1 год назад · 87b416a658
--- a/conf/flohmarkt.conf
+++ b/conf/flohmarkt.conf
@@ -6,7 +6,7 @@ JwtSecret = __JWTSECRET__
 
				 DataPath = __DATA_DIR__
			
 
				 
			
 
				 [Database]
			
 
				-Server = https://__APP__:__PASSWORD_COUCHDB_ADMIN__@127.0.0.1:__PORT_COUCHDB__/
			
 
				+Server = http://__APP__:__PASSWORD_COUCHDB_ADMIN__@127.0.0.1:__PORT_COUCHDB__/
			
 
				 
			
 
				 [SMTP]
			
 
				 Server = 127.0.0.1
			
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -0,0 +1,48 @@
 
				+[Unit]
			
 
				+Description=flohmarkt server
			
 
				+After=network.target couchdb.service
			
 
				+
			
 
				+[Service]
			
 
				+Type=simple
			
 
				+User=__APP__
			
 
				+Group=__APP__
			
 
				+WorkingDirectory=__INSTALL_DIR__/__APP__
			
 
				+Environment="UVICORN_PORT=__PORT__"
			
 
				+Environment="VENV_DIR=__INSTALL_DIR__/venv/"
			
 
				+Environment="UVICORN_HOST=__127.0.0.1__"
			
 
				+ExecStart=__INSTALL_DIR__/venv/bin/uvicorn --reload flohmarkt:app
			
 
				+StandardOutput=append:/var/log/__APP__/__APP__.log
			
 
				+StandardError=inherit
			
 
				+
			
 
				+# Sandboxing options to harden security
			
 
				+# Depending on specificities of your service/app, you may need to tweak these
			
 
				+# .. but this should be a good baseline
			
 
				+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
			
 
				+NoNewPrivileges=yes
			
 
				+PrivateTmp=yes
			
 
				+PrivateDevices=yes
			
 
				+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
			
 
				+RestrictNamespaces=yes
			
 
				+RestrictRealtime=yes
			
 
				+DevicePolicy=closed
			
 
				+ProtectSystem=full
			
 
				+ProtectControlGroups=yes
			
 
				+ProtectKernelModules=yes
			
 
				+ProtectKernelTunables=yes
			
 
				+LockPersonality=yes
			
 
				+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
			
 
				+
			
 
				+# Denying access to capabilities that should not be relevant for webapps
			
 
				+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
			
 
				+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
			
 
				+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
			
 
				+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
			
 
				+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
			
 
				+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
			
 
				+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
			
 
				+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
			
 
				+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
			
 
				+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
			
 
				+
			
 
				+[Install]
			
 
				+WantedBy=multi-user.target
			
--- a/scripts/install
+++ b/scripts/install
@@ -44,6 +44,10 @@ chmod 750 "$install_dir"
 
				 chmod -R o-rwx "$install_dir"
			
 
				 chown -R "$app:$app" "$install_dir"
			
 
				 
			
 
				+# INTEGRATE SERVICE IN YUNOHOST
			
 
				+# ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
			
 
				+# yunohost service add $app --description="war mal couchdb" --log="/var/log/$app/$app.log"
			
 
				+
			
 
				 # get flohmarkt
			
 
				 ynh_setup_source --dest_dir="$install_dir/$app/"
			
 
				 
			
@@ -64,9 +68,18 @@ python3 -m venv --without-pip "$install_dir/venv"
 
				 # JwtSecret
			
 
				 jwtsecret=$(openssl rand 256 | base64 -w 0)
			
 
				 
			
 
				-# @@ configure
			
 
				+# generate flohmarkt.conf
			
 
				 ynh_add_config --template="../conf/flohmarkt.conf" --destination="$install_dir/$app/flohmarkt.conf"
			
 
				 
			
 
				+# setup couchdb
			
 
				+(
			
 
				+    set +o nounset
			
 
				+    source "$install_dir/venv/bin/activate"
			
 
				+    set -o nounset
			
 
				+    cd "$install_dir/$app"
			
 
				+    python3 initialize_couchdb.py bla42fasel bla42fasel
			
 
				+)
			
 
				+
			
 
				 # SETUP LOGROTATE
			
 
				 ynh_script_progression --message="Configuring log rotation..." --weight=2
			
 
				 # Use logrotate to manage application logfile(s)
			
@@ -78,9 +91,13 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=3
 
				 # Create a dedicated NGINX config
			
 
				 ynh_add_nginx_config
			
 
				 
			
 
				-# INTEGRATE SERVICE IN YUNOHOST
			
 
				+# systemd.service
			
 
				+ynh_script_progression --message="Configuring a systemd service..." --weight=1
			
 
				+# Create a dedicated systemd config
			
 
				+ynh_add_systemd_config
			
 
				+# integrate into yunohost
			
 
				 ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
			
 
				-yunohost service add $app --description="Open-source document-oriented NoSQL database" --log="/var/log/$app/$app.log" --needs_exposed_ports "$port"
			
 
				+yunohost service add $app --description="A self-hosted, single-user, ActivityPub powered microblog." --log="/var/log/$app/$app.log"
			
 
				 
			
 
				 # SETUP FAIL2BAN
			
 
				 # no need for couchdb, because it will not listen externally
			
@@ -89,5 +106,7 @@ yunohost service add $app --description="Open-source document-oriented NoSQL dat
 
				 # # Create a dedicated Fail2Ban config
			
 
				 # ynh_add_fail2ban_config --logpath="/var/log/couchdb/couchdb.log" --failregex="[warning] .*couch_httpd_auth: Authentication failed for user .+ from <HOST>" --max_retry=5
			
 
				 
			
 
				-# qed
			
 
				+# @@ logrotation
			
 
				+
			
 
				 ynh_script_progression --message="Installation of $app completed" --last
			
 
				+# qed