Merge pull request #13 from YunoHost-Apps/fixes

Fixes
2024-09-03 19:36:15 +02:00 · 2022-12-27 17:28:05 -05:00 · 2022-12-27 17:28:05 -05:00 · 342e50a366
commit 342e50a366
parent 89671b2cd4 316e6bc5e0
9 changed files with 67 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -18,8 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ v9.4) database as its data store.


-**Shipped version:** 2.2.0~ynh1
-
+**Shipped version:** 2.3.0~ynh2

 **Demo:** https://demo.listmonk.app/

--- a/README_fr.md
+++ b/README_fr.md
@ -18,8 +18,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ v9.4) database as its data store.


-**Version incluse :** 2.2.0~ynh1
-
+**Version incluse :** 2.3.0~ynh2

 **Démo :** https://demo.listmonk.app/

--- a/conf/amd64.src
+++ b/conf/amd64.src
@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/knadh/listmonk/releases/download/v2.2.0/listmonk_2.2.0_linux_amd64.tar.gz
-SOURCE_SUM=c2bdccd073d768d2b8dfbfad6469c5b41cf39b44a20c263cbaebf15876463709
+SOURCE_URL=https://github.com/knadh/listmonk/releases/download/v2.3.0/listmonk_2.3.0_linux_amd64.tar.gz
+SOURCE_SUM=4ad9ff7a04e13c9f8609c705e4850046ae8a3c9a03b0c4ac04e3c1d1c8fe8b7a
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
--- a/conf/app.src
+++ b/conf/app.src
@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/knadh/listmonk/archive/refs/tags/v2.2.0.tar.gz
-SOURCE_SUM=e3f1cc89972cafaab78cda38be54ab3fc115fd7846e2e7dae1b19fff002e1c77
+SOURCE_URL=https://github.com/knadh/listmonk/archive/refs/tags/v2.3.0.tar.gz
+SOURCE_SUM=54cab80ca16dbf58ce40b7fc1ae88a9f8ed4c9d9a54387a77b1a90cb4dba3404
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
--- a/conf/config.toml
+++ b/conf/config.toml
@ -9,8 +9,8 @@ address = "127.0.0.1:__PORT__"
 # be replaced with a better multi-user, role-based authentication system.
 # IMPORTANT: Leave both values empty to disable authentication on admin
 # only where an external authentication is already setup.
-admin_username = "__ADMIN__"
-admin_password = "__PASSWORD__"
+admin_username = ""
+admin_password = ""

 # Database.
 [db]
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -1,14 +1,48 @@
 [Unit]
 Description=Listmonk: newsletter and mailing list manager
 Documentation=https://listmonk.app/docs/
+ConditionPathExists=__FINALPATH__/config.toml
+After=network.target

 [Service]
 Type=simple
 User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/
+ExecStartPre=/usr/bin/mkdir -p "__FINALPATH__/uploads"
+ExecStartPre=__FINALPATH__/listmonk --config __FINALPATH__/config.toml --upgrade --yes
 ExecStart=__FINALPATH__/listmonk
 Restart=always

+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
--- a/manifest.json
+++ b/manifest.json
@ -6,7 +6,7 @@
        "en": "Newsletter and mailing list manager",
        "fr": "Manager de newsletter et mailing list"
    },
-    "version": "2.2.0~ynh1",
+    "version": "2.3.0~ynh2",
    "url": "https://listmonk.app/",
    "upstream": {
        "license": "AGPL-3.0-only",
@ -38,14 +38,6 @@
                "name": "is_public",
                "type": "boolean",
                "default": true
-            },
-            {
-                "name": "admin",
-                "type": "user"
-            },
-            {
-                "name": "password",
-                "type": "password"
            }
        ]
    }
--- a/scripts/install
+++ b/scripts/install
@ -28,8 +28,8 @@ ynh_abort_if_errors
 domain=$YNH_APP_ARG_DOMAIN
 path_url="/"
 is_public=$YNH_APP_ARG_IS_PUBLIC
-admin=$YNH_APP_ARG_ADMIN
-password=$YNH_APP_ARG_PASSWORD
+admin=""
+password=""

 app=$YNH_APP_INSTANCE_NAME

@ -209,12 +209,12 @@ then
 fi

 # Only the admin can access the admin panel of the app (if the app has an admin panel)
-ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false
+ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false

 # Everyone can access the API part
 # We don't want to display the tile in the SSO so we put --show_tile="false"
 # And we don't want the YunoHost admin to be able to remove visitors group to this permission, so we put --protected="true"
-ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
+ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true"

 #=================================================
 # RELOAD NGINX
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -70,14 +70,26 @@ fi

 if ! ynh_permission_exists --permission="admin"; then
 	# Create the required permissions
-	ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false
+	ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false
 fi

 # Create a permission if needed
 if ! ynh_permission_exists --permission="api"; then
-	ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
+	ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true"
 fi

+if ynh_compare_current_package_version --comparison le --version 2.3.0~ynh1
+then
+	mkdir -p "$final_path/uploads"
+
+	ynh_permission_delete --permission="admin"
+	ynh_permission_delete --permission="api"
+
+	ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false
+	ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true"
+fi
+
+
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@ -93,11 +105,10 @@ ynh_system_user_create --username=$app --home_dir="$final_path"
 if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 	ynh_script_progression --message="Upgrading source files..." --weight=5
-
 	# Download, check integrity, uncompress and patch the source from app.src
 	if [ $YNH_ARCH == "armhf" ] || [ $YNH_ARCH == "arm64" ]
 	then
-		ynh_setup_source --dest_dir="$final_path/build" --keep="$final_path/config.toml"
+		ynh_setup_source --dest_dir="$final_path/build" --keep="$final_path/config.toml uploads"
 		# Install Nodejs
 		ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version
 		# Install Yarn
@ -117,7 +128,7 @@ then
 		ynh_remove_nodejs
 		ynh_secure_remove --file="$final_path/build"
 	else
-		ynh_setup_source --dest_dir="$final_path"  --source_id=$YNH_ARCH --keep="$final_path/config.toml"
+		ynh_setup_source --dest_dir="$final_path"  --source_id=$YNH_ARCH --keep="$final_path/config.toml uploads"
 	fi
 fi

@ -144,12 +155,12 @@ ynh_exec_warn_less ynh_install_app_dependencies $pkg_dependencies
 #=================================================
 # UPDATE A CONFIG FILE
 #=================================================
-# ynh_script_progression --message="Updating a configuration file..." --time --weight=1
+ynh_script_progression --message="Updating a configuration file..." --time --weight=1

-# ynh_add_config --template="../conf/config.toml" --destination="$final_path/config.toml"
+ynh_add_config --template="../conf/config.toml" --destination="$final_path/config.toml"

-# chmod 400 "$final_path/config.toml"
-# chown $app:$app "$final_path/config.toml"
+chmod 400 "$final_path/config.toml"
+chown $app:$app "$final_path/config.toml"

 #=================================================
 # DATABASE CONFIGURATION