diff --git a/README.md b/README.md index 758bdef..2e10273 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in A self hostable read-it-later app -**Shipped version:** 2.4.2~ynh1 +**Shipped version:** 2.4.2~ynh2 **Demo:** https://demo.yunohost.org/wallabag/ diff --git a/README_fr.md b/README_fr.md index 9bbcc06..1ae6ec6 100644 --- a/README_fr.md +++ b/README_fr.md @@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Une application de lecture-plus-tard auto-hébergeable -**Version incluse :** 2.4.2~ynh1 +**Version incluse :** 2.4.2~ynh2 **Démo :** https://demo.yunohost.org/wallabag/ diff --git a/check_process b/check_process index c81570d..ce9bdf6 100644 --- a/check_process +++ b/check_process @@ -15,8 +15,6 @@ backup_restore=1 multi_instance=1 change_url=1 -;;; Levels - Level 5=auto ;;; Options Email= Notification=none diff --git a/conf/parameters.yml.dist b/conf/parameters.yml.dist new file mode 100644 index 0000000..97f194e --- /dev/null +++ b/conf/parameters.yml.dist 
@@ -0,0 +1,74 @@
+# This file is a "template" of what your parameters.yml file should look like
+parameters:
+ # Uncomment these settings or manually update your parameters.yml
+ # to use docker-compose
+ #
+ # database_driver: %env.database_driver%
+ # database_host: %env.database_host%
+ # database_port: %env.database_port%
+ # database_name: %env.database_name%
+ # database_user: %env.database_user%
+ # database_password: %env.database_password%
+
+ database_driver: pdo_mysql
+ database_host: 127.0.0.1
+ database_port: ~
+ database_name: __DB_NAME__
+ database_user: __DB_NAME__
+ database_password: __DB_PWD__
+ # For SQLite, database_path should be "%kernel.project_dir%/data/db/wallabag.sqlite"
+ database_path: null
+ database_table_prefix: null
+ database_socket: null
+ # with PostgreSQL and SQLite, you must set "utf8"
+ database_charset: utf8mb4
+
+ domain_name: https://__DOMAIN____PATH__
+ server_name: "Your wallabag instance"
+
+ mailer_transport: smtp
+ mailer_user: ~
+ mailer_password: ~
+ mailer_host: 127.0.0.1
+ mailer_port: false
+ mailer_encryption: ~
+ mailer_auth_mode: ~
+
+ locale: en
+
+ # A secret key that's used to generate certain security-related tokens
+ secret: __DESKEY__
+
+ # two factor stuff
+ twofactor_auth: true
+ twofactor_sender: no-reply@wallabag.org
+
+ # fosuser stuff
+ fosuser_registration: false
+ fosuser_confirmation: true
+
+ # how long the access token should live in seconds for the API
+ fos_oauth_server_access_token_lifetime: 3600
+ # how long the refresh token should life in seconds for the API
+ fos_oauth_server_refresh_token_lifetime: 1209600
+
+ from_email: no-reply@wallabag.org
+
+ rss_limit: 50
+
+ # RabbitMQ processing
+ rabbitmq_host: localhost
+ rabbitmq_port: 5672
+ rabbitmq_user: guest
+ rabbitmq_password: guest
+ rabbitmq_prefetch_count: 10
+
+ # Redis processing
+ redis_scheme: tcp
+ redis_host: localhost
+ redis_port: 6379
+ redis_path: null
+ redis_password: null
+
+ # sentry logging
+ sentry_dsn: ~
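Review bot: `secret: __DESKEY__` and `database_password: __DB_PWD__` are filled in as plain YAML scalars, so the generated value decides how the parser types it. A value that happens to be all digits, or one containing a YAML indicator or a `%` (which Symfony reads as a parameter reference), would be retyped or fail to load. Quoting the placeholders removes that dependency on the generator: `secret: "__DESKEY__"` and `database_password: "__DB_PWD__"`. The `rabbitmq_user: guest` / `rabbitmq_password: guest` pair is the broker's well-known default and deserves a comment such as `# default broker credentials; change before enabling RabbitMQ import`.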
diff --git a/manifest.json b/manifest.json index 18315d3..6611bb6 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "A self hostable read-it-later app", "fr": "Une application de lecture-plus-tard auto-hébergeable" }, - "version": "2.4.2~ynh1", + "version": "2.4.2~ynh2", "url": "https://www.wallabag.org", "upstream": { "license": "MIT", @@ -35,7 +35,7 @@ { "name": "domain", "type": "domain", - "example": "domain.org" + "example": "example.com" }, { "name": "path", @@ -46,7 +46,7 @@ { "name": "admin", "type": "user", - "example": "homer" + "example": "johndoe" } ] } diff --git a/scripts/_common.sh b/scripts/_common.sh index 8168fde..c4fe893 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -7,7 +7,7 @@ YNH_PHP_VERSION="7.3" # dependencies used by the app -extra_php_dependencies="php${YNH_PHP_VERSION}-cli php${YNH_PHP_VERSION}-mysql php${YNH_PHP_VERSION}-json php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-tidy php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-php-gettext php${YNH_PHP_VERSION}-redis" +extra_php_dependencies="php${YNH_PHP_VERSION}-cli php${YNH_PHP_VERSION}-mysql php${YNH_PHP_VERSION}-json php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-tidy php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-gettext php${YNH_PHP_VERSION}-redis" #================================================= # PERSONAL HELPERS diff --git a/scripts/backup b/scripts/backup index 2f4cccb..c1b9d28 100644 --- a/scripts/backup +++ b/scripts/backup @@ -67,4 +67,5 @@ ynh_backup "/etc/fail2ban/filter.d/$app.conf" #================================================= # END OF SCRIPT #================================================= + ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." diff --git a/scripts/install b/scripts/install index ea46a97..a180b8d 100644 --- a/scripts/install +++ b/scripts/install 
@@ -98,20 +98,11 @@ phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= ynh_script_progression --message="Configuring wallabag..." --weight=35 -# Copy and set Wallabag dist configuration -wb_conf=$final_path/app/config/parameters.yml -cp $final_path/app/config/parameters.yml.dist $wb_conf - -ynh_replace_string --match_string="fosuser_registration: true" --replace_string="fosuser_registration: false" --target_file=$wb_conf -ynh_replace_string --match_string="database_name: wallabag" --replace_string="database_name: $db_name" --target_file=$wb_conf -ynh_replace_string --match_string="database_user: root" --replace_string="database_user: $db_user" --target_file=$wb_conf -ynh_replace_string --match_string="database_password: ~" --replace_string="database_password: $db_pwd" --target_file=$wb_conf -ynh_replace_string --match_string="database_table_prefix: wallabag_" --replace_string="database_table_prefix: null" --target_file=$wb_conf # Generate random DES key & password deskey=$(ynh_string_random --length=24) ynh_app_setting_set --app=$app --key=deskey --value=$deskey -ynh_replace_string --match_string="secret: ovmpmAWXRCabNlMgzlzFXDYmCFfzGv" --replace_string="secret: $deskey" --target_file=$wb_conf -ynh_replace_string --match_string="domain_name: https://your-wallabag-url-instance.com" --replace_string="domain_name: https://$domain$path_url" --target_file=$wb_conf + +ynh_add_config --template="../conf/parameters.yml.dist" --destination="$final_path/app/config/parameters.yml" # Alias for php-cli execution command php_exec="ynh_exec_as $app php "$final_path/bin/console" --no-interaction --env=prod" 
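Review bot: Nothing in this hunk sets the owner or mode of `parameters.yml` once `ynh_add_config` has written it; the `chmod 600` only arrives in the SECURE FILES AND DIRECTORIES section near the end of the script. From the moment it is rendered the file holds the database password and the application secret, and the console commands that follow run as `$app`, so it is worth confirming what owner and mode the helper leaves behind. Restricting it straight after the call closes that window: `chown $app: "$final_path/app/config/parameters.yml"` then `chmod 600 "$final_path/app/config/parameters.yml"`. The same `ynh_add_config` call in scripts/upgrade has the same gap.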
@@ -134,12 +125,18 @@ done $php_exec fos:user:promote --super "$admin" #================================================= -# CONFIGURE FAIL2BAN +# CONFIGURE LOG #================================================= + # Create the log file is not already existing during install mkdir -p "$final_path/var/logs/" touch "$final_path/var/logs/prod.log" chown $app: "$final_path/var/logs/prod.log" + +#================================================= +# CONFIGURE FAIL2BAN +#================================================= + # Add fail2ban config ynh_add_fail2ban_config --logpath="$final_path/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP ""' --max_retry=5 @@ -149,7 +146,15 @@ ynh_add_fail2ban_config --logpath="$final_path/var/logs/prod.log" --failregex='a # SECURE FILES AND DIRECTORIES #================================================= -set_permissions +# Set permissions to app files +chown -R $app:www-data $final_path +chmod -R g=u,g-w,o-rwx $final_path + +# Restrict rights to Wallabag user only +chmod 600 $final_path/app/config/parameters.yml +if [ -e $final_path/var/cache/prod/appProdProjectContainer.php ]; then + chmod 700 $final_path/var/cache/prod/appProdProjectContainer.php +fi #================================================= # SETUP HOOKS @@ -158,13 +163,6 @@ set_permissions ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_user_create" ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_user_delete" -#================================================= -# SETUP SSOWAT -#================================================= -ynh_script_progression --message="Configuring permissions..." --weight=1 - -ynh_permission_update --permission="main" --add="visitors" - #================================================= # RELOAD NGINX #================================================= 
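Review bot: The permission block added under SECURE FILES AND DIRECTORIES runs recursive `chown` and `chmod` as root on an unquoted `$final_path`, and the same block is pasted into scripts/restore and scripts/upgrade in place of the shared `set_permissions` call. Quote the path (`chown -R $app:www-data "$final_path"`, `chmod -R g=u,g-w,o-rwx "$final_path"`) and keep the logic in one helper so the three copies cannot drift apart. `chmod 700` on `appProdProjectContainer.php` grants an execute bit that a PHP source file does not need; `600` would match the treatment of `parameters.yml`. Because that file is only restricted when it already exists, a container rebuilt later presumably gets whatever the process umask gives it, which deserves a comment.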
diff --git a/scripts/remove b/scripts/remove index 4fbbea0..195457f 100644 --- a/scripts/remove +++ b/scripts/remove @@ -58,6 +58,7 @@ ynh_remove_fpm_config #================================================= # REMOVE FAIL2BAN CONFIGURATION #================================================= + ynh_remove_fail2ban_config #================================================= diff --git a/scripts/restore b/scripts/restore index f4b8546..267f2b6 100644 --- a/scripts/restore +++ b/scripts/restore @@ -29,6 +29,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_user=$db_name +phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= # CHECK IF THE APP CAN BE RESTORED @@ -48,6 +49,14 @@ test ! -d $final_path \ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +#================================================= +# RECREATE THE DEDICATED USER +#================================================= +ynh_script_progression --message="Recreating the dedicated system user..." --weight=2 + +# Create the dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" + #================================================= # RESTORE THE APP MAIN DIR #================================================= 
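Review bot: In the first scripts/restore hunk, the added `phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)` repeats the identical assignment that is already present a few lines above it in the same settings block, so the new line can be dropped. It is harmless at runtime, but a duplicated settings read invites the two copies to diverge on a later edit.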
@@ -55,26 +64,24 @@ ynh_script_progression --message="Restoring the app main directory..." ynh_restore_file --origin_path="$final_path" -#================================================= -# RECREATE THE DEDICATED USER -#================================================= -ynh_script_progression --message="Recreating the dedicated system user..." --weight=2 - -# Create the dedicated user (if not existing) -ynh_system_user_create --username=$app - #================================================= # RESTORE USER RIGHTS #================================================= -wb_conf=$final_path/app/config/parameters.yml +# Set permissions to app files +chown -R $app:www-data $final_path +chmod -R g=u,g-w,o-rwx $final_path -set_permissions +# Restrict rights to Wallabag user only +chmod 600 $final_path/app/config/parameters.yml +if [ -e $final_path/var/cache/prod/appProdProjectContainer.php ]; then + chmod 700 $final_path/var/cache/prod/appProdProjectContainer.php +fi #================================================= # RESTORE THE PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Restoring the PHP-FPM configuration..." --weight=5 +ynh_script_progression --message="Restoring the PHP-FPM configuration..." --weight=1 ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" diff --git a/scripts/upgrade b/scripts/upgrade index 9273e81..2826443 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -31,6 +31,20 @@ deskey=$(ynh_app_setting_get --app=$app --key=deskey) upgrade_type=$(ynh_check_app_version_changed) +#================================================= +# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP +#================================================= +ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=5 + +# Backup the current version of the app +ynh_backup_before_upgrade +ynh_clean_setup () { + # restore it if the upgrade fails + ynh_restore_upgradebackup +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + #================================================= # ENSURE DOWNWARD COMPATIBILITY #================================================= @@ -54,6 +68,14 @@ if [ -z "$path_url" ]; then ynh_app_setting_set --app=$app --key=path --value=$path_url fi +# Create the log file is not already existing +if [ ! -f "$final_path/var/logs/prod.log" ] +then + mkdir -p "$final_path/var/logs/" + touch "$final_path/var/logs/prod.log" + chown $app: "$final_path/var/logs/prod.log" +fi + if ynh_legacy_permissions_exists then ynh_legacy_permissions_delete_all @@ -62,18 +84,12 @@ then fi #================================================= -# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP +# CREATE DEDICATED USER #================================================= -ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=30 +ynh_script_progression --message="Making sure dedicated system user exists..." -# Backup the current version of the app -ynh_backup_before_upgrade -ynh_clean_setup () { - # restore it if the upgrade fails - ynh_restore_upgradebackup -} -# Exit if an error occurs during the execution of the script -ynh_abort_if_errors +# Create a dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" #================================================= # STANDARD UPGRADE STEPS 
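Review bot: The log-file block moved into ENSURE DOWNWARD COMPATIBILITY now runs `chown $app: "$final_path/var/logs/prod.log"` before the CREATE DEDICATED USER section that calls `ynh_system_user_create`. With `ynh_abort_if_errors` also moved ahead of it, a missing `$app` account would presumably make the chown fail and abort the upgrade into a restore. On a healthy install the user already exists, so this only bites on a damaged one, but placing the block after the user-creation section removes the ordering dependency.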
@@ -101,31 +117,18 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." # Create a dedicated nginx config ynh_add_nginx_config -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Making sure dedicated system user exists..." - -# Create a dedicated user (if not existing) -ynh_system_user_create --username=$app - #================================================= # PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Upgrading php-fpm configuration..." +ynh_script_progression --message="Upgrading PHP-FPM configuration..." # Create a dedicated php-fpm config ynh_add_fpm_config --package="$extra_php_dependencies" -# Set-up fail2ban -# Create the log file is not already existing -if [ ! -f "$final_path/var/logs/prod.log" ] -then - mkdir -p "$final_path/var/logs/" - touch "$final_path/var/logs/prod.log" - chown $app: "$final_path/var/logs/prod.log" -fi -# Add fail2ban config +#================================================= +# CONFIGURE FAIL2BAN +#================================================= + ynh_add_fail2ban_config --logpath="$final_path/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP ""' --max_retry=5 # same as install config #================================================= 
@@ -134,22 +137,11 @@ ynh_add_fail2ban_config --logpath="$final_path/var/logs/prod.log" --failregex='a # CONFIGURE WALLABAG #================================================= -wb_conf=$final_path/app/config/parameters.yml - if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Reconfiguring wallabag..." --weight=11 - # Copy and set Wallabag dist configuration - cp $final_path/app/config/parameters.yml.dist $wb_conf - - ynh_replace_string --match_string="fosuser_registration: true" --replace_string="fosuser_registration: false" --target_file=$wb_conf - ynh_replace_string --match_string="database_name: wallabag" --replace_string="database_name: $db_name" --target_file=$wb_conf - ynh_replace_string --match_string="database_user: root" --replace_string="database_user: $db_user" --target_file=$wb_conf - ynh_replace_string --match_string="database_password: ~" --replace_string="database_password: $db_pwd" --target_file=$wb_conf - ynh_replace_string --match_string="database_table_prefix: wallabag_" --replace_string="database_table_prefix: null" --target_file=$wb_conf - ynh_replace_string --match_string="secret: ovmpmAWXRCabNlMgzlzFXDYmCFfzGv" --replace_string="secret: $deskey" --target_file=$wb_conf - ynh_replace_string --match_string="domain_name: https://your-wallabag-url-instance.com" --replace_string="domain_name: https://$domain$path_url" --target_file=$wb_conf + ynh_add_config --template="../conf/parameters.yml.dist" --destination="$final_path/app/config/parameters.yml" #================================================= # UPGRADE WALLABAG 
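Review bot: `parameters.yml` is now rendered from the package's own `conf/parameters.yml.dist` rather than from the `.dist` file shipped in the freshly deployed source, so parameters that upstream adds in a later release no longer arrive automatically. A comment above the `ynh_add_config` call should record that obligation, for example `# Keep conf/parameters.yml.dist in sync with upstream app/config/parameters.yml.dist on every version bump`. The template also expects `$db_pwd`, `$db_name`, `$deskey`, `$domain` and `$path_url` to be set at this point; where they are loaded is outside this hunk, as is the rest of the enclosing `if` block.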
@@ -181,7 +173,15 @@ fi # SECURE FILES AND DIRECTORIES #================================================= -set_permissions +# Set permissions to app files +chown -R $app:www-data $final_path +chmod -R g=u,g-w,o-rwx $final_path + +# Restrict rights to Wallabag user only +chmod 600 $final_path/app/config/parameters.yml +if [ -e $final_path/var/cache/prod/appProdProjectContainer.php ]; then + chmod 700 $final_path/var/cache/prod/appProdProjectContainer.php +fi #================================================= # SETUP HOOKS