Update to 0.10.2, added logrotate, change url and fail2ban (#36)

* Update manifest to 0.10.2 * Update to 0.10.2 * Update ReadMe to 0.10.2 * Update to 0.10.2 * Updated is_public according to YNH 3 * Added logrotate,fail2ban * Added dependencies and updated change_url * Added dependencies php5-gd * Remove ini file for php * Removed backup of php.ini file * Removed restore of php.ini file
2024-09-03 20:26:10 +02:00 · 2018-11-04 14:01:28 +01:00 · 2018-11-04 14:01:28 +01:00 · 9109a4ca89
commit 9109a4ca89
parent 1b1a07040e
13 changed files with 223 additions and 104 deletions
--- a/README.md
+++ b/README.md
@ -12,7 +12,7 @@ It is based on the community version of Shaarli (from @sebsauvage original softw
 You can get a demo [here](https://shaarli.readthedocs.io/en/master/#demo).
-Current version: **0.9.7**
+Current version: **0.10.2**
 This app intends to provide to Yunohost's users Shaarli (https://github.com/shaarli/Shaarli), a simple but advanced bookmarking service.
@ -26,6 +26,7 @@ Maintainer: @Lapineige
 - [X] Backup/restore scripts
 - [X] Upgrade Script
 - [X] Change url
 - [X] Integrate fail2ban for the app
 ## Installation information
@ -36,7 +37,7 @@ After the installation go to the domain and create your account. After the creat
 ## TODO
 - [ ] Integrate the LDAP/SSOWAT authentication (currently the authentication is done by Shaarli)
- [ ] Integrate fail2ban for the app
+
 ## Changelog
--- a/3
+++ b/3
@ -27,7 +27,8 @@
 	Level 2=auto
 	Level 3=auto
 # Level 4: 
-	Level 4=0
+# Not implimented by upstream
 	Level 4=na
 # Level 5: 
 	Level 5=auto
 	Level 6=auto
--- a/conf/app.src
+++ b/conf/app.src
@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v0.9.7/shaarli-v0.9.7-full.tar.gz
+SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v0.10.2/shaarli-v0.10.2-full.tar.gz
-SOURCE_SUM=f4146c10b477713c1f25ab59d383e56c37dce2ad60a820a3a4eb3273c9b436a4
+SOURCE_SUM=e8e804b5e85283d3f81798bb46b22b2395cc646e6f4411efdbc3477de4d51a41
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
--- a/conf/php-fpm.conf
+++ b/conf/php-fpm.conf
@ -390,3 +390,15 @@ catch_workers_output = yes
 ;php_admin_value[error_log] = /var/log/fpm-php.www.log
 ;php_admin_flag[log_errors] = on
 ;php_admin_value[memory_limit] = 32M
 ; Common values to change to increase file upload limit
 ; upload_max_filesize = 50M
 ; post_max_size = 50M
 ; mail.add_x_header = Off
 ; Other common parameters
 ; max_execution_time = 600
 ; max_input_time = 300
 ; memory_limit = 256M
 ; short_open_tag = On
--- a/conf/php-fpm.ini
+++ b/conf/php-fpm.ini
@ -1,10 +0,0 @@
 ; Common values to change to increase file upload limit
 ; upload_max_filesize = 50M
 ; post_max_size = 50M
 ; mail.add_x_header = Off
 ; Other common parameters
 ; max_execution_time = 600
 ; max_input_time = 300
 ; memory_limit = 256M
 ; short_open_tag = On
--- a/manifest.json
+++ b/manifest.json
@ -16,8 +16,8 @@
  },
  "url": "https://github.com/shaarli/Shaarli",
  "license": "free",
-  "version": "0.9.7",
+  "version": "0.10.2",
-  "multi_instance": "true",
+  "multi_instance": true,
  "services": [
        "nginx",
        "php5-fpm"
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -1,58 +1,78 @@
 #!/bin/bash
 # ============= FUTURE YUNOHOST HELPER =============
 # Delete a file checksum from the app settings
 #
-# Common variables
+# $app should be defined when calling this helper
 #
-
+# usage: ynh_remove_file_checksum file
-# Shaarli version
+# | arg: file - The file for which the checksum will be deleted
-VERSION="0.9.6"
+ynh_delete_file_checksum () {
-
+	local checksum_setting_name=checksum_${1//[\/ ]/_}	# Replace all '/' and ' ' by '_'
-# Download shaarli (dependencies included)
+	ynh_app_setting_delete $app $checksum_setting_name
 # Full Shaarli sources tarball URL
 SHAARLI_SOURCE_URL=https://github.com/shaarli/Shaarli/releases/download/v${VERSION}/shaarli-v${VERSION}-full.tar.gz
 # Full Shaarli sources tarball checksum
 SHAARLI_SOURCE_SHA256="a4f00b428b31b1a26aec199eb20165861ed5aff50e40173d0babcb85504a256e"
 #
 # Common helpers
 #
 # Source app helpers
 . /usr/share/yunohost/helpers
 # Add path
 ynh_normalize_url_path () {
 	path_url=$1
 	test -n "$path_url" || ynh_die "ynh_normalize_url_path expect a URL path as first argument and received nothing."
 	if [ "${path_url:0:1}" != "/" ]; then    # If the first character is not a /
 		path_url="/$path_url"    # Add / at begin of path variable
 	fi
 	if [ "${path_url:${#path_url}-1}" == "/" ] && [ ${#path_url} -gt 1 ]; then    # If the last character is a / and that not the only character.
 		path_url="${path_url:0:${#path_url}-1}"	# Delete the last character
 	fi
 	echo $path_url
 }
 # Download and extract Shaarli sources to the given directory
 # usage: extract_shaarli DESTDIR [AS_USER]
 extract_shaarli() {
    local AS_USER=${6:-$USER}
-    # Retrieve and extract Shaarli tarball
+#=================================================
-    sh_tarball="/tmp/shaarli.tar.gz"
+# EXPERIMENTAL HELPERS
-    rm -f "$sh_tarball"
+#=================================================
    wget -q -O "$sh_tarball" "$SHAARLI_SOURCE_URL" \
        || ynh_die "Unable to download Shaarli tarball"
    echo "$SHAARLI_SOURCE_SHA256 $sh_tarball" | sha256sum -c >/dev/null \
        || ynh_die "Invalid checksum of downloaded tarball"
    sudo tar xf "$sh_tarball" -C "$final_path" --strip-components 1 \
        || ynh_die "Unable to extract Shaarli tarball"
    rm -f "$sh_tarball"
-    wget -q -O "$sh_tarball" "$SHAARLI_SOURCE_URL" \
+# Create a dedicated fail2ban config (jail and filter conf files)
-        || ynh_die "Unable to download Shaarli tarball"
+#
-    echo "$SHAARLI_SOURCE_SHA256 $sh_tarball" | sha256sum -c >/dev/null \
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
-        || ynh_die "Invalid checksum of downloaded tarball"
+# | arg: log_file - Log file to be checked by fail2ban
-    sudo tar xf "$sh_tarball" -C "$final_path" --strip-components 1 \
+# | arg: failregex - Failregex to be looked for by fail2ban
-        || ynh_die "Unable to extract Shaarli tarball"
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
-    sudo chown -R www-data: $final_path
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
 ynh_add_fail2ban_config () {
   # Process parameters
   logpath=$1
   failregex=$2
   max_retry=${3:-3}
   ports=${4:-http,https}
  test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
  test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
  finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
  finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
  ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
  ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
  sudo tee $finalfail2banjailconf <<EOF
 [$app]
 enabled = true
 port = $ports
 filter = $app
 logpath = $logpath
 maxretry = $max_retry
 EOF
  sudo tee $finalfail2banfilterconf <<EOF
 [INCLUDES]
 before = common.conf
 [Definition]
 failregex = $failregex
 ignoreregex =
 EOF
  ynh_store_file_checksum "$finalfail2banjailconf"
  ynh_store_file_checksum "$finalfail2banfilterconf"
  systemctl restart fail2ban
  local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
  if [ -n "$fail2ban_error" ]
  then
    echo "[ERR] Fail2ban failed to load the jail for $app" >&2
    echo "WARNING${fail2ban_error#*WARNING}" >&2
  fi
 }
 # Remove the dedicated fail2ban config (jail and filter conf files)
 #
 # usage: ynh_remove_fail2ban_config
 ynh_remove_fail2ban_config () {
  ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
  sudo systemctl restart fail2ban
 }
--- a/scripts/backup
+++ b/scripts/backup
@ -49,4 +49,16 @@ ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf"
 #=================================================
 ynh_backup "/etc/php5/fpm/pool.d/$app.conf"
-ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini"
+
 #=================================================
 # BACKUP LOGROTATE
 #=================================================
 ynh_backup "$final_path/data/log.txt"
 #=================================================
 # BACKUP FAIL2BAN CONFIGURATION
 #=================================================
 ynh_backup "/etc/fail2ban/jail.d/$app.conf"
 ynh_backup "/etc/fail2ban/filter.d/$app.conf"
--- a/scripts/change_url
+++ b/scripts/change_url
@ -21,6 +21,17 @@ new_path=$YNH_APP_NEW_PATH
 app=$YNH_APP_INSTANCE_NAME
 #=================================================
 # LOAD SETTINGS
 #=================================================
 # Needed for helper "ynh_add_nginx_config"
 final_path=$(ynh_app_setting_get $app final_path)
 # Add settings here as needed by your application
 #db_name=$(ynh_app_setting_get "$app" db_name)
 #db_pwd=$(ynh_app_setting_get $app db_pwd)
 #=================================================
 # CHECK THE SYNTAX OF THE PATHS
 #=================================================
@ -30,6 +41,7 @@ test -n "$new_path" || new_path="/"
 new_path=$(ynh_normalize_url_path $new_path)
 old_path=$(ynh_normalize_url_path $old_path)
 #=================================================
 # CHECK WHICH PARTS SHOULD BE CHANGED
 #=================================================
@ -59,13 +71,11 @@ if [ $change_path -eq 1 ]
 then
 	# Make a backup of the original nginx config file if modified
 	ynh_backup_if_checksum_is_different "$nginx_conf_path"
-  # Replace locations starting with old_path
+	# Set global variables for nginx helper
-  # Look for every location possible patterns (see https://nginx.org/en/docs/http/ngx_http_core_module.html#location)
+	domain="$old_domain"
-  ynh_replace_string "location\( \(=\|~\|~\*\|\^~\)\)\? $old_path" "location\1 $new_path"  "$nginx_conf_path"
+	path_url="$new_path"
-  # Replace path in "return" directives
+	# Create a dedicated nginx config
-  ynh_replace_string "return \([[:digit:]]\{3\}\) $old_path" "return \1 $new_path"  "$nginx_conf_path"
+	ynh_add_nginx_config
  # Calculate and store the nginx config file checksum
  ynh_store_file_checksum "$nginx_conf_path"
 fi
 # Change the domain for nginx
@ -78,5 +88,16 @@ then
 	ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf"
 fi
 #=================================================
 # SPECIFIC MODIFICATIONS
 #=================================================
 # ...
 #=================================================
 #=================================================
 # GENERIC FINALISATION
 #=================================================
 # RELOAD NGINX
 #=================================================
 systemctl reload nginx
--- a/scripts/install
+++ b/scripts/install
@ -13,9 +13,14 @@ source /usr/share/yunohost/helpers
 # MANAGE SCRIPT FAILURE
 #=================================================
 ynh_clean_setup () {
 	### Remove this function if there's nothing to clean before calling the remove script.
 	true
 }
 # Exit if an error occurs during the execution of the script
 ynh_abort_if_errors
 #=================================================
 # RETRIEVE ARGUMENTS FROM THE MANIFEST
 #=================================================
@ -42,9 +47,11 @@ app=$YNH_APP_INSTANCE_NAME
 #=================================================
-# CHECK IF THE APP CAN BE INSTALLED WITH THIS ARGS
+# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
 #=================================================
 ### If the app uses nginx as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app".
 ### If the app provides an internal web server (or uses another application server such as uwsgi), the final path should be "/opt/yunohost/$app"
 final_path=/var/www/$app
 test ! -e "$final_path" || ynh_die "This path already contains a folder"
@ -57,14 +64,6 @@ ynh_webpath_available $domain $path_url
 ynh_webpath_register $app $domain $path_url
 # Check that the options are compatible
 if [ $is_public = "Yes" ]; then
  if [ $privateinstance = "Yes" ] ; then
    ynh_die "Incompatible options: the instance cannot be both public and private" 1
  fi
 fi
 #=================================================
 # STORE SETTINGS FROM MANIFEST
 #=================================================
@ -75,7 +74,7 @@ ynh_app_setting_set $app is_public $is_public
 # Install dependencies
-ynh_install_app_dependencies php5-cli 
+ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl'  'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl
 #=================================================
@ -114,18 +113,36 @@ sudo find $final_path -type d | xargs sudo chmod 755
 # Set right permissions for curl install
 chown -R $app: $final_path
 #=================================================
 # SETUP LOGROTATE
 #=================================================
 ### `ynh_use_logrotate` is used to configure a logrotate configuration for the logs of this app.
 ### Use this helper only if there is effectively a log file for this app.
 ### If you're not using this helper:
 ###		- Remove the section "BACKUP LOGROTATE" in the backup script
 ###		- Remove also the section "REMOVE LOGROTATE CONFIGURATION" in the remove script
 ###		- As well as the section "RESTORE THE LOGROTATE CONFIGURATION" in the restore script
 ###		- And the section "SETUP LOGROTATE" in the upgrade script
 # Use logrotate to manage application logfile(s)
 ynh_use_logrotate "$final_path/data/log.txt"
 #=================================================
 # SETUP FAIL2BAN
 #=================================================
 ynh_add_fail2ban_config "$final_path/data/log.txt" "\s-\s<HOST>\s-\sLogin failed for user.*$" 5
 #=================================================
 # SETUP SSOWAT
 #=================================================
 if [ $is_public -eq 0 ]
 then	# Remove the public access
 	ynh_app_setting_delete $app skipped_uris
 fi
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
-	# unprotected_uris allows SSO credentials to be passed anyway.
+	# unprotected_uris allows SSO credentials to be passed anyway
 	ynh_app_setting_set $app unprotected_uris "/"
 fi
--- a/scripts/remove
+++ b/scripts/remove
@ -19,6 +19,14 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get $app domain)
 final_path=$(ynh_app_setting_get $app final_path)
 #=================================================
 # REMOVE DEPENDENCIES
 #=================================================
 # Remove metapackage and its dependencies
 ynh_remove_app_dependencies
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================
@ -40,6 +48,19 @@ ynh_remove_nginx_config
 # Remove the dedicated php-fpm config
 ynh_remove_fpm_config
 #=================================================
 # REMOVE LOGROTATE CONFIGURATION
 #=================================================
 # Remove the app-specific logrotate config
 ynh_remove_logrotate
 #=================================================
 # REMOVE FAIL2BAN CONFIGURATION
 #=================================================
 ynh_remove_fail2ban_config
 #=================================================
 # REMOVE DEDICATED USER
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -74,7 +74,6 @@ chown -R $app: $final_path
 #=================================================
 ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf"
 ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
 #=================================================
 # SPECIFIC RESTORATION
@ -83,14 +82,27 @@ ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
 #=================================================
 # Define and install dependencies
-ynh_install_app_dependencies php5-cli 
+ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl'  'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl
 #=================================================
 # RESTORE THE LOGROTATE CONFIGURATION
 #=================================================
 ynh_restore_file "$final_path/data/log.txt"
 #=================================================
 # RESTORE FAIL2BAN CONFIGURATION
 #=================================================
 ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
 ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
 systemctl restart fail2ban
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
 # RELOAD NGINX AND PHP-FPM
 #=================================================
 systemctl reload php5-fpm
 systemctl reload nginx
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -87,6 +87,9 @@ sudo rm -Rf "$tmpdir"
 # Create a dedicated nginx config
 ynh_add_nginx_config
 # Install dependencies
 ynh_install_app_dependencies 'php5-cli|php-cli' php-gettext 'php5-curl|php-curl' 'php-intl|php5-intl' 'php-gd|php5-gd' 'php-mbstring|base-files(<<9.0)' openssl
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@ -101,6 +104,19 @@ ynh_system_user_create $app
 # Create a dedicated php-fpm config
 ynh_add_fpm_config
 #=================================================
 # SETUP LOGROTATE
 #=================================================
 # Use logrotate to manage app-specific logfile(s)
 ynh_use_logrotate --non-append
 #=================================================
 # SETUP FAIL2BAN
 #=================================================
 ynh_add_fail2ban_config "$final_path/data/log.txt" "\s-\s<HOST>\s-\sLogin failed for user.*$" 5
 # Set right permissions 
 chown -R $app: $final_path
@ -108,10 +124,6 @@ chown -R $app: $final_path
 # SETUP SSOWAT
 #=================================================
 if [ $is_public -eq 0 ]
 then	# Remove the public access
 	ynh_app_setting_delete $app skipped_uris
 fi
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then