diff --git a/conf/.env b/conf/.env index 13d68f92..31e386b4 100644 --- a/conf/.env +++ b/conf/.env @@ -148,5 +148,5 @@ MEDIA_HLS_P2P=true MEDIA_HLS_BITRATE=2000 # average quality and limited storage use ## Remove the "upgrade needed" warning -# comment this if you (as an admin user) want to have a permanent reminder of an available update (upstream, not necessarily in Yunohost !) +# comment this if you (as an admin user) want to have a permanent reminder of an available update (upstream, not necessarily in Yunohost!) INSTANCE_SOFTWARE_UPDATE_DISABLE_FAILED_WARNING=true diff --git a/conf/horizon.conf b/conf/horizon.conf deleted file mode 100644 index f65edfb2..00000000 --- a/conf/horizon.conf +++ /dev/null @@ -1,9 +0,0 @@ -[program:__APP__-horizon] -process_name=%(program_name)s -command=php__PHPVERSION__ __INSTALL_DIR__/artisan horizon -autostart=true -autorestart=true -user=__APP__ -redirect_stderr=true -stdout_logfile=/var/log/__APP__/__APP__-horizon.log -stopwaitsecs=3600 \ No newline at end of file diff --git a/conf/systemd.conf b/conf/systemd.conf new file mode 100644 index 00000000..f5392cd7 --- /dev/null +++ b/conf/systemd.conf 
@@ -0,0 +1,50 @@
+[Unit]
+Description=Pixelfed
+After=network.target
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/
+ExecStart=php__PHPVERSION__ __INSTALL_DIR__/artisan horizon
+Restart=on-failure
+StandardOutput=append:/var/log/__APP__/__APP__.log
+StandardError=inherit
+
+### Depending on specificities of your service/app, you may need to tweak these
+### .. but this should be a good baseline
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/backup b/scripts/backup
index 535642d5..54db3d27 100644
--- a/scripts/backup
+++ b/scripts/backup
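Review bot: The `[Service]` section sets no `TimeoutStopSec`, so on stop systemd waits only its default (90 s in stock builds) before escalating to SIGKILL, whereas the removed horizon.conf gave Horizon `stopwaitsecs=3600` to drain in-flight queue jobs; add `TimeoutStopSec=3600` next to `Restart=on-failure` to keep that graceful-shutdown window. Separately, `StandardOutput=append:/var/log/__APP__/__APP__.log` is not the file the scripts create and rotate (`/var/log/$app/${app}-horizon.log`), so the worker's real log is created by systemd itself with ownership and mode the packaging does not control; use one name in both places. `After=network.target` does not order the worker after Redis/PostgreSQL, which `Restart=on-failure` will paper over at boot with restart churn; if those are the backends (not visible here), `After=network.target redis-server.service postgresql.service` is the usual fix.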
@@ -27,29 +27,11 @@ ynh_backup --src_path="$install_dir" ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" -#================================================= -# BACKUP THE PHP-FPM CONFIGURATION -#================================================= - ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" -#================================================= -# SPECIFIC BACKUP -#================================================= -# BACKUP LOGROTATE -#================================================= - ynh_backup --src_path="/etc/logrotate.d/$app" -#================================================= -# BACKUP SUPERVISOR CONFIGURATION -#================================================= - -ynh_backup --src_path="/etc/supervisor/conf.d/${app}-horizon.conf" - -#================================================= -# BACKUP VARIOUS FILES -#================================================= +ynh_backup --src_path="/etc/systemd/system/$app.service" ynh_backup --src_path="/etc/cron.d/$app" diff --git a/scripts/change_url b/scripts/change_url index 6aa0860a..ccd29a6b 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -14,9 +14,9 @@ source /usr/share/yunohost/helpers #================================================= # STOP SUPERVISOR SERVICE #================================================= -ynh_script_progression --message="Stopping a supervisor service..." --weight=1 +ynh_script_progression --message="Stopping $app's systemd service..." --weight=1 -ynh_supervisor_action --service_name="${app}-horizon" --action="stop" --log_path="/var/log/$app/${app}-horizon.log" +ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log" #================================================= # MODIFY URL IN NGINX CONF 
@@ -60,9 +60,9 @@ popd #================================================= # START SUPERVISOR SERVICE #================================================= -ynh_script_progression --message="Starting a supervisor service..." --weight=1 +ynh_script_progression --message="Starting $app's systemd service..." --weight=1 -ynh_supervisor_action --service_name="${app}-horizon" --action="start" --log_path="systemd" --line_match="success: ${app}-horizon" +ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index 9b385c3b..88a41da2 100644 --- a/scripts/install +++ b/scripts/install @@ -47,6 +47,17 @@ ynh_setup_source --dest_dir="$install_dir" chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" +#================================================= +# ADD A CONFIGURATION +#================================================= +ynh_script_progression --message="Adding a configuration file..." --weight=1 + +ynh_add_config --template=".env" --destination="$install_dir/.env" + +# Pixelfed app should be able to edit its settings from the admin panel +chmod 600 "$install_dir/.env" +chown $app:$app "$install_dir/.env" + #================================================= # PATCHING SOURCE #================================================= 
@@ -57,14 +68,29 @@ ynh_script_progression --message="Patching source files..." --weight=1 ynh_replace_string --match_string="'/usr/sbin/sendmail -bs'" --replace_string="'/usr/sbin/sendmail -bs -- '" --target_file=$install_dir/config/mail.php #================================================= -# PHP-FPM CONFIGURATION +# SYSTEM CONFIGURATION #================================================= -ynh_script_progression --message="Configuring PHP-FPM..." --weight=1 +ynh_script_progression --message="Adding system configurations related to $app..." --weight=1 ynh_add_fpm_config --usage=$fpm_usage --footprint=$fpm_footprint --group=www-data ynh_add_nginx_config +ynh_add_systemd_config + +yunohost service add "$app" --description="A short description of the app" --log="/var/log/$app/$app.log" + +mkdir -p "/var/log/$app/" +touch "/var/log/$app/${app}-horizon.log" +chown -R $app: "/var/log/$app/" +chmod -R 600 "/var/log/$app/" + +# Use logrotate to manage application logfile(s) +ynh_use_logrotate --logfile="/var/log/$app/${app}-horizon.log" +ynh_use_logrotate --logfile="/var/www/$app/storage/logs/laravel.log" --specific_user=$app/www-data + +ynh_add_config --template="cron" --destination="/etc/cron.d/$app" + #================================================= # SPECIFIC SETUP #================================================= 
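Review bot: The log file this hunk creates and rotates, `/var/log/$app/${app}-horizon.log`, is not the file the new unit appends to nor the one `yunohost service add` and `ynh_systemd_action` read (`/var/log/$app/$app.log`), so the 600-mode, rotated file stays empty while the live log is created by systemd and never rotated; change the `touch` and the first `ynh_use_logrotate --logfile=` to `"/var/log/$app/$app.log"` (or rename the path in the unit). `chmod -R 600 "/var/log/$app/"` also strips the execute bit from the directory itself, leaving `$app` unable to traverse its own log directory; prefer `chmod 750 "/var/log/$app/"` and `chmod 600 "/var/log/$app/"*.log`. The placeholder `--description="A short description of the app"` is shown to admins in the services panel and should name the service, e.g. `--description="Pixelfed Horizon queue worker"`. The laravel.log logrotate entry hard-codes `/var/www/$app` where the rest of the script uses `$install_dir`.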
@@ -74,35 +100,6 @@ ynh_script_progression --message="Installing composer dependencies..." --weight= ynh_exec_warn_less ynh_install_composer --phpversion="$phpversion" --composerversion="$YNH_COMPOSER_VERSION" --workdir="$install_dir" -#================================================= -# CREATE LOG FILE -#================================================= -ynh_script_progression --message="Creating log file..." --weight=1 - -mkdir -p "/var/log/$app/" -touch "/var/log/$app/${app}-horizon.log" -chown -R $app: "/var/log/$app/" -chmod -R 600 "/var/log/$app/" - -#================================================= -# ADD A CONFIGURATION -#================================================= -ynh_script_progression --message="Adding a configuration file..." --weight=1 - -ynh_add_config --template="../conf/.env" --destination="$install_dir/.env" - -# Pixelfed app should be able to edit its settings from the admin panel -chmod 600 "$install_dir/.env" -chown $app:$app "$install_dir/.env" - -#================================================= -# SETUP SUPERVISOR -#================================================= -ynh_script_progression --message="Configuring a supervisor service..." --weight=1 - -# Create a dedicated supervisor config -ynh_add_supervisor_config --service="${app}-horizon" --template=horizon.conf - #================================================= # DEPLOY #================================================= 
@@ -126,24 +123,6 @@ pushd "$install_dir" php$phpversion artisan passport:client --personal <<< "\\n" popd -#================================================= -# INSTALL THE CRON FILE -#================================================= -ynh_script_progression --message="Installing the cron file..." --weight=1 - -ynh_add_config --template="../conf/cron" --destination="/etc/cron.d/$app" - -#================================================= -# GENERIC FINALIZATION -#================================================= -# SETUP LOGROTATE -#================================================= -ynh_script_progression --message="Configuring log rotation..." --weight=1 - -# Use logrotate to manage application logfile(s) -ynh_use_logrotate --logfile="/var/log/$app/${app}-horizon.log" -ynh_use_logrotate --logfile="/var/www/$app/storage/logs/laravel.log" --specific_user=$app/www-data - #================================================= # PATCH PERMISSIONS for v0.11.5 versions and higher #================================================= 
@@ -160,20 +139,12 @@ if [ -d "$install_dir/public/storage/m/_v2/" ]; then chown -R :www-data "$install_dir/public/storage/m/_v2/" # Fix the mess following packaging v2 upgrade - and make sure proper group owner is set. fi -#================================================= -# INTEGRATE SERVICE IN YUNOHOST -#================================================= -ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 - -yunohost service add "supervisor" --description="Supervisor daemon for $app" --log="/var/log/$app/${app}-horizon.log" - #================================================= # START SUPERVISOR SERVICE #================================================= -ynh_script_progression --message="Starting a supervisor service..." --weight=1 +ynh_script_progression --message="Starting $app's systemd service..." --weight=1 -# Start a supervisor service -ynh_supervisor_action --service_name="${app}-horizon" --action="reload" --log_path="systemd" --line_match="success: ${app}-horizon" +ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" #================================================= # END OF SCRIPT diff --git a/scripts/remove b/scripts/remove index c1ff05ae..e321ed3f 100644 --- a/scripts/remove +++ b/scripts/remove 
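Review bot: The section header above the new start call still reads `# START SUPERVISOR SERVICE` (the same stale header survives in change_url), which now misdescribes the step; rename it `# START SYSTEMD SERVICE` as the upgrade script does. The removed supervisor start waited on `--line_match="success: ${app}-horizon"`, whereas the new `ynh_systemd_action ... --action="start"` returns as soon as `systemctl start` does and will not notice a worker that exits right away (the unit's `Restart=on-failure` then loops silently); if Horizon prints a stable startup line to its log, passing it as `--line_match` restores that check.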
@@ -10,64 +10,31 @@ source _common.sh source /usr/share/yunohost/helpers #================================================= -# STANDARD REMOVE -#================================================= -# REMOVE SERVICE INTEGRATION IN YUNOHOST +# REMOVE SYSTEM CONFIGURATIONS #================================================= +ynh_script_progression --message="Removing system configurations related to $app..." --weight=1 + +### This should be a symetric version of what happens in the install script # Remove the service from the list of services known by YunoHost (added from `yunohost service add`) -if ynh_exec_warn_less yunohost service status "supervisor" >/dev/null -then - ynh_script_progression --message="Removing supervisor service..." - yunohost service remove "supervisor" +if ynh_exec_warn_less yunohost service status "$app" >/dev/null; then + ynh_script_progression --message="Removing $app service integration..." --weight=1 + yunohost service remove "$app" fi -#================================================= -# STOP AND REMOVE SERVICE -#================================================= -ynh_script_progression --message="Stopping and removing the supervisor service..." --weight=1 - -# Remove the dedicated supervisor config -ynh_remove_supervisor_config --service="${app}-horizon" - -#================================================= -# REMOVE LOGROTATE CONFIGURATION -#================================================= -ynh_script_progression --message="Removing logrotate configuration..." --weight=1 +ynh_remove_systemd_config # Remove the app-specific logrotate config ynh_remove_logrotate -#================================================= -# REMOVE THE REDIS DATABASE -#================================================= -ynh_script_progression --message="Removing the Redis database..." 
--weight=1 - ynh_redis_remove_db "$redis_db" -#================================================= -# REMOVE NGINX CONFIGURATION -#================================================= -ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1 - # Remove the dedicated NGINX config ynh_remove_nginx_config -#================================================= -# REMOVE PHP-FPM CONFIGURATION -#================================================= -ynh_script_progression --message="Removing PHP-FPM configuration..." --weight=1 - # Remove the dedicated PHP-FPM config ynh_remove_fpm_config -#================================================= -# SPECIFIC REMOVE -#================================================= -# REMOVE VARIOUS FILES -#================================================= -ynh_script_progression --message="Removing various files..." --weight=1 - # Remove a cron file ynh_secure_remove --file="/etc/cron.d/$app" diff --git a/scripts/restore b/scripts/restore index 085b019e..1e52142c 100644 --- a/scripts/restore +++ b/scripts/restore 
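Review bot: The remove script now only looks for a `$app` service entry and a systemd unit, so on an instance installed with the previous release and later upgraded, the `supervisor` entry registered by the old `yunohost service add "supervisor"` and the old `/etc/supervisor/conf.d/${app}-horizon.conf` program are not cleaned up here. Unless the upgrade script's downward-compatibility section (outside this diff) already removes them, consider keeping a guarded `ynh_remove_supervisor_config --service="${app}-horizon"` and `yunohost service remove "supervisor"` in remove, conditioned on the file existing, so removal does not leave a running worker behind.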
@@ -29,20 +29,6 @@ ynh_script_progression --message="Patching source files..." --weight=1 # This described in more detail on the manpage https://www.postfix.org/sendmail.1.html under security ynh_replace_string --match_string="'/usr/sbin/sendmail -bs'" --replace_string="'/usr/sbin/sendmail -bs -- '" --target_file=$install_dir/config/mail.php -#================================================= -# RESTORE THE PHP-FPM CONFIGURATION -#================================================= -ynh_script_progression --message="Restoring PHP-FPM configuration..." --weight=1 - -ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" - -#================================================= -# RESTORE THE NGINX CONFIGURATION -#================================================= -ynh_script_progression --message="Restoring the NGINX web server configuration..." --weight=1 - -ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" - #================================================= # RESTORE THE POSTGRESQL DATABASE #================================================= @@ -51,9 +37,13 @@ ynh_script_progression --message="Restoring the PostgreSQL database..." --weight ynh_psql_execute_file_as_root --file="./db.sql" --database=$db_name #================================================= -# RESTORE VARIOUS FILES +# RESTORE THE PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Restoring various files..." --weight=1 +ynh_script_progression --message="Restoring PHP-FPM configuration..." --weight=1 + +ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" + +ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_restore_file --origin_path="/etc/cron.d/$app" 
@@ -61,35 +51,13 @@ mkdir -p "/var/log/$app/" touch "/var/log/$app/${app}-horizon.log" chown -R $app: "/var/log/$app/" -#================================================= -# RESTORE SUPERVISOR CONFIGURATION -#================================================= -ynh_script_progression --message="Restoring the supervisor configuration..." --weight=1 +ynh_restore_file --origin_path="/etc/systemd/system/$app.service" +systemctl enable "$app.service" --quiet -ynh_restore_file --origin_path="/etc/supervisor/conf.d/${app}-horizon.conf" -supervisorctl reread && supervisorctl update - -#================================================= -# RESTORE THE LOGROTATE CONFIGURATION -#================================================= -ynh_script_progression --message="Restoring the logrotate configuration..." --weight=1 +yunohost service add "$app" --description="A short description of the app" --log="/var/log/$app/$app.log" ynh_restore_file --origin_path="/etc/logrotate.d/$app" -#================================================= -# INTEGRATE SERVICE IN YUNOHOST -#================================================= -ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 - -yunohost service add "supervisor" --description="Supervisor daemon for $app" --log="/var/log/$app/${app}-horizon.log" - -#================================================= -# START SUPERVISOR SERVICE -#================================================= -ynh_script_progression --message="Starting a supervisor service..." --weight=1 - -ynh_supervisor_action --service_name="${app}-horizon" --action="reload" --log_path="systemd" --line_match="success: ${app}-horizon" - #================================================= # GENERIC FINALIZATION #================================================= 
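Review bot: The restored log directory gets `chown -R $app:` but no `chmod`, while install and upgrade apply `chmod -R 600`, so a restored instance ends up with different log permissions than a fresh one; add the same chmod here (ideally `750` on the directory, `600` on the files). The touched file `${app}-horizon.log` is also not the one the restored unit appends to (`/var/log/$app/$app.log`), so the file the `yunohost service add` line points at is only created once systemd starts the worker. The `--description="A short description of the app"` placeholder should be replaced with a real service description, as in the install script.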
@@ -97,7 +65,9 @@ ynh_supervisor_action --service_name="${app}-horizon" --action="reload" --log_pa #================================================= ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." --weight=1 +ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" ynh_systemd_action --service_name=php$phpversion-fpm --action=reload + ynh_systemd_action --service_name=nginx --action=reload #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 76ef052e..a5b0b099 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -10,19 +10,11 @@ source _common.sh source /usr/share/yunohost/helpers #================================================= -# CHECK VERSION +# STOP SYSTEMD SERVICE #================================================= +ynh_script_progression --message="Stopping $app's systemd service..." --weight=1 -upgrade_type=$(ynh_check_app_version_changed) - -#================================================= -# STANDARD UPGRADE STEPS -#================================================= -# STOP SUPERVISOR SERVICE -#================================================= -ynh_script_progression --message="Stopping a supervisor service..." --weight=1 - -ynh_supervisor_action --service_name="${app}-horizon" --action="stop" --log_path="systemd" --line_match="stopped: ${app}-horizon" +ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log" #================================================= # ENSURE DOWNWARD COMPATIBILITY 
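Review bot: `ynh_systemd_action --service_name="$app" --action="stop"` now runs before the "ENSURE DOWNWARD COMPATIBILITY" section, and on an instance installed with the previous supervisor-based release no `$app.service` exists yet, so `systemctl stop` fails ("Unit not loaded") and the helper treats that as fatal, aborting the upgrade. Guard it, e.g. `if [ -e "/etc/systemd/system/$app.service" ]; then ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log"; fi`, and stop the old `${app}-horizon` supervisor program in the other branch. The migration should then also run `ynh_remove_supervisor_config --service="${app}-horizon"` and `yunohost service remove supervisor`, or the old worker keeps running alongside the new unit; that section lies outside this hunk, so it may already be handled there.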
@@ -104,14 +96,10 @@ fi #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= +ynh_script_progression --message="Upgrading source files..." --weight=1 -if [ "$upgrade_type" == "UPGRADE_APP" ] -then - ynh_script_progression --message="Upgrading source files..." --weight=1 - - # Download, check integrity, uncompress and patch the source from app.src - ynh_setup_source --dest_dir="$install_dir" --keep=".env" -fi +# Download, check integrity, uncompress and patch the source from app.src +ynh_setup_source --dest_dir="$install_dir" --keep=".env" chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" @@ -135,14 +123,22 @@ ynh_script_progression --message="Upgrading PHP-FPM configuration..." --weight=1 # Create a dedicated PHP-FPM config ynh_add_fpm_config --usage=$fpm_usage --footprint=$fpm_footprint --group=www-data -#================================================= -# NGINX CONFIGURATION -#================================================= -ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=1 - # Create a dedicated NGINX config ynh_add_nginx_config +mkdir -p "/var/log/$app/" +touch "/var/log/$app/${app}-horizon.log" +chown -R $app: "/var/log/$app/" +chmod -R 600 "/var/log/$app/" + +ynh_add_config --template="cron" --destination="/etc/cron.d/$app" + +ynh_add_systemd_config + +ynh_use_logrotate --non-append + +yunohost service add "$app" --description="A short description of the app" --log="/var/log/$app/$app.log" + #================================================= # SPECIFIC UPGRADE #================================================= 
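Review bot: `ynh_use_logrotate --non-append` is called without `--logfile`, so the regenerated logrotate config covers only the helper's default (`/var/log/$app/*.log`) and drops the `storage/logs/laravel.log` entry that install registers with `--specific_user=$app/www-data`; after the first upgrade Laravel's own log is no longer rotated. Mirror install here with `ynh_use_logrotate --non-append --logfile="/var/log/$app/$app.log"` followed by `ynh_use_logrotate --logfile="$install_dir/storage/logs/laravel.log" --specific_user=$app/www-data`. The `${app}-horizon.log` touched in this hunk is still not the `$app.log` the unit and `yunohost service add` use, `chmod -R 600` again strips the execute bit from the directory, and the placeholder description is repeated here.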
@@ -195,53 +191,11 @@ pushd "$install_dir" popd #================================================= -# CREATE LOG FILE +# START SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Creating log file..." --weight=1 +ynh_script_progression --message="Starting $app's systemd service..." --weight=1 -mkdir -p "/var/log/$app/" -touch "/var/log/$app/${app}-horizon.log" -chown -R $app: "/var/log/$app/" -chmod -R 600 "/var/log/$app/" - -#================================================= -# UPGRADE THE CRON FILE -#================================================= -ynh_script_progression --message="Upgrading cron file..." --weight=1 - -ynh_add_config --template="../conf/cron" --destination="/etc/cron.d/$app" - -#================================================= -# SETUP SUPERVISOR -#================================================= -ynh_script_progression --message="Upgrading supervisor configuration..." --weight=1 - -# Create a dedicated supervisor config -ynh_add_supervisor_config --service="${app}-horizon" --template=horizon.conf - -#================================================= -# GENERIC FINALIZATION -#================================================= -# SETUP LOGROTATE -#================================================= -ynh_script_progression --message="Upgrading logrotate configuration..." --weight=1 - -# Use logrotate to manage app-specific logfile(s) -ynh_use_logrotate --non-append - -#================================================= -# INTEGRATE SERVICE IN YUNOHOST -#================================================= -ynh_script_progression --message="Integrating service in YunoHost..." 
--weight=1 - -yunohost service add "supervisor" --description="Supervisor daemon for $app" --log="/var/log/$app/${app}-horizon.log" - -#================================================= -# START SUPERVISOR SERVICE -#================================================= -ynh_script_progression --message="Starting a supervisor service..." --weight=1 - -ynh_supervisor_action --service_name="${app}-horizon" --action="start" --log_path="systemd" --line_match="success: ${app}-horizon" +ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" #================================================= # END OF SCRIPT