From 24979b7fe829ccc218f131c19191a825dec6f786 Mon Sep 17 00:00:00 2001 From: Limezy Date: Tue, 21 Sep 2021 02:09:11 +0200 Subject: [PATCH] First install script version --- conf/.env | 156 +++++++++++++++++++++++++++++++++++++++++++ conf/app.src | 2 +- conf/nginx.conf | 40 ++++------- conf/systemd.service | 8 ++- manifest.json | 5 -- scripts/_common.sh | 3 +- scripts/install | 117 ++++++++------------------------ 7 files changed, 204 insertions(+), 127 deletions(-) create mode 100644 conf/.env diff --git a/conf/.env b/conf/.env new file mode 100644 index 0000000..9ee654f --- /dev/null +++ b/conf/.env @@ -0,0 +1,156 @@ +# 👋 Welcome, we're glad you're setting up an installation of Outline. Copy this +# file to .env or set the variables in your local environment manually. For +# development with docker this should mostly work out of the box other than +# setting the Slack keys and the SECRET_KEY. + + + + +# –––––––––––––––– REQUIRED –––––––––––––––– + +# Generate a hex-encoded 32-byte random key. You should use `openssl rand -hex 32` +# in your terminal to generate a random value. +SECRET_KEY=generate_a_new_key + +# Generate a unique random key. The format is not important but you could still use +# `openssl rand -hex 32` in your terminal to produce this. +UTILS_SECRET=generate_a_new_key + +# For production point these at your databases, in development the default +# should work out of the box. +DATABASE_URL=postgres://__DB_USER__:__DB_PWD__@localhost:5432/___APP__ +# Uncomment this to disable SSL for connecting to Postgres +PGSSLMODE=disable +REDIS_URL=redis://localhost:6379 + +# URL should point to the fully qualified, publicly accessible URL. If using a +# proxy the port in URL and PORT may be different. +URL=__DOMAIN__ +PORT=__PORT__ + +# To support uploading of images for avatars and document attachments an +# s3-compatible storage must be provided. AWS S3 is recommended for redundency +# however if you want to keep all file storage local an alternative such as +# minio (https://github.com/minio/minio) can be used. + +# A more detailed guide on setting up S3 is available here: +# => https://wiki.generaloutline.com/share/125de1cc-9ff6-424b-8415-0d58c809a40f +# +AWS_ACCESS_KEY_ID=get_a_key_from_aws +AWS_SECRET_ACCESS_KEY=get_the_secret_of_above_key +AWS_REGION=xx-xxxx +AWS_S3_UPLOAD_BUCKET_URL=http://s3:4569 +AWS_S3_UPLOAD_BUCKET_NAME=bucket_name_here +AWS_S3_UPLOAD_MAX_SIZE=26214400 +AWS_S3_FORCE_PATH_STYLE=true +AWS_S3_ACL=private + + +# –––––––––––––– AUTHENTICATION –––––––––––––– + +# Third party signin credentials, at least ONE OF EITHER Google, Slack, +# or Microsoft is required for a working installation or you'll have no sign-in +# options. + +# To configure Slack auth, you'll need to create an Application at +# => https://api.slack.com/apps +# +# When configuring the Client ID, add a redirect URL under "OAuth & Permissions": +# https:///auth/slack.callback +SLACK_KEY=get_a_key_from_slack +SLACK_SECRET=get_the_secret_of_above_key + +# To configure Google auth, you'll need to create an OAuth Client ID at +# => https://console.cloud.google.com/apis/credentials +# +# When configuring the Client ID, add an Authorized redirect URI: +# https:///auth/google.callback +GOOGLE_CLIENT_ID= +GOOGLE_CLIENT_SECRET= + +# To configure Microsoft/Azure auth, you'll need to create an OAuth Client. See +# the guide for details on setting up your Azure App: +# => https://wiki.generaloutline.com/share/dfa77e56-d4d2-4b51-8ff8-84ea6608faa4 +AZURE_CLIENT_ID= +AZURE_CLIENT_SECRET= +AZURE_RESOURCE_APP_ID= + +# To configure generic OIDC auth, you'll need some kind of identity provider. +# See documentation for whichever IdP you use to acquire the following info: +# Redirect URI is https:///auth/oidc.callback +OIDC_CLIENT_ID= +OIDC_CLIENT_SECRET= +OIDC_AUTH_URI= +OIDC_TOKEN_URI= +OIDC_USERINFO_URI= + +# Display name for OIDC authentication +OIDC_DISPLAY_NAME=OpenID Connect + +# Space separated auth scopes. +OIDC_SCOPES=openid profile email + + +# –––––––––––––––– OPTIONAL –––––––––––––––– + +# If using a Cloudfront/Cloudflare distribution or similar it can be set below. +# This will cause paths to javascript, stylesheets, and images to be updated to +# the hostname defined in CDN_URL. In your CDN configuration the origin server +# should be set to the same as URL. +CDN_URL= + +# Auto-redirect to https in production. The default is true but you may set to +# false if you can be sure that SSL is terminated at an external loadbalancer. +FORCE_HTTPS=true + +# Have the installation check for updates by sending anonymized statistics to +# the maintainers +ENABLE_UPDATES=true + +# How many processes should be spawned. As a reasonable rule divide your servers +# available memory by 512 for a rough estimate +WEB_CONCURRENCY=1 + +# Override the maxium size of document imports, could be required if you have +# especially large Word documents with embedded imagery +MAXIMUM_IMPORT_SIZE=5120000 + +# You may enable or disable debugging categories to increase the noisiness of +# logs. The default is a good balance +DEBUG=cache,presenters,events,emails,mailer,utils,http,server,processors + +# Comma separated list of domains to be allowed to signin to the wiki. If not +# set, all domains are allowed by default when using Google OAuth to signin +ALLOWED_DOMAINS= + +# For a complete Slack integration with search and posting to channels the +# following configs are also needed, some more details +# => https://wiki.generaloutline.com/share/be25efd1-b3ef-4450-b8e5-c4a4fc11e02a +# +SLACK_VERIFICATION_TOKEN=your_token +SLACK_APP_ID=A0XXXXXXX +SLACK_MESSAGE_ACTIONS=true + +# Optionally enable google analytics to track pageviews in the knowledge base +GOOGLE_ANALYTICS_ID= + +# Optionally enable Sentry (sentry.io) to track errors and performance +SENTRY_DSN= + +# To support sending outgoing transactional emails such as "document updated" or +# "you've been invited" you'll need to provide authentication for an SMTP server +SMTP_HOST= +SMTP_PORT= +SMTP_USERNAME= +SMTP_PASSWORD= +SMTP_FROM_EMAIL= +SMTP_REPLY_EMAIL= +SMTP_TLS_CIPHERS= +SMTP_SECURE=true + +# Custom logo that displays on the authentication screen, scaled to height: 60px +# TEAM_LOGO=https://example.com/images/logo.png + +# The default interface language. See translate.getoutline.com for a list of +# available language codes and their rough percentage translated. +DEFAULT_LANGUAGE=en_US \ No newline at end of file diff --git a/conf/app.src b/conf/app.src index 17489bf..b7a9f9a 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,4 +1,4 @@ -SOURCE_URL=url of app's source +SOURCE_URL=https://github.com/outline/outline/archive/refs/tags/v0.59.0.tar.gz SOURCE_SUM=sha256 checksum SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz diff --git a/conf/nginx.conf b/conf/nginx.conf index 37de41d..a806275 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,33 +1,19 @@ -#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; -location __PATH__/ { - - # Path to source - alias __FINALPATH__/ ; +location / { # Force usage of https if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; } -### Example PHP configuration (remove it if not used) - index index.php; - - # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file - #client_max_body_size 50M; - - try_files $uri $uri/ index.php; - location ~ [^/]\.php(/|$) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; - - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param REMOTE_USER $remote_user; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param SCRIPT_FILENAME $request_filename; - } -### End of PHP configuration part - - # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; -} + proxy_pass https://127.0.0.1:__PORT__; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; +} \ No newline at end of file diff --git a/conf/systemd.service b/conf/systemd.service index 31e9da3..abe39d6 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -1,13 +1,17 @@ [Unit] -Description=Small description of the service -After=network.target +Description=Outline server +After=network.target postgresql.service redis-server.service [Service] Type=simple +Environment=NODE_ENV=production + + User=__APP__ Group=__APP__ WorkingDirectory=__FINALPATH__/ ExecStart=__FINALPATH__/script +### TODO : ADD SERVER START StandardOutput=append:/var/log/__APP__/__APP__.log StandardError=inherit diff --git a/manifest.json b/manifest.json index 76ec439..526c142 100644 --- a/manifest.json +++ b/manifest.json @@ -40,11 +40,6 @@ "example": "/example", "default": "/example" }, - { - "name": "admin", - "type": "user", - "example": "johndoe" - }, { "name": "is_public", "type": "boolean", diff --git a/scripts/_common.sh b/scripts/_common.sh index 7e55ac0..380ab94 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -5,8 +5,9 @@ #================================================= # dependencies used by the app -pkg_dependencies="deb1 deb2 php$YNH_DEFAULT_PHP_VERSION-deb1 php$YNH_DEFAULT_PHP_VERSION-deb2" +pkg_dependencies="postgresql postgresql-client redis-server redis-tools" +NODEJS_VERSION=14 #================================================= # PERSONAL HELPERS #================================================= diff --git a/scripts/install b/scripts/install index 231876a..3670f57 100755 --- a/scripts/install +++ b/scripts/install @@ -26,10 +26,8 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH -admin=$YNH_APP_ARG_ADMIN is_public=$YNH_APP_ARG_IS_PUBLIC language=$YNH_APP_ARG_LANGUAGE -password=$YNH_APP_ARG_PASSWORD ### If it's a multi-instance app, meaning it can be installed several times independently ### The id of the app as stated in the manifest is available as $YNH_APP_ID @@ -58,7 +56,7 @@ ynh_script_progression --message="Validating installation parameters..." --time ### If the app uses NGINX as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app". ### If the app provides an internal web server (or uses another application server such as uWSGI), the final path should be "/opt/yunohost/$app" -final_path=/var/www/$app +final_path=/opt/yunohost/$app test ! -e "$final_path" || ynh_die --message="This path already contains a folder" # Register (book) web path @@ -71,7 +69,6 @@ ynh_script_progression --message="Storing installation settings..." --time --wei ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url -ynh_app_setting_set --app=$app --key=admin --value=$admin ynh_app_setting_set --app=$app --key=language --value=$language #================================================= @@ -87,7 +84,7 @@ ynh_script_progression --message="Finding an available port..." --time --weight= ### - Remove the section "CLOSE A PORT" in the remove script # Find an available port -port=$(ynh_find_port --port=8095) +port=$(ynh_find_port --port=2410) ynh_app_setting_set --app=$app --key=port --value=$port # Optional: Expose this port publicly @@ -113,6 +110,10 @@ ynh_script_progression --message="Installing dependencies..." --time --weight=1 ynh_install_app_dependencies $pkg_dependencies +# Install Yarn +ynh_install_extra_app_dependencies --repo="deb https://dl.yarnpkg.com/debian/ stable main" --package="yarn" --key="https://dl.yarnpkg.com/debian/pubkey.gpg" + + #================================================= # CREATE DEDICATED USER #================================================= @@ -122,9 +123,9 @@ ynh_script_progression --message="Configuring system user..." --time --weight=1 ynh_system_user_create --username=$app --home_dir="$final_path" #================================================= -# CREATE A MYSQL DATABASE +# CREATE A POSTGRESQL DATABASE #================================================= -ynh_script_progression --message="Creating a MySQL database..." --time --weight=1 +ynh_script_progression --message="Creating a PostgreSQL database..." --time --weight=1 ### Use these lines if you need a database for the application. ### `ynh_mysql_setup_db` will create a database, an associated user and a ramdom password. @@ -135,10 +136,13 @@ ynh_script_progression --message="Creating a MySQL database..." --time --weight= ### - Remove also the section "REMOVE THE MYSQL DATABASE" in the remove script ### - As well as the section "RESTORE THE MYSQL DATABASE" in the restore script -db_name=$(ynh_sanitize_dbid --db_name=$app) -db_user=$db_name +db_name=$app +db_user=$app +db_pwd=$(ynh_string_random --length=30) ynh_app_setting_set --app=$app --key=db_name --value=$db_name -ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name +ynh_app_setting_set --app=$app --key=db_pwd --value=$db_pwd +ynh_psql_test_if_first_run +ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -174,56 +178,16 @@ ynh_script_progression --message="Configuring NGINX web server..." --time --weig ynh_add_nginx_config #================================================= -# PHP-FPM CONFIGURATION +# BUILD YARN DEPENDENCIES #================================================= -ynh_script_progression --message="Configuring PHP-FPM..." --time --weight=1 +ynh_script_progression --message="Building Yarn dependencies..." -### `ynh_add_fpm_config` is used to set up a PHP config. -### You can remove it if your app doesn't use PHP. -### `ynh_add_fpm_config` will use the files conf/php-fpm.conf -### If you're not using these lines: -### - You can remove these files in conf/. -### - Remove the section "BACKUP THE PHP-FPM CONFIGURATION" in the backup script -### - Remove also the section "REMOVE PHP-FPM CONFIGURATION" in the remove script -### - As well as the section "RESTORE THE PHP-FPM CONFIGURATION" in the restore script -### with the reload at the end of the script. -### - And the section "PHP-FPM CONFIGURATION" in the upgrade script - -# Create a dedicated PHP-FPM config -ynh_add_fpm_config - -#================================================= -# SPECIFIC SETUP -#================================================= -# ... -#================================================= - -#================================================= -# CREATE DATA DIRECTORY -#================================================= -ynh_script_progression --message="Creating a data directory..." --time --weight=1 - -### Use these lines if you need to create a directory to store "persistent files" for the application. -### Usually this directory is used to store uploaded files or any file that won't be updated during -### an upgrade and that won't be deleted during app removal -### If you're not using these lines: -### - Remove the section "BACKUP THE DATA DIR" in the backup script -### - As well as the section "RESTORE THE DATA DIRECTORY" in the restore script - -datadir=/home/yunohost.app/$app -ynh_app_setting_set --app=$app --key=datadir --value=$datadir - -mkdir -p $datadir - -# FIXME: this should be managed by the core in the future -# Here, as a packager, you may have to tweak the ownerhsip/permissions -# such that the appropriate users (e.g. maybe www-data) can access -# files in some cases. -# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - -# this will be treated as a security issue. -chmod 750 "$datadir" -chmod -R o-rwx "$datadir" -chown -R $app:www-data "$datadir" +pushd "$final_path" + ynh_use_nodejs + ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH yarn install --production --frozen-lockfile + ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH yarn cache clean + ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH yarn build +popd #================================================= # ADD A CONFIGURATION @@ -242,13 +206,13 @@ ynh_script_progression --message="Adding a configuration file..." --time --weigh ### ### Check the documentation of `ynh_add_config` for more info. -ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file" +ynh_add_config --template="../conf/.env" --destination="$final_path/.env" # FIXME: this should be handled by the core in the future # You may need to use chmod 600 instead of 400, # for example if the app is expected to be able to modify its own config -chmod 400 "$final_path/some_config_file" -chown $app:$app "$final_path/some_config_file" +chmod 400 "$final_path/.env" +chown $app:$app "$final_path/.env" ### For more complex cases where you want to replace stuff using regexes, ### you shoud rely on ynh_replace_string (which is basically a wrapper for sed) @@ -276,27 +240,6 @@ ynh_script_progression --message="Configuring a systemd service..." --time --wei # Create a dedicated systemd config ynh_add_systemd_config -#================================================= -# SETUP APPLICATION WITH CURL -#================================================= - -### Use these lines only if the app installation needs to be finalized through -### web forms. We generally don't want to ask the final user, -### so we're going to use curl to automatically fill the fields and submit the -### forms. - -# Set the app as temporarily public for curl call -ynh_script_progression --message="Configuring SSOwat..." --time --weight=1 -# Making the app public for curl -ynh_permission_update --permission="main" --add="visitors" - -# Installation with curl -ynh_script_progression --message="Finalizing installation..." --time --weight=1 -ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3" - -# Remove the public access -ynh_permission_update --permission="main" --remove="visitors" - #================================================= # GENERIC FINALIZATION #================================================= @@ -329,7 +272,7 @@ ynh_script_progression --message="Integrating service in YunoHost..." --time --w ### - As well as the section "INTEGRATE SERVICE IN YUNOHOST" in the restore script ### - And the section "INTEGRATE SERVICE IN YUNOHOST" in the upgrade script -yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log" +yunohost service add $app --description="Outline server" --log="/var/log/$app/$app.log" ### Additional options starting with 3.8: ### @@ -387,14 +330,6 @@ fi ### N.B. : the following extra permissions only make sense if your app ### does have for example an admin interface or an API. -# Only the admin can access the admin panel of the app (if the app has an admin panel) -ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin - -# Everyone can access the API part -# We don't want to display the tile in the SSO so we put --show_tile="false" -# And we don't want the YunoHost admin to be able to remove visitors group to this permission, so we put --protected="true" -ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true" - #================================================= # RELOAD NGINX #=================================================