diff --git a/README.md b/README.md index af30d55..7810762 100755 --- a/README.md +++ b/README.md @@ -17,7 +17,8 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in n8n is an extendable workflow automation tool. With a fair-code distribution model, n8n will always have visible source code, be available to self-host, and allow you to add your own custom functions, logic and apps. n8n's node-based approach makes it highly versatile, enabling you to connect anything to everything. -**Shipped version:** 0.182.1~ynh1 +**Shipped version:** 0.191.0~ynh1 + ## Screenshots diff --git a/README_fr.md b/README_fr.md index 49a4bc2..cda102c 100755 --- a/README_fr.md +++ b/README_fr.md @@ -17,7 +17,8 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour n8n is an extendable workflow automation tool. With a fair-code distribution model, n8n will always have visible source code, be available to self-host, and allow you to add your own custom functions, logic and apps. n8n's node-based approach makes it highly versatile, enabling you to connect anything to everything. -**Version incluse :** 0.182.1~ynh1 +**Version incluse :** 0.191.0~ynh1 + ## Captures d'écran diff --git a/check_process b/check_process index f0adfa2..18ca00e 100755 --- a/check_process +++ b/check_process @@ -11,7 +11,7 @@ setup_private=1 setup_public=1 upgrade=1 - #upgrade=1 from_commit= + upgrade=1 from_commit=0d34c8a15f95a3dc3b9e1d233bc03410d182628a backup_restore=1 multi_instance=0 change_url=1 @@ -19,6 +19,6 @@ Email= Notification=none ;;; Upgrade options - ; commit= - name= + ; commit=0d34c8a15f95a3dc3b9e1d233bc03410d182628a + name=#29 manifest_arg=domain=DOMAIN&path=PATH&admin=USER&language=fr&is_public=1&password=pass&port=9001& diff --git a/conf/.env b/conf/.env index f5ba6b9..ae10826 100644 --- a/conf/.env +++ b/conf/.env 
@@ -4,7 +4,7 @@ N8N_USER_FOLDER=__DATADIR__ # Authentication - IMPORTANT ALWAYS CHANGE! N8N_BASIC_AUTH_ACTIVE=true N8N_BASIC_AUTH_USER=__ADMIN__ -N8N_BASIC_AUTH_PASSWORD=__PASSWORD__ +N8N_BASIC_AUTH_PASSWORD="__PASSWORD__" # The path n8n is deployed to. N8N_PATH=__PATH__/ diff --git a/conf/systemd.service b/conf/systemd.service index 3033471..5083d48 100755 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -12,5 +12,35 @@ Environment=NODE_ENV=production ExecStart=__FINALPATH__/node_modules/n8n/bin/n8n Restart=always +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/manifest.json b/manifest.json index d463e6a..a6ccc2e 100755 --- a/manifest.json 
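Review bot: The double quotes added around `__PASSWORD__` on the `N8N_BASIC_AUTH_PASSWORD` line only cover spaces and `#`. A password that itself contains `"`, `\` or `$` can still end the value early or be altered, depending on how this file is parsed, which the hunk does not show. The placeholder is presumably filled from the admin-chosen install password, so either restrict the accepted characters at install time or escape the value before templating. I would also add a comment above the line, `# Holds the basic-auth password in clear text: keep this file readable by the service user only`, and confirm that the script rendering the file sets that mode; the permissions are outside this hunk.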
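Review bot: `CAP_RAWIO` in the first added `CapabilityBoundingSet=` line is not a name listed in capabilities(7), the page the comment above it links to; the raw-I/O capability is `CAP_SYS_RAWIO`. systemd most likely ignores the unknown name with a warning, so that capability would stay in the bounding set, and the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. `ProtectSystem=full` still leaves everything outside `/usr`, `/boot`, `/efi` and `/etc` writable, so `ProtectSystem=strict` with an explicit `ReadWritePaths=` for `__DATADIR__` and `__FINALPATH__` is worth considering if n8n tolerates it. Running `systemd-analyze security` against the installed unit would confirm which directives actually took effect.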
+++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Workflow Automation Tool. Easily automate tasks across different services", "fr": "Outil d'automatisation du flux de travail. Automatisez facilement les tâches sur différents services" }, - "version": "0.182.1~ynh1", + "version": "0.191.0~ynh1", "url": "https://n8n.io/", "upstream": { "license": "Apache-2.0", @@ -19,7 +19,7 @@ "name": "fflorent" }, "requirements": { - "yunohost": ">= 4.3.0" + "yunohost": ">= 11.0.9" }, "multi_instance": false, "services": [ diff --git a/scripts/_common.sh b/scripts/_common.sh index a592354..214709e 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -6,7 +6,7 @@ nodejs_version=16 -n8n_version=0.182.1 +n8n_version=0.191.0 #================================================= # PERSONAL HELPERS diff --git a/scripts/install b/scripts/install index a4056be..83c5601 100755 --- a/scripts/install +++ b/scripts/install @@ -52,7 +52,7 @@ ynh_script_progression --message="Storing installation settings..." --weight=2 ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=admin --value=$admin -ynh_app_setting_set --app=$app --key=password --value=$password +ynh_app_setting_set --app=$app --key=password --value="$password" ynh_app_setting_set --app=$app --key=email --value=$email #================================================= diff --git a/scripts/restore b/scripts/restore index 7d4a9f0..a1ddfc0 100755 --- a/scripts/restore +++ b/scripts/restore 
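Review bot: In the scripts/install hunk only the password value is quoted; the neighbouring `--value=$domain`, `--value=$path_url`, `--value=$admin` and `--value=$email` context lines are still subject to word splitting and globbing. An admin name or e-mail with unusual characters would be stored wrong or break the call, so quote them the same way, e.g. `ynh_app_setting_set --app="$app" --key=admin --value="$admin"`. The same applies to `test ! -d $final_path` in the first scripts/restore hunk, which should read `test ! -d "$final_path" \`. Separately, this line persists the basic-auth password in the app settings in clear text. If later scripts do not read it back, dropping the setting would reduce exposure; if they do, a comment such as `# needed by upgrade/restore to re-render conf/.env` (to be confirmed, as those scripts are outside this hunk) would explain why it is kept.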
@@ -35,16 +35,11 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir) #================================================= ynh_script_progression --message="Validating restoration parameters..." --weight=2 -test ! -d $final_path || ynh_die --message="There is already a directory: $final_path " +test ! -d $final_path \ + || ynh_die --message="There is already a directory: $final_path " #================================================= # STANDARD RESTORATION STEPS -#================================================= -# RESTORE THE NGINX CONFIGURATION -#================================================= - -ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" - #================================================= # RECREATE THE DEDICATED USER #================================================= @@ -85,6 +80,13 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=7 # Install Nodejs ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version +#================================================= +# RESTORE THE NGINX CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the NGINX web server configuration..." --weight=1 + +ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" + #================================================= # RESTORE THE MYSQL DATABASE #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 72cc1c2..114bc0d 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -56,7 +56,7 @@ ynh_abort_if_errors #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=42 -ynh_systemd_action --service_name=$app --action=stop --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action=stop --log_path="systemd" #================================================= # CREATE DEDICATED USER