diff --git a/README.md b/README.md
index ec5b59f..49e9173 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ Pelican is a static site generator, written in Python.
 * Official app website:
 * Official admin documentation:
 * Upstream app code repository:
-* YunoHost documentation for this app:
+* YunoHost Store:
 * Report a bug:
 ## Developer info
diff --git a/README_fr.md b/README_fr.md
index d25cd4c..d09c395 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -30,7 +30,7 @@ Pelican is a static site generator, written in Python.
 * Site officiel de l’app :
 * Documentation officielle de l’admin :
 * Dépôt de code officiel de l’app :
-* Documentation YunoHost pour cette app :
+* YunoHost Store:
 * Signaler un bug :
 ## Informations pour les développeurs
diff --git a/conf/systemd.service b/conf/systemd.service
new file mode 100644
index 0000000..6dae439
--- /dev/null
+++ b/conf/systemd.service
@@ -0,0 +1,48 @@
+[Unit]
+Description=__APP__ monitor, to automatically rebuild your website
+
+[Service]
+Type=simple
+User=__APP__
+Group=www-data
+WorkingDirectory=__INSTALL_DIR__/
+ExecStart=__INSTALL_DIR__/venv/bin/pelican --autoreload
+StandardOutput=journal
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
diff --git a/manifest.toml b/manifest.toml
index 8af15c9..7e5b619 100644
--- a/manifest.toml
+++ b/manifest.toml
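Review bot: The new unit has no `Restart=` directive, so if the `pelican --autoreload` watcher exits on an error the site silently stops rebuilding until someone notices; `Restart=on-failure` under `[Service]` would cover that. Against the hardening baseline the file otherwise follows, `ProtectHome=yes` is absent, and `RestrictAddressFamilies` still allows `AF_INET AF_INET6` although `ExecStart` runs pelican without `--listen`, so the watcher presumably needs no network sockets at all. If that holds for the plugins this site uses, `RestrictAddressFamilies=AF_UNIX` (or `PrivateNetwork=yes`) is the tighter setting; confirm before changing it.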
@@ -16,11 +16,14 @@ admindoc = "https://docs.getpelican.com/en/latest/index.html"
 code = "https://github.com/getpelican/pelican"
 [integration]
-yunohost = ">= 11.1.19"
+yunohost = ">= 11.2"
 architectures = "all"
 multi_instance = true
+
 ldap = false
+
 sso = true
+
 disk = "50M"
 ram.build = "50M"
 ram.runtime = "50M"
@@ -41,7 +44,6 @@ ram.runtime = "50M"
 ask.en = "Choose an author"
 ask.fr = "Choisissez l'auteur"
 type = "user"
- default = "John Doe"
 [install.title]
 ask.en = "Choose a default title for your website"
@@ -51,6 +53,8 @@ ram.runtime = "50M"
 [resources]
 [resources.system_user]
+ allow_ssh = true
+ allow_sftp = true
 [resources.install_dir]
@@ -58,4 +62,4 @@ ram.runtime = "50M"
 main.url = "/"
 [resources.apt]
- packages = "python3-pip python3-virtualenv python3-dev libldap2-dev libsasl2-dev libssl-dev python3-venv"
+ packages = "python3-pip, python3-virtualenv, python3-dev, libldap2-dev, libsasl2-dev, libssl-dev, python3-venv"
diff --git a/scripts/backup b/scripts/backup
index 52eea5b..f8e82aa 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -27,6 +27,12 @@ ynh_backup --src_path="$install_dir"
 ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
+#=================================================
+# BACKUP SYSTEMD
+#=================================================
+
+ynh_backup --src_path="/etc/systemd/system/$app.service"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
diff --git a/scripts/install b/scripts/install
index 279609f..ba24a72 100644
--- a/scripts/install
+++ b/scripts/install
@@ -12,7 +12,7 @@ source /usr/share/yunohost/helpers
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
-ynh_script_progression --message="Setting up source files..."
+ynh_script_progression --message="Setting up source files..." --weight=1
 date=`date +%Y-%m-%d`
 mkdir -p $install_dir
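Review bot: `allow_ssh = true` and `allow_sftp = true` under `[resources.system_user]` turn the `__APP__` service account into a login account, and that same account runs the new `pelican --autoreload` unit and owns `$install_dir` (the scripts `chown -R $app:www-data` it), so any SSH/SFTP credential for it is effectively write access to the published site; the hunk gives no rationale. If the intent is to let the site owner upload content over SFTP, state it above the two keys, e.g. `# SFTP login is how the site owner drops content into the install dir; the monitor service rebuilds it automatically`. Consider whether an interactive shell (`allow_ssh`) is needed at all or whether `allow_sftp` alone covers the use case.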
@@ -30,20 +30,12 @@ chmod 750 "$install_dir"
 chmod -R o-rwx "$install_dir"
 chown -R $app:www-data "$install_dir"
-#=================================================
-# NGINX CONFIGURATION
-#=================================================
-ynh_script_progression --message="Configuring NGINX web server..."
-
-# Create a dedicated NGINX config
-ynh_add_nginx_config
-
 #=================================================
 # SPECIFIC SETUP
 #=================================================
 # BUILD APP
 #=================================================
-ynh_script_progression --message="Building app..."
+ynh_script_progression --message="Building app..." --weight=2
 pushd $install_dir
 python3 -m venv $install_dir/venv
@@ -51,12 +43,39 @@ pushd $install_dir
 pip install --upgrade pip
 ynh_exec_warn_less pip install pelican markdown
 pelican -s pelicanconf.py -D
+ deactivate
 popd
+# Somehow this directory is monitored, but not present upon install
+mkdir -p "$install_dir/content/images"
+
 chmod 750 "$install_dir"
 chmod -R o-rwx "$install_dir"
 chown -R $app:www-data "$install_dir"
+#=================================================
+# SYSTEM CONFIGURATION
+#=================================================
+ynh_script_progression --message="Adding system configurations related to $app..." --weight=1
+
+# Create a dedicated NGINX config
+ynh_add_nginx_config
+
+# Create a dedicated systemd config
+ynh_add_systemd_config
+
+yunohost service add $app --description="$app monitor, to automatically rebuild your website"
+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --weight=1
+
+# Start a systemd service
+ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index bb21364..158d621 100644
--- a/scripts/remove
+++ b/scripts/remove
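Review bot: The start call passes `--log_path="/var/log/$app/$app.log"`, but nothing in this change creates `/var/log/$app` and the new unit sends its output to the journal (`StandardOutput=journal`), so that file will never exist and the helper has nothing to show if the start fails; `ynh_systemd_action` accepts `--log_path=systemd` to read journalctl instead, which matches what the unit actually produces. The same argument appears on the stop call in scripts/upgrade, while the start calls in scripts/restore and in the last hunk of scripts/upgrade omit it entirely — pick one form and use it in all four places. Note also that `mkdir -p "$install_dir/content/images"` runs before the `chown -R`, which is the right order; the upgrade script repeats it with a redundant `[ ! -d ... ] &&` guard.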
@@ -10,11 +10,19 @@ source _common.sh
 source /usr/share/yunohost/helpers
 #=================================================
-# REMOVE NGINX CONFIGURATION
+# REMOVE SYSTEM CONFIGURATIONS
 #=================================================
-ynh_script_progression --message="Removing NGINX web server configuration..."
+ynh_script_progression --message="Removing system configurations related to $app..." --weight=1
+
+# Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
+if ynh_exec_warn_less yunohost service status $app >/dev/null
+then
+ ynh_script_progression --message="Removing $app service integration..." --weight=1
+ yunohost service remove $app
+fi
+
+ynh_remove_systemd_config
-# Remove the dedicated NGINX config
 ynh_remove_nginx_config
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index 8fae958..1b78b0a 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -13,12 +13,16 @@ source /usr/share/yunohost/helpers
 #=================================================
 # STANDARD RESTORATION STEPS
 #=================================================
-# RESTORE THE NGINX CONFIGURATION
+# RESTORE THE SYSTEM CONFIGURATIONS
 #=================================================
-ynh_script_progression --message="Restoring the NGINX web server configuration..."
+ynh_script_progression --message="Restoring system configurations related to $app..." --weight=1
 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
+ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
+systemctl enable $app.service --quiet
+yunohost service add $app --description="$app monitor, to automatically rebuild your website"
+
 #=================================================
 # RESTORE THE APP MAIN DIR
 #=================================================
@@ -32,11 +36,12 @@ chown -R $app:www-data "$install_dir"
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
-# RELOAD NGINX
+# RELOAD SERVICES
 #=================================================
-ynh_script_progression --message="Reloading NGINX web server..."
+ynh_script_progression --message="Reloading services.."
 ynh_systemd_action --service_name=nginx --action=reload
+ynh_systemd_action --service_name=$app --action="start"
 #=================================================
 # END OF SCRIPT
diff --git a/scripts/upgrade b/scripts/upgrade
index 13a8a7a..94a8501 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -15,13 +15,20 @@ source /usr/share/yunohost/helpers
 upgrade_type=$(ynh_check_app_version_changed)
+#=================================================
+# STOP SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Stopping a systemd service..." --weight=1
+
+ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
+
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
 if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
- ynh_script_progression --message="Upgrading source files..."
+ ynh_script_progression --message="Upgrading source files..." --weight=1
 # Download, check integrity, uncompress and patch the source from app.src
 date=`date +%Y-%m-%d`
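Review bot: The new progression message reads `"Reloading services.."` with two dots, where every other message touched by this commit uses three and carries a `--weight`; `ynh_script_progression --message="Reloading services..." --weight=1` keeps the restore script consistent with install and upgrade. The header rename to `RELOAD SERVICES` is fine, though the step now also starts the app service, so `# RELOAD NGINX AND START SERVICE` would describe it more precisely.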
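Review bot: The new stop step runs unconditionally, but the systemd unit is introduced by this same commit, so on the first upgrade from a version without it `systemctl stop $app` has no unit to act on; `ynh_systemd_action` returns non-zero when its systemctl call fails, and under the helpers' error trap that would abort the upgrade before the unit is ever written (verify on a real upgrade from the previous version, unless the helper is known to tolerate a missing unit). Guard the call on the unit's presence, e.g. `if [ -e "/etc/systemd/system/$app.service" ]; then ynh_systemd_action --service_name=$app --action="stop"; fi`. The `--log_path` on this line points at a file nothing creates, as noted on the install hunk.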
@@ -31,30 +38,25 @@ then
 ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="../sources/pelicanconf.py"
 ynh_replace_string --match_string="__PATH__" --replace_string="$path" --target_file="../sources/pelicanconf.py"
 ynh_replace_string --match_string="__AUTHOR__" --replace_string="$author" --target_file="../sources/pelicanconf.py"
- ynh_replace_string --match_string="__TITEL__" --replace_string="$title" --target_file="../sources/pelicanconf.py"
+ ynh_replace_string --match_string="__TITLE__" --replace_string="$title" --target_file="../sources/pelicanconf.py"
 ynh_replace_string --match_string="__AUTHOR__" --replace_string="$author" --target_file="../sources/content/first-article.md"
 ynh_replace_string --match_string="__DATE__" --replace_string="$date" --target_file="../sources/content/first-article.md"
 cp -a ../sources/. $install_dir
 fi
+# Somehow this directory is monitored, but not present upon install
+[ ! -d "$install_dir/content/images" ] && mkdir -p "$install_dir/content/images"
+
 chmod 750 "$install_dir"
 chmod -R o-rwx "$install_dir"
 chown -R $app:www-data "$install_dir"
-#=================================================
-# NGINX CONFIGURATION
-#=================================================
-ynh_script_progression --message="Upgrading NGINX web server configuration..."
-
-# Create a dedicated NGINX config
-ynh_add_nginx_config
-
 #=================================================
 # SPECIFIC UPGRADE
 #=================================================
 # BUILD APP
 #=================================================
-ynh_script_progression --message="Building app..."
+ynh_script_progression --message="Building app..." --weight=2
 pushd $install_dir
 ynh_secure_remove --file="$install_dir/venv"
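Review bot: The placeholder rename from `__TITEL__` to `__TITLE__` only touches scripts/upgrade; `../sources/pelicanconf.py`, where the placeholder actually lives, and the matching `ynh_replace_string` line in scripts/install are not in this diff, so confirm both already use `__TITLE__` — `ynh_replace_string` does not fail on a missing match, so a mismatch would silently leave the title unset after an upgrade. Separately, `[ ! -d "$install_dir/content/images" ] && mkdir -p "$install_dir/content/images"` is a redundant guard since `mkdir -p` is already idempotent; the bare `mkdir -p "$install_dir/content/images"` that scripts/install uses reads the same and avoids a non-zero list status when the directory exists. The enclosing `if [ "$upgrade_type" == "UPGRADE_APP" ]` block starts outside the hunk.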
@@ -63,12 +65,36 @@ pushd $install_dir
 pip install --upgrade pip
 ynh_exec_warn_less pip install pelican markdown
 pelican -s pelicanconf.py -D
+ deactivate
 popd
 chmod 750 "$install_dir"
 chmod -R o-rwx "$install_dir"
 chown -R $app:www-data "$install_dir"
+#=================================================
+# SYSTEM CONFIGURATION
+#=================================================
+ynh_script_progression --message="Adding system configurations related to $app..." --weight=1
+
+# Create a dedicated NGINX config
+ynh_add_nginx_config
+
+# Create a dedicated systemd config
+ynh_add_systemd_config
+
+yunohost service add $app --description="$app monitor, to automatically rebuild your website"
+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --weight=1
+
+# Start a systemd service
+ynh_systemd_action --service_name=$app --action="start"
+
 #=================================================
 # END OF SCRIPT
 #=================================================