From f2bd90492ab675c7513595fe3a15d101bd6ac6ff Mon Sep 17 00:00:00 2001
From: Fabian Wilkens
Date: Fri, 30 Dec 2022 19:30:56 +0100
Subject: [PATCH] Update to 1.11.0
---
 conf/app.src | 4 +-
 ...uster.service => systemd-consumer.service} | 8 ++--
 conf/systemd-scheduler.service | 43 ++++++++++++++++++
 conf/systemd-task-queue.service | 44 +++++++++++++++++++
 conf/systemd.service | 3 +-
 manifest.json | 2 +-
 scripts/_common.sh | 3 +-
 scripts/backup | 4 +-
 scripts/change_url | 8 +++-
 scripts/install | 12 +++--
 scripts/remove | 8 +++-
 scripts/restore | 16 +++++--
 scripts/upgrade | 20 ++++++---
 13 files changed, 147 insertions(+), 28 deletions(-)
 rename conf/{systemd-qcluster.service => systemd-consumer.service} (88%)
 create mode 100644 conf/systemd-scheduler.service
 create mode 100644 conf/systemd-task-queue.service
diff --git a/conf/app.src b/conf/app.src
index cb5eca2..eacaec9 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/paperless-ngx/paperless-ngx/releases/download/v1.9.2/paperless-ngx-v1.9.2.tar.xz
-SOURCE_SUM=7da7e355745fcc5ac837323f22f7e6d556386297a61e41f04e104fe785e85cce
+SOURCE_URL=https://github.com/paperless-ngx/paperless-ngx/releases/download/v1.11.0/paperless-ngx-v1.11.0.tar.xz
+SOURCE_SUM=6b175daf2b9c7411b9a63f747ad62661c9733d87072c16a494394a189d2e240f
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
diff --git a/conf/systemd-qcluster.service b/conf/systemd-consumer.service
similarity index 88%
rename from conf/systemd-qcluster.service
rename to conf/systemd-consumer.service
index 5f6c9e3..f3f4d06 100644
--- a/conf/systemd-qcluster.service
+++ b/conf/systemd-consumer.service
@@ -1,7 +1,5 @@
 [Unit]
-Description=Paperless qcluster
-After=network.target
-Wants=network.target
+Description=Paperless consumer
 Requires=redis.service
 
 [Service]
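Review bot: Dropping `After=network.target` leaves the `[Unit]` section of conf/systemd-consumer.service with no ordering directive at all: `Requires=redis.service` pulls redis in but does not make the consumer wait for it, so the two units can start in parallel and the consumer's first Redis connections may fail. Add `After=redis.service` beside the `Requires=` line; note also that `Requires=` stops the consumer whenever redis is explicitly stopped or restarted, so `Wants=redis.service` together with `After=redis.service` is the gentler choice if that coupling is not intended. The new conf/systemd-scheduler.service and conf/systemd-task-queue.service in this patch have the same `Requires=` without `After=`.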
@@ -9,8 +7,8 @@ Type=simple
 User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/src/
-ExecStart=__FINALPATH__/venv/bin/python manage.py qcluster
-StandardOutput=append:/var/log/__APP__/__APP__.log
+ExecStart=__FINALPATH__/venv/bin/python3 manage.py document_consumer
+StandardOutput=append:/var/log/__APP__/__APP__-consumer.log
 StandardError=inherit
 
 # Sandboxing options to harden security
diff --git a/conf/systemd-scheduler.service b/conf/systemd-scheduler.service
new file mode 100644
index 0000000..1bc4d39
--- /dev/null
+++ b/conf/systemd-scheduler.service
@@ -0,0 +1,43 @@
+[Unit]
+Description=Paperless scheduler
+Requires=redis.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__FINALPATH__/src/
+ExecStart=__FINALPATH__/venv/bin/celery --app paperless beat --loglevel INFO
+StandardOutput=append:/var/log/__APP__/__APP__-scheduler.log
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
diff --git a/conf/systemd-task-queue.service b/conf/systemd-task-queue.service
new file mode 100644
index 0000000..ea6d556
--- /dev/null
+++ b/conf/systemd-task-queue.service
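Review bot: The `[Service]` section of the new conf/systemd-scheduler.service has no `Restart=` directive, so when the celery beat process exits for any reason the unit stays inactive until someone restarts it by hand, and no scheduled tasks run in the meantime. Adding `Restart=on-failure` and `RestartSec=5` after `StandardError=inherit` covers that, with systemd's default start-rate limit still bounding a crash loop. conf/systemd-task-queue.service in this patch is in the same position.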
@@ -0,0 +1,44 @@
+[Unit]
+Description=Paperless task-queue
+Requires=redis.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__FINALPATH__/src/
+ExecStart=__FINALPATH__/venv/bin/celery --app paperless worker --loglevel INFO
+StandardOutput=append:/var/log/__APP__/__APP__-task-queue.log
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+#PrivateTmp - Must be disabled for full functionality
+#PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
diff --git a/conf/systemd.service b/conf/systemd.service
index 1ddc2dd..636126f 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
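Review bot: `#PrivateTmp - Must be disabled for full functionality` turns off the private /tmp for the worker, so it now shares the host /tmp with every other user and service on the box, and the comment does not record what actually breaks with the option enabled. The same directive is commented out in conf/systemd.service in this patch while the scheduler keeps `PrivateTmp=yes`, which suggests the web service and the worker hand files to each other through /tmp; if so, both units can keep `PrivateTmp=yes` and share one private namespace by adding `JoinsNamespaceOf=__APP__.service` to the worker's `[Unit]` section instead of falling back to the host /tmp. At minimum the comment should name the concrete failure observed with `PrivateTmp=yes` rather than the generic "full functionality", so the next maintainer can re-test it after an upgrade.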
@@ -16,7 +16,8 @@ StandardError=inherit
 # Sandboxing options to harden security
 # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 NoNewPrivileges=yes
-PrivateTmp=yes
+#PrivateTmp - Must be disabled for full functionality
+#PrivateTmp=yes
 PrivateDevices=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
diff --git a/manifest.json b/manifest.json
index 308ff02..00c3583 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Scan, index and archive all your physical documents",
 "fr": "Scannez, triez et archivez tous vos documents papiers"
 },
- "version": "1.9.2~ynh1",
+ "version": "1.11.0~ynh1",
 "url": "https://paperless-ngx.com",
 "upstream": {
 "license": "GPL-3.0-or-later",
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 295eeda..ff70f8e 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -5,8 +5,7 @@
 #=================================================
 
 # dependencies used by the app
-#pkg_dependencies="redis-tools redis-server postgresql postgresql-contrib python3 python3-pip python3-dev python3-venv imagemagick fonts-liberation optipng gnupg libpq-dev libmagic-dev mime-support"
-pkg_dependencies="build-essential postgresql postgresql-contrib python3 python3-pip python3-dev python3-venv imagemagick fonts-liberation optipng gnupg libpq-dev libmagic-dev mime-support libzbar0 poppler-utils default-libmysqlclient-dev"
+pkg_dependencies="python3 python3-pip python3-dev python3-venv default-libmysqlclient-dev fonts-liberation imagemagick gnupg libpq-dev libmagic-dev mime-support libzbar0 poppler-utils postgresql postgresql-contrib "
 ocr_pkg_dependencies="unpaper ghostscript icc-profiles-free qpdf liblept5 libxml2 pngquant zlib1g tesseract-ocr"
 raspberry_pkg_dependencies="libatlas-base-dev libxslt1-dev"
 
diff --git a/scripts/backup b/scripts/backup
index a2fef40..f2ae68d 100755
--- a/scripts/backup
+++ b/scripts/backup
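Review bot: The new `pkg_dependencies` string in scripts/_common.sh ends with a space inside the quotes (`postgresql-contrib "`); apt ignores it, but it reads like a package was deleted mid-edit and the other two dependency strings have no trailing blank, so `pkg_dependencies="... postgresql postgresql-contrib"` is cleaner. The rewrite also drops `build-essential` and `optipng` without a mention in the commit message; if pip ever has to compile a wheel on the target (the `raspberry_pkg_dependencies` line suggests ARM hosts are expected), the compiler will be absent, so either keep the package or add a one-line comment above the assignment saying why it is no longer needed.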
@@ -81,7 +81,9 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
 #=================================================
 
 ynh_backup --src_path="/etc/systemd/system/$app.service"
-ynh_backup --src_path="/etc/systemd/system/$app-qcluster.service"
+ynh_backup --src_path="/etc/systemd/system/$app-consumer.service"
+ynh_backup --src_path="/etc/systemd/system/$app-scheduler.service"
+ynh_backup --src_path="/etc/systemd/system/$app-task-queue.service"
 
 #=================================================
 # BACKUP VARIOUS FILES
diff --git a/scripts/change_url b/scripts/change_url
index 2bdd623..18bf00c 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -77,7 +77,9 @@ fi
 ynh_script_progression --message="Stopping a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="stop" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="stop" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="stop" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="stop" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # MODIFY URL IN NGINX CONF
@@ -131,7 +133,9 @@ chown $app:$app "$final_path/paperless.conf"
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="start" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="start" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="start" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="start" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # RELOAD NGINX
diff --git a/scripts/install b/scripts/install
index a36da18..05a1509 100755
--- a/scripts/install
+++ b/scripts/install
@@ -198,7 +198,9 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1
 
 # Create a dedicated systemd config
 ynh_add_systemd_config --service="$app" --template="systemd.service"
-ynh_add_systemd_config --service="$app-qcluster" --template="systemd-qcluster.service"
+ynh_add_systemd_config --service="$app-consumer" --template="systemd-consumer.service"
+ynh_add_systemd_config --service="$app-scheduler" --template="systemd-scheduler.service"
+ynh_add_systemd_config --service="$app-task-queue" --template="systemd-task-queue.service"
 
 #=================================================
 # GENERIC FINALIZATION
@@ -216,7 +218,9 @@ ynh_use_logrotate
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
 
 yunohost service add "$app" --log="/var/log/$app/$app.log"
-yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
+yunohost service add "$app-consumer" --log="/var/log/$app/$app-consumer.log"
+yunohost service add "$app-scheduler" --log="/var/log/$app/$app-scheduler.log"
+yunohost service add "$app-task-queue" --log="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # START SYSTEMD SERVICE
@@ -224,7 +228,9 @@ yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="start" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="start" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="start" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="start" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # SETUP FAIL2BAN
diff --git a/scripts/remove b/scripts/remove
index 290caa2..0730658 100755
--- a/scripts/remove
+++ b/scripts/remove
@@ -36,7 +36,9 @@ if ynh_exec_warn_less yunohost service status $app >/dev/null
 then
 ynh_script_progression --message="Removing $app service integration..." --weight=1
 yunohost service remove "$app"
- yunohost service remove "$app-qcluster"
+ yunohost service remove "$app-consumer"
+ yunohost service remove "$app-scheduler"
+ yunohost service remove "$app-task-queue"
 fi
 
 #=================================================
@@ -46,7 +48,9 @@ ynh_script_progression --message="Stopping and removing the systemd service..."
 
 # Remove the dedicated systemd config
 ynh_remove_systemd_config --service="$app"
-ynh_remove_systemd_config --service="$app-cluster"
+ynh_remove_systemd_config --service="$app-consumer"
+ynh_remove_systemd_config --service="$app-scheduler"
+ynh_remove_systemd_config --service="$app-task-queue"
 
 #=================================================
 # REMOVE LOGROTATE CONFIGURATION
diff --git a/scripts/restore b/scripts/restore
index 9441f78..a6933ea 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -161,9 +161,13 @@ ynh_psql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./d
 ynh_script_progression --message="Restoring the systemd configuration..." --weight=1
 
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
-ynh_restore_file --origin_path="/etc/systemd/system/$app-qcluster.service"
+ynh_restore_file --origin_path="/etc/systemd/system/$app-consumer.service"
+ynh_restore_file --origin_path="/etc/systemd/system/$app-scheduler.service"
+ynh_restore_file --origin_path="/etc/systemd/system/$app-task-queue.service"
 systemctl enable "$app.service" --quiet
-systemctl enable "$app-qcluster.service" --quiet
+systemctl enable "$app-consumer.service" --quiet
+systemctl enable "$app-scheduler.service" --quiet
+systemctl enable "$app-task-queue.service" --quiet
 
 #=================================================
 # RESTORE THE LOGROTATE CONFIGURATION
@@ -181,7 +185,9 @@ ynh_restore_file --origin_path="/etc/logrotate.d/$app"
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
 
 yunohost service add "$app" --log="/var/log/$app/$app.log"
-yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
+yunohost service add "$app-consumer" --log="/var/log/$app/$app-consumer.log"
+yunohost service add "$app-scheduler" --log="/var/log/$app/$app-scheduler.log"
+yunohost service add "$app-task-queue" --log="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # START SYSTEMD SERVICE
@@ -189,7 +195,9 @@ yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="start" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="start" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="start" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="start" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # GENERIC FINALIZATION
diff --git a/scripts/upgrade b/scripts/upgrade
index 87abce3..16a65f5 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -56,7 +56,9 @@ ynh_abort_if_errors
 ynh_script_progression --message="Stopping a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="stop" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="stop" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="stop" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="stop" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
@@ -187,7 +189,9 @@ ynh_script_progression --message="Upgrading systemd configuration..." --weight=1
 
 # Create a dedicated systemd config
 ynh_add_systemd_config --service="$app" --template="systemd.service"
-ynh_add_systemd_config --service="$app-qcluster" --template="systemd-qcluster.service"
+ynh_add_systemd_config --service="$app-consumer" --template="systemd-consumer.service"
+ynh_add_systemd_config --service="$app-scheduler" --template="systemd-scheduler.service"
+ynh_add_systemd_config --service="$app-task-queue" --template="systemd-task-queue.service"
 
 #=================================================
 # GENERIC FINALIZATION
@@ -198,7 +202,9 @@ ynh_script_progression --message="Upgrading logrotate configuration..." --weight
 
 # Use logrotate to manage app-specific logfile(s)
 ynh_use_logrotate --logfile="/var/log/$app/$app.log"
-ynh_use_logrotate --logfile="/var/log/$app/$app-qcluster.log"
+ynh_use_logrotate --logfile="/var/log/$app/$app-consumer.log"
+ynh_use_logrotate --logfile="/var/log/$app/$app-scheduler.log"
+ynh_use_logrotate --logfile="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
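Review bot: The stop block at `@@ -56,7 +56,9 @@` in scripts/upgrade only knows the new unit names, so on an upgrade from 1.9.2 the installed `$app-qcluster.service` is never stopped, disabled or deleted and keeps running against the 1.11.0 code, and its YunoHost service entry is left behind when the `yunohost service add` hunk (`@@ -206,7 +212,9 @@`, next line) registers the three new ones. Unless the ENSURE DOWNWARD COMPATIBILITY section outside this hunk already handles it, the legacy unit should be stopped and removed here, guarded on its existence, before the new units are touched. Separately, `ynh_systemd_action --action="stop"` on `$app-consumer`, `$app-scheduler` and `$app-task-queue` runs before those units exist on that first upgrade; whether the helper tolerates a missing unit under `ynh_abort_if_errors` is worth confirming, and the same existence guard would settle the question.
```shell
ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log"
# Legacy 1.9.x unit: stop it and drop its unit file and YunoHost entry so it
# does not keep running against the new code next to the new services
if [ -e "/etc/systemd/system/$app-qcluster.service" ]; then
    ynh_systemd_action --service_name="$app-qcluster" --action="stop" --log_path="/var/log/$app/$app-qcluster.log"
    ynh_remove_systemd_config --service="$app-qcluster"
    if ynh_exec_warn_less yunohost service status "$app-qcluster" >/dev/null; then
        yunohost service remove "$app-qcluster"
    fi
fi
# … unchanged: stop of $app-consumer, $app-scheduler and $app-task-queue …
```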
@@ -206,7 +212,9 @@ ynh_use_logrotate --logfile="/var/log/$app/$app-qcluster.log"
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
 
 yunohost service add "$app" --log="/var/log/$app/$app.log"
-yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
+yunohost service add "$app-consumer" --log="/var/log/$app/$app-consumer.log"
+yunohost service add "$app-scheduler" --log="/var/log/$app/$app-scheduler.log"
+yunohost service add "$app-task-queue" --log="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # START SYSTEMD SERVICE
@@ -214,7 +222,9 @@ yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="start" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="start" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="start" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="start" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # UPGRADE FAIL2BAN