diff --git a/README.md b/README.md index 6a8cea6..eb5a2d8 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ It is based on the community version of Shaarli (from @sebsauvage original softw You can get a demo [here](https://shaarli.readthedocs.io/en/master/#demo). -Current version: **0.9.7** +Current version: **0.10.2** This app intends to provide to Yunohost's users Shaarli (https://github.com/shaarli/Shaarli), a simple but advanced bookmarking service. @@ -26,6 +26,7 @@ Maintainer: @Lapineige - [X] Backup/restore scripts - [X] Upgrade Script - [X] Change url +- [X] Integrate fail2ban for the app ## Installation information @@ -36,7 +37,7 @@ After the installation go to the domain and create your account. After the creat ## TODO - [ ] Integrate the LDAP/SSOWAT authentication (currently the authentication is done by Shaarli) -- [ ] Integrate fail2ban for the app + ## Changelog diff --git a/check_process b/check_process index 48d5cbd..a7f9ebe 100644 --- a/check_process +++ b/check_process @@ -27,7 +27,8 @@ Level 2=auto Level 3=auto # Level 4: - Level 4=0 +# Not implimented by upstream + Level 4=na # Level 5: Level 5=auto Level 6=auto diff --git a/conf/app.src b/conf/app.src index edea6e5..85471d8 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v0.9.7/shaarli-v0.9.7-full.tar.gz -SOURCE_SUM=f4146c10b477713c1f25ab59d383e56c37dce2ad60a820a3a4eb3273c9b436a4 +SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v0.10.2/shaarli-v0.10.2-full.tar.gz +SOURCE_SUM=e8e804b5e85283d3f81798bb46b22b2395cc646e6f4411efdbc3477de4d51a41 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 8affbc2..57affa6 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf 
@@ -390,3 +390,15 @@ catch_workers_output = yes ;php_admin_value[error_log] = /var/log/fpm-php.www.log ;php_admin_flag[log_errors] = on ;php_admin_value[memory_limit] = 32M + +; Common values to change to increase file upload limit +; upload_max_filesize = 50M +; post_max_size = 50M +; mail.add_x_header = Off + +; Other common parameters +; max_execution_time = 600 +; max_input_time = 300 +; memory_limit = 256M +; short_open_tag = On + diff --git a/conf/php-fpm.ini b/conf/php-fpm.ini deleted file mode 100644 index 5c27d59..0000000 --- a/conf/php-fpm.ini +++ /dev/null @@ -1,10 +0,0 @@ -; Common values to change to increase file upload limit -; upload_max_filesize = 50M -; post_max_size = 50M -; mail.add_x_header = Off - -; Other common parameters -; max_execution_time = 600 -; max_input_time = 300 -; memory_limit = 256M -; short_open_tag = On diff --git a/manifest.json b/manifest.json index 1739c30..6e86c5d 100644 --- a/manifest.json +++ b/manifest.json @@ -16,8 +16,8 @@ }, "url": "https://github.com/shaarli/Shaarli", "license": "free", - "version": "0.9.7", - "multi_instance": "true", + "version": "0.10.2", + "multi_instance": true, "services": [ "nginx", "php5-fpm" diff --git a/scripts/_common.sh b/scripts/_common.sh index efb9c12..a479bed 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -1,58 +1,78 @@ +#!/bin/bash + +# ============= FUTURE YUNOHOST HELPER ============= +# Delete a file checksum from the app settings # -# Common variables +# $app should be defined when calling this helper # - -# Shaarli version -VERSION="0.9.6" - -# Download shaarli (dependencies included) -# Full Shaarli sources tarball URL -SHAARLI_SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v${VERSION}/shaarli-v${VERSION}-full.tar.gz - -# Full Shaarli sources tarball checksum -SHAARLI_SOURCE_SHA256="a4f00b428b31b1a26aec199eb20165861ed5aff50e40173d0babcb85504a256e" - -# -# Common helpers -# - -# Source app helpers -. /usr/share/yunohost/helpers - -# Add path -ynh_normalize_url_path () { - path_url=$1 - test -n "$path_url" || ynh_die "ynh_normalize_url_path expect a URL path as first argument and received nothing." - if [ "${path_url:0:1}" != "/" ]; then # If the first character is not a / - path_url="/$path_url" # Add / at begin of path variable - fi - if [ "${path_url:${#path_url}-1}" == "/" ] && [ ${#path_url} -gt 1 ]; then # If the last character is a / and that not the only character. 
- path_url="${path_url:0:${#path_url}-1}" # Delete the last character - fi - echo $path_url +# usage: ynh_remove_file_checksum file +# | arg: file - The file for which the checksum will be deleted +ynh_delete_file_checksum () { + local checksum_setting_name=checksum_${1//[\/ ]/_} # Replace all '/' and ' ' by '_' + ynh_app_setting_delete $app $checksum_setting_name } -# Download and extract Shaarli sources to the given directory -# usage: extract_shaarli DESTDIR [AS_USER] -extract_shaarli() { - local AS_USER=${6:-$USER} - # Retrieve and extract Shaarli tarball - sh_tarball="/tmp/shaarli.tar.gz" - rm -f "$sh_tarball" - wget -q -O "$sh_tarball" "$SHAARLI_SOURCE_URL" \ - || ynh_die "Unable to download Shaarli tarball" - echo "$SHAARLI_SOURCE_SHA256 $sh_tarball" | sha256sum -c >/dev/null \ - || ynh_die "Invalid checksum of downloaded tarball" - sudo tar xf "$sh_tarball" -C "$final_path" --strip-components 1 \ - || ynh_die "Unable to extract Shaarli tarball" - rm -f "$sh_tarball" +#================================================= +# EXPERIMENTAL HELPERS +#================================================= - wget -q -O "$sh_tarball" "$SHAARLI_SOURCE_URL" \ - || ynh_die "Unable to download Shaarli tarball" - echo "$SHAARLI_SOURCE_SHA256 $sh_tarball" | sha256sum -c >/dev/null \ - || ynh_die "Invalid checksum of downloaded tarball" - sudo tar xf "$sh_tarball" -C "$final_path" --strip-components 1 \ - || ynh_die "Unable to extract Shaarli tarball" - sudo chown -R www-data: $final_path +# Create a dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]] +# | arg: log_file - Log file to be checked by fail2ban +# | arg: failregex - Failregex to be looked for by fail2ban +# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3 +# | arg: ports - Ports blocked for a banned IP address - default: http,https +ynh_add_fail2ban_config () { + # Process parameters + logpath=$1 + 
failregex=$2 + max_retry=${3:-3} + ports=${4:-http,https} + + test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing." + test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing." + + finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" + finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" + ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 + ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 + + sudo tee $finalfail2banjailconf <&2 + echo "WARNING${fail2ban_error#*WARNING}" >&2 + fi +} + +# Remove the dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_remove_fail2ban_config +ynh_remove_fail2ban_config () { + ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf" + ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf" + sudo systemctl restart fail2ban } diff --git a/scripts/backup b/scripts/backup index b308c7b..49d2dbb 100644 --- a/scripts/backup +++ b/scripts/backup @@ -49,4 +49,16 @@ ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf" #================================================= ynh_backup "/etc/php5/fpm/pool.d/$app.conf" -ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini" + +#================================================= +# BACKUP LOGROTATE +#================================================= + +ynh_backup "$final_path/data/log.txt" + +#================================================= +# BACKUP FAIL2BAN CONFIGURATION +#================================================= + +ynh_backup "/etc/fail2ban/jail.d/$app.conf" +ynh_backup "/etc/fail2ban/filter.d/$app.conf" diff --git a/scripts/change_url b/scripts/change_url index 2c5f46e..8b7446a 100644 --- a/scripts/change_url +++ b/scripts/change_url 
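Review bot: `ynh_add_fail2ban_config` assigns `logpath`, `failregex`, `max_retry`, `ports`, `finalfail2banjailconf` and `finalfail2banfilterconf` without `local`, so any script that sources scripts/_common.sh has those names overwritten in its global scope; `ynh_delete_file_checksum` just above does use `local`. Declaring them, e.g. `local logpath=$1 failregex=$2 max_retry=${3:-3} ports=${4:-http,https}`, and quoting the target as `sudo tee "$finalfail2banjailconf"` would keep this root-level write confined to the intended path even if `$app` ever contained whitespace or glob characters. The header comments also disagree with the code: the usage line reads `ynh_remove_file_checksum file` for a function named `ynh_delete_file_checksum`, and `log_file filter` for a second argument documented as `failregex`. The here-document bodies that write the jail and filter files are not visible on this page, so they are not covered by this note.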
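Review bot: The section headed `BACKUP LOGROTATE` in scripts/backup saves `$final_path/data/log.txt`, which is the application log itself rather than the logrotate rule that `ynh_use_logrotate` sets up at install time; the `RESTORE THE LOGROTATE CONFIGURATION` section in scripts/restore has the same mismatch. After a restore the rotation rule would be missing unless something outside these hunks recreates it. If the helper writes its rule to the usual location, adding `ynh_backup "/etc/logrotate.d/$app"` here and `ynh_restore_file "/etc/logrotate.d/$app"` in restore would close the gap, and the heading over the log.txt line could say that it backs up the login log that the fail2ban jail reads.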
@@ -21,6 +21,17 @@ new_path=$YNH_APP_NEW_PATH app=$YNH_APP_INSTANCE_NAME +#================================================= +# LOAD SETTINGS +#================================================= + +# Needed for helper "ynh_add_nginx_config" +final_path=$(ynh_app_setting_get $app final_path) + +# Add settings here as needed by your application +#db_name=$(ynh_app_setting_get "$app" db_name) +#db_pwd=$(ynh_app_setting_get $app db_pwd) + #================================================= # CHECK THE SYNTAX OF THE PATHS #================================================= @@ -30,6 +41,7 @@ test -n "$new_path" || new_path="/" new_path=$(ynh_normalize_url_path $new_path) old_path=$(ynh_normalize_url_path $old_path) + #================================================= # CHECK WHICH PARTS SHOULD BE CHANGED #================================================= 
@@ -57,26 +69,35 @@ nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf # Change the path in the nginx config file if [ $change_path -eq 1 ] then - # Make a backup of the original nginx config file if modified - ynh_backup_if_checksum_is_different "$nginx_conf_path" - # Replace locations starting with old_path - # Look for every location possible patterns (see https://nginx.org/en/docs/http/ngx_http_core_module.html#location) - ynh_replace_string "location\( \(=\|~\|~\*\|\^~\)\)\? $old_path" "location\1 $new_path" "$nginx_conf_path" - # Replace path in "return" directives - ynh_replace_string "return \([[:digit:]]\{3\}\) $old_path" "return \1 $new_path" "$nginx_conf_path" - # Calculate and store the nginx config file checksum - ynh_store_file_checksum "$nginx_conf_path" + # Make a backup of the original nginx config file if modified + ynh_backup_if_checksum_is_different "$nginx_conf_path" + # Set global variables for nginx helper + domain="$old_domain" + path_url="$new_path" + # Create a dedicated nginx config + ynh_add_nginx_config fi # Change the domain for nginx if [ $change_domain -eq 1 ] then - # Delete file checksum for the old conf file location - ynh_delete_file_checksum "$nginx_conf_path" + # Delete file checksum for the old conf file location + ynh_delete_file_checksum "$nginx_conf_path" mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf - # Store file checksum for the new config file location - ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf" + # Store file checksum for the new config file location + ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf" fi +#================================================= +# SPECIFIC MODIFICATIONS +#================================================= +# ... 
+#================================================= + +#================================================= +# GENERIC FINALISATION +#================================================= +# RELOAD NGINX +#================================================= systemctl reload nginx diff --git a/scripts/install b/scripts/install index ea6b108..3ea6f3c 100644 --- a/scripts/install +++ b/scripts/install @@ -13,9 +13,14 @@ source /usr/share/yunohost/helpers # MANAGE SCRIPT FAILURE #================================================= +ynh_clean_setup () { + ### Remove this function if there's nothing to clean before calling the remove script. + true +} # Exit if an error occurs during the execution of the script ynh_abort_if_errors + #================================================= # RETRIEVE ARGUMENTS FROM THE MANIFEST #================================================= @@ -42,9 +47,11 @@ app=$YNH_APP_INSTANCE_NAME #================================================= -# CHECK IF THE APP CAN BE INSTALLED WITH THIS ARGS +# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS #================================================= +### If the app uses nginx as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app". +### If the app provides an internal web server (or uses another application server such as uwsgi), the final path should be "/opt/yunohost/$app" final_path=/var/www/$app test ! -e "$final_path" || ynh_die "This path already contains a folder" @@ -57,14 +64,6 @@ ynh_webpath_available $domain $path_url ynh_webpath_register $app $domain $path_url - -# Check that the options are compatible -if [ $is_public = "Yes" ]; then - if [ $privateinstance = "Yes" ] ; then - ynh_die "Incompatible options: the instance cannot be both public and private" 1 - fi -fi - #================================================= # STORE SETTINGS FROM MANIFEST #================================================= 
@@ -75,7 +74,7 @@ ynh_app_setting_set $app is_public $is_public # Install dependencies -ynh_install_app_dependencies php5-cli +ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl' 'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl #================================================= @@ -114,18 +113,36 @@ sudo find $final_path -type d | xargs sudo chmod 755 # Set right permissions for curl install chown -R $app: $final_path +#================================================= +# SETUP LOGROTATE +#================================================= + +### `ynh_use_logrotate` is used to configure a logrotate configuration for the logs of this app. +### Use this helper only if there is effectively a log file for this app. +### If you're not using this helper: +### - Remove the section "BACKUP LOGROTATE" in the backup script +### - Remove also the section "REMOVE LOGROTATE CONFIGURATION" in the remove script +### - As well as the section "RESTORE THE LOGROTATE CONFIGURATION" in the restore script +### - And the section "SETUP LOGROTATE" in the upgrade script + +# Use logrotate to manage application logfile(s) +ynh_use_logrotate "$final_path/data/log.txt" + + +#================================================= +# SETUP FAIL2BAN +#================================================= + +ynh_add_fail2ban_config "$final_path/data/log.txt" "\s-\s\s-\sLogin failed for user.*$" 5 + #================================================= # SETUP SSOWAT #================================================= -if [ $is_public -eq 0 ] -then # Remove the public access - ynh_app_setting_delete $app skipped_uris -fi # Make app public if necessary if [ $is_public -eq 1 ] then - # unprotected_uris allows SSO credentials to be passed anyway. + # unprotected_uris allows SSO credentials to be passed anyway ynh_app_setting_set $app unprotected_uris "/" fi diff --git a/scripts/remove b/scripts/remove index 074a1a9..f4bb727 100644 --- a/scripts/remove 
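Review bot: In the `SETUP FAIL2BAN` section of scripts/install, `ynh_add_fail2ban_config` is pointed at `$final_path/data/log.txt`, and nothing visible in this hunk creates that file beforehand. fail2ban normally refuses to start a jail whose log path does not exist, so the restart inside the helper may fail or leave the jail inactive until the application writes its first log entry. Creating the file ahead of the call, `touch "$final_path/data/log.txt"` followed by `chown $app: "$final_path/data/log.txt"`, would avoid that; the same call in scripts/upgrade (`@@ -101,6 +104,19 @@`) has the same exposure. As rendered on this page the failregex `\s-\s\s-\sLogin failed for user.*$` carries no `<HOST>` tag, which fail2ban needs in order to know which address to ban; that is probably an extraction artefact, but it is worth confirming in the real file.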
+++ b/scripts/remove @@ -19,6 +19,14 @@ app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get $app domain) final_path=$(ynh_app_setting_get $app final_path) + +#================================================= +# REMOVE DEPENDENCIES +#================================================= + +# Remove metapackage and its dependencies +ynh_remove_app_dependencies + #================================================= # REMOVE APP MAIN DIR #================================================= @@ -40,6 +48,19 @@ ynh_remove_nginx_config # Remove the dedicated php-fpm config ynh_remove_fpm_config +#================================================= +# REMOVE LOGROTATE CONFIGURATION +#================================================= + +# Remove the app-specific logrotate config +ynh_remove_logrotate + +#================================================= +# REMOVE FAIL2BAN CONFIGURATION +#================================================= + +ynh_remove_fail2ban_config + #================================================= # REMOVE DEDICATED USER #================================================= diff --git a/scripts/restore b/scripts/restore index dd9e7e2..984086c 100644 --- a/scripts/restore +++ b/scripts/restore @@ -74,7 +74,6 @@ chown -R $app: $final_path #================================================= ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf" -ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini" #================================================= # SPECIFIC RESTORATION 
@@ -83,14 +82,27 @@ ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini" #================================================= # Define and install dependencies -ynh_install_app_dependencies php5-cli +ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl' 'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl + +#================================================= +# RESTORE THE LOGROTATE CONFIGURATION +#================================================= + +ynh_restore_file "$final_path/data/log.txt" + +#================================================= +# RESTORE FAIL2BAN CONFIGURATION +#================================================= + +ynh_restore_file "/etc/fail2ban/jail.d/$app.conf" +ynh_restore_file "/etc/fail2ban/filter.d/$app.conf" +systemctl restart fail2ban #================================================= # GENERIC FINALIZATION #================================================= # RELOAD NGINX AND PHP-FPM #================================================= - systemctl reload php5-fpm systemctl reload nginx diff --git a/scripts/upgrade b/scripts/upgrade index 47c7c3b..56a85b2 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -87,6 +87,9 @@ sudo rm -Rf "$tmpdir" # Create a dedicated nginx config ynh_add_nginx_config +# Install dependencies +ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl' 'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl + #================================================= # CREATE DEDICATED USER #================================================= 
@@ -101,6 +104,19 @@ ynh_system_user_create $app # Create a dedicated php-fpm config ynh_add_fpm_config +#================================================= +# SETUP LOGROTATE +#================================================= + +# Use logrotate to manage app-specific logfile(s) +ynh_use_logrotate --non-append + +#================================================= +# SETUP FAIL2BAN +#================================================= + +ynh_add_fail2ban_config "$final_path/data/log.txt" "\s-\s\s-\sLogin failed for user.*$" 5 + # Set right permissions chown -R $app: $final_path @@ -108,10 +124,6 @@ chown -R $app: $final_path # SETUP SSOWAT #================================================= -if [ $is_public -eq 0 ] -then # Remove the public access - ynh_app_setting_delete $app skipped_uris -fi # Make app public if necessary if [ $is_public -eq 1 ] then
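Review bot: `ynh_use_logrotate --non-append` in the `SETUP LOGROTATE` section of scripts/upgrade is called without a log path, whereas scripts/install calls `ynh_use_logrotate "$final_path/data/log.txt"`. The helper appears to fall back to a default directory under /var/log when no path is given (to be confirmed against the helper's source), in which case an upgrade would rewrite the rotation rule so that it no longer covers the file the fail2ban jail is watching. Passing the same path, `ynh_use_logrotate "$final_path/data/log.txt" --non-append`, would keep install and upgrade consistent.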