YunoHost-Apps/rportd_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/rportd_ynh.git synced 2024-09-03 20:16:15 +02:00
Code Issues Activity Actions

Merge pull request #1 from YunoHost-Apps/testing

Browse source 
First implementation
This commit is contained in:
yalh76 2022-06-21 00:09:21 +02:00 committed by GitHub
commit b467e47b0b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
30 changed files with 740 additions and 1158 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.gitignore vendored
View file

@ -1,2 +0,0 @@
*~
*.sw[op]

23
LICENSE
View file

@ -1,4 +1,21 @@
File containing the license of your package.
MIT License
More information here:
https://yunohost.org/packaging_apps_guidelines#yep-1-3
Copyright (c) 2020 CloudRadar
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

67
README.md
View file

@ -1,84 +1,47 @@
# Packaging an app, starting from this example
* Copy this app before working on it, using the ['Use this template'](https://github.com/YunoHost/example_ynh/generate) button on the Github repo.
* Edit the `manifest.json` with app specific info.
* Edit the `install`, `upgrade`, `remove`, `backup`, and `restore` scripts, and any relevant conf files in `conf/`.
* Using the [script helpers documentation.](https://yunohost.org/packaging_apps_helpers)
* Add a `LICENSE` file for the package.
* Edit `doc/DISCLAIMER*.md`
* The `README.md` files are to be automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator
---
<!--
N.B.: This README was automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator
It shall NOT be edited by hand.
-->
# Example app for YunoHost
# Rportd for YunoHost
[![Integration level](https://dash.yunohost.org/integration/example.svg)](https://dash.yunohost.org/appci/app/example) ![Working status](https://ci-apps.yunohost.org/ci/badges/example.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/example.maintain.svg)
[![Install Example app with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=example)
[![Integration level](https://dash.yunohost.org/integration/rportd.svg)](https://dash.yunohost.org/appci/app/rportd) ![Working status](https://ci-apps.yunohost.org/ci/badges/rportd.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/rportd.maintain.svg)
[![Install Rportd with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=rportd)
*[Lire ce readme en français.](./README_fr.md)*
> *This package allows you to install Example app quickly and simply on a YunoHost server.
> *This package allows you to install Rportd quickly and simply on a YunoHost server.
If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.*
## Overview
Some long and extensive description of what the app is and does, lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
### Features
- Ut enim ad minim veniam, quis nostrud exercitation ullamco ;
- Laboris nisi ut aliquip ex ea commodo consequat ;
- Duis aute irure dolor in reprehenderit in voluptate ;
- Velit esse cillum dolore eu fugiat nulla pariatur ;
- Excepteur sint occaecat cupidatat non proident, sunt in culpa."
Rport helps you to manage your remote servers without the hassle of VPNs, chained SSH connections, jump-hosts, or the use of commercial tools like TeamViewer and its clones.
**Shipped version:** 1.0~ynh1
**Demo:** https://demo.example.com
**Shipped version:** 0.7.0~ynh1
## Screenshots
![Screenshot of Example app](./doc/screenshots/example.jpg)
## Disclaimers / important information
* Any known limitations, constrains or stuff not working, such as (but not limited to):
* requiring a full dedicated domain ?
* architectures not supported ?
* not-working single-sign on or LDAP integration ?
* the app requires an important amount of RAM / disk / .. to install or to work properly
* etc...
* Other infos that people should be aware of, such as:
* any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...)
* how to configure / administrate the application if it ain't obvious
* upgrade process / specificities / things to be aware of ?
* security considerations ?
![Screenshot of Rportd](./doc/screenshots/screenshot.jpg)
## Documentation and resources
* Official app website: <https://example.com>
* Official user documentation: <https://yunohost.org/apps>
* Official admin documentation: <https://yunohost.org/packaging_apps>
* Upstream app code repository: <https://some.forge.com/example/example>
* YunoHost documentation for this app: <https://yunohost.org/app_example>
* Report a bug: <https://github.com/YunoHost-Apps/example_ynh/issues>
* Official app website: <https://rport.io/>
* Official admin documentation: <https://kb.rport.io/>
* Upstream app code repository: <https://github.com/cloudradar-monitoring/rport>
* YunoHost documentation for this app: <https://yunohost.org/app_rportd>
* Report a bug: <https://github.com/YunoHost-Apps/rportd_ynh/issues>
## Developer info
Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/example_ynh/tree/testing).
Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/rportd_ynh/tree/testing).
To try the testing branch, please proceed like that.
``` bash
sudo yunohost app install https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug
sudo yunohost app install https://github.com/YunoHost-Apps/rportd_ynh/tree/testing --debug
or
sudo yunohost app upgrade example -u https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug
sudo yunohost app upgrade rportd -u https://github.com/YunoHost-Apps/rportd_ynh/tree/testing --debug
```
**More info regarding app packaging:** <https://yunohost.org/packaging_apps>

56
README_fr.md
View file

@ -3,71 +3,45 @@ N.B.: This README was automatically generated by https://github.com/YunoHost/app
It shall NOT be edited by hand.
-->
# Example app pour YunoHost
# Rportd pour YunoHost
[![Niveau d'intégration](https://dash.yunohost.org/integration/example.svg)](https://dash.yunohost.org/appci/app/example) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/example.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/example.maintain.svg)
[![Installer Example app avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=example)
[![Niveau d'intégration](https://dash.yunohost.org/integration/rportd.svg)](https://dash.yunohost.org/appci/app/rportd) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/rportd.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/rportd.maintain.svg)
[![Installer Rportd avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=rportd)
*[Read this readme in english.](./README.md)*
> *Ce package vous permet d'installer Example app rapidement et simplement sur un serveur YunoHost.
> *Ce package vous permet d'installer Rportd rapidement et simplement sur un serveur YunoHost.
Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.*
## Vue d'ensemble
Some long and extensive description of what the app is and does, lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
### Features
- Ut enim ad minim veniam, quis nostrud exercitation ullamco ;
- Laboris nisi ut aliquip ex ea commodo consequat ;
- Duis aute irure dolor in reprehenderit in voluptate ;
- Velit esse cillum dolore eu fugiat nulla pariatur ;
- Excepteur sint occaecat cupidatat non proident, sunt in culpa."
Rport helps you to manage your remote servers without the hassle of VPNs, chained SSH connections, jump-hosts, or the use of commercial tools like TeamViewer and its clones.
**Version incluse :** 1.0~ynh1
**Démo :** https://demo.example.com
**Version incluse :** 0.7.0~ynh1
## Captures d'écran
![Capture d'écran de Example app](./doc/screenshots/example.jpg)
## Avertissements / informations importantes
* Any known limitations, constrains or stuff not working, such as (but not limited to):
* requiring a full dedicated domain ?
* architectures not supported ?
* not-working single-sign on or LDAP integration ?
* the app requires an important amount of RAM / disk / .. to install or to work properly
* etc...
* Other infos that people should be aware of, such as:
* any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...)
* how to configure / administrate the application if it ain't obvious
* upgrade process / specificities / things to be aware of ?
* security considerations ?
![Capture d'écran de Rportd](./doc/screenshots/screenshot.jpg)
## Documentations et ressources
* Site officiel de l'app : <https://example.com>
* Documentation officielle utilisateur : <https://yunohost.org/apps>
* Documentation officielle de l'admin : <https://yunohost.org/packaging_apps>
* Dépôt de code officiel de l'app : <https://some.forge.com/example/example>
* Documentation YunoHost pour cette app : <https://yunohost.org/app_example>
* Signaler un bug : <https://github.com/YunoHost-Apps/example_ynh/issues>
* Site officiel de l'app : <https://rport.io/>
* Documentation officielle de l'admin : <https://kb.rport.io/>
* Dépôt de code officiel de l'app : <https://github.com/cloudradar-monitoring/rport>
* Documentation YunoHost pour cette app : <https://yunohost.org/app_rportd>
* Signaler un bug : <https://github.com/YunoHost-Apps/rportd_ynh/issues>
## Informations pour les développeurs
Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/example_ynh/tree/testing).
Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/rportd_ynh/tree/testing).
Pour essayer la branche testing, procédez comme suit.
``` bash
sudo yunohost app install https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug
sudo yunohost app install https://github.com/YunoHost-Apps/rportd_ynh/tree/testing --debug
ou
sudo yunohost app upgrade example -u https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug
sudo yunohost app upgrade rportd -u https://github.com/YunoHost-Apps/rportd_ynh/tree/testing --debug
```
**Plus d'infos sur le packaging d'applications :** <https://yunohost.org/packaging_apps>

21
check_process
View file

@ -1,34 +1,21 @@
# See here for more information
# https://github.com/YunoHost/package_check#syntax-check_process-file
# Move this file from check_process.default to check_process when you have filled it.
;; Test complet
; Manifest
domain="domain.tld"
path="/path"
is_public=1
language="fr"
admin="john"
password="1Strong-Password"
port="666"
; Checks
pkg_linter=1
setup_sub_dir=1
setup_sub_dir=0
setup_root=1
setup_nourl=0
setup_private=1
setup_private=0
setup_public=1
upgrade=1
upgrade=1 from_commit=CommitHash
# upgrade=1 from_commit=CommitHash
backup_restore=1
multi_instance=1
multi_instance=0
port_already_use=0
change_url=1
;;; Options
Email=
Notification=none
;;; Upgrade options
; commit=CommitHash
name=Name and date of the commit.
manifest_arg=domain=DOMAIN&path=PATH&is_public=1&language=fr&admin=USER&password=pass&port=666&

7
conf/amd64.src Normal file
View file

@ -0,0 +1,7 @@
SOURCE_URL=https://github.com/cloudradar-monitoring/rport/releases/download/0.7.0/rportd_0.7.0_Linux_x86_64.tar.gz
SOURCE_SUM=47ca9d1092523aa33af3938bbc0a1f81c75f1fbb9394a97a98c71a263ad86a92
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=tar.gz
SOURCE_IN_SUBDIR=false
SOURCE_FILENAME=
SOURCE_EXTRACT=true

7
conf/app.src
View file

@ -1,7 +0,0 @@
SOURCE_URL=url of app's source
SOURCE_SUM=sha256 checksum
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=tar.gz
SOURCE_IN_SUBDIR=true
SOURCE_FILENAME=
SOURCE_EXTRACT=true

7
conf/arm64.src Normal file
View file

@ -0,0 +1,7 @@
SOURCE_URL=https://github.com/cloudradar-monitoring/rport/releases/download/0.7.0/rportd_0.7.0_Linux_aarch64.tar.gz
SOURCE_SUM=9ea1119c796e41b1101f9931379ad55cbce9d3a0cf47e6a0477e6728c02a8a71
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=tar.gz
SOURCE_IN_SUBDIR=false
SOURCE_FILENAME=
SOURCE_EXTRACT=true

7
conf/armhf.src Normal file
View file

@ -0,0 +1,7 @@
SOURCE_URL=https://github.com/cloudradar-monitoring/rport/releases/download/0.7.0/rportd_0.7.0_Linux_armv7l.tar.gz
SOURCE_SUM=a3968ed81b83ef9f9452b1048040f5aa894710e069ef551ecfa43db60101d100
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=tar.gz
SOURCE_IN_SUBDIR=false
SOURCE_FILENAME=
SOURCE_EXTRACT=true

7
conf/frontend.src Normal file
View file

@ -0,0 +1,7 @@
SOURCE_URL=https://downloads.rport.io/frontend/stable/rport-frontend-stable-0.7.0-build-1026.zip
SOURCE_SUM=76cf75805fceb7e19a80bf170b638fa993f0c9e8e1f8d8776f7fe16504147fa4
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=zip
SOURCE_IN_SUBDIR=false
SOURCE_FILENAME=
SOURCE_EXTRACT=true

24
conf/mysql.sql Normal file
View file

@ -0,0 +1,24 @@
CREATE TABLE users (
username VARCHAR(150) NOT NULL,
password VARCHAR(255) NOT NULL,
token VARCHAR(36) DEFAULT NULL,
two_fa_send_to VARCHAR(150),
totp_secret VARCHAR(255) DEFAULT ''
);
CREATE UNIQUE INDEX main_username ON users (username);
CREATE TABLE groups (
username VARCHAR(150) NOT NULL,
`group` VARCHAR(150) NOT NULL
);
CREATE UNIQUE INDEX main_username_group ON groups (username,`group`);
INSERT INTO users VALUES('__ADMIN__','__PASSWORD_HASH__',null,'__ADMIN_MAIL__','');
INSERT INTO groups VALUES('__ADMIN__','Administrators');
CREATE TABLE `clients_auth` (
`id` varchar(100) PRIMARY KEY,
`password` varchar(100) NOT NULL
);

31
conf/nginx.conf
View file

@ -1,28 +1,15 @@
#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
location __PATH__/ {
# Path to source
alias __FINALPATH__/;
### Example PHP configuration (remove it if not used)
index index.php;
# Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
#client_max_body_size 50M;
try_files $uri $uri/ index.php;
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
### End of PHP configuration part
proxy_pass http://127.0.0.1:__API_PORT__;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_pass_header Server;
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc;
# include conf.d/yunohost_panel.conf.inc;
}

7
conf/novnc.src Normal file
View file

@ -0,0 +1,7 @@
SOURCE_URL=https://github.com/novnc/noVNC/archive/refs/tags/v1.3.0.zip
SOURCE_SUM=7f766c8a56e9d1c616b0f54714daf4ec88b8cf435738007140cd67117caffc43
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=zip
SOURCE_IN_SUBDIR=true
SOURCE_FILENAME=
SOURCE_EXTRACT=true

430
conf/php-fpm.conf
View file

@ -1,430 +0,0 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[__NAMETOCHANGE__]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = __USER__
group = __USER__
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /var/run/php/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.0/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
request_terminate_timeout = 1d
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
chdir = __FINALPATH__
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
; Common values to change to increase file upload limit
; php_admin_value[upload_max_filesize] = 50M
; php_admin_value[post_max_size] = 50M
; php_admin_flag[mail.add_x_header] = Off
; Other common parameters
; php_admin_value[max_execution_time] = 600
; php_admin_value[max_input_time] = 300
; php_admin_value[memory_limit] = 256M
; php_admin_flag[short_open_tag] = On

398
conf/rportd.example.conf Normal file
View file

@ -0,0 +1,398 @@
#======================================================================================================================
# vim: softtabstop=2 shiftwidth=2 expandtab fenc=utf-8 spell spelllang=en cc=120
#======================================================================================================================
#
# FILE: rportd.example.config
#
# DESCRIPTION: Configuration file for the rport server
#
# BUGS: https://github.com/cloudradar-monitoring/rport/issues
#
# HELP: https://github.com/cloudradar-monitoring/rport/blob/master/README.md
#
# COPYRIGHT: (c) 2020 by the CloudRadar Team,
#
# LICENSE: MIT
# ORGANIZATION: cloudradar GmbH, Potsdam, Germany (cloudradar.io)
# CREATED: 10/10/2020
#======================================================================================================================
[server]
## Defines the IP address and port the HTTP server listens on.
## This is where the rport clients connect to.
## Defaults: "0.0.0.0:8080"
address = "0.0.0.0:__CLIENT_PORT__"
## Optionally defines full client connect URL(s).
## Defaults to http://{address}
## This setting is only used to return via an API call where rportd is listening for client connections.
## The pairing script generates a ready-to-use client configuration based on this {url}.
## Also useful, if you run the rportd behind a reverse proxy or a port forwarding
## and the external URL differs from the internal address and port.
## Accepts a single string like 'url = "http://rport.example.com"'
## or a list like 'url = ["http://rport.example.com", "http://192.168.1.1:8000"]
url = "http://__DOMAIN__:__CLIENT_PORT__"
## Optionally defines the hostname or IP address used to generate links pointing to running tunnels.
## By default, all links are relative to the URL of the API or UI.
## If you run the API/UI behind a reverse proxy that is incapable of forwarding raw TCP/UDP packets,
## you can specify a separated tunnel_host to access tunnels, bypassing the reverse proxy.
#tunnel_host = "tunnels.rport.example.com"
## Optionally defines a custom pairing service URL.
## Defaults to https://pairing.rport.io
## To run your own pairing service refer to https://github.com/cloudradar-monitoring/rport-pairing
## Accepts a single string like
#pairing_url = "https://pairing.example.com"
## An optional string to seed the generation of a ECDSA public and private key pair.
## Highly recommended. Not using it is a big security risk.
## Use "openssl rand -hex 18" to generate a secure key seed.
key_seed = "__KEY_SEED__"
## An optional string representing a single client auth credentials, in the form of <client-auth-id>:<password>.
## This is equivalent to creating an {auth_file} with '{"<client-auth-id>":"<password>"}'.
## Use either {auth_file}/{auth_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
#auth = "clientAuth1:1234"
## An optional path to a json file with client credentials.
## This is for authentication of the rport tunnel clients.
## The file should contain a map with clients credentials defined like:
## {
## "<client-auth-id1>": "<password1>",
## "<client-auth-id2>": "<password2>"
## }
## Use either {auth_file}/{auth_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
#auth_file = "/var/lib/rport/client-auth.json"
## An optional name of a database table for client authentication.
## Requires a global database connection. See below.
## The table must be created manually.
## Learn how to create them https://oss.rport.io/docs/no03-client-auth.html#using-a-database-table
auth_table = "clients_auth"
## When using an {auth_file} or a database table creating separate credentials for each client is recommended.
## It increases security because you can lock out clients individually.
## If {auth_multiuse_creds} is false a client is rejected if another client with the same id is connected
## or has been connected within the {keep_lost_clients} interval.
## Defaults: true
#auth_multiuse_creds = true
## Having set {auth_multiuse_creds} = false, you can omit specifying a client-id.
## You can use the client-auth-id as client-id to slim down the client configuration.
## Defaults: false
#equate_clientauthid_clientid = false
## If you want to delegate the creation and maintenance to an external tool
## you should turn {auth_write} off.
## The API will reject all writing access to the client auth with HTTP 403.
## Applies only to {auth_file} and {auth_table}.
## Default: true
#auth_write = true
## Specifies another HTTP server to proxy requests to when rportd receives a normal HTTP request.
#proxy = "http://intranet.lan:8080/"
## Defines a list of port numbers or ranges of server ports,
## that would be used for automatic and manual port assignment.
## Creating reverse tunnels will fail if the requested server port is not listed here.
## Defaults to ['20000-30000'].
## Example:
## used_ports = [ '1024-2000', '9000', '9090' ]
used_ports = ['__USED_START_PORT__-__USED_END_PORT__']
## Defines a list of port numbers or ranges of server ports,
## that would not be used for automatic and manual port assignment.
## Values that are not included in the {used_ports} are ignored.
## Defaults to ['1-1024'].
## If no ports should be excluded then set it to "[]".
#excluded_ports = ['1-1024']
## An optional param to define a local directory path to store internal data.
## By default, "/var/lib/rport" is used.
## If the directory doesn't exist, it will be created.
## On Linux you must create this directory because an unprivileged user
## don't have the right to create a directory in /var/lib.
## Ideally this directory is the homedir of the rport user and has been created along with the user.
## Example: useradd -r -d /var/lib/rport -m -s /bin/false -U -c "System user for rport client and server" rport
data_dir = "__DATADIR__"
## By default all Sqlite3 databases are opened with WAL enabled.
## This is a performance enhancement. Do not turn off, unless you have good reasons.
#sqlite_wal = true
## An optional param to define whether disconnected clients get cleaned up.
## By default the clients are cleaned up.
#cleanup_lost_clients = true
## An optional param to define a duration to keep info (clients, tunnels, etc) about active and disconnected clients.
## By default is "1h". To disable it set it to "0". Disconnected clients are purged immediately.
## When cleanup_lost_clients = false, this has no effect.
## It can contain "h"(hours), "m"(minutes), "s"(seconds).
## Maximum allowed: 168h (=7days)
keep_lost_clients = "168h"
## An optional param to define an interval to clean up internal storage from obsolete
## disconnected clients. It can contain "h"(hours), "m"(minutes), "s"(seconds).
## By default, 1 minute is used.
#cleanup-clients-interval = "1m"
## An optional param to define a limit for data that can be sent by API requests.
## By default is set to 10240(10Kb).
#max_request_bytes = 10240
## An optional param to define a limit for data that can be sent by rport clients.
## By default is set to 524288(512Kb).
#max_request_bytes_client = 524288
## The maximum upload size of a file in bytes.
## If exceeded, an error is returned. Please note that max_request_bytes is not affecting the file upload API
## https://oss.rport.io/docs/no18-file-upload.html
## Defaults: 10485760 bytes (ca 10,5 MB).
#max_filepush_size = 10485760
## An optional param to define a timeout in seconds to observe the remote command execution.
## Defaults: 60.
#run_remote_cmd_timeout_sec = 60
## An optional param to define a timeout to check whether a remote destination of a requested new tunnel is available,
## i.e. whether a given remote port is open on a client machine. By default, "2s" is used.
#check_port_timeout = "1s"
## There is no technical requirement to run the rport server under the root user.
## Running it as root is an unnecessary security risk.
## You don't even need root-rights to run rport on tcp ports below 1024.
## Use "setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/rportd" to allow the usage of any tcp ports.
## Hint: setcap must be applied after each update of the binary.
## Consider integrating it into the systemd service file as an ExecStartPre option.
## Rport exits with an error if started as root unless you explicitly allow it.
## Defaults to false
#allow_root = false
## Protect your server against password guessing.
## Force clients to wait N seconds (float) between unsuccessful login attempts.
## This is per client auth id.
## A message like
## 'client-listener: Failed login attempt for client auth id "abc", forcing to wait for {client_login_wait}s ({ip})'
## is logged to the info log.
## Consider changing the log_level to 'info' to trace failed login attempts.
## Learn more https://oss.rport.io/docs/no10-securing-the-server.html
## Defaults: 2.0
#client_login_wait = 2.0
## After {max_failed_login} consecutive failed login-in attempts ban the source IP address for {ban_time} seconds.
## HTTP Status 423 is returned.
## A message like
## 'Maximum of {max_failed_login} login attempts reached. Visitor ({remote-ip}) banned. Ban expiry: 2021-04-16T11:22:26+00:00'
## is logged to the info log.
## Banning happens on HTTP level.
## Consider banning on network level using fail2ban.
## Learn more https://oss.rport.io/docs/no10-securing-the-server.html
## Defaults: max_failed_login = 5, ban_time = 3600
#max_failed_login = 5
#ban_time = 3600
## To enable testing endpoints (/test/commands/ui and /test/scripts/ui) for ws endpoints (/ws/commands and /ws/scripts) provide
## true for `enable_ws_test_endpoints`
## Defaults: enable_ws_test_endpoints = false
#enable_ws_test_endpoints = false
## Enable the creation of tunnel proxies with giving certificate- and key-file
## Defaults: not enabled
tunnel_proxy_cert_file = "/etc/yunohost/certs/__DOMAIN__/crt.pem"
tunnel_proxy_key_file = "/etc/yunohost/certs/__DOMAIN__/key.pem"
## If specified, rportd will serve novnc javascript app from this directory.
novnc_root = "__FINALPATH__/noVNC"
## Host and port where guacd daemon is listening.
## If specified, rportd will serve remote desktop connections in browser through Apache Guacamole.
guacd_address = "127.0.0.1:__GUACD_PORT__"
## Maximum number of results to keep for commands, scripts and schedules execution
#jobs_max_results = 10000
[logging]
## Specifies log file path for global logging
## Not setting {log_file} turns logging off.
log_file = "/var/log/__APP__/__APP__.log"
## Specify log level. Values: 'error', 'info', 'debug'.
## Defaults to 'info'
log_level = "info"
[api]
## Defines the IP address and port the API server listens on.
## Specify non-empty {address} to enable API support.
address = "127.0.0.1:__API_PORT__"
## Defines <user>:<password> authentication pair for accessing the API. Enables access for a single user.
## Learn more about api auth options and get examples https://oss.rport.io/docs/no02-api-auth.html
## Use either {auth_file}/{auth_user_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
#auth = "admin:foobaz"
## Use a json file containing users, passwords and groups.
## Passwords are expected to be bcrypt encoded.
## Learn more about api auth options and get examples https://oss.rport.io/docs/no02-api-auth.html
## Use either {auth_file}/{auth_user_table} or {auth}. Not both.
## If multiple auth options are enabled, rportd exits with an error.
#auth_file = "/var/lib/rport/api-auth.json"
## An optional name of two database tables for api user authentication.
## Requires a global database connection. See below.
## Tables must be created manually.
## Learn how to create them https://oss.rport.io/docs/no02-api-auth.html#database
auth_user_table = "users"
auth_group_table = "groups"
## The rport server can treat all requests as pre-authenticated by a reverse proxy based on a http header.
## This option is enabled if auth_header is set.
## If the header exists, the request is considered valid and a session is created.
## Inside the same or a different header, the username must be submitted.
#auth_header = "Authentication-IsAuthenticated"
#user_header = "Authentication-User"
## If the user doesn't exist yet, it can be created on-the-fly.
## Disabled by default
#create_missing_users = true
## If users are created on-the-fly to which user group do they belong?
#default_user_group = "Administrators"
## Use two-factor authentication to generate auth tokens.
## Learn more on https://oss.rport.io/docs/no02-api-auth.html#two-factor-auth
## Using 2FA will disable HTTP basic authentication on all API endpoints except '/login'. It triggers sending 2FA
## verification code to a user using a chosen delivery method. This code can be further verified using '/verify-2fa' endpoint.
## Two-factor authentication requires either a valid SMTP or Pushover setup.
## Your user-password store (json files or DB table) needs an additional field 'two_fa_send_to'.
## 2FA is not available if you use a single static user-password pair set directly in the rportd.conf.
## Use either 'smtp', 'pushover' or a path to an executable binary or script.
## Executables must read recipients details from the environment. Check our examples from the link above.
## Sending the token has a default timeout of 10 seconds.
## 2FA is disabled by default.
## Token sent via the specified delivery method has a default lifetime of 600 seconds.
#two_fa_token_delivery = 'smtp'
#two_fa_token_ttl_seconds = 600
#two_fa_send_timeout = 10s
## When using an executable for token delivery, you can optionally specify how the two_fa_send_to is validated on changes.
## Ignored when using SMTP or Pushover for token delivery.
## Use two_fa_send_to_type = 'email' to accept only valid email address.
## Or use a regular expression, for example
## two_fa_send_to_type = 'regex'
## two_fa_send_to_regex = '[a-z0-9]{10}'
#two_fa_send_to_type = 'none'
## To enable time-based onetime tokens generated by apps likes Google or Microsoft Authenticator,
## set 'totp_enabled = true'.
## Your user-password store (json files or DB table) needs an additional text field 'totp_secret'.
#totp_enabled = false
## Learn more on https://oss.rport.io/docs/no02-api-auth.html#two-factor-auth
## Before sending the token generated by the authenticator app,
## users should do a login attempt. Otherwise thye can request tokens directly without login.
## 'totp_login_session_ttl' sets the timeout after which totp codes won't be accepted
#totp_login_session_ttl = '600s'
## If you run multiple RPort servers, you should give them different totp account names
## to differentiate them on your authenticator app.
totp_account_name = '__DOMAIN__'
## Defines JWT secret used to generate new tokens.
## If not set, it will be generated by server.
jwt_secret = "__JWT_SECRET__"
## If specified, rportd will serve static files from this directory on the same API address.
## This is the place where the frontend files (html/js) go.
## Learn how to install the frontend https://oss.rport.io/docs/no07-frontend.html
doc_root = "__FINALPATH__/frontend"
## If both cert_file and key_file are specified, then rportd will use them to serve the API with https.
## Intermediate certificates should be included in cert_file if required.
#cert_file = "/etc/yunohost/certs/__DOMAIN__/crt.pem"
#key_file = "/etc/yunohost/certs/__DOMAIN__/key.pem"
## Specifies file for API access logs. Logs will be written in Combined Log Format.
## If this is not set the API access logs are disabled.
access_log_file = "/var/log/__APP__/api-access.log"
## Protect your API server against password guessing.
## Force users to wait N seconds (float) between unsuccessful login attempts.
## This is per username.
## Defaults: 2.0
#user_login_wait = 2.0
## After X failed login-in attempts ban the source IP address for Z seconds.
#max_failed_login = 5
#ban_time = 3600
## Each action is logged and stored in a database to follow up who did what when.
## The audit log is enabled by default. The data is stored in {data_dir}.audit_log.db
#enable_audit_log = true
## Storing the full remote IP address of the API users might violate privacy protection regulations.
## Using obfuscation stores only the first three segments of the IP address (IPv4 only).
## Turned off by default.
#use_ip_obfuscation = false
## Depending on the number of actions your rport server performs, the audit log can grow fast.
## By default, the audit_log database file is changed every month.
## Consider changing to a faster rotation.
#audit_log_rotation = 'monthly' , possible values: yearly, monthly, weekly, daily
[database]
## Global configuration of a database connection.
## The database and the initial schema must be created manually.
## Learn how to use a database:
## for api auth: https://oss.rport.io/docs/no02-api-auth.html#database
## for clients auth: https://oss.rport.io/docs/no03-client-auth.html#using-a-database-table
## Supported: MySQL/MariaDB and Sqlite3
## For MySQL or MariaDB.
db_type = "mysql"
## For Sqlite3.
#db_type = "sqlite"
## Only for MySQL/Mariadb, ignored for Sqlite.
db_host = "127.0.0.1:3306"
#db_host = "socket:/var/run/mysqld/mysqld.sock"
## Credentials, only for MySQL/Mariadb, ignored for Sqlite.
db_user = "__DB_USER__"
db_password = "__DB_PWD__"
## For MySQL/MariaDB name of the database.
db_name = "__DB_NAME__"
## For Sqlite full path to the sqlite3 file.
#db_name = "/var/lib/rport/database.sqlite3"
[pushover]
## Pushover settings for sending push messages via Pushover.net. Currently used only for sending two-factor auth tokens.
## Learn more on https://oss.rport.io/docs/no15-messaging.html#pushover
## Required (only if pushover is specified as {api.two_fa_token_delivery}): pushover API token and user key
#api_token = 'abc123'
#user_key = 'user123'
[smtp]
## SMTP settings for sending email. Currently used only for sending two-factor auth tokens.
## Learn more on https://oss.rport.io/docs/no15-messaging.html#smtp
## Required (only if smtp is specified as {api.two_fa_token_delivery}):
## smtp server and port separated by a colon. e.g. server = 'smtp.gmail.com:2525'
## sender email - an email that is used to send 2FA tokens
## Optional:
## auth_username, specify a username for authentication
## auth_password, specify a password for the username.
## secure = true|false, enable if Implicit(Forced) TLS must be used.
server = 'localhost:25'
sender_email = '__APP__@__DOMAIN__'
#auth_username = 'john.doe'
#auth_password = 'secret'
secure = false
[monitoring]
## The rport server stores monitoring data of the clients for N days.
## https://oss.rport.io/docs/no17-monitoring.html
## Older data is purged automatically.
## Default: 30 days
data_storage_days = 30

45
conf/systemd.service
View file

@ -1,45 +1,24 @@
[Unit]
Description=Small description of the service
After=network.target
Description=Create reverse tunnels with ease.
ConditionFileIsExecutable=__FINALPATH__/bin/rportd
After=rport-guacd.service
[Service]
Type=simple
User=__APP__
Group=__APP__
WorkingDirectory=__FINALPATH__/
ExecStart=__FINALPATH__/script
StandardOutput=append:/var/log/__APP__/__APP__.log
StandardError=inherit
EnvironmentFile=-/etc/sysconfig/rportd
ExecStart=__FINALPATH__/bin/rportd "-c" "__FINALPATH__/rportd.conf"
StartLimitInterval=5
StartLimitBurst=10
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
LimitNPROC=512
LimitNOFILE=1048576
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=always
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
RestartSec=120
[Install]
WantedBy=multi-user.target

10
doc/DESCRIPTION.md
View file

@ -1,9 +1 @@
Some long and extensive description of what the app is and does, lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
### Features
- Ut enim ad minim veniam, quis nostrud exercitation ullamco ;
- Laboris nisi ut aliquip ex ea commodo consequat ;
- Duis aute irure dolor in reprehenderit in voluptate ;
- Velit esse cillum dolore eu fugiat nulla pariatur ;
- Excepteur sint occaecat cupidatat non proident, sunt in culpa."
Rport helps you to manage your remote servers without the hassle of VPNs, chained SSH connections, jump-hosts, or the use of commercial tools like TeamViewer and its clones.

12
doc/DISCLAIMER.md
View file

@ -1,12 +0,0 @@
* Any known limitations, constrains or stuff not working, such as (but not limited to):
* requiring a full dedicated domain ?
* architectures not supported ?
* not-working single-sign on or LDAP integration ?
* the app requires an important amount of RAM / disk / .. to install or to work properly
* etc...
* Other infos that people should be aware of, such as:
* any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...)
* how to configure / administrate the application if it ain't obvious
* upgrade process / specificities / things to be aware of ?
* security considerations ?

BIN
doc/screenshots/example.jpg
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 35 KiB

BIN
doc/screenshots/screenshot.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 543 KiB

57
manifest.json
View file

@ -1,33 +1,29 @@
{
"name": "Example app",
"id": "example",
"name": "Rportd",
"id": "rportd",
"packaging_format": 1,
"description": {
"en": "Explain in *a few (10~15) words* the purpose of the app or what it actually does (it is meant to give a rough idea to users browsing a catalog of 100+ apps)",
"fr": "Expliquez en *quelques* (10~15) mots l'utilité de l'app ou ce qu'elle fait (l'objectif est de donner une idée grossière pour des utilisateurs qui naviguent dans un catalogue de 100+ apps)"
"en": "Manage your remote servers"
},
"version": "1.0~ynh1",
"url": "https://example.com",
"version": "0.7.0~ynh1",
"url": "https://rport.io/",
"upstream": {
"license": "free",
"website": "https://example.com",
"demo": "https://demo.example.com",
"admindoc": "https://yunohost.org/packaging_apps",
"userdoc": "https://yunohost.org/apps",
"code": "https://some.forge.com/example/example"
"license": "MIT",
"website": "https://rport.io/",
"admindoc": "https://kb.rport.io/",
"code": "https://github.com/cloudradar-monitoring/rport"
},
"license": "free",
"license": "MIT",
"maintainer": {
"name": "John doe",
"email": "john.doe@example.com"
"name": "",
"email": ""
},
"requirements": {
"yunohost": ">= 4.3.0"
},
"multi_instance": true,
"multi_instance": false,
"services": [
"nginx",
"php7.3-fpm",
"mysql"
],
"arguments": {
@ -36,38 +32,13 @@
"name": "domain",
"type": "domain"
},
{
"name": "path",
"type": "path",
"example": "/example",
"default": "/example"
},
{
"name": "is_public",
"type": "boolean",
"default": true
},
{
"name": "language",
"type": "string",
"ask": {
"en": "Choose the application language",
"fr": "Choisissez la langue de l'application"
},
"choices": ["fr", "en"],
"default": "fr"
},
{
"name": "admin",
"type": "user"
},
{
"name": "password",
"type": "password",
"help": {
"en": "Use the help field to add an information for the admin about this question.",
"fr": "Utilisez le champ aide pour ajouter une information à l'intention de l'administrateur à propos de cette question."
}
"type": "password"
}
]
}

2
scripts/_common.sh
View file

@ -5,7 +5,7 @@
#=================================================
# dependencies used by the app
pkg_dependencies="deb1 deb2 php$YNH_DEFAULT_PHP_VERSION-deb1 php$YNH_DEFAULT_PHP_VERSION-deb2"
pkg_dependencies="pwgen apache2-utils unzip curl sqlite3 netcat"
#=================================================
# PERSONAL HELPERS

31
scripts/backup
View file

@ -15,7 +15,6 @@ source /usr/share/yunohost/helpers
#=================================================
ynh_clean_setup () {
### Remove this function if there's nothing to clean before calling the remove script.
true
}
# Exit if an error occurs during the execution of the script
@ -31,7 +30,6 @@ app=$YNH_APP_INSTANCE_NAME
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
domain=$(ynh_app_setting_get --app=$app --key=domain)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
datadir=$(ynh_app_setting_get --app=$app --key=datadir)
#=================================================
@ -39,11 +37,6 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir)
#=================================================
ynh_print_info --message="Declaring files to be backed up..."
### N.B. : the following 'ynh_backup' calls are only a *declaration* of what needs
### to be backuped and not an actual copy of any file. The actual backup that
### creates and fill the archive with the files happens in the core after this
### script is called. Hence ynh_backups calls takes basically 0 seconds to run.
#=================================================
# BACKUP THE APP MAIN DIR
#=================================================
@ -62,19 +55,6 @@ ynh_backup --src_path="$datadir" --is_big
ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# BACKUP THE PHP-FPM CONFIGURATION
#=================================================
ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
#=================================================
# BACKUP FAIL2BAN CONFIGURATION
#=================================================
ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf"
ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf"
#=================================================
# SPECIFIC BACKUP
#=================================================
@ -89,22 +69,11 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
ynh_backup --src_path="/etc/systemd/system/$app.service"
#=================================================
# BACKUP VARIOUS FILES
#=================================================
ynh_backup --src_path="/etc/cron.d/$app"
ynh_backup --src_path="/etc/$app/"
#=================================================
# BACKUP THE MYSQL DATABASE
#=================================================
ynh_print_info --message="Backing up the MySQL database..."
### (However, things like MySQL dumps *do* take some time to run, though the
### copy of the generated dump to the archive still happens later)
ynh_mysql_dump_db --database="$db_name" > db.sql
#=================================================

20
scripts/change_url
View file

@ -17,14 +17,14 @@ old_domain=$YNH_APP_OLD_DOMAIN
old_path=$YNH_APP_OLD_PATH
new_domain=$YNH_APP_NEW_DOMAIN
new_path=$YNH_APP_NEW_PATH
new_path="/"
app=$YNH_APP_INSTANCE_NAME
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --time --weight=1
ynh_script_progression --message="Loading installation settings..."
# Needed for helper "ynh_add_nginx_config"
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
@ -37,11 +37,12 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
#=================================================
# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP
#=================================================
ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --time --weight=1
ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..."
# Backup the current version of the app
ynh_backup_before_upgrade
ynh_clean_setup () {
ynh_clean_check_starting
# Remove the new domain config file, the remove script won't do it as it doesn't know yet its location.
ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"
@ -72,14 +73,14 @@ fi
#=================================================
# STOP SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Stopping a systemd service..." --time --weight=1
ynh_script_progression --message="Stopping a systemd service..."
ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
#=================================================
# MODIFY URL IN NGINX CONF
#=================================================
ynh_script_progression --message="Updating NGINX web server configuration..." --time --weight=1
ynh_script_progression --message="Updating NGINX web server configuration..."
nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
@ -116,14 +117,15 @@ fi
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --time --weight=1
ynh_script_progression --message="Starting a systemd service..."
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
# Start a systemd service
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" --line_match="API Listening on"
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1
ynh_script_progression --message="Reloading NGINX web server..."
ynh_systemd_action --service_name=nginx --action=reload
@ -131,4 +133,4 @@ ynh_systemd_action --service_name=nginx --action=reload
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Change of URL completed for $app" --time --last
ynh_script_progression --message="Change of URL completed for $app"

318
scripts/install
View file

@ -14,8 +14,7 @@ source /usr/share/yunohost/helpers
#=================================================
ynh_clean_setup () {
### Remove this function if there's nothing to clean before calling the remove script.
true
ynh_clean_check_starting
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
@ -25,39 +24,21 @@ ynh_abort_if_errors
#=================================================
domain=$YNH_APP_ARG_DOMAIN
path_url=$YNH_APP_ARG_PATH
is_public=$YNH_APP_ARG_IS_PUBLIC
language=$YNH_APP_ARG_LANGUAGE
path_url="/"
admin=$YNH_APP_ARG_ADMIN
password=$YNH_APP_ARG_PASSWORD
### If it's a multi-instance app, meaning it can be installed several times independently
### The id of the app as stated in the manifest is available as $YNH_APP_ID
### The instance number is available as $YNH_APP_INSTANCE_NUMBER (equals "1", "2"...)
### The app instance name is available as $YNH_APP_INSTANCE_NAME
### - the first time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample
### - the second time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample__2
### - ynhexample__{N} for the subsequent installations, with N=3,4...
### The app instance name is probably what interests you most, since this is
### guaranteed to be unique. This is a good unique identifier to define installation path,
### db names...
app=$YNH_APP_INSTANCE_NAME
key_seed=$(ynh_string_random --length=18 | xxd -p | head -n1 | cut -c 1-18)
jwt_secret=$(ynh_string_random --length=9 | xxd -p | head -n1 | cut -c 1-9)
admin_mail="$(ynh_user_get_info --username=$admin --key=mail)"
#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
### About --weight and --time
### ynh_script_progression will show to your final users the progression of each scripts.
### In order to do that, --weight will represent the relative time of execution compared to the other steps in the script.
### --time is a packager option, it will show you the execution time since the previous call.
### This option should be removed before releasing your app.
### Use the execution time, given by --time, to estimate the weight of a step.
### A common way to do it is to set a weight equal to the execution time in second +1.
### The execution time is given for the duration since the previous call. So the weight should be applied to this previous call.
ynh_script_progression --message="Validating installation parameters..." --time --weight=1
ynh_script_progression --message="Validating installation parameters..."
### If the app uses NGINX as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app".
### If the app provides an internal web server (or uses another application server such as uWSGI), the final path should be "/opt/yunohost/$app"
final_path=/var/www/$app
test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
@ -67,73 +48,71 @@ ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
ynh_script_progression --message="Storing installation settings..." --time --weight=1
ynh_script_progression --message="Storing installation settings..."
ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=language --value=$language
ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=key_seed --value=$key_seed
ynh_app_setting_set --app=$app --key=jwt_secret --value=$jwt_secret
#=================================================
# STANDARD MODIFICATIONS
#=================================================
# FIND AND OPEN A PORT
#=================================================
ynh_script_progression --message="Finding an available port..." --time --weight=1
### Use these lines if you have to open a port for the application
### `ynh_find_port` will find the first available port starting from the given port.
### If you're not using these lines:
### - Remove the section "CLOSE A PORT" in the remove script
ynh_script_progression --message="Finding an available port..."
# Find an available port
port=$(ynh_find_port --port=8095)
ynh_app_setting_set --app=$app --key=port --value=$port
# Optional: Expose this port publicly
# (N.B.: you only need to do this if the app actually needs to expose the port publicly.
# If you do this and the app doesn't actually need you are CREATING SECURITY HOLES IN THE SERVER !)
client_port=$(ynh_find_port --port=8095)
ynh_app_setting_set --app=$app --key=client_port --value=$client_port
# Open the port
# ynh_script_progression --message="Configuring firewall..." --time --weight=1
# ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
ynh_script_progression --message="Configuring firewall..."
ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $client_port
api_port=$(ynh_find_port --port=$(($client_port + 1)))
ynh_app_setting_set --app=$app --key=api_port --value=$api_port
guacd_port=$(ynh_find_port --port=$(($api_port + 1)))
ynh_app_setting_set --app=$app --key=guacd_port --value=$guacd_port
used_start_port=$(ynh_find_port --port=20000)
ynh_app_setting_set --app=$app --key=used_start_port --value=$used_start_port
used_end_port=$(ynh_find_port --port=30000)
ynh_app_setting_set --app=$app --key=used_end_port --value=$used_end_port
ynh_exec_warn_less yunohost firewall allow TCP $used_start_port:$used_end_port
#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Installing dependencies..." --time --weight=1
### `ynh_install_app_dependencies` allows you to add any "apt" dependencies to the package.
### Those deb packages will be installed as dependencies of this package.
### If you're not using this helper:
### - Remove the section "REMOVE DEPENDENCIES" in the remove script
### - Remove the variable "pkg_dependencies" in _common.sh
### - As well as the section "REINSTALL DEPENDENCIES" in the restore script
### - And the section "UPGRADE DEPENDENCIES" in the upgrade script
ynh_script_progression --message="Installing dependencies..."
ynh_install_app_dependencies $pkg_dependencies
GUACD_PKG=rport-guacamole_1.4.0_$(lsb_release --id --short | tr '[:upper:]' '[:lower:]')_$(lsb_release --codename --short)_$(uname -m).deb
GUACD_DOWNLOAD=https://bitbucket.org/cloudradar/rport-guacamole/downloads/${GUACD_PKG}
tempdir="$(mktemp -d)"
pushd "$tempdir"
curl -fLOSs "$GUACD_DOWNLOAD" || (throw_error "Download failed" && return 0)
DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install ./"${GUACD_PKG}"
popd
ynh_replace_string --match_string="9445" --replace_string="$guacd_port" --target_file="/etc/default/rport-guacamole"
systemctl restart rport-guacd
ynh_secure_remove --file="$tempdir"
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Configuring system user..." --time --weight=1
ynh_script_progression --message="Configuring system user..."
# Create a system user
ynh_system_user_create --username=$app --home_dir="$final_path"
usermod -a -G ssl-cert "$app"
#=================================================
# CREATE A MYSQL DATABASE
#=================================================
ynh_script_progression --message="Creating a MySQL database..." --time --weight=1
### Use these lines if you need a database for the application.
### `ynh_mysql_setup_db` will create a database, an associated user and a ramdom password.
### The password will be stored as 'mysqlpwd' into the app settings,
### and will be available as $db_pwd
### If you're not using these lines:
### - Remove the section "BACKUP THE MYSQL DATABASE" in the backup script
### - Remove also the section "REMOVE THE MYSQL DATABASE" in the remove script
### - As well as the section "RESTORE THE MYSQL DATABASE" in the restore script
ynh_script_progression --message="Creating a MySQL database..."
db_name=$(ynh_sanitize_dbid --db_name=$app)
db_user=$db_name
@ -143,51 +122,22 @@ ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
ynh_script_progression --message="Setting up source files..." --time --weight=1
### `ynh_setup_source` is used to install an app from a zip or tar.gz file,
### downloaded from an upstream source, like a git repository.
### `ynh_setup_source` use the file conf/app.src
ynh_script_progression --message="Setting up source files..."
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path"
ynh_setup_source --dest_dir="$final_path/bin" --source_id="$YNH_ARCH"
ynh_setup_source --dest_dir="$final_path/frontend" --source_id="frontend"
ynh_setup_source --dest_dir="$final_path/novnc" --source_id="novnc"
# FIXME: this should be managed by the core in the future
# Here, as a packager, you may have to tweak the ownerhsip/permissions
# such that the appropriate users (e.g. maybe www-data) can access
# files in some cases.
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
# this will be treated as a security issue.
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring PHP-FPM..." --time --weight=1
### `ynh_add_fpm_config` is used to set up a PHP config.
### You can remove it if your app doesn't use PHP.
### `ynh_add_fpm_config` will use the files conf/php-fpm.conf
### If you're not using these lines:
### - You can remove these files in conf/.
### - Remove the section "BACKUP THE PHP-FPM CONFIGURATION" in the backup script
### - Remove also the section "REMOVE PHP-FPM CONFIGURATION" in the remove script
### - As well as the section "RESTORE THE PHP-FPM CONFIGURATION" in the restore script
### with the reload at the end of the script.
### - And the section "PHP-FPM CONFIGURATION" in the upgrade script
# Create a dedicated PHP-FPM config
ynh_add_fpm_config
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring NGINX web server..." --time --weight=1
### `ynh_add_nginx_config` will use the file conf/nginx.conf
ynh_script_progression --message="Configuring NGINX web server..."
# Create a dedicated NGINX config
ynh_add_nginx_config
@ -195,33 +145,24 @@ ynh_add_nginx_config
#=================================================
# SPECIFIC SETUP
#=================================================
# ...
# POPULATE DATABASE
#=================================================
ynh_script_progression --message="Populating database..."
password_hash=$(htpasswd -nbB password "$password"|cut -d: -f2)
ynh_add_config --template="../conf/mysql.sql" --destination="../conf/populated_mysql.sql"
ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < "../conf/populated_mysql.sql"
#=================================================
# CREATE DATA DIRECTORY
#=================================================
ynh_script_progression --message="Creating a data directory..." --time --weight=1
### Use these lines if you need to create a directory to store "persistent files" for the application.
### Usually this directory is used to store uploaded files or any file that won't be updated during
### an upgrade and that won't be deleted during app removal unless "--purge" option is used.
### If you're not using these lines:
### - Remove the section "BACKUP THE DATA DIR" in the backup script
### - Remove the section "RESTORE THE DATA DIRECTORY" in the restore script
### - As well as the section "REMOVE DATA DIR" in the remove script
ynh_script_progression --message="Creating a data directory..."
datadir=/home/yunohost.app/$app
ynh_app_setting_set --app=$app --key=datadir --value=$datadir
mkdir -p $datadir
# FIXME: this should be managed by the core in the future
# Here, as a packager, you may have to tweak the ownerhsip/permissions
# such that the appropriate users (e.g. maybe www-data) can access
# files in some cases.
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
# this will be treated as a security issue.
chmod 750 "$datadir"
chmod -R o-rwx "$datadir"
chown -R $app:www-data "$datadir"
@ -229,89 +170,30 @@ chown -R $app:www-data "$datadir"
#=================================================
# ADD A CONFIGURATION
#=================================================
ynh_script_progression --message="Adding a configuration file..." --time --weight=1
ynh_script_progression --message="Adding a configuration file..."
### You can add specific configuration files.
###
### Typically, put your template conf file in ../conf/your_config_file
### The template may contain strings such as __FOO__ or __FOO_BAR__,
### which will automatically be replaced by the values of $foo and $foo_bar
###
### ynh_add_config will also keep track of the config file's checksum,
### which later during upgrade may allow to automatically backup the config file
### if it's found that the file was manually modified
###
### Check the documentation of `ynh_add_config` for more info.
ynh_add_config --template="../conf/rportd.example.conf" --destination="$final_path/rportd.conf"
ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
# FIXME: this should be handled by the core in the future
# You may need to use chmod 600 instead of 400,
# for example if the app is expected to be able to modify its own config
chmod 400 "$final_path/some_config_file"
chown $app:$app "$final_path/some_config_file"
### For more complex cases where you want to replace stuff using regexes,
### you shoud rely on ynh_replace_string (which is basically a wrapper for sed)
### When doing so, you also need to manually call ynh_store_file_checksum
###
### ynh_replace_string --match_string="match_string" --replace_string="replace_string" --target_file="$final_path/some_config_file"
### ynh_store_file_checksum --file="$final_path/some_config_file"
chmod 400 "$final_path/rportd.conf"
chown $app:$app "$final_path/rportd.conf"
#=================================================
# SETUP SYSTEMD
#=================================================
ynh_script_progression --message="Configuring a systemd service..." --time --weight=1
### `ynh_systemd_config` is used to configure a systemd script for an app.
### It can be used for apps that use sysvinit (with adaptation) or systemd.
### Have a look at the app to be sure this app needs a systemd script.
### `ynh_systemd_config` will use the file conf/systemd.service
### If you're not using these lines:
### - You can remove those files in conf/.
### - Remove the section "BACKUP SYSTEMD" in the backup script
### - Remove also the section "STOP AND REMOVE SERVICE" in the remove script
### - As well as the section "RESTORE SYSTEMD" in the restore script
### - And the section "SETUP SYSTEMD" in the upgrade script
ynh_script_progression --message="Configuring a systemd service..."
# Create a dedicated systemd config
ynh_add_systemd_config
#=================================================
# SETUP APPLICATION WITH CURL
#=================================================
### Use these lines only if the app installation needs to be finalized through
### web forms. We generally don't want to ask the final user,
### so we're going to use curl to automatically fill the fields and submit the
### forms.
# Set the app as temporarily public for curl call
ynh_script_progression --message="Configuring SSOwat..." --time --weight=1
# Making the app public for curl
ynh_permission_update --permission="main" --add="visitors"
# Installation with curl
ynh_script_progression --message="Finalizing installation..." --time --weight=1
ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3"
# Remove the public access
ynh_permission_update --permission="main" --remove="visitors"
#=================================================
# GENERIC FINALIZATION
#=================================================
# SETUP LOGROTATE
#=================================================
ynh_script_progression --message="Configuring log rotation..." --time --weight=1
ynh_script_progression --message="Configuring log rotation..."
### `ynh_use_logrotate` is used to configure a logrotate configuration for the logs of this app.
### Use this helper only if there is effectively a log file for this app.
### If you're not using this helper:
### - Remove the section "BACKUP LOGROTATE" in the backup script
### - Remove also the section "REMOVE LOGROTATE CONFIGURATION" in the remove script
### - As well as the section "RESTORE THE LOGROTATE CONFIGURATION" in the restore script
### - And the section "SETUP LOGROTATE" in the upgrade script
mkdir -p /var/log/$app
chown -R $app:$app "/var/log/$app"
# Use logrotate to manage application logfile(s)
ynh_use_logrotate
@ -319,87 +201,31 @@ ynh_use_logrotate
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --time --weight=1
ynh_script_progression --message="Integrating service in YunoHost..."
### `yunohost service add` integrates a service in YunoHost. It then gets
### displayed in the admin interface and through the others `yunohost service` commands.
### (N.B.: this line only makes sense if the app adds a service to the system!)
### If you're not using these lines:
### - You can remove these files in conf/.
### - Remove the section "REMOVE SERVICE INTEGRATION IN YUNOHOST" in the remove script
### - As well as the section "INTEGRATE SERVICE IN YUNOHOST" in the restore script
### - And the section "INTEGRATE SERVICE IN YUNOHOST" in the upgrade script
yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
### Additional options starting with 3.8:
###
### --needs_exposed_ports "$port" a list of ports that needs to be publicly exposed
### which will then be checked by YunoHost's diagnosis system
### (N.B. DO NOT USE THIS is the port is only internal!!!)
###
### --test_status "some command" a custom command to check the status of the service
### (only relevant if 'systemctl status' doesn't do a good job)
###
### --test_conf "some command" some command similar to "nginx -t" that validates the conf of the service
###
### Re-calling 'yunohost service add' during the upgrade script is the right way
### to proceed if you later realize that you need to enable some flags that
### weren't enabled on old installs (be careful it'll override the existing
### service though so you should re-provide all relevant flags when doing so)
yunohost service add $app --log="/var/log/$app/$app.log" --needs_exposed_ports="$client_port"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --time --weight=1
### `ynh_systemd_action` is used to start a systemd service for an app.
### Only needed if you have configure a systemd service
### If you're not using these lines:
### - Remove the section "STOP SYSTEMD SERVICE" and "START SYSTEMD SERVICE" in the backup script
### - As well as the section "START SYSTEMD SERVICE" in the restore script
### - As well as the section"STOP SYSTEMD SERVICE" and "START SYSTEMD SERVICE" in the upgrade script
### - And the section "STOP SYSTEMD SERVICE" and "START SYSTEMD SERVICE" in the change_url script
ynh_script_progression --message="Starting a systemd service..."
# Start a systemd service
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# SETUP FAIL2BAN
#=================================================
ynh_script_progression --message="Configuring Fail2Ban..." --time --weight=1
# Create a dedicated Fail2Ban config
ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" --line_match="API Listening on"
#=================================================
# SETUP SSOWAT
#=================================================
ynh_script_progression --message="Configuring permissions..." --time --weight=1
ynh_script_progression --message="Configuring permissions..."
# Make app public if necessary
if [ $is_public -eq 1 ]
then
# Everyone can access the app.
# The "main" permission is automatically created before the install script.
ynh_permission_update --permission="main" --add="visitors"
fi
### N.B. : the following extra permissions only make sense if your app
### does have for example an admin interface or an API.
# Only the admin can access the admin panel of the app (if the app has an admin panel)
ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
# Everyone can access the API part
# We don't want to display the tile in the SSO so we put --show_tile="false"
# And we don't want the YunoHost admin to be able to remove visitors group to this permission, so we put --protected="true"
ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
# Everyone can access the app.
# The "main" permission is automatically created before the install script.
ynh_permission_update --permission="main" --add="visitors"
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1
ynh_script_progression --message="Reloading NGINX web server..."
ynh_systemd_action --service_name=nginx --action=reload
@ -407,4 +233,4 @@ ynh_systemd_action --service_name=nginx --action=reload
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Installation of $app completed" --time --last
ynh_script_progression --message="Installation of $app completed"

61
scripts/remove
View file

@ -12,12 +12,14 @@ source /usr/share/yunohost/helpers
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --time --weight=1
ynh_script_progression --message="Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
port=$(ynh_app_setting_get --app=$app --key=port)
client_port=$(ynh_app_setting_get --app=$app --key=client_port)
used_start_port=$(ynh_app_setting_get --app=$app --key=used_start_port)
used_end_port=$(ynh_app_setting_get --app=$app --key=used_end_port)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
@ -32,14 +34,14 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir)
# Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
if ynh_exec_warn_less yunohost service status $app >/dev/null
then
ynh_script_progression --message="Removing $app service integration..." --time --weight=1
ynh_script_progression --message="Removing $app service integration..."
yunohost service remove $app
fi
#=================================================
# STOP AND REMOVE SERVICE
#=================================================
ynh_script_progression --message="Stopping and removing the systemd service..." --time --weight=1
ynh_script_progression --message="Stopping and removing the systemd service..."
# Remove the dedicated systemd config
ynh_remove_systemd_config
@ -47,7 +49,7 @@ ynh_remove_systemd_config
#=================================================
# REMOVE LOGROTATE CONFIGURATION
#=================================================
ynh_script_progression --message="Removing logrotate configuration..." --time --weight=1
ynh_script_progression --message="Removing logrotate configuration..."
# Remove the app-specific logrotate config
ynh_remove_logrotate
@ -55,7 +57,7 @@ ynh_remove_logrotate
#=================================================
# REMOVE THE MYSQL DATABASE
#=================================================
ynh_script_progression --message="Removing the MySQL database..." --time --weight=1
ynh_script_progression --message="Removing the MySQL database..."
# Remove a database if it exists, along with the associated user
ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name
@ -63,7 +65,7 @@ ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name
#=================================================
# REMOVE APP MAIN DIR
#=================================================
ynh_script_progression --message="Removing app main directory..." --time --weight=1
ynh_script_progression --message="Removing app main directory..."
# Remove the app directory securely
ynh_secure_remove --file="$final_path"
@ -75,64 +77,49 @@ ynh_secure_remove --file="$final_path"
# Remove the data directory if --purge option is used
if [ "${YNH_APP_PURGE:-0}" -eq 1 ]
then
ynh_script_progression --message="Removing app data directory..." --time --weight=1
ynh_script_progression --message="Removing app data directory..."
ynh_secure_remove --file="$datadir"
fi
#=================================================
# REMOVE NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Removing NGINX web server configuration..." --time --weight=1
ynh_script_progression --message="Removing NGINX web server configuration..."
# Remove the dedicated NGINX config
ynh_remove_nginx_config
#=================================================
# REMOVE PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Removing PHP-FPM configuration..." --time --weight=1
# Remove the dedicated PHP-FPM config
ynh_remove_fpm_config
#=================================================
# REMOVE DEPENDENCIES
#=================================================
ynh_script_progression --message="Removing dependencies..." --time --weight=1
ynh_script_progression --message="Removing dependencies..."
# Remove metapackage and its dependencies
ynh_remove_app_dependencies
apt-get -y remove --purge rport-guacamole
#=================================================
# CLOSE A PORT
#=================================================
if yunohost firewall list | grep -q "\- $port$"
if yunohost firewall list | grep -q "\- $client_port$"
then
ynh_script_progression --message="Closing port $port..." --time --weight=1
ynh_exec_warn_less yunohost firewall disallow TCP $port
ynh_script_progression --message="Closing port $client_port..."
ynh_exec_warn_less yunohost firewall disallow TCP $client_port
fi
#=================================================
# REMOVE FAIL2BAN CONFIGURATION
#=================================================
ynh_script_progression --message="Removing Fail2Ban configuration..." --time --weight=1
# Remove the dedicated Fail2Ban config
ynh_remove_fail2ban_config
if yunohost firewall list | grep -q "\- $used_start_port:$used_end_port$"
then
ynh_script_progression --message="Closing port $used_start_port:$used_end_port..."
ynh_exec_warn_less yunohost firewall disallow TCP $used_start_port:$used_end_port
fi
#=================================================
# SPECIFIC REMOVE
#=================================================
# REMOVE VARIOUS FILES
#=================================================
ynh_script_progression --message="Removing various files..." --time --weight=1
# Remove a cron file
ynh_secure_remove --file="/etc/cron.d/$app"
# Remove a directory securely
ynh_secure_remove --file="/etc/$app"
ynh_script_progression --message="Removing various files..."
# Remove the log files
ynh_secure_remove --file="/var/log/$app"
@ -142,7 +129,7 @@ ynh_secure_remove --file="/var/log/$app"
#=================================================
# REMOVE DEDICATED USER
#=================================================
ynh_script_progression --message="Removing the dedicated system user..." --time --weight=1
ynh_script_progression --message="Removing the dedicated system user..."
# Delete a system user
ynh_system_user_delete --username=$app
@ -151,4 +138,4 @@ ynh_system_user_delete --username=$app
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Removal of $app completed" --time --last
ynh_script_progression --message="Removal of $app completed"

92
scripts/restore
View file

@ -15,8 +15,7 @@ source /usr/share/yunohost/helpers
#=================================================
ynh_clean_setup () {
#### Remove this function if there's nothing to clean before calling the remove script.
true
ynh_clean_check_starting
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
@ -24,7 +23,7 @@ ynh_abort_if_errors
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --time --weight=1
ynh_script_progression --message="Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
@ -33,13 +32,14 @@ path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
datadir=$(ynh_app_setting_get --app=$app --key=datadir)
guacd_port=$(ynh_app_setting_get --app=$app --key=guacd_port)
client_port=$(ynh_app_setting_get --app=$app --key=client_port)
#=================================================
# CHECK IF THE APP CAN BE RESTORED
#=================================================
ynh_script_progression --message="Validating restoration parameters..." --time --weight=1
ynh_script_progression --message="Validating restoration parameters..."
test ! -d $final_path \
|| ynh_die --message="There is already a directory: $final_path "
@ -49,24 +49,19 @@ test ! -d $final_path \
#=================================================
# RECREATE THE DEDICATED USER
#=================================================
ynh_script_progression --message="Recreating the dedicated system user..." --time --weight=1
ynh_script_progression --message="Recreating the dedicated system user..."
# Create the dedicated user (if not existing)
ynh_system_user_create --username=$app --home_dir="$final_path"
usermod -a -G ssl-cert "$app"
#=================================================
# RESTORE THE APP MAIN DIR
#=================================================
ynh_script_progression --message="Restoring the app main directory..." --time --weight=1
ynh_script_progression --message="Restoring the app main directory..."
ynh_restore_file --origin_path="$final_path"
# FIXME: this should be managed by the core in the future
# Here, as a packager, you may have to tweak the ownerhsip/permissions
# such that the appropriate users (e.g. maybe www-data) can access
# files in some cases.
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
# this will be treated as a security issue.
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
@ -74,77 +69,66 @@ chown -R $app:www-data "$final_path"
#=================================================
# RESTORE THE DATA DIRECTORY
#=================================================
ynh_script_progression --message="Restoring the data directory..." --time --weight=1
ynh_script_progression --message="Restoring the data directory..."
ynh_restore_file --origin_path="$datadir" --not_mandatory
mkdir -p $datadir
# FIXME: this should be managed by the core in the future
# Here, as a packager, you may have to tweak the ownerhsip/permissions
# such that the appropriate users (e.g. maybe www-data) can access
# files in some cases.
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
# this will be treated as a security issue.
chmod 750 "$datadir"
chmod -R o-rwx "$datadir"
chown -R $app:www-data "$datadir"
#=================================================
# RESTORE FAIL2BAN CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the Fail2Ban configuration..." --time --weight=1
ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"
ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf"
ynh_systemd_action --action=restart --service_name=fail2ban
#=================================================
# SPECIFIC RESTORATION
#=================================================
# REINSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Reinstalling dependencies..." --time --weight=1
ynh_script_progression --message="Reinstalling dependencies..."
# Define and install dependencies
ynh_install_app_dependencies $pkg_dependencies
#=================================================
# RESTORE THE PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the PHP-FPM configuration..." --time --weight=1
ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
GUACD_PKG=rport-guacamole_1.4.0_$(lsb_release --id --short | tr '[:upper:]' '[:lower:]')_$(lsb_release --codename --short)_$(uname -m).deb
GUACD_DOWNLOAD=https://bitbucket.org/cloudradar/rport-guacamole/downloads/${GUACD_PKG}
tempdir="$(mktemp -d)"
pushd "$tempdir"
curl -fLOSs "$GUACD_DOWNLOAD" || (throw_error "Download failed" && return 0)
DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install ./"${GUACD_PKG}"
popd
ynh_replace_string --match_string="9445" --replace_string="$guacd_port" --target_file="/etc/default/rport-guacamole"
systemctl restart rport-guacd
ynh_secure_remove --file="$tempdir"
#=================================================
# RESTORE THE NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the NGINX web server configuration..." --time --weight=1
ynh_script_progression --message="Restoring the NGINX web server configuration..."
ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# RESTORE THE MYSQL DATABASE
#=================================================
ynh_script_progression --message="Restoring the MySQL database..." --time --weight=1
ynh_script_progression --message="Restoring the MySQL database..."
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./db.sql
#=================================================
# RESTORE VARIOUS FILES
# OPEN A PORT
#=================================================
ynh_script_progression --message="Restoring various files..." --time --weight=1
ynh_script_progression --message="Opening a port..."
ynh_restore_file --origin_path="/etc/cron.d/$app"
ynh_restore_file --origin_path="/etc/$app/"
# Open the port
ynh_script_progression --message="Configuring firewall..."
ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $client_port
#=================================================
# RESTORE SYSTEMD
#=================================================
ynh_script_progression --message="Restoring the systemd configuration..." --time --weight=1
ynh_script_progression --message="Restoring the systemd configuration..."
ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
systemctl enable $app.service --quiet
@ -152,36 +136,38 @@ systemctl enable $app.service --quiet
#=================================================
# RESTORE THE LOGROTATE CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the logrotate configuration..." --time --weight=1
ynh_script_progression --message="Restoring the logrotate configuration..."
mkdir -p /var/log/$app
chown -R $app:$app "/var/log/$app"
ynh_restore_file --origin_path="/etc/logrotate.d/$app"
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --time --weight=1
ynh_script_progression --message="Integrating service in YunoHost..."
yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
yunohost service add $app --log="/var/log/$app/$app.log" --needs_exposed_ports="$client_port"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --time --weight=1
ynh_script_progression --message="Starting a systemd service..."
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" --line_match="API Listening on"
#=================================================
# GENERIC FINALIZATION
#=================================================
# RELOAD NGINX AND PHP-FPM
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." --time --weight=1
ynh_script_progression --message="Reloading NGINX web server..."
ynh_systemd_action --service_name=php$phpversion-fpm --action=reload
ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Restoration completed for $app" --time --last
ynh_script_progression --message="Restoration completed for $app"

152
scripts/upgrade
View file

@ -12,37 +12,42 @@ source /usr/share/yunohost/helpers
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --time --weight=1
ynh_script_progression --message="Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
language=$(ynh_app_setting_get --app=$app --key=language)
admin=$(ynh_app_setting_get --app=$app --key=admin)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
datadir=$(ynh_app_setting_get --app=$app --key=datadir)
client_port=$(ynh_app_setting_get --app=$app --key=client_port)
used_start_port=$(ynh_app_setting_get --app=$app --key=used_start_port)
used_end_port=$(ynh_app_setting_get --app=$app --key=used_end_port)
api_port=$(ynh_app_setting_get --app=$app --key=api_port)
guacd_port=$(ynh_app_setting_get --app=$app --key=guacd_port)
key_seed=$(ynh_app_setting_get --app=$app --key=key_seed)
jwt_secret=$(ynh_app_setting_get --app=$app --key=jwt_secret)
#=================================================
# CHECK VERSION
#=================================================
ynh_script_progression --message="Checking version..."
### This helper will compare the version of the currently installed app and the version of the upstream package.
### $upgrade_type can have 2 different values
### - UPGRADE_APP if the upstream app version has changed
### - UPGRADE_PACKAGE if only the YunoHost package has changed
### ynh_check_app_version_changed will stop the upgrade if the app is up to date.
### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do.
upgrade_type=$(ynh_check_app_version_changed)
#=================================================
# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
#=================================================
ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --time --weight=1
ynh_script_progression --message="Backing up the app before upgrading (may take a while)..."
# Backup the current version of the app
ynh_backup_before_upgrade
ynh_clean_setup () {
ynh_clean_check_starting
# Restore it if the upgrade fails
ynh_restore_upgradebackup
}
@ -54,60 +59,23 @@ ynh_abort_if_errors
#=================================================
# STOP SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Stopping a systemd service..." --time --weight=1
ynh_script_progression --message="Stopping a systemd service..."
ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
#=================================================
# ENSURE DOWNWARD COMPATIBILITY
#=================================================
ynh_script_progression --message="Ensuring downward compatibility..." --time --weight=1
#
# N.B. : the followings setting migrations snippets are provided as *EXAMPLES*
# of what you may want to do in some cases (e.g. a setting was not defined on
# some legacy installs and you therefore want to initiaze stuff during upgrade)
#
# If db_name doesn't exist, create it
#if [ -z "$db_name" ]; then
# db_name=$(ynh_sanitize_dbid --db_name=$app)
# ynh_app_setting_set --app=$app --key=db_name --value=$db_name
#fi
# If final_path doesn't exist, create it
#if [ -z "$final_path" ]; then
# final_path=/var/www/$app
# ynh_app_setting_set --app=$app --key=final_path --value=$final_path
#fi
### If nobody installed your app before 4.1,
### then you may safely remove these lines
# Cleaning legacy permissions
if ynh_legacy_permissions_exists; then
ynh_legacy_permissions_delete_all
ynh_app_setting_delete --app=$app --key=is_public
fi
if ! ynh_permission_exists --permission="admin"; then
# Create the required permissions
ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
fi
# Create a permission if needed
if ! ynh_permission_exists --permission="api"; then
ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
fi
ynh_script_progression --message="Ensuring downward compatibility..."
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Making sure dedicated system user exists..." --time --weight=1
ynh_script_progression --message="Making sure dedicated system user exists..."
# Create a dedicated user (if not existing)
ynh_system_user_create --username=$app --home_dir="$final_path"
usermod -a -G ssl-cert "$app"
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
@ -115,18 +83,14 @@ ynh_system_user_create --username=$app --home_dir="$final_path"
if [ "$upgrade_type" == "UPGRADE_APP" ]
then
ynh_script_progression --message="Upgrading source files..." --time --weight=1
ynh_script_progression --message="Upgrading source files..."
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path"
ynh_setup_source --dest_dir="$final_path/bin" --source_id="$YNH_ARCH"
ynh_setup_source --dest_dir="$final_path/frontend" --source_id="frontend"
ynh_setup_source --dest_dir="$final_path/novnc" --source_id="novnc"
fi
# FIXME: this should be managed by the core in the future
# Here, as a packager, you may have to tweak the ownerhsip/permissions
# such that the appropriate users (e.g. maybe www-data) can access
# files in some cases.
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
# this will be treated as a security issue.
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
@ -134,61 +98,45 @@ chown -R $app:www-data "$final_path"
#=================================================
# UPGRADE DEPENDENCIES
#=================================================
ynh_script_progression --message="Upgrading dependencies..." --time --weight=1
ynh_script_progression --message="Upgrading dependencies..."
ynh_install_app_dependencies $pkg_dependencies
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading PHP-FPM configuration..." --time --weight=1
# Create a dedicated PHP-FPM config
ynh_add_fpm_config
GUACD_PKG=rport-guacamole_1.4.0_$(lsb_release --id --short | tr '[:upper:]' '[:lower:]')_$(lsb_release --codename --short)_$(uname -m).deb
GUACD_DOWNLOAD=https://bitbucket.org/cloudradar/rport-guacamole/downloads/${GUACD_PKG}
tempdir="$(mktemp -d)"
pushd "$tempdir"
curl -fLOSs "$GUACD_DOWNLOAD" || (throw_error "Download failed" && return 0)
DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install ./"${GUACD_PKG}"
popd
ynh_replace_string --match_string="9445" --replace_string="$guacd_port" --target_file="/etc/default/rport-guacamole"
systemctl restart rport-guacd
ynh_secure_remove --file="$tempdir"
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading NGINX web server configuration..." --time --weight=1
ynh_script_progression --message="Upgrading NGINX web server configuration..."
# Create a dedicated NGINX config
ynh_add_nginx_config
#=================================================
# SPECIFIC UPGRADE
#=================================================
# ...
#=================================================
#=================================================
# UPDATE A CONFIG FILE
#=================================================
ynh_script_progression --message="Updating a configuration file..." --time --weight=1
ynh_script_progression --message="Updating a configuration file..."
### Same as during install
###
### The file will automatically be backed-up if it's found to be manually modified (because
### ynh_add_config keeps track of the file's checksum)
ynh_add_config --template="../conf/rportd.example.conf" --destination="$final_path/rportd.conf"
ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
# FIXME: this should be handled by the core in the future
# You may need to use chmod 600 instead of 400,
# for example if the app is expected to be able to modify its own config
chmod 400 "$final_path/some_config_file"
chown $app:$app "$final_path/some_config_file"
### For more complex cases where you want to replace stuff using regexes,
### you shoud rely on ynh_replace_string (which is basically a wrapper for sed)
### When doing so, you also need to manually call ynh_store_file_checksum
###
### ynh_replace_string --match_string="match_string" --replace_string="replace_string" --target_file="$final_path/some_config_file"
### ynh_store_file_checksum --file="$final_path/some_config_file"
chmod 400 "$final_path/rportd.conf"
chown $app:$app "$final_path/rportd.conf"
#=================================================
# SETUP SYSTEMD
#=================================================
ynh_script_progression --message="Upgrading systemd configuration..." --time --weight=1
ynh_script_progression --message="Upgrading systemd configuration..."
# Create a dedicated systemd config
ynh_add_systemd_config
@ -198,7 +146,7 @@ ynh_add_systemd_config
#=================================================
# SETUP LOGROTATE
#=================================================
ynh_script_progression --message="Upgrading logrotate configuration..." --time --weight=1
ynh_script_progression --message="Upgrading logrotate configuration..."
# Use logrotate to manage app-specific logfile(s)
ynh_use_logrotate --non-append
@ -206,29 +154,21 @@ ynh_use_logrotate --non-append
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --time --weight=1
ynh_script_progression --message="Integrating service in YunoHost..."
yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
yunohost service add $app --log="/var/log/$app/$app.log" --needs_exposed_ports="$client_port"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --time --weight=1
ynh_script_progression --message="Starting a systemd service..."
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# UPGRADE FAIL2BAN
#=================================================
ynh_script_progression --message="Reconfiguring Fail2Ban..." --time --weight=1
# Create a dedicated Fail2Ban config
ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" --line_match="API Listening on"
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1
ynh_script_progression --message="Reloading NGINX web server..."
ynh_systemd_action --service_name=nginx --action=reload
@ -236,4 +176,4 @@ ynh_systemd_action --service_name=nginx --action=reload
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Upgrade of $app completed" --time --last
ynh_script_progression --message="Upgrade of $app completed"

2
sources/extra_files/app/.gitignore vendored
View file

@ -1,2 +0,0 @@
*~
*.sw[op]

2
sources/patches/.gitignore vendored
View file

@ -1,2 +0,0 @@
*~
*.sw[op]