diff --git a/README.md b/README.md index 90785e8..b082b20 100644 --- a/README.md +++ b/README.md @@ -18,8 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ v9.4) database as its data store. -**Shipped version:** 2.2.0~ynh1 - +**Shipped version:** 2.3.0~ynh2 **Demo:** https://demo.listmonk.app/ diff --git a/README_fr.md b/README_fr.md index bc2eb8b..f4f2b34 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,8 +18,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ v9.4) database as its data store. -**Version incluse :** 2.2.0~ynh1 - +**Version incluse :** 2.3.0~ynh2 **Démo :** https://demo.listmonk.app/ diff --git a/conf/amd64.src b/conf/amd64.src index 13d7501..ae67069 100644 --- a/conf/amd64.src +++ b/conf/amd64.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/knadh/listmonk/releases/download/v2.2.0/listmonk_2.2.0_linux_amd64.tar.gz -SOURCE_SUM=c2bdccd073d768d2b8dfbfad6469c5b41cf39b44a20c263cbaebf15876463709 +SOURCE_URL=https://github.com/knadh/listmonk/releases/download/v2.3.0/listmonk_2.3.0_linux_amd64.tar.gz +SOURCE_SUM=4ad9ff7a04e13c9f8609c705e4850046ae8a3c9a03b0c4ac04e3c1d1c8fe8b7a SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=false diff --git a/conf/app.src b/conf/app.src index af92853..0d741d0 100644 --- a/conf/app.src +++ b/conf/app.src 
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/knadh/listmonk/archive/refs/tags/v2.2.0.tar.gz
-SOURCE_SUM=e3f1cc89972cafaab78cda38be54ab3fc115fd7846e2e7dae1b19fff002e1c77
+SOURCE_URL=https://github.com/knadh/listmonk/archive/refs/tags/v2.3.0.tar.gz
+SOURCE_SUM=54cab80ca16dbf58ce40b7fc1ae88a9f8ed4c9d9a54387a77b1a90cb4dba3404
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
diff --git a/conf/config.toml b/conf/config.toml
index 566e417..5ca5112 100644
--- a/conf/config.toml
+++ b/conf/config.toml
@@ -9,8 +9,8 @@ address = "127.0.0.1:__PORT__"
 # be replaced with a better multi-user, role-based authentication system.
 # IMPORTANT: Leave both values empty to disable authentication on admin
 # only where an external authentication is already setup.
-admin_username = "__ADMIN__"
-admin_password = "__PASSWORD__"
+admin_username = ""
+admin_password = ""
 
 # Database.
 [db]
diff --git a/conf/systemd.service b/conf/systemd.service
index a5fcd31..ad31981 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
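Review bot: Emptying `admin_username`/`admin_password` switches off listmonk's own admin authentication, so after this hunk the SSO `admin` permission created in scripts/install is the only thing between a client and `/admin` and `/api`; the `address = "127.0.0.1:__PORT__"` context line keeps the listener on loopback, but any process on the host that can reach that port gets the admin API without credentials. The template comment's precondition ("only where an external authentication is already setup") deserves a line tying it to the concrete mechanism, e.g. `# Auth is delegated to the YunoHost SSO: the 'admin' permission (scripts/install) must cover /admin and /api while these stay empty`. If the port is ever bound to a non-loopback address or the permission's URL list shrinks, these two values have to be populated again.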
@@ -1,14 +1,48 @@
 [Unit]
 Description=Listmonk: newsletter and mailing list manager
 Documentation=https://listmonk.app/docs/
+ConditionPathExists=__FINALPATH__/config.toml
+After=network.target
 
 [Service]
 Type=simple
 User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/
+ExecStartPre=/usr/bin/mkdir -p "__FINALPATH__/uploads"
+ExecStartPre=__FINALPATH__/listmonk --config __FINALPATH__/config.toml --upgrade --yes
 ExecStart=__FINALPATH__/listmonk
 Restart=always
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 9541a8d..b976221 100644
--- a/manifest.json
+++ b/manifest.json
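Review bot: The hardening block omits `ProtectHome`, so the service user keeps read access to `/home` and `/root` although nothing in this unit touches them; `ProtectHome=yes` next to `ProtectSystem=full` closes that gap (unless `__FINALPATH__` resolves below `/home`, which should be checked), and `ProtectKernelLogs=yes` fits the same baseline. The new `ExecStartPre=... --upgrade --yes` runs pending listmonk schema migrations non-interactively on every start, including each restart driven by `Restart=always`; that is presumably intended but worth stating in the unit, e.g. `# Apply pending DB schema migrations before each start (non-interactive)`. The quoted path in `ExecStartPre=/usr/bin/mkdir -p "__FINALPATH__/uploads"` is valid for systemd, but `WorkingDirectory` and `ConditionPathExists` use the unquoted form, and one style for `__FINALPATH__` reads more easily.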
@@ -6,7 +6,7 @@ "en": "Newsletter and mailing list manager", "fr": "Manager de newsletter et mailing list" }, - "version": "2.2.0~ynh1", + "version": "2.3.0~ynh2", "url": "https://listmonk.app/", "upstream": { "license": "AGPL-3.0-only", @@ -38,14 +38,6 @@ "name": "is_public", "type": "boolean", "default": true - }, - { - "name": "admin", - "type": "user" - }, - { - "name": "password", - "type": "password" } ] } diff --git a/scripts/install b/scripts/install index 28325fa..81d5a7b 100755 --- a/scripts/install +++ b/scripts/install @@ -28,8 +28,8 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url="/" is_public=$YNH_APP_ARG_IS_PUBLIC -admin=$YNH_APP_ARG_ADMIN -password=$YNH_APP_ARG_PASSWORD +admin="" +password="" app=$YNH_APP_INSTANCE_NAME @@ -209,12 +209,12 @@ then fi # Only the admin can access the admin panel of the app (if the app has an admin panel) -ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false +ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false # Everyone can access the API part # We don't want to display the tile in the SSO so we put --show_tile="false" # And we don't want the YunoHost admin to be able to remove visitors group to this permission, so we put --protected="true" -ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true" +ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true" #================================================= # RELOAD NGINX diff --git a/scripts/upgrade b/scripts/upgrade index 8f4f7e7..e031eb6 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
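Review bot: `--allowed=$admin` is still passed in the `ynh_permission_create --permission="admin"` line although `admin=""` is now hard-coded in the first hunk of this file, so the `admin` permission is created with an empty allowed list and, with the built-in credentials removed from conf/config.toml, it is the sole gate on `/admin` and `/api` until a YunoHost admin grants a user. Either drop the now-dead `admin`/`password` variables together with the `--allowed=$admin` argument, or quote it (`--allowed="$admin"`); unquoted it trips SC2086 and reads as if a user were still being granted. The visitors `api` permission's `/api/public` sits under the `admin` permission's `/api`; if SSOwat picks the longest matching prefix this is what is wanted, but a comment such as `# /api/public is intentionally carved out of the admin-only /api tree` would stop the next reader from "fixing" the overlap.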
@@ -70,14 +70,26 @@ fi if ! ynh_permission_exists --permission="admin"; then # Create the required permissions - ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false + ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false fi # Create a permission if needed if ! ynh_permission_exists --permission="api"; then - ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true" + ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true" fi +if ynh_compare_current_package_version --comparison le --version 2.3.0~ynh1 +then + mkdir -p "$final_path/uploads" + + ynh_permission_delete --permission="admin" + ynh_permission_delete --permission="api" + + ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false + ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true" +fi + + #================================================= # CREATE DEDICATED USER #================================================= @@ -93,11 +105,10 @@ ynh_system_user_create --username=$app --home_dir="$final_path" if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Upgrading source files..." --weight=5 - # Download, check integrity, uncompress and patch the source from app.src if [ $YNH_ARCH == "armhf" ] || [ $YNH_ARCH == "arm64" ] then - ynh_setup_source --dest_dir="$final_path/build" --keep="$final_path/config.toml" + ynh_setup_source --dest_dir="$final_path/build" --keep="$final_path/config.toml uploads" # Install Nodejs ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version # Install Yarn 
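Review bot: The `le 2.3.0~ynh1` block deletes and recreates the `admin` permission with `--allowed=$admin`, which discards every user or group the YunoHost admin granted since install and leaves only `$admin` (assigned outside this hunk, and empty for new installs); for an admin-only app whose built-in auth is now disabled that is either a lockout or, if `$admin` still holds a value, a silent reset of the allowed list. `ynh_permission_url --permission="admin" --add_url="/api"` (with the matching `--url`/`--add_url` update for `api`) changes the URL set in place and keeps the allowed list. The two `+` blank lines after the closing `fi` are stray whitespace.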
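Review bot: In `ynh_setup_source --dest_dir="$final_path/build" --keep="$final_path/config.toml uploads"` the two `--keep` entries are in different forms — `uploads` is relative to `--dest_dir` while `$final_path/config.toml` is absolute; as far as I recall the helper prefixes each entry with the destination directory, so the absolute entry never matches and only `uploads` is actually preserved. In this branch `--dest_dir` is the `build` directory, where neither item lives, so the case that matters is the `else` branch hunk (`@@ -117,7 +128,7 @@`), which deploys straight into `$final_path`. `--keep="config.toml uploads"` in both hunks makes the intent explicit; since config.toml is regenerated by `ynh_add_config` later in this script anyway, a comment stating which of the two is meant to win would help the next maintainer.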
@@ -117,7 +128,7 @@ then ynh_remove_nodejs ynh_secure_remove --file="$final_path/build" else - ynh_setup_source --dest_dir="$final_path" --source_id=$YNH_ARCH --keep="$final_path/config.toml" + ynh_setup_source --dest_dir="$final_path" --source_id=$YNH_ARCH --keep="$final_path/config.toml uploads" fi fi @@ -144,12 +155,12 @@ ynh_exec_warn_less ynh_install_app_dependencies $pkg_dependencies #================================================= # UPDATE A CONFIG FILE #================================================= -# ynh_script_progression --message="Updating a configuration file..." --time --weight=1 +ynh_script_progression --message="Updating a configuration file..." --time --weight=1 -# ynh_add_config --template="../conf/config.toml" --destination="$final_path/config.toml" +ynh_add_config --template="../conf/config.toml" --destination="$final_path/config.toml" -# chmod 400 "$final_path/config.toml" -# chown $app:$app "$final_path/config.toml" +chmod 400 "$final_path/config.toml" +chown $app:$app "$final_path/config.toml" #================================================= # DATABASE CONFIGURATION