YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'dev' into fix-1463-make-upnp-great-again

Browse source
This commit is contained in:
dbuscher 2021-10-10 14:38:27 +01:00 committed by GitHub
commit 1cff58b3e9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
210 changed files with 18048 additions and 8846 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.coveragerc Normal file
View file

@ -0,0 +1,2 @@
[report]
omit=src/yunohost/tests/*,src/yunohost/vendor/*,/usr/lib/moulinette/yunohost/*

20
.gitlab-ci.yml
View file

@ -1,9 +1,11 @@
---
stages:
- build
- install
- tests
- lint
- doc
- translation
default:
tags:
@ -11,12 +13,18 @@ default:
# All jobs are interruptible by default
interruptible: true
# see: https://docs.gitlab.com/ee/ci/yaml/#switch-between-branch-pipelines-and-merge-request-pipelines
workflow:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # If we move to gitlab one day
- if: $CI_PIPELINE_SOURCE == "external_pull_request_event" # For github PR
- if: $CI_COMMIT_TAG # For tags
- if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push" # If it's not the default branch and if it's a push, then do not trigger a build
when: never
- when: always
variables:
YNH_BUILD_DIR: "ynh-build"
YNH_BUILD_DIR: "ynh-build"
include:
- local: .gitlab/ci/build.gitlab-ci.yml
- local: .gitlab/ci/install.gitlab-ci.yml
- local: .gitlab/ci/test.gitlab-ci.yml
- local: .gitlab/ci/lint.gitlab-ci.yml
- local: .gitlab/ci/doc.gitlab-ci.yml
- local: .gitlab/ci/*.gitlab-ci.yml

4
.gitlab/ci/doc.gitlab-ci.yml
View file

@ -12,9 +12,9 @@ generate-helpers-doc:
- git config --global user.name "$GITHUB_USER"
script:
- cd doc
- python generate_helper_doc.py
- python3 generate_helper_doc.py
- hub clone https://$GITHUB_TOKEN:x-oauth-basic@github.com/YunoHost/doc.git doc_repo
- cp helpers.md doc_repo/pages/02.contribute/04.packaging_apps/11.helpers/packaging_apps_helpers.md
- cp helpers.md doc_repo/pages/04.contribute/04.packaging_apps/11.helpers/packaging_apps_helpers.md
- cd doc_repo
# replace ${CI_COMMIT_REF_NAME} with ${CI_COMMIT_TAG} ?
- hub checkout -b "${CI_COMMIT_REF_NAME}"

20
.gitlab/ci/lint.gitlab-ci.yml
View file

@ -3,6 +3,7 @@
########################################
# later we must fix lint and format-check jobs and remove "allow_failure"
---
lint37:
stage: lint
image: "before-install"
@ -18,6 +19,13 @@ invalidcode37:
script:
- tox -e py37-invalidcode
mypy:
stage: lint
image: "before-install"
needs: []
script:
- tox -e py37-mypy
format-check:
stage: lint
image: "before-install"
@ -37,11 +45,13 @@ format-run:
- hub clone --branch ${CI_COMMIT_REF_NAME} "https://$GITHUB_TOKEN:x-oauth-basic@github.com/YunoHost/yunohost.git" github_repo
- cd github_repo
script:
# checkout or create and checkout the branch
- hub checkout "ci-format-${CI_COMMIT_REF_NAME}" || hub checkout -b "ci-format-${CI_COMMIT_REF_NAME}"
# create a local branch that will overwrite distant one
- git checkout -b "ci-format-${CI_COMMIT_REF_NAME}" --no-track
- tox -e py37-black-run
- hub commit -am "[CI] Format code" || true
- '[ $(git diff | wc -l) != 0 ] || exit 0' # stop if there is nothing to commit
- git commit -am "[CI] Format code" || true
- git push -f origin "ci-format-${CI_COMMIT_REF_NAME}":"ci-format-${CI_COMMIT_REF_NAME}"
- hub pull-request -m "[CI] Format code" -b Yunohost:dev -p || true # GITHUB_USER and GITHUB_TOKEN registered here https://gitlab.com/yunohost/yunohost/-/settings/ci_cd
only:
refs:
- dev
refs:
- dev

138
.gitlab/ci/test.gitlab-ci.yml
View file

@ -36,7 +36,9 @@ full-tests:
- *install_debs
- yunohost tools postinstall -d domain.tld -p the_password --ignore-dyndns --force-diskspace
script:
- python3 -m pytest --cov=yunohost tests/ src/yunohost/tests/ --junitxml=report.xml
- python3 -m pytest --cov=yunohost tests/ src/yunohost/tests/ data/hooks/diagnosis/ --junitxml=report.xml
- cd tests
- bash test_helpers.sh
needs:
- job: build-yunohost
artifacts: true
@ -48,79 +50,159 @@ full-tests:
reports:
junit: report.xml
root-tests:
test-i18n-keys:
extends: .test-stage
script:
- python3 -m pytest tests
- python3 -m pytest tests/test_i18n_keys.py
only:
changes:
- locales/en.json
- src/yunohost/*.py
- data/hooks/diagnosis/*.py
test-translation-format-consistency:
extends: .test-stage
script:
- python3 -m pytest tests/test_translation_format_consistency.py
only:
changes:
- locales/*
test-actionmap:
extends: .test-stage
script:
- python3 -m pytest tests/test_actionmap.py
only:
changes:
- data/actionsmap/*.yml
test-helpers:
extends: .test-stage
script:
- cd tests
- bash test_helpers.sh
only:
changes:
- data/helpers.d/*
test-domains:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_domains.py
only:
changes:
- src/yunohost/domain.py
test-dns:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_dns.py
only:
changes:
- src/yunohost/dns.py
- src/yunohost/utils/dns.py
test-apps:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_apps.py
- python3 -m pytest src/yunohost/tests/test_apps.py
only:
changes:
- src/yunohost/app.py
test-appscatalog:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_appscatalog.py
- python3 -m pytest src/yunohost/tests/test_app_catalog.py
only:
changes:
- src/yunohost/app_calalog.py
test-appurl:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_appurl.py
- python3 -m pytest src/yunohost/tests/test_appurl.py
only:
changes:
- src/yunohost/app.py
test-apps-arguments-parsing:
test-questions:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_apps_arguments_parsing.py
- python3 -m pytest src/yunohost/tests/test_questions.py
only:
changes:
- src/yunohost/utils/config.py
test-backuprestore:
test-app-config:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_backuprestore.py
- python3 -m pytest src/yunohost/tests/test_app_config.py
only:
changes:
- src/yunohost/app.py
- src/yunohost/utils/config.py
test-changeurl:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_changeurl.py
- python3 -m pytest src/yunohost/tests/test_changeurl.py
only:
changes:
- src/yunohost/app.py
test-backuprestore:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_backuprestore.py
only:
changes:
- src/yunohost/backup.py
test-permission:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_permission.py
- python3 -m pytest src/yunohost/tests/test_permission.py
only:
changes:
- src/yunohost/permission.py
test-settings:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_settings.py
- python3 -m pytest src/yunohost/tests/test_settings.py
only:
changes:
- src/yunohost/settings.py
test-user-group:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_user-group.py
- python3 -m pytest src/yunohost/tests/test_user-group.py
only:
changes:
- src/yunohost/user.py
test-regenconf:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_regenconf.py
- python3 -m pytest src/yunohost/tests/test_regenconf.py
only:
changes:
- src/yunohost/regenconf.py
test-service:
extends: .test-stage
script:
- cd src/yunohost
- python3 -m pytest tests/test_service.py
- python3 -m pytest src/yunohost/tests/test_service.py
only:
changes:
- src/yunohost/service.py
test-ldapauth:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_ldapauth.py
only:
changes:
- src/yunohost/authenticators/*.py

29
.gitlab/ci/translation.gitlab-ci.yml Normal file
View file

@ -0,0 +1,29 @@
########################################
# TRANSLATION
########################################
autofix-translated-strings:
stage: translation
image: "before-install"
needs: []
before_script:
- apt-get update -y && apt-get install git hub -y
- git config --global user.email "yunohost@yunohost.org"
- git config --global user.name "$GITHUB_USER"
- git remote set-url origin https://$GITHUB_TOKEN:x-oauth-basic@github.com/YunoHost/yunohost.git
script:
- cd tests # Maybe move this script location to another folder?
# create a local branch that will overwrite distant one
- git checkout -b "ci-autofix-translated-strings-${CI_COMMIT_REF_NAME}" --no-track
- python3 remove_stale_translated_strings.py
- python3 autofix_locale_format.py
- python3 reformat_locales.py
- '[ $(git diff -w | wc -l) != 0 ] || exit 0' # stop if there is nothing to commit
- git commit -am "[CI] Reformat / remove stale translated strings" || true
- git push -f origin "HEAD":"ci-remove-stale-translated-strings-${CI_COMMIT_REF_NAME}"
- hub pull-request -m "[CI] Reformat / remove stale translated strings" -b Yunohost:dev -p || true # GITHUB_USER and GITHUB_TOKEN registered here https://gitlab.com/yunohost/yunohost/-/settings/ci_cd
only:
variables:
- $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
changes:
- locales/*

8
README.md
View file

@ -6,8 +6,10 @@
<div align="center">
[![Build status](https://travis-ci.org/YunoHost/yunohost.svg?branch=stretch-unstable)](https://travis-ci.org/YunoHost/yunohost)
[![GitHub license](https://img.shields.io/github/license/YunoHost/yunohost)](https://github.com/YunoHost/yunohost/blob/stretch-unstable/LICENSE)
![Version](https://img.shields.io/github/v/tag/yunohost/yunohost?label=version&sort=semver)
[![Build status](https://shields.io/gitlab/pipeline/yunohost/yunohost/dev)](https://gitlab.com/yunohost/yunohost/-/pipelines)
![Test coverage](https://img.shields.io/gitlab/coverage/yunohost/yunohost/dev)
[![GitHub license](https://img.shields.io/github/license/YunoHost/yunohost)](https://github.com/YunoHost/yunohost/blob/dev/LICENSE)
[![Mastodon Follow](https://img.shields.io/mastodon/follow/28084)](https://mastodon.social/@yunohost)
</div>
@ -35,7 +37,7 @@ Webadmin ([Yunohost-Admin](https://github.com/YunoHost/yunohost-admin)) | Single
- You can help translate YunoHost on our [translation platform](https://translate.yunohost.org/engage/yunohost/?utm_source=widget)
<p align="center">
<img src="https://translate.yunohost.org/widgets/yunohost/-/multi-auto.svg" alt="Translation status" />
<img src="https://translate.yunohost.org/widgets/yunohost/-/core/horizontal-auto.svg" alt="Translation status" />
</p>
## License

170
bin/yunomdns Executable file
View file

@ -0,0 +1,170 @@
#!/usr/bin/env python3
"""
Pythonic declaration of mDNS .local domains for YunoHost
"""
import sys
import yaml
from time import sleep
from typing import List, Dict
import ifaddr
from ipaddress import ip_address
from zeroconf import Zeroconf, ServiceInfo, ServiceBrowser
def get_network_local_interfaces() -> Dict[str, Dict[str, List[str]]]:
"""
Returns interfaces with their associated local IPs
"""
interfaces = {
adapter.name: {
"ipv4": [ip.ip for ip in adapter.ips if ip.is_IPv4 and ip_address(ip.ip).is_private],
"ipv6": [ip.ip[0] for ip in adapter.ips if ip.is_IPv6 and ip_address(ip.ip[0]).is_private and not ip_address(ip.ip[0]).is_link_local],
}
for adapter in ifaddr.get_adapters()
if adapter.name != "lo"
}
return interfaces
# Listener class, to detect duplicates on the network
# Stores the list of servers in its list property
class Listener:
def __init__(self):
self.list = []
def remove_service(self, zeroconf, type, name):
info = zeroconf.get_service_info(type, name)
self.list.remove(info.server)
def update_service(self, zeroconf, type, name):
pass
def add_service(self, zeroconf, type, name):
info = zeroconf.get_service_info(type, name)
self.list.append(info.server[:-1])
def main() -> bool:
###
# CONFIG
###
with open("/etc/yunohost/mdns.yml", "r") as f:
config = yaml.safe_load(f) or {}
required_fields = ["domains"]
missing_fields = [field for field in required_fields if field not in config]
interfaces = get_network_local_interfaces()
if missing_fields:
print(f"The fields {missing_fields} are required in mdns.yml")
return False
if "interfaces" not in config:
config["interfaces"] = [interface
for interface, local_ips in interfaces.items()
if local_ips["ipv4"]]
if "ban_interfaces" in config:
config["interfaces"] = [interface
for interface in config["interfaces"]
if interface not in config["ban_interfaces"]]
# Let's discover currently published .local domains accross the network
zc = Zeroconf()
listener = Listener()
browser = ServiceBrowser(zc, "_device-info._tcp.local.", listener)
sleep(2)
browser.cancel()
zc.close()
# Always attempt to publish yunohost.local
if "yunohost.local" not in config["domains"]:
config["domains"].append("yunohost.local")
def find_domain_not_already_published(domain):
# Try domain.local ... but if it's already published by another entity,
# try domain-2.local, domain-3.local, ...
i = 1
domain_i = domain
while domain_i in listener.list:
print(f"Uh oh, {domain_i} already exists on the network...")
i += 1
domain_i = domain.replace(".local", f"-{i}.local")
return domain_i
config['domains'] = [find_domain_not_already_published(domain) for domain in config['domains']]
zcs: Dict[Zeroconf, List[ServiceInfo]] = {}
for interface in config["interfaces"]:
if interface not in interfaces:
print(f"Interface {interface} listed in config file is not present on system.")
continue
# Only broadcast IPv4 because IPv6 is buggy ... because we ain't using python3-ifaddr >= 0.1.7
# Buster only ships 0.1.6
# Bullseye ships 0.1.7
# To be re-enabled once we're on bullseye...
# ips: List[str] = interfaces[interface]["ipv4"] + interfaces[interface]["ipv6"]
ips: List[str] = interfaces[interface]["ipv4"]
# If at least one IP is listed
if not ips:
continue
# Create a Zeroconf object, and store the ServiceInfos
zc = Zeroconf(interfaces=ips) # type: ignore
zcs[zc] = []
for d in config["domains"]:
d_domain = d.replace(".local", "")
if "." in d_domain:
print(f"{d_domain}.local: subdomains are not supported.")
continue
# Create a ServiceInfo object for each .local domain
zcs[zc].append(
ServiceInfo(
type_="_device-info._tcp.local.",
name=f"{interface}: {d_domain}._device-info._tcp.local.",
parsed_addresses=ips,
port=80,
server=f"{d}.",
)
)
print(f"Adding {d} with addresses {ips} on interface {interface}")
# Run registration
print("Registering...")
for zc, infos in zcs.items():
for info in infos:
zc.register_service(info, allow_name_change=True, cooperating_responders=True)
try:
print("Registered. Press Ctrl+C or stop service to stop.")
while True:
sleep(1)
except KeyboardInterrupt:
pass
finally:
print("Unregistering...")
for zc, infos in zcs.items():
zc.unregister_all_services()
zc.close()
return True
if __name__ == "__main__":
sys.exit(0 if main() else 1)

2
bin/yunopaste
View file

@ -34,7 +34,7 @@ Haste server.
For example, to paste the output of the YunoHost diagnosis, you
can simply execute the following:
yunohost tools diagnosis | ${0}
yunohost diagnosis show | ${0}
It will return the URL where you can access the pasted data.

12
bin/yunoprompt
View file

@ -66,19 +66,19 @@ then
echo "$LOGO_AND_FINGERPRINTS"
cat << EOF
===============================================================================
You should now proceed with Yunohost post-installation. This is where you will
be asked for :
- the main domain of your server ;
You should now proceed with YunoHost post-installation. This is where you will
be asked for:
- the main domain of your server;
- the administration password.
You can perform this step :
- from your web browser, by accessing : https://yunohost.local/ or ${local_ip}
You can perform this step:
- from your web browser, by accessing: https://yunohost.local/ or ${local_ip}
- or in this terminal by answering 'yes' to the following question
If this is your first time with YunoHost, it is strongly recommended to take
time to read the administator documentation and in particular the sections
'Finalizing your setup' and 'Getting to know YunoHost'. It is available at
the following URL : https://yunohost.org/admindoc
the following URL: https://yunohost.org/admindoc
===============================================================================
EOF

553
data/actionsmap/yunohost.yml
View file

@ -33,18 +33,10 @@
# Global parameters #
#############################
_global:
configuration:
authenticate:
- api
authenticator:
default:
vendor: ldap
help: admin_password
parameters:
uri: ldap://localhost:389
base_dn: dc=yunohost,dc=org
user_rdn: cn=admin,dc=yunohost,dc=org
argument_auth: false
name: yunohost.admin
authentication:
api: ldap_admin
cli: null
arguments:
-v:
full: --version
@ -67,7 +59,7 @@ user:
api: GET /users
arguments:
--fields:
help: fields to fetch
help: fields to fetch (username, fullname, mail, mail-alias, mail-forward, mailbox-quota, groups, shell, home-path)
nargs: "+"
### user_create()
@ -206,6 +198,28 @@ user:
arguments:
username:
help: Username or email to get information
### user_export()
export:
action_help: Export users into CSV
api: GET /users/export
### user_import()
import:
action_help: Import several users from CSV
api: POST /users/import
arguments:
csvfile:
help: "CSV file with columns username, firstname, lastname, password, mail, mailbox-quota, mail-alias, mail-forward, groups (separated by coma)"
type: open
-u:
full: --update
help: Update all existing users contained in the CSV file (by default existing users are ignored)
action: store_true
-d:
full: --delete
help: Delete all existing users that are not contained in the CSV file (by default existing users are kept)
action: store_true
subcategories:
group:
@ -252,30 +266,6 @@ user:
extra:
pattern: *pattern_groupname
### user_group_update()
update:
action_help: Update group
api: PUT /users/groups/<groupname>
arguments:
groupname:
help: Name of the group to be updated
extra:
pattern: *pattern_groupname
-a:
full: --add
help: User(s) to add in the group
nargs: "*"
metavar: USERNAME
extra:
pattern: *pattern_username
-r:
full: --remove
help: User(s) to remove in the group
nargs: "*"
metavar: USERNAME
extra:
pattern: *pattern_username
### user_group_info()
info:
action_help: Get information about a specific group
@ -286,6 +276,38 @@ user:
extra:
pattern: *pattern_username
### user_group_add()
add:
action_help: Add users to group
api: PUT /users/groups/<groupname>/add/<usernames>
arguments:
groupname:
help: Name of the group to add user(s) to
extra:
pattern: *pattern_groupname
usernames:
help: User(s) to add in the group
nargs: "*"
metavar: USERNAME
extra:
pattern: *pattern_username
### user_group_remove()
remove:
action_help: Remove users from group
api: PUT /users/groups/<groupname>/remove/<usernames>
arguments:
groupname:
help: Name of the group to remove user(s) from
extra:
pattern: *pattern_groupname
usernames:
help: User(s) to remove from the group
nargs: "*"
metavar: USERNAME
extra:
pattern: *pattern_username
permission:
subcategory_help: Manage permissions
actions:
@ -295,6 +317,9 @@ user:
action_help: List permissions and corresponding accesses
api: GET /users/permissions
arguments:
apps:
help: Apps to list permission for (all by default)
nargs: "*"
-s:
full: --short
help: Only list permission names
@ -319,20 +344,6 @@ user:
arguments:
permission:
help: Permission to manage (e.g. mail or nextcloud or wordpress.editors) (use "yunohost user permission list" and "yunohost user permission -f" to see all the current permissions)
-a:
full: --add
help: Group or usernames to grant this permission to
nargs: "*"
metavar: GROUP_OR_USER
extra:
pattern: *pattern_username
-r:
full: --remove
help: Group or usernames revoke this permission from
nargs: "*"
metavar: GROUP_OR_USER
extra:
pattern: *pattern_username
-l:
full: --label
help: Label for this permission. This label will be shown on the SSO and in the admin
@ -343,10 +354,38 @@ user:
- 'True'
- 'False'
## user_permission_add()
add:
action_help: Grant permission to group or user
api: PUT /users/permissions/<permission>/add/<names>
arguments:
permission:
help: Permission to manage (e.g. mail or nextcloud or wordpress.editors) (use "yunohost user permission list" and "yunohost user permission -f" to see all the current permissions)
names:
help: Group or usernames to grant this permission to
nargs: "*"
metavar: GROUP_OR_USER
extra:
pattern: *pattern_username
## user_permission_remove()
remove:
action_help: Revoke permission to group or user
api: PUT /users/permissions/<permission>/remove/<names>
arguments:
permission:
help: Permission to manage (e.g. mail or nextcloud or wordpress.editors) (use "yunohost user permission list" and "yunohost user permission -f" to see all the current permissions)
names:
help: Group or usernames to revoke this permission to
nargs: "*"
metavar: GROUP_OR_USER
extra:
pattern: *pattern_username
## user_permission_reset()
reset:
action_help: Reset allowed groups to the default (all_users) for a given permission
api: DELETE /users/permissions/<app>
api: DELETE /users/permissions/<permission>
arguments:
permission:
help: Permission to manage (e.g. mail or nextcloud or wordpress.editors) (use "yunohost user permission list" and "yunohost user permission -f" to see all the current permissions)
@ -354,25 +393,6 @@ user:
ssh:
subcategory_help: Manage ssh access
actions:
### user_ssh_enable()
allow:
action_help: Allow the user to uses ssh
api: POST /users/ssh/enable
arguments:
username:
help: Username of the user
extra:
pattern: *pattern_username
### user_ssh_disable()
disallow:
action_help: Disallow the user to uses ssh
api: POST /users/ssh/disable
arguments:
username:
help: Username of the user
extra:
pattern: *pattern_username
### user_ssh_keys_list()
list-keys:
@ -397,7 +417,7 @@ user:
help: The key to be added
-c:
full: --comment
help: Optionnal comment about the key
help: Optional comment about the key
### user_ssh_keys_remove()
remove-key:
@ -411,7 +431,6 @@ user:
key:
help: The key to be removed
#############################
# Domain #
#############################
@ -460,21 +479,17 @@ domain:
help: Do not ask confirmation to remove apps
action: store_true
### domain_dns_conf()
dns-conf:
deprecated: true
action_help: Generate sample DNS configuration for a domain
api: GET /domains/<domain>/dns
arguments:
domain:
help: Target domain
-t:
full: --ttl
help: Time To Live (TTL) in second before DNS servers update. Default is 3600 seconds (i.e. 1 hour).
extra:
pattern:
- !!str ^[0-9]+$
- "pattern_positive_number"
pattern: *pattern_domain
### domain_maindomain()
main-domain:
action_help: Check the current main domain, or change it
@ -482,7 +497,7 @@ domain:
- maindomain
api:
- GET /domains/main
- PUT /domains/main
- PUT /domains/<new_main_domain>/main
arguments:
-n:
full: --new-main-domain
@ -492,8 +507,8 @@ domain:
### certificate_status()
cert-status:
deprecated: true
action_help: List status of current certificates (all by default).
api: GET /domains/cert-status/<domain_list>
arguments:
domain_list:
help: Domains to check
@ -504,8 +519,8 @@ domain:
### certificate_install()
cert-install:
deprecated: true
action_help: Install Let's Encrypt certificates for given domains (all by default).
api: POST /domains/cert-install/<domain_list>
arguments:
domain_list:
help: Domains for which to install the certificates
@ -525,8 +540,8 @@ domain:
### certificate_renew()
cert-renew:
deprecated: true
action_help: Renew the Let's Encrypt certificates for given domains (all by default).
api: POST /domains/cert-renew/<domain_list>
arguments:
domain_list:
help: Domains for which to renew the certificates
@ -547,7 +562,7 @@ domain:
### domain_url_available()
url-available:
action_help: Check availability of a web path
api: GET /domain/urlavailable
api: GET /domain/<domain>/urlavailable
arguments:
domain:
help: The domain for the web path (e.g. your.domain.tld)
@ -556,18 +571,139 @@ domain:
path:
help: The path to check (e.g. /coffee)
subcategories:
### domain_info()
# info:
# action_help: Get domain informations
# api: GET /domains/<domain>
# arguments:
# domain:
# help: ""
# extra:
# pattern:
# - '^([a-zA-Z0-9]{1}([a-zA-Z0-9\-]*[a-zA-Z0-9])*)(\.[a-zA-Z0-9]{1}([a-zA-Z0-9\-]*[a-zA-Z0-9])*)*(\.[a-zA-Z]{1}([a-zA-Z0-9\-]*[a-zA-Z0-9])*)$'
# - "Must be a valid domain name (e.g. my-domain.org)"
config:
subcategory_help: Domain settings
actions:
### domain_config_get()
get:
action_help: Display a domain configuration
api: GET /domains/<domain>/config
arguments:
domain:
help: Domain name
key:
help: A specific panel, section or a question identifier
nargs: '?'
-f:
full: --full
help: Display all details (meant to be used by the API)
action: store_true
-e:
full: --export
help: Only export key/values, meant to be reimported using "config set --args-file"
action: store_true
### domain_config_set()
set:
action_help: Apply a new configuration
api: PUT /domains/<domain>/config
arguments:
domain:
help: Domain name
key:
help: The question or form key
nargs: '?'
-v:
full: --value
help: new value
-a:
full: --args
help: Serialized arguments for new configuration (i.e. "mail_in=0&mail_out=0")
dns:
subcategory_help: Manage domains DNS
actions:
### domain_dns_conf()
suggest:
action_help: Generate sample DNS configuration for a domain
api:
- GET /domains/<domain>/dns
- GET /domains/<domain>/dns/suggest
arguments:
domain:
help: Target domain
extra:
pattern: *pattern_domain
### domain_dns_push()
push:
action_help: Push DNS records to registrar
api: POST /domains/<domain>/dns/push
arguments:
domain:
help: Domain name to push DNS conf for
extra:
pattern: *pattern_domain
-d:
full: --dry-run
help: Only display what's to be pushed
action: store_true
--force:
help: Also update/remove records which were not originally set by Yunohost, or which have been manually modified
action: store_true
--purge:
help: Delete all records
action: store_true
cert:
subcategory_help: Manage domain certificates
actions:
### certificate_status()
status:
action_help: List status of current certificates (all by default).
api: GET /domains/<domain_list>/cert
arguments:
domain_list:
help: Domains to check
nargs: "*"
--full:
help: Show more details
action: store_true
### certificate_install()
install:
action_help: Install Let's Encrypt certificates for given domains (all by default).
api: PUT /domains/<domain_list>/cert
arguments:
domain_list:
help: Domains for which to install the certificates
nargs: "*"
--force:
help: Install even if current certificate is not self-signed
action: store_true
--no-checks:
help: Does not perform any check that your domain seems correctly configured (DNS, reachability) before attempting to install. (Not recommended)
action: store_true
--self-signed:
help: Install self-signed certificate instead of Let's Encrypt
action: store_true
--staging:
help: Use the fake/staging Let's Encrypt certification authority. The new certificate won't actually be enabled - it is only intended to test the main steps of the procedure.
action: store_true
### certificate_renew()
renew:
action_help: Renew the Let's Encrypt certificates for given domains (all by default).
api: PUT /domains/<domain_list>/cert/renew
arguments:
domain_list:
help: Domains for which to renew the certificates
nargs: "*"
--force:
help: Ignore the validity threshold (30 days)
action: store_true
--email:
help: Send an email to root with logs if some renewing fails
action: store_true
--no-checks:
help: Does not perform any check that your domain seems correctly configured (DNS, reachability) before attempting to renew. (Not recommended)
action: store_true
--staging:
help: Use the fake/staging Let's Encrypt certification authority. The new certificate won't actually be enabled - it is only intended to test the main steps of the procedure.
action: store_true
#############################
@ -579,7 +715,7 @@ app:
catalog:
action_help: Show the catalog of installable application
api: GET /appscatalog
api: GET /apps/catalog
arguments:
-f:
full: --full
@ -589,7 +725,7 @@ app:
full: --with-categories
help: Also return a list of app categories
action: store_true
### app_search()
search:
action_help: Search installable apps
@ -597,6 +733,14 @@ app:
string:
help: Return matching app name or description with "string"
### app_manifest()
manifest:
action_help: Return the manifest of a given app from the catalog, or from a remote git repo
api: GET /apps/manifest
arguments:
app:
help: Name, local path or git URL of the app to fetch the manifest of
fetchlist:
deprecated: true
@ -631,7 +775,7 @@ app:
### app_map()
map:
action_help: Show the mapping between urls and apps
api: GET /appsmap
api: GET /apps/map
arguments:
-a:
full: --app
@ -668,18 +812,22 @@ app:
help: Do not ask confirmation if the app is not safe to use (low quality, experimental or 3rd party)
action: store_true
### app_remove() TODO: Write help
### app_remove()
remove:
action_help: Remove app
api: DELETE /apps/<app>
arguments:
app:
help: App(s) to delete
help: App to remove
-p:
full: --purge
help: Also remove all application data
action: store_true
### app_upgrade()
upgrade:
action_help: Upgrade app
api: PUT /upgrade/apps
api: PUT /apps/<app>/upgrade
arguments:
app:
help: App(s) to upgrade (default all)
@ -694,6 +842,10 @@ app:
full: --force
help: Force the update, even though the app is up to date
action: store_true
-b:
full: --no-safety-backup
help: Disable the safety backup during upgrade
action: store_true
### app_change_url()
change-url:
@ -737,7 +889,6 @@ app:
### app_register_url()
register-url:
action_help: Book/register a web path for a given app
api: PUT /tools/registerurl
arguments:
app:
help: App which will use the web path
@ -761,7 +912,6 @@ app:
### app_ssowatconf()
ssowatconf:
action_help: Regenerate SSOwat configuration file
api: PUT /ssowatconf
### app_change_label()
change-label:
@ -776,7 +926,6 @@ app:
### app_addaccess() TODO: Write help
addaccess:
action_help: Grant access right to users (everyone by default)
api: PUT /access
deprecated: true
arguments:
apps:
@ -788,7 +937,6 @@ app:
### app_removeaccess() TODO: Write help
removeaccess:
action_help: Revoke access right to users (everyone by default)
api: DELETE /access
deprecated: true
arguments:
apps:
@ -800,7 +948,6 @@ app:
### app_clearaccess()
clearaccess:
action_help: Reset access rights for the app
api: POST /access
deprecated: true
arguments:
apps:
@ -837,24 +984,45 @@ app:
subcategory_help: Applications configuration panel
actions:
### app_config_show_panel()
show-panel:
action_help: show config panel for the application
### app_config_get()
get:
action_help: Display an app configuration
api: GET /apps/<app>/config-panel
arguments:
app:
help: App name
app:
help: App name
key:
help: A specific panel, section or a question identifier
nargs: '?'
-f:
full: --full
help: Display all details (meant to be used by the API)
action: store_true
-e:
full: --export
help: Only export key/values, meant to be reimported using "config set --args-file"
action: store_true
### app_config_apply()
apply:
action_help: apply the new configuration
api: POST /apps/<app>/config
### app_config_set()
set:
action_help: Apply a new configuration
api: PUT /apps/<app>/config
arguments:
app:
help: App name
-a:
full: --args
help: Serialized arguments for new configuration (i.e. "domain=domain.tld&path=/path")
app:
help: App name
key:
help: The question or panel key
nargs: '?'
-v:
full: --value
help: new value
-a:
full: --args
help: Serialized arguments for new configuration (i.e. "domain=domain.tld&path=/path")
-f:
full: --args-file
help: YAML or JSON file with key/value couples
type: open
#############################
# Backup #
@ -866,7 +1034,7 @@ backup:
### backup_create()
create:
action_help: Create a backup local archive. If neither --apps or --system are given, this will backup all apps and all system parts. If only --apps if given, this will only backup apps and no system parts. Similarly, if only --system is given, this will only backup system parts and no apps.
api: POST /backup
api: POST /backups
arguments:
-n:
full: --name
@ -890,11 +1058,14 @@ backup:
--apps:
help: List of application names to backup (or all if none given)
nargs: "*"
--dry-run:
help: "'Simulate' the backup and return the size details per item to backup"
action: store_true
### backup_restore()
restore:
action_help: Restore from a local backup archive. If neither --apps or --system are given, this will restore all apps and all system parts in the archive. If only --apps if given, this will only restore apps and no system parts. Similarly, if only --system is given, this will only restore system parts and no apps.
api: POST /backup/restore/<name>
api: PUT /backups/<name>/restore
arguments:
name:
help: Name of the local backup archive
@ -911,7 +1082,7 @@ backup:
### backup_list()
list:
action_help: List available local backup archives
api: GET /backup/archives
api: GET /backups
arguments:
-i:
full: --with-info
@ -925,7 +1096,7 @@ backup:
### backup_info()
info:
action_help: Show info about a local backup archive
api: GET /backup/archives/<name>
api: GET /backups/<name>
arguments:
name:
help: Name of the local backup archive
@ -941,7 +1112,7 @@ backup:
### backup_download()
download:
action_help: (API only) Request to download the file
api: GET /backup/download/<name>
api: GET /backups/<name>/download
arguments:
name:
help: Name of the local backup archive
@ -949,7 +1120,7 @@ backup:
### backup_delete()
delete:
action_help: Delete a backup archive
api: DELETE /backup/archives/<name>
api: DELETE /backups/<name>
arguments:
name:
help: Name of the archive to delete
@ -1016,7 +1187,6 @@ service:
### service_add()
add:
action_help: Add a service
# api: POST /services
arguments:
name:
help: Service name to add
@ -1054,7 +1224,6 @@ service:
### service_remove()
remove:
action_help: Remove a service
# api: DELETE /services
arguments:
name:
help: Service name to remove
@ -1062,7 +1231,7 @@ service:
### service_start()
start:
action_help: Start one or more services
api: PUT /services/<names>
api: PUT /services/<names>/start
arguments:
names:
help: Service name to start
@ -1072,7 +1241,7 @@ service:
### service_stop()
stop:
action_help: Stop one or more services
api: DELETE /services/<names>
api: PUT /services/<names>/stop
arguments:
names:
help: Service name to stop
@ -1120,7 +1289,7 @@ service:
### service_disable()
disable:
action_help: Disable one or more services
api: DELETE /services/<names>/enable
api: PUT /services/<names>/disable
arguments:
names:
help: Service name to disable
@ -1155,7 +1324,6 @@ service:
### service_regen_conf()
regen-conf:
action_help: Regenerate the configuration file(s) for a service
api: PUT /services/regenconf
deprecated_alias:
- regenconf
arguments:
@ -1207,19 +1375,10 @@ firewall:
help: List forwarded ports with UPnP
action: store_true
### firewall_reload()
reload:
action_help: Reload all firewall rules
api: PUT /firewall
arguments:
--skip-upnp:
help: Do not refresh port forwarding using UPnP
action: store_true
### firewall_allow()
allow:
action_help: Allow connections on a port
api: POST /firewall/port
api: PUT /firewall/<protocol>/allow/<port>
arguments:
protocol:
help: "Protocol type to allow (TCP/UDP/Both)"
@ -1249,11 +1408,10 @@ firewall:
help: Do not reload firewall rules
action: store_true
### firewall_disallow()
disallow:
action_help: Disallow connections on a port
api: DELETE /firewall/port
api: PUT /firewall/<protocol>/disallow/<port>
arguments:
protocol:
help: "Protocol type to allow (TCP/UDP/Both)"
@ -1281,11 +1439,10 @@ firewall:
help: Do not reload firewall rules
action: store_true
### firewall_upnp()
upnp:
action_help: Manage port forwarding using UPnP
api: GET /firewall/upnp
api: PUT /firewall/upnp/<action>
arguments:
action:
choices:
@ -1298,10 +1455,19 @@ firewall:
help: Do not refresh port forwarding
action: store_true
### firewall_reload()
reload:
action_help: Reload all firewall rules
arguments:
--skip-upnp:
help: Do not refresh port forwarding using UPnP
action: store_true
### firewall_stop()
stop:
action_help: Stop iptables and ip6tables
api: DELETE /firewall
@ -1315,7 +1481,6 @@ dyndns:
### dyndns_subscribe()
subscribe:
action_help: Subscribe to a DynDNS service
api: POST /dyndns
arguments:
--subscribe-host:
help: Dynette HTTP API to subscribe to
@ -1332,7 +1497,6 @@ dyndns:
### dyndns_update()
update:
action_help: Update IP on DynDNS platform
api: PUT /dyndns
arguments:
--dyn-host:
help: Dynette DNS server to inform
@ -1403,9 +1567,9 @@ tools:
postinstall:
action_help: YunoHost post-install
api: POST /postinstall
configuration:
authentication:
# We need to be able to run the postinstall without being authenticated, otherwise we can't run the postinstall
authenticate: false
api: null
arguments:
-d:
full: --domain
@ -1429,32 +1593,47 @@ tools:
help: Use this if you really want to set a weak password
action: store_true
--force-diskspace:
help: Use this if you really want to install Yunohost on a setup with less than 10 GB on the root filesystem
help: Use this if you really want to install YunoHost on a setup with less than 10 GB on the root filesystem
action: store_true
### tools_update()
update:
action_help: YunoHost update
api: PUT /update
api: PUT /update/<target>
arguments:
target:
help: What to update, "apps" (application catalog) or "system" (fetch available package upgrades, equivalent to apt update), "all" for both
choices:
- apps
- system
- all
nargs: "?"
metavar: TARGET
default: all
--apps:
help: Fetch the application list to check which apps can be upgraded
help: (Deprecated, see first positional arg) Fetch the application list to check which apps can be upgraded
action: store_true
--system:
help: Fetch available system packages upgrades (equivalent to apt update)
help: (Deprecated, see first positional arg) Fetch available system packages upgrades (equivalent to apt update)
action: store_true
### tools_upgrade()
upgrade:
action_help: YunoHost upgrade
api: PUT /upgrade
api: PUT /upgrade/<target>
arguments:
target:
help: What to upgrade, either "apps" (all apps) or "system" (all system packages)
choices:
- apps
- system
nargs: "?"
--apps:
help: List of apps to upgrade (all by default)
nargs: "*"
help: (Deprecated, see first positional arg) Upgrade all applications
action: store_true
--system:
help: Upgrade only the system packages
help: (Deprecated, see first positional arg) Upgrade only the system packages
action: store_true
### tools_shell()
@ -1488,7 +1667,9 @@ tools:
### tools_regen_conf()
regen-conf:
action_help: Regenerate the configuration file(s)
api: PUT /tools/regenconf
api:
- PUT /regenconf
- PUT /regenconf/<names>
arguments:
names:
help: Categories to regenerate configuration of (all by default)
@ -1537,7 +1718,9 @@ tools:
### tools_migrations_run()
run:
action_help: Run migrations
api: POST /migrations/run
api:
- PUT /migrations
- PUT /migrations/<targets>
deprecated_alias:
- migrate
arguments:
@ -1560,7 +1743,6 @@ tools:
### tools_migrations_state()
state:
action_help: Show current migrations state
api: GET /migrations/state
#############################
@ -1589,7 +1771,6 @@ hook:
### hook_info()
info:
action_help: Get information about a given hook
api: GET /hooks/<action>/<name>
arguments:
action:
help: Action name
@ -1619,7 +1800,6 @@ hook:
### hook_callback()
callback:
action_help: Execute all scripts binded to an action
api: POST /hooks/<action>
arguments:
action:
help: Action name
@ -1715,7 +1895,7 @@ log:
### log_share()
share:
action_help: Share the full log on yunopaste (alias to show --share)
api: GET /logs/share
api: GET /logs/<path>/share
arguments:
path:
help: Log file to share
@ -1730,11 +1910,11 @@ diagnosis:
list:
action_help: List diagnosis categories
api: GET /diagnosis/list
api: GET /diagnosis/categories
show:
action_help: Show most recents diagnosis results
api: GET /diagnosis/show
api: GET /diagnosis
arguments:
categories:
help: Diagnosis categories to display (all by default)
@ -1752,9 +1932,20 @@ diagnosis:
help: Show a human-readable output
action: store_true
get:
action_help: Low-level command to fetch raw data and status about a specific diagnosis test
api: GET /diagnosis/<category>
arguments:
category:
help: Diagnosis category to fetch results from
item:
help: "List of criteria describing the test. Must correspond exactly to the 'meta' infos in 'yunohost diagnosis show'"
metavar: CRITERIA
nargs: "*"
run:
action_help: Run diagnosis
api: POST /diagnosis/run
api: PUT /diagnosis/run
arguments:
categories:
help: Diagnosis categories to run (all by default)
@ -1771,27 +1962,21 @@ diagnosis:
ignore:
action_help: Configure some diagnosis results to be ignored and therefore not considered as actual issues
api: POST /diagnosis/ignore
api: PUT /diagnosis/ignore
arguments:
--add-filter:
--filter:
help: "Add a filter. The first element should be a diagnosis category, and other criterias can be provided using the infos from the 'meta' sections in 'yunohost diagnosis show'. For example: 'dnsrecords domain=yolo.test category=xmpp'"
nargs: "*"
metavar: CRITERIA
--remove-filter:
help: Remove a filter (it should be an existing filter as listed with --list)
nargs: "*"
metavar: CRITERIA
--list:
help: List active ignore filters
action: store_true
get:
action_help: Low-level command to fetch raw data and status about a specific diagnosis test
api: GET /diagnosis/item/<category>
unignore:
action_help: Configure some diagnosis results to be unignored and therefore considered as actual issues
api: PUT /diagnosis/unignore
arguments:
category:
help: Diagnosis category to fetch results from
item:
help: "List of criteria describing the test. Must correspond exactly to the 'meta' infos in 'yunohost diagnosis show'"
metavar: CRITERIA
--filter:
help: Remove a filter (it should be an existing filter as listed with --list)
nargs: "*"
metavar: CRITERIA

3
data/actionsmap/yunohost_completion.py
View file

@ -13,6 +13,7 @@ import yaml
THIS_SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
ACTIONSMAP_FILE = THIS_SCRIPT_DIR + "/yunohost.yml"
os.system(f"mkdir {THIS_SCRIPT_DIR}/../bash-completion.d")
BASH_COMPLETION_FILE = THIS_SCRIPT_DIR + "/../bash-completion.d/yunohost"
@ -32,7 +33,7 @@ def get_dict_actions(OPTION_SUBTREE, category):
with open(ACTIONSMAP_FILE, "r") as stream:
# Getting the dictionary containning what actions are possible per category
OPTION_TREE = yaml.load(stream)
OPTION_TREE = yaml.safe_load(stream)
CATEGORY = [
category for category in OPTION_TREE.keys() if not category.startswith("_")

3
data/bash-completion.d/yunohost
View file

@ -1,3 +0,0 @@
# This file is automatically generated
# during Debian's package build by the script
# data/actionsmap/yunohost_completion.py

113
data/helpers.d/apt
View file

@ -210,6 +210,8 @@ ynh_package_install_from_equivs () {
ynh_package_is_installed "$pkgname"
}
YNH_INSTALL_APP_DEPENDENCIES_REPLACE="true"
# Define and install dependencies with a equivs control file
#
# This helper can/should only be called once per app
@ -248,13 +250,51 @@ ynh_install_app_dependencies () {
dependencies="$(echo "$dependencies" | sed 's/\([^(\<=\>]\)\([\<=\>]\+\)\([^,]\+\)/\1 (\2 \3)/g')"
fi
# Check for specific php dependencies which requires sury
# This grep will for example return "7.4" if dependencies is "foo bar php7.4-pwet php-gni"
# The (?<=php) syntax corresponds to lookbehind ;)
local specific_php_version=$(echo $dependencies | grep -oP '(?<=php)[0-9.]+(?=-|\>)' | sort -u)
# Ignore case where the php version found is the one available in debian vanilla
[[ "$specific_php_version" != "$YNH_DEFAULT_PHP_VERSION" ]] || specific_php_version=""
if [[ -n "$specific_php_version" ]]
then
# Cover a small edge case where a packager could have specified "php7.4-pwet php5-gni" which is confusing
[[ $(echo $specific_php_version | wc -l) -eq 1 ]] \
|| ynh_die --message="Inconsistent php versions in dependencies ... found : $specific_php_version"
dependencies+=", php${specific_php_version}, php${specific_php_version}-fpm, php${specific_php_version}-common"
ynh_add_sury
fi
# The first time we run ynh_install_app_dependencies, we will replace the
# entire control file (This is in particular meant to cover the case of
# upgrade script where ynh_install_app_dependencies is called with this
# expected effect) Otherwise, any subsequent call will add dependencies
# to those already present in the equivs control file.
if [[ $YNH_INSTALL_APP_DEPENDENCIES_REPLACE == "true" ]]
then
YNH_INSTALL_APP_DEPENDENCIES_REPLACE="false"
else
local current_dependencies=""
if ynh_package_is_installed --package="${dep_app}-ynh-deps"
then
current_dependencies="$(dpkg-query --show --showformat='${Depends}' ${dep_app}-ynh-deps) "
current_dependencies=${current_dependencies// | /|}
fi
dependencies="$current_dependencies, $dependencies"
fi
#
# Epic ugly hack to fix the goddamn dependency nightmare of sury
# Sponsored by the "Djeezusse Fokin Kraiste Why Do Adminsys Has To Be So Fucking Complicated I Should Go Grow Potatoes Instead Of This Shit" collective
# https://github.com/YunoHost/issues/issues/1407
#
# If we require to install php dependency
if echo $dependencies | grep --quiet 'php'
if grep --quiet 'php' <<< "$dependencies"
then
# And we have packages from sury installed (7.0.33-10+weirdshiftafter instead of 7.0.33-0 on debian)
if dpkg --list | grep "php7.0" | grep --quiet --invert-match "7.0.33-0+deb9"
@ -263,7 +303,7 @@ ynh_install_app_dependencies () {
if ! grep --recursive --quiet "^ *deb.*sury" /etc/apt/sources.list*
then
# Re-add sury
ynh_install_extra_repo --repo="https://packages.sury.org/php/ $(ynh_get_debian_release) main" --key="https://packages.sury.org/php/apt.gpg" --name=extra_php_version --priority=600
ynh_add_sury
fi
fi
fi
@ -281,14 +321,43 @@ EOF
ynh_package_install_from_equivs /tmp/${dep_app}-ynh-deps.control \
|| ynh_die --message="Unable to install dependencies" # Install the fake package and its dependencies
rm /tmp/${dep_app}-ynh-deps.control
ynh_app_setting_set --app=$app --key=apt_dependencies --value="$dependencies"
if [[ -n "$specific_php_version" ]]
then
# Set the default php version back as the default version for php-cli.
update-alternatives --set php /usr/bin/php$YNH_DEFAULT_PHP_VERSION
# Store phpversion into the config of this app
ynh_app_setting_set --app=$app --key=phpversion --value=$specific_php_version
# Integrate new php-fpm service in yunohost
yunohost service add php${specific_php_version}-fpm --log "/var/log/php${phpversion}-fpm.log"
elif grep --quiet 'php' <<< "$dependencies"; then
# Store phpversion into the config of this app
ynh_app_setting_set --app=$app --key=phpversion --value=$YNH_DEFAULT_PHP_VERSION
fi
}
# Add sury repository with adequate pin strategy
#
# [internal]
#
# usage: ynh_add_sury
#
ynh_add_sury() {
# Add an extra repository for those packages
ynh_install_extra_repo --repo="https://packages.sury.org/php/ $(ynh_get_debian_release) main" --key="https://packages.sury.org/php/apt.gpg" --name=extra_php_version --priority=600
}
# Add dependencies to install with ynh_install_app_dependencies
#
# usage: ynh_add_app_dependencies --package=phpversion [--replace]
# | arg: -p, --package= - Packages to add as dependencies for the app.
# | arg: -r, --replace - Replace dependencies instead of adding to existing ones.
#
# Requires YunoHost version 3.8.1 or higher.
ynh_add_app_dependencies () {
@ -296,24 +365,11 @@ ynh_add_app_dependencies () {
local legacy_args=pr
local -A args_array=( [p]=package= [r]=replace)
local package
local replace
# Manage arguments with getopts
ynh_handle_getopts_args "$@"
replace=${replace:-0}
local current_dependencies=""
if [ $replace -eq 0 ]
then
local dep_app=${app//_/-} # Replace all '_' by '-'
if ynh_package_is_installed --package="${dep_app}-ynh-deps"
then
current_dependencies="$(dpkg-query --show --showformat='${Depends}' ${dep_app}-ynh-deps) "
fi
current_dependencies=${current_dependencies// | /|}
fi
ynh_install_app_dependencies "${current_dependencies}${package}"
ynh_print_warn --message="Packagers: ynh_add_app_dependencies is deprecated and is now only an alias to ynh_install_app_dependencies"
ynh_install_app_dependencies "${package}"
}
# Remove fake package and its dependencies
@ -325,7 +381,26 @@ ynh_add_app_dependencies () {
# Requires YunoHost version 2.6.4 or higher.
ynh_remove_app_dependencies () {
local dep_app=${app//_/-} # Replace all '_' by '-'
local current_dependencies=""
if ynh_package_is_installed --package="${dep_app}-ynh-deps"
then
current_dependencies="$(dpkg-query --show --showformat='${Depends}' ${dep_app}-ynh-deps) "
current_dependencies=${current_dependencies// | /|}
fi
ynh_package_autopurge ${dep_app}-ynh-deps # Remove the fake package and its dependencies if they not still used.
# Check if this app used a specific php version ... in which case we check
# if the corresponding php-fpm is still there. Otherwise, we remove the
# service from yunohost as well
local specific_php_version=$(echo $current_dependencies | tr '-' ' ' | grep -o -E "\<php[0-9.]+\>" | sed 's/php//g' | sort | uniq)
[[ "$specific_php_version" != "$YNH_DEFAULT_PHP_VERSION" ]] || specific_php_version=""
if [[ -n "$specific_php_version" ]] && ! ynh_package_is_installed --package="php${specific_php_version}-fpm";
then
yunohost service remove php${specific_php_version}-fpm
fi
}
# Install packages from an extra repository properly.
@ -359,7 +434,7 @@ ynh_install_extra_app_dependencies () {
ynh_install_extra_repo --repo="$repo" $key --priority=995 --name=$name
# Install requested dependencies from this extra repository.
ynh_add_app_dependencies --package="$package"
ynh_install_app_dependencies "$package"
# Remove this extra repository after packages are installed
ynh_remove_extra_repo --name=$app

19
data/helpers.d/backup
View file

@ -207,14 +207,14 @@ ynh_restore () {
# usage: _get_archive_path ORIGIN_PATH
_get_archive_path () {
# For security reasons we use csv python library to read the CSV
python -c "
python3 -c "
import sys
import csv
with open(sys.argv[1], 'r') as backup_file:
backup_csv = csv.DictReader(backup_file, fieldnames=['source', 'dest'])
for row in backup_csv:
if row['source']==sys.argv[2].strip('\"'):
print row['dest']
print(row['dest'])
sys.exit(0)
raise Exception('Original path for %s not found' % sys.argv[2])
" "${YNH_BACKUP_CSV}" "$1"
@ -326,12 +326,25 @@ ynh_bind_or_cp() {
ynh_store_file_checksum () {
# Declare an array to define the options of this helper.
local legacy_args=f
local -A args_array=( [f]=file= )
local -A args_array=( [f]=file= [u]=update_only )
local file
local update_only
update_only="${update_only:-0}"
# Manage arguments with getopts
ynh_handle_getopts_args "$@"
local checksum_setting_name=checksum_${file//[\/ ]/_} # Replace all '/' and ' ' by '_'
# If update only, we don't save the new checksum if no old checksum exist
if [ $update_only -eq 1 ] ; then
local checksum_value=$(ynh_app_setting_get --app=$app --key=$checksum_setting_name)
if [ -z "${checksum_value}" ] ; then
unset backup_file_checksum
return 0
fi
fi
ynh_app_setting_set --app=$app --key=$checksum_setting_name --value=$(md5sum "$file" | cut --delimiter=' ' --fields=1)
# If backup_file_checksum isn't empty, ynh_backup_if_checksum_is_different has made a backup

357
data/helpers.d/config Normal file
View file

@ -0,0 +1,357 @@
#!/bin/bash
_ynh_app_config_get_one() {
local short_setting="$1"
local type="$2"
local bind="$3"
local getter="get__${short_setting}"
# Get value from getter if exists
if type -t $getter 2>/dev/null | grep -q '^function$' 2>/dev/null;
then
old[$short_setting]="$($getter)"
formats[${short_setting}]="yaml"
elif [[ "$bind" == *"("* ]] && type -t "get__${bind%%(*}" 2>/dev/null | grep -q '^function$' 2>/dev/null;
then
old[$short_setting]="$("get__${bind%%(*}" $short_setting $type $bind)"
formats[${short_setting}]="yaml"
elif [[ "$bind" == "null" ]]
then
old[$short_setting]="YNH_NULL"
# Get value from app settings or from another file
elif [[ "$type" == "file" ]]
then
if [[ "$bind" == "settings" ]]
then
ynh_die --message="File '${short_setting}' can't be stored in settings"
fi
old[$short_setting]="$(ls "$(echo $bind | sed s@__FINALPATH__@$final_path@ | sed s/__APP__/$app/)" 2> /dev/null || echo YNH_NULL)"
file_hash[$short_setting]="true"
# Get multiline text from settings or from a full file
elif [[ "$type" == "text" ]]
then
if [[ "$bind" == "settings" ]]
then
old[$short_setting]="$(ynh_app_setting_get $app $short_setting)"
elif [[ "$bind" == *":"* ]]
then
ynh_die --message="For technical reasons, multiline text '${short_setting}' can't be stored automatically in a variable file, you have to create custom getter/setter"
else
old[$short_setting]="$(cat $(echo $bind | sed s@__FINALPATH__@$final_path@ | sed s/__APP__/$app/) 2> /dev/null || echo YNH_NULL)"
fi
# Get value from a kind of key/value file
else
local bind_after=""
if [[ "$bind" == "settings" ]]
then
bind=":/etc/yunohost/apps/$app/settings.yml"
fi
local bind_key_="$(echo "$bind" | cut -d: -f1)"
bind_key_=${bind_key_:-$short_setting}
if [[ "$bind_key_" == *">"* ]];
then
bind_after="$(echo "${bind_key_}" | cut -d'>' -f1)"
bind_key_="$(echo "${bind_key_}" | cut -d'>' -f2)"
fi
local bind_file="$(echo "$bind" | cut -d: -f2 | sed s@__FINALPATH__@$final_path@ | sed s/__APP__/$app/)"
old[$short_setting]="$(ynh_read_var_in_file --file="${bind_file}" --key="${bind_key_}" --after="${bind_after}")"
fi
}
_ynh_app_config_apply_one() {
local short_setting="$1"
local setter="set__${short_setting}"
local bind="${binds[$short_setting]}"
local type="${types[$short_setting]}"
if [ "${changed[$short_setting]}" == "true" ]
then
# Apply setter if exists
if type -t $setter 2>/dev/null | grep -q '^function$' 2>/dev/null;
then
$setter
elif [[ "$bind" == *"("* ]] && type -t "set__${bind%%(*}" 2>/dev/null | grep -q '^function$' 2>/dev/null;
then
"set__${bind%%(*}" $short_setting $type $bind
elif [[ "$bind" == "null" ]]
then
continue
# Save in a file
elif [[ "$type" == "file" ]]
then
if [[ "$bind" == "settings" ]]
then
ynh_die --message="File '${short_setting}' can't be stored in settings"
fi
local bind_file="$(echo "$bind" | sed s@__FINALPATH__@$final_path@ | sed s/__APP__/$app/)"
if [[ "${!short_setting}" == "" ]]
then
ynh_backup_if_checksum_is_different --file="$bind_file"
ynh_secure_remove --file="$bind_file"
ynh_delete_file_checksum --file="$bind_file" --update_only
ynh_print_info --message="File '$bind_file' removed"
else
ynh_backup_if_checksum_is_different --file="$bind_file"
if [[ "${!short_setting}" != "$bind_file" ]]
then
cp "${!short_setting}" "$bind_file"
fi
ynh_store_file_checksum --file="$bind_file" --update_only
ynh_print_info --message="File '$bind_file' overwritten with ${!short_setting}"
fi
# Save value in app settings
elif [[ "$bind" == "settings" ]]
then
ynh_app_setting_set --app=$app --key=$short_setting --value="${!short_setting}"
ynh_print_info --message="Configuration key '$short_setting' edited in app settings"
# Save multiline text in a file
elif [[ "$type" == "text" ]]
then
if [[ "$bind" == *":"* ]]
then
ynh_die --message="For technical reasons, multiline text '${short_setting}' can't be stored automatically in a variable file, you have to create custom getter/setter"
fi
local bind_file="$(echo "$bind" | sed s@__FINALPATH__@$final_path@ | sed s/__APP__/$app/)"
ynh_backup_if_checksum_is_different --file="$bind_file"
echo "${!short_setting}" > "$bind_file"
ynh_store_file_checksum --file="$bind_file" --update_only
ynh_print_info --message="File '$bind_file' overwritten with the content provided in question '${short_setting}'"
# Set value into a kind of key/value file
else
local bind_after=""
local bind_key_="$(echo "$bind" | cut -d: -f1)"
bind_key_=${bind_key_:-$short_setting}
if [[ "$bind_key_" == *">"* ]];
then
bind_after="$(echo "${bind_key_}" | cut -d'>' -f1)"
bind_key_="$(echo "${bind_key_}" | cut -d'>' -f2)"
fi
local bind_file="$(echo "$bind" | cut -d: -f2 | sed s@__FINALPATH__@$final_path@ | sed s/__APP__/$app/)"
ynh_backup_if_checksum_is_different --file="$bind_file"
ynh_write_var_in_file --file="${bind_file}" --key="${bind_key_}" --value="${!short_setting}" --after="${bind_after}"
ynh_store_file_checksum --file="$bind_file" --update_only
# We stored the info in settings in order to be able to upgrade the app
ynh_app_setting_set --app=$app --key=$short_setting --value="${!short_setting}"
ynh_print_info --message="Configuration key '$bind_key_' edited into $bind_file"
fi
fi
}
_ynh_app_config_get() {
# From settings
local lines
lines=$(python3 << EOL
import toml
from collections import OrderedDict
with open("../config_panel.toml", "r") as f:
file_content = f.read()
loaded_toml = toml.loads(file_content, _dict=OrderedDict)
for panel_name, panel in loaded_toml.items():
if not isinstance(panel, dict): continue
for section_name, section in panel.items():
if not isinstance(section, dict): continue
for name, param in section.items():
if not isinstance(param, dict):
continue
print(';'.join([
name,
param.get('type', 'string'),
param.get('bind', 'settings' if param.get('type', 'string') != 'file' else 'null')
]))
EOL
)
for line in $lines
do
# Split line into short_setting, type and bind
IFS=';' read short_setting type bind <<< "$line"
binds[${short_setting}]="$bind"
types[${short_setting}]="$type"
file_hash[${short_setting}]=""
formats[${short_setting}]=""
ynh_app_config_get_one $short_setting $type $bind
done
}
_ynh_app_config_apply() {
for short_setting in "${!old[@]}"
do
ynh_app_config_apply_one $short_setting
done
}
_ynh_app_config_show() {
for short_setting in "${!old[@]}"
do
if [[ "${old[$short_setting]}" != YNH_NULL ]]
then
if [[ "${formats[$short_setting]}" == "yaml" ]]
then
ynh_return "${short_setting}:"
ynh_return "$(echo "${old[$short_setting]}" | sed 's/^/ /g')"
else
ynh_return "${short_setting}: "'"'"$(echo "${old[$short_setting]}" | sed 's/"/\\"/g' | sed ':a;N;$!ba;s/\n/\n\n/g')"'"'
fi
fi
done
}
_ynh_app_config_validate() {
# Change detection
ynh_script_progression --message="Checking what changed in the new configuration..." --weight=1
local nothing_changed=true
local changes_validated=true
for short_setting in "${!old[@]}"
do
changed[$short_setting]=false
if [ -z ${!short_setting+x} ]
then
# Assign the var with the old value in order to allows multiple
# args validation
declare "$short_setting"="${old[$short_setting]}"
continue
fi
if [ ! -z "${file_hash[${short_setting}]}" ]
then
file_hash[old__$short_setting]=""
file_hash[new__$short_setting]=""
if [ -f "${old[$short_setting]}" ]
then
file_hash[old__$short_setting]=$(sha256sum "${old[$short_setting]}" | cut -d' ' -f1)
if [ -z "${!short_setting}" ]
then
changed[$short_setting]=true
nothing_changed=false
fi
fi
if [ -f "${!short_setting}" ]
then
file_hash[new__$short_setting]=$(sha256sum "${!short_setting}" | cut -d' ' -f1)
if [[ "${file_hash[old__$short_setting]}" != "${file_hash[new__$short_setting]}" ]]
then
changed[$short_setting]=true
nothing_changed=false
fi
fi
else
if [[ "${!short_setting}" != "${old[$short_setting]}" ]]
then
changed[$short_setting]=true
nothing_changed=false
fi
fi
done
if [[ "$nothing_changed" == "true" ]]
then
ynh_print_info --message="Nothing has changed"
exit 0
fi
# Run validation if something is changed
ynh_script_progression --message="Validating the new configuration..." --weight=1
for short_setting in "${!old[@]}"
do
[[ "${changed[$short_setting]}" == "false" ]] && continue
local result=""
if type -t validate__$short_setting | grep -q '^function$' 2>/dev/null;
then
result="$(validate__$short_setting)"
elif [[ "$bind" == *"("* ]] && type -t "validate__${bind%%(*}" 2>/dev/null | grep -q '^function$' 2>/dev/null;
then
"validate__${bind%%(*}" $short_setting
fi
if [ -n "$result" ]
then
#
# Return a yaml such as:
#
# validation_errors:
# some_key: "An error message"
# some_other_key: "Another error message"
#
# We use changes_validated to know if this is
# the first validation error
if [[ "$changes_validated" == true ]]
then
ynh_return "validation_errors:"
fi
ynh_return " ${short_setting}: \"$result\""
changes_validated=false
fi
done
# If validation failed, exit the script right now (instead of going into apply)
# Yunohost core will pick up the errors returned via ynh_return previously
if [[ "$changes_validated" == "false" ]]
then
exit 0
fi
}
ynh_app_config_get_one() {
_ynh_app_config_get_one $1 $2 $3
}
ynh_app_config_get() {
_ynh_app_config_get
}
ynh_app_config_show() {
_ynh_app_config_show
}
ynh_app_config_validate() {
_ynh_app_config_validate
}
ynh_app_config_apply_one() {
_ynh_app_config_apply_one $1
}
ynh_app_config_apply() {
_ynh_app_config_apply
}
ynh_app_config_run() {
declare -Ag old=()
declare -Ag changed=()
declare -Ag file_hash=()
declare -Ag binds=()
declare -Ag types=()
declare -Ag formats=()
case $1 in
show)
ynh_app_config_get
ynh_app_config_show
;;
apply)
max_progression=4
ynh_script_progression --message="Reading config panel description and current configuration..."
ynh_app_config_get
ynh_app_config_validate
ynh_script_progression --message="Applying the new configuration..."
ynh_app_config_apply
ynh_script_progression --message="Configuration of $app completed" --last
;;
esac
}

4
data/helpers.d/fail2ban
View file

@ -61,7 +61,7 @@
# fail2ban-regex /var/log/YOUR_LOG_FILE_PATH /etc/fail2ban/filter.d/YOUR_APP.conf
# ```
#
# Requires YunoHost version 3.5.0 or higher.
# Requires YunoHost version 4.1.0 or higher.
ynh_add_fail2ban_config () {
# Declare an array to define the options of this helper.
local legacy_args=lrmptv
@ -79,7 +79,7 @@ ynh_add_fail2ban_config () {
others_var="${others_var:-}"
use_template="${use_template:-0}"
[[ -z "$others_var" ]] || ynh_print_warn --message="Packagers: using --others_var is unecessary since Yunohost 4.2"
[[ -z "$others_var" ]] || ynh_print_warn --message="Packagers: using --others_var is unecessary since YunoHost 4.2"
if [ $use_template -ne 1 ]
then

2
data/helpers.d/logging
View file

@ -293,7 +293,7 @@ ynh_script_progression () {
set -o xtrace # set -x
}
# Return data to the Yunohost core for later processing
# Return data to the YunoHost core for later processing
# (to be used by special hooks like app config panel and core diagnosis)
#
# usage: ynh_return somedata

6
data/helpers.d/logrotate
View file

@ -96,6 +96,12 @@ $logfile {
EOF
mkdir --parents $(dirname "$logfile") # Create the log directory, if not exist
cat ${app}-logrotate | $customtee /etc/logrotate.d/$app > /dev/null # Append this config to the existing config file, or replace the whole config file (depending on $customtee)
if ynh_user_exists --username="$app"; then
chown $app:$app "$logfile"
chmod o-rwx "$logfile"
fi
}
# Remove the app's logrotate config.

10
data/helpers.d/multimedia
View file

@ -6,6 +6,8 @@ readonly MEDIA_DIRECTORY=/home/yunohost.multimedia
# Initialize the multimedia directory system
#
# usage: ynh_multimedia_build_main_dir
#
# Requires YunoHost version 4.2 or higher.
ynh_multimedia_build_main_dir() {
## Création du groupe multimedia
@ -29,7 +31,11 @@ ynh_multimedia_build_main_dir() {
mkdir -p "$MEDIA_DIRECTORY/$user/eBook"
ln -sfn "$MEDIA_DIRECTORY/share" "$MEDIA_DIRECTORY/$user/Share"
# Création du lien symbolique dans le home de l'utilisateur.
ln -sfn "$MEDIA_DIRECTORY/$user" "/home/$user/Multimedia"
#link will only be created if the home directory of the user exists and if it's located in '/home' folder
local user_home="$(getent passwd $user | cut -d: -f6 | grep '^/home/')"
if [[ -d "$user_home" ]]; then
ln -sfn "$MEDIA_DIRECTORY/$user" "$user_home/Multimedia"
fi
# Propriétaires des dossiers utilisateurs.
chown -R $user "$MEDIA_DIRECTORY/$user"
done
@ -55,6 +61,7 @@ ynh_multimedia_build_main_dir() {
#
# This "directory" will be a symbolic link to a existing directory.
#
# Requires YunoHost version 4.2 or higher.
ynh_multimedia_addfolder() {
# Declare an array to define the options of this helper.
@ -83,6 +90,7 @@ ynh_multimedia_addfolder() {
#
# | arg: -u, --user_name= - The name of the user which gain this access.
#
# Requires YunoHost version 4.2 or higher.
ynh_multimedia_addaccess () {
# Declare an array to define the options of this helper.
local legacy_args=u

11
data/helpers.d/network
View file

@ -20,7 +20,7 @@ ynh_find_port () {
test -n "$port" || ynh_die --message="The argument of ynh_find_port must be a valid port."
while ! ynh_port_available --port=$port
do
port=$((port+1)) # Else, pass to next port
port=$((port+1))
done
echo $port
}
@ -42,7 +42,12 @@ ynh_port_available () {
# Manage arguments with getopts
ynh_handle_getopts_args "$@"
if ss --numeric --listening --tcp --udp | awk '{print$5}' | grep --quiet --extended-regexp ":$port$" # Check if the port is free
# Check if the port is free
if ss --numeric --listening --tcp --udp | awk '{print$5}' | grep --quiet --extended-regexp ":$port$"
then
return 1
# This is to cover (most) case where an app is using a port yet ain't currently using it for some reason (typically service ain't up)
elif grep -q "port: '$port'" /etc/yunohost/apps/*/settings.yml
then
return 1
else
@ -75,7 +80,7 @@ ynh_validate_ip()
[ "$family" == "4" ] || [ "$family" == "6" ] || return 1
python /dev/stdin << EOF
python3 /dev/stdin << EOF
import socket
import sys
family = { "4" : socket.AF_INET, "6" : socket.AF_INET6 }

2
data/helpers.d/nginx
View file

@ -15,7 +15,7 @@
# This allows to enable/disable specific behaviors dependenging on the install
# location
#
# Requires YunoHost version 2.7.2 or higher.
# Requires YunoHost version 4.1.0 or higher.
ynh_add_nginx_config () {
local finalnginxconf="/etc/nginx/conf.d/$domain.d/$app.conf"

6
data/helpers.d/nodejs
View file

@ -1,6 +1,6 @@
#!/bin/bash
n_version=7.0.2
n_version=7.5.0
n_install_dir="/opt/node_n"
node_version_path="$n_install_dir/n/versions/node"
# N_PREFIX is the directory of n, it needs to be loaded as a environment variable.
@ -17,7 +17,7 @@ ynh_install_n () {
ynh_print_info --message="Installation of N - Node.js version management"
# Build an app.src for n
echo "SOURCE_URL=https://github.com/tj/n/archive/v${n_version}.tar.gz
SOURCE_SUM=fa80a8685f0fb1b4187fc0a1228b44f0ea2f244e063fe8f443b8913ea595af89" > "$YNH_APP_BASEDIR/conf/n.src"
SOURCE_SUM=d4da7ea91f680de0c9b5876e097e2a793e8234fcd0f7ca87a0599b925be087a3" > "$YNH_APP_BASEDIR/conf/n.src"
# Download and extract n
ynh_setup_source --dest_dir="$n_install_dir/git" --source_id=n
# Install n
@ -92,6 +92,8 @@ ynh_use_nodejs () {
node_PATH="$PATH"
# Create an alias to easily load the PATH
ynh_node_load_PATH="PATH=$node_PATH"
# Same var but in lower case to be compatible with ynh_replace_vars...
ynh_node_load_path="PATH=$node_PATH"
}
# Install a specific version of nodejs

15
data/helpers.d/permission
View file

@ -182,7 +182,7 @@ ynh_permission_exists() {
local permission
ynh_handle_getopts_args "$@"
yunohost user permission list --output-as json --quiet \
yunohost user permission list "$app" --output-as json --quiet \
| jq -e --arg perm "$app.$permission" '.permissions[$perm]' >/dev/null
}
@ -362,8 +362,17 @@ ynh_permission_has_user() {
return 1
fi
yunohost user permission info "$app.$permission" --output-as json --quiet \
| jq -e --arg user $user '.corresponding_users | index($user)' >/dev/null
# Check both allowed and corresponding_users sections in the json
for section in "allowed" "corresponding_users"
do
if yunohost user permission info "$app.$permission" --output-as json --quiet \
| jq -e --arg user $user --arg section $section '.[$section] | index($user)' >/dev/null
then
return 0
fi
done
return 1
}
# Check if a legacy permissions exist

84
data/helpers.d/php
View file

@ -55,9 +55,7 @@ YNH_PHP_VERSION=${YNH_PHP_VERSION:-$YNH_DEFAULT_PHP_VERSION}
# RAM) but the impact on the proc is lower. The service will be quick to answer as there's always many
# children ready to answer.
#
# Requires YunoHost version 2.7.2 or higher.
# Requires YunoHost version 3.5.1 or higher for the argument --phpversion
# Requires YunoHost version 3.8.1 or higher for the arguments --use_template, --usage, --footprint, --package and --dedicated_service
# Requires YunoHost version 4.1.0 or higher.
ynh_add_fpm_config () {
# Declare an array to define the options of this helper.
local legacy_args=vtufpd
@ -113,7 +111,7 @@ ynh_add_fpm_config () {
elif [ -n "$package" ]
then
# Install the additionnal packages from the default repository
ynh_add_app_dependencies --package="$package"
ynh_install_app_dependencies "$package"
fi
if [ $dedicated_service -eq 1 ]
@ -227,7 +225,7 @@ syslog.ident = php-fpm-__APP__
include = __FINALPHPCONF__
" > $YNH_APP_BASEDIR/conf/php-fpm-$app.conf
ynh_add_config --template="../config/php-fpm-$app.conf" --destination="$globalphpconf"
ynh_add_config --template="$YNH_APP_BASEDIR/conf/php-fpm-$app.conf" --destination="$globalphpconf"
# Create a config for a dedicated PHP-FPM service for the app
echo "[Unit]
@ -247,7 +245,7 @@ WantedBy=multi-user.target
# Create this dedicated PHP-FPM service
ynh_add_systemd_config --service=$fpm_service --template=$fpm_service
# Integrate the service in YunoHost admin panel
yunohost service add $fpm_service --log /var/log/php/fpm-php.$app.log --log_type file --description "Php-fpm dedicated to $app"
yunohost service add $fpm_service --log /var/log/php/fpm-php.$app.log --description "Php-fpm dedicated to $app"
# Configure log rotate
ynh_use_logrotate --logfile=/var/log/php
# Restart the service, as this service is either stopped or only for this app
@ -287,6 +285,12 @@ ynh_remove_fpm_config () {
fpm_service="php$YNH_DEFAULT_PHP_VERSION-fpm"
fi
ynh_secure_remove --file="$fpm_config_dir/pool.d/$app.conf"
if [ -e $fpm_config_dir/conf.d/20-$app.ini ]
then
ynh_secure_remove --file="$fpm_config_dir/conf.d/20-$app.ini"
fi
if [ $dedicated_service -eq 1 ]
then
# Remove the dedicated service PHP-FPM service for the app
@ -299,12 +303,6 @@ ynh_remove_fpm_config () {
ynh_systemd_action --service_name=$fpm_service --action=reload
fi
ynh_secure_remove --file="$fpm_config_dir/pool.d/$app.conf"
if [ -e $fpm_config_dir/conf.d/20-$app.ini ]
then
ynh_secure_remove --file="$fpm_config_dir/conf.d/20-$app.ini"
fi
# If the PHP version used is not the default version for YunoHost
if [ "$phpversion" != "$YNH_DEFAULT_PHP_VERSION" ]
then
@ -332,37 +330,13 @@ ynh_install_php () {
ynh_handle_getopts_args "$@"
package=${package:-}
# Store phpversion into the config of this app
ynh_app_setting_set $app phpversion $phpversion
if [ "$phpversion" == "$YNH_DEFAULT_PHP_VERSION" ]
then
ynh_die --message="Do not use ynh_install_php to install php$YNH_DEFAULT_PHP_VERSION"
fi
# Create the file if doesn't exist already
touch /etc/php/ynh_app_version
# Do not add twice the same line
if ! grep --quiet "$YNH_APP_INSTANCE_NAME:" "/etc/php/ynh_app_version"
then
# Store the ID of this app and the version of PHP requested for it
echo "$YNH_APP_INSTANCE_NAME:$phpversion" | tee --append "/etc/php/ynh_app_version"
fi
# Add an extra repository for those packages
ynh_install_extra_repo --repo="https://packages.sury.org/php/ $(ynh_get_debian_release) main" --key="https://packages.sury.org/php/apt.gpg" --name=extra_php_version --priority=600
# Install requested dependencies from this extra repository.
# Install PHP-FPM first, otherwise PHP will install apache as a dependency.
ynh_add_app_dependencies --package="php${phpversion}-fpm"
ynh_add_app_dependencies --package="php$phpversion php${phpversion}-common $package"
# Set the default PHP version back as the default version for php-cli.
update-alternatives --set php /usr/bin/php$YNH_DEFAULT_PHP_VERSION
# Advertise service in admin panel
yunohost service add php${phpversion}-fpm --log "/var/log/php${phpversion}-fpm.log"
ynh_install_app_dependencies "$package"
ynh_app_setting_set --app=$app --key=phpversion --value=$specific_php_version
}
# Remove the specific version of PHP used by the app.
@ -373,35 +347,7 @@ ynh_install_php () {
#
# Requires YunoHost version 3.8.1 or higher.
ynh_remove_php () {
# Get the version of PHP used by this app
local phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
if [ "$phpversion" == "$YNH_DEFAULT_PHP_VERSION" ] || [ -z "$phpversion" ]
then
if [ "$phpversion" == "$YNH_DEFAULT_PHP_VERSION" ]
then
ynh_print_err "Do not use ynh_remove_php to remove php$YNH_DEFAULT_PHP_VERSION !"
fi
return 0
fi
# Create the file if doesn't exist already
touch /etc/php/ynh_app_version
# Remove the line for this app
sed --in-place "/$YNH_APP_INSTANCE_NAME:$phpversion/d" "/etc/php/ynh_app_version"
# If no other app uses this version of PHP, remove it.
if ! grep --quiet "$phpversion" "/etc/php/ynh_app_version"
then
# Remove the service from the admin panel
if ynh_package_is_installed --package="php${phpversion}-fpm"; then
yunohost service remove php${phpversion}-fpm
fi
# Purge PHP dependencies for this version.
ynh_package_autopurge "php$phpversion php${phpversion}-fpm php${phpversion}-common"
fi
ynh_remove_app_dependencies
}
# Define the values to configure PHP-FPM
@ -570,6 +516,7 @@ YNH_COMPOSER_VERSION=${YNH_COMPOSER_VERSION:-$YNH_DEFAULT_COMPOSER_VERSION}
# | arg: -w, --workdir - The directory from where the command will be executed. Default $final_path.
# | arg: -c, --commands - Commands to execute.
#
# Requires YunoHost version 4.2 or higher.
ynh_composer_exec () {
# Declare an array to define the options of this helper.
local legacy_args=vwc
@ -582,7 +529,7 @@ ynh_composer_exec () {
workdir="${workdir:-$final_path}"
phpversion="${phpversion:-$YNH_PHP_VERSION}"
COMPOSER_HOME="$workdir/.composer" \
COMPOSER_HOME="$workdir/.composer" COMPOSER_MEMORY_LIMIT=-1 \
php${phpversion} "$workdir/composer.phar" $commands \
-d "$workdir" --quiet --no-interaction
}
@ -595,6 +542,7 @@ ynh_composer_exec () {
# | arg: -a, --install_args - Additional arguments provided to the composer install. Argument --no-dev already include
# | arg: -c, --composerversion - Composer version to install
#
# Requires YunoHost version 4.2 or higher.
ynh_install_composer () {
# Declare an array to define the options of this helper.
local legacy_args=vwac

4
data/helpers.d/setting
View file

@ -86,7 +86,7 @@ key, value = os.environ['KEY'], os.environ.get('VALUE', None)
setting_file = "/etc/yunohost/apps/%s/settings.yml" % app
assert os.path.exists(setting_file), "Setting file %s does not exists ?" % setting_file
with open(setting_file) as f:
settings = yaml.load(f)
settings = yaml.safe_load(f)
if action == "get":
if key in settings:
print(settings[key])
@ -96,7 +96,7 @@ else:
del settings[key]
elif action == "set":
if key in ['redirected_urls', 'redirected_regex']:
value = yaml.load(value)
value = yaml.safe_load(value)
settings[key] = value
else:
raise ValueError("action should either be get, set or delete")

2
data/helpers.d/string
View file

@ -43,12 +43,14 @@ ynh_replace_string () {
local target_file
# Manage arguments with getopts
ynh_handle_getopts_args "$@"
set +o xtrace # set +x
local delimit=@
# Escape the delimiter if it's in the string.
match_string=${match_string//${delimit}/"\\${delimit}"}
replace_string=${replace_string//${delimit}/"\\${delimit}"}
set -o xtrace # set -x
sed --in-place "s${delimit}${match_string}${delimit}${replace_string}${delimit}g" "$target_file"
}

17
data/helpers.d/systemd
View file

@ -11,7 +11,7 @@
# See the documentation of `ynh_add_config` for a description of the template
# format and how placeholders are replaced with actual variables.
#
# Requires YunoHost version 2.7.11 or higher.
# Requires YunoHost version 4.1.0 or higher.
ynh_add_systemd_config () {
# Declare an array to define the options of this helper.
local legacy_args=stv
@ -25,7 +25,7 @@ ynh_add_systemd_config () {
template="${template:-systemd.service}"
others_var="${others_var:-}"
[[ -z "$others_var" ]] || ynh_print_warn --message="Packagers: using --others_var is unecessary since Yunohost 4.2"
[[ -z "$others_var" ]] || ynh_print_warn --message="Packagers: using --others_var is unecessary since YunoHost 4.2"
ynh_add_config --template="$YNH_APP_BASEDIR/conf/$template" --destination="/etc/systemd/system/$service.service"
@ -88,6 +88,12 @@ ynh_systemd_action() {
log_path="${log_path:-/var/log/$service_name/$service_name.log}"
timeout=${timeout:-300}
# Manage case of service already stopped
if [ "$action" == "stop" ] && ! systemctl is-active --quiet $service_name
then
return 0
fi
# Start to read the log
if [[ -n "$line_match" ]]
then
@ -139,11 +145,8 @@ ynh_systemd_action() {
ynh_print_info --message="The service $service_name has correctly executed the action ${action}."
break
fi
if [ $i -eq 3 ]; then
echo -n "Please wait, the service $service_name is ${action}ing" >&2
fi
if [ $i -ge 3 ]; then
echo -n "." >&2
if [ $i -eq 30 ]; then
echo "(this may take some time)" >&2
fi
sleep 1
done

14
data/helpers.d/user
View file

@ -92,10 +92,11 @@ ynh_system_group_exists() {
# Create a system user
#
# usage: ynh_system_user_create --username=user_name [--home_dir=home_dir] [--use_shell]
# usage: ynh_system_user_create --username=user_name [--home_dir=home_dir] [--use_shell] [--groups="group1 group2"]
# | arg: -u, --username= - Name of the system user that will be create
# | arg: -h, --home_dir= - Path of the home dir for the user. Usually the final path of the app. If this argument is omitted, the user will be created without home
# | arg: -s, --use_shell - Create a user using the default login shell if present. If this argument is omitted, the user will be created with /usr/sbin/nologin shell
# | arg: -g, --groups - Add the user to system groups. Typically meant to add the user to the ssh.app / sftp.app group (e.g. for borgserver, my_webapp)
#
# Create a nextcloud user with no home directory and /usr/sbin/nologin login shell (hence no login capability) :
# ```
@ -110,14 +111,17 @@ ynh_system_group_exists() {
ynh_system_user_create () {
# Declare an array to define the options of this helper.
local legacy_args=uhs
local -A args_array=( [u]=username= [h]=home_dir= [s]=use_shell )
local -A args_array=( [u]=username= [h]=home_dir= [s]=use_shell [g]=groups= )
local username
local home_dir
local use_shell
local groups
# Manage arguments with getopts
ynh_handle_getopts_args "$@"
use_shell="${use_shell:-0}"
home_dir="${home_dir:-}"
groups="${groups:-}"
if ! ynh_system_user_exists "$username" # Check if the user exists on the system
then # If the user doesn't exist
@ -135,6 +139,12 @@ ynh_system_user_create () {
fi
useradd $user_home_dir --system --user-group $username $shell || ynh_die --message="Unable to create $username system account"
fi
local group
for group in $groups
do
usermod -a -G "$group" "$username"
done
}
# Delete a system user

277
data/helpers.d/utils
View file

@ -1,6 +1,6 @@
#!/bin/bash
YNH_APP_BASEDIR=$([[ "$(basename $0)" =~ ^backup|restore$ ]] && echo '../settings' || echo '..')
YNH_APP_BASEDIR=${YNH_APP_BASEDIR:-$(realpath ..)}
# Handle script crashes / failures
#
@ -180,6 +180,11 @@ ynh_setup_source () {
# Extract source into the app dir
mkdir --parents "$dest_dir"
if [ -n "${final_path:-}" ] && [ "$dest_dir" == "$final_path" ]
then
_ynh_apply_default_permissions $dest_dir
fi
if ! "$src_extract"
then
mv $src_filename $dest_dir
@ -196,6 +201,7 @@ ynh_setup_source () {
else
unzip -quo $src_filename -d "$dest_dir"
fi
ynh_secure_remove --file="$src_filename"
else
local strip=""
if [ "$src_in_subdir" != "false" ]
@ -214,18 +220,22 @@ ynh_setup_source () {
else
ynh_die --message="Archive format unrecognized."
fi
ynh_secure_remove --file="$src_filename"
fi
# Apply patches
local patches_folder=$(realpath $YNH_APP_BASEDIR/sources/patches/)
if (( $(find $patches_folder -type f -name "${source_id}-*.patch" 2> /dev/null | wc --lines) > "0" ))
if [ -d "$YNH_APP_BASEDIR/sources/patches/" ]
then
(cd "$dest_dir"
for p in $patches_folder/${source_id}-*.patch
do
echo $p
patch --strip=1 < $p
done) || ynh_die --message="Unable to apply patches"
local patches_folder=$(realpath $YNH_APP_BASEDIR/sources/patches/)
if (( $(find $patches_folder -type f -name "${source_id}-*.patch" 2> /dev/null | wc --lines) > "0" ))
then
(cd "$dest_dir"
for p in $patches_folder/${source_id}-*.patch
do
echo $p
patch --strip=1 < $p
done) || ynh_die --message="Unable to apply patches"
fi
fi
# Add supplementary files
@ -363,8 +373,17 @@ ynh_add_config () {
ynh_backup_if_checksum_is_different --file="$destination"
# Make sure to set the permissions before we copy the file
# This is to cover a case where an attacker could have
# created a file beforehand to have control over it
# (cp won't overwrite ownership / modes by default...)
touch $destination
chown root:root $destination
chmod 640 $destination
cp -f "$template_path" "$destination"
chown root: "$destination"
_ynh_apply_default_permissions $destination
ynh_replace_vars --file="$destination"
@ -454,6 +473,207 @@ ynh_replace_vars () {
done
}
# Get a value from heterogeneous file (yaml, json, php, python...)
#
# usage: ynh_read_var_in_file --file=PATH --key=KEY
# | arg: -f, --file= - the path to the file
# | arg: -k, --key= - the key to get
#
# This helpers match several var affectation use case in several languages
# We don't use jq or equivalent to keep comments and blank space in files
# This helpers work line by line, it is not able to work correctly
# if you have several identical keys in your files
#
# Example of line this helpers can managed correctly
# .yml
# title: YunoHost documentation
# email: 'yunohost@yunohost.org'
# .json
# "theme": "colib'ris",
# "port": 8102
# "some_boolean": false,
# "user": null
# .ini
# some_boolean = On
# action = "Clear"
# port = 20
# .php
# $user=
# user => 20
# .py
# USER = 8102
# user = 'https://donate.local'
# CUSTOM['user'] = 'YunoHost'
#
# Requires YunoHost version 4.3 or higher.
ynh_read_var_in_file() {
# Declare an array to define the options of this helper.
local legacy_args=fka
local -A args_array=( [f]=file= [k]=key= [a]=after=)
local file
local key
local after
# Manage arguments with getopts
ynh_handle_getopts_args "$@"
after="${after:-}"
[[ -f $file ]] || ynh_die --message="File $file does not exists"
set +o xtrace # set +x
# Get the line number after which we search for the variable
local line_number=1
if [[ -n "$after" ]];
then
line_number=$(grep -n $after $file | cut -d: -f1)
if [[ -z "$line_number" ]];
then
set -o xtrace # set -x
return 1
fi
fi
local filename="$(basename -- "$file")"
local ext="${filename##*.}"
local endline=',;'
local assign="=>|:|="
local comments="#"
local string="\"'"
if [[ "$ext" =~ ^ini|env|toml|yml|yaml$ ]]; then
endline='#'
fi
if [[ "$ext" =~ ^ini|env$ ]]; then
comments="[;#]"
fi
if [[ "php" == "$ext" ]] || [[ "$ext" == "js" ]]; then
comments="//"
fi
local list='\[\s*['$string']?\w+['$string']?\]'
local var_part='^\s*((const|var|let)\s+)?\$?(\w+('$list')*(->|\.|\[))*\s*'
var_part+="[$string]?${key}[$string]?"
var_part+='\s*\]?\s*'
var_part+="($assign)"
var_part+='\s*'
# Extract the part after assignation sign
local expression_with_comment="$(tail +$line_number ${file} | grep -i -o -P $var_part'\K.*$' || echo YNH_NULL | head -n1)"
if [[ "$expression_with_comment" == "YNH_NULL" ]]; then
set -o xtrace # set -x
echo YNH_NULL
return 0
fi
# Remove comments if needed
local expression="$(echo "$expression_with_comment" | sed "s@$comments[^$string]*\$@@g" | sed "s@\s*[$endline]*\s*]*\$@@")"
local first_char="${expression:0:1}"
if [[ "$first_char" == '"' ]] ; then
echo "$expression" | grep -m1 -o -P '"\K([^"](\\")?)*[^\\](?=")' | head -n1 | sed 's/\\"/"/g'
elif [[ "$first_char" == "'" ]] ; then
echo "$expression" | grep -m1 -o -P "'\K([^'](\\\\')?)*[^\\\\](?=')" | head -n1 | sed "s/\\\\'/'/g"
else
echo "$expression"
fi
set -o xtrace # set -x
}
# Set a value into heterogeneous file (yaml, json, php, python...)
#
# usage: ynh_write_var_in_file --file=PATH --key=KEY --value=VALUE
# | arg: -f, --file= - the path to the file
# | arg: -k, --key= - the key to set
# | arg: -v, --value= - the value to set
#
# Requires YunoHost version 4.3 or higher.
ynh_write_var_in_file() {
# Declare an array to define the options of this helper.
local legacy_args=fkva
local -A args_array=( [f]=file= [k]=key= [v]=value= [a]=after=)
local file
local key
local value
local after
# Manage arguments with getopts
ynh_handle_getopts_args "$@"
after="${after:-}"
[[ -f $file ]] || ynh_die --message="File $file does not exists"
set +o xtrace # set +x
# Get the line number after which we search for the variable
local line_number=1
if [[ -n "$after" ]];
then
line_number=$(grep -n $after $file | cut -d: -f1)
if [[ -z "$line_number" ]];
then
set -o xtrace # set -x
return 1
fi
fi
local range="${line_number},\$ "
local filename="$(basename -- "$file")"
local ext="${filename##*.}"
local endline=',;'
local assign="=>|:|="
local comments="#"
local string="\"'"
if [[ "$ext" =~ ^ini|env|toml|yml|yaml$ ]]; then
endline='#'
fi
if [[ "$ext" =~ ^ini|env$ ]]; then
comments="[;#]"
fi
if [[ "php" == "$ext" ]] || [[ "$ext" == "js" ]]; then
comments="//"
fi
local list='\[\s*['$string']?\w+['$string']?\]'
local var_part='^\s*((const|var|let)\s+)?\$?(\w+('$list')*(->|\.|\[))*\s*'
var_part+="[$string]?${key}[$string]?"
var_part+='\s*\]?\s*'
var_part+="($assign)"
var_part+='\s*'
# Extract the part after assignation sign
local expression_with_comment="$(tail +$line_number ${file} | grep -i -o -P $var_part'\K.*$' || echo YNH_NULL | head -n1)"
if [[ "$expression_with_comment" == "YNH_NULL" ]]; then
set -o xtrace # set -x
return 1
fi
# Remove comments if needed
local expression="$(echo "$expression_with_comment" | sed "s@$comments[^$string]*\$@@g" | sed "s@\s*[$endline]*\s*]*\$@@")"
endline=${expression_with_comment#"$expression"}
endline="$(echo "$endline" | sed 's/\\/\\\\/g')"
value="$(echo "$value" | sed 's/\\/\\\\/g')"
local first_char="${expression:0:1}"
delimiter=$'\001'
if [[ "$first_char" == '"' ]] ; then
# \ and sed is quite complex you need 2 \\ to get one in a sed
# So we need \\\\ to go through 2 sed
value="$(echo "$value" | sed 's/"/\\\\"/g')"
sed -ri "${range}s$delimiter"'(^'"${var_part}"'")([^"]|\\")*("[\s;,]*)(\s*'$comments'.*)?$'$delimiter'\1'"${value}"'"'"${endline}${delimiter}i" ${file}
elif [[ "$first_char" == "'" ]] ; then
# \ and sed is quite complex you need 2 \\ to get one in a sed
# However double quotes implies to double \\ to
# So we need \\\\\\\\ to go through 2 sed and 1 double quotes str
value="$(echo "$value" | sed "s/'/\\\\\\\\'/g")"
sed -ri "${range}s$delimiter(^${var_part}')([^']|\\')*('"'[\s,;]*)(\s*'$comments'.*)?$'$delimiter'\1'"${value}'${endline}${delimiter}i" ${file}
else
if [[ "$value" == *"'"* ]] || [[ "$value" == *'"'* ]] || [[ "$ext" =~ ^php|py|json|js$ ]] ; then
value='\"'"$(echo "$value" | sed 's/"/\\\\"/g')"'\"'
fi
if [[ "$ext" =~ ^yaml|yml$ ]] ; then
value=" $value"
fi
sed -ri "${range}s$delimiter(^${var_part}).*\$$delimiter\1${value}${endline}${delimiter}i" ${file}
fi
set -o xtrace # set -x
}
# Render templates with Jinja2
#
# [internal]
@ -517,6 +737,7 @@ ynh_secure_remove () {
local file
# Manage arguments with getopts
ynh_handle_getopts_args "$@"
set +o xtrace # set +x
local forbidden_path=" \
/var/www \
@ -544,6 +765,8 @@ ynh_secure_remove () {
else
ynh_print_info --message="'$file' wasn't deleted because it doesn't exist."
fi
set -o xtrace # set -x
}
# Extract a key from a plain command output
@ -726,3 +949,37 @@ ynh_compare_current_package_version() {
# Return the return value of dpkg --compare-versions
dpkg --compare-versions $current_version $comparison $version
}
# Check if we should enforce sane default permissions (= disable rwx for 'others')
# on file/folders handled with ynh_setup_source and ynh_add_config
#
# [internal]
#
# Having a file others-readable or a folder others-executable(=enterable)
# is a security risk comparable to "chmod 777"
#
# Configuration files may contain secrets. Or even just being able to enter a
# folder may allow an attacker to do nasty stuff (maybe a file or subfolder has
# some write permission enabled for 'other' and the attacker may edit the
# content or create files as leverage for priviledge escalation ...)
#
# The sane default should be to set ownership to $app:$app.
# In specific case, you may want to set the ownership to $app:www-data
# for example if nginx needs access to static files.
#
_ynh_apply_default_permissions() {
local target=$1
local ynh_requirement=$(jq -r '.requirements.yunohost' $YNH_APP_BASEDIR/manifest.json | tr -d '>= ')
if [ -z "$ynh_requirement" ] || [ "$ynh_requirement" == "null" ] || dpkg --compare-versions $ynh_requirement ge 4.2
then
chmod o-rwx $target
chmod g-w $target
chown -R root:root $target
if ynh_system_user_exists $app
then
chown $app:$app $target
fi
fi
}

1
data/hooks/backup/05-conf_ldap Executable file → Normal file
View file

@ -11,7 +11,6 @@ backup_dir="${1}/conf/ldap"
# Backup the configuration
ynh_backup "/etc/ldap/ldap.conf" "${backup_dir}/ldap.conf"
ynh_backup "/etc/ldap/slapd.ldif" "${backup_dir}/slapd.ldif"
slapcat -b cn=config -l "${backup_dir}/cn=config.master.ldif"
# Backup the database

17
data/hooks/backup/08-conf_ssh
View file

@ -1,17 +0,0 @@
#!/bin/bash
# Exit hook on subcommand error or unset variable
set -eu
# Source YNH helpers
source /usr/share/yunohost/helpers
# Backup destination
backup_dir="${1}/conf/ssh"
# Backup the configuration
if [ -d /etc/ssh/ ]; then
ynh_backup "/etc/ssh" "$backup_dir"
else
echo "SSH is not installed"
fi

0
data/hooks/backup/17-data_home Executable file → Normal file
View file

17
data/hooks/backup/18-data_multimedia Normal file
View file

@ -0,0 +1,17 @@
#!/bin/bash
# Exit hook on subcommand error or unset variable
set -eu
# Source YNH helpers
source /usr/share/yunohost/helpers
# Backup destination
backup_dir="${1}/data/multimedia"
if [ -e "/home/yunohost.multimedia/.nobackup" ]; then
exit 0
fi
# Backup multimedia directory
ynh_backup --src_path="/home/yunohost.multimedia" --dest_path="${backup_dir}" --is_big --not_mandatory

13
data/hooks/backup/20-conf_ynh_firewall
View file

@ -1,13 +0,0 @@
#!/bin/bash
# Exit hook on subcommand error or unset variable
set -eu
# Source YNH helpers
source /usr/share/yunohost/helpers
# Backup destination
backup_dir="${1}/conf/ynh/firewall"
# Backup the configuration
ynh_backup "/etc/yunohost/firewall.yml" "${backup_dir}/firewall.yml"

18
data/hooks/backup/20-conf_ynh_settings Normal file
View file

@ -0,0 +1,18 @@
#!/bin/bash
# Exit hook on subcommand error or unset variable
set -eu
# Source YNH helpers
source /usr/share/yunohost/helpers
# Backup destination
backup_dir="${1}/conf/ynh"
# Backup the configuration
ynh_backup "/etc/yunohost/firewall.yml" "${backup_dir}/firewall.yml"
ynh_backup "/etc/yunohost/current_host" "${backup_dir}/current_host"
ynh_backup "/etc/yunohost/domains" "${backup_dir}/domains"
[ ! -e "/etc/yunohost/settings.json" ] || ynh_backup "/etc/yunohost/settings.json" "${backup_dir}/settings.json"
[ ! -d "/etc/yunohost/dyndns" ] || ynh_backup "/etc/yunohost/dyndns" "${backup_dir}/dyndns"
[ ! -d "/etc/dkim" ] || ynh_backup "/etc/dkim" "${backup_dir}/dkim"

0
data/hooks/backup/21-conf_ynh_certs Executable file → Normal file
View file

9
data/hooks/backup/22-conf_mail
View file

@ -1,9 +0,0 @@
#!/bin/bash
source /usr/share/yunohost/helpers
ynh_abort_if_errors
YNH_CWD="${YNH_BACKUP_DIR%/}/conf/dkim"
mkdir -p "$YNH_CWD"
cd "$YNH_CWD"
ynh_backup --src_path="/etc/dkim"

0
data/hooks/backup/23-data_mail Executable file → Normal file
View file

14
data/hooks/backup/26-conf_xmpp
View file

@ -1,14 +0,0 @@
#!/bin/bash
# Exit hook on subcommand error or unset variable
set -eu
# Source YNH helpers
source /usr/share/yunohost/helpers
# Backup destination
backup_dir="${1}/conf/xmpp"
# Backup the configuration
ynh_backup /etc/metronome "${backup_dir}/etc"
ynh_backup /var/lib/metronome "${backup_dir}/var"

13
data/hooks/backup/27-data_xmpp Normal file
View file

@ -0,0 +1,13 @@
#!/bin/bash
# Exit hook on subcommand error or unset variable
set -eu
# Source YNH helpers
source /usr/share/yunohost/helpers
# Backup destination
backup_dir="${1}/data/xmpp"
ynh_backup /var/lib/metronome "${backup_dir}/var_lib_metronome"
ynh_backup /var/xmpp-upload/ "${backup_dir}/var_xmpp-upload"

13
data/hooks/backup/29-conf_nginx
View file

@ -1,13 +0,0 @@
#!/bin/bash
# Exit hook on subcommand error or unset variable
set -eu
# Source YNH helpers
source /usr/share/yunohost/helpers
# Backup destination
backup_dir="${1}/conf/nginx"
# Backup the configuration
ynh_backup "/etc/nginx/conf.d" "$backup_dir"

13
data/hooks/backup/40-conf_ynh_currenthost
View file

@ -1,13 +0,0 @@
#!/bin/bash
# Exit hook on subcommand error or unset variable
set -eu
# Source YNH helpers
source /usr/share/yunohost/helpers
# Backup destination
backup_dir="${1}/conf/ynh"
# Backup the configuration
ynh_backup "/etc/yunohost/current_host" "${backup_dir}/current_host"

10
data/hooks/backup/42-conf_ynh_dyndns
View file

@ -1,10 +0,0 @@
#!/bin/bash
source /usr/share/yunohost/helpers
ynh_abort_if_errors
YNH_CWD="${YNH_BACKUP_DIR%/}/conf/ynh/dyndns"
mkdir -p $YNH_CWD
cd "$YNH_CWD"
# Backup the configuration
ynh_exec_warn_less ynh_backup --src_path="/etc/yunohost/dyndns" --not_mandatory

18
data/hooks/backup/50-conf_manually_modified_files Normal file
View file

@ -0,0 +1,18 @@
#!/bin/bash
source /usr/share/yunohost/helpers
ynh_abort_if_errors
YNH_CWD="${YNH_BACKUP_DIR%/}/conf/manually_modified_files"
mkdir -p "$YNH_CWD"
cd "$YNH_CWD"
yunohost tools shell -c "from yunohost.regenconf import manually_modified_files; print('\n'.join(manually_modified_files()))" > ./manually_modified_files_list
ynh_backup --src_path="./manually_modified_files_list"
for file in $(cat ./manually_modified_files_list)
do
[[ -e $file ]] && ynh_backup --src_path="$file"
done
ynh_backup --src_path="/etc/ssowat/conf.json.persistent"

186
data/hooks/conf_regen/01-yunohost
View file

@ -2,8 +2,6 @@
set -e
services_path="/etc/yunohost/services.yml"
do_init_regen() {
if [[ $EUID -ne 0 ]]; then
echo "You must be root to run this script" 1>&2
@ -19,8 +17,6 @@ do_init_regen() {
|| echo "yunohost.org" > /etc/yunohost/current_host
# copy default services and firewall
[[ -f $services_path ]] \
|| cp services.yml "$services_path"
[[ -f /etc/yunohost/firewall.yml ]] \
|| cp firewall.yml /etc/yunohost/firewall.yml
@ -39,6 +35,10 @@ do_init_regen() {
mkdir -p /home/yunohost.app
chmod 755 /home/yunohost.app
# Domain settings
mkdir -p /etc/yunohost/domains
chmod 700 /etc/yunohost/domains
# Backup folders
mkdir -p /home/yunohost.backup/archives
chmod 750 /home/yunohost.backup/archives
@ -49,9 +49,21 @@ do_init_regen() {
chmod 644 /etc/ssowat/conf.json.persistent
chown root:root /etc/ssowat/conf.json.persistent
# Empty service conf
touch /etc/yunohost/services.yml
mkdir -p /var/cache/yunohost/repo
chown root:root /var/cache/yunohost
chmod 700 /var/cache/yunohost
cp yunoprompt.service /etc/systemd/system/yunoprompt.service
cp dpkg-origins /etc/dpkg/origins/yunohost
# Change dpkg vendor
# see https://wiki.debian.org/Derivatives/Guidelines#Vendor
readlink -f /etc/dpkg/origins/default | grep -q debian \
&& rm -f /etc/dpkg/origins/default \
&& ln -s /etc/dpkg/origins/yunohost /etc/dpkg/origins/default
}
do_pre_regen() {
@ -59,26 +71,11 @@ do_pre_regen() {
cd /usr/share/yunohost/templates/yunohost
# update services.yml
if [[ -f $services_path ]]; then
tmp_services_path="${services_path}-tmp"
new_services_path="${services_path}-new"
cp "$services_path" "$tmp_services_path"
_update_services "$new_services_path" || {
mv "$tmp_services_path" "$services_path"
exit 1
}
if [[ -f $new_services_path ]]; then
# replace services.yml with new one
mv "$new_services_path" "$services_path"
mv "$tmp_services_path" "${services_path}-old"
else
rm -f "$tmp_services_path"
fi
else
cp services.yml /etc/yunohost/services.yml
fi
# Legacy code that can be removed once on bullseye
touch /etc/yunohost/services.yml
yunohost tools shell -c "from yunohost.service import _get_services, _save_services; _save_services(_get_services())"
mkdir -p $pending_dir/etc/systemd/system
mkdir -p $pending_dir/etc/cron.d/
mkdir -p $pending_dir/etc/cron.daily/
@ -99,7 +96,7 @@ EOF
# Cron job that renew lets encrypt certificates if there's any that needs renewal
cat > $pending_dir/etc/cron.daily/yunohost-certificate-renew << EOF
#!/bin/bash
yunohost domain cert-renew --email
yunohost domain cert renew --email
EOF
# If we subscribed to a dyndns domain, add the corresponding cron
@ -135,6 +132,28 @@ Conflicts=yunohost-firewall.service
ConditionFileIsExecutable=!/etc/init.d/yunohost-firewall
ConditionPathExists=!/etc/systemd/system/multi-user.target.wants/yunohost-firewall.service
EOF
# Don't suspend computer on LidSwitch
mkdir -p ${pending_dir}/etc/systemd/logind.conf.d/
cat > ${pending_dir}/etc/systemd/logind.conf.d/ynh-override.conf << EOF
[Login]
HandleLidSwitch=ignore
HandleLidSwitchDocked=ignore
HandleLidSwitchExternalPower=ignore
EOF
cp yunoprompt.service ${pending_dir}/etc/systemd/system/yunoprompt.service
if [[ "$(yunohost settings get 'security.experimental.enabled')" == "True" ]]
then
cp proc-hidepid.service ${pending_dir}/etc/systemd/system/proc-hidepid.service
else
touch ${pending_dir}/etc/systemd/system/proc-hidepid.service
fi
mkdir -p ${pending_dir}/etc/dpkg/origins/
cp dpkg-origins ${pending_dir}/etc/dpkg/origins/yunohost
}
do_post_regen() {
@ -144,6 +163,7 @@ do_post_regen() {
# Enfore permissions #
######################
chmod 750 /home/admin
chmod 750 /home/yunohost.conf
chmod 750 /home/yunohost.backup
chmod 750 /home/yunohost.backup/archives
@ -164,7 +184,21 @@ do_post_regen() {
chown root:root /var/cache/yunohost
chmod 700 /var/cache/yunohost
chown root:root /var/cache/moulinette
chmod 700 /var/cache/moulinette
setfacl -m g:all_users:--- /var/www
setfacl -m g:all_users:--- /var/log/nginx
setfacl -m g:all_users:--- /etc/yunohost
setfacl -m g:all_users:--- /etc/ssowat
for USER in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username')
do
[ ! -e "/home/$USER" ] || setfacl -m g:all_users:--- /home/$USER
done
# Domain settings
mkdir -p /etc/yunohost/domains
# Misc configuration / state files
chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
@ -173,88 +207,34 @@ do_post_regen() {
# Apps folder, custom hooks folder
[[ ! -e /etc/yunohost/hooks.d ]] || (chown root /etc/yunohost/hooks.d && chmod 700 /etc/yunohost/hooks.d)
[[ ! -e /etc/yunohost/apps ]] || (chown root /etc/yunohost/apps && chmod 700 /etc/yunohost/apps)
[[ ! -e /etc/yunohost/domains ]] || (chown root /etc/yunohost/domains && chmod 700 /etc/yunohost/domains)
# Create ssh.app and sftp.app groups if they don't exist yet
grep -q '^ssh.app:' /etc/group || groupadd ssh.app
grep -q '^sftp.app:' /etc/group || groupadd sftp.app
# Propagates changes in systemd service config overrides
[[ ! "$regen_conf_files" =~ "ntp.service.d/ynh-override.conf" ]] || { systemctl daemon-reload; systemctl restart ntp; }
[[ ! "$regen_conf_files" =~ "nftables.service.d/ynh-override.conf" ]] || systemctl daemon-reload
[[ ! "$regen_conf_files" =~ "login.conf.d/ynh-override.conf" ]] || systemctl daemon-reload
if [[ "$regen_conf_files" =~ "yunoprompt.service" ]]
then
systemctl daemon-reload
action=$([[ -e /etc/systemd/system/yunoprompt.service ]] && echo 'enable' || echo 'disable')
systemctl $action yunoprompt --quiet --now
fi
if [[ "$regen_conf_files" =~ "proc-hidepid.service" ]]
then
systemctl daemon-reload
action=$([[ -e /etc/systemd/system/proc-hidepid.service ]] && echo 'enable' || echo 'disable')
systemctl $action proc-hidepid --quiet --now
fi
# Change dpkg vendor
# see https://wiki.debian.org/Derivatives/Guidelines#Vendor
readlink -f /etc/dpkg/origins/default | grep -q debian \
&& rm -f /etc/dpkg/origins/default \
&& ln -s /etc/dpkg/origins/yunohost /etc/dpkg/origins/default
}
_update_services() {
python3 - << EOF
import yaml
with open('services.yml') as f:
new_services = yaml.load(f)
with open('/etc/yunohost/services.yml') as f:
services = yaml.load(f) or {}
updated = False
for service, conf in new_services.items():
# remove service with empty conf
if conf is None:
if service in services:
print("removing '{0}' from services".format(service))
del services[service]
updated = True
# add new service
elif not services.get(service, None):
print("adding '{0}' to services".format(service))
services[service] = conf
updated = True
# update service conf
else:
conffiles = services[service].pop('conffiles', {})
# status need to be removed
if "status" not in conf and "status" in services[service]:
print("update '{0}' service status access".format(service))
del services[service]["status"]
updated = True
if services[service] != conf:
print("update '{0}' service".format(service))
services[service].update(conf)
updated = True
if conffiles:
services[service]['conffiles'] = conffiles
# Remove legacy /var/log/daemon.log and /var/log/syslog from log entries
# because they are too general. Instead, now the journalctl log is
# returned by default which is more relevant.
if "log" in services[service]:
if services[service]["log"] in ["/var/log/syslog", "/var/log/daemon.log"]:
del services[service]["log"]
if updated:
with open('/etc/yunohost/services.yml-new', 'w') as f:
yaml.safe_dump(services, f, default_flow_style=False)
EOF
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
init)
do_init_regen
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

23
data/hooks/conf_regen/02-ssl
View file

@ -48,8 +48,6 @@ regen_local_ca() {
popd
}
do_init_regen() {
LOGFILE=/tmp/yunohost-ssl-init
@ -121,23 +119,4 @@ do_post_regen() {
fi
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
init)
do_init_regen
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

20
data/hooks/conf_regen/03-ssh
View file

@ -25,7 +25,7 @@ do_pre_regen() {
# Support different strategy for security configurations
export compatibility="$(yunohost settings get 'security.ssh.compatibility')"
export port="$(yunohost settings get 'security.ssh.port')"
export ssh_keys
export ipv6_enabled
ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
@ -48,20 +48,4 @@ do_post_regen() {
systemctl restart ssh
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

96
data/hooks/conf_regen/06-slapd
View file

@ -2,7 +2,10 @@
set -e
tmp_backup_dir_file="/tmp/slapd-backup-dir.txt"
tmp_backup_dir_file="/root/slapd-backup-dir.txt"
config="/usr/share/yunohost/templates/slapd/config.ldif"
db_init="/usr/share/yunohost/templates/slapd/db_init.ldif"
do_init_regen() {
if [[ $EUID -ne 0 ]]; then
@ -12,16 +15,12 @@ do_init_regen() {
do_pre_regen ""
systemctl daemon-reload
systemctl restart slapd
# Drop current existing slapd data
rm -rf /var/backups/*.ldapdb
rm -rf /var/backups/slapd-*
debconf-set-selections << EOF
debconf-set-selections << EOF
slapd slapd/password1 password yunohost
slapd slapd/password2 password yunohost
slapd slapd/domain string yunohost.org
@ -36,20 +35,38 @@ EOF
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd -u
# Regen conf
_regenerate_slapd_conf
# Enforce permissions
chown root:openldap /etc/ldap/slapd.ldif
# Enforce permissions
chown -R openldap:openldap /etc/ldap/schema/
usermod -aG ssl-cert openldap
# (Re-)init data according to default ldap entries
echo ' Initializing LDAP with YunoHost DB structure'
rm -rf /etc/ldap/slapd.d
mkdir -p /etc/ldap/slapd.d
slapadd -F /etc/ldap/slapd.d -b cn=config -l "$config" 2>&1 \
| grep -v "none elapsed\|Closing DB" || true
chown -R openldap: /etc/ldap/slapd.d
rm -rf /var/lib/ldap
mkdir -p /var/lib/ldap
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org -l "$db_init" 2>&1 \
| grep -v "none elapsed\|Closing DB" || true
chown -R openldap: /var/lib/ldap
nscd -i group || true
nscd -i passwd || true
systemctl restart slapd
# (Re-)init data according to ldap_scheme.yaml
yunohost tools shell -c "from yunohost.tools import tools_ldapinit; tools_ldapinit()"
# We don't use mkhomedir_helper because 'admin' may not be recognized
# when this script is ran in a chroot (e.g. ISO install)
# We also refer to admin as uid 1007 for the same reason
if [ ! -d /home/admin ]
then
cp -r /etc/skel /home/admin
chown -R 1007:1007 /home/admin
fi
}
_regenerate_slapd_conf() {
@ -59,7 +76,7 @@ _regenerate_slapd_conf() {
# so we use a temporary directory slapd_new.d
rm -Rf /etc/ldap/slapd_new.d
mkdir /etc/ldap/slapd_new.d
slapadd -n0 -l /etc/ldap/slapd.ldif -F /etc/ldap/slapd_new.d/ 2>&1 \
slapadd -b cn=config -l "$config" -F /etc/ldap/slapd_new.d/ 2>&1 \
| grep -v "none elapsed\|Closing DB" || true
# Actual validation (-Q is for quiet, -u is for dry-run)
slaptest -Q -u -F /etc/ldap/slapd_new.d
@ -101,7 +118,7 @@ do_pre_regen() {
cd /usr/share/yunohost/templates/slapd
# copy configuration files
cp -a ldap.conf slapd.ldif "$ldap_dir"
cp -a ldap.conf "$ldap_dir"
cp -a sudo.ldif mailserver.ldif permission.ldif "$schema_dir"
mkdir -p ${pending_dir}/etc/systemd/system/slapd.service.d/
@ -117,7 +134,6 @@ do_post_regen() {
echo "Enforce permissions on ldap/slapd directories and certs ..."
# penldap user should be in the ssl-cert group to let it access the certificate for TLS
usermod -aG ssl-cert openldap
chown root:openldap /etc/ldap/slapd.ldif
chown -R openldap:openldap /etc/ldap/schema/
chown -R openldap:openldap /etc/ldap/slapd.d/
@ -126,12 +142,28 @@ do_post_regen() {
then
systemctl daemon-reload
systemctl restart slapd
sleep 3
fi
# For some reason, old setups don't have the admins group defined...
if ! slapcat | grep -q 'cn=admins,ou=groups,dc=yunohost,dc=org'
then
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org <<< \
"dn: cn=admins,ou=groups,dc=yunohost,dc=org
cn: admins
gidNumber: 4001
memberUid: admin
objectClass: posixGroup
objectClass: top"
chown -R openldap: /var/lib/ldap
systemctl restart slapd
nscd -i group
fi
[ -z "$regen_conf_files" ] && exit 0
# regenerate LDAP config directory from slapd.conf
echo "Regenerate LDAP config directory from slapd.ldif"
echo "Regenerate LDAP config directory from config.ldif"
_regenerate_slapd_conf
# If there's a backup, re-import its data
@ -147,7 +179,7 @@ do_post_regen() {
su openldap -s "/bin/bash" -c "/usr/sbin/slapindex"
echo "Reloading slapd"
service slapd force-reload
systemctl force-reload slapd
# on slow hardware/vm this regen conf would exit before the admin user that
# is stored in ldap is available because ldap seems to slow to restart
@ -167,26 +199,4 @@ do_post_regen() {
done
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
init)
do_init_regen
;;
apply_config)
do_post_regen /etc/ldap/slapd.ldif
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

21
data/hooks/conf_regen/09-nslcd
View file

@ -22,23 +22,4 @@ do_post_regen() {
|| systemctl restart nslcd
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
init)
do_init_regen
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

47
data/hooks/conf_regen/10-apt
View file

@ -17,19 +17,16 @@ Pin-Priority: -1" >> "${pending_dir}/etc/apt/preferences.d/extra_php_version"
done
echo "
# Yes !
# This is what's preventing you from installing apache2 !
#
# Maybe take two fucking minutes to realize that if you try to install
# apache2, this will break nginx and break the entire YunoHost ecosystem.
# on your server.
#
# So, *NO*
# DO NOT do this.
# DO NOT remove these lines.
#
# I warned you. I WARNED YOU! But did you listen to me?
# Oooooh, noooo. You knew it all, didn't you?
# PLEASE READ THIS WARNING AND DON'T EDIT THIS FILE
# You are probably reading this file because you tried to install apache2 or
# bind9. These 2 packages conflict with YunoHost.
# Installing apache2 will break nginx and break the entire YunoHost ecosystem
# on your server, therefore don't remove those lines!
# You have been warned.
Package: apache2
Pin: release *
@ -39,9 +36,9 @@ Package: apache2-bin
Pin: release *
Pin-Priority: -1
# Also yes, bind9 will conflict with dnsmasq.
# Same story than for apache2.
# Don't fucking install it.
# Also bind9 will conflict with dnsmasq.
# Same story as for apache2.
# Don't install it, don't remove those lines.
Package: bind9
Pin: release *
@ -57,20 +54,4 @@ do_post_regen() {
update-alternatives --set php /usr/bin/php7.3
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

25
data/hooks/conf_regen/12-metronome
View file

@ -52,11 +52,14 @@ do_post_regen() {
mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
# http_upload directory must be writable by metronome and readable by nginx
mkdir -p "/var/xmpp-upload/${domain}/upload"
# sgid bit allows that file created in that dir will be owned by www-data
# despite the fact that metronome ain't in the www-data group
chmod g+s "/var/xmpp-upload/${domain}/upload"
chown -R metronome:www-data "/var/xmpp-upload/${domain}"
done
# fix some permissions
[ ! -e '/var/xmpp-upload' ] || chown -R metronome:www-data "/var/xmpp-upload/"
[ ! -e '/var/xmpp-upload' ] || chmod 750 "/var/xmpp-upload/"
# metronome should be in ssl-cert group to let it access SSL certificates
usermod -aG ssl-cert metronome
@ -64,23 +67,7 @@ do_post_regen() {
chown -R metronome: /etc/metronome/conf.d/
[[ -z "$regen_conf_files" ]] \
|| service metronome restart
|| systemctl restart metronome
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

34
data/hooks/conf_regen/15-nginx
View file

@ -25,6 +25,8 @@ do_init_regen() {
export compatibility="intermediate"
ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc"
ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost_admin.conf"
ynh_render_template "yunohost_admin.conf.inc" "${nginx_conf_dir}/yunohost_admin.conf.inc"
ynh_render_template "yunohost_api.conf.inc" "${nginx_conf_dir}/yunohost_api.conf.inc"
mkdir -p $nginx_conf_dir/default.d/
cp "redirect_to_admin.conf" $nginx_conf_dir/default.d/
@ -58,10 +60,12 @@ do_pre_regen() {
main_domain=$(cat /etc/yunohost/current_host)
# Support different strategy for security configurations
export redirect_to_https="$(yunohost settings get 'security.nginx.redirect_to_https')"
export compatibility="$(yunohost settings get 'security.nginx.compatibility')"
export experimental="$(yunohost settings get 'security.experimental.enabled')"
ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc"
cert_status=$(yunohost domain cert-status --json)
cert_status=$(yunohost domain cert status --json)
# add domain conf files
for domain in $YNH_DOMAINS; do
@ -83,6 +87,13 @@ do_pre_regen() {
done
export webadmin_allowlist_enabled=$(yunohost settings get security.webadmin.allowlist.enabled)
if [ "$webadmin_allowlist_enabled" == "True" ]
then
export webadmin_allowlist=$(yunohost settings get security.webadmin.allowlist)
fi
ynh_render_template "yunohost_admin.conf.inc" "${nginx_conf_dir}/yunohost_admin.conf.inc"
ynh_render_template "yunohost_api.conf.inc" "${nginx_conf_dir}/yunohost_api.conf.inc"
ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost_admin.conf"
mkdir -p $nginx_conf_dir/default.d/
cp "redirect_to_admin.conf" $nginx_conf_dir/default.d/
@ -138,23 +149,4 @@ do_post_regen() {
pgrep nginx && systemctl reload nginx || { journalctl --no-pager --lines=10 -u nginx >&2; exit 1; }
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
init)
do_init_regen
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

20
data/hooks/conf_regen/19-postfix
View file

@ -76,24 +76,8 @@ do_post_regen() {
fi
[[ -z "$regen_conf_files" ]] \
|| { service postfix restart && service postsrsd restart; }
|| { systemctl restart postfix && systemctl restart postsrsd; }
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

25
data/hooks/conf_regen/25-dovecot
View file

@ -41,7 +41,10 @@ do_post_regen() {
# create vmail user
id vmail > /dev/null 2>&1 \
|| adduser --system --ingroup mail --uid 500 vmail
|| adduser --system --ingroup mail --uid 500 vmail --home /var/vmail --no-create-home
# Delete legacy home for vmail that existed in the past but was empty, poluting /home/
[ ! -e /home/vmail ] || rmdir --ignore-fail-on-non-empty /home/vmail
# fix permissions
chown -R vmail:mail /etc/dovecot/global_script
@ -57,23 +60,7 @@ do_post_regen() {
chown -R vmail:mail /etc/dovecot/global_script
}
service dovecot restart
systemctl restart dovecot
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

18
data/hooks/conf_regen/31-rspamd
View file

@ -59,20 +59,4 @@ do_post_regen() {
systemctl -q restart rspamd.service
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

24
data/hooks/conf_regen/34-mysql
View file

@ -37,7 +37,7 @@ do_post_regen() {
# This is a trick to check if we're able to use mysql without password
# Expect instances installed in stretch to already have unix_socket
#configured, but not old instances from the jessie/wheezy era
if ! echo "" | mysql
if ! echo "" | mysql 2>/dev/null
then
password="$(cat /etc/yunohost/mysql)"
# Enable plugin unix_socket for root on localhost
@ -45,7 +45,7 @@ do_post_regen() {
fi
# If now we're able to login without password, drop the mysql password
if echo "" | mysql
if echo "" | mysql 2>/dev/null
then
rm /etc/yunohost/mysql
else
@ -66,23 +66,7 @@ do_post_regen() {
fi
[[ -z "$regen_conf_files" ]] \
|| service mysql restart
|| systemctl restart mysql
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

18
data/hooks/conf_regen/35-redis
View file

@ -10,20 +10,4 @@ do_post_regen() {
chown -R redis:adm /var/log/redis
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

37
data/hooks/conf_regen/37-avahi-daemon
View file

@ -1,37 +0,0 @@
#!/bin/bash
set -e
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/avahi-daemon
install -D -m 644 avahi-daemon.conf \
"${pending_dir}/etc/avahi/avahi-daemon.conf"
}
do_post_regen() {
regen_conf_files=$1
[[ -z "$regen_conf_files" ]] \
|| service avahi-daemon restart
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0

57
data/hooks/conf_regen/37-mdns Executable file
View file

@ -0,0 +1,57 @@
#!/bin/bash
set -e
_generate_config() {
echo "domains:"
echo " - yunohost.local"
for domain in $YNH_DOMAINS
do
# Only keep .local domains (don't keep
[[ "$domain" =~ [^.]+\.[^.]+\.local$ ]] && echo "Subdomain $domain cannot be handled by Bonjour/Zeroconf/mDNS" >&2
[[ "$domain" =~ ^[^.]+\.local$ ]] || continue
echo " - $domain"
done
}
do_init_regen() {
do_pre_regen
do_post_regen /etc/systemd/system/yunomdns.service
systemctl enable yunomdns
}
do_pre_regen() {
pending_dir="$1"
cd /usr/share/yunohost/templates/mdns
mkdir -p ${pending_dir}/etc/systemd/system/
cp yunomdns.service ${pending_dir}/etc/systemd/system/
getent passwd mdns &>/dev/null || useradd --no-create-home --shell /usr/sbin/nologin --system --user-group mdns
mkdir -p ${pending_dir}/etc/yunohost
_generate_config > ${pending_dir}/etc/yunohost/mdns.yml
}
do_post_regen() {
regen_conf_files="$1"
chown mdns:mdns /etc/yunohost/mdns.yml
# If we changed the systemd ynh-override conf
if echo "$regen_conf_files" | sed 's/,/\n/g' | grep -q "^/etc/systemd/system/yunomdns.service$"
then
systemctl daemon-reload
fi
# Legacy stuff to enable the new yunomdns service on legacy systems
if [[ -e /etc/avahi/avahi-daemon.conf ]] && grep -q 'yunohost' /etc/avahi/avahi-daemon.conf
then
systemctl enable yunomdns
fi
[[ -z "$regen_conf_files" ]] \
|| systemctl restart yunomdns
}
do_$1_regen ${@:2}

25
data/hooks/conf_regen/43-dnsmasq
View file

@ -32,6 +32,7 @@ do_pre_regen() {
# add domain conf files
for domain in $YNH_DOMAINS; do
[[ ! $domain =~ \.local$ ]] || continue
export domain
ynh_render_template "domain.tpl" "${dnsmasq_dir}/${domain}"
done
@ -40,8 +41,10 @@ do_pre_regen() {
conf_files=$(ls -1 /etc/dnsmasq.d \
| awk '/^[^\.]+\.[^\.]+.*$/ { print $1 }')
for domain in $conf_files; do
[[ $YNH_DOMAINS =~ $domain ]] \
|| touch "${dnsmasq_dir}/${domain}"
if [[ ! $YNH_DOMAINS =~ $domain ]] && [[ ! $domain =~ \.local$ ]]
then
touch "${dnsmasq_dir}/${domain}"
fi
done
}
@ -80,20 +83,4 @@ do_post_regen() {
systemctl restart dnsmasq
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

21
data/hooks/conf_regen/46-nsswitch
View file

@ -22,23 +22,4 @@ do_post_regen() {
|| systemctl restart unscd
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
init)
do_init_regen
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

26
data/hooks/conf_regen/52-fail2ban
View file

@ -2,6 +2,8 @@
set -e
. /usr/share/yunohost/helpers
do_pre_regen() {
pending_dir=$1
@ -13,30 +15,16 @@ do_pre_regen() {
cp yunohost.conf "${fail2ban_dir}/filter.d/yunohost.conf"
cp jail.conf "${fail2ban_dir}/jail.conf"
cp yunohost-jails.conf "${fail2ban_dir}/jail.d/"
export ssh_port="$(yunohost settings get 'security.ssh.port')"
ynh_render_template "yunohost-jails.conf" "${fail2ban_dir}/jail.d/yunohost-jails.conf"
}
do_post_regen() {
regen_conf_files=$1
[[ -z "$regen_conf_files" ]] \
|| service fail2ban restart
|| systemctl reload fail2ban
}
FORCE=${2:-0}
DRY_RUN=${3:-0}
case "$1" in
pre)
do_pre_regen $4
;;
post)
do_post_regen $4
;;
*)
echo "hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0
do_$1_regen ${@:2}

24
data/hooks/diagnosis/00-basesystem.py
View file

@ -133,6 +133,13 @@ class BaseSystemDiagnoser(Diagnoser):
summary="diagnosis_backports_in_sources_list",
)
if self.number_of_recent_auth_failure() > 500:
yield dict(
meta={"test": "high_number_auth_failure"},
status="WARNING",
summary="diagnosis_high_number_auth_failures",
)
def bad_sury_packages(self):
packages_to_check = ["openssl", "libssl1.1", "libssl-dev"]
@ -154,6 +161,23 @@ class BaseSystemDiagnoser(Diagnoser):
cmd = "grep -q -nr '^ *deb .*-backports' /etc/apt/sources.list*"
return os.system(cmd) == 0
def number_of_recent_auth_failure(self):
# Those syslog facilities correspond to auth and authpriv
# c.f. https://unix.stackexchange.com/a/401398
# and https://wiki.archlinux.org/title/Systemd/Journal#Facility
cmd = "journalctl -q SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 --since '1day ago' | grep 'authentication failure' | wc -l"
n_failures = check_output(cmd)
try:
return int(n_failures)
except Exception:
self.logger_warning(
"Failed to parse number of recent auth failures, expected an int, got '%s'"
% n_failures
)
return -1
def is_vulnerable_to_meltdown(self):
# meltdown CVE: https://security-tracker.debian.org/tracker/CVE-2017-5754

86
data/hooks/diagnosis/12-dnsrecords.py
View file

@ -8,11 +8,15 @@ from publicsuffix import PublicSuffixList
from moulinette.utils.process import check_output
from yunohost.utils.network import dig
from yunohost.utils.dns import (
dig,
YNH_DYNDNS_DOMAINS,
is_yunohost_dyndns_domain,
is_special_use_tld,
)
from yunohost.diagnosis import Diagnoser
from yunohost.domain import domain_list, _build_dns_conf, _get_maindomain
YNH_DYNDNS_DOMAINS = ["nohost.me", "noho.st", "ynh.fr"]
from yunohost.domain import domain_list, _get_maindomain
from yunohost.dns import _build_dns_conf, _get_dns_zone_for_domain
class DNSRecordsDiagnoser(Diagnoser):
@ -25,19 +29,20 @@ class DNSRecordsDiagnoser(Diagnoser):
main_domain = _get_maindomain()
all_domains = domain_list()["domains"]
for domain in all_domains:
major_domains = domain_list(exclude_subdomains=True)["domains"]
for domain in major_domains:
self.logger_debug("Diagnosing DNS conf for %s" % domain)
is_subdomain = domain.split(".", 1)[1] in all_domains
for report in self.check_domain(
domain, domain == main_domain, is_subdomain=is_subdomain
domain,
domain == main_domain,
):
yield report
# Check if a domain buy by the user will expire soon
psl = PublicSuffixList()
domains_from_registrar = [
psl.get_public_suffix(domain) for domain in all_domains
psl.get_public_suffix(domain) for domain in major_domains
]
domains_from_registrar = [
domain for domain in domains_from_registrar if "." in domain
@ -48,16 +53,25 @@ class DNSRecordsDiagnoser(Diagnoser):
for report in self.check_expiration_date(domains_from_registrar):
yield report
def check_domain(self, domain, is_main_domain, is_subdomain):
def check_domain(self, domain, is_main_domain):
if is_special_use_tld(domain):
categories = []
yield dict(
meta={"domain": domain},
data={},
status="INFO",
summary="diagnosis_dns_specialusedomain",
)
base_dns_zone = _get_dns_zone_for_domain(domain)
basename = domain.replace(base_dns_zone, "").rstrip(".") or "@"
expected_configuration = _build_dns_conf(
domain, include_empty_AAAA_if_no_ipv6=True
)
categories = ["basic", "mail", "xmpp", "extra"]
# For subdomains, we only diagnosis A and AAAA records
if is_subdomain:
categories = ["basic"]
for category in categories:
@ -66,8 +80,21 @@ class DNSRecordsDiagnoser(Diagnoser):
results = {}
for r in records:
id_ = r["type"] + ":" + r["name"]
r["current"] = self.get_current_record(domain, r["name"], r["type"])
fqdn = r["name"] + "." + base_dns_zone if r["name"] != "@" else domain
# Ugly hack to not check mail records for subdomains stuff,
# otherwise will end up in a shitstorm of errors for people with many subdomains...
# Should find a cleaner solution in the suggested conf...
if r["type"] in ["MX", "TXT"] and fqdn not in [
domain,
f"mail._domainkey.{domain}",
f"_dmarc.{domain}",
]:
continue
r["current"] = self.get_current_record(fqdn, r["type"])
if r["value"] == "@":
r["value"] = domain + "."
@ -90,7 +117,10 @@ class DNSRecordsDiagnoser(Diagnoser):
# A bad or missing A record is critical ...
# And so is a wrong AAAA record
# (However, a missing AAAA record is acceptable)
if results["A:@"] != "OK" or results["AAAA:@"] == "WRONG":
if (
results[f"A:{basename}"] != "OK"
or results[f"AAAA:{basename}"] == "WRONG"
):
return True
return False
@ -102,6 +132,12 @@ class DNSRecordsDiagnoser(Diagnoser):
status = "SUCCESS"
summary = "diagnosis_dns_good_conf"
# If status is okay and there's actually no expected records
# (e.g. XMPP disabled)
# then let's not yield any diagnosis line
if not records and "status" == "SUCCESS":
continue
output = dict(
meta={"domain": domain, "category": category},
data=results,
@ -111,10 +147,7 @@ class DNSRecordsDiagnoser(Diagnoser):
if discrepancies:
# For ynh-managed domains (nohost.me etc...), tell people to try to "yunohost dyndns update --force"
if any(
domain.endswith(ynh_dyndns_domain)
for ynh_dyndns_domain in YNH_DYNDNS_DOMAINS
):
if is_yunohost_dyndns_domain(domain):
output["details"] = ["diagnosis_dns_try_dyndns_update_force"]
# Otherwise point to the documentation
else:
@ -123,10 +156,9 @@ class DNSRecordsDiagnoser(Diagnoser):
yield output
def get_current_record(self, domain, name, type_):
def get_current_record(self, fqdn, type_):
query = "%s.%s" % (name, domain) if name != "@" else domain
success, answers = dig(query, type_, resolvers="force_external")
success, answers = dig(fqdn, type_, resolvers="force_external")
if success != "ok":
return None
@ -154,7 +186,7 @@ class DNSRecordsDiagnoser(Diagnoser):
)
# For SPF, ignore parts starting by ip4: or ip6:
if r["name"] == "@":
if "v=spf1" in r["value"]:
current = {
part
for part in current
@ -173,7 +205,6 @@ class DNSRecordsDiagnoser(Diagnoser):
"""
Alert if expiration date of a domain is soon
"""
details = {"not_found": [], "error": [], "warning": [], "success": []}
for domain in domains:
@ -183,6 +214,7 @@ class DNSRecordsDiagnoser(Diagnoser):
status_ns, _ = dig(domain, "NS", resolvers="force_external")
status_a, _ = dig(domain, "A", resolvers="force_external")
if "ok" not in [status_ns, status_a]:
# i18n: diagnosis_domain_not_found_details
details["not_found"].append(
(
"diagnosis_domain_%s_details" % (expire_date),
@ -217,6 +249,12 @@ class DNSRecordsDiagnoser(Diagnoser):
# Allow to ignore specifically a single domain
if len(details[alert_type]) == 1:
meta["domain"] = details[alert_type][0][1]["domain"]
# i18n: diagnosis_domain_expiration_not_found
# i18n: diagnosis_domain_expiration_error
# i18n: diagnosis_domain_expiration_warning
# i18n: diagnosis_domain_expiration_success
# i18n: diagnosis_domain_expiration_not_found_details
yield dict(
meta=meta,
data={},

11
data/hooks/diagnosis/21-web.py
View file

@ -8,6 +8,7 @@ from moulinette.utils.filesystem import read_file
from yunohost.diagnosis import Diagnoser
from yunohost.domain import domain_list
from yunohost.utils.dns import is_special_use_tld
DIAGNOSIS_SERVER = "diagnosis.yunohost.org"
@ -34,6 +35,12 @@ class WebDiagnoser(Diagnoser):
summary="diagnosis_http_nginx_conf_not_up_to_date",
details=["diagnosis_http_nginx_conf_not_up_to_date_details"],
)
elif is_special_use_tld(domain):
yield dict(
meta={"domain": domain},
status="INFO",
summary="diagnosis_http_special_use_tld",
)
else:
domains_to_check.append(domain)
@ -115,6 +122,10 @@ class WebDiagnoser(Diagnoser):
for domain in domains:
# i18n: diagnosis_http_bad_status_code
# i18n: diagnosis_http_connection_error
# i18n: diagnosis_http_timeout
# If both IPv4 and IPv6 (if applicable) are good
if all(
results[ipversion][domain]["status"] == "ok" for ipversion in ipversions

16
data/hooks/diagnosis/24-mail.py
View file

@ -12,7 +12,7 @@ from moulinette.utils.filesystem import read_yaml
from yunohost.diagnosis import Diagnoser
from yunohost.domain import _get_maindomain, domain_list
from yunohost.settings import settings_get
from yunohost.utils.network import dig
from yunohost.utils.dns import dig
DEFAULT_DNS_BLACKLIST = "/usr/share/yunohost/other/dnsbl_list.yml"
@ -35,11 +35,11 @@ class MailDiagnoser(Diagnoser):
# TODO check that the recent mail logs are not filled with thousand of email sending (unusual number of mail sent)
# TODO check for unusual failed sending attempt being refused in the logs ?
checks = [
"check_outgoing_port_25",
"check_ehlo",
"check_fcrdns",
"check_blacklist",
"check_queue",
"check_outgoing_port_25", # i18n: diagnosis_mail_outgoing_port_25_ok
"check_ehlo", # i18n: diagnosis_mail_ehlo_ok
"check_fcrdns", # i18n: diagnosis_mail_fcrdns_ok
"check_blacklist", # i18n: diagnosis_mail_blacklist_ok
"check_queue", # i18n: diagnosis_mail_queue_ok
]
for check in checks:
self.logger_debug("Running " + check)
@ -102,6 +102,10 @@ class MailDiagnoser(Diagnoser):
continue
if r["status"] != "ok":
# i18n: diagnosis_mail_ehlo_bad_answer
# i18n: diagnosis_mail_ehlo_bad_answer_details
# i18n: diagnosis_mail_ehlo_unreachable
# i18n: diagnosis_mail_ehlo_unreachable_details
summary = r["status"].replace("error_smtp_", "diagnosis_mail_ehlo_")
yield dict(
meta={"test": "mail_ehlo", "ipversion": ipversion},

4
data/hooks/diagnosis/50-systemresources.py
View file

@ -77,7 +77,9 @@ class SystemResourcesDiagnoser(Diagnoser):
# Ignore /dev/loop stuff which are ~virtual partitions ? (e.g. mounted to /snap/)
disk_partitions = [
d for d in disk_partitions if d.mountpoint in ["/", "/var"] or not d.device.startswith("/dev/loop")
d
for d in disk_partitions
if d.mountpoint in ["/", "/var"] or not d.device.startswith("/dev/loop")
]
for disk_partition in disk_partitions:

29
data/hooks/diagnosis/70-regenconf.py
View file

@ -1,9 +1,12 @@
#!/usr/bin/env python
import os
import re
from yunohost.settings import settings_get
from yunohost.diagnosis import Diagnoser
from yunohost.regenconf import _get_regenconf_infos, _calculate_hash
from moulinette.utils.filesystem import read_file
class RegenconfDiagnoser(Diagnoser):
@ -35,6 +38,32 @@ class RegenconfDiagnoser(Diagnoser):
details=["diagnosis_regenconf_manually_modified_details"],
)
if (
any(f["path"] == "/etc/ssh/sshd_config" for f in regenconf_modified_files)
and os.system(
"grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config"
)
!= 0
):
yield dict(
meta={"test": "sshd_config_insecure"},
status="ERROR",
summary="diagnosis_sshd_config_insecure",
)
# Check consistency between actual ssh port in sshd_config vs. setting
ssh_port_setting = settings_get("security.ssh.port")
ssh_port_line = re.findall(
r"\bPort *([0-9]{2,5})\b", read_file("/etc/ssh/sshd_config")
)
if len(ssh_port_line) == 1 and int(ssh_port_line[0]) != ssh_port_setting:
yield dict(
meta={"test": "sshd_config_port_inconsistency"},
status="WARNING",
summary="diagnosis_sshd_config_inconsistent",
details=["diagnosis_sshd_config_inconsistent_details"],
)
def manually_modified_files(self):
for category, infos in _get_regenconf_infos().items():

96
data/hooks/diagnosis/80-apps.py Normal file
View file

@ -0,0 +1,96 @@
#!/usr/bin/env python
import os
from yunohost.app import app_list
from yunohost.diagnosis import Diagnoser
class AppDiagnoser(Diagnoser):
id_ = os.path.splitext(os.path.basename(__file__))[0].split("-")[1]
cache_duration = 300
dependencies = []
def run(self):
apps = app_list(full=True)["apps"]
for app in apps:
app["issues"] = list(self.issues(app))
if not any(app["issues"] for app in apps):
yield dict(
meta={"test": "apps"},
status="SUCCESS",
summary="diagnosis_apps_allgood",
)
else:
for app in apps:
if not app["issues"]:
continue
level = (
"ERROR"
if any(issue[0] == "error" for issue in app["issues"])
else "WARNING"
)
yield dict(
meta={"test": "apps", "app": app["name"]},
status=level,
summary="diagnosis_apps_issue",
details=[issue[1] for issue in app["issues"]],
)
def issues(self, app):
# Check quality level in catalog
if not app.get("from_catalog") or app["from_catalog"].get("state") != "working":
yield ("error", "diagnosis_apps_not_in_app_catalog")
elif (
not isinstance(app["from_catalog"].get("level"), int)
or app["from_catalog"]["level"] == 0
):
yield ("error", "diagnosis_apps_broken")
elif app["from_catalog"]["level"] <= 4:
yield ("warning", "diagnosis_apps_bad_quality")
# Check for super old, deprecated practices
yunohost_version_req = (
app["manifest"].get("requirements", {}).get("yunohost", "").strip(">= ")
)
if yunohost_version_req.startswith("2."):
yield ("error", "diagnosis_apps_outdated_ynh_requirement")
deprecated_helpers = [
"yunohost app setting",
"yunohost app checkurl",
"yunohost app checkport",
"yunohost app initdb",
"yunohost tools port-available",
]
for deprecated_helper in deprecated_helpers:
if (
os.system(
f"grep -hr '{deprecated_helper}' {app['setting_path']}/scripts/ | grep -v -q '^\\s*#'"
)
== 0
):
yield ("error", "diagnosis_apps_deprecated_practices")
old_arg_regex = r"^domain=\${?[0-9]"
if (
os.system(
f"grep -q '{old_arg_regex}' {app['setting_path']}/scripts/install"
)
== 0
):
yield ("error", "diagnosis_apps_deprecated_practices")
def main(args, env, loggers):
return AppDiagnoser(args, env, loggers).diagnose()

6
data/hooks/post_user_create/ynh_multimedia
View file

@ -15,7 +15,11 @@ mkdir -p "$MEDIA_DIRECTORY/$user/Video"
mkdir -p "$MEDIA_DIRECTORY/$user/eBook"
ln -sfn "$MEDIA_DIRECTORY/share" "$MEDIA_DIRECTORY/$user/Share"
# Création du lien symbolique dans le home de l'utilisateur.
ln -sfn "$MEDIA_DIRECTORY/$user" "/home/$user/Multimedia"
#link will only be created if the home directory of the user exists and if it's located in '/home' folder
user_home="$(getent passwd $user | cut -d: -f6 | grep '^/home/')"
if [[ -d "$user_home" ]]; then
ln -sfn "$MEDIA_DIRECTORY/$user" "$user_home/Multimedia"
fi
# Propriétaires des dossiers utilisateurs.
chown -R $user "$MEDIA_DIRECTORY/$user"

100
data/hooks/restore/05-conf_ldap
View file

@ -1,61 +1,53 @@
#!/bin/bash
backup_dir="${1}/conf/ldap"
if [[ $EUID -ne 0 ]]; then
systemctl stop slapd
# We need to execute this script as root, since the ldap
# service will be shut down during the operation (and sudo
# won't be available)
/bin/bash $(readlink -f $0) $1
# Create a directory for backup
TMPDIR="/tmp/$(date +%s)"
mkdir -p "$TMPDIR"
else
die() {
state=$1
error=$2
service slapd stop || true
# Restore saved configuration and database
[[ $state -ge 1 ]] \
&& (rm -rf /etc/ldap/slapd.d &&
mv "${TMPDIR}/slapd.d" /etc/ldap/slapd.d)
[[ $state -ge 2 ]] \
&& (rm -rf /var/lib/ldap &&
mv "${TMPDIR}/ldap" /var/lib/ldap)
chown -R openldap: /etc/ldap/slapd.d /var/lib/ldap
# Create a directory for backup
TMPDIR="/tmp/$(date +%s)"
mkdir -p "$TMPDIR"
die() {
state=$1
error=$2
# Restore saved configuration and database
[[ $state -ge 1 ]] \
&& (rm -rf /etc/ldap/slapd.d &&
mv "${TMPDIR}/slapd.d" /etc/ldap/slapd.d)
[[ $state -ge 2 ]] \
&& (rm -rf /var/lib/ldap &&
mv "${TMPDIR}/ldap" /var/lib/ldap)
chown -R openldap: /etc/ldap/slapd.d /var/lib/ldap
service slapd start
rm -rf "$TMPDIR"
# Print an error message and exit
printf "%s" "$error" 1>&2
exit 1
}
# Restore the configuration
mv /etc/ldap/slapd.d "$TMPDIR"
mkdir -p /etc/ldap/slapd.d
cp -a "${backup_dir}/ldap.conf" /etc/ldap/ldap.conf
cp -a "${backup_dir}/slapd.ldif" /etc/ldap/slapd.ldif
# Legacy thing but we need it to force the regen-conf in case of it exist
cp -a "${backup_dir}/slapd.conf" /etc/ldap/slapd.conf
slapadd -F /etc/ldap/slapd.d -b cn=config \
-l "${backup_dir}/cn=config.master.ldif" \
|| die 1 "Unable to restore LDAP configuration"
chown -R openldap: /etc/ldap/slapd.d
# Restore the database
mv /var/lib/ldap "$TMPDIR"
mkdir -p /var/lib/ldap
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org \
-l "${backup_dir}/dc=yunohost-dc=org.ldif" \
|| die 2 "Unable to restore LDAP database"
chown -R openldap: /var/lib/ldap
service slapd start
systemctl start slapd
rm -rf "$TMPDIR"
fi
# Print an error message and exit
printf "%s" "$error" 1>&2
exit 1
}
# Restore the configuration
mv /etc/ldap/slapd.d "$TMPDIR"
mkdir -p /etc/ldap/slapd.d
cp -a "${backup_dir}/ldap.conf" /etc/ldap/ldap.conf
# Legacy thing but we need it to force the regen-conf in case of it exist
[ ! -e "${backup_dir}/slapd.conf" ] \
|| cp -a "${backup_dir}/slapd.conf" /etc/ldap/slapd.conf
slapadd -F /etc/ldap/slapd.d -b cn=config \
-l "${backup_dir}/cn=config.master.ldif" \
|| die 1 "Unable to restore LDAP configuration"
chown -R openldap: /etc/ldap/slapd.d
# Restore the database
mv /var/lib/ldap "$TMPDIR"
mkdir -p /var/lib/ldap
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org \
-l "${backup_dir}/dc=yunohost-dc=org.ldif" \
|| die 2 "Unable to restore LDAP database"
chown -R openldap: /var/lib/ldap
systemctl start slapd
rm -rf "$TMPDIR"

9
data/hooks/restore/08-conf_ssh
View file

@ -1,9 +0,0 @@
backup_dir="$1/conf/ssh"
if [ -d /etc/ssh/ ]; then
cp -a $backup_dir/. /etc/ssh
service ssh restart
else
echo "SSH is not installed"
fi

3
data/hooks/restore/14-conf_ssowat
View file

@ -1,3 +0,0 @@
backup_dir="$1/conf/ssowat"
cp -a $backup_dir/. /etc/ssowat

6
data/hooks/backup/14-conf_ssowat → data/hooks/restore/18-data_multimedia Executable file → Normal file
View file

@ -6,8 +6,4 @@ set -eu
# Source YNH helpers
source /usr/share/yunohost/helpers
# Backup destination
backup_dir="${1}/conf/ssowat"
# Backup the configuration
ynh_backup "/etc/ssowat" "$backup_dir"
ynh_restore_file --origin_path="/home/yunohost.multimedia" --not_mandatory

4
data/hooks/restore/20-conf_ynh_firewall
View file

@ -1,4 +0,0 @@
backup_dir="$1/conf/ynh/firewall"
cp -a $backup_dir/. /etc/yunohost
yunohost firewall reload

8
data/hooks/restore/20-conf_ynh_settings Normal file
View file

@ -0,0 +1,8 @@
backup_dir="$1/conf/ynh"
cp -a "${backup_dir}/current_host" /etc/yunohost/current_host
cp -a "${backup_dir}/firewall.yml" /etc/yunohost/firewall.yml
cp -a "${backup_dir}/domains" /etc/yunohost/domains
[ ! -e "${backup_dir}/settings.json" ] || cp -a "${backup_dir}/settings.json" "/etc/yunohost/settings.json"
[ ! -d "${backup_dir}/dyndns" ] || cp -raT "${backup_dir}/dyndns" "/etc/yunohost/dyndns"
[ ! -d "${backup_dir}/dkim" ] || cp -raT "${backup_dir}/dkim" "/etc/dkim"

2
data/hooks/restore/21-conf_ynh_certs
View file

@ -3,5 +3,3 @@ backup_dir="$1/conf/ynh/certs"
mkdir -p /etc/yunohost/certs/
cp -a $backup_dir/. /etc/yunohost/certs/
service nginx reload
service metronome reload

9
data/hooks/restore/22-conf_mail
View file

@ -1,9 +0,0 @@
#!/bin/bash
backup_dir="$1/conf/dkim"
cp -a $backup_dir/etc/dkim/. /etc/dkim
chown -R root:root /etc/dkim
chown _rspamd:root /etc/dkim
chown _rspamd:root /etc/dkim/*.mail.key

4
data/hooks/restore/23-data_mail
View file

@ -2,7 +2,3 @@ backup_dir="$1/data/mail"
cp -a $backup_dir/. /var/mail/ || echo 'No mail found'
chown -R vmail:mail /var/mail/
# Restart services to use migrated certs
service postfix restart
service dovecot restart

7
data/hooks/restore/26-conf_xmpp
View file

@ -1,7 +0,0 @@
backup_dir="$1/conf/xmpp"
cp -a $backup_dir/etc/. /etc/metronome
cp -a $backup_dir/var/. /var/lib/metronome
# Restart to apply new conf and certs
service metronome restart

4
data/hooks/restore/27-data_xmpp Normal file
View file

@ -0,0 +1,4 @@
backup_dir="$1/data/xmpp"
cp -a $backup_dir/var_lib_metronome/. /var/lib/metronome
cp -a $backup_dir/var_xmpp-upload/. /var/xmpp-upload

7
data/hooks/restore/29-conf_nginx
View file

@ -1,7 +0,0 @@
backup_dir="$1/conf/nginx"
# Copy all conf except apps specific conf located in DOMAIN.d
find $backup_dir/ -mindepth 1 -maxdepth 1 -name '*.d' -or -exec cp -a {} /etc/nginx/conf.d/ \;
# Restart to use new conf and certs
service nginx restart

3
data/hooks/restore/40-conf_ynh_currenthost
View file

@ -1,3 +0,0 @@
backup_dir="$1/conf/ynh"
cp -a "${backup_dir}/current_host" /etc/yunohost/current_host

9
data/hooks/restore/42-conf_ynh_dyndns
View file

@ -1,9 +0,0 @@
#!/bin/bash
source /usr/share/yunohost/helpers
ynh_abort_if_errors
YNH_CWD="${YNH_BACKUP_DIR%/}/conf/ynh/dyndns"
cd "$YNH_CWD"
# Restore file if exists
ynh_restore_file --origin_path="/etc/yunohost/dyndns" --not_mandatory

13
data/hooks/restore/50-conf_manually_modified_files Normal file
View file

@ -0,0 +1,13 @@
#!/bin/bash
source /usr/share/yunohost/helpers
ynh_abort_if_errors
YNH_CWD="${YNH_BACKUP_DIR%/}/conf/manually_modified_files"
cd "$YNH_CWD"
for file in $(cat ./manually_modified_files_list)
do
ynh_restore_file --origin_path="$file" --not_mandatory
done
ynh_restore_file --origin_path="/etc/ssowat/conf.json.persistent" --not_mandatory

55
data/other/config_domain.toml Normal file
View file

@ -0,0 +1,55 @@
version = "1.0"
i18n = "domain_config"
#
# Other things we may want to implement in the future:
#
# - maindomain handling
# - default app
# - autoredirect www in nginx conf
# - ?
#
[feature]
[feature.mail]
#services = ['postfix', 'dovecot']
[feature.mail.features_disclaimer]
type = "alert"
style = "warning"
icon = "warning"
[feature.mail.mail_out]
type = "boolean"
default = 1
[feature.mail.mail_in]
type = "boolean"
default = 1
#[feature.mail.backup_mx]
#type = "tags"
#default = []
#pattern.regexp = '^([^\W_A-Z]+([-]*[^\W_A-Z]+)*\.)+((xn--)?[^\W_]{2,})$'
#pattern.error = "pattern_error"
[feature.xmpp]
[feature.xmpp.xmpp]
type = "boolean"
default = 0
[dns]
[dns.registrar]
optional = true
# This part is automatically generated in DomainConfigPanel
# [dns.advanced]
#
# [dns.advanced.ttl]
# type = "number"
# min = 0
# default = 3600

12
data/other/dnsbl_list.yml
View file

@ -151,12 +151,6 @@
ipv4: true
ipv6: false
domain: false
- name: Invaluement
dns_server: sip.invaluement.com
website: https://www.invaluement.com/
ipv4: true
ipv6: false
domain: false
# Added cause it supports IPv6
- name: AntiCaptcha.NET IPv6
dns_server: dnsbl6.anticaptcha.net
@ -164,12 +158,6 @@
ipv4: false
ipv6: true
domain: false
- name: SPFBL.net RBL
dns_server: dnsbl.spfbl.net
website: https://spfbl.net/en/dnsbl/
ipv4: true
ipv6: true
domain: true
- name: Suomispam Blacklist
dns_server: bl.suomispam.net
website: http://suomispam.net/

91
data/other/ldap_scheme.yml
View file

@ -1,91 +0,0 @@
parents:
ou=users:
ou: users
objectClass:
- organizationalUnit
- top
ou=domains:
ou: domains
objectClass:
- organizationalUnit
- top
ou=apps:
ou: apps
objectClass:
- organizationalUnit
- top
ou=permission:
ou: permission
objectClass:
- organizationalUnit
- top
ou=groups:
ou: groups
objectClass:
- organizationalUnit
- top
ou=sudo:
ou: sudo
objectClass:
- organizationalUnit
- top
children:
cn=admin,ou=sudo:
cn: admin
sudoUser: admin
sudoHost: ALL
sudoCommand: ALL
sudoOption: "!authenticate"
objectClass:
- sudoRole
- top
cn=admins,ou=groups:
cn: admins
gidNumber: "4001"
memberUid: admin
objectClass:
- posixGroup
- top
cn=all_users,ou=groups:
cn: all_users
gidNumber: "4002"
objectClass:
- posixGroup
- groupOfNamesYnh
cn=visitors,ou=groups:
cn: visitors
gidNumber: "4003"
objectClass:
- posixGroup
- groupOfNamesYnh
depends_children:
cn=mail.main,ou=permission:
cn: mail.main
gidNumber: "5001"
objectClass:
- posixGroup
- permissionYnh
groupPermission:
- "cn=all_users,ou=groups,dc=yunohost,dc=org"
authHeader: "FALSE"
label: "E-mail"
showTile: "FALSE"
isProtected: "TRUE"
cn=xmpp.main,ou=permission:
cn: xmpp.main
gidNumber: "5002"
objectClass:
- posixGroup
- permissionYnh
groupPermission:
- "cn=all_users,ou=groups,dc=yunohost,dc=org"
authHeader: "FALSE"
label: "XMPP"
showTile: "FALSE"
isProtected: "TRUE"

649
data/other/registrar_list.toml Normal file
View file

@ -0,0 +1,649 @@
[aliyun]
[aliyun.auth_key_id]
type = "string"
redact = true
[aliyun.auth_secret]
type = "string"
redact = true
[aurora]
[aurora.auth_api_key]
type = "string"
redact = true
[aurora.auth_secret_key]
type = "string"
redact = true
[azure]
[azure.auth_client_id]
type = "string"
redact = true
[azure.auth_client_secret]
type = "string"
redact = true
[azure.auth_tenant_id]
type = "string"
redact = true
[azure.auth_subscription_id]
type = "string"
redact = true
[azure.resource_group]
type = "string"
redact = true
[cloudflare]
[cloudflare.auth_username]
type = "string"
redact = true
[cloudflare.auth_token]
type = "string"
redact = true
[cloudflare.zone_id]
type = "string"
redact = true
[cloudns]
[cloudns.auth_id]
type = "string"
redact = true
[cloudns.auth_subid]
type = "string"
redact = true
[cloudns.auth_subuser]
type = "string"
redact = true
[cloudns.auth_password]
type = "password"
[cloudns.weight]
type = "number"
[cloudns.port]
type = "number"
[cloudxns]
[cloudxns.auth_username]
type = "string"
redact = true
[cloudxns.auth_token]
type = "string"
redact = true
[conoha]
[conoha.auth_region]
type = "string"
redact = true
[conoha.auth_token]
type = "string"
redact = true
[conoha.auth_username]
type = "string"
redact = true
[conoha.auth_password]
type = "password"
[conoha.auth_tenant_id]
type = "string"
redact = true
[constellix]
[constellix.auth_username]
type = "string"
redact = true
[constellix.auth_token]
type = "string"
redact = true
[digitalocean]
[digitalocean.auth_token]
type = "string"
redact = true
[dinahosting]
[dinahosting.auth_username]
type = "string"
redact = true
[dinahosting.auth_password]
type = "password"
[directadmin]
[directadmin.auth_password]
type = "password"
[directadmin.auth_username]
type = "string"
redact = true
[directadmin.endpoint]
type = "string"
redact = true
[dnsimple]
[dnsimple.auth_token]
type = "string"
redact = true
[dnsimple.auth_username]
type = "string"
redact = true
[dnsimple.auth_password]
type = "password"
[dnsimple.auth_2fa]
type = "string"
redact = true
[dnsmadeeasy]
[dnsmadeeasy.auth_username]
type = "string"
redact = true
[dnsmadeeasy.auth_token]
type = "string"
redact = true
[dnspark]
[dnspark.auth_username]
type = "string"
redact = true
[dnspark.auth_token]
type = "string"
redact = true
[dnspod]
[dnspod.auth_username]
type = "string"
redact = true
[dnspod.auth_token]
type = "string"
redact = true
[dreamhost]
[dreamhost.auth_token]
type = "string"
redact = true
[dynu]
[dynu.auth_token]
type = "string"
redact = true
[easydns]
[easydns.auth_username]
type = "string"
redact = true
[easydns.auth_token]
type = "string"
redact = true
[easyname]
[easyname.auth_username]
type = "string"
redact = true
[easyname.auth_password]
type = "password"
[euserv]
[euserv.auth_username]
type = "string"
redact = true
[euserv.auth_password]
type = "password"
[exoscale]
[exoscale.auth_key]
type = "string"
redact = true
[exoscale.auth_secret]
type = "string"
redact = true
[gandi]
[gandi.auth_token]
type = "string"
redact = true
[gandi.api_protocol]
type = "string"
choices.rpc = "RPC"
choices.rest = "REST"
default = "rest"
visible = "false"
[gehirn]
[gehirn.auth_token]
type = "string"
redact = true
[gehirn.auth_secret]
type = "string"
redact = true
[glesys]
[glesys.auth_username]
type = "string"
redact = true
[glesys.auth_token]
type = "string"
redact = true
[godaddy]
[godaddy.auth_key]
type = "string"
redact = true
[godaddy.auth_secret]
type = "string"
redact = true
[googleclouddns]
[goggleclouddns.auth_service_account_info]
type = "string"
redact = true
[gransy]
[gransy.auth_username]
type = "string"
redact = true
[gransy.auth_password]
type = "password"
[gratisdns]
[gratisdns.auth_username]
type = "string"
redact = true
[gratisdns.auth_password]
type = "password"
[henet]
[henet.auth_username]
type = "string"
redact = true
[henet.auth_password]
type = "password"
[hetzner]
[hetzner.auth_token]
type = "string"
redact = true
[hostingde]
[hostingde.auth_token]
type = "string"
redact = true
[hover]
[hover.auth_username]
type = "string"
redact = true
[hover.auth_password]
type = "password"
[infoblox]
[infoblox.auth_user]
type = "string"
redact = true
[infoblox.auth_psw]
type = "password"
[infoblox.ib_view]
type = "string"
redact = true
[infoblox.ib_host]
type = "string"
redact = true
[infomaniak]
[infomaniak.auth_token]
type = "string"
redact = true
[internetbs]
[internetbs.auth_key]
type = "string"
redact = true
[internetbs.auth_password]
type = "string"
redact = true
[inwx]
[inwx.auth_username]
type = "string"
redact = true
[inwx.auth_password]
type = "password"
[joker]
[joker.auth_token]
type = "string"
redact = true
[linode]
[linode.auth_token]
type = "string"
redact = true
[linode4]
[linode4.auth_token]
type = "string"
redact = true
[localzone]
[localzone.filename]
type = "string"
redact = true
[luadns]
[luadns.auth_username]
type = "string"
redact = true
[luadns.auth_token]
type = "string"
redact = true
[memset]
[memset.auth_token]
type = "string"
redact = true
[mythicbeasts]
[mythicbeasts.auth_username]
type = "string"
redact = true
[mythicbeasts.auth_password]
type = "password"
[mythicbeasts.auth_token]
type = "string"
redact = true
[namecheap]
[namecheap.auth_token]
type = "string"
redact = true
[namecheap.auth_username]
type = "string"
redact = true
[namecheap.auth_client_ip]
type = "string"
redact = true
[namecheap.auth_sandbox]
type = "string"
redact = true
[namesilo]
[namesilo.auth_token]
type = "string"
redact = true
[netcup]
[netcup.auth_customer_id]
type = "string"
redact = true
[netcup.auth_api_key]
type = "string"
redact = true
[netcup.auth_api_password]
type = "string"
redact = true
[nfsn]
[nfsn.auth_username]
type = "string"
redact = true
[nfsn.auth_token]
type = "string"
redact = true
[njalla]
[njalla.auth_token]
type = "string"
redact = true
[nsone]
[nsone.auth_token]
type = "string"
redact = true
[onapp]
[onapp.auth_username]
type = "string"
redact = true
[onapp.auth_token]
type = "string"
redact = true
[onapp.auth_server]
type = "string"
redact = true
[online]
[online.auth_token]
type = "string"
redact = true
[ovh]
[ovh.auth_entrypoint]
type = "select"
choices = ["ovh-eu", "ovh-ca", "soyoustart-eu", "soyoustart-ca", "kimsufi-eu", "kimsufi-ca"]
default = "ovh-eu"
[ovh.auth_application_key]
type = "string"
redact = true
[ovh.auth_application_secret]
type = "string"
redact = true
[ovh.auth_consumer_key]
type = "string"
redact = true
[plesk]
[plesk.auth_username]
type = "string"
redact = true
[plesk.auth_password]
type = "password"
[plesk.plesk_server]
type = "string"
redact = true
[pointhq]
[pointhq.auth_username]
type = "string"
redact = true
[pointhq.auth_token]
type = "string"
redact = true
[powerdns]
[powerdns.auth_token]
type = "string"
redact = true
[powerdns.pdns_server]
type = "string"
redact = true
[powerdns.pdns_server_id]
type = "string"
redact = true
[powerdns.pdns_disable_notify]
type = "boolean"
[rackspace]
[rackspace.auth_account]
type = "string"
redact = true
[rackspace.auth_username]
type = "string"
redact = true
[rackspace.auth_api_key]
type = "string"
redact = true
[rackspace.auth_token]
type = "string"
redact = true
[rackspace.sleep_time]
type = "string"
redact = true
[rage4]
[rage4.auth_username]
type = "string"
redact = true
[rage4.auth_token]
type = "string"
redact = true
[rcodezero]
[rcodezero.auth_token]
type = "string"
redact = true
[route53]
[route53.auth_access_key]
type = "string"
redact = true
[route53.auth_access_secret]
type = "string"
redact = true
[route53.private_zone]
type = "string"
redact = true
[route53.auth_username]
type = "string"
redact = true
[route53.auth_token]
type = "string"
redact = true
[safedns]
[safedns.auth_token]
type = "string"
redact = true
[sakuracloud]
[sakuracloud.auth_token]
type = "string"
redact = true
[sakuracloud.auth_secret]
type = "string"
redact = true
[softlayer]
[softlayer.auth_username]
type = "string"
redact = true
[softlayer.auth_api_key]
type = "string"
redact = true
[transip]
[transip.auth_username]
type = "string"
redact = true
[transip.auth_api_key]
type = "string"
redact = true
[ultradns]
[ultradns.auth_token]
type = "string"
redact = true
[ultradns.auth_username]
type = "string"
redact = true
[ultradns.auth_password]
type = "password"
[vultr]
[vultr.auth_token]
type = "string"
redact = true
[yandex]
[yandex.auth_token]
type = "string"
redact = true
[zeit]
[zeit.auth_token]
type = "string"
redact = true
[zilore]
[zilore.auth_key]
type = "string"
redact = true
[zonomi]
[zonomy.auth_token]
type = "string"
redact = true
[zonomy.auth_entrypoint]
type = "string"
redact = true

68
data/templates/avahi-daemon/avahi-daemon.conf
View file

@ -1,68 +0,0 @@
# This file is part of avahi.
#
# avahi is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# avahi is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
# License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with avahi; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA.
# See avahi-daemon.conf(5) for more information on this configuration
# file!
[server]
host-name=yunohost
domain-name=local
#browse-domains=0pointer.de, zeroconf.org
use-ipv4=yes
use-ipv6=yes
#allow-interfaces=eth0
#deny-interfaces=eth1
#check-response-ttl=no
#use-iff-running=no
#enable-dbus=yes
#disallow-other-stacks=no
#allow-point-to-point=no
#cache-entries-max=4096
#clients-max=4096
#objects-per-client-max=1024
#entries-per-entry-group-max=32
ratelimit-interval-usec=1000000
ratelimit-burst=1000
[wide-area]
enable-wide-area=yes
[publish]
#disable-publishing=no
#disable-user-service-publishing=no
#add-service-cookie=no
#publish-addresses=yes
#publish-hinfo=yes
#publish-workstation=yes
#publish-domain=yes
#publish-dns-servers=192.168.50.1, 192.168.50.2
#publish-resolv-conf-dns-servers=yes
#publish-aaaa-on-ipv4=yes
#publish-a-on-ipv6=no
[reflector]
#enable-reflector=no
#reflect-ipv=no
[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=768
rlimit-stack=4194304
rlimit-nproc=3

8
data/templates/dnsmasq/plain/resolv.dnsmasq.conf
View file

@ -12,9 +12,6 @@ nameserver 80.67.169.12
nameserver 2001:910:800::12
nameserver 80.67.169.40
nameserver 2001:910:800::40
# (FR) LDN
nameserver 80.67.188.188
nameserver 2001:913::8
# (FR) ARN
nameserver 89.234.141.66
nameserver 2a00:5881:8100:1000::3
@ -23,11 +20,6 @@ nameserver 185.233.100.100
nameserver 2a0c:e300::100
nameserver 185.233.100.101
nameserver 2a0c:e300::101
# (FR) gozmail / grifon
nameserver 80.67.190.200
nameserver 2a00:5884:8218::1
# (DE) FoeBud / Digital Courage
nameserver 85.214.20.141
# (DE) CCC Berlin
nameserver 195.160.173.53
# (DE) AS250

1
data/templates/fail2ban/yunohost-jails.conf
View file

@ -1,4 +1,5 @@
[sshd]
port = {{ssh_port}}
enabled = true
[nginx-http-auth]

2
data/templates/fail2ban/yunohost.conf
View file

@ -15,7 +15,7 @@
# Values: TEXT
#
failregex = helpers.lua:[0-9]+: authenticate\(\): Connection failed for: .*, client: <HOST>
^<HOST> -.*\"POST /yunohost/api/login HTTP/1.1\" 401
^<HOST> -.*\"POST /yunohost/api/login HTTP/\d.\d\" 401
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.

14
data/templates/mdns/yunomdns.service Normal file
View file

@ -0,0 +1,14 @@
[Unit]
Description=YunoHost mDNS service
After=network.target
[Service]
User=mdns
Group=mdns
Type=simple
Environment=PYTHONUNBUFFERED=1
ExecStart=/usr/bin/yunomdns
StandardOutput=syslog
[Install]
WantedBy=default.target

5
data/templates/metronome/metronome.cfg.lua
View file

@ -32,6 +32,7 @@ modules_enabled = {
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
"pep"; -- Allows setting of mood, tune, etc.
"pubsub"; -- Publish-subscribe XEP-0060
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
"bidi"; -- Enables Bidirectional Server-to-Server Streams.
@ -95,6 +96,10 @@ allow_registration = false
-- Use LDAP storage backend for all stores
storage = "ldap"
-- stanza optimization
csi_config_queue_all_muc_messages_but_mentions = false;
-- Logging configuration
log = {
info = "/var/log/metronome/metronome.log"; -- Change 'info' to 'debug' for verbose logging

2
data/templates/mysql/my.cnf
View file

@ -30,7 +30,7 @@ skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 16M
table_open_cache = 4
sort_buffer_size = 64K
sort_buffer_size = 4M
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K

11
data/templates/nginx/plain/yunohost_admin.conf.inc
View file

@ -1,11 +0,0 @@
# Avoid the nginx path/alias traversal weakness ( #1037 )
rewrite ^/yunohost/admin$ /yunohost/admin/ permanent;
location /yunohost/admin/ {
alias /usr/share/yunohost/admin/;
default_type text/html;
index index.html;
more_set_headers "Content-Security-Policy: upgrade-insecure-requests; default-src 'self'; connect-src 'self' https://raw.githubusercontent.com https://paste.yunohost.org wss://$host; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; object-src 'none';";
more_set_headers "Content-Security-Policy-Report-Only:";
}

2
data/templates/nginx/plain/yunohost_panel.conf.inc
View file

@ -1,5 +1,5 @@
# Insert YunoHost button + portal overlay
sub_filter </head> '<script type="text/javascript" src="/ynh_portal.js"></script><link type="text/css" rel="stylesheet" href="/ynh_overlay.css"></link><script type="text/javascript" src="/ynhtheme/custom_portal.js"></script><link type="text/css" rel="stylesheet" href="/ynhtheme/custom_overlay.css"></link></head>';
sub_filter </head> '<script type="text/javascript" src="/ynh_portal.js"></script><link type="text/css" rel="stylesheet" href="/ynh_overlay.css"><script type="text/javascript" src="/ynhtheme/custom_portal.js"></script><link type="text/css" rel="stylesheet" href="/ynhtheme/custom_overlay.css"></head>';
sub_filter_once on;
# Apply to other mime types than text/html
sub_filter_types application/xhtml+xml;

13
data/templates/nginx/security.conf.inc
View file

@ -25,7 +25,11 @@ ssl_dhparam /usr/share/yunohost/other/ffdhe2048.pem;
# Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
# https://observatory.mozilla.org/
{% if experimental == "True" %}
more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data:";
{% else %}
more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
{% endif %}
more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval' ";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "X-XSS-Protection : 1; mode=block";
@ -33,6 +37,15 @@ more_set_headers "X-Download-Options : noopen";
more_set_headers "X-Permitted-Cross-Domain-Policies : none";
more_set_headers "X-Frame-Options : SAMEORIGIN";
# Disable the disaster privacy thing that is FLoC
{% if experimental == "True" %}
more_set_headers "Permissions-Policy : fullscreen=(), geolocation=(), payment=(), accelerometer=(), battery=(), magnetometer=(), usb=(), interest-cohort=()";
# Force HTTPOnly and Secure for all cookies
proxy_cookie_path ~$ "; HTTPOnly; Secure;";
{% else %}
more_set_headers "Permissions-Policy : interest-cohort=()";
{% endif %}
# Disable gzip to protect against BREACH
# Read https://trac.nginx.org/nginx/ticket/1720 (text/html cannot be disabled!)
gzip off;

Some files were not shown because too many files have changed in this diff Show more