diff --git a/conf/immich-microservices.service b/conf/immich-microservices.service
new file mode 100644
index 0000000..c03d59d
--- /dev/null
+++ b/conf/immich-microservices.service
@@ -0,0 +1,54 @@
+[Unit]
+Description=Immich microservices
+Documentation=https://github.com/immich-app/immich
+Requires=redis-server.service
+Requires=postgresql.service
+After=network.target
+PartOf=immich-server.service
+Before=immich-server.service
+
+[Service]
+Type=simple
+Restart=on-failure
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/app
+Environment="__YNH_NODE_LOAD_PATH__"
+EnvironmentFile=__INSTALL_DIR__/env-server
+ExecStart=__YNH_NODE__ __INSTALL_DIR__/app/dist/main microservices
+StandardOutput=append:/var/log/__APP__/__APP__-microservices.log
+StandardError=inherit
+Restart=on-failure
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=immich-server.service
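Review bot: `Restart=on-failure` is set twice in [Service] (once after `Type=simple`, again after `StandardError=inherit`); systemd keeps the last assignment so it is harmless, but one of them should go. The unit also names `immich-server.service` literally in `PartOf=`, `Before=` and `WantedBy=` while scripts/install registers this unit as `$app-microservices`; if the app id can ever differ from `immich` these should be `__APP__-server.service` (the existing server template appears to hardcode names the same way, so this may be a deliberate single-instance choice). Since `ProtectSystem=full` only makes /usr, /boot and /etc read-only, consider `ProtectSystem=strict` with an explicit `ReadWritePaths=` for the paths this worker must write (the log directory and, presumably, the media data directory — its location is not visible from this hunk), which is the usual next tightening step for a sandboxed worker.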
diff --git a/conf/immich-server.service b/conf/immich-server.service index ef6a067..6d32ddb 100644 --- a/conf/immich-server.service +++ b/conf/immich-server.service @@ -4,6 +4,7 @@ Documentation=https://github.com/immich-app/immich Requires=redis-server.service Requires=postgresql.service Requires=immich-machine-learning.service +Requires=immich-microservices.service After=network.target [Service] diff --git a/scripts/backup b/scripts/backup index c6814b6..016ed91 100755 --- a/scripts/backup +++ b/scripts/backup @@ -28,6 +28,7 @@ ynh_backup --src_path="$data_dir" --is_big ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_backup --src_path="/etc/systemd/system/$app-server.service" +ynh_backup --src_path="/etc/systemd/system/$app-microservices.service" ynh_backup --src_path="/etc/systemd/system/$app-machine-learning.service" ynh_backup --src_path="/etc/logrotate.d/$app" diff --git a/scripts/change_url b/scripts/change_url index 2a06284..8a127a8 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -11,6 +11,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Stopping $app's systemd service..." --weight=1 +ynh_systemd_action --service_name="$app-microservices" --action="stop" --log_path="/var/log/$app/$app-microservices.log" ynh_systemd_action --service_name="$app-machine-learning" --action="stop" --log_path="/var/log/$app/$app-machine-learning.log" ynh_systemd_action --service_name="$app-server" --action="stop" --log_path="/var/log/$app/$app-server.log" 
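Review bot: The new `ynh_systemd_action --service_name="$app-microservices" --action="stop"` line in scripts/change_url runs before the `$app-server` stop, and because conf/immich-server.service now carries `Requires=immich-microservices.service` (first hunk on this line), stopping the microservices unit makes systemd deactivate the server unit as a side effect before the script stops it explicitly. The end state is the same, but the server is torn down implicitly rather than by the script's own stop call; moving the new line after the `$app-server` stop, the order scripts/upgrade already uses (server first, then its dependencies), keeps the shutdown sequence explicit. The machine-learning stop has the same ordering issue, but that predates this change.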
@@ -30,6 +31,7 @@ ynh_change_url_nginx_config #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 +ynh_systemd_action --service_name="$app-microservices" --action="start" --line_match="Immich Microservices is listening" --log_path="/var/log/$app/$app-microservices.log" ynh_systemd_action --service_name="$app-machine-learning" --action="start" --line_match="Application startup complete" --log_path="/var/log/$app/$app-machine-learning.log" ynh_systemd_action --service_name="$app-server" --action="start" --line_match="Immich Server is listening" --log_path="/var/log/$app/$app-server.log" diff --git a/scripts/install b/scripts/install index 9484993..3707e5c 100755 --- a/scripts/install +++ b/scripts/install @@ -72,9 +72,11 @@ ynh_script_progression --message="Adding system configurations related to $app.. ynh_add_nginx_config ynh_add_systemd_config --service="$app-server" --template="immich-server.service" +ynh_add_systemd_config --service="$app-microservices" --template="immich-microservices.service" ynh_add_systemd_config --service="$app-machine-learning" --template="immich-machine-learning.service" yunohost service add "$app-server" --description="Immich Server" --log="/var/log/$app/$app-server.log" +yunohost service add "$app-microservices" --description="Immich Microservices" --log="/var/log/$app/$app-microservices.log" yunohost service add "$app-machine-learning" --description="Immich Machine Learning" --log="/var/log/$app/$app-machine-learning.log" ynh_multimedia_build_main_dir 
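Review bot: The readiness check `--line_match="Immich Microservices is listening"` assumes the bundled Immich release's microservices worker still logs this exact phrase; I cannot confirm that from the diff, and the downward-compatibility block removed in scripts/upgrade suggests this package already targets releases at or after 1.106.4, where the worker's start-up message may have changed. If the phrase never appears, every start waits for the helper's full timeout before continuing (a warning rather than a failure, as far as I know), which is slow and easy to miss in CI. Verify the phrase against the log of a fresh start; the same `line_match` is repeated in scripts/install, scripts/restore and scripts/upgrade.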
@@ -89,6 +91,7 @@ ynh_add_fail2ban_config --logpath="/var/log/$app/$app-server.log" --failregex="$ #================================================= ynh_script_progression --message="Starting a systemd service..." +ynh_systemd_action --service_name="$app-microservices" --action="start" --line_match="Immich Microservices is listening" --log_path="/var/log/$app/$app-microservices.log" ynh_systemd_action --service_name="$app-machine-learning" --action="start" --line_match="Application startup complete" --log_path="/var/log/$app/$app-machine-learning.log" ynh_systemd_action --service_name="$app-server" --action="start" --line_match="Immich Server is listening" --log_path="/var/log/$app/$app-server.log" diff --git a/scripts/remove b/scripts/remove index 231ca12..770c186 100755 --- a/scripts/remove +++ b/scripts/remove @@ -15,12 +15,16 @@ ynh_script_progression --message="Removing system configurations related to $app if ynh_exec_warn_less yunohost service status "$app-server" >/dev/null; then yunohost service remove "$app-server" fi +if ynh_exec_warn_less yunohost service status "$app-microservices" >/dev/null; then + yunohost service remove "$app-microservices" +fi if ynh_exec_warn_less yunohost service status "$app-machine-learning" >/dev/null; then yunohost service remove "$app-machine-learning" fi # Remove the dedicated systemd config ynh_remove_systemd_config --service="immich-server" +ynh_remove_systemd_config --service="immich-microservices" ynh_remove_systemd_config --service="immich-machine-learning" # Remove the app-specific fail2ban config diff --git a/scripts/restore b/scripts/restore index c82f41d..a268b3f 100755 --- a/scripts/restore +++ b/scripts/restore 
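Review bot: In the scripts/remove hunk the new `ynh_remove_systemd_config --service="immich-microservices"` names the unit literally, whereas scripts/install (earlier on this line) creates it as `--service="$app-microservices"`; if the app id ever differs from `immich`, the unit file is left behind after removal. The neighbouring server and machine-learning lines share the pattern, so this is pre-existing style rather than a regression, but the new line could read `ynh_remove_systemd_config --service="$app-microservices"` to match the install side.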
@@ -59,12 +59,15 @@ ynh_script_progression --message="Restoring system configurations related to $ap ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_restore_file --origin_path="/etc/systemd/system/$app-server.service" +ynh_restore_file --origin_path="/etc/systemd/system/$app-microservices.service" ynh_restore_file --origin_path="/etc/systemd/system/$app-machine-learning.service" systemctl enable "$app-server.service" --quiet +systemctl enable "$app-microservices.service" --quiet systemctl enable "$app-machine-learning.service" --quiet yunohost service add "$app-server" --description="Immich Server" --log="/var/log/$app/$app-server.log" +yunohost service add "$app-microservices" --description="Immich Microservices" --log="/var/log/$app/$app-microservices.log" yunohost service add "$app-machine-learning" --description="Immich Machine Learning" --log="/var/log/$app/$app-machine-learning.log" ynh_multimedia_build_main_dir @@ -86,6 +89,7 @@ ynh_restore_file --origin_path="/var/log/$app/" #================================================= ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1 +ynh_systemd_action --service_name="$app-microservices" --action="start" --line_match="Immich Microservices is listening" --log_path="/var/log/$app/$app-microservices.log" ynh_systemd_action --service_name="$app-machine-learning" --action="start" --line_match="Application startup complete" --log_path="/var/log/$app/$app-machine-learning.log" ynh_systemd_action --service_name="$app-server" --action="start" --line_match="Immich Server is listening" --log_path="/var/log/$app/$app-server.log" diff --git a/scripts/upgrade b/scripts/upgrade index ffbbadd..2c094a5 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -12,22 +12,13 @@ source /usr/share/yunohost/helpers ynh_script_progression --message="Stopping a systemd service..." --weight=1 ynh_systemd_action --service_name="$app-server" --action="stop" +ynh_systemd_action --service_name="$app-microservices" --action="stop" ynh_systemd_action --service_name="$app-machine-learning" --action="stop" #================================================= # ENSURE DOWNWARD COMPATIBILITY #================================================= -ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 - -if ynh_compare_current_package_version --comparison lt --version 1.106.4~ynh1 -then - ynh_systemd_action --service_name="$app-microservices" --action="stop" - if ynh_exec_warn_less yunohost service status "$app-microservices" >/dev/null; then - yunohost service remove "$app-microservices" - fi - ynh_remove_systemd_config --service="immich-microservices" - ynh_secure_remove --file="/var/log/$app/$app-microservices.log" -fi +#ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -85,8 +76,10 @@ ynh_script_progression --message="Upgrading system configurations related to $ap ynh_add_nginx_config ynh_add_systemd_config --service="$app-server" --template="immich-server.service" +ynh_add_systemd_config --service="$app-microservices" --template="immich-microservices.service" ynh_add_systemd_config --service="$app-machine-learning" --template="immich-machine-learning.service" +yunohost service add "$app-microservices" --description="Immich Microservices" --log="/var/log/$app/$app-microservices.log" yunohost service add "$app-machine-learning" --description="Immich Machine Learning" --log="/var/log/$app/$app-machine-learning.log" yunohost service add "$app-server" --description="Immich Server" --log="/var/log/$app/$app-server.log" 
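Review bot: The new unconditional `ynh_systemd_action --service_name="$app-microservices" --action="stop"` in scripts/upgrade runs before the unit is (re)created by the `ynh_add_systemd_config` added in the second hunk on this line, so on the first upgrade from the immediately preceding package version — which, judging by the removed compatibility block, had no microservices unit — `systemctl stop` is issued for a unit that is not loaded; if the helper treats that as fatal (I believe it dies rather than warns), the upgrade aborts before the unit is ever installed. Guard the stop on the unit file's presence: `if [[ -e "/etc/systemd/system/$app-microservices.service" ]]; then` / `ynh_systemd_action --service_name="$app-microservices" --action="stop"` / `fi`. Separately, the `#ynh_script_progression --message="Ensuring downward compatibility..." --weight=1` line is commented-out dead code left under a section banner that now does nothing; either drop the whole section or keep the progression call live.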
@@ -101,6 +94,7 @@ ynh_add_fail2ban_config --logpath="/var/log/$app/$app-server.log" --failregex="$ # START SYSTEMD SERVICE #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 +ynh_systemd_action --service_name="$app-microservices" --action="start" --line_match="Immich Microservices is listening" --log_path="/var/log/$app/$app-microservices.log" ynh_systemd_action --service_name="$app-machine-learning" --action="start" --line_match="Application startup complete" --log_path="/var/log/$app/$app-machine-learning.log" ynh_systemd_action --service_name="$app-server" --action="start" --line_match="Immich Server is listening" --log_path="/var/log/$app/$app-server.log"