diff --git a/check_process b/check_process
index 692db47..c81570d 100644
--- a/check_process
+++ b/check_process
@@ -1,8 +1,8 @@
 ;; Complete test
 ; Manifest
- domain="domain.tld" (DOMAIN)
- path="/path" (PATH)
- admin="john" (USER)
+ domain="domain.tld"
+ path="/path"
+ admin="john"
 ; Checks
 pkg_linter=1
 setup_sub_dir=1
@@ -14,8 +14,6 @@
 upgrade=1 from_commit=f75d58cb32c51a0981333ea88974dc3199324e65
 backup_restore=1
 multi_instance=1
- incorrect_path=1
- port_already_use=0
 change_url=1
 ;;; Levels
 Level 5=auto
diff --git a/conf/nginx.conf b/conf/nginx.conf
index dabfbf9..99858c5 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -22,7 +22,7 @@ location __PATH__/ {
 fastcgi_param SCRIPT_FILENAME $request_filename;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param REMOTE_USER $remote_user;
- fastcgi_pass unix:/var/run/php5-fpm-__NAME__.sock;
+ fastcgi_pass unix:/var/run/php__PHPVERSION__-fpm-__NAME__.sock;
 fastcgi_intercept_errors on;
 }
diff --git a/conf/parameters.yml.dist b/conf/parameters.yml.dist
new file mode 100644
index 0000000..97f194e
--- /dev/null
+++ b/conf/parameters.yml.dist
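Review bot: The socket path in `fastcgi_pass unix:/var/run/php__PHPVERSION__-fpm-__NAME__.sock;` and the pool's `listen = /var/run/php/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock` in `conf/php-fpm.conf` (same commit) name different directories, `/var/run/` versus `/var/run/php/`; the old pair had the same mismatch, so the package may be relying on the helpers rewriting one side, but nothing in the diff shows that. If the rendered files really differ, nginx answers 502 for every request once the new pool is in place. Align the nginx side with the pool, `fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;`, or verify on a fresh install which socket path is actually created.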
@@ -0,0 +1,74 @@
+# This file is a "template" of what your parameters.yml file should look like
+parameters:
+ # Uncomment these settings or manually update your parameters.yml
+ # to use docker-compose
+ #
+ # database_driver: %env.database_driver%
+ # database_host: %env.database_host%
+ # database_port: %env.database_port%
+ # database_name: %env.database_name%
+ # database_user: %env.database_user%
+ # database_password: %env.database_password%
+
+ database_driver: pdo_mysql
+ database_host: 127.0.0.1
+ database_port: ~
+ database_name: __DB_NAME__
+ database_user: __DB_NAME__
+ database_password: __DB_PWD__
+ # For SQLite, database_path should be "%kernel.project_dir%/data/db/wallabag.sqlite"
+ database_path: null
+ database_table_prefix: null
+ database_socket: null
+ # with PostgreSQL and SQLite, you must set "utf8"
+ database_charset: utf8mb4
+
+ domain_name: https://__DOMAIN____PATH__
+ server_name: "Your wallabag instance"
+
+ mailer_transport: smtp
+ mailer_user: ~
+ mailer_password: ~
+ mailer_host: 127.0.0.1
+ mailer_port: false
+ mailer_encryption: ~
+ mailer_auth_mode: ~
+
+ locale: en
+
+ # A secret key that's used to generate certain security-related tokens
+ secret: __DESKEY__
+
+ # two factor stuff
+ twofactor_auth: true
+ twofactor_sender: no-reply@wallabag.org
+
+ # fosuser stuff
+ fosuser_registration: false
+ fosuser_confirmation: true
+
+ # how long the access token should live in seconds for the API
+ fos_oauth_server_access_token_lifetime: 3600
+ # how long the refresh token should life in seconds for the API
+ fos_oauth_server_refresh_token_lifetime: 1209600
+
+ from_email: no-reply@wallabag.org
+
+ rss_limit: 50
+
+ # RabbitMQ processing
+ rabbitmq_host: localhost
+ rabbitmq_port: 5672
+ rabbitmq_user: guest
+ rabbitmq_password: guest
+ rabbitmq_prefetch_count: 10
+
+ # Redis processing
+ redis_scheme: tcp
+ redis_host: localhost
+ redis_port: 6379
+ redis_path: null
+ redis_password: null
+
+ # sentry logging
+ sentry_dsn: ~
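Review bot: `twofactor_sender` and `from_email` are left at the upstream `no-reply@wallabag.org`, so 2FA codes and account e-mails relayed through `mailer_host: 127.0.0.1` carry a sender domain this server does not own and are likely to fail SPF/DMARC checks at the recipient, which defeats the `twofactor_auth: true` default. The template already has the instance domain available, so use `twofactor_sender: no-reply@__DOMAIN__` and `from_email: no-reply@__DOMAIN__`. The `rabbitmq_user: guest` / `rabbitmq_password: guest` pair are also upstream defaults; they are inert as long as asynchronous import is not enabled (RabbitMQ is not among the manifest's services), but a one-line comment saying so, e.g. `# upstream defaults; unused unless async import via RabbitMQ is enabled`, would spare the next reader a scare.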
diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf
index 6505dc6..1e379e7 100644
--- a/conf/php-fpm.conf
+++ b/conf/php-fpm.conf
@@ -33,7 +33,7 @@ group = __USER__
 ; (IPv6 and IPv4-mapped) on a specific port;
 ; '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = /var/run/php/php7.0-fpm-__NAMETOCHANGE__.sock
+listen = /var/run/php/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock
 
 ; Set listen(2) backlog.
 ; Default Value: 511 (-1 on FreeBSD and OpenBSD)
@@ -419,16 +419,12 @@ chdir = __FINALPATH__
 ;php_admin_value[memory_limit] = 32M
 
 ; Common values to change to increase file upload limit
-; php_admin_value[upload_max_filesize] = 50M
-; php_admin_value[post_max_size] = 50M
+php_admin_value[upload_max_filesize] = 50M
+php_admin_value[post_max_size] = 50M
 ; php_admin_flag[mail.add_x_header] = Off
 
 ; Other common parameters
-; php_admin_value[max_execution_time] = 600
+php_admin_value[max_execution_time] = 3600
 ; php_admin_value[max_input_time] = 300
 ; php_admin_value[memory_limit] = 256M
 ; php_admin_flag[short_open_tag] = On
-
-php_admin_value[max_execution_time] = 3600
-php_admin_value[upload_max_filesize] = 50M
-php_admin_value[post_max_size] = 50M
diff --git a/manifest.json b/manifest.json
index b41b677..d042a79 100644
--- a/manifest.json
+++ b/manifest.json
@@ -14,12 +14,12 @@ {
 "email": ""
 },
 "requirements": {
- "yunohost": ">= 4.1.0"
+ "yunohost": ">= 4.2.4"
 },
 "multi_instance": true,
 "services": [
 "nginx",
- "php5-fpm",
+ "php7.3-fpm",
 "mysql"
 ],
 "arguments": {
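Review bot: `php_admin_value[max_execution_time] = 3600` is carried over from the bottom of the old file and now sits among the "common parameters", but it still applies to every request this pool serves, not only to the long imports it was presumably raised for; a single slow or deliberately stalled request can pin an FPM worker for an hour, which is a cheap way to exhaust the pool from the outside. If the large value is only needed for imports, run those through `bin/console` (the CLI SAPI has no execution limit by default) and keep the web value nearer the commented default, e.g. `php_admin_value[max_execution_time] = 600`. Whatever value is kept, a short comment on why it and the 50M upload limits are needed would help, since the surrounding commented-out lines read as documentation of defaults rather than as deliberate choices.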
@@ -27,29 +27,17 @@
 {
 "name": "domain",
 "type": "domain",
- "ask": {
- "en": "Choose a domain for Wallabag",
- "fr": "Choisissez un domaine pour Wallabag"
- },
 "example": "domain.org"
 },
 {
 "name": "path",
 "type": "path",
- "ask": {
- "en": "Choose a path for Wallabag",
- "fr": "Choisissez un chemin pour Wallabag"
- },
 "example": "/wallabag",
 "default": "/wallabag"
 },
 {
 "name": "admin",
 "type": "user",
- "ask": {
- "en": "Choose the Wallabag administrator",
- "fr": "Choisissez l'administrateur de Wallabag"
- },
 "example": "homer"
 }
 ]
diff --git a/scripts/_common.sh b/scripts/_common.sh
index f58d4bf..f4fd644 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -4,6 +4,8 @@
 # COMMON VARIABLES
 #=================================================
 
+YNH_PHP_VERSION="7.3"
+
 # dependencies used by the app
 pkg_dependencies="php$YNH_DEFAULT_PHP_VERSION-cli php$YNH_DEFAULT_PHP_VERSION-mysql php$YNH_DEFAULT_PHP_VERSION-json php$YNH_DEFAULT_PHP_VERSION-gd php$YNH_DEFAULT_PHP_VERSION-tidy php$YNH_DEFAULT_PHP_VERSION-curl php$YNH_DEFAULT_PHP_VERSION-gettext php$YNH_DEFAULT_PHP_VERSION-redis"
 
@@ -26,16 +28,3 @@ function set_permissions {
 #=================================================
 # EXPERIMENTAL HELPERS
 #=================================================
-
-# Execute a command as another user
-# usage: exec_as USER COMMAND [ARG ...]
-ynh_exec_as() {
- local USER=$1
- shift 1
-
- if [[ $USER = $(whoami) ]]; then
- eval "$@"
- else
- sudo -u "$USER" "$@"
- fi
-}
diff --git a/scripts/backup b/scripts/backup
index f55f3f3..db7e199 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -19,7 +19,7 @@ ynh_abort_if_errors
 #=================================================
 # LOAD SETTINGS
 #=================================================
-ynh_script_progression --message="Loading installation settings..."
+ynh_print_info --message="Loading installation settings..."
 
 app=$YNH_APP_INSTANCE_NAME
 
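Review bot: `YNH_PHP_VERSION="7.3"` is introduced, but `pkg_dependencies` two lines below is still built from `$YNH_DEFAULT_PHP_VERSION`, so the PHP extensions (mysql, gd, tidy, curl, redis, …) are installed for whatever version the host defaults to while the FPM pool, the nginx socket and the manifest's `php7.3-fpm` service are pinned to 7.3. The two agree on a YunoHost 4.2 host today, but they diverge on the first host whose default PHP is newer, leaving the 7.3 pool without its extensions and the app failing at runtime rather than at install. Build the list from the pinned variable: `pkg_dependencies="php${YNH_PHP_VERSION}-cli php${YNH_PHP_VERSION}-mysql php${YNH_PHP_VERSION}-json php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-tidy php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-gettext php${YNH_PHP_VERSION}-redis"`.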
@@ -36,37 +36,35 @@ db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 # Clean cache files before backup (saved some disk space)
 ynh_secure_remove --file=$final_path/var/cache/prod
-ynh_script_progression --message="Backing up the main app directory..."
 ynh_backup --src_path="$final_path"
 
 #=================================================
 # BACKUP NGINX CONFIGURATION
 #=================================================
-ynh_script_progression --message="Backing up nginx web server configuration..."
 ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
 #=================================================
 # BACKUP PHP-FPM CONFIGURATION
 #=================================================
-ynh_script_progression --message="Backing up php-fpm configuration..."
-ynh_backup --src_path="/etc/php/7.0/fpm/pool.d/$app.conf"
+ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
 
 #=================================================
 # BACKUP MYSQL DB
 #=================================================
-ynh_script_progression --message="Backing up the MySQL database..."
 ynh_mysql_dump_db --database="$db_name" > db.sql
 
 #=================================================
 # BACKUP FAIL2BAN CONFIGURATION
 #=================================================
+
 ynh_backup "/etc/fail2ban/jail.d/$app.conf"
 ynh_backup "/etc/fail2ban/filter.d/$app.conf"
 
 #=================================================
 # END OF SCRIPT
 #=================================================
-ynh_script_progression --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." --last
+
+ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)."
diff --git a/scripts/change_url b/scripts/change_url
index b49b957..df33ee7 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -53,7 +53,7 @@ fi
 #=================================================
 # MODIFY URL IN NGINX CONF FILE
 #=================================================
-ynh_script_progression --message="Updating nginx web server configuration..." --weight=2
+ynh_script_progression --message="Updating NGINX web server configuration..." --weight=2
 
 nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
 
@@ -104,7 +104,7 @@ ynh_secure_remove --file=$final_path/var/cache
 #=================================================
 # RELOAD NGINX
 #=================================================
-ynh_script_progression --message="Reloading nginx web server..."
+ynh_script_progression --message="Reloading NGINX web server..."
 
 ynh_systemd_action --service_name=nginx --action=reload
 
diff --git a/scripts/install b/scripts/install
index ab4ea3c..3b9ef15 100644
--- a/scripts/install
+++ b/scripts/install
@@ -66,6 +66,14 @@ db_user=$db_name
 ynh_app_setting_set --app=$app --key=db_name --value=$db_name
 ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
 
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Configuring system user..." --weight=2
+
+# Create a system user
+ynh_system_user_create --username=$app --home_dir="$final_path"
+
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
@@ -78,23 +86,15 @@ ynh_setup_source --dest_dir="$final_path"
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
-ynh_script_progression --message="Configuring nginx web server..." --weight=2
+ynh_script_progression --message="Configuring NGINX web server..." --weight=2
 
 # Create a dedicated nginx config
 ynh_add_nginx_config
 
-#=================================================
-# CREATE DEDICATED USER
-#=================================================
-ynh_script_progression --message="Configuring system user..." --weight=2
-
-# Create a system user
-ynh_system_user_create --username=$app
-
 #=================================================
 # PHP-FPM CONFIGURATION
 #=================================================
-ynh_script_progression --message="Configuring php-fpm..." --weight=2
+ynh_script_progression --message="Configuring PHP-FPM..." --weight=2
 
 # Create a dedicated php-fpm config
 ynh_add_fpm_config
@@ -106,20 +106,11 @@ ynh_add_fpm_config
 #=================================================
 ynh_script_progression --message="Configuring wallabag..." --weight=35
-# Copy and set Wallabag dist configuration
-wb_conf=$final_path/app/config/parameters.yml
-cp $final_path/app/config/parameters.yml.dist $wb_conf
-
-ynh_replace_string --match_string="fosuser_registration: true" --replace_string="fosuser_registration: false" --target_file=$wb_conf
-ynh_replace_string --match_string="database_name: wallabag" --replace_string="database_name: $db_name" --target_file=$wb_conf
-ynh_replace_string --match_string="database_user: root" --replace_string="database_user: $db_user" --target_file=$wb_conf
-ynh_replace_string --match_string="database_password: ~" --replace_string="database_password: $db_pwd" --target_file=$wb_conf
-ynh_replace_string --match_string="database_table_prefix: wallabag_" --replace_string="database_table_prefix: null" --target_file=$wb_conf
 
 # Generate random DES key & password
 deskey=$(ynh_string_random --length=24)
 ynh_app_setting_set --app=$app --key=deskey --value=$deskey
-ynh_replace_string --match_string="secret: ovmpmAWXRCabNlMgzlzFXDYmCFfzGv" --replace_string="secret: $deskey" --target_file=$wb_conf
-ynh_replace_string --match_string="domain_name: https://your-wallabag-url-instance.com" --replace_string="domain_name: https://$domain$path_url" --target_file=$wb_conf
+
+ynh_add_config --template="../conf/parameters.yml.dist" --destination="$final_path/app/config/parameters.yml"
 
 # Alias for php-cli execution command
 php_exec="ynh_exec_as $app php "$final_path/bin/console" --no-interaction --env=prod"
@@ -144,10 +135,12 @@ $php_exec fos:user:promote --super "$admin"
 #=================================================
 # CONFIGURE FAIL2BAN
 #=================================================
+
 # Create the log file is not already existing during install
 mkdir -p "/var/www/$app/var/logs/"
 touch "/var/www/$app/var/logs/prod.log"
 chown $app: "/var/www/$app/var/logs/prod.log"
+
 # Add fail2ban config
 ynh_add_fail2ban_config --logpath="/var/www/$app/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP ""' --max_retry=5
 
@@ -157,7 +150,15 @@ ynh_add_fail2ban_config --logpath="/var/www/$app/var/logs/prod.log" --failregex=
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-set_permissions
+# Set permissions to app files
+chown -R $app:www-data $final_path
+chmod -R g=u,g-w,o-rwx $final_path
+
+# Restrict rights to Wallabag user only
+chmod 600 $final_path/app/config/parameters.yml
+if [ -e $final_path/var/cache/prod/appProdProjectContainer.php ]; then
+ chmod 700 $final_path/var/cache/prod/appProdProjectContainer.php
+fi
 
 #=================================================
 # SETUP HOOKS
@@ -169,13 +170,14 @@ ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_fil
 #=================================================
 # SETUP SSOWAT
 #=================================================
-ynh_script_progression --message="Configuring SSOwat..."
+ynh_script_progression --message="Configuring permissions..."
+
 ynh_permission_update --permission="main" --add="visitors"
 
 #=================================================
 # RELOAD NGINX
 #=================================================
-ynh_script_progression --message="Reloading nginx web server..."
+ynh_script_progression --message="Reloading NGINX web server..."
 
 ynh_systemd_action --service_name=nginx --action=reload
 
diff --git a/scripts/remove b/scripts/remove
index 70f90cf..5e48f41 100644
--- a/scripts/remove
+++ b/scripts/remove
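Review bot: After `chown -R $app:www-data $final_path`, `app/config/parameters.yml` (database password and the app `secret`) is owned by the account the pool runs as (`group = __USER__` in `conf/php-fpm.conf`, and presumably `user` too), so any code-execution bug in the web app can rewrite its own credentials, whereas the runtime only needs to read the file. Replace the `chmod 600` line with `chown root:$app "$final_path/app/config/parameters.yml"` and `chmod 640 "$final_path/app/config/parameters.yml"`; the `ynh_add_config` rewrite on upgrade runs as root, so nothing else needs write access. The `chmod 700` on `appProdProjectContainer.php` is opportunistic: the file only exists here if the cache was warmed earlier, and the runtime regenerates it with `$app`'s umask on every cache clear, so `chmod 600` (the execute bit is meaningless on a PHP file) plus a comment stating that this is best-effort would be clearer. This block is pasted verbatim into `restore` and `upgrade` as well while `function set_permissions` still exists in `_common.sh` (visible in that file's hunk header); keeping one helper avoids the three copies drifting.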
@@ -66,6 +66,7 @@ ynh_remove_fpm_config
 #=================================================
 # REMOVE FAIL2BAN CONFIGURATION
 #=================================================
+
 ynh_remove_fail2ban_config
 
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index 1654db7..8160cea 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -47,6 +47,14 @@ test ! -d $final_path \
 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
+#=================================================
+# RECREATE THE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Recreating the dedicated system user..." --weight=2
+
+# Create the dedicated user (if not existing)
+ynh_system_user_create --username=$app --home_dir="$final_path"
+
 #=================================================
 # RESTORE THE APP MAIN DIR
 #=================================================
@@ -54,27 +62,26 @@ ynh_script_progression --message="Restoring the app main directory..."
 ynh_restore_file --origin_path="$final_path"
 
-#=================================================
-# RECREATE THE DEDICATED USER
-#=================================================
-ynh_script_progression --message="Recreating the dedicated system user..." --weight=2
-
-# Create the dedicated user (if not existing)
-ynh_system_user_create --username=$app
-
 #=================================================
 # RESTORE USER RIGHTS
 #=================================================
-wb_conf=$final_path/app/config/parameters.yml
+# Set permissions to app files
+chown -R $app:www-data $final_path
+chmod -R g=u,g-w,o-rwx $final_path
 
-set_permissions
+# Restrict rights to Wallabag user only
+chmod 600 $final_path/app/config/parameters.yml
+if [ -e $final_path/var/cache/prod/appProdProjectContainer.php ]; then
+ chmod 700 $final_path/var/cache/prod/appProdProjectContainer.php
+fi
 
 #=================================================
 # RESTORE THE PHP-FPM CONFIGURATION
 #=================================================
+ynh_script_progression --message="Restoring the PHP-FPM configuration..." --weight=1
 
-ynh_restore_file --origin_path="/etc/php/7.0/fpm/pool.d/$app.conf"
+ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
 
 #=================================================
 # SPECIFIC RESTORATION
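Review bot: `ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"` assumes the archive was produced by a version that stored a `phpversion` setting and a pool file under that version. Archives made by the previous package contain `/etc/php/7.0/fpm/pool.d/$app.conf` and no `phpversion` setting, so `$phpversion` (read in LOAD SETTINGS, outside this hunk) is empty, the path degenerates to `/etc/php//fpm/pool.d/$app.conf`, and the restore aborts; the `php$phpversion-fpm` reload further down has the same problem. A fallback next to where the setting is loaded, `phpversion=${phpversion:-$YNH_PHP_VERSION}`, fixes the empty case, but an old archive still holds a 7.0 pool file that no longer matches the installed PHP, so the robust option is to regenerate the pool with `ynh_add_fpm_config` during restore instead of restoring the archived file (I believe the helper takes a `--phpversion` option in 4.2; confirm). Either way, document in a comment which archive generations this restore script supports.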
@@ -108,9 +115,9 @@ ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./
 #=================================================
 # RELOAD NGINX AND PHP-FPM
 #=================================================
-ynh_script_progression --message="Reloading nginx web server and php-fpm..."
+ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..."
 
-ynh_systemd_action --service_name=php7.0-fpm --action=reload
+ynh_systemd_action --service_name=php$phpversion-fpm --action=reload
 ynh_systemd_action --service_name=nginx --action=reload
 
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 779a2dc..5d83bd7 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -54,6 +54,13 @@ if [ -z "$path_url" ]; then
 ynh_app_setting_set --app=$app --key=path --value=$path_url
 fi
 
+# Cleaning legacy permissions
+if ynh_legacy_permissions_exists; then
+ ynh_legacy_permissions_delete_all
+
+ ynh_app_setting_delete --app=$app --key=is_public
+fi
+
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
@@ -69,20 +76,12 @@ ynh_clean_setup () {
 ynh_abort_if_errors
 
 #=================================================
-# Migrate legacy permissions to new system
+# CREATE DEDICATED USER
 #=================================================
-if ynh_legacy_permissions_exists
-then
- ynh_legacy_permissions_delete_all
+ynh_script_progression --message="Making sure dedicated system user exists..."
 
- ynh_app_setting_delete --app=$app --key=is_public
-fi
-
-#=================================================
-# CHECK THE PATH
-#=================================================
-
-path_url=$(ynh_normalize_url_path --path_url=$path_url)
+# Create a dedicated user (if not existing)
+ynh_system_user_create --username=$app --home_dir="$final_path"
 
 #=================================================
 # STANDARD UPGRADE STEPS
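Review bot: The `CHECK THE PATH` step (`path_url=$(ynh_normalize_url_path --path_url=$path_url)`) is dropped from the upgrade script without a visible replacement, yet the new `parameters.yml.dist` builds `domain_name: https://__DOMAIN____PATH__` from `$path_url` and the nginx config uses it as a location prefix. The `if [ -z "$path_url" ]` block above (partly outside this hunk) migrates the old `path` key but does not visibly normalize its value, so an instance whose stored path carries a trailing slash or lacks the leading one would now propagate that into both files. Unless the earlier block or `ynh_app_setting_get` is known to return a normalized value, keep `path_url=$(ynh_normalize_url_path --path_url=$path_url)` before the configs are regenerated.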
@@ -117,14 +116,6 @@ ynh_script_progression --message="Upgrading dependencies..." --weight=7
 
 ynh_install_app_dependencies $pkg_dependencies
 
-#=================================================
-# CREATE DEDICATED USER
-#=================================================
-ynh_script_progression --message="Making sure dedicated system user exists..."
-
-# Create a dedicated user (if not existing)
-ynh_system_user_create --username=$app
-
 #=================================================
 # PHP-FPM CONFIGURATION
 #=================================================
@@ -150,22 +141,11 @@ ynh_add_fail2ban_config --logpath="$final_path/var/logs/prod.log" --failregex='a
 # CONFIGURE WALLABAG
 #=================================================
 
-wb_conf=$final_path/app/config/parameters.yml
-
 if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 ynh_script_progression --message="Reconfiguring wallabag..." --weight=11
 
- # Copy and set Wallabag dist configuration
- cp $final_path/app/config/parameters.yml.dist $wb_conf
-
- ynh_replace_string --match_string="fosuser_registration: true" --replace_string="fosuser_registration: false" --target_file=$wb_conf
- ynh_replace_string --match_string="database_name: wallabag" --replace_string="database_name: $db_name" --target_file=$wb_conf
- ynh_replace_string --match_string="database_user: root" --replace_string="database_user: $db_user" --target_file=$wb_conf
- ynh_replace_string --match_string="database_password: ~" --replace_string="database_password: $db_pwd" --target_file=$wb_conf
- ynh_replace_string --match_string="database_table_prefix: wallabag_" --replace_string="database_table_prefix: null" --target_file=$wb_conf
- ynh_replace_string --match_string="secret: ovmpmAWXRCabNlMgzlzFXDYmCFfzGv" --replace_string="secret: $deskey" --target_file=$wb_conf
- ynh_replace_string --match_string="domain_name: https://your-wallabag-url-instance.com" --replace_string="domain_name: https://$domain$path_url" --target_file=$wb_conf
+ ynh_add_config --template="../conf/parameters.yml.dist" --destination="$final_path/app/config/parameters.yml"
 
 #=================================================
 # UPGRADE WALLABAG
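Review bot: With `ynh_add_config` the template is authoritative on every `UPGRADE_APP`, so any admin customization of `parameters.yml` (mailer credentials, `rabbitmq_*`, `redis_*`) is overwritten by the stock file; the removed `cp` of `parameters.yml.dist` did the same, so this is not a regression, but it deserves a one-line comment, e.g. `# parameters.yml is regenerated from the template on each upgrade; local edits are not preserved`. I believe `ynh_add_config` saves a copy when the file's checksum differs from the stored one, which softens this, but the stored checksum only exists from this version on, so the first upgrade to it cannot detect earlier edits — confirm against the helper. The substitution also depends on `$deskey`, `$db_pwd`, `$domain` and `$path_url` all being loaded in LOAD SETTINGS (outside the hunk); an unset one would silently produce an empty value rather than an error. The `if` block continues past the end of the hunk.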
@@ -197,7 +177,15 @@ fi
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-set_permissions
+# Set permissions to app files
+chown -R $app:www-data $final_path
+chmod -R g=u,g-w,o-rwx $final_path
+
+# Restrict rights to Wallabag user only
+chmod 600 $final_path/app/config/parameters.yml
+if [ -e $final_path/var/cache/prod/appProdProjectContainer.php ]; then
+ chmod 700 $final_path/var/cache/prod/appProdProjectContainer.php
+fi
 
 #=================================================
 # SETUP HOOKS
@@ -206,13 +194,6 @@ set_permissions
 ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_user_create"
 ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_user_delete"
 
-#=================================================
-# SETUP SSOWAT
-#=================================================
-ynh_script_progression --message="Upgrading SSOwat configuration..."
-
-ynh_app_setting_set "$app" unprotected_uris "/"
-
 #=================================================
 # RELOAD NGINX
 #=================================================