From 531696fddf804a7702ca03ea57cdfd132b291323 Mon Sep 17 00:00:00 2001
From: orhtej2 <2871798+orhtej2@users.noreply.github.com>
Date: Sun, 28 Jan 2024 17:42:26 +0100
Subject: [PATCH] Finalizing install #1
---
conf/api.service | 52 +++++++++++++++++++++++++++++++++++++++++
conf/config.properties | 8 +++----
conf/nginx.conf | 50 ++++++++++++++++++++++++++++++++++-----
conf/proxy.service | 52 +++++++++++++++++++++++++++++++++++++++++
manifest.toml | 5 +++-
scripts/install | 53 ++++++++++++++++++++++++++++++++++--------
scripts/remove | 15 ++++++++----
7 files changed, 210 insertions(+), 25 deletions(-)
create mode 100644 conf/api.service
create mode 100644 conf/proxy.service
diff --git a/conf/api.service b/conf/api.service
new file mode 100644
index 0000000..b3a8aa9
--- /dev/null
+++ b/conf/api.service
@@ -0,0 +1,52 @@
+[Unit]
+Description=Firefox Sync Storage server
+After=network.target
+After=mariadb.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__
+ExecStart=__INSTALL_DIR__/jdk/bin/java -server -Xmx1G -XX:+UnlockExperimentalVMOptions -XX:+HeapDumpOnOutOfMemoryError -XX:+OptimizeStringConcat -XX:+UseStringDeduplication -XX:+UseCompressedOops -XX:+UseNUMA -XX:+UseG1GC -jar piped.jar
+StandardOutput=append:/var/log/__APP__/__APP__-api.log
+StandardError=inherit
+Environment=JAVA_HOME="__INSTALL_DIR__/jdk"
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/conf/config.properties b/conf/config.properties
index d6752f5..2e34d2c 100644
--- a/conf/config.properties
+++ b/conf/config.properties
@@ -1,10 +1,10 @@ # The port to Listen on. -PORT:8080 +PORT:__PORT__ # The number of workers to use for the server HTTP_WORKERS:2 # Proxy -PROXY_PART:https://__DOMAIN__/__PATH__/proxy +PROXY_PART:https://__DOMAIN__/proxy # Proxy Hash Secret #PROXY_HASH_SECRET:INSERT_HERE
@@ -20,10 +20,10 @@ CAPTCHA_BASE_URL:https://api.capmonster.cloud/ CAPTCHA_API_KEY:INSERT_HERE # Public API URL -API_URL:https://__DOMAIN__/__PATH__/api +API_URL:https://__DOMAIN__/api # Public Frontend URL -FRONTEND_URL:https://__DOMAIN__/__PATH__ +FRONTEND_URL:https://__DOMAIN__ # Enable haveibeenpwned compromised password API COMPROMISED_PASSWORD_CHECK:true
diff --git a/conf/nginx.conf b/conf/nginx.conf
index ec3d9d5..98cfd93 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
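Review bot: The `[Unit]` section orders this service `After=mariadb.service`, but the manifest touched by this same patch declares `type = "postgresql"`, so the API can be started before its database is up; `After=postgresql.service` looks like the intended line. `Description=Firefox Sync Storage server` is a leftover from another package and should name the Piped API. conf/proxy.service carries the same two lines. Separately, `-XX:+HeapDumpOnOutOfMemoryError` combined with `WorkingDirectory=__INSTALL_DIR__` presumably drops heap dumps, which can contain credentials held in memory, into the install directory; consider adding `-XX:HeapDumpPath=` pointing at a directory only `__APP__` can read.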
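Review bot: `PROXY_PART`, `API_URL` and `FRONTEND_URL` (the last two are in the `@@ -20,10` hunk) now drop `__PATH__`, while conf/nginx.conf in this patch still routes `__PATH__/api/` and `__PATH__/proxy/`, so an install anywhere other than the domain root would advertise URLs that nginx does not serve. Either keep `__PATH__` in all three values or make the app root-only and remove `__PATH__` from nginx.conf as well. `#PROXY_HASH_SECRET:INSERT_HERE` also stays commented out in the context lines; if signing of proxy URLs is wanted, the install script would have to generate a secret and fill it in here, which nothing in this patch does.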
@@ -1,18 +1,56 @@ -#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; +rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/api/ { # Path to source - proxy_cache pipedapi; - proxy_pass http://127.0.0.1:__PORT__; + #proxy_cache pipedapi; + proxy_pass http://127.0.0.1:__PORT__/; proxy_http_version 1.1; proxy_set_header Connection "keep-alive"; } -location __PATH__/proxy/ { +location ~ (__PATH__/proxy/videoplayback|__PATH__/proxy/api/v4/|__PATH__/proxy/api/manifest/) { + proxy_buffering on; + proxy_buffers 1024 16k; + proxy_set_header X-Forwarded-For ""; + proxy_set_header CF-Connecting-IP ""; + proxy_hide_header "alt-svc"; + sendfile on; + sendfile_max_chunk 512k; + tcp_nopush on; + aio threads=default; + aio_write on; + directio 16m; + proxy_hide_header Cache-Control; + proxy_hide_header etag; + proxy_http_version 1.1; + proxy_set_header Connection keep-alive; + proxy_max_temp_file_size 32m; + access_log off; + proxy_pass http://127.0.0.1:__PORT_PROXY__; + add_header Cache-Control private always; +} - # Path to source - alias __INSTALL_DIR__/dist/; +location __PATH__/proxy/ { + proxy_buffering on; + proxy_buffers 1024 16k; + proxy_set_header X-Forwarded-For ""; + proxy_set_header CF-Connecting-IP ""; + proxy_hide_header "alt-svc"; + sendfile on; + sendfile_max_chunk 512k; + tcp_nopush on; + aio threads=default; + aio_write on; + directio 16m; + proxy_hide_header Cache-Control; + proxy_hide_header etag; + proxy_http_version 1.1; + proxy_set_header Connection keep-alive; + proxy_max_temp_file_size 32m; + access_log off; + proxy_pass http://127.0.0.1:__PORT_PROXY__/; + add_header Cache-Control "public, max-age=604800"; } diff --git a/conf/proxy.service b/conf/proxy.service new file mode 100644 index 0000000..00cd021 --- /dev/null +++ b/conf/proxy.service 
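Review bot: The new regex location `location ~ (__PATH__/proxy/videoplayback|...)` is not anchored, and nginx evaluates regex locations before plain prefix locations, so any URI that merely contains one of those substrings (including one under `__PATH__/api/`) is routed to the proxy backend instead of its intended location. Anchor it: `location ~ ^__PATH__/proxy/(videoplayback|api/v4/|api/manifest/) {`. Both proxy locations also set `access_log off;` and blank `X-Forwarded-For`, which leaves no server-side record of proxy use; if that is a deliberate privacy choice a comment saying so would help, otherwise keep a minimal access log for abuse investigation. The two blocks repeat the same directives and differ only in `proxy_pass` and `Cache-Control`, so an `include` snippet would keep them from drifting. No location serving `__INSTALL_DIR__/dist/` is visible on the new side of this hunk now that the `alias` line is removed, so confirm the frontend is still served.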
@@ -0,0 +1,52 @@
+[Unit]
+Description=Firefox Sync Storage server
+After=network.target
+After=mariadb.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__
+ExecStart=__INSTALL_DIR__/piped-proxy
+StandardOutput=append:/var/log/__APP__/__APP__-proxy.log
+StandardError=inherit
+Environment=BIND="127.0.0.1:__PORT_PROXY__"
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/manifest.toml b/manifest.toml
index dd614c2..ae51a37 100644
--- a/manifest.toml
+++ b/manifest.toml
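Review bot: This unit reuses the sandbox block of the JVM service unchanged, although from `ExecStart` and `Environment=BIND=...` the proxy appears to need only a loopback listening socket and its log file, so it can be confined more tightly. Since `StandardOutput=append:` is opened by systemd itself, the process probably needs no writable paths at all: consider `ProtectSystem=strict`, `ProtectHome=yes` and, for a native binary, likely `MemoryDenyWriteExecute=yes`. Test the proxy under these before shipping, and note in a comment which ones had to be relaxed and why.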
@@ -69,4 +69,7 @@ ram.runtime = "50M" main.url = "/" [resources.database] - type = "postgresql" \ No newline at end of file + type = "postgresql" + + [resources.ports] + [resources.ports.proxy] \ No newline at end of file diff --git a/scripts/install b/scripts/install index 55b67f0..a161885 100644 --- a/scripts/install +++ b/scripts/install @@ -42,19 +42,16 @@ chown -R $app:www-data "$install_dir" ynh_script_progression --message="Building UI..." --weight=5 pushd $install_dir/build - ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH corepack enable - ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH corepack prepare pnpm@latest --activate - ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH pnpm install - ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH NODE_ENV=production pnpm build + ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH corepack enable + ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH corepack prepare pnpm@latest --activate + ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH pnpm install + ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH NODE_ENV=production pnpm build ynh_exec_warn_less ynh_exec_as $app ./localizefonts.sh popd mv $install_dir/build/dist $install_dir pushd $install_dir/dist - domainandpath="$domain\\$path" - domainandpath=${domainandpath%%+(/)} - domainpathapi="$domainandpath\\/api" - sed -i s/pipedapi.kavin.rocks/"$domainpathapi"/g assets/* + sed -i s/pipedapi.kavin.rocks/"$domain\/api"/g assets/* popd chown -R $app:www-data "$install_dir/dist" chmod -R 755 "$install_dir/dist" 
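Review bot: `corepack prepare pnpm@latest --activate` in the `@@ -42,19` hunk fetches whatever is published as `latest` at install time and runs it as `$app`, so builds are not reproducible and a bad upstream release lands directly on the server. Pin it, e.g. `corepack prepare pnpm@<PINNED_VERSION> --activate` (placeholder; use the version the frontend's lockfile was generated with). In the rewritten `sed -i s/pipedapi.kavin.rocks/"$domain\/api"/g assets/*` the dots in the pattern are unescaped and the expression is only partly quoted; `sed -i "s/pipedapi\.kavin\.rocks/$domain\/api/g" assets/*` matches only the literal host name. The replacement also assumes the API sits at the domain root, which should agree with whatever is decided for `__PATH__` in conf/nginx.conf.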
@@ -62,12 +59,13 @@ chmod -R 755 "$install_dir/dist" ynh_script_progression --message="Building API..." --weight=5 pushd $install_dir/build_api - ynh_secure_remove --file="$install_dir/build_api/config.properties" - ynh_add_config --template="config.properties" --destination="$install_dir/build_api/config.properties" ynh_exec_warn_less ynh_exec_as $app JAVA_HOME=$install_dir/jdk ./gradlew shadowJar popd mv $install_dir/build_api/build/libs/piped-1.0-all.jar $install_dir/piped.jar +ynh_add_config --template="config.properties" --destination="$install_dir/config.properties" +chown $app:$app "$install_dir/config.properties" +chmod 600 "$install_dir/config.properties" ynh_script_progression --message="Building Proxy..." --weight=5 
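Review bot: After `mv ... $install_dir/piped.jar` the jar, like the rest of `$install_dir`, is presumably still owned by `$app` (it was built through `ynh_exec_as $app`), so the account the API service runs as can overwrite the code it executes. Only `config.properties` gets explicit ownership and mode in this hunk. If the services do not need to write there at runtime, `ReadOnlyPaths=__INSTALL_DIR__` in conf/api.service and conf/proxy.service, or root ownership of the directory and binaries, would close that. `chown $app:$app` is also unquoted, unlike the path on the same line.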
@@ -77,6 +75,41 @@ popd mv $install_dir/build_proxy/target/release/piped-proxy $install_dir +#================================================= +# SYSTEM CONFIGURATION +#================================================= +ynh_script_progression --message="Adding system configurations related to $app..." --weight=1 + +ynh_add_nginx_config + +### systemd + +mkdir -p /var/log/$app +touch /var/log/$app/$app-api.log +touch /var/log/$app/$app-proxy.log +chown -R $app: /var/log/$app + +ynh_use_logrotate --logfile="/var/log/$app/$app-api.log" +ynh_use_logrotate --logfile="/var/log/$app/$app-proxy.log" + +ynh_add_systemd_config --template="api.service" --destination="/etc/systemd/system/piped-api.service" +yunohost service add "$app-api" --description="Piped backend API service" --log="/var/log/$app/$app-api.log" + +ynh_add_systemd_config --template="proxy.service" --destination="/etc/systemd/system/piped-proxy.service" +yunohost service add "$app-proxy" --description="Piped HTTP proxy service" --log="/var/log/$app/$app-proxy.log" + +#================================================= +# GENERIC FINALIZATION +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting a systemd service..." --weight=1 + +# Start a systemd service +ynh_systemd_action --service_name=$app-api --action="start" --log_path="/var/log/$app/$app-api.log" --line_match="HTTP Server is listening on" + +ynh_systemd_action --service_name=$app-proxy --action="start" --log_path="/var/log/$app/$app-proxy.log" --line_match="Running server!" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/remove b/scripts/remove index 97ae1b9..2cd9f20 100644 --- a/scripts/remove +++ b/scripts/remove 
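Review bot: `ynh_add_systemd_config` is called with `--destination="/etc/systemd/system/piped-api.service"`, but as far as I know that helper only accepts `--service` and `--template`, so both calls would likely write the default `$app.service` (the second overwriting the first) and `ynh_systemd_action --service_name=$app-api` would then find no unit. scripts/remove in this patch already uses `--service="$app-api"`; the matching calls here are `ynh_add_systemd_config --service="$app-api" --template="api.service"` and `ynh_add_systemd_config --service="$app-proxy" --template="proxy.service"`. The hard-coded `piped-` prefix would also diverge from `$app` on a multi-instance install. The log files are created with `touch` under the default umask and so are presumably world-readable; `chmod 750 /var/log/$app` after the `chown` would keep request logs to the service user.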
@@ -16,19 +16,26 @@ source /usr/share/yunohost/helpers ynh_script_progression --message="Removing system configurations related to $app..." # Remove the service from the list of services known by YunoHost (added from `yunohost service add`) -if ynh_exec_warn_less yunohost service status $app >/dev/null +if ynh_exec_warn_less yunohost service status $app-api >/dev/null then - ynh_script_progression --message="Removing $app service integration..." - yunohost service remove $app + ynh_script_progression --message="Removing $app-api service integration..." + ynh_remove_systemd_config --service="$app-api" + yunohost service remove $app-api fi -ynh_remove_systemd_config +if ynh_exec_warn_less yunohost service status $app-proxy >/dev/null +then + ynh_script_progression --message="Removing $app-proxy service integration..." + ynh_remove_systemd_config --service="$app-proxy" + yunohost service remove $app-proxy +fi ynh_remove_nginx_config # Remove other various files specific to the app... such as : ynh_secure_remove --file="/var/log/$app" +ynh_remove_logrotate #================================================= # END OF SCRIPT
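Review bot: `ynh_remove_systemd_config` now runs only inside `if ... yunohost service status $app-api`, so when the service was never registered with YunoHost (for instance an install that failed between `ynh_add_systemd_config` and `yunohost service add`) the unit file stays in /etc/systemd/system and may remain enabled. The old code removed the unit unconditionally; keep that by moving `ynh_remove_systemd_config --service="$app-api"` and `ynh_remove_systemd_config --service="$app-proxy"` after their respective `fi`. `$app-api` and `$app-proxy` are also unquoted in the `status` and `remove` calls.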