diff --git a/conf/systemd.service b/conf/systemd.service new file mode 100644 index 0000000..92eecf0 --- /dev/null +++ b/conf/systemd.service @@ -0,0 +1,44 @@ +[Unit] +Description=Monitorix + +[Service] +Type=simple +ExecStart=/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /var/run/monitorix.pid -n +Restart=always + +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +# PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @cpu-emulation @swap + +# # Denying access to capabilities that should not be relevant for webapps +# # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + +[Install] +WantedBy=multi-user.target diff --git a/manifest.json b/manifest.json index ec8cc40..33cbf6d 100644 --- a/manifest.json +++ b/manifest.json @@ -21,7 +21,7 @@ "email": "josue@familletille.ch" }, "requirements": { - "yunohost": ">= 4.3.0" + "yunohost": ">= 11.0.11" }, "multi_instance": false, "services": [ diff --git a/scripts/backup b/scripts/backup index 3b9b1e7..5140dd3 100755 --- a/scripts/backup +++ b/scripts/backup @@ -32,6 +32,9 @@ domain=$(ynh_app_setting_get --app $app --key domain) ynh_backup --src_path "/etc/nginx/conf.d/${domain}.d/${app}.conf" ynh_backup --src_path "/etc/nginx/conf.d/monitorix_status.conf" +# systemd config +ynh_backup --src_path "/etc/systemd/system/${app}.service" + # Copy hook ynh_backup --src_path "/etc/yunohost/hooks.d/post_iptable_rules/50-$app" diff --git a/scripts/install b/scripts/install index d42f818..797f730 100755 --- a/scripts/install +++ b/scripts/install @@ -55,6 +55,10 @@ install_dependances ynh_script_progression --message="Installing sources files..." --weight=7 get_install_source +# Configure init script +ynh_script_progression --message="Configuring a systemd service..." --weight=2 +ynh_add_systemd_config + # # Generate MySQL user ynh_script_progression --message="Configuring MySQL database..." dbuser=$app @@ -88,6 +92,6 @@ ynh_script_progression --message="Starting monitorix services..." --weight=3 systemctl stop monitorix.service sleep 1 pkill -f "monitorix-httpd listening on" || true -ynh_systemd_action -l ' - Ok, ready.' -p '/var/log/monitorix' +ynh_systemd_action -l ' - Ok, ready.' -p 'systemd' ynh_script_progression --message="Installation of $app completed" --last diff --git a/scripts/remove b/scripts/remove index 359a25a..ecf7d56 100755 --- a/scripts/remove +++ b/scripts/remove @@ -39,6 +39,10 @@ ynh_print_info --message="Due of the backup core only feature the data directory ynh_secure_remove --file="/etc/nginx/conf.d/monitorix_status.conf" ynh_remove_nginx_config +# Remove init script +ynh_script_progression --message="Removing systemd units..." +ynh_remove_systemd_config + # Autoremove package ynh_script_progression --message="Removing dependencies" --weight=10 ynh_remove_app_dependencies diff --git a/scripts/restore b/scripts/restore index cf77fc9..763ff9e 100755 --- a/scripts/restore +++ b/scripts/restore @@ -49,6 +49,10 @@ ynh_secure_remove --file=/etc/monitorix # we remove the directory because if it ynh_secure_remove --file=/var/lib/monitorix ynh_restore +# Restore systemd files +systemctl daemon-reload +systemctl enable "$app".service --quiet + #================================================= # GENERIC FINALIZATION #================================================= @@ -70,6 +74,6 @@ ynh_script_progression --message="Starting monitorix services..." --weight=3 systemctl stop monitorix.service sleep 1 pkill -f "monitorix-httpd listening on" || true -ynh_systemd_action -l ' - Ok, ready.' -p '/var/log/monitorix' +ynh_systemd_action -l ' - Ok, ready.' -p 'systemd' ynh_script_progression --message="Restoration completed for $app" --last diff --git a/scripts/upgrade b/scripts/upgrade index 4484961..1d5177d 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -55,6 +55,10 @@ ynh_script_progression --message="Upgrading source files..." --weight=6 test -e /etc/monitorix/conf.d/00-debian.conf || touch /etc/monitorix/conf.d/00-debian.conf get_install_source +# Configure init script +ynh_script_progression --message="Configuring a systemd service..." --weight=2 +ynh_add_systemd_config + # Update nginx config config_nginx @@ -83,6 +87,6 @@ ynh_script_progression --message="Starting monitorix services..." --weight=3 systemctl stop monitorix.service sleep 1 pkill -f "monitorix-httpd listening on" || true -ynh_systemd_action -l ' - Ok, ready.' -p '/var/log/monitorix' +ynh_systemd_action -l ' - Ok, ready.' -p 'systemd' ynh_script_progression --message="Upgrade of $app completed" --last