YunoHost-Apps/mautrix_discord_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/mautrix_discord_ynh.git synced 2024-09-03 19:36:35 +02:00
Code Issues Activity Actions

Clean and UP this package v2 (#2)

Browse source 
* Clean

* Update v0.6.5 + systemd

* Review fflorent

* Fix restore script

* Fix install

* Fix description

* Fix upgrade

* Rollback

* Allow encryption

* Test

* Test

* Fix permissions

* Fix

* Fix permissions + version

* Set encryption false
This commit is contained in:
oufmilo 2024-02-10 09:15:49 +01:00 committed by GitHub
parent cf16f0a9f3
commit 58c8c75eca
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 36 additions and 353 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
conf/systemd.service
View file

@ -8,38 +8,30 @@ User=__APP__
Group=__APP__
WorkingDirectory=__INSTALL_DIR__/
ExecStart=__INSTALL_DIR__/mautrix-discord -c __INSTALL_DIR__/config.yaml
StandardOutput=append:/var/log/__APP__/__APP__.log
StandardError=inherit
Restart=always
RestartSec=3
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
ReadWritePaths=__INSTALL_DIR__ /var/log/__APP__
# Optional hardening to improve security
ReadWritePaths=__INSTALL_DIR__/ /var/log/__APP__
NoNewPrivileges=yes
MemoryDenyWriteExecute=true
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ProtectControlGroups=true
RestrictSUIDSGID=true
DevicePolicy=closed
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictRealtime=true
LockPersonality=true
ProtectKernelLogs=true
LockPersonality=yes
ProtectKernelTunables=true
ProtectHostname=true
ProtectKernelModules=true
PrivateUsers=true
ProtectClock=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
SystemCallFilter=@system-service
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
@ -54,4 +46,4 @@ CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target

302
config_panel.toml.example
View file

@ -1,302 +0,0 @@
## Config panel are available from webadmin > Apps > YOUR_APP > Config Panel Button
## Those panels let user configure some params on their apps using a friendly interface,
## and remove the need to manually edit files from the command line.
## From a packager perspective, this .toml is coupled to the scripts/config script,
## which may be used to define custom getters/setters. However, most use cases
## should be covered automagically by the core, thus it may not be necessary
## to define a scripts/config at all!
## -----------------------------------------------------------------------------
## IMPORTANT: In accordance with YunoHost's spirit, please keep things simple and
## do not overwhelm the admin with tons of misunderstandable or advanced settings.
## -----------------------------------------------------------------------------
## The top level describe the entire config panels screen.
## The version is a required property.
## Here a small reminder to associate config panel version with YunoHost version
## | Config | YNH | Config panel small change log |
## | ------ | --- | ------------------------------------------------------- |
## | 0.1 | 3.x | 0.1 config script not compatible with YNH >= 4.3 |
## | 1.0 | 4.3.x | The new config panel system with 'bind' property |
version = "1.0"
## (optional) i18n property let you internationalize questions, however this feature
## is only available in core configuration panel (like yunohost domain config).
## So in app config panel this key is ignored for now, but you can internationalize
## by using a lang dictionary (see property name bellow)
# i18n = "prefix_translation_key"
################################################################################
#### ABOUT PANELS
################################################################################
## The next level describes web admin panels
## You have to choose an ID for each panel, in this example the ID is "main"
## Keep in mind this ID will be used in CLI to refer to your question, so choose
## something short and meaningfull.
## In the webadmin, each panel corresponds to a distinct tab / form
[main]
## Define the label for your panel
## Internationalization works similarly to the 'description' and 'ask' questions in the manifest
# name.en = "Main configuration"
# name.fr = "Configuration principale"
## (optional) If you need to trigger a service reload-or-restart after the user
## change a question in this panel, you can add your service in the list.
services = ["__APP__"]
# or services = ["nginx", "__APP__"] to also reload-or-restart nginx
## (optional) This help properties is a short help displayed on the same line
## than the panel title but not displayed in the tab.
# help = ""
############################################################################
#### ABOUT SECTIONS
############################################################################
## A panel is composed of one or several sections.
##
## Sections are meant to group questions together when they correspond to
## a same subtopic. This impacts the rendering in terms of CLI prompts
## and HTML forms
##
## You should choose an ID for your section, and prefix it with the panel ID
## (Be sure to not make a typo in the panel ID, which would implicitly create
## an other entire panel)
##
## We use the context of pepettes_ynh as an example,
## which is a simple donation form app written in python,
## and for which the admin will want to edit the configuration
[main.customization]
## (optional) Defining a proper title for sections is not mandatory
## and depends on the exact rendering you're aiming for the CLI / webadmin
name = ""
## (optional) This help properties is a short help displayed on the same line
## than the section title, meant to provide additional details
# help = ""
## (optional) As for panel, you can specify to trigger a service
## reload-or-restart after the user change a question in this section.
## This property is added to the panel property, it doesn't deactivate it.
## So no need to replicate, the service list from panel services property.
# services = []
## (optional) By default all questions are optionals, but you can specify a
## default behaviour for question in the section
optional = false
## (optional) It's also possible with the 'visible' property to only
## display the section depending on the user's answers to previous questions.
##
## Be careful that the 'visible' property should only refer to **previous** questions
## Hence, it should not make sense to have a "visible" property on the very first section.
##
## Also, keep in mind that this feature only works in the webadmin and not in CLI
## (therefore a user could be prompted in CLI for a question that may not be relevant)
# visible = true
########################################################################
#### ABOUT QUESTIONS
########################################################################
## A section is compound of one or several questions.
## ---------------------------------------------------------------------
## IMPORTANT: as for panel and section you have to choose an ID, but this
## one should be unique in all this document, even if the question is in
## an other panel.
## ---------------------------------------------------------------------
## You can use same questions types and properties than in manifest.yml
## install part. However, in YNH 4.3, a lot of change has been made to
## extend availables questions types list.
## See: TODO DOC LINK
[main.customization.project_name]
## (required) The ask property is equivalent to the ask property in
## the manifest. However, in config panels, questions are displayed on the
## left side and therefore have less space to be rendered. Therefore,
## it is better to use a short question, and use the "help" property to
## provide additional details if necessary.
ask.en = "Name of the project"
## (required) The type property indicates how the question should be
## displayed, validated and managed. Some types have specific properties.
##
## Types available: string, boolean, number, range, text, password, path
## email, url, date, time, color, select, domain, user, tags, file.
##
## For a complete list with specific properties, see: TODO DOC LINK
type = "string"
########################################################################
#### ABOUT THE BIND PROPERTY
########################################################################
## (recommended) 'bind' property is a powerful feature that let you
## configure how and where the data will be read, validated and written.
## By default, 'bind property is in "settings" mode, it means it will
## **only** read and write the value in application settings file.
## bind = "settings"
## However, settings usually correspond to key/values in actual app configurations
## Hence, a more useful mode is to have bind = ":FILENAME". In that case, YunoHost
## will automagically find a line with "KEY=VALUE" in FILENAME
## (with the adequate separator between KEY and VALUE)
##
## YunoHost will then use this value for the read/get operation.
## During write/set operations, YunoHost will overwrite the value
## in **both** FILENAME and in the app's settings.yml
## Configuration file format supported: yaml, toml, json, ini, env, php,
## python. The feature probably works with others formats, but should be tested carefully.
## Note that this feature only works with relatively simple cases
## such as `KEY: VALUE`, but won't properly work with
## complex data structures like multilin array/lists or dictionnaries.
## It also doesn't work with XML format, custom config function call, php define(), ...
## More info on TODO
# bind = ":/var/www/__APP__/settings.py"
## By default, bind = ":FILENAME" will use the question ID as KEY
## ... but the question ID may sometime not be the exact KEY name in the configuration file.
##
## In particular, in pepettes, the python variable is 'name' and not 'project_name'
## (c.f. https://github.com/YunoHost-Apps/pepettes_ynh/blob/5cc2d3ffd6529cc7356ff93af92dbb6785c3ab9a/conf/settings.py##L11 )
##
## In that case, the key name can be specified before the column ':'
bind = "name:/var/www/__APP__/settings.py"
## ---------------------------------------------------------------------
## IMPORTANT: other 'bind' mode exists:
##
## bind = "FILENAME" (with no column character before FILENAME)
## may be used to bind to the **entire file content** (instead of a single KEY/VALUE)
## This could be used to expose an entire configuration file, or binary files such as images
## For example:
## bind = "/var/www/__APP__/img/logo.png"
##
## bind = "null" can be used to disable reading / writing in settings.
## This creates sort of a "virtual" or "ephemeral" question which is not related to any actual setting
## In this mode, you are expected to define custom getter/setters/validators in scripts/config:
##
## getter: get__QUESTIONID()
## setter: set__QUESTIONID()
## validator: validate__QUESTIONID()
##
## You can also specify a common getter / setter / validator, with the
## function 'bind' mode, for example here it will try to run
## get__array_settings() first.
# bind = "array_settings()"
## ---------------------------------------------------------------------
## ---------------------------------------------------------------------
## IMPORTANT: with the exception of bind=null questions,
## question IDs should almost **always** correspond to an app setting
## initialized / reused during install/upgrade.
## Not doing so may result in inconsistencies between the config panel mechanism
## and the use of ynh_add_config
## ---------------------------------------------------------------------
########################################################################
#### OTHER GENERIC PROPERTY FOR QUESTIONS
########################################################################
## (optional) An help text for the question
help = "Fill the name of the project which will received donation"
## (optional) An example display as placeholder in web form
# example = "YunoHost"
## (optional) set to true in order to redact the value in operation logs
# redact = false
## (optional) for boolean questions you can specify replacement values
## bound to true and false, in case property is bound to config file
# useful if bound property in config file expects something else than integer 1
yes = "Enable"
# useful if bound property in config file expects something else than integer 0
no = "Disable"
## (optional) A validation pattern
## ---------------------------------------------------------------------
## IMPORTANT: your pattern should be between simple quote, not double.
## ---------------------------------------------------------------------
pattern.regexp = '^\w{3,30}$'
pattern.error = "The name should be at least 3 chars and less than 30 chars. Alphanumeric chars are accepted"
## Note: visible and optional properties are also available for questions
[main.customization.contact_url]
ask = "Contact url"
type = "url"
example = "mailto: contact@example.org"
help = "mailto: accepted"
pattern.regexp = '^mailto:[^@]+@[^@]+|https://$'
pattern.error = "Should be https or mailto:"
bind = ":/var/www/__APP__/settings.py"
[main.customization.logo]
ask = "Logo"
type = "file"
accept = ".png"
help = "Fill with an already resized logo"
bind = "__INSTALL_DIR__/img/logo.png"
[main.customization.favicon]
ask = "Favicon"
type = "file"
accept = ".png"
help = "Fill with an already sized favicon"
bind = "__INSTALL_DIR__/img/favicon.png"
[main.stripe]
name = "Stripe general info"
optional = false
# The next alert is overwrited with a getter from the config script
[main.stripe.amount]
ask = "Donation in the month : XX
type = "alert"
style = "success"
[main.stripe.publishable_key]
ask = "Publishable key"
type = "string"
redact = true
help = "Indicate here the stripe publishable key"
bind = ":/var/www/__APP__/settings.py"
[main.stripe.secret_key]
ask = "Secret key"
type = "string"
redact = true
help = "Indicate here the stripe secret key"
bind = ":/var/www/__APP__/settings.py"
[main.stripe.prices]
ask = "Prices ID"
type = "tags"
help = """\
Indicates here the prices ID of donation products you created in stripe interfaces. \
Go on [Stripe products](https://dashboard.stripe.com/products) to create those donation products. \
Fill it tag with 'FREQUENCY/CURRENCY/PRICE_ID' \
FREQUENCY: 'one_time' or 'recuring' \
CURRENCY: 'EUR' or 'USD' \
PRICE_ID: ID from stripe interfaces starting with 'price_' \
"""
pattern.regexp = '^(one_time|recuring)/(EUR|USD)/price_.*$'
pattern.error = "Please respect the format describe in help text for each price ID"

3
doc/ADMIN.md
View file

@ -1,3 +0,0 @@
This is a dummy admin doc for this app
The app install dir is `__INSTALL_DIR__`

3
doc/ADMIN_fr.md
View file

@ -1,3 +0,0 @@
Ceci est une fausse doc d'admin pour cette app
Le dossier d'install de l'app est `__INSTALL_DIR__`

2
doc/DESCRIPTION.md
View file

@ -1,3 +1,3 @@
A puppeting bridge between Matrix and Discord packaged as a YunoHost service. Messages, media and notifications are bridged between a Discord user and a matrix user. The "Mautrix-Discord" bridge consists in a synapse app service and relies on postgresql (mysql also available). Therefore, Synapse for YunoHost should be installed beforehand.
A puppeting bridge between Matrix and Discord packaged as a YunoHost service. Messages, media and notifications are bridged between a Discord user and a matrix user. The "Mautrix-Discord" bridge consists in a synapse app service and relies on postgresql. Therefore, Synapse for YunoHost should be installed beforehand.
**Attention: always backup and restore the Yunohost matrix_synapse et mautrix_discord apps together!**

4
doc/DESCRIPTION_fr.md
View file

@ -1 +1,3 @@
Ceci est une fausse description des fonctionalités de l'app
Un pont entre Matrix et Discord présenté comme un service YunoHost. Les messages, les médias et les notifications sont transférés entre un utilisateur de Discord et un utilisateur de Matrix. Le pont "Mautrix-Discord" consiste en un service synapse app et repose sur postgresql. Par conséquent, Synapse pour YunoHost doit être installé au préalable.
**Attention : toujours sauvegarder et restaurer les applications matrix_synapse et mautrix_discord de Yunohost ensemble !

25
manifest.toml
View file

@ -7,7 +7,7 @@ name = "Matrix-Discord bridge"
description.en = "Matrix / Synapse puppeting bridge for Discord"
description.fr = "Passerelle Matrix / Synapse pour Discord"
version = "0.6.4~ynh1"
version = "0.6.5~ynh1"
maintainers = ["fflorent"]
@ -63,12 +63,6 @@ ram.runtime = "1024M"
type = "string"
example = "@johndoe:server.name or server.name or *"
# FIXME this help make the installation crash when installing through the CLI.
# help.en = """A remote or local user (@johndoe:server.name),the local server (server.name), a remote server (matrix.org), or all remote/local servers (*) can be authorized.
# Give the Matrix server_name, not the full domain/URL.
# It is also possible to specify multiple values by separating them with comma. Example: @johndoe:server.name,domain.tld,matrix.org"""
# help.fr = """Un compte local ou distant (@johndoe:server.name), le serveur local (server.name), un serveur distant (matrix.org), ou tous les serveurs remote/local (*).
# Donner le nom du serveur Matrix, pas le domaine/URL complet.
# Il est également possible de spécifier plusieurs valeurs en les séparant par une virgule. Exemple : @johndoe:server.name,domain.tld,matrix.org"""
[install.bot_synapse_adm]
ask.en = "Give the Discord bot administrator rights to the Synapse instance?"
@ -79,8 +73,6 @@ ram.runtime = "1024M"
default = true
[resources]
# See the packaging documentation for the full set
# of explanation regarding the behavior and properties for each of those
[resources.sources]
@ -89,12 +81,12 @@ ram.runtime = "1024M"
extract = false
rename = "mautrix-discord"
amd64.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-amd64"
amd64.sha256 = "1510838d4128d401fceb3d92ba7571b980f06d5030bde3fdba73dd1b335a5868"
arm64.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-arm64"
arm64.sha256 = "a9c33bed28763f182382110748f72bd866e90ab1bf62c90abcabe0d634f901aa"
armhf.url = "https://github.com/mautrix/discord/releases/download/v0.6.4/mautrix-discord-arm"
armhf.sha256 = "31ddf6c5ed5fc5b2ca4224e7bd1bfdc856a6da85d7422538a1e8f6f06523e7f7"
amd64.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-amd64"
amd64.sha256 = "c89e2fdd6f5de28ae84d7f8ced27e174e8592364efd69c0ca6e8679e5c151489"
arm64.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-arm64"
arm64.sha256 = "080b520871a51ddbe866ad83c889d47323452e6c25ee1b785e04a690884a77d9"
armhf.url = "https://github.com/mautrix/discord/releases/download/v0.6.5/mautrix-discord-arm"
armhf.sha256 = "e3a9eb3f64dc6d9e568f34f79b0b22cd08584c01779d22788ee6e966f5cde827"
[resources.system_user]
@ -111,10 +103,7 @@ ram.runtime = "1024M"
main.default = 29334
[resources.apt]
# This will automatically install/uninstall the following apt packages
# and implicitly define the $phpversion setting as 8.0 (if phpX.Y-foobar dependencies are listed)
packages = "postgresql"
[resources.database]
# This will automatically provision/deprovison a MySQL DB and store the corresponding credentials in settings $db_user, $db_name, $db_pwd
type = "postgresql"

12
scripts/restore
View file

@ -26,6 +26,9 @@ ynh_restore_file --origin_path="$install_dir"
chown -R $app:www-data "$install_dir"
chmod 750 "$install_dir/$APP_BIN"
chmod 750 "$install_dir"
chmod -R 750 "$install_dir"
chown -R $app:$app "$install_dir"
#=================================================
# RESTORE THE POSTGRESQL DATABASE
@ -54,9 +57,14 @@ ynh_script_progression --message="Restoring system configurations related to $ap
ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
systemctl enable $app.service --quiet
yunohost service add $app --description="Matrix Discord pupetting bridge for YunoHost" --log="/var/log/$app/$app.log"
ynh_restore_file --origin_path="/etc/logrotate.d/$app"
# Use logrotate to manage application logfile(s)
mkdir --parents "/var/log/$app"
chmod -R 600 "/var/log/$app"
chmod 700 "/var/log/$app"
chown -R $app:$app /var/log/$app
yunohost service add $app --description="Matrix Discord pupetting bridge for YunoHost" --log="/var/log/$app/$app.log"
#=================================================
# GENERIC FINALIZATION