a folder" +test ! -e "$final_path" || ynh_die --message="This path already contains a folder" # Register (book) web path ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url 
@@ -46,11 +46,13 @@ ynh_script_progression --message="Storing installation settings..." --weight=1 ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url -ynh_app_setting_set --app=$app --key=admin --value=$admin ynh_app_setting_set --app=$app --key=language --value=$language +ynh_app_setting_set --app=$app --key=admin --value=$admin ynh_app_setting_set --app=$app --key=with_sftp --value="false" ynh_app_setting_set --app=$app --key=password --value=$(ynh_string_random) +#================================================= +# STANDARD MODIFICATIONS #================================================= # INSTALL DEPENDENCIES #================================================= @@ -64,10 +66,8 @@ ynh_install_app_dependencies $pkg_dependencies ynh_script_progression --message="Configuring system user..." --weight=1 # Create a system user -ynh_system_user_create --username=$app --home_dir=$final_path +ynh_system_user_create --username=$app --home_dir="$final_path" -#================================================= -# STANDARD MODIFICATIONS #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= 
@@ -75,29 +75,8 @@ ynh_script_progression --message="Setting up source files..." --weight=2 ynh_app_setting_set --app=$app --key=final_path --value=$final_path # Download, check integrity, uncompress and patch the source from app.src -ynh_setup_source --dest_dir=$final_path - -#================================================= -# NGINX CONFIGURATION -#================================================= -ynh_script_progression --message="Configuring NGINX web server..." --weight=1 - -# Create a dedicated nginx config -ynh_add_nginx_config - -#================================================= -# PHP-FPM CONFIGURATION -#================================================= -ynh_script_progression --message="Configuring PHP-FPM..." --weight=3 - -# Create a dedicated php-fpm config -ynh_add_fpm_config --usage=medium --footprint=medium - -#================================================= -# GENERIC FINALIZATION -#================================================= -# SECURE FILES AND DIRECTORIES -#================================================= +ynh_setup_source --dest_dir="$final_path" +ynh_setup_source --dest_dir="$final_path/user/plugins/login-ldap" --source_id="ldap" # Set permissions on app files chown -R $app:www-data "$final_path" 
@@ -107,12 +86,27 @@ find "$final_path" -type d -exec chmod 750 {} \; find "$final_path" -type d -exec chmod +s {} \; #================================================= -# INSTALL LDAP PLUGIN +# PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Installing and configuring LDAP plugin..." --weight=1 +ynh_script_progression --message="Configuring PHP-FPM..." --weight=3 -# Download LDAP source -ynh_setup_source --dest_dir="$final_path/user/plugins/login-ldap" --source_id="ldap" +# Create a dedicated PHP-FPM config +ynh_add_fpm_config --usage=medium --footprint=medium + +#================================================= +# NGINX CONFIGURATION +#================================================= +ynh_script_progression --message="Configuring NGINX web server..." --weight=1 + +# Create a dedicated NGINX config +ynh_add_nginx_config + +#================================================= +# SPECIFIC SETUP +#================================================= +# ADD A CONFIGURATION +#================================================= +ynh_script_progression --message="Adding a configuration file..." --weight=1 # Preparing config ynh_exec_as $app mkdir -p "$final_path/user/config/plugins/login-ldap" 
@@ -126,29 +120,33 @@ chmod 640 "$final_path/user/config/plugins/login-ldap.yaml" #================================================= # CREATE A CRON TASK #================================================= +ynh_script_progression --message="Creating a cron task..." --weight=1 -echo "* * * * * $app php${YNH_PHP_VERSION} $final_path/bin/grav scheduler 1>> /dev/null 2>&1" > /etc/cron.d/$app +echo "* * * * * $app php$phpversion $final_path/bin/grav scheduler 1>> /dev/null 2>&1" > /etc/cron.d/$app chmod 644 /etc/cron.d/$app + #================================================= -# SETUP PERMISSIONS +# GENERIC FINALIZATION +#================================================= +# SETUP SSOWAT #================================================= ynh_script_progression --message="Configuring permissions..." --weight=1 -# Giving admin permission to the specified used -ynh_permission_create --permission "admin" --allowed $admin - -# Creating user permission -ynh_permission_create --permission "user" - # Make app public if necessary if [ $is_public -eq 1 ] then # Everyone can access the app. # The "main" permission is automatically created before the install script. - ynh_permission_update --permission "main" --add "visitors" + ynh_permission_update --permission="main" --add="visitors" fi +# Giving admin permission to the specified used +ynh_permission_create --permission="admin" --allowed=$admin + +# Creating user permission +ynh_permission_create --permission="user" + #================================================= # RELOAD NGINX #================================================= diff --git a/scripts/remove b/scripts/remove index f9d63cd..d9d704e 100644 --- a/scripts/remove +++ b/scripts/remove 
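Review bot: The new cron line in scripts/install uses `php$phpversion`, but no visible hunk of that script assigns `phpversion`; the old line used `YNH_PHP_VERSION`, which this patch also removes from scripts/_common.sh. Unless a helper called earlier sets it in the script's scope (not visible here), the entry in `/etc/cron.d/$app` would be written with a bare `php`, or the install would abort if unset variables are treated as errors. I would read it explicitly before the `echo`, as backup and restore do in this patch: `phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)`. In the same hunk `--allowed=$admin` is unquoted while scripts/upgrade now passes `--allowed="$admin"`; quoting it here keeps the two consistent.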
@@ -14,29 +14,13 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Loading installation settings..." --weight=1 -# Get multi-instances specific variables app=$YNH_APP_INSTANCE_NAME -# Retrieve app settings domain=$(ynh_app_setting_get --app=$app --key=domain) final_path=$(ynh_app_setting_get --app=$app --key=final_path) #================================================= # STANDARD REMOVE -#================================================= -# REMOVE DEPENDENCIES -#================================================= -ynh_script_progression --message="Removing dependencies..." --weight=2 - -# Remove metapackage and its dependencies -ynh_remove_app_dependencies - -#================================================= -# REMOVE THE CRON -#================================================= - -ynh_secure_remove --file="/etc/cron.d/$app" - #================================================= # REMOVE APP MAIN DIR #================================================= @@ -50,7 +34,7 @@ ynh_secure_remove --file="$final_path" #================================================= ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1 -# Remove the dedicated nginx config +# Remove the dedicated NGINX config ynh_remove_nginx_config #================================================= @@ -58,7 +42,7 @@ ynh_remove_nginx_config #================================================= ynh_script_progression --message="Removing PHP-FPM configuration..." --weight=2 -# Remove the dedicated php-fpm config +# Remove the dedicated PHP-FPM config ynh_remove_fpm_config #================================================= 
@@ -69,6 +53,16 @@ ynh_script_progression --message="Removing dependencies..." --weight=1 # Remove metapackage and its dependencies ynh_remove_app_dependencies +#================================================= +# SPECIFIC REMOVE +#================================================= +# REMOVE VARIOUS FILES +#================================================= +ynh_script_progression --message="Removing various files..." --weight=1 + +# Remove a cron file +ynh_secure_remove --file="/etc/cron.d/$app" + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/restore b/scripts/restore index 65e62a1..843210c 100644 --- a/scripts/restore +++ b/scripts/restore @@ -6,6 +6,7 @@ # IMPORT GENERIC HELPERS #================================================= +# Keep this path for calling _common.sh inside the execution's context of backup and restore scripts source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers @@ -14,24 +15,22 @@ source /usr/share/yunohost/helpers #================================================= ynh_clean_setup () { - #### Remove this function if there's nothing to clean before calling the remove script. true } # Exit if an error occurs during the execution of the script ynh_abort_if_errors - #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading settings..." --weight=1 +ynh_script_progression --message="Loading installation settings..." --weight=1 app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) - +phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) fpm_footprint=$(ynh_app_setting_get --app=$app --key=fpm_footprint) fpm_usage=$(ynh_app_setting_get --app=$app --key=fpm_usage) 
@@ -40,23 +39,18 @@ fpm_usage=$(ynh_app_setting_get --app=$app --key=fpm_usage) #================================================= ynh_script_progression --message="Validating restoration parameters..." --weight=1 -test ! -d $final_path || ynh_die --message="There is already a directory: $final_path " +test ! -d $final_path \ + || ynh_die --message="There is already a directory: $final_path " #================================================= # STANDARD RESTORATION STEPS -#================================================= -# RESTORE THE NGINX CONFIGURATION -#================================================= - -ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" - #================================================= # RECREATE THE DEDICATED USER #================================================= ynh_script_progression --message="Recreating the dedicated system user..." --weight=3 # Create the dedicated user (if not existing) -ynh_system_user_create --username=$app --home_dir=$final_path +ynh_system_user_create --username=$app --home_dir="$final_path" #================================================= # RESTORE THE APP MAIN DIR @@ -65,11 +59,6 @@ ynh_script_progression --message="Restoring the app main directory..." --weight= ynh_restore_file --origin_path="$final_path" -#================================================= -# RESTORE USER RIGHTS -#================================================= - -# Restore permissions on app files chown -R $app:www-data "$final_path" find "$final_path" -type f -exec chmod 640 {} \; find "$final_path/bin" -type f -exec chmod 750 {} \; 
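Review bot: `test ! -d $final_path` in the re-wrapped guard of scripts/restore leaves the expansion unquoted, while the same hunk now quotes it in `--home_dir="$final_path"`. I would write `test ! -d "$final_path" \` so that a path containing whitespace, or an empty setting, is tested as a single operand. scripts/install uses `test ! -e` for the equivalent check, which also rejects a pre-existing non-directory at that path; consider matching it here.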
@@ -77,19 +66,7 @@ find "$final_path" -type d -exec chmod 750 {} \; find "$final_path" -type d -exec chmod +s {} \; #================================================= -# RESTORE THE CRON -#================================================= - -ynh_restore_file --origin_path="/etc/cron.d/$app" -chmod 644 /etc/cron.d/$app - -#================================================= -# RESTORE THE PHP-FPM CONFIGURATION -#================================================= - -# Restore the file first, so it can have a backup if different -ynh_restore_file --origin_path="/etc/php/$YNH_PHP_VERSION/fpm/pool.d/$app.conf" - +# SPECIFIC RESTORATION #================================================= # REINSTALL DEPENDENCIES #================================================= @@ -98,6 +75,28 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=1 # Define and install dependencies ynh_install_app_dependencies $pkg_dependencies +#================================================= +# RESTORE THE PHP-FPM CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the PHP-FPM configuration..." --weight=1 + +ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" + +#================================================= +# RESTORE THE NGINX CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the NGINX web server configuration..." --weight=1 + +ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" + +#================================================= +# RESTORE VARIOUS FILES +#================================================= +ynh_script_progression --message="Restoring various files..." --weight=1 + +ynh_restore_file --origin_path="/etc/cron.d/$app" +chmod 644 /etc/cron.d/$app + #================================================= # GENERIC FINALIZATION #================================================= 
@@ -105,7 +104,7 @@ ynh_install_app_dependencies $pkg_dependencies #================================================= ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." --weight=1 -ynh_systemd_action --service_name=php${YNH_PHP_VERSION}-fpm --action=restart +ynh_systemd_action --service_name=php$phpversion-fpm --action=reload ynh_systemd_action --service_name=nginx --action=reload #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 4abb584..7e88cf4 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -18,10 +18,9 @@ app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) +language=$(ynh_app_setting_get --app=$app --key=language) admin=$(ynh_app_setting_get --app=$app --key=admin) final_path=$(ynh_app_setting_get --app=$app --key=final_path) -language=$(ynh_app_setting_get --app=$app --key=language) - fpm_footprint=$(ynh_app_setting_get --app=$app --key=fpm_footprint) fpm_usage=$(ynh_app_setting_get --app=$app --key=fpm_usage) 
@@ -31,9 +30,26 @@ password=$(ynh_app_setting_get --app=$app --key=password) #================================================= # CHECK VERSION #================================================= +ynh_script_progression --message="Checking version..." --weight=1 upgrade_type=$(ynh_check_app_version_changed) +#================================================= +# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP +#================================================= +ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=4 + +# Backup the current version of the app +ynh_backup_before_upgrade +ynh_clean_setup () { + # Restore it if the upgrade fails + ynh_restore_upgradebackup +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + +#================================================= +# STANDARD UPGRADE STEPS #================================================= # ENSURE DOWNWARD COMPATIBILITY #================================================= @@ -59,15 +75,15 @@ if ynh_legacy_permissions_exists; then fi # Giving admin permission to the specified used -if ! ynh_permission_exists --permission "admin" +if ! ynh_permission_exists --permission="admin" then - ynh_permission_create --permission "admin" --allowed "$admin" + ynh_permission_create --permission="admin" --allowed="$admin" fi # Creating user permission -if ! ynh_permission_exists --permission "user" +if ! ynh_permission_exists --permission="user" then - ynh_permission_create --permission "user" + ynh_permission_create --permission="user" fi # If fpm_footprint doesn't exist, create it 
@@ -88,22 +104,19 @@ if [ -z "$with_sftp" ] || [ -z "$password" ]; then ynh_app_setting_set --app=$app --key=password --value=$(ynh_string_random) fi -#================================================= -# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP -#================================================= -ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=4 - -# Backup the current version of the app -ynh_backup_before_upgrade -ynh_clean_setup () { - # restore it if the upgrade fails - ynh_restore_upgradebackup -} -# Exit if an error occurs during the execution of the script -ynh_abort_if_errors +# Delete existing ini configuration file (backward compatibility) +if [ -f /etc/php/$YNH_PHP_VERSION/fpm/conf.d/20-$app.ini ]; then + ynh_secure_remove --file=/etc/php/$YNH_PHP_VERSION/fpm/conf.d/20-$app.ini +fi #================================================= -# STANDARD UPGRADE STEPS +# CREATE DEDICATED USER +#================================================= +ynh_script_progression --message="Making sure dedicated system user exists..." --weight=3 + +# Create a dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= 
@@ -114,15 +127,15 @@ then # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" --source_id="app-upgrade" + ynh_setup_source --dest_dir="$final_path/user/plugins/login-ldap" --source_id="ldap" fi -#================================================= -# NGINX CONFIGURATION -#================================================= -ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=2 - -# Create a dedicated nginx config -ynh_add_nginx_config +# Set permissions on app files +chown -R $app:www-data "$final_path" +find "$final_path" -type f -exec chmod 640 {} \; +find "$final_path/bin" -type f -exec chmod 750 {} \; +find "$final_path" -type d -exec chmod 750 {} \; +find "$final_path" -type d -exec chmod +s {} \; #================================================= # UPGRADE DEPENDENCIES 
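Review bot: The ownership and mode pass (`chown -R $app:www-data "$final_path"` plus the four `find … -exec chmod` lines) now runs right after the source download, ahead of later steps in this script that still create files under `$final_path`. The `mkdir -p "$final_path/user/config/plugins/login-ldap"` and `touch "$final_path/user/accounts/admin.yaml"` lines are no longer normalised, nor is anything the plugin upgrade inside `pushd "$final_path"` writes (that step is not visible in these hunks). They keep the owner and umask-derived modes of the process that created them; only `login-ldap.yaml` gets an explicit `chown`/`chmod`. Either keep this pass after the last step that writes into `$final_path`, or set owner and mode on each later-created path. Separately, `chmod +s` on directories sets setuid as well as setgid; if group inheritance is the intent, `chmod g+s` states it exactly.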
@@ -131,36 +144,28 @@ ynh_script_progression --message="Upgrading dependencies..." --weight=1 ynh_install_app_dependencies $pkg_dependencies -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Making sure dedicated system user exists..." --weight=3 - -# Create a dedicated user (if not existing) -ynh_system_user_create --username=$app --home_dir=$final_path - #================================================= # PHP-FPM CONFIGURATION #================================================= ynh_script_progression --message="Upgrading PHP-FPM configuration..." --weight=1 -# Create a dedicated php-fpm config +# Create a dedicated PHP-FPM config ynh_add_fpm_config --usage=$fpm_usage --footprint=$fpm_footprint -# Delete existing ini configuration file (backward compatibility) -if [ -f /etc/php/$YNH_PHP_VERSION/fpm/conf.d/20-$app.ini ]; then - ynh_secure_remove --file=/etc/php/$YNH_PHP_VERSION/fpm/conf.d/20-$app.ini -fi +#================================================= +# NGINX CONFIGURATION +#================================================= +ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=2 + +# Create a dedicated NGINX config +ynh_add_nginx_config #================================================= # SPECIFIC UPGRADE #================================================= -# UPGRADE LDAP PLUGIN +# UPDATE A CONFIG FILE #================================================= -ynh_script_progression --message="Installing and configuring LDAP plugin..." --weight=3 - -# Download LDAP source -ynh_setup_source --dest_dir="$final_path/user/plugins/login-ldap" --source_id="ldap" +ynh_script_progression --message="Updating a configuration file..." --weight=3 mkdir -p "$final_path/user/config/plugins/login-ldap" touch "$final_path/user/accounts/admin.yaml" 
@@ -169,17 +174,6 @@ ynh_add_config --template="../conf/login-ldap.yaml" --destination="$final_path/u chown $app:$app "$final_path/user/config/plugins/login-ldap.yaml" chmod 640 "$final_path/user/config/plugins/login-ldap.yaml" -#================================================= -# SECURE FILES AND DIRECTORIES -#================================================= - -# Set permissions on app files -chown -R $app:www-data "$final_path" -find "$final_path" -type f -exec chmod 640 {} \; -find "$final_path/bin" -type f -exec chmod 750 {} \; -find "$final_path" -type d -exec chmod 750 {} \; -find "$final_path" -type d -exec chmod +s {} \; - #================================================= # UPGRADE PLUGINS #================================================= @@ -190,18 +184,20 @@ pushd "$final_path" popd #================================================= -# CREATE A CRON TASK -#================================================= +# UPDATE A CRON TASK +#================================================ +ynh_script_progression --message="Updating a cron task..." --weight=1 echo "* * * * * $app php${YNH_PHP_VERSION} $final_path/bin/grav scheduler 1>> /dev/null 2>&1" > /etc/cron.d/$app chmod 644 /etc/cron.d/$app #================================================= -# RELOAD NGINX AND PHP-FPM +# GENERIC FINALIZATION #================================================= -ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." --weight=1 +# RELOAD NGINX +#================================================= +ynh_script_progression --message="Reloading NGINX web server..." --weight=1 -ynh_systemd_action --service_name=php${YNH_PHP_VERSION}-fpm --action=restart ynh_systemd_action --service_name=nginx --action=reload #================================================= From 6fb084e3a0bc05c69da597623efd10ba3cea8648 Mon Sep 17 00:00:00 2001 
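Review bot: The cron entry in the second hunk still invokes `php${YNH_PHP_VERSION}`, and the backward-compatibility cleanup earlier in this file also uses `/etc/php/$YNH_PHP_VERSION/…`, while the restore script in this series addresses the pool file and service through `$phpversion`. If the stored setting and the packaging constant ever differ, the scheduler would run under a different interpreter than the FPM pool. Reading the version from one source keeps them aligned, e.g. `php$phpversion` in the cron line once `phpversion` has been loaded from the app settings. The replacement rule `#================================================` is also one `=` shorter than the other section rules.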
From: yalh76 Date: Thu, 6 Oct 2022 00:02:28 +0200 Subject: [PATCH 2/5] Fix #114 --- conf/nginx.conf | 3 ++- conf/php-fpm.conf | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 25f5699..5985a89 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -3,7 +3,8 @@ location __PATH__/ { alias __FINALPATH__/; index index.php; - client_max_body_size 30m; + # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file + client_max_body_size 50M; # Add headers to serve security related headers more_set_headers "Strict-Transport-Security: max-age=15768000"; diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 1c4acc9..9ea382b 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -419,8 +419,8 @@ catch_workers_output = yes ;php_admin_value[memory_limit] = 32M ; Common values to change to increase file upload limit -; php_admin_value[upload_max_filesize] = 50M -; php_admin_value[post_max_size] = 50M +php_admin_value[upload_max_filesize] = 50M +php_admin_value[post_max_size] = 50M ; php_admin_flag[mail.add_x_header] = Off ; Other common parameters From 63b617cd770fbf6d443686877ed1169f64f6efc8 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Wed, 5 Oct 2022 22:02:35 +0000 Subject: [PATCH 3/5] Auto-update README --- README.md | 3 ++- README_fr.md | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 656407e..9a0cb8a 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,8 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in ## Overview -A modern open source flat-file CMS +Grav is a modern open source flat-file CMS. + **Shipped version:** 1.7.36~ynh1 diff --git a/README_fr.md b/README_fr.md index 26d4039..7e1701c 100644 --- a/README_fr.md +++ b/README_fr.md 
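Review bot: `post_max_size` is enabled at the same value as `upload_max_filesize`, and `client_max_body_size` in conf/nginx.conf is also 50M, so the three limits leave no headroom for multipart framing. A file close to 50M produces a request body larger than 50M and is rejected before `upload_max_filesize` is ever evaluated. If 50M uploads are the goal, make the outer limits slightly larger, e.g. `php_admin_value[post_max_size] = 55M` with a matching `client_max_body_size 55M;`. Since the limits are now raised, it is also worth confirming that the pool's `memory_limit` (still commented out in the context line) suits the new request size.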
@@ -17,6 +17,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Un CMS moderne basé sur des fichiers plats + **Version incluse :** 1.7.36~ynh1 From f419bbf334fb55ccc3519db3ca52d6ee48d14e52 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Thu, 6 Oct 2022 01:22:04 +0200 Subject: [PATCH 4/5] Fix phpversion --- scripts/install | 1 + scripts/upgrade | 1 + 2 files changed, 2 insertions(+) diff --git a/scripts/install b/scripts/install index 0880ae8..8e12fb4 100644 --- a/scripts/install +++ b/scripts/install @@ -92,6 +92,7 @@ ynh_script_progression --message="Configuring PHP-FPM..." --weight=3 # Create a dedicated PHP-FPM config ynh_add_fpm_config --usage=medium --footprint=medium +phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= # NGINX CONFIGURATION diff --git a/scripts/upgrade b/scripts/upgrade index 7e88cf4..e9eda47 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -151,6 +151,7 @@ ynh_script_progression --message="Upgrading PHP-FPM configuration..." --weight=1 # Create a dedicated PHP-FPM config ynh_add_fpm_config --usage=$fpm_usage --footprint=$fpm_footprint +phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= # NGINX CONFIGURATION From 610ce8172ad20fb18e7b7abc6b74ba7aeee6eb64 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Thu, 6 Oct 2022 04:17:55 +0200 Subject: [PATCH 5/5] Clean db_name --- scripts/backup | 1 - scripts/upgrade | 6 ------ 2 files changed, 7 deletions(-) diff --git a/scripts/backup b/scripts/backup index 441f732..df79dd9 100644 --- a/scripts/backup +++ b/scripts/backup @@ -26,7 +26,6 @@ app=$YNH_APP_INSTANCE_NAME final_path=$(ynh_app_setting_get --app=$app --key=final_path) domain=$(ynh_app_setting_get --app=$app --key=domain) -db_name=$(ynh_app_setting_get --app=$app --key=db_name) phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= 
diff --git a/scripts/upgrade b/scripts/upgrade index e9eda47..a5b85e3 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -55,12 +55,6 @@ ynh_abort_if_errors #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 -# If db_name doesn't exist, create it -if [ -z "$db_name" ]; then - db_name=$(ynh_sanitize_dbid --db_name=$app) - ynh_app_setting_set --app=$app --key=db_name --value=$db_name -fi - # If final_path doesn't exist, create it if [ -z "$final_path" ]; then final_path=/var/www/$app