From fe0c96481bdd53f531b3d751dcb4dd0d6d3b61dc Mon Sep 17 00:00:00 2001 From: Laurent Peuch Date: Wed, 11 Jan 2023 23:35:50 +0100 Subject: [PATCH 1/9] fix: compile translation on install and update --- scripts/install | 1 + scripts/restore | 1 + scripts/upgrade | 1 + 3 files changed, 3 insertions(+) diff --git a/scripts/install b/scripts/install index 337a4a8..1eb3804 100755 --- a/scripts/install +++ b/scripts/install @@ -125,6 +125,7 @@ pushd $final_path venv/bin/pip install --upgrade pip venv/bin/pip install -r requirements.txt venv/bin/pip install gunicorn + venv/bin/pybabel compile -d locales/ mkdir -p /var/log/$app chown -R $app:www-data /var/log/$app chmod o-rwx /var/log/$app diff --git a/scripts/restore b/scripts/restore index cc35ab0..f2cb5e6 100755 --- a/scripts/restore +++ b/scripts/restore @@ -89,6 +89,7 @@ pushd $final_path venv/bin/pip install --upgrade pip venv/bin/pip install -r requirements.txt venv/bin/pip install gunicorn + venv/bin/pybabel compile -d locales/ mkdir -p /var/log/$app chown -R $app:www-data /var/log/$app chmod o-rwx /var/log/$app diff --git a/scripts/upgrade b/scripts/upgrade index 7b88a17..4f47c6d 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -112,6 +112,7 @@ pushd $final_path venv/bin/pip install --upgrade pip venv/bin/pip install -r requirements.txt venv/bin/pip install gunicorn + venv/bin/pybabel compile -d locales/ mkdir -p /var/log/$app chown -R $app:www-data /var/log/$app chmod o-rwx /var/log/$app From b934068e6d6d6afc7880abd2e79ffcb2290302e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Fri, 12 Jan 2024 21:24:33 +0100 Subject: [PATCH 2/9] fix --- scripts/change_url | 4 ++-- scripts/install | 2 +- scripts/upgrade | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/change_url b/scripts/change_url index 67e0fe3..c85b218 100644 --- a/scripts/change_url +++ b/scripts/change_url 
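Review bot: The new `venv/bin/pybabel compile -d locales/` line in the install hunk (and its copies in restore and upgrade on this line) relies on Babel being pulled in by `requirements.txt`, which is not visible here; if it is not, the script dies on a missing path with no hint at the actual cause. A named guard just before it makes the failure self-explaining, e.g. `[ -x venv/bin/pybabel ] || ynh_die --message="pybabel not found in venv: add Babel to requirements.txt"` (assuming the helpers sourced by these scripts provide `ynh_die`, as the `ynh_*` calls elsewhere in this series suggest). The same four-line venv block is now duplicated verbatim in three scripts; if the package has a `scripts/_common.sh`, moving it into one function there would keep the three in sync. The compiled `.mo` files are written by whoever runs the script, and no ownership fix-up for `$final_path` is in the hunk, so presumably that is handled after the `popd`, which lies outside this hunk along with the opening `pushd $final_path`.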
@@ -16,7 +16,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" --line_match="Stopped" +ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" #================================================= # MODIFY URL IN NGINX CONF @@ -56,7 +56,7 @@ chmod o=--- $install_dir ynh_script_progression --message="Starting a systemd service..." --weight=1 # Start a systemd service -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Started" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index a6cdd43..09b0386 100755 --- a/scripts/install +++ b/scripts/install @@ -106,7 +106,7 @@ chmod o=--- $install_dir ynh_script_progression --message="Starting a systemd service..." --weight=1 # Start a systemd service -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Started" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" #================================================= # END OF SCRIPT diff --git a/scripts/upgrade b/scripts/upgrade index d723313..2f94151 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -22,7 +22,7 @@ upgrade_type=$(ynh_check_app_version_changed) #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" --line_match="Stopped" +ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE 
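Review bot: Dropping `--line_match="Started"` from the `ynh_systemd_action --action="start"` call in scripts/install (and the matching stop/start edits in change_url and upgrade on this line) removes the only confirmation that the unit actually came up; unless `ynh_systemd_action` blocks until the unit is active on its own, which this hunk does not show, a gunicorn that exits right after launch (bad config, port already bound) now lets the script finish and report a successful install. If the journal string "Started" was unreliable (systemd's wording differs between versions), replace the check rather than delete it, e.g. add `systemctl is-active --quiet "$app" || ynh_die --message="$app failed to start"` right after the start call. The same applies to the stop calls, where a unit that ignores TERM would otherwise be left running through the rest of upgrade. The enclosing script sections continue outside the hunk.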
@@ -109,7 +109,7 @@ chmod o=--- $install_dir #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Started" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" #================================================= # END OF SCRIPT From c6fb8fea6b30f8fc38559ebec6c2a6f89c86ddc0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Fri, 12 Jan 2024 23:33:25 +0100 Subject: [PATCH 3/9] Update restore --- scripts/restore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/restore b/scripts/restore index 598a32c..761278f 100755 --- a/scripts/restore +++ b/scripts/restore @@ -64,7 +64,7 @@ yunohost service add $app --description="Simple donation form" --log="/var/log/$ #================================================= ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1 -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Started" +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" ynh_systemd_action --service_name=nginx --action=reload From 19b46eb43b707dad28e0fc2259ac6dee226502df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Fri, 12 Jan 2024 23:34:03 +0100 Subject: [PATCH 4/9] Update systemd.service --- conf/systemd.service | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/conf/systemd.service b/conf/systemd.service index 12aeccc..d6ee611 100644 --- a/conf/systemd.service +++ b/conf/systemd.service 
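Review bot: In the scripts/restore hunk the start call loses `--line_match="Started"` immediately after `yunohost service add $app` registers the unit, so a restore whose service fails to start is reported as successful and the failure only surfaces when a user hits the site; the same holds for the upgrade start hunk above it on this line. If the helper does not wait for the unit by itself (not visible here), follow the start with an explicit check such as `systemctl is-active --quiet "$app" || ynh_die --message="$app failed to start after restore"` before the nginx reload. The restore script continues outside the hunk.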
@@ -12,5 +12,39 @@ ExecReload=/bin/kill -s HUP $MAINPID ExecStop=/bin/kill -s TERM $MAINPID PrivateTmp=true +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target From ea49ba03d0fa6da4f1167af93055dec74b78df74 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Sat, 13 Jan 2024 08:52:02 +0100 Subject: [PATCH 5/9] Update systemd.service --- conf/systemd.service | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index d6ee611..12aeccc 100644 --- a/conf/systemd.service 
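Review bot: The added `PrivateTmp=yes` duplicates the existing `PrivateTmp=true` context line two lines above it; drop one so the unit has a single source of truth for that setting. The hardening block also omits `ProtectHome=yes`, which is the one option most relevant to a web app that lives under /var and has no reason to read user home directories; add it unless the app is known to touch /home. `RestrictAddressFamilies` keeps `AF_NETLINK`, which a gunicorn service is unlikely to need (hedged: some libraries query interfaces via netlink), and `ProtectSystem=full` leaves all of /var writable, so if the app only writes to its log directory `ProtectSystem=strict` plus a `ReadWritePaths=` line for that directory would be tighter. The next commit in this series reverts the whole block without saying which option broke the app; if one did, narrowing the block (for example dropping `ProtectProc=invisible` or `@privileged` from the syscall filter) would keep the rest of the sandbox instead of losing all of it.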
+++ b/conf/systemd.service @@ -12,39 +12,5 @@ ExecReload=/bin/kill -s HUP $MAINPID ExecStop=/bin/kill -s TERM $MAINPID PrivateTmp=true -# Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these -# .. but this should be a good baseline -# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed -ProtectClock=yes -ProtectHostname=yes -ProtectProc=invisible -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes -SystemCallArchitectures=native -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged - -# Denying access to capabilities that should not be relevant for webapps -# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html -CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD -CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT -CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK -CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG - [Install] WantedBy=multi-user.target From 617c659ef1c5d0276aa3bd4faad77c04aa7f70e9 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 15 Feb 2024 17:44:02 +0100 Subject: [PATCH 6/9] autoupdate.strategy = "latest_github_release" --- manifest.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/manifest.toml b/manifest.toml index aef4f98..a63539b 100644 --- a/manifest.toml +++ b/manifest.toml 
@@ -81,6 +81,7 @@ ram.runtime = "50M" [resources.sources.main] url = "https://github.com/YunoHost/pepettes/archive/v1.0.1.tar.gz" sha256 = "9792ed5589d4a55bd619edc7aa61a1a78f34c5a4e7095b2292ac09b66c8b9a58" + autoupdate.strategy = "latest_github_release" [resources.ports] From f1b50b5e68d410e0030a1b905a91e252c35c3c92 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Thu, 15 Feb 2024 16:44:05 +0000 Subject: [PATCH 7/9] Auto-update README --- README.md | 4 ++-- README_fr.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f39762a..cd48592 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ @@ -40,4 +40,4 @@ or sudo yunohost app upgrade pepettes -u https://github.com/YunoHost-Apps/pepettes_ynh/tree/testing --debug ``` -**More info regarding app packaging:** +**More info regarding app packaging:** \ No newline at end of file diff --git a/README_fr.md b/README_fr.md index 1ddf82c..8606409 100644 --- a/README_fr.md +++ b/README_fr.md @@ -1,5 +1,5 @@ From 4b5918a4d99e0ed4a3fba014827fce95d29c4886 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 15 Feb 2024 17:45:50 +0100 Subject: [PATCH 8/9] Update manifest.toml --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index a63539b..933e677 100644 --- a/manifest.toml +++ b/manifest.toml @@ -5,7 +5,7 @@ name = "Pepettes" description.en = "Simple donation form with stripe" description.fr = "Simple formulaire de don avec stripe" -version = "1.0.1~ynh5" +version = "1.0.1~ynh6" maintainers = ["ljf"] From ac2368aa02b79ea88898516ace5b26156716ea4a Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Thu, 15 Feb 2024 16:45:54 +0000 Subject: [PATCH 9/9] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cd48592..4bab49b 100644 --- a/README.md +++ b/README.md 
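Review bot: `autoupdate.strategy = "latest_github_release"` lets the autoupdate bot rewrite both `url` and `sha256` in `[resources.sources.main]` whenever a new upstream GitHub release appears, so the `sha256` pin visible above is no longer a human-reviewed value; it only guards download integrity against whatever the bot computed, and the trust boundary moves to the upstream GitHub account and to whoever merges the bot's bump. That is a reasonable trade for an upstream in the same organisation, but it should be stated next to the key so maintainers review those bumps rather than merging them mechanically, e.g. `# bot rewrites url+sha256 on each upstream release; review the upstream diff before merging`. Minor style point: the new line is indented inside the table while its neighbours `url` and `sha256` are not.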
@@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in A simple donation form with stripe -**Shipped version:** 1.0.1~ynh5 +**Shipped version:** 1.0.1~ynh6 **Demo:** https://donate.yunohost.org ## Documentation and resources diff --git a/README_fr.md b/README_fr.md index 8606409..6ac3e9a 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,7 +18,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po A simple donation form with stripe -**Version incluse :** 1.0.1~ynh5 +**Version incluse :** 1.0.1~ynh6 **Démo :** https://donate.yunohost.org ## Documentations et ressources