Update to 0.10.2, added logrotate, change url and fail2ban (#36)

* Update manifest to 0.10.2 * Update to 0.10.2 * Update ReadMe to 0.10.2 * Update to 0.10.2 * Updated is_public according to YNH 3 * Added logrotate,fail2ban * Added dependencies and updated change_url * Added dependencies php5-gd * Remove ini file for php * Removed backup of php.ini file * Removed restore of php.ini file
2024-09-03 20:26:10 +02:00 · 2018-11-04 14:01:28 +01:00 · 2018-11-04 14:01:28 +01:00 · 9109a4ca89
commit 9109a4ca89
parent 1b1a07040e
13 changed files with 223 additions and 104 deletions
--- a/README.md
+++ b/README.md
@ -12,7 +12,7 @@ It is based on the community version of Shaarli (from @sebsauvage original softw
 You can get a demo [here](https://shaarli.readthedocs.io/en/master/#demo).


-Current version: **0.9.7**
+Current version: **0.10.2**

 This app intends to provide to Yunohost's users Shaarli (https://github.com/shaarli/Shaarli), a simple but advanced bookmarking service.

@ -26,6 +26,7 @@ Maintainer: @Lapineige
 - [X] Backup/restore scripts
 - [X] Upgrade Script
 - [X] Change url
+- [X] Integrate fail2ban for the app

 ## Installation information

@ -36,7 +37,7 @@ After the installation go to the domain and create your account. After the creat
 ## TODO
    
 - [ ] Integrate the LDAP/SSOWAT authentication (currently the authentication is done by Shaarli)
- [ ] Integrate fail2ban for the app
+

 ## Changelog

--- a/3
+++ b/3
@ -27,7 +27,8 @@
 	Level 2=auto
 	Level 3=auto
 # Level 4: 
-	Level 4=0
+# Not implimented by upstream
+	Level 4=na
 # Level 5: 
 	Level 5=auto
 	Level 6=auto
--- a/conf/app.src
+++ b/conf/app.src
@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v0.9.7/shaarli-v0.9.7-full.tar.gz
-SOURCE_SUM=f4146c10b477713c1f25ab59d383e56c37dce2ad60a820a3a4eb3273c9b436a4
+SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v0.10.2/shaarli-v0.10.2-full.tar.gz
+SOURCE_SUM=e8e804b5e85283d3f81798bb46b22b2395cc646e6f4411efdbc3477de4d51a41
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
--- a/conf/php-fpm.conf
+++ b/conf/php-fpm.conf
@ -390,3 +390,15 @@ catch_workers_output = yes
 ;php_admin_value[error_log] = /var/log/fpm-php.www.log
 ;php_admin_flag[log_errors] = on
 ;php_admin_value[memory_limit] = 32M
+
+; Common values to change to increase file upload limit
+; upload_max_filesize = 50M
+; post_max_size = 50M
+; mail.add_x_header = Off
+
+; Other common parameters
+; max_execution_time = 600
+; max_input_time = 300
+; memory_limit = 256M
+; short_open_tag = On
+
--- a/conf/php-fpm.ini
+++ b/conf/php-fpm.ini
@ -1,10 +0,0 @@
-; Common values to change to increase file upload limit
-; upload_max_filesize = 50M
-; post_max_size = 50M
-; mail.add_x_header = Off
-
-; Other common parameters
-; max_execution_time = 600
-; max_input_time = 300
-; memory_limit = 256M
-; short_open_tag = On
--- a/manifest.json
+++ b/manifest.json
@ -16,8 +16,8 @@
  },
  "url": "https://github.com/shaarli/Shaarli",
  "license": "free",
-  "version": "0.9.7",
-  "multi_instance": "true",
+  "version": "0.10.2",
+  "multi_instance": true,
  "services": [
        "nginx",
        "php5-fpm"
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -1,58 +1,78 @@
+#!/bin/bash
+
+# ============= FUTURE YUNOHOST HELPER =============
+# Delete a file checksum from the app settings
 #
-# Common variables
+# $app should be defined when calling this helper
 #
-
-# Shaarli version
-VERSION="0.9.6"
-
-# Download shaarli (dependencies included)
-# Full Shaarli sources tarball URL
-SHAARLI_SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v${VERSION}/shaarli-v${VERSION}-full.tar.gz
-
-# Full Shaarli sources tarball checksum
-SHAARLI_SOURCE_SHA256="a4f00b428b31b1a26aec199eb20165861ed5aff50e40173d0babcb85504a256e"
-
-#
-# Common helpers
-#
-
-# Source app helpers
-. /usr/share/yunohost/helpers
-
-# Add path
-ynh_normalize_url_path () {
-	path_url=$1
-	test -n "$path_url" || ynh_die "ynh_normalize_url_path expect a URL path as first argument and received nothing."
-	if [ "${path_url:0:1}" != "/" ]; then    # If the first character is not a /
-		path_url="/$path_url"    # Add / at begin of path variable
-	fi
-	if [ "${path_url:${#path_url}-1}" == "/" ] && [ ${#path_url} -gt 1 ]; then    # If the last character is a / and that not the only character.
-		path_url="${path_url:0:${#path_url}-1}"	# Delete the last character
-	fi
-	echo $path_url
+# usage: ynh_remove_file_checksum file
+# | arg: file - The file for which the checksum will be deleted
+ynh_delete_file_checksum () {
+	local checksum_setting_name=checksum_${1//[\/ ]/_}	# Replace all '/' and ' ' by '_'
+	ynh_app_setting_delete $app $checksum_setting_name
 }

-# Download and extract Shaarli sources to the given directory
-# usage: extract_shaarli DESTDIR [AS_USER]
-extract_shaarli() {
-    local AS_USER=${6:-$USER}

-    # Retrieve and extract Shaarli tarball
-    sh_tarball="/tmp/shaarli.tar.gz"
-    rm -f "$sh_tarball"
-    wget -q -O "$sh_tarball" "$SHAARLI_SOURCE_URL" \
-        || ynh_die "Unable to download Shaarli tarball"
-    echo "$SHAARLI_SOURCE_SHA256 $sh_tarball" | sha256sum -c >/dev/null \
-        || ynh_die "Invalid checksum of downloaded tarball"
-    sudo tar xf "$sh_tarball" -C "$final_path" --strip-components 1 \
-        || ynh_die "Unable to extract Shaarli tarball"
-    rm -f "$sh_tarball"
+#=================================================
+# EXPERIMENTAL HELPERS
+#=================================================

-    wget -q -O "$sh_tarball" "$SHAARLI_SOURCE_URL" \
-        || ynh_die "Unable to download Shaarli tarball"
-    echo "$SHAARLI_SOURCE_SHA256 $sh_tarball" | sha256sum -c >/dev/null \
-        || ynh_die "Invalid checksum of downloaded tarball"
-    sudo tar xf "$sh_tarball" -C "$final_path" --strip-components 1 \
-        || ynh_die "Unable to extract Shaarli tarball"
-    sudo chown -R www-data: $final_path
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+   # Process parameters
+   logpath=$1
+   failregex=$2
+   max_retry=${3:-3}
+   ports=${4:-http,https}
+   
+  test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+  test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+  
+  finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+  finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+  ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+  ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+  
+  sudo tee $finalfail2banjailconf <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry
+EOF
+
+  sudo tee $finalfail2banfilterconf <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregex =
+EOF
+
+  ynh_store_file_checksum "$finalfail2banjailconf"
+  ynh_store_file_checksum "$finalfail2banfilterconf"
+  
+  systemctl restart fail2ban
+  local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
+  if [ -n "$fail2ban_error" ]
+  then
+    echo "[ERR] Fail2ban failed to load the jail for $app" >&2
+    echo "WARNING${fail2ban_error#*WARNING}" >&2
+  fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+  ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+  sudo systemctl restart fail2ban
 }
--- a/scripts/backup
+++ b/scripts/backup
@ -49,4 +49,16 @@ ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf"
 #=================================================

 ynh_backup "/etc/php5/fpm/pool.d/$app.conf"
-ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini"
+
+#=================================================
+# BACKUP LOGROTATE
+#=================================================
+
+ynh_backup "$final_path/data/log.txt"
+
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"
--- a/scripts/change_url
+++ b/scripts/change_url
@ -21,6 +21,17 @@ new_path=$YNH_APP_NEW_PATH

 app=$YNH_APP_INSTANCE_NAME

+#=================================================
+# LOAD SETTINGS
+#=================================================
+
+# Needed for helper "ynh_add_nginx_config"
+final_path=$(ynh_app_setting_get $app final_path)
+
+# Add settings here as needed by your application
+#db_name=$(ynh_app_setting_get "$app" db_name)
+#db_pwd=$(ynh_app_setting_get $app db_pwd)
+
 #=================================================
 # CHECK THE SYNTAX OF THE PATHS
 #=================================================
@ -30,6 +41,7 @@ test -n "$new_path" || new_path="/"
 new_path=$(ynh_normalize_url_path $new_path)
 old_path=$(ynh_normalize_url_path $old_path)

+
 #=================================================
 # CHECK WHICH PARTS SHOULD BE CHANGED
 #=================================================
@ -57,26 +69,35 @@ nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
 # Change the path in the nginx config file
 if [ $change_path -eq 1 ]
 then
-  # Make a backup of the original nginx config file if modified
-  ynh_backup_if_checksum_is_different "$nginx_conf_path"
-  # Replace locations starting with old_path
-  # Look for every location possible patterns (see https://nginx.org/en/docs/http/ngx_http_core_module.html#location)
-  ynh_replace_string "location\( \(=\|~\|~\*\|\^~\)\)\? $old_path" "location\1 $new_path"  "$nginx_conf_path"
-  # Replace path in "return" directives
-  ynh_replace_string "return \([[:digit:]]\{3\}\) $old_path" "return \1 $new_path"  "$nginx_conf_path"
-  # Calculate and store the nginx config file checksum
-  ynh_store_file_checksum "$nginx_conf_path"
+	# Make a backup of the original nginx config file if modified
+	ynh_backup_if_checksum_is_different "$nginx_conf_path"
+	# Set global variables for nginx helper
+	domain="$old_domain"
+	path_url="$new_path"
+	# Create a dedicated nginx config
+	ynh_add_nginx_config
 fi

 # Change the domain for nginx
 if [ $change_domain -eq 1 ]
 then
-  # Delete file checksum for the old conf file location
-  ynh_delete_file_checksum "$nginx_conf_path"
+	# Delete file checksum for the old conf file location
+	ynh_delete_file_checksum "$nginx_conf_path"
 	mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf
-  # Store file checksum for the new config file location
-  ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf"
+	# Store file checksum for the new config file location
+	ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf"
 fi

+#=================================================
+# SPECIFIC MODIFICATIONS
+#=================================================
+# ...
+#=================================================
+
+#=================================================
+# GENERIC FINALISATION
+#=================================================
+# RELOAD NGINX
+#=================================================

 systemctl reload nginx
--- a/scripts/install
+++ b/scripts/install
@ -13,9 +13,14 @@ source /usr/share/yunohost/helpers
 # MANAGE SCRIPT FAILURE
 #=================================================

+ynh_clean_setup () {
+	### Remove this function if there's nothing to clean before calling the remove script.
+	true
+}
 # Exit if an error occurs during the execution of the script
 ynh_abort_if_errors

+
 #=================================================
 # RETRIEVE ARGUMENTS FROM THE MANIFEST
 #=================================================
@ -42,9 +47,11 @@ app=$YNH_APP_INSTANCE_NAME


 #=================================================
-# CHECK IF THE APP CAN BE INSTALLED WITH THIS ARGS
+# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
 #=================================================

+### If the app uses nginx as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app".
+### If the app provides an internal web server (or uses another application server such as uwsgi), the final path should be "/opt/yunohost/$app"
 final_path=/var/www/$app
 test ! -e "$final_path" || ynh_die "This path already contains a folder"

@ -57,14 +64,6 @@ ynh_webpath_available $domain $path_url
 ynh_webpath_register $app $domain $path_url


-
-# Check that the options are compatible
-if [ $is_public = "Yes" ]; then
-  if [ $privateinstance = "Yes" ] ; then
-    ynh_die "Incompatible options: the instance cannot be both public and private" 1
-  fi
-fi
-
 #=================================================
 # STORE SETTINGS FROM MANIFEST
 #=================================================
@ -75,7 +74,7 @@ ynh_app_setting_set $app is_public $is_public


 # Install dependencies
-ynh_install_app_dependencies php5-cli 
+ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl'  'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl


 #=================================================
@ -114,18 +113,36 @@ sudo find $final_path -type d | xargs sudo chmod 755
 # Set right permissions for curl install
 chown -R $app: $final_path

+#=================================================
+# SETUP LOGROTATE
+#=================================================
+
+### `ynh_use_logrotate` is used to configure a logrotate configuration for the logs of this app.
+### Use this helper only if there is effectively a log file for this app.
+### If you're not using this helper:
+###		- Remove the section "BACKUP LOGROTATE" in the backup script
+###		- Remove also the section "REMOVE LOGROTATE CONFIGURATION" in the remove script
+###		- As well as the section "RESTORE THE LOGROTATE CONFIGURATION" in the restore script
+###		- And the section "SETUP LOGROTATE" in the upgrade script
+
+# Use logrotate to manage application logfile(s)
+ynh_use_logrotate "$final_path/data/log.txt"
+
+
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "$final_path/data/log.txt" "\s-\s<HOST>\s-\sLogin failed for user.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================

-if [ $is_public -eq 0 ]
-then	# Remove the public access
-	ynh_app_setting_delete $app skipped_uris
-fi
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
-	# unprotected_uris allows SSO credentials to be passed anyway.
+	# unprotected_uris allows SSO credentials to be passed anyway
 	ynh_app_setting_set $app unprotected_uris "/"
 fi

--- a/scripts/remove
+++ b/scripts/remove
@ -19,6 +19,14 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get $app domain)
 final_path=$(ynh_app_setting_get $app final_path)

+
+#=================================================
+# REMOVE DEPENDENCIES
+#=================================================
+
+# Remove metapackage and its dependencies
+ynh_remove_app_dependencies
+
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================
@ -40,6 +48,19 @@ ynh_remove_nginx_config
 # Remove the dedicated php-fpm config
 ynh_remove_fpm_config

+#=================================================
+# REMOVE LOGROTATE CONFIGURATION
+#=================================================
+
+# Remove the app-specific logrotate config
+ynh_remove_logrotate
+
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # REMOVE DEDICATED USER
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -74,7 +74,6 @@ chown -R $app: $final_path
 #=================================================

 ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf"
-ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"

 #=================================================
 # SPECIFIC RESTORATION
@ -83,14 +82,27 @@ ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
 #=================================================

 # Define and install dependencies
-ynh_install_app_dependencies php5-cli 
+ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl'  'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl
+
+#=================================================
+# RESTORE THE LOGROTATE CONFIGURATION
+#=================================================
+
+ynh_restore_file "$final_path/data/log.txt"
+
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+systemctl restart fail2ban

 #=================================================
 # GENERIC FINALIZATION
 #=================================================
 # RELOAD NGINX AND PHP-FPM
 #=================================================
-
 systemctl reload php5-fpm
 systemctl reload nginx

--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -87,6 +87,9 @@ sudo rm -Rf "$tmpdir"
 # Create a dedicated nginx config
 ynh_add_nginx_config

+# Install dependencies
+ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl' 'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl
+
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@ -101,6 +104,19 @@ ynh_system_user_create $app
 # Create a dedicated php-fpm config
 ynh_add_fpm_config

+#=================================================
+# SETUP LOGROTATE
+#=================================================
+
+# Use logrotate to manage app-specific logfile(s)
+ynh_use_logrotate --non-append
+
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "$final_path/data/log.txt" "\s-\s<HOST>\s-\sLogin failed for user.*$" 5
+
 # Set right permissions 
 chown -R $app: $final_path

@ -108,10 +124,6 @@ chown -R $app: $final_path
 # SETUP SSOWAT
 #=================================================

-if [ $is_public -eq 0 ]
-then	# Remove the public access
-	ynh_app_setting_delete $app skipped_uris
-fi
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then