Finalizing install #1

conf/api.service

@@ -0,0 +1,52 @@
+[Unit]
+Description=Firefox Sync Storage server
+After=network.target
+After=mariadb.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__
+ExecStart=__INSTALL_DIR__/jdk/bin/java -server -Xmx1G -XX:+UnlockExperimentalVMOptions -XX:+HeapDumpOnOutOfMemoryError -XX:+OptimizeStringConcat -XX:+UseStringDeduplication -XX:+UseCompressedOops -XX:+UseNUMA -XX:+UseG1GC -jar piped.jar
+StandardOutput=append:/var/log/__APP__/__APP__-api.log
+StandardError=inherit
+Environment=JAVA_HOME="__INSTALL_DIR__/jdk"
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
+

conf/config.properties

@@ -1,10 +1,10 @@
 # The port to Listen on.
-PORT:8080
+PORT:__PORT__
 # The number of workers to use for the server
 HTTP_WORKERS:2
 
 # Proxy
-PROXY_PART:https://__DOMAIN__/__PATH__/proxy
+PROXY_PART:https://__DOMAIN__/proxy
 
 # Proxy Hash Secret
 #PROXY_HASH_SECRET:INSERT_HERE
@@ -20,10 +20,10 @@ CAPTCHA_BASE_URL:https://api.capmonster.cloud/
 CAPTCHA_API_KEY:INSERT_HERE
 
 # Public API URL
-API_URL:https://__DOMAIN__/__PATH__/api
+API_URL:https://__DOMAIN__/api
 
 # Public Frontend URL
-FRONTEND_URL:https://__DOMAIN__/__PATH__
+FRONTEND_URL:https://__DOMAIN__
 
 # Enable haveibeenpwned compromised password API
 COMPROMISED_PASSWORD_CHECK:true

conf/nginx.conf

@@ -1,18 +1,56 @@
-#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
+rewrite ^__PATH__$ __PATH__/ permanent;
 
 location __PATH__/api/ {
 
   # Path to source
-  proxy_cache pipedapi;
-  proxy_pass http://127.0.0.1:__PORT__;
+  #proxy_cache pipedapi;
+  proxy_pass http://127.0.0.1:__PORT__/;
   proxy_http_version 1.1;
   proxy_set_header Connection "keep-alive";
 }
 
-location __PATH__/proxy/ {
+location ~ (__PATH__/proxy/videoplayback|__PATH__/proxy/api/v4/|__PATH__/proxy/api/manifest/) {
+  proxy_buffering on;
+  proxy_buffers 1024 16k;
+  proxy_set_header X-Forwarded-For "";
+  proxy_set_header CF-Connecting-IP "";
+  proxy_hide_header "alt-svc";
+  sendfile on;
+  sendfile_max_chunk 512k;
+  tcp_nopush on;
+  aio threads=default;
+  aio_write on;
+  directio 16m;
+  proxy_hide_header Cache-Control;
+  proxy_hide_header etag;
+  proxy_http_version 1.1;
+  proxy_set_header Connection keep-alive;
+  proxy_max_temp_file_size 32m;
+  access_log off;
+  proxy_pass http://127.0.0.1:__PORT_PROXY__;
+  add_header Cache-Control private always;
+}
 
-  # Path to source
-  alias __INSTALL_DIR__/dist/;
+location __PATH__/proxy/ {
+  proxy_buffering on;
+  proxy_buffers 1024 16k;
+  proxy_set_header X-Forwarded-For "";
+  proxy_set_header CF-Connecting-IP "";
+  proxy_hide_header "alt-svc";
+  sendfile on;
+  sendfile_max_chunk 512k;
+  tcp_nopush on;
+  aio threads=default;
+  aio_write on;
+  directio 16m;
+  proxy_hide_header Cache-Control;
+  proxy_hide_header etag;
+  proxy_http_version 1.1;
+  proxy_set_header Connection keep-alive;
+  proxy_max_temp_file_size 32m;
+  access_log off;
+  proxy_pass http://127.0.0.1:__PORT_PROXY__/;
+  add_header Cache-Control "public, max-age=604800";
 }
 
 

conf/proxy.service

@@ -0,0 +1,52 @@
+[Unit]
+Description=Firefox Sync Storage server
+After=network.target
+After=mariadb.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__
+ExecStart=__INSTALL_DIR__/piped-proxy
+StandardOutput=append:/var/log/__APP__/__APP__-proxy.log
+StandardError=inherit
+Environment=BIND="127.0.0.1:__PORT_PROXY__"
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
+

manifest.toml

@@ -69,4 +69,7 @@ ram.runtime = "50M"
     main.url = "/"
 
     [resources.database]
-    type = "postgresql"
+    type = "postgresql"
+
+    [resources.ports]
+        [resources.ports.proxy]

scripts/install

@@ -42,19 +42,16 @@ chown -R $app:www-data "$install_dir"
 ynh_script_progression --message="Building UI..." --weight=5
 
 pushd $install_dir/build
-	ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH corepack enable
-	ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH corepack prepare pnpm@latest --activate
-	ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH pnpm install
-	ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH NODE_ENV=production pnpm build
+    ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH corepack enable
+    ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH corepack prepare pnpm@latest --activate
+    ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH pnpm install
+    ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH NODE_ENV=production pnpm build
     ynh_exec_warn_less ynh_exec_as $app ./localizefonts.sh
 popd
 
 mv $install_dir/build/dist $install_dir
 pushd $install_dir/dist
-    domainandpath="$domain\\$path"
-    domainandpath=${domainandpath%%+(/)}
-    domainpathapi="$domainandpath\\/api"
-    sed -i s/pipedapi.kavin.rocks/"$domainpathapi"/g assets/*
+    sed -i s/pipedapi.kavin.rocks/"$domain\/api"/g assets/*
 popd
 chown -R $app:www-data "$install_dir/dist"
 chmod -R 755 "$install_dir/dist"
@@ -62,12 +59,13 @@ chmod -R 755 "$install_dir/dist"
 ynh_script_progression --message="Building API..." --weight=5
 
 pushd $install_dir/build_api
-    ynh_secure_remove --file="$install_dir/build_api/config.properties"
-    ynh_add_config --template="config.properties" --destination="$install_dir/build_api/config.properties"
     ynh_exec_warn_less ynh_exec_as $app JAVA_HOME=$install_dir/jdk ./gradlew shadowJar
 popd
 
 mv $install_dir/build_api/build/libs/piped-1.0-all.jar $install_dir/piped.jar
+ynh_add_config --template="config.properties" --destination="$install_dir/config.properties"
+chown $app:$app "$install_dir/config.properties"
+chmod 600 "$install_dir/config.properties"
 
 ynh_script_progression --message="Building Proxy..." --weight=5
 
@@ -77,6 +75,41 @@ popd
 
 mv $install_dir/build_proxy/target/release/piped-proxy $install_dir
 
+#=================================================
+# SYSTEM CONFIGURATION
+#=================================================
+ynh_script_progression --message="Adding system configurations related to $app..." --weight=1
+
+ynh_add_nginx_config
+
+### systemd
+
+mkdir -p /var/log/$app
+touch /var/log/$app/$app-api.log
+touch /var/log/$app/$app-proxy.log
+chown -R $app: /var/log/$app
+
+ynh_use_logrotate --logfile="/var/log/$app/$app-api.log"
+ynh_use_logrotate --logfile="/var/log/$app/$app-proxy.log"
+
+ynh_add_systemd_config --template="api.service" --destination="/etc/systemd/system/piped-api.service"
+yunohost service add "$app-api" --description="Piped backend API service" --log="/var/log/$app/$app-api.log"
+
+ynh_add_systemd_config --template="proxy.service" --destination="/etc/systemd/system/piped-proxy.service"
+yunohost service add "$app-proxy" --description="Piped HTTP proxy service" --log="/var/log/$app/$app-proxy.log"
+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --weight=1
+
+# Start a systemd service
+ynh_systemd_action --service_name=$app-api --action="start" --log_path="/var/log/$app/$app-api.log" --line_match="HTTP Server is listening on"
+
+ynh_systemd_action --service_name=$app-proxy --action="start" --log_path="/var/log/$app/$app-proxy.log" --line_match="Running server!"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

scripts/remove

@@ -16,19 +16,26 @@ source /usr/share/yunohost/helpers
 ynh_script_progression --message="Removing system configurations related to $app..."
 
 # Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
-if ynh_exec_warn_less yunohost service status $app >/dev/null
+if ynh_exec_warn_less yunohost service status $app-api >/dev/null
 then
-	ynh_script_progression --message="Removing $app service integration..."
-	yunohost service remove $app
+    ynh_script_progression --message="Removing $app-api service integration..."
+    ynh_remove_systemd_config --service="$app-api"
+    yunohost service remove $app-api
 fi
 
-ynh_remove_systemd_config
+if ynh_exec_warn_less yunohost service status $app-proxy >/dev/null
+then
+    ynh_script_progression --message="Removing $app-proxy service integration..."
+    ynh_remove_systemd_config --service="$app-proxy"
+    yunohost service remove $app-proxy
+fi
 
 ynh_remove_nginx_config
 
 # Remove other various files specific to the app... such as :
 
 ynh_secure_remove --file="/var/log/$app"
+ynh_remove_logrotate
 
 #=================================================
 # END OF SCRIPT