diff --git a/README.md b/README.md index 5368f3e..14b382d 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ @@ -19,7 +19,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in SOGo is an opensource groupware solution which has Webmail, a global address book and Calender and Contacts which can be synced via caldav or cardav. -**Shipped version:** 5.0.1~ynh3 +**Shipped version:** 5.0.1~ynh4 **Demo:** https://demo.sogo.nu/SOGo/ ## Documentation and resources @@ -42,4 +42,4 @@ or sudo yunohost app upgrade sogo -u https://github.com/YunoHost-Apps/sogo_ynh/tree/testing --debug ``` -**More info regarding app packaging:** +**More info regarding app packaging:** \ No newline at end of file diff --git a/README_fr.md b/README_fr.md index b8ba07e..3a7b5d6 100644 --- a/README_fr.md +++ b/README_fr.md @@ -1,5 +1,5 @@ @@ -19,7 +19,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po SOGo is an opensource groupware solution which has Webmail, a global address book and Calender and Contacts which can be synced via caldav or cardav. -**Version incluse :** 5.0.1~ynh3 +**Version incluse :** 5.0.1~ynh4 **Démo :** https://demo.sogo.nu/SOGo/ ## Documentations et ressources diff --git a/conf/cron b/conf/cron deleted file mode 100644 index d13c566..0000000 --- a/conf/cron +++ /dev/null 
@@ -1,22 +0,0 @@
-# Sogod cronjobs
-
-# Vacation messages expiration
-# The credentials file should contain the sieve admin credentials (username:passwd)
-0 0 * * * __APP__ /__INSTALL_DIR__/sbin/sogo-tool update-autoreply -p /etc/sogo/sieve.creds
-
-# Session cleanup - runs every minute
-# - Ajust the nbMinutes parameter to suit your needs
-# Example: Sessions without activity since 60 minutes will be dropped:
-* * * * * __APP__ /__INSTALL_DIR__/sbin/sogo-tool expire-sessions 60 > /dev/null 2>&1
-
-# Email alarms - runs every minutes
-# If you need to use SMTP AUTH for outgoing mails, specify credentials to use
-# with '-p /path/to/credentialsFile' (same format as the sieve credentials)
-* * * * * __APP__ /__INSTALL_DIR__/sbin/sogo-ealarms-notify > /dev/null 2>&1
-
-# Daily backups
-# - writes to ~sogo/backups/ by default
-# - will keep 31 days worth of backups by default
-# - runs once a day by default, but can run more frequently
-# - make sure to set the path to sogo-backup.sh correctly
-#30 0 * * * __APP__ /__INSTALL_DIR__/share/doc/sogo/sogo-backup.sh
diff --git a/conf/default_sogo b/conf/default_sogo
deleted file mode 100644
index 05efad1..0000000
--- a/conf/default_sogo
+++ /dev/null
@@ -1 +0,0 @@
-PREFORK=3
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 9ee8171..9e5f9ff 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,8 +1,9 @@
 # SOGo Proxying
 #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
-location ^~ __PATH__/ {
+location ^~/SOGo/
+{
 proxy_pass http://127.0.0.1:__PORT__;
- proxy_redirect http://127.0.0.1:__PORT__/SOGo/ /SOGo;
+ proxy_redirect http://127.0.0.1:__PORT__ default;
 # forward user's IP address
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
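Review bot: `proxy_redirect http://127.0.0.1:__PORT__ default;` is parsed by nginx as the two-argument form, so the literal string `default` becomes the replacement and every backend `Location`/`Refresh` header that starts with the upstream address is rewritten to begin with `default`. The keyword only has its special meaning when it is the sole argument; use `proxy_redirect default;` or an explicit pair such as `proxy_redirect http://127.0.0.1:__PORT__/ /;`. The location is also hard-coded to `/SOGo/` while the `#sub_path_only rewrite` line above still uses `__PATH__`, which is worth a comment such as `# SOGo only works under /SOGo; the install script refuses any other path`. The location block closes outside this hunk.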
@@ -11,17 +12,39 @@ location ^~ __PATH__/ { proxy_set_header x-webobjects-remote-host 127.0.0.1; proxy_set_header x-webobjects-server-name $server_name; proxy_set_header x-webobjects-server-url $scheme://$host; + proxy_set_header x-webobjects-server-port $server_port; + proxy_connect_timeout 90; + proxy_send_timeout 90; + proxy_read_timeout 90; + proxy_buffer_size 8k; + proxy_buffers 4 64k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 64k; + break; + include conf.d/yunohost_panel.conf.inc; client_max_body_size 100M; } - -location __PATH__.woa/WebServerResources/ { +location /SOGo.woa/WebServerResources/ +{ alias /usr/lib/GNUstep/SOGo/WebServerResources/; + allow all; + expires max; } -location __PATH__/WebServerResources/ { +location /SOGo/WebServerResources/ +{ alias /usr/lib/GNUstep/SOGo/WebServerResources/; + allow all; + expires max; } -location ^__PATH__/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ { +location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$)/ +{ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; +} +location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$)/ +{ + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; } diff --git a/conf/sogo.conf b/conf/sogo.conf index f5b5b47..05ce975 100644 --- a/conf/sogo.conf +++ b/conf/sogo.conf @@ -10,13 +10,13 @@ SOGoAppointmentSendEMailNotifications = YES; SOGoEnablePublicAccess = YES; SOGoMailingMechanism = smtp; - SOGoSMTPServer = 127.0.0.1:__PORT_SMTP__; + SOGoSMTPServer = "smtp://__DOMAIN__:587/?tls=YES"; SOGoSMTPAuthenticationType = PLAIN; SOGoTimeZone = UTC; SOGoSentFolderName = Sent; SOGoTrashFolderName = Trash; SOGoDraftsFolderName = Drafts; - SOGoIMAPServer = "imap://localhost:143"; + SOGoIMAPServer = "imaps://__DOMAIN__:993"; SOGoIMAPAclConformsToIMAPExt = YES; SOGoVacationEnabled = YES; SOGoForwardEnabled = YES; diff --git a/conf/stunnel.conf b/conf/stunnel.conf deleted file mode 100644 index 3c859d2..0000000 
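Review bot: The two new `location (^/SOGo/so/ControlPanel/...)/` blocks have no `~` modifier, so nginx treats the whole pattern as a literal prefix that no request URI can start with, and the `alias` lines using `$1`/`$2` never run. Even with `~` added they would stay unreachable, because the `^~` on the `/SOGo/` proxy location disables regex matching for everything under that prefix, and the outer parentheses shift the capture numbers (in the second block `$2` would be the file extension). If these are meant to serve files from disk, write them as `location ~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {` and drop `^~` from the proxy block, or delete them. The `break;` placed between the proxy settings and `include`/`client_max_body_size` only affects rewrite-module directives and deserves a comment or removal.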
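Review bot: `SOGoSMTPAuthenticationType = PLAIN` now depends entirely on the `tls=YES` upgrade on port 587, and the hunk gives no indication of what happens to the password when STARTTLS is not offered or the certificate for `__DOMAIN__` does not verify. Both URLs also assume the app's install domain resolves to the local mail server and matches its certificate, which may not hold when SOGo is installed on a secondary domain. I would document that above the two settings, e.g. `/* SMTP submission with STARTTLS and IMAPS: __DOMAIN__ must resolve to this server and match the mail certificate */`, and confirm in testing that SOGo refuses to authenticate over an unencrypted session. The settings dictionary starts and ends outside this hunk.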
--- a/conf/stunnel.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[Smtp-Starttls]
-client=yes
-accept = __PORT_SMTP__
-connect = 587
-
-protocol = smtp
-protocolAuthentication = plain
diff --git a/conf/systemd.service b/conf/systemd.service
deleted file mode 100644
index 71c6dbe..0000000
--- a/conf/systemd.service
+++ /dev/null
@@ -1,46 +0,0 @@
-[Unit]
-Description=SOGo is a groupware server
-After=network.target
-After=mariadb.service
-
-[Service]
-Environment="PREFORK=3"
-Environment="LD_LIBRARY_PATH=/lib:/usr/lib:/__INSTALL_DIR__/Library/Libraries/sogo:/__INSTALL_DIR__/Local/Library/Libraries/sogo"
-EnvironmentFile=-/etc/default/__APP__
-Type=forking
-ExecStart=/__INSTALL_DIR__/sbin/sogod -WOWorkersCount ${PREFORK} -WOPidFile /run/__APP__/sogo.pid -WOLogFile /var/log/__APP__/sogo.log
-PIDFile=/run/__APP__/sogo.pid
-User=__APP__
-
-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
-ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
-
-# Denying access to capabilities that should not be relevant for webapps
-# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
-CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
-CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
-CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
-CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
-
-[Install]
-WantedBy=multi-user.target
diff --git a/manifest.toml b/manifest.toml
index c4b8abd..f7484df 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -7,7 +7,7 @@ name = "SOGo" description.en = "Opensource groupware for E-Mail, Contacts and Calender" description.fr = "Groupware opensource pour les e-mail, contacts et calendrier" -version = "5.0.1~ynh3" +version = "5.0.1~ynh4" maintainers = ["Josué Tille"] @@ -34,6 +34,10 @@ ram.runtime = "200M" [install.domain] type = "domain" + [install.path] + type = "path" + default = "/SOGo" + [install.admin] type = "user" @@ -41,13 +45,11 @@ ram.runtime = "200M" help.en = "If it's not public, everybody which want to access to any page of SOGo need to be authenticated on the SSO. On the public mode anybody can access to the authentication page. The shared calendar will be also accessible by anybody who has this link" help.fr = "Si n'est pas publique, n'importe qui veux accéder à n'importe quelle page de SOGo doit être authentifié dans le SSO. Dans le mode publique n'importe qui peut accéder à la page d'authentification de SOGo. Les agenda partagé seront aussi accessible par n'import qui qui à ce liens." type = "group" - default = "visitors" + default = "all_users" [resources] [resources.system_user] - [resources.install_dir] - [resources.permissions] main.url = "/" @@ -58,15 +60,12 @@ ram.runtime = "200M" sync_client.auth_header = false sync_client.additional_urls = ["/Microsoft-Server-ActiveSync", "/principals", "/.well-known/caldav", "/.well-known/carddav"] - [resources.ports] main.default = 20000 - smtp.default = 20001 [resources.apt] packages = [ "sogo", - "stunnel4", "memcached", "mariadb-server", ] diff --git a/scripts/_common.sh b/scripts/_common.sh index ec74b54..c3d16fa 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -9,7 +9,7 @@ #================================================= config_nginx() { - nginx_config="$YNH_APP_BASEDIR/conf/nginx.conf" + nginx_config="/etc/nginx/conf.d/$domain.d/$app.conf" # shellcheck disable=SC2016 principals_block=' 
@@ -21,22 +21,33 @@ location = /principals/ { # shellcheck disable=SC2016 activesync_block=' # For ActiveSync -location /Microsoft-Server-ActiveSync/ { - proxy_pass http://127.0.0.1:__PORT__/SOGo/Microsoft-Server-ActiveSync/; +location ^~ /Microsoft-Server-ActiveSync { + proxy_connect_timeout 75; + proxy_send_timeout 3600; + proxy_read_timeout 3600; + proxy_buffers 64 256k; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_pass http://127.0.0.1:'$port'/SOGo/Microsoft-Server-ActiveSync; }' # shellcheck disable=SC2016 caldav_block=' # For Caldav -location /.well-known/caldav { +location = /.well-known/caldav { rewrite ^ https://$server_name/SOGo/dav/; }' # shellcheck disable=SC2016 carddav_block=' # For Carddav -location /.well-known/carddav { +location = /.well-known/carddav { rewrite ^ https://$server_name/SOGo/dav/; }' + ynh_add_nginx_config + if ! is_url_handled -d "$domain" -p "/principals"; then echo "$principals_block" >> "$nginx_config" fi @@ -49,7 +60,19 @@ location /.well-known/carddav { if ! is_url_handled -d "$domain" -p "/.wellk-nown/carddav"; then echo "$carddav_block" >> "$nginx_config" fi - ynh_add_nginx_config + ynh_store_file_checksum --file="$nginx_config" + systemctl reload nginx.service +} + +set_permissions() { + chown -R "$app:$app" "/etc/$app" + chmod -R u=rwX,g=rX,o= "/etc/$app" + + chown -R "$app:$app" "/var/log/$app" + chmod -R u=rwX,g=rX,o= "/var/log/$app" + + chown root: "/etc/cron.d/$app" + chmod 644 "/etc/cron.d/$app" } #================================================= diff --git a/scripts/backup b/scripts/backup index 7c2afc2..228d9a0 100755 --- a/scripts/backup +++ b/scripts/backup 
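Review bot: `set_permissions` runs `chown root: "/etc/cron.d/$app"` and `chmod 644` on it, but this commit deletes conf/cron and removes the `ynh_add_config --template="cron"` step from install and upgrade, so nothing in the package creates that file any more. If it is absent the chown fails, which presumably aborts install, upgrade and restore when the scripts run with errexit (not visible here). Guard it, e.g. `if [ -e "/etc/cron.d/$app" ]; then chown root: "/etc/cron.d/$app"; chmod 644 "/etc/cron.d/$app"; fi`. In `config_nginx` the extra blocks are appended to the live file and followed directly by `systemctl reload nginx.service`; checking `nginx -t` first would surface a bad append as a script error instead of a silently failed reload.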
@@ -22,9 +22,6 @@ ynh_print_info --message="Declaring files to be backed up..." # Backup the nginx configuration ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" -# Backup the logrotate configuration -ynh_backup --src_path="/etc/logrotate.d/$app" - #================================================= # BACKUP VARIOUS FILES #================================================= @@ -32,9 +29,6 @@ ynh_backup --src_path="/etc/logrotate.d/$app" # Backup SOGo configuration ynh_backup --src_path="/etc/$app" -# Backup Stunnel configuration -ynh_backup --src_path="/etc/stunnel/$app.conf" - # Backup cron ynh_backup --src_path="/etc/cron.d/$app" diff --git a/scripts/change_url b/scripts/change_url index d9ed0d8..5c76915 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -20,6 +20,7 @@ fi ynh_script_progression --message="Updating NGINX configuration..." ynh_change_url_nginx_config +config_nginx #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index fdee59c..9ef697b 100755 --- a/scripts/install +++ b/scripts/install @@ -9,8 +9,9 @@ source _common.sh source /usr/share/yunohost/helpers -# Set variable -path="/SOGo" +if [[ $path != "/SOGo" ]]; then + ynh_die --message "You can't install SOGo on other path than '/SOGo'" +fi #================================================= # ADD A CONFIGURATION 
@@ -19,37 +20,13 @@ ynh_script_progression --message="Configuring application..." --weight=3 mkdir -p "/etc/$app" ynh_add_config --template="sogo.conf" --destination="/etc/$app/sogo.conf" -chown -R "$app:$app" "/etc/$app" -chmod -R 750 "/etc/$app" - -# Configure stunnel -# To fix the issue https://sogo.nu/bugs/view.php?id=31 we need stunnel to be able to connect correctly to the smtp server -ynh_add_config --template="stunnel.conf" --destination="/etc/stunnel/$app.conf" - -# Enable stunnel at startup -ynh_replace_string --match_string="ENABLED=0" --replace_string="ENABLED=1" --target_file="/etc/default/stunnel4" - -#================================================= -# SETUP A CRON -#================================================= -ynh_script_progression --message="Setting up a cron..." --weight=1 - -ynh_add_config --template="cron" --destination="/etc/cron.d/$app" -chown root: "/etc/cron.d/$app" -chmod 644 "/etc/cron.d/$app" - -#================================================= -# SYSTEM CONFIGURATION -#================================================= -ynh_script_progression --message="Adding system configurations related to $app..." --weight=1 - config_nginx +ynh_use_logrotate --logfile="/var/log/$app/sogo.log" --nonappend + yunohost service add "sogo" --description="Groupware for E-Mail, Contacts and Calender" --log="/var/log/$app/$app.log" -ynh_use_logrotate --logfile="/var/log/$app/sogo.log" --nonappend -chown -R "$app:$app" "/var/log/$app" -chmod -R 750 "/var/log/$app" +set_permissions #================================================= # START SYSTEMD SERVICE @@ -57,7 +34,6 @@ chmod -R 750 "/var/log/$app" ynh_script_progression --message="Starting a systemd service..." --weight=1 ynh_systemd_action --service_name="$app" --action="restart" --log_path="systemd" -ynh_systemd_action --service_name="stunnel4" --action="restart" --log_path="systemd" #================================================= # END OF SCRIPT 
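Review bot: Install no longer writes the cron file whose `sogo-tool expire-sessions 60` entry dropped idle sessions every minute, and the unit carrying `NoNewPrivileges`, `ProtectSystem=full` and the capability restrictions is deleted in this commit too; nothing in this hunk replaces either. If the distribution's sogo package is expected to provide both, that is not visible here and its defaults should be checked, since otherwise idle sessions are never expired server-side and the daemon runs without the previous sandboxing. At minimum state the dependency next to the call, e.g. `# cron jobs and the systemd unit now come from the sogo apt package` above `set_permissions`, and consider keeping the sandboxing options as a systemd drop-in.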
diff --git a/scripts/remove b/scripts/remove index 1f411fc..e40fa3e 100755 --- a/scripts/remove +++ b/scripts/remove @@ -14,11 +14,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Removing system configurations related to $app..." --weight=1 -# Remove the service from the list of services known by YunoHost (added from `yunohost service add`) -if ynh_exec_warn_less yunohost service status "sogo" >/dev/null; then - ynh_script_progression --message="Removing sogo service integration..." --weight=1 - yunohost service remove "sogo" -fi +yunohost service remove "sogo" # Remove the dedicated systemd config ynh_remove_systemd_config diff --git a/scripts/restore b/scripts/restore index 1a033e4..936d2a7 100755 --- a/scripts/restore +++ b/scripts/restore 
@@ -17,37 +17,19 @@ ynh_script_progression --message="Restoring the MySQL database..." --weight=1 ynh_mysql_connect_as --user="$db_user" --password="$db_pwd" --database="$db_name" < ./db.sql -# Enable stunnel at startup -ynh_replace_string --match_string "ENABLED=0" --replace_string "ENABLED=1" --target_file /etc/default/stunnel4 - #================================================= # RESTORE VARIOUS FILES #================================================= ynh_script_progression --message="Restoring various files..." --weight=1 - -ynh_restore_file --origin_path="/etc/$app" -chown -R "$app:$app" "/etc/$app" -chmod -R 750 "/etc/$app" - -ynh_restore_file --origin_path="/etc/stunnel/$app.conf" - -ynh_restore_file --origin_path="/etc/cron.d/$app" - -ynh_restore_file --origin_path="/var/log/$app" -chown -R "$app:$app" "/var/log/$app" -chmod -R 750 "/var/log/$app" +ynh_restore #================================================= # RESTORE SYSTEM CONFIGURATIONS #================================================= ynh_script_progression --message="Restoring system configurations related to $app..." --weight=1 -ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" - -systemctl enable "$app.service" --quiet yunohost service add "sogo" --description="Groupware for E-Mail, Contacts and Calender" --log="/var/log/$app/$app.log" - -ynh_use_logrotate --logfile="/var/log/$app/sogo.log" --nonappend +set_permissions #================================================= # START SYSTEMD SERVICE 
@@ -55,15 +37,17 @@ ynh_use_logrotate --logfile="/var/log/$app/sogo.log" --nonappend ynh_script_progression --message="Starting a systemd service..." --weight=3 ynh_systemd_action --service_name="$app" --action="restart" --log_path="systemd" -ynh_systemd_action --service_name="stunnel4" --action="restart" --log_path="systemd" #================================================= -# RELOAD NGINX AND PHP-FPM +# RELOAD NGINX #================================================= ynh_script_progression --message="Reloading NGINX web server..." --weight=1 ynh_systemd_action --service_name="nginx" --action=reload +# Use logrotate to manage app-specific logfile(s) +ynh_use_logrotate --logfile="/var/log/$app/sogo.log" --nonappend + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 62d5b1b..000e712 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -31,27 +31,6 @@ ynh_script_progression --message="Configuring application..." --weight=1 # Configure SOGO ynh_add_config --template="sogo.conf" --destination="/etc/$app/sogo.conf" -chown -R "$app:$app" "/etc/$app" -chmod -R 750 "/etc/$app" - -# Configure stunnel -ynh_add_config --template="stunnel.conf" --destination="/etc/stunnel/$app.conf" - -# Enable stunnel at startup -ynh_replace_string --match_string="ENABLED=0" --replace_string="ENABLED=1" --target_file="/etc/default/stunnel4" - -# Protect logs dir -chown -R "$app:$app" "/var/log/$app" -chmod -R 750 "/var/log/$app" - -#================================================= -# SETUP A CRON -#================================================= -ynh_script_progression --message="Setting up a cron..." --weight=1 - -ynh_add_config --template="cron" --destination="/etc/cron.d/$app" -chown root: "/etc/cron.d/$app" -chmod 644 "/etc/cron.d/$app" #================================================= # REAPPLY SYSTEM CONFIGURATIONS 
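Review bot: Upgrade stops managing stunnel and the cron file but never cleans up what earlier versions installed, so a system upgraded from ~ynh3 keeps `/etc/stunnel/$app.conf`, the `ENABLED=1` edit in `/etc/default/stunnel4` and a stunnel client still listening on the old local SMTP port. That leaves an unused local relay to port 587 in place after the app no longer needs it. Add a migration step in this section, e.g. `ynh_secure_remove --file="/etc/stunnel/$app.conf"` followed by a restart of `stunnel4`. The same applies to the unit file from the deleted conf/systemd.service if earlier versions installed it, since it would presumably still point at the old install directory.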
@@ -65,13 +44,14 @@ yunohost service add "sogo" --description="Groupware for E-Mail, Contacts and Ca # Use logrotate to manage app-specific logfile(s) ynh_use_logrotate --logfile="/var/log/$app/sogo.log" --nonappend +set_permissions + #================================================= # START SYSTEMD SERVICE #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 ynh_systemd_action --service_name="$app" --action="restart" --log_path="systemd" -ynh_systemd_action --service_name="stunnel4" --action="restart" --log_path="systemd" #================================================= # END OF SCRIPT