diff --git a/conf/app.src b/conf/app.src
index 5901248..50cce5a 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,6 +1,5 @@
-SOURCE_URL=https://framagit.org/luc/lufi/-/archive/7efebff4bfa3722796a80a783fb332d6e50d41de/lufi-7efebff4bfa3722796a80a783fb332d6e50d41de.tar.gz
-SOURCE_SUM=cf69c08ae7aa2e696b5c275fc7d3bedf74946361e0114f819266c43ce33fac72
+SOURCE_URL=https://framagit.org/fiat-tux/hat-softwares/lufi/-/archive/0.03.5/lufi-0.03.5.tar.gz
+SOURCE_SUM=aeb4bb4e7b4d5a7a12a7b8a49578e98c4ef8b6cb606b266b4531767a6ea6debe
 SOURCE_SUM_PRG=sha256sum
-SOURCE_FORMAT=zip
+SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=
diff --git a/conf/lufi.conf.template b/conf/lufi.conf.template
index 7052d31..4fc1e86 100644
--- a/conf/lufi.conf.template
+++ b/conf/lufi.conf.template
@@ -6,19 +6,31 @@
     # see http://mojolicio.us/perldoc/Mojo/Server/Hypnotoad for a full list of settings
     hypnotoad => {
         # array of IP addresses and ports you want to listen to
+        # you can specify a unix socket too, like 'http+unix://%2Ftmp%2Flufi.sock'
         listen => ['http://127.0.0.1:__PORT__'],
-        # if you use Lufi behind a reverse proxy like Nginx, you want ro set proxy to 1
+        # if you use Lufi behind a reverse proxy like Nginx, you want to set proxy to 1
         # if you use Lufi directly, let it commented
-        proxy => 1,
+        proxy => 1,
+
+        # Please read http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers
+        # to adjust this to your server
+        workers => 30,
+        clients => 1,
     },
 
     # put a way to contact you here and uncomment it
+    # you can put some HTML in it
     # MANDATORY
-    contact => 'webmaster@__DOMAIN__',
+    contact => 'Contact page',
+
+    # put an URL or an email address to receive file reports and uncomment it
+    # it's for make reporting illegal files easy for users
+    # MANDATORY
+    report => 'webmaster@__DOMAIN__',
 
     # array of random strings used to encrypt cookies
     # optional, default is ['fdjsofjoihrei'], PLEASE, CHANGE IT
-    secrets => ['__SECRET__'],
+    secrets => ['__SECRET__'],
 
     # choose a theme. See the available themes in `themes` directory
     # optional, default is 'default'
@@ -43,7 +55,7 @@
     # max file size, in octets
     # you can write it 100*1024*1024
     # optional, no default
-    #max_file_size => 104857600,
+    max_file_size => __MAX_FILE_SIZE__*1024*1024,
 
     # if you want to have piwik statistics, provide a piwik image tracker
     # only the image tracker is allowed, no javascript
@@ -78,7 +90,7 @@
     # example: you want to have Lufi under https://example.org/lufi/
     # => set prefix to '/lufi' or to '/lufi/', it doesn't matter
     # optional, defaut is /
-    prefix => '__PATH__',
+    prefix => '__PATH__',
 
     # array of authorized domains for API calls.
     # if you want to authorize everyone to use the API: ['*']
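Review bot: `contact => 'Contact page'` turns the MANDATORY contact setting into a bare caption with no address or link behind it, so the footer will show the words "Contact page" and nothing a user can act on; since the new comment says HTML is accepted, something like `contact => '<a href="mailto:webmaster@__DOMAIN__">Contact page</a>'` keeps the caption and a real target. Separately, `workers => 30` preforks thirty Perl processes regardless of the host's size, which is likely oversized for a small YunoHost box; a comment such as `# 30 preforked workers: lower this on small hosts` or a templated value would help. The enclosing config hash begins and ends outside this hunk.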
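Review bot: `max_file_size => __MAX_FILE_SIZE__*1024*1024` becomes the invalid expression `*1024*1024` if the placeholder is ever substituted with an empty string, and how Lufi treats a value of 0 is not visible here, so the install script should validate the value as a positive integer before substitution. The same placeholder feeds `client_max_body_size __MAX_FILE_SIZE__M` in nginx.conf; a comment such as `# __MAX_FILE_SIZE__ is in MiB, positive integer, must match client_max_body_size in nginx.conf` would record that coupling next to the setting.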
@@ -102,12 +114,48 @@
     # Optional, default to no-reply@lufi.io
     #mail_sender => 'no-reply@lufi.io',
 
+    # choose what database you want to use
+    # valid choices are sqlite, postgresql and mysql (all lowercase)
+    # optional, default is sqlite
+    dbtype => 'postgresql',
+
+    # SQLite ONLY - only used if dbtype is set to sqlite
     # define a path to the SQLite database
     # you can define it relative to lufi directory or set an absolute path
     # remember that it has to be in a directory writable by Lufi user
     # optional, default is lufi.db
     #db_path => 'lufi.db',
 
+    # PostgreSQL ONLY - only used if dbtype is set to postgresql
+    # these are the credentials to access the PostgreSQL database
+    # mandatory if you choosed postgresql as dbtype
+    pgdb => {
+        database => '__DB_NAME__',
+        host => 'localhost',
+        # optional, default is 5432
+        #port => 5432,
+        user => '__DB_USER__',
+        pwd => '__DB_PWD__',
+        # https://mojolicious.org/perldoc/Mojo/Pg#max_connections
+        # optional, default is 1
+        #max_connections => 1,
+    },
+
+    # MySQL ONLY - only used if dbtype is set to mysql
+    # these are the credentials to access the MySQL database
+    # mandatory if you choosed mysql as dbtype
+    #mysqldb => {
+    #    database => 'lufi',
+    #    host => 'localhost',
+    #    # optional, default is 3306
+    #    #port => 3306,
+    #    user => 'DBUSER',
+    #    pwd => 'DBPASSWORD',
+    #    # https://metacpan.org/pod/Mojo::mysql#max_connections
+    #    # optional, default is 5 (set to 0 to disable persistent connections)
+    #    #max_connections => 5,
+    #},
+
     # define a path to the upload directory, where the uploaded files will be stored
     # you can define it relative to lufi directory or set an absolute path
     # remember that it has to be in a directory writable by Lufi user
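Review bot: `pwd => '__DB_PWD__'` embeds the database password in a single-quoted Perl string, so a generated password containing `'` or `\` will either break the config at load time or end the literal early; the install script (not visible in this diff) should generate the password from a character set that excludes those two characters, or escape them before substitution. The rendered file now carries live credentials, so it also needs to be owned by the app user with mode 0600 rather than left world-readable; a comment on the `pgdb => {` line such as `# this file holds the DB password: keep it readable by the Lufi user only` would make that expectation explicit. The enclosing config hash begins and ends outside this hunk.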
@@ -118,20 +166,79 @@
     # set `ldap` if you want that only authenticated users can upload files
     # please note that everybody can still download files
     # optional, no default
-    #ldap => {
-    #    uri => 'ldaps://ldap.example.org',
-    #    user_tree => 'ou=users,dc=example,dc=org',
-    #    bind_dn => ',ou=users,dc=example,dc=org',
-    #    bind_user => 'uid=ldap_user',
-    #    bind_pwd => 'secr3t',
-    #    user_filter => '!(uid=ldap_user)'
-    #},
+    __IS_PUBLIC__ldap => {
+    __IS_PUBLIC__    uri => 'ldap://localhost:389', # server URI
+    __IS_PUBLIC__    user_tree => 'dc=yunohost,dc=org', # search base DN
+    __IS_PUBLIC__    bind_dn => 'ou=users,dc=yunohost,dc=org', # search bind DN
+    __IS_PUBLIC__    #bind_pwd => 'secr3t', # search bind password
+    __IS_PUBLIC__    user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.)
+    __IS_PUBLIC__    #user_filter => '(!(uid=ldap_user))', # user filter (to exclude some users, etc.)
+    __IS_PUBLIC__    # optional start_tls configuration. See https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod#start_tls
+    __IS_PUBLIC__    # don't set or uncomment if you don't want to configure it
+    __IS_PUBLIC__    #start_tls => {
+    __IS_PUBLIC__    #    verify => 'optional',
+    __IS_PUBLIC__    #    clientcert => '/etc/ssl/certs/ca-bundle.pem'
+    __IS_PUBLIC__    #}
+    __IS_PUBLIC__},
+
+    # set `htpasswd` if you want to use an htpasswd file instead of ldap
+    # see 'man htpasswd' to know how to create such file
+    #htpasswd => 'lufi.passwd',
 
     # if you've set ldap above, the session will last `session_duration` seconds before
     # the user needs to reauthenticate
     # optional, default is 3600
     #session_duration => 3600,
 
+    # allow to add a password on files, asked before allowing to download files
+    # optional, default is 0
+    allow_pwd_on_files => 1,
+
+    # force all files to be in "Burn after reading mode"
+    # optional, default is 0
+    #force_burn_after_reading => 0,
+
+    # if set, the files' URLs will always use this domain
+    # optional, no default
+    #fixed_domain => 'example.org',
+
+    # abuse reasons
+    # set an integer in the abuse field of a file in the database and it will not be downloadable anymore
+    # the reason will be displayed to the downloader, according to the reasons you will configure here.
+    # optional, no default
+    #abuse => {
+    #    0 => 'Copyright infringment',
+    #    1 => 'Illegal content',
+    #},
+
+    # Content-Security-Policy header that will be sent by Lufi
+    # Set to '' to disable CSP header
+    # https://content-security-policy.com/ provides a good documentation about CSP.
+    # https://report-uri.com/home/generate provides a tool to generate a CSP header.
+    # optional, default is "base-uri 'self'; connect-src 'self' ws://YOUR_HOST; default-src 'none'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' blob:; media-src blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    #csp => "",
+
+    # X-Frame-Options header that will be sent by Lufi
+    # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+    # Set to '' to disable X-Frame-Options header
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+    # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+    # optional, default is 'DENY'
+    #x_frame_options => 'DENY',
+
+    # X-Content-Type-Options that will be sent by Lufi
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+    # Set to '' to disable X-Content-Type-Options header
+    # optional, default is 'nosniff'
+    #x_content_type_options => 'nosniff',
+
+    # X-XSS-Protection that will be sent by Lufi
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    # Set to '' to disable X-XSS-Protection header
+    # optional, default is '1; mode=block'
+    #x_xss_protection => '1; mode=block',
+
     #########################
     # Lufi cron jobs settings
     #########################
@@ -144,13 +251,13 @@
     # max size of the files directory, in octets
     # used by script/lufi cron watch to trigger an action
     # optional, no default
-    max_total_size => 1024*1024*1024,
+    #max_total_size => 10*1024*1024*1024,
 
     # default action when files directory is over max_total_size (used with script/lufi cron watch)
     # valid values are 'warn', 'stop-upload' and 'delete'
     # please, see readme
     # optional, default is 'warn'
-    policy_when_full => 'stop-upload',
+    #policy_when_full => 'warn',
 
     # images which are not viewed since delete_no_longer_viewed_files days will be deleted by the cron cleanfiles task
     # if delete_no_longer_viewed_files is not set, the no longer viewed files will NOT be deleted
diff --git a/conf/nginx.conf b/conf/nginx.conf
index d761ca3..5c1fa5b 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
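Review bot: The ldap block appears to bind anonymously (`#bind_pwd` stays commented and no bind user is given) over plaintext `ldap://localhost:389`, which is acceptable only because the directory sits on the loopback interface; a comment on the `uri` line such as `# plaintext + anonymous bind is only safe because slapd is local; use ldaps:// or start_tls for a remote directory` would record that assumption. `bind_dn => 'ou=users,dc=yunohost,dc=org'` is annotated "search bind DN" but looks like a container rather than an account DN, so it is worth confirming against Lufi's LDAP code that this is the intended search base. The `__IS_PUBLIC__` prefix is presumably replaced by `#` for a public install and by nothing otherwise; the template is unreadable without that knowledge, so a one-line comment above `__IS_PUBLIC__ldap => {` stating the substitution would help the next packager. The enclosing config hash begins and ends outside this hunk.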
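Review bot: Commenting out both `max_total_size` and `policy_when_full` removes the only cap on the upload directory, so with the public (no-LDAP) variant of this template anyone can fill the disk until the host runs out of space; the previous `stop-upload` policy was the safer default. Keeping `max_total_size => 10*1024*1024*1024,` and `policy_when_full => 'stop-upload',` active (or templating the size the way `max_file_size` is) preserves the limit, and since it is enforced by `script/lufi cron watch`, the packaging must also install that cron job, which is not visible in this diff. The enclosing config hash ends outside this hunk.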
@@ -3,37 +3,30 @@ location __PATH__ { rewrite ^ https://$server_name$request_uri? permanent; } - # This is important for user's privacy ! - access_log off; + access_log /var/log/nginx/lufi.access.log; error_log /var/log/nginx/lufi.error.log; # This is important ! Make it OK with your Lutim configuration - client_max_body_size 40M; + client_max_body_size __MAX_FILE_SIZE__M; - if ($request_uri ~* ^/(img|css|font|js)/) { - add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT"; - add_header Cache-Control "public, max-age=315360000"; - } - - proxy_pass http://127.0.0.1:__PORT____PATH__; + proxy_pass http://127.0.0.1:__PORT__; # Really important ! Lufi uses WebSocket, it won't work without this proxy_set_header Upgrade $http_upgrade ; proxy_set_header Connection "upgrade" ; - proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Remote-Port $remote_port; + proxy_set_header X-Forwarded-Proto $scheme; # If you want to log the remote port of the file senders, you'll need that proxy_set_header X-Remote-Port $remote_port; - proxy_set_header X-Forwarded-Proto $scheme; - # We expect the downsteam servers to redirect to the right hostname, so don't do any rewrite$ proxy_redirect off; - #--PRIVATE--# Include SSOWAT user panel. - #--PRIVATE--include conf.d/yunohost_panel.conf.inc; + # Include SSOWAT user panel. + include conf.d/yunohost_panel.conf.inc; }
diff --git a/conf/lufi.service b/conf/systemd.service
similarity index 51%
rename from conf/lufi.service
rename to conf/systemd.service
index 67afd49..a8b2a68 100644
--- a/conf/lufi.service
+++ b/conf/systemd.service
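Review bot: Removing `proxy_http_version 1.1;` breaks the WebSocket upgrade that the comment just above it calls "really important": nginx speaks HTTP/1.0 to upstreams by default, and the `Upgrade`/`Connection "upgrade"` headers are only honoured on an HTTP/1.1 upstream connection, so the line should stay. `proxy_set_header X-Remote-Port $remote_port;` now appears twice in the location (once in the new block, once under the "If you want to log the remote port" comment); drop one, as nginx does not merge duplicate `proxy_set_header` directives and the upstream may see the header twice. Replacing `access_log off;` with a per-site access log also reverses the deliberate privacy choice the removed comment documented, so if logging is needed for fail2ban or debugging, consider a log format that omits `$remote_addr`, or at least a comment saying why it was re-enabled. The `location` block's opening line is outside the hunk.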
@@ -5,15 +5,15 @@ Requires=network.target
 After=network.target
 
 [Service]
-Type=forking
+Type=simple
 User=__APP__
 Group=__APP__
 RemainAfterExit=yes
 WorkingDirectory=__FINALPATH__
 PIDFile=__FINALPATH__script/hypnotoad.pid
-ExecStart=/usr/local/bin/carton exec hypnotoad script/lufi >> /var/log/lufi/production.log 2>&1
-ExecStop=/usr/local/bin/carton exec hypnotoad -s script/lufi >> /var/log/lufi/production.log 2>&1
-ExecReload=/usr/local/bin/carton exec hypnotoad script/lufi >> /var/log/lufi/production.log 2>&1
+ExecStart=/usr/local/bin/carton exec hypnotoad script/lufi
+ExecStop=/usr/local/bin/carton exec hypnotoad -s script/lufi
+ExecReload=/usr/local/bin/carton exec hypnotoad script/lufi
 
 [Install]
 WantedBy=multi-user.target
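Review bot: `Type=simple` combined with the existing `RemainAfterExit=yes` stops systemd from supervising the real server: hypnotoad detaches into the background by default, so the ExecStart process exits at once and the unit is reported active without any worker being tracked, and as far as I know `PIDFile=` only drives process tracking for `Type=forking`. Either keep `Type=forking` alongside the `PIDFile=` line, or run hypnotoad in the foreground (`hypnotoad -f script/lufi`) under `Type=simple` and drop `RemainAfterExit=yes` and `PIDFile=`. Dropping the `>> … 2>&1` redirections is correct since systemd never passed them through a shell; stdout/stderr now go to the journal, which the install notes should mention. Given the service already runs as `__APP__`, a few hardening lines such as `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` would be cheap to add here.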