From 34d122037a4f346da6d3fc5ed05dbc7f1e934786 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?=
Date: Wed, 27 Mar 2024 13:39:37 +0100
Subject: [PATCH 1/6] Harden security of Systemd service
---
 conf/systemd.service | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/conf/systemd.service b/conf/systemd.service
index d47720a..7d6aa2d 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -13,5 +13,39 @@ ExecStart=__YNH_NPM__ start
 TimeoutSec=60
 Restart=always
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
From cf046e47cb712bd8fb86e08506aac5ce918c7375 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?=
Date: Wed, 27 Mar 2024 14:03:19 +0100
Subject: [PATCH 2/6] Use pnpm instead of yarn
---
 manifest.toml | 5 -----
 scripts/_common.sh | 21 +++++++++++++++++----
 scripts/upgrade | 2 +-
 3 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/manifest.toml b/manifest.toml
index c3f6455..ccaedea 100644
--- a/manifest.toml
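Review bot: The new sandbox block leaves `ProtectKernelLogs=`, `RestrictSUIDSGID=` and `ProtectHome=` unset, so it is a little weaker than the capability list at the end of the hunk suggests: the last line `CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG` drops CAP_SYSLOG, and `ProtectKernelLogs=yes` is the setting that covers the kernel log interfaces themselves and is the usual companion to that drop, while `RestrictSUIDSGID=yes` costs nothing for a Node service. `ProtectHome=yes` is safe only if the install and data directories are not under /home; the unit's `User=` and `WorkingDirectory=` lines are outside the hunk, so confirm them before adding it. `ProtectSystem=full` leaves /var writable, which is presumably what the app relies on, so a comment above it saying so, and noting that tightening to `strict` would need a matching `ReadWritePaths=`, would spare the next maintainer a broken upgrade.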
+++ b/manifest.toml
@@ -60,10 +60,5 @@ ram.runtime = "50M" # FIXME: replace with an **estimate** minimum ram requiremen
 "postgresql"
 ]
- [resources.apt.extras.yarn]
- repo = "deb https://dl.yarnpkg.com/debian/ stable main"
- key = "https://dl.yarnpkg.com/debian/pubkey.gpg"
- packages = ["yarn"]
-
 [resources.database]
 type = "postgresql"
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 022eb88..f1246d1 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -4,7 +4,7 @@
 # COMMON VARIABLES
 #=================================================
-NODEJS_VERSION="16.15.0"
+NODEJS_VERSION="20"
 #=================================================
 # PERSONAL HELPERS
@@ -13,9 +13,22 @@ NODEJS_VERSION="16.15.0"
 misskey_build() {
 pushd "$install_dir"
 ynh_use_nodejs
-ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" NODE_ENV=production yarn add ts-node webpack
-ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" NODE_ENV=production yarn build
-ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" NODE_ENV=production yarn run init
+corepack enable
+ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" pnpm install --frozen-lockfile
+ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" NODE_ENV=production pnpm build
+ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" pnpm run init
+ popd
+
+ ynh_secure_remove --file="$install_dir/.cache"
+}
+
+misskey_upgrade() {
+ pushd "$install_dir"
+ ynh_use_nodejs
+ ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" pnpm clean-all
+ ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" pnpm install --frozen-lockfile
+ ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" NODE_ENV=production pnpm build
+ ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" pnpm migrate
 popd
 ynh_secure_remove --file="$install_dir/.cache"
diff --git a/scripts/upgrade b/scripts/upgrade
index 3c28cd8..61fa91a 100644
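Review bot: `corepack enable` in misskey_build runs as root and without `env "$ynh_node_load_PATH"`, unlike every other command in the hunk, so unless `ynh_use_nodejs` itself prepends the selected Node to PATH (not visible here) it acts on whatever node is first in root's PATH and may install shims for a different Node than the one the pnpm lines use; running it as `ynh_exec_warn_less env "$ynh_node_load_PATH" corepack enable` keeps the two in step. Corepack also fetches pnpm from the registry on first use, pinned only by upstream's `packageManager` field, so a comment above `corepack enable` should say which version is expected and whether its integrity hash, if present, is enforced. misskey_upgrade repeats the install and build lines of misskey_build; a small shared helper with the init / clean-all / migrate steps as the only difference would keep the two from drifting apart. misskey_upgrade's closing brace lies outside the hunk.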
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -51,7 +51,7 @@ chown -R "$app:www-data" "$install_dir"
 #=================================================
 ynh_script_progression --message="Building app..."
-misskey_build
+misskey_upgrade
 #=================================================
 # REAPPLY SYSTEM CONFIGURATIONS
From 0be7803bf4b043423a0a312a0009d67ef539274b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?=
Date: Wed, 27 Mar 2024 14:03:36 +0100
Subject: [PATCH 3/6] Upgrade to v13
---
 manifest.toml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/manifest.toml b/manifest.toml
index ccaedea..8f53d2d 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -7,7 +7,7 @@ name = "Misskey"
 description.en = "Microblogging platform"
 description.fr = "Platforme de Microblogging"
-version = "12.119.2~ynh1"
+version = "13.14.2~ynh1"
 maintainers = [""]
@@ -40,9 +40,8 @@ ram.runtime = "50M" # FIXME: replace with an **estimate** minimum ram requiremen
 [resources]
 [resources.sources.main]
- url = "https://github.com/misskey-dev/misskey/archive/refs/tags/12.119.2.tar.gz"
- sha256 = "0620c8d4ee82f3bfa5749197b719cff606628413875589918df58f71cae9df57"
-
+ url = "https://github.com/misskey-dev/misskey/archive/refs/tags/13.14.2.tar.gz"
+ sha256 = "05afd89b8d4fe0163caef691ea1eabf59eb166498ed49867c0ff2f102c44f066"
 autoupdate.strategy = "latest_github_tag"
 [resources.system_user]
From 014ac0d3a2674d594952ab9924a1dd321e213465 Mon Sep 17 00:00:00 2001
From: yunohost-bot
Date: Wed, 27 Mar 2024 13:04:46 +0000
Subject: [PATCH 4/6] Auto-update READMEs
---
 README.md | 2 +-
 README_fr.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a6be1e8..0e0e81b 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ It shall NOT be edited by hand.
 Misskey is a decentralized microblogging platform. Since it exists within the Fediverse (a universe where various social media platforms are organized), it is mutually linked with other social media platforms.
-**Shipped version:** 12.119.2~ynh1
+**Shipped version:** 13.14.2~ynh1
 ## Screenshots
diff --git a/README_fr.md b/README_fr.md
index 234d74e..dde7e3a 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -18,7 +18,7 @@ Il NE doit PAS être modifié à la main.
 Misskey est une plateforme de microblogging décentralisée. Puisqu'il existe au sein du Fediverse (un univers où diverses plateformes de médias sociaux sont organisées), il est mutuellement lié à d'autres plateformes de médias sociaux.
-**Version incluse :** 12.119.2~ynh1
+**Version incluse :** 13.14.2~ynh1
 ## Captures d’écran
From 93842af657e802639a7101402aa56b0cac8d009c Mon Sep 17 00:00:00 2001
From: yunohost-bot
Date: Fri, 10 May 2024 10:02:42 +0000
Subject: [PATCH 5/6] Auto-update READMEs
---
 README_eu.md | 2 +-
 README_gl.md | 2 +-
 README_zh_Hans.md | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README_eu.md b/README_eu.md
index cc7665d..284d228 100644
--- a/README_eu.md
+++ b/README_eu.md
@@ -19,7 +19,7 @@ EZ editatu eskuz.
 Misskey is a decentralized microblogging platform. Since it exists within the Fediverse (a universe where various social media platforms are organized), it is mutually linked with other social media platforms.
-**Paketatutako bertsioa:** 12.119.2~ynh2
+**Paketatutako bertsioa:** 13.14.2~ynh1
 ## Pantaila-argazkiak
diff --git a/README_gl.md b/README_gl.md
index ca60c95..97ae59b 100644
--- a/README_gl.md
+++ b/README_gl.md
@@ -19,7 +19,7 @@ NON debe editarse manualmente.
 Misskey is a decentralized microblogging platform. Since it exists within the Fediverse (a universe where various social media platforms are organized), it is mutually linked with other social media platforms.
-**Versión proporcionada:** 12.119.2~ynh2
+**Versión proporcionada:** 13.14.2~ynh1
 ## Capturas de pantalla
diff --git a/README_zh_Hans.md b/README_zh_Hans.md
index 602febd..93e53ce 100644
--- a/README_zh_Hans.md
+++ b/README_zh_Hans.md
@@ -3,7 +3,7 @@
 请勿手动编辑。
 -->
-# YunoHost 的 Misskey
+# YunoHost 上的 Misskey
 [![集成程度](https://dash.yunohost.org/integration/misskey.svg)](https://dash.yunohost.org/appci/app/misskey) ![工作状态](https://ci-apps.yunohost.org/ci/badges/misskey.status.svg) ![维护状态](https://ci-apps.yunohost.org/ci/badges/misskey.maintain.svg)
@@ -19,7 +19,7 @@
 Misskey is a decentralized microblogging platform. Since it exists within the Fediverse (a universe where various social media platforms are organized), it is mutually linked with other social media platforms.
-**分发版本:** 12.119.2~ynh2
+**分发版本:** 13.14.2~ynh1
 ## 截图
From c3c456af0c544c0288df0df88f4fc2c641231d73 Mon Sep 17 00:00:00 2001
From: yunohost-bot
Date: Sun, 12 May 2024 17:48:26 +0000
Subject: [PATCH 6/6] Auto-update READMEs
---
 README.md | 2 +-
 README_eu.md | 2 +-
 README_fr.md | 2 +-
 README_gl.md | 2 +-
 README_zh_Hans.md | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index a865be6..57865ac 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ It shall NOT be edited by hand.
 Misskey is a decentralized microblogging platform. Since it exists within the Fediverse (a universe where various social media platforms are organized), it is mutually linked with other social media platforms.
-**Shipped version:** 13.14.2~ynh1
+**Shipped version:** 2024.3.1~ynh1
 ## Screenshots
diff --git a/README_eu.md b/README_eu.md
index 284d228..8a00398 100644
--- a/README_eu.md
+++ b/README_eu.md
@@ -19,7 +19,7 @@ EZ editatu eskuz.
 Misskey is a decentralized microblogging platform. Since it exists within the Fediverse (a universe where various social media platforms are organized), it is mutually linked with other social media platforms.
-**Paketatutako bertsioa:** 13.14.2~ynh1
+**Paketatutako bertsioa:** 2024.3.1~ynh1
 ## Pantaila-argazkiak
diff --git a/README_fr.md b/README_fr.md
index dde7e3a..dc06c03 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -18,7 +18,7 @@ Il NE doit PAS être modifié à la main.
 Misskey est une plateforme de microblogging décentralisée. Puisqu'il existe au sein du Fediverse (un univers où diverses plateformes de médias sociaux sont organisées), il est mutuellement lié à d'autres plateformes de médias sociaux.
-**Version incluse :** 13.14.2~ynh1
+**Version incluse :** 2024.3.1~ynh1
 ## Captures d’écran
diff --git a/README_gl.md b/README_gl.md
index 97ae59b..d364377 100644
--- a/README_gl.md
+++ b/README_gl.md
@@ -19,7 +19,7 @@ NON debe editarse manualmente.
 Misskey is a decentralized microblogging platform. Since it exists within the Fediverse (a universe where various social media platforms are organized), it is mutually linked with other social media platforms.
-**Versión proporcionada:** 13.14.2~ynh1
+**Versión proporcionada:** 2024.3.1~ynh1
 ## Capturas de pantalla
diff --git a/README_zh_Hans.md b/README_zh_Hans.md
index 93e53ce..e287f3e 100644
--- a/README_zh_Hans.md
+++ b/README_zh_Hans.md
@@ -19,7 +19,7 @@
 Misskey is a decentralized microblogging platform. Since it exists within the Fediverse (a universe where various social media platforms are organized), it is mutually linked with other social media platforms.
-**分发版本:** 13.14.2~ynh1
+**分发版本:** 2024.3.1~ynh1
 ## 截图