Add systemd unit to manage service

conf/systemd.service

@@ -0,0 +1,44 @@
+[Unit]
+Description=Monitorix
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p  /var/run/monitorix.pid -n
+Restart=always
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+# PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @cpu-emulation @swap
+
+# # Denying access to capabilities that should not be relevant for webapps
+# # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target

manifest.json

@@ -21,7 +21,7 @@
         "email": "josue@familletille.ch"
     },
     "requirements": {
-        "yunohost": ">= 4.3.0"
+        "yunohost": ">= 11.0.11"
     },
     "multi_instance": false,
     "services": [

scripts/backup

@@ -32,6 +32,9 @@ domain=$(ynh_app_setting_get --app $app --key domain)
 ynh_backup --src_path "/etc/nginx/conf.d/${domain}.d/${app}.conf"
 ynh_backup --src_path "/etc/nginx/conf.d/monitorix_status.conf"
 
+# systemd config
+ynh_backup --src_path "/etc/systemd/system/${app}.service"
+
 # Copy hook
 ynh_backup --src_path "/etc/yunohost/hooks.d/post_iptable_rules/50-$app"
 

scripts/install

@@ -55,6 +55,10 @@ install_dependances
 ynh_script_progression --message="Installing sources files..." --weight=7
 get_install_source
 
+# Configure init script
+ynh_script_progression --message="Configuring a systemd service..." --weight=2
+ynh_add_systemd_config
+
 # # Generate MySQL user
 ynh_script_progression --message="Configuring MySQL database..."
 dbuser=$app
@@ -88,6 +92,6 @@ ynh_script_progression --message="Starting monitorix services..." --weight=3
 systemctl stop monitorix.service
 sleep 1
 pkill -f "monitorix-httpd listening on" || true
-ynh_systemd_action -l ' - Ok, ready.' -p '/var/log/monitorix'
+ynh_systemd_action -l ' - Ok, ready.' -p 'systemd'
 
 ynh_script_progression --message="Installation of $app completed" --last

scripts/remove

@@ -39,6 +39,10 @@ ynh_print_info --message="Due of the backup core only feature the data directory
 ynh_secure_remove --file="/etc/nginx/conf.d/monitorix_status.conf"
 ynh_remove_nginx_config
 
+# Remove init script
+ynh_script_progression --message="Removing systemd units..."
+ynh_remove_systemd_config
+
 # Autoremove package
 ynh_script_progression --message="Removing dependencies" --weight=10
 ynh_remove_app_dependencies

scripts/restore

@@ -49,6 +49,10 @@ ynh_secure_remove --file=/etc/monitorix # we remove the directory because if it
 ynh_secure_remove --file=/var/lib/monitorix
 ynh_restore
 
+# Restore systemd files
+systemctl daemon-reload
+systemctl enable "$app".service --quiet
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
@@ -70,6 +74,6 @@ ynh_script_progression --message="Starting monitorix services..." --weight=3
 systemctl stop monitorix.service
 sleep 1
 pkill -f "monitorix-httpd listening on" || true
-ynh_systemd_action -l ' - Ok, ready.' -p '/var/log/monitorix'
+ynh_systemd_action -l ' - Ok, ready.' -p 'systemd'
 
 ynh_script_progression --message="Restoration completed for $app" --last

scripts/upgrade

@@ -55,6 +55,10 @@ ynh_script_progression --message="Upgrading source files..." --weight=6
 test -e /etc/monitorix/conf.d/00-debian.conf || touch /etc/monitorix/conf.d/00-debian.conf
 get_install_source
 
+# Configure init script
+ynh_script_progression --message="Configuring a systemd service..." --weight=2
+ynh_add_systemd_config
+
 # Update nginx config
 config_nginx
 
@@ -83,6 +87,6 @@ ynh_script_progression --message="Starting monitorix services..." --weight=3
 systemctl stop monitorix.service
 sleep 1
 pkill -f "monitorix-httpd listening on" || true
-ynh_systemd_action -l ' - Ok, ready.' -p '/var/log/monitorix'
+ynh_systemd_action -l ' - Ok, ready.' -p 'systemd'
 
 ynh_script_progression --message="Upgrade of $app completed" --last