From 2e383748f9e074c45d20336b8e772a4281b9efa2 Mon Sep 17 00:00:00 2001 
From: eric_G <46165813+ericgaspar@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:40:16 +0100 Subject: [PATCH 1/2] Testing (#161) * Auto-update README * Upgrade to upstream * Auto-update README * Bullseye (#141) * Fix * Fix * Auto-update README Co-authored-by: yunohost-bot * Upgrade * Auto-update README * Auto-update README * Upgrade to upstream * Auto-update README * PHP * Auto-update README * Update manifest.json * Auto-update README * Update config * Fix * Auto-update README * update * Auto-update README * Version 2 (#148) * v2 * v2 * Auto-update README * Fix * Auto-update README * fix --------- Co-authored-by: yunohost-bot * Update tests.toml * Delete check_process * Update restore * Update remove * Update install * Update upgrade * Fix * Update upgrade * Update manifest.toml * Update manifest.toml * data_migration * fix * Fix * Update manifest.toml * Auto-update README * Update manifest.toml * Update manifest.toml * Auto-update README * Update tests.toml * auto updater * Update manifest.toml * Auto-update README * remove data migration * update git repo * Auto-update README * Update manifest.toml * Update manifest.toml * Auto-update README * update to upstream * Auto-update README * fix * Auto-update README * Update manifest.toml * Update manifest.toml * Auto-update README * Update manifest.toml * Auto-update README * PostgreSQL (#150) * switch to PHP * Update install * Update _common.sh * Update _common.sh * Update app.src * Update manifest.json * Auto-update README * Fix * Update remove * Update _common.sh * Update app.src * Fix * Remove cron * Update install * Update change_url * Update systemd.service * Update install * Update DESCRIPTION.md * Auto-update README * Fix * Update manifest.json * Update restore * Update app.src * Create migration * v2 * v2 * Auto-update README * Fix * Auto-update README * fix * fix * fix * Update restore * data_migration * Revert "data_migration" This reverts commit 1aea23fb527ae3dade359d4e0b553cd87d10442a. 
* fix * fix * Update manifest.toml * Update manifest.toml * Update manifest.toml * Auto-update README * fix * Update manifest.toml * Update manifest.toml * Auto-update README * Create PRE_UPGRADE_fr.md * fix * Auto-update README * Auto-update README * Update manifest.toml * Auto-update README --------- Co-authored-by: Yunohost-Bot <> Co-authored-by: yunohost-bot * Update manifest.toml * cleaning --------- Co-authored-by: yunohost-bot
---
 manifest.toml | 2 +-
 scripts/install | 2 +-
 scripts/upgrade | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifest.toml b/manifest.toml
index 0c8468a..244f141 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -62,7 +62,7 @@ ram.runtime = "50M"
 api.protected = true
 [resources.apt]
- packages = "postgresql php8.2-pgsql php8.2-curl php8.2-gd php8.2-opcache php8.2-fileinfo php8.2-intl php8.2-cli php8.2-mbstring php8.2-xml"
+ packages = "postgresql, php8.2-pgsql, php8.2-curl, php8.2-gd, php8.2-opcache,php8.2-fileinfo, php8.2-intl, php8.2-cli, php8.2-mbstring, php8.2-xml"
 [resources.database]
 type = "postgresql"
diff --git a/scripts/install b/scripts/install
index 33a910e..0066e6c 100644
--- a/scripts/install
+++ b/scripts/install
@@ -28,7 +28,7 @@ chown -R $app:www-data "$install_dir"
 ynh_script_progression --message="Adding system configurations related to $app..." --weight=1
 # Create a dedicated PHP-FPM config
-ynh_add_fpm_config --usage=low --footprint=low
+ynh_add_fpm_config
 # Create a dedicated NGINX config
 ynh_add_nginx_config
diff --git a/scripts/upgrade b/scripts/upgrade
index 51fd702..9df6460 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -56,7 +56,7 @@ chown -R $app:www-data "$install_dir"
 ynh_script_progression --message="Upgrading system configurations related to $app..." --weight=1
 # Create a dedicated PHP-FPM config
-ynh_add_fpm_config --usage=low --footprint=low
+ynh_add_fpm_config
 # Create a dedicated NGINX config
 ynh_add_nginx_config
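Review bot: The rewritten `packages` value in the `[resources.apt]` hunk mixes separators: every entry is joined with `, ` except `php8.2-opcache,php8.2-fileinfo`, which has no space after the comma. If the apt resource splits on `,` and strips whitespace this parses fine, but that is not visible here and the uneven list is easy to mis-edit on the next PHP bump; I would write `php8.2-opcache, php8.2-fileinfo` so the whole string reads uniformly. A short comment above the key, `# comma-separated; all PHP modules must match the PHP version used by the FPM pool`, would also record why every entry is pinned to 8.2.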
From c4a792f573f97ff923f3fca5736b0dc9cf740a7b Mon Sep 17 00:00:00 2001 
From: eric_G <46165813+ericgaspar@users.noreply.github.com> Date: Wed, 6 Dec 2023 11:24:27 +0100 Subject: [PATCH 2/2] Testing (#163) * Auto-update README * Upgrade to upstream * Auto-update README * Bullseye (#141) * Fix * Fix * Auto-update README Co-authored-by: yunohost-bot * Upgrade * Auto-update README * Auto-update README * Upgrade to upstream * Auto-update README * PHP * Auto-update README * Update manifest.json * Auto-update README * Update config * Fix * Auto-update README * update * Auto-update README * Version 2 (#148) * v2 * v2 * Auto-update README * Fix * Auto-update README * fix --------- Co-authored-by: yunohost-bot * Update tests.toml * Delete check_process * Update restore * Update remove * Update install * Update upgrade * Fix * Update upgrade * Update manifest.toml * Update manifest.toml * data_migration * fix * Fix * Update manifest.toml * Auto-update README * Update manifest.toml * Update manifest.toml * Auto-update README * Update tests.toml * auto updater * Update manifest.toml * Auto-update README * remove data migration * update git repo * Auto-update README * Update manifest.toml * Update manifest.toml * Auto-update README * update to upstream * Auto-update README * fix * Auto-update README * Update manifest.toml * Update manifest.toml * Auto-update README * Update manifest.toml * Auto-update README * PostgreSQL (#150) * switch to PHP * Update install * Update _common.sh * Update _common.sh * Update app.src * Update manifest.json * Auto-update README * Fix * Update remove * Update _common.sh * Update app.src * Fix * Remove cron * Update install * Update change_url * Update systemd.service * Update install * Update DESCRIPTION.md * Auto-update README * Fix * Update manifest.json * Update restore * Update app.src * Create migration * v2 * v2 * Auto-update README * Fix * Auto-update README * fix * fix * fix * Update restore * data_migration * Revert "data_migration" This reverts commit 1aea23fb527ae3dade359d4e0b553cd87d10442a. 
* fix * fix * Update manifest.toml * Update manifest.toml * Update manifest.toml * Auto-update README * fix * Update manifest.toml * Update manifest.toml * Auto-update README * Create PRE_UPGRADE_fr.md * fix * Auto-update README * Auto-update README * Update manifest.toml * Auto-update README --------- Co-authored-by: Yunohost-Bot <> Co-authored-by: yunohost-bot * Update manifest.toml * cleaning * Email (#162) * add email * Update config.php * Update systemd.service * Update manifest.toml * Auto-update README * Update config.php * Update config.php --------- Co-authored-by: yunohost-bot
---
 README.md | 2 +-
 README_fr.md | 2 +-
 conf/config.php | 8 ++++----
 conf/migration | 30 ------------------------------
 conf/systemd.service | 35 +++++++++++++++++++++++++++++++++++
 manifest.toml | 3 ++-
 scripts/change_url | 2 +-
 scripts/install | 3 +--
 scripts/upgrade | 3 +--
 9 files changed, 46 insertions(+), 42 deletions(-)
 delete mode 100644 conf/migration
diff --git a/README.md b/README.md
index 2d55628..420d841 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ Tiny Tiny RSS is a free and open source web-based news feed (RSS/Atom) reader an
 - flexible article filtering
-**Shipped version:** 20231202~ynh1
+**Shipped version:** 20231202~ynh2
 **Demo:** https://srv.tt-rss.org/tt-rss/
diff --git a/README_fr.md b/README_fr.md
index 460492a..eb07ca1 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -28,7 +28,7 @@ Tiny Tiny RSS est un lecteur et agrégateur de flux de nouvelles (RSS/Atom) bas
 - filtrage flexible des articles
-**Version incluse :** 20231202~ynh1
+**Version incluse :** 20231202~ynh2
 **Démo :** https://srv.tt-rss.org/tt-rss/
diff --git a/conf/config.php b/conf/config.php
index 9c15695..62098ea 100644
--- a/conf/config.php
+++ b/conf/config.php
@@ -134,7 +134,7 @@
 // *********************************
 putenv('TTRSS_SMTP_FROM_NAME=Tiny Tiny RSS');
- putenv('TTRSS_SMTP_FROM_ADDRESS=noreply@your.domain.dom');
+ putenv('TTRSS_SMTP_FROM_ADDRESS=noreply@__DOMAIN__');
 // Name, address and subject for sending outgoing mail. This applies
 // to password reset notifications, digest emails and any other mail.
@@ -145,8 +145,8 @@
 // Hostname:port combination to send outgoing mail (i.e. localhost:25).
 // Blank - use system MTA.
- putenv('TTRSS_SMTP_LOGIN=');
- putenv('TTRSS_SMTP_PASSWORD=');
+ putenv('TTRSS_SMTP_LOGIN=__APP__');
+ putenv('TTRSS_SMTP_PASSWORD=__MAIL_PWD__');
 // These two options enable SMTP authentication when sending
 // outgoing mail. Only used with SMTP_SERVER.
@@ -168,7 +168,7 @@
 // if you experience weird errors and tt-rss failing to start, blank pages
 // after login, or content encoding errors, disable it.
- putenv('TTRSS_PLUGINS=auth_internal, note, data_migration');
+ putenv('TTRSS_PLUGINS=auth_internal, note');
 // Comma-separated list of plugins to load automatically for all users.
 // System plugins have to be specified here. Please enable at least one
 // authentication plugin here (auth_*).
diff --git a/conf/migration b/conf/migration
deleted file mode 100644
index 15e836d..0000000
--- a/conf/migration
+++ /dev/null
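Review bot: The second hunk fills in `TTRSS_SMTP_LOGIN` and `TTRSS_SMTP_PASSWORD`, but the comment right below them says they are only used with `SMTP_SERVER`, and the `TTRSS_SMTP_SERVER` line sits just above this hunk's first context line and is not touched by the patch, so it presumably still defaults to blank, meaning the system MTA is used and these credentials are never consumed. As written the rendered config.php carries a secret that nothing reads; either set `TTRSS_SMTP_SERVER` to the local MTA as well so the login is actually exercised, or keep both values empty until that is done. Whichever way, a comment above the two putenv lines, e.g. `// __MAIL_PWD__ is the app's mail password; config.php must stay readable by __APP__ only`, would tell the next maintainer why the install script locks the file to 0400.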
@@ -1,30 +0,0 @@
-# OPML import/export (including filters and some settings). Must be done before data_migration plugin if you want to keep feed categories
-
-# on the original machine
-sudo mkdir /var/www/tt-rss/export
-sudo chown -R www-data:www-data /var/www/tt-rss/export/
-sudo -u www-data php /var/www/tt-rss/update.php --opml-export "MYUSERNAME /var/www/tt-rss/export/export-2020-08-07.opml" # export feeds OPML
-# on a client
-rsync -avP my.original.machine.org:/var/www/tt-rss/export/export-2020-08-07.opml ./ # download opml export
-# login to the new tt-rss instance from a browser, go to Preferences > Feeds, import OPML file
-
-# migrate all articles from mysql to postgresql
-# on the original machine
-git clone https://git.tt-rss.org/fox/ttrss-data-migration
-sudo chown -R root:www-data ttrss-data-migration/
-sudo mv ttrss-data-migration/ /var/www/tt-rss/plugins.local/data_migration
-sudo nano /var/www/tt-rss/config.php # enable data_migration in the PLUGINS array
-sudo -u www-data php /var/www/tt-rss/update.php --data_user MYUSERNAME --data_export /var/www/tt-rss/export/export-2020-08-07.zip # export articles to database-agnostic format
-
-# on the target machine
-git clone https://git.tt-rss.org/fox/ttrss-data-migration
-sudo chown -R root:www-data ttrss-data-migration/
-sudo mv ttrss-data-migration/ /var/www/rss.example.org/plugins.local/data_migration
-sudo nano /var/www/rss.example.org/config.php # enable data_migration in the PLUGINS array
-rsync -avP my.original.machine.org:/var/www/tt-rss/export/export-2020-08-07.zip ./
-sudo mkdir /var/www/rss.example.org/export
-sudo mv export-2020-08-07.zip /var/www/rss.example.org/export
-sudo chown -R root:www-data /var/www/rss.example.org/export
-sudo chmod -R g+rX /var/www/rss.example.org/export/
-sudo -u www-data php /var/www/rss.example.org/update.php --data_user MYUSERNAME --data_import /var/www/rss.example.org/export/export-2020-08-07.zip # it can take a while
-sudo rm -r /var/www/rss.example.org/export/ #
cleanup
\ No newline at end of file
diff --git a/conf/systemd.service b/conf/systemd.service
index 341d325..a37e9d1 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -10,5 +10,40 @@ ExecStart=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/update_daemon2.php
 Restart=always
 RestartSec=10
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.toml b/manifest.toml
index 244f141..542a5fc 100644
--- a/manifest.toml
+++ b/manifest.toml
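Review bot: `NoNewPrivileges=yes` together with `@setuid` in the `SystemCallFilter=~…` line means the update daemon can no longer gain privileges through set-uid/set-gid helpers, and this daemon is the process that sends digest mail. If `TTRSS_SMTP_SERVER` stays blank (the config.php hunks in this commit do not set it), tt-rss hands mail to the system `sendmail`, which on Postfix relies on a set-gid `postdrop` to enqueue the message, so digest mail from the daemon would likely fail under this unit. Either point `TTRSS_SMTP_SERVER` at the local MTA's SMTP port, which is what the new `TTRSS_SMTP_LOGIN`/`TTRSS_SMTP_PASSWORD` values suggest was intended, or record the constraint in the unit, e.g. `# Mail from the daemon must go over SMTP: NoNewPrivileges blocks set-gid sendmail/postdrop`, so the SMTP setting is not removed later. `ProtectHome=yes` would be a cheap addition if nothing the service reads lives under /home.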
@@ -5,7 +5,7 @@ name = "Tiny Tiny RSS"
 description.en = "News feed (RSS/Atom) reader and aggregator"
 description.fr = "Lecteur de flux d’actualité utilisant les protocoles RSS et Atom"
-version = "20231202~ynh1"
+version = "20231202~ynh2"
 maintainers = []
@@ -47,6 +47,7 @@ ram.runtime = "50M"
 sha256 = "72ec560bd5ad7bac4789d7af0e5c2d7c1c394e9c540d46d5421ecae219d8f875"
 [resources.system_user]
+ allow_email = true
 [resources.install_dir]
diff --git a/scripts/change_url b/scripts/change_url
index 2bccdeb..fb1351f 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -34,7 +34,7 @@ ynh_script_progression --message="Updating a configuration file..." --weight=1
 domain_path="https://${new_domain}${new_path}"
 domain="$new_domain"
-ynh_add_config --template="../conf/config.php" --destination="$install_dir/config.php"
+ynh_add_config --template="config.php" --destination="$install_dir/config.php"
 chmod 400 "$install_dir/config.php"
 chown $app "$install_dir/config.php"
diff --git a/scripts/install b/scripts/install
index 0066e6c..9303b62 100644
--- a/scripts/install
+++ b/scripts/install
@@ -16,7 +16,6 @@ ynh_script_progression --message="Setting up source files..." --weight=7
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$install_dir"
-#ynh_setup_source --dest_dir="$install_dir/plugins.local/data_migration" --source_id="data_migration"
 echo "$(ynh_app_upstream_version)" > "$install_dir/version_static.txt"
 chmod -R o-rwx "$install_dir"
@@ -47,7 +46,7 @@ ynh_script_progression --message="Adding a configuration file..." --weight=1
 domain_path=https://$domain$path
-ynh_add_config --template="../conf/config.php" --destination="$install_dir/config.php"
+ynh_add_config --template="config.php" --destination="$install_dir/config.php"
 chmod 400 "$install_dir/config.php"
 chown $app "$install_dir/config.php"
diff --git a/scripts/upgrade b/scripts/upgrade
index 9df6460..0797a0c 100644
--- a/scripts/upgrade
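Review bot: config.php is now rendered with `__MAIL_PWD__`, so the `chmod 400` and `chown $app` lines that follow `ynh_add_config` in the scripts/install @@ -47 hunk (and the identical pair in the change_url hunk) are what keep the SMTP password away from other local users. The matching upgrade hunk (scripts/upgrade @@ -77) shows only the next progression message after its `ynh_add_config`, and its tail lies outside this patch, so I cannot see the permissions being re-applied there; either confirm that `ynh_add_config` itself leaves the file readable by the app user only, or repeat the two lines in upgrade. A comment above the chmod, `# config.php holds the mail password: owner-only, owned by $app`, would make the intent explicit for whoever next edits these scripts.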
+++ b/scripts/upgrade
@@ -43,7 +43,6 @@ then
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$install_dir"
- #ynh_setup_source --dest_dir="$install_dir/plugins.local/data_migration" --source_id="data_migration"
 echo "$(ynh_app_upstream_version)" > "$install_dir/version_static.txt"
 fi
@@ -77,7 +76,7 @@ then
 ynh_script_progression --message="Updating a configuration file..." --weight=2
 domain_path=https://$domain$path
- ynh_add_config --template="../conf/config.php" --destination="$install_dir/config.php"
+ ynh_add_config --template="config.php" --destination="$install_dir/config.php"
 ynh_script_progression --message="Upgrading the database..." --weight=2