1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/mygpo_ynh.git synced 2024-09-03 19:55:52 +02:00
mygpo_ynh/scripts/install
Jules Bertholet eff624b855 Don't run Python as root
We don't want to give code from the internet that hasn't been reviewed more privileges than it needs
2021-03-30 00:29:43 -04:00

248 lines
10 KiB
Bash
Executable file

#!/bin/bash
#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source _common.sh
source /usr/share/yunohost/helpers
#=================================================
# MANAGE SCRIPT FAILURE
#=================================================
ynh_clean_setup () {
true
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST
#=================================================
domain=$YNH_APP_ARG_DOMAIN
path_url="/"
admin=$YNH_APP_ARG_ADMIN
is_public=$YNH_APP_ARG_IS_PUBLIC
admin_email=$(ynh_user_get_info --username=$admin --key="mail")
secret_key=$(ynh_string_random --length=64)
staff_token=$(ynh_string_random --length=64)
app=$YNH_APP_INSTANCE_NAME
#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
ynh_script_progression --message="Validating installation parameters..." --weight=1
final_path=/opt/yunohost/$app
test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
# Register (book) web path
ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
ynh_script_progression --message="Storing installation settings..." --weight=1
ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=admin_email --value=$admin_email
ynh_app_setting_set --app=$app --key=random_key --value=$secret_key
#=================================================
# STANDARD MODIFICATIONS
#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Installing dependencies..." --weight=3
ynh_install_app_dependencies $pkg_dependencies
#=================================================
# CREATE A POSTGRESQL DATABASE
#=================================================
ynh_script_progression --message="Creating a PostgreSQL database..."
db_name=$(ynh_sanitize_dbid --db_name=$app)
db_user=$db_name
db_pwd=$(ynh_string_random --length=30)
ynh_app_setting_set --app=$app --key=db_name --value=$db_name
ynh_app_setting_set --app=$app --key=db_pwd --value=$db_pwd
ynh_psql_test_if_first_run
ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
ynh_psql_execute_as_root --sql="ALTER ROLE $db_user SET statement_timeout = 5000;" --database=$db_name
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
ynh_script_progression --message="Setting up source files..." --weight=1
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path"
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring NGINX web server..." --weight=1
# Create a dedicated NGINX config
ynh_add_nginx_config
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Configuring system user..." --weight=1
# Create a q user
ynh_system_user_create --username=$app
#=================================================
# SPECIFIC SETUP
#=================================================
# CREATE THE DATA DIRECTORY
#=================================================
ynh_script_progression --message="Creating the data directory..."
# Define app's data directory
datadir="/home/yunohost.app/${app}"
mkdir $datadir
ynh_app_setting_set --app=$app --key=datadir --value="$datadir"
# Give permission to the datadir
chown -R $app:$app $datadir
chmod o-rwx $datadir
setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $datadir
ynh_app_setting_set --app=$app --key=datadir --value="$datadir"
#=================================================
# ENVDIR CONFIGURATION
#=================================================
ynh_script_progression --message="Building configuration..." --weight=1
env_path=$final_path/envs/prod
mkdir -p $env_path
echo "$admin <$admin_email>" > $env_path/ADMINS
echo "None" > $env_path/BROKER_POOL_LIMIT
echo "redis://localhost:6379" > $env_path/BROKER_URL
echo "postgres://$db_user:$db_pwd@localhost:5432/$db_name" > $env_path/DATABASE_URL
echo False > $env_path/DEBUG
echo $domain > $env_path/DEFAULT_BASE_URL
echo "$app@$domain" > $env_path/DEFAULT_FROM_EMAIL
echo "django.core.mail.backends.console.EmailBackend" > $env_path/EMAIL_BACKEND
echo "$datadir" > $env_path/MEDIA_ROOT
echo $secret_key > $env_path/SECRET_KEY
echo "$app@$domain" > $env_path/SERVER_EMAIL
echo $staff_token > $env_path/STAFF_TOKEN
#=================================================
# SET UP VIRTUALENV
#=================================================
ynh_script_progression --message="Initializing Python virtualenv..." --weight=20
pushd $final_path || ynh_die
chown -R $app:$app $final_path
sudo -u $app python3 -m venv $final_path/venv
sudo -u $app $final_path/venv/bin/python -m pip install -U wheel pip setuptools
sudo -u $app $final_path/venv/bin/python -m pip install -U --requirement $final_path/requirements.txt
sudo -u $app $final_path/venv/bin/python -m pip install -U --requirement $final_path/requirements-setup.txt
sudo -u $app $final_path/venv/bin/python -m pip install -U --requirement $final_path/requirements-ynh.txt
chown -R root:root $final_path
popd || ynh_die
#=================================================
# INITIALIZE DATABASE
#=================================================
pushd $final_path || ynh_die
chown -R root:$app $final_path
sudo -u $app $final_path/venv/bin/envdir $env_path python3 $final_path/manage.py makemigrations
sudo -u $app $final_path/venv/bin/envdir $env_path python3 $final_path/manage.py migrate
sudo -u $app $final_path/venv/bin/envdir $env_path python3 $final_path/manage.py createsuperuser --username "$admin" --email "$admin_email" --noinput -v 0
chown -R root:root $final_path
popd || ynh_die
#=================================================
# SETUP SYSTEMD
#=================================================
ynh_script_progression --message="Configuring systemd services..." --weight=1
# Create a dedicated systemd config
ynh_add_systemd_config
ynh_add_systemd_config --service="$app-socket" --template systemd.socket
ynh_add_systemd_config --service="$app-celery" --template systemd-celery.service
ynh_add_systemd_config --service="$app-beat" --template systemd-beat.service
systemctl disable "$app-socket.service" --quiet
mv "/etc/systemd/system/$app-socket.service" "/etc/systemd/system/$app.socket"
systemctl daemon-reload --quiet
#=================================================
# GENERIC FINALIZATION
#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================
# Set permissions to app files
chown -R root:$app $final_path
chmod -R o-rwx $final_path
chmod -R g-w $final_path
setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path
setfacl -n -R -m user:www-data:- -m default:user:www-data:- $final_path/envs
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
yunohost service add $app --description="Manage podcast subscriptions, and sync them between apps and devices" --log="/var/log/$app/$app.log"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting systemd services..." --weight=1
# Start systemd services
ynh_systemd_action --service_name=$app-celery --action="start" --log_path="/var/log/$app/$app.log"
ynh_systemd_action --service_name=$app-beat --action="start" --log_path="/var/log/$app/$app.log"
ynh_systemd_action --service_name=$app.socket --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# SETUP SSOWAT
#=================================================
ynh_script_progression --message="Configuring permissions..." --weight=1
# Everyone can access to the api part
# We don't want to display the tile in the sso so we put --show_tile="false"
# And we don't want that the YunoHost Admin can remove visitors group to this permission, so we put --protected="true"
ynh_permission_create --permission="api" --url="/api" -A "/clientconfig.json" "/subscriptions" "/suggestions" --allowed="visitors" --show_tile="false" --protected="true"
ynh_permission_create --permission="api-noauth" --url="/toplist" -A "/api/2/data" "/api/2/tag" "/api/2/tags" "/search.opml" "/search.json" "/search.jsonp" "/search.txt" "/search.xml" "/toplist.opml" --show_tile="false"
ynh_permission_create --permission="api-lists" --url="/api/2/lists" --show_tile="false"
# Make app public if necessary
if [ $is_public -eq 1 ]
then
# Everyone can access the app.
# The "main" permission is automatically created before the install script.
ynh_permission_update --permission="main" --add="visitors"
ynh_permission_update --permission="api-noauth" --add="visitors"
ynh_permission_update --permission="api-lists" --add="visitors"
fi
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server..." --weight=1
ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Installation of $app completed" --last