diff --git a/conf/config.example.js b/conf/config.example.js
index c1a6242..8952402 100644
--- a/conf/config.example.js
+++ b/conf/config.example.js
@@ -1,3 +1,10 @@
 // Here you can overwite the default configuration values
 window.owntracks = window.owntracks || {};
-window.owntracks.config = {};
+window.owntracks.config = {
+ api: {
+ baseUrl: "https://__DOMAIN__/__PATH__/recorder/",
+ },
+ router: {
+ basePath: "/__PATH__",
+ },
+};
diff --git a/conf/env b/conf/env
new file mode 100644
index 0000000..59f3afb
--- /dev/null
+++ b/conf/env
@@ -0,0 +1,25 @@
+# ---------------------- #
+# RECORDER CONFIGURATION #
+# ---------------------- #
+
+OTR_STORAGEDIR=__DATA_DIR__
+OTR_SERVERLABEL=OwnTrack
+
+# MQTT
+#OTR_HOST=127.0.0.1
+OTR_PORT=0
+#OTR_USER
+#OTR_PASS
+#OTR_QOS
+#OTR_TOPICS
+#OTR_CAFILE
+#OTR_CAPATH
+#OTR_CERTFILE
+#OTR_KEYFILE
+#OTR_IDENTITY
+#OTR_PSK
+
+# REVERSE PROXY
+OTR_HTTPHOST=127.0.0.1
+OTR_HTTPPORT=__PORT__
+OTR_HTTPPREFIX=https://__DOMAIN____PATH__/recorder
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 1e5a760..6af3015 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
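Review bot: `baseUrl` puts a `/` between `__DOMAIN__` and `__PATH__`, while the `conf/env` hunk's `OTR_HTTPPREFIX=https://__DOMAIN____PATH__/recorder` does not, so the two templates cannot both expand to the same origin. If `__PATH__` carries its leading slash, as the nginx `location __PATH__/recorder/` lines assume, the frontend will request `https://<domain>//<path>/recorder/` (constructed example) and `basePath: "/__PATH__"` becomes `//<path>`. Align the two with `baseUrl: "https://__DOMAIN____PATH__/recorder/",` and `basePath: "__PATH__",`, and check what the root-path install (`__PATH__` = `/`) produces for both values.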
@@ -10,6 +10,67 @@ location __PATH__/ {
 more_set_headers "X-XSS-Protection: '1; mode=block'";
 more_set_headers "Content-Security-Policy: frame-ancestors 'self'";
+ # Proxy and upgrade WebSocket connection
+ location __PATH__/recorder/ws {
+ rewrite ^__PATH__/recorder/(.*) /$1 break;
+ proxy_pass http://127.0.0.1:__PORT__;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location __PATH__/recorder/ {
+ proxy_pass http://127.0.0.1:__PORT__/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+ # OwnTracks Recorder Views (requires /view, /static, /utils)
+ location __PATH__/recorder/view/ {
+ proxy_buffering off; # Chrome
+ proxy_pass http://127.0.0.1:__PORT__/view/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+ location __PATH__/recorder/static/ {
+ proxy_pass http://127.0.0.1:__PORT__/static/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+ location __PATH__/recorder/utils/ {
+ proxy_pass http://127.0.0.1:__PORT__/utils/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+ # HTTP Mode
+ location __PATH__/recorder/pub {
+ # Basic auth is disabled in favour of YunoHost's SSO
+ #auth_basic "OwnTracks pub";
+ #auth_basic_user_file /usr/local/etc/nginx/owntracks.htpasswd;
+ proxy_pass http://127.0.0.1:__PORT__/pub;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # Optionally force Recorder to use username from Basic
+ # authentication user. Whether or not client sets
+ # X-Limit-U and/or uses ?u= parameter, the user will
+ # be set to $remote_user.
+ proxy_set_header X-Limit-U $remote_user;
+ }
+
 # Include SSOWAT user panel.
 include conf.d/yunohost_panel.conf.inc;
 }
diff --git a/conf/systemd.service b/conf/systemd.service
new file mode 100644
index 0000000..ebe4d83
--- /dev/null
+++ b/conf/systemd.service
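Review bot: `proxy_set_header X-Limit-U $remote_user;` in the `__PATH__/recorder/pub` block only pins the username when nginx actually sees a Basic `Authorization` header, and with `auth_basic` commented out that header has to come from the SSO layer; the manifest hunk disables `auth_header` only for the `/api` permission, while the `__PATH__/recorder/…` locations added here fall under whichever permission covers `__PATH__/`, so confirm that permission keeps the auth header enabled — otherwise `$remote_user` is empty, nginx omits the empty header, and a client-supplied `?u=` is honoured, which is the opposite of what the comment above that line promises. Since the `__PATH__/recorder/` catch-all also proxies the recorder's own API and views, a short comment naming the permission that gates these blocks (e.g. `# Access to every /recorder/ path is governed by the permission covering __PATH__/, not by the "api" permission`) would make that dependency visible. Smaller points: the `/ws` block sets no `proxy_read_timeout`, so idle WebSocket sessions are cut at nginx's 60 s default (`proxy_read_timeout 3600s;` if the frontend keeps the socket open), and it is the only block without `X-Real-IP`. The enclosing `location __PATH__/ {` block starts outside the hunk.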
@@ -0,0 +1,49 @@
+[Unit]
+Description=OwnTracks Recorder
+After=network.target
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+EnvironmentFile=__INSTALL_DIR__/.env
+ExecStart=/usr/sbin/ot-recorder
+StandardOutput=append:/var/log/__APP__/__APP__.log
+StandardError=inherit
+
+### Depending on specificities of your service/app, you may need to tweak these
+### .. but this should be a good baseline
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
diff --git a/manifest.toml b/manifest.toml
index 9c1178f..cf1b805 100644
--- a/manifest.toml
+++ b/manifest.toml
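Review bot: `ProtectSystem=full` leaves `__INSTALL_DIR__` writable to the service, and the install/upgrade hunks make `$app` the owner of `$install_dir`, which holds the built frontend that nginx serves from `www/`; a compromised recorder process could therefore rewrite the JavaScript delivered to every user of the app. `ProtectSystem=strict` together with `ReadWritePaths=__DATA_DIR__ /var/log/__APP__` would confine writes to the recorder's storage (and the log path, in case the `append:` file is opened after the mount sandbox is applied), assuming `ot-recorder` writes nowhere else. A one-line comment explaining why `ProtectHome` is deliberately absent from this baseline would also save the next reader a check.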
@@ -47,6 +47,15 @@ ram.runtime = "50M"
 default = "visitors"
 [resources]
+ [resources.apt]
+ extras.recorder.repo = "deb http://repo.owntracks.org/debian __YNH_DEBIAN_VERSION__ main"
+ extras.recorder.key = "https://raw.githubusercontent.com/owntracks/recorder/master/etc/repo.owntracks.org.gpg.key"
+ extras.recorder.packages = ["ot-recorder"]
+
+ extras.yarn.repo = "deb https://dl.yarnpkg.com/debian/ stable main"
+ extras.yarn.key = "https://dl.yarnpkg.com/debian/pubkey.gpg"
+ extras.yarn.packages = "yarn"
+
 [resources.sources.main]
 url = "https://github.com/owntracks/frontend/archive/refs/tags/v2.12.0.tar.gz"
 sha256 = "1695c3e39f5b276fc6d07c7685eaa3df033e37979b240bc8422663e8aa22e130"
@@ -58,15 +67,13 @@ ram.runtime = "50M"
 [resources.install_dir]
+ [resources.data_dir]
+
+ [resources.ports]
+
 [resources.permissions]
 main.url = "/"
 api.url = "/api"
 api.auth_header = false
 api.show_tile = false
 api.protected= true
-
- [resources.apt]
- packages = ""
- extras.yarn.repo = "deb https://dl.yarnpkg.com/debian/ stable main"
- extras.yarn.key = "https://dl.yarnpkg.com/debian/pubkey.gpg"
- extras.yarn.packages = "yarn"
diff --git a/scripts/backup b/scripts/backup
index 73ab5e6..f72b257 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -22,11 +22,19 @@ ynh_print_info --message="Declaring files to be backed up..."
 ynh_backup --src_path="$install_dir"
 #=================================================
-# BACKUP THE NGINX CONFIGURATION
+# BACKUP THE DATA DIR
+#=================================================
+
+ynh_backup --src_path="$data_dir" --is_big
+
+#=================================================
+# SYSTEM CONFIGURATION
 #=================================================
 ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
+ynh_backup --src_path="/etc/systemd/system/$app.service"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
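Review bot: `extras.recorder.key` fetches the apt signing key from the `master` branch of the upstream GitHub repository, a mutable reference, so anyone who can push to that branch (or a routine key rotation there) silently changes what this package trusts when installing `ot-recorder`; pinning the URL to a tag or commit of that repository, and noting the key's fingerprint in a comment next to it, would make the trust anchor reviewable. The repository line itself is `http://`; apt still verifies signatures, but `https://`, if upstream serves it, keeps package metadata off the wire in clear. Minor style: `extras.recorder.packages` is a list while the moved `extras.yarn.packages` stays a bare string — use one form for both.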
diff --git a/scripts/install b/scripts/install
index d202fe4..241f773 100644
--- a/scripts/install
+++ b/scripts/install
@@ -45,21 +45,43 @@ ynh_secure_remove "$install_dir/source"
 #=================================================
 # ADD A CONFIGURATION
 #=================================================
-ynh_script_progression --message="Adding a configuration file..." --weight=1
+ynh_script_progression --message="Adding configuration files..." --weight=1
 ynh_add_config --template="config.example.js" --destination="$install_dir/www/config/config.js"
-chmod 400 "$install_dir/www/config/config.js"
+chmod 640 "$install_dir/www/config/config.js"
 chown "$app:www-data" "$install_dir/www/config/config.js"
+ynh_add_config --template="env" --destination="$install_dir/.env"
+
+chmod 600 "$install_dir/.env"
+chown "$app:$app" "$install_dir/.env"
+
 #=================================================
 # SYSTEM CONFIGURATION
 #=================================================
 ynh_script_progression --message="Adding system configurations related to $app..." --weight=1
+# Create a dedicated systemd config
+ynh_add_systemd_config
+
+# Add log files
+mkdir -p "/var/log/$app/"
+chmod 660 "/var/log/$app/"
+chown "$app:$app" "/var/log/$app/"
+
+yunohost service add "$app" --description="Owntracks recorder" --log="/var/log/$app/$app.log"
+
 # Create a dedicated nginx config
 ynh_add_nginx_config
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting $app's systemd service..." --weight=1
+
+ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index 613f291..725730c 100644
--- a/scripts/restore
+++ b/scripts/restore
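Review bot: `chmod 660 "/var/log/$app/"` sets a directory mode without the search (x) bit, so even the `$app` owner cannot traverse it to open files inside; it probably still appears to work because systemd opens the `append:` log before dropping privileges, but anything that runs as `$app` and touches the log path will fail with a permission error. Use `chmod 750 "/var/log/$app/"` — directories need the execute bit — and the same line recurs in the last upgrade hunk. The `400` → `640` change on `config.js` is consistent with nginx (`www-data`, the group owner) having to read it, and the file carries only URLs, so group read is appropriate; a short comment saying so would stop a later hardening pass from reverting it.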
@@ -27,6 +27,12 @@ ynh_script_progression --message="Restoring system configurations related to $ap
 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
+ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
+systemctl unmask "$app.service" --quiet
+systemctl enable "$app.service" --quiet
+
+yunohost service add "$app" --description="Owntracks recorder" --log="/var/log/$app/$app.log"
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
@@ -34,6 +40,8 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 #=================================================
 ynh_script_progression --message="Reloading NGINX web server..."
+ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
+
 ynh_systemd_action --service_name=nginx --action=reload
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 90681fb..e6c3a80 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -9,16 +9,6 @@ source _common.sh
 source /usr/share/yunohost/helpers
-#=================================================
-# ENSURE DOWNWARD COMPATIBILITY
-#=================================================
-ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
-
-# Cleanup previous package that ynh_setup_source on install_dir
-if [ ! -d "$install_dir/www" ]; then
- ynh_secure_remove "$install_dir"/* "$install_dir"/.*
-fi
-
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
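Review bot: Neither restore hunk creates `/var/log/$app/` before the unit is started, yet the restored unit logs with `StandardOutput=append:/var/log/__APP__/__APP__.log` and the second hunk calls `ynh_systemd_action` with `--log_path="/var/log/$app/$app.log"`; `append:` creates the file but not its parent directory, so on a rebuilt host the start fails unless the directory is created somewhere outside these hunks. If it is not, the install script's `mkdir -p "/var/log/$app/"` / `chown "$app:$app" "/var/log/$app/"` pair belongs in the first hunk, before the `yunohost service add` line. The backup hunk does not archive `/var/log/$app`, which is fine, but it is why restore has to recreate it.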
@@ -45,6 +35,9 @@ chown -R $app:www-data "$install_dir"
 #=================================================
 ynh_script_progression --message="Installing $app..." --weight=10
+# Delete current build
+ynh_secure_remove "$install_dir/www"
+
 pushd "$install_dir/source"
 ynh_use_nodejs
 ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" yarn install
@@ -57,20 +50,35 @@ ynh_secure_remove "$install_dir/source"
 #=================================================
 # ADD A CONFIGURATION
 #=================================================
-ynh_script_progression --message="Adding a configuration file..." --weight=1
+ynh_script_progression --message="Adding configuration files..." --weight=1
 ynh_add_config --template="config.example.js" --destination="$install_dir/www/config/config.js"
 chmod -R o-rwx "$install_dir"
 chown -R "$app:www-data" "$install_dir"
-chmod 400 "$install_dir/www/config/config.js"
+chmod 640 "$install_dir/www/config/config.js"
+
+ynh_add_config --template="env" --destination="$install_dir/.env"
+
+chmod 600 "$install_dir/.env"
+chown "$app:$app" "$install_dir/.env"
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
 ynh_script_progression --message="Upgrading NGINX web server configuration..."
+
+# Create a dedicated systemd config
+ynh_add_systemd_config
+
+# Add log files
+mkdir -p "/var/log/$app/"
+chmod 660 "/var/log/$app/"
+chown "$app:$app" "/var/log/$app/"
+
+yunohost service add "$app" --description="Owntracks recorder" --log="/var/log/$app/$app.log"
+
 # Create a dedicated nginx config
 ynh_add_nginx_config
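Review bot: The last hunk keeps the `# NGINX CONFIGURATION` header and the `Upgrading NGINX web server configuration...` progression message, but the code it now introduces installs the systemd unit, creates the log directory and registers the service; rename the section to match the install script, e.g. `# SYSTEM CONFIGURATION` with `ynh_script_progression --message="Upgrading system configurations related to $app..." --weight=1`, so the upgrade log says what actually happened. In the previous hunk, `ynh_secure_remove "$install_dir/www"` removes the served build before `yarn install` and the build have succeeded, so a failed build leaves the site empty rather than on the old version; building first and swapping `www/` only after success would close that window, if the build output location allows it. The `chmod 660 "/var/log/$app/"` here has the same missing search bit as in the install script.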