diff --git a/README.md b/README.md index d44239c..7e28f8e 100644 --- a/README.md +++ b/README.md @@ -15,13 +15,12 @@ Kresus is an open-source libre self-hosted personal finance manager. It allows y * to be added: * [ ] Email support - * [ ] Restrict more file access ($app is owner of everything, we should limit it more) + * [ ] Improve log file and add logrotate * [ ] Add user who will access the app (by default every one has access to the installed app) - * [ ] Email admin about installation with ynh_send_readme_to_admin helper ## Links * Report a bug about this package: https://github.com/YunoHost-Apps/kresus_ynh * Report a bug about Kresus itself: https://framagit.org/kresusapp/kresus * Kresus website: https://kresus.org - * YunoHost website: https://yunohost.org/ + * YunoHost website: https://yunohost.org diff --git a/conf/app.src b/conf/app.src index af0a8a2..e13638d 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://framagit.org/bnjbvr/kresus/-/archive/0.13.2/kresus-0.13.2.tar.bz2 -SOURCE_SUM=f5185dc12da185515df205a0a24f94c30b3fe28d3f4775d3c297779dc0503a16 +SOURCE_URL=https://framagit.org/kresusapp/kresus/-/archive/0.13.3/kresus-0.13.3.tar.bz2 +SOURCE_SUM=b1c4af2cab68dc0c02dcc625be416c1fa59105b1cbd3ec3cd93244296e047f68 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.bz2 SOURCE_IN_SUBDIR=true diff --git a/conf/nginx.conf b/conf/nginx.conf index d3ae0b8..406079b 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -3,6 +3,14 @@ location __PATH__/ { proxy_pass http://127.0.0.1:__PORT__; proxy_set_header Host $host; proxy_redirect off; + proxy_connect_timeout 600; + proxy_send_timeout 600; + proxy_read_timeout 600; + send_timeout 600; + + # allow "big" imports + client_max_body_size 8M; + # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; diff --git a/conf/systemd.service b/conf/systemd.service index 3a10453..f336a02 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -13,6 +13,14 @@ Environment=NODE_ENV=production Environment=HOME=__NODEPATH__ ExecStart=__FINALPATH__/bin/kresus.js --config __FINALPATH__/config.ini Restart=always +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProtectHome=true +ProtectSystem=strict +ProtectControlGroups=yes +ProtectKernelModules=yes +ReadWritePaths=__FINALPATH__/config.ini __FINALPATH__/data/ StandardOutput=syslog StandardError=syslog diff --git a/manifest.json b/manifest.json index 8944e6c..91753a8 100644 --- a/manifest.json +++ b/manifest.json @@ -15,7 +15,7 @@ "requirements": { "yunohost": ">= 2.7.14" }, - "version": "0.13.2~ynh2", + "version": "0.13.3~ynh1", "multi_instance": true, "services": [ "nginx" diff --git a/scripts/_common.sh b/scripts/_common.sh index c7e475c..c92fb21 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -164,3 +164,64 @@ EOF chmod +x "/etc/cron.daily/node_update" } + +# Send an email to inform the administrator +# +# usage: ynh_send_readme_to_admin app_message [recipients] +# | arg: app_message - The message to send to the administrator. +# | arg: recipients - The recipients of this email. Use spaces to separate multiples recipients. - default: root +# example: "root admin@domain" +# If you give the name of a YunoHost user, ynh_send_readme_to_admin will find its email adress for you +# example: "root admin@domain user1 user2" +ynh_send_readme_to_admin() { + local app_message="${1:-...No specific information...}" + local recipients="${2:-root}" + + # Retrieve the email of users + find_mails () { + local list_mails="$1" + local mail + local recipients=" " + # Read each mail in argument + for mail in $list_mails + do + # Keep root or a real email address as it is + if [ "$mail" = "root" ] || echo "$mail" | grep --quiet "@" + then + recipients="$recipients $mail" + else + # But replace an user name without a domain after by its email + if mail=$(ynh_user_get_info "$mail" "mail" 2> /dev/null) + then + recipients="$recipients $mail" + fi + fi + done + echo "$recipients" + } + recipients=$(find_mails "$recipients") + + local mail_subject="☁️🆈🅽🅷☁️: \`$app\` was just installed!" + + local mail_message="This is an automated message from your beloved YunoHost server. + +Specific information for the application $app. + +$app_message + +--- +Automatic diagnosis data from YunoHost + +$(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')" + + # Define binary to use for mail command + if [ -e /usr/bin/bsd-mailx ] + then + local mail_bin=/usr/bin/bsd-mailx + else + local mail_bin=/usr/bin/mail.mailutils + fi + + # Send the email to the recipients + echo "$mail_message" | $mail_bin -a "Content-Type: text/plain; charset=UTF-8" -s "$mail_subject" "$recipients" +} diff --git a/scripts/install b/scripts/install index 204de79..57b01c4 100644 --- a/scripts/install +++ b/scripts/install @@ -102,7 +102,7 @@ ynh_install_nodejs 8 # Install weboob with pip #================================================= -virtualenv "${final_path}/venv" +virtualenv --system-site-packages "${final_path}/venv" ( set +o nounset source "${final_path}/venv/bin/activate" @@ -151,8 +151,15 @@ ynh_add_systemd_config # SECURE FILES AND DIRECTORIES #================================================= +# Reset permissions +chown -R root:root "$final_path" + # Set permissions to app files -chown -R $app: $final_path +chown -R "$app":"$app" "$final_path/data/" +chmod -R 750 "$final_path/data/" + +# Set permissions to config file +chown "$app" "$final_path/config.ini" chmod 600 "$final_path/config.ini" #================================================= @@ -161,3 +168,23 @@ chmod 600 "$final_path/config.ini" service "$app" start service nginx reload + +#================================================= +# SEND README TO ADMIN +#================================================= + +message=" +Domain: $domain +Path : $path_url +Config: $final_path/config.ini + +Please remember the default behavior of YunoHost when installing a new app is: everyone has access to the app. +This may be an issue for Kresus as it is a personnal tool. Please remember to edit access rights in the YunoHost web administration panel or using command line interface. + +Note about config.ini: this package will regenerate the config file on upgrade. +If you changed it manually and upgrade Kresus, you'll find a backup in $final_path. + +Are you facing an issue, want to improve this app or say thank you? +Please open a new issue in this project: https://github.com/YunoHost-Apps/kresus_ynh +" +ynh_send_readme_to_admin "$message" diff --git a/scripts/upgrade b/scripts/upgrade index bc1f861..d0a37d7 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -16,8 +16,6 @@ source /usr/share/yunohost/helpers # Exit if an error occurs during the execution of the script ynh_abort_if_errors -# TODO: handle "/home/ynh$app" to final_path migration - app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get $app domain) @@ -111,7 +109,7 @@ ynh_install_nodejs 8 # Install weboob with pip #================================================= -virtualenv "${final_path}/venv" +virtualenv --system-site-packages "${final_path}/venv" ( set +o nounset source "${final_path}/venv/bin/activate" @@ -136,6 +134,8 @@ ynh_use_nodejs # CONFIGURE HASTE #================================================= +ynh_backup_if_checksum_is_different "$final_path/config.ini" + cp ../conf/config.ini "$final_path/config.ini" ynh_replace_string "__PORT__" "$port" "$final_path/config.ini" @@ -162,8 +162,15 @@ ynh_add_systemd_config # SECURE FILES AND DIRECTORIES #================================================= -# Set right permissions for curl installation -chown -R $app: $final_path +# Reset permissions +chown -R root:root "$final_path" + +# Set permissions to app files +chown -R "$app":"$app" "$final_path/data/" +chmod -R 750 "$final_path/data/" + +# Set permissions to config file +chown "$app" "$final_path/config.ini" chmod 600 "$final_path/config.ini" #================================================= @@ -172,3 +179,25 @@ chmod 600 "$final_path/config.ini" service "$app" restart systemctl reload nginx + +#================================================= +# SEND README TO ADMIN +#================================================= + +message=" +Kresus was updated! + +Domain: $domain +Path : $path_url +Config: $final_path/config.ini + +Please remember the default behavior of YunoHost when installing a new app is: everyone has access to the app. +This may be an issue for Kresus as it is a personnal tool. Please remember to edit access rights in the YunoHost web administration panel or using command line interface. + +Note about config.ini: this package will regenerate the config file on upgrade. +If you changed it manually and upgrade Kresus, you'll find a backup in $final_path. + +Are you facing an issue, want to improve this app or say thank you? +Please open a new issue in this project: https://github.com/YunoHost-Apps/kresus_ynh +" +ynh_send_readme_to_admin "$message" \ No newline at end of file