mirror of https://github.com/YunoHost-Apps/shaarli_ynh.git synced 2024-09-03 20:26:10 +02:00

Update to 0.10.2, added logrotate, change url and fail2ban (#36)

* Update manifest to 0.10.2

* Update to 0.10.2

* Update ReadMe to 0.10.2

* Update to 0.10.2

* Updated is_public according to YNH 3

* Added logrotate,fail2ban

* Added dependencies and updated change_url

* Added dependencies php5-gd

* Remove ini file for php

* Removed backup of php.ini file

* Removed restore of php.ini file
lapineige 2018-11-04 14:01:28 +01:00 committed by GitHub
parent 1b1a07040e
commit 9109a4ca89
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 223 additions and 104 deletions


@ -12,7 +12,7 @@ It is based on the community version of Shaarli (from @sebsauvage original softw
You can get a demo [here](https://shaarli.readthedocs.io/en/master/#demo). You can get a demo [here](https://shaarli.readthedocs.io/en/master/#demo).
Current version: **0.9.7** Current version: **0.10.2**
This app intends to provide to Yunohost's users Shaarli (https://github.com/shaarli/Shaarli), a simple but advanced bookmarking service. This app intends to provide to Yunohost's users Shaarli (https://github.com/shaarli/Shaarli), a simple but advanced bookmarking service.
@ -26,6 +26,7 @@ Maintainer: @Lapineige
- [X] Backup/restore scripts - [X] Backup/restore scripts
- [X] Upgrade Script - [X] Upgrade Script
- [X] Change url - [X] Change url
- [X] Integrate fail2ban for the app
## Installation information ## Installation information
@ -36,7 +37,7 @@ After the installation go to the domain and create your account. After the creat
## TODO ## TODO
- [ ] Integrate the LDAP/SSOWAT authentication (currently the authentication is done by Shaarli) - [ ] Integrate the LDAP/SSOWAT authentication (currently the authentication is done by Shaarli)
- [ ] Integrate fail2ban for the app
## Changelog ## Changelog


@ -27,7 +27,8 @@
Level 2=auto Level 2=auto
Level 3=auto Level 3=auto
# Level 4: # Level 4:
Level 4=0 # Not implimented by upstream
Level 4=na
# Level 5: # Level 5:
Level 5=auto Level 5=auto
Level 6=auto Level 6=auto


@ -1,5 +1,5 @@
SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v0.9.7/shaarli-v0.9.7-full.tar.gz SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v0.10.2/shaarli-v0.10.2-full.tar.gz
SOURCE_SUM=f4146c10b477713c1f25ab59d383e56c37dce2ad60a820a3a4eb3273c9b436a4 SOURCE_SUM=e8e804b5e85283d3f81798bb46b22b2395cc646e6f4411efdbc3477de4d51a41
SOURCE_SUM_PRG=sha256sum SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=tar.gz SOURCE_FORMAT=tar.gz
SOURCE_IN_SUBDIR=true SOURCE_IN_SUBDIR=true


@ -390,3 +390,15 @@ catch_workers_output = yes
;php_admin_value[error_log] = /var/log/fpm-php.www.log ;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on ;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M ;php_admin_value[memory_limit] = 32M
; Common values to change to increase file upload limit
; upload_max_filesize = 50M
; post_max_size = 50M
; mail.add_x_header = Off
; Other common parameters
; max_execution_time = 600
; max_input_time = 300
; memory_limit = 256M
; short_open_tag = On


@ -1,10 +0,0 @@
; Common values to change to increase file upload limit
; upload_max_filesize = 50M
; post_max_size = 50M
; mail.add_x_header = Off
; Other common parameters
; max_execution_time = 600
; max_input_time = 300
; memory_limit = 256M
; short_open_tag = On


@ -16,8 +16,8 @@
}, },
"url": "https://github.com/shaarli/Shaarli", "url": "https://github.com/shaarli/Shaarli",
"license": "free", "license": "free",
"version": "0.9.7", "version": "0.10.2",
"multi_instance": "true", "multi_instance": true,
"services": [ "services": [
"nginx", "nginx",
"php5-fpm" "php5-fpm"


@ -1,58 +1,78 @@
#!/bin/bash
# ============= FUTURE YUNOHOST HELPER =============
# Delete a file checksum from the app settings
# #
# Common variables # $app should be defined when calling this helper
# #
# usage: ynh_remove_file_checksum file
# Shaarli version # | arg: file - The file for which the checksum will be deleted
VERSION="0.9.6" ynh_delete_file_checksum () {
local checksum_setting_name=checksum_${1//[\/ ]/_} # Replace all '/' and ' ' by '_'
# Download shaarli (dependencies included) ynh_app_setting_delete $app $checksum_setting_name
# Full Shaarli sources tarball URL
SHAARLI_SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v${VERSION}/shaarli-v${VERSION}-full.tar.gz
# Full Shaarli sources tarball checksum
SHAARLI_SOURCE_SHA256="a4f00b428b31b1a26aec199eb20165861ed5aff50e40173d0babcb85504a256e"
#
# Common helpers
#
# Source app helpers
. /usr/share/yunohost/helpers
# Add path
ynh_normalize_url_path () {
path_url=$1
test -n "$path_url" || ynh_die "ynh_normalize_url_path expect a URL path as first argument and received nothing."
if [ "${path_url:0:1}" != "/" ]; then # If the first character is not a /
path_url="/$path_url" # Add / at begin of path variable
fi
if [ "${path_url:${#path_url}-1}" == "/" ] && [ ${#path_url} -gt 1 ]; then # If the last character is a / and that not the only character.
path_url="${path_url:0:${#path_url}-1}" # Delete the last character
fi
echo $path_url
} }
# Download and extract Shaarli sources to the given directory
# usage: extract_shaarli DESTDIR [AS_USER]
extract_shaarli() {
local AS_USER=${6:-$USER}
# Retrieve and extract Shaarli tarball #=================================================
sh_tarball="/tmp/shaarli.tar.gz" # EXPERIMENTAL HELPERS
rm -f "$sh_tarball" #=================================================
wget -q -O "$sh_tarball" "$SHAARLI_SOURCE_URL" \
|| ynh_die "Unable to download Shaarli tarball"
echo "$SHAARLI_SOURCE_SHA256 $sh_tarball" | sha256sum -c >/dev/null \
|| ynh_die "Invalid checksum of downloaded tarball"
sudo tar xf "$sh_tarball" -C "$final_path" --strip-components 1 \
|| ynh_die "Unable to extract Shaarli tarball"
rm -f "$sh_tarball"
wget -q -O "$sh_tarball" "$SHAARLI_SOURCE_URL" \ # Create a dedicated fail2ban config (jail and filter conf files)
|| ynh_die "Unable to download Shaarli tarball" #
echo "$SHAARLI_SOURCE_SHA256 $sh_tarball" | sha256sum -c >/dev/null \ # usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
|| ynh_die "Invalid checksum of downloaded tarball" # | arg: log_file - Log file to be checked by fail2ban
sudo tar xf "$sh_tarball" -C "$final_path" --strip-components 1 \ # | arg: failregex - Failregex to be looked for by fail2ban
|| ynh_die "Unable to extract Shaarli tarball" # | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
sudo chown -R www-data: $final_path # | arg: ports - Ports blocked for a banned IP address - default: http,https
ynh_add_fail2ban_config () {
# Process parameters
logpath=$1
failregex=$2
max_retry=${3:-3}
ports=${4:-http,https}
test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
sudo tee $finalfail2banjailconf <<EOF
[$app]
enabled = true
port = $ports
filter = $app
logpath = $logpath
maxretry = $max_retry
EOF
sudo tee $finalfail2banfilterconf <<EOF
[INCLUDES]
before = common.conf
[Definition]
failregex = $failregex
ignoreregex =
EOF
ynh_store_file_checksum "$finalfail2banjailconf"
ynh_store_file_checksum "$finalfail2banfilterconf"
systemctl restart fail2ban
local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
if [ -n "$fail2ban_error" ]
then
echo "[ERR] Fail2ban failed to load the jail for $app" >&2
echo "WARNING${fail2ban_error#*WARNING}" >&2
fi
}
# Remove the dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_remove_fail2ban_config
ynh_remove_fail2ban_config () {
ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
sudo systemctl restart fail2ban
} }
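Review bot: In `ynh_add_fail2ban_config`, the check after `systemctl restart fail2ban` only greps the last 50 journal lines for `WARNING.*$app.*` and prints to stderr, so a jail that fails to load for another reason, or a fail2ban that does not come back up, can leave the install looking successful with no brute-force protection in place. I would test the service state explicitly, e.g. `systemctl is-active --quiet fail2ban || ynh_die "fail2ban did not restart after adding the $app jail"`, and keep the journal grep as a diagnostic hint only. The function also assigns `logpath`, `failregex`, `max_retry`, `ports` and the two `finalfail2ban…conf` names without `local` and passes the paths unquoted to `sudo tee`, which additionally echoes the generated config to stdout; `sudo tee "$finalfail2banjailconf" >/dev/null <<EOF` addresses the quoting and the echo. The header comments are out of step with the code: the usage line above `ynh_delete_file_checksum` names `ynh_remove_file_checksum`, and the fail2ban usage line lists `filter` where the argument documented below it is `failregex`.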


@ -49,4 +49,16 @@ ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf"
#================================================= #=================================================
ynh_backup "/etc/php5/fpm/pool.d/$app.conf" ynh_backup "/etc/php5/fpm/pool.d/$app.conf"
ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini"
#=================================================
# BACKUP LOGROTATE
#=================================================
ynh_backup "$final_path/data/log.txt"
#=================================================
# BACKUP FAIL2BAN CONFIGURATION
#=================================================
ynh_backup "/etc/fail2ban/jail.d/$app.conf"
ynh_backup "/etc/fail2ban/filter.d/$app.conf"
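Review bot: The `BACKUP LOGROTATE` section saves `$final_path/data/log.txt`, which is the log itself and not the logrotate configuration that `ynh_use_logrotate` generates at install time, so a restore brings back the log but, as far as this page shows, no rotation rule; the restore script's `RESTORE THE LOGROTATE CONFIGURATION` section has the same mismatch. Either back up the generated logrotate file here (YunoHost's example app uses `ynh_backup "/etc/logrotate.d/$app"`; confirm the path against the helper) or rename the section to say it saves the log. If `$final_path` is already backed up earlier in the script, which is outside this hunk, the log file is archived twice.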


@ -21,6 +21,17 @@ new_path=$YNH_APP_NEW_PATH
app=$YNH_APP_INSTANCE_NAME app=$YNH_APP_INSTANCE_NAME
#=================================================
# LOAD SETTINGS
#=================================================
# Needed for helper "ynh_add_nginx_config"
final_path=$(ynh_app_setting_get $app final_path)
# Add settings here as needed by your application
#db_name=$(ynh_app_setting_get "$app" db_name)
#db_pwd=$(ynh_app_setting_get $app db_pwd)
#================================================= #=================================================
# CHECK THE SYNTAX OF THE PATHS # CHECK THE SYNTAX OF THE PATHS
#================================================= #=================================================
@ -30,6 +41,7 @@ test -n "$new_path" || new_path="/"
new_path=$(ynh_normalize_url_path $new_path) new_path=$(ynh_normalize_url_path $new_path)
old_path=$(ynh_normalize_url_path $old_path) old_path=$(ynh_normalize_url_path $old_path)
#================================================= #=================================================
# CHECK WHICH PARTS SHOULD BE CHANGED # CHECK WHICH PARTS SHOULD BE CHANGED
#================================================= #=================================================
@ -59,13 +71,11 @@ if [ $change_path -eq 1 ]
then then
# Make a backup of the original nginx config file if modified # Make a backup of the original nginx config file if modified
ynh_backup_if_checksum_is_different "$nginx_conf_path" ynh_backup_if_checksum_is_different "$nginx_conf_path"
# Replace locations starting with old_path # Set global variables for nginx helper
# Look for every location possible patterns (see https://nginx.org/en/docs/http/ngx_http_core_module.html#location) domain="$old_domain"
ynh_replace_string "location\( \(=\|~\|~\*\|\^~\)\)\? $old_path" "location\1 $new_path" "$nginx_conf_path" path_url="$new_path"
# Replace path in "return" directives # Create a dedicated nginx config
ynh_replace_string "return \([[:digit:]]\{3\}\) $old_path" "return \1 $new_path" "$nginx_conf_path" ynh_add_nginx_config
# Calculate and store the nginx config file checksum
ynh_store_file_checksum "$nginx_conf_path"
fi fi
# Change the domain for nginx # Change the domain for nginx
@ -78,5 +88,16 @@ then
ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf" ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf"
fi fi
#=================================================
# SPECIFIC MODIFICATIONS
#=================================================
# ...
#=================================================
#=================================================
# GENERIC FINALISATION
#=================================================
# RELOAD NGINX
#=================================================
systemctl reload nginx systemctl reload nginx
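Review bot: `final_path=$(ynh_app_setting_get $app final_path)` is loaded only so that `ynh_add_nginx_config` can use it, but nothing visible here checks that the setting came back non-empty before the nginx config is regenerated. A guard right after the assignment, such as `test -n "$final_path" || ynh_die "final_path is not set for $app"`, with `"$app"` quoted in the lookup, would fail early instead of writing a config built from an empty path. The commented-out `db_name`/`db_pwd` lines and the `# ...` placeholder under `SPECIFIC MODIFICATIONS` look like template scaffolding and could be dropped.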


@ -13,9 +13,14 @@ source /usr/share/yunohost/helpers
# MANAGE SCRIPT FAILURE # MANAGE SCRIPT FAILURE
#================================================= #=================================================
ynh_clean_setup () {
### Remove this function if there's nothing to clean before calling the remove script.
true
}
# Exit if an error occurs during the execution of the script # Exit if an error occurs during the execution of the script
ynh_abort_if_errors ynh_abort_if_errors
#================================================= #=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST # RETRIEVE ARGUMENTS FROM THE MANIFEST
#================================================= #=================================================
@ -42,9 +47,11 @@ app=$YNH_APP_INSTANCE_NAME
#================================================= #=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THIS ARGS # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#================================================= #=================================================
### If the app uses nginx as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app".
### If the app provides an internal web server (or uses another application server such as uwsgi), the final path should be "/opt/yunohost/$app"
final_path=/var/www/$app final_path=/var/www/$app
test ! -e "$final_path" || ynh_die "This path already contains a folder" test ! -e "$final_path" || ynh_die "This path already contains a folder"
@ -57,14 +64,6 @@ ynh_webpath_available $domain $path_url
ynh_webpath_register $app $domain $path_url ynh_webpath_register $app $domain $path_url
# Check that the options are compatible
if [ $is_public = "Yes" ]; then
if [ $privateinstance = "Yes" ] ; then
ynh_die "Incompatible options: the instance cannot be both public and private" 1
fi
fi
#================================================= #=================================================
# STORE SETTINGS FROM MANIFEST # STORE SETTINGS FROM MANIFEST
#================================================= #=================================================
@ -75,7 +74,7 @@ ynh_app_setting_set $app is_public $is_public
# Install dependencies # Install dependencies
ynh_install_app_dependencies php5-cli ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl' 'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl
#================================================= #=================================================
@ -114,18 +113,36 @@ sudo find $final_path -type d | xargs sudo chmod 755
# Set right permissions for curl install # Set right permissions for curl install
chown -R $app: $final_path chown -R $app: $final_path
#=================================================
# SETUP LOGROTATE
#=================================================
### `ynh_use_logrotate` is used to configure a logrotate configuration for the logs of this app.
### Use this helper only if there is effectively a log file for this app.
### If you're not using this helper:
### - Remove the section "BACKUP LOGROTATE" in the backup script
### - Remove also the section "REMOVE LOGROTATE CONFIGURATION" in the remove script
### - As well as the section "RESTORE THE LOGROTATE CONFIGURATION" in the restore script
### - And the section "SETUP LOGROTATE" in the upgrade script
# Use logrotate to manage application logfile(s)
ynh_use_logrotate "$final_path/data/log.txt"
#=================================================
# SETUP FAIL2BAN
#=================================================
ynh_add_fail2ban_config "$final_path/data/log.txt" "\s-\s<HOST>\s-\sLogin failed for user.*$" 5
#================================================= #=================================================
# SETUP SSOWAT # SETUP SSOWAT
#================================================= #=================================================
if [ $is_public -eq 0 ]
then # Remove the public access
ynh_app_setting_delete $app skipped_uris
fi
# Make app public if necessary # Make app public if necessary
if [ $is_public -eq 1 ] if [ $is_public -eq 1 ]
then then
# unprotected_uris allows SSO credentials to be passed anyway. # unprotected_uris allows SSO credentials to be passed anyway
ynh_app_setting_set $app unprotected_uris "/" ynh_app_setting_set $app unprotected_uris "/"
fi fi
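Review bot: The failregex passed to `ynh_add_fail2ban_config`, `"\s-\s<HOST>\s-\sLogin failed for user.*$"`, is not anchored at the start, and the text after `user` is presumably whatever was submitted in the login form, so which address gets banned depends on the matcher preferring the leftmost candidate. Assuming the log line begins with a timestamp that fail2ban strips before matching, an anchored form such as `"^\s*-\s<HOST>\s-\sLogin failed for user"` ties `<HOST>` to the address field the application writes and keeps user-supplied text later in the line out of consideration; please verify it against a real line from `data/log.txt`. The same call appears in the upgrade script. It is also worth confirming that `$final_path/data/log.txt` exists before the jail is loaded, since fail2ban reports an error for a jail whose `logpath` matches no file.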


@ -19,6 +19,14 @@ app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get $app domain) domain=$(ynh_app_setting_get $app domain)
final_path=$(ynh_app_setting_get $app final_path) final_path=$(ynh_app_setting_get $app final_path)
#=================================================
# REMOVE DEPENDENCIES
#=================================================
# Remove metapackage and its dependencies
ynh_remove_app_dependencies
#================================================= #=================================================
# REMOVE APP MAIN DIR # REMOVE APP MAIN DIR
#================================================= #=================================================
@ -40,6 +48,19 @@ ynh_remove_nginx_config
# Remove the dedicated php-fpm config # Remove the dedicated php-fpm config
ynh_remove_fpm_config ynh_remove_fpm_config
#=================================================
# REMOVE LOGROTATE CONFIGURATION
#=================================================
# Remove the app-specific logrotate config
ynh_remove_logrotate
#=================================================
# REMOVE FAIL2BAN CONFIGURATION
#=================================================
ynh_remove_fail2ban_config
#================================================= #=================================================
# REMOVE DEDICATED USER # REMOVE DEDICATED USER
#================================================= #=================================================


@ -74,7 +74,6 @@ chown -R $app: $final_path
#================================================= #=================================================
ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf" ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf"
ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
#================================================= #=================================================
# SPECIFIC RESTORATION # SPECIFIC RESTORATION
@ -83,14 +82,27 @@ ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
#================================================= #=================================================
# Define and install dependencies # Define and install dependencies
ynh_install_app_dependencies php5-cli ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl' 'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl
#=================================================
# RESTORE THE LOGROTATE CONFIGURATION
#=================================================
ynh_restore_file "$final_path/data/log.txt"
#=================================================
# RESTORE FAIL2BAN CONFIGURATION
#=================================================
ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
systemctl restart fail2ban
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION
#================================================= #=================================================
# RELOAD NGINX AND PHP-FPM # RELOAD NGINX AND PHP-FPM
#================================================= #=================================================
systemctl reload php5-fpm systemctl reload php5-fpm
systemctl reload nginx systemctl reload nginx


@ -87,6 +87,9 @@ sudo rm -Rf "$tmpdir"
# Create a dedicated nginx config # Create a dedicated nginx config
ynh_add_nginx_config ynh_add_nginx_config
# Install dependencies
ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl' 'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl
#================================================= #=================================================
# CREATE DEDICATED USER # CREATE DEDICATED USER
#================================================= #=================================================
@ -101,6 +104,19 @@ ynh_system_user_create $app
# Create a dedicated php-fpm config # Create a dedicated php-fpm config
ynh_add_fpm_config ynh_add_fpm_config
#=================================================
# SETUP LOGROTATE
#=================================================
# Use logrotate to manage app-specific logfile(s)
ynh_use_logrotate --non-append
#=================================================
# SETUP FAIL2BAN
#=================================================
ynh_add_fail2ban_config "$final_path/data/log.txt" "\s-\s<HOST>\s-\sLogin failed for user.*$" 5
# Set right permissions # Set right permissions
chown -R $app: $final_path chown -R $app: $final_path
@ -108,10 +124,6 @@ chown -R $app: $final_path
# SETUP SSOWAT # SETUP SSOWAT
#================================================= #=================================================
if [ $is_public -eq 0 ]
then # Remove the public access
ynh_app_setting_delete $app skipped_uris
fi
# Make app public if necessary # Make app public if necessary
if [ $is_public -eq 1 ] if [ $is_public -eq 1 ]
then then
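Review bot: `ynh_use_logrotate --non-append` is called without a log path, while the install script passes `"$final_path/data/log.txt"`; as far as I know the helper falls back to a default location under `/var/log` when no path is given, so after an upgrade the rotation rule would no longer cover the file the fail2ban jail reads. Pass the same path in both scripts, e.g. `ynh_use_logrotate --non-append "$final_path/data/log.txt"`, after confirming the argument order against the helper. An unrotated `log.txt` keeps growing, and fail2ban has to keep following it for the jail to stay useful.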