diff --git a/conf/gunicorn.conf.py b/conf/gunicorn.conf.py index 7880d8f..533a73e 100644 --- a/conf/gunicorn.conf.py +++ b/conf/gunicorn.conf.py @@ -7,7 +7,7 @@ workers = 5 bind = "127.0.0.1:__PORT_SEAHUB__" # Pid -pids_dir = '__INSTALL_DIR__/pids' +pids_dir = '/opt/seafile/pids' pidfile = os.path.join(pids_dir, 'seahub.pid') # for file upload, we need a longer timeout value (default is only 30s, too short) diff --git a/conf/nginx.conf b/conf/nginx.conf index cbed6d7..65d8abb 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -16,7 +16,11 @@ location __PATH__ { } location __PATH__/media/ { - alias __INSTALL_DIR__/seafile-server-latest/seahub/media/; + alias __SEAFILE_CODE__/seahub/media/; +} + +location __PATH__/media/avatars/ { + alias __DATA_DIR__/seahub-data/avatars/; } location /seafhttp/ { diff --git a/conf/seafile.service b/conf/seafile.service index 5e2fb37..9ccea1c 100644 --- a/conf/seafile.service +++ b/conf/seafile.service @@ -5,11 +5,15 @@ After=mysql.service [Service] Type=forking -ExecStart=/opt/yunohost/__APP__/seafile-server-latest/seafile.sh start -ExecStop=/opt/yunohost/__APP__/seafile-server-latest/seafile.sh stop +ExecStart=/opt/seafile/seafile-server-__SEAFILE_VERSION__/seafile.sh start +ExecStop=/opt/seafile/seafile-server-__SEAFILE_VERSION__/seafile.sh stop User=__APP__ Group=__APP__ +# Config releated to run in docker provied file system +RootDirectory=__INSTALL_DIR__/seafile_image +BindPaths=__SYSTEMD_SEAFILE_BIND_MOUNT__ + # Sandboxing options to harden security # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html NoNewPrivileges=yes diff --git a/conf/seahub.service b/conf/seahub.service index b81a4d4..e274bea 100644 --- a/conf/seahub.service +++ b/conf/seahub.service 
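Review bot: `pids_dir = '/opt/seafile/pids'` now points inside the chroot, but `/opt/seafile/pids` is neither created by the `mkdir -p` in `install_source` (its brace list is `{seafile-data,seahub-data,conf,logs}`) nor among the bind mounts, so unless `seafile.sh`/`seahub.sh` create it themselves gunicorn cannot write `seahub.pid`. Extending that list, `mkdir -p "$install_dir"/seafile_image/opt/seafile/{seafile-data,seahub-data,conf,logs,pids}`, makes the directory exist and `set_permission` then hands it to `$app`. It would live in the image tree and be discarded by `--full_replace` on upgrade, which is harmless because the services are stopped before `install_source` runs.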
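Review bot: The new `location __PATH__/media/avatars/` serves files straight out of the user-writable `__DATA_DIR__/seahub-data/avatars/` tree, and nginx derives the Content-Type from whatever extension a file there carries. Since this is user-uploaded content, `add_header X-Content-Type-Options nosniff;` inside that block stops browsers from sniffing a non-image into something they would execute; the `media/` block served from the code tree does not need it. www-data also needs traverse rights down `$data_dir` for this alias, and `set_permission` only grants those ACLs when `$install_dir/seahub-data` exists, so confirm that link is in place before nginx is reloaded.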
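Review bot: The added comment `# Config releated to run in docker provied file system` has two typos and does not say what the two directives achieve; `# Run inside the Docker image's filesystem (RootDirectory); data, conf and log dirs are bind-mounted in` reads better. The same comment is added in the seahub.service hunk. With `RootDirectory=` set, `ExecStart=` is resolved inside the chroot, so the `/opt/seafile/seafile-server-__SEAFILE_VERSION__/seafile.sh` path matches the image layout, but any `ProtectSystem=`/`PrivateDevices=` lines in the sandboxing block below the hunk now apply to that chroot and are worth re-checking.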
@@ -4,11 +4,15 @@ After=network.target seafile.service [Service] Type=forking -ExecStart=/opt/yunohost/__APP__/seafile-server-latest/seahub.sh start -ExecStop=/opt/yunohost/__APP__/seafile-server-latest/seahub.sh stop +ExecStart=/opt/seafile/seafile-server-__SEAFILE_VERSION__/seahub.sh start +ExecStop=/opt/seafile/seafile-server-__SEAFILE_VERSION__/seahub.sh stop User=__APP__ Group=__APP__ +# Config releated to run in docker provied file system +RootDirectory=__INSTALL_DIR__/seafile_image +BindPaths=__SYSTEMD_SEAFILE_BIND_MOUNT__ + # Sandboxing options to harden security # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html NoNewPrivileges=yes diff --git a/manifest.toml b/manifest.toml index c2b3aa6..9158650 100644 --- a/manifest.toml +++ b/manifest.toml @@ -23,8 +23,8 @@ architectures = ["amd64", "arm64"] multi_instance = false ldap = true sso = true -disk = "1G" -ram.build = "500M" +disk = "1.5G" +ram.build = "0M" ram.runtime = "500M" [install] @@ -66,8 +66,8 @@ ram.runtime = "500M" [resources.install_dir] dir = "/opt/yunohost/__APP__" - owner = "__APP__:rwX" - group = "__APP__:rX" + owner = "__APP__:rwx" + group = "www-data:rx" [resources.data_dir] dir = "/home/yunohost.app/__APP__" @@ -128,12 +128,7 @@ ram.runtime = "500M" arm64.sha256 = "035923b7982c2ccd5d8a9813948a670b70e3fefdb91ec76d33ba1280c9c14d40" [resources.apt] - packages = ["python3", "python3-venv", "python3-setuptools", "python3-pip", "python3-dev", - "python3-requests", "python3-scipy", "python3-matplotlib", - "mariadb-server", "libmariadb-dev-compat", "libmariadb-dev", - "ldap-utils", "libldap2-dev", "libsasl2-dev", - "memcached", "libmemcached-dev", - "ffmpeg"] + packages = ["mariadb-server", "memcached"] [resources.database] type = "mysql" diff --git a/scripts/_common.sh b/scripts/_common.sh index 2106b79..b8fb732 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
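Review bot: `group = "www-data:rx"` on `[resources.install_dir]` makes the install directory group-readable by the web server as a whole, whereas nginx only needs the `seahub/media` path, and `set_permission` re-owns just `conf` and `seafile_image/opt/seafile` to `$app:$app`. Anything else under `$install_dir` — the rest of `seafile_image`, the `seahub-data`/`logs` symlinks — keeps group `www-data`, so confirm nothing credential-bearing lands there, or keep the old `__APP__:rX` group and rely on the per-directory `setfacl` calls `set_permission` already makes. The change from `rwX` to `rwx` is also worth checking: if the resource helper applies the mode recursively, lowercase `x` sets the execute bit on every regular file, which capital `X` avoids; if it only checks for a literal `x`, the old value gave the directory no traverse bit and the new one is the actual fix.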
@@ -4,6 +4,12 @@ readonly time_zone="$(cat /etc/timezone)" readonly python_version="$(python3 -V | cut -d' ' -f2 | cut -d. -f1-2)" +systemd_seafile_bind_mount="$data_dir/seafile-data:/opt/seafile/seafile-data " +systemd_seafile_bind_mount+="$data_dir/seahub-data:/opt/seafile/seahub-data " +systemd_seafile_bind_mount+="/var/log/$app:/opt/seafile/logs " +systemd_seafile_bind_mount+="$install_dir/conf:/opt/seafile/conf " +systemd_seafile_bind_mount+="/proc " +systemd_seafile_bind_mount+="/dev" # Create special path with / at the end if [[ "$path" == '/' ]] 
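Review bot: The bind list ends with bare `/proc` and `/dev`, which bind the host's complete `/proc` and `/dev` into the chroot, handing the service every host device node; systemd's `MountAPIVFS=yes` exists for exactly this case (it mounts `/proc`, `/sys`, `/dev` and `/run` inside `RootDirectory=`) and composes with `PrivateDevices=`/`ProtectKernelTunables=` if the units' sandboxing block sets them. Dropping the last two `+=` lines and adding `MountAPIVFS=yes` next to `RootDirectory=` in both unit templates keeps the same functionality with a narrower view of the host; `run_seafile_cmd` would need the matching `--property=MountAPIVFS=yes`. The variable is also built at source time from `$data_dir`, `$install_dir` and `$app`, so `_common.sh` must be sourced after those settings are in the environment — a one-line comment above it saying so would help.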
@@ -23,54 +29,40 @@ fi # DEFINE ALL COMMON FONCTIONS #================================================= -install_pkg_conf() { - # Install manually pkgconf - # WARNING don't move this to dependencies - # We install this manually because we have an issue between pkgconf and pkg-config. - # If pkg-config is already installed on the system we can't declare pkgconf as dependency as pkg-config need to be removed to install pkgconf (note that pkgconf replace pkg-config and both can't be installed) - ynh_apt install pkgconf -} - -install_dependance() { - # Clean venv is it was on python3 with old version in case major upgrade of debian - if [ ! -e "$install_dir"/venv/bin/python3 ] || [ ! -e "$install_dir/venv/lib/python$python_version" ]; then - ynh_secure_remove --file="$install_dir"/venv/bin - ynh_secure_remove --file="$install_dir"/venv/lib - ynh_secure_remove --file="$install_dir"/venv/lib64 - ynh_secure_remove --file="$install_dir"/venv/include - ynh_secure_remove --file="$install_dir"/venv/share - ynh_secure_remove --file="$install_dir"/venv/pyvenv.cfg - fi - - # Create venv if it don't exist - test -e "$install_dir"/venv/bin/python3 || python3 -m venv "$install_dir"/venv - - py_dependancy="django==4.2.* future==0.18.* mysqlclient==2.1.* pymysql pillow==10.2.* pylibmc captcha==0.5.* markupsafe==2.0.1 jinja2 sqlalchemy==2.0.18 psd-tools django-pylibmc django_simple_captcha==0.6.* djangosaml2==1.5.* pysaml2==7.2.* pycryptodome==3.16.* cffi==1.15.1 lxml python-ldap==3.4.3" - "$install_dir"/venv/bin/pip3 install --upgrade --timeout=3600 $py_dependancy - - # Create symbolic link to venv package on seahub - ls "$install_dir/venv/lib/python$python_version/site-packages" | while read -r f; do - if [ ! 
-e "$install_dir/seafile-server-$seafile_version/seahub/thirdpart/$f" ]; then - ln -s "../../../venv/lib/python$python_version/site-packages/$f" "$install_dir/seafile-server-$seafile_version/seahub/thirdpart/$f" - fi - done +run_seafile_cmd() { + ynh_exec_warn_less systemd-run --wait --uid="$app" --gid="$app" \ + --property=RootDirectory="$install_dir"/seafile_image \ + --property="BindPaths=$systemd_seafile_bind_mount" \ + $@ } install_source() { - ynh_setup_source --dest_dir="$install_dir"/docker_image --full_replace - ynh_secure_remove --file="$install_dir/seafile-server-$seafile_version" - mv "$install_dir/docker_image/opt/seafile/seafile-server-$seafile_version" "$install_dir/seafile-server-$seafile_version" - ynh_secure_remove --file="$install_dir"/docker_image + ynh_setup_source --dest_dir="$install_dir"/seafile_image --full_replace + mkdir -p "$install_dir"/seafile_image/opt/seafile/{seafile-data,seahub-data,conf,logs} + grep "^$app:x" /etc/passwd | sed "s|$install_dir|/opt/seafile|" >> "$install_dir"/seafile_image/etc/passwd + grep "^$app:x" /etc/group >> "$install_dir"/seafile_image/etc/group + grep "^$app:x" /etc/group- >> "$install_dir"/seafile_image/etc/group- + grep "^$app:" /etc/shadow >> "$install_dir"/seafile_image/etc/shadow } set_permission() { - chown -R "$app:$app" "$install_dir" - chmod -R u+rwX,g-wx,o= "$install_dir" - setfacl -m user:www-data:rX "$install_dir" - setfacl -m user:www-data:rX "$install_dir/seafile-server-$seafile_version" + chown -R "$app:$app" "$install_dir"/conf + chmod -R u+rwX,g-w,o= "$install_dir"/conf + chown -R "$app:$app" "$install_dir"/seafile_image/opt/seafile + chmod -R u+rwX,g-w,o= "$install_dir"/seafile_image/opt/seafile + + # Allow to www-data to each dir between /opt/yunohost/seafile and /opt/yunohost/seafile/seafile_image/opt/seafile/seahub/media + local dir_path='' + while read -r -d/ dir_name; do + dir_path+="$dir_name/" + if [[ "$dir_path" == "$install_dir"* ]] && [ -e "$dir_path" ]; then + setfacl -m 
user:www-data:rX "$dir_path" + fi + done <<< "$seafile_code/seahub/media" + test -e "$install_dir/seafile_image/opt/seafile/seahub-data" && setfacl -m user:www-data:rX "$install_dir/seafile_image/opt/seafile/seahub-data" + test -e "$seafile_code/seahub/media" && setfacl -R -m user:www-data:rX "$seafile_code/seahub/media" + # At install time theses directory are not available - test -e "$install_dir/seafile-server-$seafile_version/seahub" && setfacl -m user:www-data:rX "$install_dir/seafile-server-$seafile_version/seahub" - test -e "$install_dir/seafile-server-$seafile_version/seahub/media" && setfacl -R -m user:www-data:rX "$install_dir/seafile-server-$seafile_version/seahub/media" test -e "$install_dir"/seahub-data && setfacl -m user:www-data:rX "$data_dir" test -e "$install_dir"/seahub-data && setfacl -R -m user:www-data:rX "$data_dir"/seahub-data diff --git a/scripts/backup b/scripts/backup index e9c0a3b..c5d9791 100644 --- a/scripts/backup +++ b/scripts/backup @@ -12,6 +12,7 @@ source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers seafile_version=$(ynh_app_upstream_version) +seafile_code="$install_dir/seafile_image/opt/seafile/seafile-server-$seafile_version" if systemctl is-active seafile --quiet || systemctl is-active seahub --quiet; then ynh_print_warn --message="It's hightly recommended to make your backup when the service is stopped. Please stop seafile service and seahub service with this command before to run the backup 'systemctl stop seafile.service seahub.service'" diff --git a/scripts/change_url b/scripts/change_url index f680826..e3ab8fb 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -12,6 +12,7 @@ source ./_common.sh source /usr/share/yunohost/helpers seafile_version="$(ynh_app_upstream_version)" +seafile_code="$install_dir/seafile_image/opt/seafile/seafile-server-$seafile_version" #================================================= # STANDARD MODIFICATIONS 
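Review bot: `run_seafile_cmd` forwards its arguments with an unquoted `$@`, so they are re-split on whitespace and glob-expanded before reaching `systemd-run`; the caller in `install` passes `--server-name "$server_name"`, which breaks as soon as the name contains a space. The fix is `"$@"` on the function's last line. `install_source` also appends the `$app` entries from `/etc/passwd`, `/etc/group`, `/etc/group-` and `/etc/shadow` into the image; a system account's shadow entry is normally locked (`!`/`*`), but `set_permission` never touches `seafile_image/etc`, so confirm the copied `shadow` keeps a root-only mode after extraction. In `set_permission`, the `read -r -d/` loop never processes the last path component (the here-string has no trailing `/`), which is harmless only because `seahub/media` gets its own `setfacl -R` line below — a comment saying so would spare the next reader the analysis.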
diff --git a/scripts/install b/scripts/install index 8e39baa..b91fae0 100644 --- a/scripts/install +++ b/scripts/install @@ -13,8 +13,7 @@ source /usr/share/yunohost/helpers source ./ynh_setup_source seafile_version=$(ynh_app_upstream_version) - -install_pkg_conf +seafile_code="$install_dir/seafile_image/opt/seafile/seafile-server-$seafile_version" ensure_vars_set @@ -33,14 +32,12 @@ fi mkdir -p /var/log/"$app" mkdir -p "$data_dir"/{seafile-data,seahub-data} +mkdir -p "$install_dir"/conf # Download new version from sources ynh_script_progression --message="Installing sources files..." --weight=7 install_source -ynh_script_progression --message="Installing python dependancies..." -install_dependance - # init databases ynh_script_progression --message="Configuring MySQL database..." db_user=seafile @@ -53,8 +50,8 @@ ynh_script_progression --message="Configuring application..." --weight=3 set_permission ynh_replace_special_string --match_string='seafile_config.seafile_dir = seafile_config.validate_seafile_dir(seafile_dir)' \ --replace_string 'seafile_config.seafile_dir = seafile_dir' \ - --target_file "$install_dir/seafile-server-$seafile_version/setup-seafile-mysql.py" -sudo -u "$app" bash "$install_dir/seafile-server-$seafile_version/setup-seafile-mysql.sh" auto \ + --target_file "$seafile_code/setup-seafile-mysql.py" +run_seafile_cmd bash "/opt/seafile/seafile-server-$seafile_version/setup-seafile-mysql.sh" auto \ --server-name "$server_name" \ --server-ip "$domain" \ --fileserver-port "$port_fileserver" \ 
@@ -104,7 +101,7 @@ ln -s "$data_dir"/seahub-data "$install_dir"/seahub-data ln -s /var/log/"$app" "$install_dir"/logs # Fix local warning -ynh_replace_string --match_string=en_US.UTF-8 --replace_string="${LANG:-'en_US.UTF-8'}" --target_file="$install_dir/seafile-server-$seafile_version/seahub.sh" +ynh_replace_string --match_string=en_US.UTF-8 --replace_string="${LANG:-'en_US.UTF-8'}" --target_file="$seafile_code/seahub.sh" # Add Seafile Server to startup ynh_script_progression --message="Configuring a systemd service..." diff --git a/scripts/remove b/scripts/remove index 3614395..a0ce8e0 100644 --- a/scripts/remove +++ b/scripts/remove @@ -12,6 +12,7 @@ source ./_common.sh source /usr/share/yunohost/helpers seafile_version="$(ynh_app_upstream_version)" +seafile_code="$install_dir/seafile_image/opt/seafile/seafile-server-$seafile_version" #================================================= # STANDARD REMOVE diff --git a/scripts/restore b/scripts/restore index 830de29..95587b1 100644 --- a/scripts/restore +++ b/scripts/restore @@ -12,6 +12,7 @@ source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers seafile_version="$(ynh_app_upstream_version)" +seafile_code="$install_dir/seafile_image/opt/seafile/seafile-server-$seafile_version" ynh_script_progression --message="Loading settings..." diff --git a/scripts/upgrade b/scripts/upgrade index 9a7b7da..297c8d3 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -15,14 +15,14 @@ source ./ynh_setup_source seafile_version="$(ynh_app_upstream_version)" installed_version="${YNH_APP_CURRENT_VERSION/~ynh*/}" +seafile_code="$install_dir/seafile_image/opt/seafile/seafile-server-$seafile_version" + ensure_vars_set if [ "$YNH_APP_CURRENT_VERSION" == '-' ] || ynh_compare_current_package_version --comparison=le --version='7.0~ynh1'; then ynh_die "Upgrade from this version not supported" fi -install_pkg_conf - ynh_script_progression --message="Stoping services..." ynh_systemd_action --service_name=seafile --action=stop 
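Review bot: `--replace_string="${LANG:-'en_US.UTF-8'}"` keeps the single quotes inside the default word, so when `LANG` is unset in the script's environment `seahub.sh` ends up containing the literal text `'en_US.UTF-8'`, quotes included; inside double quotes the default is not quote-stripped. `--replace_string="${LANG:-en_US.UTF-8}"` gives the intended value. The same expression is on the `# Fix local warning` line of the last `upgrade` hunk. Note too that `seahub.sh` now runs inside the image's chroot, so substituting the host's `$LANG` only helps if that locale is generated inside the image — otherwise the warning this line was meant to silence comes back.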
@@ -105,9 +105,6 @@ if [ "$YNH_APP_UPGRADE_TYPE" == UPGRADE_APP ]; then install_source fi -ynh_script_progression --message="Installing python dependancies..." -install_dependance - ynh_script_progression --message="Configuring application..." # permission to execute update script and expect helper @@ -128,13 +125,13 @@ case "$installed_version" in ;& "7.0"* ) # Fix file comment - pushd "$install_dir/seafile-server-$seafile_version" - sudo -u "$app" "$install_dir/seafile-server-$seafile_version/seahub.sh" python-env python3 seahub/manage.py migrate_file_comment + pushd "$seafile_code" + run_seafile_cmd "/opt/seafile/seafile-server-$seafile_version/seahub.sh" python-env python3 seahub/manage.py migrate_file_comment popd # Update seafile by script - ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$install_dir/seafile-server-$seafile_version/upgrade/upgrade_7.0_7.1.sh" - sudo -u "$app" bash "$install_dir/seafile-server-$seafile_version/upgrade/upgrade_7.0_7.1.sh" + ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$seafile_code/upgrade/upgrade_7.0_7.1.sh" + run_seafile_cmd "/opt/seafile/seafile-server-$seafile_version/upgrade/upgrade_7.0_7.1.sh" # Fix seafile data link. Look like that the upgrade script of seafile don't always work correctly if [ -e "$install_dir"/seafile-data ]; then 
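Review bot: `pushd "$seafile_code"` changes the host shell's directory, but the transient unit started by `run_seafile_cmd` does not inherit it — without `--same-dir` or a `WorkingDirectory=` property a system unit starts at its root, presumably the chroot root here — so the relative `seahub/manage.py` resolves to `/seahub/manage.py` inside the image unless `seahub.sh python-env` changes directory itself. Passing the in-chroot absolute path removes the dependency: `run_seafile_cmd "/opt/seafile/seafile-server-$seafile_version/seahub.sh" python-env python3 "/opt/seafile/seafile-server-$seafile_version/seahub/manage.py" migrate_file_comment`, after which the `pushd`/`popd` pair is dead weight. The upgrade scripts are now invoked directly instead of through `bash`, so they rely on the execute bit surviving extraction; the `# permission to execute update script` step above the `case` is presumably what guarantees that — worth confirming it covers `upgrade/*.sh`.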
@@ -144,26 +141,26 @@ case "$installed_version" in ln -s "$data_dir" "$install_dir"/seafile-data ;& "7.1."* ) - ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$install_dir/seafile-server-$seafile_version/upgrade/upgrade_8.0_9.0.sh" - sudo -u "$app" bash "$install_dir/seafile-server-$seafile_version/upgrade/upgrade_8.0_9.0.sh" + ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$seafile_code/upgrade/upgrade_8.0_9.0.sh" + run_seafile_cmd "/opt/seafile/seafile-server-$seafile_version/upgrade/upgrade_8.0_9.0.sh" ;& "8.0."* ) - ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$install_dir/seafile-server-$seafile_version/upgrade/upgrade_7.1_8.0.sh" - sudo -u "$app" bash "$install_dir/seafile-server-$seafile_version/upgrade/upgrade_7.1_8.0.sh" + ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$seafile_code/upgrade/upgrade_7.1_8.0.sh" + run_seafile_cmd "/opt/seafile/seafile-server-$seafile_version/upgrade/upgrade_7.1_8.0.sh" ;& "9."* ) - ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$install_dir/seafile-server-$seafile_version/upgrade/upgrade_8.0_9.0.sh" - sudo -u "$app" bash "$install_dir/seafile-server-$seafile_version/upgrade/upgrade_8.0_9.0.sh" + ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$seafile_code/upgrade/upgrade_8.0_9.0.sh" + run_seafile_cmd "/opt/seafile/seafile-server-$seafile_version/upgrade/upgrade_8.0_9.0.sh" ;& "10."* ) - ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$install_dir/seafile-server-$seafile_version/upgrade/upgrade_9.0_10.0.sh" - sudo -u "$app" bash "$install_dir/seafile-server-$seafile_version/upgrade/upgrade_9.0_10.0.sh" - sudo -u "$app" "$install_dir"/venv/bin/python "$install_dir/seafile-server-$seafile_version/migrate_ldapusers.py" + 
ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$seafile_code/upgrade/upgrade_9.0_10.0.sh" + run_seafile_cmd "/opt/seafile/seafile-server-$seafile_version/upgrade/upgrade_9.0_10.0.sh" + sudo -u "$app" "$install_dir"/venv/bin/python "$seafile_code/migrate_ldapusers.py" ;& esac -ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$install_dir/seafile-server-$seafile_version/upgrade/minor-upgrade.sh" -sudo -u "$app" bash "$install_dir/seafile-server-$seafile_version/upgrade/minor-upgrade.sh" +ynh_replace_string --match_string='read dummy' --replace_string='# patched' --target_file="$seafile_code/upgrade/minor-upgrade.sh" +run_seafile_cmd "/opt/seafile/seafile-server-$seafile_version/upgrade/minor-upgrade.sh" # Clean url in config in DB clean_url_in_db_config @@ -177,7 +174,7 @@ ynh_add_config --template=seafdav.conf --destination="$install_dir"/conf/seafdav ynh_add_config --template=seafevents.conf --destination="$install_dir"/conf/seafevents.conf # Fix local warning -ynh_replace_string --match_string=en_US.UTF-8 --replace_string="${LANG:-'en_US.UTF-8'}" --target_file="$install_dir/seafile-server-$seafile_version/seahub.sh" +ynh_replace_string --match_string=en_US.UTF-8 --replace_string="${LANG:-'en_US.UTF-8'}" --target_file="$seafile_code/seahub.sh" #================================================= # STANDARD UPGRADE STEPS
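Review bot: In the `"10."*` case `sudo -u "$app" "$install_dir"/venv/bin/python "$seafile_code/migrate_ldapusers.py"` still runs with the host venv, yet this commit removes `install_dependance` (the only place that created `$install_dir/venv`) and drops `python3-venv` and the Python packages from `[resources.apt]`, so the line depends on an artefact the package no longer produces. It keeps working only while the venv left behind by the previous package layout is still on disk, and that venv's modules were built for the old server. Running it inside the image like the other steps in this case, `run_seafile_cmd "/opt/seafile/seafile-server-$seafile_version/seahub.sh" python-env python3 "/opt/seafile/seafile-server-$seafile_version/migrate_ldapusers.py"`, matches the `migrate_file_comment` invocation in the `"7.0"*` branch and removes the last reference to `venv`.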