diff --git a/README.md b/README.md
index 22bd820..af80222 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,7 @@ a public page.
 - 📥️ **Import your collection** from many other [recipe managers](https://docs.tandoor.dev/features/import_export/)
 - ➕ Many more like recipe scaling, image compression, printing views and supermarkets
-**Shipped version:** 1.5.18~ynh1
+**Shipped version:** 1.5.18~ynh2
 **Demo:**
diff --git a/README_es.md b/README_es.md
index 090b846..c7c2329 100644
--- a/README_es.md
+++ b/README_es.md
@@ -45,7 +45,7 @@ a public page.
 - 📥️ **Import your collection** from many other [recipe managers](https://docs.tandoor.dev/features/import_export/)
 - ➕ Many more like recipe scaling, image compression, printing views and supermarkets
-**Versión actual:** 1.5.18~ynh1
+**Versión actual:** 1.5.18~ynh2
 **Demo:**
diff --git a/README_eu.md b/README_eu.md
index 0d8854e..c3addbf 100644
--- a/README_eu.md
+++ b/README_eu.md
@@ -45,7 +45,7 @@ a public page.
 - 📥️ **Import your collection** from many other [recipe managers](https://docs.tandoor.dev/features/import_export/)
 - ➕ Many more like recipe scaling, image compression, printing views and supermarkets
-**Paketatutako bertsioa:** 1.5.18~ynh1
+**Paketatutako bertsioa:** 1.5.18~ynh2
 **Demoa:**
diff --git a/README_fr.md b/README_fr.md
index aa7d4a1..ec59fdb 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -45,7 +45,7 @@ a public page.
 - 📥️ **Import your collection** from many other [recipe managers](https://docs.tandoor.dev/features/import_export/)
 - ➕ Many more like recipe scaling, image compression, printing views and supermarkets
-**Version incluse :** 1.5.18~ynh1
+**Version incluse :** 1.5.18~ynh2
 **Démo :**
diff --git a/README_gl.md b/README_gl.md
index 1dd26f2..6ea7845 100644
--- a/README_gl.md
+++ b/README_gl.md
@@ -45,7 +45,7 @@ a public page.
 - 📥️ **Import your collection** from many other [recipe managers](https://docs.tandoor.dev/features/import_export/)
 - ➕ Many more like recipe scaling, image compression, printing views and supermarkets
-**Versión proporcionada:** 1.5.18~ynh1
+**Versión proporcionada:** 1.5.18~ynh2
 **Demo:**
diff --git a/README_id.md b/README_id.md
index b9f8374..fce894e 100644
--- a/README_id.md
+++ b/README_id.md
@@ -45,7 +45,7 @@ a public page.
 - 📥️ **Import your collection** from many other [recipe managers](https://docs.tandoor.dev/features/import_export/)
 - ➕ Many more like recipe scaling, image compression, printing views and supermarkets
-**Versi terkirim:** 1.5.18~ynh1
+**Versi terkirim:** 1.5.18~ynh2
 **Demo:**
diff --git a/README_zh_Hans.md b/README_zh_Hans.md
index 59afa01..ccd0598 100644
--- a/README_zh_Hans.md
+++ b/README_zh_Hans.md
@@ -45,7 +45,7 @@ a public page.
 - 📥️ **Import your collection** from many other [recipe managers](https://docs.tandoor.dev/features/import_export/)
 - ➕ Many more like recipe scaling, image compression, printing views and supermarkets
-**分发版本:** 1.5.18~ynh1
+**分发版本:** 1.5.18~ynh2
 **演示:**
diff --git a/conf/dot_env b/conf/dot_env
index 05a5554..5d4322a 100644
--- a/conf/dot_env
+++ b/conf/dot_env
@@ -12,9 +12,7 @@ TANDOOR_PORT=__PORT__
 ALLOWED_HOSTS=__DOMAIN__
 # random secret key, use for example `base64 /dev/urandom | head -c50` to generate one
-# ---------------------------- REQUIRED -------------------------
 SECRET_KEY=__SECRETKEY__
-# ---------------------------------------------------------------
 # your default timezone See https://timezonedb.com/time-zones for a list of timezones
 TZ=__TIMEZONE__
@@ -25,9 +23,7 @@ DB_ENGINE=django.db.backends.postgresql
 POSTGRES_HOST=127.0.0.1
 POSTGRES_PORT=5432
 POSTGRES_USER=__DB_USER__
-# ---------------------------- REQUIRED -------------------------
 POSTGRES_PASSWORD=__DB_PWD__
-# ---------------------------------------------------------------
 POSTGRES_DB=__DB_NAME__
 # the default value for the user preference 'fractions' (enable/disable fraction support)
@@ -85,8 +81,8 @@ GUNICORN_MEDIA=0
 # Required for email confirmation and password reset (automatically activates if host is set)
 EMAIL_HOST='127.0.0.1'
 EMAIL_PORT=25
-EMAIL_HOST_USER=
-EMAIL_HOST_PASSWORD=
+EMAIL_HOST_USER='__APP__'
+EMAIL_HOST_PASSWORD='__MAIL_PWD__'
 EMAIL_USE_TLS=0
 EMAIL_USE_SSL=0
 # email sender address (default 'webmaster@localhost')
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 1a54f7f..932dbd0 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -20,5 +20,3 @@ location __PATH__/ {
 location /media/ {
 alias __DATA_DIR__/media/;
 }
-
-
diff --git a/conf/systemd.service b/conf/systemd.service
index 61a2ebc..f6cc38d 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
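Review bot: `EMAIL_HOST_PASSWORD='__MAIL_PWD__'` is used with `EMAIL_USE_TLS=0` and `EMAIL_USE_SSL=0`, so SMTP AUTH crosses the socket in clear; that is defensible only because `EMAIL_HOST='127.0.0.1'` keeps it on loopback, and the file should say so: `# plaintext AUTH is acceptable only because EMAIL_HOST stays on loopback; turn on TLS before pointing this at another host`. This file is consumed both as a systemd `EnvironmentFile` and via `source` in the install/upgrade scripts, so the new single quotes must survive both parsers — fine as long as the generated mail password is plain alphanumeric, which this hunk cannot show. With a third secret now living in `.env`, the owner-only mode on that file (only the `chown "$app:$app"` is visible elsewhere in this diff) is worth re-checking.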
@@ -1,16 +1,50 @@
 [Unit]
-Description=Tandoor, smart recipe mangement
+Description=Tandoor: smart recipe mangement
 After=network.target
 [Service]
 Type=simple
 User=__APP__
 Group=__APP__
-WorkingDirectory=__INSTALL_DIR__/source/
+WorkingDirectory=__INSTALL_DIR__/
 EnvironmentFile=__INSTALL_DIR__/.env
 ExecStart=__INSTALL_DIR__/venv/bin/gunicorn --bind 127.0.0.1:__PORT__ recipes.wsgi:application
 Restart=on-failure
 RestartSec=10
+### Depending on specificities of your service/app, you may need to tweak these
+### .. but this should be a good baseline
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.toml b/manifest.toml
index 6744518..8bd6dce 100644
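Review bot: `ProtectSystem=full` leaves `__INSTALL_DIR__` writable to the service, and the install script in this diff chowns that tree to the app user, so a compromised gunicorn worker can rewrite its own code under `recipes/` or `venv/` and persist across restarts. Since uploads are served from `__DATA_DIR__/media/` (see the nginx alias), `ProtectSystem=strict` plus `ReadWritePaths=__DATA_DIR__` is the tighter baseline — assuming Tandoor writes nothing under the install dir at runtime, which I can't confirm from here. `ProtectHome=` is absent, presumably on purpose because YunoHost's data_dir lives under /home; a one-line comment saying so would stop a later "fix" from breaking media. The new `Description=` still misspells the word: `Description=Tandoor: smart recipe management`.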
--- a/manifest.toml
+++ b/manifest.toml
@@ -4,10 +4,10 @@ packaging_format = 2
 id = "tandoor"
 name = "Tandoor"
-description.en = "Application for managing and sharing recipes, planning meals, building shopping lists and much much more!"
-description.fr = "Gérez et partagez vos recettes, planifiez vos repas, créez vos listes de courses et beaucoup plus encore !"
+description.en = "Manage and share recipes, plan meals, build shopping lists"
+description.fr = "Gérez et partagez des recettes, planifiez des repas, créez des listes de courses"
-version = "1.5.18~ynh1"
+version = "1.5.18~ynh2"
 maintainers = ["Navan Chauhan"]
@@ -21,14 +21,14 @@ code = "https://github.com/TandoorRecipes/recipes"
 cpe = "cpe:2.3:a:tandoor:recipes"
 [integration]
-yunohost = ">= 11.2"
+yunohost = ">= 11.2.20"
 architectures = "all"
 multi_instance = true
 ldap = false
 sso = false
-disk = "50M"
-ram.build = "50M"
-ram.runtime = "50M"
+disk = "1000M"
+ram.build = "2000M"
+ram.runtime = "1500M"
 [install]
 [install.domain]
@@ -47,7 +47,8 @@ ram.runtime = "50M"
 autoupdate.asset = "tarball"
 [resources.system_user]
-
+allow_email = true
+
 [resources.install_dir]
 [resources.data_dir]
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 02ac495..dea5baf 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -6,7 +6,6 @@
 nodejs_version=16
-# Used in .env
 timezone="$(cat /etc/timezone)"
 #=================================================
@@ -17,13 +16,13 @@ _tandoor_venv_install() {
 ynh_exec_as "$app" python3 -m venv --upgrade "$install_dir/venv"
 venvpy="$install_dir/venv/bin/python3"
-pushd "$install_dir/source"
+pushd "$install_dir"
 ynh_exec_as "$app" "$venvpy" -m pip install -r requirements.txt
 popd
 }
 _tandoor_build_frontend() {
-pushd "$install_dir/source/vue"
+pushd "$install_dir/vue"
 ynh_use_nodejs
 ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" yarn install
 ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" yarn build
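Review bot: `allow_email = true` under `[resources.system_user]` is, as I understand the v2 resource, what gives the app's system user a mail account with a generated password, and that password is what `conf/dot_env` in this same diff injects as `__MAIL_PWD__`; nothing in the manifest records that coupling. A TOML comment would save the next maintainer a search: `# allow_email: provisions the mail account/password used as EMAIL_HOST_USER/EMAIL_HOST_PASSWORD in conf/dot_env`. The `yunohost = ">= 11.2.20"` bump in the previous hunk likewise deserves a short note on which helper behaviour it gates, since the install and restore scripts in this diff drop permission handling that presumably moved into the helpers.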
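Review bot: `yarn install` in `_tandoor_build_frontend` runs without `--frozen-lockfile`, so on yarn 1 a lockfile that is out of sync with `package.json` is silently re-resolved at build time instead of failing, which undoes the pinning the upstream lockfile provides (the flag is `--immutable` if the `vue/` tree is on yarn berry — I can't tell from here). The `ynh_setup_source` tarball is integrity-checked, but these package-manager steps are the unverified part of the supply chain, so `yarn install --frozen-lockfile` is worth it, and `pip install --require-hashes -r requirements.txt` as well if upstream's requirements file carries hashes, which I also can't confirm. Both function bodies are otherwise unchanged by this hunk.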
diff --git a/scripts/backup b/scripts/backup
index 866f7ac..34ea8d1 100755
--- a/scripts/backup
+++ b/scripts/backup
@@ -44,12 +44,6 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
 ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf"
 ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf"
-#=================================================
-# BACKUP VARIOUS FILES
-#=================================================
-
-ynh_backup --src_path="/var/log/$app/"
-
 #=================================================
 # BACKUP THE PostgreSQL DATABASE
 #=================================================
diff --git a/scripts/change_url b/scripts/change_url
index 4988f8a..e2ac889 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -14,14 +14,14 @@ source /usr/share/yunohost/helpers
 #=================================================
 # STOP SYSTEMD SERVICE
 #=================================================
-ynh_script_progression --message="Stopping a systemd service..." --time --weight=1
+ynh_script_progression --message="Stopping a systemd service..." --weight=1
-ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
 #=================================================
 # MODIFY URL IN NGINX CONF
 #=================================================
-ynh_script_progression --message="Updating NGINX web server configuration..." --time --weight=1
+ynh_script_progression --message="Updating NGINX web server configuration..." --weight=1
 ynh_change_url_nginx_config
@@ -40,12 +40,12 @@ chown "$app:$app" "$install_dir/.env"
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
-ynh_script_progression --message="Starting a systemd service..." --time --weight=1
+ynh_script_progression --message="Starting a systemd service..." --weight=1
-ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name="$app" --action="start" --log_path="systemd"
 #=================================================
 # END OF SCRIPT
 #=================================================
-ynh_script_progression --message="Change of URL completed for $app" --time --last
+ynh_script_progression --message="Change of URL completed for $app" --last
diff --git a/scripts/install b/scripts/install
index 7e38186..26a9733 100755
--- a/scripts/install
+++ b/scripts/install
@@ -38,16 +38,10 @@ ynh_psql_execute_as_root --sql="ALTER USER $db_name WITH SUPERUSER;"
 ynh_script_progression --message="Setting up source files..." --weight=1
 # Download, check integrity, uncompress and patch the source from app.src
-ynh_setup_source --dest_dir="$install_dir/source"
+ynh_setup_source --dest_dir="$install_dir"
-chmod 750 "$install_dir"
-chmod -R o-rwx "$install_dir"
 chown -R "$app:www-data" "$install_dir"
-chmod 750 "$data_dir"
-chmod -R o-rwx "$data_dir"
-chown -R "$app:www-data" "$data_dir"
-
 #=================================================
 # ADD A CONFIGURATION
 #=================================================
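Review bot: this hunk drops `chmod 750`/`chmod -R o-rwx` on both `$install_dir` and `$data_dir` and removes `chown -R "$app:www-data" "$data_dir"` entirely, while the upgrade script in this same diff still applies `chmod 750`/`o-rwx` to `$install_dir` and the restore script still chowns `$data_dir` to `$app:www-data`, so the three scripts now disagree on the modes a fresh tree ends up with. If the intent is to rely on the 11.2.20 helpers and the `install_dir`/`data_dir` resources to set ownership and modes (the manifest bump hints at that), a comment saying so belongs here; otherwise keep `chmod -R o-rwx "$install_dir"`, `chmod -R o-rwx "$data_dir"` and `chown -R "$app:www-data" "$data_dir"`. nginx serves `__DATA_DIR__/media/` as www-data, so if the `data_dir` resource defaults to group `$app` a fresh install would 403 on media — worth a test. The `.env` holding the secret key, DB and mail passwords sits directly under `$install_dir`, which is why the other-readable question matters.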
@@ -60,9 +54,10 @@ chown "$app:$app" "$install_dir/.env"
 version=$(ynh_app_upstream_version)
-ynh_add_config --template="version.py" --destination="$install_dir/source/recipes/version.py"
-chmod 400 "$install_dir/source/recipes/version.py"
-chown "$app:$app" "$install_dir/source/recipes/version.py"
+ynh_add_config --template="version.py" --destination="$install_dir/recipes/version.py"
+
+chmod 400 "$install_dir/recipes/version.py"
+chown "$app:$app" "$install_dir/recipes/version.py"
 #=================================================
 # SPECIFIC SETUP
@@ -75,7 +70,7 @@ _tandoor_venv_install
 ynh_script_progression --message="Running migrations and generating static files..." --weight=2
-pushd "$install_dir/source"
+pushd "$install_dir"
 (
 source "$install_dir/.env"
 ynh_exec_as "$app" "$venvpy" manage.py migrate
@@ -106,7 +101,7 @@ ynh_use_logrotate
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 # Start a systemd service
-ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name="$app" --action="start" --log_path="systemd"
 #=================================================
 # END OF SCRIPT
diff --git a/scripts/restore b/scripts/restore
index 1ed1148..e329248 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -17,8 +17,6 @@ ynh_script_progression --message="Restoring the app main directory..." --weight=
 ynh_restore_file --origin_path="$install_dir"
-chmod 750 "$install_dir"
-chmod -R o-rwx "$install_dir"
 chown -R "$app:www-data" "$install_dir"
 #=================================================
@@ -28,8 +26,6 @@ ynh_script_progression --message="Restoring the data directory..." --weight=1
 ynh_restore_file --origin_path="$data_dir" --not_mandatory
-chmod 750 "$data_dir"
-chmod -R o-rwx "$data_dir"
 chown -R "$app:www-data" "$data_dir"
 #=================================================
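Review bot: removing `chmod 750`/`chmod -R o-rwx "$data_dir"` after `ynh_restore_file` means restored media come back with whatever modes the archive carried, so post-restore hardening now depends on the backup having been taken from a correctly-permissioned tree rather than being enforced here. The upgrade script in this diff still applies those two lines to `$install_dir`, so either keep them in restore as well or add a comment stating that the `data_dir` resource is what enforces modes from 11.2.20 on — I can't confirm from this hunk which it is. `chown -R "$app:www-data" "$data_dir"` is kept, so only the mode bits are affected.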
@@ -52,12 +48,6 @@ yunohost service add "$app" --description="Smart recipe management" --log="/var/
 ynh_restore_file --origin_path="/etc/logrotate.d/$app"
-#=================================================
-# RESTORE VARIOUS FILES
-#=================================================
-
-ynh_restore_file --origin_path="/var/log/$app/"
-
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
@@ -65,7 +55,7 @@ ynh_restore_file --origin_path="/var/log/$app/"
 #=================================================
 ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1
-ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name="$app" --action="start" --log_path="systemd"
 ynh_systemd_action --service_name=nginx --action=reload
diff --git a/scripts/upgrade b/scripts/upgrade
index 597450e..03acc0b 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -16,7 +16,7 @@ source /usr/share/yunohost/helpers
 #=================================================
 ynh_script_progression --message="Stopping a systemd service..." --weight=1
-ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name="$app" --action="stop" --log_path="systemd"
 #=================================================
 # UPGRADE DEPENDENCIES
@@ -31,7 +31,7 @@ ynh_exec_warn_less ynh_install_nodejs --nodejs_version="$nodejs_version"
 ynh_script_progression --message="Upgrading source files..." --weight=1
 # Download, check integrity, uncompress and patch the source from app.src
-ynh_setup_source --dest_dir="$install_dir/source" --full_replace=1
+ynh_setup_source --dest_dir="$install_dir" --full_replace=1 --keep="$install_dir/.env"
 chmod 750 "$install_dir"
 chmod -R o-rwx "$install_dir"
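Review bot: `--keep="$install_dir/.env"` passes an absolute path where the 11.2 `ynh_setup_source` helper, as I read it, takes entries relative to `--dest_dir` and looks them up as `$dest_dir/$entry`, so `.env` would not survive the `--full_replace=1` wipe; `--keep=".env"` is the form I'd expect. That is only harmless if the upgrade script regenerates `.env` afterwards, which the `chown "$app:$app" "$install_dir/.env"` context further down suggests but this hunk does not show. Either way, a one-line comment on what `--keep` is meant to protect (secrets vs. user edits) would make the intent checkable.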
@@ -49,24 +49,26 @@ chown "$app:$app" "$install_dir/.env"
 version=$(ynh_app_upstream_version)
-ynh_add_config --template="version.py" --destination="$install_dir/source/recipes/version.py"
-chmod 400 "$install_dir/source/recipes/version.py"
-chown "$app:$app" "$install_dir/source/recipes/version.py"
+ynh_add_config --template="version.py" --destination="$install_dir/recipes/version.py"
+
+chmod 400 "$install_dir/recipes/version.py"
+chown "$app:$app" "$install_dir/recipes/version.py"
 #=================================================
 # SPECIFIC SETUP
 #=================================================
 ynh_script_progression --message="Building frontend..." --weight=5
+
 _tandoor_build_frontend
 ynh_script_progression --message="Installing Tandoor and its python dependencies..." --weight=1
+
 _tandoor_venv_install
 ynh_script_progression --message="Running migrations and generating static files..." --weight=2
-pushd "$install_dir/source"
+pushd "$install_dir"
 (
 source "$install_dir/.env"
-
 ynh_exec_as "$app" "$venvpy" manage.py migrate
 ynh_psql_execute_as_root --sql="ALTER USER $app WITH NOSUPERUSER;"
 ynh_exec_as "$app" "$venvpy" manage.py collectstatic --no-input
@@ -94,7 +96,7 @@ ynh_use_logrotate --non-append
 #=================================================
 ynh_script_progression --message="Starting a systemd service..." --weight=1
-ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
 #=================================================
 # END OF SCRIPT
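Review bot: the SUPERUSER revoke `ALTER USER $app WITH NOSUPERUSER;` only runs if `manage.py migrate` succeeds inside the `( ... )` subshell, so a failed migration (the scripts presumably abort on error) leaves the app's PostgreSQL role with SUPERUSER until the next upgrade; the subshell's closing paren is outside this hunk. Issuing the revoke unconditionally after the subshell, or from a trap, closes that window, and the install script in this diff grants it on `$db_name` while this revokes `$app` — they coincide only when the two settings are equal, which is worth a comment. A short note on why migrations need SUPERUSER at all (extensions?) would also help; I can't see from this hunk where the upgrade path grants it.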