From 8562c3b19c78eff0a267f102f4af53303a67263c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Tue, 28 Feb 2023 08:51:31 +0100 Subject: [PATCH] cleaning --- conf/nginx.conf | 4 ++- conf/systemd.service | 37 ++++++++++++++++++++- doc/POST_INSTALL.md | 2 -- doc/POST_INSTALL_fr.md | 1 - manifest.toml | 1 - scripts/backup | 5 --- scripts/change_url | 73 +----------------------------------------- scripts/install | 23 +------------ scripts/remove | 1 - scripts/upgrade | 26 --------------- 10 files changed, 41 insertions(+), 132 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index e37e88e..061375b 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,4 +1,6 @@ -location / { +#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; +location __PATH__/ { + proxy_pass http://127.0.0.1:__PORT__; proxy_redirect off; proxy_set_header Host $host; diff --git a/conf/systemd.service b/conf/systemd.service index b8e829c..e152647 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -1,5 +1,5 @@ [Unit] -Description=Trilium notes server +Description=Trilium: notes server After=network.target [Service] 
@@ -14,5 +14,40 @@ Environment=TRILIUM_ENV=dev WorkingDirectory=__INSTALL_DIR__/ ExecStart=__YNH_NODE__ __INSTALL_DIR__/src/www + +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/doc/POST_INSTALL.md b/doc/POST_INSTALL.md index 58865bf..bc7bc57 100644 --- a/doc/POST_INSTALL.md +++ b/doc/POST_INSTALL.md @@ -1,3 +1 @@ -## Configuration - You will be asked to choose a password when you first access the app. You can configure Trillium from the settings menu of the app interface. 
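Review bot: In the hardening block added to conf/systemd.service, the first `CapabilityBoundingSet=` line names `CAP_RAWIO`, which is not a capability listed in capabilities(7); the real name is `CAP_SYS_RAWIO`. systemd is expected to log a parse warning and skip the unknown name, so raw I/O access would stay in the bounding set while the unit reads as if it were dropped; the line should be `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Separately, `ProtectSystem=full` still leaves `/var` and the home directories writable, so if the service only writes under its own install and data directories (not visible in this hunk), `ProtectSystem=strict` with an explicit `ReadWritePaths=` for those directories would be a tighter baseline. Running `systemd-analyze security` against the installed unit, and checking the journal for parse warnings at load time, would confirm which of these options took effect. The `[Service]` section starts above this hunk, so `User=` and the other existing settings cannot be checked from here.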
diff --git a/doc/POST_INSTALL_fr.md b/doc/POST_INSTALL_fr.md index d7edf68..c02d007 100644 --- a/doc/POST_INSTALL_fr.md +++ b/doc/POST_INSTALL_fr.md @@ -1,3 +1,2 @@ -## Configuration On vous demandera de choisir un mot de passe quand vous installez l'application. Vous pouvez configurer Trillium depuis le menu de configuration de l'interface web. diff --git a/manifest.toml b/manifest.toml index a228318..087ef5d 100644 --- a/manifest.toml +++ b/manifest.toml @@ -28,7 +28,6 @@ ram.runtime = "110M" [install] [install.domain] - # this is a generic question - ask strings are automatically handled by Yunohost's core type = "domain" full_domain = true diff --git a/scripts/backup b/scripts/backup index 2638ff2..e32ebb5 100644 --- a/scripts/backup +++ b/scripts/backup @@ -15,11 +15,6 @@ source /usr/share/yunohost/helpers #================================================= ynh_print_info --message="Declaring files to be backed up..." -### N.B. : the following 'ynh_backup' calls are only a *declaration* of what needs -### to be backuped and not an actual copy of any file. The actual backup that -### creates and fill the archive with the files happens in the core after this -### script is called. Hence ynh_backups calls takes basically 0 seconds to run. - #================================================= # BACKUP THE APP MAIN DIR #================================================= diff --git a/scripts/change_url b/scripts/change_url index 6beabb0..b690f54 100644 --- a/scripts/change_url +++ b/scripts/change_url 
@@ -9,60 +9,6 @@ source _common.sh source /usr/share/yunohost/helpers -#================================================= -# RETRIEVE ARGUMENTS -#================================================= - -old_domain=$YNH_APP_OLD_DOMAIN -old_path=$YNH_APP_OLD_PATH - -new_domain=$YNH_APP_NEW_DOMAIN -new_path="/" - -app=$YNH_APP_INSTANCE_NAME - -#================================================= -# LOAD SETTINGS -#================================================= -ynh_script_progression --message="Loading installation settings..." --weight=1 - -# Needed for helper "ynh_add_nginx_config" -final_path=$(ynh_app_setting_get --app=$app --key=final_path) - -#================================================= -# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP -#================================================= -ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --weight=15 - -# Backup the current version of the app -ynh_backup_before_upgrade -ynh_clean_setup () { - ynh_clean_check_starting - # Remove the new domain config file, the remove script won't do it as it doesn't know yet its location. - ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" - - # Restore it if the upgrade fails - ynh_restore_upgradebackup -} -# Exit if an error occurs during the execution of the script -ynh_abort_if_errors - -#================================================= -# CHECK WHICH PARTS SHOULD BE CHANGED -#================================================= - -change_domain=0 -if [ "$old_domain" != "$new_domain" ] -then - change_domain=1 -fi - -change_path=0 -if [ "$old_path" != "$new_path" ] -then - change_path=1 -fi - #================================================= # STANDARD MODIFICATIONS #================================================= 
@@ -77,17 +23,7 @@ ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" #================================================= ynh_script_progression --message="Updating NGINX web server configuration..." --weight=1 -nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf - -# Change the domain for NGINX -if [ $change_domain -eq 1 ] -then - # Delete file checksum for the old conf file location - ynh_delete_file_checksum --file="$nginx_conf_path" - mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf - # Store file checksum for the new config file location - ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" -fi +ynh_change_url_nginx_config #================================================= # GENERIC FINALISATION @@ -98,13 +34,6 @@ ynh_script_progression --message="Starting a systemd service..." --weight=1 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening on port" -#================================================= -# RELOAD NGINX -#================================================= -ynh_script_progression --message="Reloading NGINX web server..." --weight=1 - -ynh_systemd_action --service_name=nginx --action=reload - #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/install b/scripts/install index b791552..f059f51 100644 --- a/scripts/install +++ b/scripts/install 
@@ -9,27 +9,6 @@ source _common.sh source /usr/share/yunohost/helpers -# Install parameters are automatically saved as settings -# -# Settings are automatically loaded as bash variables -# in every app script context, therefore typically these will exist: -# - $domain -# - $path -# - $language -# ... etc -# -# Resources defined in the manifest are provisioned prior to this script -# and corresponding settings are also available, such as: -# - $install_dir -# - $port -# - $db_name -# ... - -# -# $app is the app id (i.e. 'example' for first install, -# or 'example__2', '__3', ... for multi-instance installs) -# - #================================================= # INSTALL NODEJS #================================================= @@ -87,7 +66,7 @@ yunohost service add $app --description="Trilium Notes app" --log="systemd" #================================================= # ADD A CONFIGURATION #================================================= -ynh_script_progression --message="Adding a configuration file..." +ynh_script_progression --message="Adding a configuration file..." --weight=1 ### You can add specific configuration files. diff --git a/scripts/remove b/scripts/remove index c190d7e..03deb14 100644 --- a/scripts/remove +++ b/scripts/remove @@ -14,7 +14,6 @@ source /usr/share/yunohost/helpers #================================================= # REMOVE SYSTEMD SERVICE #================================================= - ynh_script_progression --message="Removing system configurations related to $app..." # This should be a symetric version of what happens in the install script diff --git a/scripts/upgrade b/scripts/upgrade index 1fe652c..fdbfef7 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -11,31 +11,6 @@ source /usr/share/yunohost/helpers upgrade_type=$(ynh_check_app_version_changed) -#================================================= -# STANDARD UPGRADE STEPS -#================================================= -# ENSURE DOWNWARD COMPATIBILITY -#================================================= -#ynh_script_progression --message="Ensuring downward compatibility..." --time --weight=1 - -# -# N.B. : the followings setting migrations snippets are provided as *EXAMPLES* -# of what you may want to do in some cases (e.g. a setting was not defined on -# some legacy installs and you therefore want to initiaze stuff during upgrade) -# - -# If db_name doesn't exist, create it -#if [ -z "$db_name" ]; then -# db_name=$(ynh_sanitize_dbid --db_name=$app) -# ynh_app_setting_set --app=$app --key=db_name --value=$db_name -#fi - -# If install_dir doesn't exist, create it -#if [ -z "$install_dir" ]; then -# install_dir=/var/www/$app -# ynh_app_setting_set --app=$app --key=install_dir --value=$install_dir -#fi - #================================================= # STOP SYSTEMD SERVICE #================================================= @@ -70,7 +45,6 @@ chown -R $app:www-data "$install_dir" #================================================= # UPGRADE NODEJS #================================================= - ynh_script_progression --message="Upgrading nodejs..." --weight=5 ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version