From fc0797bb30c37abf45c7479630655e6f415880d6 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 15 Aug 2024 08:23:42 +0200 Subject: [PATCH 1/4] fix --- .gitignore | 3 +++ manifest.toml | 3 ++- scripts/_common.sh | 14 +------------- scripts/backup | 19 +++++-------------- scripts/change_url | 12 +++--------- scripts/install | 26 ++++++++++---------------- scripts/remove | 21 ++++++++------------- scripts/restore | 33 ++++++++++++--------------------- scripts/upgrade | 34 +++++++++++++--------------------- 9 files changed, 57 insertions(+), 108 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8f144f3 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +*~ +*.sw[op] +.DS_Store diff --git a/manifest.toml b/manifest.toml index 449ffd2..d1b4c15 100644 --- a/manifest.toml +++ b/manifest.toml @@ -16,7 +16,8 @@ demo = "https://libreddit.spike.codes/" code = "https://github.com/spikecodes/libreddit" [integration] -yunohost = ">= 11.2.27" +yunohost = ">= 11.2.18" +helpers_version = "2.1" architectures = ["amd64"] multi_instance = true ldap = false diff --git a/scripts/_common.sh b/scripts/_common.sh index 944a65e..3d7f008 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -1,17 +1,5 @@ #!/bin/bash #================================================= -# COMMON VARIABLES -#================================================= - -#================================================= -# PERSONAL HELPERS -#================================================= - -#================================================= -# EXPERIMENTAL HELPERS -#================================================= - -#================================================= -# FUTURE OFFICIAL HELPERS +# COMMON VARIABLES AND CUSTOM HELPERS #================================================= diff --git a/scripts/backup b/scripts/backup index cd7a903..4ed49b4 100755 --- a/scripts/backup +++ b/scripts/backup 
@@ -1,35 +1,26 @@ #!/bin/bash -#================================================= -# GENERIC START -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers -#================================================= -# DECLARE DATA AND CONF FILES TO BACKUP -#================================================= -ynh_print_info --message="Declaring files to be backed up..." +ynh_print_info "Declaring files to be backed up..." #================================================= # BACKUP THE APP MAIN DIR #================================================= -ynh_backup --src_path="$install_dir" +ynh_backup "$install_dir" #================================================= # BACKUP THE NGINX CONFIGURATION #================================================= -ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf" -ynh_backup --src_path="/etc/systemd/system/$app.service" +ynh_backup "/etc/systemd/system/$app.service" #================================================= # END OF SCRIPT #================================================= -ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." +ynh_print_info "Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." diff --git a/scripts/change_url b/scripts/change_url index ab2d658..2678882 100644 --- a/scripts/change_url +++ b/scripts/change_url 
@@ -1,22 +1,16 @@ #!/bin/bash -#================================================= -# GENERIC STARTING -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source /usr/share/yunohost/helpers #================================================= # MODIFY URL IN NGINX CONF #================================================= -ynh_script_progression --message="Updating NGINX web server configuration..." --weight=1 +ynh_script_progression "Updating NGINX web server configuration..." -ynh_change_url_nginx_config +ynh_config_change_url_nginx #================================================= # END OF SCRIPT #================================================= -ynh_script_progression --message="Change of URL completed for $app" --last +ynh_script_progression "Change of URL completed for $app" diff --git a/scripts/install b/scripts/install index aa80988..84fbe5c 100755 --- a/scripts/install +++ b/scripts/install 
@@ -1,44 +1,38 @@ #!/bin/bash -#================================================= -# GENERIC START -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source _common.sh source /usr/share/yunohost/helpers #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= -ynh_script_progression --message="Setting up source files..." --weight=1 +ynh_script_progression "Setting up source files..." # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" -chown -R $app:www-data "$install_dir" +#REMOVEME? Assuming the install dir is setup using ynh_setup_source, the proper chmod/chowns are now already applied and it shouldn't be necessary to tweak perms | chown -R $app:www-data "$install_dir" chmod +x $install_dir/redlib #================================================= # SYSTEM CONFIGURATION #================================================= -ynh_script_progression --message="Adding system configurations related to $app..." --weight=1 +ynh_script_progression "Adding system configurations related to $app..." # Create a dedicated NGINX config -ynh_add_nginx_config +ynh_config_add_nginx # Create a dedicated systemd config -ynh_add_systemd_config +ynh_config_add_systemd yunohost service add $app --description="Alternative to Reddit" --log="/var/log/$app/$app.log" #================================================= # ADD A CONFIGURATION #================================================= -ynh_script_progression --message="Adding a configuration file..." --weight=1 +ynh_script_progression "Adding $app's configuration..." -ynh_add_config --template="redlib.conf" --destination="$install_dir/redlib.conf" +ynh_config_add --template="redlib.conf" --destination="$install_dir/redlib.conf" chmod 400 "$install_dir/redlib.conf" chown $app:$app "$install_dir/redlib.conf" 
@@ -46,13 +40,13 @@ chown $app:$app "$install_dir/redlib.conf" #================================================= # START SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Starting a systemd service..." --weight=1 +ynh_script_progression "Starting $app's systemd service..." # Start a systemd service -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" +ynh_systemctl --service=$app --action="start" --log_path="systemd" #================================================= # END OF SCRIPT #================================================= -ynh_script_progression --message="Installation of $app completed" --last +ynh_script_progression "Installation of $app completed" diff --git a/scripts/remove b/scripts/remove index 4c29204..098e9c9 100755 --- a/scripts/remove +++ b/scripts/remove 
@@ -1,36 +1,31 @@ #!/bin/bash -#================================================= -# GENERIC START -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source _common.sh source /usr/share/yunohost/helpers #================================================= # REMOVE SYSTEM CONFIGURATIONS #================================================= -# REMOVE SYSTEMD SERVICE +# REMOVE SYSTEMD SERVICE + #================================================= -ynh_script_progression --message="Removing system configurations related to $app..." --weight=1 +ynh_script_progression "Removing system configurations related to $app..." # Remove the service from the list of services known by YunoHost (added from `yunohost service add`) -if ynh_exec_warn_less yunohost service status $app >/dev/null +if ynh_hide_warnings yunohost service status $app >/dev/null then - ynh_script_progression --message="Removing $app service integration..." --weight=1 + ynh_script_progression "Removing $app service integration..." yunohost service remove $app fi # Remove the dedicated systemd config -ynh_remove_systemd_config +ynh_config_remove_systemd # Remove the dedicated NGINX config -ynh_remove_nginx_config +ynh_config_remove_nginx #================================================= # END OF SCRIPT #================================================= -ynh_script_progression --message="Removal of $app completed" --last +ynh_script_progression "Removal of $app completed" diff --git a/scripts/restore b/scripts/restore index 8f15010..7da6af8 100755 --- a/scripts/restore +++ b/scripts/restore 
@@ -1,53 +1,44 @@ #!/bin/bash -#================================================= -# GENERIC START -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers #================================================= # RESTORE THE APP MAIN DIR #================================================= -ynh_script_progression --message="Restoring the app main directory..." --weight=1 +ynh_script_progression "Restoring the app main directory..." -ynh_restore_file --origin_path="$install_dir" - -chmod -R o-rwx "$install_dir" -chown -R $app:www-data "$install_dir" +ynh_restore "$install_dir" +#REMOVEME? Assuming the install dir is setup using ynh_setup_source, the proper chmod/chowns are now already applied and it shouldn't be necessary to tweak perms | chmod -R o-rwx "$install_dir" +#REMOVEME? Assuming the install dir is setup using ynh_setup_source, the proper chmod/chowns are now already applied and it shouldn't be necessary to tweak perms | chown -R $app:www-data "$install_dir" #================================================= # RESTORE SYSTEM CONFIGURATIONS #================================================= # RESTORE THE PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Restoring system configurations related to $app..." --weight=1 +ynh_script_progression "Restoring system configurations related to $app..." 
-ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_restore "/etc/nginx/conf.d/$domain.d/$app.conf" -ynh_restore_file --origin_path="/etc/systemd/system/$app.service" +ynh_restore "/etc/systemd/system/$app.service" systemctl enable $app.service --quiet yunohost service add $app --description="Alternative to Reddit" --log="/var/log/$app/$app.log" -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" +ynh_systemctl --service=$app --action="start" --log_path="systemd" -#================================================= -# GENERIC FINALIZATION #================================================= # RELOAD NGINX AND PHP-FPM OR THE APP SERVICE #================================================= -ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1 +ynh_script_progression "Reloading NGINX web server and $app's service..." -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" +ynh_systemctl --service=$app --action="start" --log_path="systemd" -ynh_systemd_action --service_name=nginx --action=reload +ynh_systemctl --service=nginx --action=reload #================================================= # END OF SCRIPT #================================================= -ynh_script_progression --message="Restoration completed for $app" --last +ynh_script_progression "Restoration completed for $app" diff --git a/scripts/upgrade b/scripts/upgrade index df2d3b3..9f91570 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
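Review bot: The service is started twice on the new side of this hunk: `ynh_systemctl --service=$app --action="start" --log_path="systemd"` follows `yunohost service add` directly and then appears again under the "RELOAD NGINX AND PHP-FPM OR THE APP SERVICE" heading, so the first call can be dropped and the single start kept after the NGINX config has been restored. The two section headings "RESTORE THE PHP-FPM CONFIGURATION" and "RELOAD NGINX AND PHP-FPM OR THE APP SERVICE" mention PHP-FPM although nothing in this script restores or reloads it; `# RESTORE THE NGINX AND SYSTEMD CONFIGURATIONS` and `# RELOAD NGINX AND START THE APP SERVICE` would describe what the code does. The retained `systemctl enable $app.service --quiet` and `yunohost service add $app` leave `$app` unquoted while the surrounding helper calls quote their paths; quoting it would be consistent, though the value presumably comes from the YunoHost environment rather than from user input.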
@@ -1,53 +1,45 @@ #!/bin/bash -#================================================= -# GENERIC START -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source _common.sh source /usr/share/yunohost/helpers -#================================================= -# STANDARD UPGRADE STEPS #================================================= # STOP SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Stopping a systemd service..." --weight=1 +ynh_script_progression "Stopping $app's systemd service..." -ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" +ynh_systemctl --service=$app --action="stop" --log_path="systemd" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= -ynh_script_progression --message="Upgrading source files..." --weight=5 +ynh_script_progression "Upgrading source files..." # Download, check integrity, uncompress and patch the source from app.src -ynh_setup_source --dest_dir="$install_dir" --keep="redlib.conf" --full_replace=1 +ynh_setup_source --dest_dir="$install_dir" --keep="redlib.conf" --full_replace -chown -R $app:www-data "$install_dir" +#REMOVEME? Assuming the install dir is setup using ynh_setup_source, the proper chmod/chowns are now already applied and it shouldn't be necessary to tweak perms | chown -R $app:www-data "$install_dir" chmod +x $install_dir/redlib #================================================= # REAPPLY SYSTEM CONFIGURATIONS #================================================= -ynh_script_progression --message="Upgrading system configurations related to $app..." --weight=1 +ynh_script_progression "Upgrading system configurations related to $app..." 
# Create a dedicated NGINX config -ynh_add_nginx_config +ynh_config_add_nginx # Create a dedicated systemd config -ynh_add_systemd_config +ynh_config_add_systemd yunohost service add $app --description="Alternative to Reddit" --log="/var/log/$app/$app.log" #================================================= # UPDATE A CONFIG FILE #================================================= -ynh_script_progression --message="Updating a configuration file..." --weight=1 +ynh_script_progression "Updating configuration..." -ynh_add_config --template="redlib.conf" --destination="$install_dir/redlib.conf" +ynh_config_add --template="redlib.conf" --destination="$install_dir/redlib.conf" chmod 400 "$install_dir/redlib.conf" chown $app:$app "$install_dir/redlib.conf" @@ -55,12 +47,12 @@ chown $app:$app "$install_dir/redlib.conf" #================================================= # START SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Starting a systemd service..." --weight=2 +ynh_script_progression "Starting $app's systemd service..." -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" +ynh_systemctl --service=$app --action="start" --log_path="systemd" #================================================= # END OF SCRIPT #================================================= -ynh_script_progression --message="Upgrade of $app completed" --last +ynh_script_progression "Upgrade of $app completed" From b8a1c0ab973aa1c73c356ce2d4e7700ed80e2da2 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 15 Aug 2024 08:24:22 +0200 Subject: [PATCH 2/4] Update manifest.toml --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index d1b4c15..adaa3dc 100644 --- a/manifest.toml +++ b/manifest.toml 
@@ -16,7 +16,7 @@ demo = "https://libreddit.spike.codes/" code = "https://github.com/spikecodes/libreddit" [integration] -yunohost = ">= 11.2.18" +yunohost = ">= 11.2.27" helpers_version = "2.1" architectures = ["amd64"] multi_instance = true From fda1e85b14a6bec6fd7534c635fea6f0838b529c Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 15 Aug 2024 08:35:56 +0200 Subject: [PATCH 3/4] fix --- conf/.env | 52 ------------------------------------------------- scripts/install | 5 ----- scripts/remove | 4 ---- scripts/restore | 2 -- scripts/upgrade | 4 ---- 5 files changed, 67 deletions(-) delete mode 100644 conf/.env diff --git a/conf/.env b/conf/.env deleted file mode 100644 index 72c62d9..0000000 --- a/conf/.env +++ /dev/null 
@@ -1,52 +0,0 @@ -# Redlib configuration -# See the Configuration section of the README for a more detailed explanation of these settings. - -# Instance-specific settings -# Enable SFW-only mode for the instance -REDLIB_SFW_ONLY=off -# Set a banner message for the instance -REDLIB_BANNER= -# Disable search engine indexing -REDLIB_ROBOTS_DISABLE_INDEXING=off -# Set the Pushshift frontend for "removed" links -REDLIB_PUSHSHIFT_FRONTEND=undelete.pullpush.io - -# Default user settings -# Set the default theme (options: system, light, dark, black, dracula, nord, laserwave, violet, gold, rosebox, gruvboxdark, gruvboxlight) -REDLIB_DEFAULT_THEME=system -# Set the default front page (options: default, popular, all) -REDLIB_DEFAULT_FRONT_PAGE=default -# Set the default layout (options: card, clean, compact) -REDLIB_DEFAULT_LAYOUT=card -# Enable wide mode by default -REDLIB_DEFAULT_WIDE=off -# Set the default post sort method (options: hot, new, top, rising, controversial) -REDLIB_DEFAULT_POST_SORT=hot -# Set the default comment sort method (options: confidence, top, new, controversial, old) -REDLIB_DEFAULT_COMMENT_SORT=confidence -# Enable blurring Spoiler content by default -REDLIB_DEFAULT_BLUR_SPOILER=off -# Enable showing NSFW content by default -REDLIB_DEFAULT_SHOW_NSFW=off -# Enable blurring NSFW content by default -REDLIB_DEFAULT_BLUR_NSFW=off -# Enable HLS video format by default -REDLIB_DEFAULT_USE_HLS=off -# Hide HLS notification by default -REDLIB_DEFAULT_HIDE_HLS_NOTIFICATION=off -# Disable autoplay videos by default -REDLIB_DEFAULT_AUTOPLAY_VIDEOS=off -# Define a default list of subreddit subscriptions (format: sub1+sub2+sub3) -REDLIB_DEFAULT_SUBSCRIPTIONS= -# Define a default list of subreddit filters (format: sub1+sub2+sub3) -REDLIB_DEFAULT_FILTERS= -# Hide awards by default -REDLIB_DEFAULT_HIDE_AWARDS=off -# Hide sidebar and summary -REDLIB_DEFAULT_HIDE_SIDEBAR_AND_SUMMARY=off -# Disable the confirmation before visiting Reddit 
-REDLIB_DEFAULT_DISABLE_VISIT_REDDIT_CONFIRMATION=off -# Hide score by default -REDLIB_DEFAULT_HIDE_SCORE=off -# Enable fixed navbar by default -REDLIB_DEFAULT_FIXED_NAVBAR=on \ No newline at end of file diff --git a/scripts/install b/scripts/install index 84fbe5c..8cbb255 100755 --- a/scripts/install +++ b/scripts/install @@ -8,10 +8,8 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression "Setting up source files..." -# Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" -#REMOVEME? Assuming the install dir is setup using ynh_setup_source, the proper chmod/chowns are now already applied and it shouldn't be necessary to tweak perms | chown -R $app:www-data "$install_dir" chmod +x $install_dir/redlib #================================================= @@ -19,10 +17,8 @@ chmod +x $install_dir/redlib #================================================= ynh_script_progression "Adding system configurations related to $app..." -# Create a dedicated NGINX config ynh_config_add_nginx -# Create a dedicated systemd config ynh_config_add_systemd yunohost service add $app --description="Alternative to Reddit" --log="/var/log/$app/$app.log" @@ -42,7 +38,6 @@ chown $app:$app "$install_dir/redlib.conf" #================================================= ynh_script_progression "Starting $app's systemd service..." -# Start a systemd service ynh_systemctl --service=$app --action="start" --log_path="systemd" #================================================= diff --git a/scripts/remove b/scripts/remove index 098e9c9..ed34c62 100755 --- a/scripts/remove +++ b/scripts/remove 
@@ -7,21 +7,17 @@ source /usr/share/yunohost/helpers # REMOVE SYSTEM CONFIGURATIONS #================================================= # REMOVE SYSTEMD SERVICE - #================================================= ynh_script_progression "Removing system configurations related to $app..." -# Remove the service from the list of services known by YunoHost (added from `yunohost service add`) if ynh_hide_warnings yunohost service status $app >/dev/null then ynh_script_progression "Removing $app service integration..." yunohost service remove $app fi -# Remove the dedicated systemd config ynh_config_remove_systemd -# Remove the dedicated NGINX config ynh_config_remove_nginx #================================================= diff --git a/scripts/restore b/scripts/restore index 7da6af8..c99b967 100755 --- a/scripts/restore +++ b/scripts/restore @@ -10,8 +10,6 @@ ynh_script_progression "Restoring the app main directory..." ynh_restore "$install_dir" -#REMOVEME? Assuming the install dir is setup using ynh_setup_source, the proper chmod/chowns are now already applied and it shouldn't be necessary to tweak perms | chmod -R o-rwx "$install_dir" -#REMOVEME? Assuming the install dir is setup using ynh_setup_source, the proper chmod/chowns are now already applied and it shouldn't be necessary to tweak perms | chown -R $app:www-data "$install_dir" #================================================= # RESTORE SYSTEM CONFIGURATIONS #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 9f91570..bde0b92 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -15,10 +15,8 @@ ynh_systemctl --service=$app --action="stop" --log_path="systemd" #================================================= ynh_script_progression "Upgrading source files..." -# Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" --keep="redlib.conf" --full_replace -#REMOVEME? Assuming the install dir is setup using ynh_setup_source, the proper chmod/chowns are now already applied and it shouldn't be necessary to tweak perms | chown -R $app:www-data "$install_dir" chmod +x $install_dir/redlib #================================================= @@ -26,10 +24,8 @@ chmod +x $install_dir/redlib #================================================= ynh_script_progression "Upgrading system configurations related to $app..." -# Create a dedicated NGINX config ynh_config_add_nginx -# Create a dedicated systemd config ynh_config_add_systemd yunohost service add $app --description="Alternative to Reddit" --log="/var/log/$app/$app.log" From 2395397a9452f495f74c777853be10b2a270be6f Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 15 Aug 2024 08:37:15 +0200 Subject: [PATCH 4/4] Update systemd.service --- conf/systemd.service | 46 ++++++++++++++++++++++++++++---------------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index e2fd1f8..443cc25 100644 --- a/conf/systemd.service +++ b/conf/systemd.service 
@@ -10,27 +10,39 @@ DynamicUser=yes EnvironmentFile=-__INSTALL_DIR__/redlib.conf ExecStart=__INSTALL_DIR__/redlib -a 127.0.0.1 -p __PORT__ -# Hardening -DeviceAllow= -LockPersonality=yes -MemoryDenyWriteExecute=yes +### Depending on specificities of your service/app, you may need to tweak these +### .. but this should be a good baseline +# Sandboxing options to harden security +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes PrivateDevices=yes -ProcSubset=pid -ProtectClock=yes -ProtectControlGroups=yes -ProtectHome=yes -ProtectHostname=yes -ProtectKernelLogs=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -ProtectProc=invisible -RestrictAddressFamilies=AF_INET AF_INET6 +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK RestrictNamespaces=yes RestrictRealtime=yes -RestrictSUIDSGID=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes SystemCallArchitectures=native -SystemCallFilter=@system-service ~@privileged ~@resources -UMask=0077 +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE 
CAP_SYSLOG [Install] WantedBy=multi-user.target
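Review bot: The new `SystemCallFilter=~@clock @debug …` is a deny-list that permits every syscall outside the named groups, whereas the removed `SystemCallFilter=@system-service ~@privileged ~@resources` was an allow-list, and the hunk also drops `MemoryDenyWriteExecute=yes`, `ProtectHome=yes`, `ProtectKernelLogs=yes`, `RestrictSUIDSGID=yes`, `ProcSubset=pid` and `UMask=0077` without a replacement, so the unit ends up looser than before the change. `RestrictAddressFamilies` is widened from `AF_INET AF_INET6` to add `AF_UNIX AF_NETLINK` although the ExecStart only binds 127.0.0.1; if a specific call needs the extra families a comment naming it would justify the change, otherwise the previous list should stay. `ProtectSystem=full` is also weaker than the `strict` that the `DynamicUser=yes` context line at the top of the hunk implies, assuming the explicit value overrides the implied one. Unless one of these options was observed to break redlib, re-adding the removed lines keeps the baseline at least as tight as the old unit; the rest of the hunk can stay as written.
```ini
# … unchanged: ExecStart, NoNewPrivileges/PrivateTmp/PrivateDevices …
# Keep the allow-list from the previous unit rather than a deny-list
SystemCallFilter=@system-service ~@privileged ~@resources
RestrictAddressFamilies=AF_INET AF_INET6
# Hardening options dropped by this change, restored
MemoryDenyWriteExecute=yes
ProtectHome=yes
ProtectKernelLogs=yes
RestrictSUIDSGID=yes
ProcSubset=pid
UMask=0077
# … unchanged: CapabilityBoundingSet lines, [Install] …
```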