Manage ADMIN_PASSWORD
This commit is contained in:
parent
fcb0b1150c
commit
b56654d4c1
9 changed files with 97 additions and 64 deletions
|
@ -3,6 +3,7 @@
|
||||||
domain="domain.tld"
|
domain="domain.tld"
|
||||||
path="/path"
|
path="/path"
|
||||||
is_public=1
|
is_public=1
|
||||||
|
password="1Strong-Password"
|
||||||
; Checks
|
; Checks
|
||||||
pkg_linter=1
|
pkg_linter=1
|
||||||
setup_sub_dir=1
|
setup_sub_dir=1
|
||||||
|
|
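--- a/conf/hash_generator.py
+++ b/conf/hash_generator.py
@@ -0,0 +1,5 @@
+#!/usr/bin/env python
+import sys
+from werkzeug.security import generate_password_hash
+
+print(generate_password_hash(sys.argv[1]))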
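Review bot: The password is taken from `sys.argv[1]`, so for the duration of the call it is readable by every local user through the process table, and a missing argument surfaces as a bare IndexError rather than a usage message. Reading it from standard input avoids both: `password = sys.stdin.readline().rstrip("\n")` followed by `print(generate_password_hash(password))`, with the callers in scripts/install and scripts/upgrade piping the value in instead of placing it on the command line. A one-line module docstring stating that the script prints a werkzeug password hash for the value it receives, to be placed in `ADMIN_PASSWORD`, would also tell the next packager why werkzeug specifically (presumably because ihatemoney verifies the setting with werkzeug's own check) is used here rather than a generic hashing tool.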
@ -3,10 +3,10 @@ SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://__DB_USER__:__DB_PWD__@localhost/__DB
|
||||||
SQLACHEMY_ECHO = False
|
SQLACHEMY_ECHO = False
|
||||||
SQLALCHEMY_TRACK_MODIFICATIONS = False
|
SQLALCHEMY_TRACK_MODIFICATIONS = False
|
||||||
SECRET_KEY = "__SECRET_KEY__"
|
SECRET_KEY = "__SECRET_KEY__"
|
||||||
MAIL_DEFAULT_SENDER = "Budget manager <__MAILS_SENDER__>"
|
MAIL_DEFAULT_SENDER = "Budget manager <no-reply@__DOMAIN__>"
|
||||||
SHOW_ADMIN_EMAIL = False
|
SHOW_ADMIN_EMAIL = False
|
||||||
ACTIVATE_DEMO_PROJECT = False
|
ACTIVATE_DEMO_PROJECT = False
|
||||||
ADMIN_PASSWORD = "RaidW00d"
|
ADMIN_PASSWORD = "__HASHED_PASSWORD__"
|
||||||
ALLOW_PUBLIC_PROJECT_CREATION = True
|
ALLOW_PUBLIC_PROJECT_CREATION = True
|
||||||
ACTIVATE_ADMIN_DASHBOARD = True
|
ACTIVATE_ADMIN_DASHBOARD = True
|
||||||
SESSION_COOKIE_SECURE = True
|
SESSION_COOKIE_SECURE = True
|
||||||
|
|
|
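Review bot: `ADMIN_PASSWORD = "__HASHED_PASSWORD__"` replaces the hard-coded clear-text value with a substituted one, but nothing in the template states what format is expected, so the line could later be filled with a clear-text password again without anything flagging it. A comment above it, `# Werkzeug password hash produced by conf/hash_generator.py at install/upgrade time, never the clear-text password`, documents the contract. Dropping the committed `RaidW00d` default also means that every instance deployed from the previous version was running with an admin password that was shipped in the repository; that deserves a line in the upgrade notes so admins know it is rotated by the upgrade.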
@ -50,6 +50,10 @@
|
||||||
"fr": "Les projets ihatemoney sont protégés par un mot de passe dans tous les cas"
|
"fr": "Les projets ihatemoney sont protégés par un mot de passe dans tous les cas"
|
||||||
},
|
},
|
||||||
"default": true
|
"default": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "password",
|
||||||
|
"type": "password"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
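Review bot: The new `password` argument carries only `name` and `type`; there is no `help` entry telling the user what the value is for, and the type alone does not convey that it becomes the ihatemoney admin password rendered into `ADMIN_PASSWORD` by the config template (presumably guarding the admin dashboard enabled by `ACTIVATE_ADMIN_DASHBOARD`). Adding `"help": {"en": "Password for the ihatemoney admin dashboard"}` next to `"type": "password"` makes the install form self-explanatory, if the manifest format in use supports the key. The enclosing arguments array starts above the hunk.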
@ -23,6 +23,8 @@ app=$YNH_APP_INSTANCE_NAME
|
||||||
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
|
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
|
||||||
db_user=$db_name
|
db_user=$db_name
|
||||||
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
|
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
|
||||||
|
secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
|
||||||
|
hashed_password=$(ynh_app_setting_get --app=$app --key=hashed_password)
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# LOAD SETTINGS
|
# LOAD SETTINGS
|
||||||
|
@ -115,18 +117,12 @@ fi
|
||||||
path_url="$new_path"
|
path_url="$new_path"
|
||||||
domain="$new_domain"
|
domain="$new_domain"
|
||||||
|
|
||||||
# Secret key for cookies encryption.
|
|
||||||
secret_key=$(ynh_string_random --length 32)
|
|
||||||
mails_sender="no-reply@$domain"
|
|
||||||
# Allows to comment some config lines if not using sub path
|
# Allows to comment some config lines if not using sub path
|
||||||
sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"
|
sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"
|
||||||
|
|
||||||
ynh_backup_if_checksum_is_different --file="$final_path/ihatemoney.cfg"
|
ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg"
|
||||||
ynh_add_config --template ../conf/ihatemoney.cfg --destination "$final_path/ihatemoney.cfg"
|
chmod 640 "$final_path/ihatemoney.cfg"
|
||||||
|
chown $app:$app "$final_path/ihatemoney.cfg"
|
||||||
chmod 750 "$final_path"
|
|
||||||
chmod -R o-rwx "$final_path"
|
|
||||||
chown -R $app:www-data "$final_path"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# GENERIC FINALISATION
|
# GENERIC FINALISATION
|
||||||
|
|
|
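Review bot: `secret_key` and `hashed_password`, loaded from settings in the first hunk, are rendered into ihatemoney.cfg in the second without any emptiness check; if either setting is absent the template is written with `SECRET_KEY = ""` / `ADMIN_PASSWORD = ""`, which would presumably break session signing or admin login silently instead of failing the operation. A guard before `ynh_add_config`, `[ -n "$secret_key" ] && [ -n "$hashed_password" ] || ynh_die --message="Missing secret_key/hashed_password setting, upgrade the app first"`, makes that failure explicit. The removed `secret_key=$(ynh_string_random --length 32)` used to rotate the key on every URL change and thereby invalidate all sessions; reusing the stored value is the right call and deserves a comment at the load line, e.g. `# Reuse the stored secret key so existing sessions survive a URL change`.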
@ -26,8 +26,13 @@ ynh_abort_if_errors
|
||||||
domain=$YNH_APP_ARG_DOMAIN
|
domain=$YNH_APP_ARG_DOMAIN
|
||||||
path_url=$YNH_APP_ARG_PATH
|
path_url=$YNH_APP_ARG_PATH
|
||||||
is_public=$YNH_APP_ARG_IS_PUBLIC
|
is_public=$YNH_APP_ARG_IS_PUBLIC
|
||||||
|
password=$YNH_APP_ARG_PASSWORD
|
||||||
|
|
||||||
app=$YNH_APP_INSTANCE_NAME
|
app=$YNH_APP_INSTANCE_NAME
|
||||||
|
|
||||||
|
# Secret key for cookies encryption.
|
||||||
|
secret_key=$(ynh_string_random --length=32)
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
|
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -46,6 +51,7 @@ ynh_script_progression --message="Storing installation settings..." --weight=1
|
||||||
|
|
||||||
ynh_app_setting_set --app=$app --key=domain --value=$domain
|
ynh_app_setting_set --app=$app --key=domain --value=$domain
|
||||||
ynh_app_setting_set --app=$app --key=path --value=$path_url
|
ynh_app_setting_set --app=$app --key=path --value=$path_url
|
||||||
|
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# STANDARD MODIFICATIONS
|
# STANDARD MODIFICATIONS
|
||||||
|
@ -73,20 +79,24 @@ db_name=$(ynh_sanitize_dbid --db_name=$app)
|
||||||
db_user=$db_name
|
db_user=$db_name
|
||||||
ynh_app_setting_set --app=$app --key=db_name --value=$db_name
|
ynh_app_setting_set --app=$app --key=db_name --value=$db_name
|
||||||
ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
|
ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
|
||||||
# defines $db_pwd and setting mysqlpwd
|
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SPECIFIC SETUP
|
# SPECIFIC SETUP
|
||||||
#=================================================
|
#=================================================
|
||||||
# Init venv
|
# BUILD VENV
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Configuring the app's installation..." --weight=6
|
ynh_script_progression --message="Building venv..." --weight=6
|
||||||
|
|
||||||
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
|
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
|
||||||
|
|
||||||
__ynh_python_venv_setup --venv_dir="$final_path/venv" --packages "${pip_dependencies[*]}"
|
__ynh_python_venv_setup --venv_dir="$final_path/venv" --packages "${pip_dependencies[*]}"
|
||||||
python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv")
|
python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv")
|
||||||
|
|
||||||
|
chmod 750 "$final_path"
|
||||||
|
chmod -R o-rwx "$final_path"
|
||||||
|
chown -R $app:www-data "$final_path"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# NGINX CONFIGURATION
|
# NGINX CONFIGURATION
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -97,35 +107,32 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=1
|
||||||
ynh_add_nginx_config
|
ynh_add_nginx_config
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# Setup gunicorn
|
# ADD A CONFIGURATION
|
||||||
#=================================================
|
#=================================================
|
||||||
|
ynh_script_progression --message="Adding a configuration file..."
|
||||||
|
|
||||||
ynh_add_config --template ../conf/gunicorn.conf.py --destination "$final_path/gunicorn.conf.py"
|
#run source in a 'sub shell'
|
||||||
chmod 644 "$final_path/gunicorn.conf.py"
|
(
|
||||||
|
set +o nounset
|
||||||
|
source "${final_path}/venv/bin/activate"
|
||||||
|
set -o nounset
|
||||||
|
python3 ../conf/hash_generator.py $password > ${final_path}/key.txt
|
||||||
|
)
|
||||||
|
|
||||||
#=================================================
|
hashed_password=$(cat $final_path/key.txt)
|
||||||
# Setup ihatemoney
|
ynh_secure_remove --file="$final_path/key.txt"
|
||||||
#=================================================
|
ynh_app_setting_set --app=$app --key=hashed_password --value=$hashed_password
|
||||||
|
|
||||||
|
ynh_add_config --template="../conf/gunicorn.conf.py" --destination="$final_path/gunicorn.conf.py"
|
||||||
|
chmod 640 "$final_path/gunicorn.conf.py"
|
||||||
|
chown $app:$app "$final_path/gunicorn.conf.py"
|
||||||
|
|
||||||
# Secret key for cookies encryption.
|
|
||||||
secret_key=$(ynh_string_random --length 32)
|
|
||||||
mails_sender="no-reply@$domain"
|
|
||||||
# Allows to comment some config lines if not using sub path
|
# Allows to comment some config lines if not using sub path
|
||||||
sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"
|
sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"
|
||||||
|
|
||||||
ynh_add_config --template ../conf/ihatemoney.cfg --destination "$final_path/ihatemoney.cfg"
|
ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg"
|
||||||
chmod 640 "$final_path/ihatemoney.cfg"
|
chmod 640 "$final_path/ihatemoney.cfg"
|
||||||
|
chown $app:$app "$final_path/ihatemoney.cfg"
|
||||||
|
|
||||||
# FIXME: this should be managed by the core in the future
|
|
||||||
# Here, as a packager, you may have to tweak the ownerhsip/permissions
|
|
||||||
# such that the appropriate users (e.g. maybe www-data) can access
|
|
||||||
# files in some cases.
|
|
||||||
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
|
|
||||||
# this will be treated as a security issue.
|
|
||||||
chmod 750 "$final_path"
|
|
||||||
chmod -R o-rwx "$final_path"
|
|
||||||
chown -R $app:www-data "$final_path"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SETUP SYSTEMD
|
# SETUP SYSTEMD
|
||||||
|
@ -150,7 +157,7 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste
|
||||||
ynh_script_progression --message="Starting a systemd service..." --weight=1
|
ynh_script_progression --message="Starting a systemd service..." --weight=1
|
||||||
|
|
||||||
# Start a systemd service
|
# Start a systemd service
|
||||||
ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30
|
ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at"
|
||||||
|
|
||||||
# line_match isn't enough because ihatemoney may stop if database upgrades
|
# line_match isn't enough because ihatemoney may stop if database upgrades
|
||||||
for _ in {1..20}; do
|
for _ in {1..20}; do
|
||||||
|
|
|
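Review bot: In the configuration hunk the clear-text admin password is passed as an argv word, `python3 ../conf/hash_generator.py $password > ${final_path}/key.txt`, so it is readable in the process table by any local user while the hash is computed, and because `$password` is unquoted a value containing spaces or glob characters is split before it is hashed; the hash then round-trips through a temporary key.txt in `$final_path` that is removed again two lines later. Calling the venv interpreter directly and capturing the output removes the subshell, the `set +o nounset` toggling and the temp file: `hashed_password=$("$final_path/venv/bin/python3" ../conf/hash_generator.py "$password")` followed by `ynh_app_setting_set --app=$app --key=hashed_password --value="$hashed_password"`. Feeding the value through stdin instead of argv would additionally keep it out of the process table, but needs the matching change in conf/hash_generator.py. The same pattern is repeated in the hashed_password hunk of scripts/upgrade.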
@ -79,7 +79,7 @@ ynh_remove_app_dependencies
|
||||||
#=================================================
|
#=================================================
|
||||||
# REMOVE VARIOUS FILES
|
# REMOVE VARIOUS FILES
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Removing configuration files..." --weight=1
|
ynh_script_progression --message="Removing various files..." --weight=1
|
||||||
|
|
||||||
# Remove the log files
|
# Remove the log files
|
||||||
ynh_secure_remove --file="/var/log/$app"
|
ynh_secure_remove --file="/var/log/$app"
|
||||||
|
|
|
@ -108,7 +108,7 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Starting a systemd service..." --weight=1
|
ynh_script_progression --message="Starting a systemd service..." --weight=1
|
||||||
|
|
||||||
ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30
|
ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at"
|
||||||
|
|
||||||
# line_match isn't enough because ihatemoney may stop if database upgrades
|
# line_match isn't enough because ihatemoney may stop if database upgrades
|
||||||
for _ in {1..20}; do
|
for _ in {1..20}; do
|
||||||
|
|
|
@ -22,6 +22,8 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
|
||||||
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
|
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
|
||||||
db_user=$db_name
|
db_user=$db_name
|
||||||
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
|
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
|
||||||
|
secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
|
||||||
|
hashed_password=$(ynh_app_setting_get --app=$app --key=hashed_password)
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# CHECK VERSION
|
# CHECK VERSION
|
||||||
|
@ -104,6 +106,29 @@ if [[ "$upgrade_from_opt" == "true" ]]; then
|
||||||
ynh_app_setting_set --app=$app --key=db_name --value=$db_name
|
ynh_app_setting_set --app=$app --key=db_name --value=$db_name
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# If secret_key doesn't exist, create it
|
||||||
|
if [ -z "$secret_key" ]; then
|
||||||
|
secret_key=$(ynh_string_random --length=32)
|
||||||
|
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If hashed_password doesn't exist, create it
|
||||||
|
if [ -z "$hashed_password" ]; then
|
||||||
|
password=$(ynh_string_random --length=8)
|
||||||
|
#run source in a 'sub shell'
|
||||||
|
(
|
||||||
|
set +o nounset
|
||||||
|
source "${final_path}/venv/bin/activate"
|
||||||
|
set -o nounset
|
||||||
|
python3 ../conf/hash_generator.py $password > ${final_path}/key.txt
|
||||||
|
)
|
||||||
|
|
||||||
|
hashed_password=$(cat $final_path/key.txt)
|
||||||
|
ynh_secure_remove --file="$final_path/key.txt"
|
||||||
|
ynh_app_setting_set --app=$app --key=hashed_password --value=$hashed_password
|
||||||
|
ynh_script_progression --message="A new password for $app has been generated, it's $password ..."
|
||||||
|
fi
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# CREATE DEDICATED USER
|
# CREATE DEDICATED USER
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -122,17 +147,18 @@ ynh_install_app_dependencies "${pkg_dependencies[@]}"
|
||||||
#=================================================
|
#=================================================
|
||||||
# SPECIFIC UPGRADE
|
# SPECIFIC UPGRADE
|
||||||
#=================================================
|
#=================================================
|
||||||
# Init venv
|
# BUILD VENV
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Configuring the app's installation..." --weight=6
|
ynh_script_progression --message="Building venv..." --weight=6
|
||||||
|
|
||||||
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
|
ynh_secure_remove --file="$final_path/venv"
|
||||||
|
__ynh_python_venv_setup --venv_dir="$final_path/venv" --packages "${pip_dependencies[*]}"
|
||||||
# MIGRATION: Upgrade venv
|
|
||||||
python3 -m venv --upgrade "$final_path/venv"
|
|
||||||
"$final_path/venv/bin/python3" -m pip install --upgrade pip "${pip_dependencies[@]}"
|
|
||||||
python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv")
|
python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv")
|
||||||
|
|
||||||
|
chmod 750 "$final_path"
|
||||||
|
chmod -R o-rwx "$final_path"
|
||||||
|
chown -R $app:www-data "$final_path"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# NGINX CONFIGURATION
|
# NGINX CONFIGURATION
|
||||||
#=================================================
|
#=================================================
|
||||||
|
@ -140,31 +166,23 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." -
|
||||||
|
|
||||||
# Create a dedicated NGINX config
|
# Create a dedicated NGINX config
|
||||||
## Needs $python_venv_site_packages
|
## Needs $python_venv_site_packages
|
||||||
ynh_add_nginx_config "PYTHON_VERSION"
|
ynh_add_nginx_config
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# Setup gunicorn
|
# UPDATE A CONFIG FILE
|
||||||
#=================================================
|
#=================================================
|
||||||
|
ynh_script_progression --message="Updating a configuration file..."
|
||||||
|
|
||||||
ynh_add_config --template ../conf/gunicorn.conf.py --destination "$final_path/gunicorn.conf.py"
|
ynh_add_config --template="../conf/gunicorn.conf.py" --destination="$final_path/gunicorn.conf.py"
|
||||||
chmod 600 "$final_path/gunicorn.conf.py"
|
chmod 640 "$final_path/gunicorn.conf.py"
|
||||||
|
chown $app:$app "$final_path/gunicorn.conf.py"
|
||||||
|
|
||||||
#=================================================
|
|
||||||
# Setup ihatemoney
|
|
||||||
#=================================================
|
|
||||||
|
|
||||||
# Secret key for cookies encryption.
|
|
||||||
secret_key=$(ynh_string_random --length 32)
|
|
||||||
mails_sender="no-reply@$domain"
|
|
||||||
# Allows to comment some config lines if not using sub path
|
# Allows to comment some config lines if not using sub path
|
||||||
sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"
|
sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"
|
||||||
|
|
||||||
ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg"
|
ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg"
|
||||||
chmod 600 "$final_path/ihatemoney.cfg"
|
chmod 640 "$final_path/ihatemoney.cfg"
|
||||||
|
chown $app:$app "$final_path/ihatemoney.cfg"
|
||||||
chmod 750 "$final_path"
|
|
||||||
chmod -R o-rwx "$final_path"
|
|
||||||
chown -R $app:www-data "$final_path"
|
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SETUP SYSTEMD
|
# SETUP SYSTEMD
|
||||||
|
@ -188,11 +206,13 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Starting a systemd service..." --weight=1
|
ynh_script_progression --message="Starting a systemd service..." --weight=1
|
||||||
|
|
||||||
ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30
|
ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at"
|
||||||
|
|
||||||
# line_match isn't enough because ihatemoney may stop if database upgrades
|
# line_match isn't enough because ihatemoney may stop if database upgrades
|
||||||
# FIXME: We need to wait for the db to upgrade and gunicorn to restart!
|
for _ in {1..20}; do
|
||||||
sleep 3
|
test -S /tmp/budget.gunicorn_$app.sock && break
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RELOAD NGINX
|
# RELOAD NGINX
|
||||||
|
|
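Review bot: In the hashed_password hunk the freshly generated admin password is written into the operation log by `ynh_script_progression --message="A new password for $app has been generated, it's $password ..."`; those messages are persisted on disk and are what users typically share when reporting problems, so the clear-text credential outlives the upgrade. Hand it to the admin through a channel meant for secrets (for instance `ynh_send_readme_to_admin`, if that helper is available on the targeted YunoHost version) and keep the progression message generic, e.g. `ynh_script_progression --message="A new admin password for $app has been generated, see the message sent to the admin"`. `ynh_string_random --length=8` is also short for a credential protecting the admin dashboard; `--length=24` costs nothing here since the value is only ever pasted. The `$password`-on-argv / key.txt round-trip carries the same quoting and process-table exposure as in scripts/install; capturing `hashed_password=$("$final_path/venv/bin/python3" ../conf/hash_generator.py "$password")` directly avoids the subshell and the temp file.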