From ed0da530bac75e9143ee0a6c2235298ff312fdd5 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 22 May 2024 04:48:53 +0200 Subject: [PATCH 1/8] update to v1.1.1 --- manifest.toml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifest.toml b/manifest.toml index 933e677..8cfada0 100644 --- a/manifest.toml +++ b/manifest.toml @@ -5,7 +5,7 @@ name = "Pepettes" description.en = "Simple donation form with stripe" description.fr = "Simple formulaire de don avec stripe" -version = "1.0.1~ynh6" +version = "1.1.1~ynh1" maintainers = ["ljf"] @@ -79,8 +79,8 @@ ram.runtime = "50M" [resources] [resources.sources.main] - url = "https://github.com/YunoHost/pepettes/archive/v1.0.1.tar.gz" - sha256 = "9792ed5589d4a55bd619edc7aa61a1a78f34c5a4e7095b2292ac09b66c8b9a58" + url = "https://github.com/YunoHost/pepettes/archive/refs/tags/v1.1.1.tar.gz" + sha256 = "bbdc2f64afc7597b4a66d2ec3bfe87324f482ffe4681766c79b9938415c366f5" autoupdate.strategy = "latest_github_release" [resources.ports] From 9164d83f643bbf90819d9b0a76583c955b8e5971 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Wed, 22 May 2024 02:48:58 +0000 Subject: [PATCH 2/8] Auto-update READMEs --- README.md | 2 +- README_es.md | 2 +- README_eu.md | 2 +- README_fr.md | 2 +- README_gl.md | 2 +- README_zh_Hans.md | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 844d45a..0473a41 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ It shall NOT be edited by hand. A simple donation form with stripe -**Shipped version:** 1.0.1~ynh6 +**Shipped version:** 1.1.1~ynh1 **Demo:** ## Documentation and resources diff --git a/README_es.md b/README_es.md index 0a079c9..ae2f8d6 100644 --- a/README_es.md +++ b/README_es.md @@ -18,7 +18,7 @@ No se debe editar a mano. A simple donation form with stripe -**Versión actual:** 1.0.1~ynh6 +**Versión actual:** 1.1.1~ynh1 **Demo:** ## Documentaciones y recursos diff --git a/README_eu.md b/README_eu.md index 8241b41..74b6a14 100644 --- a/README_eu.md +++ b/README_eu.md @@ -18,7 +18,7 @@ EZ editatu eskuz. A simple donation form with stripe -**Paketatutako bertsioa:** 1.0.1~ynh6 +**Paketatutako bertsioa:** 1.1.1~ynh1 **Demoa:** ## Dokumentazioa eta baliabideak diff --git a/README_fr.md b/README_fr.md index 0e0d3e7..d91c2b7 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,7 +18,7 @@ Il NE doit PAS être modifié à la main. A simple donation form with stripe -**Version incluse :** 1.0.1~ynh6 +**Version incluse :** 1.1.1~ynh1 **Démo :** ## Documentations et ressources diff --git a/README_gl.md b/README_gl.md index 1cd850a..453b2ee 100644 --- a/README_gl.md +++ b/README_gl.md @@ -18,7 +18,7 @@ NON debe editarse manualmente. A simple donation form with stripe -**Versión proporcionada:** 1.0.1~ynh6 +**Versión proporcionada:** 1.1.1~ynh1 **Demo:** ## Documentación e recursos diff --git a/README_zh_Hans.md b/README_zh_Hans.md index 3eb92c3..6bbb526 100644 --- a/README_zh_Hans.md +++ b/README_zh_Hans.md @@ -18,7 +18,7 @@ A simple donation form with stripe -**分发版本:** 1.0.1~ynh6 +**分发版本:** 1.1.1~ynh1 **演示:** ## 文档与资源 From 3a53aafff618210043f2a03e925df69efa317e03 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 22 May 2024 18:38:15 +0200 Subject: [PATCH 3/8] add sandboxing in the systemd config --- conf/systemd.service | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/conf/systemd.service b/conf/systemd.service index 12aeccc..4abad0b 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -12,5 +12,37 @@ ExecReload=/bin/kill -s HUP $MAINPID ExecStop=/bin/kill -s TERM $MAINPID PrivateTmp=true +# Sandboxing options to harden security +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target From 076901e045c99593eb370b280e074c495d3091d4 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 22 May 2024 19:11:11 +0200 Subject: [PATCH 4/8] fix systemd sandboxing config --- conf/systemd.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/systemd.service b/conf/systemd.service index 4abad0b..6e0b50d 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -30,7 +30,7 @@ ProtectKernelModules=yes ProtectKernelTunables=yes LockPersonality=yes SystemCallArchitectures=native -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation # Denying access to capabilities that should not be relevant for webapps # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html From d88a6978cdf272b5887607d074e02a7e35f7423d Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 22 May 2024 23:00:23 +0200 Subject: [PATCH 5/8] remove useless ynh ssowat thing --- conf/nginx.conf | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 1876b1e..6e9bf0d 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,16 +1,13 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://unix:__INSTALL_DIR__/sock; - - # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://unix:__INSTALL_DIR__/sock; } location __PATH__/css/ { - alias __INSTALL_DIR__/assets/css; + alias __INSTALL_DIR__/assets/css; } From 9c276a799e3b72bfa24209d3f01ae6772f1b717d Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 22 May 2024 23:01:01 +0200 Subject: [PATCH 6/8] remove bugged css proxying --- conf/nginx.conf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 6e9bf0d..afa05c9 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -7,7 +7,3 @@ location __PATH__/ { proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://unix:__INSTALL_DIR__/sock; } -location __PATH__/css/ { - alias __INSTALL_DIR__/assets/css; -} - From bc93e18af82a6271fb8c3bf545141fd4fc48052a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 22 May 2024 23:16:23 +0200 Subject: [PATCH 7/8] do not print a WARNING for locale compilations --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index 09b0386..8a0a0fa 100755 --- a/scripts/install +++ b/scripts/install @@ -47,7 +47,7 @@ pushd $install_dir venv/bin/pip install --upgrade pip venv/bin/pip install -r requirements.txt venv/bin/pip install gunicorn - venv/bin/pybabel compile -d locales/ + ynh_exec_warn_less venv/bin/pybabel compile -d locales/ mkdir -p /var/log/$app chown -R $app:www-data /var/log/$app chmod o-rwx /var/log/$app diff --git a/scripts/restore b/scripts/restore index 761278f..14cff9a 100755 --- a/scripts/restore +++ b/scripts/restore @@ -30,7 +30,7 @@ pushd $install_dir venv/bin/pip install --upgrade pip venv/bin/pip install -r requirements.txt venv/bin/pip install gunicorn - venv/bin/pybabel compile -d locales/ + ynh_exec_warn_less venv/bin/pybabel compile -d locales/ mkdir -p /var/log/$app chown -R $app:www-data /var/log/$app chmod o-rwx /var/log/$app diff --git a/scripts/upgrade b/scripts/upgrade index 2f94151..97f8c1e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -51,7 +51,7 @@ pushd $install_dir venv/bin/pip install --upgrade pip venv/bin/pip install -r requirements.txt venv/bin/pip install gunicorn - venv/bin/pybabel compile -d locales/ + ynh_exec_warn_less venv/bin/pybabel compile -d locales/ mkdir -p /var/log/$app chown -R $app:www-data /var/log/$app chmod o-rwx /var/log/$app From 118c5dddd77e0e962bb66571b8fc1f889c2bf570 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 22 May 2024 23:25:03 +0200 Subject: [PATCH 8/8] update used disk space --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index 8cfada0..9d90479 100644 --- a/manifest.toml +++ b/manifest.toml @@ -21,7 +21,7 @@ architectures = "all" multi_instance = true ldap = false sso = false -disk = "50M" +disk = "55M" ram.build = "50M" ram.runtime = "50M"