From 4a6fdbdfef2951d1c86ac0448e6c00ce14c333f7 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Tue, 26 Sep 2017 07:19:17 +0200 Subject: [PATCH] Complete refactoring * Refactoring * Fix typos and code spacing * Change user group --- check_process | 24 ++- conf/nginx.conf | 14 +- conf/php-fpm.conf | 389 ++++++++++++++++++++++++++++++++++++++++++---- manifest.json | 10 +- scripts/backup | 64 +++++--- scripts/install | 192 +++++++++++++++-------- scripts/remove | 89 +++++++---- scripts/restore | 152 +++++++++++------- scripts/upgrade | 187 ++++++++++++++++------ 9 files changed, 853 insertions(+), 268 deletions(-) diff --git a/check_process b/check_process index 120cae7..a270ddb 100644 --- a/check_process +++ b/check_process @@ -1,9 +1,8 @@ ;; Test complet - auto_remove=1 ; Manifest domain="domain.tld" (DOMAIN) path="/path" (PATH) - password="myreallystrengthpassword" (PASSWORD) + password="myreallystrengthpassword" is_public=1 (PUBLIC|public=1|private=0) with_mysql=1 ; Checks @@ -16,10 +15,21 @@ upgrade=1 backup_restore=1 multi_instance=1 - wrong_user=0 - wrong_path=1 incorrect_path=1 - corrupt_source=0 - fail_download_source=0 port_already_use=0 - final_path_already_use=0 + change_url=0 +;;; Levels + Level 1=auto + Level 2=auto + Level 3=auto + Level 4=na +# Level 5: https://github.com/YunoHost-Apps/my_webapp_ynh/issues/15 + Level 5=1 + Level 6=auto + Level 7=auto + Level 8=0 + Level 9=0 + Level 10=0 +;;; Options +Email= +Notification=none diff --git a/conf/nginx.conf b/conf/nginx.conf index 32c517c..d24f0d7 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,30 +1,30 @@ -location {LOCATION} { - alias {DESTDIR}/www/; +location __PATH__ { + alias __FINALPATH__/www/; # Default indexes and catch-all index index.html index.php; - try_files $uri $uri/ {PATH}/index.php?$args; + try_files $uri $uri/ __PATH__/index.php?$args; # Prevent useless logs - location = {PATH}/favicon.ico { + location = __PATH__/favicon.ico { log_not_found off; access_log off; } - location = {PATH}/robots.txt { + location = __PATH__/robots.txt { allow all; log_not_found off; access_log off; } # Deny access to hidden files and directories - location ~ ^{PATH}/(.+/|)\.(?!well-known\/) { + location ~ ^__PATH__/(.+/|)\.(?!well-known\/) { deny all; } # Execute and serve PHP files location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass unix:/var/run/php5-fpm-{POOLNAME}.sock; + fastcgi_pass unix:/var/run/php5-fpm-__NAME__.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index f3feeee..0327114 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -1,68 +1,395 @@ -[{POOLNAME}] -; The address on which to accept FastCGI requests. -listen = /var/run/php5-fpm-{POOLNAME}.sock +; Start a new pool named 'www'. +; the variable $pool can we used in any directive and will be replaced by the +; pool name ('www' here) +[__NAMETOCHANGE__] -; Set permissions for unix socket, if one is used. +; Per pool prefix +; It only applies on the following directives: +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +user = __USER__ +group = __USER__ + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses on a +; specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /var/run/php5-fpm-__NAMETOCHANGE__.sock + +; Set listen(2) backlog. A value of '-1' means unlimited. +; Default Value: 128 (-1 on FreeBSD and OpenBSD) +;listen.backlog = 128 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. +; Default Values: user and group are set as the running user +; mode is set to 0660 listen.owner = www-data listen.group = www-data -listen.mode = 0600 +;listen.mode = 0660 + +; List of ipv4 addresses of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 -; Unix user/group of processes. -user = {USER} -group = www-data +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; priority = -19 ; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. pm = dynamic ; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes to be created when pm is set to 'dynamic'. -pm.max_children = 6 +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 10 ; The number of child processes created on startup. -pm.start_servers = 3 +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 2 ; The desired minimum number of idle server processes. -pm.min_spare_servers = 3 +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 1 ; The desired maximum number of idle server processes. -pm.max_spare_servers = 5 +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 3 +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + ; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 pm.max_requests = 500 ; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. -pm.status_path = /fpm-status +; recognized as a status page. It shows the following informations: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. +; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. +; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: ${prefix}/share/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status ; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. -ping.path = /ping +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping -; The timeout for serving a single request after which the worker process will -; be killed. -request_terminate_timeout = 1d +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. +; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{miliseconds}d +; - %{mili}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some exemples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: ouput header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +slowlog = /var/log/nginx/__NAMETOCHANGE__.slow.log + ; The timeout for serving a single request after which a PHP backtrace will be ; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 request_slowlog_timeout = 5s - -; The log file for slow requests. -slowlog = /var/log/nginx/{POOLNAME}.slow.log - + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +request_terminate_timeout = 1d + ; Set open file descriptor rlimit. -rlimit_files = 4096 - +; Default Value: system defined value +;rlimit_files = 1024 + ; Set max core size rlimit. -rlimit_core = 0 +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = ; Chdir to this directory at the start. -chdir = {DESTDIR} +; Note: relative path can be used. +; Default Value: current directory or / when chroot +chdir = __FINALPATH__ -; Redirect worker stdout and stderr into main error log. +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environement, this can cause some delay in the page +; process time (several ms). +; Default Value: no catch_workers_output = yes -; Do not clear environment in FPM workers. -clear_env = no +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; exectute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or /usr) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +;php_admin_value[error_log] = /var/log/fpm-php.www.log +;php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 32M ; Additional php.ini defines, specific to this pool of workers. php_value[upload_max_filesize] = 1G diff --git a/manifest.json b/manifest.json index edc2ce8..1152e2a 100644 --- a/manifest.json +++ b/manifest.json @@ -1,20 +1,22 @@ { - "packaging_format": 1, "id": "my_webapp", "name": "Custom Webapp", + "packaging_format": 1, "description": { "en": "Custom Web app with SFTP access", "fr": "Application Web personnalisée avec accès SFTP" }, - "license": "free", + "version": "1.0", + "url": "https://github.com/YunoHost-Apps/my_webapp_ynh", + "license": "GPLv3", "maintainer": { "name": "YunoHost Contributors", "email": "apps@yunohost.org" }, - "multi_instance": true, "requirements": { - "yunohost": ">= 2.4.0" + "yunohost": ">= 2.7.2" }, + "multi_instance": true, "services": [ "nginx", "php5-fpm" diff --git a/scripts/backup b/scripts/backup index 63f13fb..13b9193 100644 --- a/scripts/backup +++ b/scripts/backup @@ -1,31 +1,55 @@ #!/bin/bash -# Exit on command errors and treat unset variables as an error +#================================================= +# GENERIC START +#================================================= +# MANAGE SCRIPT FAILURE +#================================================= + +# Exit on command errors and treat access to unset variables as an error set -eu -# Get multi-instances specific variables +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source /usr/share/yunohost/helpers + +#================================================= +# LOAD SETTINGS +#================================================= + app=$YNH_APP_INSTANCE_NAME -# Source app helpers -. /usr/share/yunohost/helpers +final_path=$(ynh_app_setting_get $app final_path) +domain=$(ynh_app_setting_get $app domain) +db_name=$(ynh_app_setting_get $app db_name) +with_mysql=$(ynh_app_setting_get $app with_mysql) -# Retrieve app settings -domain=$(ynh_app_setting_get "$app" domain) -path=$(ynh_app_setting_get "$app" path) -with_mysql=$(ynh_app_setting_get "$app" with_mysql) +#================================================= +# STANDARD BACKUP STEPS +#================================================= +# BACKUP THE APP MAIN DIR +#================================================= -# Copy the app files -DESTDIR="/var/www/${app}" -ynh_backup "$DESTDIR" "sources" 1 +ynh_backup "$final_path" -# Copy the conf files -ynh_backup "/etc/nginx/conf.d/${domain}.d/${app}.conf" "conf/nginx.conf" -ynh_backup "/etc/php5/fpm/pool.d/${app}.conf" "conf/php-fpm.conf" +#================================================= +# BACKUP THE NGINX CONFIGURATION +#================================================= -# Dump the database -if [[ $with_mysql -eq 1 ]]; then - dbname=$app - dbuser=$app - dbpass=$(ynh_app_setting_get "$app" mysqlpwd) - mysqldump -u "$dbuser" -p"$dbpass" --no-create-db "$dbname" > ./dump.sql +ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf" + +#================================================= +# BACKUP THE PHP-FPM CONFIGURATION +#================================================= + +ynh_backup "/etc/php5/fpm/pool.d/$app.conf" + +#================================================= +# BACKUP THE MYSQL DATABASE +#================================================= + +if [ $with_mysql -eq 1 ]; then + ynh_mysql_dump_db "$db_name" > db.sql fi diff --git a/scripts/install b/scripts/install index 356058a..9b32084 100644 --- a/scripts/install +++ b/scripts/install @@ -1,48 +1,107 @@ #!/bin/bash -# Exit on command errors and treat unset variables as an error -set -eu +#================================================= +# GENERIC START +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source /usr/share/yunohost/helpers + +#================================================= +# MANAGE SCRIPT FAILURE +#================================================= + +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + +#================================================= +# RETRIEVE ARGUMENTS FROM THE MANIFEST +#================================================= + +domain=$YNH_APP_ARG_DOMAIN +path_url=$YNH_APP_ARG_PATH +password=$YNH_APP_ARG_PASSWORD +is_public=$YNH_APP_ARG_IS_PUBLIC +with_mysql=$YNH_APP_ARG_WITH_MYSQL -# Get multi-instances specific variables app=$YNH_APP_INSTANCE_NAME app_nb=$YNH_APP_INSTANCE_NUMBER -# Retrieve arguments -domain=$1 -path=${2%/} -password=$3 -is_public=$4 -with_mysql=$5 +#================================================= +# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS +#================================================= -# Source app helpers -. /usr/share/yunohost/helpers - -# Check domain/path availability -sudo yunohost app checkurl "${domain}${path}" -a "$app" \ - || exit 1 +final_path=/var/www/$app +test ! -e "$final_path" || ynh_die "This path already contains a folder" # Check password strength [[ ${#password} -gt 5 ]] || ynh_die \ "The password is too weak, it must be longer than 5 characters" -# Check destination directory -DESTDIR="/var/www/${app}" -[[ -d "$DESTDIR" ]] && ynh_die \ -"The destination directory '${DESTDIR}' already exists.\ - You should safely delete it before installing this app." +# Normalize the url path syntax +path_url=$(ynh_normalize_url_path $path_url) -# Save app settings -user="webapp${app_nb}" -ynh_app_setting_set "$app" is_public "$is_public" -ynh_app_setting_set "$app" with_mysql "$with_mysql" -ynh_app_setting_set "$app" password "$password" -ynh_app_setting_set "$app" user "$user" +# Check web path availability +ynh_webpath_available $domain $path_url +# Register (book) web path +ynh_webpath_register $app $domain $path_url -# Create the user account -sudo useradd -c "${app} user account" \ - -d "$DESTDIR" -M -g www-data "$user" \ - || ynh_die "Unable to create user account" -sudo chpasswd <<< "${user}:${password}" +#================================================= +# STORE SETTINGS FROM MANIFEST +#================================================= + +user=webapp${app_nb} +ynh_app_setting_set $app domain $domain +ynh_app_setting_set $app path $path_url +ynh_app_setting_set $app is_public $is_public +ynh_app_setting_set $app with_mysql $with_mysql +ynh_app_setting_set $app password "$password" +ynh_app_setting_set $app user $user +ynh_app_setting_set $app final_path $final_path + +#================================================= +# STANDARD MODIFICATIONS +#================================================= +# CREATE A MYSQL DATABASE +#================================================= + +if [ $with_mysql -eq 1 ]; then + db_name=$(ynh_sanitize_dbid $app) + ynh_app_setting_set $app db_name $db_name + ynh_mysql_setup_db $db_name $db_name +fi + +#================================================= +# NGINX CONFIGURATION +#================================================= + +# Create a dedicated nginx config +ynh_add_nginx_config + +#================================================= +# CREATE DEDICATED USER +#================================================= + +# Create a standard user (not a system user for sftp) +ynh_system_user_exists "$user" || \ + useradd -d "$final_path" -M --user-group "$user" +# Add the password to this user +chpasswd <<< "${user}:${password}" + +#================================================= +# PHP-FPM CONFIGURATION +#================================================= + +# Create a dedicated php-fpm config +ynh_replace_string "__USER__" "$user" "../conf/php-fpm.conf" +ynh_add_fpm_config + +#================================================= +# SPECIFIC SETUP +#================================================= +# CONFIGURE SSH +#================================================= # Harden SSH connection for the user echo "##-> ${app} @@ -53,53 +112,50 @@ Match User ${user} AllowTcpForwarding no PermitTunnel no X11Forwarding no -##<- ${app}" | sudo tee -a /etc/ssh/sshd_config >/dev/null +##<- ${app}" | tee -a /etc/ssh/sshd_config >/dev/null -# Specify the user and the domain in the home page -sed -i "s@{DOMAIN}@${domain}@g" ../sources/www/index.html -sed -i "s@{USER}@${user}@g" ../sources/www/index.html +systemctl reload ssh -# Initialize database as needed -if [[ $with_mysql -eq 1 ]]; then - dbname=$app - dbuser=$app - dbpass=$(ynh_string_random) - ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass" +#================================================= +# FILL AND COPY SOURCE FILES +#================================================= +ynh_replace_string "{DOMAIN}" "$domain" ../sources/www/index.html +ynh_replace_string "{USER}" "$user" ../sources/www/index.html + +if [ $with_mysql -eq 1 ]; then # Store the database access echo -e "# MySQL Database -name: ${dbname}\nuser: ${dbuser}\npass: ${dbpass}" > ../sources/db_access.txt - ynh_app_setting_set "$app" mysqlpwd "$dbpass" + name: ${db_name}\nuser: ${db_name}\npass: ${db_pwd}" > ../sources/db_access.txt fi -# Copy files to the right place and set permissions -sudo cp -r ../sources "$DESTDIR" -sudo chown -hR "${user}:" "$DESTDIR" +# Copy files to the right place +cp -r ../sources "$final_path" -# Home directory of the user need to be owned by root to allow +#================================================= +# GENERIC FINALIZATION +#================================================= +# SECURE FILES AND DIRECTORIES +#================================================= + +# Set permissions to app files +chown -R $user: "$final_path" +# Home directory of the user needs to be owned by root to allow # SFTP connections -sudo chown root: "$DESTDIR" +chown root: "$final_path" -# Set SSOwat rules -[[ $is_public -eq 1 ]] \ - && ynh_app_setting_set "$app" skipped_uris "/" +#================================================= +# SETUP SSOWAT +#================================================= -# Copy and set nginx configuration -nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf" -sed -i "s@{PATH}@${path}@g" ../conf/nginx.conf -sed -i "s@{LOCATION}@${path:-/}@g" ../conf/nginx.conf -sed -i "s@{DESTDIR}@${DESTDIR}@g" ../conf/nginx.conf -sed -i "s@{POOLNAME}@${app}@g" ../conf/nginx.conf -sudo cp ../conf/nginx.conf "$nginx_conf" +# Make app public if necessary +if [ $is_public -eq 1 ] +then + ynh_app_setting_set $app skipped_uris "/" +fi -# Copy and set php-fpm configuration -phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" -sed -i "s@{USER}@${user}@g" ../conf/php-fpm.conf -sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf -sed -i "s@{DESTDIR}@${DESTDIR}@g" ../conf/php-fpm.conf -sudo cp ../conf/php-fpm.conf "$phpfpm_conf" +#================================================= +# RELOAD NGINX +#================================================= -# Reload services -sudo systemctl reload php5-fpm -sudo systemctl reload nginx -sudo systemctl reload ssh +systemctl reload nginx diff --git a/scripts/remove b/scripts/remove index ec54628..83e2ef3 100644 --- a/scripts/remove +++ b/scripts/remove @@ -1,40 +1,71 @@ #!/bin/bash -# Get multi-instances specific variables +#================================================= +# GENERIC START +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source /usr/share/yunohost/helpers + +#================================================= +# LOAD SETTINGS +#================================================= + app=$YNH_APP_INSTANCE_NAME -app_nb=$YNH_APP_INSTANCE_NUMBER -# Source app helpers -. /usr/share/yunohost/helpers +domain=$(ynh_app_setting_get $app domain) +with_mysql=$(ynh_app_setting_get $app with_mysql) +user=$(ynh_app_setting_get $app user) +db_name=$(ynh_app_setting_get $app db_name) +final_path=$(ynh_app_setting_get $app final_path) -# Retrieve app settings -domain=$(ynh_app_setting_get "$app" domain) -with_mysql=$(ynh_app_setting_get "$app" with_mysql) -user=$(ynh_app_setting_get "$app" user) +#================================================= +# STANDARD REMOVE +#================================================= +# REMOVE THE MYSQL DATABASE +#================================================= -# Drop MySQL database and user as needed -if [[ $with_mysql -eq 1 ]]; then - dbname=$app - dbuser=$app - dbpass=$(ynh_app_setting_get "$app" mysqlpwd) - ynh_mysql_drop_db $dbname || true - ynh_mysql_drop_user $dbuser || true +if [ $with_mysql -eq 1 ]; then + # Remove a database if it exists, along with the associated user + ynh_mysql_remove_db $db_name $db_name fi -# Delete app directory and configurations -sudo rm -rf "/var/www/${app}" -sudo rm -f "/etc/php5/fpm/pool.d/${app}.conf" -[[ -n $domain ]] && sudo rm -f "/etc/nginx/conf.d/${domain}.d/${app}.conf" +#================================================= +# REMOVE APP MAIN DIR +#================================================= -# Remove custom SSH configuration -sudo sed -i "/##-> ${app}/,/##<- ${app}/d" /etc/ssh/sshd_config +# Remove the app directory securely +ynh_secure_remove "$final_path" -# Reload services -sudo systemctl restart php5-fpm || true -sudo systemctl reload nginx || true -sudo systemctl reload ssh +#================================================= +# REMOVE NGINX CONFIGURATION +#================================================= -# Remove the user account -id "$user" >/dev/null 2>&1 \ - && sudo deluser --quiet --force "$user" >/dev/null \ - || true +# Remove the dedicated nginx config +ynh_remove_nginx_config + +#================================================= +# REMOVE PHP-FPM CONFIGURATION +#================================================= + +# Remove the dedicated php-fpm config +ynh_remove_fpm_config + +#================================================= +# SPECIFIC REMOVE +#================================================= +# REMOVE THE CUSTOM SSH CONFIG +#================================================= + +sed -i "/##-> ${app}/,/##<- ${app}/d" /etc/ssh/sshd_config +systemctl reload ssh + +#================================================= +# GENERIC FINALIZATION +#================================================= +# REMOVE DEDICATED USER +#================================================= + +# Delete an user +ynh_system_user_delete $user diff --git a/scripts/restore b/scripts/restore index 40b67a5..6c5a219 100644 --- a/scripts/restore +++ b/scripts/restore @@ -1,45 +1,98 @@ #!/bin/bash -set -e +#================================================= +# GENERIC START +#================================================= +# MANAGE SCRIPT FAILURE +#================================================= + +# Exit on command errors and treat access to unset variables as an error +set -eu + +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source /usr/share/yunohost/helpers + +#================================================= +# LOAD SETTINGS +#================================================= -# Get multi-instances specific variables app=$YNH_APP_INSTANCE_NAME -# Source app helpers -. /usr/share/yunohost/helpers +domain=$(ynh_app_setting_get $app domain) +path_url=$(ynh_app_setting_get $app path) +final_path=$(ynh_app_setting_get $app final_path) +db_name=$(ynh_app_setting_get $app db_name) +with_mysql=$(ynh_app_setting_get $app with_mysql) +password=$(ynh_app_setting_get $app password) +user=$(ynh_app_setting_get $app user) -# Retrieve old app settings -domain=$(ynh_app_setting_get "$app" domain) -path=$(ynh_app_setting_get "$app" path) -with_mysql=$(ynh_app_setting_get "$app" with_mysql) -password=$(ynh_app_setting_get "$app" password) -user=$(ynh_app_setting_get "$app" user) +#================================================= +# CHECK IF THE APP CAN BE RESTORED +#================================================= -# Check domain/path availability -sudo yunohost app checkurl "${domain}${path}" -a "$app" \ - || exit 1 +ynh_webpath_available $domain $path_url \ + || ynh_die "Path not available: ${domain}${path_url}" +test ! -d $final_path \ + || ynh_die "There is already a directory: $final_path " -# Check destination directory -DESTDIR="/var/www/$app" -[[ -d $DESTDIR ]] && ynh_die \ -"The destination directory '$DESTDIR' already exists.\ - You should safely delete it before restoring this app." +#================================================= +# STANDARD RESTORATION STEPS +#================================================= +# RESTORE THE NGINX CONFIGURATION +#================================================= -# Check configuration files -nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf" -[[ -f $nginx_conf ]] && ynh_die \ -"The NGINX configuration already exists at '${nginx_conf}'. - You should safely delete it before restoring this app." -phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" -[[ -f $phpfpm_conf ]] && ynh_die \ -"The PHP FPM configuration already exists at '${phpfpm_conf}'. - You should safely delete it before restoring this app." +ynh_restore_file "/etc/nginx/conf.d/$domain.d/$app.conf" -# Create the user account -sudo useradd -c "${app} user account" \ - -d "$DESTDIR" -M -g www-data "$user" \ - || ynh_die "Unable to create user account" -sudo chpasswd <<< "${user}:${password}" +#================================================= +# RESTORE THE APP MAIN DIR +#================================================= + +ynh_restore_file "$final_path" + +#================================================= +# RESTORE THE MYSQL DATABASE +#================================================= + +if [ $with_mysql -eq 1 ]; then + db_pwd=$(ynh_app_setting_get $app mysqlpwd) + ynh_mysql_setup_db $db_name $db_name $db_pwd + ynh_mysql_connect_as $db_name $db_pwd $db_name < ./db.sql +fi + +#================================================= +# RECREATE THE DEDICATED USER +#================================================= + +# Create a standard user (not a system user for sftp) +ynh_system_user_exists "$user" || \ + useradd -d "$final_path" -M --user-group "$user" +# Add the password to this user +chpasswd <<< "${user}:${password}" + +#================================================= +# RESTORE USER RIGHTS +#================================================= + +# Restore permissions on app files +chown -R $user: "$final_path" +# Home directory of the user need to be owned by root to allow +# SFTP connections +chown root: "$final_path" + +#================================================= +# RESTORE THE PHP-FPM CONFIGURATION +#================================================= + +ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf" + +#================================================= +# SPECIFIC RESTORATION +#================================================= +# CONFIGURE SSH +#================================================= # Harden SSH connection for the user echo "##-> ${app} @@ -50,32 +103,15 @@ Match User ${user} AllowTcpForwarding no PermitTunnel no X11Forwarding no -##<- ${app}" | sudo tee -a /etc/ssh/sshd_config >/dev/null +##<- ${app}" | tee -a /etc/ssh/sshd_config >/dev/null -# Restore the app files -sudo cp -a ./sources "$DESTDIR" -sudo chown -hR "${user}:" "$DESTDIR" +systemctl reload ssh -# Home directory of the user need to be owned by root to allow -# SFTP connections -sudo chown root: "$DESTDIR" +#================================================= +# GENERIC FINALIZATION +#================================================= +# RELOAD NGINX AND PHP-FPM +#================================================= -# Create and restore the database as needed -if [[ $with_mysql -eq 1 ]]; then - dbname=$app - dbuser=$app - dbpass=$(ynh_app_setting_get "$app" mysqlpwd) - ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass" - [[ -f ./dump.sql ]] \ - && ynh_mysql_connect_as "$dbuser" "$dbpass" "$dbname" < ./dump.sql \ - || echo "No MySQL dump has been found" >&2 -fi - -# Restore configuration files -sudo cp -a ./conf/nginx.conf "$nginx_conf" -sudo cp -a ./conf/php-fpm.conf "$phpfpm_conf" - -# Reload services -sudo systemctl reload php5-fpm || true -sudo systemctl reload nginx || true -sudo systemctl reload ssh +systemctl reload php5-fpm +systemctl reload nginx diff --git a/scripts/upgrade b/scripts/upgrade index 11afe83..abacad4 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -1,35 +1,137 @@ #!/bin/bash -set -eu +#================================================= +# GENERIC START +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source /usr/share/yunohost/helpers + +#================================================= +# LOAD SETTINGS +#================================================= -# Get multi-instances specific variables app=$YNH_APP_INSTANCE_NAME -# Source app helpers -. /usr/share/yunohost/helpers +domain=$(ynh_app_setting_get $app domain) +path_url=$(ynh_app_setting_get $app path) +is_public=$(ynh_app_setting_get $app is_public) +final_path=$(ynh_app_setting_get $app final_path) +db_name=$(ynh_app_setting_get $app db_name) +with_mysql=$(ynh_app_setting_get $app with_mysql) +password=$(ynh_app_setting_get $app password) +user=$(ynh_app_setting_get $app user) -# Retrieve app settings -domain=$(ynh_app_setting_get "$app" domain) -path=$(ynh_app_setting_get "$app" path) -path=${path%/} -is_public=$(ynh_app_setting_get "$app" is_public) -with_mysql=$(ynh_app_setting_get "$app" with_mysql) -password=$(ynh_app_setting_get "$app" password) -user=$(ynh_app_setting_get "$app" user) +#================================================= +# CHECK IF THE UPGRADE CAN BE AUTOMATED +#================================================= ([[ -n "$with_mysql" ]] && [[ -n "$password" ]] && [[ -n "$user" ]]) \ || ynh_die "The app changed and can not be automatically upgraded. \ -You will have to manually upgrade it following those instructions: \ +You will have to manually upgrade it following these instructions: \ https://github.com/YunoHost-Apps/my_webapp_ynh#upgrade" -# Check destination directory -DESTDIR="/var/www/$app" -[[ ! -d $DESTDIR ]] && ynh_die \ -"The destination directory '$DESTDIR' does not exist.\ - The app is not correctly installed, you should remove it first." +#================================================= +# ENSURE DOWNWARD COMPATIBILITY +#================================================= -# Harden SSH connection for the user +# If db_name doesn't exist, create it +if [ -z $db_name ]; then + db_name=$(ynh_sanitize_dbid $app) + ynh_app_setting_set $app db_name $db_name +fi + +# If final_path doesn't exist, create it +if [ -z $final_path ]; then + final_path=/var/www/$app + ynh_app_setting_set $app final_path $final_path +fi + +#================================================= +# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP +#================================================= + +ynh_backup_before_upgrade # Backup the current version of the app +ynh_clean_setup () { + ynh_restore_upgradebackup # restore it if the upgrade fails +} +ynh_abort_if_errors # Exit if an error occurs during the execution of the script + +#================================================= +# CHECK THE PATH +#================================================= + +# Normalize the URL path syntax +path_url=$(ynh_normalize_url_path $path_url) + +#================================================= +# STANDARD UPGRADE STEPS +#================================================= + +# Check if a config file was modified +is_checksum_different () { + local file=$1 + local checksum_setting_name=checksum_${file//[\/ ]/_} # Replace all '/' and ' ' by '_' + local checksum_value=$(ynh_app_setting_get $app $checksum_setting_name) + if [ -n "$checksum_value" ] + then # Proceed only if a value was stored into the app settings + if ! echo "$checksum_value $file" | sudo md5sum -c --status + then # If the checksum is now different + echo "File $file has been manually modified since the installation or last upgrade. So it will not be replaced." >&2 + echo "1" + else + echo "0" + fi + else + echo "0" + fi +} + +#================================================= +# NGINX CONFIGURATION +#================================================= + +if [ $(is_checksum_different "/etc/nginx/conf.d/$domain.d/$app.conf") -eq 0 ] +then + # Create a dedicated nginx config + ynh_add_nginx_config +fi + +#================================================= +# CREATE DEDICATED USER +#================================================= + +# Create a standard user (not a system user for sftp) +ynh_system_user_exists "$user" || \ + useradd -d "$final_path" -M --user-group "$user" +# Add the password to this user +chpasswd <<< "${user}:${password}" + +# Change the user group for previous my_webapp install script +groupadd -f "$user" +usermod -g "$user" "$user" + +#================================================= +# PHP-FPM CONFIGURATION +#================================================= + +if [ $(is_checksum_different "/etc/php5/fpm/pool.d/$app.conf") -eq 0 ] +then + # Create a dedicated php-fpm config + ynh_replace_string "__USER__" "$user" "../conf/php-fpm.conf" + ynh_add_fpm_config +fi + +#================================================= +# SPECIFIC UPGRADE +#================================================= +# CONFIGURE SSH +#================================================= + +# Remove the previous config for upgrading it sudo sed -i "/##-> ${app}/,/##<- ${app}/d" /etc/ssh/sshd_config +# Harden SSH connection for the user echo "##-> ${app} # Hardening user connection Match User ${user} @@ -38,35 +140,32 @@ Match User ${user} AllowTcpForwarding no PermitTunnel no X11Forwarding no -##<- ${app}" | sudo tee -a /etc/ssh/sshd_config >/dev/null +##<- ${app}" | tee -a /etc/ssh/sshd_config >/dev/null -# Fix permissions -sudo chown -hR "${user}:" "$DESTDIR" +systemctl reload ssh -# Home directory of the user need to be owned by root to allow +#================================================= +# GENERIC FINALIZATION +#================================================= +# SECURE FILES AND DIRECTORIES +#================================================= + +# Home directory of the user needs to be owned by root to allow # SFTP connections -sudo chown root: "$DESTDIR" +chown root: "$final_path" -# Set SSOwat rules -[[ $is_public -eq 1 ]] \ - && ynh_app_setting_set "$app" skipped_uris "/" +#================================================= +# SETUP SSOWAT +#================================================= -# Copy and set nginx configuration -nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf" -sed -i "s@{PATH}@${path}@g" ../conf/nginx.conf -sed -i "s@{LOCATION}@${path:-/}@g" ../conf/nginx.conf -sed -i "s@{DESTDIR}@${DESTDIR}@g" ../conf/nginx.conf -sed -i "s@{POOLNAME}@${app}@g" ../conf/nginx.conf -sudo cp ../conf/nginx.conf "$nginx_conf" +# Make app public if necessary +if [ $is_public -eq 1 ] +then + ynh_app_setting_set $app skipped_uris "/" +fi -# Copy and set php-fpm configuration -phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" -sed -i "s@{USER}@${user}@g" ../conf/php-fpm.conf -sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf -sed -i "s@{DESTDIR}@${DESTDIR}@g" ../conf/php-fpm.conf -sudo cp ../conf/php-fpm.conf "$phpfpm_conf" +#================================================= +# RELOAD NGINX +#================================================= -# Reload services -sudo systemctl reload php5-fpm -sudo systemctl reload nginx -sudo systemctl reload ssh +systemctl reload nginx