diff --git a/README.md b/README.md
index 03fd693..c3eb6e6 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
A movie collection manager for Usenet and BitTorrent users.
-**Shipped version:** 3.2.2.5080~ynh1
+**Shipped version:** 3.2.2.5080~ynh3
diff --git a/README_fr.md b/README_fr.md
index a985260..85ef1db 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
Un gestionnaire de filmothèque pour utilisateurs de Usenet et BitTorrent.
-**Version incluse :** 3.2.2.5080~ynh1
+**Version incluse :** 3.2.2.5080~ynh3
diff --git a/check_process b/check_process
index 513b501..40e68ea 100644
--- a/check_process
+++ b/check_process
@@ -8,7 +8,6 @@
domain="domain.tld"
path="/path"
admin="john"
- port="666"
; Checks
pkg_linter=1
setup_sub_dir=1
@@ -19,6 +18,7 @@
upgrade=1
#upgrade=1 from_commit=CommitHash
upgrade=1 from_commit=164fa2341225bc8ce7671d0f70cc696ed8ab58a7
+ upgrade=1 from_commit=35c7ebe40c8893321c39570608ac0deacc9407c0
backup_restore=1
multi_instance=1
port_already_use=0
@@ -29,4 +29,7 @@ Notification=none
;;; Upgrade options
; commit=164fa2341225bc8ce7671d0f70cc696ed8ab58a7
name=2021-06-03 v3.2.0.5048
- manifest_arg=domain=DOMAIN&path=PATH&admin=USER&port=666&
+ manifest_arg=domain=DOMAIN&path=PATH&admin=USER&
+ ; commit=35c7ebe40c8893321c39570608ac0deacc9407c0
+ name=2021-06-13 3.2.2.5080~ynh1
+ manifest_arg=domain=DOMAIN&path=PATH&admin=USER&
diff --git a/conf/config.xml b/conf/config.xml
new file mode 100644
index 0000000..93d4be9
--- /dev/null
+++ b/conf/config.xml
@@ -0,0 +1,16 @@
+
+ info
+ 127.0.0.1
+ False
+
+ __PORT__
+ __PATH__
+ __API_KEY__
+ None
+ BuiltIn
+ master
+ __PORT__
+ False
+
+ False
+
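Review bot: Nothing in the template says why the value `None` is used or that the rendered file holds a secret. The element names are not visible in this view, but if `None` is the authentication method, Radarr itself accepts every request that reaches 127.0.0.1:__PORT__, and access control rests entirely on the reverse proxy and the `__API_KEY__` value. A comment at the top of the template, for example `<!-- Auth is delegated to the YunoHost SSO; this file contains the API key and must stay unreadable by other users -->`, would record that assumption for the next maintainer. The upgrade script's context lines show the `api` permission created with `--allowed="visitors"`, so the key is presumably the only barrier on `/api`.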
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 1331f6f..b374ab5 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,11 +1,6 @@
#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
location __PATH__ {
- # Force usage of https
- if ($scheme = http) {
- rewrite ^ https://$server_name$request_uri? permanent;
- }
-
proxy_pass http://127.0.0.1:__PORT____PATH__;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/conf/systemd.service b/conf/systemd.service
index c928967..24f0d6d 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -7,11 +7,41 @@ Type=simple
User=__APP__
Group=__APP__
WorkingDirectory=__FINALPATH__/
-ExecStart=__FINALPATH__/Radarr -nobrowser -data=__FINALPATH__/.data
+ExecStart=__FINALPATH__/Radarr -nobrowser -data=__DATA_PATH__
TimeoutStopSec=20
KillMode=process
Restart=always
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
[Install]
WantedBy=multi-user.target
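Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` names a capability that capabilities(7) does not list; the raw I/O capability is `CAP_SYS_RAWIO`. systemd is likely to ignore the unknown name with only a log warning, so that capability would stay in the bounding set. The line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Running `systemd-analyze verify` on the rendered unit would catch this kind of parse warning.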
diff --git a/manifest.json b/manifest.json
index aa95954..8888052 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
"en": "A movie collection manager for Usenet and BitTorrent users.",
"fr": "Un gestionnaire de filmothèque pour utilisateurs de Usenet et BitTorrent."
},
- "version": "3.2.2.5080~ynh1",
+ "version": "3.2.2.5080~ynh3",
"url": "https://radarr.video",
"upstream": {
"license": "GPL-3.0-only",
@@ -20,7 +20,7 @@
"email": "tituspijean@outlook.com"
},
"requirements": {
- "yunohost": ">= 4.2"
+ "yunohost": ">= 4.3"
},
"multi_instance": true,
"services": [
@@ -32,19 +32,17 @@
"install" : [
{
"name": "domain",
- "type": "domain",
- "example": "example.com"
+ "type": "domain"
},
{
"name": "path",
"type": "path",
- "example": "/radarr",
- "default": "/radarr"
+ "default": "/radarr",
+ "example": "/radarr"
},
{
"name": "admin",
- "type": "user",
- "example": "johndoe"
+ "type": "user"
}
]
}
diff --git a/scripts/backup b/scripts/backup
index 0670178..8555a32 100755
--- a/scripts/backup
+++ b/scripts/backup
@@ -29,6 +29,7 @@ ynh_print_info --message="Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+data_path=$(ynh_app_setting_get --app=$app --key=data_path)
domain=$(ynh_app_setting_get --app=$app --key=domain)
#=================================================
@@ -47,6 +48,12 @@ ynh_print_info --message="Declaring files to be backed up..."
ynh_backup --src_path="$final_path"
+#=================================================
+# BACKUP THE APP DATA DIR
+#=================================================
+
+ynh_backup --src_path="$data_path"
+
#=================================================
# BACKUP THE NGINX CONFIGURATION
#=================================================
diff --git a/scripts/change_url b/scripts/change_url
index 1339e40..0a5fd03 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -24,16 +24,18 @@ app=$YNH_APP_INSTANCE_NAME
#=================================================
# LOAD SETTINGS
#=================================================
-ynh_script_progression --message="Loading installation settings..." --time --weight=1
+ynh_script_progression --message="Loading installation settings..." --weight=1
# Needed for helper "ynh_add_nginx_config"
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+data_path=$(ynh_app_setting_get --app=$app --key=data_path)
port=$(ynh_app_setting_get --app=$app --key=port)
+api_key=$(ynh_app_setting_get --app=$app --key=api_key)
#=================================================
# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP
#=================================================
-ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --time --weight=1
+ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --weight=3
# Backup the current version of the app
ynh_backup_before_upgrade
@@ -68,14 +70,14 @@ fi
#=================================================
# STOP SYSTEMD SERVICE
#=================================================
-ynh_script_progression --message="Stopping a systemd service..." --time --weight=1
+ynh_script_progression --message="Stopping a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
#=================================================
# MODIFY URL IN NGINX CONF
#=================================================
-ynh_script_progression --message="Updating NGINX web server configuration..." --time --weight=1
+ynh_script_progression --message="Updating NGINX web server configuration..." --weight=1
nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
@@ -87,8 +89,11 @@ then
# Set global variables for NGINX helper
domain="$old_domain"
path_url="$new_path"
+ path="$new_path"
# Create a dedicated NGINX config
ynh_add_nginx_config
+else
+ path="$old_path"
fi
# Change the domain for NGINX
@@ -104,22 +109,28 @@ fi
#=================================================
# SPECIFIC MODIFICATIONS
#=================================================
-# ...
+# UPDATE CONFIGURATION FILE
#=================================================
+ynh_exec_warn_less 'ynh_add_config --template="../conf/config.xml" --destination="$data_path/config.xml"'
+
+chmod 750 "$data_path/config.xml"
+chmod o-rwx "$data_path/config.xml"
+chown $app "$data_path/config.xml"
+
#=================================================
# GENERIC FINALISATION
#=================================================
# START SYSTEMD SERVICE
#=================================================
-ynh_script_progression --message="Starting a systemd service..." --time --weight=1
+ynh_script_progression --message="Starting a systemd service..." --weight=2
-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Starting Web Server"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Starting Web Server" --timeout=30
#=================================================
# RELOAD NGINX
#=================================================
-ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1
+ynh_script_progression --message="Reloading NGINX web server..." --weight=1
ynh_systemd_action --service_name=nginx --action=reload
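Review bot: `api_key` is read from the app settings near the top of this script, but in this commit only the install script stores that setting. On an instance installed before this change, the template would presumably be rendered with an empty key and overwrite the one Radarr generated, unless the upgrade script sets it outside the hunks shown. A guard before the `ynh_add_config` call, such as `[ -n "$api_key" ] || ynh_die --message="api_key setting is missing"`, would fail closed instead. Separately, `chmod 750` puts execute bits on a file that holds the API key, and the following `chmod o-rwx` is then redundant. `chmod 600 "$data_path/config.xml"` followed by `chown "$app:" "$data_path/config.xml"` states the intent in two lines.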
@@ -127,4 +138,4 @@ ynh_systemd_action --service_name=nginx --action=reload
# END OF SCRIPT
#=================================================
-ynh_script_progression --message="Change of URL completed for $app" --time --last
+ynh_script_progression --message="Change of URL completed for $app" --last
diff --git a/scripts/install b/scripts/install
index e8f9e19..d6afdad 100755
--- a/scripts/install
+++ b/scripts/install
@@ -35,8 +35,11 @@ app=$YNH_APP_INSTANCE_NAME
#=================================================
ynh_script_progression --message="Validating installation parameters..." --weight=1
-final_path=/opt/yunohost.app/$app
-test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
+final_path=/opt/yunohost/$app
+test ! -e "$final_path" || ynh_die --message="Installation path ($final_path) already exists"
+
+data_path=/home/yunohost.app/$app
+test ! -e "$data_path" || ynh_die --message="Data directory ($data_path) already exists"
# Register (book) web path
ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
@@ -87,10 +90,8 @@ ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path" --source_id="app.$architecture"
-mkdir -p "$final_path/.data/logs"
-chmod 750 "$final_path"
-chmod -R o-rwx "$final_path"
-chown -R $app:$app "$final_path"
+ynh_app_setting_set --app=$app --key=data_path --value=$data_path
+mkdir -p "$data_path/logs"
#=================================================
# NGINX CONFIGURATION
@@ -115,14 +116,23 @@ ynh_add_systemd_config
#=================================================
ynh_script_progression --message="Configuring Radarr..." --weight=2
-# Start a systemd service
-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Starting Web Server"
-# Start a systemd service
-ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
+api_key=$(ynh_string_random --length=32)
+ynh_app_setting_set --app=$app --key=api_key --value=$api_key
-ynh_replace_string --match_string="7878" --replace_string="$port" --target_file="$final_path/.data/config.xml"
-ynh_replace_string --match_string="" --replace_string="$path_url" --target_file="$final_path/.data/config.xml"
-ynh_replace_string --match_string="\*" --replace_string="127.0.0.1" --target_file="$final_path/.data/config.xml"
+ynh_add_config --template="../conf/config.xml" --destination="$data_path/config.xml"
+
+#=================================================
+# SETUP FILE PERMISSIONS
+#=================================================
+ynh_script_progression --message="Setting files permissions and ownership..." --weight=1
+
+chmod 750 "$final_path"
+chmod -R o-rwx "$final_path"
+chown -R $app: "$final_path"
+
+chmod 750 "$data_path"
+chmod -R o-rwx "$data_path"
+chown -R $app: "$data_path"
#=================================================
# YUNOHOST MULTIMEDIA INTEGRATION
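Review bot: `config.xml` now contains the generated API key and is written by `ynh_add_config` before the permission block runs, while `$data_path` was created by a plain `mkdir -p` in the previous hunk. Until `chmod 750 "$data_path"` executes, the directory and possibly the file may be readable by other local users, depending on the umask and on what the helper sets (not visible here). Adding `chmod 750 "$data_path"` directly after `mkdir -p "$data_path/logs"` closes that window; the recursive block can stay where it is so the new file still gets its owner. `$api_key` in `ynh_app_setting_set` and `$app` in `chown -R $app:` are also unquoted.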
@@ -143,14 +153,14 @@ ynh_script_progression --message="Configuring log rotation..." --weight=1
# Use logrotate to manage application logfile(s)
ynh_use_logrotate
-ynh_use_logrotate --logfile="$final_path/.data/logs"
+ynh_use_logrotate --logfile="$data_path/logs"
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
-yunohost service add $app --description="Radarr daemon" --log="$final_path/.data/logs/radarr.txt"
+yunohost service add $app --description="Radarr daemon" --log="$data_path/logs/radarr.txt"
#=================================================
# START SYSTEMD SERVICE
@@ -158,7 +168,7 @@ yunohost service add $app --description="Radarr daemon" --log="$final_path/.data
ynh_script_progression --message="Starting a systemd service..." --weight=2
# Start a systemd service
-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Starting Web Server"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Starting Web Server" --timeout=30
#=================================================
# SETUP SSOWAT
diff --git a/scripts/remove b/scripts/remove
index 6a5a83e..582f1c6 100755
--- a/scripts/remove
+++ b/scripts/remove
@@ -19,6 +19,7 @@ app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
port=$(ynh_app_setting_get --app=$app --key=port)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+data_path=$(ynh_app_setting_get --app=$app --key=data_path)
#=================================================
# STANDARD REMOVE
@@ -57,6 +58,14 @@ ynh_script_progression --message="Removing app main directory..." --weight=1
# Remove the app directory securely
ynh_secure_remove --file="$final_path"
+#=================================================
+# REMOVE APP DATA DIR
+#=================================================
+ynh_script_progression --message="Removing app data directory..." --weight=1
+
+# Remove the app directory securely
+ynh_secure_remove --file="$data_path"
+
#=================================================
# REMOVE NGINX CONFIGURATION
#=================================================
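Review bot: The comment above `ynh_secure_remove --file="$data_path"` is a copy of the one used for `$final_path` and does not say that this step deletes the user's data. Something like `# Remove the data directory (config.xml, logs and everything else Radarr stores there)` would describe what is lost. If the `data_path` setting is missing on an instance that was never upgraded, the helper receives an empty path. Its behaviour in that case is not visible here, so a `[ -n "$data_path" ]` guard before the call may be worth adding.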
diff --git a/scripts/restore b/scripts/restore
index 16de336..a1729f5 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -31,17 +31,19 @@ app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+data_path=$(ynh_app_setting_get --app=$app --key=data_path)
#=================================================
# CHECK IF THE APP CAN BE RESTORED
#=================================================
ynh_script_progression --message="Validating restoration parameters..." --weight=1
-ynh_webpath_available --domain=$domain --path_url=$path_url \
- || ynh_die --message="Path not available: ${domain}${path_url}"
test ! -d $final_path \
|| ynh_die --message="There is already a directory: $final_path "
+test ! -d $data_path \
+ || ynh_die --message="There is already a directory: $data_path "
+
#=================================================
# STANDARD RESTORATION STEPS
#=================================================
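Review bot: `test ! -d $data_path` expands the variable unquoted and checks only for a directory, whereas the install script in this same commit uses `test ! -e "$data_path"`. With an empty value the unquoted form collapses to `test ! -d`, which evaluates false, so the script dies with the misleading message "There is already a directory: ". `test ! -e "$data_path" \` would match install and also reject a file or symlink at that path. The unchanged `$final_path` test just above has the same form.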
@@ -66,16 +68,21 @@ ynh_script_progression --message="Restoring the app main directory..." --weight=
ynh_restore_file --origin_path="$final_path"
-# FIXME: this should be managed by the core in the future
-# Here, as a packager, you may have to tweak the ownerhsip/permissions
-# such that the appropriate users (e.g. maybe www-data) can access
-# files in some cases.
-# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
-# this will be treated as a security issue.
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:$app "$final_path"
+#=================================================
+# RESTORE THE APP DATA DIR
+#=================================================
+ynh_script_progression --message="Restoring the app data directory..." --weight=2
+
+ynh_restore_file --origin_path="$data_path"
+
+chmod 750 "$data_path"
+chmod -R o-rwx "$data_path"
+chown -R $app: "$data_path"
+
#=================================================
# YUNOHOST MULTIMEDIA INTEGRATION
#=================================================
@@ -109,14 +116,14 @@ systemctl enable $app.service --quiet
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
-yunohost service add $app --description="Radarr daemon" --log="$final_path/.data/logs/radarr.txt"
+yunohost service add $app --description="Radarr daemon" --log="$data_path/logs/radarr.txt"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=2
-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Starting Web Server"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Starting Web Server" --timeout=30
#=================================================
# RESTORE THE LOGROTATE CONFIGURATION
diff --git a/scripts/upgrade b/scripts/upgrade
index b78dc2a..eee93d9 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -21,6 +21,7 @@ path_url=$(ynh_app_setting_get --app=$app --key=path)
admin=$(ynh_app_setting_get --app=$app --key=admin)
port=$(ynh_app_setting_get --app=$app --key=port)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+data_path=$(ynh_app_setting_get --app=$app --key=data_path)
#=================================================
# CHECK VERSION
@@ -67,6 +68,13 @@ if ! ynh_permission_exists --permission="api"; then
ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
fi
+# Move data directory if needed
+if [ -z "$data_path" ]; then
+ data_path=/home/yunohost.app/$app
+ ynh_app_setting_set --app=$app --key=data_path --value=$data_path
+ mv "$final_path/.data" "/home/yunohost.app/$app"
+fi
+
#=================================================
# CREATE DEDICATED USER
#=================================================
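Review bot: The migration block stores `data_path` in the app settings before `mv` has run. If the move fails and the settings are not rolled back, the next upgrade sees a non-empty setting and skips the migration; `mkdir -p "$data_path/logs"` further down then creates a fresh empty data directory while the real data stays under `$final_path/.data`. `mv` also targets the literal path instead of `"$data_path"`, and if that directory already exists, `.data` is moved inside it rather than renamed. Moving first, refusing an existing target and saving the setting last avoids both problems. Whether the service is stopped before this point is not visible in the hunk and should be checked, since the directory is being moved out from under the daemon.

```shell
if [ -z "$data_path" ]; then
    # … unchanged: data_path assignment …
    test ! -e "$data_path" || ynh_die --message="Data directory ($data_path) already exists"
    mkdir -p "$(dirname "$data_path")"
    mv "$final_path/.data" "$data_path"
    ynh_app_setting_set --app=$app --key=data_path --value="$data_path"
fi
```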
@@ -89,10 +97,14 @@ then
ynh_setup_source --dest_dir="$final_path" --source_id="app.$architecture"
fi
-mkdir -p "$final_path/.data/logs"
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
-chown -R $app:www-data "$final_path"
+chown -R $app: "$final_path"
+
+mkdir -p "$data_path/logs"
+chmod 750 "$data_path"
+chmod -R o-rwx "$data_path"
+chown -R $app: "$data_path"
#=================================================
# NGINX CONFIGURATION
@@ -128,21 +140,21 @@ ynh_script_progression --message="Upgrading logrotate configuration..." --weight
# Use logrotate to manage app-specific logfile(s)
ynh_use_logrotate --non-append
-ynh_use_logrotate --non-append --logfile="$final_path/.data/logs"
+ynh_use_logrotate --non-append --logfile="$data_path/logs"
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
-yunohost service add $app --description="Radarr daemon" --log="$final_path/.data/logs/radarr.txt"
+yunohost service add $app --description="Radarr daemon" --log="$data_path/logs/radarr.txt"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=2
-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Starting Web Server" --timeout=30
#=================================================
# RELOAD NGINX