From 3376618a7f5a056e314355983b505094775938f9 Mon Sep 17 00:00:00 2001
From: Tobias Ollive
Date: Wed, 8 Dec 2021 11:17:42 +0100
Subject: [PATCH] Use framemo colibris source and add subpath installation

Framemo colibris is more maintained than scrumblr upstream repository. Moreover, it allows to use subpath installation
---
 conf/app.src | 4 ++--
 conf/nginx.conf | 25 ++++++++++++-------------
 conf/systemd.service | 35 +++++++++++++++++++++++++++++++++--
 manifest.json | 6 ++++++
 scripts/change_url | 2 +-
 scripts/install | 5 ++---
 scripts/upgrade | 1 -
 7 files changed, 56 insertions(+), 22 deletions(-)

diff --git a/conf/app.src b/conf/app.src
index 4bd2178..e17cc12 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/aliasaria/scrumblr/archive/cb1475d4f40ea422c71a9596a7ae97b0cbcbb69a.tar.gz
-SOURCE_SUM=6220540442d7327c518a948cbfb13f7f9065d24f6d4ce5c57c2b0b8e61b76714
+SOURCE_URL=https://framagit.org/colibris/framemo/-/archive/5183db5829767363ce31acafd376a1cdfffa3eca/framemo-5183db5829767363ce31acafd376a1cdfffa3eca.tar.gz
+SOURCE_SUM=3f14e2316a5e4a8e1330c561f2506254567d7b71f0b36da9df0d9168f18e6b48
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 86a0993..083b591 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,14 +1,13 @@
-location / {
+location __PATH__/ {
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header Host $host;
 
-    proxy_pass http://127.0.0.1:__PORT__;
-    proxy_redirect off;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Host $server_name;
-
-    # Include SSOWAT user panel.
-    include conf.d/yunohost_panel.conf.inc;
-    more_clear_input_headers 'Accept-Encoding';
-}
\ No newline at end of file
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    proxy_pass http://localhost:__PORT____PATH__/;
+}
diff --git a/conf/systemd.service b/conf/systemd.service
index bd8ca52..95ed7b9 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
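Review bot: The new `proxy_pass` targets `localhost` where the removed line used `127.0.0.1`; when `localhost` resolves to both `127.0.0.1` and `::1`, nginx uses both as upstream addresses, and if the Node server binds IPv4 only some requests will hit the dead address first and surface as 502s, so `proxy_pass http://127.0.0.1:__PORT____PATH__/;` is the safer form. The rewrite also drops `include conf.d/yunohost_panel.conf.inc;` and `more_clear_input_headers 'Accept-Encoding';`, so the SSOwat user panel is no longer injected into this app's pages; if that is deliberate, a one-line comment such as `# SSOwat user panel intentionally not included here` would keep the next maintainer from restoring it. `Connection $connection_upgrade` depends on a `map $http_upgrade $connection_upgrade` block in the http context that this file does not define, presumably supplied by the global nginx configuration — worth confirming. Forwarding `$remote_addr` rather than `$proxy_add_x_forwarded_for` in `X-Forwarded-For` is fine here since nginx is the first hop and it stops a client-supplied header from being relayed to the app.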
@@ -7,10 +7,41 @@ Type=simple
 User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__
-Environment="PATH=__ENV_PATH__"
+Environment="PATH=_PATH__"
 Environment="NODE_ENV=production"
-ExecStart=__YNH_NPM__ start --server:port=__PORT__
+ExecStart=__YNH_NODE__ server.js --port=__PORT__ --baseurl=__PATH__
 Restart=always
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 
 [Install]
 WantedBy=multi-user.target
+
diff --git a/manifest.json b/manifest.json
index aa79406..4993d9b 100644
--- a/manifest.json
+++ b/manifest.json
@@ -32,6 +32,12 @@
                 "name": "domain",
                 "type": "domain"
             },
+            {
+                "name": "path",
+                "type": "path",
+                "example": "/scrumblr",
+                "default": "/scrumblr"
+            },
             {
                 "name": "is_public",
                 "type": "boolean",
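Review bot: `Environment="PATH=_PATH__"` has a single leading underscore, so it is neither the `__ENV_PATH__` placeholder the removed line used nor the `__PATH__` form used elsewhere in this patch, and because the `ynh_replace_string --match_string="__ENV_PATH__"` calls are deleted from scripts/install and scripts/upgrade in the same commit, nothing left in this change substitutes it — the installed unit will carry a literal `PATH=_PATH__`. `__PATH__` is the URL path here (see `--baseurl=__PATH__` on the next changed line), so it is not a valid replacement either; `Environment="PATH=__ENV_PATH__"` looks like the intended line, provided the helper that now renders the unit substitutes that placeholder on the targeted YunoHost version, which is worth confirming before relying on it. The sandboxing block is a reasonable baseline; note that `ProtectSystem=full` leaves `/var` writable, so the app's files under `__FINALPATH__` stay writable if that is where it is installed, which the Node server presumably needs for its data.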
diff --git a/scripts/change_url b/scripts/change_url
index 47473c8..cb9855e 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -17,7 +17,7 @@ old_domain=$YNH_APP_OLD_DOMAIN
 old_path=$YNH_APP_OLD_PATH
 
 new_domain=$YNH_APP_NEW_DOMAIN
-new_path="/"
+new_path=$YNH_APP_NEW_PATH
 
 app=$YNH_APP_INSTANCE_NAME
 
diff --git a/scripts/install b/scripts/install
index edc3b45..57a424f 100644
--- a/scripts/install
+++ b/scripts/install
@@ -24,7 +24,7 @@ ynh_abort_if_errors
 #=================================================
 
 domain=$YNH_APP_ARG_DOMAIN
-path_url="/"
+path_url=$YNH_APP_ARG_PATH
 is_public=$YNH_APP_ARG_IS_PUBLIC
 
 app=$YNH_APP_INSTANCE_NAME
@@ -110,7 +110,6 @@ ynh_use_logrotate
 #=================================================
 ynh_script_progression --message="Configuring a systemd service..." --weight=1
 
-ynh_replace_string --match_string="__ENV_PATH__" --replace_string="$PATH" --target_file="../conf/systemd.service"
 ynh_add_systemd_config
 
 #=================================================
@@ -135,7 +134,7 @@ yunohost service add $app --description="Software for notes" --log="/var/log/$ap
 ynh_script_progression --message="Starting a systemd service..." --weight=2
 
 # Start a systemd service
-ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="Server running at port"
+ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="Server running at "
 
 #=================================================
 # Set Public or private
diff --git a/scripts/upgrade b/scripts/upgrade
index f21e597..b427e27 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -120,7 +120,6 @@ ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version
 #=================================================
 ynh_script_progression --message="Upgrading systemd configuration..." --weight=1
 
-ynh_replace_string --match_string="__ENV_PATH__" --replace_string="$PATH" --target_file="../conf/systemd.service"
 ynh_add_systemd_config
 
 #=================================================