diff --git a/conf/env_api-gateway.env.sample b/conf/env_api-gateway.env.sample
index 4593250..2da1623 100644
--- a/conf/env_api-gateway.env.sample
+++ b/conf/env_api-gateway.env.sample
@@ -8,6 +8,7 @@ PORT="__PORT_API_GATEWAY__"
 SYNCING_SERVER_JS_URL="http://localhost:__PORT_SYNCING_SERVER__"
 AUTH_SERVER_URL="http://localhost:__PORT_AUTH__"
+WORKSPACE_SERVER_URL="http://localhost:__PORT_WORKSPACE__"
 #PAYMENTS_SERVER_URL=http://payments:3000
 FILES_SERVER_URL=http://__DOMAIN____PATH__/files/
diff --git a/conf/env_workspace.env.sample b/conf/env_workspace.env.sample
new file mode 100644
index 0000000..9d6b155
--- /dev/null
+++ b/conf/env_workspace.env.sample
@@ -0,0 +1,36 @@
+__YNH_NODE_LOAD_PATH__
+
+LOG_LEVEL="info"
+NODE_ENV="production"
+VERSION="production"
+
+AUTH_JWT_SECRET=__AUTH_JWT_SECRET__
+
+PORT="__PORT_WORKSPACE__"
+
+DB_HOST=localhost
+DB_REPLICA_HOST=localhost
+DB_PORT=3306
+DB_USERNAME=__DB_USER__
+DB_PASSWORD=__DB_PWD__
+DB_DATABASE=__DB_NAME__
+DB_DEBUG_LEVEL=all # "all" | "query" | "schema" | "error" | "warn" | "info" | "log" | "migration"
+DB_MIGRATIONS_PATH=dist/migrations/*.js
+
+REDIS_URL="redis://localhost:6379/__REDIS_DB__"
+
+SNS_TOPIC_ARN=
+SNS_AWS_REGION=
+SQS_QUEUE_URL=
+SQS_AWS_REGION=
+
+REDIS_EVENTS_CHANNEL=events
+
+# (Optional) New Relic Setup
+NEW_RELIC_ENABLED=false
+NEW_RELIC_APP_NAME=Workspace
+NEW_RELIC_LICENSE_KEY=
+NEW_RELIC_NO_CONFIG_FILE=true
+NEW_RELIC_DISTRIBUTED_TRACING_ENABLED=false
+NEW_RELIC_LOG_ENABLED=false
+NEW_RELIC_LOG_LEVEL=info
diff --git a/conf/systemd_workspace.service b/conf/systemd_workspace.service
new file mode 100644
index 0000000..31615fb
--- /dev/null
+++ b/conf/systemd_workspace.service
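Review bot: `DB_DEBUG_LEVEL=all` in the new env_workspace.env.sample enables full query logging in a file that is otherwise a production profile (`NODE_ENV="production"` a few lines up); the value list in the trailing comment reads like an ORM logging level, so with `all` every SQL statement, presumably with its bound parameters, ends up in /var/log/__APP__/workspace.log through the unit's `StandardOutput=append:`. Query parameters can carry user data and nothing in this diff restricts who reads that log beyond rotation, so a quieter default such as `DB_DEBUG_LEVEL=error` (keeping the value-list comment) seems preferable unless the sibling env samples deliberately ship `all` as well. Whether the dotenv parser in use strips the inline `# ...` comment from an unquoted value is also worth confirming, since otherwise the effective value is the whole remainder of the line rather than `all`.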
@@ -0,0 +1,45 @@
+[Unit]
+Description=StandardNotes workspace
+After=network.target
+After=__APP__-auth.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__FINALPATH__/live/
+EnvironmentFile=__FINALPATH__/live/workspace.env
+ExecStart=/usr/bin/yarn start:workspace
+StandardOutput=append:/var/log/__APP__/workspace.log
+StandardError=inherit
+Restart=always
+
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=default.target
diff --git a/scripts/backup b/scripts/backup
index b5039ce..68c35e5 100755
--- a/scripts/backup
+++ b/scripts/backup
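Review bot: The hardening block in the new unit stops short of a few directives that are harmless for a Node process and in the spirit of the existing set: `RestrictSUIDSGID=yes`, `ProtectKernelLogs=yes` and `ProtectClock=yes` (the last two need systemd 244/245 or newer, so confirm the target release), plus `ProtectHome=yes` if `__FINALPATH__` is never under /home. The ordering is also thin: `After=__APP__-auth.service` only sequences against the auth unit, while the env file points this service at a local database (`DB_HOST=localhost`, `DB_PORT=3306`) and redis (`REDIS_URL=redis://localhost:6379/...`), so an `After=mariadb.service redis-server.service` line (adjusted to whatever unit names the host uses) would avoid a few `Restart=always` cycles at boot. `MemoryDenyWriteExecute` is rightly absent, since V8 needs writable executable pages.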
@@ -80,6 +80,7 @@ ynh_backup --src_path="/etc/systemd/system/$app-auth-worker.service"
 ynh_backup --src_path="/etc/systemd/system/$app-files.service"
 ynh_backup --src_path="/etc/systemd/system/$app-syncing-server.service"
 ynh_backup --src_path="/etc/systemd/system/$app-syncing-server-worker.service"
+ynh_backup --src_path="/etc/systemd/system/$app-workspace.service"
 #=================================================
 # BACKUP VARIOUS FILES
diff --git a/scripts/change_url b/scripts/change_url
index 7956d3b..02da51b 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -36,6 +36,7 @@ port_auth_worker=$(ynh_app_setting_get --app=$app --key=port_auth_worker)
 port_files=$(ynh_app_setting_get --app=$app --key=port_files)
 port_syncing_server=$(ynh_app_setting_get --app=$app --key=port_syncing_server)
 port_syncing_server_worker=$(ynh_app_setting_get --app=$app --key=port_syncing_server_worker)
+port_workspace=$(ynh_app_setting_get --app=$app --key=port_workspace)
 config_api_gateway="$final_path/live/api-gateway.env"
diff --git a/scripts/install b/scripts/install
index 6242910..7aed4e3 100755
--- a/scripts/install
+++ b/scripts/install
@@ -69,6 +69,7 @@ port_auth_worker=$(ynh_find_port --port=$((port_auth+1)))
 port_files=$(ynh_find_port --port=$((port_auth_worker+1)))
 port_syncing_server=$(ynh_find_port --port=$((port_files+1)))
 port_syncing_server_worker=$(ynh_find_port --port=$((port_syncing_server+1)))
+port_workspace=$(ynh_find_port --port=$((port_syncing_server_worker+1)))
 ynh_app_setting_set --app=$app --key=port_api_gateway --value=$port_api_gateway
 ynh_app_setting_set --app=$app --key=port_auth --value=$port_auth
@@ -76,6 +77,7 @@ ynh_app_setting_set --app=$app --key=port_auth_worker --value=$port_auth_worker
 ynh_app_setting_set --app=$app --key=port_files --value=$port_files
 ynh_app_setting_set --app=$app --key=port_syncing_server --value=$port_syncing_server
 ynh_app_setting_set --app=$app --key=port_syncing_server_worker --value=$port_syncing_server_worker
+ynh_app_setting_set --app=$app --key=port_workspace --value=$port_workspace
 #=================================================
 # INSTALL DEPENDENCIES
@@ -162,6 +164,7 @@ config_auth_worker="$final_path/live/auth-worker.env"
 config_files="$final_path/live/files.env"
 config_syncing_server="$final_path/live/syncing-server.env"
 config_syncing_server_worker="$final_path/live/syncing-server-worker.env"
+config_workspace="$final_path/live/workspace.env"
 jwt_secret=$(ynh_string_random --length=48 | base64)
 legacy_jwt_secret=$(ynh_string_random --length=48 | base64)
@@ -183,6 +186,7 @@ ynh_add_config --template="env_auth-worker.env.sample" --destination="$config_au
 ynh_add_config --template="env_files.env.sample" --destination="$config_files"
 ynh_add_config --template="env_syncing-server.env.sample" --destination="$config_syncing_server"
 ynh_add_config --template="env_syncing-server-worker.env.sample" --destination="$config_syncing_server_worker"
+ynh_add_config --template="env_workspace.env.sample" --destination="$config_workspace"
 #=================================================
 # INSTALLING Standard Notes - Syncing Server
@@ -191,8 +195,8 @@ ynh_script_progression --message="Installing Standard Notes - Syncing Server..."
 ynh_use_nodejs
 pushd "$final_path/live"
- ynh_exec_warn_less ynh_exec_as $app env NODE_OPTIONS="--max-old-space-size=$node_max_old_space_size" $ynh_node_load_PATH yarn install --immutable
- ynh_exec_warn_less ynh_exec_as $app env NODE_OPTIONS="--max-old-space-size=$node_max_old_space_size" $ynh_node_load_PATH yarn build
+ ynh_exec_warn_less ynh_exec_as $app env NODE_ENV="production" NODE_OPTIONS="--max-old-space-size=$node_max_old_space_size" $ynh_node_load_PATH yarn install --immutable
+ ynh_exec_warn_less ynh_exec_as $app env NODE_ENV="production" NODE_OPTIONS="--max-old-space-size=$node_max_old_space_size" $ynh_node_load_PATH yarn build
 popd
 #=================================================
@@ -207,6 +211,7 @@ ynh_add_systemd_config --service="$app-auth-worker" --template="systemd_auth-wor
 ynh_add_systemd_config --service="$app-files" --template="systemd_files.service"
 ynh_add_systemd_config --service="$app-syncing-server" --template="systemd_syncing-server.service"
 ynh_add_systemd_config --service="$app-syncing-server-worker" --template="systemd_syncing-server-worker.service"
+ynh_add_systemd_config --service="$app-workspace" --template="systemd_workspace.service"
 #=================================================
 # SETUP A CRON
@@ -236,6 +241,7 @@ ynh_use_logrotate --logfile="/var/log/$app/auth-worker.log"
 ynh_use_logrotate --logfile="/var/log/$app/files.log"
 ynh_use_logrotate --logfile="/var/log/$app/syncing-server.log"
 ynh_use_logrotate --logfile="/var/log/$app/syncing-server-worker.log"
+ynh_use_logrotate --logfile="/var/log/$app/workspace.log"
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
@@ -248,6 +254,7 @@ yunohost service add "$app-auth-worker" --description="Standard Notes - Auth - W
 yunohost service add "$app-files" --description="Standard Notes - Files" --log="/var/log/$app/files.log"
 yunohost service add "$app-syncing-server" --description="Standard Notes - Syncing Server" --log="/var/log/$app/syncing-server.log"
 yunohost service add "$app-syncing-server-worker" --description="Standard Notes - Syncing Server - Worker" --log="/var/log/$app/syncing-server-worker.log"
+yunohost service add "$app-workspace" --description="Standard Notes - Workspace" --log="/var/log/$app/workspace.log"
 #=================================================
 # START SYSTEMD SERVICE
@@ -285,6 +292,11 @@ ynh_systemd_action \
 --action="start" \
 --log_path="/var/log/$app/syncing-server-worker.log" \
 --line_match='^.*Server started on port.*$|^.*Starting worker.*$'
+ynh_systemd_action \
+ --service_name="$app-workspace" \
+ --action="start" \
+ --log_path="/var/log/$app/workspace.log" \
+ --line_match='^.*Server started on port.*$|^.*Starting worker.*$'
 #=================================================
 # SETUP FAIL2BAN
diff --git a/scripts/remove b/scripts/remove
index 57712e8..1263572 100755
--- a/scripts/remove
+++ b/scripts/remove
@@ -25,6 +25,7 @@ port_auth_worker=$(ynh_app_setting_get --app=$app --key=port_auth_worker)
 port_files=$(ynh_app_setting_get --app=$app --key=port_files)
 port_syncing_server=$(ynh_app_setting_get --app=$app --key=port_syncing_server)
 port_syncing_server_worker=$(ynh_app_setting_get --app=$app --key=port_syncing_server_worker)
+port_workspace=$(ynh_app_setting_get --app=$app --key=port_workspace)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 db_user=$db_name
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
@@ -67,6 +68,11 @@ then
 ynh_script_progression --message="Removing $app-syncing-server-worker service..." --weight=1
 yunohost service remove "$app-syncing-server-worker"
 fi
+if ynh_exec_warn_less yunohost service status "$app-workspace" >/dev/null
+then
+ ynh_script_progression --message="Removing $app-workspace service..." --weight=1
+ yunohost service remove "$app-workspace"
+fi
 #=================================================
 # STOP AND REMOVE SERVICE
@@ -80,6 +86,7 @@ ynh_remove_systemd_config --service="$app-auth-worker"
 ynh_remove_systemd_config --service="$app-files"
 ynh_remove_systemd_config --service="$app-syncing-server"
 ynh_remove_systemd_config --service="$app-syncing-server-worker"
+ynh_remove_systemd_config --service="$app-workspace"
 ynh_reset_systemd
diff --git a/scripts/restore b/scripts/restore
index bb6855a..4dbe522 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -45,6 +45,7 @@ config_auth_worker="$final_path/live/auth-worker.env"
 config_files="$final_path/live/files.env"
 config_syncing_server="$final_path/live/syncing-server.env"
 config_syncing_server_worker="$final_path/live/syncing-server-worker.env"
+config_workspace="$final_path/live/workspace.env"
 config_nginx="/etc/nginx/conf.d/$domain.d/$app.conf"
@@ -69,6 +70,7 @@ port_auth_worker=$(ynh_find_port --port=$((port_auth+1)))
 port_files=$(ynh_find_port --port=$((port_auth_worker+1)))
 port_syncing_server=$(ynh_find_port --port=$((port_files+1)))
 port_syncing_server_worker=$(ynh_find_port --port=$((port_syncing_server+1)))
+port_workspace=$(ynh_find_port --port=$((port_syncing_server_worker+1)))
 ynh_app_setting_set --app=$app --key=port_api_gateway --value=$port_api_gateway
 ynh_app_setting_set --app=$app --key=port_auth --value=$port_auth
@@ -76,6 +78,7 @@ ynh_app_setting_set --app=$app --key=port_auth_worker --value=$port_auth_worker
 ynh_app_setting_set --app=$app --key=port_files --value=$port_files
 ynh_app_setting_set --app=$app --key=port_syncing_server --value=$port_syncing_server
 ynh_app_setting_set --app=$app --key=port_syncing_server_worker --value=$port_syncing_server_worker
+ynh_app_setting_set --app=$app --key=port_workspace --value=$port_workspace
 #=================================================
 # RECREATE THE DEDICATED USER
@@ -158,6 +161,7 @@ ynh_replace_string --match_string="^REDIS_URL.*$" --replace_string="REDIS_URL=re
 ynh_replace_string --match_string="^REDIS_URL.*$" --replace_string="REDIS_URL=redis://localhost:6379/$redis_db" --target_file="$config_files"
 ynh_replace_string --match_string="^REDIS_URL.*$" --replace_string="REDIS_URL=redis://localhost:6379/$redis_db" --target_file="$config_syncing_server"
 ynh_replace_string --match_string="^REDIS_URL.*$" --replace_string="REDIS_URL=redis://localhost:6379/$redis_db" --target_file="$config_syncing_server_worker"
+ynh_replace_string --match_string="^REDIS_URL.*$" --replace_string="REDIS_URL=redis://localhost:6379/$redis_db" --target_file="$config_workspace"
 # Syncing_Server Port
 ynh_replace_string --match_string="^PORT.*$" --replace_string="PORT=$port_syncing_server" --target_file="$config_syncing_server"
 ynh_replace_string --match_string="^SYNCING_SERVER_JS_URL.*$" --replace_string="SYNCING_SERVER_JS_URL=http://localhost:$port_syncing_server" --target_file="$config_api_gateway"
@@ -178,6 +182,9 @@ ynh_replace_string_on_line --line="2" --match_string="proxy_pass.*$" --replace_s
 # Files Port
 ynh_replace_string --match_string="^PORT.*$" --replace_string="PORT=$port_files" --target_file="$config_files"
 ynh_replace_string_on_line --line="17" --match_string="proxy_pass.*$" --replace_string="proxy_pass http://127.0.0.1:$port_files/;" --target_file="$config_nginx"
+# Workspace Port
+ynh_replace_string --match_string="^PORT.*$" --replace_string="PORT=$port_workspace" --target_file="$config_workspace"
+ynh_replace_string --match_string="^WORKSPACE_SERVER_URL.*$" --replace_string="WORKSPACE_SERVER_URL=http://localhost:$port_workspace" --target_file="$config_api_gateway"
 #=================================================
 # RESTORE VARIOUS FILES
@@ -206,6 +213,7 @@ ynh_restore_file --origin_path="/etc/systemd/system/$app-auth-worker.service"
 ynh_restore_file --origin_path="/etc/systemd/system/$app-files.service"
 ynh_restore_file --origin_path="/etc/systemd/system/$app-syncing-server.service"
 ynh_restore_file --origin_path="/etc/systemd/system/$app-syncing-server-worker.service"
+ynh_restore_file --origin_path="/etc/systemd/system/$app-workspace.service"
 systemctl enable $app-api-gateway.service --quiet
 systemctl enable $app-auth.service --quiet
@@ -213,6 +221,7 @@ systemctl enable $app-auth-worker.service --quiet
 systemctl enable $app-files.service --quiet
 systemctl enable $app-syncing-server.service --quiet
 systemctl enable $app-syncing-server-worker.service --quiet
+systemctl enable $app-workspace.service --quiet
 #=================================================
 # RESTORE THE LOGROTATE CONFIGURATION
@@ -235,6 +244,7 @@ yunohost service add "$app-auth-worker" --description="Standard Notes - Auth - W
 yunohost service add "$app-files" --description="Standard Notes - Files" --log="/var/log/$app/files.log"
 yunohost service add "$app-syncing-server" --description="Standard Notes - Syncing Server" --log="/var/log/$app/syncing-server.log"
 yunohost service add "$app-syncing-server-worker" --description="Standard Notes - Syncing Server - Worker" --log="/var/log/$app/syncing-server-worker.log"
+yunohost service add "$app-workspace" --description="Standard Notes - Workspace" --log="/var/log/$app/workspace.log"
 #=================================================
 # START SYSTEMD SERVICE
@@ -271,6 +281,11 @@ ynh_systemd_action \
 --action="start" \
 --log_path="/var/log/$app/syncing-server-worker.log" \
 --line_match='^.*Server started on port.*$|^.*Starting worker.*$'
+ynh_systemd_action \
+ --service_name="$app-workspace" \
+ --action="start" \
+ --log_path="/var/log/$app/workspace.log" \
+ --line_match='^.*Server started on port.*$|^.*Starting worker.*$'
 #=================================================
 # GENERIC FINALIZATION
diff --git a/scripts/upgrade b/scripts/upgrade
index b8864ab..197c127 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -32,6 +32,7 @@ port_auth_worker=$(ynh_app_setting_get --app=$app --key=port_auth_worker)
 port_files=$(ynh_app_setting_get --app=$app --key=port_files)
 port_syncing_server=$(ynh_app_setting_get --app=$app --key=port_syncing_server)
 port_syncing_server_worker=$(ynh_app_setting_get --app=$app --key=port_syncing_server_worker)
+port_workspace=$(ynh_app_setting_get --app=$app --key=port_workspace)
 redis_db=$(ynh_app_setting_get --app=$app --key=redis_db)
@@ -51,6 +52,7 @@ config_auth_worker="$final_path/live/auth-worker.env"
 config_files="$final_path/live/files.env"
 config_syncing_server="$final_path/live/syncing-server.env"
 config_syncing_server_worker="$final_path/live/syncing-server-worker.env"
+config_workspace="$final_path/live/workspace.env"
 nodejs_version_installed=$(ynh_app_setting_get --app=$app --key=nodejs_version)
@@ -106,6 +108,10 @@ ynh_systemd_action \
 --service_name="$app-syncing-server-worker" \
 --action="stop" \
 --log_path="/var/log/$app/syncing-server-worker.log"
+ynh_systemd_action \
+ --service_name="$app-workspace" \
+ --action="stop" \
+ --log_path="/var/log/$app/workspace.log"
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
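Review bot: The new `ynh_systemd_action --service_name="$app-workspace" --action="stop"` runs unconditionally, but on the first upgrade to this version the unit does not exist yet (it is only written by `ynh_add_systemd_config --service="$app-workspace"` further down in this script), and `systemctl stop` of an unknown unit exits non-zero; as far as I can tell ynh_systemd_action then reports failure and, under the script's error trap, the upgrade aborts before the unit is ever created. Guard the stop on the unit file the backup script already references, e.g. `if [ -e "/etc/systemd/system/$app-workspace.service" ]; then` before the four new lines and `fi` after them.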
@@ -131,19 +137,22 @@ if [[ -z "$port_api_gateway" || \
 -z "$port_auth_worker" || \
 -z "$port_files" || \
 -z "$port_syncing_server" || \
- -z "$port_syncing_server_worker" ]]; then
+ -z "$port_syncing_server_worker" || \
+ -z "$port_workspace" ]]; then
 port_api_gateway=$(ynh_find_port --port=3000)
 port_auth=$(ynh_find_port --port=$((port_api_gateway+1)))
 port_auth_worker=$(ynh_find_port --port=$((port_auth+1)))
 port_files=$(ynh_find_port --port=$((port_auth_worker+1)))
 port_syncing_server=$(ynh_find_port --port=$((port_files+1)))
 port_syncing_server_worker=$(ynh_find_port --port=$((port_syncing_server+1)))
+ port_workspace=$(ynh_find_port --port=$((port_syncing_server_worker+1)))
 ynh_app_setting_set --app=$app --key=port_api_gateway --value=$port_api_gateway
 ynh_app_setting_set --app=$app --key=port_auth --value=$port_auth
 ynh_app_setting_set --app=$app --key=port_auth_worker --value=$port_auth_worker
 ynh_app_setting_set --app=$app --key=port_files --value=$port_files
 ynh_app_setting_set --app=$app --key=port_syncing_server --value=$port_syncing_server
 ynh_app_setting_set --app=$app --key=port_syncing_server_worker --value=$port_syncing_server_worker
+ ynh_app_setting_set --app=$app --key=port_workspace --value=$port_workspace
 fi
 # If jwt_secret doesn't exist, create it
@@ -317,6 +326,7 @@ ynh_add_config --template="env_auth-worker.env.sample" --destination="$config_au
 ynh_add_config --template="env_files.env.sample" --destination="$config_files"
 ynh_add_config --template="env_syncing-server.env.sample" --destination="$config_syncing_server"
 ynh_add_config --template="env_syncing-server-worker.env.sample" --destination="$config_syncing_server_worker"
+ynh_add_config --template="env_workspace.env.sample" --destination="$config_workspace"
 #=================================================
 # INSTALLING Standard Notes - Syncing Server
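Review bot: Extending this condition with `-z "$port_workspace"` makes every pre-existing install, which has no port_workspace setting yet, re-enter the whole block on this upgrade and re-allocate all six existing ports with ynh_find_port, not just pick one for the workspace. Because the services are stopped at this point the old ports are usually free and come back unchanged, but any port that has since been taken by another process silently moves, which is a surprising side effect of an upgrade that only adds a service. Leave the original condition as it was and give the new setting its own guard after the block; the `if [[` being extended opens before the hunk.
```shell
# … unchanged: original port_* downward-compatibility block, without the -z "$port_workspace" test …
if [[ -z "$port_workspace" ]]; then
	port_workspace=$(ynh_find_port --port=$((port_syncing_server_worker+1)))
	ynh_app_setting_set --app=$app --key=port_workspace --value=$port_workspace
fi
```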
@@ -326,8 +336,8 @@ then
 ynh_script_progression --message="Installing Standard Notes - Syncing Server..." --weight=93
 ynh_use_nodejs
 pushd "$final_path/live"
- ynh_exec_warn_less ynh_exec_as $app env NODE_OPTIONS="--max-old-space-size=$node_max_old_space_size" $ynh_node_load_PATH yarn install --immutable
- ynh_exec_warn_less ynh_exec_as $app env NODE_OPTIONS="--max-old-space-size=$node_max_old_space_size" $ynh_node_load_PATH yarn build
+ ynh_exec_warn_less ynh_exec_as $app env NODE_ENV="production" NODE_OPTIONS="--max-old-space-size=$node_max_old_space_size" $ynh_node_load_PATH yarn install --immutable
+ ynh_exec_warn_less ynh_exec_as $app env NODE_ENV="production" NODE_OPTIONS="--max-old-space-size=$node_max_old_space_size" $ynh_node_load_PATH yarn build
 popd
 fi
@@ -343,6 +353,7 @@ ynh_add_systemd_config --service="$app-auth-worker" --template="systemd_auth-wor
 ynh_add_systemd_config --service="$app-files" --template="systemd_files.service"
 ynh_add_systemd_config --service="$app-syncing-server" --template="systemd_syncing-server.service"
 ynh_add_systemd_config --service="$app-syncing-server-worker" --template="systemd_syncing-server-worker.service"
+ynh_add_systemd_config --service="$app-workspace" --template="systemd_workspace.service"
 #=================================================
 # GENERIC FINALIZATION
@@ -361,6 +372,7 @@ ynh_use_logrotate --logfile="/var/log/$app/auth-worker.log"
 ynh_use_logrotate --logfile="/var/log/$app/files.log"
 ynh_use_logrotate --logfile="/var/log/$app/syncing-server.log"
 ynh_use_logrotate --logfile="/var/log/$app/syncing-server-worker.log"
+ynh_use_logrotate --logfile="/var/log/$app/workspace.log"
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
@@ -373,6 +385,7 @@ yunohost service add "$app-auth-worker" --description="Standard Notes - Auth - W
 yunohost service add "$app-files" --description="Standard Notes - Files" --log="/var/log/$app/files.log"
 yunohost service add "$app-syncing-server" --description="Standard Notes - Syncing Server" --log="/var/log/$app/syncing-server.log"
 yunohost service add "$app-syncing-server-worker" --description="Standard Notes - Syncing Server - Worker" --log="/var/log/$app/syncing-server-worker.log"
+yunohost service add "$app-workspace" --description="Standard Notes - Workspace" --log="/var/log/$app/workspace.log"
 #=================================================
 # START SYSTEMD SERVICE
@@ -410,6 +423,11 @@ ynh_systemd_action \
 --action="start" \
 --log_path="/var/log/$app/syncing-server-worker.log" \
 --line_match='^.*Server started on port.*$|^.*Starting worker.*$'
+ynh_systemd_action \
+ --service_name="$app-workspace" \
+ --action="start" \
+ --log_path="/var/log/$app/workspace.log" \
+ --line_match='^.*Server started on port.*$|^.*Starting worker.*$'
 #=================================================
 # SETUP A CRON