diff --git a/conf/systemd.service b/conf/systemd.service
new file mode 100644
index 0000000..6dae439
--- /dev/null
+++ b/conf/systemd.service
@@ -0,0 +1,48 @@
+[Unit]
+Description=__APP__ monitor, to automatically rebuild your website
+
+[Service]
+Type=simple
+User=__APP__
+Group=www-data
+WorkingDirectory=__INSTALL_DIR__/
+ExecStart=__INSTALL_DIR__/venv/bin/pelican --autoreload
+StandardOutput=journal
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
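Review bot: The `[Service]` block has no `Restart=` directive, so if `pelican --autoreload` exits (an unhandled exception during a rebuild, for instance) the monitor stays down until someone runs `start` again; `Restart=on-failure` with a `RestartSec=` is the usual choice for a long-running watcher like this one. On the sandboxing side, `ProtectSystem=full` only makes `/usr`, `/boot` and `/etc` read-only and leaves `/home` and the rest of the filesystem writable, whereas the only tree this process needs to write is `__INSTALL_DIR__`; `ProtectSystem=strict` plus `ReadWritePaths=__INSTALL_DIR__` (and `ProtectHome=yes`) would confine writes to exactly that path, after confirming pelican writes nowhere else. The nine `CapabilityBoundingSet=~…` deny lines are largely redundant for a unit running as an unprivileged `User=` with `NoNewPrivileges=yes`, since such a process holds no capabilities to begin with; `CapabilityBoundingSet=` (empty) states the same intent in one line and is easier to audit.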
diff --git a/manifest.toml b/manifest.toml index 8af15c9..06eb0e9 100644 --- a/manifest.toml +++ b/manifest.toml @@ -51,6 +51,8 @@ ram.runtime = "50M" [resources] [resources.system_user] + allow_ssh = true + allow_sftp = true [resources.install_dir] diff --git a/scripts/backup b/scripts/backup index 52eea5b..f8e82aa 100644 --- a/scripts/backup +++ b/scripts/backup @@ -27,6 +27,12 @@ ynh_backup --src_path="$install_dir" ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" +#================================================= +# BACKUP SYSTEMD +#================================================= + +ynh_backup --src_path="/etc/systemd/system/$app.service" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/install b/scripts/install index 279609f..722c9e3 100644 --- a/scripts/install +++ b/scripts/install @@ -12,7 +12,7 @@ source /usr/share/yunohost/helpers #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= -ynh_script_progression --message="Setting up source files..." +ynh_script_progression --message="Setting up source files..." --weight=1 date=`date +%Y-%m-%d` mkdir -p $install_dir @@ -30,20 +30,12 @@ chmod 750 "$install_dir" chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" -#================================================= -# NGINX CONFIGURATION -#================================================= -ynh_script_progression --message="Configuring NGINX web server..." - -# Create a dedicated NGINX config -ynh_add_nginx_config - #================================================= # SPECIFIC SETUP #================================================= # BUILD APP #================================================= -ynh_script_progression --message="Building app..." +ynh_script_progression --message="Building app..." --weight=2 pushd $install_dir python3 -m venv $install_dir/venv 
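Review bot: `allow_ssh = true` in `[resources.system_user]` grants the app's system user an interactive shell login, which is a noticeably larger surface than the file-transfer access `allow_sftp = true` already provides; if the intent is only to let the site owner push content into the install directory, the SFTP line alone covers that. Whichever is kept, a one-line comment above the two keys stating why the access is needed (e.g. `# SFTP access so the owner can upload site content`) would save the next reviewer from guessing. Note that the new systemd unit in this same change runs as that user, so whoever holds this login can also modify the venv the unit executes from.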
@@ -51,12 +43,39 @@ pushd $install_dir pip install --upgrade pip ynh_exec_warn_less pip install pelican markdown pelican -s pelicanconf.py -D + deactivate popd +# Somehow this directory is monitored, but not present upon install +mkdir -p "$install_dir/content/images" + chmod 750 "$install_dir" chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" +#================================================= +# SYSTEM CONFIGURATION +#================================================= +ynh_script_progression --message="Adding system configurations related to $app..." --weight=1 + +# Create a dedicated NGINX config +ynh_add_nginx_config + +# Create a dedicated systemd config +ynh_add_systemd_config + +yunohost service add $app --description="$app monitor, to automatically rebuild your website" --log="/var/log/$app/$app.log" + +#================================================= +# GENERIC FINALIZATION +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --weight=1 + +# Start a systemd service +ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 13a8a7a..3e5d4fd 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
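Review bot: `ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"` and `yunohost service add $app … --log="/var/log/$app/$app.log"` point at a file that nothing in this change creates or writes: the new unit sends output to the journal (`StandardOutput=journal`, `StandardError=inherit`) and no `mkdir -p /var/log/$app` appears in the script. Either make the unit write there (`StandardOutput=append:/var/log/__APP__/__APP__.log`, with the directory created and owned by `$app` before the start call) or, if the helper accepts it, pass `--log_path="systemd"` so the start check reads the journal instead of a file that will never exist. The same `--log_path` and `--log` values are repeated in both scripts/upgrade hunks (the stop at the top and the start at the end) and need the same fix. The install script continues outside this hunk.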
@@ -15,13 +15,20 @@ source /usr/share/yunohost/helpers upgrade_type=$(ynh_check_app_version_changed) +#================================================= +# STOP SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Stopping a systemd service..." --weight=1 + +ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= if [ "$upgrade_type" == "UPGRADE_APP" ] then - ynh_script_progression --message="Upgrading source files..." + ynh_script_progression --message="Upgrading source files..." --weight=1 # Download, check integrity, uncompress and patch the source from app.src date=`date +%Y-%m-%d` @@ -37,24 +44,19 @@ then cp -a ../sources/. $install_dir fi +# Somehow this directory is monitored, but not present upon install +[ ! -d "$install_dir/content/images" ] && mkdir -p "$install_dir/content/images" + chmod 750 "$install_dir" chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" -#================================================= -# NGINX CONFIGURATION -#================================================= -ynh_script_progression --message="Upgrading NGINX web server configuration..." - -# Create a dedicated NGINX config -ynh_add_nginx_config - #================================================= # SPECIFIC UPGRADE #================================================= # BUILD APP #================================================= -ynh_script_progression --message="Building app..." +ynh_script_progression --message="Building app..." --weight=2 pushd $install_dir ynh_secure_remove --file="$install_dir/venv" 
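Review bot: The new `ynh_systemd_action --service_name=$app --action="stop"` runs before `ynh_add_systemd_config` installs the unit further down the script, so on the first upgrade from a release that shipped no unit `$app.service` does not exist yet. Unless the helper is known to tolerate a missing unit on `stop` (worth confirming), guarding it with `if [ -e "/etc/systemd/system/$app.service" ]; then … fi` avoids aborting the upgrade on exactly the run that introduces the service. The upgrade script continues outside this hunk.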
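Review bot: `[ ! -d "$install_dir/content/images" ] && mkdir -p "$install_dir/content/images"` duplicates the existence check that `mkdir -p` already performs, and as a bare `&&` list it leaves a non-zero status behind when the directory exists, which stays harmless only because of how `set -e` treats `&&` lists. The install script uses plain `mkdir -p "$install_dir/content/images"`; using the same line here keeps the two scripts consistent. The comment above it also copies install's wording ("not present upon install"), which reads oddly in the upgrade path.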
@@ -63,12 +65,36 @@ pushd $install_dir pip install --upgrade pip ynh_exec_warn_less pip install pelican markdown pelican -s pelicanconf.py -D + deactivate popd chmod 750 "$install_dir" chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" +#================================================= +# SYSTEM CONFIGURATION +#================================================= +ynh_script_progression --message="Adding system configurations related to $app..." --weight=1 + +# Create a dedicated NGINX config +ynh_add_nginx_config + +# Create a dedicated systemd config +ynh_add_systemd_config + +yunohost service add $app --description="$app monitor, to automatically rebuild your website" --log="/var/log/$app/$app.log" + +#================================================= +# GENERIC FINALIZATION +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --weight=1 + +# Start a systemd service +ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" + #================================================= # END OF SCRIPT #=================================================