From 4c83c7d3b626480a815fff27844b2facf25946b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Wed, 31 May 2023 18:38:14 +0200 Subject: [PATCH 1/4] Fix linter --- check_process | 12 ++++++------ conf/systemd.service | 36 ++++++++++++++++++++++++++++++++++-- manifest.json | 9 ++++----- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 6 files changed, 47 insertions(+), 16 deletions(-) diff --git a/check_process b/check_process index 670e59f..0b0e093 100644 --- a/check_process +++ b/check_process @@ -5,18 +5,18 @@ ;; Test complet ; Manifest - domain="domain.tld" (DOMAIN) - path="/path" (PATH) - admin="john" (USER) - is_public=1 (PUBLIC|public=1|private=0) + domain="domain.tld" + path="/path" + admin="john" + is_public=1 password="pass" - port="666" (PORT) + port="666" ; Checks pkg_linter=1 setup_sub_dir=1 setup_root=1 setup_nourl=0 - setup_private=0 + setup_private=1 setup_public=1 upgrade=1 backup_restore=1 diff --git a/conf/systemd.service b/conf/systemd.service index 6b6cc92..7e4ce8a 100644 --- a/conf/systemd.service +++ b/conf/systemd.service 
@@ -6,12 +6,44 @@ After=redis.service postgresql.service User=__APP__ Group=__APP__ WorkingDirectory=__FINALPATH__/ - ExecStart=__FINALPATH__/venv/bin/gunicorn --config __FINALPATH__/gunicorn.conf.py wsgi - StandardOutput=syslog StandardError=syslog SyslogIdentifier=__APP__-server +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/manifest.json b/manifest.json index a3daab9..ff955af 100644 --- a/manifest.json +++ b/manifest.json 
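Review bot: `CAP_RAWIO` in the first added `CapabilityBoundingSet=` line is not a Linux capability name; the capability is `CAP_SYS_RAWIO`. As written, systemd most likely ignores that entry with a parse warning and raw I/O stays in the bounding set. The line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Separately, this is a generic baseline, and patch 4/4 of the series deletes the whole block again, presumably because one directive kept the service from starting. Relaxing only the directive the app trips over (the service journal usually shows which call or path was denied) would keep the rest of the sandbox; the `[Service]` section begins above this hunk.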
@@ -3,14 +3,13 @@ "id": "scovie", "packaging_format": 1, "description": { - "en": "Digital signage system for high schools.", - "fr": "Affichage dynamique open-source pour les lycées." + "en": "Digital signage system for high schools", + "fr": "Affichage dynamique open-source pour les lycées" }, - "version": "0.0.5", - "url": "https://github.com/YunoHost-Apps/scovie_ynh", + "version": "0.0.5~ynh1", + "url": "https://github.com/eldertek/scovie", "upstream": { "license": "GPL-3.0", - "website": "https://github.com/eldertek/scovie", "code": "https://github.com/eldertek/scovie" }, "license": "GPL-3.0", diff --git a/scripts/install b/scripts/install index 730919e..a9b9106 100644 --- a/scripts/install +++ b/scripts/install @@ -188,7 +188,7 @@ ynh_use_logrotate "$log_file" #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --description="$app server" --log="${log_file}" +yunohost service add $app --description="Digital signage system for high schools" --log="${log_file}" #================================================= # GENERIC FINALIZATION diff --git a/scripts/restore b/scripts/restore index a72837e..2056048 100644 --- a/scripts/restore +++ b/scripts/restore @@ -127,7 +127,7 @@ systemctl enable $app.service --quiet #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --log="${log_file}" +yunohost service add $app --description="Digital signage system for high schools" --log="${log_file}" #================================================= # RESTORE THE LOGROTATE CONFIGURATION diff --git a/scripts/upgrade b/scripts/upgrade index 9bdc8f1..9df5111 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
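Review bot: The new `--description` text in the `scripts/install` hunk is hard-coded, and the `scripts/restore` and `scripts/upgrade` hunks repeat it, duplicating the English description in manifest.json, so four copies can drift apart. `$app` is also left unquoted on the changed line while `${log_file}` is quoted. Writing it as `yunohost service add "$app" --description="Digital signage system for high schools" --log="${log_file}"` keeps the argument as one word whatever the value. The same applies to the other two hunks.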
@@ -189,7 +189,7 @@ ynh_use_logrotate --non-append #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --log="${log_file}" +yunohost service add $app --description="Digital signage system for high schools" --log="${log_file}" #================================================= # GENERIC FINALIZATION From 822a82ad14e0e261697dfe8aac216f442ca8c07c Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Wed, 31 May 2023 16:38:20 +0000 Subject: [PATCH 2/4] Auto-update README --- README.md | 3 +-- README_fr.md | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a214b40..3fec270 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in [Scovie](https://github.com/eldertek/scovie) is an open-source digital signage system for high schools, built using Python and Django. It provides an easy-to-use interface for administrators to upload and manage multimedia content, which is then displayed on screens throughout the school. -**Shipped version:** 0.0.5 +**Shipped version:** 0.0.5~ynh1 ## Disclaimers / important information ## local test @@ -155,7 +155,6 @@ root@yunohost:~# journalctl --unit=scovie_ynh --follow ## Documentation and resources -* Official app website: * Upstream app code repository: * YunoHost documentation for this app: * Report a bug: diff --git a/README_fr.md b/README_fr.md index e0bcfda..b9f4b46 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -19,7 +19,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po [Scovie](https://github.com/eldertek/scovie) is an open-source digital signage system for high schools, built using Python and Django. It provides an easy-to-use interface for administrators to upload and manage multimedia content, which is then displayed on screens throughout the school. -**Version incluse :** 0.0.5 +**Version incluse :** 0.0.5~ynh1 ## Avertissements / informations importantes ## local test @@ -155,7 +155,6 @@ root@yunohost:~# journalctl --unit=scovie_ynh --follow ## Documentations et ressources -* Site officiel de l’app : * Dépôt de code officiel de l’app : * Documentation YunoHost pour cette app : * Signaler un bug : From 96cddf0e5db86f9b12ef187b521ed8c88e60e324 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Wed, 31 May 2023 18:46:06 +0200 Subject: [PATCH 3/4] Fix linter --- scripts/backup | 13 +++++++------ scripts/change_url | 4 ++-- scripts/install | 6 +++--- scripts/remove | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 6 files changed, 15 insertions(+), 14 deletions(-) diff --git a/scripts/backup b/scripts/backup index 308ba1c..a440220 100644 --- a/scripts/backup +++ b/scripts/backup @@ -42,12 +42,6 @@ ynh_backup --src_path="$public_path" ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" -#================================================= -# BACKUP THE PostgreSQL DATABASE -#================================================= - -ynh_psql_dump_db --database="$db_name" > db.sql - #================================================= # SPECIFIC BACKUP #================================================= 
@@ -62,6 +56,13 @@ ynh_backup --src_path="/etc/logrotate.d/$app" ynh_backup --src_path="/etc/systemd/system/$app.service" +#================================================= +# BACKUP THE PostgreSQL DATABASE +#================================================= +ynh_print_info --message="Backing up the PostgreSQL database..." + +ynh_psql_dump_db --database="$db_name" > db.sql + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/change_url b/scripts/change_url index cb77f04..c4fa51a 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -95,7 +95,7 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= # MODIFY URL IN NGINX CONF #================================================= -ynh_script_progression --message="Updating nginx web server configuration..." +ynh_script_progression --message="Updating NGINX web server configuration..." nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf @@ -145,7 +145,7 @@ ynh_systemd_action --service_name="$app" --action="start" #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." +ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/install b/scripts/install index a9b9106..5bc75f7 100644 --- a/scripts/install +++ b/scripts/install @@ -93,7 +93,7 @@ ynh_psql_setup_db --db_user="$db_user" --db_name="$db_name" #================================================= # NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Configuring nginx web server..." +ynh_script_progression --message="Configuring NGINX web server..." # Create a dedicated nginx config # https://yunohost.org/en/contribute/packaging_apps/helpers 
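Review bot: The relocated `ynh_psql_dump_db --database="$db_name" > db.sql` in the `scripts/backup` hunk writes through a plain redirect into the current directory, and nothing visible here shows what happens if the dump fails. If the script does not already abort on error (its prologue is outside this hunk), an empty or partial `db.sql` would be archived as if it were a good backup. A check such as `[ -s db.sql ] || ynh_die --message="Database dump is empty"` right after the dump would at least catch the empty-file case. Since the file holds the full application database, a one-line comment saying it must stay inside the backup working directory would also help.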
@@ -103,7 +103,7 @@ ynh_add_nginx_config "public_path" "port" #================================================= # CREATE DEDICATED USER #================================================= -ynh_script_progression --message="Configuring system user '$app'..." +ynh_script_progression --message="Configuring system user $app..." # A home directory for venv and settings etc. ynh_system_user_create --username="$app" --home_dir="$final_path" --use_shell @@ -237,7 +237,7 @@ ynh_systemd_action --service_name="$app" --action="start" #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." +ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name="nginx" --action="reload" diff --git a/scripts/remove b/scripts/remove index dc573b8..e9c4bbc 100644 --- a/scripts/remove +++ b/scripts/remove @@ -74,7 +74,7 @@ ynh_secure_remove --file="$final_path" #================================================= # REMOVE NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Removing nginx web server configuration..." +ynh_script_progression --message="Removing NGINX web server configuration..." # Remove the dedicated nginx config ynh_remove_nginx_config diff --git a/scripts/restore b/scripts/restore index 2056048..eaf5475 100644 --- a/scripts/restore +++ b/scripts/restore @@ -165,7 +165,7 @@ ynh_systemd_action --service_name="$app" --action="start" #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." +ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name="nginx" --action="reload" diff --git a/scripts/upgrade b/scripts/upgrade index 9df5111..56871cc 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -216,7 +216,7 @@ ynh_systemd_action --service_name="$app" --action="start" #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." +ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name=nginx --action=reload From 9a9624019ccfa9521495415568fe0dc8aa46ee09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Wed, 31 May 2023 19:20:53 +0200 Subject: [PATCH 4/4] Update systemd.service --- conf/systemd.service | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index 7e4ce8a..02c2c7f 100644 --- a/conf/systemd.service +++ b/conf/systemd.service 
@@ -11,39 +11,5 @@ StandardOutput=syslog StandardError=syslog SyslogIdentifier=__APP__-server -# Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these -# .. but this should be a good baseline -# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed -ProtectClock=yes -ProtectHostname=yes -ProtectProc=invisible -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes -SystemCallArchitectures=native -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged - -# Denying access to capabilities that should not be relevant for webapps -# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html -CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD -CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT -CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK -CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG - [Install] WantedBy=multi-user.target