Merge pull request #162 from YunoHost-Apps/example

Apply last example_ynh
2024-09-03 18:26:31 +02:00 · 2022-01-18 20:05:57 +01:00 · 2022-01-18 20:05:57 +01:00 · 9270675f06
commit 9270675f06
parent 2808a3a8e9 c559e6fca1
13 changed files with 94 additions and 41 deletions
--- a/README.md
+++ b/README.md
@ -15,9 +15,9 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in

 ## Overview

-Manage passwords and other sensitive informations
+Alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.

-**Shipped version:** 1.23.0~ynh1
+**Shipped version:** 1.23.0~ynh2

 **Demo:** https://vault.bitwarden.com/#/register

--- a/README_fr.md
+++ b/README_fr.md
@ -11,9 +11,9 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour

 ## Vue d'ensemble

-Gérez les mots de passe et autres informations sensibles
+Alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.

-**Version incluse :** 1.23.0~ynh1
+**Version incluse :** 1.23.0~ynh2

 **Démo :** https://vault.bitwarden.com/#/register

--- a/4
+++ b/4
@ -23,6 +23,8 @@
 		upgrade=1	from_commit=3f7d7d2740a1cb3f16a290b64c89e84422d06ede
 		# 1.21.0~ynh2
 		upgrade=1	from_commit=703d5a9cb86d127c7723bb380d7c392a8eb9e703
+		# 1.23.0~ynh1
+		upgrade=1	from_commit=2808a3a8e985bb5431f6d8f2353b07201355afe4
 		backup_restore=1
 		multi_instance=1
 		port_already_use=0
@ -39,3 +41,5 @@ Notification=all
 		name=1.21.0~ynh2
 	; commit=c233d94d76cae449630c59ce228b7a3c72f8fa12
 		name=1.22.2~ynh1
+	; commit=2808a3a8e985bb5431f6d8f2353b07201355afe4
+		name=1.23.0~ynh1
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -7,21 +7,23 @@ After=network.target
 # The user/group vaultwarden is run under. the working directory (see below) should allow write and read access to this user/group
 User=__APP__
 Group=__APP__
-# The location of the .env file for configuration
+WorkingDirectory=__FINALPATH__/live/
+ReadWriteDirectories=__FINALPATH__/live/
 EnvironmentFile=__FINALPATH__/live/vaultwarden.env
-# The location of the compiled binary
 ExecStart=__FINALPATH__/live/vaultwarden
+
 # Set reasonable connection and process limits
 LimitNOFILE=1048576
 LimitNPROC=64
-# Isolate vaultwarden from the rest of the system
-PrivateTmp=true
-PrivateDevices=true
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+PrivateTmp=yes
+PrivateDevices=yes
 ProtectHome=true
 ProtectSystem=strict
-# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
-WorkingDirectory=__FINALPATH__/live/
-ReadWriteDirectories=__FINALPATH__/live/

 [Install]
 WantedBy=multi-user.target
--- a/conf/vaultwarden.env
+++ b/conf/vaultwarden.env
@ -5,7 +5,7 @@
 ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .

 ## Main data folder
-# DATA_FOLDER=data
+DATA_FOLDER=__DATADIR__

 ## Database URL
 ## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
--- a/doc/DESCRIPTION.md
+++ b/doc/DESCRIPTION.md
@ -0,0 +1 @@
+Alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
--- a/manifest.json
+++ b/manifest.json
@ -6,7 +6,7 @@
        "en": "Manage passwords and other sensitive informations",
        "fr": "Gérez les mots de passe et autres informations sensibles"
    },
-    "version": "1.23.0~ynh1",
+    "version": "1.23.0~ynh2",
    "url": "https://github.com/dani-garcia/vaultwarden",
    "upstream": {
        "license": "GPL-3.0-or-later",
@ -27,7 +27,7 @@
        "nginx"
    ],
    "arguments": {
-        "install" : [
+        "install": [
            {
                "name": "domain",
                "type": "domain"
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -5,7 +5,7 @@
 #=================================================

 # dependencies used by the app
-pkg_dependencies="curl tar pkg-config libssl-dev libc6-dev"
+pkg_dependencies="build-essential pkg-config libssl-dev libc6-dev"

 #=================================================
 # PERSONAL HELPERS
--- a/scripts/backup
+++ b/scripts/backup
@ -29,6 +29,7 @@ app=$YNH_APP_INSTANCE_NAME

 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 domain=$(ynh_app_setting_get --app=$app --key=domain)
+datadir=$(ynh_app_setting_get --app=$app --key=datadir)

 #=================================================
 # DECLARE DATA AND CONF FILES TO BACKUP
@ -41,6 +42,12 @@ ynh_print_info --message="Declaring files to be backed up..."

 ynh_backup --src_path="$final_path"

+#=================================================
+# BACKUP THE DATA DIR
+#=================================================
+
+ynh_backup --src_path="$datadir" --is_big
+
 #=================================================
 # BACKUP THE NGINX CONFIGURATION
 #=================================================
--- a/scripts/install
+++ b/scripts/install
@ -119,14 +119,14 @@ ynh_script_progression --message="Making install..."

 # Install rustup with the toolchain needed by vaultwarden
 pushd "$final_path"
-	sudo -u "$app" RUSTUP_HOME="$final_path"/.rustup CARGO_HOME="$final_path"/.cargo bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain nightly'
+	ynh_exec_as "$app" RUSTUP_HOME="$final_path"/.rustup CARGO_HOME="$final_path"/.cargo bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain nightly'
 popd

 export PATH="$PATH:$final_path/.cargo/bin:$final_path/.local/bin:/usr/local/sbin" 

 # Compile vaultwarden
 pushd "$final_path"/build
-	ynh_exec_warn_less sudo -u "$app" env PATH="$PATH" cargo build --features sqlite --release
+	ynh_exec_warn_less ynh_exec_as "$app" env PATH="$PATH" cargo build --features sqlite --release
 popd

 # Install vaultwarden
@ -137,17 +137,24 @@ ynh_secure_remove --file="$final_path/build"
 ynh_secure_remove --file="$final_path/.cargo"
 ynh_secure_remove --file="$final_path/.rustup"

-# Create datadir
-mkdir -p "$final_path/live/data"
+#=================================================
+# CREATE DATA DIRECTORY
+#=================================================
+ynh_script_progression --message="Creating a data directory..."

-chmod 750 "$final_path/live/data"
-chmod -R o-rwx "$final_path/live/data"
-chown -R $app:$app "$final_path/live/data"
+datadir=/home/yunohost.app/$app
+ynh_app_setting_set --app=$app --key=datadir --value=$datadir
+
+mkdir -p $datadir
+
+chmod 750 "$datadir"
+chmod -R o-rwx "$datadir"
+chown -R $app:$app "$datadir"

 #=================================================
 # ADD A CONFIGURATION
 #=================================================
-ynh_script_progression --message="Adding a config file..."
+ynh_script_progression --message="Adding a configuration file..."

 ynh_add_config --template="../conf/vaultwarden.env" --destination="$final_path/live/vaultwarden.env"

--- a/scripts/remove
+++ b/scripts/remove
@ -18,6 +18,7 @@ app=$YNH_APP_INSTANCE_NAME

 domain=$(ynh_app_setting_get --app=$app --key=domain)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+datadir=$(ynh_app_setting_get --app=$app --key=datadir)

 #=================================================
 # STANDARD REMOVE
@ -40,14 +41,6 @@ ynh_script_progression --message="Stopping and removing the systemd service..."
 # Remove the dedicated systemd config
 ynh_remove_systemd_config

-#=================================================
-# REMOVE DEPENDENCIES
-#=================================================
-ynh_script_progression --message="Removing dependencies..."
-
-# Remove metapackage and its dependencies
-ynh_remove_app_dependencies
-
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================
@ -56,6 +49,17 @@ ynh_script_progression --message="Removing app main directory..."
 # Remove the app directory securely
 ynh_secure_remove --file="$final_path"

+#=================================================
+# REMOVE DATA DIR
+#=================================================
+
+# Remove the data directory if --purge option is used
+if [ "${YNH_APP_PURGE:-0}" -eq 1 ]
+then
+	ynh_script_progression --message="Removing app data directory..."
+	ynh_secure_remove --file="$datadir"
+fi
+
 #=================================================
 # REMOVE NGINX CONFIGURATION
 #=================================================
@ -65,12 +69,12 @@ ynh_script_progression --message="Removing NGINX web server configuration..."
 ynh_remove_nginx_config

 #=================================================
-# REMOVE LOGROTATE CONFIGURATION
+# REMOVE DEPENDENCIES
 #=================================================
-ynh_script_progression --message="Removing logrotate configuration..."
+ynh_script_progression --message="Removing dependencies..."

-# Remove the app-specific logrotate config
-ynh_remove_logrotate
+# Remove metapackage and its dependencies
+ynh_remove_app_dependencies

 #=================================================
 # REMOVE FAIL2BAN CONFIGURATION
--- a/scripts/restore
+++ b/scripts/restore
@ -30,13 +30,15 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+datadir=$(ynh_app_setting_get --app=$app --key=datadir)

 #=================================================
 # CHECK IF THE APP CAN BE RESTORED
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..."

-test ! -d $final_path || ynh_die --message="There is already a directory: $final_path "
+test ! -d $final_path \
+	|| ynh_die --message="There is already a directory: $final_path "

 #=================================================
 # STANDARD RESTORATION STEPS
@ -66,6 +68,19 @@ chmod 750 "$final_path"
 chmod -R o-rwx "$final_path"
 chown -R $app:$app "$final_path"

+#=================================================
+# RESTORE THE DATA DIRECTORY
+#=================================================
+ynh_script_progression --message="Restoring the data directory..."
+
+ynh_restore_file --origin_path="$datadir" --not_mandatory
+
+mkdir -p $datadir
+
+chmod 750 "$datadir"
+chmod -R o-rwx "$datadir"
+chown -R $app:$app "$datadir"
+
 #=================================================
 # RESTORE FAIL2BAN CONFIGURATION
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -21,6 +21,7 @@ domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 admin=$(ynh_app_setting_get --app=$app --key=admin)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+datadir=$(ynh_app_setting_get --app=$app --key=datadir)

 admin_token=$(ynh_app_setting_get --app=$app --key=admin_token)
 rocket_port=$(ynh_app_setting_get --app=$app --key=rocket_port)
@ -48,8 +49,6 @@ ynh_clean_setup () {
 # Exit if an error occurs during the execution of the script
 ynh_abort_if_errors

-ynh_remove_logrotate
-
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@ -90,6 +89,20 @@ then
 	fi
 fi

+ynh_remove_logrotate
+
+# If datadir doesn't exist, create it
+if [ -z $datadir ]; then
+	datadir=/home/yunohost.app/$app
+	ynh_app_setting_set --app=$app --key=datadir --value=$datadir
+	mkdir -p $datadir
+	rsync -arz "$final_path/live/data/" "$datadir/" --delete-after --remove-source-files
+	ynh_secure_remove --file="$final_path/live/data"
+	chmod 750 "$datadir"
+	chmod -R o-rwx "$datadir"
+	chown -R $app:$app "$datadir"
+fi
+
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
 #=================================================
@ -168,14 +181,14 @@ if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 	# Install rustup with the toolchain needed by vaultwarden
 	pushd "$final_path"
-		sudo -u "$app" RUSTUP_HOME="$final_path"/.rustup CARGO_HOME="$final_path"/.cargo bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain nightly'
+		ynh_exec_as "$app" RUSTUP_HOME="$final_path"/.rustup CARGO_HOME="$final_path"/.cargo bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain nightly'
 	popd

 	export PATH="$PATH:$final_path/.cargo/bin:$final_path/.local/bin:/usr/local/sbin" 

 	# Compile vaultwarden
 	pushd "$final_path"/build
-		ynh_exec_warn_less sudo -u "$app" env PATH="$PATH" cargo build --features sqlite --release
+		ynh_exec_warn_less ynh_exec_as "$app" env PATH="$PATH" cargo build --features sqlite --release
 	popd

 	# Remove old generated files before copying the new ones
				`@ -0,0 +1 @@`
				`Alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.`