diff --git a/conf/.env b/conf/.env
new file mode 100644
index 0000000..afa1777
--- /dev/null
+++ b/conf/.env
@@ -0,0 +1,14 @@
+# Database configuration
+DB_DRIVER=pgsql
+DB_HOST=127.0.0.1
+DB_PORT=5432
+DB_DATABASE=__DB_NAME__
+DB_USERNAME=__DB_USER__
+DB_PASSWORD=__DB_PWD__
+
+# Daemon configuration
+DAEMON_URL=https://__DOMAIN____PATH__/ # Public URL of your Movim instance
+DAEMON_PORT=__PORT__ # Port on which the daemon will listen
+DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP
+DAEMON_DEBUG=true
+DAEMON_VERBOSE=true
diff --git a/conf/db.example.inc.php b/conf/db.example.inc.php
deleted file mode 100644
index 26e9bfb..0000000
--- a/conf/db.example.inc.php
+++ /dev/null
@@ -1,17 +0,0 @@
- 'pgsql',
- # The database username
- 'username' => '__DB_USER__',
- # The password
- 'password' => '__DB_PWD__',
- # Where can we find the database ?
- 'host' => 'localhost',
- # The port number, 3306 for MySQL and 5432 for PostgreSQL
- 'port' => 5432,
- # The database name
- 'database' => '__DB_NAME__'
-];
diff --git a/conf/systemd.service b/conf/systemd.service
index 7403f00..1e415e4 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Movim: responsive web-based XMPP client
-After=nginx.service network.target local-fs.target postgresql.service
+After=nginx.service network.target local-fs.target
 [Service]
 Type=simple
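Review bot: The template ships `DAEMON_DEBUG=true` and `DAEMON_VERBOSE=true` as the production default, in the same file that carries `DB_PASSWORD`; the unit routes daemon output to syslog, so whatever Movim prints at debug level (request data, possibly credentials) becomes readable by anyone with journal access. Default both to `false` here (`DAEMON_DEBUG=false`, `DAEMON_VERBOSE=false`) and leave enabling them to an explicit operator action. The inline ` # ...` comments after the `DAEMON_URL`/`DAEMON_PORT`/`DAEMON_INTERFACE` values are only safe if Movim's dotenv loader strips trailing comments; if it does not, `DAEMON_URL` will contain the comment text, so this is worth confirming against the loader.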
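Review bot: Dropping `postgresql.service` from `After=` while the daemon now reads its database from `.env` on `127.0.0.1:5432` lets the unit be started at boot before PostgreSQL is listening; `Restart=on-failure` would mask this with a 10 s retry loop, but the first start fails with a connection error and the `--line_match="Movim daemon launched"` wait in the install script may time out. Keep `After=nginx.service network.target local-fs.target postgresql.service` (optionally with `Wants=postgresql.service`) unless the removal is deliberate for a remote-database setup, which the `DB_HOST=127.0.0.1` template does not suggest.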
@@ -8,13 +8,44 @@ User=__APP__
 Group=__APP__
 Environment=PUBLIC_URL=https://__DOMAIN____PATH__/
 Environment=WS_PORT=__PORT__
+EnvironmentFile__INSTALL_DIR__/
 WorkingDirectory=__INSTALL_DIR__/
-ExecStart=/usr/bin/php__PHPVERSION__ daemon.php start --url=${PUBLIC_URL} --port=${WS_PORT}
+ExecStart=/usr/bin/php__PHPVERSION__ daemon.php start
 StandardOutput=syslog
 SyslogIdentifier=__APP__
 PIDFile=/run/movim.pid
 Restart=on-failure
 RestartSec=10
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.toml b/manifest.toml
index 9fe7d0c..c8f755d 100644
--- a/manifest.toml
+++ b/manifest.toml
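Review bot: The added `EnvironmentFile__INSTALL_DIR__/` line, as it appears here, has neither an `=` nor a file name, so systemd would reject the directive and the daemon would start without the `DB_*`/`DAEMON_*` values it now depends on, since `ExecStart` no longer passes `--url`/`--port`; if the committed file really reads `EnvironmentFile=__INSTALL_DIR__/.env` this is a rendering artifact, but it is worth checking. Prefer the plain form over `EnvironmentFile=-…` so that a missing `.env` fails loudly rather than silently starting an unconfigured daemon. The two `Environment=PUBLIC_URL=…`/`Environment=WS_PORT=…` lines are now unused by `ExecStart` and duplicate `DAEMON_URL`/`DAEMON_PORT` from `.env`; remove them to avoid two sources of truth. The hardening block is a sensible baseline; `ProtectHome=yes` is an obvious addition if `__INSTALL_DIR__` is not under `/home`.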
@@ -23,8 +23,11 @@ cpe = "cpe:2.3:a:movim:movim"
 yunohost = ">= 11.2"
 architectures = "all"
 multi_instance = false
+
 ldap = false
-sso = false
+
+sso = true
+
 disk = "50M"
 ram.build = "100M"
 ram.runtime = "50M"
@@ -51,7 +54,6 @@ ram.runtime = "50M"
 [resources.sources.main]
 url = "https://github.com/movim/movim/archive/refs/tags/v0.23.tar.gz"
 sha256 = "f0acd671c8e7e6979c75265ea696101ebd68f47d74cb7e5908eb8071a89026c3"
- autoupdate.strategy = "latest_github_tag"
 [resources.ports]
@@ -69,6 +71,7 @@ ram.runtime = "50M"
 "php8.2-mbstring",
 "php8.2-imagick",
 "php8.2-gd",
+ "php8.2-dom",
 "php8.2-pgsql",
 "php8.2-xml",
 "postgresql",
diff --git a/scripts/_common.sh b/scripts/_common.sh
index ff3a014..0df6e80 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -4,7 +4,7 @@
 # COMMON VARIABLES
 #=================================================
-YNH_COMPOSER_VERSION="2.2.5"
+YNH_COMPOSER_VERSION="2.4.3"
 #=================================================
 # PERSONAL HELPERS
diff --git a/scripts/install b/scripts/install
index 9326fbb..fd127bd 100644
--- a/scripts/install
+++ b/scripts/install
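Review bot: `sso = true` next to `ldap = false` declares that the app consumes the SSOwat-provided identity, yet nothing in this commit wires Movim to the SSO headers, and the `daemon.php config --username/--password` bootstrap is removed in the install script of the same diff; if Movim still authenticates users against an XMPP server on its own, the flag should stay `sso = false`, otherwise the mechanism actually consumed should be documented next to it (e.g. `# sso: trusts the Remote-User header injected by SSOwat`). Also confirm that dropping `autoupdate.strategy = "latest_github_tag"` is intentional, since it silently stops the bot that bumps `url`/`sha256` for new upstream releases.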
@@ -10,35 +10,18 @@ source _common.sh
 source /usr/share/yunohost/helpers
 #=================================================
-# INITIALIZE AND STORE SETTINGS
+# RETRIEVE ARGUMENTS FROM THE MANIFEST
 #=================================================
-fpm_footprint="low"
-fpm_free_footprint=0
-fpm_usage="low"
-ynh_app_setting_set --app="$app" --key=fpm_footprint --value="$fpm_footprint"
-ynh_app_setting_set --app="$app" --key=fpm_free_footprint --value="$fpm_free_footprint"
-ynh_app_setting_set --app="$app" --key=fpm_usage --value="$fpm_usage"
-
-#=================================================
-# CONFIGURING A POSTGRESQL DATABASE
-#=================================================
-ynh_script_progression --message="Configuring a PostgreSQL database..."
-
-ynh_psql_execute_as_root --database="$db_name" --sql="CREATE EXTENSION IF NOT EXISTS unaccent;"
-ynh_psql_execute_as_root --database="$db_name" --sql="CREATE EXTENSION IF NOT EXISTS pg_trgm;"
+timezone=$(cat /etc/timezone)
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
 ynh_script_progression --message="Setting up source files..."
-# Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$install_dir"
-# Temporary workaround to fix movim.ERROR: Error: Call to undefined function GuzzleHttp\Psr7\uri_for()
-ynh_replace_string --match_string="0.3.5" --replace_string="0.4.1" --target_file="$install_dir/composer.json"
-
 chmod -R o-rwx "$install_dir"
 chown -R "$app:www-data" "$install_dir"
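Review bot: The two `CREATE EXTENSION IF NOT EXISTS unaccent/pg_trgm` statements are removed with nothing replacing them; `CREATE EXTENSION` needs a superuser (or a trusted extension), and the YunoHost-provisioned `$db_user` is not one, so if Movim's migrations or search queries still rely on `unaccent`/`pg_trgm`, `movim:migrate` will fail at install or the breakage will surface only at first search. If upstream 0.23 no longer needs them, a one-line comment saying so would stop the next maintainer from re-adding the lines; otherwise keep `ynh_psql_execute_as_root --database="$db_name" --sql="CREATE EXTENSION IF NOT EXISTS unaccent;"` and its `pg_trgm` twin. `timezone=$(cat /etc/timezone)` is read here but not used in this hunk; presumably a template consumes it, and a comment naming which one would help.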
@@ -49,10 +32,10 @@ chown -R "$app:www-data" "$install_dir"
 #=================================================
 ynh_script_progression --message="Adding a configuration file..."
-ynh_add_config --template="db.example.inc.php" --destination="$install_dir/config/db.inc.php"
+ynh_add_config --template=".env" --destination="$install_dir/.env"
-chmod 400 "$install_dir/config/db.inc.php"
-chown "$app:$app" "$install_dir/config/db.inc.php"
+chmod 650 "$install_dir/.env"
+chown "$app:$app" "$install_dir/.env"
 #=================================================
 # BUILD MOVIM
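Review bot: `chmod 650 "$install_dir/.env"` is inconsistent with the `chmod 400` the upgrade script applies to the same file and looser than needed: it grants owner write and group read+execute on a file holding `DB_PASSWORD`. The group is `$app` right after this line, so the exposure is limited, but any later recursive `chown -R "$app:www-data" "$install_dir"` (the restore script does exactly that) would make the secret readable by the web-server group. Use `chmod 400 "$install_dir/.env"` here to match upgrade.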
@@ -60,32 +43,29 @@ chown "$app:$app" "$install_dir/config/db.inc.php"
 ynh_script_progression --message="Building Movim..."
 # Install composer
-ynh_exec_warn_less ynh_install_composer --phpversion="$phpversion" --workdir="$install_dir"
+ynh_install_composer
+
+ynh_exec_warn_less ynh_composer_exec --commands="install"
+ynh_exec_warn_less ynh_composer_exec --commands="movim:migrate"
-ynh_exec_warn_less ynh_composer_exec --phpversion="$phpversion" --workdir="$install_dir" --commands="movim:migrate"
-ynh_exec_as "$app" "php$phpversion" "$install_dir/daemon.php" config --username="$admin" --password="$password" --quiet
 #=================================================
 # SYSTEM CONFIGURATION
 #=================================================
 ynh_script_progression --message="Adding system configurations related to $app..." --weight=1
-# Create a dedicated PHP-FPM config
-ynh_add_fpm_config --usage=$fpm_usage --footprint=$fpm_footprint
+ynh_add_fpm_config
-# Create a dedicated NGINX config
 ynh_add_nginx_config
-# Create a dedicated systemd config
 ynh_add_systemd_config
-yunohost service add "$app" --description="Responsive web-based XMPP client"
+yunohost service add "$app" --description="Responsive web-based XMPP client" --log="/var/log/$app/$app.log"
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
 ynh_script_progression --message="Starting a systemd service..."
-# Start a systemd service
 ynh_systemd_action --service_name="$app" --action="start" --log_path="systemd" --line_match="Movim daemon launched"
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index 24adb09..8781ccd 100644
--- a/scripts/remove
+++ b/scripts/remove
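Review bot: The `daemon.php config --username="$admin" --password="$password"` step is dropped, so the install no longer creates the admin account, and `$admin`/`$password` (if the manifest still asks for them — its install questions are not in this diff) are silently ignored; either remove those questions or keep the bootstrap so an instance does not come up without an administrator. `yunohost service add … --log="/var/log/$app/$app.log"` points at a file nothing in this diff creates, and the unit sends output to syslog, so the admin-panel log view will presumably stay empty; either `mkdir -p "/var/log/$app"` and route the daemon there, or leave `--log` off. Consider `--commands="install --no-dev"` so test-only dependencies are not deployed into the web root. Minor style: `ynh_install_composer` runs bare here but is wrapped in `ynh_exec_warn_less` in upgrade; pick one.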
@@ -19,13 +19,10 @@ if ynh_exec_warn_less yunohost service status "$app" >/dev/null; then
 yunohost service remove "$app"
 fi
-# Remove the dedicated systemd config
 ynh_remove_systemd_config
-# Remove the dedicated NGINX config
 ynh_remove_nginx_config
-# Remove the dedicated PHP-FPM config
 ynh_remove_fpm_config
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index 1a6977b..e35873a 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -10,6 +10,12 @@ source ../settings/scripts/_common.sh
 source /usr/share/yunohost/helpers
+#=================================================
+# LOAD SETTINGS
+#=================================================
+
+timezone=$(cat /etc/timezone)
+
 #=================================================
 # RESTORE THE APP MAIN DIR
 #=================================================
@@ -17,7 +23,6 @@ ynh_script_progression --message="Restoring the app main directory..."
 ynh_restore_file --origin_path="$install_dir"
-chmod 750 "$install_dir"
 chmod -R o-rwx "$install_dir"
 chown -R "$app:www-data" "$install_dir"
@@ -35,14 +40,14 @@ ynh_script_progression --message="Restoring system configurations related to $ap
 ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
-# Recreate a dedicated PHP-FPM config
-ynh_add_fpm_config --usage=$fpm_usage --footprint=$fpm_footprint --phpversion=$phpversion
+ynh_add_fpm_config
 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 systemctl enable "$app.service" --quiet
-yunohost service add "$app" --description="Responsive web-based XMPP client"
+
+yunohost service add "$app" --description="Responsive web-based XMPP client" --log="/var/log/$app/$app.log"
 #=================================================
 # GENERIC FINALIZATION
diff --git a/scripts/upgrade b/scripts/upgrade
index 7c13422..57a00df 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
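Review bot: In the `@@ -17,7` restore hunk, `chown -R "$app:www-data" "$install_dir"` runs over the restored tree and re-groups `$install_dir/.env` from `$app:$app` to `$app:www-data`; combined with the `650` mode the install script sets on that file, the restored copy becomes readable by the `www-data` group, which is the exposure the per-file `chown` in install exists to avoid. Re-apply the file's own ownership and mode after the recursive chown: `chmod 400 "$install_dir/.env"` and `chown "$app:$app" "$install_dir/.env"`. Dropping `chmod 750 "$install_dir"` is harmless given the `chmod -R o-rwx` that follows.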
@@ -9,6 +9,12 @@ source _common.sh
 source /usr/share/yunohost/helpers
+#=================================================
+# LOAD SETTINGS
+#=================================================
+
+timezone=$(cat /etc/timezone)
+
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@@ -18,39 +24,12 @@ ynh_script_progression --message="Stopping a systemd service..."
 ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
-#=================================================
-# ENSURE DOWNWARD COMPATIBILITY
-#=================================================
-ynh_script_progression --message="Ensuring downward compatibility..."
-
-# If fpm_footprint doesn't exist, create it
-if [ -z "${fpm_footprint:-}" ]; then
- fpm_footprint=low
- ynh_app_setting_set --app="$app" --key=fpm_footprint --value="$fpm_footprint"
-fi
-
-# If fpm_free_footprint doesn't exist, create it
-if [ -z "${fpm_free_footprint:-}" ]; then
- fpm_free_footprint=0
- ynh_app_setting_set --app="$app" --key=fpm_free_footprint --value="$fpm_free_footprint"
-fi
-
-# If fpm_usage doesn't exist, create it
-if [ -z "${fpm_usage:-}" ]; then
- fpm_usage=low
- ynh_app_setting_set --app="$app" --key=fpm_usage --value="$fpm_usage"
-fi
-
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
 ynh_script_progression --message="Upgrading source files..."
-# Download, check integrity, uncompress and patch the source from app.src
-ynh_setup_source --dest_dir="$install_dir" --full_replace=1 --keep="config/db.inc.php"
-
-# Temporary workaround to fix movim.ERROR: Error: Call to undefined function GuzzleHttp\Psr7\uri_for()
-ynh_replace_string --match_string="0.3.5" --replace_string="0.4.1" --target_file="$install_dir/composer.json"
+ynh_setup_source --dest_dir="$install_dir" --full_replace=1
 chmod -R o-rwx "$install_dir"
 chown -R "$app:www-data" "$install_dir"
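Review bot: `ynh_setup_source --full_replace=1` without `--keep` now wipes `$install_dir` entirely on every upgrade; `.env` is regenerated a few lines later so that file is fine, but anything Movim writes under `$install_dir` at runtime (caches, uploaded media — if it stores them there rather than in a data directory) would be lost without warning. If such paths exist, list them in `--keep` the way the old line kept `config/db.inc.php`; if the tree is stateless, a one-line comment such as `# install_dir holds no runtime data, safe to replace wholesale` makes the omission clearly deliberate.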
@@ -62,35 +41,33 @@ chown -R "$app:www-data" "$install_dir"
 #=================================================
 ynh_script_progression --message="Updating a configuration file..."
-ynh_add_config --template="db.example.inc.php" --destination="$install_dir/config/db.inc.php"
+ynh_add_config --template=".env" --destination="$install_dir/.env"
-chmod 400 "$install_dir/config/db.inc.php"
-chown "$app:$app" "$install_dir/config/db.inc.php"
+chmod 400 "$install_dir/.env"
+chown "$app:$app" "$install_dir/.env"
 #=================================================
 # BUILD MOVIM
 #=================================================
 ynh_script_progression --message="Building Movim..."
-ynh_exec_warn_less ynh_install_composer --phpversion="$phpversion" --workdir="$install_dir"
-ynh_exec_warn_less ynh_composer_exec --phpversion="$phpversion" --workdir="$install_dir" --commands="config --global discard-changes true --quiet"
-ynh_exec_warn_less ynh_composer_exec --phpversion="$phpversion" --workdir="$install_dir" --commands="update --no-interaction --quiet"
-ynh_exec_warn_less ynh_composer_exec --phpversion="$phpversion" --workdir="$install_dir" --commands="movim:migrate --quiet"
+ynh_exec_warn_less ynh_install_composer
+
+ynh_exec_warn_less ynh_composer_exec --commands="config --global discard-changes true --quiet"
+ynh_exec_warn_less ynh_composer_exec --commands="update --no-interaction --quiet"
+ynh_exec_warn_less ynh_composer_exec --commands="movim:migrate --quiet"
 #=================================================
 # REAPPLY SYSTEM CONFIGURATIONS
 #=================================================
 ynh_script_progression --message="Upgrading system configurations related to $app..." --weight=1
-# Create a dedicated PHP-FPM config
-ynh_add_fpm_config --phpversion="$phpversion" --usage="$fpm_usage" --footprint="$fpm_footprint"
+ynh_add_fpm_config
-# Create a dedicated NGINX config
 ynh_add_nginx_config
-# Create a dedicated systemd config
 ynh_add_systemd_config
-yunohost service add "$app" --description="Responsive web-based XMPP client"
+yunohost service add "$app" --description="Responsive web-based XMPP client" --log="/var/log/$app/$app.log"
 #=================================================
 # START SYSTEMD SERVICE
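Review bot: The upgrade runs `composer update --no-interaction`, which re-resolves dependencies and ignores any `composer.lock` shipped in the upstream tarball, so the PHP dependency set becomes whatever is newest on Packagist at upgrade time rather than what the release pinned by `sha256` in the manifest was tested with — a supply-chain concern and a source of non-reproducible upgrades. The install script uses `composer install`, which honours the lock; use the same here, `ynh_exec_warn_less ynh_composer_exec --commands="install --no-dev --no-interaction --quiet"`, and drop the `config --global discard-changes true --quiet` line whose only purpose is to let `update` clobber local edits. If upstream does not ship a lock file the point stands in a weaker form, and the tarball should be checked for one.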