diff --git a/README.md b/README.md index 452b4fd..fd0b029 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ It shall NOT be edited by hand. # Monitorix for YunoHost -[![Integration level](https://dash.yunohost.org/integration/monitorix.svg)](https://dash.yunohost.org/appci/app/monitorix) ![Working status](https://ci-apps.yunohost.org/ci/badges/monitorix.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/monitorix.maintain.svg) +[![Integration level](https://dash.yunohost.org/integration/monitorix.svg)](https://dash.yunohost.org/appci/app/monitorix) ![Working status](https://ci-apps.yunohost.org/ci/badges/monitorix.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/monitorix.maintain.svg) [![Install Monitorix with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=monitorix) *[Lire ce readme en français.](./README_fr.md)* diff --git a/README_fr.md b/README_fr.md index e407c0f..7249e64 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -5,15 +5,15 @@ It shall NOT be edited by hand. # Monitorix pour YunoHost -[![Niveau d'intégration](https://dash.yunohost.org/integration/monitorix.svg)](https://dash.yunohost.org/appci/app/monitorix) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/monitorix.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/monitorix.maintain.svg) +[![Niveau d’intégration](https://dash.yunohost.org/integration/monitorix.svg)](https://dash.yunohost.org/appci/app/monitorix) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/monitorix.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/monitorix.maintain.svg) [![Installer Monitorix avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=monitorix) *[Read this readme in english.](./README.md)* -> *Ce package vous permet d'installer Monitorix rapidement et simplement sur un serveur YunoHost. -Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.* +> *Ce package vous permet d’installer Monitorix rapidement et simplement sur un serveur YunoHost. +Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l’installer et en profiter.* -## Vue d'ensemble +## Vue d’ensemble Monitorix is a free, open source, lightweight system monitoring tool designed to monitor as many services and system resources as possible. It has been created to be used under production Linux/UNIX servers, but due to its simplicity and small size can be used on embedded devices as well. 
@@ -22,9 +22,9 @@ Monitorix is a free, open source, lightweight system monitoring tool designed to **Démo :** https://www.fibranet.cat/monitorix/ -## Captures d'écran +## Captures d’écran -![Capture d'écran de Monitorix](./doc/screenshots/mail.png) +![Capture d’écran de Monitorix](./doc/screenshots/mail.png) ## Avertissements / informations importantes @@ -280,9 +280,9 @@ In this config we have : ## Documentations et ressources -* Site officiel de l'app : -* Documentation officielle de l'admin : -* Dépôt de code officiel de l'app : +* Site officiel de l’app : +* Documentation officielle de l’admin : +* Dépôt de code officiel de l’app : * Documentation YunoHost pour cette app : * Signaler un bug : @@ -298,4 +298,4 @@ ou sudo yunohost app upgrade monitorix -u https://github.com/YunoHost-Apps/monitorix_ynh/tree/testing --debug ``` -**Plus d'infos sur le packaging d'applications :** +**Plus d’infos sur le packaging d’applications :** \ No newline at end of file diff --git a/conf/monitorix.conf b/conf/monitorix.conf index 5b4e8d1..ce32f06 100644 --- a/conf/monitorix.conf +++ b/conf/monitorix.conf 
@@ -5,32 +5,32 @@ title = Yunohost Stats hostname = Yunohost Server -theme_color = black -refresh_rate = 150 -iface_mode = graph -enable_zoom = y +theme_color = black +refresh_rate = 150 +iface_mode = graph +enable_zoom = y netstats_in_bps = y -disable_javascript_void = y -temperature_scale = c +disable_javascript_void = y +temperature_scale = c show_gaps = n -global_zoom = 1 -max_historic_years = 5 -accept_selfsigned_certs = y +global_zoom = 1 +max_historic_years = 5 +accept_selfsigned_certs = y image_format = svg -include_dir = /etc/monitorix/conf.d +include_dir = /etc/monitorix/conf.d -base_dir = /var/lib/monitorix/www/ -base_lib = /var/lib/monitorix/ -base_url = __YNH_WWW_PATH__ -base_cgi = __YNH_WWW_PATH__/cgi +base_dir = /var/lib/monitorix/www/ +base_lib = /var/lib/monitorix/ +base_url = __YNH_WWW_PATH__ +base_cgi = __YNH_WWW_PATH__/cgi - - enabled = y + + enabled = y host = localhost port = __SERVICE_PORT__ user = www-data group = nogroup - log_file = /var/log/monitorix-httpd + log_file = /var/log/monitorix-httpd.log hosts_deny = hosts_allow = https_url = y @@ -44,7 +44,7 @@ base_cgi = __YNH_WWW_PATH__/cgi # Log files pathnames # ----------------------------------------------------------------------------- -log_file = /var/log/monitorix +log_file = /var/log/monitorix.log secure_log = /var/log/secure mail_log = /var/log/maillog milter_gl = /var/milter-greylist/greylist.db @@ -88,7 +88,7 @@ secure_log_date_format = %b %e du = n net = y netstat = y - tc = n + tc = n libvirt = n process = y serv = y @@ -385,7 +385,7 @@ secure_log_date_format = %b %e mta = postfix greylist = milter-greylist rigid = 0, 0, 0, 0, 0 - limit = 1, 1000, 1000, 1000, 1000 + limit = 1, 1000, 1000, 1000, 1000 diff --git a/conf/systemd.service b/conf/systemd.service new file mode 100644 index 0000000..97d619c --- /dev/null +++ b/conf/systemd.service 
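Review bot: The two `log_file` renames (`/var/log/monitorix-httpd.log` in the first hunk of conf/monitorix.conf, `/var/log/monitorix.log` in the second) change where the daemon and its built-in HTTP server write, but nothing visible in this diff moves the existing files or updates whatever rotates or reads the old paths. If a logrotate rule or log registration elsewhere in the package still names `/var/log/monitorix` and `/var/log/monitorix-httpd`, the new files would grow unrotated and the log history would be split across the upgrade, so that is worth checking before merge. The other changed lines in these hunks appear to be whitespace-only, and the tags delimiting the block that holds `enabled`/`host`/`port` are not visible on the page.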
@@ -0,0 +1,45 @@
+[Unit]
+Description=Monitorix
+
+[Service]
+Type=simple
+User=__SYSTEMD_USER__
+ExecStart=/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /var/run/monitorix.pid -n
+Restart=always
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+# PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @cpu-emulation @swap
+
+# # Denying access to capabilities that should not be relevant for webapps
+# # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index ec8cc40..33cbf6d 100644
--- a/manifest.json
+++ b/manifest.json
@@ -21,7 +21,7 @@
 "email": "josue@familletille.ch"
 },
 "requirements": {
- "yunohost": ">= 4.3.0"
+ "yunohost": ">= 11.0.11"
 },
 "multi_instance": false,
 "services": [
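Review bot: The first `CapabilityBoundingSet=` line in conf/systemd.service names `CAP_RAWIO`, which is not a capability listed in capabilities(7); the raw-I/O capability is `CAP_SYS_RAWIO`. As written the entry is most likely ignored with a warning, so that capability stays in the bounding set. This matters because the unit runs as root (`User=__SYSTEMD_USER__`, set to `root` in scripts/_common.sh in this same commit). The line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`, and running `systemd-analyze verify` on the rendered unit would catch similar misspellings. The commented-out `# PrivateDevices=yes` would also benefit from a short comment saying which Monitorix graphs need device access, so the next maintainer does not re-enable it blindly or leave it off without reason.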
diff --git a/scripts/_common.sh b/scripts/_common.sh index 9b78876..7c64a2a 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -3,6 +3,7 @@ #================================================= app=$YNH_APP_INSTANCE_NAME +systemd_user=root #================================================= # DEFINE ALL COMMON FONCTIONS @@ -46,7 +47,7 @@ config_monitorix() { done monitorix_conf=/etc/monitorix/monitorix.conf - cp ../conf/monitorix.conf $monitorix_conf + cp ../conf/monitorix.conf $monitorix_conf ynh_replace_string --match_string __SERVICE_PORT__ --replace_string $port --target_file $monitorix_conf ynh_replace_string --match_string __YNH_DOMAIN__ --replace_string $domain --target_file $monitorix_conf ynh_replace_string --match_string __NGINX_STATUS_PORT__ --replace_string $nginx_status_port --target_file $monitorix_conf diff --git a/scripts/backup b/scripts/backup index 3b9b1e7..5140dd3 100755 --- a/scripts/backup +++ b/scripts/backup @@ -32,6 +32,9 @@ domain=$(ynh_app_setting_get --app $app --key domain) ynh_backup --src_path "/etc/nginx/conf.d/${domain}.d/${app}.conf" ynh_backup --src_path "/etc/nginx/conf.d/monitorix_status.conf" +# systemd config +ynh_backup --src_path "/etc/systemd/system/${app}.service" + # Copy hook ynh_backup --src_path "/etc/yunohost/hooks.d/post_iptable_rules/50-$app" diff --git a/scripts/install b/scripts/install index d42f818..797f730 100755 --- a/scripts/install +++ b/scripts/install @@ -55,6 +55,10 @@ install_dependances ynh_script_progression --message="Installing sources files..." --weight=7 get_install_source +# Configure init script +ynh_script_progression --message="Configuring a systemd service..." --weight=2 +ynh_add_systemd_config + # # Generate MySQL user ynh_script_progression --message="Configuring MySQL database..." dbuser=$app 
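Review bot: `systemd_user=root` in the first hunk of scripts/_common.sh makes the new unit run the Monitorix daemon as root, and the file gives no reason for that choice. With root as the service user, the sandboxing directives and capability drops in conf/systemd.service are the only containment, so the assignment deserves a comment such as `# monitorix collects system-wide statistics as root; confinement is done in conf/systemd.service` (wording to be confirmed by the maintainers). Whether a dedicated unprivileged account could serve the graphs enabled in conf/monitorix.conf cannot be judged from this diff, but it would be the preferable default if it works.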
@@ -88,6 +92,6 @@ ynh_script_progression --message="Starting monitorix services..." --weight=3 systemctl stop monitorix.service sleep 1 pkill -f "monitorix-httpd listening on" || true -ynh_systemd_action -l ' - Ok, ready.' -p '/var/log/monitorix' +ynh_systemd_action -l ' - Ok, ready.' -p 'systemd' ynh_script_progression --message="Installation of $app completed" --last diff --git a/scripts/remove b/scripts/remove index 359a25a..ecf7d56 100755 --- a/scripts/remove +++ b/scripts/remove @@ -39,6 +39,10 @@ ynh_print_info --message="Due of the backup core only feature the data directory ynh_secure_remove --file="/etc/nginx/conf.d/monitorix_status.conf" ynh_remove_nginx_config +# Remove init script +ynh_script_progression --message="Removing systemd units..." +ynh_remove_systemd_config + # Autoremove package ynh_script_progression --message="Removing dependencies" --weight=10 ynh_remove_app_dependencies diff --git a/scripts/restore b/scripts/restore index cf77fc9..763ff9e 100755 --- a/scripts/restore +++ b/scripts/restore @@ -49,6 +49,10 @@ ynh_secure_remove --file=/etc/monitorix # we remove the directory because if it ynh_secure_remove --file=/var/lib/monitorix ynh_restore +# Restore systemd files +systemctl daemon-reload +systemctl enable "$app".service --quiet + #================================================= # GENERIC FINALIZATION #================================================= @@ -70,6 +74,6 @@ ynh_script_progression --message="Starting monitorix services..." --weight=3 systemctl stop monitorix.service sleep 1 pkill -f "monitorix-httpd listening on" || true -ynh_systemd_action -l ' - Ok, ready.' -p '/var/log/monitorix' +ynh_systemd_action -l ' - Ok, ready.' -p 'systemd' ynh_script_progression --message="Restoration completed for $app" --last diff --git a/scripts/upgrade b/scripts/upgrade index 4484961..1d5177d 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -55,6 +55,10 @@ ynh_script_progression --message="Upgrading source files..." --weight=6 test -e /etc/monitorix/conf.d/00-debian.conf || touch /etc/monitorix/conf.d/00-debian.conf get_install_source +# Configure init script +ynh_script_progression --message="Configuring a systemd service..." --weight=2 +ynh_add_systemd_config + # Update nginx config config_nginx @@ -83,6 +87,6 @@ ynh_script_progression --message="Starting monitorix services..." --weight=3 systemctl stop monitorix.service sleep 1 pkill -f "monitorix-httpd listening on" || true -ynh_systemd_action -l ' - Ok, ready.' -p '/var/log/monitorix' +ynh_systemd_action -l ' - Ok, ready.' -p 'systemd' ynh_script_progression --message="Upgrade of $app completed" --last