YunoHost-Apps/headscale_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/headscale_ynh.git synced 2024-09-03 19:25:53 +02:00
Code Issues Activity Actions

Initial commit

Browse source
This commit is contained in:
tituspijean 2022-10-16 11:57:49 +02:00
commit 703c468939
No known key found for this signature in database
GPG key ID: EF3B0D7CC0A94720
25 changed files with 1923 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
.github/ISSUE_TEMPLATE.md vendored Normal file
View file

@ -0,0 +1,55 @@
---
name: Bug report
about: When creating a bug report, please use the following template to provide all the relevant information and help debugging efficiently.
---
**How to post a meaningful bug report**
1. *Read this whole template first.*
2. *Determine if you are on the right place:*
- *If you were performing an action on the app from the webadmin or the CLI (install, update, backup, restore, change_url...), you are on the right place!*
- *Otherwise, the issue may be due to the app itself. Refer to its documentation or repository for help.*
- *When in doubt, post here and we will figure it out together.*
3. *Delete the italic comments as you write over them below, and remove this guide.*
---
### Describe the bug
*A clear and concise description of what the bug is.*
### Context
- Hardware: *VPS bought online / Old laptop or computer / Raspberry Pi at home / Internet Cube with VPN / Other ARM board / ...*
- YunoHost version: x.x.x
- I have access to my server: *Through SSH | through the webadmin | direct access via keyboard / screen | ...*
- Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: *no / yes*
- If yes, please explain:
- Using, or trying to install package version/branch:
- If upgrading, current package version: *can be found in the admin, or with `yunohost app info $app_id`*
### Steps to reproduce
- *If you performed a command from the CLI, the command itself is enough. For example:*
```sh
sudo yunohost app install the_app
```
- *If you used the webadmin, please perform the equivalent command from the CLI first.*
- *If the error occurs in your browser, explain what you did:*
1. *Go to '...'*
2. *Click on '...'*
3. *Scroll down to '...'*
4. *See error*
### Expected behavior
*A clear and concise description of what you expected to happen. You can remove this section if the command above is enough to understand your intent.*
### Logs
*When an operation fails, YunoHost provides a simple way to share the logs.*
- *In the webadmin, the error message contains a link to the relevant log page. On that page, you will be able to 'Share with Yunopaste'. If you missed it, the logs of previous operations are also available under Tools > Logs.*
- *In command line, the command to share the logs is displayed at the end of the operation and looks like `yunohost log display [log name] --share`. If you missed it, you can find the log ID of a previous operation using `yunohost log list`.*
*After sharing the log, please copypaste directly the link provided by YunoHost (to help readability, no need to copypaste the entire content of the log here, just the link is enough...)*
*If applicable and useful, add screenshots to help explain your problem.*

16
.github/PULL_REQUEST_TEMPLATE.md vendored Normal file
View file

@ -0,0 +1,16 @@
## Problem
- *Description of why you made this PR*
## Solution
- *And how do you fix that problem*
## PR Status
- [ ] Code finished and ready to be reviewed/tested
- [ ] The fix/enhancement were manually tested (if applicable)
## Automatic tests
Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ *after creating the PR*, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)

137
.github/workflows/updater.sh vendored Executable file
View file

@ -0,0 +1,137 @@
#!/bin/bash
#=================================================
# PACKAGE UPDATING HELPER
#=================================================
# This script is meant to be run by GitHub Actions
# The YunoHost-Apps organisation offers a template Action to run this script periodically
# Since each app is different, maintainers can adapt its contents so as to perform
# automatic actions when a new upstream release is detected.
# Remove this exit command when you are ready to run this Action
exit 1
#=================================================
# FETCHING LATEST RELEASE AND ITS ASSETS
#=================================================
# Fetching information
current_version=$(cat manifest.json | jq -j '.version|split("~")[0]')
repo=$(cat manifest.json | jq -j '.upstream.code|split("https://github.com/")[1]')
# Some jq magic is needed, because the latest upstream release is not always the latest version (e.g. security patches for older versions)
version=$(curl --silent "https://api.github.com/repos/$repo/releases" | jq -r '.[] | select( .prerelease != true ) | .tag_name' | sort -V | tail -1)
assets=($(curl --silent "https://api.github.com/repos/$repo/releases" | jq -r '[ .[] | select(.tag_name=="'$version'").assets[].browser_download_url ] | join(" ") | @sh' | tr -d "'"))
# Later down the script, we assume the version has only digits and dots
# Sometimes the release name starts with a "v", so let's filter it out.
# You may need more tweaks here if the upstream repository has different naming conventions.
if [[ ${version:0:1} == "v" || ${version:0:1} == "V" ]]; then
version=${version:1}
fi
# Setting up the environment variables
echo "Current version: $current_version"
echo "Latest release from upstream: $version"
echo "VERSION=$version" >> $GITHUB_ENV
echo "REPO=$repo" >> $GITHUB_ENV
# For the time being, let's assume the script will fail
echo "PROCEED=false" >> $GITHUB_ENV
# Proceed only if the retrieved version is greater than the current one
if ! dpkg --compare-versions "$current_version" "lt" "$version" ; then
echo "::warning ::No new version available"
exit 0
# Proceed only if a PR for this new version does not already exist
elif git ls-remote -q --exit-code --heads https://github.com/$GITHUB_REPOSITORY.git ci-auto-update-v$version ; then
echo "::warning ::A branch already exists for this update"
exit 0
fi
# Each release can hold multiple assets (e.g. binaries for different architectures, source code, etc.)
echo "${#assets[@]} available asset(s)"
#=================================================
# UPDATE SOURCE FILES
#=================================================
# Here we use the $assets variable to get the resources published in the upstream release.
# Here is an example for Grav, it has to be adapted in accordance with how the upstream releases look like.
# Let's loop over the array of assets URLs
for asset_url in ${assets[@]}; do
echo "Handling asset at $asset_url"
# Assign the asset to a source file in conf/ directory
# Here we base the source file name upon a unique keyword in the assets url (admin vs. update)
# Leave $src empty to ignore the asset
case $asset_url in
*"admin"*)
src="app"
;;
*"update"*)
src="app-upgrade"
;;
*)
src=""
;;
esac
# If $src is not empty, let's process the asset
if [ ! -z "$src" ]; then
# Create the temporary directory
tempdir="$(mktemp -d)"
# Download sources and calculate checksum
filename=${asset_url##*/}
curl --silent -4 -L $asset_url -o "$tempdir/$filename"
checksum=$(sha256sum "$tempdir/$filename" | head -c 64)
# Delete temporary directory
rm -rf $tempdir
# Get extension
if [[ $filename == *.tar.gz ]]; then
extension=tar.gz
else
extension=${filename##*.}
fi
# Rewrite source file
cat <<EOT > conf/$src.src
SOURCE_URL=$asset_url
SOURCE_SUM=$checksum
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=$extension
SOURCE_IN_SUBDIR=true
SOURCE_FILENAME=
EOT
echo "... conf/$src.src updated"
else
echo "... asset ignored"
fi
done
#=================================================
# SPECIFIC UPDATE STEPS
#=================================================
# Any action on the app's source code can be done.
# The GitHub Action workflow takes care of committing all changes after this script ends.
#=================================================
# GENERIC FINALIZATION
#=================================================
# Replace new version in manifest
echo "$(jq -s --indent 4 ".[] | .version = \"$version~ynh1\"" manifest.json)" > manifest.json
# No need to update the README, yunohost-bot takes care of it
# The Action will proceed only if the PROCEED environment variable is set to true
echo "PROCEED=true" >> $GITHUB_ENV
exit 0

2
.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
*~
*.sw[op]

17
LICENSE Normal file
View file

@ -0,0 +1,17 @@
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

84
README.md Normal file
View file

@ -0,0 +1,84 @@
# Packaging an app, starting from this example
* Copy this app before working on it, using the ['Use this template'](https://github.com/YunoHost/example_ynh/generate) button on the Github repo.
* Edit the `manifest.json` with app specific info.
* Edit the `install`, `upgrade`, `remove`, `backup`, and `restore` scripts, and any relevant conf files in `conf/`.
* Using the [script helpers documentation.](https://yunohost.org/packaging_apps_helpers)
* Add a `LICENSE` file for the package.
* Edit `doc/DISCLAIMER*.md`
* The `README.md` files are to be automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator
---
<!--
N.B.: This README was automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator
It shall NOT be edited by hand.
-->
# Example app for YunoHost
[![Integration level](https://dash.yunohost.org/integration/example.svg)](https://dash.yunohost.org/appci/app/example) ![Working status](https://ci-apps.yunohost.org/ci/badges/example.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/example.maintain.svg)
[![Install Example app with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=example)
*[Lire ce readme en français.](./README_fr.md)*
> *This package allows you to install Example app quickly and simply on a YunoHost server.
If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.*
## Overview
Some long and extensive description of what the app is and does, lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
### Features
- Ut enim ad minim veniam, quis nostrud exercitation ullamco ;
- Laboris nisi ut aliquip ex ea commodo consequat ;
- Duis aute irure dolor in reprehenderit in voluptate ;
- Velit esse cillum dolore eu fugiat nulla pariatur ;
- Excepteur sint occaecat cupidatat non proident, sunt in culpa."
**Shipped version:** 1.0~ynh1
**Demo:** https://demo.example.com
## Screenshots
![Screenshot of Example app](./doc/screenshots/example.jpg)
## Disclaimers / important information
* Any known limitations, constrains or stuff not working, such as (but not limited to):
* requiring a full dedicated domain ?
* architectures not supported ?
* not-working single-sign on or LDAP integration ?
* the app requires an important amount of RAM / disk / .. to install or to work properly
* etc...
* Other infos that people should be aware of, such as:
* any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...)
* how to configure / administrate the application if it ain't obvious
* upgrade process / specificities / things to be aware of ?
* security considerations ?
## Documentation and resources
* Official app website: <https://example.com>
* Official user documentation: <https://yunohost.org/apps>
* Official admin documentation: <https://yunohost.org/packaging_apps>
* Upstream app code repository: <https://some.forge.com/example/example>
* YunoHost documentation for this app: <https://yunohost.org/app_example>
* Report a bug: <https://github.com/YunoHost-Apps/example_ynh/issues>
## Developer info
Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/example_ynh/tree/testing).
To try the testing branch, please proceed like that.
``` bash
sudo yunohost app install https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug
or
sudo yunohost app upgrade example -u https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug
```
**More info regarding app packaging:** <https://yunohost.org/packaging_apps>

34
check_process Normal file
View file

@ -0,0 +1,34 @@
# See here for more information
# https://github.com/YunoHost/package_check#syntax-check_process-file
# Move this file from check_process.default to check_process when you have filled it.
;; Test complet
; Manifest
domain="domain.tld"
path="/path"
is_public=1
language="fr"
admin="john"
password="1Strong-Password"
port="666"
; Checks
pkg_linter=1
setup_sub_dir=1
setup_root=1
setup_nourl=0
setup_private=1
setup_public=1
upgrade=1
upgrade=1 from_commit=CommitHash
backup_restore=1
multi_instance=1
port_already_use=0
change_url=1
;;; Options
Email=
Notification=none
;;; Upgrade options
; commit=CommitHash
name=Name and date of the commit.
manifest_arg=domain=DOMAIN&path=PATH&is_public=1&language=fr&admin=USER&password=pass&port=666&

318
conf/config.yaml Normal file
View file

@ -0,0 +1,318 @@
# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
#
# - `/etc/headscale`
# - `~/.headscale`
# - current working directory
# The url clients will connect to.
# Typically this will be a domain like:
#
# https://myheadscale.example.com:443
#
server_url: https://__DOMAIN__
# Address to listen to / bind to on the server
#
# For production:
listen_addr: 127.0.0.1:__PORT__
# Address to listen to /metrics, you may want
# to keep this endpoint private to your internal
# network
#
metrics_listen_addr: 127.0.0.1:__PORT_METRICS__
# Address to listen for gRPC.
# gRPC is used for controlling a headscale server
# remotely with the CLI
# Note: Remote access _only_ works if you have
# valid certificates.
grpc_listen_addr: 127.0.0.1:__PORT_GRPC__
# Allow the gRPC admin interface to run in INSECURE
# mode. This is not recommended as the traffic will
# be unencrypted. Only enable if you know what you
# are doing.
grpc_allow_insecure: false
# Private key used to encrypt the traffic between headscale
# and Tailscale clients.
# The private key file will be autogenerated if it's missing.
private_key_path: __INSTALL_DIR__/private.key
# The Noise section includes specific configuration for the
# TS2021 Noise protocol
noise:
# The Noise private key is used to encrypt the
# traffic between headscale and Tailscale clients when
# using the new Noise-based protocol. It must be different
# from the legacy private key.
private_key_path: __INSTALL_DIR__/noise_private.key
# List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address,
# and the associated prefix length, delimited by a slash.
# It must be within IP ranges supported by the Tailscale
# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
# See below:
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
ip_prefixes:
- fd7a:115c:a1e0::/48
- 100.64.0.0/10
# DERP is a relay system that Tailscale uses when a direct
# connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
#
# headscale needs a list of DERP servers that can be presented
# to the clients.
derp:
server:
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
enabled: false
# Region ID to use for the embedded DERP server.
# The local DERP prevails if the region ID collides with other region ID coming from
# the regular DERP config.
region_id: 999
# Region code and name are displayed in the Tailscale UI to identify a DERP region
region_code: "headscale"
region_name: "Headscale Embedded DERP"
# Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
# When the embedded DERP server is enabled stun_listen_addr MUST be defined.
#
# For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
stun_listen_addr: "0.0.0.0:3478"
# List of externally available DERP maps encoded in JSON
urls:
- https://controlplane.tailscale.com/derpmap/default
# Locally available DERP map files encoded in YAML
#
# This option is mostly interesting for people hosting
# their own DERP servers:
# https://tailscale.com/kb/1118/custom-derp-servers/
#
# paths:
# - /etc/headscale/derp-example.yaml
paths: []
# If enabled, a worker will be set up to periodically
# refresh the given sources and update the derpmap
# will be set up.
auto_update_enabled: true
# How often should we check for DERP updates?
update_frequency: 24h
# Disables the automatic check for headscale updates on startup
disable_check_updates: true
# Time before an inactive ephemeral node is deleted?
ephemeral_node_inactivity_timeout: 30m
# Period to check for node updates within the tailnet. A value too low will severely affect
# CPU consumption of Headscale. A value too high (over 60s) will cause problems
# for the nodes, as they won't get updates or keep alive messages frequently enough.
# In case of doubts, do not touch the default 10s.
node_update_check_interval: 10s
# SQLite config
db_type: sqlite3
# For production:
db_path: __INSTALL_DIR__/db.sqlite
# FIXME: Disabled due to 'Error initializing error="simple protocol queries must be run with client_encoding=UTF8"'
# # Postgres config
# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
#db_type: postgres
#db_host: localhost
#db_port: 5432
#db_name: __DB_NAME
#db_user: __DB_USER
#db_pass: __DB_PWD
# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
#db_ssl: false
### TLS configuration
#
## Let's encrypt / ACME
#
# headscale supports automatically requesting and setting up
# TLS for a domain with Let's Encrypt.
#
# URL to ACME directory
acme_url: https://acme-v02.api.letsencrypt.org/directory
# Email to register with ACME provider
acme_email: ""
# Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: ""
# Path to store certificates and metadata needed by
# letsencrypt
tls_letsencrypt_cache_dir: __INSTALL_DIR__/cache
# Type of ACME challenge to use, currently supported types:
# HTTP-01 or TLS-ALPN-01
# See [docs/tls.md](docs/tls.md) for more information
tls_letsencrypt_challenge_type: HTTP-01
# When HTTP-01 challenge is chosen, letsencrypt must set up a
# verification endpoint, and it will be listening on:
# :http = port 80
tls_letsencrypt_listen: ":http"
## Use already defined certificates:
tls_cert_path: ""
tls_key_path: ""
log:
# Output formatting for logs: text or json
format: text
level: warn
# Path to a file containg ACL policies.
# ACLs can be defined as YAML or HUJSON.
# https://tailscale.com/kb/1018/acls/
acl_policy_path: ""
## DNS
#
# headscale supports Tailscale's DNS configuration and MagicDNS.
# Please have a look to their KB to better understand the concepts:
#
# - https://tailscale.com/kb/1054/dns/
# - https://tailscale.com/kb/1081/magicdns/
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
#
dns_config:
# Whether to prefer using Headscale provided DNS or use local.
override_local_dns: true
# List of DNS servers to expose to clients.
nameservers:
- 1.1.1.1
# NextDNS (see https://tailscale.com/kb/1218/nextdns/).
# "abc123" is example NextDNS ID, replace with yours.
#
# With metadata sharing:
# nameservers:
# - https://dns.nextdns.io/abc123
#
# Without metadata sharing:
# nameservers:
# - 2a07:a8c0::ab:c123
# - 2a07:a8c1::ab:c123
# Split DNS (see https://tailscale.com/kb/1054/dns/),
# list of search domains and the DNS to query for each one.
#
# restricted_nameservers:
# foo.bar.com:
# - 1.1.1.1
# darp.headscale.net:
# - 1.1.1.1
# - 8.8.8.8
# Search domains to inject.
domains: []
# Extra DNS records
# so far only A-records are supported (on the tailscale side)
# See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
# extra_records:
# - name: "grafana.myvpn.example.com"
# type: "A"
# value: "100.64.0.3"
#
# # you can also put it in one line
# - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
# Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
# Only works if there is at least a nameserver defined.
magic_dns: true
# Defines the base domain to create the hostnames for MagicDNS.
# `base_domain` must be a FQDNs, without the trailing dot.
# The FQDN of the hosts will be
# `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
base_domain: __BASE_DOMAIN__
# Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like:
unix_socket: /var/run/__APP__.sock
unix_socket_permission: "0770"
#
# headscale supports experimental OpenID connect support,
# it is still being tested and might have some bugs, please
# help us test it.
# OpenID Connect
oidc:
only_start_if_oidc_is_available: true
issuer: "https://__DEX_DOMAIN____DEX_PATH__"
client_id: "__OIDC_NAME__"
client_secret: "__OIDC_SECRET__"
# # Alternatively, set `client_secret_path` to read the secret from the file.
# # It resolves environment variables, making integration to systemd's
# # `LoadCredential` straightforward:
# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
# # client_secret and client_secret_path are mutually exclusive.
#
# # The amount of time from a node is authenticated with OpenID until it
# # expires and needs to reauthenticate.
# # Setting the value to "0" will mean no expiry.
# expiry: 180d
#
# # Use the expiry from the token received from OpenID when the user logged
# # in, this will typically lead to frequent need to reauthenticate and should
# # only been enabled if you know what you are doing.
# # Note: enabling this will cause `oidc.expiry` to be ignored.
# use_expiry_from_token: false
#
# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
#
scope: ["openid", "profile", "email", "custom"]
extra_params:
domain_hint: __DOMAIN__
#
# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
# # authentication request will be rejected.
#
# allowed_domains:
# - example.com
# # Note: Groups from keycloak have a leading '/'
# allowed_groups:
# - /headscale
# allowed_users:
# - alice@example.com
#
# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
# user: `first-name.last-name.example.com`
#
# strip_email_domain: true
# Logtail configuration
# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
# to instruct tailscale nodes to log their activity to a remote server.
logtail:
# Enable logtail for this headscales clients.
# As there is currently no support for overriding the log server in headscale, this is
# disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
enabled: false
# Enabling this option makes devices prefer a random port for WireGuard traffic over the
# default static port 41641. This option is intended as a workaround for some buggy
# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
randomize_client_port: false

12
conf/nginx.conf Normal file
View file

@ -0,0 +1,12 @@
location / {
proxy_pass http://127.0.0.1:__PORT__;
proxy_redirect http:// https://;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
}

45
conf/systemd.service Normal file
View file

@ -0,0 +1,45 @@
[Unit]
Description=Small description of the service
After=network.target
[Service]
Type=simple
User=__APP__
Group=__APP__
WorkingDirectory=__INSTALL_DIR__/
ExecStart=__INSTALL_DIR__/headscale serve
StandardOutput=append:/var/log/__APP__/__APP__.log
StandardError=inherit
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install]
WantedBy=multi-user.target

295
config_panel.toml.example Normal file
View file

@ -0,0 +1,295 @@
## Config panel are available from webadmin > Apps > YOUR_APP > Config Panel Button
## Those panels let user configure some params on their apps using a friendly interface,
## and remove the need to manually edit files from the command line.
## From a packager perspective, this .toml is coupled to the scripts/config script,
## which may be used to define custom getters/setters. However, most use cases
## should be covered automagically by the core, thus it may not be necessary
## to define a scripts/config at all!
## -----------------------------------------------------------------------------
## IMPORTANT: In accordance with YunoHost's spirit, please keep things simple and
## do not overwhelm the admin with tons of misunderstandable or advanced settings.
## -----------------------------------------------------------------------------
## The top level describe the entire config panels screen.
## The version is a required property.
## Here a small reminder to associate config panel version with YunoHost version
## | Config | YNH | Config panel small change log |
## | ------ | --- | ------------------------------------------------------- |
## | 0.1 | 3.x | 0.1 config script not compatible with YNH >= 4.3 |
## | 1.0 | 4.3.x | The new config panel system with 'bind' property |
version = "1.0"
## (optional) i18n property let you internationalize questions, however this feature
## is only available in core configuration panel (like yunohost domain config).
## So in app config panel this key is ignored for now, but you can internationalize
## by using a lang dictionary (see property name bellow)
# i18n = "prefix_translation_key"
################################################################################
#### ABOUT PANELS
################################################################################
## The next level describes web admin panels
## You have to choose an ID for each panel, in this example the ID is "main"
## Keep in mind this ID will be used in CLI to refer to your question, so choose
## something short and meaningfull.
## In the webadmin, each panel corresponds to a distinct tab / form
[main]
## Define the label for your panel
## Internationalization works similarly to the 'description' and 'ask' questions in the manifest
# name.en = "Main configuration"
# name.fr = "Configuration principale"
## (optional) If you need to trigger a service reload-or-restart after the user
## change a question in this panel, you can add your service in the list.
services = ["__APP__"]
# or services = ["nginx", "__APP__"] to also reload-or-restart nginx
## (optional) This help properties is a short help displayed on the same line
## than the panel title but not displayed in the tab.
# help = ""
############################################################################
#### ABOUT SECTIONS
############################################################################
## A panel is composed of one or several sections.
##
## Sections are meant to group questions together when they correspond to
## a same subtopic. This impacts the rendering in terms of CLI prompts
## and HTML forms
##
## You should choose an ID for your section, and prefix it with the panel ID
## (Be sure to not make a typo in the panel ID, which would implicitly create
## an other entire panel)
##
## We use the context of pepettes_ynh as an example,
## which is a simple donation form app written in python,
## and for which the admin will want to edit the configuration
[main.customization]
## (optional) Defining a proper title for sections is not mandatory
## and depends on the exact rendering you're aiming for the CLI / webadmin
name = ""
## (optional) This help properties is a short help displayed on the same line
## than the section title, meant to provide additional details
# help = ""
## (optional) As for panel, you can specify to trigger a service
## reload-or-restart after the user change a question in this section.
## This property is added to the panel property, it doesn't deactivate it.
## So no need to replicate, the service list from panel services property.
# services = []
## (optional) By default all questions are optionals, but you can specify a
## default behaviour for question in the section
optional = false
## (optional) It's also possible with the 'visible' property to only
## display the section depending on the user's answers to previous questions.
##
## Be careful that the 'visible' property should only refer to **previous** questions
## Hence, it should not make sense to have a "visible" property on the very first section.
##
## Also, keep in mind that this feature only works in the webadmin and not in CLI
## (therefore a user could be prompted in CLI for a question that may not be relevant)
# visible = true
########################################################################
#### ABOUT QUESTIONS
########################################################################
## A section is compound of one or several questions.
## ---------------------------------------------------------------------
## IMPORTANT: as for panel and section you have to choose an ID, but this
## one should be unique in all this document, even if the question is in
## an other panel.
## ---------------------------------------------------------------------
## You can use same questions types and properties than in manifest.yml
## install part. However, in YNH 4.3, a lot of change has been made to
## extend availables questions types list.
## See: TODO DOC LINK
[main.customization.project_name]
## (required) The ask property is equivalent to the ask property in
## the manifest. However, in config panels, questions are displayed on the
## left side and therefore have less space to be rendered. Therefore,
## it is better to use a short question, and use the "help" property to
## provide additional details if necessary.
ask.en = "Name of the project"
## (required) The type property indicates how the question should be
## displayed, validated and managed. Some types have specific properties.
##
## Types available: string, boolean, number, range, text, password, path
## email, url, date, time, color, select, domain, user, tags, file.
##
## For a complete list with specific properties, see: TODO DOC LINK
type = "string"
########################################################################
#### ABOUT THE BIND PROPERTY
########################################################################
## (recommended) 'bind' property is a powerful feature that let you
## configure how and where the data will be read, validated and written.
## By default, 'bind property is in "settings" mode, it means it will
## **only** read and write the value in application settings file.
## bind = "settings"
## However, settings usually correspond to key/values in actual app configurations
## Hence, a more useful mode is to have bind = ":FILENAME". In that case, YunoHost
## will automagically find a line with "KEY=VALUE" in FILENAME
## (with the adequate separator between KEY and VALUE)
##
## YunoHost will then use this value for the read/get operation.
## During write/set operations, YunoHost will overwrite the value
## in **both** FILENAME and in the app's settings.yml
## Configuration file format supported: yaml, toml, json, ini, env, php,
## python. The feature probably works with others formats, but should be tested carefully.
## Note that this feature only works with relatively simple cases
## such as `KEY: VALUE`, but won't properly work with
## complex data structures like multilin array/lists or dictionnaries.
## It also doesn't work with XML format, custom config function call, php define(), ...
## More info on TODO
# bind = ":/var/www/__APP__/settings.py"
## By default, bind = ":FILENAME" will use the question ID as KEY
## ... but the question ID may sometime not be the exact KEY name in the configuration file.
##
## In particular, in pepettes, the python variable is 'name' and not 'project_name'
## (c.f. https://github.com/YunoHost-Apps/pepettes_ynh/blob/5cc2d3ffd6529cc7356ff93af92dbb6785c3ab9a/conf/settings.py##L11 )
##
## In that case, the key name can be specified before the column ':'
bind = "name:/var/www/__APP__/settings.py"
## ---------------------------------------------------------------------
## IMPORTANT: other 'bind' mode exists:
##
## bind = "FILENAME" (with no column character before FILENAME)
## may be used to bind to the **entire file content** (instead of a single KEY/VALUE)
## This could be used to expose an entire configuration file, or binary files such as images
## For example:
## bind = "/var/www/__APP__/img/logo.png"
##
## bind = "null" can be used to disable reading / writing in settings.
## This creates sort of a "virtual" or "ephemeral" question which is not related to any actual setting
## In this mode, you are expected to define custom getter/setters/validators in scripts/config:
##
## getter: get__QUESTIONID()
## setter: set__QUESTIONID()
## validator: validate__QUESTIONID()
##
## You can also specify a common getter / setter / validator, with the
## function 'bind' mode, for example here it will try to run
## get__array_settings() first.
# bind = "array_settings()"
## ---------------------------------------------------------------------
## ---------------------------------------------------------------------
## IMPORTANT: with the exception of bind=null questions,
## question IDs should almost **always** correspond to an app setting
## initialized / reused during install/upgrade.
## Not doing so may result in inconsistencies between the config panel mechanism
## and the use of ynh_add_config
## ---------------------------------------------------------------------
########################################################################
#### OTHER GENERIC PROPERTY FOR QUESTIONS
########################################################################
## (optional) An help text for the question
help = "Fill the name of the project which will received donation"
## (optional) An example display as placeholder in web form
# example = "YunoHost"
## (optional) set to true in order to redact the value in operation logs
# redact = false
## (optional) A validation pattern
## ---------------------------------------------------------------------
## IMPORTANT: your pattern should be between simple quote, not double.
## ---------------------------------------------------------------------
pattern.regexp = '^\w{3,30}$'
pattern.error = "The name should be at least 3 chars and less than 30 chars. Alphanumeric chars are accepted"
## Note: visible and optional properties are also available for questions
[main.customization.contact_url]
ask = "Contact url"
type = "url"
example = "mailto: contact@example.org"
help = "mailto: accepted"
pattern.regexp = '^mailto:[^@]+@[^@]+|https://$'
pattern.error = "Should be https or mailto:"
bind = ":/var/www/__APP__/settings.py"
[main.customization.logo]
ask = "Logo"
type = "file"
accept = ".png"
help = "Fill with an already resized logo"
bind = "__FINALPATH__/img/logo.png"
[main.customization.favicon]
ask = "Favicon"
type = "file"
accept = ".png"
help = "Fill with an already sized favicon"
bind = "__FINALPATH__/img/favicon.png"
[main.stripe]
name = "Stripe general info"
optional = false
# The next alert is overwrited with a getter from the config script
[main.stripe.amount]
ask = "Donation in the month : XX €
type = "alert"
style = "success"
[main.stripe.publishable_key]
ask = "Publishable key"
type = "string"
redact = true
help = "Indicate here the stripe publishable key"
bind = ":/var/www/__APP__/settings.py"
[main.stripe.secret_key]
ask = "Secret key"
type = "string"
redact = true
help = "Indicate here the stripe secret key"
bind = ":/var/www/__APP__/settings.py"
[main.stripe.prices]
ask = "Prices ID"
type = "tags"
help = """\
Indicates here the prices ID of donation products you created in stripe interfaces. \
Go on [Stripe products](https://dashboard.stripe.com/products) to create those donation products. \
Fill it tag with 'FREQUENCY/CURRENCY/PRICE_ID' \
FREQUENCY: 'one_time' or 'recuring' \
CURRENCY: 'EUR' or 'USD' \
PRICE_ID: ID from stripe interfaces starting with 'price_' \
"""
pattern.regexp = '^(one_time|recuring)/(EUR|USD)/price_.*$'
pattern.error = "Please respect the format describe in help text for each price ID"

0
doc/.gitkeep Normal file
View file

9
doc/DESCRIPTION.md Normal file
View file

@ -0,0 +1,9 @@
Some long and extensive description of what the app is and does, lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
### Features
- Ut enim ad minim veniam, quis nostrud exercitation ullamco ;
- Laboris nisi ut aliquip ex ea commodo consequat ;
- Duis aute irure dolor in reprehenderit in voluptate ;
- Velit esse cillum dolore eu fugiat nulla pariatur ;
- Excepteur sint occaecat cupidatat non proident, sunt in culpa."

12
doc/DISCLAIMER.md Normal file
View file

@ -0,0 +1,12 @@
* Any known limitations, constrains or stuff not working, such as (but not limited to):
* requiring a full dedicated domain ?
* architectures not supported ?
* not-working single-sign on or LDAP integration ?
* the app requires an important amount of RAM / disk / .. to install or to work properly
* etc...
* Other infos that people should be aware of, such as:
* any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...)
* how to configure / administrate the application if it ain't obvious
* upgrade process / specificities / things to be aware of ?
* security considerations ?

0
doc/screenshots/.gitkeep Normal file
View file

BIN
doc/screenshots/example.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 35 KiB

84
manifest.toml Normal file
View file

@ -0,0 +1,84 @@
packaging_format = 2
id = "headscale"
name = "Headscale"
description.en = "Open-source implementation of the Tailscale control server, a WireGuard-based VPN"
version = "0.22.3~ynh1"
maintainers = ["tituspijean"]
[upstream]
license = "BSD-3-Clause"
admindoc = "https://github.com/juanfont/headscale/tree/main/docs"
userdoc = "https://tailscale.com/kb/"
code = "https://github.com/juanfont/headscale"
website = "https://tailscale.com/"
cpe = "cpe:2.3:a:tailscale:tailscale"
[integration]
yunohost = ">= 11.0.0"
architectures = "all"
multi_instance = false
ldap = "?" # FIXME: replace with true, false, or "not_relevant". Not to confuse with the "sso" key : the "ldap" key corresponds to wether or not a user *can* login on the app using its YunoHost credentials.
sso = "?" # FIXME: replace with true, false, or "not_relevant". Not to confuse with the "ldap" key : the "sso" key corresponds to wether or not a user is *automatically logged-in* on the app when logged-in on the YunoHost portal.
disk = "50M" # FIXME: replace with an **estimate** minimum disk requirement. e.g. 20M, 400M, 1G, ...
ram.build = "50M" # FIXME: replace with an **estimate** minimum ram requirement. e.g. 50M, 400M, 1G, ...
ram.runtime = "50M" # FIXME: replace with an **estimate** minimum ram requirement. e.g. 50M, 400M, 1G, ...
[install]
[install.domain]
type = "domain"
[install.dex_domain]
type = "domain"
ask.en = "Choose the domain to install Dex on."
help.en = "It should be different than Headscale's domain"
[install.dex_path]
type = "path"
ask.en = "Choose the path to install Dex on."
default = "/dex"
[install.base_domain]
type = "domain"
ask.en = "Choose the base domain for Headscale's MagicDNS feature"
help.en = "MagiDNS will allow you to access your hosts with a domain like `myhost.mynamespace.basedomain.tld`"
[resources]
[resources.sources.main]
rename = "headscale"
i386.url = "https://github.com/juanfont/headscale/releases/download/v0.22.3/headscale_0.22.3_linux_386"
i386.sha256 = "5e1c23c2ca269041d1040e273d9f164c3703d3b7c38aea5a293c8059b24d9712"
amd64.url = "https://github.com/juanfont/headscale/releases/download/v0.22.3/headscale_0.22.3_linux_amd64"
amd64.sha256 = "41eb475ba94d2f4efdd5b90ca76d3926a0fc0b561baabf6190ca32335c9102d2"
arm64.url = "https://github.com/juanfont/headscale/releases/download/v0.22.3/headscale_0.22.3_linux_arm64"
arm64.sha256 = "5835d282fdfcb42b30802e76bf1fac5e4dd6b3bec8b2daead2d226269307bee8"
armhf.url = "https://github.com/juanfont/headscale/releases/download/v0.22.3/headscale_0.22.3_linux_armv7"
armhf.sha256 = "4711fd03c9f5d814eb4c85be9939f167ce7aa40510cda2133c9f63810ead395d"
armel.url = "https://github.com/juanfont/headscale/releases/download/v0.22.3/headscale_0.22.3_linux_armv5"
armel.sha256 = "3a983ea320b05372b5493ece01bab1252907e0864a26f1857dbcd7307dfc463f"
autoupdate.strategy = "latest_github_release"
autoupdate.asset.i386 = ".*_386"
autoupdate.asset.amd64 = ".*_amd64"
autoupdate.asset.arm64 = ".*_arm64"
autoupdate.asset.armhf = ".*_armv7"
autoupdate.asset.armel = ".*_armv5"
[resources.system_user]
[resources.install_dir]
[resources.permissions]
main.url = "/"
[resources.ports]
main.default = 8080
metrics.default = 9090
grpc.default = 50443
# FIXME: cf. config file
# [resources.database]
# type = "postgresql"

17
scripts/_common.sh Normal file
View file

@ -0,0 +1,17 @@
#!/bin/bash
#=================================================
# COMMON VARIABLES
#=================================================
#=================================================
# PERSONAL HELPERS
#=================================================
#=================================================
# EXPERIMENTAL HELPERS
#=================================================
#=================================================
# FUTURE OFFICIAL HELPERS
#=================================================

58
scripts/backup Executable file
View file

@ -0,0 +1,58 @@
#!/bin/bash
#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
# Keep this path for calling _common.sh inside the execution's context of backup and restore scripts
source ../settings/scripts/_common.sh
source /usr/share/yunohost/helpers
#=================================================
# DECLARE DATA AND CONF FILES TO BACKUP
#=================================================
ynh_print_info --message="Declaring files to be backed up..."
#=================================================
# BACKUP THE APP MAIN DIR
#=================================================
ynh_backup --src_path="$install_dir"
#=================================================
# BACKUP THE NGINX CONFIGURATION
#=================================================
ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# SPECIFIC BACKUP
#=================================================
# BACKUP LOGROTATE
#=================================================
ynh_backup --src_path="/etc/logrotate.d/$app"
#=================================================
# BACKUP SYSTEMD
#=================================================
ynh_backup --src_path="/etc/systemd/system/$app.service"
#=================================================
# BACKUP THE MYSQL DATABASE
#=================================================
ynh_print_info --message="Backing up the MySQL database..."
### (However, things like MySQL dumps *do* take some time to run, though the
### copy of the generated dump to the archive still happens later)
ynh_mysql_dump_db --database="$db_name" > db.sql
#=================================================
# END OF SCRIPT
#=================================================
ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)."

136
scripts/change_url Normal file
View file

@ -0,0 +1,136 @@
#!/bin/bash
#=================================================
# GENERIC STARTING
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source _common.sh
source /usr/share/yunohost/helpers
#=================================================
# RETRIEVE ARGUMENTS
#=================================================
#REMOVEME? old_domain=$YNH_APP_OLD_DOMAIN
#REMOVEME? old_path=$YNH_APP_OLD_PATH
#REMOVEME? new_domain=$YNH_APP_NEW_DOMAIN
#REMOVEME? new_path=$YNH_APP_NEW_PATH
#REMOVEME? app=$YNH_APP_INSTANCE_NAME
#=================================================
# LOAD SETTINGS
#=================================================
#REMOVEME? ynh_script_progression --message="Loading installation settings..." --weight=1
#REMOVEME? # Needed for helper "ynh_add_nginx_config"
#REMOVEME? #REMOVEME? install_dir=$(ynh_app_setting_get --app=$app --key=install_dir)
# Add settings here as needed by your application
#REMOVEME? #db_name=$(ynh_app_setting_get --app=$app --key=db_name)
#db_user=$db_name
#REMOVEME? #db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
#=================================================
# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP
#=================================================
#REMOVEME? ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --weight=1
# Backup the current version of the app
#REMOVEME? ynh_backup_before_upgrade
#REMOVEME? ynh_clean_setup () {
# Remove the new domain config file, the remove script won't do it as it doesn't know yet its location.
#REMOVEME? ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"
# Restore it if the upgrade fails
#REMOVEME? ynh_restore_upgradebackup
}
# Exit if an error occurs during the execution of the script
#REMOVEME? ynh_abort_if_errors
#=================================================
# CHECK WHICH PARTS SHOULD BE CHANGED
#=================================================
#REMOVEME? change_domain=0
#REMOVEME? if [ "$old_domain" != "$new_domain" ]
then
#REMOVEME? change_domain=1
fi
#REMOVEME? change_path=0
#REMOVEME? if [ "$old_path" != "$new_path" ]
then
#REMOVEME? change_path=1
fi
#=================================================
# STANDARD MODIFICATIONS
#=================================================
# STOP SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Stopping a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
#=================================================
# MODIFY URL IN NGINX CONF
#=================================================
ynh_script_progression --message="Updating NGINX web server configuration..." --weight=1
ynh_change_url_nginx_config
#REMOVEME? nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
# Change the path in the NGINX config file
if [ $change_path -eq 1 ]
then
# Make a backup of the original NGINX config file if modified
#REMOVEME? ynh_backup_if_checksum_is_different --file="$nginx_conf_path"
# Set global variables for NGINX helper
#REMOVEME? domain="$old_domain"
#REMOVEME? path="$new_path"
# Create a dedicated NGINX config
#REMOVEME? ynh_add_nginx_config
fi
# Change the domain for NGINX
if [ $change_domain -eq 1 ]
then
# Delete file checksum for the old conf file location
#REMOVEME? ynh_delete_file_checksum --file="$nginx_conf_path"
#REMOVEME? mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf
# Store file checksum for the new config file location
#REMOVEME? ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"
fi
#=================================================
# SPECIFIC MODIFICATIONS
#=================================================
# ...
#=================================================
#=================================================
# GENERIC FINALISATION
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# RELOAD NGINX
#=================================================
#REMOVEME? ynh_script_progression --message="Reloading NGINX web server..." --weight=1
#REMOVEME? #REMOVEME? ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Change of URL completed for $app" --last

102
scripts/config Normal file
View file

@ -0,0 +1,102 @@
#!/bin/bash
# In simple cases, you don't need a config script.
# With a simple config_panel.toml, you can write in the app settings, in the
# upstream config file or replace complete files (logo ...) and restart services.
# The config scripts allows you to go further, to handle specific cases
# (validation of several interdependent fields, specific getter/setter for a value,
# display dynamic informations or choices, pre-loading of config type .cube... ).
#=================================================
# GENERIC STARTING
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source /usr/share/yunohost/helpers
ynh_abort_if_errors
#=================================================
# RETRIEVE ARGUMENTS
#=================================================
final_path=$(ynh_app_setting_get $app final_path)
#=================================================
# SPECIFIC GETTERS FOR TOML SHORT KEY
#=================================================
get__amount() {
# Here we can imagine to have an API call to stripe to know the amount of donation during a month
local amount = 200
# It's possible to change some properties of the question by overriding it:
if [ $amount -gt 100 ]
then
cat << EOF
style: success
value: $amount
ask:
en: A lot of donation this month: **$amount €**
EOF
else
cat << EOF
style: danger
value: $amount
ask:
en: Not so much donation this month: $amount €
EOF
fi
}
get__prices() {
local prices = "$(grep "DONATION\['" "$final_path/settings.py" | sed -r "s@^DONATION\['([^']*)'\]\['([^']*)'\] = '([^']*)'@\1/\2/\3@g" | sed -z 's/\n/,/g;s/,$/\n/')"
if [ "$prices" == "," ];
then
# Return YNH_NULL if you prefer to not return a value at all.
echo YNH_NULL
else
echo $prices
fi
}
#=================================================
# SPECIFIC VALIDATORS FOR TOML SHORT KEYS
#=================================================
validate__publishable_key() {
# We can imagine here we test if the key is really a publisheable key
(is_secret_key $publishable_key) &&
echo 'This key seems to be a secret key'
}
#=================================================
# SPECIFIC SETTERS FOR TOML SHORT KEYS
#=================================================
set__prices() {
#---------------------------------------------
# IMPORTANT: setter are trigger only if a change is detected
#---------------------------------------------
for price in $(echo $prices | sed "s/,/ /"); do
frequency=$(echo $price | cut -d/ -f1)
currency=$(echo $price | cut -d/ -f2)
price_id=$(echo $price | cut -d/ -f3)
sed "d/DONATION\['$frequency'\]\['$currency'\]" "$final_path/settings.py"
echo "DONATION['$frequency']['$currency'] = '$price_id'" >> "$final_path/settings.py"
done
#---------------------------------------------
# IMPORTANT: to be able to upgrade properly, you have to saved the value in settings too
#---------------------------------------------
ynh_app_setting_set $app prices $prices
}
#=================================================
# GENERIC FINALIZATION
#=================================================
ynh_app_config_run $1

113
scripts/install Executable file
View file

@ -0,0 +1,113 @@
#!/bin/bash
#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source _common.sh
source /usr/share/yunohost/helpers
#=================================================
# INSTALL DEX FOR OIDC
#=================================================
ynh_script_progression --message="Installing Dex..." --weight=1
oidc_secret="$(echo $(ynh_string_random --length=64 --filter='A-F0-9'))"
oidc_name="$app"
oidc_callback="$domain/oidc/callback"
ynh_app_setting_set --app=$app --key=oidc_secret --value=$oidc_secret
ynh_app_setting_set --app=$app --key=oidc_name --value=$oidc_name
ynh_app_setting_set --app=$app --key=oidc_callback --value=$oidc_callback
if yunohost app list | grep -q "$YNH_APP_ARG_DEX_DOMAIN$YNH_APP_ARG_DEX_PATH"; then
ynh_die "The domain and path provided for Dex is already used by another app. Please chose another one !"
fi
yunohost app install https://github.com/YunoHost-Apps/dex_ynh --force --args "domain=$dex_domain&path=$dex_path&OIDC_name=$oidc_name&OIDC_secret=$oidc_secret&OIDC_callback=$oidc_callback" 2>&1 | tee dexlog.txt
dex_app=$(gawk 'match($0, /Installation of (.+) completed/, app) {print app[1]}' dexlog.txt)
rm dexlog.txt
# Create Dex URIs
if [ $dex_path = "/" ]
then
dex_auth_uri="https://$dex_domain/auth"
dex_token_uri="https://$dex_domain/token"
dex_user_uri="https://$dex_domain/userinfo"
else
dex_auth_uri="https://$dex_domain$dex_path/auth"
dex_token_uri="https://$dex_domain$dex_path/token"
dex_user_uri="https://$dex_domain$dex_path/userinfo"
fi
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
ynh_script_progression --message="Setting up source files..." --weight=1
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$install_dir"
chmod 750 "$install_dir"
chmod -R o-rwx "$install_dir"
chown -R $app:$app "$install_dir"
chmod -R ug+x "$install_dir/headscale"
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring NGINX web server..." --weight=1
# Create a dedicated NGINX config
ynh_add_nginx_config
#=================================================
# ADD A CONFIGURATION
#=================================================
ynh_script_progression --message="Adding a configuration file..." --weight=1
ynh_add_config --template="config.yaml" --destination="$install_dir/config.yaml"
chmod 400 "$install_dir/config.yaml"
chown $app:$app "$install_dir/config.yaml"
#=================================================
# SETUP SYSTEMD
#=================================================
ynh_script_progression --message="Configuring a systemd service..." --weight=1
# Create a dedicated systemd config
ynh_add_systemd_config
#=================================================
# GENERIC FINALIZATION
#=================================================
# SETUP LOGROTATE
#=================================================
ynh_script_progression --message="Configuring log rotation..." --weight=1
# Use logrotate to manage application logfile(s)
ynh_use_logrotate
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
yunohost service add $app --description="Control server for the WireGuard-based VPN" --log="/var/log/$app/$app.log"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=1
# Start a systemd service
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Installation of $app completed" --last

97
scripts/remove Executable file
View file

@ -0,0 +1,97 @@
#!/bin/bash
#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source _common.sh
source /usr/share/yunohost/helpers
#=================================================
# STANDARD REMOVE
#=================================================
# REMOVE SERVICE INTEGRATION IN YUNOHOST
#=================================================
# Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
if ynh_exec_warn_less yunohost service status $app >/dev/null
then
ynh_script_progression --message="Removing $app service integration..." --weight=1
yunohost service remove $app
fi
#=================================================
# STOP AND REMOVE SERVICE
#=================================================
ynh_script_progression --message="Stopping and removing the systemd service..." --weight=1
# Remove the dedicated systemd config
ynh_remove_systemd_config
#=================================================
# REMOVE LOGROTATE CONFIGURATION
#=================================================
ynh_script_progression --message="Removing logrotate configuration..." --weight=1
# Remove the app-specific logrotate config
ynh_remove_logrotate
#=================================================
# REMOVE NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1
# Remove the dedicated NGINX config
ynh_remove_nginx_config
#=================================================
# CLOSE A PORT
#=================================================
if yunohost firewall list | grep -q "\- $port$"
then
ynh_script_progression --message="Closing port $port..." --weight=1
ynh_exec_warn_less yunohost firewall disallow TCP $port
fi
#=================================================
# REMOVE FAIL2BAN CONFIGURATION
#=================================================
ynh_script_progression --message="Removing Fail2Ban configuration..." --weight=1
# Remove the dedicated Fail2Ban config
ynh_remove_fail2ban_config
#=================================================
# SPECIFIC REMOVE
#=================================================
# REMOVE VARIOUS FILES
#=================================================
ynh_script_progression --message="Removing various files..." --weight=1
# Remove a cron file
ynh_secure_remove --file="/etc/cron.d/$app"
# Remove a directory securely
ynh_secure_remove --file="/etc/$app"
# Remove the log files
ynh_secure_remove --file="/var/log/$app"
#=================================================
# GENERIC FINALIZATION
#=================================================
# REMOVE DEDICATED USER
#=================================================
#REMOVEME? ynh_script_progression --message="Removing the dedicated system user..." --weight=1
# Delete a system user
#REMOVEME? ynh_system_user_delete --username=$app
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Removal of $app completed" --last

187
scripts/restore Executable file
View file

@ -0,0 +1,187 @@
#!/bin/bash
#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
# Keep this path for calling _common.sh inside the execution's context of backup and restore scripts
source ../settings/scripts/_common.sh
source /usr/share/yunohost/helpers
#=================================================
# MANAGE SCRIPT FAILURE
#=================================================
#REMOVEME? ynh_clean_setup () {
#### Remove this function if there's nothing to clean before calling the remove script.
true
}
# Exit if an error occurs during the execution of the script
#REMOVEME? ynh_abort_if_errors
#=================================================
# LOAD SETTINGS
#=================================================
#REMOVEME? ynh_script_progression --message="Loading installation settings..." --weight=1
#REMOVEME? app=$YNH_APP_INSTANCE_NAME
#REMOVEME? domain=$(ynh_app_setting_get --app=$app --key=domain)
#REMOVEME? path=$(ynh_app_setting_get --app=$app --key=path)
#REMOVEME? #REMOVEME? install_dir=$(ynh_app_setting_get --app=$app --key=install_dir)
#REMOVEME? db_name=$(ynh_app_setting_get --app=$app --key=db_name)
#REMOVEME? db_user=$db_name
#REMOVEME? phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
#REMOVEME? data_dir=$(ynh_app_setting_get --app=$app --key=data_dir)
#=================================================
# CHECK IF THE APP CAN BE RESTORED
#=================================================
#REMOVEME? ynh_script_progression --message="Validating restoration parameters..." --weight=1
#REMOVEME? test ! -d $install_dir \
|| ynh_die --message="There is already a directory: $install_dir "
#=================================================
# STANDARD RESTORATION STEPS
#=================================================
# RECREATE THE DEDICATED USER
#=================================================
#REMOVEME? ynh_script_progression --message="Recreating the dedicated system user..." --weight=1
# Create the dedicated user (if not existing)
#REMOVEME? ynh_system_user_create --username=$app --home_dir="$install_dir"
#=================================================
# RESTORE THE APP MAIN DIR
#=================================================
ynh_script_progression --message="Restoring the app main directory..." --weight=1
ynh_restore_file --origin_path="$install_dir"
# FIXME: this should be managed by the core in the future
# Here, as a packager, you may have to tweak the ownerhsip/permissions
# such that the appropriate users (e.g. maybe www-data) can access
# files in some cases.
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
# this will be treated as a security issue.
chmod 750 "$install_dir"
chmod -R o-rwx "$install_dir"
chown -R $app:www-data "$install_dir"
#=================================================
# RESTORE THE DATA DIRECTORY
#=================================================
ynh_script_progression --message="Restoring the data directory..." --weight=1
ynh_restore_file --origin_path="$data_dir" --not_mandatory
mkdir -p $data_dir
# FIXME: this should be managed by the core in the future
# Here, as a packager, you may have to tweak the ownerhsip/permissions
# such that the appropriate users (e.g. maybe www-data) can access
# files in some cases.
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
# this will be treated as a security issue.
chmod 750 "$data_dir"
chmod -R o-rwx "$data_dir"
chown -R $app:www-data "$data_dir"
#=================================================
# RESTORE FAIL2BAN CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the Fail2Ban configuration..." --weight=1
ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"
ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf"
ynh_systemd_action --action=restart --service_name=fail2ban
#=================================================
# SPECIFIC RESTORATION
#=================================================
# REINSTALL DEPENDENCIES
#=================================================
#REMOVEME? ynh_script_progression --message="Reinstalling dependencies..." --weight=1
# Define and install dependencies
#REMOVEME? ynh_install_app_dependencies $pkg_dependencies
#=================================================
# RESTORE THE PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the PHP-FPM configuration..." --time --weight=1
ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
#=================================================
# RESTORE THE NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the NGINX web server configuration..." --time --weight=1
ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# RESTORE THE MYSQL DATABASE
#=================================================
#REMOVEME? ynh_script_progression --message="Restoring the MySQL database..." --weight=1
#REMOVEME? db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
#REMOVEME? ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./db.sql
#=================================================
# RESTORE VARIOUS FILES
#=================================================
ynh_script_progression --message="Restoring various files..." --weight=1
ynh_restore_file --origin_path="/etc/cron.d/$app"
ynh_restore_file --origin_path="/etc/$app/"
#=================================================
# RESTORE SYSTEMD
#=================================================
ynh_script_progression --message="Restoring the systemd configuration..." --weight=1
ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
systemctl enable $app.service --quiet
#=================================================
# RESTORE THE LOGROTATE CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the logrotate configuration..." --weight=1
ynh_restore_file --origin_path="/etc/logrotate.d/$app"
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# GENERIC FINALIZATION
#=================================================
# RELOAD NGINX AND PHP-FPM
#=================================================
ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." --weight=1
ynh_systemd_action --service_name=php$phpversion-fpm --action=reload
ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Restoration completed for $app" --last

93
scripts/upgrade Normal file
View file

@ -0,0 +1,93 @@
#!/bin/bash
#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source _common.sh
source /usr/share/yunohost/helpers
upgrade_type=$(ynh_check_app_version_changed)
#=================================================
# STANDARD UPGRADE STEPS
#=================================================
# STOP SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Stopping a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
if [ "$upgrade_type" == "UPGRADE_APP" ]
then
ynh_script_progression --message="Upgrading source files..." --weight=1
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$install_dir"
fi
chmod 750 "$install_dir"
chmod -R o-rwx "$install_dir"
chown -R $app:www-data "$install_dir"
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading NGINX web server configuration..." --time --weight=1
# Create a dedicated NGINX config
ynh_add_nginx_config
#=================================================
# UPDATE A CONFIG FILE
#=================================================
ynh_script_progression --message="Updating a configuration file..." --weight=1
ynh_add_config --template="config.yaml" --destination="$install_dir/config.yaml"
chmod 400 "$install_dir/config.yaml"
chown $app:$app "$install_dir/config.yaml"
#=================================================
# SETUP SYSTEMD
#=================================================
ynh_script_progression --message="Upgrading systemd configuration..." --weight=1
# Create a dedicated systemd config
ynh_add_systemd_config
#=================================================
# GENERIC FINALIZATION
#=================================================
# SETUP LOGROTATE
#=================================================
ynh_script_progression --message="Upgrading logrotate configuration..." --weight=1
# Use logrotate to manage app-specific logfile(s)
ynh_use_logrotate --non-append
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
yunohost service add $app --description="Control server for the WireGuard-based VPN" --log="/var/log/$app/$app.log"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Upgrade of $app completed" --last