From be91c1c2aba7f572fa1c550f4254f6461268b247 Mon Sep 17 00:00:00 2001 From: Miraty Date: Thu, 3 Mar 2022 17:58:37 +0100 Subject: [PATCH 01/16] Update to latest packaging format --- README.md | 54 ++++---- README_fr.md | 52 ++++---- conf/nginx.conf | 16 +-- conf/php-fpm.conf | 2 +- .../screenshots/screenshot.png | Bin manifest.json | 29 ++--- scripts/backup | 25 ++-- scripts/change_url | 41 +++++-- scripts/install | 102 ++++++--------- scripts/remove | 12 +- scripts/restore | 61 ++++----- scripts/upgrade | 116 ++++-------------- 12 files changed, 191 insertions(+), 319 deletions(-) rename screenshot.png => doc/screenshots/screenshot.png (100%) diff --git a/README.md b/README.md index 6262d00..1db2b9a 100755 --- a/README.md +++ b/README.md @@ -1,8 +1,12 @@ + + # LibreQR for YunoHost [![Integration level](https://dash.yunohost.org/integration/qr.svg)](https://dash.yunohost.org/appci/app/qr) ![](https://ci-apps.yunohost.org/ci/badges/qr.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/qr.maintain.svg) - -[![Install LibreQR with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=qr) +[![Install LibreQR with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=qr) *[Lire ce readme en français.](./README_fr.md)* 
@@ -11,41 +15,31 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in ## Overview -A Web interface for generating QR codes in PHP. +Web interface for generating QR codes -**Shipped version:** 1.3.0 +**Shipped version:** 1.3.0~ynh1 -## Screenshot +**Demo:** https://qr.antopie.org -![](screenshot.png) +## Screenshots -## Demo +![](./doc/screenshots/screenshot.png) -* [Official demo](https://qr.antopie.org) +## Documentation and resources -## Configuration +* Upstream app code repository: https://code.antopie.org/miraty/libreqr +* YunoHost documentation for this app: https://yunohost.org/app_qr +* Report a bug: https://code.antopie.org/miraty/qr_ynh/issues -You can configure this app by editing `/var/www/qr/config.inc.php`. +## Developer info -## YunoHost specific features +Please send your pull request to the [testing branch](https://code.antopie.org/miraty/qr_ynh/src/branch/testing). -### Multi-user support +To try the testing branch, please proceed like that. +``` +sudo yunohost app install https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug +or +sudo yunohost app upgrade qr -u https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug +``` -* There is no authentication in the app -* The app can be installed multiple time - -### Supported architectures - -* x86-64 - [![Build Status](https://ci-apps.yunohost.org/ci/logs/qr%20%28Apps%29.svg)](https://ci-apps.yunohost.org/ci/apps/qr/) -* ARMv8-A - [![Build Status](https://ci-apps-arm.yunohost.org/ci/logs/qr%20%28Apps%29.svg)](https://ci-apps-arm.yunohost.org/ci/apps/qr/) - -## Additional information - -The application is called LibreQR, but its technical ID in YunoHost is `qr` for historical reasons. - -## Links - - * Report a bug in this package: - * Report a bug in LibreQR: - * LibreQR repository: - * YunoHost website: +**More info regarding app packaging:** https://yunohost.org/packaging_apps \ No newline at end of file 
diff --git a/README_fr.md b/README_fr.md index 35377a7..edc2602 100755 --- a/README_fr.md +++ b/README_fr.md 
@@ -1,51 +1,41 @@ # LibreQR pour YunoHost [![Niveau d'intégration](https://dash.yunohost.org/integration/qr.svg)](https://dash.yunohost.org/appci/app/qr) ![](https://ci-apps.yunohost.org/ci/badges/qr.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/qr.maintain.svg) - -[![Installer LibreQR avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=qr) +[![Installer LibreQR avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=qr) *[Read this readme in english.](./README.md)* +*[Lire ce readme en français.](./README_fr.md)* > *Ce package vous permet d'installer LibreQR rapidement et simplement sur un serveur YunoHost. -Si vous n'avez pas YunoHost, consultez [le guide](https://yunohost.org/#/install) pour apprendre comment l'installer.* +Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.* ## Vue d'ensemble -Une interface Web pour générer des codes QR en PHP. +Interface Web pour générer des codes QR -**Version incluse :** 1.3.0 +**Version incluse :** 1.3.0~ynh1 -## Capture d'écran +**Démo :** https://qr.antopie.org -![](screenshot.png) +## Captures d'écran -## Démo +![](./doc/screenshots/screenshot.png) -* [Démo officielle](https://qr.antopie.org) +## Documentations et ressources -## Configuration +* Dépôt de code officiel de l'app : https://code.antopie.org/miraty/libreqr +* Documentation YunoHost pour cette app : https://yunohost.org/app_qr +* Signaler un bug : https://code.antopie.org/miraty/qr_ynh/issues -Vous pouvez configurer cette application en modifiant `/var/www/qr/config.inc.php`. +## Informations pour les développeurs -## Caractéristiques spécifiques YunoHost +Merci de faire vos pull request sur la [branche testing](https://code.antopie.org/miraty/qr_ynh/src/branch/testing). -### Support multi-utilisateur +Pour essayer la branche testing, procédez comme suit. 
+``` +sudo yunohost app install https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug +ou +sudo yunohost app upgrade qr -u https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug +``` -* Il n'y a pas d'authentification dans l'application -* L'application peut-être installée plusieurs fois - -### Architectures supportées - -* x86-64 - [![Build Status](https://ci-apps.yunohost.org/ci/logs/qr%20%28Apps%29.svg)](https://ci-apps.yunohost.org/ci/apps/qr/) -* ARMv8-A - [![Build Status](https://ci-apps-arm.yunohost.org/ci/logs/qr%20%28Apps%29.svg)](https://ci-apps-arm.yunohost.org/ci/apps/qr/) - -## Informations additionnelles - -L'application s'appelle LibreQR, mais son identifiant technique dans YunoHost est `qr` pour des raisons historiques. - -## Liens - - * Signaler un bug dans ce paquet : - * Signaler un bug dans LibreQR : - * Dépôt de LibreQR : - * Site web de YunoHost : +**Plus d'infos sur le packaging d'applications :** https://yunohost.org/packaging_apps \ No newline at end of file diff --git a/conf/nginx.conf b/conf/nginx.conf index 37de41d..154622a 100755 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -2,19 +2,10 @@ location __PATH__/ { # Path to source - alias __FINALPATH__/ ; + alias __FINALPATH__/; - # Force usage of https - if ($scheme = http) { - rewrite ^ https://$server_name$request_uri? permanent; - } - -### Example PHP configuration (remove it if not used) index index.php; - # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file - #client_max_body_size 50M; - try_files $uri $uri/ index.php; location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; 
@@ -26,7 +17,10 @@ location __PATH__/ { fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $request_filename; } -### End of PHP configuration part + + # Security related headers + more_set_headers "Referrer-Policy: no-referrer"; + more_set_headers "Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; manifest-src 'self'; frame-ancestors 'none';"; # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index ab1a471..95f5229 100755 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -353,7 +353,7 @@ request_terminate_timeout = 1d ; possible. However, all PHP paths will be relative to the chroot ; (error_log, sessions.save_path, ...). ; Default Value: not set -;chroot = +;chroot = __FINALPATH__ ; Chdir to this directory at the start. ; Note: relative path can be used. diff --git a/screenshot.png b/doc/screenshots/screenshot.png similarity index 100% rename from screenshot.png rename to doc/screenshots/screenshot.png diff --git a/manifest.json b/manifest.json index 21178f9..264caa3 100755 --- a/manifest.json +++ b/manifest.json @@ -8,6 +8,11 @@ }, "version": "1.3.0~ynh1", "url": "https://code.antopie.org/miraty/libreqr", + "upstream": { + "license": "AGPL-3.0-or-later", + "demo": "https://qr.antopie.org", + "code": "https://code.antopie.org/miraty/libreqr" + }, "license": "AGPL-3.0-or-later", "maintainer": { "name": "Miraty", @@ -15,7 +20,7 @@ "url": "https://miraty.antopie.org" }, "requirements": { - "yunohost": ">= 4.0" + "yunohost": ">= 4.1.2" }, "multi_instance": true, "services": [ 
@@ -26,31 +31,13 @@ "install" : [ { "name": "domain", - "type": "domain", - "ask": { - "en": "Choose a domain name for LibreQR", - "fr": "Choisissez un nom de domaine pour LibreQR" - }, - "example": "qr.domain.tld" + "type": "domain" }, { "name": "path", "type": "path", - "ask": { - "en": "Choose a path for LibreQR", - "fr": "Choisissez un chemin pour LibreQR" - }, "example": "/qr", - "default": "/qr" - }, - { - "name": "is_public", - "type": "boolean", - "ask": { - "en": "Is it a public application?", - "fr": "Est-ce une application publique ?" - }, - "default": true + "default": "/" } ] } diff --git a/scripts/backup b/scripts/backup index 6bcde3e..09b69eb 100755 --- a/scripts/backup +++ b/scripts/backup @@ -6,8 +6,6 @@ # IMPORT GENERIC HELPERS #================================================= -#Keep this path for calling _common.sh inside the execution's context of backup and restore scripts -source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers #================================================= 
@@ -24,39 +22,46 @@ ynh_abort_if_errors #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." + +ynh_print_info --message="Loading installation settings..." app=$YNH_APP_INSTANCE_NAME final_path=$(ynh_app_setting_get --app=$app --key=final_path) domain=$(ynh_app_setting_get --app=$app --key=domain) -#db_name=$(ynh_app_setting_get --app=$app --key=db_name) +phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= -# STANDARD BACKUP STEPS +# DECLARE DATA AND CONF FILES TO BACKUP +#================================================= + +ynh_print_info --message="Declaring files to be backed up..." + +### N.B. : the following 'ynh_backup' calls are only a *declaration* of what needs +### to be backuped and not an actual copy of any file. The actual backup that +### creates and fill the archive with the files happens in the core after this +### script is called. Hence ynh_backups calls takes basically 0 seconds to run. + #================================================= # BACKUP THE APP MAIN DIR #================================================= -ynh_script_progression --message="Backing up the main app directory..." ynh_backup --src_path="$final_path" #================================================= # BACKUP THE NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Backing up nginx web server configuration..." ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" #================================================= # BACKUP THE PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Backing up php-fpm configuration..." 
-ynh_backup --src_path="/etc/php/7.3/fpm/pool.d/$app.conf" +ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" #================================================= # END OF SCRIPT #================================================= -ynh_script_progression --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." --last +ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." diff --git a/scripts/change_url b/scripts/change_url index eeee689..dd445b0 100755 --- a/scripts/change_url +++ b/scripts/change_url @@ -6,7 +6,6 @@ # IMPORT GENERIC HELPERS #================================================= -source _common.sh source /usr/share/yunohost/helpers #================================================= 
@@ -24,15 +23,29 @@ app=$YNH_APP_INSTANCE_NAME #================================================= # LOAD SETTINGS #================================================= + ynh_script_progression --message="Loading installation settings..." # Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) -# Add settings here as needed by your application -#db_name=$(ynh_app_setting_get --app=$app --key=db_name) -#db_user=$db_name -#db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd) +#================================================= +# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP +#================================================= + +ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --time --weight=1 + +# Backup the current version of the app +ynh_backup_before_upgrade +ynh_clean_setup () { + # Remove the new domain config file, the remove script won't do it as it doesn't know yet its location. + ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" + + # Restore it if the upgrade fails + ynh_restore_upgradebackup +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors #================================================= # CHECK WHICH PARTS SHOULD BE CHANGED 
@@ -56,23 +69,24 @@ fi #================================================= # MODIFY URL IN NGINX CONF #================================================= -ynh_script_progression --message="Updating nginx web server configuration..." + +ynh_script_progression --message="Updating NGINX web server configuration..." nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf -# Change the path in the nginx config file +# Change the path in the NGINX config file if [ $change_path -eq 1 ] then - # Make a backup of the original nginx config file if modified + # Make a backup of the original NGINX config file if modified ynh_backup_if_checksum_is_different --file="$nginx_conf_path" - # Set global variables for nginx helper + # Set global variables for NGINX helper domain="$old_domain" path_url="$new_path" - # Create a dedicated nginx config + # Create a dedicated NGINX config ynh_add_nginx_config fi -# Change the domain for nginx +# Change the domain for NGINX if [ $change_domain -eq 1 ] then # Delete file checksum for the old conf file location @@ -85,7 +99,8 @@ fi #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." + +ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name=nginx --action=reload @@ -93,4 +108,4 @@ ynh_systemd_action --service_name=nginx --action=reload # END OF SCRIPT #================================================= -ynh_script_progression --message="Change of URL completed for $app" --time --last +ynh_script_progression --message="Change of URL completed for $app" --last diff --git a/scripts/install b/scripts/install index b5800e5..0476c67 100755 --- a/scripts/install +++ b/scripts/install 
@@ -6,17 +6,12 @@ # IMPORT GENERIC HELPERS #================================================= -source _common.sh source /usr/share/yunohost/helpers #================================================= # MANAGE SCRIPT FAILURE #================================================= -ynh_clean_setup () { - ### Remove this function if there's nothing to clean before calling the remove script. - true -} # Exit if an error occurs during the execution of the script ynh_abort_if_errors @@ -26,18 +21,17 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH -is_public=$YNH_APP_ARG_IS_PUBLIC ### If it's a multi-instance app, meaning it can be installed several times independently ### The id of the app as stated in the manifest is available as $YNH_APP_ID -### The instance number is available as $YNH_APP_INSTANCE_NUMBER (equals "1", "2", ...) +### The instance number is available as $YNH_APP_INSTANCE_NUMBER (equals "1", "2"...) ### The app instance name is available as $YNH_APP_INSTANCE_NAME ### - the first time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample ### - the second time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample__2 -### - ynhexample__{N} for the subsequent installations, with N=3,4, ... +### - ynhexample__{N} for the subsequent installations, with N=3,4... ### The app instance name is probably what interests you most, since this is ### guaranteed to be unique. This is a good unique identifier to define installation path, -### db names, ... +### db names... app=$YNH_APP_INSTANCE_NAME #================================================= 
@@ -53,8 +47,8 @@ app=$YNH_APP_INSTANCE_NAME ### The execution time is given for the duration since the previous call. So the weight should be applied to this previous call. ynh_script_progression --message="Validating installation parameters..." -### If the app uses nginx as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app". -### If the app provides an internal web server (or uses another application server such as uwsgi), the final path should be "/opt/yunohost/$app" +### If the app uses NGINX as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app". +### If the app provides an internal web server (or uses another application server such as uWSGI), the final path should be "/opt/yunohost/$app" final_path=/var/www/$app test ! -e "$final_path" || ynh_die --message="This path already contains a folder" 
@@ -64,100 +58,76 @@ ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url #================================================= # STORE SETTINGS FROM MANIFEST #================================================= + ynh_script_progression --message="Storing installation settings..." ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url -ynh_app_setting_set --app=$app --key=is_public --value=$is_public -ynh_app_setting_set --app=$app --key=final_path --value=$final_path #================================================= # STANDARD MODIFICATIONS #================================================= +#================================================= +# CREATE DEDICATED USER +#================================================= + +ynh_script_progression --message="Configuring system user..." + +# Create a system user +ynh_system_user_create --username=$app --home_dir="$final_path" + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= + ynh_script_progression --message="Setting up source files..." ### `ynh_setup_source` is used to install an app from a zip or tar.gz file, ### downloaded from an upstream source, like a git repository. ### `ynh_setup_source` use the file conf/app.src +ynh_app_setting_set --app=$app --key=final_path --value=$final_path # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" +# FIXME: this should be managed by the core in the future +# Here, as a packager, you may have to tweak the ownerhsip/permissions +# such that the appropriate users (e.g. maybe www-data) can access +# files in some cases. +# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - +# this will be treated as a security issue. 
+chmod -R 440 "$final_path" +find "$final_path" -type d | xargs chmod 110 +chmod 750 "$final_path"/temp +chown -R $app:www-data "$final_path" + #================================================= # NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Configuring nginx web server..." + +ynh_script_progression --message="Configuring NGINX web server..." ### `ynh_add_nginx_config` will use the file conf/nginx.conf -# Create a dedicated nginx config +# Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Configuring system user..." - -# Create a system user -ynh_system_user_create --username=$app - #================================================= # PHP-FPM CONFIGURATION #================================================= -ynh_script_progression "Configuring php-fpm..." -### `ynh_add_fpm_config` is used to set up a PHP config. -### You can remove it if your app doesn't use PHP. -### `ynh_add_fpm_config` will use the files conf/php-fpm.conf and conf/php-fpm.ini -### If you're not using these lines: -### - You can remove these files in conf/. -### - Remove the section "BACKUP THE PHP-FPM CONFIGURATION" in the backup script -### - Remove also the section "REMOVE PHP-FPM CONFIGURATION" in the remove script -### - As well as the section "RESTORE THE PHP-FPM CONFIGURATION" in the restore script -### With the reload at the end of the script. -### - And the section "PHP-FPM CONFIGURATION" in the upgrade script +ynh_script_progression --message="Configuring PHP-FPM..." 
-# Create a dedicated php-fpm config +# Create a dedicated PHP-FPM config ynh_add_fpm_config #================================================= -# GENERIC FINALIZATION -#================================================= -# SECURE FILES AND DIRECTORIES -#================================================= - -### For security reason, any app should set the permissions to root: before anything else. -### Then, if write authorization is needed, any access should be given only to directories -### that really need such authorization. - -# Set permissions to app files -chown -R root: $final_path -find $final_path -type f | xargs chmod 644 -find $final_path -type d | xargs chmod 755 - -# For temp subdir, the user must have write permissions -mkdir -p $final_path/temp -chown -R $app:root $final_path/temp -chmod 711 $final_path/temp - -#================================================= -# SETUP SSOWAT -#================================================= -ynh_script_progression --message="Configuring SSOwat..." - -# Make app public if necessary -if [ $is_public -eq 1 ] -then - ynh_permission_update --permission "main" --add visitors -fi - +# GENERIC FINALIZATIONs #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." + +ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/remove b/scripts/remove index ee40376..d4d1190 100755 --- a/scripts/remove +++ b/scripts/remove @@ -6,7 +6,6 @@ # IMPORT GENERIC HELPERS #================================================= -source _common.sh source /usr/share/yunohost/helpers #================================================= 
@@ -17,7 +16,6 @@ ynh_script_progression --message="Loading installation settings..." app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) -#port=$(ynh_app_setting_get --app=$app --key=port) final_path=$(ynh_app_setting_get --app=$app --key=final_path) #================================================= @@ -34,21 +32,19 @@ ynh_secure_remove --file="$final_path" #================================================= # REMOVE NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Removing nginx web server configuration..." +ynh_script_progression --message="Removing NGINX web server configuration..." -# Remove the dedicated nginx config +# Remove the dedicated NGINX config ynh_remove_nginx_config #================================================= # REMOVE PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Removing php-fpm configuration..." +ynh_script_progression --message="Removing PHP-FPM configuration..." -# Remove the dedicated php-fpm config +# Remove the dedicated PHP-FPM config ynh_remove_fpm_config -ynh_systemd_action --action=restart --service_name=php7.3-fpm - #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/restore b/scripts/restore index c440d16..fae3895 100755 --- a/scripts/restore +++ b/scripts/restore @@ -6,8 +6,6 @@ # IMPORT GENERIC HELPERS #================================================= -#Keep this path for calling _common.sh inside the execution's context of backup and restore scripts -source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers #================================================= 
@@ -24,32 +22,34 @@ ynh_abort_if_errors #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading settings..." +ynh_script_progression --message="Loading installation settings..." --weight=1 app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) +phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= # CHECK IF THE APP CAN BE RESTORED -#================================================= -ynh_script_progression --message="Validating restoration parameters..." - -ynh_webpath_available --domain=$domain --path_url=$path_url \ - || ynh_die --message="Path not available: ${domain}${path_url}" -test ! -d $final_path \ - || ynh_die --message="There is already a directory: $final_path " - #================================================= # STANDARD RESTORATION STEPS #================================================= # RESTORE THE NGINX CONFIGURATION #================================================= +ynh_script_progression --message="Restoring the NGINX configuration..." --weight=1 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +#================================================= +# RECREATE THE DEDICATED USER +#================================================= +ynh_script_progression --message="Recreating the dedicated system user..." + +# Create the dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" + #================================================= # RESTORE THE APP MAIN DIR #================================================= 
@@ -57,31 +57,16 @@ ynh_script_progression --message="Restoring the app main directory..." ynh_restore_file --origin_path="$final_path" -#================================================= -# RECREATE THE DEDICATED USER -#================================================= -ynh_script_progression --message="Recreating the dedicated system user..." - -# Create the dedicated user (if not existing) -ynh_system_user_create --username=$app - -#================================================= -# RESTORE USER RIGHTS -#================================================= - -### For security reason, any app should set the permissions to root: before anything else. -### Then, if write authorization is needed, any access should be given only to directories -### that really need such authorization. - -# Set permissions to app files -chown -R root: $final_path -find $final_path -type f | xargs chmod 644 -find $final_path -type d | xargs chmod 755 - -# For temp subdir, the user must have write permissions -mkdir -p $final_path/temp -chown -R $app:root $final_path/temp -chmod 711 $final_path/temp +# FIXME: this should be managed by the core in the future +# Here, as a packager, you may have to tweak the ownerhsip/permissions +# such that the appropriate users (e.g. maybe www-data) can access +# files in some cases. +# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - +# this will be treated as a security issue. +chmod -R 440 "$final_path" +find "$final_path" -type d | xargs chmod 110 +chmod 750 "$final_path"/temp +chown -R $app:www-data "$final_path" #================================================= # RESTORE THE PHP-FPM CONFIGURATION 
@@ -94,9 +79,9 @@ ynh_restore_file --origin_path="/etc/php/7.3/fpm/pool.d/$app.conf" #================================================= # RELOAD NGINX AND PHP-FPM #================================================= -ynh_script_progression --message="Reloading nginx web server and php-fpm..." +ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." -ynh_systemd_action --service_name=php7.3-fpm --action=reload +ynh_systemd_action --service_name=php$phpversion-fpm --action=reload ynh_systemd_action --service_name=nginx --action=reload #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 4862fcc..ef12088 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -6,19 +6,18 @@ # IMPORT GENERIC HELPERS #================================================= -source _common.sh source /usr/share/yunohost/helpers #================================================= # LOAD SETTINGS #================================================= + ynh_script_progression --message="Loading installation settings..." app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) -is_public=$(ynh_app_setting_get --app=$app --key=is_public) final_path=$(ynh_app_setting_get --app=$app --key=final_path) #================================================= 
@@ -33,29 +32,10 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) ### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do. upgrade_type=$(ynh_check_app_version_changed) -#================================================= -# ENSURE DOWNWARD COMPATIBILITY -#================================================= -ynh_script_progression --message="Ensuring downward compatibility..." - -# Fix is_public as a boolean value -if [ "$is_public" = "Yes" ]; then - ynh_app_setting_set --app=$app --key=is_public --value=1 - is_public=1 -elif [ "$is_public" = "No" ]; then - ynh_app_setting_set --app=$app --key=is_public --value=0 - is_public=0 -fi - -# If final_path doesn't exist, create it -if [ -z "$final_path" ]; then - final_path=/var/www/$app - ynh_app_setting_set --app=$app --key=final_path --value=$final_path -fi - #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= + ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." # Backup the current version of the app @@ -70,6 +50,13 @@ ynh_abort_if_errors #================================================= # STANDARD UPGRADE STEPS #================================================= +# CREATE DEDICATED USER +#================================================= + +ynh_script_progression --message="Making sure dedicated system user exists..." + +# Create a dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE 
@@ -84,88 +71,37 @@ then # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" - fi +# FIXME: this should be managed by the core in the future +# Here, as a packager, you may have to tweak the ownerhsip/permissions +# such that the appropriate users (e.g. maybe www-data) can access +# files in some cases. +# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - +# this will be treated as a security issue. +chmod -R 440 "$final_path" +find "$final_path" -type d | xargs chmod 110 +chmod 750 "$final_path"/temp +chown -R $app:www-data "$final_path" + #================================================= # NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Upgrading nginx web server configuration..." -# Create a dedicated nginx config +ynh_script_progression --message="Upgrading NGINX web server configuration..." + +# Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# UPGRADE DEPENDENCIES -#================================================= -#ynh_script_progression --message="Upgrading dependencies..." - -#ynh_install_app_dependencies $pkg_dependencies - -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Making sure dedicated system user exists..." - -# Create a dedicated user (if not existing) -ynh_system_user_create --username=$app - #================================================= # PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Upgrading php-fpm configuration..." -# Create a dedicated php-fpm config +ynh_script_progression --message="Upgrading PHP-FPM configuration..." 
+ +# Create a dedicated PHP-FPM config ynh_add_fpm_config -#================================================= -# STORE THE CONFIG FILE CHECKSUM -#================================================= - -### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script. -### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it. -ynh_backup_if_checksum_is_different --file="$final_path/config.inc.php" -# Recalculate and store the checksum of the file for the next upgrade. -ynh_store_file_checksum --file="$final_path/config.inc.php" - -#================================================= -# GENERIC FINALIZATION -#================================================= -# SECURE FILES AND DIRECTORIES -#================================================= - -### For security reason, any app should set the permissions to root: before anything else. -### Then, if write authorization is needed, any access should be given only to directories -### that really need such authorization. - -# Set permissions to app files -chown -R root: $final_path -find $final_path -type f | xargs chmod 644 -find $final_path -type d | xargs chmod 755 - -# For temp subdir, the user must have write permissions -mkdir -p $final_path/temp -chown -R $app:root $final_path/temp -chmod 711 $final_path/temp - -#================================================= -# SETUP SSOWAT -#================================================= -ynh_script_progression --message="Upgrading SSOwat configuration..." - -# Make app public if necessary -if [ $is_public -eq 1 ] -then - ynh_permission_update --permission "main" --add visitors -fi - -#================================================= -# RELOAD NGINX -#================================================= -ynh_script_progression --message="Reloading nginx web server..." 
- -ynh_systemd_action --service_name=nginx --action=reload - #================================================= # END OF SCRIPT #================================================= From cff7a231f0e825c04784bab975815d05ddd0bbb9 Mon Sep 17 00:00:00 2001 From: Miraty Date: Sat, 5 Mar 2022 00:25:55 +0100 Subject: [PATCH 02/16] Chroot PHP-FPM and upgrade to LibreQR 2.0.0-beta1 --- check_process | 10 ++ conf/app.src | 4 +- conf/nginx.conf | 9 +- conf/php-fpm.conf | 415 +--------------------------------------------- scripts/install | 12 +- scripts/restore | 14 +- scripts/upgrade | 2 +- 7 files changed, 24 insertions(+), 442 deletions(-) create mode 100644 check_process diff --git a/check_process b/check_process new file mode 100644 index 0000000..5586420 --- /dev/null +++ b/check_process @@ -0,0 +1,10 @@ +;; Default test serie + ; Checks + pkg_linter=1 + setup_sub_dir=1 + setup_root=1 + setup_private=1 + upgrade=1 + backup_restore=1 + multi_instance=1 + change_url=1 diff --git a/conf/app.src b/conf/app.src index 0920305..4a9a880 100755 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://libreqr.antopie.org/releases/libreqr-1.3.0.tar.gz -SOURCE_SUM=50334a26fcb478914a29cdc5b04a2a21f1428269197befca65c3d234aac0859df75609292ea69b855a8a9e43c8747a2fe38389ae4b7fb29c0613a040a65ab455 +SOURCE_URL=https://code.antopie.org/miraty/libreqr/archive/2.0.0-beta1.tar.gz +SOURCE_SUM=c4f14723dad06c7e5deff794a41fc12ddfd57b3403e5a9ed2696157d57ed12737487bbb1d8c729579611a327642780b35c2886c7a217bb7fcf0e2e47137f9a8c SOURCE_SUM_PRG=sha512sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true diff --git a/conf/nginx.conf b/conf/nginx.conf index 154622a..517c5dd 100755 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
@@ -6,21 +6,22 @@ location __PATH__/ { index index.php; - try_files $uri $uri/ index.php; - location ~ [^/]\.php(/|$) { + # Chrooted PHP-FPM + location ~ ^__PATH__(?/.*\.php) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; + alias /; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param SCRIPT_FILENAME $request_filename; + fastcgi_param SCRIPT_FILENAME $chroot_path; } # Security related headers more_set_headers "Referrer-Policy: no-referrer"; - more_set_headers "Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; manifest-src 'self'; frame-ancestors 'none';"; + more_set_headers "Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self' data:; frame-ancestors 'none'; form-action 'self';"; # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 95f5229..600477d 100755 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf 
@@ -1,430 +1,23 @@ -; Start a new pool named 'www'. -; the variable $pool can be used in any directive and will be replaced by the -; pool name ('www' here) [__NAMETOCHANGE__] -; Per pool prefix -; It only applies on the following directives: -; - 'access.log' -; - 'slowlog' -; - 'listen' (unixsocket) -; - 'chroot' -; - 'chdir' -; - 'php_values' -; - 'php_admin_values' -; When not set, the global prefix (or /usr) applies instead. -; Note: This directive can also be relative to the global prefix. -; Default Value: none -;prefix = /path/to/pools/$pool - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. user = __USER__ group = __USER__ -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on -; a specific port; -; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses -; (IPv6 and IPv4-mapped) on a specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. listen = /var/run/php/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock -; Set listen(2) backlog. -; Default Value: 511 (-1 on FreeBSD and OpenBSD) -;listen.backlog = 511 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0660 listen.owner = www-data listen.group = www-data -;listen.mode = 0660 -; When POSIX Access Control Lists are supported you can set them using -; these options, value is a comma separated list of user/group names. 
-; When set, listen.owner and listen.group are ignored -;listen.acl_users = -;listen.acl_groups = -; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -;listen.allowed_clients = 127.0.0.1 - -; Specify the nice(2) priority to apply to the pool processes (only if set) -; The value can vary from -19 (highest priority) to 20 (lower priority) -; Note: - It will only work if the FPM master process is launched as root -; - The pool processes will inherit the master process priority -; unless it specified otherwise -; Default Value: no set -; process.priority = -19 - -; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user -; or group is differrent than the master process user. It allows to create process -; core dump and ptrace the process for the pool user. -; Default Value: no -; process.dumpable = yes - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives. With this process management, there will be -; always at least 1 children. -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. -; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). 
If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; ondemand - no children are created at startup. Children will be forked when -; new requests will connect. The following parameter are used: -; pm.max_children - the maximum number of children that -; can be alive at the same time. -; pm.process_idle_timeout - The number of seconds after which -; an idle process will be killed. -; Note: This value is mandatory. pm = dynamic - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. The below defaults are based on a server without much resources. Don't -; forget to tweak pm.* to fit your needs. -; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' -; Note: This value is mandatory. pm.max_children = 5 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 pm.start_servers = 2 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' pm.min_spare_servers = 1 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' pm.max_spare_servers = 3 -; The number of seconds after which an idle process will be killed. -; Note: Used only when pm is set to 'ondemand' -; Default Value: 10s -;pm.process_idle_timeout = 10s; - -; The number of requests each child process should execute before respawning. 
-; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -;pm.max_requests = 500 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. It shows the following informations: -; pool - the name of the pool; -; process manager - static, dynamic or ondemand; -; start time - the date and time FPM has started; -; start since - number of seconds since FPM has started; -; accepted conn - the number of request accepted by the pool; -; listen queue - the number of request in the queue of pending -; connections (see backlog in listen(2)); -; max listen queue - the maximum number of requests in the queue -; of pending connections since FPM has started; -; listen queue len - the size of the socket queue of pending connections; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes; -; max active processes - the maximum number of active processes since FPM -; has started; -; max children reached - number of times, the process limit has been reached, -; when pm tries to start more children (works only for -; pm 'dynamic' and 'ondemand'); -; Value are updated in real time. -; Example output: -; pool: www -; process manager: static -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 62636 -; accepted conn: 190460 -; listen queue: 0 -; max listen queue: 1 -; listen queue len: 42 -; idle processes: 4 -; active processes: 11 -; total processes: 15 -; max active processes: 12 -; max children reached: 0 -; -; By default the status page output is formatted as text/plain. Passing either -; 'html', 'xml' or 'json' in the query string will return the corresponding -; output syntax. 
Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; http://www.foo.bar/status?xml -; -; By default the status page only outputs short status. Passing 'full' in the -; query string will also return status for each pool process. -; Example: -; http://www.foo.bar/status?full -; http://www.foo.bar/status?json&full -; http://www.foo.bar/status?html&full -; http://www.foo.bar/status?xml&full -; The Full status returns for each process: -; pid - the PID of the process; -; state - the state of the process (Idle, Running, ...); -; start time - the date and time the process has started; -; start since - the number of seconds since the process has started; -; requests - the number of requests the process has served; -; request duration - the duration in µs of the requests; -; request method - the request method (GET, POST, ...); -; request URI - the request URI with the query string; -; content length - the content length of the request (only with POST); -; user - the user (PHP_AUTH_USER) (or '-' if not set); -; script - the main script called (or '-' if not set); -; last request cpu - the %cpu the last request consumed -; it's always 0 if the process is not in Idle state -; because CPU calculation is done when the request -; processing has terminated; -; last request memory - the max amount of memory the last request consumed -; it's always 0 if the process is not in Idle state -; because memory calculation is done when the request -; processing has terminated; -; If the process is in Idle state, then informations are related to the -; last request the process has served. Otherwise informations are related to -; the current request being served. 
-; Example output: -; ************************ -; pid: 31330 -; state: Running -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 63087 -; requests: 12808 -; request duration: 1250261 -; request method: GET -; request URI: /test_mem.php?N=10000 -; content length: 0 -; user: - -; script: /home/fat/web/docs/php/test_mem.php -; last request cpu: 0.00 -; last request memory: 0 -; -; Note: There is a real-time FPM status monitoring sample web page available -; It's available in: /usr/share/php/7.0/fpm/status.html -; -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. -; Default Value: pong -;ping.response = pong - -; The access log file -; Default: not set -;access.log = log/$pool.access.log - -; The access log format. 
-; The following syntax is allowed -; %%: the '%' character -; %C: %CPU used by the request -; it can accept the following format: -; - %{user}C for user CPU only -; - %{system}C for system CPU only -; - %{total}C for user + system CPU (default) -; %d: time taken to serve the request -; it can accept the following format: -; - %{seconds}d (default) -; - %{miliseconds}d -; - %{mili}d -; - %{microseconds}d -; - %{micro}d -; %e: an environment variable (same as $_ENV or $_SERVER) -; it must be associated with embraces to specify the name of the env -; variable. Some exemples: -; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e -; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e -; %f: script filename -; %l: content-length of the request (for POST request only) -; %m: request method -; %M: peak of memory allocated by PHP -; it can accept the following format: -; - %{bytes}M (default) -; - %{kilobytes}M -; - %{kilo}M -; - %{megabytes}M -; - %{mega}M -; %n: pool name -; %o: output header -; it must be associated with embraces to specify the name of the header: -; - %{Content-Type}o -; - %{X-Powered-By}o -; - %{Transfert-Encoding}o -; - .... -; %p: PID of the child that serviced the request -; %P: PID of the parent of the child that serviced the request -; %q: the query string -; %Q: the '?' character if query string exists -; %r: the request URI (without the query string, see %q and %Q) -; %R: remote IP address -; %s: status (response code) -; %t: server time the request was received -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; The strftime(3) format must be encapsuled in a %{}t tag -; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t -; %T: time the log has been written (the request has finished) -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; The strftime(3) format must be encapsuled in a %{}t tag -; e.g. 
for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t -; %u: remote user -; -; Default: "%R - %u %t \"%m %r\" %s" -;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -;slowlog = log/$pool.log.slow - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 request_terminate_timeout = 1d -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 +chroot = __FINALPATH__ +chdir = / -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: you can prefix with '$prefix' to chroot to the pool prefix or one -; of its subdirectories. If the pool prefix is not set, the global prefix -; will be used instead. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = __FINALPATH__ - -; Chdir to this directory at the start. -; Note: relative path can be used. 
-; Default Value: current directory or / when chroot -chdir = __FINALPATH__ - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Note: on highloaded environement, this can cause some delay in the page -; process time (several ms). -; Default Value: no -;catch_workers_output = yes - -; Clear environment in FPM workers -; Prevents arbitrary environment variables from reaching FPM worker processes -; by clearing the environment in workers before env vars specified in this -; pool configuration are added. -; Setting to "no" will make all environment variables available to PHP code -; via getenv(), $_ENV and $_SERVER. -; Default Value: yes -;clear_env = no - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; execute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 .php7 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. 
Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Note: path INI options can be relative and will be expanded with the prefix -; (pool, global or /usr) - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -;php_admin_value[error_log] = /var/log/fpm-php.www.log -;php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 32M - -; Common values to change to increase file upload limit -; php_admin_value[upload_max_filesize] = 50M -; php_admin_value[post_max_size] = 50M -; php_admin_flag[mail.add_x_header] = Off - -; Other common parameters -; php_admin_value[max_execution_time] = 600 -; php_admin_value[max_input_time] = 300 -; php_admin_value[memory_limit] = 256M -; php_admin_flag[short_open_tag] = On +clear_env = yes +security.limit_extensions = .php diff --git a/scripts/install b/scripts/install index 0476c67..c9225fa 100755 --- a/scripts/install +++ b/scripts/install @@ -98,7 +98,7 @@ ynh_setup_source --dest_dir="$final_path" # this will be treated as a security issue. chmod -R 440 "$final_path" find "$final_path" -type d | xargs chmod 110 -chmod 750 "$final_path"/temp +chmod 750 "$final_path"/css chown -R $app:www-data "$final_path" #================================================= 
@@ -121,16 +121,6 @@ ynh_script_progression --message="Configuring PHP-FPM..." # Create a dedicated PHP-FPM config ynh_add_fpm_config -#================================================= -# GENERIC FINALIZATIONs -#================================================= -# RELOAD NGINX -#================================================= - -ynh_script_progression --message="Reloading NGINX web server..." - -ynh_systemd_action --service_name=nginx --action=reload - #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/restore b/scripts/restore index fae3895..8543710 100755 --- a/scripts/restore +++ b/scripts/restore @@ -31,8 +31,6 @@ path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) -#================================================= -# CHECK IF THE APP CAN BE RESTORED #================================================= # STANDARD RESTORATION STEPS #================================================= @@ -65,7 +63,7 @@ ynh_restore_file --origin_path="$final_path" # this will be treated as a security issue. chmod -R 440 "$final_path" find "$final_path" -type d | xargs chmod 110 -chmod 750 "$final_path"/temp +chmod 750 "$final_path"/css chown -R $app:www-data "$final_path" #================================================= 
@@ -74,16 +72,6 @@ chown -R $app:www-data "$final_path" ynh_restore_file --origin_path="/etc/php/7.3/fpm/pool.d/$app.conf" -#================================================= -# GENERIC FINALIZATION -#================================================= -# RELOAD NGINX AND PHP-FPM -#================================================= -ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." - -ynh_systemd_action --service_name=php$phpversion-fpm --action=reload -ynh_systemd_action --service_name=nginx --action=reload - #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index ef12088..8748e92 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -81,7 +81,7 @@ fi # this will be treated as a security issue. chmod -R 440 "$final_path" find "$final_path" -type d | xargs chmod 110 -chmod 750 "$final_path"/temp +chmod 750 "$final_path"/css chown -R $app:www-data "$final_path" #================================================= From b41fb8d94c1ae3042fbf03dcfc70d57255e1fe40 Mon Sep 17 00:00:00 2001 From: Miraty Date: Sat, 5 Mar 2022 02:39:55 +0100 Subject: [PATCH 03/16] Remove standard comments --- conf/nginx.conf | 2 +- scripts/_common.sh | 20 ---------- scripts/backup | 50 ------------------------ scripts/install | 94 +--------------------------------------------- scripts/remove | 40 -------------------- scripts/restore | 55 ++------------------------- scripts/upgrade | 69 ---------------------------------- 7 files changed, 5 insertions(+), 325 deletions(-) delete mode 100755 scripts/_common.sh diff --git a/conf/nginx.conf b/conf/nginx.conf index 517c5dd..d745eac 100755 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
@@ -7,7 +7,7 @@ location __PATH__/ { index index.php; # Chrooted PHP-FPM - location ~ ^__PATH__(?/.*\.php) { + location ~ ^__PATH__(?/.*\.php)$ { fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; diff --git a/scripts/_common.sh b/scripts/_common.sh deleted file mode 100755 index eea5970..0000000 --- a/scripts/_common.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -#================================================= -# COMMON VARIABLES -#================================================= - -# dependencies used by the app -#pkg_dependencies="deb1 deb2" - -#================================================= -# PERSONAL HELPERS -#================================================= - -#================================================= -# EXPERIMENTAL HELPERS -#================================================= - -#================================================= -# FUTURE OFFICIAL HELPERS -#================================================= diff --git a/scripts/backup b/scripts/backup index 09b69eb..e30872a 100755 --- a/scripts/backup +++ b/scripts/backup 
@@ -1,67 +1,17 @@ #!/bin/bash - -#================================================= -# GENERIC START -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source /usr/share/yunohost/helpers -#================================================= -# MANAGE SCRIPT FAILURE -#================================================= - -ynh_clean_setup () { - ### Remove this function if there's nothing to clean before calling the remove script. - true -} -# Exit if an error occurs during the execution of the script ynh_abort_if_errors -#================================================= -# LOAD SETTINGS -#================================================= - ynh_print_info --message="Loading installation settings..." - app=$YNH_APP_INSTANCE_NAME - final_path=$(ynh_app_setting_get --app=$app --key=final_path) domain=$(ynh_app_setting_get --app=$app --key=domain) phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) -#================================================= -# DECLARE DATA AND CONF FILES TO BACKUP -#================================================= - ynh_print_info --message="Declaring files to be backed up..." - -### N.B. : the following 'ynh_backup' calls are only a *declaration* of what needs -### to be backuped and not an actual copy of any file. The actual backup that -### creates and fill the archive with the files happens in the core after this -### script is called. Hence ynh_backups calls takes basically 0 seconds to run. 
- -#================================================= -# BACKUP THE APP MAIN DIR -#================================================= - ynh_backup --src_path="$final_path" - -#================================================= -# BACKUP THE NGINX CONFIGURATION -#================================================= - ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" - -#================================================= -# BACKUP THE PHP-FPM CONFIGURATION -#================================================= - ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" -#================================================= -# END OF SCRIPT -#================================================= - ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." diff --git a/scripts/install b/scripts/install index c9225fa..8974ab1 100755 --- a/scripts/install +++ b/scripts/install 
@@ -1,128 +1,36 @@ #!/bin/bash - -#================================================= -# GENERIC START -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source /usr/share/yunohost/helpers -#================================================= -# MANAGE SCRIPT FAILURE -#================================================= - -# Exit if an error occurs during the execution of the script ynh_abort_if_errors -#================================================= -# RETRIEVE ARGUMENTS FROM THE MANIFEST -#================================================= - domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH - -### If it's a multi-instance app, meaning it can be installed several times independently -### The id of the app as stated in the manifest is available as $YNH_APP_ID -### The instance number is available as $YNH_APP_INSTANCE_NUMBER (equals "1", "2"...) -### The app instance name is available as $YNH_APP_INSTANCE_NAME -### - the first time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample -### - the second time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample__2 -### - ynhexample__{N} for the subsequent installations, with N=3,4... -### The app instance name is probably what interests you most, since this is -### guaranteed to be unique. This is a good unique identifier to define installation path, -### db names... app=$YNH_APP_INSTANCE_NAME -#================================================= -# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS -#================================================= -### About --weight and --time -### ynh_script_progression will show to your final users the progression of each scripts. -### In order to do that, --weight will represent the relative time of execution compared to the other steps in the script. -### --time is a packager option, it will show you the execution time since the previous call. 
-### This option should be removed before releasing your app. -### Use the execution time, given by --time, to estimate the weight of a step. -### A common way to do it is to set a weight equal to the execution time in second +1. -### The execution time is given for the duration since the previous call. So the weight should be applied to this previous call. ynh_script_progression --message="Validating installation parameters..." - -### If the app uses NGINX as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app". -### If the app provides an internal web server (or uses another application server such as uWSGI), the final path should be "/opt/yunohost/$app" final_path=/var/www/$app test ! -e "$final_path" || ynh_die --message="This path already contains a folder" - -# Register (book) web path ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url -#================================================= -# STORE SETTINGS FROM MANIFEST -#================================================= - ynh_script_progression --message="Storing installation settings..." - ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url - -#================================================= -# STANDARD MODIFICATIONS -#================================================= -#================================================= -# CREATE DEDICATED USER -#================================================= +ynh_app_setting_set --app=$app --key=final_path --value=$final_path ynh_script_progression --message="Configuring system user..." - -# Create a system user ynh_system_user_create --username=$app --home_dir="$final_path" -#================================================= -# DOWNLOAD, CHECK AND UNPACK SOURCE -#================================================= - ynh_script_progression --message="Setting up source files..." 
- -### `ynh_setup_source` is used to install an app from a zip or tar.gz file, -### downloaded from an upstream source, like a git repository. -### `ynh_setup_source` use the file conf/app.src - -ynh_app_setting_set --app=$app --key=final_path --value=$final_path -# Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" - -# FIXME: this should be managed by the core in the future -# Here, as a packager, you may have to tweak the ownerhsip/permissions -# such that the appropriate users (e.g. maybe www-data) can access -# files in some cases. -# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - -# this will be treated as a security issue. chmod -R 440 "$final_path" find "$final_path" -type d | xargs chmod 110 chmod 750 "$final_path"/css chown -R $app:www-data "$final_path" -#================================================= -# NGINX CONFIGURATION -#================================================= - ynh_script_progression --message="Configuring NGINX web server..." - -### `ynh_add_nginx_config` will use the file conf/nginx.conf - -# Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# PHP-FPM CONFIGURATION -#================================================= - ynh_script_progression --message="Configuring PHP-FPM..." - -# Create a dedicated PHP-FPM config ynh_add_fpm_config -#================================================= -# END OF SCRIPT -#================================================= - ynh_script_progression --message="Installation of $app completed" --last diff --git a/scripts/remove b/scripts/remove index d4d1190..0322438 100755 --- a/scripts/remove +++ b/scripts/remove 
@@ -1,62 +1,22 @@ #!/bin/bash - -#================================================= -# GENERIC START -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source /usr/share/yunohost/helpers -#================================================= -# LOAD SETTINGS -#================================================= ynh_script_progression --message="Loading installation settings..." app=$YNH_APP_INSTANCE_NAME - domain=$(ynh_app_setting_get --app=$app --key=domain) final_path=$(ynh_app_setting_get --app=$app --key=final_path) -#================================================= -# STANDARD REMOVE -#================================================= -#================================================= -# REMOVE APP MAIN DIR -#================================================= ynh_script_progression --message="Removing app main directory..." - -# Remove the app directory securely ynh_secure_remove --file="$final_path" -#================================================= -# REMOVE NGINX CONFIGURATION -#================================================= ynh_script_progression --message="Removing NGINX web server configuration..." - -# Remove the dedicated NGINX config ynh_remove_nginx_config -#================================================= -# REMOVE PHP-FPM CONFIGURATION -#================================================= ynh_script_progression --message="Removing PHP-FPM configuration..." - -# Remove the dedicated PHP-FPM config ynh_remove_fpm_config -#================================================= -# GENERIC FINALIZATION -#================================================= -# REMOVE DEDICATED USER -#================================================= ynh_script_progression --message="Removing the dedicated system user..." 
- -# Delete a system user ynh_system_user_delete --username=$app -#================================================= -# END OF SCRIPT -#================================================= - ynh_script_progression --message="Removal of $app completed" --last diff --git a/scripts/restore b/scripts/restore index 8543710..d2b332e 100755 --- a/scripts/restore +++ b/scripts/restore 
@@ -1,79 +1,30 @@ #!/bin/bash - -#================================================= -# GENERIC START -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source /usr/share/yunohost/helpers -#================================================= -# MANAGE SCRIPT FAILURE -#================================================= - -ynh_clean_setup () { - #### Remove this function if there's nothing to clean before calling the remove script. - true -} -# Exit if an error occurs during the execution of the script ynh_abort_if_errors -#================================================= -# LOAD SETTINGS -#================================================= ynh_script_progression --message="Loading installation settings..." --weight=1 - app=$YNH_APP_INSTANCE_NAME - domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) -#================================================= -# STANDARD RESTORATION STEPS -#================================================= -# RESTORE THE NGINX CONFIGURATION -#================================================= ynh_script_progression --message="Restoring the NGINX configuration..." --weight=1 - ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" -#================================================= -# RECREATE THE DEDICATED USER -#================================================= ynh_script_progression --message="Recreating the dedicated system user..." - -# Create the dedicated user (if not existing) ynh_system_user_create --username=$app --home_dir="$final_path" -#================================================= -# RESTORE THE APP MAIN DIR -#================================================= ynh_script_progression --message="Restoring the app main directory..." 
- ynh_restore_file --origin_path="$final_path" - -# FIXME: this should be managed by the core in the future -# Here, as a packager, you may have to tweak the ownerhsip/permissions -# such that the appropriate users (e.g. maybe www-data) can access -# files in some cases. -# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - -# this will be treated as a security issue. chmod -R 440 "$final_path" find "$final_path" -type d | xargs chmod 110 chmod 750 "$final_path"/css chown -R $app:www-data "$final_path" -#================================================= -# RESTORE THE PHP-FPM CONFIGURATION -#================================================= - -ynh_restore_file --origin_path="/etc/php/7.3/fpm/pool.d/$app.conf" - -#================================================= -# END OF SCRIPT -#================================================= +ynh_script_progression --message="Restoring the PHP-FPM configuration..." +ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" +ynh_systemd_action --service_name=php$phpversion-fpm --action=reload ynh_script_progression --message="Restoration completed for $app" --last diff --git a/scripts/upgrade b/scripts/upgrade index 8748e92..62b1e9c 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -1,109 +1,40 @@ #!/bin/bash - -#================================================= -# GENERIC START -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source /usr/share/yunohost/helpers -#================================================= -# LOAD SETTINGS -#================================================= - ynh_script_progression --message="Loading installation settings..." - app=$YNH_APP_INSTANCE_NAME - domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) -#================================================= -# CHECK VERSION -#================================================= - -### This helper will compare the version of the currently installed app and the version of the upstream package. -### $upgrade_type can have 2 different values -### - UPGRADE_APP if the upstream app version has changed -### - UPGRADE_PACKAGE if only the YunoHost package has changed -### ynh_check_app_version_changed will stop the upgrade if the app is up to date. -### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do. upgrade_type=$(ynh_check_app_version_changed) -#================================================= -# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP -#================================================= - ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." 
- -# Backup the current version of the app ynh_backup_before_upgrade ynh_clean_setup () { - # restore it if the upgrade fails ynh_restore_upgradebackup } -# Exit if an error occurs during the execution of the script ynh_abort_if_errors -#================================================= -# STANDARD UPGRADE STEPS -#================================================= -# CREATE DEDICATED USER -#================================================= - ynh_script_progression --message="Making sure dedicated system user exists..." - -# Create a dedicated user (if not existing) ynh_system_user_create --username=$app --home_dir="$final_path" -#================================================= -# DOWNLOAD, CHECK AND UNPACK SOURCE -#================================================= - if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Upgrading source files..." - - # Remove old version ynh_secure_remove --file="$final_path" - - # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" fi -# FIXME: this should be managed by the core in the future -# Here, as a packager, you may have to tweak the ownerhsip/permissions -# such that the appropriate users (e.g. maybe www-data) can access -# files in some cases. -# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - -# this will be treated as a security issue. chmod -R 440 "$final_path" find "$final_path" -type d | xargs chmod 110 chmod 750 "$final_path"/css chown -R $app:www-data "$final_path" -#================================================= -# NGINX CONFIGURATION -#================================================= - ynh_script_progression --message="Upgrading NGINX web server configuration..." 
- -# Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# PHP-FPM CONFIGURATION -#================================================= - ynh_script_progression --message="Upgrading PHP-FPM configuration..." - -# Create a dedicated PHP-FPM config ynh_add_fpm_config -#================================================= -# END OF SCRIPT -#================================================= - ynh_script_progression --message="Upgrade of $app completed" --last From 6344ac48e1ccfa73da7c782d4fde87fa84287cb5 Mon Sep 17 00:00:00 2001 From: Miraty Date: Sat, 5 Mar 2022 02:45:30 +0100 Subject: [PATCH 04/16] Fix restore script --- scripts/restore | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/restore b/scripts/restore index d2b332e..4e63ef7 100755 --- a/scripts/restore +++ b/scripts/restore @@ -12,6 +12,7 @@ phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) ynh_script_progression --message="Restoring the NGINX configuration..." --weight=1 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_systemd_action --service_name=nginx --action=reload ynh_script_progression --message="Recreating the dedicated system user..." ynh_system_user_create --username=$app --home_dir="$final_path" From 810f028635ca6f2e42ff6a64992ac8539b8b5e33 Mon Sep 17 00:00:00 2001 From: Miraty Date: Sat, 5 Mar 2022 15:05:40 +0100 Subject: [PATCH 05/16] Fix restore script again --- scripts/change_url | 2 +- scripts/restore | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/change_url b/scripts/change_url index dd445b0..b2be60e 100755 --- a/scripts/change_url +++ b/scripts/change_url 
@@ -33,7 +33,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) # BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP #================================================= -ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --time --weight=1 +ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --weight=1 # Backup the current version of the app ynh_backup_before_upgrade diff --git a/scripts/restore b/scripts/restore index 4e63ef7..e7faba4 100755 --- a/scripts/restore +++ b/scripts/restore @@ -10,10 +10,6 @@ path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) -ynh_script_progression --message="Restoring the NGINX configuration..." --weight=1 -ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" -ynh_systemd_action --service_name=nginx --action=reload - ynh_script_progression --message="Recreating the dedicated system user..." ynh_system_user_create --username=$app --home_dir="$final_path" @@ -28,4 +24,8 @@ ynh_script_progression --message="Restoring the PHP-FPM configuration..." ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" ynh_systemd_action --service_name=php$phpversion-fpm --action=reload +ynh_script_progression --message="Restoring the NGINX configuration..." --weight=1 +ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_systemd_action --service_name=nginx --action=reload + ynh_script_progression --message="Restoration completed for $app" --last From a55a7c5f918cce40af1a73d23234c83082f05a31 Mon Sep 17 00:00:00 2001 From: Miraty Date: Sat, 5 Mar 2022 15:12:16 +0100 Subject: [PATCH 06/16] Bump version in manifest --- manifest.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifest.json b/manifest.json index 264caa3..968b584 100755 
--- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Web interface for generating QR codes", "fr": "Interface Web pour générer des codes QR" }, - "version": "1.3.0~ynh1", + "version": "2.0.0-beta1~ynh1", "url": "https://code.antopie.org/miraty/libreqr", "upstream": { "license": "AGPL-3.0-or-later", @@ -20,7 +20,7 @@ "url": "https://miraty.antopie.org" }, "requirements": { - "yunohost": ">= 4.1.2" + "yunohost": ">= 4.3" }, "multi_instance": true, "services": [ From 940e3fd59363be9e924c1c534707e6132332da09 Mon Sep 17 00:00:00 2001 From: Miraty Date: Sat, 5 Mar 2022 16:04:16 +0100 Subject: [PATCH 07/16] Fix installation on root path --- conf/nginx.conf | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index d745eac..1cda048 100755 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -7,16 +7,15 @@ location __PATH__/ { index index.php; # Chrooted PHP-FPM - location ~ ^__PATH__(?/.*\.php)$ { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; - +#sub_path_only location ~ ^__PATH__(?/.*\.php)$ { +#root_path_only location ~ ^(?/.*\.php)$ { alias /; + fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; fastcgi_index index.php; - include fastcgi_params; - fastcgi_param REMOTE_USER $remote_user; + fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $chroot_path; + include fastcgi_params; } # Security related headers From 3535ebc901b6f30ccc7123b673ea42354ebe97a3 Mon Sep 17 00:00:00 2001 From: Miraty Date: Sat, 5 Mar 2022 18:08:29 +0100 Subject: [PATCH 08/16] Add public/private management --- manifest.json | 5 +++++ scripts/install | 7 +++++++ 2 files changed, 12 insertions(+) diff --git a/manifest.json b/manifest.json index 968b584..cc98381 100755 --- a/manifest.json +++ b/manifest.json 
@@ -38,6 +38,11 @@ "type": "path", "example": "/qr", "default": "/" + }, + { + "name": "is_public", + "type": "boolean", + "default": true } ] } diff --git a/scripts/install b/scripts/install index 8974ab1..ebcdae1 100755 --- a/scripts/install +++ b/scripts/install @@ -5,6 +5,7 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH +is_public=$YNH_APP_ARG_IS_PUBLIC app=$YNH_APP_INSTANCE_NAME ynh_script_progression --message="Validating installation parameters..." @@ -33,4 +34,10 @@ ynh_add_nginx_config ynh_script_progression --message="Configuring PHP-FPM..." ynh_add_fpm_config +ynh_script_progression --message="Configuring permissions..." +if [ $is_public -eq 1 ] +then + ynh_permission_update --permission="main" --add="visitors" +fi + ynh_script_progression --message="Installation of $app completed" --last From a1cacb65c013c2214568887d221383a1044bab80 Mon Sep 17 00:00:00 2001 From: Miraty Date: Sat, 5 Mar 2022 18:08:57 +0100 Subject: [PATCH 09/16] Clean legacy permissions when upgrading --- scripts/upgrade | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/upgrade b/scripts/upgrade index 62b1e9c..65a03f9 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -16,6 +16,12 @@ ynh_clean_setup () { } ynh_abort_if_errors +ynh_script_progression --message="Ensuring downward compatibility..." +if ynh_legacy_permissions_exists; then + ynh_legacy_permissions_delete_all + ynh_app_setting_delete --app=$app --key=is_public +fi + ynh_script_progression --message="Making sure dedicated system user exists..." ynh_system_user_create --username=$app --home_dir="$final_path" From a6d76ea6341b6b8e7b70b2eb13d5026b424c06ca Mon Sep 17 00:00:00 2001 From: Miraty Date: Sat, 5 Mar 2022 20:07:32 +0100 Subject: [PATCH 10/16] Test upgrade from LibreQR 1.3.0 in check_process --- check_process | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/check_process b/check_process index 5586420..e892668 100644 --- a/check_process +++ b/check_process 
@@ -4,7 +4,13 @@ setup_sub_dir=1 setup_root=1 setup_private=1 + setup_public=1 upgrade=1 + upgrade=1 from_commit=3b225b6a98f91493bdf3ae593a59cbdd3616106f backup_restore=1 multi_instance=1 change_url=1 +;;; Upgrade options + ; commit=3b225b6a98f91493bdf3ae593a59cbdd3616106f + name=LibreQR 1.3.0 + manifest_arg=domain=DOMAIN&path=PATH&is_public=1& From 3a594c167e0928afe9b770b4760c7fd0718a9c8e Mon Sep 17 00:00:00 2001 From: Miraty Date: Sat, 5 Mar 2022 21:37:16 +0100 Subject: [PATCH 11/16] Add help about is_public --- check_process | 1 - manifest.json | 4 ++++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/check_process b/check_process index e892668..3dd879e 100644 --- a/check_process +++ b/check_process @@ -13,4 +13,3 @@ ;;; Upgrade options ; commit=3b225b6a98f91493bdf3ae593a59cbdd3616106f name=LibreQR 1.3.0 - manifest_arg=domain=DOMAIN&path=PATH&is_public=1& diff --git a/manifest.json b/manifest.json index cc98381..9f669c4 100755 --- a/manifest.json +++ b/manifest.json @@ -42,6 +42,10 @@ { "name": "is_public", "type": "boolean", + "help": { + "en": "If enabled, the application can be used without authentifying with a YunoHost account.", + "fr": "Si activé, l'application pourra être utilisée sans s'authentifier avec un compte YunoHost." + }, "default": true } ] From 2e680284a414c1b110705f0d73e3354626d87193 Mon Sep 17 00:00:00 2001 From: Miraty Date: Sun, 6 Mar 2022 02:54:51 +0100 Subject: [PATCH 12/16] Change permissions with a dedicated function --- scripts/_common.sh | 14 ++++++++++++++ scripts/install | 6 ++---- scripts/restore | 10 ++++------ scripts/upgrade | 7 ++----- 4 files changed, 22 insertions(+), 15 deletions(-) create mode 100644 scripts/_common.sh diff --git a/scripts/_common.sh b/scripts/_common.sh new file mode 100644 index 0000000..f56b2c6 --- /dev/null +++ b/scripts/_common.sh 
@@ -0,0 +1,14 @@ +libreqr_apply_filesystem_permissions() { + find "$final_path" -type f -exec chmod 400 "{}" + + find "$final_path" -type f -exec chown www-data:www-data "{}" + + find "$final_path" -type d -exec chmod 110 "{}" + + find "$final_path" -type d -exec chown $app:www-data "{}" + + find "$final_path" -type f -name "*.php" -exec chmod 400 "{}" + + find "$final_path" -type f -name "*.php" -exec chown $app:$app "{}" + + find "$final_path" -type f -name "*.css" -exec chmod 440 "{}" + + find "$final_path" -type f -name "*.css" -exec chown $app:www-data "{}" + + find "$final_path" -type f -name "*.less" -exec chmod 440 "{}" + + find "$final_path" -type f -name "*.less" -exec chown $app:www-data "{}" + + chmod 350 "$final_path"/css + chown $app:www-data "$final_path"/css +} diff --git a/scripts/install b/scripts/install index ebcdae1..e56f14e 100755 --- a/scripts/install +++ b/scripts/install @@ -1,4 +1,5 @@ #!/bin/bash +source _common.sh source /usr/share/yunohost/helpers ynh_abort_if_errors @@ -23,10 +24,7 @@ ynh_system_user_create --username=$app --home_dir="$final_path" ynh_script_progression --message="Setting up source files..." ynh_setup_source --dest_dir="$final_path" -chmod -R 440 "$final_path" -find "$final_path" -type d | xargs chmod 110 -chmod 750 "$final_path"/css -chown -R $app:www-data "$final_path" +libreqr_apply_filesystem_permissions ynh_script_progression --message="Configuring NGINX web server..." ynh_add_nginx_config diff --git a/scripts/restore b/scripts/restore index e7faba4..2f94f48 100755 --- a/scripts/restore +++ b/scripts/restore @@ -1,9 +1,10 @@ #!/bin/bash +source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers ynh_abort_if_errors -ynh_script_progression --message="Loading installation settings..." --weight=1 +ynh_script_progression --message="Loading installation settings..." app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) 
@@ -15,16 +16,13 @@ ynh_system_user_create --username=$app --home_dir="$final_path" ynh_script_progression --message="Restoring the app main directory..." ynh_restore_file --origin_path="$final_path" -chmod -R 440 "$final_path" -find "$final_path" -type d | xargs chmod 110 -chmod 750 "$final_path"/css -chown -R $app:www-data "$final_path" +libreqr_apply_filesystem_permissions ynh_script_progression --message="Restoring the PHP-FPM configuration..." ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" ynh_systemd_action --service_name=php$phpversion-fpm --action=reload -ynh_script_progression --message="Restoring the NGINX configuration..." --weight=1 +ynh_script_progression --message="Restoring the NGINX configuration..." ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/upgrade b/scripts/upgrade index 65a03f9..2306faa 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -1,4 +1,5 @@ #!/bin/bash +source _common.sh source /usr/share/yunohost/helpers ynh_script_progression --message="Loading installation settings..." @@ -31,11 +32,7 @@ then ynh_secure_remove --file="$final_path" ynh_setup_source --dest_dir="$final_path" fi - -chmod -R 440 "$final_path" -find "$final_path" -type d | xargs chmod 110 -chmod 750 "$final_path"/css -chown -R $app:www-data "$final_path" +libreqr_apply_filesystem_permissions ynh_script_progression --message="Upgrading NGINX web server configuration..." ynh_add_nginx_config From b7fd5e871e647cd1bd62217f58dd4999c8286885 Mon Sep 17 00:00:00 2001 From: Miraty Date: Sun, 6 Mar 2022 02:55:10 +0100 Subject: [PATCH 13/16] Compress change_url --- scripts/change_url | 79 ++++++---------------------------------------- 1 file changed, 10 insertions(+), 69 deletions(-) diff --git a/scripts/change_url b/scripts/change_url index b2be60e..01a284d 100755 --- a/scripts/change_url +++ b/scripts/change_url 
@@ -1,111 +1,52 @@ #!/bin/bash - -#================================================= -# GENERIC STARTING -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - source /usr/share/yunohost/helpers -#================================================= -# RETRIEVE ARGUMENTS -#================================================= - old_domain=$YNH_APP_OLD_DOMAIN old_path=$YNH_APP_OLD_PATH - new_domain=$YNH_APP_NEW_DOMAIN new_path=$YNH_APP_NEW_PATH - app=$YNH_APP_INSTANCE_NAME - -#================================================= -# LOAD SETTINGS -#================================================= +nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf ynh_script_progression --message="Loading installation settings..." - -# Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) -#================================================= -# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP -#================================================= - -ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --weight=1 - -# Backup the current version of the app +ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." ynh_backup_before_upgrade ynh_clean_setup () { - # Remove the new domain config file, the remove script won't do it as it doesn't know yet its location. ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" - - # Restore it if the upgrade fails ynh_restore_upgradebackup } -# Exit if an error occurs during the execution of the script ynh_abort_if_errors -#================================================= -# CHECK WHICH PARTS SHOULD BE CHANGED -#================================================= - -change_domain=0 -if [ "$old_domain" != "$new_domain" ] -then - change_domain=1 -fi - +ynh_script_progression --message="Updating NGINX web server configuration..." 
+# Change the path if needed change_path=0 if [ "$old_path" != "$new_path" ] then change_path=1 fi - -#================================================= -# STANDARD MODIFICATIONS -#================================================= -#================================================= -# MODIFY URL IN NGINX CONF -#================================================= - -ynh_script_progression --message="Updating NGINX web server configuration..." - -nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf - -# Change the path in the NGINX config file if [ $change_path -eq 1 ] then - # Make a backup of the original NGINX config file if modified ynh_backup_if_checksum_is_different --file="$nginx_conf_path" - # Set global variables for NGINX helper domain="$old_domain" path_url="$new_path" - # Create a dedicated NGINX config ynh_add_nginx_config fi - -# Change the domain for NGINX +# Change the domain if needed +change_domain=0 +if [ "$old_domain" != "$new_domain" ] +then + change_domain=1 +fi if [ $change_domain -eq 1 ] then - # Delete file checksum for the old conf file location ynh_delete_file_checksum --file="$nginx_conf_path" mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf - # Store file checksum for the new config file location ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" fi -#================================================= -# RELOAD NGINX -#================================================= - ynh_script_progression --message="Reloading NGINX web server..." - ynh_systemd_action --service_name=nginx --action=reload -#================================================= -# END OF SCRIPT -#================================================= - ynh_script_progression --message="Change of URL completed for $app" --last From 8a67c2f4ca78e9d29b1d4f41f6788c77c3a85a05 Mon Sep 17 00:00:00 2001 
From: Miraty Date: Sun, 6 Mar 2022 02:55:21 +0100 Subject: [PATCH 14/16] Auto-update READMEs --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1db2b9a..1dde038 100755 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Web interface for generating QR codes -**Shipped version:** 1.3.0~ynh1 +**Shipped version:** 2.0.0-beta1~ynh1 **Demo:** https://qr.antopie.org diff --git a/README_fr.md b/README_fr.md index edc2602..08469e3 100755 --- a/README_fr.md +++ b/README_fr.md @@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Interface Web pour générer des codes QR -**Version incluse :** 1.3.0~ynh1 +**Version incluse :** 2.0.0-beta1~ynh1 **Démo :** https://qr.antopie.org From 91505ec5bbc2fa1e624e36b621bf4c91fda5951f Mon Sep 17 00:00:00 2001 From: Miraty Date: Thu, 2 Jun 2022 00:35:18 +0200 Subject: [PATCH 15/16] Slightly factorize libreqr_apply_filesystem_permissions() --- scripts/_common.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index f56b2c6..42f9bb1 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -5,10 +5,8 @@ libreqr_apply_filesystem_permissions() { find "$final_path" -type d -exec chown $app:www-data "{}" + find "$final_path" -type f -name "*.php" -exec chmod 400 "{}" + find "$final_path" -type f -name "*.php" -exec chown $app:$app "{}" + - find "$final_path" -type f -name "*.css" -exec chmod 440 "{}" + - find "$final_path" -type f -name "*.css" -exec chown $app:www-data "{}" + - find "$final_path" -type f -name "*.less" -exec chmod 440 "{}" + - find "$final_path" -type f -name "*.less" -exec chown $app:www-data "{}" + + find "$final_path" -type f -name "*.less" -or -name "*.css" -exec chmod 440 "{}" + + find "$final_path" -type f -name "*.less" -or -name "*.css" -exec chown $app:www-data "{}" + chmod 350 "$final_path"/css chown $app:www-data "$final_path"/css } From 067cc5a9b6ab6bbdc7b86c2ed50db88cf0f48e36 Mon Sep 17 00:00:00 2001 From: Miraty Date: Thu, 2 Jun 2022 00:44:51 +0200 Subject: [PATCH 16/16] Update README --- README.md | 15 ++++++++------- README_fr.md | 21 +++++++++++++-------- 2 files changed, 21 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 1dde038..1f9569e 100755 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ It shall NOT be edited by hand. # LibreQR for YunoHost -[![Integration level](https://dash.yunohost.org/integration/qr.svg)](https://dash.yunohost.org/appci/app/qr) ![](https://ci-apps.yunohost.org/ci/badges/qr.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/qr.maintain.svg) +[![Integration level](https://dash.yunohost.org/integration/qr.svg)](https://dash.yunohost.org/appci/app/qr) ![Working status](https://ci-apps.yunohost.org/ci/badges/qr.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/qr.maintain.svg) [![Install LibreQR with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=qr) *[Lire ce readme en français.](./README_fr.md)* 
@@ -23,23 +23,24 @@ Web interface for generating QR codes ## Screenshots -![](./doc/screenshots/screenshot.png) +![Screenshot of LibreQR](./doc/screenshots/screenshot.png) ## Documentation and resources -* Upstream app code repository: https://code.antopie.org/miraty/libreqr -* YunoHost documentation for this app: https://yunohost.org/app_qr -* Report a bug: https://code.antopie.org/miraty/qr_ynh/issues +* Upstream app code repository: +* YunoHost documentation for this app: +* Report a bug: ## Developer info Please send your pull request to the [testing branch](https://code.antopie.org/miraty/qr_ynh/src/branch/testing). To try the testing branch, please proceed like that. -``` + +``` bash sudo yunohost app install https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug or sudo yunohost app upgrade qr -u https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug ``` -**More info regarding app packaging:** https://yunohost.org/packaging_apps \ No newline at end of file +**More info regarding app packaging:** diff --git a/README_fr.md b/README_fr.md index 08469e3..5091d78 100755 --- a/README_fr.md +++ b/README_fr.md 
@@ -1,10 +1,14 @@ + + # LibreQR pour YunoHost -[![Niveau d'intégration](https://dash.yunohost.org/integration/qr.svg)](https://dash.yunohost.org/appci/app/qr) ![](https://ci-apps.yunohost.org/ci/badges/qr.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/qr.maintain.svg) +[![Niveau d'intégration](https://dash.yunohost.org/integration/qr.svg)](https://dash.yunohost.org/appci/app/qr) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/qr.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/qr.maintain.svg) [![Installer LibreQR avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=qr) *[Read this readme in english.](./README.md)* -*[Lire ce readme en français.](./README_fr.md)* > *Ce package vous permet d'installer LibreQR rapidement et simplement sur un serveur YunoHost. Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.* 
@@ -19,23 +23,24 @@ Interface Web pour générer des codes QR ## Captures d'écran -![](./doc/screenshots/screenshot.png) +![Capture d'écran de LibreQR](./doc/screenshots/screenshot.png) ## Documentations et ressources -* Dépôt de code officiel de l'app : https://code.antopie.org/miraty/libreqr -* Documentation YunoHost pour cette app : https://yunohost.org/app_qr -* Signaler un bug : https://code.antopie.org/miraty/qr_ynh/issues +* Dépôt de code officiel de l'app : +* Documentation YunoHost pour cette app : +* Signaler un bug : ## Informations pour les développeurs Merci de faire vos pull request sur la [branche testing](https://code.antopie.org/miraty/qr_ynh/src/branch/testing). Pour essayer la branche testing, procédez comme suit. -``` + +``` bash sudo yunohost app install https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug ou sudo yunohost app upgrade qr -u https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug ``` -**Plus d'infos sur le packaging d'applications :** https://yunohost.org/packaging_apps \ No newline at end of file +**Plus d'infos sur le packaging d'applications :**
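
Review bot: In the `libreqr_apply_filesystem_permissions()` hunk (`@@ -5,10 +5,8 @@`), the two merged `find` lines combine `-name "*.less" -or -name "*.css"` without grouping, so they no longer do what the four removed lines did. In `find`, the implicit AND binds tighter than `-or`, so the expression parses as (`-type f -name "*.less"`) OR (`-name "*.css" -exec ...`). The `-exec` runs only for `*.css` entries, the `-type f` test no longer applies to them, and `*.less` files are matched but get neither `chmod 440` nor `chown $app:www-data`. This silently drops the permission tightening on the `.less` files. Group the name tests before the action, for example `find "$final_path" -type f \( -name "*.less" -o -name "*.css" \) -exec chmod 440 "{}" +`, and do the same for the `chown` line.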
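
Review bot: In the README.md hunk `@@ -23,23 +23,24 @@`, the three added "Documentation and resources" items and the closing "More info regarding app packaging:" line end at the colon with no URL as shown, whereas the removed lines each carried one (`https://code.antopie.org/miraty/libreqr`, `https://yunohost.org/app_qr`, the `qr_ynh/issues` link, `https://yunohost.org/packaging_apps`). If the regenerated README is meant to use angle-bracket autolinks, check that they actually appear in the committed file and render; otherwise restore the URLs so the bug-report and upstream links are not lost. The README_fr.md hunk shows the same pattern.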
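
Review bot: In the README_fr.md hunk `@@ -19,23 +23,24 @@`, the fence is now tagged `bash` but still contains the bare word `ou` between the two `sudo yunohost app ...` commands (README.md has `or` in the same place). With the language tag, the block reads as a script to paste whole, and that line is not a command. Either turn it into a shell comment (`# ou`) or split the install and upgrade commands into two separate fences.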