From 96ea2399c50d3e5171bdda207ea775c99b5a465c Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 18 Aug 2022 11:19:08 +0200 Subject: [PATCH 1/6] 0.191.0 --- conf/.env | 2 +- manifest.json | 4 ++-- scripts/_common.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/conf/.env b/conf/.env index f5ba6b9..ae10826 100644 --- a/conf/.env +++ b/conf/.env @@ -4,7 +4,7 @@ N8N_USER_FOLDER=__DATADIR__ # Authentication - IMPORTANT ALWAYS CHANGE! N8N_BASIC_AUTH_ACTIVE=true N8N_BASIC_AUTH_USER=__ADMIN__ -N8N_BASIC_AUTH_PASSWORD=__PASSWORD__ +N8N_BASIC_AUTH_PASSWORD="__PASSWORD__" # The path n8n is deployed to. N8N_PATH=__PATH__/ diff --git a/manifest.json b/manifest.json index d463e6a..a6ccc2e 100755 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Workflow Automation Tool. Easily automate tasks across different services", "fr": "Outil d'automatisation du flux de travail. Automatisez facilement les tâches sur différents services" }, - "version": "0.182.1~ynh1", + "version": "0.191.0~ynh1", "url": "https://n8n.io/", "upstream": { "license": "Apache-2.0", @@ -19,7 +19,7 @@ "name": "fflorent" }, "requirements": { - "yunohost": ">= 4.3.0" + "yunohost": ">= 11.0.9" }, "multi_instance": false, "services": [ diff --git a/scripts/_common.sh b/scripts/_common.sh index a592354..214709e 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -6,7 +6,7 @@ nodejs_version=16 -n8n_version=0.182.1 +n8n_version=0.191.0 #================================================= # PERSONAL HELPERS From 9baccf99ab20e7f374ffbac7bc16d9bac29afae4 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 18 Aug 2022 11:24:30 +0200 Subject: [PATCH 2/6] Fix --- check_process | 6 +++--- scripts/restore | 13 +++++++------ scripts/upgrade | 2 +- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/check_process b/check_process index f0adfa2..18ca00e 100755 --- a/check_process +++ b/check_process 
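Review bot: Quoting the placeholder in `N8N_BASIC_AUTH_PASSWORD="__PASSWORD__"` (conf/.env hunk) presumably copes with spaces and `#`, but a password containing `"`, `\` or `$` can still be mis-parsed or altered by whatever loads the file, assuming the placeholder is substituted verbatim. How the file is rendered and consumed is not visible in this patch. Either escape those characters at substitution time or reject them when the password is collected. Because the rendered file holds the basic-auth secret in plaintext, the script that writes it should also restrict it to the service account, for example `chmod 600` plus `chown $app:$app`, if it does not already do so.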
@@ -11,7 +11,7 @@ setup_private=1 setup_public=1 upgrade=1 - #upgrade=1 from_commit= + upgrade=1 from_commit=0d34c8a15f95a3dc3b9e1d233bc03410d182628a backup_restore=1 multi_instance=0 change_url=1 @@ -19,6 +19,6 @@ Email= Notification=none ;;; Upgrade options - ; commit= - name= + ; commit=0d34c8a15f95a3dc3b9e1d233bc03410d182628a + name=#29 manifest_arg=domain=DOMAIN&path=PATH&admin=USER&language=fr&is_public=1&password=pass&port=9001& diff --git a/scripts/restore b/scripts/restore index f1141f7..8dd10dc 100755 --- a/scripts/restore +++ b/scripts/restore @@ -40,12 +40,6 @@ test ! -d $final_path #================================================= # STANDARD RESTORATION STEPS -#================================================= -# RESTORE THE NGINX CONFIGURATION -#================================================= - -ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" - #================================================= # RECREATE THE DEDICATED USER #================================================= @@ -86,6 +80,13 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=7 # Install Nodejs ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version +#================================================= +# RESTORE THE NGINX CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the NGINX web server configuration..." --weight=1 + +ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" + #================================================= # RESTORE THE MYSQL DATABASE #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 72cc1c2..114bc0d 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -56,7 +56,7 @@ ynh_abort_if_errors #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=42 -ynh_systemd_action --service_name=$app --action=stop --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=$app --action=stop --log_path="systemd" #================================================= # CREATE DEDICATED USER From b317c2b77b5e5dd463aa7162f8cb65541a808003 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Thu, 18 Aug 2022 09:24:35 +0000 Subject: [PATCH 3/6] Auto-update README --- README.md | 3 ++- README_fr.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index af30d55..7810762 100755 --- a/README.md +++ b/README.md @@ -17,7 +17,8 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in n8n is an extendable workflow automation tool. With a fair-code distribution model, n8n will always have visible source code, be available to self-host, and allow you to add your own custom functions, logic and apps. n8n's node-based approach makes it highly versatile, enabling you to connect anything to everything. -**Shipped version:** 0.182.1~ynh1 +**Shipped version:** 0.191.0~ynh1 + ## Screenshots diff --git a/README_fr.md b/README_fr.md index 49a4bc2..cda102c 100755 --- a/README_fr.md +++ b/README_fr.md @@ -17,7 +17,8 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour n8n is an extendable workflow automation tool. With a fair-code distribution model, n8n will always have visible source code, be available to self-host, and allow you to add your own custom functions, logic and apps. n8n's node-based approach makes it highly versatile, enabling you to connect anything to everything. -**Version incluse :** 0.182.1~ynh1 +**Version incluse :** 0.191.0~ynh1 + ## Captures d'écran From 088d5b4250d55445afdabb2f4d70739d13f36758 Mon Sep 17 00:00:00 2001 
From: yunohost-bot Date: Thu, 18 Aug 2022 09:25:09 +0000 Subject: [PATCH 4/6] Auto-update README --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index dcf303f..7810762 100755 --- a/README.md +++ b/README.md @@ -20,7 +20,6 @@ n8n is an extendable workflow automation tool. With a fair-code distribution mod **Shipped version:** 0.191.0~ynh1 - ## Screenshots ![Screenshot of n8n](./doc/screenshots/n8n-screenshot.png) From bd0730381e88fa475502abec4c368b00703ebb62 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 18 Aug 2022 12:11:14 +0200 Subject: [PATCH 5/6] Update restore --- scripts/restore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/restore b/scripts/restore index 8dd10dc..a1ddfc0 100755 --- a/scripts/restore +++ b/scripts/restore @@ -35,7 +35,7 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir) #================================================= ynh_script_progression --message="Validating restoration parameters..." --weight=2 -test ! -d $final_path +test ! -d $final_path \ || ynh_die --message="There is already a directory: $final_path " #================================================= From 9086ab0ab3f0fb1fd7dcc9ba48eb822540b9fe3b Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 18 Aug 2022 12:14:31 +0200 Subject: [PATCH 6/6] Update systemd.service --- conf/systemd.service | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/conf/systemd.service b/conf/systemd.service index 3033471..5083d48 100755 --- a/conf/systemd.service +++ b/conf/systemd.service 
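Review bot: `$final_path` is still expanded unquoted in the guard `test ! -d $final_path \` (scripts/restore, PATCH 5/6), so a path containing whitespace splits into several arguments and an empty value makes `test` evaluate the literal string `-d` instead of a directory. Writing the line as `test ! -d "$final_path" \` keeps the check tied to the one intended path. The restore script continues outside this hunk, so other uses of the variable are not visible here and may need the same quoting.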
@@ -12,5 +12,35 @@ Environment=NODE_ENV=production ExecStart=__FINALPATH__/node_modules/n8n/bin/n8n Restart=always +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target
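Review bot: `CAP_RAWIO` in `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` is not a capability name listed in capabilities(7); the raw-I/O capability is `CAP_SYS_RAWIO`. systemd is expected to warn about the unknown name and skip it, so the line as written drops only `CAP_MKNOD`; it should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. `PrivateDevices=yes` already removes both capabilities according to systemd.exec(5), so the practical exposure is small, but the typo obscures the intent and the hardening then depends on another directive staying in place. After deploying, running `systemd-analyze security` on the unit and exercising a real workflow would confirm that the sandbox neither misses a restriction nor blocks something n8n needs.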