From e68d171e317648c06c303bea4fd79571ec84909d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?= Date: Thu, 20 Jun 2024 22:07:27 +0200 Subject: [PATCH] Use built artifacts statically --- conf/nginx.conf | 12 +----------- conf/systemd.service | 45 -------------------------------------------- scripts/backup | 3 --- scripts/install | 19 +++++-------------- scripts/remove | 9 --------- scripts/restore | 10 ++-------- scripts/upgrade | 22 ++++------------------ 7 files changed, 12 insertions(+), 108 deletions(-) delete mode 100644 conf/systemd.service diff --git a/conf/nginx.conf b/conf/nginx.conf index af69dcd..9dac991 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,15 +1,5 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - proxy_pass http://127.0.0.1:__PORT__/; - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $server_name; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + alias __INSTALL_DIR/www/; } diff --git a/conf/systemd.service b/conf/systemd.service deleted file mode 100644 index 83c3c9e..0000000 --- a/conf/systemd.service +++ /dev/null 
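Review bot: The placeholder in the added `alias __INSTALL_DIR/www/;` line is missing its closing double underscore, so it does not match the `__INSTALL_DIR__` form used in the unit file this commit deletes and would presumably be left unsubstituted when the config is generated. nginx would then resolve the alias to a literal path that does not exist, and the app would not be served. The line should read `alias __INSTALL_DIR__/www/;`. The trailing slash on both `location __PATH__/` and the alias target is worth keeping as written, since a mismatch there is what lets a prefix location match paths outside the aliased directory.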
@@ -1,45 +0,0 @@ -[Unit] -Description=Scratch -After=syslog.target network.target - -[Service] -Type=simple -User=__APP__ -Group=__APP__ -WorkingDirectory=__INSTALL_DIR__/ -Environment="__YNH_NODE_LOAD_PATH__" -ExecStart=__YNH_NPM__ start - - -# Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these -# .. but this should be a good baseline -# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap - -# Denying access to capabilities that should not be relevant for webapps -# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html -CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD -CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT -CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK -CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG - -[Install] -WantedBy=multi-user.target diff --git a/scripts/backup b/scripts/backup index e73d3fc..98fca87 100644 --- a/scripts/backup +++ b/scripts/backup 
@@ -26,9 +26,6 @@ ynh_backup --src_path="$install_dir" # Backup the nginx configuration ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" -# Backup the systemd service unit -ynh_backup --src_path="/etc/systemd/system/$app.service" - #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/install b/scripts/install index 2f9a787..f84b9bb 100644 --- a/scripts/install +++ b/scripts/install @@ -22,7 +22,7 @@ ynh_install_nodejs --nodejs_version=$nodejs_version ynh_script_progression --message="Setting up source files..." --weight=5 # Download, check integrity, uncompress and patch the source from app.src -ynh_setup_source --dest_dir="$install_dir" +ynh_setup_source --dest_dir="$install_dir/sources" chmod -R o-rwx "$install_dir" chown -R "$app:www-data" "$install_dir" @@ -36,9 +36,12 @@ pushd "$install_dir" ynh_use_nodejs ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" "$ynh_npm" install ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" BUILD_MODE=dist "$ynh_npm" run build - # ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" BUILD_MODE=dist "$ynh_npm" link popd +mv "$install_dir/sources/build" "$install_dir/www" + +chown -R "$app:www-data" "$install_dir" + #================================================= # SYSTEM CONFIGURATION #================================================= 
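Review bot: The build in scripts/install still runs in `$install_dir` although the sources are now unpacked to `$install_dir/sources`. The `pushd "$install_dir"` shown in the second hunk's header is not touched by this commit, so `npm install` and `npm run build` presumably execute in a directory without the project files, and the added `mv "$install_dir/sources/build" "$install_dir/www"` has nothing to move. That line sits just above the hunk and should become `pushd "$install_dir/sources"`; the build hunk in scripts/upgrade shows the same `pushd`/`mv` pair. A guard before the move, such as `[[ -d "$install_dir/sources/build" ]] || ynh_die --message="Build output not found"`, would make a failed build stop the install with a clear message instead of leaving nginx pointed at a missing directory.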
@@ -47,18 +50,6 @@ ynh_script_progression --message="Adding system configurations related to $app.. # Create a dedicated nginx config ynh_add_nginx_config -# Create a dedicated systemd config -ynh_add_systemd_config -yunohost service add "$app" --description="Language to create your own interactive stories" --log="/var/log/$app/$app.log" - -#================================================= -# START SYSTEMD SERVICE -#================================================= -ynh_script_progression --message="Starting $app's systemd service..." --weight=1 - -# Start a systemd service -ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" - #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/remove b/scripts/remove index 4298270..74aeff0 100644 --- a/scripts/remove +++ b/scripts/remove @@ -1,7 +1,5 @@ #!/bin/bash -#================================================= -# GENERIC START #================================================= # IMPORT GENERIC HELPERS #================================================= @@ -14,13 +12,6 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Removing system configurations related to $app..." --weight=1 -# Remove the service from the list of services known by YunoHost (added from `yunohost service add`) -if ynh_exec_warn_less yunohost service status "$app" >/dev/null; then - yunohost service remove "$app" -fi - -ynh_remove_systemd_config - ynh_remove_nginx_config ynh_remove_nodejs diff --git a/scripts/restore b/scripts/restore index 3ccca72..19e60b4 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -23,20 +23,14 @@ chown -R "$app:www-data" "$install_dir" #================================================= ynh_script_progression --message="Restoring the NGINX configuration..." --weight=1 -ynh_install_nodejs --nodejs_version=$nodejs_version +ynh_install_nodejs --nodejs_version="$nodejs_version" ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" -ynh_restore_file --origin_path="/etc/systemd/system/$app.service" -systemctl enable "$app.service" --quiet -yunohost service add "$app" --description="Language to create your own interactive stories" --log="/var/log/$app/$app.log" - #================================================= # RELOAD NGINX AND PHP-FPM OR THE APP SERVICE #================================================= -ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1 - -ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" +ynh_script_progression --message="Reloading NGINX web server..." --weight=1 ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/upgrade b/scripts/upgrade index a8f1f98..c493d86 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -7,13 +7,6 @@ source _common.sh source /usr/share/yunohost/helpers -#================================================= -# STOP SYSTEMD SERVICE -#================================================= -ynh_script_progression --message="Stopping $app's systemd service..." --weight=1 - -ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log" - #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= 
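Review bot: `ynh_install_nodejs --nodejs_version="$nodejs_version"` is kept in scripts/restore although nothing on the host runs Node at runtime after this change. The context of the scripts/backup hunk shows the whole `$install_dir` being archived, which would include the built `www` tree, so restore appears to need no build toolchain. Dropping the call keeps an unused runtime off restored hosts; if it is kept on purpose (for example so a later upgrade finds the expected version), a short comment saying so would help. The call also now sits under the "Restoring the NGINX configuration..." step, and the section banner below still reads `RELOAD NGINX AND PHP-FPM OR THE APP SERVICE`; both labels should be updated to match what the script does.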
@@ -34,9 +27,12 @@ pushd "$install_dir" ynh_use_nodejs ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" "$ynh_npm" install ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" BUILD_MODE=dist "$ynh_npm" run build - # ynh_exec_warn_less ynh_exec_as "$app" env "$ynh_node_load_PATH" BUILD_MODE=dist "$ynh_npm" link popd +mv "$install_dir/sources/build" "$install_dir/www" + +chown -R "$app:www-data" "$install_dir" + #================================================= # REAPPLY SYSTEM CONFIGURATIONS #================================================= @@ -45,16 +41,6 @@ ynh_script_progression --message="Upgrading system configurations related to $ap # Create a dedicated NGINX config ynh_add_nginx_config -ynh_add_systemd_config -yunohost service add "$app" --description="Language to create your own interactive stories" --log="/var/log/$app/$app.log" - -#================================================= -# START SYSTEMD SERVICE -#================================================= -ynh_script_progression --message="Starting $app's systemd service..." --weight=1 - -ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" - #================================================= # END OF SCRIPT #=================================================
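Review bot: On any upgrade where `$install_dir/www` already exists, the added `mv "$install_dir/sources/build" "$install_dir/www"` moves the new build to `www/build` instead of replacing `www`, so nginx keeps serving the previous release. Remove the old tree first, for example with `ynh_secure_remove --file="$install_dir/www"` on the line before the `mv`. Separately, instances installed before this commit still have the `$app` systemd unit and YunoHost service entry, and the upgrade script no longer stops or removes them (see the deletions in the first and last hunks of this file), so the old Node process would keep running and listening. A one-time cleanup in the upgrade path using `ynh_remove_systemd_config` and `yunohost service remove "$app"`, the calls this commit drops from scripts/remove, would close that. Whether the `ynh_setup_source` call in this script was also pointed at `$install_dir/sources` cannot be seen from the hunks.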