diff --git a/conf/nginx.conf b/conf/nginx.conf index 9c7977a..af69dcd 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,11 +1,15 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - # Path to source - alias __INSTALL_DIR__/ ; - - index index.html; + proxy_pass http://127.0.0.1:__PORT__/; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; - # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; -} \ No newline at end of file + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; +} diff --git a/conf/systemd.service b/conf/systemd.service new file mode 100644 index 0000000..83c3c9e --- /dev/null +++ b/conf/systemd.service @@ -0,0 +1,45 @@ +[Unit] +Description=Scratch +After=syslog.target network.target + +[Service] +Type=simple +User=__APP__ +Group=__APP__ +WorkingDirectory=__INSTALL_DIR__/ +Environment="__YNH_NODE_LOAD_PATH__" +ExecStart=__YNH_NPM__ start + + +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + +[Install] +WantedBy=multi-user.target diff --git a/manifest.toml b/manifest.toml index 28c4d8f..6867f90 100644 --- a/manifest.toml +++ b/manifest.toml @@ -20,8 +20,11 @@ code = "https://github.com/scratchfoundation/scratch-gui" yunohost = ">= 11.2" architectures = "all" multi_instance = true + ldap = false + sso = false + disk = "50M" ram.build = "50M" ram.runtime = "50M" @@ -50,3 +53,6 @@ ram.runtime = "50M" [resources.permissions] main.url = "/" + + [resources.ports] + diff --git a/scripts/backup b/scripts/backup index 52eea5b..f31d78a 100644 --- a/scripts/backup +++ b/scripts/backup @@ -22,11 +22,15 @@ ynh_print_info --message="Declaring files to be backed up..." ynh_backup --src_path="$install_dir" #================================================= -# BACKUP THE NGINX CONFIGURATION +# SYSTEM CONFIGURATION #================================================= +# Backup the nginx configuration ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" +# Backup the systemd service unit +ynh_backup --src_path="/etc/systemd/system/$app.service" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/install b/scripts/install index 2bc5d1f..f5b7d6a 100644 --- a/scripts/install +++ b/scripts/install @@ -9,6 +9,13 @@ source _common.sh source /usr/share/yunohost/helpers +#================================================= +# INSTALL DEPENDENCIES +#================================================= +ynh_script_progression --message="Installing nodejs..." --weight=50 + +ynh_install_nodejs --nodejs_version=$nodejs_version + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= @@ -21,13 +28,36 @@ chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" #================================================= -# NGINX CONFIGURATION +# SYSTEM CONFIGURATION #================================================= -ynh_script_progression --message="Configuring NGINX web server..." --weight=2 +ynh_script_progression --message="Adding system configurations related to $app..." --weight=1 # Create a dedicated nginx config ynh_add_nginx_config +# Create a dedicated systemd config +ynh_add_systemd_config + +yunohost service add "$app" --description="Language to create your own interactive stories" --log="/var/log/$app/$app.log" + +#================================================= +# INSTALL ETHERPAD +#================================================= +ynh_script_progression --message="Installing $app..." --weight=40 + +pushd "$install_dir" + ynh_use_nodejs + ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH $ynh_npm install +popd + +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting $app's systemd service..." --weight=1 + +# Start a systemd service +ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/remove b/scripts/remove index e7f44d8..d5f8f6c 100644 --- a/scripts/remove +++ b/scripts/remove @@ -10,13 +10,22 @@ source _common.sh source /usr/share/yunohost/helpers #================================================= -# REMOVE NGINX CONFIGURATION +# REMOVE SYSTEM CONFIGURATIONS #================================================= -ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1 +ynh_script_progression --message="Removing system configurations related to $app..." --weight=1 + +# Remove the service from the list of services known by YunoHost (added from `yunohost service add`) +if ynh_exec_warn_less yunohost service status "$app" >/dev/null; then + ynh_script_progression --message="Removing $app service integration..." --weight=1 + yunohost service remove "$app" +fi + +ynh_remove_systemd_config -# Remove the dedicated NGINX config ynh_remove_nginx_config +ynh_remove_nodejs + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/restore b/scripts/restore index a5c61fd..d40859c 100644 --- a/scripts/restore +++ b/scripts/restore @@ -25,14 +25,22 @@ chown -R $app:www-data "$install_dir" #================================================= ynh_script_progression --message="Restoring the NGINX configuration..." --weight=1 +ynh_install_nodejs --nodejs_version=$nodejs_version + ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_restore_file --origin_path="/etc/systemd/system/$app.service" +systemctl enable "$app.service" --quiet + +yunohost service add "$app" --description="Language to create your own interactive stories" --log="/var/log/$app/$app.log" + #================================================= -# GENERIC FINALIZATION +# RELOAD NGINX AND PHP-FPM OR THE APP SERVICE #================================================= -# RELOAD NGINX AND PHP-FPM -#================================================= -ynh_script_progression --message="Reloading NGINX web server..." --weight=1 +ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1 + +### Typically you only have either $app or php-fpm but not both at the same time... +ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/upgrade b/scripts/upgrade index f905c2f..2ffa286 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -10,34 +10,42 @@ source _common.sh source /usr/share/yunohost/helpers #================================================= -# CHECK VERSION +# STOP SYSTEMD SERVICE #================================================= +ynh_script_progression --message="Stopping $app's systemd service..." --weight=1 -upgrade_type=$(ynh_check_app_version_changed) +ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= +ynh_script_progression --message="Upgrading source files..." --weight=5 -if [ "$upgrade_type" == "UPGRADE_APP" ] -then - ynh_script_progression --message="Upgrading source files..." --weight=5 - - # Download, check integrity, uncompress and patch the source from app.src - ynh_setup_source --dest_dir="$install_dir" -fi +# Download, check integrity, uncompress and patch the source from app.src +ynh_setup_source --dest_dir="$install_dir" chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" #================================================= -# NGINX CONFIGURATION +# UPDATE A CONFIG FILE #================================================= -ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=2 +ynh_script_progression --message="Updating $app's configuration files..." --weight=1 # Create a dedicated NGINX config ynh_add_nginx_config +ynh_add_systemd_config + +yunohost service add "$app" --description="Language to create your own interactive stories" --log="/var/log/$app/$app.log" + +#================================================= +# START SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting $app's systemd service..." --weight=1 + +ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" + #================================================= # END OF SCRIPT #=================================================