Fix restore script, linter issues and harden systemd script

This commit is contained in:
Dante 2023-11-17 12:11:13 +01:00
parent 930891b60a
commit 6bdee24c4a
3 changed files with 34 additions and 13 deletions


@ -9,5 +9,39 @@ Group=__APP__
WorkingDirectory=__INSTALL_DIR__/ WorkingDirectory=__INSTALL_DIR__/
ExecStart=__INSTALL_DIR__/bin/python3 -m mautrix_telegram ExecStart=__INSTALL_DIR__/bin/python3 -m mautrix_telegram
# Optional hardening to improve security
ReadWritePaths=__INSTALL_DIR__/ /var/log/__APP__
NoNewPrivileges=yes
MemoryDenyWriteExecute=true
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictRealtime=true
LockPersonality=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectHostname=true
ProtectKernelModules=true
PrivateUsers=true
ProtectClock=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
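Review bot: `ReadWritePaths=__INSTALL_DIR__/` leaves the service free to rewrite its own interpreter and site-packages (ExecStart runs `__INSTALL_DIR__/bin/python3`), so a compromised bridge can persist by modifying its own code, which undercuts what `ProtectSystem=strict` and `MemoryDenyWriteExecute=true` are there for; if the bridge only needs to write its config/registration and logs, narrow the allow-list to those paths and leave the venv read-only. `/var/log/__APP__` is assumed to already exist and be owned by the service account (without a `-` prefix, a missing ReadWritePaths entry makes mount-namespace setup fail), and this same commit drops `mkdir -p /var/log/$app` from the restore script, so unless the backup carries that directory a restored instance will not start — `LogsDirectory=__APP__` would let systemd create and chown it. `MemoryDenyWriteExecute=true` is known to break Python extensions that rely on libffi/ctypes, and the encryption option handled in the upgrade script presumably pulls in native crypto modules, so it is worth confirming the bridge starts with encryption enabled before shipping this. The enclosing `[Service]` section starts above the hunk.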


@ -42,17 +42,6 @@ ynh_script_progression --message="Restoring the PostgreSQL database..." --weight
ynh_psql_execute_file_as_root --file="./db.sql" --database=$db_name ynh_psql_execute_file_as_root --file="./db.sql" --database=$db_name
#=================================================
# INSTALL MAUTRIX-BRIDGE PYTHON MODULE
#=================================================
ynh_script_progression --message="Installing Mautrix-Bridge Python Module..." --weight=6
mkdir -p /var/log/$app
# Configure Mautrix-Bridge
python3 -m venv $install_dir
export HOME=$install_dir
$install_dir/bin/pip3 install --upgrade pip setuptools wheel
#================================================= #=================================================
# REGISTER SYNAPSE APP-SERVICE # REGISTER SYNAPSE APP-SERVICE
#================================================= #=================================================


@ -84,8 +84,6 @@ ynh_backup_if_checksum_is_different --file="$install_dir/config.yaml"
# as_token hs_token are autogenerated, save them before regenerating the config # as_token hs_token are autogenerated, save them before regenerating the config
as_token=$(grep "as_token:" "$install_dir/config.yaml" | sed -r "s/ *as_token: *//") as_token=$(grep "as_token:" "$install_dir/config.yaml" | sed -r "s/ *as_token: *//")
hs_token=$(grep "hs_token:" "$install_dir/config.yaml" | sed -r "s/ *hs_token: *//") hs_token=$(grep "hs_token:" "$install_dir/config.yaml" | sed -r "s/ *hs_token: *//")
# ynh_replace_string --match_string=__AS_TOKEN__ --replace_string="$as_token" --target_file="$install_dir/config.yaml"
# ynh_replace_string --match_string=__HS_TOKEN__ --replace_string="$hs_token" --target_file="$install_dir/config.yaml"
is_encryption_enabled="$encryption" is_encryption_enabled="$encryption"
if [ $encryption -eq 1 ]; then if [ $encryption -eq 1 ]; then