YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Also lint/reformat core bash hooks

Browse source
This commit is contained in:
Alexandre Aubin 2021-10-06 16:29:14 +02:00
parent 6048d1b0b3
commit 5a7a719661
20 changed files with 819 additions and 833 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
data/hooks/backup/50-conf_manually_modified_files
View file

@ -6,13 +6,12 @@ YNH_CWD="${YNH_BACKUP_DIR%/}/conf/manually_modified_files"
mkdir -p "$YNH_CWD" mkdir -p "$YNH_CWD"
cd "$YNH_CWD" cd "$YNH_CWD"
yunohost tools shell -c "from yunohost.regenconf import manually_modified_files; print('\n'.join(manually_modified_files()))" > ./manually_modified_files_list yunohost tools shell -c "from yunohost.regenconf import manually_modified_files; print('\n'.join(manually_modified_files()))" >./manually_modified_files_list
ynh_backup --src_path="./manually_modified_files_list" ynh_backup --src_path="./manually_modified_files_list"
for file in $(cat ./manually_modified_files_list) for file in $(cat ./manually_modified_files_list); do
do
[[ -e $file ]] && ynh_backup --src_path="$file" [[ -e $file ]] && ynh_backup --src_path="$file"
done done
ynh_backup --src_path="/etc/ssowat/conf.json.persistent" ynh_backup --src_path="/etc/ssowat/conf.json.persistent"

314
data/hooks/conf_regen/01-yunohost
View file

@ -3,129 +3,128 @@
set -e set -e
do_init_regen() { do_init_regen() {
if [[ $EUID -ne 0 ]]; then if [[ $EUID -ne 0 ]]; then
echo "You must be root to run this script" 1>&2 echo "You must be root to run this script" 1>&2
exit 1 exit 1
fi fi
cd /usr/share/yunohost/templates/yunohost cd /usr/share/yunohost/templates/yunohost
[[ -d /etc/yunohost ]] || mkdir -p /etc/yunohost [[ -d /etc/yunohost ]] || mkdir -p /etc/yunohost
# set default current_host # set default current_host
[[ -f /etc/yunohost/current_host ]] \ [[ -f /etc/yunohost/current_host ]] \
|| echo "yunohost.org" > /etc/yunohost/current_host || echo "yunohost.org" >/etc/yunohost/current_host
# copy default services and firewall # copy default services and firewall
[[ -f /etc/yunohost/firewall.yml ]] \ [[ -f /etc/yunohost/firewall.yml ]] \
|| cp firewall.yml /etc/yunohost/firewall.yml || cp firewall.yml /etc/yunohost/firewall.yml
# allow users to access /media directory # allow users to access /media directory
[[ -d /etc/skel/media ]] \ [[ -d /etc/skel/media ]] \
|| (mkdir -p /media && ln -s /media /etc/skel/media) || (mkdir -p /media && ln -s /media /etc/skel/media)
# Cert folders # Cert folders
mkdir -p /etc/yunohost/certs mkdir -p /etc/yunohost/certs
chown -R root:ssl-cert /etc/yunohost/certs chown -R root:ssl-cert /etc/yunohost/certs
chmod 750 /etc/yunohost/certs chmod 750 /etc/yunohost/certs
# App folders # App folders
mkdir -p /etc/yunohost/apps mkdir -p /etc/yunohost/apps
chmod 700 /etc/yunohost/apps chmod 700 /etc/yunohost/apps
mkdir -p /home/yunohost.app mkdir -p /home/yunohost.app
chmod 755 /home/yunohost.app chmod 755 /home/yunohost.app
# Domain settings # Domain settings
mkdir -p /etc/yunohost/domains mkdir -p /etc/yunohost/domains
chmod 700 /etc/yunohost/domains chmod 700 /etc/yunohost/domains
# Backup folders # Backup folders
mkdir -p /home/yunohost.backup/archives mkdir -p /home/yunohost.backup/archives
chmod 750 /home/yunohost.backup/archives chmod 750 /home/yunohost.backup/archives
chown root:root /home/yunohost.backup/archives # This is later changed to admin:root once admin user exists chown root:root /home/yunohost.backup/archives # This is later changed to admin:root once admin user exists
# Empty ssowat json persistent conf # Empty ssowat json persistent conf
echo "{}" > '/etc/ssowat/conf.json.persistent' echo "{}" >'/etc/ssowat/conf.json.persistent'
chmod 644 /etc/ssowat/conf.json.persistent chmod 644 /etc/ssowat/conf.json.persistent
chown root:root /etc/ssowat/conf.json.persistent chown root:root /etc/ssowat/conf.json.persistent
# Empty service conf # Empty service conf
touch /etc/yunohost/services.yml touch /etc/yunohost/services.yml
mkdir -p /var/cache/yunohost/repo mkdir -p /var/cache/yunohost/repo
chown root:root /var/cache/yunohost chown root:root /var/cache/yunohost
chmod 700 /var/cache/yunohost chmod 700 /var/cache/yunohost
cp yunoprompt.service /etc/systemd/system/yunoprompt.service cp yunoprompt.service /etc/systemd/system/yunoprompt.service
cp dpkg-origins /etc/dpkg/origins/yunohost cp dpkg-origins /etc/dpkg/origins/yunohost
# Change dpkg vendor # Change dpkg vendor
# see https://wiki.debian.org/Derivatives/Guidelines#Vendor # see https://wiki.debian.org/Derivatives/Guidelines#Vendor
readlink -f /etc/dpkg/origins/default | grep -q debian \ readlink -f /etc/dpkg/origins/default | grep -q debian \
&& rm -f /etc/dpkg/origins/default \ && rm -f /etc/dpkg/origins/default \
&& ln -s /etc/dpkg/origins/yunohost /etc/dpkg/origins/default && ln -s /etc/dpkg/origins/yunohost /etc/dpkg/origins/default
} }
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/yunohost cd /usr/share/yunohost/templates/yunohost
# Legacy code that can be removed once on bullseye # Legacy code that can be removed once on bullseye
touch /etc/yunohost/services.yml touch /etc/yunohost/services.yml
yunohost tools shell -c "from yunohost.service import _get_services, _save_services; _save_services(_get_services())" yunohost tools shell -c "from yunohost.service import _get_services, _save_services; _save_services(_get_services())"
mkdir -p $pending_dir/etc/systemd/system mkdir -p $pending_dir/etc/systemd/system
mkdir -p $pending_dir/etc/cron.d/ mkdir -p $pending_dir/etc/cron.d/
mkdir -p $pending_dir/etc/cron.daily/ mkdir -p $pending_dir/etc/cron.daily/
# add cron job for diagnosis to be ran at 7h and 19h + a random delay between # add cron job for diagnosis to be ran at 7h and 19h + a random delay between
# 0 and 20min, meant to avoid every instances running their diagnosis at # 0 and 20min, meant to avoid every instances running their diagnosis at
# exactly the same time, which may overload the diagnosis server. # exactly the same time, which may overload the diagnosis server.
cat > $pending_dir/etc/cron.d/yunohost-diagnosis << EOF cat >$pending_dir/etc/cron.d/yunohost-diagnosis <<EOF
SHELL=/bin/bash SHELL=/bin/bash
0 7,19 * * * root : YunoHost Automatic Diagnosis; sleep \$((RANDOM\\%1200)); yunohost diagnosis run --email > /dev/null 2>/dev/null || echo "Running the automatic diagnosis failed miserably" 0 7,19 * * * root : YunoHost Automatic Diagnosis; sleep \$((RANDOM\\%1200)); yunohost diagnosis run --email > /dev/null 2>/dev/null || echo "Running the automatic diagnosis failed miserably"
EOF EOF
# Cron job that upgrade the app list everyday # Cron job that upgrade the app list everyday
cat > $pending_dir/etc/cron.daily/yunohost-fetch-apps-catalog << EOF cat >$pending_dir/etc/cron.daily/yunohost-fetch-apps-catalog <<EOF
#!/bin/bash #!/bin/bash
(sleep \$((RANDOM%3600)); yunohost tools update --apps > /dev/null) & (sleep \$((RANDOM%3600)); yunohost tools update --apps > /dev/null) &
EOF EOF
# Cron job that renew lets encrypt certificates if there's any that needs renewal # Cron job that renew lets encrypt certificates if there's any that needs renewal
cat > $pending_dir/etc/cron.daily/yunohost-certificate-renew << EOF cat >$pending_dir/etc/cron.daily/yunohost-certificate-renew <<EOF
#!/bin/bash #!/bin/bash
yunohost domain cert renew --email yunohost domain cert renew --email
EOF EOF
# If we subscribed to a dyndns domain, add the corresponding cron # If we subscribed to a dyndns domain, add the corresponding cron
# - delay between 0 and 60 secs to spread the check over a 1 min window # - delay between 0 and 60 secs to spread the check over a 1 min window
# - do not run the command if some process already has the lock, to avoid queuing hundreds of commands... # - do not run the command if some process already has the lock, to avoid queuing hundreds of commands...
if ls -l /etc/yunohost/dyndns/K*.private 2>/dev/null if ls -l /etc/yunohost/dyndns/K*.private 2>/dev/null; then
then cat >$pending_dir/etc/cron.d/yunohost-dyndns <<EOF
cat > $pending_dir/etc/cron.d/yunohost-dyndns << EOF
SHELL=/bin/bash SHELL=/bin/bash
*/10 * * * * root : YunoHost DynDNS update; sleep \$((RANDOM\\%60)); test -e /var/run/moulinette_yunohost.lock || yunohost dyndns update >> /dev/null */10 * * * * root : YunoHost DynDNS update; sleep \$((RANDOM\\%60)); test -e /var/run/moulinette_yunohost.lock || yunohost dyndns update >> /dev/null
EOF EOF
fi fi
# legacy stuff to avoid yunohost reporting etckeeper as manually modified # legacy stuff to avoid yunohost reporting etckeeper as manually modified
# (this make sure that the hash is null / file is flagged as to-delete) # (this make sure that the hash is null / file is flagged as to-delete)
mkdir -p $pending_dir/etc/etckeeper mkdir -p $pending_dir/etc/etckeeper
touch $pending_dir/etc/etckeeper/etckeeper.conf touch $pending_dir/etc/etckeeper/etckeeper.conf
# Skip ntp if inside a container (inspired from the conf of systemd-timesyncd) # Skip ntp if inside a container (inspired from the conf of systemd-timesyncd)
mkdir -p ${pending_dir}/etc/systemd/system/ntp.service.d/ mkdir -p ${pending_dir}/etc/systemd/system/ntp.service.d/
echo " echo "
[Unit] [Unit]
ConditionCapability=CAP_SYS_TIME ConditionCapability=CAP_SYS_TIME
ConditionVirtualization=!container ConditionVirtualization=!container
" > ${pending_dir}/etc/systemd/system/ntp.service.d/ynh-override.conf " >${pending_dir}/etc/systemd/system/ntp.service.d/ynh-override.conf
# Make nftable conflict with yunohost-firewall # Make nftable conflict with yunohost-firewall
mkdir -p ${pending_dir}/etc/systemd/system/nftables.service.d/ mkdir -p ${pending_dir}/etc/systemd/system/nftables.service.d/
cat > ${pending_dir}/etc/systemd/system/nftables.service.d/ynh-override.conf << EOF cat >${pending_dir}/etc/systemd/system/nftables.service.d/ynh-override.conf <<EOF
[Unit] [Unit]
# yunohost-firewall and nftables conflict with each other # yunohost-firewall and nftables conflict with each other
Conflicts=yunohost-firewall.service Conflicts=yunohost-firewall.service
@ -133,108 +132,107 @@ ConditionFileIsExecutable=!/etc/init.d/yunohost-firewall
ConditionPathExists=!/etc/systemd/system/multi-user.target.wants/yunohost-firewall.service ConditionPathExists=!/etc/systemd/system/multi-user.target.wants/yunohost-firewall.service
EOF EOF
# Don't suspend computer on LidSwitch # Don't suspend computer on LidSwitch
mkdir -p ${pending_dir}/etc/systemd/logind.conf.d/ mkdir -p ${pending_dir}/etc/systemd/logind.conf.d/
cat > ${pending_dir}/etc/systemd/logind.conf.d/ynh-override.conf << EOF cat >${pending_dir}/etc/systemd/logind.conf.d/ynh-override.conf <<EOF
[Login] [Login]
HandleLidSwitch=ignore HandleLidSwitch=ignore
HandleLidSwitchDocked=ignore HandleLidSwitchDocked=ignore
HandleLidSwitchExternalPower=ignore HandleLidSwitchExternalPower=ignore
EOF EOF
cp yunoprompt.service ${pending_dir}/etc/systemd/system/yunoprompt.service cp yunoprompt.service ${pending_dir}/etc/systemd/system/yunoprompt.service
if [[ "$(yunohost settings get 'security.experimental.enabled')" == "True" ]] if [[ "$(yunohost settings get 'security.experimental.enabled')" == "True" ]]; then
then cp proc-hidepid.service ${pending_dir}/etc/systemd/system/proc-hidepid.service
cp proc-hidepid.service ${pending_dir}/etc/systemd/system/proc-hidepid.service else
else touch ${pending_dir}/etc/systemd/system/proc-hidepid.service
touch ${pending_dir}/etc/systemd/system/proc-hidepid.service fi
fi
mkdir -p ${pending_dir}/etc/dpkg/origins/ mkdir -p ${pending_dir}/etc/dpkg/origins/
cp dpkg-origins ${pending_dir}/etc/dpkg/origins/yunohost cp dpkg-origins ${pending_dir}/etc/dpkg/origins/yunohost
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
###################### ######################
# Enfore permissions # # Enfore permissions #
###################### ######################
chmod 750 /home/admin chmod 750 /home/admin
chmod 750 /home/yunohost.conf chmod 750 /home/yunohost.conf
chmod 750 /home/yunohost.backup chmod 750 /home/yunohost.backup
chmod 750 /home/yunohost.backup/archives chmod 750 /home/yunohost.backup/archives
chown root:root /home/yunohost.conf chown root:root /home/yunohost.conf
chown admin:root /home/yunohost.backup chown admin:root /home/yunohost.backup
chown admin:root /home/yunohost.backup/archives chown admin:root /home/yunohost.backup/archives
# Certs # Certs
# We do this with find because there could be a lot of them... # We do this with find because there could be a lot of them...
chown -R root:ssl-cert /etc/yunohost/certs chown -R root:ssl-cert /etc/yunohost/certs
chmod 750 /etc/yunohost/certs chmod 750 /etc/yunohost/certs
find /etc/yunohost/certs/ -type f -exec chmod 640 {} \; find /etc/yunohost/certs/ -type f -exec chmod 640 {} \;
find /etc/yunohost/certs/ -type d -exec chmod 750 {} \; find /etc/yunohost/certs/ -type d -exec chmod 750 {} \;
find /etc/cron.*/yunohost-* -type f -exec chmod 755 {} \; find /etc/cron.*/yunohost-* -type f -exec chmod 755 {} \;
find /etc/cron.d/yunohost-* -type f -exec chmod 644 {} \; find /etc/cron.d/yunohost-* -type f -exec chmod 644 {} \;
find /etc/cron.*/yunohost-* -type f -exec chown root:root {} \; find /etc/cron.*/yunohost-* -type f -exec chown root:root {} \;
chown root:root /var/cache/yunohost chown root:root /var/cache/yunohost
chmod 700 /var/cache/yunohost chmod 700 /var/cache/yunohost
chown root:root /var/cache/moulinette chown root:root /var/cache/moulinette
chmod 700 /var/cache/moulinette chmod 700 /var/cache/moulinette
setfacl -m g:all_users:--- /var/www setfacl -m g:all_users:--- /var/www
setfacl -m g:all_users:--- /var/log/nginx setfacl -m g:all_users:--- /var/log/nginx
setfacl -m g:all_users:--- /etc/yunohost setfacl -m g:all_users:--- /etc/yunohost
setfacl -m g:all_users:--- /etc/ssowat setfacl -m g:all_users:--- /etc/ssowat
for USER in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username') for USER in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username'); do
do [ ! -e "/home/$USER" ] || setfacl -m g:all_users:--- /home/$USER
[ ! -e "/home/$USER" ] || setfacl -m g:all_users:--- /home/$USER done
done
# Domain settings # Domain settings
mkdir -p /etc/yunohost/domains mkdir -p /etc/yunohost/domains
# Misc configuration / state files # Misc configuration / state files
chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null) chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
chmod 600 $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null) chmod 600 $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
# Apps folder, custom hooks folder # Apps folder, custom hooks folder
[[ ! -e /etc/yunohost/hooks.d ]] || (chown root /etc/yunohost/hooks.d && chmod 700 /etc/yunohost/hooks.d) [[ ! -e /etc/yunohost/hooks.d ]] || (chown root /etc/yunohost/hooks.d && chmod 700 /etc/yunohost/hooks.d)
[[ ! -e /etc/yunohost/apps ]] || (chown root /etc/yunohost/apps && chmod 700 /etc/yunohost/apps) [[ ! -e /etc/yunohost/apps ]] || (chown root /etc/yunohost/apps && chmod 700 /etc/yunohost/apps)
[[ ! -e /etc/yunohost/domains ]] || (chown root /etc/yunohost/domains && chmod 700 /etc/yunohost/domains) [[ ! -e /etc/yunohost/domains ]] || (chown root /etc/yunohost/domains && chmod 700 /etc/yunohost/domains)
# Create ssh.app and sftp.app groups if they don't exist yet # Create ssh.app and sftp.app groups if they don't exist yet
grep -q '^ssh.app:' /etc/group || groupadd ssh.app grep -q '^ssh.app:' /etc/group || groupadd ssh.app
grep -q '^sftp.app:' /etc/group || groupadd sftp.app grep -q '^sftp.app:' /etc/group || groupadd sftp.app
# Propagates changes in systemd service config overrides # Propagates changes in systemd service config overrides
[[ ! "$regen_conf_files" =~ "ntp.service.d/ynh-override.conf" ]] || { systemctl daemon-reload; systemctl restart ntp; } [[ ! "$regen_conf_files" =~ "ntp.service.d/ynh-override.conf" ]] || {
[[ ! "$regen_conf_files" =~ "nftables.service.d/ynh-override.conf" ]] || systemctl daemon-reload systemctl daemon-reload
[[ ! "$regen_conf_files" =~ "login.conf.d/ynh-override.conf" ]] || systemctl daemon-reload systemctl restart ntp
if [[ "$regen_conf_files" =~ "yunoprompt.service" ]] }
then [[ ! "$regen_conf_files" =~ "nftables.service.d/ynh-override.conf" ]] || systemctl daemon-reload
systemctl daemon-reload [[ ! "$regen_conf_files" =~ "login.conf.d/ynh-override.conf" ]] || systemctl daemon-reload
action=$([[ -e /etc/systemd/system/yunoprompt.service ]] && echo 'enable' || echo 'disable') if [[ "$regen_conf_files" =~ "yunoprompt.service" ]]; then
systemctl $action yunoprompt --quiet --now systemctl daemon-reload
fi action=$([[ -e /etc/systemd/system/yunoprompt.service ]] && echo 'enable' || echo 'disable')
if [[ "$regen_conf_files" =~ "proc-hidepid.service" ]] systemctl $action yunoprompt --quiet --now
then fi
systemctl daemon-reload if [[ "$regen_conf_files" =~ "proc-hidepid.service" ]]; then
action=$([[ -e /etc/systemd/system/proc-hidepid.service ]] && echo 'enable' || echo 'disable') systemctl daemon-reload
systemctl $action proc-hidepid --quiet --now action=$([[ -e /etc/systemd/system/proc-hidepid.service ]] && echo 'enable' || echo 'disable')
fi systemctl $action proc-hidepid --quiet --now
fi
# Change dpkg vendor # Change dpkg vendor
# see https://wiki.debian.org/Derivatives/Guidelines#Vendor # see https://wiki.debian.org/Derivatives/Guidelines#Vendor
readlink -f /etc/dpkg/origins/default | grep -q debian \ readlink -f /etc/dpkg/origins/default | grep -q debian \
&& rm -f /etc/dpkg/origins/default \ && rm -f /etc/dpkg/origins/default \
&& ln -s /etc/dpkg/origins/yunohost /etc/dpkg/origins/default && ln -s /etc/dpkg/origins/yunohost /etc/dpkg/origins/default
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

97
data/hooks/conf_regen/02-ssl
View file

@ -23,7 +23,7 @@ regen_local_ca() {
# (Update the serial so that it's specific to this very instance) # (Update the serial so that it's specific to this very instance)
# N.B. : the weird RANDFILE thing comes from: # N.B. : the weird RANDFILE thing comes from:
# https://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean # https://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean
RANDFILE=.rnd openssl rand -hex 19 > serial RANDFILE=.rnd openssl rand -hex 19 >serial
rm -f index.txt rm -f index.txt
touch index.txt touch index.txt
cp /usr/share/yunohost/templates/ssl/openssl.cnf openssl.ca.cnf cp /usr/share/yunohost/templates/ssl/openssl.cnf openssl.ca.cnf
@ -50,73 +50,72 @@ regen_local_ca() {
do_init_regen() { do_init_regen() {
LOGFILE=/tmp/yunohost-ssl-init LOGFILE=/tmp/yunohost-ssl-init
echo "" > $LOGFILE echo "" >$LOGFILE
chown root:root $LOGFILE chown root:root $LOGFILE
chmod 640 $LOGFILE chmod 640 $LOGFILE
# Make sure this conf exists # Make sure this conf exists
mkdir -p ${ssl_dir} mkdir -p ${ssl_dir}
cp /usr/share/yunohost/templates/ssl/openssl.cnf ${ssl_dir}/openssl.ca.cnf cp /usr/share/yunohost/templates/ssl/openssl.cnf ${ssl_dir}/openssl.ca.cnf
# create default certificates # create default certificates
if [[ ! -f "$ynh_ca" ]]; then if [[ ! -f "$ynh_ca" ]]; then
regen_local_ca yunohost.org >>$LOGFILE regen_local_ca yunohost.org >>$LOGFILE
fi fi
if [[ ! -f "$ynh_crt" ]]; then if [[ ! -f "$ynh_crt" ]]; then
echo -e "\n# Creating initial key and certificate \n" >>$LOGFILE echo -e "\n# Creating initial key and certificate \n" >>$LOGFILE
openssl req -new \ openssl req -new \
-config "$openssl_conf" \ -config "$openssl_conf" \
-days 730 \ -days 730 \
-out "${ssl_dir}/certs/yunohost_csr.pem" \ -out "${ssl_dir}/certs/yunohost_csr.pem" \
-keyout "${ssl_dir}/certs/yunohost_key.pem" \ -keyout "${ssl_dir}/certs/yunohost_key.pem" \
-nodes -batch &>>$LOGFILE -nodes -batch &>>$LOGFILE
openssl ca \ openssl ca \
-config "$openssl_conf" \ -config "$openssl_conf" \
-days 730 \ -days 730 \
-in "${ssl_dir}/certs/yunohost_csr.pem" \ -in "${ssl_dir}/certs/yunohost_csr.pem" \
-out "${ssl_dir}/certs/yunohost_crt.pem" \ -out "${ssl_dir}/certs/yunohost_crt.pem" \
-batch &>>$LOGFILE -batch &>>$LOGFILE
chmod 640 "${ssl_dir}/certs/yunohost_key.pem" chmod 640 "${ssl_dir}/certs/yunohost_key.pem"
chmod 640 "${ssl_dir}/certs/yunohost_crt.pem" chmod 640 "${ssl_dir}/certs/yunohost_crt.pem"
cp "${ssl_dir}/certs/yunohost_key.pem" "$ynh_key" cp "${ssl_dir}/certs/yunohost_key.pem" "$ynh_key"
cp "${ssl_dir}/certs/yunohost_crt.pem" "$ynh_crt" cp "${ssl_dir}/certs/yunohost_crt.pem" "$ynh_crt"
ln -sf "$ynh_crt" /etc/ssl/certs/yunohost_crt.pem ln -sf "$ynh_crt" /etc/ssl/certs/yunohost_crt.pem
ln -sf "$ynh_key" /etc/ssl/private/yunohost_key.pem ln -sf "$ynh_key" /etc/ssl/private/yunohost_key.pem
fi fi
chown -R root:ssl-cert /etc/yunohost/certs/yunohost.org/ chown -R root:ssl-cert /etc/yunohost/certs/yunohost.org/
chmod o-rwx /etc/yunohost/certs/yunohost.org/ chmod o-rwx /etc/yunohost/certs/yunohost.org/
install -D -m 644 $openssl_conf "${ssl_dir}/openssl.cnf" install -D -m 644 $openssl_conf "${ssl_dir}/openssl.cnf"
} }
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/ssl cd /usr/share/yunohost/templates/ssl
install -D -m 644 openssl.cnf "${pending_dir}/${ssl_dir}/openssl.cnf" install -D -m 644 openssl.cnf "${pending_dir}/${ssl_dir}/openssl.cnf"
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
current_local_ca_domain=$(openssl x509 -in $ynh_ca -text | tr ',' '\n' | grep Issuer | awk '{print $4}') current_local_ca_domain=$(openssl x509 -in $ynh_ca -text | tr ',' '\n' | grep Issuer | awk '{print $4}')
main_domain=$(cat /etc/yunohost/current_host) main_domain=$(cat /etc/yunohost/current_host)
if [[ "$current_local_ca_domain" != "$main_domain" ]] if [[ "$current_local_ca_domain" != "$main_domain" ]]; then
then regen_local_ca $main_domain
regen_local_ca $main_domain # Idk how useful this is, but this was in the previous python code (domain.main_domain())
# Idk how useful this is, but this was in the previous python code (domain.main_domain()) ln -sf /etc/yunohost/certs/$domain/crt.pem /etc/ssl/certs/yunohost_crt.pem
ln -sf /etc/yunohost/certs/$domain/crt.pem /etc/ssl/certs/yunohost_crt.pem ln -sf /etc/yunohost/certs/$domain/key.pem /etc/ssl/private/yunohost_key.pem
ln -sf /etc/yunohost/certs/$domain/key.pem /etc/ssl/private/yunohost_key.pem fi
fi
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

260
data/hooks/conf_regen/06-slapd
View file

@ -8,19 +8,19 @@ config="/usr/share/yunohost/templates/slapd/config.ldif"
db_init="/usr/share/yunohost/templates/slapd/db_init.ldif" db_init="/usr/share/yunohost/templates/slapd/db_init.ldif"
do_init_regen() { do_init_regen() {
if [[ $EUID -ne 0 ]]; then if [[ $EUID -ne 0 ]]; then
echo "You must be root to run this script" 1>&2 echo "You must be root to run this script" 1>&2
exit 1 exit 1
fi fi
do_pre_regen "" do_pre_regen ""
# Drop current existing slapd data # Drop current existing slapd data
rm -rf /var/backups/*.ldapdb rm -rf /var/backups/*.ldapdb
rm -rf /var/backups/slapd-* rm -rf /var/backups/slapd-*
debconf-set-selections << EOF debconf-set-selections <<EOF
slapd slapd/password1 password yunohost slapd slapd/password1 password yunohost
slapd slapd/password2 password yunohost slapd slapd/password2 password yunohost
slapd slapd/domain string yunohost.org slapd slapd/domain string yunohost.org
@ -33,170 +33,166 @@ slapd slapd/no_configuration boolean false
slapd slapd/purge_database boolean false slapd slapd/purge_database boolean false
EOF EOF
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd -u DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd -u
# Enforce permissions # Enforce permissions
chown -R openldap:openldap /etc/ldap/schema/ chown -R openldap:openldap /etc/ldap/schema/
usermod -aG ssl-cert openldap usermod -aG ssl-cert openldap
# (Re-)init data according to default ldap entries # (Re-)init data according to default ldap entries
echo ' Initializing LDAP with YunoHost DB structure' echo ' Initializing LDAP with YunoHost DB structure'
rm -rf /etc/ldap/slapd.d rm -rf /etc/ldap/slapd.d
mkdir -p /etc/ldap/slapd.d mkdir -p /etc/ldap/slapd.d
slapadd -F /etc/ldap/slapd.d -b cn=config -l "$config" 2>&1 \ slapadd -F /etc/ldap/slapd.d -b cn=config -l "$config" 2>&1 \
| grep -v "none elapsed\|Closing DB" || true | grep -v "none elapsed\|Closing DB" || true
chown -R openldap: /etc/ldap/slapd.d chown -R openldap: /etc/ldap/slapd.d
rm -rf /var/lib/ldap rm -rf /var/lib/ldap
mkdir -p /var/lib/ldap mkdir -p /var/lib/ldap
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org -l "$db_init" 2>&1 \ slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org -l "$db_init" 2>&1 \
| grep -v "none elapsed\|Closing DB" || true | grep -v "none elapsed\|Closing DB" || true
chown -R openldap: /var/lib/ldap chown -R openldap: /var/lib/ldap
nscd -i group || true nscd -i group || true
nscd -i passwd || true nscd -i passwd || true
systemctl restart slapd systemctl restart slapd
# We don't use mkhomedir_helper because 'admin' may not be recognized # We don't use mkhomedir_helper because 'admin' may not be recognized
# when this script is ran in a chroot (e.g. ISO install) # when this script is ran in a chroot (e.g. ISO install)
# We also refer to admin as uid 1007 for the same reason # We also refer to admin as uid 1007 for the same reason
if [ ! -d /home/admin ] if [ ! -d /home/admin ]; then
then cp -r /etc/skel /home/admin
cp -r /etc/skel /home/admin chown -R 1007:1007 /home/admin
chown -R 1007:1007 /home/admin fi
fi
} }
_regenerate_slapd_conf() { _regenerate_slapd_conf() {
# Validate the new slapd config # Validate the new slapd config
# To do so, we have to use the .ldif to generate the config directory # To do so, we have to use the .ldif to generate the config directory
# so we use a temporary directory slapd_new.d # so we use a temporary directory slapd_new.d
rm -Rf /etc/ldap/slapd_new.d rm -Rf /etc/ldap/slapd_new.d
mkdir /etc/ldap/slapd_new.d mkdir /etc/ldap/slapd_new.d
slapadd -b cn=config -l "$config" -F /etc/ldap/slapd_new.d/ 2>&1 \ slapadd -b cn=config -l "$config" -F /etc/ldap/slapd_new.d/ 2>&1 \
| grep -v "none elapsed\|Closing DB" || true | grep -v "none elapsed\|Closing DB" || true
# Actual validation (-Q is for quiet, -u is for dry-run) # Actual validation (-Q is for quiet, -u is for dry-run)
slaptest -Q -u -F /etc/ldap/slapd_new.d slaptest -Q -u -F /etc/ldap/slapd_new.d
# "Commit" / apply the new config (meaning we delete the old one and replace # "Commit" / apply the new config (meaning we delete the old one and replace
# it with the new one) # it with the new one)
rm -Rf /etc/ldap/slapd.d rm -Rf /etc/ldap/slapd.d
mv /etc/ldap/slapd_new.d /etc/ldap/slapd.d mv /etc/ldap/slapd_new.d /etc/ldap/slapd.d
chown -R openldap:openldap /etc/ldap/slapd.d/ chown -R openldap:openldap /etc/ldap/slapd.d/
} }
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
# remove temporary backup file # remove temporary backup file
rm -f "$tmp_backup_dir_file" rm -f "$tmp_backup_dir_file"
# Define if we need to migrate from hdb to mdb # Define if we need to migrate from hdb to mdb
curr_backend=$(grep '^database' /etc/ldap/slapd.conf 2>/dev/null | awk '{print $2}') curr_backend=$(grep '^database' /etc/ldap/slapd.conf 2>/dev/null | awk '{print $2}')
if [ -e /etc/ldap/slapd.conf ] && [ -n "$curr_backend" ] && \ if [ -e /etc/ldap/slapd.conf ] && [ -n "$curr_backend" ] \
[ $curr_backend != 'mdb' ]; then && [ $curr_backend != 'mdb' ]; then
backup_dir="/var/backups/dc=yunohost,dc=org-${curr_backend}-$(date +%s)" backup_dir="/var/backups/dc=yunohost,dc=org-${curr_backend}-$(date +%s)"
mkdir -p "$backup_dir" mkdir -p "$backup_dir"
slapcat -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif" slapcat -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif"
echo "$backup_dir" > "$tmp_backup_dir_file" echo "$backup_dir" >"$tmp_backup_dir_file"
fi fi
# create needed directories # create needed directories
ldap_dir="${pending_dir}/etc/ldap" ldap_dir="${pending_dir}/etc/ldap"
schema_dir="${ldap_dir}/schema" schema_dir="${ldap_dir}/schema"
mkdir -p "$ldap_dir" "$schema_dir" mkdir -p "$ldap_dir" "$schema_dir"
# remove legacy configuration file # remove legacy configuration file
[ ! -f /etc/ldap/slapd-yuno.conf ] || touch "${ldap_dir}/slapd-yuno.conf" [ ! -f /etc/ldap/slapd-yuno.conf ] || touch "${ldap_dir}/slapd-yuno.conf"
[ ! -f /etc/ldap/slapd.conf ] || touch "${ldap_dir}/slapd.conf" [ ! -f /etc/ldap/slapd.conf ] || touch "${ldap_dir}/slapd.conf"
[ ! -f /etc/ldap/schema/yunohost.schema ] || touch "${schema_dir}/yunohost.schema" [ ! -f /etc/ldap/schema/yunohost.schema ] || touch "${schema_dir}/yunohost.schema"
cd /usr/share/yunohost/templates/slapd cd /usr/share/yunohost/templates/slapd
# copy configuration files # copy configuration files
cp -a ldap.conf "$ldap_dir" cp -a ldap.conf "$ldap_dir"
cp -a sudo.ldif mailserver.ldif permission.ldif "$schema_dir" cp -a sudo.ldif mailserver.ldif permission.ldif "$schema_dir"
mkdir -p ${pending_dir}/etc/systemd/system/slapd.service.d/ mkdir -p ${pending_dir}/etc/systemd/system/slapd.service.d/
cp systemd-override.conf ${pending_dir}/etc/systemd/system/slapd.service.d/ynh-override.conf cp systemd-override.conf ${pending_dir}/etc/systemd/system/slapd.service.d/ynh-override.conf
install -D -m 644 slapd.default "${pending_dir}/etc/default/slapd" install -D -m 644 slapd.default "${pending_dir}/etc/default/slapd"
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
# fix some permissions # fix some permissions
echo "Enforce permissions on ldap/slapd directories and certs ..." echo "Enforce permissions on ldap/slapd directories and certs ..."
# penldap user should be in the ssl-cert group to let it access the certificate for TLS # penldap user should be in the ssl-cert group to let it access the certificate for TLS
usermod -aG ssl-cert openldap usermod -aG ssl-cert openldap
chown -R openldap:openldap /etc/ldap/schema/ chown -R openldap:openldap /etc/ldap/schema/
chown -R openldap:openldap /etc/ldap/slapd.d/ chown -R openldap:openldap /etc/ldap/slapd.d/
# If we changed the systemd ynh-override conf # If we changed the systemd ynh-override conf
if echo "$regen_conf_files" | sed 's/,/\n/g' | grep -q "^/etc/systemd/system/slapd.service.d/ynh-override.conf$" if echo "$regen_conf_files" | sed 's/,/\n/g' | grep -q "^/etc/systemd/system/slapd.service.d/ynh-override.conf$"; then
then systemctl daemon-reload
systemctl daemon-reload systemctl restart slapd
systemctl restart slapd sleep 3
sleep 3 fi
fi
# For some reason, old setups don't have the admins group defined... # For some reason, old setups don't have the admins group defined...
if ! slapcat | grep -q 'cn=admins,ou=groups,dc=yunohost,dc=org' if ! slapcat | grep -q 'cn=admins,ou=groups,dc=yunohost,dc=org'; then
then slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org <<< \
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org <<< \ "dn: cn=admins,ou=groups,dc=yunohost,dc=org
"dn: cn=admins,ou=groups,dc=yunohost,dc=org
cn: admins cn: admins
gidNumber: 4001 gidNumber: 4001
memberUid: admin memberUid: admin
objectClass: posixGroup objectClass: posixGroup
objectClass: top" objectClass: top"
chown -R openldap: /var/lib/ldap chown -R openldap: /var/lib/ldap
systemctl restart slapd systemctl restart slapd
nscd -i group nscd -i group
fi fi
[ -z "$regen_conf_files" ] && exit 0 [ -z "$regen_conf_files" ] && exit 0
# regenerate LDAP config directory from slapd.conf # regenerate LDAP config directory from slapd.conf
echo "Regenerate LDAP config directory from config.ldif" echo "Regenerate LDAP config directory from config.ldif"
_regenerate_slapd_conf _regenerate_slapd_conf
# If there's a backup, re-import its data # If there's a backup, re-import its data
backup_dir=$(cat "$tmp_backup_dir_file" 2>/dev/null || true) backup_dir=$(cat "$tmp_backup_dir_file" 2>/dev/null || true)
if [[ -n "$backup_dir" && -f "${backup_dir}/dc=yunohost-dc=org.ldif" ]]; then if [[ -n "$backup_dir" && -f "${backup_dir}/dc=yunohost-dc=org.ldif" ]]; then
# regenerate LDAP config directory and import database as root # regenerate LDAP config directory and import database as root
echo "Import the database using slapadd" echo "Import the database using slapadd"
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif" slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif"
chown -R openldap:openldap /var/lib/ldap 2>&1 chown -R openldap:openldap /var/lib/ldap 2>&1
fi fi
echo "Running slapdindex" echo "Running slapdindex"
su openldap -s "/bin/bash" -c "/usr/sbin/slapindex" su openldap -s "/bin/bash" -c "/usr/sbin/slapindex"
echo "Reloading slapd" echo "Reloading slapd"
systemctl force-reload slapd systemctl force-reload slapd
# on slow hardware/vm this regen conf would exit before the admin user that # on slow hardware/vm this regen conf would exit before the admin user that
# is stored in ldap is available because ldap seems to slow to restart # is stored in ldap is available because ldap seems to slow to restart
# so we'll wait either until we are able to log as admin or until a timeout # so we'll wait either until we are able to log as admin or until a timeout
# is reached # is reached
# we need to do this because the next hooks executed after this one during # we need to do this because the next hooks executed after this one during
# postinstall requires to run as admin thus breaking postinstall on slow # postinstall requires to run as admin thus breaking postinstall on slow
# hardware which mean yunohost can't be correctly installed on those hardware # hardware which mean yunohost can't be correctly installed on those hardware
# and this sucks # and this sucks
# wait a maximum time of 5 minutes # wait a maximum time of 5 minutes
# yes, force-reload behave like a restart # yes, force-reload behave like a restart
number_of_wait=0 number_of_wait=0
while ! su admin -c '' && ((number_of_wait < 60)) while ! su admin -c '' && ((number_of_wait < 60)); do
do sleep 5
sleep 5 ((number_of_wait += 1))
((number_of_wait += 1)) done
done
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

16
data/hooks/conf_regen/09-nslcd
View file

@ -3,23 +3,23 @@
set -e set -e
do_init_regen() { do_init_regen() {
do_pre_regen "" do_pre_regen ""
systemctl restart nslcd systemctl restart nslcd
} }
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/nslcd cd /usr/share/yunohost/templates/nslcd
install -D -m 644 nslcd.conf "${pending_dir}/etc/nslcd.conf" install -D -m 644 nslcd.conf "${pending_dir}/etc/nslcd.conf"
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
[[ -z "$regen_conf_files" ]] \ [[ -z "$regen_conf_files" ]] \
|| systemctl restart nslcd || systemctl restart nslcd
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

15
data/hooks/conf_regen/10-apt
View file

@ -8,15 +8,14 @@ do_pre_regen() {
mkdir --parents "${pending_dir}/etc/apt/preferences.d" mkdir --parents "${pending_dir}/etc/apt/preferences.d"
packages_to_refuse_from_sury="php php-fpm php-mysql php-xml php-zip php-mbstring php-ldap php-gd php-curl php-bz2 php-json php-sqlite3 php-intl openssl libssl1.1 libssl-dev" packages_to_refuse_from_sury="php php-fpm php-mysql php-xml php-zip php-mbstring php-ldap php-gd php-curl php-bz2 php-json php-sqlite3 php-intl openssl libssl1.1 libssl-dev"
for package in $packages_to_refuse_from_sury for package in $packages_to_refuse_from_sury; do
do
echo " echo "
Package: $package Package: $package
Pin: origin \"packages.sury.org\" Pin: origin \"packages.sury.org\"
Pin-Priority: -1" >> "${pending_dir}/etc/apt/preferences.d/extra_php_version" Pin-Priority: -1" >>"${pending_dir}/etc/apt/preferences.d/extra_php_version"
done done
echo " echo "
# PLEASE READ THIS WARNING AND DON'T EDIT THIS FILE # PLEASE READ THIS WARNING AND DON'T EDIT THIS FILE
@ -43,15 +42,15 @@ Pin-Priority: -1
Package: bind9 Package: bind9
Pin: release * Pin: release *
Pin-Priority: -1 Pin-Priority: -1
" >> "${pending_dir}/etc/apt/preferences.d/ban_packages" " >>"${pending_dir}/etc/apt/preferences.d/ban_packages"
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
# Make sure php7.3 is the default version when using php in cli # Make sure php7.3 is the default version when using php in cli
update-alternatives --set php /usr/bin/php7.3 update-alternatives --set php /usr/bin/php7.3
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

102
data/hooks/conf_regen/12-metronome
View file

@ -3,71 +3,71 @@
set -e set -e
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/metronome cd /usr/share/yunohost/templates/metronome
# create directories for pending conf # create directories for pending conf
metronome_dir="${pending_dir}/etc/metronome" metronome_dir="${pending_dir}/etc/metronome"
metronome_conf_dir="${metronome_dir}/conf.d" metronome_conf_dir="${metronome_dir}/conf.d"
mkdir -p "$metronome_conf_dir" mkdir -p "$metronome_conf_dir"
# retrieve variables # retrieve variables
main_domain=$(cat /etc/yunohost/current_host) main_domain=$(cat /etc/yunohost/current_host)
# install main conf file # install main conf file
cat metronome.cfg.lua \ cat metronome.cfg.lua \
| sed "s/{{ main_domain }}/${main_domain}/g" \ | sed "s/{{ main_domain }}/${main_domain}/g" \
> "${metronome_dir}/metronome.cfg.lua" >"${metronome_dir}/metronome.cfg.lua"
# add domain conf files # add domain conf files
for domain in $YNH_DOMAINS; do for domain in $YNH_DOMAINS; do
cat domain.tpl.cfg.lua \ cat domain.tpl.cfg.lua \
| sed "s/{{ domain }}/${domain}/g" \ | sed "s/{{ domain }}/${domain}/g" \
> "${metronome_conf_dir}/${domain}.cfg.lua" >"${metronome_conf_dir}/${domain}.cfg.lua"
done done
# remove old domain conf files # remove old domain conf files
conf_files=$(ls -1 /etc/metronome/conf.d \ conf_files=$(ls -1 /etc/metronome/conf.d \
| awk '/^[^\.]+\.[^\.]+.*\.cfg\.lua$/ { print $1 }') | awk '/^[^\.]+\.[^\.]+.*\.cfg\.lua$/ { print $1 }')
for file in $conf_files; do for file in $conf_files; do
domain=${file%.cfg.lua} domain=${file%.cfg.lua}
[[ $YNH_DOMAINS =~ $domain ]] \ [[ $YNH_DOMAINS =~ $domain ]] \
|| touch "${metronome_conf_dir}/${file}" || touch "${metronome_conf_dir}/${file}"
done done
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
# retrieve variables # retrieve variables
main_domain=$(cat /etc/yunohost/current_host) main_domain=$(cat /etc/yunohost/current_host)
# FIXME : small optimization to do to avoid calling a yunohost command ...
# maybe another env variable like YNH_MAIN_DOMAINS idk
domain_list=$(yunohost domain list --exclude-subdomains --output-as plain --quiet)
# create metronome directories for domains # FIXME : small optimization to do to avoid calling a yunohost command ...
for domain in $domain_list; do # maybe another env variable like YNH_MAIN_DOMAINS idk
mkdir -p "/var/lib/metronome/${domain//./%2e}/pep" domain_list=$(yunohost domain list --exclude-subdomains --output-as plain --quiet)
# http_upload directory must be writable by metronome and readable by nginx
mkdir -p "/var/xmpp-upload/${domain}/upload"
# sgid bit allows that file created in that dir will be owned by www-data
# despite the fact that metronome ain't in the www-data group
chmod g+s "/var/xmpp-upload/${domain}/upload"
done
# fix some permissions # create metronome directories for domains
[ ! -e '/var/xmpp-upload' ] || chown -R metronome:www-data "/var/xmpp-upload/" for domain in $domain_list; do
[ ! -e '/var/xmpp-upload' ] || chmod 750 "/var/xmpp-upload/" mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
# http_upload directory must be writable by metronome and readable by nginx
mkdir -p "/var/xmpp-upload/${domain}/upload"
# sgid bit allows that file created in that dir will be owned by www-data
# despite the fact that metronome ain't in the www-data group
chmod g+s "/var/xmpp-upload/${domain}/upload"
done
# metronome should be in ssl-cert group to let it access SSL certificates # fix some permissions
usermod -aG ssl-cert metronome [ ! -e '/var/xmpp-upload' ] || chown -R metronome:www-data "/var/xmpp-upload/"
chown -R metronome: /var/lib/metronome/ [ ! -e '/var/xmpp-upload' ] || chmod 750 "/var/xmpp-upload/"
chown -R metronome: /etc/metronome/conf.d/
[[ -z "$regen_conf_files" ]] \ # metronome should be in ssl-cert group to let it access SSL certificates
|| systemctl restart metronome usermod -aG ssl-cert metronome
chown -R metronome: /var/lib/metronome/
chown -R metronome: /etc/metronome/conf.d/
[[ -z "$regen_conf_files" ]] \
|| systemctl restart metronome
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

226
data/hooks/conf_regen/15-nginx
View file

@ -5,148 +5,156 @@ set -e
. /usr/share/yunohost/helpers . /usr/share/yunohost/helpers
do_init_regen() { do_init_regen() {
if [[ $EUID -ne 0 ]]; then if [[ $EUID -ne 0 ]]; then
echo "You must be root to run this script" 1>&2 echo "You must be root to run this script" 1>&2
exit 1 exit 1
fi fi
cd /usr/share/yunohost/templates/nginx cd /usr/share/yunohost/templates/nginx
nginx_dir="/etc/nginx" nginx_dir="/etc/nginx"
nginx_conf_dir="${nginx_dir}/conf.d" nginx_conf_dir="${nginx_dir}/conf.d"
mkdir -p "$nginx_conf_dir" mkdir -p "$nginx_conf_dir"
# install plain conf files # install plain conf files
cp plain/* "$nginx_conf_dir" cp plain/* "$nginx_conf_dir"
# probably run with init: just disable default site, restart NGINX and exit # probably run with init: just disable default site, restart NGINX and exit
rm -f "${nginx_dir}/sites-enabled/default" rm -f "${nginx_dir}/sites-enabled/default"
export compatibility="intermediate" export compatibility="intermediate"
ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc" ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc"
ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost_admin.conf" ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost_admin.conf"
ynh_render_template "yunohost_admin.conf.inc" "${nginx_conf_dir}/yunohost_admin.conf.inc" ynh_render_template "yunohost_admin.conf.inc" "${nginx_conf_dir}/yunohost_admin.conf.inc"
ynh_render_template "yunohost_api.conf.inc" "${nginx_conf_dir}/yunohost_api.conf.inc" ynh_render_template "yunohost_api.conf.inc" "${nginx_conf_dir}/yunohost_api.conf.inc"
mkdir -p $nginx_conf_dir/default.d/ mkdir -p $nginx_conf_dir/default.d/
cp "redirect_to_admin.conf" $nginx_conf_dir/default.d/ cp "redirect_to_admin.conf" $nginx_conf_dir/default.d/
# Restart nginx if conf looks good, otherwise display error and exit unhappy # Restart nginx if conf looks good, otherwise display error and exit unhappy
nginx -t 2>/dev/null || { nginx -t; exit 1; } nginx -t 2>/dev/null || {
systemctl restart nginx || { journalctl --no-pager --lines=10 -u nginx >&2; exit 1; } nginx -t
exit 1
}
systemctl restart nginx || {
journalctl --no-pager --lines=10 -u nginx >&2
exit 1
}
exit 0 exit 0
} }
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/nginx cd /usr/share/yunohost/templates/nginx
nginx_dir="${pending_dir}/etc/nginx" nginx_dir="${pending_dir}/etc/nginx"
nginx_conf_dir="${nginx_dir}/conf.d" nginx_conf_dir="${nginx_dir}/conf.d"
mkdir -p "$nginx_conf_dir" mkdir -p "$nginx_conf_dir"
# install / update plain conf files # install / update plain conf files
cp plain/* "$nginx_conf_dir" cp plain/* "$nginx_conf_dir"
# remove the panel overlay if this is specified in settings # remove the panel overlay if this is specified in settings
panel_overlay=$(yunohost settings get 'ssowat.panel_overlay.enabled') panel_overlay=$(yunohost settings get 'ssowat.panel_overlay.enabled')
if [ "$panel_overlay" == "false" ] || [ "$panel_overlay" == "False" ] if [ "$panel_overlay" == "false" ] || [ "$panel_overlay" == "False" ]; then
then echo "#" >"${nginx_conf_dir}/yunohost_panel.conf.inc"
echo "#" > "${nginx_conf_dir}/yunohost_panel.conf.inc" fi
fi
# retrieve variables # retrieve variables
main_domain=$(cat /etc/yunohost/current_host) main_domain=$(cat /etc/yunohost/current_host)
# Support different strategy for security configurations # Support different strategy for security configurations
export redirect_to_https="$(yunohost settings get 'security.nginx.redirect_to_https')" export redirect_to_https="$(yunohost settings get 'security.nginx.redirect_to_https')"
export compatibility="$(yunohost settings get 'security.nginx.compatibility')" export compatibility="$(yunohost settings get 'security.nginx.compatibility')"
export experimental="$(yunohost settings get 'security.experimental.enabled')" export experimental="$(yunohost settings get 'security.experimental.enabled')"
ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc" ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc"
cert_status=$(yunohost domain cert status --json) cert_status=$(yunohost domain cert status --json)
# add domain conf files # add domain conf files
for domain in $YNH_DOMAINS; do for domain in $YNH_DOMAINS; do
domain_conf_dir="${nginx_conf_dir}/${domain}.d" domain_conf_dir="${nginx_conf_dir}/${domain}.d"
mkdir -p "$domain_conf_dir" mkdir -p "$domain_conf_dir"
mail_autoconfig_dir="${pending_dir}/var/www/.well-known/${domain}/autoconfig/mail/" mail_autoconfig_dir="${pending_dir}/var/www/.well-known/${domain}/autoconfig/mail/"
mkdir -p "$mail_autoconfig_dir" mkdir -p "$mail_autoconfig_dir"
# NGINX server configuration # NGINX server configuration
export domain export domain
export domain_cert_ca=$(echo $cert_status \ export domain_cert_ca=$(echo $cert_status \
| jq ".certificates.\"$domain\".CA_type" \ | jq ".certificates.\"$domain\".CA_type" \
| tr -d '"') | tr -d '"')
ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf" ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf"
ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}/config-v1.1.xml" ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}/config-v1.1.xml"
touch "${domain_conf_dir}/yunohost_local.conf" # Clean legacy conf files touch "${domain_conf_dir}/yunohost_local.conf" # Clean legacy conf files
done done
export webadmin_allowlist_enabled=$(yunohost settings get security.webadmin.allowlist.enabled) export webadmin_allowlist_enabled=$(yunohost settings get security.webadmin.allowlist.enabled)
if [ "$webadmin_allowlist_enabled" == "True" ] if [ "$webadmin_allowlist_enabled" == "True" ]; then
then export webadmin_allowlist=$(yunohost settings get security.webadmin.allowlist)
export webadmin_allowlist=$(yunohost settings get security.webadmin.allowlist) fi
fi ynh_render_template "yunohost_admin.conf.inc" "${nginx_conf_dir}/yunohost_admin.conf.inc"
ynh_render_template "yunohost_admin.conf.inc" "${nginx_conf_dir}/yunohost_admin.conf.inc" ynh_render_template "yunohost_api.conf.inc" "${nginx_conf_dir}/yunohost_api.conf.inc"
ynh_render_template "yunohost_api.conf.inc" "${nginx_conf_dir}/yunohost_api.conf.inc" ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost_admin.conf"
ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost_admin.conf" mkdir -p $nginx_conf_dir/default.d/
mkdir -p $nginx_conf_dir/default.d/ cp "redirect_to_admin.conf" $nginx_conf_dir/default.d/
cp "redirect_to_admin.conf" $nginx_conf_dir/default.d/
# remove old domain conf files # remove old domain conf files
conf_files=$(ls -1 /etc/nginx/conf.d \ conf_files=$(ls -1 /etc/nginx/conf.d \
| awk '/^[^\.]+\.[^\.]+.*\.conf$/ { print $1 }') | awk '/^[^\.]+\.[^\.]+.*\.conf$/ { print $1 }')
for file in $conf_files; do for file in $conf_files; do
domain=${file%.conf} domain=${file%.conf}
[[ $YNH_DOMAINS =~ $domain ]] \ [[ $YNH_DOMAINS =~ $domain ]] \
|| touch "${nginx_conf_dir}/${file}" || touch "${nginx_conf_dir}/${file}"
done done
# remove old mail-autoconfig files # remove old mail-autoconfig files
autoconfig_files=$(ls -1 /var/www/.well-known/*/autoconfig/mail/config-v1.1.xml 2>/dev/null || true) autoconfig_files=$(ls -1 /var/www/.well-known/*/autoconfig/mail/config-v1.1.xml 2>/dev/null || true)
for file in $autoconfig_files; do for file in $autoconfig_files; do
domain=$(basename $(readlink -f $(dirname $file)/../..)) domain=$(basename $(readlink -f $(dirname $file)/../..))
[[ $YNH_DOMAINS =~ $domain ]] \ [[ $YNH_DOMAINS =~ $domain ]] \
|| (mkdir -p "$(dirname ${pending_dir}/${file})" && touch "${pending_dir}/${file}") || (mkdir -p "$(dirname ${pending_dir}/${file})" && touch "${pending_dir}/${file}")
done done
# disable default site # disable default site
mkdir -p "${nginx_dir}/sites-enabled" mkdir -p "${nginx_dir}/sites-enabled"
touch "${nginx_dir}/sites-enabled/default" touch "${nginx_dir}/sites-enabled/default"
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
[ -z "$regen_conf_files" ] && exit 0 [ -z "$regen_conf_files" ] && exit 0
# create NGINX conf directories for domains # create NGINX conf directories for domains
for domain in $YNH_DOMAINS; do for domain in $YNH_DOMAINS; do
mkdir -p "/etc/nginx/conf.d/${domain}.d" mkdir -p "/etc/nginx/conf.d/${domain}.d"
done done
# Get rid of legacy lets encrypt snippets # Get rid of legacy lets encrypt snippets
for domain in $YNH_DOMAINS; do for domain in $YNH_DOMAINS; do
# If the legacy letsencrypt / acme-challenge domain-specific snippet is still there # If the legacy letsencrypt / acme-challenge domain-specific snippet is still there
if [ -e /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf ] if [ -e /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf ]; then
then # And if we're effectively including the new domain-independant snippet now
# And if we're effectively including the new domain-independant snippet now if grep -q "include /etc/nginx/conf.d/acme-challenge.conf.inc;" /etc/nginx/conf.d/${domain}.conf; then
if grep -q "include /etc/nginx/conf.d/acme-challenge.conf.inc;" /etc/nginx/conf.d/${domain}.conf # Delete the old domain-specific snippet
then rm /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf
# Delete the old domain-specific snippet fi
rm /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf fi
fi done
fi
done
# Reload nginx if conf looks good, otherwise display error and exit unhappy # Reload nginx if conf looks good, otherwise display error and exit unhappy
nginx -t 2>/dev/null || { nginx -t; exit 1; } nginx -t 2>/dev/null || {
pgrep nginx && systemctl reload nginx || { journalctl --no-pager --lines=10 -u nginx >&2; exit 1; } nginx -t
exit 1
}
pgrep nginx && systemctl reload nginx || {
journalctl --no-pager --lines=10 -u nginx >&2
exit 1
}
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

114
data/hooks/conf_regen/19-postfix
View file

@ -5,78 +5,76 @@ set -e
. /usr/share/yunohost/helpers . /usr/share/yunohost/helpers
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/postfix cd /usr/share/yunohost/templates/postfix
postfix_dir="${pending_dir}/etc/postfix" postfix_dir="${pending_dir}/etc/postfix"
mkdir -p "$postfix_dir" mkdir -p "$postfix_dir"
default_dir="${pending_dir}/etc/default/" default_dir="${pending_dir}/etc/default/"
mkdir -p "$default_dir" mkdir -p "$default_dir"
# install plain conf files # install plain conf files
cp plain/* "$postfix_dir" cp plain/* "$postfix_dir"
# prepare main.cf conf file # prepare main.cf conf file
main_domain=$(cat /etc/yunohost/current_host) main_domain=$(cat /etc/yunohost/current_host)
# Support different strategy for security configurations # Support different strategy for security configurations
export compatibility="$(yunohost settings get 'security.postfix.compatibility')" export compatibility="$(yunohost settings get 'security.postfix.compatibility')"
# Add possibility to specify a relay
# Could be useful with some isp with no 25 port open or more complex setup
export relay_port=""
export relay_user=""
export relay_host="$(yunohost settings get 'smtp.relay.host')"
if [ -n "${relay_host}" ]
then
relay_port="$(yunohost settings get 'smtp.relay.port')"
relay_user="$(yunohost settings get 'smtp.relay.user')"
relay_password="$(yunohost settings get 'smtp.relay.password')"
# Avoid to display "Relay account paswword" to other users
touch ${postfix_dir}/sasl_passwd
chmod 750 ${postfix_dir}/sasl_passwd
# Avoid "postmap: warning: removing zero-length database file"
chown postfix ${pending_dir}/etc/postfix
chown postfix ${pending_dir}/etc/postfix/sasl_passwd
cat <<< "[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" > ${postfix_dir}/sasl_passwd # Add possibility to specify a relay
postmap ${postfix_dir}/sasl_passwd # Could be useful with some isp with no 25 port open or more complex setup
fi export relay_port=""
export main_domain export relay_user=""
export domain_list="$YNH_DOMAINS" export relay_host="$(yunohost settings get 'smtp.relay.host')"
ynh_render_template "main.cf" "${postfix_dir}/main.cf" if [ -n "${relay_host}" ]; then
relay_port="$(yunohost settings get 'smtp.relay.port')"
relay_user="$(yunohost settings get 'smtp.relay.user')"
relay_password="$(yunohost settings get 'smtp.relay.password')"
cat postsrsd \ # Avoid to display "Relay account paswword" to other users
| sed "s/{{ main_domain }}/${main_domain}/g" \ touch ${postfix_dir}/sasl_passwd
| sed "s/{{ domain_list }}/${YNH_DOMAINS}/g" \ chmod 750 ${postfix_dir}/sasl_passwd
> "${default_dir}/postsrsd" # Avoid "postmap: warning: removing zero-length database file"
chown postfix ${pending_dir}/etc/postfix
chown postfix ${pending_dir}/etc/postfix/sasl_passwd
# adapt it for IPv4-only hosts cat <<<"[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" >${postfix_dir}/sasl_passwd
ipv6="$(yunohost settings get 'smtp.allow_ipv6')" postmap ${postfix_dir}/sasl_passwd
if [ "$ipv6" == "False" ] || [ ! -f /proc/net/if_inet6 ]; then fi
sed -i \ export main_domain
's/ \[::ffff:127.0.0.0\]\/104 \[::1\]\/128//g' \ export domain_list="$YNH_DOMAINS"
"${postfix_dir}/main.cf" ynh_render_template "main.cf" "${postfix_dir}/main.cf"
sed -i \
's/inet_interfaces = all/&\ninet_protocols = ipv4/' \ cat postsrsd \
"${postfix_dir}/main.cf" | sed "s/{{ main_domain }}/${main_domain}/g" \
fi | sed "s/{{ domain_list }}/${YNH_DOMAINS}/g" \
>"${default_dir}/postsrsd"
# adapt it for IPv4-only hosts
ipv6="$(yunohost settings get 'smtp.allow_ipv6')"
if [ "$ipv6" == "False" ] || [ ! -f /proc/net/if_inet6 ]; then
sed -i \
's/ \[::ffff:127.0.0.0\]\/104 \[::1\]\/128//g' \
"${postfix_dir}/main.cf"
sed -i \
's/inet_interfaces = all/&\ninet_protocols = ipv4/' \
"${postfix_dir}/main.cf"
fi
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
if [ -e /etc/postfix/sasl_passwd ] if [ -e /etc/postfix/sasl_passwd ]; then
then chmod 750 /etc/postfix/sasl_passwd*
chmod 750 /etc/postfix/sasl_passwd* chown postfix:root /etc/postfix/sasl_passwd*
chown postfix:root /etc/postfix/sasl_passwd* fi
fi
[[ -z "$regen_conf_files" ]] \ [[ -z "$regen_conf_files" ]] \
|| { systemctl restart postfix && systemctl restart postsrsd; } || { systemctl restart postfix && systemctl restart postsrsd; }
} }

80
data/hooks/conf_regen/25-dovecot
View file

@ -5,62 +5,62 @@ set -e
. /usr/share/yunohost/helpers . /usr/share/yunohost/helpers
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/dovecot cd /usr/share/yunohost/templates/dovecot
dovecot_dir="${pending_dir}/etc/dovecot" dovecot_dir="${pending_dir}/etc/dovecot"
mkdir -p "${dovecot_dir}/global_script" mkdir -p "${dovecot_dir}/global_script"
# copy simple conf files # copy simple conf files
cp dovecot-ldap.conf "${dovecot_dir}/dovecot-ldap.conf" cp dovecot-ldap.conf "${dovecot_dir}/dovecot-ldap.conf"
cp dovecot.sieve "${dovecot_dir}/global_script/dovecot.sieve" cp dovecot.sieve "${dovecot_dir}/global_script/dovecot.sieve"
export pop3_enabled="$(yunohost settings get 'pop3.enabled')" export pop3_enabled="$(yunohost settings get 'pop3.enabled')"
export main_domain=$(cat /etc/yunohost/current_host) export main_domain=$(cat /etc/yunohost/current_host)
ynh_render_template "dovecot.conf" "${dovecot_dir}/dovecot.conf" ynh_render_template "dovecot.conf" "${dovecot_dir}/dovecot.conf"
# adapt it for IPv4-only hosts # adapt it for IPv4-only hosts
if [ ! -f /proc/net/if_inet6 ]; then if [ ! -f /proc/net/if_inet6 ]; then
sed -i \ sed -i \
's/^\(listen =\).*/\1 */' \ 's/^\(listen =\).*/\1 */' \
"${dovecot_dir}/dovecot.conf" "${dovecot_dir}/dovecot.conf"
fi fi
mkdir -p "${dovecot_dir}/yunohost.d" mkdir -p "${dovecot_dir}/yunohost.d"
cp pre-ext.conf "${dovecot_dir}/yunohost.d" cp pre-ext.conf "${dovecot_dir}/yunohost.d"
cp post-ext.conf "${dovecot_dir}/yunohost.d" cp post-ext.conf "${dovecot_dir}/yunohost.d"
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
mkdir -p "/etc/dovecot/yunohost.d/pre-ext.d" mkdir -p "/etc/dovecot/yunohost.d/pre-ext.d"
mkdir -p "/etc/dovecot/yunohost.d/post-ext.d" mkdir -p "/etc/dovecot/yunohost.d/post-ext.d"
# create vmail user # create vmail user
id vmail > /dev/null 2>&1 \ id vmail >/dev/null 2>&1 \
|| adduser --system --ingroup mail --uid 500 vmail --home /var/vmail --no-create-home || adduser --system --ingroup mail --uid 500 vmail --home /var/vmail --no-create-home
# Delete legacy home for vmail that existed in the past but was empty, poluting /home/ # Delete legacy home for vmail that existed in the past but was empty, poluting /home/
[ ! -e /home/vmail ] || rmdir --ignore-fail-on-non-empty /home/vmail [ ! -e /home/vmail ] || rmdir --ignore-fail-on-non-empty /home/vmail
# fix permissions # fix permissions
chown -R vmail:mail /etc/dovecot/global_script
chmod 770 /etc/dovecot/global_script
chown root:mail /var/mail
chmod 1775 /var/mail
[ -z "$regen_conf_files" ] && exit 0
# compile sieve script
[[ "$regen_conf_files" =~ dovecot\.sieve ]] && {
sievec /etc/dovecot/global_script/dovecot.sieve
chown -R vmail:mail /etc/dovecot/global_script chown -R vmail:mail /etc/dovecot/global_script
} chmod 770 /etc/dovecot/global_script
chown root:mail /var/mail
chmod 1775 /var/mail
systemctl restart dovecot [ -z "$regen_conf_files" ] && exit 0
# compile sieve script
[[ "$regen_conf_files" =~ dovecot\.sieve ]] && {
sievec /etc/dovecot/global_script/dovecot.sieve
chown -R vmail:mail /etc/dovecot/global_script
}
systemctl restart dovecot
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

88
data/hooks/conf_regen/31-rspamd
View file

@ -3,60 +3,60 @@
set -e set -e
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/rspamd cd /usr/share/yunohost/templates/rspamd
install -D -m 644 metrics.local.conf \ install -D -m 644 metrics.local.conf \
"${pending_dir}/etc/rspamd/local.d/metrics.conf" "${pending_dir}/etc/rspamd/local.d/metrics.conf"
install -D -m 644 dkim_signing.conf \ install -D -m 644 dkim_signing.conf \
"${pending_dir}/etc/rspamd/local.d/dkim_signing.conf" "${pending_dir}/etc/rspamd/local.d/dkim_signing.conf"
install -D -m 644 rspamd.sieve \ install -D -m 644 rspamd.sieve \
"${pending_dir}/etc/dovecot/global_script/rspamd.sieve" "${pending_dir}/etc/dovecot/global_script/rspamd.sieve"
} }
do_post_regen() { do_post_regen() {
## ##
## DKIM key generation ## DKIM key generation
## ##
# create DKIM directory with proper permission # create DKIM directory with proper permission
mkdir -p /etc/dkim mkdir -p /etc/dkim
chown _rspamd /etc/dkim chown _rspamd /etc/dkim
# create DKIM key for domains # create DKIM key for domains
for domain in $YNH_DOMAINS; do for domain in $YNH_DOMAINS; do
domain_key="/etc/dkim/${domain}.mail.key" domain_key="/etc/dkim/${domain}.mail.key"
[ ! -f "$domain_key" ] && { [ ! -f "$domain_key" ] && {
# We use a 1024 bit size because nsupdate doesn't seem to be able to # We use a 1024 bit size because nsupdate doesn't seem to be able to
# handle 2048... # handle 2048...
opendkim-genkey --domain="$domain" \ opendkim-genkey --domain="$domain" \
--selector=mail --directory=/etc/dkim -b 1024 --selector=mail --directory=/etc/dkim -b 1024
mv /etc/dkim/mail.private "$domain_key" mv /etc/dkim/mail.private "$domain_key"
mv /etc/dkim/mail.txt "/etc/dkim/${domain}.mail.txt" mv /etc/dkim/mail.txt "/etc/dkim/${domain}.mail.txt"
}
done
# fix DKIM keys permissions
chown _rspamd /etc/dkim/*.mail.key
chmod 400 /etc/dkim/*.mail.key
[ ! -e /var/log/rspamd ] || chown -R _rspamd:_rspamd /var/log/rspamd
regen_conf_files=$1
[ -z "$regen_conf_files" ] && exit 0
# compile sieve script
[[ "$regen_conf_files" =~ rspamd\.sieve ]] && {
sievec /etc/dovecot/global_script/rspamd.sieve
chown -R vmail:mail /etc/dovecot/global_script
systemctl restart dovecot
} }
done
# fix DKIM keys permissions # Restart rspamd due to the upgrade
chown _rspamd /etc/dkim/*.mail.key # https://rspamd.com/announce/2016/08/01/rspamd-1.3.1.html
chmod 400 /etc/dkim/*.mail.key systemctl -q restart rspamd.service
[ ! -e /var/log/rspamd ] || chown -R _rspamd:_rspamd /var/log/rspamd
regen_conf_files=$1
[ -z "$regen_conf_files" ] && exit 0
# compile sieve script
[[ "$regen_conf_files" =~ rspamd\.sieve ]] && {
sievec /etc/dovecot/global_script/rspamd.sieve
chown -R vmail:mail /etc/dovecot/global_script
systemctl restart dovecot
}
# Restart rspamd due to the upgrade
# https://rspamd.com/announce/2016/08/01/rspamd-1.3.1.html
systemctl -q restart rspamd.service
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

94
data/hooks/conf_regen/34-mysql
View file

@ -4,69 +4,65 @@ set -e
. /usr/share/yunohost/helpers . /usr/share/yunohost/helpers
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/mysql cd /usr/share/yunohost/templates/mysql
install -D -m 644 my.cnf "${pending_dir}/etc/mysql/my.cnf" install -D -m 644 my.cnf "${pending_dir}/etc/mysql/my.cnf"
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
if [[ ! -d /var/lib/mysql/mysql ]] if [[ ! -d /var/lib/mysql/mysql ]]; then
then # dpkg-reconfigure will initialize mysql (if it ain't already)
# dpkg-reconfigure will initialize mysql (if it ain't already) # It enabled auth_socket for root, so no need to define any root password...
# It enabled auth_socket for root, so no need to define any root password... # c.f. : cat /var/lib/dpkg/info/mariadb-server-10.3.postinst | grep install_db -C3
# c.f. : cat /var/lib/dpkg/info/mariadb-server-10.3.postinst | grep install_db -C3 MYSQL_PKG="$(dpkg --list | sed -ne 's/^ii \(mariadb-server-[[:digit:].]\+\) .*$/\1/p')"
MYSQL_PKG="$(dpkg --list | sed -ne 's/^ii \(mariadb-server-[[:digit:].]\+\) .*$/\1/p')" dpkg-reconfigure -freadline -u "$MYSQL_PKG" 2>&1
dpkg-reconfigure -freadline -u "$MYSQL_PKG" 2>&1
systemctl -q is-active mariadb.service \ systemctl -q is-active mariadb.service \
|| systemctl start mariadb || systemctl start mariadb
sleep 5 sleep 5
echo "" | mysql && echo "Can't connect to mysql using unix_socket auth ... something went wrong during initial configuration of mysql !?" >&2 echo "" | mysql && echo "Can't connect to mysql using unix_socket auth ... something went wrong during initial configuration of mysql !?" >&2
fi fi
# Legacy code to get rid of /etc/yunohost/mysql ... # Legacy code to get rid of /etc/yunohost/mysql ...
# Nowadays, we can simply run mysql while being run as root of unix_socket/auth_socket is enabled... # Nowadays, we can simply run mysql while being run as root of unix_socket/auth_socket is enabled...
if [ -f /etc/yunohost/mysql ]; then if [ -f /etc/yunohost/mysql ]; then
# This is a trick to check if we're able to use mysql without password # This is a trick to check if we're able to use mysql without password
# Expect instances installed in stretch to already have unix_socket # Expect instances installed in stretch to already have unix_socket
#configured, but not old instances from the jessie/wheezy era #configured, but not old instances from the jessie/wheezy era
if ! echo "" | mysql 2>/dev/null if ! echo "" | mysql 2>/dev/null; then
then password="$(cat /etc/yunohost/mysql)"
password="$(cat /etc/yunohost/mysql)" # Enable plugin unix_socket for root on localhost
# Enable plugin unix_socket for root on localhost mysql -u root -p"$password" <<<"GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED WITH unix_socket WITH GRANT OPTION;"
mysql -u root -p"$password" <<< "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED WITH unix_socket WITH GRANT OPTION;" fi
fi
# If now we're able to login without password, drop the mysql password # If now we're able to login without password, drop the mysql password
if echo "" | mysql 2>/dev/null if echo "" | mysql 2>/dev/null; then
then rm /etc/yunohost/mysql
rm /etc/yunohost/mysql else
else echo "Can't connect to mysql using unix_socket auth ... something went wrong while trying to get rid of mysql password !?" >&2
echo "Can't connect to mysql using unix_socket auth ... something went wrong while trying to get rid of mysql password !?" >&2 fi
fi fi
fi
# mysql is supposed to be an alias to mariadb... but in some weird case is not # mysql is supposed to be an alias to mariadb... but in some weird case is not
# c.f. https://forum.yunohost.org/t/mysql-ne-fonctionne-pas/11661 # c.f. https://forum.yunohost.org/t/mysql-ne-fonctionne-pas/11661
# Playing with enable/disable allows to recreate the proper symlinks. # Playing with enable/disable allows to recreate the proper symlinks.
if [ ! -e /etc/systemd/system/mysql.service ] if [ ! -e /etc/systemd/system/mysql.service ]; then
then systemctl stop mysql -q
systemctl stop mysql -q systemctl disable mysql -q
systemctl disable mysql -q systemctl disable mariadb -q
systemctl disable mariadb -q systemctl enable mariadb -q
systemctl enable mariadb -q systemctl is-active mariadb -q || systemctl start mariadb
systemctl is-active mariadb -q || systemctl start mariadb fi
fi
[[ -z "$regen_conf_files" ]] \ [[ -z "$regen_conf_files" ]] \
|| systemctl restart mysql || systemctl restart mysql
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

8
data/hooks/conf_regen/35-redis
View file

@ -1,13 +1,13 @@
#!/bin/bash #!/bin/bash
do_pre_regen() { do_pre_regen() {
: :
} }
do_post_regen() { do_post_regen() {
# Enforce these damn permissions because for some reason in some weird cases # Enforce these damn permissions because for some reason in some weird cases
# they are spontaneously replaced by root:root -_- # they are spontaneously replaced by root:root -_-
chown -R redis:adm /var/log/redis chown -R redis:adm /var/log/redis
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

63
data/hooks/conf_regen/37-mdns
View file

@ -3,55 +3,52 @@
set -e set -e
_generate_config() { _generate_config() {
echo "domains:" echo "domains:"
echo " - yunohost.local" echo " - yunohost.local"
for domain in $YNH_DOMAINS for domain in $YNH_DOMAINS; do
do # Only keep .local domains (don't keep
# Only keep .local domains (don't keep [[ "$domain" =~ [^.]+\.[^.]+\.local$ ]] && echo "Subdomain $domain cannot be handled by Bonjour/Zeroconf/mDNS" >&2
[[ "$domain" =~ [^.]+\.[^.]+\.local$ ]] && echo "Subdomain $domain cannot be handled by Bonjour/Zeroconf/mDNS" >&2 [[ "$domain" =~ ^[^.]+\.local$ ]] || continue
[[ "$domain" =~ ^[^.]+\.local$ ]] || continue echo " - $domain"
echo " - $domain" done
done
} }
do_init_regen() { do_init_regen() {
do_pre_regen do_pre_regen
do_post_regen /etc/systemd/system/yunomdns.service do_post_regen /etc/systemd/system/yunomdns.service
systemctl enable yunomdns systemctl enable yunomdns
} }
do_pre_regen() { do_pre_regen() {
pending_dir="$1" pending_dir="$1"
cd /usr/share/yunohost/templates/mdns cd /usr/share/yunohost/templates/mdns
mkdir -p ${pending_dir}/etc/systemd/system/ mkdir -p ${pending_dir}/etc/systemd/system/
cp yunomdns.service ${pending_dir}/etc/systemd/system/ cp yunomdns.service ${pending_dir}/etc/systemd/system/
getent passwd mdns &>/dev/null || useradd --no-create-home --shell /usr/sbin/nologin --system --user-group mdns getent passwd mdns &>/dev/null || useradd --no-create-home --shell /usr/sbin/nologin --system --user-group mdns
mkdir -p ${pending_dir}/etc/yunohost mkdir -p ${pending_dir}/etc/yunohost
_generate_config > ${pending_dir}/etc/yunohost/mdns.yml _generate_config >${pending_dir}/etc/yunohost/mdns.yml
} }
do_post_regen() { do_post_regen() {
regen_conf_files="$1" regen_conf_files="$1"
chown mdns:mdns /etc/yunohost/mdns.yml chown mdns:mdns /etc/yunohost/mdns.yml
# If we changed the systemd ynh-override conf # If we changed the systemd ynh-override conf
if echo "$regen_conf_files" | sed 's/,/\n/g' | grep -q "^/etc/systemd/system/yunomdns.service$" if echo "$regen_conf_files" | sed 's/,/\n/g' | grep -q "^/etc/systemd/system/yunomdns.service$"; then
then systemctl daemon-reload
systemctl daemon-reload fi
fi
# Legacy stuff to enable the new yunomdns service on legacy systems # Legacy stuff to enable the new yunomdns service on legacy systems
if [[ -e /etc/avahi/avahi-daemon.conf ]] && grep -q 'yunohost' /etc/avahi/avahi-daemon.conf if [[ -e /etc/avahi/avahi-daemon.conf ]] && grep -q 'yunohost' /etc/avahi/avahi-daemon.conf; then
then systemctl enable yunomdns
systemctl enable yunomdns fi
fi
[[ -z "$regen_conf_files" ]] \ [[ -z "$regen_conf_files" ]] \
|| systemctl restart yunomdns || systemctl restart yunomdns
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

111
data/hooks/conf_regen/43-dnsmasq
View file

@ -4,80 +4,77 @@ set -e
. /usr/share/yunohost/helpers . /usr/share/yunohost/helpers
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/dnsmasq cd /usr/share/yunohost/templates/dnsmasq
# create directory for pending conf # create directory for pending conf
dnsmasq_dir="${pending_dir}/etc/dnsmasq.d" dnsmasq_dir="${pending_dir}/etc/dnsmasq.d"
mkdir -p "$dnsmasq_dir" mkdir -p "$dnsmasq_dir"
etcdefault_dir="${pending_dir}/etc/default" etcdefault_dir="${pending_dir}/etc/default"
mkdir -p "$etcdefault_dir" mkdir -p "$etcdefault_dir"
# add general conf files # add general conf files
cp plain/etcdefault ${pending_dir}/etc/default/dnsmasq cp plain/etcdefault ${pending_dir}/etc/default/dnsmasq
cp plain/dnsmasq.conf ${pending_dir}/etc/dnsmasq.conf cp plain/dnsmasq.conf ${pending_dir}/etc/dnsmasq.conf
# add resolver file # add resolver file
cat plain/resolv.dnsmasq.conf | grep "^nameserver" | shuf > ${pending_dir}/etc/resolv.dnsmasq.conf cat plain/resolv.dnsmasq.conf | grep "^nameserver" | shuf >${pending_dir}/etc/resolv.dnsmasq.conf
# retrieve variables # retrieve variables
ipv4=$(curl -s -4 https://ip.yunohost.org 2>/dev/null || true) ipv4=$(curl -s -4 https://ip.yunohost.org 2>/dev/null || true)
ynh_validate_ip4 "$ipv4" || ipv4='127.0.0.1' ynh_validate_ip4 "$ipv4" || ipv4='127.0.0.1'
ipv6=$(curl -s -6 https://ip6.yunohost.org 2>/dev/null || true) ipv6=$(curl -s -6 https://ip6.yunohost.org 2>/dev/null || true)
ynh_validate_ip6 "$ipv6" || ipv6='' ynh_validate_ip6 "$ipv6" || ipv6=''
export ipv4 export ipv4
export ipv6 export ipv6
# add domain conf files # add domain conf files
for domain in $YNH_DOMAINS; do for domain in $YNH_DOMAINS; do
export domain export domain
ynh_render_template "domain.tpl" "${dnsmasq_dir}/${domain}" ynh_render_template "domain.tpl" "${dnsmasq_dir}/${domain}"
done done
# remove old domain conf files # remove old domain conf files
conf_files=$(ls -1 /etc/dnsmasq.d \ conf_files=$(ls -1 /etc/dnsmasq.d \
| awk '/^[^\.]+\.[^\.]+.*$/ { print $1 }') | awk '/^[^\.]+\.[^\.]+.*$/ { print $1 }')
for domain in $conf_files; do for domain in $conf_files; do
[[ $YNH_DOMAINS =~ $domain ]] \ [[ $YNH_DOMAINS =~ $domain ]] \
|| touch "${dnsmasq_dir}/${domain}" || touch "${dnsmasq_dir}/${domain}"
done done
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
# Fuck it, those domain/search entries from dhclient are usually annoying # Fuck it, those domain/search entries from dhclient are usually annoying
# lying shit from the ISP trying to MiTM # lying shit from the ISP trying to MiTM
if grep -q -E "^ *(domain|search)" /run/resolvconf/resolv.conf if grep -q -E "^ *(domain|search)" /run/resolvconf/resolv.conf; then
then if grep -q -E "^ *(domain|search)" /run/resolvconf/interface/*.dhclient 2>/dev/null; then
if grep -q -E "^ *(domain|search)" /run/resolvconf/interface/*.dhclient 2>/dev/null sed -E "s/^(domain|search)/#\1/g" -i /run/resolvconf/interface/*.dhclient
then fi
sed -E "s/^(domain|search)/#\1/g" -i /run/resolvconf/interface/*.dhclient
fi
grep -q '^supersede domain-name "";' /etc/dhcp/dhclient.conf 2>/dev/null || echo 'supersede domain-name "";' >> /etc/dhcp/dhclient.conf grep -q '^supersede domain-name "";' /etc/dhcp/dhclient.conf 2>/dev/null || echo 'supersede domain-name "";' >>/etc/dhcp/dhclient.conf
grep -q '^supersede domain-search "";' /etc/dhcp/dhclient.conf 2>/dev/null || echo 'supersede domain-search "";' >> /etc/dhcp/dhclient.conf grep -q '^supersede domain-search "";' /etc/dhcp/dhclient.conf 2>/dev/null || echo 'supersede domain-search "";' >>/etc/dhcp/dhclient.conf
grep -q '^supersede name "";' /etc/dhcp/dhclient.conf 2>/dev/null || echo 'supersede name "";' >> /etc/dhcp/dhclient.conf grep -q '^supersede name "";' /etc/dhcp/dhclient.conf 2>/dev/null || echo 'supersede name "";' >>/etc/dhcp/dhclient.conf
systemctl restart resolvconf systemctl restart resolvconf
fi fi
# Some stupid things like rabbitmq-server used by onlyoffice won't work if # Some stupid things like rabbitmq-server used by onlyoffice won't work if
# the *short* hostname doesn't exists in /etc/hosts -_- # the *short* hostname doesn't exists in /etc/hosts -_-
short_hostname=$(hostname -s) short_hostname=$(hostname -s)
grep -q "127.0.0.1.*$short_hostname" /etc/hosts || echo -e "\n127.0.0.1\t$short_hostname" >>/etc/hosts grep -q "127.0.0.1.*$short_hostname" /etc/hosts || echo -e "\n127.0.0.1\t$short_hostname" >>/etc/hosts
[[ -n "$regen_conf_files" ]] || return [[ -n "$regen_conf_files" ]] || return
# Remove / disable services likely to conflict with dnsmasq # Remove / disable services likely to conflict with dnsmasq
for SERVICE in systemd-resolved bind9 for SERVICE in systemd-resolved bind9; do
do systemctl is-enabled $SERVICE &>/dev/null && systemctl disable $SERVICE 2>/dev/null
systemctl is-enabled $SERVICE &>/dev/null && systemctl disable $SERVICE 2>/dev/null systemctl is-active $SERVICE &>/dev/null && systemctl stop $SERVICE
systemctl is-active $SERVICE &>/dev/null && systemctl stop $SERVICE done
done
systemctl restart dnsmasq systemctl restart dnsmasq
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

16
data/hooks/conf_regen/46-nsswitch
View file

@ -3,23 +3,23 @@
set -e set -e
do_init_regen() { do_init_regen() {
do_pre_regen "" do_pre_regen ""
systemctl restart unscd systemctl restart unscd
} }
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/nsswitch cd /usr/share/yunohost/templates/nsswitch
install -D -m 644 nsswitch.conf "${pending_dir}/etc/nsswitch.conf" install -D -m 644 nsswitch.conf "${pending_dir}/etc/nsswitch.conf"
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
[[ -z "$regen_conf_files" ]] \ [[ -z "$regen_conf_files" ]] \
|| systemctl restart unscd || systemctl restart unscd
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

24
data/hooks/conf_regen/52-fail2ban
View file

@ -5,26 +5,26 @@ set -e
. /usr/share/yunohost/helpers . /usr/share/yunohost/helpers
do_pre_regen() { do_pre_regen() {
pending_dir=$1 pending_dir=$1
cd /usr/share/yunohost/templates/fail2ban cd /usr/share/yunohost/templates/fail2ban
fail2ban_dir="${pending_dir}/etc/fail2ban" fail2ban_dir="${pending_dir}/etc/fail2ban"
mkdir -p "${fail2ban_dir}/filter.d" mkdir -p "${fail2ban_dir}/filter.d"
mkdir -p "${fail2ban_dir}/jail.d" mkdir -p "${fail2ban_dir}/jail.d"
cp yunohost.conf "${fail2ban_dir}/filter.d/yunohost.conf" cp yunohost.conf "${fail2ban_dir}/filter.d/yunohost.conf"
cp jail.conf "${fail2ban_dir}/jail.conf" cp jail.conf "${fail2ban_dir}/jail.conf"
export ssh_port="$(yunohost settings get 'security.ssh.port')" export ssh_port="$(yunohost settings get 'security.ssh.port')"
ynh_render_template "yunohost-jails.conf" "${fail2ban_dir}/jail.d/yunohost-jails.conf" ynh_render_template "yunohost-jails.conf" "${fail2ban_dir}/jail.d/yunohost-jails.conf"
} }
do_post_regen() { do_post_regen() {
regen_conf_files=$1 regen_conf_files=$1
[[ -z "$regen_conf_files" ]] \ [[ -z "$regen_conf_files" ]] \
|| systemctl reload fail2ban || systemctl reload fail2ban
} }
do_$1_regen ${@:2} do_$1_regen ${@:2}

2
data/hooks/post_user_create/ynh_multimedia
View file

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
user=$1 user=$1
readonly MEDIA_GROUP=multimedia readonly MEDIA_GROUP=multimedia
readonly MEDIA_DIRECTORY=/home/yunohost.multimedia readonly MEDIA_DIRECTORY=/home/yunohost.multimedia

12
data/hooks/restore/05-conf_ldap
View file

@ -14,11 +14,11 @@ die() {
# Restore saved configuration and database # Restore saved configuration and database
[[ $state -ge 1 ]] \ [[ $state -ge 1 ]] \
&& (rm -rf /etc/ldap/slapd.d && && (rm -rf /etc/ldap/slapd.d \
mv "${TMPDIR}/slapd.d" /etc/ldap/slapd.d) && mv "${TMPDIR}/slapd.d" /etc/ldap/slapd.d)
[[ $state -ge 2 ]] \ [[ $state -ge 2 ]] \
&& (rm -rf /var/lib/ldap && && (rm -rf /var/lib/ldap \
mv "${TMPDIR}/ldap" /var/lib/ldap) && mv "${TMPDIR}/ldap" /var/lib/ldap)
chown -R openldap: /etc/ldap/slapd.d /var/lib/ldap chown -R openldap: /etc/ldap/slapd.d /var/lib/ldap
systemctl start slapd systemctl start slapd
@ -38,7 +38,7 @@ cp -a "${backup_dir}/ldap.conf" /etc/ldap/ldap.conf
|| cp -a "${backup_dir}/slapd.conf" /etc/ldap/slapd.conf || cp -a "${backup_dir}/slapd.conf" /etc/ldap/slapd.conf
slapadd -F /etc/ldap/slapd.d -b cn=config \ slapadd -F /etc/ldap/slapd.d -b cn=config \
-l "${backup_dir}/cn=config.master.ldif" \ -l "${backup_dir}/cn=config.master.ldif" \
|| die 1 "Unable to restore LDAP configuration" || die 1 "Unable to restore LDAP configuration"
chown -R openldap: /etc/ldap/slapd.d chown -R openldap: /etc/ldap/slapd.d
# Restore the database # Restore the database
@ -46,7 +46,7 @@ mv /var/lib/ldap "$TMPDIR"
mkdir -p /var/lib/ldap mkdir -p /var/lib/ldap
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org \ slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org \
-l "${backup_dir}/dc=yunohost-dc=org.ldif" \ -l "${backup_dir}/dc=yunohost-dc=org.ldif" \
|| die 2 "Unable to restore LDAP database" || die 2 "Unable to restore LDAP database"
chown -R openldap: /var/lib/ldap chown -R openldap: /var/lib/ldap
systemctl start slapd systemctl start slapd

3
data/hooks/restore/50-conf_manually_modified_files
View file

@ -5,8 +5,7 @@ ynh_abort_if_errors
YNH_CWD="${YNH_BACKUP_DIR%/}/conf/manually_modified_files" YNH_CWD="${YNH_BACKUP_DIR%/}/conf/manually_modified_files"
cd "$YNH_CWD" cd "$YNH_CWD"
for file in $(cat ./manually_modified_files_list) for file in $(cat ./manually_modified_files_list); do
do
ynh_restore_file --origin_path="$file" --not_mandatory ynh_restore_file --origin_path="$file" --not_mandatory
done done